subtree updates: raspberrypi security arm

meta-arm: eb9c47a4e1..9b6c8c95e4:
  Abdellatif El Khlifi (1):
        CI: append classes to INHERIT in the common fvp.yml

  Adam Johnston (1):
        arm-bsp/linux-yocto: Update N1SDP PCI quirk patch

  Jon Mason (10):
        CI: add yml files for defaults
        CI: add support for dev kernel, rt kernel, and poky-tiny
        arm-bsp/fvp-base: update to u-boot 2023.01
        arm-bsp/fvp-base-arm32: remove support
        ci: add external-toolchain to qemuarm-secureboot
        arm-bsp/optee: remove unused recipes
        arm/optee: optee-os include cleanup
        arm/optee-os: update to 3.20.0
        arm/edk2: update version and relocate edk2-basetools to be with edk2
        arm-bsp/fvp-base: Add edk2 build testing

  Ross Burton (7):
        arm-bsp/linux-arm64-ack: update Upstream-Status tags
        CI: add CI_CLEAN_REPOS variable to allow cleaning the repo reference cache
        arm/scp-firmware: fix up whitespace
        arm/scp-firmware: enable verbose builds
        arm/scp-firmware: remove textrel from INSANE_SKIP
        arm/scp-firmware: improve debug packaging
        CI: mask poky's llvm if we're using clang

  Rui Miguel Silva (1):
        arm-bsp/optee: bump corstone1000 to v3.20

  Satish Kumar (1):
        arm-bsp/corstone1000: new gpt based disk layout and fwu metadata

  Xueliang Zhong (1):
        arm-bsp/n1sdp: update to linux yocto kernel 6.1

meta-security: c06b9a18a6..a397a38ed9:
  Armin Kuster (16):
        openscap: update to 1.3.6
        openscap: update to 1.3.7
        openscap git: add DEFAULT_PREFERENCE
        python3-fail2ban: update to 1.0.2
        python3-privacyidea: update to 3.8.1
        libhtp: update to 0.5.42
        lkrg-modules: update to 0.9.6
        chkrootkit: update to 0.57
        fscrypt: update to 1.1.0
        libmspack: update to 1.11
        firejail: update 0.9.72
        suricata: update to 6.0.10
        apparmor: update to 3.1.3
        krill: update 0.12.3
        cryptmout: update to 6.2.0
        packagegroup-core-security: refactor the inclusion of krill

  Eero Aaltonen (1):
        dm-verity-img.bbclass: fix syntax warning

  Jose Quaresma (3):
        meta-hardening/layer: lower the priority from 10 to 6
        meta-security-compliance/layer: lower the priority from 10 to 6
        meta-tpm/layer: lower the priority from 10 to 6

  Kevin Hao (1):
        dm-verity-img.bbclass: Fix the hash offset alignment issue

  Mikko Rapeli (1):
        ima-evm-utils: disable documentation from build

  Paul Gortmaker (3):
        dm-verity: update beaglebone wic to match meta-yocto
        dm-verity: add basic non-arch/non-BSP yocto specific settings
        dm-verity: document board specifics for Beaglebone Black

  Peter Marko (1):
        tpm2-tss: correct CVE product

meta-raspberrypi: e15b876155..3afdbbf782:
  Carlos Alberto Lopez Perez (1):
        mesa-demos: enable build with userland graphics drivers.

  Khem Raj (6):
        linux-raspberrypi: Add recipes for 6.1 kernel
        psplash: Make psplash wait for the framebuffer to be ready
        rpi-default-versions: Use 6.1 kernel as default
        gstreamer1.0-plugins-bad: Drop gpl packageconfig
        rpidistro-ffmpeg: Pin to use gcc always
        rpidistro-vlc: Fix build with clang16

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ie6e60085306d31972098b87738eb550e5140b92a

15 files changed, 74 insertions, 21 deletions

diff --git a/meta-arm/ci/clang.yml b/meta-arm/ci/clang.yml
index a2063f19c0..eeee785269 100644
--- a/meta-arm/ci/clang.yml
+++ b/meta-arm/ci/clang.yml
@@ -6,5 +6,8 @@ repos:
     url: https://github.com/kraj/meta-clang
 
 local_conf_header:
-  clang: |
+  toolchain: |
     TOOLCHAIN = "clang"
+    # This is needed to stop bitbake getting confused about what clang/llvm is
+    # being used, see https://github.com/kraj/meta-clang/pull/766
+    BBMASK += "/meta/recipes-devtools/llvm/llvm.*\.bb"
diff --git a/meta-arm/ci/corstone1000-common.yml b/meta-arm/ci/corstone1000-common.yml
index 65ff9d3861..d856cfe795 100644
--- a/meta-arm/ci/corstone1000-common.yml
+++ b/meta-arm/ci/corstone1000-common.yml
@@ -3,13 +3,12 @@ header:
   includes:
     - ci/base.yml
     - ci/meta-openembedded.yml
+    - ci/poky-tiny.yml
 
 local_conf_header:
     extrapackages: |
     # Intentionally blank to prevent perf from being added to the image in base.yml
 
-distro: poky-tiny
-
 target:
   - corstone1000-image
   - perf
diff --git a/meta-arm/ci/corstone500.yml b/meta-arm/ci/corstone500.yml
index 437c97c5d7..0f9592e3da 100644
--- a/meta-arm/ci/corstone500.yml
+++ b/meta-arm/ci/corstone500.yml
@@ -3,17 +3,10 @@ header:
   includes:
     - ci/base.yml
     - ci/fvp.yml
+    - ci/poky-tiny.yml
 
 local_conf_header:
   fvp-config: |
     IMAGE_FEATURES:remove = " ssh-server-dropbear"
-  extrapackages: |
-    # Intentionally blank to prevent perf from being added to the image in base.yml
 
 machine: corstone500
-
-distro: poky-tiny
-
-target:
-  - core-image-minimal
-  - perf
diff --git a/meta-arm/ci/fvp-base-arm32.yml b/meta-arm/ci/fvp-base-arm32.yml
deleted file mode 100644
index 9f790f670d..0000000000
--- a/meta-arm/ci/fvp-base-arm32.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-header:
-  version: 11
-  includes:
-    - ci/base.yml
-    - ci/fvp.yml
-
-machine: fvp-base-arm32
diff --git a/meta-arm/ci/fvp.yml b/meta-arm/ci/fvp.yml
index a12c621e0b..a8f8dfc083 100644
--- a/meta-arm/ci/fvp.yml
+++ b/meta-arm/ci/fvp.yml
@@ -3,7 +3,7 @@ header:
 
 local_conf_header:
   testimagefvp: |
-    INHERIT = "fvpboot"
+    INHERIT += "fvpboot"
     # This fails but we can't add to the ignorelist from meta-arm yet
     # https://bugzilla.yoctoproject.org/show_bug.cgi?id=14604
     TEST_SUITES:remove = "parselogs"
diff --git a/meta-arm/ci/gcc.yml b/meta-arm/ci/gcc.yml
new file mode 100644
index 0000000000..a39436804f
--- /dev/null
+++ b/meta-arm/ci/gcc.yml
@@ -0,0 +1,7 @@
+header:
+  version: 11
+
+#NOTE: This is the default for poky.  This is only being added for completeness/clarity
+local_conf_header:
+  toolchain: |
+    TOOLCHAIN = "gcc"
diff --git a/meta-arm/ci/glibc.yml b/meta-arm/ci/glibc.yml
new file mode 100644
index 0000000000..adc85a76e1
--- /dev/null
+++ b/meta-arm/ci/glibc.yml
@@ -0,0 +1,7 @@
+header:
+  version: 11
+
+#NOTE: This is the default for poky.  This is only being added for completeness/clarity
+local_conf_header:
+  libc: |
+    TCLIBC = "glibc"
diff --git a/meta-arm/ci/jobs-to-kas b/meta-arm/ci/jobs-to-kas
index d6896b7728..b8615a5ff5 100755
--- a/meta-arm/ci/jobs-to-kas
+++ b/meta-arm/ci/jobs-to-kas
@@ -18,7 +18,7 @@ for i in $(echo $1 | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do
 	# defaults, we can simply ignore those parameters.  They are necessary
 	# to pass in so that matrix can correctly setup all of the permutations
 	# of each individual run.
-	if [[ $i == 'none' || $i == 'gcc' || $i == 'glibc' || $i == 'uboot' ]]; then
+	if [[ $i == 'none' ]]; then
 		continue
 	fi
 	FILES+=":ci/$i.yml"
diff --git a/meta-arm/ci/linux-yocto-dev.yml b/meta-arm/ci/linux-yocto-dev.yml
new file mode 100644
index 0000000000..a6fadce1ec
--- /dev/null
+++ b/meta-arm/ci/linux-yocto-dev.yml
@@ -0,0 +1,6 @@
+header:
+  version: 9
+
+local_conf_header:
+  kernel: |
+    PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
diff --git a/meta-arm/ci/linux-yocto-rt.yml b/meta-arm/ci/linux-yocto-rt.yml
new file mode 100644
index 0000000000..69d768c5a3
--- /dev/null
+++ b/meta-arm/ci/linux-yocto-rt.yml
@@ -0,0 +1,6 @@
+header:
+  version: 9
+
+local_conf_header:
+  kernel: |
+    PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-rt"
diff --git a/meta-arm/ci/linux-yocto.yml b/meta-arm/ci/linux-yocto.yml
new file mode 100644
index 0000000000..359fea5a05
--- /dev/null
+++ b/meta-arm/ci/linux-yocto.yml
@@ -0,0 +1,7 @@
+header:
+  version: 9
+
+#NOTE: This is the default for poky.  This is only being added for completeness/clarity
+local_conf_header:
+  kernel: |
+    PREFERRED_PROVIDER_virtual/kernel = "linux-yocto"
diff --git a/meta-arm/ci/poky-tiny.yml b/meta-arm/ci/poky-tiny.yml
new file mode 100644
index 0000000000..cf252a0e18
--- /dev/null
+++ b/meta-arm/ci/poky-tiny.yml
@@ -0,0 +1,14 @@
+header:
+  version: 9
+
+distro: poky-tiny
+
+local_conf_header:
+  hacking: |
+    TEST_SUITES = "ping"
+  extrapackages: |
+    # Intentionally blank to prevent perf from being added to the image in base.yml
+
+target:
+  - core-image-minimal
+  - perf
diff --git a/meta-arm/ci/poky.yml b/meta-arm/ci/poky.yml
new file mode 100644
index 0000000000..d4bcfebfd2
--- /dev/null
+++ b/meta-arm/ci/poky.yml
@@ -0,0 +1,4 @@
+header:
+  version: 9
+
+distro: poky
diff --git a/meta-arm/ci/u-boot.yml b/meta-arm/ci/u-boot.yml
new file mode 100644
index 0000000000..76bdd23e74
--- /dev/null
+++ b/meta-arm/ci/u-boot.yml
@@ -0,0 +1,8 @@
+header:
+  version: 11
+
+local_conf_header:
+  bootfirmware: |
+    PREFERRED_PROVIDER_virtual/bootloader = "u-boot"
+    TFA_UBOOT = "1"
+    TFA_UEFI = "0"
diff --git a/meta-arm/ci/update-repos b/meta-arm/ci/update-repos
index 91ff197584..9487102df1 100755
--- a/meta-arm/ci/update-repos
+++ b/meta-arm/ci/update-repos
@@ -4,6 +4,7 @@
 
 import sys
 import os
+import shutil
 import subprocess
 import pathlib
 
@@ -34,9 +35,14 @@ if __name__ == "__main__":
 
     for repo in repositories:
         repodir = base_repodir / repo_shortname(repo)
+
+        if "CI_CLEAN_REPOS" in os.environ:
+            print("Cleaning %s..." % repo)
+            shutil.rmtree(repodir, ignore_errors=True)
+
         if repodir.exists():
             print("Updating %s..." % repo)
-            subprocess.run(["git", "-C", repodir, "fetch"], check=True)
+            subprocess.run(["git", "-C", repodir, "-c", "gc.autoDetach=false", "fetch"], check=True)
         else:
             print("Cloning %s..." % repo)
             subprocess.run(["git", "clone", "--bare", repo, repodir], check=True)