|
We also need to move the conf-notes.txt files.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ic44e015c0216b526de4fec277ad42f162bca1f33
|
|
The latest poky commit is requiring us to have all of
our template configs in a subdirectory instead of directly in
the `conf` directory. Without this we end up with errors during
setup like:
```
Error: TEMPLATECONF value (which is .../openbmc/meta-facebook/meta-bletchley/conf) must point to meta-some-layer/conf/templates/template-name
```
Fix this by moving all of our template files into the 'default'
template subdirectory (following the pattern of poky) and modifying
`setup` as necessary to follow.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Iecefde73d55acbb6bc63ae3d68c4311adaf327ae
|
|
Some systems wish to override the distro name. Allow this by not
forcefully setting the variable in phosphor-base.
Change-Id: Ie6fc72e92d7bd215dfa6a2835a8022ae8daf51b2
Signed-off-by: Joel Stanley <joel@jms.id.au>
|
|
The only recipes which use content from meta-perl are openpower
machines:
```
meta-openpower/recipes-bsp/pdata/pdata_git.bb: libxml-libxml-perl-native \
meta-yadro/meta-nicole/recipes-phosphor/logging/openpower-esel-parser_git.bb: libxml-libxml-perl-native \
```
Remove meta-perl from the bblayers of every layer except openpower
machines.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I51f1a8fbfbe879295c64d2339fc115dbd8823681
|
|
This was added with cde0f094f for libseccomp, but shortly after that
upstream moved libseccomp from meta-security to core (241c7d2e6). As
such, meta-security is no longer used or required.
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Change-Id: I371e54b11f6336720dfc6edf0ef733d22b7fb4f2
|
|
These layers are all required, so add them to the layer dependencies.
This generates an error earlier in the build process when layers are
missing from the configuration (bblayers.conf).
The dependency list below is informative, but likely not comprehensive:
- meta-python: python3-inflection-native
- meta-networking: net-snmp
- meta-oe: rsyslog, libvncserver, ipmitool, boost-url, libgpiod,
  lmsensors-config, openldap
Change-Id: I1b480224e6ec4b8bd61c8f21d6e569d17363a9a6
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Per [1][2], Yocto is starting to deprecate ABORT and has replaced
the "ABORT" action in BB_DISKMON_DIRS entries with "HALT".
1. https://wiki.yoctoproject.org/wiki/Inclusive_language
2. https://git.yoctoproject.org/poky/commit/?id=4f77505d94a8f6260933f457e9848d1d2fa98ce5
Tested:
Built obmc-phosphor-image successfully and eliminated the following
warnings:
```
WARNING: The BB_DISKMON_DIRS "ABORT" action has been renamed to
"HALT", update configuration
```
Signed-off-by: George Liu <liuxiwei@inspur.com>
Change-Id: If57d0ded9fac41e23b31b01e2a0e309ac7388148
|
|
Ensure the vmlinux is archived as part of the build artifacts for
debugging.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Change-Id: If84c284cfc60f6b8ae5c641ef7ee06255f29d8c1
|
|
* Deprecate N-1 release (hardknott).
* Enable N+1 release (kirkstone).
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I39e027e02dab64b4390b46ffbd9c299c858f403e
|
|
We don't need pkcs11 support on the BMC by default and it ends up
causing a dependency chain that brings in Rust.
This packagegroup can only be pulled in when meta-security/meta-tpm is
used, so hook into BBFILES_DYNAMIC to use it when appropriate.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Iff12f641e57ace313ad64a402091444edba74ea4
|
|
Switch from custom BBFILE_COLLECTION parsing to relying on
BBFILES_DYNAMIC for any new layers. The existing layers (aspeed,
nuvoton) have already been moved to the BBFILES_DYNAMIC mechanism.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ie67b95684349b6419e4608afba660607d0566803
|
|
The proper way to add extensions to another layer is with
BBFILES_DYNAMIC rather than adding to BBFILES based on
BBFILE_COLLECTIONS. Move nuvoton-layer to a dynamic-layers subdirectory
and hook into layer.conf using BBFILES_DYNAMIC.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ic1b1f0ce837a899c5060531735c75c73cf51f1f5
|
|
The proper way to add extensions to another layer is with
BBFILES_DYNAMIC rather than adding to BBFILES based on
BBFILE_COLLECTIONS. Move aspeed-layer to a dynamic-layers subdirectory
and hook into layer.conf using BBFILES_DYNAMIC.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I26e5093d469ce0a57c0b93bcc6b3383dd7bcf264
|
|
www.example.com is having intermittent connection issues, causing a lot
of intermittent openbmc build failures in CI. Upstream is moving to
https://www.yoctoproject.org/ so we should as well.
Upstream: https://lists.openembedded.org/g/openembedded-core/message/161662
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Iae7c2debcfe294e3facca25ad47a6b8434449769
|
|
Our builds with MMC will explicitly depend on this as needed. No other
BMC builds should need this utility normally and it gets included with
all builds.
Change-Id: I4ce0303dfd4646579d70f79be3e6af9b191ca45a
Signed-off-by: William A. Kennington III <wak@google.com>
|
|
A few recipes are specifying 'protocol=git' to the git-fetcher, which is
already the default[1]. For github URLs, upstream Yocto / OE suggest
that 'protocol=https' is used[2]. Switch any URL that has a protocol
specified to be 'https' instead of 'git'.
1. https://docs.yoctoproject.org/bitbake/bitbake-user-manual/bitbake-user-manual-fetching.html#git-fetcher-git
2. https://lists.openembedded.org/g/openembedded-devel/message/94255
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ibf1ab0fa2cb83c8cb9f4e535a0781f41e3b0dafe
|
|
`BBLAYERS_NON_REMOVABLE` is obsolete and no longer required.
As stated in the Yocto documentation, it can be used by `Hob`
https://www.yoctoproject.org/docs/1.5.2/ref-manual/ref-manual.html#var-BBLAYERS_NON_REMOVABLE
which has already been removed since Yocto-2.1
https://www.yoctoproject.org/tools-resources/projects/hob
Change-Id: Ibc2d8268a9d837a81e9cf6b0131dba8d0a030a3f
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
|
|
It was reported that after 5a5f33c729e6b5869362172b63595422eb84a418 the
qemu images are not buildable. Treat qemu systems like an 'evb' so that
the obmc-system-mgmt package is not included. Make a minor change to
how evb is specified so that it is treated as a MACHINEOVERRIDE that can
be leveraged in multiple recipes.
Tested by ensuring that `evb-ast2600` still successfully resolves all
package dependencies (with `bitbake -p`).
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Iff4573aa3d4aac30a6681ed75741a6e351bda982
|
|
The obmc-system-mgmt feature is currently used in the image to trigger
inclusion of a virtual-provider which provides a number of packages many
systems need. Partially revert the removal of this feature so that
the outcome is:
1. The empty obmc-phosphor-sysd package is still removed.
2. By default the 'obmc-system-mgmt' feature is included, unless
specifically exempted.
3. All EVB platforms remove the 'obmc-system-mgmt' feature since
they have no system they are managing.
This partially reverts commit 060ad3ff7fcc30aff78a9e504efee9d8fa0d4526.
Tested:
* Built `bletchley` and confirmed `packagegroup-fb-apps-system` and
`entity-manager` are present.
```
entity-manager armv7ahf-vfpv4d16 0.1+git0+6bf41588ab-r0
packagegroup-fb-apps-system all 1.0-r1
```
* Built `witherspoon` and confirmed `packagegroup-op-apps-system` and
`pdbg` are present.
```
packagegroup-op-apps-system noarch 1.0
pdbg arm1176jzs 3.3
```
* Ran `bitbake -p` on `evb-ast2600` to confirm the undefined
`virtual-obmc-system-mgmt` is not being included in the image.
Change-Id: I8b7804d5101cc84a2c57473b3f85672bf7767c67
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
|
|
Every machine layer treats 'system-management' as either part of a
package-group or removes the feature. The sample implementation in
meta-phosphor is a do-nothing shell script (and up until recently was a
Python script). There appears to be no useful purpose to this feature
as a stand-alone concept, so remove it.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I20ca1fa8ff3cb01cac2d07d4ded84e0769e4514b
|
|
Clean up the final part of this indirect, which is the append of the
variable to the MACHINE_FEATURES one.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2077d7acff5602b7bf333677f5866d979bdaa07c
|
|
The ast2500 shares the RGMII1 pin and the hw strap pins
for SPI interface mode selection ( pin[12:13] ).
In some systems, the RGMII/NCSI interface will use the pin.
This makes the SPI interface mode setting incorrect.
This patch adds a distro feature to enable the SPI master
mode by default.
Signed-off-by: Chanh Nguyen <chanh@os.amperecomputing.com>
Change-Id: I93e5dd5e86870601169974aa1aab4b5480a45ef1
|
|
bitbake offers a choice of DEB, RPM or IPK packaging. To a degree the
choice is functionally arbitrary for image generation but control over
the package format becomes important if we want to:
1. Include runtime package management functionality in the firmware image
2. Mess about with the packages on the build system
With respect to 1, the IPK format and opkg (an ipk package manager) are
designed for embedded systems[1] - by contrast, RPMs have heavier
dependencies and a greater impact on the size and complexity of the
firmware image.
Regarding 2, the embedded nature and the need for opkg to work without
much fuss leads to a lower configuration barrier by comparison to RPMs.
With ipk it becomes possible to reuse the packages built during image
preparation for core analysis without needing to generate an SDK:
```
$ export LD_LIBRARY_PATH=./tmp/work/x86_64-linux/opkg-native/*/recipe-sysroot-native/usr/lib
$ MY_DEBUG_ROOT=tmp/rootfs-debug
$ ./tmp/sysroots-components/x86_64/opkg-native/usr/bin/opkg \
-f ./tmp/work/p10bmc-openbmc-linux-gnueabi/obmc-phosphor-image/*/opkg.conf \
-o $MY_DEBUG_ROOT \
update
$ fakeroot ./tmp/sysroots-components/x86_64/opkg-native/usr/bin/opkg \
-f ./tmp/work/p10bmc-openbmc-linux-gnueabi/obmc-phosphor-image/1.0-r0/opkg.conf \
-o $MY_DEBUG_ROOT \
install dbus-sensors dbus-sensors-dbg
$ gdb-multiarch
(gdb) set solib-absolute-prefix .../tmp/rootfs-debug
(gdb) add-auto-load-safe-path .../tmp/rootfs-debug
(gdb) file tmp/rootfs-debug/usr/bin/nvmesensor
(gdb) core-file obmcdump_17_9597/core.nvmesensor.0.aae91b519d0e4e0e8bbe746e3f6cd25f.2779.9594000000
Core was generated by `/usr/bin/nvmesensor'.
Program terminated with signal SIGABRT, Aborted.
pthread_kill.c:45
45 pthread_kill.c: No such file or directory.
(gdb) bt
pthread_kill.c:45
../sysdeps/posix/raise.c:26
/home/andrew/src/openbmc/openbmc/build/p10bmc/tmp/rootfs-debug/usr/lib/libstdc++.so.6
/home/andrew/src/openbmc/openbmc/build/p10bmc/tmp/rootfs-debug/usr/lib/libstdc++.so.6
/home/andrew/src/openbmc/openbmc/build/p10bmc/tmp/rootfs-debug/usr/lib/libstdc++.so.6
/home/andrew/src/openbmc/openbmc/build/p10bmc/tmp/rootfs-debug/usr/lib/libstdc++.so.6
"xyz.openbmc_project.NVMeSensor", this=0x488f04) at
/usr/include/sdbusplus/bus.hpp:234
../../../../../../workspace/sources/dbus-sensors/src/NVMeSensorMain.cpp:159
(gdb)
```
This approach is documented in the Poky Reference Manual:
https://www.yoctoproject.org/docs/1.0/poky-ref-manual/poky-ref-manual.html#platdev-gdb-remotedebug-launch-gdb-inferiorbins
Switch all machines to IPK to align the debugging experience with
upstream's documentation and to facilitate efficient use of packaged
software at runtime.
[1] https://openwrt.org/docs/guide-user/additional-software/opkg
Change-Id: I8ef526add2d7a6790de1b3eb3fb85cd39b864f23
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
|
|
Commit aff0243 added seccomp to the systemd PACKAGECONFIG. The
libseccomp recipe requires seccomp be a DISTRO_FEATURE.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Iee1d5e9b2efe8284454c0b5125d9de7b43c1bdb0
|
|
The meta-security layer requires the DISTRO_FEATURE 'security' set
otherwise it gives a warning:
```
WARNING: You have included the meta-security layer, but 'security'
has not been enabled in your DISTRO_FEATURES. Some bbappend files
and preferred version setting may not take effect. See the
meta-security README for details on enabling security support.
```
This DISTRO_FEATURE doesn't really seem to do anything except enable
an additional include file in the linux-yocto recipe (which itself
then checks other features). It seems entirely safe for us to enable
this feature everywhere to avoid the warning.
```
$ git grep -A4 "DISTRO_FEATURES" | grep "'security'"
meta-security/README:to have 'security' in DISTRO_FEATURES to have effect.
meta-security/README: 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
meta-security/classes/sanity-meta-security.bbclass: if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
meta-security/classes/sanity-meta-security.bbclass:'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend:require ${@bb.utils.contains('DISTRO_FEATURES', 'security', '${BPN}_security.inc', '', d)}
```
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ife1549783b356f87f429466f260f34b9a41d002c
|
|
We've typically kept these LAYERSERIES_COMPAT to 2 releases: the current
and the upcoming. Remove 'gatesgarth' as it is now 2 releases back.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I5e812a94fed1738898af75c0fdee81996a5bbf20
|
|
We want to build OpenBMC on ppc64le, so add it to QEMU_TARGETS.
Signed-off-by: Anton Blanchard <anton@ozlabs.org>
Change-Id: Ice8735a105f40c938dde42061d2e33ddf55a07dc
|
|
LAYERVERSION should keep underscore instead of colon.
Change-Id: I53b0af2fd8c756d09a11ee2c970910cdf7331738
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
|
|
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ib334e243bb2293148b6bf3587c79a77e46bd8ce3
|
|
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I588025b614416c43aa2d053765ab53bacf890cb5
|
|
Background:
OpenBMC provisions the BMC firmware image with the root account password
in a form which is no longer acceptable to Linux-PAM version 1.5.1.
Specifically, [phosphor-defaults.inc][] sets the password hash into
/etc/shadow as "\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/", where $1
indicates the deprecated [MD5 hash algorithm][]. Ref: [wikipedia passwd
entry][]. Beginning around PAM version 1.5.1, when you log in, the
[pam_unix.so module][] authenticates okay but requires the password to
be changed. (For example, you'll get a message like "You are required
to change your password immediately (administrator enforced)." This
behavior is undesirable for OpenBMC project defaults, and is not
tolerated by the project's current continuous integration tools.)
This change is to replace the password hash to keep the same cleartext
password but hashed with an acceptable algorithm.
Specifically, the password hash supplied in phosphor-defaults.inc is
updated to use the same password as before but encoded
with the SHA-512 algorithm. The hash was generated by the
`openssl passwd -6 0penBmc` command. This change ought to be
transparent and forward and backward compatible.
Note various meta-layers use this same hash string in
conf/local.conf.sample files. They are changed to match.
References:
[phosphor-defaults.inc]: https://github.com/openbmc/openbmc/blob/1a977b269ed437bebb9ae7810e3157746ec9174d/meta-phosphor/conf/distro/include/phosphor-defaults.inc#L245
[wikipedia passwd entry]: https://en.wikipedia.org/wiki/Passwd
[pam_unix.so module]: https://github.com/linux-pam/linux-pam/tree/master/modules/pam_unix
[MD5 hash algorithm]: https://en.wikipedia.org/wiki/MD5
Tested:
Created image with new password hash and PAM 1.5.1 and checked that
login works okay and does not require the password to be changed.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I5b189374f08ba506dbed7f8b9b991f2808cc3bc5
|
|
Background: The OpenBmc project default root account password is set
in meta-phosphor/conf/distro/include/phosphor-defaults.inc and can be
customized in each layer's local.conf file.
Many of these local.conf.sample files had redundant code to set the
password, which probably should not have been there. Removing them
allows the defaults in phosphor-defaults.inc to take effect.
Tested: No. Only meta-ibm was tested.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I76dce00d269d7afa005d7bcfd63f846d3cf45596
|
|
Improved practice to use DISTRO_VERSION instead of the undocumented
VERSION_ID.
DISTRO_VERSION is documented in yocto
https://www.yoctoproject.org/docs/latest/ref-manual/ref-manual.html
and specified in this section about creating your own distribution.
https://docs.yoctoproject.org/dev-manual/common-tasks.html#creating-your-own-distribution
VERSION_ID is undocumented and will more likely be changed compared
to the documented DISTRO_VERSION.
The VERSION_ID is set to DISTRO_VERSION in poky/.../os-release.bb
Use weak default to DISTRO_VERSION instead of overriding VERSION_ID.
This allows other layers to override in *.bbappend or *.conf.
Tested:
```
root@romulus:~# cat /etc/os-release
ID=openbmc-openpower
NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)"
VERSION="2.11.0-dev"
VERSION_ID=2.11.0-dev-165-g20885c497
PRETTY_NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro) 2.11.0-dev"
BUILD_ID="2.11.0-dev"
OPENBMC_TARGET_MACHINE="romulus"
```
Signed-off-by: Willy Tu <wltu@google.com>
Change-Id: I25b5a165b764e6562fa8008c9d2a75a82fb09139
|
|
This is apparently not actually working anymore and is removed in the
next poky update.
Change-Id: Ia1c6a258d124a4a30a14fc42e8e0bba95e64faeb
Signed-off-by: William A. Kennington III <wak@google.com>
|
|
Build QEMU only for relevant targets to speed up compilation process.
Signed-off-by: Konstantin Aladyshev <aladyshev22@gmail.com>
Change-Id: I67c86d6c8fdd2b4969c35c98bec9d5d2342bbef6
|
|
We want to benefit from the space savings of being able to link time
optimize all of our binaries built through meson.
Change-Id: If36f9e76a27bfa8d00210492c2397a174e09dbd3
Signed-off-by: William A. Kennington III <wak@google.com>
|
|
Add new QEMU targets 'riscv32' and 'riscv64' to be able to
use runqemu script on these architectures.
Signed-off-by: Konstantin Aladyshev <aladyshev22@gmail.com>
Change-Id: Ib4019e57a0167203fb42c2214a806709a923209a
|
|
The DynamicUsers flag in the systemd service configuration file is required to
create, handle and recycle temporary users.
This is an essential module for upcoming daemons' privilege separation work.
Reference: https://github.com/openbmc/openbmc/issues/3383
Signed-off-by: Anton D. Kachalov <gmouse@google.com>
Change-Id: Iabd709c4a20f754fc6ea505e640b2d361aba0be2
|
|
Latest upstream yocto has moved on to the 3.3 hardknott release
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ieae36798d66d21c2c642931f06407d3bb2acf163
|
|
phosphor-led-manager has 3 packages
- phosphor-led-manager : Default
- phosphor-led-manager-ledmanager : Packages phosphor-ledmanager
- phosphor-ledmanager-faultmonitor : Packages phosphor-fru-fault-monitor
Because of this, it was not possible to install files via Makefile and
that always needed a corresponding update to FILES_{PN}-ledmanager.
Removing phosphor-led-manager-ledmanager will eliminate this problem.
Change-Id: I00ca4c34346a47f887872464b9050a46d8f5e8e9
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
|
|
This layer provides libseccomp.
Signed-off-by: Anton D. Kachalov <gmouse@google.com>
Change-Id: I84513d56f2ed75fab49043196b98ef8b858e394f
|
|
The feature was implemented as an append to the kernel (BSP) layers in
meta-phosphor. This created a three way dance between machine layers,
BSP and meta-phosphor, when it should have been the kernel layer
providing this feature and machines could then opt in.
Fixing this means we could remove the KERNEL_DANGLING_FEATURES_WARN_ONLY
workaround.
As the feature is simply turning on a pair of kernel options without any
other impact, we can implement it by adding the options to our
defconfigs. In fact, aspeed and hpe kernel configurations enable the two
kernel options:
```
$ git grep CONFIG_KEYBOARD_GPIO=y
meta-aspeed/recipes-kernel/linux/linux-aspeed/aspeed-g4/defconfig:CONFIG_KEYBOARD_GPIO=y
meta-aspeed/recipes-kernel/linux/linux-aspeed/aspeed-g5/defconfig:CONFIG_KEYBOARD_GPIO=y
meta-aspeed/recipes-kernel/linux/linux-aspeed/aspeed-g6/defconfig:CONFIG_KEYBOARD_GPIO=y
meta-hpe/meta-gxp/recipes-kernel/linux/linux-obmc/defconfig:CONFIG_KEYBOARD_GPIO=y
$ git grep CONFIG_INPUT_EVDEV
meta-aspeed/recipes-kernel/linux/linux-aspeed/aspeed-g4/defconfig:CONFIG_INPUT_EVDEV=y
meta-aspeed/recipes-kernel/linux/linux-aspeed/aspeed-g5/defconfig:CONFIG_INPUT_EVDEV=y
meta-aspeed/recipes-kernel/linux/linux-aspeed/aspeed-g6/defconfig:CONFIG_INPUT_EVDEV=y
meta-hpe/meta-gxp/recipes-kernel/linux/linux-obmc/defconfig:CONFIG_INPUT_EVDEV=y
```
Other machines that wish to enable this feature should ensure it is
added to their BSP's defconfig, or add it to their machine specific
defconfig.
Change-Id: I0726836319022f96c1d13d4a0cbd73708047302c
Signed-off-by: Joel Stanley <joel@jms.id.au>
|
|
This distro feature is not used anywhere. Remove it to reduce
the clutter.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I1dd4e5ae52197a377b552a8a0e7d1e6d7e7ebe7f
|
|
Yocto has a built-in class for applying compiler security flags to
builds. Some security conscious projects within OpenBMC set these flags
manually. We should do this project wide, given that it has a
negligible performance impact, and brings us in line with modern
security requirements.
There are some whitepapers on the specifics of what these flags do,
which is a much better documentation than I am able to write here, but
the key takeaways are that this:
1. Enables position independent code.
2. Enables FORTIFY_SOURCE level 2.
3. Enables -wformat and -wformat-security
4. Enables strong stack protection.
None of these flags should have any change in functional behavior.
Section 4.3 of this doc goes through this file in more detail:
https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/improving-embedded-linux-security-yocto3.pdf
croserver/eCMD doesn't currently compile with these flags, so it's
explicitly excluded for the moment. Patchset has been merged against
eCMD master to fix this, but we're so far behind, the bump doesn't build.
obmc-libobmc-intf has an error that I can't quite understand yet about
unused results, which shouldn't have been affected by this, yet it seems
to be related to enabling the security hardening, so it is also excluded
from the security flags for the moment.
libpldm includes an IBM OEM command that relies on undefined behavior with
open(); the proposed fix is here, but libpldm is excluded until that is
merged and bumped.
https://gerrit.openbmc-project.xyz/c/openbmc/pldm/+/3998412
Even with those three exceptions, getting a majority of the security flags
enabled on a majority of the repos should be an overall win.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I0483b1dbe1123a7beff8c5788363685487fb9c09
|
|
Upstream yocto removed these parameters in this commit:
d707fa30f8a24d1e50831846330757254f245791
packagegroup-core-device-devel: remove
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=d707fa30f8a24d1e50831846330757254f245791
and now builds against a qemu machine fail to build. This commit
removes phosphor's use of these items, as it isn't clear what they were
doing for us anyway, which the aforementioned commit also asserts.
(From meta-phosphor rev: 933b75141f46cefe838f298f793f7d49c9f1f2b3)
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I2c9ab4ade1ac1926094da9102ac2c047baa147e0
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
The next release of Yocto is soon and most of the upstream
layers have switched support strings for it. Support layer
compat for gatesgarth (current) and dunfell (previous).
(From meta-phosphor rev: 49b2a2c56bb774224b15f80deeffff096f59a2db)
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ie37ab65b72c2e10e0324774c56b7968db091ea5b
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
Add a fru-device package, packagegroup, and image feature.
Remove the ipmi-fru distro feature, since adding it in the first place
was a mistake - no projects have conditional ipmi-fru feature flags.
(From meta-phosphor rev: 4525a9d01a5f65438342a894f27c82f0dd61642c)
Change-Id: I6928ac67d4acb4568359a308b45cb0734d116054
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
Add machine overrides for IBM processors:
- ibm-power-cpu: for any IBM POWER processor
- ibm-power8-cpu: for IBM POWER8 processors
- ibm-power9-cpu: for IBM POWER9 processors
- ibm-power10-cpu: for IBM POWER10 processors
ibm-power-cpu is used when an override applies to any IBM POWER
processor. ibm-power<N>-cpu can be used when a specific override exists
for a specific POWER processor generation.
(From meta-phosphor rev: a59b21d85e90ba5ecfc42e22e751c9dfe6aacb0e)
Change-Id: Ie1eebb677204b9314942f414c10e5dc3134397a9
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
The ldap and libc-inet-anl DISTRO_FEATURES aren't used anywhere, so
don't set them.
(From meta-phosphor rev: 23140b75afb741ebcd9190efd825b7ef81576e29)
Change-Id: Iba881c25d572397b69b134174336f88b936bddd9
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
152695448 removed our openbmc-phosphor distro override. This had
minimal or no impact because distro overrides based on the DISTRO aren't
being used as they should. Add a distro override so they can be used
where appropriate (e.g. oe-core bbappends).
(From meta-phosphor rev: 1b9a74965ae664726e82ff7941b2d046392fb0f3)
Change-Id: I7ae07ac26c2ea4882d3b1b002b340f53d885c1e8
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|