diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2022-05-27 19:33:10 +0300 |
|---|---|---|
| committer | Andrew Geissler <andrew@geissonator.com> | 2022-06-11 15:18:26 +0300 |
| commit | d583833a9a54248703bfc1ec48e2c98515f06899 (patch) | |
| tree | d43be51238c5a5ef7bebd40912974b5ceff435c9 /meta-security | |
| parent | f7a3395e850d59f92b1f42550ec244f567df39eb (diff) | |
| download | openbmc-d583833a9a54248703bfc1ec48e2c98515f06899.tar.xz | |
subtree updates
meta-security: 93f2146211..7628a3e90b:
Anton Antonov (3):
Parsec-service: Update installation procedure
Parsec-service: Fix arm32 build
meta-parsec: Update Parsec runtime tests
Armin Kuster (20):
fscrypt: add distro_check on pam
meta-security: move perl and python recipes to dynamic layers structure
packagegroup-core-security: remove pkgs
packagegroup-core-security: add perl pkgs grps
packagegroup-core-security: add dynamic python pkgs
arpwatch: add postfix to pkg config
suricata: drop nfnetlink from pkg config
packagegroup-core-security.bb: fix suricata inclusion
layer.conf: fix up layer dependancies.
ima-evm-utils: Update to 1.4
aide: Update 01.17.4
ossec-hids: update to 3.7.0
suricata: update to 5.0.5
samhain: update to 4.4.9
tpm2-pkcs11: tpm2-pkcs11 module missing
tpm2-tools: Add missing rdepends
oeqa/cases/tpm2: fix and enhance test suite
meta-parsec: Add pkg grps
meta-parsec: add build image.
oeqa: add parsec runtime tests
Jeremy A. Puhlman (2):
aide: Add depend on audit when audit is enabled.
lib-perl: prefix man pages to avoid conflicting with base perl
Josh Harley (1):
Add EROFS support to dm-verity-img class
Lei Maohui (1):
layer.conf: Added BBFILES_DYNAMIC for dynamic-layers.
meta-openembedded: 77c2fda04e..a9e6d16e66:
Alejandro Enedino Hernandez Samaniego (1):
cryptsetup: Add luks2 configure options defaults
Alex Kiernan (2):
ulogd2: Add recipe
libcoap: Add recipe
Armin Kuster (13):
meta-python-image: Fix build depends
crda: move to a dynamic-layer for python
cyrus-sasl: move from meta-networking to meta-oe
netplan: move from meta-networking to meta-oe
nvmetcli: move recipe to meta-oe
packagegroup-meta-oe: update pkg group
python3-ldap: move to meta-python
packagegroup-meta-python.bb: update pkg group
firewalld: move to dynamic meta-python layer
packagegroup-meta-networking: update pkg group
meta-networking: drop meta-python layer depends
meta-gnome: fix layer depends.
layer.conf: Post release codename changes
Bartosz Golaszewski (19):
python3-pyfanotify: new package
python3-toolz: new package
python3-cytoolz: new package
python3-decouple: new package
python3-eth-hash: new package
python3-eth-typing: new package
python3-eth-utils: new package
python3-eth-keys: new package
python3-eth-keyfile: new package
python3-hexbytes: new package
python3-rlp: new package
python3-eth-rlp: new package
python3-parsimonious: new package
python3-eth-abi: new package
python3-eth-account: new package
python3-lru-dict: new package
python3-web3: new package
python3-inotify: new package
speedtest-cli: drop the recipe
Changqing Li (1):
zabbix: upgrade 5.2.6 -> 6.0.4
Chase Qi (1):
kernel-selftest: install kselftest runner
Claudius Heine (1):
btrfsmaintenance: add recipe for btrfsmaintenance scripts
Denys Dmytriyenko (2):
devmem2: reinstate previous patches, removed by mistake
devmem2: add support for different page sizes
Diego Sueiro (1):
bats: upgrade 1.6.0 -> 1.6.1
Gianfranco (3):
sdbus-c++-libsystemd: Bump SRCREV to last commit of 250-stable branch
sdbus-c++: Bump version from 1.00 to 1.1.0
libmtp: Add doxygen-native dependency in case documentation build is enabled in PACKAGECONFIG. This fixes a FTBFS due to missing dependency.
Gianfranco Costamagna (1):
vboxguestdrivers: upgrade 6.1.32 -> 6.1.34
Jiaqing Zhao (2):
openldap: Remove libgcrypt dependency
openldap: Upgrade 2.5.9 -> 2.5.12
Joerg Vehlow (1):
jq: Fix typo OE_EXTRACONF -> EXTRA_OECONF
Julien STEPHAN (1):
libcamera: fix packaging
Kai Kang (3):
conntrack-tools: fix postinst script
wxwidgets: enable to use private fonts
python3-wxgtk4: backport patch to fix svg issue
Khem Raj (12):
ufw: Fix packaging errors found with ppc64
libcereal: Enable for glibc/ppc
mimic: Use special rateconv.c license
makedumpfile: Use right TARGET for ppc32
evince: Add dbus to depnedencies on non-x11 builds
evolution-data-server: Do not pass --library-path to gir compiler
python3-wxgtk4: Needs x11 for sip module
zfs: Fix build on musl systems
zfs: Disable on riscv32
zfs: Disable on mips
zfs: Make systemd and sysvinit into packageconfigs
sdbus-c++: Link with libatomic on mips/ppc32
Markus Volk (1):
minidlna: fix obsolete license warning
Martin Jansa (1):
ostree: prevent ostree-native depending on target virtual/kernel to provide kernel-module-overlay
Michael Opdenacker (1):
devmem2: update SRC_URI according to redirect
Mingli Yu (1):
s-nail: Set VAL_MTA
Nicolas Dechesne (1):
imlib2: update SRC_URI
Peter Kjellerstedt (1):
libwebsockets: Avoid absolute paths in *.cmake files in the sysroot
Portia (1):
cpulimit: introduce support for this package
Randy MacLeod (1):
intel-speed-select: Add libnl dependency and extend CFLAGS
Richard Neill (1):
bats: Add patch to fix false-negatives caused by teardown code
Ross Burton (1):
Revert "python3-cbor2: upgrade 5.4.2 -> 5.4.3"
Samuli Piippo (1):
python3-qface: upgrade 2.0.7 -> 2.0.8
Teresa Remmet (1):
meta-networking: Add meta-python to BBFILES_DYNAMIC
Vyacheslav Yurkov (1):
polkit: add udisks2 rule
Windel Bouwman (1):
Add zfs recipe
Xu Huan (17):
python3-astroid: upgrade 2.11.2 -> 2.11.3
python3-bitstruct: upgrade 8.14.0 -> 8.14.1
python3-cachecontrol: upgrade 0.12.10 -> 0.12.11
python3-engineio: upgrade 4.3.1 -> 4.3.2
python3-flask-socketio: upgrade 5.1.1 -> 5.1.2
python3-google-api-python-client: upgrade 2.43.0 -> 2.45.0
python3-graphviz: upgrade 0.19.2 -> 0.20
python3-cbor2: upgrade 5.4.2 -> 5.4.3
python3-click: upgrade 8.1.2 -> 8.1.3
python3-flask-login: upgrade 0.6.0 -> 0.6.1
python3-flask: upgrade 2.1.1 -> 2.1.2
python3-google-api-core: upgrade 2.7.1 -> 2.7.3
python3-google-auth: upgrade 2.6.3 -> 2.6.6
python3-mypy: upgrade 0.942 -> 0.950
python3-pyalsaaudio: upgrade 0.9.0 -> 0.9.2
python3-grpcio-tools: upgrade 1.45.0 -> 1.46.0
python3-pychromecast: upgrade 11.0.0 -> 12.1.1
Yi Zhao (1):
networkmanager: fix parallel build failure
wangmy (41):
python3-sentry-sdk: upgrade 1.5.8 -> 1.5.10
python3-socketio: upgrade 5.5.2 -> 5.6.0
python3-textparser: upgrade 0.23.0 -> 0.24.0
python3-twisted: upgrade 22.2.0 -> 22.4.0
python3-websockets: upgrade 10.2 -> 10.3
fuse3: upgrade 3.10.5 -> 3.11.0
zenity: upgrade 3.42.0 -> 3.42.1
babeld: upgrade 1.11 -> 1.12
cifs-utils: upgrade 6.14 -> 6.15
nbdkit: upgrade 1.31.1 -> 1.31.2
stunnel: upgrade 5.63 -> 5.64
tgt: upgrade 1.0.79 -> 1.0.82
wolfssl: upgrade 5.2.0 -> 5.3.0
ctags: upgrade 5.9.20220417.0 -> 5.9.20220501.0
freerdp: upgrade 2.6.1 -> 2.7.0
fwupd-efi: upgrade 1.2 -> 1.3
htop: upgrade 3.1.2 -> 3.2.0
hwdata: upgrade 0.358 -> 0.359
icewm: upgrade 2.9.6 -> 2.9.7
iwd: upgrade 1.26 -> 1.27
jemalloc: upgrade 5.2.1 -> 5.3.0
libmbim: upgrade 1.26.2 -> 1.26.4
libyang: upgrade 2.0.164 -> 2.0.194
nano: upgrade 6.2 -> 6.3
phoronix-test-suite: upgrade 10.8.2 -> 10.8.3
php: upgrade 8.1.4 -> 8.1.5
pkcs11-helper: upgrade 1.28.0 -> 1.29.0
poppler: upgrade 22.04.0 -> 22.05.0
toybox: upgrade 0.8.6 -> 0.8.7
unixodbc: upgrade 2.3.9 -> 2.3.11
xmlsec1: upgrade 1.2.33 -> 1.2.34
gtk4: upgrade 4.6.3 -> 4.6.4
nbdkit: upgrade 1.31.2 -> 1.31.5
ctags: upgrade 5.9.20220501.0 -> 5.9.20220508.0
openjpeg: upgrade 2.4.0 -> 2.5.0
php: upgrade 8.1.5 -> 8.1.6
postgresql: upgrade 14.2 -> 14.3
phpmyadmin: upgrade 5.1.3 -> 5.2.0
python3-aiohue: upgrade 3.0.11 -> 4.4.1
python3-awesomeversion : add recipe
python3-traitlets: upgrade 5.1.1 -> 5.2.0
zhengrq.fnst (12):
glibmm-2.68: upgrade 2.70.0 -> 2.72.1
gnome-text-editor: upgrade 42.0 -> 42.1
apitrace: upgrade 10.0 -> 11.0
libconfig-general-perl: upgrade 2.63 -> 2.65
gpsd: upgrade 3.23.1 -> 3.24
mbw: upgrade 1.4 -> 1.5
gtk4: upgrade 4.6.2 -> 4.6.3
python3-antlr4-runtime: upgrade 4.9.2 -> 4.10
python3-booleanpy: upgrade 3.8 -> 4.0
python3-pika: upgrade 1.2.0 -> 1.2.1
python3-autobahn: upgrade 22.3.2 -> 22.4.2
python3-bitarray: upgrade 2.4.1 -> 2.5.0
zhengruoqin (7):
python3-imageio: upgrade 2.17.0 -> 2.18.0
python3-langtable: upgrade 0.0.57 -> 0.0.58
python3-paramiko: upgrade 2.10.3 -> 2.10.4
python3-protobuf: upgrade 3.20.0 -> 3.20.1
python3-pylint: upgrade 2.13.5 -> 2.13.7
python3-pymongo: upgrade 4.1.0 -> 4.1.1
python3-regex: upgrade 2022.3.15 -> 2022.4.24
poky: 9e55696042..13d70e57f8:
Alex Kiernan (7):
eudev: Upgrade 3.2.10 -> 3.2.11
eudev: Add PACKAGECONFIG for manpages & selinux
pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
openssh: Add openssh-sftp-server to openssh RDEPENDS
eudev: Convert dependencies to PACKAGECONFIG
eudev: Cleanup redundant configuration
eudev: Use PACKAGE_BEFORE_PN/${PN}, clean up spaces
Alexander Kanavin (106):
systemd: upgrade 250.4 -> 250.5
python3-cryptography: upgrade 36.0.2 -> 37.0.1
util-linux: upgrade 2.37.4 -> 2.38
vulkan: upgrade 1.3.204.1 -> 1.3.211.0
libnl: upgrade 3.5.0 -> 3.6.0
libsdl2: upgrade 2.0.20 -> 2.0.22
mesa: upgrade 22.0.0 -> 22.0.2
python3-babel: upgrade 2.9.1 -> 2.10.1
python3-mako: upgrade 1.1.6 -> 1.2.0
python3-pygments: upgrade 2.11.2 -> 2.12.0
at-spi2-core: upgrade 2.44.0 -> 2.44.1
bind: upgrade 9.18.1 -> 9.18.2
cronie: upgrade 1.6.0 -> 1.6.1
diffoscope: upgrade 208 -> 211
dnf: upgrade 4.11.1 -> 4.12.0
ell: upgrade 0.49 -> 0.50
epiphany: upgrade 42.0 -> 42.2
ffmpeg: upgrade 5.0 -> 5.0.1
fribidi: upgrade 1.0.11 -> 1.0.12
harfbuzz: upgrade 4.2.0 -> 4.2.1
libinput: upgrade 1.19.3 -> 1.19.4
libmnl: upgrade 1.0.4 -> 1.0.5
libnotify: upgrade 0.7.9 -> 0.7.11
libpipeline: upgrade 1.5.5 -> 1.5.6
libseccomp: upgrade 2.5.3 -> 2.5.4
libx11: upgrade 1.7.5 -> 1.8
lttng-tools: upgrade 2.13.4 -> 2.13.7
mmc-utils: upgrade to latest revision
neard: upgrade 0.16 -> 0.18
pango: upgrade 1.50.6 -> 1.50.7
parted: upgrade 3.4 -> 3.5
piglit: upgrade to latest revision
python3-cryptography-vectors: upgrade 36.0.2 -> 37.0.1
python3-dtschema: upgrade 2022.1 -> 2022.4
python3-hypothesis: upgrade 6.44.0 -> 6.46.0
python3-jinja2: upgrade 3.1.1 -> 3.1.2
python3-pygobject: upgrade 3.42.0 -> 3.42.1
python3-pytest: upgrade 7.1.1 -> 7.1.2
repo: upgrade 2.23 -> 2.24.1
sqlite3: upgrade 3.38.2 -> 3.38.3
vala: upgrade 0.56.0 -> 0.56.1
vte: upgrade 0.66.2 -> 0.68.0
webkitgtk: upgrade 2.36.0 -> 2.36.1
xorgproto: upgrade 2021.5 -> 2022.1
xwayland: upgrade 22.1.0 -> 22.1.1
sysvinit: update 3.02 -> 3.04
pciutils: update 3.7.0 -> 3.8.0
elfutils: update 0.186 -> 0.187
git: update 2.35.3 -> 2.36.0
libdnf: update 0.66.0 -> 0.67.0
llvm: update 14.0.1 -> 14.0.3
rsync: update 3.2.3 -> 3.2.4
lsof: update 4.94.0 -> 4.95.0
libhandy: update 1.5.0 -> 1.6.2
librsvg: update 2.54.0 -> 2.54.1
xauth: update 1.1.1 -> 1.1.2
gnupg: update 2.3.4 -> 2.3.6
qemu: update 6.2.0 -> 7.0.0
stress-ng: disable apparmor from the correct spot
coreutils: update 9.0 -> 9.1
python3-setuptools: upgrade 59.5.0 -> 62.3.1
go: upgrade 1.18.1 -> 1.18.2
iptables: upgrade 1.8.7 -> 1.8.8
gnu-config: update to latest version
u-boot: upgrade 2022.01 -> 2022.04
python3-pip: update 22.0.4 -> 22.1
libxcb: update 1.14 -> 1.15
xcb-proto: upgrade 1.14.1 -> 1.15
systemtap: update 4.6 -> 4.7
vulkan-samples: update to latest revision
curl: upgrade 7.83.0 -> 7.83.1
diffoscope: upgrade 211 -> 212
git: upgrade 2.36.0 -> 2.36.1
gnutls: upgrade 3.7.4 -> 3.7.5
gst-devtools: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-libav: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-omx: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-bad: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-base: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-good: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-plugins-ugly: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-python: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-rtsp-server: upgrade 1.20.1 -> 1.20.2
gstreamer1.0: upgrade 1.20.1 -> 1.20.2
gstreamer1.0-vaapi: upgrade 1.20.1 -> 1.20.2
libcgroup: upgrade 2.0.1 -> 2.0.2
libnotify: upgrade 0.7.11 -> 0.7.12
librsvg: upgrade 2.54.1 -> 2.54.3
mesa: upgrade 22.0.2 -> 22.0.3
mobile-broadband-provider-info: upgrade 20220315 -> 20220511
piglit: upgrade to latest revision
psmisc: upgrade 23.4 -> 23.5
python3-bcrypt: upgrade 3.2.0 -> 3.2.2
python3-cryptography: upgrade 37.0.1 -> 37.0.2
python3-cryptography-vectors: upgrade 37.0.1 -> 37.0.2
python3-hypothesis: upgrade 6.46.0 -> 6.46.4
python3-jsonschema: upgrade 4.4.0 -> 4.5.1
python3-markdown: upgrade 3.3.6 -> 3.3.7
python3-more-itertools: upgrade 8.12.0 -> 8.13.0
python3-pbr: upgrade 5.8.1 -> 5.9.0
python3-pyparsing: upgrade 3.0.8 -> 3.0.9
repo: upgrade 2.24.1 -> 2.25
sqlite3: upgrade 3.38.3 -> 3.38.5
stress-ng: upgrade 0.14.00 -> 0.14.01
python3-setuptools-rust: update 1.1.2 -> 1.3.0
python3: use built-in distutils for ptest, rather than setuptools' 'fork'
Andrej Valek (1):
kernel: add missing path to search for debug files
Arkadiusz Drabczyk (1):
overview-manual: fix a forgotten link
Aryaman Gupta (1):
e2fsprogs: update upstream status
Bruce Ashfield (23):
linux-yocto/5.15: arm: poky-tiny cleanup and fixes
linux-yocto/5.10: update to v5.10.110
linux-yocto/5.10: base: enable kernel crypto userspace API
linux-yocto/5.15: update to v5.15.33
linux-yocto/5.15: base: enable kernel crypto userspace API
linux-yocto/5.15: kasan: fix BUG: sleeping function called from invalid context
linux-yocto/5.15: fix ppc boot
linux-yocto/5.15: netfilter: conntrack: avoid useless indirection during conntrack destruction
linux-yocto/5.10: update to v5.10.112
linux-yocto/5.15: update to v5.15.35
linux-yocto/5.15: Fix CVE-2022-28796
linux-yocto: enable powerpc debug fragment
linux-yocto/5.15: fix -standard kernel build issue
linux-yocto/5.15: update to v5.15.36
linux-yocto/5.15: fix qemuarm graphical boot
strace: fix ptest failure in landlock
yocto-bsps: update to v5.15.36
yocto-bsps: update to v5.10.113
linux-yocto/5.15: update to v5.15.37
linux-yocto/5.10: update to v5.10.113
linux-yocto/5.15: update to v5.15.38
linux-yocto/5.10: update to v5.10.114
lttng-modules: fix build against 5.18-rc7+
Changqing Li (1):
eudev: create static-nodes in init script
Chanho Park (2):
externalsrc.bbclass: support crate fetcher on externalsrc
cargo_common.bbclass: enable bitbake vendoring for externalsrc
Claudius Heine (3):
classes: rootfs-postcommands: add skip option to overlayfs_qa_check
overlayfs: add docs about skipping QA check & service dependencies
wic: added fspassno parameter to partition
Davide Gardenal (4):
cve-check: add JSON format to summary output
cve-check: fix symlinks where link and output path are equal
rootfs-postcommands: fix symlinks where link and output path are equal
openssl: minor security upgrade 3.0.2 -> 3.0.3
Dmitry Baryshkov (3):
linux-firmware: upgrade 20220411 -> 20220509
linux-firmware: package new Qualcomm firmware
image.bbclass: allow overriding dependency on virtual/kernel:do_deploy
Felix Moessbauer (1):
wic/plugins/rootfs: Fix permissions when splitting rootfs folders across partitions
Gunjan Gupta (2):
bitbake: fetch2/osc: Small fixes for osc fetcher
bitbake: fetch2/osc: Add support to query latest revision
Jacob Kroon (1):
Revert "image.bbclass: allow overriding dependency on virtual/kernel:do_deploy"
Jiaqing Zhao (5):
libxml2: Upgrade 2.9.13 -> 2.9.14
systemd: Drop 0001-test-parse-argument-Include-signal.h.patch
systemd: Remove __compare_fn_t type in musl-specific patch
systemd: Drop 0002-don-t-use-glibc-specific-qsort_r.patch
systemd: Correct path returned in sd_path_lookup()
Jon Mason (1):
qemuarmv5: use arm-versatile-926ejs KMACHINE
Kai Kang (1):
wpa-supplicant: update config for gnutls
Khem Raj (15):
qemu: Add packageconfig for libbpf support
linux-yocto: Enable powerpc-debug fragment for ppc64 LE
musl: Upgrade to tip of trunk
systemd: Fix build regression with latest update
gcc: upgrade 11.3 -> 12.1
libstd-rs: Forward port rust libc patches
gdb: Upgrade to 12.1
bash: build with bash_cv_getcwd_malloc=yes on musl too
ovmf: Fix native build with gcc-12
elfutils: Disable stringop-overflow warning for build host
musl-locales: Switch SRC_URI to new location
systemd: Drop redundant musl patches
systemd: Document future actions needed for set of musl patches
systemd: Drop 0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
systemd: Update patch status
Konrad Weihmann (1):
linux-firmware: replace mkdir by install
Kory Maincent (1):
images_types: isolate the write of UBI configuration
Leon Anavi (1):
image_types/runqemu-addptable2image: Fix a minor typo
Markus Volk (2):
mesa.inc: package 00-radv-defaults.conf
libsdl2: add PACKAGECONFIG for libusb1 and remove obsolete options
Marta Rybczynska (3):
cve-update-db-native: update the CVE database once a day only
cve-update-db-native: let the user to drive the update interval
cve-check: Fix report generation
Martin Jansa (1):
bitbake: osc: fix DeprecationWarning
Michael Halstead (5):
releases: update to include 3.1.16
scripts/autobuilder-worker-prereq-tests: update to use yocto 4.0
scripts/autobuilder-worker-prereq-tests: add additional limit testing
releases: update to include 3.4.4
releases: include 4.0.1
Michael Opdenacker (12):
MAINTAINERS.md: no more need for a prelink-cross maintainer
dev-manual: further gdb usage simplifications
doc/Makefile: fix epub and latexpdf targets
manuals: fix name capitalization issues
doc: standards for project and file names
manuals: improve the width of diagrams
manuals: improve documentation for TEMPLATECONF
overview-manual: remove confusing and unnecessary paragraph about site.conf
manuals: add quoting to references to bitbake.conf
manuals: add missing space in appends
manuals: add documentation for WKS_FILES
migration guides: release notes for 3.4.3 and 3.4.4
Mingli Yu (1):
python3-cryptography: remove --benchmark-disable option
Peter Kjellerstedt (4):
base-passwd: Regenerate the patches
base-passwd: Update to 3.5.52
base-passwd: Update the status for two patches
librsvg: Drop the dependency on libcroco
Quentin Schulz (2):
docs: set_versions.py: remove hardknott from active releases list
docs: set_versions.py: show release name in switchers.js
Raphael Teller (1):
kernel.bbclass: Do not overwrite recipe's custom postinst
Richard Purdie (25):
bitbake: cookerdata: Change emphasis in error message to be clearer to users
cairo: Add missing GPLv3 license checksum entry
libgcrypt: Drop GPLv3 license after upstream changes
base: Avoid circular references to our own scripts
scripts: Make git intercept global
scripts/git: Ensure we don't have circular references
abi_version/sstate: Bump hashequiv and sstate versions due to git changes
vim: Upgrade 8.2.4681 -> 8.2.4912
package: Ensure we track whether PRSERV was active or not
libgcrypt: Fix reproducibility issues in ptest
liberror-perl: Update sstate/equiv versions to clean cache
freetype: Upgrade 2.12.0 -> 2.12.1
bitbake: fetch/git : Use cat as pager
pciutils: Add make-native dependency
sanity: Don't warn about make 4.2.1 for mint
bitbake: build: Add clean_stamp API function to allow removal of task stamps
staging: Fix rare sysroot corruption issue
selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES
udev-extraconf/initrdscripts/parted: Rename mount.blacklist -> mount.ignorelist
layer.conf: Don't use indirect help2man-native dependencies
rust-common: Fix sstate signatures between arm hf and non-hf
rust-common: Drop LLVM_TARGET and simplify
rust-common: Fix native signature dependency issues
scripts/patchreview: Add commit to stored json data
scripts/patchreview: Make json output human parsable
Robert Joslyn (1):
powerpc: Remove invalid GLIBC_EXTRA_OECONF
Roland Hieber (1):
bitbake: cache: correctly handle file names containing colons
Ross Burton (4):
oeqa/selftest: add test for git working correctly inside pseudo
Revert "bitbake.conf: mark all directories as safe for git to read"
kernel-yocto.bbclass: say what SRC_URI entry is being dropped
oeqa/selftest/cve_check: add tests for recipe and image reports
Rouven Czerwinski (1):
kbd: fix pam DISTRO_FEATURES check
Samuli Piippo (1):
binutils: Bump to latest 2.38 release branch
Schmidt, Adriaan (1):
bitbake: bitbake-diffsigs: break on first dependent task difference
Simone Weiss (1):
libgcrypt: Add ptest
Steve Sakoman (2):
virgl: skip headless test on alma 8.6
python3: fix reproducibility issue with python3-core
Sundeep KOKKONDA (3):
dev-manual: improvements for gdbserver configuration
rust-common: Ensure sstate signatures have correct dependencues for do_rust_gen_targets
rust-common: Fix for target definitions returning 'NoneType' for arm
Thomas Epperson (1):
dev-manual: fix documentation for bmaptool usage
Thomas Perrot (1):
man-pages: add an alternative link name for crypt_r.3
Tomasz Dziendzielski (1):
bitbake: data: Do not depend on vardepvalueexclude flag
Trevor Woerner (1):
DISTRO_FEATURES: remove uclibc remnants
Zoltán Böszörményi (2):
npm.bbclass: Fix file permissions before opening it for writing
npm.bbclass: Don't create /usr/lib/node symlink
leimaohui (1):
cve-check.bbclass: Added do_populate_sdk[recrdeptask].
wangmy (1):
librepo: upgrade 1.14.2 -> 1.14.3
meta-raspberrypi: c97a9e34ab..62a84833d9:
Andrei Gherzan (1):
Revert "kmod: Enable xz compression"
Khem Raj (3):
rpi-config: Add option to enable One-wire interface
linux-firmware-rpidistro: Create brcmfmac43455-sdio.raspberrypi,4-model-b.bin symlink
linux-raspberrypi: Upgrade to 5.15.38
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: If15534d7da5bfa78ef2224bb09ff1a8eb96a0e10
Diffstat (limited to 'meta-security')
61 files changed, 364 insertions, 235 deletions
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass index 93f667d6cd..dd447e661f 100644 --- a/meta-security/classes/dm-verity-img.bbclass +++ b/meta-security/classes/dm-verity-img.bbclass @@ -63,7 +63,7 @@ verity_setup() { veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity } -VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity" +VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity erofs.verity erofs-lz4.verity erofs-lz4hc.verity" IMAGE_TYPES += "${VERITY_TYPES}" CONVERSIONTYPES += "verity" CONVERSION_CMD:verity = "verity_setup ${type}" @@ -90,6 +90,6 @@ python __anonymous() { # If we're using wic: we'll have to use partition images and not the rootfs # source plugin so add the appropriate dependency. if 'wic' in image_fstypes: - dep = ' %s:do_image_%s' % (pn, verity_type) + dep = ' %s:do_image_%s' % (pn, verity_type.replace("-", "_")) d.appendVarFlag('do_image_wic', 'depends', dep) } diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 21f03d1ef2..7d57f9c850 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -11,7 +11,14 @@ BBFILE_PRIORITY_security = "8" LAYERSERIES_COMPAT_security = "kirkstone" -LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" +LAYERDEPENDS_security = "core openembedded-layer" + +BBFILES_DYNAMIC += " \ + perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bb \ + perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \ + meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \ + meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \ +" # Sanity check for meta-security layer. # Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check. diff --git a/meta-security/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend b/meta-security/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend new file mode 100644 index 0000000000..475a24d2d4 --- /dev/null +++ b/meta-security/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend @@ -0,0 +1,18 @@ + + +PACKAGES += "\ + packagegroup-security-hardening \ + " +RDEPENDS:packagegroup-core-security += "\ + packagegroup-security-hardening \ + " + +SUMMARY:packagegroup-security-hardening = "Security Hardening tools" +RDEPENDS:packagegroup-security-hardening = " \ + bastille \ + " + +RDEPENDS:packagegroup-security-scanners += "\ + nikto \ + checksecurity \ + " diff --git a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.15.bb index e053a150b8..e053a150b8 100644 --- a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb +++ b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.15.bb diff --git a/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch index f1fe8edce7..f1fe8edce7 100644 --- a/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch diff --git a/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/setuid-log-folder.patch index 540ea9c319..540ea9c319 100644 --- a/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/setuid-log-folder.patch diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb index e7852d9f58..e7852d9f58 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb diff --git a/meta-security/recipes-security/bastille/files/API.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm index 5060f52a4e..5060f52a4e 100644 --- a/meta-security/recipes-security/bastille/files/API.pm +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm diff --git a/meta-security/recipes-security/bastille/files/AccountPermission.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm index 132b30ccbd..132b30ccbd 100644 --- a/meta-security/recipes-security/bastille/files/AccountPermission.pm +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm diff --git a/meta-security/recipes-security/bastille/files/FileContent.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm index 1ef89dd761..1ef89dd761 100644 --- a/meta-security/recipes-security/bastille/files/FileContent.pm +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm diff --git a/meta-security/recipes-security/bastille/files/HPSpecific.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm index 7e7d709fbc..7e7d709fbc 100644 --- a/meta-security/recipes-security/bastille/files/HPSpecific.pm +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm diff --git a/meta-security/recipes-security/bastille/files/Miscellaneous.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm index b3bdf10cde..b3bdf10cde 100644 --- a/meta-security/recipes-security/bastille/files/Miscellaneous.pm +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm diff --git a/meta-security/recipes-security/bastille/files/ServiceAdmin.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm index 879223a53b..879223a53b 100644 --- a/meta-security/recipes-security/bastille/files/ServiceAdmin.pm +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm diff --git a/meta-security/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch index 4a438e49fb..4a438e49fb 100644 --- a/meta-security/recipes-security/bastille/files/accept_os_flag_in_backend.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch diff --git a/meta-security/recipes-security/bastille/files/allow_os_with_assess.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch index e112f907b5..e112f907b5 100644 --- a/meta-security/recipes-security/bastille/files/allow_os_with_assess.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch diff --git a/meta-security/recipes-security/bastille/files/call_output_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch index 1e898b1486..1e898b1486 100644 --- a/meta-security/recipes-security/bastille/files/call_output_config.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch diff --git a/meta-security/recipes-security/bastille/files/config b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/config index 9e5e206584..9e5e206584 100755 --- a/meta-security/recipes-security/bastille/files/config +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/config diff --git a/meta-security/recipes-security/bastille/files/do_not_apply_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch index 574aa98033..574aa98033 100644 --- a/meta-security/recipes-security/bastille/files/do_not_apply_config.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch diff --git a/meta-security/recipes-security/bastille/files/edit_usage_message.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch index 72cdc2ff9d..72cdc2ff9d 100644 --- a/meta-security/recipes-security/bastille/files/edit_usage_message.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch diff --git a/meta-security/recipes-security/bastille/files/find_existing_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch index c0758752b7..c0758752b7 100644 --- a/meta-security/recipes-security/bastille/files/find_existing_config.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch diff --git a/meta-security/recipes-security/bastille/files/fix_missing_use_directives.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch index 05f145a3e7..05f145a3e7 100644 --- a/meta-security/recipes-security/bastille/files/fix_missing_use_directives.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch diff --git a/meta-security/recipes-security/bastille/files/fix_number_of_modules.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch index 743e54920a..743e54920a 100644 --- a/meta-security/recipes-security/bastille/files/fix_number_of_modules.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch diff --git a/meta-security/recipes-security/bastille/files/fix_version_parse.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch index 5923c04080..5923c04080 100644 --- a/meta-security/recipes-security/bastille/files/fix_version_parse.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch diff --git a/meta-security/recipes-security/bastille/files/fixed_defined_warnings.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch index e7996e3800..e7996e3800 100644 --- a/meta-security/recipes-security/bastille/files/fixed_defined_warnings.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch diff --git a/meta-security/recipes-security/bastille/files/organize_distro_discovery.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch index d64d1e26e4..d64d1e26e4 100644 --- a/meta-security/recipes-security/bastille/files/organize_distro_discovery.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch diff --git a/meta-security/recipes-security/bastille/files/remove_questions_text_file_references.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch index bd094ee253..bd094ee253 100644 --- a/meta-security/recipes-security/bastille/files/remove_questions_text_file_references.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch diff --git a/meta-security/recipes-security/bastille/files/set_required_questions.py b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py index f306109d78..f306109d78 100755 --- a/meta-security/recipes-security/bastille/files/set_required_questions.py +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py diff --git a/meta-security/recipes-security/bastille/files/simplify_B_place.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch index 307fdcab0f..307fdcab0f 100644 --- a/meta-security/recipes-security/bastille/files/simplify_B_place.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch diff --git a/meta-security/recipes-security/bastille/files/upgrade_options_processing.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch index 4093867e9f..4093867e9f 100644 --- a/meta-security/recipes-security/bastille/files/upgrade_options_processing.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch diff --git a/meta-security/recipes-security/nikto/files/location.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch index edaa20475d..edaa20475d 100644 --- a/meta-security/recipes-security/nikto/files/location.patch +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb index 8c21b3072e..8c21b3072e 100644 --- a/meta-security/recipes-security/nikto/nikto_2.1.6.bb +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb diff --git a/meta-security/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend b/meta-security/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend new file mode 100644 index 0000000000..828931d6cb --- /dev/null +++ b/meta-security/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend @@ -0,0 +1,10 @@ + + +RDEPENDS:packagegroup-security-utils += "\ + python3-privacyidea \ + python3-fail2ban \ + " + +RDEPENDS:packagegroup-meta-security-ptest-packages += "\ + python3-fail2ban-ptest \ + " diff --git a/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch index 7f0812c4e0..7f0812c4e0 100644 --- a/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch +++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch diff --git a/meta-security/recipes-security/fail2ban/files/initd b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/initd index 586b3dac36..586b3dac36 100644 --- a/meta-security/recipes-security/fail2ban/files/initd +++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/initd diff --git a/meta-security/recipes-security/fail2ban/files/run-ptest b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest index 64d07d587e..64d07d587e 100644 --- a/meta-security/recipes-security/fail2ban/files/run-ptest +++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb index 96e17b77f5..96e17b77f5 100644 --- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb diff --git a/meta-security/recipes-security/mfa/python3-privacyidea_3.6.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb index 40f6d154bb..40f6d154bb 100644 --- a/meta-security/recipes-security/mfa/python3-privacyidea_3.6.2.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb diff --git a/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb index 3a074614a5..3a074614a5 100644 --- a/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch deleted file mode 100644 index 35c3162701..0000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Fri, 30 Sep 2016 10:22:16 +0200 -Subject: [PATCH] command line: apply operation to all paths - -Previously, invocations like "evmctl ima_hash foo bar" silently -ignored all parameters after the first path name ("foo" in this -example). - -Now evmctl iterates over all specified paths. It aborts with an -error as soon as the selected operation fails for a path. - -Supporting more than one parameter is useful in combination with -"find" and "xargs" because it is noticably faster than invoking -evmutil separately for each file, in particular when run under pseudo -(a fakeroot environment used by the OpenEmbedded build system). - -This complements the recursive mode and can be used when more control -over file selection is needed. - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> ---- - src/evmctl.c | 21 ++++++++++++--------- - 1 file changed, 12 insertions(+), 9 deletions(-) - -diff --git a/src/evmctl.c b/src/evmctl.c -index 23cf54c..2072034 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type) - static int do_cmd(struct command *cmd, find_cb_t func) - { - char *path = g_argv[optind++]; -- int err, dts = REG_MASK; /* only regular files by default */ -+ int err = 0, dts = REG_MASK; /* only regular files by default */ - - if (!path) { - log_err("Parameters missing\n"); -@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func) - return -1; - } - -- if (recursive) { -- if (search_type) { -- dts = get_file_type(path, search_type); -- if (dts < 0) -- return dts; -+ while (path && !err) { -+ if (recursive) { -+ if (search_type) { -+ dts = get_file_type(path, search_type); -+ if (dts < 0) -+ return dts; -+ } -+ err = find(path, dts, func); -+ } else { -+ err = func(path); - } -- err = find(path, dts, func); -- } else { -- err = func(path); -+ path = g_argv[optind++]; - } - - return err; --- -2.1.4 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch deleted file mode 100644 index 75076f52f0..0000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Wed, 13 May 2015 03:41:02 -0700 -Subject: [PATCH] Makefile.am: disable man page creation - -Depends on asciidoc, which is not available. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> ---- - Makefile.am | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/Makefile.am b/Makefile.am -index 06ebf59..4ddd52c 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1,5 +1,5 @@ - SUBDIRS = src --dist_man_MANS = evmctl.1 -+# dist_man_MANS = evmctl.1 - - doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh - EXTRA_DIST = autogen.sh $(doc_DATA) -@@ -39,4 +39,21 @@ rmman: - - doc: evmctl.1.html rmman evmctl.1 - -+# requires asciidoc, xslproc, docbook-xsl -+# FIXME Disabled until docbook-xsl is unavaliable on tizen.org -+#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl -+# -+#evmctl.1.html: README -+# @asciidoc -o $@ $< -+# -+#evmctl.1: -+# asciidoc -d manpage -b docbook -o evmctl.1.xsl README -+# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl -+# rm -f evmctl.1.xsl -+# -+#rmman: -+# rm -f evmctl.1 -+# -+#doc: evmctl.1.html rmman evmctl.1 -+ - .PHONY: $(tarname) --- -1.8.4.5 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch deleted file mode 100644 index ffa65dfb00..0000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Wed, 17 Jun 2015 14:28:18 +0200 -Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines - -Compilation on older Linux distros (like Ubuntu 12.04) fails -because linux/xattr.h does not yet have the IMA defines. Compiling -there makes sense when only the tools are needed, for example when -signing an image in cross-compile mode. - -To support this, add fallbacks for the two defines which are needed. -Their value is part of the Linux ABI and thus fixed. - -Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net] - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> - ---- - src/evmctl.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/src/evmctl.c b/src/evmctl.c -index c54efbb..23cf54c 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -57,6 +57,18 @@ - #include <termios.h> - #include <assert.h> - -+/* -+ * linux/xattr.h might be old to have this. Allow compilation on older -+ * Linux distros (like Ubuntu 12.04) by falling back to our own -+ * definition. -+ */ -+#ifndef XATTR_IMA_SUFFIX -+# define XATTR_IMA_SUFFIX "ima" -+#endif -+#ifndef XATTR_NAME_IMA -+# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX -+#endif -+ - #include <openssl/sha.h> - #include <openssl/pem.h> - #include <openssl/hmac.h> --- -2.1.4 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb index fc7a2d61ab..4f1d1a31b1 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb @@ -6,22 +6,8 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -PV = "1.2.1+git${SRCPV}" -SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" -SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y" - -# Documentation depends on asciidoc, which we do not have, so -# do not build documentation. -SRC_URI += "file://disable-doc-creation.patch" - -# Workaround for upstream incompatibility with older Linux distros. -# Relevant for us when compiling ima-evm-utils-native. -SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" - -# Required for xargs with more than one path as argument (better for performance). -SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" - -S = "${WORKDIR}/git" +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" inherit pkgconfig autotools features_check diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md index 97026ea602..f720cd24a7 100644 --- a/meta-security/meta-parsec/README.md +++ b/meta-security/meta-parsec/README.md @@ -88,6 +88,71 @@ https://github.com/meta-rust/cargo-bitbake 2. Run cargo-bitbake inside the repository. It will produce a BB file. 3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file. +Automated Parsec testing with runqemu +===================================== + + The Yocto build system has the ability to run a series of automated tests for qemu images. +All the tests are actually commands run on the target system over ssh. + + Meta-parsec includes automated unittests which run end to end Parsec tests. +The tests are run against: +- all providers pre-configured in the Parsec config file included in the image. +- PKCS11 and TPM providers with software backends if softhsm and + swtpm packages included in the image. + +Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec, +softhsm and swtpm included. + + Please notice that the account you use to run bitbake should have access to `/dev/kvm`. +You might need to change permissions or add the account into `kvm` unix group. + +1. Testing Parsec with your own image where `parsec-service` and `parsec-tool` are already included. + +- Add into your `local.conf`: +``` +INHERIT += "testimage" +TEST_SUITES = "ping ssh parsec" +``` +- Build your image +```bash +bitbake <your-image> +``` +- Run tests +```bash +bitbake <your-image> -c testimage +``` + +2. Testing Parsec with pre-defined `security-parsec-image` image. + +- Add into your `local.conf`: +``` +DISTRO_FEATURES += " tpm2" +INHERIT += "testimage" +TEST_SUITES = "ping ssh parsec" +``` +- Build security-parsec-image image +```bash +bitbake security-parsec-image +``` +- Run tests +```bash +bitbake security-parsec-image -c testimage +``` + +Output of a successfull tests run should look similar to: +``` +RESULTS: +RESULTS - ping.PingTest.test_ping: PASSED (0.05s) +RESULTS - ssh.SSHTest.test_ssh: PASSED (0.25s) +RESULTS - parsec.ParsecTest.test_all_providers: PASSED (1.84s) +RESULTS - parsec.ParsecTest.test_pkcs11_provider: PASSED (2.91s) +RESULTS - parsec.ParsecTest.test_tpm_provider: PASSED (3.33s) +SUMMARY: +security-parsec-image () - Ran 5 tests in 8.386s +security-parsec-image - OK - All required tests passed (successes=5, skipped=0, failures=0, errors=0) +``` + + Manual testing with runqemu =========================== diff --git a/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py new file mode 100644 index 0000000000..d3d3f2e0ce --- /dev/null +++ b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py @@ -0,0 +1,138 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> +# Copyright (C) 2022 Anton Antonov <Anton.Antonov@arm.com> +# +import re +from tempfile import mkstemp + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +class ParsecTest(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.toml_file = '/etc/parsec/config.toml' + + def setUp(self): + super(ParsecTest, self).setUp() + if 'systemd' in self.tc.td['DISTRO_FEATURES']: + self.parsec_status='systemctl status -l parsec' + self.parsec_reload='systemctl restart parsec' + else: + self.parsec_status='pgrep -l parsec' + self.parsec_reload='/etc/init.d/parsec reload' + + def copy_subconfig(self, cfg, provider): + """ Copy a provider configuration to target and append it to Parsec config """ + + tmp_fd, tmp_path = mkstemp() + with os.fdopen(tmp_fd, 'w') as f: + f.write('\n'.join(cfg)) + + (status, output) = self.target.copyTo(tmp_path, "%s-%s" % (self.toml_file, provider)) + self.assertEqual(status, 0, msg='File could not be copied.\n%s' % output) + status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file)) + os.remove(tmp_path) + + def check_parsec_providers(self, provider=None, prov_id=None): + """ Get Parsec providers list and check for one if defined """ + + status, output = self.target.run(self.parsec_status) + self.assertEqual(status, 0, msg='Parsec service is not running.\n%s' % output) + + status, output = self.target.run('parsec-tool list-providers') + self.assertEqual(status, 0, msg='Cannot get a list of Parsec providers.\n%s' % output) + if provider and prov_id: + self.assertIn("ID: 0x0%d (%s provider)" % (prov_id, provider), + output, msg='%s provider is not configured.' % provider) + + def run_cli_tests(self, prov_id=None): + """ Run Parsec CLI end-to-end tests against one or all providers """ + + status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else "")) + self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output) + + @OEHasPackage(['parsec-service']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_all_providers(self): + """ Test Parsec service with all pre-defined providers """ + + self.check_parsec_providers() + self.run_cli_tests() + + def configure_tpm_provider(self): + """ Create Parsec TPM provider configuration """ + + cfg = [ + '', + '[[provider]]', + 'name = "tpm-provider"', + 'provider_type = "Tpm"', + 'key_info_manager = "sqlite-manager"', + 'tcti = "swtpm:port=2321"', + 'owner_hierarchy_auth = ""', + ] + self.copy_subconfig(cfg, "TPM") + + cmds = [ + 'mkdir /tmp/myvtpm', + 'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init', + 'tpm2_startup -c -T "swtpm:port=2321"', + self.parsec_reload, + ] + + for cmd in cmds: + status, output = self.target.run(cmd) + self.assertEqual(status, 0, msg='\n'.join([cmd, output])) + + @OEHasPackage(['parsec-service']) + @OEHasPackage(['swtpm']) + @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES') + @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers']) + def test_tpm_provider(self): + """ Configure and test Parsec TPM provider with swtpm as a backend """ + + prov_id = 3 + self.configure_tpm_provider() + self.check_parsec_providers("TPM", prov_id) + self.run_cli_tests(prov_id) + + def configure_pkcs11_provider(self): + """ Create Parsec PKCS11 provider configuration """ + + status, output = self.target.run('softhsm2-util --init-token --free --label "Parsec Service" --pin 123456 --so-pin 123456') + self.assertEqual(status, 0, msg='Failed to init PKCS11 token.\n%s' % output) + + slot = re.search('The token has been initialized and is reassigned to slot (\d*)', output) + if slot is None: + self.fail('Failed to get PKCS11 slot serial number.\n%s' % output) + self.assertNotEqual(slot.group(1), None, msg='Failed to get PKCS11 slot serial number.\n%s' % output) + + cfg = [ + '', + '[[provider]]', + 'name = "pkcs11-provider"', + 'provider_type = "Pkcs11"', + 'key_info_manager = "sqlite-manager"', + 'library_path = "/usr/lib/softhsm/libsofthsm2.so"', + 'slot_number = %s' % slot.group(1), + 'user_pin = "123456"', + 'allow_export = true', + ] + self.copy_subconfig(cfg, "PKCS11") + + status, output = self.target.run('for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done') + status, output = self.target.run(self.parsec_reload) + self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output) + + @OEHasPackage(['parsec-service']) + @OEHasPackage(['softhsm']) + @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers']) + def test_pkcs11_provider(self): + """ Configure and test Parsec PKCS11 provider with softhsm as a backend """ + + prov_id = 2 + self.configure_pkcs11_provider() + self.check_parsec_providers("PKCS #11", prov_id) + self.run_cli_tests(prov_id) diff --git a/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb b/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb new file mode 100644 index 0000000000..7add74b940 --- /dev/null +++ b/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb @@ -0,0 +1,18 @@ +DESCRIPTION = "A small image for testing Parsec service with MbedCrypto, TPM and PKCS11 providers" + +inherit core-image + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-security-tpm2 \ + packagegroup-security-parsec \ + swtpm \ + softhsm \ + os-release" + +export IMAGE_BASENAME = "security-parsec-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb b/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb new file mode 100644 index 0000000000..0af9c3d3ba --- /dev/null +++ b/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb @@ -0,0 +1,16 @@ +DESCRIPTION = "Parsec Security packagegroup for Poky" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit packagegroup + +PACKAGES = "\ + packagegroup-security-parsec \ + " + +SUMMARY:packagegroup-security-parsec = "Security Parsec" +RDEPENDS:packagegroup-security-parsec = "\ + parsec-tool \ + parsec-service \ + " diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf index fe576a27fe..954bfa3b59 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf @@ -1,2 +1,3 @@ #Type Path Mode User Group Age Argument d /run/parsec 755 parsec parsec - - +d /var/lib/parsec 700 parsec parsec - - diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb index d1d6c07ad0..84539f9b25 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb @@ -15,8 +15,8 @@ PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO" have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}" PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}" -PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts" -PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss" +PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts" +PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device" PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings," PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider," PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider," @@ -25,6 +25,13 @@ PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts" PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}" CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" +export BINDGEN_EXTRA_CLANG_ARGS +target = "${@d.getVar('TARGET_SYS',True).replace('-', ' ')}" +BINDGEN_EXTRA_CLANG_ARGS = "${@bb.utils.contains('target', 'arm', \ + '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include -mfloat-abi=hard', \ + '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include', \ + d)}" + inherit systemd SYSTEMD_SERVICE:${PN} = "parsec.service" @@ -35,7 +42,7 @@ INITSCRIPT_NAME = "parsec" # The file should also be included into SRC_URI then PARSEC_CONFIG ?= "${S}/config.toml" -do_install:append () { +do_install () { # Binaries install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec" install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec @@ -44,9 +51,6 @@ do_install:append () { install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec" install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml - # Data dir - install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${systemd_unitdir}/system install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system @@ -58,6 +62,8 @@ do_install:append () { if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/init.d install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec + # Data dir + install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" fi } @@ -65,12 +71,12 @@ inherit useradd USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec" GROUPADD_PARAM:${PN} = "-r parsec" +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}" FILES:${PN} += " \ ${sysconfdir}/parsec/config.toml \ ${libexecdir}/parsec/parsec \ ${systemd_unitdir}/system/parsec.service \ - ${localstatedir}/lib/parsec \ ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \ ${sysconfdir}/init.d/parsec \ " diff --git a/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass index 2f8b52d1b4..1ab03c8a8f 100644 --- a/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass +++ b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass @@ -2,7 +2,9 @@ addhandler tpm_machinecheck tpm_machinecheck[eventmask] = "bb.event.SanityCheck" python tpm_machinecheck() { skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1" - if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and \ + 'tpm2' not in e.data.getVar('DISTRO_FEATURES').split() and \ + not skip_check: bb.warn("You have included the meta-tpm layer, but \ 'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ and preferred version setting may not take effect. See the meta-tpm README \ diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index c6f9d92245..c2c95e7159 100644 --- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py @@ -16,28 +16,45 @@ class Tpm2Test(OERuntimeTestCase): if expected_endlines: self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines)) - @OEHasPackage(['tpm2-tss']) - @OEHasPackage(['tpm2-abrmd']) @OEHasPackage(['tpm2-tools']) - @OEHasPackage(['ibmswtpm2']) + @OEHasPackage(['tpm2-abrmd']) + @OEHasPackage(['swtpm']) @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_tpm2_sim(self): + def test_tpm2_swtpm_socket(self): cmds = [ - 'tpm_server &', - 'tpm2-abrmd --allow-root --tcti=mssim &' + 'mkdir /tmp/myvtpm', + 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &', + 'export TPM2TOOLS_TCTI="swtpm:port=2321"', + 'tpm2_startup -c' ] for cmd in cmds: status, output = self.target.run(cmd) self.assertEqual(status, 0, msg='\n'.join([cmd, output])) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim']) - def test_tpm2(self): - (status, output) = self.target.run('tpm2_pcrlist') + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + def test_tpm2_pcrread(self): + (status, output) = self.target.run('tpm2_pcrread') expected_endlines = [] - expected_endlines.append('sha1 :') - expected_endlines.append(' 0 : 0000000000000000000000000000000000000003') - expected_endlines.append(' 1 : 0000000000000000000000000000000000000000') + expected_endlines.append(' sha1:') + expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000') + expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000') + expected_endlines.append(' sha256:') + expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000000000000000000000000000') + expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000000000000000000000000000') + self.check_endlines(output, expected_endlines) + + @OEHasPackage(['p11-kit']) + @OEHasPackage(['tpm2-pkcs11']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + def test_tpm2_pkcs11(self): + (status, output) = self.target.run('p11-kit list-modules -v') + self.assertEqual(status, 0, msg="Modules missing: %s" % output) + + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pkcs11']) + def test_tpm2_swtpm_reset(self): + (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322') + self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output) diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb index a9174e6717..e8812d06d0 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb @@ -27,8 +27,13 @@ do_compile:append() { do_install:append() { install -d ${D}${libdir}/pkcs11 install -d ${D}${datadir}/p11-kit + + # remove symlinks rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so + #install lib + install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so + cd ${S}/tools export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}" ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build @@ -48,5 +53,5 @@ FILES:${PN} += "\ ${datadir}/p11-kit/* \ " -RDEPENDS:${PN} = "tpm2-tools" -RDEPENDS:${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" +RDEPENDS:${PN} = "p11-kit tpm2-tools " +RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb index f924038bdb..c20af7ef0a 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb @@ -16,3 +16,6 @@ do_configure:prepend() { # do not extract the version number from git sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac } + +# need tss-esys +RDEPENDS:${PN} = "libtss2 tpm2-abrmd" diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index fefc66d9a1..901005440b 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -10,7 +10,6 @@ PACKAGES = "\ packagegroup-security-utils \ packagegroup-security-scanners \ packagegroup-security-audit \ - packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ @@ -20,7 +19,6 @@ RDEPENDS:packagegroup-core-security = "\ packagegroup-security-utils \ packagegroup-security-scanners \ packagegroup-security-audit \ - packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ @@ -35,8 +33,6 @@ RDEPENDS:packagegroup-security-utils = "\ keyutils \ nmap \ pinentry \ - python3-privacyidea \ - python3-fail2ban \ softhsm \ sshguard \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ @@ -47,8 +43,6 @@ RDEPENDS:packagegroup-security-utils = "\ SUMMARY:packagegroup-security-scanners = "Security scanners" RDEPENDS:packagegroup-security-scanners = "\ isic \ - nikto \ - checksecurity \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \ " RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam" @@ -59,15 +53,10 @@ RDEPENDS:packagegroup-security-audit = " \ redhat-security \ " -SUMMARY:packagegroup-security-hardening = "Security Hardening tools" -RDEPENDS:packagegroup-security-hardening = " \ - bastille \ - " - SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS:packagegroup-security-ids = " \ samhain-standalone \ - ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata","", d)} \ + suricata \ ossec-hids \ aide \ " @@ -92,7 +81,6 @@ RDEPENDS:packagegroup-meta-security-ptest-packages = "\ ptest-runner \ samhain-standalone-ptest \ ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata-ptest","", d)} \ - python3-fail2ban-ptest \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ " diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.4.bb index b1fb58db3e..6bc2bfef84 100644 --- a/meta-security/recipes-ids/aide/aide_0.17.3.bb +++ b/meta-security/recipes-ids/aide/aide_0.17.4.bb @@ -8,7 +8,7 @@ DEPENDS = "bison-native libpcre" SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \ file://aide.conf" -SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8" +SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846" inherit autotools pkgconfig @@ -20,7 +20,7 @@ PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, libseli PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib " PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr" PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl" -PACKAGECONFIG[audit] = "--with-audit, --without-audit," +PACKAGECONFIG[audit] = "--with-audit, --without-audit,audit" PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt" PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash" PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs" diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb index b0759b10ef..c211f03212 100644 --- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb @@ -9,7 +9,7 @@ SRC_URI = "git://github.com/ossec/ossec-hids;branch=master;protocol=https \ file://0002-Makefile-don-t-set-uid-gid.patch \ " -SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2" +SRCREV = "1ecffb1b884607cb12e619f9ab3c04f530801083" UPSTREAM_CHECK_COMMITS = "1" diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc index df9e215b8c..eb8592d34b 100644 --- a/meta-security/recipes-ids/samhain/samhain.inc +++ b/meta-security/recipes-ids/samhain/samhain.inc @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b" -PV = "4.4.7" +PV = "4.4.9" SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://${INITSCRIPT_NAME}.init \ @@ -21,7 +21,7 @@ SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://samhain-fix-initializer-element-is-not-constant.patch \ " -SRC_URI[sha256sum] = "0aa978accb635000c2d9170f307bff8a95836f8ec01615a53dbd9c2af9564d44" +SRC_URI[sha256sum] = "dd85bf2f90db3ce616a09608e650f3707a4d69aa1e1fe718f8b359ce0aafc198" UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar" diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.39.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.40.bb index 80c9014153..08e285e3ef 100644 --- a/meta-security/recipes-ids/suricata/libhtp_0.5.39.bb +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.40.bb @@ -5,7 +5,7 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" -SRCREV = "6b70803c45894da7a591b2305498335e6df4f9a3" +SRCREV = "1733478f7fd09e936fea2e024f1d228d40741df2" DEPENDS = "zlib" diff --git a/meta-security/recipes-ids/suricata/suricata_6.0.4.bb b/meta-security/recipes-ids/suricata/suricata_6.0.5.bb index 31244f3f93..913e64e0bb 100644 --- a/meta-security/recipes-ids/suricata/suricata_6.0.4.bb +++ b/meta-security/recipes-ids/suricata/suricata_6.0.5.bb @@ -5,7 +5,7 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz" -SRC_URI[sha256sum] = "a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d" +SRC_URI[sha256sum] = "0d4197047c84ba070dfc6b1d9f9ee92f52a71403bfac0e29b2554bb21fe00754" DEPENDS = "lz4 libhtp" @@ -121,7 +121,8 @@ CARGO_SRC_DIR = "rust" B = "${S}" -PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr " +# nfnetlink has a dependancy to meta-networking +PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nss nspr " PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," diff --git a/meta-security/recipes-perl/perl/lib-perl_0.63.bb b/meta-security/recipes-perl/perl/lib-perl_0.63.bb index 4c964d5c1b..25d0890d48 100644 --- a/meta-security/recipes-perl/perl/lib-perl_0.63.bb +++ b/meta-security/recipes-perl/perl/lib-perl_0.63.bb @@ -26,3 +26,10 @@ do_compile() { export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')" cpan_do_compile } + +do_install:append() { + # Man pages here conflict wtih the main perl documentation + for page in ${D}${mandir}/man*/*; do + mv $page $(dirname $page)/${BPN}-$(basename $page) + done +} diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb index c152b8c5c5..c8d31cf70d 100644 --- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb +++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb @@ -3,7 +3,7 @@ LICENSE = "BSD-4-Clause" HOME_PAGE = "http://ee.lbl.gov/" LIC_FILES_CHKSUM = "file://configure;md5=74ca964ed34fda7b46c6fe3e50bded9d" -DEPENDS += "libpcap postfix" +DEPENDS += "libpcap" SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \ file://arpwatch.conf \ @@ -21,7 +21,11 @@ ARPWATCH_GID ?= "arpwatch" APRWATCH_FROM ?= "root " ARPWATH_REPLY ?= "${ARPWATCH_UID}" -EXTRA_OECONF = " --srcdir=${S} --with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}" +PACKAGECONFIG ??= "" + +PACKACONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg" + +EXTRA_OECONF:append = " --srcdir=${S}" CONFIGUREOPTS = " --build=${BUILD_SYS} \ --host=${HOST_SYS} \ @@ -76,4 +80,4 @@ CONFFILE_FILES = "${sysconfdir}/${PN}.conf" FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \ ${sysconfdir} /var/lib/arpwatch" -RDEPENDS:${PN} = "libpcap postfix postfix-cfg" +RDEPENDS:${PN} = "libpcap" diff --git a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb index 663d8e25d6..8147fe6e86 100644 --- a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb +++ b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb @@ -8,19 +8,19 @@ SECTION = "base" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -BBCLASSEXTEND = "native nativesdk" - # fscrypt depends on go and libpam DEPENDS += "go-native libpam" SRCREV = "92b1e9a8670ccd3916a7d24a06cab1e4c9815bc4" SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https" + GO_IMPORT = "import" -S = "${WORKDIR}/git" +inherit go goarch features_check -inherit go -inherit goarch +REQUIRED_DISTRO_FEATURES = "pam" + +S = "${WORKDIR}/git" do_compile() { export GOARCH=${TARGET_GOARCH} @@ -47,3 +47,5 @@ do_install() { install -d ${D}/${bindir} install ${S}/src/${GO_IMPORT}/bin/fscrypt ${D}/${bindir}/fscrypt } + +BBCLASSEXTEND = "native nativesdk" |