diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2023-10-03 17:44:52 +0300 |
|---|---|---|
| committer | Andrew Geissler <geissonator@yahoo.com> | 2023-10-03 18:04:36 +0300 |
| commit | 1e488cdf844bf4aa82d3c90875a56fb35c7f210d (patch) | |
| tree | be163d890651760d24effea503cd567df3e119b5 | |
| parent | 4f6b1c0dcf9f9cb734f71b277af913e0d58c503f (diff) | |
| download | openbmc-mickledore.tar.xz | |
subtree updates oct 3 2023mickledore
poky: fc25449687..a61e021c65:
Alberto Planas (1):
bitbake.conf: add unzstd in HOSTTOOLS
Alejandro Hernandez Samaniego (2):
baremetal-helloworld: Update SRCREV to fix entry addresses for ARM architectures
baremetal-helloworld: Fix race condition
Alex Kiernan (2):
rootfs: Add debugfs package db file copy and cleanup
rpm: Pick debugfs package db files/dirs explicitly
Alexander Kanavin (35):
maintaines.inc: unassign Richard Weinberger from erofs-utils entry
maintainers.inc: unassign Andreas Müller from itstool entry
maintainers.inc: unassign Pascal Bach from cmake entry
maintainers.inc: correct unassigned entries
maintainers.inc: correct Carlos Rafael Giani's email address
apr: upgrade 1.7.3 -> 1.7.4
scripts/runqemu: split lock dir creation into a reusable function
scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes
qemu: a pending patch was submitted and accepted upstream
maintainers.inc: unassign Adrian Bunk from wireless-regdb
maintainers.inc: unassign Alistair Francis from opensbi
maintainers.inc: unassign Chase Qi from libc-test
maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items
maintainers.inc: unassign Ricardo Neri from ovmf
grub: submit determinism.patch upstream
gawk: upgrade 5.2.1 -> 5.2.2
gnupg: upgrade 2.4.0 -> 2.4.2
libx11: upgrade 1.8.4 -> 1.8.5
linux-firmware: upgrade 20230404 -> 20230515
serf: upgrade 1.3.9 -> 1.3.10
wget: upgrade 1.21.3 -> 1.21.4
wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
gdb: upgrade 13.1 -> 13.2
sysfsutils: fetch a supported fork from github
diffutils: update 3.9 -> 3.10
libproxy: fetch from git
cargo.bbclass: set up cargo environment in common do_compile
rust-common.bbclass: move musl-specific linking fix from rust-source.inc
Revert "rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock"
ref-manual: document image-specific variant of INCOMPATIBLE_LICENSE
glibc-locale: use stricter matching for metapackages' runtime dependencies
devtool/upgrade: raise an error if extracting source produces more than one directory
curl: ensure all ptest failures are caught
python3: upgrade 3.11.2 -> 3.11.3
python3: update 3.11.3 -> 3.11.4
Alexis Lothoré (2):
scripts/resulttool: add mention about new detected tests
oeqa/utils/gitarchive: fix tag computation when creating archive
Andrej Valek (2):
busybox: 1.36.0 -> 1.36.1
maintainers.inc: Modify email address
Anuj Mittal (7):
gstreamer1.0: upgrade 1.22.2 -> 1.22.3
selftest/cases/glibc.py: fix the override syntax
glibc/check-test-wrapper: don't emit warnings from ssh
selftest/cases/glibc.py: increase the memory for testing
oeqa/utils/nfs: allow requesting non-udp ports
selftest/cases/glibc.py: switch to using NFS over TCP
gstreamer1.0: upgrade 1.22.4 -> 1.22.5
Archana Polampalli (3):
qemu: fix CVE-2023-0330
bind: upgrade 9.18.15 -> 9.18.16
vim: upgrade 9.0.1592 -> 9.0.1664
BELOUARGA Mohamed (2):
meta: lib: oe: npm_registry: Add more safe caracters
linux-firmware : Add firmware of RTL8822 serie
Benjamin Bouvier (1):
util-linux: add alternative links for ipcs,ipcrm
Bruce Ashfield (33):
linux-yocto/6.1: update to v6.1.26
linux-yocto/6.1: update to v6.1.27
linux-yocto/6.1: update to v6.1.28
linux-yocto/6.1: update to v6.1.29
linux-yocto/6.1: update to v6.1.30
linux-yocto/6.1: update to v6.1.31
linux-yocto/6.1: update to v6.1.32
linux-yocto/5.15: update to v5.15.114
linux-yocto/5.15: update to v5.15.115
linux-yocto/5.15: update to v5.15.116
linux-yocto/5.15: update to v5.15.117
linux-yocto/5.15: update to v5.15.118
linux-yocto/5.15: cfg: fix DECNET configuration warning
linux-yocto/6.1: update to v6.1.33
linux-yocto/6.1: fix intermittent x86 boot hangs
linux-yocto/6.1: update to v6.1.34
linux-yocto/6.1: update to v6.1.35
linux-yocto/5.15: update to v5.15.119
linux-yocto/5.15: update to v5.15.120
linux-yocto/6.1: update to v6.1.36
linux-yocto/6.1: update to v6.1.37
linux-yocto/6.1: update to v6.1.38
linux-yocto/5.15: update to v5.15.122
linux-yocto/5.15: update to v5.15.123
linux-yocto/5.15: update to v5.15.124
linux-yocto/6.1: cfg: update ima.cfg to match current meta-integrity
linux-yocto/6.1: update to v6.1.41
linux-yocto/6.1: update to v6.1.43
linux-yocto/6.1: update to v6.1.44
linux-yocto/6.1: update to v6.1.45
linux-yocto/6.1: fix uninitialized read in nohz_full/isolcpus setup
linux-yocto/6.1: update to v6.1.46
linux-yocto/6.1: fix IRQ-80 warnings
Changqing Li (4):
systemd: fix a dead link under /var/log
dnf: only write the log lock to root for native dnf
rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock
erofs-utils: fix CVE-2023-33551/CVE-2023-33552
Charlie Wu (1):
devtool: Fix the wrong variable in srcuri_entry
Chee Yang Lee (6):
python3-requests: fix CVE-2023-32681
curl: fix CVE-2023-32001
ghostscript: fix CVE-2023-38559
librsvg: upgrade to 2.54.6
libssh2: fix CVE-2020-22218
python3: update to 3.11.5
Chen Qi (13):
cmake.bbclass: do not search host paths for find_program()
qemurunner.py: fix error message about qmp
sdk.py: error out when moving file fails
sdk.py: fix moving dnf contents
rpm: write macros under libdir
zip: fix configure check by using _Static_assert
zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS
unzip: fix configure check for cross compilation
unzip: remove hardcoded LARGE_FILE_SUPPORT
ncurses: fix CVE-2023-29491
cmake.bbclass: fix allarch override syntax
multilib.conf: explicitly make MULTILIB_VARIANTS vardeps on MULTILIBS
gcc-crosssdk: ignore MULTILIB_VARIANTS in signature computation
Daniel Semkowicz (1):
dev-manual: wic.rst: Update native tools build command
Deepthi Hemraj (2):
glibc: stable 2.37 branch updates.
binutils: stable 2.40 branch updates
Denys Dmytriyenko (1):
binutils: move packaging of gprofng static lib into common .inc
Dmitry Baryshkov (3):
openssl: fix building on riscv32
linux-firmware: package firmare for Dragonboard 410c
linux-firmware: split platform-specific Adreno shaders to separate packages
Ed Beroset (1):
ref-manual: add clarification for SRCREV
Enrico Scholz (1):
shadow-sysroot: add license information
Etienne Cordonnier (2):
libxcrypt: fix hard-coded ".so" extension
vim: update obsolete comment
Fabien Mahot (2):
useradd-example: package typo correction
oeqa/selftest/bbtests: add non-existent prefile/postfile tests
Frieder Paape (1):
image_types: Fix reproducible builds for initramfs and UKI img
Frieder Schrempf (1):
psmisc: Set ALTERNATIVE for pstree to resolve conflict with busybox
Hannu Lounento (1):
profile-manual: fix blktrace remote usage instructions
Ian Ray (1):
systemd-systemctl: support instance expansion in WantedBy
Jaeyoon Jung (1):
cml1: Fix KCONFIG_CONFIG_COMMAND not conveyed fully in do_menuconfig
Jermain Horsman (1):
logrotate: Do not create logrotate.status file
Joe Slater (1):
ghostscript: fix CVE-2023-36664
Joel Stanley (1):
kernel: don't fail if Modules.symvers doesn't exist
Jose Quaresma (8):
kernel: config modules directories are handled by kernel-module-split
kernel-module-split: install config modules directories only when they are needed
kernel-module-split: use context manager to open files
kernel-module-split: make autoload and probeconf distribution specific
kernel-module-split add systemd modulesloaddir and modprobedir config
openssl: add PERLEXTERNAL path to test its existence
openssl: use a glob on the PERLEXTERNAL to track updates on the path
go: update 1.20.5 -> 1.20.6
Julien Stephan (1):
automake: fix buildtest patch
Jörg Sommer (2):
runqemu-gen-tapdevs: Refactoring
runqemu-ifupdown/get-tapdevs: Add support for ip tuntap
Kai Kang (4):
pm-utils: fix multilib conflictions
webkitgtk: 2.38.5 -> 2.38.6
webkitgtk: fix CVE-2023-32439
webkitgtk: fix CVE-2023-32435
Khem Raj (10):
systemd: Drop a backport
perf: Make built-in libtraceevent plugins cohabit with external libtraceevent
glibc: Pass linker choice via compiler flags
babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature
parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so
rpcsvc-proto: Upgrade to 1.4.4
libxml2: Do not use lld linker when building with tests on rv64
python3-bcrypt: Use BFD linker when building tests
meson.bbclass: Point to llvm-config from native sysroot
build-sysroots: Add SUMMARY field
Lee Chee Yang (7):
migration-guides: add release notes for 4.0.10
migration-guides: add release notes for 4.0.11
migration-guides: add release notes for 4.2.2
migration-guides: add release notes for 4.2.3
migration-guides: add release notes for 4.0.12
bind: update to 9.18.19
ffmpeg: 5.1.2 -> 5.1.3
Marc Ferland (1):
connman: fix warning by specifying runstatedir at configure time
Marek Vasut (1):
linux-firmware: Fix mediatek mt7601u firmware path
Mark Hatle (1):
tcf-agent: Update to 1.8.0 release
Markus Niebel (1):
wic: fix wrong attempt to create file system in upartitioned regions
Markus Volk (3):
ell: upgrade 0.56 -> 0.57
gtk4: upgrade 4.10.3 -> 4.10.4
gtk4: upgrade 4.10.4 -> 4.10.5
Martin Jansa (8):
libx11: remove unused patch and FILESEXTRAPATHS
qemu: remove unused qemu-7.0.0-glibc-2.36.patch
minicom: remove unused patch files
inetutils: remove unused patch files
libgloss: remove unused patch file
kmod: remove unused ptest.patch
tcl: prevent installing another copy of tzdata
gcc: backport a fix for ICE caused by CVE-2023-4039.patch
Michael Halstead (4):
resulttool/resultutils: allow index generation despite corrupt json
yocto-uninative: Update hashes for uninative 4.1
yocto-uninative: Update to 4.2 for glibc 2.38
yocto-uninative: Update to 4.3
Michael Opdenacker (13):
ref-manual: releases.svg: updates
conf.py: add macro for Mitre CVE links
ref-manual: LTS releases now supported for 4 years
poky.conf: update SANITY_TESTED_DISTROS to match autobuilder
scripts/create-pull-request: update URLs to git repositories
ref-manual: system-requirements: update supported distros
manuals: add new contributor guide
dev-manual: disk-space: mention faster "find" command to trim sstate cache
sdk-manual: extensible.rst: fix multiple formatting issues
dev-manual: disk-space: improve wording for obsolete sstate cache files
dev-manual: new-recipe.rst fix inconsistency with contributor guide
contributor-guide: recipe-style-guide: add Upstream-Status
dev-manual: licenses: mention SPDX for license compliance
Mikko Rapeli (1):
useradd-staticids.bbclass: improve error message
Mingli Yu (5):
curl: fix CVE-2023-28319 through CVE-2023-28322
python3-numpy: remove NPY_INLINE, use inline instead
acpica: Update SRC_URI
cups: Fix CVE-2023-34241
ruby: Fix CVE-2023-36617
Narpat Mali (5):
python3-certifi: upgrade 2022.12.7 -> 2023.7.22
ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018
python3-git: upgrade 3.1.31 -> 3.1.32
python3-pygments: fix for CVE-2022-40896
python3-git: upgrade 3.1.32 -> 3.1.37
Natasha Bailey (1):
tiff: backport a fix for CVE-2023-2731
Oleksandr Hnatiuk (2):
file: return wrapper to fix builds when file is in buildtools-tarball
file: fix the way path is written to environment-setup.d
Ovidiu Panait (7):
mdadm: fix util-linux ptest dependency
mdadm: fix 07revert-inplace ptest
mdadm: fix segfaults when running ptests
mdadm: skip running known broken ptests
mdadm: re-add mdadm-ptest to PTESTS_SLOW
mdadm: add util-linux-blockdev ptest dependency
mdadm: skip running 04update-uuid and 07revert-inplace testcases
Peter Marko (7):
cve-update-nvd2-native: fix cvssV3 metrics
cve-update-nvd2-native: retry all errors and sleep between retries
cve-update-nvd2-native: increase retry count
libjpeg-turbo: patch CVE-2023-2804
python3: ignore CVE-2023-36632
libarchive: ignore CVE-2023-30571
openssl: Upgrade 3.1.1 -> 3.1.2
Peter Suti (1):
externalsrc: fix dependency chain issues
Poonam Jadhav (1):
pixman: Remove duplication of license MIT
Quentin Schulz (3):
docs: bsp-guide: bsp: fix typo
docs: ref-manual: terms: fix typos in SPDX term
uboot-extlinux-config.bbclass: fix old override syntax in comment
Randolph Sapp (6):
weston-init: make sure the render group exists
weston-init: add weston user to the render group
weston-init: add the weston user to the wayland group
weston-init: fix the mixed indentation
weston-init: guard against systemd configs
weston-init: add profile to point users to global socket
Richard Purdie (24):
selftest/license: Exclude from world
layer.conf: Add missing dependency exclusion
v86d: Improve kernel dependency
strace: Disable failing test
bitbake: runqueue: Fix deferred task/multiconfig race issue
strace: Merge two similar patches
strace: Update patches/tests with upstream fixes
ptest-runner: Pull in sync fix to improve log warnings
ptest-runner: Ensure data writes don't race
ptest-runner: Pull in "runner: Remove threads and mutexes" fix
gcc-testsuite: Fix ppc cpu specification
ptest-runner: Pull in parallel test fixes and output handling
glibc-testsuite: Fix network restrictions causing test failures
oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
oeqa/runtime/ltp: Increase ltp test output timeout
ltp: Add kernel loopback module dependency
target/ssh: Ensure exit code set for commands
oeqa/ssh: Further improve process exit handling
pseudo: Fix to work with glibc 2.38
lib/package_manager: Improve repo artefact filtering
gnupg: Fix reproducibility failure
resulttool/report: Avoid divide by zero
build-sysroots: Ensure dependency chains are minimal
vim: Upgrade 9.0.1664 -> 9.0.1894
Riyaz Khan (1):
openssh: Remove BSD-4-clause contents completely from codebase
Roland Hieber (2):
template: fix typo in section header
ref-manual: point outdated link to the new location
Ross Burton (24):
ninja: ignore CVE-2021-4336, wrong ninja
binutils: fix CVE-2023-1972
pkgconf: upgrade 1.9.4 -> 1.9.5
git: upgrade to 2.39.3
gobject-introspection: remove obsolete DEPENDS
cve-update-nvd2-native: handle all configuration nodes, not just first
cve-update-nvd2-native: use exact times, don't truncate
cve-update-nvd2-native: log a little more
cve-update-nvd2-native: actually use API keys
tiff: upgrade to 4.5.1
gcc: don't pass --enable-standard-branch-protection
machine/arch-arm64: add -mbranch-protection=standard
pkgconf: update SRC_URI
python3: fix missing comma in get_module_deps3.py
oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
rootfs_rpm: don't depend on opkg-native for update-alternatives
ltp: add RDEPENDS on findutils
openssh: upgrade to 9.3p2
linux-yocto: add script to generate kernel CVE_CHECK_IGNORE entries
linux/cve-exclusion: add generated CVE_CHECK_IGNOREs
procps: backport fix for CVE-2023-4016
graphene: fix runtime detection of IEEE754 behaviour
gcc: Fix -fstack-protector issue on aarch64
linux-yocto: update CVE exclusions
Sakib Sajal (4):
go: Upgrade 1.20.4 -> 1.20.5
bno_plot.py, btt_plot.py: Ask for python3 specifically
go: fix CVE-2023-24531
go: upgrade 1.20.6 -> 1.20.7
Sanjana (1):
binutils: Fix CVE-2023-39128
Sanjay Chitroda (2):
cups: Fix CVE-2023-32324
curl: Add CVE-2023-28320 follow-up fix
Siddharth (1):
tiff: Security fix for CVE-2023-25434 and CVE-2023-26965
Siddharth Doshi (1):
gdb: Fix CVE-2023-39128
Soumya (1):
perl: Fix CVE-2023-31484 & CVE-2023-31486
Staffan Rydén (1):
kernel: Fix path comparison in kernel staging dir symlinking
Steve Sakoman (6):
maintainers.inc: update version for gcc-source
Revert "systemd: fix a dead link under /var/log"
poky.conf: bump version for 4.2.2 release
build-appliance-image: Update to mickledore head revision
poky.conf: bump version for 4.2.3 release
build-appliance-image: Update to mickledore head revision
Stéphane Veyret (1):
scripts/oe-setup-builddir: copy conf-notes.txt to build dir
Sudip Mukherjee (2):
dpkg: upgrade to v1.21.22
bind: upgrade to v9.18.17
Sundeep KOKKONDA (1):
gcc : upgrade to v12.3
Thomas Roos (1):
testimage/oeqa: Drop testimage_dump_host functionality
Tim Orling (1):
openssl: upgrade 3.1.0 -> 3.1.1
Tom Hochstein (1):
weston: Cleanup and fix x11 and xwayland dependencies
Trevor Gamblin (4):
bind: upgrade 9.18.13 -> 9.18.14
glib-networking: use correct error code in ptest
vim: upgrade 9.0.1527 -> 9.0.1592
linux-firmware: upgrade 20230515 -> 20230625
Wang Mingyu (24):
babeltrace2: upgrade 2.0.4 -> 2.0.5
fribidi: upgrade 1.0.12 -> 1.0.13
libdnf: upgrade 0.70.0 -> 0.70.1
libmicrohttpd: upgrade 0.9.76 -> 0.9.77
libxft: upgrade 2.3.7 -> 2.3.8
libxpm: upgrade 3.5.15 -> 3.5.16
mobile-broadband-provider-info: upgrade 20221107 -> 20230416
bind: upgrade 9.18.14 -> 9.18.15
xdpyinfo: upgrade 1.3.3 -> 1.3.4
libxml2: upgrade 2.10.3 -> 2.10.4
freetype: upgrade 2.13.0 -> 2.13.1
gstreamer1.0: upgrade 1.22.3 -> 1.22.4
libassuan: upgrade 2.5.5 -> 2.5.6
libksba: upgrade 1.6.3 -> 1.6.4
libx11: upgrade 1.8.5 -> 1.8.6
lttng-ust: upgrade 2.13.5 -> 2.13.6
taglib: upgrade 1.13 -> 1.13.1
libwebp: upgrade 1.3.0 -> 1.3.1
libnss-nis: upgrade 3.1 -> 3.2
opkg: upgrade 0.6.1 -> 0.6.2
opkg-utils: upgrade 0.5.0 -> 0.6.2
file: upgrade 5.44 -> 5.45
tar: upgrade 1.34 -> 1.35
bind: upgrade 9.18.17 -> 9.18.18
Xiangyu Chen (1):
dbus: upgrade 1.14.6 -> 1.14.8
Yash Shinde (1):
glibc: fix CVE-2023-4527
Yi Zhao (1):
ifupdown: install missing directories
Yoann Congal (3):
recipetool: Fix inherit in created -native* recipes
oeqa/selftest/devtool: add unit test for "devtool add -b"
dev-manual: remove unsupported :term: markup inside markup
Yogita Urade (8):
dmidecode: fix CVE-2023-30630
qemu: fix CVE-2023-3301
qemu: fix CVE-2023-3255
qemu: fix CVE-2023-2861
inetutils: fix CVE-2023-40303
nghttp2: fix CVE-2023-35945
dropbear: fix CVE-2023-36328
qemu: fix CVE-2023-3354
Yuta Hayama (1):
systemd-systemctl: fix errors in instance name expansion
nikhil (1):
libwebp: Fix CVE-2023-1999
sanjana (2):
binutils: stable 2.40 branch updates
glibc: stable 2.37 branch updates
meta-openembedded: 9286582126..922f41b39f:
Armin Kuster (1):
openldap: update to 2.5.16.
Beniamin Sandu (1):
lmsensors: do not pull in unneeded perl modules for run-time dependencies
Changqing Li (2):
redis: upgrade 6.2.12 -> 6.2.13
redis: upgrade 7.0.11 -> 7.0.12
Chee Yang Lee (2):
rabbitmq-c: Fix CVE-2023-35789
c-ares: upgrade 1.19.0 -> 1.19.1
Chen Qi (3):
redis: use the files path correctly
grpc: fix CVE-2023-32732
grpc: fix CVE-2023-33953
Chris Dimich (1):
image_types_sparse: Fix syntax error
Hitendra Prajapati (4):
wireshark: Fix CVE-2023-2855 & CVE-2023-2856
wireshark: Fix CVE-2023-2858 & CVE-2023-2879
wireshark: CVE-2023-2952 XRA dissector infinite loop
wireshark: Fix Multiple CVEs
Jasper Orschulko (1):
yaml-cpp: Fix cmake export
Joe Slater (3):
libgpiod: modify test 'gpioset: toggle (continuous)'
python3-sqlparse: fix CVE-2023-30608
libgpiod: modify RDEPENDS for ptest
Khem Raj (2):
fftw: Check for TOOLCHAIN_OPTIONS to be non-empty before sed ops
system-config-printer: Delete __pycache__ files
Lee Chee Yang (2):
opensc: fix CVE-2023-2977
x11vnc: Fix CVE-2020-29074
Linus Jacobson (1):
khronos-cts: Replace wayland feature dependancy with vulkan
Martin Jansa (5):
libiio: use main branch instead of master
mongodb: enable hardware crc32 only with crc in TUNE_FEATURES
khronos-cts.inc: respect MLPREFIX when appending DEPENDS with anonymous python
libcyusbserial: fix installed-vs-shipped QA issue with multilib
tcpreplay: fix pcap detection with /usr/lib32 multilib
Mingli Yu (6):
dialog: Update the SRC_URI
gnulib: Update SRC_URI
yajl: Fix CVE-2023-33460
iniparser: Fix CVE-2023-33461
php: Upgrade to 8.2.8
mcelog: Drop unneeded autotools-brokensep
Polampalli, Archana (6):
tcpreplay: upgrade 4.4.3 -> 4.4.4
nodejs: upgrade 18.14.2 -> 18.16.1
yasm: fix CVE-2023-31975
nodejs: upgrade 18.16.1 -> 18.17.1
hwloc: fix CVE-2022-47022
python3-appdirs: print ptest results in unified format
Ross Burton (5):
glade: add autoconf-archive-native DEPENDS
libgxim: add autoconf-archive-native DEPENDS
libblockdev: clean up DEPENDS
imsettings: add missing DEPENDS on autoconf-archive-native
system-config-printer: clean up DEPENDS
Sandeep Gundlupet Raju 837 (1):
opencv: Revert fix runtime dependencies
Sanjay Chitroda (1):
netkit-telnet: Fix CVE-2022-39028
Soumya (1):
yasm: fix CVE-2023-37732
Soumya Sambu (1):
krb5: Fix CVE-2023-36054
Soumya via (1):
opencv: Fix for CVE-2023-2617
Urade, Yogita t.mo (1):
c-ares: fix CVE-2023-32067
Wang Mingyu (3):
python3-django: upgrade 4.1.7 -> 4.2.1
iperf3: upgrade 3.13 -> 3.14
tcpdump: upgrade 4.99.3 -> 4.99.4
Xiangyu Chen (2):
libbpf: installing uapi headers for native package
meta-oe: add pahole to NON_MULTILIB_RECIPES
Yi Zhao (4):
frr: upgrade 8.4.2 -> 8.4.4
mbedtls: upgrade 2.28.2 -> 2.28.3
open-vm-tools: Security fix CVE-2023-20867
frr: Security fix CVE-2023-3748
Yogita Urade (1):
poppler: fix CVE-2023-34872
meta-arm: 8db460fa5d..6e199b354e:
Abdellatif El Khlifi (6):
arm-bsp/documentation: corstone1000: Update change log
arm-bsp/doc: corstone1000: Update the software architecture document
arm-bsp/documentation: corstone1000: update the release note
arm-bsp/documentation: corstone1000: update user guide
kas: set the SHAs for 2023.06 release
arm-bsp/trusted-firmware-a: corstone1000: enable ERRATA_A35_855472
Adam Johnston (2):
CI: Platform specific Trusted Services config
arm-bsp/trusted-firmware-a: Reserve OP-TEE memory from NWd on N1SDP
Anton Antonov (1):
arm/oeqa: Make ts-service-test config match selected SPs
Denys Dmytriyenko (1):
optee-os: do not explicitly set CFG_MAP_EXT_DT_SECURE=y
Emekcan Aras (7):
arm-bsp/u-boot: corstone1000: Fix EFI multiple protocol install failure
arm-bsp/u-boot: corstone1000: Enable EFI set/get time services
arm-bsp/trusted-services: corstone1000: GetNextVariableName Fix
arm-bsp/optee-os:corstone1000: Drop SPMC non secure interrupt patches
arm-bsp/u-boot: corstone1000: Fix u-boot compilation warnings
arm-bsp/trusted-services: corstone1000: Fix PSA_RAW_KEY agreement test
arm-bsp/trusted-services: corstone1000: Fix Capsule Update
Gyorgy Szing (11):
arm/trusted-services: update TS version
optee-os: remove v3.18 pin of OP-TEE on qemuarm64-secureboot
optee-os: Add support for TOS_FW_CONFIG on qemu
arm/trusted-firmware-a: Add TOS_FW_CONFIG handling for quemu
optee-test: backport SWd ABI compatibility changes
optee-os: enable SPMC test
arm/oeqa: enable OP-TEE SPMC tests
trusted-services: update documentation
arm/trusted-services: disable psa-iat on qemuarm64-secureboot
arm/trusted-services: fix nanopb build error
optee-os: unblock NWd interrupts
Jon Mason (3):
CI: remove master refspec for meta-virtualization yml file
arm/linux-yocto: move 6.1 patches to a unique bbappend
README: remove reference to meta-arm-autonomy
Robbie Cao (1):
arm/recipes-kernel: Add preempt-rt support for generic-arm64
Rui Miguel Silva (3):
arm-bsp/trusted-services:corstone1000: remove already merged patches
arm-bsp/trusted-services: remove merged patches for corstone1000
arm-bps/corstone1000: setup trusted service proxy configuration
Tomás González (2):
arm-bsp/documentation: corstone1000: Update the user guide
arm-bsp/documentation: corstone1000: Update the release notes
Change-Id: I19ad289a1580a28192b5c063d06553d4e171687b
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
582 files changed, 28088 insertions, 12522 deletions
diff --git a/meta-arm/.gitlab-ci.yml b/meta-arm/.gitlab-ci.yml index df1f0f5ade..4ee75fcc1e 100644 --- a/meta-arm/.gitlab-ci.yml +++ b/meta-arm/.gitlab-ci.yml @@ -150,7 +150,7 @@ n1sdp: parallel: matrix: - TOOLCHAINS: [gcc, armgcc] - TS: [none, trusted-services] + TS: [none, n1sdp-ts] qemu-generic-arm64: extends: .build @@ -167,7 +167,7 @@ qemuarm64-secureboot: - KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt] TOOLCHAINS: [gcc, clang] TCLIBC: [glibc, musl] - TS: [none, trusted-services] + TS: [none, qemuarm64-secureboot-ts] TESTING: testimage qemuarm64: diff --git a/meta-arm/README.md b/meta-arm/README.md index 7779258551..82c326de7e 100644 --- a/meta-arm/README.md +++ b/meta-arm/README.md @@ -6,10 +6,6 @@ This repository contains the Arm layers for OpenEmbedded. This layer contains general recipes for the Arm architecture, such as firmware, FVPs, and Arm-specific integration. -* meta-arm-autonomy - - This layer is the distribution for a reference stack for autonomous systems. - * meta-arm-bsp This layer contains machines for Arm reference platforms, for example FVP Base, N1SDP, and Juno. diff --git a/meta-arm/ci/meta-virtualization.yml b/meta-arm/ci/meta-virtualization.yml index 8791fc3be5..1cd0e21a89 100644 --- a/meta-arm/ci/meta-virtualization.yml +++ b/meta-arm/ci/meta-virtualization.yml @@ -6,4 +6,3 @@ header: repos: meta-virtualization: url: git://git.yoctoproject.org/meta-virtualization - refspec: master diff --git a/meta-arm/ci/trusted-services.yml b/meta-arm/ci/n1sdp-ts.yml index 433ec78b37..e8e9298d24 100644 --- a/meta-arm/ci/trusted-services.yml +++ b/meta-arm/ci/n1sdp-ts.yml @@ -6,8 +6,8 @@ header: local_conf_header: trusted_services: | TEST_SUITES:append = " trusted_services" - # Include TS Crypto, Storage, ITS, Attestation and SMM-Gateway SPs into optee-os image - MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its ts-attestation ts-smm-gateway" + # Include TS Crypto, TS Protected Storage, TS Internal and Trusted Storage SPs into optee-os image + MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its" # Include TS demo/test tools into image IMAGE_INSTALL:append = " packagegroup-ts-tests" # Include TS PSA Arch tests into image diff --git a/meta-arm/ci/qemuarm64-secureboot-ts.yml b/meta-arm/ci/qemuarm64-secureboot-ts.yml new file mode 100644 index 0000000000..5f28dd3c17 --- /dev/null +++ b/meta-arm/ci/qemuarm64-secureboot-ts.yml @@ -0,0 +1,14 @@ +header: + version: 11 + includes: + - ci/meta-openembedded.yml + +local_conf_header: + trusted_services: | + TEST_SUITES:append = " trusted_services" + # Include TS Crypto, TS Protected Storage, TS Internal Trusted Storage and SMM-Gateway SPs into optee-os image + MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its ts-smm-gateway" + # Include TS demo/test tools into image + IMAGE_INSTALL:append = " packagegroup-ts-tests" + # Include TS PSA Arch tests into image + IMAGE_INSTALL:append = " packagegroup-ts-tests-psa" diff --git a/meta-arm/documentation/trusted-services.md b/meta-arm/documentation/trusted-services.md index e3cee6b3c0..70826f681e 100644 --- a/meta-arm/documentation/trusted-services.md +++ b/meta-arm/documentation/trusted-services.md @@ -1,6 +1,6 @@ # The Trusted Services: framework for developing root-of-trust services - meta-arm layer includes recipes for [Trusted Services][1] Secure Partitions and Normal World applications +meta-arm layer includes recipes for [Trusted Services][^1] Secure Partitions and Normal World applications in `meta-arm/recipes-security/trusted-services` ## Secure Partitions recipes @@ -12,7 +12,7 @@ These files are automatically included into optee-os image accordingly to define ### How to include TS SPs To include TS SPs into optee-os image you need to add into MACHINE_FEATURES -features for each [Secure Partition][2] you would like to include: +features for each [Secure Partition][^2] you would like to include: | Secure Partition | MACHINE_FEATURE | | ----------------- | --------------- | @@ -22,32 +22,44 @@ features for each [Secure Partition][2] you would like to include: | Protected Storage | ts-storage | | se-proxy | ts-se-proxy | | smm-gateway | ts-smm-gateway | +| spm-test[1-3] | optee-spmc-test | Other steps depend on your machine/platform definition: 1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y` -is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES. + is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES. + (Please see ` meta-arm/recipes-kernel/arm-ffa-tee`.) + + For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux the `arm-ffa-user` drivel is required. This is + enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled. + (Please see ` meta-arm/recipes-kernel/arm-ffa-user`.) 2. optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at). -You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine -and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc` -for N1SDP and Corstone1000 platforms accordingly. + You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine + and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc` + for N1SDP and Corstone1000 platforms accordingly. 3. trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform). -See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine -and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and -`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms. + See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine + and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and + `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms. ## Normal World applications - Optionally for testing purposes you can add `packagegroup-ts-tests` and `packagegroup-ts-tests-psa` package groups into your image. -They include [Trusted Services test and demo tools][3] +Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes +[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests. ## OEQA Trusted Services tests meta-arm also includes Trusted Service OEQA tests which can be used for automated testing. See `ci/trusted-services.yml` for an example how to include them into an image. -[1] https://trusted-services.readthedocs.io/en/integration/overview/introduction.html -[2] https://trusted-services.readthedocs.io/en/integration/developer/deployments/secure-partitions.html -[3] https://trusted-services.readthedocs.io/en/integration/developer/deployments/test-executables.html + +------ +[^1]: https://trusted-services.readthedocs.io/en/integration/overview/index.html + +[^2]: https://trusted-services.readthedocs.io/en/integration/deployments/secure-partitions.html + +[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html + +[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
\ No newline at end of file diff --git a/meta-arm/kas/corstone1000-base.yml b/meta-arm/kas/corstone1000-base.yml index 6594caa58b..ea62f42ce1 100644 --- a/meta-arm/kas/corstone1000-base.yml +++ b/meta-arm/kas/corstone1000-base.yml @@ -16,6 +16,7 @@ repos: poky: url: https://git.yoctoproject.org/git/poky + refspec: 31dd418207f6c95ef0aad589cd03cd2a4c9a8bf2 layers: meta: meta-poky: @@ -23,6 +24,7 @@ repos: meta-openembedded: url: https://git.openembedded.org/meta-openembedded + refspec: 5a01ab461c9bcabcbb2298236602373948f8f073 layers: meta-oe: meta-python: diff --git a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc index 3915d18b56..198c7ec877 100644 --- a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc +++ b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc @@ -43,6 +43,7 @@ OPTEE_BINARY = "tee-pager_v2.bin" # Include smm-gateway and se-proxy SPs into optee-os binary MACHINE_FEATURES += "ts-smm-gateway ts-se-proxy" TS_PLATFORM = "arm/corstone1000" +TS_SP_SE_PROXY_CONFIG = "corstone1000" # External System(Cortex-M3) EXTRA_IMAGEDEPENDS += "external-system" diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst index 64e82aac98..32d6529279 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT @@ -10,6 +10,72 @@ Change Log This document contains a summary of the new features, changes and fixes in each release of Corstone-1000 software stack. +*************** +Version 2023.06 +*************** + +Changes +======= + +- GPT support (in TF-M, TF-A, U-boot) +- Use TF-M BL1 code as the ROM code instead of MCUboot (the next stage bootloader BL2 remains to be MCUboot) +- Secure Enclave uses CC312 OTP as the provisioning backend in FVP and FPGA +- NVMXIP block storage support in U-Boot +- Upgrading the SW stack recipes +- Upgrades for the U-Boot FF-A driver and MM communication + +Corstone-1000 components versions +================================= + ++-------------------------------------------+--------------------------------------------+ +| arm-ffa-tee | 1.1.2-r0 | ++-------------------------------------------+--------------------------------------------+ +| arm-ffa-user | 5.0.1-r0 | ++-------------------------------------------+--------------------------------------------+ +| corstone1000-external-sys-tests | 1.0+gitAUTOINC+2945cd92f7-r0 | ++-------------------------------------------+--------------------------------------------+ +| external-system | 0.1.0+gitAUTOINC+8c9dca74b1-r0 | ++-------------------------------------------+--------------------------------------------+ +| linux-yocto | 6.1.25+gitAUTOINC+36901b5b29_581dc1aa2f-r0 | ++-------------------------------------------+--------------------------------------------+ +| u-boot | 2023.01-r0 | ++-------------------------------------------+--------------------------------------------+ +| optee-client | 3.18.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| optee-os | 3.20.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| trusted-firmware-a | 2.8.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| trusted-firmware-m | 1.7.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| ts-newlib | 4.1.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| ts-psa-{crypto, iat, its. ps}-api-test | 38cb53a4d9 | ++-------------------------------------------+--------------------------------------------+ +| ts-sp-{se-proxy, smm-gateway} | 08b3d39471 | ++-------------------------------------------+--------------------------------------------+ + +Yocto distribution components versions +====================================== + ++-------------------------------------------+--------------------------------+ +| meta-arm | mickledore | ++-------------------------------------------+--------------------------------+ +| poky | mickledore | ++-------------------------------------------+--------------------------------+ +| meta-openembedded | mickledore | ++-------------------------------------------+--------------------------------+ +| busybox | 1.36.0-r0 | ++-------------------------------------------+--------------------------------+ +| musl | 1.2.3+gitAUTOINC+7d756e1c04-r0 | ++-------------------------------------------+--------------------------------+ +| gcc-arm-none-eabi-native | 11.2-2022.02 | ++-------------------------------------------+--------------------------------+ +| gcc-cross-aarch64 | 12.2.rel1-r0 | ++-------------------------------------------+--------------------------------+ +| openssl | 3.1.0-r0 | ++-------------------------------------------+--------------------------------+ + ****************** Version 2022.11.23 ****************** @@ -25,7 +91,7 @@ Changes - Upgrades for the U-Boot FF-A driver and MM communication Corstone-1000 components versions -======================================= +================================= +-------------------------------------------+------------+ | arm-ffa-tee | 1.1.1 | @@ -56,7 +122,7 @@ Corstone-1000 components versions +-------------------------------------------+------------+ Yocto distribution components versions -======================================= +====================================== +-------------------------------------------+---------------------+ | meta-arm | langdale | @@ -161,4 +227,4 @@ Changes -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png Binary files differindex a41e721027..4c6a2a8c8c 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png Binary files differindex 38407c08d9..399f87568f 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png Binary files differindex bc5b4ba35e..88bb1259f6 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png Binary files differindex b7631b0230..1e37d803b7 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png Binary files differindex f58531719d..a501de556e 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst index 89a4fa9ab2..62e3f8ff66 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT @@ -19,6 +19,28 @@ intended for safety-critical applications. Should Your Software or Your Hardware prove defective, you assume the entire cost of all necessary servicing, repair or correction. +*********************** +Release notes - 2023.06 +*********************** + +Known Issues or Limitations +--------------------------- + - FPGA supports Linux distro install and boot through installer. However, FVP only supports openSUSE raw image installation and boot. + - Due to the performance uplimit of MPS3 FPGA and FVP, some Linux distros like Fedora Rawhide can not boot on Corstone-1000 (i.e. user may experience timeouts or boot hang). + - PSA Crypto tests (psa-crypto-api-test command) take 30 minutes to complete for FVP and 1 hour for MPS3. + - Corstone-1000 SoC on FVP doesn't have a secure debug peripheral. It does on the MPS3 . + - The following limitations listed in the previous release are still applicable: + + - UEFI Compliant - Boot from network protocols must be implemented -- FAILURE + + - Known limitations regarding ACS tests - see previous release's notes. + +Platform Support +----------------- + - This software release is tested on Corstone-1000 FPGA version AN550_v2 + https://developer.arm.com/downloads/-/download-fpga-images + - This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.19_21 + https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps ************************** Release notes - 2022.11.23 @@ -174,4 +196,4 @@ For all security issues, contact Arm by email at arm-security@arm.com. -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst index a17f1b8a68..bf3535b2ec 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT @@ -9,16 +9,16 @@ Software architecture ***************** -ARM corstone1000 +Arm Corstone-1000 ***************** -ARM corstone1000 is a reference solution for IoT devices. It is part of +Arm Corstone-1000 is a reference solution for IoT devices. It is part of Total Solution for IoT which consists of hardware and software reference implementation. -Corstone1000 software plus hardware reference solution is PSA Level-2 ready +Corstone-1000 software plus hardware reference solution is PSA Level-2 ready certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_). -More information on the corstone1000 subsystem product and design can be +More information on the Corstone-1000 subsystem product and design can be found at: `Arm corstone1000 Software`_ and `Arm corstone1000 Technical Overview`_. @@ -31,12 +31,12 @@ present in the user-guide document. Design Overview *************** -The software architecture of corstone1000 platform is a reference +The software architecture of Corstone-1000 platform is a reference implementation of Platform Security Architecture (`PSA`_) which provides framework to build secure IoT devices. The base system architecture of the platform is created from three -different tyes of systems: Secure Enclave, Host and External System. +different types of systems: Secure Enclave, Host and External System. Each subsystem provides different functionality to overall SoC. @@ -50,9 +50,9 @@ cryptographic functions. It is based on an Cortex-M0+ processor, CC312 Cryptographic Accelerator and peripherals, such as watchdog and secure flash. Software running on the Secure Enclave is isolated via hardware for enhanced security. Communication with the Secure Encalve -is achieved using Message Hnadling Units (MHUs) and shared memory. -On system power on, the Secure Enclaves boots first. Its software -comprises of two boot loading stages, both based on mcuboot, and +is achieved using Message Handling Units (MHUs) and shared memory. +On system power on, the Secure Enclave boots first. Its software +comprises of a ROM code (TF-M BL1), Mcuboot BL2, and TrustedFirmware-M(`TF-M`_) as runtime software. The software design on Secure Enclave follows Firmware Framework for M class processor (`FF-M`_) specification. @@ -66,7 +66,7 @@ The boot process follows Trusted Boot Base Requirement (`TBBR`_). The Host Subsystem is taken out of reset by the Secure Enclave system during its final stages of the initialization. The Host subsystem runs FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS -(`OPTEE-OS`_) in the secure world, and u-boot(`u-boot repo`_) and +(`OPTEE-OS`_) in the secure world, and U-Boot(`U-Boot repo`_) and linux (`linux repo`_) in the non-secure world. The communication between non-secure and the secure world is performed via FF-A messages. @@ -75,7 +75,7 @@ functionality. The system is based on Cortex-M3 and run RTX RTOS. Communictaion between external system and Host(cortex-A35) is performed using MHU as transport mechanism and rpmsg messaging system. -Overall, the corstone1000 architecture is designed to cover a range +Overall, the Corstone-1000 architecture is designed to cover a range of Power, Performance, and Area (PPA) applications, and enable extension for use-case specific applications, for example, sensors, cloud connectivitiy, and edge computing. @@ -85,13 +85,13 @@ Secure Boot Chain ***************** For the security of a device, it is essential that only authorized -software should run on the device. The corstone1000 boot uses a +software should run on the device. The Corstone-1000 boot uses a Secure Boot Chain process where an already authenticated image verifies and loads the following software in the chain. For the boot chain process to work, the start of the chain should be trusted, forming the Root of Trust (RoT) of the device. The RoT of the device is immutable in nature and encoded into the device by the device owner before it -is deployed into the field. In Corstone1000, the BL1 image of the secure +is deployed into the field. In Corstone-1000, the BL1 image of the secure enclave and content of the CC312 OTP (One Time Programmable) memory forms the RoT. The BL1 image exists in ROM (Read Only Memory). @@ -99,18 +99,20 @@ forms the RoT. The BL1 image exists in ROM (Read Only Memory). :width: 870 :alt: SecureBootChain -It is a lengthy chain to boot the software on corstone1000. On power on, +It is a lengthy chain to boot the software on Corstone-1000. On power on, the secure enclave starts executing BL1 code from the ROM which is the RoT of the device. Authentication of an image involves the steps listed below: - Load image from flash to dynamic RAM. -- The public key present in the image header is validated by comparing with the hash. Depending on the image, the hash of the public key is either stored in the OTP or part of the software which is being already verfied in the previous stages. +- The public key present in the image header is validated by comparing with the hash. + Depending on the image, the hash of the public key is either stored in the OTP or part + of the software which is being already verified in the previous stages. - The image is validated using the public key. In the secure enclave, BL1 authenticates the BL2 and passes the execution -control. BL2 authenticates the initial boot loader of the host (Host BL2) +control. BL2 authenticates the initial boot loader of the host (Host TF-A BL2) and TF-M. The execution control is now passed to TF-M. TF-M being the run -time executable of secure enclaves initializes itself and, in the end, +time executable of secure enclave which initializes itself and, at the end, brings the host CPU out of rest. The host follows the boot standard defined in the `TBBR`_ to authenticate the secure and non-secure software. @@ -118,10 +120,10 @@ in the `TBBR`_ to authenticate the secure and non-secure software. Secure Services *************** -corstone1000 is unique in providing a secure environment to run a secure -workload. The platform has Trustzone technology in the Host subsystem but +Corstone-1000 is unique in providing a secure environment to run a secure +workload. The platform has TrustZone technology in the Host subsystem but it also has hardware isolated secure enclave environment to run such secure -workloads. In corstone1000, known Secure Services such as Crypto, Protected +workloads. In Corstone-1000, known Secure Services such as Crypto, Protected Storage, Internal Trusted Storage and Attestation are available via PSA Functional APIs in TF-M. There is no difference for a user communicating to these services which are running on a secure enclave instead of the @@ -137,7 +139,7 @@ flow path for such calls. The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition managed by OPTEE which forwards such calls to the secure enclave. The solution relies on OpenAMP which uses shared memory and MHU interrupts as -a doorbell for communication between two cores. corstone1000 implements +a doorbell for communication between two cores. Corstone-1000 implements isolation level 2. Cortex-M0+ MPU (Memory Protection Unit) is used to implement isolation level 2. @@ -147,7 +149,7 @@ lower latency vs higher security. Services running on a secure enclave are secure by real hardware isolation but have a higher latency path. In the second scenario, the services running on the secure world of the host subsystem have lower latency but virtual hardware isolation created by -Trustzone technology. +TrustZone technology. ********************** @@ -156,14 +158,14 @@ Secure Firmware Update Apart from always booting the authorized images, it is also essential that the device only accepts the authorized images in the firmware update -process. corstone1000 supports OTA (Over the Air) firmware updates and +process. Corstone-1000 supports OTA (Over the Air) firmware updates and follows Platform Security Firmware Update sepcification (`FWU`_). As standardized into `FWU`_, the external flash is divided into two banks of which one bank has currently running images and the other bank is used for staging new images. There are four updatable units, i.e. Secure Enclave's BL2 and TF-M, and Host's FIP (Firmware Image Package) and Kernel -Image. The new images are accepted in the form of a UEFI capsule. +Image (the initramfs bundle). The new images are accepted in the form of a UEFI capsule. .. image:: images/ExternalFlash.png @@ -194,13 +196,13 @@ guarantee the availability of the device. ****************************** -UEFI Runtime Support in u-boot +UEFI Runtime Support in U-Boot ****************************** Implementation of UEFI boottime and runtime APIs require variable storage. -In corstone1000, these UEFI variables are stored in the Protected Storage +In Corstone-1000, these UEFI variables are stored in the Protected Storage service. The below diagram presents the data flow to store UEFI variables. -The u-boot implementation of the UEFI subsystem uses the FF-A driver to +The U-Boot implementation of the UEFI subsystem uses the U-Boot FF-A driver to communicate with the SMM Service in the secure world. The backend of the SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS calls are forwarded to the secure enclave as explained above. @@ -215,11 +217,12 @@ calls are forwarded to the secure enclave as explained above. References *************** `ARM corstone1000 Search`_ + `Arm security features`_ -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* .. _Arm corstone1000 Technical Overview: https://developer.arm.com/documentation/102360/0000 .. _Arm corstone1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software @@ -236,4 +239,4 @@ References .. _TBBR: https://developer.arm.com/documentation/den0006/latest .. _TF-M: https://www.trustedfirmware.org/projects/tf-m/ .. _Trusted Services: https://www.trustedfirmware.org/projects/trusted-services/ -.. _u-boot repo: https://github.com/u-boot/u-boot.git +.. _U-Boot repo: https://github.com/u-boot/u-boot.git diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst index e173f244b4..a5ccb31382 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT @@ -15,21 +15,35 @@ The Yocto Project relies on the `Bitbake <https://docs.yoctoproject.org/bitbake. tool as its build tool. Please see `Yocto Project documentation <https://docs.yoctoproject.org/>`__ for more information. - Prerequisites ------------- -These instructions assume your host PC is running Ubuntu Linux 18.04 or 20.04 LTS, with at least 32GB of free disk space and 16GB of RAM as minimum requirement. The following instructions expect that you are using a bash shell. All the paths stated in this document are absolute paths. -The following prerequisites must be available on the host system. To resolve these dependencies, run: +This guide assumes that your host PC is running Ubuntu 20.04 LTS, with at least +32GB of free disk space and 16GB of RAM as minimum requirement. -:: +The following prerequisites must be available on the host system: + +- Git 1.8.3.1 or greater +- tar 1.28 or greater +- Python 3.8.0 or greater. +- gcc 8.0 or greater. +- GNU make 4.0 or greater + +Please follow the steps described in the Yocto mega manual: + +- `Compatible Linux Distribution <https://docs.yoctoproject.org/singleindex.html#compatible-linux-distribution>`__ +- `Build Host Packages <https://docs.yoctoproject.org/singleindex.html#build-host-packages>`__ + +Targets +------- - sudo apt-get update - sudo apt-get install gawk wget git-core diffstat unzip texinfo gcc-multilib \ - build-essential chrpath socat cpio python3 python3-pip python3-pexpect \ - xz-utils debianutils iputils-ping python3-git libegl1-mesa libsdl1.2-dev \ - xterm zstd liblz4-tool picocom - sudo apt-get upgrade libstdc++6 +- `Arm Corstone-1000 Ecosystem FVP (Fixed Virtual Platform) <https://developer.arm.com/downloads/-/arm-ecosystem-fvps>`__ +- `Arm Corstone-1000 for MPS3 <https://developer.arm.com/documentation/dai0550/latest/>`__ + +Yocto stable branch +------------------- + +Corstone-1000 software stack is built on top of Yocto mickledore. Provided components ------------------- @@ -44,6 +58,8 @@ The Yocto machine config files for the Corstone-1000 FVP and FPGA targets are: - ``<_workspace>/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf`` - ``<_workspace>/meta-arm/meta-arm-bsp/conf/machine/corstone1000-mps3.conf`` +**NOTE:** All the paths stated in this document are absolute paths. + ***************** Software for Host ***************** @@ -52,50 +68,52 @@ Trusted Firmware-A ================== Based on `Trusted Firmware-A <https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git>`__ -+----------+---------------------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend | -+----------+---------------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb | -+----------+---------------------------------------------------------------------------------------------------+ ++----------+-----------------------------------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.%.bbappend | ++----------+-----------------------------------------------------------------------------------------------------+ +| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb | ++----------+-----------------------------------------------------------------------------------------------------+ OP-TEE ====== Based on `OP-TEE <https://git.trustedfirmware.org/OP-TEE/optee_os.git>`__ +----------+------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.18.0.bbappend | +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.20.0.bbappend | +----------+------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm/recipes-security/optee/optee-os_3.18.0.bb | +| Recipe | <_workspace>/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb | +----------+------------------------------------------------------------------------------------+ U-Boot -======= -Based on `U-Boot <https://gitlab.com/u-boot>`__ +====== +Based on `U-Boot repo`_ -+----------+---------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | -+----------+---------------------------------------------------------------------+ -| Recipe | <_workspace>/poky/meta/recipes-bsp/u-boot/u-boot_2022.07.bb | -+----------+---------------------------------------------------------------------+ ++----------+-------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | ++----------+-------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend | ++----------+-------------------------------------------------------------------------+ +| Recipe | <_workspace>/poky/meta/recipes-bsp/u-boot/u-boot_2023.01.bb | ++----------+-------------------------------------------------------------------------+ Linux ===== The distro is based on the `poky-tiny <https://wiki.yoctoproject.org/wiki/Poky-Tiny>`__ distribution which is a Linux distribution stripped down to a minimal configuration. -The provided distribution is based on busybox and built using muslibc. The +The provided distribution is based on busybox and built using musl libc. The recipe responsible for building a tiny version of Linux is listed below. +-----------+----------------------------------------------------------------------------------------------+ | bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend | +-----------+----------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/poky/meta/recipes-kernel/linux/linux-yocto_5.19.bb | +| Recipe | <_workspace>/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb | +-----------+----------------------------------------------------------------------------------------------+ | defconfig | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig | +-----------+----------------------------------------------------------------------------------------------+ External System Tests -======================= +===================== Based on `Corstone-1000/applications <https://git.gitlab.arm.com/arm-reference-solutions/corstone1000/applications>`__ +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -109,15 +127,15 @@ Software for Boot Processor (a.k.a Secure Enclave) ************************************************** Based on `Trusted Firmware-M <https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git>`__ -+----------+-------------------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend | -+----------+-------------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb | -+----------+-------------------------------------------------------------------------------------------------+ ++----------+-----------------------------------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.%.bbappend | ++----------+-----------------------------------------------------------------------------------------------------+ +| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb | ++----------+-----------------------------------------------------------------------------------------------------+ -************************************************** +******************************** Software for the External System -************************************************** +******************************** RTX ==== @@ -150,7 +168,7 @@ In the top directory of the workspace ``<_workspace>``, run: :: - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2022.11.23 + git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2023.06 To build a Corstone-1000 image for MPS3 FPGA, run: @@ -173,46 +191,47 @@ Once the build is successful, all output binaries will be placed in the followin - ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3/`` folder for FPGA build. Everything apart from the Secure Enclave ROM firmware and External System firmware, is bundled into a single binary, the -``corstone1000-image-corstone1000-{mps3,fvp}.wic.nopt`` file. +``corstone1000-image-corstone1000-{mps3,fvp}.wic`` file. The output binaries run in the Corstone-1000 platform are the following: - The Secure Enclave ROM firmware: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/bl1.bin`` - The External System firmware: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/es_flashfw.bin`` - - The flash image: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/corstone1000-image-corstone1000-{mps3,fvp}.wic.nopt`` + - The flash image: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/corstone1000-image-corstone1000-{mps3,fvp}.wic`` Flash the firmware image on FPGA -------------------------------- -The user should download the FPGA bit file image ``AN550: Arm® Corstone™-1000 for MPS3 Version 1`` +The user should download the FPGA bit file image ``AN550: Arm® Corstone™-1000 for MPS3 Version 2.0`` from `this link <https://developer.arm.com/tools-and-software/development-boards/fpga-prototyping-boards/download-fpga-images>`__ -and under the section ``Arm® Corstone™-1000 for MPS3``. +and under the section ``Arm® Corstone™-1000 for MPS3``. The download is available after logging in. The directory structure of the FPGA bundle is shown below. :: - Boardfiles - ├── MB - │ ├── BRD_LOG.TXT - │ ├── HBI0309B - │ │ ├── AN550 - │ │ │ ├── AN550_v1.bit - │ │ │ ├── an550_v1.txt - │ │ │ └── images.txt - │ │ ├── board.txt - │ │ └── mbb_v210.ebf - │ └── HBI0309C - │ ├── AN550 - │ │ ├── AN550_v1.bit - │ │ ├── an550_v1.txt - │ │ └── images.txt - │ ├── board.txt - │ └── mbb_v210.ebf - ├── SOFTWARE - │ ├── ES0.bin - │ ├── SE.bin - │ └── an550_st.axf - └── config.txt + Boardfiles + ├── config.txt + ├── MB + │ ├── BRD_LOG.TXT + │ ├── HBI0309B + │ │ ├── AN550 + │ │ │ ├── AN550_v2.bit + │ │ │ ├── an550_v2.txt + │ │ │ └── images.txt + │ │ ├── board.txt + │ │ └── mbb_v210.ebf + │ └── HBI0309C + │ ├── AN550 + │ │ ├── AN550_v2.bit + │ │ ├── an550_v2.txt + │ │ └── images.txt + │ ├── board.txt + │ └── mbb_v210.ebf + └── SOFTWARE + ├── an550_st.axf + ├── bl1.bin + ├── cs1000.bin + └── ES0.bin Depending upon the MPS3 board version (printed on the MPS3 board) you should update the images.txt file (in corresponding HBI0309x folder. Boardfiles/MB/HBI0309<board_revision>/AN550/images.txt) so that the file points to the images under SOFTWARE directory. @@ -242,7 +261,7 @@ stack can be seen below; IMAGE0FILE: \SOFTWARE\bl1.bin IMAGE1PORT: 0 - IMAGE1ADDRESS: 0x00_0010_0000 + IMAGE1ADDRESS: 0x00_0000_0000 IMAGE1UPDATE: AUTOQSPI IMAGE1FILE: \SOFTWARE\cs1000.bin @@ -256,10 +275,9 @@ OUTPUT_DIR = ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3`` 1. Copy ``bl1.bin`` from OUTPUT_DIR directory to SOFTWARE directory of the FPGA bundle. 2. Copy ``es_flashfw.bin`` from OUTPUT_DIR directory to SOFTWARE directory of the FPGA bundle and rename the binary to ``es0.bin``. -3. Copy ``corstone1000-image-corstone1000-mps3.wic.nopt`` from OUTPUT_DIR directory to SOFTWARE - directory of the FPGA bundle and rename the wic.nopt image to ``cs1000.bin``. +3. Copy ``corstone1000-image-corstone1000-mps3.wic`` from OUTPUT_DIR directory to SOFTWARE + directory of the FPGA bundle and rename the wic image to ``cs1000.bin``. - **NOTE:** Renaming of the images are required because MCC firmware has limitation of 8 characters before .(dot) and 3 characters after .(dot). @@ -274,7 +292,7 @@ be ttyUSB0, ttyUSB1, ttyUSB2, ttyUSB3 and it might be different on Windows machi - ttyUSB0 for MCC, OP-TEE and Secure Partition - ttyUSB1 for Boot Processor (Cortex-M0+) - ttyUSB2 for Host Processor (Cortex-A35) - - ttyUSB3 for External System Processor (Cortex-M3) + - ttyUSB3 for External System Processor (Cortex-M3) Run following commands to open serial port terminals on Linux: @@ -285,12 +303,26 @@ Run following commands to open serial port terminals on Linux: sudo picocom -b 115200 /dev/ttyUSB2 # in another terminal. sudo picocom -b 115200 /dev/ttyUSB3 # in another terminal. +**NOTE:** The MPS3 expects an ethernet cable to be plugged in, otherwise it will +wait for the network for a considerable amount of time, printing the following +logs: + +:: + + Generic PHY 40100000.ethernet-ffffffff:01: attached PHY driver (mii_bus:phy_addr=40100000.ethernet-ffffffff:01, irq=POLL) + smsc911x 40100000.ethernet eth0: SMSC911x/921x identified at 0xffffffc008e50000, IRQ: 17 + Waiting up to 100 more seconds for network. + Once the system boot is completed, you should see console logs on the serial port terminals. Once the HOST(Cortex-A35) is booted completely, user can login to the shell using **"root"** login. -If system does not boot and only the ttyUSB1 logs are visible, please follow the steps in `Clean Secure Flash Before Testing (applicable to FPGA only)`_ under `SystemReady-IR tests`_ section. The previous image used in FPGA (MPS3) might have filled the Secure Flash completely. The best practice is to clean the secure flash in this case. +If system does not boot and only the ttyUSB1 logs are visible, please follow the +steps in `Clean Secure Flash Before Testing (applicable to FPGA only)`_ under +`SystemReady-IR tests`_ section. The previous image used in FPGA (MPS3) might +have filled the Secure Flash completely. The best practice is to clean the +secure flash in this case. Running the software on FVP @@ -321,7 +353,7 @@ To run the FVP using the runfvp command, please run the following command: When the script is executed, three terminal instances will be launched, one for the boot processor (aka Secure Enclave) processing element and two for the Host processing element. Once the FVP is -executing, the Boot Processor will start to boot, wherein the relevant memory contents of the .wic.nopt +executing, the Boot Processor will start to boot, wherein the relevant memory contents of the .wic file are copied to their respective memory locations within the model, enforce firewall policies on memories and peripherals and then, bring the host out of reset. @@ -337,11 +369,11 @@ Login using the username root. The External System can be released out of reset on demand using the systems-comms-tests command. SystemReady-IR tests -------------------------- +-------------------- -********************* +************* Testing steps -********************* +************* **NOTE**: Running the SystemReady-IR tests described below requires the user to work with USB sticks. In our testing, not all USB stick models work well with @@ -359,7 +391,7 @@ erase the SecureEnclave flash cleanly and prepare a clean board environment for the testing. Clean Secure Flash Before Testing (applicable to FPGA only) -================================================================== +=========================================================== To prepare a clean board environment with clean secure flash for the testing, the user should prepare an image that erases the secure flash cleanly during @@ -368,17 +400,17 @@ boot. Run following commands to build such image. :: cd <_workspace> - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2022.11.23 - git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2022.11.23 - cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-arm-bsp-trusted-firmware-m-corstone1000-Clean-Secure.patch meta-arm + git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2023.06 + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.06 + cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-embedded-a-corstone1000-clean-secure-flash.patch meta-arm cd meta-arm - git apply 0001-arm-bsp-trusted-firmware-m-corstone1000-Clean-Secure.patch + git apply 0001-embedded-a-corstone1000-clean-secure-flash.patch cd .. kas build meta-arm/kas/corstone1000-mps3.yml Replace the bl1.bin and cs1000.bin files on the SD card with following files: - The ROM firmware: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/bl1.bin - - The flash image: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic.nopt + - The flash image: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic Now reboot the board. This step erases the Corstone-1000 SecureEnclave flash completely, the user should expect following message from TF-M log (can be seen @@ -394,10 +426,16 @@ Then the user should follow "Building the software stack" to build a clean software stack and flash the FPGA as normal. And continue the testing. Run SystemReady-IR ACS tests -============================= +============================ + +Architecture Compliance Suite (ACS) is used to ensure architectural compliance +across different implementations of the architecture. Arm Enterprise ACS +includes a set of examples of the invariant behaviors that are provided by a +set of specifications for enterprise systems (For example: SBSA, SBBR, etc.), +so that implementers can verify if these behaviours have been interpreted correctly. ACS image contains two partitions. BOOT partition and RESULT partition. -Following packages are under BOOT partition +Following test suites and bootable applications are under BOOT partition: * SCT * FWTS @@ -406,12 +444,30 @@ Following packages are under BOOT partition * grub * uefi manual capsule application +BOOT partition contains the following: + +:: + + ├── EFI + │ └── BOOT + │ ├── app + │ ├── bbr + │ ├── bootaa64.efi + │ ├── bsa + │ ├── debug + │ ├── Shell.efi + │ └── startup.nsh + ├── grub + ├── grub.cfg + ├── Image + └── ramdisk-busybox.img + RESULT partition is used to store the test results. -PLEASE MAKE SURE THAT THE RESULT PARTITION IS EMPTY BEFORE YOU START THE TESTING. OTHERWISE THE TEST RESULTS +**NOTE**: PLEASE MAKE SURE THAT THE RESULT PARTITION IS EMPTY BEFORE YOU START THE TESTING. OTHERWISE THE TEST RESULTS WILL NOT BE CONSISTENT FPGA instructions for ACS image -================================ +=============================== This section describes how the user can build and run Architecture Compliance Suite (ACS) tests on Corstone-1000. @@ -449,10 +505,11 @@ Once the USB stick with ACS image is prepared, the user should make sure that ensure that only the USB stick with the ACS image is connected to the board, and then boot the board. -The FPGA will reset multiple times during the test, and it might take approx. 24-36 hours to finish the test. At the end of test, the FPGA host terminal will halt showing a shell prompt. Once test is finished the result can be copied following above instructions. +The FPGA will reset multiple times during the test, and it might take approx. 24-36 hours to finish the test. + FVP instructions for ACS image and run -============================================ +====================================== Download ACS image from: - ``https://gitlab.arm.com/systemready/acs/arm-systemready/-/tree/linux-5.17-rc7/IR/prebuilt_images/v22.04_1.0-Linux-v5.17-rc7`` @@ -487,7 +544,7 @@ Once test is finished, the FVP can be stoped, and result can be copied following instructions. Common to FVP and FPGA -=========================== +====================== U-Boot should be able to boot the grub bootloader from the 1st partition and if grub is not interrupted, tests are executed @@ -496,14 +553,13 @@ automatically in the following sequence: - SCT - UEFI BSA - FWTS - - BSA Linux The results can be fetched from the ``acs_results`` folder in the RESULT partition of the USB stick (FPGA) / SD Card (FVP). ##################################################### Manual capsule update and ESRT checks ---------------------------------------------------------------------- +------------------------------------- The following section describes running manual capsule update with the ``direct`` method. @@ -518,63 +574,86 @@ incorrect capsule (corrupted or outdated) which fails to boot to the host softwa Check the "Run SystemReady-IR ACS tests" section above to download and unpack the ACS image file - ``ir_acs_live_image.img.xz`` -Download edk2 under <_workspace> : +Download edk2 under <_workspace>: :: git clone https://github.com/tianocore/edk2.git + cd edk2 + git checkout f2188fe5d1553ad1896e27b2514d2f8d0308da8a -********************* -Generating Capsules -********************* +Download systemready-patch repo under <_workspace>: +:: -The capsule binary size (wic.nopt file) should be less than 15 MB. + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.06 -Based on the user's requirement, the user can change the firmware version -number given to ``--fw-version`` option (the version number needs to be >= 1). +******************* +Generating Capsules +******************* Generating FPGA Capsules ======================== :: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_mps3_v5 --fw-version 5 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic.nopt + cd <_workspace>/build/tmp/deploy/images/corstone1000-mps3/ + sh <_workspace>/systemready-patch/embedded-a/corstone1000/capsule_gen/capsule_gen.sh -d mps3 + +This will generate a file called "corstone1000_image.nopt" which will be used to +generate a UEFI capsule. :: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_mps3_v6 --fw-version 6 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic.nopt + cd <_workspace> + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_mps3_v6 --fw-version 6 \ + --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index 0 \ + --verbose build/tmp/deploy/images/corstone1000-mps3/corstone1000_image.nopt + + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_mps3_v5 --fw-version 5 \ + --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index 0 \ + --verbose build/tmp/deploy/images/corstone1000-mps3/corstone1000_image.nopt Generating FVP Capsules -======================== +======================= :: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_fvp_v6 --fw-version 6 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.wic.nopt + cd <_workspace>/build/tmp/deploy/images/corstone1000-fvp/ + sh <_workspace>/systemready-patch/embedded-a/corstone1000/capsule_gen/capsule_gen.sh -d fvp + +This will generate a file called "corstone1000_image.nopt" which will be used to +generate a UEFI capsule. + :: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_fvp_v5 --fw-version 5 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.wic.nopt + cd <_workspace> + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_fvp_v6 \ + --fw-version 6 --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + 0 --verbose build/tmp/deploy/images/corstone1000-fvp/corstone1000_image.nopt -********************* + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_fvp_v5 --fw-version 5 \ + --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + 0 --verbose build/tmp/deploy/images/corstone1000-fvp/corstone1000_image.nopt + + +Common Notes for FVP and FPGA +============================= + +The capsule binary size (wic file) should be less than 15 MB. + +Based on the user's requirement, the user can change the firmware version +number given to ``--fw-version`` option (the version number needs to be >= 1). + + +**************** Copying Capsules -********************* +**************** Copying the FPGA capsules ========================= -The user should prepare a USB stick as explained in ACS image section (see above). +The user should prepare a USB stick as explained in ACS image section `FPGA instructions for ACS image`_. Place the generated ``cs1k_cap`` files in the root directory of the boot partition in the USB stick. Note: As we are running the direct method, the ``cs1k_cap`` file should not be under the EFI/UpdateCapsule directory as this may or may not trigger @@ -612,7 +691,7 @@ Then, unmount the IR image: **NOTE:** -Size of first partition in the image file is calculated in the following way. The data is +The size of first partition in the image file is calculated in the following way. The data is just an example and might vary with different ir_acs_live_image.img files. :: @@ -632,21 +711,21 @@ During this section we will be using the capsule with the higher version (cs1k_c and the capsule with the lower version (cs1k_cap_<fvp/mps3>_v5) for the negative scenario. Running the FVP with the IR prebuilt image -============================================== +========================================== Run the FVP with the IR prebuilt image: :: - <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C "board.msd_mmc.p_mmc_file ${<path-to-img>/ir_acs_live_image.img}" + <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C "board.msd_mmc.p_mmc_file=${<path-to-img>/ir_acs_live_image.img}" Running the FPGA with the IR prebuilt image -============================================== +=========================================== Insert the prepared USB stick then Power cycle the MPS3 board. Executing capsule update for FVP and FPGA -============================================== +========================================= Reach u-boot then interrupt the boot to reach the EFI shell. @@ -687,14 +766,14 @@ Then, reboot manually: Shell> reset FPGA: Select Corstone-1000 Linux kernel boot -============================================== +============================================ Remove the USB stick before u-boot is reached so the Corstone-1000 kernel will be detected and used for booting. **NOTE:** Otherwise, the execution ends up in the ACS live image. FVP: Select Corstone-1000 Linux kernel boot -============================================== +=========================================== Interrupt the u-boot shell. @@ -708,15 +787,14 @@ Run the following commands in order to run the Corstone-1000 Linux kernel and be :: - $ run retrieve_kernel_load_addr $ unzip $kernel_addr 0x90000000 $ loadm 0x90000000 $kernel_addr_r 0xf00000 $ bootefi $kernel_addr_r $fdtcontroladdr -*********************** +********************* Capsule update status -*********************** +********************* Positive scenario ================= @@ -733,7 +811,8 @@ correctly. SysTick_Handler: counted = 30, expiring on = 360 ... metadata_write: success: active = 1, previous = 0 - accept_full_capsule: exit: fwu state is changed to regular + flash_full_capsule: exit + corstone1000_fwu_flash_image: exit: ret = 0 ... @@ -775,15 +854,19 @@ see appropriate logs in the secure enclave terminal. ... uefi_capsule_retrieve_images: image 0 at 0xa0000070, size=15654928 uefi_capsule_retrieve_images: exit - flash_full_capsule: enter: image = 0x0xa0000070, size = 15654928, version = 10 + flash_full_capsule: enter: image = 0x0xa0000070, size = 7764541, version = 5 ERROR: flash_full_capsule: version error private_metadata_write: enter: boot_index = 1 private_metadata_write: success fmp_set_image_info:133 Enter FMP image update: image id = 0 - FMP image update: status = 1version=11 last_attempt_version=10. + FMP image update: status = 1version=6 last_attempt_version=5. fmp_set_image_info:157 Exit. corstone1000_fwu_flash_image: exit: ret = -1 + fmp_get_image_info:232 Enter + pack_image_info:207 ImageInfo size = 105, ImageName size = 34, ImageVersionName + size = 36 + fmp_get_image_info:236 Exit ... @@ -825,54 +908,96 @@ In the Linux command-line run the following: lowest_supported_fw_ver: 0 Linux distros tests ----------------------------------- +------------------- -*************************************************************************************** -Debian/OpenSUSE install and boot (applicable to FPGA only) -*************************************************************************************** +************************************************************* +Debian install and boot preparation (applicable to FPGA only) +************************************************************* + +There is a known issue in the `Shim 15.7 <https://salsa.debian.org/efi-team/shim/-/tree/upstream/15.7?ref_type=tags>`__ +provided with the Debian installer image (see below). This bug causes a fatal +error when attempting to boot media installer for Debian, and it resets the MPS3 before installation starts. +A patch to be applied to the Corstone-1000 stack (only applicable when +installing Debian) is provided to +`Skip the Shim <https://gitlab.arm.com/arm-reference-solutions/systemready-patch/-/blob/CORSTONE1000-2023.06/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch>`__. +This patch makes U-Boot automatically bypass the Shim and run grub and allows +the user to proceed with a normal installation. If at the moment of reading this +document the problem is solved in the Shim, the user is encouraged to try the +corresponding new installer image. Otherwise, please apply the patch as +indicated by the instructions listed below. These instructions assume that the +user has already built the stack by following the build steps of this +documentation. -To test Linux distro install and boot, the user should prepare two empty USB sticks (minimum size should be 4GB and formatted with FAT32). +:: + + cd <_workspace> + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.06 + cp -f systemready-patch/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch meta-arm + cd meta-arm + git am 0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch + cd .. + kas shell meta-arm/kas/corstone1000-mps3.yml -c="bitbake u-boot trusted-firmware-a corstone1000-image -c cleansstate; bitbake corstone1000-image" + +Please update the cs1000.bin on the SD card with the newly generated wic file. + +************************************************* +Debian/openSUSE install (applicable to FPGA only) +************************************************* + +To test Linux distro install and boot, the user should prepare two empty USB +sticks (minimum size should be 4GB and formatted with FAT32). Download one of following Linux distro images: - - Debian installer image: https://cdimage.debian.org/cdimage/weekly-builds/arm64/iso-dvd/ - - OpenSUSE Tumbleweed installer image: http://download.opensuse.org/ports/aarch64/tumbleweed/iso/ - - The user should look for a DVD Snapshot like openSUSE-Tumbleweed-DVD-aarch64-Snapshot<date>-Media.iso + - `Debian 12.0.0 installer image <https://cdimage.debian.org/debian-cd/current/arm64/iso-dvd/debian-12.0.0-arm64-DVD-1.iso>`__ + - `OpenSUSE Tumbleweed installer image <http://download.opensuse.org/ports/aarch64/tumbleweed/iso/>`__ -Once the .iso file is downloaded, the .iso file needs to be flashed to your USB drive. +**NOTE:** For OpenSUSE Tumbleweed, the user should look for a DVD Snapshot like +openSUSE-Tumbleweed-DVD-aarch64-Snapshot<date>-Media.iso -In the given example here, we assume the USB device is ``/dev/sdb`` (the user -should use `lsblk` command to confirm). Be cautious here and don't confuse your -host PC's own hard drive with the USB drive. Then copy the contents of an iso -file into the first USB stick, run: +Once the iso file is downloaded, the iso file needs to be flashed to your USB +drive. This can be done with your development machine. + +In the example given below, we assume the USB device is ``/dev/sdb`` (the user +should use the `lsblk` command to confirm). + +**NOTE:** Please don't confuse your host PC's own hard drive with the USB drive. +Then, copy the contents of the iso file into the first USB stick by running the +following command in the development machine: :: sudo dd if=<path-to-iso_file> of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync; -Boot the MSP3 board with the first USB stick connected. Open following minicom sessions: +Unplug the first USB stick from the development machine and connect it to the +MSP3 board. At this moment, only the first USB stick should be connected. Open +the following picocom sessions in your development machine: :: sudo picocom -b 115200 /dev/ttyUSB0 # in one terminal sudo picocom -b 115200 /dev/ttyUSB2 # in another terminal. -Now plug in the second USB stick (once installation screen is visible), the distro installation process will start. The installation prompt can be seen in ttyUSB2. If installer does not start, please try to reboot the board with both USB sticks connected and repeat the process. +When the installation screen is visible in ttyUSB2, plug in the second USB stick +in the MPS3 and start the distro installation process. If the installer does not +start, please try to reboot the board with both USB sticks connected and repeat +the process. **NOTE:** Due to the performance limitation of Corstone-1000 MPS3 FPGA, the distro installation process can take up to 24 hours to complete. -Once installation is complete, unplug the first USB stick and reboot the board. -After successfully installing and booting the Linux distro, the user should see -a login prompt: - -:: +******************************************************* +Debian install clarifications (applicable to FPGA only) +******************************************************* - debian login: +As the installation process for Debian is different than the one for openSUSE, +Debian may need some extra steps, that are indicated below: -Login with the username root. +During Debian installation, please answer the following question: + - "Force GRUB installation to the EFI removable media path?" Yes + - "Update NVRAM variables to automatically boot into Debian?" No -**NOTE:** The Debian installer has a known issue "Install the GRUB bootloader - unable to install " and these are the steps to -follow on the subsequent popups to solve the issue during the installation: +If the grub installation fails, these are the steps to follow on the subsequent +popups: 1. Select "Continue", then "Continue" again on the next popup 2. Scroll down and select "Execute a shell" @@ -898,19 +1023,59 @@ follow on the subsequent popups to solve the issue during the installation: 7. Select "Continue without boot loader", then select "Continue" on the next popup 8. At this stage, the installation should proceed as normal. -*************************************************************************************** +***************************************************************** +Debian/openSUSE boot after installation (applicable to FPGA only) +***************************************************************** + +Once the installation is complete, unplug the first USB stick and reboot the +board. +The board will then enter recovery mode, from which the user can access a shell +after entering the password for the root user. Proceed to edit the following +files accordingly: + +:: + + vi /etc/systemd/system.conf + DefaultDeviceTimeoutSec=infinity + +The file to be editted next is different depending on the installed distro: + +:: + + vi /etc/login.defs # Only applicable to Debian + vi /usr/etc/login.defs # Only applicable to openSUSE + LOGIN_TIMEOUT 180 + +To make sure the changes are applied, please run: + +:: + + systemctl daemon-reload + +After applying the previous commands, please reboot the board. The user should +see a login prompt after booting, for example, for debian: + +:: + + debian login: + +Login with the username root and its corresponding password (already set at +installation time). + +************************************************************ OpenSUSE Raw image install and boot (applicable to FVP only) -*************************************************************************************** +************************************************************ -Steps to download openSUSE Tumbleweed raw image: - - Go to: http://download.opensuse.org/ports/aarch64/tumbleweed/appliances/ - - The user should look for a Tumbleweed-ARM-JeOS-efi.aarch64-* Snapshot, for example, ``openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw.xz`` +Steps to download OpenSUSE Tumbleweed raw image: + - Under `OpenSUSE Tumbleweed appliances <http://download.opensuse.org/ports/aarch64/tumbleweed/appliances/>`__ + - The user should look for a Tumbleweed-ARM-JeOS-efi.aarch64-* Snapshot, for example, + ``openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw.xz`` Once the .raw.xz file is downloaded, the raw image file needs to be extracted: :: - unxz <file-name.raw.xz> + unxz <file-name.raw.xz> The above command will generate a file ending with extension .raw image. Now, use the following command @@ -918,23 +1083,23 @@ to run FVP with raw image installation process. :: -<_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C board.msd_mmc.p_mmc_file="${openSUSE raw image file path}" + <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C board.msd_mmc.p_mmc_file="${openSUSE raw image file path}" After successfully installing and booting the Linux distro, the user should see a openSUSE login prompt. :: - localhost login: + localhost login: Login with the username 'root' and password 'linux'. PSA API tests ----------------------- +------------- -*************************************************************************************** +*********************************************************** Run PSA API test commands (applicable to both FPGA and FVP) -*************************************************************************************** +*********************************************************** When running PSA API test commands (aka PSA Arch Tests) on MPS3 FPGA, the user should make sure there is no USB stick connected to the board. Power on the board and boot the board to @@ -948,7 +1113,7 @@ First, load FF-A TEE kernel module: :: - insmod /lib/modules/5.19.14-yocto-standard/extra/arm-ffa-tee.ko + insmod /lib/modules/6.1.32-yocto-standard/extra/arm-ffa-tee.ko Then, check whether the FF-A TEE driver is loaded correctly by using the following command: @@ -960,7 +1125,7 @@ The output should be: :: - arm_ffa_tee 16384 - - Live 0xffffffc0004f0000 (O) + arm_ffa_tee 16384 - - Live 0xffffffc000510000 (O) Now, run the PSA API tests in the following order: @@ -971,15 +1136,17 @@ Now, run the PSA API tests in the following order: psa-its-api-test psa-ps-api-test +**NOTE:** The psa-crypto-api-test takes between 30 minutes to 1 hour to run. + External System tests ------------------------------------ +--------------------- -*************************************************************************************** +************************************************************** Running the External System test command (systems-comms-tests) -*************************************************************************************** +************************************************************** Test 1: Releasing the External System out of reset -=================================================== +================================================== Run this command in the Linux command-line: @@ -1004,7 +1171,7 @@ The output on the External System terminal should be: MHUv2 module 'MHU1_SE' started Test 2: Communication -============================================= +===================== Test 2 releases the External System out of reset if not already done. Then, it performs communication between host and External System. @@ -1014,7 +1181,7 @@ After running Test 1, run this command in the Linux command-line: systems-comms-tests 2 -Additional output on the External System terminal will be printed: +Additional output on the External System terminal will be printed: :: @@ -1058,13 +1225,13 @@ The output on the Host terminal should be: Tests results ------------------------------------ +------------- -As a reference for the end user, reports for various tests for `Corstone-1000 software (CORSTONE1000-2022.11.23) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2022.11.23>`__ -can be found in `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/master/embedded-a/corstone1000>`__. +As a reference for the end user, reports for various tests for `Corstone-1000 software (CORSTONE1000-2023.06) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2023.06>`__ +can be found `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/master/embedded-a/corstone1000>`__. Running the software on FVP on Windows ---------------------------------------------------------------- +-------------------------------------- If the user needs to run the Corstone-1000 software on FVP on Windows. The user should follow the build instructions in this document to build on Linux host @@ -1073,6 +1240,7 @@ and launch the FVP binary. -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* .. _Arm Ecosystem FVPs: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps +.. _U-Boot repo: https://github.com/u-boot/u-boot.git diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/n1sdp/0001-Reserve-OP-TEE-memory-from-nwd.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/n1sdp/0001-Reserve-OP-TEE-memory-from-nwd.patch new file mode 100644 index 0000000000..2c634e350f --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/n1sdp/0001-Reserve-OP-TEE-memory-from-nwd.patch @@ -0,0 +1,41 @@ +From 2d305094f8f500362079e9e7637d46129bf980e4 Mon Sep 17 00:00:00 2001 +From: Adam Johnston <adam.johnston@arm.com> +Date: Tue, 25 Jul 2023 16:05:51 +0000 +Subject: [PATCH] n1sdp: Reserve OP-TEE memory from NWd + +The physical memory which is used to run OP-TEE on the N1SDP is known +to the secure world via TOS_FW_CONFIG, but it may not be known to the +normal world. + +As a precaution, explicitly reserve this memory via NT_FW_CONFIG to +prevent the normal world from using it. This is not required on most +platforms as the Trusted OS is run from secure RAM. + +Upstream-Status: Pending (not yet submited to upstream) +Signed-off-by: Adam Johnston <adam.johnston@arm.com> +--- + plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts b/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts +index da5e04ddb6..b7e2d4e86f 100644 +--- a/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts ++++ b/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts +@@ -20,4 +20,16 @@ + local-ddr-size = <0x0>; + remote-ddr-size = <0x0>; + }; ++ ++ reserved-memory { ++ #address-cells = <2>; ++ #size-cells = <2>; ++ ranges; ++ ++ optee@0x08000000 { ++ compatible = "removed-dma-pool"; ++ reg = <0x0 0x08000000 0x0 0x02000000>; ++ no-map; ++ }; ++ }; + }; +\ No newline at end of file diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc index 008103469e..2b85b9dbd1 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc @@ -37,6 +37,7 @@ EXTRA_OEMAKE:append = " \ NR_OF_IMAGES_IN_FW_BANK=4 \ COT=tbbr \ ARM_ROTPK_LOCATION=devel_rsa \ + ERRATA_A35_855472=1 \ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ BL32=${RECIPE_SYSROOT}/lib/firmware/tee-pager_v2.bin \ LOG_LEVEL=50 \ diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc index f4ebcc1c5f..654e43270f 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc @@ -9,6 +9,12 @@ TFA_MBEDTLS = "1" TFA_UBOOT = "0" TFA_UEFI = "1" +FILESEXTRAPATHS:prepend := "${THISDIR}/files/n1sdp:" + +SRC_URI:append = " \ + file://0001-Reserve-OP-TEE-memory-from-nwd.patch \ + " + TFA_ROT_KEY= "plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem" # Enabling Secure-EL1 Payload Dispatcher (SPD) diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-efi_boottime-allow-to-reset-a-path-after-boot.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-efi_boottime-allow-to-reset-a-path-after-boot.patch deleted file mode 100644 index 5c053974d1..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-efi_boottime-allow-to-reset-a-path-after-boot.patch +++ /dev/null @@ -1,31 +0,0 @@ -From eb8e224290149fd39ca4b3a774abef2e31237943 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva <rui.silva@linaro.org> -Date: Wed, 1 Feb 2023 16:11:25 +0000 -Subject: [PATCH 34/42] efi_boottime: allow to reset a path after boot - -Allow to install multiple protocol interfaces in an -already installed root interface. -This may need to be fix in other way, but for now -looks like the get away fix. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - lib/efi_loader/efi_boottime.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c -index fea4eb7a34..90f43ff9a6 100644 ---- a/lib/efi_loader/efi_boottime.c -+++ b/lib/efi_loader/efi_boottime.c -@@ -2669,7 +2669,6 @@ efi_install_multiple_protocol_interfaces_int(efi_handle_t *handle, - EFI_PRINT("Path %pD already installed\n", - protocol_interface); - ret = EFI_ALREADY_STARTED; -- break; - } - } - ret = EFI_CALL(efi_install_protocol_interface(handle, protocol, --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-fwu_metadata-make-sure-structures-are-packed.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-fwu_metadata-make-sure-structures-are-packed.patch index fedc1f2e1b..fedc1f2e1b 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-fwu_metadata-make-sure-structures-are-packed.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-fwu_metadata-make-sure-structures-are-packed.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-add-boot-index.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-corstone1000-add-boot-index.patch index d9568563e6..d9568563e6 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-add-boot-index.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-corstone1000-add-boot-index.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-adjust-boot-bank-and-kernel-location.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-adjust-boot-bank-and-kernel-location.patch index 277e988b3f..277e988b3f 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-adjust-boot-bank-and-kernel-location.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-adjust-boot-bank-and-kernel-location.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch index a0f2bb16f5..a0f2bb16f5 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-nvmxip-move-header-to-include.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-nvmxip-move-header-to-include.patch index b745fe9b6b..b745fe9b6b 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-nvmxip-move-header-to-include.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-nvmxip-move-header-to-include.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch index ba2e5e17fe..ba2e5e17fe 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-boot-index-from-active.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-boot-index-from-active.patch index f0e14942ad..f0e14942ad 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-boot-index-from-active.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-boot-index-from-active.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-corstone1000-enable-PSCI-reset.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-enable-PSCI-reset.patch index cad830f4c8..cad830f4c8 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-corstone1000-enable-PSCI-reset.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-enable-PSCI-reset.patch diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-Enable-EFI-set-get-time-services.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-Enable-EFI-set-get-time-services.patch new file mode 100644 index 0000000000..8911abfe20 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-Enable-EFI-set-get-time-services.patch @@ -0,0 +1,32 @@ +From 9f326f0db8aa13fde93e2ed79055b920c8598a28 Mon Sep 17 00:00:00 2001 +From: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com> +Date: Mon, 12 Jun 2023 15:14:52 +0000 +Subject: [PATCH] Enable EFI set/get time services + +SetTime_Conf and SetTime_Func tests in UEFI SCT test suite of ACS +fails with unsupported return value. CONFIG_EFI_SET_TIME and +CONFIG_EFI_GET_TIME config values are added to enable these EFI +services. + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com> +--- + configs/corstone1000_defconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig +index c692cc91bd..f1901dfe8b 100644 +--- a/configs/corstone1000_defconfig ++++ b/configs/corstone1000_defconfig +@@ -7,6 +7,8 @@ CONFIG_NR_DRAM_BANKS=1 + CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y + CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x83f00000 + CONFIG_DM_GPIO=y ++CONFIG_EFI_SET_TIME=y ++CONFIG_EFI_GET_TIME=y + CONFIG_DEFAULT_DEVICE_TREE="corstone1000-mps3" + CONFIG_SYS_PROMPT="corstone1000# " + CONFIG_IDENT_STRING=" corstone1000 aarch64 " +-- +2.17.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch new file mode 100644 index 0000000000..e574103ec9 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch @@ -0,0 +1,47 @@ +From dfebda98ce08d0cab411521ab3d9e832ed1b4608 Mon Sep 17 00:00:00 2001 +From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> +Date: Thu, 15 Jun 2023 16:51:49 +0100 +Subject: [PATCH] corstone1000: fix compilation warnings in + fwu_plat_get_bootidx() + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> +--- + board/armltd/corstone1000/corstone1000.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c +index db508ac3cb..2e1ace5d04 100644 +--- a/board/armltd/corstone1000/corstone1000.c ++++ b/board/armltd/corstone1000/corstone1000.c +@@ -9,6 +9,7 @@ + #include <common.h> + #include <dm.h> + #include <env.h> ++#include <fwu.h> + #include <netdev.h> + #include <nvmxip.h> + #include <part.h> +@@ -116,7 +117,7 @@ int dram_init_banksize(void) + return 0; + } + +-void fwu_plat_get_bootidx(int *boot_idx) ++void fwu_plat_get_bootidx(uint *boot_idx) + { + int ret; + +@@ -127,9 +128,7 @@ void fwu_plat_get_bootidx(int *boot_idx) + */ + ret = fwu_get_active_index(boot_idx); + if (ret < 0) +- log_err("corstone1000: failed to read active index\n"); +- +- return ret; ++ log_err("corstone1000: failed to read active index err %d\n", ret); + } + + int board_late_init(void) +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend index d16aca1430..e752112665 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend @@ -51,15 +51,16 @@ SRC_URI:append:corstone1000 = " \ file://0031-corstone1000-add-NVM-XIP-QSPI-device-tree-node.patch \ file://0032-sandbox64-add-a-test-case-for-UCLASS_NVMXIP.patch \ file://0033-corstone1000-add-fwu-metadata-store-info.patch \ - file://0034-efi_boottime-allow-to-reset-a-path-after-boot.patch \ - file://0035-fwu_metadata-make-sure-structures-are-packed.patch \ - file://0036-corstone1000-add-boot-index.patch \ - file://0037-corstone1000-adjust-boot-bank-and-kernel-location.patch \ - file://0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch \ - file://0039-nvmxip-move-header-to-include.patch \ - file://0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch \ - file://0041-corstone1000-boot-index-from-active.patch \ - file://0042-corstone1000-enable-PSCI-reset.patch \ + file://0034-fwu_metadata-make-sure-structures-are-packed.patch \ + file://0035-corstone1000-add-boot-index.patch \ + file://0036-corstone1000-adjust-boot-bank-and-kernel-location.patch \ + file://0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch \ + file://0038-nvmxip-move-header-to-include.patch \ + file://0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch \ + file://0040-corstone1000-boot-index-from-active.patch \ + file://0041-corstone1000-enable-PSCI-reset.patch \ + file://0042-Enable-EFI-set-get-time-services.patch \ + file://0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch \ " # diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc index 30f9966662..1f028ffa37 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc +++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc @@ -1,5 +1,7 @@ SRC_URI:remove = " \ file://0003-core-link-add-no-warn-rwx-segments.patch \ + file://0007-core-spmc-handle-non-secure-interrupts.patch \ + file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch \ " COMPATIBLE_MACHINE = "corstone1000" diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-openamp-to-SE-proxy-deployment.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-openamp-to-SE-proxy-deployment.patch deleted file mode 100644 index c44885cf04..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-openamp-to-SE-proxy-deployment.patch +++ /dev/null @@ -1,287 +0,0 @@ -From 13de79cd4f0d25b812e5f4ad4a19bc075496be83 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath <vishnu.banavath@arm.com> -Date: Fri, 3 Dec 2021 16:36:51 +0000 -Subject: [PATCH 01/20] Add openamp to SE proxy deployment - -Openamp is required to communicate between secure partitions(running on -Cortex-A) and trusted-firmware-m(running on Cortex-M). -These changes are to fetch libmetal and openamp from github repo's -and build it. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - deployments/se-proxy/opteesp/lse.S | 28 ++++++++ - deployments/se-proxy/se-proxy.cmake | 8 +++ - external/openamp/libmetal-init-cache.cmake.in | 20 ++++++ - external/openamp/libmetal.cmake | 67 +++++++++++++++++++ - external/openamp/openamp-init-cache.cmake.in | 20 ++++++ - external/openamp/openamp.cmake | 66 ++++++++++++++++++ - 6 files changed, 209 insertions(+) - create mode 100644 deployments/se-proxy/opteesp/lse.S - create mode 100644 external/openamp/libmetal-init-cache.cmake.in - create mode 100644 external/openamp/libmetal.cmake - create mode 100644 external/openamp/openamp-init-cache.cmake.in - create mode 100644 external/openamp/openamp.cmake - -diff --git a/deployments/se-proxy/opteesp/lse.S b/deployments/se-proxy/opteesp/lse.S -new file mode 100644 -index 000000000000..8e466d65fc2b ---- /dev/null -+++ b/deployments/se-proxy/opteesp/lse.S -@@ -0,0 +1,28 @@ -+// SPDX-License-Identifier: BSD-3-Clause -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ */ -+ -+.text -+.globl __aarch64_cas4_acq_rel -+.globl __aarch64_cas4_sync -+ -+__aarch64_cas4_acq_rel: -+ mov w16, w0 -+ ldaxr w0, [x2] -+ cmp w0, w16 -+0: bne 1f -+ -+ stlxr w17, w1, [x2] -+ cbnz w17, 0b -+1: ret -+ -+__aarch64_cas4_sync: -+ mov w16, w0 -+ ldxr w0, [x2] -+ cmp w0, w16 -+0: bne 1f -+ -+ stlxr w17, w1, [x2] -+ cbnz w17, 0b -+1: ret -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index 426c66c05350..d39873a0fe81 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -61,6 +61,7 @@ add_components(TARGET "se-proxy" - target_sources(se-proxy PRIVATE - ${CMAKE_CURRENT_LIST_DIR}/common/se_proxy_sp.c - ${CMAKE_CURRENT_LIST_DIR}/common/service_proxy_factory.c -+ ${CMAKE_CURRENT_LIST_DIR}/opteesp/lse.S - ) - - #------------------------------------------------------------------------------- -@@ -73,6 +74,13 @@ include(../../../external/nanopb/nanopb.cmake) - target_link_libraries(se-proxy PRIVATE nanopb::protobuf-nanopb-static) - protobuf_generate_all(TGT "se-proxy" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols") - -+# libmetal -+include(../../../external/openamp/libmetal.cmake) -+ -+# OpenAMP -+include(../../../external/openamp/openamp.cmake) -+target_link_libraries(se-proxy PRIVATE openamp libmetal) -+ - ################################################################# - - target_include_directories(se-proxy PRIVATE -diff --git a/external/openamp/libmetal-init-cache.cmake.in b/external/openamp/libmetal-init-cache.cmake.in -new file mode 100644 -index 000000000000..04c25fbde960 ---- /dev/null -+++ b/external/openamp/libmetal-init-cache.cmake.in -@@ -0,0 +1,20 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. -+# Copyright (c) 2021-2022, Linaro. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "") -+set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "") -+set(BUILD_SHARED_LIBS Off CACHE BOOL "") -+set(BUILD_STATIC_LIBS On CACHE BOOL "") -+ -+set(WITH_DOC OFF CACHE BOOL "") -+set(WITH_TESTS OFF CACHE BOOL "") -+set(WITH_EXAMPLES OFF CACHE BOOL "") -+set(WITH_DEFAULT_LOGGER OFF CACHE BOOL "") -+set(MACHINE "template" CACHE STRING "") -+ -+@_cmake_fragment@ -diff --git a/external/openamp/libmetal.cmake b/external/openamp/libmetal.cmake -new file mode 100644 -index 000000000000..6e5004ff555c ---- /dev/null -+++ b/external/openamp/libmetal.cmake -@@ -0,0 +1,67 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2022 Linaro Limited -+# Copyright (c) 2022, Arm Limited. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set (LIBMETAL_URL "https://github.com/OpenAMP/libmetal.git" -+ CACHE STRING "libmetal repository URL") -+set (LIBMETAL_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/libmetal_install" -+ CACHE DIR "libmetal installation directory") -+set(LIBMETAL_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libmetal" -+ CACHE DIR "libmetal source-code") -+set (LIBMETAL_PACKAGE_DIR "${LIBMETAL_INSTALL_DIR}/libmetal/cmake" -+ CACHE DIR "libmetal CMake package directory") -+set (LIBMETAL_TARGET_NAME "libmetal") -+set (LIBMETAL_REFSPEC "f252f0e007fbfb8b3a52b1d5901250ddac96baad" -+ CACHE STRING "The version of libmetal to use") -+set(LIBMETAL_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libmetal-build") -+ -+set(GIT_OPTIONS -+ GIT_REPOSITORY ${LIBMETAL_URL} -+ GIT_TAG ${LIBMETAL_REFSPEC} -+ GIT_SHALLOW FALSE -+) -+ -+if(NOT LIBMETAL_DEBUG) -+ set(LIBMETAL_BUILD_TYPE "Release") -+else() -+ set(LIBMETAL_BUILD_TYPE "Debug") -+endif() -+ -+include(FetchContent) -+ -+# Checking git -+find_program(GIT_COMMAND "git") -+if (NOT GIT_COMMAND) -+ message(FATAL_ERROR "Please install git") -+endif() -+ -+# Only pass libc settings to libmetal if needed. For environments where the -+# standard library is not overridden, this is not needed. -+if(TARGET stdlib::c) -+ include(${TS_ROOT}/tools/cmake/common/PropertyCopy.cmake) -+ -+ # Save libc settings -+ save_interface_target_properties(TGT stdlib::c PREFIX LIBC) -+ # Translate libc settings to cmake code fragment. Will be inserted into -+ # libmetal-init-cache.cmake.in when LazyFetch configures the file. -+ translate_interface_target_properties(PREFIX LIBC RES _cmake_fragment) -+ unset_saved_properties(LIBC) -+endif() -+ -+include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) -+LazyFetch_MakeAvailable(DEP_NAME libmetal -+ FETCH_OPTIONS "${GIT_OPTIONS}" -+ INSTALL_DIR "${LIBMETAL_INSTALL_DIR}" -+ CACHE_FILE "${TS_ROOT}/external/openamp/libmetal-init-cache.cmake.in" -+ SOURCE_DIR "${LIBMETAL_SOURCE_DIR}" -+) -+unset(_cmake_fragment) -+ -+#Create an imported target to have clean abstraction in the build-system. -+add_library(libmetal STATIC IMPORTED) -+set_property(TARGET libmetal PROPERTY IMPORTED_LOCATION "${LIBMETAL_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}metal${CMAKE_STATIC_LIBRARY_SUFFIX}") -+set_property(TARGET libmetal PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${LIBMETAL_INSTALL_DIR}/include") -diff --git a/external/openamp/openamp-init-cache.cmake.in b/external/openamp/openamp-init-cache.cmake.in -new file mode 100644 -index 000000000000..302b80511bce ---- /dev/null -+++ b/external/openamp/openamp-init-cache.cmake.in -@@ -0,0 +1,20 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. -+# Copyright (c) 2021-2022, Linaro. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "") -+set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "") -+set(BUILD_SHARED_LIBS Off CACHE BOOL "") -+set(BUILD_STATIC_LIBS On CACHE BOOL "") -+ -+set(LIBMETAL_INCLUDE_DIR "@CMAKE_CURRENT_BINARY_DIR@/libmetal_install/include" CACHE -+ STRING "") -+set(LIBMETAL_LIB "@CMAKE_CURRENT_BINARY_DIR@/libmetal_install/lib" CACHE STRING "") -+set(RPMSG_BUFFER_SIZE "512" CACHE STRING "") -+set(MACHINE "template" CACHE STRING "") -+ -+@_cmake_fragment@ -diff --git a/external/openamp/openamp.cmake b/external/openamp/openamp.cmake -new file mode 100644 -index 000000000000..449f35f4fda4 ---- /dev/null -+++ b/external/openamp/openamp.cmake -@@ -0,0 +1,66 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2022 Linaro Limited -+# Copyright (c) 2022, Arm Limited. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set (OPENAMP_URL "https://github.com/OpenAMP/open-amp.git" -+ CACHE STRING "OpenAMP repository URL") -+set (OPENAMP_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/openamp_install" -+ CACHE DIR "OpenAMP installation directory") -+set (OPENAMP_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/openamp" -+ CACHE DIR "OpenAMP source code directory") -+set (OPENAMP_PACKAGE_DIR "${OPENAMP_INSTALL_DIR}/openamp/cmake" -+ CACHE DIR "OpenAMP CMake package directory") -+set (OPENAMP_TARGET_NAME "openamp") -+set (OPENAMP_REFSPEC "347397decaa43372fc4d00f965640ebde042966d" -+ CACHE STRING "The version of openamp to use") -+ -+set(GIT_OPTIONS -+ GIT_REPOSITORY ${OPENAMP_URL} -+ GIT_TAG ${OPENAMP_REFSPEC} -+ GIT_SHALLOW FALSE -+) -+ -+if(NOT OPENAMP_DEBUG) -+ set(OPENAMP_BUILD_TYPE "Release") -+else() -+ set(OPENAMP_BUILD_TYPE "Debug") -+endif() -+ -+include(FetchContent) -+ -+# Checking git -+find_program(GIT_COMMAND "git") -+if (NOT GIT_COMMAND) -+ message(FATAL_ERROR "Please install git") -+endif() -+ -+# Only pass libc settings to openamp if needed. For environments where the -+# standard library is not overridden, this is not needed. -+if(TARGET stdlib::c) -+ include(${TS_ROOT}/tools/cmake/common/PropertyCopy.cmake) -+ -+ # Save libc settings -+ save_interface_target_properties(TGT stdlib::c PREFIX LIBC) -+ # Translate libc settings to cmake code fragment. Will be inserted into -+ # libmetal-init-cache.cmake.in when LazyFetch configures the file. -+ translate_interface_target_properties(PREFIX LIBC RES _cmake_fragment) -+ unset_saved_properties(LIBC) -+endif() -+ -+include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) -+LazyFetch_MakeAvailable(DEP_NAME openamp -+ FETCH_OPTIONS "${GIT_OPTIONS}" -+ INSTALL_DIR "${OPENAMP_INSTALL_DIR}" -+ CACHE_FILE "${TS_ROOT}/external/openamp/openamp-init-cache.cmake.in" -+ SOURCE_DIR "${OPENAMP_SOURCE_DIR}" -+) -+unset(_cmake_fragment) -+ -+#Create an imported target to have clean abstraction in the build-system. -+add_library(openamp STATIC IMPORTED) -+set_property(TARGET openamp PROPERTY IMPORTED_LOCATION "${OPENAMP_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}open_amp${CMAKE_STATIC_LIBRARY_SUFFIX}") -+set_property(TARGET openamp PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${OPENAMP_INSTALL_DIR}/include") --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Add-stub-capsule-update-service-components.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch index 0040e12727..c1775b795c 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Add-stub-capsule-update-service-components.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch @@ -1,7 +1,7 @@ -From 050be6fdfee656b0556766cc1db30f4c0ea87c79 Mon Sep 17 00:00:00 2001 +From a965129153a0cca340535fe2cf99dbfef9b557da Mon Sep 17 00:00:00 2001 From: Julian Hall <julian.hall@arm.com> Date: Tue, 12 Oct 2021 15:45:41 +0100 -Subject: [PATCH 13/20] Add stub capsule update service components +Subject: [PATCH 1/6] Add stub capsule update service components To facilitate development of a capsule update service provider, stub components are added to provide a starting point for an @@ -18,15 +18,12 @@ Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> .../provider/capsule_update_provider.c | 133 ++++++++++++++++++ .../provider/capsule_update_provider.h | 51 +++++++ .../capsule_update/provider/component.cmake | 13 ++ - deployments/se-proxy/common/se_proxy_sp.c | 3 + - .../se-proxy/common/service_proxy_factory.c | 16 +++ - .../se-proxy/common/service_proxy_factory.h | 1 + - deployments/se-proxy/se-proxy.cmake | 1 + + .../se-proxy/infra/corstone1000/infra.cmake | 1 + deployments/se-proxy/se_proxy_interfaces.h | 9 +- .../capsule_update/capsule_update_proto.h | 13 ++ protocols/service/capsule_update/opcodes.h | 17 +++ protocols/service/capsule_update/parameters.h | 15 ++ - 12 files changed, 292 insertions(+), 4 deletions(-) + 9 files changed, 272 insertions(+), 4 deletions(-) create mode 100644 components/service/capsule_update/backend/capsule_update_backend.h create mode 100644 components/service/capsule_update/provider/capsule_update_provider.c create mode 100644 components/service/capsule_update/provider/capsule_update_provider.h @@ -280,75 +277,18 @@ index 000000000000..1d412eb234d9 +target_sources(${TGT} PRIVATE + "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c" + ) -diff --git a/deployments/se-proxy/common/se_proxy_sp.c b/deployments/se-proxy/common/se_proxy_sp.c -index a37396f4454b..a38ad6ca3f56 100644 ---- a/deployments/se-proxy/common/se_proxy_sp.c -+++ b/deployments/se-proxy/common/se_proxy_sp.c -@@ -77,6 +77,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info) - } - rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface); - -+ rpc_iface = capsule_update_proxy_create(); -+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface); -+ - /* End of boot phase */ - result = sp_msg_wait(&req_msg); - if (result != SP_RESULT_OK) { -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 7edeef8b434a..591cc9eeb59e 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -13,6 +13,7 @@ - #include <service/crypto/factory/crypto_provider_factory.h> - #include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h> - #include <trace.h> -+#include <service/capsule_update/provider/capsule_update_provider.h> - - /* Stub backends */ - #include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -@@ -93,3 +94,18 @@ struct rpc_interface *its_proxy_create(void) - - return secure_storage_provider_init(&its_provider, backend); - } -+ -+struct rpc_interface *capsule_update_proxy_create(void) -+{ -+ static struct capsule_update_provider capsule_update_provider; -+ static struct rpc_caller *capsule_update_caller; -+ -+ capsule_update_caller = openamp_caller_init(&openamp); -+ -+ if (!capsule_update_caller) -+ return NULL; -+ -+ capsule_update_provider.client.caller = capsule_update_caller; -+ -+ return capsule_update_provider_init(&capsule_update_provider); -+} -diff --git a/deployments/se-proxy/common/service_proxy_factory.h b/deployments/se-proxy/common/service_proxy_factory.h -index 298d407a2371..02aa7fe2550d 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.h -+++ b/deployments/se-proxy/common/service_proxy_factory.h -@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void); - struct rpc_interface *crypto_proxy_create(void); - struct rpc_interface *ps_proxy_create(void); - struct rpc_interface *its_proxy_create(void); -+struct rpc_interface *capsule_update_proxy_create(void); - - #ifdef __cplusplus - } -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index 3dbbc36c968d..f0db2d43f443 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -51,6 +51,7 @@ add_components(TARGET "se-proxy" - "components/service/attestation/provider/serializer/packed-c" +diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake +index 4e7e2bd58028..e60b5400617f 100644 +--- a/deployments/se-proxy/infra/corstone1000/infra.cmake ++++ b/deployments/se-proxy/infra/corstone1000/infra.cmake +@@ -21,6 +21,7 @@ add_components(TARGET "se-proxy" + "components/service/attestation/key_mngr/local" "components/service/attestation/reporter/psa_ipc" - "components/service/attestation/client/psa_ipc" + "components/service/crypto/backend/psa_ipc" + "components/service/capsule_update/provider" - "components/rpc/openamp/caller/sp" + "components/service/secure_storage/backend/secure_storage_ipc" + ) - # Stub service provider backends diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h index 48908f846990..3d4a7c204785 100644 --- a/deployments/se-proxy/se_proxy_interfaces.h @@ -432,5 +372,5 @@ index 000000000000..285d924186be + +#endif /* CAPSULE_UPDATE_PARAMETERS_H */ -- -2.38.1 +2.40.0 diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch index c1598a9e11..3f3800ceb9 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch @@ -1,7 +1,7 @@ -From 1a4d46fdc0b5745b9cfb0789e4b778111bd6dbbb Mon Sep 17 00:00:00 2001 +From 51a7024967187644011c5043ef0f733cf81b26be Mon Sep 17 00:00:00 2001 From: Satish Kumar <satish.kumar01@arm.com> Date: Mon, 14 Feb 2022 08:22:25 +0000 -Subject: [PATCH 18/20] Fixes in AEAD for psa-arch test 54 and 58. +Subject: [PATCH 2/6] Fixes in AEAD for psa-arch test 54 and 58. Upstream-Status: Pending [Not submitted to upstream yet] Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> @@ -29,7 +29,7 @@ index c4ffb20cf7f8..a91f66c14008 100644 /* Mandatory input data parameter */ diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 4d7bf6e959b0..e3c4df2927b3 100644 +index 30aa102da581..130d27295878 100644 --- a/components/service/crypto/include/psa/crypto_sizes.h +++ b/components/service/crypto/include/psa/crypto_sizes.h @@ -351,7 +351,7 @@ @@ -117,5 +117,5 @@ index 0be266b52403..435fd3b523ce 100644 /* Variable length input parameter tags */ -- -2.38.1 +2.40.0 diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch deleted file mode 100644 index 0371a7a418..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch +++ /dev/null @@ -1,1091 +0,0 @@ -From 28aedac78016e5063ebd675a43e6c3655f87b442 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath <vishnu.banavath@arm.com> -Date: Fri, 3 Dec 2021 18:00:46 +0000 -Subject: [PATCH 02/20] Implement mhu driver and the OpenAmp conversion layer. - -This commit adds an mhu driver (v2.1 and v2) to the secure -partition se_proxy and a conversion layer to communicate with -the secure enclave using OpenAmp. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../se-proxy/opteesp/default_se-proxy.dts.in | 16 + - .../drivers/arm/mhu_driver/component.cmake | 12 + - platform/drivers/arm/mhu_driver/mhu_v2.h | 391 ++++++++++++ - platform/drivers/arm/mhu_driver/mhu_v2_x.c | 602 ++++++++++++++++++ - .../providers/arm/corstone1000/platform.cmake | 10 + - 5 files changed, 1031 insertions(+) - create mode 100644 platform/drivers/arm/mhu_driver/component.cmake - create mode 100644 platform/drivers/arm/mhu_driver/mhu_v2.h - create mode 100644 platform/drivers/arm/mhu_driver/mhu_v2_x.c - create mode 100644 platform/providers/arm/corstone1000/platform.cmake - -diff --git a/deployments/se-proxy/opteesp/default_se-proxy.dts.in b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -index 5748d2f80f88..267b4f923540 100644 ---- a/deployments/se-proxy/opteesp/default_se-proxy.dts.in -+++ b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -@@ -17,4 +17,20 @@ - xlat-granule = <0>; /* 4KiB */ - messaging-method = <3>; /* Direct messaging only */ - legacy-elf-format = <1>; -+ -+ device-regions { -+ compatible = "arm,ffa-manifest-device-regions"; -+ mhu-sender { -+ /* Armv8 A Foundation Platform values */ -+ base-address = <0x00000000 0x1b820000>; -+ pages-count = <16>; -+ attributes = <0x3>; /* read-write */ -+ }; -+ mhu-receiver { -+ /* Armv8 A Foundation Platform values */ -+ base-address = <0x00000000 0x1b830000>; -+ pages-count = <16>; -+ attributes = <0x3>; /* read-write */ -+ }; -+ }; - }; -diff --git a/platform/drivers/arm/mhu_driver/component.cmake b/platform/drivers/arm/mhu_driver/component.cmake -new file mode 100644 -index 000000000000..77a5a50b67d1 ---- /dev/null -+++ b/platform/drivers/arm/mhu_driver/component.cmake -@@ -0,0 +1,12 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+# Add source files for using mhu driver -+target_sources(${TGT} -+ PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/mhu_v2_x.c" -+) -diff --git a/platform/drivers/arm/mhu_driver/mhu_v2.h b/platform/drivers/arm/mhu_driver/mhu_v2.h -new file mode 100644 -index 000000000000..2e4ba80fab95 ---- /dev/null -+++ b/platform/drivers/arm/mhu_driver/mhu_v2.h -@@ -0,0 +1,391 @@ -+/* -+ * Copyright (c) 2021 Arm Limited -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+/** -+ * \file mhu_v2_x.h -+ * \brief Driver for Arm MHU v2.0 and v2.1 -+ */ -+ -+#ifndef __MHU_V2_X_H__ -+#define __MHU_V2_X_H__ -+ -+#include <stdint.h> -+#include <stdbool.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#define MHU_2_X_INTR_NR2R_OFF (0x0u) -+#define MHU_2_X_INTR_R2NR_OFF (0x1u) -+#define MHU_2_1_INTR_CHCOMB_OFF (0x2u) -+ -+#define MHU_2_X_INTR_NR2R_MASK (0x1u << MHU_2_X_INTR_NR2R_OFF) -+#define MHU_2_X_INTR_R2NR_MASK (0x1u << MHU_2_X_INTR_R2NR_OFF) -+#define MHU_2_1_INTR_CHCOMB_MASK (0x1u << MHU_2_1_INTR_CHCOMB_OFF) -+ -+enum mhu_v2_x_frame_t { -+ MHU_V2_X_SENDER_FRAME = 0x0u, -+ MHU_V2_X_RECEIVER_FRAME = 0x1u, -+}; -+ -+enum mhu_v2_x_supported_revisions { -+ MHU_REV_READ_FROM_HW = 0, -+ MHU_REV_2_0, -+ MHU_REV_2_1, -+}; -+ -+struct mhu_v2_x_dev_t { -+ uint32_t base; -+ enum mhu_v2_x_frame_t frame; -+ uint32_t subversion; /*!< Hardware subversion: v2.X */ -+ bool is_initialized; /*!< Indicates if the MHU driver -+ * is initialized and enabled -+ */ -+}; -+ -+/** -+ * \brief MHU v2 error enumeration types. -+ */ -+enum mhu_v2_x_error_t { -+ MHU_V_2_X_ERR_NONE = 0, -+ MHU_V_2_X_ERR_NOT_INIT = -1, -+ MHU_V_2_X_ERR_ALREADY_INIT = -2, -+ MHU_V_2_X_ERR_UNSUPPORTED_VERSION = -3, -+ MHU_V_2_X_ERR_INVALID_ARG = -4, -+ MHU_V_2_X_ERR_GENERAL = -5 -+}; -+ -+/** -+ * \brief Initializes the driver -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] rev MHU revision (if can't be identified from HW) -+ * -+ * Reads the MHU hardware version -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note MHU revision only has to be specified when versions can't be read -+ * from HW (ARCH_MAJOR_REV reg reads as 0x0). -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_driver_init(struct mhu_v2_x_dev_t *dev, -+ enum mhu_v2_x_supported_revisions rev); -+ -+/** -+ * \brief Returns the number of channels implemented. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * Returns the number of channels implemented. -+ * -+ * \return Returns the number of channels implemented. -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+uint32_t mhu_v2_x_get_num_channel_implemented( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Sends the value over a channel. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Channel to send the value over. -+ * \param[in] val Value to send. -+ * -+ * Sends the value over a channel. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_send(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel, uint32_t val); -+ -+/** -+ * \brief Clears the channel after the value is send over it. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Channel to clear. -+ * -+ * Clears the channel after the value is send over it. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_clear(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel); -+ -+/** -+ * \brief Receives the value over a channel. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Channel to receive the value from. -+ * \param[out] value Pointer to variable that will store the value. -+ * -+ * Receives the value over a channel. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_receive( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t *value); -+ -+/** -+ * \brief Sets bits in the Channel Mask. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's mask to set. -+ * \param[in] mask Mask to be set over a receiver frame. -+ * -+ * Sets bits in the Channel Mask. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_set( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask); -+ -+/** -+ * \brief Clears bits in the Channel Mask. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's mask to clear. -+ * \param[in] mask Mask to be clear over a receiver frame. -+ * -+ * Clears bits in the Channel Mask. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask); -+ -+/** -+ * \brief Enables the Channel interrupt. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's interrupt to enable. -+ * -+ * Enables the Channel clear interrupt. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel); -+ -+/** -+ * \brief Disables the Channel interrupt. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's interrupt to disable. -+ * -+ * Disables the Channel interrupt. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel); -+ -+/** -+ * \brief Cleares the Channel interrupt. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's interrupt to clear. -+ * -+ * Cleares the Channel interrupt. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel); -+ -+/** -+ * \brief Initiates a MHU transfer with the handshake signals. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * Initiates a MHU transfer with the handshake signals in a blocking mode. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_initiate_transfer( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Closes a MHU transfer with the handshake signals. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * Closes a MHU transfer with the handshake signals in a blocking mode. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_close_transfer( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Returns the value of access request signal. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[out] val Pointer to variable that will store the value. -+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_request( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val); -+ -+/** -+ * \brief Sets the value of access request signal to high. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_set_access_request( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Sets the value of access request signal to low. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_reset_access_request( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Returns the value of access ready signal. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[out] val Pointer to variable that will store the value. -+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_ready( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val); -+ -+/** -+ * \brief Returns the MHU interrupt status. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * \return Interrupt status register value. Masking is needed for individual -+ * interrupts. -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+uint32_t mhu_v2_x_get_interrupt_status(const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Enables MHU interrupts. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] mask Bit mask for enabling/disabling interrupts -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask); -+ -+/** -+ * \brief Disables MHU interrupts. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] mask Bit mask for enabling/disabling interrupts -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask); -+ -+/** -+ * \brief Clears MHU interrupts. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] mask Bit mask for clearing interrupts -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask); -+ -+/** -+ * \brief Returns the first channel number whose interrupt bit is high. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[out] channel Pointer to variable that will have the channel value. -+ * -+ * \return Returns the first channel number whose interrupt bit is high. -+ * \return Returns mhu_v2_x_error_t error code. -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *channel); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __MHU_V2_X_H__ */ -diff --git a/platform/drivers/arm/mhu_driver/mhu_v2_x.c b/platform/drivers/arm/mhu_driver/mhu_v2_x.c -new file mode 100644 -index 000000000000..01d8f659a73a ---- /dev/null -+++ b/platform/drivers/arm/mhu_driver/mhu_v2_x.c -@@ -0,0 +1,602 @@ -+/* -+ * Copyright (c) 2021 Arm Limited -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+#include <stdint.h> -+#include <stdbool.h> -+#include "mhu_v2.h" -+ -+#define _MHU_V2_X_MAX_CHANNELS 124 -+#define _MHU_V2_1_MAX_CHCOMB_INT 4 -+#define ENABLE 0x1 -+#define DISABLE 0x0 -+#define CLEAR_INTR 0x1 -+#define CH_PER_CH_COMB 0x20 -+#define SEND_FRAME(p_mhu) ((struct _mhu_v2_x_send_frame_t *)p_mhu) -+#define RECV_FRAME(p_mhu) ((struct _mhu_v2_x_recv_frame_t *)p_mhu) -+ -+#define MHU_MAJOR_REV_V2 0x1u -+#define MHU_MINOR_REV_2_0 0x0u -+#define MHU_MINOR_REV_2_1 0x1u -+ -+struct _mhu_v2_x_send_ch_window_t { -+ /* Offset: 0x00 (R/ ) Channel Status */ -+ volatile uint32_t ch_st; -+ /* Offset: 0x04 (R/ ) Reserved */ -+ volatile uint32_t reserved_0; -+ /* Offset: 0x08 (R/ ) Reserved */ -+ volatile uint32_t reserved_1; -+ /* Offset: 0x0C ( /W) Channel Set */ -+ volatile uint32_t ch_set; -+ /* Offset: 0x10 (R/ ) Channel Interrupt Status (Reserved in 2.0) */ -+ volatile uint32_t ch_int_st; -+ /* Offset: 0x14 ( /W) Channel Interrupt Clear (Reserved in 2.0) */ -+ volatile uint32_t ch_int_clr; -+ /* Offset: 0x18 (R/W) Channel Interrupt Enable (Reserved in 2.0) */ -+ volatile uint32_t ch_int_en; -+ /* Offset: 0x1C (R/ ) Reserved */ -+ volatile uint32_t reserved_2; -+}; -+ -+struct _mhu_v2_x_send_frame_t { -+ /* Offset: 0x000 ( / ) Sender Channel Window 0 -123 */ -+ struct _mhu_v2_x_send_ch_window_t send_ch_window[_MHU_V2_X_MAX_CHANNELS]; -+ /* Offset: 0xF80 (R/ ) Message Handling Unit Configuration */ -+ volatile uint32_t mhu_cfg; -+ /* Offset: 0xF84 (R/W) Response Configuration */ -+ volatile uint32_t resp_cfg; -+ /* Offset: 0xF88 (R/W) Access Request */ -+ volatile uint32_t access_request; -+ /* Offset: 0xF8C (R/ ) Access Ready */ -+ volatile uint32_t access_ready; -+ /* Offset: 0xF90 (R/ ) Interrupt Status */ -+ volatile uint32_t int_st; -+ /* Offset: 0xF94 ( /W) Interrupt Clear */ -+ volatile uint32_t int_clr; -+ /* Offset: 0xF98 (R/W) Interrupt Enable */ -+ volatile uint32_t int_en; -+ /* Offset: 0xF9C (R/ ) Reserved */ -+ volatile uint32_t reserved_0; -+ /* Offset: 0xFA0 (R/W) Channel Combined Interrupt Stat (Reserved in 2.0) */ -+ volatile uint32_t ch_comb_int_st[_MHU_V2_1_MAX_CHCOMB_INT]; -+ /* Offset: 0xFC4 (R/ ) Reserved */ -+ volatile uint32_t reserved_1[6]; -+ /* Offset: 0xFC8 (R/ ) Implementer Identification Register */ -+ volatile uint32_t iidr; -+ /* Offset: 0xFCC (R/ ) Architecture Identification Register */ -+ volatile uint32_t aidr; -+ /* Offset: 0xFD0 (R/ ) */ -+ volatile uint32_t pid_1[4]; -+ /* Offset: 0xFE0 (R/ ) */ -+ volatile uint32_t pid_0[4]; -+ /* Offset: 0xFF0 (R/ ) */ -+ volatile uint32_t cid[4]; -+}; -+ -+struct _mhu_v2_x_rec_ch_window_t { -+ /* Offset: 0x00 (R/ ) Channel Status */ -+ volatile uint32_t ch_st; -+ /* Offset: 0x04 (R/ ) Channel Status Masked */ -+ volatile uint32_t ch_st_msk; -+ /* Offset: 0x08 ( /W) Channel Clear */ -+ volatile uint32_t ch_clr; -+ /* Offset: 0x0C (R/ ) Reserved */ -+ volatile uint32_t reserved_0; -+ /* Offset: 0x10 (R/ ) Channel Mask Status */ -+ volatile uint32_t ch_msk_st; -+ /* Offset: 0x14 ( /W) Channel Mask Set */ -+ volatile uint32_t ch_msk_set; -+ /* Offset: 0x18 ( /W) Channel Mask Clear */ -+ volatile uint32_t ch_msk_clr; -+ /* Offset: 0x1C (R/ ) Reserved */ -+ volatile uint32_t reserved_1; -+}; -+ -+struct _mhu_v2_x_recv_frame_t { -+ /* Offset: 0x000 ( / ) Receiver Channel Window 0 -123 */ -+ struct _mhu_v2_x_rec_ch_window_t rec_ch_window[_MHU_V2_X_MAX_CHANNELS]; -+ /* Offset: 0xF80 (R/ ) Message Handling Unit Configuration */ -+ volatile uint32_t mhu_cfg; -+ /* Offset: 0xF84 (R/ ) Reserved */ -+ volatile uint32_t reserved_0[3]; -+ /* Offset: 0xF90 (R/ ) Interrupt Status (Reserved in 2.0) */ -+ volatile uint32_t int_st; -+ /* Offset: 0xF94 (R/ ) Interrupt Clear (Reserved in 2.0) */ -+ volatile uint32_t int_clr; -+ /* Offset: 0xF98 (R/W) Interrupt Enable (Reserved in 2.0) */ -+ volatile uint32_t int_en; -+ /* Offset: 0xF9C (R/ ) Reserved */ -+ volatile uint32_t reserved_1; -+ /* Offset: 0xFA0 (R/ ) Channel Combined Interrupt Stat (Reserved in 2.0) */ -+ volatile uint32_t ch_comb_int_st[_MHU_V2_1_MAX_CHCOMB_INT]; -+ /* Offset: 0xFB0 (R/ ) Reserved */ -+ volatile uint32_t reserved_2[6]; -+ /* Offset: 0xFC8 (R/ ) Implementer Identification Register */ -+ volatile uint32_t iidr; -+ /* Offset: 0xFCC (R/ ) Architecture Identification Register */ -+ volatile uint32_t aidr; -+ /* Offset: 0xFD0 (R/ ) */ -+ volatile uint32_t pid_1[4]; -+ /* Offset: 0xFE0 (R/ ) */ -+ volatile uint32_t pid_0[4]; -+ /* Offset: 0xFF0 (R/ ) */ -+ volatile uint32_t cid[4]; -+}; -+ -+union _mhu_v2_x_frame_t { -+ struct _mhu_v2_x_send_frame_t send_frame; -+ struct _mhu_v2_x_recv_frame_t recv_frame; -+}; -+ -+enum mhu_v2_x_error_t mhu_v2_x_driver_init(struct mhu_v2_x_dev_t *dev, -+ enum mhu_v2_x_supported_revisions rev) -+{ -+ uint32_t AIDR = 0; -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if (dev->is_initialized) { -+ return MHU_V_2_X_ERR_ALREADY_INIT; -+ } -+ -+ if (rev == MHU_REV_READ_FROM_HW) { -+ /* Read revision from HW */ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ AIDR = p_mhu->recv_frame.aidr; -+ } else { -+ AIDR = p_mhu->send_frame.aidr; -+ } -+ -+ /* Get bits 7:4 to read major revision */ -+ if ( ((AIDR >> 4) & 0b1111) != MHU_MAJOR_REV_V2) { -+ /* Unsupported MHU version */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } /* No need to save major version, driver only supports MHUv2 */ -+ -+ /* Get bits 3:0 to read minor revision */ -+ dev->subversion = AIDR & 0b1111; -+ -+ if (dev->subversion != MHU_MINOR_REV_2_0 && -+ dev->subversion != MHU_MINOR_REV_2_1) { -+ /* Unsupported subversion */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } else { -+ /* Revisions were provided by caller */ -+ if (rev == MHU_REV_2_0) { -+ dev->subversion = MHU_MINOR_REV_2_0; -+ } else if (rev == MHU_REV_2_1) { -+ dev->subversion = MHU_MINOR_REV_2_1; -+ } else { -+ /* Unsupported subversion */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ }/* No need to save major version, driver only supports MHUv2 */ -+ } -+ -+ dev->is_initialized = true; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+uint32_t mhu_v2_x_get_num_channel_implemented(const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ return (SEND_FRAME(p_mhu))->mhu_cfg; -+ } else { -+ return (RECV_FRAME(p_mhu))->mhu_cfg; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_send(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel, uint32_t val) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_set = val; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_clear(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_clr = UINT32_MAX; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_receive( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t *value) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ *value = (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_st; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_set( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_msk_set = mask; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_msk_clr = mask; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_1) { -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_int_en = ENABLE; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_1) { -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_int_en = DISABLE; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_1) { -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_int_clr = CLEAR_INTR; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_initiate_transfer( -+ const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = ENABLE; -+ -+ while ( !((SEND_FRAME(p_mhu))->access_ready) ) { -+ /* Wait in a loop for access ready signal to be high */ -+ ; -+ } -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_close_transfer(const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = DISABLE; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_request( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ *val = (SEND_FRAME(p_mhu))->access_request; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_set_access_request( -+ const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = ENABLE; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_reset_access_request( -+ const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = DISABLE; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_ready( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ *val = (SEND_FRAME(p_mhu))->access_ready; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+uint32_t mhu_v2_x_get_interrupt_status(const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ return (SEND_FRAME(p_mhu))->int_st; -+ } else { -+ return (RECV_FRAME(p_mhu))->int_st; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_0) { -+ if (mask & MHU_2_1_INTR_CHCOMB_MASK) { -+ /* Combined channel IRQ is not present in v2.0 */ -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ /* Only sender frame has these registers */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->int_en |= mask; -+ } else { -+ (RECV_FRAME(p_mhu))->int_en |= mask; -+ } -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_0) { -+ if (mask & MHU_2_1_INTR_CHCOMB_MASK) { -+ /* Combined channel IRQ is not present in v2.0 */ -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ /* Only sender frame has these registers */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->int_en &= ~mask; -+ } else { -+ (RECV_FRAME(p_mhu))->int_en &= ~mask; -+ } -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_0) { -+ if (mask & MHU_2_1_INTR_CHCOMB_MASK) { -+ /* Combined channel IRQ is not present in v2.0 */ -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ /* Only sender frame has these registers */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->int_clr = mask; -+ } else { -+ (RECV_FRAME(p_mhu))->int_clr = mask; -+ } -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *channel) -+{ -+ uint32_t i, j, status; -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion != MHU_MINOR_REV_2_1) { -+ /* Feature is only supported in MHU v2.1 */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ for(i = 0; i < _MHU_V2_1_MAX_CHCOMB_INT; i++) { -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ status = (SEND_FRAME(p_mhu))->ch_comb_int_st[i]; -+ } else { -+ status = (RECV_FRAME(p_mhu))->ch_comb_int_st[i]; -+ } -+ -+ for(j = 0; j < CH_PER_CH_COMB; j++) { -+ if ((status >> CH_PER_CH_COMB - j - 1) & (ENABLE)) { -+ *channel = (CH_PER_CH_COMB - j -1 + (i * CH_PER_CH_COMB)); -+ return MHU_V_2_X_ERR_NONE; -+ } -+ } -+ } -+ -+ return MHU_V_2_X_ERR_GENERAL; -+} -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -new file mode 100644 -index 000000000000..bb778bb9719b ---- /dev/null -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -0,0 +1,10 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+# Platform definition for the 'fvp_base_revc-2xaem8a' virtual platform. -+#------------------------------------------------------------------------------- -+ -+# include MHU driver -+include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Add-openamp-rpc-caller.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Add-openamp-rpc-caller.patch deleted file mode 100644 index 5686face15..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Add-openamp-rpc-caller.patch +++ /dev/null @@ -1,1196 +0,0 @@ -From 55394c4c9681af71b1ed7f7ebc7c44b2e1737113 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath <vishnu.banavath@arm.com> -Date: Fri, 3 Dec 2021 19:00:54 +0000 -Subject: [PATCH 03/20] Add openamp rpc caller - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - components/rpc/common/caller/rpc_caller.c | 10 + - components/rpc/common/interface/rpc_caller.h | 8 + - .../rpc/openamp/caller/sp/component.cmake | 15 + - .../rpc/openamp/caller/sp/openamp_caller.c | 203 +++++++ - .../rpc/openamp/caller/sp/openamp_caller.h | 43 ++ - .../rpc/openamp/caller/sp/openamp_mhu.c | 191 ++++++ - .../rpc/openamp/caller/sp/openamp_mhu.h | 19 + - .../rpc/openamp/caller/sp/openamp_virtio.c | 555 ++++++++++++++++++ - .../rpc/openamp/caller/sp/openamp_virtio.h | 24 + - .../se-proxy/opteesp/default_se-proxy.dts.in | 6 + - deployments/se-proxy/se-proxy.cmake | 1 + - 11 files changed, 1075 insertions(+) - create mode 100644 components/rpc/openamp/caller/sp/component.cmake - create mode 100644 components/rpc/openamp/caller/sp/openamp_caller.c - create mode 100644 components/rpc/openamp/caller/sp/openamp_caller.h - create mode 100644 components/rpc/openamp/caller/sp/openamp_mhu.c - create mode 100644 components/rpc/openamp/caller/sp/openamp_mhu.h - create mode 100644 components/rpc/openamp/caller/sp/openamp_virtio.c - create mode 100644 components/rpc/openamp/caller/sp/openamp_virtio.h - -diff --git a/components/rpc/common/caller/rpc_caller.c b/components/rpc/common/caller/rpc_caller.c -index 2dceabeb8967..20d889c162b0 100644 ---- a/components/rpc/common/caller/rpc_caller.c -+++ b/components/rpc/common/caller/rpc_caller.c -@@ -37,3 +37,13 @@ void rpc_caller_end(struct rpc_caller *s, rpc_call_handle handle) - { - s->call_end(s->context, handle); - } -+ -+void *rpc_caller_virt_to_phys(struct rpc_caller *s, void *va) -+{ -+ return s->virt_to_phys(s->context, va); -+} -+ -+void *rpc_caller_phys_to_virt(struct rpc_caller *s, void *pa) -+{ -+ return s->phys_to_virt(s->context, pa); -+} -diff --git a/components/rpc/common/interface/rpc_caller.h b/components/rpc/common/interface/rpc_caller.h -index 387489cdb1b2..ef9bb64905ed 100644 ---- a/components/rpc/common/interface/rpc_caller.h -+++ b/components/rpc/common/interface/rpc_caller.h -@@ -45,6 +45,10 @@ struct rpc_caller - rpc_opstatus_t *opstatus, uint8_t **resp_buf, size_t *resp_len); - - void (*call_end)(void *context, rpc_call_handle handle); -+ -+ void *(*virt_to_phys)(void *context, void *va); -+ -+ void *(*phys_to_virt)(void *context, void *pa); - }; - - /* -@@ -87,6 +91,10 @@ RPC_CALLER_EXPORTED rpc_status_t rpc_caller_invoke(struct rpc_caller *s, rpc_cal - */ - RPC_CALLER_EXPORTED void rpc_caller_end(struct rpc_caller *s, rpc_call_handle handle); - -+RPC_CALLER_EXPORTED void *rpc_caller_virt_to_phys(struct rpc_caller *s, void *va); -+ -+RPC_CALLER_EXPORTED void *rpc_caller_phys_to_virt(struct rpc_caller *s, void *pa); -+ - #ifdef __cplusplus - } - #endif -diff --git a/components/rpc/openamp/caller/sp/component.cmake b/components/rpc/openamp/caller/sp/component.cmake -new file mode 100644 -index 000000000000..fc919529d731 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/component.cmake -@@ -0,0 +1,15 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2020, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/openamp_caller.c" -+ "${CMAKE_CURRENT_LIST_DIR}/openamp_virtio.c" -+ "${CMAKE_CURRENT_LIST_DIR}/openamp_mhu.c" -+ ) -diff --git a/components/rpc/openamp/caller/sp/openamp_caller.c b/components/rpc/openamp/caller/sp/openamp_caller.c -new file mode 100644 -index 000000000000..6cdfb756568f ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_caller.c -@@ -0,0 +1,203 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <stddef.h> -+#include <trace.h> -+#include "openamp_caller.h" -+#include "openamp_mhu.h" -+#include "openamp_virtio.h" -+#include <protocols/rpc/common/packed-c/status.h> -+ -+#define OPENAMP_TRANSACTION_IDLE 0x0 -+#define OPENAMP_TRANSACTION_INPROGRESS 0x1 -+#define OPENAMP_TRANSACTION_INVOKED 0x2 -+ -+static rpc_call_handle openamp_call_begin(void *context, uint8_t **req_buf, -+ size_t req_len) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ rpc_call_handle handle; -+ int ret; -+ -+ if (!req_buf) { -+ EMSG("openamp: call_begin: not req_buf"); -+ return NULL; -+ } -+ -+ if (req_len > UINT32_MAX || req_len == 0) { -+ EMSG("openamp: call_begin: resp_len invalid: %lu", req_len); -+ return NULL; -+ } -+ -+ if (openamp->status != OPENAMP_TRANSACTION_IDLE) { -+ EMSG("openamp: call_begin: transaction not idle"); -+ return NULL; -+ } -+ -+ ret = ops->platform_call_begin(openamp, req_buf, req_len); -+ if (ret < 0) { -+ EMSG("openamp: call_begin: platform begin failed: %d", ret); -+ return NULL; -+ } -+ -+ openamp->status = OPENAMP_TRANSACTION_INPROGRESS; -+ handle = openamp; -+ -+ return handle; -+} -+ -+static rpc_status_t openamp_call_invoke(void *context, rpc_call_handle handle, -+ uint32_t opcode, int *opstatus, -+ uint8_t **resp_buf, size_t *resp_len) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ rpc_status_t status; -+ int ret; -+ -+ (void)opcode; -+ -+ if ((handle != openamp) || !opstatus || !resp_buf || !resp_len) { -+ EMSG("openamp: call_invoke: invalid arguments"); -+ return TS_RPC_ERROR_INVALID_PARAMETER; -+ } -+ -+ if (openamp->status != OPENAMP_TRANSACTION_INPROGRESS) { -+ EMSG("openamp: call_invoke: transaction needed to be started"); -+ return TS_RPC_ERROR_NOT_READY; -+ } -+ -+ ret = ops->platform_call_invoke(openamp, opstatus, resp_buf, resp_len); -+ if (ret < 0) -+ return TS_RPC_ERROR_INTERNAL; -+ -+ openamp->status = OPENAMP_TRANSACTION_INVOKED; -+ *opstatus = 0; -+ -+ return TS_RPC_CALL_ACCEPTED; -+} -+ -+static void openamp_call_end(void *context, rpc_call_handle handle) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ -+ if (handle != openamp) { -+ EMSG("openamp: call_end: invalid arguments"); -+ return; -+ } -+ -+ if (openamp->status == OPENAMP_TRANSACTION_IDLE) { -+ EMSG("openamp: call_end: transaction idle"); -+ return; -+ } -+ -+ ops->platform_call_end(openamp); -+ -+ openamp->status = OPENAMP_TRANSACTION_IDLE; -+} -+ -+static void *openamp_virt_to_phys(void *context, void *va) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ -+ return ops->platform_virt_to_phys(openamp, va); -+} -+ -+static void *openamp_phys_to_virt(void *context, void *pa) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ -+ return ops->platform_phys_to_virt(openamp, pa); -+} -+ -+static int openamp_init(struct openamp_caller *openamp) -+{ -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ int ret; -+ -+ ret = ops->transport_init(openamp); -+ if (ret < 0) -+ return ret; -+ -+ ret = ops->platform_init(openamp); -+ if (ret < 0) -+ goto denit_transport; -+ -+ return 0; -+ -+denit_transport: -+ ops->transport_deinit(openamp); -+ -+ return ret; -+} -+ -+static const struct openamp_platform_ops openamp_virtio_ops = { -+ .transport_init = openamp_mhu_init, -+ .transport_deinit = openamp_mhu_deinit, -+ .transport_notify = openamp_mhu_notify_peer, -+ .transport_receive = openamp_mhu_receive, -+ .platform_init = openamp_virtio_init, -+ .platform_call_begin = openamp_virtio_call_begin, -+ .platform_call_invoke = openamp_virtio_call_invoke, -+ .platform_call_end = openamp_virtio_call_end, -+ .platform_virt_to_phys = openamp_virtio_virt_to_phys, -+ .platform_phys_to_virt = openamp_virtio_phys_to_virt, -+}; -+ -+struct rpc_caller *openamp_caller_init(struct openamp_caller *openamp) -+{ -+ struct rpc_caller *rpc = &openamp->rpc_caller; -+ int ret; -+ -+ if (openamp->ref_count) -+ return rpc; -+ -+ rpc_caller_init(rpc, openamp); -+ -+ rpc->call_begin = openamp_call_begin; -+ rpc->call_invoke = openamp_call_invoke; -+ rpc->call_end = openamp_call_end; -+ rpc->virt_to_phys = openamp_virt_to_phys; -+ rpc->phys_to_virt = openamp_phys_to_virt; -+ openamp->platform_ops = &openamp_virtio_ops; -+ -+ ret = openamp_init(openamp); -+ if (ret < 0) { -+ EMSG("openamp_init: failed to start: %d", ret); -+ return rpc; -+ } -+ openamp->ref_count++; -+ -+ return rpc; -+} -+ -+void openamp_caller_deinit(struct openamp_caller *openamp) -+{ -+ struct rpc_caller *rpc = &openamp->rpc_caller; -+ -+ if (--openamp->ref_count) -+ return; -+ -+ rpc->context = NULL; -+ rpc->call_begin = NULL; -+ rpc->call_invoke = NULL; -+ rpc->call_end = NULL; -+} -+ -+int openamp_caller_discover(struct openamp_caller *openamp) -+{ -+ return openamp_init(openamp); -+} -+ -+int openamp_caller_open(struct openamp_caller *openamp) -+{ -+ -+} -diff --git a/components/rpc/openamp/caller/sp/openamp_caller.h b/components/rpc/openamp/caller/sp/openamp_caller.h -new file mode 100644 -index 000000000000..3fb67c56cc53 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_caller.h -@@ -0,0 +1,43 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+#ifndef OPENAMP_CALLER_H -+#define OPENAMP_CALLER_H -+ -+#include <stddef.h> -+#include <rpc_caller.h> -+ -+struct openamp_caller { -+ struct rpc_caller rpc_caller; -+ const struct openamp_platform_ops *platform_ops; -+ uint32_t ref_count; -+ uint8_t status; -+ -+ void *transport; -+ void *platform; -+}; -+ -+struct openamp_platform_ops { -+ int (*transport_init)(struct openamp_caller *openamp); -+ int (*transport_deinit)(struct openamp_caller *openamp); -+ int (*transport_notify)(struct openamp_caller *openamp); -+ int (*transport_receive)(struct openamp_caller *openamp); -+ int (*platform_init)(struct openamp_caller *openamp); -+ int (*platform_deinit)(struct openamp_caller *openamp); -+ int (*platform_call_begin)(struct openamp_caller *openamp, -+ uint8_t **req_buf, size_t req_len); -+ int (*platform_call_invoke)(struct openamp_caller *openamp, -+ int *opstatus, uint8_t **resp_buf, -+ size_t *resp_len); -+ int (*platform_call_end)(struct openamp_caller *openamp); -+ void *(*platform_virt_to_phys)(struct openamp_caller *openamp, void *va); -+ void *(*platform_phys_to_virt)(struct openamp_caller *openamp, void *pa); -+}; -+ -+struct rpc_caller *openamp_caller_init(struct openamp_caller *openamp); -+void openamp_caller_deinit(struct openamp_caller *openamp); -+ -+#endif -diff --git a/components/rpc/openamp/caller/sp/openamp_mhu.c b/components/rpc/openamp/caller/sp/openamp_mhu.c -new file mode 100644 -index 000000000000..ffdadaf870a3 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_mhu.c -@@ -0,0 +1,191 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <config/interface/config_store.h> -+#include <config/interface/config_blob.h> -+#include <platform/interface/device_region.h> -+#include <platform/drivers/arm/mhu_driver/mhu_v2.h> -+#include <trace.h> -+#include <errno.h> -+#include <stdlib.h> -+#include <stdint.h> -+#include <stddef.h> -+#include <limits.h> -+ -+#include "openamp_caller.h" -+ -+#define MHU_V_2_NOTIFY_CHANNEL 0 -+#define MHU_V_2_NOTIFY_VALUE 0xff -+ -+struct openamp_mhu { -+ struct device_region rx_region; -+ struct device_region tx_region; -+ struct mhu_v2_x_dev_t rx_dev; -+ struct mhu_v2_x_dev_t tx_dev; -+}; -+ -+static int openamp_mhu_device_get(const char *dev, -+ struct device_region *dev_region) -+{ -+ bool found; -+ -+ found = config_store_query(CONFIG_CLASSIFIER_DEVICE_REGION, dev, 0, -+ dev_region, sizeof(*dev_region)); -+ if (!found) -+ return -EINVAL; -+ -+ if (!dev_region->base_addr) -+ return -EINVAL; -+ -+ IMSG("mhu: device region found: %s addr: 0x%x size: %d", dev, -+ dev_region->base_addr, dev_region->io_region_size); -+ -+ return 0; -+} -+ -+int openamp_mhu_receive(struct openamp_caller *openamp) -+{ -+ struct mhu_v2_x_dev_t *rx_dev; -+ enum mhu_v2_x_error_t ret; -+ struct openamp_mhu *mhu; -+ uint32_t channel = 0; -+ uint32_t irq_status; -+ -+ if (!openamp->transport) { -+ EMSG("openamp: mhu: receive transport not initialized"); -+ return -EINVAL; -+ } -+ -+ mhu = openamp->transport; -+ rx_dev = &mhu->rx_dev; -+ -+ irq_status = 0; -+ -+ do { -+ irq_status = mhu_v2_x_get_interrupt_status(rx_dev); -+ } while(!irq_status); -+ -+ ret = mhu_v2_1_get_ch_interrupt_num(rx_dev, &channel); -+ -+ ret = mhu_v2_x_channel_clear(rx_dev, channel); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed to clear channel: %d", channel); -+ return -EPROTO; -+ } -+ -+ return 0; -+} -+ -+int openamp_mhu_notify_peer(struct openamp_caller *openamp) -+{ -+ struct mhu_v2_x_dev_t *tx_dev; -+ enum mhu_v2_x_error_t ret; -+ struct openamp_mhu *mhu; -+ uint32_t access_ready; -+ -+ if (!openamp->transport) { -+ EMSG("openamp: mhu: notify transport not initialized"); -+ return -EINVAL; -+ } -+ -+ mhu = openamp->transport; -+ tx_dev = &mhu->tx_dev; -+ -+ ret = mhu_v2_x_set_access_request(tx_dev); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: set access request failed"); -+ return -EPROTO; -+ } -+ -+ do { -+ ret = mhu_v2_x_get_access_ready(tx_dev, &access_ready); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed to get access_ready"); -+ return -EPROTO; -+ } -+ } while (!access_ready); -+ -+ ret = mhu_v2_x_channel_send(tx_dev, MHU_V_2_NOTIFY_CHANNEL, -+ MHU_V_2_NOTIFY_VALUE); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed send over channel"); -+ return -EPROTO; -+ } -+ -+ ret = mhu_v2_x_reset_access_request(tx_dev); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed reset access request"); -+ return -EPROTO; -+ } -+ -+ return 0; -+} -+ -+int openamp_mhu_init(struct openamp_caller *openamp) -+{ -+ struct mhu_v2_x_dev_t *rx_dev; -+ struct mhu_v2_x_dev_t *tx_dev; -+ struct openamp_mhu *mhu; -+ int ret; -+ -+ /* if we already have initialized skip this */ -+ if (openamp->transport) -+ return 0; -+ -+ mhu = malloc(sizeof(*mhu)); -+ if (!mhu) -+ return -1; -+ -+ ret = openamp_mhu_device_get("mhu-sender", &mhu->tx_region); -+ if (ret < 0) -+ goto free_mhu; -+ -+ ret = openamp_mhu_device_get("mhu-receiver", &mhu->rx_region); -+ if (ret < 0) -+ goto free_mhu; -+ -+ rx_dev = &mhu->rx_dev; -+ tx_dev = &mhu->tx_dev; -+ -+ rx_dev->base = (unsigned int)mhu->rx_region.base_addr; -+ rx_dev->frame = MHU_V2_X_RECEIVER_FRAME; -+ -+ tx_dev->base = (unsigned int)mhu->tx_region.base_addr; -+ tx_dev->frame = MHU_V2_X_SENDER_FRAME; -+ -+ ret = mhu_v2_x_driver_init(rx_dev, MHU_REV_READ_FROM_HW); -+ if (ret < 0) -+ goto free_mhu; -+ -+ ret = mhu_v2_x_driver_init(tx_dev, MHU_REV_READ_FROM_HW); -+ if (ret < 0) -+ goto free_mhu; -+ -+ openamp->transport = (void *)mhu; -+ -+ return 0; -+ -+free_mhu: -+ free(mhu); -+ -+ return ret; -+} -+ -+int openamp_mhu_deinit(struct openamp_caller *openamp) -+{ -+ struct openamp_mhu *mhu; -+ -+ if (!openamp->transport) -+ return 0; -+ -+ mhu = openamp->transport; -+ free(mhu); -+ -+ openamp->transport = NULL; -+ -+ return 0; -+} -diff --git a/components/rpc/openamp/caller/sp/openamp_mhu.h b/components/rpc/openamp/caller/sp/openamp_mhu.h -new file mode 100644 -index 000000000000..2ae5cb8ee1c6 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_mhu.h -@@ -0,0 +1,19 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+#ifndef OPENAMP_MHU_H -+#define OPENAMP_MHU_H -+ -+#include <stddef.h> -+#include "openamp_caller.h" -+ -+int openamp_mhu_init(struct openamp_caller *openamp); -+int openamp_mhu_deinit(struct openamp_caller *openamp); -+ -+int openamp_mhu_notify_peer(struct openamp_caller *openamp); -+int openamp_mhu_receive(struct openamp_caller *openamp); -+ -+#endif -diff --git a/components/rpc/openamp/caller/sp/openamp_virtio.c b/components/rpc/openamp/caller/sp/openamp_virtio.c -new file mode 100644 -index 000000000000..b7c1aa929111 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_virtio.c -@@ -0,0 +1,555 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <metal/device.h> -+#include <metal/spinlock.h> -+#include <openamp/open_amp.h> -+#include <platform/interface/device_region.h> -+#include <config/interface/config_store.h> -+ -+#include <stddef.h> -+#include <trace.h> -+#include "openamp_caller.h" -+ -+#define OPENAMP_SHEM_DEVICE_NAME "openamp-virtio" -+#define OPENAMP_RPMSG_ENDPOINT_NAME OPENAMP_SHEM_DEVICE_NAME -+#define OPENAMP_RPMSG_ENDPOINT_ADDR 1024 -+ -+#define OPENAMP_SHEM_PHYS 0x88000000 -+#define OPENAMP_SHEM_PHYS_PAGES 1 -+#define OPENAMP_SHEM_SE_PHYS 0xa8000000 -+ -+#define OPENAMP_SHEM_VDEV_SIZE (4 * 1024) -+#define OPENAMP_SHEM_VRING_SIZE (4 * 1024) -+ -+#define OPENAMP_BUFFER_NO_WAIT 0 -+#define OPENAMP_BUFFER_WAIT 1 -+ -+#define VIRTQUEUE_NR 2 -+#define VQ_TX 0 -+#define VQ_RX 1 -+ -+#define VRING_DESCRIPTORS 16 -+#define VRING_ALIGN 4 -+ -+#define container_of(ptr, type, member) \ -+ ((type *)((char *)(ptr) - (unsigned long)(&((type *)0)->member))) -+ -+struct openamp_virtio_shm { -+ uintptr_t base_addr; -+ size_t size; -+ uintptr_t vdev_status; -+ size_t vdev_status_size; -+ uintptr_t payload_addr; -+ size_t payload_size; -+ uintptr_t vring_tx; -+ size_t vring_tx_size; -+ uintptr_t vring_rx; -+ size_t vring_rx_size; -+ -+ metal_phys_addr_t shm_physmap[OPENAMP_SHEM_PHYS_PAGES]; -+}; -+ -+struct openamp_virtio_metal { -+ struct metal_spinlock lock; -+ struct metal_device shm_dev; -+ struct metal_device *io_dev; -+ -+ struct metal_io_region *io; -+ struct openamp_virtio_shm shm; -+}; -+ -+struct openamp_virtio_device { -+ struct virtio_device virtio_dev; -+ struct virtqueue *vq[VIRTQUEUE_NR]; -+ struct virtio_vring_info rvrings[VIRTQUEUE_NR]; -+}; -+ -+struct openamp_virtio_rpmsg { -+ struct rpmsg_virtio_device rpmsg_vdev; -+ struct rpmsg_endpoint ep; -+ uint8_t *req_buf; -+ uint32_t req_len; -+ uint8_t *resp_buf; -+ size_t resp_len; -+}; -+ -+struct openamp_virtio { -+ struct openamp_caller *openamp; -+ struct openamp_virtio_rpmsg rpmsg; -+ struct openamp_virtio_device vdev; -+ struct openamp_virtio_metal metal; -+}; -+ -+static struct openamp_virtio *openamp_virtio_from_dev(struct virtio_device *vdev) -+{ -+ struct openamp_virtio_device *openamp_vdev; -+ -+ openamp_vdev = container_of(vdev, struct openamp_virtio_device, -+ virtio_dev); -+ -+ return container_of(openamp_vdev, struct openamp_virtio, vdev); -+} -+ -+static struct openamp_virtio_rpmsg *openamp_virtio_rpmsg_from_dev(struct rpmsg_device *rdev) -+{ -+ struct rpmsg_virtio_device *rvdev; -+ -+ rvdev = container_of(rdev, struct rpmsg_virtio_device, rdev); -+ -+ return container_of(rvdev, struct openamp_virtio_rpmsg, rpmsg_vdev); -+ -+} -+ -+static void openamp_virtio_metal_device_setup(struct metal_device *shm_dev, -+ struct openamp_virtio_shm *shm) -+{ -+ struct metal_io_region *shm_region; -+ -+ shm_region = &shm_dev->regions[0]; -+ -+ shm_dev->name = OPENAMP_SHEM_DEVICE_NAME; -+ shm_dev->num_regions = 1; -+ -+ shm_region->virt = (void *)shm->payload_addr; -+ shm_region->size = shm->payload_size; -+ -+ shm_region->physmap = &shm->shm_physmap; -+ shm_region->page_shift = (metal_phys_addr_t)(-1); -+ shm_region->page_mask = (metal_phys_addr_t)(-1); -+} -+ -+static int openamp_virtio_metal_init(struct openamp_virtio_metal *metal) -+{ -+ struct metal_init_params params = METAL_INIT_DEFAULTS; -+ struct metal_device *shm_dev = &metal->shm_dev; -+ int ret; -+ -+ openamp_virtio_metal_device_setup(shm_dev, &metal->shm); -+ -+ metal_spinlock_init(&metal->lock); -+ -+ ret = metal_init(¶ms); -+ if (ret < 0) -+ return ret; -+ -+ ret = metal_register_generic_device(shm_dev); -+ if (ret < 0) -+ goto metal_finish; -+ -+ ret = metal_device_open("generic", OPENAMP_SHEM_DEVICE_NAME, -+ &metal->io_dev); -+ if (ret < 0) -+ goto metal_finish; -+ -+ metal->io = metal_device_io_region(metal->io_dev, 0); -+ if (!metal->io) { -+ EMSG("openamp: virtio: failed to init metal io"); -+ ret = -EPROTO; -+ goto metal_finish; -+ } -+ -+ return 0; -+ -+metal_finish: -+ metal_finish(); -+ return ret; -+} -+ -+static unsigned char openamp_virtio_status_get(struct virtio_device *vdev) -+{ -+ struct openamp_virtio *virtio = openamp_virtio_from_dev(vdev); -+ struct openamp_virtio_shm *shm = &virtio->metal.shm; -+ -+ uint32_t status = *(volatile uint32_t *)shm->vdev_status; -+ -+ return status; -+} -+ -+static void openamp_virtio_status_set(struct virtio_device *vdev, -+ unsigned char status) -+{ -+ struct openamp_virtio *virtio = openamp_virtio_from_dev(vdev); -+ struct openamp_virtio_shm *shm = &virtio->metal.shm; -+ -+ *(volatile uint32_t *)shm->vdev_status = status; -+} -+ -+static int count; -+ -+static uint32_t openamp_virtio_features_get(struct virtio_device *vdev) -+{ -+ return 1 << VIRTIO_RPMSG_F_NS; -+} -+ -+static void openamp_virtio_notify(struct virtqueue *vq) -+{ -+ struct openamp_virtio_device *openamp_vdev; -+ struct openamp_caller *openamp; -+ struct openamp_virtio *virtio; -+ int ret; -+ -+ openamp_vdev = container_of(vq->vq_dev, struct openamp_virtio_device, virtio_dev); -+ virtio = container_of(openamp_vdev, struct openamp_virtio, vdev); -+ openamp = virtio->openamp; -+ -+ ret = openamp->platform_ops->transport_notify(openamp); -+ if (ret < 0) -+ EMSG("openamp: virtio: erro in transport_notify: %d", ret); -+} -+ -+const static struct virtio_dispatch openamp_virtio_dispatch = { -+ .get_status = openamp_virtio_status_get, -+ .set_status = openamp_virtio_status_set, -+ .get_features = openamp_virtio_features_get, -+ .notify = openamp_virtio_notify, -+}; -+ -+static int openamp_virtio_device_setup(struct openamp_virtio *virtio) -+{ -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ struct openamp_virtio_device *openamp_vdev = &virtio->vdev; -+ struct virtio_device *vdev = &openamp_vdev->virtio_dev; -+ struct openamp_virtio_shm *shm = &metal->shm; -+ struct virtio_vring_info *rvring; -+ -+ rvring = &openamp_vdev->rvrings[0]; -+ -+ vdev->role = RPMSG_REMOTE; -+ vdev->vrings_num = VIRTQUEUE_NR; -+ vdev->func = &openamp_virtio_dispatch; -+ -+ openamp_vdev->vq[VQ_TX] = virtqueue_allocate(VRING_DESCRIPTORS); -+ if (!openamp_vdev->vq[VQ_TX]) { -+ EMSG("openamp: virtio: failed to allocate virtqueue 0"); -+ return -ENOMEM; -+ } -+ rvring->io = metal->io; -+ rvring->info.vaddr = (void *)shm->vring_tx; -+ rvring->info.num_descs = VRING_DESCRIPTORS; -+ rvring->info.align = VRING_ALIGN; -+ rvring->vq = openamp_vdev->vq[VQ_TX]; -+ -+ openamp_vdev->vq[VQ_RX] = virtqueue_allocate(VRING_DESCRIPTORS); -+ if (!openamp_vdev->vq[VQ_RX]) { -+ EMSG("openamp: virtio: failed to allocate virtqueue 1"); -+ goto free_vq; -+ } -+ rvring = &openamp_vdev->rvrings[VQ_RX]; -+ rvring->io = metal->io; -+ rvring->info.vaddr = (void *)shm->vring_rx; -+ rvring->info.num_descs = VRING_DESCRIPTORS; -+ rvring->info.align = VRING_ALIGN; -+ rvring->vq = openamp_vdev->vq[VQ_RX]; -+ -+ vdev->vrings_info = &openamp_vdev->rvrings[0]; -+ -+ return 0; -+ -+free_vq: -+ virtqueue_free(openamp_vdev->vq[VQ_TX]); -+ virtqueue_free(openamp_vdev->vq[VQ_RX]); -+ -+ return -ENOMEM; -+} -+ -+static int openamp_virtio_rpmsg_endpoint_callback(struct rpmsg_endpoint *ep, -+ void *data, size_t len, -+ uint32_t src, void *priv) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg; -+ struct rpmsg_device *rdev; -+ struct openamp_virtio *virtio; -+ -+ rdev = ep->rdev; -+ vrpmsg = openamp_virtio_rpmsg_from_dev(rdev); -+ virtio = container_of(vrpmsg, struct openamp_virtio, rpmsg); -+ -+ rpmsg_hold_rx_buffer(ep, data); -+ vrpmsg->resp_buf = data; -+ vrpmsg->resp_len = len; -+ -+ return 0; -+} -+ -+static void openamp_virtio_rpmsg_service_unbind(struct rpmsg_endpoint *ep) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg; -+ struct rpmsg_device *rdev; -+ -+ rdev = container_of(ep, struct rpmsg_device, ns_ept); -+ vrpmsg = openamp_virtio_rpmsg_from_dev(rdev); -+ -+ rpmsg_destroy_ept(&vrpmsg->ep); -+} -+ -+static void openamp_virtio_rpmsg_endpoint_bind(struct rpmsg_device *rdev, -+ const char *name, -+ unsigned int dest) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg; -+ -+ vrpmsg = openamp_virtio_rpmsg_from_dev(rdev); -+ -+ rpmsg_create_ept(&vrpmsg->ep, rdev, name, RPMSG_ADDR_ANY, dest, -+ openamp_virtio_rpmsg_endpoint_callback, -+ openamp_virtio_rpmsg_service_unbind); -+} -+ -+static int openamp_virtio_rpmsg_device_setup(struct openamp_virtio *virtio, -+ struct device_region *virtio_dev) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ struct rpmsg_virtio_device *rpmsg_vdev = &vrpmsg->rpmsg_vdev; -+ struct openamp_virtio_device *openamp_vdev = &virtio->vdev; -+ struct virtio_device *vdev = &openamp_vdev->virtio_dev; -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ int ret; -+ -+ /* -+ * we assume here that we are the client side and do not need to -+ * initialize the share memory poll (this is done at server side). -+ */ -+ ret = rpmsg_init_vdev(rpmsg_vdev, vdev, -+ openamp_virtio_rpmsg_endpoint_bind, metal->io, -+ NULL); -+ if (ret < 0) { -+ EMSG("openamp: virtio: init vdev failed: %d", ret); -+ return ret; -+ } -+ -+ -+ ret = rpmsg_create_ept(&vrpmsg->ep, &rpmsg_vdev->rdev, -+ OPENAMP_RPMSG_ENDPOINT_NAME, RPMSG_ADDR_ANY, -+ RPMSG_ADDR_ANY, -+ openamp_virtio_rpmsg_endpoint_callback, -+ openamp_virtio_rpmsg_service_unbind); -+ if (ret < 0) { -+ EMSG("openamp: virtio: failed to create endpoint: %d", ret); -+ return ret; -+ } -+ -+ /* set default remote addr */ -+ vrpmsg->ep.dest_addr = OPENAMP_RPMSG_ENDPOINT_ADDR; -+ -+ return 0; -+} -+ -+static void openamp_virtio_shm_set(struct openamp_virtio *virtio, -+ struct device_region *virtio_region) -+{ -+ struct openamp_virtio_shm *shm = &virtio->metal.shm; -+ -+ shm->base_addr = virtio_region->base_addr; -+ shm->size = virtio_region->io_region_size; -+ -+ shm->vdev_status = shm->base_addr; -+ shm->vdev_status_size = OPENAMP_SHEM_VDEV_SIZE; -+ -+ shm->vring_rx = shm->base_addr + shm->size - -+ (2 * OPENAMP_SHEM_VRING_SIZE); -+ shm->vring_rx_size = OPENAMP_SHEM_VRING_SIZE; -+ -+ shm->vring_tx = shm->vring_rx + shm->vring_rx_size; -+ shm->vring_tx_size = OPENAMP_SHEM_VRING_SIZE; -+ -+ shm->payload_addr = shm->vdev_status + shm->vdev_status_size; -+ shm->payload_size = shm->size - shm->vdev_status_size - -+ shm->vring_rx_size - shm->vring_tx_size; -+ -+ shm->shm_physmap[0] = OPENAMP_SHEM_PHYS + shm->vdev_status_size; -+ -+ IMSG("SHEM: base: 0x%0x size: 0x%0x size: %d", -+ shm->base_addr, shm->size, shm->size); -+ IMSG("VDEV: base: 0x%0x size: 0x%0x size: %d", -+ shm->vdev_status, shm->vdev_status_size, shm->vdev_status_size); -+ IMSG("PAYLOAD: base: 0x%0x size: 0x%0x size: %d", -+ shm->payload_addr, shm->payload_size, shm->payload_size); -+ IMSG("VRING_TX: base: 0x%0x size: 0x%0x size: %d", -+ shm->vring_tx, shm->vring_tx_size, shm->vring_tx_size); -+ IMSG("VRING_RX: base: 0x%0x size: 0x%0x size: %d", -+ shm->vring_rx, shm->vring_rx_size, shm->vring_rx_size); -+ IMSG("PHYMAP: base: 0x%0x", shm->shm_physmap[0]); -+} -+ -+static int openamp_virtio_device_get(const char *dev, -+ struct device_region *dev_region) -+{ -+ bool found; -+ -+ found = config_store_query(CONFIG_CLASSIFIER_DEVICE_REGION, dev, 0, -+ dev_region, sizeof(*dev_region)); -+ if (!found) { -+ EMSG("openamp: virtio: device region not found: %s", dev); -+ return -EINVAL; -+ } -+ -+ if (dev_region->base_addr == 0 || dev_region->io_region_size == 0) { -+ EMSG("openamp: virtio: device region not valid"); -+ return -EINVAL; -+ } -+ -+ IMSG("openamp: virtio: device region found: %s addr: 0x%x size: %d", -+ dev, dev_region->base_addr, dev_region->io_region_size); -+ -+ return 0; -+} -+ -+int openamp_virtio_call_begin(struct openamp_caller *openamp, uint8_t **req_buf, -+ size_t req_len) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ struct rpmsg_endpoint *ep = &vrpmsg->ep; -+ -+ -+ *req_buf = rpmsg_get_tx_payload_buffer(ep, &vrpmsg->req_len, -+ OPENAMP_BUFFER_WAIT); -+ if (*req_buf == NULL) -+ return -EINVAL; -+ -+ if (vrpmsg->req_len < req_len) -+ return -E2BIG; -+ -+ vrpmsg->req_buf = *req_buf; -+ -+ return 0; -+} -+ -+int openamp_virtio_call_invoke(struct openamp_caller *openamp, int *opstatus, -+ uint8_t **resp_buf, size_t *resp_len) -+{ -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_device *openamp_vdev = &virtio->vdev; -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ struct rpmsg_endpoint *ep = &vrpmsg->ep; -+ int ret; -+ -+ ret = rpmsg_send_nocopy(ep, vrpmsg->req_buf, vrpmsg->req_len); -+ if (ret < 0) { -+ EMSG("openamp: virtio: send nocopy failed: %d", ret); -+ return -EIO; -+ } -+ -+ if (ret != vrpmsg->req_len) { -+ EMSG("openamp: virtio: send less bytes %d than requested %d", -+ ret, vrpmsg->req_len); -+ return -EIO; -+ } -+ -+ if (!ops->transport_receive) -+ return 0; -+ -+ ret = ops->transport_receive(openamp); -+ if (ret < 0) { -+ EMSG("openamp: virtio: failed transport_receive"); -+ return -EIO; -+ } -+ -+ virtqueue_notification(openamp_vdev->vq[VQ_RX]); -+ -+ *resp_buf = vrpmsg->resp_buf; -+ *resp_len = vrpmsg->resp_len; -+ -+ return 0; -+} -+ -+void openamp_virtio_call_end(struct openamp_caller *openamp) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ -+ rpmsg_release_rx_buffer(&vrpmsg->ep, vrpmsg->resp_buf); -+ -+ vrpmsg->req_buf = NULL; -+ vrpmsg->req_len = 0; -+ vrpmsg->resp_buf = NULL; -+ vrpmsg->resp_len = 0; -+} -+ -+void *openamp_virtio_virt_to_phys(struct openamp_caller *openamp, void *va) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ -+ return metal_io_virt_to_phys(metal->io, va); -+} -+ -+void *openamp_virtio_phys_to_virt(struct openamp_caller *openamp, void *pa) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ -+ return metal_io_phys_to_virt(metal->io, pa); -+} -+ -+int openamp_virtio_init(struct openamp_caller *openamp) -+{ -+ struct device_region virtio_dev; -+ struct openamp_virtio *virtio; -+ int ret; -+ -+ if (openamp->platform) -+ return 0; -+ -+ -+ virtio = malloc(sizeof(*virtio)); -+ if (!virtio) -+ return -ENOMEM; -+ -+ virtio->openamp = openamp; -+ -+ ret = openamp_virtio_device_get(OPENAMP_SHEM_DEVICE_NAME, &virtio_dev); -+ if (ret < 0) -+ goto free_virtio; -+ -+ openamp_virtio_shm_set(virtio, &virtio_dev); -+ -+ ret = openamp_virtio_metal_init(&virtio->metal); -+ if (ret < 0) -+ goto free_virtio; -+ -+ ret = openamp_virtio_device_setup(virtio); -+ if (ret < 0) -+ goto finish_metal; -+ -+ ret = openamp_virtio_rpmsg_device_setup(virtio, &virtio_dev); -+ if (ret < 0) { -+ EMSG("openamp: virtio: rpmsg device setup failed: %d", ret); -+ goto finish_metal; -+ } -+ -+ openamp->platform = virtio; -+ -+ return 0; -+ -+finish_metal: -+ metal_finish(); -+ -+free_virtio: -+ free(virtio); -+ -+ return ret; -+} -+ -+int openamp_virtio_deinit(struct openamp_caller *openamp) -+{ -+ struct openamp_virtio *virtio; -+ -+ if (!openamp->platform) -+ return 0; -+ -+ virtio = openamp->platform; -+ -+ metal_finish(); -+ free(virtio); -+ -+ openamp->platform = NULL; -+ -+ return 0; -+} -diff --git a/components/rpc/openamp/caller/sp/openamp_virtio.h b/components/rpc/openamp/caller/sp/openamp_virtio.h -new file mode 100644 -index 000000000000..915128ff65ce ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_virtio.h -@@ -0,0 +1,24 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+#ifndef OPENAMP_VIRTIO_H -+#define OPENAMP_VIRTIO_H -+ -+#include <stddef.h> -+#include "openamp_caller.h" -+ -+int openamp_virtio_call_begin(struct openamp_caller *openamp, uint8_t **req_buf, -+ size_t req_len); -+int openamp_virtio_call_invoke(struct openamp_caller *openamp, int *opstatus, -+ uint8_t **resp_buf, size_t *resp_len); -+int openamp_virtio_call_end(struct openamp_caller *openamp); -+void *openamp_virtio_virt_to_phys(struct openamp_caller *openamp, void *va); -+void *openamp_virtio_phys_to_virt(struct openamp_caller *openamp, void *pa); -+ -+int openamp_virtio_init(struct openamp_caller *openamp); -+int openamp_virtio_deinit(struct openamp_caller *openamp); -+ -+#endif -diff --git a/deployments/se-proxy/opteesp/default_se-proxy.dts.in b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -index 267b4f923540..04c181586b06 100644 ---- a/deployments/se-proxy/opteesp/default_se-proxy.dts.in -+++ b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -@@ -32,5 +32,11 @@ - pages-count = <16>; - attributes = <0x3>; /* read-write */ - }; -+ openamp-virtio { -+ /* Armv8 A Foundation Platform values */ -+ base-address = <0x00000000 0x88000000>; -+ pages-count = <256>; -+ attributes = <0x3>; /* read-write */ -+ }; - }; - }; -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index d39873a0fe81..34fe5ff1b925 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -47,6 +47,7 @@ add_components(TARGET "se-proxy" - "components/service/attestation/include" - "components/service/attestation/provider" - "components/service/attestation/provider/serializer/packed-c" -+ "components/rpc/openamp/caller/sp" - - # Stub service provider backends - "components/rpc/dummy" --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0020-FMP-Support-in-Corstone1000.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch index ce40df0fd8..3d743d2827 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0020-FMP-Support-in-Corstone1000.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch @@ -1,7 +1,7 @@ -From 70cf374fb55f2d62ecbe28049253df33b42b6749 Mon Sep 17 00:00:00 2001 +From 5c8ac10337ac853d8a82992fb6e1d91b122b99d2 Mon Sep 17 00:00:00 2001 From: Satish Kumar <satish.kumar01@arm.com> Date: Fri, 8 Jul 2022 09:48:06 +0100 -Subject: [PATCH 20/20] FMP Support in Corstone1000. +Subject: [PATCH 3/6] FMP Support in Corstone1000. The FMP support is used by u-boot to pupolate ESRT information for the kernel. @@ -414,5 +414,5 @@ index 000000000000..95fba2a04d5c + +#endif /* CORSTONE1000_FMP_SERVICE_H */ -- -2.38.1 +2.40.0 diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-GetNextVariableName-Fix.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch index ed4e6e27a3..ed4e6e27a3 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-GetNextVariableName-Fix.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-add-psa-client-definitions-for-ff-m.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-add-psa-client-definitions-for-ff-m.patch deleted file mode 100644 index 84d418c131..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-add-psa-client-definitions-for-ff-m.patch +++ /dev/null @@ -1,298 +0,0 @@ -From fb6d2f33e26c7b6ef88d552feca1f835da3f0df6 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath <vishnu.banavath@arm.com> -Date: Fri, 3 Dec 2021 19:05:18 +0000 -Subject: [PATCH 04/20] add psa client definitions for ff-m - -Add PSA client definitions in common include to add future -ff-m support. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../service/common/include/psa/client.h | 194 ++++++++++++++++++ - components/service/common/include/psa/sid.h | 71 +++++++ - 2 files changed, 265 insertions(+) - create mode 100644 components/service/common/include/psa/client.h - create mode 100644 components/service/common/include/psa/sid.h - -diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h -new file mode 100644 -index 000000000000..69ccf14f40a3 ---- /dev/null -+++ b/components/service/common/include/psa/client.h -@@ -0,0 +1,194 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef SERVICE_PSA_IPC_H -+#define SERVICE_PSA_IPC_H -+ -+#include <stddef.h> -+#include <stdint.h> -+ -+#include <rpc_caller.h> -+#include <psa/error.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#ifndef IOVEC_LEN -+#define IOVEC_LEN(arr) ((uint32_t)(sizeof(arr)/sizeof(arr[0]))) -+#endif -+ -+/*********************** PSA Client Macros and Types *************************/ -+ -+typedef int32_t psa_handle_t; -+ -+/** -+ * The version of the PSA Framework API that is being used to build the calling -+ * firmware. Only part of features of FF-M v1.1 have been implemented. FF-M v1.1 -+ * is compatible with v1.0. -+ */ -+#define PSA_FRAMEWORK_VERSION (0x0101u) -+ -+/** -+ * Return value from psa_version() if the requested RoT Service is not present -+ * in the system. -+ */ -+#define PSA_VERSION_NONE (0u) -+ -+/** -+ * The zero-value null handle can be assigned to variables used in clients and -+ * RoT Services, indicating that there is no current connection or message. -+ */ -+#define PSA_NULL_HANDLE ((psa_handle_t)0) -+ -+/** -+ * Tests whether a handle value returned by psa_connect() is valid. -+ */ -+#define PSA_HANDLE_IS_VALID(handle) ((psa_handle_t)(handle) > 0) -+ -+/** -+ * Converts the handle value returned from a failed call psa_connect() into -+ * an error code. -+ */ -+#define PSA_HANDLE_TO_ERROR(handle) ((psa_status_t)(handle)) -+ -+/** -+ * Maximum number of input and output vectors for a request to psa_call(). -+ */ -+#define PSA_MAX_IOVEC (4u) -+ -+/** -+ * An IPC message type that indicates a generic client request. -+ */ -+#define PSA_IPC_CALL (0) -+ -+/** -+ * A read-only input memory region provided to an RoT Service. -+ */ -+struct __attribute__ ((__packed__)) psa_invec { -+ uint32_t base; /*!< the start address of the memory buffer */ -+ uint32_t len; /*!< the size in bytes */ -+}; -+ -+/** -+ * A writable output memory region provided to an RoT Service. -+ */ -+struct __attribute__ ((__packed__)) psa_outvec { -+ uint32_t base; /*!< the start address of the memory buffer */ -+ uint32_t len; /*!< the size in bytes */ -+}; -+ -+/*************************** PSA Client API **********************************/ -+ -+/** -+ * \brief Retrieve the version of the PSA Framework API that is implemented. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \return version The version of the PSA Framework implementation -+ * that is providing the runtime services to the -+ * caller. The major and minor version are encoded -+ * as follows: -+ * \arg version[15:8] -- major version number. -+ * \arg version[7:0] -- minor version number. -+ */ -+uint32_t psa_framework_version(struct rpc_caller *caller); -+ -+/** -+ * \brief Retrieve the version of an RoT Service or indicate that it is not -+ * present on this system. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] sid ID of the RoT Service to query. -+ * -+ * \retval PSA_VERSION_NONE The RoT Service is not implemented, or the -+ * caller is not permitted to access the service. -+ * \retval > 0 The version of the implemented RoT Service. -+ */ -+uint32_t psa_version(struct rpc_caller *caller, uint32_t sid); -+ -+/** -+ * \brief Connect to an RoT Service by its SID. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] sid ID of the RoT Service to connect to. -+ * \param[in] version Requested version of the RoT Service. -+ * -+ * \retval > 0 A handle for the connection. -+ * \retval PSA_ERROR_CONNECTION_REFUSED The SPM or RoT Service has refused the -+ * connection. -+ * \retval PSA_ERROR_CONNECTION_BUSY The SPM or RoT Service cannot make the -+ * connection at the moment. -+ * \retval "PROGRAMMER ERROR" The call is a PROGRAMMER ERROR if one or more -+ * of the following are true: -+ * \arg The RoT Service ID is not present. -+ * \arg The RoT Service version is not supported. -+ * \arg The caller is not allowed to access the RoT -+ * service. -+ */ -+psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, -+ uint32_t version); -+ -+/** -+ * \brief Call an RoT Service on an established connection. -+ * -+ * \note FF-M 1.0 proposes 6 parameters for psa_call but the secure gateway ABI -+ * support at most 4 parameters. TF-M chooses to encode 'in_len', -+ * 'out_len', and 'type' into a 32-bit integer to improve efficiency. -+ * Compared with struct-based encoding, this method saves extra memory -+ * check and memory copy operation. The disadvantage is that the 'type' -+ * range has to be reduced into a 16-bit integer. So with this encoding, -+ * the valid range for 'type' is 0-32767. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] handle A handle to an established connection. -+ * \param[in] type The request type. -+ * Must be zero( \ref PSA_IPC_CALL) or positive. -+ * \param[in] in_vec Array of input \ref psa_invec structures. -+ * \param[in] in_len Number of input \ref psa_invec structures. -+ * \param[in,out] out_vec Array of output \ref psa_outvec structures. -+ * \param[in] out_len Number of output \ref psa_outvec structures. -+ * -+ * \retval >=0 RoT Service-specific status value. -+ * \retval <0 RoT Service-specific error code. -+ * \retval PSA_ERROR_PROGRAMMER_ERROR The connection has been terminated by the -+ * RoT Service. The call is a PROGRAMMER ERROR if -+ * one or more of the following are true: -+ * \arg An invalid handle was passed. -+ * \arg The connection is already handling a request. -+ * \arg type < 0. -+ * \arg An invalid memory reference was provided. -+ * \arg in_len + out_len > PSA_MAX_IOVEC. -+ * \arg The message is unrecognized by the RoT -+ * Service or incorrectly formatted. -+ */ -+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle, -+ int32_t type, const struct psa_invec *in_vec, -+ size_t in_len, struct psa_outvec *out_vec, size_t out_len); -+ -+/** -+ * \brief Close a connection to an RoT Service. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] handle A handle to an established connection, or the -+ * null handle. -+ * -+ * \retval void Success. -+ * \retval "PROGRAMMER ERROR" The call is a PROGRAMMER ERROR if one or more -+ * of the following are true: -+ * \arg An invalid handle was provided that is not -+ * the null handle. -+ * \arg The connection is currently handling a -+ * request. -+ */ -+void psa_close(struct rpc_caller *caller, psa_handle_t handle); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* SERVICE_PSA_IPC_H */ -+ -+ -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -new file mode 100644 -index 000000000000..aaa973c6e987 ---- /dev/null -+++ b/components/service/common/include/psa/sid.h -@@ -0,0 +1,71 @@ -+/* -+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __PSA_MANIFEST_SID_H__ -+#define __PSA_MANIFEST_SID_H__ -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/******** TFM_SP_PS ********/ -+#define TFM_PROTECTED_STORAGE_SERVICE_SID (0x00000060U) -+#define TFM_PROTECTED_STORAGE_SERVICE_VERSION (1U) -+#define TFM_PROTECTED_STORAGE_SERVICE_HANDLE (0x40000101U) -+ -+/* Invalid UID */ -+#define TFM_PS_INVALID_UID 0 -+ -+/* PS message types that distinguish PS services. */ -+#define TFM_PS_SET 1001 -+#define TFM_PS_GET 1002 -+#define TFM_PS_GET_INFO 1003 -+#define TFM_PS_REMOVE 1004 -+#define TFM_PS_GET_SUPPORT 1005 -+ -+/******** TFM_SP_ITS ********/ -+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID (0x00000070U) -+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_VERSION (1U) -+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE (0x40000102U) -+ -+/******** TFM_SP_CRYPTO ********/ -+#define TFM_CRYPTO_SID (0x00000080U) -+#define TFM_CRYPTO_VERSION (1U) -+#define TFM_CRYPTO_HANDLE (0x40000100U) -+ -+/******** TFM_SP_PLATFORM ********/ -+#define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) -+#define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -+#define TFM_SP_PLATFORM_IOCTL_SID (0x00000041U) -+#define TFM_SP_PLATFORM_IOCTL_VERSION (1U) -+#define TFM_SP_PLATFORM_NV_COUNTER_SID (0x00000042U) -+#define TFM_SP_PLATFORM_NV_COUNTER_VERSION (1U) -+ -+/******** TFM_SP_INITIAL_ATTESTATION ********/ -+#define TFM_ATTESTATION_SERVICE_SID (0x00000020U) -+#define TFM_ATTESTATION_SERVICE_VERSION (1U) -+#define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U) -+ -+/******** TFM_SP_FWU ********/ -+#define TFM_FWU_WRITE_SID (0x000000A0U) -+#define TFM_FWU_WRITE_VERSION (1U) -+#define TFM_FWU_INSTALL_SID (0x000000A1U) -+#define TFM_FWU_INSTALL_VERSION (1U) -+#define TFM_FWU_ABORT_SID (0x000000A2U) -+#define TFM_FWU_ABORT_VERSION (1U) -+#define TFM_FWU_QUERY_SID (0x000000A3U) -+#define TFM_FWU_QUERY_VERSION (1U) -+#define TFM_FWU_REQUEST_REBOOT_SID (0x000000A4U) -+#define TFM_FWU_REQUEST_REBOOT_VERSION (1U) -+#define TFM_FWU_ACCEPT_SID (0x000000A5U) -+#define TFM_FWU_ACCEPT_VERSION (1U) -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __PSA_MANIFEST_SID_H__ */ --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Add-common-service-component-to-ipc-support.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Add-common-service-component-to-ipc-support.patch deleted file mode 100644 index df3cb2f4c2..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Add-common-service-component-to-ipc-support.patch +++ /dev/null @@ -1,295 +0,0 @@ -From 0311fc8f131fe7a2b0f4dd9988c610fda47394aa Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath <vishnu.banavath@arm.com> -Date: Fri, 3 Dec 2021 19:13:03 +0000 -Subject: [PATCH 05/20] Add common service component to ipc support - -Add support for inter processor communication for PSA -including, the openamp client side structures lib. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../service/common/psa_ipc/component.cmake | 13 ++ - .../service/common/psa_ipc/service_psa_ipc.c | 97 +++++++++++++ - .../psa_ipc/service_psa_ipc_openamp_lib.h | 131 ++++++++++++++++++ - deployments/se-proxy/se-proxy.cmake | 1 + - 4 files changed, 242 insertions(+) - create mode 100644 components/service/common/psa_ipc/component.cmake - create mode 100644 components/service/common/psa_ipc/service_psa_ipc.c - create mode 100644 components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h - -diff --git a/components/service/common/psa_ipc/component.cmake b/components/service/common/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..5a1c9e62e2f0 ---- /dev/null -+++ b/components/service/common/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/service_psa_ipc.c" -+ ) -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -new file mode 100644 -index 000000000000..e8093c20a523 ---- /dev/null -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -0,0 +1,97 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <stddef.h> -+#include <stdint.h> -+#include <string.h> -+#include <trace.h> -+ -+#include <protocols/rpc/common/packed-c/status.h> -+#include <psa/error.h> -+#include <rpc_caller.h> -+ -+#include <psa/client.h> -+#include "service_psa_ipc_openamp_lib.h" -+ -+psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, -+ uint32_t version) -+{ -+ psa_status_t psa_status = PSA_SUCCESS; -+ struct s_openamp_msg *resp_msg = NULL; -+ struct ns_openamp_msg *req_msg; -+ rpc_call_handle rpc_handle; -+ size_t resp_len; -+ uint8_t *resp; -+ uint8_t *req; -+ int ret; -+ -+ rpc_handle = rpc_caller_begin(caller, &req, -+ sizeof(struct ns_openamp_msg)); -+ if (!rpc_handle) { -+ EMSG("psa_connect: could not get handle"); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ req_msg = (struct ns_openamp_msg *)req; -+ -+ req_msg->call_type = OPENAMP_PSA_CONNECT; -+ req_msg->params.psa_connect_params.sid = sid; -+ req_msg->params.psa_connect_params.version = version; -+ -+ ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, -+ &resp_len); -+ if (ret != TS_RPC_CALL_ACCEPTED) { -+ EMSG("psa_connect: invoke failed: %d", ret); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ if (psa_status == PSA_SUCCESS) -+ resp_msg = (struct s_openamp_msg *)resp; -+ -+ rpc_caller_end(caller, rpc_handle); -+ -+ return resp_msg ? (psa_handle_t)resp_msg->reply : PSA_NULL_HANDLE; -+} -+ -+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle, -+ int32_t type, const struct psa_invec *in_vec, -+ size_t in_len, struct psa_outvec *out_vec, size_t out_len) -+{ -+ -+} -+ -+void psa_close(struct rpc_caller *caller, psa_handle_t handle) -+{ -+ psa_status_t psa_status = PSA_SUCCESS; -+ struct s_openamp_msg *resp_msg = NULL; -+ struct ns_openamp_msg *req_msg; -+ rpc_call_handle rpc_handle; -+ size_t resp_len; -+ uint8_t *resp; -+ uint8_t *req; -+ int ret; -+ -+ rpc_handle = rpc_caller_begin(caller, &req, -+ sizeof(struct ns_openamp_msg)); -+ if (!rpc_handle) { -+ EMSG("psa_close: could not get handle"); -+ return; -+ } -+ -+ req_msg = (struct ns_openamp_msg *)req; -+ -+ req_msg->call_type = OPENAMP_PSA_CLOSE; -+ req_msg->params.psa_close_params.handle = handle; -+ -+ ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, -+ &resp_len); -+ if (ret != TS_RPC_CALL_ACCEPTED) { -+ EMSG("psa_close: invoke failed: %d", ret); -+ return; -+ } -+ -+ rpc_caller_end(caller, rpc_handle); -+} -diff --git a/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h b/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h -new file mode 100644 -index 000000000000..33ea96660572 ---- /dev/null -+++ b/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h -@@ -0,0 +1,131 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef SERVICE_PSA_IPC_OPENAMP_LIB_H -+#define SERVICE_PSA_IPC_OPENAMP_LIB_H -+ -+#include <stddef.h> -+#include <stdint.h> -+ -+#include <compiler.h> -+#include <psa/error.h> -+ -+#include <stdint.h> -+#include <psa/client.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/* PSA client call type value */ -+#define OPENAMP_PSA_FRAMEWORK_VERSION (0x1) -+#define OPENAMP_PSA_VERSION (0x2) -+#define OPENAMP_PSA_CONNECT (0x3) -+#define OPENAMP_PSA_CALL (0x4) -+#define OPENAMP_PSA_CLOSE (0x5) -+ -+/* Return code of openamp APIs */ -+#define OPENAMP_SUCCESS (0) -+#define OPENAMP_MAP_FULL (INT32_MIN + 1) -+#define OPENAMP_MAP_ERROR (INT32_MIN + 2) -+#define OPENAMP_INVAL_PARAMS (INT32_MIN + 3) -+#define OPENAMP_NO_PERMS (INT32_MIN + 4) -+#define OPENAMP_NO_PEND_EVENT (INT32_MIN + 5) -+#define OPENAMP_CHAN_BUSY (INT32_MIN + 6) -+#define OPENAMP_CALLBACK_REG_ERROR (INT32_MIN + 7) -+#define OPENAMP_INIT_ERROR (INT32_MIN + 8) -+ -+#define HOLD_INPUT_BUFFER (1) /* IF true, TF-M Library will hold the openamp -+ * buffer so that openamp shared memory buffer -+ * does not get freed. -+ */ -+ -+/* -+ * This structure holds the parameters used in a PSA client call. -+ */ -+typedef struct __packed psa_client_in_params { -+ union { -+ struct __packed { -+ uint32_t sid; -+ } psa_version_params; -+ -+ struct __packed { -+ uint32_t sid; -+ uint32_t version; -+ } psa_connect_params; -+ -+ struct __packed { -+ psa_handle_t handle; -+ int32_t type; -+ uint32_t in_vec; -+ uint32_t in_len; -+ uint32_t out_vec; -+ uint32_t out_len; -+ } psa_call_params; -+ -+ struct __packed { -+ psa_handle_t handle; -+ } psa_close_params; -+ }; -+} psa_client_in_params_t; -+ -+/* Openamp message passed from NSPE to SPE to deliver a PSA client call */ -+struct __packed ns_openamp_msg { -+ uint32_t call_type; /* PSA client call type */ -+ struct psa_client_in_params params; /* Contain parameters used in PSA -+ * client call -+ */ -+ -+ int32_t client_id; /* Optional client ID of the -+ * non-secure caller. -+ * It is required to identify the -+ * non-secure task when NSPE OS -+ * enforces non-secure task -+ * isolation -+ */ -+ int32_t request_id; /* This is the unique ID for a -+ * request send to TF-M by the -+ * non-secure core. TF-M forward -+ * the ID back to non-secure on the -+ * reply to a given request. Using -+ * this id, the non-secure library -+ * can identify the request for -+ * which the reply has received. -+ */ -+}; -+ -+/* -+ * This structure holds the location of the out data of the PSA client call. -+ */ -+struct __packed psa_client_out_params { -+ uint32_t out_vec; -+ uint32_t out_len; -+}; -+ -+ -+/* Openamp message from SPE to NSPE delivering the reply back for a PSA client -+ * call. -+ */ -+struct __packed s_openamp_msg { -+ int32_t request_id; /* Using this id, the non-secure -+ * library identifies the request. -+ * TF-M forwards the same -+ * request-id received on the -+ * initial request. -+ */ -+ int32_t reply; /* Reply of the PSA client call */ -+ struct psa_client_out_params params; /* Contain out data result of the -+ * PSA client call. -+ */ -+}; -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* SERVICE_PSA_IPC_OPENAMP_LIB_H */ -+ -+ -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index 34fe5ff1b925..dd0c5d00c21e 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -24,6 +24,7 @@ add_components(TARGET "se-proxy" - "components/service/common/include" - "components/service/common/serializer/protobuf" - "components/service/common/client" -+ "components/service/common/psa_ipc" - "components/service/common/provider" - "components/service/discovery/provider" - "components/service/discovery/provider/serializer/packed-c" --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch new file mode 100644 index 0000000000..2fdd19e79f --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch @@ -0,0 +1,27 @@ +From 041d30bb9cc6857f5ef26ded154ff7126dafaa20 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Fri, 16 Jun 2023 10:47:48 +0100 +Subject: [PATCH] plat: corstone1000: add compile definitions for + ECP_DP_SECP512R1 + +Corstone1000 runs PSA-API tests which requires this ECC algorithm. +Without setting this, corstone1000 fails psa-api-crypto-test no 243. + +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +--- + platform/providers/arm/corstone1000/platform.cmake | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index dbdf1097..e7a295dd 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -14,3 +14,5 @@ target_compile_definitions(${TGT} PRIVATE + SMM_VARIABLE_INDEX_STORAGE_UID=0x787 + SMM_GATEWAY_MAX_UEFI_VARIABLES=100 + ) ++ ++add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +-- +2.17.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Add-secure-storage-ipc-backend.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Add-secure-storage-ipc-backend.patch deleted file mode 100644 index 74a83777df..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Add-secure-storage-ipc-backend.patch +++ /dev/null @@ -1,523 +0,0 @@ -From ed4371d63cb52c121be9678bc225055944286c30 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath <vishnu.banavath@arm.com> -Date: Fri, 3 Dec 2021 19:19:24 +0000 -Subject: [PATCH 06/20] Add secure storage ipc backend - -Add secure storage ipc ff-m implementation which may use -openamp as rpc to communicate with other processor. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../service/common/psa_ipc/service_psa_ipc.c | 143 +++++++++++- - .../secure_storage_ipc/component.cmake | 14 ++ - .../secure_storage_ipc/secure_storage_ipc.c | 214 ++++++++++++++++++ - .../secure_storage_ipc/secure_storage_ipc.h | 52 +++++ - deployments/se-proxy/se-proxy.cmake | 1 + - 5 files changed, 420 insertions(+), 4 deletions(-) - create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/component.cmake - create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c - create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h - -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -index e8093c20a523..95a07c135f31 100644 ---- a/components/service/common/psa_ipc/service_psa_ipc.c -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -16,6 +16,52 @@ - #include <psa/client.h> - #include "service_psa_ipc_openamp_lib.h" - -+static struct psa_invec *psa_call_in_vec_param(uint8_t *req) -+{ -+ return (struct psa_invec *)(req + sizeof(struct ns_openamp_msg)); -+} -+ -+static struct psa_outvec *psa_call_out_vec_param(uint8_t *req, size_t in_len) -+{ -+ return (struct psa_outvec *)(req + sizeof(struct ns_openamp_msg) + -+ (in_len * sizeof(struct psa_invec))); -+} -+ -+static size_t psa_call_header_len(const struct psa_invec *in_vec, size_t in_len, -+ struct psa_outvec *out_vec, size_t out_len) -+{ -+ return sizeof(struct ns_openamp_msg) + (in_len * sizeof(*in_vec)) + -+ (out_len * sizeof(*out_vec)); -+} -+ -+static size_t psa_call_in_vec_len(const struct psa_invec *in_vec, size_t in_len) -+{ -+ size_t req_len = 0; -+ int i; -+ -+ if (!in_vec || !in_len) -+ return 0; -+ -+ for (i = 0; i < in_len; i++) -+ req_len += in_vec[i].len; -+ -+ return req_len; -+} -+ -+static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_len) -+{ -+ size_t resp_len = 0; -+ int i; -+ -+ if (!out_vec || !out_len) -+ return 0; -+ -+ for (i = 0; i < out_len; i++) -+ resp_len += out_vec[i].len; -+ -+ return resp_len; -+} -+ - psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - uint32_t version) - { -@@ -31,7 +77,7 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - rpc_handle = rpc_caller_begin(caller, &req, - sizeof(struct ns_openamp_msg)); - if (!rpc_handle) { -- EMSG("psa_connect: could not get handle"); -+ EMSG("psa_connect: could not get rpc handle"); - return PSA_ERROR_GENERIC_ERROR; - } - -@@ -56,14 +102,100 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - return resp_msg ? (psa_handle_t)resp_msg->reply : PSA_NULL_HANDLE; - } - --psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle, -+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - int32_t type, const struct psa_invec *in_vec, - size_t in_len, struct psa_outvec *out_vec, size_t out_len) - { -+ psa_status_t psa_status = PSA_SUCCESS; -+ struct s_openamp_msg *resp_msg = NULL; -+ struct psa_outvec *out_vec_param; -+ struct psa_invec *in_vec_param; -+ struct ns_openamp_msg *req_msg; -+ rpc_call_handle rpc_handle; -+ size_t out_vec_len; -+ size_t in_vec_len; -+ size_t header_len; -+ uint8_t *payload; -+ size_t resp_len; -+ uint8_t *resp; -+ uint8_t *req; -+ int ret; -+ int i; -+ -+ if ((psa_handle == PSA_NULL_HANDLE) || !caller) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ header_len = psa_call_header_len(in_vec, in_len, out_vec, out_len); -+ in_vec_len = psa_call_in_vec_len(in_vec, in_len); -+ out_vec_len = psa_call_out_vec_len(out_vec, out_len); - -+ rpc_handle = rpc_caller_begin(caller, &req, header_len + in_vec_len); -+ if (!rpc_handle) { -+ EMSG("psa_call: could not get handle"); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ payload = req + header_len; -+ -+ out_vec_param = psa_call_out_vec_param(req, in_len); -+ in_vec_param = psa_call_in_vec_param(req); -+ -+ req_msg = (struct ns_openamp_msg *)req; -+ -+ req_msg->call_type = OPENAMP_PSA_CALL; -+ req_msg->request_id = 1234; -+ req_msg->params.psa_call_params.handle = psa_handle; -+ req_msg->params.psa_call_params.type = type; -+ req_msg->params.psa_call_params.in_len = in_len; -+ req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param); -+ req_msg->params.psa_call_params.out_len = out_len; -+ req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param); -+ -+ for (i = 0; i < in_len; i++) { -+ in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload); -+ in_vec_param[i].len = in_vec[i].len; -+ -+ memcpy(payload, in_vec[i].base, in_vec[i].len); -+ payload += in_vec[i].len; -+ } -+ -+ for (i = 0; i < out_len; i++) { -+ out_vec_param[i].base = NULL; -+ out_vec_param[i].len = out_vec[i].len; -+ } -+ -+ ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, -+ &resp_len); -+ if (ret != TS_RPC_CALL_ACCEPTED) { -+ EMSG("psa_call: invoke failed: %d", ret); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ if (psa_status != PSA_SUCCESS) { -+ EMSG("psa_call: psa_status invoke failed: %d", psa_status); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ resp_msg = (struct s_openamp_msg *)resp; -+ -+ if (!resp_msg || !out_len || resp_msg->reply != PSA_SUCCESS) -+ goto caller_end; -+ -+ out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller, -+ resp_msg->params.out_vec); -+ -+ for (i = 0; i < resp_msg->params.out_len; i++) { -+ memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), -+ out_vec[i].len); -+ } -+ -+caller_end: -+ rpc_caller_end(caller, rpc_handle); -+ -+ return resp_msg ? resp_msg->reply : PSA_ERROR_COMMUNICATION_FAILURE; - } - --void psa_close(struct rpc_caller *caller, psa_handle_t handle) -+void psa_close(struct rpc_caller *caller, psa_handle_t psa_handle) - { - psa_status_t psa_status = PSA_SUCCESS; - struct s_openamp_msg *resp_msg = NULL; -@@ -74,6 +206,9 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle) - uint8_t *req; - int ret; - -+ if ((psa_handle == PSA_NULL_HANDLE) || !caller) -+ return; -+ - rpc_handle = rpc_caller_begin(caller, &req, - sizeof(struct ns_openamp_msg)); - if (!rpc_handle) { -@@ -84,7 +219,7 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle) - req_msg = (struct ns_openamp_msg *)req; - - req_msg->call_type = OPENAMP_PSA_CLOSE; -- req_msg->params.psa_close_params.handle = handle; -+ req_msg->params.psa_close_params.handle = psa_handle; - - ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, - &resp_len); -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/component.cmake b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake -new file mode 100644 -index 000000000000..5d8f6714e0bd ---- /dev/null -+++ b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake -@@ -0,0 +1,14 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/secure_storage_ipc.c" -+ ) -+ -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -new file mode 100644 -index 000000000000..9b55f77dd395 ---- /dev/null -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -0,0 +1,214 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <protocols/rpc/common/packed-c/status.h> -+#include "secure_storage_ipc.h" -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <rpc_caller.h> -+#include <string.h> -+#include <trace.h> -+ -+ -+static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, -+ psa_storage_uid_t uid, size_t data_length, -+ const void *p_data, psa_storage_create_flags_t create_flags) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ { .base = p_data, .len = data_length }, -+ { .base = &create_flags, .len = sizeof(create_flags) }, -+ }; -+ -+ (void)client_id; -+ -+ ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; -+ -+ /* Validating input parameters */ -+ if (p_data == NULL) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); -+ if (psa_status < 0) -+ EMSG("ipc_set: psa_call failed: %d", psa_status); -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_get(void *context, -+ uint32_t client_id, -+ psa_storage_uid_t uid, -+ size_t data_offset, -+ size_t data_size, -+ void *p_data, -+ size_t *p_data_length) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ uint32_t offset = (uint32_t)data_offset; -+ struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ { .base = &offset, .len = sizeof(offset) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = p_data, .len = data_size }, -+ }; -+ -+ if (!p_data_length) { -+ EMSG("ipc_get: p_data_length not defined"); -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_GET, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ if (psa_status == PSA_SUCCESS) -+ *p_data_length = out_vec[0].len; -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_get_info(void *context, -+ uint32_t client_id, -+ psa_storage_uid_t uid, -+ struct psa_storage_info_t *p_info) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = p_info, .len = sizeof(*p_info) }, -+ }; -+ -+ (void)client_id; -+ -+ /* Validating input parameters */ -+ if (!p_info) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_GET_INFO, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ if (psa_status != PSA_SUCCESS) -+ EMSG("ipc_get_info: failed to psa_call: %d", psa_status); -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_remove(void *context, -+ uint32_t client_id, -+ psa_storage_uid_t uid) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ }; -+ -+ (void)client_id; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_REMOVE, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ if (psa_status != PSA_SUCCESS) -+ EMSG("ipc_remove: failed to psa_call: %d", psa_status); -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_create(void *context, -+ uint32_t client_id, -+ uint64_t uid, -+ size_t capacity, -+ uint32_t create_flags) -+{ -+ (void)context; -+ (void)uid; -+ (void)client_id; -+ (void)capacity; -+ (void)create_flags; -+ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static psa_status_t secure_storage_set_extended(void *context, -+ uint32_t client_id, -+ uint64_t uid, -+ size_t data_offset, -+ size_t data_length, -+ const void *p_data) -+{ -+ (void)context; -+ (void)uid; -+ (void)client_id; -+ (void)data_offset; -+ (void)data_length; -+ (void)p_data; -+ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static uint32_t secure_storage_get_support(void *context, uint32_t client_id) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ uint32_t support_flags; -+ struct psa_outvec out_vec[] = { -+ { .base = &support_flags, .len = sizeof(support_flags) }, -+ }; -+ -+ (void)client_id; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_GET_SUPPORT, NULL, 0, -+ out_vec, IOVEC_LEN(out_vec)); -+ if (psa_status != PSA_SUCCESS) -+ EMSG("ipc_get_support: failed to psa_call: %d", psa_status); -+ -+ return psa_status; -+} -+ -+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context, -+ struct rpc_caller *caller) -+{ -+ service_client_init(&context->client, caller); -+ -+ static const struct storage_backend_interface interface = -+ { -+ .set = secure_storage_ipc_set, -+ .get = secure_storage_ipc_get, -+ .get_info = secure_storage_ipc_get_info, -+ .remove = secure_storage_ipc_remove, -+ .create = secure_storage_ipc_create, -+ .set_extended = secure_storage_set_extended, -+ .get_support = secure_storage_get_support, -+ }; -+ -+ context->backend.context = context; -+ context->backend.interface = &interface; -+ -+ return &context->backend; -+} -+ -+void secure_storage_ipc_deinit(struct secure_storage_ipc *context) -+{ -+ service_client_deinit(&context->client); -+} -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -new file mode 100644 -index 000000000000..e8c1e8fd2f92 ---- /dev/null -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -@@ -0,0 +1,52 @@ -+/* -+ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef SECURE_STORAGE_IPC_H -+#define SECURE_STORAGE_IPC_H -+ -+#include <service/secure_storage/backend/storage_backend.h> -+#include <service/common/client/service_client.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * @brief Secure storage ipc instance -+ */ -+struct secure_storage_ipc -+{ -+ struct storage_backend backend; -+ struct service_client client; -+}; -+ -+/** -+ * @brief Initialize a secure storage ipc client -+ * -+ * A secure storage client is a storage backend that makes RPC calls -+ * to a remote secure storage provider. -+ * -+ * @param[in] context Instance data -+ * @param[in] rpc_caller RPC caller instance -+ * -+ * -+ * @return Pointer to inialized storage backend or NULL on failure -+ */ -+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context, -+ struct rpc_caller *caller); -+ -+/** -+ * @brief Deinitialize a secure storage ipc client -+ * -+ * @param[in] context Instance data -+ */ -+void secure_storage_ipc_deinit(struct secure_storage_ipc *context); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* SECURE_STORAGE_IPC_H */ -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index dd0c5d00c21e..cd51460406ca 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -45,6 +45,7 @@ add_components(TARGET "se-proxy" - "components/service/crypto/factory/full" - "components/service/secure_storage/include" - "components/service/secure_storage/frontend/secure_storage_provider" -+ "components/service/secure_storage/backend/secure_storage_ipc" - "components/service/attestation/include" - "components/service/attestation/provider" - "components/service/attestation/provider/serializer/packed-c" --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0023-Use-the-stateless-platform-service.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch index 824196c11a..4e9d5c2e13 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0023-Use-the-stateless-platform-service.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch @@ -1,21 +1,21 @@ -From 956b8a8e1dd5702b9c1657f4ec27a7aeddb0758e Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Date: Mon, 21 Nov 2022 00:08:20 +0000 -Subject: [PATCH] Use the stateless platform service calls - -Calls to psa_connect is not needed and psa_call can be called -directly with a pre defined handle. +From a71e99045996c57a4f80509ae8b770aa4f73f6c0 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Sun, 18 Jun 2023 14:38:42 +0100 +Subject: [PATCH] plat: corstone1000: Use the stateless platform service calls + Calls to psa_connect is not needed and psa_call can be called directly with a + pre defined handle. Signed-off-by: Satish Kumar <satish.kumar01@arm.com> Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Upstream-Status: Inappropriate [Design is to revisted] +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +Upstream-Status: Inappropriate [Design is to revisted] --- .../provider/capsule_update_provider.c | 24 ++++--------------- .../provider/corstone1000_fmp_service.c | 10 ++++---- .../provider/corstone1000_fmp_service.h | 3 +-- - components/service/common/include/psa/sid.h | 6 +++++ - 4 files changed, 16 insertions(+), 27 deletions(-) + components/service/common/include/psa/sid.h | 7 ++++++ + 4 files changed, 17 insertions(+), 27 deletions(-) diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c index 991a2235..6809249f 100644 @@ -119,22 +119,23 @@ index 95fba2a0..963223e8 100644 #ifdef __cplusplus } /* extern "C" */ diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 7a29cc25..8103a9af 100644 +index 5aaa659d..fc3a4fb0 100644 --- a/components/service/common/include/psa/sid.h +++ b/components/service/common/include/psa/sid.h -@@ -37,6 +37,12 @@ extern "C" { +@@ -40,6 +40,13 @@ extern "C" { #define TFM_CRYPTO_VERSION (1U) #define TFM_CRYPTO_HANDLE (0x40000100U) -+ +/******** TFM_PLATFORM_SERVICE *******/ +#define TFM_PLATFORM_API_ID_IOCTL (1013) +#define TFM_PLATFORM_SERVICE_HANDLE (0x40000105U) + -+ - /** - * \brief Define a progressive numerical value for each SID which can be used - * when dispatching the requests to the service ++/** ++ * \brief Define a progressive numerical value for each SID which can be used ++ * when dispatching the requests to the service + /******** TFM_SP_PLATFORM ********/ + #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) + #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -- -2.25.1 +2.17.1 diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch deleted file mode 100644 index ad33295d41..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d1377a5ed909e3a1d9caca56aeda262a80322a4b Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath <vishnu.banavath@arm.com> -Date: Fri, 3 Dec 2021 19:25:34 +0000 -Subject: [PATCH 07/20] Use secure storage ipc and openamp for se_proxy - -Remove mock up backend for secure storage in se proxy -deployment and use instead the secure storage ipc backend with -openamp as rpc to secure enclave side. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../se-proxy/common/service_proxy_factory.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index acfb6e8873fa..57290056d614 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -6,15 +6,20 @@ - - #include <stddef.h> - #include <rpc/common/endpoint/rpc_interface.h> -+#include <rpc/openamp/caller/sp/openamp_caller.h> - #include <service/attestation/provider/attest_provider.h> - #include <service/attestation/provider/serializer/packed-c/packedc_attest_provider_serializer.h> - #include <service/crypto/factory/crypto_provider_factory.h> - #include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h> -+#include <trace.h> - - /* Stub backends */ - #include <service/crypto/backend/stub/stub_crypto_backend.h> -+#include <service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h> - #include <service/secure_storage/backend/mock_store/mock_store.h> - -+struct openamp_caller openamp; -+ - struct rpc_interface *attest_proxy_create(void) - { - struct rpc_interface *attest_iface; -@@ -47,10 +52,15 @@ struct rpc_interface *crypto_proxy_create(void) - - struct rpc_interface *ps_proxy_create(void) - { -- static struct mock_store ps_backend; - static struct secure_storage_provider ps_provider; -- -- struct storage_backend *backend = mock_store_init(&ps_backend); -+ static struct secure_storage_ipc ps_backend; -+ static struct rpc_caller *storage_caller; -+ struct storage_backend *backend; -+ -+ storage_caller = openamp_caller_init(&openamp); -+ if (!storage_caller) -+ return NULL; -+ backend = secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller); - - return secure_storage_provider_init(&ps_provider, backend); - } --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch new file mode 100644 index 0000000000..3e6f606c5d --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch @@ -0,0 +1,78 @@ +From b5b31064959665f4cc616733be3d989ae4356636 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Sun, 18 Jun 2023 16:05:27 +0100 +Subject: [PATCH] plat: corstone1000: Initialize capsule update provider + +Initializes the capsule update service provider in se-proxy-sp.c deployment +for corstone1000. + +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +Upstream-Status: Inappropriate [Design is to revisted] + +--- + deployments/se-proxy/env/commonsp/se_proxy_sp.c | 3 +++ + .../infra/corstone1000/service_proxy_factory.c | 17 +++++++++++++++++ + .../se-proxy/infra/service_proxy_factory.h | 1 + + 3 files changed, 21 insertions(+) + +diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c +index 45fcb385..dc2a9d49 100644 +--- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c ++++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c +@@ -77,6 +77,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info) + } + rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface); + ++ rpc_iface = capsule_update_proxy_create(); ++ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface); ++ + /* End of boot phase */ + result = sp_msg_wait(&req_msg); + if (result != SP_RESULT_OK) { +diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c +index bacab1de..32d88c97 100644 +--- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c ++++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c +@@ -14,6 +14,7 @@ + #include <service/crypto/factory/crypto_provider_factory.h> + #include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h> + #include <trace.h> ++#include <service/capsule_update/provider/capsule_update_provider.h> + + /* backends */ + #include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> +@@ -94,3 +95,19 @@ struct rpc_interface *its_proxy_create(void) + + return secure_storage_provider_init(&its_provider, backend); + } ++ ++struct rpc_interface *capsule_update_proxy_create(void) ++{ ++ static struct capsule_update_provider capsule_update_provider; ++ static struct rpc_caller *capsule_update_caller; ++ ++ capsule_update_caller = psa_ipc_caller_init(&psa_ipc); ++ ++ if (!capsule_update_caller) ++ return NULL; ++ ++ capsule_update_provider.client.caller = capsule_update_caller; ++ ++ return capsule_update_provider_init(&capsule_update_provider); ++} ++ +diff --git a/deployments/se-proxy/infra/service_proxy_factory.h b/deployments/se-proxy/infra/service_proxy_factory.h +index 298d407a..02aa7fe2 100644 +--- a/deployments/se-proxy/infra/service_proxy_factory.h ++++ b/deployments/se-proxy/infra/service_proxy_factory.h +@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void); + struct rpc_interface *crypto_proxy_create(void); + struct rpc_interface *ps_proxy_create(void); + struct rpc_interface *its_proxy_create(void); ++struct rpc_interface *capsule_update_proxy_create(void); + + #ifdef __cplusplus + } +-- +2.17.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-Run-psa-arch-test.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-Run-psa-arch-test.patch deleted file mode 100644 index ab57688276..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-Run-psa-arch-test.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 1b50ab6b6ff1c6f27ab320e18fb0d4aeb1122f0d Mon Sep 17 00:00:00 2001 -From: Satish Kumar <satish.kumar01@arm.com> -Date: Sun, 12 Dec 2021 10:43:48 +0000 -Subject: [PATCH 08/20] Run psa-arch-test - -Fixes needed to run psa-arch-test - -Upstream-Status: Pending -Signed-off-by: Satish Kumar <satish.kumar01@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - components/service/common/psa_ipc/service_psa_ipc.c | 1 + - .../backend/secure_storage_ipc/secure_storage_ipc.c | 8 -------- - .../service/secure_storage/include/psa/storage_common.h | 4 ++-- - 3 files changed, 3 insertions(+), 10 deletions(-) - -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -index 95a07c135f31..5e5815dbc9cf 100644 ---- a/components/service/common/psa_ipc/service_psa_ipc.c -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -185,6 +185,7 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - resp_msg->params.out_vec); - - for (i = 0; i < resp_msg->params.out_len; i++) { -+ out_vec[i].len = out_vec_param[i].len; - memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), - out_vec[i].len); - } -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -index 9b55f77dd395..a1f369db253e 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -31,10 +31,6 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, - - ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; - -- /* Validating input parameters */ -- if (p_data == NULL) -- return PSA_ERROR_INVALID_ARGUMENT; -- - psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, - TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); - if (psa_status < 0) -@@ -96,10 +92,6 @@ static psa_status_t secure_storage_ipc_get_info(void *context, - - (void)client_id; - -- /* Validating input parameters */ -- if (!p_info) -- return PSA_ERROR_INVALID_ARGUMENT; -- - psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, - TFM_PS_GET_INFO, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -diff --git a/components/service/secure_storage/include/psa/storage_common.h b/components/service/secure_storage/include/psa/storage_common.h -index 4f6ba2a7d822..1fd6b40dc803 100644 ---- a/components/service/secure_storage/include/psa/storage_common.h -+++ b/components/service/secure_storage/include/psa/storage_common.h -@@ -20,8 +20,8 @@ typedef uint64_t psa_storage_uid_t; - typedef uint32_t psa_storage_create_flags_t; - - struct psa_storage_info_t { -- size_t capacity; -- size_t size; -+ uint32_t capacity; -+ uint32_t size; - psa_storage_create_flags_t flags; - }; - --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Use-address-instead-of-pointers.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Use-address-instead-of-pointers.patch deleted file mode 100644 index 3295fa9bd9..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Use-address-instead-of-pointers.patch +++ /dev/null @@ -1,168 +0,0 @@ -From a6fba503ffddae004e23b32559212e749e8586f6 Mon Sep 17 00:00:00 2001 -From: Satish Kumar <satish.kumar01@arm.com> -Date: Sun, 12 Dec 2021 10:57:17 +0000 -Subject: [PATCH 09/20] Use address instead of pointers - -Since secure enclave is 32bit and we 64bit there is an issue -in the protocol communication design that force us to handle -on our side the manipulation of address and pointers to make -this work. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar <satish.kumar01@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../service/common/include/psa/client.h | 15 ++++++++++++++ - .../service/common/psa_ipc/service_psa_ipc.c | 20 ++++++++++++------- - .../secure_storage_ipc/secure_storage_ipc.c | 20 +++++++++---------- - 3 files changed, 38 insertions(+), 17 deletions(-) - -diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h -index 69ccf14f40a3..12dcd68f8a76 100644 ---- a/components/service/common/include/psa/client.h -+++ b/components/service/common/include/psa/client.h -@@ -81,6 +81,21 @@ struct __attribute__ ((__packed__)) psa_outvec { - uint32_t len; /*!< the size in bytes */ - }; - -+static void *psa_u32_to_ptr(uint32_t addr) -+{ -+ return (void *)(uintptr_t)addr; -+} -+ -+static uint32_t psa_ptr_to_u32(void *ptr) -+{ -+ return (uintptr_t)ptr; -+} -+ -+static uint32_t psa_ptr_const_to_u32(const void *ptr) -+{ -+ return (uintptr_t)ptr; -+} -+ - /*************************** PSA Client API **********************************/ - - /** -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -index 5e5815dbc9cf..435c6c0a2eba 100644 ---- a/components/service/common/psa_ipc/service_psa_ipc.c -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -62,6 +62,11 @@ static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_ - return resp_len; - } - -+static uint32_t psa_virt_to_phys_u32(struct rpc_caller *caller, void *va) -+{ -+ return (uintptr_t)rpc_caller_virt_to_phys(caller, va); -+} -+ - psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - uint32_t version) - { -@@ -147,20 +152,20 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - req_msg->params.psa_call_params.handle = psa_handle; - req_msg->params.psa_call_params.type = type; - req_msg->params.psa_call_params.in_len = in_len; -- req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param); -+ req_msg->params.psa_call_params.in_vec = psa_virt_to_phys_u32(caller, in_vec_param); - req_msg->params.psa_call_params.out_len = out_len; -- req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param); -+ req_msg->params.psa_call_params.out_vec = psa_virt_to_phys_u32(caller, out_vec_param); - - for (i = 0; i < in_len; i++) { -- in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload); -+ in_vec_param[i].base = psa_virt_to_phys_u32(caller, payload); - in_vec_param[i].len = in_vec[i].len; - -- memcpy(payload, in_vec[i].base, in_vec[i].len); -+ memcpy(payload, psa_u32_to_ptr(in_vec[i].base), in_vec[i].len); - payload += in_vec[i].len; - } - - for (i = 0; i < out_len; i++) { -- out_vec_param[i].base = NULL; -+ out_vec_param[i].base = 0; - out_vec_param[i].len = out_vec[i].len; - } - -@@ -182,11 +187,12 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - goto caller_end; - - out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller, -- resp_msg->params.out_vec); -+ psa_u32_to_ptr(resp_msg->params.out_vec)); - - for (i = 0; i < resp_msg->params.out_len; i++) { - out_vec[i].len = out_vec_param[i].len; -- memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), -+ memcpy(psa_u32_to_ptr(out_vec[i].base), -+ rpc_caller_phys_to_virt(caller, psa_u32_to_ptr(out_vec_param[i].base)), - out_vec[i].len); - } - -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -index a1f369db253e..bda442a61d5c 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -22,9 +22,9 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, - psa_handle_t psa_handle; - psa_status_t psa_status; - struct psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -- { .base = p_data, .len = data_length }, -- { .base = &create_flags, .len = sizeof(create_flags) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, -+ { .base = psa_ptr_const_to_u32(p_data), .len = data_length }, -+ { .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) }, - }; - - (void)client_id; -@@ -53,11 +53,11 @@ static psa_status_t secure_storage_ipc_get(void *context, - psa_status_t psa_status; - uint32_t offset = (uint32_t)data_offset; - struct psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -- { .base = &offset, .len = sizeof(offset) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, -+ { .base = psa_ptr_to_u32(&offset), .len = sizeof(offset) }, - }; - struct psa_outvec out_vec[] = { -- { .base = p_data, .len = data_size }, -+ { .base = psa_ptr_to_u32(p_data), .len = data_size }, - }; - - if (!p_data_length) { -@@ -84,10 +84,10 @@ static psa_status_t secure_storage_ipc_get_info(void *context, - psa_handle_t psa_handle; - psa_status_t psa_status; - struct psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, - }; - struct psa_outvec out_vec[] = { -- { .base = p_info, .len = sizeof(*p_info) }, -+ { .base = psa_ptr_to_u32(p_info), .len = sizeof(*p_info) }, - }; - - (void)client_id; -@@ -110,7 +110,7 @@ static psa_status_t secure_storage_ipc_remove(void *context, - psa_handle_t psa_handle; - psa_status_t psa_status; - struct psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, - }; - - (void)client_id; -@@ -164,7 +164,7 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id) - psa_status_t psa_status; - uint32_t support_flags; - struct psa_outvec out_vec[] = { -- { .base = &support_flags, .len = sizeof(support_flags) }, -+ { .base = psa_ptr_to_u32(&support_flags), .len = sizeof(support_flags) }, - }; - - (void)client_id; --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch deleted file mode 100644 index 2d0725cb24..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch +++ /dev/null @@ -1,323 +0,0 @@ -From b142f3c162fb1c28982d26b5ac2181ba79197a28 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva <rui.silva@linaro.org> -Date: Tue, 7 Dec 2021 11:50:00 +0000 -Subject: [PATCH 10/20] Add psa ipc attestation to se proxy - -Implement attestation client API as psa ipc and include it to -se proxy deployment. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar <satish.kumar01@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../client/psa_ipc/component.cmake | 13 +++ - .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++ - .../reporter/psa_ipc/component.cmake | 13 +++ - .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++ - components/service/common/include/psa/sid.h | 4 + - .../se-proxy/common/service_proxy_factory.c | 6 ++ - deployments/se-proxy/se-proxy.cmake | 7 +- - ...ble-using-hard-coded-attestation-key.patch | 29 ------- - external/psa_arch_tests/psa_arch_tests.cmake | 4 - - 9 files changed, 171 insertions(+), 36 deletions(-) - create mode 100644 components/service/attestation/client/psa_ipc/component.cmake - create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c - create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake - create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c - delete mode 100644 external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch - -diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..a5bc6b4a387e ---- /dev/null -+++ b/components/service/attestation/client/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c" -+ ) -diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c -new file mode 100644 -index 000000000000..30bd0a13a385 ---- /dev/null -+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c -@@ -0,0 +1,86 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <stddef.h> -+#include <string.h> -+ -+#include "../psa/iat_client.h" -+#include <protocols/rpc/common/packed-c/status.h> -+#include <psa/initial_attestation.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+ -+/** -+ * @brief The singleton psa_iat_client instance -+ * -+ * The psa attestation C API assumes a single backend service provider. -+ */ -+static struct service_client instance; -+ -+ -+psa_status_t psa_iat_client_init(struct rpc_caller *caller) -+{ -+ return service_client_init(&instance, caller); -+} -+ -+void psa_iat_client_deinit(void) -+{ -+ service_client_deinit(&instance); -+} -+ -+int psa_iat_client_rpc_status(void) -+{ -+ return instance.rpc_status; -+} -+ -+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge, -+ size_t challenge_size, -+ uint8_t *token_buf, -+ size_t token_buf_size, -+ size_t *token_size) -+{ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller *caller = instance.caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size}, -+ }; -+ -+ if (!token_buf || !token_buf_size) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, -+ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ if (status == PSA_SUCCESS) { -+ *token_size = out_vec[0].len; -+ } -+ -+ return status; -+} -+ -+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size, -+ size_t *token_size) -+{ -+ struct rpc_caller *caller = instance.caller; -+ psa_status_t status; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)} -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, -+ TFM_ATTEST_GET_TOKEN_SIZE, -+ in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..b37830c618fe ---- /dev/null -+++ b/components/service/attestation/reporter/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c" -+ ) -diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c -new file mode 100644 -index 000000000000..15805e8ed4b1 ---- /dev/null -+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c -@@ -0,0 +1,45 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+/** -+ * A attestation reporter for psa ipc -+ */ -+ -+#include <stddef.h> -+#include <psa/error.h> -+#include <service/attestation/reporter/attest_report.h> -+#include <psa/initial_attestation.h> -+ -+#define TOKEN_BUF_SIZE 1024 -+ -+static uint8_t token_buf[TOKEN_BUF_SIZE]; -+ -+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data, -+ size_t auth_challenge_len, const uint8_t **report, -+ size_t *report_len) -+{ -+ *report = token_buf; -+ psa_status_t ret; -+ size_t token_size = 0; -+ -+ ret = psa_initial_attest_get_token(auth_challenge_data, -+ auth_challenge_len, token_buf, -+ TOKEN_BUF_SIZE, &token_size); -+ if (ret != PSA_SUCCESS) { -+ *report = NULL; -+ *report_len = 0; -+ return ret; -+ } -+ -+ *report_len = token_size; -+ -+ return PSA_SUCCESS; -+} -+ -+void attest_report_destroy(const uint8_t *report) -+{ -+ (void)report; -+} -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index aaa973c6e987..833f5039425f 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -50,6 +50,10 @@ extern "C" { - #define TFM_ATTESTATION_SERVICE_VERSION (1U) - #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U) - -+/* Initial Attestation message types that distinguish Attest services. */ -+#define TFM_ATTEST_GET_TOKEN 1001 -+#define TFM_ATTEST_GET_TOKEN_SIZE 1002 -+ - /******** TFM_SP_FWU ********/ - #define TFM_FWU_WRITE_SID (0x000000A0U) - #define TFM_FWU_WRITE_VERSION (1U) -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 57290056d614..4b8cceccbe4d 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -23,12 +23,18 @@ struct openamp_caller openamp; - struct rpc_interface *attest_proxy_create(void) - { - struct rpc_interface *attest_iface; -+ struct rpc_caller *attest_caller; - - /* Static objects for proxy instance */ - static struct attest_provider attest_provider; - -+ attest_caller = openamp_caller_init(&openamp); -+ if (!attest_caller) -+ return NULL; -+ - /* Initialize the service provider */ - attest_iface = attest_provider_init(&attest_provider); -+ psa_iat_client_init(&openamp.rpc_caller); - - attest_provider_register_serializer(&attest_provider, - TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance()); -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index cd51460406ca..3dbbc36c968d 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -49,14 +49,15 @@ add_components(TARGET "se-proxy" - "components/service/attestation/include" - "components/service/attestation/provider" - "components/service/attestation/provider/serializer/packed-c" -+ "components/service/attestation/reporter/psa_ipc" -+ "components/service/attestation/client/psa_ipc" - "components/rpc/openamp/caller/sp" - - # Stub service provider backends - "components/rpc/dummy" - "components/rpc/common/caller" -- "components/service/attestation/reporter/stub" -- "components/service/attestation/key_mngr/stub" -- "components/service/crypto/backend/stub" -+ "components/service/attestation/key_mngr/local" -+ "components/service/crypto/backend/psa_ipc" - "components/service/crypto/client/psa" - "components/service/secure_storage/backend/mock_store" - ) -diff --git a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch b/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch -deleted file mode 100644 -index 6664961ab662..000000000000 ---- a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch -+++ /dev/null -@@ -1,29 +0,0 @@ --From dbd25f94eb62a9855bf342dd97503a49ea50f83e Mon Sep 17 00:00:00 2001 --From: Gyorgy Szing <Gyorgy.Szing@arm.com> --Date: Tue, 8 Feb 2022 17:06:37 +0000 --Subject: [PATCH 1/1] Disable using hard-coded attestation key -- --Modify platform config to disable using a hard-coded attestation --key. -- --Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> ----- -- api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h | 2 +- -- 1 file changed, 1 insertion(+), 1 deletion(-) -- --diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --index 6112ba7..1cdf581 100755 ----- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --+++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --@@ -60,7 +60,7 @@ typedef uint32_t cfg_id_t; -- #define CRYPTO_VERSION_BETA3 -- -- /* Use hardcoded public key */ ---#define PLATFORM_OVERRIDE_ATTEST_PK --+//#define PLATFORM_OVERRIDE_ATTEST_PK -- -- /* -- * Include of PSA defined Header files ---- --2.17.1 -- -diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake -index a8b77a1fc05e..1995df3e0b49 100644 ---- a/external/psa_arch_tests/psa_arch_tests.cmake -+++ b/external/psa_arch_tests/psa_arch_tests.cmake -@@ -15,10 +15,6 @@ set(GIT_OPTIONS - GIT_REPOSITORY ${PSA_ARCH_TESTS_URL} - GIT_TAG ${PSA_ARCH_TESTS_REFSPEC} - GIT_SHALLOW FALSE -- PATCH_COMMAND git stash -- COMMAND git tag -f ts-before-am -- COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-Disable-using-hard-coded-attestation-key.patch -- COMMAND git reset ts-before-am - ) - - # Ensure list of defines is separated correctly --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch deleted file mode 100644 index 5803cc17dc..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch +++ /dev/null @@ -1,163 +0,0 @@ -From 4240977f7c38950f5edb316bb08ae05cb7b99875 Mon Sep 17 00:00:00 2001 -From: Satish Kumar <satish.kumar01@arm.com> -Date: Thu, 9 Dec 2021 14:11:06 +0000 -Subject: [PATCH 11/20] Setup its backend as openamp rpc using secure storage - ipc implementation. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar <satish.kumar01@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - components/service/common/include/psa/sid.h | 12 +++++----- - .../secure_storage_ipc/secure_storage_ipc.c | 20 ++++++++--------- - .../secure_storage_ipc/secure_storage_ipc.h | 1 + - .../se-proxy/common/service_proxy_factory.c | 22 +++++++++++++------ - 4 files changed, 32 insertions(+), 23 deletions(-) - -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 833f5039425f..4a951d4a3502 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -20,12 +20,12 @@ extern "C" { - /* Invalid UID */ - #define TFM_PS_INVALID_UID 0 - --/* PS message types that distinguish PS services. */ --#define TFM_PS_SET 1001 --#define TFM_PS_GET 1002 --#define TFM_PS_GET_INFO 1003 --#define TFM_PS_REMOVE 1004 --#define TFM_PS_GET_SUPPORT 1005 -+/* PS / ITS message types that distinguish PS services. */ -+#define TFM_PS_ITS_SET 1001 -+#define TFM_PS_ITS_GET 1002 -+#define TFM_PS_ITS_GET_INFO 1003 -+#define TFM_PS_ITS_REMOVE 1004 -+#define TFM_PS_ITS_GET_SUPPORT 1005 - - /******** TFM_SP_ITS ********/ - #define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID (0x00000070U) -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -index bda442a61d5c..0e1b48c0d2e2 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -31,8 +31,8 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, - - ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); -+ psa_status = psa_call(caller, ipc->service_handle, TFM_PS_ITS_SET, -+ in_vec, IOVEC_LEN(in_vec), NULL, 0); - if (psa_status < 0) - EMSG("ipc_set: psa_call failed: %d", psa_status); - -@@ -65,8 +65,8 @@ static psa_status_t secure_storage_ipc_get(void *context, - return PSA_ERROR_INVALID_ARGUMENT; - } - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_GET, in_vec, IOVEC_LEN(in_vec), -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec), - out_vec, IOVEC_LEN(out_vec)); - if (psa_status == PSA_SUCCESS) - *p_data_length = out_vec[0].len; -@@ -92,8 +92,8 @@ static psa_status_t secure_storage_ipc_get_info(void *context, - - (void)client_id; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_GET_INFO, in_vec, -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_GET_INFO, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - if (psa_status != PSA_SUCCESS) - EMSG("ipc_get_info: failed to psa_call: %d", psa_status); -@@ -115,8 +115,8 @@ static psa_status_t secure_storage_ipc_remove(void *context, - - (void)client_id; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_REMOVE, in_vec, -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_REMOVE, in_vec, - IOVEC_LEN(in_vec), NULL, 0); - if (psa_status != PSA_SUCCESS) - EMSG("ipc_remove: failed to psa_call: %d", psa_status); -@@ -169,8 +169,8 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id) - - (void)client_id; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_GET_SUPPORT, NULL, 0, -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_GET_SUPPORT, NULL, 0, - out_vec, IOVEC_LEN(out_vec)); - if (psa_status != PSA_SUCCESS) - EMSG("ipc_get_support: failed to psa_call: %d", psa_status); -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -index e8c1e8fd2f92..d9949f6a9305 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -@@ -21,6 +21,7 @@ struct secure_storage_ipc - { - struct storage_backend backend; - struct service_client client; -+ int32_t service_handle; - }; - - /** -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 4b8cceccbe4d..1110ac46bf8b 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -5,6 +5,7 @@ - */ - - #include <stddef.h> -+#include <psa/sid.h> - #include <rpc/common/endpoint/rpc_interface.h> - #include <rpc/openamp/caller/sp/openamp_caller.h> - #include <service/attestation/provider/attest_provider.h> -@@ -60,23 +61,30 @@ struct rpc_interface *ps_proxy_create(void) - { - static struct secure_storage_provider ps_provider; - static struct secure_storage_ipc ps_backend; -- static struct rpc_caller *storage_caller; -+ struct rpc_caller *storage_caller; - struct storage_backend *backend; - - storage_caller = openamp_caller_init(&openamp); - if (!storage_caller) - return NULL; - backend = secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller); -+ ps_backend.service_handle = TFM_PROTECTED_STORAGE_SERVICE_HANDLE; - - return secure_storage_provider_init(&ps_provider, backend); - } - - struct rpc_interface *its_proxy_create(void) - { -- static struct mock_store its_backend; -- static struct secure_storage_provider its_provider; -- -- struct storage_backend *backend = mock_store_init(&its_backend); -- -- return secure_storage_provider_init(&its_provider, backend); -+ static struct secure_storage_provider its_provider; -+ static struct secure_storage_ipc its_backend; -+ struct rpc_caller *storage_caller; -+ struct storage_backend *backend; -+ -+ storage_caller = openamp_caller_init(&openamp); -+ if (!storage_caller) -+ return NULL; -+ backend = secure_storage_ipc_init(&its_backend, &openamp.rpc_caller); -+ its_backend.service_handle = TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE; -+ -+ return secure_storage_provider_init(&its_provider, backend); - } --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-add-psa-ipc-crypto-backend.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-add-psa-ipc-crypto-backend.patch deleted file mode 100644 index 67ea7b8c56..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-add-psa-ipc-crypto-backend.patch +++ /dev/null @@ -1,2570 +0,0 @@ -From 0b5d96b1a9f927dc141047600edf2249af7022c5 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva <rui.silva@linaro.org> -Date: Thu, 9 Dec 2021 14:17:39 +0000 -Subject: [PATCH 12/20] add psa ipc crypto backend - -Add psa ipc crypto backend and attach it to se proxy -deployment. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - components/service/common/include/psa/sid.h | 73 +++++ - .../crypto/backend/psa_ipc/component.cmake | 21 ++ - .../backend/psa_ipc/crypto_ipc_backend.c | 26 ++ - .../backend/psa_ipc/crypto_ipc_backend.h | 70 ++++ - .../client/caller/psa_ipc/crypto_caller.h | 34 ++ - .../caller/psa_ipc/crypto_caller_aead.h | 252 +++++++++++++++ - .../crypto_caller_asymmetric_decrypt.h | 76 +++++ - .../crypto_caller_asymmetric_encrypt.h | 76 +++++ - .../caller/psa_ipc/crypto_caller_cipher.h | 246 +++++++++++++++ - .../caller/psa_ipc/crypto_caller_copy_key.h | 57 ++++ - .../psa_ipc/crypto_caller_destroy_key.h | 51 +++ - .../caller/psa_ipc/crypto_caller_export_key.h | 59 ++++ - .../psa_ipc/crypto_caller_export_public_key.h | 59 ++++ - .../psa_ipc/crypto_caller_generate_key.h | 55 ++++ - .../psa_ipc/crypto_caller_generate_random.h | 57 ++++ - .../crypto_caller_get_key_attributes.h | 56 ++++ - .../caller/psa_ipc/crypto_caller_hash.h | 220 +++++++++++++ - .../caller/psa_ipc/crypto_caller_import_key.h | 57 ++++ - .../psa_ipc/crypto_caller_key_attributes.h | 51 +++ - .../psa_ipc/crypto_caller_key_derivation.h | 298 ++++++++++++++++++ - .../client/caller/psa_ipc/crypto_caller_mac.h | 207 ++++++++++++ - .../caller/psa_ipc/crypto_caller_purge_key.h | 51 +++ - .../caller/psa_ipc/crypto_caller_sign_hash.h | 64 ++++ - .../psa_ipc/crypto_caller_verify_hash.h | 59 ++++ - .../crypto/include/psa/crypto_client_struct.h | 8 +- - .../service/crypto/include/psa/crypto_sizes.h | 2 +- - .../se-proxy/common/service_proxy_factory.c | 15 +- - .../providers/arm/corstone1000/platform.cmake | 2 + - 28 files changed, 2292 insertions(+), 10 deletions(-) - create mode 100644 components/service/crypto/backend/psa_ipc/component.cmake - create mode 100644 components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c - create mode 100644 components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h - -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 4a951d4a3502..7a29cc253bad 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -37,6 +37,79 @@ extern "C" { - #define TFM_CRYPTO_VERSION (1U) - #define TFM_CRYPTO_HANDLE (0x40000100U) - -+/** -+ * \brief Define a progressive numerical value for each SID which can be used -+ * when dispatching the requests to the service -+ */ -+enum { -+ TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID = (0u), -+ TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID, -+ TFM_CRYPTO_OPEN_KEY_SID, -+ TFM_CRYPTO_CLOSE_KEY_SID, -+ TFM_CRYPTO_IMPORT_KEY_SID, -+ TFM_CRYPTO_DESTROY_KEY_SID, -+ TFM_CRYPTO_EXPORT_KEY_SID, -+ TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -+ TFM_CRYPTO_PURGE_KEY_SID, -+ TFM_CRYPTO_COPY_KEY_SID, -+ TFM_CRYPTO_HASH_COMPUTE_SID, -+ TFM_CRYPTO_HASH_COMPARE_SID, -+ TFM_CRYPTO_HASH_SETUP_SID, -+ TFM_CRYPTO_HASH_UPDATE_SID, -+ TFM_CRYPTO_HASH_FINISH_SID, -+ TFM_CRYPTO_HASH_VERIFY_SID, -+ TFM_CRYPTO_HASH_ABORT_SID, -+ TFM_CRYPTO_HASH_CLONE_SID, -+ TFM_CRYPTO_MAC_COMPUTE_SID, -+ TFM_CRYPTO_MAC_VERIFY_SID, -+ TFM_CRYPTO_MAC_SIGN_SETUP_SID, -+ TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -+ TFM_CRYPTO_MAC_UPDATE_SID, -+ TFM_CRYPTO_MAC_SIGN_FINISH_SID, -+ TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -+ TFM_CRYPTO_MAC_ABORT_SID, -+ TFM_CRYPTO_CIPHER_ENCRYPT_SID, -+ TFM_CRYPTO_CIPHER_DECRYPT_SID, -+ TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -+ TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -+ TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -+ TFM_CRYPTO_CIPHER_SET_IV_SID, -+ TFM_CRYPTO_CIPHER_UPDATE_SID, -+ TFM_CRYPTO_CIPHER_FINISH_SID, -+ TFM_CRYPTO_CIPHER_ABORT_SID, -+ TFM_CRYPTO_AEAD_ENCRYPT_SID, -+ TFM_CRYPTO_AEAD_DECRYPT_SID, -+ TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -+ TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -+ TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -+ TFM_CRYPTO_AEAD_SET_NONCE_SID, -+ TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -+ TFM_CRYPTO_AEAD_UPDATE_AD_SID, -+ TFM_CRYPTO_AEAD_UPDATE_SID, -+ TFM_CRYPTO_AEAD_FINISH_SID, -+ TFM_CRYPTO_AEAD_VERIFY_SID, -+ TFM_CRYPTO_AEAD_ABORT_SID, -+ TFM_CRYPTO_SIGN_MESSAGE_SID, -+ TFM_CRYPTO_VERIFY_MESSAGE_SID, -+ TFM_CRYPTO_SIGN_HASH_SID, -+ TFM_CRYPTO_VERIFY_HASH_SID, -+ TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -+ TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -+ TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -+ TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -+ TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -+ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -+ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -+ TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -+ TFM_CRYPTO_GENERATE_RANDOM_SID, -+ TFM_CRYPTO_GENERATE_KEY_SID, -+ TFM_CRYPTO_SID_MAX, -+}; -+ - /******** TFM_SP_PLATFORM ********/ - #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) - #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -diff --git a/components/service/crypto/backend/psa_ipc/component.cmake b/components/service/crypto/backend/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..93c297a83ac6 ---- /dev/null -+++ b/components/service/crypto/backend/psa_ipc/component.cmake -@@ -0,0 +1,21 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/crypto_ipc_backend.c" -+ ) -+ -+# The ipc crypto backend uses the psa crypto client to realize the -+# psa crypto API that the crypto provider depends on. This define -+# configures the psa crypto client to be built with the ipc crypto -+# caller. -+target_compile_definitions(${TGT} PRIVATE -+ PSA_CRYPTO_CLIENT_CALLER_SELECTION_H="service/crypto/client/caller/psa_ipc/crypto_caller.h" -+) -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c -new file mode 100644 -index 000000000000..e47cd4ffb4ce ---- /dev/null -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c -@@ -0,0 +1,26 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <stddef.h> -+#include <psa/crypto.h> -+#include <service/crypto/client/psa/psa_crypto_client.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include "crypto_ipc_backend.h" -+ -+psa_status_t crypto_ipc_backend_init(struct rpc_caller *caller) -+{ -+ psa_status_t status = psa_crypto_client_init(caller); -+ -+ if (status == PSA_SUCCESS) -+ status = psa_crypto_init(); -+ -+ return status; -+} -+ -+void crypto_ipc_backend_deinit(void) -+{ -+ psa_crypto_client_deinit(); -+} -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -new file mode 100644 -index 000000000000..c13c20e84131 ---- /dev/null -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -0,0 +1,70 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CRYPTO_IPC_BACKEND_H -+#define CRYPTO_IPC_BACKEND_H -+ -+#include <service/crypto/client/psa/psa_crypto_client.h> -+#include <psa/error.h> -+#include <rpc_caller.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * \brief This type is used to overcome a limitation in the number of maximum -+ * IOVECs that can be used especially in psa_aead_encrypt and -+ * psa_aead_decrypt. To be removed in case the AEAD APIs number of -+ * parameters passed gets restructured -+ */ -+#define TFM_CRYPTO_MAX_NONCE_LENGTH (16u) -+struct psa_ipc_crypto_aead_pack_input { -+ uint8_t nonce[TFM_CRYPTO_MAX_NONCE_LENGTH]; -+ uint32_t nonce_length; -+}; -+ -+struct psa_ipc_crypto_pack_iovec { -+ uint32_t sfn_id; /*!< Secure function ID used to dispatch the -+ * request -+ */ -+ uint16_t step; /*!< Key derivation step */ -+ psa_key_id_t key_id; /*!< Key id */ -+ psa_algorithm_t alg; /*!< Algorithm */ -+ uint32_t op_handle; /*!< Frontend context handle associated to a -+ * multipart operation -+ */ -+ uint32_t capacity; /*!< Key derivation capacity */ -+ -+ struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for -+ * AEAD until the API is -+ * restructured -+ */ -+}; -+ -+#define iov_size sizeof(struct psa_ipc_crypto_pack_iovec) -+ -+/** -+ * \brief Initialize the psa ipc crypto backend -+ * -+ * Initializes a crypto backend that uses the psa API client with a -+ * psa_ipc_backend caller to realize the PSA crypto API used by the crypto -+ * service proviser. -+ * -+ * \return PSA_SUCCESS if backend initialized successfully -+ */ -+psa_status_t crypto_ipc_backend_init(struct rpc_caller *caller); -+ -+/** -+ * \brief Clean-up to free any resource used by the crypto backend -+ */ -+void crypto_ipc_backend_deinit(void); -+ -+#ifdef __cplusplus -+} /* extern "C" */ -+#endif -+ -+#endif /* CRYPTO_IPC_BACKEND_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h -new file mode 100644 -index 000000000000..0a972187062f ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h -@@ -0,0 +1,34 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_H -+#define PSA_IPC_CRYPTO_CALLER_H -+ -+/** -+ * Includes all header files that form the psa ipc crypto caller -+ * interface. May be used by a client that needs to call operations -+ * provided by a crypto service instance using the psa ipc interface. -+ */ -+#include "crypto_caller_aead.h" -+#include "crypto_caller_asymmetric_decrypt.h" -+#include "crypto_caller_asymmetric_encrypt.h" -+#include "crypto_caller_cipher.h" -+#include "crypto_caller_copy_key.h" -+#include "crypto_caller_destroy_key.h" -+#include "crypto_caller_export_key.h" -+#include "crypto_caller_export_public_key.h" -+#include "crypto_caller_generate_key.h" -+#include "crypto_caller_generate_random.h" -+#include "crypto_caller_get_key_attributes.h" -+#include "crypto_caller_hash.h" -+#include "crypto_caller_import_key.h" -+#include "crypto_caller_key_derivation.h" -+#include "crypto_caller_mac.h" -+#include "crypto_caller_purge_key.h" -+#include "crypto_caller_sign_hash.h" -+#include "crypto_caller_verify_hash.h" -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -new file mode 100644 -index 000000000000..78517fe32ca9 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -0,0 +1,252 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_AEAD_H -+#define PSA_IPC_CRYPTO_CALLER_AEAD_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_aead_encrypt( -+ struct service_client *context, -+ psa_key_id_t key, -+ psa_algorithm_t alg, -+ const uint8_t *nonce, -+ size_t nonce_length, -+ const uint8_t *additional_data, -+ size_t additional_data_length, -+ const uint8_t *plaintext, -+ size_t plaintext_length, -+ uint8_t *aeadtext, -+ size_t aeadtext_size, -+ size_t *aeadtext_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ int i; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID, -+ .key_id = key, -+ .alg = alg, -+ .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -+ }; -+ -+ if (!additional_data && additional_data_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(plaintext), -+ .len = plaintext_length }, -+ { .base = psa_ptr_const_to_u32(additional_data), -+ .len = additional_data_length}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(aeadtext), .len = aeadtext_size }, -+ }; -+ -+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ if (nonce) { -+ for (i = 0; i < nonce_length; i++) -+ iov.aead_in.nonce[i] = nonce[i]; -+ } -+ -+ in_len = IOVEC_LEN(in_vec); -+ -+ if (!additional_data) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *aeadtext_length = out_vec[0].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_aead_decrypt( -+ struct service_client *context, -+ psa_key_id_t key, -+ psa_algorithm_t alg, -+ const uint8_t *nonce, -+ size_t nonce_length, -+ const uint8_t *additional_data, -+ size_t additional_data_length, -+ const uint8_t *aeadtext, -+ size_t aeadtext_length, -+ uint8_t *plaintext, -+ size_t plaintext_size, -+ size_t *plaintext_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ int i; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID, -+ .key_id = key, -+ .alg = alg, -+ .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -+ }; -+ -+ if (!additional_data && additional_data_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(aeadtext), -+ .len = aeadtext_length }, -+ { .base = psa_ptr_const_to_u32(additional_data), -+ .len = additional_data_length}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(plaintext), .len = plaintext_size }, -+ }; -+ -+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ if (nonce) { -+ for (i = 0; i < nonce_length; i++) -+ iov.aead_in.nonce[i] = nonce[i]; -+ } -+ -+ in_len = IOVEC_LEN(in_vec); -+ -+ if (!additional_data) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *plaintext_length = out_vec[0].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_aead_encrypt_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_decrypt_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_generate_nonce( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *nonce, -+ size_t nonce_size, -+ size_t *nonce_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_set_nonce( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *nonce, -+ size_t nonce_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_set_lengths( -+ struct service_client *context, -+ uint32_t op_handle, -+ size_t ad_length, -+ size_t plaintext_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_update_ad( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_update( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *aeadtext, -+ size_t aeadtext_size, -+ size_t *aeadtext_length, -+ uint8_t *tag, -+ size_t tag_size, -+ size_t *tag_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_verify( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *plaintext, -+ size_t plaintext_size, -+ size_t *plaintext_length, -+ const uint8_t *tag, -+ size_t tag_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_AEAD_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -new file mode 100644 -index 000000000000..ff01815c09e9 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -@@ -0,0 +1,76 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H -+#define PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_asymmetric_decrypt( -+ struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *input, size_t input_length, -+ const uint8_t *salt, size_t salt_length, -+ uint8_t *output, size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ -+ /* Sanitize optional input */ -+ if (!salt && salt_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ { .base = psa_ptr_const_to_u32(salt), .len = salt_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ -+ in_len = IOVEC_LEN(in_vec); -+ if (!salt) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -new file mode 100644 -index 000000000000..1daf1689c076 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -@@ -0,0 +1,76 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H -+#define PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_asymmetric_encrypt( -+ struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *input, size_t input_length, -+ const uint8_t *salt, size_t salt_length, -+ uint8_t *output, size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ -+ /* Sanitize optional input */ -+ if (!salt && salt_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ { .base = psa_ptr_const_to_u32(salt), .len = salt_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ -+ in_len = IOVEC_LEN(in_vec); -+ if (!salt) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -new file mode 100644 -index 000000000000..fbefb28d813a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -@@ -0,0 +1,246 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_CIPHER_H -+#define PSA_IPC_CRYPTO_CALLER_CIPHER_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_cipher_encrypt_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_decrypt_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_generate_iv( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *iv, -+ size_t iv_size, -+ size_t *iv_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(iv), .len = iv_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *iv_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_set_iv( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *iv, -+ size_t iv_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_SET_IV_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(iv), .len = iv_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_update( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline size_t crypto_caller_cipher_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the cipher_update operation -+ * using the ipc encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ /* Allow for output to be a whole number of blocks */ -+ overhead += PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_CIPHER_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -new file mode 100644 -index 000000000000..9a988171b098 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_COPY_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_COPY_KEY_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_copy_key(struct service_client *context, -+ psa_key_id_t source_key, -+ const psa_key_attributes_t *attributes, -+ psa_key_id_t *target_key) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_COPY_KEY_SID, -+ .key_id = source_key, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(target_key), .len = sizeof(psa_key_id_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_COPY_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -new file mode 100644 -index 000000000000..d00f4faa7a52 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_destroy_key(struct service_client *context, -+ psa_key_id_t id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_DESTROY_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -new file mode 100644 -index 000000000000..8ac5477f7b9a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -@@ -0,0 +1,59 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_export_key(struct service_client *context, -+ psa_key_id_t id, -+ uint8_t *data, -+ size_t data_size, -+ size_t *data_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_EXPORT_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(data), .len = data_size } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *data_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -new file mode 100644 -index 000000000000..b24c47f1257e ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -@@ -0,0 +1,59 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_export_public_key(struct service_client *context, -+ psa_key_id_t id, -+ uint8_t *data, -+ size_t data_size, -+ size_t *data_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(data), .len = data_size } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *data_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -new file mode 100644 -index 000000000000..1b66ed4020de ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -@@ -0,0 +1,55 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_generate_key(struct service_client *context, -+ const psa_key_attributes_t *attributes, -+ psa_key_id_t *id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_GENERATE_KEY_SID, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(id), .len = sizeof(psa_key_id_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -new file mode 100644 -index 000000000000..7c538237805a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H -+#define PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_generate_random(struct service_client *context, -+ uint8_t *output, -+ size_t output_size) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_GENERATE_RANDOM_SID, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size } -+ }; -+ -+ if (!output_size) -+ return PSA_SUCCESS; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -new file mode 100644 -index 000000000000..22f1d18f1476 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -@@ -0,0 +1,56 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H -+#define PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_get_key_attributes( -+ struct service_client *context, -+ psa_key_id_t key, -+ psa_key_attributes_t *attributes) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, -+ .key_id = key, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(attributes), .len = sizeof(psa_key_attributes_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -new file mode 100644 -index 000000000000..9f37908a2f25 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -@@ -0,0 +1,220 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_HASH_H -+#define PSA_IPC_CRYPTO_CALLER_HASH_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_hash_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_SETUP_SID, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_update( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *hash, -+ size_t hash_size, -+ size_t *hash_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(hash), .len = hash_size}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *hash_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_verify( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *hash, -+ size_t hash_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_VERIFY_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_clone( -+ struct service_client *context, -+ uint32_t source_op_handle, -+ uint32_t *target_op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_CLONE_SID, -+ .op_handle = source_op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(target_op_handle), -+ .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_suspend(struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *hash_state, -+ size_t hash_state_size, -+ size_t *hash_state_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_hash_resume(struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *hash_state, -+ size_t hash_state_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline size_t crypto_caller_hash_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the hash_update operation -+ * using the packed-c encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_HASH_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -new file mode 100644 -index 000000000000..d47033662790 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_IMPORT_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_IMPORT_KEY_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_import_key(struct service_client *context, -+ const psa_key_attributes_t *attributes, -+ const uint8_t *data, size_t data_length, -+ psa_key_id_t *id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_IMPORT_KEY_SID, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, -+ { .base = psa_ptr_const_to_u32(data), .len = data_length } -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(id), .len = sizeof(psa_key_id_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PACKEDC_CRYPTO_CALLER_IMPORT_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h -new file mode 100644 -index 000000000000..2fad2f0a64e6 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H -+#define PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H -+ -+#include <psa/crypto.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline void packedc_crypto_caller_translate_key_attributes_to_proto( -+ struct ts_crypto_key_attributes *proto_attributes, -+ const psa_key_attributes_t *psa_attributes) -+{ -+ proto_attributes->type = psa_get_key_type(psa_attributes); -+ proto_attributes->key_bits = psa_get_key_bits(psa_attributes); -+ proto_attributes->lifetime = psa_get_key_lifetime(psa_attributes); -+ proto_attributes->id = psa_get_key_id(psa_attributes); -+ -+ proto_attributes->policy.usage = psa_get_key_usage_flags(psa_attributes); -+ proto_attributes->policy.alg = psa_get_key_algorithm(psa_attributes); -+ } -+ -+static inline void packedc_crypto_caller_translate_key_attributes_from_proto( -+ psa_key_attributes_t *psa_attributes, -+ const struct ts_crypto_key_attributes *proto_attributes) -+{ -+ psa_set_key_type(psa_attributes, proto_attributes->type); -+ psa_set_key_bits(psa_attributes, proto_attributes->key_bits); -+ psa_set_key_lifetime(psa_attributes, proto_attributes->lifetime); -+ -+ if (proto_attributes->lifetime == PSA_KEY_LIFETIME_PERSISTENT) { -+ -+ psa_set_key_id(psa_attributes, proto_attributes->id); -+ } -+ -+ psa_set_key_usage_flags(psa_attributes, proto_attributes->policy.usage); -+ psa_set_key_algorithm(psa_attributes, proto_attributes->policy.alg); -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -new file mode 100644 -index 000000000000..5ce4fb6cca82 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -@@ -0,0 +1,298 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H -+#define PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_key_derivation_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_get_capacity( -+ struct service_client *context, -+ const uint32_t op_handle, -+ size_t *capacity) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(capacity), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_set_capacity( -+ struct service_client *context, -+ uint32_t op_handle, -+ size_t capacity) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -+ .capacity = capacity, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_input_bytes( -+ struct service_client *context, -+ uint32_t op_handle, -+ psa_key_derivation_step_t step, -+ const uint8_t *data, -+ size_t data_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -+ .step = step, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(data), .len = data_length }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_input_key( -+ struct service_client *context, -+ uint32_t op_handle, -+ psa_key_derivation_step_t step, -+ psa_key_id_t key) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -+ .key_id = key, -+ .step = step, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_output_bytes( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *output, -+ size_t output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_length }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_output_key( -+ struct service_client *context, -+ const psa_key_attributes_t *attributes, -+ uint32_t op_handle, -+ psa_key_id_t *key) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(attributes), -+ .len = sizeof(psa_key_attributes_t) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(key), .len = sizeof(psa_key_id_t)}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_key_agreement( -+ struct service_client *context, -+ uint32_t op_handle, -+ psa_key_derivation_step_t step, -+ psa_key_id_t private_key, -+ const uint8_t *peer_key, -+ size_t peer_key_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -+ .key_id = private_key, -+ .step = step, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(peer_key), -+ .len = peer_key_length}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_raw_key_agreement( -+ struct service_client *context, -+ psa_algorithm_t alg, -+ psa_key_id_t private_key, -+ const uint8_t *peer_key, -+ size_t peer_key_length, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -+ .alg = alg, -+ .key_id = private_key, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(peer_key), -+ .len = peer_key_length}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -new file mode 100644 -index 000000000000..3a820192495a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -@@ -0,0 +1,207 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_MAC_H -+#define PSA_IPC_CRYPTO_CALLER_MAC_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_mac_sign_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_verify_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_update( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_sign_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *mac, -+ size_t mac_size, -+ size_t *mac_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_SIGN_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(mac), .len = mac_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *mac_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_verify_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *mac, -+ size_t mac_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(mac), .len = mac_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline size_t crypto_caller_mac_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the mac_update operation -+ * using the packed-c encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_MAC_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -new file mode 100644 -index 000000000000..a3a796e2166c ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PACKEDC_CRYPTO_CALLER_PURGE_KEY_H -+#define PACKEDC_CRYPTO_CALLER_PURGE_KEY_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_purge_key(struct service_client *context, -+ psa_key_id_t id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_PURGE_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PACKEDC_CRYPTO_CALLER_PURGE_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -new file mode 100644 -index 000000000000..71d88cededf5 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -0,0 +1,64 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H -+#define PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_sign_hash(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ uint8_t *signature, -+ size_t signature_size, -+ size_t *signature_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_SIGN_HASH_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(signature), .len = signature_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *signature_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -new file mode 100644 -index 000000000000..e16f6e5450af ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -0,0 +1,59 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H -+#define PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H -+ -+#include <string.h> -+#include <stdlib.h> -+#include <psa/crypto.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> -+#include <protocols/rpc/common/packed-c/status.h> -+#include <protocols/service/crypto/packed-c/opcodes.h> -+#include <protocols/service/crypto/packed-c/key_attributes.h> -+#include <protocols/service/crypto/packed-c/import_key.h> -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ const uint8_t *signature, -+ size_t signature_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, -+ { .base = psa_ptr_const_to_u32(signature), .len = signature_length}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H */ -diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h -index abd420c82607..bf95c9821e55 100644 ---- a/components/service/crypto/include/psa/crypto_client_struct.h -+++ b/components/service/crypto/include/psa/crypto_client_struct.h -@@ -31,12 +31,12 @@ extern "C" { - * data structure internally. */ - struct psa_client_key_attributes_s - { -+ uint16_t type; -+ uint16_t bits; - uint32_t lifetime; -- uint32_t id; -- uint32_t alg; -+ psa_key_id_t id; - uint32_t usage; -- size_t bits; -- uint16_t type; -+ uint32_t alg; - }; - - #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} -diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 7a0149bbca62..4d7bf6e959b0 100644 ---- a/components/service/crypto/include/psa/crypto_sizes.h -+++ b/components/service/crypto/include/psa/crypto_sizes.h -@@ -81,7 +81,7 @@ - #define PSA_HASH_MAX_SIZE 64 - #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128 - #else --#define PSA_HASH_MAX_SIZE 32 -+#define PSA_HASH_MAX_SIZE 64 - #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64 - #endif - -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 1110ac46bf8b..7edeef8b434a 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -15,7 +15,7 @@ - #include <trace.h> - - /* Stub backends */ --#include <service/crypto/backend/stub/stub_crypto_backend.h> -+#include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h> - #include <service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h> - #include <service/secure_storage/backend/mock_store/mock_store.h> - -@@ -47,12 +47,17 @@ struct rpc_interface *crypto_proxy_create(void) - { - struct rpc_interface *crypto_iface = NULL; - struct crypto_provider *crypto_provider; -+ struct rpc_caller *crypto_caller; - -- if (stub_crypto_backend_init() == PSA_SUCCESS) { -+ crypto_caller = openamp_caller_init(&openamp); -+ if (!crypto_caller) -+ return NULL; -+ -+ if (crypto_ipc_backend_init(&openamp.rpc_caller) != PSA_SUCCESS) -+ return NULL; - -- crypto_provider = crypto_provider_factory_create(); -- crypto_iface = service_provider_get_rpc_interface(&crypto_provider->base_provider); -- } -+ crypto_provider = crypto_provider_factory_create(); -+ crypto_iface = service_provider_get_rpc_interface(&crypto_provider->base_provider); - - return crypto_iface; - } -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index bb778bb9719b..51e5faa3e4d8 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -8,3 +8,5 @@ - - # include MHU driver - include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) -+ -+add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Configure-storage-size.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Configure-storage-size.patch deleted file mode 100644 index 22b1da6906..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Configure-storage-size.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 229ec29154a4404426ad3083af68ca111a214e13 Mon Sep 17 00:00:00 2001 -From: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com> -Date: Thu, 16 Dec 2021 21:31:40 +0000 -Subject: [PATCH 14/20] Configure storage size - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../service/smm_variable/backend/uefi_variable_store.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/components/service/smm_variable/backend/uefi_variable_store.c b/components/service/smm_variable/backend/uefi_variable_store.c -index 611e2e225c6b..6c3b9ed81c25 100644 ---- a/components/service/smm_variable/backend/uefi_variable_store.c -+++ b/components/service/smm_variable/backend/uefi_variable_store.c -@@ -88,6 +88,7 @@ static efi_status_t check_name_terminator( - * may be overridden using uefi_variable_store_set_storage_limits() - */ - #define DEFAULT_MAX_VARIABLE_SIZE (2048) -+#define CONFIGURE_STORAGE_SIZE (50) - - efi_status_t uefi_variable_store_init( - struct uefi_variable_store *context, -@@ -101,13 +102,13 @@ efi_status_t uefi_variable_store_init( - /* Initialise persistent store defaults */ - context->persistent_store.is_nv = true; - context->persistent_store.max_variable_size = DEFAULT_MAX_VARIABLE_SIZE; -- context->persistent_store.total_capacity = DEFAULT_MAX_VARIABLE_SIZE * max_variables; -+ context->persistent_store.total_capacity = CONFIGURE_STORAGE_SIZE * max_variables; - context->persistent_store.storage_backend = persistent_store; - - /* Initialise volatile store defaults */ - context->volatile_store.is_nv = false; - context->volatile_store.max_variable_size = DEFAULT_MAX_VARIABLE_SIZE; -- context->volatile_store.total_capacity = DEFAULT_MAX_VARIABLE_SIZE * max_variables; -+ context->volatile_store.total_capacity = CONFIGURE_STORAGE_SIZE * max_variables; - context->volatile_store.storage_backend = volatile_store; - - context->owner_id = owner_id; --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch deleted file mode 100644 index 426f2ca5c4..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch +++ /dev/null @@ -1,31 +0,0 @@ -From cf83184500703f9b4f2ac04be59cc7d624d8fd66 Mon Sep 17 00:00:00 2001 -From: Satish Kumar <satish.kumar01@arm.com> -Date: Sun, 13 Feb 2022 09:01:10 +0000 -Subject: [PATCH 15/20] Fix: Crypto interface structure aligned with tf-m - change. - -NO NEED TO RAISE PR: The PR for this FIX is raied by Emek. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -index c13c20e84131..ec25eaf868c7 100644 ---- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -38,7 +38,8 @@ struct psa_ipc_crypto_pack_iovec { - * multipart operation - */ - uint32_t capacity; /*!< Key derivation capacity */ -- -+ uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ -+ uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ - struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for - * AEAD until the API is - * restructured --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Integrate-remaining-psa-ipc-client-APIs.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Integrate-remaining-psa-ipc-client-APIs.patch deleted file mode 100644 index a59d140023..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Integrate-remaining-psa-ipc-client-APIs.patch +++ /dev/null @@ -1,494 +0,0 @@ -From 551d8722769fa2f2d2ac74adcb289333a9b03598 Mon Sep 17 00:00:00 2001 -From: Satish Kumar <satish.kumar01@arm.com> -Date: Sun, 13 Feb 2022 09:49:51 +0000 -Subject: [PATCH 16/20] Integrate remaining psa-ipc client APIs. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar <satish.kumar01@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../caller/psa_ipc/crypto_caller_aead.h | 297 +++++++++++++++++- - .../caller/psa_ipc/crypto_caller_sign_hash.h | 35 +++ - .../psa_ipc/crypto_caller_verify_hash.h | 33 +- - 3 files changed, 352 insertions(+), 13 deletions(-) - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -index 78517fe32ca9..f6aadd8b9098 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -152,7 +152,27 @@ static inline psa_status_t crypto_caller_aead_encrypt_setup( - psa_key_id_t key, - psa_algorithm_t alg) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = (*op_handle), -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; - } - - static inline psa_status_t crypto_caller_aead_decrypt_setup( -@@ -161,7 +181,26 @@ static inline psa_status_t crypto_caller_aead_decrypt_setup( - psa_key_id_t key, - psa_algorithm_t alg) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = (*op_handle), -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ return status; - } - - static inline psa_status_t crypto_caller_aead_generate_nonce( -@@ -171,7 +210,27 @@ static inline psa_status_t crypto_caller_aead_generate_nonce( - size_t nonce_size, - size_t *nonce_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_to_u32(nonce), .len = nonce_size} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *nonce_length = out_vec[1].len; -+ return status; - } - - static inline psa_status_t crypto_caller_aead_set_nonce( -@@ -180,7 +239,25 @@ static inline psa_status_t crypto_caller_aead_set_nonce( - const uint8_t *nonce, - size_t nonce_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_SET_NONCE_SID, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_to_u32(nonce), .len = nonce_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ return status; - } - - static inline psa_status_t crypto_caller_aead_set_lengths( -@@ -189,7 +266,27 @@ static inline psa_status_t crypto_caller_aead_set_lengths( - size_t ad_length, - size_t plaintext_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -+ .ad_length = ad_length, -+ .plaintext_length = plaintext_length, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; - } - - static inline psa_status_t crypto_caller_aead_update_ad( -@@ -198,7 +295,35 @@ static inline psa_status_t crypto_caller_aead_update_ad( - const uint8_t *input, - size_t input_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional input */ -+ if ((input == NULL) && (input_length != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_const_to_u32(input), .len = input_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ size_t in_len = IOVEC_LEN(in_vec); -+ -+ if (input == NULL) { -+ in_len--; -+ } -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ return status; - } - - static inline psa_status_t crypto_caller_aead_update( -@@ -210,7 +335,38 @@ static inline psa_status_t crypto_caller_aead_update( - size_t output_size, - size_t *output_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional input */ -+ if ((input == NULL) && (input_length != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_const_to_u32(input), .len = input_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_const_to_u32(output), .len = output_size}, -+ }; -+ -+ size_t in_len = IOVEC_LEN(in_vec); -+ -+ if (input == NULL) { -+ in_len--; -+ } -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[1].len; -+ return status; - } - - static inline psa_status_t crypto_caller_aead_finish( -@@ -223,7 +379,48 @@ static inline psa_status_t crypto_caller_aead_finish( - size_t tag_size, - size_t *tag_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional output */ -+ if ((aeadtext == NULL) && (aeadtext_size != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_const_to_u32(tag), .len = tag_size}, -+ {.base = psa_ptr_const_to_u32(aeadtext), .len = aeadtext_size} -+ }; -+ -+ size_t out_len = IOVEC_LEN(out_vec); -+ -+ if (aeadtext == NULL || aeadtext_size == 0) { -+ out_len--; -+ } -+ if ((out_len == 3) && (aeadtext_length == NULL)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, out_len); -+ -+ *tag_length = out_vec[1].len; -+ -+ if (out_len == 3) { -+ *aeadtext_length = out_vec[2].len; -+ } else { -+ *aeadtext_length = 0; -+ } -+ return status; - } - - static inline psa_status_t crypto_caller_aead_verify( -@@ -235,14 +432,94 @@ static inline psa_status_t crypto_caller_aead_verify( - const uint8_t *tag, - size_t tag_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_VERIFY_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional output */ -+ if ((plaintext == NULL) && (plaintext_size != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_const_to_u32(tag), .len = tag_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_const_to_u32(plaintext), .len = plaintext_size}, -+ }; -+ -+ size_t out_len = IOVEC_LEN(out_vec); -+ -+ if (plaintext == NULL || plaintext_size == 0) { -+ out_len--; -+ } -+ if ((out_len == 2) && (plaintext_length == NULL)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, out_len); -+ -+ if (out_len == 2) { -+ *plaintext_length = out_vec[1].len; -+ } else { -+ *plaintext_length = 0; -+ } -+ return status; - } - - static inline psa_status_t crypto_caller_aead_abort( - struct service_client *context, - uint32_t op_handle) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ return status; -+} -+ -+static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the mac_update operation -+ * using the packed-c encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; -+} -+ -+static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the mac_update operation -+ * using the packed-c encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; - } - - #ifdef __cplusplus -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -index 71d88cededf5..e4a2b167defb 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -57,6 +57,41 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex - return status; - } - -+static inline psa_status_t crypto_caller_sign_message(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ uint8_t *signature, -+ size_t signature_size, -+ size_t *signature_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_SIGN_MESSAGE_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(signature), .len = signature_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *signature_length = out_vec[0].len; -+ -+ return status; -+} -+ -+ -+ - #ifdef __cplusplus - } - #endif -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -index e16f6e5450af..cc9279ee79f2 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -24,19 +24,20 @@ - extern "C" { - #endif - --static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, -+static inline psa_status_t crypto_caller_common(struct service_client *context, - psa_key_id_t id, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - const uint8_t *signature, -- size_t signature_length) -+ size_t signature_length, -+ uint32_t sfn_id) - { - struct service_client *ipc = context; - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID, -+ .sfn_id = sfn_id, - .key_id = id, - .alg = alg, - }; -@@ -52,6 +53,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont - return status; - } - -+static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ const uint8_t *signature, -+ size_t signature_length) -+{ -+ -+ return crypto_caller_common(context,id,alg,hash,hash_length, -+ signature,signature_length, TFM_CRYPTO_VERIFY_HASH_SID); -+} -+ -+static inline psa_status_t crypto_caller_verify_message(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ const uint8_t *signature, -+ size_t signature_length) -+{ -+ -+ return crypto_caller_common(context,id,alg,hash,hash_length, -+ signature,signature_length, TFM_CRYPTO_VERIFY_MESSAGE_SID); -+} -+ - #ifdef __cplusplus - } - #endif --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch deleted file mode 100644 index 4adcd90a5f..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 5a5e162e17c9decb04b3b2905a0fb604e8f06e91 Mon Sep 17 00:00:00 2001 -From: Satish Kumar <satish.kumar01@arm.com> -Date: Mon, 14 Feb 2022 17:52:00 +0000 -Subject: [PATCH 17/20] Fix : update psa_set_key_usage_flags definition to the - latest from the tf-m - -Upstream-Status: Pending -Signed-off-by: Satish Kumar <satish.kumar01@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - components/service/crypto/include/psa/crypto_struct.h | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/components/service/crypto/include/psa/crypto_struct.h b/components/service/crypto/include/psa/crypto_struct.h -index 1bc55e375eea..b4a7ed4b39d3 100644 ---- a/components/service/crypto/include/psa/crypto_struct.h -+++ b/components/service/crypto/include/psa/crypto_struct.h -@@ -155,9 +155,19 @@ static inline psa_key_lifetime_t psa_get_key_lifetime( - return( attributes->lifetime ); - } - -+static inline void psa_extend_key_usage_flags( psa_key_usage_t *usage_flags ) -+{ -+ if( *usage_flags & PSA_KEY_USAGE_SIGN_HASH ) -+ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE; -+ -+ if( *usage_flags & PSA_KEY_USAGE_VERIFY_HASH ) -+ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE; -+} -+ - static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes, - psa_key_usage_t usage_flags) - { -+ psa_extend_key_usage_flags( &usage_flags ); - attributes->usage = usage_flags; - } - --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-plat-corstone1000-change-default-smm-values.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-plat-corstone1000-change-default-smm-values.patch deleted file mode 100644 index 02c89d895e..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-plat-corstone1000-change-default-smm-values.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c519bae79629bfe551d79cfeb4e7d8a059545145 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva <rui.silva@linaro.org> -Date: Tue, 11 Oct 2022 10:46:10 +0100 -Subject: [PATCH 19/20] plat: corstone1000: change default smm values - -Smm gateway uses SE proxy to route the calls for any NV -storage so set the NV_STORE_SN. -Change the storage index uid because TF-M in the secure -enclave reserves the default value (0x1) to some internal -operation. -Increase the maximum number of uefi variables to cope with all -the needs for testing and certification - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - platform/providers/arm/corstone1000/platform.cmake | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 51e5faa3e4d8..04b629a81906 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -10,3 +10,9 @@ - include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) - - add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) -+ -+target_compile_definitions(${TGT} PRIVATE -+ SMM_GATEWAY_NV_STORE_SN="sn:ffa:46bb39d1-b4d9-45b5-88ff-040027dab249:1" -+ SMM_VARIABLE_INDEX_STORAGE_UID=0x787 -+ SMM_GATEWAY_MAX_UEFI_VARIABLES=100 -+) --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-smm_gateway-add-checks-for-null-attributes.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-smm_gateway-add-checks-for-null-attributes.patch deleted file mode 100644 index 87c053fcc6..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-smm_gateway-add-checks-for-null-attributes.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 6d3cac6f3a6e977e9330c9c06514a372ade170a2 Mon Sep 17 00:00:00 2001 -From: Emekcan <emekcan.aras@arm.com> -Date: Wed, 2 Nov 2022 09:58:27 +0000 -Subject: [PATCH] smm_gateway: add checks for null attributes - -As par EDK-2 and EDK-2 test code, setVariable() with 0 -attributes means a delete variable request. Currently, -smm gatway doesn't handle this scenario. This commit adds -that support. - -Upstream-Status: Pending -Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> ---- - components/service/smm_variable/backend/uefi_variable_store.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/components/service/smm_variable/backend/uefi_variable_store.c b/components/service/smm_variable/backend/uefi_variable_store.c -index 6c3b9ed8..a691dc5d 100644 ---- a/components/service/smm_variable/backend/uefi_variable_store.c -+++ b/components/service/smm_variable/backend/uefi_variable_store.c -@@ -202,9 +202,9 @@ efi_status_t uefi_variable_store_set_variable( - if (info->is_variable_set) { - - /* It's a request to update to an existing variable */ -- if (!(var->Attributes & -+ if (!(var->Attributes) || (!(var->Attributes & - (EFI_VARIABLE_APPEND_WRITE | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS_MASK)) && -- !var->DataSize) { -+ !var->DataSize)) { - - /* It's a remove operation - for a remove, the variable - * data must be removed from the storage backend before --- -2.17.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch deleted file mode 100644 index 7e65de8698..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch +++ /dev/null @@ -1,413 +0,0 @@ -From ca7d37502f9453125aead14c7ee5181336cbe8f4 Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Date: Thu, 9 Feb 2023 00:22:40 +0000 -Subject: [PATCH 1/3] TF-Mv1.7 alignment: Align PSA Crypto SIDs - -This patch is to change the PSA Crypto SIDs to match the values of the -PSA Crypto SID definitions in TF-M v1.7 running on the secure enclave - -Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Upstream-Status: Pending [Not submitted yet] ---- - .../service/common/include/psa/crypto_sid.h | 241 ++++++++++++++++++ - components/service/common/include/psa/sid.h | 78 +----- - .../caller/psa_ipc/crypto_caller_sign_hash.h | 4 +- - .../psa_ipc/crypto_caller_verify_hash.h | 4 +- - 4 files changed, 249 insertions(+), 78 deletions(-) - create mode 100644 components/service/common/include/psa/crypto_sid.h - -diff --git a/components/service/common/include/psa/crypto_sid.h b/components/service/common/include/psa/crypto_sid.h -new file mode 100644 -index 00000000..5b05f46d ---- /dev/null -+++ b/components/service/common/include/psa/crypto_sid.h -@@ -0,0 +1,241 @@ -+/* -+ * Copyright (c) 2023, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __PSA_CRYPTO_SID_H__ -+#define __PSA_CRYPTO_SID_H__ -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+#include <stdint.h> -+ -+/** -+ * \brief Type associated to the group of a function encoding. There can be -+ * nine groups (Random, Key management, Hash, MAC, Cipher, AEAD, -+ * Asym sign, Asym encrypt, Key derivation). -+ */ -+enum tfm_crypto_group_id { -+ TFM_CRYPTO_GROUP_ID_RANDOM = 0x0, -+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, -+ TFM_CRYPTO_GROUP_ID_HASH, -+ TFM_CRYPTO_GROUP_ID_MAC, -+ TFM_CRYPTO_GROUP_ID_CIPHER, -+ TFM_CRYPTO_GROUP_ID_AEAD, -+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN, -+ TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT, -+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, -+}; -+ -+/* X macro describing each of the available PSA Crypto APIs */ -+#define KEY_MANAGEMENT_FUNCS \ -+ X(TFM_CRYPTO_GET_KEY_ATTRIBUTES) \ -+ X(TFM_CRYPTO_RESET_KEY_ATTRIBUTES) \ -+ X(TFM_CRYPTO_OPEN_KEY) \ -+ X(TFM_CRYPTO_CLOSE_KEY) \ -+ X(TFM_CRYPTO_IMPORT_KEY) \ -+ X(TFM_CRYPTO_DESTROY_KEY) \ -+ X(TFM_CRYPTO_EXPORT_KEY) \ -+ X(TFM_CRYPTO_EXPORT_PUBLIC_KEY) \ -+ X(TFM_CRYPTO_PURGE_KEY) \ -+ X(TFM_CRYPTO_COPY_KEY) \ -+ X(TFM_CRYPTO_GENERATE_KEY) -+ -+#define HASH_FUNCS \ -+ X(TFM_CRYPTO_HASH_COMPUTE) \ -+ X(TFM_CRYPTO_HASH_COMPARE) \ -+ X(TFM_CRYPTO_HASH_SETUP) \ -+ X(TFM_CRYPTO_HASH_UPDATE) \ -+ X(TFM_CRYPTO_HASH_CLONE) \ -+ X(TFM_CRYPTO_HASH_FINISH) \ -+ X(TFM_CRYPTO_HASH_VERIFY) \ -+ X(TFM_CRYPTO_HASH_ABORT) -+ -+#define MAC_FUNCS \ -+ X(TFM_CRYPTO_MAC_COMPUTE) \ -+ X(TFM_CRYPTO_MAC_VERIFY) \ -+ X(TFM_CRYPTO_MAC_SIGN_SETUP) \ -+ X(TFM_CRYPTO_MAC_VERIFY_SETUP) \ -+ X(TFM_CRYPTO_MAC_UPDATE) \ -+ X(TFM_CRYPTO_MAC_SIGN_FINISH) \ -+ X(TFM_CRYPTO_MAC_VERIFY_FINISH) \ -+ X(TFM_CRYPTO_MAC_ABORT) -+ -+#define CIPHER_FUNCS \ -+ X(TFM_CRYPTO_CIPHER_ENCRYPT) \ -+ X(TFM_CRYPTO_CIPHER_DECRYPT) \ -+ X(TFM_CRYPTO_CIPHER_ENCRYPT_SETUP) \ -+ X(TFM_CRYPTO_CIPHER_DECRYPT_SETUP) \ -+ X(TFM_CRYPTO_CIPHER_GENERATE_IV) \ -+ X(TFM_CRYPTO_CIPHER_SET_IV) \ -+ X(TFM_CRYPTO_CIPHER_UPDATE) \ -+ X(TFM_CRYPTO_CIPHER_FINISH) \ -+ X(TFM_CRYPTO_CIPHER_ABORT) -+ -+#define AEAD_FUNCS \ -+ X(TFM_CRYPTO_AEAD_ENCRYPT) \ -+ X(TFM_CRYPTO_AEAD_DECRYPT) \ -+ X(TFM_CRYPTO_AEAD_ENCRYPT_SETUP) \ -+ X(TFM_CRYPTO_AEAD_DECRYPT_SETUP) \ -+ X(TFM_CRYPTO_AEAD_GENERATE_NONCE) \ -+ X(TFM_CRYPTO_AEAD_SET_NONCE) \ -+ X(TFM_CRYPTO_AEAD_SET_LENGTHS) \ -+ X(TFM_CRYPTO_AEAD_UPDATE_AD) \ -+ X(TFM_CRYPTO_AEAD_UPDATE) \ -+ X(TFM_CRYPTO_AEAD_FINISH) \ -+ X(TFM_CRYPTO_AEAD_VERIFY) \ -+ X(TFM_CRYPTO_AEAD_ABORT) -+ -+#define ASYMMETRIC_SIGN_FUNCS \ -+ X(TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE) \ -+ X(TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE) \ -+ X(TFM_CRYPTO_ASYMMETRIC_SIGN_HASH) \ -+ X(TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH) -+ -+#define AYSMMETRIC_ENCRYPT_FUNCS \ -+ X(TFM_CRYPTO_ASYMMETRIC_ENCRYPT) \ -+ X(TFM_CRYPTO_ASYMMETRIC_DECRYPT) -+ -+#define KEY_DERIVATION_FUNCS \ -+ X(TFM_CRYPTO_RAW_KEY_AGREEMENT) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_SETUP) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_ABORT) -+ -+#define RANDOM_FUNCS \ -+ X(TFM_CRYPTO_GENERATE_RANDOM) -+ -+/* -+ * Define function IDs in each group. The function ID will be encoded into -+ * tfm_crypto_func_sid below. -+ * Each group is defined as a dedicated enum in case the total number of -+ * PSA Crypto APIs exceeds 256. -+ */ -+#define X(func_id) func_id, -+enum tfm_crypto_key_management_func_id { -+ KEY_MANAGEMENT_FUNCS -+}; -+enum tfm_crypto_hash_func_id { -+ HASH_FUNCS -+}; -+enum tfm_crypto_mac_func_id { -+ MAC_FUNCS -+}; -+enum tfm_crypto_cipher_func_id { -+ CIPHER_FUNCS -+}; -+enum tfm_crypto_aead_func_id { -+ AEAD_FUNCS -+}; -+enum tfm_crypto_asym_sign_func_id { -+ ASYMMETRIC_SIGN_FUNCS -+}; -+enum tfm_crypto_asym_encrypt_func_id { -+ AYSMMETRIC_ENCRYPT_FUNCS -+}; -+enum tfm_crypto_key_derivation_func_id { -+ KEY_DERIVATION_FUNCS -+}; -+enum tfm_crypto_random_func_id { -+ RANDOM_FUNCS -+}; -+#undef X -+ -+#define FUNC_ID(func_id) (((func_id) & 0xFF) << 8) -+ -+/* -+ * Numerical progressive value identifying a function API exposed through -+ * the interfaces (S or NS). It's used to dispatch the requests from S/NS -+ * to the corresponding API implementation in the Crypto service backend. -+ * -+ * Each function SID is encoded as uint16_t. -+ * | Func ID | Group ID | -+ * 15 8 7 0 -+ * Func ID is defined in each group func_id enum above -+ * Group ID is defined in tfm_crypto_group_id. -+ */ -+enum tfm_crypto_func_sid { -+ -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT & 0xFF)), -+ -+ KEY_MANAGEMENT_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_HASH & 0xFF)), -+ HASH_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_MAC & 0xFF)), -+ MAC_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_CIPHER & 0xFF)), -+ CIPHER_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_AEAD & 0xFF)), -+ AEAD_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_ASYM_SIGN & 0xFF)), -+ ASYMMETRIC_SIGN_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT & 0xFF)), -+ AYSMMETRIC_ENCRYPT_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_KEY_DERIVATION & 0xFF)), -+ KEY_DERIVATION_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_RANDOM & 0xFF)), -+ RANDOM_FUNCS -+ -+}; -+#undef X -+ -+/** -+ * \brief Define an invalid value for an SID -+ * -+ */ -+#define TFM_CRYPTO_SID_INVALID (~0x0u) -+ -+/** -+ * \brief This value is used to mark an handle as invalid. -+ * -+ */ -+#define TFM_CRYPTO_INVALID_HANDLE (0x0u) -+ -+/** -+ * \brief Define miscellaneous literal constants that are used in the service -+ * -+ */ -+enum { -+ TFM_CRYPTO_NOT_IN_USE = 0, -+ TFM_CRYPTO_IN_USE = 1 -+}; -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __PSA_CRYPTO_SID_H__ */ -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 8103a9af..50ad070e 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2019-2021, Arm Limited. All rights reserved. -+ * Copyright (c) 2019-2023, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -12,6 +12,9 @@ - extern "C" { - #endif - -+/******** PSA Crypto SIDs ********/ -+#include "crypto_sid.h" -+ - /******** TFM_SP_PS ********/ - #define TFM_PROTECTED_STORAGE_SERVICE_SID (0x00000060U) - #define TFM_PROTECTED_STORAGE_SERVICE_VERSION (1U) -@@ -43,79 +46,6 @@ extern "C" { - #define TFM_PLATFORM_SERVICE_HANDLE (0x40000105U) - - --/** -- * \brief Define a progressive numerical value for each SID which can be used -- * when dispatching the requests to the service -- */ --enum { -- TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID = (0u), -- TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID, -- TFM_CRYPTO_OPEN_KEY_SID, -- TFM_CRYPTO_CLOSE_KEY_SID, -- TFM_CRYPTO_IMPORT_KEY_SID, -- TFM_CRYPTO_DESTROY_KEY_SID, -- TFM_CRYPTO_EXPORT_KEY_SID, -- TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -- TFM_CRYPTO_PURGE_KEY_SID, -- TFM_CRYPTO_COPY_KEY_SID, -- TFM_CRYPTO_HASH_COMPUTE_SID, -- TFM_CRYPTO_HASH_COMPARE_SID, -- TFM_CRYPTO_HASH_SETUP_SID, -- TFM_CRYPTO_HASH_UPDATE_SID, -- TFM_CRYPTO_HASH_FINISH_SID, -- TFM_CRYPTO_HASH_VERIFY_SID, -- TFM_CRYPTO_HASH_ABORT_SID, -- TFM_CRYPTO_HASH_CLONE_SID, -- TFM_CRYPTO_MAC_COMPUTE_SID, -- TFM_CRYPTO_MAC_VERIFY_SID, -- TFM_CRYPTO_MAC_SIGN_SETUP_SID, -- TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -- TFM_CRYPTO_MAC_UPDATE_SID, -- TFM_CRYPTO_MAC_SIGN_FINISH_SID, -- TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -- TFM_CRYPTO_MAC_ABORT_SID, -- TFM_CRYPTO_CIPHER_ENCRYPT_SID, -- TFM_CRYPTO_CIPHER_DECRYPT_SID, -- TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -- TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -- TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -- TFM_CRYPTO_CIPHER_SET_IV_SID, -- TFM_CRYPTO_CIPHER_UPDATE_SID, -- TFM_CRYPTO_CIPHER_FINISH_SID, -- TFM_CRYPTO_CIPHER_ABORT_SID, -- TFM_CRYPTO_AEAD_ENCRYPT_SID, -- TFM_CRYPTO_AEAD_DECRYPT_SID, -- TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -- TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -- TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -- TFM_CRYPTO_AEAD_SET_NONCE_SID, -- TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -- TFM_CRYPTO_AEAD_UPDATE_AD_SID, -- TFM_CRYPTO_AEAD_UPDATE_SID, -- TFM_CRYPTO_AEAD_FINISH_SID, -- TFM_CRYPTO_AEAD_VERIFY_SID, -- TFM_CRYPTO_AEAD_ABORT_SID, -- TFM_CRYPTO_SIGN_MESSAGE_SID, -- TFM_CRYPTO_VERIFY_MESSAGE_SID, -- TFM_CRYPTO_SIGN_HASH_SID, -- TFM_CRYPTO_VERIFY_HASH_SID, -- TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -- TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -- TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -- TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -- TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -- TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -- TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -- TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -- TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -- TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -- TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -- TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -- TFM_CRYPTO_GENERATE_RANDOM_SID, -- TFM_CRYPTO_GENERATE_KEY_SID, -- TFM_CRYPTO_SID_MAX, --}; -- - /******** TFM_SP_PLATFORM ********/ - #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) - #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -index e4a2b167..9276748d 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -37,7 +37,7 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_SIGN_HASH_SID, -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID, - .key_id = id, - .alg = alg, - }; -@@ -70,7 +70,7 @@ static inline psa_status_t crypto_caller_sign_message(struct service_client *con - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_SIGN_MESSAGE_SID, -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -index cc9279ee..bcd8e0e4 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -63,7 +63,7 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont - { - - return crypto_caller_common(context,id,alg,hash,hash_length, -- signature,signature_length, TFM_CRYPTO_VERIFY_HASH_SID); -+ signature,signature_length, TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH_SID); - } - - static inline psa_status_t crypto_caller_verify_message(struct service_client *context, -@@ -76,7 +76,7 @@ static inline psa_status_t crypto_caller_verify_message(struct service_client *c - { - - return crypto_caller_common(context,id,alg,hash,hash_length, -- signature,signature_length, TFM_CRYPTO_VERIFY_MESSAGE_SID); -+ signature,signature_length, TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE_SID); - } - - #ifdef __cplusplus --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch deleted file mode 100644 index ecea236403..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch +++ /dev/null @@ -1,655 +0,0 @@ -From a3e203136e7c552069ae582273e0540a219c105f Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Date: Thu, 9 Feb 2023 00:01:06 +0000 -Subject: [PATCH 2/3] TF-Mv1.7 alignment: Align crypto iovec definition - -This patch is to align psa_ipc_crypto_pack_iovec with TF-M v1.7 -And propagate changes accross psa_ipc functions -More accuratly change sfn_id to function_id - -Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Upstream-Status: Pending [Not submitted yet] ---- - .../backend/psa_ipc/crypto_ipc_backend.h | 34 +++++++++---------- - .../caller/psa_ipc/crypto_caller_aead.h | 24 ++++++------- - .../crypto_caller_asymmetric_decrypt.h | 2 +- - .../crypto_caller_asymmetric_encrypt.h | 2 +- - .../caller/psa_ipc/crypto_caller_cipher.h | 14 ++++---- - .../caller/psa_ipc/crypto_caller_copy_key.h | 2 +- - .../psa_ipc/crypto_caller_destroy_key.h | 2 +- - .../caller/psa_ipc/crypto_caller_export_key.h | 2 +- - .../psa_ipc/crypto_caller_export_public_key.h | 2 +- - .../psa_ipc/crypto_caller_generate_key.h | 2 +- - .../psa_ipc/crypto_caller_generate_random.h | 2 +- - .../crypto_caller_get_key_attributes.h | 2 +- - .../caller/psa_ipc/crypto_caller_hash.h | 12 +++---- - .../caller/psa_ipc/crypto_caller_import_key.h | 2 +- - .../psa_ipc/crypto_caller_key_derivation.h | 20 +++++------ - .../client/caller/psa_ipc/crypto_caller_mac.h | 12 +++---- - .../caller/psa_ipc/crypto_caller_purge_key.h | 2 +- - .../caller/psa_ipc/crypto_caller_sign_hash.h | 4 +-- - .../psa_ipc/crypto_caller_verify_hash.h | 4 +-- - 19 files changed, 73 insertions(+), 73 deletions(-) - -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -index ec25eaf8..aacd3fcc 100644 ---- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -28,23 +28,23 @@ struct psa_ipc_crypto_aead_pack_input { - }; - - struct psa_ipc_crypto_pack_iovec { -- uint32_t sfn_id; /*!< Secure function ID used to dispatch the -- * request -- */ -- uint16_t step; /*!< Key derivation step */ -- psa_key_id_t key_id; /*!< Key id */ -- psa_algorithm_t alg; /*!< Algorithm */ -- uint32_t op_handle; /*!< Frontend context handle associated to a -- * multipart operation -- */ -- uint32_t capacity; /*!< Key derivation capacity */ -- uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ -- uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ -- struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for -- * AEAD until the API is -- * restructured -- */ --}; -+ psa_key_id_t key_id; /*!< Key id */ -+ psa_algorithm_t alg; /*!< Algorithm */ -+ uint32_t op_handle; /*!< Frontend context handle associated to a -+ * multipart operation -+ */ -+ uint32_t capacity; /*!< Key derivation capacity */ -+ uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ -+ uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ -+ -+ struct psa_ipc_crypto_aead_pack_input aead_in; /*!< Packs AEAD-related inputs */ -+ -+ uint16_t function_id; /*!< Used to identify the function in the -+ * API dispatcher to the service backend -+ * See tfm_crypto_func_sid for detail -+ */ -+ uint16_t step; /*!< Key derivation step */ -+}__packed; - - #define iov_size sizeof(struct psa_ipc_crypto_pack_iovec) - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -index f6aadd8b..efdffdf7 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -44,7 +44,7 @@ static inline psa_status_t crypto_caller_aead_encrypt( - size_t in_len; - int i; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID, -+ .function_id = TFM_CRYPTO_AEAD_ENCRYPT_SID, - .key_id = key, - .alg = alg, - .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -@@ -105,7 +105,7 @@ static inline psa_status_t crypto_caller_aead_decrypt( - size_t in_len; - int i; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID, -+ .function_id = TFM_CRYPTO_AEAD_DECRYPT_SID, - .key_id = key, - .alg = alg, - .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -@@ -156,7 +156,7 @@ static inline psa_status_t crypto_caller_aead_encrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = (*op_handle), -@@ -185,7 +185,7 @@ static inline psa_status_t crypto_caller_aead_decrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = (*op_handle), -@@ -214,7 +214,7 @@ static inline psa_status_t crypto_caller_aead_generate_nonce( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -+ .function_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, - .op_handle = op_handle, - }; - -@@ -243,7 +243,7 @@ static inline psa_status_t crypto_caller_aead_set_nonce( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_SET_NONCE_SID, -+ .function_id = TFM_CRYPTO_AEAD_SET_NONCE_SID, - .op_handle = op_handle, - }; - -@@ -270,7 +270,7 @@ static inline psa_status_t crypto_caller_aead_set_lengths( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -+ .function_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID, - .ad_length = ad_length, - .plaintext_length = plaintext_length, - .op_handle = op_handle, -@@ -299,7 +299,7 @@ static inline psa_status_t crypto_caller_aead_update_ad( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID, -+ .function_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID, - .op_handle = op_handle, - }; - -@@ -339,7 +339,7 @@ static inline psa_status_t crypto_caller_aead_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_UPDATE_SID, -+ .function_id = TFM_CRYPTO_AEAD_UPDATE_SID, - .op_handle = op_handle, - }; - -@@ -383,7 +383,7 @@ static inline psa_status_t crypto_caller_aead_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_FINISH_SID, -+ .function_id = TFM_CRYPTO_AEAD_FINISH_SID, - .op_handle = op_handle, - }; - -@@ -436,7 +436,7 @@ static inline psa_status_t crypto_caller_aead_verify( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_VERIFY_SID, -+ .function_id = TFM_CRYPTO_AEAD_VERIFY_SID, - .op_handle = op_handle, - }; - -@@ -482,7 +482,7 @@ static inline psa_status_t crypto_caller_aead_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_ABORT_SID, -+ .function_id = TFM_CRYPTO_AEAD_ABORT_SID, - .op_handle = op_handle, - }; - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -index ff01815c..c387eb55 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -@@ -38,7 +38,7 @@ static inline psa_status_t crypto_caller_asymmetric_decrypt( - psa_status_t status; - size_t in_len; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -index 1daf1689..8eb3de45 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -@@ -38,7 +38,7 @@ static inline psa_status_t crypto_caller_asymmetric_encrypt( - psa_status_t status; - size_t in_len; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -index fbefb28d..20aa46a5 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_cipher_encrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -62,7 +62,7 @@ static inline psa_status_t crypto_caller_cipher_decrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -91,7 +91,7 @@ static inline psa_status_t crypto_caller_cipher_generate_iv( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -+ .function_id = TFM_CRYPTO_CIPHER_GENERATE_IV_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -120,7 +120,7 @@ static inline psa_status_t crypto_caller_cipher_set_iv( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_SET_IV_SID, -+ .function_id = TFM_CRYPTO_CIPHER_SET_IV_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -150,7 +150,7 @@ static inline psa_status_t crypto_caller_cipher_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_UPDATE_SID, -+ .function_id = TFM_CRYPTO_CIPHER_UPDATE_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -181,7 +181,7 @@ static inline psa_status_t crypto_caller_cipher_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_FINISH_SID, -+ .function_id = TFM_CRYPTO_CIPHER_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -208,7 +208,7 @@ static inline psa_status_t crypto_caller_cipher_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_ABORT_SID, -+ .function_id = TFM_CRYPTO_CIPHER_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -index 9a988171..48157d7e 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_copy_key(struct service_client *context - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_COPY_KEY_SID, -+ .function_id = TFM_CRYPTO_COPY_KEY_SID, - .key_id = source_key, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -index d00f4faa..6d0a05e6 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -@@ -31,7 +31,7 @@ static inline psa_status_t crypto_caller_destroy_key(struct service_client *cont - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_DESTROY_KEY_SID, -+ .function_id = TFM_CRYPTO_DESTROY_KEY_SID, - .key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -index 8ac5477f..9a6b7013 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_export_key(struct service_client *conte - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_EXPORT_KEY_SID, -+ .function_id = TFM_CRYPTO_EXPORT_KEY_SID, - .key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -index b24c47f1..52bdd757 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_export_public_key(struct service_client - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -+ .function_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, - .key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -index 1b66ed40..7ed1673b 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -@@ -32,7 +32,7 @@ static inline psa_status_t crypto_caller_generate_key(struct service_client *con - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_GENERATE_KEY_SID, -+ .function_id = TFM_CRYPTO_GENERATE_KEY_SID, - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -index 7c538237..4fb87aa8 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -@@ -32,7 +32,7 @@ static inline psa_status_t crypto_caller_generate_random(struct service_client * - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_GENERATE_RANDOM_SID, -+ .function_id = TFM_CRYPTO_GENERATE_RANDOM_SID, - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -index 22f1d18f..2caa3bd3 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_get_key_attributes( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, -+ .function_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, - .key_id = key, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -index 9f37908a..4fb60d44 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_hash_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_SETUP_SID, -+ .function_id = TFM_CRYPTO_HASH_SETUP_SID, - .alg = alg, - .op_handle = *op_handle, - }; -@@ -60,7 +60,7 @@ static inline psa_status_t crypto_caller_hash_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_UPDATE_SID, -+ .function_id = TFM_CRYPTO_HASH_UPDATE_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -88,7 +88,7 @@ static inline psa_status_t crypto_caller_hash_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_FINISH_SID, -+ .function_id = TFM_CRYPTO_HASH_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -115,7 +115,7 @@ static inline psa_status_t crypto_caller_hash_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_ABORT_SID, -+ .function_id = TFM_CRYPTO_HASH_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -141,7 +141,7 @@ static inline psa_status_t crypto_caller_hash_verify( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_VERIFY_SID, -+ .function_id = TFM_CRYPTO_HASH_VERIFY_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -167,7 +167,7 @@ static inline psa_status_t crypto_caller_hash_clone( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_CLONE_SID, -+ .function_id = TFM_CRYPTO_HASH_CLONE_SID, - .op_handle = source_op_handle, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -index d4703366..1458163c 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_import_key(struct service_client *conte - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_IMPORT_KEY_SID, -+ .function_id = TFM_CRYPTO_IMPORT_KEY_SID, - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -index 5ce4fb6c..16be9916 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_key_derivation_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, - .alg = alg, - .op_handle = *op_handle, - }; -@@ -59,7 +59,7 @@ static inline psa_status_t crypto_caller_key_derivation_get_capacity( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -84,7 +84,7 @@ static inline psa_status_t crypto_caller_key_derivation_set_capacity( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, - .capacity = capacity, - .op_handle = op_handle, - }; -@@ -109,7 +109,7 @@ static inline psa_status_t crypto_caller_key_derivation_input_bytes( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, - .step = step, - .op_handle = op_handle, - }; -@@ -134,7 +134,7 @@ static inline psa_status_t crypto_caller_key_derivation_input_key( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, - .key_id = key, - .step = step, - .op_handle = op_handle, -@@ -159,7 +159,7 @@ static inline psa_status_t crypto_caller_key_derivation_output_bytes( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -185,7 +185,7 @@ static inline psa_status_t crypto_caller_key_derivation_output_key( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -211,7 +211,7 @@ static inline psa_status_t crypto_caller_key_derivation_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -239,7 +239,7 @@ static inline psa_status_t crypto_caller_key_derivation_key_agreement( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, - .key_id = private_key, - .step = step, - .op_handle = op_handle, -@@ -270,7 +270,7 @@ static inline psa_status_t crypto_caller_raw_key_agreement( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -+ .function_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, - .alg = alg, - .key_id = private_key, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -index 3a820192..30222800 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_mac_sign_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID, -+ .function_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -62,7 +62,7 @@ static inline psa_status_t crypto_caller_mac_verify_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -+ .function_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -90,7 +90,7 @@ static inline psa_status_t crypto_caller_mac_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_UPDATE_SID, -+ .function_id = TFM_CRYPTO_MAC_UPDATE_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -118,7 +118,7 @@ static inline psa_status_t crypto_caller_mac_sign_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_SIGN_FINISH_SID, -+ .function_id = TFM_CRYPTO_MAC_SIGN_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -147,7 +147,7 @@ static inline psa_status_t crypto_caller_mac_verify_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -+ .function_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -172,7 +172,7 @@ static inline psa_status_t crypto_caller_mac_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_ABORT_SID, -+ .function_id = TFM_CRYPTO_MAC_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -index a3a796e2..f6ab0978 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -@@ -31,7 +31,7 @@ static inline psa_status_t crypto_caller_purge_key(struct service_client *contex - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_PURGE_KEY_SID, -+ .function_id = TFM_CRYPTO_PURGE_KEY_SID, - .key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -index 9276748d..8b53e3dc 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -37,7 +37,7 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID, - .key_id = id, - .alg = alg, - }; -@@ -70,7 +70,7 @@ static inline psa_status_t crypto_caller_sign_message(struct service_client *con - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -index bcd8e0e4..c9ed865b 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -31,13 +31,13 @@ static inline psa_status_t crypto_caller_common(struct service_client *context, - size_t hash_length, - const uint8_t *signature, - size_t signature_length, -- uint32_t sfn_id) -+ uint32_t function_id) - { - struct service_client *ipc = context; - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = sfn_id, -+ .function_id = function_id, - .key_id = id, - .alg = alg, - }; --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch deleted file mode 100644 index 0dcdd5da2c..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch +++ /dev/null @@ -1,117 +0,0 @@ -From ee7e13dcc14110aa16f7c6453cfe72f088857ed2 Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Date: Thu, 9 Feb 2023 00:34:23 +0000 -Subject: [PATCH 3/3] TF-Mv1.7 alignment: PSA crypto client in/out_vec - -Few psa crypto operations have different in/out_vec expectations -This patch is fixing the differences between psa crypto client in TS -and psa crypto service in TF-M running on the secure enclave - -operations: -- aead_generate_nonce: TFM service doesn't expect op_handle in in_vec -- aead_update: TFM service doesn't expect op_handle in in_vec -- cipher_generate_iv: TFM service doesn't expect op_handle in in_vec -- cipher_update: TFM service doesn't expect op_handle in in_vec -- hash_clone: TFM service expects target_op_handle in the in_vec - rationale is target_op_handle according to the spec - must be initialized and not active. and since hash_clone - manipulates it. hence, target_op_handle should be passed - as input and output. - -Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> -Upstream-Status: Pending [Not submitted yet] ---- - .../crypto/client/caller/psa_ipc/crypto_caller_aead.h | 6 ++---- - .../crypto/client/caller/psa_ipc/crypto_caller_cipher.h | 6 ++---- - .../crypto/client/caller/psa_ipc/crypto_caller_hash.h | 2 ++ - 3 files changed, 6 insertions(+), 8 deletions(-) - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -index efdffdf7..e862c2de 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -222,14 +222,13 @@ static inline psa_status_t crypto_caller_aead_generate_nonce( - {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, - }; - struct psa_outvec out_vec[] = { -- {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, - {.base = psa_ptr_to_u32(nonce), .len = nonce_size} - }; - - status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - -- *nonce_length = out_vec[1].len; -+ *nonce_length = out_vec[0].len; - return status; - } - -@@ -353,7 +352,6 @@ static inline psa_status_t crypto_caller_aead_update( - {.base = psa_ptr_const_to_u32(input), .len = input_length} - }; - struct psa_outvec out_vec[] = { -- {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, - {.base = psa_ptr_const_to_u32(output), .len = output_size}, - }; - -@@ -365,7 +363,7 @@ static inline psa_status_t crypto_caller_aead_update( - status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - in_len, out_vec, IOVEC_LEN(out_vec)); - -- *output_length = out_vec[1].len; -+ *output_length = out_vec[0].len; - return status; - } - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -index 20aa46a5..948865e4 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -@@ -98,14 +98,13 @@ static inline psa_status_t crypto_caller_cipher_generate_iv( - { .base = psa_ptr_to_u32(&iov), .len = iov_size }, - }; - struct psa_outvec out_vec[] = { -- { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, - { .base = psa_ptr_to_u32(iv), .len = iv_size }, - }; - - status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - -- *iv_length = out_vec[1].len; -+ *iv_length = out_vec[0].len; - - return status; - } -@@ -158,14 +157,13 @@ static inline psa_status_t crypto_caller_cipher_update( - { .base = psa_ptr_const_to_u32(input), .len = input_length }, - }; - struct psa_outvec out_vec[] = { -- { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, - { .base = psa_ptr_to_u32(output), .len = output_size }, - }; - - status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - -- *output_length = out_vec[1].len; -+ *output_length = out_vec[0].len; - - return status; - } -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -index 4fb60d44..1e422130 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -@@ -172,6 +172,8 @@ static inline psa_status_t crypto_caller_hash_clone( - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_to_u32(target_op_handle), -+ .len = sizeof(uint32_t) }, - }; - struct psa_outvec out_vec[] = { - { .base = psa_ptr_to_u32(target_op_handle), --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index 867bd66e4d..3535ddb60e 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc @@ -2,32 +2,13 @@ FILESEXTRAPATHS:prepend:corstone1000 := "${THISDIR}/corstone1000:" COMPATIBLE_MACHINE:corstone1000 = "corstone1000" SRC_URI:append:corstone1000 = " \ - file://0001-Add-openamp-to-SE-proxy-deployment.patch;patchdir=../trusted-services \ - file://0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch;patchdir=../trusted-services \ - file://0003-Add-openamp-rpc-caller.patch;patchdir=../trusted-services \ - file://0004-add-psa-client-definitions-for-ff-m.patch;patchdir=../trusted-services \ - file://0005-Add-common-service-component-to-ipc-support.patch;patchdir=../trusted-services \ - file://0006-Add-secure-storage-ipc-backend.patch;patchdir=../trusted-services \ - file://0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch;patchdir=../trusted-services \ - file://0008-Run-psa-arch-test.patch;patchdir=../trusted-services \ - file://0009-Use-address-instead-of-pointers.patch;patchdir=../trusted-services \ - file://0010-Add-psa-ipc-attestation-to-se-proxy.patch;patchdir=../trusted-services \ - file://0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch;patchdir=../trusted-services;patchdir=../trusted-services \ - file://0012-add-psa-ipc-crypto-backend.patch;patchdir=../trusted-services \ - file://0013-Add-stub-capsule-update-service-components.patch;patchdir=../trusted-services \ - file://0014-Configure-storage-size.patch;patchdir=../trusted-services \ - file://0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch;patchdir=../trusted-services;patchdir=../trusted-services \ - file://0016-Integrate-remaining-psa-ipc-client-APIs.patch;patchdir=../trusted-services \ - file://0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch;patchdir=../trusted-services;patchdir=../trusted-services \ - file://0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch;patchdir=../trusted-services \ - file://0019-plat-corstone1000-change-default-smm-values.patch;patchdir=../trusted-services \ - file://0020-FMP-Support-in-Corstone1000.patch;patchdir=../trusted-services \ - file://0021-smm_gateway-add-checks-for-null-attributes.patch;patchdir=../trusted-services \ - file://0022-GetNextVariableName-Fix.patch;patchdir=../trusted-services \ - file://0023-Use-the-stateless-platform-service.patch;patchdir=../trusted-services \ - file://0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch;patchdir=../trusted-services \ - file://0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch;patchdir=../trusted-services \ - file://0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch;patchdir=../trusted-services \ + file://0001-Add-stub-capsule-update-service-components.patch;patchdir=../trusted-services \ + file://0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch;patchdir=../trusted-services \ + file://0003-FMP-Support-in-Corstone1000.patch;patchdir=../trusted-services \ + file://0004-GetNextVariableName-Fix.patch;patchdir=../trusted-services \ + file://0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch;patchdir=../trusted-services \ + file://0006-plat-corstone1000-Use-the-stateless-platform-service.patch;patchdir=../trusted-services \ + file://0007-plat-corstone1000-Initialize-capsule-update-provider.patch;patchdir=../trusted-services \ " diff --git a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf index 7277817ddf..55c4cab457 100644 --- a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -23,6 +23,3 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" - -PREFERRED_VERSION_optee-os ?= "3.18.%" - diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py index a5f9376062..882989561d 100644 --- a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py +++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py @@ -3,25 +3,23 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotInDataVar class TrustedServicesTest(OERuntimeTestCase): - def run_test_tool(self, cmd, expected_status=0 ): + def run_test_tool(self, cmd, expected_status=0, expected_output=None ): """ Run a test utility """ status, output = self.target.run(cmd) self.assertEqual(status, expected_status, msg='\n'.join([cmd, output])) + if expected_output is not None: + self.assertEqual(output, expected_output, msg='\n'.join([cmd, output])) @OEHasPackage(['ts-demo']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_00_ts_demo(self): self.run_test_tool('ts-demo') - @OEHasPackage(['ts-service-test']) - @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_01_ts_service_test(self): - self.run_test_tool('ts-service-test') - @OEHasPackage(['ts-uefi-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_02_ts_uefi_test(self): @@ -30,7 +28,8 @@ class TrustedServicesTest(OERuntimeTestCase): @OEHasPackage(['ts-psa-crypto-api-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_03_psa_crypto_api_test(self): - # There are a few expected PSA Crypto tests failing + # There are a two expected PSA Crypto tests failures testing features + # TS will not support. self.run_test_tool('psa-crypto-api-test', expected_status=46) @OEHasPackage(['ts-psa-its-api-test']) @@ -48,3 +47,74 @@ class TrustedServicesTest(OERuntimeTestCase): @OETestDepends(['ssh.SSHTest.test_ssh']) def test_06_psa_iat_api_test(self): self.run_test_tool('psa-iat-api-test') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_09_ts_service_grp_check(self): + # If this test fails, available test groups in ts-service-test have changed and all + # tests using the test executable need to be double checked to ensure test group to + # TS SP mapping is still valid. + test_grp_list="FwuServiceTests PsServiceTests ItsServiceTests AttestationProvisioningTests" + test_grp_list+=" AttestationServiceTests CryptoKeyDerivationServicePackedcTests" + test_grp_list+=" CryptoMacServicePackedcTests CryptoCipherServicePackedcTests" + test_grp_list+=" CryptoHashServicePackedcTests CryptoServicePackedcTests" + test_grp_list+=" CryptoServiceProtobufTests CryptoServiceLimitTests" + test_grp_list+=" DiscoveryServiceTests" + self.run_test_tool('ts-service-test -lg', expected_output=test_grp_list) + + @OEHasPackage(['optee-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'optee-spmc-test', 'SPMC Test SPs are not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_07_spmc_test(self): + self.run_test_tool('xtest -t ffa_spmc') + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-fwu', 'FWU SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_10_fwu_service_tests(self): + self.run_test_tool('ts-service-test -g FwuServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_11_ps_service_tests(self): + if 'ts-storage' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g PsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_12_its_service_tests(self): + if 'ts-its' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Internal Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g ItsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_14_attestation_service_tests(self): + if 'ts-attestation' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Attestation SP is not included into OPTEE') + for grp in ["AttestationProvisioningTests", "AttestationServiceTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-crypto', 'Crypto SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_15_crypto_service_tests(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + for grp in ["CryptoKeyDerivationServicePackedcTests", "CryptoMacServicePackedcTests", \ + "CryptoCipherServicePackedcTests", "CryptoHashServicePackedcTests", \ + "CryptoServicePackedcTests", "CryptoServiceProtobufTests CryptoServiceLimitTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_16_discovery_service_test(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g DiscoveryServiceTests') diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch new file mode 100644 index 0000000000..50a57d6179 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch @@ -0,0 +1,67 @@ +From e1cbb35ad4655fe13ccb89247c81e850f6392c92 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing <Gyorgy.Szing@arm.com> +Date: Mon, 13 Mar 2023 21:15:59 +0100 +Subject: Add spmc_manifest for qemu + +This version only supports embedded packaging. + +Upstream-Status: Inappropriate [other] + - The SPMC manifest is integration specific and should live at an + integration spcific place. The manifest file is processed by TF-A + and I am adding the patch to TF-A to keep things simple. + +Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> +--- + plat/qemu/fdts/optee_spmc_manifest.dts | 40 ++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + create mode 100644 plat/qemu/fdts/optee_spmc_manifest.dts + +diff --git a/plat/qemu/fdts/optee_spmc_manifest.dts b/plat/qemu/fdts/optee_spmc_manifest.dts +new file mode 100644 +index 000000000..ae2ae3d95 +--- /dev/null ++++ b/plat/qemu/fdts/optee_spmc_manifest.dts +@@ -0,0 +1,40 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++/* ++ * Copyright (c) 2023, Arm Limited. All rights reserved. ++ */ ++ ++/dts-v1/; ++ ++/ { ++ compatible = "arm,ffa-core-manifest-1.0"; ++ #address-cells = <2>; ++ #size-cells = <1>; ++ ++ attribute { ++ spmc_id = <0x8000>; ++ maj_ver = <0x1>; ++ min_ver = <0x0>; ++ exec_state = <0x0>; ++ load_address = <0x0 0x0e100000>; ++ entrypoint = <0x0 0x0e100000>; ++ binary_size = <0x80000>; ++ }; ++ ++/* ++ * This file will be preprocessed by TF-A's build system. If Measured Boot is ++ * enabled in TF-A's config, the build system will add the MEASURED_BOOT=1 macro ++ * to the preprocessor arguments. ++ */ ++#if MEASURED_BOOT ++ tpm_event_log { ++ compatible = "arm,tpm_event_log"; ++ tpm_event_log_addr = <0x0 0x0>; ++ tpm_event_log_size = <0x0>; ++ }; ++#endif ++ ++/* If the ARM_BL2_SP_LIST_DTS is defined, SPs should be loaded from FIP */ ++#ifdef ARM_BL2_SP_LIST_DTS ++ #error "FIP SP load addresses configuration is missing. ++#endif ++}; +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch new file mode 100644 index 0000000000..7c851fd041 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch @@ -0,0 +1,263 @@ +From d215b0c08e51192baab96d75beaeacf3abf8724e Mon Sep 17 00:00:00 2001 +From: Jens Wiklander <jens.wiklander@linaro.org> +Date: Fri, 18 Nov 2022 15:40:04 +0100 +Subject: feat(qemu): update abi between spmd and spmc + +Updates the ABI between SPMD and the SPMC at S-EL1 so that the hard +coded SPMC manifest can be replaced by a proper manifest via TOS FW +Config. TOS FW Config is provided via QEMU_TOS_FW_CONFIG_DTS as a DTS +file when building. The DTS is turned into a DTB which is added to the +FIP. + +Note that this is an incompatible change and requires corresponding +change in OP-TEE ("core: sel1 spmc: boot abi update"). + +Upstream-Status: Accepted + +Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> +Change-Id: Ibabe78ef50a24f775492854ce5ac54e4d471e369 +--- + plat/qemu/common/qemu_bl2_mem_params_desc.c | 18 +++++++++++- + plat/qemu/common/qemu_bl2_setup.c | 32 +++++++++++++-------- + plat/qemu/common/qemu_io_storage.c | 16 ++++++++++- + plat/qemu/common/qemu_spmd_manifest.c | 31 -------------------- + plat/qemu/qemu/include/platform_def.h | 3 ++ + plat/qemu/qemu/platform.mk | 12 +++++++- + 6 files changed, 66 insertions(+), 46 deletions(-) + delete mode 100644 plat/qemu/common/qemu_spmd_manifest.c + +diff --git a/plat/qemu/common/qemu_bl2_mem_params_desc.c b/plat/qemu/common/qemu_bl2_mem_params_desc.c +index 5af3a2264..8d8047c92 100644 +--- a/plat/qemu/common/qemu_bl2_mem_params_desc.c ++++ b/plat/qemu/common/qemu_bl2_mem_params_desc.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -122,6 +122,22 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { + #endif + .next_handoff_image_id = INVALID_IMAGE_ID, + }, ++ ++#if defined(SPD_spmd) ++ /* Fill TOS_FW_CONFIG related information */ ++ { ++ .image_id = TOS_FW_CONFIG_ID, ++ SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY, ++ VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE), ++ SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY, ++ VERSION_2, image_info_t, 0), ++ .image_info.image_base = TOS_FW_CONFIG_BASE, ++ .image_info.image_max_size = TOS_FW_CONFIG_LIMIT - ++ TOS_FW_CONFIG_BASE, ++ .next_handoff_image_id = INVALID_IMAGE_ID, ++ }, ++#endif ++ + # endif /* QEMU_LOAD_BL32 */ + + /* Fill BL33 related information */ +diff --git a/plat/qemu/common/qemu_bl2_setup.c b/plat/qemu/common/qemu_bl2_setup.c +index 2c0da15b9..6afa3a44d 100644 +--- a/plat/qemu/common/qemu_bl2_setup.c ++++ b/plat/qemu/common/qemu_bl2_setup.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -149,8 +149,7 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + bl_mem_params_node_t *paged_mem_params = NULL; + #endif + #if defined(SPD_spmd) +- unsigned int mode_rw = MODE_RW_64; +- uint64_t pagable_part = 0; ++ bl_mem_params_node_t *bl32_mem_params = NULL; + #endif + + assert(bl_mem_params); +@@ -170,17 +169,18 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + if (err != 0) { + WARN("OPTEE header parse error.\n"); + } +-#if defined(SPD_spmd) +- mode_rw = bl_mem_params->ep_info.args.arg0; +- pagable_part = bl_mem_params->ep_info.args.arg1; +-#endif + #endif + +-#if defined(SPD_spmd) +- bl_mem_params->ep_info.args.arg0 = ARM_PRELOADED_DTB_BASE; +- bl_mem_params->ep_info.args.arg1 = pagable_part; +- bl_mem_params->ep_info.args.arg2 = mode_rw; +- bl_mem_params->ep_info.args.arg3 = 0; ++#if defined(SPMC_OPTEE) ++ /* ++ * Explicit zeroes to unused registers since they may have ++ * been populated by parse_optee_header() above. ++ * ++ * OP-TEE expects system DTB in x2 and TOS_FW_CONFIG in x0, ++ * the latter is filled in below for TOS_FW_CONFIG_ID and ++ * applies to any other SPMC too. ++ */ ++ bl_mem_params->ep_info.args.arg2 = ARM_PRELOADED_DTB_BASE; + #elif defined(SPD_opteed) + /* + * OP-TEE expect to receive DTB address in x2. +@@ -224,6 +224,14 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + + bl_mem_params->ep_info.spsr = qemu_get_spsr_for_bl33_entry(); + break; ++#if defined(SPD_spmd) ++ case TOS_FW_CONFIG_ID: ++ /* An SPMC expects TOS_FW_CONFIG in x0/r0 */ ++ bl32_mem_params = get_bl_mem_params_node(BL32_IMAGE_ID); ++ bl32_mem_params->ep_info.args.arg0 = ++ bl_mem_params->image_info.image_base; ++ break; ++#endif + default: + /* Do nothing in default case */ + break; +diff --git a/plat/qemu/common/qemu_io_storage.c b/plat/qemu/common/qemu_io_storage.c +index 1107e443f..e2d4932c0 100644 +--- a/plat/qemu/common/qemu_io_storage.c ++++ b/plat/qemu/common/qemu_io_storage.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -24,6 +24,7 @@ + #define BL2_IMAGE_NAME "bl2.bin" + #define BL31_IMAGE_NAME "bl31.bin" + #define BL32_IMAGE_NAME "bl32.bin" ++#define TOS_FW_CONFIG_NAME "tos_fw_config.dtb" + #define BL32_EXTRA1_IMAGE_NAME "bl32_extra1.bin" + #define BL32_EXTRA2_IMAGE_NAME "bl32_extra2.bin" + #define BL33_IMAGE_NAME "bl33.bin" +@@ -78,6 +79,10 @@ static const io_uuid_spec_t bl32_extra2_uuid_spec = { + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA2, + }; + ++static const io_uuid_spec_t tos_fw_config_uuid_spec = { ++ .uuid = UUID_TOS_FW_CONFIG, ++}; ++ + static const io_uuid_spec_t bl33_uuid_spec = { + .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33, + }; +@@ -137,6 +142,10 @@ static const io_file_spec_t sh_file_spec[] = { + .path = BL32_EXTRA2_IMAGE_NAME, + .mode = FOPEN_MODE_RB + }, ++ [TOS_FW_CONFIG_ID] = { ++ .path = TOS_FW_CONFIG_NAME, ++ .mode = FOPEN_MODE_RB ++ }, + [BL33_IMAGE_ID] = { + .path = BL33_IMAGE_NAME, + .mode = FOPEN_MODE_RB +@@ -252,6 +261,11 @@ static const struct plat_io_policy policies[] = { + open_fip + }, + #endif ++ [TOS_FW_CONFIG_ID] = { ++ &fip_dev_handle, ++ (uintptr_t)&tos_fw_config_uuid_spec, ++ open_fip ++ }, + [BL33_IMAGE_ID] = { + &fip_dev_handle, + (uintptr_t)&bl33_uuid_spec, +diff --git a/plat/qemu/common/qemu_spmd_manifest.c b/plat/qemu/common/qemu_spmd_manifest.c +deleted file mode 100644 +index fd46e2675..000000000 +--- a/plat/qemu/common/qemu_spmd_manifest.c ++++ /dev/null +@@ -1,31 +0,0 @@ +-/* +- * Copyright (c) 2021, ARM Limited and Contributors. All rights reserved. +- * +- * SPDX-License-Identifier: BSD-3-Clause +- */ +- +-#include <assert.h> +- +-#include <services/spm_core_manifest.h> +- +-#include <plat/common/platform.h> +-#include <platform_def.h> +- +-int plat_spm_core_manifest_load(spmc_manifest_attribute_t *manifest, +- const void *pm_addr) +-{ +- entry_point_info_t *ep_info = bl31_plat_get_next_image_ep_info(SECURE); +- +- assert(ep_info != NULL); +- assert(manifest != NULL); +- +- manifest->major_version = 1; +- manifest->minor_version = 0; +- manifest->exec_state = ep_info->args.arg2; +- manifest->load_address = BL32_BASE; +- manifest->entrypoint = BL32_BASE; +- manifest->binary_size = BL32_LIMIT - BL32_BASE; +- manifest->spmc_id = 0x8000; +- +- return 0; +-} +diff --git a/plat/qemu/qemu/include/platform_def.h b/plat/qemu/qemu/include/platform_def.h +index c9ed6409f..5c3239cb8 100644 +--- a/plat/qemu/qemu/include/platform_def.h ++++ b/plat/qemu/qemu/include/platform_def.h +@@ -118,6 +118,9 @@ + #define BL_RAM_BASE (SHARED_RAM_BASE + SHARED_RAM_SIZE) + #define BL_RAM_SIZE (SEC_SRAM_SIZE - SHARED_RAM_SIZE) + ++#define TOS_FW_CONFIG_BASE BL_RAM_BASE ++#define TOS_FW_CONFIG_LIMIT (TOS_FW_CONFIG_BASE + PAGE_SIZE) ++ + /* + * BL1 specific defines. + * +diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk +index 6becc32fa..02493025a 100644 +--- a/plat/qemu/qemu/platform.mk ++++ b/plat/qemu/qemu/platform.mk +@@ -212,7 +212,10 @@ BL31_SOURCES += lib/cpus/aarch64/aem_generic.S \ + ${QEMU_GIC_SOURCES} + + ifeq (${SPD},spmd) +-BL31_SOURCES += plat/qemu/common/qemu_spmd_manifest.c ++BL31_SOURCES += plat/common/plat_spmd_manifest.c \ ++ common/uuid.c \ ++ ${LIBFDT_SRCS} \ ++ ${FDT_WRAPPERS_SOURCES} + endif + endif + +@@ -233,6 +236,13 @@ $(eval $(call TOOL_ADD_IMG,bl32_extra2,--tos-fw-extra2)) + endif + endif + ++ifneq ($(QEMU_TOS_FW_CONFIG_DTS),) ++FDT_SOURCES += ${QEMU_TOS_FW_CONFIG_DTS} ++QEMU_TOS_FW_CONFIG := ${BUILD_PLAT}/fdts/$(notdir $(basename ${QEMU_TOS_FW_CONFIG_DTS})).dtb ++# Add the TOS_FW_CONFIG to FIP ++$(eval $(call TOOL_ADD_PAYLOAD,${QEMU_TOS_FW_CONFIG},--tos-fw-config,${QEMU_TOS_FW_CONFIG})) ++endif ++ + SEPARATE_CODE_AND_RODATA := 1 + ENABLE_STACK_PROTECTOR := 0 + ifneq ($(ENABLE_STACK_PROTECTOR), 0) +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 6cf55d69cd..e58a090229 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend @@ -47,7 +47,10 @@ EXTRA_OEMAKE:append:arm:qemuall = " \ BL32_RAM_LOCATION=tdram \ AARCH32_SP=optee \ " - +# When using OP-TEE SPMC specify the SPMC manifest file. +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \ + 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}" + do_compile:append:qemuarm64-secureboot() { # Create a secure flash image for booting AArch64 Qemu. See: # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb index 3a5006e53d..5830339c42 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb @@ -5,6 +5,12 @@ SRCREV_tfa = "9881bb93a3bc0a3ea37e9f093e09ab4b360a9e48" SRC_URI += "file://rwx-segments.patch" +# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS. +SRC_URI:append:qemuarm64-secureboot = " \ + file://add-spmc_manifest-for-qemu.patch \ + file://feat-qemu-update-abi-between-spmd-and-spmc.patch \ + " + LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde" # mbed TLS v2.28.2 diff --git a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb index 1261fa413b..726a65bb9a 100644 --- a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb +++ b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb @@ -18,10 +18,16 @@ COMPATIBLE_HOST = "(arm|aarch64).*-linux" KERNEL_MODULE_AUTOLOAD += "arm-ffa-user" KERNEL_MODULE_PROBECONF += "arm-ffa-user" -# This debugfs driver is used only by uefi-test for testing SmmGW SP -# UUIDs = SMM Gateway SP -FFA-USER-UUID-LIST ?= "ed32d533-99e6-4209-9cc0-2d72cdd998a7" -module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA-USER-UUID-LIST}" +# SMM Gateway SP +UUID_LIST = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + 'ed32d533-99e6-4209-9cc0-2d72cdd998a7', '' , d)}" +# SPMC Tests SPs +UUID_LIST:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ',5c9edbc3-7b3a-4367-9f83-7c191ae86a37,7817164c-c40c-4d1a-867a-9bb2278cf41a,23eb0100-e32a-4497-9052-2f11e584afa6', '' , d)}" + +FFA_USER_UUID_LIST ?= "${@d.getVar('UUID_LIST').strip(',')}" + +module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA_USER_UUID_LIST}" do_install:append() { install -d ${D}${includedir} diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg new file mode 100644 index 0000000000..84e0dd71ca --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg @@ -0,0 +1,4 @@ +# These configurations have a dependency on !PREEMPT_RT. Set them to `n` to +# avoid complain when do_kernel_configcheck. +CONFIG_LEDS_TRIGGER_CPU=n +CONFIG_TRANSPARENT_HUGEPAGE=n diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc new file mode 100644 index 0000000000..ae97c2e2a3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc @@ -0,0 +1,7 @@ +define KMACHINE generic-arm64 +define KTYPE preempt-rt +define KARCH arm64 + +kconf hardware generic-arm64-preempt-rt-tweaks.cfg +include ktypes/preempt-rt/preempt-rt.scc +include features/bluetooth/bluetooth.scc diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index 883ed2ca66..0a42ce4a5d 100644 --- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend @@ -1,11 +1,5 @@ ARMFILESPATHS := "${THISDIR}/files:" -FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" -SRC_URI:append:aarch64 = " \ - file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ - file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ - " - COMPATIBLE_MACHINE:generic-arm64 = "generic-arm64" FILESEXTRAPATHS:prepend:generic-arm64 = "${ARMFILESPATHS}" SRC_URI:append:generic-arm64 = " \ diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend new file mode 100644 index 0000000000..e6d50a4bc4 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend @@ -0,0 +1,6 @@ + +FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" +SRC_URI:append:aarch64 = " \ + file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ + file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ + " diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend new file mode 100644 index 0000000000..e6d50a4bc4 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend @@ -0,0 +1,6 @@ + +FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" +SRC_URI:append:aarch64 = " \ + file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ + file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ + " diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch new file mode 100644 index 0000000000..4313a829ac --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch @@ -0,0 +1,91 @@ +From 11f4ea86579bc1a58e4adde2849326f4213694f2 Mon Sep 17 00:00:00 2001 +From: Jens Wiklander <jens.wiklander@linaro.org> +Date: Mon, 21 Nov 2022 18:17:33 +0100 +Subject: core: arm: S-EL1 SPMC: boot ABI update + +Updates the boot ABI for S-EL1 SPMC to align better with other SPMCs, +like Hafnium, but also with the non-FF-A configuration. + +Register usage: +X0 - TOS FW config [1] address, if not NULL +X2 - System DTB, if not NULL + +Adds check in the default get_aslr_seed() to see if the system DTB is +present before trying to read kaslr-seed from secure-chosen. + +Note that this is an incompatible change and requires corresponding +change in TF-A ("feat(qemu): update abi between spmd and spmc") [2]. + +[1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware configuration + file. Used by Trusted OS (BL32), that is, OP-TEE in this case +Link: [2] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=25ae7ad1878244f78206cc7c91f7bdbd267331a1 + +Upstream-Status: Accepted + +Acked-by: Etienne Carriere <etienne.carriere@linaro.org> +Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + core/arch/arm/kernel/boot.c | 8 +++++++- + core/arch/arm/kernel/entry_a64.S | 17 ++++++++--------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index dd34173e8..e02c02b60 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1502,11 +1502,17 @@ struct ns_entry_context *boot_core_hpen(void) + #if defined(CFG_DT) + unsigned long __weak get_aslr_seed(void *fdt) + { +- int rc = fdt_check_header(fdt); ++ int rc = 0; + const uint64_t *seed = NULL; + int offs = 0; + int len = 0; + ++ if (!fdt) { ++ DMSG("No fdt"); ++ goto err; ++ } ++ ++ rc = fdt_check_header(fdt); + if (rc) { + DMSG("Bad fdt: %d", rc); + goto err; +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 4c6e9d75c..047ae1f25 100644 +--- a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -143,21 +143,20 @@ + .endm + + FUNC _start , : +-#if defined(CFG_CORE_SEL1_SPMC) + /* +- * With OP-TEE as SPMC at S-EL1 the SPMD (SPD_spmd) in TF-A passes +- * the DTB in x0, pagaeble part in x1 and the rest of the registers +- * are unused ++ * If CFG_CORE_FFA is enabled, then x0 if non-NULL holds the TOS FW ++ * config [1] address, else x0 if non-NULL holds the pagable part ++ * address. ++ * ++ * [1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware ++ * configuration file. Used by Trusted OS (BL32), that is, OP-TEE ++ * here. + */ +- mov x19, x1 /* Save pagable part */ +- mov x20, x0 /* Save DT address */ +-#else +- mov x19, x0 /* Save pagable part address */ ++ mov x19, x0 + #if defined(CFG_DT_ADDR) + ldr x20, =CFG_DT_ADDR + #else + mov x20, x2 /* Save DT address */ +-#endif + #endif + + adr x0, reset_vect_table +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch new file mode 100644 index 0000000000..add39076fd --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch @@ -0,0 +1,249 @@ +From 84f4ef4c4f2f45e2f54597f1afe80d8f8396cc57 Mon Sep 17 00:00:00 2001 +From: Balint Dobszay <balint.dobszay@arm.com> +Date: Fri, 10 Feb 2023 11:07:27 +0100 +Subject: core: ffa: add TOS_FW_CONFIG handling + +At boot TF-A passes two DT addresses (HW_CONFIG and TOS_FW_CONFIG), but +currently only the HW_CONFIG address is saved, the other one is dropped. +This commit adds functionality to save the TOS_FW_CONFIG too, so we can +retrieve it later. This is necessary for the CFG_CORE_SEL1_SPMC use +case, because the SPMC manifest is passed in this DT. + +Upstream-Status: Accepted + +Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> +Signed-off-by: Balint Dobszay <balint.dobszay@arm.com> +--- + core/arch/arm/kernel/boot.c | 60 ++++++++++++++++++++++- + core/arch/arm/kernel/entry_a32.S | 3 +- + core/arch/arm/kernel/entry_a64.S | 13 ++++- + core/arch/arm/kernel/link_dummies_paged.c | 4 +- + core/arch/arm/kernel/secure_partition.c | 2 +- + core/include/kernel/boot.h | 7 ++- + 6 files changed, 81 insertions(+), 8 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index e02c02b60..98e13c072 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2015-2022, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + + #include <arm.h> +@@ -83,6 +84,9 @@ struct dt_descriptor { + }; + + static struct dt_descriptor external_dt __nex_bss; ++#ifdef CFG_CORE_SEL1_SPMC ++static struct dt_descriptor tos_fw_config_dt __nex_bss; ++#endif + #endif + + #ifdef CFG_SECONDARY_INIT_CNTFRQ +@@ -1224,6 +1228,54 @@ static struct core_mmu_phys_mem *get_nsec_memory(void *fdt __unused, + #endif /*CFG_CORE_DYN_SHM*/ + #endif /*!CFG_DT*/ + ++#if defined(CFG_CORE_SEL1_SPMC) && defined(CFG_DT) ++void *get_tos_fw_config_dt(void) ++{ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return NULL; ++ ++ assert(cpu_mmu_enabled()); ++ ++ return tos_fw_config_dt.blob; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa) ++{ ++ struct dt_descriptor *dt = &tos_fw_config_dt; ++ void *fdt = NULL; ++ int ret = 0; ++ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return; ++ ++ if (!pa) ++ panic("No TOS_FW_CONFIG DT found"); ++ ++ fdt = core_mmu_add_mapping(MEM_AREA_EXT_DT, pa, CFG_DTB_MAX_SIZE); ++ if (!fdt) ++ panic("Failed to map TOS_FW_CONFIG DT"); ++ ++ dt->blob = fdt; ++ ++ ret = fdt_open_into(fdt, fdt, CFG_DTB_MAX_SIZE); ++ if (ret < 0) { ++ EMSG("Invalid Device Tree at %#lx: error %d", pa, ret); ++ panic(); ++ } ++ ++ IMSG("TOS_FW_CONFIG DT found"); ++} ++#else ++void *get_tos_fw_config_dt(void) ++{ ++ return NULL; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa __unused) ++{ ++} ++#endif /*CFG_CORE_SEL1_SPMC && CFG_DT*/ ++ + #ifdef CFG_CORE_DYN_SHM + static void discover_nsec_memory(void) + { +@@ -1361,10 +1413,16 @@ static bool cpu_nmfi_enabled(void) + * Note: this function is weak just to make it possible to exclude it from + * the unpaged area. + */ +-void __weak boot_init_primary_late(unsigned long fdt) ++void __weak boot_init_primary_late(unsigned long fdt, ++ unsigned long tos_fw_config) + { + init_external_dt(fdt); ++ init_tos_fw_config_dt(tos_fw_config); ++#ifdef CFG_CORE_SEL1_SPMC ++ tpm_map_log_area(get_tos_fw_config_dt()); ++#else + tpm_map_log_area(get_external_dt()); ++#endif + discover_nsec_memory(); + update_external_dt(); + configure_console_from_dt(); +diff --git a/core/arch/arm/kernel/entry_a32.S b/core/arch/arm/kernel/entry_a32.S +index 0f14ca2f6..3758fd8b7 100644 +--- a/core/arch/arm/kernel/entry_a32.S ++++ b/core/arch/arm/kernel/entry_a32.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2014, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include <arm32_macros.S> +@@ -560,6 +560,7 @@ shadow_stack_access_ok: + str r0, [r8, #THREAD_CORE_LOCAL_FLAGS] + #endif + mov r0, r6 /* DT address */ ++ mov r1, #0 /* unused */ + bl boot_init_primary_late + #ifndef CFG_VIRTUALIZATION + mov r0, #THREAD_CLF_TMP +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 047ae1f25..fa76437fb 100644 +--- a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2022, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include <platform_config.h> +@@ -320,7 +320,11 @@ clear_nex_bss: + bl core_mmu_set_default_prtn_tbl + #endif + ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x0, xzr /* pager not used */ ++#else + mov x0, x19 /* pagable part address */ ++#endif + mov x1, #-1 + bl boot_init_primary_early + +@@ -337,7 +341,12 @@ clear_nex_bss: + mov x22, x0 + str wzr, [x22, #THREAD_CORE_LOCAL_FLAGS] + #endif +- mov x0, x20 /* DT address */ ++ mov x0, x20 /* DT address also known as HW_CONFIG */ ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x1, x19 /* TOS_FW_CONFIG DT address */ ++#else ++ mov x1, xzr /* unused */ ++#endif + bl boot_init_primary_late + #ifdef CFG_CORE_PAUTH + init_pauth_per_cpu +diff --git a/core/arch/arm/kernel/link_dummies_paged.c b/core/arch/arm/kernel/link_dummies_paged.c +index 3b8287e06..023a5f3f5 100644 +--- a/core/arch/arm/kernel/link_dummies_paged.c ++++ b/core/arch/arm/kernel/link_dummies_paged.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2017-2021, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + #include <compiler.h> + #include <initcall.h> +@@ -27,7 +28,8 @@ void __section(".text.dummy.call_finalcalls") call_finalcalls(void) + } + + void __section(".text.dummy.boot_init_primary_late") +-boot_init_primary_late(unsigned long fdt __unused) ++boot_init_primary_late(unsigned long fdt __unused, ++ unsigned long tos_fw_config __unused) + { + } + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b1..d386f1e4d 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -1212,7 +1212,7 @@ static TEE_Result fip_sp_map_all(void) + int subnode = 0; + int root = 0; + +- fdt = get_external_dt(); ++ fdt = get_tos_fw_config_dt(); + if (!fdt) { + EMSG("No SPMC manifest found"); + return TEE_ERROR_GENERIC; +diff --git a/core/include/kernel/boot.h b/core/include/kernel/boot.h +index 260854473..941e093b2 100644 +--- a/core/include/kernel/boot.h ++++ b/core/include/kernel/boot.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2020, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + #ifndef __KERNEL_BOOT_H + #define __KERNEL_BOOT_H +@@ -46,7 +46,7 @@ extern const struct core_mmu_config boot_mmu_config; + /* @nsec_entry is unused if using CFG_WITH_ARM_TRUSTED_FW */ + void boot_init_primary_early(unsigned long pageable_part, + unsigned long nsec_entry); +-void boot_init_primary_late(unsigned long fdt); ++void boot_init_primary_late(unsigned long fdt, unsigned long tos_fw_config); + void boot_init_memtag(void); + + void __panic_at_smc_return(void) __noreturn; +@@ -103,6 +103,9 @@ void *get_embedded_dt(void); + /* Returns external DTB if present, otherwise NULL */ + void *get_external_dt(void); + ++/* Returns TOS_FW_CONFIG DTB if present, otherwise NULL */ ++void *get_tos_fw_config_dt(void); ++ + /* + * get_aslr_seed() - return a random seed for core ASLR + * @fdt: Pointer to a device tree if CFG_DT_ADDR=y +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch new file mode 100644 index 0000000000..a0377abafe --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch @@ -0,0 +1,279 @@ +From f4b4f5bccc1be9a709008cc8e6107302745796c8 Mon Sep 17 00:00:00 2001 +From: Imre Kis <imre.kis@arm.com> +Date: Tue, 18 Apr 2023 16:41:51 +0200 +Subject: [PATCH] core: spmc: handle non-secure interrupts + +Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure +interrupts and for resuming to the secure world. If a secure partition +is preempted by a non-secure interrupt OP-TEE saves the SP's state and +sends an FFA_INTERRUPT to the normal world. After handling the interrupt +the normal world should send an FFA_RUN to OP-TEE so it can continue +running the SP. +If OP-TEE is the active FF-A endpoint (i.e. it is running TAs) the +non-secure interrupts are signaled by the existing +OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message instead of +FFA_INTERRUPT. + +Upstream-Status: Pending + +Signed-off-by: Imre Kis <imre.kis@arm.com> +Change-Id: I577ebe86d416ee494963216a66a3bfc8206921b4 + +--- + core/arch/arm/include/ffa.h | 2 +- + .../arch/arm/include/kernel/spmc_sp_handler.h | 11 +++++++ + core/arch/arm/kernel/secure_partition.c | 17 ++++++++++ + core/arch/arm/kernel/spmc_sp_handler.c | 26 ++++++++++++++++ + core/arch/arm/kernel/thread.c | 7 +++++ + core/arch/arm/kernel/thread_spmc.c | 31 ++++++++++++++++++- + core/arch/arm/kernel/thread_spmc_a64.S | 30 ++++++++++++++++++ + 7 files changed, 122 insertions(+), 2 deletions(-) + +diff --git a/core/arch/arm/include/ffa.h b/core/arch/arm/include/ffa.h +index 5a19fb0c..b3d1d354 100644 +--- a/core/arch/arm/include/ffa.h ++++ b/core/arch/arm/include/ffa.h +@@ -50,7 +50,7 @@ + #define FFA_ID_GET U(0x84000069) + #define FFA_MSG_WAIT U(0x8400006B) + #define FFA_MSG_YIELD U(0x8400006C) +-#define FFA_MSG_RUN U(0x8400006D) ++#define FFA_RUN U(0x8400006D) + #define FFA_MSG_SEND U(0x8400006E) + #define FFA_MSG_SEND_DIRECT_REQ_32 U(0x8400006F) + #define FFA_MSG_SEND_DIRECT_REQ_64 U(0xC400006F) +diff --git a/core/arch/arm/include/kernel/spmc_sp_handler.h b/core/arch/arm/include/kernel/spmc_sp_handler.h +index f5bda7bf..30c1e469 100644 +--- a/core/arch/arm/include/kernel/spmc_sp_handler.h ++++ b/core/arch/arm/include/kernel/spmc_sp_handler.h +@@ -25,6 +25,8 @@ void spmc_sp_start_thread(struct thread_smc_args *args); + int spmc_sp_add_share(struct ffa_rxtx *rxtx, + size_t blen, uint64_t *global_handle, + struct sp_session *owner_sp); ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess); ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id); + #else + static inline void spmc_sp_start_thread(struct thread_smc_args *args __unused) + { +@@ -37,6 +39,15 @@ static inline int spmc_sp_add_share(struct ffa_rxtx *rxtx __unused, + { + return FFA_NOT_SUPPORTED; + } ++ ++static inline void spmc_sp_set_to_preempted(struct ts_session *ts_sess __unused) ++{ ++} ++ ++static inline int spmc_sp_resume_from_preempted(uint16_t endpoint_id __unused) ++{ ++ return FFA_NOT_SUPPORTED; ++} + #endif + + #endif /* __KERNEL_SPMC_SP_HANDLER_H */ +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b..6e351e43 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -999,6 +999,8 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; ++ uint32_t thread_id = THREAD_ID_INVALID; ++ uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; + +@@ -1011,8 +1013,23 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); + + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); ++ ++ /* ++ * Store endpoint ID and thread ID in rpc_target_info. This will be used ++ * as w1 in FFA_INTERRUPT in case of a NWd interrupt. ++ */ ++ rpc_target_info = thread_get_tsd()->rpc_target_info; ++ thread_id = thread_get_id(); ++ assert((thread_id & ~0xffff) == 0); ++ thread_get_tsd()->rpc_target_info = (sp_s->endpoint_id << 16) | ++ (thread_id & 0xffff); ++ + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); ++ + sp_regs->cpsr = cpsr; ++ /* Restore rpc_target_info */ ++ thread_get_tsd()->rpc_target_info = rpc_target_info; ++ + thread_unmask_exceptions(exceptions); + + thread_user_clear_vfp(&ctx->uctx); +diff --git a/core/arch/arm/kernel/spmc_sp_handler.c b/core/arch/arm/kernel/spmc_sp_handler.c +index 5d3326fc..f4c7ff81 100644 +--- a/core/arch/arm/kernel/spmc_sp_handler.c ++++ b/core/arch/arm/kernel/spmc_sp_handler.c +@@ -366,6 +366,32 @@ cleanup: + return res; + } + ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess) ++{ ++ if (ts_sess && is_sp_ctx(ts_sess->ctx)) { ++ struct sp_session *sp_sess = to_sp_session(ts_sess); ++ ++ assert(sp_sess->state == sp_busy); ++ ++ sp_sess->state = sp_preempted; ++ } ++} ++ ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id) ++{ ++ struct sp_session *sp_sess = sp_get_session(endpoint_id); ++ ++ if (!sp_sess) ++ return FFA_INVALID_PARAMETERS; ++ ++ if (sp_sess->state != sp_preempted) ++ return FFA_DENIED; ++ ++ sp_sess->state = sp_busy; ++ ++ return FFA_OK; ++} ++ + static bool check_rxtx(struct ffa_rxtx *rxtx) + { + return rxtx && rxtx->rx && rxtx->tx && rxtx->size > 0; +diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c +index 1e7f9f96..8cd4dc96 100644 +--- a/core/arch/arm/kernel/thread.c ++++ b/core/arch/arm/kernel/thread.c +@@ -531,6 +531,13 @@ int thread_state_suspend(uint32_t flags, uint32_t cpsr, vaddr_t pc) + core_mmu_set_user_map(NULL); + } + ++ if (IS_ENABLED(CFG_SECURE_PARTITION)) { ++ struct ts_session *ts_sess = ++ TAILQ_FIRST(&threads[ct].tsd.sess_stack); ++ ++ spmc_sp_set_to_preempted(ts_sess); ++ } ++ + l->curr_thread = THREAD_ID_INVALID; + + if (IS_ENABLED(CFG_VIRTUALIZATION)) +diff --git a/core/arch/arm/kernel/thread_spmc.c b/core/arch/arm/kernel/thread_spmc.c +index 3b4ac0b4..bc4e7687 100644 +--- a/core/arch/arm/kernel/thread_spmc.c ++++ b/core/arch/arm/kernel/thread_spmc.c +@@ -45,7 +45,7 @@ struct mem_frag_state { + #endif + + /* Initialized in spmc_init() below */ +-static uint16_t my_endpoint_id; ++uint16_t my_endpoint_id; + + /* + * If struct ffa_rxtx::size is 0 RX/TX buffers are not mapped or initialized. +@@ -437,6 +437,32 @@ out: + FFA_PARAM_MBZ, FFA_PARAM_MBZ); + cpu_spin_unlock(&rxtx->spinlock); + } ++ ++static void spmc_handle_run(struct thread_smc_args *args) ++{ ++ uint16_t endpoint = (args->a1 >> 16) & 0xffff; ++ uint16_t thread_id = (args->a1 & 0xffff); ++ uint32_t rc = 0; ++ ++ if (endpoint != my_endpoint_id) { ++ /* ++ * The endpoint should be an SP, try to resume the SP from ++ * preempted into busy state. ++ */ ++ rc = spmc_sp_resume_from_preempted(endpoint); ++ if (rc) ++ goto out; ++ } ++ ++ thread_resume_from_rpc(thread_id, 0, 0, 0, 0); ++ ++ /* thread_resume_from_rpc return only of the thread_id is invalid */ ++ rc = FFA_INVALID_PARAMETERS; ++ ++out: ++ spmc_set_args(args, FFA_ERROR, FFA_PARAM_MBZ, rc, FFA_PARAM_MBZ, ++ FFA_PARAM_MBZ, FFA_PARAM_MBZ); ++} + #endif /*CFG_CORE_SEL1_SPMC*/ + + static void handle_yielding_call(struct thread_smc_args *args) +@@ -970,6 +996,9 @@ void thread_spmc_msg_recv(struct thread_smc_args *args) + case FFA_PARTITION_INFO_GET: + spmc_handle_partition_info_get(args, &nw_rxtx); + break; ++ case FFA_RUN: ++ spmc_handle_run(args); ++ break; + #endif /*CFG_CORE_SEL1_SPMC*/ + case FFA_INTERRUPT: + itr_core_handler(); +diff --git a/core/arch/arm/kernel/thread_spmc_a64.S b/core/arch/arm/kernel/thread_spmc_a64.S +index 21cb6251..7297005a 100644 +--- a/core/arch/arm/kernel/thread_spmc_a64.S ++++ b/core/arch/arm/kernel/thread_spmc_a64.S +@@ -14,6 +14,20 @@ + #include <kernel/thread.h> + #include <optee_ffa.h> + ++#if CFG_SECURE_PARTITION ++LOCAL_FUNC thread_ffa_interrupt , : ++ mov_imm x0, FFA_INTERRUPT /* FID */ ++ /* X1: Endpoint/vCPU IDs is set by caller */ ++ mov x2, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x3, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x4, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x5, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x6, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x7, #FFA_PARAM_MBZ /* Param MBZ */ ++ b .ffa_msg_loop ++END_FUNC thread_ffa_msg_wait ++#endif /* CFG_SECURE_PARTITION */ ++ + FUNC thread_ffa_msg_wait , : + mov_imm x0, FFA_MSG_WAIT /* FID */ + mov x1, #FFA_TARGET_INFO_MBZ /* Target info MBZ */ +@@ -171,6 +185,14 @@ END_FUNC thread_rpc + * The current thread as indicated by @thread_index has just been + * suspended. The job here is just to inform normal world the thread id to + * resume when returning. ++ * If the active FF-A endpoint is OP-TEE (or a TA) then an this function send an ++ * OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message to the normal world via the ++ * FFA_MSG_SEND_DIRECT_RESP interface. This is handled by the OP-TEE ++ * driver in Linux so it can schedule task to the thread. ++ * If the active endpoint is an SP the function sends an FFA_INTERRUPT. This is ++ * handled by the FF-A driver and after taking care of the NWd interrupts it ++ * returns via an FFA_RUN call. ++ * The active endpoint is determined by the upper 16 bits of rpc_target_info. + */ + FUNC thread_foreign_intr_exit , : + /* load threads[w0].tsd.rpc_target_info into w1 */ +@@ -178,6 +200,14 @@ FUNC thread_foreign_intr_exit , : + adr_l x2, threads + madd x1, x1, x0, x2 + ldr w1, [x1, #THREAD_CTX_TSD_RPC_TARGET_INFO] ++#if CFG_SECURE_PARTITION ++ adr_l x2, my_endpoint_id ++ ldrh w2, [x2] ++ lsr w3, w1, #16 ++ cmp w2, w3 ++ /* (threads[w0].tsd.rpc_target_info >> 16) != my_endpoint_id */ ++ bne thread_ffa_interrupt ++#endif /* CFG_SECURE_PARTITION */ + mov x2, #FFA_PARAM_MBZ + mov w3, #FFA_PARAM_MBZ + mov w4, #OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT + +-- +2.17.1 diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch new file mode 100644 index 0000000000..32e560689f --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch @@ -0,0 +1,150 @@ +From cad33cffb5be17fc0654aaf03c4d5227ae682e7a Mon Sep 17 00:00:00 2001 +From: Imre Kis <imre.kis@arm.com> +Date: Tue, 25 Apr 2023 14:19:14 +0200 +Subject: [PATCH] core: spmc: configure SP's NS interrupt action based on + the manifest + +Used mandatory ns-interrupts-action SP manifest property to configure +signaled or queued non-secure interrupt handling. + +Upstream-Status: Pending + +Signed-off-by: Imre Kis <imre.kis@arm.com> +Change-Id: I843e69e5dbb9613ecd8b95654e8ca1730a594ca6 +--- + .../arm/include/kernel/secure_partition.h | 2 + + core/arch/arm/kernel/secure_partition.c | 66 +++++++++++++++++-- + 2 files changed, 63 insertions(+), 5 deletions(-) + +diff --git a/core/arch/arm/include/kernel/secure_partition.h b/core/arch/arm/include/kernel/secure_partition.h +index 290750936..3bf339d3c 100644 +--- a/core/arch/arm/include/kernel/secure_partition.h ++++ b/core/arch/arm/include/kernel/secure_partition.h +@@ -43,6 +43,8 @@ struct sp_session { + unsigned int spinlock; + const void *fdt; + bool is_initialized; ++ uint32_t ns_interrupts_action; ++ uint32_t ns_interrupts_action_inherited; + TAILQ_ENTRY(sp_session) link; + }; + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 52365553b..e54069c17 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -46,6 +46,10 @@ + SP_MANIFEST_ATTR_WRITE | \ + SP_MANIFEST_ATTR_EXEC) + ++#define SP_MANIFEST_NS_INT_QUEUED (0x0) ++#define SP_MANIFEST_NS_INT_MANAGED_EXIT (0x1) ++#define SP_MANIFEST_NS_INT_SIGNALED (0x2) ++ + #define SP_PKG_HEADER_MAGIC (0x474b5053) + #define SP_PKG_HEADER_VERSION_V1 (0x1) + #define SP_PKG_HEADER_VERSION_V2 (0x2) +@@ -907,6 +911,30 @@ static TEE_Result sp_init_uuid(const TEE_UUID *uuid, const void * const fdt) + return res; + DMSG("endpoint is 0x%"PRIx16, sess->endpoint_id); + ++ res = sp_dt_get_u32(fdt, 0, "ns-interrupts-action", ++ &sess->ns_interrupts_action); ++ ++ if (res) { ++ EMSG("Mandatory property is missing: ns-interrupts-action"); ++ return res; ++ } ++ ++ switch (sess->ns_interrupts_action) { ++ case SP_MANIFEST_NS_INT_QUEUED: ++ case SP_MANIFEST_NS_INT_SIGNALED: ++ /* OK */ ++ break; ++ ++ case SP_MANIFEST_NS_INT_MANAGED_EXIT: ++ EMSG("Managed exit is not implemented"); ++ return TEE_ERROR_NOT_IMPLEMENTED; ++ ++ default: ++ EMSG("Invalid ns-interrupts-action value: %d", ++ sess->ns_interrupts_action); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ + return TEE_SUCCESS; + } + +@@ -989,17 +1017,45 @@ TEE_Result sp_enter(struct thread_smc_args *args, struct sp_session *sp) + return res; + } + ++/* ++ * According to FF-A v1.1 section 8.3.1.4 if a caller requires less permissive ++ * active on NS interrupt than the callee, the callee must inherit the caller's ++ * configuration. ++ * Each SP's own NS action setting is stored in ns_interrupts_action. The ++ * effective action will be MIN([self action], [caller's action]) which is ++ * stored in the ns_interrupts_action_inherited field. ++ */ ++static void sp_cpsr_configure_foreing_interrupts(struct sp_session *s, ++ struct ts_session *caller, ++ uint64_t *cpsr) ++{ ++ if (caller) { ++ struct sp_session *caller_sp = to_sp_session(caller); ++ ++ s->ns_interrupts_action_inherited = ++ MIN(caller_sp->ns_interrupts_action_inherited, ++ s->ns_interrupts_action); ++ } else { ++ s->ns_interrupts_action_inherited = s->ns_interrupts_action; ++ } ++ ++ if (s->ns_interrupts_action_inherited == SP_MANIFEST_NS_INT_QUEUED) ++ *cpsr |= (THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++ else ++ *cpsr &= ~(THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++} ++ + static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + uint32_t cmd __unused) + { + struct sp_ctx *ctx = to_sp_ctx(s->ctx); + TEE_Result res = TEE_SUCCESS; + uint32_t exceptions = 0; +- uint64_t cpsr = 0; + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; + uint32_t thread_id = THREAD_ID_INVALID; ++ struct ts_session *caller = NULL; + uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; +@@ -1009,11 +1065,12 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs = &ctx->sp_regs; + ts_push_current_session(s); + +- cpsr = sp_regs->cpsr; +- sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); +- + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); + ++ /* Enable/disable foreign interrupts in CPSR/SPSR */ ++ caller = ts_get_calling_session(); ++ sp_cpsr_configure_foreing_interrupts(sp_s, caller, &sp_regs->cpsr); ++ + /* + * Store endpoint ID and thread ID in rpc_target_info. This will be used + * as w1 in FFA_INTERRUPT in case of a NWd interrupt. +@@ -1026,7 +1083,6 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); + +- sp_regs->cpsr = cpsr; + /* Restore rpc_target_info */ + thread_get_tsd()->rpc_target_info = rpc_target_info; + +-- +2.17.1 diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend new file mode 100644 index 0000000000..a9732e4c9c --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend @@ -0,0 +1,4 @@ +# Include extra headers needed by SPMC tests to TA DEVKIT. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc new file mode 100644 index 0000000000..4dffc46da3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc @@ -0,0 +1,54 @@ +# Include Trusted Services SPs accordingly to defined machine features + +# Please notice that OPTEE will load SPs in the order listed in this file. +# If an SP requires another SP to be already loaded it must be listed lower. + +# TS SPs UUIDs definitions +require recipes-security/trusted-services/ts-uuid.inc + +TS_ENV = "opteesp" +TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin" + +# ITS SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ts-sp-its', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ${TS_BIN}/${ITS_UUID}.stripped.elf', '', d)}" + +# Storage SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ts-sp-storage', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ${TS_BIN}/${STORAGE_UUID}.stripped.elf', '', d)}" + +# Crypto SP. +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ts-sp-crypto', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ${TS_BIN}/${CRYPTO_UUID}.stripped.elf', '', d)}" + +# Attestation SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ts-sp-attestation', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ${TS_BIN}/${ATTESTATION_UUID}.stripped.elf', '', d)}" + +# Env-test SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ts-sp-env-test', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ${TS_BIN}/${ENV_TEST_UUID}.stripped.elf', '', d)}" + +# SE-Proxy SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ts-sp-se-proxy', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ${TS_BIN}/${SE_PROXY_UUID}.stripped.elf', '', d)}" + +# SMM Gateway +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ts-sp-smm-gateway', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc index 73b8c14f7c..057dde25cf 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc @@ -51,4 +51,12 @@ DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" -EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" +# SPM test SPs +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ts-sp-spm-test1 ts-sp-spm-test2 ts-sp-spm-test3', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf', '', d)}" +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend new file mode 100644 index 0000000000..2ff1b83497 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend @@ -0,0 +1,5 @@ +# Include Trusted Services Secure Partitions +require optee-os-ts-3.18.inc + +# Conditionally include platform specific Trusted Services related OPTEE build parameters +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_CORE_HEAP_SIZE=131072 CFG_TEE_BENCHMARK=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_CORE_SEL1_SPMC=y ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend index 09650b9a7a..09650b9a7a 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb index 5f4b066ae3..2fdfbb5a88 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb @@ -7,4 +7,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3.20.0:" SRCREV = "8e74d47616a20eaa23ca692f4bbbf917a236ed94" SRC_URI:append = " \ file://0004-core-Define-section-attributes-for-clang.patch \ + file://0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch \ + file://0006-core-ffa-add-TOS_FW_CONFIG-handling.patch \ + file://0007-core-spmc-handle-non-secure-interrupts.patch \ + file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch \ " diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch new file mode 100644 index 0000000000..e889f74051 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch @@ -0,0 +1,39 @@ +From 7e15470f3dd45c844f0e0901f0c85c46a0882b8b Mon Sep 17 00:00:00 2001 +From: Gabor Toth <gabor.toth2@arm.com> +Date: Fri, 3 Mar 2023 12:23:45 +0100 +Subject: [PATCH 1/2] Update arm_ffa_user driver dependency + +Updating arm-ffa-user to v5.0.1 to get the following changes: + - move to 64 bit direct messages + - add Linux Kernel v6.1 compatibility +The motivation is to update x-test to depend on the same driver +version as TS uefi-test and thus to enable running these in a single +configuration. +Note: arm_ffa_user.h was copied from: + - URL:https://git.gitlab.arm.com/linux-arm/linux-trusted-services.git + - SHA:18e3be71f65a405dfb5d97603ae71b3c11759861 + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth <gabor.toth2@arm.com> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + host/xtest/include/uapi/linux/arm_ffa_user.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/host/xtest/include/uapi/linux/arm_ffa_user.h b/host/xtest/include/uapi/linux/arm_ffa_user.h +index 9ef0be3..0acde4f 100644 +--- a/host/xtest/include/uapi/linux/arm_ffa_user.h ++++ b/host/xtest/include/uapi/linux/arm_ffa_user.h +@@ -33,7 +33,7 @@ struct ffa_ioctl_ep_desc { + * @dst_id: [in] 16-bit ID of destination endpoint. + */ + struct ffa_ioctl_msg_args { +- __u32 args[5]; ++ __u64 args[5]; + __u16 dst_id; + }; + #define FFA_IOC_MSG_SEND _IOWR(FFA_IOC_MAGIC, FFA_IOC_BASE + 1, \ +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch new file mode 100644 index 0000000000..d333e860a7 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch @@ -0,0 +1,163 @@ +From 6734d14cc249af37705129de7874533df9535cd3 Mon Sep 17 00:00:00 2001 +From: Gabor Toth <gabor.toth2@arm.com> +Date: Fri, 3 Mar 2023 12:25:58 +0100 +Subject: [PATCH 2/2] ffa_spmc: Add arm_ffa_user driver compatibility check + +Check the version of the arm_ffa_user Kernel Driver and fail with a +meaningful message if incompatible driver is detected. + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth <gabor.toth2@arm.com> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + host/xtest/ffa_spmc_1000.c | 68 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 61 insertions(+), 7 deletions(-) + +diff --git a/host/xtest/ffa_spmc_1000.c b/host/xtest/ffa_spmc_1000.c +index 15f4a46..1839d03 100644 +--- a/host/xtest/ffa_spmc_1000.c ++++ b/host/xtest/ffa_spmc_1000.c +@@ -1,11 +1,12 @@ + // SPDX-License-Identifier: BSD-3-Clause + /* +- * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved. + */ + #include <fcntl.h> + #include <ffa.h> + #include <stdio.h> + #include <string.h> ++#include <errno.h> + #include <sys/ioctl.h> + #include <unistd.h> + #include "include/uapi/linux/arm_ffa_user.h" +@@ -17,6 +18,10 @@ + #define INCORRECT_ENDPOINT_ID 0xffff + #define NORMAL_WORLD_ENDPOINT_ID 0 + ++#define FFA_USER_REQ_VER_MAJOR 5 ++#define FFA_USER_REQ_VER_MINOR 0 ++#define FFA_USER_REQ_VER_PATCH 1 ++ + /* Get the 32 least significant bits of a handle.*/ + #define MEM_SHARE_HANDLE_LOW(x) ((x) & 0xffffffff) + /* Get the 32 most significant bits of a handle.*/ +@@ -62,6 +67,50 @@ static struct ffa_ioctl_ep_desc test_endpoint3 = { + .uuid_ptr = (uint64_t)test_endpoint3_uuid, + }; + ++static bool check_ffa_user_version(void) ++{ ++ FILE *f = NULL; ++ int ver_major = -1; ++ int ver_minor = -1; ++ int ver_patch = -1; ++ int scan_cnt = 0; ++ ++ f = fopen("/sys/module/arm_ffa_user/version", "r"); ++ if (f) { ++ scan_cnt = fscanf(f, "%d.%d.%d", ++ &ver_major, &ver_minor, &ver_patch); ++ fclose(f); ++ if (scan_cnt != 3) { ++ printf("error: failed to parse arm_ffa_user version\n"); ++ return false; ++ } ++ } else { ++ printf("error: failed to read arm_ffa_user module info - %s\n", ++ strerror(errno)); ++ return false; ++ } ++ ++ if (ver_major != FFA_USER_REQ_VER_MAJOR) ++ goto err; ++ ++ if (ver_minor < FFA_USER_REQ_VER_MINOR) ++ goto err; ++ ++ if (ver_minor == FFA_USER_REQ_VER_MINOR) ++ if (ver_patch < FFA_USER_REQ_VER_PATCH) ++ goto err; ++ ++ return true; ++ ++err: ++ printf("error: Incompatible arm_ffa_user driver detected."); ++ printf("Found v%d.%d.%d wanted >= v%d.%d.%d)\n", ++ ver_major, ver_minor, ver_patch, FFA_USER_REQ_VER_MAJOR, ++ FFA_USER_REQ_VER_MINOR, FFA_USER_REQ_VER_PATCH); ++ ++ return false; ++} ++ + static void close_debugfs(void) + { + int err = 0; +@@ -76,6 +125,9 @@ static void close_debugfs(void) + + static bool init_sp_xtest(ADBG_Case_t *c) + { ++ if (!check_ffa_user_version()) ++ return false; ++ + if (ffa_fd < 0) { + ffa_fd = open(FFA_DRIVER_FS_PATH, O_RDWR); + if (ffa_fd < 0) { +@@ -83,6 +135,7 @@ static bool init_sp_xtest(ADBG_Case_t *c) + return false; + } + } ++ + return true; + } + +@@ -99,7 +152,7 @@ static uint16_t get_endpoint_id(uint64_t endp) + struct ffa_ioctl_ep_desc sid = { .uuid_ptr = endp }; + + /* Get ID of destination SP based on UUID */ +- if(ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) ++ if (ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) + return INCORRECT_ENDPOINT_ID; + + return sid.id; +@@ -213,14 +266,15 @@ static int set_up_mem(struct ffa_ioctl_ep_desc *endp, + rc = share_mem(endpoint, handle); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + +- if (!ADBG_EXPECT_TRUE(c, handle != NULL)) +- return TEEC_ERROR_GENERIC; ++ if (!ADBG_EXPECT_NOT_NULL(c, handle)) ++ return TEEC_ERROR_GENERIC; + + /* SP will retrieve the memory region. */ + memset(args, 0, sizeof(*args)); + args->dst_id = endpoint; + args->args[MEM_SHARE_HANDLE_LOW_INDEX] = MEM_SHARE_HANDLE_LOW(*handle); +- args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = MEM_SHARE_HANDLE_HIGH(*handle); ++ args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = ++ MEM_SHARE_HANDLE_HIGH(*handle); + args->args[MEM_SHARE_HANDLE_ENDPOINT_INDEX] = NORMAL_WORLD_ENDPOINT_ID; + + rc = start_sp_test(endpoint, EP_RETRIEVE, args); +@@ -254,7 +308,7 @@ static void xtest_ffa_spmc_test_1002(ADBG_Case_t *c) + rc = start_sp_test(endpoint1_id, EP_TEST_SP, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK)) +- goto out; ++ goto out; + + /* Set up memory and have the SP retrieve it. */ + Do_ADBG_BeginSubCase(c, "Test memory set-up"); +@@ -469,7 +523,7 @@ static void xtest_ffa_spmc_test_1005(ADBG_Case_t *c) + memset(&args, 0, sizeof(args)); + args.args[1] = endpoint2; + args.args[2] = endpoint3; +- rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI,&args); ++ rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK); + +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend new file mode 100644 index 0000000000..c052774c62 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend @@ -0,0 +1,7 @@ +# Include ffa_spmc test group if the SPMC test is enabled. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}" + +RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' arm-ffa-user', '' , d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb index 95452b6a0d..50f5afe718 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb @@ -1,6 +1,8 @@ require optee-test.inc SRC_URI:append = " \ + file://Update-arm_ffa_user-driver-dependency.patch \ + file://ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch \ file://musl-workaround.patch \ " SRCREV = "5db8ab4c733d5b2f4afac3e9aef0a26634c4b444" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch new file mode 100644 index 0000000000..28e041bce6 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch @@ -0,0 +1,41 @@ +From aca9f9ae26235e9da2bc9adef49f9f5578f3e1e7 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing <Gyorgy.Szing@arm.com> +Date: Tue, 25 Apr 2023 15:03:46 +0000 +Subject: [PATCH 1/1] Limit nanopb build to single process + +Sometimes in yocto the nanopb build step fails. The reason seems +to be a race condition. This fix disables parallel build as +a workaround. + +Upstream-Status: Inappropriate [yocto specific] + +Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> +--- + external/nanopb/nanopb.cmake | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake +index 36465f61..94f8048c 100644 +--- a/external/nanopb/nanopb.cmake ++++ b/external/nanopb/nanopb.cmake +@@ -65,6 +65,8 @@ if(TARGET stdlib::c) + unset_saved_properties(LIBC) + endif() + ++set(_PROCESSOR_COUNT ${PROCESSOR_COUNT}) ++set(PROCESSOR_COUNT 1) + include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) + LazyFetch_MakeAvailable(DEP_NAME nanopb + FETCH_OPTIONS ${GIT_OPTIONS} +@@ -73,6 +75,8 @@ LazyFetch_MakeAvailable(DEP_NAME nanopb + CACHE_FILE "${TS_ROOT}/external/nanopb/nanopb-init-cache.cmake.in" + SOURCE_DIR "${NANOPB_SOURCE_DIR}" + ) ++set(PROCESSOR_COUNT ${_PROCESSOR_COUNT}) ++ + unset(_cmake_fragment) + + if(TARGET stdlib::c) +-- +2.34.1 + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc index dc295506bb..2bb4a8a11f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc @@ -5,8 +5,14 @@ LICENSE = "Apache-2.0 & BSD-3-Clause & BSD-2-Clause & Zlib" SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=integration;name=trusted-services;destsuffix=git/trusted-services \ " -#latest on 12.10.22. -SRCREV_trusted-services = "3d4956770f89eb9ae0a73257901ae6277c078da6" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + +SRC_URI:append = "\ + file://0001-Limit-nanopb-build-to-single-process.patch \ +" + +#Latest on 2023 April 28 +SRCREV="08b3d39471f4914186bd23793dc920e83b0e3197" LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4" S = "${WORKDIR}/git/trusted-services" @@ -17,14 +23,14 @@ SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;des SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81" LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e" -# MbedTLS, tag "mbedtls-3.1.0" +# MbedTLS, tag "mbedtls-3.3.0" SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls" -SRCREV_mbedtls = "d65aeb37349ad1a50e0f6c9b694d4b5290d60e49" +SRCREV_mbedtls = "8c89224991adff88d53cd380f42a2baa36f91454" LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -# Nanopb, tag "nanopb-0.4.6" +# Nanopb, tag "nanopb-0.4.2" SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb" -SRCREV_nanopb = "afc499f9a410fc9bbf6c9c48cdd8d8b199d49eb4" +SRCREV_nanopb = "df0e92f474f9cca704fe2b31483f0b4d1b1715a4" LIC_FILES_CHKSUM += "file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" # qcbor, tag "v1.0.0" @@ -54,15 +60,12 @@ LIC_FILES_CHKSUM += "file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e14135 # TS ships patches for external dependencies that needs to be applied apply_ts_patches() { - for p in ${S}/external/qcbor/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/qcbor < ${p} || true - done - for p in ${S}/external/t_cose/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/tcose < ${p} || true - done - for p in ${S}/external/CppUTest/*.patch; do - patch -p1 -d ${WORKDIR}/git/cpputest < ${p} - done + ( cd ${WORKDIR}/git/qcbor; git stash; git branch -f bf_am; git am ${S}/external/qcbor/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/tcose; git stash; git branch -f bf_am; git am ${S}/external/t_cose/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/mbedtls; git stash; git branch -f bf_am; git am ${S}/external/MbedTLS/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/cpputest; git stash; git apply ${S}/external/CppUTest/*.patch ) + ( cd ${WORKDIR}/git/dtc; git stash; git apply ${S}/external/libfdt/*.patch ) + ( cd ${WORKDIR}/git/nanopb; git stash; git apply ${S}/external/nanopb/*.patch ) } do_patch[postfuncs] += "apply_ts_patches" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb index a9f7b65f09..668bde568f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb @@ -6,6 +6,7 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" DEPENDS += "libts" RDEPENDS:${PN} += "libts" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb index 408c7d3c24..24a724a4fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb @@ -22,9 +22,7 @@ OECMAKE_SOURCEPATH = "${S}/deployments/newlib/${TS_ENV}/" # TS ships a patch that needs to be applied to newlib apply_ts_patch() { - for p in ${S}/external/newlib/*.patch; do - patch -p1 -d ${WORKDIR}/git/newlib < ${p} - done + ( cd ${WORKDIR}/git/newlib; git stash; git branch -f bf_am; git am ${S}/external/newlib/*.patch; git reset bf_am ) } do_patch[postfuncs] += "apply_ts_patch" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc index 41cb0c08bc..8a7b0e5ca2 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc @@ -4,6 +4,8 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" + DEPENDS += "libts" RDEPENDS:${PN} += "libts" @@ -11,7 +13,7 @@ SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protoc file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \ " -SRCREV_psatest = "451aa087a40d02c7d04778235014c5619d126471" +SRCREV_psatest = "38cb53a4d9e292435ddf7899960b15af62decfbe" LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13" EXTRA_OECMAKE += "\ diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb index eef05fe3a9..6cddfb03e0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services attestation service provider" require ts-sp-common.inc SP_UUID = "${ATTESTATION_UUID}" +TS_SP_IAT_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/attestation/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc index 75ddab37d1..3d756015a0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc @@ -17,8 +17,8 @@ do_install:append() { dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE} # We do not need libs and headers - rm -r --one-file-system ${D}${TS_INSTALL}/lib - rm -r --one-file-system ${D}${TS_INSTALL}/include + rm -rf --one-file-system ${D}${TS_INSTALL}/lib + rm -rf --one-file-system ${D}${TS_INSTALL}/include } # Use Yocto debug prefix maps for compiling assembler. diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb index 77a28557cb..867e4a8179 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb @@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services crypto service provider" require ts-sp-common.inc SP_UUID = "${CRYPTO_UUID}" +TS_SP_CRYPTO_CONFIG ?= "default" -DEPENDS += "python3-protobuf-native" +DEPENDS += "python3-protobuf-native python3-jsonschema-native python3-jinja2-native" -OECMAKE_SOURCEPATH="${S}/deployments/crypto/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb index 040fd4d159..5551a4deba 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb @@ -6,5 +6,6 @@ require ts-sp-common.inc COMPATIBLE_MACHINE ?= "invalid" SP_UUID = "${ENV_TEST_UUID}" +TS_SP_ENVTEST_CONFIG ?= "baremetal-fvp_base_revc" -OECMAKE_SOURCEPATH="${S}/deployments/env-test/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/env-test/config/${TS_SP_ENVTEST_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb index 4eb5dc5e5c..5472dbdae3 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services internal secure storage service provider" require ts-sp-common.inc SP_UUID = "${ITS_UUID}" +TS_SP_ITS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb index b9246418e9..26781434fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb @@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services proxy service providers" require ts-sp-common.inc SP_UUID = "${SE_PROXY_UUID}" +TS_SP_SE_PROXY_CONFIG ?= "default" DEPENDS += "python3-protobuf-native" -OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb index 06ca6bd116..752f7fe708 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services service provider for UEFI SMM services" require ts-sp-common.inc SP_UUID = "${SMM_GATEWAY_UUID}" +TS_SP_SMM_GATEWAY_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc new file mode 100644 index 0000000000..e357629b0f --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc @@ -0,0 +1,7 @@ +DESCRIPTION = "Trusted Services SPMC test SPs" + +require ts-sp-common.inc + +SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}" +SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts" +OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb new file mode 100644 index 0000000000..4cbb970b27 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb @@ -0,0 +1,5 @@ +DESCRIPTION = "Trusted Services SPMC test SP1" + +SP_INDEX="1" + +require ts-sp-spm-test-common.inc diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb new file mode 100644 index 0000000000..e6fb822b80 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP2" + +SP_INDEX="2" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb new file mode 100644 index 0000000000..ad3ee76ebe --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP3" + +SP_INDEX="3" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb index c893754650..5b2f47b3f6 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services secure storage service provider" require ts-sp-common.inc SP_UUID = "${STORAGE_UUID}" +TS_SP_PS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc index 7a39f733e8..c18ec5d7f8 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc @@ -7,3 +7,6 @@ ITS_UUID = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14" SE_PROXY_UUID = "46bb39d1-b4d9-45b5-88ff-040027dab249" SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7" STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790" +SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37" +SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a" +SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6"
\ No newline at end of file diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb index e70edef271..f0ff24f376 100644 --- a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb @@ -11,16 +11,25 @@ inherit autotools gettext pkgconfig python3native features_check REQUIRED_DISTRO_FEATURES = "gobject-introspection-data" -DEPENDS = "cups glib-2.0 libusb xmlto-native intltool-native desktop-file-utils-native" +DEPENDS = "cups glib-2.0 libusb xmlto-native desktop-file-utils-native autoconf-archive-native" PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" -PACKAGECONFIG[systemd] = ",,systemd" +PACKAGECONFIG[systemd] = ",--without-systemdsystemunitdir,systemd" do_configure:prepend() { # This file is not provided if fetching from git but required for configure touch ${S}/ChangeLog } +do_install:append() { + for f in __init__.cpython-311.pyc cupshelpers.cpython-311.pyc \ + config.cpython-311.pyc ppds.cpython-311.pyc \ + installdriver.cpython-311.pyc openprinting.cpython-311.pyc \ + xmldriverprefs.cpython-311.pyc; do + rm -rf ${D}${PYTHON_SITEPACKAGES_DIR}/cupshelpers/__pycache__/$f + done +} + FILES:${PN} += "${libdir} ${datadir}" RDEPENDS:${PN} = " \ diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb index 242495e941..ce094d5afb 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb @@ -23,7 +23,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" SECTION = "libs" S = "${WORKDIR}/git" -SRCREV = "89f040a5c938985c5f30728baed21e49d0846a53" +SRCREV = "981743de6fcdbe672e482b6fd724d31d0a0d2476" SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28 \ file://run-ptest \ " @@ -62,6 +62,12 @@ CVE_CHECK_IGNORE += "CVE-2021-43666" # Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c CVE_CHECK_IGNORE += "CVE-2021-45451" +# Strip host paths from autogenerated test files +do_compile:append() { + sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : + sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || : +} + # Export source files/headers needed by Arm Trusted Firmware sysroot_stage_all:append() { sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library" diff --git a/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch new file mode 100644 index 0000000000..e8c3f1d84b --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch @@ -0,0 +1,53 @@ +From 4133a888aa256312186962ab70d4a36eed5920c1 Mon Sep 17 00:00:00 2001 +From: Brooks Davis <brooks@FreeBSD.org> +Date: Mon, 26 Sep 2022 18:56:51 +0100 +Subject: [PATCH] telnetd: fix two-byte input crash + +Move initialization of the slc table earlier so it doesn't get +accessed before that happens. + +For details on the issue, see: +https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html + +Reviewed by: cy +Obtained from: NetBSD via cy +Differential Revision: https://reviews.freebsd.org/D36680 + +CVE: CVE-2022-39028 +Upstream-Status: Backport [https://cgit.freebsd.org/src/commit/?id=6914ffef4e23] + +(cherry picked from commit 6914ffef4e2318ca1d0ead28eafb6f06055ce0f8) +Signed-off-by: Sanjay Chitroda <sanjay.chitroda@einfochips.com> + +--- + telnetd/telnetd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c +index f36f505..efa0fe1 100644 +--- a/telnetd/telnetd.c ++++ b/telnetd/telnetd.c +@@ -615,6 +615,11 @@ doit(struct sockaddr_in *who) + int level; + char user_name[256]; + ++ /* ++ * Initialize the slc mapping table. ++ */ ++ get_slc_defaults(); ++ + /* + * Find an available pty to use. + */ +@@ -698,11 +703,6 @@ void telnet(int f, int p) + char *HE; + const char *IM; + +- /* +- * Initialize the slc mapping table. +- */ +- get_slc_defaults(); +- + /* + * Do some tests where it is desireable to wait for a response. + * Rather than doing them slowly, one at a time, do them all diff --git a/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index e28eeae491..d3de038d16 100644 --- a/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb @@ -16,6 +16,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/netkit-telnet_${PV}.orig.tar.gz file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \ file://0001-utility-Include-time.h-form-time-and-strftime-protot.patch \ file://0001-Drop-using-register-keyword.patch \ + file://CVE-2022-39028.patch \ " UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/" diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch b/meta-openembedded/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch new file mode 100644 index 0000000000..4a8a7e1afd --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch @@ -0,0 +1,54 @@ +From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001 +From: harryreps <harryreps@gmail.com> +Date: Fri, 3 Mar 2023 23:17:14 +0000 +Subject: [PATCH] babeld: fix #11808 to avoid infinite loops + +Replacing continue in loops to goto done so that index of packet buffer +increases. + +Signed-off-by: harryreps <harryreps@gmail.com> + +CVE: CVE-2023-3748 + +Upstream-Status: Backport +[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + babeld/message.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/babeld/message.c b/babeld/message.c +index 7d45d91bf..2bf233796 100644 +--- a/babeld/message.c ++++ b/babeld/message.c +@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, + debugf(BABEL_DEBUG_COMMON, + "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring", + format_address(from), ifp->name); +- continue; ++ goto done; + } + + /* +@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, + debugf(BABEL_DEBUG_COMMON, + "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet", + format_address(from), ifp->name); +- continue; ++ goto done; + } + + DO_NTOHS(seqno, message + 4); +@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, + debugf(BABEL_DEBUG_COMMON, + "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0", + format_address(from), ifp->name); +- continue; ++ goto done; + } + + changed = update_neighbour(neigh, seqno, interval); +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb index 9669260945..f32b52f331 100644 --- a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb +++ b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb @@ -12,9 +12,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \ file://frr.pam \ file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \ + file://CVE-2023-3748.patch \ " -SRCREV = "62ac43de9f3bc470586cf4f51fadf013bf542b32" +SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d" UPSTREAM_CHECK_GITTAGREGEX = "frr-(?P<pver>\d+(\.\d+)+)$" diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch new file mode 100644 index 0000000000..170dddf688 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch @@ -0,0 +1,163 @@ +From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwolfe@vmware.com> +Date: Mon, 8 May 2023 19:04:57 -0700 +Subject: [PATCH] Remove some dead code. + +Address CVE-2023-20867. +Remove some authentication types which were deprecated long +ago and are no longer in use. These are dead code. + +CVE: CVE-2023-20867 + +Upstream-Status: Backport +[https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + open-vm-tools/services/plugins/vix/vixTools.c | 102 -------------------------- + 1 file changed, 102 deletions(-) + +diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c +index 9f376a7..85c5ba7 100644 +--- a/open-vm-tools/services/plugins/vix/vixTools.c ++++ b/open-vm-tools/services/plugins/vix/vixTools.c +@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL; + #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication" + #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents" + +-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE +- + /* + * The switch that controls all APIs + */ +@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate( + + void GuestAuthUnimpersonate(); + +-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, +- const char *typeName); +- + #if SUPPORT_VGAUTH + + VGAuthError TheVGAuthContext(VGAuthContext **ctx); +@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN + userToken); + break; + } +- case VIX_USER_CREDENTIAL_ROOT: +- { +- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) && +- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef, +- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) { +- /* +- * Don't accept hashed shared secret if disabled. +- */ +- g_message("%s: Requested authentication type has been disabled.\n", +- __FUNCTION__); +- err = VIX_E_GUEST_AUTHTYPE_DISABLED; +- goto done; +- } +- } +- // fall through +- +- case VIX_USER_CREDENTIAL_CONSOLE_USER: +- err = VixToolsImpersonateUserImplEx(NULL, +- credentialType, +- NULL, +- loadUserProfile, +- userToken); +- break; + case VIX_USER_CREDENTIAL_NAME_PASSWORD: + case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED: + case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER: +@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN + } + + /* +- * If the VMX asks to be root, then we allow them. +- * The VMX will make sure that only it will pass this value in, +- * and only when the VM and host are configured to allow this. +- */ +- if ((VIX_USER_CREDENTIAL_ROOT == credentialType) +- && (thisProcessRunsAsRoot)) { +- *userToken = PROCESS_CREATOR_USER_TOKEN; +- +- gImpersonatedUsername = Util_SafeStrdup("_ROOT_"); +- err = VIX_OK; +- goto quit; +- } +- +- /* +- * If the VMX asks to be root, then we allow them. +- * The VMX will make sure that only it will pass this value in, +- * and only when the VM and host are configured to allow this. +- * +- * XXX This has been deprecated XXX +- */ +- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType) +- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) { +- *userToken = PROCESS_CREATOR_USER_TOKEN; +- +- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_"); +- err = VIX_OK; +- goto quit; +- } +- +- /* + * If the VMX asks us to run commands in the context of the current + * user, make sure that the user who requested the command is the + * same as the current user. +@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN + /* + *----------------------------------------------------------------------------- + * +- * VixToolsCheckIfAuthenticationTypeEnabled -- +- * +- * Checks to see if a given authentication type has been +- * disabled via the tools configuration. +- * +- * Return value: +- * TRUE if enabled, FALSE otherwise. +- * +- * Side effects: +- * None +- * +- *----------------------------------------------------------------------------- +- */ +- +-static Bool +-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN +- const char *typeName) // IN +-{ +- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled +- gboolean disabled; +- +- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName), +- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled", +- typeName); +- +- ASSERT(confDictRef != NULL); +- +- /* +- * XXX Skip doing the strcmp() to verify the auth type since we only +- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default +- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT. +- */ +- disabled = VMTools_ConfigGetBoolean(confDictRef, +- VIX_TOOLS_CONFIG_API_GROUPNAME, +- authnDisabledName, +- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT); +- +- return !disabled; +-} +- +- +-/* +- *----------------------------------------------------------------------------- +- * + * VixTools_ProcessVixCommand -- + * + * +-- +2.6.2 + diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb index d389d2450c..e12e4be7f8 100644 --- a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb +++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb @@ -43,6 +43,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=stabl file://0012-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0013-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \ file://0001-timeSync-Portable-way-to-print-64bit-time_t.patch;patchdir=.. \ + file://CVE-2023-20867.patch;patchdir=.. \ " UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.3.bb b/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb index 03f1b76f97..803a9bb5f5 100644 --- a/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.3.bb +++ b/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb @@ -26,7 +26,7 @@ SRC_URI = " \ file://run-ptest \ " -SRC_URI[sha256sum] = "ad75a6ed3dc0d9732945b2e5483cb41dc8b4b528a169315e499c6861952e73b3" +SRC_URI[sha256sum] = "0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea" UPSTREAM_CHECK_REGEX = "tcpdump-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay/0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay/0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch new file mode 100644 index 0000000000..709d2cccbc --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay/0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch @@ -0,0 +1,82 @@ +From 5f8c78362b3b1e06f5adff2d4b140509c4799894 Mon Sep 17 00:00:00 2001 +From: Martin Jansa <Martin.Jansa@gmail.com> +Date: Sun, 3 Sep 2023 12:31:59 +0200 +Subject: [PATCH] configure.ac: unify search dirs for pcap and add lib32 + +* add lib32 because when building lib32-tcpreplay it's + impossible to set --with-libpcap so that it would find + both include files as well as the library in lib32 directory + +* maybe it would be beneficial to split --with-libpcap + into --with-libpcap-includedir --with-libpcap-libdir as this + already searches in the --with-libpcap value with and + without any "lib" prefix, but include files always expect + "include" dir there + +* most of this code was added in: + https://github.com/appneta/tcpreplay/commit/202b8e82f9fd3c84ce5804577caeb36a33baabe7#diff-49473dca262eeab3b4a43002adb08b4db31020d190caaad1594b47f1d5daa810R570 + +* then search for + ${host_cpu} lib/${host_cpu} (without -${host_os} suffix) + and ${build_arch}-${host_os} lib/${build_arch}-${host_os} + was added, but only for search of dynamic library in: + https://github.com/appneta/tcpreplay/commit/c3d5236563985a99f8bb02c3f1bd6950e3929047 + +* ${build_arch}-${host_os} lib/${build_arch}-${host_os} + was later replaced with: + lib/${MULTIARCH} ${MULTIARCH} + and it was added to static library search as well + + but for dynamic library it was searching in reversed order: + ${MULTIARCH} lib/${MULTIARCH} + https://github.com/appneta/tcpreplay/commit/ed9e3a818bde04813144014561e62f018c9eb85f + + I don't think this reversed order was intentional, just unify all 4 cases + to use the same directories in the same order + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +Upstream-Status: Submitted [https://github.com/appneta/tcpreplay/pull/819] +--- + configure.ac | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 387219de..26ba31a5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -671,7 +671,7 @@ AC_ARG_WITH(libpcap, + LPCAPINCDIR=${testdir} + if test $dynamic_link = yes; then + for ext in .dylib .so .tbd ; do +- for dir in . lib lib64 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do ++ for dir in . lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + sharefile=$(ls ${testdir}/$dir/libpcap${ext}* 2> /dev/null | sort | head -n1) + if test -n "${sharefile}"; then + LPCAP_LD_LIBRARY_PATH="$(dirname ${sharefile})" +@@ -690,7 +690,7 @@ AC_ARG_WITH(libpcap, + dnl If dynamic library not found, try static + dnl + for ext in ${libext} .a .A.tbd ; do +- for dir in . lib lib64 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do ++ for dir in . lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + staticfile=$(ls ${testdir}/$dir/libpcap${ext} 2> /dev/null | sort | head -n1) + if test -n "${staticfile}"; then + LPCAPLIB="${staticfile}" +@@ -771,7 +771,7 @@ AC_ARG_WITH(libpcap, + LPCAPINCDIR="${testdir}/include" + if test $dynamic_link = yes; then + for ext in .dylib .so .tbd; do +- for dir in . lib lib64 ${host_cpu} lib/${host_cpu} ${host_cpu}-${host_os} lib/${host_cpu}-${host_os} ${MULTIARCH} lib/${MULTIARCH}; do ++ for dir in . lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + sharefile=$(ls "${testdir}/$dir/libpcap${ext}" 2> /dev/null | sort | head -n1) + if test -n "${sharefile}"; then + LPCAPLIB="-L$(dirname ${sharefile}) -lpcap" +@@ -790,7 +790,7 @@ AC_ARG_WITH(libpcap, + dnl If dynamic library not found, try static + dnl + for ext in ${libext} .a .A.tbd ; do +- for dir in . lib lib64 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do ++ for dir in . lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + staticfile=$(ls "${testdir}/$dir/libpcap${ext}" 2> /dev/null | sort | head -n1) + if test -n "${staticfile}"; then + LPCAPLIB="${staticfile}" diff --git a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb index d461c8d3dc..53f17c9619 100644 --- a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb +++ b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb @@ -7,17 +7,18 @@ SECTION = "net" LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=10f0474a2f0e5dccfca20f69d6598ad8" -SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \ - file://0001-libopts.m4-set-POSIX_SHELL-to-bin-sh.patch \ - " +SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ + file://0001-libopts.m4-set-POSIX_SHELL-to-bin-sh.patch \ + file://0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch \ +" -SRC_URI[sha256sum] = "216331692e10c12d7f257945e777928d79bd091117f3e4ffb5b312eb2ca0bf7c" +SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf" UPSTREAM_CHECK_URI = "https://github.com/appneta/tcpreplay/releases" DEPENDS = "libpcap" -EXTRA_OECONF += "--with-libpcap=${STAGING_DIR_HOST}/usr" +EXTRA_OECONF += "--with-libpcap=${STAGING_DIR_HOST}${prefix}" inherit siteinfo autotools-brokensep diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch new file mode 100644 index 0000000000..7732916826 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch @@ -0,0 +1,122 @@ +From 265cbf15a418b629c3c8f02c0ba901913b1c8fd2 Mon Sep 17 00:00:00 2001 +From: Gerald Combs <gerald@wireshark.org> +Date: Thu, 18 May 2023 13:52:48 -0700 +Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes + +Use the proper dest_size in various g_strlcpy calls. + +Fixes #19085 + +(cherry picked from commit 28fdce547c417b868c521f87fb58f71ca6b1e3f7) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/265cbf15a418b629c3c8f02c0ba901913b1c8fd2] +CVE: CVE-2023-0666 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-rtps.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c +index 5c2d1c1..ef592d7 100644 +--- a/epan/dissectors/packet-rtps.c ++++ b/epan/dissectors/packet-rtps.c +@@ -3025,7 +3025,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + ++tk_id; + } + +- g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40); ++ g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name)); + + /* Structure of the typecode data: + * +@@ -3196,7 +3196,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + member_name, -1, NULL, ndds_40_hack); + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + + } /* end of case UNION */ +@@ -3367,7 +3367,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + } + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + } + +@@ -3459,7 +3459,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + offset += 4; + alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII); + offset += alias_name_length; +- g_strlcpy(type_name, alias_name, 40); ++ g_strlcpy(type_name, alias_name, sizeof(type_name)); + break; + } + +@@ -3494,7 +3494,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + if (tk_id == RTI_CDR_TK_VALUE_PARAM) { + type_id_name = "valueparam"; + } +- g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name); ++ g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name); + break; + } + } /* switch(tk_id) */ +@@ -3673,7 +3673,7 @@ static gint rtps_util_add_type_library_type(proto_tree *tree, + long_number = tvb_get_guint32(tvb, offset_tmp, encoding); + name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII); + if (info) +- g_strlcpy(info->member_name, name, long_number); ++ g_strlcpy(info->member_name, name, sizeof(info->member_name)); + + proto_item_append_text(tree, " %s", name); + offset += member_length; +@@ -3848,13 +3848,13 @@ static gint rtps_util_add_type_member(proto_tree *tree, + proto_item_append_text(tree, " %s (ID: %d)", name, member_id); + if (member_object) { + member_object->member_id = member_id; +- g_strlcpy(member_object->member_name, name, long_number < 256 ? long_number : 256); ++ g_strlcpy(member_object->member_name, name, sizeof(member_object->member_name)); + member_object->type_id = member_type_id; + } + if (info && info->extensibility == EXTENSIBILITY_MUTABLE) { + mutable_member_mapping * mutable_mapping = NULL; + mutable_mapping = wmem_new(wmem_file_scope(), mutable_member_mapping); +- g_strlcpy(mutable_mapping->member_name, name, long_number < 256 ? long_number : 256); ++ g_strlcpy(mutable_mapping->member_name, name, sizeof(mutable_mapping->member_name)); + mutable_mapping->struct_type_id = info->type_id; + mutable_mapping->member_type_id = member_type_id; + mutable_mapping->member_id = member_id; +@@ -3909,7 +3909,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = HASHMAP_DISCRIMINATOR_CONSTANT; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -3922,7 +3922,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = -1; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -3942,7 +3942,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + ti = proto_tree_add_item(labels, hf_rtps_type_object_union_label, tvb, offset_tmp, 4, encoding); + offset_tmp += 4; + +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = discriminator_case; + mapping->union_type_id = union_type_id + discriminator_case; +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch new file mode 100644 index 0000000000..cd07395aac --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch @@ -0,0 +1,66 @@ +From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 18 May 2023 18:06:36 -0400 +Subject: [PATCH] MS-MMS: Use format_text_string() + +The length of a string transcoded from UTF-16 to UTF-8 can be +shorter (or longer) than the original length in bytes in the packet. +Use the new string length, not the original length. + +Use format_text_string, which is a convenience function that +calls strlen. + +Fix #19086 + +(cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a] +CVE: CVE-2023-0667 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-ms-mms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c +index f4dbcd0..092a64b 100644 +--- a/epan/dissectors/packet-ms-mms.c ++++ b/epan/dissectors/packet-ms-mms.c +@@ -740,7 +740,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro + transport_info, "Transport: (%s)", transport_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20)); ++ format_text_string(pinfo->pool, (const guchar*)transport_info)); + + + /* Try to extract details from this string */ +@@ -837,7 +837,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')", +- format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version))); ++ format_text_string(pinfo->pool, (const guchar*)server_version)); + } + offset += (server_version_length*2); + +@@ -891,7 +891,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_ + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info))); ++ format_text_string(pinfo->pool, (const guchar*)player_info)); + } + + /* Dissect info about where client wants to start playing from */ +@@ -966,7 +966,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file))); ++ format_text_string(pinfo->pool, (const guchar*)server_file)); + } + + /* Dissect media details from server */ +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch new file mode 100644 index 0000000000..0009939330 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch @@ -0,0 +1,33 @@ +From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 20 May 2023 23:08:08 -0400 +Subject: [PATCH] synphasor: Use val_to_str_const + +Don't use a value from packet data to directly index a value_string, +particularly when the value string doesn't cover all possible values. + +Fix #19087 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9] +CVE: CVE-2023-0668 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-synphasor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c +index 12b388b..fbde875 100644 +--- a/epan/dissectors/packet-synphasor.c ++++ b/epan/dissectors/packet-synphasor.c +@@ -1212,7 +1212,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c + + data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, + ett_conf_phflags, NULL, "Phasor Data flags: %s", +- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); ++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); + + /* first and second bytes - phasor modification flags*/ + phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..b4718f4607 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch @@ -0,0 +1,108 @@ +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb] +CVE: CVE-2023-2855 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/candump.c | 39 +++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 0def7bc..3f7c2b2 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + canfd_frame_t canfd_frame = {0}; + ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. ++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + can_frame_t can_frame = {0}; + ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); +@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + /* +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..863421f986 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch @@ -0,0 +1,69 @@ +From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] +CVE: CVE-2023-2856 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 0aa83ea..5f5fdbb 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..7174e9155c --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch @@ -0,0 +1,95 @@ +From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105] +CVE: CVE-2023-2858 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 01a7f6d..4fa020b 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1091,13 +1091,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info) + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1162,6 +1162,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1175,6 +1177,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1192,6 +1196,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1475,14 +1481,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +@@ -1589,7 +1595,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch new file mode 100644 index 0000000000..0a8247923e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch @@ -0,0 +1,37 @@ +From 118815ca7c9f82c1f83f8f64d9e0e54673f31677 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 13 May 2023 21:45:16 -0400 +Subject: [PATCH] GDSDB: Make sure our offset advances. + +add_uint_string() returns the next offset to use, not the number +of bytes consumed. So to consume all the bytes and make sure the +offset advances, return the entire reported tvb length, not the +number of bytes remaining. + +Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f +Fixes #19068 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677] +CVE: CVE-2023-2879 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-gdsdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c +index 75bcfb9..950d68f 100644 +--- a/epan/dissectors/packet-gdsdb.c ++++ b/epan/dissectors/packet-gdsdb.c +@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o + int ret_offset = offset + length; + if (length < 4 || ret_offset < offset) { + expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length); +- return tvb_reported_length_remaining(tvb, offset); ++ return tvb_reported_length(tvb); + } + return ret_offset; + } +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch new file mode 100644 index 0000000000..41b02bb3fa --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch @@ -0,0 +1,98 @@ +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001 +From: Gerald Combs <gerald@wireshark.org> +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5] +CVE: CVE-2023-2952 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index 68a8e72..6c7ab74 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + if(packet_start_pointer_field_present) { + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer); + +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + while (docsis_start + 6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + docsis_start += 1; + continue; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { +- guint16 offset = 0; ++ int offset = 0; + proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index 693a167938..0255591934 100644 --- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb @@ -16,6 +16,14 @@ SRC_URI += " \ file://0003-bison-Remove-line-directives.patch \ file://0004-lemon-Remove-line-directives.patch \ file://CVE-2022-3190.patch \ + file://CVE-2023-2855.patch \ + file://CVE-2023-2856.patch \ + file://CVE-2023-2858.patch \ + file://CVE-2023-2879.patch \ + file://CVE-2023-2952.patch \ + file://CVE-2023-0666.patch \ + file://CVE-2023-0667.patch \ + file://CVE-2023-0668.patch \ " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" diff --git a/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass b/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass index 69e24cbb79..68c5dbaa14 100644 --- a/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass +++ b/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass @@ -8,9 +8,11 @@ inherit image_types SPARSE_BLOCK_SIZE ??= "4096" CONVERSIONTYPES += "sparse" -CONVERSION_CMD:sparse() { - INPUT="${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}" - truncate --no-create --size=%${SPARSE_BLOCK_SIZE} "$INPUT" - img2simg -s "$INPUT" "$INPUT.sparse" ${SPARSE_BLOCK_SIZE} -} + +CONVERSION_CMD:sparse = " \ + INPUT="${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"; \ + truncate --no-create --size=%${SPARSE_BLOCK_SIZE} "$INPUT"; \ + img2simg -s "$INPUT" "$INPUT.sparse" ${SPARSE_BLOCK_SIZE}; \ + " + CONVERSION_DEPENDS_sparse = "android-tools-native" diff --git a/meta-openembedded/meta-oe/conf/layer.conf b/meta-openembedded/meta-oe/conf/layer.conf index b17add6f74..923b722b3c 100644 --- a/meta-openembedded/meta-oe/conf/layer.conf +++ b/meta-openembedded/meta-oe/conf/layer.conf @@ -111,4 +111,4 @@ SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ DEFAULT_TEST_SUITES:pn-meta-oe-ptest-image = " ${PTESTTESTSUITE}" -NON_MULTILIB_RECIPES:append = " crash" +NON_MULTILIB_RECIPES:append = " crash pahole" diff --git a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 550fbc30d3..61f3c2df52 100644 --- a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb @@ -94,6 +94,7 @@ EXTRA_OESCONS = "PREFIX=${prefix} \ --use-system-zlib \ --nostrip \ --endian=${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'little', 'big', d)} \ + --use-hardware-crc32=${@bb.utils.contains('TUNE_FEATURES', 'crc', 'on', 'off', d)} \ --wiredtiger='${WIREDTIGER}' \ --separate-debug \ ${PACKAGECONFIG_CONFARGS}" diff --git a/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.13.bb b/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb index 62a95b303c..d181eb3b02 100644 --- a/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.13.bb +++ b/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb @@ -18,7 +18,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0001-configure.ac-check-for-CPP-prog.patch \ " -SRCREV = "f48e7fa92b8932814f3d92f36986d51be9efe6e0" +SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb b/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb index f821cdaf4a..aba5ab5878 100644 --- a/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb +++ b/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb @@ -151,12 +151,13 @@ RRECOMMENDS:${PN}-fancontrol = "lmsensors-config-fancontrol" # sensors-detect script files FILES:${PN}-sensorsdetect = "${sbindir}/sensors-detect" FILES:${PN}-sensorsdetect-doc = "${mandir}/man8/sensors-detect.8" -RDEPENDS:${PN}-sensorsdetect = "${PN}-sensors perl perl-modules" +RDEPENDS:${PN}-sensorsdetect = "${PN}-sensors perl perl-module-fcntl perl-module-file-basename \ + perl-module-strict perl-module-constant" # sensors-conf-convert script files FILES:${PN}-sensorsconfconvert = "${bindir}/sensors-conf-convert" FILES:${PN}-sensorsconfconvert-doc = "${mandir}/man8/sensors-conf-convert.8" -RDEPENDS:${PN}-sensorsconfconvert = "${PN}-sensors perl perl-modules" +RDEPENDS:${PN}-sensorsconfconvert = "${PN}-sensors perl perl-module-strict perl-module-vars" # pwmconfig script files FILES:${PN}-pwmconfig = "${sbindir}/pwmconfig" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch new file mode 100644 index 0000000000..160c090bce --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch @@ -0,0 +1,68 @@ +From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 21 Aug 2023 03:08:15 +0000 +Subject: [PATCH] Ensure array count consistency in kadm5 RPC + +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the +key_data array count when decoding. Otherwise when the structure is +later freed, xdr_array() could iterate over the wrong number of +elements, either leaking some memory or freeing uninitialized +pointers. Reported by Robert Morris. + +CVE: CVE-2023-36054 + +An authenticated attacker can cause a kadmind process to crash by +freeing uninitialized pointers. Remote code execution is unlikely. +An attacker with control of a kadmin server can cause a kadmin client +to crash by freeing uninitialized pointers. + +ticket: 9099 (new) +tags: pullup +target_version: 1.21-next +target_version: 1.20-next + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2892d41..94b1ce8 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + int v) + { + unsigned int n; ++ bool_t r; + + if (!xdr_krb5_principal(xdrs, &objp->principal)) { + return (FALSE); +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { + return (FALSE); + } ++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { ++ return (FALSE); ++ } + if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { + return (FALSE); + } +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + return FALSE; + } + n = objp->n_key_data; +- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, +- &n, ~0, sizeof(krb5_key_data), +- xdr_krb5_key_data_nocontents)) { ++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb index 10fff11c25..e353b58aa1 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb @@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://CVE-2023-36054.patch;striplevel=2 \ " SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686" SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch new file mode 100644 index 0000000000..dfd1f98759 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch @@ -0,0 +1,131 @@ +CVE: CVE-2023-35789 +Upstream-Status: Backport [ https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +From 463054383fbeef889b409a7f843df5365288e2a0 Mon Sep 17 00:00:00 2001 +From: Christian Kastner <ckk@kvr.at> +Date: Tue, 13 Jun 2023 14:21:52 +0200 +Subject: [PATCH] Add option to read username/password from file (#781) + +* Add option to read username/password from file +--- + tools/common.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 66 insertions(+) + +diff --git a/tools/common.c b/tools/common.c +index 73b47e25..7efe557b 100644 +--- a/tools/common.c ++++ b/tools/common.c +@@ -18,6 +18,11 @@ + #include "compat.h" + #endif + ++/* For when reading auth data from a file */ ++#define MAXAUTHTOKENLEN 128 ++#define USERNAMEPREFIX "username:" ++#define PASSWORDPREFIX "password:" ++ + void die(const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); +@@ -125,6 +130,7 @@ static char *amqp_vhost; + static char *amqp_username; + static char *amqp_password; + static int amqp_heartbeat = 0; ++static char *amqp_authfile; + #ifdef WITH_SSL + static int amqp_ssl = 0; + static char *amqp_cacert = "/etc/ssl/certs/cacert.pem"; +@@ -147,6 +153,8 @@ struct poptOption connect_options[] = { + "the password to login with", "password"}, + {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0, + "heartbeat interval, set to 0 to disable", "heartbeat"}, ++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0, ++ "path to file containing username/password for authentication", "file"}, + #ifdef WITH_SSL + {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL}, + {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0, +@@ -158,6 +166,50 @@ struct poptOption connect_options[] = { + #endif /* WITH_SSL */ + {NULL, '\0', 0, NULL, 0, NULL, NULL}}; + ++void read_authfile(const char *path) { ++ size_t n; ++ FILE *fp = NULL; ++ char token[MAXAUTHTOKENLEN]; ++ ++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL || ++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) { ++ die("Out of memory"); ++ } else if ((fp = fopen(path, "r")) == NULL) { ++ die("Could not read auth data file %s", path); ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) { ++ die("Malformed auth file (missing username)"); ++ } ++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_username); ++ if (amqp_username[n - 1] != '\n') { ++ die("Username too long"); ++ } else { ++ amqp_username[n - 1] = '\0'; ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) { ++ die("Malformed auth file (missing password)"); ++ } ++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_password); ++ if (amqp_password[n - 1] != '\n') { ++ die("Password too long"); ++ } else { ++ amqp_password[n - 1] = '\0'; ++ } ++ ++ (void)fgetc(fp); ++ if (!feof(fp)) { ++ die("Malformed auth file (trailing data)"); ++ } ++} ++ + static void init_connection_info(struct amqp_connection_info *ci) { + ci->user = NULL; + ci->password = NULL; +@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) { + if (amqp_username) { + if (amqp_url) { + die("--username and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--username and --authfile options cannot be used at the same time"); + } + + ci->user = amqp_username; +@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) { + if (amqp_password) { + if (amqp_url) { + die("--password and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--password and --authfile options cannot be used at the same time"); + } + + ci->password = amqp_password; + } + ++ if (amqp_authfile) { ++ if (amqp_url) { ++ die("--authfile and --url options cannot be used at the same time"); ++ } ++ ++ read_authfile(amqp_authfile); ++ ci->user = amqp_username; ++ ci->password = amqp_password; ++ } ++ + if (amqp_vhost) { + if (amqp_url) { + die("--vhost and --url options cannot be used at the same time"); diff --git a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb index f9c2b2c8a9..ea80ec3344 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb @@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c" LIC_FILES_CHKSUM = "file://LICENSE;md5=7e12f6e40e662e039e2f02b4893011ec" LICENSE = "MIT" -SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https" +SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https \ + file://CVE-2023-35789.patch \ +" # v0.13.0-master SRCREV = "974d71adceae6d742ae20a4c880d99c131f1460a" diff --git a/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb b/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb index 6c1112038c..28b1279390 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=aabe87591cb8ae0f3c68be6977bb5522 \ file://COPYING.LGPL;md5=252890d9eee26aab7b432e8b8a616475" DEPENDS = "gtk+3 glib-2.0 libxml2 intltool-native \ gnome-common-native \ + autoconf-archive-native \ " inherit features_check autotools pkgconfig gnomebase gobject-introspection mime-xdg diff --git a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch new file mode 100644 index 0000000000..4488df172f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch @@ -0,0 +1,224 @@ +From b3c105c59dfb7d932b36b0d9ac7ab62875ab23e8 Mon Sep 17 00:00:00 2001 +From: AJ Heller <hork@google.com> +Date: Wed, 12 Jul 2023 18:42:09 -0700 +Subject: [PATCH] [backport][iomgr][EventEngine] Improve server handling of + file descriptor exhaustion (#33672) + +Backport of #33656 + +CVE: CVE-2023-33953 + +Upstream-Status: Backport [1e86ca5834b94cae7d5e6d219056c0fc895cf95d] +The patch is backported with tweaks to fit 1.50.1. + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + .../event_engine/posix_engine/posix_engine.h | 1 + + src/core/lib/iomgr/tcp_server_posix.cc | 51 ++++++++++++++----- + src/core/lib/iomgr/tcp_server_utils_posix.h | 14 ++++- + .../iomgr/tcp_server_utils_posix_common.cc | 22 ++++++++ + 4 files changed, 73 insertions(+), 15 deletions(-) + +diff --git a/src/core/lib/event_engine/posix_engine/posix_engine.h b/src/core/lib/event_engine/posix_engine/posix_engine.h +index eac6dfb4c5..866c04bcfa 100644 +--- a/src/core/lib/event_engine/posix_engine/posix_engine.h ++++ b/src/core/lib/event_engine/posix_engine/posix_engine.h +@@ -97,6 +97,7 @@ class PosixEventEngine final : public EventEngine { + const DNSResolver::ResolverOptions& options) override; + void Run(Closure* closure) override; + void Run(absl::AnyInvocable<void()> closure) override; ++ // Caution!! The timer implementation cannot create any fds. See #20418. + TaskHandle RunAfter(Duration when, Closure* closure) override; + TaskHandle RunAfter(Duration when, + absl::AnyInvocable<void()> closure) override; +diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc +index d43113fb03..32be997cff 100644 +--- a/src/core/lib/iomgr/tcp_server_posix.cc ++++ b/src/core/lib/iomgr/tcp_server_posix.cc +@@ -16,13 +16,17 @@ + * + */ + +-/* FIXME: "posix" files shouldn't be depending on _GNU_SOURCE */ ++#include <grpc/support/port_platform.h> ++ ++#include <utility> ++ ++#include <grpc/support/atm.h> ++ ++// FIXME: "posix" files shouldn't be depending on _GNU_SOURCE + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif + +-#include <grpc/support/port_platform.h> +- + #include "src/core/lib/iomgr/port.h" + + #ifdef GRPC_POSIX_SOCKET_TCP_SERVER +@@ -44,6 +48,7 @@ + #include "absl/strings/str_format.h" + + #include <grpc/event_engine/endpoint_config.h> ++#include <grpc/event_engine/event_engine.h> + #include <grpc/support/alloc.h> + #include <grpc/support/log.h> + #include <grpc/support/sync.h> +@@ -63,6 +68,8 @@ + #include "src/core/lib/resource_quota/api.h" + + static std::atomic<int64_t> num_dropped_connections{0}; ++static constexpr grpc_core::Duration kRetryAcceptWaitTime{ ++ grpc_core::Duration::Seconds(1)}; + + using ::grpc_event_engine::experimental::EndpointConfig; + +@@ -195,21 +202,35 @@ static void on_read(void* arg, grpc_error_handle err) { + if (fd < 0) { + if (errno == EINTR) { + continue; +- } else if (errno == EAGAIN || errno == ECONNABORTED || +- errno == EWOULDBLOCK) { ++ } ++ // When the process runs out of fds, accept4() returns EMFILE. When this ++ // happens, the connection is left in the accept queue until either a ++ // read event triggers the on_read callback, or time has passed and the ++ // accept should be re-tried regardless. This callback is not cancelled, ++ // so a spurious wakeup may occur even when there's nothing to accept. ++ // This is not a performant code path, but if an fd limit has been ++ // reached, the system is likely in an unhappy state regardless. ++ if (errno == EMFILE) { + grpc_fd_notify_on_read(sp->emfd, &sp->read_closure); ++ if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return; ++ grpc_timer_init(&sp->retry_timer, ++ grpc_core::Timestamp::Now() + kRetryAcceptWaitTime, ++ &sp->retry_closure); + return; ++ } ++ if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) { ++ grpc_fd_notify_on_read(sp->emfd, &sp->read_closure); ++ return; ++ } ++ gpr_mu_lock(&sp->server->mu); ++ if (!sp->server->shutdown_listeners) { ++ gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno)); + } else { +- gpr_mu_lock(&sp->server->mu); +- if (!sp->server->shutdown_listeners) { +- gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno)); +- } else { +- /* if we have shutdown listeners, accept4 could fail, and we +- needn't notify users */ +- } +- gpr_mu_unlock(&sp->server->mu); +- goto error; ++ // if we have shutdown listeners, accept4 could fail, and we ++ // needn't notify users + } ++ gpr_mu_unlock(&sp->server->mu); ++ goto error; + } + + if (sp->server->memory_quota->IsMemoryPressureHigh()) { +@@ -403,6 +424,7 @@ static grpc_error_handle clone_port(grpc_tcp_listener* listener, + sp->port_index = listener->port_index; + sp->fd_index = listener->fd_index + count - i; + GPR_ASSERT(sp->emfd); ++ grpc_tcp_server_listener_initialize_retry_timer(sp); + while (listener->server->tail->next != nullptr) { + listener->server->tail = listener->server->tail->next; + } +@@ -575,6 +597,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) { + if (s->active_ports) { + grpc_tcp_listener* sp; + for (sp = s->head; sp; sp = sp->next) { ++ grpc_timer_cancel(&sp->retry_timer); + grpc_fd_shutdown(sp->emfd, + GRPC_ERROR_CREATE_FROM_STATIC_STRING("Server shutdown")); + } +diff --git a/src/core/lib/iomgr/tcp_server_utils_posix.h b/src/core/lib/iomgr/tcp_server_utils_posix.h +index 94faa2c17e..2e78ce555f 100644 +--- a/src/core/lib/iomgr/tcp_server_utils_posix.h ++++ b/src/core/lib/iomgr/tcp_server_utils_posix.h +@@ -25,6 +25,7 @@ + #include "src/core/lib/iomgr/resolve_address.h" + #include "src/core/lib/iomgr/socket_utils_posix.h" + #include "src/core/lib/iomgr/tcp_server.h" ++#include "src/core/lib/iomgr/timer.h" + #include "src/core/lib/resource_quota/memory_quota.h" + + /* one listening port */ +@@ -47,6 +48,11 @@ typedef struct grpc_tcp_listener { + identified while iterating through 'next'. */ + struct grpc_tcp_listener* sibling; + int is_sibling; ++ // If an accept4() call fails, a timer is started to drain the accept queue in ++ // case no further connection attempts reach the gRPC server. ++ grpc_closure retry_closure; ++ grpc_timer retry_timer; ++ gpr_atm retry_timer_armed; + } grpc_tcp_listener; + + /* the overall server */ +@@ -126,4 +132,10 @@ grpc_error_handle grpc_tcp_server_prepare_socket( + /* Ruturn true if the platform supports ifaddrs */ + bool grpc_tcp_server_have_ifaddrs(void); + +-#endif /* GRPC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H */ ++// Initialize (but don't start) the timer and callback to retry accept4() on a ++// listening socket after file descriptors have been exhausted. This must be ++// called when creating a new listener. ++void grpc_tcp_server_listener_initialize_retry_timer( ++ grpc_tcp_listener* listener); ++ ++#endif // GRPC_SRC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H +diff --git a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +index 73a6b943ec..0e671c6485 100644 +--- a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc ++++ b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +@@ -18,6 +18,8 @@ + + #include <grpc/support/port_platform.h> + ++#include <grpc/support/atm.h> ++ + #include "src/core/lib/iomgr/port.h" + + #ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON +@@ -80,6 +82,24 @@ static int get_max_accept_queue_size(void) { + return s_max_accept_queue_size; + } + ++static void listener_retry_timer_cb(void* arg, grpc_error_handle err) { ++ // Do nothing if cancelled. ++ if (!err.ok()) return; ++ grpc_tcp_listener* listener = static_cast<grpc_tcp_listener*>(arg); ++ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false); ++ if (!grpc_fd_is_shutdown(listener->emfd)) { ++ grpc_fd_set_readable(listener->emfd); ++ } ++} ++ ++void grpc_tcp_server_listener_initialize_retry_timer( ++ grpc_tcp_listener* listener) { ++ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false); ++ grpc_timer_init_unset(&listener->retry_timer); ++ GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener, ++ grpc_schedule_on_exec_ctx); ++} ++ + static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd, + const grpc_resolved_address* addr, + unsigned port_index, +@@ -112,6 +132,8 @@ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd, + sp->server = s; + sp->fd = fd; + sp->emfd = grpc_fd_create(fd, name.c_str(), true); ++ grpc_tcp_server_listener_initialize_retry_timer(sp); ++ + memcpy(&sp->addr, addr, sizeof(grpc_resolved_address)); + sp->port = port; + sp->port_index = port_index; +-- +2.34.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch new file mode 100644 index 0000000000..ab46897b12 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch @@ -0,0 +1,81 @@ +From d39489045b5aa73e27713e3cbacb8832c1140ec8 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Wed, 9 Aug 2023 13:33:45 +0800 +Subject: [PATCH] fix CVE-2023-32732 + +CVE: CVE-2023-32732 + +Upstream-Status: Backport [https://github.com/grpc/grpc/pull/32309/commits/6a7850ef4f042ac26559854266dddc79bfbc75b2] +The original patch is adjusted to fit the current 1.50.1 version. + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + .../ext/transport/chttp2/transport/hpack_parser.cc | 10 +++++++--- + src/core/ext/transport/chttp2/transport/internal.h | 2 -- + src/core/ext/transport/chttp2/transport/parsing.cc | 6 ++---- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc +index f2e49022dc3..cd459d15238 100644 +--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc ++++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc +@@ -1211,12 +1211,16 @@ class HPackParser::Parser { + "). GRPC_ARG_MAX_METADATA_SIZE can be set to increase this limit.", + *frame_length_, metadata_size_limit_); + if (metadata_buffer_ != nullptr) metadata_buffer_->Clear(); ++ // StreamId is used as a signal to skip this stream but keep the connection ++ // alive + return input_->MaybeSetErrorAndReturn( + [] { + return grpc_error_set_int( +- GRPC_ERROR_CREATE_FROM_STATIC_STRING( +- "received initial metadata size exceeds limit"), +- GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED); ++ grpc_error_set_int( ++ GRPC_ERROR_CREATE_FROM_STATIC_STRING( ++ "received initial metadata size exceeds limit"), ++ GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED), ++ GRPC_ERROR_INT_STREAM_ID, 0); + }, + false); + } +diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h +index 4a2f4261d83..f8b544d9583 100644 +--- a/src/core/ext/transport/chttp2/transport/internal.h ++++ b/src/core/ext/transport/chttp2/transport/internal.h +@@ -542,8 +542,6 @@ struct grpc_chttp2_stream { + + grpc_core::Timestamp deadline = grpc_core::Timestamp::InfFuture(); + +- /** saw some stream level error */ +- grpc_error_handle forced_close_error = GRPC_ERROR_NONE; + /** how many header frames have we received? */ + uint8_t header_frames_received = 0; + /** number of bytes received - reset at end of parse thread execution */ +diff --git a/src/core/ext/transport/chttp2/transport/parsing.cc b/src/core/ext/transport/chttp2/transport/parsing.cc +index 980f13543f6..afe6da190b6 100644 +--- a/src/core/ext/transport/chttp2/transport/parsing.cc ++++ b/src/core/ext/transport/chttp2/transport/parsing.cc +@@ -22,6 +22,7 @@ + #include <string.h> + + #include <string> ++#include <utility> + + #include "absl/base/attributes.h" + #include "absl/status/status.h" +@@ -719,10 +720,7 @@ static grpc_error_handle parse_frame_slice(grpc_chttp2_transport* t, + } + grpc_chttp2_parsing_become_skip_parser(t); + if (s) { +- s->forced_close_error = err; +- grpc_chttp2_add_rst_stream_to_next_write(t, t->incoming_stream_id, +- GRPC_HTTP2_PROTOCOL_ERROR, +- &s->stats.outgoing); ++ grpc_chttp2_cancel_stream(t, s, std::exchange(err, absl::OkStatus())); + } else { + GRPC_ERROR_UNREF(err); + } +-- +2.34.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb index 7b8a25c277..3cfd0210db 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb @@ -26,6 +26,8 @@ SRC_URI = "gitsm://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BR file://0001-Revert-Changed-GRPCPP_ABSEIL_SYNC-to-GPR_ABSEIL_SYNC.patch \ file://0001-cmake-add-separate-export-for-plugin-targets.patch \ file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \ + file://0001-fix-CVE-2023-32732.patch \ + file://0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch \ " # Fixes build with older compilers 4.8 especially on ubuntu 14.04 CXXFLAGS:append:class-native = " -Wl,--no-as-needed" diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.14/oe-npm-cache b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.17/oe-npm-cache index f596207648..f596207648 100755 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.14/oe-npm-cache +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.17/oe-npm-cache diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.14.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.17.bb index a61dd5018f..a61dd5018f 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.14.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.17.bb diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch index 356c98d176..059b5cc070 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch @@ -29,10 +29,13 @@ python prune_sources() { } do_unpack[postfuncs] += "prune_sources" +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/Makefile b/Makefile +index 0be0659d..3c442014 100644 --- a/Makefile +++ b/Makefile @@ -169,7 +169,7 @@ with-code-cache test-code-cache: @@ -41,6 +44,8 @@ do_unpack[postfuncs] += "prune_sources" out/Makefile: config.gypi common.gypi node.gyp \ - deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ + deps/llhttp/llhttp.gyp \ - deps/simdutf/simdutf.gyp \ + deps/simdutf/simdutf.gyp deps/ada/ada.gyp \ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.14.2.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.17.1.bb index 19df7d542a..402cf56717 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.14.2.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.17.1.bb @@ -1,7 +1,7 @@ DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" HOMEPAGE = "http://nodejs.org" LICENSE = "MIT & ISC & BSD-2-Clause & BSD-3-Clause & Artistic-2.0 & Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=2dff1ccca11e333f1388e34f7e2d1de3" +LIC_FILES_CHKSUM = "file://LICENSE;md5=bc1f9ebe76be76f163e3b675303ad9cd" CVE_PRODUCT = "nodejs node.js" @@ -39,7 +39,7 @@ SRC_URI:append:toolchain-clang:x86 = " \ SRC_URI:append:toolchain-clang:powerpc64le = " \ file://0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch \ " -SRC_URI[sha256sum] = "fbc364dd25fee2cacc0f2033db2d86115fc07575310ea0e64408b8170d09c685" +SRC_URI[sha256sum] = "f215cf03d0f00f07ac0b674c6819f804c1542e16f152da04980022aeccf5e65a" S = "${WORKDIR}/node-v${PV}" diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.6.bb b/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.8.bb index 54c40392db..233ded25d4 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.6.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.8.bb @@ -33,7 +33,7 @@ SRC_URI:append:class-target = " \ " S = "${WORKDIR}/php-${PV}" -SRC_URI[sha256sum] = "44a70c52f537662c10d91eedbf51fd765c9961be6ba2508ed63bf7a26cdd3100" +SRC_URI[sha256sum] = "995ed4009c7917c962d31837a1a3658f36d4af4f357b673c97ffdbe6403f8517" CVE_CHECK_IGNORE += "\ CVE-2007-2728 \ diff --git a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_1.patch b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_1.patch new file mode 100644 index 0000000000..c538991125 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_1.patch @@ -0,0 +1,43 @@ +From 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf Mon Sep 17 00:00:00 2001 +From: wujing <wujing50@huawei.com> +Date: Thu, 14 Feb 2019 03:12:30 +0800 +Subject: [PATCH] yajl: fix memory leak problem + +reason: fix memory leak problem + +CVE: CVE-2023-33460 + +Upstream-Status: Backport [https://github.com/openEuler-BaseService/yajl/commit/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/yajl_tree.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index 3d357a3..4b3cf2b 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx) + ctx->stack = stack->next; + + v = stack->value; +- ++ free (stack->key); + free (stack); + + return (v); +@@ -444,6 +444,10 @@ yajl_val yajl_tree_parse (const char *input, + snprintf(error_buffer, error_buffer_size, "%s", internal_err_str); + YA_FREE(&(handle->alloc), internal_err_str); + } ++ while(ctx.stack != NULL) { ++ yajl_val v = context_pop(&ctx); ++ yajl_tree_free(v); ++ } + yajl_free (handle); + return NULL; + } +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_2.patch b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_2.patch new file mode 100644 index 0000000000..6e9b119b56 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_2.patch @@ -0,0 +1,31 @@ +From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001 +From: "zhang.jiujiu" <282627424@qq.com> +Date: Tue, 7 Dec 2021 22:37:02 +0800 +Subject: [PATCH] fix memory leaks + +CVE: CVE-2023-33460 + +Upstream-Status: Backport [https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index b9e6604..0e7bde9 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -456,6 +456,9 @@ yajl_val yajl_tree_parse (const char *input, + yajl_tree_free(v); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index cf8dbb183e..aae3c6f3a1 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb @@ -8,7 +8,10 @@ HOMEPAGE = "http://lloyd.github.com/yajl/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" -SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https" +SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ + file://CVE-2023-33460_1.patch \ + file://CVE-2023-33460_2.patch \ +" SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-31975.patch b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-31975.patch new file mode 100644 index 0000000000..ae10e99c2f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-31975.patch @@ -0,0 +1,29 @@ +From b2cc5a1693b17ac415df76d0795b15994c106441 Mon Sep 17 00:00:00 2001 +From: Katsuhiko Gondow <gondow@cs.titech.ac.jp> +Date: Tue, 13 Jun 2023 05:00:47 +0900 +Subject: [PATCH] Fix memory leak in bin-objfmt (#231) + +Upstream-Status: Backport [https://github.com/yasm/yasm/commit/b2cc5a1693b17ac415df76d0795b15994c106441] + +CVE: CVE-2023-31975 +--- + modules/objfmts/bin/bin-objfmt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/modules/objfmts/bin/bin-objfmt.c b/modules/objfmts/bin/bin-objfmt.c +index 18026750..a38c3422 100644 +--- a/modules/objfmts/bin/bin-objfmt.c ++++ b/modules/objfmts/bin/bin-objfmt.c +@@ -1680,6 +1680,10 @@ static void + bin_section_data_destroy(void *data) + { + bin_section_data *bsd = (bin_section_data *)data; ++ if (bsd->align) ++ yasm_xfree(bsd->align); ++ if (bsd->valign) ++ yasm_xfree(bsd->valign); + if (bsd->start) + yasm_expr_destroy(bsd->start); + if (bsd->vstart) +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-37732.patch b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-37732.patch new file mode 100644 index 0000000000..1ca33f0a92 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-37732.patch @@ -0,0 +1,41 @@ +From 2cd3bb50e256f5ed5f611ac611d25fe673f2cec3 Mon Sep 17 00:00:00 2001 +From: Peter Johnson <johnson.peter@gmail.com> +Date: Fri, 11 Aug 2023 10:49:51 +0000 +Subject: [PATCH] elf.c: Fix NULL deref on bad xsize expression (#234) + +CVE: CVE-2023-37732 + +Upstream-Status: Backport [https://github.com/yasm/yasm/commit/2cd3bb50e256f5ed5f611ac611d25fe673f2cec3] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + modules/objfmts/elf/elf.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/modules/objfmts/elf/elf.c b/modules/objfmts/elf/elf.c +index 2486bba8..bab4c9ca 100644 +--- a/modules/objfmts/elf/elf.c ++++ b/modules/objfmts/elf/elf.c +@@ -482,15 +482,15 @@ elf_symtab_write_to_file(FILE *f, elf_symtab_head *symtab, + + /* get size (if specified); expr overrides stored integer */ + if (entry->xsize) { +- size_intn = yasm_intnum_copy( +- yasm_expr_get_intnum(&entry->xsize, 1)); +- if (!size_intn) { ++ yasm_intnum *intn = yasm_expr_get_intnum(&entry->xsize, 1); ++ if (!intn) { + yasm_error_set(YASM_ERROR_VALUE, + N_("size specifier not an integer expression")); + yasm_errwarn_propagate(errwarns, entry->xsize->line); +- } ++ } else ++ size_intn = yasm_intnum_copy(intn); + } +- else ++ if (!size_intn) + size_intn = yasm_intnum_create_uint(entry->size); + + /* get EQU value for constants */ +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb index 3dd382be1f..26540b4295 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb @@ -12,6 +12,8 @@ PV = "1.3.0+git${SRCPV}" SRCREV = "ba463d3c26c0ece2e797b8d6381b161633b5971a" SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \ file://0001-Do-not-use-AC_HEADER_STDC.patch \ + file://CVE-2023-31975.patch \ + file://CVE-2023-37732.patch \ " S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb b/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb index 0b1e7e6088..d67156e1fd 100644 --- a/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb +++ b/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb @@ -8,7 +8,7 @@ DEPENDS = "ncurses" LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" -SRC_URI = "ftp://ftp.invisible-island.net/${BPN}/${BP}.tgz" +SRC_URI = "https://invisible-mirror.net/archives/${BPN}/${BP}.tgz" SRC_URI[sha256sum] = "ae478fe7d5fca82bcf4b51684641e07d2ee68489d319710fe1e81f41a197bd66" # hardcoded here for use in dialog-static recipe diff --git a/meta-openembedded/meta-oe/recipes-extended/hwloc/files/CVE-2022-47022.patch b/meta-openembedded/meta-oe/recipes-extended/hwloc/files/CVE-2022-47022.patch new file mode 100644 index 0000000000..1925e2605d --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/hwloc/files/CVE-2022-47022.patch @@ -0,0 +1,76 @@ +From ac1f8db9a0790d2bf153711ff4cbf6101f89aace Mon Sep 17 00:00:00 2001 +From: Brice Goglin <Brice.Goglin@inria.fr> +Date: Wed, 23 Aug 2023 19:52:47 +0200 +Subject: [PATCH] linux: handle glibc cpuset allocation failures + +Closes #544 +CVE-2022-47022 + +CVE: CVE-2022-47022 + +Upstream-Status: Backport [https://github.com/open-mpi/hwloc/commit/ac1f8db9a0790d2bf153711ff4cbf6101f89aace] + +Signed-off-by: Brice Goglin <Brice.Goglin@inria.fr> +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + hwloc/topology-linux.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c +index 3f059465d..030076e7f 100644 +--- a/hwloc/topology-linux.c ++++ b/hwloc/topology-linux.c +@@ -878,6 +878,8 @@ hwloc_linux_set_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused, + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + CPU_ZERO_S(setsize, plinux_set); + hwloc_bitmap_foreach_begin(cpu, hwloc_set) +@@ -958,7 +960,10 @@ hwloc_linux_find_kernel_nr_cpus(hwloc_topology_t topology) + while (1) { + cpu_set_t *set = CPU_ALLOC(nr_cpus); + size_t setsize = CPU_ALLOC_SIZE(nr_cpus); +- int err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */ ++ int err; ++ if (!set) ++ return -1; /* caller will return an error, and we'll try again later */ ++ err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */ + CPU_FREE(set); + nr_cpus = setsize * 8; /* that's the value that was actually tested */ + if (!err) +@@ -986,8 +991,12 @@ hwloc_linux_get_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused, + + /* find the kernel nr_cpus so as to use a large enough cpu_set size */ + kernel_nr_cpus = hwloc_linux_find_kernel_nr_cpus(topology); ++ if (kernel_nr_cpus < 0) ++ return -1; + setsize = CPU_ALLOC_SIZE(kernel_nr_cpus); + plinux_set = CPU_ALLOC(kernel_nr_cpus); ++ if (!plinux_set) ++ return -1; + + err = sched_getaffinity(tid, setsize, plinux_set); + +@@ -1341,6 +1350,8 @@ hwloc_linux_set_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_c + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + CPU_ZERO_S(setsize, plinux_set); + hwloc_bitmap_foreach_begin(cpu, hwloc_set) +@@ -1432,6 +1443,8 @@ hwloc_linux_get_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_b + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + err = pthread_getaffinity_np(tid, setsize, plinux_set); + if (err) { +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb b/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb index 51ceb4c262..ee766c8391 100644 --- a/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb +++ b/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb @@ -7,7 +7,9 @@ SECTION = "base" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=79179bb373cd55cbd834463a514fb714" -SRC_URI = "https://www.open-mpi.org/software/${BPN}/v2.9/downloads/${BP}.tar.bz2" +SRC_URI = "https://www.open-mpi.org/software/${BPN}/v2.9/downloads/${BP}.tar.bz2 \ + file://CVE-2022-47022.patch \ + " SRC_URI[sha256sum] = "2070e963596a2421b9af8eca43bdec113ee1107aaf7ccb475d4d3767a8856887" UPSTREAM_CHECK_URI = "https://www.open-mpi.org/software/hwloc/v2.9/" diff --git a/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb b/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb index 44b4e7daf9..22ccbf144e 100644 --- a/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb +++ b/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb @@ -10,6 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c" inherit autotools gobject-introspection pkgconfig +DEPENDS = "autoconf-archive-native glib-2.0 kmod udev" + SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch;protocol=https \ " SRCREV = "1412dc51c8f76bf8d9a6008228737db4a9a26d69" @@ -24,12 +26,12 @@ PACKAGECONFIG[lvm] = "--with-lvm, --without-lvm, multipath-tools, lvm2" PACKAGECONFIG[lvm-dbus] = "--with-lvm_dbus, --without-lvm_dbus, multipath-tools, lvm2" PACKAGECONFIG[dm] = "--with-dm, --without-dm, multipath-tools, lvm2" PACKAGECONFIG[dmraid] = "--with-dmraid, --without-dmraid" -PACKAGECONFIG[kmod] = "--with-kbd, --without-kbd, kmod" +PACKAGECONFIG[kmod] = "--with-kbd, --without-kbd,libbytesize" PACKAGECONFIG[parted] = "--with-part, --without-part, parted" PACKAGECONFIG[fs] = "--with-fs, --without-fs, util-linux" PACKAGECONFIG[doc] = "--with-gtk-doc, --without-gtk-doc, gtk-doc-native" PACKAGECONFIG[nvdimm] = "--with-nvdimm, --without-nvdimm, ndctl util-linux" -PACKAGECONFIG[vdo] = "--with-vdo, --without-vdo" +PACKAGECONFIG[vdo] = "--with-vdo, --without-vdo,libbytesize" PACKAGECONFIG[escrow] = "--with-escrow, --without-escrow, nss volume-key" PACKAGECONFIG[btrfs] = "--with-btrfs,--without-btrfs,libbytesize btrfs-tools" PACKAGECONFIG[crypto] = "--with-crypto,--without-crypto,cryptsetup nss volume-key" diff --git a/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb b/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb index 2d93936f37..3912e0a8d7 100644 --- a/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb +++ b/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb @@ -24,7 +24,7 @@ LIC_FILES_CHKSUM = "\ file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" EXTRA_OECONF = "--enable-debug --disable-static --disable-rebuilds --enable-compile-warnings=minimum" -DEPENDS += "gtk+ glib-2.0 glib-2.0-native ruby-native intltool-native gnome-common-native" +DEPENDS += "gtk+ glib-2.0 glib-2.0-native ruby-native intltool-native gnome-common-native autoconf-archive-native" inherit features_check autotools pkgconfig gettext diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0001-src-Do-not-reset-FINAL_LIBS.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0001-src-Do-not-reset-FINAL_LIBS.patch index e8d8b1d53f..e8d8b1d53f 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0001-src-Do-not-reset-FINAL_LIBS.patch +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0001-src-Do-not-reset-FINAL_LIBS.patch diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0006-Define-correct-gregs-for-RISCV32.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0006-Define-correct-gregs-for-RISCV32.patch index 385b0aeed0..385b0aeed0 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0006-Define-correct-gregs-for-RISCV32.patch +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0006-Define-correct-gregs-for-RISCV32.patch diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/GNU_SOURCE-7.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/GNU_SOURCE-7.patch index 6e07c25c6a..6e07c25c6a 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/GNU_SOURCE-7.patch +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/GNU_SOURCE-7.patch diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/hiredis-use-default-CC-if-it-is-set.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/hiredis-use-default-CC-if-it-is-set.patch index 657b0923e2..657b0923e2 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/hiredis-use-default-CC-if-it-is-set.patch +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/hiredis-use-default-CC-if-it-is-set.patch diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/init-redis-server b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/init-redis-server index c5f335f57d..c5f335f57d 100755 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/init-redis-server +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/init-redis-server diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/lua-update-Makefile-to-use-environment-build-setting.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/lua-update-Makefile-to-use-environment-build-setting.patch index c6c6fde162..c6c6fde162 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/lua-update-Makefile-to-use-environment-build-setting.patch +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/lua-update-Makefile-to-use-environment-build-setting.patch diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/oe-use-libc-malloc.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/oe-use-libc-malloc.patch index bf6d0cf3c1..bf6d0cf3c1 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/oe-use-libc-malloc.patch +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/oe-use-libc-malloc.patch diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.conf b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.conf index 75037d6dc8..75037d6dc8 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.conf +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.conf diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.service b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.service index a52204cc70..a52204cc70 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.service +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.service diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb index 3ed6867816..640831c525 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb @@ -17,7 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ " -SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b" +SRC_URI[sha256sum] = "89ff27c80d420456a721ccfb3beb7cc628d883c53059803513749e13214a23d1" inherit autotools-brokensep update-rc.d systemd useradd diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.11.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.12.bb index 4626044781..321b90dadf 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.11.bb +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.12.bb @@ -6,8 +6,6 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=8ffdd6c926faaece928cf9d9640132d2" DEPENDS = "readline lua ncurses" -FILESPATH =. "${FILE_DIRNAME}/${BPN}-7:" - SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://redis.conf \ file://init-redis-server \ @@ -19,7 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE-7.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ " -SRC_URI[sha256sum] = "ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e35017ba39b07221e3" +SRC_URI[sha256sum] = "9dd83d5b278bb2bf0e39bfeb75c3e8170024edbaf11ba13b7037b2945cf48ab7" inherit autotools-brokensep update-rc.d systemd useradd diff --git a/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc b/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc index 01f4a572f8..e05e35fe0e 100644 --- a/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc +++ b/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc @@ -21,7 +21,7 @@ S = "${WORKDIR}/git" inherit pkgconfig cmake features_check python3native qemu -ANY_OF_DISTRO_FEATURES += "opengl wayland" +ANY_OF_DISTRO_FEATURES += "opengl vulkan" DEPENDS += "python3-lxml-native libpng zlib virtual/libgles2 qemu-native" @@ -72,9 +72,9 @@ python __anonymous() { distrofeatures = (d.getVar("DISTRO_FEATURES") or "") if not bb.utils.contains_any("PACKAGECONFIG", ["surfaceless", "wayland", "x11_egl", "x11_glx", "x11_egl_glx"], True, False, d): if "wayland" in distrofeatures: - d.appendVar("DEPENDS", " wayland-native wayland wayland-protocols") + d.appendVar("DEPENDS", " wayland-native ${MLPREFIX}wayland ${MLPREFIX}wayland-protocols") if "x11" in distrofeatures: - d.appendVar("DEPENDS", " virtual/libx11 virtual/egl ") + d.appendVar("DEPENDS", " virtual/${MLPREFIX}libx11 virtual/${MLPREFIX}egl ") } CTSDIR = "/usr/lib/${BPN}" diff --git a/meta-openembedded/meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch new file mode 100644 index 0000000000..fbdb9123cc --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch @@ -0,0 +1,27 @@ +CVE: CVE-2020-29074 +Upstream-Status: Backport [https://github.com/LibVNC/x11vnc/commit/69eeb9f7baa14ca03b16c9de821f9876def7a36a ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + + +From 69eeb9f7baa14ca03b16c9de821f9876def7a36a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Gu=C3=A9nal=20DAVALAN?= <guenal.davalan@uca.fr> +Date: Wed, 18 Nov 2020 08:40:45 +0100 +Subject: [PATCH] scan: limit access to shared memory segments to current user + +--- + src/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/scan.c b/src/scan.c +index 43e00d20..12994d52 100644 +--- a/src/scan.c ++++ b/src/scan.c +@@ -320,7 +320,7 @@ static int shm_create(XShmSegmentInfo *shm, XImage **ximg_ptr, int w, int h, + + #if HAVE_XSHM + shm->shmid = shmget(IPC_PRIVATE, +- xim->bytes_per_line * xim->height, IPC_CREAT | 0777); ++ xim->bytes_per_line * xim->height, IPC_CREAT | 0600); + + if (shm->shmid == -1) { + rfbErr("shmget(%s) failed.\n", name); diff --git a/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb index 5f7c0beb66..be9ef3cbaa 100644 --- a/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb +++ b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb @@ -12,6 +12,7 @@ PV .= "+git${SRCPV}" SRC_URI = "git://github.com/LibVNC/x11vnc;branch=master;protocol=https \ file://starting-fix.patch \ + file://CVE-2020-29074.patch \ " S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb b/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb index 1aee51f1eb..9517481ee5 100644 --- a/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb +++ b/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb @@ -17,6 +17,7 @@ COMPATIBLE_HOST = "(x86_64|i.86|aarch64|riscv64|powerpc64).*-linux" S = "${WORKDIR}/git/src" EXTRA_OEMAKE += "DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir}" +EXTRA_OEMAKE:append:class-native = " UAPIDIR=${includedir}" inherit pkgconfig @@ -28,4 +29,8 @@ do_install() { oe_runmake install } +do_install:append:class-native() { + oe_runmake install_uapi_headers +} + BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.1.bb index bb19ff1bd3..1440d72711 100644 --- a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.1.bb @@ -6,7 +6,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https" -SRCREV = "fddf01938d3789e06cc1c3774e4cd0c7d2a89976" +SRCREV = "6360e96b5cf8e5980c887ce58ef727e53d77243a" UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" diff --git a/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb b/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb index 1fead4d029..33e8279880 100644 --- a/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb +++ b/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb @@ -55,7 +55,7 @@ do_configure() { do_compile() { for lib in fftw fftwl fftwf; do cd ${WORKDIR}/build-$lib - sed -i -e 's|${TOOLCHAIN_OPTIONS}||g' config.h + test -n "${TOOLCHAIN_OPTIONS}" && sed -i -e 's|${TOOLCHAIN_OPTIONS}||g' config.h autotools_do_compile done } diff --git a/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb b/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb index a27968079e..9e09b971c9 100644 --- a/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb +++ b/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb @@ -13,7 +13,7 @@ LICENSE = "LGPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=56a22a6e5bcce45e2c8ac184f81412b5" SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3" -SRC_URI = "git://git.savannah.gnu.org/git/gnulib.git;branch=master \ +SRC_URI = "git://git.savannah.gnu.org/git/gnulib.git;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser/CVE-2023-33461.patch b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser/CVE-2023-33461.patch new file mode 100644 index 0000000000..ae714c5318 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser/CVE-2023-33461.patch @@ -0,0 +1,52 @@ +From ace9871f65d11b5d73f0b9ee8cf5d2807439442d Mon Sep 17 00:00:00 2001 +From: Antonio <antoniolrt@gmail.com> +Date: Fri, 2 Jun 2023 15:03:10 -0300 +Subject: [PATCH] Handle null return from iniparser_getstring + +Fix handling of NULL returns from iniparser_getstring in +iniparser_getboolean, iniparser_getlongint and iniparser_getdouble, +avoiding a crash. + +CVE: CVE-2023-33461 + +Upstream-Status: Submitted [https://github.com/ndevilla/iniparser/pull/146/commits/ace9871f65d11b5d73f0b9ee8cf5d2807439442d] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/iniparser.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/iniparser.c b/src/iniparser.c +index f1d1658..dbceb20 100644 +--- a/src/iniparser.c ++++ b/src/iniparser.c +@@ -456,7 +456,7 @@ long int iniparser_getlongint(const dictionary * d, const char * key, long int n + const char * str ; + + str = iniparser_getstring(d, key, INI_INVALID_KEY); +- if (str==INI_INVALID_KEY) return notfound ; ++ if (str==NULL || str==INI_INVALID_KEY) return notfound ; + return strtol(str, NULL, 0); + } + +@@ -511,7 +511,7 @@ double iniparser_getdouble(const dictionary * d, const char * key, double notfou + const char * str ; + + str = iniparser_getstring(d, key, INI_INVALID_KEY); +- if (str==INI_INVALID_KEY) return notfound ; ++ if (str==NULL || str==INI_INVALID_KEY) return notfound ; + return atof(str); + } + +@@ -553,7 +553,7 @@ int iniparser_getboolean(const dictionary * d, const char * key, int notfound) + const char * c ; + + c = iniparser_getstring(d, key, INI_INVALID_KEY); +- if (c==INI_INVALID_KEY) return notfound ; ++ if (c==NULL || c==INI_INVALID_KEY) return notfound ; + if (c[0]=='y' || c[0]=='Y' || c[0]=='1' || c[0]=='t' || c[0]=='T') { + ret = 1 ; + } else if (c[0]=='n' || c[0]=='N' || c[0]=='0' || c[0]=='f' || c[0]=='F') { +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb index f9e1530161..166a74824f 100644 --- a/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb +++ b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb @@ -10,7 +10,8 @@ PV .= "+git${SRCPV}" SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https;branch=master \ file://0001-iniparser.pc-Make-libpath-a-variable.patch \ - file://Add-CMake-support.patch" + file://Add-CMake-support.patch \ + file://CVE-2023-33461.patch" SRCREV= "deb85ad4936d4ca32cc2260ce43323d47936410d" diff --git a/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial/0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial/0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch new file mode 100644 index 0000000000..d9e10469d3 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial/0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch @@ -0,0 +1,43 @@ +From 655c5c32b37a2bea12389ed69c0869215fcf5abe Mon Sep 17 00:00:00 2001 +From: Martin Jansa <Martin.Jansa@gmail.com> +Date: Sun, 3 Sep 2023 11:22:35 +0200 +Subject: [PATCH] CMakeLists.txt: don't fall back CMAKE_INSTALL_LIBDIR to lib + +* testing ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR} existence + doesn't really work in cross compilation and on some hosts was causing: + + ERROR: QA Issue: libcyusbserial: Files/directories were installed but not shipped in any package: + /usr/lib/libcyusbserial.so.1 + /usr/lib/libcyusbserial.so + Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install. + libcyusbserial: 2 installed and not shipped files. [installed-vs-shipped] + + with multilib using /usr/lib32 or /usr/lib64 when the same didn't + exist on host. + +Upstream-Status: Pending +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + lib/CMakeLists.txt | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt +index 2b031cb..53a7263 100644 +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -6,15 +6,6 @@ if (NOT CMAKE_INSTALL_LIBDIR) + include(GNUInstallDirs) + endif (NOT CMAKE_INSTALL_LIBDIR) + +-# Fall back to just "lib" if the item provided by GNUInstallDirs doesn't exist +-# For example, on Ubuntu 13.10 with CMake 2.8.11.2, +-# /usr/lib/${CMAKE_LIBRARY_ARCHITECTURE} doesn't exist. +-if (NOT EXISTS "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}") +- message(STATUS "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR} does not exist. Defaulting libcyusbserial install location to ${CMAKE_INSTALL_PREFIX}/lib.") +- set(CMAKE_INSTALL_LIBDIR lib) +-endif() +- +- + ################################################################################ + # Include paths + ################################################################################ diff --git a/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb index 81453fb888..a69194996b 100644 --- a/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb +++ b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb @@ -8,7 +8,9 @@ DEPENDS = "libusb udev" PV = "1.0.0+git${SRCPV}" SRCREV = "655e2d544183d094f0e2d119c7e0c6206a0ddb3f" -SRC_URI = "git://github.com/cyrozap/${BPN}.git;branch=master;protocol=https" +SRC_URI = "git://github.com/cyrozap/${BPN}.git;branch=master;protocol=https \ + file://0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch \ +" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod-2.0/gpio-tools-test-bats-modify.patch b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod-2.0/gpio-tools-test-bats-modify.patch new file mode 100644 index 0000000000..4d49467968 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod-2.0/gpio-tools-test-bats-modify.patch @@ -0,0 +1,67 @@ +From 53f9670d6af1bd0745c1df9c469b269c72607b23 Mon Sep 17 00:00:00 2001 +From: Joe Slater <joe.slater@windriver.com> +Date: Tue, 6 Jun 2023 08:04:27 -0700 +Subject: [PATCH] tools: tests: modify delays in toggle test + +The test "gpioset: toggle (continuous)" uses fixed delays to test +toggling values. This is not reliable, so we switch to looking +for transitions from one value to another. + +We wait for a transition up to 1.5 seconds. + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> + +Upstream-status: accepted + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + tools/gpio-tools-test.bats | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/tools/gpio-tools-test.bats b/tools/gpio-tools-test.bats +index c83ca7d..929c35a 100755 +--- a/tools/gpio-tools-test.bats ++++ b/tools/gpio-tools-test.bats +@@ -141,6 +141,20 @@ gpiosim_check_value() { + [ "$VAL" = "$EXPECTED" ] + } + ++gpiosim_wait_value() { ++ local OFFSET=$2 ++ local EXPECTED=$3 ++ local DEVNAME=${GPIOSIM_DEV_NAME[$1]} ++ local CHIPNAME=${GPIOSIM_CHIP_NAME[$1]} ++ local PORT=$GPIOSIM_SYSFS/$DEVNAME/$CHIPNAME/sim_gpio$OFFSET/value ++ ++ for i in {1..15}; do ++ [ "$(<$PORT)" = "$EXPECTED" ] && return ++ sleep 0.1 ++ done ++ return 1 ++} ++ + gpiosim_cleanup() { + for CHIP in ${!GPIOSIM_CHIP_NAME[@]} + do +@@ -1567,15 +1581,12 @@ request_release_line() { + gpiosim_check_value sim0 4 0 + gpiosim_check_value sim0 7 0 + +- sleep 1 +- +- gpiosim_check_value sim0 1 0 ++ gpiosim_wait_value sim0 1 0 + gpiosim_check_value sim0 4 1 + gpiosim_check_value sim0 7 1 + +- sleep 1 + +- gpiosim_check_value sim0 1 1 ++ gpiosim_wait_value sim0 1 1 + gpiosim_check_value sim0 4 0 + gpiosim_check_value sim0 7 0 + } +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc index abb6544ec2..cf6c0ae0f6 100644 --- a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc +++ b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc @@ -38,7 +38,7 @@ FILES:${PN}-ptest += " \ FILES:libgpiodcxx = "${libdir}/libgpiodcxx.so.*" RRECOMMENDS:${PN}-ptest += "coreutils" -RDEPENDS:${PN}-ptest += "bats" +RDEPENDS:${PN}-ptest += "${@bb.utils.contains('PTEST_ENABLED', '1', 'bats', '', d)}" do_install_ptest() { install -d ${D}${PTEST_PATH}/tests/ diff --git a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb index 179fe170e2..ee20aaf792 100644 --- a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb @@ -11,6 +11,8 @@ SRC_URI[sha256sum] = "f74cbf82038b3cb98ebeb25bce55ee2553be28194002d2a9889b9268cc S = "${WORKDIR}/libgpiod-2.0" +SRC_URI += "file://gpio-tools-test-bats-modify.patch" + # We must enable gpioset-interactive for all gpio-tools tests to pass PACKAGECONFIG[tests] = "--enable-tests --enable-gpioset-interactive,--disable-tests,kmod util-linux glib-2.0 catch2 libedit" PACKAGECONFIG[gpioset-interactive] = "--enable-gpioset-interactive,--disable-gpioset-interactive,libedit" diff --git a/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb index bb253f421a..612dd897be 100644 --- a/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb +++ b/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c" SRCREV = "92d6a35f3d8d721cda7d6fe664b435311dd368b4" PV = "0.23" -SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=master \ +SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=main \ file://0001-CMake-Move-include-CheckCSourceCompiles-before-its-m.patch \ " UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" diff --git a/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb b/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb index e713433469..3c1c451c02 100644 --- a/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb +++ b/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb @@ -18,11 +18,18 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" -inherit autotools-brokensep ptest +inherit ptest COMPATIBLE_HOST = '(x86_64.*|i.86.*)-linux' -do_install:append() { +EXTRA_OEMAKE += "CFLAGS='${CFLAGS}'" + +do_compile() { + oe_runmake +} + +do_install() { + oe_runmake install DESTDIR=${D} install -d ${D}${sysconfdir}/cron.hourly install -m 0755 ${S}/mcelog.cron ${D}${sysconfdir}/cron.hourly/ sed -i 's/bash/sh/' ${D}${sysconfdir}/cron.hourly/mcelog.cron diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch new file mode 100644 index 0000000000..92c096e29c --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch @@ -0,0 +1,88 @@ +commit ccc277247ac1a7aef0a90353edcdec35fbc5903c +Author: Nano <nanoapezlk@gmail.com> +Date: Wed Apr 26 15:09:52 2023 +0800 + + fix(wechat_qrcode): Init nBytes after the count value is determined (#3480) + + * fix(wechat_qrcode): Initialize nBytes after the count value is determined + + * fix(wechat_qrcode): Incorrect count data repair + + * chore: format expr + + * fix(wechat_qrcode): Avoid null pointer exception + + * fix(wechat_qrcode): return when bytes_ is empty + + * test(wechat_qrcode): add test case + + --------- + + Co-authored-by: GZTime <Time.GZ@outlook.com> + +CVE: CVE-2023-2617 + +Upstream-Status: Backport [https://github.com/opencv/opencv_contrib/commit/ccc277247ac1a7aef0a90353edcdec35fbc5903c] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + +diff --git a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp +index 05de793c..b3a0a69c 100644 +--- a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp ++++ b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp +@@ -65,7 +65,8 @@ void DecodedBitStreamParser::append(std::string& result, string const& in, + + void DecodedBitStreamParser::append(std::string& result, const char* bufIn, size_t nIn, + ErrorHandler& err_handler) { +- if (err_handler.ErrCode()) return; ++ // avoid null pointer exception ++ if (err_handler.ErrCode() || bufIn == nullptr) return; + #ifndef NO_ICONV_INSIDE + if (nIn == 0) { + return; +@@ -190,16 +191,20 @@ void DecodedBitStreamParser::decodeByteSegment(Ref<BitSource> bits_, string& res + CharacterSetECI* currentCharacterSetECI, + ArrayRef<ArrayRef<char> >& byteSegments, + ErrorHandler& err_handler) { +- int nBytes = count; + BitSource& bits(*bits_); + // Don't crash trying to read more bits than we have available. + int available = bits.available(); + // try to repair count data if count data is invalid + if (count * 8 > available) { +- count = (available + 7 / 8); ++ count = (available + 7) / 8; + } ++ size_t nBytes = count; ++ ++ ArrayRef<char> bytes_(nBytes); ++ // issue https://github.com/opencv/opencv_contrib/issues/3478 ++ if (bytes_->empty()) ++ return; + +- ArrayRef<char> bytes_(count); + char* readBytes = &(*bytes_)[0]; + for (int i = 0; i < count; i++) { + // readBytes[i] = (char) bits.readBits(8); +diff --git a/modules/wechat_qrcode/test/test_qrcode.cpp b/modules/wechat_qrcode/test/test_qrcode.cpp +index d59932b8..ec2559b0 100644 +--- a/modules/wechat_qrcode/test/test_qrcode.cpp ++++ b/modules/wechat_qrcode/test/test_qrcode.cpp +@@ -455,5 +455,16 @@ TEST_P(Objdetect_QRCode_Easy_Multi, regression) { + std::string qrcode_model_path[] = {"", "dnn/wechat_2021-01"}; + INSTANTIATE_TEST_CASE_P(/**/, Objdetect_QRCode_Easy_Multi, testing::ValuesIn(qrcode_model_path)); + ++TEST(Objdetect_QRCode_bug, issue_3478) { ++ auto detector = wechat_qrcode::WeChatQRCode(); ++ std::string image_path = findDataFile("qrcode/issue_3478.png"); ++ Mat src = imread(image_path, IMREAD_GRAYSCALE); ++ ASSERT_FALSE(src.empty()) << "Can't read image: " << image_path; ++ std::vector<std::string> outs = detector.detectAndDecode(src); ++ ASSERT_EQ(1, (int) outs.size()); ++ ASSERT_EQ(16, (int) outs[0].size()); ++ ASSERT_EQ("KFCVW50 ", outs[0]); ++} ++ + } // namespace + } // namespace opencv_test diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb index 361b004308..a1fbaaa091 100644 --- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb @@ -31,6 +31,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol file://download.patch \ file://0001-Make-ts-module-external.patch \ file://0008-Do-not-embed-build-directory-in-binaries.patch \ + file://CVE-2023-2617.patch;patchdir=contrib \ " SRC_URI:append:riscv64 = " file://0001-Use-Os-to-compile-tinyxml2.cpp.patch;patchdir=contrib" @@ -162,7 +163,7 @@ python populate_packages:prepend () { metapkg = pn d.setVar('ALLOW_EMPTY:' + metapkg, "1") - blacklist = [ metapkg, "libopencv-ts" ] + blacklist = [ metapkg ] metapkg_rdepends = [ ] for pkg in packages[1:]: if not pkg in blacklist and not pkg in metapkg_rdepends and not pkg.endswith('-dev') and not pkg.endswith('-dbg') and not pkg.endswith('-doc') and not pkg.endswith('-locale') and not pkg.endswith('-staticdev'): diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/0001-configure-Pass-pthread_t-to-pthread_detach.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/0001-configure-Pass-pthread_t-to-pthread_detach.patch deleted file mode 100644 index 6e73f8b382..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/0001-configure-Pass-pthread_t-to-pthread_detach.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 7577b120acda087bf3f5f613c2c72663b3864ad8 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Sun, 4 Sep 2022 09:43:06 -0700 -Subject: [PATCH] configure: Pass pthread_t to pthread_detach - -This helps compilers when using C2X standard - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - configure.ac | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 0978eeb..58d15f8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1467,10 +1467,7 @@ pthread_rwlock_t rwlock; - dnl save the flags - AC_LINK_IFELSE([AC_LANG_PROGRAM([[ - #include <pthread.h> --#ifndef NULL --#define NULL (void*)0 --#endif --]], [[pthread_detach(NULL);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no]) -+]], [[pthread_detach((pthread_t)-1);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no]) - ]) - - if test $ol_cv_func_pthread_detach = no ; then --- -2.37.3 - diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.13.bb b/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.16.bb index b117677f9b..a56b454dc0 100644 --- a/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.13.bb +++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.16.bb @@ -19,10 +19,9 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$ file://slapd.service \ file://remove-user-host-pwd-from-version.patch \ file://0001-build-top.mk-unset-STRIP_OPTS.patch \ - file://0001-configure-Pass-pthread_t-to-pthread_detach.patch \ " -SRC_URI[sha256sum] = "ee3c430c4ef7b87c57b622108c7339376d6c27fbbf2767770be3de1df63d008c" +SRC_URI[sha256sum] = "546ba591822e8bb0e467d40c4d4a30f89d937c3a507fe83a578f582f6a211327" DEPENDS = "util-linux groff-native" diff --git a/meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2023-2977.patch b/meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2023-2977.patch new file mode 100644 index 0000000000..165fc316bf --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2023-2977.patch @@ -0,0 +1,54 @@ +CVE: CVE-2023-2977 +Upstream-Status: Backport [ https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + + +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 +From: fullwaywang <fullwaywang@tencent.com> +Date: Mon, 29 May 2023 10:38:48 +0800 +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer + overrun bug. Fixes #2785 + +--- + src/pkcs15init/pkcs15-cardos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c +index 9715cf390f..f41f73c349 100644 +--- a/src/pkcs15init/pkcs15-cardos.c ++++ b/src/pkcs15init/pkcs15-cardos.c +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; +- const u8 *p = rbuf, *q; ++ const u8 *p = rbuf, *q, *pp; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + return 0; + + while (len != 0) { +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); +- if (p == NULL) ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); ++ if (pp == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x02) diff --git a/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb b/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb index f68107df87..b3fc1f0458 100644 --- a/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb @@ -16,6 +16,7 @@ SRCREV = "5497519ea6b4af596628f8f8f2f904bacaa3148f" SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://0001-pkcs11-tool-Fix-private-key-import.patch \ file://0002-pkcs11-tool-Log-more-information-on-OpenSSL-errors.patch \ + file://CVE-2023-2977.patch \ " DEPENDS = "virtual/libiconv openssl" diff --git a/meta-openembedded/meta-oe/recipes-support/poppler/poppler/CVE-2023-34872.patch b/meta-openembedded/meta-oe/recipes-support/poppler/poppler/CVE-2023-34872.patch new file mode 100644 index 0000000000..69f164de96 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/poppler/poppler/CVE-2023-34872.patch @@ -0,0 +1,46 @@ +From 591235c8b6c65a2eee88991b9ae73490fd9afdfe Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Fri, 18 Aug 2023 09:17:07 +0000 +Subject: [PATCH] OutlineItem::open: Fix crash on malformed files + +Fixes #1399 + +CVE: CVE-2023-34872 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + poppler/Outline.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/poppler/Outline.cc b/poppler/Outline.cc +index cbb6cb4..4c68be9 100644 +--- a/poppler/Outline.cc ++++ b/poppler/Outline.cc +@@ -14,7 +14,7 @@ + // under GPL version 2 or later + // + // Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com> +-// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid <aacid@kde.org> ++// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid <aacid@kde.org> + // Copyright (C) 2009 Nick Jones <nick.jones@network-box.com> + // Copyright (C) 2016 Jason Crain <jason@aquaticape.us> + // Copyright (C) 2017 Adrian Johnson <ajohnson@redneon.com> +@@ -483,8 +483,12 @@ void OutlineItem::open() + { + if (!kids) { + Object itemDict = xref->fetch(ref); +- const Object &firstRef = itemDict.dictLookupNF("First"); +- kids = readItemList(this, &firstRef, xref, doc); ++ if (itemDict.isDict()) { ++ const Object &firstRef = itemDict.dictLookupNF("First"); ++ kids = readItemList(this, &firstRef, xref, doc); ++ } else { ++ kids = new std::vector<OutlineItem *>(); ++ } + } + } + +-- +2.35.5 diff --git a/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb b/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb index 165e155ec9..81e776d8f6 100644 --- a/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb @@ -7,6 +7,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \ file://0001-Do-not-overwrite-all-our-build-flags.patch \ file://basename-include.patch \ file://0001-cmake-Do-not-use-isystem.patch \ + file://CVE-2023-34872.patch \ " SRC_URI[sha256sum] = "b04148bf849c1965ada7eff6be4685130e3a18a84e0cce73bf9bc472ec32f2b4" diff --git a/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp/0001-Fix-CMake-export-files-1077.patch b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp/0001-Fix-CMake-export-files-1077.patch new file mode 100644 index 0000000000..b6c4a3b883 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp/0001-Fix-CMake-export-files-1077.patch @@ -0,0 +1,117 @@ +From 3d436f6cfc2dfe52fc1533c01f57c25ae7ffac9c Mon Sep 17 00:00:00 2001 +From: Felix Schwitzer <flx107809@gmail.com> +Date: Fri, 1 Apr 2022 05:26:47 +0200 +Subject: [PATCH] Fix CMake export files (#1077) + +After configuring the file `yaml-cpp-config.cmake.in`, the result ends up with +empty variables. (see also the discussion in #774). + +Rework this file and the call to `configure_package_config_file` according the +cmake documentation +(https://cmake.org/cmake/help/v3.22/module/CMakePackageConfigHelpers.html?highlight=configure_package_config#command:configure_package_config_file) +to overcome this issue and allow a simple `find_package` after install. + +As there was some discussion about the place where to install the +`yaml-cpp-config.cmake` file, e.g. #1055, factor out the install location into +an extra variable to make it easier changing this location in the future. + +Also untabify CMakeLists.txt in some places to align with the other code parts in this file. + +Upstream-Status: Accepted [https://github.com/jbeder/yaml-cpp/pull/1077] + +Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> +--- + CMakeLists.txt | 29 ++++++++++++++++++----------- + yaml-cpp-config.cmake.in | 10 ++++++---- + 2 files changed, 24 insertions(+), 15 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b230b9e..983d1a4 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -127,10 +127,16 @@ set_target_properties(yaml-cpp PROPERTIES + PROJECT_LABEL "yaml-cpp ${yaml-cpp-label-postfix}" + DEBUG_POSTFIX "${CMAKE_DEBUG_POSTFIX}") + ++# FIXME(felix2012): A more common place for the cmake export would be ++# `CMAKE_INSTALL_LIBDIR`, as e.g. done in ubuntu or in this project for GTest ++set(CONFIG_EXPORT_DIR "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") ++set(EXPORT_TARGETS yaml-cpp) + configure_package_config_file( + "${PROJECT_SOURCE_DIR}/yaml-cpp-config.cmake.in" + "${PROJECT_BINARY_DIR}/yaml-cpp-config.cmake" +- INSTALL_DESTINATION "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") ++ INSTALL_DESTINATION "${CONFIG_EXPORT_DIR}" ++ PATH_VARS CMAKE_INSTALL_INCLUDEDIR CONFIG_EXPORT_DIR) ++unset(EXPORT_TARGETS) + + write_basic_package_version_file( + "${PROJECT_BINARY_DIR}/yaml-cpp-config-version.cmake" +@@ -139,30 +145,31 @@ write_basic_package_version_file( + configure_file(yaml-cpp.pc.in yaml-cpp.pc @ONLY) + + if (YAML_CPP_INSTALL) +- install(TARGETS yaml-cpp ++ install(TARGETS yaml-cpp + EXPORT yaml-cpp-targets + RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} + LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} + ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}) +- install(DIRECTORY ${PROJECT_SOURCE_DIR}/include/ ++ install(DIRECTORY ${PROJECT_SOURCE_DIR}/include/ + DESTINATION ${CMAKE_INSTALL_INCLUDEDIR} +- FILES_MATCHING PATTERN "*.h") ++ FILES_MATCHING PATTERN "*.h") + install(EXPORT yaml-cpp-targets +- DESTINATION "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") +- install(FILES +- "${PROJECT_BINARY_DIR}/yaml-cpp-config.cmake" +- "${PROJECT_BINARY_DIR}/yaml-cpp-config-version.cmake" +- DESTINATION "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") ++ DESTINATION "${CONFIG_EXPORT_DIR}") ++ install(FILES ++ "${PROJECT_BINARY_DIR}/yaml-cpp-config.cmake" ++ "${PROJECT_BINARY_DIR}/yaml-cpp-config-version.cmake" ++ DESTINATION "${CONFIG_EXPORT_DIR}") + install(FILES "${PROJECT_BINARY_DIR}/yaml-cpp.pc" + DESTINATION ${CMAKE_INSTALL_DATADIR}/pkgconfig) + endif() ++unset(CONFIG_EXPORT_DIR) + + if(YAML_CPP_BUILD_TESTS) +- add_subdirectory(test) ++ add_subdirectory(test) + endif() + + if(YAML_CPP_BUILD_TOOLS) +- add_subdirectory(util) ++ add_subdirectory(util) + endif() + + if (YAML_CPP_CLANG_FORMAT_EXE) +diff --git a/yaml-cpp-config.cmake.in b/yaml-cpp-config.cmake.in +index 7b41e3f..a7ace3d 100644 +--- a/yaml-cpp-config.cmake.in ++++ b/yaml-cpp-config.cmake.in +@@ -3,12 +3,14 @@ + # YAML_CPP_INCLUDE_DIR - include directory + # YAML_CPP_LIBRARIES - libraries to link against + +-# Compute paths +-get_filename_component(YAML_CPP_CMAKE_DIR "${CMAKE_CURRENT_LIST_FILE}" PATH) +-set(YAML_CPP_INCLUDE_DIR "@CONFIG_INCLUDE_DIRS@") ++@PACKAGE_INIT@ ++ ++set_and_check(YAML_CPP_INCLUDE_DIR "@PACKAGE_CMAKE_INSTALL_INCLUDEDIR@") + + # Our library dependencies (contains definitions for IMPORTED targets) +-include("${YAML_CPP_CMAKE_DIR}/yaml-cpp-targets.cmake") ++include(@PACKAGE_CONFIG_EXPORT_DIR@/yaml-cpp-targets.cmake) + + # These are IMPORTED targets created by yaml-cpp-targets.cmake + set(YAML_CPP_LIBRARIES "@EXPORT_TARGETS@") ++ ++check_required_components(@EXPORT_TARGETS@) +-- +2.39.2 + diff --git a/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb index d3984abe8b..e04d4705a4 100644 --- a/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=6a8aaf0595c2efc1a9c2e0913e9c1a2c" # yaml-cpp releases are stored as archive files in github. # download the exact revision of release SRC_URI = "git://github.com/jbeder/yaml-cpp.git;branch=master;protocol=https" +SRC_URI += "file://0001-Fix-CMake-export-files-1077.patch" SRCREV = "0579ae3d976091d7d664aa9d2527e0d0cff25763" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest b/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest index 5287f3e035..b63c4de0d9 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest @@ -1,3 +1,3 @@ #!/bin/sh -pytest | sed -e 's/\[100%\]//g' | sed -e 's/\.\.F/: FAIL/g' | sed -e 's/\.\.\./: PASS/g' +pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'|sed -e 's/SKIPPED/SKIP/g'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS"){printf "%s: %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print $0}else{print}}' diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.1.7.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.2.1.bb index be806eefaa..b1474cf054 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.1.7.bb +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.2.1.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "44f714b81c5f190d9d2ddad01a532fe502fa01c4cb8faf1d081f4264ed15dcd8" +SRC_URI[sha256sum] = "7efa6b1f781a6119a10ac94b4794ded90db8accbe7802281cd26f8664ffed59c" RDEPENDS:${PN} += "\ ${PYTHON_PN}-sqlparse \ diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch new file mode 100644 index 0000000000..f5526c5b88 --- /dev/null +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch @@ -0,0 +1,51 @@ +From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001 +From: Andi Albrecht <albrecht.andi@gmail.com> +Date: Mon, 20 Mar 2023 08:33:46 +0100 +Subject: [PATCH] Remove unnecessary parts in regex for bad escaping. + +The regex tried to deal with situations where escaping in the +SQL to be parsed was suspicious. + +Upstream-Status: Backport +CVE: CVE-2023-30608 + +Reference to upstream patch: +https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb + +[AZ: drop changes to CHANGELOG file and adjust context whitespaces] +Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com> + +Adjust indentation in keywords.py. +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + sqlparse/keywords.py | 4 ++-- + tests/test_split.py | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- sqlparse-0.4.3.orig/sqlparse/keywords.py ++++ sqlparse-0.4.3/sqlparse/keywords.py +@@ -72,9 +72,9 @@ SQL_REGEX = { + (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])', + tokens.Number.Float), + (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), +- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), ++ (r"'(''|\\'|[^'])*'", tokens.String.Single), + # not a real string literal in ANSI SQL: +- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol), ++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol), + (r'(""|".*?[^\\]")', tokens.String.Symbol), + # sqlite names can be escaped with [square brackets]. left bracket + # cannot be preceded by word character or a right bracket -- +--- sqlparse-0.4.3.orig/tests/test_split.py ++++ sqlparse-0.4.3/tests/test_split.py +@@ -18,8 +18,8 @@ def test_split_semicolon(): + + + def test_split_backslash(): +- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") +- assert len(stmts) == 3 ++ stmts = sqlparse.parse("select '\'; select '\'';") ++ assert len(stmts) == 2 + + + @pytest.mark.parametrize('fn', ['function.sql', diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb index c952c71d0b..a402f991f7 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb @@ -5,6 +5,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=2b136f573f5386001ea3b7b9016222fc" SRC_URI += "file://0001-sqlparse-change-shebang-to-python3.patch \ + file://CVE-2023-30608.patch \ file://run-ptest \ " diff --git a/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb b/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb index cdf4557cd3..21e9b3908f 100644 --- a/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb +++ b/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" inherit autotools gtk-doc gobject-introspection gettext features_check -DEPENDS = "gtk+3 libnotify" +DEPENDS = "autoconf-archive-native gtk+3 libnotify" REQUIRED_DISTRO_FEATURES = "x11" diff --git a/poky/bitbake/lib/bb/runqueue.py b/poky/bitbake/lib/bb/runqueue.py index 02f1474540..99fac63616 100644 --- a/poky/bitbake/lib/bb/runqueue.py +++ b/poky/bitbake/lib/bb/runqueue.py @@ -1991,11 +1991,19 @@ class RunQueueExecute: self.setbuildable(revdep) logger.debug("Marking task %s as buildable", revdep) - for t in self.sq_deferred.copy(): + found = None + for t in sorted(self.sq_deferred.copy()): if self.sq_deferred[t] == task: - logger.debug2("Deferred task %s now buildable" % t) - del self.sq_deferred[t] - update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False) + # Allow the next deferred task to run. Any other deferred tasks should be deferred after that task. + # We shouldn't allow all to run at once as it is prone to races. + if not found: + bb.note("Deferred task %s now buildable" % t) + del self.sq_deferred[t] + update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False) + found = t + else: + bb.note("Deferring %s after %s" % (t, found)) + self.sq_deferred[t] = found def task_complete(self, task): self.stats.taskCompleted() diff --git a/poky/documentation/bsp-guide/bsp.rst b/poky/documentation/bsp-guide/bsp.rst index f2f5d4d954..3be314bcf6 100644 --- a/poky/documentation/bsp-guide/bsp.rst +++ b/poky/documentation/bsp-guide/bsp.rst @@ -109,7 +109,7 @@ them to the "Dependencies" section. Some layers function as a layer to hold other BSP layers. These layers are known as ":term:`container layers <Container Layer>`". An example of -this type of layer is OpenEmbedded's :oe_git:`meta-openbedded </meta-openembedded>` +this type of layer is OpenEmbedded's :oe_git:`meta-openembedded </meta-openembedded>` layer. The ``meta-openembedded`` layer contains many ``meta-*`` layers. In cases like this, you need to include the names of the actual layers you want to work with, such as:: @@ -927,8 +927,8 @@ Yocto Project: - The name and contact information for the BSP layer maintainer. This is the person to whom patches and questions should be sent. For information on how to find the right person, see the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section in the Yocto Project Development Tasks Manual. + :doc:`../contributor-guide/submit-changes` section in the Yocto Project and + OpenEmbedded Contributor Guide. - Instructions on how to build the BSP using the BSP layer. diff --git a/poky/documentation/conf.py b/poky/documentation/conf.py index bd45a73fa6..a64685ec9b 100644 --- a/poky/documentation/conf.py +++ b/poky/documentation/conf.py @@ -91,6 +91,7 @@ rst_prolog = """ # external links and substitutions extlinks = { 'cve': ('https://nvd.nist.gov/vuln/detail/CVE-%s', 'CVE-%s'), + 'cve_mitre': ('https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s', 'CVE-%s'), 'yocto_home': ('https://www.yoctoproject.org%s', None), 'yocto_wiki': ('https://wiki.yoctoproject.org/wiki%s', None), 'yocto_dl': ('https://downloads.yoctoproject.org%s', None), diff --git a/poky/documentation/contributor-guide/identify-component.rst b/poky/documentation/contributor-guide/identify-component.rst new file mode 100644 index 0000000000..a28391a66a --- /dev/null +++ b/poky/documentation/contributor-guide/identify-component.rst @@ -0,0 +1,31 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Identify the component +********************** + +The Yocto Project and OpenEmbedded ecosystem is built of :term:`layers <Layer>` +so the first step is to identify the component where the issue likely lies. +For example, if you have a hardware issue, it is likely related to the BSP +you are using and the best place to seek advice would be from the BSP provider +or :term:`layer`. If the issue is a build/configuration one and a distro is in +use, they would likely be the first place to ask questions. If the issue is a +generic one and/or in the core classes or metadata, the core layer or BitBake +might be the appropriate component. + +Each metadata layer being used should contain a ``README`` file and that should +explain where to report issues, where to send changes and how to contact the +maintainers. + +If the issue is in the core metadata layer (OpenEmbedded-Core) or in BitBake, +issues can be reported in the :yocto_bugs:`Yocto Project Bugzilla <>`. The +:yocto_lists:`yocto </g/yocto>` mailing list is a general “catch-all” location +where questions can be sent if you can’t work out where something should go. + +:term:`Poky` is a commonly used “combination” repository where multiple +components have been combined (:oe_git:`bitbake </bitbake>`, +:oe_git:`openembedded-core </openembedded-core>`, +:yocto_git:`meta-yocto </meta-yocto>` and +:yocto_git:`yocto-docs </yocto-docs>`). Patches should be submitted against the +appropriate individual component rather than :term:`Poky` itself as detailed in +the appropriate ``README`` file. + diff --git a/poky/documentation/contributor-guide/index.rst b/poky/documentation/contributor-guide/index.rst new file mode 100644 index 0000000000..a832169455 --- /dev/null +++ b/poky/documentation/contributor-guide/index.rst @@ -0,0 +1,26 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +================================================ +Yocto Project and OpenEmbedded Contributor Guide +================================================ + +The Yocto Project and OpenEmbedded are open-source, community-based projects so +contributions are very welcome, it is how the code evolves and everyone can +effect change. Contributions take different forms, if you have a fix for an +issue you’ve run into, a patch is the most appropriate way to contribute it. +If you run into an issue but don’t have a solution, opening a defect in +:yocto_bugs:`Bugzilla <>` or asking questions on the mailing lists might be +more appropriate. This guide intends to point you in the right direction to +this. + + +.. toctree:: + :caption: Table of Contents + :numbered: + + identify-component + report-defect + recipe-style-guide + submit-changes + +.. include:: /boilerplate.rst diff --git a/poky/documentation/contributor-guide/recipe-style-guide.rst b/poky/documentation/contributor-guide/recipe-style-guide.rst new file mode 100644 index 0000000000..99105179a6 --- /dev/null +++ b/poky/documentation/contributor-guide/recipe-style-guide.rst @@ -0,0 +1,338 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Recipe Style Guide +****************** + +Recipe Naming Conventions +========================= + +In general, most recipes should follow the naming convention +``recipes-category/package/packagename_version.bb``. Recipes for related +projects may share the same package directory. ``packagename``, ``category``, +and ``package`` may contain hyphens, but hyphens are not allowed in ``version``. + +If the recipe is tracking a Git revision that does not correspond to a released +version of the software, ``version`` may be ``git`` (e.g. ``packagename_git.bb``) + +Version Policy +============== + +Our versions follow the form ``<package epoch>:<package version>-<package revision>`` +or in BitBake variable terms ${:term:`PE`}:${:term:`PV`}-${:term:`PR`}. We +generally follow the `Debian <https://www.debian.org/doc/debian-policy/ch-controlfields.html#version>`__ +version policy which defines these terms. + +In most cases the version :term:`PV` will be set automatically from the recipe +file name. It is recommended to use released versions of software as these are +revisions that upstream are expecting people to use. + +Package versions should always compare and sort correctly so that upgrades work +as expected. With conventional versions such as ``1.4`` upgrading ``to 1.5`` +this happens naturally, but some versions don't sort. For example, +``1.5 Release Candidate 2`` could be written as ``1.5rc2`` but this sorts after +``1.5``, so upgrades from feeds won't happen correctly. + +Instead the tilde (``~``) operator can be used, which sorts before the empty +string so ``1.5~rc2`` comes before ``1.5``. There is a historical syntax which +may be found where :term:`PV` is set as a combination of the prior version +``+`` the pre-release version, for example ``PV=1.4+1.5rc2``. This is a valid +syntax but the tilde form is preferred. + +For version comparisons, the ``opkg-compare-versions`` program from +``opkg-utils`` can be useful when attempting to determine how two version +numbers compare to each other. Our definitive version comparison algorithm is +the one within bitbake which aims to match those of the package managers and +Debian policy closely. + +When a recipe references a git revision that does not correspond to a released +version of software (e.g. is not a tagged version), the :term:`PV` variable +should include the Git revision using the following to make the +version clear:: + + PV = "<version>+git${SRCPV}" + +In this case, ``<version>`` should be the most recently released version of the +software from the current source revision (``git describe`` can be useful for +determining this). Whilst not recommended for published layers, this format is +also useful when using :term:`AUTOREV` to set the recipe to increment source +control revisions automatically, which can be useful during local development. + +Version Number Changes +====================== + +The :term:`PR` variable is used to indicate different revisions of a recipe +that reference the same upstream source version. It can be used to force a +new version of a package to be installed onto a device from a package feed. +These once had to be set manually but in most cases these can now be set and +incremented automatically by a PR Server connected with a package feed. + +When :term:`PV` increases, any existing :term:`PR` value can and should be +removed. + +If :term:`PV` changes in such a way that it does not increase with respect to +the previous value, you need to increase :term:`PE` to ensure package managers +will upgrade it correctly. If unset you should set :term:`PE` to "1" since +the default of empty is easily confused with "0" depending on the package +manager. :term:`PE` can only have an integer value. + +Recipe formatting +================= + +Variable Formatting +------------------- + +- Variable assignment should a space around each side of the operator, e.g. + ``FOO = "bar"``, not ``FOO="bar"``. + +- Double quotes should be used on the right-hand side of the assignment, + e.g. ``FOO = "bar"`` not ``FOO = 'bar'`` + +- Spaces should be used for indenting variables, with 4 spaces per tab + +- Long variables should be split over multiple lines when possible by using + the continuation character (``\``) + +- When splitting a long variable over multiple lines, all continuation lines + should be indented (with spaces) to align with the start of the quote on the + first line:: + + FOO = "this line is \ + long \ + " + + Instead of:: + + FOO = "this line is \ + long \ + " + +Python Function formatting +-------------------------- + +- Spaces must be used for indenting Python code, with 4 spaces per tab + +Shell Function formatting +------------------------- + +- The formatting of shell functions should be consistent within layers. + Some use tabs, some use spaces. + +Recipe metadata +=============== + +Required Variables +------------------ + +The following variables should be included in all recipes: + +- :term:`SUMMARY`: a one line description of the upstream project + +- :term:`DESCRIPTION`: an extended description of the upstream project, + possibly with multiple lines. If no reasonable description can be written, + this may be omitted as it defaults to :term:`SUMMARY`. + +- :term:`HOMEPAGE`: the URL to the upstream projects homepage. + +- :term:`BUGTRACKER`: the URL upstream projects bug tracking website, + if applicable. + +Recipe Ordering +--------------- + +When a variable is defined in recipes and classes, variables should follow the +general order when possible: + +- :term:`SUMMARY` +- :term:`DESCRIPTION` +- :term:`HOMEPAGE` +- :term:`BUGTRACKER` +- :term:`SECTION` +- :term:`LICENSE` +- :term:`LIC_FILES_CHKSUM` +- :term:`DEPENDS` +- :term:`PROVIDES` +- :term:`PV` +- :term:`SRC_URI` +- :term:`SRCREV` +- :term:`S` +- ``inherit ...`` +- :term:`PACKAGECONFIG` +- Build class specific variables such as ``EXTRA_QMAKEVARS_POST`` and :term:`EXTRA_OECONF` +- Tasks such as :ref:`ref-tasks-configure` +- :term:`PACKAGE_ARCH` +- :term:`PACKAGES` +- :term:`FILES` +- :term:`RDEPENDS` +- :term:`RRECOMMENDS` +- :term:`RSUGGESTS` +- :term:`RPROVIDES` +- :term:`RCONFLICTS` +- :term:`BBCLASSEXTEND` + +There are some cases where ordering is important and these cases would override +this default order. Examples include: + +- :term:`PACKAGE_ARCH` needing to be set before ``inherit packagegroup`` + +Tasks should be ordered based on the order they generally execute. For commonly +used tasks this would be: + +- :ref:`ref-tasks-fetch` +- :ref:`ref-tasks-unpack` +- :ref:`ref-tasks-patch` +- :ref:`ref-tasks-prepare_recipe_sysroot` +- :ref:`ref-tasks-configure` +- :ref:`ref-tasks-compile` +- :ref:`ref-tasks-install` +- :ref:`ref-tasks-populate_sysroot` +- :ref:`ref-tasks-package` + +Custom tasks should be sorted similarly. + +Package specific variables are typically grouped together, e.g.:: + + RDEPENDS:${PN} = “foo” + RDEPENDS:${PN}-libs = “bar” + + RRECOMMENDS:${PN} = “one” + RRECOMMENDS:${PN}-libs = “two” + +Recipe License Fields +--------------------- + +Recipes need to define both the :term:`LICENSE` and +:term:`LIC_FILES_CHKSUM` variables: + +- :term:`LICENSE`: This variable specifies the license for the software. + If you do not know the license under which the software you are + building is distributed, you should go to the source code and look + for that information. Typical files containing this information + include ``COPYING``, :term:`LICENSE`, and ``README`` files. You could + also find the information near the top of a source file. For example, + given a piece of software licensed under the GNU General Public + License version 2, you would set :term:`LICENSE` as follows:: + + LICENSE = "GPL-2.0-only" + + The licenses you specify within :term:`LICENSE` can have any name as long + as you do not use spaces, since spaces are used as separators between + license names. For standard licenses, use the names of the files in + ``meta/files/common-licenses/`` or the :term:`SPDXLICENSEMAP` flag names + defined in ``meta/conf/licenses.conf``. + +- :term:`LIC_FILES_CHKSUM`: The OpenEmbedded build system uses this + variable to make sure the license text has not changed. If it has, + the build produces an error and it affords you the chance to figure + it out and correct the problem. + + You need to specify all applicable licensing files for the software. + At the end of the configuration step, the build process will compare + the checksums of the files to be sure the text has not changed. Any + differences result in an error with the message containing the + current checksum. For more explanation and examples of how to set the + :term:`LIC_FILES_CHKSUM` variable, see the + ":ref:`dev-manual/licenses:tracking license changes`" section. + + To determine the correct checksum string, you can list the + appropriate files in the :term:`LIC_FILES_CHKSUM` variable with incorrect + md5 strings, attempt to build the software, and then note the + resulting error messages that will report the correct md5 strings. + See the ":ref:`dev-manual/new-recipe:fetching code`" section for + additional information. + + Here is an example that assumes the software has a ``COPYING`` file:: + + LIC_FILES_CHKSUM = "file://COPYING;md5=xxx" + + When you try to build the + software, the build system will produce an error and give you the + correct string that you can substitute into the recipe file for a + subsequent build. + +Tips and Guidelines for Writing Recipes +--------------------------------------- + +- Use :term:`BBCLASSEXTEND` instead of creating separate recipes such as ``-native`` + and ``-nativesdk`` ones, whenever possible. This avoids having to maintain multiple + recipe files at the same time. + +Patch Upstream Status +===================== + +In order to keep track of patches applied by recipes and ultimately reduce the +number of patches that need maintaining, the OpenEmbedded build system +requires information about the upstream status of each patch. + +In its description, each patch should provide detailed information about the +bug that it addresses, such as the URL in a bug tracking system and links +to relevant mailing list archives. + +Then, you should also add an ``Upstream-Status:`` tag containing one of the +following status strings: + +``Pending`` + No determination has been made yet or not yet submitted to upstream. + +``Submitted [where]`` + Submitted to upstream, waiting for approval. Optionally include where + it was submitted, such as the author, mailing list, etc. + +``Accepted`` + Accepted in upstream, expect it to be removed at next update, include + expected version info. + +``Backport`` + Backported from new upstream version, because we are at a fixed version, + include upstream version info. + +``Denied`` + Not accepted by upstream, include reason in patch. + +``Inactive-Upstream [lastcommit: when (and/or) lastrelease: when]`` + The upstream is no longer available. This typically means a defunct project + where no activity has happened for a long time --- measured in years. To make + that judgement, it is recommended to look at not only when the last release + happened, but also when the last commit happened, and whether newly made bug + reports and merge requests since that time receive no reaction. It is also + recommended to add to the patch description any relevant links where the + inactivity can be clearly seen. + +``Inappropriate [reason]`` + The patch is not appropriate for upstream, include a brief reason on the + same line enclosed with ``[]``. The reason can be: + + - ``not author`` (you are not the author and do not intend to upstream this, + the source must be listed in the comments) + - ``native`` + - ``licensing`` + - ``configuration`` + - ``enable feature`` + - ``disable feature`` + - ``bugfix`` (add bug URL here) + - ``embedded specific`` + - ``other`` (give details in comments) + +The various ``Inappropriate [reason]`` status items are meant to indicate that +the person responsible for adding this patch to the system does not intend to +upstream the patch for a specific reason. + +Of course, if another person later takes care of submitting this patch upstream, +the status should be changed to ``Submitted [where]``, and an additional +``Signed-off-by:`` line should be added to the patch by the person claiming +responsibility for upstreaming. + +For example, if the patch has been submitted upstream:: + + rpm: Adjusted the foo setting in bar + + [RPM Ticket #65] -- http://rpm5.org/cvs/tktview?tn=65,5 + + The foo setting in bar was decreased from X to X-50% in order to + ensure we don't exhaust all system memory with foobar threads. + + Upstream-Status: Submitted [rpm5-devel@rpm5.org] + + Signed-off-by: Joe Developer <joe.developer@example.com> + +A future update can change the value to ``Accepted`` or ``Denied`` as +appropriate. diff --git a/poky/documentation/contributor-guide/report-defect.rst b/poky/documentation/contributor-guide/report-defect.rst new file mode 100644 index 0000000000..8ef133b842 --- /dev/null +++ b/poky/documentation/contributor-guide/report-defect.rst @@ -0,0 +1,67 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Reporting a Defect Against the Yocto Project and OpenEmbedded +************************************************************** + +You can use the Yocto Project instance of +`Bugzilla <https://www.bugzilla.org/about/>`__ to submit a defect (bug) +against BitBake, OpenEmbedded-Core, against any other Yocto Project component +or for tool issues. For additional information on this implementation of +Bugzilla see the ":ref:`Yocto Project Bugzilla <resources-bugtracker>`" section +in the Yocto Project Reference Manual. For more detail on any of the following +steps, see the Yocto Project +:yocto_wiki:`Bugzilla wiki page </Bugzilla_Configuration_and_Bug_Tracking>`. + +Use the following general steps to submit a bug: + +#. Open the Yocto Project implementation of :yocto_bugs:`Bugzilla <>`. + +#. Click "File a Bug" to enter a new bug. + +#. Choose the appropriate "Classification", "Product", and "Component" + for which the bug was found. Bugs for the Yocto Project fall into + one of several classifications, which in turn break down into + several products and components. For example, for a bug against the + ``meta-intel`` layer, you would choose "Build System, Metadata & + Runtime", "BSPs", and "bsps-meta-intel", respectively. + +#. Choose the "Version" of the Yocto Project for which you found the + bug (e.g. &DISTRO;). + +#. Determine and select the "Severity" of the bug. The severity + indicates how the bug impacted your work. + +#. Choose the "Hardware" that the bug impacts. + +#. Choose the "Architecture" that the bug impacts. + +#. Choose a "Documentation change" item for the bug. Fixing a bug might + or might not affect the Yocto Project documentation. If you are + unsure of the impact to the documentation, select "Don't Know". + +#. Provide a brief "Summary" of the bug. Try to limit your summary to + just a line or two and be sure to capture the essence of the bug. + +#. Provide a detailed "Description" of the bug. You should provide as + much detail as you can about the context, behavior, output, and so + forth that surrounds the bug. You can even attach supporting files + for output from logs by using the "Add an attachment" button. + +#. Click the "Submit Bug" button submit the bug. A new Bugzilla number + is assigned to the bug and the defect is logged in the bug tracking + system. + +Once you file a bug, the bug is processed by the Yocto Project Bug +Triage Team and further details concerning the bug are assigned (e.g. +priority and owner). You are the "Submitter" of the bug and any further +categorization, progress, or comments on the bug result in Bugzilla +sending you an automated email concerning the particular change or +progress to the bug. + +There are no guarantees about if or when a bug might be worked on since an +open-source project has no dedicated engineering resources. However, the +project does have a good track record of resolving common issues over the +medium and long term. We do encourage people to file bugs so issues are +at least known about. It helps other users when they find somebody having +the same issue as they do, and an issue that is unknown is much less likely +to ever be fixed! diff --git a/poky/documentation/contributor-guide/submit-changes.rst b/poky/documentation/contributor-guide/submit-changes.rst new file mode 100644 index 0000000000..cda2d12d25 --- /dev/null +++ b/poky/documentation/contributor-guide/submit-changes.rst @@ -0,0 +1,754 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Contributing Changes to a Component +************************************ + +Contributions to the Yocto Project and OpenEmbedded are very welcome. +Because the system is extremely configurable and flexible, we recognize +that developers will want to extend, configure or optimize it for their +specific uses. + +.. _ref-why-mailing-lists: + +Contributing through mailing lists --- Why not using web-based workflows? +========================================================================= + +Both Yocto Project and OpenEmbedded have many key components that are +maintained by patches being submitted on mailing lists. We appreciate this +approach does look a little old fashioned when other workflows are available +through web technology such as GitHub, GitLab and others. Since we are often +asked this question, we’ve decided to document the reasons for using mailing +lists. + +One significant factor is that we value peer review. When a change is proposed +to many of the core pieces of the project, it helps to have many eyes of review +go over them. Whilst there is ultimately one maintainer who needs to make the +final call on accepting or rejecting a patch, the review is made by many eyes +and the exact people reviewing it are likely unknown to the maintainer. It is +often the surprise reviewer that catches the most interesting issues! + +This is in contrast to the "GitHub" style workflow where either just a +maintainer makes that review, or review is specifically requested from +nominated people. We believe there is significant value added to the codebase +by this peer review and that moving away from mailing lists would be to the +detriment of our code. + +We also need to acknowledge that many of our developers are used to this +mailing list workflow and have worked with it for years, with tools and +processes built around it. Changing away from this would result in a loss +of key people from the project, which would again be to its detriment. + +The projects are acutely aware that potential new contributors find the +mailing list approach off-putting and would prefer a web-based GUI. +Since we don’t believe that can work for us, the project is aiming to ensure +`patchwork <https://patchwork.yoctoproject.org/>`__ is available to help track +patch status and also looking at how tooling can provide more feedback to users +about patch status. We are looking at improving tools such as ``patchtest`` to +test user contributions before they hit the mailing lists and also at better +documenting how to use such workflows since we recognise that whilst this was +common knowledge a decade ago, it might not be as familiar now. + +Preparing Changes for Submission +================================ + +Set up Git +---------- + +The first thing to do is to install Git packages. Here is an example +on Debian and Ubuntu:: + + sudo aptitude install git-core git-email + +Then, you need to set a name and e-mail address that Git will +use to identify your commits:: + + git config --global user.name "Ada Lovelace" + git config --global user.email "ada.lovelace@gmail.com" + +Clone the Git repository for the component to modify +---------------------------------------------------- + +After identifying the component to modify as described in the +":doc:`../contributor-guide/identify-component`" section, clone the +corresponding Git repository. Here is an example for OpenEmbedded-Core:: + + git clone https://git.openembedded.org/openembedded-core + cd openembedded-core + +Create a new branch +------------------- + +Then, create a new branch in your local Git repository +for your changes, starting from the reference branch in the upstream +repository (often called ``master``):: + + $ git checkout <ref-branch> + $ git checkout -b my-changes + +If you have completely unrelated sets of changes to submit, you should even +create one branch for each set. + +Implement and commit changes +---------------------------- + +In each branch, you should group your changes into small, controlled and +isolated ones. Keeping changes small and isolated aids review, makes +merging/rebasing easier and keeps the change history clean should anyone need +to refer to it in future. + +To this purpose, you should create *one Git commit per change*, +corresponding to each of the patches you will eventually submit. +See `further guidance <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#separate-your-changes>`__ +in the Linux kernel documentation if needed. + +For example, when you intend to add multiple new recipes, each recipe +should be added in a separate commit. For upgrades to existing recipes, +the previous version should usually be deleted as part of the same commit +to add the upgraded version. + +#. *Stage Your Changes:* Stage your changes by using the ``git add`` + command on each file you modified. If you want to stage all the + files you modified, you can even use the ``git add -A`` command. + +#. *Commit Your Changes:* This is when you can create separate commits. For + each commit to create, use the ``git commit -s`` command with the files + or directories you want to include in the commit:: + + $ git commit -s file1 file2 dir1 dir2 ... + + To include **a**\ ll staged files:: + + $ git commit -sa + + - The ``-s`` option of ``git commit`` adds a "Signed-off-by:" line + to your commit message. There is the same requirement for contributing + to the Linux kernel. Adding such a line signifies that you, the + submitter, have agreed to the `Developer's Certificate of Origin 1.1 + <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin>`__ + as follows: + + .. code-block:: none + + Developer's Certificate of Origin 1.1 + + By making a contribution to this project, I certify that: + + (a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + + (b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + + (c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + + (d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. + + - Provide a single-line summary of the change and, if more + explanation is needed, provide more detail in the body of the + commit. This summary is typically viewable in the "shortlist" of + changes. Thus, providing something short and descriptive that + gives the reader a summary of the change is useful when viewing a + list of many commits. You should prefix this short description + with the recipe name (if changing a recipe), or else with the + short form path to the file being changed. + + .. note:: + + To find a suitable prefix for the commit summary, a good idea + is to look for prefixes used in previous commits touching the + same files or directories:: + + git log --oneline <paths> + + - For the body of the commit message, provide detailed information + that describes what you changed, why you made the change, and the + approach you used. It might also be helpful if you mention how you + tested the change. Provide as much detail as you can in the body + of the commit message. + + .. note:: + + If the single line summary is enough to describe a simple + change, the body of the commit message can be left empty. + + - If the change addresses a specific bug or issue that is associated + with a bug-tracking ID, include a reference to that ID in your + detailed description. For example, the Yocto Project uses a + specific convention for bug references --- any commit that addresses + a specific bug should use the following form for the detailed + description. Be sure to use the actual bug-tracking ID from + Bugzilla for bug-id:: + + Fixes [YOCTO #bug-id] + + detailed description of change + +#. *Crediting contributors:* By using the ``git commit --amend`` command, + you can add some tags to the commit description to credit other contributors + to the change: + + - ``Reported-by``: name and email of a person reporting a bug + that your commit is trying to fix. This is a good practice + to encourage people to go on reporting bugs and let them + know that their reports are taken into account. + + - ``Suggested-by``: name and email of a person to credit for the + idea of making the change. + + - ``Tested-by``, ``Reviewed-by``: name and email for people having + tested your changes or reviewed their code. These fields are + usually added by the maintainer accepting a patch, or by + yourself if you submitted your patches to early reviewers, + or are submitting an unmodified patch again as part of a + new iteration of your patch series. + + - ``CC:`` Name and email of people you want to send a copy + of your changes to. This field will be used by ``git send-email``. + + See `more guidance about using such tags + <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#using-reported-by-tested-by-reviewed-by-suggested-by-and-fixes>`__ + in the Linux kernel documentation. + +Creating Patches +================ + +Here is the general procedure on how to create patches to be sent through email: + +#. *Describe the Changes in your Branch:* If you have more than one commit + in your branch, it's recommended to provide a cover letter describing + the series of patches you are about to send. + + For this purpose, a good solution is to store the cover letter contents + in the branch itself:: + + git branch --edit-description + + This will open a text editor to fill in the description for your + changes. This description can be updated when necessary and will + be used by Git to create the cover letter together with the patches. + + It is recommended to start this description with a title line which + will serve a the subject line for the cover letter. + +#. *Generate Patches for your Branch:* The ``git format-patch`` command will + generate patch files for each of the commits in your branch. You need + to pass the reference branch your branch starts from. + + If you branch didn't need a description in the previous step:: + + $ git format-patch <ref-branch> + + If you filled a description for your branch, you will want to generate + a cover letter too:: + + $ git format-patch --cover-letter --cover-from-description=auto <ref-branch> + + After the command is run, the current directory contains numbered + ``.patch`` files for the commits in your branch. If you have a cover + letter, it will be in the ``0000-cover-letter.patch``. + + .. note:: + + The ``--cover-from-description=auto`` option makes ``git format-patch`` + use the first paragraph of the branch description as the cover + letter title. Another possibility, which is easier to remember, is to pass + only the ``--cover-letter`` option, but you will have to edit the + subject line manually every time you generate the patches. + + See the `git format-patch manual page <https://git-scm.com/docs/git-format-patch>`__ + for details. + +#. *Review each of the Patch Files:* This final review of the patches + before sending them often allows to view your changes from a different + perspective and discover defects such as typos, spacing issues or lines + or even files that you didn't intend to modify. This review should + include the cover letter patch too. + + If necessary, rework your commits as described in + ":ref:`contributor-guide/submit-changes:taking patch review into account`". + +Sending the Patches via Email +============================= + +Using Git to Send Patches +------------------------- + +To submit patches through email, it is very important that you send them +without any whitespace or HTML formatting that either you or your mailer +introduces. The maintainer that receives your patches needs to be able +to save and apply them directly from your emails, using the ``git am`` +command. + +Using the ``git send-email`` command is the only error-proof way of sending +your patches using email since there is no risk of compromising whitespace +in the body of the message, which can occur when you use your own mail +client. It will also properly include your patches as *inline attachments*, +which is not easy to do with standard e-mail clients without breaking lines. +If you used your regular e-mail client and shared your patches as regular +attachments, reviewers wouldn't be able to quote specific sections of your +changes and make comments about them. + +Setting up Git to Send Email +---------------------------- + +The ``git send-email`` command can send email by using a local or remote +Mail Transport Agent (MTA) such as ``msmtp``, ``sendmail``, or +through a direct SMTP configuration in your Git ``~/.gitconfig`` file. + +Here are the settings for letting ``git send-email`` send e-mail through your +regular STMP server, using a Google Mail account as an example:: + + git config --global sendemail.smtpserver smtp.gmail.com + git config --global sendemail.smtpserverport 587 + git config --global sendemail.smtpencryption tls + git config --global sendemail.smtpuser ada.lovelace@gmail.com + git config --global sendemail.smtppass = XXXXXXXX + +These settings will appear in the ``.gitconfig`` file in your home directory. + +If you neither can use a local MTA nor SMTP, make sure you use an email client +that does not touch the message (turning spaces in tabs, wrapping lines, etc.). +A good mail client to do so is Pine (or Alpine) or Mutt. For more +information about suitable clients, see `Email clients info for Linux +<https://www.kernel.org/doc/html/latest/process/email-clients.html>`__ +in the Linux kernel sources. + +If you use such clients, just include the patch in the body of your email. + +Finding a Suitable Mailing List +------------------------------- + +You should send patches to the appropriate mailing list so that they can be +reviewed by the right contributors and merged by the appropriate maintainer. +The specific mailing list you need to use depends on the location of the code +you are changing. + +If people have concerns with any of the patches, they will usually voice +their concern over the mailing list. If patches do not receive any negative +reviews, the maintainer of the affected layer typically takes them, tests them, +and then based on successful testing, merges them. + +In general, each component (e.g. layer) should have a ``README`` file +that indicates where to send the changes and which process to follow. + +The "poky" repository, which is the Yocto Project's reference build +environment, is a hybrid repository that contains several individual +pieces (e.g. BitBake, Metadata, documentation, and so forth) built using +the combo-layer tool. The upstream location used for submitting changes +varies by component: + +- *Core Metadata:* Send your patches to the + :oe_lists:`openembedded-core </g/openembedded-core>` + mailing list. For example, a change to anything under the ``meta`` or + ``scripts`` directories should be sent to this mailing list. + +- *BitBake:* For changes to BitBake (i.e. anything under the + ``bitbake`` directory), send your patches to the + :oe_lists:`bitbake-devel </g/bitbake-devel>` + mailing list. + +- *"meta-\*" trees:* These trees contain Metadata. Use the + :yocto_lists:`poky </g/poky>` mailing list. + +- *Documentation*: For changes to the Yocto Project documentation, use the + :yocto_lists:`docs </g/docs>` mailing list. + +For changes to other layers and tools hosted in the Yocto Project source +repositories (i.e. :yocto_git:`git.yoctoproject.org <>`), use the +:yocto_lists:`yocto </g/yocto/>` general mailing list. + +For changes to other layers hosted in the OpenEmbedded source +repositories (i.e. :oe_git:`git.openembedded.org <>`), use +the :oe_lists:`openembedded-devel </g/openembedded-devel>` +mailing list, unless specified otherwise in the layer's ``README`` file. + +If you intend to submit a new recipe that neither fits into the core Metadata, +nor into :oe_git:`meta-openembedded </meta-openembedded/>`, you should +look for a suitable layer in https://layers.openembedded.org. If similar +recipes can be expected, you may consider :ref:`dev-manual/layers:creating your own layer`. + +If in doubt, please ask on the :yocto_lists:`yocto </g/yocto/>` general mailing list +or on the :oe_lists:`openembedded-devel </g/openembedded-devel>` mailing list. + +Subscribing to the Mailing List +------------------------------- + +After identifying the right mailing list to use, you will have to subscribe to +it if you haven't done it yet. + +If you attempt to send patches to a list you haven't subscribed to, your email +will be returned as undelivered. + +However, if you don't want to be receive all the messages sent to a mailing list, +you can set your subscription to "no email". You will still be a subscriber able +to send messages, but you won't receive any e-mail. If people reply to your message, +their e-mail clients will default to including your email address in the +conversation anyway. + +Anyway, you'll also be able to access the new messages on mailing list archives, +either through a web browser, or for the lists archived on https://lore.kernelorg, +through an individual newsgroup feed or a git repository. + +Sending Patches via Email +------------------------- + +At this stage, you are ready to send your patches via email. Here's the +typical usage of ``git send-email``:: + + git send-email --to <mailing-list-address> *.patch + +Then, review each subject line and list of recipients carefully, and then +and then allow the command to send each message. + +You will see that ``git send-email`` will automatically copy the people listed +in any commit tags such as ``Signed-off-by`` or ``Reported-by``. + +In case you are sending patches for :oe_git:`meta-openembedded </meta-openembedded/>` +or any layer other than :oe_git:`openembedded-core </openembedded-core/>`, +please add the appropriate prefix so that it is clear which layer the patch is intended +to be applied to:: + + git send-email --subject-prefix="meta-oe][PATCH" ... + +.. note:: + + It is actually possible to send patches without generating them + first. However, make sure you have reviewed your changes carefully + because ``git send-email`` will just show you the title lines of + each patch. + + Here's a command you can use if you just have one patch in your + branch:: + + git send-email --to <mailing-list-address> -1 + + If you have multiple patches and a cover letter, you can send + patches for all the commits between the reference branch + and the tip of your branch:: + + git send-email --cover-letter --cover-from-description=auto --to <mailing-list-address> -M <ref-branch> + +See the `git send-email manual page <https://git-scm.com/docs/git-send-email>`__ +for details. + +Troubleshooting Email Issues +---------------------------- + +Fixing your From identity +~~~~~~~~~~~~~~~~~~~~~~~~~ + +We have a frequent issue with contributors whose patches are received through +a ``From`` field which doesn't match the ``Signed-off-by`` information. Here is +a typical example for people sending from a domain name with :wikipedia:`DMARC`:: + + From: "Linus Torvalds via lists.openembedded.org <linus.torvalds=kernel.org@lists.openembedded.org>" + +This ``From`` field is used by ``git am`` to recreate commits with the right +author name. The following will ensure that your e-mails have an additional +``From`` field at the beginning of the Email body, and therefore that +maintainers accepting your patches don't have to fix commit author information +manually:: + + git config --global sendemail.from "linus.torvalds@kernel.org" + +The ``sendemail.from`` should match your ``user.email`` setting, +which appears in the ``Signed-off-by`` line of your commits. + +Streamlining git send-email usage +--------------------------------- + +If you want to save time and not be forced to remember the right options to use +with ``git send-email``, you can use Git configuration settings. + +- To set the right mailing list address for a given repository:: + + git config --local sendemail.to openembedded-devel@lists.openembedded.org + +- If the mailing list requires a subject prefix for the layer + (this only works when the repository only contains one layer):: + + git config --local format.subjectprefix "meta-something][PATCH" + +Using Scripts to Push a Change Upstream and Request a Pull +========================================================== + +For larger patch series it is preferable to send a pull request which not +only includes the patch but also a pointer to a branch that can be pulled +from. This involves making a local branch for your changes, pushing this +branch to an accessible repository and then using the ``create-pull-request`` +and ``send-pull-request`` scripts from openembedded-core to create and send a +patch series with a link to the branch for review. + +Follow this procedure to push a change to an upstream "contrib" Git +repository once the steps in +":ref:`contributor-guide/submit-changes:preparing changes for submission`" +have been followed: + +.. note:: + + You can find general Git information on how to push a change upstream + in the + `Git Community Book <https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows>`__. + +#. *Request Push Access to an "Upstream" Contrib Repository:* Send an email to + ``helpdesk@yoctoproject.org``: + + - Attach your SSH public key which usually named ``id_rsa.pub.``. + If you don't have one generate it by running ``ssh-keygen -t rsa -b 4096 -C "your_email@example.com"``. + + - List the repositories you're planning to contribute to. + + - Include your preferred branch prefix for ``-contrib`` repositories. + +#. *Push Your Commits to the "Contrib" Upstream:* Push your + changes to that repository:: + + $ git push upstream_remote_repo local_branch_name + + For example, suppose you have permissions to push + into the upstream ``meta-intel-contrib`` repository and you are + working in a local branch named `your_name`\ ``/README``. The following + command pushes your local commits to the ``meta-intel-contrib`` + upstream repository and puts the commit in a branch named + `your_name`\ ``/README``:: + + $ git push meta-intel-contrib your_name/README + +#. *Determine Who to Notify:* Determine the maintainer or the mailing + list that you need to notify for the change. + + Before submitting any change, you need to be sure who the maintainer + is or what mailing list that you need to notify. Use either these + methods to find out: + + - *Maintenance File:* Examine the ``maintainers.inc`` file, which is + located in the :term:`Source Directory` at + ``meta/conf/distro/include``, to see who is responsible for code. + + - *Search by File:* Using :ref:`overview-manual/development-environment:git`, you can + enter the following command to bring up a short list of all + commits against a specific file:: + + git shortlog -- filename + + Just provide the name of the file for which you are interested. The + information returned is not ordered by history but does include a + list of everyone who has committed grouped by name. From the list, + you can see who is responsible for the bulk of the changes against + the file. + + - *Find the Mailing List to Use:* See the + ":ref:`contributor-guide/submit-changes:finding a suitable mailing list`" + section above. + +#. *Make a Pull Request:* Notify the maintainer or the mailing list that + you have pushed a change by making a pull request. + + The Yocto Project provides two scripts that conveniently let you + generate and send pull requests to the Yocto Project. These scripts + are ``create-pull-request`` and ``send-pull-request``. You can find + these scripts in the ``scripts`` directory within the + :term:`Source Directory` (e.g. + ``poky/scripts``). + + Using these scripts correctly formats the requests without + introducing any whitespace or HTML formatting. The maintainer that + receives your patches either directly or through the mailing list + needs to be able to save and apply them directly from your emails. + Using these scripts is the preferred method for sending patches. + + First, create the pull request. For example, the following command + runs the script, specifies the upstream repository in the contrib + directory into which you pushed the change, and provides a subject + line in the created patch files:: + + $ poky/scripts/create-pull-request -u meta-intel-contrib -s "Updated Manual Section Reference in README" + + Running this script forms ``*.patch`` files in a folder named + ``pull-``\ `PID` in the current directory. One of the patch files is a + cover letter. + + Before running the ``send-pull-request`` script, you must edit the + cover letter patch to insert information about your change. After + editing the cover letter, send the pull request. For example, the + following command runs the script and specifies the patch directory + and email address. In this example, the email address is a mailing + list:: + + $ poky/scripts/send-pull-request -p ~/meta-intel/pull-10565 -t meta-intel@lists.yoctoproject.org + + You need to follow the prompts as the script is interactive. + + .. note:: + + For help on using these scripts, simply provide the ``-h`` + argument as follows:: + + $ poky/scripts/create-pull-request -h + $ poky/scripts/send-pull-request -h + +Submitting Changes to Stable Release Branches +============================================= + +The process for proposing changes to a Yocto Project stable branch differs +from the steps described above. Changes to a stable branch must address +identified bugs or CVEs and should be made carefully in order to avoid the +risk of introducing new bugs or breaking backwards compatibility. Typically +bug fixes must already be accepted into the master branch before they can be +backported to a stable branch unless the bug in question does not affect the +master branch or the fix on the master branch is unsuitable for backporting. + +The list of stable branches along with the status and maintainer for each +branch can be obtained from the +:yocto_wiki:`Releases wiki page </Releases>`. + +.. note:: + + Changes will not typically be accepted for branches which are marked as + End-Of-Life (EOL). + +With this in mind, the steps to submit a change for a stable branch are as +follows: + +#. *Identify the bug or CVE to be fixed:* This information should be + collected so that it can be included in your submission. + + See :ref:`dev-manual/vulnerabilities:checking for vulnerabilities` + for details about CVE tracking. + +#. *Check if the fix is already present in the master branch:* This will + result in the most straightforward path into the stable branch for the + fix. + + #. *If the fix is present in the master branch --- submit a backport request + by email:* You should send an email to the relevant stable branch + maintainer and the mailing list with details of the bug or CVE to be + fixed, the commit hash on the master branch that fixes the issue and + the stable branches which you would like this fix to be backported to. + + #. *If the fix is not present in the master branch --- submit the fix to the + master branch first:* This will ensure that the fix passes through the + project's usual patch review and test processes before being accepted. + It will also ensure that bugs are not left unresolved in the master + branch itself. Once the fix is accepted in the master branch a backport + request can be submitted as above. + + #. *If the fix is unsuitable for the master branch --- submit a patch + directly for the stable branch:* This method should be considered as a + last resort. It is typically necessary when the master branch is using + a newer version of the software which includes an upstream fix for the + issue or when the issue has been fixed on the master branch in a way + that introduces backwards incompatible changes. In this case follow the + steps in ":ref:`contributor-guide/submit-changes:preparing changes for submission`" + and in the following sections but modify the subject header of your patch + email to include the name of the stable branch which you are + targetting. This can be done using the ``--subject-prefix`` argument to + ``git format-patch``, for example to submit a patch to the + "&DISTRO_NAME_NO_CAP_MINUS_ONE;" branch use:: + + git format-patch --subject-prefix='&DISTRO_NAME_NO_CAP_MINUS_ONE;][PATCH' ... + +Taking Patch Review into Account +================================ + +You may get feedback on your submitted patches from other community members +or from the automated patchtest service. If issues are identified in your +patches then it is usually necessary to address these before the patches are +accepted into the project. In this case you should your commits according +to the feedback and submit an updated version to the relevant mailing list. + +In any case, never fix reported issues by fixing them in new commits +on the tip of your branch. Always come up with a new series of commits +without the reported issues. + +.. note:: + + It is a good idea to send a copy to the reviewers who provided feedback + to the previous version of the patch. You can make sure this happens + by adding a ``CC`` tag to the commit description:: + + CC: William Shakespeare <bill@yoctoproject.org> + +A single patch can be amended using ``git commit --amend``, and multiple +patches can be easily reworked and reordered through an interactive Git rebase:: + + git rebase -i <ref-branch> + +See `this tutorial <https://hackernoon.com/beginners-guide-to-interactive-rebasing-346a3f9c3a6d>`__ +for practical guidance about using Git interactive rebasing. + +You should also modify the ``[PATCH]`` tag in the email subject line when +sending the revised patch to mark the new iteration as ``[PATCH v2]``, +``[PATCH v3]``, etc as appropriate. This can be done by passing the ``-v`` +argument to ``git format-patch`` with a version number:: + + git format-patch -v2 <ref-branch> + +Lastly please ensure that you also test your revised changes. In particular +please don't just edit the patch file written out by ``git format-patch`` and +resend it. + +Tracking the Status of Patches +============================== + +The Yocto Project uses a `Patchwork instance <https://patchwork.yoctoproject.org/>`__ +to track the status of patches submitted to the various mailing lists and to +support automated patch testing. Each submitted patch is checked for common +mistakes and deviations from the expected patch format and submitters are +notified by ``patchtest`` if such mistakes are found. This process helps to +reduce the burden of patch review on maintainers. + +.. note:: + + This system is imperfect and changes can sometimes get lost in the flow. + Asking about the status of a patch or change is reasonable if the change + has been idle for a while with no feedback. + +If your patches have not had any feedback in a few days, they may have already +been merged. You can run ``git pull`` branch to check this. Note that many if +not most layer maintainers do not send out acknowledgement emails when they +accept patches. Alternatively, if there is no response or merge after a few days +the patch may have been missed or the appropriate reviewers may not currently be +around. It is then perfectly fine to reply to it yourself with a reminder asking +for feedback. + +.. note:: + + Patch reviews for feature and recipe upgrade patches are likely be delayed + during a feature freeze because these types of patches aren't merged during + at that time --- you may have to wait until after the freeze is lifted. + +Maintainers also commonly use ``-next`` branches to test submissions prior to +merging patches. Thus, you can get an idea of the status of a patch based on +whether the patch has been merged into one of these branches. The commonly +used testing branches for OpenEmbedded-Core are as follows: + +- *openembedded-core "master-next" branch:* This branch is part of the + :oe_git:`openembedded-core </openembedded-core/>` repository and contains + proposed changes to the core metadata. + +- *poky "master-next" branch:* This branch is part of the + :yocto_git:`poky </poky/>` repository and combines proposed + changes to BitBake, the core metadata and the poky distro. + +Similarly, stable branches maintained by the project may have corresponding +``-next`` branches which collect proposed changes. For example, +``&DISTRO_NAME_NO_CAP;-next`` and ``&DISTRO_NAME_NO_CAP_MINUS_ONE;-next`` +branches in both the "openembdedded-core" and "poky" repositories. + +Other layers may have similar testing branches but there is no formal +requirement or standard for these so please check the documentation for the +layers you are contributing to. + diff --git a/poky/documentation/dev-manual/building.rst b/poky/documentation/dev-manual/building.rst index 1f1642e846..a395793493 100644 --- a/poky/documentation/dev-manual/building.rst +++ b/poky/documentation/dev-manual/building.rst @@ -273,12 +273,12 @@ loading modules needed to locate and mount the final root filesystem. Follow these steps to create an :term:`Initramfs` image: -#. *Create the :term:`Initramfs` Image Recipe:* You can reference the +#. *Create the Initramfs Image Recipe:* You can reference the ``core-image-minimal-initramfs.bb`` recipe found in the ``meta/recipes-core`` directory of the :term:`Source Directory` as an example from which to work. -#. *Decide if You Need to Bundle the :term:`Initramfs` Image Into the Kernel +#. *Decide if You Need to Bundle the Initramfs Image Into the Kernel Image:* If you want the :term:`Initramfs` image that is built to be bundled in with the kernel image, set the :term:`INITRAMFS_IMAGE_BUNDLE` variable to ``"1"`` in your ``local.conf`` configuration file and set the diff --git a/poky/documentation/dev-manual/changes.rst b/poky/documentation/dev-manual/changes.rst deleted file mode 100644 index 9db6ce010c..0000000000 --- a/poky/documentation/dev-manual/changes.rst +++ /dev/null @@ -1,525 +0,0 @@ -.. SPDX-License-Identifier: CC-BY-SA-2.0-UK - -Making Changes to the Yocto Project -*********************************** - -Because the Yocto Project is an open-source, community-based project, -you can effect changes to the project. This section presents procedures -that show you how to submit a defect against the project and how to -submit a change. - -Submitting a Defect Against the Yocto Project -============================================= - -Use the Yocto Project implementation of -`Bugzilla <https://www.bugzilla.org/about/>`__ to submit a defect (bug) -against the Yocto Project. For additional information on this -implementation of Bugzilla see the ":ref:`Yocto Project -Bugzilla <resources-bugtracker>`" section in the -Yocto Project Reference Manual. For more detail on any of the following -steps, see the Yocto Project -:yocto_wiki:`Bugzilla wiki page </Bugzilla_Configuration_and_Bug_Tracking>`. - -Use the following general steps to submit a bug: - -#. Open the Yocto Project implementation of :yocto_bugs:`Bugzilla <>`. - -#. Click "File a Bug" to enter a new bug. - -#. Choose the appropriate "Classification", "Product", and "Component" - for which the bug was found. Bugs for the Yocto Project fall into - one of several classifications, which in turn break down into - several products and components. For example, for a bug against the - ``meta-intel`` layer, you would choose "Build System, Metadata & - Runtime", "BSPs", and "bsps-meta-intel", respectively. - -#. Choose the "Version" of the Yocto Project for which you found the - bug (e.g. &DISTRO;). - -#. Determine and select the "Severity" of the bug. The severity - indicates how the bug impacted your work. - -#. Choose the "Hardware" that the bug impacts. - -#. Choose the "Architecture" that the bug impacts. - -#. Choose a "Documentation change" item for the bug. Fixing a bug might - or might not affect the Yocto Project documentation. If you are - unsure of the impact to the documentation, select "Don't Know". - -#. Provide a brief "Summary" of the bug. Try to limit your summary to - just a line or two and be sure to capture the essence of the bug. - -#. Provide a detailed "Description" of the bug. You should provide as - much detail as you can about the context, behavior, output, and so - forth that surrounds the bug. You can even attach supporting files - for output from logs by using the "Add an attachment" button. - -#. Click the "Submit Bug" button submit the bug. A new Bugzilla number - is assigned to the bug and the defect is logged in the bug tracking - system. - -Once you file a bug, the bug is processed by the Yocto Project Bug -Triage Team and further details concerning the bug are assigned (e.g. -priority and owner). You are the "Submitter" of the bug and any further -categorization, progress, or comments on the bug result in Bugzilla -sending you an automated email concerning the particular change or -progress to the bug. - -Submitting a Change to the Yocto Project -======================================== - -Contributions to the Yocto Project and OpenEmbedded are very welcome. -Because the system is extremely configurable and flexible, we recognize -that developers will want to extend, configure or optimize it for their -specific uses. - -The Yocto Project uses a mailing list and a patch-based workflow that is -similar to the Linux kernel but contains important differences. In -general, there is a mailing list through which you can submit patches. You -should send patches to the appropriate mailing list so that they can be -reviewed and merged by the appropriate maintainer. The specific mailing -list you need to use depends on the location of the code you are -changing. Each component (e.g. layer) should have a ``README`` file that -indicates where to send the changes and which process to follow. - -You can send the patch to the mailing list using whichever approach you -feel comfortable with to generate the patch. Once sent, the patch is -usually reviewed by the community at large. If somebody has concerns -with the patch, they will usually voice their concern over the mailing -list. If a patch does not receive any negative reviews, the maintainer -of the affected layer typically takes the patch, tests it, and then -based on successful testing, merges the patch. - -The "poky" repository, which is the Yocto Project's reference build -environment, is a hybrid repository that contains several individual -pieces (e.g. BitBake, Metadata, documentation, and so forth) built using -the combo-layer tool. The upstream location used for submitting changes -varies by component: - -- *Core Metadata:* Send your patch to the - :oe_lists:`openembedded-core </g/openembedded-core>` - mailing list. For example, a change to anything under the ``meta`` or - ``scripts`` directories should be sent to this mailing list. - -- *BitBake:* For changes to BitBake (i.e. anything under the - ``bitbake`` directory), send your patch to the - :oe_lists:`bitbake-devel </g/bitbake-devel>` - mailing list. - -- *"meta-\*" trees:* These trees contain Metadata. Use the - :yocto_lists:`poky </g/poky>` mailing list. - -- *Documentation*: For changes to the Yocto Project documentation, use the - :yocto_lists:`docs </g/docs>` mailing list. - -For changes to other layers hosted in the Yocto Project source -repositories (i.e. ``yoctoproject.org``) and tools use the -:yocto_lists:`Yocto Project </g/yocto/>` general mailing list. - -.. note:: - - Sometimes a layer's documentation specifies to use a particular - mailing list. If so, use that list. - -For additional recipes that do not fit into the core Metadata, you -should determine which layer the recipe should go into and submit the -change in the manner recommended by the documentation (e.g. the -``README`` file) supplied with the layer. If in doubt, please ask on the -Yocto general mailing list or on the openembedded-devel mailing list. - -You can also push a change upstream and request a maintainer to pull the -change into the component's upstream repository. You do this by pushing -to a contribution repository that is upstream. See the -":ref:`overview-manual/development-environment:git workflows and the yocto project`" -section in the Yocto Project Overview and Concepts Manual for additional -concepts on working in the Yocto Project development environment. - -Maintainers commonly use ``-next`` branches to test submissions prior to -merging patches. Thus, you can get an idea of the status of a patch based on -whether the patch has been merged into one of these branches. The commonly -used testing branches for OpenEmbedded-Core are as follows: - -- *openembedded-core "master-next" branch:* This branch is part of the - :oe_git:`openembedded-core </openembedded-core/>` repository and contains - proposed changes to the core metadata. - -- *poky "master-next" branch:* This branch is part of the - :yocto_git:`poky </poky/>` repository and combines proposed - changes to BitBake, the core metadata and the poky distro. - -Similarly, stable branches maintained by the project may have corresponding -``-next`` branches which collect proposed changes. For example, -``&DISTRO_NAME_NO_CAP;-next`` and ``&DISTRO_NAME_NO_CAP_MINUS_ONE;-next`` -branches in both the "openembdedded-core" and "poky" repositories. - -Other layers may have similar testing branches but there is no formal -requirement or standard for these so please check the documentation for the -layers you are contributing to. - -The following sections provide procedures for submitting a change. - -Preparing Changes for Submission --------------------------------- - -#. *Make Your Changes Locally:* Make your changes in your local Git - repository. You should make small, controlled, isolated changes. - Keeping changes small and isolated aids review, makes - merging/rebasing easier and keeps the change history clean should - anyone need to refer to it in future. - -#. *Stage Your Changes:* Stage your changes by using the ``git add`` - command on each file you changed. - -#. *Commit Your Changes:* Commit the change by using the ``git commit`` - command. Make sure your commit information follows standards by - following these accepted conventions: - - - Be sure to include a "Signed-off-by:" line in the same style as - required by the Linux kernel. This can be done by using the - ``git commit -s`` command. Adding this line signifies that you, - the submitter, have agreed to the Developer's Certificate of - Origin 1.1 as follows: - - .. code-block:: none - - Developer's Certificate of Origin 1.1 - - By making a contribution to this project, I certify that: - - (a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license - indicated in the file; or - - (b) The contribution is based upon previous work that, to the best - of my knowledge, is covered under an appropriate open source - license and I have the right under that license to submit that - work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am - permitted to submit under a different license), as indicated - in the file; or - - (c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified - it. - - (d) I understand and agree that this project and the contribution - are public and that a record of the contribution (including all - personal information I submit with it, including my sign-off) is - maintained indefinitely and may be redistributed consistent with - this project or the open source license(s) involved. - - - Provide a single-line summary of the change and, if more - explanation is needed, provide more detail in the body of the - commit. This summary is typically viewable in the "shortlist" of - changes. Thus, providing something short and descriptive that - gives the reader a summary of the change is useful when viewing a - list of many commits. You should prefix this short description - with the recipe name (if changing a recipe), or else with the - short form path to the file being changed. - - - For the body of the commit message, provide detailed information - that describes what you changed, why you made the change, and the - approach you used. It might also be helpful if you mention how you - tested the change. Provide as much detail as you can in the body - of the commit message. - - .. note:: - - You do not need to provide a more detailed explanation of a - change if the change is minor to the point of the single line - summary providing all the information. - - - If the change addresses a specific bug or issue that is associated - with a bug-tracking ID, include a reference to that ID in your - detailed description. For example, the Yocto Project uses a - specific convention for bug references --- any commit that addresses - a specific bug should use the following form for the detailed - description. Be sure to use the actual bug-tracking ID from - Bugzilla for bug-id:: - - Fixes [YOCTO #bug-id] - - detailed description of change - -Using Email to Submit a Patch ------------------------------ - -Depending on the components changed, you need to submit the email to a -specific mailing list. For some guidance on which mailing list to use, -see the -:ref:`list <dev-manual/changes:submitting a change to the yocto project>` -at the beginning of this section. For a description of all the available -mailing lists, see the ":ref:`Mailing Lists <resources-mailinglist>`" section in the -Yocto Project Reference Manual. - -Here is the general procedure on how to submit a patch through email -without using the scripts once the steps in -:ref:`dev-manual/changes:preparing changes for submission` have been followed: - -#. *Format the Commit:* Format the commit into an email message. To - format commits, use the ``git format-patch`` command. When you - provide the command, you must include a revision list or a number of - patches as part of the command. For example, either of these two - commands takes your most recent single commit and formats it as an - email message in the current directory:: - - $ git format-patch -1 - - or :: - - $ git format-patch HEAD~ - - After the command is run, the current directory contains a numbered - ``.patch`` file for the commit. - - If you provide several commits as part of the command, the - ``git format-patch`` command produces a series of numbered files in - the current directory – one for each commit. If you have more than - one patch, you should also use the ``--cover`` option with the - command, which generates a cover letter as the first "patch" in the - series. You can then edit the cover letter to provide a description - for the series of patches. For information on the - ``git format-patch`` command, see ``GIT_FORMAT_PATCH(1)`` displayed - using the ``man git-format-patch`` command. - - .. note:: - - If you are or will be a frequent contributor to the Yocto Project - or to OpenEmbedded, you might consider requesting a contrib area - and the necessary associated rights. - -#. *Send the patches via email:* Send the patches to the recipients and - relevant mailing lists by using the ``git send-email`` command. - - .. note:: - - In order to use ``git send-email``, you must have the proper Git packages - installed on your host. - For Ubuntu, Debian, and Fedora the package is ``git-email``. - - The ``git send-email`` command sends email by using a local or remote - Mail Transport Agent (MTA) such as ``msmtp``, ``sendmail``, or - through a direct ``smtp`` configuration in your Git ``~/.gitconfig`` - file. If you are submitting patches through email only, it is very - important that you submit them without any whitespace or HTML - formatting that either you or your mailer introduces. The maintainer - that receives your patches needs to be able to save and apply them - directly from your emails. A good way to verify that what you are - sending will be applicable by the maintainer is to do a dry run and - send them to yourself and then save and apply them as the maintainer - would. - - The ``git send-email`` command is the preferred method for sending - your patches using email since there is no risk of compromising - whitespace in the body of the message, which can occur when you use - your own mail client. The command also has several options that let - you specify recipients and perform further editing of the email - message. For information on how to use the ``git send-email`` - command, see ``GIT-SEND-EMAIL(1)`` displayed using the - ``man git-send-email`` command. - -The Yocto Project uses a `Patchwork instance <https://patchwork.yoctoproject.org/>`__ -to track the status of patches submitted to the various mailing lists and to -support automated patch testing. Each submitted patch is checked for common -mistakes and deviations from the expected patch format and submitters are -notified by patchtest if such mistakes are found. This process helps to -reduce the burden of patch review on maintainers. - -.. note:: - - This system is imperfect and changes can sometimes get lost in the flow. - Asking about the status of a patch or change is reasonable if the change - has been idle for a while with no feedback. - -Using Scripts to Push a Change Upstream and Request a Pull ----------------------------------------------------------- - -For larger patch series it is preferable to send a pull request which not -only includes the patch but also a pointer to a branch that can be pulled -from. This involves making a local branch for your changes, pushing this -branch to an accessible repository and then using the ``create-pull-request`` -and ``send-pull-request`` scripts from openembedded-core to create and send a -patch series with a link to the branch for review. - -Follow this procedure to push a change to an upstream "contrib" Git -repository once the steps in :ref:`dev-manual/changes:preparing changes for submission` have -been followed: - -.. note:: - - You can find general Git information on how to push a change upstream - in the - `Git Community Book <https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows>`__. - -#. *Push Your Commits to a "Contrib" Upstream:* If you have arranged for - permissions to push to an upstream contrib repository, push the - change to that repository:: - - $ git push upstream_remote_repo local_branch_name - - For example, suppose you have permissions to push - into the upstream ``meta-intel-contrib`` repository and you are - working in a local branch named `your_name`\ ``/README``. The following - command pushes your local commits to the ``meta-intel-contrib`` - upstream repository and puts the commit in a branch named - `your_name`\ ``/README``:: - - $ git push meta-intel-contrib your_name/README - -#. *Determine Who to Notify:* Determine the maintainer or the mailing - list that you need to notify for the change. - - Before submitting any change, you need to be sure who the maintainer - is or what mailing list that you need to notify. Use either these - methods to find out: - - - *Maintenance File:* Examine the ``maintainers.inc`` file, which is - located in the :term:`Source Directory` at - ``meta/conf/distro/include``, to see who is responsible for code. - - - *Search by File:* Using :ref:`overview-manual/development-environment:git`, you can - enter the following command to bring up a short list of all - commits against a specific file:: - - git shortlog -- filename - - Just provide the name of the file for which you are interested. The - information returned is not ordered by history but does include a - list of everyone who has committed grouped by name. From the list, - you can see who is responsible for the bulk of the changes against - the file. - - - *Examine the List of Mailing Lists:* For a list of the Yocto - Project and related mailing lists, see the ":ref:`Mailing - lists <resources-mailinglist>`" section in - the Yocto Project Reference Manual. - -#. *Make a Pull Request:* Notify the maintainer or the mailing list that - you have pushed a change by making a pull request. - - The Yocto Project provides two scripts that conveniently let you - generate and send pull requests to the Yocto Project. These scripts - are ``create-pull-request`` and ``send-pull-request``. You can find - these scripts in the ``scripts`` directory within the - :term:`Source Directory` (e.g. - ``poky/scripts``). - - Using these scripts correctly formats the requests without - introducing any whitespace or HTML formatting. The maintainer that - receives your patches either directly or through the mailing list - needs to be able to save and apply them directly from your emails. - Using these scripts is the preferred method for sending patches. - - First, create the pull request. For example, the following command - runs the script, specifies the upstream repository in the contrib - directory into which you pushed the change, and provides a subject - line in the created patch files:: - - $ poky/scripts/create-pull-request -u meta-intel-contrib -s "Updated Manual Section Reference in README" - - Running this script forms ``*.patch`` files in a folder named - ``pull-``\ `PID` in the current directory. One of the patch files is a - cover letter. - - Before running the ``send-pull-request`` script, you must edit the - cover letter patch to insert information about your change. After - editing the cover letter, send the pull request. For example, the - following command runs the script and specifies the patch directory - and email address. In this example, the email address is a mailing - list:: - - $ poky/scripts/send-pull-request -p ~/meta-intel/pull-10565 -t meta-intel@lists.yoctoproject.org - - You need to follow the prompts as the script is interactive. - - .. note:: - - For help on using these scripts, simply provide the ``-h`` - argument as follows:: - - $ poky/scripts/create-pull-request -h - $ poky/scripts/send-pull-request -h - -Responding to Patch Review --------------------------- - -You may get feedback on your submitted patches from other community members -or from the automated patchtest service. If issues are identified in your -patch then it is usually necessary to address these before the patch will be -accepted into the project. In this case you should amend the patch according -to the feedback and submit an updated version to the relevant mailing list, -copying in the reviewers who provided feedback to the previous version of the -patch. - -The patch should be amended using ``git commit --amend`` or perhaps ``git -rebase`` for more expert git users. You should also modify the ``[PATCH]`` -tag in the email subject line when sending the revised patch to mark the new -iteration as ``[PATCH v2]``, ``[PATCH v3]``, etc as appropriate. This can be -done by passing the ``-v`` argument to ``git format-patch`` with a version -number. - -Lastly please ensure that you also test your revised changes. In particular -please don't just edit the patch file written out by ``git format-patch`` and -resend it. - -Submitting Changes to Stable Release Branches ---------------------------------------------- - -The process for proposing changes to a Yocto Project stable branch differs -from the steps described above. Changes to a stable branch must address -identified bugs or CVEs and should be made carefully in order to avoid the -risk of introducing new bugs or breaking backwards compatibility. Typically -bug fixes must already be accepted into the master branch before they can be -backported to a stable branch unless the bug in question does not affect the -master branch or the fix on the master branch is unsuitable for backporting. - -The list of stable branches along with the status and maintainer for each -branch can be obtained from the -:yocto_wiki:`Releases wiki page </Releases>`. - -.. note:: - - Changes will not typically be accepted for branches which are marked as - End-Of-Life (EOL). - -With this in mind, the steps to submit a change for a stable branch are as -follows: - -#. *Identify the bug or CVE to be fixed:* This information should be - collected so that it can be included in your submission. - - See :ref:`dev-manual/vulnerabilities:checking for vulnerabilities` - for details about CVE tracking. - -#. *Check if the fix is already present in the master branch:* This will - result in the most straightforward path into the stable branch for the - fix. - - #. *If the fix is present in the master branch --- submit a backport request - by email:* You should send an email to the relevant stable branch - maintainer and the mailing list with details of the bug or CVE to be - fixed, the commit hash on the master branch that fixes the issue and - the stable branches which you would like this fix to be backported to. - - #. *If the fix is not present in the master branch --- submit the fix to the - master branch first:* This will ensure that the fix passes through the - project's usual patch review and test processes before being accepted. - It will also ensure that bugs are not left unresolved in the master - branch itself. Once the fix is accepted in the master branch a backport - request can be submitted as above. - - #. *If the fix is unsuitable for the master branch --- submit a patch - directly for the stable branch:* This method should be considered as a - last resort. It is typically necessary when the master branch is using - a newer version of the software which includes an upstream fix for the - issue or when the issue has been fixed on the master branch in a way - that introduces backwards incompatible changes. In this case follow the - steps in :ref:`dev-manual/changes:preparing changes for submission` and - :ref:`dev-manual/changes:using email to submit a patch` but modify the subject header of your patch - email to include the name of the stable branch which you are - targetting. This can be done using the ``--subject-prefix`` argument to - ``git format-patch``, for example to submit a patch to the dunfell - branch use - ``git format-patch --subject-prefix='&DISTRO_NAME_NO_CAP_MINUS_ONE;][PATCH' ...``. - diff --git a/poky/documentation/dev-manual/debugging.rst b/poky/documentation/dev-manual/debugging.rst index 3c5609cef5..fea2cb30a1 100644 --- a/poky/documentation/dev-manual/debugging.rst +++ b/poky/documentation/dev-manual/debugging.rst @@ -879,8 +879,7 @@ The build should work without issue. As with all solved problems, if they originated upstream, you need to submit the fix for the recipe in OE-Core and upstream so that the problem is taken care of at its source. See the -":ref:`dev-manual/changes:submitting a change to the yocto project`" -section for more information. +":doc:`../contributor-guide/submit-changes`" section for more information. Debugging With the GNU Project Debugger (GDB) Remotely ====================================================== @@ -1236,9 +1235,7 @@ Here are some other tips that you might find useful: :yocto_bugs:`Bugzilla <>`. For information on how to submit a bug against the Yocto Project, see the Yocto Project Bugzilla :yocto_wiki:`wiki page </Bugzilla_Configuration_and_Bug_Tracking>` - and the - ":ref:`dev-manual/changes:submitting a defect against the yocto project`" - section. + and the ":doc:`../contributor-guide/report-defect`" section. .. note:: diff --git a/poky/documentation/dev-manual/disk-space.rst b/poky/documentation/dev-manual/disk-space.rst index c63591cc7a..6d1638a302 100644 --- a/poky/documentation/dev-manual/disk-space.rst +++ b/poky/documentation/dev-manual/disk-space.rst @@ -23,23 +23,39 @@ final disk usage of 22 Gbytes instead of &MIN_DISK_SPACE; Gbytes. However, &MIN_DISK_SPACE_RM_WORK; Gbytes of initial free disk space are still needed to create temporary files before they can be deleted. -Purging Duplicate Shared State Cache Files -========================================== +Purging Obsolete Shared State Cache Files +========================================= After multiple build iterations, the Shared State (sstate) cache can contain -duplicate cache files for a given package, while only the most recent one -is likely to be reusable. The following command purges all but the -newest sstate cache file for each package:: +multiple cache files for a given package, consuming a substantial amount of +disk space. However, only the most recent ones are likely to be reused. - sstate-cache-management.sh --remove-duplicated --cache-dir=build/sstate-cache +The following command is a quick way to purge all the cache files which +haven't been used for a least a specified number of days:: -This command will ask you to confirm the deletions it identifies. + find build/sstate-cache -type f -mtime +$DAYS -delete -.. note:: +The above command relies on the fact that BitBake touches the sstate cache +files as it accesses them, when it has write access to the cache. - The duplicated sstate cache files of one package must have the same - architecture, which means that sstate cache files with multiple - architectures are not considered as duplicate. +You could use ``-atime`` instead of ``-mtime`` if the partition isn't mounted +with the ``noatime`` option for a read only cache. +For more advanced needs, OpenEmbedded-Core also offers a more elaborate +command. It has the ability to purge all but the newest cache files on each +architecture, and also to remove files that it considers unreachable by +exploring a set of build configurations. However, this command +requires a full build environment to be available and doesn't work well +covering multiple releases. It won't work either on limited environments +such as BSD based NAS:: + + sstate-cache-management.sh --remove-duplicated --cache-dir=build/sstate-cache + +This command will ask you to confirm the deletions it identifies. Run ``sstate-cache-management.sh`` for more details about this script. +.. note:: + + As this command is much more cautious and selective, removing only cache files, + it will execute much slower than the simple ``find`` command described above. + Therefore, it may not be your best option to trim huge cache directories. diff --git a/poky/documentation/dev-manual/index.rst b/poky/documentation/dev-manual/index.rst index b0bb5576ad..3618e51c8d 100644 --- a/poky/documentation/dev-manual/index.rst +++ b/poky/documentation/dev-manual/index.rst @@ -43,7 +43,6 @@ Yocto Project Development Tasks Manual build-quality runtime-testing debugging - changes licenses vulnerabilities sbom diff --git a/poky/documentation/dev-manual/licenses.rst b/poky/documentation/dev-manual/licenses.rst index 9629dc5329..200c3fc389 100644 --- a/poky/documentation/dev-manual/licenses.rst +++ b/poky/documentation/dev-manual/licenses.rst @@ -298,14 +298,28 @@ There are other requirements beyond the scope of these three and the methods described in this section (e.g. the mechanism through which source code is distributed). -As different organizations have different methods of complying with open -source licensing, this section is not meant to imply that there is only -one single way to meet your compliance obligations, but rather to -describe one method of achieving compliance. The remainder of this -section describes methods supported to meet the previously mentioned -three requirements. Once you take steps to meet these requirements, and -prior to releasing images, sources, and the build system, you should -audit all artifacts to ensure completeness. +As different organizations have different ways of releasing software, +there can be multiple ways of meeting license obligations. At +least, we describe here two methods for achieving compliance: + +- The first method is to use OpenEmbedded's ability to provide + the source code, provide a list of licenses, as well as + compilation scripts and source code modifications. + + The remainder of this section describes supported methods to meet + the previously mentioned three requirements. + +- The second method is to generate a *Software Bill of Materials* + (:term:`SBoM`), as described in the ":doc:`/dev-manual/sbom`" section. + Not only do you generate :term:`SPDX` output which can be used meet + license compliance requirements (except for sharing the build system + and layers sources for the time being), but this output also includes + component version and patch information which can be used + for vulnerability assessment. + +Whatever method you choose, prior to releasing images, sources, +and the build system, you should audit all artifacts to ensure +completeness. .. note:: diff --git a/poky/documentation/dev-manual/new-recipe.rst b/poky/documentation/dev-manual/new-recipe.rst index ab3e193aaf..39ee9683b0 100644 --- a/poky/documentation/dev-manual/new-recipe.rst +++ b/poky/documentation/dev-manual/new-recipe.rst @@ -1082,13 +1082,14 @@ build system and package managers, so the resulting packages will not correctly trigger an upgrade. In order to ensure the versions compare properly, the recommended -convention is to set :term:`PV` within the -recipe to "previous_version+current_version". You can use an additional -variable so that you can use the current version elsewhere. Here is an -example:: +convention is to use a tilde (``~``) character as follows:: - REALPV = "0.8.16-rc1" - PV = "0.8.15+${REALPV}" + PV = 0.8.16~rc1 + +This way ``0.8.16~rc1`` sorts before ``0.8.16``. See the +":ref:`contributor-guide/recipe-style-guide:version policy`" section in the +Yocto Project and OpenEmbedded Contributor Guide for more details about +versioning code corresponding to a pre-release or to a specific Git commit. Post-Installation Scripts ========================= diff --git a/poky/documentation/dev-manual/start.rst b/poky/documentation/dev-manual/start.rst index 4881481044..88afa27ad5 100644 --- a/poky/documentation/dev-manual/start.rst +++ b/poky/documentation/dev-manual/start.rst @@ -246,14 +246,13 @@ particular working environment and set of practices. - The Yocto Project community encourages you to send patches to the project to fix bugs or add features. If you do submit patches, follow the project commit guidelines for writing good commit - messages. See the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section. + messages. See the ":doc:`../contributor-guide/submit-changes`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - Send changes to the core sooner than later as others are likely to run into the same issues. For some guidance on mailing lists - to use, see the list in the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" + to use, see the lists in the + ":ref:`contributor-guide/submit-changes:finding a suitable mailing list`" section. For a description of the available mailing lists, see the ":ref:`resources-mailinglist`" section in the Yocto Project Reference Manual. diff --git a/poky/documentation/dev-manual/vulnerabilities.rst b/poky/documentation/dev-manual/vulnerabilities.rst index 0ee3ec52c5..ac0ca249c1 100644 --- a/poky/documentation/dev-manual/vulnerabilities.rst +++ b/poky/documentation/dev-manual/vulnerabilities.rst @@ -22,7 +22,7 @@ issues may be impacting Poky and OE-Core. It is up to the maintainers, users, contributors and anyone interested in the issues to investigate and possibly fix them by updating software components to newer versions or by applying patches to address them. It is recommended to work with Poky and OE-Core upstream maintainers and submit -patches to fix them, see ":ref:`dev-manual/changes:submitting a change to the yocto project`" for details. +patches to fix them, see ":doc:`../contributor-guide/submit-changes`" for details. Vulnerability check at build time ================================= diff --git a/poky/documentation/dev-manual/wic.rst b/poky/documentation/dev-manual/wic.rst index 2a4408cdb0..664f07a212 100644 --- a/poky/documentation/dev-manual/wic.rst +++ b/poky/documentation/dev-manual/wic.rst @@ -92,7 +92,7 @@ system needs to meet the following requirements: - You must build several native tools, which are built to run on the build system:: - $ bitbake parted-native dosfstools-native mtools-native + $ bitbake wic-tools - Include "wic" as part of the :term:`IMAGE_FSTYPES` diff --git a/poky/documentation/index.rst b/poky/documentation/index.rst index 6335c707e0..3fef1704a4 100644 --- a/poky/documentation/index.rst +++ b/poky/documentation/index.rst @@ -26,6 +26,7 @@ Welcome to the Yocto Project Documentation :caption: Manuals Overview and Concepts Manual <overview-manual/index> + Contributor Guide <contributor-guide/index> Reference Manual <ref-manual/index> Board Support Package (BSP) Developer's guide <bsp-guide/index> Development Tasks Manual <dev-manual/index> diff --git a/poky/documentation/migration-guides/release-4.0.rst b/poky/documentation/migration-guides/release-4.0.rst index 1fc74a0f6d..688ea7ae06 100644 --- a/poky/documentation/migration-guides/release-4.0.rst +++ b/poky/documentation/migration-guides/release-4.0.rst @@ -16,3 +16,6 @@ Release 4.0 (kirkstone) release-notes-4.0.7 release-notes-4.0.8 release-notes-4.0.9 + release-notes-4.0.10 + release-notes-4.0.11 + release-notes-4.0.12 diff --git a/poky/documentation/migration-guides/release-4.2.rst b/poky/documentation/migration-guides/release-4.2.rst index 2757f89274..abeebcb1c8 100644 --- a/poky/documentation/migration-guides/release-4.2.rst +++ b/poky/documentation/migration-guides/release-4.2.rst @@ -8,3 +8,5 @@ Release 4.2 (mickledore) migration-4.2 release-notes-4.2 release-notes-4.2.1 + release-notes-4.2.2 + release-notes-4.2.3 diff --git a/poky/documentation/migration-guides/release-notes-4.0.10.rst b/poky/documentation/migration-guides/release-notes-4.0.10.rst new file mode 100644 index 0000000000..f37c3471ea --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.0.10.rst @@ -0,0 +1,180 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.0.10 (Kirkstone) +------------------------------------------ + +Security Fixes in Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- binutils: Fix :cve:`2023-1579`, :cve:`2023-1972`, :cve_mitre:`2023-25584`, :cve_mitre:`2023-25585` and :cve_mitre:`2023-25588` +- cargo : Ignore :cve:`2022-46176` +- connman: Fix :cve:`2023-28488` +- curl: Fix :cve:`2023-27533`, :cve:`2023-27534`, :cve:`2023-27535`, :cve:`2023-27536` and :cve:`2023-27538` +- ffmpeg: Fix :cve:`2022-48434` +- freetype: Fix :cve:`2023-2004` +- ghostscript: Fix :cve_mitre:`2023-29979` +- git: Fix :cve:`2023-25652` and :cve:`2023-29007` +- go: Fix :cve:`2022-41722`, :cve:`2022-41724`, :cve:`2022-41725`, :cve:`2023-24534`, :cve:`2023-24537` and :cve:`2023-24538` +- go: Ignore :cve:`2022-41716` +- libxml2: Fix :cve:`2023-28484` and :cve:`2023-29469` +- libxpm: Fix :cve:`2022-44617`, :cve:`2022-46285` and :cve:`2022-4883` +- linux-yocto: Ignore :cve:`2021-3759`, :cve:`2021-4135`, :cve:`2021-4155`, :cve:`2022-0168`, :cve:`2022-0171`, :cve:`2022-1016`, :cve:`2022-1184`, :cve:`2022-1198`, :cve:`2022-1199`, :cve:`2022-1462`, :cve:`2022-1734`, :cve:`2022-1852`, :cve:`2022-1882`, :cve:`2022-1998`, :cve:`2022-2078`, :cve:`2022-2196`, :cve:`2022-2318`, :cve:`2022-2380`, :cve:`2022-2503`, :cve:`2022-26365`, :cve:`2022-2663`, :cve:`2022-2873`, :cve:`2022-2905`, :cve:`2022-2959`, :cve:`2022-3028`, :cve:`2022-3078`, :cve:`2022-3104`, :cve:`2022-3105`, :cve:`2022-3106`, :cve:`2022-3107`, :cve:`2022-3111`, :cve:`2022-3112`, :cve:`2022-3113`, :cve:`2022-3115`, :cve:`2022-3202`, :cve:`2022-32250`, :cve:`2022-32296`, :cve:`2022-32981`, :cve:`2022-3303`, :cve:`2022-33740`, :cve:`2022-33741`, :cve:`2022-33742`, :cve:`2022-33743`, :cve:`2022-33744`, :cve:`2022-33981`, :cve:`2022-3424`, :cve:`2022-3435`, :cve:`2022-34918`, :cve:`2022-3521`, :cve:`2022-3545`, :cve:`2022-3564`, :cve:`2022-3586`, :cve:`2022-3594`, :cve:`2022-36123`, :cve:`2022-3621`, :cve:`2022-3623`, :cve:`2022-3629`, :cve:`2022-3633`, :cve:`2022-3635`, :cve:`2022-3646`, :cve:`2022-3649`, :cve:`2022-36879`, :cve:`2022-36946`, :cve:`2022-3707`, :cve:`2022-39188`, :cve:`2022-39190`, :cve:`2022-39842`, :cve:`2022-40307`, :cve:`2022-40768`, :cve:`2022-4095`, :cve:`2022-41218`, :cve:`2022-4139`, :cve:`2022-41849`, :cve:`2022-41850`, :cve:`2022-41858`, :cve:`2022-42328`, :cve:`2022-42329`, :cve:`2022-42703`, :cve:`2022-42721`, :cve:`2022-42722`, :cve:`2022-42895`, :cve:`2022-4382`, :cve:`2022-4662`, :cve:`2022-47518`, :cve:`2022-47519`, :cve:`2022-47520`, :cve:`2022-47929`, :cve:`2023-0179`, :cve:`2023-0394`, :cve:`2023-0461`, :cve:`2023-0590`, :cve:`2023-1073`, :cve:`2023-1074`, :cve:`2023-1077`, :cve:`2023-1078`, :cve:`2023-1079`, :cve:`2023-1095`, :cve:`2023-1118`, :cve:`2023-1249`, :cve:`2023-1252`, :cve:`2023-1281`, :cve:`2023-1382`, :cve:`2023-1513`, :cve:`2023-1829`, :cve:`2023-1838`, :cve:`2023-1998`, :cve:`2023-2006`, :cve:`2023-2008`, :cve:`2023-2162`, :cve:`2023-2166`, :cve:`2023-2177`, :cve:`2023-22999`, :cve:`2023-23002`, :cve:`2023-23004`, :cve:`2023-23454`, :cve:`2023-23455`, :cve:`2023-23559`, :cve:`2023-25012`, :cve:`2023-26545`, :cve:`2023-28327` and :cve:`2023-28328` +- nasm: Fix :cve:`2022-44370` +- python3-cryptography: Fix :cve:`2023-23931` +- qemu: Ignore :cve:`2023-0664` +- ruby: Fix :cve:`2023-28755` and :cve:`2023-28756` +- screen: Fix :cve:`2023-24626` +- shadow: Fix :cve:`2023-29383` +- tiff: Fix :cve:`2022-4645` +- webkitgtk: Fix :cve:`2022-32888` and :cve:`2022-32923` +- xserver-xorg: Fix :cve:`2023-1393` + + +Fixes in Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~ + +- bitbake: bin/utils: Ensure locale en_US.UTF-8 is available on the system +- build-appliance-image: Update to kirkstone head revision +- cmake: add CMAKE_SYSROOT to generated toolchain file +- glibc: stable 2.35 branch updates. +- kernel-devsrc: depend on python3-core instead of python3 +- kernel: improve initramfs bundle processing time +- libarchive: Enable acls, xattr for native as well as target +- libbsd: Add correct license for all packages +- libpam: Fix the xtests/tst-pam_motd[1|3] failures +- libxpm: upgrade to 3.5.15 +- linux-firmware: upgrade to 20230404 +- linux-yocto/5.15: upgrade to v5.15.108 +- migration-guides: add release-notes for 4.0.9 +- oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set +- openssl: Move microblaze to linux-latomic config +- package.bbclass: correct check for /build in copydebugsources() +- poky.conf: bump version for 4.0.10 +- populate_sdk_base: add zip options +- populate_sdk_ext.bbclass: set :term:`METADATA_REVISION` with an :term:`DISTRO` override +- run-postinsts: Set dependency for ldconfig to avoid boot issues +- update-alternatives.bbclass: fix old override syntax +- wic/bootimg-efi: if fixed-size is set then use that for mkdosfs +- wpebackend-fdo: upgrade to 1.14.2 +- xorg-lib-common: Add variable to set tarball type +- xserver-xorg: upgrade to 21.1.8 + + +Known Issues in Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Archana Polampalli +- Arturo Buzarra +- Bruce Ashfield +- Christoph Lauer +- Deepthi Hemraj +- Dmitry Baryshkov +- Frank de Brabander +- Hitendra Prajapati +- Joe Slater +- Kai Kang +- Kyle Russell +- Lee Chee Yang +- Mark Hatle +- Martin Jansa +- Mingli Yu +- Narpat Mali +- Pascal Bach +- Pawan Badganchi +- Peter Bergin +- Peter Marko +- Piotr Łobacz +- Randolph Sapp +- Ranjitsinh Rathod +- Ross Burton +- Shubham Kulkarni +- Siddharth Doshi +- Steve Sakoman +- Sundeep KOKKONDA +- Thomas Roos +- Virendra Thakur +- Vivek Kumbhar +- Wang Mingyu +- Xiangyu Chen +- Yash Shinde +- Yoann Congal +- Yogita Urade +- Zhixiong Chi + + +Repositories / Downloads for Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.10 </poky/log/?h=yocto-4.0.10>` +- Git Revision: :yocto_git:`f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f </poky/commit/?id=f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f>` +- Release Artefact: poky-f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f +- sha: 8820aeac857ce6bbd1c7ef26cadbb86eca02be93deded253b4a5f07ddd69255d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/poky-f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/poky-f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>` +- Tag: :oe_git:`yocto-4.0.10 </openembedded-core/log/?h=yocto-4.0.10>` +- Git Revision: :oe_git:`d2713785f9cd2d58731df877bc8b7bcc71b6c8e6 </openembedded-core/commit/?id=d2713785f9cd2d58731df877bc8b7bcc71b6c8e6>` +- Release Artefact: oecore-d2713785f9cd2d58731df877bc8b7bcc71b6c8e6 +- sha: 78e084a1aceaaa6ec022702f29f80eaffade3159e9c42b6b8985c1b7ddd2fbab +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/oecore-d2713785f9cd2d58731df877bc8b7bcc71b6c8e6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/oecore-d2713785f9cd2d58731df877bc8b7bcc71b6c8e6.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.10 </meta-mingw/log/?h=yocto-4.0.10>` +- Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>` +- Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1 +- sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + +meta-gplv2 + +- Repository Location: :yocto_git:`/meta-gplv2` +- Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.10 </meta-gplv2/log/?h=yocto-4.0.10>` +- Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>` +- Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a +- sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>` +- Tag: :oe_git:`yocto-4.0.10 </bitbake/log/?h=yocto-4.0.10>` +- Git Revision: :oe_git:`0c6f86b60cfba67c20733516957c0a654eb2b44c </bitbake/commit/?id=0c6f86b60cfba67c20733516957c0a654eb2b44c>` +- Release Artefact: bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c +- sha: 4caa94ee4d644017b0cc51b702e330191677f7d179018cbcec8b1793949ebc74 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.10 </yocto-docs/log/?h=yocto-4.0.10>` +- Git Revision: :yocto_git:`8388be749806bd0bf4fccf1005dae8f643aa4ef4 </yocto-docs/commit/?id=8388be749806bd0bf4fccf1005dae8f643aa4ef4>` + diff --git a/poky/documentation/migration-guides/release-notes-4.0.11.rst b/poky/documentation/migration-guides/release-notes-4.0.11.rst new file mode 100644 index 0000000000..8a15884908 --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.0.11.rst @@ -0,0 +1,214 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.0.11 (Kirkstone) +------------------------------------------ + +Security Fixes in Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- cups: Fix :cve:`2023-32324` +- curl: Fix :cve:`2023-28319`, :cve:`2023-28320`, :cve:`2023-28321` and :cve:`2023-28322` +- git: Ignore :cve:`2023-25815` +- go: Fix :cve:`2023-24539` and :cve:`2023-24540` +- nasm: Fix :cve:`2022-46457` +- openssh: Fix :cve:`2023-28531` +- openssl: Fix :cve:`2023-1255` and :cve:`2023-2650` +- perl: Fix :cve:`2023-31484` +- python3-requests: Fix for :cve:`2023-32681` +- sysstat: Fix :cve:`2023-33204` +- vim: Fix :cve:`2023-2426` +- webkitgtk: fix :cve:`2022-42867`, :cve:`2022-46691`, :cve:`2022-46699` and :cve:`2022-46700` + + +Fixes in Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~ + +- Revert "docs: conf.py: fix cve extlinks caption for sphinx <4.0" +- Revert "ipk: Decode byte data to string in manifest handling" +- avahi: fix D-Bus introspection +- build-appliance-image: Update to kirkstone head revision +- conf.py: add macro for Mitre CVE links +- conf: add nice level to the hash config ignred variables +- cpio: Fix wrong CRC with ASCII CRC for large files +- cve-update-nvd2-native: added the missing http import +- cve-update-nvd2-native: new CVE database fetcher +- dhcpcd: use git instead of tarballs +- e2fsprogs: fix ptest bug for second running +- gcc-runtime: Use static dummy libstdc++ +- glibc: stable 2.35 branch updates (cbceb903c4d7) +- go.bbclass: don't use test to check output from ls +- gstreamer1.0: Upgrade to 1.20.6 +- iso-codes: Upgrade to 4.15.0 +- kernel-devicetree: allow specification of dtb directory +- kernel-devicetree: make shell scripts posix compliant +- kernel-devicetree: recursively search for dtbs +- kernel: don't force PAHOLE=false +- kmscube: Correct :term:`DEPENDS` to avoid overwrite +- lib/terminal.py: Add urxvt terminal +- license.bbclass: Include :term:`LICENSE` in the output when it fails to parse +- linux-yocto/5.10: Upgrade to v5.10.180 +- linux-yocto/5.15: Upgrade to v5.15.113 +- llvm: backport a fix for build with gcc-13 +- maintainers.inc: Fix email address typo +- maintainers.inc: Move repo to unassigned +- migration-guides: add release notes for 4.0.10 +- migration-guides: use new cve_mitre macro +- nghttp2: Deleted the entries for -client and -server, and removed a dependency on them from the main package. +- oeqa/selftest/cases/devtool.py: skip all tests require folder a git repo +- openssh: Remove BSD-4-clause contents completely from codebase +- openssl: Upgrade to 3.0.9 +- overview-manual: concepts.rst: Fix a typo +- p11-kit: add native to :term:`BBCLASSEXTEND` +- package: enable recursion on file globs +- package_manager/ipk: fix config path generation in _create_custom_config() +- piglit: Add :term:`PACKAGECONFIG` for glx and opencl +- piglit: Add missing glslang dependencies +- piglit: Fix build time dependency +- poky.conf: bump version for 4.0.11 +- profile-manual: fix blktrace remote usage instructions +- quilt: Fix merge.test race condition +- ref-manual: add clarification for :term:`SRCREV` +- selftest/reproducible: Allow native/cross reuse in test +- staging.bbclass: do not add extend_recipe_sysroot to prefuncs of prepare_recipe_sysroot +- systemd-networkd: backport fix for rm unmanaged wifi +- systemd-systemctl: fix instance template WantedBy symlink construction +- systemd-systemctl: support instance expansion in WantedBy +- uninative: Upgrade to 3.10 to support gcc 13 +- uninative: Upgrade to 4.0 to include latest gcc 13.1.1 +- vim: Upgrade to 9.0.1527 +- waffle: Upgrade to 1.7.2 +- weston: add xwayland to :term:`DEPENDS` for :term:`PACKAGECONFIG` xwayland + + +Known Issues in Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alexander Kanavin +- Andrew Jeffery +- Archana Polampalli +- Bhabu Bindu +- Bruce Ashfield +- C. Andy Martin +- Chen Qi +- Daniel Ammann +- Deepthi Hemraj +- Ed Beroset +- Eero Aaltonen +- Enrico Jörns +- Hannu Lounento +- Hitendra Prajapati +- Ian Ray +- Jan Luebbe +- Jan Vermaete +- Khem Raj +- Lee Chee Yang +- Lei Maohui +- Lorenzo Arena +- Marek Vasut +- Marta Rybczynska +- Martin Jansa +- Martin Siegumfeldt +- Michael Halstead +- Michael Opdenacker +- Ming Liu +- Narpat Mali +- Omkar Patil +- Pablo Saavedra +- Pavel Zhukov +- Peter Kjellerstedt +- Peter Marko +- Qiu Tingting +- Quentin Schulz +- Randolph Sapp +- Randy MacLeod +- Ranjitsinh Rathod +- Richard Purdie +- Riyaz Khan +- Sakib Sajal +- Sanjay Chitroda +- Soumya Sambu +- Steve Sakoman +- Thomas Roos +- Tom Hochstein +- Vivek Kumbhar +- Wang Mingyu +- Yogita Urade +- Zoltan Boszormenyi + + +Repositories / Downloads for Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.11 </poky/log/?h=yocto-4.0.11>` +- Git Revision: :yocto_git:`fc697fe87412b9b179ae3a68d266ace85bb1fcc6 </poky/commit/?id=fc697fe87412b9b179ae3a68d266ace85bb1fcc6>` +- Release Artefact: poky-fc697fe87412b9b179ae3a68d266ace85bb1fcc6 +- sha: d42ab1b76b9d8ab164d86dc0882c908658f6b5be0742b13a71531068f6a5ee98 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/poky-fc697fe87412b9b179ae3a68d266ace85bb1fcc6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/poky-fc697fe87412b9b179ae3a68d266ace85bb1fcc6.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>` +- Tag: :oe_git:`yocto-4.0.11 </openembedded-core/log/?h=yocto-4.0.11>` +- Git Revision: :oe_git:`7949e786cf8e50f716ff1f1c4797136637205e0c </openembedded-core/commit/?id=7949e786cf8e50f716ff1f1c4797136637205e0c>` +- Release Artefact: oecore-7949e786cf8e50f716ff1f1c4797136637205e0c +- sha: 3bda3f7d15961bad5490faf3194709528591a97564b5eae3da7345b63be20334 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/oecore-7949e786cf8e50f716ff1f1c4797136637205e0c.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/oecore-7949e786cf8e50f716ff1f1c4797136637205e0c.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.11 </meta-mingw/log/?h=yocto-4.0.11>` +- Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>` +- Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1 +- sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + +meta-gplv2 + +- Repository Location: :yocto_git:`/meta-gplv2` +- Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.11 </meta-gplv2/log/?h=yocto-4.0.11>` +- Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>` +- Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a +- sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>` +- Tag: :oe_git:`yocto-4.0.11 </bitbake/log/?h=yocto-4.0.11>` +- Git Revision: :oe_git:`0c6f86b60cfba67c20733516957c0a654eb2b44c </bitbake/commit/?id=0c6f86b60cfba67c20733516957c0a654eb2b44c>` +- Release Artefact: bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c +- sha: 4caa94ee4d644017b0cc51b702e330191677f7d179018cbcec8b1793949ebc74 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.11 </yocto-docs/log/?h=yocto-4.0.11>` +- Git Revision: :yocto_git:`6d16d2bde0aa32276a035ee49703e6eea7c7b29a </yocto-docs/commit/?id=6d16d2bde0aa32276a035ee49703e6eea7c7b29a>` + diff --git a/poky/documentation/migration-guides/release-notes-4.0.12.rst b/poky/documentation/migration-guides/release-notes-4.0.12.rst new file mode 100644 index 0000000000..0ea92a453d --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.0.12.rst @@ -0,0 +1,277 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.0.12 (Kirkstone) +------------------------------------------ + +Security Fixes in Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- bind: Fix :cve:`2023-2828` and :cve:`2023-2911` +- cups: Fix :cve:`2023-34241` +- curl: Added :cve:`2023-28320` Follow-up patch +- dbus: Fix :cve:`2023-34969` +- dmidecode: fix :cve:`2023-30630` +- ghostscript: fix :cve:`2023-36664` +- go: fix :cve_mitre:`2023-24531`, :cve:`2023-24536`, :cve:`2023-29400`, :cve:`2023-29402`, :cve:`2023-29404`, :cve:`2023-29405` and :cve:`2023-29406` +- libarchive: Ignore :cve:`2023-30571` +- libcap: Fix :cve:`2023-2602` and :cve:`2023-2603` +- libjpeg-turbo: Fix :cve:`2023-2804` +- libpcre2: Fix :cve:`2022-41409` +- libtiff: fix :cve:`2023-26965` +- libwebp: Fix :cve:`2023-1999` +- libx11: Fix :cve:`2023-3138` +- libxpm: Fix :cve:`2022-44617` +- ninja: Ignore :cve:`2021-4336` +- openssh: Fix :cve:`2023-38408` +- openssl: Fix :cve:`2023-2975`, :cve:`2023-3446` and :cve:`2023-3817` +- perl: Fix :cve:`2023-31486` +- python3: Ignore :cve:`2023-36632` +- qemu: Fix :cve:`2023-0330`, :cve_mitre:`2023-2861`, :cve_mitre:`2023-3255` and :cve_mitre:`2023-3301` +- sqlite3: Fix :cve:`2023-36191` +- tiff: Fix :cve:`2023-0795`, :cve:`2023-0796`, :cve:`2023-0797`, :cve:`2023-0798`, :cve:`2023-0799`, :cve:`2023-25433`, :cve:`2023-25434` and :cve:`2023-25435` +- vim: :cve:`2023-2609` and :cve:`2023-2610` + + +Fixes in Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~ + +- babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature +- babeltrace2: upgrade to 2.0.5 +- bitbake.conf: add unzstd in :term:`HOSTTOOLS` +- bitbake: bitbake-layers: initialize tinfoil before registering command line arguments +- bitbake: runqueue: Fix deferred task/multiconfig race issue +- blktrace: ask for python3 specifically +- build-appliance-image: Update to kirkstone head revision +- cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK +- connman: fix warning by specifying runstatedir at configure time +- cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport +- cve-update-nvd2-native: actually use API keys +- cve-update-nvd2-native: always pass str for json.loads() +- cve-update-nvd2-native: fix cvssV3 metrics +- cve-update-nvd2-native: handle all configuration nodes, not just first +- cve-update-nvd2-native: increase retry count +- cve-update-nvd2-native: log a little more +- cve-update-nvd2-native: retry all errors and sleep between retries +- cve-update-nvd2-native: use exact times, don't truncate +- dbus: upgrade to 1.14.8 +- devtool: Fix the wrong variable in srcuri_entry +- diffutils: upgrade to 3.10 +- docs: ref-manual: terms: fix typos in :term:`SPDX` term +- fribidi: upgrade to 1.0.13 +- gcc: upgrade to v11.4 +- gcc-testsuite: Fix ppc cpu specification +- gcc: don't pass --enable-standard-branch-protection +- gcc: fix runpath errors in cc1 binary +- grub: submit determinism.patch upstream +- image_types: Fix reproducible builds for initramfs and UKI img +- kernel: add missing path to search for debug files +- kmod: remove unused ptest.patch +- layer.conf: Add missing dependency exclusion +- libassuan: upgrade to 2.5.6 +- libksba: upgrade to 1.6.4 +- libpng: Add ptest for libpng +- libxcrypt: fix build with perl-5.38 and use master branch +- libxcrypt: fix hard-coded ".so" extension +- libxpm: upgrade to 3.5.16 +- linux-firmware: upgrade to 20230515 +- linux-yocto/5.10: cfg: fix DECNET configuration warning +- linux-yocto/5.10: update to v5.10.185 +- linux-yocto/5.15: cfg: fix DECNET configuration warning +- linux-yocto/5.15: update to v5.15.120 +- logrotate: Do not create logrotate.status file +- lttng-ust: upgrade to 2.13.6 +- machine/arch-arm64: add -mbranch-protection=standard +- maintainers.inc: correct Carlos Rafael Giani's email address +- maintainers.inc: correct unassigned entries +- maintainers.inc: unassign Adrian Bunk from wireless-regdb +- maintainers.inc: unassign Alistair Francis from opensbi +- maintainers.inc: unassign Andreas Müller from itstool entry +- maintainers.inc: unassign Pascal Bach from cmake entry +- maintainers.inc: unassign Ricardo Neri from ovmf +- maintainers.inc: unassign Richard Weinberger from erofs-utils entry +- mdadm: fix 07revert-inplace ptest +- mdadm: fix segfaults when running ptests +- mdadm: fix util-linux ptest dependency +- mdadm: skip running known broken ptests +- meson.bbclass: Point to llvm-config from native sysroot +- meta: lib: oe: npm_registry: Add more safe caracters +- migration-guides: add release notes for 4.0.11 +- minicom: remove unused patch files +- mobile-broadband-provider-info: upgrade to 20230416 +- oe-depends-dot: Handle new format for task-depends.dot +- oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case +- oeqa/selftest/bbtests: add non-existent prefile/postfile tests +- oeqa/selftest/devtool: add unit test for "devtool add -b" +- openssl: Upgrade to 3.0.10 +- openssl: add PERLEXTERNAL path to test its existence +- openssl: use a glob on the PERLEXTERNAL to track updates on the path +- package.bbclass: moving field data process before variable process in process_pkgconfig +- pm-utils: fix multilib conflictions +- poky.conf: bump version for 4.0.12 +- psmisc: Set :term:`ALTERNATIVE` for pstree to resolve conflict with busybox +- pybootchartgui: show elapsed time for each task +- python3: fix missing comma in get_module_deps3.py +- python3: upgrade to 3.10.12 +- recipetool: Fix inherit in created -native* recipes +- ref-manual: add LTS and Mixin terms +- ref-manual: document image-specific variant of :term:`INCOMPATIBLE_LICENSE` +- ref-manual: release-process: update for LTS releases +- rust-llvm: backport a fix for build with gcc-13 +- scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes +- scripts/runqemu: split lock dir creation into a reusable function +- sdk.py: error out when moving file fails +- sdk.py: fix moving dnf contents +- selftest reproducible.py: support different build targets +- selftest/license: Exclude from world +- selftest/reproducible: Allow chose the package manager +- serf: upgrade to 1.3.10 +- strace: Disable failing test +- strace: Merge two similar patches +- strace: Update patches/tests with upstream fixes +- sysfsutils: fetch a supported fork from github +- systemd-systemctl: fix errors in instance name expansion +- systemd: Backport nspawn: make sure host root can write to the uidmapped mounts we prepare for the container payload +- tzdata: upgrade to 2023c +- uboot-extlinux-config.bbclass: fix old override syntax in comment +- unzip: fix configure check for cross compilation +- useradd-staticids.bbclass: improve error message +- util-linux: add alternative links for ipcs,ipcrm +- v86d: Improve kernel dependency +- vim: upgrade to 9.0.1592 +- wget: upgrade to 1.21.4 +- wic: Add dependencies for erofs-utils +- wireless-regdb: upgrade to 2023.05.03 +- xdpyinfo: upgrade to 1.3.4 +- zip: fix configure check by using _Static_assert + + +Known Issues in Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alberto Planas +- Alexander Kanavin +- Alexander Sverdlin +- Andrej Valek +- Archana Polampalli +- BELOUARGA Mohamed +- Benjamin Bouvier +- Bruce Ashfield +- Charlie Wu +- Chen Qi +- Etienne Cordonnier +- Fabien Mahot +- Frieder Paape +- Frieder Schrempf +- Heiko Thole +- Hitendra Prajapati +- Jermain Horsman +- Jose Quaresma +- Kai Kang +- Khem Raj +- Lee Chee Yang +- Marc Ferland +- Marek Vasut +- Martin Jansa +- Mauro Queiros +- Michael Opdenacker +- Mikko Rapeli +- Nikhil R +- Ovidiu Panait +- Peter Marko +- Poonam Jadhav +- Quentin Schulz +- Richard Purdie +- Ross Burton +- Rusty Howell +- Sakib Sajal +- Soumya Sambu +- Steve Sakoman +- Sundeep KOKKONDA +- Tim Orling +- Tom Hochstein +- Trevor Gamblin +- Vijay Anusuri +- Vivek Kumbhar +- Wang Mingyu +- Xiangyu Chen +- Yoann Congal +- Yogita Urade +- Yuta Hayama + + +Repositories / Downloads for Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.12 </poky/log/?h=yocto-4.0.12>` +- Git Revision: :yocto_git:`d6b8790370500b99ca11f0d8a05c39b661ab2ba6 </poky/commit/?id=d6b8790370500b99ca11f0d8a05c39b661ab2ba6>` +- Release Artefact: poky-d6b8790370500b99ca11f0d8a05c39b661ab2ba6 +- sha: 35f0390e0c5a12f403ed471c0b1254c13cbb9d7c7b46e5a3538e63e36c1ac280 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/poky-d6b8790370500b99ca11f0d8a05c39b661ab2ba6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/poky-d6b8790370500b99ca11f0d8a05c39b661ab2ba6.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>` +- Tag: :oe_git:`yocto-4.0.12 </openembedded-core/log/?h=yocto-4.0.12>` +- Git Revision: :oe_git:`e1a604db8d2cf8782038b4016cc2e2052467333b </openembedded-core/commit/?id=e1a604db8d2cf8782038b4016cc2e2052467333b>` +- Release Artefact: oecore-e1a604db8d2cf8782038b4016cc2e2052467333b +- sha: 8b302eb3f3ffe5643f88bc6e4ae8f9a5cda63544d67e04637ecc4197e9750a1d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/oecore-e1a604db8d2cf8782038b4016cc2e2052467333b.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/oecore-e1a604db8d2cf8782038b4016cc2e2052467333b.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.12 </meta-mingw/log/?h=yocto-4.0.12>` +- Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>` +- Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1 +- sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + +meta-gplv2 + +- Repository Location: :yocto_git:`/meta-gplv2` +- Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.12 </meta-gplv2/log/?h=yocto-4.0.12>` +- Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>` +- Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a +- sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>` +- Tag: :oe_git:`yocto-4.0.12 </bitbake/log/?h=yocto-4.0.12>` +- Git Revision: :oe_git:`41b6684489d0261753344956042be2cc4adb0159 </bitbake/commit/?id=41b6684489d0261753344956042be2cc4adb0159>` +- Release Artefact: bitbake-41b6684489d0261753344956042be2cc4adb0159 +- sha: efa2b1c4d0be115ed3960750d1e4ed958771b2db6d7baee2d13ad386589376e8 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/bitbake-41b6684489d0261753344956042be2cc4adb0159.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/bitbake-41b6684489d0261753344956042be2cc4adb0159.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.12 </yocto-docs/log/?h=yocto-4.0.12>` +- Git Revision: :yocto_git:`4dfef81ac6164764c6541e39a9fef81d49227096 </yocto-docs/commit/?id=4dfef81ac6164764c6541e39a9fef81d49227096>` + diff --git a/poky/documentation/migration-guides/release-notes-4.2.2.rst b/poky/documentation/migration-guides/release-notes-4.2.2.rst new file mode 100644 index 0000000000..74f2d0e82a --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.2.2.rst @@ -0,0 +1,330 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.2.2 (Mickledore) +------------------------------------------ + +Security Fixes in Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- binutils: Fix :cve:`2023-1972` +- cups: Fix :cve:`2023-32324` +- curl: Fix :cve:`2023-28319`, :cve:`2023-28320`, :cve:`2023-28321` and :cve:`2023-28322` +- dbus: Fix :cve:`2023-34969` +- git: Fix :cve:`2023-25652` and :cve:`2023-29007` +- git: Ignore :cve:`2023-25815` +- libwebp: Fix :cve:`2023-1999` +- libxml2: Fix :cve:`2023-28484` and :cve:`2023-29469` +- libxpm: Fix :cve:`2022-44617` +- ninja: Ignore :cve:`2021-4336` +- openssl: Fix :cve:`2023-0464`, :cve:`2023-0465`, :cve:`2023-0466`, :cve:`2023-1255` and :cve:`2023-2650` +- perl: Fix :cve:`2023-31484` and :cve:`2023-31486` +- sysstat: Fix :cve:`2023-33204` +- tiff: Fix :cve_mitre:`2023-25434`, :cve:`2023-26965` and :cve:`2023-2731` +- vim: Fix :cve:`2023-2426` + + +Fixes in Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~ + +- apr: Upgrade to 1.7.4 +- avahi: fix D-Bus introspection +- babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature +- babeltrace2: Upgrade to 2.0.5 +- baremetal-helloworld: Update :term:`SRCREV` to fix entry addresses for ARM architectures +- bind: Upgrade to 9.18.15 +- binutils: move packaging of gprofng static lib into common .inc +- binutils: package static libs from gprofng +- binutils: stable 2.40 branch updates (7343182dd1) +- bitbake.conf: add unzstd in :term:`HOSTTOOLS` +- bitbake: runqueue: Fix deferred task/multiconfig race issue +- bno_plot.py, btt_plot.py: Ask for python3 specifically +- build-appliance-image: Update to mickledore head revision +- busybox: Upgrade to 1.36.1 +- cmake.bbclass: do not search host paths for find_program() +- conf: add nice level to the hash config ignred variables +- connman: fix warning by specifying runstatedir at configure time +- cpio: Run ptests under ptest user +- dbus: Upgrade to 1.14.8 +- devtool: Fix the wrong variable in srcuri_entry +- dnf: only write the log lock to root for native dnf +- docs: bsp-guide: bsp: fix typo +- dpkg: Upgrade to v1.21.22 +- e2fsprogs: Fix error SRCDIR when using usrmerge :term:`DISTRO_FEATURES` +- e2fsprogs: fix ptest bug for second running +- ell: Upgrade to 0.57 +- expect: Add ptest support +- fribidi: Upgrade to 1.0.13 +- gawk: Upgrade to 5.2.2 +- gcc : upgrade to v12.3 +- gdb: fix crashes when debugging threads with Arm Pointer Authentication enabled +- gdb: Upgrade to 13.2 +- git: Upgrade to 2.39.3 +- glib-networking: use correct error code in ptest +- glibc: Pass linker choice via compiler flags +- glibc: stable 2.37 branch updates. +- gnupg: Upgrade to 2.4.2 +- go.bbclass: don't use test to check output from ls +- go: Upgrade to 1.20.5 +- go: Use -no-pie to build target cgo +- gobject-introspection: remove obsolete :term:`DEPENDS` +- grub: submit determinism.patch upstream +- gstreamer1.0: Upgrade to 1.22.3 +- gtk4: Upgrade to 4.10.4 +- image-live.bbclass: respect :term:`IMAGE_MACHINE_SUFFIX` +- image_types: Fix reproducible builds for initramfs and UKI img +- inetutils: remove unused patch files +- ipk: Revert Decode byte data to string in manifest handling +- iso-codes: Upgrade to 4.15.0 +- kernel: don't force PAHOLE=false +- kmod: remove unused ptest.patch +- kmscube: Correct :term:`DEPENDS` to avoid overwrite +- layer.conf: Add missing dependency exclusion +- lib/terminal.py: Add urxvt terminal +- libbsd: Add correct license for all packages +- libdnf: Upgrade to 0.70.1 +- libgcrypt: Upgrade to 1.10.2 +- libgloss: remove unused patch file +- libmicrohttpd: Upgrade to 0.9.77 +- libmodule-build-perl: Upgrade to 0.4234 +- libx11: remove unused patch and :term:`FILESEXTRAPATHS` +- libx11: Upgrade to 1.8.5 +- libxfixes: Upgrade to v6.0.1 +- libxft: Upgrade to 2.3.8 +- libxi: Upgrade to v1.8.1 +- libxml2: Do not use lld linker when building with tests on rv64 +- libxml2: Upgrade to 2.10.4 +- libxpm: Upgrade to 3.5.16 +- linux-firmware: Upgrade to 20230515 +- linux-yocto/5.15: cfg: fix DECNET configuration warning +- linux-yocto/5.15: Upgrade to v5.15.118 +- linux-yocto/6.1: fix intermittent x86 boot hangs +- linux-yocto/6.1: Upgrade to v6.1.35 +- linux-yocto: move build / debug dependencies to .inc +- logrotate: Do not create logrotate.status file +- maintainers.inc: correct Carlos Rafael Giani's email address +- maintainers.inc: correct unassigned entries +- maintainers.inc: unassign Adrian Bunk from wireless-regdb +- maintainers.inc: unassign Alistair Francis from opensbi +- maintainers.inc: unassign Andreas Müller from itstool entry +- maintainers.inc: unassign Chase Qi from libc-test +- maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items +- maintainers.inc: unassign Pascal Bach from cmake entry +- maintainers.inc: unassign Ricardo Neri from ovmf +- maintainers.inc: update version for gcc-source +- maintainers.inc: unassign Richard Weinberger from erofs-utils entry +- meta: depend on autoconf-archive-native, not autoconf-archive +- meta: lib: oe: npm_registry: Add more safe caracters +- migration-guides: add release notes for 4.2.1 +- minicom: remove unused patch files +- mobile-broadband-provider-info: Upgrade to 20230416 +- musl: Correct :term:`SRC_URI` +- oeqa/selftest/bbtests: add non-existent prefile/postfile tests +- oeqa/selftest/cases/devtool.py: skip all tests require folder a git repo +- oeqa: adding selftest-hello and use it to speed up tests +- openssh: Remove BSD-4-clause contents completely from codebase +- openssl: fix building on riscv32 +- openssl: Upgrade to 3.1.1 +- overview-manual: concepts.rst: Fix a typo +- parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so +- perf: Make built-in libtraceevent plugins cohabit with external libtraceevent +- piglit: Add missing glslang dependencies +- piglit: Fix c++11-narrowing warnings in tests +- pkgconf: Upgrade to 1.9.5 +- pm-utils: fix multilib conflictions +- poky.conf: bump version for 4.2.2 release +- populate_sdk_base.bbclass: respect :term:`MLPREFIX` for ptest-pkgs's ptest-runner +- profile-manual: fix blktrace remote usage instructions +- psmisc: Set :term:`ALTERNATIVE` for pstree to resolve conflict with busybox +- ptest-runner: Ensure data writes don't race +- ptest-runner: Pull in "runner: Remove threads and mutexes" fix +- ptest-runner: Pull in sync fix to improve log warnings +- python3-bcrypt: Use BFD linker when building tests +- python3-numpy: remove NPY_INLINE, use inline instead +- qemu: a pending patch was submitted and accepted upstream +- qemu: remove unused qemu-7.0.0-glibc-2.36.patch +- qemurunner.py: fix error message about qmp +- qemurunner: avoid leaking server_socket +- ref-manual: add clarification for :term:`SRCREV` +- ref-manual: classes.rst: fix typo +- rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock +- rpcsvc-proto: Upgrade to 1.4.4 +- rpm: drop unused 0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch +- rpm: Upgrade to 4.18.1 +- rpm: write macros under libdir +- runqemu-gen-tapdevs: Refactoring +- runqemu-ifupdown/get-tapdevs: Add support for ip tuntap +- scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes +- scripts/runqemu: split lock dir creation into a reusable function +- scripts: fix buildstats diff/summary hard bound to host python3 +- sdk.py: error out when moving file fails +- sdk.py: fix moving dnf contents +- selftest/license: Exclude from world +- selftest/reproducible: Allow native/cross reuse in test +- serf: Upgrade to 1.3.10 +- staging.bbclass: do not add extend_recipe_sysroot to prefuncs of prepare_recipe_sysroot +- strace: Disable failing test +- strace: Merge two similar patches +- strace: Update patches/tests with upstream fixes +- sysfsutils: fetch a supported fork from github +- systemd-systemctl: support instance expansion in WantedBy +- systemd: Drop a backport +- tiff: Remove unused patch from tiff +- uninative: Upgrade to 3.10 to support gcc 13 +- uninative: Upgrade to 4.0 to include latest gcc 13.1.1 +- unzip: fix configure check for cross compilation +- unzip: remove hardcoded LARGE_FILE_SUPPORT +- useradd-example: package typo correction +- useradd-staticids.bbclass: improve error message +- v86d: Improve kernel dependency +- vim: Upgrade to 9.0.1527 +- weston-init: add profile to point users to global socket +- weston-init: add the weston user to the wayland group +- weston-init: add weston user to the render group +- weston-init: fix the mixed indentation +- weston-init: guard against systemd configs +- weston-init: make sure the render group exists +- wget: Upgrade to 1.21.4 +- wireless-regdb: Upgrade to 2023.05.03 +- xdpyinfo: Upgrade to 1.3.4 +- xf86-video-intel: Use the HTTPS protocol to fetch the Git repositories +- xinput: upgrade to v1.6.4 +- xwininfo: upgrade to v1.1.6 +- xz: Upgrade to 5.4.3 +- yocto-bsps: update to v5.15.106 +- zip: fix configure check by using _Static_assert +- zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS + + +Known Issues in Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alberto Planas +- Alejandro Hernandez Samaniego +- Alexander Kanavin +- Andrej Valek +- Andrew Jeffery +- Anuj Mittal +- Archana Polampalli +- BELOUARGA Mohamed +- Bruce Ashfield +- Changqing Li +- Charlie Wu +- Chen Qi +- Chi Xu +- Daniel Ammann +- Deepthi Hemraj +- Denys Dmytriyenko +- Dmitry Baryshkov +- Ed Beroset +- Eero Aaltonen +- Fabien Mahot +- Frieder Paape +- Frieder Schrempf +- Hannu Lounento +- Ian Ray +- Jermain Horsman +- Jörg Sommer +- Kai Kang +- Khem Raj +- Lee Chee Yang +- Lorenzo Arena +- Marc Ferland +- Markus Volk +- Martin Jansa +- Michael Halstead +- Mikko Rapeli +- Mingli Yu +- Natasha Bailey +- Nikhil R +- Pablo Saavedra +- Paul Gortmaker +- Pavel Zhukov +- Peter Kjellerstedt +- Qiu Tingting +- Quentin Schulz +- Randolph Sapp +- Randy MacLeod +- Ranjitsinh Rathod +- Richard Purdie +- Riyaz Khan +- Ross Burton +- Sakib Sajal +- Sanjay Chitroda +- Siddharth Doshi +- Soumya Sambu +- Steve Sakoman +- Sudip Mukherjee +- Sundeep KOKKONDA +- Thomas Roos +- Tim Orling +- Tom Hochstein +- Trevor Gamblin +- Ulrich Ölmann +- Wang Mingyu +- Xiangyu Chen + + +Repositories / Downloads for Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`mickledore </poky/log/?h=mickledore>` +- Tag: :yocto_git:`yocto-4.2.2 </poky/log/?h=yocto-4.2.2>` +- Git Revision: :yocto_git:`6e17b3e644ca15b8b4afd071ccaa6f172a0e681a </poky/commit/?id=6e17b3e644ca15b8b4afd071ccaa6f172a0e681a>` +- Release Artefact: poky-6e17b3e644ca15b8b4afd071ccaa6f172a0e681a +- sha: c0b4dadcf00b97d866dd4cc2f162474da2c3e3289badaa42a978bff1d479af99 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/poky-6e17b3e644ca15b8b4afd071ccaa6f172a0e681a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/poky-6e17b3e644ca15b8b4afd071ccaa6f172a0e681a.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`mickledore </openembedded-core/log/?h=mickledore>` +- Tag: :oe_git:`yocto-4.2.2 </openembedded-core/log/?h=yocto-4.2.2>` +- Git Revision: :oe_git:`3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1 </openembedded-core/commit/?id=3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1>` +- Release Artefact: oecore-3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1 +- sha: d2fd127f46e626fa4456c193af3dbd25d4b2565db59bc23be69a3b2dd4febed5 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/oecore-3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/oecore-3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`mickledore </meta-mingw/log/?h=mickledore>` +- Tag: :yocto_git:`yocto-4.2.2 </meta-mingw/log/?h=yocto-4.2.2>` +- Git Revision: :yocto_git:`4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6 </meta-mingw/commit/?id=4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6>` +- Release Artefact: meta-mingw-4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6 +- sha: fcbae0dedb363477492b86b8f997e06f995793285535b24dc66038845483eeef +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/meta-mingw-4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/meta-mingw-4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.4 </bitbake/log/?h=2.4>` +- Tag: :oe_git:`yocto-4.2.2 </bitbake/log/?h=yocto-4.2.2>` +- Git Revision: :oe_git:`08033b63ae442c774bd3fce62844eac23e6882d7 </bitbake/commit/?id=08033b63ae442c774bd3fce62844eac23e6882d7>` +- Release Artefact: bitbake-08033b63ae442c774bd3fce62844eac23e6882d7 +- sha: 1d070c133bfb6502ac04befbf082cbfda7582c8b1c48296a788384352e5061fd +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`mickledore </yocto-docs/log/?h=mickledore>` +- Tag: :yocto_git:`yocto-4.2.2 </yocto-docs/log/?h=yocto-4.2.2>` +- Git Revision: :yocto_git:`54d849d259a332389beea159d789f8fa92871475 </yocto-docs/commit/?id=54d849d259a332389beea159d789f8fa92871475>` + diff --git a/poky/documentation/migration-guides/release-notes-4.2.3.rst b/poky/documentation/migration-guides/release-notes-4.2.3.rst new file mode 100644 index 0000000000..3b568a1c29 --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.2.3.rst @@ -0,0 +1,263 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.2.3 (Mickledore) +------------------------------------------ + +Security Fixes in Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- bind: Fix :cve:`2023-2828` and :cve:`2023-2911` +- cups: Fix :cve:`2023-34241` +- dmidecode: Fix :cve:`2023-30630` +- erofs-utils: Fix :cve:`2023-33551` and :cve:`2023-33552` +- ghostscript: Fix :cve:`2023-36664` +- go: Fix :cve_mitre:`2023-24531` +- libarchive: ignore :cve:`2023-30571` +- libjpeg-turbo: Fix :cve:`2023-2804` +- libx11: Fix :cve:`2023-3138` +- ncurses: Fix :cve:`2023-29491` +- openssh: Fix :cve:`2023-38408` +- python3-certifi: Fix :cve:`2023-37920` +- python3-requests: Fix :cve:`2023-32681` +- python3: Ignore :cve:`2023-36632` +- qemu: fix :cve:`2023-0330`, :cve_mitre:`2023-2861`, :cve_mitre:`2023-3255` and :cve_mitre:`2023-3301` +- ruby: Fix :cve:`2023-36617` +- vim: Fix :cve:`2023-2609` and :cve:`2023-2610` +- webkitgtk: Fix :cve:`2023-27932` and :cve:`2023-27954` + + +Fixes in Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~ + +- acpica: Update :term:`SRC_URI` +- automake: fix buildtest patch +- baremetal-helloworld: Fix race condition +- bind: upgrade to v9.18.17 +- binutils: stable 2.40 branch updates +- build-appliance-image: Update to mickledore head revision +- cargo.bbclass: set up cargo environment in common do_compile +- conf.py: add macro for Mitre CVE links +- curl: ensure all ptest failures are caught +- cve-update-nvd2-native: actually use API keys +- cve-update-nvd2-native: fix cvssV3 metrics +- cve-update-nvd2-native: handle all configuration nodes, not just first +- cve-update-nvd2-native: increase retry count +- cve-update-nvd2-native: log a little more +- cve-update-nvd2-native: retry all errors and sleep between retries +- cve-update-nvd2-native: use exact times, don't truncate +- dev-manual: wic.rst: Update native tools build command +- devtool/upgrade: raise an error if extracting source produces more than one directory +- diffutils: upgrade to 3.10 +- docs: ref-manual: terms: fix typos in :term:`SPDX` term +- file: fix the way path is written to environment-setup.d +- file: return wrapper to fix builds when file is in buildtools-tarball +- freetype: upgrade to 2.13.1 +- gcc-testsuite: Fix ppc cpu specification +- gcc: don't pass --enable-standard-branch-protection +- glibc-locale: use stricter matching for metapackages' runtime dependencies +- glibc-testsuite: Fix network restrictions causing test failures +- glibc/check-test-wrapper: don't emit warnings from ssh +- go: upgrade to 1.20.6 +- gstreamer1.0: upgrade to 1.22.4 +- ifupdown: install missing directories +- kernel-module-split add systemd modulesloaddir and modprobedir config +- kernel-module-split: install config modules directories only when they are needed +- kernel-module-split: make autoload and probeconf distribution specific +- kernel-module-split: use context manager to open files +- kernel: Fix path comparison in kernel staging dir symlinking +- kernel: config modules directories are handled by kernel-module-split +- kernel: don't fail if Modules.symvers doesn't exist +- libassuan: upgrade to 2.5.6 +- libksba: upgrade to 1.6.4 +- libnss-nis: upgrade to 3.2 +- libproxy: fetch from git +- libwebp: upgrade to 1.3.1 +- libx11: upgrade to 1.8.6 +- libxcrypt: fix hard-coded ".so" extension +- linux-firmware : Add firmware of RTL8822 serie +- linux-firmware: Fix mediatek mt7601u firmware path +- linux-firmware: package firmare for Dragonboard 410c +- linux-firmware: split platform-specific Adreno shaders to separate packages +- linux-firmware: upgrade to 20230625 +- linux-yocto/5.15: update to v5.15.124 +- linux-yocto/6.1: cfg: update ima.cfg to match current meta-integrity +- linux-yocto/6.1: upgrade to v6.1.38 +- ltp: Add kernel loopback module dependency +- ltp: add :term:`RDEPENDS` on findutils +- lttng-ust: upgrade to 2.13.6 +- machine/arch-arm64: add -mbranch-protection=standard +- maintainers.inc: Modify email address +- mdadm: add util-linux-blockdev ptest dependency +- mdadm: fix 07revert-inplace ptest +- mdadm: fix segfaults when running ptests +- mdadm: fix util-linux ptest dependency +- mdadm: re-add mdadm-ptest to PTESTS_SLOW +- mdadm: skip running known broken ptests +- meson.bbclass: Point to llvm-config from native sysroot +- migration-guides: add release notes for 4.0.10 +- migration-guides: add release notes for 4.0.11 +- migration-guides: add release notes for 4.2.2 +- oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case +- oeqa/runtime/ltp: Increase ltp test output timeout +- oeqa/selftest/devtool: add unit test for "devtool add -b" +- oeqa/ssh: Further improve process exit handling +- oeqa/target/ssh: Ensure EAGAIN doesn't truncate output +- oeqa/utils/nfs: allow requesting non-udp ports +- openssh: upgrade to 9.3p2 +- openssl: add PERLEXTERNAL path to test its existence +- openssl: use a glob on the PERLEXTERNAL to track updates on the path +- opkg-utils: upgrade to 0.6.2 +- opkg: upgrade to 0.6.2 +- pkgconf: update :term:`SRC_URI` +- poky.conf: bump version for 4.2.3 release +- poky.conf: update :term:`SANITY_TESTED_DISTROS` to match autobuilder +- ptest-runner: Pull in parallel test fixes and output handling +- python3-certifi: upgrade to 2023.7.22 +- python3: fix missing comma in get_module_deps3.py +- recipetool: Fix inherit in created -native* recipes +- ref-manual: LTS releases now supported for 4 years +- ref-manual: document image-specific variant of :term:`INCOMPATIBLE_LICENSE` +- ref-manual: releases.svg: updates +- resulttool/resultutils: allow index generation despite corrupt json +- rootfs-postcommands.bbclass: Revert "add post func remove_unused_dnf_log_lock" +- rootfs: Add debugfs package db file copy and cleanup +- rootfs_rpm: don't depend on opkg-native for update-alternatives +- rpm: Pick debugfs package db files/dirs explicitly +- rust-common.bbclass: move musl-specific linking fix from rust-source.inc +- scripts/oe-setup-builddir: copy conf-notes.txt to build dir +- scripts/resulttool: add mention about new detected tests +- selftest/cases/glibc.py: fix the override syntax +- selftest/cases/glibc.py: increase the memory for testing +- selftest/cases/glibc.py: switch to using NFS over TCP +- shadow-sysroot: add license information +- systemd-systemctl: fix errors in instance name expansion +- taglib: upgrade to 1.13.1 +- target/ssh: Ensure exit code set for commands +- tcf-agent: upgrade to 1.8.0 +- testimage/oeqa: Drop testimage_dump_host functionality +- tiff: upgrade to 4.5.1 +- uboot-extlinux-config.bbclass: fix old override syntax in comment +- util-linux: add alternative links for ipcs,ipcrm +- vim: upgrade to 9.0.1592 +- webkitgtk: upgrade to 2.38.6 +- weston: Cleanup and fix x11 and xwayland dependencies + + +Known Issues in Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alejandro Hernandez Samaniego +- Alex Kiernan +- Alexander Kanavin +- Alexis Lothoré +- Andrej Valek +- Anuj Mittal +- Archana Polampalli +- BELOUARGA Mohamed +- Benjamin Bouvier +- Bruce Ashfield +- Changqing Li +- Chen Qi +- Daniel Semkowicz +- Dmitry Baryshkov +- Enrico Scholz +- Etienne Cordonnier +- Joe Slater +- Joel Stanley +- Jose Quaresma +- Julien Stephan +- Kai Kang +- Khem Raj +- Lee Chee Yang +- Marek Vasut +- Mark Hatle +- Michael Halstead +- Michael Opdenacker +- Mingli Yu +- Narpat Mali +- Oleksandr Hnatiuk +- Ovidiu Panait +- Peter Marko +- Quentin Schulz +- Richard Purdie +- Ross Burton +- Sanjana +- Sakib Sajal +- Staffan Rydén +- Steve Sakoman +- Stéphane Veyret +- Sudip Mukherjee +- Thomas Roos +- Tom Hochstein +- Trevor Gamblin +- Wang Mingyu +- Yi Zhao +- Yoann Congal +- Yogita Urade +- Yuta Hayama + + +Repositories / Downloads for Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`mickledore </poky/log/?h=mickledore>` +- Tag: :yocto_git:`yocto-4.2.3 </poky/log/?h=yocto-4.2.3>` +- Git Revision: :yocto_git:`aa63b25cbe25d89ab07ca11ee72c17cab68df8de </poky/commit/?id=aa63b25cbe25d89ab07ca11ee72c17cab68df8de>` +- Release Artefact: poky-aa63b25cbe25d89ab07ca11ee72c17cab68df8de +- sha: 9e2b40fc25f7984b3227126ec9b8aa68d3747c8821fb7bf8cb635fc143f894c3 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/poky-aa63b25cbe25d89ab07ca11ee72c17cab68df8de.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/poky-aa63b25cbe25d89ab07ca11ee72c17cab68df8de.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`mickledore </openembedded-core/log/?h=mickledore>` +- Tag: :oe_git:`yocto-4.2.3 </openembedded-core/log/?h=yocto-4.2.3>` +- Git Revision: :oe_git:`7e3489c0c5970389c8a239dc7b367bcadf554eb5 </openembedded-core/commit/?id=7e3489c0c5970389c8a239dc7b367bcadf554eb5>` +- Release Artefact: oecore-7e3489c0c5970389c8a239dc7b367bcadf554eb5 +- sha: 68620aca7c9db6b9a65d9853cacff4e60578f0df39e3e37114e062e1667ba724 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/oecore-7e3489c0c5970389c8a239dc7b367bcadf554eb5.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/oecore-7e3489c0c5970389c8a239dc7b367bcadf554eb5.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`mickledore </meta-mingw/log/?h=mickledore>` +- Tag: :yocto_git:`yocto-4.2.3 </meta-mingw/log/?h=yocto-4.2.3>` +- Git Revision: :yocto_git:`92258028e1b5664a9f832541d5c4f6de0bd05e07 </meta-mingw/commit/?id=92258028e1b5664a9f832541d5c4f6de0bd05e07>` +- Release Artefact: meta-mingw-92258028e1b5664a9f832541d5c4f6de0bd05e07 +- sha: ee081460b5dff4fb8dd4869ce5631718dbaaffbede9532b879b854c18f1b3f5d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/meta-mingw-92258028e1b5664a9f832541d5c4f6de0bd05e07.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/meta-mingw-92258028e1b5664a9f832541d5c4f6de0bd05e07.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.4 </bitbake/log/?h=2.4>` +- Tag: :oe_git:`yocto-4.2.3 </bitbake/log/?h=yocto-4.2.3>` +- Git Revision: :oe_git:`08033b63ae442c774bd3fce62844eac23e6882d7 </bitbake/commit/?id=08033b63ae442c774bd3fce62844eac23e6882d7>` +- Release Artefact: bitbake-08033b63ae442c774bd3fce62844eac23e6882d7 +- sha: 1d070c133bfb6502ac04befbf082cbfda7582c8b1c48296a788384352e5061fd +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`mickledore </yocto-docs/log/?h=mickledore>` +- Tag: :yocto_git:`yocto-4.2.3 </yocto-docs/log/?h=yocto-4.2.3>` +- Git Revision: :yocto_git:`8e6752a9e55d16f3713e248b37f9d4d2745a2375 </yocto-docs/commit/?id=8e6752a9e55d16f3713e248b37f9d4d2745a2375>` + diff --git a/poky/documentation/overview-manual/development-environment.rst b/poky/documentation/overview-manual/development-environment.rst index 6139e7a412..262d5cb203 100644 --- a/poky/documentation/overview-manual/development-environment.rst +++ b/poky/documentation/overview-manual/development-environment.rst @@ -232,8 +232,8 @@ and so forth. For information on finding out who is responsible for (maintains) a particular area of code in the Yocto Project, see the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section of the Yocto Project Development Tasks Manual. + ":doc:`../contributor-guide/identify-component`" + section of the Yocto Project and OpenEmbedded Contributor Guide. The Yocto Project ``poky`` Git repository also has an upstream contribution Git repository named ``poky-contrib``. You can see all the @@ -264,8 +264,8 @@ push them into the "contrib" area and subsequently request that the maintainer include them into an upstream branch. This process is called "submitting a patch" or "submitting a change." For information on submitting patches and changes, see the -":ref:`dev-manual/changes:submitting a change to the yocto project`" -section in the Yocto Project Development Tasks Manual. +":doc:`../contributor-guide/submit-changes`" section in the Yocto Project +and OpenEmbedded Contributor Guide. In summary, there is a single point of entry for changes into the development branch of the Git repository, which is controlled by the @@ -328,11 +328,10 @@ Book <https://book.git-scm.com>`__. software on which to develop. The Yocto Project has two scripts named ``create-pull-request`` and ``send-pull-request`` that ship with the release to facilitate this workflow. You can find these scripts in - the ``scripts`` folder of the - :term:`Source Directory`. For information + the ``scripts`` folder of the :term:`Source Directory`. For information on how to use these scripts, see the - ":ref:`dev-manual/changes:using scripts to push a change upstream and request a pull`" - section in the Yocto Project Development Tasks Manual. + ":ref:`contributor-guide/submit-changes:using scripts to push a change upstream and request a pull`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - *Patch Workflow:* This workflow allows you to notify the maintainer through an email that you have a change (or patch) you would like @@ -340,8 +339,8 @@ Book <https://book.git-scm.com>`__. this type of change, you format the patch and then send the email using the Git commands ``git format-patch`` and ``git send-email``. For information on how to use these scripts, see the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section in the Yocto Project Development Tasks Manual. + ":doc:`../contributor-guide/submit-changes`" section in the Yocto Project + and OpenEmbedded Contributor Guide. Git === diff --git a/poky/documentation/profile-manual/usage.rst b/poky/documentation/profile-manual/usage.rst index 703ac459a0..6f0b0418e7 100644 --- a/poky/documentation/profile-manual/usage.rst +++ b/poky/documentation/profile-manual/usage.rst @@ -2423,20 +2423,21 @@ tracer writes to, blktrace provides a way to trace without perturbing the traced device at all by providing native support for sending all trace data over the network. -To have blktrace operate in this mode, start blktrace on the target -system being traced with the -l option, along with the device to trace:: +To have blktrace operate in this mode, start blktrace in server mode on the +host system, which is going to store the captured data:: - root@crownbay:~# blktrace -l /dev/sdc + $ blktrace -l server: waiting for connections... -On the host system, use the -h option to connect to the target system, -also passing it the device to trace:: +On the target system that is going to be traced, start blktrace in client +mode with the -h option to connect to the host system, also passing it the +device to trace:: - $ blktrace -d /dev/sdc -h 192.168.1.43 + root@crownbay:~# blktrace -d /dev/sdc -h 192.168.1.43 blktrace: connecting to 192.168.1.43 blktrace: connected! -On the target system, you should see this:: +On the host system, you should see this:: server: connection from 192.168.1.43 @@ -2446,7 +2447,7 @@ In another shell, execute a workload you want to trace. :: Connecting to downloads.yoctoproject.org (140.211.169.59:80) linux-2.6.19.2.tar.b 100% \|*******************************\| 41727k 0:00:00 ETA -When it's done, do a Ctrl-C on the host system to stop the +When it's done, do a Ctrl-C on the target system to stop the trace:: ^C=== sdc === @@ -2454,7 +2455,7 @@ trace:: CPU 1: 4109 events, 193 KiB data Total: 11800 events (dropped 0), 554 KiB data -On the target system, you should also see a trace summary for the trace +On the host system, you should also see a trace summary for the trace just ended:: server: end of run for 192.168.1.43:sdc diff --git a/poky/documentation/ref-manual/images.rst b/poky/documentation/ref-manual/images.rst index d3aeb0829f..0f6d6bdb3f 100644 --- a/poky/documentation/ref-manual/images.rst +++ b/poky/documentation/ref-manual/images.rst @@ -14,15 +14,17 @@ image you want. Building an image without GNU General Public License Version 3 (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and the GNU Affero General Public License Version 3 (AGPL-3.0) components - is only supported for minimal and base images. Furthermore, if you - are going to build an image using non-GPLv3 and similarly licensed - components, you must make the following changes in the ``local.conf`` - file before using the BitBake command to build the minimal or base - image: + is only tested for core-image-minimal image. Furthermore, if you would like to + build an image and verify that it does not include GPLv3 and similarly licensed + components, you must make the following changes in the image recipe + file before using the BitBake command to build the image: - #. Comment out the :term:`EXTRA_IMAGE_FEATURES` line + INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*" - #. Set :term:`INCOMPATIBLE_LICENSE` to "GPL-3.0* LGPL-3.0* AGPL-3.0*" + Alternatively, you can adjust ``local.conf`` file, repeating and adjusting the line + for all images where the license restriction must apply: + + INCOMPATIBLE_LICENSE:pn-your-image-name = "GPL-3.0* LGPL-3.0*" From within the ``poky`` Git repository, you can use the following command to display the list of directories within the :term:`Source Directory` diff --git a/poky/documentation/ref-manual/qa-checks.rst b/poky/documentation/ref-manual/qa-checks.rst index 6fdb0fbde9..4a02e7206a 100644 --- a/poky/documentation/ref-manual/qa-checks.rst +++ b/poky/documentation/ref-manual/qa-checks.rst @@ -754,7 +754,7 @@ Errors and Warnings - ``Missing Upstream-Status in patch <patchfile> Please add according to <url> [patch-status-core/patch-status-noncore]`` - The Upstream-Status value is missing in the specified patch file's header. + The ``Upstream-Status`` value is missing in the specified patch file's header. This value is intended to track whether or not the patch has been sent upstream, whether or not it has been merged, etc. @@ -762,13 +762,13 @@ Errors and Warnings recipes in OE-Core) and ``patch-status-noncore`` (for recipes in any other layer). - For more information on setting Upstream-Status see: - https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status - + For more information, see the + ":ref:`contributor-guide/recipe-style-guide:patch upstream status`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - ``Malformed Upstream-Status in patch <patchfile> Please correct according to <url> [patch-status-core/patch-status-noncore]`` - The Upstream-Status value in the specified patch file's header is invalid - + The ``Upstream-Status`` value in the specified patch file's header is invalid - it must be a specific format. See the "Missing Upstream-Status" entry above for more information. diff --git a/poky/documentation/ref-manual/release-process.rst b/poky/documentation/ref-manual/release-process.rst index 2ffbd935c7..81c0cdb36d 100644 --- a/poky/documentation/ref-manual/release-process.rst +++ b/poky/documentation/ref-manual/release-process.rst @@ -96,22 +96,21 @@ While stable releases are supported for a duration of seven months, some specific ones are now supported for a longer period by the Yocto Project, and are called Long Term Support (:term:`LTS`) releases. -This started with version 3.1 ("Dunfell"), released in April 2020, that -the project committed to supporting until the next :term:`LTS` release was out. -This next :term:`LTS` release, version 4.0 ("Kirkstone"), was released in May 2022 -and offered with two years of support too. - -However, as an experiment, support for "Dunfell" was extended to four years, until -April 2024, therefore offering more stability to projects and leaving more time -to upgrade to the latest :term:`LTS` release. The project hasn't made any commitment to -extending "Kirkstone" support too, as this will also depend on available funding -for such an effort. - When significant issues are found, :term:`LTS` releases allow to publish fixes not only for the current stable release, but also to the :term:`LTS` releases that are still supported. Older stable releases which have reached their End of Life (EOL) won't receive such updates. +This started with version 3.1 ("Dunfell"), released in April 2020, which +the project initially committed to supporting for two years, but this duration +was later extended to four years. Similarly, the following :term:`LTS` release, +version 4.0 ("Kirkstone"), was released two years later in May 2022 and the +project committed to supporting it for four years too. + +Therefore, a new :term:`LTS` release is made every two years and is supported +for four years. This offers more stability to project users and leaves more +time to upgrade to the following :term:`LTS` release. + See :yocto_wiki:`/Stable_Release_and_LTS` for details about the management of stable and :term:`LTS` releases. diff --git a/poky/documentation/ref-manual/resources.rst b/poky/documentation/ref-manual/resources.rst index d2344e39a0..8c3726e83b 100644 --- a/poky/documentation/ref-manual/resources.rst +++ b/poky/documentation/ref-manual/resources.rst @@ -23,8 +23,7 @@ The Yocto Project gladly accepts contributions. You can submit changes to the project either by creating and sending pull requests, or by submitting patches through email. For information on how to do both as well as information on how to identify the maintainer for each area of -code, see the ":ref:`dev-manual/changes:submitting a change to the yocto project`" section in the -Yocto Project Development Tasks Manual. +code, see the :doc:`../contributor-guide/index`. .. _resources-bugtracker: @@ -46,8 +45,8 @@ your expectations). For a general procedure and guidelines on how to use Bugzilla to submit a bug against the Yocto Project, see the following: -- The ":ref:`dev-manual/changes:submitting a defect against the yocto project`" - section in the Yocto Project Development Tasks Manual. +- The ":doc:`../contributor-guide/report-defect`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - The Yocto Project :yocto_wiki:`Bugzilla wiki page </Bugzilla_Configuration_and_Bug_Tracking>` diff --git a/poky/documentation/ref-manual/svg/releases.svg b/poky/documentation/ref-manual/svg/releases.svg index d41edc1cb0..e7d5c6d502 100644 --- a/poky/documentation/ref-manual/svg/releases.svg +++ b/poky/documentation/ref-manual/svg/releases.svg @@ -2,9 +2,9 @@ <svg version="1.1" id="svg2" - width="1175.0006" - height="568.85858" - viewBox="0 0 1175.0006 568.85856" + width="2040.0006" + height="624.30518" + viewBox="0 0 2040.0006 624.30515" sodipodi:docname="releases.svg" inkscape:version="1.1.2 (0a00cf5339, 2022-02-04)" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" @@ -14,6 +14,8 @@ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"> + <title + id="title8568">Yocto Project Release Timeline</title> <metadata id="metadata8"> <rdf:RDF> @@ -22,7 +24,30 @@ <dc:format>image/svg+xml</dc:format> <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> + <cc:license + rdf:resource="http://artlibre.org/licence/lal" /> + <dc:title>Yocto Project Release Timeline</dc:title> + <dc:creator> + <cc:Agent> + <dc:title>The Yocto Project</dc:title> + </cc:Agent> + </dc:creator> </cc:Work> + <cc:License + rdf:about="http://creativecommons.org/licenses/by-sa/4.0/"> + <cc:permits + rdf:resource="http://creativecommons.org/ns#Reproduction" /> + <cc:permits + rdf:resource="http://creativecommons.org/ns#Distribution" /> + <cc:requires + rdf:resource="http://creativecommons.org/ns#Notice" /> + <cc:requires + rdf:resource="http://creativecommons.org/ns#Attribution" /> + <cc:permits + rdf:resource="http://creativecommons.org/ns#DerivativeWorks" /> + <cc:requires + rdf:resource="http://creativecommons.org/ns#ShareAlike" /> + </cc:License> </rdf:RDF> </metadata> <defs @@ -383,9 +408,9 @@ inkscape:window-height="1016" id="namedview4" showgrid="true" - inkscape:zoom="2.0466562" - inkscape:cx="450.4909" - inkscape:cy="286.56498" + inkscape:zoom="0.51166405" + inkscape:cx="-43.974166" + inkscape:cy="311.72798" inkscape:window-x="1994" inkscape:window-y="27" inkscape:window-maximized="1" @@ -401,29 +426,65 @@ <inkscape:grid type="xygrid" id="grid1257" - originx="-289.99935" - originy="269.99997" /> + originx="-289.99936" + originy="325" /> </sodipodi:namedview> <g inkscape:groupmode="layer" inkscape:label="Image" id="g10" - transform="translate(-289.99935,270)"> + transform="translate(-289.99936,325.00004)"> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 1080,220.00002 V -240 v 0 0" + d="m 1080,220.00003 v -515.00007 0 0" id="path207708" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 1200,220.00002 V -240 v 0 0" + d="m 1200,220.00003 v -515.00007 0 0" id="path207708-4" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 1320,220.00002 V -240 v 0 0" + d="m 1320,220.00003 v -515.00007 0 0" id="path207708-4-3" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 960,220.00002 V -240 v 0 0" + d="m 1440,219.99998 v -515.00002 0 0" + id="path207708-4-3-6" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1560,219.99998 v -515.00001 0 0" + id="path207708-4-3-6-2" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1680,219.99998 v -515.00002 0 0" + id="path207708-4-3-6-2-8" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1800,219.99998 v -515.00002 0 0" + id="path207708-4-3-6-2-8-4" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1920,219.99998 v -515.00002 0 0" + id="path207708-4-3-6-2-8-4-3" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 2040,219.99997 v -460.00002 0 0" + id="path207708-4-3-6-2-8-4-3-8" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 2040,219.99998 v -515.00002 0 0" + id="path207708-4-3-6-2-8-4-3-8-0" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 2159.954,219.99997 v -514.99999 0 0" + id="path207708-4-3-6-2-8-4-3-8-4" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 2280,219.99997 v -514.99999 0 0" + id="path207708-4-3-6-2-8-4-3-8-4-0" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 960,220.00003 v -515.00007 0 0" id="path207708-9" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" @@ -431,23 +492,23 @@ id="path207708-9-6" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 840,220.00002 V -240 v 0 0" + d="m 840,220.00002 v -515.00004 0 0" id="path207708-9-6-2" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 720,220.00002 V -240 v 0 0" + d="m 720,220.00003 v -515.00007 0 0" id="path207708-9-6-2-5" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 600,220.00002 V -240 v 0 0" + d="m 600,220.00003 v -515.00007 0 0" id="path207708-9-6-2-5-9" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 480,220.00002 V -240 v 0 0" + d="m 480,220.00003 v -515.00007 0 0" id="path207708-9-6-2-5-9-0" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 360,220.00002 V -240 v 0 0" + d="m 360,220.00003 v -515.00007 0 0" id="path207708-9-6-2-5-9-0-5" /> <text xml:space="preserve" @@ -482,7 +543,7 @@ <rect style="fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1" id="rect917-0-0" - width="960.00006" + width="980" height="45.000004" x="360" y="154.99997" @@ -524,7 +585,7 @@ id="tspan957-2-8-6">Gatesgarth</tspan><tspan sodipodi:role="line" x="534.10651" - y="136.9464" + y="136.94638" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none" id="tspan10317-2">3.2</tspan></text> <rect @@ -586,7 +647,7 @@ <rect style="opacity:1;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1" id="rect917-0-0-4-4-9-4-5" - width="140.00002" + width="140.00003" height="45.000004" x="1100" y="-175.00003" @@ -607,36 +668,63 @@ y="-137.50214" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none" id="tspan10317-2-9-1-4">4.2</tspan></text> + <g + id="g32107"> + <rect + style="opacity:0.75;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1" + id="rect917-0-0-4-4-9-4-5-3" + width="140.00014" + height="45.000004" + x="1199.9999" + y="-229.99998" + ry="2.2558987" /> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="1247.2329" + y="-210.32925" + id="text1185-3-55-4-0-0-0-1-1"><tspan + sodipodi:role="line" + x="1247.2329" + y="-210.32925" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none" + id="tspan957-2-8-6-3-9-7-4">Nanbield</tspan><tspan + sodipodi:role="line" + x="1247.2329" + y="-192.33258" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none" + id="tspan10317-2-9-1-4-6">4.3</tspan></text> + </g> <rect style="opacity:0.75;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1" - id="rect917-0-0-4-4-9-4-5-3" - width="140.00014" + id="rect917-0-0-4-4-9-4-5-3-9" + width="979.99994" height="45.000004" - x="1199.9999" - y="-229.99998" + x="1320" + y="-285.00003" ry="2.2558987" /> <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" - x="1247.2329" - y="-210.32925" - id="text1185-3-55-4-0-0-0-1-1"><tspan + x="1373.233" + y="-265.32928" + id="text1185-3-55-4-0-0-0-1-1-6"><tspan sodipodi:role="line" - x="1247.2329" - y="-210.32925" + x="1373.233" + y="-265.32928" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none" - id="tspan957-2-8-6-3-9-7-4">Nanbield</tspan><tspan + id="tspan957-2-8-6-3-9-7-4-2">Scarthgap</tspan><tspan sodipodi:role="line" - x="1247.2329" - y="-192.33258" + x="1373.233" + y="-247.33261" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none" - id="tspan10317-2-9-1-4-6">4.3</tspan></text> + id="tspan10317-2-9-1-4-6-5">4.4</tspan></text> <rect style="fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1" id="rect917-0-0-4-4-9-9" - width="480.00006" + width="960.00012" height="45.000004" - x="860" + x="859.99994" y="-64.999992" ry="2.2558987" /> <text @@ -673,7 +761,7 @@ id="tspan10317-2-9-8">3.3</tspan></text> <g id="g1125-0" - transform="matrix(0.42240595,0,0,0.41654472,354.16682,-355.15199)" + transform="matrix(0.42240595,0,0,0.41654472,354.53445,-399.96314)" style="stroke:none;stroke-width:2.38399"> <rect style="opacity:1;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:4.76797;stroke-opacity:1" @@ -777,6 +865,38 @@ id="tspan49906">2023</tspan></text> <text xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="1439.3904" + y="249.86044" + id="text1185-9-7-1-1-89"><tspan + sodipodi:role="line" + x="1439.3904" + y="249.86044" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-7">Oct.</tspan><tspan + sodipodi:role="line" + x="1439.3904" + y="267.85712" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-76">2024</tspan></text> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="1679.3094" + y="250.58356" + id="text1185-9-7-1-1-89-6"><tspan + sodipodi:role="line" + x="1679.3094" + y="250.58356" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-7-8">Oct.</tspan><tspan + sodipodi:role="line" + x="1679.3094" + y="268.58023" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-76-0">2025</tspan></text> + <text + xml:space="preserve" style="font-weight:bold;font-size:6.66667px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" x="849.49744" y="61.106953" @@ -799,64 +919,64 @@ <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" - x="972.71832" - y="260.21216" + x="959.52008" + y="250.67822" id="text1185-9-7-1-1-0-7"><tspan sodipodi:role="line" - x="972.71832" - y="260.21216" + x="959.52008" + y="250.67822" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan31345-42-7">Oct.</tspan><tspan sodipodi:role="line" - x="972.71832" - y="278.20883" + x="959.52008" + y="268.6749" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan49906-9-6">2022</tspan></text> <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" - x="721.13617" + x="719.13617" y="250.21216" id="text1185-9-7-1-1-2"><tspan sodipodi:role="line" - x="721.13617" + x="719.13617" y="250.21216" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan31345-1">Oct.</tspan><tspan sodipodi:role="line" - x="721.13617" + x="719.13617" y="268.20883" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan49906-5">2021</tspan></text> <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" - x="485.04486" + x="478.82367" y="250.21216" id="text1185-9-7-1-1-80"><tspan sodipodi:role="line" - x="485.04486" + x="478.82367" y="250.21216" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan31345-5">Oct.</tspan><tspan sodipodi:role="line" - x="485.04486" + x="478.82367" y="268.20883" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan49906-6">2020</tspan></text> <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" - x="360.96921" + x="361.81961" y="250.07544" id="text1185-9-7-1-1-8"><tspan sodipodi:role="line" - x="360.96921" + x="361.81961" y="250.07544" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan31345-4">Apr.</tspan><tspan sodipodi:role="line" - x="360.96921" + x="361.81961" y="268.07211" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan49906-7">2020</tspan></text> @@ -879,22 +999,54 @@ <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" - x="1317.4003" + x="1321.8608" y="250.07544" id="text1185-9-7-1-1-8-1-0"><tspan sodipodi:role="line" - x="1317.4003" + x="1321.8608" y="250.07544" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan31345-4-0-4">Apr.</tspan><tspan sodipodi:role="line" - x="1317.4003" + x="1321.8608" y="268.07211" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan49906-7-3-8">2024</tspan></text> <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="1561.8163" + y="249.66977" + id="text1185-9-7-1-1-8-1-0-4"><tspan + sodipodi:role="line" + x="1561.8163" + y="249.66977" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-4-0-4-81">Apr.</tspan><tspan + sodipodi:role="line" + x="1561.8163" + y="267.66644" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-7-3-8-2">2025</tspan></text> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="1802.1477" + y="250.26334" + id="text1185-9-7-1-1-8-1-0-4-2"><tspan + sodipodi:role="line" + x="1802.1477" + y="250.26334" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-4-0-4-81-5">Apr.</tspan><tspan + sodipodi:role="line" + x="1802.1477" + y="268.26001" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-7-3-8-2-8">2026</tspan></text> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" x="1081.4458" y="250.07544" id="text1185-9-7-1-1-8-1-0-2"><tspan @@ -911,16 +1063,16 @@ <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" - x="604.18005" + x="602.51526" y="250.07544" id="text1185-9-7-1-1-8-1-7"><tspan sodipodi:role="line" - x="604.18005" + x="602.51526" y="250.07544" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan31345-4-0-5">Apr.</tspan><tspan sodipodi:role="line" - x="604.18005" + x="602.51526" y="268.07211" style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" id="tspan49906-7-3-6">2021</tspan></text> @@ -937,7 +1089,7 @@ <path id="path29430" style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 319.99935,219.99912 H 1435 Z" /> + d="M 319.99936,219.99912 H 2300 Z" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 360,219.99997 v 10.00004 0" @@ -1178,42 +1330,201 @@ inkscape:transform-center-y="-0.085282837" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 1200,220.00002 v 9.99999 0" - id="path29548-5-1-3-6-3-1-0" /> - <path - style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 1320,219.99996 v 10 0" id="path29548-5-1-3-6-3-1-0-8" /> + <g + id="g1267"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> + <g + id="g1267-4" + transform="translate(240,-4e-5)"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> + <g + id="g1267-4-5" + transform="translate(480,-5e-5)"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-4" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> + <g + id="g1267-4-5-22" + transform="translate(600,-4e-5)"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-4-0" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-55" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-2" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-90" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-2" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-8" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> + <g + id="g1267-4-5-9" + transform="translate(360,-4e-5)"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-4-2" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-2" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-4" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-7" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-7" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-5" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> <path - style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 1220,219.99997 v 5.00004 0" - id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5" - inkscape:transform-center-x="14.782001" - inkscape:transform-center-y="-0.085282837" /> - <path - style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 1240,219.99997 v 5.00004 0" - id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5" - inkscape:transform-center-x="14.782001" - inkscape:transform-center-y="-0.085282837" /> - <path - style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 1260,219.99997 v 5.00004 0" - id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2" - inkscape:transform-center-x="14.782001" - inkscape:transform-center-y="-0.085282837" /> - <path - style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 1280,219.99997 v 5.00004 0" - id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9" - inkscape:transform-center-x="14.782001" - inkscape:transform-center-y="-0.085282837" /> - <path - style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 1299.7216,219.99997 v 5.00004 0" - id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0" - inkscape:transform-center-x="-14.78205" - inkscape:transform-center-y="-0.085282837" /> + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1800,219.99997 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-4-2-0" /> <path style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 1340,219.99997 v 5.00004 0" @@ -1244,6 +1555,188 @@ id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-9" inkscape:transform-center-x="-14.78205" inkscape:transform-center-y="-0.085282837" /> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="1919.3904" + y="249.86044" + id="text1185-9-7-1-1-89-62"><tspan + sodipodi:role="line" + x="1919.3904" + y="249.86044" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-7-6">Oct.</tspan><tspan + sodipodi:role="line" + x="1919.3904" + y="267.85712" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-76-7">2026</tspan></text> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="2159.3093" + y="250.58356" + id="text1185-9-7-1-1-89-6-5"><tspan + sodipodi:role="line" + x="2159.3093" + y="250.58356" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-7-8-6">Oct.</tspan><tspan + sodipodi:role="line" + x="2159.3093" + y="268.58023" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-76-0-9">2027</tspan></text> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="2041.8163" + y="249.66977" + id="text1185-9-7-1-1-8-1-0-4-8"><tspan + sodipodi:role="line" + x="2041.8163" + y="249.66977" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-4-0-4-81-7">Apr.</tspan><tspan + sodipodi:role="line" + x="2041.8163" + y="267.66644" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-7-3-8-2-2">2027</tspan></text> + <text + xml:space="preserve" + style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" + x="2282.1477" + y="250.26334" + id="text1185-9-7-1-1-8-1-0-4-2-8"><tspan + sodipodi:role="line" + x="2282.1477" + y="250.26334" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan31345-4-0-4-81-5-2">Apr.</tspan><tspan + sodipodi:role="line" + x="2282.1477" + y="268.26001" + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none" + id="tspan49906-7-3-8-2-8-9">2028</tspan></text> + <g + id="g1267-4-9" + transform="translate(720,-3e-5)"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-6" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-02" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-7" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-6" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-1" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-3" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> + <g + id="g1267-4-5-2" + transform="translate(960,-4e-5)"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-4-1" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-5" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-9" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-9" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-1" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-4" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> + <g + id="g1267-4-5-9-9" + transform="translate(840,-3e-5)"> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1200,220.00002 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-4-2-1" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1220,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-2-0" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1240,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-4-7" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1260,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-7-5" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1280,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-7-8" + inkscape:transform-center-x="14.782001" + inkscape:transform-center-y="-0.085282837" /> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 1299.7216,219.99997 v 5.00004 0" + id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-5-7" + inkscape:transform-center-x="-14.78205" + inkscape:transform-center-y="-0.085282837" /> + </g> + <path + style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + d="m 2280,219.99998 v 9.99999 0" + id="path29548-5-1-3-6-3-1-0-3-4-2-0-0" /> </g> <style type="text/css" diff --git a/poky/documentation/ref-manual/system-requirements.rst b/poky/documentation/ref-manual/system-requirements.rst index d6e8b4583c..e1ff51c859 100644 --- a/poky/documentation/ref-manual/system-requirements.rst +++ b/poky/documentation/ref-manual/system-requirements.rst @@ -55,28 +55,48 @@ as much RAM and as many CPU cores as possible. Supported Linux Distributions ============================= -Currently, the Yocto Project is supported on the following distributions: - -- Ubuntu 18.04 (LTS) +Currently, the &DISTRO; release ("&DISTRO_NAME;") of the Yocto Project is +supported on the following distributions: - Ubuntu 20.04 (LTS) - Ubuntu 22.04 (LTS) -- Fedora 36 - - Fedora 37 -- AlmaLinux 8.7 +- Fedora 38 -- AlmaLinux 9.1 +- CentOS Stream 8 -- Debian GNU/Linux 11.x (Bullseye) +- Debian GNU/Linux 11 (Bullseye) -- OpenSUSE Leap 15.3 +- Debian GNU/Linux 12 (Bookworm) - OpenSUSE Leap 15.4 +- AlmaLinux 8.8 + +- AlmaLinux 9.2 + +The following distribution versions are still tested (being listed +in :term:`SANITY_TESTED_DISTROS`), even though the organizations +publishing them no longer make updates publicly available: + +- Ubuntu 18.04 (LTS) + +- Ubuntu 22.10 + +- OpenSUSE Leap 15.3 + +Note that the Yocto Project doesn't have access to private updates +that some of these versions may have. Therefore, our testing has +limited value if you have access to such updates. + +Finally, here are the distribution versions which were previously +tested on former revisions of "&DISTRO_NAME;", but no longer are: + +*This list is currently empty* + .. note:: - While the Yocto Project Team attempts to ensure all Yocto Project @@ -114,9 +134,8 @@ Currently, the Yocto Project is supported on the following distributions: interested in hearing about your experience. For information on how to submit a bug, see the Yocto Project :yocto_wiki:`Bugzilla wiki page </Bugzilla_Configuration_and_Bug_Tracking>` - and the ":ref:`dev-manual/changes:submitting a defect against the yocto project`" - section in the Yocto Project Development Tasks Manual. - + and the ":doc:`../contributor-guide/report-defect`" + section in the Yocto Project and OpenEmbedded Contributor Guide. Required Packages for the Build Host ==================================== diff --git a/poky/documentation/ref-manual/terms.rst b/poky/documentation/ref-manual/terms.rst index 4baef38cfd..046eed6359 100644 --- a/poky/documentation/ref-manual/terms.rst +++ b/poky/documentation/ref-manual/terms.rst @@ -276,7 +276,7 @@ universal, the list includes them just in case: :term:`LTS` This term means "Long Term Support", and in the context of the Yocto Project, it corresponds to selected stable releases for which bug and - security fixes are provided for at least two years. See + security fixes are provided for at least four years. See the :ref:`ref-long-term-support-releases` section for details. :term:`Metadata` @@ -475,11 +475,11 @@ universal, the list includes them just in case: section in the Yocto Project Overview and Concepts Manual. :term:`SPDX` - This term means *Software Package Data Exchange*, and is used as a open + This term means *Software Package Data Exchange*, and is used as an open standard for providing a *Software Bill of Materials* (:term:`SBOM`). This standard is developed through a `Linux Foundation project <https://spdx.dev/>`__ and is used by the OpenEmbedded Build System to - provide an :term:`SBOM` associated to each a software image. + provide an :term:`SBOM` associated to each software image. For details, see Wikipedia's :wikipedia:`SPDX page <Software_Package_Data_Exchange>` and the ":ref:`dev-manual/sbom:creating a software bill of materials`" diff --git a/poky/documentation/ref-manual/variables.rst b/poky/documentation/ref-manual/variables.rst index 32359291b2..3f10efabc7 100644 --- a/poky/documentation/ref-manual/variables.rst +++ b/poky/documentation/ref-manual/variables.rst @@ -3845,9 +3845,18 @@ system and gives an overview of their function and contents. :term:`INCOMPATIBLE_LICENSE` Specifies a space-separated list of license names (as they would appear in :term:`LICENSE`) that should be excluded - from the build. Recipes that provide no alternatives to listed + from the build (if set globally), or from an image (if set locally + in an image recipe). + + When the variable is set globally, recipes that provide no alternatives to listed incompatible licenses are not built. Packages that are individually - licensed with the specified incompatible licenses will be deleted. + licensed with the specified incompatible licenses will be deleted. + Most of the time this does not allow a feasible build (because it becomes impossible + to satisfy build time dependencies), so the recommended way to + implement license restrictions is to set the variable in specific + image recipes where the restrictions must apply. That way there + are no build time restrictions, but the license check is still + performed when the image's filesystem is assembled from packages. There is some support for wildcards in this variable's value, however it is restricted to specific licenses. Currently only @@ -7787,7 +7796,7 @@ system and gives an overview of their function and contents. that if you want to build a fixed revision and you want to avoid performing a query on the remote repository every time BitBake parses your recipe, you should specify a :term:`SRCREV` that is a full revision - identifier and not just a tag. + identifier (e.g. the full SHA hash in git) and not just a tag. .. note:: diff --git a/poky/documentation/sdk-manual/extensible.rst b/poky/documentation/sdk-manual/extensible.rst index 9e08e57a4e..355c6cb0e4 100644 --- a/poky/documentation/sdk-manual/extensible.rst +++ b/poky/documentation/sdk-manual/extensible.rst @@ -48,18 +48,20 @@ Extensible SDK can be installed in two different ways, and both have their own pros and cons: #. *Setting up the Extensible SDK environment directly in a Yocto build*. This -avoids having to produce, test, distribute and maintain separate SDK installer -archives, which can get very large. There is only one environment for the regular -Yocto build and the SDK and less code paths where things can go not according to plan. -It's easier to update the SDK: it simply means updating the Yocto layers with -git fetch or layer management tooling. The SDK extensibility is better than in the -second option: just run ``bitbake`` again to add more things to the sysroot, or add layers -if even more things are required. - -#. *Setting up the Extensible SDK from a standalone installer*. This has the benefit of -having a single, self-contained archive that includes all the needed binary artifacts. -So nothing needs to be rebuilt, and there is no need to provide a well-functioning -binary artefact cache over the network for developers with underpowered laptops. + avoids having to produce, test, distribute and maintain separate SDK + installer archives, which can get very large. There is only one environment + for the regular Yocto build and the SDK and less code paths where things can + go not according to plan. It's easier to update the SDK: it simply means + updating the Yocto layers with git fetch or layer management tooling. The + SDK extensibility is better than in the second option: just run ``bitbake`` + again to add more things to the sysroot, or add layers if even more things + are required. + +#. *Setting up the Extensible SDK from a standalone installer*. This has the + benefit of having a single, self-contained archive that includes all the + needed binary artifacts. So nothing needs to be rebuilt, and there is no + need to provide a well-functioning binary artefact cache over the network + for developers with underpowered laptops. Setting up the Extensible SDK environment directly in a Yocto build ------------------------------------------------------------------- @@ -67,12 +69,12 @@ Setting up the Extensible SDK environment directly in a Yocto build #. Set up all the needed layers and a Yocto :term:`Build Directory`, e.g. a regular Yocto build where ``bitbake`` can be executed. -#. Run: - $ bitbake meta-ide-support - $ bitbake -c populate_sysroot gtk+3 - (or any other target or native item that the application developer would need) - $ bitbake build-sysroots +#. Run:: + $ bitbake meta-ide-support + $ bitbake -c populate_sysroot gtk+3 + # or any other target or native item that the application developer would need + $ bitbake build-sysroots Setting up the Extensible SDK from a standalone installer --------------------------------------------------------- @@ -194,15 +196,13 @@ script is for an IA-based target machine using i586 tuning:: Run devtool --help for further details. When using the environment script directly in a Yocto build, it can -be run similarly: +be run similarly:: $ source tmp/deploy/images/qemux86-64/environment-setup-core2-64-poky-linux -Running the setup script defines many environment variables needed in -order to use the SDK (e.g. ``PATH``, -:term:`CC`, -:term:`LD`, and so forth). If you want to -see all the environment variables the script exports, examine the +Running the setup script defines many environment variables needed in order to +use the SDK (e.g. ``PATH``, :term:`CC`, :term:`LD`, and so forth). If you want +to see all the environment variables the script exports, examine the installation file itself. Using ``devtool`` in Your SDK Workflow @@ -216,11 +216,8 @@ system. .. note:: - The use of - devtool - is not limited to the extensible SDK. You can use - devtool - to help you easily develop any project whose build output must be + The use of ``devtool`` is not limited to the extensible SDK. You can use + ``devtool`` to help you easily develop any project whose build output must be part of an image built using the build system. The ``devtool`` command line is organized similarly to @@ -230,15 +227,10 @@ all the commands. .. note:: - See the " - devtool - Quick Reference - " in the Yocto Project Reference Manual for a - devtool - quick reference. + See the ":doc:`/ref-manual/devtool-reference`" + section in the Yocto Project Reference Manual. -Three ``devtool`` subcommands provide entry-points into -development: +Three ``devtool`` subcommands provide entry-points into development: - *devtool add*: Assists in adding new software to be built. @@ -315,9 +307,8 @@ command: .. note:: - If required, - devtool - always creates a Git repository locally during the extraction. + If required, ``devtool`` always creates a Git repository locally + during the extraction. Furthermore, the first positional argument ``srctree`` in this case identifies where the ``devtool add`` command will locate the @@ -326,8 +317,7 @@ command: $ devtool add recipe srctree fetchuri - In summary, - the source code is pulled from fetchuri and extracted into the + In summary, the source code is pulled from fetchuri and extracted into the location defined by ``srctree`` as a local Git repository. Within workspace, ``devtool`` creates a recipe named recipe along @@ -358,16 +348,14 @@ command: $ devtool edit-recipe recipe - From within the editor, you - can make modifications to the recipe that take effect when you build - it later. + From within the editor, you can make modifications to the recipe that + take effect when you build it later. #. *Build the Recipe or Rebuild the Image*: The next step you take depends on what you are going to do with the new code. If you need to eventually move the build output to the target - hardware, use the following ``devtool`` command: - :; + hardware, use the following ``devtool`` command:: $ devtool build recipe @@ -392,8 +380,11 @@ command: development machine. You can deploy your build output to that target hardware by using the - ``devtool deploy-target`` command: $ devtool deploy-target recipe - target The target is a live target machine running as an SSH server. + ``devtool deploy-target`` command:: + + $ devtool deploy-target recipe target + + The target is a live target machine running as an SSH server. You can, of course, also deploy the image you build to actual hardware by using the ``devtool build-image`` command. However, @@ -422,11 +413,9 @@ command: .. note:: - You can use the - devtool reset - command to put things back should you decide you do not want to - proceed with your work. If you do use this command, realize that - the source tree is preserved. + You can use the ``devtool reset`` command to put things back should you + decide you do not want to proceed with your work. If you do use this + command, realize that the source tree is preserved. Use ``devtool modify`` to Modify the Source of an Existing Component -------------------------------------------------------------------- @@ -473,11 +462,9 @@ command: $ devtool modify recipe - Once - ``devtool``\ locates the recipe, ``devtool`` uses the recipe's - :term:`SRC_URI` statements to - locate the source code and any local patch files from other - developers. + Once ``devtool`` locates the recipe, ``devtool`` uses the recipe's + :term:`SRC_URI` statements to locate the source code and any local + patch files from other developers. With this scenario, there is no ``srctree`` argument. Consequently, the default behavior of the ``devtool modify`` command is to extract @@ -513,11 +500,7 @@ command: .. note:: - You cannot provide a URL for - srctree - using the - devtool - command. + You cannot provide a URL for ``srctree`` using the ``devtool`` command. As with all extractions, the command uses the recipe's :term:`SRC_URI` statements to locate the source files and any associated patch @@ -570,7 +553,9 @@ command: On the other hand, if you want an image to contain the recipe's packages from the workspace for immediate deployment onto a device (e.g. for testing purposes), you can use the ``devtool build-image`` - command: $ devtool build-image image + command:: + + $ devtool build-image image #. *Deploy the Build Output*: When you use the ``devtool build`` command to build out your recipe, you probably want to see if the resulting @@ -610,8 +595,7 @@ command: Any changes you want to turn into patches must be staged and committed within the local Git repository before you use the - devtool finish - command. + ``devtool finish`` command. Because there is no need to move the recipe, ``devtool finish`` either updates the original recipe in the original layer or the @@ -626,11 +610,9 @@ command: .. note:: - You can use the - devtool reset - command to put things back should you decide you do not want to - proceed with your work. If you do use this command, realize that - the source tree is preserved. + You can use the ``devtool reset`` command to put things back should you + decide you do not want to proceed with your work. If you do use this + command, realize that the source tree is preserved. Use ``devtool upgrade`` to Create a Version of the Recipe that Supports a Newer Version of the Software ------------------------------------------------------------------------------------------------------- @@ -644,12 +626,11 @@ counterparts. .. note:: - Several methods exist by which you can upgrade recipes - - ``devtool upgrade`` - happens to be one. You can read about all the methods by which you - can upgrade recipes in the - :ref:`dev-manual/upgrading-recipes:upgrading recipes` section - of the Yocto Project Development Tasks Manual. + Several methods exist by which you can upgrade recipes --- + ``devtool upgrade`` happens to be one. You can read about all the methods by + which you can upgrade recipes in the + :ref:`dev-manual/upgrading-recipes:upgrading recipes` section of the Yocto + Project Development Tasks Manual. The ``devtool upgrade`` command is flexible enough to allow you to specify source code revision and versioning schemes, extract code into or out of the @@ -755,8 +736,11 @@ The following diagram shows the common development flow used with the development machine. You can deploy your build output to that target hardware by using the - ``devtool deploy-target`` command: $ devtool deploy-target recipe - target The target is a live target machine running as an SSH server. + ``devtool deploy-target`` command:: + + $ devtool deploy-target recipe target + + The target is a live target machine running as an SSH server. You can, of course, also deploy the image you build using the ``devtool build-image`` command to actual hardware. However, @@ -790,11 +774,9 @@ The following diagram shows the common development flow used with the .. note:: - You can use the - devtool reset - command to put things back should you decide you do not want to - proceed with your work. If you do use this command, realize that - the source tree is preserved. + You can use the ``devtool reset`` command to put things back should you + decide you do not want to proceed with your work. If you do use this + command, realize that the source tree is preserved. A Closer Look at ``devtool add`` ================================ @@ -862,10 +844,9 @@ run ``devtool add`` again and provide the name or the version. Dependency Detection and Mapping -------------------------------- -The ``devtool add`` command attempts to detect build-time dependencies -and map them to other recipes in the system. During this mapping, the -command fills in the names of those recipes as part of the -:term:`DEPENDS` variable within the +The ``devtool add`` command attempts to detect build-time dependencies and map +them to other recipes in the system. During this mapping, the command fills in +the names of those recipes as part of the :term:`DEPENDS` variable within the recipe. If a dependency cannot be mapped, ``devtool`` places a comment in the recipe indicating such. The inability to map a dependency can result from naming not being recognized or because the dependency simply @@ -882,10 +863,8 @@ following to your recipe:: .. note:: - The - devtool add - command often cannot distinguish between mandatory and optional - dependencies. Consequently, some of the detected dependencies might + The ``devtool add`` command often cannot distinguish between mandatory and + optional dependencies. Consequently, some of the detected dependencies might in fact be optional. When in doubt, consult the documentation or the configure script for the software the recipe is building for further details. In some cases, you might find you can substitute the @@ -895,16 +874,14 @@ following to your recipe:: License Detection ----------------- -The ``devtool add`` command attempts to determine if the software you -are adding is able to be distributed under a common, open-source -license. If so, the command sets the -:term:`LICENSE` value accordingly. +The ``devtool add`` command attempts to determine if the software you are +adding is able to be distributed under a common, open-source license. If +so, the command sets the :term:`LICENSE` value accordingly. You should double-check the value added by the command against the documentation or source files for the software you are building and, if necessary, update that :term:`LICENSE` value. -The ``devtool add`` command also sets the -:term:`LIC_FILES_CHKSUM` +The ``devtool add`` command also sets the :term:`LIC_FILES_CHKSUM` value to point to all files that appear to be license-related. Realize that license statements often appear in comments at the top of source files or within the documentation. In such cases, the command does not @@ -984,10 +961,9 @@ mind: Adding Native Tools ------------------- -Often, you need to build additional tools that run on the :term:`Build -Host` as opposed to -the target. You should indicate this requirement by using one of the -following methods when you run ``devtool add``: +Often, you need to build additional tools that run on the :term:`Build Host` +as opposed to the target. You should indicate this requirement by using one of +the following methods when you run ``devtool add``: - Specify the name of the recipe such that it ends with "-native". Specifying the name like this produces a recipe that only builds for @@ -1011,8 +987,7 @@ Adding Node.js Modules ---------------------- You can use the ``devtool add`` command two different ways to add -Node.js modules: 1) Through ``npm`` and, 2) from a repository or local -source. +Node.js modules: through ``npm`` or from a repository or local source. Use the following form to add Node.js modules through ``npm``:: @@ -1027,7 +1002,7 @@ these behaviors ensure the reproducibility and integrity of the build. .. note:: - - You must use quotes around the URL. The ``devtool add`` does not + - You must use quotes around the URL. ``devtool add`` does not require the quotes, but the shell considers ";" as a splitter between multiple commands. Thus, without the quotes, ``devtool add`` does not receive the other parts, which results in @@ -1042,9 +1017,8 @@ repository or local source tree. To add modules this way, use $ devtool add https://github.com/diversario/node-ssdp -In this example, ``devtool`` -fetches the specified Git repository, detects the code as Node.js code, -fetches dependencies using ``npm``, and sets +In this example, ``devtool`` fetches the specified Git repository, detects the +code as Node.js code, fetches dependencies using ``npm``, and sets :term:`SRC_URI` accordingly. Working With Recipes @@ -1121,18 +1095,13 @@ Setting Configure Arguments If the software your recipe is building uses GNU autoconf, then a fixed set of arguments is passed to it to enable cross-compilation plus any -extras specified by -:term:`EXTRA_OECONF` or -:term:`PACKAGECONFIG_CONFARGS` +extras specified by :term:`EXTRA_OECONF` or :term:`PACKAGECONFIG_CONFARGS` set within the recipe. If you wish to pass additional options, add them to :term:`EXTRA_OECONF` or :term:`PACKAGECONFIG_CONFARGS`. Other supported build -tools have similar variables (e.g. -:term:`EXTRA_OECMAKE` for -CMake, :term:`EXTRA_OESCONS` -for Scons, and so forth). If you need to pass anything on the ``make`` -command line, you can use :term:`EXTRA_OEMAKE` or the -:term:`PACKAGECONFIG_CONFARGS` -variables to do so. +tools have similar variables (e.g. :term:`EXTRA_OECMAKE` for CMake, +:term:`EXTRA_OESCONS` for Scons, and so forth). If you need to pass anything on +the ``make`` command line, you can use :term:`EXTRA_OEMAKE` or the +:term:`PACKAGECONFIG_CONFARGS` variables to do so. You can use the ``devtool configure-help`` command to help you set the arguments listed in the previous paragraph. The command determines the @@ -1156,8 +1125,7 @@ the build host. Recipes should never write files directly into the sysroot. Instead, files should be installed into standard locations during the -:ref:`ref-tasks-install` task within -the ``${``\ :term:`D`\ ``}`` directory. A +:ref:`ref-tasks-install` task within the ``${``\ :term:`D`\ ``}`` directory. A subset of these files automatically goes into the sysroot. The reason for this limitation is that almost all files that go into the sysroot are cataloged in manifests in order to ensure they can be removed later @@ -1173,14 +1141,12 @@ the target device, it is important to understand packaging because the contents of the image are expressed in terms of packages and not recipes. -During the :ref:`ref-tasks-package` -task, files installed during the -:ref:`ref-tasks-install` task are -split into one main package, which is almost always named the same as -the recipe, and into several other packages. This separation exists -because not all of those installed files are useful in every image. For -example, you probably do not need any of the documentation installed in -a production image. Consequently, for each recipe the documentation +During the :ref:`ref-tasks-package` task, files installed during the +:ref:`ref-tasks-install` task are split into one main package, which is almost +always named the same as the recipe, and into several other packages. This +separation exists because not all of those installed files are useful in every +image. For example, you probably do not need any of the documentation installed +in a production image. Consequently, for each recipe the documentation files are separated into a ``-doc`` package. Recipes that package software containing optional modules or plugins might undergo additional package splitting as well. @@ -1188,8 +1154,7 @@ package splitting as well. After building a recipe, you can see where files have gone by looking in the ``oe-workdir/packages-split`` directory, which contains a subdirectory for each package. Apart from some advanced cases, the -:term:`PACKAGES` and -:term:`FILES` variables controls +:term:`PACKAGES` and :term:`FILES` variables controls splitting. The :term:`PACKAGES` variable lists all of the packages to be produced, while the :term:`FILES` variable specifies which files to include in each package by using an override to specify the package. For @@ -1231,16 +1196,11 @@ target machine. .. note:: - The - devtool deploy-target - and - devtool undeploy-target - commands do not currently interact with any package management system - on the target device (e.g. RPM or OPKG). Consequently, you should not - intermingle - devtool deploy-target - and package manager operations on the target device. Doing so could - result in a conflicting set of files. + The ``devtool deploy-target`` and ``devtool undeploy-target`` commands do + not currently interact with any package management system on the target + device (e.g. RPM or OPKG). Consequently, you should not intermingle + ``devtool deploy-target`` and package manager operations on the target + device. Doing so could result in a conflicting set of files. Installing Additional Items Into the Extensible SDK =================================================== @@ -1264,7 +1224,7 @@ When using the extensible SDK directly in a Yocto build In this scenario, the Yocto build tooling, e.g. ``bitbake`` is directly accessible to build additional items, and it -can simply be executed directly: +can simply be executed directly:: $ bitbake mesa $ bitbake build-sysroots @@ -1272,6 +1232,8 @@ can simply be executed directly: When using a standalone installer for the Extensible SDK -------------------------------------------------------- +:: + $ devtool sdk-install mesa By default, the ``devtool sdk-install`` command assumes @@ -1297,13 +1259,13 @@ To update your installed SDK, use ``devtool`` as follows:: $ devtool sdk-update -The previous command assumes your SDK provider has set the -default update URL for you through the :term:`SDK_UPDATE_URL` -variable as described in the +The previous command assumes your SDK provider has set the default update URL +for you through the :term:`SDK_UPDATE_URL` variable as described in the ":ref:`sdk-manual/appendix-customizing:Providing Updates to the Extensible SDK After Installation`" section. If the SDK provider has not set that default URL, you need to -specify it yourself in the command as follows: $ devtool sdk-update -path_to_update_directory +specify it yourself in the command as follows:: + + $ devtool sdk-update path_to_update_directory .. note:: diff --git a/poky/documentation/template/template.svg b/poky/documentation/template/template.svg index 43043e3afb..50715c08b0 100644 --- a/poky/documentation/template/template.svg +++ b/poky/documentation/template/template.svg @@ -1019,7 +1019,7 @@ id="tspan1183-1-8" x="-52.348656" y="518.42615" - style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:37.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke:none">Objets</tspan></text> + style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:37.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke:none">Objects</tspan></text> <text xml:space="preserve" style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" diff --git a/poky/meta-poky/conf/distro/poky.conf b/poky/meta-poky/conf/distro/poky.conf index d7bfc4dc1b..35ca512382 100644 --- a/poky/meta-poky/conf/distro/poky.conf +++ b/poky/meta-poky/conf/distro/poky.conf @@ -1,6 +1,6 @@ DISTRO = "poky" DISTRO_NAME = "Poky (Yocto Project Reference Distro)" -DISTRO_VERSION = "4.2.1" +DISTRO_VERSION = "4.2.3" DISTRO_CODENAME = "mickledore" SDK_VENDOR = "-pokysdk" SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}" @@ -38,13 +38,16 @@ SANITY_TESTED_DISTROS ?= " \ ubuntu-18.04 \n \ ubuntu-20.04 \n \ ubuntu-22.04 \n \ - fedora-36 \n \ + ubuntu-22.10 \n \ fedora-37 \n \ + fedora-38 \n \ + centosstream-8 \n \ debian-11 \n \ + debian-12 \n \ opensuseleap-15.3 \n \ opensuseleap-15.4 \n \ - almalinux-8.7 \n \ - almalinux-9.1 \n \ + almalinux-8.8 \n \ + almalinux-9.2 \n \ " # add poky sanity bbclass INHERIT += "poky-sanity" diff --git a/poky/meta-selftest/recipes-test/license/incompatible-license-alias.bb b/poky/meta-selftest/recipes-test/license/incompatible-license-alias.bb index e0b4e13c26..1af99e7809 100644 --- a/poky/meta-selftest/recipes-test/license/incompatible-license-alias.bb +++ b/poky/meta-selftest/recipes-test/license/incompatible-license-alias.bb @@ -1,3 +1,5 @@ SUMMARY = "Recipe with an alias of an SPDX license" DESCRIPTION = "Is licensed with an alias of an SPDX license to be used for testing" LICENSE = "GPLv3" + +EXCLUDE_FROM_WORLD = "1" diff --git a/poky/meta-selftest/recipes-test/license/incompatible-license.bb b/poky/meta-selftest/recipes-test/license/incompatible-license.bb index 282f5c2875..6fdc58fd30 100644 --- a/poky/meta-selftest/recipes-test/license/incompatible-license.bb +++ b/poky/meta-selftest/recipes-test/license/incompatible-license.bb @@ -1,3 +1,5 @@ SUMMARY = "Recipe with an SPDX license" DESCRIPTION = "Is licensed with an SPDX license to be used for testing" LICENSE = "GPL-3.0-only" + +EXCLUDE_FROM_WORLD = "1" diff --git a/poky/meta-selftest/recipes-test/license/incompatible-licenses.bb b/poky/meta-selftest/recipes-test/license/incompatible-licenses.bb index 9709892644..47bd8d7c00 100644 --- a/poky/meta-selftest/recipes-test/license/incompatible-licenses.bb +++ b/poky/meta-selftest/recipes-test/license/incompatible-licenses.bb @@ -1,3 +1,5 @@ SUMMARY = "Recipe with multiple SPDX licenses" DESCRIPTION = "Is licensed with multiple SPDX licenses to be used for testing" LICENSE = "GPL-2.0-only & GPL-3.0-only & LGPL-3.0-only" + +EXCLUDE_FROM_WORLD = "1" diff --git a/poky/meta-selftest/recipes-test/license/incompatible-nonspdx-license.bb b/poky/meta-selftest/recipes-test/license/incompatible-nonspdx-license.bb index 35af0966ef..142d73158e 100644 --- a/poky/meta-selftest/recipes-test/license/incompatible-nonspdx-license.bb +++ b/poky/meta-selftest/recipes-test/license/incompatible-nonspdx-license.bb @@ -1,3 +1,5 @@ SUMMARY = "Recipe with a non-SPDX license" DESCRIPTION = "Is licensed with a non-SPDX license to be used for testing" LICENSE = "FooLicense" + +EXCLUDE_FROM_WORLD = "1" diff --git a/poky/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb b/poky/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb index cff624e2f9..d7a5a95bac 100644 --- a/poky/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb +++ b/poky/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb @@ -32,7 +32,7 @@ USERADD_PACKAGES = "${PN} ${PN}-user3" # user1 and user2: USERADD_PARAM:${PN} = "-u 1200 -d /home/user1 -r -s /bin/bash user1; -u 1201 -d /home/user2 -r -s /bin/bash user2" -# user3 will be managed in the useradd-example-user3 pacakge: +# user3 will be managed in the useradd-example-user3 package: # As an example, we use the -p option to set password ('user3') for user3 USERADD_PARAM:${PN}-user3 = "-u 1202 -d /home/user3 -r -s /bin/bash -p '\$6\$XAWr.8nc\$bUE4pYYaVb8n6BbnBitU0zeJMtfhTpFpiOBLL9zRl4e4YQo88UU4r/1kjRzmTimCy.BvDh4xoFwVqcO.pihLa1' user3" diff --git a/poky/meta/classes-recipe/cargo.bbclass b/poky/meta/classes-recipe/cargo.bbclass index 7a8cc1e751..3ef0bbbb44 100644 --- a/poky/meta/classes-recipe/cargo.bbclass +++ b/poky/meta/classes-recipe/cargo.bbclass @@ -55,7 +55,6 @@ oe_cargo_build () { do_compile[progress] = "outof:\s+(\d+)/(\d+)" cargo_do_compile () { - oe_cargo_fix_env oe_cargo_build } diff --git a/poky/meta/classes-recipe/cargo_common.bbclass b/poky/meta/classes-recipe/cargo_common.bbclass index 82ab25b59c..1ca0be471c 100644 --- a/poky/meta/classes-recipe/cargo_common.bbclass +++ b/poky/meta/classes-recipe/cargo_common.bbclass @@ -149,6 +149,10 @@ python cargo_common_do_patch_paths() { } do_configure[postfuncs] += "cargo_common_do_patch_paths" +do_compile:prepend () { + oe_cargo_fix_env +} + oe_cargo_fix_env () { export CC="${RUST_TARGET_CC}" export CXX="${RUST_TARGET_CXX}" diff --git a/poky/meta/classes-recipe/cmake.bbclass b/poky/meta/classes-recipe/cmake.bbclass index 554b948c32..2153efe5c0 100644 --- a/poky/meta/classes-recipe/cmake.bbclass +++ b/poky/meta/classes-recipe/cmake.bbclass @@ -51,17 +51,16 @@ OECMAKE_CXX_COMPILER ?= "${@oecmake_map_compiler('CXX', d)[0]}" OECMAKE_CXX_COMPILER_LAUNCHER ?= "${@oecmake_map_compiler('CXX', d)[1]}" # clear compiler vars for allarch to avoid sig hash difference -OECMAKE_C_COMPILER_allarch = "" -OECMAKE_C_COMPILER_LAUNCHER_allarch = "" -OECMAKE_CXX_COMPILER_allarch = "" -OECMAKE_CXX_COMPILER_LAUNCHER_allarch = "" +OECMAKE_C_COMPILER:allarch = "" +OECMAKE_C_COMPILER_LAUNCHER:allarch = "" +OECMAKE_CXX_COMPILER:allarch = "" +OECMAKE_CXX_COMPILER_LAUNCHER:allarch = "" OECMAKE_RPATH ?= "" OECMAKE_PERLNATIVE_DIR ??= "" OECMAKE_EXTRA_ROOT_PATH ?= "" OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM = "ONLY" -OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM:class-native = "BOTH" EXTRA_OECMAKE:append = " ${PACKAGECONFIG_CONFARGS}" diff --git a/poky/meta/classes-recipe/cml1.bbclass b/poky/meta/classes-recipe/cml1.bbclass index a09a042c3f..73c22f81d6 100644 --- a/poky/meta/classes-recipe/cml1.bbclass +++ b/poky/meta/classes-recipe/cml1.bbclass @@ -53,7 +53,7 @@ python do_menuconfig() { # ensure that environment variables are overwritten with this tasks 'd' values d.appendVar("OE_TERMINAL_EXPORTS", " PKG_CONFIG_DIR PKG_CONFIG_PATH PKG_CONFIG_LIBDIR PKG_CONFIG_SYSROOT_DIR") - oe_terminal("sh -c \"make %s; if [ \\$? -ne 0 ]; then echo 'Command failed.'; printf 'Press any key to continue... '; read r; fi\"" % d.getVar('KCONFIG_CONFIG_COMMAND'), + oe_terminal("sh -c 'make %s; if [ \\$? -ne 0 ]; then echo \"Command failed.\"; printf \"Press any key to continue... \"; read r; fi'" % d.getVar('KCONFIG_CONFIG_COMMAND'), d.getVar('PN') + ' Configuration', d) # FIXME this check can be removed when the minimum bitbake version has been bumped diff --git a/poky/meta/classes-recipe/image_types.bbclass b/poky/meta/classes-recipe/image_types.bbclass index bbddfaf272..023eb87537 100644 --- a/poky/meta/classes-recipe/image_types.bbclass +++ b/poky/meta/classes-recipe/image_types.bbclass @@ -148,10 +148,11 @@ IMAGE_CMD:cpio () { if [ ! -L ${IMAGE_ROOTFS}/init ] && [ ! -e ${IMAGE_ROOTFS}/init ]; then if [ -L ${IMAGE_ROOTFS}/sbin/init ] || [ -e ${IMAGE_ROOTFS}/sbin/init ]; then ln -sf /sbin/init ${WORKDIR}/cpio_append/init + touch -h -r ${IMAGE_ROOTFS}/sbin/init ${WORKDIR}/cpio_append/init else - touch ${WORKDIR}/cpio_append/init + touch -r ${IMAGE_ROOTFS} ${WORKDIR}/cpio_append/init fi - (cd ${WORKDIR}/cpio_append && echo ./init | cpio -oA -H newc -F ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio) + (cd ${WORKDIR}/cpio_append && echo ./init | cpio --reproducible -oA -H newc -F ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio) fi fi } diff --git a/poky/meta/classes-recipe/kernel-module-split.bbclass b/poky/meta/classes-recipe/kernel-module-split.bbclass index 50882c31a7..c1208d55e0 100644 --- a/poky/meta/classes-recipe/kernel-module-split.bbclass +++ b/poky/meta/classes-recipe/kernel-module-split.bbclass @@ -30,9 +30,8 @@ fi PACKAGE_WRITE_DEPS += "kmod-native depmodwrapper-cross" -do_install:append() { - install -d ${D}${sysconfdir}/modules-load.d/ ${D}${sysconfdir}/modprobe.d/ -} +modulesloaddir ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${nonarch_libdir}', '${sysconfdir}', d)}/modules-load.d" +modprobedir ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${nonarch_base_libdir}', '${sysconfdir}', d)}/modprobe.d" KERNEL_SPLIT_MODULES ?= "1" PACKAGESPLITFUNCS =+ "split_kernel_module_packages" @@ -73,9 +72,8 @@ python split_kernel_module_packages () { cmd = "%sobjcopy -j .modinfo -O binary %s %s" % (d.getVar("HOST_PREFIX") or "", file, tmpfile) subprocess.check_call(cmd, shell=True) # errors='replace': Some old kernel versions contain invalid utf-8 characters in mod descriptions (like 0xf6, 'ö') - f = open(tmpfile, errors='replace') - l = f.read().split("\000") - f.close() + with open(tmpfile, errors='replace') as f: + l = f.read().split("\000") os.close(tf[0]) os.unlink(tmpfile) if compressed: @@ -93,7 +91,7 @@ python split_kernel_module_packages () { dvar = d.getVar('PKGD') - # If autoloading is requested, output /etc/modules-load.d/<name>.conf and append + # If autoloading is requested, output ${modulesloaddir}/<name>.conf and append # appropriate modprobe commands to the postinst autoloadlist = (d.getVar("KERNEL_MODULE_AUTOLOAD") or "").split() autoload = d.getVar('module_autoload_%s' % basename) @@ -102,14 +100,18 @@ python split_kernel_module_packages () { if autoload and basename not in autoloadlist: bb.warn("module_autoload_%s is defined but '%s' isn't included in KERNEL_MODULE_AUTOLOAD, please add it there" % (basename, basename)) if basename in autoloadlist: - name = '%s/etc/modules-load.d/%s.conf' % (dvar, basename) - f = open(name, 'w') - if autoload: - for m in autoload.split(): - f.write('%s\n' % m) - else: - f.write('%s\n' % basename) - f.close() + conf = '%s/%s.conf' % (d.getVar('modulesloaddir'), basename) + name = '%s%s' % (dvar, conf) + os.makedirs(os.path.dirname(name), exist_ok=True) + with open(name, 'w') as f: + if autoload: + for m in autoload.split(): + f.write('%s\n' % m) + else: + f.write('%s\n' % basename) + conf2append = ' %s' % conf + d.appendVar('FILES:%s' % pkg, conf2append) + d.appendVar('CONFFILES:%s' % pkg, conf2append) postinst = d.getVar('pkg_postinst:%s' % pkg) if not postinst: bb.fatal("pkg_postinst:%s not defined" % pkg) @@ -120,21 +122,18 @@ python split_kernel_module_packages () { modconflist = (d.getVar("KERNEL_MODULE_PROBECONF") or "").split() modconf = d.getVar('module_conf_%s' % basename) if modconf and basename in modconflist: - name = '%s/etc/modprobe.d/%s.conf' % (dvar, basename) - f = open(name, 'w') - f.write("%s\n" % modconf) - f.close() + conf = '%s/%s.conf' % (d.getVar('modprobedir'), basename) + name = '%s%s' % (dvar, conf) + os.makedirs(os.path.dirname(name), exist_ok=True) + with open(name, 'w') as f: + f.write("%s\n" % modconf) + conf2append = ' %s' % conf + d.appendVar('FILES:%s' % pkg, conf2append) + d.appendVar('CONFFILES:%s' % pkg, conf2append) + elif modconf: bb.error("Please ensure module %s is listed in KERNEL_MODULE_PROBECONF since module_conf_%s is set" % (basename, basename)) - files = d.getVar('FILES:%s' % pkg) - files = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (files, basename, basename) - d.setVar('FILES:%s' % pkg, files) - - conffiles = d.getVar('CONFFILES:%s' % pkg) - conffiles = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (conffiles, basename, basename) - d.setVar('CONFFILES:%s' % pkg, conffiles) - if "description" in vals: old_desc = d.getVar('DESCRIPTION:' + pkg) or "" d.setVar('DESCRIPTION:' + pkg, old_desc + "; " + vals["description"]) @@ -169,8 +168,8 @@ python split_kernel_module_packages () { postrm = d.getVar('pkg_postrm:modules') if splitmods != '1': - etcdir = d.getVar('sysconfdir') - d.appendVar('FILES:' + metapkg, '%s/modules-load.d/ %s/modprobe.d/ %s/modules/' % (etcdir, etcdir, d.getVar("nonarch_base_libdir"))) + d.appendVar('FILES:' + metapkg, '%s %s %s/modules' % + (d.getVar('modulesloaddir'), d.getVar('modprobedir'), d.getVar("nonarch_base_libdir"))) d.appendVar('pkg_postinst:%s' % metapkg, postinst) d.prependVar('pkg_postrm:%s' % metapkg, postrm); return @@ -184,14 +183,6 @@ python split_kernel_module_packages () { modules = do_split_packages(d, root='${nonarch_base_libdir}/modules', file_regex=module_regex, output_pattern=module_pattern, description='%s kernel module', postinst=postinst, postrm=postrm, recursive=True, hook=frob_metadata, extra_depends='%s-%s' % (kernel_package_name, kernel_version)) if modules: d.appendVar('RDEPENDS:' + metapkg, ' '+' '.join(modules)) - - # If modules-load.d and modprobe.d are empty at this point, remove them to - # avoid warnings. removedirs only raises an OSError if an empty - # directory cannot be removed. - dvar = d.getVar('PKGD') - for dir in ["%s/etc/modprobe.d" % (dvar), "%s/etc/modules-load.d" % (dvar), "%s/etc" % (dvar)]: - if len(os.listdir(dir)) == 0: - os.rmdir(dir) } do_package[vardeps] += '${@" ".join(map(lambda s: "module_conf_" + s, (d.getVar("KERNEL_MODULE_PROBECONF") or "").split()))}' diff --git a/poky/meta/classes-recipe/kernel.bbclass b/poky/meta/classes-recipe/kernel.bbclass index 1e97de5696..3abd689794 100644 --- a/poky/meta/classes-recipe/kernel.bbclass +++ b/poky/meta/classes-recipe/kernel.bbclass @@ -181,13 +181,14 @@ do_unpack[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILD do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}" python do_symlink_kernsrc () { s = d.getVar("S") - if s[-1] == '/': - # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as directory name and fail - s=s[:-1] kernsrc = d.getVar("STAGING_KERNEL_DIR") if s != kernsrc: bb.utils.mkdirhier(kernsrc) bb.utils.remove(kernsrc, recurse=True) + if s[-1] == '/': + # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as + # directory name and fail + s = s[:-1] if d.getVar("EXTERNALSRC"): # With EXTERNALSRC S will not be wiped so we can symlink to it os.symlink(s, kernsrc) @@ -476,9 +477,7 @@ kernel_do_install() { install -m 0644 System.map ${D}/${KERNEL_IMAGEDEST}/System.map-${KERNEL_VERSION} install -m 0644 .config ${D}/${KERNEL_IMAGEDEST}/config-${KERNEL_VERSION} install -m 0644 vmlinux ${D}/${KERNEL_IMAGEDEST}/vmlinux-${KERNEL_VERSION} - [ -e Module.symvers ] && install -m 0644 Module.symvers ${D}/${KERNEL_IMAGEDEST}/Module.symvers-${KERNEL_VERSION} - install -d ${D}${sysconfdir}/modules-load.d - install -d ${D}${sysconfdir}/modprobe.d + ! [ -e Module.symvers ] || install -m 0644 Module.symvers ${D}/${KERNEL_IMAGEDEST}/Module.symvers-${KERNEL_VERSION} } # Must be ran no earlier than after do_kernel_checkout or else Makefile won't be in ${S}/Makefile @@ -546,7 +545,7 @@ do_shared_workdir () { # Copy files required for module builds cp System.map $kerneldir/System.map-${KERNEL_VERSION} - [ -e Module.symvers ] && cp Module.symvers $kerneldir/ + ! [ -e Module.symvers ] || cp Module.symvers $kerneldir/ cp .config $kerneldir/ mkdir -p $kerneldir/include/config cp include/config/kernel.release $kerneldir/include/config/kernel.release diff --git a/poky/meta/classes-recipe/meson.bbclass b/poky/meta/classes-recipe/meson.bbclass index 48688bed75..7f5e9b1943 100644 --- a/poky/meta/classes-recipe/meson.bbclass +++ b/poky/meta/classes-recipe/meson.bbclass @@ -111,6 +111,7 @@ nm = ${@meson_array('BUILD_NM', d)} strip = ${@meson_array('BUILD_STRIP', d)} readelf = ${@meson_array('BUILD_READELF', d)} objcopy = ${@meson_array('BUILD_OBJCOPY', d)} +llvm-config = '${STAGING_BINDIR_NATIVE}/llvm-config' pkgconfig = 'pkg-config-native' ${@rust_tool(d, "BUILD_SYS")} diff --git a/poky/meta/classes-recipe/rootfs_rpm.bbclass b/poky/meta/classes-recipe/rootfs_rpm.bbclass index 6eccd5a959..55f1cc92ca 100644 --- a/poky/meta/classes-recipe/rootfs_rpm.bbclass +++ b/poky/meta/classes-recipe/rootfs_rpm.bbclass @@ -20,11 +20,9 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = "${@bb.utils.contains("PACKAGE_INSTALL", "dnf" # Dnf is python based, so be sure python3-native is available to us. EXTRANATIVEPATH += "python3-native" -# opkg is needed for update-alternatives RPMROOTFSDEPENDS = "rpm-native:do_populate_sysroot \ dnf-native:do_populate_sysroot \ - createrepo-c-native:do_populate_sysroot \ - opkg-native:do_populate_sysroot" + createrepo-c-native:do_populate_sysroot" do_rootfs[depends] += "${RPMROOTFSDEPENDS}" do_populate_sdk[depends] += "${RPMROOTFSDEPENDS}" diff --git a/poky/meta/classes-recipe/rust-common.bbclass b/poky/meta/classes-recipe/rust-common.bbclass index e0cedd7aa2..878272721c 100644 --- a/poky/meta/classes-recipe/rust-common.bbclass +++ b/poky/meta/classes-recipe/rust-common.bbclass @@ -158,6 +158,10 @@ WRAPPER_TARGET_CXX = "${CXX}" WRAPPER_TARGET_CCLD = "${CCLD}" WRAPPER_TARGET_LDFLAGS = "${LDFLAGS}" WRAPPER_TARGET_EXTRALD = "" +# see recipes-devtools/gcc/gcc/0018-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch +# we need to link with ssp_nonshared on musl to avoid "undefined reference to `__stack_chk_fail_local'" +# when building MACHINE=qemux86 for musl +WRAPPER_TARGET_EXTRALD:libc-musl = "-lssp_nonshared" WRAPPER_TARGET_AR = "${AR}" # compiler is used by gcc-rs diff --git a/poky/meta/classes-recipe/testexport.bbclass b/poky/meta/classes-recipe/testexport.bbclass index 0f0c56107f..572f5d9e76 100644 --- a/poky/meta/classes-recipe/testexport.bbclass +++ b/poky/meta/classes-recipe/testexport.bbclass @@ -61,16 +61,12 @@ def testexport_main(d): d.getVar("TEST_TARGET"), None, d.getVar("TEST_TARGET_IP"), d.getVar("TEST_SERVER_IP")) - host_dumper = OERuntimeTestContextExecutor.getHostDumper( - d.getVar("testimage_dump_host"), d.getVar("TESTIMAGE_DUMP_DIR")) - image_manifest = "%s.manifest" % image_name image_packages = OERuntimeTestContextExecutor.readPackagesManifest(image_manifest) extract_dir = d.getVar("TEST_EXTRACTED_DIR") - tc = OERuntimeTestContext(td, logger, target, host_dumper, - image_packages, extract_dir) + tc = OERuntimeTestContext(td, logger, target, image_packages, extract_dir) copy_needed_files(d, tc) diff --git a/poky/meta/classes-recipe/testimage.bbclass b/poky/meta/classes-recipe/testimage.bbclass index b48cd96575..cc3650ad42 100644 --- a/poky/meta/classes-recipe/testimage.bbclass +++ b/poky/meta/classes-recipe/testimage.bbclass @@ -115,18 +115,6 @@ testimage_dump_target () { find /var/log/ -type f 2>/dev/null -exec echo "====================" \; -exec echo {} \; -exec echo "====================" \; -exec cat {} \; -exec echo "" \; } -testimage_dump_host () { - top -bn1 - iostat -x -z -N -d -p ALL 20 2 - ps -ef - free - df - memstat - dmesg - ip -s link - netstat -an -} - testimage_dump_monitor () { query-status query-block @@ -339,19 +327,13 @@ def testimage_main(d): # runtime use network for download projects for build export_proxies(d) - # we need the host dumper in test context - host_dumper = OERuntimeTestContextExecutor.getHostDumper( - d.getVar("testimage_dump_host"), - d.getVar("TESTIMAGE_DUMP_DIR")) - # the robot dance target = OERuntimeTestContextExecutor.getTarget( d.getVar("TEST_TARGET"), logger, d.getVar("TEST_TARGET_IP"), d.getVar("TEST_SERVER_IP"), **target_kwargs) # test context - tc = OERuntimeTestContext(td, logger, target, host_dumper, - image_packages, extract_dir) + tc = OERuntimeTestContext(td, logger, target, image_packages, extract_dir) # Load tests before starting the target test_paths = get_runtime_paths(d) diff --git a/poky/meta/classes-recipe/uboot-extlinux-config.bbclass b/poky/meta/classes-recipe/uboot-extlinux-config.bbclass index 86a7d30ca0..653e583663 100644 --- a/poky/meta/classes-recipe/uboot-extlinux-config.bbclass +++ b/poky/meta/classes-recipe/uboot-extlinux-config.bbclass @@ -33,11 +33,11 @@ # UBOOT_EXTLINUX_DEFAULT_LABEL ??= "Linux Default" # UBOOT_EXTLINUX_TIMEOUT ??= "30" # -# UBOOT_EXTLINUX_KERNEL_IMAGE_default ??= "../zImage" -# UBOOT_EXTLINUX_MENU_DESCRIPTION_default ??= "Linux Default" +# UBOOT_EXTLINUX_KERNEL_IMAGE:default ??= "../zImage" +# UBOOT_EXTLINUX_MENU_DESCRIPTION:default ??= "Linux Default" # -# UBOOT_EXTLINUX_KERNEL_IMAGE_fallback ??= "../zImage-fallback" -# UBOOT_EXTLINUX_MENU_DESCRIPTION_fallback ??= "Linux Fallback" +# UBOOT_EXTLINUX_KERNEL_IMAGE:fallback ??= "../zImage-fallback" +# UBOOT_EXTLINUX_MENU_DESCRIPTION:fallback ??= "Linux Fallback" # # Results: # diff --git a/poky/meta/classes/externalsrc.bbclass b/poky/meta/classes/externalsrc.bbclass index b00fdba8e9..aedd78a03a 100644 --- a/poky/meta/classes/externalsrc.bbclass +++ b/poky/meta/classes/externalsrc.bbclass @@ -75,6 +75,8 @@ python () { # Dummy value because the default function can't be called with blank SRC_URI d.setVar('SRCPV', '999') + # sstate is never going to work for external source trees, disable it + d.setVar('SSTATE_SKIP_CREATION', '1') if d.getVar('CONFIGUREOPT_DEPTRACK') == '--disable-dependency-tracking': d.setVar('CONFIGUREOPT_DEPTRACK', '') @@ -82,10 +84,7 @@ python () { tasks = filter(lambda k: d.getVarFlag(k, "task"), d.keys()) for task in tasks: - if task.endswith("_setscene"): - # sstate is never going to work for external source trees, disable it - bb.build.deltask(task, d) - elif os.path.realpath(d.getVar('S')) == os.path.realpath(d.getVar('B')): + if os.path.realpath(d.getVar('S')) == os.path.realpath(d.getVar('B')): # Since configure will likely touch ${S}, ensure only we lock so one task has access at a time d.appendVarFlag(task, "lockfiles", " ${S}/singletask.lock") diff --git a/poky/meta/classes/useradd-staticids.bbclass b/poky/meta/classes/useradd-staticids.bbclass index abe484eb46..1dbcba2bf1 100644 --- a/poky/meta/classes/useradd-staticids.bbclass +++ b/poky/meta/classes/useradd-staticids.bbclass @@ -47,7 +47,7 @@ def update_useradd_static_config(d): def handle_missing_id(id, type, pkg, files, var, value): # For backwards compatibility we accept "1" in addition to "error" error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC') - msg = "%s - %s: %sname %s does not have a static ID defined." % (d.getVar('PN'), pkg, type, id) + msg = 'Recipe %s, package %s: %sname "%s" does not have a static ID defined.' % (d.getVar('PN'), pkg, type, id) if files: msg += " Add %s to one of these files: %s" % (id, files) else: diff --git a/poky/meta/conf/bitbake.conf b/poky/meta/conf/bitbake.conf index 52ef64b50a..f679a49eb0 100644 --- a/poky/meta/conf/bitbake.conf +++ b/poky/meta/conf/bitbake.conf @@ -529,7 +529,7 @@ HOSTTOOLS += " \ python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \ sha1sum sha224sum sha256sum sha384sum sha512sum \ sleep sort split stat strings strip tail tar tee test touch tr true uname \ - uniq wc wget which xargs zstd \ + uniq unzstd wc wget which xargs zstd \ " # Tools needed to run testimage runtime image testing diff --git a/poky/meta/conf/distro/include/maintainers.inc b/poky/meta/conf/distro/include/maintainers.inc index b4ce618ca0..784a4647e3 100644 --- a/poky/meta/conf/distro/include/maintainers.inc +++ b/poky/meta/conf/distro/include/maintainers.inc @@ -41,7 +41,7 @@ RECIPE_MAINTAINER:pn-alsa-utils = "Michael Opdenacker <michael.opdenacker@bootli RECIPE_MAINTAINER:pn-apmd = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-apr = "Hongxu Jia <hongxu.jia@windriver.com>" RECIPE_MAINTAINER:pn-apr-util = "Hongxu Jia <hongxu.jia@windriver.com>" -RECIPE_MAINTAINER:pn-apt = "Aníbal Limón <limon.anibal@gmail.com>" +RECIPE_MAINTAINER:pn-apt = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-argp-standalone = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-asciidoc = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-aspell = "Anuj Mittal <anuj.mittal@intel.com>" @@ -60,7 +60,7 @@ RECIPE_MAINTAINER:pn-base-passwd = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-bash = "Hongxu Jia <hongxu.jia@windriver.com>" RECIPE_MAINTAINER:pn-bash-completion = "Alexander Kanavin <alex.kanavin@gmail.com>" RECIPE_MAINTAINER:pn-bc = "Anuj Mittal <anuj.mittal@intel.com>" -RECIPE_MAINTAINER:pn-bind = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-bind = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-binutils = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-binutils-cross-${TARGET_ARCH} = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Khem Raj <raj.khem@gmail.com>" @@ -83,7 +83,7 @@ RECIPE_MAINTAINER:pn-buildtools-extended-tarball = "Richard Purdie <richard.purd RECIPE_MAINTAINER:pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" RECIPE_MAINTAINER:pn-buildtools-docs-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" RECIPE_MAINTAINER:pn-buildtools-make-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" -RECIPE_MAINTAINER:pn-busybox = "Andrej Valek <andrej.valek@siemens.com>" +RECIPE_MAINTAINER:pn-busybox = "Andrej Valek <andrej.v@skyrain.eu>" RECIPE_MAINTAINER:pn-busybox-inittab = "Denys Dmytriyenko <denis@denix.org>" RECIPE_MAINTAINER:pn-bzip2 = "Denys Dmytriyenko <denis@denix.org>" RECIPE_MAINTAINER:pn-ca-certificates = "Alexander Kanavin <alex.kanavin@gmail.com>" @@ -93,8 +93,8 @@ RECIPE_MAINTAINER:pn-cantarell-fonts = "Alexander Kanavin <alex.kanavin@gmail.co RECIPE_MAINTAINER:pn-ccache = "Robert Yang <liezhi.yang@windriver.com>" RECIPE_MAINTAINER:pn-cdrtools-native = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-chrpath = "Yi Zhao <yi.zhao@windriver.com>" -RECIPE_MAINTAINER:pn-cmake = "Pascal Bach <pascal.bach@siemens.com>" -RECIPE_MAINTAINER:pn-cmake-native = "Pascal Bach <pascal.bach@siemens.com>" +RECIPE_MAINTAINER:pn-cmake = "Unassigned <unassigned@yoctoproject.org>" +RECIPE_MAINTAINER:pn-cmake-native = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-connman = "Changhyeok Bae <changhyeok.bae@gmail.com>" RECIPE_MAINTAINER:pn-connman-conf = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-connman-gnome = "Ross Burton <ross.burton@arm.com>" @@ -152,7 +152,7 @@ RECIPE_MAINTAINER:pn-docbook-xml-dtd4 = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-docbook-xsl-stylesheets = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-dos2unix = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-dosfstools = "Yi Zhao <yi.zhao@windriver.com>" -RECIPE_MAINTAINER:pn-dpkg = "Aníbal Limón <limon.anibal@gmail.com>" +RECIPE_MAINTAINER:pn-dpkg = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-dropbear = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-dtc = "Wang Mingyu <wangmy@fujitsu.com>" RECIPE_MAINTAINER:pn-dwarfsrcfiles = "Alexander Kanavin <alex.kanavin@gmail.com>" @@ -165,7 +165,7 @@ RECIPE_MAINTAINER:pn-ell = "Zang Ruochen <zangruochen@loongson.cn>" RECIPE_MAINTAINER:pn-enchant2 = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-encodings = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-epiphany = "Alexander Kanavin <alex.kanavin@gmail.com>" -RECIPE_MAINTAINER:pn-erofs-utils = "Richard Weinberger <richard@nod.at>" +RECIPE_MAINTAINER:pn-erofs-utils = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-ethtool = "Changhyeok Bae <changhyeok.bae@gmail.com>" RECIPE_MAINTAINER:pn-eudev = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-expat = "Yi Zhao <yi.zhao@windriver.com>" @@ -189,7 +189,7 @@ RECIPE_MAINTAINER:pn-gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Khem Raj <r RECIPE_MAINTAINER:pn-gcc-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-gcc-runtime = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-gcc-sanitizers = "Khem Raj <raj.khem@gmail.com>" -RECIPE_MAINTAINER:pn-gcc-source-12.2.0 = "Khem Raj <raj.khem@gmail.com>" +RECIPE_MAINTAINER:pn-gcc-source-12.3.0 = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-gconf = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-gcr3 = "Markus Volk <f_l_k@t-online.de>" RECIPE_MAINTAINER:pn-gcr = "Alexander Kanavin <alex.kanavin@gmail.com>" @@ -288,7 +288,7 @@ RECIPE_MAINTAINER:pn-iproute2 = "Changhyeok Bae <changhyeok.bae@gmail.com>" RECIPE_MAINTAINER:pn-iptables = "Changhyeok Bae <changhyeok.bae@gmail.com>" RECIPE_MAINTAINER:pn-iputils = "Changhyeok Bae <changhyeok.bae@gmail.com>" RECIPE_MAINTAINER:pn-iso-codes = "Wang Mingyu <wangmy@cn.fujitsu.com>" -RECIPE_MAINTAINER:pn-itstool = "Andreas Müller <schnitzeltony@gmail.com>" +RECIPE_MAINTAINER:pn-itstool = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-iw = "Changhyeok Bae <changhyeok.bae@gmail.com>" RECIPE_MAINTAINER:pn-libjpeg-turbo = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-json-c = "Yi Zhao <yi.zhao@windriver.com>" @@ -301,7 +301,7 @@ RECIPE_MAINTAINER:pn-kernel-devsrc = "Bruce Ashfield <bruce.ashfield@gmail.com>" RECIPE_MAINTAINER:pn-kexec-tools = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-keymaps = "Alexander Kanavin <alex.kanavin@gmail.com>" RECIPE_MAINTAINER:pn-kmod = "Chen Qi <Qi.Chen@windriver.com>" -RECIPE_MAINTAINER:pn-kmscube = "Carlos Rafael Giani <dv@pseudoterminal.org>" +RECIPE_MAINTAINER:pn-kmscube = "Carlos Rafael Giani <crg7475@mailbox.org>" RECIPE_MAINTAINER:pn-l3afpad = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-lame = "Michael Opdenacker <michael.opdenacker@bootlin.com>" RECIPE_MAINTAINER:pn-ldconfig-native = "Khem Raj <raj.khem@gmail.com>" @@ -313,7 +313,7 @@ RECIPE_MAINTAINER:pn-libarchive = "Otavio Salvador <otavio.salvador@ossystems.co RECIPE_MAINTAINER:pn-libassuan = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libatomic-ops = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-libbsd = "Yi Zhao <yi.zhao@windriver.com>" -RECIPE_MAINTAINER:pn-libc-test = "Chase Qi <chase.qi@linaro.org>" +RECIPE_MAINTAINER:pn-libc-test = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libcap = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-libcap-ng = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-libcap-ng-python = "Yi Zhao <yi.zhao@windriver.com>" @@ -415,7 +415,7 @@ RECIPE_MAINTAINER:pn-liburcu = "Wang Mingyu <wangmy@fujitsu.com>" RECIPE_MAINTAINER:pn-liburi-perl = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-libusb1 = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-libubootenv = "Stefano Babic <sbabic@denx.de>" -RECIPE_MAINTAINER:pn-libuv = "Armin Kuster <akuster@mvista.com>" +RECIPE_MAINTAINER:pn-libuv = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libva = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-libva-initial = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-libva-utils = "Anuj Mittal <anuj.mittal@intel.com>" @@ -426,7 +426,7 @@ RECIPE_MAINTAINER:pn-libx11 = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libx11-compose-data = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libxau = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libxcb = "Unassigned <unassigned@yoctoproject.org>" -RECIPE_MAINTAINER:pn-libxcvt = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-libxcvt = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libxcomposite = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libxcursor = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-libxcrypt = "Khem Raj <raj.khem@gmail.com>" @@ -555,7 +555,7 @@ RECIPE_MAINTAINER:pn-npth = "Alexander Kanavin <alex.kanavin@gmail.com>" RECIPE_MAINTAINER:pn-nss-myhostname = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-numactl = "Richard Purdie <richard.purdie@linuxfoundation.org>" RECIPE_MAINTAINER:pn-ofono = "Ross Burton <ross.burton@arm.com>" -RECIPE_MAINTAINER:pn-opensbi = "Alistair Francis <alistair.francis@wdc.com>" +RECIPE_MAINTAINER:pn-opensbi = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-openssh = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-openssl = "Alexander Kanavin <alex.kanavin@gmail.com>" RECIPE_MAINTAINER:pn-opkg = "Alex Stewart <alex.stewart@ni.com>" @@ -564,8 +564,8 @@ RECIPE_MAINTAINER:pn-opkg-keyrings = "Alex Stewart <alex.stewart@ni.com>" RECIPE_MAINTAINER:pn-opkg-utils = "Alex Stewart <alex.stewart@ni.com>" RECIPE_MAINTAINER:pn-orc = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-os-release = "Ross Burton <ross.burton@arm.com>" -RECIPE_MAINTAINER:pn-ovmf = "Ricardo Neri <ricardo.neri-calderon@linux.intel.com>" -RECIPE_MAINTAINER:pn-ovmf-shell-image = "Ricardo Neri <ricardo.neri-calderon@linux.intel.com>" +RECIPE_MAINTAINER:pn-ovmf = "Unassigned <unassigned@yoctoproject.org>" +RECIPE_MAINTAINER:pn-ovmf-shell-image = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-p11-kit = "Alexander Kanavin <alex.kanavin@gmail.com>" RECIPE_MAINTAINER:pn-package-index = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-pango = "Ross Burton <ross.burton@arm.com>" @@ -599,7 +599,7 @@ RECIPE_MAINTAINER:pn-ptest-runner = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-pulseaudio = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-pulseaudio-client-conf-sato = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-puzzles = "Anuj Mittal <anuj.mittal@intel.com>" -RECIPE_MAINTAINER:pn-python3 = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3 = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-alabaster = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-async = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" RECIPE_MAINTAINER:pn-python3-asn1crypto = "Tim Orling <tim.orling@konsulko.com>" @@ -613,20 +613,20 @@ RECIPE_MAINTAINER:pn-python3-cffi = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-chardet = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-cryptography = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-cryptography-vectors = "Tim Orling <tim.orling@konsulko.com>" -RECIPE_MAINTAINER:pn-python3-cython = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-cython = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-dbus = "Zang Ruochen <zangruochen@loongson.cn>" -RECIPE_MAINTAINER:pn-python3-dbusmock = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" -RECIPE_MAINTAINER:pn-python3-docutils = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-dbusmock = "Unassigned <unassigned@yoctoproject.org>" +RECIPE_MAINTAINER:pn-python3-docutils = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-dtschema = "Bruce Ashfield <bruce.ashfield@gmail.com>" RECIPE_MAINTAINER:pn-python3-dtschema-wrapper = "Bruce Ashfield <bruce.ashfield@gmail.com>" RECIPE_MAINTAINER:pn-python3-editables = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-python3-pycryptodome = "Joshua Watt <JPEWhacker@gmail.com>" RECIPE_MAINTAINER:pn-python3-pycryptodomex = "Joshua Watt <JPEWhacker@gmail.com>" RECIPE_MAINTAINER:pn-python3-pyrsistent = "Bruce Ashfield <bruce.ashfield@gmail.com>" -RECIPE_MAINTAINER:pn-python3-extras = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-extras = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-flit-core = "Tim Orling <tim.orling@konsulko.com>" -RECIPE_MAINTAINER:pn-python3-git = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" -RECIPE_MAINTAINER:pn-python3-gitdb = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-git = "Unassigned <unassigned@yoctoproject.org>" +RECIPE_MAINTAINER:pn-python3-gitdb = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-hatchling = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-python3-hatch-fancy-pypi-readme = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-python3-hatch-vcs = "Ross Burton <ross.burton@arm.com>" @@ -635,7 +635,7 @@ RECIPE_MAINTAINER:pn-python3-idna = "Bruce Ashfield <bruce.ashfield@gmail.com>" RECIPE_MAINTAINER:pn-python3-imagesize = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-importlib-metadata = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-iniconfig = "Tim Orling <tim.orling@konsulko.com>" -RECIPE_MAINTAINER:pn-python3-iniparse = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-iniparse = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-iso8601 = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-installer = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-python3-jinja2 = "Richard Purdie <richard.purdie@linuxfoundation.org>" @@ -644,12 +644,12 @@ RECIPE_MAINTAINER:pn-python3-jsonschema = "Bruce Ashfield <bruce.ashfield@gmail. RECIPE_MAINTAINER:pn-python3-libarchive-c = "Joshua Watt <JPEWhacker@gmail.com>" RECIPE_MAINTAINER:pn-python3-lxml = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-python3-magic = "Joshua Watt <JPEWhacker@gmail.com>" -RECIPE_MAINTAINER:pn-python3-mako = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-mako = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-markdown = "Alexander Kanavin <alex.kanavin@gmail.com>" RECIPE_MAINTAINER:pn-python3-markupsafe = "Richard Purdie <richard.purdie@linuxfoundation.org>" RECIPE_MAINTAINER:pn-python3-more-itertools = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-ndg-httpsclient = "Tim Orling <tim.orling@konsulko.com>" -RECIPE_MAINTAINER:pn-python3-numpy = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-numpy = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-packaging = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-pathlib2 = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-pathspec = "Ross Burton <ross.burton@arm.com>" @@ -665,10 +665,10 @@ RECIPE_MAINTAINER:pn-python3-pyasn1 = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-pycairo = "Zang Ruochen <zangruochen@loongson.cn>" RECIPE_MAINTAINER:pn-python3-pycparser = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-pyelftools = "Joshua Watt <JPEWhacker@gmail.com>" -RECIPE_MAINTAINER:pn-python3-pygments = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-pygments = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-pygobject = "Zang Ruochen <zangruochen@loongson.cn>" RECIPE_MAINTAINER:pn-python3-pyopenssl = "Tim Orling <tim.orling@konsulko.com>" -RECIPE_MAINTAINER:pn-python3-pyparsing = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-pyparsing = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-pyproject-hooks = "Ross Burton <ross.burton@arm.com>" RECIPE_MAINTAINER:pn-python3-pysocks = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-pytest = "Tim Orling <tim.orling@konsulko.com>" @@ -683,12 +683,12 @@ RECIPE_MAINTAINER:pn-python3-rfc3987 = "Bruce Ashfield <bruce.ashfield@gmail.com RECIPE_MAINTAINER:pn-python3-ruamel-yaml = "Bruce Ashfield <bruce.ashfield@gmail.com>" RECIPE_MAINTAINER:pn-python3-scons = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-semantic-version = "Tim Orling <tim.orling@konsulko.com>" -RECIPE_MAINTAINER:pn-python3-setuptools = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-setuptools = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-setuptools-rust = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-setuptools-scm = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-six = "Zang Ruochen <zangruochen@loongson.cn>" RECIPE_MAINTAINER:pn-python3-smartypants = "Alexander Kanavin <alex.kanavin@gmail.com>" -RECIPE_MAINTAINER:pn-python3-smmap = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-smmap = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-snowballstemmer = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-sortedcontainers = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-sphinx = "Tim Orling <tim.orling@konsulko.com>" @@ -699,8 +699,8 @@ RECIPE_MAINTAINER:pn-python3-sphinxcontrib-serializinghtml = "Tim Orling <tim.or RECIPE_MAINTAINER:pn-python3-sphinxcontrib-jsmath = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-sphinxcontrib-applehelp = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-sphinx-rtd-theme = "Tim Orling <tim.orling@konsulko.com>" -RECIPE_MAINTAINER:pn-python3-subunit = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" -RECIPE_MAINTAINER:pn-python3-testtools = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" +RECIPE_MAINTAINER:pn-python3-subunit = "Unassigned <unassigned@yoctoproject.org>" +RECIPE_MAINTAINER:pn-python3-testtools = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-python3-toml = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-tomli = "Tim Orling <tim.orling@konsulko.com>" RECIPE_MAINTAINER:pn-python3-typing-extensions = "Tim Orling <tim.orling@konsulko.com>" @@ -838,7 +838,7 @@ RECIPE_MAINTAINER:pn-weston-init = "Denys Dmytriyenko <denis@denix.org>" RECIPE_MAINTAINER:pn-wget = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-which = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-wic-tools = "Anuj Mittal <anuj.mittal@intel.com>" -RECIPE_MAINTAINER:pn-wireless-regdb = "Adrian Bunk <bunk@kernel.org>" +RECIPE_MAINTAINER:pn-wireless-regdb = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-wpa-supplicant = "Changhyeok Bae <changhyeok.bae@gmail.com>" RECIPE_MAINTAINER:pn-wpebackend-fdo = "Alexander Kanavin <alex.kanavin@gmail.com>" RECIPE_MAINTAINER:pn-x11perf = "Unassigned <unassigned@yoctoproject.org>" diff --git a/poky/meta/conf/distro/include/ptest-packagelists.inc b/poky/meta/conf/distro/include/ptest-packagelists.inc index 003348906a..674801d8b8 100644 --- a/poky/meta/conf/distro/include/ptest-packagelists.inc +++ b/poky/meta/conf/distro/include/ptest-packagelists.inc @@ -96,6 +96,7 @@ PTESTS_SLOW = "\ libgcrypt \ libmodule-build-perl \ lttng-tools \ + mdadm \ openssh \ openssl \ parted \ @@ -119,7 +120,6 @@ PTESTS_PROBLEMS:append:x86 = " valgrind" # rt-tests \ # Needs to be checked whether it runs at all # bash \ # Test outcomes are non-deterministic by design # ifupdown \ # Tested separately in lib/oeqa/selftest/cases/imagefeatures.py -# mdadm \ # Tests rely on non-deterministic sleep() amounts # libinput \ # Tests need an unloaded system to be reliable # libpam \ # Needs pam DISTRO_FEATURE # numactl \ # qemu not (yet) configured for numa; all tests are skipped @@ -132,7 +132,6 @@ PTESTS_PROBLEMS = "\ rt-tests \ bash \ ifupdown \ - mdadm \ libinput \ libpam \ libseccomp \ diff --git a/poky/meta/conf/distro/include/yocto-uninative.inc b/poky/meta/conf/distro/include/yocto-uninative.inc index ad4816a1f3..eaa3e9b31c 100644 --- a/poky/meta/conf/distro/include/yocto-uninative.inc +++ b/poky/meta/conf/distro/include/yocto-uninative.inc @@ -6,10 +6,10 @@ # to the distro running on the build machine. # -UNINATIVE_MAXGLIBCVERSION = "2.37" -UNINATIVE_VERSION = "4.0" +UNINATIVE_MAXGLIBCVERSION = "2.38" +UNINATIVE_VERSION = "4.3" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "7baa8418a302df52e00916193b0a04f318356d9d2670c9a2bce3e966efefd738" -UNINATIVE_CHECKSUM[i686] ?= "83114d36883d43a521e280742b9849bf85d039b2f83d8e21d480659babe75ee8" -UNINATIVE_CHECKSUM[x86_64] ?= "fd75b2a1a67a10f6b7d65afb7d0f3e71a63b0038e428f34dfe420bb37716558a" +UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec" +UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd" +UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030" diff --git a/poky/meta/conf/layer.conf b/poky/meta/conf/layer.conf index 948ded667e..2cc7ed8415 100644 --- a/poky/meta/conf/layer.conf +++ b/poky/meta/conf/layer.conf @@ -69,6 +69,7 @@ SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ initramfs-module-install->grub \ initramfs-module-install->parted \ initramfs-module-install->util-linux \ + initramfs-module-setup-live->udev-extraconf \ grub-efi->grub-bootconf \ liberation-fonts->fontconfig \ cantarell-fonts->fontconfig \ diff --git a/poky/meta/conf/machine/include/arm/arch-arm64.inc b/poky/meta/conf/machine/include/arm/arch-arm64.inc index 0e2efb5a40..832d0000ac 100644 --- a/poky/meta/conf/machine/include/arm/arch-arm64.inc +++ b/poky/meta/conf/machine/include/arm/arch-arm64.inc @@ -37,3 +37,8 @@ TUNE_ARCH = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', '${TUNE_ARCH_64}', TUNE_PKGARCH = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', '${TUNE_PKGARCH_64}', '${TUNE_PKGARCH_32}', d)}" ABIEXTENSION = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', '${ABIEXTENSION_64}', '${ABIEXTENSION_32}', d)}" TARGET_FPU = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', '${TARGET_FPU_64}', '${TARGET_FPU_32}', d)}" + +# Emit branch protection (PAC/BTI) instructions. On hardware that doesn't +# support these they're meaningless NOP instructions, so there's very little +# reason not to. +TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', ' -mbranch-protection=standard', '', d)}" diff --git a/poky/meta/conf/multilib.conf b/poky/meta/conf/multilib.conf index 7f3b9463ef..ef3605a73d 100644 --- a/poky/meta/conf/multilib.conf +++ b/poky/meta/conf/multilib.conf @@ -2,6 +2,7 @@ baselib = "${@d.getVar('BASE_LIB:tune-' + (d.getVar('DEFAULTTUNE') or 'INVALID')) or d.getVar('BASELIB')}" MULTILIB_VARIANTS = "${@extend_variants(d,'MULTILIBS','multilib')}" +MULTILIB_VARIANTS[vardeps] += "MULTILIBS" MULTILIB_SAVE_VARNAME = "DEFAULTTUNE TARGET_ARCH TARGET_SYS TARGET_VENDOR" MULTILIBS ??= "multilib:lib32" diff --git a/poky/meta/lib/oe/npm_registry.py b/poky/meta/lib/oe/npm_registry.py index db581e280e..d97ced7cda 100644 --- a/poky/meta/lib/oe/npm_registry.py +++ b/poky/meta/lib/oe/npm_registry.py @@ -11,7 +11,7 @@ import subprocess _ALWAYS_SAFE = frozenset('ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' '0123456789' - '_.-~') + '_.-~()') MISSING_OK = object() diff --git a/poky/meta/lib/oe/package_manager/__init__.py b/poky/meta/lib/oe/package_manager/__init__.py index 0c313190cf..6774cdb794 100644 --- a/poky/meta/lib/oe/package_manager/__init__.py +++ b/poky/meta/lib/oe/package_manager/__init__.py @@ -470,7 +470,10 @@ def create_packages_dir(d, subrepo_dir, deploydir, taskname, filterbydependencie # Detect bitbake -b usage nodeps = d.getVar("BB_LIMITEDDEPS") or False if nodeps or not filterbydependencies: - oe.path.symlink(deploydir, subrepo_dir, True) + for arch in d.getVar("ALL_MULTILIB_PACKAGE_ARCHS").split() + d.getVar("ALL_MULTILIB_PACKAGE_ARCHS").replace("-", "_").split(): + target = os.path.join(deploydir + "/" + arch) + if os.path.exists(target): + oe.path.symlink(target, subrepo_dir + "/" + arch, True) return start = None diff --git a/poky/meta/lib/oe/package_manager/rpm/rootfs.py b/poky/meta/lib/oe/package_manager/rpm/rootfs.py index d4c415f68c..3ba5396320 100644 --- a/poky/meta/lib/oe/package_manager/rpm/rootfs.py +++ b/poky/meta/lib/oe/package_manager/rpm/rootfs.py @@ -110,7 +110,7 @@ class PkgRootfs(Rootfs): if self.progress_reporter: self.progress_reporter.next_stage() - self._setup_dbg_rootfs(['/etc', '/var/lib/rpm', '/var/cache/dnf', '/var/lib/dnf']) + self._setup_dbg_rootfs(['/etc/rpm', '/etc/rpmrc', '/etc/dnf', '/var/lib/rpm', '/var/cache/dnf', '/var/lib/dnf']) execute_pre_post_process(self.d, rpm_post_process_cmds) diff --git a/poky/meta/lib/oe/package_manager/rpm/sdk.py b/poky/meta/lib/oe/package_manager/rpm/sdk.py index 0726a18b91..85df6e949c 100644 --- a/poky/meta/lib/oe/package_manager/rpm/sdk.py +++ b/poky/meta/lib/oe/package_manager/rpm/sdk.py @@ -112,5 +112,6 @@ class PkgSdk(Sdk): for f in glob.glob(os.path.join(self.sdk_output, "etc", "rpm*")): self.movefile(f, native_sysconf_dir) for f in glob.glob(os.path.join(self.sdk_output, "etc", "dnf", "*")): - self.movefile(f, native_sysconf_dir) + self.mkdirhier(native_sysconf_dir + "/dnf") + self.movefile(f, native_sysconf_dir + "/dnf") self.remove(os.path.join(self.sdk_output, "etc"), True) diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py index 890ba5f039..1a48ed10b3 100644 --- a/poky/meta/lib/oe/rootfs.py +++ b/poky/meta/lib/oe/rootfs.py @@ -106,7 +106,7 @@ class Rootfs(object, metaclass=ABCMeta): def _cleanup(self): pass - def _setup_dbg_rootfs(self, dirs): + def _setup_dbg_rootfs(self, package_paths): gen_debugfs = self.d.getVar('IMAGE_GEN_DEBUGFS') or '0' if gen_debugfs != '1': return @@ -122,11 +122,12 @@ class Rootfs(object, metaclass=ABCMeta): bb.utils.mkdirhier(self.image_rootfs) bb.note(" Copying back package database...") - for dir in dirs: - if not os.path.isdir(self.image_rootfs + '-orig' + dir): - continue - bb.utils.mkdirhier(self.image_rootfs + os.path.dirname(dir)) - shutil.copytree(self.image_rootfs + '-orig' + dir, self.image_rootfs + dir, symlinks=True) + for path in package_paths: + bb.utils.mkdirhier(self.image_rootfs + os.path.dirname(path)) + if os.path.isdir(self.image_rootfs + '-orig' + path): + shutil.copytree(self.image_rootfs + '-orig' + path, self.image_rootfs + path, symlinks=True) + elif os.path.isfile(self.image_rootfs + '-orig' + path): + shutil.copyfile(self.image_rootfs + '-orig' + path, self.image_rootfs + path) # Copy files located in /usr/lib/debug or /usr/src/debug for dir in ["/usr/lib/debug", "/usr/src/debug"]: @@ -162,6 +163,13 @@ class Rootfs(object, metaclass=ABCMeta): bb.note(" Install extra debug packages...") self.pm.install(extra_debug_pkgs.split(), True) + bb.note(" Removing package database...") + for path in package_paths: + if os.path.isdir(self.image_rootfs + path): + shutil.rmtree(self.image_rootfs + path) + elif os.path.isfile(self.image_rootfs + path): + os.remove(self.image_rootfs + path) + bb.note(" Rename debug rootfs...") try: shutil.rmtree(self.image_rootfs + '-dbg') diff --git a/poky/meta/lib/oe/sdk.py b/poky/meta/lib/oe/sdk.py index 81fcf15371..3dc3672210 100644 --- a/poky/meta/lib/oe/sdk.py +++ b/poky/meta/lib/oe/sdk.py @@ -70,7 +70,7 @@ class Sdk(object, metaclass=ABCMeta): #FIXME: using umbrella exc catching because bb.utils method raises it except Exception as e: bb.debug(1, "printing the stack trace\n %s" %traceback.format_exc()) - bb.error("unable to place %s in final SDK location" % sourcefile) + bb.fatal("unable to place %s in final SDK location" % sourcefile) def mkdirhier(self, dirpath): try: diff --git a/poky/meta/lib/oeqa/core/target/qemu.py b/poky/meta/lib/oeqa/core/target/qemu.py index 79fd724f7d..6893d10226 100644 --- a/poky/meta/lib/oeqa/core/target/qemu.py +++ b/poky/meta/lib/oeqa/core/target/qemu.py @@ -22,7 +22,7 @@ supported_fstypes = ['ext3', 'ext4', 'cpio.gz', 'wic'] class OEQemuTarget(OESSHTarget): def __init__(self, logger, server_ip, timeout=300, user='root', port=None, machine='', rootfs='', kernel='', kvm=False, slirp=False, - dump_dir='', dump_host_cmds='', display='', bootlog='', + dump_dir='', display='', bootlog='', tmpdir='', dir_image='', boottime=60, serial_ports=2, boot_patterns = defaultdict(str), ovmf=False, tmpfsdir=None, **kwargs): @@ -44,8 +44,7 @@ class OEQemuTarget(OESSHTarget): self.runner = QemuRunner(machine=machine, rootfs=rootfs, tmpdir=tmpdir, deploy_dir_image=dir_image, display=display, logfile=bootlog, boottime=boottime, - use_kvm=kvm, use_slirp=slirp, dump_dir=dump_dir, - dump_host_cmds=dump_host_cmds, logger=logger, + use_kvm=kvm, use_slirp=slirp, dump_dir=dump_dir, logger=logger, serial_ports=serial_ports, boot_patterns = boot_patterns, use_ovmf=ovmf, tmpfsdir=tmpfsdir) dump_monitor_cmds = kwargs.get("testimage_dump_monitor") diff --git a/poky/meta/lib/oeqa/core/target/ssh.py b/poky/meta/lib/oeqa/core/target/ssh.py index 51079075b5..a9566d9bd6 100644 --- a/poky/meta/lib/oeqa/core/target/ssh.py +++ b/poky/meta/lib/oeqa/core/target/ssh.py @@ -250,6 +250,9 @@ def SSHCall(command, logger, timeout=None, **opts): except InterruptedError: logger.debug('InterruptedError') continue + except BlockingIOError: + logger.debug('BlockingIOError') + continue process.stdout.close() @@ -267,6 +270,7 @@ def SSHCall(command, logger, timeout=None, **opts): " running time: %d seconds." % (timeout, endtime)) logger.debug('Received data from SSH call:\n%s ' % lastline) output += lastline + process.wait() else: output_raw = process.communicate()[0] @@ -284,6 +288,7 @@ def SSHCall(command, logger, timeout=None, **opts): except OSError: logger.debug('OSError') pass + process.wait() options = { "stdout": subprocess.PIPE, @@ -310,6 +315,8 @@ def SSHCall(command, logger, timeout=None, **opts): # whilst running and ensure we don't leave a process behind. if process.poll() is None: process.kill() + if process.returncode == None: + process.wait() logger.debug('Something went wrong, killing SSH process') raise diff --git a/poky/meta/lib/oeqa/runtime/cases/ltp.py b/poky/meta/lib/oeqa/runtime/cases/ltp.py index a66d5d13d7..879f2a673c 100644 --- a/poky/meta/lib/oeqa/runtime/cases/ltp.py +++ b/poky/meta/lib/oeqa/runtime/cases/ltp.py @@ -67,7 +67,7 @@ class LtpTest(LtpTestBase): def runltp(self, ltp_group): cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group) starttime = time.time() - (status, output) = self.target.run(cmd) + (status, output) = self.target.run(cmd, timeout=1200) endtime = time.time() with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f: diff --git a/poky/meta/lib/oeqa/runtime/cases/rpm.py b/poky/meta/lib/oeqa/runtime/cases/rpm.py index fa86eb0537..a4ba4e6769 100644 --- a/poky/meta/lib/oeqa/runtime/cases/rpm.py +++ b/poky/meta/lib/oeqa/runtime/cases/rpm.py @@ -59,8 +59,8 @@ class RpmBasicTest(OERuntimeTestCase): return time.sleep(1) user_pss = [ps for ps in output.split("\n") if u + ' ' in ps] - msg = "There're %s 's process(es) still running: %s".format(u, "\n".join(user_pss)) - assertTrue(True, msg=msg) + msg = "User %s has processes still running: %s" % (u, "\n".join(user_pss)) + self.fail(msg=msg) def unset_up_test_user(u): # ensure no test1 process in running diff --git a/poky/meta/lib/oeqa/runtime/context.py b/poky/meta/lib/oeqa/runtime/context.py index 0c5d1869ab..cb7227a8df 100644 --- a/poky/meta/lib/oeqa/runtime/context.py +++ b/poky/meta/lib/oeqa/runtime/context.py @@ -10,7 +10,6 @@ import sys from oeqa.core.context import OETestContext, OETestContextExecutor from oeqa.core.target.ssh import OESSHTarget from oeqa.core.target.qemu import OEQemuTarget -from oeqa.utils.dump import HostDumper from oeqa.runtime.loader import OERuntimeTestLoader @@ -20,12 +19,11 @@ class OERuntimeTestContext(OETestContext): os.path.dirname(os.path.abspath(__file__)), "files") def __init__(self, td, logger, target, - host_dumper, image_packages, extract_dir): + image_packages, extract_dir): super(OERuntimeTestContext, self).__init__(td, logger) self.target = target self.image_packages = image_packages - self.host_dumper = host_dumper self.extract_dir = extract_dir self._set_target_cmds() @@ -199,10 +197,6 @@ class OERuntimeTestContextExecutor(OETestContextExecutor): return image_packages - @staticmethod - def getHostDumper(cmds, directory): - return HostDumper(cmds, directory) - def _process_args(self, logger, args): if not args.packages_manifest: raise TypeError('Manifest file not provided') @@ -215,9 +209,6 @@ class OERuntimeTestContextExecutor(OETestContextExecutor): self.tc_kwargs['init']['target'] = \ OERuntimeTestContextExecutor.getTarget(args.target_type, None, args.target_ip, args.server_ip, **target_kwargs) - self.tc_kwargs['init']['host_dumper'] = \ - OERuntimeTestContextExecutor.getHostDumper(None, - args.host_dumper_dir) self.tc_kwargs['init']['image_packages'] = \ OERuntimeTestContextExecutor.readPackagesManifest( args.packages_manifest) diff --git a/poky/meta/lib/oeqa/selftest/cases/bbtests.py b/poky/meta/lib/oeqa/selftest/cases/bbtests.py index 1dd2839c8d..31aa5680f0 100644 --- a/poky/meta/lib/oeqa/selftest/cases/bbtests.py +++ b/poky/meta/lib/oeqa/selftest/cases/bbtests.py @@ -188,6 +188,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\" self.assertTrue(find, "No version returned for searched recipe. bitbake output: %s" % result.output) def test_prefile(self): + # Test when the prefile does not exist + result = runCmd('bitbake -r conf/prefile.conf', ignore_status=True) + self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified prefile didn't exist: %s" % result.output) + # Test when the prefile exists preconf = os.path.join(self.builddir, 'conf/prefile.conf') self.track_for_cleanup(preconf) ftools.write_file(preconf ,"TEST_PREFILE=\"prefile\"") @@ -198,6 +202,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\" self.assertIn('localconf', result.output) def test_postfile(self): + # Test when the postfile does not exist + result = runCmd('bitbake -R conf/postfile.conf', ignore_status=True) + self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified postfile didn't exist: %s" % result.output) + # Test when the postfile exists postconf = os.path.join(self.builddir, 'conf/postfile.conf') self.track_for_cleanup(postconf) ftools.write_file(postconf , "TEST_POSTFILE=\"postfile\"") diff --git a/poky/meta/lib/oeqa/selftest/cases/devtool.py b/poky/meta/lib/oeqa/selftest/cases/devtool.py index f51de8efe0..7ea56d3133 100644 --- a/poky/meta/lib/oeqa/selftest/cases/devtool.py +++ b/poky/meta/lib/oeqa/selftest/cases/devtool.py @@ -366,6 +366,38 @@ class DevtoolAddTests(DevtoolBase): bindir = bindir[1:] self.assertTrue(os.path.isfile(os.path.join(installdir, bindir, 'pv')), 'pv binary not found in D') + def test_devtool_add_binary(self): + # Create a binary package containing a known test file + tempdir = tempfile.mkdtemp(prefix='devtoolqa') + self.track_for_cleanup(tempdir) + pn = 'tst-bin' + pv = '1.0' + test_file_dir = "var/lib/%s/" % pn + test_file_name = "test_file" + test_file_content = "TEST CONTENT" + test_file_package_root = os.path.join(tempdir, pn) + test_file_dir_full = os.path.join(test_file_package_root, test_file_dir) + bb.utils.mkdirhier(test_file_dir_full) + with open(os.path.join(test_file_dir_full, test_file_name), "w") as f: + f.write(test_file_content) + bin_package_path = os.path.join(tempdir, "%s.tar.gz" % pn) + runCmd("tar czf %s -C %s ." % (bin_package_path, test_file_package_root)) + + # Test devtool add -b on the binary package + self.track_for_cleanup(self.workspacedir) + self.add_command_to_tearDown('bitbake -c cleansstate %s' % pn) + self.add_command_to_tearDown('bitbake-layers remove-layer */workspace') + result = runCmd('devtool add -b %s %s' % (pn, bin_package_path)) + self.assertExists(os.path.join(self.workspacedir, 'conf', 'layer.conf'), 'Workspace directory not created') + + # Build the resulting recipe + result = runCmd('devtool build %s' % pn) + installdir = get_bb_var('D', pn) + self.assertTrue(installdir, 'Could not query installdir variable') + + # Check that a known file from the binary package has indeed been installed + self.assertTrue(os.path.isfile(os.path.join(installdir, test_file_dir, test_file_name)), '%s not found in D' % test_file_name) + def test_devtool_add_git_local(self): # We need dbus built so that DEPENDS recognition works bitbake('dbus') diff --git a/poky/meta/lib/oeqa/selftest/cases/glibc.py b/poky/meta/lib/oeqa/selftest/cases/glibc.py index a446543a17..924df6c5a6 100644 --- a/poky/meta/lib/oeqa/selftest/cases/glibc.py +++ b/poky/meta/lib/oeqa/selftest/cases/glibc.py @@ -28,7 +28,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): features.append('TOOLCHAIN_TEST_HOST_USER = "root"') features.append('TOOLCHAIN_TEST_HOST_PORT = "22"') # force single threaded test execution - features.append('EGLIBCPARALLELISM_task-check:pn-glibc-testsuite = "PARALLELMFLAGS="-j1""') + features.append('EGLIBCPARALLELISM:task-check:pn-glibc-testsuite = "PARALLELMFLAGS="-j1""') self.write_config("\n".join(features)) bitbake("glibc-testsuite -c check") @@ -45,7 +45,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): with contextlib.ExitStack() as s: # use the base work dir, as the nfs mount, since the recipe directory may not exist tmpdir = get_bb_var("BASE_WORKDIR") - nfsport, mountport = s.enter_context(unfs_server(tmpdir)) + nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = False)) # build core-image-minimal with required packages default_installed_packages = [ @@ -65,7 +65,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): bitbake("core-image-minimal") # start runqemu - qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic")) + qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic", qemuparams = "-m 1024")) # validate that SSH is working status, _ = qemu.run("uname") @@ -74,7 +74,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): # setup nfs mount if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0: raise Exception("Failed to setup NFS mount directory on target") - mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir) + mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir) status, output = qemu.run(mountcmd) if status != 0: raise Exception("Failed to setup NFS mount on target ({})".format(repr(output))) diff --git a/poky/meta/lib/oeqa/targetcontrol.py b/poky/meta/lib/oeqa/targetcontrol.py index d686fe07ec..e21655c979 100644 --- a/poky/meta/lib/oeqa/targetcontrol.py +++ b/poky/meta/lib/oeqa/targetcontrol.py @@ -104,7 +104,6 @@ class QemuTarget(BaseTarget): self.kernel = os.path.join(d.getVar("DEPLOY_DIR_IMAGE"), d.getVar("KERNEL_IMAGETYPE", False) + '-' + d.getVar('MACHINE', False) + '.bin') self.qemulog = os.path.join(self.testdir, "qemu_boot_log.%s" % self.datetime) dump_target_cmds = d.getVar("testimage_dump_target") - dump_host_cmds = d.getVar("testimage_dump_host") dump_monitor_cmds = d.getVar("testimage_dump_monitor") dump_dir = d.getVar("TESTIMAGE_DUMP_DIR") if not dump_dir: @@ -141,7 +140,6 @@ class QemuTarget(BaseTarget): boottime = int(d.getVar("TEST_QEMUBOOT_TIMEOUT")), use_kvm = use_kvm, dump_dir = dump_dir, - dump_host_cmds = dump_host_cmds, logger = logger, tmpfsdir = d.getVar("RUNQEMU_TMPFS_DIR"), serial_ports = len(d.getVar("SERIAL_CONSOLES").split())) diff --git a/poky/meta/lib/oeqa/utils/dump.py b/poky/meta/lib/oeqa/utils/dump.py index d420b497f9..d4d271369f 100644 --- a/poky/meta/lib/oeqa/utils/dump.py +++ b/poky/meta/lib/oeqa/utils/dump.py @@ -51,9 +51,7 @@ class BaseDumper(object): self.dump_dir = dump_dir def _construct_filename(self, command): - if isinstance(self, HostDumper): - prefix = "host" - elif isinstance(self, TargetDumper): + if isinstance(self, TargetDumper): prefix = "target" elif isinstance(self, MonitorDumper): prefix = "qmp" @@ -76,22 +74,6 @@ class BaseDumper(object): with open(fullname, 'w') as dump_file: dump_file.write(output) -class HostDumper(BaseDumper): - """ Class to get dumps from the host running the tests """ - - def __init__(self, cmds, parent_dir): - super(HostDumper, self).__init__(cmds, parent_dir) - - def dump_host(self, dump_dir=""): - if dump_dir: - self.dump_dir = dump_dir - env = os.environ.copy() - env['PATH'] = '/usr/sbin:/sbin:/usr/bin:/bin' - env['COLUMNS'] = '9999' - for cmd in self.cmds: - result = runCmd(cmd, ignore_status=True, env=env) - self._write_dump(cmd.split()[0], result.output) - class TargetDumper(BaseDumper): """ Class to get dumps from target, it only works with QemuRunner. Will give up permanently after 5 errors from running commands over diff --git a/poky/meta/lib/oeqa/utils/gitarchive.py b/poky/meta/lib/oeqa/utils/gitarchive.py index 6e8040eb5c..73beafecb5 100644 --- a/poky/meta/lib/oeqa/utils/gitarchive.py +++ b/poky/meta/lib/oeqa/utils/gitarchive.py @@ -116,7 +116,8 @@ def expand_tag_strings(repo, name_pattern, msg_subj_pattern, msg_body_pattern, tag_re = tag_re.format(tag_number='(?P<tag_number>[0-9]{1,5})') keyws['tag_number'] = 0 - for existing_tag in repo.run_cmd('tag').splitlines(): + tags_refs = repo.run_cmd(['ls-remote', '--refs', '--tags', '-q']) + for existing_tag in ["".join(d.split()[1].split('/', 2)[2:]) for d in tags_refs.splitlines()]: match = re.match(tag_re, existing_tag) if match and int(match.group('tag_number')) >= keyws['tag_number']: @@ -181,7 +182,8 @@ def get_test_runs(log, repo, tag_name, **kwargs): # Get a list of all matching tags tag_pattern = tag_name.format(**str_fields) - tags = repo.run_cmd(['tag', '-l', tag_pattern]).splitlines() + revs = repo.run_cmd(['ls-remote', '--refs', '--tags', 'origin', '-q', tag_pattern]).splitlines() + tags = ["".join(d.split()[1].split('/', 2)[2:]) for d in revs] log.debug("Found %d tags matching pattern '%s'", len(tags), tag_pattern) # Parse undefined fields from tag names diff --git a/poky/meta/lib/oeqa/utils/nfs.py b/poky/meta/lib/oeqa/utils/nfs.py index b66ed42a58..903469bfee 100644 --- a/poky/meta/lib/oeqa/utils/nfs.py +++ b/poky/meta/lib/oeqa/utils/nfs.py @@ -12,7 +12,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command from oeqa.utils.network import get_free_port @contextlib.contextmanager -def unfs_server(directory, logger = None): +def unfs_server(directory, logger = None, udp = True): unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native") if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")): # build native tool @@ -26,7 +26,7 @@ def unfs_server(directory, logger = None): exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode()) # find some ports for the server - nfsport, mountport = get_free_port(udp = True), get_free_port(udp = True) + nfsport, mountport = get_free_port(udp), get_free_port(udp) nenv = dict(os.environ) nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '') diff --git a/poky/meta/lib/oeqa/utils/qemurunner.py b/poky/meta/lib/oeqa/utils/qemurunner.py index 8bb35f5a8b..2ba0596ba1 100644 --- a/poky/meta/lib/oeqa/utils/qemurunner.py +++ b/poky/meta/lib/oeqa/utils/qemurunner.py @@ -21,7 +21,6 @@ import threading import codecs import logging import tempfile -from oeqa.utils.dump import HostDumper from collections import defaultdict import importlib @@ -33,8 +32,8 @@ re_control_char = re.compile('[%s]' % re.escape("".join(control_chars))) class QemuRunner: - def __init__(self, machine, rootfs, display, tmpdir, deploy_dir_image, logfile, boottime, dump_dir, dump_host_cmds, - use_kvm, logger, use_slirp=False, serial_ports=2, boot_patterns = defaultdict(str), use_ovmf=False, workdir=None, tmpfsdir=None): + def __init__(self, machine, rootfs, display, tmpdir, deploy_dir_image, logfile, boottime, dump_dir, use_kvm, logger, use_slirp=False, + serial_ports=2, boot_patterns = defaultdict(str), use_ovmf=False, workdir=None, tmpfsdir=None): # Popen object for runqemu self.runqemu = None @@ -69,7 +68,6 @@ class QemuRunner: if not workdir: workdir = os.getcwd() self.qemu_pidfile = workdir + '/pidfile_' + str(os.getpid()) - self.host_dumper = HostDumper(dump_host_cmds, dump_dir) self.monitorpipe = None self.logger = logger @@ -138,7 +136,6 @@ class QemuRunner: self.logger.error('runqemu exited with code %d' % self.runqemu.returncode) self.logger.error('Output from runqemu:\n%s' % self.getOutput(self.runqemu.stdout)) self.stop() - self._dump_host() def start(self, qemuparams = None, get_ip = True, extra_bootparams = None, runqemuparams='', launch_cmd=None, discard_writes=True): env = os.environ.copy() @@ -188,7 +185,7 @@ class QemuRunner: def launch(self, launch_cmd, get_ip = True, qemuparams = None, extra_bootparams = None, env = None): # use logfile to determine the recipe-sysroot-native path and # then add in the site-packages path components and add that - # to the python sys.path so qmp.py can be found. + # to the python sys.path so the qmp module can be found. python_path = os.path.dirname(os.path.dirname(self.logfile)) python_path += "/recipe-sysroot-native/usr/lib/qemu-python" sys.path.append(python_path) @@ -196,7 +193,7 @@ class QemuRunner: try: qmp = importlib.import_module("qmp") except Exception as e: - self.logger.error("qemurunner: qmp.py missing, please ensure it's installed (%s)" % str(e)) + self.logger.error("qemurunner: qmp module missing, please ensure it's installed in %s (%s)" % (python_path, str(e))) return False # Path relative to tmpdir used as cwd for qemu below to avoid unix socket path length issues qmp_file = "." + next(tempfile._get_candidate_names()) @@ -286,7 +283,6 @@ class QemuRunner: if self.runqemu.returncode: # No point waiting any longer self.logger.warning('runqemu exited with code %d' % self.runqemu.returncode) - self._dump_host() self.logger.warning("Output from runqemu:\n%s" % self.getOutput(output)) self.stop() return False @@ -314,7 +310,6 @@ class QemuRunner: ps = subprocess.Popen(['ps', 'axww', '-o', 'pid,ppid,pri,ni,command '], stdout=subprocess.PIPE).communicate()[0] processes = ps.decode("utf-8") self.logger.debug("Running processes:\n%s" % processes) - self._dump_host() op = self.getOutput(output) self.stop() if op: @@ -430,7 +425,6 @@ class QemuRunner: self.logger.error("Couldn't get ip from qemu command line and runqemu output! " "Here is the qemu command line used:\n%s\n" "and output from runqemu:\n%s" % (cmdline, out)) - self._dump_host() self.stop() return False @@ -508,7 +502,6 @@ class QemuRunner: lines = tail(bootlog if bootlog else self.msg) self.logger.warning("Last 25 lines of text (%d):\n%s" % (len(bootlog), lines)) self.logger.warning("Check full boot log: %s" % self.logfile) - self._dump_host() self.stop() return False @@ -689,13 +682,6 @@ class QemuRunner: status = 1 return (status, str(data)) - - def _dump_host(self): - self.host_dumper.create_dir("qemu") - self.logger.warning("Qemu ended unexpectedly, dump data from host" - " is in %s" % self.host_dumper.dump_dir) - self.host_dumper.dump_host() - # This class is for reading data from a socket and passing it to logfunc # to be processed. It's completely event driven and has a straightforward # event loop. The mechanism for stopping the thread is a simple pipe which diff --git a/poky/meta/recipes-bsp/grub/files/determinism.patch b/poky/meta/recipes-bsp/grub/files/determinism.patch index 2828e80975..852b95a856 100644 --- a/poky/meta/recipes-bsp/grub/files/determinism.patch +++ b/poky/meta/recipes-bsp/grub/files/determinism.patch @@ -14,7 +14,7 @@ missing sorting of the list used to generate it. Add such a sort. Also ensure the generated unidata.c file is deterministic by sorting the keys of the dict. -Upstream-Status: Pending +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/grub-devel/2023-06/index.html] Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com> --- diff --git a/poky/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb b/poky/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb index c6a4bc4932..dcc09f279e 100644 --- a/poky/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb +++ b/poky/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb @@ -19,9 +19,12 @@ PACKAGECONFIG[manpages] = "--enable-doc, --disable-doc, libxslt-native xmlto-nat RDEPENDS:${PN} = "grep bash" +EXTRA_OECONF = "--libdir=${nonarch_libdir}" + do_configure:prepend () { ( cd ${S}; autoreconf -f -i -s ) } -FILES:${PN} += "${libdir}/${BPN}/*" +FILES:${PN} += "${nonarch_libdir}/${BPN}/*" FILES:${PN}-dbg += "${datadir}/doc/pm-utils/README.debugging" +FILES:${PN}-dev += "${nonarch_libdir}/pkgconfig/pm-utils.pc" diff --git a/poky/meta/recipes-bsp/v86d/v86d_0.1.10.bb b/poky/meta/recipes-bsp/v86d/v86d_0.1.10.bb index 5f342b1120..b4fe362f8e 100644 --- a/poky/meta/recipes-bsp/v86d/v86d_0.1.10.bb +++ b/poky/meta/recipes-bsp/v86d/v86d_0.1.10.bb @@ -6,7 +6,6 @@ DESCRIPTION = "v86d provides a backend for kernel drivers that need to execute x LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://README;md5=94ac1971e4f2309dc322d598e7b1f7dd" -DEPENDS = "virtual/kernel" RRECOMMENDS:${PN} = "kernel-module-uvesafb" PR = "r2" diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch index ec1bc7b567..ec1bc7b567 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-avoid-start-failure-with-bind-user.patch +++ b/poky/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch index 4c10f33f04..4c10f33f04 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch +++ b/poky/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch index f1abd179e8..f1abd179e8 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind9 b/poky/meta/recipes-connectivity/bind/bind/bind9 index 968679ff7f..968679ff7f 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind9 +++ b/poky/meta/recipes-connectivity/bind/bind/bind9 diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/conf.patch b/poky/meta/recipes-connectivity/bind/bind/conf.patch index aa3642acec..aa3642acec 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/conf.patch +++ b/poky/meta/recipes-connectivity/bind/bind/conf.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh index 633e29c0e6..633e29c0e6 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/generate-rndc-key.sh +++ b/poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch index 11db95ede1..11db95ede1 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/init.d-add-support-for-read-only-rootfs.patch +++ b/poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch index 146f3e35db..146f3e35db 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/make-etc-initd-bind-stop-work.patch +++ b/poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/named.service b/poky/meta/recipes-connectivity/bind/bind/named.service index cda56ef015..cda56ef015 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/named.service +++ b/poky/meta/recipes-connectivity/bind/bind/named.service diff --git a/poky/meta/recipes-connectivity/bind/bind_9.18.13.bb b/poky/meta/recipes-connectivity/bind/bind_9.18.19.bb index 8617137e87..6936c1c6ad 100644 --- a/poky/meta/recipes-connectivity/bind/bind_9.18.13.bb +++ b/poky/meta/recipes-connectivity/bind/bind_9.18.19.bb @@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system" SECTION = "console/network" LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=d8cf7bd9c4fd5471a588e7e66e672408" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43" DEPENDS = "openssl libcap zlib libuv" @@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "3b06b6390c1012dd3956b1479c73b2097c0b22207817e2e8aae352fd20e578c7" +SRC_URI[sha256sum] = "115e09c05439bebade1d272eda08fa88eb3b60129edef690588c87a4d27612cc" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 @@ -39,7 +39,7 @@ PACKAGECONFIG[readline] = "--with-readline=readline,,readline" PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit" PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2" -EXTRA_OECONF = " --disable-devpoll --disable-auto-validation --enable-epoll \ +EXTRA_OECONF = " --disable-auto-validation \ --with-gssapi=no --with-lmdb=no --with-zlib \ --sysconfdir=${sysconfdir}/bind \ --with-openssl=${STAGING_DIR_HOST}${prefix} \ diff --git a/poky/meta/recipes-connectivity/connman/connman.inc b/poky/meta/recipes-connectivity/connman/connman.inc index d7af94f792..7487ca0d0c 100644 --- a/poky/meta/recipes-connectivity/connman/connman.inc +++ b/poky/meta/recipes-connectivity/connman/connman.inc @@ -27,6 +27,7 @@ EXTRA_OECONF += "\ --enable-ethernet \ --enable-tools \ --disable-polkit \ + --runstatedir=/run \ " # For smooth operation it would be best to start only one wireless daemon at a time. # If wpa-supplicant is running, connman will use it preferentially. diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch new file mode 100644 index 0000000000..04fd9b1f85 --- /dev/null +++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch @@ -0,0 +1,284 @@ +From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001 +From: Jeffrey Bencteux <jeffbencteux@gmail.com> +Date: Mon, 28 Aug 2023 15:35:19 +0000 +Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check +set*id() return values + +Several setuid(), setgid(), seteuid() and setguid() return values +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially +leading to potential security issues. + +Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com> +Signed-off-by: Simon Josefsson <simon@josefsson.org> + +CVE: CVE-2023-40303 + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + ftpd/ftpd.c | 10 +++++++--- + src/rcp.c | 39 +++++++++++++++++++++++++++++++++------ + src/rlogin.c | 11 +++++++++-- + src/rsh.c | 25 +++++++++++++++++++++---- + src/rshd.c | 20 +++++++++++++++++--- + src/uucpd.c | 15 +++++++++++++-- + 6 files changed, 100 insertions(+), 20 deletions(-) + +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c +index 92b2cca..009f3f1 100644 +--- a/ftpd/ftpd.c ++++ b/ftpd/ftpd.c +@@ -862,7 +862,9 @@ end_login (struct credentials *pcred) + char *remotehost = pcred->remotehost; + int atype = pcred->auth_type; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); ++ + if (pcred->logged_in) + { + logwtmp_keep_open (ttyline, "", ""); +@@ -1151,7 +1153,8 @@ getdatasock (const char *mode) + + if (data >= 0) + return fdopen (data, mode); +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); + if (s < 0) + goto bad; +@@ -1978,7 +1981,8 @@ passive (int epsv, int af) + else /* !AF_INET6 */ + ((struct sockaddr_in *) &pasv_addr)->sin_port = 0; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0) + { + if (seteuid ((uid_t) cred.uid)) +diff --git a/src/rcp.c b/src/rcp.c +index 75adb25..f913256 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -345,14 +345,23 @@ main (int argc, char *argv[]) + if (from_option) + { /* Follow "protocol", send data. */ + response (); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + source (argc, argv); + exit (errs); + } + + if (to_option) + { /* Receive data. */ +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + sink (argc, argv); + exit (errs); + } +@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[]) + if (response () < 0) + exit (EXIT_FAILURE); + free (bp); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[]) + ++errs; + continue; + } +- seteuid (userid); ++ ++ if (seteuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); + (void) getpeername (rem, (struct sockaddr *) &ss, &sslen); +@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[]) + #endif + vect[0] = target; + sink (1, vect); +- seteuid (effuid); ++ ++ if (seteuid (effuid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + close (rem); + rem = -1; + #ifdef SHISHI +@@ -1441,7 +1464,11 @@ susystem (char *s, int userid) + return (127); + + case 0: +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); + } +diff --git a/src/rlogin.c b/src/rlogin.c +index aa6426f..9bf9645 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -647,8 +647,15 @@ try_connect: + /* Now change to the real user ID. We have to be set-user-ID root + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. */ +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 2d622ca..7b9cf22 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -276,8 +276,17 @@ main (int argc, char **argv) + { + if (asrsh) + *argv = (char *) "rlogin"; +- seteuid (getuid ()); +- setuid (getuid ()); ++ ++ if (seteuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); + } +@@ -541,8 +550,16 @@ try_connect: + error (0, errno, "setsockopt DEBUG (ignored)"); + } + +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); + sigaddset (&sigs, SIGINT); +diff --git a/src/rshd.c b/src/rshd.c +index d1c0d0c..19d9a60 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1847,8 +1847,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + pwd->pw_shell = PATH_BSHELL; + + /* Set the gid, then uid to become the user specified by "locuser" */ +- setegid ((gid_t) pwd->pw_gid); +- setgid ((gid_t) pwd->pw_gid); ++ if (setegid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ ++ if (setgid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ + #endif +@@ -1870,7 +1880,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + } + #endif /* WITH_PAM */ + +- setuid ((uid_t) pwd->pw_uid); ++ if (setuid ((uid_t) pwd->pw_uid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 107589e..34be165 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -252,7 +252,12 @@ doit (struct sockaddr *sap, socklen_t salen) + snprintf (Username, sizeof (Username), "USER=%s", user); + snprintf (Logname, sizeof (Logname), "LOGNAME=%s", user); + dologin (pw, sap, salen); +- setgid (pw->pw_gid); ++ ++ if (setgid (pw->pw_gid) == -1) ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -261,7 +266,13 @@ doit (struct sockaddr *sap, socklen_t salen) + fprintf (stderr, "Login incorrect."); + return; + } +- setuid (pw->pw_uid); ++ ++ if (setuid (pw->pw_uid) == -1) ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } ++ + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); + } +-- +2.40.0 diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch deleted file mode 100644 index 49d319f59d..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 7d39930468e272c740b0eed3c7e5b7fb3abf29e8 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Wed, 5 Aug 2020 10:36:22 -0700 -Subject: [PATCH] ftpd,telnetd: Fix multiple definitions of errcatch and not42 - -This helps fix build failures when -fno-common option is used - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - ftpd/extern.h | 2 +- - ftpd/ftpcmd.c | 1 + - telnetd/utility.c | 2 +- - 3 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/ftpd/extern.h b/ftpd/extern.h -index ab33cf3..91dbbee 100644 ---- a/ftpd/extern.h -+++ b/ftpd/extern.h -@@ -90,7 +90,7 @@ extern void user (const char *); - extern char *sgetsave (const char *); - - /* Exported from ftpd.c. */ --jmp_buf errcatch; -+extern jmp_buf errcatch; - extern struct sockaddr_storage data_dest; - extern socklen_t data_dest_len; - extern struct sockaddr_storage his_addr; -diff --git a/ftpd/ftpcmd.c b/ftpd/ftpcmd.c -index beb1f06..d272e9d 100644 ---- a/ftpd/ftpcmd.c -+++ b/ftpd/ftpcmd.c -@@ -106,6 +106,7 @@ - #endif - - off_t restart_point; -+jmp_buf errcatch; - - static char cbuf[512]; /* Command Buffer. */ - static char *fromname; -diff --git a/telnetd/utility.c b/telnetd/utility.c -index e7ffb8e..46bf91e 100644 ---- a/telnetd/utility.c -+++ b/telnetd/utility.c -@@ -63,7 +63,7 @@ static int ncc; - static char ptyibuf[BUFSIZ], *ptyip; - static int pcc; - --int not42; -+extern int not42; - - static int - readstream (int p, char *ibuf, int bufsize) --- -2.28.0 - diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch new file mode 100644 index 0000000000..f4252b5f34 --- /dev/null +++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch @@ -0,0 +1,258 @@ +From 9122999252c7e21eb7774de11d539748e7bdf46d Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <simon@josefsson.org> +Date: Tue, 29 Aug 2023 06:42:11 +0000 +Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit. + +CVE: CVE-2023-40303 + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + src/rcp.c | 42 ++++++++++++++++++++++++------------------ + src/rlogin.c | 12 ++++++------ + src/rsh.c | 26 +++++++++++++------------- + src/rshd.c | 24 ++++++++++++------------ + src/uucpd.c | 16 ++++++++-------- + 5 files changed, 63 insertions(+), 57 deletions(-) + +diff --git a/src/rcp.c b/src/rcp.c +index 7018e35..e504f8a 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -347,9 +347,10 @@ main (int argc, char *argv[]) + response (); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + source (argc, argv); + exit (errs); +@@ -358,9 +359,10 @@ main (int argc, char *argv[]) + if (to_option) + { /* Receive data. */ + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + sink (argc, argv); + exit (errs); +@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[]) + free (bp); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[]) + } + + if (seteuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); +@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[]) + sink (1, vect); + + if (seteuid (effuid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + close (rem); + rem = -1; +@@ -1465,9 +1470,10 @@ susystem (char *s, int userid) + + case 0: + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); +diff --git a/src/rlogin.c b/src/rlogin.c +index 9bf9645..a0c1237 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -648,14 +648,14 @@ try_connect: + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. */ + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 7b9cf22..c8f50d3 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -278,14 +278,14 @@ main (int argc, char **argv) + *argv = (char *) "rlogin"; + + if (seteuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } +- ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ + if (setuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); +@@ -551,14 +551,14 @@ try_connect: + } + + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); +diff --git a/src/rshd.c b/src/rshd.c +index 707790e..df43edf 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + + /* Set the gid, then uid to become the user specified by "locuser" */ + if (setegid ((gid_t) pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setegid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + if (setgid ((gid_t) pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setgid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ +@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + #endif /* WITH_PAM */ + + if (setuid ((uid_t) pwd->pw_uid) == -1) +- { +- rshd_error ("Cannot drop privileges (setuid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 29cfce3..afe24f3 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen) + dologin (pw, sap, salen); + + if (setgid (pw->pw_gid) == -1) +- { +- fprintf (stderr, "setgid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen) + } + + if (setuid (pw->pw_uid) == -1) +- { +- fprintf (stderr, "setuid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } + + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); +-- +2.40.0 diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch deleted file mode 100644 index a91913cb51..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch +++ /dev/null @@ -1,25 +0,0 @@ -tftpd: Fix abort on error path - -When trying to fetch a non existent file, the app crashes with: - -*** buffer overflow detected ***: -Aborted - - -Upstream-Status: Submitted [https://www.mail-archive.com/bug-inetutils@gnu.org/msg03036.html https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91205] -Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com> -diff --git a/src/tftpd.c b/src/tftpd.c -index 56002a0..144012f 100644 ---- a/src/tftpd.c -+++ b/src/tftpd.c -@@ -864,9 +864,8 @@ nak (int error) - pe->e_msg = strerror (error - 100); - tp->th_code = EUNDEF; /* set 'undef' errorcode */ - } -- strcpy (tp->th_msg, pe->e_msg); - length = strlen (pe->e_msg); -- tp->th_msg[length] = '\0'; -+ memcpy(tp->th_msg, pe->e_msg, length + 1); - length += 5; - if (sendto (peer, buf, length, 0, (struct sockaddr *) &from, fromlen) != length) - syslog (LOG_ERR, "nak: %m\n"); diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb index 6519331141..032c0d6b24 100644 --- a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb +++ b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb @@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://inetutils-1.9-PATH_PROCNET_DEV.patch \ file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ + file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \ + file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \ " inherit autotools gettext update-alternatives texinfo diff --git a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index e802bcee18..a4030b7b32 100644 --- a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -5,8 +5,8 @@ SECTION = "network" LICENSE = "PD" LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" -SRCREV = "22a5de3ef637990ce03141f786fbdb327e9c5a3f" -PV = "20221107" +SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe" +PV = "20230416" PE = "1" SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" diff --git a/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch new file mode 100644 index 0000000000..4c8aa085f3 --- /dev/null +++ b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch @@ -0,0 +1,994 @@ +From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Fri, 24 Mar 2023 13:56:25 +1100 +Subject: [PATCH] remove support for old libcrypto + +OpenSSH now requires LibreSSL 3.1.0 or greater or +OpenSSL 1.1.1 or greater + +with/ok dtucker@ + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0] +Comment: Hunks are refreshed. +Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com> + +--- + .github/workflows/c-cpp.yml | 7 - + INSTALL | 8 +- + cipher-aes.c | 2 +- + configure.ac | 96 ++--- + openbsd-compat/libressl-api-compat.c | 556 +-------------------------- + openbsd-compat/openssl-compat.h | 151 +------- + 6 files changed, 40 insertions(+), 780 deletions(-) + +diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml +index 3d9aa22dba5..d299a32468d 100644 +--- a/.github/workflows/c-cpp.yml ++++ b/.github/workflows/c-cpp.yml +@@ -47,9 +47,6 @@ jobs: + - { target: ubuntu-20.04, config: tcmalloc } + - { target: ubuntu-20.04, config: musl } + - { target: ubuntu-latest, config: libressl-master } +- - { target: ubuntu-latest, config: libressl-2.2.9 } +- - { target: ubuntu-latest, config: libressl-2.8.3 } +- - { target: ubuntu-latest, config: libressl-3.0.2 } + - { target: ubuntu-latest, config: libressl-3.2.6 } + - { target: ubuntu-latest, config: libressl-3.3.6 } + - { target: ubuntu-latest, config: libressl-3.4.3 } +@@ -58,10 +55,6 @@ jobs: + - { target: ubuntu-latest, config: libressl-3.7.0 } + - { target: ubuntu-latest, config: openssl-master } + - { target: ubuntu-latest, config: openssl-noec } +- - { target: ubuntu-latest, config: openssl-1.0.1 } +- - { target: ubuntu-latest, config: openssl-1.0.1u } +- - { target: ubuntu-latest, config: openssl-1.0.2u } +- - { target: ubuntu-latest, config: openssl-1.1.0h } + - { target: ubuntu-latest, config: openssl-1.1.1 } + - { target: ubuntu-latest, config: openssl-1.1.1k } + - { target: ubuntu-latest, config: openssl-1.1.1n } +diff --git a/INSTALL b/INSTALL +index 68b15e13190..f99d1e2a809 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -21,12 +21,8 @@ https://zlib.net/ + + libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto + is supported but severely restricts the available ciphers and algorithms. +- - LibreSSL (https://www.libressl.org/) +- - OpenSSL (https://www.openssl.org) with any of the following versions: +- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 +- +-Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to +-1.1.0g can't be used. ++ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater ++ - OpenSSL (https://www.openssl.org) 1.1.1 or greater + + LibreSSL/OpenSSL should be compiled as a position-independent library + (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" +diff --git a/cipher-aes.c b/cipher-aes.c +index 8b101727284..87c763353d8 100644 +--- a/cipher-aes.c ++++ b/cipher-aes.c +@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + + static int + ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, +- LIBCRYPTO_EVP_INL_TYPE len) ++ size_t len) + { + struct ssh_rijndael_ctx *c; + u_char buf[RIJNDAEL_BLOCKSIZE]; +diff --git a/configure.ac b/configure.ac +index 22fee70f604..1c0ccdf19c5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then + #include <openssl/crypto.h> + #define DATA "conftest.ssllibver" + ]], [[ +- FILE *fd; +- int rc; ++ FILE *f; + +- fd = fopen(DATA,"w"); +- if(fd == NULL) ++ if ((f = fopen(DATA, "w")) == NULL) + exit(1); +-#ifndef OPENSSL_VERSION +-# define OPENSSL_VERSION SSLEAY_VERSION +-#endif +-#ifndef HAVE_OPENSSL_VERSION +-# define OpenSSL_version SSLeay_version +-#endif +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif +- if ((rc = fprintf(fd, "%08lx (%s)\n", ++ if (fprintf(f, "%08lx (%s)", + (unsigned long)OpenSSL_version_num(), +- OpenSSL_version(OPENSSL_VERSION))) < 0) ++ OpenSSL_version(OPENSSL_VERSION)) < 0) ++ exit(1); ++#ifdef LIBRESSL_VERSION_NUMBER ++ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0) ++ exit(1); ++#endif ++ if (fputc('\n', f) == EOF || fclose(f) == EOF) + exit(1); +- + exit(0); + ]])], + [ +- ssl_library_ver=`cat conftest.ssllibver` ++ sslver=`cat conftest.ssllibver` ++ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'` + # Check version is supported. +- case "$ssl_library_ver" in +- 10000*|0*) +- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) +- ;; +- 100*) ;; # 1.0.x +- 101000[[0123456]]*) +- # https://github.com/openssl/openssl/pull/4613 +- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) ++ case "$sslver" in ++ 100*|10100*) # 1.0.x, 1.1.0x ++ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")]) + ;; + 101*) ;; # 1.1.x +- 200*) ;; # LibreSSL ++ 200*) # LibreSSL ++ lver=`echo "$sslver" | sed 's/.*libressl-//'` ++ case "$lver" in ++ 2*|300*) # 2.x, 3.0.0 ++ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")]) ++ ;; ++ *) ;; # Assume all other versions are good. ++ esac ++ ;; + 300*) + # OpenSSL 3; we use the 1.1x API + CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" +@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then + CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" + ;; + *) +- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")]) ++ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")]) + ;; + esac +- AC_MSG_RESULT([$ssl_library_ver]) ++ AC_MSG_RESULT([$ssl_showver]) + ], + [ + AC_MSG_RESULT([not found]) +@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then + + case "$host" in + x86_64-*) +- case "$ssl_library_ver" in ++ case "$sslver" in + 3000004*) + AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) + ;; +@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then + #include <openssl/opensslv.h> + #include <openssl/crypto.h> + ]], [[ +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif + exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1); + ]])], + [ +@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then + ) + ) + +- # LibreSSL/OpenSSL 1.1x API ++ # LibreSSL/OpenSSL API differences + AC_CHECK_FUNCS([ \ +- OPENSSL_init_crypto \ +- DH_get0_key \ +- DH_get0_pqg \ +- DH_set0_key \ +- DH_set_length \ +- DH_set0_pqg \ +- DSA_get0_key \ +- DSA_get0_pqg \ +- DSA_set0_key \ +- DSA_set0_pqg \ +- DSA_SIG_get0 \ +- DSA_SIG_set0 \ +- ECDSA_SIG_get0 \ +- ECDSA_SIG_set0 \ + EVP_CIPHER_CTX_iv \ + EVP_CIPHER_CTX_iv_noconst \ + EVP_CIPHER_CTX_get_iv \ + EVP_CIPHER_CTX_get_updated_iv \ + EVP_CIPHER_CTX_set_iv \ +- RSA_get0_crt_params \ +- RSA_get0_factors \ +- RSA_get0_key \ +- RSA_set0_crt_params \ +- RSA_set0_factors \ +- RSA_set0_key \ +- RSA_meth_free \ +- RSA_meth_dup \ +- RSA_meth_set1_name \ +- RSA_meth_get_finish \ +- RSA_meth_set_priv_enc \ +- RSA_meth_set_priv_dec \ +- RSA_meth_set_finish \ +- EVP_PKEY_get0_RSA \ +- EVP_MD_CTX_new \ +- EVP_MD_CTX_free \ +- EVP_chacha20 \ + ]) + + if test "x$openssl_engine" = "xyes" ; then +@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then + ] + ) + +- # Check for SHA256, SHA384 and SHA512 support in OpenSSL +- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512]) ++ # Check for various EVP support in OpenSSL ++ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20]) + + # Check complete ECC support in OpenSSL + AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) +diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c +index 498180dc894..59be17397c5 100644 +--- a/openbsd-compat/libressl-api-compat.c ++++ b/openbsd-compat/libressl-api-compat.c +@@ -1,129 +1,5 @@ +-/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */ +-/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */ +-/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */ +-/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */ +-/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */ +-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ +-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) +- * All rights reserved. +- * +- * This package is an SSL implementation written +- * by Eric Young (eay@cryptsoft.com). +- * The implementation was written so as to conform with Netscapes SSL. +- * +- * This library is free for commercial and non-commercial use as long as +- * the following conditions are aheared to. The following conditions +- * apply to all code found in this distribution, be it the RC4, RSA, +- * lhash, DES, etc., code; not just the SSL code. The SSL documentation +- * included with this distribution is covered by the same copyright terms +- * except that the holder is Tim Hudson (tjh@cryptsoft.com). +- * +- * Copyright remains Eric Young's, and as such any Copyright notices in +- * the code are not to be removed. +- * If this package is used in a product, Eric Young should be given attribution +- * as the author of the parts of the library used. +- * This can be in the form of a textual message at program startup or +- * in documentation (online or textual) provided with the package. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * 1. Redistributions of source code must retain the copyright +- * notice, this list of conditions and the following disclaimer. +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in the +- * documentation and/or other materials provided with the distribution. +- * 3. All advertising materials mentioning features or use of this software +- * must display the following acknowledgement: +- * "This product includes cryptographic software written by +- * Eric Young (eay@cryptsoft.com)" +- * The word 'cryptographic' can be left out if the rouines from the library +- * being used are not cryptographic related :-). +- * 4. If you include any Windows specific code (or a derivative thereof) from +- * the apps directory (application code) you must include an acknowledgement: +- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" +- * +- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. +- * +- * The licence and distribution terms for any publically available version or +- * derivative of this code cannot be changed. i.e. this code cannot simply be +- * copied and put under another distribution licence +- * [including the GNU Public Licence.] +- */ +- +-/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */ +-/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */ +-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ +-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +- * project 2000. +- */ +-/* ==================================================================== +- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * +- * 1. Redistributions of source code must retain the above copyright +- * notice, this list of conditions and the following disclaimer. +- * +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in +- * the documentation and/or other materials provided with the +- * distribution. +- * +- * 3. All advertising materials mentioning features or use of this +- * software must display the following acknowledgment: +- * "This product includes software developed by the OpenSSL Project +- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" +- * +- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +- * endorse or promote products derived from this software without +- * prior written permission. For written permission, please contact +- * licensing@OpenSSL.org. +- * +- * 5. Products derived from this software may not be called "OpenSSL" +- * nor may "OpenSSL" appear in their names without prior written +- * permission of the OpenSSL Project. +- * +- * 6. Redistributions of any form whatsoever must retain the following +- * acknowledgment: +- * "This product includes software developed by the OpenSSL Project +- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" +- * +- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +- * OF THE POSSIBILITY OF SUCH DAMAGE. +- * ==================================================================== +- * +- * This product includes cryptographic software written by Eric Young +- * (eay@cryptsoft.com). This product includes software written by Tim +- * Hudson (tjh@cryptsoft.com). +- * +- */ +- +-/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */ + /* +- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> ++ * Copyright (c) 2018 Damien Miller <djm@mindrot.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -147,192 +23,7 @@ + #include <stdlib.h> + #include <string.h> + +-#include <openssl/err.h> +-#include <openssl/bn.h> +-#include <openssl/dsa.h> +-#include <openssl/rsa.h> + #include <openssl/evp.h> +-#ifdef OPENSSL_HAS_ECC +-#include <openssl/ecdsa.h> +-#endif +-#include <openssl/dh.h> +- +-#ifndef HAVE_DSA_GET0_PQG +-void +-DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +-{ +- if (p != NULL) +- *p = d->p; +- if (q != NULL) +- *q = d->q; +- if (g != NULL) +- *g = d->g; +-} +-#endif /* HAVE_DSA_GET0_PQG */ +- +-#ifndef HAVE_DSA_SET0_PQG +-int +-DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) +-{ +- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || +- (d->g == NULL && g == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(d->p); +- d->p = p; +- } +- if (q != NULL) { +- BN_free(d->q); +- d->q = q; +- } +- if (g != NULL) { +- BN_free(d->g); +- d->g = g; +- } +- +- return 1; +-} +-#endif /* HAVE_DSA_SET0_PQG */ +- +-#ifndef HAVE_DSA_GET0_KEY +-void +-DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) +-{ +- if (pub_key != NULL) +- *pub_key = d->pub_key; +- if (priv_key != NULL) +- *priv_key = d->priv_key; +-} +-#endif /* HAVE_DSA_GET0_KEY */ +- +-#ifndef HAVE_DSA_SET0_KEY +-int +-DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) +-{ +- if (d->pub_key == NULL && pub_key == NULL) +- return 0; +- +- if (pub_key != NULL) { +- BN_free(d->pub_key); +- d->pub_key = pub_key; +- } +- if (priv_key != NULL) { +- BN_free(d->priv_key); +- d->priv_key = priv_key; +- } +- +- return 1; +-} +-#endif /* HAVE_DSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_KEY +-void +-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +-{ +- if (n != NULL) +- *n = r->n; +- if (e != NULL) +- *e = r->e; +- if (d != NULL) +- *d = r->d; +-} +-#endif /* HAVE_RSA_GET0_KEY */ +- +-#ifndef HAVE_RSA_SET0_KEY +-int +-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +-{ +- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) +- return 0; +- +- if (n != NULL) { +- BN_free(r->n); +- r->n = n; +- } +- if (e != NULL) { +- BN_free(r->e); +- r->e = e; +- } +- if (d != NULL) { +- BN_free(r->d); +- r->d = d; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_CRT_PARAMS +-void +-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, +- const BIGNUM **iqmp) +-{ +- if (dmp1 != NULL) +- *dmp1 = r->dmp1; +- if (dmq1 != NULL) +- *dmq1 = r->dmq1; +- if (iqmp != NULL) +- *iqmp = r->iqmp; +-} +-#endif /* HAVE_RSA_GET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_SET0_CRT_PARAMS +-int +-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) +-{ +- if ((r->dmp1 == NULL && dmp1 == NULL) || +- (r->dmq1 == NULL && dmq1 == NULL) || +- (r->iqmp == NULL && iqmp == NULL)) +- return 0; +- +- if (dmp1 != NULL) { +- BN_free(r->dmp1); +- r->dmp1 = dmp1; +- } +- if (dmq1 != NULL) { +- BN_free(r->dmq1); +- r->dmq1 = dmq1; +- } +- if (iqmp != NULL) { +- BN_free(r->iqmp); +- r->iqmp = iqmp; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_GET0_FACTORS +-void +-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) +-{ +- if (p != NULL) +- *p = r->p; +- if (q != NULL) +- *q = r->q; +-} +-#endif /* HAVE_RSA_GET0_FACTORS */ +- +-#ifndef HAVE_RSA_SET0_FACTORS +-int +-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) +-{ +- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(r->p); +- r->p = p; +- } +- if (q != NULL) { +- BN_free(r->q); +- r->q = q; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_FACTORS */ + + #ifndef HAVE_EVP_CIPHER_CTX_GET_IV + int +@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) + } + #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ + +-#ifndef HAVE_DSA_SIG_GET0 +-void +-DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +-{ +- if (pr != NULL) +- *pr = sig->r; +- if (ps != NULL) +- *ps = sig->s; +-} +-#endif /* HAVE_DSA_SIG_GET0 */ +- +-#ifndef HAVE_DSA_SIG_SET0 +-int +-DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) +-{ +- if (r == NULL || s == NULL) +- return 0; +- +- BN_clear_free(sig->r); +- sig->r = r; +- BN_clear_free(sig->s); +- sig->s = s; +- +- return 1; +-} +-#endif /* HAVE_DSA_SIG_SET0 */ +- +-#ifdef OPENSSL_HAS_ECC +-#ifndef HAVE_ECDSA_SIG_GET0 +-void +-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +-{ +- if (pr != NULL) +- *pr = sig->r; +- if (ps != NULL) +- *ps = sig->s; +-} +-#endif /* HAVE_ECDSA_SIG_GET0 */ +- +-#ifndef HAVE_ECDSA_SIG_SET0 +-int +-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) +-{ +- if (r == NULL || s == NULL) +- return 0; +- +- BN_clear_free(sig->r); +- BN_clear_free(sig->s); +- sig->r = r; +- sig->s = s; +- return 1; +-} +-#endif /* HAVE_ECDSA_SIG_SET0 */ +-#endif /* OPENSSL_HAS_ECC */ +- +-#ifndef HAVE_DH_GET0_PQG +-void +-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +-{ +- if (p != NULL) +- *p = dh->p; +- if (q != NULL) +- *q = dh->q; +- if (g != NULL) +- *g = dh->g; +-} +-#endif /* HAVE_DH_GET0_PQG */ +- +-#ifndef HAVE_DH_SET0_PQG +-int +-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +-{ +- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(dh->p); +- dh->p = p; +- } +- if (q != NULL) { +- BN_free(dh->q); +- dh->q = q; +- } +- if (g != NULL) { +- BN_free(dh->g); +- dh->g = g; +- } +- +- return 1; +-} +-#endif /* HAVE_DH_SET0_PQG */ +- +-#ifndef HAVE_DH_GET0_KEY +-void +-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) +-{ +- if (pub_key != NULL) +- *pub_key = dh->pub_key; +- if (priv_key != NULL) +- *priv_key = dh->priv_key; +-} +-#endif /* HAVE_DH_GET0_KEY */ +- +-#ifndef HAVE_DH_SET0_KEY +-int +-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) +-{ +- if (pub_key != NULL) { +- BN_free(dh->pub_key); +- dh->pub_key = pub_key; +- } +- if (priv_key != NULL) { +- BN_free(dh->priv_key); +- dh->priv_key = priv_key; +- } +- +- return 1; +-} +-#endif /* HAVE_DH_SET0_KEY */ +- +-#ifndef HAVE_DH_SET_LENGTH +-int +-DH_set_length(DH *dh, long length) +-{ +- if (length < 0 || length > INT_MAX) +- return 0; +- +- dh->length = length; +- return 1; +-} +-#endif /* HAVE_DH_SET_LENGTH */ +- +-#ifndef HAVE_RSA_METH_FREE +-void +-RSA_meth_free(RSA_METHOD *meth) +-{ +- if (meth != NULL) { +- free((char *)meth->name); +- free(meth); +- } +-} +-#endif /* HAVE_RSA_METH_FREE */ +- +-#ifndef HAVE_RSA_METH_DUP +-RSA_METHOD * +-RSA_meth_dup(const RSA_METHOD *meth) +-{ +- RSA_METHOD *copy; +- +- if ((copy = calloc(1, sizeof(*copy))) == NULL) +- return NULL; +- memcpy(copy, meth, sizeof(*copy)); +- if ((copy->name = strdup(meth->name)) == NULL) { +- free(copy); +- return NULL; +- } +- +- return copy; +-} +-#endif /* HAVE_RSA_METH_DUP */ +- +-#ifndef HAVE_RSA_METH_SET1_NAME +-int +-RSA_meth_set1_name(RSA_METHOD *meth, const char *name) +-{ +- char *copy; +- +- if ((copy = strdup(name)) == NULL) +- return 0; +- free((char *)meth->name); +- meth->name = copy; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET1_NAME */ +- +-#ifndef HAVE_RSA_METH_GET_FINISH +-int +-(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa) +-{ +- return meth->finish; +-} +-#endif /* HAVE_RSA_METH_GET_FINISH */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_ENC +-int +-RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +-{ +- meth->rsa_priv_enc = priv_enc; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_DEC +-int +-RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +-{ +- meth->rsa_priv_dec = priv_dec; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ +- +-#ifndef HAVE_RSA_METH_SET_FINISH +-int +-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) +-{ +- meth->finish = finish; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_FINISH */ +- +-#ifndef HAVE_EVP_PKEY_GET0_RSA +-RSA * +-EVP_PKEY_get0_RSA(EVP_PKEY *pkey) +-{ +- if (pkey->type != EVP_PKEY_RSA) { +- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */ +- return NULL; +- } +- return pkey->pkey.rsa; +-} +-#endif /* HAVE_EVP_PKEY_GET0_RSA */ +- +-#ifndef HAVE_EVP_MD_CTX_NEW +-EVP_MD_CTX * +-EVP_MD_CTX_new(void) +-{ +- return calloc(1, sizeof(EVP_MD_CTX)); +-} +-#endif /* HAVE_EVP_MD_CTX_NEW */ +- +-#ifndef HAVE_EVP_MD_CTX_FREE +-void +-EVP_MD_CTX_free(EVP_MD_CTX *ctx) +-{ +- if (ctx == NULL) +- return; +- +- EVP_MD_CTX_cleanup(ctx); +- +- free(ctx); +-} +-#endif /* HAVE_EVP_MD_CTX_FREE */ +- + #endif /* WITH_OPENSSL */ +diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h +index 61a69dd56eb..d0dd2c3450d 100644 +--- a/openbsd-compat/openssl-compat.h ++++ b/openbsd-compat/openssl-compat.h +@@ -33,26 +33,13 @@ + int ssh_compatible_openssl(long, long); + void ssh_libcrypto_init(void); + +-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL) +-# error OpenSSL 1.0.1 or greater is required ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) ++# error OpenSSL 1.1.0 or greater is required + #endif +- +-#ifndef OPENSSL_VERSION +-# define OPENSSL_VERSION SSLEAY_VERSION +-#endif +- +-#ifndef HAVE_OPENSSL_VERSION +-# define OpenSSL_version(x) SSLeay_version(x) +-#endif +- +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif +- +-#if OPENSSL_VERSION_NUMBER < 0x10000001L +-# define LIBCRYPTO_EVP_INL_TYPE unsigned int +-#else +-# define LIBCRYPTO_EVP_INL_TYPE size_t ++#ifdef LIBRESSL_VERSION_NUMBER ++# if LIBRESSL_VERSION_NUMBER < 0x3010000fL ++# error LibreSSL 3.1.0 or greater is required ++# endif + #endif + + #ifndef OPENSSL_RSA_MAX_MODULUS_BITS +@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void); + # endif + #endif + +-/* LibreSSL/OpenSSL 1.1x API compat */ +-#ifndef HAVE_DSA_GET0_PQG +-void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, +- const BIGNUM **g); +-#endif /* HAVE_DSA_GET0_PQG */ +- +-#ifndef HAVE_DSA_SET0_PQG +-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); +-#endif /* HAVE_DSA_SET0_PQG */ +- +-#ifndef HAVE_DSA_GET0_KEY +-void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, +- const BIGNUM **priv_key); +-#endif /* HAVE_DSA_GET0_KEY */ +- +-#ifndef HAVE_DSA_SET0_KEY +-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); +-#endif /* HAVE_DSA_SET0_KEY */ +- + #ifndef HAVE_EVP_CIPHER_CTX_GET_IV + # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV + # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv +@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, + const unsigned char *iv, size_t len); + #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ + +-#ifndef HAVE_RSA_GET0_KEY +-void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, +- const BIGNUM **d); +-#endif /* HAVE_RSA_GET0_KEY */ +- +-#ifndef HAVE_RSA_SET0_KEY +-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); +-#endif /* HAVE_RSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_CRT_PARAMS +-void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, +- const BIGNUM **iqmp); +-#endif /* HAVE_RSA_GET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_SET0_CRT_PARAMS +-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); +-#endif /* HAVE_RSA_SET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_GET0_FACTORS +-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +-#endif /* HAVE_RSA_GET0_FACTORS */ +- +-#ifndef HAVE_RSA_SET0_FACTORS +-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); +-#endif /* HAVE_RSA_SET0_FACTORS */ +- +-#ifndef DSA_SIG_GET0 +-void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +-#endif /* DSA_SIG_GET0 */ +- +-#ifndef DSA_SIG_SET0 +-int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); +-#endif /* DSA_SIG_SET0 */ +- +-#ifdef OPENSSL_HAS_ECC +-#ifndef HAVE_ECDSA_SIG_GET0 +-void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +-#endif /* HAVE_ECDSA_SIG_GET0 */ +- +-#ifndef HAVE_ECDSA_SIG_SET0 +-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); +-#endif /* HAVE_ECDSA_SIG_SET0 */ +-#endif /* OPENSSL_HAS_ECC */ +- +-#ifndef HAVE_DH_GET0_PQG +-void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, +- const BIGNUM **g); +-#endif /* HAVE_DH_GET0_PQG */ +- +-#ifndef HAVE_DH_SET0_PQG +-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +-#endif /* HAVE_DH_SET0_PQG */ +- +-#ifndef HAVE_DH_GET0_KEY +-void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); +-#endif /* HAVE_DH_GET0_KEY */ +- +-#ifndef HAVE_DH_SET0_KEY +-int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); +-#endif /* HAVE_DH_SET0_KEY */ +- +-#ifndef HAVE_DH_SET_LENGTH +-int DH_set_length(DH *dh, long length); +-#endif /* HAVE_DH_SET_LENGTH */ +- +-#ifndef HAVE_RSA_METH_FREE +-void RSA_meth_free(RSA_METHOD *meth); +-#endif /* HAVE_RSA_METH_FREE */ +- +-#ifndef HAVE_RSA_METH_DUP +-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); +-#endif /* HAVE_RSA_METH_DUP */ +- +-#ifndef HAVE_RSA_METH_SET1_NAME +-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); +-#endif /* HAVE_RSA_METH_SET1_NAME */ +- +-#ifndef HAVE_RSA_METH_GET_FINISH +-int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); +-#endif /* HAVE_RSA_METH_GET_FINISH */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_ENC +-int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_DEC +-int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ +- +-#ifndef HAVE_RSA_METH_SET_FINISH +-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); +-#endif /* HAVE_RSA_METH_SET_FINISH */ +- +-#ifndef HAVE_EVP_PKEY_GET0_RSA +-RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); +-#endif /* HAVE_EVP_PKEY_GET0_RSA */ +- +-#ifndef HAVE_EVP_MD_CTX_new +-EVP_MD_CTX *EVP_MD_CTX_new(void); +-#endif /* HAVE_EVP_MD_CTX_new */ +- +-#ifndef HAVE_EVP_MD_CTX_free +-void EVP_MD_CTX_free(EVP_MD_CTX *ctx); +-#endif /* HAVE_EVP_MD_CTX_free */ +- + #endif /* WITH_OPENSSL */ + #endif /* _OPENSSL_COMPAT_H */ diff --git a/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb index d3dedd1a5a..558e027f5d 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb @@ -24,8 +24,9 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ + file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \ " -SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" +SRC_URI[sha256sum] = "200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8" # This CVE is specific to OpenSSH with the pam opie which we don't build/use here CVE_CHECK_IGNORE += "CVE-2007-2768" diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index 0b7abc3a11..502a7aaf32 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -1,6 +1,6 @@ -From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 +From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> -Date: Tue, 14 Sep 2021 12:18:25 +0200 +Date: Tue, 30 May 2023 09:11:27 -0700 Subject: [PATCH] Configure: do not tweak mips cflags This conflicts with mips machine definitons from yocto, @@ -9,20 +9,23 @@ e.g. Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex@linutronix.de> + +Refreshed for openssl-3.1.1 +Signed-off-by: Tim Orling <tim.orling@konsulko.com> --- Configure | 10 ---------- 1 file changed, 10 deletions(-) -Index: openssl-3.0.4/Configure -=================================================================== ---- openssl-3.0.4.orig/Configure -+++ openssl-3.0.4/Configure -@@ -1423,16 +1423,6 @@ if ($target =~ /^mingw/ && `$config{CC} +diff --git a/Configure b/Configure +index 4569952..adf019b 100755 +--- a/Configure ++++ b/Configure +@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } -if ($target =~ /linux.*-mips/ && !$disabled{asm} -- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { - # minimally required architecture flags for assembly modules - my $value; - $value = '-mips2' if ($target =~ /mips32/); diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch deleted file mode 100644 index 33b0bb6c79..0000000000 --- a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch +++ /dev/null @@ -1,226 +0,0 @@ -From 2017771e2db3e2b96f89bbe8766c3209f6a99545 Mon Sep 17 00:00:00 2001 -From: Pauli <pauli@openssl.org> -Date: Wed, 8 Mar 2023 15:28:20 +1100 -Subject: [PATCH] x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz <tomas@openssl.org> -Reviewed-by: Shane Lontis <shane.lontis@oracle.com> -(Merged from https://github.com/openssl/openssl/pull/20570) - -Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545] -CVE: CVE-2023-0464 -Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> - ---- - crypto/x509/pcy_local.h | 8 +++++++- - crypto/x509/pcy_node.c | 12 +++++++++--- - crypto/x509/pcy_tree.c | 36 ++++++++++++++++++++++++++---------- - 3 files changed, 42 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h -index 18b53cc..cba107c 100644 ---- a/crypto/x509/pcy_local.h -+++ b/crypto/x509/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void ossl_policy_node_free(X509_POLICY_NODE *node); - int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c -index 9d9a7ea..450f95a 100644 ---- a/crypto/x509/pcy_node.c -+++ b/crypto/x509/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c -index fa45da5..f953a05 100644 ---- a/crypto/x509/pcy_tree.c -+++ b/crypto/x509/pcy_tree.c -@@ -14,6 +14,17 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. -+ */ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - static void expected_print(BIO *channel, - X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, - int indent) -@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. - * -@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - if ((data = ossl_policy_data_new(NULL, - OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { -+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { - ossl_policy_data_free(data); - goto bad_tree; - } -@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (ossl_policy_node_match(last, node, data->valid_policy)) { -- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. - */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { -+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { - ossl_policy_data_free(data); - return 0; - } -@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - /* Finally add link to anyPolicy */ - if (last->anyPolicy && - ossl_policy_level_add_node(curr, cache->anyPolicy, -- last->anyPolicy, NULL) == NULL) -+ last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; - node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, -- tree); -+ tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = ossl_policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) --- -2.25.1 - diff --git a/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb index b319c66044..d55695dba4 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb @@ -12,14 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://fix_random_labels.patch \ - file://CVE-2023-0464.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4" +SRC_URI[sha256sum] = "a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -119,7 +118,7 @@ do_configure () { target=linux-ppc64le ;; linux-riscv32) - target=linux-generic32 + target=linux-latomic ;; linux-riscv64) target=linux-generic64 @@ -138,7 +137,9 @@ do_configure () { fi # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. - HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)" + test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!" + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \ perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } diff --git a/poky/meta/recipes-core/busybox/busybox-inittab_1.36.0.bb b/poky/meta/recipes-core/busybox/busybox-inittab_1.36.1.bb index 868d7a230f..868d7a230f 100644 --- a/poky/meta/recipes-core/busybox/busybox-inittab_1.36.0.bb +++ b/poky/meta/recipes-core/busybox/busybox-inittab_1.36.1.bb diff --git a/poky/meta/recipes-core/busybox/busybox_1.36.0.bb b/poky/meta/recipes-core/busybox/busybox_1.36.1.bb index 8014a5c7bf..968dce65e4 100644 --- a/poky/meta/recipes-core/busybox/busybox_1.36.0.bb +++ b/poky/meta/recipes-core/busybox/busybox_1.36.1.bb @@ -53,4 +53,4 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html SRC_URI:append:x86 = " file://sha_accel.cfg" -SRC_URI[tarball.sha256sum] = "542750c8af7cb2630e201780b4f99f3dcceeb06f505b479ec68241c1e6af61a5" +SRC_URI[tarball.sha256sum] = "b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314" diff --git a/poky/meta/recipes-core/dbus/dbus_1.14.6.bb b/poky/meta/recipes-core/dbus/dbus_1.14.8.bb index da25155773..b6c245d40b 100644 --- a/poky/meta/recipes-core/dbus/dbus_1.14.6.bb +++ b/poky/meta/recipes-core/dbus/dbus_1.14.8.bb @@ -16,7 +16,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ file://dbus-1.init \ " -SRC_URI[sha256sum] = "fd2bdf1bb89dc365a46531bff631536f22b0d1c6d5ce2c5c5e59b55265b3d66b" +SRC_URI[sha256sum] = "a6bd5bac5cf19f0c3c594bdae2565a095696980a683a0ef37cb6212e093bde35" EXTRA_OECONF = "--disable-xml-docs \ --disable-doxygen-docs \ diff --git a/poky/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/poky/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch new file mode 100644 index 0000000000..932503e507 --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch @@ -0,0 +1,144 @@ +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden <czurnieden@gmx.de> +Date: Fri, 8 Sep 2023 05:01:00 +0000 +Subject: [PATCH] Fix possible integer overflow + +CVE: CVE-2023-36328 + +Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + libtommath/bn_mp_2expt.c | 4 ++++ + libtommath/bn_mp_grow.c | 4 ++++ + libtommath/bn_mp_init_size.c | 5 +++++ + libtommath/bn_mp_mul_2d.c | 4 ++++ + libtommath/bn_s_mp_mul_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++ + 8 files changed, 33 insertions(+) + +diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c +index 0ae3df1..ca6fbc3 100644 +--- a/libtommath/bn_mp_2expt.c ++++ b/libtommath/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* zero a as per default */ + mp_zero(a); + +diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c +index 9e904c5..b9321f7 100644 +--- a/libtommath/bn_mp_grow.c ++++ b/libtommath/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) + int i; + mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + /* if the alloc size is smaller alloc more ram */ + if (a->alloc < size) { + /* reallocate the array a->dp +diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c +index d622687..5fefa96 100644 +--- a/libtommath/bn_mp_init_size.c ++++ b/libtommath/bn_mp_init_size.c +@@ -6,6 +6,11 @@ + /* init an mp_init for a given size */ + mp_err mp_init_size(mp_int *a, int size) + { ++ ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + size = MP_MAX(MP_MIN_PREC, size); + + /* alloc mem */ +diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c +index 87354de..2744163 100644 +--- a/libtommath/bn_mp_mul_2d.c ++++ b/libtommath/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) + mp_digit d; + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* copy */ + if (a != c) { + if ((err = mp_copy(a, c)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c +index 64509d4..2d2f5b0 100644 +--- a/libtommath/bn_s_mp_mul_digs.c ++++ b/libtommath/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if ((digs < MP_WARRAY) && + (MP_MIN(a->used, b->used) < MP_MAXFAST)) { +diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c +index b2a287b..d6dd3cc 100644 +--- a/libtommath/bn_s_mp_mul_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_digs_fast.c +@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + if (c->alloc < digs) { + if ((err = mp_grow(c, digs)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c +index 2bb2a50..860ebcb 100644 +--- a/libtommath/bn_s_mp_mul_high_digs.c ++++ b/libtommath/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) + && ((a->used + b->used + 1) < MP_WARRAY) +diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c +index a2c4fb6..afe3e4b 100644 +--- a/libtommath/bn_s_mp_mul_high_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_high_digs_fast.c +@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + pa = a->used + b->used; + if (c->alloc < pa) { +-- +2.35.5 diff --git a/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb b/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb index 0c7a8f4caa..12ac732f58 100644 --- a/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb +++ b/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb @@ -21,6 +21,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear.default \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ + file://CVE-2023-36328.patch \ " SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b" diff --git a/poky/meta/recipes-core/ell/ell_0.56.bb b/poky/meta/recipes-core/ell/ell_0.57.bb index 0ace622835..09a0831fbe 100644 --- a/poky/meta/recipes-core/ell/ell_0.56.bb +++ b/poky/meta/recipes-core/ell/ell_0.57.bb @@ -15,7 +15,7 @@ DEPENDS = "dbus" inherit autotools pkgconfig SRC_URI = "https://mirrors.edge.kernel.org/pub/linux/libs/${BPN}/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "58eb8b2b64087f7479d5db6a830a0656c536d93e5f11d4c9a4443ce8760a1b63" +SRC_URI[sha256sum] = "7603928ee584b758ca27c67e4dc513049a09b038d7d28459a9440f8443c91018" do_configure:prepend () { mkdir -p ${S}/build-aux diff --git a/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch b/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch index ac6592ffef..ee5b6a7beb 100644 --- a/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch +++ b/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch @@ -21,7 +21,7 @@ Index: glib-networking-2.74.0/tls/tests/connection.c MIN (TEST_DATA_LENGTH / 2, TEST_DATA_LENGTH - test->nread), NULL, &error); + -+ if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_BUSY)) ++ if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK)) + continue; + g_assert_no_error (error); diff --git a/poky/meta/recipes-core/glibc/glibc-locale.inc b/poky/meta/recipes-core/glibc/glibc-locale.inc index 760de9437b..289f58d4df 100644 --- a/poky/meta/recipes-core/glibc/glibc-locale.inc +++ b/poky/meta/recipes-core/glibc/glibc-locale.inc @@ -37,22 +37,22 @@ PACKAGES_DYNAMIC = "^locale-base-.* \ # Create a glibc-binaries package ALLOW_EMPTY:${BPN}-binaries = "1" PACKAGES += "${BPN}-binaries" -RRECOMMENDS:${BPN}-binaries = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-binary") != -1])}" +RRECOMMENDS:${BPN}-binaries = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-binary-") != -1])}" # Create a glibc-charmaps package ALLOW_EMPTY:${BPN}-charmaps = "1" PACKAGES += "${BPN}-charmaps" -RRECOMMENDS:${BPN}-charmaps = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-charmap") != -1])}" +RRECOMMENDS:${BPN}-charmaps = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-charmap-") != -1])}" # Create a glibc-gconvs package ALLOW_EMPTY:${BPN}-gconvs = "1" PACKAGES += "${BPN}-gconvs" -RRECOMMENDS:${BPN}-gconvs = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-gconv") != -1])}" +RRECOMMENDS:${BPN}-gconvs = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-gconv-") != -1])}" # Create a glibc-localedatas package ALLOW_EMPTY:${BPN}-localedatas = "1" PACKAGES += "${BPN}-localedatas" -RRECOMMENDS:${BPN}-localedatas = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-localedata") != -1])}" +RRECOMMENDS:${BPN}-localedatas = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-localedata-") != -1])}" DESCRIPTION:localedef = "glibc: compile locale definition files" diff --git a/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb b/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb index e8ad2a938b..2e076f4b0f 100644 --- a/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb +++ b/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb @@ -16,6 +16,7 @@ TOOLCHAIN_TEST_HOST_USER ??= "root" TOOLCHAIN_TEST_HOST_PORT ??= "2222" do_check[nostamp] = "1" +do_check[network] = "1" do_check:append () { chmod 0755 ${WORKDIR}/check-test-wrapper diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc index 37bb9fd34f..ff2b2ade9d 100644 --- a/poky/meta/recipes-core/glibc/glibc-version.inc +++ b/poky/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.37/master" PV = "2.37" -SRCREV_glibc ?= "d8e1a7590d375159fb5aac07ad8111ab4699e994" +SRCREV_glibc ?= "58f7431fd77c0a6dd8df08d50c51ee3e7f09825f" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https" diff --git a/poky/meta/recipes-core/glibc/glibc/0023-CVE-2023-4527.patch b/poky/meta/recipes-core/glibc/glibc/0023-CVE-2023-4527.patch new file mode 100644 index 0000000000..211249211a --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0023-CVE-2023-4527.patch @@ -0,0 +1,219 @@ +From 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Wed, 13 Sep 2023 14:10:56 +0200 +Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses + in no-aaaa mode + +Without passing alt_dns_packet_buffer, __res_context_search can only +store 2048 bytes (what fits into dns_packet_buffer). However, +the function returns the total packet size, and the subsequent +DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end +of the stack-allocated buffer. + +Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa +stub resolver option") and bug 30842. + +(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f] +CVE: CVE-2023-4527 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + NEWS | 7 ++ + resolv/Makefile | 2 + + resolv/nss_dns/dns-host.c | 2 +- + resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ + 4 files changed, 139 insertions(+), 1 deletion(-) + create mode 100644 resolv/tst-resolv-noaaaa-vc.c + +diff --git a/NEWS b/NEWS +--- a/NEWS ++++ b/NEWS +@@ -25,6 +25,7 @@ + [30101] gmon: fix memory corruption issues + [30125] dynamic-link: [regression, bisected] glibc-2.37 creates new + symlink for libraries without soname ++ [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) + [30151] gshadow: Matching sgetsgent, sgetsgent_r ERANGE handling + [30163] posix: Fix system blocks SIGCHLD erroneously + [30305] x86_64: Fix asm constraints in feraiseexcept +@@ -54,6 +55,12 @@ + heap and prints it to the target log file, potentially revealing a + portion of the contents of the heap. + ++ CVE-2023-4527: If the system is configured in no-aaaa mode via ++ /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address ++ family, and a DNS response is received over TCP that is larger than ++ 2048 bytes, getaddrinfo may potentially disclose stack contents via ++ the returned address data, or crash. ++ + The following bugs are resolved with this release: + + [12154] network: Cannot resolve hosts which have wildcard aliases +diff --git a/resolv/Makefile b/resolv/Makefile +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -101,6 +101,7 @@ + tst-resolv-invalid-cname \ + tst-resolv-network \ + tst-resolv-noaaaa \ ++ tst-resolv-noaaaa-vc \ + tst-resolv-nondecimal \ + tst-resolv-res_init-multi \ + tst-resolv-search \ +@@ -292,6 +293,7 @@ + $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -427,7 +427,7 @@ + { + n = __res_context_search (ctx, name, C_IN, T_A, + dns_packet_buffer, sizeof (dns_packet_buffer), +- NULL, NULL, NULL, NULL, NULL); ++ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); + if (n >= 0) + status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, + &abuf, pat, errnop, herrnop, ttlp); +diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c +new file mode 100644 +--- /dev/null ++++ b/resolv/tst-resolv-noaaaa-vc.c +@@ -0,0 +1,129 @@ ++/* Test the RES_NOAAAA resolver option with a large response. ++ Copyright (C) 2022-2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <netdb.h> ++#include <resolv.h> ++#include <stdbool.h> ++#include <stdlib.h> ++#include <support/check.h> ++#include <support/check_nss.h> ++#include <support/resolv_test.h> ++#include <support/support.h> ++#include <support/xmemstream.h> ++ ++/* Used to keep track of the number of queries. */ ++static volatile unsigned int queries; ++ ++/* If true, add a large TXT record at the start of the answer section. */ ++static volatile bool stuff_txt; ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ /* If not using TCP, just force its use. */ ++ if (!ctx->tcp) ++ { ++ struct resolv_response_flags flags = {.tc = true}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ return; ++ } ++ ++ /* The test needs to send four queries, the first three are used to ++ grow the NSS buffer via the ERANGE handshake. */ ++ ++queries; ++ TEST_VERIFY (queries <= 4); ++ ++ /* AAAA queries are supposed to be disabled. */ ++ TEST_COMPARE (qtype, T_A); ++ TEST_COMPARE (qclass, C_IN); ++ TEST_COMPARE_STRING (qname, "example.com"); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ ++ resolv_response_section (b, ns_s_an); ++ ++ if (stuff_txt) ++ { ++ resolv_response_open_record (b, qname, qclass, T_TXT, 60); ++ int zero = 0; ++ for (int i = 0; i <= 15000; ++i) ++ resolv_response_add_data (b, &zero, sizeof (zero)); ++ resolv_response_close_record (b); ++ } ++ ++ for (int i = 0; i < 200; ++i) ++ { ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ char ipv4[4] = {192, 0, 2, i + 1}; ++ resolv_response_add_data (b, &ipv4, sizeof (ipv4)); ++ resolv_response_close_record (b); ++ } ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ _res.options |= RES_NOAAAA; ++ ++ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) ++ { ++ queries = 0; ++ stuff_txt = do_stuff_txt; ++ ++ struct addrinfo *ai = NULL; ++ int ret; ++ ret = getaddrinfo ("example.com", "80", ++ &(struct addrinfo) ++ { ++ .ai_family = AF_UNSPEC, ++ .ai_socktype = SOCK_STREAM, ++ }, &ai); ++ ++ char *expected_result; ++ { ++ struct xmemstream mem; ++ xopen_memstream (&mem); ++ for (int i = 0; i < 200; ++i) ++ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); ++ xfclose_memstream (&mem); ++ expected_result = mem.buffer; ++ } ++ ++ check_addrinfo ("example.com", ai, ret, expected_result); ++ ++ free (expected_result); ++ freeaddrinfo (ai); ++ } ++ ++ resolv_test_end (obj); ++ return 0; ++} ++ ++#include <support/test-driver.c> diff --git a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper index 6ec9b9b29e..5cc993f718 100644 --- a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper +++ b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper @@ -58,7 +58,7 @@ elif targettype == "ssh": user = os.environ.get("SSH_HOST_USER", None) port = os.environ.get("SSH_HOST_PORT", None) - command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"] + command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"] if port: command += ["-p", str(port)] if not host: diff --git a/poky/meta/recipes-core/glibc/glibc_2.37.bb b/poky/meta/recipes-core/glibc/glibc_2.37.bb index b27f98fb19..caf454f368 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.37.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.37.bb @@ -49,6 +49,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0020-tzselect.ksh-Use-bin-sh-default-shell-interpreter.patch \ file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ + file://0023-CVE-2023-4527.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" @@ -103,10 +104,12 @@ do_configure () { # version check and doesn't really help with anything (cd ${S} && gnu-configize) || die "failure in running gnu-configize" find ${S} -name "configure" | xargs touch - CPPFLAGS="" oe_runconf + CPPFLAGS="" LD="${HOST_PREFIX}ld.bfd ${TOOLCHAIN_OPTIONS}" oe_runconf } LDFLAGS += "-fuse-ld=bfd" +CC += "-fuse-ld=bfd" + do_compile () { base_do_compile echo "Adjust ldd script" diff --git a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb index 5dbd6193b8..16425ea9e4 100644 --- a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb +++ b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb @@ -42,6 +42,11 @@ do_install () { install -m 0644 ifup.8 ${D}${mandir}/man8 install -m 0644 interfaces.5 ${D}${mandir}/man5 cd ${D}${mandir}/man8 && ln -s ifup.8 ifdown.8 + + install -d ${D}${sysconfdir}/network/if-pre-up.d + install -d ${D}${sysconfdir}/network/if-up.d + install -d ${D}${sysconfdir}/network/if-down.d + install -d ${D}${sysconfdir}/network/if-post-down.d } do_install_ptest () { diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 7ac9fddf2d..a70d2d16bb 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check REQUIRED_DISTRO_FEATURES += "xattr" -SRCREV ?= "ad1f61d8667b7f3663883112e0cd36112659b603" +SRCREV ?= "500101cc152bdba0c69936be8d71682a731cf21d" SRC_URI = "git://git.yoctoproject.org/poky;branch=mickledore \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/images/core-image-ptest.bb b/poky/meta/recipes-core/images/core-image-ptest.bb index 90c26641ba..ddc56c8f9f 100644 --- a/poky/meta/recipes-core/images/core-image-ptest.bb +++ b/poky/meta/recipes-core/images/core-image-ptest.bb @@ -19,6 +19,7 @@ BBCLASSEXTEND = "${@' '.join(['mcextend:'+x for x in d.getVar('PTESTS').split()] # strace-ptest in particular needs more than 500MB IMAGE_OVERHEAD_FACTOR = "1.0" IMAGE_ROOTFS_EXTRA_SPACE = "324288" +IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-mdadm = "1524288" IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-strace = "1024288" IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-lttng-tools = "1524288" diff --git a/poky/meta/recipes-core/libxcrypt/libxcrypt.inc b/poky/meta/recipes-core/libxcrypt/libxcrypt.inc index 61b0381076..454a55d73d 100644 --- a/poky/meta/recipes-core/libxcrypt/libxcrypt.inc +++ b/poky/meta/recipes-core/libxcrypt/libxcrypt.inc @@ -17,12 +17,6 @@ SRC_URI += "file://fix_cflags_handling.patch" PROVIDES = "virtual/crypt" -FILES:${PN} = "${libdir}/libcrypt*.so.* \ - ${libdir}/libcrypt-*.so \ - ${libdir}/libowcrypt*.so.* \ - ${libdir}/libowcrypt-*.so \ -" - S = "${WORKDIR}/git" BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE}" diff --git a/poky/meta/recipes-core/libxml/libxml2_2.10.3.bb b/poky/meta/recipes-core/libxml/libxml2_2.10.4.bb index 0ccd48964f..4f3b17093e 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.10.3.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.10.4.bb @@ -21,7 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://libxml-m4-use-pkgconfig.patch \ " -SRC_URI[archive.sha256sum] = "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c" +SRC_URI[archive.sha256sum] = "ed0c91c5845008f1936739e4eee2035531c1c94742c6541f44ee66d885948d45" SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273" BINCONFIG = "${bindir}/xml2-config" @@ -40,6 +40,8 @@ inherit autotools pkgconfig binconfig-disabled ptest inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3targetconfig', '', d)} +LDFLAGS:append:riscv64 = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-lld ptest', ' -fuse-ld=bfd', '', d)}" + RDEPENDS:${PN}-ptest += "bash make locale-base-en-us ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}" RDEPENDS:${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}" diff --git a/poky/meta/recipes-core/meta/build-sysroots.bb b/poky/meta/recipes-core/meta/build-sysroots.bb index ad22a75eb2..1a3b692a1b 100644 --- a/poky/meta/recipes-core/meta/build-sysroots.bb +++ b/poky/meta/recipes-core/meta/build-sysroots.bb @@ -1,5 +1,6 @@ -INHIBIT_DEFAULT_DEPS = "1" LICENSE = "MIT" +SUMMARY = "Build old style sysroot based on everything in the components directory that matches the current MACHINE" +INHIBIT_DEFAULT_DEPS = "1" STANDALONE_SYSROOT = "${STAGING_DIR}/${MACHINE}" STANDALONE_SYSROOT_NATIVE = "${STAGING_DIR}/${BUILD_ARCH}" @@ -16,6 +17,10 @@ deltask configure deltask compile deltask install deltask populate_sysroot +deltask create_spdx +deltask collect_spdx_deps +deltask create_runtime_spdx +deltask recipe_qa python do_build_native_sysroot () { targetsysroot = d.getVar("STANDALONE_SYSROOT") diff --git a/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb b/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2b585983ac..2f7dad7e82 100644 --- a/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -17,6 +17,10 @@ deltask do_populate_sysroot NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0" +# If you have a NVD API key (https://nvd.nist.gov/developers/request-an-api-key) +# then setting this to get higher rate limits. +NVDCVE_API_KEY ?= "" + # CVE database update interval, in seconds. By default: once a day (24*60*60). # Use 0 to force the update # Use a negative value to skip the update @@ -119,18 +123,16 @@ def nvd_request_next(url, api_key, args): import urllib.parse import gzip import http + import time - headers = {} + request = urllib.request.Request(url + "?" + urllib.parse.urlencode(args)) if api_key: - headers['apiKey'] = api_key - - data = urllib.parse.urlencode(args) - - full_request = url + '?' + data + request.add_header("apiKey", api_key) + bb.note("Requesting %s" % request.full_url) - for attempt in range(3): + for attempt in range(5): try: - r = urllib.request.urlopen(full_request) + r = urllib.request.urlopen(request) if (r.headers['content-encoding'] == 'gzip'): buf = r.read() @@ -140,13 +142,9 @@ def nvd_request_next(url, api_key, args): r.close() - except UnicodeDecodeError: - # Received garbage, retry - bb.debug(2, "CVE database: received malformed data, retrying (request: %s)" %(full_request)) - pass - except http.client.IncompleteRead: - # Read incomplete, let's try again - bb.debug(2, "CVE database: received incomplete data, retrying (request: %s)" %(full_request)) + except Exception as e: + bb.note("CVE database: received error (%s), retrying" % (e)) + time.sleep(6) pass else: return raw_data @@ -172,11 +170,11 @@ def update_db_file(db_tmp_file, d, database_time): # The maximum range for time is 120 days # Force a complete update if our range is longer if (database_time != 0): - database_date = datetime.datetime.combine(datetime.date.fromtimestamp(database_time), datetime.time()) - today_date = datetime.datetime.combine(datetime.date.today(), datetime.time()) + database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc) + today_date = datetime.datetime.now(tz=datetime.timezone.utc) delta = today_date - database_date if delta.days < 120: - bb.debug(2, "CVE database: performing partial update") + bb.note("CVE database: performing partial update") req_args['lastModStartDate'] = database_date.isoformat() req_args['lastModEndDate'] = today_date.isoformat() else: @@ -184,12 +182,14 @@ def update_db_file(db_tmp_file, d, database_time): with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: - bb.debug(2, "Updating entries") + bb.note("Updating entries") index = 0 url = d.getVar("NVDCVE_URL") + api_key = d.getVar("NVDCVE_API_KEY") or None + while True: req_args['startIndex'] = index - raw_data = nvd_request_next(url, None, req_args) + raw_data = nvd_request_next(url, api_key, req_args) if raw_data is None: # We haven't managed to download data return False @@ -199,7 +199,7 @@ def update_db_file(db_tmp_file, d, database_time): index = data["startIndex"] total = data["totalResults"] per_page = data["resultsPerPage"] - + bb.note("Got %d entries" % per_page) for cve in data["vulnerabilities"]: update_db(conn, cve) @@ -312,22 +312,30 @@ def update_db(conn, elt): cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] except KeyError: cvssv2 = 0.0 + cvssv3 = None try: - accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector'] - cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] + accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] + cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] except KeyError: - accessVector = accessVector or "UNKNOWN" - cvssv3 = 0.0 + pass + try: + accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] + cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] + except KeyError: + pass + accessVector = accessVector or "UNKNOWN" + cvssv3 = cvssv3 or 0.0 conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() try: - configurations = elt['cve']['configurations'][0]['nodes'] - for config in configurations: - parse_node_and_insert(conn, config, cveId) + for config in elt['cve']['configurations']: + # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing + for node in config["nodes"]: + parse_node_and_insert(conn, node, cveId) except KeyError: - bb.debug(2, "Entry without a configuration") + bb.note("CVE %s has no configurations" % cveId) do_fetch[nostamp] = "1" diff --git a/poky/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch b/poky/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch new file mode 100644 index 0000000000..1232c8c2a8 --- /dev/null +++ b/poky/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch @@ -0,0 +1,462 @@ +From 3d54a41f12e9aa059f06e66e72d872f2283395b6 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Sun, 30 Jul 2023 21:14:00 -0700 +Subject: [PATCH] Fix CVE-2023-29491 + +CVE: CVE-2023-29491 + +Upstream-Status: Backport [http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + ncurses/tinfo/lib_tgoto.c | 10 +++- + ncurses/tinfo/lib_tparm.c | 116 ++++++++++++++++++++++++++++++++----- + ncurses/tinfo/read_entry.c | 3 + + progs/tic.c | 6 ++ + progs/tparm_type.c | 9 +++ + progs/tparm_type.h | 2 + + progs/tput.c | 61 ++++++++++++++++--- + 7 files changed, 185 insertions(+), 22 deletions(-) + +diff --git a/ncurses/tinfo/lib_tgoto.c b/ncurses/tinfo/lib_tgoto.c +index 9cf5e100..c50ed4df 100644 +--- a/ncurses/tinfo/lib_tgoto.c ++++ b/ncurses/tinfo/lib_tgoto.c +@@ -207,6 +207,14 @@ tgoto(const char *string, int x, int y) + result = tgoto_internal(string, x, y); + else + #endif +- result = TIPARM_2(string, y, x); ++ if ((result = TIPARM_2(string, y, x)) == NULL) { ++ /* ++ * Because termcap did not provide a more general solution such as ++ * tparm(), it was necessary to handle single-parameter capabilities ++ * using tgoto(). The internal _nc_tiparm() function returns a NULL ++ * for that case; retry for the single-parameter case. ++ */ ++ result = TIPARM_1(string, y); ++ } + returnPtr(result); + } +diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c +index d9bdfd8f..a10a3877 100644 +--- a/ncurses/tinfo/lib_tparm.c ++++ b/ncurses/tinfo/lib_tparm.c +@@ -1086,6 +1086,64 @@ tparam_internal(TPARM_STATE *tps, const char *string, TPARM_DATA *data) + return (TPS(out_buff)); + } + ++#ifdef CUR ++/* ++ * Only a few standard capabilities accept string parameters. The others that ++ * are parameterized accept only numeric parameters. ++ */ ++static bool ++check_string_caps(TPARM_DATA *data, const char *string) ++{ ++ bool result = FALSE; ++ ++#define CHECK_CAP(name) (VALID_STRING(name) && !strcmp(name, string)) ++ ++ /* ++ * Disallow string parameters unless we can check them against a terminal ++ * description. ++ */ ++ if (cur_term != NULL) { ++ int want_type = 0; ++ ++ if (CHECK_CAP(pkey_key)) ++ want_type = 2; /* function key #1, type string #2 */ ++ else if (CHECK_CAP(pkey_local)) ++ want_type = 2; /* function key #1, execute string #2 */ ++ else if (CHECK_CAP(pkey_xmit)) ++ want_type = 2; /* function key #1, transmit string #2 */ ++ else if (CHECK_CAP(plab_norm)) ++ want_type = 2; /* label #1, show string #2 */ ++ else if (CHECK_CAP(pkey_plab)) ++ want_type = 6; /* function key #1, type string #2, show string #3 */ ++#if NCURSES_XNAMES ++ else { ++ char *check; ++ ++ check = tigetstr("Cs"); ++ if (CHECK_CAP(check)) ++ want_type = 1; /* style #1 */ ++ ++ check = tigetstr("Ms"); ++ if (CHECK_CAP(check)) ++ want_type = 3; /* storage unit #1, content #2 */ ++ } ++#endif ++ ++ if (want_type == data->tparm_type) { ++ result = TRUE; ++ } else { ++ T(("unexpected string-parameter")); ++ } ++ } ++ return result; ++} ++ ++#define ValidCap() (myData.tparm_type == 0 || \ ++ check_string_caps(&myData, string)) ++#else ++#define ValidCap() 1 ++#endif ++ + #if NCURSES_TPARM_VARARGS + + NCURSES_EXPORT(char *) +@@ -1100,7 +1158,7 @@ tparm(const char *string, ...) + tps->tname = "tparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + va_list ap; + + va_start(ap, string); +@@ -1135,7 +1193,7 @@ tparm(const char *string, + tps->tname = "tparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + + myData.param[0] = a1; + myData.param[1] = a2; +@@ -1166,7 +1224,7 @@ tiparm(const char *string, ...) + tps->tname = "tiparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + va_list ap; + + va_start(ap, string); +@@ -1179,7 +1237,25 @@ tiparm(const char *string, ...) + } + + /* +- * The internal-use flavor ensures that the parameters are numbers, not strings ++ * The internal-use flavor ensures that parameters are numbers, not strings. ++ * In addition to ensuring that they are numbers, it ensures that the parameter ++ * count is consistent with intended usage. ++ * ++ * Unlike the general-purpose tparm/tiparm, these internal calls are fairly ++ * well defined: ++ * ++ * expected == 0 - not applicable ++ * expected == 1 - set color, or vertical/horizontal addressing ++ * expected == 2 - cursor addressing ++ * expected == 4 - initialize color or color pair ++ * expected == 9 - set attributes ++ * ++ * Only for the last case (set attributes) should a parameter be optional. ++ * Also, a capability which calls for more parameters than expected should be ++ * ignored. ++ * ++ * Return a null if the parameter-checks fail. Otherwise, return a pointer to ++ * the formatted capability string. + */ + NCURSES_EXPORT(char *) + _nc_tiparm(int expected, const char *string, ...) +@@ -1189,22 +1265,36 @@ _nc_tiparm(int expected, const char *string, ...) + char *result = NULL; + + _nc_tparm_err = 0; ++ T((T_CALLED("_nc_tiparm(%d, %s, ...)"), expected, _nc_visbuf(string))); + #ifdef TRACE + tps->tname = "_nc_tiparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK +- && myData.num_actual <= expected +- && myData.tparm_type == 0) { +- va_list ap; ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { ++ if (myData.num_actual == 0) { ++ T(("missing parameter%s, expected %s%d", ++ expected > 1 ? "s" : "", ++ expected == 9 ? "up to " : "", ++ expected)); ++ } else if (myData.num_actual > expected) { ++ T(("too many parameters, have %d, expected %d", ++ myData.num_actual, ++ expected)); ++ } else if (expected != 9 && myData.num_actual != expected) { ++ T(("expected %d parameters, have %d", ++ myData.num_actual, ++ expected)); ++ } else { ++ va_list ap; + +- va_start(ap, string); +- tparm_copy_valist(&myData, FALSE, ap); +- va_end(ap); ++ va_start(ap, string); ++ tparm_copy_valist(&myData, FALSE, ap); ++ va_end(ap); + +- result = tparam_internal(tps, string, &myData); ++ result = tparam_internal(tps, string, &myData); ++ } + } +- return result; ++ returnPtr(result); + } + + /* +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 2b1875ed..341337d2 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -323,6 +323,9 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit) + || bool_count < 0 + || num_count < 0 + || str_count < 0 ++ || bool_count > BOOLCOUNT ++ || num_count > NUMCOUNT ++ || str_count > STRCOUNT + || str_size < 0) { + returnDB(TGETENT_NO); + } +diff --git a/progs/tic.c b/progs/tic.c +index 93a0b491..888927e2 100644 +--- a/progs/tic.c ++++ b/progs/tic.c +@@ -2270,9 +2270,15 @@ check_1_infotocap(const char *name, NCURSES_CONST char *value, int count) + + _nc_reset_tparm(NULL); + switch (actual) { ++ case Str: ++ result = TPARM_1(value, strings[1]); ++ break; + case Num_Str: + result = TPARM_2(value, numbers[1], strings[2]); + break; ++ case Str_Str: ++ result = TPARM_2(value, strings[1], strings[2]); ++ break; + case Num_Str_Str: + result = TPARM_3(value, numbers[1], strings[2], strings[3]); + break; +diff --git a/progs/tparm_type.c b/progs/tparm_type.c +index 3da4a077..644aa62a 100644 +--- a/progs/tparm_type.c ++++ b/progs/tparm_type.c +@@ -47,6 +47,7 @@ tparm_type(const char *name) + {code, {longname} }, \ + {code, {ti} }, \ + {code, {tc} } ++#define XD(code, onlyname) TD(code, onlyname, onlyname, onlyname) + TParams result = Numbers; + /* *INDENT-OFF* */ + static const struct { +@@ -58,6 +59,10 @@ tparm_type(const char *name) + TD(Num_Str, "pkey_xmit", "pfx", "px"), + TD(Num_Str, "plab_norm", "pln", "pn"), + TD(Num_Str_Str, "pkey_plab", "pfxl", "xl"), ++#if NCURSES_XNAMES ++ XD(Str, "Cs"), ++ XD(Str_Str, "Ms"), ++#endif + }; + /* *INDENT-ON* */ + +@@ -80,12 +85,16 @@ guess_tparm_type(int nparam, char **p_is_s) + case 1: + if (!p_is_s[0]) + result = Numbers; ++ if (p_is_s[0]) ++ result = Str; + break; + case 2: + if (!p_is_s[0] && !p_is_s[1]) + result = Numbers; + if (!p_is_s[0] && p_is_s[1]) + result = Num_Str; ++ if (p_is_s[0] && p_is_s[1]) ++ result = Str_Str; + break; + case 3: + if (!p_is_s[0] && !p_is_s[1] && !p_is_s[2]) +diff --git a/progs/tparm_type.h b/progs/tparm_type.h +index 7c102a30..af5bcf0f 100644 +--- a/progs/tparm_type.h ++++ b/progs/tparm_type.h +@@ -45,8 +45,10 @@ + typedef enum { + Other = -1 + ,Numbers = 0 ++ ,Str + ,Num_Str + ,Num_Str_Str ++ ,Str_Str + } TParams; + + extern TParams tparm_type(const char *name); +diff --git a/progs/tput.c b/progs/tput.c +index 4cd0c5ba..41508b72 100644 +--- a/progs/tput.c ++++ b/progs/tput.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2021,2022 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -47,12 +47,15 @@ + #include <transform.h> + #include <tty_settings.h> + +-MODULE_ID("$Id: tput.c,v 1.99 2022/02/26 23:19:31 tom Exp $") ++MODULE_ID("$Id: tput.c,v 1.102 2023/04/08 16:26:36 tom Exp $") + + #define PUTS(s) fputs(s, stdout) + + const char *_nc_progname = "tput"; + ++static bool opt_v = FALSE; /* quiet, do not show warnings */ ++static bool opt_x = FALSE; /* clear scrollback if possible */ ++ + static bool is_init = FALSE; + static bool is_reset = FALSE; + static bool is_clear = FALSE; +@@ -81,6 +84,7 @@ usage(const char *optstring) + KEEP(" -S << read commands from standard input") + KEEP(" -T TERM use this instead of $TERM") + KEEP(" -V print curses-version") ++ KEEP(" -v verbose, show warnings") + KEEP(" -x do not try to clear scrollback") + KEEP("") + KEEP("Commands:") +@@ -148,7 +152,7 @@ exit_code(int token, int value) + * Returns nonzero on error. + */ + static int +-tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) ++tput_cmd(int fd, TTY * settings, int argc, char **argv, int *used) + { + NCURSES_CONST char *name; + char *s; +@@ -231,7 +235,9 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + } else if (VALID_STRING(s)) { + if (argc > 1) { + int k; ++ int narg; + int analyzed; ++ int provided; + int popcount; + long numbers[1 + NUM_PARM]; + char *strings[1 + NUM_PARM]; +@@ -271,14 +277,45 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + + popcount = 0; + _nc_reset_tparm(NULL); ++ /* ++ * Count the number of numeric parameters which are provided. ++ */ ++ provided = 0; ++ for (narg = 1; narg < argc; ++narg) { ++ char *ending = NULL; ++ long check = strtol(argv[narg], &ending, 10); ++ if (check < 0 || ending == argv[narg] || *ending != '\0') ++ break; ++ provided = narg; ++ } + switch (paramType) { ++ case Str: ++ s = TPARM_1(s, strings[1]); ++ analyzed = 1; ++ if (provided == 0 && argc >= 1) ++ provided++; ++ break; ++ case Str_Str: ++ s = TPARM_2(s, strings[1], strings[2]); ++ analyzed = 2; ++ if (provided == 0 && argc >= 1) ++ provided++; ++ if (provided == 1 && argc >= 2) ++ provided++; ++ break; + case Num_Str: + s = TPARM_2(s, numbers[1], strings[2]); + analyzed = 2; ++ if (provided == 1 && argc >= 2) ++ provided++; + break; + case Num_Str_Str: + s = TPARM_3(s, numbers[1], strings[2], strings[3]); + analyzed = 3; ++ if (provided == 1 && argc >= 2) ++ provided++; ++ if (provided == 2 && argc >= 3) ++ provided++; + break; + case Numbers: + analyzed = _nc_tparm_analyze(NULL, s, p_is_s, &popcount); +@@ -316,7 +353,13 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + if (analyzed < popcount) { + analyzed = popcount; + } +- *used += analyzed; ++ if (opt_v && (analyzed != provided)) { ++ fprintf(stderr, "%s: %s parameters for \"%s\"\n", ++ _nc_progname, ++ (analyzed < provided ? "extra" : "missing"), ++ argv[0]); ++ } ++ *used += provided; + } + + /* use putp() in order to perform padding */ +@@ -339,7 +382,6 @@ main(int argc, char **argv) + int used; + TTY old_settings; + TTY tty_settings; +- bool opt_x = FALSE; /* clear scrollback if possible */ + bool is_alias; + bool need_tty; + +@@ -348,7 +390,7 @@ main(int argc, char **argv) + + term = getenv("TERM"); + +- while ((c = getopt(argc, argv, is_alias ? "T:Vx" : "ST:Vx")) != -1) { ++ while ((c = getopt(argc, argv, is_alias ? "T:Vvx" : "ST:Vvx")) != -1) { + switch (c) { + case 'S': + cmdline = FALSE; +@@ -361,6 +403,9 @@ main(int argc, char **argv) + case 'V': + puts(curses_version()); + ExitProgram(EXIT_SUCCESS); ++ case 'v': /* verbose */ ++ opt_v = TRUE; ++ break; + case 'x': /* do not try to clear scrollback */ + opt_x = TRUE; + break; +@@ -404,7 +449,7 @@ main(int argc, char **argv) + usage(NULL); + while (argc > 0) { + tty_settings = old_settings; +- code = tput_cmd(fd, &tty_settings, opt_x, argc, argv, &used); ++ code = tput_cmd(fd, &tty_settings, argc, argv, &used); + if (code != 0) + break; + argc -= used; +@@ -439,7 +484,7 @@ main(int argc, char **argv) + while (argnum > 0) { + int code; + tty_settings = old_settings; +- code = tput_cmd(fd, &tty_settings, opt_x, argnum, argnow, &used); ++ code = tput_cmd(fd, &tty_settings, argnum, argnow, &used); + if (code != 0) { + if (result == 0) + result = ErrSystem(0); /* will return value >4 */ +-- +2.40.0 + diff --git a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb index 1eb15673d1..388cd8d407 100644 --- a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb @@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \ file://0002-configure-reproducible.patch \ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ file://exit_prototype.patch \ + file://0001-Fix-CVE-2023-29491.patch \ " # commit id corresponds to the revision in package version SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" diff --git a/poky/meta/recipes-core/newlib/libgloss/fix_makefile_include_arm_h.patch b/poky/meta/recipes-core/newlib/libgloss/fix_makefile_include_arm_h.patch deleted file mode 100644 index 7645be7314..0000000000 --- a/poky/meta/recipes-core/newlib/libgloss/fix_makefile_include_arm_h.patch +++ /dev/null @@ -1,30 +0,0 @@ -Upstream-Status: Inappropriate [OE-Specific] - -When trying to build libgloss for an arm target, the build system -complains about missing some include files: - -| fatal error: acle-compiat.h: No such file or directory -| #include "acle-compat.h" -| ^~~~~~~~~~~~~~~ -| compilation terminated. - -These include files come from the newlib source, but since we -are building libgloss separately from newlib, libgloss is unaware -of where they are, this patch fixes the INCLUDES so the build system -can find such files. - -Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandr@xilinx.com> - -Index: newlib-3.0.0/libgloss/config/default.mh -=================================================================== ---- newlib-3.0.0.orig/libgloss/config/default.mh -+++ newlib-3.0.0/libgloss/config/default.mh -@@ -1,7 +1,7 @@ - NEWLIB_CFLAGS = `if [ -d ${objroot}/newlib ]; then echo -I${objroot}/newlib/targ-include -I${srcroot}/newlib/libc/include; fi` - NEWLIB_LDFLAGS = `if [ -d ${objroot}/newlib ]; then echo -B${objroot}/newlib/ -L${objroot}/newlib/; fi` - --INCLUDES = -I. -I$(srcdir)/.. -+INCLUDES = -I. -I$(srcdir)/.. -I$(srcdir)/../newlib/libc/machine/arm - # Note that when building the library, ${MULTILIB} is not the way multilib - # options are passed; they're passed in $(CFLAGS). - CFLAGS_FOR_TARGET = -O2 -g ${MULTILIB} ${INCLUDES} ${NEWLIB_CFLAGS} diff --git a/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb b/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb index c90a02f131..fd72cf4165 100644 --- a/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb +++ b/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb @@ -10,18 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3d06403ea54c7574a9e581c6478cc393 \ file://lib/LGPL;md5=b75d069791103ffe1c0d6435deeff72e" PR = "r5" -SRC_URI = "${SOURCEFORGE_MIRROR}/linux-diag/sysfsutils-${PV}.tar.gz \ +SRC_URI = "git://github.com/linux-ras/sysfsutils.git;protocol=https;branch=master \ file://sysfsutils-2.0.0-class-dup.patch \ file://obsolete_automake_macros.patch \ file://separatebuild.patch" -SRC_URI[md5sum] = "14e7dcd0436d2f49aa403f67e1ef7ddc" -SRC_URI[sha256sum] = "e865de2c1f559fff0d3fc936e660c0efaf7afe662064f2fb97ccad1ec28d208a" +SRCREV = "0d5456e1c9d969cdad6accef2ae2d4881d5db085" -UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/linux-diag/files/sysfsutils/" -UPSTREAM_CHECK_REGEX = "/sysfsutils/(?P<pver>(\d+[\.\-_]*)+)/" - -S = "${WORKDIR}/sysfsutils-${PV}" +S = "${WORKDIR}/git" inherit autotools diff --git a/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl b/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl index b45a2dc2f7..7fe751b397 100755 --- a/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl +++ b/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl @@ -201,13 +201,8 @@ class SystemdUnit(): target = ROOT / location.relative_to(self.root) try: for dependent in config.get('Install', prop): - # determine whether or not dependent is a template with an actual - # instance (i.e. a '@%i') - dependent_is_template = re.match(r"[^@]+@(?P<instance>[^\.]*)\.", dependent) - if dependent_is_template: - # if so, replace with the actual instance to achieve - # svc-wants@a.service.wants/svc-wanted-by@a.service - dependent = re.sub(dependent_is_template.group('instance'), instance, dependent, 1) + # expand any %i to instance (ignoring escape sequence %%) + dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent) wants = systemdir / "{}.{}".format(dependent, dirstem) / service add_link(wants, target) diff --git a/poky/meta/recipes-core/systemd/systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch b/poky/meta/recipes-core/systemd/systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch deleted file mode 100644 index 479b9a1ca1..0000000000 --- a/poky/meta/recipes-core/systemd/systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 1480ef4ea9f71befbc22272c219b62ee5cd71d43 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Fri, 21 Jan 2022 15:17:37 -0800 -Subject: [PATCH] Add sys/stat.h for S_IFDIR - -../git/src/shared/mkdir-label.c:13:61: error: use of undeclared identifier 'S_IFDIR' - r = mac_selinux_create_file_prepare_at(dirfd, path, S_IFDIR); - -Upstream-Status: Backport [29b7114c5d9624002aa7c17748d960cd1e45362d] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/shared/mkdir-label.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c -index e3afc2b666..f1df778966 100644 ---- a/src/shared/mkdir-label.c -+++ b/src/shared/mkdir-label.c -@@ -7,6 +7,7 @@ - #include "selinux-util.h" - #include "smack-util.h" - #include "user-util.h" -+#include <sys/stat.h> - - int mkdirat_label(int dirfd, const char *path, mode_t mode) { - int r; --- -2.39.2 - diff --git a/poky/meta/recipes-core/systemd/systemd_253.1.bb b/poky/meta/recipes-core/systemd/systemd_253.1.bb index 9c2b96d3c1..f306765168 100644 --- a/poky/meta/recipes-core/systemd/systemd_253.1.bb +++ b/poky/meta/recipes-core/systemd/systemd_253.1.bb @@ -47,7 +47,6 @@ SRC_URI_MUSL = "\ file://0023-Handle-missing-gshadow.patch \ file://0024-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch \ file://0005-pass-correct-parameters-to-getdents64.patch \ - file://0007-Add-sys-stat.h-for-S_IFDIR.patch \ file://0001-Adjust-for-musl-headers.patch \ file://0006-test-bus-error-strerror-is-assumed-to-be-GNU-specifi.patch \ file://0003-errno-util-Make-STRERROR-portable-for-musl.patch \ diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb b/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb index 9ea7a04e8a..c81405533c 100644 --- a/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb +++ b/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb @@ -234,6 +234,8 @@ ALTERNATIVE_TARGET[getty] = "${base_sbindir}/agetty" ALTERNATIVE_LINK_NAME[hexdump] = "${bindir}/hexdump" ALTERNATIVE_LINK_NAME[hwclock] = "${base_sbindir}/hwclock" ALTERNATIVE_LINK_NAME[ionice] = "${bindir}/ionice" +ALTERNATIVE_LINK_NAME[ipcrm] = "${bindir}/ipcrm" +ALTERNATIVE_LINK_NAME[ipcs] = "${bindir}/ipcs" ALTERNATIVE_LINK_NAME[kill] = "${base_bindir}/kill" ALTERNATIVE:${PN}-last = "last lastb" ALTERNATIVE_LINK_NAME[last] = "${bindir}/last" diff --git a/poky/meta/recipes-devtools/automake/automake/buildtest.patch b/poky/meta/recipes-devtools/automake/automake/buildtest.patch index b88b9e8693..c43a4ac8f3 100644 --- a/poky/meta/recipes-devtools/automake/automake/buildtest.patch +++ b/poky/meta/recipes-devtools/automake/automake/buildtest.patch @@ -36,7 +36,7 @@ index e0db651..de137fa 100644 -check-TESTS: $(TESTS) +AM_RECURSIVE_TARGETS += buildtest runtest + -+buildtest-TESTS: $(TESTS) ++buildtest-TESTS: $(TESTS) $(check_PROGRAMS) + +check-TESTS: buildtest-TESTS + $(MAKE) $(AM_MAKEFLAGS) runtest-TESTS diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.40.inc b/poky/meta/recipes-devtools/binutils/binutils-2.40.inc index dbb43044a4..424cfc48fc 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.40.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.40.inc @@ -18,7 +18,7 @@ SRCBRANCH ?= "binutils-2_40-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)" -SRCREV ?= "4671be001eb5a899ecac3e2686a92934000f8262" +SRCREV ?= "391fd4d9ee5d2b78244cbcd57fc405738359b70b" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https" SRC_URI = "\ ${BINUTILS_GIT_URI} \ @@ -34,5 +34,7 @@ SRC_URI = "\ file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://0015-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \ file://0016-CVE-2023-25586.patch \ + file://0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch \ + file://0017-CVE-2023-39128.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils.inc b/poky/meta/recipes-devtools/binutils/binutils.inc index c69d29448f..e176b5cff1 100644 --- a/poky/meta/recipes-devtools/binutils/binutils.inc +++ b/poky/meta/recipes-devtools/binutils/binutils.inc @@ -33,6 +33,8 @@ FILES:${PN}-dev = " \ ${libdir}/libctf-nobfd.so \ ${libdir}/libopcodes.so" +FILES:${PN}-staticdev += "${libdir}/gprofng/*.a" + # Rather than duplicating multiple entries for these, make one # list and reuse it. diff --git a/poky/meta/recipes-devtools/binutils/binutils/0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch b/poky/meta/recipes-devtools/binutils/binutils/0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch new file mode 100644 index 0000000000..31157cacd2 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch @@ -0,0 +1,43 @@ +From c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 30 Mar 2023 10:10:09 +0100 +Subject: [PATCH] Fix an illegal memory access when an accessing a + zer0-lengthverdef table. + + PR 30285 + * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated. + +CVE: CVE-2023-1972 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + bfd/ChangeLog | 6 ++++++ + bfd/elf.c | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/bfd/elf.c b/bfd/elf.c +index 027d0143735..185028cbd97 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return_verdef; + } ++ ++ if (amt == 0) ++ goto error_return_verdef; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return_verdef; +@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return; + } ++ if (amt == 0) ++ goto error_return; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return; +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch b/poky/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch new file mode 100644 index 0000000000..cd81a52b15 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch @@ -0,0 +1,74 @@ +From: Tom Tromey <tromey@adacore.com> +Date: Wed, 16 Aug 2023 17:29:19 +0000 (-0600) +Subject: Avoid buffer overflow in ada_decode +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d + +Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz <keiths@redhat.com> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] + +CVE: CVE-2023-39128 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 4a9a6e0f38f..2f934b1e79a 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include <algorithm> + #include "ada-exp.h" + #include "charset.h" +@@ -1377,7 +1378,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1574,6 +1575,18 @@ Suppress: + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once + allocated, names in this table are never released. While this is a + storage leak, it should not be significant unless there are massive +@@ -13984,4 +13997,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } diff --git a/poky/meta/recipes-devtools/binutils/binutils_2.40.bb b/poky/meta/recipes-devtools/binutils/binutils_2.40.bb index 9fe4bf5ae3..4ce1b4bec2 100644 --- a/poky/meta/recipes-devtools/binutils/binutils_2.40.bb +++ b/poky/meta/recipes-devtools/binutils/binutils_2.40.bb @@ -67,7 +67,6 @@ FILES:libbfd = "${libdir}/libbfd-*.so.* ${libdir}/libbfd-*.so" FILES:libopcodes = "${libdir}/libopcodes-*.so.* ${libdir}/libopcodes-*.so" FILES:gprofng = "${sysconfdir}/gprofng.rc ${libdir}/gprofng/libgp-*.so ${libdir}/gprofng/libgprofng.so.* ${bindir}/gp-* ${bindir}/gprofng" FILES:${PN}-dev += "${libdir}/libgprofng.so ${libdir}/libsframe.so" -FILES:${PN}-staticdev += "${libdir}/gprofng/*.a" SRC_URI:append:class-nativesdk = " file://0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch " USE_ALTERNATIVES_FOR:class-nativesdk = "" diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch new file mode 100644 index 0000000000..53480d6299 --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch @@ -0,0 +1,237 @@ +From d8cfbc808f387e87091c25e7d5b8c2bb348bb206 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 09:40:23 +0000 +Subject: [PATCH] dmidecode: Write the whole dump file at once + +When option --dump-bin is used, write the whole dump file at once, +instead of opening and closing the file separately for the table +and then for the entry point. + +As the file writing function is no longer generic, it gets moved +from util.c to dmidecode.c. + +One minor functional change resulting from the new implementation is +that the entry point is written first now, so the messages printed +are swapped. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Reference: https://github.com/mirror/dmidecode/commit/39b2dd7b6ab719b920e96ed832cfb4bdd664e808 + +Upstream-Status: Backport [https://github.com/mirror/dmidecode/commit/d8cfbc808f387e87091c25e7d5b8c2bb348bb206] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 79 +++++++++++++++++++++++++++++++++++++++-------------- + util.c | 40 --------------------------- + util.h | 1 - + 3 files changed, 58 insertions(+), 62 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 9aeff91..5477309 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5427,11 +5427,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + } + } + +-static void dmi_table_dump(const u8 *buf, u32 len) ++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, ++ u32 table_len) + { ++ FILE *f; ++ ++ f = fopen(opt.dumpfile, "wb"); ++ if (!f) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fopen"); ++ return -1; ++ } ++ ++ if (!(opt.flags & FLAG_QUIET)) ++ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile); ++ if (fwrite(ep, ep_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fseek(f, 32, SEEK_SET) != 0) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fseek"); ++ goto err_close; ++ } ++ + if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile); +- write_dump(32, len, buf, opt.dumpfile, 0); ++ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile); ++ if (fwrite(table, table_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fclose(f)) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fclose"); ++ return -1; ++ } ++ ++ return 0; ++ ++err_close: ++ fclose(f); ++ return -1; + } + + static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) +@@ -5648,11 +5693,6 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + return; + } + +- if (opt.flags & FLAG_DUMP_BIN) +- dmi_table_dump(buf, len); +- else +- dmi_table_decode(buf, len, num, ver >> 8, flags); +- + free(buf); + } + +@@ -5688,8 +5728,9 @@ static void overwrite_smbios3_address(u8 *buf) + + static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + { +- u32 ver; ++ u32 ver, len; + u64 offset; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x06] > 0x20) +@@ -5725,10 +5766,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_smbios3_address(crafted); + +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", crafted[0x06], +- opt.dumpfile); +- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x06], table, len); + } + + return 1; +@@ -5737,6 +5775,8 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + { + u16 ver; ++ u32 len; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x05] > 0x20) +@@ -5786,10 +5826,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_dmi_address(crafted + 0x10); + +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", crafted[0x05], +- opt.dumpfile); +- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x05], table, len); + } + + return 1; +@@ -5797,6 +5834,9 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + + static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + { ++ u32 len; ++ u8 *table; ++ + if (!checksum(buf, 0x0F)) + return 0; + +@@ -5815,10 +5855,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 16); + overwrite_dmi_address(crafted); + +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", 0x0F, +- opt.dumpfile); +- write_dump(0, 0x0F, crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, 0x0F, table, len); + } + + return 1; +diff --git a/util.c b/util.c +index 04aaadd..1547096 100644 +--- a/util.c ++++ b/util.c +@@ -259,46 +259,6 @@ out: + return p; + } + +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add) +-{ +- FILE *f; +- +- f = fopen(dumpfile, add ? "r+b" : "wb"); +- if (!f) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fopen"); +- return -1; +- } +- +- if (fseek(f, base, SEEK_SET) != 0) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fseek"); +- goto err_close; +- } +- +- if (fwrite(data, len, 1, f) != 1) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fwrite"); +- goto err_close; +- } +- +- if (fclose(f)) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fclose"); +- return -1; +- } +- +- return 0; +- +-err_close: +- fclose(f); +- return -1; +-} +- + /* Returns end - start + 1, assuming start < end */ + u64 u64_range(u64 start, u64 end) + { +diff --git a/util.h b/util.h +index 3094cf8..ef24eb9 100644 +--- a/util.h ++++ b/util.h +@@ -27,5 +27,4 @@ + int checksum(const u8 *buf, size_t len); + void *read_file(off_t base, size_t *len, const char *filename); + void *mem_chunk(off_t base, size_t len, const char *devmem); +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add); + u64 u64_range(u64 start, u64 end); +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch new file mode 100644 index 0000000000..dcc87d2326 --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch @@ -0,0 +1,81 @@ +From 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:03:53 +0000 +Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file + +Make sure that the file passed to option --dump-bin does not already +exist. In practice, it is rather unlikely that an honest user would +want to overwrite an existing dump file, while this possibility +could be used by a rogue user to corrupt a system file. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport +[https://github.com/mirror/dmidecode/commit/6ca381c1247c81f74e1ca4e7706f70bdda72e6f2] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 14 ++++++++++++-- + man/dmidecode.8 | 3 ++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 5477309..98f9692 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -60,6 +60,7 @@ + * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf + */ + ++#include <fcntl.h> + #include <stdio.h> + #include <string.h> + #include <strings.h> +@@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, + u32 table_len) + { ++ int fd; + FILE *f; + +- f = fopen(opt.dumpfile, "wb"); ++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); ++ if (fd == -1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("open"); ++ return -1; ++ } ++ ++ f = fdopen(fd, "wb"); + if (!f) + { + fprintf(stderr, "%s: ", opt.dumpfile); +- perror("fopen"); ++ perror("fdopen"); + return -1; + } + +diff --git a/man/dmidecode.8 b/man/dmidecode.8 +index ed066b3..3a732c0 100644 +--- a/man/dmidecode.8 ++++ b/man/dmidecode.8 +@@ -1,4 +1,4 @@ +-.TH DMIDECODE 8 "January 2019" "dmidecode" ++.TH DMIDECODE 8 "February 2023" "dmidecode" + .\" + .SH NAME + dmidecode \- \s-1DMI\s0 table decoder +@@ -159,6 +159,7 @@ hexadecimal and \s-1ASCII\s0. This option is mainly useful for debugging. + Do not decode the entries, instead dump the DMI data to a file in binary + form. The generated file is suitable to pass to \fB--from-dump\fP + later. ++\fIFILE\fP must not exist. + .TP + .BR " " " " "--from-dump \fIFILE\fP" + Read the DMI data from a binary file previously generated using +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch new file mode 100644 index 0000000000..01d0d1f867 --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch @@ -0,0 +1,69 @@ +From c76ddda0ba0aa99a55945e3290095c2ec493c892 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:25:50 +0000 +Subject: [PATCH] Consistently use read_file() when reading from a dump file + +Use read_file() instead of mem_chunk() to read the entry point from a +dump file. This is faster, and consistent with how we then read the +actual DMI table from that dump file. + +This made no functional difference so far, which is why it went +unnoticed for years. But now that a file type check was added to the +mem_chunk() function, we must stop using it to read from regular +files. + +This will again allow root to use the --from-dump option. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Tested-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=c76ddda0ba0aa99a55945e3290095c2ec493c892] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 98f9692..b4dbc9d 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5997,17 +5997,25 @@ int main(int argc, char * const argv[]) + pr_comment("dmidecode %s", VERSION); + + /* Read from dump if so instructed */ ++ size = 0x20; + if (opt.flags & FLAG_FROM_DUMP) + { + if (!(opt.flags & FLAG_QUIET)) + pr_info("Reading SMBIOS/DMI data from file %s.", + opt.dumpfile); +- if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL) ++ if ((buf = read_file(0, &size, opt.dumpfile)) == NULL) + { + ret = 1; + goto exit_free; + } + ++ /* Truncated entry point can't be processed */ ++ if (size < 0x20) ++ { ++ ret = 1; ++ goto done; ++ } ++ + if (memcmp(buf, "_SM3_", 5) == 0) + { + if (smbios3_decode(buf, opt.dumpfile, 0)) +@@ -6031,7 +6039,6 @@ int main(int argc, char * const argv[]) + * contain one of several types of entry points, so read enough for + * the largest one, then determine what type it contains. + */ +- size = 0x20; + if (!(opt.flags & FLAG_NO_SYSFS) + && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL) + { +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch new file mode 100644 index 0000000000..5fa72b4f9b --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch @@ -0,0 +1,137 @@ +From 2b83c4b898f8325313162f588765411e8e3e5561 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:58:11 +0000 +Subject: [PATCH] Don't read beyond sysfs entry point buffer + +Functions smbios_decode() and smbios3_decode() include a check +against buffer overrun. This check assumes that the buffer length is +always 32 bytes. This is true when reading from /dev/mem or from a +dump file, however when reading from sysfs, the buffer length is the +size of the actual sysfs attribute file, typically 31 bytes for an +SMBIOS 2.x entry point and 24 bytes for an SMBIOS 3.x entry point. + +In the unlikely event of a malformed entry point, with encoded length +larger than expected but smaller than or equal to 32, we would hit a +buffer overrun. So properly pass the actual buffer length as an +argument and perform the check against it. + +In practice, this will never happen, because on the Linux kernel +side, the size of the sysfs attribute file is decided from the entry +point length field. So it is technically impossible for them not to +match. But user-space code should not make such assumptions. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport +[https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=2b83c4b898f8325313162f588765411e8e3e5561] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index b4dbc9d..870d94e 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf) + buf[0x17] = 0; + } + +-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) ++static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) + { + u32 ver, len; + u64 offset; + u8 *table; + + /* Don't let checksum run beyond the buffer */ +- if (buf[0x06] > 0x20) ++ if (buf[0x06] > buf_len) + { + fprintf(stderr, + "Entry point length too large (%u bytes, expected %u).\n", +@@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + return 1; + } + +-static int smbios_decode(u8 *buf, const char *devmem, u32 flags) ++static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) + { + u16 ver; + u32 len; + u8 *table; + + /* Don't let checksum run beyond the buffer */ +- if (buf[0x05] > 0x20) ++ if (buf[0x05] > buf_len) + { + fprintf(stderr, + "Entry point length too large (%u bytes, expected %u).\n", +@@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[]) + + if (memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, opt.dumpfile, 0)) ++ if (smbios3_decode(buf, size, opt.dumpfile, 0)) + found++; + } + else if (memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, opt.dumpfile, 0)) ++ if (smbios_decode(buf, size, opt.dumpfile, 0)) + found++; + } + else if (memcmp(buf, "_DMI_", 5) == 0) +@@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[]) + pr_info("Getting SMBIOS data from sysfs."); + if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) ++ if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) + found++; + } + else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) ++ if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) + found++; + } + else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0) +@@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[]) + + if (memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, opt.devmem, 0)) ++ if (smbios3_decode(buf, 0x20, opt.devmem, 0)) + found++; + } + else if (memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, opt.devmem, 0)) ++ if (smbios_decode(buf, 0x20, opt.devmem, 0)) + found++; + } + goto done; +@@ -6114,7 +6114,7 @@ memory_scan: + { + if (memcmp(buf + fp, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf + fp, opt.devmem, 0)) ++ if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0)) + { + found++; + goto done; +@@ -6127,7 +6127,7 @@ memory_scan: + { + if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0) + { +- if (smbios_decode(buf + fp, opt.devmem, 0)) ++ if (smbios_decode(buf + fp, 0x20, opt.devmem, 0)) + { + found++; + goto done; +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb b/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb index bc741046dd..4d5255df64 100644 --- a/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb @@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ file://0001-Committing-changes-from-do_unpack_extra.patch \ + file://CVE-2023-30630_1.patch \ + file://CVE-2023-30630_2.patch \ + file://CVE-2023-30630_3.patch \ + file://CVE-2023-30630_4.patch \ " COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux" diff --git a/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb b/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb index 62df8c4ace..95007c9c4b 100644 --- a/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb +++ b/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb @@ -15,9 +15,10 @@ SRC_URI = "git://github.com/rpm-software-management/dnf.git;branch=master;protoc file://0029-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \ file://0030-Run-python-scripts-using-env.patch \ file://0001-set-python-path-for-completion_helper.patch \ - file://0001-dnf-write-the-log-lock-to-root.patch \ " +SRC_URI:append:class-native = "file://0001-dnf-write-the-log-lock-to-root.patch" + SRCREV = "e50875b3f5790f70720bdb670e1dd2bf4d828744" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" diff --git a/poky/meta/recipes-devtools/dpkg/dpkg_1.21.21.bb b/poky/meta/recipes-devtools/dpkg/dpkg_1.21.22.bb index a19a96ef06..04bcc93321 100644 --- a/poky/meta/recipes-devtools/dpkg/dpkg_1.21.21.bb +++ b/poky/meta/recipes-devtools/dpkg/dpkg_1.21.22.bb @@ -18,6 +18,6 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=1.21. SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch" -SRCREV = "9ef736b7b3a5fa0d6e991e8475eb2e3151fec345" +SRCREV = "48482e4f16467e05a08aa3b3b8048e08f0024609" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch new file mode 100644 index 0000000000..9ed77d921f --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch @@ -0,0 +1,80 @@ +From 5782f0d47df99dcfc743aa138361336e9a4ac966 Mon Sep 17 00:00:00 2001 +From: Gao Xiang <hsiangkao@linux.alibaba.com> +Date: Fri, 2 Jun 2023 13:52:56 +0800 +Subject: [PATCH 1/4] erofs-utils: fsck: block insane long paths when + extracting images + +Since some crafted EROFS filesystem images could have insane deep +hierarchy (or may form directory loops) which triggers the +PATH_MAX-sized path buffer OR stack overflow. + +Actually some crafted images cannot be deemed as real corrupted +images but over-PATH_MAX paths are not something that we'd like to +support for now. + +CVE: CVE-2023-33551 +Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551 +Reported-by: Chaoming Yang <lometsj@live.com> +Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs") +Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()") +Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") +Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> +Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/patch/?id=27aeef179bf17d5f1d98f827e93d24839a6d4176] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + fsck/main.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/fsck/main.c b/fsck/main.c +index 5a2f659..2b6a6dd 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -679,28 +679,35 @@ again: + static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx) + { + int ret; +- size_t prev_pos = fsckcfg.extract_pos; ++ size_t prev_pos, curr_pos; + + if (ctx->dot_dotdot) + return 0; + +- if (fsckcfg.extract_path) { +- size_t curr_pos = prev_pos; ++ prev_pos = fsckcfg.extract_pos; ++ curr_pos = prev_pos; ++ ++ if (prev_pos + ctx->de_namelen >= PATH_MAX) { ++ erofs_err("unable to fsck since the path is too long (%u)", ++ curr_pos + ctx->de_namelen); ++ return -EOPNOTSUPP; ++ } + ++ if (fsckcfg.extract_path) { + fsckcfg.extract_path[curr_pos++] = '/'; + strncpy(fsckcfg.extract_path + curr_pos, ctx->dname, + ctx->de_namelen); + curr_pos += ctx->de_namelen; + fsckcfg.extract_path[curr_pos] = '\0'; +- fsckcfg.extract_pos = curr_pos; ++ } else { ++ curr_pos += ctx->de_namelen; + } +- ++ fsckcfg.extract_pos = curr_pos; + ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid); + +- if (fsckcfg.extract_path) { ++ if (fsckcfg.extract_path) + fsckcfg.extract_path[prev_pos] = '\0'; +- fsckcfg.extract_pos = prev_pos; +- } ++ fsckcfg.extract_pos = prev_pos; + return ret; + } + +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-1.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-1.patch new file mode 100644 index 0000000000..011ca1cd5e --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-1.patch @@ -0,0 +1,221 @@ +From 8aef6015a03242a7d13467d23ad52b5427bf5247 Mon Sep 17 00:00:00 2001 +From: Yue Hu <huyue2@coolpad.com> +Date: Wed, 11 Jan 2023 09:49:26 +0800 +Subject: [PATCH] erofs-utils: lib: export parts of erofs_pread() + +Export parts of erofs_pread() to avoid duplicated code in +erofs_verify_inode_data(). Let's make two helpers for this. + +Signed-off-by: Yue Hu <huyue2@coolpad.com> +Link: https://lore.kernel.org/r/ff560da9c798b2ca1f1a663a000501486d865487.1673401718.git.huyue2@coolpad.com +Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> + +CVE: CVE-2023-33552 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/commit/?id=4c0fb15a5d85378debe9d10d96cd643d167300ca] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + include/erofs/internal.h | 5 ++ + lib/data.c | 108 ++++++++++++++++++++++++--------------- + 2 files changed, 71 insertions(+), 42 deletions(-) + +diff --git a/include/erofs/internal.h b/include/erofs/internal.h +index d3b2986..28d0e68 100644 +--- a/include/erofs/internal.h ++++ b/include/erofs/internal.h +@@ -335,6 +335,11 @@ int erofs_pread(struct erofs_inode *inode, char *buf, + int erofs_map_blocks(struct erofs_inode *inode, + struct erofs_map_blocks *map, int flags); + int erofs_map_dev(struct erofs_sb_info *sbi, struct erofs_map_dev *map); ++int erofs_read_one_data(struct erofs_map_blocks *map, char *buffer, u64 offset, ++ size_t len); ++int z_erofs_read_one_data(struct erofs_inode *inode, ++ struct erofs_map_blocks *map, char *raw, char *buffer, ++ erofs_off_t skip, erofs_off_t length, bool trimmed); + + static inline int erofs_get_occupied_size(const struct erofs_inode *inode, + erofs_off_t *size) +diff --git a/lib/data.c b/lib/data.c +index 6bc554d..2a7fdd5 100644 +--- a/lib/data.c ++++ b/lib/data.c +@@ -158,19 +158,38 @@ int erofs_map_dev(struct erofs_sb_info *sbi, struct erofs_map_dev *map) + return 0; + } + ++int erofs_read_one_data(struct erofs_map_blocks *map, char *buffer, u64 offset, ++ size_t len) ++{ ++ struct erofs_map_dev mdev; ++ int ret; ++ ++ mdev = (struct erofs_map_dev) { ++ .m_deviceid = map->m_deviceid, ++ .m_pa = map->m_pa, ++ }; ++ ret = erofs_map_dev(&sbi, &mdev); ++ if (ret) ++ return ret; ++ ++ ret = dev_read(mdev.m_deviceid, buffer, mdev.m_pa + offset, len); ++ if (ret < 0) ++ return -EIO; ++ return 0; ++} ++ + static int erofs_read_raw_data(struct erofs_inode *inode, char *buffer, + erofs_off_t size, erofs_off_t offset) + { + struct erofs_map_blocks map = { + .index = UINT_MAX, + }; +- struct erofs_map_dev mdev; + int ret; + erofs_off_t ptr = offset; + + while (ptr < offset + size) { + char *const estart = buffer + ptr - offset; +- erofs_off_t eend; ++ erofs_off_t eend, moff = 0; + + map.m_la = ptr; + ret = erofs_map_blocks(inode, &map, 0); +@@ -179,14 +198,6 @@ static int erofs_read_raw_data(struct erofs_inode *inode, char *buffer, + + DBG_BUGON(map.m_plen != map.m_llen); + +- mdev = (struct erofs_map_dev) { +- .m_deviceid = map.m_deviceid, +- .m_pa = map.m_pa, +- }; +- ret = erofs_map_dev(&sbi, &mdev); +- if (ret) +- return ret; +- + /* trim extent */ + eend = min(offset + size, map.m_la + map.m_llen); + DBG_BUGON(ptr < map.m_la); +@@ -204,19 +215,54 @@ static int erofs_read_raw_data(struct erofs_inode *inode, char *buffer, + } + + if (ptr > map.m_la) { +- mdev.m_pa += ptr - map.m_la; ++ moff = ptr - map.m_la; + map.m_la = ptr; + } + +- ret = dev_read(mdev.m_deviceid, estart, mdev.m_pa, +- eend - map.m_la); +- if (ret < 0) +- return -EIO; ++ ret = erofs_read_one_data(&map, estart, moff, eend - map.m_la); ++ if (ret) ++ return ret; + ptr = eend; + } + return 0; + } + ++int z_erofs_read_one_data(struct erofs_inode *inode, ++ struct erofs_map_blocks *map, char *raw, char *buffer, ++ erofs_off_t skip, erofs_off_t length, bool trimmed) ++{ ++ struct erofs_map_dev mdev; ++ int ret = 0; ++ ++ /* no device id here, thus it will always succeed */ ++ mdev = (struct erofs_map_dev) { ++ .m_pa = map->m_pa, ++ }; ++ ret = erofs_map_dev(&sbi, &mdev); ++ if (ret) { ++ DBG_BUGON(1); ++ return ret; ++ } ++ ++ ret = dev_read(mdev.m_deviceid, raw, mdev.m_pa, map->m_plen); ++ if (ret < 0) ++ return ret; ++ ++ ret = z_erofs_decompress(&(struct z_erofs_decompress_req) { ++ .in = raw, ++ .out = buffer, ++ .decodedskip = skip, ++ .inputsize = map->m_plen, ++ .decodedlength = length, ++ .alg = map->m_algorithmformat, ++ .partial_decoding = trimmed ? true : ++ !(map->m_flags & EROFS_MAP_FULL_MAPPED) ++ }); ++ if (ret < 0) ++ return ret; ++ return 0; ++} ++ + static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + erofs_off_t size, erofs_off_t offset) + { +@@ -224,8 +270,7 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + struct erofs_map_blocks map = { + .index = UINT_MAX, + }; +- struct erofs_map_dev mdev; +- bool partial; ++ bool trimmed; + unsigned int bufsize = 0; + char *raw = NULL; + int ret = 0; +@@ -238,27 +283,17 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + if (ret) + break; + +- /* no device id here, thus it will always succeed */ +- mdev = (struct erofs_map_dev) { +- .m_pa = map.m_pa, +- }; +- ret = erofs_map_dev(&sbi, &mdev); +- if (ret) { +- DBG_BUGON(1); +- break; +- } +- + /* + * trim to the needed size if the returned extent is quite + * larger than requested, and set up partial flag as well. + */ + if (end < map.m_la + map.m_llen) { + length = end - map.m_la; +- partial = true; ++ trimmed = true; + } else { + DBG_BUGON(end != map.m_la + map.m_llen); + length = map.m_llen; +- partial = !(map.m_flags & EROFS_MAP_FULL_MAPPED); ++ trimmed = false; + } + + if (map.m_la < offset) { +@@ -283,19 +318,8 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + break; + } + } +- ret = dev_read(mdev.m_deviceid, raw, mdev.m_pa, map.m_plen); +- if (ret < 0) +- break; +- +- ret = z_erofs_decompress(&(struct z_erofs_decompress_req) { +- .in = raw, +- .out = buffer + end - offset, +- .decodedskip = skip, +- .inputsize = map.m_plen, +- .decodedlength = length, +- .alg = map.m_algorithmformat, +- .partial_decoding = partial +- }); ++ ret = z_erofs_read_one_data(inode, &map, raw, ++ buffer + end - offset, skip, length, trimmed); + if (ret < 0) + break; + } +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-2.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-2.patch new file mode 100644 index 0000000000..4d190363b9 --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-2.patch @@ -0,0 +1,97 @@ +From 3a360e01058467573bd7239fa430d8dc5fbd60f4 Mon Sep 17 00:00:00 2001 +From: Yue Hu <huyue2@coolpad.com> +Date: Wed, 11 Jan 2023 09:49:27 +0800 +Subject: [PATCH 3/4] erofs-utils: fsck: cleanup erofs_verify_inode_data() + +Diretly call {z_}erofs_read_one_data() to avoid duplicated code. +Accordingly, fragment and partial-referenced plusters are also supported +after this change. + +Signed-off-by: Yue Hu <huyue2@coolpad.com> +Link: https://lore.kernel.org/r/115e61fc9c2d34cab6d3dd78383ac57c94a491fc.1673401718.git.huyue2@coolpad.com +Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> + +CVE: CVE-2023-33552 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/commit/?id=87430c69e1d542928c4519e8fabfd6348a741999] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + fsck/main.c | 53 ++++++++++------------------------------------------- + 1 file changed, 10 insertions(+), 43 deletions(-) + +diff --git a/fsck/main.c b/fsck/main.c +index 2b6a6dd..92ef17a 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -366,7 +366,6 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + struct erofs_map_blocks map = { + .index = UINT_MAX, + }; +- struct erofs_map_dev mdev; + int ret = 0; + bool compressed; + erofs_off_t pos = 0; +@@ -427,51 +426,19 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + BUG_ON(!raw); + } + +- mdev = (struct erofs_map_dev) { +- .m_deviceid = map.m_deviceid, +- .m_pa = map.m_pa, +- }; +- ret = erofs_map_dev(&sbi, &mdev); +- if (ret) { +- erofs_err("failed to map device of m_pa %" PRIu64 ", m_deviceid %u @ nid %llu: %d", +- map.m_pa, map.m_deviceid, inode->nid | 0ULL, +- ret); +- goto out; +- } +- +- if (compressed && map.m_llen > buffer_size) { +- buffer_size = map.m_llen; +- buffer = realloc(buffer, buffer_size); +- BUG_ON(!buffer); +- } +- +- ret = dev_read(mdev.m_deviceid, raw, mdev.m_pa, map.m_plen); +- if (ret < 0) { +- erofs_err("failed to read data of m_pa %" PRIu64 ", m_plen %" PRIu64 " @ nid %llu: %d", +- mdev.m_pa, map.m_plen, inode->nid | 0ULL, +- ret); +- goto out; +- } +- + if (compressed) { +- struct z_erofs_decompress_req rq = { +- .in = raw, +- .out = buffer, +- .decodedskip = 0, +- .inputsize = map.m_plen, +- .decodedlength = map.m_llen, +- .alg = map.m_algorithmformat, +- .partial_decoding = 0 +- }; +- +- ret = z_erofs_decompress(&rq); +- if (ret < 0) { +- erofs_err("failed to decompress data of m_pa %" PRIu64 ", m_plen %" PRIu64 " @ nid %llu: %s", +- mdev.m_pa, map.m_plen, +- inode->nid | 0ULL, strerror(-ret)); +- goto out; ++ if (map.m_llen > buffer_size) { ++ buffer_size = map.m_llen; ++ buffer = realloc(buffer, buffer_size); ++ BUG_ON(!buffer); + } ++ ret = z_erofs_read_one_data(inode, &map, raw, buffer, ++ 0, map.m_llen, false); ++ } else { ++ ret = erofs_read_one_data(&map, raw, 0, map.m_plen); + } ++ if (ret) ++ goto out; + + if (outfd >= 0 && write(outfd, compressed ? buffer : raw, + map.m_llen) < 0) { +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-3.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-3.patch new file mode 100644 index 0000000000..c05d62c5dd --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-3.patch @@ -0,0 +1,127 @@ +From b4e155ba759ae389c5f71cd13d97eb3bcf2c1adf Mon Sep 17 00:00:00 2001 +From: Gao Xiang <hsiangkao@linux.alibaba.com> +Date: Fri, 2 Jun 2023 11:05:19 +0800 +Subject: [PATCH] erofs-utils: fsck: don't allocate/read too large extents + +Since some crafted EROFS filesystem images could have insane large +extents, which causes unexpected bahaviors when extracting data. + +Fix it by extracting large extents with a buffer of a reasonable +maximum size limit and reading multiple times instead. + +Note that only `--extract` option is impacted. + +CVE: CVE-2023-33552 +Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33552 +Reported-by: Chaoming Yang <lometsj@live.com> +Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") +Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> +Link: https://lore.kernel.org/r/20230602030519.117071-1-hsiangkao@linux.alibaba.com + +CVE: CVE-2023-33552 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/patch/?id=2145dff03dd3f3f74bcda3b52160fbad37f7fcfe] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + fsck/main.c | 64 ++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 49 insertions(+), 15 deletions(-) + +diff --git a/fsck/main.c b/fsck/main.c +index 92ef17a..1bd1117 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -392,6 +392,8 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + } + + while (pos < inode->i_size) { ++ unsigned int alloc_rawsize; ++ + map.m_la = pos; + if (compressed) + ret = z_erofs_map_blocks_iter(inode, &map, +@@ -420,10 +422,28 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + if (!(map.m_flags & EROFS_MAP_MAPPED) || !fsckcfg.check_decomp) + continue; + +- if (map.m_plen > raw_size) { +- raw_size = map.m_plen; +- raw = realloc(raw, raw_size); +- BUG_ON(!raw); ++ if (map.m_plen > Z_EROFS_PCLUSTER_MAX_SIZE) { ++ if (compressed) { ++ erofs_err("invalid pcluster size %" PRIu64 " @ offset %" PRIu64 " of nid %" PRIu64, ++ map.m_plen, map.m_la, ++ inode->nid | 0ULL); ++ ret = -EFSCORRUPTED; ++ goto out; ++ } ++ alloc_rawsize = Z_EROFS_PCLUSTER_MAX_SIZE; ++ } else { ++ alloc_rawsize = map.m_plen; ++ } ++ ++ if (alloc_rawsize > raw_size) { ++ char *newraw = realloc(raw, alloc_rawsize); ++ ++ if (!newraw) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ raw = newraw; ++ raw_size = alloc_rawsize; + } + + if (compressed) { +@@ -434,18 +454,26 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + } + ret = z_erofs_read_one_data(inode, &map, raw, buffer, + 0, map.m_llen, false); +- } else { +- ret = erofs_read_one_data(&map, raw, 0, map.m_plen); +- } +- if (ret) +- goto out; ++ if (ret) ++ goto out; + +- if (outfd >= 0 && write(outfd, compressed ? buffer : raw, +- map.m_llen) < 0) { +- erofs_err("I/O error occurred when verifying data chunk @ nid %llu", +- inode->nid | 0ULL); +- ret = -EIO; +- goto out; ++ if (outfd >= 0 && write(outfd, buffer, map.m_llen) < 0) ++ goto fail_eio; ++ } else { ++ u64 p = 0; ++ do { ++ u64 count = min_t(u64, alloc_rawsize, ++ map.m_llen); ++ ++ ret = erofs_read_one_data(&map, raw, p, count); ++ if (ret) ++ goto out; ++ ++ if (outfd >= 0 && write(outfd, raw, count) < 0) ++ goto fail_eio; ++ map.m_llen -= count; ++ p += count; ++ } while (map.m_llen); + } + } + +@@ -461,6 +489,12 @@ out: + if (buffer) + free(buffer); + return ret < 0 ? ret : 0; ++ ++fail_eio: ++ erofs_err("I/O error occurred when verifying data chunk @ nid %llu", ++ inode->nid | 0ULL); ++ ret = -EIO; ++ goto out; + } + + static inline int erofs_extract_dir(struct erofs_inode *inode) +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb b/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb index 2b5861882d..d7e646a66c 100644 --- a/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb @@ -10,6 +10,10 @@ SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;b file://0001-configure-use-AC_SYS_LARGEFILE.patch \ file://0002-erofs-replace-l-stat64-by-equivalent-l-stat.patch \ file://0003-internal.h-Make-LFS-mandatory-for-all-usecases.patch \ + file://CVE-2023-33551.patch \ + file://CVE-2023-33552-1.patch \ + file://CVE-2023-33552-2.patch \ + file://CVE-2023-33552-3.patch \ " UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(\d+(\.\d+)+))" diff --git a/poky/meta/recipes-devtools/file/file_5.44.bb b/poky/meta/recipes-devtools/file/file_5.45.bb index 3090d346ed..a7127023cb 100644 --- a/poky/meta/recipes-devtools/file/file_5.44.bb +++ b/poky/meta/recipes-devtools/file/file_5.45.bb @@ -13,7 +13,7 @@ DEPENDS:class-native = "bzip2-replacement-native" SRC_URI = "git://github.com/file/file.git;branch=master;protocol=https" -SRCREV = "b92eed41b1bc0739c5c5d70c444e0c574429321b" +SRCREV = "4cbd5c8f0851201d203755b76cb66ba991ffd8be" S = "${WORKDIR}/git" inherit autotools update-alternatives @@ -45,9 +45,10 @@ do_install:append:class-native() { } do_install:append:class-nativesdk() { + create_wrapper ${D}/${bindir}/file MAGIC=${datadir}/misc/magic.mgc mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d cat <<- EOF > ${D}${SDKPATHNATIVE}/environment-setup.d/file.sh - export MAGIC="$OECORE_NATIVE_SYSROOT${datadir}/misc/magic.mgc" + export MAGIC="${datadir}/misc/magic.mgc" EOF } diff --git a/poky/meta/recipes-devtools/gcc/gcc-12.2.inc b/poky/meta/recipes-devtools/gcc/gcc-12.3.inc index 0dbbecad4a..5655b6f46d 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-12.2.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-12.3.inc @@ -2,11 +2,11 @@ require gcc-common.inc # Third digit in PV should be incremented after a minor release -PV = "12.2.0" +PV = "12.3.0" # BINV should be incremented to a revision after a minor gcc release -BINV = "12.2.0" +BINV = "12.3.0" FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc:${FILE_DIRNAME}/gcc/backport:" @@ -63,8 +63,10 @@ SRC_URI = "${BASEURI} \ file://0026-rust-recursion-limit.patch \ file://prefix-map-realpath.patch \ file://hardcoded-paths.patch \ + file://CVE-2023-4039.patch \ + file://0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch \ " -SRC_URI[sha256sum] = "e549cf9cf3594a00e27b6589d4322d70e0720cdd213f39beb4181e06926230ff" +SRC_URI[sha256sum] = "949a5d4f99e786421a93b532b22ffab5578de7321369975b91aec97adfda8c3b" S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/${SOURCEDIR}" B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}" diff --git a/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc b/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc index e4cdb73f0a..dba25eb754 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc @@ -40,7 +40,6 @@ EXTRA_OECONF = "\ ${@get_gcc_mips_plt_setting(bb, d)} \ ${@get_gcc_ppc_plt_settings(bb, d)} \ ${@get_gcc_multiarch_setting(bb, d)} \ - --enable-standard-branch-protection \ " # glibc version is a minimum controlling whether features are enabled. diff --git a/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.3.bb index bf53c5cd78..bf53c5cd78 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-cross_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-cross_12.3.bb index b43cca0c52..b43cca0c52 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-cross_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-cross_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc b/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc index bd2e71d63f..74c4537f4f 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc @@ -10,3 +10,5 @@ GCCMULTILIB = "--disable-multilib" DEPENDS = "virtual/${TARGET_PREFIX}binutils-crosssdk gettext-native ${NATIVEDEPS}" PROVIDES = "virtual/${TARGET_PREFIX}gcc-crosssdk virtual/${TARGET_PREFIX}g++-crosssdk" + +gcc_multilib_setup[vardepsexclude] = "MULTILIB_VARIANTS" diff --git a/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.3.bb index 40a6c4feff..40a6c4feff 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-runtime_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-runtime_12.3.bb index dd430b57eb..dd430b57eb 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-runtime_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-runtime_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.3.bb index 8bda2ccad6..8bda2ccad6 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-source_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-source_12.3.bb index b890fa33ea..b890fa33ea 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-source_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-source_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc b/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc index f68fec58ed..64f60c730f 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc @@ -51,9 +51,10 @@ python check_prepare() { # enable all valid instructions, since the test suite itself does not # limit itself to the target cpu options. # - valid for x86*, powerpc, arm, arm64 - if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "ppc", "arm", "aarch64"]: + if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "arm", "aarch64"]: args += ["-cpu", "max"] - + elif qemu_binary.lstrip("qemu-") in ["ppc"]: + args += d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH')).split() sysroot = d.getVar("RECIPE_SYSROOT") args += ["-L", sysroot] # lib paths are static here instead of using $libdir since this is used by a -cross recipe diff --git a/poky/meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch b/poky/meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch new file mode 100644 index 0000000000..a408a98698 --- /dev/null +++ b/poky/meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch @@ -0,0 +1,117 @@ +From adb60dc78e0da4877747f32347cee339364775be Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Fri, 15 Sep 2023 09:19:14 +0100 +Subject: [PATCH] aarch64: Fix loose ldpstp check [PR111411] + +aarch64_operands_ok_for_ldpstp contained the code: + + /* One of the memory accesses must be a mempair operand. + If it is not the first one, they need to be swapped by the + peephole. */ + if (!aarch64_mem_pair_operand (mem_1, GET_MODE (mem_1)) + && !aarch64_mem_pair_operand (mem_2, GET_MODE (mem_2))) + return false; + +But the requirement isn't just that one of the accesses must be a +valid mempair operand. It's that the lower access must be, since +that's the access that will be used for the instruction operand. + +gcc/ + PR target/111411 + * config/aarch64/aarch64.cc (aarch64_operands_ok_for_ldpstp): Require + the lower memory access to a mem-pair operand. + +gcc/testsuite/ + PR target/111411 + * gcc.dg/rtl/aarch64/pr111411.c: New test. + +Upstream-Status: Backport [https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=2d38f45bcca62ca0c7afef4b579f82c5c2a01610] +Signed-off-by: Martin Jansa <martin.jansa@gmail.com> +--- + gcc/config/aarch64/aarch64.cc | 8 ++- + gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c | 57 +++++++++++++++++++++ + 2 files changed, 60 insertions(+), 5 deletions(-) + create mode 100644 gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 6118a3354ac..9b1f791ca8b 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -26154,11 +26154,9 @@ aarch64_operands_ok_for_ldpstp (rtx *operands, bool load, + gcc_assert (known_eq (GET_MODE_SIZE (GET_MODE (mem_1)), + GET_MODE_SIZE (GET_MODE (mem_2)))); + +- /* One of the memory accesses must be a mempair operand. +- If it is not the first one, they need to be swapped by the +- peephole. */ +- if (!aarch64_mem_pair_operand (mem_1, GET_MODE (mem_1)) +- && !aarch64_mem_pair_operand (mem_2, GET_MODE (mem_2))) ++ /* The lower memory access must be a mem-pair operand. */ ++ rtx lower_mem = reversed ? mem_2 : mem_1; ++ if (!aarch64_mem_pair_operand (lower_mem, GET_MODE (lower_mem))) + return false; + + if (REG_P (reg_1) && FP_REGNUM_P (REGNO (reg_1))) +diff --git a/gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c b/gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c +new file mode 100644 +index 00000000000..ad07e9c6c89 +--- /dev/null ++++ b/gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c +@@ -0,0 +1,57 @@ ++/* { dg-do compile { target aarch64*-*-* } } */ ++/* { dg-require-effective-target lp64 } */ ++/* { dg-options "-O -fdisable-rtl-postreload -fpeephole2 -fno-schedule-fusion" } */ ++ ++extern int data[]; ++ ++void __RTL (startwith ("ira")) foo (void *ptr) ++{ ++ (function "foo" ++ (param "ptr" ++ (DECL_RTL (reg/v:DI <0> [ ptr ])) ++ (DECL_RTL_INCOMING (reg/v:DI x0 [ ptr ])) ++ ) ;; param "ptr" ++ (insn-chain ++ (block 2 ++ (edge-from entry (flags "FALLTHRU")) ++ (cnote 3 [bb 2] NOTE_INSN_BASIC_BLOCK) ++ (insn 4 (set (reg:DI <0>) (reg:DI x0))) ++ (insn 5 (set (reg:DI <1>) ++ (plus:DI (reg:DI <0>) (const_int 768)))) ++ (insn 6 (set (mem:SI (plus:DI (reg:DI <0>) ++ (const_int 508)) [1 &data+508 S4 A4]) ++ (const_int 0))) ++ (insn 7 (set (mem:SI (plus:DI (reg:DI <1>) ++ (const_int -256)) [1 &data+512 S4 A4]) ++ (const_int 0))) ++ (edge-to exit (flags "FALLTHRU")) ++ ) ;; block 2 ++ ) ;; insn-chain ++ ) ;; function ++} ++ ++void __RTL (startwith ("ira")) bar (void *ptr) ++{ ++ (function "bar" ++ (param "ptr" ++ (DECL_RTL (reg/v:DI <0> [ ptr ])) ++ (DECL_RTL_INCOMING (reg/v:DI x0 [ ptr ])) ++ ) ;; param "ptr" ++ (insn-chain ++ (block 2 ++ (edge-from entry (flags "FALLTHRU")) ++ (cnote 3 [bb 2] NOTE_INSN_BASIC_BLOCK) ++ (insn 4 (set (reg:DI <0>) (reg:DI x0))) ++ (insn 5 (set (reg:DI <1>) ++ (plus:DI (reg:DI <0>) (const_int 768)))) ++ (insn 6 (set (mem:SI (plus:DI (reg:DI <1>) ++ (const_int -256)) [1 &data+512 S4 A4]) ++ (const_int 0))) ++ (insn 7 (set (mem:SI (plus:DI (reg:DI <0>) ++ (const_int 508)) [1 &data+508 S4 A4]) ++ (const_int 0))) ++ (edge-to exit (flags "FALLTHRU")) ++ ) ;; block 2 ++ ) ;; insn-chain ++ ) ;; function ++} diff --git a/poky/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch b/poky/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch new file mode 100644 index 0000000000..8cb52849cd --- /dev/null +++ b/poky/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch @@ -0,0 +1,3093 @@ +From: Richard Sandiford <richard.sandiford@arm.com> +Subject: [PATCH 00/19] aarch64: Fix -fstack-protector issue +Date: Tue, 12 Sep 2023 16:25:10 +0100 + +This series of patches fixes deficiencies in GCC's -fstack-protector +implementation for AArch64 when using dynamically allocated stack space. +This is CVE-2023-4039. See: + +https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64 +https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf + +for more details. + +The fix is to put the saved registers above the locals area when +-fstack-protector is used. + +The series also fixes a stack-clash problem that I found while working +on the CVE. In unpatched sources, the stack-clash problem would only +trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an +equivalent). But it would be a more significant issue with the new +-fstack-protector frame layout. It's therefore important that both +problems are fixed together. + +Some reorganisation of the code seemed necessary to fix the problems in a +cleanish way. The series is therefore quite long, but only a handful of +patches should have any effect on code generation. + +See the individual patches for a detailed description. + +Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches. +I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039. + +CVE: CVE-2023-4039 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + + +From 62fbb215cc817e9f2c1ca80282a64f4ee30806bc Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:48 +0100 +Subject: [PATCH 01/19] aarch64: Use local frame vars in shrink-wrapping code + +aarch64_layout_frame uses a shorthand for referring to +cfun->machine->frame: + + aarch64_frame &frame = cfun->machine->frame; + +This patch does the same for some other heavy users of the structure. +No functional change intended. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_save_callee_saves): Use + a local shorthand for cfun->machine->frame. + (aarch64_restore_callee_saves, aarch64_get_separate_components): + (aarch64_process_components): Likewise. + (aarch64_allocate_and_probe_stack_space): Likewise. + (aarch64_expand_prologue, aarch64_expand_epilogue): Likewise. + (aarch64_layout_frame): Use existing shorthand for one more case. +--- + gcc/config/aarch64/aarch64.cc | 123 ++++++++++++++++++---------------- + 1 file changed, 64 insertions(+), 59 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 226dc9dffd4..ae42ffdedbe 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8351,7 +8351,7 @@ aarch64_layout_frame (void) + frame.is_scs_enabled + = (!crtl->calls_eh_return + && sanitize_flags_p (SANITIZE_SHADOW_CALL_STACK) +- && known_ge (cfun->machine->frame.reg_offset[LR_REGNUM], 0)); ++ && known_ge (frame.reg_offset[LR_REGNUM], 0)); + + /* When shadow call stack is enabled, the scs_pop in the epilogue will + restore x30, and we don't need to pop x30 again in the traditional +@@ -8763,6 +8763,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + unsigned start, unsigned limit, bool skip_wb, + bool hard_fp_valid_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + rtx_insn *insn; + unsigned regno; + unsigned regno2; +@@ -8777,8 +8778,8 @@ aarch64_save_callee_saves (poly_int64 start_offset, + bool frame_related_p = aarch64_emit_cfi_for_reg_p (regno); + + if (skip_wb +- && (regno == cfun->machine->frame.wb_push_candidate1 +- || regno == cfun->machine->frame.wb_push_candidate2)) ++ && (regno == frame.wb_push_candidate1 ++ || regno == frame.wb_push_candidate2)) + continue; + + if (cfun->machine->reg_is_wrapped_separately[regno]) +@@ -8786,7 +8787,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + cfun->machine->frame.reg_offset[regno]; ++ offset = start_offset + frame.reg_offset[regno]; + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8799,7 +8800,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + { + gcc_assert (known_eq (start_offset, 0)); + poly_int64 fp_offset +- = cfun->machine->frame.below_hard_fp_saved_regs_size; ++ = frame.below_hard_fp_saved_regs_size; + if (hard_fp_valid_p) + base_rtx = hard_frame_pointer_rtx; + else +@@ -8821,8 +8822,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit + && !cfun->machine->reg_is_wrapped_separately[regno2] + && known_eq (GET_MODE_SIZE (mode), +- cfun->machine->frame.reg_offset[regno2] +- - cfun->machine->frame.reg_offset[regno])) ++ frame.reg_offset[regno2] - frame.reg_offset[regno])) + { + rtx reg2 = gen_rtx_REG (mode, regno2); + rtx mem2; +@@ -8872,6 +8872,7 @@ static void + aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + unsigned limit, bool skip_wb, rtx *cfi_ops) + { ++ aarch64_frame &frame = cfun->machine->frame; + unsigned regno; + unsigned regno2; + poly_int64 offset; +@@ -8888,13 +8889,13 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + rtx reg, mem; + + if (skip_wb +- && (regno == cfun->machine->frame.wb_pop_candidate1 +- || regno == cfun->machine->frame.wb_pop_candidate2)) ++ && (regno == frame.wb_pop_candidate1 ++ || regno == frame.wb_pop_candidate2)) + continue; + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + cfun->machine->frame.reg_offset[regno]; ++ offset = start_offset + frame.reg_offset[regno]; + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -8905,8 +8906,7 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit + && !cfun->machine->reg_is_wrapped_separately[regno2] + && known_eq (GET_MODE_SIZE (mode), +- cfun->machine->frame.reg_offset[regno2] +- - cfun->machine->frame.reg_offset[regno])) ++ frame.reg_offset[regno2] - frame.reg_offset[regno])) + { + rtx reg2 = gen_rtx_REG (mode, regno2); + rtx mem2; +@@ -9011,6 +9011,7 @@ offset_12bit_unsigned_scaled_p (machine_mode mode, poly_int64 offset) + static sbitmap + aarch64_get_separate_components (void) + { ++ aarch64_frame &frame = cfun->machine->frame; + sbitmap components = sbitmap_alloc (LAST_SAVED_REGNUM + 1); + bitmap_clear (components); + +@@ -9027,18 +9028,18 @@ aarch64_get_separate_components (void) + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + continue; + +- poly_int64 offset = cfun->machine->frame.reg_offset[regno]; ++ poly_int64 offset = frame.reg_offset[regno]; + + /* If the register is saved in the first SVE save slot, we use + it as a stack probe for -fstack-clash-protection. */ + if (flag_stack_clash_protection +- && maybe_ne (cfun->machine->frame.below_hard_fp_saved_regs_size, 0) ++ && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) + && known_eq (offset, 0)) + continue; + + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) +- offset -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset -= frame.below_hard_fp_saved_regs_size; + else + offset += crtl->outgoing_args_size; + +@@ -9057,11 +9058,11 @@ aarch64_get_separate_components (void) + /* If the spare predicate register used by big-endian SVE code + is call-preserved, it must be saved in the main prologue + before any saves that use it. */ +- if (cfun->machine->frame.spare_pred_reg != INVALID_REGNUM) +- bitmap_clear_bit (components, cfun->machine->frame.spare_pred_reg); ++ if (frame.spare_pred_reg != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.spare_pred_reg); + +- unsigned reg1 = cfun->machine->frame.wb_push_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_push_candidate2; ++ unsigned reg1 = frame.wb_push_candidate1; ++ unsigned reg2 = frame.wb_push_candidate2; + /* If registers have been chosen to be stored/restored with + writeback don't interfere with them to avoid having to output explicit + stack adjustment instructions. */ +@@ -9170,6 +9171,7 @@ aarch64_get_next_set_bit (sbitmap bmp, unsigned int start) + static void + aarch64_process_components (sbitmap components, bool prologue_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + rtx ptr_reg = gen_rtx_REG (Pmode, frame_pointer_needed + ? HARD_FRAME_POINTER_REGNUM + : STACK_POINTER_REGNUM); +@@ -9184,9 +9186,9 @@ aarch64_process_components (sbitmap components, bool prologue_p) + machine_mode mode = aarch64_reg_save_mode (regno); + + rtx reg = gen_rtx_REG (mode, regno); +- poly_int64 offset = cfun->machine->frame.reg_offset[regno]; ++ poly_int64 offset = frame.reg_offset[regno]; + if (frame_pointer_needed) +- offset -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset -= frame.below_hard_fp_saved_regs_size; + else + offset += crtl->outgoing_args_size; + +@@ -9211,14 +9213,14 @@ aarch64_process_components (sbitmap components, bool prologue_p) + break; + } + +- poly_int64 offset2 = cfun->machine->frame.reg_offset[regno2]; ++ poly_int64 offset2 = frame.reg_offset[regno2]; + /* The next register is not of the same class or its offset is not + mergeable with the current one into a pair. */ + if (aarch64_sve_mode_p (mode) + || !satisfies_constraint_Ump (mem) + || GP_REGNUM_P (regno) != GP_REGNUM_P (regno2) + || (crtl->abi->id () == ARM_PCS_SIMD && FP_REGNUM_P (regno)) +- || maybe_ne ((offset2 - cfun->machine->frame.reg_offset[regno]), ++ || maybe_ne ((offset2 - frame.reg_offset[regno]), + GET_MODE_SIZE (mode))) + { + insn = emit_insn (set); +@@ -9240,7 +9242,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + /* REGNO2 can be saved/restored in a pair with REGNO. */ + rtx reg2 = gen_rtx_REG (mode, regno2); + if (frame_pointer_needed) +- offset2 -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset2 -= frame.below_hard_fp_saved_regs_size; + else + offset2 += crtl->outgoing_args_size; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); +@@ -9335,6 +9337,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + bool frame_related_p, + bool final_adjustment_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + HOST_WIDE_INT guard_size + = 1 << param_stack_clash_protection_guard_size; + HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; +@@ -9355,25 +9358,25 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + register as a probe. We can't assume that LR was saved at position 0 + though, so treat any space below it as unprobed. */ + if (final_adjustment_p +- && known_eq (cfun->machine->frame.below_hard_fp_saved_regs_size, 0)) ++ && known_eq (frame.below_hard_fp_saved_regs_size, 0)) + { +- poly_int64 lr_offset = cfun->machine->frame.reg_offset[LR_REGNUM]; ++ poly_int64 lr_offset = frame.reg_offset[LR_REGNUM]; + if (known_ge (lr_offset, 0)) + min_probe_threshold -= lr_offset.to_constant (); + else + gcc_assert (!flag_stack_clash_protection || known_eq (poly_size, 0)); + } + +- poly_int64 frame_size = cfun->machine->frame.frame_size; ++ poly_int64 frame_size = frame.frame_size; + + /* We should always have a positive probe threshold. */ + gcc_assert (min_probe_threshold > 0); + + if (flag_stack_clash_protection && !final_adjustment_p) + { +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; + + if (known_eq (frame_size, 0)) + { +@@ -9662,17 +9665,18 @@ aarch64_epilogue_uses (int regno) + void + aarch64_expand_prologue (void) + { +- poly_int64 frame_size = cfun->machine->frame.frame_size; +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- HOST_WIDE_INT callee_adjust = cfun->machine->frame.callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; +- poly_int64 callee_offset = cfun->machine->frame.callee_offset; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; ++ aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 frame_size = frame.frame_size; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ HOST_WIDE_INT callee_adjust = frame.callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; ++ poly_int64 callee_offset = frame.callee_offset; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size +- = cfun->machine->frame.below_hard_fp_saved_regs_size; +- unsigned reg1 = cfun->machine->frame.wb_push_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_push_candidate2; +- bool emit_frame_chain = cfun->machine->frame.emit_frame_chain; ++ = frame.below_hard_fp_saved_regs_size; ++ unsigned reg1 = frame.wb_push_candidate1; ++ unsigned reg2 = frame.wb_push_candidate2; ++ bool emit_frame_chain = frame.emit_frame_chain; + rtx_insn *insn; + + if (flag_stack_clash_protection && known_eq (callee_adjust, 0)) +@@ -9703,7 +9707,7 @@ aarch64_expand_prologue (void) + } + + /* Push return address to shadow call stack. */ +- if (cfun->machine->frame.is_scs_enabled) ++ if (frame.is_scs_enabled) + emit_insn (gen_scs_push ()); + + if (flag_stack_usage_info) +@@ -9742,7 +9746,7 @@ aarch64_expand_prologue (void) + + /* The offset of the frame chain record (if any) from the current SP. */ + poly_int64 chain_offset = (initial_adjust + callee_adjust +- - cfun->machine->frame.hard_fp_offset); ++ - frame.hard_fp_offset); + gcc_assert (known_ge (chain_offset, 0)); + + /* The offset of the bottom of the save area from the current SP. */ +@@ -9845,16 +9849,17 @@ aarch64_use_return_insn_p (void) + void + aarch64_expand_epilogue (bool for_sibcall) + { +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- HOST_WIDE_INT callee_adjust = cfun->machine->frame.callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; +- poly_int64 callee_offset = cfun->machine->frame.callee_offset; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; ++ aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ HOST_WIDE_INT callee_adjust = frame.callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; ++ poly_int64 callee_offset = frame.callee_offset; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size +- = cfun->machine->frame.below_hard_fp_saved_regs_size; +- unsigned reg1 = cfun->machine->frame.wb_pop_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_pop_candidate2; +- unsigned int last_gpr = (cfun->machine->frame.is_scs_enabled ++ = frame.below_hard_fp_saved_regs_size; ++ unsigned reg1 = frame.wb_pop_candidate1; ++ unsigned reg2 = frame.wb_pop_candidate2; ++ unsigned int last_gpr = (frame.is_scs_enabled + ? R29_REGNUM : R30_REGNUM); + rtx cfi_ops = NULL; + rtx_insn *insn; +@@ -9888,7 +9893,7 @@ aarch64_expand_epilogue (bool for_sibcall) + /* We need to add memory barrier to prevent read from deallocated stack. */ + bool need_barrier_p + = maybe_ne (get_frame_size () +- + cfun->machine->frame.saved_varargs_size, 0); ++ + frame.saved_varargs_size, 0); + + /* Emit a barrier to prevent loads from a deallocated stack. */ + if (maybe_gt (final_adjust, crtl->outgoing_args_size) +@@ -9969,7 +9974,7 @@ aarch64_expand_epilogue (bool for_sibcall) + } + + /* Pop return address from shadow call stack. */ +- if (cfun->machine->frame.is_scs_enabled) ++ if (frame.is_scs_enabled) + { + machine_mode mode = aarch64_reg_save_mode (R30_REGNUM); + rtx reg = gen_rtx_REG (mode, R30_REGNUM); +@@ -12564,24 +12569,24 @@ aarch64_can_eliminate (const int from ATTRIBUTE_UNUSED, const int to) + poly_int64 + aarch64_initial_elimination_offset (unsigned from, unsigned to) + { ++ aarch64_frame &frame = cfun->machine->frame; ++ + if (to == HARD_FRAME_POINTER_REGNUM) + { + if (from == ARG_POINTER_REGNUM) +- return cfun->machine->frame.hard_fp_offset; ++ return frame.hard_fp_offset; + + if (from == FRAME_POINTER_REGNUM) +- return cfun->machine->frame.hard_fp_offset +- - cfun->machine->frame.locals_offset; ++ return frame.hard_fp_offset - frame.locals_offset; + } + + if (to == STACK_POINTER_REGNUM) + { + if (from == FRAME_POINTER_REGNUM) +- return cfun->machine->frame.frame_size +- - cfun->machine->frame.locals_offset; ++ return frame.frame_size - frame.locals_offset; + } + +- return cfun->machine->frame.frame_size; ++ return frame.frame_size; + } + + +-- +2.34.1 + + +From 12a8889de169f892d2e927584c00d20b8b7e456f Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:49 +0100 +Subject: [PATCH 02/19] aarch64: Avoid a use of callee_offset + +When we emit the frame chain, i.e. when we reach Here in this statement +of aarch64_expand_prologue: + + if (emit_frame_chain) + { + // Here + ... + } + +the stack is in one of two states: + +- We've allocated up to the frame chain, but no more. + +- We've allocated the whole frame, and the frame chain is within easy + reach of the new SP. + +The offset of the frame chain from the current SP is available +in aarch64_frame as callee_offset. It is also available as the +chain_offset local variable, where the latter is calculated from other +data. (However, chain_offset is not always equal to callee_offset when +!emit_frame_chain, so chain_offset isn't redundant.) + +In c600df9a4060da3c6121ff4d0b93f179eafd69d1 I switched to using +chain_offset for the initialisation of the hard frame pointer: + + aarch64_add_offset (Pmode, hard_frame_pointer_rtx, +- stack_pointer_rtx, callee_offset, ++ stack_pointer_rtx, chain_offset, + tmp1_rtx, tmp0_rtx, frame_pointer_needed); + +But the later REG_CFA_ADJUST_CFA handling still used callee_offset. + +I think the difference is harmless, but it's more logical for the +CFA note to be in sync, and it's more convenient for later patches +if it uses chain_offset. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_expand_prologue): Use + chain_offset rather than callee_offset. +--- + gcc/config/aarch64/aarch64.cc | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index ae42ffdedbe..79253322fd7 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9670,7 +9670,6 @@ aarch64_expand_prologue (void) + poly_int64 initial_adjust = frame.initial_adjust; + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; +- poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size + = frame.below_hard_fp_saved_regs_size; +@@ -9783,8 +9782,7 @@ aarch64_expand_prologue (void) + implicit. */ + if (!find_reg_note (insn, REG_CFA_ADJUST_CFA, NULL_RTX)) + { +- rtx src = plus_constant (Pmode, stack_pointer_rtx, +- callee_offset); ++ rtx src = plus_constant (Pmode, stack_pointer_rtx, chain_offset); + add_reg_note (insn, REG_CFA_ADJUST_CFA, + gen_rtx_SET (hard_frame_pointer_rtx, src)); + } +-- +2.34.1 + + +From 03d5e89e7f3be53fd7142556e8e0a2774c653dca Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:49 +0100 +Subject: [PATCH 03/19] aarch64: Explicitly handle frames with no saved + registers + +If a frame has no saved registers, it can be allocated in one go. +There is no need to treat the areas below and above the saved +registers as separate. + +And if we allocate the frame in one go, it should be allocated +as the initial_adjust rather than the final_adjust. This allows the +frame size to grow to guard_size - guard_used_by_caller before a stack +probe is needed. (A frame with no register saves is necessarily a +leaf frame.) + +This is a no-op as thing stand, since a leaf function will have +no outgoing arguments, and so all the frame will be above where +the saved registers normally go. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Explicitly + allocate the frame in one go if there are no saved registers. +--- + gcc/config/aarch64/aarch64.cc | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 79253322fd7..e1f21230c15 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8378,9 +8378,11 @@ aarch64_layout_frame (void) + + HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; + HOST_WIDE_INT const_saved_regs_size; +- if (frame.frame_size.is_constant (&const_size) +- && const_size < max_push_offset +- && known_eq (frame.hard_fp_offset, const_size)) ++ if (known_eq (frame.saved_regs_size, 0)) ++ frame.initial_adjust = frame.frame_size; ++ else if (frame.frame_size.is_constant (&const_size) ++ && const_size < max_push_offset ++ && known_eq (frame.hard_fp_offset, const_size)) + { + /* Simple, small frame with no outgoing arguments: + +-- +2.34.1 + + +From 49c2eb7616756c323b7f6b18d8616ec945eb1263 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:49 +0100 +Subject: [PATCH 04/19] aarch64: Add bytes_below_saved_regs to frame info + +The frame layout code currently hard-codes the assumption that +the number of bytes below the saved registers is equal to the +size of the outgoing arguments. This patch abstracts that +value into a new field of aarch64_frame. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::bytes_below_saved_regs): New + field. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize it, + and use it instead of crtl->outgoing_args_size. + (aarch64_get_separate_components): Use bytes_below_saved_regs instead + of outgoing_args_size. + (aarch64_process_components): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 71 ++++++++++++++++++----------------- + gcc/config/aarch64/aarch64.h | 5 +++ + 2 files changed, 41 insertions(+), 35 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index e1f21230c15..94e1b686584 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8217,6 +8217,8 @@ aarch64_layout_frame (void) + gcc_assert (crtl->is_leaf + || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + ++ frame.bytes_below_saved_regs = crtl->outgoing_args_size; ++ + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small + offset range. These saves happen below the hard frame pointer. */ +@@ -8321,18 +8323,18 @@ aarch64_layout_frame (void) + + poly_int64 varargs_and_saved_regs_size = offset + frame.saved_varargs_size; + +- poly_int64 above_outgoing_args ++ poly_int64 saved_regs_and_above + = aligned_upper_bound (varargs_and_saved_regs_size + + get_frame_size (), + STACK_BOUNDARY / BITS_PER_UNIT); + + frame.hard_fp_offset +- = above_outgoing_args - frame.below_hard_fp_saved_regs_size; ++ = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; + + /* Both these values are already aligned. */ +- gcc_assert (multiple_p (crtl->outgoing_args_size, ++ gcc_assert (multiple_p (frame.bytes_below_saved_regs, + STACK_BOUNDARY / BITS_PER_UNIT)); +- frame.frame_size = above_outgoing_args + crtl->outgoing_args_size; ++ frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; + + frame.locals_offset = frame.saved_varargs_size; + +@@ -8376,7 +8378,7 @@ aarch64_layout_frame (void) + else if (frame.wb_pop_candidate1 != INVALID_REGNUM) + max_push_offset = 256; + +- HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; ++ HOST_WIDE_INT const_size, const_below_saved_regs, const_fp_offset; + HOST_WIDE_INT const_saved_regs_size; + if (known_eq (frame.saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; +@@ -8384,31 +8386,31 @@ aarch64_layout_frame (void) + && const_size < max_push_offset + && known_eq (frame.hard_fp_offset, const_size)) + { +- /* Simple, small frame with no outgoing arguments: ++ /* Simple, small frame with no data below the saved registers. + + stp reg1, reg2, [sp, -frame_size]! + stp reg3, reg4, [sp, 16] */ + frame.callee_adjust = const_size; + } +- else if (crtl->outgoing_args_size.is_constant (&const_outgoing_args_size) ++ else if (frame.bytes_below_saved_regs.is_constant (&const_below_saved_regs) + && frame.saved_regs_size.is_constant (&const_saved_regs_size) +- && const_outgoing_args_size + const_saved_regs_size < 512 +- /* We could handle this case even with outgoing args, provided +- that the number of args left us with valid offsets for all +- predicate and vector save slots. It's such a rare case that +- it hardly seems worth the effort though. */ +- && (!saves_below_hard_fp_p || const_outgoing_args_size == 0) ++ && const_below_saved_regs + const_saved_regs_size < 512 ++ /* We could handle this case even with data below the saved ++ registers, provided that that data left us with valid offsets ++ for all predicate and vector save slots. It's such a rare ++ case that it hardly seems worth the effort though. */ ++ && (!saves_below_hard_fp_p || const_below_saved_regs == 0) + && !(cfun->calls_alloca + && frame.hard_fp_offset.is_constant (&const_fp_offset) + && const_fp_offset < max_push_offset)) + { +- /* Frame with small outgoing arguments: ++ /* Frame with small area below the saved registers: + + sub sp, sp, frame_size +- stp reg1, reg2, [sp, outgoing_args_size] +- stp reg3, reg4, [sp, outgoing_args_size + 16] */ ++ stp reg1, reg2, [sp, bytes_below_saved_regs] ++ stp reg3, reg4, [sp, bytes_below_saved_regs + 16] */ + frame.initial_adjust = frame.frame_size; +- frame.callee_offset = const_outgoing_args_size; ++ frame.callee_offset = const_below_saved_regs; + } + else if (saves_below_hard_fp_p + && known_eq (frame.saved_regs_size, +@@ -8418,30 +8420,29 @@ aarch64_layout_frame (void) + + sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size + save SVE registers relative to SP +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = (frame.hard_fp_offset + + frame.below_hard_fp_saved_regs_size); +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + else if (frame.hard_fp_offset.is_constant (&const_fp_offset) + && const_fp_offset < max_push_offset) + { +- /* Frame with large outgoing arguments or SVE saves, but with +- a small local area: ++ /* Frame with large area below the saved registers, or with SVE saves, ++ but with a small area above: + + stp reg1, reg2, [sp, -hard_fp_offset]! + stp reg3, reg4, [sp, 16] + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.callee_adjust = const_fp_offset; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + else + { +- /* Frame with large local area and outgoing arguments or SVE saves, +- using frame pointer: ++ /* General case: + + sub sp, sp, hard_fp_offset + stp x29, x30, [sp, 0] +@@ -8449,10 +8450,10 @@ aarch64_layout_frame (void) + stp reg3, reg4, [sp, 16] + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = frame.hard_fp_offset; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + + /* Make sure the individual adjustments add up to the full frame size. */ +@@ -9043,7 +9044,7 @@ aarch64_get_separate_components (void) + if (frame_pointer_needed) + offset -= frame.below_hard_fp_saved_regs_size; + else +- offset += crtl->outgoing_args_size; ++ offset += frame.bytes_below_saved_regs; + + /* Check that we can access the stack slot of the register with one + direct load with no adjustments needed. */ +@@ -9192,7 +9193,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + if (frame_pointer_needed) + offset -= frame.below_hard_fp_saved_regs_size; + else +- offset += crtl->outgoing_args_size; ++ offset += frame.bytes_below_saved_regs; + + rtx addr = plus_constant (Pmode, ptr_reg, offset); + rtx mem = gen_frame_mem (mode, addr); +@@ -9246,7 +9247,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + if (frame_pointer_needed) + offset2 -= frame.below_hard_fp_saved_regs_size; + else +- offset2 += crtl->outgoing_args_size; ++ offset2 += frame.bytes_below_saved_regs; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); + rtx mem2 = gen_frame_mem (mode, addr2); + rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2) +@@ -9320,10 +9321,10 @@ aarch64_stack_clash_protection_alloca_probe_range (void) + registers. If POLY_SIZE is not large enough to require a probe this function + will only adjust the stack. When allocating the stack space + FRAME_RELATED_P is then used to indicate if the allocation is frame related. +- FINAL_ADJUSTMENT_P indicates whether we are allocating the outgoing +- arguments. If we are then we ensure that any allocation larger than the ABI +- defined buffer needs a probe so that the invariant of having a 1KB buffer is +- maintained. ++ FINAL_ADJUSTMENT_P indicates whether we are allocating the area below ++ the saved registers. If we are then we ensure that any allocation ++ larger than the ABI defined buffer needs a probe so that the ++ invariant of having a 1KB buffer is maintained. + + We emit barriers after each stack adjustment to prevent optimizations from + breaking the invariant that we never drop the stack more than a page. This +@@ -9532,7 +9533,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + /* Handle any residuals. Residuals of at least MIN_PROBE_THRESHOLD have to + be probed. This maintains the requirement that each page is probed at + least once. For initial probing we probe only if the allocation is +- more than GUARD_SIZE - buffer, and for the outgoing arguments we probe ++ more than GUARD_SIZE - buffer, and below the saved registers we probe + if the amount is larger than buffer. GUARD_SIZE - buffer + buffer == + GUARD_SIZE. This works that for any allocation that is large enough to + trigger a probe here, we'll have at least one, and if they're not large +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 6834c3e9922..1e105e12db8 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -871,6 +871,11 @@ struct GTY (()) aarch64_frame + /* The size of the callee-save registers with a slot in REG_OFFSET. */ + poly_int64 saved_regs_size; + ++ /* The number of bytes between the bottom of the static frame (the bottom ++ of the outgoing arguments) and the bottom of the register save area. ++ This value is always a multiple of STACK_BOUNDARY. */ ++ poly_int64 bytes_below_saved_regs; ++ + /* The size of the callee-save registers with a slot in REG_OFFSET that + are saved below the hard frame pointer. */ + poly_int64 below_hard_fp_saved_regs_size; +-- +2.34.1 + + +From 34081079ea4de0c98331843f574b5f6f94d7b234 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:50 +0100 +Subject: [PATCH 05/19] aarch64: Add bytes_below_hard_fp to frame info + +Following on from the previous bytes_below_saved_regs patch, this one +records the number of bytes that are below the hard frame pointer. +This eventually replaces below_hard_fp_saved_regs_size. + +If a frame pointer is not needed, the epilogue adds final_adjust +to the stack pointer before restoring registers: + + aarch64_add_sp (tmp1_rtx, tmp0_rtx, final_adjust, true); + +Therefore, if the epilogue needs to restore the stack pointer from +the hard frame pointer, the directly corresponding offset is: + + -bytes_below_hard_fp + final_adjust + +i.e. go from the hard frame pointer to the bottom of the frame, +then add the same amount as if we were using the stack pointer +from the outset. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::bytes_below_hard_fp): New + field. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize it. + (aarch64_expand_epilogue): Use it instead of + below_hard_fp_saved_regs_size. +--- + gcc/config/aarch64/aarch64.cc | 6 +++--- + gcc/config/aarch64/aarch64.h | 5 +++++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 94e1b686584..c7d84245fbf 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8269,6 +8269,7 @@ aarch64_layout_frame (void) + of the callee save area. */ + bool saves_below_hard_fp_p = maybe_ne (offset, 0); + frame.below_hard_fp_saved_regs_size = offset; ++ frame.bytes_below_hard_fp = offset + frame.bytes_below_saved_regs; + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +@@ -9856,8 +9857,7 @@ aarch64_expand_epilogue (bool for_sibcall) + poly_int64 final_adjust = frame.final_adjust; + poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; +- poly_int64 below_hard_fp_saved_regs_size +- = frame.below_hard_fp_saved_regs_size; ++ poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; + unsigned reg1 = frame.wb_pop_candidate1; + unsigned reg2 = frame.wb_pop_candidate2; + unsigned int last_gpr = (frame.is_scs_enabled +@@ -9915,7 +9915,7 @@ aarch64_expand_epilogue (bool for_sibcall) + is restored on the instruction doing the writeback. */ + aarch64_add_offset (Pmode, stack_pointer_rtx, + hard_frame_pointer_rtx, +- -callee_offset - below_hard_fp_saved_regs_size, ++ -bytes_below_hard_fp + final_adjust, + tmp1_rtx, tmp0_rtx, callee_adjust == 0); + else + /* The case where we need to re-use the register here is very rare, so +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 1e105e12db8..de68ff7202f 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -880,6 +880,11 @@ struct GTY (()) aarch64_frame + are saved below the hard frame pointer. */ + poly_int64 below_hard_fp_saved_regs_size; + ++ /* The number of bytes between the bottom of the static frame (the bottom ++ of the outgoing arguments) and the hard frame pointer. This value is ++ always a multiple of STACK_BOUNDARY. */ ++ poly_int64 bytes_below_hard_fp; ++ + /* Offset from the base of the frame (incomming SP) to the + top of the locals area. This value is always a multiple of + STACK_BOUNDARY. */ +-- +2.34.1 + + +From 187861af7c51db9eddc6f954b589c121b210fc74 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:50 +0100 +Subject: [PATCH 06/19] aarch64: Tweak aarch64_save/restore_callee_saves + +aarch64_save_callee_saves and aarch64_restore_callee_saves took +a parameter called start_offset that gives the offset of the +bottom of the saved register area from the current stack pointer. +However, it's more convenient for later patches if we use the +bottom of the entire frame as the reference point, rather than +the bottom of the saved registers. + +Doing that removes the need for the callee_offset field. +Other than that, this is not a win on its own. It only really +makes sense in combination with the follow-on patches. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::callee_offset): Delete. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Remove + callee_offset handling. + (aarch64_save_callee_saves): Replace the start_offset parameter + with a bytes_below_sp parameter. + (aarch64_restore_callee_saves): Likewise. + (aarch64_expand_prologue): Update accordingly. + (aarch64_expand_epilogue): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 56 +++++++++++++++++------------------ + gcc/config/aarch64/aarch64.h | 4 --- + 2 files changed, 28 insertions(+), 32 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index c7d84245fbf..e79551af41d 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8343,7 +8343,6 @@ aarch64_layout_frame (void) + frame.final_adjust = 0; + frame.callee_adjust = 0; + frame.sve_callee_adjust = 0; +- frame.callee_offset = 0; + + frame.wb_pop_candidate1 = frame.wb_push_candidate1; + frame.wb_pop_candidate2 = frame.wb_push_candidate2; +@@ -8411,7 +8410,6 @@ aarch64_layout_frame (void) + stp reg1, reg2, [sp, bytes_below_saved_regs] + stp reg3, reg4, [sp, bytes_below_saved_regs + 16] */ + frame.initial_adjust = frame.frame_size; +- frame.callee_offset = const_below_saved_regs; + } + else if (saves_below_hard_fp_p + && known_eq (frame.saved_regs_size, +@@ -8758,12 +8756,13 @@ aarch64_add_cfa_expression (rtx_insn *insn, rtx reg, + } + + /* Emit code to save the callee-saved registers from register number START +- to LIMIT to the stack at the location starting at offset START_OFFSET, +- skipping any write-back candidates if SKIP_WB is true. HARD_FP_VALID_P +- is true if the hard frame pointer has been set up. */ ++ to LIMIT to the stack. The stack pointer is currently BYTES_BELOW_SP ++ bytes above the bottom of the static frame. Skip any write-back ++ candidates if SKIP_WB is true. HARD_FP_VALID_P is true if the hard ++ frame pointer has been set up. */ + + static void +-aarch64_save_callee_saves (poly_int64 start_offset, ++aarch64_save_callee_saves (poly_int64 bytes_below_sp, + unsigned start, unsigned limit, bool skip_wb, + bool hard_fp_valid_p) + { +@@ -8791,7 +8790,9 @@ aarch64_save_callee_saves (poly_int64 start_offset, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + frame.reg_offset[regno]; ++ offset = (frame.reg_offset[regno] ++ + frame.bytes_below_saved_regs ++ - bytes_below_sp); + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8802,9 +8803,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + else if (GP_REGNUM_P (regno) + && (!offset.is_constant (&const_offset) || const_offset >= 512)) + { +- gcc_assert (known_eq (start_offset, 0)); +- poly_int64 fp_offset +- = frame.below_hard_fp_saved_regs_size; ++ poly_int64 fp_offset = frame.bytes_below_hard_fp - bytes_below_sp; + if (hard_fp_valid_p) + base_rtx = hard_frame_pointer_rtx; + else +@@ -8868,12 +8867,13 @@ aarch64_save_callee_saves (poly_int64 start_offset, + } + + /* Emit code to restore the callee registers from register number START +- up to and including LIMIT. Restore from the stack offset START_OFFSET, +- skipping any write-back candidates if SKIP_WB is true. Write the +- appropriate REG_CFA_RESTORE notes into CFI_OPS. */ ++ up to and including LIMIT. The stack pointer is currently BYTES_BELOW_SP ++ bytes above the bottom of the static frame. Skip any write-back ++ candidates if SKIP_WB is true. Write the appropriate REG_CFA_RESTORE ++ notes into CFI_OPS. */ + + static void +-aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, ++aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, + unsigned limit, bool skip_wb, rtx *cfi_ops) + { + aarch64_frame &frame = cfun->machine->frame; +@@ -8899,7 +8899,9 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + frame.reg_offset[regno]; ++ offset = (frame.reg_offset[regno] ++ + frame.bytes_below_saved_regs ++ - bytes_below_sp); + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -9675,8 +9677,6 @@ aarch64_expand_prologue (void) + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; +- poly_int64 below_hard_fp_saved_regs_size +- = frame.below_hard_fp_saved_regs_size; + unsigned reg1 = frame.wb_push_candidate1; + unsigned reg2 = frame.wb_push_candidate2; + bool emit_frame_chain = frame.emit_frame_chain; +@@ -9752,8 +9752,8 @@ aarch64_expand_prologue (void) + - frame.hard_fp_offset); + gcc_assert (known_ge (chain_offset, 0)); + +- /* The offset of the bottom of the save area from the current SP. */ +- poly_int64 saved_regs_offset = chain_offset - below_hard_fp_saved_regs_size; ++ /* The offset of the current SP from the bottom of the static frame. */ ++ poly_int64 bytes_below_sp = frame_size - initial_adjust - callee_adjust; + + if (emit_frame_chain) + { +@@ -9761,7 +9761,7 @@ aarch64_expand_prologue (void) + { + reg1 = R29_REGNUM; + reg2 = R30_REGNUM; +- aarch64_save_callee_saves (saved_regs_offset, reg1, reg2, ++ aarch64_save_callee_saves (bytes_below_sp, reg1, reg2, + false, false); + } + else +@@ -9801,7 +9801,7 @@ aarch64_expand_prologue (void) + emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx)); + } + +- aarch64_save_callee_saves (saved_regs_offset, R0_REGNUM, R30_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, R0_REGNUM, R30_REGNUM, + callee_adjust != 0 || emit_frame_chain, + emit_frame_chain); + if (maybe_ne (sve_callee_adjust, 0)) +@@ -9811,16 +9811,17 @@ aarch64_expand_prologue (void) + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, + sve_callee_adjust, + !frame_pointer_needed, false); +- saved_regs_offset += sve_callee_adjust; ++ bytes_below_sp -= sve_callee_adjust; + } +- aarch64_save_callee_saves (saved_regs_offset, P0_REGNUM, P15_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, P0_REGNUM, P15_REGNUM, + false, emit_frame_chain); +- aarch64_save_callee_saves (saved_regs_offset, V0_REGNUM, V31_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, V0_REGNUM, V31_REGNUM, + callee_adjust != 0 || emit_frame_chain, + emit_frame_chain); + + /* We may need to probe the final adjustment if it is larger than the guard + that is assumed by the called. */ ++ gcc_assert (known_eq (bytes_below_sp, final_adjust)); + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, + !frame_pointer_needed, true); + } +@@ -9855,7 +9856,6 @@ aarch64_expand_epilogue (bool for_sibcall) + poly_int64 initial_adjust = frame.initial_adjust; + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; +- poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; + unsigned reg1 = frame.wb_pop_candidate1; +@@ -9925,9 +9925,9 @@ aarch64_expand_epilogue (bool for_sibcall) + + /* Restore the vector registers before the predicate registers, + so that we can use P4 as a temporary for big-endian SVE frames. */ +- aarch64_restore_callee_saves (callee_offset, V0_REGNUM, V31_REGNUM, ++ aarch64_restore_callee_saves (final_adjust, V0_REGNUM, V31_REGNUM, + callee_adjust != 0, &cfi_ops); +- aarch64_restore_callee_saves (callee_offset, P0_REGNUM, P15_REGNUM, ++ aarch64_restore_callee_saves (final_adjust, P0_REGNUM, P15_REGNUM, + false, &cfi_ops); + if (maybe_ne (sve_callee_adjust, 0)) + aarch64_add_sp (NULL_RTX, NULL_RTX, sve_callee_adjust, true); +@@ -9935,7 +9935,7 @@ aarch64_expand_epilogue (bool for_sibcall) + /* When shadow call stack is enabled, the scs_pop in the epilogue will + restore x30, we don't need to restore x30 again in the traditional + way. */ +- aarch64_restore_callee_saves (callee_offset - sve_callee_adjust, ++ aarch64_restore_callee_saves (final_adjust + sve_callee_adjust, + R0_REGNUM, last_gpr, + callee_adjust != 0, &cfi_ops); + +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index de68ff7202f..94fca4b9471 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -907,10 +907,6 @@ struct GTY (()) aarch64_frame + It is zero when no push is used. */ + HOST_WIDE_INT callee_adjust; + +- /* The offset from SP to the callee-save registers after initial_adjust. +- It may be non-zero if no push is used (ie. callee_adjust == 0). */ +- poly_int64 callee_offset; +- + /* The size of the stack adjustment before saving or after restoring + SVE registers. */ + poly_int64 sve_callee_adjust; +-- +2.34.1 + + +From 2b983f9064d808daf909bde1d4a13980934a7e6e Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:51 +0100 +Subject: [PATCH 07/19] aarch64: Only calculate chain_offset if there is a + chain + +After previous patches, it is no longer necessary to calculate +a chain_offset in cases where there is no chain record. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_expand_prologue): Move the + calculation of chain_offset into the emit_frame_chain block. +--- + gcc/config/aarch64/aarch64.cc | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index e79551af41d..d71a042d611 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9747,16 +9747,16 @@ aarch64_expand_prologue (void) + if (callee_adjust != 0) + aarch64_push_regs (reg1, reg2, callee_adjust); + +- /* The offset of the frame chain record (if any) from the current SP. */ +- poly_int64 chain_offset = (initial_adjust + callee_adjust +- - frame.hard_fp_offset); +- gcc_assert (known_ge (chain_offset, 0)); +- + /* The offset of the current SP from the bottom of the static frame. */ + poly_int64 bytes_below_sp = frame_size - initial_adjust - callee_adjust; + + if (emit_frame_chain) + { ++ /* The offset of the frame chain record (if any) from the current SP. */ ++ poly_int64 chain_offset = (initial_adjust + callee_adjust ++ - frame.hard_fp_offset); ++ gcc_assert (known_ge (chain_offset, 0)); ++ + if (callee_adjust == 0) + { + reg1 = R29_REGNUM; +-- +2.34.1 + + +From 0a0a824808d1dec51004fb5805c1a0ae2a35433f Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:51 +0100 +Subject: [PATCH 08/19] aarch64: Rename locals_offset to bytes_above_locals +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +locals_offset was described as: + + /* Offset from the base of the frame (incomming SP) to the + top of the locals area. This value is always a multiple of + STACK_BOUNDARY. */ + +This is implicitly an “upside down” view of the frame: the incoming +SP is at offset 0, and anything N bytes below the incoming SP is at +offset N (rather than -N). + +However, reg_offset instead uses a “right way up” view; that is, +it views offsets in address terms. Something above X is at a +positive offset from X and something below X is at a negative +offset from X. + +Also, even on FRAME_GROWS_DOWNWARD targets like AArch64, +target-independent code views offsets in address terms too: +locals are allocated at negative offsets to virtual_stack_vars. + +It seems confusing to have *_offset fields of the same structure +using different polarities like this. This patch tries to avoid +that by renaming locals_offset to bytes_above_locals. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::locals_offset): Rename to... + (aarch64_frame::bytes_above_locals): ...this. + * config/aarch64/aarch64.cc (aarch64_layout_frame) + (aarch64_initial_elimination_offset): Update accordingly. +--- + gcc/config/aarch64/aarch64.cc | 6 +++--- + gcc/config/aarch64/aarch64.h | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index d71a042d611..d4ec352ba98 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8337,7 +8337,7 @@ aarch64_layout_frame (void) + STACK_BOUNDARY / BITS_PER_UNIT)); + frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; + +- frame.locals_offset = frame.saved_varargs_size; ++ frame.bytes_above_locals = frame.saved_varargs_size; + + frame.initial_adjust = 0; + frame.final_adjust = 0; +@@ -12578,13 +12578,13 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) + return frame.hard_fp_offset; + + if (from == FRAME_POINTER_REGNUM) +- return frame.hard_fp_offset - frame.locals_offset; ++ return frame.hard_fp_offset - frame.bytes_above_locals; + } + + if (to == STACK_POINTER_REGNUM) + { + if (from == FRAME_POINTER_REGNUM) +- return frame.frame_size - frame.locals_offset; ++ return frame.frame_size - frame.bytes_above_locals; + } + + return frame.frame_size; +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 94fca4b9471..bf46e6124aa 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -885,10 +885,10 @@ struct GTY (()) aarch64_frame + always a multiple of STACK_BOUNDARY. */ + poly_int64 bytes_below_hard_fp; + +- /* Offset from the base of the frame (incomming SP) to the +- top of the locals area. This value is always a multiple of ++ /* The number of bytes between the top of the locals area and the top ++ of the frame (the incomming SP). This value is always a multiple of + STACK_BOUNDARY. */ +- poly_int64 locals_offset; ++ poly_int64 bytes_above_locals; + + /* Offset from the base of the frame (incomming SP) to the + hard_frame_pointer. This value is always a multiple of +-- +2.34.1 + + +From 3fbf0789202b30a67b12e1fb785c7130f098d665 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:52 +0100 +Subject: [PATCH 09/19] aarch64: Rename hard_fp_offset to bytes_above_hard_fp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Similarly to the previous locals_offset patch, hard_fp_offset +was described as: + + /* Offset from the base of the frame (incomming SP) to the + hard_frame_pointer. This value is always a multiple of + STACK_BOUNDARY. */ + poly_int64 hard_fp_offset; + +which again took an “upside-down” view: higher offsets meant lower +addresses. This patch renames the field to bytes_above_hard_fp instead. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::hard_fp_offset): Rename + to... + (aarch64_frame::bytes_above_hard_fp): ...this. + * config/aarch64/aarch64.cc (aarch64_layout_frame) + (aarch64_expand_prologue): Update accordingly. + (aarch64_initial_elimination_offset): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 26 +++++++++++++------------- + gcc/config/aarch64/aarch64.h | 6 +++--- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index d4ec352ba98..3c4052740e7 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8329,7 +8329,7 @@ aarch64_layout_frame (void) + + get_frame_size (), + STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.hard_fp_offset ++ frame.bytes_above_hard_fp + = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; + + /* Both these values are already aligned. */ +@@ -8378,13 +8378,13 @@ aarch64_layout_frame (void) + else if (frame.wb_pop_candidate1 != INVALID_REGNUM) + max_push_offset = 256; + +- HOST_WIDE_INT const_size, const_below_saved_regs, const_fp_offset; ++ HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; + if (known_eq (frame.saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; + else if (frame.frame_size.is_constant (&const_size) + && const_size < max_push_offset +- && known_eq (frame.hard_fp_offset, const_size)) ++ && known_eq (frame.bytes_above_hard_fp, const_size)) + { + /* Simple, small frame with no data below the saved registers. + +@@ -8401,8 +8401,8 @@ aarch64_layout_frame (void) + case that it hardly seems worth the effort though. */ + && (!saves_below_hard_fp_p || const_below_saved_regs == 0) + && !(cfun->calls_alloca +- && frame.hard_fp_offset.is_constant (&const_fp_offset) +- && const_fp_offset < max_push_offset)) ++ && frame.bytes_above_hard_fp.is_constant (&const_above_fp) ++ && const_above_fp < max_push_offset)) + { + /* Frame with small area below the saved registers: + +@@ -8420,12 +8420,12 @@ aarch64_layout_frame (void) + sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size + save SVE registers relative to SP + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = (frame.hard_fp_offset ++ frame.initial_adjust = (frame.bytes_above_hard_fp + + frame.below_hard_fp_saved_regs_size); + frame.final_adjust = frame.bytes_below_saved_regs; + } +- else if (frame.hard_fp_offset.is_constant (&const_fp_offset) +- && const_fp_offset < max_push_offset) ++ else if (frame.bytes_above_hard_fp.is_constant (&const_above_fp) ++ && const_above_fp < max_push_offset) + { + /* Frame with large area below the saved registers, or with SVE saves, + but with a small area above: +@@ -8435,7 +8435,7 @@ aarch64_layout_frame (void) + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ +- frame.callee_adjust = const_fp_offset; ++ frame.callee_adjust = const_above_fp; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } +@@ -8450,7 +8450,7 @@ aarch64_layout_frame (void) + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = frame.hard_fp_offset; ++ frame.initial_adjust = frame.bytes_above_hard_fp; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } +@@ -9754,7 +9754,7 @@ aarch64_expand_prologue (void) + { + /* The offset of the frame chain record (if any) from the current SP. */ + poly_int64 chain_offset = (initial_adjust + callee_adjust +- - frame.hard_fp_offset); ++ - frame.bytes_above_hard_fp); + gcc_assert (known_ge (chain_offset, 0)); + + if (callee_adjust == 0) +@@ -12575,10 +12575,10 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) + if (to == HARD_FRAME_POINTER_REGNUM) + { + if (from == ARG_POINTER_REGNUM) +- return frame.hard_fp_offset; ++ return frame.bytes_above_hard_fp; + + if (from == FRAME_POINTER_REGNUM) +- return frame.hard_fp_offset - frame.bytes_above_locals; ++ return frame.bytes_above_hard_fp - frame.bytes_above_locals; + } + + if (to == STACK_POINTER_REGNUM) +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index bf46e6124aa..dd1f403f939 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -890,10 +890,10 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + poly_int64 bytes_above_locals; + +- /* Offset from the base of the frame (incomming SP) to the +- hard_frame_pointer. This value is always a multiple of ++ /* The number of bytes between the hard_frame_pointer and the top of ++ the frame (the incomming SP). This value is always a multiple of + STACK_BOUNDARY. */ +- poly_int64 hard_fp_offset; ++ poly_int64 bytes_above_hard_fp; + + /* The size of the frame. This value is the offset from base of the + frame (incomming SP) to the stack_pointer. This value is always +-- +2.34.1 + + +From aac8b31379ac3bbd14fc6427dce23f56e54e8485 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:52 +0100 +Subject: [PATCH 10/19] aarch64: Tweak frame_size comment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes another case in which a value was described with +an “upside-down” view. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::frame_size): Tweak comment. +--- + gcc/config/aarch64/aarch64.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index dd1f403f939..700524ae22b 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -895,8 +895,8 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + poly_int64 bytes_above_hard_fp; + +- /* The size of the frame. This value is the offset from base of the +- frame (incomming SP) to the stack_pointer. This value is always ++ /* The size of the frame, i.e. the number of bytes between the bottom ++ of the outgoing arguments and the incoming SP. This value is always + a multiple of STACK_BOUNDARY. */ + poly_int64 frame_size; + +-- +2.34.1 + + +From 8d5506a8aeb8dd7e8b209a3663b07688478f76b9 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:53 +0100 +Subject: [PATCH 11/19] aarch64: Measure reg_offset from the bottom of the + frame + +reg_offset was measured from the bottom of the saved register area. +This made perfect sense with the original layout, since the bottom +of the saved register area was also the hard frame pointer address. +It became slightly less obvious with SVE, since we save SVE +registers below the hard frame pointer, but it still made sense. + +However, if we want to allow different frame layouts, it's more +convenient and obvious to measure reg_offset from the bottom of +the frame. After previous patches, it's also a slight simplification +in its own right. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame): Add comment above + reg_offset. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Walk offsets + from the bottom of the frame, rather than the bottom of the saved + register area. Measure reg_offset from the bottom of the frame + rather than the bottom of the saved register area. + (aarch64_save_callee_saves): Update accordingly. + (aarch64_restore_callee_saves): Likewise. + (aarch64_get_separate_components): Likewise. + (aarch64_process_components): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 53 ++++++++++++++++------------------- + gcc/config/aarch64/aarch64.h | 3 ++ + 2 files changed, 27 insertions(+), 29 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 3c4052740e7..97dd077844b 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8139,7 +8139,6 @@ aarch64_needs_frame_chain (void) + static void + aarch64_layout_frame (void) + { +- poly_int64 offset = 0; + int regno, last_fp_reg = INVALID_REGNUM; + machine_mode vector_save_mode = aarch64_reg_save_mode (V8_REGNUM); + poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); +@@ -8217,7 +8216,9 @@ aarch64_layout_frame (void) + gcc_assert (crtl->is_leaf + || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + +- frame.bytes_below_saved_regs = crtl->outgoing_args_size; ++ poly_int64 offset = crtl->outgoing_args_size; ++ gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ frame.bytes_below_saved_regs = offset; + + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small +@@ -8229,7 +8230,8 @@ aarch64_layout_frame (void) + offset += BYTES_PER_SVE_PRED; + } + +- if (maybe_ne (offset, 0)) ++ poly_int64 saved_prs_size = offset - frame.bytes_below_saved_regs; ++ if (maybe_ne (saved_prs_size, 0)) + { + /* If we have any vector registers to save above the predicate registers, + the offset of the vector register save slots need to be a multiple +@@ -8247,10 +8249,10 @@ aarch64_layout_frame (void) + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + else + { +- if (known_le (offset, vector_save_size)) +- offset = vector_save_size; +- else if (known_le (offset, vector_save_size * 2)) +- offset = vector_save_size * 2; ++ if (known_le (saved_prs_size, vector_save_size)) ++ offset = frame.bytes_below_saved_regs + vector_save_size; ++ else if (known_le (saved_prs_size, vector_save_size * 2)) ++ offset = frame.bytes_below_saved_regs + vector_save_size * 2; + else + gcc_unreachable (); + } +@@ -8267,9 +8269,10 @@ aarch64_layout_frame (void) + + /* OFFSET is now the offset of the hard frame pointer from the bottom + of the callee save area. */ +- bool saves_below_hard_fp_p = maybe_ne (offset, 0); +- frame.below_hard_fp_saved_regs_size = offset; +- frame.bytes_below_hard_fp = offset + frame.bytes_below_saved_regs; ++ frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; ++ bool saves_below_hard_fp_p ++ = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ frame.bytes_below_hard_fp = offset; + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +@@ -8320,9 +8323,10 @@ aarch64_layout_frame (void) + + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.saved_regs_size = offset; ++ frame.saved_regs_size = offset - frame.bytes_below_saved_regs; + +- poly_int64 varargs_and_saved_regs_size = offset + frame.saved_varargs_size; ++ poly_int64 varargs_and_saved_regs_size ++ = frame.saved_regs_size + frame.saved_varargs_size; + + poly_int64 saved_regs_and_above + = aligned_upper_bound (varargs_and_saved_regs_size +@@ -8790,9 +8794,7 @@ aarch64_save_callee_saves (poly_int64 bytes_below_sp, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = (frame.reg_offset[regno] +- + frame.bytes_below_saved_regs +- - bytes_below_sp); ++ offset = frame.reg_offset[regno] - bytes_below_sp; + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8899,9 +8901,7 @@ aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = (frame.reg_offset[regno] +- + frame.bytes_below_saved_regs +- - bytes_below_sp); ++ offset = frame.reg_offset[regno] - bytes_below_sp; + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -9040,14 +9040,12 @@ aarch64_get_separate_components (void) + it as a stack probe for -fstack-clash-protection. */ + if (flag_stack_clash_protection + && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) +- && known_eq (offset, 0)) ++ && known_eq (offset, frame.bytes_below_saved_regs)) + continue; + + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) +- offset -= frame.below_hard_fp_saved_regs_size; +- else +- offset += frame.bytes_below_saved_regs; ++ offset -= frame.bytes_below_hard_fp; + + /* Check that we can access the stack slot of the register with one + direct load with no adjustments needed. */ +@@ -9194,9 +9192,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + rtx reg = gen_rtx_REG (mode, regno); + poly_int64 offset = frame.reg_offset[regno]; + if (frame_pointer_needed) +- offset -= frame.below_hard_fp_saved_regs_size; +- else +- offset += frame.bytes_below_saved_regs; ++ offset -= frame.bytes_below_hard_fp; + + rtx addr = plus_constant (Pmode, ptr_reg, offset); + rtx mem = gen_frame_mem (mode, addr); +@@ -9248,9 +9244,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + /* REGNO2 can be saved/restored in a pair with REGNO. */ + rtx reg2 = gen_rtx_REG (mode, regno2); + if (frame_pointer_needed) +- offset2 -= frame.below_hard_fp_saved_regs_size; +- else +- offset2 += frame.bytes_below_saved_regs; ++ offset2 -= frame.bytes_below_hard_fp; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); + rtx mem2 = gen_frame_mem (mode, addr2); + rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2) +@@ -9366,7 +9360,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + if (final_adjustment_p + && known_eq (frame.below_hard_fp_saved_regs_size, 0)) + { +- poly_int64 lr_offset = frame.reg_offset[LR_REGNUM]; ++ poly_int64 lr_offset = (frame.reg_offset[LR_REGNUM] ++ - frame.bytes_below_saved_regs); + if (known_ge (lr_offset, 0)) + min_probe_threshold -= lr_offset.to_constant (); + else +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 700524ae22b..b6135837073 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -860,6 +860,9 @@ extern enum aarch64_processor aarch64_tune; + #ifdef HAVE_POLY_INT_H + struct GTY (()) aarch64_frame + { ++ /* The offset from the bottom of the static frame (the bottom of the ++ outgoing arguments) of each register save slot, or -2 if no save is ++ needed. */ + poly_int64 reg_offset[LAST_SAVED_REGNUM + 1]; + + /* The number of extra stack bytes taken up by register varargs. +-- +2.34.1 + + +From b47766614df3b9df878262efb2ad73aaac108363 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:53 +0100 +Subject: [PATCH 12/19] aarch64: Simplify top of frame allocation + +After previous patches, it no longer really makes sense to allocate +the top of the frame in terms of varargs_and_saved_regs_size and +saved_regs_and_above. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Simplify + the allocation of the top of the frame. +--- + gcc/config/aarch64/aarch64.cc | 23 ++++++++--------------- + 1 file changed, 8 insertions(+), 15 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 97dd077844b..81935852d5b 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8325,23 +8325,16 @@ aarch64_layout_frame (void) + + frame.saved_regs_size = offset - frame.bytes_below_saved_regs; + +- poly_int64 varargs_and_saved_regs_size +- = frame.saved_regs_size + frame.saved_varargs_size; +- +- poly_int64 saved_regs_and_above +- = aligned_upper_bound (varargs_and_saved_regs_size +- + get_frame_size (), +- STACK_BOUNDARY / BITS_PER_UNIT); +- +- frame.bytes_above_hard_fp +- = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ auto top_of_locals = offset; + +- /* Both these values are already aligned. */ +- gcc_assert (multiple_p (frame.bytes_below_saved_regs, +- STACK_BOUNDARY / BITS_PER_UNIT)); +- frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; ++ offset += frame.saved_varargs_size; ++ gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ frame.frame_size = offset; + +- frame.bytes_above_locals = frame.saved_varargs_size; ++ frame.bytes_above_hard_fp = frame.frame_size - frame.bytes_below_hard_fp; ++ frame.bytes_above_locals = frame.frame_size - top_of_locals; + + frame.initial_adjust = 0; + frame.final_adjust = 0; +-- +2.34.1 + + +From 08f71b4bb28fb74d20e8d2927a557e8119ce9f4d Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:54 +0100 +Subject: [PATCH 13/19] aarch64: Minor initial adjustment tweak + +This patch just changes a calculation of initial_adjust +to one that makes it slightly more obvious that the total +adjustment is frame.frame_size. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Tweak + calculation of initial_adjust for frames in which all saves + are SVE saves. +--- + gcc/config/aarch64/aarch64.cc | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 81935852d5b..4d9fcf3d162 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8414,11 +8414,10 @@ aarch64_layout_frame (void) + { + /* Frame in which all saves are SVE saves: + +- sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size ++ sub sp, sp, frame_size - bytes_below_saved_regs + save SVE registers relative to SP + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = (frame.bytes_above_hard_fp +- + frame.below_hard_fp_saved_regs_size); ++ frame.initial_adjust = frame.frame_size - frame.bytes_below_saved_regs; + frame.final_adjust = frame.bytes_below_saved_regs; + } + else if (frame.bytes_above_hard_fp.is_constant (&const_above_fp) +-- +2.34.1 + + +From f22315d5c19e8310e4dc880fd509678fd291fca8 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:54 +0100 +Subject: [PATCH 14/19] aarch64: Tweak stack clash boundary condition + +The AArch64 ABI says that, when stack clash protection is used, +there can be a maximum of 1KiB of unprobed space at sp on entry +to a function. Therefore, we need to probe when allocating +>= guard_size - 1KiB of data (>= rather than >). This is what +GCC does. + +If an allocation is exactly guard_size bytes, it is enough to allocate +those bytes and probe once at offset 1024. It isn't possible to use a +single probe at any other offset: higher would conmplicate later code, +by leaving more unprobed space than usual, while lower would risk +leaving an entire page unprobed. For simplicity, the code probes all +allocations at offset 1024. + +Some register saves also act as probes. If we need to allocate +more space below the last such register save probe, we need to +probe the allocation if it is > 1KiB. Again, this allocation is +then sometimes (but not always) probed at offset 1024. This sort of +allocation is currently only used for outgoing arguments, which are +rarely this big. + +However, the code also probed if this final outgoing-arguments +allocation was == 1KiB, rather than just > 1KiB. This isn't +necessary, since the register save then probes at offset 1024 +as required. Continuing to probe allocations of exactly 1KiB +would complicate later patches. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_allocate_and_probe_stack_space): + Don't probe final allocations that are exactly 1KiB in size (after + unprobed space above the final allocation has been deducted). + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-17.c: New test. +--- + gcc/config/aarch64/aarch64.cc | 4 +- + .../aarch64/stack-check-prologue-17.c | 55 +++++++++++++++++++ + 2 files changed, 58 insertions(+), 1 deletion(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 4d9fcf3d162..34c1d8614cd 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9333,9 +9333,11 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + HOST_WIDE_INT guard_size + = 1 << param_stack_clash_protection_guard_size; + HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; ++ HOST_WIDE_INT byte_sp_alignment = STACK_BOUNDARY / BITS_PER_UNIT; ++ gcc_assert (multiple_p (poly_size, byte_sp_alignment)); + HOST_WIDE_INT min_probe_threshold + = (final_adjustment_p +- ? guard_used_by_caller ++ ? guard_used_by_caller + byte_sp_alignment + : guard_size - guard_used_by_caller); + /* When doing the final adjustment for the outgoing arguments, take into + account any unprobed space there is above the current SP. There are +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +new file mode 100644 +index 00000000000..0d8a25d73a2 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +@@ -0,0 +1,55 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} +-- +2.34.1 + + +From 15e18831bf98fd25af098b970ebf0c9a6200a34b Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:55 +0100 +Subject: [PATCH 15/19] aarch64: Put LR save probe in first 16 bytes + +-fstack-clash-protection uses the save of LR as a probe for the next +allocation. The next allocation could be: + +* another part of the static frame, e.g. when allocating SVE save slots + or outgoing arguments + +* an alloca in the same function + +* an allocation made by a callee function + +However, when -fomit-frame-pointer is used, the LR save slot is placed +above the other GPR save slots. It could therefore be up to 80 bytes +above the base of the GPR save area (which is also the hard fp address). + +aarch64_allocate_and_probe_stack_space took this into account when +deciding how much subsequent space could be allocated without needing +a probe. However, it interacted badly with: + + /* If doing a small final adjustment, we always probe at offset 0. + This is done to avoid issues when LR is not at position 0 or when + the final adjustment is smaller than the probing offset. */ + else if (final_adjustment_p && rounded_size == 0) + residual_probe_offset = 0; + +which forces any allocation that is smaller than the guard page size +to be probed at offset 0 rather than the usual offset 1024. It was +therefore possible to construct cases in which we had: + +* a probe using LR at SP + 80 bytes (or some other value >= 16) +* an allocation of the guard page size - 16 bytes +* a probe at SP + 0 + +which allocates guard page size + 64 consecutive unprobed bytes. + +This patch requires the LR probe to be in the first 16 bytes of the +save area when stack clash protection is active. Doing it +unconditionally would cause code-quality regressions. + +Putting LR before other registers prevents push/pop allocation +when shadow call stacks are enabled, since LR is restored +separately from the other callee-saved registers. + +The new comment doesn't say that the probe register is required +to be LR, since a later patch removes that restriction. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Ensure that + the LR save slot is in the first 16 bytes of the register save area. + Only form STP/LDP push/pop candidates if both registers are valid. + (aarch64_allocate_and_probe_stack_space): Remove workaround for + when LR was not in the first 16 bytes. + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-18.c: New test. + * gcc.target/aarch64/stack-check-prologue-19.c: Likewise. + * gcc.target/aarch64/stack-check-prologue-20.c: Likewise. +--- + gcc/config/aarch64/aarch64.cc | 72 ++++++------- + .../aarch64/stack-check-prologue-18.c | 100 ++++++++++++++++++ + .../aarch64/stack-check-prologue-19.c | 100 ++++++++++++++++++ + .../aarch64/stack-check-prologue-20.c | 3 + + 4 files changed, 233 insertions(+), 42 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 34c1d8614cd..16433fb70f4 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8273,26 +8273,34 @@ aarch64_layout_frame (void) + bool saves_below_hard_fp_p + = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); + frame.bytes_below_hard_fp = offset; ++ ++ auto allocate_gpr_slot = [&](unsigned int regno) ++ { ++ frame.reg_offset[regno] = offset; ++ if (frame.wb_push_candidate1 == INVALID_REGNUM) ++ frame.wb_push_candidate1 = regno; ++ else if (frame.wb_push_candidate2 == INVALID_REGNUM) ++ frame.wb_push_candidate2 = regno; ++ offset += UNITS_PER_WORD; ++ }; ++ + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +- frame.reg_offset[R29_REGNUM] = offset; +- frame.wb_push_candidate1 = R29_REGNUM; +- frame.reg_offset[R30_REGNUM] = offset + UNITS_PER_WORD; +- frame.wb_push_candidate2 = R30_REGNUM; +- offset += 2 * UNITS_PER_WORD; ++ allocate_gpr_slot (R29_REGNUM); ++ allocate_gpr_slot (R30_REGNUM); + } ++ else if (flag_stack_clash_protection ++ && known_eq (frame.reg_offset[R30_REGNUM], SLOT_REQUIRED)) ++ /* Put the LR save slot first, since it makes a good choice of probe ++ for stack clash purposes. The idea is that the link register usually ++ has to be saved before a call anyway, and so we lose little by ++ stopping it from being individually shrink-wrapped. */ ++ allocate_gpr_slot (R30_REGNUM); + + for (regno = R0_REGNUM; regno <= R30_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) +- { +- frame.reg_offset[regno] = offset; +- if (frame.wb_push_candidate1 == INVALID_REGNUM) +- frame.wb_push_candidate1 = regno; +- else if (frame.wb_push_candidate2 == INVALID_REGNUM) +- frame.wb_push_candidate2 = regno; +- offset += UNITS_PER_WORD; +- } ++ allocate_gpr_slot (regno); + + poly_int64 max_int_offset = offset; + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -8370,10 +8378,13 @@ aarch64_layout_frame (void) + max_push_offset to 0, because no registers are popped at this time, + so callee_adjust cannot be adjusted. */ + HOST_WIDE_INT max_push_offset = 0; +- if (frame.wb_pop_candidate2 != INVALID_REGNUM) +- max_push_offset = 512; +- else if (frame.wb_pop_candidate1 != INVALID_REGNUM) +- max_push_offset = 256; ++ if (frame.wb_pop_candidate1 != INVALID_REGNUM) ++ { ++ if (frame.wb_pop_candidate2 != INVALID_REGNUM) ++ max_push_offset = 512; ++ else ++ max_push_offset = 256; ++ } + + HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; +@@ -9339,29 +9350,6 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + = (final_adjustment_p + ? guard_used_by_caller + byte_sp_alignment + : guard_size - guard_used_by_caller); +- /* When doing the final adjustment for the outgoing arguments, take into +- account any unprobed space there is above the current SP. There are +- two cases: +- +- - When saving SVE registers below the hard frame pointer, we force +- the lowest save to take place in the prologue before doing the final +- adjustment (i.e. we don't allow the save to be shrink-wrapped). +- This acts as a probe at SP, so there is no unprobed space. +- +- - When there are no SVE register saves, we use the store of the link +- register as a probe. We can't assume that LR was saved at position 0 +- though, so treat any space below it as unprobed. */ +- if (final_adjustment_p +- && known_eq (frame.below_hard_fp_saved_regs_size, 0)) +- { +- poly_int64 lr_offset = (frame.reg_offset[LR_REGNUM] +- - frame.bytes_below_saved_regs); +- if (known_ge (lr_offset, 0)) +- min_probe_threshold -= lr_offset.to_constant (); +- else +- gcc_assert (!flag_stack_clash_protection || known_eq (poly_size, 0)); +- } +- + poly_int64 frame_size = frame.frame_size; + + /* We should always have a positive probe threshold. */ +@@ -9541,8 +9529,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + if (final_adjustment_p && rounded_size != 0) + min_probe_threshold = 0; + /* If doing a small final adjustment, we always probe at offset 0. +- This is done to avoid issues when LR is not at position 0 or when +- the final adjustment is smaller than the probing offset. */ ++ This is done to avoid issues when the final adjustment is smaller ++ than the probing offset. */ + else if (final_adjustment_p && rounded_size == 0) + residual_probe_offset = 0; + +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +new file mode 100644 +index 00000000000..82447d20fff +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +@@ -0,0 +1,100 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #4064 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++** str x26, \[sp, #?4128\] ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test3: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test3(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +new file mode 100644 +index 00000000000..73ac3e4e4eb +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +@@ -0,0 +1,100 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12 -fsanitize=shadow-call-stack -ffixed-x18" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #4064 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++** str x26, \[sp, #?4128\] ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test3: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test3(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c +new file mode 100644 +index 00000000000..690aae8dfd5 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c +@@ -0,0 +1,3 @@ ++/* { dg-options "-O2 -fstack-protector-all -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12 -fsanitize=shadow-call-stack -ffixed-x18" } */ ++ ++#include "stack-check-prologue-19.c" +-- +2.34.1 + + +From c4f0e121faa36342f1d21919e54a05ad841c4f86 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:55 +0100 +Subject: [PATCH 16/19] aarch64: Simplify probe of final frame allocation + +Previous patches ensured that the final frame allocation only needs +a probe when the size is strictly greater than 1KiB. It's therefore +safe to use the normal 1024 probe offset in all cases. + +The main motivation for doing this is to simplify the code and +remove the number of special cases. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_allocate_and_probe_stack_space): + Always probe the residual allocation at offset 1024, asserting + that that is in range. + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-17.c: Expect the probe + to be at offset 1024 rather than offset 0. + * gcc.target/aarch64/stack-check-prologue-18.c: Likewise. + * gcc.target/aarch64/stack-check-prologue-19.c: Likewise. +--- + gcc/config/aarch64/aarch64.cc | 12 ++++-------- + .../gcc.target/aarch64/stack-check-prologue-17.c | 2 +- + .../gcc.target/aarch64/stack-check-prologue-18.c | 4 ++-- + .../gcc.target/aarch64/stack-check-prologue-19.c | 4 ++-- + 4 files changed, 9 insertions(+), 13 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 16433fb70f4..8abf3d7a1e2 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9523,16 +9523,12 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + are still safe. */ + if (residual) + { +- HOST_WIDE_INT residual_probe_offset = guard_used_by_caller; ++ gcc_assert (guard_used_by_caller + byte_sp_alignment <= size); ++ + /* If we're doing final adjustments, and we've done any full page + allocations then any residual needs to be probed. */ + if (final_adjustment_p && rounded_size != 0) + min_probe_threshold = 0; +- /* If doing a small final adjustment, we always probe at offset 0. +- This is done to avoid issues when the final adjustment is smaller +- than the probing offset. */ +- else if (final_adjustment_p && rounded_size == 0) +- residual_probe_offset = 0; + + aarch64_sub_sp (temp1, temp2, residual, frame_related_p); + if (residual >= min_probe_threshold) +@@ -9543,8 +9539,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + HOST_WIDE_INT_PRINT_DEC " bytes, probing will be required." + "\n", residual); + +- emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx, +- residual_probe_offset)); ++ emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx, ++ guard_used_by_caller)); + emit_insn (gen_blockage ()); + } + } +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +index 0d8a25d73a2..f0ec1389771 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +@@ -33,7 +33,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +index 82447d20fff..6383bec5ebc 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +@@ -9,7 +9,7 @@ void g(); + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #4064 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +@@ -50,7 +50,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +index 73ac3e4e4eb..562039b5e9b 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +@@ -9,7 +9,7 @@ void g(); + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #4064 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +@@ -50,7 +50,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +-- +2.34.1 + + +From 6f0ab0a9f46a17b68349ff6035aa776bf65f0575 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:56 +0100 +Subject: [PATCH 17/19] aarch64: Explicitly record probe registers in frame + info + +The stack frame is currently divided into three areas: + +A: the area above the hard frame pointer +B: the SVE saves below the hard frame pointer +C: the outgoing arguments + +If the stack frame is allocated in one chunk, the allocation needs a +probe if the frame size is >= guard_size - 1KiB. In addition, if the +function is not a leaf function, it must probe an address no more than +1KiB above the outgoing SP. We ensured the second condition by + +(1) using single-chunk allocations for non-leaf functions only if + the link register save slot is within 512 bytes of the bottom + of the frame; and + +(2) using the link register save as a probe (meaning, for instance, + that it can't be individually shrink wrapped) + +If instead the stack is allocated in multiple chunks, then: + +* an allocation involving only the outgoing arguments (C above) requires + a probe if the allocation size is > 1KiB + +* any other allocation requires a probe if the allocation size + is >= guard_size - 1KiB + +* second and subsequent allocations require the previous allocation + to probe at the bottom of the allocated area, regardless of the size + of that previous allocation + +The final point means that, unlike for single allocations, +it can be necessary to have both a non-SVE register probe and +an SVE register probe. For example: + +* allocate A, probe using a non-SVE register save +* allocate B, probe using an SVE register save +* allocate C + +The non-SVE register used in this case was again the link register. +It was previously used even if the link register save slot was some +bytes above the bottom of the non-SVE register saves, but an earlier +patch avoided that by putting the link register save slot first. + +As a belt-and-braces fix, this patch explicitly records which +probe registers we're using and allows the non-SVE probe to be +whichever register comes first (as for SVE). + +The patch also avoids unnecessary probes in sve/pcs/stack_clash_3.c. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::sve_save_and_probe) + (aarch64_frame::hard_fp_save_and_probe): New fields. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize them. + Rather than asserting that a leaf function saves LR, instead assert + that a leaf function saves something. + (aarch64_get_separate_components): Prevent the chosen probe + registers from being individually shrink-wrapped. + (aarch64_allocate_and_probe_stack_space): Remove workaround for + probe registers that aren't at the bottom of the previous allocation. + +gcc/testsuite/ + * gcc.target/aarch64/sve/pcs/stack_clash_3.c: Avoid redundant probes. +--- + gcc/config/aarch64/aarch64.cc | 68 +++++++++++++++---- + gcc/config/aarch64/aarch64.h | 8 +++ + .../aarch64/sve/pcs/stack_clash_3.c | 6 +- + 3 files changed, 64 insertions(+), 18 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 8abf3d7a1e2..a8d907df884 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8210,15 +8210,11 @@ aarch64_layout_frame (void) + && !crtl->abi->clobbers_full_reg_p (regno)) + frame.reg_offset[regno] = SLOT_REQUIRED; + +- /* With stack-clash, LR must be saved in non-leaf functions. The saving of +- LR counts as an implicit probe which allows us to maintain the invariant +- described in the comment at expand_prologue. */ +- gcc_assert (crtl->is_leaf +- || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + + poly_int64 offset = crtl->outgoing_args_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); + frame.bytes_below_saved_regs = offset; ++ frame.sve_save_and_probe = INVALID_REGNUM; + + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small +@@ -8226,6 +8222,8 @@ aarch64_layout_frame (void) + for (regno = P0_REGNUM; regno <= P15_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.sve_save_and_probe == INVALID_REGNUM) ++ frame.sve_save_and_probe = regno; + frame.reg_offset[regno] = offset; + offset += BYTES_PER_SVE_PRED; + } +@@ -8263,6 +8261,8 @@ aarch64_layout_frame (void) + for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.sve_save_and_probe == INVALID_REGNUM) ++ frame.sve_save_and_probe = regno; + frame.reg_offset[regno] = offset; + offset += vector_save_size; + } +@@ -8272,10 +8272,18 @@ aarch64_layout_frame (void) + frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; + bool saves_below_hard_fp_p + = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ gcc_assert (!saves_below_hard_fp_p ++ || (frame.sve_save_and_probe != INVALID_REGNUM ++ && known_eq (frame.reg_offset[frame.sve_save_and_probe], ++ frame.bytes_below_saved_regs))); ++ + frame.bytes_below_hard_fp = offset; ++ frame.hard_fp_save_and_probe = INVALID_REGNUM; + + auto allocate_gpr_slot = [&](unsigned int regno) + { ++ if (frame.hard_fp_save_and_probe == INVALID_REGNUM) ++ frame.hard_fp_save_and_probe = regno; + frame.reg_offset[regno] = offset; + if (frame.wb_push_candidate1 == INVALID_REGNUM) + frame.wb_push_candidate1 = regno; +@@ -8309,6 +8317,8 @@ aarch64_layout_frame (void) + for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.hard_fp_save_and_probe == INVALID_REGNUM) ++ frame.hard_fp_save_and_probe = regno; + /* If there is an alignment gap between integer and fp callee-saves, + allocate the last fp register to it if possible. */ + if (regno == last_fp_reg +@@ -8332,6 +8342,17 @@ aarch64_layout_frame (void) + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + + frame.saved_regs_size = offset - frame.bytes_below_saved_regs; ++ gcc_assert (known_eq (frame.saved_regs_size, ++ frame.below_hard_fp_saved_regs_size) ++ || (frame.hard_fp_save_and_probe != INVALID_REGNUM ++ && known_eq (frame.reg_offset[frame.hard_fp_save_and_probe], ++ frame.bytes_below_hard_fp))); ++ ++ /* With stack-clash, a register must be saved in non-leaf functions. ++ The saving of the bottommost register counts as an implicit probe, ++ which allows us to maintain the invariant described in the comment ++ at expand_prologue. */ ++ gcc_assert (crtl->is_leaf || maybe_ne (frame.saved_regs_size, 0)); + + offset += get_frame_size (); + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -8462,6 +8483,25 @@ aarch64_layout_frame (void) + frame.final_adjust = frame.bytes_below_saved_regs; + } + ++ /* The frame is allocated in pieces, with each non-final piece ++ including a register save at offset 0 that acts as a probe for ++ the following piece. In addition, the save of the bottommost register ++ acts as a probe for callees and allocas. Roll back any probes that ++ aren't needed. ++ ++ A probe isn't needed if it is associated with the final allocation ++ (including callees and allocas) that happens before the epilogue is ++ executed. */ ++ if (crtl->is_leaf ++ && !cfun->calls_alloca ++ && known_eq (frame.final_adjust, 0)) ++ { ++ if (maybe_ne (frame.sve_callee_adjust, 0)) ++ frame.sve_save_and_probe = INVALID_REGNUM; ++ else ++ frame.hard_fp_save_and_probe = INVALID_REGNUM; ++ } ++ + /* Make sure the individual adjustments add up to the full frame size. */ + gcc_assert (known_eq (frame.initial_adjust + + frame.callee_adjust +@@ -9039,13 +9079,6 @@ aarch64_get_separate_components (void) + + poly_int64 offset = frame.reg_offset[regno]; + +- /* If the register is saved in the first SVE save slot, we use +- it as a stack probe for -fstack-clash-protection. */ +- if (flag_stack_clash_protection +- && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) +- && known_eq (offset, frame.bytes_below_saved_regs)) +- continue; +- + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) + offset -= frame.bytes_below_hard_fp; +@@ -9080,6 +9113,13 @@ aarch64_get_separate_components (void) + + bitmap_clear_bit (components, LR_REGNUM); + bitmap_clear_bit (components, SP_REGNUM); ++ if (flag_stack_clash_protection) ++ { ++ if (frame.sve_save_and_probe != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.sve_save_and_probe); ++ if (frame.hard_fp_save_and_probe != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.hard_fp_save_and_probe); ++ } + + return components; + } +@@ -9616,8 +9656,8 @@ aarch64_epilogue_uses (int regno) + When probing is needed, we emit a probe at the start of the prologue + and every PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE bytes thereafter. + +- We have to track how much space has been allocated and the only stores +- to the stack we track as implicit probes are the FP/LR stores. ++ We can also use register saves as probes. These are stored in ++ sve_save_and_probe and hard_fp_save_and_probe. + + For outgoing arguments we probe if the size is larger than 1KB, such that + the ABI specified buffer is maintained for the next callee. +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index b6135837073..46d4693e206 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -957,6 +957,14 @@ struct GTY (()) aarch64_frame + This is the register they should use. */ + unsigned spare_pred_reg; + ++ /* An SVE register that is saved below the hard frame pointer and that acts ++ as a probe for later allocations, or INVALID_REGNUM if none. */ ++ unsigned sve_save_and_probe; ++ ++ /* A register that is saved at the hard frame pointer and that acts ++ as a probe for later allocations, or INVALID_REGNUM if none. */ ++ unsigned hard_fp_save_and_probe; ++ + bool laid_out; + + /* True if shadow call stack should be enabled for the current function. */ +diff --git a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c +index 3e01ec36c3a..3530a0d504b 100644 +--- a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c ++++ b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c +@@ -11,11 +11,10 @@ + ** mov x11, sp + ** ... + ** sub sp, sp, x13 +-** str p4, \[sp\] + ** cbz w0, [^\n]* ++** str p4, \[sp\] + ** ... + ** ptrue p0\.b, all +-** ldr p4, \[sp\] + ** addvl sp, sp, #1 + ** ldr x24, \[sp\], 32 + ** ret +@@ -39,13 +38,12 @@ test_1 (int n) + ** mov x11, sp + ** ... + ** sub sp, sp, x13 +-** str p4, \[sp\] + ** cbz w0, [^\n]* ++** str p4, \[sp\] + ** str p5, \[sp, #1, mul vl\] + ** str p6, \[sp, #2, mul vl\] + ** ... + ** ptrue p0\.b, all +-** ldr p4, \[sp\] + ** addvl sp, sp, #1 + ** ldr x24, \[sp\], 32 + ** ret +-- +2.34.1 + + +From 8254e1b9cd500e0c278465a3657543477e9d1250 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:56 +0100 +Subject: [PATCH 18/19] aarch64: Remove below_hard_fp_saved_regs_size + +After previous patches, it's no longer necessary to store +saved_regs_size and below_hard_fp_saved_regs_size in the frame info. +All measurements instead use the top or bottom of the frame as +reference points. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::saved_regs_size) + (aarch64_frame::below_hard_fp_saved_regs_size): Delete. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Update accordingly. +--- + gcc/config/aarch64/aarch64.cc | 45 ++++++++++++++++------------------- + gcc/config/aarch64/aarch64.h | 7 ------ + 2 files changed, 21 insertions(+), 31 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index a8d907df884..ac3d3b336a3 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8269,9 +8269,8 @@ aarch64_layout_frame (void) + + /* OFFSET is now the offset of the hard frame pointer from the bottom + of the callee save area. */ +- frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; +- bool saves_below_hard_fp_p +- = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ auto below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; ++ bool saves_below_hard_fp_p = maybe_ne (below_hard_fp_saved_regs_size, 0); + gcc_assert (!saves_below_hard_fp_p + || (frame.sve_save_and_probe != INVALID_REGNUM + && known_eq (frame.reg_offset[frame.sve_save_and_probe], +@@ -8341,9 +8340,8 @@ aarch64_layout_frame (void) + + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.saved_regs_size = offset - frame.bytes_below_saved_regs; +- gcc_assert (known_eq (frame.saved_regs_size, +- frame.below_hard_fp_saved_regs_size) ++ auto saved_regs_size = offset - frame.bytes_below_saved_regs; ++ gcc_assert (known_eq (saved_regs_size, below_hard_fp_saved_regs_size) + || (frame.hard_fp_save_and_probe != INVALID_REGNUM + && known_eq (frame.reg_offset[frame.hard_fp_save_and_probe], + frame.bytes_below_hard_fp))); +@@ -8352,7 +8350,7 @@ aarch64_layout_frame (void) + The saving of the bottommost register counts as an implicit probe, + which allows us to maintain the invariant described in the comment + at expand_prologue. */ +- gcc_assert (crtl->is_leaf || maybe_ne (frame.saved_regs_size, 0)); ++ gcc_assert (crtl->is_leaf || maybe_ne (saved_regs_size, 0)); + + offset += get_frame_size (); + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -8409,7 +8407,7 @@ aarch64_layout_frame (void) + + HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; +- if (known_eq (frame.saved_regs_size, 0)) ++ if (known_eq (saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; + else if (frame.frame_size.is_constant (&const_size) + && const_size < max_push_offset +@@ -8422,7 +8420,7 @@ aarch64_layout_frame (void) + frame.callee_adjust = const_size; + } + else if (frame.bytes_below_saved_regs.is_constant (&const_below_saved_regs) +- && frame.saved_regs_size.is_constant (&const_saved_regs_size) ++ && saved_regs_size.is_constant (&const_saved_regs_size) + && const_below_saved_regs + const_saved_regs_size < 512 + /* We could handle this case even with data below the saved + registers, provided that that data left us with valid offsets +@@ -8441,8 +8439,7 @@ aarch64_layout_frame (void) + frame.initial_adjust = frame.frame_size; + } + else if (saves_below_hard_fp_p +- && known_eq (frame.saved_regs_size, +- frame.below_hard_fp_saved_regs_size)) ++ && known_eq (saved_regs_size, below_hard_fp_saved_regs_size)) + { + /* Frame in which all saves are SVE saves: + +@@ -8464,7 +8461,7 @@ aarch64_layout_frame (void) + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ + frame.callee_adjust = const_above_fp; +- frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; ++ frame.sve_callee_adjust = below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } + else +@@ -8479,7 +8476,7 @@ aarch64_layout_frame (void) + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = frame.bytes_above_hard_fp; +- frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; ++ frame.sve_callee_adjust = below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } + +@@ -9621,17 +9618,17 @@ aarch64_epilogue_uses (int regno) + | local variables | <-- frame_pointer_rtx + | | + +-------------------------------+ +- | padding | \ +- +-------------------------------+ | +- | callee-saved registers | | frame.saved_regs_size +- +-------------------------------+ | +- | LR' | | +- +-------------------------------+ | +- | FP' | | +- +-------------------------------+ |<- hard_frame_pointer_rtx (aligned) +- | SVE vector registers | | \ +- +-------------------------------+ | | below_hard_fp_saved_regs_size +- | SVE predicate registers | / / ++ | padding | ++ +-------------------------------+ ++ | callee-saved registers | ++ +-------------------------------+ ++ | LR' | ++ +-------------------------------+ ++ | FP' | ++ +-------------------------------+ <-- hard_frame_pointer_rtx (aligned) ++ | SVE vector registers | ++ +-------------------------------+ ++ | SVE predicate registers | + +-------------------------------+ + | dynamic allocation | + +-------------------------------+ +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 46d4693e206..01f7751bc78 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -871,18 +871,11 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + HOST_WIDE_INT saved_varargs_size; + +- /* The size of the callee-save registers with a slot in REG_OFFSET. */ +- poly_int64 saved_regs_size; +- + /* The number of bytes between the bottom of the static frame (the bottom + of the outgoing arguments) and the bottom of the register save area. + This value is always a multiple of STACK_BOUNDARY. */ + poly_int64 bytes_below_saved_regs; + +- /* The size of the callee-save registers with a slot in REG_OFFSET that +- are saved below the hard frame pointer. */ +- poly_int64 below_hard_fp_saved_regs_size; +- + /* The number of bytes between the bottom of the static frame (the bottom + of the outgoing arguments) and the hard frame pointer. This value is + always a multiple of STACK_BOUNDARY. */ +-- +2.34.1 + + +From 75c37e031408262263442f5b4cdb83d3777b6422 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:57 +0100 +Subject: [PATCH 19/19] aarch64: Make stack smash canary protect saved + registers + +AArch64 normally puts the saved registers near the bottom of the frame, +immediately above any dynamic allocations. But this means that a +stack-smash attack on those dynamic allocations could overwrite the +saved registers without needing to reach as far as the stack smash +canary. + +The same thing could also happen for variable-sized arguments that are +passed by value, since those are allocated before a call and popped on +return. + +This patch avoids that by putting the locals (and thus the canary) below +the saved registers when stack smash protection is active. + +The patch fixes CVE-2023-4039. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_save_regs_above_locals_p): + New function. + (aarch64_layout_frame): Use it to decide whether locals should + go above or below the saved registers. + (aarch64_expand_prologue): Update stack layout comment. + Emit a stack tie after the final adjustment. + +gcc/testsuite/ + * gcc.target/aarch64/stack-protector-8.c: New test. + * gcc.target/aarch64/stack-protector-9.c: Likewise. +--- + gcc/config/aarch64/aarch64.cc | 46 +++++++-- + .../gcc.target/aarch64/stack-protector-8.c | 95 +++++++++++++++++++ + .../gcc.target/aarch64/stack-protector-9.c | 33 +++++++ + 3 files changed, 168 insertions(+), 6 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index ac3d3b336a3..96c3f48fdc4 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8133,6 +8133,20 @@ aarch64_needs_frame_chain (void) + return aarch64_use_frame_pointer; + } + ++/* Return true if the current function should save registers above ++ the locals area, rather than below it. */ ++ ++static bool ++aarch64_save_regs_above_locals_p () ++{ ++ /* When using stack smash protection, make sure that the canary slot ++ comes between the locals and the saved registers. Otherwise, ++ it would be possible for a carefully sized smash attack to change ++ the saved registers (particularly LR and FP) without reaching the ++ canary. */ ++ return crtl->stack_protect_guard; ++} ++ + /* Mark the registers that need to be saved by the callee and calculate + the size of the callee-saved registers area and frame record (both FP + and LR may be omitted). */ +@@ -8144,6 +8158,7 @@ aarch64_layout_frame (void) + poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); + bool frame_related_fp_reg_p = false; + aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 top_of_locals = -1; + + frame.emit_frame_chain = aarch64_needs_frame_chain (); + +@@ -8210,9 +8225,16 @@ aarch64_layout_frame (void) + && !crtl->abi->clobbers_full_reg_p (regno)) + frame.reg_offset[regno] = SLOT_REQUIRED; + ++ bool regs_at_top_p = aarch64_save_regs_above_locals_p (); + + poly_int64 offset = crtl->outgoing_args_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ if (regs_at_top_p) ++ { ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ top_of_locals = offset; ++ } + frame.bytes_below_saved_regs = offset; + frame.sve_save_and_probe = INVALID_REGNUM; + +@@ -8352,15 +8374,18 @@ aarch64_layout_frame (void) + at expand_prologue. */ + gcc_assert (crtl->is_leaf || maybe_ne (saved_regs_size, 0)); + +- offset += get_frame_size (); +- offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +- auto top_of_locals = offset; +- ++ if (!regs_at_top_p) ++ { ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ top_of_locals = offset; ++ } + offset += frame.saved_varargs_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); + frame.frame_size = offset; + + frame.bytes_above_hard_fp = frame.frame_size - frame.bytes_below_hard_fp; ++ gcc_assert (known_ge (top_of_locals, 0)); + frame.bytes_above_locals = frame.frame_size - top_of_locals; + + frame.initial_adjust = 0; +@@ -9615,10 +9640,10 @@ aarch64_epilogue_uses (int regno) + | for register varargs | + | | + +-------------------------------+ +- | local variables | <-- frame_pointer_rtx ++ | local variables (1) | <-- frame_pointer_rtx + | | + +-------------------------------+ +- | padding | ++ | padding (1) | + +-------------------------------+ + | callee-saved registers | + +-------------------------------+ +@@ -9630,6 +9655,10 @@ aarch64_epilogue_uses (int regno) + +-------------------------------+ + | SVE predicate registers | + +-------------------------------+ ++ | local variables (2) | ++ +-------------------------------+ ++ | padding (2) | ++ +-------------------------------+ + | dynamic allocation | + +-------------------------------+ + | padding | +@@ -9639,6 +9668,9 @@ aarch64_epilogue_uses (int regno) + +-------------------------------+ + | | <-- stack_pointer_rtx (aligned) + ++ The regions marked (1) and (2) are mutually exclusive. (2) is used ++ when aarch64_save_regs_above_locals_p is true. ++ + Dynamic stack allocations via alloca() decrease stack_pointer_rtx + but leave frame_pointer_rtx and hard_frame_pointer_rtx + unchanged. +@@ -9834,6 +9866,8 @@ aarch64_expand_prologue (void) + gcc_assert (known_eq (bytes_below_sp, final_adjust)); + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, + !frame_pointer_needed, true); ++ if (emit_frame_chain && maybe_ne (final_adjust, 0)) ++ emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx)); + } + + /* Return TRUE if we can use a simple_return insn. +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c +new file mode 100644 +index 00000000000..e71d820e365 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c +@@ -0,0 +1,95 @@ ++/* { dg-options " -O -fstack-protector-strong -mstack-protector-guard=sysreg -mstack-protector-guard-reg=tpidr2_el0 -mstack-protector-guard-offset=16" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void g(void *); ++__SVBool_t *h(void *); ++ ++/* ++** test1: ++** sub sp, sp, #288 ++** stp x29, x30, \[sp, #?272\] ++** add x29, sp, #?272 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?264\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl g ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** ldp x29, x30, \[sp, #?272\] ++** add sp, sp, #?288 ++** ret ++** bl __stack_chk_fail ++*/ ++int test1() { ++ int y[0x40]; ++ g(y); ++ return 1; ++} ++ ++/* ++** test2: ++** stp x29, x30, \[sp, #?-16\]! ++** mov x29, sp ++** sub sp, sp, #1040 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?1032\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl g ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** add sp, sp, #?1040 ++** ldp x29, x30, \[sp\], #?16 ++** ret ++** bl __stack_chk_fail ++*/ ++int test2() { ++ int y[0x100]; ++ g(y); ++ return 1; ++} ++ ++#pragma GCC target "+sve" ++ ++/* ++** test3: ++** stp x29, x30, \[sp, #?-16\]! ++** mov x29, sp ++** addvl sp, sp, #-18 ++** ... ++** str p4, \[sp\] ++** ... ++** sub sp, sp, #272 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?264\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl h ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** add sp, sp, #?272 ++** ... ++** ldr p4, \[sp\] ++** ... ++** addvl sp, sp, #18 ++** ldp x29, x30, \[sp\], #?16 ++** ret ++** bl __stack_chk_fail ++*/ ++__SVBool_t test3() { ++ int y[0x40]; ++ return *h(y); ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c +new file mode 100644 +index 00000000000..58f322aa480 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c +@@ -0,0 +1,33 @@ ++/* { dg-options "-O2 -mcpu=neoverse-v1 -fstack-protector-all" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++/* ++** main: ++** ... ++** stp x29, x30, \[sp, #?-[0-9]+\]! ++** ... ++** sub sp, sp, #[0-9]+ ++** ... ++** str x[0-9]+, \[x29, #?-8\] ++** ... ++*/ ++int f(const char *); ++void g(void *); ++int main(int argc, char* argv[]) ++{ ++ int a; ++ int b; ++ char c[2+f(argv[1])]; ++ int d[0x100]; ++ char y; ++ ++ y=42; a=4; b=10; ++ c[0] = 'h'; c[1] = '\0'; ++ ++ c[f(argv[2])] = '\0'; ++ ++ __builtin_printf("%d %d\n%s\n", a, b, c); ++ g(d); ++ ++ return 0; ++} +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/gcc/gcc_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc_12.3.bb index 255fe552bd..255fe552bd 100644 --- a/poky/meta/recipes-devtools/gcc/gcc_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/libgcc-initial_12.2.bb b/poky/meta/recipes-devtools/gcc/libgcc-initial_12.3.bb index a259082b47..a259082b47 100644 --- a/poky/meta/recipes-devtools/gcc/libgcc-initial_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/libgcc-initial_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/libgcc_12.2.bb b/poky/meta/recipes-devtools/gcc/libgcc_12.3.bb index f88963b0a4..f88963b0a4 100644 --- a/poky/meta/recipes-devtools/gcc/libgcc_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/libgcc_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/libgfortran_12.2.bb b/poky/meta/recipes-devtools/gcc/libgfortran_12.3.bb index 71dd8b4bdc..71dd8b4bdc 100644 --- a/poky/meta/recipes-devtools/gcc/libgfortran_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/libgfortran_12.3.bb diff --git a/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.1.bb b/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.2.bb index 4ab2b7156d..4ab2b7156d 100644 --- a/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.1.bb +++ b/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.2.bb diff --git a/poky/meta/recipes-devtools/gdb/gdb-cross_13.1.bb b/poky/meta/recipes-devtools/gdb/gdb-cross_13.2.bb index 3b654a2f0d..3b654a2f0d 100644 --- a/poky/meta/recipes-devtools/gdb/gdb-cross_13.1.bb +++ b/poky/meta/recipes-devtools/gdb/gdb-cross_13.2.bb diff --git a/poky/meta/recipes-devtools/gdb/gdb.inc b/poky/meta/recipes-devtools/gdb/gdb.inc index 8589de62ff..2437a96ae7 100644 --- a/poky/meta/recipes-devtools/gdb/gdb.inc +++ b/poky/meta/recipes-devtools/gdb/gdb.inc @@ -13,10 +13,9 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0006-resolve-restrict-keyword-conflict.patch \ file://0007-Fix-invalid-sigprocmask-call.patch \ file://0008-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ - file://0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch \ file://add-missing-ldflags.patch \ - file://0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch \ + file://0009-CVE-2023-39128.patch \ " -SRC_URI[sha256sum] = "115ad5c18d69a6be2ab15882d365dda2a2211c14f480b3502c6eba576e2e95a0" +SRC_URI[sha256sum] = "fd5bebb7be1833abdb6e023c2f498a354498281df9d05523d8915babeb893f0a" TOOLCHAIN = "gcc" diff --git a/poky/meta/recipes-devtools/gdb/gdb/0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch b/poky/meta/recipes-devtools/gdb/gdb/0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch deleted file mode 100644 index 9adf4a4db5..0000000000 --- a/poky/meta/recipes-devtools/gdb/gdb/0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch +++ /dev/null @@ -1,286 +0,0 @@ -From b3eff3e15576229af9bae026c5c23ee694b90389 Mon Sep 17 00:00:00 2001 -From: Luis Machado <luis.machado@arm.com> -Date: Fri, 24 Mar 2023 07:58:38 +0000 -Subject: [PATCH] aarch64: Check for valid inferior thread/regcache before - reading pauth registers - -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -There were reports of gdb throwing internal errors when calling -inferior_thread ()/get_current_regcache () on a system with -Pointer Authentication enabled. - -In such cases, gdb produces the following backtrace, or a variation -of it (for gdb's with the non-address removal implemented only in -the aarch64-linux-tdep.c file). - -../../../repos/binutils-gdb/gdb/thread.c:86: internal-error: inferior_thread: Assertion `current_thread_ != nullptr' failed. -A problem internal to GDB has been detected, -further debugging may prove unreliable. ------ Backtrace ----- -0xaaaae04a571f gdb_internal_backtrace_1 - ../../../repos/binutils-gdb/gdb/bt-utils.c:122 -0xaaaae04a57f3 _Z22gdb_internal_backtracev - ../../../repos/binutils-gdb/gdb/bt-utils.c:168 -0xaaaae0b52ccf internal_vproblem - ../../../repos/binutils-gdb/gdb/utils.c:401 -0xaaaae0b5310b _Z15internal_verrorPKciS0_St9__va_list - ../../../repos/binutils-gdb/gdb/utils.c:481 -0xaaaae0e24b8f _Z18internal_error_locPKciS0_z - ../../../repos/binutils-gdb/gdbsupport/errors.cc:58 -0xaaaae0a88983 _Z15inferior_threadv - ../../../repos/binutils-gdb/gdb/thread.c:86 -0xaaaae0956c87 _Z20get_current_regcachev - ../../../repos/binutils-gdb/gdb/regcache.c:428 -0xaaaae035223f aarch64_remove_non_address_bits - ../../../repos/binutils-gdb/gdb/aarch64-tdep.c:3572 -0xaaaae03e8abb _Z31gdbarch_remove_non_address_bitsP7gdbarchm - ../../../repos/binutils-gdb/gdb/gdbarch.c:3109 -0xaaaae0a692d7 memory_xfer_partial - ../../../repos/binutils-gdb/gdb/target.c:1620 -0xaaaae0a695e3 _Z19target_xfer_partialP10target_ops13target_objectPKcPhPKhmmPm - ../../../repos/binutils-gdb/gdb/target.c:1684 -0xaaaae0a69e9f target_read_partial - ../../../repos/binutils-gdb/gdb/target.c:1937 -0xaaaae0a69fdf _Z11target_readP10target_ops13target_objectPKcPhml - ../../../repos/binutils-gdb/gdb/target.c:1977 -0xaaaae0a69937 _Z18target_read_memorymPhl - ../../../repos/binutils-gdb/gdb/target.c:1773 -0xaaaae08be523 ps_xfer_memory - ../../../repos/binutils-gdb/gdb/proc-service.c:90 -0xaaaae08be6db ps_pdread - ../../../repos/binutils-gdb/gdb/proc-service.c:124 -0x40001ed7c3b3 _td_fetch_value - /build/glibc-RIFKjK/glibc-2.31/nptl_db/fetch-value.c:115 -0x40001ed791ef td_ta_map_lwp2thr - /build/glibc-RIFKjK/glibc-2.31/nptl_db/td_ta_map_lwp2thr.c:194 -0xaaaae07f4473 thread_from_lwp - ../../../repos/binutils-gdb/gdb/linux-thread-db.c:413 -0xaaaae07f6d6f _ZN16thread_db_target4waitE6ptid_tP17target_waitstatus10enum_flagsI16target_wait_flagE - ../../../repos/binutils-gdb/gdb/linux-thread-db.c:1420 -0xaaaae0a6b33b _Z11target_wait6ptid_tP17target_waitstatus10enum_flagsI16target_wait_flagE - ../../../repos/binutils-gdb/gdb/target.c:2586 -0xaaaae0789cf7 do_target_wait_1 - ../../../repos/binutils-gdb/gdb/infrun.c:3825 -0xaaaae0789e6f operator() - ../../../repos/binutils-gdb/gdb/infrun.c:3884 -0xaaaae078a167 do_target_wait - ../../../repos/binutils-gdb/gdb/infrun.c:3903 -0xaaaae078b0af _Z20fetch_inferior_eventv - ../../../repos/binutils-gdb/gdb/infrun.c:4314 -0xaaaae076652f _Z22inferior_event_handler19inferior_event_type - ../../../repos/binutils-gdb/gdb/inf-loop.c:41 -0xaaaae07dc68b handle_target_event - ../../../repos/binutils-gdb/gdb/linux-nat.c:4206 -0xaaaae0e25fbb handle_file_event - ../../../repos/binutils-gdb/gdbsupport/event-loop.cc:573 -0xaaaae0e264f3 gdb_wait_for_event - ../../../repos/binutils-gdb/gdbsupport/event-loop.cc:694 -0xaaaae0e24f9b _Z16gdb_do_one_eventi - ../../../repos/binutils-gdb/gdbsupport/event-loop.cc:217 -0xaaaae080f033 start_event_loop - ../../../repos/binutils-gdb/gdb/main.c:411 -0xaaaae080f1b7 captured_command_loop - ../../../repos/binutils-gdb/gdb/main.c:475 -0xaaaae0810b97 captured_main - ../../../repos/binutils-gdb/gdb/main.c:1318 -0xaaaae0810c1b _Z8gdb_mainP18captured_main_args - ../../../repos/binutils-gdb/gdb/main.c:1337 -0xaaaae0338453 main - ../../../repos/binutils-gdb/gdb/gdb.c:32 ---------------------- -../../../repos/binutils-gdb/gdb/thread.c:86: internal-error: inferior_thread: Assertion `current_thread_ != nullptr' failed. -A problem internal to GDB has been detected, -further debugging may prove unreliable. -Quit this debugging session? (y or n) - -We also see failures across the testsuite if the tests get executed on a target -that has native support for the pointer authentication feature. But -gdb.base/break.exp and gdb.base/access-mem-running.exp are two examples of -tests that run into errors and internal errors. - -This issue started after commit d88cb738e6a7a7179dfaff8af78d69250c852af1, which -enabled more broad use of pointer authentication masks to remove non-address -bits of pointers, but wasn't immediately detected because systems with native -support for pointer authentication are not that common yet. - -The above crash happens because gdb is in the middle of handling an event, -and do_target_wait_1 calls switch_to_inferior_no_thread, nullifying the -current thread. This means a call to inferior_thread () will assert, and -attempting to call get_current_regcache () will also call inferior_thread (), -resulting in an assertion as well. - -target_has_registers was one function that seemed useful for detecting these -types of situation where we don't have a register cache. The problem with that -is the inconsistent state of inferior_ptid, which is used by -target_has_registers. - -Despite the call to switch_to_no_thread in switch_to_inferior_no_thread from -do_target_wait_1 in the backtrace above clearing inferior_ptid, the call to -ps_xfer_memory sets inferior_ptid momentarily before reading memory: - -static ps_err_e -ps_xfer_memory (const struct ps_prochandle *ph, psaddr_t addr, - gdb_byte *buf, size_t len, int write) -{ - scoped_restore_current_inferior restore_inferior; - set_current_inferior (ph->thread->inf); - - scoped_restore_current_program_space restore_current_progspace; - set_current_program_space (ph->thread->inf->pspace); - - scoped_restore save_inferior_ptid = make_scoped_restore (&inferior_ptid); - inferior_ptid = ph->thread->ptid; - - CORE_ADDR core_addr = ps_addr_to_core_addr (addr); - - int ret; - if (write) - ret = target_write_memory (core_addr, buf, len); - else - ret = target_read_memory (core_addr, buf, len); - return (ret == 0 ? PS_OK : PS_ERR); -} - -Maybe this shouldn't happen, or maybe it is just an unfortunate state to be -in. But this prevents the use of target_has_registers to guard against the -lack of registers, since, although current_thread_ is still nullptr, -inferior_ptid is valid and is not null_ptid. - -There is another crash scenario after we kill a previously active inferior, in -which case the gdbarch will still say we support pointer authentication but we -will also have no current thread (inferior_thread () will assert etc). - -If the target has support for pointer authentication, gdb needs to use -a couple (or 4, for bare-metal) mask registers to mask off some bits of -pointers, and for that it needs to access the registers. - -At some points, like the one from the backtrace above, there is no active -thread/current regcache because gdb is in the middle of doing event handling -and switching between threads. - -Simon suggested the use of inferior_ptid to fetch the register cache, as -opposed to relying on the current register cache. Though we need to make sure -inferior_ptid is valid (not null_ptid), I think this works nicely. - -With inferior_ptid, we can do safety checks along the way, making sure we have -a thread to fetch a register cache from and checking if the thread is actually -stopped or running. - -The following patch implements this idea with safety checks to make sure we -don't run into assertions or errors. If any of the checks fail, we fallback to -using a default mask to remove non-address bits of a pointer. - -I discussed with Pedro the possibility of caching the mask register values -(which are per-process and can change mid-execution), but there isn't a good -spot to cache those values. Besides, the mask registers can change constantly -for bare-metal debugging when switching between exception levels. - -In some cases, it is just not possible to get access to these mask registers, -like the case where threads are running. In those cases, using a default mask -to remove the non-address bits should be enough. - -This can happen when we let threads run in the background and then we attempt -to access a memory address (now that gdb is capable of reading memory even -with threads running). Thus gdb will attempt to remove non-address bits -of that memory access, will attempt to access registers, running into errors. - -Regression-tested on aarch64-linux Ubuntu 20.04. ---- - gdb/aarch64-linux-tdep.c | 64 ++++++++++++++++++++++++++++++---------- - 1 file changed, 49 insertions(+), 15 deletions(-) - -diff --git a/gdb/aarch64-linux-tdep.c b/gdb/aarch64-linux-tdep.c -index 20a041c599e..4b2915b8e99 100644 ---- a/gdb/aarch64-linux-tdep.c -+++ b/gdb/aarch64-linux-tdep.c -@@ -57,6 +57,9 @@ - #include "elf/common.h" - #include "elf/aarch64.h" - -+/* For inferior_ptid and current_inferior (). */ -+#include "inferior.h" -+ - /* Signal frame handling. - - +------------+ ^ -@@ -1986,29 +1989,60 @@ aarch64_linux_decode_memtag_section (struct gdbarch *gdbarch, - static CORE_ADDR - aarch64_remove_non_address_bits (struct gdbarch *gdbarch, CORE_ADDR pointer) - { -- aarch64_gdbarch_tdep *tdep = gdbarch_tdep<aarch64_gdbarch_tdep> (gdbarch); -- - /* By default, we assume TBI and discard the top 8 bits plus the VA range -- select bit (55). */ -+ select bit (55). Below we try to fetch information about pointer -+ authentication masks in order to make non-address removal more -+ precise. */ - CORE_ADDR mask = AARCH64_TOP_BITS_MASK; - -- if (tdep->has_pauth ()) -+ /* Check if we have an inferior first. If not, just use the default -+ mask. -+ -+ We use the inferior_ptid here because the pointer authentication masks -+ should be the same across threads of a process. Since we may not have -+ access to the current thread (gdb may have switched to no inferiors -+ momentarily), we use the inferior ptid. */ -+ if (inferior_ptid != null_ptid) - { -- /* Fetch the PAC masks. These masks are per-process, so we can just -- fetch data from whatever thread we have at the moment. -+ /* If we do have an inferior, attempt to fetch its thread's thread_info -+ struct. */ -+ thread_info *thread -+ = find_thread_ptid (current_inferior ()->process_target (), -+ inferior_ptid); - -- Also, we have both a code mask and a data mask. For now they are the -- same, but this may change in the future. */ -- struct regcache *regs = get_current_regcache (); -- CORE_ADDR cmask, dmask; -+ /* If the thread is running, we will not be able to fetch the mask -+ registers. */ -+ if (thread != nullptr && thread->state != THREAD_RUNNING) -+ { -+ /* Otherwise, fetch the register cache and the masks. */ -+ struct regcache *regs -+ = get_thread_regcache (current_inferior ()->process_target (), -+ inferior_ptid); -+ -+ /* Use the gdbarch from the register cache to check for pointer -+ authentication support, as it matches the features found in -+ that particular thread. */ -+ aarch64_gdbarch_tdep *tdep -+ = gdbarch_tdep<aarch64_gdbarch_tdep> (regs->arch ()); -+ -+ /* Is there pointer authentication support? */ -+ if (tdep->has_pauth ()) -+ { -+ /* We have both a code mask and a data mask. For now they are -+ the same, but this may change in the future. */ -+ CORE_ADDR cmask, dmask; - -- if (regs->cooked_read (tdep->pauth_reg_base, &dmask) != REG_VALID) -- dmask = mask; -+ if (regs->cooked_read (tdep->pauth_reg_base, &dmask) -+ != REG_VALID) -+ dmask = mask; - -- if (regs->cooked_read (tdep->pauth_reg_base + 1, &cmask) != REG_VALID) -- cmask = mask; -+ if (regs->cooked_read (tdep->pauth_reg_base + 1, &cmask) -+ != REG_VALID) -+ cmask = mask; - -- mask |= aarch64_mask_from_pac_registers (cmask, dmask); -+ mask |= aarch64_mask_from_pac_registers (cmask, dmask); -+ } -+ } - } - - return aarch64_remove_top_bits (pointer, mask); --- -2.34.1 - diff --git a/poky/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch b/poky/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch new file mode 100644 index 0000000000..88e39eaa59 --- /dev/null +++ b/poky/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch @@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey <tromey@adacore.com> +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz <keiths@redhat.com> + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + gdb/ada-lang.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 40f8591..06ac46b 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include <algorithm> + #include "ada-exp.h" + #include "charset.h" +@@ -1388,7 +1389,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1585,6 +1586,18 @@ ada_decode (const char *encoded, bool wrap, bool operators) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once + allocated, names in this table are never released. While this is a + storage leak, it should not be significant unless there are massive +@@ -14084,4 +14097,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/gdb/gdb/0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch b/poky/meta/recipes-devtools/gdb/gdb/0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch deleted file mode 100644 index 32eba089bc..0000000000 --- a/poky/meta/recipes-devtools/gdb/gdb/0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 9a85132c4ba7d37a5df146239b3ab1a5854ce478 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Wed, 22 Feb 2023 16:24:07 -0800 -Subject: [PATCH] gdbserver/linux-low.cc: Fix a typo in ternary operator - -Upstream-Status: Submitted [https://sourceware.org/pipermail/gdb-patches/2023-February/197298.html] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - gdbserver/linux-low.cc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/gdbserver/linux-low.cc b/gdbserver/linux-low.cc -index 7e1de397893..95ec871d436 100644 ---- a/gdbserver/linux-low.cc -+++ b/gdbserver/linux-low.cc -@@ -5390,7 +5390,7 @@ proc_xfer_memory (CORE_ADDR memaddr, unsigned char *readbuf, - if (lseek (fd, memaddr, SEEK_SET) != -1) - bytes = (readbuf != nullptr - ? read (fd, readbuf, len) -- ? write (fd, writebuf, len)); -+ : write (fd, writebuf, len)); - #endif - - if (bytes < 0) diff --git a/poky/meta/recipes-devtools/gdb/gdb_13.1.bb b/poky/meta/recipes-devtools/gdb/gdb_13.2.bb index 9c6db4ca2c..9c6db4ca2c 100644 --- a/poky/meta/recipes-devtools/gdb/gdb_13.1.bb +++ b/poky/meta/recipes-devtools/gdb/gdb_13.2.bb diff --git a/poky/meta/recipes-devtools/git/git_2.39.2.bb b/poky/meta/recipes-devtools/git/git_2.39.3.bb index 9fac9d13f8..6fdf1caa74 100644 --- a/poky/meta/recipes-devtools/git/git_2.39.2.bb +++ b/poky/meta/recipes-devtools/git/git_2.39.3.bb @@ -170,4 +170,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ " EXTRA_OEMAKE += "NO_GETTEXT=1" -SRC_URI[tarball.sha256sum] = "fb6807d1eb4094bb2349ab97d203fe1e6c3eb28af73ea391decfbd3a03c02e85" +SRC_URI[tarball.sha256sum] = "2f9aa93c548941cc5aff641cedc24add15b912ad8c9b36ff5a41b1a9dcad783e" diff --git a/poky/meta/recipes-devtools/go/go-1.20.4.inc b/poky/meta/recipes-devtools/go/go-1.20.7.inc index 05bc168e0c..009a67e89e 100644 --- a/poky/meta/recipes-devtools/go/go-1.20.4.inc +++ b/poky/meta/recipes-devtools/go/go-1.20.7.inc @@ -14,5 +14,7 @@ SRC_URI += "\ file://0007-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ + file://CVE-2023-24531_1.patch \ + file://CVE-2023-24531_2.patch \ " -SRC_URI[main.sha256sum] = "9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6" +SRC_URI[main.sha256sum] = "2c5ee9c9ec1e733b0dbbc2bdfed3f62306e51d8172bf38f4f4e542b27520f597" diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.20.4.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.20.7.bb index 87ce8a558f..3decde1954 100644 --- a/poky/meta/recipes-devtools/go/go-binary-native_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-binary-native_1.20.7.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd" -SRC_URI[go_linux_arm64.sha256sum] = "105889992ee4b1d40c7c108555222ca70ae43fccb42e20fbf1eebb822f5e72c6" -SRC_URI[go_linux_ppc64le.sha256sum] = "8c6f44b96c2719c90eebabe2dd866f9c39538648f7897a212cac448587e9a408" +SRC_URI[go_linux_amd64.sha256sum] = "f0a87f1bcae91c4b69f8dc2bc6d7e6bfcd7524fceec130af525058c0c17b1b44" +SRC_URI[go_linux_arm64.sha256sum] = "44781ae3b153c3b07651d93b6bc554e835a36e2d72a696281c1e4dad9efffe43" +SRC_URI[go_linux_ppc64le.sha256sum] = "6318a1db307c12b8afe68808bd6fae4fba1e558a85b958216096869ed506dcb3" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.7.bb index 7ac9449e47..7ac9449e47 100644 --- a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-cross_1.20.4.bb b/poky/meta/recipes-devtools/go/go-cross_1.20.7.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/poky/meta/recipes-devtools/go/go-cross_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-cross_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.4.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.7.bb index 1857c8a577..1857c8a577 100644 --- a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-native_1.20.4.bb b/poky/meta/recipes-devtools/go/go-native_1.20.7.bb index ddf25b2c9b..ddf25b2c9b 100644 --- a/poky/meta/recipes-devtools/go/go-native_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-native_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.20.4.bb b/poky/meta/recipes-devtools/go/go-runtime_1.20.7.bb index 63464a1501..63464a1501 100644 --- a/poky/meta/recipes-devtools/go/go-runtime_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-runtime_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch new file mode 100644 index 0000000000..9de701b64b --- /dev/null +++ b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch @@ -0,0 +1,266 @@ +From c5463ec922a57d8b175c6639186ba9cbe15e6bc1 Mon Sep 17 00:00:00 2001 +From: Michael Matloob <matloob@golang.org> +Date: Mon, 24 Apr 2023 16:57:28 -0400 +Subject: [PATCH 1/2] cmd/go: sanitize go env outputs + +go env, without any arguments, outputs the environment variables in +the form of a script that can be run on the host OS. On Unix, single +quote the strings and place single quotes themselves outside the +single quoted strings. On windows use the set "var=val" syntax with +the quote starting before the variable. + +Fixes #58508 + +Change-Id: Iecd379a4af7285ea9b2024f0202250c74fd9a2bd +Reviewed-on: https://go-review.googlesource.com/c/go/+/488375 +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Michael Matloob <matloob@golang.org> +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Michael Matloob <matloob@golang.org> +Reviewed-by: Bryan Mills <bcmills@google.com> +Reviewed-by: Quim Muntal <quimmuntal@gmail.com> + +CVE: CVE-2023-24531 +Upstream-Status: Backport [f379e78951a405e7e99a60fb231eeedbf976c108] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/cmd/go/internal/envcmd/env.go | 60 ++++++++++++- + src/cmd/go/internal/envcmd/env_test.go | 94 +++++++++++++++++++++ + src/cmd/go/testdata/script/env_sanitize.txt | 5 ++ + src/cmd/go/testdata/script/work_env.txt | 2 +- + 4 files changed, 158 insertions(+), 3 deletions(-) + create mode 100644 src/cmd/go/internal/envcmd/env_test.go + create mode 100644 src/cmd/go/testdata/script/env_sanitize.txt + +diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +index fb7448a..5b52fad 100644 +--- a/src/cmd/go/internal/envcmd/env.go ++++ b/src/cmd/go/internal/envcmd/env.go +@@ -6,6 +6,7 @@ + package envcmd + + import ( ++ "bytes" + "context" + "encoding/json" + "fmt" +@@ -17,6 +18,7 @@ import ( + "runtime" + "sort" + "strings" ++ "unicode" + "unicode/utf8" + + "cmd/go/internal/base" +@@ -413,9 +415,12 @@ func checkBuildConfig(add map[string]string, del map[string]bool) error { + func PrintEnv(w io.Writer, env []cfg.EnvVar) { + for _, e := range env { + if e.Name != "TERM" { ++ if runtime.GOOS != "plan9" && bytes.Contains([]byte(e.Value), []byte{0}) { ++ base.Fatalf("go: internal error: encountered null byte in environment variable %s on non-plan9 platform", e.Name) ++ } + switch runtime.GOOS { + default: +- fmt.Fprintf(w, "%s=\"%s\"\n", e.Name, e.Value) ++ fmt.Fprintf(w, "%s=%s\n", e.Name, shellQuote(e.Value)) + case "plan9": + if strings.IndexByte(e.Value, '\x00') < 0 { + fmt.Fprintf(w, "%s='%s'\n", e.Name, strings.ReplaceAll(e.Value, "'", "''")) +@@ -426,17 +431,68 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) { + if x > 0 { + fmt.Fprintf(w, " ") + } ++ // TODO(#59979): Does this need to be quoted like above? + fmt.Fprintf(w, "%s", s) + } + fmt.Fprintf(w, ")\n") + } + case "windows": +- fmt.Fprintf(w, "set %s=%s\n", e.Name, e.Value) ++ if hasNonGraphic(e.Value) { ++ base.Errorf("go: stripping unprintable or unescapable characters from %%%q%%", e.Name) ++ } ++ fmt.Fprintf(w, "set %s=%s\n", e.Name, batchEscape(e.Value)) + } + } + } + } + ++func hasNonGraphic(s string) bool { ++ for _, c := range []byte(s) { ++ if c == '\r' || c == '\n' || (!unicode.IsGraphic(rune(c)) && !unicode.IsSpace(rune(c))) { ++ return true ++ } ++ } ++ return false ++} ++ ++func shellQuote(s string) string { ++ var b bytes.Buffer ++ b.WriteByte('\'') ++ for _, x := range []byte(s) { ++ if x == '\'' { ++ // Close the single quoted string, add an escaped single quote, ++ // and start another single quoted string. ++ b.WriteString(`'\''`) ++ } else { ++ b.WriteByte(x) ++ } ++ } ++ b.WriteByte('\'') ++ return b.String() ++} ++ ++func batchEscape(s string) string { ++ var b bytes.Buffer ++ for _, x := range []byte(s) { ++ if x == '\r' || x == '\n' || (!unicode.IsGraphic(rune(x)) && !unicode.IsSpace(rune(x))) { ++ b.WriteRune(unicode.ReplacementChar) ++ continue ++ } ++ switch x { ++ case '%': ++ b.WriteString("%%") ++ case '<', '>', '|', '&', '^': ++ // These are special characters that need to be escaped with ^. See ++ // https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1. ++ b.WriteByte('^') ++ b.WriteByte(x) ++ default: ++ b.WriteByte(x) ++ } ++ } ++ return b.String() ++} ++ + func printEnvAsJSON(env []cfg.EnvVar) { + m := make(map[string]string) + for _, e := range env { +diff --git a/src/cmd/go/internal/envcmd/env_test.go b/src/cmd/go/internal/envcmd/env_test.go +new file mode 100644 +index 0000000..32d99fd +--- /dev/null ++++ b/src/cmd/go/internal/envcmd/env_test.go +@@ -0,0 +1,94 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build unix || windows ++ ++package envcmd ++ ++import ( ++ "bytes" ++ "cmd/go/internal/cfg" ++ "fmt" ++ "internal/testenv" ++ "os" ++ "os/exec" ++ "path/filepath" ++ "runtime" ++ "testing" ++ "unicode" ++) ++ ++func FuzzPrintEnvEscape(f *testing.F) { ++ f.Add(`$(echo 'cc"'; echo 'OOPS="oops')`) ++ f.Add("$(echo shell expansion 1>&2)") ++ f.Add("''") ++ f.Add(`C:\"Program Files"\`) ++ f.Add(`\\"Quoted Host"\\share`) ++ f.Add("\xfb") ++ f.Add("0") ++ f.Add("") ++ f.Add("''''''''") ++ f.Add("\r") ++ f.Add("\n") ++ f.Add("E,%") ++ f.Fuzz(func(t *testing.T, s string) { ++ t.Parallel() ++ ++ for _, c := range []byte(s) { ++ if c == 0 { ++ t.Skipf("skipping %q: contains a null byte. Null bytes can't occur in the environment"+ ++ " outside of Plan 9, which has different code path than Windows and Unix that this test"+ ++ " isn't testing.", s) ++ } ++ if c > unicode.MaxASCII { ++ t.Skipf("skipping %#q: contains a non-ASCII character %q", s, c) ++ } ++ if !unicode.IsGraphic(rune(c)) && !unicode.IsSpace(rune(c)) { ++ t.Skipf("skipping %#q: contains non-graphic character %q", s, c) ++ } ++ if runtime.GOOS == "windows" && c == '\r' || c == '\n' { ++ t.Skipf("skipping %#q on Windows: contains unescapable character %q", s, c) ++ } ++ } ++ ++ var b bytes.Buffer ++ if runtime.GOOS == "windows" { ++ b.WriteString("@echo off\n") ++ } ++ PrintEnv(&b, []cfg.EnvVar{{Name: "var", Value: s}}) ++ var want string ++ if runtime.GOOS == "windows" { ++ fmt.Fprintf(&b, "echo \"%%var%%\"\n") ++ want += "\"" + s + "\"\r\n" ++ } else { ++ fmt.Fprintf(&b, "printf '%%s\\n' \"$var\"\n") ++ want += s + "\n" ++ } ++ scriptfilename := "script.sh" ++ if runtime.GOOS == "windows" { ++ scriptfilename = "script.bat" ++ } ++ scriptfile := filepath.Join(t.TempDir(), scriptfilename) ++ if err := os.WriteFile(scriptfile, b.Bytes(), 0777); err != nil { ++ t.Fatal(err) ++ } ++ t.Log(b.String()) ++ var cmd *exec.Cmd ++ if runtime.GOOS == "windows" { ++ cmd = testenv.Command(t, "cmd.exe", "/C", scriptfile) ++ } else { ++ cmd = testenv.Command(t, "sh", "-c", scriptfile) ++ } ++ out, err := cmd.Output() ++ t.Log(string(out)) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ if string(out) != want { ++ t.Fatalf("output of running PrintEnv script and echoing variable: got: %q, want: %q", ++ string(out), want) ++ } ++ }) ++} +diff --git a/src/cmd/go/testdata/script/env_sanitize.txt b/src/cmd/go/testdata/script/env_sanitize.txt +new file mode 100644 +index 0000000..cc4d23a +--- /dev/null ++++ b/src/cmd/go/testdata/script/env_sanitize.txt +@@ -0,0 +1,5 @@ ++env GOFLAGS='$(echo ''cc"''; echo ''OOPS="oops'')' ++go env ++[GOOS:darwin] stdout 'GOFLAGS=''\$\(echo ''\\''''cc"''\\''''; echo ''\\''''OOPS="oops''\\''''\)''' ++[GOOS:linux] stdout 'GOFLAGS=''\$\(echo ''\\''''cc"''\\''''; echo ''\\''''OOPS="oops''\\''''\)''' ++[GOOS:windows] stdout 'set GOFLAGS=\$\(echo ''cc"''; echo ''OOPS="oops''\)' +diff --git a/src/cmd/go/testdata/script/work_env.txt b/src/cmd/go/testdata/script/work_env.txt +index 511bb4e..8b1779e 100644 +--- a/src/cmd/go/testdata/script/work_env.txt ++++ b/src/cmd/go/testdata/script/work_env.txt +@@ -1,7 +1,7 @@ + go env GOWORK + stdout '^'$GOPATH'[\\/]src[\\/]go.work$' + go env +-stdout '^(set )?GOWORK="?'$GOPATH'[\\/]src[\\/]go.work"?$' ++stdout '^(set )?GOWORK=''?'$GOPATH'[\\/]src[\\/]go.work''?$' + + cd .. + go env GOWORK +-- +2.39.0 + diff --git a/poky/meta/recipes-devtools/go/go/CVE-2023-24531_2.patch b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_2.patch new file mode 100644 index 0000000000..dec36f9d42 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_2.patch @@ -0,0 +1,47 @@ +From 24f1def536c5344e0067a3119790b83ee6224058 Mon Sep 17 00:00:00 2001 +From: miller <millerresearch@gmail.com> +Date: Mon, 8 May 2023 16:56:21 +0100 +Subject: [PATCH 2/2] cmd/go: quote entries in list-valued variables for go env + in plan9 + +When 'go env' without an argument prints environment variables as +a script which can be executed by the shell, variables with a +list value in Plan 9 (such as GOPATH) need to be printed with each +element enclosed in single quotes in case it contains characters +significant to the Plan 9 shell (such as ' ' or '='). + +For #58508 + +Change-Id: Ia30f51307cc6d07a7e3ada6bf9d60bf9951982ff +Reviewed-on: https://go-review.googlesource.com/c/go/+/493535 +Run-TryBot: Cherry Mui <cherryyz@google.com> +Reviewed-by: Cherry Mui <cherryyz@google.com> +Reviewed-by: Russ Cox <rsc@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> +Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> + +CVE: CVE-2023-24531 +Upstream-Status: Backport [05cc9e55876874462a4726ca0101c970838c80e5] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/cmd/go/internal/envcmd/env.go | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +index 5b52fad..d4fc399 100644 +--- a/src/cmd/go/internal/envcmd/env.go ++++ b/src/cmd/go/internal/envcmd/env.go +@@ -431,8 +431,7 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) { + if x > 0 { + fmt.Fprintf(w, " ") + } +- // TODO(#59979): Does this need to be quoted like above? +- fmt.Fprintf(w, "%s", s) ++ fmt.Fprintf(w, "'%s'", strings.ReplaceAll(s, "'", "''")) + } + fmt.Fprintf(w, ")\n") + } +-- +2.39.0 + diff --git a/poky/meta/recipes-devtools/go/go_1.20.4.bb b/poky/meta/recipes-devtools/go/go_1.20.7.bb index 46f5fbc6be..46f5fbc6be 100644 --- a/poky/meta/recipes-devtools/go/go_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go_1.20.7.bb diff --git a/poky/meta/recipes-devtools/libdnf/libdnf_0.70.0.bb b/poky/meta/recipes-devtools/libdnf/libdnf_0.70.1.bb index 14d6a37de1..c44ae2729b 100644 --- a/poky/meta/recipes-devtools/libdnf/libdnf_0.70.0.bb +++ b/poky/meta/recipes-devtools/libdnf/libdnf_0.70.1.bb @@ -12,7 +12,7 @@ SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=dnf-4-master;p file://0001-drop-FindPythonInstDir.cmake.patch \ " -SRCREV = "93759bc5cac262906e52b6a173d7b157914ec29e" +SRCREV = "3b8e59ad8ed3a3eb736d8a2e16b4fc04313d1f12" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(?!4\.90)\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb index 255f5efb70..83d2f01263 100644 --- a/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb +++ b/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb @@ -29,3 +29,6 @@ do_install() { } BBCLASSEXTEND = "native nativesdk" + +# This is a different Ninja +CVE_CHECK_IGNORE += "CVE-2021-4336" diff --git a/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb b/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.6.2.bb index b27e3ded33..eb88b9b734 100644 --- a/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb +++ b/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.6.2.bb @@ -10,7 +10,7 @@ PROVIDES += "${@bb.utils.contains('PACKAGECONFIG', 'update-alternatives', 'virtu SRC_URI = "git://git.yoctoproject.org/opkg-utils;protocol=https;branch=master \ file://0001-update-alternatives-correctly-match-priority.patch \ " -SRCREV = "9239541f14a2529b9d01c0a253ab11afa2822dab" +SRCREV = "67994e62dc598282830385da75ba9b1abbbda941" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/opkg/opkg/0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch b/poky/meta/recipes-devtools/opkg/opkg/0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch deleted file mode 100644 index 3406878a1d..0000000000 --- a/poky/meta/recipes-devtools/opkg/opkg/0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 4089affd371e6d62dd8c1e57b344f8cc329005ea Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Sat, 14 Jan 2023 23:11:08 -0800 -Subject: [PATCH] Define alignof using _Alignof when using C11 or newer - -WG14 N2350 made very clear that it is an UB having type definitions -within "offsetof" [1]. This patch enhances the implementation of macro -alignof_slot to use builtin "_Alignof" to avoid undefined behavior on -when using std=c11 or newer - -clang 16+ has started to flag this [2] - -Fixes build when using -std >= gnu11 and using clang16+ - -Older compilers gcc < 4.9 or clang < 8 has buggy _Alignof even though it -may support C11, exclude those compilers too - -[1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2350.htm -[2] https://reviews.llvm.org/D133574 - -Upstream-Status: Submitted [https://groups.google.com/g/opkg-devel/c/gjcQPZgT_jI] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - libopkg/md5.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libopkg/md5.c b/libopkg/md5.c -index 981b9b8..ccb645e 100644 ---- a/libopkg/md5.c -+++ b/libopkg/md5.c -@@ -237,7 +237,17 @@ void md5_process_bytes(const void *buffer, size_t len, struct md5_ctx *ctx) - /* Process available complete blocks. */ - if (len >= 64) { - #if !_STRING_ARCH_unaligned -+/* GCC releases before GCC 4.9 had a bug in _Alignof. See GCC bug 52023 -+ <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52023>. -+ clang versions < 8.0.0 have the same bug. */ -+#if (!defined __STDC_VERSION__ || __STDC_VERSION__ < 201112 \ -+ || (defined __GNUC__ && __GNUC__ < 4 + (__GNUC_MINOR__ < 9) \ -+ && !defined __clang__) \ -+ || (defined __clang__ && __clang_major__ < 8)) - #define alignof(type) offsetof (struct { char c; type x; }, x) -+#else -+#define alignof(type) _Alignof(type) -+#endif - #define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0) - if (UNALIGNED_P(buffer)) - while (len > 64) { --- -2.39.0 - diff --git a/poky/meta/recipes-devtools/opkg/opkg/0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch b/poky/meta/recipes-devtools/opkg/opkg/0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch deleted file mode 100644 index f216950002..0000000000 --- a/poky/meta/recipes-devtools/opkg/opkg/0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a658e6402382250f0164c5b47b744740e04f3611 Mon Sep 17 00:00:00 2001 -From: Charlie Johnston <charlie.johnston@ni.com> -Date: Fri, 30 Dec 2022 15:21:14 -0600 -Subject: [PATCH] opkg-key: Remove --no-options flag from gpg calls. - -The opkg-key script was always passing the --no-options -flag to gpg, which uses /dev/null as the options file. -As a result, the opkg gpg.conf file was not getting -used. This change removes that flag so that gpg.conf -in the GPGHOMEDIR for opkg (currently /etc/opkg/gpg/) -will be used if present. - -Upstream-Status: Accepted [https://git.yoctoproject.org/opkg/commit/?id=cee294e72d257417b5e55ef7a76a0fd15313e46b] -Signed-off-by: Charlie Johnston <charlie.johnston@ni.com> ---- - utils/opkg-key | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/utils/opkg-key b/utils/opkg-key -index e395a59..8645ebc 100755 ---- a/utils/opkg-key -+++ b/utils/opkg-key -@@ -53,7 +53,7 @@ else - exit 1 - fi - --GPG="$GPGCMD --no-options --homedir $GPGHOMEDIR" -+GPG="$GPGCMD --homedir $GPGHOMEDIR" - - # Gpg home dir isn't created automatically when --homedir option is used - if [ ! -e "$GPGHOMEDIR" ]; then --- -2.30.2 - diff --git a/poky/meta/recipes-devtools/opkg/opkg_0.6.1.bb b/poky/meta/recipes-devtools/opkg/opkg_0.6.2.bb index 4c25fe963a..46be137354 100644 --- a/poky/meta/recipes-devtools/opkg/opkg_0.6.1.bb +++ b/poky/meta/recipes-devtools/opkg/opkg_0.6.2.bb @@ -15,12 +15,10 @@ PE = "1" SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz \ file://opkg.conf \ file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \ - file://0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch \ - file://0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://run-ptest \ -" + " -SRC_URI[sha256sum] = "e87fccb575c64d3ac0559444016a2795f12125986a0da896bab97c4a1a2f1b2a" +SRC_URI[sha256sum] = "ac73a90a2549cd04948e563d915912c78e1b8ba0f43af75c5a53fcca474adbd5" # This needs to be before ptest inherit, otherwise all ptest files end packaged # in libopkg package if OPKGLIBDIR == libdir, because default diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch new file mode 100644 index 0000000000..1f7cbd0da1 --- /dev/null +++ b/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch @@ -0,0 +1,29 @@ +From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001 +From: Stig Palmquist <git@stig.io> +Date: Tue, 28 Feb 2023 11:54:06 +0100 +Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server + identity + +Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0] + +CVE: CVE-2023-31484 + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +index 4fc792c..a616fee 100644 +--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm ++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +@@ -32,6 +32,7 @@ sub mirror { + + my $want_proxy = $self->_want_proxy($uri); + my $http = HTTP::Tiny->new( ++ verify_SSL => 1, + $want_proxy ? (proxy => $self->{proxy}) : () + ); + +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch new file mode 100644 index 0000000000..e2a2216a0d --- /dev/null +++ b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch @@ -0,0 +1,217 @@ +From e1ca8defeff496000fc96600ebfca7250065c1f1 Mon Sep 17 00:00:00 2001 +From: Stig Palmquist <git@stig.io> +Date: Thu, 29 Jun 2023 14:36:05 +0000 +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable + insecure default + +- Changes the `verify_SSL` default parameter from `0` to `1` + + Based on patch by Dominic Hargreaves: + https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 + + Fixes CVE-2023-31486 + +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that + enables the previous insecure default behaviour if set to `1`. + + This provides a workaround for users who encounter problems with the + new `verify_SSL` default. + + Example to disable certificate checks: + ``` + $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl + ``` + +- Updates to documentation: + - Describe changing the verify_SSL value + - Describe the escape-hatch environment variable + - Remove rationale for not enabling verify_SSL + - Add missing certificate search paths + - Replace "SSL" with "TLS/SSL" where appropriate + - Use "machine-in-the-middle" instead of "man-in-the-middle" + +Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++----------- + 1 file changed, 57 insertions(+), 29 deletions(-) + +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +index 83ca06d..5f6ced8 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm ++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } + #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open, + #pod read or write takes longer than the timeout, the request response status code + #pod will be 599. +-#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL +-#pod certificate of an C<https> — connection (default is false) ++#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL ++#pod certificate of an C<https> — connection (default is true). Changed from false ++#pod to true in version 0.083. + #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to + #pod L<IO::Socket::SSL> ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default ++#pod certificate verification behavior to not check server identity if set to 1. ++#pod Only effective if C<verify_SSL> is not set. Added in version 0.083. + #pod + #pod An accessor/mutator method exists for each attribute. + #pod +@@ -111,11 +115,17 @@ sub timeout { + sub new { + my($class, %args) = @_; + ++ # Support lower case verify_ssl argument, but only if verify_SSL is not ++ # true. ++ if ( exists $args{verify_ssl} ) { ++ $args{verify_SSL} ||= $args{verify_ssl}; ++ } ++ + my $self = { + max_redirect => 5, + timeout => defined $args{timeout} ? $args{timeout} : 60, + keep_alive => 1, +- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default ++ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), + no_proxy => $ENV{no_proxy}, + }; + +@@ -134,6 +144,13 @@ sub new { + return $self; + } + ++sub _verify_SSL_default { ++ my ($self) = @_; ++ # Check if insecure default certificate verification behaviour has been ++ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ++ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++} ++ + sub _set_proxies { + my ($self) = @_; + +@@ -1055,7 +1072,7 @@ sub new { + timeout => 60, + max_line_size => 16384, + max_header_lines => 64, +- verify_SSL => 0, ++ verify_SSL => HTTP::Tiny::_verify_SSL_default(), + SSL_options => {}, + %args + }, $class; +@@ -2043,11 +2060,11 @@ proxy + timeout + verify_SSL + +-=head1 SSL SUPPORT ++=head1 TLS/SSL SUPPORT + + Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or + greater and L<Net::SSLeay> 1.49 or greater are installed. An error will occur +-if new enough versions of these modules are not installed or if the SSL ++if new enough versions of these modules are not installed or if the TLS + encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function + that returns boolean to see if the required modules are installed. + +@@ -2055,7 +2072,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC + command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself + requires C<https> to communicate. + +-SSL provides two distinct capabilities: ++TLS/SSL provides two distinct capabilities: + + =over 4 + +@@ -2069,24 +2086,17 @@ Verification of server identity + + =back + +-B<By default, HTTP::Tiny does not verify server identity>. +- +-Server identity verification is controversial and potentially tricky because it +-depends on a (usually paid) third-party Certificate Authority (CA) trust model +-to validate a certificate as legitimate. This discriminates against servers +-with self-signed certificates or certificates signed by free, community-driven +-CA's such as L<CAcert.org|http://cacert.org>. ++B<By default, HTTP::Tiny verifies server identity>. + +-By default, HTTP::Tiny does not make any assumptions about your trust model, +-threat level or risk tolerance. It just aims to give you an encrypted channel +-when you need one. ++This was changed in version 0.083 due to security concerns. The previous default ++behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> ++to 1. + +-Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify +-that an SSL connection has a valid SSL certificate corresponding to the host +-name of the connection and that the SSL certificate has been verified by a CA. +-Assuming you trust the CA, this will protect against a L<man-in-the-middle +-attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are +-concerned about security, you should enable this option. ++Verification is done by checking that that the TLS/SSL connection has a valid ++certificate corresponding to the host name of the connection and that the ++certificate has been verified by a CA. Assuming you trust the CA, this will ++protect against L<machine-in-the-middle ++attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>. + + Certificate verification requires a file containing trusted CA certificates. + +@@ -2094,9 +2104,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny + will try to find a CA certificate file in that location. + + If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file +-included with it as a source of trusted CA's. (This means you trust Mozilla, +-the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the +-toolchain used to install it, and your operating system security, right?) ++included with it as a source of trusted CA's. + + If that module is not available, then HTTP::Tiny will search several + system-specific default locations for a CA certificate file: +@@ -2115,13 +2123,33 @@ system-specific default locations for a CA certificate file: + + /etc/ssl/ca-bundle.pem + ++=item * ++ ++/etc/openssl/certs/ca-certificates.crt ++ ++=item * ++ ++/etc/ssl/cert.pem ++ ++=item * ++ ++/usr/local/share/certs/ca-root-nss.crt ++ ++=item * ++ ++/etc/pki/tls/cacert.pem ++ ++=item * ++ ++/etc/certs/ca-certificates.crt ++ + =back + + An error will be occur if C<verify_SSL> is true and no CA certificate file + is available. + +-If you desire complete control over SSL connections, the C<SSL_options> attribute +-lets you provide a hash reference that will be passed through to ++If you desire complete control over TLS/SSL connections, the C<SSL_options> ++attribute lets you provide a hash reference that will be passed through to + C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For + example, to provide your own trusted CA file: + +@@ -2131,7 +2159,7 @@ example, to provide your own trusted CA file: + + The C<SSL_options> attribute could also be used for such things as providing a + client certificate for authentication to a server or controlling the choice of +-cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for ++cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for + details. + + =head1 PROXY SUPPORT +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch new file mode 100644 index 0000000000..e41e140cf9 --- /dev/null +++ b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch @@ -0,0 +1,30 @@ +commit a22785783b17cbaa28afaee4a024d81a1903701d +From: Stig Palmquist <git@stig.io> +Date: Sun Jun 18 11:36:05 2023 +0200 + + Fix incorrect env var name for verify_SSL default + + The variable to override the verify_SSL default differed slightly in the + documentation from what was checked for in the code. + + This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` + as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was + missing `SSL_` + +Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- +diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm +index bf455b6..7240b65 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm ++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -149,7 +149,7 @@ sub _verify_SSL_default { + my ($self) = @_; + # Check if insecure default certificate verification behaviour has been + # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 +- return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; + } + + sub _set_proxies { diff --git a/poky/meta/recipes-devtools/perl/perl_5.36.0.bb b/poky/meta/recipes-devtools/perl/perl_5.36.0.bb index b8dba00f18..c3ca28ed23 100644 --- a/poky/meta/recipes-devtools/perl/perl_5.36.0.bb +++ b/poky/meta/recipes-devtools/perl/perl_5.36.0.bb @@ -18,6 +18,9 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \ file://determinism.patch \ file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \ file://0001-Fix-build-with-gcc-12.patch \ + file://CVE-2023-31484.patch \ + file://CVE-2023-31486-0001.patch \ + file://CVE-2023-31486-0002.patch \ " SRC_URI:append:class-native = " \ file://perl-configpm-switch.patch \ diff --git a/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.4.bb b/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.5.bb index ab0f371093..ab1d1c84e8 100644 --- a/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.4.bb +++ b/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.5.bb @@ -15,12 +15,12 @@ LICENSE = "pkgconf" LIC_FILES_CHKSUM = "file://COPYING;md5=2214222ec1a820bd6cc75167a56925e0" SRC_URI = "\ - https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \ + https://distfiles.ariadne.space/pkgconf/pkgconf-${PV}.tar.xz \ file://pkg-config-wrapper \ file://pkg-config-native.in \ file://pkg-config-esdk.in \ " -SRC_URI[sha256sum] = "daccf1bbe5a30d149b556c7d2ffffeafd76d7b514e249271abdd501533c1d8ae" +SRC_URI[sha256sum] = "1ac1656debb27497563036f7bffc281490f83f9b8457c0d60bcfb638fb6b6171" inherit autotools diff --git a/poky/meta/recipes-devtools/pseudo/files/glibc238.patch b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch new file mode 100644 index 0000000000..76ca8c11eb --- /dev/null +++ b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch @@ -0,0 +1,72 @@ +glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by +_GNU_SOURCE but we have to set that for other definitions. Therefore play with defines +to turn this off within pseudo_wrappers.c. Elsewhere we can switch to _DEFAULT_SOURCE +rather than _GNU_SOURCE. + +Upstream-Status: Pending + +Index: git/pseudo_wrappers.c +=================================================================== +--- git.orig/pseudo_wrappers.c ++++ git/pseudo_wrappers.c +@@ -6,6 +6,15 @@ + * SPDX-License-Identifier: LGPL-2.1-only + * + */ ++/* glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by ++ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines ++ * to turn this off. ++ */ ++#include <features.h> ++#undef __GLIBC_USE_ISOC2X ++#undef __GLIBC_USE_C2X_STRTOL ++#define __GLIBC_USE_C2X_STRTOL 0 ++ + #include <assert.h> + #include <stdlib.h> + #include <limits.h> +Index: git/pseudo_util.c +=================================================================== +--- git.orig/pseudo_util.c ++++ git/pseudo_util.c +@@ -8,6 +8,14 @@ + */ + /* we need access to RTLD_NEXT for a horrible workaround */ + #define _GNU_SOURCE ++/* glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by ++ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines ++ * to turn this off. ++ */ ++#include <features.h> ++#undef __GLIBC_USE_ISOC2X ++#undef __GLIBC_USE_C2X_STRTOL ++#define __GLIBC_USE_C2X_STRTOL 0 + + #include <ctype.h> + #include <errno.h> +Index: git/pseudolog.c +=================================================================== +--- git.orig/pseudolog.c ++++ git/pseudolog.c +@@ -8,7 +8,7 @@ + */ + /* We need _XOPEN_SOURCE for strptime(), but if we define that, + * we then don't get S_IFSOCK... _GNU_SOURCE turns on everything. */ +-#define _GNU_SOURCE ++#define _DEFAULT_SOURCE + + #include <ctype.h> + #include <limits.h> +Index: git/pseudo_client.c +=================================================================== +--- git.orig/pseudo_client.c ++++ git/pseudo_client.c +@@ -6,7 +6,7 @@ + * SPDX-License-Identifier: LGPL-2.1-only + * + */ +-#define _GNU_SOURCE ++#define _DEFAULT_SOURCE + + #include <stdio.h> + #include <signal.h> diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb index c3c4bb0ed9..9260a3faa3 100644 --- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -2,6 +2,7 @@ require pseudo.inc SRC_URI = "git://git.yoctoproject.org/pseudo;branch=master;protocol=https \ file://0001-configure-Prune-PIE-flags.patch \ + file://glibc238.patch \ file://fallback-passwd \ file://fallback-group \ " diff --git a/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb b/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb index 9f5b81330b..42d5d4dfce 100644 --- a/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb +++ b/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb @@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8f7bb094c7232b058c7e9f2e431f389c" HOMEPAGE = "https://pypi.org/project/bcrypt/" DEPENDS += "${PYTHON_PN}-cffi-native" +LDFLAGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', ' -fuse-ld=bfd', '', d)}" SRC_URI[sha256sum] = "27d375903ac8261cfe4047f6709d16f7d18d39b1ec92aaf72af989552a650ebd" diff --git a/poky/meta/recipes-devtools/python/python3-certifi_2022.12.7.bb b/poky/meta/recipes-devtools/python/python3-certifi_2023.7.22.bb index dca3d26811..f63b0b6cb8 100644 --- a/poky/meta/recipes-devtools/python/python3-certifi_2022.12.7.bb +++ b/poky/meta/recipes-devtools/python/python3-certifi_2023.7.22.bb @@ -7,7 +7,7 @@ HOMEPAGE = " http://certifi.io/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=3c2b7404369c587c3559afb604fce2f2" -SRC_URI[sha256sum] = "35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3" +SRC_URI[sha256sum] = "539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082" inherit pypi setuptools3 diff --git a/poky/meta/recipes-devtools/python/python3-git_3.1.31.bb b/poky/meta/recipes-devtools/python/python3-git_3.1.37.bb index 08b9f66bcb..56a335a79e 100644 --- a/poky/meta/recipes-devtools/python/python3-git_3.1.31.bb +++ b/poky/meta/recipes-devtools/python/python3-git_3.1.37.bb @@ -6,13 +6,13 @@ access with big-files support." HOMEPAGE = "http://github.com/gitpython-developers/GitPython" SECTION = "devel/python" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8b8d26c37c1d5a04f9b0186edbebc183" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5279a7ab369ba336989dcf2a107e5c8e" PYPI_PACKAGE = "GitPython" inherit pypi python_setuptools_build_meta -SRC_URI[sha256sum] = "8ce3bcf69adfdf7c7d503e78fd3b1c492af782d58893b650adb2ac8912ddd573" +SRC_URI[sha256sum] = "f9b9ddc0761c125d5780eab2d64be4873fc6817c2899cbcb34b02344bdc7bc54" DEPENDS += " ${PYTHON_PN}-gitdb" diff --git a/poky/meta/recipes-devtools/python/python3-numpy/0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch b/poky/meta/recipes-devtools/python/python3-numpy/0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch new file mode 100644 index 0000000000..d733dda333 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-numpy/0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch @@ -0,0 +1,135 @@ +From f2a722aa30a29709bb9b5f60fc6d20a10fe6b4f5 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 28 Jun 2023 17:58:52 +0800 +Subject: [PATCH] simd.inc.src: Change NPY_INLINE to inline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: + | numpy/core/src/umath/simd.inc.src:977:20: note: called from here + | 977 | @vtype@ zeros = _mm512_setzero_@vsuffix@(); + | ^~~~~~~~~~~~~~~~~~~ + | numpy/core/src/umath/simd.inc.src:596:1: error: inlining failed in call to ‘always_inline’ ‘avx512_get_full_load_mask_ps’: target specific option mismatch + 596 | avx512_get_full_load_mask_ps(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | numpy/core/src/umath/simd.inc.src:976:27: note: called from here + 976 | @mask@ load_mask = avx512_get_full_load_mask_@vsuffix@(); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | /usr/lib/gcc/x86_64-redhat-linux/13/include/avx512fintrin.h:6499:1: error: inlining failed in call to ‘always_inline’ ‘_mm512_loadu_si512’: target specific option mismatch + +Upstream-Status: Inappropriate [The file simd.inc.src have been removed in new version as + https://github.com/numpy/numpy/commit/640e85017aa8eac3e9be68b475acf27d623b16b7] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + numpy/core/src/umath/simd.inc.src | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/numpy/core/src/umath/simd.inc.src b/numpy/core/src/umath/simd.inc.src +index d6c9a7e..39aec9a 100644 +--- a/numpy/core/src/umath/simd.inc.src ++++ b/numpy/core/src/umath/simd.inc.src +@@ -61,11 +61,11 @@ + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_INLINE NPY_GCC_TARGET_AVX512F void ++static inline NPY_GCC_TARGET_AVX512F void + AVX512F_@func@_@TYPE@(@type@*, @type@*, const npy_intp n, const npy_intp stride); + #endif + +-static NPY_INLINE int ++static inline int + run_unary_avx512f_@func@_@TYPE@(char **args, const npy_intp *dimensions, const npy_intp *steps) + { + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +@@ -99,11 +99,11 @@ run_unary_avx512f_@func@_@TYPE@(char **args, const npy_intp *dimensions, const n + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512_SKX_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS && @EXISTS@ +-static NPY_INLINE NPY_GCC_TARGET_AVX512_SKX void ++static inline NPY_GCC_TARGET_AVX512_SKX void + AVX512_SKX_@func@_@TYPE@(npy_bool*, @type@*, const npy_intp n, const npy_intp stride); + #endif + +-static NPY_INLINE int ++static inline int + run_@func@_avx512_skx_@TYPE@(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined HAVE_ATTRIBUTE_TARGET_AVX512_SKX_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS && @EXISTS@ +@@ -144,7 +144,7 @@ sse2_@func@_@TYPE@(@type@ *, @type@ *, const npy_intp n); + + #endif + +-static NPY_INLINE int ++static inline int + run_@name@_simd_@func@_@TYPE@(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if @vector@ && defined NPY_HAVE_SSE2_INTRINSICS +@@ -169,7 +169,7 @@ sse2_@kind@_@TYPE@(npy_bool * op, @type@ * ip1, npy_intp n); + + #endif + +-static NPY_INLINE int ++static inline int + run_@kind@_simd_@TYPE@(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if @vector@ && defined NPY_HAVE_SSE2_INTRINSICS +@@ -205,7 +205,7 @@ static void + sse2_reduce_@kind@_BOOL(npy_bool * op, npy_bool * ip, npy_intp n); + #endif + +-static NPY_INLINE int ++static inline int + run_binary_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined NPY_HAVE_SSE2_INTRINSICS +@@ -220,7 +220,7 @@ run_binary_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp co + } + + +-static NPY_INLINE int ++static inline int + run_reduce_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined NPY_HAVE_SSE2_INTRINSICS +@@ -245,7 +245,7 @@ static void + sse2_@kind@_BOOL(npy_bool *, npy_bool *, const npy_intp n); + #endif + +-static NPY_INLINE int ++static inline int + run_unary_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined NPY_HAVE_SSE2_INTRINSICS +@@ -875,7 +875,7 @@ NPY_FINLINE NPY_GCC_OPT_3 NPY_GCC_TARGET_@ISA@ @vtype@d + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512_SKX_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_INLINE NPY_GCC_TARGET_AVX512_SKX void ++static inline NPY_GCC_TARGET_AVX512_SKX void + AVX512_SKX_@func@_@TYPE@(npy_bool* op, @type@* ip, const npy_intp array_size, const npy_intp steps) + { + const npy_intp stride_ip = steps/(npy_intp)sizeof(@type@); +@@ -954,7 +954,7 @@ AVX512_SKX_@func@_@TYPE@(npy_bool* op, @type@* ip, const npy_intp array_size, co + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_GCC_OPT_3 NPY_INLINE NPY_GCC_TARGET_AVX512F void ++static NPY_GCC_OPT_3 inline NPY_GCC_TARGET_AVX512F void + AVX512F_@func@_@TYPE@(@type@ * op, + @type@ * ip, + const npy_intp array_size, +@@ -1001,7 +1001,7 @@ AVX512F_@func@_@TYPE@(@type@ * op, + /**end repeat1**/ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_GCC_OPT_3 NPY_INLINE NPY_GCC_TARGET_AVX512F void ++static NPY_GCC_OPT_3 inline NPY_GCC_TARGET_AVX512F void + AVX512F_absolute_@TYPE@(@type@ * op, + @type@ * ip, + const npy_intp array_size, +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb b/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb index bfcfc52729..5f88948de2 100644 --- a/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb +++ b/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb @@ -10,6 +10,7 @@ SRCNAME = "numpy" SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${SRCNAME}-${PV}.tar.gz \ file://0001-Don-t-search-usr-and-so-on-for-libraries-by-default-.patch \ file://0001-numpy-core-Define-RISCV-32-support.patch \ + file://0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch \ file://run-ptest \ " SRC_URI[sha256sum] = "003a9f530e880cb2cd177cba1af7220b9aa42def9c4afc2a2fc3ee6be7eb2b22" diff --git a/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch new file mode 100644 index 0000000000..d7fc87fec8 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch @@ -0,0 +1,49 @@ +From 9a73f2a80e5cf869d473ddcbfceaab229fb99b5e Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 28 Aug 2023 15:04:14 +0000 +Subject: [PATCH] SQL+Jinja: use a simpler regex in analyse_text + +Fixes catastrophic backtracking + +Fixes #2355 + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + CHANGES | 1 + + pygments/lexers/templates.py | 6 +----- + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/CHANGES b/CHANGES +index 2aa54fa..4c84fa6 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -61,6 +61,7 @@ Version 2.14.0 + * Spice: Add ``enum`` keyword and fix a bug regarding binary, + hexadecimal and octal number tokens (#2227) + * YAML: Accept colons in key names (#2277) ++ * SQL+Jinja (``analyse_text`` method): fix catastrophic backtracking [Backported] + + - Fix `make mapfiles` when Pygments is not installed in editable mode + (#2223) +diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py +index 1fcf708..1066294 100644 +--- a/pygments/lexers/templates.py ++++ b/pygments/lexers/templates.py +@@ -2291,10 +2291,6 @@ class SqlJinjaLexer(DelegatingLexer): + if re.search(r'\{\{\s*source\(.*\)\s*\}\}', text): + rv += 0.25 + # Jinja macro +- if re.search( +- r'\{%-?\s*macro \w+\(.*\)\s*-?%\}\s+.*\s+\{%-?\s*endmacro\s*-?%\}', +- text, +- re.S, +- ): ++ if re.search(r'\{%-?\s*macro \w+\(.*\)\s*-?%\}', text): + rv += 0.15 + return rv +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch new file mode 100644 index 0000000000..61ebe5dad5 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch @@ -0,0 +1,301 @@ +From 45ff8eabe0363f829c397372aefc3b23aeb135b3 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Tue, 29 Aug 2023 10:45:34 +0000 +Subject: [PATCH] Improve Java properties lexer (#2404) + +Use special lexer rules for escapes; fixes catastrophic backtracking, +and highlights them too. + +Fixes #2356 + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + pygments/lexers/configs.py | 50 +++++--- + tests/examplefiles/properties/java.properties | 11 ++ + .../properties/java.properties.output | 110 +++++++++++++++--- + .../test_escaped_space_in_value.txt | 4 +- + .../properties/test_just_key_with_space.txt | 4 +- + 5 files changed, 143 insertions(+), 36 deletions(-) + +diff --git a/pygments/lexers/configs.py b/pygments/lexers/configs.py +index e04c722..b28b56a 100644 +--- a/pygments/lexers/configs.py ++++ b/pygments/lexers/configs.py +@@ -129,26 +129,42 @@ class PropertiesLexer(RegexLexer): + + tokens = { + 'root': [ +- (r'\s+', Whitespace), ++ # comments + (r'[!#].*|/{2}.*', Comment.Single), +- # search for first separator +- (r'([^\\\n]|\\.)*?(?=[ \f\t=:])', Name.Attribute, "separator"), +- # empty key +- (r'.+?$', Name.Attribute), ++ # ending a comment or whitespace-only line ++ (r'\n', Whitespace), ++ # eat whitespace at the beginning of a line ++ (r'^[^\S\n]+', Whitespace), ++ # start lexing a key ++ default('key'), + ], +- 'separator': [ +- # search for line continuation escape +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)$', +- bygroups(Whitespace, Operator, Whitespace, String, Text), "value", "#pop"), +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*)', +- bygroups(Whitespace, Operator, Whitespace, String), "#pop"), ++ 'key': [ ++ # non-escaped key characters ++ (r'[^\\:=\s]+', Name.Attribute), ++ # escapes ++ include('escapes'), ++ # separator is the first non-escaped whitespace or colon or '=' on the line; ++ # if it's whitespace, = and : are gobbled after it ++ (r'([^\S\n]*)([:=])([^\S\n]*)', ++ bygroups(Whitespace, Operator, Whitespace), ++ ('#pop', 'value')), ++ (r'[^\S\n]+', Whitespace, ('#pop', 'value')), ++ # maybe we got no value after all ++ (r'\n', Whitespace, '#pop'), + ], +- 'value': [ # line continuation +- (r'\s+', Whitespace), +- # search for line continuation escape +- (r'(\s*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)([ \t]*)', +- bygroups(Whitespace, String, Text, Whitespace)), +- (r'.*$', String, "#pop"), ++ 'value': [ ++ # non-escaped value characters ++ (r'[^\\\n]+', String), ++ # escapes ++ include('escapes'), ++ # end the value on an unescaped newline ++ (r'\n', Whitespace, '#pop'), ++ ], ++ 'escapes': [ ++ # line continuations; these gobble whitespace at the beginning of the next line ++ (r'(\\\n)([^\S\n]*)', bygroups(String.Escape, Whitespace)), ++ # other escapes ++ (r'\\(.|\n)', String.Escape), + ], + } + +diff --git a/tests/examplefiles/properties/java.properties b/tests/examplefiles/properties/java.properties +index d5b594e..7fe915c 100644 +--- a/tests/examplefiles/properties/java.properties ++++ b/tests/examplefiles/properties/java.properties +@@ -14,6 +14,8 @@ key = \ + and value2\\ + key\ 2 = value + key\\ 3 = value3 ++key \ ++ = value + + ! empty keys and edge cases + key1 = +@@ -22,3 +24,12 @@ key3 the value3 + key4 the:value4 + key5 the=value5 + key6=the value6 ++ ++! escapes in keys ++key\ with\ spaces = value ++key\nwith\nnewlines = value\nwith\nnewlines ++ ++ ! indented comment ++ ++! line continuations do \ ++not = work for comments +diff --git a/tests/examplefiles/properties/java.properties.output b/tests/examplefiles/properties/java.properties.output +index 0c1fdee..4822575 100644 +--- a/tests/examplefiles/properties/java.properties.output ++++ b/tests/examplefiles/properties/java.properties.output +@@ -2,13 +2,17 @@ + '\n' Text.Whitespace + + '# mixing spaces' Comment.Single +-'\n\t' Text.Whitespace ++'\n' Text.Whitespace ++ ++'\t' Text.Whitespace + 'Truth' Name.Attribute + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace + 'Beauty' Literal.String +-'\n ' Text.Whitespace ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace + 'Truth' Name.Attribute + ':' Operator + 'Beauty' Literal.String +@@ -23,18 +27,24 @@ + ' ' Text.Whitespace + ':' Operator + 'Beauty' Literal.String +-'\n \n' Text.Whitespace ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace + + '! line continuations and escapes' Comment.Single +-'\n ' Text.Whitespace ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace + 'fruits' Name.Attribute + ' ' Text.Whitespace + 'apple, banana, pear, ' Literal.String +-'\\' Text +-'\n ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace + 'cantaloupe, watermelon, ' Literal.String +-'\\' Text +-'\n ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace + 'kiwi, mango' Literal.String + '\n' Text.Whitespace + +@@ -42,25 +52,42 @@ + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace +-'\\' Text +-'\n ' Text.Whitespace +-'value1 \\\\' Literal.String +-'\\' Text +-'\n ' Text.Whitespace +-'and value2\\\\' Literal.String ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'value1 ' Literal.String ++'\\\\' Literal.String.Escape ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'and value2' Literal.String ++'\\\\' Literal.String.Escape + '\n' Text.Whitespace + +-'key\\ 2' Name.Attribute ++'key' Name.Attribute ++'\\ ' Literal.String.Escape ++'2' Name.Attribute + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace + 'value' Literal.String + '\n' Text.Whitespace + +-'key\\\\' Name.Attribute ++'key' Name.Attribute ++'\\\\' Literal.String.Escape + ' ' Text.Whitespace + '3 = value3' Literal.String +-'\n\n' Text.Whitespace ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++' ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'= value' Literal.String ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace + + '! empty keys and edge cases' Comment.Single + '\n' Text.Whitespace +@@ -92,3 +119,52 @@ + '=' Operator + 'the value6' Literal.String + '\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++'! escapes in keys' Comment.Single ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++'\\ ' Literal.String.Escape ++'with' Name.Attribute ++'\\ ' Literal.String.Escape ++'spaces' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'value' Literal.String ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++'\\n' Literal.String.Escape ++'with' Name.Attribute ++'\\n' Literal.String.Escape ++'newlines' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'value' Literal.String ++'\\n' Literal.String.Escape ++'with' Literal.String ++'\\n' Literal.String.Escape ++'newlines' Literal.String ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace ++'! indented comment' Comment.Single ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++'! line continuations do \\' Comment.Single ++'\n' Text.Whitespace ++ ++'not' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'work for comments' Literal.String ++'\n' Text.Whitespace +diff --git a/tests/snippets/properties/test_escaped_space_in_value.txt b/tests/snippets/properties/test_escaped_space_in_value.txt +index f76507f..44772d8 100644 +--- a/tests/snippets/properties/test_escaped_space_in_value.txt ++++ b/tests/snippets/properties/test_escaped_space_in_value.txt +@@ -6,5 +6,7 @@ key = doubleword\ value + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace +-'doubleword\\ value' Literal.String ++'doubleword' Literal.String ++'\\ ' Literal.String.Escape ++'value' Literal.String + '\n' Text.Whitespace +diff --git a/tests/snippets/properties/test_just_key_with_space.txt b/tests/snippets/properties/test_just_key_with_space.txt +index 660c37c..833fe40 100644 +--- a/tests/snippets/properties/test_just_key_with_space.txt ++++ b/tests/snippets/properties/test_just_key_with_space.txt +@@ -2,5 +2,7 @@ + just\ key + + ---tokens--- +-'just\\ key' Name.Attribute ++'just' Name.Attribute ++'\\ ' Literal.String.Escape ++'key' Name.Attribute + '\n' Text.Whitespace +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb b/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb index 16769e9263..b5b8abc113 100644 --- a/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb +++ b/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb @@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592" inherit setuptools3 SRC_URI[sha256sum] = "b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297" +SRC_URI += "file://CVE-2022-40896-0001.patch \ + file://CVE-2022-40896-0002.patch \ + " + DEPENDS += "\ ${PYTHON_PN} \ " diff --git a/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch b/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch new file mode 100644 index 0000000000..0110615572 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch @@ -0,0 +1,61 @@ +From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt <nate.prewitt@gmail.com> +Date: Mon, 22 May 2023 08:08:57 -0700 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +CVE: CVE-2023-32681 +Upstream-Status: Backport +[https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +--- + requests/sessions.py | 4 +++- + tests/test_requests.py | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/requests/sessions.py b/requests/sessions.py +index 6cb3b4dae3..dbcf2a7b0e 100644 +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers["Proxy-Authorization"] = _basic_auth_str(username, password) + + return new_proxies +diff --git a/tests/test_requests.py b/tests/test_requests.py +index b1c8dd4534..b420c44d73 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin): + + assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + ++ ++ @pytest.mark.parametrize( ++ "url,has_proxy_auth", ++ ( ++ ('http://example.com', True), ++ ('https://example.com', False), ++ ), ++ ) ++ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): ++ session = requests.Session() ++ proxies = { ++ 'http': 'http://test:pass@localhost:8080', ++ 'https': 'http://test:pass@localhost:8090', ++ } ++ req = requests.Request('GET', url) ++ prep = req.prepare() ++ session.rebuild_proxies(prep, proxies) ++ ++ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth ++ + def test_basicauth_with_netrc(self, httpbin): + auth = ("user", "pass") + wrong_auth = ("wronguser", "wrongpass") diff --git a/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb b/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb index 2f397ddaad..b57f71673c 100644 --- a/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb +++ b/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb @@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" SRC_URI[sha256sum] = "98b1b2782e3c6c4904938b84c0eb932721069dfdb9134313beff7c83c2df24bf" +SRC_URI += " file://CVE-2023-32681.patch" + inherit pypi setuptools3 RDEPENDS:${PN} += " \ diff --git a/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch index 96e5e81342..222a567dd5 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch @@ -1,4 +1,4 @@ -From 7d296dc635ad3ac2792955ce37e140a4104b098f Mon Sep 17 00:00:00 2001 +From aa8f1709c54557d2b51a9a37d15ccc3de62e90cb Mon Sep 17 00:00:00 2001 From: Jeremy Puhlman <jpuhlman@mvista.com> Date: Wed, 4 Mar 2020 00:06:42 +0000 Subject: [PATCH] Don't search system for headers/libraries diff --git a/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch b/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch index df5179e877..07c6aef9b9 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch @@ -1,4 +1,4 @@ -From 86061629f4a179e740a17e53dd2c98ab47af2fe2 Mon Sep 17 00:00:00 2001 +From 7b0a14e7320078ac891d415cab9b7568e3f52ad8 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Thu, 16 Sep 2021 16:35:37 +0200 Subject: [PATCH] Lib/pty.py: handle stdin I/O errors same way as master I/O @@ -30,18 +30,18 @@ Signed-off-by: Alexander Kanavin <alex@linutronix.de> 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Lib/pty.py b/Lib/pty.py -index 8d8ce40..35439c6 100644 +index fefb63a..4cef056 100644 --- a/Lib/pty.py +++ b/Lib/pty.py -@@ -154,7 +154,10 @@ def _copy(master_fd, master_read=_read, stdin_read=_read): - os.write(STDOUT_FILENO, data) +@@ -184,7 +184,10 @@ def _copy(master_fd, master_read=_read, stdin_read=_read): + i_buf = i_buf[n:] - if STDIN_FILENO in rfds: + if stdin_avail and STDIN_FILENO in rfds: - data = stdin_read(STDIN_FILENO) + try: + data = stdin_read(STDIN_FILENO) + except OSError: + data = b"" if not data: - fds.remove(STDIN_FILENO) + stdin_avail = False else: diff --git a/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch b/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch index 86971f4048..a0f3d72992 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch @@ -1,4 +1,4 @@ -From cab8b8b1390165a93dfb27c48c1cc4c3e4280dfd Mon Sep 17 00:00:00 2001 +From 512c617bd00b74b30a80dd56a12391de46e2b6cf Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Fri, 10 Sep 2021 12:28:31 +0200 Subject: [PATCH] Lib/sysconfig.py: use prefix value from build configuration diff --git a/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch index e080b5c562..bbdd8b586e 100644 --- a/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch +++ b/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch @@ -1,4 +1,4 @@ -From 79e7ed59750612e57647847957ab85709307ea38 Mon Sep 17 00:00:00 2001 +From 843574d5a5b0818e83e20f8c0389d567bd4733fb Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Tue, 14 May 2013 15:00:26 -0700 Subject: [PATCH] python3: Add target and native recipes diff --git a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py index 0ca687d2eb..8e432b49af 100644 --- a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py +++ b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py @@ -32,7 +32,7 @@ def fix_path(dep_path): dep_path = dep_path[dep_path.find(pivot)+len(pivot):] if '/usr/bin' in dep_path: - dep_path = dep_path.replace('/usr/bin''${bindir}') + dep_path = dep_path.replace('/usr/bin','${bindir}') # Handle multilib, is there a better way? if '/usr/lib32' in dep_path: diff --git a/poky/meta/recipes-devtools/python/python3/makerace.patch b/poky/meta/recipes-devtools/python/python3/makerace.patch index 979fc9dc36..c71c1e15de 100644 --- a/poky/meta/recipes-devtools/python/python3/makerace.patch +++ b/poky/meta/recipes-devtools/python/python3/makerace.patch @@ -1,4 +1,4 @@ -From 4f52aaf2a548b3356c6f1369c62b11335dc27464 Mon Sep 17 00:00:00 2001 +From dde5cb74f55b6dd39d25cff639d16940d9dad505 Mon Sep 17 00:00:00 2001 From: Richard Purdie <richard.purdie@linuxfoundation.org> Date: Tue, 13 Jul 2021 23:19:29 +0100 Subject: [PATCH] python3: Fix make race @@ -18,11 +18,11 @@ Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.pre.in b/Makefile.pre.in -index 7558f0c..8cec819 100644 +index c6d7e85..205af6c 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -2005,7 +2005,7 @@ TESTSUBDIRS= ctypes/test \ - unittest/test unittest/test/testmock +@@ -2045,7 +2045,7 @@ TESTSUBDIRS= ctypes/test \ + unittest/test/testmock TEST_MODULES=@TEST_MODULES@ -libinstall: all $(srcdir)/Modules/xxmodule.c diff --git a/poky/meta/recipes-devtools/python/python3_3.11.2.bb b/poky/meta/recipes-devtools/python/python3_3.11.5.bb index 5bd8d32b14..b1ab307804 100644 --- a/poky/meta/recipes-devtools/python/python3_3.11.2.bb +++ b/poky/meta/recipes-devtools/python/python3_3.11.5.bb @@ -39,7 +39,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "29e4b8f5f1658542a8c13e2dd277358c9c48f2b2f7318652ef1675e402b9d2af" +SRC_URI[sha256sum] = "85cd12e9cf1d6d5a45f17f7afe1cebe7ee628d3282281c492e86adf636defa3f" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" @@ -56,6 +56,8 @@ CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488" # The mailcap module is insecure by design, so this can't be fixed in a meaningful way. # The module will be removed in the future and flaws documented. CVE_CHECK_IGNORE += "CVE-2015-20107" +# Not an issue, in fact expected behaviour +CVE_CHECK_IGNORE += "CVE-2023-36632" PYTHON_MAJMIN = "3.11" diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index 4c9be91cb0..c8e1d28654 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -36,6 +36,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://ppc.patch \ + file://CVE-2023-0330.patch \ + file://CVE-2023-3301.patch \ + file://CVE-2023-3255.patch \ + file://CVE-2023-2861.patch \ + file://CVE-2023-3354.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch index 5ef1184e3c..36c537eee1 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch @@ -8,7 +8,7 @@ The event filename is an absolute path. Convert it to a relative path when writing '#line' directives, to preserve reproducibility of the generated output when different base paths are used. -Upstream-Status: Pending +Upstream-Status: Accepted [https://gitlab.com/qemu-project/qemu/-/commit/9d672e290475001fcecdcc9dc79ad088ff89d17f] --- scripts/tracetool/backend/ftrace.py | 4 +++- diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..f609ea29b4 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch @@ -0,0 +1,75 @@ +From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Mon, 22 May 2023 11:10:11 +0200 +Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI + controller (CVE-2023-0330) + +We cannot use the generic reentrancy guard in the LSI code, so +we have to manually prevent endless reentrancy here. The problematic +lsi_execute_script() function has already a way to detect whether +too many instructions have been executed - we just have to slightly +change the logic here that it also takes into account if the function +has been called too often in a reentrant way. + +The code in fuzz-lsi53c895a-test.c has been taken from an earlier +patch by Mauro Matteo Cascella. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563 +Message-Id: <20230522091011.1082574-1-thuth@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] +CVE: CVE-2023-0330 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + hw/scsi/lsi53c895a.c | 23 +++++++++++++++------ + tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+), 6 deletions(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 048436352b7a..f7d45b0b20fb 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s) + uint32_t addr, addr_high; + int opcode; + int insn_processed = 0; ++ static int reentrancy_level; ++ ++ reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; + again: +- if (++insn_processed > LSI_MAX_INSN) { +- /* Some windows drivers make the device spin waiting for a memory +- location to change. If we have been executed a lot of code then +- assume this is the case and force an unexpected device disconnect. +- This is apparently sufficient to beat the drivers into submission. +- */ ++ /* ++ * Some windows drivers make the device spin waiting for a memory location ++ * to change. If we have executed more than LSI_MAX_INSN instructions then ++ * assume this is the case and force an unexpected device disconnect. This ++ * is apparently sufficient to beat the drivers into submission. ++ * ++ * Another issue (CVE-2023-0330) can occur if the script is programmed to ++ * trigger itself again and again. Avoid this problem by stopping after ++ * being called multiple times in a reentrant way (8 is an arbitrary value ++ * which should be enough for all valid use cases). ++ */ ++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { + if (!(s->sien0 & LSI_SIST0_UDC)) { + qemu_log_mask(LOG_GUEST_ERROR, + "lsi_scsi: inf. loop with UDC masked"); +@@ -1596,6 +1605,8 @@ static void lsi_execute_script(LSIState *s) + } + } + trace_lsi_execute_script_stop(); ++ ++ reentrancy_level--; + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..34be8afe16 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch @@ -0,0 +1,171 @@ +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 +From: Christian Schoenebeck <qemu_oss@crudebyte.com> +Date: Wed, 2 Aug 2023 13:02:55 +0000 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. + +With QEMU this could only be exploited in the following unsafe setups: + + - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' + security model. + +or + + - Using 9p 'proxy' fs driver (which is running its helper daemon as + root). + +These setups were already discouraged for safety reasons before, +however for obvious reasons we are now tightening behaviour on this. + +Fixes: CVE-2023-2861 +Reported-by: Yanwu Shen <ywsPlz@gmail.com> +Reported-by: Jietao Xiao <shawtao1125@gmail.com> +Reported-by: Jinku Li <jkli@xidian.edu.cn> +Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn> +Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> +Reviewed-by: Greg Kurz <groug@kaod.org> +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> +Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com> + +CVE: CVE-2023-2861 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + fsdev/virtfs-proxy-helper.c | 27 ++++++++++++++++++++++++-- + hw/9pfs/9p-util.h | 38 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 2 deletions(-) + +diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c +index 5cafcd770..d9511f429 100644 +--- a/fsdev/virtfs-proxy-helper.c ++++ b/fsdev/virtfs-proxy-helper.c +@@ -26,6 +26,7 @@ + #include "qemu/xattr.h" + #include "9p-iov-marshal.h" + #include "hw/9pfs/9p-proxy.h" ++#include "hw/9pfs/9p-util.h" + #include "fsdev/9p-iov-marshal.h" + + #define PROGNAME "virtfs-proxy-helper" +@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) + } + } + ++/* ++ * Open regular file or directory. Attempts to open any special file are ++ * rejected. ++ * ++ * returns file descriptor or -1 on error ++ */ ++static int open_regular(const char *pathname, int flags, mode_t mode) ++{ ++ int fd; ++ ++ fd = open(pathname, flags, mode); ++ if (fd < 0) { ++ return fd; ++ } ++ ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ ++ return fd; ++} ++ + /* + * send response in two parts + * 1) ProxyHeader +@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec) + if (ret < 0) { + goto unmarshal_err_out; + } +- ret = open(path.data, flags, mode); ++ ret = open_regular(path.data, flags, mode); + if (ret < 0) { + ret = -errno; + } +@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) + if (ret < 0) { + goto err_out; + } +- ret = open(path.data, flags); ++ ret = open_regular(path.data, flags, 0); + if (ret < 0) { + ret = -errno; + } +diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h +index c3526144c..6b44e5f7a 100644 +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -13,6 +13,8 @@ + #ifndef QEMU_9P_UTIL_H + #define QEMU_9P_UTIL_H + ++#include "qemu/error-report.h" ++ + #ifdef O_PATH + #define O_PATH_9P_UTIL O_PATH + #else +@@ -112,6 +114,38 @@ static inline void close_preserve_errno(int fd) + errno = serrno; + } + ++/** ++ * close_if_special_file() - Close @fd if neither regular file nor directory. ++ * ++ * @fd: file descriptor of open file ++ * Return: 0 on regular file or directory, -1 otherwise ++ * ++ * CVE-2023-2861: Prohibit opening any special file directly on host ++ * (especially device files), as a compromised client could potentially gain ++ * access outside exported tree under certain, unsafe setups. We expect ++ * client to handle I/O on special files exclusively on guest side. ++ */ ++static inline int close_if_special_file(int fd) ++{ ++ struct stat stbuf; ++ ++ if (fstat(fd, &stbuf) < 0) { ++ close_preserve_errno(fd); ++ return -1; ++ } ++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { ++ error_report_once( ++ "9p: broken or compromised client detected; attempt to open " ++ "special file (i.e. neither regular file, nor directory)" ++ ); ++ close(fd); ++ errno = ENXIO; ++ return -1; ++ } ++ ++ return 0; ++} ++ + static inline int openat_dir(int dirfd, const char *name) + { + return openat(dirfd, name, +@@ -146,6 +180,10 @@ again: + return -1; + } + ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ + serrno = errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..661af629b0 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch @@ -0,0 +1,65 @@ +From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Wed, 2 Aug 2023 12:29:55 +0000 +Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer + (CVE-2023-3255) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; + charset=UTF-8 Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A wrong exit condition may lead to an infinite loop when inflating a +valid zlib buffer containing some extra bytes in the `inflate_buffer` +function. The bug only occurs post-authentication. Return the buffer +immediately if the end of the compressed data has been reached +(Z_STREAM_END). + +Fixes: CVE-2023-3255 +Fixes: 0bf41cab ("ui/vnc: clipboard support") +Reported-by: Kevin Denis <kevin.denis@synacktiv.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-ID: <20230704084210.101822-1-mcascell@redhat.com> + +CVE: CVE-2023-3255 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + ui/vnc-clipboard.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c +index 8aeadfaa2..c759be343 100644 +--- a/ui/vnc-clipboard.c ++++ b/ui/vnc-clipboard.c +@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + ret = inflate(&stream, Z_FINISH); + switch (ret) { + case Z_OK: +- case Z_STREAM_END: + break; ++ case Z_STREAM_END: ++ *size = stream.total_out; ++ inflateEnd(&stream); ++ return out; + case Z_BUF_ERROR: + out_len <<= 1; + if (out_len > (1 << 20)) { +@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + } + } + +- *size = stream.total_out; +- inflateEnd(&stream); +- +- return out; +- + err_end: + inflateEnd(&stream); + err: +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch new file mode 100644 index 0000000000..977f017ed2 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch @@ -0,0 +1,65 @@ +From a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 Sep 17 00:00:00 2001 +From: Ani Sinha <anisinha@redhat.com> +Date: Wed, 2 Aug 2023 09:25:27 +0000 +Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if + peer nic is present + +When a peer nic is still attached to the vdpa backend, it is too early to free +up the vhost-net and vdpa structures. If these structures are freed here, then +QEMU crashes when the guest is being shut down. The following call chain +would result in an assertion failure since the pointer returned from +vhost_vdpa_get_vhost_net() would be NULL: + +do_vm_stop() -> vm_state_notify() -> virtio_set_status() -> +virtio_net_vhost_status() -> get_vhost_net(). + +Therefore, we defer freeing up the structures until at guest shutdown +time when qemu_cleanup() calls net_cleanup() which then calls +qemu_del_net_client() which would eventually call vhost_vdpa_cleanup() +again to free up the structures. This time, the loop in net_cleanup() +ensures that vhost_vdpa_cleanup() will be called one last time when +all the peer nics are detached and freed. + +All unit tests pass with this change. + +CC: imammedo@redhat.com +CC: jusual@redhat.com +CC: mst@redhat.com +Fixes: CVE-2023-3301 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929 +Signed-off-by: Ani Sinha <anisinha@redhat.com> +Message-Id: <20230619065209.442185-1-anisinha@redhat.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +CVE: CVE-2023-3301 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + net/vhost-vdpa.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c +index 2b4b85d8f..8dbe929c1 100644 +--- a/net/vhost-vdpa.c ++++ b/net/vhost-vdpa.c +@@ -158,6 +158,15 @@ err_init: + static void vhost_vdpa_cleanup(NetClientState *nc) + { + VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc); ++ ++ /* ++ * If a peer NIC is attached, do not cleanup anything. ++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup() ++ * when the guest is shutting down. ++ */ ++ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) { ++ return; ++ } + struct vhost_dev *dev = &s->vhost_net->dev; + + qemu_vfree(s->cvq_cmd_out_buffer); +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..b3958ecbf5 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch @@ -0,0 +1,88 @@ +From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 +From: Daniel P. Berrangé <berrange@redhat.com> +Date: Tue, 12 Sep 2023 06:38:03 +0000 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen <jiangyegen@huawei.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> + +CVE: CVE-2023-3354 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h +index 5672479e9..ccd510ade 100644 +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -48,6 +48,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +diff --git a/io/channel-tls.c b/io/channel-tls.c +index 4ce890a53..17d73f02e 100644 +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -374,6 +376,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/qemu/qemu/qemu-7.0.0-glibc-2.36.patch b/poky/meta/recipes-devtools/qemu/qemu/qemu-7.0.0-glibc-2.36.patch deleted file mode 100644 index abad1cfeeb..0000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/qemu-7.0.0-glibc-2.36.patch +++ /dev/null @@ -1,46 +0,0 @@ -Avoid conflicts between sys/mount.h and linux/mount.h that are seen -with glibc 2.36 - -Source: https://github.com/archlinux/svntogit-packages/blob/packages/qemu/trunk/qemu-7.0.0-glibc-2.36.patch - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -95,7 +95,25 @@ - #include <linux/soundcard.h> - #include <linux/kd.h> - #include <linux/mtio.h> -+ -+#ifdef HAVE_SYS_MOUNT_FSCONFIG -+/* -+ * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h, -+ * which in turn prevents use of linux/fs.h. So we have to -+ * define the constants ourselves for now. -+ */ -+#define FS_IOC_GETFLAGS _IOR('f', 1, long) -+#define FS_IOC_SETFLAGS _IOW('f', 2, long) -+#define FS_IOC_GETVERSION _IOR('v', 1, long) -+#define FS_IOC_SETVERSION _IOW('v', 2, long) -+#define FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap) -+#define FS_IOC32_GETFLAGS _IOR('f', 1, int) -+#define FS_IOC32_SETFLAGS _IOW('f', 2, int) -+#define FS_IOC32_GETVERSION _IOR('v', 1, int) -+#define FS_IOC32_SETVERSION _IOW('v', 2, int) -+#else - #include <linux/fs.h> -+#endif - #include <linux/fd.h> - #if defined(CONFIG_FIEMAP) - #include <linux/fiemap.h> ---- a/meson.build -+++ b/meson.build -@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET', - cc.has_header_symbol('getopt.h', 'optreset')) - config_host_data.set('HAVE_IPPROTO_MPTCP', - cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP')) -+config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG', -+ cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG')) - - # has_member - config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID', diff --git a/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb b/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb index 6da2edddf3..83537d4761 100644 --- a/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb +++ b/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb @@ -134,8 +134,8 @@ do_install:append:class-target() { do_install:append:class-nativesdk() { rm -rf ${D}${SDKPATHNATIVE}/var # Ensure find-debuginfo is located correctly inside SDK - mkdir -p ${D}${SDKPATHNATIVE}/etc/rpm - echo "%__find_debuginfo ${SDKPATHNATIVE}/usr/bin/find-debuginfo" >> ${D}${SDKPATHNATIVE}/etc/rpm/macros + mkdir -p ${D}${libdir}/rpm + echo "%__find_debuginfo ${SDKPATHNATIVE}/usr/bin/find-debuginfo" >> ${D}${libdir}/rpm/macros } do_install:append () { @@ -173,7 +173,6 @@ FILES:${PN}-build = "\ ${libdir}/rpm/macros.p* \ ${libdir}/rpm/fileattrs/* \ " -FILES:${PN}-build:append:class-nativesdk = " ${SDKPATHNATIVE}/etc/rpm/macros" FILES:${PN}-sign = "\ ${bindir}/rpmsign \ diff --git a/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch new file mode 100644 index 0000000000..17c7e30176 --- /dev/null +++ b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch @@ -0,0 +1,56 @@ +From 2ebb50d2dc302917a6f57c1239dc9e700dfe0e34 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 15:53:01 +0800 +Subject: [PATCH] Fix quadratic backtracking on invalid relative URI + +https://hackerone.com/reports/1958260 + +CVE: CVE-2023-36617 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/uri/rfc2396_parser.rb | 4 ++-- + test/uri/test_parser.rb | 12 ++++++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb +index 76a8f99..00c66cf 100644 +--- a/lib/uri/rfc2396_parser.rb ++++ b/lib/uri/rfc2396_parser.rb +@@ -497,8 +497,8 @@ module URI + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 72fb590..721e05e 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -79,4 +79,16 @@ class URI::TestParser < Test::Unit::TestCase + assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com")) + assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]")) + end ++ ++ def test_rfc2822_parse_relative_uri ++ pre = ->(length) { ++ " " * length + "\0" ++ } ++ parser = URI::RFC2396_Parser.new ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ parser.split(uri) ++ end ++ end ++ end + end +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch new file mode 100644 index 0000000000..7c51deaa42 --- /dev/null +++ b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch @@ -0,0 +1,52 @@ +From eea5868120509c245216c4b5c2d4b5db1c593d0e Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 16:16:30 +0800 +Subject: [PATCH] Fix quadratic backtracking on invalid port number + +https://hackerone.com/reports/1958260 + +CVE: CVE-2023-36617 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/uri/rfc3986_parser.rb | 2 +- + test/uri/test_parser.rb | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index dd24a40..9b1663d 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -100,7 +100,7 @@ module URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 721e05e..cee0acb 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -91,4 +91,14 @@ class URI::TestParser < Test::Unit::TestCase + end + end + end ++ ++ def test_rfc3986_port_check ++ pre = ->(length) {"\t" * length + "a"} ++ uri = URI.parse("http://my.example.com") ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port| ++ assert_raise(URI::InvalidComponentError) do ++ uri.port = port ++ end ++ end ++ end + end +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb b/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb index 481fe7c23d..d1359e388c 100644 --- a/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb +++ b/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb @@ -31,6 +31,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ file://0001-fiddle-Use-C11-_Alignof-to-define-ALIGN_OF-when-poss.patch \ + file://CVE-2023-36617_1.patch \ + file://CVE-2023-36617_2.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" diff --git a/poky/meta/recipes-devtools/rust/rust-source.inc b/poky/meta/recipes-devtools/rust/rust-source.inc index b25b5c17e8..0534e59c35 100644 --- a/poky/meta/recipes-devtools/rust/rust-source.inc +++ b/poky/meta/recipes-devtools/rust/rust-source.inc @@ -17,8 +17,3 @@ export TARGET_VENDOR UPSTREAM_CHECK_URI = "https://forge.rust-lang.org/infra/other-installation-methods.html" UPSTREAM_CHECK_REGEX = "rustc-(?P<pver>\d+(\.\d+)+)-src" - -# see recipes-devtools/gcc/gcc/0018-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch -# we need to link with ssp_nonshared on musl to avoid "undefined reference to `__stack_chk_fail_local'" -# when building MACHINE=qemux86 for musl -WRAPPER_TARGET_EXTRALD:libc-musl = "-lssp_nonshared" diff --git a/poky/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch b/poky/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch deleted file mode 100644 index 235e803641..0000000000 --- a/poky/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 597cc206d982e7237eb93fdc33e8c4bb6bb2d796 Mon Sep 17 00:00:00 2001 -From: Robert Yang <liezhi.yang@windriver.com> -Date: Thu, 9 Feb 2017 01:27:49 -0800 -Subject: [PATCH] caps-abbrev.awk: fix gawk's path - -It should be /usr/bin/gawk as other scripts use in this package. - -Upstream-Status: Pending - -Signed-off-by: Robert Yang <liezhi.yang@windriver.com> - ---- - tests-m32/caps-abbrev.awk | 2 +- - tests-mx32/caps-abbrev.awk | 2 +- - tests/caps-abbrev.awk | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests-m32/caps-abbrev.awk b/tests-m32/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests-m32/caps-abbrev.awk -+++ b/tests-m32/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # -diff --git a/tests-mx32/caps-abbrev.awk b/tests-mx32/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests-mx32/caps-abbrev.awk -+++ b/tests-mx32/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # -diff --git a/tests/caps-abbrev.awk b/tests/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests/caps-abbrev.awk -+++ b/tests/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # diff --git a/poky/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch b/poky/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch new file mode 100644 index 0000000000..b4c6ff99de --- /dev/null +++ b/poky/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch @@ -0,0 +1,50 @@ +From 3bbfb541b258baec9eba674b5d8dc30007a61542 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" <ldv@strace.io> +Date: Wed, 21 Jun 2023 08:00:00 +0000 +Subject: [PATCH] net: enhance getsockopt decoding + +When getsockopt syscall fails the kernel sometimes updates the optlen +argument, for example, NETLINK_LIST_MEMBERSHIPS updates it even if +optval is not writable. + +* src/net.c (SYS_FUNC(getsockopt)): Try to fetch and print optlen +argument on exiting syscall regardless of getsockopt exit status. + +Upstream-Status: Backport +--- + src/net.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/net.c b/src/net.c +index f68ccb947..7244b5e57 100644 +--- a/src/net.c ++++ b/src/net.c +@@ -1038,7 +1038,7 @@ SYS_FUNC(getsockopt) + } else { + ulen = get_tcb_priv_ulong(tcp); + +- if (syserror(tcp) || umove(tcp, tcp->u_arg[4], &rlen) < 0) { ++ if (umove(tcp, tcp->u_arg[4], &rlen) < 0) { + /* optval */ + printaddr(tcp->u_arg[3]); + tprint_arg_next(); +@@ -1047,6 +1047,19 @@ SYS_FUNC(getsockopt) + tprint_indirect_begin(); + PRINT_VAL_D(ulen); + tprint_indirect_end(); ++ } else if (syserror(tcp)) { ++ /* optval */ ++ printaddr(tcp->u_arg[3]); ++ tprint_arg_next(); ++ ++ /* optlen */ ++ tprint_indirect_begin(); ++ if (ulen != rlen) { ++ PRINT_VAL_D(ulen); ++ tprint_value_changed(); ++ } ++ PRINT_VAL_D(rlen); ++ tprint_indirect_end(); + } else { + /* optval */ + print_getsockopt(tcp, tcp->u_arg[1], tcp->u_arg[2], diff --git a/poky/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch b/poky/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch new file mode 100644 index 0000000000..a0843836c2 --- /dev/null +++ b/poky/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch @@ -0,0 +1,50 @@ +From f31c2f4494779e5c5f170ad10539bfc2dfafe967 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" <ldv@strace.io> +Date: Sat, 24 Jun 2023 08:00:00 +0000 +Subject: [PATCH] tests: update sockopt-sol_netlink test + +Update sockopt-sol_netlink test that started to fail, likely +due to recent linux kernel commit f4e4534850a9 ("net/netlink: fix +NETLINK_LIST_MEMBERSHIPS length report"). + +* tests/sockopt-sol_netlink.c (main): Always print changing optlen value +on exiting syscall. + +Reported-by: Alexander Gordeev <agordeev@linux.ibm.com> +--- + tests/sockopt-sol_netlink.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +Upstream-Status: Backport + +diff --git a/tests/sockopt-sol_netlink.c b/tests/sockopt-sol_netlink.c +index 82b98adc23..1c33219ac5 100644 +--- a/tests/sockopt-sol_netlink.c ++++ b/tests/sockopt-sol_netlink.c +@@ -94,7 +94,10 @@ main(void) + printf("%p", val); + else + printf("[%d]", *val); +- printf(", [%d]) = %s\n", *len, errstr); ++ printf(", [%d", (int) sizeof(*val)); ++ if ((int) sizeof(*val) != *len) ++ printf(" => %d", *len); ++ printf("]) = %s\n", errstr); + + /* optlen larger than necessary - shortened */ + *len = sizeof(*val) + 1; +@@ -150,8 +153,12 @@ main(void) + /* optval EFAULT - print address */ + *len = sizeof(*val); + get_sockopt(fd, names[i].val, efault, len); +- printf("getsockopt(%d, SOL_NETLINK, %s, %p, [%d]) = %s\n", +- fd, names[i].str, efault, *len, errstr); ++ printf("getsockopt(%d, SOL_NETLINK, %s, %p", ++ fd, names[i].str, efault); ++ printf(", [%d", (int) sizeof(*val)); ++ if ((int) sizeof(*val) != *len) ++ printf(" => %d", *len); ++ printf("]) = %s\n", errstr); + + /* optlen EFAULT - print address */ + get_sockopt(fd, names[i].val, val, len + 1); diff --git a/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch b/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch index 0c683496ae..a16ede95c2 100644 --- a/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch +++ b/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch @@ -125,3 +125,33 @@ index dce78f5..573d9ea 100644 # # Copyright (c) 2014-2015 Dmitry V. Levin <ldv@strace.io> # Copyright (c) 2016 Elvira Khabirova <lineprinter0@gmail.com> +diff --git a/tests-m32/caps-abbrev.awk b/tests-m32/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests-m32/caps-abbrev.awk ++++ b/tests-m32/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # +diff --git a/tests-mx32/caps-abbrev.awk b/tests-mx32/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests-mx32/caps-abbrev.awk ++++ b/tests-mx32/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # +diff --git a/tests/caps-abbrev.awk b/tests/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests/caps-abbrev.awk ++++ b/tests/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # diff --git a/poky/meta/recipes-devtools/strace/strace_6.2.bb b/poky/meta/recipes-devtools/strace/strace_6.2.bb index dc01b57d80..e7a34bbf66 100644 --- a/poky/meta/recipes-devtools/strace/strace_6.2.bb +++ b/poky/meta/recipes-devtools/strace/strace_6.2.bb @@ -9,12 +9,13 @@ SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \ file://update-gawk-paths.patch \ file://Makefile-ptest.patch \ file://run-ptest \ - file://0001-caps-abbrev.awk-fix-gawk-s-path.patch \ file://ptest-spacesave.patch \ file://0001-strace-fix-reproducibilty-issues.patch \ file://skip-load.patch \ file://0001-configure-Use-autoconf-macro-to-detect-largefile-sup.patch \ file://0002-tests-Replace-off64_t-with-off_t.patch \ + file://f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch \ + file://3bbfb541b258baec9eba674b5d8dc30007a61542.patch \ " SRC_URI[sha256sum] = "0c7d38a449416268d3004029a220a15a77c2206a03cc88120f37f46e949177e8" diff --git a/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb b/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb index 9e77f12b53..7d151d4642 100644 --- a/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb +++ b/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb @@ -6,8 +6,8 @@ BUGTRACKER = "https://bugs.eclipse.org/bugs/" LICENSE = "EPL-1.0 | EDL-1.0" LIC_FILES_CHKSUM = "file://edl-v10.html;md5=522a390a83dc186513f0500543ad3679" -SRCREV = "4a2c4baaccbc8c29ce0297705de9a4e096d57ce5" -PV = "1.7.0+git${SRCPV}" +SRCREV = "1f11747e83ebf4f53e8d17f430136f92ec378709" +PV = "1.8.0+git${SRCPV}" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))" SRC_URI = "git://git.eclipse.org/r/tcf/org.eclipse.tcf.agent.git;protocol=https;branch=master \ diff --git a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb index 982f370edb..921ea7a01d 100644 --- a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb +++ b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb @@ -45,6 +45,12 @@ inherit autotools ptest binconfig AUTOTOOLS_SCRIPT_PATH = "${S}/unix" EXTRA_OECONF = "--enable-threads --disable-rpath --enable-man-suffix" +# Prevent installing copy of tzdata based on tzdata installation on the build host +# It doesn't install tzdata if one of the following files exist on the host: +# /usr/share/zoneinfo/UTC /usr/share/zoneinfo/GMT /usr/share/lib/zoneinfo/UTC /usr/share/lib/zoneinfo/GMT /usr/lib/zoneinfo/UTC /usr/lib/zoneinfo/GMT +# otherwise "/usr/lib/tcl8.6/tzdata" is included in tcl package +EXTRA_OECONF += "--with-tzdata=no" + do_install() { autotools_do_install oe_runmake 'DESTDIR=${D}' install-private-headers diff --git a/poky/meta/recipes-extended/acpica/acpica_20220331.bb b/poky/meta/recipes-extended/acpica/acpica_20220331.bb index 2c554f863a..73b9154ee7 100644 --- a/poky/meta/recipes-extended/acpica/acpica_20220331.bb +++ b/poky/meta/recipes-extended/acpica/acpica_20220331.bb @@ -16,7 +16,7 @@ COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" DEPENDS = "m4-native flex-native bison-native" -SRC_URI = "https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz" +SRC_URI = "https://downloadmirror.intel.com/774879/acpica-unix-${PV}.tar.gz" SRC_URI[sha256sum] = "acaff68b14f1e0804ebbfc4b97268a4ccbefcfa053b02ed9924f2b14d8a98e21" UPSTREAM_CHECK_URI = "https://acpica.org/downloads" diff --git a/poky/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb b/poky/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb index 82b2901d51..c5d3e04ed5 100644 --- a/poky/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb +++ b/poky/meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb @@ -4,10 +4,10 @@ DESCRIPTION = "These are introductory examples to showcase the use of QEMU to ru LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=39346640a23c701e4f459e05f56f4449" -SRCREV = "22016ecbb9fb6c5f3a7a06698aea7ff8a701c166" +SRCREV = "fc7c43d138185028b6ac14c83f6492fce26eca95" PV = "0.1+git${SRCPV}" -SRC_URI = "git://github.com/aehs29/baremetal-helloqemu.git;protocol=https;branch=master" +SRC_URI = "git://github.com/ahcbb6/baremetal-helloqemu.git;protocol=https;branch=master" UPSTREAM_VERSION_UNKNOWN="1" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-extended/cups/cups.inc b/poky/meta/recipes-extended/cups/cups.inc index da320b1085..c6a676b747 100644 --- a/poky/meta/recipes-extended/cups/cups.inc +++ b/poky/meta/recipes-extended/cups/cups.inc @@ -15,6 +15,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://0004-cups-fix-multilib-install-file-conflicts.patch \ file://volatiles.99_cups \ file://cups-volatiles.conf \ + file://CVE-2023-32324.patch \ + file://CVE-2023-34241.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch new file mode 100644 index 0000000000..40b89c9899 --- /dev/null +++ b/poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch @@ -0,0 +1,36 @@ +From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <zdohnal@redhat.com> +Date: Thu, 1 Jun 2023 12:04:00 +0200 +Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324) + +CVE: CVE-2023-32324 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589] + +(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e) +Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> +--- + cups/string.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/cups/string.c b/cups/string.c +index 93cdad19..6ef58515 100644 +--- a/cups/string.c ++++ b/cups/string.c +@@ -1,6 +1,7 @@ + /* + * String functions for CUPS. + * ++ * Copyright © 2023 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products. + * +@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */ + size_t srclen; /* Length of source string */ + + ++ if (size == 0) ++ return (0); ++ + /* + * Figure out how much room is needed... + */ diff --git a/poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch new file mode 100644 index 0000000000..4950ca341d --- /dev/null +++ b/poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch @@ -0,0 +1,70 @@ +From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001 +From: Rose <83477269+AtariDreams@users.noreply.github.com> +Date: Thu, 1 Jun 2023 11:33:39 -0400 +Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection + +httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to. + +We have to log the hostname first. + +CVE: CVE-2023-34241 + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + scheduler/client.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index 91e441188..327473a4d 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + /* + * Can't have an unresolved IP address with double-lookups enabled... + */ +- +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "Name lookup failed - connection from %s closed!", ++ "Name lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); + ++ httpClose(con->http); + free(con); + return; + } +@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + * with double-lookups enabled... + */ + +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "IP lookup failed - connection from %s closed!", ++ "IP lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + + if (!hosts_access(&wrap_req)) + { +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, + "Connection from %s refused by /etc/hosts.allow and " + "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch b/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch index 8b88c308f2..32793233f9 100644 --- a/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch +++ b/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch @@ -1,4 +1,4 @@ -From 027229d25392b22d7280c0abbc3efde4f467d167 Mon Sep 17 00:00:00 2001 +From f31395c931bc633206eccfcfaaaa5d15021a3e86 Mon Sep 17 00:00:00 2001 From: Peiran Hong <peiran.hong@windriver.com> Date: Thu, 5 Sep 2019 15:42:22 -0400 Subject: [PATCH] Skip strip-trailing-cr test case @@ -12,23 +12,18 @@ Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Peiran Hong <peiran.hong@windriver.com> --- - tests/Makefile.am | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) + tests/Makefile.am | 1 - + 1 file changed, 1 deletion(-) diff --git a/tests/Makefile.am b/tests/Makefile.am -index d98df82..757ea52 100644 +index 79bacfb..4adb4d7 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am -@@ -21,9 +21,11 @@ TESTS = \ +@@ -22,7 +22,6 @@ TESTS = \ stdin \ strcoll-0-names \ filename-quoting \ - strip-trailing-cr \ timezone \ - colors -+# Skipping this test since it requires valgrind -+# and thus is too heavy for diffutils package -+# strip-trailing-cr - - XFAIL_TESTS = large-subopt - + colors \ + y2038-vs-32bit diff --git a/poky/meta/recipes-extended/diffutils/diffutils_3.9.bb b/poky/meta/recipes-extended/diffutils/diffutils_3.10.bb index 2bb9e6f32d..08e8305612 100644 --- a/poky/meta/recipes-extended/diffutils/diffutils_3.9.bb +++ b/poky/meta/recipes-extended/diffutils/diffutils_3.10.bb @@ -8,7 +8,7 @@ SRC_URI = "${GNU_MIRROR}/diffutils/diffutils-${PV}.tar.xz \ file://0001-Skip-strip-trailing-cr-test-case.patch \ " -SRC_URI[sha256sum] = "d80d3be90a201868de83d78dad3413ad88160cc53bcc36eb9eaf7c20dbf023f1" +SRC_URI[sha256sum] = "90e5e93cc724e4ebe12ede80df1634063c7a855692685919bfe60b556c9bd09e" EXTRA_OECONF += "ac_cv_path_PR_PROGRAM=${bindir}/pr --without-libsigsegv-prefix" diff --git a/poky/meta/recipes-extended/gawk/gawk_5.2.1.bb b/poky/meta/recipes-extended/gawk/gawk_5.2.2.bb index 768c8eb364..3c18b6911a 100644 --- a/poky/meta/recipes-extended/gawk/gawk_5.2.1.bb +++ b/poky/meta/recipes-extended/gawk/gawk_5.2.2.bb @@ -19,7 +19,7 @@ SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \ file://run-ptest \ " -SRC_URI[sha256sum] = "529e7c8c6acf21ff3a6183f4d763c632810908989c24675c77995d51ac37b79c" +SRC_URI[sha256sum] = "945aef7ccff101f20b22a10802bc005e994ab2b8ea3e724cc1a197c62f41f650" inherit autotools gettext texinfo update-alternatives diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch new file mode 100644 index 0000000000..4ef71cba7b --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch @@ -0,0 +1,31 @@ +CVE: CVE-2023-38559 +Upstream-Status: Backport [ https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=d81b82c70bc1 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Mon, 17 Jul 2023 14:06:37 +0100 +Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from + devices/gdevpcx.c + +Bounds check the buffer, before dereferencing the pointer. +--- + base/gdevdevn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gdevdevn.c b/base/gdevdevn.c +index 7b14d9c71..6351fb77a 100644 +--- a/base/gdevdevn.c ++++ b/base/gdevdevn.c +@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch new file mode 100644 index 0000000000..fea0665523 --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch @@ -0,0 +1,165 @@ +From 6f244ecef4a740b3b2dde15303b13a93a83706c1 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 7 Jun 2023 10:23:06 +0100 +Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission + validation + +For regular file names, we try to simplfy relative paths before we use them. + +Because the %pipe% device can, effectively, accept command line calls, we +shouldn't be simplifying that string, because the command line syntax can end +up confusing the path simplifying code. That can result in permitting a pipe +command which does not match what was originally permitted. + +Special case "%pipe" in the validation code so we always deal with the entire +string. + +Bug 706778: 706761 revisit + +Two problems with the original commit. The first a silly typo inverting the +logic of a test. + +The second was forgetting that we actually actually validate two candidate +strings for pipe devices. One with the expected "%pipe%" prefix, the other +using the pipe character prefix: "|". + +This addresses both those. +--- +CVE: CVE-2023-36664 + +Upstream-Status: Backport [see text] + +From git://git.ghostscript.com/ghostpdl + commit 5e65eeae225c7d02d447de5abaf4a8e6d234fcea + commit fb342fdb60391073a69147cb71af1ac416a81099 + +The second commit fixes errors in the first one, so we combine them. + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + base/gpmisc.c | 31 +++++++++++++++++++-------- + base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++------------- + 2 files changed, 64 insertions(+), 23 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 3d878ac..f9a9230 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem, + && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { + prefix_len = 0; + } +- rlen = len+1; +- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); +- if (bufferfull == NULL) +- return gs_error_VMerror; +- +- buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; + ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; ++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); ++ if (bufferfull == NULL) ++ return gs_error_VMerror; ++ ++ buffer = bufferfull + prefix_len; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + while (1) { + switch (mode[0]) + { +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 1862482..8bfe4bb 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len + 1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) +@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) { +-- +2.35.5 + diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 86ecdbe24a..9e2cd01ff4 100644 --- a/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ b/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb @@ -35,6 +35,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://mkdir-p.patch \ file://cross-compile.patch \ file://cve-2023-28879.patch \ + file://cve-2023-36664.patch \ + file://CVE-2023-38559.patch \ " SRC_URI = "${SRC_URI_BASE} \ diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index aafede3da8..6e0bc426f5 100644 --- a/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -33,6 +33,9 @@ UPSTREAM_CHECK_URI = "http://libarchive.org/" SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3" +# upstream-wontfix: upstream has documented that reported function is not thread-safe +CVE_CHECK_IGNORE += "CVE-2023-30571" + inherit autotools update-alternatives pkgconfig CPPFLAGS += "-I${WORKDIR}/extra-includes" diff --git a/poky/meta/recipes-extended/libnss-nis/libnss-nis.bb b/poky/meta/recipes-extended/libnss-nis/libnss-nis.bb index d0afb3ca0a..f0e687c330 100644 --- a/poky/meta/recipes-extended/libnss-nis/libnss-nis.bb +++ b/poky/meta/recipes-extended/libnss-nis/libnss-nis.bb @@ -13,9 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SECTION = "libs" DEPENDS += "libtirpc libnsl2" -PV = "3.1+git${SRCPV}" +PV = "3.2" -SRCREV = "062f31999b35393abf7595cb89dfc9590d5a42ad" +SRCREV = "cd0d391af9535b56e612ed227c1b89be269f3d59" SRC_URI = "git://github.com/thkukuk/libnss_nis;branch=master;protocol=https \ " diff --git a/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb index 4e4ea10628..44d86a8f8d 100644 --- a/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb +++ b/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb @@ -64,7 +64,6 @@ do_install(){ install -p -m 644 ${S}/examples/logrotate.conf ${D}${sysconfdir}/logrotate.conf install -p -m 644 ${S}/examples/btmp ${D}${sysconfdir}/logrotate.d/btmp install -p -m 644 ${S}/examples/wtmp ${D}${sysconfdir}/logrotate.d/wtmp - touch ${D}${localstatedir}/lib/logrotate.status if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${systemd_system_unitdir} diff --git a/poky/meta/recipes-extended/ltp/ltp_20230127.bb b/poky/meta/recipes-extended/ltp/ltp_20230127.bb index 4325aa6672..79c64ca579 100644 --- a/poky/meta/recipes-extended/ltp/ltp_20230127.bb +++ b/poky/meta/recipes-extended/ltp/ltp_20230127.bb @@ -92,6 +92,7 @@ RDEPENDS:${PN} = "\ e2fsprogs-mke2fs \ expect \ file \ + findutils \ gawk \ gdb \ gzip \ @@ -110,6 +111,8 @@ RDEPENDS:${PN} = "\ tar \ " +RRECOMMENDS:${PN} += "kernel-module-loop" + FILES:${PN} += "${prefix}/* ${prefix}/runtest/* ${prefix}/scenario_groups/* ${prefix}/testcases/bin/* ${prefix}/testcases/bin/*/bin/* ${prefix}/testscripts/* ${prefix}/testcases/open_posix_testsuite/* ${prefix}/testcases/open_posix_testsuite/conformance/* ${prefix}/testcases/open_posix_testsuite/Documentation/* ${prefix}/testcases/open_posix_testsuite/functional/* ${prefix}/testcases/open_posix_testsuite/include/* ${prefix}/testcases/open_posix_testsuite/scripts/* ${prefix}/testcases/open_posix_testsuite/stress/* ${prefix}/testcases/open_posix_testsuite/tools/* ${prefix}/testcases/data/nm01/lib.a ${prefix}/lib/libmem.a" # Avoid stripping some generated binaries otherwise some of the ltp tests such as ldd01 & nm01 fail diff --git a/poky/meta/recipes-extended/mdadm/files/0001-DDF-Cleanup-validate_geometry_ddf_container.patch b/poky/meta/recipes-extended/mdadm/files/0001-DDF-Cleanup-validate_geometry_ddf_container.patch new file mode 100644 index 0000000000..cea435f83b --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-DDF-Cleanup-validate_geometry_ddf_container.patch @@ -0,0 +1,148 @@ +From ca458f4dcc4de9403298f67543466ce4bbc8f8ae Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 22 Jun 2022 14:25:07 -0600 +Subject: [PATCH 1/4] DDF: Cleanup validate_geometry_ddf_container() + +Move the function up so that the function declaration is not necessary +and remove the unused arguments to the function. + +No functional changes are intended but will help with a bug fix in the +next patch. + +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=679bd9508a30 + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + super-ddf.c | 88 ++++++++++++++++++++++++----------------------------- + 1 file changed, 39 insertions(+), 49 deletions(-) + +diff --git a/super-ddf.c b/super-ddf.c +index 3f304cd..65cf727 100644 +--- a/super-ddf.c ++++ b/super-ddf.c +@@ -503,13 +503,6 @@ struct ddf_super { + static int load_super_ddf_all(struct supertype *st, int fd, + void **sbp, char *devname); + static int get_svd_state(const struct ddf_super *, const struct vcl *); +-static int +-validate_geometry_ddf_container(struct supertype *st, +- int level, int layout, int raiddisks, +- int chunk, unsigned long long size, +- unsigned long long data_offset, +- char *dev, unsigned long long *freesize, +- int verbose); + + static int validate_geometry_ddf_bvd(struct supertype *st, + int level, int layout, int raiddisks, +@@ -3322,6 +3315,42 @@ static int reserve_space(struct supertype *st, int raiddisks, + return 1; + } + ++static int ++validate_geometry_ddf_container(struct supertype *st, ++ int level, int raiddisks, ++ unsigned long long data_offset, ++ char *dev, unsigned long long *freesize, ++ int verbose) ++{ ++ int fd; ++ unsigned long long ldsize; ++ ++ if (level != LEVEL_CONTAINER) ++ return 0; ++ if (!dev) ++ return 1; ++ ++ fd = dev_open(dev, O_RDONLY|O_EXCL); ++ if (fd < 0) { ++ if (verbose) ++ pr_err("ddf: Cannot open %s: %s\n", ++ dev, strerror(errno)); ++ return 0; ++ } ++ if (!get_dev_size(fd, dev, &ldsize)) { ++ close(fd); ++ return 0; ++ } ++ close(fd); ++ if (freesize) { ++ *freesize = avail_size_ddf(st, ldsize >> 9, INVALID_SECTORS); ++ if (*freesize == 0) ++ return 0; ++ } ++ ++ return 1; ++} ++ + static int validate_geometry_ddf(struct supertype *st, + int level, int layout, int raiddisks, + int *chunk, unsigned long long size, +@@ -3347,11 +3376,9 @@ static int validate_geometry_ddf(struct supertype *st, + level = LEVEL_CONTAINER; + if (level == LEVEL_CONTAINER) { + /* Must be a fresh device to add to a container */ +- return validate_geometry_ddf_container(st, level, layout, +- raiddisks, *chunk, +- size, data_offset, dev, +- freesize, +- verbose); ++ return validate_geometry_ddf_container(st, level, raiddisks, ++ data_offset, dev, ++ freesize, verbose); + } + + if (!dev) { +@@ -3449,43 +3476,6 @@ static int validate_geometry_ddf(struct supertype *st, + return 1; + } + +-static int +-validate_geometry_ddf_container(struct supertype *st, +- int level, int layout, int raiddisks, +- int chunk, unsigned long long size, +- unsigned long long data_offset, +- char *dev, unsigned long long *freesize, +- int verbose) +-{ +- int fd; +- unsigned long long ldsize; +- +- if (level != LEVEL_CONTAINER) +- return 0; +- if (!dev) +- return 1; +- +- fd = dev_open(dev, O_RDONLY|O_EXCL); +- if (fd < 0) { +- if (verbose) +- pr_err("ddf: Cannot open %s: %s\n", +- dev, strerror(errno)); +- return 0; +- } +- if (!get_dev_size(fd, dev, &ldsize)) { +- close(fd); +- return 0; +- } +- close(fd); +- if (freesize) { +- *freesize = avail_size_ddf(st, ldsize >> 9, INVALID_SECTORS); +- if (*freesize == 0) +- return 0; +- } +- +- return 1; +-} +- + static int validate_geometry_ddf_bvd(struct supertype *st, + int level, int layout, int raiddisks, + int *chunk, unsigned long long size, +-- +2.39.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0001-tests-add-.broken-files-for-04update-uuid-and-07reve.patch b/poky/meta/recipes-extended/mdadm/files/0001-tests-add-.broken-files-for-04update-uuid-and-07reve.patch new file mode 100644 index 0000000000..5a6bf9e4bd --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-tests-add-.broken-files-for-04update-uuid-and-07reve.patch @@ -0,0 +1,39 @@ +From ee594b1a12833c06102de888248a361bc49cea09 Mon Sep 17 00:00:00 2001 +From: Ovidiu Panait <ovidiu.panait@windriver.com> +Date: Fri, 18 Aug 2023 12:20:40 +0300 +Subject: [PATCH] tests: add .broken files for 04update-uuid and + 07revert-inplace + +04update-uuid and 07revert-inplace tests are unreliable and fail intermittently +on the autobuilder. Unfortunately, the failures cannot be reproduced locally +and the logs cannot be retrieved from the AB. + +Mark the testcases as BROKEN to skip them when running ptest. + +Upstream-Status: Inappropriate + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + tests/04update-uuid.broken | 1 + + tests/07revert-inplace.broken | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 tests/04update-uuid.broken + create mode 100644 tests/07revert-inplace.broken + +diff --git a/tests/04update-uuid.broken b/tests/04update-uuid.broken +new file mode 100644 +index 0000000..197b35b +--- /dev/null ++++ b/tests/04update-uuid.broken +@@ -0,0 +1 @@ ++fails infrequently +diff --git a/tests/07revert-inplace.broken b/tests/07revert-inplace.broken +new file mode 100644 +index 0000000..197b35b +--- /dev/null ++++ b/tests/07revert-inplace.broken +@@ -0,0 +1 @@ ++fails infrequently +-- +2.39.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0002-DDF-Fix-NULL-pointer-dereference-in-validate_geometr.patch b/poky/meta/recipes-extended/mdadm/files/0002-DDF-Fix-NULL-pointer-dereference-in-validate_geometr.patch new file mode 100644 index 0000000000..fafe88b49c --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0002-DDF-Fix-NULL-pointer-dereference-in-validate_geometr.patch @@ -0,0 +1,56 @@ +From 14f110f0286d38e29ef5e51d7f72e049c2f18323 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 22 Jun 2022 14:25:08 -0600 +Subject: [PATCH 2/4] DDF: Fix NULL pointer dereference in + validate_geometry_ddf() + +A relatively recent patch added a call to validate_geometry() in +Manage_add() that has level=LEVEL_CONTAINER and chunk=NULL. + +This causes some ddf tests to segfault which aborts the test suite. + +To fix this, avoid dereferencing chunk when the level is +LEVEL_CONTAINER or LEVEL_NONE. + +Fixes: 1f5d54a06df0 ("Manage: Call validate_geometry when adding drive to external container") +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=2b93288a5650 + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + super-ddf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/super-ddf.c b/super-ddf.c +index 65cf727..3ef1293 100644 +--- a/super-ddf.c ++++ b/super-ddf.c +@@ -3369,9 +3369,6 @@ static int validate_geometry_ddf(struct supertype *st, + * If given BVDs, we make an SVD, changing all the GUIDs in the process. + */ + +- if (*chunk == UnSet) +- *chunk = DEFAULT_CHUNK; +- + if (level == LEVEL_NONE) + level = LEVEL_CONTAINER; + if (level == LEVEL_CONTAINER) { +@@ -3381,6 +3378,9 @@ static int validate_geometry_ddf(struct supertype *st, + freesize, verbose); + } + ++ if (*chunk == UnSet) ++ *chunk = DEFAULT_CHUNK; ++ + if (!dev) { + mdu_array_info_t array = { + .level = level, +-- +2.39.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0003-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch b/poky/meta/recipes-extended/mdadm/files/0003-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch new file mode 100644 index 0000000000..a954ab027a --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0003-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch @@ -0,0 +1,91 @@ +From bd064da1469a6a07331b076a0294a8c6c3c38526 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 22 Jun 2022 14:25:09 -0600 +Subject: [PATCH 3/4] mdadm/Grow: Fix use after close bug by closing after fork + +The test 07reshape-grow fails most of the time. But it succeeds around +1 in 5 times. When it does succeed, it causes the tests to die because +mdadm has segfaulted. + +The segfault was caused by mdadm attempting to repoen a file +descriptor that was already closed. The backtrace of the segfault +was: + + #0 __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101 + #1 0x000056146e31d44b in devnm2devid (devnm=0x0) at util.c:956 + #2 0x000056146e31dab4 in open_dev_flags (devnm=0x0, flags=0) + at util.c:1072 + #3 0x000056146e31db22 in open_dev (devnm=0x0) at util.c:1079 + #4 0x000056146e3202e8 in reopen_mddev (mdfd=4) at util.c:2244 + #5 0x000056146e329f36 in start_array (mdfd=4, + mddev=0x7ffc55342450 "/dev/md0", content=0x7ffc55342860, + st=0x56146fc78660, ident=0x7ffc55342f70, best=0x56146fc6f5d0, + bestcnt=10, chosen_drive=0, devices=0x56146fc706b0, okcnt=5, + sparecnt=0, rebuilding_cnt=0, journalcnt=0, c=0x7ffc55342e90, + clean=1, avail=0x56146fc78720 "\001\001\001\001\001", + start_partial_ok=0, err_ok=0, was_forced=0) + at Assemble.c:1206 + #6 0x000056146e32c36e in Assemble (st=0x56146fc78660, + mddev=0x7ffc55342450 "/dev/md0", ident=0x7ffc55342f70, + devlist=0x56146fc6e2d0, c=0x7ffc55342e90) + at Assemble.c:1914 + #7 0x000056146e312ac9 in main (argc=11, argv=0x7ffc55343238) + at mdadm.c:1510 + +The file descriptor was closed early in Grow_continue(). The noted commit +moved the close() call to close the fd above the fork which caused the +parent process to return with a closed fd. + +This meant reshape_array() and Grow_continue() would return in the parent +with the fd forked. The fd would eventually be passed to reopen_mddev() +which returned an unhandled NULL from fd2devnm() which would then be +dereferenced in devnm2devid. + +Fix this by moving the close() call below the fork. This appears to +fix the 07revert-grow test. While we're at it, switch to using +close_fd() to invalidate the file descriptor. + +Fixes: 77b72fa82813 ("mdadm/Grow: prevent md's fd from being occupied during delayed time") +Cc: Alex Wu <alexwu@synology.com> +Cc: BingJing Chang <bingjingc@synology.com> +Cc: Danny Shih <dannyshih@synology.com> +Cc: ChangSyun Peng <allenpeng@synology.com> +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=548e9b916f86 + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + Grow.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Grow.c b/Grow.c +index 9c6fc95..a8e4e83 100644 +--- a/Grow.c ++++ b/Grow.c +@@ -3501,7 +3501,6 @@ started: + return 0; + } + +- close(fd); + /* Now we just need to kick off the reshape and watch, while + * handling backups of the data... + * This is all done by a forked background process. +@@ -3522,6 +3521,9 @@ started: + break; + } + ++ /* Close unused file descriptor in the forked process */ ++ close_fd(&fd); ++ + /* If another array on the same devices is busy, the + * reshape will wait for them. This would mean that + * the first section that we suspend will stay suspended +-- +2.39.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0004-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch b/poky/meta/recipes-extended/mdadm/files/0004-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch new file mode 100644 index 0000000000..72cb40f782 --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0004-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch @@ -0,0 +1,42 @@ +From 2296a4a441b4b8546e2eb32403930f1bb8f3ee4a Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 22 Jun 2022 14:25:10 -0600 +Subject: [PATCH 4/4] monitor: Avoid segfault when calling NULL get_bad_blocks + +Not all struct superswitch implement a get_bad_blocks() function, +yet mdmon seems to call it without checking for NULL and thus +occasionally segfaults in the test 10ddf-geometry. + +Fix this by checking for NULL before calling it. + +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=9ae62977b51d + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + monitor.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/monitor.c b/monitor.c +index afc3e50..8e43c0d 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -312,6 +312,9 @@ static int check_for_cleared_bb(struct active_array *a, struct mdinfo *mdi) + struct md_bb *bb; + int i; + ++ if (!ss->get_bad_blocks) ++ return -1; ++ + /* + * Get a list of bad blocks for an array, then read list of + * acknowledged bad blocks from kernel and compare it against metadata +-- +2.39.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0005-mdadm-test-Mark-and-ignore-broken-test-failures.patch b/poky/meta/recipes-extended/mdadm/files/0005-mdadm-test-Mark-and-ignore-broken-test-failures.patch new file mode 100644 index 0000000000..c55bfb125b --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0005-mdadm-test-Mark-and-ignore-broken-test-failures.patch @@ -0,0 +1,128 @@ +From feab1f72fcf032a4d21d0a69eb61b23a5ddb3352 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 22 Jun 2022 14:25:18 -0600 +Subject: [PATCH 5/6] mdadm/test: Mark and ignore broken test failures + +Add functionality to continue if a test marked as broken fails. + +To mark a test as broken, a file with the same name but with the suffix +'.broken' should exist. The first line in the file will be printed with +a KNOWN BROKEN message; the rest of the file can describe the how the +test is broken. + +Also adds --skip-broken and --skip-always-broken to skip all the tests +that have a .broken file or to skip all tests whose .broken file's first +line contains the keyword always. + +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=28520bf114b3 + +[OP: adjusted context for mdadm-4.2] +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + test | 37 +++++++++++++++++++++++++++++++++++-- + 1 file changed, 35 insertions(+), 2 deletions(-) + +diff --git a/test b/test +index 8f189d9..ee8fba1 100755 +--- a/test ++++ b/test +@@ -10,6 +10,8 @@ devlist= + + savelogs=0 + exitonerror=1 ++ctrl_c_error=0 ++skipbroken=0 + prefix='[0-9][0-9]' + + # use loop devices by default if doesn't specify --dev +@@ -35,6 +37,7 @@ die() { + + ctrl_c() { + exitonerror=1 ++ ctrl_c_error=1 + } + + # mdadm always adds --quiet, and we want to see any unexpected messages +@@ -79,8 +82,21 @@ mdadm() { + do_test() { + _script=$1 + _basename=`basename $_script` ++ _broken=0 ++ + if [ -f "$_script" ] + then ++ if [ -f "${_script}.broken" ]; then ++ _broken=1 ++ _broken_msg=$(head -n1 "${_script}.broken" | tr -d '\n') ++ if [ "$skipbroken" == "all" ]; then ++ return ++ elif [ "$skipbroken" == "always" ] && ++ [[ "$_broken_msg" == *always* ]]; then ++ return ++ fi ++ fi ++ + rm -f $targetdir/stderr + # this might have been reset: restore the default. + echo 2000 > /proc/sys/dev/raid/speed_limit_max +@@ -97,10 +113,15 @@ do_test() { + else + save_log fail + _fail=1 ++ if [ "$_broken" == "1" ]; then ++ echo " (KNOWN BROKEN TEST: $_broken_msg)" ++ fi + fi + [ "$savelogs" == "1" ] && + mv -f $targetdir/log $logdir/$_basename.log +- [ "$_fail" == "1" -a "$exitonerror" == "1" ] && exit 1 ++ [ "$ctrl_c_error" == "1" ] && exit 1 ++ [ "$_fail" == "1" -a "$exitonerror" == "1" \ ++ -a "$_broken" == "0" ] && exit 1 + fi + } + +@@ -117,6 +138,8 @@ do_help() { + --logdir=directory Directory to save all logfiles in + --save-logs Usually use with --logdir together + --keep-going | --no-error Don't stop on error, ie. run all tests ++ --skip-broken Skip tests that are known to be broken ++ --skip-always-broken Skip tests that are known to always fail + --dev=loop|lvm|ram|disk Use loop devices (default), LVM, RAM or disk + --disks= Provide a bunch of physical devices for test + --volgroup=name LVM volume group for LVM test +@@ -211,6 +234,12 @@ parse_args() { + --keep-going | --no-error ) + exitonerror=0 + ;; ++ --skip-broken ) ++ skipbroken=all ++ ;; ++ --skip-always-broken ) ++ skipbroken=always ++ ;; + --disable-multipath ) + unset MULTIPATH + ;; +@@ -275,7 +304,11 @@ main() { + if [ $script == "$testdir/11spare-migration" ];then + continue + fi +- do_test $script ++ case $script in ++ *.broken) ;; ++ *) ++ do_test $script ++ esac + done + fi + +-- +2.39.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0006-tests-Add-broken-files-for-all-broken-tests.patch b/poky/meta/recipes-extended/mdadm/files/0006-tests-Add-broken-files-for-all-broken-tests.patch new file mode 100644 index 0000000000..115b23bac5 --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0006-tests-Add-broken-files-for-all-broken-tests.patch @@ -0,0 +1,454 @@ +From fd1c26ba129b069d9f73afaefdbe53683de3814a Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 22 Jun 2022 14:25:19 -0600 +Subject: [PATCH 6/6] tests: Add broken files for all broken tests + +Each broken file contains the rough frequency of brokeness as well +as a brief explanation of what happens when it breaks. Estimates +of failure rates are not statistically significant and can vary +run to run. + +This is really just a view from my window. Tests were done on a +small VM with the default loop devices, not real hardware. We've +seen different kernel configurations can cause bugs to appear as well +(ie. different block schedulers). It may also be that different race +conditions will be seen on machines with different performance +characteristics. + +These annotations were done with the kernel currently in md/md-next: + + facef3b96c5b ("md: Notify sysfs sync_completed in md_reap_sync_thread()") + +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=daa86d663476 + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + tests/01r5integ.broken | 7 ++++ + tests/01raid6integ.broken | 7 ++++ + tests/04r5swap.broken | 7 ++++ + tests/07autoassemble.broken | 8 ++++ + tests/07autodetect.broken | 5 +++ + tests/07changelevelintr.broken | 9 +++++ + tests/07changelevels.broken | 9 +++++ + tests/07reshape5intr.broken | 45 ++++++++++++++++++++++ + tests/07revert-grow.broken | 31 +++++++++++++++ + tests/07revert-shrink.broken | 9 +++++ + tests/07testreshape5.broken | 12 ++++++ + tests/09imsm-assemble.broken | 6 +++ + tests/09imsm-create-fail-rebuild.broken | 5 +++ + tests/09imsm-overlap.broken | 7 ++++ + tests/10ddf-assemble-missing.broken | 6 +++ + tests/10ddf-fail-create-race.broken | 7 ++++ + tests/10ddf-fail-two-spares.broken | 5 +++ + tests/10ddf-incremental-wrong-order.broken | 9 +++++ + tests/14imsm-r1_2d-grow-r1_3d.broken | 5 +++ + tests/14imsm-r1_2d-takeover-r0_2d.broken | 6 +++ + tests/18imsm-r10_4d-takeover-r0_2d.broken | 5 +++ + tests/18imsm-r1_2d-takeover-r0_1d.broken | 6 +++ + tests/19raid6auto-repair.broken | 5 +++ + tests/19raid6repair.broken | 5 +++ + 24 files changed, 226 insertions(+) + create mode 100644 tests/01r5integ.broken + create mode 100644 tests/01raid6integ.broken + create mode 100644 tests/04r5swap.broken + create mode 100644 tests/07autoassemble.broken + create mode 100644 tests/07autodetect.broken + create mode 100644 tests/07changelevelintr.broken + create mode 100644 tests/07changelevels.broken + create mode 100644 tests/07reshape5intr.broken + create mode 100644 tests/07revert-grow.broken + create mode 100644 tests/07revert-shrink.broken + create mode 100644 tests/07testreshape5.broken + create mode 100644 tests/09imsm-assemble.broken + create mode 100644 tests/09imsm-create-fail-rebuild.broken + create mode 100644 tests/09imsm-overlap.broken + create mode 100644 tests/10ddf-assemble-missing.broken + create mode 100644 tests/10ddf-fail-create-race.broken + create mode 100644 tests/10ddf-fail-two-spares.broken + create mode 100644 tests/10ddf-incremental-wrong-order.broken + create mode 100644 tests/14imsm-r1_2d-grow-r1_3d.broken + create mode 100644 tests/14imsm-r1_2d-takeover-r0_2d.broken + create mode 100644 tests/18imsm-r10_4d-takeover-r0_2d.broken + create mode 100644 tests/18imsm-r1_2d-takeover-r0_1d.broken + create mode 100644 tests/19raid6auto-repair.broken + create mode 100644 tests/19raid6repair.broken + +diff --git a/tests/01r5integ.broken b/tests/01r5integ.broken +new file mode 100644 +index 0000000..2073763 +--- /dev/null ++++ b/tests/01r5integ.broken +@@ -0,0 +1,7 @@ ++fails rarely ++ ++Fails about 1 in every 30 runs with a sha mismatch error: ++ ++ c49ab26e1b01def7874af9b8a6d6d0c29fdfafe6 /dev/md0 does not match ++ 15dc2f73262f811ada53c65e505ceec9cf025cb9 /dev/md0 with /dev/loop3 ++ missing +diff --git a/tests/01raid6integ.broken b/tests/01raid6integ.broken +new file mode 100644 +index 0000000..1df735f +--- /dev/null ++++ b/tests/01raid6integ.broken +@@ -0,0 +1,7 @@ ++fails infrequently ++ ++Fails about 1 in 5 with a sha mismatch: ++ ++ 8286c2bc045ae2cfe9f8b7ae3a898fa25db6926f /dev/md0 does not match ++ a083a0738b58caab37fd568b91b177035ded37df /dev/md0 with /dev/loop2 and ++ /dev/loop3 missing +diff --git a/tests/04r5swap.broken b/tests/04r5swap.broken +new file mode 100644 +index 0000000..e38987d +--- /dev/null ++++ b/tests/04r5swap.broken +@@ -0,0 +1,7 @@ ++always fails ++ ++Fails with errors: ++ ++ mdadm: /dev/loop0 has no superblock - assembly aborted ++ ++ ERROR: no recovery happening +diff --git a/tests/07autoassemble.broken b/tests/07autoassemble.broken +new file mode 100644 +index 0000000..8be0940 +--- /dev/null ++++ b/tests/07autoassemble.broken +@@ -0,0 +1,8 @@ ++always fails ++ ++Prints lots of messages, but the array doesn't assemble. Error ++possibly related to: ++ ++ mdadm: /dev/md/1 is busy - skipping ++ mdadm: no recogniseable superblock on /dev/md/testing:0 ++ mdadm: /dev/md/2 is busy - skipping +diff --git a/tests/07autodetect.broken b/tests/07autodetect.broken +new file mode 100644 +index 0000000..294954a +--- /dev/null ++++ b/tests/07autodetect.broken +@@ -0,0 +1,5 @@ ++always fails ++ ++Fails with error: ++ ++ ERROR: no resync happening +diff --git a/tests/07changelevelintr.broken b/tests/07changelevelintr.broken +new file mode 100644 +index 0000000..284b490 +--- /dev/null ++++ b/tests/07changelevelintr.broken +@@ -0,0 +1,9 @@ ++always fails ++ ++Fails with errors: ++ ++ mdadm: this change will reduce the size of the array. ++ use --grow --array-size first to truncate array. ++ e.g. mdadm --grow /dev/md0 --array-size 56832 ++ ++ ERROR: no reshape happening +diff --git a/tests/07changelevels.broken b/tests/07changelevels.broken +new file mode 100644 +index 0000000..9b930d9 +--- /dev/null ++++ b/tests/07changelevels.broken +@@ -0,0 +1,9 @@ ++always fails ++ ++Fails with errors: ++ ++ mdadm: /dev/loop0 is smaller than given size. 18976K < 19968K + metadata ++ mdadm: /dev/loop1 is smaller than given size. 18976K < 19968K + metadata ++ mdadm: /dev/loop2 is smaller than given size. 18976K < 19968K + metadata ++ ++ ERROR: /dev/md0 isn't a block device. +diff --git a/tests/07reshape5intr.broken b/tests/07reshape5intr.broken +new file mode 100644 +index 0000000..efe52a6 +--- /dev/null ++++ b/tests/07reshape5intr.broken +@@ -0,0 +1,45 @@ ++always fails ++ ++This patch, recently added to md-next causes the test to always fail: ++ ++7e6ba434cc60 ("md: don't unregister sync_thread with reconfig_mutex ++held") ++ ++The new error is simply: ++ ++ ERROR: no reshape happening ++ ++Before the patch, the error seen is below. ++ ++-- ++ ++fails infrequently ++ ++Fails roughly 1 in 4 runs with errors: ++ ++ mdadm: Merging with already-assembled /dev/md/0 ++ mdadm: cannot re-read metadata from /dev/loop6 - aborting ++ ++ ERROR: no reshape happening ++ ++Also have seen a random deadlock: ++ ++ INFO: task mdadm:109702 blocked for more than 30 seconds. ++ Not tainted 5.18.0-rc3-eid-vmlocalyes-dbg-00095-g3c2b5427979d #2040 ++ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. ++ task:mdadm state:D stack: 0 pid:109702 ppid: 1 flags:0x00004000 ++ Call Trace: ++ <TASK> ++ __schedule+0x67e/0x13b0 ++ schedule+0x82/0x110 ++ mddev_suspend+0x2e1/0x330 ++ suspend_lo_store+0xbd/0x140 ++ md_attr_store+0xcb/0x130 ++ sysfs_kf_write+0x89/0xb0 ++ kernfs_fop_write_iter+0x202/0x2c0 ++ new_sync_write+0x222/0x330 ++ vfs_write+0x3bc/0x4d0 ++ ksys_write+0xd9/0x180 ++ __x64_sys_write+0x43/0x50 ++ do_syscall_64+0x3b/0x90 ++ entry_SYSCALL_64_after_hwframe+0x44/0xae +diff --git a/tests/07revert-grow.broken b/tests/07revert-grow.broken +new file mode 100644 +index 0000000..9b6db86 +--- /dev/null ++++ b/tests/07revert-grow.broken +@@ -0,0 +1,31 @@ ++always fails ++ ++This patch, recently added to md-next causes the test to always fail: ++ ++7e6ba434cc60 ("md: don't unregister sync_thread with reconfig_mutex held") ++ ++The errors are: ++ ++ mdadm: No active reshape to revert on /dev/loop0 ++ ERROR: active raid5 not found ++ ++Before the patch, the error seen is below. ++ ++-- ++ ++fails rarely ++ ++Fails about 1 in every 30 runs with errors: ++ ++ mdadm: Merging with already-assembled /dev/md/0 ++ mdadm: backup file /tmp/md-backup inaccessible: No such file or directory ++ mdadm: failed to add /dev/loop1 to /dev/md/0: Invalid argument ++ mdadm: failed to add /dev/loop2 to /dev/md/0: Invalid argument ++ mdadm: failed to add /dev/loop3 to /dev/md/0: Invalid argument ++ mdadm: failed to add /dev/loop0 to /dev/md/0: Invalid argument ++ mdadm: /dev/md/0 assembled from 1 drive - need all 5 to start it ++ (use --run to insist). ++ ++ grep: /sys/block/md*/md/sync_action: No such file or directory ++ ++ ERROR: active raid5 not found +diff --git a/tests/07revert-shrink.broken b/tests/07revert-shrink.broken +new file mode 100644 +index 0000000..c33c39e +--- /dev/null ++++ b/tests/07revert-shrink.broken +@@ -0,0 +1,9 @@ ++always fails ++ ++Fails with errors: ++ ++ mdadm: this change will reduce the size of the array. ++ use --grow --array-size first to truncate array. ++ e.g. mdadm --grow /dev/md0 --array-size 53760 ++ ++ ERROR: active raid5 not found +diff --git a/tests/07testreshape5.broken b/tests/07testreshape5.broken +new file mode 100644 +index 0000000..a8ce03e +--- /dev/null ++++ b/tests/07testreshape5.broken +@@ -0,0 +1,12 @@ ++always fails ++ ++Test seems to run 'test_stripe' at $dir directory, but $dir is never ++set. If $dir is adjusted to $PWD, the test still fails with: ++ ++ mdadm: /dev/loop2 is not suitable for this array. ++ mdadm: create aborted ++ ++ return 1 ++ ++ cmp -s -n 8192 /dev/md0 /tmp/RandFile ++ ++ echo cmp failed ++ cmp failed ++ ++ exit 2 +diff --git a/tests/09imsm-assemble.broken b/tests/09imsm-assemble.broken +new file mode 100644 +index 0000000..a6d4d5c +--- /dev/null ++++ b/tests/09imsm-assemble.broken +@@ -0,0 +1,6 @@ ++fails infrequently ++ ++Fails roughly 1 in 10 runs with errors: ++ ++ mdadm: /dev/loop2 is still in use, cannot remove. ++ /dev/loop2 removal from /dev/md/container should have succeeded +diff --git a/tests/09imsm-create-fail-rebuild.broken b/tests/09imsm-create-fail-rebuild.broken +new file mode 100644 +index 0000000..40c4b29 +--- /dev/null ++++ b/tests/09imsm-create-fail-rebuild.broken +@@ -0,0 +1,5 @@ ++always fails ++ ++Fails with error: ++ ++ **Error**: Array size mismatch - expected 3072, actual 16384 +diff --git a/tests/09imsm-overlap.broken b/tests/09imsm-overlap.broken +new file mode 100644 +index 0000000..e7ccab7 +--- /dev/null ++++ b/tests/09imsm-overlap.broken +@@ -0,0 +1,7 @@ ++always fails ++ ++Fails with errors: ++ ++ **Error**: Offset mismatch - expected 15360, actual 0 ++ **Error**: Offset mismatch - expected 15360, actual 0 ++ /dev/md/vol3 failed check +diff --git a/tests/10ddf-assemble-missing.broken b/tests/10ddf-assemble-missing.broken +new file mode 100644 +index 0000000..bfd8d10 +--- /dev/null ++++ b/tests/10ddf-assemble-missing.broken +@@ -0,0 +1,6 @@ ++always fails ++ ++Fails with errors: ++ ++ ERROR: /dev/md/vol0 has unexpected state on /dev/loop10 ++ ERROR: unexpected number of online disks on /dev/loop10 +diff --git a/tests/10ddf-fail-create-race.broken b/tests/10ddf-fail-create-race.broken +new file mode 100644 +index 0000000..6c0df02 +--- /dev/null ++++ b/tests/10ddf-fail-create-race.broken +@@ -0,0 +1,7 @@ ++usually fails ++ ++Fails about 9 out of 10 times with many errors: ++ ++ mdadm: cannot open MISSING: No such file or directory ++ ERROR: non-degraded array found ++ ERROR: disk 0 not marked as failed in meta data +diff --git a/tests/10ddf-fail-two-spares.broken b/tests/10ddf-fail-two-spares.broken +new file mode 100644 +index 0000000..eeea56d +--- /dev/null ++++ b/tests/10ddf-fail-two-spares.broken +@@ -0,0 +1,5 @@ ++fails infrequently ++ ++Fails roughly 1 in 3 with error: ++ ++ ERROR: /dev/md/vol1 should be optimal in meta data +diff --git a/tests/10ddf-incremental-wrong-order.broken b/tests/10ddf-incremental-wrong-order.broken +new file mode 100644 +index 0000000..a5af3ba +--- /dev/null ++++ b/tests/10ddf-incremental-wrong-order.broken +@@ -0,0 +1,9 @@ ++always fails ++ ++Fails with errors: ++ ERROR: sha1sum of /dev/md/vol0 has changed ++ ERROR: /dev/md/vol0 has unexpected state on /dev/loop10 ++ ERROR: unexpected number of online disks on /dev/loop10 ++ ERROR: /dev/md/vol0 has unexpected state on /dev/loop8 ++ ERROR: unexpected number of online disks on /dev/loop8 ++ ERROR: sha1sum of /dev/md/vol0 has changed +diff --git a/tests/14imsm-r1_2d-grow-r1_3d.broken b/tests/14imsm-r1_2d-grow-r1_3d.broken +new file mode 100644 +index 0000000..4ef1d40 +--- /dev/null ++++ b/tests/14imsm-r1_2d-grow-r1_3d.broken +@@ -0,0 +1,5 @@ ++always fails ++ ++Fails with error: ++ ++ mdadm/tests/func.sh: line 325: dvsize/chunk: division by 0 (error token is "chunk") +diff --git a/tests/14imsm-r1_2d-takeover-r0_2d.broken b/tests/14imsm-r1_2d-takeover-r0_2d.broken +new file mode 100644 +index 0000000..89cd4e5 +--- /dev/null ++++ b/tests/14imsm-r1_2d-takeover-r0_2d.broken +@@ -0,0 +1,6 @@ ++always fails ++ ++Fails with error: ++ ++ tests/func.sh: line 325: dvsize/chunk: division by 0 (error token ++ is "chunk") +diff --git a/tests/18imsm-r10_4d-takeover-r0_2d.broken b/tests/18imsm-r10_4d-takeover-r0_2d.broken +new file mode 100644 +index 0000000..a27399f +--- /dev/null ++++ b/tests/18imsm-r10_4d-takeover-r0_2d.broken +@@ -0,0 +1,5 @@ ++fails rarely ++ ++Fails about 1 run in 100 with message: ++ ++ ERROR: size is wrong for /dev/md/vol0: 2 * 5120 (chunk=128) = 20480, not 0 +diff --git a/tests/18imsm-r1_2d-takeover-r0_1d.broken b/tests/18imsm-r1_2d-takeover-r0_1d.broken +new file mode 100644 +index 0000000..aa1982e +--- /dev/null ++++ b/tests/18imsm-r1_2d-takeover-r0_1d.broken +@@ -0,0 +1,6 @@ ++always fails ++ ++Fails with error: ++ ++ tests/func.sh: line 325: dvsize/chunk: division by 0 (error token ++ is "chunk") +diff --git a/tests/19raid6auto-repair.broken b/tests/19raid6auto-repair.broken +new file mode 100644 +index 0000000..e91a142 +--- /dev/null ++++ b/tests/19raid6auto-repair.broken +@@ -0,0 +1,5 @@ ++always fails ++ ++Fails with: ++ ++ "should detect errors" +diff --git a/tests/19raid6repair.broken b/tests/19raid6repair.broken +new file mode 100644 +index 0000000..e91a142 +--- /dev/null ++++ b/tests/19raid6repair.broken +@@ -0,0 +1,5 @@ ++always fails ++ ++Fails with: ++ ++ "should detect errors" +-- +2.39.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/run-ptest b/poky/meta/recipes-extended/mdadm/files/run-ptest index fae8071d43..2380c322a9 100644 --- a/poky/meta/recipes-extended/mdadm/files/run-ptest +++ b/poky/meta/recipes-extended/mdadm/files/run-ptest @@ -2,6 +2,6 @@ mkdir -p /mdadm-testing-dir # make the test continue to execute even one fail -dir=. ./test --keep-going --disable-integrity +dir=. ./test --keep-going --disable-integrity --skip-broken rm -rf /mdadm-testing-dir/* diff --git a/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb b/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb index 14de9d88c2..c367b633a3 100644 --- a/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb +++ b/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb @@ -32,6 +32,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \ file://0001-tests-fix-raid0-tests-for-0.90-metadata.patch \ file://0001-tests-00readonly-Run-udevadm-settle-before-setting-r.patch \ file://0001-tests-04update-metadata-avoid-passing-chunk-size-to.patch \ + file://0001-DDF-Cleanup-validate_geometry_ddf_container.patch \ + file://0002-DDF-Fix-NULL-pointer-dereference-in-validate_geometr.patch \ + file://0003-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch \ + file://0004-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch \ + file://0005-mdadm-test-Mark-and-ignore-broken-test-failures.patch \ + file://0006-tests-Add-broken-files-for-all-broken-tests.patch \ + file://0001-tests-add-.broken-files-for-04update-uuid-and-07reve.patch \ " SRC_URI[sha256sum] = "461c215670864bb74a4d1a3620684aa2b2f8296dffa06743f26dda5557acf01d" @@ -101,10 +108,16 @@ do_install_ptest() { } RDEPENDS:${PN} += "bash" -RDEPENDS:${PN}-ptest += "bash e2fsprogs-mke2fs" +RDEPENDS:${PN}-ptest += " \ + bash \ + e2fsprogs-mke2fs \ + util-linux-lsblk \ + util-linux-losetup \ + util-linux-blockdev \ + strace \ +" RRECOMMENDS:${PN}-ptest += " \ coreutils \ - util-linux \ kernel-module-loop \ kernel-module-linear \ kernel-module-raid0 \ diff --git a/poky/meta/recipes-extended/minicom/minicom/0001-Drop-superfluous-global-variable-definitions.patch b/poky/meta/recipes-extended/minicom/minicom/0001-Drop-superfluous-global-variable-definitions.patch deleted file mode 100644 index 01b23898e7..0000000000 --- a/poky/meta/recipes-extended/minicom/minicom/0001-Drop-superfluous-global-variable-definitions.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b65152ebc03832972115e6d98e50cb6190d01793 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com> -Date: Mon, 3 Feb 2020 13:18:13 +0100 -Subject: [PATCH 1/3] Drop superfluous global variable definitions - -The file minicom.c, by including the minicom.h header, already defines -the global variables 'dial_user' and 'dial_pass'. The object file -minicom.o is always linked to dial.o. Thus the definitions in dial.c -can be dropped. - -This fixes linking with gcc 10 which uses -fno-common by default, -disallowing multiple global variable definitions. - -Upstream-Status: Backport [https://salsa.debian.org/minicom-team/minicom/-/commit/db269bba2a68fde03f5df45ac8372a8f1248ca96] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/dial.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/dial.c b/src/dial.c -index eada5ee..d9d481f 100644 ---- a/src/dial.c -+++ b/src/dial.c -@@ -146,8 +146,6 @@ static int newtype; - /* Access to ".dialdir" denied? */ - static int dendd = 0; - static char *tagged; --char *dial_user; --char *dial_pass; - - /* Change the baud rate. Treat all characters in the given array as if - * they were key presses within the comm parameters dialog (C-A P) and --- -2.24.1 - diff --git a/poky/meta/recipes-extended/minicom/minicom/0002-Drop-superfluous-global-variable-definitions.patch b/poky/meta/recipes-extended/minicom/minicom/0002-Drop-superfluous-global-variable-definitions.patch deleted file mode 100644 index e86b470b7e..0000000000 --- a/poky/meta/recipes-extended/minicom/minicom/0002-Drop-superfluous-global-variable-definitions.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 924bd2da3a00e030e29d82b74ef82900bd50b475 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com> -Date: Mon, 3 Feb 2020 13:18:33 +0100 -Subject: [PATCH 2/3] Drop superfluous global variable definitions - -The only place where the EXTERN macro mechanism is used to define the -global variables 'vt_outmap' and 'vt_inmap' is minicom.c (by defining -an empty EXTERN macro and including the minicom.h header). The file -vt100.c already defines these variables. The vt100.o object file is -always linked to minicom.o. Thus it is safe not to define the -variables in minicom.c and only declare them in the minicom.h header. - -This fixes linking with gcc 10 which uses -fno-common by default, -disallowing multiple global variable definitions. - -Upstream-Status: Backport [https://salsa.debian.org/minicom-team/minicom/-/commit/c69cad5b5dda85d361a3a0c1fddc65e933f26d11] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/minicom.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/minicom.h b/src/minicom.h -index 061c013..0f9693b 100644 ---- a/src/minicom.h -+++ b/src/minicom.h -@@ -141,7 +141,7 @@ EXTERN int sbcolor; /* Status Bar Background Color */ - EXTERN int st_attr; /* Status Bar attributes. */ - - /* jl 04.09.97 conversion tables */ --EXTERN unsigned char vt_outmap[256], vt_inmap[256]; -+extern unsigned char vt_outmap[256], vt_inmap[256]; - - /* MARK updated 02/17/95 - history buffer */ - EXTERN int num_hist_lines; /* History buffer size */ --- -2.24.1 - diff --git a/poky/meta/recipes-extended/minicom/minicom/0003-Drop-superfluous-global-variable-definitions.patch b/poky/meta/recipes-extended/minicom/minicom/0003-Drop-superfluous-global-variable-definitions.patch deleted file mode 100644 index 3225a0c32a..0000000000 --- a/poky/meta/recipes-extended/minicom/minicom/0003-Drop-superfluous-global-variable-definitions.patch +++ /dev/null @@ -1,42 +0,0 @@ -From a4fc603b3641d2efe31479116eb7ba66932901c7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com> -Date: Mon, 3 Feb 2020 13:21:41 +0100 -Subject: [PATCH 3/3] Drop superfluous global variable definitions - -The only place where the EXTERN macro mechanism is used to define the -global variables 'portfd_is_socket', 'portfd_is_connected' and -'portfd_sock_addr' is minicom.c (by defining an empty EXTERN macro and -including the minicom.h header). The source file sysdep1_s.c already -defines these variables. The sysdep1_s.o object file is always linked -to minicom.o. Thus it is safe to drop the definitions from minicom.c -and only declare the variables in the minicom.h header. - -This fixes linking with gcc 10 which uses -fno-common by default, -disallowing multiple global variable definitions. - -Upstream-Status: Backport [https://salsa.debian.org/minicom-team/minicom/-/commit/c8382374c5d340aa4115d527aed76e876ee5456b] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/minicom.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/minicom.h b/src/minicom.h -index 0f9693b..1e7cb8c 100644 ---- a/src/minicom.h -+++ b/src/minicom.h -@@ -113,9 +113,9 @@ EXTERN char *dial_user; /* Our username there */ - EXTERN char *dial_pass; /* Our password */ - - #ifdef USE_SOCKET --EXTERN int portfd_is_socket; /* File descriptor is a unix socket */ --EXTERN int portfd_is_connected; /* 1 if the socket is connected */ --EXTERN struct sockaddr_un portfd_sock_addr; /* the unix socket address */ -+extern int portfd_is_socket; /* File descriptor is a unix socket */ -+extern int portfd_is_connected; /* 1 if the socket is connected */ -+extern struct sockaddr_un portfd_sock_addr; /* the unix socket address */ - #define portfd_connected ((portfd_is_socket && !portfd_is_connected) \ - ? -1 : portfd) - #else --- -2.24.1 - diff --git a/poky/meta/recipes-extended/parted/files/0001-fs-Add-libuuid-to-linker-flags-for-libparted-fs-resi.patch b/poky/meta/recipes-extended/parted/files/0001-fs-Add-libuuid-to-linker-flags-for-libparted-fs-resi.patch new file mode 100644 index 0000000000..10354f1ed9 --- /dev/null +++ b/poky/meta/recipes-extended/parted/files/0001-fs-Add-libuuid-to-linker-flags-for-libparted-fs-resi.patch @@ -0,0 +1,34 @@ +From 1fc88332f7e906294fd889287b9e84cefc7f1586 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 12 Jun 2023 10:40:07 -0700 +Subject: [PATCH] fs: Add libuuid to linker flags for libparted-fs-resize + library + +This library uses uuid_generate function which comes from libuuid and +hence it should be mentioned on linker cmdline + +fixes +| aarch64-yoe-linux-ld.lld: error: undefined reference due to --no-allow-shlib-undefined: uuid_generate +| >>> referenced by /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/fatresize/1.1.0-r0/recipe-sysroot/usr/lib/libparted-fs-resize.so + +Upstream-Status: Submitted [https://alioth-lists.debian.net/pipermail/parted-devel/2023-June/005873.html] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + libparted/fs/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libparted/fs/Makefile.am b/libparted/fs/Makefile.am +index 2f345f3..a8970eb 100644 +--- a/libparted/fs/Makefile.am ++++ b/libparted/fs/Makefile.am +@@ -75,6 +75,7 @@ libparted_fs_resize_la_LDFLAGS = \ + EXTRA_DIST += fsresize.sym + libparted_fs_resize_la_DEPENDENCIES = $(sym_file) + ++libparted_fs_resize_la_LIBADD = $(UUID_LIBS) + libparted_fs_resize_la_SOURCES = \ + r/filesys.c \ + r/fat/bootsector.c \ +-- +2.41.0 + diff --git a/poky/meta/recipes-extended/parted/parted_3.5.bb b/poky/meta/recipes-extended/parted/parted_3.5.bb index ea2b68bbd8..ca35852eb0 100644 --- a/poky/meta/recipes-extended/parted/parted_3.5.bb +++ b/poky/meta/recipes-extended/parted/parted_3.5.bb @@ -8,6 +8,7 @@ DEPENDS = "ncurses util-linux virtual/libiconv" SRC_URI = "${GNU_MIRROR}/parted/parted-${PV}.tar.xz \ file://fix-doc-mandir.patch \ + file://0001-fs-Add-libuuid-to-linker-flags-for-libparted-fs-resi.patch \ file://run-ptest \ " diff --git a/poky/meta/recipes-extended/procps/procps/CVE-2023-4016.patch b/poky/meta/recipes-extended/procps/procps/CVE-2023-4016.patch new file mode 100644 index 0000000000..202fea91f1 --- /dev/null +++ b/poky/meta/recipes-extended/procps/procps/CVE-2023-4016.patch @@ -0,0 +1,73 @@ +From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001 +From: Craig Small <csmall@dropbear.xyz> +Date: Thu, 10 Aug 2023 21:18:38 +1000 +Subject: [PATCH] ps: Fix possible buffer overflow in -C option + +ps allocates memory using malloc(length of arg * len of struct). +In certain strange circumstances, the arg length could be very large +and the multiplecation will overflow, allocating a small amount of +memory. + +Subsequent strncpy() will then write into unallocated memory. +The fix is to use calloc. It's slower but this is a one-time +allocation. Other malloc(x * y) calls have also been replaced +by calloc(x, y) + +References: + https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 + https://nvd.nist.gov/vuln/detail/CVE-2023-4016 + https://gitlab.com/procps-ng/procps/-/issues/297 + https://bugs.debian.org/1042887 + +Signed-off-by: Craig Small <csmall@dropbear.xyz> + +CVE: CVE-2023-4016 +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413] +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + NEWS | 1 + + src/ps/parser.c | 8 ++++---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/ps/parser.c b/src/ps/parser.c +index 248aa741..15873dfa 100644 +--- a/src/ps/parser.c ++++ b/src/ps/parser.c +@@ -189,7 +189,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + const char *err; /* error code that could or did happen */ + /*** prepare to operate ***/ + node = xmalloc(sizeof(selection_node)); +- node->u = xmalloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */ + node->n = 0; + buf = strdup(arg); + /*** sanity check and count items ***/ +@@ -210,6 +209,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + } while (*++walk); + if(need_item) goto parse_error; + node->n = items; ++ node->u = xcalloc(items, sizeof(sel_union)); + /*** actually parse the list ***/ + walk = buf; + while(items--){ +@@ -1050,15 +1050,15 @@ static const char *parse_trailing_pids(void){ + thisarg = ps_argc - 1; /* we must be at the end now */ + + pidnode = xmalloc(sizeof(selection_node)); +- pidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ + pidnode->n = 0; + + grpnode = xmalloc(sizeof(selection_node)); +- grpnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ grpnode->u = xcalloc(i,sizeof(sel_union)); /* waste is insignificant */ + grpnode->n = 0; + + sidnode = xmalloc(sizeof(selection_node)); +- sidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ + sidnode->n = 0; + + while(i--){ +-- +GitLab + diff --git a/poky/meta/recipes-extended/procps/procps_4.0.3.bb b/poky/meta/recipes-extended/procps/procps_4.0.3.bb index cc3420df4e..140e7bfd22 100644 --- a/poky/meta/recipes-extended/procps/procps_4.0.3.bb +++ b/poky/meta/recipes-extended/procps/procps_4.0.3.bb @@ -15,6 +15,7 @@ inherit autotools gettext pkgconfig update-alternatives SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \ file://sysctl.conf \ file://0001-src-w.c-use-utmp.h-only.patch \ + file://CVE-2023-4016.patch \ " SRCREV = "806eb270f217ff7e1e745c7bda2b002b5be74be4" diff --git a/poky/meta/recipes-extended/psmisc/psmisc.inc b/poky/meta/recipes-extended/psmisc/psmisc.inc index a429c2ee96..23e98d21be 100644 --- a/poky/meta/recipes-extended/psmisc/psmisc.inc +++ b/poky/meta/recipes-extended/psmisc/psmisc.inc @@ -55,3 +55,5 @@ ALTERNATIVE_PRIORITY = "90" ALTERNATIVE:killall = "killall" ALTERNATIVE:fuser = "fuser" + +ALTERNATIVE:pstree = "pstree" diff --git a/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb b/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb index 00919a3d70..20933153a3 100644 --- a/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb +++ b/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb @@ -15,13 +15,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0daaf958d5531ab86169ec6e275e1517" SECTION = "libs" DEPENDS += "rpcsvc-proto-native" -PV = "1.4.3" +PV = "1.4.4" -SRCREV = "71e0a12c04d130a78674ac6309eefffa6ecee612" +SRCREV = "c65926005e50da02a4da3e26abc42eded36cd19d" SRC_URI = "git://github.com/thkukuk/${BPN};branch=master;protocol=https \ file://0001-Use-cross-compiled-rpcgen.patch \ - file://0001-Use-AC_SYS_LARGEFILE-macro-to-control-largefile-supp.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-AC_SYS_LARGEFILE-macro-to-control-largefile-supp.patch b/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-AC_SYS_LARGEFILE-macro-to-control-largefile-supp.patch deleted file mode 100644 index f07866d55a..0000000000 --- a/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-AC_SYS_LARGEFILE-macro-to-control-largefile-supp.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 6820c53c3952f78185beb59f767c372fc745dcf3 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Sun, 11 Dec 2022 21:42:59 -0800 -Subject: [PATCH] Use AC_SYS_LARGEFILE macro to control largefile support - -The autoconf macro AC_SYS_LARGEFILE defines _FILE_OFFSET_BITS=64 -where necessary to ensure that off_t and all interfaces using off_t -are 64bit, even on 32bit systems. - -replace stat64 by equivalent stat struct/func - -Upstream-Status: Accepted [https://github.com/thkukuk/rpcsvc-proto/pull/15] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - configure.ac | 1 + - rpcgen/rpc_main.c | 16 +++++----------- - 2 files changed, 6 insertions(+), 11 deletions(-) - -diff --git a/configure.ac b/configure.ac -index bacc2fb..a9fc730 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -8,6 +8,7 @@ AC_PREFIX_DEFAULT(/usr) - AC_SUBST(PACKAGE) - AC_SUBST(VERSION) - -+AC_SYS_LARGEFILE - AC_PROG_CC - AC_GNU_SOURCE - AM_PROG_CC_C_O -diff --git a/rpcgen/rpc_main.c b/rpcgen/rpc_main.c -index 277adc6..fd7dea9 100644 ---- a/rpcgen/rpc_main.c -+++ b/rpcgen/rpc_main.c -@@ -62,12 +62,6 @@ - #define EXTEND 1 /* alias for TRUE */ - #define DONT_EXTEND 0 /* alias for FALSE */ - --#ifdef __APPLE__ --# if __DARWIN_ONLY_64_BIT_INO_T --# define stat64 stat --# endif --#endif -- - struct commandline - { - int cflag; /* xdr C routines */ -@@ -337,9 +331,9 @@ clear_args (void) - static void - find_cpp (void) - { -- struct stat64 buf; -+ struct stat buf; - -- if (stat64 (CPP, &buf) == 0) -+ if (stat (CPP, &buf) == 0) - return; - - if (cppDefined) /* user specified cpp but it does not exist */ -@@ -1125,17 +1119,17 @@ putarg (int whereto, const char *cp) - static void - checkfiles (const char *infile, const char *outfile) - { -- struct stat64 buf; -+ struct stat buf; - - if (infile) /* infile ! = NULL */ -- if (stat64 (infile, &buf) < 0) -+ if (stat (infile, &buf) < 0) - { - perror (infile); - crash (); - } - if (outfile) - { -- if (stat64 (outfile, &buf) < 0) -+ if (stat (outfile, &buf) < 0) - return; /* file does not exist */ - else - { diff --git a/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-cross-compiled-rpcgen.patch b/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-cross-compiled-rpcgen.patch index 208974004b..8e459b5634 100644 --- a/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-cross-compiled-rpcgen.patch +++ b/poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-cross-compiled-rpcgen.patch @@ -10,14 +10,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> rpcsvc/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: git/rpcsvc/Makefile.am -=================================================================== ---- git.orig/rpcsvc/Makefile.am -+++ git/rpcsvc/Makefile.am -@@ -12,5 +12,5 @@ nodist_rpcsvc_HEADERS = klm_prot.h nlm_p +--- a/rpcsvc/Makefile.am ++++ b/rpcsvc/Makefile.am +@@ -12,4 +12,4 @@ nodist_rpcsvc_HEADERS = klm_prot.h nlm_p nfs_prot.h rquota.h sm_inter.h - %.h: %.x + .x.h: - $(top_builddir)/rpcgen/rpcgen -h -o $@ $< + rpcgen -h -o $@ $< - diff --git a/poky/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot b/poky/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot index 8a68dd341a..09df77d2e7 100644 --- a/poky/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot +++ b/poky/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: BSD-3-Clause OR Artistic-1.0 # # /etc/login.defs - Configuration control definitions for the shadow package. # diff --git a/poky/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb b/poky/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb index e05fa237a2..6580bd9166 100644 --- a/poky/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb +++ b/poky/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://github.com/shadow-maint/shadow" BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base utils" LICENSE = "BSD-3-Clause | Artistic-1.0" -LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5" +LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;endline=1;md5=ceddfb61608e4db87012499555184aed" DEPENDS = "base-passwd" diff --git a/poky/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/poky/meta/recipes-extended/tar/tar/CVE-2022-48303.patch deleted file mode 100644 index b2f40f3e64..0000000000 --- a/poky/meta/recipes-extended/tar/tar/CVE-2022-48303.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 -From: Sergey Poznyakoff <gray@gnu.org> -Date: Sat, 11 Feb 2023 11:57:39 +0200 -Subject: Fix boundary checking in base-256 decoder - -* src/list.c (from_header): Base-256 encoding is at least 2 bytes -long. - -Upstream-Status: Backport [see reference below] -CVE: CVE-2022-48303 - -Reference to upstream patch: -https://savannah.gnu.org/bugs/?62387 -https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 - -Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> -Signed-off-by: Joe Slater <joe.slater@windriver.com> ---- - src/list.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> - - -(limited to 'src/list.c') - -diff --git a/src/list.c b/src/list.c -index 9fafc42..86bcfdd 100644 ---- a/src/list.c -+++ b/src/list.c -@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, - where++; - } - } -- else if (*where == '\200' /* positive base-256 */ -- || *where == '\377' /* negative base-256 */) -+ else if (where <= lim - 2 -+ && (*where == '\200' /* positive base-256 */ -+ || *where == '\377' /* negative base-256 */)) - { - /* Parse base-256 output. A nonnegative number N is - represented as (256**DIGS)/2 + N; a negative number -N is --- -cgit v1.1 - diff --git a/poky/meta/recipes-extended/tar/tar_1.34.bb b/poky/meta/recipes-extended/tar/tar_1.35.bb index 1ef5fe221e..4dbd418b60 100644 --- a/poky/meta/recipes-extended/tar/tar_1.34.bb +++ b/poky/meta/recipes-extended/tar/tar_1.35.bb @@ -4,13 +4,11 @@ or disk archive, and can restore individual files from the archive." HOMEPAGE = "http://www.gnu.org/software/tar/" SECTION = "base" LICENSE = "GPL-3.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" +LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464" -SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ - file://CVE-2022-48303.patch \ -" +SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2" -SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff" +SRC_URI[sha256sum] = "7edb8886a3dc69420a1446e1e2d061922b642f1cf632d2cd0f9ee7e690775985" inherit autotools gettext texinfo diff --git a/poky/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch b/poky/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch new file mode 100644 index 0000000000..2fa7f481b7 --- /dev/null +++ b/poky/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch @@ -0,0 +1,103 @@ +From 5cbf901b5c3b6a7d1d0ed91b6df4194bb6d25a40 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Thu, 15 Jun 2023 07:14:17 -0700 +Subject: [PATCH] unix/configure: fix detection for cross compilation + +We're doing cross compilation, running a cross-compiled problem +on host to detemine feature is not correct. So we change runtime +check into compile-time check to detect the features. + +Upstream-Status: Inactive-Upstream + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + unix/configure | 44 +++++++++++++++----------------------------- + 1 file changed, 15 insertions(+), 29 deletions(-) + +diff --git a/unix/configure b/unix/configure +index 8fd82dd..68dee98 100755 +--- a/unix/configure ++++ b/unix/configure +@@ -259,6 +259,10 @@ cat > conftest.c << _EOF_ + #include <sys/stat.h> + #include <unistd.h> + #include <stdio.h> ++ ++_Static_assert(sizeof(off_t) < 8, "sizeof off_t < 8 failed"); ++_Static_assert(sizeof((struct stat){0}.st_size) < 8, "sizeof st_size < 8 failed"); ++ + int main() + { + off_t offset; +@@ -278,21 +282,10 @@ _EOF_ + # compile it + $CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null + if [ $? -ne 0 ]; then +- echo -- no Large File Support ++ echo -- yes we have Large File Support! ++ CFLAGSR="${CFLAGSR} -DLARGE_FILE_SUPPORT" + else +-# run it +- ./conftest +- r=$? +- if [ $r -eq 1 ]; then +- echo -- no Large File Support - no 64-bit off_t +- elif [ $r -eq 2 ]; then +- echo -- no Large File Support - no 64-bit stat +- elif [ $r -eq 3 ]; then +- echo -- yes we have Large File Support! +- CFLAGSR="${CFLAGSR} -DLARGE_FILE_SUPPORT" +- else +- echo -- no Large File Support - conftest returned $r +- fi ++ echo -- no Large File Support + fi + + # Added 11/24/2005 EG +@@ -302,6 +295,11 @@ cat > conftest.c << _EOF_ + #include <stdlib.h> + #include <stdio.h> + #include <wchar.h> ++ ++#ifndef __STDC_ISO_10646__ ++#error "__STDC_ISO_10646__ not defined ++#endif ++ + int main() + { + size_t wsize; +@@ -327,19 +325,8 @@ if [ $? -ne 0 ]; then + echo "-- no Unicode (wchar_t) support" + else + # have wide char support +-# run it +- ./conftest +- r=$? +- if [ $r -eq 0 ]; then +- echo -- no Unicode wchar_t support - wchar_t allocation error +- elif [ $r -eq 1 ]; then +- echo -- no Unicode support - wchar_t encoding unspecified +- elif [ $r -eq 2 ]; then +- echo -- have wchar_t with known UCS encoding - enabling Unicode support! +- CFLAGSR="${CFLAGSR} -DUNICODE_SUPPORT -DUNICODE_WCHAR" +- else +- echo "-- no Unicode (wchar_t) support - conftest returned $r" +- fi ++ echo -- have wchar_t with known UCS encoding - enabling Unicode support! ++ CFLAGSR="${CFLAGSR} -DUNICODE_SUPPORT -DUNICODE_WCHAR" + fi + + echo "Check for setlocale support (needed for UNICODE Native check)" +@@ -418,8 +405,7 @@ temp_link="link_$$" + echo "int main() { lchmod(\"${temp_file}\", 0666); }" \ + ) > conftest.c + ln -s "${temp_link}" "${temp_file}" && \ +- $CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null && \ +- ./conftest ++ $CC -Werror=implicit-function-declaration $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null + [ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_LCHMOD" + rm -f "${temp_file}" + +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/unzip/unzip_6.0.bb b/poky/meta/recipes-extended/unzip/unzip_6.0.bb index a4d10c30aa..3051e9b5bc 100644 --- a/poky/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/poky/meta/recipes-extended/unzip/unzip_6.0.bb @@ -32,6 +32,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://CVE-2022-0529.patch \ file://CVE-2022-0530.patch \ file://0001-configure-Add-correct-system-headers-and-prototypes-.patch \ + file://0001-unix-configure-fix-detection-for-cross-compilation.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" @@ -46,9 +47,6 @@ UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz" S = "${WORKDIR}/unzip60" -# Enable largefile support -CFLAGS += "-DLARGE_FILE_SUPPORT" - # Makefile uses CF_NOOPT instead of CFLAGS. We lifted the values from # Makefile and add CFLAGS. Optimization will be overriden by unzip # configure to be -O3. diff --git a/poky/meta/recipes-extended/wget/wget.inc b/poky/meta/recipes-extended/wget/wget.inc index d31756dbc8..51926e7296 100644 --- a/poky/meta/recipes-extended/wget/wget.inc +++ b/poky/meta/recipes-extended/wget/wget.inc @@ -7,7 +7,7 @@ FTP sites" HOMEPAGE = "https://www.gnu.org/software/wget/" SECTION = "console/network" LICENSE = "GPL-3.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=c678957b0c8e964aa6c70fd77641a71e" +LIC_FILES_CHKSUM = "file://COPYING;md5=6f65012d1daf98cb09b386cfb68df26b" inherit autotools gettext texinfo update-alternatives pkgconfig diff --git a/poky/meta/recipes-extended/wget/wget_1.21.3.bb b/poky/meta/recipes-extended/wget/wget_1.21.4.bb index f176a1546c..1d31b0116d 100644 --- a/poky/meta/recipes-extended/wget/wget_1.21.3.bb +++ b/poky/meta/recipes-extended/wget/wget_1.21.4.bb @@ -2,6 +2,6 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \ file://0002-improve-reproducibility.patch \ " -SRC_URI[sha256sum] = "5726bb8bc5ca0f6dc7110f6416e4bb7019e2d2ff5bf93d1ca2ffcc6656f220e5" +SRC_URI[sha256sum] = "81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c" require wget.inc diff --git a/poky/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch b/poky/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch new file mode 100644 index 0000000000..106f246a7c --- /dev/null +++ b/poky/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch @@ -0,0 +1,96 @@ +From 9916fc6f1f93f3e092e3c6937c30dc8137c26d34 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Thu, 15 Jun 2023 18:31:26 +0800 +Subject: [PATCH] unix/configure: use _Static_assert to do correct detection + +We're doing cross compilation, running a cross-compiled problem +on host to detemine feature is not correct. Use _Static_assert +to do the detection correctly. + +Upstream-Status: Inactive-Upstream + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + unix/configure | 42 ++++++++++++------------------------------ + 1 file changed, 12 insertions(+), 30 deletions(-) + +diff --git a/unix/configure b/unix/configure +index f2b3d02..f917086 100644 +--- a/unix/configure ++++ b/unix/configure +@@ -361,6 +361,10 @@ cat > conftest.c << _EOF_ + #include <sys/stat.h> + #include <unistd.h> + #include <stdio.h> ++ ++_Static_assert(sizeof((struct stat){0}.st_uid) == 2, "sizeof st_uid is not 16 bit"); ++_Static_assert(sizeof((struct stat){0}.st_gid) == 2, "sizeof st_gid is not 16 bit"); ++ + int main() + { + struct stat s; +@@ -385,21 +389,7 @@ if [ $? -ne 0 ]; then + echo -- UID/GID test failed on compile - disabling old 16-bit UID/GID support + CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT" + else +-# run it +- ./conftest +- r=$? +- if [ $r -eq 1 ]; then +- echo -- UID not 2 bytes - disabling old 16-bit UID/GID support +- CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT" +- elif [ $r -eq 2 ]; then +- echo -- GID not 2 bytes - disabling old 16-bit UID/GID support +- CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT" +- elif [ $r -eq 3 ]; then +- echo -- 16-bit UIDs and GIDs - keeping old 16-bit UID/GID support +- else +- echo -- test failed - conftest returned $r - disabling old 16-bit UID/GID support +- CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT" +- fi ++ echo -- 16-bit UIDs and GIDs - keeping old 16-bit UID/GID support + fi + + +@@ -417,6 +407,10 @@ cat > conftest.c << _EOF_ + #include <sys/stat.h> + #include <unistd.h> + #include <stdio.h> ++ ++_Static_assert(sizeof(off_t) < 8, "sizeof off_t < 8 failed"); ++_Static_assert(sizeof((struct stat){0}.st_size) < 8, "sizeof st_size < 8 failed"); ++ + int main() + { + off_t offset; +@@ -436,24 +430,12 @@ _EOF_ + # compile it + $CC -o conftest conftest.c >/dev/null 2>/dev/null + if [ $? -ne 0 ]; then +- echo -- no Large File Support ++ echo -- yes we have Large File Support! ++ CFLAGS="${CFLAGS} -DLARGE_FILE_SUPPORT" + else +-# run it +- ./conftest +- r=$? +- if [ $r -eq 1 ]; then +- echo -- no Large File Support - no 64-bit off_t +- elif [ $r -eq 2 ]; then +- echo -- no Large File Support - no 64-bit stat +- elif [ $r -eq 3 ]; then +- echo -- yes we have Large File Support! +- CFLAGS="${CFLAGS} -DLARGE_FILE_SUPPORT" +- else +- echo -- no Large File Support - conftest returned $r +- fi ++ echo -- no Large File Support + fi + +- + # Check for wide char for Unicode support + # Added 11/24/2005 EG + +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/zip/zip_3.0.bb b/poky/meta/recipes-extended/zip/zip_3.0.bb index 1930a40140..82153131b4 100644 --- a/poky/meta/recipes-extended/zip/zip_3.0.bb +++ b/poky/meta/recipes-extended/zip/zip_3.0.bb @@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/Zip%203.x%20%28latest%29/3.0/zip30.tar. file://0001-configure-Use-CFLAGS-and-LDFLAGS-when-doing-link-tes.patch \ file://0001-configure-Specify-correct-function-signatures-and-de.patch \ file://0002-unix.c-Do-not-redefine-DIR-as-FILE.patch \ + file://0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" @@ -31,9 +32,6 @@ CVE_CHECK_IGNORE += "CVE-2018-13410" # Not for zip but for smart contract implementation for it CVE_CHECK_IGNORE += "CVE-2018-13684" -# Enable largefile support -CFLAGS += "-DLARGE_FILE_SUPPORT" - # zip.inc sets CFLAGS, but what Makefile actually uses is # CFLAGS_NOOPT. It will also force -O3 optimization, overriding # whatever we set. diff --git a/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.74.0.bb b/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.74.0.bb index d3a7ce2fd9..15265d1dc4 100644 --- a/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.74.0.bb +++ b/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.74.0.bb @@ -27,7 +27,7 @@ GTKDOC_MESON_OPTION = "gtk_doc" MULTILIB_SCRIPTS = "${PN}:${bindir}/g-ir-annotation-tool ${PN}:${bindir}/g-ir-scanner" -DEPENDS += " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive-native" +DEPENDS += " libffi zlib glib-2.0 python3 flex-native bison-native" # target build needs qemu to run temporary introspection binaries created # on the fly by g-ir-scanner and a native version of itself to run diff --git a/poky/meta/recipes-gnome/gtk+/gtk4_4.10.3.bb b/poky/meta/recipes-gnome/gtk+/gtk4_4.10.5.bb index 9aa33e6851..85fff6c61e 100644 --- a/poky/meta/recipes-gnome/gtk+/gtk4_4.10.3.bb +++ b/poky/meta/recipes-gnome/gtk+/gtk4_4.10.5.bb @@ -37,7 +37,7 @@ MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}" UPSTREAM_CHECK_REGEX = "gtk-(?P<pver>\d+\.(\d*[02468])+(\.\d+)+)\.tar.xz" SRC_URI = "http://ftp.gnome.org/pub/gnome/sources/gtk/${MAJ_VER}/gtk-${PV}.tar.xz" -SRC_URI[sha256sum] = "4545441ad79e377eb6e0a705026dc7a46886e46a1b034db40912909da801cea9" +SRC_URI[sha256sum] = "9bd5e437e41d48e3d6a224c336b0fd3fd490036dceb8956ed74b956369af609b" S = "${WORKDIR}/gtk-${PV}" diff --git a/poky/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb b/poky/meta/recipes-gnome/librsvg/librsvg_2.54.6.bb index 59278d1b16..b917b76041 100644 --- a/poky/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb +++ b/poky/meta/recipes-gnome/librsvg/librsvg_2.54.6.bb @@ -20,7 +20,7 @@ SRC_URI += "file://0001-Makefile.am-pass-rust-target-to-cargo-also-when-not-.pat file://0001-system-deps-src-lib.rs-do-not-probe-into-harcoded-li.patch \ " -SRC_URI[archive.sha256sum] = "4f03190f45324d1fa1f52a79dfcded1f64eaf49b3ae2f88eedab0c07617cae6e" +SRC_URI[archive.sha256sum] = "0ee6174140b5fc017e19a75c26e8c3324a560bf2c37f7abd3da06bd58542bb03" # librsvg is still autotools-based, but is calling cargo from its automake-driven makefiles # so we cannot use cargo class directly, but still need bits and pieces from it diff --git a/poky/meta/recipes-graphics/freetype/freetype_2.13.0.bb b/poky/meta/recipes-graphics/freetype/freetype_2.13.1.bb index 514672c0ee..5b1c520944 100644 --- a/poky/meta/recipes-graphics/freetype/freetype_2.13.0.bb +++ b/poky/meta/recipes-graphics/freetype/freetype_2.13.1.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=843b6efc16f6b1652ec97f89d5a516c0 \ " SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "5ee23abd047636c24b2d43c6625dcafc66661d1aca64dec9e0d05df29592624c" +SRC_URI[sha256sum] = "ea67e3b019b1104d1667aa274f5dc307d8cbd606b399bc32df308a77f1a564bf" UPSTREAM_CHECK_REGEX = "freetype-(?P<pver>\d+(\.\d+)+)" diff --git a/poky/meta/recipes-graphics/graphene/files/float-div.patch b/poky/meta/recipes-graphics/graphene/files/float-div.patch new file mode 100644 index 0000000000..bf74101b1c --- /dev/null +++ b/poky/meta/recipes-graphics/graphene/files/float-div.patch @@ -0,0 +1,28 @@ +From c19d1f4a7e44e071df3a2612ae2eb20c84e831a6 Mon Sep 17 00:00:00 2001 +From: Emmanuele Bassi <ebassi@gnome.org> +Date: Thu, 10 Aug 2023 12:44:49 +0100 +Subject: [PATCH] build: Allow host builds when cross-compiling + +Environments that set up execution wrappers when cross-compiling should +be allowed to run code. We only fall back on external properties if we +really can't run any native code on the host machine. + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 48f22d7..7dcb9e6 100644 +--- a/meson.build ++++ b/meson.build +@@ -270,7 +270,7 @@ int main() { + return 0; + } + ''' +-if meson.is_cross_build() ++if not meson.can_run_host_binaries() + ieee754_float_div = meson.get_external_property('ieee754_float_div', cc.get_id() in ['gcc', 'clang']) + message('Cross-building, assuming IEEE 754 division:', ieee754_float_div) + else diff --git a/poky/meta/recipes-graphics/graphene/graphene_1.10.8.bb b/poky/meta/recipes-graphics/graphene/graphene_1.10.8.bb index 9f5b4d0e2d..55d8a2d74e 100644 --- a/poky/meta/recipes-graphics/graphene/graphene_1.10.8.bb +++ b/poky/meta/recipes-graphics/graphene/graphene_1.10.8.bb @@ -7,6 +7,8 @@ GNOMEBASEBUILDCLASS = "meson" inherit gnomebase gobject-introspection gtk-doc +SRC_URI += "file://float-div.patch" + SRC_URI[archive.sha256sum] = "a37bb0e78a419dcbeaa9c7027bcff52f5ec2367c25ec859da31dfde2928f279a" # Disable neon support by default on ARM-32 platforms because of the diff --git a/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch new file mode 100644 index 0000000000..fd8a66bca7 --- /dev/null +++ b/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch @@ -0,0 +1,103 @@ +From 42ce199c9cfe129e5e21afd48dfe757a6acf87c4 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Tue, 4 Apr 2023 19:06:20 -0500 +Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565 + +The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565 +is the only 3-component colorspace that doesn't have 3-sample pixels, so +we need to treat it as a special case when determining whether to enable +2-pass color quantization. Otherwise, attempting to initialize 2-pass +color quantization with an RGB565 output buffer could cause +prescan_quantize() to read from uninitialized memory and subsequently +underflow/overflow the histogram array. + +djpeg is supposed to fail gracefully if both -rgb565 and -colors are +specified, because none of its destination managers (image writers) +support color quantization with RGB565. However, prescan_quantize() was +called before that could occur. It is possible but very unlikely that +these issues could have been reproduced in applications other than +djpeg. The issues involve the use of two features (12-bit precision and +RGB565) that are incompatible, and they also involve the use of two +rarely-used legacy features (RGB565 and color quantization) that don't +make much sense when combined. + +Fixes #668 +Fixes #671 +Fixes #680 + +CVE: CVE-2023-2804 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/42ce199c9cfe129e5e21afd48dfe757a6acf87c4] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + ChangeLog.md | 12 ++++++++++++ + jdmaster.c | 5 +++-- + jquant2.c | 5 +++-- + 3 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index 1c1e6538a..f1bfb3d87 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -1,3 +1,15 @@ ++2.1.6 ++===== ++ ++### Significant changes relative to 2.1.5.1: ++ ++1. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer ++overruns when attempting to decompress various specially-crafted malformed ++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg ++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion ++enabled. ++ ++ + 2.1.5.1 + ======= + +diff --git a/jdmaster.c b/jdmaster.c +index a3690bf56..a9446adfd 100644 +--- a/jdmaster.c ++++ b/jdmaster.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1991-1997, Thomas G. Lane. + * Modified 2002-2009 by Guido Vollbeding. + * libjpeg-turbo Modifications: +- * Copyright (C) 2009-2011, 2016, 2019, 2022, D. R. Commander. ++ * Copyright (C) 2009-2011, 2016, 2019, 2022-2023, D. R. Commander. + * Copyright (C) 2013, Linaro Limited. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg +@@ -480,7 +480,8 @@ master_selection(j_decompress_ptr cinfo) + if (cinfo->raw_data_out) + ERREXIT(cinfo, JERR_NOTIMPL); + /* 2-pass quantizer only works in 3-component color space. */ +- if (cinfo->out_color_components != 3) { ++ if (cinfo->out_color_components != 3 || ++ cinfo->out_color_space == JCS_RGB565) { + cinfo->enable_1pass_quant = TRUE; + cinfo->enable_external_quant = FALSE; + cinfo->enable_2pass_quant = FALSE; +diff --git a/jquant2.c b/jquant2.c +index 44efb18ca..1c14ef763 100644 +--- a/jquant2.c ++++ b/jquant2.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1991-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2009, 2014-2015, 2020, D. R. Commander. ++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. + * +@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo) + cquantize->error_limiter = NULL; + + /* Make sure jdmaster didn't give me a case I can't handle */ +- if (cinfo->out_color_components != 3) ++ if (cinfo->out_color_components != 3 || ++ cinfo->out_color_space == JCS_RGB565) + ERREXIT(cinfo, JERR_NOTIMPL); + + /* Allocate the histogram/inverse colormap storage */ diff --git a/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..af955a72f6 --- /dev/null +++ b/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch @@ -0,0 +1,75 @@ +From 2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Thu, 6 Apr 2023 18:33:41 -0500 +Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp + +When computing the downsampled width for a particular component, +jpeg_crop_scanline() needs to take into account the fact that the +libjpeg code uses a combination of IDCT scaling and upsampling to +implement 4x2 and 2x4 upsampling with certain decompression scaling +factors. Failing to account for that led to incomplete upsampling of +4x2- or 2x4-subsampled components, which caused the color converter to +read from uninitialized memory. With 12-bit data precision, this caused +a buffer overrun or underrun and subsequent segfault if the +uninitialized memory contained a value that was outside of the valid +sample range (because the color converter uses the value as an array +index.) + +Fixes #669 + +CVE: CVE-2023-2804 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + ChangeLog.md | 8 ++++++++ + jdapistd.c | 10 ++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index f1bfb3d87..0a075c3c5 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -9,6 +9,14 @@ overruns when attempting to decompress various specially-crafted malformed + (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion + enabled. + ++2. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the ++downsampled width for components with 4x2 or 2x4 subsampling factors if ++decompression scaling was enabled. This caused the components to be upsampled ++incompletely, which caused the color converter to read from uninitialized ++memory. With 12-bit data precision, this caused a buffer overrun or underrun ++and subsequent segfault if the sample value read from unitialized memory was ++outside of the valid sample range. ++ + + 2.1.5.1 + ======= +diff --git a/jdapistd.c b/jdapistd.c +index 02cd0cb93..96cded112 100644 +--- a/jdapistd.c ++++ b/jdapistd.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2010, 2015-2020, 2022, D. R. Commander. ++ * Copyright (C) 2010, 2015-2020, 2022-2023, D. R. Commander. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg + * file. +@@ -236,9 +236,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset, + /* Set downsampled_width to the new output width. */ + orig_downsampled_width = compptr->downsampled_width; + compptr->downsampled_width = +- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width * +- compptr->h_samp_factor), +- (long)cinfo->max_h_samp_factor); ++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width * ++ (long)(compptr->h_samp_factor * ++ compptr->_DCT_scaled_size), ++ (long)(cinfo->max_h_samp_factor * ++ cinfo->_min_DCT_scaled_size)); + if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2) + reinit_upsampler = TRUE; + diff --git a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb index e086830c02..86bf471eea 100644 --- a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb +++ b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb @@ -12,6 +12,8 @@ DEPENDS:append:x86:class-target = " nasm-native" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \ file://0001-libjpeg-turbo-fix-package_qa-error.patch \ + file://CVE-2023-2804-1.patch \ + file://CVE-2023-2804-2.patch \ " SRC_URI[sha256sum] = "2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf" diff --git a/poky/meta/recipes-graphics/wayland/weston-init.bb b/poky/meta/recipes-graphics/wayland/weston-init.bb index 77dda03cf5..99b99f72f1 100644 --- a/poky/meta/recipes-graphics/wayland/weston-init.bb +++ b/poky/meta/recipes-graphics/wayland/weston-init.bb @@ -9,6 +9,7 @@ SRC_URI = "file://init \ file://weston.ini \ file://weston.service \ file://weston.socket \ + file://weston-socket.sh \ file://weston-autologin \ file://weston-start" @@ -25,28 +26,34 @@ DEFAULTBACKEND ??= "" DEFAULTBACKEND:qemuall ?= "drm" do_install() { - if [ "${VIRTUAL-RUNTIME_init_manager}" != "systemd" ]; then + # Install weston-start script + if [ "${VIRTUAL-RUNTIME_init_manager}" != "systemd" ]; then + install -Dm755 ${WORKDIR}/weston-start ${D}${bindir}/weston-start + sed -i 's,@DATADIR@,${datadir},g' ${D}${bindir}/weston-start + sed -i 's,@LOCALSTATEDIR@,${localstatedir},g' ${D}${bindir}/weston-start install -Dm755 ${WORKDIR}/init ${D}/${sysconfdir}/init.d/weston sed -i 's#ROOTHOME#${ROOT_HOME}#' ${D}/${sysconfdir}/init.d/weston - fi - install -D -p -m0644 ${WORKDIR}/weston.ini ${D}${sysconfdir}/xdg/weston/weston.ini - install -Dm644 ${WORKDIR}/weston.env ${D}${sysconfdir}/default/weston + fi # Install Weston systemd service and accompanying udev rule - install -D -p -m0644 ${WORKDIR}/weston.service ${D}${systemd_system_unitdir}/weston.service - install -D -p -m0644 ${WORKDIR}/weston.socket ${D}${systemd_system_unitdir}/weston.socket - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -D -p -m0644 ${WORKDIR}/weston.service ${D}${systemd_system_unitdir}/weston.service + install -D -p -m0644 ${WORKDIR}/weston.socket ${D}${systemd_system_unitdir}/weston.socket + install -D -p -m0644 ${WORKDIR}/weston-socket.sh ${D}${sysconfdir}/profile.d/weston-socket.sh + sed -i -e s:/etc:${sysconfdir}:g \ + -e s:/usr/bin:${bindir}:g \ + -e s:/var:${localstatedir}:g \ + ${D}${systemd_system_unitdir}/weston.service + fi + + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then install -D -p -m0644 ${WORKDIR}/weston-autologin ${D}${sysconfdir}/pam.d/weston-autologin - fi - sed -i -e s:/etc:${sysconfdir}:g \ - -e s:/usr/bin:${bindir}:g \ - -e s:/var:${localstatedir}:g \ - ${D}${systemd_system_unitdir}/weston.service - # Install weston-start script - install -Dm755 ${WORKDIR}/weston-start ${D}${bindir}/weston-start - sed -i 's,@DATADIR@,${datadir},g' ${D}${bindir}/weston-start - sed -i 's,@LOCALSTATEDIR@,${localstatedir},g' ${D}${bindir}/weston-start - if [ -n "${DEFAULTBACKEND}" ]; then + fi + + install -D -p -m0644 ${WORKDIR}/weston.ini ${D}${sysconfdir}/xdg/weston/weston.ini + install -Dm644 ${WORKDIR}/weston.env ${D}${sysconfdir}/default/weston + + if [ -n "${DEFAULTBACKEND}" ]; then sed -i -e "/^\[core\]/a backend=${DEFAULTBACKEND}-backend.so" ${D}${sysconfdir}/xdg/weston/weston.ini fi @@ -82,6 +89,7 @@ INITSCRIPT_PARAMS = "start 9 5 2 . stop 20 0 1 6 ." FILES:${PN} += "\ ${sysconfdir}/xdg/weston/weston.ini \ + ${sysconfdir}/profile.d/weston-socket.sh \ ${systemd_system_unitdir}/weston.service \ ${systemd_system_unitdir}/weston.socket \ ${sysconfdir}/default/weston \ @@ -92,6 +100,6 @@ FILES:${PN} += "\ CONFFILES:${PN} += "${sysconfdir}/xdg/weston/weston.ini ${sysconfdir}/default/weston" SYSTEMD_SERVICE:${PN} = "weston.service weston.socket" -USERADD_PARAM:${PN} = "--home /home/weston --shell /bin/sh --user-group -G video,input weston" -GROUPADD_PARAM:${PN} = "-r wayland" +USERADD_PARAM:${PN} = "--home /home/weston --shell /bin/sh --user-group -G video,input,render,wayland weston" +GROUPADD_PARAM:${PN} = "-r wayland; -r render" diff --git a/poky/meta/recipes-graphics/wayland/weston-init/weston-socket.sh b/poky/meta/recipes-graphics/wayland/weston-init/weston-socket.sh new file mode 100755 index 0000000000..86389d63a3 --- /dev/null +++ b/poky/meta/recipes-graphics/wayland/weston-init/weston-socket.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# set weston variables for use with global weston socket +global_socket="/run/wayland-0" +if [ -e "$global_socket" ]; then + weston_group=$(stat -c "%G" "$global_socket") + if [ "$(id -u)" = "0" ]; then + export WAYLAND_DISPLAY="$global_socket" + else + case "$(groups "$USER")" in + *"$weston_group"*) + export WAYLAND_DISPLAY="$global_socket" + ;; + *) + ;; + esac + fi + unset weston_group +fi +unset global_socket diff --git a/poky/meta/recipes-graphics/wayland/weston_11.0.1.bb b/poky/meta/recipes-graphics/wayland/weston_11.0.1.bb index 4f6ce19915..0838791a6b 100644 --- a/poky/meta/recipes-graphics/wayland/weston_11.0.1.bb +++ b/poky/meta/recipes-graphics/wayland/weston_11.0.1.bb @@ -57,7 +57,7 @@ PACKAGECONFIG[kms] = "-Dbackend-drm=true,-Dbackend-drm=false,drm udev virtual/eg # Weston on Wayland (nested Weston) PACKAGECONFIG[wayland] = "-Dbackend-wayland=true,-Dbackend-wayland=false,virtual/egl virtual/libgles2" # Weston on X11 -PACKAGECONFIG[x11] = "-Dbackend-x11=true,-Dbackend-x11=false,virtual/libx11 libxcb libxcb libxcursor cairo" +PACKAGECONFIG[x11] = "-Dbackend-x11=true,-Dbackend-x11=false,virtual/libx11 libxcb libxcursor" # Headless Weston PACKAGECONFIG[headless] = "-Dbackend-headless=true,-Dbackend-headless=false" # Weston on RDP @@ -73,7 +73,7 @@ PACKAGECONFIG[webp] = "-Dimage-webp=true,-Dimage-webp=false,libwebp" # Weston with systemd-login support PACKAGECONFIG[systemd] = "-Dsystemd=true -Dlauncher-logind=true,-Dsystemd=false -Dlauncher-logind=false,systemd dbus" # Weston with Xwayland support (requires X11 and Wayland) -PACKAGECONFIG[xwayland] = "-Dxwayland=true,-Dxwayland=false,xwayland" +PACKAGECONFIG[xwayland] = "-Dxwayland=true,-Dxwayland=false,libxcb libxcursor xwayland" # colord CMS support PACKAGECONFIG[colord] = "-Ddeprecated-color-management-colord=true,-Ddeprecated-color-management-colord=false,colord" # Clients support diff --git a/poky/meta/recipes-graphics/xorg-app/xdpyinfo_1.3.3.bb b/poky/meta/recipes-graphics/xorg-app/xdpyinfo_1.3.4.bb index e75a840b7d..aaa8aa8903 100644 --- a/poky/meta/recipes-graphics/xorg-app/xdpyinfo_1.3.3.bb +++ b/poky/meta/recipes-graphics/xorg-app/xdpyinfo_1.3.4.bb @@ -15,6 +15,6 @@ PE = "1" SRC_URI += "file://disable-xkb.patch" SRC_URI_EXT = "xz" -SRC_URI[sha256sum] = "356d5fd62f3e98ee36d6becf1b32d4ab6112d618339fb4b592ccffbd9e0fc206" +SRC_URI[sha256sum] = "a8ada581dbd7266440d7c3794fa89edf6b99b8857fc2e8c31042684f3af4822b" EXTRA_OECONF = "--disable-xkb" diff --git a/poky/meta/recipes-graphics/xorg-lib/libx11/0001-fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch b/poky/meta/recipes-graphics/xorg-lib/libx11/0001-fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch deleted file mode 100644 index 722116c07e..0000000000 --- a/poky/meta/recipes-graphics/xorg-lib/libx11/0001-fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch +++ /dev/null @@ -1,57 +0,0 @@ -CVE: CVE-2022-3554 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001 -From: "Thomas E. Dickey" <dickey@invisible-island.net> -Date: Tue, 4 Oct 2022 18:26:17 -0400 -Subject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback - -Analysis: - - _XimRegisterIMInstantiateCallback() opens an XIM and closes it using - the internal function pointers, but the internal close function does - not free the pointer to the XIM (this would be done in XCloseIM()). - -Report/patch: - - Date: Mon, 03 Oct 2022 18:47:32 +0800 - From: Po Lu <luangruo@yahoo.com> - To: xorg-devel@lists.x.org - Subject: Re: Yet another leak in Xlib - - For reference, here's how I'm calling XRegisterIMInstantiateCallback: - - XSetLocaleModifiers (""); - XRegisterIMInstantiateCallback (compositor.display, - XrmGetDatabase (compositor.display), - (char *) compositor.resource_name, - (char *) compositor.app_name, - IMInstantiateCallback, NULL); - - and XMODIFIERS is: - - @im=ibus - -Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net> ---- - modules/im/ximcp/imInsClbk.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c -index 95b379cb..c10e347f 100644 ---- a/modules/im/ximcp/imInsClbk.c -+++ b/modules/im/ximcp/imInsClbk.c -@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback( - if( xim ) { - lock = True; - xim->methods->close( (XIM)xim ); -+ /* XIMs must be freed manually after being opened; close just -+ does the protocol to deinitialize the IM. */ -+ XFree( xim ); - lock = False; - icb->call = True; - callback( display, client_data, NULL ); --- -2.34.1 - diff --git a/poky/meta/recipes-graphics/xorg-lib/libx11_1.8.4.bb b/poky/meta/recipes-graphics/xorg-lib/libx11_1.8.6.bb index 7831b4986a..1cfa56b21e 100644 --- a/poky/meta/recipes-graphics/xorg-lib/libx11_1.8.4.bb +++ b/poky/meta/recipes-graphics/xorg-lib/libx11_1.8.6.bb @@ -18,15 +18,13 @@ DEPENDS += "xorgproto \ PROVIDES = "virtual/libx11" -FILESEXTRAPATHS =. "${FILE_DIRNAME}/libx11:" - PE = "1" XORG_PN = "libX11" -SRC_URI += "file://disable_tests.patch \ - " -SRC_URI[sha256sum] = "c9a287a5aefa9804ce3cfafcf516fe96ed3f7e8e45c0e2ee59e84c86757df518" +SRC_URI += "file://disable_tests.patch" + +SRC_URI[sha256sum] = "59535b7cc6989ba806a022f7e8533b28c4397b9d86e9d07b6df0c0703fa25cc9" inherit gettext diff --git a/poky/meta/recipes-graphics/xorg-lib/libxft_2.3.7.bb b/poky/meta/recipes-graphics/xorg-lib/libxft_2.3.8.bb index ad126d2092..2699c1dfd7 100644 --- a/poky/meta/recipes-graphics/xorg-lib/libxft_2.3.7.bb +++ b/poky/meta/recipes-graphics/xorg-lib/libxft_2.3.8.bb @@ -20,7 +20,7 @@ PROVIDES = "xft" PE = "1" -SRC_URI[sha256sum] = "79f0b37c45007381c371a790c2754644ad955166dbf2a48e3625032e9bdd4f71" +SRC_URI[sha256sum] = "5e8c3c4bc2d4c0a40aef6b4b38ed2fb74301640da29f6528154b5009b1c6dd49" XORG_PN = "libXft" diff --git a/poky/meta/recipes-graphics/xorg-lib/libxpm_3.5.15.bb b/poky/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb index 32a2b35356..c3d01f1bb3 100644 --- a/poky/meta/recipes-graphics/xorg-lib/libxpm_3.5.15.bb +++ b/poky/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb @@ -22,6 +22,6 @@ PACKAGES =+ "sxpm cxpm" FILES:cxpm = "${bindir}/cxpm" FILES:sxpm = "${bindir}/sxpm" -SRC_URI[sha256sum] = "60bb906c5c317a6db863e39b69c4a83fdbd2ae2154fcf47640f8fefc9fdfd1c1" +SRC_URI[sha256sum] = "e6bc5da7a69dbd9bcc67e87c93d4904fe2f5177a0711c56e71fa2f6eff649f51" BBCLASSEXTEND = "native" diff --git a/poky/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb b/poky/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb index d26d7f581a..a580d73185 100644 --- a/poky/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb +++ b/poky/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb @@ -17,7 +17,7 @@ UPSTREAM_CHECK_REGEX = "pixman-(?P<pver>\d+\.(\d*[02468])+(\.\d+)+)" PE = "1" -LICENSE = "MIT & MIT & PD" +LICENSE = "MIT & PD" LIC_FILES_CHKSUM = "file://COPYING;md5=14096c769ae0cbb5fcb94ec468be11b3 \ file://pixman/pixman-matrix.c;endline=21;md5=4a018dff3e4e25302724c88ff95c2456 \ file://pixman/pixman-arm-neon-asm.h;endline=24;md5=9a9cc1e51abbf1da58f4d9528ec9d49b \ diff --git a/poky/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch b/poky/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch new file mode 100644 index 0000000000..a3b8a98589 --- /dev/null +++ b/poky/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch @@ -0,0 +1,35 @@ +From b8d9618cbbec5a04cf6dede0a6ceda41021b92ae Mon Sep 17 00:00:00 2001 +From: Sakib Sajal <sakib.sajal@windriver.com> +Date: Mon, 26 Jun 2023 17:34:01 -0400 +Subject: [PATCH] bno_plot.py, btt_plot.py: Ask for python3 specifically + +python2 is deprecated, use python3. + +Upstream-Status: Denied [https://www.spinics.net/lists/linux-btrace/msg01364.html] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + btt/bno_plot.py | 2 +- + btt/btt_plot.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/btt/bno_plot.py b/btt/bno_plot.py +index 3aa4e19..d7d7159 100644 +--- a/btt/bno_plot.py ++++ b/btt/bno_plot.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/env python ++#! /usr/bin/env python3 + # + # btt blkno plotting interface + # +diff --git a/btt/btt_plot.py b/btt/btt_plot.py +index 40bc71f..8620d31 100755 +--- a/btt/btt_plot.py ++++ b/btt/btt_plot.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/env python ++#! /usr/bin/env python3 + # + # btt_plot.py: Generate matplotlib plots for BTT generate data files + # diff --git a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb index d0eeba3208..288784236a 100644 --- a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb +++ b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb @@ -14,7 +14,9 @@ SRCREV = "366d30b9cdb20345c5d064af850d686da79b89eb" PV = "1.3.0+git${SRCPV}" -SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master;protocol=https" +SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master;protocol=https \ + file://0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch \ + " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-kernel/kmod/kmod/ptest.patch b/poky/meta/recipes-kernel/kmod/kmod/ptest.patch deleted file mode 100644 index 831dbcb909..0000000000 --- a/poky/meta/recipes-kernel/kmod/kmod/ptest.patch +++ /dev/null @@ -1,25 +0,0 @@ -Add 'install-ptest' rule. - -Signed-off-by: Tudor Florea <tudor.florea@enea.com> -Upstream-Status: Pending - -diff -ruN a/Makefile.am b/Makefile.am ---- a/Makefile.am 2013-07-12 17:11:05.278331557 +0200 -+++ b/Makefile.am 2013-07-12 17:14:27.033788016 +0200 -@@ -204,6 +204,16 @@ - - distclean-local: $(DISTCLEAN_LOCAL_HOOKS) - -+install-ptest: -+ @$(MKDIR_P) $(DESTDIR)/testsuite -+ @for file in $(TESTSUITE); do \ -+ install $$file $(DESTDIR)/testsuite; \ -+ done; -+ @sed -e 's/^Makefile/_Makefile/' < Makefile > $(DESTDIR)/Makefile -+ @$(MKDIR_P) $(DESTDIR)/tools -+ @cp $(noinst_SCRIPTS) $(noinst_PROGRAMS) $(DESTDIR)/tools -+ @cp -r testsuite/rootfs testsuite/.libs $(DESTDIR)/testsuite -+ - # ------------------------------------------------------------------------------ - # custom release helpers - # ------------------------------------------------------------------------------ diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb index 7412c022ba..6765226b9d 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb @@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ " # WHENCE checksum is defined separately to ease overriding it if # class-devupstream is selected. -WHENCE_CHKSUM = "0782deea054d4b1b7f10c92c3a245da4" +WHENCE_CHKSUM = "57bf874056926f12aec2405d3fc390d9" # These are not common licenses, set NO_GENERIC_LICENSE for them # so that the license files will be copied from fetched source @@ -212,7 +212,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw # Pin this to the 20220509 release, override this in local.conf SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" -SRC_URI[sha256sum] = "c3f9ad2bb5311cce2490f37a8052f836703d6936aabd840246b6576f1f71f607" +SRC_URI[sha256sum] = "87597111c0d4b71b31e53cb85a92c386921b84c825a402db8c82e0e86015500d" inherit allarch @@ -241,6 +241,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \ ${PN}-rtl8761 \ ${PN}-rtl8168 \ + ${PN}-rtl8822 \ ${PN}-cypress-license \ ${PN}-broadcom-license \ ${PN}-bcm-0bb4-0306 \ @@ -315,14 +316,15 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \ ${PN}-qcom-adreno-a2xx ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a4xx ${PN}-qcom-adreno-a530 \ ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \ - ${PN}-qcom-apq8096-audio ${PN}-qcom-apq8096-modem \ + ${PN}-qcom-apq8016-modem ${PN}-qcom-apq8016-wifi \ + ${PN}-qcom-apq8096-adreno ${PN}-qcom-apq8096-audio ${PN}-qcom-apq8096-modem \ ${PN}-qcom-sc8280xp-lenovo-x13s-compat \ ${PN}-qcom-sc8280xp-lenovo-x13s-audio \ ${PN}-qcom-sc8280xp-lenovo-x13s-adreno \ ${PN}-qcom-sc8280xp-lenovo-x13s-compute \ ${PN}-qcom-sc8280xp-lenovo-x13s-sensors \ - ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \ - ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \ + ${PN}-qcom-sdm845-adreno ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \ + ${PN}-qcom-sm8250-adreno ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \ ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \ ${PN}-lt9611uxc ${PN}-lontium-license \ ${PN}-whence-license \ @@ -417,7 +419,7 @@ LICENSE:${PN}-mt7601u-license = "Firmware-ralink_a_mediatek_company_firmware" FILES:${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware" FILES:${PN}-mt7601u = " \ - ${nonarch_base_libdir}/firmware/mt7601u.bin \ + ${nonarch_base_libdir}/firmware/mediatek/mt7601u.bin \ " RDEPENDS:${PN}-mt7601u += "${PN}-mt7601u-license" @@ -581,6 +583,7 @@ LICENSE:${PN}-rtl8192su = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8723 = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8761 = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8821 = "Firmware-rtlwifi_firmware" +LICENSE:${PN}-rtl8822 = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl-license = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8168 = "WHENCE" @@ -611,6 +614,11 @@ FILES:${PN}-rtl8761 = " \ FILES:${PN}-rtl8168 = " \ ${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \ " +FILES:${PN}-rtl8822 = " \ + ${nonarch_base_libdir}/firmware/rtl_bt/rtl8822*.bin \ + ${nonarch_base_libdir}/firmware/rtw88/rtw8822*.bin \ + ${nonarch_base_libdir}/firmware/rtlwifi/rtl8822*.bin \ +" RDEPENDS:${PN}-rtl8188 += "${PN}-rtl-license" RDEPENDS:${PN}-rtl8192ce += "${PN}-rtl-license" @@ -619,6 +627,7 @@ RDEPENDS:${PN}-rtl8192su = "${PN}-rtl-license" RDEPENDS:${PN}-rtl8723 += "${PN}-rtl-license" RDEPENDS:${PN}-rtl8821 += "${PN}-rtl-license" RDEPENDS:${PN}-rtl8761 += "${PN}-rtl-license" +RDEPENDS:${PN}-rtl8822 += "${PN}-rtl-license" RDEPENDS:${PN}-rtl8168 += "${PN}-whence-license" # For ti-connectivity @@ -1000,16 +1009,21 @@ LICENSE:${PN}-qcom-adreno-a530 = "Firmware-qcom" LICENSE:${PN}-qcom-adreno-a630 = "Firmware-qcom" LICENSE:${PN}-qcom-adreno-a650 = "Firmware-qcom" LICENSE:${PN}-qcom-adreno-a660 = "Firmware-qcom" +LICENSE:${PN}-qcom-apq8016-modem = "Firmware-qcom" +LICENSE:${PN}-qcom-apq8016-wifi = "Firmware-qcom" LICENSE:${PN}-qcom-apq8096-audio = "Firmware-qcom" +LICENSE:${PN}-qcom-apq8096-adreno = "Firmware-qcom" LICENSE:${PN}-qcom-apq8096-modem = "Firmware-qcom" LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-audio = "Firmware-qcom" LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "Firmware-qcom" LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-compute = "Firmware-qcom" LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "Firmware-qcom" LICENSE:${PN}-qcom-sdm845-audio = "Firmware-qcom" +LICENSE:${PN}-qcom-sdm845-adreno = "Firmware-qcom" LICENSE:${PN}-qcom-sdm845-compute = "Firmware-qcom" LICENSE:${PN}-qcom-sdm845-modem = "Firmware-qcom" LICENSE:${PN}-qcom-sm8250-audio = "Firmware-qcom" +LICENSE:${PN}-qcom-sm8250-adreno = "Firmware-qcom" LICENSE:${PN}-qcom-sm8250-compute = "Firmware-qcom" FILES:${PN}-qcom-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom ${nonarch_base_libdir}/firmware/qcom/NOTICE.txt" @@ -1023,10 +1037,13 @@ FILES:${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*" FILES:${PN}-qcom-adreno-a2xx = "${nonarch_base_libdir}/firmware/qcom/leia_*.fw ${nonarch_base_libdir}/firmware/qcom/yamato_*.fw" FILES:${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a3*_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw" FILES:${PN}-qcom-adreno-a4xx = "${nonarch_base_libdir}/firmware/qcom/a4*_*.fw" -FILES:${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.* ${nonarch_base_libdir}/firmware/qcom/apq8096/a530*.*" -FILES:${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*" -FILES:${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*" +FILES:${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.fw*" +FILES:${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.*" +FILES:${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.*" FILES:${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*" +FILES:${PN}-qcom-apq8016-modem = "${nonarch_base_libdir}/firmware/qcom/apq8016/mba.mbn ${nonarch_base_libdir}/firmware/qcom/apq8016/modem.mbn" +FILES:${PN}-qcom-apq8016-wifi = "${nonarch_base_libdir}/firmware/qcom/apq8016/wcnss.mbn ${nonarch_base_libdir}/firmware/qcom/apq8016/WCNSS*" +FILES:${PN}-qcom-apq8096-adreno = "${nonarch_base_libdir}/firmware/qcom/apq8096/a530_zap.mbn ${nonarch_base_libdir}/firmware/qcom/a530_zap.mdt" FILES:${PN}-qcom-apq8096-audio = "${nonarch_base_libdir}/firmware/qcom/apq8096/adsp*.*" FILES:${PN}-qcom-apq8096-modem = "${nonarch_base_libdir}/firmware/qcom/apq8096/mba.mbn ${nonarch_base_libdir}/firmware/qcom/apq8096/modem*.* ${nonarch_base_libdir}/firmware/qcom/apq8096/wlanmdsp.mbn" FILES:${PN}-qcom-sc8280xp-lenovo-x13s-compat = "${nonarch_base_libdir}/firmware/qcom/LENOVO/21BX" @@ -1034,9 +1051,11 @@ FILES:${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${nonarch_base_libdir}/firmware/q FILES:${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn" FILES:${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*cdsp*.*" FILES:${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*slpi*.*" +FILES:${PN}-qcom-sdm845-adreno = "${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*" FILES:${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*" FILES:${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*" FILES:${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn" +FILES:${PN}-qcom-sm8250-adreno = "${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*" FILES:${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*" FILES:${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*" @@ -1053,6 +1072,8 @@ RDEPENDS:${PN}-qcom-adreno-a530 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-adreno-a630 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-adreno-a650 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-adreno-a660 = "${PN}-qcom-license" +RDEPENDS:${PN}-qcom-apq8016-modem = "${PN}-qcom-license" +RDEPENDS:${PN}-qcom-apq8016-wifi = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-apq8096-audio = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-apq8096-modem = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${PN}-qcom-license" diff --git a/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc index 4cc151901b..1656ffc8b5 100644 --- a/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc +++ b/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc @@ -1,36 +1,7315 @@ -# https://nvd.nist.gov/vuln/detail/CVE-2022-3523 -# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 -# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33 + +# Auto-generated CVE metadata, DO NOT EDIT BY HAND. +# Generated at 2023-09-23 10:45:45.248445 for version 6.1.46 + +python check_kernel_cve_status_version() { + this_version = "6.1.46" + kernel_version = d.getVar("LINUX_VERSION") + if kernel_version != this_version: + bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version)) +} +do_cve_check[prefuncs] += "check_kernel_cve_status_version" + +# fixed-version: Fixed after version 2.6.12rc2 +CVE_CHECK_IGNORE += "CVE-2003-1604" + +# fixed-version: Fixed after version 3.6rc1 +CVE_CHECK_IGNORE += "CVE-2004-0230" + +# CVE-2005-3660 has no known resolution + +# fixed-version: Fixed after version 2.6.26rc5 +CVE_CHECK_IGNORE += "CVE-2006-3635" + +# fixed-version: Fixed after version 2.6.19rc3 +CVE_CHECK_IGNORE += "CVE-2006-5331" + +# fixed-version: Fixed after version 2.6.19rc2 +CVE_CHECK_IGNORE += "CVE-2006-6128" + +# CVE-2007-3719 has no known resolution + +# fixed-version: Fixed after version 2.6.12rc2 +CVE_CHECK_IGNORE += "CVE-2007-4774" + +# fixed-version: Fixed after version 2.6.24rc6 +CVE_CHECK_IGNORE += "CVE-2007-6761" + +# fixed-version: Fixed after version 2.6.20rc5 +CVE_CHECK_IGNORE += "CVE-2007-6762" + +# CVE-2008-2544 has no known resolution + +# CVE-2008-4609 has no known resolution + +# fixed-version: Fixed after version 2.6.25rc1 +CVE_CHECK_IGNORE += "CVE-2008-7316" + +# fixed-version: Fixed after version 2.6.31rc6 +CVE_CHECK_IGNORE += "CVE-2009-2692" + +# fixed-version: Fixed after version 2.6.23rc9 +CVE_CHECK_IGNORE += "CVE-2010-0008" + +# fixed-version: Fixed after version 2.6.36rc5 +CVE_CHECK_IGNORE += "CVE-2010-3432" + +# CVE-2010-4563 has no known resolution + +# fixed-version: Fixed after version 2.6.37rc6 +CVE_CHECK_IGNORE += "CVE-2010-4648" + +# fixed-version: Fixed after version 2.6.38rc1 +CVE_CHECK_IGNORE += "CVE-2010-5313" + +# CVE-2010-5321 has no known resolution + +# fixed-version: Fixed after version 2.6.35rc1 +CVE_CHECK_IGNORE += "CVE-2010-5328" + +# fixed-version: Fixed after version 2.6.39rc1 +CVE_CHECK_IGNORE += "CVE-2010-5329" + +# fixed-version: Fixed after version 2.6.34rc7 +CVE_CHECK_IGNORE += "CVE-2010-5331" + +# fixed-version: Fixed after version 2.6.37rc1 +CVE_CHECK_IGNORE += "CVE-2010-5332" + +# fixed-version: Fixed after version 3.2rc1 +CVE_CHECK_IGNORE += "CVE-2011-4098" + +# fixed-version: Fixed after version 3.3rc1 +CVE_CHECK_IGNORE += "CVE-2011-4131" + +# fixed-version: Fixed after version 3.2rc1 +CVE_CHECK_IGNORE += "CVE-2011-4915" + +# CVE-2011-4916 has no known resolution + +# CVE-2011-4917 has no known resolution + +# fixed-version: Fixed after version 3.2rc1 +CVE_CHECK_IGNORE += "CVE-2011-5321" + +# fixed-version: Fixed after version 3.1rc1 +CVE_CHECK_IGNORE += "CVE-2011-5327" + +# fixed-version: Fixed after version 3.7rc2 +CVE_CHECK_IGNORE += "CVE-2012-0957" + +# fixed-version: Fixed after version 3.5rc1 +CVE_CHECK_IGNORE += "CVE-2012-2119" + +# fixed-version: Fixed after version 3.5rc1 +CVE_CHECK_IGNORE += "CVE-2012-2136" + +# fixed-version: Fixed after version 3.5rc2 +CVE_CHECK_IGNORE += "CVE-2012-2137" + +# fixed-version: Fixed after version 3.4rc6 +CVE_CHECK_IGNORE += "CVE-2012-2313" + +# fixed-version: Fixed after version 3.4rc6 +CVE_CHECK_IGNORE += "CVE-2012-2319" + +# fixed-version: Fixed after version 3.13rc4 +CVE_CHECK_IGNORE += "CVE-2012-2372" + +# fixed-version: Fixed after version 3.4rc1 +CVE_CHECK_IGNORE += "CVE-2012-2375" + +# fixed-version: Fixed after version 3.5rc1 +CVE_CHECK_IGNORE += "CVE-2012-2390" + +# fixed-version: Fixed after version 3.5rc4 +CVE_CHECK_IGNORE += "CVE-2012-2669" + +# fixed-version: Fixed after version 2.6.34rc1 +CVE_CHECK_IGNORE += "CVE-2012-2744" + +# fixed-version: Fixed after version 3.4rc3 +CVE_CHECK_IGNORE += "CVE-2012-2745" + +# fixed-version: Fixed after version 3.5rc6 +CVE_CHECK_IGNORE += "CVE-2012-3364" + +# fixed-version: Fixed after version 3.4rc5 +CVE_CHECK_IGNORE += "CVE-2012-3375" + +# fixed-version: Fixed after version 3.5rc5 +CVE_CHECK_IGNORE += "CVE-2012-3400" + +# fixed-version: Fixed after version 3.6rc2 +CVE_CHECK_IGNORE += "CVE-2012-3412" + +# fixed-version: Fixed after version 3.6rc1 +CVE_CHECK_IGNORE += "CVE-2012-3430" + +# fixed-version: Fixed after version 2.6.19rc4 +CVE_CHECK_IGNORE += "CVE-2012-3510" + +# fixed-version: Fixed after version 3.5rc6 +CVE_CHECK_IGNORE += "CVE-2012-3511" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-3520" + +# fixed-version: Fixed after version 3.0rc1 +CVE_CHECK_IGNORE += "CVE-2012-3552" + +# Skipping CVE-2012-4220, no affected_versions + +# Skipping CVE-2012-4221, no affected_versions + +# Skipping CVE-2012-4222, no affected_versions + +# fixed-version: Fixed after version 3.4rc1 +CVE_CHECK_IGNORE += "CVE-2012-4398" + +# fixed-version: Fixed after version 2.6.36rc4 +CVE_CHECK_IGNORE += "CVE-2012-4444" + +# fixed-version: Fixed after version 3.7rc6 +CVE_CHECK_IGNORE += "CVE-2012-4461" + +# fixed-version: Fixed after version 3.6rc5 +CVE_CHECK_IGNORE += "CVE-2012-4467" + +# fixed-version: Fixed after version 3.7rc3 +CVE_CHECK_IGNORE += "CVE-2012-4508" + +# fixed-version: Fixed after version 3.8rc1 +CVE_CHECK_IGNORE += "CVE-2012-4530" + +# CVE-2012-4542 has no known resolution + +# fixed-version: Fixed after version 3.7rc4 +CVE_CHECK_IGNORE += "CVE-2012-4565" + +# fixed-version: Fixed after version 3.8rc1 +CVE_CHECK_IGNORE += "CVE-2012-5374" + +# fixed-version: Fixed after version 3.8rc1 +CVE_CHECK_IGNORE += "CVE-2012-5375" + +# fixed-version: Fixed after version 3.6rc1 +CVE_CHECK_IGNORE += "CVE-2012-5517" + +# fixed-version: Fixed after version 3.6rc7 +CVE_CHECK_IGNORE += "CVE-2012-6536" + +# fixed-version: Fixed after version 3.6rc7 +CVE_CHECK_IGNORE += "CVE-2012-6537" + +# fixed-version: Fixed after version 3.6rc7 +CVE_CHECK_IGNORE += "CVE-2012-6538" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6539" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6540" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6541" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6542" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6543" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6544" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6545" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2012-6546" + +# fixed-version: Fixed after version 3.6rc1 +CVE_CHECK_IGNORE += "CVE-2012-6547" + +# fixed-version: Fixed after version 3.6rc1 +CVE_CHECK_IGNORE += "CVE-2012-6548" + +# fixed-version: Fixed after version 3.6rc1 +CVE_CHECK_IGNORE += "CVE-2012-6549" + +# fixed-version: Fixed after version 3.3rc1 +CVE_CHECK_IGNORE += "CVE-2012-6638" + +# fixed-version: Fixed after version 3.6rc2 +CVE_CHECK_IGNORE += "CVE-2012-6647" + +# fixed-version: Fixed after version 3.6 +CVE_CHECK_IGNORE += "CVE-2012-6657" + +# fixed-version: Fixed after version 3.6rc5 +CVE_CHECK_IGNORE += "CVE-2012-6689" + +# fixed-version: Fixed after version 3.5rc1 +CVE_CHECK_IGNORE += "CVE-2012-6701" + +# fixed-version: Fixed after version 3.7rc1 +CVE_CHECK_IGNORE += "CVE-2012-6703" + +# fixed-version: Fixed after version 3.5rc1 +CVE_CHECK_IGNORE += "CVE-2012-6704" + +# fixed-version: Fixed after version 3.4rc1 +CVE_CHECK_IGNORE += "CVE-2012-6712" + +# fixed-version: Fixed after version 3.9rc1 +CVE_CHECK_IGNORE += "CVE-2013-0160" + +# fixed-version: Fixed after version 3.8rc5 +CVE_CHECK_IGNORE += "CVE-2013-0190" + +# fixed-version: Fixed after version 3.8rc7 +CVE_CHECK_IGNORE += "CVE-2013-0216" + +# fixed-version: Fixed after version 3.8rc7 +CVE_CHECK_IGNORE += "CVE-2013-0217" + +# fixed-version: Fixed after version 3.8 +CVE_CHECK_IGNORE += "CVE-2013-0228" + +# fixed-version: Fixed after version 3.8rc7 +CVE_CHECK_IGNORE += "CVE-2013-0231" + +# fixed-version: Fixed after version 3.8rc6 +CVE_CHECK_IGNORE += "CVE-2013-0268" + +# fixed-version: Fixed after version 3.8 +CVE_CHECK_IGNORE += "CVE-2013-0290" + +# fixed-version: Fixed after version 3.7rc1 +CVE_CHECK_IGNORE += "CVE-2013-0309" + +# fixed-version: Fixed after version 3.5 +CVE_CHECK_IGNORE += "CVE-2013-0310" + +# fixed-version: Fixed after version 3.7rc8 +CVE_CHECK_IGNORE += "CVE-2013-0311" + +# fixed-version: Fixed after version 3.8rc5 +CVE_CHECK_IGNORE += "CVE-2013-0313" + +# fixed-version: Fixed after version 3.11rc7 +CVE_CHECK_IGNORE += "CVE-2013-0343" + +# fixed-version: Fixed after version 3.8rc6 +CVE_CHECK_IGNORE += "CVE-2013-0349" + +# fixed-version: Fixed after version 3.8rc5 +CVE_CHECK_IGNORE += "CVE-2013-0871" + +# fixed-version: Fixed after version 3.9rc4 +CVE_CHECK_IGNORE += "CVE-2013-0913" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-0914" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-1059" + +# fixed-version: Fixed after version 3.9rc1 +CVE_CHECK_IGNORE += "CVE-2013-1763" + +# fixed-version: Fixed after version 3.9rc1 +CVE_CHECK_IGNORE += "CVE-2013-1767" + +# fixed-version: Fixed after version 3.5rc1 +CVE_CHECK_IGNORE += "CVE-2013-1772" + +# fixed-version: Fixed after version 3.3rc1 +CVE_CHECK_IGNORE += "CVE-2013-1773" + +# fixed-version: Fixed after version 3.8rc5 +CVE_CHECK_IGNORE += "CVE-2013-1774" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-1792" + +# fixed-version: Fixed after version 3.9rc4 +CVE_CHECK_IGNORE += "CVE-2013-1796" + +# fixed-version: Fixed after version 3.9rc4 +CVE_CHECK_IGNORE += "CVE-2013-1797" + +# fixed-version: Fixed after version 3.9rc4 +CVE_CHECK_IGNORE += "CVE-2013-1798" + +# fixed-version: Fixed after version 3.8rc6 +CVE_CHECK_IGNORE += "CVE-2013-1819" + +# fixed-version: Fixed after version 3.6rc7 +CVE_CHECK_IGNORE += "CVE-2013-1826" + +# fixed-version: Fixed after version 3.6rc3 +CVE_CHECK_IGNORE += "CVE-2013-1827" + +# fixed-version: Fixed after version 3.9rc2 +CVE_CHECK_IGNORE += "CVE-2013-1828" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-1848" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-1858" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-1860" + +# fixed-version: Fixed after version 3.7rc3 +CVE_CHECK_IGNORE += "CVE-2013-1928" + +# fixed-version: Fixed after version 3.9rc6 +CVE_CHECK_IGNORE += "CVE-2013-1929" + +# Skipping CVE-2013-1935, no affected_versions + +# fixed-version: Fixed after version 3.0rc1 +CVE_CHECK_IGNORE += "CVE-2013-1943" + +# fixed-version: Fixed after version 3.9rc5 +CVE_CHECK_IGNORE += "CVE-2013-1956" + +# fixed-version: Fixed after version 3.9rc5 +CVE_CHECK_IGNORE += "CVE-2013-1957" + +# fixed-version: Fixed after version 3.9rc5 +CVE_CHECK_IGNORE += "CVE-2013-1958" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-1959" + +# fixed-version: Fixed after version 3.9rc8 +CVE_CHECK_IGNORE += "CVE-2013-1979" + +# fixed-version: Fixed after version 3.8rc2 +CVE_CHECK_IGNORE += "CVE-2013-2015" + +# fixed-version: Fixed after version 2.6.34 +CVE_CHECK_IGNORE += "CVE-2013-2017" + +# fixed-version: Fixed after version 3.8rc4 +CVE_CHECK_IGNORE += "CVE-2013-2058" + +# fixed-version: Fixed after version 3.9rc8 +CVE_CHECK_IGNORE += "CVE-2013-2094" + +# fixed-version: Fixed after version 2.6.34rc4 +CVE_CHECK_IGNORE += "CVE-2013-2128" + +# fixed-version: Fixed after version 3.11rc3 +CVE_CHECK_IGNORE += "CVE-2013-2140" + +# fixed-version: Fixed after version 3.9rc8 +CVE_CHECK_IGNORE += "CVE-2013-2141" + +# fixed-version: Fixed after version 3.9rc8 +CVE_CHECK_IGNORE += "CVE-2013-2146" + +# fixed-version: Fixed after version 3.12rc3 +CVE_CHECK_IGNORE += "CVE-2013-2147" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-2148" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-2164" + +# Skipping CVE-2013-2188, no affected_versions + +# fixed-version: Fixed after version 3.9rc4 +CVE_CHECK_IGNORE += "CVE-2013-2206" + +# Skipping CVE-2013-2224, no affected_versions + +# fixed-version: Fixed after version 3.10 +CVE_CHECK_IGNORE += "CVE-2013-2232" + +# fixed-version: Fixed after version 3.10 +CVE_CHECK_IGNORE += "CVE-2013-2234" + +# fixed-version: Fixed after version 3.9rc6 +CVE_CHECK_IGNORE += "CVE-2013-2237" + +# Skipping CVE-2013-2239, no affected_versions + +# fixed-version: Fixed after version 3.9rc1 +CVE_CHECK_IGNORE += "CVE-2013-2546" + +# fixed-version: Fixed after version 3.9rc1 +CVE_CHECK_IGNORE += "CVE-2013-2547" + +# fixed-version: Fixed after version 3.9rc1 +CVE_CHECK_IGNORE += "CVE-2013-2548" + +# fixed-version: Fixed after version 3.9rc8 +CVE_CHECK_IGNORE += "CVE-2013-2596" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-2634" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-2635" + +# fixed-version: Fixed after version 3.9rc3 +CVE_CHECK_IGNORE += "CVE-2013-2636" + +# fixed-version: Fixed after version 3.10rc4 +CVE_CHECK_IGNORE += "CVE-2013-2850" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-2851" + +# fixed-version: Fixed after version 3.10rc6 +CVE_CHECK_IGNORE += "CVE-2013-2852" + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2013-2888" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-2889" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-2890" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-2891" + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2013-2892" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-2893" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-2894" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-2895" + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2013-2896" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-2897" + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2013-2898" + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2013-2899" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-2929" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-2930" + +# fixed-version: Fixed after version 3.9 +CVE_CHECK_IGNORE += "CVE-2013-3076" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3222" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3223" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3224" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3225" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3226" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3227" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3228" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3229" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3230" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3231" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3232" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3233" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3234" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3235" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3236" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3237" + +# fixed-version: Fixed after version 3.9rc7 +CVE_CHECK_IGNORE += "CVE-2013-3301" + +# fixed-version: Fixed after version 3.8rc3 +CVE_CHECK_IGNORE += "CVE-2013-3302" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-4125" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-4127" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-4129" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-4162" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2013-4163" + +# fixed-version: Fixed after version 3.11rc5 +CVE_CHECK_IGNORE += "CVE-2013-4205" + +# fixed-version: Fixed after version 3.10rc4 +CVE_CHECK_IGNORE += "CVE-2013-4220" + +# fixed-version: Fixed after version 3.10rc5 +CVE_CHECK_IGNORE += "CVE-2013-4247" + +# fixed-version: Fixed after version 3.11rc6 +CVE_CHECK_IGNORE += "CVE-2013-4254" + +# fixed-version: Fixed after version 3.12rc4 +CVE_CHECK_IGNORE += "CVE-2013-4270" + +# fixed-version: Fixed after version 3.12rc6 +CVE_CHECK_IGNORE += "CVE-2013-4299" + +# fixed-version: Fixed after version 3.11 +CVE_CHECK_IGNORE += "CVE-2013-4300" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2013-4312" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-4343" + +# fixed-version: Fixed after version 3.13rc2 +CVE_CHECK_IGNORE += "CVE-2013-4345" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-4348" + +# fixed-version: Fixed after version 3.12rc2 +CVE_CHECK_IGNORE += "CVE-2013-4350" + +# fixed-version: Fixed after version 3.12rc4 +CVE_CHECK_IGNORE += "CVE-2013-4387" + +# fixed-version: Fixed after version 3.12rc7 +CVE_CHECK_IGNORE += "CVE-2013-4470" + +# fixed-version: Fixed after version 3.10rc1 +CVE_CHECK_IGNORE += "CVE-2013-4483" + +# fixed-version: Fixed after version 3.12 +CVE_CHECK_IGNORE += "CVE-2013-4511" + +# fixed-version: Fixed after version 3.12 +CVE_CHECK_IGNORE += "CVE-2013-4512" + +# fixed-version: Fixed after version 3.12 +CVE_CHECK_IGNORE += "CVE-2013-4513" + +# fixed-version: Fixed after version 3.12 +CVE_CHECK_IGNORE += "CVE-2013-4514" + +# fixed-version: Fixed after version 3.12 +CVE_CHECK_IGNORE += "CVE-2013-4515" + +# fixed-version: Fixed after version 3.12 +CVE_CHECK_IGNORE += "CVE-2013-4516" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-4563" + +# fixed-version: Fixed after version 3.13rc7 +CVE_CHECK_IGNORE += "CVE-2013-4579" + +# fixed-version: Fixed after version 3.13rc4 +CVE_CHECK_IGNORE += "CVE-2013-4587" + +# fixed-version: Fixed after version 2.6.33rc4 +CVE_CHECK_IGNORE += "CVE-2013-4588" + +# fixed-version: Fixed after version 3.8rc1 +CVE_CHECK_IGNORE += "CVE-2013-4591" + +# fixed-version: Fixed after version 3.7rc1 +CVE_CHECK_IGNORE += "CVE-2013-4592" + +# Skipping CVE-2013-4737, no affected_versions + +# Skipping CVE-2013-4738, no affected_versions + +# Skipping CVE-2013-4739, no affected_versions + +# fixed-version: Fixed after version 3.10rc5 +CVE_CHECK_IGNORE += "CVE-2013-5634" + +# fixed-version: Fixed after version 3.6rc6 +CVE_CHECK_IGNORE += "CVE-2013-6282" + +# fixed-version: Fixed after version 3.13rc4 +CVE_CHECK_IGNORE += "CVE-2013-6367" + +# fixed-version: Fixed after version 3.13rc4 +CVE_CHECK_IGNORE += "CVE-2013-6368" + +# fixed-version: Fixed after version 3.13rc4 +CVE_CHECK_IGNORE += "CVE-2013-6376" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-6378" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-6380" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-6381" + +# fixed-version: Fixed after version 3.13rc4 +CVE_CHECK_IGNORE += "CVE-2013-6382" + +# fixed-version: Fixed after version 3.12 +CVE_CHECK_IGNORE += "CVE-2013-6383" + +# Skipping CVE-2013-6392, no affected_versions + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2013-6431" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-6432" + +# fixed-version: Fixed after version 3.14rc1 +CVE_CHECK_IGNORE += "CVE-2013-6885" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7026" + +# fixed-version: Fixed after version 3.12rc7 +CVE_CHECK_IGNORE += "CVE-2013-7027" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7263" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7264" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7265" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7266" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7267" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7268" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7269" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7270" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7271" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7281" + +# fixed-version: Fixed after version 3.13rc7 +CVE_CHECK_IGNORE += "CVE-2013-7339" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2013-7348" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2013-7421" + +# CVE-2013-7445 has no known resolution + +# fixed-version: Fixed after version 4.4rc4 +CVE_CHECK_IGNORE += "CVE-2013-7446" + +# fixed-version: Fixed after version 3.12rc7 +CVE_CHECK_IGNORE += "CVE-2013-7470" + +# fixed-version: Fixed after version 3.14rc1 +CVE_CHECK_IGNORE += "CVE-2014-0038" + +# fixed-version: Fixed after version 3.14rc5 +CVE_CHECK_IGNORE += "CVE-2014-0049" + +# fixed-version: Fixed after version 3.14 +CVE_CHECK_IGNORE += "CVE-2014-0055" + +# fixed-version: Fixed after version 3.14rc4 +CVE_CHECK_IGNORE += "CVE-2014-0069" + +# fixed-version: Fixed after version 3.14 +CVE_CHECK_IGNORE += "CVE-2014-0077" + +# fixed-version: Fixed after version 3.14rc7 +CVE_CHECK_IGNORE += "CVE-2014-0100" + +# fixed-version: Fixed after version 3.14rc6 +CVE_CHECK_IGNORE += "CVE-2014-0101" + +# fixed-version: Fixed after version 3.14rc6 +CVE_CHECK_IGNORE += "CVE-2014-0102" + +# fixed-version: Fixed after version 3.14rc7 +CVE_CHECK_IGNORE += "CVE-2014-0131" + +# fixed-version: Fixed after version 3.15rc2 +CVE_CHECK_IGNORE += "CVE-2014-0155" + +# fixed-version: Fixed after version 3.15rc5 +CVE_CHECK_IGNORE += "CVE-2014-0181" + +# fixed-version: Fixed after version 3.15rc5 +CVE_CHECK_IGNORE += "CVE-2014-0196" + +# fixed-version: Fixed after version 2.6.33rc5 +CVE_CHECK_IGNORE += "CVE-2014-0203" + +# fixed-version: Fixed after version 2.6.37rc1 +CVE_CHECK_IGNORE += "CVE-2014-0205" + +# fixed-version: Fixed after version 3.16rc3 +CVE_CHECK_IGNORE += "CVE-2014-0206" + +# Skipping CVE-2014-0972, no affected_versions + +# fixed-version: Fixed after version 3.13 +CVE_CHECK_IGNORE += "CVE-2014-1438" + +# fixed-version: Fixed after version 3.12rc7 +CVE_CHECK_IGNORE += "CVE-2014-1444" + +# fixed-version: Fixed after version 3.12rc7 +CVE_CHECK_IGNORE += "CVE-2014-1445" + +# fixed-version: Fixed after version 3.13rc7 +CVE_CHECK_IGNORE += "CVE-2014-1446" + +# fixed-version: Fixed after version 3.13rc8 +CVE_CHECK_IGNORE += "CVE-2014-1690" + +# fixed-version: Fixed after version 3.15rc5 +CVE_CHECK_IGNORE += "CVE-2014-1737" + +# fixed-version: Fixed after version 3.15rc5 +CVE_CHECK_IGNORE += "CVE-2014-1738" + +# fixed-version: Fixed after version 3.15rc6 +CVE_CHECK_IGNORE += "CVE-2014-1739" + +# fixed-version: Fixed after version 3.14rc2 +CVE_CHECK_IGNORE += "CVE-2014-1874" + +# fixed-version: Fixed after version 3.14rc1 +CVE_CHECK_IGNORE += "CVE-2014-2038" + +# fixed-version: Fixed after version 3.14rc3 +CVE_CHECK_IGNORE += "CVE-2014-2039" + +# fixed-version: Fixed after version 3.14rc7 +CVE_CHECK_IGNORE += "CVE-2014-2309" + +# fixed-version: Fixed after version 3.14rc1 +CVE_CHECK_IGNORE += "CVE-2014-2523" + +# fixed-version: Fixed after version 3.14 +CVE_CHECK_IGNORE += "CVE-2014-2568" + +# fixed-version: Fixed after version 3.15rc1 +CVE_CHECK_IGNORE += "CVE-2014-2580" + +# fixed-version: Fixed after version 3.14rc6 +CVE_CHECK_IGNORE += "CVE-2014-2672" + +# fixed-version: Fixed after version 3.14rc6 +CVE_CHECK_IGNORE += "CVE-2014-2673" + +# fixed-version: Fixed after version 3.15rc1 +CVE_CHECK_IGNORE += "CVE-2014-2678" + +# fixed-version: Fixed after version 3.14rc6 +CVE_CHECK_IGNORE += "CVE-2014-2706" + +# fixed-version: Fixed after version 3.15rc1 +CVE_CHECK_IGNORE += "CVE-2014-2739" + +# fixed-version: Fixed after version 3.15rc2 +CVE_CHECK_IGNORE += "CVE-2014-2851" + +# fixed-version: Fixed after version 3.2rc7 +CVE_CHECK_IGNORE += "CVE-2014-2889" + +# fixed-version: Fixed after version 3.15rc1 +CVE_CHECK_IGNORE += "CVE-2014-3122" + +# fixed-version: Fixed after version 3.15rc2 +CVE_CHECK_IGNORE += "CVE-2014-3144" + +# fixed-version: Fixed after version 3.15rc2 +CVE_CHECK_IGNORE += "CVE-2014-3145" + +# fixed-version: Fixed after version 3.15 +CVE_CHECK_IGNORE += "CVE-2014-3153" + +# fixed-version: Fixed after version 3.17rc4 +CVE_CHECK_IGNORE += "CVE-2014-3180" + +# fixed-version: Fixed after version 3.17rc3 +CVE_CHECK_IGNORE += "CVE-2014-3181" + +# fixed-version: Fixed after version 3.17rc2 +CVE_CHECK_IGNORE += "CVE-2014-3182" + +# fixed-version: Fixed after version 3.17rc2 +CVE_CHECK_IGNORE += "CVE-2014-3183" + +# fixed-version: Fixed after version 3.17rc2 +CVE_CHECK_IGNORE += "CVE-2014-3184" + +# fixed-version: Fixed after version 3.17rc3 +CVE_CHECK_IGNORE += "CVE-2014-3185" + +# fixed-version: Fixed after version 3.17rc3 +CVE_CHECK_IGNORE += "CVE-2014-3186" + +# Skipping CVE-2014-3519, no affected_versions + +# fixed-version: Fixed after version 3.16rc7 +CVE_CHECK_IGNORE += "CVE-2014-3534" + +# fixed-version: Fixed after version 2.6.36rc1 +CVE_CHECK_IGNORE += "CVE-2014-3535" + +# fixed-version: Fixed after version 3.17rc2 +CVE_CHECK_IGNORE += "CVE-2014-3601" + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-3610" + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-3611" + +# fixed-version: Fixed after version 3.17rc5 +CVE_CHECK_IGNORE += "CVE-2014-3631" + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2014-3645" + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-3646" + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-3647" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-3673" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-3687" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-3688" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-3690" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2014-3917" + +# fixed-version: Fixed after version 3.15 +CVE_CHECK_IGNORE += "CVE-2014-3940" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2014-4014" + +# fixed-version: Fixed after version 3.14rc1 +CVE_CHECK_IGNORE += "CVE-2014-4027" + +# fixed-version: Fixed after version 3.15rc1 +CVE_CHECK_IGNORE += "CVE-2014-4157" + +# fixed-version: Fixed after version 3.16rc3 +CVE_CHECK_IGNORE += "CVE-2014-4171" + +# Skipping CVE-2014-4322, no affected_versions + +# Skipping CVE-2014-4323, no affected_versions + +# fixed-version: Fixed after version 3.16rc3 +CVE_CHECK_IGNORE += "CVE-2014-4508" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-4608" + +# fixed-version: Fixed after version 3.16rc3 +CVE_CHECK_IGNORE += "CVE-2014-4611" + +# fixed-version: Fixed after version 3.16rc2 +CVE_CHECK_IGNORE += "CVE-2014-4652" + +# fixed-version: Fixed after version 3.16rc2 +CVE_CHECK_IGNORE += "CVE-2014-4653" + +# fixed-version: Fixed after version 3.16rc2 +CVE_CHECK_IGNORE += "CVE-2014-4654" + +# fixed-version: Fixed after version 3.16rc2 +CVE_CHECK_IGNORE += "CVE-2014-4655" + +# fixed-version: Fixed after version 3.16rc2 +CVE_CHECK_IGNORE += "CVE-2014-4656" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2014-4667" + +# fixed-version: Fixed after version 3.16rc4 +CVE_CHECK_IGNORE += "CVE-2014-4699" + +# fixed-version: Fixed after version 3.16rc6 +CVE_CHECK_IGNORE += "CVE-2014-4943" + +# fixed-version: Fixed after version 3.16rc7 +CVE_CHECK_IGNORE += "CVE-2014-5045" + +# fixed-version: Fixed after version 3.16 +CVE_CHECK_IGNORE += "CVE-2014-5077" + +# fixed-version: Fixed after version 3.17rc1 +CVE_CHECK_IGNORE += "CVE-2014-5206" + +# fixed-version: Fixed after version 3.17rc1 +CVE_CHECK_IGNORE += "CVE-2014-5207" + +# Skipping CVE-2014-5332, no affected_versions + +# fixed-version: Fixed after version 3.17rc2 +CVE_CHECK_IGNORE += "CVE-2014-5471" + +# fixed-version: Fixed after version 3.17rc2 +CVE_CHECK_IGNORE += "CVE-2014-5472" + +# fixed-version: Fixed after version 3.17rc5 +CVE_CHECK_IGNORE += "CVE-2014-6410" + +# fixed-version: Fixed after version 3.17rc5 +CVE_CHECK_IGNORE += "CVE-2014-6416" + +# fixed-version: Fixed after version 3.17rc5 +CVE_CHECK_IGNORE += "CVE-2014-6417" + +# fixed-version: Fixed after version 3.17rc5 +CVE_CHECK_IGNORE += "CVE-2014-6418" + +# fixed-version: Fixed after version 3.17rc2 +CVE_CHECK_IGNORE += "CVE-2014-7145" + +# Skipping CVE-2014-7207, no affected_versions + +# fixed-version: Fixed after version 3.15rc1 +CVE_CHECK_IGNORE += "CVE-2014-7283" + +# fixed-version: Fixed after version 3.15rc7 +CVE_CHECK_IGNORE += "CVE-2014-7284" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2014-7822" + +# fixed-version: Fixed after version 3.18rc3 +CVE_CHECK_IGNORE += "CVE-2014-7825" + +# fixed-version: Fixed after version 3.18rc3 +CVE_CHECK_IGNORE += "CVE-2014-7826" + +# fixed-version: Fixed after version 3.18rc5 +CVE_CHECK_IGNORE += "CVE-2014-7841" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-7842" + +# fixed-version: Fixed after version 3.18rc5 +CVE_CHECK_IGNORE += "CVE-2014-7843" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-7970" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-7975" + +# fixed-version: Fixed after version 3.18rc3 +CVE_CHECK_IGNORE += "CVE-2014-8086" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-8133" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-8134" + +# fixed-version: Fixed after version 4.0rc7 +CVE_CHECK_IGNORE += "CVE-2014-8159" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-8160" + +# fixed-version: Fixed after version 3.12rc1 +CVE_CHECK_IGNORE += "CVE-2014-8171" + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2014-8172" + +# fixed-version: Fixed after version 3.13rc5 +CVE_CHECK_IGNORE += "CVE-2014-8173" + +# Skipping CVE-2014-8181, no affected_versions + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-8369" + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-8480" + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-8481" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-8559" + +# fixed-version: Fixed after version 3.14rc3 +CVE_CHECK_IGNORE += "CVE-2014-8709" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2014-8884" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-8989" + +# fixed-version: Fixed after version 3.18rc6 +CVE_CHECK_IGNORE += "CVE-2014-9090" + +# fixed-version: Fixed after version 3.18rc6 +CVE_CHECK_IGNORE += "CVE-2014-9322" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-9419" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-9420" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2014-9428" + +# fixed-version: Fixed after version 3.19rc4 +CVE_CHECK_IGNORE += "CVE-2014-9529" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2014-9584" + +# fixed-version: Fixed after version 3.19rc4 +CVE_CHECK_IGNORE += "CVE-2014-9585" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-9644" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-9683" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-9710" + +# fixed-version: Fixed after version 3.15rc1 +CVE_CHECK_IGNORE += "CVE-2014-9715" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2014-9717" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2014-9728" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2014-9729" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2014-9730" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2014-9731" + +# Skipping CVE-2014-9777, no affected_versions + +# Skipping CVE-2014-9778, no affected_versions + +# Skipping CVE-2014-9779, no affected_versions + +# Skipping CVE-2014-9780, no affected_versions + +# Skipping CVE-2014-9781, no affected_versions + +# Skipping CVE-2014-9782, no affected_versions + +# Skipping CVE-2014-9783, no affected_versions + +# Skipping CVE-2014-9784, no affected_versions + +# Skipping CVE-2014-9785, no affected_versions + +# Skipping CVE-2014-9786, no affected_versions + +# Skipping CVE-2014-9787, no affected_versions + +# Skipping CVE-2014-9788, no affected_versions + +# Skipping CVE-2014-9789, no affected_versions + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2014-9803" + +# Skipping CVE-2014-9863, no affected_versions + +# Skipping CVE-2014-9864, no affected_versions + +# Skipping CVE-2014-9865, no affected_versions + +# Skipping CVE-2014-9866, no affected_versions + +# Skipping CVE-2014-9867, no affected_versions + +# Skipping CVE-2014-9868, no affected_versions + +# Skipping CVE-2014-9869, no affected_versions + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2014-9870" + +# Skipping CVE-2014-9871, no affected_versions + +# Skipping CVE-2014-9872, no affected_versions + +# Skipping CVE-2014-9873, no affected_versions + +# Skipping CVE-2014-9874, no affected_versions + +# Skipping CVE-2014-9875, no affected_versions + +# Skipping CVE-2014-9876, no affected_versions + +# Skipping CVE-2014-9877, no affected_versions + +# Skipping CVE-2014-9878, no affected_versions + +# Skipping CVE-2014-9879, no affected_versions + +# Skipping CVE-2014-9880, no affected_versions + +# Skipping CVE-2014-9881, no affected_versions + +# Skipping CVE-2014-9882, no affected_versions + +# Skipping CVE-2014-9883, no affected_versions + +# Skipping CVE-2014-9884, no affected_versions + +# Skipping CVE-2014-9885, no affected_versions + +# Skipping CVE-2014-9886, no affected_versions + +# Skipping CVE-2014-9887, no affected_versions + +# fixed-version: Fixed after version 3.13rc1 +CVE_CHECK_IGNORE += "CVE-2014-9888" + +# Skipping CVE-2014-9889, no affected_versions + +# Skipping CVE-2014-9890, no affected_versions + +# Skipping CVE-2014-9891, no affected_versions + +# Skipping CVE-2014-9892, no affected_versions + +# Skipping CVE-2014-9893, no affected_versions + +# Skipping CVE-2014-9894, no affected_versions + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2014-9895" + +# Skipping CVE-2014-9896, no affected_versions + +# Skipping CVE-2014-9897, no affected_versions + +# Skipping CVE-2014-9898, no affected_versions + +# Skipping CVE-2014-9899, no affected_versions + +# Skipping CVE-2014-9900, no affected_versions + +# fixed-version: Fixed after version 3.14rc4 +CVE_CHECK_IGNORE += "CVE-2014-9903" + +# fixed-version: Fixed after version 3.17rc1 +CVE_CHECK_IGNORE += "CVE-2014-9904" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2014-9914" + +# fixed-version: Fixed after version 3.18rc2 +CVE_CHECK_IGNORE += "CVE-2014-9922" + +# fixed-version: Fixed after version 3.19rc1 +CVE_CHECK_IGNORE += "CVE-2014-9940" + +# fixed-version: Fixed after version 3.19rc6 +CVE_CHECK_IGNORE += "CVE-2015-0239" + +# fixed-version: Fixed after version 3.15rc5 +CVE_CHECK_IGNORE += "CVE-2015-0274" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-0275" + +# Skipping CVE-2015-0777, no affected_versions + +# Skipping CVE-2015-1328, no affected_versions + +# fixed-version: Fixed after version 4.2rc5 +CVE_CHECK_IGNORE += "CVE-2015-1333" + +# fixed-version: Fixed after version 4.4rc5 +CVE_CHECK_IGNORE += "CVE-2015-1339" + +# fixed-version: Fixed after version 4.9rc1 +CVE_CHECK_IGNORE += "CVE-2015-1350" + +# fixed-version: Fixed after version 4.1rc7 +CVE_CHECK_IGNORE += "CVE-2015-1420" + +# fixed-version: Fixed after version 3.19rc7 +CVE_CHECK_IGNORE += "CVE-2015-1421" + +# fixed-version: Fixed after version 3.19rc7 +CVE_CHECK_IGNORE += "CVE-2015-1465" + +# fixed-version: Fixed after version 3.19rc5 +CVE_CHECK_IGNORE += "CVE-2015-1573" + +# fixed-version: Fixed after version 4.0rc1 +CVE_CHECK_IGNORE += "CVE-2015-1593" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2015-1805" + +# fixed-version: Fixed after version 3.19rc7 +CVE_CHECK_IGNORE += "CVE-2015-2041" + +# fixed-version: Fixed after version 3.19 +CVE_CHECK_IGNORE += "CVE-2015-2042" + +# fixed-version: Fixed after version 4.0rc4 +CVE_CHECK_IGNORE += "CVE-2015-2150" + +# fixed-version: Fixed after version 4.0rc1 +CVE_CHECK_IGNORE += "CVE-2015-2666" + +# fixed-version: Fixed after version 4.0rc3 +CVE_CHECK_IGNORE += "CVE-2015-2672" + +# fixed-version: Fixed after version 4.0rc6 +CVE_CHECK_IGNORE += "CVE-2015-2686" + +# fixed-version: Fixed after version 4.0rc3 +CVE_CHECK_IGNORE += "CVE-2015-2830" + +# CVE-2015-2877 has no known resolution + +# fixed-version: Fixed after version 4.0rc7 +CVE_CHECK_IGNORE += "CVE-2015-2922" + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2015-2925" + +# fixed-version: Fixed after version 4.2rc1 +CVE_CHECK_IGNORE += "CVE-2015-3212" + +# fixed-version: Fixed after version 2.6.33rc8 +CVE_CHECK_IGNORE += "CVE-2015-3214" + +# fixed-version: Fixed after version 4.2rc2 +CVE_CHECK_IGNORE += "CVE-2015-3288" + +# fixed-version: Fixed after version 4.2rc3 +CVE_CHECK_IGNORE += "CVE-2015-3290" + +# fixed-version: Fixed after version 4.2rc3 +CVE_CHECK_IGNORE += "CVE-2015-3291" + +# fixed-version: Fixed after version 4.0rc5 +CVE_CHECK_IGNORE += "CVE-2015-3331" + +# Skipping CVE-2015-3332, no affected_versions + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-3339" + +# fixed-version: Fixed after version 4.1rc2 +CVE_CHECK_IGNORE += "CVE-2015-3636" + +# fixed-version: Fixed after version 4.1rc7 +CVE_CHECK_IGNORE += "CVE-2015-4001" + +# fixed-version: Fixed after version 4.1rc7 +CVE_CHECK_IGNORE += "CVE-2015-4002" + +# fixed-version: Fixed after version 4.1rc7 +CVE_CHECK_IGNORE += "CVE-2015-4003" + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2015-4004" + +# fixed-version: Fixed after version 4.0rc1 +CVE_CHECK_IGNORE += "CVE-2015-4036" + +# fixed-version: Fixed after version 4.0rc1 +CVE_CHECK_IGNORE += "CVE-2015-4167" + +# fixed-version: Fixed after version 3.13rc5 +CVE_CHECK_IGNORE += "CVE-2015-4170" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-4176" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-4177" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-4178" + +# fixed-version: Fixed after version 4.2rc1 +CVE_CHECK_IGNORE += "CVE-2015-4692" + +# fixed-version: Fixed after version 4.1rc6 +CVE_CHECK_IGNORE += "CVE-2015-4700" + +# fixed-version: Fixed after version 4.2rc7 +CVE_CHECK_IGNORE += "CVE-2015-5156" + +# fixed-version: Fixed after version 4.2rc3 +CVE_CHECK_IGNORE += "CVE-2015-5157" + +# fixed-version: Fixed after version 4.3rc3 +CVE_CHECK_IGNORE += "CVE-2015-5257" + +# fixed-version: Fixed after version 4.3rc3 +CVE_CHECK_IGNORE += "CVE-2015-5283" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-5307" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-5327" + +# fixed-version: Fixed after version 4.1rc7 +CVE_CHECK_IGNORE += "CVE-2015-5364" + +# fixed-version: Fixed after version 4.1rc7 +CVE_CHECK_IGNORE += "CVE-2015-5366" + +# fixed-version: Fixed after version 4.2rc6 +CVE_CHECK_IGNORE += "CVE-2015-5697" + +# fixed-version: Fixed after version 4.1rc3 +CVE_CHECK_IGNORE += "CVE-2015-5706" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-5707" + +# fixed-version: Fixed after version 4.2rc5 +CVE_CHECK_IGNORE += "CVE-2015-6252" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-6526" + +# CVE-2015-6619 has no known resolution + +# CVE-2015-6646 has no known resolution + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2015-6937" + +# Skipping CVE-2015-7312, no affected_versions + +# fixed-version: Fixed after version 3.7rc1 +CVE_CHECK_IGNORE += "CVE-2015-7509" + +# fixed-version: Fixed after version 4.4rc7 +CVE_CHECK_IGNORE += "CVE-2015-7513" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-7515" + +# fixed-version: Fixed after version 4.4rc8 +CVE_CHECK_IGNORE += "CVE-2015-7550" + +# Skipping CVE-2015-7553, no affected_versions + +# fixed-version: Fixed after version 4.5rc2 +CVE_CHECK_IGNORE += "CVE-2015-7566" + +# fixed-version: Fixed after version 4.3rc4 +CVE_CHECK_IGNORE += "CVE-2015-7613" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-7799" + +# fixed-version: Fixed after version 4.6rc6 +CVE_CHECK_IGNORE += "CVE-2015-7833" + +# Skipping CVE-2015-7837, no affected_versions + +# fixed-version: Fixed after version 4.3rc7 +CVE_CHECK_IGNORE += "CVE-2015-7872" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-7884" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-7885" + +# fixed-version: Fixed after version 4.4rc4 +CVE_CHECK_IGNORE += "CVE-2015-7990" + +# Skipping CVE-2015-8019, no affected_versions + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-8104" + +# fixed-version: Fixed after version 4.0rc3 +CVE_CHECK_IGNORE += "CVE-2015-8215" + +# fixed-version: Fixed after version 2.6.34rc1 +CVE_CHECK_IGNORE += "CVE-2015-8324" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-8374" + +# fixed-version: Fixed after version 4.4rc3 +CVE_CHECK_IGNORE += "CVE-2015-8539" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8543" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8550" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8551" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8552" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8553" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8569" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8575" + +# fixed-version: Fixed after version 4.4rc4 +CVE_CHECK_IGNORE += "CVE-2015-8660" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2015-8709" + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2015-8746" + +# fixed-version: Fixed after version 4.3rc4 +CVE_CHECK_IGNORE += "CVE-2015-8767" + +# fixed-version: Fixed after version 4.4rc5 +CVE_CHECK_IGNORE += "CVE-2015-8785" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-8787" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2015-8812" + +# fixed-version: Fixed after version 4.4rc6 +CVE_CHECK_IGNORE += "CVE-2015-8816" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-8830" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2015-8839" + +# fixed-version: Fixed after version 4.4rc3 +CVE_CHECK_IGNORE += "CVE-2015-8844" + +# fixed-version: Fixed after version 4.4rc3 +CVE_CHECK_IGNORE += "CVE-2015-8845" + +# Skipping CVE-2015-8937, no affected_versions + +# Skipping CVE-2015-8938, no affected_versions + +# Skipping CVE-2015-8939, no affected_versions + +# Skipping CVE-2015-8940, no affected_versions + +# Skipping CVE-2015-8941, no affected_versions + +# Skipping CVE-2015-8942, no affected_versions + +# Skipping CVE-2015-8943, no affected_versions + +# Skipping CVE-2015-8944, no affected_versions + +# fixed-version: Fixed after version 4.1rc2 +CVE_CHECK_IGNORE += "CVE-2015-8950" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2015-8952" + +# fixed-version: Fixed after version 4.3 +CVE_CHECK_IGNORE += "CVE-2015-8953" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2015-8955" + +# fixed-version: Fixed after version 4.2rc1 +CVE_CHECK_IGNORE += "CVE-2015-8956" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-8961" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2015-8962" + +# fixed-version: Fixed after version 4.4 +CVE_CHECK_IGNORE += "CVE-2015-8963" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2015-8964" + +# fixed-version: Fixed after version 4.4rc8 +CVE_CHECK_IGNORE += "CVE-2015-8966" + +# fixed-version: Fixed after version 4.0rc1 +CVE_CHECK_IGNORE += "CVE-2015-8967" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2015-8970" + +# fixed-version: Fixed after version 3.19rc7 +CVE_CHECK_IGNORE += "CVE-2015-9004" + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2015-9016" + +# fixed-version: Fixed after version 4.2rc1 +CVE_CHECK_IGNORE += "CVE-2015-9289" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-0617" + +# fixed-version: Fixed after version 4.5rc2 +CVE_CHECK_IGNORE += "CVE-2016-0723" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-0728" + +# fixed-version: Fixed after version 4.6 +CVE_CHECK_IGNORE += "CVE-2016-0758" + +# Skipping CVE-2016-0774, no affected_versions + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2016-0821" + +# fixed-version: Fixed after version 4.0rc5 +CVE_CHECK_IGNORE += "CVE-2016-0823" + +# fixed-version: Fixed after version 4.8rc7 +CVE_CHECK_IGNORE += "CVE-2016-10044" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2016-10088" + +# fixed-version: Fixed after version 4.9 +CVE_CHECK_IGNORE += "CVE-2016-10147" + +# fixed-version: Fixed after version 4.9rc8 +CVE_CHECK_IGNORE += "CVE-2016-10150" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2016-10153" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2016-10154" + +# fixed-version: Fixed after version 4.9rc7 +CVE_CHECK_IGNORE += "CVE-2016-10200" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2016-10208" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-10229" + +# fixed-version: Fixed after version 4.8rc6 +CVE_CHECK_IGNORE += "CVE-2016-10318" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2016-10723" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2016-10741" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2016-10764" + +# fixed-version: Fixed after version 4.8rc1 +CVE_CHECK_IGNORE += "CVE-2016-10905" + +# fixed-version: Fixed after version 4.5rc6 +CVE_CHECK_IGNORE += "CVE-2016-10906" + +# fixed-version: Fixed after version 4.9rc1 +CVE_CHECK_IGNORE += "CVE-2016-10907" + +# fixed-version: Fixed after version 4.7rc5 +CVE_CHECK_IGNORE += "CVE-2016-1237" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-1575" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-1576" + +# fixed-version: Fixed after version 4.7rc3 +CVE_CHECK_IGNORE += "CVE-2016-1583" + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2016-2053" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2069" + +# fixed-version: Fixed after version 4.4 +CVE_CHECK_IGNORE += "CVE-2016-2070" + +# fixed-version: Fixed after version 4.5rc4 +CVE_CHECK_IGNORE += "CVE-2016-2085" + +# fixed-version: Fixed after version 4.6rc5 +CVE_CHECK_IGNORE += "CVE-2016-2117" + +# fixed-version: Fixed after version 4.5 +CVE_CHECK_IGNORE += "CVE-2016-2143" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-2184" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-2185" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-2186" + +# fixed-version: Fixed after version 4.6rc5 +CVE_CHECK_IGNORE += "CVE-2016-2187" + +# fixed-version: Fixed after version 4.11rc2 +CVE_CHECK_IGNORE += "CVE-2016-2188" + +# fixed-version: Fixed after version 4.5rc4 +CVE_CHECK_IGNORE += "CVE-2016-2383" + +# fixed-version: Fixed after version 4.5rc4 +CVE_CHECK_IGNORE += "CVE-2016-2384" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2543" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2544" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2545" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2546" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2547" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2548" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2549" + +# fixed-version: Fixed after version 4.5rc4 +CVE_CHECK_IGNORE += "CVE-2016-2550" + +# fixed-version: Fixed after version 4.5rc2 +CVE_CHECK_IGNORE += "CVE-2016-2782" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2016-2847" + +# Skipping CVE-2016-2853, no affected_versions + +# Skipping CVE-2016-2854, no affected_versions + +# fixed-version: Fixed after version 4.5 +CVE_CHECK_IGNORE += "CVE-2016-3044" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2016-3070" + +# fixed-version: Fixed after version 4.6rc2 +CVE_CHECK_IGNORE += "CVE-2016-3134" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-3135" + +# fixed-version: Fixed after version 4.6rc3 +CVE_CHECK_IGNORE += "CVE-2016-3136" + +# fixed-version: Fixed after version 4.6rc3 +CVE_CHECK_IGNORE += "CVE-2016-3137" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-3138" + +# fixed-version: Fixed after version 3.17rc1 +CVE_CHECK_IGNORE += "CVE-2016-3139" + +# fixed-version: Fixed after version 4.6rc3 +CVE_CHECK_IGNORE += "CVE-2016-3140" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-3156" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-3157" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-3672" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-3689" + +# Skipping CVE-2016-3695, no affected_versions + +# Skipping CVE-2016-3699, no affected_versions + +# Skipping CVE-2016-3707, no affected_versions + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-3713" + +# CVE-2016-3775 has no known resolution + +# CVE-2016-3802 has no known resolution + +# CVE-2016-3803 has no known resolution + +# fixed-version: Fixed after version 4.4rc4 +CVE_CHECK_IGNORE += "CVE-2016-3841" + +# fixed-version: Fixed after version 4.8rc2 +CVE_CHECK_IGNORE += "CVE-2016-3857" + +# fixed-version: Fixed after version 4.5 +CVE_CHECK_IGNORE += "CVE-2016-3951" + +# fixed-version: Fixed after version 4.6rc3 +CVE_CHECK_IGNORE += "CVE-2016-3955" + +# fixed-version: Fixed after version 4.6rc5 +CVE_CHECK_IGNORE += "CVE-2016-3961" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-4440" + +# fixed-version: Fixed after version 4.7rc4 +CVE_CHECK_IGNORE += "CVE-2016-4470" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-4482" + +# fixed-version: Fixed after version 4.6 +CVE_CHECK_IGNORE += "CVE-2016-4485" + +# fixed-version: Fixed after version 4.6 +CVE_CHECK_IGNORE += "CVE-2016-4486" + +# fixed-version: Fixed after version 4.6rc6 +CVE_CHECK_IGNORE += "CVE-2016-4557" + +# fixed-version: Fixed after version 4.6rc7 +CVE_CHECK_IGNORE += "CVE-2016-4558" + +# fixed-version: Fixed after version 4.6rc6 +CVE_CHECK_IGNORE += "CVE-2016-4565" + +# fixed-version: Fixed after version 4.6rc6 +CVE_CHECK_IGNORE += "CVE-2016-4568" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-4569" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-4578" + +# fixed-version: Fixed after version 4.6 +CVE_CHECK_IGNORE += "CVE-2016-4580" + +# fixed-version: Fixed after version 4.6rc7 +CVE_CHECK_IGNORE += "CVE-2016-4581" + +# fixed-version: Fixed after version 4.7rc4 +CVE_CHECK_IGNORE += "CVE-2016-4794" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-4805" + +# fixed-version: Fixed after version 4.6 +CVE_CHECK_IGNORE += "CVE-2016-4913" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-4951" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-4997" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-4998" + +# fixed-version: Fixed after version 4.9rc2 +CVE_CHECK_IGNORE += "CVE-2016-5195" + +# fixed-version: Fixed after version 4.7rc3 +CVE_CHECK_IGNORE += "CVE-2016-5243" + +# fixed-version: Fixed after version 4.7rc3 +CVE_CHECK_IGNORE += "CVE-2016-5244" + +# Skipping CVE-2016-5340, no affected_versions + +# Skipping CVE-2016-5342, no affected_versions + +# Skipping CVE-2016-5343, no affected_versions + +# Skipping CVE-2016-5344, no affected_versions + +# fixed-version: Fixed after version 4.7 +CVE_CHECK_IGNORE += "CVE-2016-5400" + +# fixed-version: Fixed after version 4.8rc1 +CVE_CHECK_IGNORE += "CVE-2016-5412" + +# fixed-version: Fixed after version 4.7 +CVE_CHECK_IGNORE += "CVE-2016-5696" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-5728" + +# fixed-version: Fixed after version 4.7rc6 +CVE_CHECK_IGNORE += "CVE-2016-5828" + +# fixed-version: Fixed after version 4.7rc5 +CVE_CHECK_IGNORE += "CVE-2016-5829" + +# CVE-2016-5870 has no known resolution + +# fixed-version: Fixed after version 4.6rc6 +CVE_CHECK_IGNORE += "CVE-2016-6130" + +# fixed-version: Fixed after version 4.8rc1 +CVE_CHECK_IGNORE += "CVE-2016-6136" + +# fixed-version: Fixed after version 4.7rc7 +CVE_CHECK_IGNORE += "CVE-2016-6156" + +# fixed-version: Fixed after version 4.7 +CVE_CHECK_IGNORE += "CVE-2016-6162" + +# fixed-version: Fixed after version 4.7rc7 +CVE_CHECK_IGNORE += "CVE-2016-6187" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-6197" + +# fixed-version: Fixed after version 4.6 +CVE_CHECK_IGNORE += "CVE-2016-6198" + +# fixed-version: Fixed after version 4.9rc1 +CVE_CHECK_IGNORE += "CVE-2016-6213" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-6327" + +# fixed-version: Fixed after version 4.8rc3 +CVE_CHECK_IGNORE += "CVE-2016-6480" + +# fixed-version: Fixed after version 4.8rc1 +CVE_CHECK_IGNORE += "CVE-2016-6516" + +# Skipping CVE-2016-6753, no affected_versions + +# fixed-version: Fixed after version 4.0rc1 +CVE_CHECK_IGNORE += "CVE-2016-6786" + +# fixed-version: Fixed after version 4.0rc1 +CVE_CHECK_IGNORE += "CVE-2016-6787" + +# fixed-version: Fixed after version 4.8rc5 +CVE_CHECK_IGNORE += "CVE-2016-6828" + +# fixed-version: Fixed after version 4.9rc4 +CVE_CHECK_IGNORE += "CVE-2016-7039" + +# fixed-version: Fixed after version 4.9rc3 +CVE_CHECK_IGNORE += "CVE-2016-7042" + +# fixed-version: Fixed after version 4.9rc1 +CVE_CHECK_IGNORE += "CVE-2016-7097" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-7117" + +# Skipping CVE-2016-7118, no affected_versions + +# fixed-version: Fixed after version 4.9rc1 +CVE_CHECK_IGNORE += "CVE-2016-7425" + +# fixed-version: Fixed after version 4.8rc1 +CVE_CHECK_IGNORE += "CVE-2016-7910" + +# fixed-version: Fixed after version 4.7rc7 +CVE_CHECK_IGNORE += "CVE-2016-7911" + +# fixed-version: Fixed after version 4.6rc5 +CVE_CHECK_IGNORE += "CVE-2016-7912" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-7913" + +# fixed-version: Fixed after version 4.6rc4 +CVE_CHECK_IGNORE += "CVE-2016-7914" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-7915" + +# fixed-version: Fixed after version 4.6rc7 +CVE_CHECK_IGNORE += "CVE-2016-7916" + +# fixed-version: Fixed after version 4.5rc6 +CVE_CHECK_IGNORE += "CVE-2016-7917" + +# fixed-version: Fixed after version 4.9 +CVE_CHECK_IGNORE += "CVE-2016-8399" + +# Skipping CVE-2016-8401, no affected_versions + +# Skipping CVE-2016-8402, no affected_versions + +# Skipping CVE-2016-8403, no affected_versions + +# Skipping CVE-2016-8404, no affected_versions + +# fixed-version: Fixed after version 4.10rc6 +CVE_CHECK_IGNORE += "CVE-2016-8405" + +# Skipping CVE-2016-8406, no affected_versions + +# Skipping CVE-2016-8407, no affected_versions + +# fixed-version: Fixed after version 4.9rc4 +CVE_CHECK_IGNORE += "CVE-2016-8630" + +# fixed-version: Fixed after version 4.9rc8 +CVE_CHECK_IGNORE += "CVE-2016-8632" + +# fixed-version: Fixed after version 4.9rc4 +CVE_CHECK_IGNORE += "CVE-2016-8633" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2016-8636" + +# fixed-version: Fixed after version 4.9rc6 +CVE_CHECK_IGNORE += "CVE-2016-8645" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2016-8646" + +# fixed-version: Fixed after version 4.9rc7 +CVE_CHECK_IGNORE += "CVE-2016-8650" + +# fixed-version: Fixed after version 4.9rc8 +CVE_CHECK_IGNORE += "CVE-2016-8655" + +# fixed-version: Fixed after version 4.8rc7 +CVE_CHECK_IGNORE += "CVE-2016-8658" + +# CVE-2016-8660 has no known resolution + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-8666" + +# fixed-version: Fixed after version 4.9rc4 +CVE_CHECK_IGNORE += "CVE-2016-9083" + +# fixed-version: Fixed after version 4.9rc4 +CVE_CHECK_IGNORE += "CVE-2016-9084" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-9120" + +# fixed-version: Fixed after version 4.8rc7 +CVE_CHECK_IGNORE += "CVE-2016-9178" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2016-9191" + +# fixed-version: Fixed after version 4.9rc3 +CVE_CHECK_IGNORE += "CVE-2016-9313" + +# fixed-version: Fixed after version 4.9rc4 +CVE_CHECK_IGNORE += "CVE-2016-9555" + +# fixed-version: Fixed after version 4.9 +CVE_CHECK_IGNORE += "CVE-2016-9576" + +# fixed-version: Fixed after version 4.10rc1 +CVE_CHECK_IGNORE += "CVE-2016-9588" + +# fixed-version: Fixed after version 4.11rc8 +CVE_CHECK_IGNORE += "CVE-2016-9604" + +# Skipping CVE-2016-9644, no affected_versions + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2016-9685" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-9754" + +# fixed-version: Fixed after version 4.9rc8 +CVE_CHECK_IGNORE += "CVE-2016-9755" + +# fixed-version: Fixed after version 4.9rc7 +CVE_CHECK_IGNORE += "CVE-2016-9756" + +# fixed-version: Fixed after version 4.9rc7 +CVE_CHECK_IGNORE += "CVE-2016-9777" + +# fixed-version: Fixed after version 4.9rc8 +CVE_CHECK_IGNORE += "CVE-2016-9793" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-9794" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2016-9806" + +# fixed-version: Fixed after version 4.9rc8 +CVE_CHECK_IGNORE += "CVE-2016-9919" + +# Skipping CVE-2017-0403, no affected_versions + +# Skipping CVE-2017-0404, no affected_versions + +# Skipping CVE-2017-0426, no affected_versions + +# Skipping CVE-2017-0427, no affected_versions + +# CVE-2017-0507 has no known resolution + +# CVE-2017-0508 has no known resolution + +# Skipping CVE-2017-0510, no affected_versions + +# Skipping CVE-2017-0528, no affected_versions + +# Skipping CVE-2017-0537, no affected_versions + +# CVE-2017-0564 has no known resolution + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-0605" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-0627" + +# CVE-2017-0630 has no known resolution + +# CVE-2017-0749 has no known resolution + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2017-0750" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-0786" + +# fixed-version: Fixed after version 4.15rc3 +CVE_CHECK_IGNORE += "CVE-2017-0861" + +# fixed-version: Fixed after version 4.13rc5 +CVE_CHECK_IGNORE += "CVE-2017-1000" + +# fixed-version: Fixed after version 4.13rc5 +CVE_CHECK_IGNORE += "CVE-2017-1000111" + +# fixed-version: Fixed after version 4.13rc5 +CVE_CHECK_IGNORE += "CVE-2017-1000112" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-1000251" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-1000252" + +# fixed-version: Fixed after version 4.1rc1 +CVE_CHECK_IGNORE += "CVE-2017-1000253" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-1000255" + +# fixed-version: Fixed after version 4.12rc2 +CVE_CHECK_IGNORE += "CVE-2017-1000363" + +# fixed-version: Fixed after version 4.12rc6 +CVE_CHECK_IGNORE += "CVE-2017-1000364" + +# fixed-version: Fixed after version 4.12rc7 +CVE_CHECK_IGNORE += "CVE-2017-1000365" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-1000370" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-1000371" + +# fixed-version: Fixed after version 4.12rc6 +CVE_CHECK_IGNORE += "CVE-2017-1000379" + +# fixed-version: Fixed after version 4.12rc5 +CVE_CHECK_IGNORE += "CVE-2017-1000380" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2017-1000405" + +# fixed-version: Fixed after version 4.15rc3 +CVE_CHECK_IGNORE += "CVE-2017-1000407" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2017-1000410" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-10661" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-10662" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-10663" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-10810" + +# fixed-version: Fixed after version 4.12rc7 +CVE_CHECK_IGNORE += "CVE-2017-10911" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-11089" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-11176" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-11472" + +# fixed-version: Fixed after version 4.13rc2 +CVE_CHECK_IGNORE += "CVE-2017-11473" + +# fixed-version: Fixed after version 4.13 +CVE_CHECK_IGNORE += "CVE-2017-11600" + +# fixed-version: Fixed after version 4.13rc6 +CVE_CHECK_IGNORE += "CVE-2017-12134" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-12146" + +# fixed-version: Fixed after version 4.14rc2 +CVE_CHECK_IGNORE += "CVE-2017-12153" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-12154" + +# fixed-version: Fixed after version 4.9rc6 +CVE_CHECK_IGNORE += "CVE-2017-12168" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-12188" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-12190" + +# fixed-version: Fixed after version 4.14rc3 +CVE_CHECK_IGNORE += "CVE-2017-12192" + +# fixed-version: Fixed after version 4.14rc7 +CVE_CHECK_IGNORE += "CVE-2017-12193" + +# fixed-version: Fixed after version 4.13rc4 +CVE_CHECK_IGNORE += "CVE-2017-12762" + +# fixed-version: Fixed after version 4.14rc6 +CVE_CHECK_IGNORE += "CVE-2017-13080" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2017-13166" + +# fixed-version: Fixed after version 4.5rc4 +CVE_CHECK_IGNORE += "CVE-2017-13167" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2017-13168" + +# fixed-version: Fixed after version 4.5rc1 +CVE_CHECK_IGNORE += "CVE-2017-13215" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2017-13216" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2017-13220" + +# CVE-2017-13221 has no known resolution + +# CVE-2017-13222 has no known resolution + +# fixed-version: Fixed after version 4.12rc5 +CVE_CHECK_IGNORE += "CVE-2017-13305" + +# fixed-version: Fixed after version 4.13rc7 +CVE_CHECK_IGNORE += "CVE-2017-13686" + +# CVE-2017-13693 has no known resolution + +# CVE-2017-13694 has no known resolution + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2017-13695" + +# fixed-version: Fixed after version 4.3rc1 +CVE_CHECK_IGNORE += "CVE-2017-13715" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-14051" + +# fixed-version: Fixed after version 4.12rc3 +CVE_CHECK_IGNORE += "CVE-2017-14106" + +# fixed-version: Fixed after version 4.13rc6 +CVE_CHECK_IGNORE += "CVE-2017-14140" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-14156" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-14340" + +# fixed-version: Fixed after version 4.14rc3 +CVE_CHECK_IGNORE += "CVE-2017-14489" + +# fixed-version: Fixed after version 4.13 +CVE_CHECK_IGNORE += "CVE-2017-14497" + +# fixed-version: Fixed after version 4.14rc3 +CVE_CHECK_IGNORE += "CVE-2017-14954" + +# fixed-version: Fixed after version 4.14rc2 +CVE_CHECK_IGNORE += "CVE-2017-14991" + +# fixed-version: Fixed after version 4.9rc1 +CVE_CHECK_IGNORE += "CVE-2017-15102" + +# fixed-version: Fixed after version 4.14rc6 +CVE_CHECK_IGNORE += "CVE-2017-15115" + +# fixed-version: Fixed after version 4.2rc1 +CVE_CHECK_IGNORE += "CVE-2017-15116" + +# fixed-version: Fixed after version 3.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-15121" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-15126" + +# fixed-version: Fixed after version 4.13rc5 +CVE_CHECK_IGNORE += "CVE-2017-15127" + +# fixed-version: Fixed after version 4.14rc8 +CVE_CHECK_IGNORE += "CVE-2017-15128" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-15129" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-15265" + +# fixed-version: Fixed after version 4.12rc5 +CVE_CHECK_IGNORE += "CVE-2017-15274" + +# fixed-version: Fixed after version 4.14rc6 +CVE_CHECK_IGNORE += "CVE-2017-15299" + +# fixed-version: Fixed after version 4.14rc7 +CVE_CHECK_IGNORE += "CVE-2017-15306" + +# fixed-version: Fixed after version 4.14rc3 +CVE_CHECK_IGNORE += "CVE-2017-15537" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-15649" + +# fixed-version: Fixed after version 3.19rc3 +CVE_CHECK_IGNORE += "CVE-2017-15868" + +# fixed-version: Fixed after version 4.14rc6 +CVE_CHECK_IGNORE += "CVE-2017-15951" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-16525" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-16526" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-16527" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2017-16528" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-16529" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-16530" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-16531" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-16532" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-16533" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2017-16534" + +# fixed-version: Fixed after version 4.14rc6 +CVE_CHECK_IGNORE += "CVE-2017-16535" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-16536" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-16537" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2017-16538" + +# fixed-version: Fixed after version 4.14rc7 +CVE_CHECK_IGNORE += "CVE-2017-16643" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2017-16644" + +# fixed-version: Fixed after version 4.14rc6 +CVE_CHECK_IGNORE += "CVE-2017-16645" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-16646" + +# fixed-version: Fixed after version 4.14 +CVE_CHECK_IGNORE += "CVE-2017-16647" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-16648" + +# fixed-version: Fixed after version 4.14 +CVE_CHECK_IGNORE += "CVE-2017-16649" + +# fixed-version: Fixed after version 4.14 +CVE_CHECK_IGNORE += "CVE-2017-16650" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-16911" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-16912" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-16913" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-16914" + +# fixed-version: Fixed after version 4.14rc7 +CVE_CHECK_IGNORE += "CVE-2017-16939" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-16994" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-16995" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-16996" + +# fixed-version: Fixed after version 4.13rc7 +CVE_CHECK_IGNORE += "CVE-2017-17052" + +# fixed-version: Fixed after version 4.13rc7 +CVE_CHECK_IGNORE += "CVE-2017-17053" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-17448" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-17449" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-17450" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-17558" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-17712" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17741" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-17805" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-17806" + +# fixed-version: Fixed after version 4.15rc3 +CVE_CHECK_IGNORE += "CVE-2017-17807" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17852" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17853" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17854" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17855" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17856" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17857" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-17862" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17863" + +# fixed-version: Fixed after version 4.15rc5 +CVE_CHECK_IGNORE += "CVE-2017-17864" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2017-17975" + +# fixed-version: Fixed after version 4.11rc7 +CVE_CHECK_IGNORE += "CVE-2017-18017" + +# fixed-version: Fixed after version 4.15rc7 +CVE_CHECK_IGNORE += "CVE-2017-18075" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-18079" + +# CVE-2017-18169 has no known resolution + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2017-18174" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-18193" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-18200" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2017-18202" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-18203" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-18204" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2017-18208" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-18216" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-18218" + +# fixed-version: Fixed after version 4.12rc4 +CVE_CHECK_IGNORE += "CVE-2017-18221" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-18222" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-18224" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2017-18232" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-18241" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-18249" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-18255" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-18257" + +# fixed-version: Fixed after version 4.13rc6 +CVE_CHECK_IGNORE += "CVE-2017-18261" + +# fixed-version: Fixed after version 4.14rc3 +CVE_CHECK_IGNORE += "CVE-2017-18270" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2017-18344" + +# fixed-version: Fixed after version 4.12rc2 +CVE_CHECK_IGNORE += "CVE-2017-18360" + +# fixed-version: Fixed after version 4.14rc3 +CVE_CHECK_IGNORE += "CVE-2017-18379" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-18509" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-18549" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-18550" + +# fixed-version: Fixed after version 4.15rc9 +CVE_CHECK_IGNORE += "CVE-2017-18551" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-18552" + +# fixed-version: Fixed after version 4.15rc6 +CVE_CHECK_IGNORE += "CVE-2017-18595" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-2583" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-2584" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-2596" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-2618" + +# fixed-version: Fixed after version 2.6.25rc1 +CVE_CHECK_IGNORE += "CVE-2017-2634" + +# fixed-version: Fixed after version 4.11rc2 +CVE_CHECK_IGNORE += "CVE-2017-2636" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2017-2647" + +# fixed-version: Fixed after version 4.11rc6 +CVE_CHECK_IGNORE += "CVE-2017-2671" + +# fixed-version: Fixed after version 4.14rc5 +CVE_CHECK_IGNORE += "CVE-2017-5123" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-5546" + +# fixed-version: Fixed after version 4.10rc5 +CVE_CHECK_IGNORE += "CVE-2017-5547" + +# fixed-version: Fixed after version 4.10rc5 +CVE_CHECK_IGNORE += "CVE-2017-5548" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-5549" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-5550" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-5551" + +# fixed-version: Fixed after version 4.10rc6 +CVE_CHECK_IGNORE += "CVE-2017-5576" + +# fixed-version: Fixed after version 4.10rc6 +CVE_CHECK_IGNORE += "CVE-2017-5577" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-5669" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2017-5715" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2017-5753" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2017-5754" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-5897" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-5967" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-5970" + +# fixed-version: Fixed after version 4.4rc1 +CVE_CHECK_IGNORE += "CVE-2017-5972" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-5986" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-6001" + +# fixed-version: Fixed after version 4.10 +CVE_CHECK_IGNORE += "CVE-2017-6074" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-6214" + +# fixed-version: Fixed after version 4.10 +CVE_CHECK_IGNORE += "CVE-2017-6345" + +# fixed-version: Fixed after version 4.10 +CVE_CHECK_IGNORE += "CVE-2017-6346" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-6347" + +# fixed-version: Fixed after version 4.10 +CVE_CHECK_IGNORE += "CVE-2017-6348" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-6353" + +# fixed-version: Fixed after version 4.11rc2 +CVE_CHECK_IGNORE += "CVE-2017-6874" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2017-6951" + +# fixed-version: Fixed after version 4.11rc5 +CVE_CHECK_IGNORE += "CVE-2017-7184" + +# fixed-version: Fixed after version 4.11rc5 +CVE_CHECK_IGNORE += "CVE-2017-7187" + +# fixed-version: Fixed after version 4.11rc6 +CVE_CHECK_IGNORE += "CVE-2017-7261" + +# fixed-version: Fixed after version 4.10rc4 +CVE_CHECK_IGNORE += "CVE-2017-7273" + +# fixed-version: Fixed after version 4.11rc4 +CVE_CHECK_IGNORE += "CVE-2017-7277" + +# fixed-version: Fixed after version 4.11rc6 +CVE_CHECK_IGNORE += "CVE-2017-7294" + +# fixed-version: Fixed after version 4.11rc6 +CVE_CHECK_IGNORE += "CVE-2017-7308" + +# fixed-version: Fixed after version 4.12rc5 +CVE_CHECK_IGNORE += "CVE-2017-7346" + +# CVE-2017-7369 has no known resolution + +# fixed-version: Fixed after version 4.11rc4 +CVE_CHECK_IGNORE += "CVE-2017-7374" + +# fixed-version: Fixed after version 4.11rc8 +CVE_CHECK_IGNORE += "CVE-2017-7472" + +# fixed-version: Fixed after version 4.11 +CVE_CHECK_IGNORE += "CVE-2017-7477" + +# fixed-version: Fixed after version 4.12rc7 +CVE_CHECK_IGNORE += "CVE-2017-7482" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-7487" + +# fixed-version: Fixed after version 4.7rc1 +CVE_CHECK_IGNORE += "CVE-2017-7495" + +# fixed-version: Fixed after version 4.12rc7 +CVE_CHECK_IGNORE += "CVE-2017-7518" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-7533" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-7541" + +# fixed-version: Fixed after version 4.13rc2 +CVE_CHECK_IGNORE += "CVE-2017-7542" + +# fixed-version: Fixed after version 4.13 +CVE_CHECK_IGNORE += "CVE-2017-7558" + +# fixed-version: Fixed after version 4.11rc6 +CVE_CHECK_IGNORE += "CVE-2017-7616" + +# fixed-version: Fixed after version 4.11rc8 +CVE_CHECK_IGNORE += "CVE-2017-7618" + +# fixed-version: Fixed after version 4.11 +CVE_CHECK_IGNORE += "CVE-2017-7645" + +# fixed-version: Fixed after version 4.11rc7 +CVE_CHECK_IGNORE += "CVE-2017-7889" + +# fixed-version: Fixed after version 4.11 +CVE_CHECK_IGNORE += "CVE-2017-7895" + +# fixed-version: Fixed after version 4.11rc8 +CVE_CHECK_IGNORE += "CVE-2017-7979" + +# fixed-version: Fixed after version 4.11rc4 +CVE_CHECK_IGNORE += "CVE-2017-8061" + +# fixed-version: Fixed after version 4.11rc2 +CVE_CHECK_IGNORE += "CVE-2017-8062" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-8063" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-8064" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-8065" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-8066" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2017-8067" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-8068" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-8069" + +# fixed-version: Fixed after version 4.10rc8 +CVE_CHECK_IGNORE += "CVE-2017-8070" + +# fixed-version: Fixed after version 4.10rc7 +CVE_CHECK_IGNORE += "CVE-2017-8071" + +# fixed-version: Fixed after version 4.10rc7 +CVE_CHECK_IGNORE += "CVE-2017-8072" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2017-8106" + +# fixed-version: Fixed after version 3.19rc6 +CVE_CHECK_IGNORE += "CVE-2017-8240" + +# CVE-2017-8242 has no known resolution + +# CVE-2017-8244 has no known resolution + +# CVE-2017-8245 has no known resolution + +# CVE-2017-8246 has no known resolution + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-8797" + +# fixed-version: Fixed after version 4.15rc3 +CVE_CHECK_IGNORE += "CVE-2017-8824" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-8831" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-8890" + +# fixed-version: Fixed after version 4.11rc2 +CVE_CHECK_IGNORE += "CVE-2017-8924" + +# fixed-version: Fixed after version 4.11rc2 +CVE_CHECK_IGNORE += "CVE-2017-8925" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-9059" + +# fixed-version: Fixed after version 4.12rc2 +CVE_CHECK_IGNORE += "CVE-2017-9074" + +# fixed-version: Fixed after version 4.12rc2 +CVE_CHECK_IGNORE += "CVE-2017-9075" + +# fixed-version: Fixed after version 4.12rc2 +CVE_CHECK_IGNORE += "CVE-2017-9076" + +# fixed-version: Fixed after version 4.12rc2 +CVE_CHECK_IGNORE += "CVE-2017-9077" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2017-9150" + +# fixed-version: Fixed after version 4.12rc3 +CVE_CHECK_IGNORE += "CVE-2017-9211" + +# fixed-version: Fixed after version 4.12rc3 +CVE_CHECK_IGNORE += "CVE-2017-9242" + +# fixed-version: Fixed after version 4.12rc5 +CVE_CHECK_IGNORE += "CVE-2017-9605" + +# fixed-version: Fixed after version 4.3rc7 +CVE_CHECK_IGNORE += "CVE-2017-9725" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-9984" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2017-9985" + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2017-9986" + +# fixed-version: Fixed after version 4.15rc9 +CVE_CHECK_IGNORE += "CVE-2018-1000004" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2018-1000026" + +# fixed-version: Fixed after version 4.15 +CVE_CHECK_IGNORE += "CVE-2018-1000028" + +# fixed-version: Fixed after version 4.16 +CVE_CHECK_IGNORE += "CVE-2018-1000199" + +# fixed-version: Fixed after version 4.17rc5 +CVE_CHECK_IGNORE += "CVE-2018-1000200" + +# fixed-version: Fixed after version 4.17rc7 +CVE_CHECK_IGNORE += "CVE-2018-1000204" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-10021" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-10074" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2018-10087" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2018-10124" + +# fixed-version: Fixed after version 4.17rc4 +CVE_CHECK_IGNORE += "CVE-2018-10322" + +# fixed-version: Fixed after version 4.17rc4 +CVE_CHECK_IGNORE += "CVE-2018-10323" + +# fixed-version: Fixed after version 4.16rc3 +CVE_CHECK_IGNORE += "CVE-2018-1065" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2018-1066" + +# fixed-version: Fixed after version 4.13rc6 +CVE_CHECK_IGNORE += "CVE-2018-10675" + +# fixed-version: Fixed after version 4.16rc5 +CVE_CHECK_IGNORE += "CVE-2018-1068" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-10840" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-10853" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-1087" + +# CVE-2018-10872 has no known resolution + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10876" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10877" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10878" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10879" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10880" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10881" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10882" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-10883" + +# fixed-version: Fixed after version 2.6.36rc1 +CVE_CHECK_IGNORE += "CVE-2018-10901" + +# fixed-version: Fixed after version 4.18rc6 +CVE_CHECK_IGNORE += "CVE-2018-10902" + +# fixed-version: Fixed after version 4.14rc2 +CVE_CHECK_IGNORE += "CVE-2018-1091" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2018-1092" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2018-1093" + +# fixed-version: Fixed after version 4.13rc5 +CVE_CHECK_IGNORE += "CVE-2018-10938" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2018-1094" + +# fixed-version: Fixed after version 4.17rc3 +CVE_CHECK_IGNORE += "CVE-2018-10940" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2018-1095" + +# fixed-version: Fixed after version 4.17rc2 +CVE_CHECK_IGNORE += "CVE-2018-1108" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-1118" + +# fixed-version: Fixed after version 4.17rc6 +CVE_CHECK_IGNORE += "CVE-2018-1120" + +# CVE-2018-1121 has no known resolution + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2018-11232" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-1128" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-1129" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-1130" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-11412" + +# fixed-version: Fixed after version 4.17rc7 +CVE_CHECK_IGNORE += "CVE-2018-11506" + +# fixed-version: Fixed after version 4.17rc5 +CVE_CHECK_IGNORE += "CVE-2018-11508" + +# CVE-2018-11987 has no known resolution + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2018-12126" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2018-12127" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2018-12130" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2018-12207" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-12232" + +# fixed-version: Fixed after version 4.18rc2 +CVE_CHECK_IGNORE += "CVE-2018-12233" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-12633" + +# fixed-version: Fixed after version 4.18rc2 +CVE_CHECK_IGNORE += "CVE-2018-12714" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-12896" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-12904" + +# CVE-2018-12928 has no known resolution + +# CVE-2018-12929 has no known resolution + +# CVE-2018-12930 has no known resolution + +# CVE-2018-12931 has no known resolution + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-13053" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-13093" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-13094" + +# fixed-version: Fixed after version 4.18rc3 +CVE_CHECK_IGNORE += "CVE-2018-13095" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-13096" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-13097" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-13098" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-13099" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-13100" + +# fixed-version: Fixed after version 4.18rc4 +CVE_CHECK_IGNORE += "CVE-2018-13405" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-13406" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14609" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14610" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14611" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14612" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14613" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14614" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14615" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14616" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-14617" + +# fixed-version: Fixed after version 4.15rc4 +CVE_CHECK_IGNORE += "CVE-2018-14619" + +# fixed-version: Fixed after version 4.20rc6 +CVE_CHECK_IGNORE += "CVE-2018-14625" + +# fixed-version: Fixed after version 4.19rc6 +CVE_CHECK_IGNORE += "CVE-2018-14633" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2018-14634" + +# fixed-version: Fixed after version 4.19rc4 +CVE_CHECK_IGNORE += "CVE-2018-14641" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2018-14646" + +# fixed-version: Fixed after version 4.19rc2 +CVE_CHECK_IGNORE += "CVE-2018-14656" + +# fixed-version: Fixed after version 4.18rc8 +CVE_CHECK_IGNORE += "CVE-2018-14678" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-14734" + +# fixed-version: Fixed after version 4.19rc7 +CVE_CHECK_IGNORE += "CVE-2018-15471" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-15572" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-15594" + +# fixed-version: Fixed after version 4.18rc5 +CVE_CHECK_IGNORE += "CVE-2018-16276" + +# fixed-version: Fixed after version 4.8rc1 +CVE_CHECK_IGNORE += "CVE-2018-16597" + +# fixed-version: Fixed after version 4.19rc2 +CVE_CHECK_IGNORE += "CVE-2018-16658" + +# fixed-version: Fixed after version 4.20rc5 +CVE_CHECK_IGNORE += "CVE-2018-16862" + +# fixed-version: Fixed after version 4.20rc3 +CVE_CHECK_IGNORE += "CVE-2018-16871" + +# fixed-version: Fixed after version 5.0rc5 +CVE_CHECK_IGNORE += "CVE-2018-16880" + +# fixed-version: Fixed after version 4.20 +CVE_CHECK_IGNORE += "CVE-2018-16882" + +# fixed-version: Fixed after version 5.0rc1 +CVE_CHECK_IGNORE += "CVE-2018-16884" + +# CVE-2018-16885 has no known resolution + +# fixed-version: Fixed after version 4.19rc4 +CVE_CHECK_IGNORE += "CVE-2018-17182" + +# fixed-version: Fixed after version 4.19rc7 +CVE_CHECK_IGNORE += "CVE-2018-17972" + +# CVE-2018-17977 has no known resolution + +# fixed-version: Fixed after version 4.19rc7 +CVE_CHECK_IGNORE += "CVE-2018-18021" + +# fixed-version: Fixed after version 4.19 +CVE_CHECK_IGNORE += "CVE-2018-18281" + +# fixed-version: Fixed after version 4.15rc6 +CVE_CHECK_IGNORE += "CVE-2018-18386" + +# fixed-version: Fixed after version 4.20rc5 +CVE_CHECK_IGNORE += "CVE-2018-18397" + +# fixed-version: Fixed after version 4.19rc7 +CVE_CHECK_IGNORE += "CVE-2018-18445" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2018-18559" + +# CVE-2018-18653 has no known resolution + +# fixed-version: Fixed after version 4.17rc4 +CVE_CHECK_IGNORE += "CVE-2018-18690" + +# fixed-version: Fixed after version 4.20rc1 +CVE_CHECK_IGNORE += "CVE-2018-18710" + +# fixed-version: Fixed after version 4.20rc2 +CVE_CHECK_IGNORE += "CVE-2018-18955" + +# fixed-version: Fixed after version 4.20rc5 +CVE_CHECK_IGNORE += "CVE-2018-19406" + +# fixed-version: Fixed after version 4.20rc5 +CVE_CHECK_IGNORE += "CVE-2018-19407" + +# fixed-version: Fixed after version 4.20rc6 +CVE_CHECK_IGNORE += "CVE-2018-19824" + +# fixed-version: Fixed after version 4.20rc3 +CVE_CHECK_IGNORE += "CVE-2018-19854" + +# fixed-version: Fixed after version 4.20 +CVE_CHECK_IGNORE += "CVE-2018-19985" + +# fixed-version: Fixed after version 4.20rc6 +CVE_CHECK_IGNORE += "CVE-2018-20169" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2018-20449" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2018-20509" + +# fixed-version: Fixed after version 4.16rc3 +CVE_CHECK_IGNORE += "CVE-2018-20510" + +# fixed-version: Fixed after version 4.19rc5 +CVE_CHECK_IGNORE += "CVE-2018-20511" + +# fixed-version: Fixed after version 5.0rc1 +CVE_CHECK_IGNORE += "CVE-2018-20669" + +# fixed-version: Fixed after version 5.0rc1 +CVE_CHECK_IGNORE += "CVE-2018-20784" + +# fixed-version: Fixed after version 4.20rc1 +CVE_CHECK_IGNORE += "CVE-2018-20836" + +# fixed-version: Fixed after version 4.20rc1 +CVE_CHECK_IGNORE += "CVE-2018-20854" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-20855" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-20856" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2018-20961" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-20976" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2018-21008" + +# fixed-version: Fixed after version 4.15rc9 +CVE_CHECK_IGNORE += "CVE-2018-25015" + +# fixed-version: Fixed after version 4.17rc7 +CVE_CHECK_IGNORE += "CVE-2018-25020" + +# CVE-2018-3574 has no known resolution + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-3620" + +# fixed-version: Fixed after version 4.17rc7 +CVE_CHECK_IGNORE += "CVE-2018-3639" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-3646" + +# fixed-version: Fixed after version 3.7rc1 +CVE_CHECK_IGNORE += "CVE-2018-3665" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-3693" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2018-5332" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2018-5333" + +# fixed-version: Fixed after version 4.15rc8 +CVE_CHECK_IGNORE += "CVE-2018-5344" + +# fixed-version: Fixed after version 4.18rc7 +CVE_CHECK_IGNORE += "CVE-2018-5390" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-5391" + +# fixed-version: Fixed after version 4.16rc5 +CVE_CHECK_IGNORE += "CVE-2018-5703" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2018-5750" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2018-5803" + +# fixed-version: Fixed after version 4.17rc6 +CVE_CHECK_IGNORE += "CVE-2018-5814" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2018-5848" + +# Skipping CVE-2018-5856, no affected_versions + +# fixed-version: Fixed after version 4.11rc8 +CVE_CHECK_IGNORE += "CVE-2018-5873" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2018-5953" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2018-5995" + +# fixed-version: Fixed after version 4.16rc5 +CVE_CHECK_IGNORE += "CVE-2018-6412" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2018-6554" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2018-6555" + +# CVE-2018-6559 has no known resolution + +# fixed-version: Fixed after version 4.15rc9 +CVE_CHECK_IGNORE += "CVE-2018-6927" + +# fixed-version: Fixed after version 4.14rc6 +CVE_CHECK_IGNORE += "CVE-2018-7191" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2018-7273" + +# fixed-version: Fixed after version 4.11rc1 +CVE_CHECK_IGNORE += "CVE-2018-7480" + +# fixed-version: Fixed after version 4.15rc3 +CVE_CHECK_IGNORE += "CVE-2018-7492" + +# fixed-version: Fixed after version 4.16rc2 +CVE_CHECK_IGNORE += "CVE-2018-7566" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-7740" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2018-7754" + +# fixed-version: Fixed after version 4.19rc5 +CVE_CHECK_IGNORE += "CVE-2018-7755" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2018-7757" + +# fixed-version: Fixed after version 4.16rc5 +CVE_CHECK_IGNORE += "CVE-2018-7995" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2018-8043" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2018-8087" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-8781" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-8822" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2018-8897" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2018-9363" + +# fixed-version: Fixed after version 4.17rc3 +CVE_CHECK_IGNORE += "CVE-2018-9385" + +# fixed-version: Fixed after version 4.17rc3 +CVE_CHECK_IGNORE += "CVE-2018-9415" + +# fixed-version: Fixed after version 4.6rc1 +CVE_CHECK_IGNORE += "CVE-2018-9422" + +# fixed-version: Fixed after version 4.15rc6 +CVE_CHECK_IGNORE += "CVE-2018-9465" + +# fixed-version: Fixed after version 4.18rc5 +CVE_CHECK_IGNORE += "CVE-2018-9516" + +# fixed-version: Fixed after version 4.14rc1 +CVE_CHECK_IGNORE += "CVE-2018-9517" + +# fixed-version: Fixed after version 4.16rc3 +CVE_CHECK_IGNORE += "CVE-2018-9518" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2018-9568" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-0136" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-0145" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-0146" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-0147" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-0148" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-0149" + +# fixed-version: Fixed after version 5.4rc8 +CVE_CHECK_IGNORE += "CVE-2019-0154" + +# fixed-version: Fixed after version 5.4rc8 +CVE_CHECK_IGNORE += "CVE-2019-0155" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-10124" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-10125" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-10126" + +# CVE-2019-10140 has no known resolution + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-10142" + +# fixed-version: Fixed after version 5.3rc3 +CVE_CHECK_IGNORE += "CVE-2019-10207" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-10220" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-10638" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-10639" + +# fixed-version: Fixed after version 5.0rc3 +CVE_CHECK_IGNORE += "CVE-2019-11085" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-11091" + +# fixed-version: Fixed after version 5.4rc8 +CVE_CHECK_IGNORE += "CVE-2019-11135" + +# fixed-version: Fixed after version 4.8rc5 +CVE_CHECK_IGNORE += "CVE-2019-11190" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-11191" + +# fixed-version: Fixed after version 5.3rc4 +CVE_CHECK_IGNORE += "CVE-2019-1125" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-11477" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-11478" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-11479" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-11486" + +# fixed-version: Fixed after version 5.1rc5 +CVE_CHECK_IGNORE += "CVE-2019-11487" + +# fixed-version: Fixed after version 5.1rc6 +CVE_CHECK_IGNORE += "CVE-2019-11599" + +# fixed-version: Fixed after version 5.1 +CVE_CHECK_IGNORE += "CVE-2019-11683" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-11810" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-11811" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-11815" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-11833" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-11884" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-12378" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-12379" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-12380" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-12381" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-12382" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-12454" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-12455" + +# CVE-2019-12456 has no known resolution + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-12614" + +# fixed-version: Fixed after version 5.2rc4 +CVE_CHECK_IGNORE += "CVE-2019-12615" + +# fixed-version: Fixed after version 5.2rc7 +CVE_CHECK_IGNORE += "CVE-2019-12817" + +# fixed-version: Fixed after version 5.0 +CVE_CHECK_IGNORE += "CVE-2019-12818" + +# fixed-version: Fixed after version 5.0rc8 +CVE_CHECK_IGNORE += "CVE-2019-12819" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2019-12881" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-12984" + +# fixed-version: Fixed after version 5.2rc4 +CVE_CHECK_IGNORE += "CVE-2019-13233" + +# fixed-version: Fixed after version 5.2 +CVE_CHECK_IGNORE += "CVE-2019-13272" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-13631" + +# fixed-version: Fixed after version 5.3rc2 +CVE_CHECK_IGNORE += "CVE-2019-13648" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-14283" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-14284" + +# fixed-version: Fixed after version 5.5rc7 +CVE_CHECK_IGNORE += "CVE-2019-14615" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2019-14763" + +# fixed-version: Fixed after version 5.3 +CVE_CHECK_IGNORE += "CVE-2019-14814" + +# fixed-version: Fixed after version 5.3 +CVE_CHECK_IGNORE += "CVE-2019-14815" + +# fixed-version: Fixed after version 5.3 +CVE_CHECK_IGNORE += "CVE-2019-14816" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-14821" + +# fixed-version: Fixed after version 5.3 +CVE_CHECK_IGNORE += "CVE-2019-14835" + +# fixed-version: Fixed after version 5.5rc3 +CVE_CHECK_IGNORE += "CVE-2019-14895" + +# fixed-version: Fixed after version 5.5 +CVE_CHECK_IGNORE += "CVE-2019-14896" + +# fixed-version: Fixed after version 5.5 +CVE_CHECK_IGNORE += "CVE-2019-14897" + +# CVE-2019-14898 has no known resolution + +# fixed-version: Fixed after version 5.5rc3 +CVE_CHECK_IGNORE += "CVE-2019-14901" + +# fixed-version: Fixed after version 5.3rc8 +CVE_CHECK_IGNORE += "CVE-2019-15030" + +# fixed-version: Fixed after version 5.3rc8 +CVE_CHECK_IGNORE += "CVE-2019-15031" + +# fixed-version: Fixed after version 5.2rc2 +CVE_CHECK_IGNORE += "CVE-2019-15090" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-15098" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-15099" + +# fixed-version: Fixed after version 5.3rc5 +CVE_CHECK_IGNORE += "CVE-2019-15117" + +# fixed-version: Fixed after version 5.3rc5 +CVE_CHECK_IGNORE += "CVE-2019-15118" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-15211" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-15212" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-15213" + +# fixed-version: Fixed after version 5.1rc6 +CVE_CHECK_IGNORE += "CVE-2019-15214" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-15215" + +# fixed-version: Fixed after version 5.1 +CVE_CHECK_IGNORE += "CVE-2019-15216" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-15217" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-15218" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-15219" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-15220" + +# fixed-version: Fixed after version 5.2 +CVE_CHECK_IGNORE += "CVE-2019-15221" + +# fixed-version: Fixed after version 5.3rc3 +CVE_CHECK_IGNORE += "CVE-2019-15222" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-15223" + +# CVE-2019-15239 has no known resolution + +# CVE-2019-15290 has no known resolution + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-15291" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-15292" + +# fixed-version: Fixed after version 5.3 +CVE_CHECK_IGNORE += "CVE-2019-15504" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-15505" + +# fixed-version: Fixed after version 5.3rc6 +CVE_CHECK_IGNORE += "CVE-2019-15538" + +# fixed-version: Fixed after version 5.1 +CVE_CHECK_IGNORE += "CVE-2019-15666" + +# CVE-2019-15791 has no known resolution + +# CVE-2019-15792 has no known resolution + +# CVE-2019-15793 has no known resolution + +# fixed-version: Fixed after version 5.12 +CVE_CHECK_IGNORE += "CVE-2019-15794" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2019-15807" + +# CVE-2019-15902 has no known resolution + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-15916" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-15917" + +# fixed-version: Fixed after version 5.1rc6 +CVE_CHECK_IGNORE += "CVE-2019-15918" + +# fixed-version: Fixed after version 5.1rc6 +CVE_CHECK_IGNORE += "CVE-2019-15919" + +# fixed-version: Fixed after version 5.1rc6 +CVE_CHECK_IGNORE += "CVE-2019-15920" + +# fixed-version: Fixed after version 5.1rc3 +CVE_CHECK_IGNORE += "CVE-2019-15921" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-15922" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-15923" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-15924" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-15925" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-15926" + +# fixed-version: Fixed after version 5.0rc2 +CVE_CHECK_IGNORE += "CVE-2019-15927" + +# CVE-2019-16089 has no known resolution + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-16229" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-16230" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-16231" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-16232" + +# fixed-version: Fixed after version 5.4rc5 +CVE_CHECK_IGNORE += "CVE-2019-16233" + +# fixed-version: Fixed after version 5.4rc4 +CVE_CHECK_IGNORE += "CVE-2019-16234" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-16413" + +# fixed-version: Fixed after version 5.3rc7 +CVE_CHECK_IGNORE += "CVE-2019-16714" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-16746" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2019-16921" + +# fixed-version: Fixed after version 5.0 +CVE_CHECK_IGNORE += "CVE-2019-16994" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-16995" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-17052" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-17053" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-17054" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-17055" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-17056" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-17075" + +# fixed-version: Fixed after version 5.4rc4 +CVE_CHECK_IGNORE += "CVE-2019-17133" + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-17351" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-17666" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-18198" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-18282" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-18660" + +# fixed-version: Fixed after version 4.17rc5 +CVE_CHECK_IGNORE += "CVE-2019-18675" + +# CVE-2019-18680 has no known resolution + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-18683" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-18786" + +# fixed-version: Fixed after version 5.1rc7 +CVE_CHECK_IGNORE += "CVE-2019-18805" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-18806" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-18807" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-18808" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-18809" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-18810" + +# fixed-version: Fixed after version 5.4rc7 +CVE_CHECK_IGNORE += "CVE-2019-18811" + +# fixed-version: Fixed after version 5.4rc7 +CVE_CHECK_IGNORE += "CVE-2019-18812" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-18813" + +# fixed-version: Fixed after version 5.7rc7 +CVE_CHECK_IGNORE += "CVE-2019-18814" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-18885" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19036" + +# fixed-version: Fixed after version 5.5rc3 +CVE_CHECK_IGNORE += "CVE-2019-19037" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2019-19039" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19043" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-19044" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-19045" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19046" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-19047" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-19048" + +# fixed-version: Fixed after version 5.4rc5 +CVE_CHECK_IGNORE += "CVE-2019-19049" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19050" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-19051" + +# fixed-version: Fixed after version 5.4rc7 +CVE_CHECK_IGNORE += "CVE-2019-19052" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19053" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19054" + +# fixed-version: Fixed after version 5.4rc4 +CVE_CHECK_IGNORE += "CVE-2019-19055" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19056" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19057" + +# fixed-version: Fixed after version 5.4rc4 +CVE_CHECK_IGNORE += "CVE-2019-19058" + +# fixed-version: Fixed after version 5.4rc4 +CVE_CHECK_IGNORE += "CVE-2019-19059" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-19060" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-19061" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19062" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19063" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19064" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-19065" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19066" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-19067" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19068" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-19069" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19070" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19071" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19072" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19073" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19074" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-19075" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19076" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19077" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19078" + +# fixed-version: Fixed after version 5.3 +CVE_CHECK_IGNORE += "CVE-2019-19079" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19080" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19081" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19082" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-19083" + +# fixed-version: Fixed after version 5.1rc3 +CVE_CHECK_IGNORE += "CVE-2019-19227" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19241" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19252" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19318" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-19319" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19332" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19338" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2019-19377" + +# CVE-2019-19378 has no known resolution + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19447" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2019-19448" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2019-19449" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2019-19462" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-19523" + +# fixed-version: Fixed after version 5.4rc8 +CVE_CHECK_IGNORE += "CVE-2019-19524" + +# fixed-version: Fixed after version 5.4rc2 +CVE_CHECK_IGNORE += "CVE-2019-19525" + +# fixed-version: Fixed after version 5.4rc4 +CVE_CHECK_IGNORE += "CVE-2019-19526" + +# fixed-version: Fixed after version 5.3rc4 +CVE_CHECK_IGNORE += "CVE-2019-19527" + +# fixed-version: Fixed after version 5.4rc3 +CVE_CHECK_IGNORE += "CVE-2019-19528" + +# fixed-version: Fixed after version 5.4rc7 +CVE_CHECK_IGNORE += "CVE-2019-19529" + +# fixed-version: Fixed after version 5.3rc5 +CVE_CHECK_IGNORE += "CVE-2019-19530" + +# fixed-version: Fixed after version 5.3rc4 +CVE_CHECK_IGNORE += "CVE-2019-19531" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2019-19532" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19533" + +# fixed-version: Fixed after version 5.4rc7 +CVE_CHECK_IGNORE += "CVE-2019-19534" + +# fixed-version: Fixed after version 5.3rc4 +CVE_CHECK_IGNORE += "CVE-2019-19535" + +# fixed-version: Fixed after version 5.3rc4 +CVE_CHECK_IGNORE += "CVE-2019-19536" + +# fixed-version: Fixed after version 5.3rc5 +CVE_CHECK_IGNORE += "CVE-2019-19537" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-19543" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19602" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2019-19767" + +# fixed-version: Fixed after version 5.6rc4 +CVE_CHECK_IGNORE += "CVE-2019-19768" + +# fixed-version: Fixed after version 5.6rc5 +CVE_CHECK_IGNORE += "CVE-2019-19769" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2019-19770" + +# fixed-version: Fixed after version 5.4rc7 +CVE_CHECK_IGNORE += "CVE-2019-19807" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-19813" + +# CVE-2019-19814 has no known resolution + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2019-19815" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-19816" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-19922" + +# fixed-version: Fixed after version 5.1rc6 +CVE_CHECK_IGNORE += "CVE-2019-19927" + +# fixed-version: Fixed after version 5.5rc3 +CVE_CHECK_IGNORE += "CVE-2019-19947" + +# fixed-version: Fixed after version 5.5rc2 +CVE_CHECK_IGNORE += "CVE-2019-19965" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-19966" + +# fixed-version: Fixed after version 5.1rc3 +CVE_CHECK_IGNORE += "CVE-2019-1999" + +# fixed-version: Fixed after version 5.1rc3 +CVE_CHECK_IGNORE += "CVE-2019-20054" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-20095" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-20096" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2019-2024" + +# fixed-version: Fixed after version 4.20rc5 +CVE_CHECK_IGNORE += "CVE-2019-2025" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-20422" + +# fixed-version: Fixed after version 4.8rc1 +CVE_CHECK_IGNORE += "CVE-2019-2054" + +# fixed-version: Fixed after version 5.5rc6 +CVE_CHECK_IGNORE += "CVE-2019-20636" + +# CVE-2019-20794 has no known resolution + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-20806" + +# fixed-version: Fixed after version 5.6rc1 +CVE_CHECK_IGNORE += "CVE-2019-20810" + +# fixed-version: Fixed after version 5.1rc3 +CVE_CHECK_IGNORE += "CVE-2019-20811" + +# fixed-version: Fixed after version 5.5rc3 +CVE_CHECK_IGNORE += "CVE-2019-20812" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2019-20908" + +# fixed-version: Fixed after version 5.3rc2 +CVE_CHECK_IGNORE += "CVE-2019-20934" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-2101" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-2181" + +# fixed-version: Fixed after version 4.16rc3 +CVE_CHECK_IGNORE += "CVE-2019-2182" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-2213" + +# fixed-version: Fixed after version 5.3rc2 +CVE_CHECK_IGNORE += "CVE-2019-2214" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2019-2215" + +# fixed-version: Fixed after version 5.2rc4 +CVE_CHECK_IGNORE += "CVE-2019-25044" + +# fixed-version: Fixed after version 5.1 +CVE_CHECK_IGNORE += "CVE-2019-25045" + +# fixed-version: Fixed after version 5.6rc1 +CVE_CHECK_IGNORE += "CVE-2019-3016" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-3459" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-3460" + +# fixed-version: Fixed after version 5.0rc3 +CVE_CHECK_IGNORE += "CVE-2019-3701" + +# fixed-version: Fixed after version 5.0rc6 +CVE_CHECK_IGNORE += "CVE-2019-3819" + +# fixed-version: Fixed after version 3.18rc1 +CVE_CHECK_IGNORE += "CVE-2019-3837" + +# fixed-version: Fixed after version 5.2rc6 +CVE_CHECK_IGNORE += "CVE-2019-3846" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-3874" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-3882" + +# fixed-version: Fixed after version 5.1rc4 +CVE_CHECK_IGNORE += "CVE-2019-3887" + +# fixed-version: Fixed after version 5.1rc6 +CVE_CHECK_IGNORE += "CVE-2019-3892" + +# fixed-version: Fixed after version 2.6.35rc1 +CVE_CHECK_IGNORE += "CVE-2019-3896" + +# fixed-version: Fixed after version 5.2rc4 +CVE_CHECK_IGNORE += "CVE-2019-3900" + +# fixed-version: Fixed after version 4.6rc6 +CVE_CHECK_IGNORE += "CVE-2019-3901" + +# fixed-version: Fixed after version 5.3 +CVE_CHECK_IGNORE += "CVE-2019-5108" + +# Skipping CVE-2019-5489, no affected_versions + +# fixed-version: Fixed after version 5.0rc2 +CVE_CHECK_IGNORE += "CVE-2019-6133" + +# fixed-version: Fixed after version 5.0rc6 +CVE_CHECK_IGNORE += "CVE-2019-6974" + +# fixed-version: Fixed after version 5.0rc6 +CVE_CHECK_IGNORE += "CVE-2019-7221" + +# fixed-version: Fixed after version 5.0rc6 +CVE_CHECK_IGNORE += "CVE-2019-7222" + +# fixed-version: Fixed after version 5.0rc3 +CVE_CHECK_IGNORE += "CVE-2019-7308" + +# fixed-version: Fixed after version 5.0rc8 +CVE_CHECK_IGNORE += "CVE-2019-8912" + +# fixed-version: Fixed after version 5.0rc6 +CVE_CHECK_IGNORE += "CVE-2019-8956" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-8980" + +# fixed-version: Fixed after version 5.0rc4 +CVE_CHECK_IGNORE += "CVE-2019-9003" + +# fixed-version: Fixed after version 5.0rc7 +CVE_CHECK_IGNORE += "CVE-2019-9162" + +# fixed-version: Fixed after version 5.0 +CVE_CHECK_IGNORE += "CVE-2019-9213" + +# fixed-version: Fixed after version 5.0rc1 +CVE_CHECK_IGNORE += "CVE-2019-9245" + +# fixed-version: Fixed after version 4.15rc2 +CVE_CHECK_IGNORE += "CVE-2019-9444" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-9445" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2019-9453" + +# fixed-version: Fixed after version 4.15rc9 +CVE_CHECK_IGNORE += "CVE-2019-9454" + +# fixed-version: Fixed after version 5.0rc1 +CVE_CHECK_IGNORE += "CVE-2019-9455" + +# fixed-version: Fixed after version 4.16rc6 +CVE_CHECK_IGNORE += "CVE-2019-9456" + +# fixed-version: Fixed after version 4.13rc1 +CVE_CHECK_IGNORE += "CVE-2019-9457" + +# fixed-version: Fixed after version 4.19rc7 +CVE_CHECK_IGNORE += "CVE-2019-9458" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-9466" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-9500" + +# fixed-version: Fixed after version 5.1rc1 +CVE_CHECK_IGNORE += "CVE-2019-9503" + +# fixed-version: Fixed after version 5.2 +CVE_CHECK_IGNORE += "CVE-2019-9506" + +# fixed-version: Fixed after version 5.1rc2 +CVE_CHECK_IGNORE += "CVE-2019-9857" + +# fixed-version: Fixed after version 5.6rc3 +CVE_CHECK_IGNORE += "CVE-2020-0009" + +# fixed-version: Fixed after version 4.16rc3 +CVE_CHECK_IGNORE += "CVE-2020-0030" + +# fixed-version: Fixed after version 5.5rc2 +CVE_CHECK_IGNORE += "CVE-2020-0041" + +# fixed-version: Fixed after version 4.3rc7 +CVE_CHECK_IGNORE += "CVE-2020-0066" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2020-0067" + +# fixed-version: Fixed after version 5.6rc2 +CVE_CHECK_IGNORE += "CVE-2020-0110" + +# fixed-version: Fixed after version 5.7rc4 +CVE_CHECK_IGNORE += "CVE-2020-0255" + +# fixed-version: Fixed after version 5.5rc6 +CVE_CHECK_IGNORE += "CVE-2020-0305" + +# CVE-2020-0347 has no known resolution + +# fixed-version: Fixed after version 5.6rc1 +CVE_CHECK_IGNORE += "CVE-2020-0404" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-0423" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2020-0427" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2020-0429" + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2020-0430" + +# fixed-version: Fixed after version 5.5rc6 +CVE_CHECK_IGNORE += "CVE-2020-0431" + +# fixed-version: Fixed after version 5.6rc1 +CVE_CHECK_IGNORE += "CVE-2020-0432" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2020-0433" + +# fixed-version: Fixed after version 4.19rc1 +CVE_CHECK_IGNORE += "CVE-2020-0435" + +# fixed-version: Fixed after version 5.6rc4 +CVE_CHECK_IGNORE += "CVE-2020-0444" + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2020-0465" + +# fixed-version: Fixed after version 5.9rc2 +CVE_CHECK_IGNORE += "CVE-2020-0466" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-0543" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-10135" + +# fixed-version: Fixed after version 5.5rc5 +CVE_CHECK_IGNORE += "CVE-2020-10690" + +# CVE-2020-10708 has no known resolution + +# fixed-version: Fixed after version 5.7rc6 +CVE_CHECK_IGNORE += "CVE-2020-10711" + +# fixed-version: Fixed after version 5.2rc3 +CVE_CHECK_IGNORE += "CVE-2020-10720" + +# fixed-version: Fixed after version 5.7 +CVE_CHECK_IGNORE += "CVE-2020-10732" + +# fixed-version: Fixed after version 3.16rc1 +CVE_CHECK_IGNORE += "CVE-2020-10742" + +# fixed-version: Fixed after version 5.7rc4 +CVE_CHECK_IGNORE += "CVE-2020-10751" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-10757" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-10766" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-10767" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-10768" + +# fixed-version: Fixed after version 5.0rc3 +CVE_CHECK_IGNORE += "CVE-2020-10769" + +# fixed-version: Fixed after version 5.4rc6 +CVE_CHECK_IGNORE += "CVE-2020-10773" + +# CVE-2020-10774 has no known resolution + +# fixed-version: Fixed after version 5.8rc6 +CVE_CHECK_IGNORE += "CVE-2020-10781" + +# fixed-version: Fixed after version 5.6rc4 +CVE_CHECK_IGNORE += "CVE-2020-10942" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-11494" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-11565" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-11608" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-11609" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-11668" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2020-11669" + +# CVE-2020-11725 has no known resolution + +# fixed-version: Fixed after version 5.7rc4 +CVE_CHECK_IGNORE += "CVE-2020-11884" + +# CVE-2020-11935 has no known resolution + +# fixed-version: Fixed after version 5.3rc1 +CVE_CHECK_IGNORE += "CVE-2020-12114" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-12351" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-12352" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-12362" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-12363" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-12364" + +# fixed-version: Fixed after version 5.7rc3 +CVE_CHECK_IGNORE += "CVE-2020-12464" + +# fixed-version: Fixed after version 5.6rc6 +CVE_CHECK_IGNORE += "CVE-2020-12465" + +# fixed-version: Fixed after version 5.5rc7 +CVE_CHECK_IGNORE += "CVE-2020-12652" + +# fixed-version: Fixed after version 5.6rc1 +CVE_CHECK_IGNORE += "CVE-2020-12653" + +# fixed-version: Fixed after version 5.6rc1 +CVE_CHECK_IGNORE += "CVE-2020-12654" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-12655" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-12656" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-12657" + +# fixed-version: Fixed after version 5.7rc2 +CVE_CHECK_IGNORE += "CVE-2020-12659" + +# fixed-version: Fixed after version 5.6rc4 +CVE_CHECK_IGNORE += "CVE-2020-12768" + +# fixed-version: Fixed after version 5.5rc6 +CVE_CHECK_IGNORE += "CVE-2020-12769" + +# fixed-version: Fixed after version 5.7rc3 +CVE_CHECK_IGNORE += "CVE-2020-12770" + +# fixed-version: Fixed after version 5.8rc2 +CVE_CHECK_IGNORE += "CVE-2020-12771" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-12826" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-12888" + +# fixed-version: Fixed after version 5.10rc4 +CVE_CHECK_IGNORE += "CVE-2020-12912" + +# fixed-version: Fixed after version 5.7rc6 +CVE_CHECK_IGNORE += "CVE-2020-13143" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-13974" + +# CVE-2020-14304 has no known resolution + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2020-14305" + +# fixed-version: Fixed after version 5.9rc2 +CVE_CHECK_IGNORE += "CVE-2020-14314" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2020-14331" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-14351" + +# fixed-version: Fixed after version 4.14rc3 +CVE_CHECK_IGNORE += "CVE-2020-14353" + +# fixed-version: Fixed after version 5.8rc5 +CVE_CHECK_IGNORE += "CVE-2020-14356" + +# fixed-version: Fixed after version 5.6rc6 +CVE_CHECK_IGNORE += "CVE-2020-14381" + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2020-14385" + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2020-14386" + +# fixed-version: Fixed after version 5.9rc6 +CVE_CHECK_IGNORE += "CVE-2020-14390" + +# fixed-version: Fixed after version 5.5 +CVE_CHECK_IGNORE += "CVE-2020-14416" + +# fixed-version: Fixed after version 5.8rc3 +CVE_CHECK_IGNORE += "CVE-2020-15393" + +# fixed-version: Fixed after version 5.8rc2 +CVE_CHECK_IGNORE += "CVE-2020-15436" + +# fixed-version: Fixed after version 5.8rc7 +CVE_CHECK_IGNORE += "CVE-2020-15437" + +# fixed-version: Fixed after version 5.8rc3 +CVE_CHECK_IGNORE += "CVE-2020-15780" + +# CVE-2020-15802 has no known resolution + +# fixed-version: Fixed after version 5.8rc6 +CVE_CHECK_IGNORE += "CVE-2020-15852" + +# fixed-version: Fixed after version 5.15rc2 +CVE_CHECK_IGNORE += "CVE-2020-16119" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-16120" + +# fixed-version: Fixed after version 5.8 +CVE_CHECK_IGNORE += "CVE-2020-16166" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2020-1749" + +# fixed-version: Fixed after version 5.8rc4 +CVE_CHECK_IGNORE += "CVE-2020-24394" + +# fixed-version: Fixed after version 5.8 +CVE_CHECK_IGNORE += "CVE-2020-24490" + +# CVE-2020-24502 has no known resolution + +# CVE-2020-24503 has no known resolution + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2020-24504" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2020-24586" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2020-24587" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2020-24588" + +# fixed-version: Fixed after version 5.9rc7 +CVE_CHECK_IGNORE += "CVE-2020-25211" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2020-25212" + +# CVE-2020-25220 has no known resolution + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2020-25221" + +# fixed-version: Fixed after version 5.9rc5 +CVE_CHECK_IGNORE += "CVE-2020-25284" + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2020-25285" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2020-25639" + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2020-25641" + +# fixed-version: Fixed after version 5.9rc7 +CVE_CHECK_IGNORE += "CVE-2020-25643" + +# fixed-version: Fixed after version 5.9rc7 +CVE_CHECK_IGNORE += "CVE-2020-25645" + +# fixed-version: Fixed after version 5.10rc2 +CVE_CHECK_IGNORE += "CVE-2020-25656" + +# CVE-2020-25661 has no known resolution + +# CVE-2020-25662 has no known resolution + +# fixed-version: Fixed after version 5.10rc3 +CVE_CHECK_IGNORE += "CVE-2020-25668" + +# fixed-version: Fixed after version 5.10rc5 +CVE_CHECK_IGNORE += "CVE-2020-25669" + +# fixed-version: Fixed after version 5.12rc7 +CVE_CHECK_IGNORE += "CVE-2020-25670" + +# fixed-version: Fixed after version 5.12rc7 +CVE_CHECK_IGNORE += "CVE-2020-25671" + +# fixed-version: Fixed after version 5.12rc7 +CVE_CHECK_IGNORE += "CVE-2020-25672" + +# fixed-version: Fixed after version 5.12rc7 +CVE_CHECK_IGNORE += "CVE-2020-25673" + +# fixed-version: Fixed after version 5.10rc3 +CVE_CHECK_IGNORE += "CVE-2020-25704" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-25705" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2020-26088" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2020-26139" + +# CVE-2020-26140 has no known resolution + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2020-26141" + +# CVE-2020-26142 has no known resolution + +# CVE-2020-26143 has no known resolution + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2020-26145" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2020-26147" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2020-26541" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2020-26555" + +# CVE-2020-26556 has no known resolution + +# CVE-2020-26557 has no known resolution + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2020-26558" + +# CVE-2020-26559 has no known resolution + +# CVE-2020-26560 has no known resolution + +# fixed-version: Fixed after version 5.6 +CVE_CHECK_IGNORE += "CVE-2020-27066" + +# fixed-version: Fixed after version 4.14rc4 +CVE_CHECK_IGNORE += "CVE-2020-27067" + +# fixed-version: Fixed after version 5.6rc2 +CVE_CHECK_IGNORE += "CVE-2020-27068" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-27152" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2020-27170" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2020-27171" + +# fixed-version: Fixed after version 5.9 +CVE_CHECK_IGNORE += "CVE-2020-27194" + +# fixed-version: Fixed after version 5.6rc4 +CVE_CHECK_IGNORE += "CVE-2020-2732" + +# CVE-2020-27418 has no known resolution + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-27673" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-27675" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-27777" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-27784" + +# fixed-version: Fixed after version 5.7rc6 +CVE_CHECK_IGNORE += "CVE-2020-27786" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-27815" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2020-27820" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-27825" + +# fixed-version: Fixed after version 5.10rc7 +CVE_CHECK_IGNORE += "CVE-2020-27830" + +# fixed-version: Fixed after version 5.10rc6 +CVE_CHECK_IGNORE += "CVE-2020-27835" + +# fixed-version: Fixed after version 5.9rc6 +CVE_CHECK_IGNORE += "CVE-2020-28097" + +# fixed-version: Fixed after version 5.11rc4 +CVE_CHECK_IGNORE += "CVE-2020-28374" + +# fixed-version: Fixed after version 5.10rc7 +CVE_CHECK_IGNORE += "CVE-2020-28588" + +# fixed-version: Fixed after version 5.9 +CVE_CHECK_IGNORE += "CVE-2020-28915" + +# fixed-version: Fixed after version 5.10rc5 +CVE_CHECK_IGNORE += "CVE-2020-28941" + +# fixed-version: Fixed after version 5.10rc3 +CVE_CHECK_IGNORE += "CVE-2020-28974" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-29368" + +# fixed-version: Fixed after version 5.8rc7 +CVE_CHECK_IGNORE += "CVE-2020-29369" + +# fixed-version: Fixed after version 5.6rc7 +CVE_CHECK_IGNORE += "CVE-2020-29370" + +# fixed-version: Fixed after version 5.9rc2 +CVE_CHECK_IGNORE += "CVE-2020-29371" + +# fixed-version: Fixed after version 5.7rc3 +CVE_CHECK_IGNORE += "CVE-2020-29372" + +# fixed-version: Fixed after version 5.6rc2 +CVE_CHECK_IGNORE += "CVE-2020-29373" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-29374" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-29534" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-29568" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-29569" + +# fixed-version: Fixed after version 5.10rc7 +CVE_CHECK_IGNORE += "CVE-2020-29660" + +# fixed-version: Fixed after version 5.10rc7 +CVE_CHECK_IGNORE += "CVE-2020-29661" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-35499" + +# CVE-2020-35501 has no known resolution + +# fixed-version: Fixed after version 5.10rc3 +CVE_CHECK_IGNORE += "CVE-2020-35508" + +# fixed-version: Fixed after version 4.17rc1 +CVE_CHECK_IGNORE += "CVE-2020-35513" + +# fixed-version: Fixed after version 5.10rc7 +CVE_CHECK_IGNORE += "CVE-2020-35519" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-36158" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-36310" + +# fixed-version: Fixed after version 5.9rc5 +CVE_CHECK_IGNORE += "CVE-2020-36311" + +# fixed-version: Fixed after version 5.9rc5 +CVE_CHECK_IGNORE += "CVE-2020-36312" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-36313" + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2020-36322" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2020-36385" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2020-36386" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2020-36387" + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2020-36516" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-36557" + +# fixed-version: Fixed after version 5.6rc3 +CVE_CHECK_IGNORE += "CVE-2020-36558" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2020-36691" + +# fixed-version: Fixed after version 5.10 +CVE_CHECK_IGNORE += "CVE-2020-36694" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2020-3702" + +# fixed-version: Fixed after version 5.10rc5 +CVE_CHECK_IGNORE += "CVE-2020-4788" + +# fixed-version: Fixed after version 5.2rc1 +CVE_CHECK_IGNORE += "CVE-2020-7053" + +# fixed-version: Fixed after version 5.5 +CVE_CHECK_IGNORE += "CVE-2020-8428" + +# fixed-version: Fixed after version 5.6rc5 +CVE_CHECK_IGNORE += "CVE-2020-8647" + +# fixed-version: Fixed after version 5.6rc3 +CVE_CHECK_IGNORE += "CVE-2020-8648" + +# fixed-version: Fixed after version 5.6rc5 +CVE_CHECK_IGNORE += "CVE-2020-8649" + +# fixed-version: Fixed after version 5.10rc4 +CVE_CHECK_IGNORE += "CVE-2020-8694" + +# CVE-2020-8832 has no known resolution + +# fixed-version: Fixed after version 4.18rc1 +CVE_CHECK_IGNORE += "CVE-2020-8834" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2020-8835" + +# fixed-version: Fixed after version 5.6rc2 +CVE_CHECK_IGNORE += "CVE-2020-8992" + +# fixed-version: Fixed after version 5.6rc4 +CVE_CHECK_IGNORE += "CVE-2020-9383" + +# fixed-version: Fixed after version 5.6rc3 +CVE_CHECK_IGNORE += "CVE-2020-9391" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-0129" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2021-0342" + +# CVE-2021-0399 has no known resolution + +# fixed-version: Fixed after version 4.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-0447" + +# fixed-version: Fixed after version 5.9rc7 +CVE_CHECK_IGNORE += "CVE-2021-0448" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-0512" + +# fixed-version: Fixed after version 5.8 +CVE_CHECK_IGNORE += "CVE-2021-0605" + +# CVE-2021-0606 has no known resolution + +# CVE-2021-0695 has no known resolution + +# fixed-version: Fixed after version 5.11rc3 +CVE_CHECK_IGNORE += "CVE-2021-0707" + +# fixed-version: Fixed after version 5.14rc4 +CVE_CHECK_IGNORE += "CVE-2021-0920" + +# CVE-2021-0924 has no known resolution + +# fixed-version: Fixed after version 5.6rc1 +CVE_CHECK_IGNORE += "CVE-2021-0929" + +# fixed-version: Fixed after version 4.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-0935" + +# CVE-2021-0936 has no known resolution + +# fixed-version: Fixed after version 5.12rc8 +CVE_CHECK_IGNORE += "CVE-2021-0937" + +# fixed-version: Fixed after version 5.10rc4 +CVE_CHECK_IGNORE += "CVE-2021-0938" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-0941" + +# CVE-2021-0961 has no known resolution + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2021-1048" + +# fixed-version: Fixed after version 5.5rc1 +CVE_CHECK_IGNORE += "CVE-2021-20177" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2021-20194" + +# CVE-2021-20219 has no known resolution + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2021-20226" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2021-20239" + +# fixed-version: Fixed after version 4.5rc5 +CVE_CHECK_IGNORE += "CVE-2021-20261" + +# fixed-version: Fixed after version 4.5rc3 +CVE_CHECK_IGNORE += "CVE-2021-20265" + +# fixed-version: Fixed after version 5.11rc5 +CVE_CHECK_IGNORE += "CVE-2021-20268" + +# fixed-version: Fixed after version 5.9rc1 +CVE_CHECK_IGNORE += "CVE-2021-20292" + +# fixed-version: Fixed after version 5.4rc1 +CVE_CHECK_IGNORE += "CVE-2021-20317" + +# fixed-version: Fixed after version 5.15rc3 +CVE_CHECK_IGNORE += "CVE-2021-20320" + +# fixed-version: Fixed after version 5.15rc5 +CVE_CHECK_IGNORE += "CVE-2021-20321" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-20322" + +# fixed-version: Fixed after version 5.11rc7 +CVE_CHECK_IGNORE += "CVE-2021-21781" + +# fixed-version: Fixed after version 5.13 +CVE_CHECK_IGNORE += "CVE-2021-22543" + +# fixed-version: Fixed after version 5.12rc8 +CVE_CHECK_IGNORE += "CVE-2021-22555" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2021-22600" + +# fixed-version: Fixed after version 5.12rc8 +CVE_CHECK_IGNORE += "CVE-2021-23133" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-23134" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2021-26401" + +# fixed-version: Fixed after version 5.11rc7 +CVE_CHECK_IGNORE += "CVE-2021-26708" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-26930" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-26931" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-26932" + +# CVE-2021-26934 has no known resolution + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2021-27363" + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2021-27364" + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2021-27365" + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2021-28038" + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2021-28039" + +# fixed-version: Fixed after version 5.12rc3 +CVE_CHECK_IGNORE += "CVE-2021-28375" + +# fixed-version: Fixed after version 5.12rc3 +CVE_CHECK_IGNORE += "CVE-2021-28660" + +# fixed-version: Fixed after version 5.12rc6 +CVE_CHECK_IGNORE += "CVE-2021-28688" + +# fixed-version: Fixed after version 5.13rc6 +CVE_CHECK_IGNORE += "CVE-2021-28691" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-28711" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-28712" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-28713" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-28714" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-28715" + +# fixed-version: Fixed after version 5.12rc4 +CVE_CHECK_IGNORE += "CVE-2021-28950" + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2021-28951" + +# fixed-version: Fixed after version 5.12rc4 +CVE_CHECK_IGNORE += "CVE-2021-28952" + +# fixed-version: Fixed after version 5.12rc4 +CVE_CHECK_IGNORE += "CVE-2021-28964" + +# fixed-version: Fixed after version 5.12rc4 +CVE_CHECK_IGNORE += "CVE-2021-28971" + +# fixed-version: Fixed after version 5.12rc4 +CVE_CHECK_IGNORE += "CVE-2021-28972" + +# fixed-version: Fixed after version 5.12rc7 +CVE_CHECK_IGNORE += "CVE-2021-29154" + +# fixed-version: Fixed after version 5.12rc8 +CVE_CHECK_IGNORE += "CVE-2021-29155" + +# fixed-version: Fixed after version 5.12rc3 +CVE_CHECK_IGNORE += "CVE-2021-29264" + +# fixed-version: Fixed after version 5.12rc3 +CVE_CHECK_IGNORE += "CVE-2021-29265" + +# fixed-version: Fixed after version 5.12rc4 +CVE_CHECK_IGNORE += "CVE-2021-29266" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2021-29646" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2021-29647" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2021-29648" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2021-29649" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2021-29650" + +# fixed-version: Fixed after version 5.12rc6 +CVE_CHECK_IGNORE += "CVE-2021-29657" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-30002" + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2021-30178" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-31440" + +# fixed-version: Fixed after version 5.11rc5 +CVE_CHECK_IGNORE += "CVE-2021-3178" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-31829" + +# fixed-version: Fixed after version 5.12rc5 +CVE_CHECK_IGNORE += "CVE-2021-31916" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-32078" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-32399" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2021-32606" + +# fixed-version: Fixed after version 5.12rc3 +CVE_CHECK_IGNORE += "CVE-2021-33033" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-33034" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2021-33061" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2021-33098" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2021-33135" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2021-33200" + +# fixed-version: Fixed after version 5.11rc6 +CVE_CHECK_IGNORE += "CVE-2021-3347" + +# fixed-version: Fixed after version 5.11rc6 +CVE_CHECK_IGNORE += "CVE-2021-3348" + +# fixed-version: Fixed after version 5.13rc7 +CVE_CHECK_IGNORE += "CVE-2021-33624" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2021-33655" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-33656" + +# fixed-version: Fixed after version 5.14rc3 +CVE_CHECK_IGNORE += "CVE-2021-33909" + +# fixed-version: Fixed after version 5.10 +CVE_CHECK_IGNORE += "CVE-2021-3411" + +# fixed-version: Fixed after version 5.9rc2 +CVE_CHECK_IGNORE += "CVE-2021-3428" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-3444" + +# fixed-version: Fixed after version 5.14rc4 +CVE_CHECK_IGNORE += "CVE-2021-34556" + +# fixed-version: Fixed after version 5.13rc7 +CVE_CHECK_IGNORE += "CVE-2021-34693" + +# fixed-version: Fixed after version 5.12rc6 +CVE_CHECK_IGNORE += "CVE-2021-3483" + +# fixed-version: Fixed after version 5.14 +CVE_CHECK_IGNORE += "CVE-2021-34866" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2021-3489" + +# fixed-version: Fixed after version 5.13rc4 +CVE_CHECK_IGNORE += "CVE-2021-3490" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-3491" + +# CVE-2021-3492 has no known resolution + +# fixed-version: Fixed after version 5.11rc1 +CVE_CHECK_IGNORE += "CVE-2021-3493" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-34981" + +# fixed-version: Fixed after version 5.12rc8 +CVE_CHECK_IGNORE += "CVE-2021-3501" + +# fixed-version: Fixed after version 5.13 +CVE_CHECK_IGNORE += "CVE-2021-35039" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-3506" + +# CVE-2021-3542 has no known resolution + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-3543" + +# fixed-version: Fixed after version 5.14rc4 +CVE_CHECK_IGNORE += "CVE-2021-35477" + +# fixed-version: Fixed after version 5.13rc5 +CVE_CHECK_IGNORE += "CVE-2021-3564" + +# fixed-version: Fixed after version 5.13rc5 +CVE_CHECK_IGNORE += "CVE-2021-3573" + +# fixed-version: Fixed after version 5.13rc5 +CVE_CHECK_IGNORE += "CVE-2021-3587" + +# fixed-version: Fixed after version 5.11 +CVE_CHECK_IGNORE += "CVE-2021-3600" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-3609" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-3612" + +# fixed-version: Fixed after version 5.5rc7 +CVE_CHECK_IGNORE += "CVE-2021-3635" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2021-3640" + +# fixed-version: Fixed after version 5.14rc7 +CVE_CHECK_IGNORE += "CVE-2021-3653" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-3655" + +# fixed-version: Fixed after version 5.14rc7 +CVE_CHECK_IGNORE += "CVE-2021-3656" + +# fixed-version: Fixed after version 5.12rc7 +CVE_CHECK_IGNORE += "CVE-2021-3659" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-3669" + +# fixed-version: Fixed after version 5.14rc3 +CVE_CHECK_IGNORE += "CVE-2021-3679" + +# CVE-2021-3714 has no known resolution + +# fixed-version: Fixed after version 5.6 +CVE_CHECK_IGNORE += "CVE-2021-3715" + +# fixed-version: Fixed after version 5.14rc3 +CVE_CHECK_IGNORE += "CVE-2021-37159" + +# fixed-version: Fixed after version 5.14rc6 +CVE_CHECK_IGNORE += "CVE-2021-3732" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-3736" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-3739" + +# fixed-version: Fixed after version 5.13rc7 +CVE_CHECK_IGNORE += "CVE-2021-3743" + +# fixed-version: Fixed after version 5.15rc4 +CVE_CHECK_IGNORE += "CVE-2021-3744" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2021-3752" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-3753" + +# fixed-version: Fixed after version 5.14rc3 +CVE_CHECK_IGNORE += "CVE-2021-37576" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-3759" + +# fixed-version: Fixed after version 5.15rc6 +CVE_CHECK_IGNORE += "CVE-2021-3760" + +# fixed-version: Fixed after version 5.15rc4 +CVE_CHECK_IGNORE += "CVE-2021-3764" + +# fixed-version: Fixed after version 5.15 +CVE_CHECK_IGNORE += "CVE-2021-3772" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-38160" + +# fixed-version: Fixed after version 5.14rc6 +CVE_CHECK_IGNORE += "CVE-2021-38166" + +# fixed-version: Fixed after version 5.13rc6 +CVE_CHECK_IGNORE += "CVE-2021-38198" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-38199" + +# fixed-version: Fixed after version 5.13rc7 +CVE_CHECK_IGNORE += "CVE-2021-38200" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-38201" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-38202" + +# fixed-version: Fixed after version 5.14rc2 +CVE_CHECK_IGNORE += "CVE-2021-38203" + +# fixed-version: Fixed after version 5.14rc3 +CVE_CHECK_IGNORE += "CVE-2021-38204" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-38205" + +# fixed-version: Fixed after version 5.13rc7 +CVE_CHECK_IGNORE += "CVE-2021-38206" + +# fixed-version: Fixed after version 5.13rc7 +CVE_CHECK_IGNORE += "CVE-2021-38207" + +# fixed-version: Fixed after version 5.13rc5 +CVE_CHECK_IGNORE += "CVE-2021-38208" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-38209" + +# fixed-version: Fixed after version 5.15rc4 +CVE_CHECK_IGNORE += "CVE-2021-38300" + +# CVE-2021-3847 has no known resolution + +# CVE-2021-3864 has no known resolution + +# CVE-2021-3892 has no known resolution + +# fixed-version: Fixed after version 5.15rc6 +CVE_CHECK_IGNORE += "CVE-2021-3894" + +# fixed-version: Fixed after version 5.15rc6 +CVE_CHECK_IGNORE += "CVE-2021-3896" + +# fixed-version: Fixed after version 5.16 +CVE_CHECK_IGNORE += "CVE-2021-3923" + +# fixed-version: Fixed after version 5.14 +CVE_CHECK_IGNORE += "CVE-2021-39633" + +# fixed-version: Fixed after version 5.9rc8 +CVE_CHECK_IGNORE += "CVE-2021-39634" + +# fixed-version: Fixed after version 4.16rc1 +CVE_CHECK_IGNORE += "CVE-2021-39636" + +# fixed-version: Fixed after version 5.11rc3 +CVE_CHECK_IGNORE += "CVE-2021-39648" + +# fixed-version: Fixed after version 5.12rc3 +CVE_CHECK_IGNORE += "CVE-2021-39656" + +# fixed-version: Fixed after version 5.11rc4 +CVE_CHECK_IGNORE += "CVE-2021-39657" + +# fixed-version: Fixed after version 5.16rc5 +CVE_CHECK_IGNORE += "CVE-2021-39685" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2021-39686" + +# fixed-version: Fixed after version 5.16rc5 +CVE_CHECK_IGNORE += "CVE-2021-39698" + +# fixed-version: Fixed after version 4.18rc6 +CVE_CHECK_IGNORE += "CVE-2021-39711" + +# fixed-version: Fixed after version 4.20rc1 +CVE_CHECK_IGNORE += "CVE-2021-39713" + +# fixed-version: Fixed after version 4.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-39714" + +# CVE-2021-39800 has no known resolution + +# CVE-2021-39801 has no known resolution + +# CVE-2021-39802 has no known resolution + +# fixed-version: Fixed after version 5.16rc2 +CVE_CHECK_IGNORE += "CVE-2021-4001" + +# fixed-version: Fixed after version 5.16rc3 +CVE_CHECK_IGNORE += "CVE-2021-4002" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-4023" + +# fixed-version: Fixed after version 5.15rc4 +CVE_CHECK_IGNORE += "CVE-2021-4028" + +# fixed-version: Fixed after version 5.15rc7 +CVE_CHECK_IGNORE += "CVE-2021-4032" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2021-4037" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-40490" + +# fixed-version: Fixed after version 5.16rc4 +CVE_CHECK_IGNORE += "CVE-2021-4083" + +# fixed-version: Fixed after version 5.16rc2 +CVE_CHECK_IGNORE += "CVE-2021-4090" + +# fixed-version: Fixed after version 5.15rc7 +CVE_CHECK_IGNORE += "CVE-2021-4093" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2021-4095" + +# fixed-version: Fixed after version 5.15rc2 +CVE_CHECK_IGNORE += "CVE-2021-41073" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2021-4135" + +# fixed-version: Fixed after version 5.15 +CVE_CHECK_IGNORE += "CVE-2021-4148" + +# fixed-version: Fixed after version 5.15rc6 +CVE_CHECK_IGNORE += "CVE-2021-4149" + +# fixed-version: Fixed after version 5.15rc7 +CVE_CHECK_IGNORE += "CVE-2021-4150" + +# fixed-version: Fixed after version 5.14rc2 +CVE_CHECK_IGNORE += "CVE-2021-4154" + +# fixed-version: Fixed after version 5.16 +CVE_CHECK_IGNORE += "CVE-2021-4155" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-4157" + +# fixed-version: Fixed after version 5.7rc1 +CVE_CHECK_IGNORE += "CVE-2021-4159" + +# fixed-version: Fixed after version 5.15rc5 +CVE_CHECK_IGNORE += "CVE-2021-41864" + +# fixed-version: Fixed after version 5.16 +CVE_CHECK_IGNORE += "CVE-2021-4197" + +# fixed-version: Fixed after version 5.14rc7 +CVE_CHECK_IGNORE += "CVE-2021-42008" + +# fixed-version: Fixed after version 5.16rc2 +CVE_CHECK_IGNORE += "CVE-2021-4202" + +# fixed-version: Fixed after version 5.15rc4 +CVE_CHECK_IGNORE += "CVE-2021-4203" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2021-4204" + +# fixed-version: Fixed after version 5.8rc1 +CVE_CHECK_IGNORE += "CVE-2021-4218" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2021-42252" + +# fixed-version: Fixed after version 5.15 +CVE_CHECK_IGNORE += "CVE-2021-42327" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2021-42739" + +# fixed-version: Fixed after version 5.15rc6 +CVE_CHECK_IGNORE += "CVE-2021-43056" + +# fixed-version: Fixed after version 5.15rc3 +CVE_CHECK_IGNORE += "CVE-2021-43057" + +# fixed-version: Fixed after version 5.15 +CVE_CHECK_IGNORE += "CVE-2021-43267" + +# fixed-version: Fixed after version 5.15rc6 +CVE_CHECK_IGNORE += "CVE-2021-43389" + +# fixed-version: Fixed after version 5.16rc2 +CVE_CHECK_IGNORE += "CVE-2021-43975" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2021-43976" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-44733" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2021-44879" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2021-45095" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2021-45100" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2021-45402" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2021-45469" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2021-45480" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2021-45485" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2021-45486" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2021-45868" + +# fixed-version: Fixed after version 5.13rc7 +CVE_CHECK_IGNORE += "CVE-2021-46283" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-0001" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-0002" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-0168" + +# fixed-version: Fixed after version 5.18rc4 +CVE_CHECK_IGNORE += "CVE-2022-0171" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-0185" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2022-0264" + +# fixed-version: Fixed after version 5.14rc2 +CVE_CHECK_IGNORE += "CVE-2022-0286" + +# fixed-version: Fixed after version 5.15rc6 +CVE_CHECK_IGNORE += "CVE-2022-0322" + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2022-0330" + +# fixed-version: Fixed after version 5.16 +CVE_CHECK_IGNORE += "CVE-2022-0382" + +# CVE-2022-0400 has no known resolution + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-0433" + +# fixed-version: Fixed after version 5.17rc4 +CVE_CHECK_IGNORE += "CVE-2022-0435" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2022-0480" + +# fixed-version: Fixed after version 5.17rc4 +CVE_CHECK_IGNORE += "CVE-2022-0487" + +# fixed-version: Fixed after version 5.17rc3 +CVE_CHECK_IGNORE += "CVE-2022-0492" + +# fixed-version: Fixed after version 5.17rc5 +CVE_CHECK_IGNORE += "CVE-2022-0494" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-0500" + +# fixed-version: Fixed after version 5.17rc4 +CVE_CHECK_IGNORE += "CVE-2022-0516" + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2022-0617" + +# fixed-version: Fixed after version 5.15rc7 +CVE_CHECK_IGNORE += "CVE-2022-0644" + +# fixed-version: Fixed after version 5.17rc5 +CVE_CHECK_IGNORE += "CVE-2022-0646" + +# fixed-version: Fixed after version 5.17rc7 +CVE_CHECK_IGNORE += "CVE-2022-0742" + +# fixed-version: Fixed after version 5.8rc6 +CVE_CHECK_IGNORE += "CVE-2022-0812" + +# fixed-version: Fixed after version 5.17rc6 +CVE_CHECK_IGNORE += "CVE-2022-0847" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2022-0850" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-0854" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-0995" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-0998" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-1011" + +# fixed-version: Fixed after version 5.18rc6 +CVE_CHECK_IGNORE += "CVE-2022-1012" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1015" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1016" + +# fixed-version: Fixed after version 5.14rc7 +CVE_CHECK_IGNORE += "CVE-2022-1043" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1048" + +# fixed-version: Fixed after version 5.17rc3 +CVE_CHECK_IGNORE += "CVE-2022-1055" + +# CVE-2022-1116 has no known resolution + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1158" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-1184" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2022-1195" + +# fixed-version: Fixed after version 5.17rc6 +CVE_CHECK_IGNORE += "CVE-2022-1198" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-1199" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1204" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1205" + +# CVE-2022-1247 has no known resolution + +# fixed-version: Fixed after version 5.18rc3 +CVE_CHECK_IGNORE += "CVE-2022-1263" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2022-1280" + +# fixed-version: Fixed after version 5.17 +CVE_CHECK_IGNORE += "CVE-2022-1353" + +# fixed-version: Fixed after version 5.6rc2 +CVE_CHECK_IGNORE += "CVE-2022-1419" + +# fixed-version: Fixed after version 5.19rc7 +CVE_CHECK_IGNORE += "CVE-2022-1462" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2022-1508" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1516" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1651" + +# fixed-version: Fixed after version 5.18rc6 +CVE_CHECK_IGNORE += "CVE-2022-1652" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-1671" + +# fixed-version: Fixed after version 4.20rc1 +CVE_CHECK_IGNORE += "CVE-2022-1678" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-1679" + +# fixed-version: Fixed after version 5.18 +CVE_CHECK_IGNORE += "CVE-2022-1729" + +# fixed-version: Fixed after version 5.18rc6 +CVE_CHECK_IGNORE += "CVE-2022-1734" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2022-1786" + +# fixed-version: Fixed after version 5.18 +CVE_CHECK_IGNORE += "CVE-2022-1789" + +# fixed-version: Fixed after version 5.18rc5 +CVE_CHECK_IGNORE += "CVE-2022-1836" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-1852" + +# fixed-version: Fixed after version 5.19rc8 +CVE_CHECK_IGNORE += "CVE-2022-1882" + +# fixed-version: Fixed after version 5.18rc7 +CVE_CHECK_IGNORE += "CVE-2022-1943" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-1966" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-1972" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-1973" + +# fixed-version: Fixed after version 5.18rc6 +CVE_CHECK_IGNORE += "CVE-2022-1974" + +# fixed-version: Fixed after version 5.18rc6 +CVE_CHECK_IGNORE += "CVE-2022-1975" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-1976" + +# fixed-version: Fixed after version 5.17rc3 +CVE_CHECK_IGNORE += "CVE-2022-1998" + +# fixed-version: Fixed after version 5.17rc5 +CVE_CHECK_IGNORE += "CVE-2022-20008" + +# fixed-version: Fixed after version 5.16rc5 +CVE_CHECK_IGNORE += "CVE-2022-20132" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2022-20141" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2022-20148" + +# fixed-version: Fixed after version 5.13rc1 +CVE_CHECK_IGNORE += "CVE-2022-20153" + +# fixed-version: Fixed after version 5.16rc8 +CVE_CHECK_IGNORE += "CVE-2022-20154" + +# fixed-version: Fixed after version 5.17 +CVE_CHECK_IGNORE += "CVE-2022-20158" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2022-20166" + +# fixed-version: Fixed after version 5.17 +CVE_CHECK_IGNORE += "CVE-2022-20368" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-20369" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2022-20409" + +# fixed-version: Fixed after version 6.0rc4 +CVE_CHECK_IGNORE += "CVE-2022-20421" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-20422" + +# fixed-version: Fixed after version 5.17 +CVE_CHECK_IGNORE += "CVE-2022-20423" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2022-20424" + +# fixed-version: Fixed after version 5.9rc4 +CVE_CHECK_IGNORE += "CVE-2022-20565" + +# fixed-version: Fixed after version 5.19 +CVE_CHECK_IGNORE += "CVE-2022-20566" + +# fixed-version: Fixed after version 4.16rc5 +CVE_CHECK_IGNORE += "CVE-2022-20567" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2022-20568" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-20572" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-2078" + +# fixed-version: Fixed after version 5.19rc3 +CVE_CHECK_IGNORE += "CVE-2022-21123" + +# fixed-version: Fixed after version 5.19rc3 +CVE_CHECK_IGNORE += "CVE-2022-21125" + +# fixed-version: Fixed after version 5.19rc3 +CVE_CHECK_IGNORE += "CVE-2022-21166" + +# fixed-version: Fixed after version 4.20 +CVE_CHECK_IGNORE += "CVE-2022-21385" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-21499" + +# fixed-version: Fixed after version 5.19rc8 +CVE_CHECK_IGNORE += "CVE-2022-21505" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-2153" + +# cpe-stable-backport: Backported in 6.1.14 +CVE_CHECK_IGNORE += "CVE-2022-2196" + +# CVE-2022-2209 has no known resolution + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2022-22942" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23036" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23037" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23038" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23039" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23040" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23041" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23042" + +# fixed-version: Fixed after version 6.0 +CVE_CHECK_IGNORE += "CVE-2022-2308" + +# fixed-version: Fixed after version 5.19rc5 +CVE_CHECK_IGNORE += "CVE-2022-2318" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-23222" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2022-2327" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-2380" + +# fixed-version: Fixed after version 5.19rc7 +CVE_CHECK_IGNORE += "CVE-2022-23816" + +# CVE-2022-23825 has no known resolution + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-23960" + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2022-24122" + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2022-24448" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-24958" + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2022-24959" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-2503" + +# fixed-version: Fixed after version 5.17rc4 +CVE_CHECK_IGNORE += "CVE-2022-25258" + +# CVE-2022-25265 has no known resolution + +# fixed-version: Fixed after version 5.17rc4 +CVE_CHECK_IGNORE += "CVE-2022-25375" + +# fixed-version: Fixed after version 5.17rc6 +CVE_CHECK_IGNORE += "CVE-2022-25636" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-2585" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-2586" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-2588" + +# fixed-version: Fixed after version 6.0rc3 +CVE_CHECK_IGNORE += "CVE-2022-2590" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-2602" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-26365" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-26373" + +# fixed-version: Fixed after version 5.18rc4 +CVE_CHECK_IGNORE += "CVE-2022-2639" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-26490" + +# fixed-version: Fixed after version 6.0rc5 +CVE_CHECK_IGNORE += "CVE-2022-2663" + +# CVE-2022-26878 has no known resolution + +# fixed-version: Fixed after version 5.17rc6 +CVE_CHECK_IGNORE += "CVE-2022-26966" + +# fixed-version: Fixed after version 5.17rc6 +CVE_CHECK_IGNORE += "CVE-2022-27223" + +# fixed-version: Fixed after version 5.17rc8 +CVE_CHECK_IGNORE += "CVE-2022-27666" + +# cpe-stable-backport: Backported in 6.1.12 +CVE_CHECK_IGNORE += "CVE-2022-27672" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-2785" + +# fixed-version: Fixed after version 5.17rc5 +CVE_CHECK_IGNORE += "CVE-2022-27950" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-28356" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-28388" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-28389" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-28390" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-2873" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-28796" + +# fixed-version: Fixed after version 5.18rc2 +CVE_CHECK_IGNORE += "CVE-2022-28893" + +# fixed-version: Fixed after version 6.0rc4 +CVE_CHECK_IGNORE += "CVE-2022-2905" + +# fixed-version: Fixed after version 5.17rc6 +CVE_CHECK_IGNORE += "CVE-2022-29156" + +# fixed-version: Fixed after version 5.17rc2 +CVE_CHECK_IGNORE += "CVE-2022-2938" + +# fixed-version: Fixed after version 5.18rc4 +CVE_CHECK_IGNORE += "CVE-2022-29581" + +# fixed-version: Fixed after version 5.18rc2 +CVE_CHECK_IGNORE += "CVE-2022-29582" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-2959" + +# CVE-2022-2961 has no known resolution + +# fixed-version: Fixed after version 5.17rc4 +CVE_CHECK_IGNORE += "CVE-2022-2964" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-2977" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-2978" + +# fixed-version: Fixed after version 5.19rc7 +CVE_CHECK_IGNORE += "CVE-2022-29900" + +# fixed-version: Fixed after version 5.19rc7 +CVE_CHECK_IGNORE += "CVE-2022-29901" + +# fixed-version: Fixed after version 5.15rc1 +CVE_CHECK_IGNORE += "CVE-2022-2991" + +# fixed-version: Fixed after version 5.18rc5 +CVE_CHECK_IGNORE += "CVE-2022-29968" + +# fixed-version: Fixed after version 6.0rc3 +CVE_CHECK_IGNORE += "CVE-2022-3028" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-30594" + +# fixed-version: Fixed after version 5.18rc5 +CVE_CHECK_IGNORE += "CVE-2022-3061" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-3077" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-3078" + +# fixed-version: Fixed after version 6.0rc3 +CVE_CHECK_IGNORE += "CVE-2022-3103" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-3104" + +# fixed-version: Fixed after version 5.16 +CVE_CHECK_IGNORE += "CVE-2022-3105" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2022-3106" + +# fixed-version: Fixed after version 5.17 +CVE_CHECK_IGNORE += "CVE-2022-3107" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-3108" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-3110" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-3111" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-3112" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-3113" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-3114" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-3115" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3169" + +# fixed-version: Fixed after version 6.0rc4 +CVE_CHECK_IGNORE += "CVE-2022-3170" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2022-3176" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-3202" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-32250" + +# fixed-version: Fixed after version 5.18rc6 +CVE_CHECK_IGNORE += "CVE-2022-32296" + +# CVE-2022-3238 has no known resolution + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2022-3239" + +# fixed-version: Fixed after version 5.19rc2 +CVE_CHECK_IGNORE += "CVE-2022-32981" + +# fixed-version: Fixed after version 6.0rc5 +CVE_CHECK_IGNORE += "CVE-2022-3303" + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2022-3344" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-33740" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-33741" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-33742" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-33743" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-33744" + +# fixed-version: Fixed after version 5.18rc5 +CVE_CHECK_IGNORE += "CVE-2022-33981" + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2022-3424" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3435" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-34494" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-34495" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-34918" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3521" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3522" + +# fixed-version: Fixed after version 6.1rc1 CVE_CHECK_IGNORE += "CVE-2022-3523" -# https://nvd.nist.gov/vuln/detail/CVE-2022-3566 -# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 -# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3524" + +# fixed-version: Fixed after version 5.18rc3 +CVE_CHECK_IGNORE += "CVE-2022-3526" + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2022-3531" + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2022-3532" + +# CVE-2022-3533 has no known resolution + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2022-3534" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3535" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3541" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3542" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3543" + +# CVE-2022-3544 has no known resolution + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-3545" + +# fixed-version: Fixed after version 6.1rc4 +CVE_CHECK_IGNORE += "CVE-2022-3564" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3565" + +# fixed-version: Fixed after version 6.1rc1 CVE_CHECK_IGNORE += "CVE-2022-3566" -# https://nvd.nist.gov/vuln/detail/CVE-2022-3567 -# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 -# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 +# fixed-version: Fixed after version 6.1rc1 CVE_CHECK_IGNORE += "CVE-2022-3567" +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-3577" + +# fixed-version: Fixed after version 6.0rc5 +CVE_CHECK_IGNORE += "CVE-2022-3586" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3594" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3595" + +# CVE-2022-3606 has no known resolution + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-36123" + +# fixed-version: Fixed after version 6.1rc4 +CVE_CHECK_IGNORE += "CVE-2022-3619" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3621" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3623" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-3624" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-3625" + +# fixed-version: Fixed after version 6.1rc5 +CVE_CHECK_IGNORE += "CVE-2022-3628" + +# cpe-stable-backport: Backported in 6.1.4 +CVE_CHECK_IGNORE += "CVE-2022-36280" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-3629" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-3630" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-3633" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-3635" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-3636" + +# fixed-version: Fixed after version 6.1rc4 +CVE_CHECK_IGNORE += "CVE-2022-3640" + +# CVE-2022-36402 has no known resolution + +# CVE-2022-3642 has no known resolution + +# fixed-version: Fixed after version 6.1 +CVE_CHECK_IGNORE += "CVE-2022-3643" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3646" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3649" -# 2023 - -# https://nvd.nist.gov/vuln/detail/CVE-2022-38457 -# https://nvd.nist.gov/vuln/detail/CVE-2022-40133 -# Both CVE-2022-38457 & CVE-2022-40133 are fixed by the same commit: -# Introduced in version v4.20 e14c02e6b6990e9f6ee18a214a22ac26bae1b25e -# Patched in kernel since v6.2 a309c7194e8a2f8bd4539b9449917913f6c2cd50 -# Backported in version v6.1.7 7ac9578e45b20e3f3c0c8eb71f5417a499a7226a -# See: -# * https://www.linuxkernelcves.com/cves/CVE-2022-38457 -# * https://www.linuxkernelcves.com/cves/CVE-2022-40133 -# * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/ -CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133" - -# https://nvd.nist.gov/vuln/detail/CVE-2023-1075 -# Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221 -# Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb -# Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50 -# 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch +# fixed-version: Fixed after version 5.19rc8 +CVE_CHECK_IGNORE += "CVE-2022-36879" + +# fixed-version: Fixed after version 5.19 +CVE_CHECK_IGNORE += "CVE-2022-36946" + +# cpe-stable-backport: Backported in 6.1.5 +CVE_CHECK_IGNORE += "CVE-2022-3707" + +# CVE-2022-38096 has no known resolution + +# cpe-stable-backport: Backported in 6.1.7 +CVE_CHECK_IGNORE += "CVE-2022-38457" + +# fixed-version: Fixed after version 6.1rc2 +CVE_CHECK_IGNORE += "CVE-2022-3903" + +# fixed-version: Fixed after version 6.0rc6 +CVE_CHECK_IGNORE += "CVE-2022-3910" + +# fixed-version: Fixed after version 5.19rc8 +CVE_CHECK_IGNORE += "CVE-2022-39188" + +# fixed-version: Fixed after version 5.19rc2 +CVE_CHECK_IGNORE += "CVE-2022-39189" + +# fixed-version: Fixed after version 6.0rc3 +CVE_CHECK_IGNORE += "CVE-2022-39190" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-3977" + +# fixed-version: Fixed after version 5.19rc4 +CVE_CHECK_IGNORE += "CVE-2022-39842" + +# cpe-stable-backport: Backported in 6.1.7 +CVE_CHECK_IGNORE += "CVE-2022-40133" + +# fixed-version: Fixed after version 6.0rc5 +CVE_CHECK_IGNORE += "CVE-2022-40307" + +# fixed-version: Fixed after version 5.19rc4 +CVE_CHECK_IGNORE += "CVE-2022-40476" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-40768" + +# fixed-version: Fixed after version 6.0rc4 +CVE_CHECK_IGNORE += "CVE-2022-4095" + +# cpe-stable-backport: Backported in 6.1.44 +CVE_CHECK_IGNORE += "CVE-2022-40982" + +# cpe-stable-backport: Backported in 6.1.4 +CVE_CHECK_IGNORE += "CVE-2022-41218" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2022-41222" + +# fixed-version: Fixed after version 5.19rc6 +CVE_CHECK_IGNORE += "CVE-2022-4127" + +# fixed-version: Fixed after version 5.19rc7 +CVE_CHECK_IGNORE += "CVE-2022-4128" + +# fixed-version: Fixed after version 6.1rc6 +CVE_CHECK_IGNORE += "CVE-2022-4129" + +# fixed-version: Fixed after version 6.1rc8 +CVE_CHECK_IGNORE += "CVE-2022-4139" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-41674" + +# CVE-2022-41848 has no known resolution + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-41849" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-41850" + +# fixed-version: Fixed after version 5.18rc2 +CVE_CHECK_IGNORE += "CVE-2022-41858" + +# fixed-version: Fixed after version 6.1 +CVE_CHECK_IGNORE += "CVE-2022-42328" + +# fixed-version: Fixed after version 6.1 +CVE_CHECK_IGNORE += "CVE-2022-42329" + +# fixed-version: Fixed after version 6.0rc7 +CVE_CHECK_IGNORE += "CVE-2022-42432" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2022-4269" + +# fixed-version: Fixed after version 6.0rc4 +CVE_CHECK_IGNORE += "CVE-2022-42703" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-42719" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-42720" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-42721" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-42722" + +# fixed-version: Fixed after version 6.1rc4 +CVE_CHECK_IGNORE += "CVE-2022-42895" + +# fixed-version: Fixed after version 6.1rc4 +CVE_CHECK_IGNORE += "CVE-2022-42896" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-43750" + +# fixed-version: Fixed after version 6.1 +CVE_CHECK_IGNORE += "CVE-2022-4378" + +# cpe-stable-backport: Backported in 6.1.3 +CVE_CHECK_IGNORE += "CVE-2022-4379" + +# cpe-stable-backport: Backported in 6.1.8 +CVE_CHECK_IGNORE += "CVE-2022-4382" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2022-43945" + +# CVE-2022-44032 needs backporting (fixed from 6.4rc1) + +# CVE-2022-44033 needs backporting (fixed from 6.4rc1) + +# CVE-2022-44034 has no known resolution + +# CVE-2022-4543 has no known resolution + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2022-45869" + +# CVE-2022-45884 has no known resolution + +# CVE-2022-45885 has no known resolution + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2022-45886" + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2022-45887" + +# CVE-2022-45888 needs backporting (fixed from 6.2rc1) + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2022-45919" + +# fixed-version: Fixed after version 6.1 +CVE_CHECK_IGNORE += "CVE-2022-45934" + +# fixed-version: Fixed after version 6.0rc4 +CVE_CHECK_IGNORE += "CVE-2022-4662" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2022-4696" + +# fixed-version: Fixed after version 5.16rc7 +CVE_CHECK_IGNORE += "CVE-2022-4744" + +# fixed-version: Fixed after version 6.1rc8 +CVE_CHECK_IGNORE += "CVE-2022-47518" + +# fixed-version: Fixed after version 6.1rc8 +CVE_CHECK_IGNORE += "CVE-2022-47519" + +# fixed-version: Fixed after version 6.1rc8 +CVE_CHECK_IGNORE += "CVE-2022-47520" + +# fixed-version: Fixed after version 6.1rc8 +CVE_CHECK_IGNORE += "CVE-2022-47521" + +# cpe-stable-backport: Backported in 6.1.6 +CVE_CHECK_IGNORE += "CVE-2022-47929" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-47938" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-47939" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2022-47940" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-47941" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-47942" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2022-47943" + +# fixed-version: Fixed after version 5.12rc2 +CVE_CHECK_IGNORE += "CVE-2022-47946" + +# cpe-stable-backport: Backported in 6.1.8 +CVE_CHECK_IGNORE += "CVE-2022-4842" + +# cpe-stable-backport: Backported in 6.1.3 +CVE_CHECK_IGNORE += "CVE-2022-48423" + +# cpe-stable-backport: Backported in 6.1.3 +CVE_CHECK_IGNORE += "CVE-2022-48424" + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2022-48425" + +# cpe-stable-backport: Backported in 6.1.40 +CVE_CHECK_IGNORE += "CVE-2022-48502" + +# fixed-version: Fixed after version 5.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-0030" + +# cpe-stable-backport: Backported in 6.1.5 +CVE_CHECK_IGNORE += "CVE-2023-0045" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2023-0047" + +# fixed-version: Fixed after version 6.0rc4 +CVE_CHECK_IGNORE += "CVE-2023-0122" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-0160" + +# cpe-stable-backport: Backported in 6.1.7 +CVE_CHECK_IGNORE += "CVE-2023-0179" + +# cpe-stable-backport: Backported in 6.1.5 +CVE_CHECK_IGNORE += "CVE-2023-0210" + +# fixed-version: Fixed after version 5.10rc1 +CVE_CHECK_IGNORE += "CVE-2023-0240" + +# cpe-stable-backport: Backported in 6.1.6 +CVE_CHECK_IGNORE += "CVE-2023-0266" + +# cpe-stable-backport: Backported in 6.1.9 +CVE_CHECK_IGNORE += "CVE-2023-0386" + +# cpe-stable-backport: Backported in 6.1.7 +CVE_CHECK_IGNORE += "CVE-2023-0394" + +# cpe-stable-backport: Backported in 6.1.8 +CVE_CHECK_IGNORE += "CVE-2023-0458" + +# cpe-stable-backport: Backported in 6.1.14 +CVE_CHECK_IGNORE += "CVE-2023-0459" + +# cpe-stable-backport: Backported in 6.1.5 +CVE_CHECK_IGNORE += "CVE-2023-0461" + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2023-0468" + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2023-0469" + +# fixed-version: Fixed after version 6.1rc2 +CVE_CHECK_IGNORE += "CVE-2023-0590" + +# CVE-2023-0597 needs backporting (fixed from 6.2rc1) + +# fixed-version: Fixed after version 6.1rc3 +CVE_CHECK_IGNORE += "CVE-2023-0615" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-1032" + +# cpe-stable-backport: Backported in 6.1.9 +CVE_CHECK_IGNORE += "CVE-2023-1073" + +# cpe-stable-backport: Backported in 6.1.9 +CVE_CHECK_IGNORE += "CVE-2023-1074" + +# cpe-stable-backport: Backported in 6.1.11 CVE_CHECK_IGNORE += "CVE-2023-1075" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-1076" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-1077" + +# cpe-stable-backport: Backported in 6.1.12 +CVE_CHECK_IGNORE += "CVE-2023-1078" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-1079" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-1095" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-1118" + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2023-1192" + +# CVE-2023-1193 has no known resolution + +# CVE-2023-1194 has no known resolution + +# fixed-version: Fixed after version 6.1rc3 +CVE_CHECK_IGNORE += "CVE-2023-1195" + +# cpe-stable-backport: Backported in 6.1.43 +CVE_CHECK_IGNORE += "CVE-2023-1206" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2023-1249" + +# fixed-version: Fixed after version 5.16rc1 +CVE_CHECK_IGNORE += "CVE-2023-1252" + +# cpe-stable-backport: Backported in 6.1.13 +CVE_CHECK_IGNORE += "CVE-2023-1281" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2023-1295" + +# cpe-stable-backport: Backported in 6.1.27 +CVE_CHECK_IGNORE += "CVE-2023-1380" + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2023-1382" + +# fixed-version: Fixed after version 5.11rc4 +CVE_CHECK_IGNORE += "CVE-2023-1390" + +# cpe-stable-backport: Backported in 6.1.13 +CVE_CHECK_IGNORE += "CVE-2023-1513" + +# fixed-version: Fixed after version 5.17rc4 +CVE_CHECK_IGNORE += "CVE-2023-1582" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-1583" + +# cpe-stable-backport: Backported in 6.1.23 +CVE_CHECK_IGNORE += "CVE-2023-1611" + +# fixed-version: Fixed after version 5.18rc2 +CVE_CHECK_IGNORE += "CVE-2023-1637" + +# cpe-stable-backport: Backported in 6.1.9 +CVE_CHECK_IGNORE += "CVE-2023-1652" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-1670" + +# cpe-stable-backport: Backported in 6.1.18 +CVE_CHECK_IGNORE += "CVE-2023-1829" + +# fixed-version: Fixed after version 5.18 +CVE_CHECK_IGNORE += "CVE-2023-1838" + +# cpe-stable-backport: Backported in 6.1.21 +CVE_CHECK_IGNORE += "CVE-2023-1855" + +# cpe-stable-backport: Backported in 6.1.25 +CVE_CHECK_IGNORE += "CVE-2023-1859" + +# fixed-version: Fixed after version 5.18rc2 +CVE_CHECK_IGNORE += "CVE-2023-1872" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-1989" + +# cpe-stable-backport: Backported in 6.1.21 +CVE_CHECK_IGNORE += "CVE-2023-1990" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-1998" + +# cpe-stable-backport: Backported in 6.1.27 +CVE_CHECK_IGNORE += "CVE-2023-2002" + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2023-2006" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-2007" + +# fixed-version: Fixed after version 5.19rc4 +CVE_CHECK_IGNORE += "CVE-2023-2008" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-2019" + +# cpe-stable-backport: Backported in 6.1.44 +CVE_CHECK_IGNORE += "CVE-2023-20569" + +# cpe-stable-backport: Backported in 6.1.45 +CVE_CHECK_IGNORE += "CVE-2023-20588" + +# cpe-stable-backport: Backported in 6.1.41 +CVE_CHECK_IGNORE += "CVE-2023-20593" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-20928" + +# CVE-2023-20937 has no known resolution + +# fixed-version: Fixed after version 5.18rc5 +CVE_CHECK_IGNORE += "CVE-2023-20938" + +# CVE-2023-20941 has no known resolution + +# cpe-stable-backport: Backported in 6.1.8 +CVE_CHECK_IGNORE += "CVE-2023-21102" + +# cpe-stable-backport: Backported in 6.1.9 +CVE_CHECK_IGNORE += "CVE-2023-21106" + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2023-2124" + +# cpe-stable-backport: Backported in 6.1.31 +CVE_CHECK_IGNORE += "CVE-2023-21255" + +# CVE-2023-21264 needs backporting (fixed from 6.4rc5) + +# CVE-2023-21400 has no known resolution + +# cpe-stable-backport: Backported in 6.1.26 +CVE_CHECK_IGNORE += "CVE-2023-2156" + +# cpe-stable-backport: Backported in 6.1.11 +CVE_CHECK_IGNORE += "CVE-2023-2162" + +# cpe-stable-backport: Backported in 6.1.26 +CVE_CHECK_IGNORE += "CVE-2023-2163" + +# fixed-version: Fixed after version 6.1 +CVE_CHECK_IGNORE += "CVE-2023-2166" + +# CVE-2023-2176 needs backporting (fixed from 6.3rc1) + +# fixed-version: Fixed after version 5.19 +CVE_CHECK_IGNORE += "CVE-2023-2177" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-2194" + +# cpe-stable-backport: Backported in 6.1.21 +CVE_CHECK_IGNORE += "CVE-2023-2235" + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2023-2236" + +# cpe-stable-backport: Backported in 6.1.26 +CVE_CHECK_IGNORE += "CVE-2023-2248" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-2269" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2023-22995" + +# fixed-version: Fixed after version 5.18rc1 +CVE_CHECK_IGNORE += "CVE-2023-22996" + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2023-22997" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-22998" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2023-22999" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2023-23000" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2023-23001" + +# fixed-version: Fixed after version 5.17rc1 +CVE_CHECK_IGNORE += "CVE-2023-23002" + +# fixed-version: Fixed after version 5.16rc6 +CVE_CHECK_IGNORE += "CVE-2023-23003" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2023-23004" + +# CVE-2023-23005 needs backporting (fixed from 6.2rc1) + +# fixed-version: Fixed after version 5.16rc8 +CVE_CHECK_IGNORE += "CVE-2023-23006" + +# CVE-2023-23039 has no known resolution + +# cpe-stable-backport: Backported in 6.1.5 +CVE_CHECK_IGNORE += "CVE-2023-23454" + +# cpe-stable-backport: Backported in 6.1.5 +CVE_CHECK_IGNORE += "CVE-2023-23455" + +# cpe-stable-backport: Backported in 6.1.9 +CVE_CHECK_IGNORE += "CVE-2023-23559" + +# fixed-version: Fixed after version 5.12rc1 +CVE_CHECK_IGNORE += "CVE-2023-23586" + +# CVE-2023-2430 needs backporting (fixed from 6.1.50) + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-2483" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-25012" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-2513" + +# CVE-2023-25775 needs backporting (fixed from 6.1.53) + +# fixed-version: only affects 6.3rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-2598" + +# CVE-2023-26242 has no known resolution + +# CVE-2023-2640 has no known resolution + +# cpe-stable-backport: Backported in 6.1.3 +CVE_CHECK_IGNORE += "CVE-2023-26544" + +# cpe-stable-backport: Backported in 6.1.13 +CVE_CHECK_IGNORE += "CVE-2023-26545" + +# fixed-version: Fixed after version 6.1rc7 +CVE_CHECK_IGNORE += "CVE-2023-26605" + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2023-26606" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2023-26607" + +# fixed-version: Fixed after version 6.1 +CVE_CHECK_IGNORE += "CVE-2023-28327" + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2023-28328" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2023-28410" + +# fixed-version: only affects 6.3rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-28464" + +# cpe-stable-backport: Backported in 6.1.20 +CVE_CHECK_IGNORE += "CVE-2023-28466" + +# fixed-version: Fixed after version 6.0rc5 +CVE_CHECK_IGNORE += "CVE-2023-2860" + +# fixed-version: Fixed after version 5.14rc1 +CVE_CHECK_IGNORE += "CVE-2023-28772" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-28866" + +# cpe-stable-backport: Backported in 6.1.39 +CVE_CHECK_IGNORE += "CVE-2023-2898" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-2985" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2023-3006" + +# Skipping CVE-2023-3022, no affected_versions + +# cpe-stable-backport: Backported in 6.1.21 +CVE_CHECK_IGNORE += "CVE-2023-30456" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-30772" + +# cpe-stable-backport: Backported in 6.1.30 +CVE_CHECK_IGNORE += "CVE-2023-3090" + +# fixed-version: Fixed after version 4.8rc7 +CVE_CHECK_IGNORE += "CVE-2023-3106" + +# Skipping CVE-2023-3108, no affected_versions + +# CVE-2023-31081 has no known resolution + +# CVE-2023-31082 has no known resolution + +# CVE-2023-31083 needs backporting (fixed from 6.6rc1) + +# CVE-2023-31084 needs backporting (fixed from 6.4rc3) + +# CVE-2023-31085 has no known resolution + +# fixed-version: Fixed after version 6.0rc2 +CVE_CHECK_IGNORE += "CVE-2023-3111" + +# cpe-stable-backport: Backported in 6.1.35 +CVE_CHECK_IGNORE += "CVE-2023-3117" + +# cpe-stable-backport: Backported in 6.1.39 +CVE_CHECK_IGNORE += "CVE-2023-31248" + +# cpe-stable-backport: Backported in 6.1.30 +CVE_CHECK_IGNORE += "CVE-2023-3141" + +# cpe-stable-backport: Backported in 6.1.26 +CVE_CHECK_IGNORE += "CVE-2023-31436" + +# fixed-version: Fixed after version 5.18rc6 +CVE_CHECK_IGNORE += "CVE-2023-3159" + +# cpe-stable-backport: Backported in 6.1.11 +CVE_CHECK_IGNORE += "CVE-2023-3161" + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2023-3212" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-3220" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-32233" + +# cpe-stable-backport: Backported in 6.1.29 +CVE_CHECK_IGNORE += "CVE-2023-32247" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-32248" + +# cpe-stable-backport: Backported in 6.1.29 +CVE_CHECK_IGNORE += "CVE-2023-32250" + +# cpe-stable-backport: Backported in 6.1.29 +CVE_CHECK_IGNORE += "CVE-2023-32252" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-32254" + +# cpe-stable-backport: Backported in 6.1.29 +CVE_CHECK_IGNORE += "CVE-2023-32257" + +# cpe-stable-backport: Backported in 6.1.29 +CVE_CHECK_IGNORE += "CVE-2023-32258" + +# cpe-stable-backport: Backported in 6.1.11 +CVE_CHECK_IGNORE += "CVE-2023-32269" + +# CVE-2023-32629 has no known resolution + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-3268" + +# cpe-stable-backport: Backported in 6.1.37 +CVE_CHECK_IGNORE += "CVE-2023-3269" + +# fixed-version: only affects 6.2rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-3312" + +# fixed-version: only affects 6.2rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-3317" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-33203" + +# fixed-version: only affects 6.2rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-33250" + +# cpe-stable-backport: Backported in 6.1.22 +CVE_CHECK_IGNORE += "CVE-2023-33288" + +# fixed-version: Fixed after version 6.1rc1 +CVE_CHECK_IGNORE += "CVE-2023-3338" + +# cpe-stable-backport: Backported in 6.1.16 +CVE_CHECK_IGNORE += "CVE-2023-3355" + +# cpe-stable-backport: Backported in 6.1.2 +CVE_CHECK_IGNORE += "CVE-2023-3357" + +# cpe-stable-backport: Backported in 6.1.9 +CVE_CHECK_IGNORE += "CVE-2023-3358" + +# cpe-stable-backport: Backported in 6.1.11 +CVE_CHECK_IGNORE += "CVE-2023-3359" + +# fixed-version: Fixed after version 6.0rc1 +CVE_CHECK_IGNORE += "CVE-2023-3389" + +# cpe-stable-backport: Backported in 6.1.35 +CVE_CHECK_IGNORE += "CVE-2023-3390" + +# cpe-stable-backport: Backported in 6.1.13 +CVE_CHECK_IGNORE += "CVE-2023-33951" + +# cpe-stable-backport: Backported in 6.1.13 +CVE_CHECK_IGNORE += "CVE-2023-33952" + +# CVE-2023-3397 has no known resolution + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2023-34255" + +# cpe-stable-backport: Backported in 6.1.29 +CVE_CHECK_IGNORE += "CVE-2023-34256" + +# cpe-stable-backport: Backported in 6.1.44 +CVE_CHECK_IGNORE += "CVE-2023-34319" + +# fixed-version: Fixed after version 5.18rc5 +CVE_CHECK_IGNORE += "CVE-2023-3439" + +# cpe-stable-backport: Backported in 6.1.39 +CVE_CHECK_IGNORE += "CVE-2023-35001" + +# cpe-stable-backport: Backported in 6.1.11 +CVE_CHECK_IGNORE += "CVE-2023-3567" + +# CVE-2023-35693 has no known resolution + +# cpe-stable-backport: Backported in 6.1.33 +CVE_CHECK_IGNORE += "CVE-2023-35788" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-35823" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-35824" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-35826" + +# CVE-2023-35827 has no known resolution + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-35828" + +# cpe-stable-backport: Backported in 6.1.28 +CVE_CHECK_IGNORE += "CVE-2023-35829" + +# cpe-stable-backport: Backported in 6.1.35 +CVE_CHECK_IGNORE += "CVE-2023-3609" + +# cpe-stable-backport: Backported in 6.1.36 +CVE_CHECK_IGNORE += "CVE-2023-3610" + +# cpe-stable-backport: Backported in 6.1.40 +CVE_CHECK_IGNORE += "CVE-2023-3611" + +# CVE-2023-3640 has no known resolution + +# fixed-version: only affects 6.3rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-37453" + +# CVE-2023-37454 has no known resolution + +# CVE-2023-3772 needs backporting (fixed from 6.1.47) + +# CVE-2023-3773 needs backporting (fixed from 6.1.47) + +# cpe-stable-backport: Backported in 6.1.40 +CVE_CHECK_IGNORE += "CVE-2023-3776" + +# cpe-stable-backport: Backported in 6.1.42 +CVE_CHECK_IGNORE += "CVE-2023-3777" + +# fixed-version: Fixed after version 6.1rc4 +CVE_CHECK_IGNORE += "CVE-2023-3812" + +# cpe-stable-backport: Backported in 6.1.25 +CVE_CHECK_IGNORE += "CVE-2023-38409" + +# cpe-stable-backport: Backported in 6.1.30 +CVE_CHECK_IGNORE += "CVE-2023-38426" + +# cpe-stable-backport: Backported in 6.1.34 +CVE_CHECK_IGNORE += "CVE-2023-38427" + +# cpe-stable-backport: Backported in 6.1.30 +CVE_CHECK_IGNORE += "CVE-2023-38428" + +# cpe-stable-backport: Backported in 6.1.30 +CVE_CHECK_IGNORE += "CVE-2023-38429" + +# cpe-stable-backport: Backported in 6.1.35 +CVE_CHECK_IGNORE += "CVE-2023-38430" + +# cpe-stable-backport: Backported in 6.1.34 +CVE_CHECK_IGNORE += "CVE-2023-38431" + +# cpe-stable-backport: Backported in 6.1.36 +CVE_CHECK_IGNORE += "CVE-2023-38432" + +# cpe-stable-backport: Backported in 6.1.39 +CVE_CHECK_IGNORE += "CVE-2023-3863" + +# cpe-stable-backport: Backported in 6.1.36 +CVE_CHECK_IGNORE += "CVE-2023-3865" + +# cpe-stable-backport: Backported in 6.1.36 +CVE_CHECK_IGNORE += "CVE-2023-3866" + +# cpe-stable-backport: Backported in 6.1.40 +CVE_CHECK_IGNORE += "CVE-2023-3867" + +# cpe-stable-backport: Backported in 6.1.42 +CVE_CHECK_IGNORE += "CVE-2023-4004" + +# CVE-2023-4010 has no known resolution + +# cpe-stable-backport: Backported in 6.1.43 +CVE_CHECK_IGNORE += "CVE-2023-4015" + +# cpe-stable-backport: Backported in 6.1.45 +CVE_CHECK_IGNORE += "CVE-2023-40283" + +# cpe-stable-backport: Backported in 6.1.45 +CVE_CHECK_IGNORE += "CVE-2023-4128" + +# cpe-stable-backport: Backported in 6.1.39 +CVE_CHECK_IGNORE += "CVE-2023-4132" + +# CVE-2023-4133 needs backporting (fixed from 6.3) + +# CVE-2023-4134 needs backporting (fixed from 6.5rc1) + +# cpe-stable-backport: Backported in 6.1.43 +CVE_CHECK_IGNORE += "CVE-2023-4147" + +# cpe-stable-backport: Backported in 6.1.46 +CVE_CHECK_IGNORE += "CVE-2023-4155" + +# fixed-version: only affects 6.3rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-4194" + +# cpe-stable-backport: Backported in 6.1.45 +CVE_CHECK_IGNORE += "CVE-2023-4206" + +# cpe-stable-backport: Backported in 6.1.45 +CVE_CHECK_IGNORE += "CVE-2023-4207" + +# cpe-stable-backport: Backported in 6.1.45 +CVE_CHECK_IGNORE += "CVE-2023-4208" + +# CVE-2023-4244 needs backporting (fixed from 6.5rc7) + +# cpe-stable-backport: Backported in 6.1.45 +CVE_CHECK_IGNORE += "CVE-2023-4273" + +# fixed-version: Fixed after version 5.19rc1 +CVE_CHECK_IGNORE += "CVE-2023-4385" + +# fixed-version: Fixed after version 5.18 +CVE_CHECK_IGNORE += "CVE-2023-4387" + +# fixed-version: Fixed after version 5.18rc3 +CVE_CHECK_IGNORE += "CVE-2023-4389" + +# fixed-version: Fixed after version 6.0rc3 +CVE_CHECK_IGNORE += "CVE-2023-4394" + +# fixed-version: Fixed after version 5.18 +CVE_CHECK_IGNORE += "CVE-2023-4459" + +# CVE-2023-4563 needs backporting (fixed from 6.5rc6) + +# CVE-2023-4569 needs backporting (fixed from 6.1.47) + +# fixed-version: only affects 6.4rc1 onwards +CVE_CHECK_IGNORE += "CVE-2023-4611" + +# CVE-2023-4622 needs backporting (fixed from 6.5rc1) + +# CVE-2023-4623 needs backporting (fixed from 6.1.53) + +# CVE-2023-4881 needs backporting (fixed from 6.6rc1) + +# CVE-2023-4921 needs backporting (fixed from 6.6rc1) + diff --git a/poky/meta/recipes-kernel/linux/generate-cve-exclusions.py b/poky/meta/recipes-kernel/linux/generate-cve-exclusions.py new file mode 100755 index 0000000000..b9b87f245d --- /dev/null +++ b/poky/meta/recipes-kernel/linux/generate-cve-exclusions.py @@ -0,0 +1,101 @@ +#! /usr/bin/env python3 + +# Generate granular CVE status metadata for a specific version of the kernel +# using data from linuxkernelcves.com. +# +# SPDX-License-Identifier: GPL-2.0-only + +import argparse +import datetime +import json +import pathlib +import re + +from packaging.version import Version + + +def parse_version(s): + """ + Parse the version string and either return a packaging.version.Version, or + None if the string was unset or "unk". + """ + if s and s != "unk": + # packaging.version.Version doesn't approve of versions like v5.12-rc1-dontuse + s = s.replace("-dontuse", "") + return Version(s) + return None + + +def main(argp=None): + parser = argparse.ArgumentParser() + parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves") + parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38") + + args = parser.parse_args(argp) + datadir = args.datadir + version = args.version + base_version = f"{version.major}.{version.minor}" + + with open(datadir / "data" / "kernel_cves.json", "r") as f: + cve_data = json.load(f) + + with open(datadir / "data" / "stream_fixes.json", "r") as f: + stream_data = json.load(f) + + print(f""" +# Auto-generated CVE metadata, DO NOT EDIT BY HAND. +# Generated at {datetime.datetime.now()} for version {version} + +python check_kernel_cve_status_version() {{ + this_version = "{version}" + kernel_version = d.getVar("LINUX_VERSION") + if kernel_version != this_version: + bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version)) +}} +do_cve_check[prefuncs] += "check_kernel_cve_status_version" +""") + + for cve, data in cve_data.items(): + if "affected_versions" not in data: + print(f"# Skipping {cve}, no affected_versions") + print() + continue + + affected = data["affected_versions"] + first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups() + first_affected = parse_version(first_affected) + last_affected = parse_version(last_affected) + + handled = False + if not last_affected: + print(f"# {cve} has no known resolution") + elif first_affected and version < first_affected: + print(f"# fixed-version: only affects {first_affected} onwards") + handled = True + elif last_affected < version: + print(f"# fixed-version: Fixed after version {last_affected}") + handled = True + else: + if cve in stream_data: + backport_data = stream_data[cve] + if base_version in backport_data: + backport_ver = Version(backport_data[base_version]["fixed_version"]) + if backport_ver <= version: + print(f"# cpe-stable-backport: Backported in {backport_ver}") + handled = True + else: + # TODO print a note that the kernel needs bumping + print(f"# {cve} needs backporting (fixed from {backport_ver})") + else: + print(f"# {cve} needs backporting (fixed from {last_affected})") + else: + print(f"# {cve} needs backporting (fixed from {last_affected})") + + if handled: + print(f'CVE_CHECK_IGNORE += "{cve}"') + + print() + + +if __name__ == "__main__": + main() diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb index f49623a2cc..be5dd5efec 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "613a261b361c2f0d1e1428ad02dffe4e81d1a24b" -SRCREV_meta ?= "957ddf5f9d4bf5791e88a46ce9ec4352a6d0a171" +SRCREV_machine ?= "0ac91942af8fec31671ffe62e9518aaf15f110b3" +SRCREV_meta ?= "f484a7f175b4f3c4f7d2b553cde232bd41f757d8" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "5.15.113" +LINUX_VERSION ?= "5.15.124" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb index 20d2729371..d13722b32f 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "f974a72071f8b481fc4e38517219bc5c503e14f6" -SRCREV_meta ?= "36901b5b298e601fe73dd79aaff8b615a7762013" +SRCREV_machine ?= "9d355978d3a95f5c190a21d95ebb2a5d0e638537" +SRCREV_meta ?= "295d37e268bc02070da670e46456227bee38795b" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.1;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.1.25" +LINUX_VERSION ?= "6.1.46" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb index 1981d6e5ac..b8f3d71a72 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb @@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.15.113" +LINUX_VERSION ?= "5.15.124" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "cad8d3fd06feec26840453ddfd483216b4cf5b51" -SRCREV_meta ?= "957ddf5f9d4bf5791e88a46ce9ec4352a6d0a171" +SRCREV_machine ?= "cdb289c798fe1fc9f259a08c32e2dd9516ccb7a4" +SRCREV_meta ?= "f484a7f175b4f3c4f7d2b553cde232bd41f757d8" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb index 47d77404d0..a77bd9d183 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.1.inc -LINUX_VERSION ?= "6.1.25" +LINUX_VERSION ?= "6.1.46" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_meta ?= "36901b5b298e601fe73dd79aaff8b615a7762013" +SRCREV_machine ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_meta ?= "295d37e268bc02070da670e46456227bee38795b" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb index 6213763295..a15284fb4b 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb @@ -13,24 +13,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base" KBRANCH:qemux86-64 ?= "v5.15/standard/base" KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "8f55d1b405ec36812e15592bec1a471c4afa8dfa" -SRCREV_machine:qemuarm64 ?= "6f43cd2bf083a3a6d77edd2ddd275b9c6c3adf63" -SRCREV_machine:qemumips ?= "942912a383bbb5b1edb362c1da8f328c50e8e16a" -SRCREV_machine:qemuppc ?= "9b2cc2b52ad546d07bcef0d6c76e657ff46140ce" -SRCREV_machine:qemuriscv64 ?= "934b0d629afd6e3bf31fcaeada9828b1f13dbd91" -SRCREV_machine:qemuriscv32 ?= "934b0d629afd6e3bf31fcaeada9828b1f13dbd91" -SRCREV_machine:qemux86 ?= "934b0d629afd6e3bf31fcaeada9828b1f13dbd91" -SRCREV_machine:qemux86-64 ?= "934b0d629afd6e3bf31fcaeada9828b1f13dbd91" -SRCREV_machine:qemumips64 ?= "570b02954e1cf598ba8792aa6127ddde7f2af647" -SRCREV_machine ?= "934b0d629afd6e3bf31fcaeada9828b1f13dbd91" -SRCREV_meta ?= "957ddf5f9d4bf5791e88a46ce9ec4352a6d0a171" +SRCREV_machine:qemuarm ?= "676a22c65ec0f8bb5dc7e13d130f6e3764959d75" +SRCREV_machine:qemuarm64 ?= "f0e7afd5948f71be062cd9194b56cd03de94b7cb" +SRCREV_machine:qemumips ?= "0f1ceb9008f182cd7f21420bbec6f21a67da8397" +SRCREV_machine:qemuppc ?= "4ec9fc13283ce01627ef8c32617a1eb71e127c62" +SRCREV_machine:qemuriscv64 ?= "1c09be01f4b87f60ea64136459167d73502a118f" +SRCREV_machine:qemuriscv32 ?= "1c09be01f4b87f60ea64136459167d73502a118f" +SRCREV_machine:qemux86 ?= "1c09be01f4b87f60ea64136459167d73502a118f" +SRCREV_machine:qemux86-64 ?= "1c09be01f4b87f60ea64136459167d73502a118f" +SRCREV_machine:qemumips64 ?= "fad09cc6acf2175aa6b5979ef48cd5f05afc3da0" +SRCREV_machine ?= "1c09be01f4b87f60ea64136459167d73502a118f" +SRCREV_meta ?= "f484a7f175b4f3c4f7d2b553cde232bd41f757d8" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "1fe619a7d25218e9b9fdcce9fcac6a05cd62abed" +SRCREV_machine:class-devupstream ?= "38d4ca22a5288c4bae7e6d62a1728b0718d51866" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v5.15/base" @@ -38,7 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.15.113" +LINUX_VERSION ?= "5.15.124" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb index 6640000d83..df477b7dee 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb @@ -17,25 +17,25 @@ KBRANCH:qemux86-64 ?= "v6.1/standard/base" KBRANCH:qemuloongarch64 ?= "v6.1/standard/base" KBRANCH:qemumips64 ?= "v6.1/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "0b80e90b38ae1735c7dab701ca3d0b2447376ccc" -SRCREV_machine:qemuarm64 ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_machine:qemuloongarch64 ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_machine:qemumips ?= "db61d7fe3540904fbe77b532ce3e37aeb737524a" -SRCREV_machine:qemuppc ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_machine:qemuriscv64 ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_machine:qemuriscv32 ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_machine:qemux86 ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_machine:qemux86-64 ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_machine:qemumips64 ?= "aacc52b6216955723cebb5bc493a4210357b23b2" -SRCREV_machine ?= "581dc1aa2f340fff2cc010067257185fa2c993f9" -SRCREV_meta ?= "36901b5b298e601fe73dd79aaff8b615a7762013" +SRCREV_machine:qemuarm ?= "4e49d63e747e81aebad5ce6091ba6de09f09d46f" +SRCREV_machine:qemuarm64 ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_machine:qemuloongarch64 ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_machine:qemumips ?= "e527feb9cd8acbcbcd7115f51cf71166fdbce11a" +SRCREV_machine:qemuppc ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_machine:qemuriscv64 ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_machine:qemuriscv32 ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_machine:qemux86 ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_machine:qemux86-64 ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_machine:qemumips64 ?= "296b096f4c747e4c4b31b1708fc8a0acb1dac04e" +SRCREV_machine ?= "44fd0c7a5a7955282a1ab24bf3dcdee068839ad2" +SRCREV_meta ?= "295d37e268bc02070da670e46456227bee38795b" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "f17b0ab65d17988d5e6d6fe22f708ef3721080bf" +SRCREV_machine:class-devupstream ?= "6c44e13dc284f7f4db17706ca48fd016d6b3d49a" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.1/base" @@ -43,7 +43,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.1;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.1.25" +LINUX_VERSION ?= "6.1.46" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/lttng/babeltrace2_2.0.4.bb b/poky/meta/recipes-kernel/lttng/babeltrace2_2.0.5.bb index 16d8b945a4..9a4007fb25 100644 --- a/poky/meta/recipes-kernel/lttng/babeltrace2_2.0.4.bb +++ b/poky/meta/recipes-kernel/lttng/babeltrace2_2.0.5.bb @@ -12,7 +12,7 @@ SRC_URI = "git://git.efficios.com/babeltrace.git;branch=stable-2.0;protocol=http file://0001-tests-do-not-run-test-applications-from-.libs.patch \ file://0001-Make-manpages-multilib-identical.patch \ " -SRCREV = "23e8cf4e6fdc1d0b230e964dafac08a57e6228e6" +SRCREV = "66e76d1ea601705928899138f02730a3a2a3153d" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>2(\.\d+)+)$" S = "${WORKDIR}/git" @@ -28,6 +28,7 @@ FILES:${PN}-staticdev += "${libdir}/babeltrace2/plugins/*.a" FILES:${PN} += "${libdir}/babeltrace2/plugins/*.so" ASNEEDED = "" +LDFLAGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-lld ptest', ' -fuse-ld=bfd ', '', d)}" # coreutils since we need full mktemp RDEPENDS:${PN}-ptest += "bash gawk python3 make grep coreutils findutils" diff --git a/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.5.bb b/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.6.bb index 916408bff0..424b0fa645 100644 --- a/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.5.bb +++ b/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.6.bb @@ -34,7 +34,7 @@ SRC_URI = "https://lttng.org/files/lttng-ust/lttng-ust-${PV}.tar.bz2 \ file://0001-Makefile.am-update-rpath-link.patch \ " -SRC_URI[sha256sum] = "f1d7bb4984a3dc5dacd3b7bcb4c10c04b041b0eecd7cba1fef3d8f86aff02bd6" +SRC_URI[sha256sum] = "e7e04596dd73ac7aa99e27cd000f949dbb0fed51bd29099f9b08a25c1df0ced5" CVE_PRODUCT = "ust" diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb index 5fce30862e..297b42aebb 100644 --- a/poky/meta/recipes-kernel/perf/perf.bb +++ b/poky/meta/recipes-kernel/perf/perf.bb @@ -135,6 +135,10 @@ PERF_EXTRA_LDFLAGS:mipsarchn64el = "-m elf64ltsmip" do_compile() { # Linux kernel build system is expected to do the right thing unset CFLAGS + test -e ${S}/tools/lib/traceevent/plugins/Makefile && \ + sed -i -e 's|\$(libdir)/traceevent/plugins|\$(libdir)/traceevent_${KERNEL_VERSION}/plugins|g' ${S}/tools/lib/traceevent/plugins/Makefile + test -e ${S}/tools/perf/Makefile.config && \ + sed -i -e 's|\$(libdir)/traceevent/plugins|\$(libdir)/traceevent_${KERNEL_VERSION}/plugins|g' ${S}/tools/perf/Makefile.config oe_runmake all } @@ -361,7 +365,7 @@ RSUGGESTS_SCRIPTING = "${@bb.utils.contains('PACKAGECONFIG', 'scripting', '${PN} RSUGGESTS:${PN} += "${PN}-archive ${PN}-tests ${RSUGGESTS_SCRIPTING}" FILES_SOLIBSDEV = "" -FILES:${PN} += "${libexecdir}/perf-core ${exec_prefix}/libexec/perf-core ${libdir}/traceevent ${libdir}/libperf-jvmti.so" +FILES:${PN} += "${libexecdir}/perf-core ${exec_prefix}/libexec/perf-core ${libdir}/traceevent* ${libdir}/libperf-jvmti.so" FILES:${PN}-archive = "${libdir}/perf/perf-core/perf-archive" FILES:${PN}-tests = "${libdir}/perf/perf-core/tests ${libexecdir}/perf-core/tests" FILES:${PN}-python = " \ diff --git a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb index ce60154f1e..cd3f52fc76 100644 --- a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb +++ b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb @@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "fe81e8a8694dc4753a45087a1c4c7e1b48dee5a59f5f796ce374ea550f0b2e73" +SRC_URI[sha256sum] = "f254d08ab3765aeae2b856222e11a95d44aef519a6663877c71ef68fae4c8c12" inherit bin_package allarch diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch deleted file mode 100644 index 2775a81cc8..0000000000 --- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 92f9b28ed84a77138105475beba16c146bdaf984 Mon Sep 17 00:00:00 2001 -From: Paul B Mahol <onemda@gmail.com> -Date: Sat, 12 Nov 2022 16:12:00 +0100 -Subject: [PATCH] avcodec/rpzaenc: stop accessing out of bounds frame - -Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/92f9b28ed84a77138105475beba16c146bdaf984] - -Signed-off-by: <narpat.mali@windriver.com> - ---- - libavcodec/rpzaenc.c | 22 +++++++++++++++------- - 1 file changed, 15 insertions(+), 7 deletions(-) - -diff --git a/libavcodec/rpzaenc.c b/libavcodec/rpzaenc.c -index d710eb4f82..4ced9523e2 100644 ---- a/libavcodec/rpzaenc.c -+++ b/libavcodec/rpzaenc.c -@@ -205,7 +205,7 @@ static void get_max_component_diff(const BlockInfo *bi, const uint16_t *block_pt - - // loop thru and compare pixels - for (y = 0; y < bi->block_height; y++) { -- for (x = 0; x < bi->block_width; x++){ -+ for (x = 0; x < bi->block_width; x++) { - // TODO: optimize - min_r = FFMIN(R(block_ptr[x]), min_r); - min_g = FFMIN(G(block_ptr[x]), min_g); -@@ -278,7 +278,7 @@ static int leastsquares(const uint16_t *block_ptr, const BlockInfo *bi, - return -1; - - for (i = 0; i < bi->block_height; i++) { -- for (j = 0; j < bi->block_width; j++){ -+ for (j = 0; j < bi->block_width; j++) { - x = GET_CHAN(block_ptr[j], xchannel); - y = GET_CHAN(block_ptr[j], ychannel); - sumx += x; -@@ -325,7 +325,7 @@ static int calc_lsq_max_fit_error(const uint16_t *block_ptr, const BlockInfo *bi - int max_err = 0; - - for (i = 0; i < bi->block_height; i++) { -- for (j = 0; j < bi->block_width; j++){ -+ for (j = 0; j < bi->block_width; j++) { - int x_inc, lin_y, lin_x; - x = GET_CHAN(block_ptr[j], xchannel); - y = GET_CHAN(block_ptr[j], ychannel); -@@ -420,7 +420,9 @@ static void update_block_in_prev_frame(const uint16_t *src_pixels, - uint16_t *dest_pixels, - const BlockInfo *bi, int block_counter) - { -- for (int y = 0; y < 4; y++) { -+ const int y_size = FFMIN(4, bi->image_height - bi->row * 4); -+ -+ for (int y = 0; y < y_size; y++) { - memcpy(dest_pixels, src_pixels, 8); - dest_pixels += bi->rowstride; - src_pixels += bi->rowstride; -@@ -730,14 +732,15 @@ post_skip : - - if (err > s->sixteen_color_thresh) { // DO SIXTEEN COLOR BLOCK - uint16_t *row_ptr; -- int rgb555; -+ int y_size, rgb555; - - block_offset = get_block_info(&bi, block_counter); - - row_ptr = &src_pixels[block_offset]; -+ y_size = FFMIN(4, bi.image_height - bi.row * 4); - -- for (int y = 0; y < 4; y++) { -- for (int x = 0; x < 4; x++){ -+ for (int y = 0; y < y_size; y++) { -+ for (int x = 0; x < 4; x++) { - rgb555 = row_ptr[x] & ~0x8000; - - put_bits(&s->pb, 16, rgb555); -@@ -745,6 +748,11 @@ post_skip : - row_ptr += bi.rowstride; - } - -+ for (int y = y_size; y < 4; y++) { -+ for (int x = 0; x < 4; x++) -+ put_bits(&s->pb, 16, 0); -+ } -+ - block_counter++; - } else { // FOUR COLOR BLOCK - block_counter += encode_four_color_block(min_color, max_color, --- -2.34.1 - diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch deleted file mode 100644 index 923fc6a9c1..0000000000 --- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 13c13109759090b7f7182480d075e13b36ed8edd Mon Sep 17 00:00:00 2001 -From: Paul B Mahol <onemda@gmail.com> -Date: Sat, 12 Nov 2022 15:19:21 +0100 -Subject: [PATCH] avcodec/smcenc: stop accessing out of bounds frame - -Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/13c13109759090b7f7182480d075e13b36ed8edd] - -Signed-off-by: <narpat.mali@windriver.com> - ---- - libavcodec/smcenc.c | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c -index f3d26a4e8d..33549b8ab4 100644 ---- a/libavcodec/smcenc.c -+++ b/libavcodec/smcenc.c -@@ -61,6 +61,7 @@ typedef struct SMCContext { - { \ - row_ptr += stride * 4; \ - pixel_ptr = row_ptr; \ -+ cur_y += 4; \ - } \ - } \ - } -@@ -117,6 +118,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, - const uint8_t *prev_pixels = (const uint8_t *)s->prev_frame->data[0]; - uint8_t *distinct_values = s->distinct_values; - const uint8_t *pixel_ptr, *row_ptr; -+ const int height = frame->height; - const int width = frame->width; - uint8_t block_values[16]; - int block_counter = 0; -@@ -125,13 +127,14 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, - int color_octet_index = 0; - int color_table_index; /* indexes to color pair, quad, or octet tables */ - int total_blocks; -+ int cur_y = 0; - - memset(s->color_pairs, 0, sizeof(s->color_pairs)); - memset(s->color_quads, 0, sizeof(s->color_quads)); - memset(s->color_octets, 0, sizeof(s->color_octets)); - - /* Number of 4x4 blocks in frame. */ -- total_blocks = ((frame->width + 3) / 4) * ((frame->height + 3) / 4); -+ total_blocks = ((width + 3) / 4) * ((height + 3) / 4); - - pixel_ptr = row_ptr = src_pixels; - -@@ -145,11 +148,13 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, - int cache_index; - int distinct = 0; - int blocks = 0; -+ int frame_y = cur_y; - - while (prev_pixels && s->key_frame == 0 && block_counter + inter_skip_blocks < total_blocks) { -+ const int y_size = FFMIN(4, height - cur_y); - int compare = 0; - -- for (int y = 0; y < 4; y++) { -+ for (int y = 0; y < y_size; y++) { - const ptrdiff_t offset = pixel_ptr - src_pixels; - const uint8_t *prev_pixel_ptr = prev_pixels + offset; - -@@ -170,8 +175,10 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, - - pixel_ptr = xpixel_ptr; - row_ptr = xrow_ptr; -+ cur_y = frame_y; - - while (block_counter > 0 && block_counter + intra_skip_blocks < total_blocks) { -+ const int y_size = FFMIN(4, height - cur_y); - const ptrdiff_t offset = pixel_ptr - src_pixels; - const int sy = offset / stride; - const int sx = offset % stride; -@@ -180,7 +187,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, - const uint8_t *old_pixel_ptr = src_pixels + nx + ny * stride; - int compare = 0; - -- for (int y = 0; y < 4; y++) { -+ for (int y = 0; y < y_size; y++) { - compare |= memcmp(old_pixel_ptr + y * stride, pixel_ptr + y * stride, 4); - if (compare) - break; -@@ -197,9 +204,11 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, - - pixel_ptr = xpixel_ptr; - row_ptr = xrow_ptr; -+ cur_y = frame_y; - - while (block_counter + coded_blocks < total_blocks && coded_blocks < 256) { -- for (int y = 0; y < 4; y++) -+ const int y_size = FFMIN(4, height - cur_y); -+ for (int y = 0; y < y_size; y++) - memcpy(block_values + y * 4, pixel_ptr + y * stride, 4); - - qsort(block_values, 16, sizeof(block_values[0]), smc_cmp_values); -@@ -224,6 +233,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, - - pixel_ptr = xpixel_ptr; - row_ptr = xrow_ptr; -+ cur_y = frame_y; - - blocks = coded_blocks; - distinct = coded_distinct; --- -2.34.1 - diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/ffmpeg-fix-vulkan.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/ffmpeg-fix-vulkan.patch deleted file mode 100644 index 95bd608a27..0000000000 --- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/ffmpeg-fix-vulkan.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Lynne <dev@lynne.ee> -Date: Sun, 25 Dec 2022 00:03:30 +0000 (+0100) -Subject: hwcontext_vulkan: remove optional encode/decode extensions from the list -X-Git-Url: http://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/eb0455d64690 - -hwcontext_vulkan: remove optional encode/decode extensions from the list - -They're not currently used, so they don't need to be there. -Vulkan stabilized the decode extensions less than a week ago, and their -name prefixes were changed from EXT to KHR. It's a bit too soon to be -depending on it, so rather than bumping, just remove these for now. - -Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/eb0455d64690] ---- - -diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c -index f1db1c7291..2a9b5f4aac 100644 ---- a/libavutil/hwcontext_vulkan.c -+++ b/libavutil/hwcontext_vulkan.c -@@ -358,14 +358,6 @@ static const VulkanOptExtension optional_device_exts[] = { - { VK_KHR_EXTERNAL_MEMORY_WIN32_EXTENSION_NAME, FF_VK_EXT_EXTERNAL_WIN32_MEMORY }, - { VK_KHR_EXTERNAL_SEMAPHORE_WIN32_EXTENSION_NAME, FF_VK_EXT_EXTERNAL_WIN32_SEM }, - #endif -- -- /* Video encoding/decoding */ -- { VK_KHR_VIDEO_QUEUE_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, -- { VK_KHR_VIDEO_DECODE_QUEUE_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, -- { VK_KHR_VIDEO_ENCODE_QUEUE_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, -- { VK_EXT_VIDEO_ENCODE_H264_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, -- { VK_EXT_VIDEO_DECODE_H264_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, -- { VK_EXT_VIDEO_DECODE_H265_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, - }; - - /* Converts return values to strings */ diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.3.bb index cccd9f65ab..9899e570ad 100644 --- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.3.bb @@ -23,12 +23,15 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://COPYING.LGPLv3;md5=e6a600fd5e1d9cbde2d983680233ad02" SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ - file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ - file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ - file://ffmpeg-fix-vulkan.patch \ " -SRC_URI[sha256sum] = "619e706d662c8420859832ddc259cd4d4096a48a2ce1eefd052db9e440eef3dc" +SRC_URI[sha256sum] = "1b113593ff907293be7aed95acdda5e785dd73616d7d4ec90a0f6adbc5a0312e" + +# CVE-2023-39018 issue belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg CLI) +# and not ffmepg itself. +# https://security-tracker.debian.org/tracker/CVE-2023-39018 +# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018 +CVE_CHECK_IGNORE += "CVE-2023-39018" # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 ARM_INSTRUCTION_SET:armv4 = "arm" diff --git a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb index 8b282bbb7b..3e029396a6 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb @@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV} file://0001-connect-has-a-different-signature-on-musl.patch \ " -SRC_URI[sha256sum] = "eb62726d3e27a8782369a24fd6364a8885ed2462b3bbdab091dffc8139ee06d8" +SRC_URI[sha256sum] = "2add1519aa6eeb01d544cb94293688ee3bc2079f6bca6075bf5c23d00a0921be" DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 gstreamer1.0-plugins-base" RRECOMMENDS:${PN} = "git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb index ed3dbaca22..af9dc5d2d5 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \ " SRC_URI = "https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz" -SRC_URI[sha256sum] = "fcaaf9878fe8f3bc82317ef13a1558824cb68df1f8968c6797f556c5e33bcffd" +SRC_URI[sha256sum] = "8583f0c1f4fcb01eed11fa1e3c21126543a8bd739ed4fc1db31f756a5ab01d9a" S = "${WORKDIR}/gst-libav-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.5.bb index d2d23050d9..5d99810cd4 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.5.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-${PV}.tar.xz" -SRC_URI[sha256sum] = "1b0c57f2cc4ddeec5e7f0c436e502f06665c4e93c73261855b94e04fc94337b2" +SRC_URI[sha256sum] = "cf0cb9c4de06c5d62eef77cb31238bbaf257dc88802010072eedd1c168f136a4" S = "${WORKDIR}/gst-omx-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.5.bb index 6260f9586b..94e5bb894c 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.5.bb @@ -10,7 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0002-avoid-including-sys-poll.h-directly.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ " -SRC_URI[sha256sum] = "3d8faf1ce3402c8535ce3a8c4e1a6c960e4b5655dbda6b55943db9ac79022d0f" +SRC_URI[sha256sum] = "e64e75cdafd7ff2fc7fc34e855b06b1e3ed227cc06fa378d17bbcd76780c338c" S = "${WORKDIR}/gst-plugins-bad-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.5.bb index c1e5d0cd09..74105a44e7 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.5.bb @@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ " -SRC_URI[sha256sum] = "eb65120c4ee79b7a153c3c1972d5c0158c2151877cc51ec7725bba5749679d49" +SRC_URI[sha256sum] = "edd4338b45c26a9af28c0d35aab964a024c3884ba6f520d8428df04212c8c93a" S = "${WORKDIR}/gst-plugins-base-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.5.bb index a9352949b5..93f0e76ee9 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.5.bb @@ -8,7 +8,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch" -SRC_URI[sha256sum] = "7c8cc59425f2b232f60ca7d13e56edd615da4f711e73dd01a7cffa46e6bc0cdd" +SRC_URI[sha256sum] = "b67b31313a54c6929b82969d41d3cfdf2f58db573fb5f491e6bba5d84aea0778" S = "${WORKDIR}/gst-plugins-good-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.5.bb index dc81bf27f6..29d705aaaf 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.5.bb @@ -14,7 +14,7 @@ LICENSE_FLAGS = "commercial" SRC_URI = " \ https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-${PV}.tar.xz \ " -SRC_URI[sha256sum] = "8f30f44db0bd063709bf6fbe55138e3a98af0abcb61c360f35582bbe10e80691" +SRC_URI[sha256sum] = "2680473b218158f18467cac3e1c50291b7ff4e0710dd350a59eaacbc29c09a54" S = "${WORKDIR}/gst-plugins-ugly-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.5.bb index ab1600db41..be817bf3f5 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.5.bb @@ -8,7 +8,7 @@ LICENSE = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=c34deae4e395ca07e725ab0076a5f740" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "bef2b3d82ce4be46b775b1bb56305c1003ee01b535a53a82f9fe8924972153ad" +SRC_URI[sha256sum] = "bf05232415cf6018142ae51dd3b897bb73432687b5ce1786bf46edc6298ce5b0" DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" RDEPENDS:${PN} += "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.5.bb index 02c2badc2a..84c51e8a6c 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.5.bb @@ -10,7 +10,7 @@ PNREAL = "gst-rtsp-server" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "2be4aecfb88710100ea7115ed0216403e8094344ebf146094271b8d4d73828bf" +SRC_URI[sha256sum] = "f343eb54964ebd4d8c071be5eecad586f28feb0156e036e06b148d0e7febb1c0" S = "${WORKDIR}/${PNREAL}-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.5.bb index 6111720976..231d252323 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.5.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "d2e642f9745f97d9f73a7f5085e7659a9a31fe209b774e6e45dae041b435df06" +SRC_URI[sha256sum] = "a9a550267c9584df0e8c70434d30476e8fd0018b733c1c1ee33deaf422bdb24b" S = "${WORKDIR}/${REALPN}-${PV}" DEPENDS = "libva gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.2.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.5.bb index f6dd2c168e..2dacf037f8 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.2.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.5.bb @@ -22,7 +22,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0003-tests-use-a-dictionaries-for-environment.patch;striplevel=3 \ file://0004-tests-add-helper-script-to-run-the-installed_tests.patch;striplevel=3 \ " -SRC_URI[sha256sum] = "b2afe73603921c608ba48969dbb7d743776744bfe5d8059ece241137b7f88e21" +SRC_URI[sha256sum] = "4408d7930f381809e85917acc19712f173261ba85bdf20c5567b2a21b1193b61" PACKAGECONFIG ??= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \ check \ diff --git a/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch deleted file mode 100644 index e356d377ea..0000000000 --- a/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch +++ /dev/null @@ -1,29 +0,0 @@ -CVE: CVE-2022-48281 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001 -From: Su Laus <sulau@freenet.de> -Date: Sat, 21 Jan 2023 15:58:10 +0000 -Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. - ---- - tools/tiffcrop.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 14fa18da..7db69883 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image, - cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { -- prev_cropsize = seg_buffs[0].size; -+ prev_cropsize = seg_buffs[i].size; - if (prev_cropsize < cropsize) - { - next_buff = _TIFFrealloc( --- -GitLab - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb index f8a2482a84..5af3f84265 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb @@ -8,10 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3" CVE_PRODUCT = "libtiff" -SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - file://CVE-2022-48281.patch" +SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz" -SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464" +SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b" # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" @@ -19,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 # and 4.3.0 doesn't have the issue CVE_CHECK_IGNORE += "CVE-2015-7313" -# These issues only affect libtiff post-4.3.0 but before 4.4.0, -# caused by 3079627e and fixed by b4e79bfa. -CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" -# Issue is in jbig which we don't enable -CVE_CHECK_IGNORE += "CVE-2022-1210" inherit autotools multilib_header diff --git a/poky/meta/recipes-multimedia/webp/libwebp_1.3.0.bb b/poky/meta/recipes-multimedia/webp/libwebp_1.3.1.bb index 7b4d138d2c..0a345498c1 100644 --- a/poky/meta/recipes-multimedia/webp/libwebp_1.3.0.bb +++ b/poky/meta/recipes-multimedia/webp/libwebp_1.3.1.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7" SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz" -SRC_URI[sha256sum] = "64ac4614db292ae8c5aa26de0295bf1623dbb3985054cb656c55e67431def17c" +SRC_URI[sha256sum] = "b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66" UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html" diff --git a/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch new file mode 100644 index 0000000000..c6ac6b4a1c --- /dev/null +++ b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch @@ -0,0 +1,59 @@ +CVE: CVE-2023-32435 + +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/50c7aae] + +Backport and rebase patch to fix CVE-2023-32435 for webkitgtk 2.38.6: + +* drop the patches for the files WasmAirIRGenerator64.cpp and + WasmAirIRGeneratorBase.h which are involved in 2.40.0 +* drop test cases as well + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 50c7aaec2f53ab3b960f1b299aad5009df6f1967 Mon Sep 17 00:00:00 2001 +From: Justin Michaud <justin_michaud@apple.com> +Date: Wed, 8 Feb 2023 14:41:34 -0800 +Subject: [PATCH] Fixup air pointer args if they are not valid in BBQ + https://bugs.webkit.org/show_bug.cgi?id=251890 rdar://105079565 + +Reviewed by Mark Lam and Yusuke Suzuki. + +We are not fixing up air args if their offsets don't fit into the instruction +in a few cases. + +Here are some examples: + +MoveDouble 28480(%sp), %q16 ; too big +MoveVector 248(%sp), %q16 ; not 16-byte aligned + +Let's fix up these arguments. We also fix a missing validation check +when parsing exception tags exposed by this test. + +* Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp: +(JSC::Wasm::AirIRGenerator64::addReturn): +* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h: +(JSC::Wasm::AirIRGeneratorBase::emitPatchpoint): + +oops + +Canonical link: https://commits.webkit.org/260038@main +--- + Source/JavaScriptCore/wasm/WasmSectionParser.cpp | 2 + + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp +index 6b8f9016..a5f3a88b 100644 +--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp ++++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp +@@ -917,6 +917,8 @@ auto SectionParser::parseException() -> PartialResult + WASM_PARSER_FAIL_IF(!parseVarUInt32(typeNumber), "can't get ", exceptionNumber, "th Exception's type number"); + WASM_PARSER_FAIL_IF(typeNumber >= m_info->typeCount(), exceptionNumber, "th Exception type number is invalid ", typeNumber); + TypeIndex typeIndex = TypeInformation::get(m_info->typeSignatures[typeNumber]); ++ auto signature = TypeInformation::getFunctionSignature(typeIndex); ++ WASM_PARSER_FAIL_IF(!signature.returnsVoid(), exceptionNumber, "th Exception type cannot have a non-void return type ", typeNumber); + m_info->internalExceptionTypeIndices.uncheckedAppend(typeIndex); + } + +-- +2.34.1 + diff --git a/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch new file mode 100644 index 0000000000..5c240011e0 --- /dev/null +++ b/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch @@ -0,0 +1,128 @@ +CVE: CVE-2023-32439 + +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001 +From: Yijia Huang <yijia_huang@apple.com> +Date: Wed, 10 May 2023 09:41:48 -0700 +Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c). + https://bugs.webkit.org/show_bug.cgi?id=256567 + + EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds + https://bugs.webkit.org/show_bug.cgi?id=256567 + rdar://109089013 + + Reviewed by Yusuke Suzuki. + + EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However, + they might introduce the same heap location kind in DFGClobberize.h which might lead to + hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode. + + * JSTests/stress/heap-location-collision-dfg-clobberize.js: Added. + (foo): + * Source/JavaScriptCore/dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * Source/JavaScriptCore/dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * Source/JavaScriptCore/dfg/DFGHeapLocation.h: + + Canonical link: https://commits.webkit.org/263909@main + +Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40 +--- + .../stress/heap-location-collision-dfg-clobberize.js | 12 ++++++++++++ + Source/JavaScriptCore/dfg/DFGClobberize.h | 7 ++++--- + Source/JavaScriptCore/dfg/DFGHeapLocation.cpp | 4 ++++ + Source/JavaScriptCore/dfg/DFGHeapLocation.h | 1 + + 4 files changed, 21 insertions(+), 3 deletions(-) + create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js + +diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js b/JSTests/stress/heap-location-collision-dfg-clobberize.js +new file mode 100644 +index 000000000000..ed40601ea37f +--- /dev/null ++++ b/JSTests/stress/heap-location-collision-dfg-clobberize.js +@@ -0,0 +1,12 @@ ++//@ runDefault("--watchdog=300", "--watchdog-exception-ok") ++const arr = [0]; ++ ++function foo() { ++ for (let _ in arr) { ++ 0 in arr; ++ while(1); ++ } ++} ++ ++ ++foo(); +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h +index e4db64155316..5ec334787c0c 100644 +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h ++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h +@@ -383,6 +383,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + + read(JSObject_butterfly); + ArrayMode mode = node->arrayMode(); ++ LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc; + switch (mode.type()) { + case Array::ForceExit: { + write(SideState); +@@ -392,7 +393,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + if (mode.isInBounds()) { + read(Butterfly_publicLength); + read(IndexedInt32Properties); +- def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); ++ def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); + return; + } + break; +@@ -402,7 +403,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + if (mode.isInBounds()) { + read(Butterfly_publicLength); + read(IndexedDoubleProperties); +- def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); ++ def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); + return; + } + break; +@@ -412,7 +413,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + if (mode.isInBounds()) { + read(Butterfly_publicLength); + read(IndexedContiguousProperties); +- def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); ++ def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); + return; + } + break; +diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp +index 0661e5b826b7..698a6d4b6062 100644 +--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp ++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp +@@ -134,6 +134,10 @@ void printInternal(PrintStream& out, LocationKind kind) + out.print("HasIndexedPorpertyLoc"); + return; + ++ case EnumeratorNextUpdateIndexAndModeLoc: ++ out.print("EnumeratorNextUpdateIndexAndModeLoc"); ++ return; ++ + case IndexedPropertyDoubleLoc: + out.print("IndexedPropertyDoubleLoc"); + return; +diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h +index 40fb71673284..7238491b02c9 100644 +--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h ++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h +@@ -46,6 +46,7 @@ enum LocationKind { + DirectArgumentsLoc, + GetterLoc, + GlobalVariableLoc, ++ EnumeratorNextUpdateIndexAndModeLoc, + HasIndexedPropertyLoc, + IndexedPropertyDoubleLoc, + IndexedPropertyDoubleSaneChainLoc, +-- +2.34.1 + diff --git a/poky/meta/recipes-sato/webkit/webkitgtk_2.38.5.bb b/poky/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb index 36c6233b33..813198df5f 100644 --- a/poky/meta/recipes-sato/webkit/webkitgtk_2.38.5.bb +++ b/poky/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb @@ -14,8 +14,10 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \ file://reproducibility.patch \ file://0d3344e17d258106617b0e6d783d073b188a2548.patch \ file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \ + file://CVE-2023-32435.patch \ + file://CVE-2023-32439.patch \ " -SRC_URI[sha256sum] = "40c20c43022274df5893f22b1054fa894c3eea057389bb08aee08c5b0bb0c1a7" +SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b" inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gi-docgen diff --git a/poky/meta/recipes-support/apr/apr_1.7.3.bb b/poky/meta/recipes-support/apr/apr_1.7.4.bb index 9a93fe0967..e571469341 100644 --- a/poky/meta/recipes-support/apr/apr_1.7.3.bb +++ b/poky/meta/recipes-support/apr/apr_1.7.4.bb @@ -24,7 +24,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \ " -SRC_URI[sha256sum] = "455e218c060c474f2c834816873f6ed69c0cf0e4cfee54282cc93e8e989ee59e" +SRC_URI[sha256sum] = "fc648de983f3a2a6c9e78dea1f180639bd2fad6c06d556d4367a701fe5c35577" inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-28319.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-28319.patch new file mode 100644 index 0000000000..c843a18174 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-28319.patch @@ -0,0 +1,38 @@ +From 8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 8 May 2023 14:33:54 +0200 +Subject: [PATCH] libssh2: free fingerprint better + +Reported-by: Wei Chong Tan +Closes #11088 + +CVE: CVE-2023-28319 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> + +--- + lib/vssh/libssh2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index bfcc94e16..dd39a844c 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -728,11 +728,10 @@ static CURLcode ssh_check_fingerprint(struct Curl_easy *data) + */ + if((pub_pos != b64_pos) || + strncmp(fingerprint_b64, pubkey_sha256, pub_pos)) { +- free(fingerprint_b64); +- + failf(data, + "Denied establishing ssh session: mismatch sha256 fingerprint. " + "Remote %s is not equal to %s", fingerprint_b64, pubkey_sha256); ++ free(fingerprint_b64); + state(data, SSH_SESSION_FREE); + sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; + return sshc->actualcode; +-- +2.25.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch new file mode 100644 index 0000000000..3c06d8c518 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch @@ -0,0 +1,80 @@ +From e442feb37ba25c80b8480b908d1c570fd9f41c5e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 16 May 2023 23:40:42 +0200 +Subject: [PATCH] hostip: include easy_lock.h before using + GLOBAL_INIT_IS_THREADSAFE + +Since that header file is the only place that define can be defined. + +Reported-by: Marc Deslauriers + +Follow-up to 13718030ad4b3209 + +Closes #11121 + +CVE: CVE-2023-28320 +Upstream-Status: Backport [https://github.com/curl/curl/commit/f446258f0269] + +(cherry picked from commit f446258f0269a62289cca0210157cb8558d0edc3) +Signed-off-by: Sanjay Chitroda <sanjay.chitroda@einfochips.com> + +--- + lib/hostip.c | 10 ++++------ + lib/hostip.h | 9 --------- + 2 files changed, 4 insertions(+), 15 deletions(-) + +diff --git a/lib/hostip.c b/lib/hostip.c +index d6906a2e8..2d26b5628 100644 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -70,6 +70,8 @@ + #include <SystemConfiguration/SCDynamicStoreCopySpecific.h> + #endif + ++#include "easy_lock.h" ++ + #if defined(CURLRES_SYNCH) && \ + defined(HAVE_ALARM) && \ + defined(SIGALRM) && \ +@@ -79,10 +81,6 @@ + #define USE_ALARM_TIMEOUT + #endif + +-#ifdef USE_ALARM_TIMEOUT +-#include "easy_lock.h" +-#endif +- + #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ + + /* +@@ -265,8 +263,8 @@ void Curl_hostcache_prune(struct Curl_easy *data) + /* Beware this is a global and unique instance. This is used to store the + return address that we can jump back to from inside a signal handler. This + is not thread-safe stuff. */ +-sigjmp_buf curl_jmpenv; +-curl_simple_lock curl_jmpenv_lock; ++static sigjmp_buf curl_jmpenv; ++static curl_simple_lock curl_jmpenv_lock; + #endif + + /* lookup address, returns entry if found and not stale */ +diff --git a/lib/hostip.h b/lib/hostip.h +index 4b5481f65..0dd19e87c 100644 +--- a/lib/hostip.h ++++ b/lib/hostip.h +@@ -186,15 +186,6 @@ Curl_cache_addr(struct Curl_easy *data, struct Curl_addrinfo *addr, + #define CURL_INADDR_NONE INADDR_NONE + #endif + +-#ifdef HAVE_SIGSETJMP +-/* Forward-declaration of variable defined in hostip.c. Beware this +- * is a global and unique instance. This is used to store the return +- * address that we can jump back to from inside a signal handler. +- * This is not thread-safe stuff. +- */ +-extern sigjmp_buf curl_jmpenv; +-#endif +- + /* + * Function provided by the resolver backend to set DNS servers to use. + */ diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-28320.patch new file mode 100644 index 0000000000..c7cfd6a42f --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-28320.patch @@ -0,0 +1,88 @@ +From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen <sintonen@iki.fi> +Date: Tue, 25 Apr 2023 09:22:26 +0200 +Subject: [PATCH] hostip: add locks around use of global buffer for alarm() + +When building with the sync name resolver and timeout ability we now +require thread-safety to be present to enable it. + +Closes #11030 + +CVE: CVE-2023-28320 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/hostip.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/hostip.c b/lib/hostip.c +index 2381290fd..e410cda69 100644 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -70,12 +70,19 @@ + #include <SystemConfiguration/SCDynamicStoreCopySpecific.h> + #endif + +-#if defined(CURLRES_SYNCH) && \ +- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP) ++#if defined(CURLRES_SYNCH) && \ ++ defined(HAVE_ALARM) && \ ++ defined(SIGALRM) && \ ++ defined(HAVE_SIGSETJMP) && \ ++ defined(GLOBAL_INIT_IS_THREADSAFE) + /* alarm-based timeouts can only be used with all the dependencies satisfied */ + #define USE_ALARM_TIMEOUT + #endif + ++#ifdef USE_ALARM_TIMEOUT ++#include "easy_lock.h" ++#endif ++ + #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ + + /* +@@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data) + Curl_share_unlock(data, CURL_LOCK_DATA_DNS); + } + +-#ifdef HAVE_SIGSETJMP ++#ifdef USE_ALARM_TIMEOUT + /* Beware this is a global and unique instance. This is used to store the + return address that we can jump back to from inside a signal handler. This + is not thread-safe stuff. */ + sigjmp_buf curl_jmpenv; ++curl_simple_lock curl_jmpenv_lock; + #endif + + /* lookup address, returns entry if found and not stale */ +@@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data, + static + void alarmfunc(int sig) + { +- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ + (void)sig; + siglongjmp(curl_jmpenv, 1); + } +@@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data, + This should be the last thing we do before calling Curl_resolv(), + as otherwise we'd have to worry about variables that get modified + before we invoke Curl_resolv() (and thus use "volatile"). */ ++ curl_simple_lock_lock(&curl_jmpenv_lock); ++ + if(sigsetjmp(curl_jmpenv, 1)) { + /* this is coming from a siglongjmp() after an alarm signal */ + failf(data, "name lookup timed out"); +@@ -980,6 +989,8 @@ clean_up: + #endif + #endif /* HAVE_SIGACTION */ + ++ curl_simple_lock_unlock(&curl_jmpenv_lock); ++ + /* switch back the alarm() to either zero or to what it was before minus + the time we spent until now! */ + if(prev_alarm) { +-- +2.25.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-28321.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-28321.patch new file mode 100644 index 0000000000..d328d83afa --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-28321.patch @@ -0,0 +1,111 @@ +From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 24 Apr 2023 21:07:02 +0200 +Subject: [PATCH] hostcheck: fix host name wildcard checking + +The leftmost "label" of the host name can now only match against single +'*'. Like the browsers have worked for a long time. + +Reported-by: Hiroki Kurosawa +Closes #11018 + +CVE: CVE-2023-28321 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/199f2d440d8659b42] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/vtls/hostcheck.c | 50 +++++++-------- + 1 file changed, 202 insertions(+), 180 deletions(-) + +diff --git a/lib/vtls/hostcheck.c b/lib/vtls/hostcheck.c +index e827dc58f..d061c6356 100644 +--- a/lib/vtls/hostcheck.c ++++ b/lib/vtls/hostcheck.c +@@ -71,7 +71,12 @@ static bool pmatch(const char *hostname, size_t hostlen, + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * + * Return TRUE on a match. FALSE if not. ++ * ++ * @unittest: 1397 + */ + + static bool hostmatch(const char *hostname, +@@ -79,53 +84,42 @@ static bool hostmatch(const char *hostname, + const char *pattern, + size_t patternlen) + { +- const char *pattern_label_end, *wildcard, *hostname_label_end; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end; + +- /* normalize pattern and hostname by stripping off trailing dots */ ++ DEBUGASSERT(pattern); + DEBUGASSERT(patternlen); ++ DEBUGASSERT(hostname); ++ DEBUGASSERT(hostlen); ++ ++ /* normalize pattern and hostname by stripping off trailing dots */ + if(hostname[hostlen-1]=='.') + hostlen--; + if(pattern[patternlen-1]=='.') + patternlen--; + +- wildcard = memchr(pattern, '*', patternlen); +- if(!wildcard) ++ if(strncmp(pattern, "*.", 2)) + return pmatch(hostname, hostlen, pattern, patternlen); + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_host_is_ipnum(hostname)) ++ else if(Curl_host_is_ipnum(hostname)) + return FALSE; + + /* We require at least 2 dots in the pattern to avoid too wide wildcard + match. */ + pattern_label_end = memchr(pattern, '.', patternlen); + if(!pattern_label_end || +- (memrchr(pattern, '.', patternlen) == pattern_label_end) || +- strncasecompare(pattern, "xn--", 4)) ++ (memrchr(pattern, '.', patternlen) == pattern_label_end)) + return pmatch(hostname, hostlen, pattern, patternlen); +- +- hostname_label_end = memchr(hostname, '.', hostlen); +- if(!hostname_label_end) +- return FALSE; + else { +- size_t skiphost = hostname_label_end - hostname; +- size_t skiplen = pattern_label_end - pattern; +- if(!pmatch(hostname_label_end, hostlen - skiphost, +- pattern_label_end, patternlen - skiplen)) +- return FALSE; ++ const char *hostname_label_end = memchr(hostname, '.', hostlen); ++ if(hostname_label_end) { ++ size_t skiphost = hostname_label_end - hostname; ++ size_t skiplen = pattern_label_end - pattern; ++ return pmatch(hostname_label_end, hostlen - skiphost, ++ pattern_label_end, patternlen - skiplen); ++ } + } +- /* The wildcard must match at least one character, so the left-most +- label of the hostname is at least as large as the left-most label +- of the pattern. */ +- if(hostname_label_end - hostname < pattern_label_end - pattern) +- return FALSE; +- +- prefixlen = wildcard - pattern; +- suffixlen = pattern_label_end - (wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? TRUE : FALSE; ++ return FALSE; + } + + /* +-- +2.25.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-28322.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-28322.patch new file mode 100644 index 0000000000..d0786d7a4b --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-28322.patch @@ -0,0 +1,441 @@ +From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 + +CVE: CVE-2023-28322 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> + +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 6 +++--- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 36 insertions(+), 38 deletions(-) + +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2679a2cdc..406fb42ac 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -231,7 +231,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done) + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(data->set.upload) ++ if(data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -263,7 +263,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done) + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(data->set.upload) { ++ if(data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +diff --git a/lib/file.c b/lib/file.c +index 51c5d07ce..c751e8861 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -240,7 +240,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, "Couldn't open file %s", data->state.up.path); + file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -422,7 +422,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(data); + + file = data->req.p.file; +diff --git a/lib/ftp.c b/lib/ftp.c +index f50d7baf6..4ff68cc45 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1348,7 +1348,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data) + data->set.str[STRING_CUSTOMREQUEST]? + data->set.str[STRING_CUSTOMREQUEST]: + (data->state.list_only?"NLST":"LIST")); +- else if(data->set.upload) ++ else if(data->state.upload) + result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s", + conn->proto.ftpc.file); + else +@@ -3384,7 +3384,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3640,7 +3640,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(data, conn, data->state.prefer_ascii, + FTP_STOR_TYPE); + if(result) +@@ -4225,7 +4225,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! */ + failf(data, "Uploading to a URL without a file name"); + free(rawPath); +diff --git a/lib/http.c b/lib/http.c +index 80e43f6f3..bffdd3468 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2112,7 +2112,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, + Curl_HttpReq httpreq = (Curl_HttpReq)data->state.httpreq; + const char *request; + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) ++ data->state.upload) + httpreq = HTTPREQ_PUT; + + /* Now set the 'request' pointer to the proper request string */ +@@ -2423,7 +2423,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn, + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +diff --git a/lib/imap.c b/lib/imap.c +index c2f675d4b..1952e66a1 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1511,11 +1511,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(data, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1581,7 +1581,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) ++ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(data); + else if(imap->custom && (selected || !imap->mailbox)) +diff --git a/lib/rtsp.c b/lib/rtsp.c +index ea99d720e..ccd7264b0 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -493,7 +493,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->state.httpreq = HTTPREQ_PUT; + +@@ -512,7 +512,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + result = + Curl_dyn_addf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +diff --git a/lib/setopt.c b/lib/setopt.c +index 38f5711e4..0c3b9634d 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -333,8 +333,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.method = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -664,7 +664,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + #ifndef CURL_DISABLE_MIME +@@ -888,7 +887,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + */ + if(va_arg(param, long)) { + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +diff --git a/lib/smb.c b/lib/smb.c +index a1e444ee6..d68222135 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -530,7 +530,7 @@ static CURLcode smb_send_open(struct Curl_easy *data) + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(data->set.upload) { ++ if(data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -762,7 +762,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + void *msg = NULL; + const struct smb_nt_create_response *smb_m; + +- if(data->set.upload && (data->state.infilesize < 0)) { ++ if(data->state.upload && (data->state.infilesize < 0)) { + failf(data, "SMB upload needs to know the size up front"); + return CURLE_SEND_ERROR; + } +@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + data->req.offset = 0; +- if(data->set.upload) { ++ if(data->state.upload) { + data->req.size = data->state.infilesize; + Curl_pgrsSetUploadSize(data, data->req.size); + next_state = SMB_UPLOAD; +diff --git a/lib/smtp.c b/lib/smtp.c +index 7a030308d..c182cace7 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1419,7 +1419,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1511,7 +1511,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(data); + else +diff --git a/lib/tftp.c b/lib/tftp.c +index 164d3c723..8ed1b887b 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -370,7 +370,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state, + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? */ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -451,7 +451,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->data->req.upload_fromhere = +@@ -486,7 +486,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -540,7 +540,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +diff --git a/lib/transfer.c b/lib/transfer.c +index e9ab8fbf0..cb69f3365 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1293,6 +1293,7 @@ void Curl_init_CONNECT(struct Curl_easy *data) + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1732,7 +1733,6 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.httpreq != HTTPREQ_POST_MIME) || + !(data->set.keep_post & CURL_REDIR_POST_303))) { + data->state.httpreq = HTTPREQ_GET; +- data->set.upload = false; + infof(data, "Switch to %s", + data->req.no_body?"HEAD":"GET"); + } +@@ -1770,7 +1770,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +diff --git a/lib/urldata.h b/lib/urldata.h +index cca992a02..a8580bdb6 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1462,6 +1462,7 @@ struct UrlState { + BIT(rewindbeforesend);/* TRUE when the sending couldn't be stopped even + though it will be discarded. We must call the data + rewind callback before trying to send again. */ ++ BIT(upload); /* upload request */ + }; + + /* +@@ -1838,7 +1839,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index b31f741ba..d60edaa30 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1209,7 +1209,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1802,7 +1802,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1907,7 +1907,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index f1154dc47..f2e5352d1 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -2019,7 +2019,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sshp->path[strlen(sshp->path)-1] == '/') +@@ -2691,7 +2691,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2831,7 +2831,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index 17d59ecd2..2ca91b736 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -557,7 +557,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block) + } + break; + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +-- +2.25.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-32001.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-32001.patch new file mode 100644 index 0000000000..c9ca3ae514 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-32001.patch @@ -0,0 +1,39 @@ +CVE: CVE-2023-32001 +Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6cda615a036b8a2b4125f2c404dde] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + + +From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001 +From: SaltyMilk <soufiane.elmelcaoui@gmail.com> +Date: Mon, 10 Jul 2023 21:43:28 +0200 +Subject: [PATCH] fopen: optimize + +Closes #11419 +--- + lib/fopen.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index c9c9e3d6e73a2..b6e3cadddef65 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + int fd = -1; + *tempname = NULL; + +- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { +- /* a non-regular file, fallback to direct fopen() */ +- *fh = fopen(filename, FOPEN_WRITETEXT); +- if(*fh) +- return CURLE_OK; ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(!*fh) + goto fail; +- } ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ return CURLE_OK; ++ fclose(*fh); ++ *fh = NULL; + + result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); + if(result) diff --git a/poky/meta/recipes-support/curl/curl/disable-tests b/poky/meta/recipes-support/curl/curl/disable-tests index 92056bd8ca..b687b2bb76 100644 --- a/poky/meta/recipes-support/curl/curl/disable-tests +++ b/poky/meta/recipes-support/curl/curl/disable-tests @@ -18,6 +18,8 @@ 1165 # This CRL test is looking for src files 1185 +# This test is scanning the source tree +1222 # These CRL tests need --libcurl option to be enabled 1400 1401 diff --git a/poky/meta/recipes-support/curl/curl/run-ptest b/poky/meta/recipes-support/curl/curl/run-ptest index 614e822922..2c74c58f5d 100644 --- a/poky/meta/recipes-support/curl/curl/run-ptest +++ b/poky/meta/recipes-support/curl/curl/run-ptest @@ -1,6 +1,6 @@ #!/bin/sh cd tests -./runtests.pl -a -n -s | sed \ +{ ./runtests.pl -a -n -s || echo "FAIL: curl" ; } | sed \ -e 's|\([^ ]* *\) \([^ ]* *\)...OK|PASS: \1 \2|' \ -e 's|\([^ ]* *\) \([^ ]* *\)...FAILED|FAIL: \1 \2|' \ -e 's/Warning: test[0-9]\+ not present in tests\/data\/Makefile.inc//' diff --git a/poky/meta/recipes-support/curl/curl_8.0.1.bb b/poky/meta/recipes-support/curl/curl_8.0.1.bb index 5cf044615f..708f622fe1 100644 --- a/poky/meta/recipes-support/curl/curl_8.0.1.bb +++ b/poky/meta/recipes-support/curl/curl_8.0.1.bb @@ -13,6 +13,12 @@ SRC_URI = " \ https://curl.se/download/${BP}.tar.xz \ file://run-ptest \ file://disable-tests \ + file://CVE-2023-28322.patch \ + file://CVE-2023-28319.patch \ + file://CVE-2023-28320.patch \ + file://CVE-2023-28321.patch \ + file://CVE-2023-32001.patch \ + file://CVE-2023-28320-fol1.patch \ " SRC_URI[sha256sum] = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0" diff --git a/poky/meta/recipes-support/fribidi/fribidi_1.0.12.bb b/poky/meta/recipes-support/fribidi/fribidi_1.0.13.bb index 9e46d958e9..5d0476a375 100644 --- a/poky/meta/recipes-support/fribidi/fribidi_1.0.12.bb +++ b/poky/meta/recipes-support/fribidi/fribidi_1.0.13.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.xz \ " -SRC_URI[sha256sum] = "0cd233f97fc8c67bb3ac27ce8440def5d3ffacf516765b91c2cc654498293495" +SRC_URI[sha256sum] = "7fa16c80c81bd622f7b198d31356da139cc318a63fc7761217af4130903f54a2" inherit meson lib_package pkgconfig github-releases diff --git a/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch index 0cd4c45907..81aeaf5d3a 100644 --- a/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch +++ b/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch @@ -1,4 +1,4 @@ -From 346a6b17a07b658954db65f814461b59824d9fcd Mon Sep 17 00:00:00 2001 +From 8b9e3d286e87bc978ec6bb9cfd790d8d253b79c3 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Mon, 22 Jan 2018 18:00:21 +0200 Subject: [PATCH] configure.ac: use a custom value for the location of @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 099c6a8..e8cf408 100644 +index a547401..60bc2c5 100644 --- a/configure.ac +++ b/configure.ac -@@ -1935,7 +1935,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf", +@@ -1922,7 +1922,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf", AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool]) diff --git a/poky/meta/recipes-support/gnupg/gnupg/relocate.patch b/poky/meta/recipes-support/gnupg/gnupg/relocate.patch index 071dd93ff5..f7dd12fbcc 100644 --- a/poky/meta/recipes-support/gnupg/gnupg/relocate.patch +++ b/poky/meta/recipes-support/gnupg/gnupg/relocate.patch @@ -1,4 +1,4 @@ -From b1117adeb476304ce2792814516a5b7cd44d0d38 Mon Sep 17 00:00:00 2001 +From c4ddea8e6070d1df51058aac08088e27c37e7e73 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@intel.com> Date: Wed, 19 Sep 2018 14:44:40 +0100 Subject: [PATCH] Allow the environment to override where gnupg looks for its @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex@linutronix.de> 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/common/homedir.c b/common/homedir.c -index 67bbde8..7f360ba 100644 +index 286685f..212a945 100644 --- a/common/homedir.c +++ b/common/homedir.c -@@ -1171,7 +1171,7 @@ gnupg_socketdir (void) +@@ -1213,7 +1213,7 @@ gnupg_socketdir (void) if (!name) { unsigned int dummy; @@ -26,7 +26,7 @@ index 67bbde8..7f360ba 100644 gpgrt_annotate_leaked_object (name); } -@@ -1203,7 +1203,7 @@ gnupg_sysconfdir (void) +@@ -1245,7 +1245,7 @@ gnupg_sysconfdir (void) if (dir) return dir; else @@ -35,7 +35,7 @@ index 67bbde8..7f360ba 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -1239,7 +1239,7 @@ gnupg_bindir (void) +@@ -1281,7 +1281,7 @@ gnupg_bindir (void) return name; } else @@ -44,7 +44,7 @@ index 67bbde8..7f360ba 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -1266,7 +1266,7 @@ gnupg_libexecdir (void) +@@ -1308,7 +1308,7 @@ gnupg_libexecdir (void) return name; } else @@ -53,7 +53,7 @@ index 67bbde8..7f360ba 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -1296,7 +1296,7 @@ gnupg_libdir (void) +@@ -1338,7 +1338,7 @@ gnupg_libdir (void) return name; } else @@ -62,7 +62,7 @@ index 67bbde8..7f360ba 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -1327,7 +1327,7 @@ gnupg_datadir (void) +@@ -1369,7 +1369,7 @@ gnupg_datadir (void) return name; } else @@ -71,7 +71,7 @@ index 67bbde8..7f360ba 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -1359,7 +1359,7 @@ gnupg_localedir (void) +@@ -1401,7 +1401,7 @@ gnupg_localedir (void) return name; } else diff --git a/poky/meta/recipes-support/gnupg/gnupg_2.4.0.bb b/poky/meta/recipes-support/gnupg/gnupg_2.4.2.bb index 900aa8ad73..631df8ac9d 100644 --- a/poky/meta/recipes-support/gnupg/gnupg_2.4.0.bb +++ b/poky/meta/recipes-support/gnupg/gnupg_2.4.2.bb @@ -23,7 +23,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for- file://relocate.patch" SRC_URI:append:class-nativesdk = " file://relocate.patch" -SRC_URI[sha256sum] = "1d79158dd01d992431dd2e3facb89fdac97127f89784ea2cb610c600fb0c1483" +SRC_URI[sha256sum] = "97eb47df8ae5a3ff744f868005a090da5ab45cb48ee9836dbf5ee739a4e5cf49" EXTRA_OECONF = "--disable-ldap \ --disable-ccid-driver \ @@ -33,6 +33,8 @@ EXTRA_OECONF = "--disable-ldap \ --with-mailprog=${sbindir}/sendmail \ --enable-gpg-is-gpg2 \ " +# yat2m can be found from recipe-sysroot-native non-deterministically with different versioning otherwise +CACHED_CONFIGUREVARS += "ac_cv_path_YAT2M=./yat2m" # A minimal package containing just enough to run gpg+gpgagent (E.g. use gpgme in opkg) PACKAGES =+ "${PN}-gpg" diff --git a/poky/meta/recipes-support/libassuan/libassuan_2.5.5.bb b/poky/meta/recipes-support/libassuan/libassuan_2.5.6.bb index 2bab3ac955..7e899e7399 100644 --- a/poky/meta/recipes-support/libassuan/libassuan_2.5.5.bb +++ b/poky/meta/recipes-support/libassuan/libassuan_2.5.6.bb @@ -20,7 +20,7 @@ SRC_URI = "${GNUPG_MIRROR}/libassuan/libassuan-${PV}.tar.bz2 \ file://libassuan-add-pkgconfig-support.patch \ " -SRC_URI[sha256sum] = "8e8c2fcc982f9ca67dcbb1d95e2dc746b1739a4668bc20b3a3c5be632edb34e4" +SRC_URI[sha256sum] = "e9fd27218d5394904e4e39788f9b1742711c3e6b41689a31aa3380bd5aa4f426" BINCONFIG = "${bindir}/libassuan-config" diff --git a/poky/meta/recipes-support/libksba/libksba_1.6.3.bb b/poky/meta/recipes-support/libksba/libksba_1.6.4.bb index dc39693be4..f9636f9433 100644 --- a/poky/meta/recipes-support/libksba/libksba_1.6.3.bb +++ b/poky/meta/recipes-support/libksba/libksba_1.6.4.bb @@ -24,7 +24,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://ksba-add-pkgconfig-support.patch" -SRC_URI[sha256sum] = "3f72c68db30971ebbf14367527719423f0a4d5f8103fc9f4a1c01a9fa440de5c" +SRC_URI[sha256sum] = "bbb43f032b9164d86c781ffe42213a83bf4f2fee91455edfa4654521b8b03b6b" do_configure:prepend () { # Else these could be used in preference to those in aclocal-copy diff --git a/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb b/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.77.bb index 7bd66f63cf..16159a0fd8 100644 --- a/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb +++ b/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.77.bb @@ -7,7 +7,7 @@ SECTION = "net" DEPENDS = "file" SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz" -SRC_URI[sha256sum] = "f0b1547b5a42a6c0f724e8e1c1cb5ce9c4c35fb495e7d780b9930d35011ceb4c" +SRC_URI[sha256sum] = "9e7023a151120060d2806a6ea4c13ca9933ece4eacfc5c9464d20edddb76b0a0" inherit autotools lib_package pkgconfig gettext diff --git a/poky/meta/recipes-support/libproxy/libproxy_0.4.18.bb b/poky/meta/recipes-support/libproxy/libproxy_0.4.18.bb index 01ba2a6fe9..748b1bd2c0 100644 --- a/poky/meta/recipes-support/libproxy/libproxy_0.4.18.bb +++ b/poky/meta/recipes-support/libproxy/libproxy_0.4.18.bb @@ -12,10 +12,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "glib-2.0" -SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz" -SRC_URI[sha256sum] = "69b5856e9ea42c38ac77e6b8c92ffc86a71d341fef74e77bef85f9cc6c47a4b1" +SRC_URI = "git://github.com/libproxy/libproxy;protocol=https;branch=main" +SRCREV = "caccaf28e3df6ea612d2d4b39f781c4324019fdb" +S = "${WORKDIR}/git" -inherit cmake pkgconfig github-releases +inherit cmake pkgconfig PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'gnome', '', d)} gnome3" PACKAGECONFIG[gnome] = "-DWITH_GNOME=yes,-DWITH_GNOME=no,gconf" diff --git a/poky/meta/recipes-support/libssh2/libssh2/CVE-2020-22218.patch b/poky/meta/recipes-support/libssh2/libssh2/CVE-2020-22218.patch new file mode 100644 index 0000000000..066233fcae --- /dev/null +++ b/poky/meta/recipes-support/libssh2/libssh2/CVE-2020-22218.patch @@ -0,0 +1,34 @@ +CVE: CVE-2020-22218 +Upstream-Status: Backport [ https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + + +From 642eec48ff3adfdb7a9e562b6d7fc865d1733f45 Mon Sep 17 00:00:00 2001 +From: lutianxiong <lutianxiong@huawei.com> +Date: Fri, 29 May 2020 01:25:40 +0800 +Subject: [PATCH] transport.c: fix use-of-uninitialized-value (#476) + +file:transport.c + +notes: +return error if malloc(0) + +credit: +lutianxiong +--- + src/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index 96fca6b8cc..adf96c2437 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -472,7 +472,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + /* Get a packet handle put data into. We get one to + hold all data, including padding and MAC. */ + p->payload = LIBSSH2_ALLOC(session, total_num); +- if(!p->payload) { ++ if(total_num == 0 || !p->payload) { + return LIBSSH2_ERROR_ALLOC; + } + p->total_num = total_num; diff --git a/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb b/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb index d5513373b0..8483a292c2 100644 --- a/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb +++ b/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3e089ad0cf27edf1e7f261dfcd06acc7" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://fix-ssh2-test.patch \ file://run-ptest \ + file://CVE-2020-22218.patch \ " SRC_URI[sha256sum] = "2d64e90f3ded394b91d3a2e774ca203a4179f69aebee03003e5a6fa621e41d51" diff --git a/poky/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch b/poky/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch new file mode 100644 index 0000000000..04d2086e1c --- /dev/null +++ b/poky/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch @@ -0,0 +1,151 @@ +From ce385d3f55a4b76da976b3bdf71fe2deddf315ba Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> +Date: Mon, 4 Sep 2023 06:48:30 +0000 +Subject: [PATCH] Fix memory leak + +This commit fixes memory leak that happens when PUSH_PROMISE or +HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback +fails with a fatal error. For example, if GOAWAY frame has been +received, a HEADERS frame that opens new stream cannot be sent. + +This issue has already been made public via CVE-2023-35945 [1] issued +by envoyproxy/envoy project. During embargo period, the patch to fix +this bug was accidentally submitted to nghttp2/nghttp2 repository [2]. +And they decided to disclose CVE early. I was notified just 1.5 hours +before disclosure. I had no time to respond. + +PoC described in [1] is quite simple, but I think it is not enough to +trigger this bug. While it is true that receiving GOAWAY prevents a +client from opening new stream, and nghttp2 enters error handling +branch, in order to cause the memory leak, +nghttp2_session_close_stream function must return a fatal error. +nghttp2 defines 2 fatal error codes: + +- NGHTTP2_ERR_NOMEM +- NGHTTP2_ERR_CALLBACK_FAILURE + +NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It +is unlikely that a process gets short of memory with this simple PoC +scenario unless application does something memory heavy processing. + +NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined +callback function (nghttp2_on_stream_close_callback, in this case), +which indicates something fatal happened inside a callback, and a +connection must be closed immediately without any further action. As +nghttp2_on_stream_close_error_callback documentation says, any error +code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal +error code. More specifically, it is treated as if +NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns +NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated +into NGHTTP2_ERR_CALLBACK_FAILURE. + +[1] https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r +[2] https://github.com/nghttp2/nghttp2/pull/1929 + +CVE: CVE-2023-35945 + +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/ce385d3f55a4b76da976b3bdf71fe2deddf315ba] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + lib/nghttp2_session.c | 10 +++++----- + tests/nghttp2_session_test.c | 34 ++++++++++++++++++++++++++++++++++ + 2 files changed, 39 insertions(+), 5 deletions(-) + +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index 93f3f07..9bb32b2 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -3300,6 +3300,7 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session, + if (rv < 0) { + int32_t opened_stream_id = 0; + uint32_t error_code = NGHTTP2_INTERNAL_ERROR; ++ int rv2 = 0; + + DEBUGF("send: frame preparation failed with %s\n", + nghttp2_strerror(rv)); +@@ -3342,19 +3343,18 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session, + } + if (opened_stream_id) { + /* careful not to override rv */ +- int rv2; + rv2 = nghttp2_session_close_stream(session, opened_stream_id, + error_code); +- +- if (nghttp2_is_fatal(rv2)) { +- return rv2; +- } + } + + nghttp2_outbound_item_free(item, mem); + nghttp2_mem_free(mem, item); + active_outbound_item_reset(aob, mem); + ++ if (nghttp2_is_fatal(rv2)) { ++ return rv2; ++ } ++ + if (rv == NGHTTP2_ERR_HEADER_COMP) { + /* If header compression error occurred, should terminiate + connection. */ +diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c +index 08152d4..14ab132 100644 +--- a/tests/nghttp2_session_test.c ++++ b/tests/nghttp2_session_test.c +@@ -585,6 +585,15 @@ static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id, + return 0; + } + ++static int fatal_error_on_stream_close_callback(nghttp2_session *session, ++ int32_t stream_id, ++ uint32_t error_code, ++ void *user_data) { ++ on_stream_close_callback(session, stream_id, error_code, user_data); ++ ++ return NGHTTP2_ERR_CALLBACK_FAILURE; ++} ++ + static ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf, + size_t len, const nghttp2_frame *frame, + void *user_data) { +@@ -4297,6 +4306,8 @@ void test_nghttp2_session_on_goaway_received(void) { + nghttp2_frame frame; + int i; + nghttp2_mem *mem; ++ const uint8_t *data; ++ ssize_t datalen; + + mem = nghttp2_mem_default(); + user_data.frame_recv_cb_called = 0; +@@ -4338,6 +4349,29 @@ void test_nghttp2_session_on_goaway_received(void) { + + nghttp2_frame_goaway_free(&frame.goaway, mem); + nghttp2_session_del(session); ++ ++ /* Make sure that no memory leak when stream_close callback fails ++ with a fatal error */ ++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks)); ++ callbacks.on_stream_close_callback = fatal_error_on_stream_close_callback; ++ ++ memset(&user_data, 0, sizeof(user_data)); ++ ++ nghttp2_session_client_new(&session, &callbacks, &user_data); ++ ++ nghttp2_frame_goaway_init(&frame.goaway, 0, NGHTTP2_NO_ERROR, NULL, 0); ++ ++ CU_ASSERT(0 == nghttp2_session_on_goaway_received(session, &frame)); ++ ++ nghttp2_submit_request(session, NULL, reqnv, ARRLEN(reqnv), NULL, NULL); ++ ++ datalen = nghttp2_session_mem_send(session, &data); ++ ++ CU_ASSERT(NGHTTP2_ERR_CALLBACK_FAILURE == datalen); ++ CU_ASSERT(1 == user_data.stream_close_cb_called); ++ ++ nghttp2_frame_goaway_free(&frame.goaway, mem); ++ nghttp2_session_del(session); + } + + void test_nghttp2_session_on_window_update_received(void) { +-- +2.35.5 diff --git a/poky/meta/recipes-support/nghttp2/nghttp2_1.52.0.bb b/poky/meta/recipes-support/nghttp2/nghttp2_1.52.0.bb index f57a15954d..0fba554919 100644 --- a/poky/meta/recipes-support/nghttp2/nghttp2_1.52.0.bb +++ b/poky/meta/recipes-support/nghttp2/nghttp2_1.52.0.bb @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=764abdf30b2eadd37ce47dcbce0ea1ec" SRC_URI = "\ ${GITHUB_BASE_URI}/download/v${PV}/nghttp2-${PV}.tar.xz \ file://0001-fetch-ocsp-response-use-python3.patch \ + file://CVE-2023-35945.patch \ " SRC_URI[sha256sum] = "3ea9f0439e60469ad4d39cb349938684ffb929dd7e8e06a7bffe9f9d21f8ba7d" diff --git a/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.2.bb b/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.2.bb index ff5629c6f9..60918a3892 100644 --- a/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.2.bb +++ b/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.2.bb @@ -7,7 +7,7 @@ HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/ptest-runner2/about/" LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://LICENSE;md5=751419260aa954499f7abaabaa882bbe" -SRCREV = "bcb82804daa8f725b6add259dcef2067e61a75aa" +SRCREV = "4148e75284e443fc8ffaef425c467aa5523528ff" PV .= "+git${SRCPV}" SRC_URI = "git://git.yoctoproject.org/ptest-runner2;branch=master;protocol=https \ diff --git a/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch deleted file mode 100644 index 4a5832ac1a..0000000000 --- a/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 3 Sep 2018 10:50:08 -0700 -Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building - with most recent scons version. - -* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both python - 3.0 and 2.7. - -Upstream-Status: Backport -[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - SConstruct | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/SConstruct b/SConstruct -index 1670459..18a45fa 100644 ---- a/SConstruct -+++ b/SConstruct -@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help')) - - unknown = opts.UnknownVariables() - if unknown: -- print 'Warning: Used unknown variables:', ', '.join(unknown.keys()) -+ print('Warning: Used unknown variables:', ', '.join(unknown.keys())) - - apr = str(env['APR']) - apu = str(env['APU']) diff --git a/poky/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch b/poky/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch deleted file mode 100644 index 91ccc8a474..0000000000 --- a/poky/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 2f45711a66ff99886b6e4a5708e2db01a63e5af4 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex@linutronix.de> -Date: Fri, 10 Sep 2021 11:05:10 +0200 -Subject: [PATCH] buckets/ssl_buckets.c: do not use ERR_GET_FUNC - -Upstream removed it in -https://github.com/openssl/openssl/pull/16004 - -Upstream-Status: Inactive-Upstream [lastrelease: 2015, lastcommit: 2019] -Signed-off-by: Alexander Kanavin <alex@linutronix.de> ---- - buckets/ssl_buckets.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/buckets/ssl_buckets.c b/buckets/ssl_buckets.c -index b01e535..9801f87 100644 ---- a/buckets/ssl_buckets.c -+++ b/buckets/ssl_buckets.c -@@ -1325,8 +1325,7 @@ static int ssl_need_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey) - return 0; - } - else { -- printf("OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err), -- ERR_GET_FUNC(err), -+ printf("OpenSSL cert error: %d %d\n", ERR_GET_LIB(err), - ERR_GET_REASON(err)); - PKCS12_free(p12); - bio_meth_free(biom); diff --git a/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch deleted file mode 100644 index 02fa9e3a06..0000000000 --- a/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 565211fd082ef653ca9c44a345350fc1451f5a0f Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 3 Sep 2018 11:12:38 -0700 -Subject: [PATCH] Follow-up to r1811083 fix building with scons 3.0.0 and - Python3 - -* SConstruct: Append decode('utf-8) to FILE.get_contents() to avoid - TypeError: cannot use a string pattern on a bytes-like object - -Upstream-Status: Backport -[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1811088&r2=1814604] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - SConstruct | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/SConstruct b/SConstruct -index 877731e..7678bb1 100644 ---- a/SConstruct -+++ b/SConstruct -@@ -169,7 +169,7 @@ env.Append(BUILDERS = { - match = re.search('SERF_MAJOR_VERSION ([0-9]+).*' - 'SERF_MINOR_VERSION ([0-9]+).*' - 'SERF_PATCH_VERSION ([0-9]+)', -- env.File('serf.h').get_contents(), -+ env.File('serf.h').get_contents().decode('utf-8'), - re.DOTALL) - MAJOR, MINOR, PATCH = [int(x) for x in match.groups()] - env.Append(MAJOR=str(MAJOR)) diff --git a/poky/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch b/poky/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch index 4105868a7e..91640d6044 100644 --- a/poky/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch +++ b/poky/meta/recipes-support/serf/serf/SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch @@ -31,7 +31,7 @@ ERROR: scons install execution failed. and the installed paths (including the paths inside libserf*.pc) look correct -Upstream-Status: Inactive-Upstream [lastrelease: 2015, lastcommit: 2019] +Upstream-Status: Pending Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> diff --git a/poky/meta/recipes-support/serf/serf_1.3.9.bb b/poky/meta/recipes-support/serf/serf_1.3.10.bb index 669f42b8e7..c6b51452aa 100644 --- a/poky/meta/recipes-support/serf/serf_1.3.9.bb +++ b/poky/meta/recipes-support/serf/serf_1.3.10.bb @@ -7,16 +7,12 @@ HOMEPAGE = "http://serf.apache.org/" SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://norpath.patch \ file://env.patch \ - file://0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch \ file://0002-SConstruct-Fix-path-quoting-for-.def-generator.patch \ file://0003-gen_def.patch \ - file://0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch \ file://SConstruct.stop.creating.directories.without.sandbox-install.prefix.patch \ - file://0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch \ " -SRC_URI[md5sum] = "370a6340ff20366ab088012cd13f2b57" -SRC_URI[sha256sum] = "549c2d21c577a8a9c0450facb5cca809f26591f048e466552240947bdf7a87cc" +SRC_URI[sha256sum] = "be81ef08baa2516ecda76a77adf7def7bc3227eeb578b9a33b45f7b41dc064e6" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" diff --git a/poky/meta/recipes-support/taglib/taglib_1.13.bb b/poky/meta/recipes-support/taglib/taglib_1.13.1.bb index 6560bc3660..3f0a759f95 100644 --- a/poky/meta/recipes-support/taglib/taglib_1.13.bb +++ b/poky/meta/recipes-support/taglib/taglib_1.13.1.bb @@ -11,7 +11,7 @@ DEPENDS = "zlib" SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz" -SRC_URI[sha256sum] = "58f08b4db3dc31ed152c04896ee9172d22052bc7ef12888028c01d8b1d60ade0" +SRC_URI[sha256sum] = "c8da2b10f1bfec2cd7dbfcd33f4a2338db0765d851a50583d410bacf055cfd0b" UPSTREAM_CHECK_URI = "https://taglib.org/" diff --git a/poky/meta/recipes-support/vim/vim.inc b/poky/meta/recipes-support/vim/vim.inc index e1d2563316..5f55f590e6 100644 --- a/poky/meta/recipes-support/vim/vim.inc +++ b/poky/meta/recipes-support/vim/vim.inc @@ -10,7 +10,7 @@ DEPENDS = "ncurses gettext-native" RSUGGESTS:${PN} = "diffutils" LICENSE = "Vim" -LIC_FILES_CHKSUM = "file://LICENSE;md5=6b30ea4fa660c483b619924bc709ef99" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e" SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://disable_acl_header_check.patch \ @@ -19,14 +19,13 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".1527" -SRCREV = "c28e7a2b2f23dbd246a1ad7ad7aaa6f7ab2e5887" - -# Remove when 8.3 is out -UPSTREAM_VERSION_UNKNOWN = "1" +PV .= ".1894" +SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0" +# Ignore that the upstream version .z in x.y.z is always newer +UPSTREAM_VERSION_UNKNOWN = "1" S = "${WORKDIR}/git" diff --git a/poky/scripts/create-pull-request b/poky/scripts/create-pull-request index 2f91a355b0..885105fab3 100755 --- a/poky/scripts/create-pull-request +++ b/poky/scripts/create-pull-request @@ -149,13 +149,10 @@ fi WEB_URL="" case "$REMOTE_URL" in *git.yoctoproject.org*) - WEB_URL="http://git.yoctoproject.org/cgit.cgi/$REMOTE_REPO/log/?h=$BRANCH" - ;; - *git.pokylinux.org*) - WEB_URL="http://git.pokylinux.org/cgit.cgi/$REMOTE_REPO/log/?h=$BRANCH" + WEB_URL="https://git.yoctoproject.org/$REMOTE_REPO/log/?h=$BRANCH" ;; *git.openembedded.org*) - WEB_URL="http://cgit.openembedded.org/$REMOTE_REPO/log/?h=$BRANCH" + WEB_URL="https://git.openembedded.org/$REMOTE_REPO/log/?h=$BRANCH" ;; *github.com*) WEB_URL="https://github.com/$REMOTE_REPO/tree/$BRANCH" diff --git a/poky/scripts/lib/devtool/standard.py b/poky/scripts/lib/devtool/standard.py index 0339d12763..abf80e2f31 100644 --- a/poky/scripts/lib/devtool/standard.py +++ b/poky/scripts/lib/devtool/standard.py @@ -1629,7 +1629,7 @@ def _update_recipe_patch(recipename, workspace, srctree, rd, appendlayerdir, wil else: patchdir_params = {'patchdir': relpatchdir} - def srcuri_entry(fname): + def srcuri_entry(basepath): if patchdir_params: paramstr = ';' + ';'.join('%s=%s' % (k,v) for k,v in patchdir_params.items()) else: diff --git a/poky/scripts/lib/devtool/upgrade.py b/poky/scripts/lib/devtool/upgrade.py index 6c4a62b558..e015a85982 100644 --- a/poky/scripts/lib/devtool/upgrade.py +++ b/poky/scripts/lib/devtool/upgrade.py @@ -35,6 +35,8 @@ def _get_srctree(tmpdir): dirs = scriptutils.filter_src_subdirs(tmpdir) if len(dirs) == 1: srctree = os.path.join(tmpdir, dirs[0]) + else: + raise DevtoolError("Cannot determine where the source tree is after unpacking in {}: {}".format(tmpdir,dirs)) return srctree def _copy_source_code(orig, dest): diff --git a/poky/scripts/lib/recipetool/create.py b/poky/scripts/lib/recipetool/create.py index 824ac6350d..e99e0714bf 100644 --- a/poky/scripts/lib/recipetool/create.py +++ b/poky/scripts/lib/recipetool/create.py @@ -745,6 +745,10 @@ def create_recipe(args): for handler in handlers: handler.process(srctree_use, classes, lines_before, lines_after, handled, extravalues) + # native and nativesdk classes are special and must be inherited last + # If present, put them at the end of the classes list + classes.sort(key=lambda c: c in ("native", "nativesdk")) + extrafiles = extravalues.pop('extrafiles', {}) extra_pn = extravalues.pop('PN', None) extra_pv = extravalues.pop('PV', None) diff --git a/poky/scripts/lib/resulttool/regression.py b/poky/scripts/lib/resulttool/regression.py index 1facbcd85e..f80a9182a9 100644 --- a/poky/scripts/lib/resulttool/regression.py +++ b/poky/scripts/lib/resulttool/regression.py @@ -178,6 +178,8 @@ def compare_result(logger, base_name, target_name, base_result, target_result): base_result = base_result.get('result') target_result = target_result.get('result') result = {} + new_tests = 0 + if base_result and target_result: for k in base_result: base_testcase = base_result[k] @@ -189,6 +191,13 @@ def compare_result(logger, base_name, target_name, base_result, target_result): result[k] = {'base': base_status, 'target': target_status} else: logger.error('Failed to retrieved base test case status: %s' % k) + + # Also count new tests that were not present in base results: it + # could be newly added tests, but it could also highlights some tests + # renames or fixed faulty ptests + for k in target_result: + if k not in base_result: + new_tests += 1 if result: new_pass_count = sum(test['target'] is not None and test['target'].startswith("PASS") for test in result.values()) # Print a regression report only if at least one test has a regression status (FAIL, SKIPPED, absent...) @@ -200,10 +209,13 @@ def compare_result(logger, base_name, target_name, base_result, target_result): if new_pass_count > 0: resultstring += f' Additionally, {new_pass_count} previously failing test(s) is/are now passing\n' else: - resultstring = "Improvement: %s\n %s\n (+%d test(s) passing)" % (base_name, target_name, new_pass_count) + resultstring = "Improvement: %s\n %s\n (+%d test(s) passing)\n" % (base_name, target_name, new_pass_count) result = None else: - resultstring = "Match: %s\n %s" % (base_name, target_name) + resultstring = "Match: %s\n %s\n" % (base_name, target_name) + + if new_tests > 0: + resultstring += f' Additionally, {new_tests} new test(s) is/are present\n' return result, resultstring def get_results(logger, source): diff --git a/poky/scripts/lib/resulttool/report.py b/poky/scripts/lib/resulttool/report.py index f0ca50ebe2..a349510ab8 100644 --- a/poky/scripts/lib/resulttool/report.py +++ b/poky/scripts/lib/resulttool/report.py @@ -176,7 +176,10 @@ class ResultsTextReport(object): vals['sort'] = line['testseries'] + "_" + line['result_id'] vals['failed_testcases'] = line['failed_testcases'] for k in cols: - vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f')) + if total_tested: + vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f')) + else: + vals[k] = "0 (0%)" for k in maxlen: if k in vals and len(vals[k]) > maxlen[k]: maxlen[k] = len(vals[k]) diff --git a/poky/scripts/lib/resulttool/resultutils.py b/poky/scripts/lib/resulttool/resultutils.py index 7666331ba2..c5521d81bd 100644 --- a/poky/scripts/lib/resulttool/resultutils.py +++ b/poky/scripts/lib/resulttool/resultutils.py @@ -58,7 +58,11 @@ def append_resultsdata(results, f, configmap=store_map, configvars=extra_configv testseries = posixpath.basename(posixpath.dirname(url.path)) else: with open(f, "r") as filedata: - data = json.load(filedata) + try: + data = json.load(filedata) + except json.decoder.JSONDecodeError: + print("Cannot decode {}. Possible corruption. Skipping.".format(f)) + data = "" testseries = os.path.basename(os.path.dirname(f)) else: data = f diff --git a/poky/scripts/lib/wic/partition.py b/poky/scripts/lib/wic/partition.py index 382afa44bc..29b9dc4457 100644 --- a/poky/scripts/lib/wic/partition.py +++ b/poky/scripts/lib/wic/partition.py @@ -133,7 +133,7 @@ class Partition(): self.update_fstab_in_rootfs = True if not self.source: - if self.fstype == "none": + if self.fstype == "none" or self.no_table: return if not self.size and not self.fixed_size: raise WicError("The %s partition has a size of zero. Please " diff --git a/poky/scripts/lib/wic/plugins/source/bootimg-efi.py b/poky/scripts/lib/wic/plugins/source/bootimg-efi.py index d6aeab2aad..8ebb2a9be8 100644 --- a/poky/scripts/lib/wic/plugins/source/bootimg-efi.py +++ b/poky/scripts/lib/wic/plugins/source/bootimg-efi.py @@ -351,6 +351,8 @@ class BootimgEFIPlugin(SourcePlugin): # https://www.freedesktop.org/software/systemd/man/systemd-stub.html objcopy_cmd = "%s-objcopy" % target_sys + objcopy_cmd += " --enable-deterministic-archives" + objcopy_cmd += " --preserve-dates" objcopy_cmd += " --add-section .osrel=%s/usr/lib/os-release" % staging_dir_host objcopy_cmd += " --change-section-vma .osrel=0x20000" objcopy_cmd += " --add-section .cmdline=%s" % cmdline.name diff --git a/poky/scripts/oe-setup-builddir b/poky/scripts/oe-setup-builddir index 89ae30f609..678aeac4be 100755 --- a/poky/scripts/oe-setup-builddir +++ b/poky/scripts/oe-setup-builddir @@ -98,9 +98,17 @@ EOM SHOWYPDOC=yes fi +if [ -z "$OECORENOTESCONF" ]; then + OECORENOTESCONF="$OEROOT/meta/conf/templates/default/conf-notes.txt" +fi +if [ ! -r "$BUILDDIR/conf/conf-notes.txt" ]; then + [ ! -r "$OECORENOTESCONF" ] || cp "$OECORENOTESCONF" "$BUILDDIR/conf/conf-notes.txt" +fi + # Prevent disturbing a new GIT clone in same console unset OECORELOCALCONF unset OECORELAYERCONF +unset OECORENOTESCONF # Ending the first-time run message. Show the YP Documentation banner. if [ -n "$SHOWYPDOC" ]; then @@ -116,11 +124,7 @@ EOM # unset SHOWYPDOC fi -if [ -z "$OECORENOTESCONF" ]; then - OECORENOTESCONF="$OEROOT/meta/conf/templates/default/conf-notes.txt" -fi -[ ! -r "$OECORENOTESCONF" ] || cat "$OECORENOTESCONF" -unset OECORENOTESCONF +[ ! -r "$BUILDDIR/conf/conf-notes.txt" ] || cat "$BUILDDIR/conf/conf-notes.txt" if [ ! -f "$BUILDDIR/conf/templateconf.cfg" ]; then echo "$ORG_TEMPLATECONF" >"$BUILDDIR/conf/templateconf.cfg" diff --git a/poky/scripts/runqemu b/poky/scripts/runqemu index 4c06cefbff..ef24ddc6b2 100755 --- a/poky/scripts/runqemu +++ b/poky/scripts/runqemu @@ -1011,17 +1011,14 @@ to your build configuration. else: self.nfs_server = '192.168.7.@GATEWAY@' - # Figure out a new nfs_instance to allow multiple qemus running. - ps = subprocess.check_output(("ps", "auxww")).decode('utf-8') - pattern = '/bin/unfsd .* -i .*\.pid -e .*/exports([0-9]+) ' - all_instances = re.findall(pattern, ps, re.M) - if all_instances: - all_instances.sort(key=int) - self.nfs_instance = int(all_instances.pop()) + 1 - - nfsd_port = 3049 + 2 * self.nfs_instance - mountd_port = 3048 + 2 * self.nfs_instance + nfsd_port = 3048 + self.nfs_instance + lockdir = "/tmp/qemu-port-locks" + self.make_lock_dir(lockdir) + while not self.check_free_port('localhost', nfsd_port, lockdir): + self.nfs_instance += 1 + nfsd_port += 1 + mountd_port = nfsd_port # Export vars for runqemu-export-rootfs export_dict = { 'NFS_INSTANCE': self.nfs_instance, @@ -1083,6 +1080,17 @@ to your build configuration. self.set('NETWORK_CMD', '-netdev bridge,br=%s,id=net0,helper=%s -device virtio-net-pci,netdev=net0 ' % ( self.net_bridge, os.path.join(self.bindir_native, 'qemu-oe-bridge-helper'))) + def make_lock_dir(self, lockdir): + if not os.path.exists(lockdir): + # There might be a race issue when multi runqemu processess are + # running at the same time. + try: + os.mkdir(lockdir) + os.chmod(lockdir, 0o777) + except FileExistsError: + pass + return + def setup_slirp(self): """Setup user networking""" @@ -1101,14 +1109,7 @@ to your build configuration. mac = 2 lockdir = "/tmp/qemu-port-locks" - if not os.path.exists(lockdir): - # There might be a race issue when multi runqemu processess are - # running at the same time. - try: - os.mkdir(lockdir) - os.chmod(lockdir, 0o777) - except FileExistsError: - pass + self.make_lock_dir(lockdir) # Find a free port to avoid conflicts for p in ports[:]: @@ -1148,14 +1149,7 @@ to your build configuration. logger.error("ip: %s" % ip) raise OEPathError("runqemu-ifup, runqemu-ifdown or ip not found") - if not os.path.exists(lockdir): - # There might be a race issue when multi runqemu processess are - # running at the same time. - try: - os.mkdir(lockdir) - os.chmod(lockdir, 0o777) - except FileExistsError: - pass + self.make_lock_dir(lockdir) cmd = (ip, 'link') logger.debug('Running %s...' % str(cmd)) @@ -1598,13 +1592,13 @@ to your build configuration. logger.debug('Running %s' % str(cmd)) subprocess.check_call(cmd) self.release_taplock() - self.release_portlock() if self.nfs_running: logger.info("Shutting down the userspace NFS server...") cmd = ("runqemu-export-rootfs", "stop", self.rootfs) logger.debug('Running %s' % str(cmd)) subprocess.check_call(cmd) + self.release_portlock() if self.saved_stty: subprocess.check_call(("stty", self.saved_stty)) diff --git a/poky/scripts/runqemu-gen-tapdevs b/poky/scripts/runqemu-gen-tapdevs index a6ee4517da..ffb82adce6 100755 --- a/poky/scripts/runqemu-gen-tapdevs +++ b/poky/scripts/runqemu-gen-tapdevs @@ -44,10 +44,10 @@ GID=$2 COUNT=$3 STAGING_BINDIR_NATIVE=$4 -TUNCTL=$STAGING_BINDIR_NATIVE/tunctl -if [[ ! -x "$TUNCTL" || -d "$TUNCTL" ]]; then - echo "Error: $TUNCTL is not an executable" - usage +# check if COUNT is a number and >= 0 +if ! [ $COUNT -ge 0 ]; then + echo "Error: Incorrect count: $COUNT" + exit 1 fi if [ $EUID -ne 0 ]; then @@ -62,48 +62,53 @@ if [ ! -x "$RUNQEMU_IFUP" ]; then exit 1 fi -IFCONFIG=`which ip 2> /dev/null` -if [ -z "$IFCONFIG" ]; then - # Is it ever anywhere else? - IFCONFIG=/sbin/ip -fi -if [ ! -x "$IFCONFIG" ]; then - echo "$IFCONFIG cannot be executed" - exit 1 +TUNCTL=$STAGING_BINDIR_NATIVE/tunctl +ip_supports_tuntap=false +if interfaces=`ip tuntap list` 2>/dev/null; then + ip_supports_tuntap=true + interfaces=`echo "$interfaces |cut -f1 -d:` +elif [[ ! -x "$TUNCTL" || -d "$TUNCTL" ]]; then + echo "Error: $TUNCTL is not an executable" + usage +elif interfaces=`ip link` 2>/dev/null; then + interfaces=`echo "$interfaces" | sed '/^[0-9]\+: \(docker[0-9]\+\):.*/!d; s//\1/'` +else + echo "Failed to call 'ip link'" >&2 + exit 1 fi -if [ $COUNT -ge 0 ]; then - # Ensure we start with a clean slate - for tap in `$IFCONFIG link | grep tap | awk '{ print \$2 }' | sed s/://`; do - echo "Note: Destroying pre-existing tap interface $tap..." +# Ensure we start with a clean slate +for tap in $interfaces; do + echo "Note: Destroying pre-existing tap interface $tap..." + if $ip_supports_tuntap; then + ip tuntap del $tap mode tap + else $TUNCTL -d $tap - done - rm -f /etc/runqemu-nosudo -else - echo "Error: Incorrect count: $COUNT" - exit 1 + fi +done +rm -f /etc/runqemu-nosudo + +if [ $COUNT -eq 0 ]; then + exit 0 fi -if [ $COUNT -gt 0 ]; then - echo "Creating $COUNT tap devices for UID: $TUID GID: $GID..." - for ((index=0; index < $COUNT; index++)); do - echo "Creating tap$index" - ifup=`$RUNQEMU_IFUP $TUID $GID $STAGING_BINDIR_NATIVE 2>&1` - if [ $? -ne 0 ]; then - echo "Error running tunctl: $ifup" - exit 1 - fi - done +echo "Creating $COUNT tap devices for UID: $TUID GID: $GID..." +for ((index=0; index < $COUNT; index++)); do + echo "Creating tap$index" + if ! ifup=`$RUNQEMU_IFUP $TUID $GID $STAGING_BINDIR_NATIVE 2>&1`; then + echo "Error running tunctl: $ifup" + exit 1 + fi +done - echo "Note: For systems running NetworkManager, it's recommended" - echo "Note: that the tap devices be set as unmanaged in the" - echo "Note: NetworkManager.conf file. Add the following lines to" - echo "Note: /etc/NetworkManager/NetworkManager.conf" - echo "[keyfile]" - echo "unmanaged-devices=interface-name:tap*" +echo "Note: For systems running NetworkManager, it's recommended" +echo "Note: that the tap devices be set as unmanaged in the" +echo "Note: NetworkManager.conf file. Add the following lines to" +echo "Note: /etc/NetworkManager/NetworkManager.conf" +echo "[keyfile]" +echo "unmanaged-devices=interface-name:tap*" - # The runqemu script will check for this file, and if it exists, - # will use the existing bank of tap devices without creating - # additional ones via sudo. - touch /etc/runqemu-nosudo -fi +# The runqemu script will check for this file, and if it exists, +# will use the existing bank of tap devices without creating +# additional ones via sudo. +touch /etc/runqemu-nosudo diff --git a/poky/scripts/runqemu-ifdown b/poky/scripts/runqemu-ifdown index e0eb5344c6..f72166b32b 100755 --- a/poky/scripts/runqemu-ifdown +++ b/poky/scripts/runqemu-ifdown @@ -33,13 +33,15 @@ fi TAP=$1 STAGING_BINDIR_NATIVE=$2 -TUNCTL=$STAGING_BINDIR_NATIVE/tunctl -if [ ! -e "$TUNCTL" ]; then - echo "Error: Unable to find tunctl binary in '$STAGING_BINDIR_NATIVE', please bitbake qemu-helper-native" - exit 1 -fi +if !ip tuntap del $TAP mode tap 2>/dev/null; then + TUNCTL=$STAGING_BINDIR_NATIVE/tunctl + if [ ! -e "$TUNCTL" ]; then + echo "Error: Unable to find tunctl binary in '$STAGING_BINDIR_NATIVE', please bitbake qemu-helper-native" + exit 1 + fi -$TUNCTL -d $TAP + $TUNCTL -d $TAP +fi IFCONFIG=`which ip 2> /dev/null` if [ "x$IFCONFIG" = "x" ]; then diff --git a/poky/scripts/runqemu-ifup b/poky/scripts/runqemu-ifup index bb661740c5..5fdcddeeda 100755 --- a/poky/scripts/runqemu-ifup +++ b/poky/scripts/runqemu-ifup @@ -41,22 +41,29 @@ USERID="-u $1" GROUP="-g $2" STAGING_BINDIR_NATIVE=$3 -TUNCTL=$STAGING_BINDIR_NATIVE/tunctl -if [ ! -x "$TUNCTL" ]; then - echo "Error: Unable to find tunctl binary in '$STAGING_BINDIR_NATIVE', please bitbake qemu-helper-native" - exit 1 +if taps=$(ip tuntap list 2>/dev/null); then + tap_no=$(( $(echo "$taps" |sort -r |sed 's/^tap//; s/:.*//; q') + 1 )) + ip tuntap add tap$tap_no mode tap group $2 && TAP=tap$tap_no fi -TAP=`$TUNCTL -b $GROUP 2>&1` -STATUS=$? -if [ $STATUS -ne 0 ]; then -# If tunctl -g fails, try using tunctl -u, for older host kernels -# which do not support the TUNSETGROUP ioctl - TAP=`$TUNCTL -b $USERID 2>&1` +if [ -z $TAP ]; then + TUNCTL=$STAGING_BINDIR_NATIVE/tunctl + if [ ! -x "$TUNCTL" ]; then + echo "Error: Unable to find tunctl binary in '$STAGING_BINDIR_NATIVE', please bitbake qemu-helper-native" + exit 1 + fi + + TAP=`$TUNCTL -b $GROUP 2>&1` STATUS=$? if [ $STATUS -ne 0 ]; then - echo "tunctl failed:" - exit 1 + # If tunctl -g fails, try using tunctl -u, for older host kernels + # which do not support the TUNSETGROUP ioctl + TAP=`$TUNCTL -b $USERID 2>&1` + STATUS=$? + if [ $STATUS -ne 0 ]; then + echo "tunctl failed:" + exit 1 + fi fi fi |
