author: Patrick Williams <patrick@stwcx.xyz> 2022-01-20 20:06:23 +0300
committer: Patrick Williams <patrick@stwcx.xyz> 2022-01-20 20:06:26 +0300
commit: 53961c2d8a97d0f9e5a90c17ca48380657e79c3e
tree: 0f30b66a917f31dfd698059e03d254464b48c564 /meta-security/meta-parsec
parent: cbf46010eab661117b0225bdb30fcf565c1d8b3c
meta-security: subtree update:a85fbe980e..c20b35b527

Anton Antonov (1):
      Parsec service. Update PACKAGECONFIG definitions and README.md

Armin Kuster (20):
      python3-fail2ban: fix build failure and cleanup
      meta-parsec/README: remove rust layer req.
      opendnssec: blacklist do to ldns being blacklisted
      apparmor: Add a python 3.10 compatability patch
      tpm2-tools: update to 5.2
      openssl-tpm-engine: fix build issue with openssl 3
      tpm2-openssl: add new pkg
      tpm2-pkcs11: update to 1.7.0
      recipes: Update SRC_URI branch and protocols
      sssd: Create /var/log/sssd in runtime
      bastille: Create /var/log/Bastille in runtime
      python3-fail2ban: remove /run
      tpm2-pkcs11: update to 1.7.0
      libest: does not build with openssl 3.x
      clamav: fix useradd warning
      python3-fail2ban: update to tip
      tpm2-pkcs11: backport openssl 3.x build fixes
      packagegroup-security-tpm2: drop ibmswtpm2
      meta-integrity: drop strongswan bbappends
      meta-tpm: drop strongswan bbappends

Kai Kang (2):
      sssd: re-package to fix QA issues
      apparmor: fix warning of remove operator combined with +=

Kristian Klausen (2):
      swtpm: update to 0.6.1
      dm-verity-img.bbclass: Fix wrong override syntax for CONVERSION_DEPENDS

Liwei Song (1):
      recipes-security/chipsec: platform security assessment framework

Stefan Mueller-Klieser (1):
      tpm2-tss: fix fapi package config

Yi Zhao (2):
      openssl-tpm-engine: fix warning for append operator combined with +=
      meta-parsec/README.md: fix for append operator combined with +=

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2156e47cf3f4f45daa2b60a73e3b46be3b6a86c0

Diffstat (limited to 'meta-security/meta-parsec')
-rw-r--r-- meta-security/meta-parsec/README.md | 45
-rw-r--r-- meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb | 10
2 files changed, 28 insertions, 27 deletions
diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md
index 24958ac0a2..bb4c2b9798 100644
--- a/meta-security/meta-parsec/README.md
+++ b/meta-security/meta-parsec/README.md
@@ -1,8 +1,7 @@
meta-parsec layer
==============
-This layer contains recipes for the Parsec service with Mbed-Crypto,
-Pkcs11 and TPM providers and parsec tools.
+This layer contains recipes for the Parsec service and parsec tools.
Dependencies
============
@@ -11,23 +10,12 @@ This layer depends on:
URI: git://git.openembedded.org/meta-openembedded
branch: master
- revision: HEAD
- prio: default
URI git://git.yoctoproject.org/meta-security
branch: master
- revision: HEAD
- prio: default
-
- URI https://github.com/meta-rust/meta-rust.git
- branch: master
- revision: HEAD
- prio: default
URI https://github.com/kraj/meta-clang.git
branch: master
- revision: HEAD
- prio: default
Adding the meta-parsec layer to your build
==========================================
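Review bot: Removing the meta-rust entry from the Dependencies list assumes the Rust toolchain is provided by another layer in the build, but the list does not say from which release that holds. Suggest adding a line naming the minimum supported release so users on older branches know they still need meta-rust. The remaining entries also mix `URI:` and `URI` without a colon, which is worth making consistent while this block is being edited.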
@@ -44,7 +32,6 @@ other layers needed. e.g.:
/path/to/yocto/meta-yocto-bsp \
/path/to/meta-openembedded/meta-oe \
/path/to/meta-openembedded/meta-python \
- /path/to/meta-rust \
/path/to/meta-clang \
/path/to/meta-security/meta-tpm \
/path/to/meta-security/meta-parsec \
@@ -55,9 +42,16 @@ local.conf:
IMAGE_INSTALL:append = " parsec-service"
- The Parsec service will be deployed into the image built with all the supported
-providers and with the default config file from the Parsec repository:
+ By default the Parsec service will be deployed into the image with
+TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in
+and with the default config file from the Parsec repository:
https://github.com/parallaxsecond/parsec/blob/main/config.toml
+
+ You can use PACKAGECONFIG for Parsec servic recipe to define
+what providers should be built in. For example,
+
+ PACKAGECONFIG:pn-parsec-service = "TPM"
+
The default Parsec service config file contains the MbedCrypto provider
enabled. The config file needs to be updated to use the Parsec service
with other providers like TPM or PKCS11. The required procedures are
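Review bot: The `PACKAGECONFIG:pn-parsec-service = "TPM"` example builds the service without the Mbed-Crypto provider, while the paragraph right after it says the default config file has the MbedCrypto provider enabled. The added text should state that the config file must be updated to match the providers that were actually built in, otherwise a reader following the example deploys a config that names a provider the binary lacks. Two typos in the added lines: "providers build in" should be "built in", and "Parsec servic recipe" should be "Parsec service recipe".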
@@ -86,24 +80,31 @@ Manual testing with runqemu
This layer also contains a recipe for pasec-tool which can be used for
manual testing of the Parsec service:
- IMAGE_INSTALL:append += " parsec-tools"
+ IMAGE_INSTALL:append = " parsec-tools"
There are a series of Parsec Demo videos showing how to use parsec-tool
to test the Parsec service base functionality:
https://www.youtube.com/watch?v=ido0CyUdMHM&list=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg&index=4
+ The parsec-tool recipe also includes `parsec-cli-tests.sh` script
+which runs e2e tests against all providers enabled and configured
+in Parsec service.
+
You can use runqemu to start a VM with a built image file and run
manual tests with parsec-tool.
+Enabling Parsec providers for manual testing
+============================================
+
1. MbedCrypto provider
The default Parsec service config file contains the MbedCrypto provider
-enabled. No changes required for manual testing.
+enabled. No changes required.
2. PKCS11 provider
The Software HSM can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL:append += " softhsm"
+ IMAGE_INSTALL:append = " softhsm"
Inside the running VM:
- Stop Parsec
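Review bot: The added sentence on `parsec-cli-tests.sh` says it runs against all providers enabled and configured, but it gives no invocation or installed path and it sits before the new "Enabling Parsec providers for manual testing" section that the reader needs first. Suggest moving it below the provider steps or adding a one-line usage. The text also alternates between "parsec-tool" and the package name `parsec-tools`, and the context line "recipe for pasec-tool" still carries a typo that could be fixed in the same change.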
@@ -134,7 +135,7 @@ systemctl start parsec
The IBM Software TPM service can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL:append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
+ IMAGE_INSTALL:append = " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
Inside the running VM:
- Stop Parsec
@@ -165,11 +166,11 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-parsec][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-parsec][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-parsec][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
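Review bot: The list address is changed to yocto@lists.yoctoproject.org in the `git send-email` and `git config sendemail.to` lines, but the context line "Send pull requests, patches, comments or questions to yocto@yoctoproject.org" above them keeps the old address, so the section now names two different addresses. Update that line in the same change. "please using something like" should read "please use something like".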
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
index b8bfa98ac6..91618722ef 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
@@ -13,15 +13,15 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \
DEPENDS = "clang-native"
PACKAGECONFIG ??= "TPM PKCS11 MBED-CRYPTO CRYPTOAUTHLIB"
-PACKAGECONFIG[ALL] = "all-providers,,tpm2-tss libts,libts"
-PACKAGECONFIG[TPM] = "tpm-provider,,tpm2-tss"
-PACKAGECONFIG[PKCS11] = "pkcs11-provider,"
+PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts"
+PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss"
+PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"
-PARSEC_PROVIDERS = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).replace(' ', ',')}"
-CARGO_BUILD_FLAGS += " --features ${PARSEC_PROVIDERS},cryptoki/generate-bindings,tss-esapi/generate-bindings"
+PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}"
+CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"
inherit systemd
SYSTEMD_SERVICE:${PN} = "parsec.service"
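Review bot: In `CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"`, an empty PACKAGECONFIG leaves PARSEC_FEATURES empty and passes `--features` with no value. Either add the flag only when the feature list is non-empty, or document that at least one provider must be selected. Tying the `generate-bindings` features to the ALL, TPM and PKCS11 entries instead of appending them unconditionally is the right direction. The second argument in `d.getVar('PACKAGECONFIG_CONFARGS',True)` is redundant, since expansion is the default, and can be dropped while this line is being rewritten.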