From 1e488cdf844bf4aa82d3c90875a56fb35c7f210d Mon Sep 17 00:00:00 2001
From: Andrew Geissler
Date: Tue, 3 Oct 2023 09:44:52 -0500
Subject: subtree updates oct 3 2023
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

poky: fc25449687..a61e021c65:
  Alberto Planas (1):
        bitbake.conf: add unzstd in HOSTTOOLS

  Alejandro Hernandez Samaniego (2):
        baremetal-helloworld: Update SRCREV to fix entry addresses for ARM architectures
        baremetal-helloworld: Fix race condition

  Alex Kiernan (2):
        rootfs: Add debugfs package db file copy and cleanup
        rpm: Pick debugfs package db files/dirs explicitly

  Alexander Kanavin (35):
        maintaines.inc: unassign Richard Weinberger from erofs-utils entry
        maintainers.inc: unassign Andreas Müller from itstool entry
        maintainers.inc: unassign Pascal Bach from cmake entry
        maintainers.inc: correct unassigned entries
        maintainers.inc: correct Carlos Rafael Giani's email address
        apr: upgrade 1.7.3 -> 1.7.4
        scripts/runqemu: split lock dir creation into a reusable function
        scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes
        qemu: a pending patch was submitted and accepted upstream
        maintainers.inc: unassign Adrian Bunk from wireless-regdb
        maintainers.inc: unassign Alistair Francis from opensbi
        maintainers.inc: unassign Chase Qi from libc-test
        maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items
        maintainers.inc: unassign Ricardo Neri from ovmf
        grub: submit determinism.patch upstream
        gawk: upgrade 5.2.1 -> 5.2.2
        gnupg: upgrade 2.4.0 -> 2.4.2
        libx11: upgrade 1.8.4 -> 1.8.5
        linux-firmware: upgrade 20230404 -> 20230515
        serf: upgrade 1.3.9 -> 1.3.10
        wget: upgrade 1.21.3 -> 1.21.4
        wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
        gdb: upgrade 13.1 -> 13.2
        sysfsutils: fetch a supported fork from github
        diffutils: update 3.9 -> 3.10
        libproxy: fetch from git
        cargo.bbclass: set up cargo environment in common do_compile
        rust-common.bbclass: move musl-specific linking fix from rust-source.inc
        Revert "rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock"
        ref-manual: document image-specific variant of INCOMPATIBLE_LICENSE
        glibc-locale: use stricter matching for metapackages' runtime dependencies
        devtool/upgrade: raise an error if extracting source produces more than one directory
        curl: ensure all ptest failures are caught
        python3: upgrade 3.11.2 -> 3.11.3
        python3: update 3.11.3 -> 3.11.4

  Alexis Lothoré (2):
        scripts/resulttool: add mention about new detected tests
        oeqa/utils/gitarchive: fix tag computation when creating archive

  Andrej Valek (2):
        busybox: 1.36.0 -> 1.36.1
        maintainers.inc: Modify email address

  Anuj Mittal (7):
        gstreamer1.0: upgrade 1.22.2 -> 1.22.3
        selftest/cases/glibc.py: fix the override syntax
        glibc/check-test-wrapper: don't emit warnings from ssh
        selftest/cases/glibc.py: increase the memory for testing
        oeqa/utils/nfs: allow requesting non-udp ports
        selftest/cases/glibc.py: switch to using NFS over TCP
        gstreamer1.0: upgrade 1.22.4 -> 1.22.5

  Archana Polampalli (3):
        qemu: fix CVE-2023-0330
        bind: upgrade 9.18.15 -> 9.18.16
        vim: upgrade 9.0.1592 -> 9.0.1664

  BELOUARGA Mohamed (2):
        meta: lib: oe: npm_registry: Add more safe caracters
        linux-firmware : Add firmware of RTL8822 serie

  Benjamin Bouvier (1):
        util-linux: add alternative links for ipcs,ipcrm

  Bruce Ashfield (33):
        linux-yocto/6.1: update to v6.1.26
        linux-yocto/6.1: update to v6.1.27
        linux-yocto/6.1: update to v6.1.28
        linux-yocto/6.1: update to v6.1.29
        linux-yocto/6.1: update to v6.1.30
        linux-yocto/6.1: update to v6.1.31
        linux-yocto/6.1: update to v6.1.32
        linux-yocto/5.15: update to v5.15.114
        linux-yocto/5.15: update to v5.15.115
        linux-yocto/5.15: update to v5.15.116
        linux-yocto/5.15: update to v5.15.117
        linux-yocto/5.15: update to v5.15.118
        linux-yocto/5.15: cfg: fix DECNET configuration warning
        linux-yocto/6.1: update to v6.1.33
        linux-yocto/6.1: fix intermittent x86 boot hangs
        linux-yocto/6.1: update to v6.1.34
        linux-yocto/6.1: update to v6.1.35
        linux-yocto/5.15: update to v5.15.119
        linux-yocto/5.15: update to v5.15.120
        linux-yocto/6.1: update to v6.1.36
        linux-yocto/6.1: update to v6.1.37
        linux-yocto/6.1: update to v6.1.38
        linux-yocto/5.15: update to v5.15.122
        linux-yocto/5.15: update to v5.15.123
        linux-yocto/5.15: update to v5.15.124
        linux-yocto/6.1: cfg: update ima.cfg to match current meta-integrity
        linux-yocto/6.1: update to v6.1.41
        linux-yocto/6.1: update to v6.1.43
        linux-yocto/6.1: update to v6.1.44
        linux-yocto/6.1: update to v6.1.45
        linux-yocto/6.1: fix uninitialized read in nohz_full/isolcpus setup
        linux-yocto/6.1: update to v6.1.46
        linux-yocto/6.1: fix IRQ-80 warnings

  Changqing Li (4):
        systemd: fix a dead link under /var/log
        dnf: only write the log lock to root for native dnf
        rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock
        erofs-utils: fix CVE-2023-33551/CVE-2023-33552

  Charlie Wu (1):
        devtool: Fix the wrong variable in srcuri_entry

  Chee Yang Lee (6):
        python3-requests: fix CVE-2023-32681
        curl: fix CVE-2023-32001
        ghostscript: fix CVE-2023-38559
        librsvg: upgrade to 2.54.6
        libssh2: fix CVE-2020-22218
        python3: update to 3.11.5

  Chen Qi (13):
        cmake.bbclass: do not search host paths for find_program()
        qemurunner.py: fix error message about qmp
        sdk.py: error out when moving file fails
        sdk.py: fix moving dnf contents
        rpm: write macros under libdir
        zip: fix configure check by using _Static_assert
        zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS
        unzip: fix configure check for cross compilation
        unzip: remove hardcoded LARGE_FILE_SUPPORT
        ncurses: fix CVE-2023-29491
        cmake.bbclass: fix allarch override syntax
        multilib.conf: explicitly make MULTILIB_VARIANTS vardeps on MULTILIBS
        gcc-crosssdk: ignore MULTILIB_VARIANTS in signature computation

  Daniel Semkowicz (1):
        dev-manual: wic.rst: Update native tools build command

  Deepthi Hemraj (2):
        glibc: stable 2.37 branch updates.
        binutils: stable 2.40 branch updates

  Denys Dmytriyenko (1):
        binutils: move packaging of gprofng static lib into common .inc

  Dmitry Baryshkov (3):
        openssl: fix building on riscv32
        linux-firmware: package firmare for Dragonboard 410c
        linux-firmware: split platform-specific Adreno shaders to separate packages

  Ed Beroset (1):
        ref-manual: add clarification for SRCREV

  Enrico Scholz (1):
        shadow-sysroot: add license information

  Etienne Cordonnier (2):
        libxcrypt: fix hard-coded ".so" extension
        vim: update obsolete comment

  Fabien Mahot (2):
        useradd-example: package typo correction
        oeqa/selftest/bbtests: add non-existent prefile/postfile tests

  Frieder Paape (1):
        image_types: Fix reproducible builds for initramfs and UKI img

  Frieder Schrempf (1):
        psmisc: Set ALTERNATIVE for pstree to resolve conflict with busybox

  Hannu Lounento (1):
        profile-manual: fix blktrace remote usage instructions

  Ian Ray (1):
        systemd-systemctl: support instance expansion in WantedBy

  Jaeyoon Jung (1):
        cml1: Fix KCONFIG_CONFIG_COMMAND not conveyed fully in do_menuconfig

  Jermain Horsman (1):
        logrotate: Do not create logrotate.status file

  Joe Slater (1):
        ghostscript: fix CVE-2023-36664

  Joel Stanley (1):
        kernel: don't fail if Modules.symvers doesn't exist

  Jose Quaresma (8):
        kernel: config modules directories are handled by kernel-module-split
        kernel-module-split: install config modules directories only when they are needed
        kernel-module-split: use context manager to open files
        kernel-module-split: make autoload and probeconf distribution specific
        kernel-module-split add systemd modulesloaddir and modprobedir config
        openssl: add PERLEXTERNAL path to test its existence
        openssl: use a glob on the PERLEXTERNAL to track updates on the path
        go: update 1.20.5 -> 1.20.6

  Julien Stephan (1):
        automake: fix buildtest patch

  Jörg Sommer (2):
        runqemu-gen-tapdevs: Refactoring
        runqemu-ifupdown/get-tapdevs: Add support for ip tuntap

  Kai Kang (4):
        pm-utils: fix multilib conflictions
        webkitgtk: 2.38.5 -> 2.38.6
        webkitgtk: fix CVE-2023-32439
        webkitgtk: fix CVE-2023-32435

  Khem Raj (10):
        systemd: Drop a backport
        perf: Make built-in libtraceevent plugins cohabit with external libtraceevent
        glibc: Pass linker choice via compiler flags
        babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature
        parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so
        rpcsvc-proto: Upgrade to 1.4.4
        libxml2: Do not use lld linker when building with tests on rv64
        python3-bcrypt: Use BFD linker when building tests
        meson.bbclass: Point to llvm-config from native sysroot
        build-sysroots: Add SUMMARY field

  Lee Chee Yang (7):
        migration-guides: add release notes for 4.0.10
        migration-guides: add release notes for 4.0.11
        migration-guides: add release notes for 4.2.2
        migration-guides: add release notes for 4.2.3
        migration-guides: add release notes for 4.0.12
        bind: update to 9.18.19
        ffmpeg: 5.1.2 -> 5.1.3

  Marc Ferland (1):
        connman: fix warning by specifying runstatedir at configure time

  Marek Vasut (1):
        linux-firmware: Fix mediatek mt7601u firmware path

  Mark Hatle (1):
        tcf-agent: Update to 1.8.0 release

  Markus Niebel (1):
        wic: fix wrong attempt to create file system in upartitioned regions

  Markus Volk (3):
        ell: upgrade 0.56 -> 0.57
        gtk4: upgrade 4.10.3 -> 4.10.4
        gtk4: upgrade 4.10.4 -> 4.10.5

  Martin Jansa (8):
        libx11: remove unused patch and FILESEXTRAPATHS
        qemu: remove unused qemu-7.0.0-glibc-2.36.patch
        minicom: remove unused patch files
        inetutils: remove unused patch files
        libgloss: remove unused patch file
        kmod: remove unused ptest.patch
        tcl: prevent installing another copy of tzdata
        gcc: backport a fix for ICE caused by CVE-2023-4039.patch

  Michael Halstead (4):
        resulttool/resultutils: allow index generation despite corrupt json
        yocto-uninative: Update hashes for uninative 4.1
        yocto-uninative: Update to 4.2 for glibc 2.38
        yocto-uninative: Update to 4.3

  Michael Opdenacker (13):
        ref-manual: releases.svg: updates
        conf.py: add macro for Mitre CVE links
        ref-manual: LTS releases now supported for 4 years
        poky.conf: update SANITY_TESTED_DISTROS to match autobuilder
        scripts/create-pull-request: update URLs to git repositories
        ref-manual: system-requirements: update supported distros
        manuals: add new contributor guide
        dev-manual: disk-space: mention faster "find" command to trim sstate cache
        sdk-manual: extensible.rst: fix multiple formatting issues
        dev-manual: disk-space: improve wording for obsolete sstate cache files
        dev-manual: new-recipe.rst fix inconsistency with contributor guide
        contributor-guide: recipe-style-guide: add Upstream-Status
        dev-manual: licenses: mention SPDX for license compliance

  Mikko Rapeli (1):
        useradd-staticids.bbclass: improve error message

  Mingli Yu (5):
        curl: fix CVE-2023-28319 through CVE-2023-28322
        python3-numpy: remove NPY_INLINE, use inline instead
        acpica: Update SRC_URI
        cups: Fix CVE-2023-34241
        ruby: Fix CVE-2023-36617

  Narpat Mali (5):
        python3-certifi: upgrade 2022.12.7 -> 2023.7.22
        ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018
        python3-git: upgrade 3.1.31 -> 3.1.32
        python3-pygments: fix for CVE-2022-40896
        python3-git: upgrade 3.1.32 -> 3.1.37

  Natasha Bailey (1):
        tiff: backport a fix for CVE-2023-2731

  Oleksandr Hnatiuk (2):
        file: return wrapper to fix builds when file is in buildtools-tarball
        file: fix the way path is written to environment-setup.d

  Ovidiu Panait (7):
        mdadm: fix util-linux ptest dependency
        mdadm: fix 07revert-inplace ptest
        mdadm: fix segfaults when running ptests
        mdadm: skip running known broken ptests
        mdadm: re-add mdadm-ptest to PTESTS_SLOW
        mdadm: add util-linux-blockdev ptest dependency
        mdadm: skip running 04update-uuid and 07revert-inplace testcases

  Peter Marko (7):
        cve-update-nvd2-native: fix cvssV3 metrics
        cve-update-nvd2-native: retry all errors and sleep between retries
        cve-update-nvd2-native: increase retry count
        libjpeg-turbo: patch CVE-2023-2804
        python3: ignore CVE-2023-36632
        libarchive: ignore CVE-2023-30571
        openssl: Upgrade 3.1.1 -> 3.1.2

  Peter Suti (1):
        externalsrc: fix dependency chain issues

  Poonam Jadhav (1):
        pixman: Remove duplication of license MIT

  Quentin Schulz (3):
        docs: bsp-guide: bsp: fix typo
        docs: ref-manual: terms: fix typos in SPDX term
        uboot-extlinux-config.bbclass: fix old override syntax in comment

  Randolph Sapp (6):
        weston-init: make sure the render group exists
        weston-init: add weston user to the render group
        weston-init: add the weston user to the wayland group
        weston-init: fix the mixed indentation
        weston-init: guard against systemd configs
        weston-init: add profile to point users to global socket

  Richard Purdie (24):
        selftest/license: Exclude from world
        layer.conf: Add missing dependency exclusion
        v86d: Improve kernel dependency
        strace: Disable failing test
        bitbake: runqueue: Fix deferred task/multiconfig race issue
        strace: Merge two similar patches
        strace: Update patches/tests with upstream fixes
        ptest-runner: Pull in sync fix to improve log warnings
        ptest-runner: Ensure data writes don't race
        ptest-runner: Pull in "runner: Remove threads and mutexes" fix
        gcc-testsuite: Fix ppc cpu specification
        ptest-runner: Pull in parallel test fixes and output handling
        glibc-testsuite: Fix network restrictions causing test failures
        oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
        oeqa/runtime/ltp: Increase ltp test output timeout
        ltp: Add kernel loopback module dependency
        target/ssh: Ensure exit code set for commands
        oeqa/ssh: Further improve process exit handling
        pseudo: Fix to work with glibc 2.38
        lib/package_manager: Improve repo artefact filtering
        gnupg: Fix reproducibility failure
        resulttool/report: Avoid divide by zero
        build-sysroots: Ensure dependency chains are minimal
        vim: Upgrade 9.0.1664 -> 9.0.1894

  Riyaz Khan (1):
        openssh: Remove BSD-4-clause contents completely from codebase

  Roland Hieber (2):
        template: fix typo in section header
        ref-manual: point outdated link to the new location

  Ross Burton (24):
        ninja: ignore CVE-2021-4336, wrong ninja
        binutils: fix CVE-2023-1972
        pkgconf: upgrade 1.9.4 -> 1.9.5
        git: upgrade to 2.39.3
        gobject-introspection: remove obsolete DEPENDS
        cve-update-nvd2-native: handle all configuration nodes, not just first
        cve-update-nvd2-native: use exact times, don't truncate
        cve-update-nvd2-native: log a little more
        cve-update-nvd2-native: actually use API keys
        tiff: upgrade to 4.5.1
        gcc: don't pass --enable-standard-branch-protection
        machine/arch-arm64: add -mbranch-protection=standard
        pkgconf: update SRC_URI
        python3: fix missing comma in get_module_deps3.py
        oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
        rootfs_rpm: don't depend on opkg-native for update-alternatives
        ltp: add RDEPENDS on findutils
        openssh: upgrade to 9.3p2
        linux-yocto: add script to generate kernel CVE_CHECK_IGNORE entries
        linux/cve-exclusion: add generated CVE_CHECK_IGNOREs
        procps: backport fix for CVE-2023-4016
        graphene: fix runtime detection of IEEE754 behaviour
        gcc: Fix -fstack-protector issue on aarch64
        linux-yocto: update CVE exclusions

  Sakib Sajal (4):
        go: Upgrade 1.20.4 -> 1.20.5
        bno_plot.py, btt_plot.py: Ask for python3 specifically
        go: fix CVE-2023-24531
        go: upgrade 1.20.6 -> 1.20.7

  Sanjana (1):
        binutils: Fix CVE-2023-39128

  Sanjay Chitroda (2):
        cups: Fix CVE-2023-32324
        curl: Add CVE-2023-28320 follow-up fix

  Siddharth (1):
        tiff: Security fix for CVE-2023-25434 and CVE-2023-26965

  Siddharth Doshi (1):
        gdb: Fix CVE-2023-39128

  Soumya (1):
        perl: Fix CVE-2023-31484 & CVE-2023-31486

  Staffan Rydén (1):
        kernel: Fix path comparison in kernel staging dir symlinking

  Steve Sakoman (6):
        maintainers.inc: update version for gcc-source
        Revert "systemd: fix a dead link under /var/log"
        poky.conf: bump version for 4.2.2 release
        build-appliance-image: Update to mickledore head revision
        poky.conf: bump version for 4.2.3 release
        build-appliance-image: Update to mickledore head revision

  Stéphane Veyret (1):
        scripts/oe-setup-builddir: copy conf-notes.txt to build dir

  Sudip Mukherjee (2):
        dpkg: upgrade to v1.21.22
        bind: upgrade to v9.18.17

  Sundeep KOKKONDA (1):
        gcc : upgrade to v12.3

  Thomas Roos (1):
        testimage/oeqa: Drop testimage_dump_host functionality

  Tim Orling (1):
        openssl: upgrade 3.1.0 -> 3.1.1

  Tom Hochstein (1):
        weston: Cleanup and fix x11 and xwayland dependencies

  Trevor Gamblin (4):
        bind: upgrade 9.18.13 -> 9.18.14
        glib-networking: use correct error code in ptest
        vim: upgrade 9.0.1527 -> 9.0.1592
        linux-firmware: upgrade 20230515 -> 20230625

  Wang Mingyu (24):
        babeltrace2: upgrade 2.0.4 -> 2.0.5
        fribidi: upgrade 1.0.12 -> 1.0.13
        libdnf: upgrade 0.70.0 -> 0.70.1
        libmicrohttpd: upgrade 0.9.76 -> 0.9.77
        libxft: upgrade 2.3.7 -> 2.3.8
        libxpm: upgrade 3.5.15 -> 3.5.16
        mobile-broadband-provider-info: upgrade 20221107 -> 20230416
        bind: upgrade 9.18.14 -> 9.18.15
        xdpyinfo: upgrade 1.3.3 -> 1.3.4
        libxml2: upgrade 2.10.3 -> 2.10.4
        freetype: upgrade 2.13.0 -> 2.13.1
        gstreamer1.0: upgrade 1.22.3 -> 1.22.4
        libassuan: upgrade 2.5.5 -> 2.5.6
        libksba: upgrade 1.6.3 -> 1.6.4
        libx11: upgrade 1.8.5 -> 1.8.6
        lttng-ust: upgrade 2.13.5 -> 2.13.6
        taglib: upgrade 1.13 -> 1.13.1
        libwebp: upgrade 1.3.0 -> 1.3.1
        libnss-nis: upgrade 3.1 -> 3.2
        opkg: upgrade 0.6.1 -> 0.6.2
        opkg-utils: upgrade 0.5.0 -> 0.6.2
        file: upgrade 5.44 -> 5.45
        tar: upgrade 1.34 -> 1.35
        bind: upgrade 9.18.17 -> 9.18.18

  Xiangyu Chen (1):
        dbus: upgrade 1.14.6 -> 1.14.8

  Yash Shinde (1):
        glibc: fix CVE-2023-4527

  Yi Zhao (1):
        ifupdown: install missing directories

  Yoann Congal (3):
        recipetool: Fix inherit in created -native* recipes
        oeqa/selftest/devtool: add unit test for "devtool add -b"
        dev-manual: remove unsupported :term: markup inside markup

  Yogita Urade (8):
        dmidecode: fix CVE-2023-30630
        qemu: fix CVE-2023-3301
        qemu: fix CVE-2023-3255
        qemu: fix CVE-2023-2861
        inetutils: fix CVE-2023-40303
        nghttp2: fix CVE-2023-35945
        dropbear: fix CVE-2023-36328
        qemu: fix CVE-2023-3354

  Yuta Hayama (1):
        systemd-systemctl: fix errors in instance name expansion

  nikhil (1):
        libwebp: Fix CVE-2023-1999

  sanjana (2):
        binutils: stable 2.40 branch updates
        glibc: stable 2.37 branch updates

meta-openembedded: 9286582126..922f41b39f:
  Armin Kuster (1):
        openldap: update to 2.5.16.

  Beniamin Sandu (1):
        lmsensors: do not pull in unneeded perl modules for run-time dependencies

  Changqing Li (2):
        redis: upgrade 6.2.12 -> 6.2.13
        redis: upgrade 7.0.11 -> 7.0.12

  Chee Yang Lee (2):
        rabbitmq-c: Fix CVE-2023-35789
        c-ares: upgrade 1.19.0 -> 1.19.1

  Chen Qi (3):
        redis: use the files path correctly
        grpc: fix CVE-2023-32732
        grpc: fix CVE-2023-33953

  Chris Dimich (1):
        image_types_sparse: Fix syntax error

  Hitendra Prajapati (4):
        wireshark: Fix CVE-2023-2855 & CVE-2023-2856
        wireshark: Fix CVE-2023-2858 & CVE-2023-2879
        wireshark: CVE-2023-2952 XRA dissector infinite loop
        wireshark: Fix Multiple CVEs

  Jasper Orschulko (1):
        yaml-cpp: Fix cmake export

  Joe Slater (3):
        libgpiod: modify test 'gpioset: toggle (continuous)'
        python3-sqlparse: fix CVE-2023-30608
        libgpiod: modify RDEPENDS for ptest

  Khem Raj (2):
        fftw: Check for TOOLCHAIN_OPTIONS to be non-empty before sed ops
        system-config-printer: Delete __pycache__ files

  Lee Chee Yang (2):
        opensc: fix CVE-2023-2977
        x11vnc: Fix CVE-2020-29074

  Linus Jacobson (1):
        khronos-cts: Replace wayland feature dependancy with vulkan

  Martin Jansa (5):
        libiio: use main branch instead of master
        mongodb: enable hardware crc32 only with crc in TUNE_FEATURES
        khronos-cts.inc: respect MLPREFIX when appending DEPENDS with anonymous python
        libcyusbserial: fix installed-vs-shipped QA issue with multilib
        tcpreplay: fix pcap detection with /usr/lib32 multilib

  Mingli Yu (6):
        dialog: Update the SRC_URI
        gnulib: Update SRC_URI
        yajl: Fix CVE-2023-33460
        iniparser: Fix CVE-2023-33461
        php: Upgrade to 8.2.8
        mcelog: Drop unneeded autotools-brokensep

  Polampalli, Archana (6):
        tcpreplay: upgrade 4.4.3 -> 4.4.4
        nodejs: upgrade 18.14.2 -> 18.16.1
        yasm: fix CVE-2023-31975
        nodejs: upgrade 18.16.1 -> 18.17.1
        hwloc: fix CVE-2022-47022
        python3-appdirs: print ptest results in unified format

  Ross Burton (5):
        glade: add autoconf-archive-native DEPENDS
        libgxim: add autoconf-archive-native DEPENDS
        libblockdev: clean up DEPENDS
        imsettings: add missing DEPENDS on autoconf-archive-native
        system-config-printer: clean up DEPENDS

  Sandeep Gundlupet Raju 837 (1):
        opencv: Revert fix runtime dependencies

  Sanjay Chitroda (1):
        netkit-telnet: Fix CVE-2022-39028

  Soumya (1):
        yasm: fix CVE-2023-37732

  Soumya Sambu (1):
        krb5: Fix CVE-2023-36054

  Soumya via (1):
        opencv: Fix for CVE-2023-2617

  Urade, Yogita t.mo (1):
        c-ares: fix CVE-2023-32067

  Wang Mingyu (3):
        python3-django: upgrade 4.1.7 -> 4.2.1
        iperf3: upgrade 3.13 -> 3.14
        tcpdump: upgrade 4.99.3 -> 4.99.4

  Xiangyu Chen (2):
        libbpf: installing uapi headers for native package
        meta-oe: add pahole to NON_MULTILIB_RECIPES

  Yi Zhao (4):
        frr: upgrade 8.4.2 -> 8.4.4
        mbedtls: upgrade 2.28.2 -> 2.28.3
        open-vm-tools: Security fix CVE-2023-20867
        frr: Security fix CVE-2023-3748

  Yogita Urade (1):
        poppler: fix CVE-2023-34872

meta-arm: 8db460fa5d..6e199b354e:
  Abdellatif El Khlifi (6):
        arm-bsp/documentation: corstone1000: Update change log
        arm-bsp/doc: corstone1000: Update the software architecture document
        arm-bsp/documentation: corstone1000: update the release note
        arm-bsp/documentation: corstone1000: update user guide
        kas: set the SHAs for 2023.06 release
        arm-bsp/trusted-firmware-a: corstone1000: enable ERRATA_A35_855472

  Adam Johnston (2):
        CI: Platform specific Trusted Services config
        arm-bsp/trusted-firmware-a: Reserve OP-TEE memory from NWd on N1SDP

  Anton Antonov (1):
        arm/oeqa: Make ts-service-test config match selected SPs

  Denys Dmytriyenko (1):
        optee-os: do not explicitly set CFG_MAP_EXT_DT_SECURE=y

  Emekcan Aras (7):
        arm-bsp/u-boot: corstone1000: Fix EFI multiple protocol install failure
        arm-bsp/u-boot: corstone1000: Enable EFI set/get time services
        arm-bsp/trusted-services: corstone1000: GetNextVariableName Fix
        arm-bsp/optee-os:corstone1000: Drop SPMC non secure interrupt patches
        arm-bsp/u-boot: corstone1000: Fix u-boot compilation warnings
        arm-bsp/trusted-services: corstone1000: Fix PSA_RAW_KEY agreement test
        arm-bsp/trusted-services: corstone1000: Fix Capsule Update

  Gyorgy Szing (11):
        arm/trusted-services: update TS version
        optee-os: remove v3.18 pin of OP-TEE on qemuarm64-secureboot
        optee-os: Add support for TOS_FW_CONFIG on qemu
        arm/trusted-firmware-a: Add TOS_FW_CONFIG handling for quemu
        optee-test: backport SWd ABI compatibility changes
        optee-os: enable SPMC test
        arm/oeqa: enable OP-TEE SPMC tests
        trusted-services: update documentation
        arm/trusted-services: disable psa-iat on qemuarm64-secureboot
        arm/trusted-services: fix nanopb build error
        optee-os: unblock NWd interrupts

  Jon Mason (3):
        CI: remove master refspec for meta-virtualization yml file
        arm/linux-yocto: move 6.1 patches to a unique bbappend
        README: remove reference to meta-arm-autonomy

  Robbie Cao (1):
        arm/recipes-kernel: Add preempt-rt support for generic-arm64

  Rui Miguel Silva (3):
        arm-bsp/trusted-services:corstone1000: remove already merged patches
        arm-bsp/trusted-services: remove merged patches for corstone1000
        arm-bps/corstone1000: setup trusted service proxy configuration

  Tomás González (2):
        arm-bsp/documentation: corstone1000: Update the user guide
        arm-bsp/documentation: corstone1000: Update the release notes

Change-Id: I19ad289a1580a28192b5c063d06553d4e171687b
Signed-off-by: Andrew Geissler --- meta-arm/.gitlab-ci.yml | 4 +- meta-arm/README.md | 4 - meta-arm/ci/meta-virtualization.yml | 1 - meta-arm/ci/n1sdp-ts.yml | 14 + meta-arm/ci/qemuarm64-secureboot-ts.yml | 14 + meta-arm/ci/trusted-services.yml | 14 - meta-arm/documentation/trusted-services.md | 40 +- meta-arm/kas/corstone1000-base.yml | 2 + .../conf/machine/include/corstone1000.inc | 1 + .../documentation/corstone1000/change-log.rst | 74 +- .../corstone1000/images/CorstoneSubsystems.png | Bin 111103 -> 78895 bytes .../corstone1000/images/ExternalFlash.png | Bin 35431 -> 40835 bytes .../corstone1000/images/SecureBootChain.png | Bin 150409 -> 95626 bytes .../corstone1000/images/SecureServices.png | Bin 73965 -> 57910 bytes .../corstone1000/images/UEFISupport.png | Bin 98811 -> 66244 bytes .../documentation/corstone1000/release-notes.rst | 26 +- .../corstone1000/software-architecture.rst | 63 +- .../documentation/corstone1000/user-guide.rst | 518 +- .../0001-Reserve-OP-TEE-memory-from-nwd.patch | 41 + .../trusted-firmware-a-corstone1000.inc | 1 + .../trusted-firmware-a-n1sdp.inc | 6 + ...boottime-allow-to-reset-a-path-after-boot.patch | 31 - ..._metadata-make-sure-structures-are-packed.patch | 50 + .../0035-corstone1000-add-boot-index.patch | 33 + ..._metadata-make-sure-structures-are-packed.patch | 50 - .../0036-corstone1000-add-boot-index.patch | 33 - ...1000-adjust-boot-bank-and-kernel-location.patch | 36 + ...1000-add-nvmxip-fwu-mdata-and-gpt-options.patch | 100 + ...1000-adjust-boot-bank-and-kernel-location.patch | 36 - ...1000-add-nvmxip-fwu-mdata-and-gpt-options.patch | 100 - .../0038-nvmxip-move-header-to-include.patch | 42 + ...one1000-set-kernel_addr-based-on-boot_idx.patch | 133 + .../0039-nvmxip-move-header-to-include.patch | 42 - .../0040-corstone1000-boot-index-from-active.patch | 42 + ...one1000-set-kernel_addr-based-on-boot_idx.patch | 133 - .../0041-corstone1000-boot-index-from-active.patch | 42 - .../0041-corstone1000-enable-PSCI-reset.patch | 30 + 
.../0042-Enable-EFI-set-get-time-services.patch | 32 + .../0042-corstone1000-enable-PSCI-reset.patch | 30 - ...pilation-warnings-in-fwu_plat_get_bootidx.patch | 47 + .../recipes-bsp/u-boot/u-boot_%.bbappend | 19 +- .../optee/optee-os-corstone1000-common.inc | 2 + .../0001-Add-openamp-to-SE-proxy-deployment.patch | 287 - ...dd-stub-capsule-update-service-components.patch | 376 + ...Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch | 121 + ...hu-driver-and-the-OpenAmp-conversion-laye.patch | 1091 --- .../corstone1000/0003-Add-openamp-rpc-caller.patch | 1196 ---- .../0003-FMP-Support-in-Corstone1000.patch | 418 ++ .../0004-GetNextVariableName-Fix.patch | 33 + .../0004-add-psa-client-definitions-for-ff-m.patch | 298 - ...d-common-service-component-to-ipc-support.patch | 295 - ...ne1000-add-compile-definitions-for-ECP_DP.patch | 27 + .../0006-Add-secure-storage-ipc-backend.patch | 523 -- ...ne1000-Use-the-stateless-platform-service.patch | 141 + ...cure-storage-ipc-and-openamp-for-se_proxy.patch | 63 - ...ne1000-Initialize-capsule-update-provider.patch | 78 + .../corstone1000/0008-Run-psa-arch-test.patch | 72 - .../0009-Use-address-instead-of-pointers.patch | 168 - .../0010-Add-psa-ipc-attestation-to-se-proxy.patch | 323 - ...ackend-as-openamp-rpc-using-secure-storag.patch | 163 - .../0012-add-psa-ipc-crypto-backend.patch | 2570 ------- ...dd-stub-capsule-update-service-components.patch | 436 -- .../corstone1000/0014-Configure-storage-size.patch | 42 - ...interface-structure-aligned-with-tf-m-cha.patch | 31 - ...6-Integrate-remaining-psa-ipc-client-APIs.patch | 494 -- ...psa_set_key_usage_flags-definition-to-the.patch | 40 - ...Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch | 121 - ...at-corstone1000-change-default-smm-values.patch | 37 - .../0020-FMP-Support-in-Corstone1000.patch | 418 -- ...mm_gateway-add-checks-for-null-attributes.patch | 35 - .../0022-GetNextVariableName-Fix.patch | 33 - .../0023-Use-the-stateless-platform-service.patch | 140 - 
...-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch | 413 -- ...7-alignment-Align-crypto-iovec-definition.patch | 655 -- ....7-alignment-PSA-crypto-client-in-out_vec.patch | 117 - .../trusted-services/ts-arm-platforms.inc | 33 +- .../conf/machine/qemuarm64-secureboot.conf | 3 - .../lib/oeqa/runtime/cases/trusted_services.py | 84 +- .../files/add-spmc_manifest-for-qemu.patch | 67 + ...eat-qemu-update-abi-between-spmd-and-spmc.patch | 263 + .../trusted-firmware-a_%.bbappend | 5 +- .../trusted-firmware-a/trusted-firmware-a_2.8.0.bb | 6 + .../arm-ffa-user/arm-ffa-user_5.0.1.bb | 14 +- .../generic-arm64-preempt-rt-tweaks.cfg | 4 + .../generic-arm64-preempt-rt.scc | 7 + .../recipes-kernel/linux/linux-yocto%.bbappend | 6 - .../linux/linux-yocto-rt_6.1%.bbappend | 6 + .../recipes-kernel/linux/linux-yocto_6.1%.bbappend | 6 + .../0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch | 91 + .../0006-core-ffa-add-TOS_FW_CONFIG-handling.patch | 249 + ...07-core-spmc-handle-non-secure-interrupts.patch | 279 + ...onfigure-SP-s-NS-interrupt-action-based-o.patch | 150 + .../optee/optee-os-tadevkit_3.2%.bbappend | 4 + .../recipes-security/optee/optee-os-ts-3.18.inc | 54 + .../recipes-security/optee/optee-os-ts.inc | 10 +- .../recipes-security/optee/optee-os_%.bbappend | 5 - .../recipes-security/optee/optee-os_3.1%.bbappend | 5 + .../recipes-security/optee/optee-os_3.2%.bbappend | 5 + .../recipes-security/optee/optee-os_3.20.0.bb | 4 + .../Update-arm_ffa_user-driver-dependency.patch | 39 + ...d-arm_ffa_user-driver-compatibility-check.patch | 163 + .../optee/optee-test_3.2%.bbappend | 7 + .../recipes-security/optee/optee-test_3.20.0.bb | 2 + ...0001-Limit-nanopb-build-to-single-process.patch | 41 + .../trusted-services/trusted-services-src.inc | 33 +- .../trusted-services/ts-demo_git.bb | 1 + .../trusted-services/ts-newlib_4.1.0.bb | 4 +- .../ts-psa-api-test-common_git.inc | 4 +- .../trusted-services/ts-sp-attestation_git.bb | 3 +- .../trusted-services/ts-sp-common.inc | 4 +- 
.../trusted-services/ts-sp-crypto_git.bb | 5 +- .../trusted-services/ts-sp-env-test_git.bb | 3 +- .../trusted-services/ts-sp-its_git.bb | 3 +- .../trusted-services/ts-sp-se-proxy_git.bb | 3 +- .../trusted-services/ts-sp-smm-gateway_git.bb | 3 +- .../trusted-services/ts-sp-spm-test-common.inc | 7 + .../trusted-services/ts-sp-spm-test1_git.bb | 5 + .../trusted-services/ts-sp-spm-test2_git.bb | 6 + .../trusted-services/ts-sp-spm-test3_git.bb | 6 + .../trusted-services/ts-sp-storage_git.bb | 3 +- .../recipes-security/trusted-services/ts-uuid.inc | 3 + .../system-config-printer_1.5.18.bb | 13 +- .../recipes-connectivity/mbedtls/mbedtls_2.28.2.bb | 76 - .../recipes-connectivity/mbedtls/mbedtls_2.28.3.bb | 82 + .../netkit-telnet/files/CVE-2022-39028.patch | 53 + .../netkit-telnet/netkit-telnet_0.17.bb | 1 + .../recipes-protocols/frr/frr/CVE-2023-3748.patch | 54 + .../recipes-protocols/frr/frr_8.4.2.bb | 125 - .../recipes-protocols/frr/frr_8.4.4.bb | 126 + .../open-vm-tools/CVE-2023-20867.patch | 163 + .../open-vm-tools/open-vm-tools_12.1.5.bb | 1 + .../recipes-support/tcpdump/tcpdump_4.99.3.bb | 52 - .../recipes-support/tcpdump/tcpdump_4.99.4.bb | 52 + ...c-unify-search-dirs-for-pcap-and-add-lib3.patch | 82 + .../recipes-support/tcpreplay/tcpreplay_4.4.3.bb | 26 - .../recipes-support/tcpreplay/tcpreplay_4.4.4.bb | 27 + .../wireshark/files/CVE-2023-0666.patch | 122 + .../wireshark/files/CVE-2023-0667.patch | 66 + .../wireshark/files/CVE-2023-0668.patch | 33 + .../wireshark/files/CVE-2023-2855.patch | 108 + .../wireshark/files/CVE-2023-2856.patch | 69 + .../wireshark/files/CVE-2023-2858.patch | 95 + .../wireshark/files/CVE-2023-2879.patch | 37 + .../wireshark/files/CVE-2023-2952.patch | 98 + .../recipes-support/wireshark/wireshark_3.4.12.bb | 8 + .../meta-oe/classes/image_types_sparse.bbclass | 12 +- meta-openembedded/meta-oe/conf/layer.conf | 2 +- .../meta-python/recipes-dbs/mongodb/mongodb_git.bb | 1 + .../recipes-benchmark/iperf3/iperf3_3.13.bb | 34 - 
 .../recipes-benchmark/iperf3/iperf3_3.14.bb | 34 +
 .../recipes-bsp/lm_sensors/lmsensors_3.6.0.bb | 5 +-
 .../krb5/krb5/CVE-2023-36054.patch | 68 +
 .../recipes-connectivity/krb5/krb5_1.20.1.bb | 1 +
 .../rabbitmq-c/files/CVE-2023-35789.patch | 131 +
 .../rabbitmq-c/rabbitmq-c_0.13.0.bb | 4 +-
 .../meta-oe/recipes-devtools/glade/glade_3.22.2.bb | 1 +
 ...mgr-EventEngine-Improve-server-handling-o.patch | 224 +
 .../grpc/grpc/0001-fix-CVE-2023-32732.patch | 81 +
 .../meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb | 2 +
 .../nodejs/nodejs-oe-cache-18.14/oe-npm-cache | 77 -
 .../nodejs/nodejs-oe-cache-18.17/oe-npm-cache | 77 +
 .../nodejs/nodejs-oe-cache-native_18.14.bb | 21 -
 .../nodejs/nodejs-oe-cache-native_18.17.bb | 21 +
 ...isable-running-gyp-files-for-bundled-deps.patch | 7 +-
 .../recipes-devtools/nodejs/nodejs_18.14.2.bb | 185 -
 .../recipes-devtools/nodejs/nodejs_18.17.1.bb | 185 +
 .../meta-oe/recipes-devtools/php/php_8.2.6.bb | 294 -
 .../meta-oe/recipes-devtools/php/php_8.2.8.bb | 294 +
 .../yajl/yajl/CVE-2023-33460_1.patch | 43 +
 .../yajl/yajl/CVE-2023-33460_2.patch | 31 +
 .../meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb | 5 +-
 .../yasm/yasm/CVE-2023-31975.patch | 29 +
 .../yasm/yasm/CVE-2023-37732.patch | 41 +
 .../meta-oe/recipes-devtools/yasm/yasm_git.bb | 2 +
 .../recipes-extended/dialog/dialog_1.3-20210509.bb | 2 +-
 .../hwloc/files/CVE-2022-47022.patch | 76 +
 .../meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb | 4 +-
 .../libblockdev/libblockdev_2.28.bb | 6 +-
 .../recipes-extended/libgxim/libgxim_0.5.0.bb | 2 +-
 .../0001-src-Do-not-reset-FINAL_LIBS.patch | 30 +
 .../0006-Define-correct-gregs-for-RISCV32.patch | 62 +
 .../redis/redis-7.0.12/GNU_SOURCE-7.patch | 29 +
 .../hiredis-use-default-CC-if-it-is-set.patch | 36 +
 .../redis/redis-7.0.12/init-redis-server | 71 +
 ...Makefile-to-use-environment-build-setting.patch | 76 +
 .../redis/redis-7.0.12/oe-use-libc-malloc.patch | 34 +
 .../recipes-extended/redis/redis-7.0.12/redis.conf | 1314 ++++
 .../redis/redis-7.0.12/redis.service | 16 +
 .../redis-7/0001-src-Do-not-reset-FINAL_LIBS.patch | 30 -
 .../0006-Define-correct-gregs-for-RISCV32.patch | 62 -
 .../redis/redis-7/GNU_SOURCE-7.patch | 29 -
 .../hiredis-use-default-CC-if-it-is-set.patch | 36 -
 .../redis/redis-7/init-redis-server | 71 -
 ...Makefile-to-use-environment-build-setting.patch | 76 -
 .../redis/redis-7/oe-use-libc-malloc.patch | 34 -
 .../recipes-extended/redis/redis-7/redis.conf | 1314 ----
 .../recipes-extended/redis/redis-7/redis.service | 16 -
 .../meta-oe/recipes-extended/redis/redis_6.2.12.bb | 66 -
 .../meta-oe/recipes-extended/redis/redis_6.2.13.bb | 66 +
 .../meta-oe/recipes-extended/redis/redis_7.0.11.bb | 72 -
 .../meta-oe/recipes-extended/redis/redis_7.0.12.bb | 70 +
 .../recipes-graphics/vk-gl-cts/khronos-cts.inc | 6 +-
 .../x11vnc/files/CVE-2020-29074.patch | 27 +
 .../recipes-graphics/x11vnc/x11vnc_0.9.16.bb | 1 +
 .../meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb | 5 +
 .../recipes-support/c-ares/c-ares_1.19.0.bb | 21 -
 .../recipes-support/c-ares/c-ares_1.19.1.bb | 21 +
 .../meta-oe/recipes-support/fftw/fftw_3.3.10.bb | 2 +-
 .../recipes-support/gnulib/gnulib_2018-12-18.bb | 2 +-
 .../iniparser/iniparser/CVE-2023-33461.patch | 52 +
 .../recipes-support/iniparser/iniparser_4.1.bb | 3 +-
 ...txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch | 43 +
 .../libcyusbserial/libcyusbserial_git.bb | 4 +-
 .../libgpiod-2.0/gpio-tools-test-bats-modify.patch | 67 +
 .../meta-oe/recipes-support/libgpiod/libgpiod.inc | 2 +-
 .../recipes-support/libgpiod/libgpiod_2.0.bb | 2 +
 .../meta-oe/recipes-support/libiio/libiio_git.bb | 2 +-
 .../meta-oe/recipes-support/mcelog/mcelog_191.bb | 11 +-
 .../opencv/opencv/CVE-2023-2617.patch | 88 +
 .../meta-oe/recipes-support/opencv/opencv_4.7.0.bb | 3 +-
 ...onfigure-Pass-pthread_t-to-pthread_detach.patch | 32 -
 .../recipes-support/openldap/openldap_2.5.13.bb | 238 -
 .../recipes-support/openldap/openldap_2.5.16.bb | 237 +
 .../opensc/files/CVE-2023-2977.patch | 54 +
 .../recipes-support/opensc/opensc_0.23.0.bb | 1 +
 .../poppler/poppler/CVE-2023-34872.patch | 46 +
 .../recipes-support/poppler/poppler_23.03.0.bb | 1 +
 .../0001-Fix-CMake-export-files-1077.patch | 117 +
 .../recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb | 1 +
 .../python/python3-appdirs/run-ptest | 2 +-
 .../python/python3-django_4.1.7.bb | 9 -
 .../python/python3-django_4.2.1.bb | 9 +
 .../python/python3-sqlparse/CVE-2023-30608.patch | 51 +
 .../python/python3-sqlparse_0.4.3.bb | 1 +
 .../imsettings/imsettings_1.8.3.bb | 2 +-
 poky/bitbake/lib/bb/runqueue.py | 16 +-
 poky/documentation/bsp-guide/bsp.rst | 6 +-
 poky/documentation/conf.py | 1 +
 .../contributor-guide/identify-component.rst | 31 +
 poky/documentation/contributor-guide/index.rst | 26 +
 .../contributor-guide/recipe-style-guide.rst | 338 +
 .../contributor-guide/report-defect.rst | 67 +
 .../contributor-guide/submit-changes.rst | 754 ++
 poky/documentation/dev-manual/building.rst | 4 +-
 poky/documentation/dev-manual/changes.rst | 525 --
 poky/documentation/dev-manual/debugging.rst | 7 +-
 poky/documentation/dev-manual/disk-space.rst | 38 +-
 poky/documentation/dev-manual/index.rst | 1 -
 poky/documentation/dev-manual/licenses.rst | 30 +-
 poky/documentation/dev-manual/new-recipe.rst | 13 +-
 poky/documentation/dev-manual/start.rst | 9 +-
 poky/documentation/dev-manual/vulnerabilities.rst | 2 +-
 poky/documentation/dev-manual/wic.rst | 2 +-
 poky/documentation/index.rst | 1 +
 .../documentation/migration-guides/release-4.0.rst | 3 +
 .../documentation/migration-guides/release-4.2.rst | 2 +
 .../migration-guides/release-notes-4.0.10.rst | 180 +
 .../migration-guides/release-notes-4.0.11.rst | 214 +
 .../migration-guides/release-notes-4.0.12.rst | 277 +
 .../migration-guides/release-notes-4.2.2.rst | 330 +
 .../migration-guides/release-notes-4.2.3.rst | 263 +
 .../overview-manual/development-environment.rst | 19 +-
 poky/documentation/profile-manual/usage.rst | 19 +-
 poky/documentation/ref-manual/images.rst | 16 +-
 poky/documentation/ref-manual/qa-checks.rst | 10 +-
 poky/documentation/ref-manual/release-process.rst | 21 +-
 poky/documentation/ref-manual/resources.rst | 7 +-
 poky/documentation/ref-manual/svg/releases.svg | 677 +-
 .../ref-manual/system-requirements.rst | 43 +-
 poky/documentation/ref-manual/terms.rst | 6 +-
 poky/documentation/ref-manual/variables.rst | 15 +-
 poky/documentation/sdk-manual/extensible.rst | 254 +-
 poky/documentation/template/template.svg | 2 +-
 poky/meta-poky/conf/distro/poky.conf | 11 +-
 .../license/incompatible-license-alias.bb | 2 +
 .../recipes-test/license/incompatible-license.bb | 2 +
 .../recipes-test/license/incompatible-licenses.bb | 2 +
 .../license/incompatible-nonspdx-license.bb | 2 +
 .../recipes-skeleton/useradd/useradd-example.bb | 2 +-
 poky/meta/classes-recipe/cargo.bbclass | 1 -
 poky/meta/classes-recipe/cargo_common.bbclass | 4 +
 poky/meta/classes-recipe/cmake.bbclass | 9 +-
 poky/meta/classes-recipe/cml1.bbclass | 2 +-
 poky/meta/classes-recipe/image_types.bbclass | 5 +-
 .../classes-recipe/kernel-module-split.bbclass | 65 +-
 poky/meta/classes-recipe/kernel.bbclass | 13 +-
 poky/meta/classes-recipe/meson.bbclass | 1 +
 poky/meta/classes-recipe/rootfs_rpm.bbclass | 4 +-
 poky/meta/classes-recipe/rust-common.bbclass | 4 +
 poky/meta/classes-recipe/testexport.bbclass | 6 +-
 poky/meta/classes-recipe/testimage.bbclass | 20 +-
 .../classes-recipe/uboot-extlinux-config.bbclass | 8 +-
 poky/meta/classes/externalsrc.bbclass | 7 +-
 poky/meta/classes/useradd-staticids.bbclass | 2 +-
 poky/meta/conf/bitbake.conf | 2 +-
 poky/meta/conf/distro/include/maintainers.inc | 66 +-
 .../conf/distro/include/ptest-packagelists.inc | 3 +-
 poky/meta/conf/distro/include/yocto-uninative.inc | 10 +-
 poky/meta/conf/layer.conf | 1 +
 poky/meta/conf/machine/include/arm/arch-arm64.inc | 5 +
 poky/meta/conf/multilib.conf | 1 +
 poky/meta/lib/oe/npm_registry.py | 2 +-
 poky/meta/lib/oe/package_manager/__init__.py | 5 +-
 poky/meta/lib/oe/package_manager/rpm/rootfs.py | 2 +-
 poky/meta/lib/oe/package_manager/rpm/sdk.py | 3 +-
 poky/meta/lib/oe/rootfs.py | 20 +-
 poky/meta/lib/oe/sdk.py | 2 +-
 poky/meta/lib/oeqa/core/target/qemu.py | 5 +-
 poky/meta/lib/oeqa/core/target/ssh.py | 7 +
 poky/meta/lib/oeqa/runtime/cases/ltp.py | 2 +-
 poky/meta/lib/oeqa/runtime/cases/rpm.py | 4 +-
 poky/meta/lib/oeqa/runtime/context.py | 11 +-
 poky/meta/lib/oeqa/selftest/cases/bbtests.py | 8 +
 poky/meta/lib/oeqa/selftest/cases/devtool.py | 32 +
 poky/meta/lib/oeqa/selftest/cases/glibc.py | 8 +-
 poky/meta/lib/oeqa/targetcontrol.py | 2 -
 poky/meta/lib/oeqa/utils/dump.py | 20 +-
 poky/meta/lib/oeqa/utils/gitarchive.py | 6 +-
 poky/meta/lib/oeqa/utils/nfs.py | 4 +-
 poky/meta/lib/oeqa/utils/qemurunner.py | 22 +-
 poky/meta/recipes-bsp/grub/files/determinism.patch | 2 +-
 poky/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb | 5 +-
 poky/meta/recipes-bsp/v86d/v86d_0.1.10.bb | 1 -
 .../0001-avoid-start-failure-with-bind-user.patch | 27 -
 ...lwresd-V-and-start-log-hide-build-options.patch | 35 -
 ...-searching-for-json-headers-searches-sysr.patch | 47 -
 .../recipes-connectivity/bind/bind-9.18.13/bind9 | 2 -
 .../bind/bind-9.18.13/conf.patch | 330 -
 .../bind/bind-9.18.13/generate-rndc-key.sh | 8 -
 .../init.d-add-support-for-read-only-rootfs.patch | 65 -
 .../make-etc-initd-bind-stop-work.patch | 42 -
 .../bind/bind-9.18.13/named.service | 22 -
 .../0001-avoid-start-failure-with-bind-user.patch | 27 +
 ...lwresd-V-and-start-log-hide-build-options.patch | 35 +
 ...-searching-for-json-headers-searches-sysr.patch | 47 +
 poky/meta/recipes-connectivity/bind/bind/bind9 | 2 +
 .../meta/recipes-connectivity/bind/bind/conf.patch | 330 +
 .../bind/bind/generate-rndc-key.sh | 8 +
 .../init.d-add-support-for-read-only-rootfs.patch | 65 +
 .../bind/bind/make-etc-initd-bind-stop-work.patch | 42 +
 .../recipes-connectivity/bind/bind/named.service | 22 +
 .../meta/recipes-connectivity/bind/bind_9.18.13.bb | 113 -
 .../meta/recipes-connectivity/bind/bind_9.18.19.bb | 113 +
 poky/meta/recipes-connectivity/connman/connman.inc | 1 +
 ...303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | 284 +
 ...d-Fix-multiple-definitions-of-errcatch-an.patch | 58 -
 ...3-40303-Indent-changes-in-previous-commit.patch | 258 +
 .../inetutils/fix-buffer-fortify-tfpt.patch | 25 -
 .../inetutils/inetutils_2.4.bb | 2 +
 .../mobile-broadband-provider-info_git.bb | 4 +-
 .../7280401bdd77ca54be6867a154cc01e0d72612e0.patch | 994 +++
 .../recipes-connectivity/openssh/openssh_9.3p1.bb | 176 -
 .../recipes-connectivity/openssh/openssh_9.3p2.bb | 177 +
 .../0001-Configure-do-not-tweak-mips-cflags.patch | 19 +-
 .../openssl/openssl/CVE-2023-0464.patch | 226 -
 .../recipes-connectivity/openssl/openssl_3.1.0.bb | 259 -
 .../recipes-connectivity/openssl/openssl_3.1.2.bb | 260 +
 .../recipes-core/busybox/busybox-inittab_1.36.0.bb | 85 -
 .../recipes-core/busybox/busybox-inittab_1.36.1.bb | 85 +
 poky/meta/recipes-core/busybox/busybox_1.36.0.bb | 56 -
 poky/meta/recipes-core/busybox/busybox_1.36.1.bb | 56 +
 poky/meta/recipes-core/dbus/dbus_1.14.6.bb | 187 -
 poky/meta/recipes-core/dbus/dbus_1.14.8.bb | 187 +
 .../dropbear/dropbear/CVE-2023-36328.patch | 144 +
 .../meta/recipes-core/dropbear/dropbear_2022.83.bb | 1 +
 poky/meta/recipes-core/ell/ell_0.56.bb | 22 -
 poky/meta/recipes-core/ell/ell_0.57.bb | 22 +
 .../glib-networking/glib-networking/eagain.patch | 2 +-
 poky/meta/recipes-core/glibc/glibc-locale.inc | 8 +-
 .../recipes-core/glibc/glibc-testsuite_2.37.bb | 1 +
 poky/meta/recipes-core/glibc/glibc-version.inc | 2 +-
 .../glibc/glibc/0023-CVE-2023-4527.patch | 219 +
 .../recipes-core/glibc/glibc/check-test-wrapper | 2 +-
 poky/meta/recipes-core/glibc/glibc_2.37.bb | 5 +-
 poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb | 5 +
 .../images/build-appliance-image_15.0.0.bb | 2 +-
 poky/meta/recipes-core/images/core-image-ptest.bb | 1 +
 poky/meta/recipes-core/libxcrypt/libxcrypt.inc | 6 -
 poky/meta/recipes-core/libxml/libxml2_2.10.3.bb | 101 -
 poky/meta/recipes-core/libxml/libxml2_2.10.4.bb | 103 +
 poky/meta/recipes-core/meta/build-sysroots.bb | 7 +-
 .../recipes-core/meta/cve-update-nvd2-native.bb | 66 +-
 .../ncurses/files/0001-Fix-CVE-2023-29491.patch | 462 ++
 poky/meta/recipes-core/ncurses/ncurses_6.4.bb | 1 +
 .../libgloss/fix_makefile_include_arm_h.patch | 30 -
 .../recipes-core/sysfsutils/sysfsutils_2.1.0.bb | 10 +-
 .../systemd/systemd-systemctl/systemctl | 9 +-
 .../systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch | 29 -
 poky/meta/recipes-core/systemd/systemd_253.1.bb | 1 -
 .../recipes-core/util-linux/util-linux_2.38.1.bb | 2 +
 .../automake/automake/buildtest.patch | 2 +-
 .../recipes-devtools/binutils/binutils-2.40.inc | 4 +-
 poky/meta/recipes-devtools/binutils/binutils.inc | 2 +
 ...gal-memory-access-when-an-accessing-a-zer.patch | 43 +
 .../binutils/binutils/0017-CVE-2023-39128.patch | 74 +
 .../recipes-devtools/binutils/binutils_2.40.bb | 1 -
 .../dmidecode/dmidecode/CVE-2023-30630_1.patch | 237 +
 .../dmidecode/dmidecode/CVE-2023-30630_2.patch | 81 +
 .../dmidecode/dmidecode/CVE-2023-30630_3.patch | 69 +
 .../dmidecode/dmidecode/CVE-2023-30630_4.patch | 137 +
 .../recipes-devtools/dmidecode/dmidecode_3.4.bb | 4 +
 poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb | 3 +-
 poky/meta/recipes-devtools/dpkg/dpkg_1.21.21.bb | 23 -
 poky/meta/recipes-devtools/dpkg/dpkg_1.21.22.bb | 23 +
 .../erofs-utils/erofs-utils/CVE-2023-33551.patch | 80 +
 .../erofs-utils/erofs-utils/CVE-2023-33552-1.patch | 221 +
 .../erofs-utils/erofs-utils/CVE-2023-33552-2.patch | 97 +
 .../erofs-utils/erofs-utils/CVE-2023-33552-3.patch | 127 +
 .../erofs-utils/erofs-utils_1.5.bb | 4 +
 poky/meta/recipes-devtools/file/file_5.44.bb | 58 -
 poky/meta/recipes-devtools/file/file_5.45.bb | 59 +
 poky/meta/recipes-devtools/gcc/gcc-12.2.inc | 114 -
 poky/meta/recipes-devtools/gcc/gcc-12.3.inc | 116 +
 .../recipes-devtools/gcc/gcc-configure-common.inc | 1 -
 .../gcc/gcc-cross-canadian_12.2.bb | 5 -
 .../gcc/gcc-cross-canadian_12.3.bb | 5 +
 poky/meta/recipes-devtools/gcc/gcc-cross_12.2.bb | 3 -
 poky/meta/recipes-devtools/gcc/gcc-cross_12.3.bb | 3 +
 poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc | 2 +
 .../meta/recipes-devtools/gcc/gcc-crosssdk_12.2.bb | 2 -
 .../meta/recipes-devtools/gcc/gcc-crosssdk_12.3.bb | 2 +
 poky/meta/recipes-devtools/gcc/gcc-runtime_12.2.bb | 2 -
 poky/meta/recipes-devtools/gcc/gcc-runtime_12.3.bb | 2 +
 .../recipes-devtools/gcc/gcc-sanitizers_12.2.bb | 7 -
 .../recipes-devtools/gcc/gcc-sanitizers_12.3.bb | 7 +
 poky/meta/recipes-devtools/gcc/gcc-source_12.2.bb | 4 -
 poky/meta/recipes-devtools/gcc/gcc-source_12.3.bb | 4 +
 poky/meta/recipes-devtools/gcc/gcc-testsuite.inc | 5 +-
 ...6-aarch64-Fix-loose-ldpstp-check-PR111411.patch | 117 +
 .../recipes-devtools/gcc/gcc/CVE-2023-4039.patch | 3093 +++++++++
 poky/meta/recipes-devtools/gcc/gcc_12.2.bb | 14 -
 poky/meta/recipes-devtools/gcc/gcc_12.3.bb | 14 +
 .../recipes-devtools/gcc/libgcc-initial_12.2.bb | 5 -
 .../recipes-devtools/gcc/libgcc-initial_12.3.bb | 5 +
 poky/meta/recipes-devtools/gcc/libgcc_12.2.bb | 5 -
 poky/meta/recipes-devtools/gcc/libgcc_12.3.bb | 5 +
 poky/meta/recipes-devtools/gcc/libgfortran_12.2.bb | 3 -
 poky/meta/recipes-devtools/gcc/libgfortran_12.3.bb | 3 +
 .../gdb/gdb-cross-canadian_13.1.bb | 3 -
 .../gdb/gdb-cross-canadian_13.2.bb | 3 +
 poky/meta/recipes-devtools/gdb/gdb-cross_13.1.bb | 2 -
 poky/meta/recipes-devtools/gdb/gdb-cross_13.2.bb | 2 +
 poky/meta/recipes-devtools/gdb/gdb.inc | 5 +-
 ...ck-for-valid-inferior-thread-regcache-bef.patch | 286 -
 .../gdb/gdb/0009-CVE-2023-39128.patch | 75 +
 ...inux-low.cc-Fix-a-typo-in-ternary-operato.patch | 24 -
 poky/meta/recipes-devtools/gdb/gdb_13.1.bb | 39 -
 poky/meta/recipes-devtools/gdb/gdb_13.2.bb | 39 +
 poky/meta/recipes-devtools/git/git_2.39.2.bb | 173 -
 poky/meta/recipes-devtools/git/git_2.39.3.bb | 173 +
 poky/meta/recipes-devtools/go/go-1.20.4.inc | 18 -
 poky/meta/recipes-devtools/go/go-1.20.7.inc | 20 +
 .../recipes-devtools/go/go-binary-native_1.20.4.bb | 50 -
 .../recipes-devtools/go/go-binary-native_1.20.7.bb | 50 +
 .../go/go-cross-canadian_1.20.4.bb | 2 -
 .../go/go-cross-canadian_1.20.7.bb | 2 +
 poky/meta/recipes-devtools/go/go-cross_1.20.4.bb | 2 -
 poky/meta/recipes-devtools/go/go-cross_1.20.7.bb | 2 +
 .../meta/recipes-devtools/go/go-crosssdk_1.20.4.bb | 2 -
 .../meta/recipes-devtools/go/go-crosssdk_1.20.7.bb | 2 +
 poky/meta/recipes-devtools/go/go-native_1.20.4.bb | 58 -
 poky/meta/recipes-devtools/go/go-native_1.20.7.bb | 58 +
 poky/meta/recipes-devtools/go/go-runtime_1.20.4.bb | 3 -
 poky/meta/recipes-devtools/go/go-runtime_1.20.7.bb | 3 +
 .../recipes-devtools/go/go/CVE-2023-24531_1.patch | 266 +
 .../recipes-devtools/go/go/CVE-2023-24531_2.patch | 47 +
 poky/meta/recipes-devtools/go/go_1.20.4.bb | 18 -
 poky/meta/recipes-devtools/go/go_1.20.7.bb | 18 +
 poky/meta/recipes-devtools/libdnf/libdnf_0.70.0.bb | 35 -
 poky/meta/recipes-devtools/libdnf/libdnf_0.70.1.bb | 35 +
 poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +
 .../opkg-utils/opkg-utils_0.5.0.bb | 65 -
 .../opkg-utils/opkg-utils_0.6.2.bb | 65 +
 ...nof-using-_Alignof-when-using-C11-or-newe.patch | 51 -
 ...key-remove-no-options-flag-from-gpg-calls.patch | 34 -
 poky/meta/recipes-devtools/opkg/opkg_0.6.1.bb | 77 -
 poky/meta/recipes-devtools/opkg/opkg_0.6.2.bb | 75 +
 .../perl/files/CVE-2023-31484.patch | 29 +
 .../perl/files/CVE-2023-31486-0001.patch | 217 +
 .../perl/files/CVE-2023-31486-0002.patch | 30 +
 poky/meta/recipes-devtools/perl/perl_5.36.0.bb | 3 +
 .../meta/recipes-devtools/pkgconf/pkgconf_1.9.4.bb | 67 -
 .../meta/recipes-devtools/pkgconf/pkgconf_1.9.5.bb | 67 +
 .../recipes-devtools/pseudo/files/glibc238.patch | 72 +
 poky/meta/recipes-devtools/pseudo/pseudo_git.bb | 1 +
 .../python/python3-bcrypt_4.0.1.bb | 1 +
 .../python/python3-certifi_2022.12.7.bb | 14 -
 .../python/python3-certifi_2023.7.22.bb | 14 +
 .../recipes-devtools/python/python3-git_3.1.31.bb | 32 -
 .../recipes-devtools/python/python3-git_3.1.37.bb | 32 +
 ...-simd.inc.src-Change-NPY_INLINE-to-inline.patch | 135 +
 .../python/python3-numpy_1.24.2.bb | 1 +
 .../python3-pygments/CVE-2022-40896-0001.patch | 49 +
 .../python3-pygments/CVE-2022-40896-0002.patch | 301 +
 .../python/python3-pygments_2.14.0.bb | 4 +
 .../python/python3-requests/CVE-2023-32681.patch | 61 +
 .../python/python3-requests_2.28.2.bb | 2 +
 ...Don-t-search-system-for-headers-libraries.patch | 2 +-
 ...handle-stdin-I-O-errors-same-way-as-maste.patch | 12 +-
 ...ig.py-use-prefix-value-from-build-configu.patch | 2 +-
 ...2-distutils-prefix-is-inside-staging-area.patch | 2 +-
 .../python/python3/get_module_deps3.py | 2 +-
 .../recipes-devtools/python/python3/makerace.patch | 8 +-
 .../meta/recipes-devtools/python/python3_3.11.2.bb | 445 --
 .../meta/recipes-devtools/python/python3_3.11.5.bb | 447 ++
 poky/meta/recipes-devtools/qemu/qemu.inc | 5 +
 ...se-relative-paths-for-line-preprocessor-d.patch | 2 +-
 .../recipes-devtools/qemu/qemu/CVE-2023-0330.patch | 75 +
 .../recipes-devtools/qemu/qemu/CVE-2023-2861.patch | 171 +
 .../recipes-devtools/qemu/qemu/CVE-2023-3255.patch | 65 +
 .../recipes-devtools/qemu/qemu/CVE-2023-3301.patch | 65 +
 .../recipes-devtools/qemu/qemu/CVE-2023-3354.patch | 88 +
 .../qemu/qemu/qemu-7.0.0-glibc-2.36.patch | 46 -
 poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb | 5 +-
 .../ruby/ruby/CVE-2023-36617_1.patch | 56 +
 .../ruby/ruby/CVE-2023-36617_2.patch | 52 +
 poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb | 2 +
 poky/meta/recipes-devtools/rust/rust-source.inc | 5 -
 .../0001-caps-abbrev.awk-fix-gawk-s-path.patch | 47 -
 .../3bbfb541b258baec9eba674b5d8dc30007a61542.patch | 50 +
 .../f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch | 50 +
 .../strace/strace/update-gawk-paths.patch | 30 +
 poky/meta/recipes-devtools/strace/strace_6.2.bb | 3 +-
 .../recipes-devtools/tcf-agent/tcf-agent_git.bb | 4 +-
 poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 6 +
 .../recipes-extended/acpica/acpica_20220331.bb | 2 +-
 .../baremetal-example/baremetal-helloworld_git.bb | 4 +-
 poky/meta/recipes-extended/cups/cups.inc | 2 +
 .../cups/cups/CVE-2023-32324.patch | 36 +
 .../cups/cups/CVE-2023-34241.patch | 70 +
 .../0001-Skip-strip-trailing-cr-test-case.patch | 19 +-
 .../recipes-extended/diffutils/diffutils_3.10.bb | 43 +
 .../recipes-extended/diffutils/diffutils_3.9.bb | 43 -
 poky/meta/recipes-extended/gawk/gawk_5.2.1.bb | 87 -
 poky/meta/recipes-extended/gawk/gawk_5.2.2.bb | 87 +
 .../ghostscript/ghostscript/CVE-2023-38559.patch | 31 +
 .../ghostscript/ghostscript/cve-2023-36664.patch | 165 +
 .../ghostscript/ghostscript_10.0.0.bb | 2 +
 .../libarchive/libarchive_3.6.2.bb | 3 +
 .../meta/recipes-extended/libnss-nis/libnss-nis.bb | 4 +-
 .../recipes-extended/logrotate/logrotate_3.21.0.bb | 1 -
 poky/meta/recipes-extended/ltp/ltp_20230127.bb | 3 +
 ...F-Cleanup-validate_geometry_ddf_container.patch | 148 +
 ...broken-files-for-04update-uuid-and-07reve.patch | 39 +
 ...L-pointer-dereference-in-validate_geometr.patch | 56 +
 ...Fix-use-after-close-bug-by-closing-after-.patch | 91 +
 ...id-segfault-when-calling-NULL-get_bad_blo.patch | 42 +
 ...test-Mark-and-ignore-broken-test-failures.patch | 128 +
 ...sts-Add-broken-files-for-all-broken-tests.patch | 454 ++
 poky/meta/recipes-extended/mdadm/files/run-ptest | 2 +-
 poky/meta/recipes-extended/mdadm/mdadm_4.2.bb | 17 +-
 ...p-superfluous-global-variable-definitions.patch | 35 -
 ...p-superfluous-global-variable-definitions.patch | 37 -
 ...p-superfluous-global-variable-definitions.patch | 42 -
 ...uid-to-linker-flags-for-libparted-fs-resi.patch | 34 +
 poky/meta/recipes-extended/parted/parted_3.5.bb | 1 +
 .../procps/procps/CVE-2023-4016.patch | 73 +
 poky/meta/recipes-extended/procps/procps_4.0.3.bb | 1 +
 poky/meta/recipes-extended/psmisc/psmisc.inc | 2 +
 .../recipes-extended/rpcsvc-proto/rpcsvc-proto.bb | 5 +-
 ...LARGEFILE-macro-to-control-largefile-supp.patch | 80 -
 .../0001-Use-cross-compiled-rpcgen.patch | 11 +-
 .../shadow/files/login.defs_shadow-sysroot | 1 +
 .../recipes-extended/shadow/shadow-sysroot_4.6.bb | 2 +-
 .../recipes-extended/tar/tar/CVE-2022-48303.patch | 43 -
 poky/meta/recipes-extended/tar/tar_1.34.bb | 70 -
 poky/meta/recipes-extended/tar/tar_1.35.bb | 68 +
 ...igure-fix-detection-for-cross-compilation.patch | 103 +
 poky/meta/recipes-extended/unzip/unzip_6.0.bb | 4 +-
 poky/meta/recipes-extended/wget/wget.inc | 2 +-
 poky/meta/recipes-extended/wget/wget_1.21.3.bb | 7 -
 poky/meta/recipes-extended/wget/wget_1.21.4.bb | 7 +
 ...ure-use-_Static_assert-to-do-correct-dete.patch | 96 +
 poky/meta/recipes-extended/zip/zip_3.0.bb | 4 +-
 .../gobject-introspection_1.74.0.bb | 2 +-
 poky/meta/recipes-gnome/gtk+/gtk4_4.10.3.bb | 129 -
 poky/meta/recipes-gnome/gtk+/gtk4_4.10.5.bb | 129 +
 poky/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb | 77 -
 poky/meta/recipes-gnome/librsvg/librsvg_2.54.6.bb | 77 +
 .../recipes-graphics/freetype/freetype_2.13.0.bb | 45 -
 .../recipes-graphics/freetype/freetype_2.13.1.bb | 45 +
 .../graphene/files/float-div.patch | 28 +
 .../recipes-graphics/graphene/graphene_1.10.8.bb | 2 +
 .../jpeg/files/CVE-2023-2804-1.patch | 103 +
 .../jpeg/files/CVE-2023-2804-2.patch | 75 +
 .../recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb | 2 +
 poky/meta/recipes-graphics/wayland/weston-init.bb | 46 +-
 .../wayland/weston-init/weston-socket.sh | 20 +
 .../meta/recipes-graphics/wayland/weston_11.0.1.bb | 4 +-
 .../recipes-graphics/xorg-app/xdpyinfo_1.3.3.bb | 20 -
 .../recipes-graphics/xorg-app/xdpyinfo_1.3.4.bb | 20 +
 ...ry-leak-in-XRegisterIMInstantiateCallback.patch | 57 -
 .../meta/recipes-graphics/xorg-lib/libx11_1.8.4.bb | 45 -
 .../meta/recipes-graphics/xorg-lib/libx11_1.8.6.bb | 43 +
 .../meta/recipes-graphics/xorg-lib/libxft_2.3.7.bb | 32 -
 .../meta/recipes-graphics/xorg-lib/libxft_2.3.8.bb | 32 +
 .../recipes-graphics/xorg-lib/libxpm_3.5.15.bb | 27 -
 .../recipes-graphics/xorg-lib/libxpm_3.5.16.bb | 27 +
 .../recipes-graphics/xorg-lib/pixman_0.42.2.bb | 2 +-
 ...-btt_plot.py-Ask-for-python3-specifically.patch | 35 +
 poky/meta/recipes-kernel/blktrace/blktrace_git.bb | 4 +-
 poky/meta/recipes-kernel/kmod/kmod/ptest.patch | 25 -
 .../linux-firmware/linux-firmware_20230404.bb | 1157 ---
 .../linux-firmware/linux-firmware_20230625.bb | 1178 ++++
 .../recipes-kernel/linux/cve-exclusion_6.1.inc | 7339 +++++++++++++++++++-
 .../linux/generate-cve-exclusions.py | 101 +
 .../recipes-kernel/linux/linux-yocto-rt_5.15.bb | 6 +-
 .../recipes-kernel/linux/linux-yocto-rt_6.1.bb | 6 +-
 .../recipes-kernel/linux/linux-yocto-tiny_5.15.bb | 6 +-
 .../recipes-kernel/linux/linux-yocto-tiny_6.1.bb | 6 +-
 poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +-
 poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb | 28 +-
 .../meta/recipes-kernel/lttng/babeltrace2_2.0.4.bb | 94 -
 .../meta/recipes-kernel/lttng/babeltrace2_2.0.5.bb | 95 +
 poky/meta/recipes-kernel/lttng/lttng-ust_2.13.5.bb | 53 -
 poky/meta/recipes-kernel/lttng/lttng-ust_2.13.6.bb | 53 +
 poky/meta/recipes-kernel/perf/perf.bb | 6 +-
 .../wireless-regdb/wireless-regdb_2023.02.13.bb | 43 -
 .../wireless-regdb/wireless-regdb_2023.05.03.bb | 43 +
 ...pzaenc-stop-accessing-out-of-bounds-frame.patch | 89 -
 ...smcenc-stop-accessing-out-of-bounds-frame.patch | 108 -
 .../ffmpeg/ffmpeg/ffmpeg-fix-vulkan.patch | 34 -
 .../meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb | 182 -
 .../meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.3.bb | 185 +
 .../gstreamer/gst-devtools_1.22.2.bb | 52 -
 .../gstreamer/gst-devtools_1.22.5.bb | 52 +
 .../gstreamer/gstreamer1.0-libav_1.22.2.bb | 28 -
 .../gstreamer/gstreamer1.0-libav_1.22.5.bb | 28 +
 .../gstreamer/gstreamer1.0-omx_1.22.2.bb | 47 -
 .../gstreamer/gstreamer1.0-omx_1.22.5.bb | 47 +
 .../gstreamer/gstreamer1.0-plugins-bad_1.22.2.bb | 165 -
 .../gstreamer/gstreamer1.0-plugins-bad_1.22.5.bb | 165 +
 .../gstreamer/gstreamer1.0-plugins-base_1.22.2.bb | 94 -
 .../gstreamer/gstreamer1.0-plugins-base_1.22.5.bb | 94 +
 .../gstreamer/gstreamer1.0-plugins-good_1.22.2.bb | 81 -
 .../gstreamer/gstreamer1.0-plugins-good_1.22.5.bb | 81 +
 .../gstreamer/gstreamer1.0-plugins-ugly_1.22.2.bb | 46 -
 .../gstreamer/gstreamer1.0-plugins-ugly_1.22.5.bb | 46 +
 .../gstreamer/gstreamer1.0-python_1.22.2.bb | 30 -
 .../gstreamer/gstreamer1.0-python_1.22.5.bb | 30 +
 .../gstreamer/gstreamer1.0-rtsp-server_1.22.2.bb | 31 -
 .../gstreamer/gstreamer1.0-rtsp-server_1.22.5.bb | 31 +
 .../gstreamer/gstreamer1.0-vaapi_1.22.2.bb | 53 -
 .../gstreamer/gstreamer1.0-vaapi_1.22.5.bb | 53 +
 .../gstreamer/gstreamer1.0_1.22.2.bb | 74 -
 .../gstreamer/gstreamer1.0_1.22.5.bb | 74 +
 .../libtiff/files/CVE-2022-48281.patch | 29 -
 poky/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 67 -
 poky/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb | 61 +
 poky/meta/recipes-multimedia/webp/libwebp_1.3.0.bb | 55 -
 poky/meta/recipes-multimedia/webp/libwebp_1.3.1.bb | 55 +
 .../webkit/webkitgtk/CVE-2023-32435.patch | 59 +
 .../webkit/webkitgtk/CVE-2023-32439.patch | 128 +
 poky/meta/recipes-sato/webkit/webkitgtk_2.38.5.bb | 158 -
 poky/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb | 160 +
 poky/meta/recipes-support/apr/apr_1.7.3.bb | 137 -
 poky/meta/recipes-support/apr/apr_1.7.4.bb | 137 +
 .../recipes-support/curl/curl/CVE-2023-28319.patch | 38 +
 .../curl/curl/CVE-2023-28320-fol1.patch | 80 +
 .../recipes-support/curl/curl/CVE-2023-28320.patch | 88 +
 .../recipes-support/curl/curl/CVE-2023-28321.patch | 111 +
 .../recipes-support/curl/curl/CVE-2023-28322.patch | 441 ++
 .../recipes-support/curl/curl/CVE-2023-32001.patch | 39 +
 poky/meta/recipes-support/curl/curl/disable-tests | 2 +
 poky/meta/recipes-support/curl/curl/run-ptest | 2 +-
 poky/meta/recipes-support/curl/curl_8.0.1.bb | 6 +
 .../meta/recipes-support/fribidi/fribidi_1.0.12.bb | 20 -
 .../meta/recipes-support/fribidi/fribidi_1.0.13.bb | 20 +
 ...c-use-a-custom-value-for-the-location-of-.patch | 6 +-
 .../recipes-support/gnupg/gnupg/relocate.patch | 18 +-
 poky/meta/recipes-support/gnupg/gnupg_2.4.0.bb | 87 -
 poky/meta/recipes-support/gnupg/gnupg_2.4.2.bb | 89 +
 .../recipes-support/libassuan/libassuan_2.5.5.bb | 38 -
 .../recipes-support/libassuan/libassuan_2.5.6.bb | 38 +
 poky/meta/recipes-support/libksba/libksba_1.6.3.bb | 34 -
 poky/meta/recipes-support/libksba/libksba_1.6.4.bb | 34 +
 .../libmicrohttpd/libmicrohttpd_0.9.76.bb | 27 -
 .../libmicrohttpd/libmicrohttpd_0.9.77.bb | 27 +
 .../recipes-support/libproxy/libproxy_0.4.18.bb | 7 +-
 .../libssh2/libssh2/CVE-2020-22218.patch | 34 +
 .../meta/recipes-support/libssh2/libssh2_1.10.0.bb | 1 +
 .../nghttp2/nghttp2/CVE-2023-35945.patch | 151 +
 .../meta/recipes-support/nghttp2/nghttp2_1.52.0.bb | 1 +
 .../ptest-runner/ptest-runner_2.4.2.bb | 2 +-
 ...of-a-print-in-the-scons-file-to-unbreak-b.patch | 29 -
 ...ets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch | 28 -
 ...o-r1811083-fix-building-with-scons-3.0.0-.patch | 29 -
 ...irectories.without.sandbox-install.prefix.patch | 2 +-
 poky/meta/recipes-support/serf/serf_1.3.10.bb | 40 +
 poky/meta/recipes-support/serf/serf_1.3.9.bb | 44 -
 poky/meta/recipes-support/taglib/taglib_1.13.1.bb | 41 +
 poky/meta/recipes-support/taglib/taglib_1.13.bb | 41 -
 poky/meta/recipes-support/vim/vim.inc | 11 +-
 poky/scripts/create-pull-request | 7 +-
 poky/scripts/lib/devtool/standard.py | 2 +-
 poky/scripts/lib/devtool/upgrade.py | 2 +
 poky/scripts/lib/recipetool/create.py | 4 +
 poky/scripts/lib/resulttool/regression.py | 16 +-
 poky/scripts/lib/resulttool/report.py | 5 +-
 poky/scripts/lib/resulttool/resultutils.py | 6 +-
 poky/scripts/lib/wic/partition.py | 2 +-
 poky/scripts/lib/wic/plugins/source/bootimg-efi.py | 2 +
 poky/scripts/oe-setup-builddir | 14 +-
 poky/scripts/runqemu | 48 +-
 poky/scripts/runqemu-gen-tapdevs | 89 +-
 poky/scripts/runqemu-ifdown | 14 +-
 poky/scripts/runqemu-ifup | 31 +-
 707 files changed, 38910 insertions(+), 23344 deletions(-)
 create mode 100644 meta-arm/ci/n1sdp-ts.yml
 create mode 100644 meta-arm/ci/qemuarm64-secureboot-ts.yml
 delete mode 100644 meta-arm/ci/trusted-services.yml
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/n1sdp/0001-Reserve-OP-TEE-memory-from-nwd.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-efi_boottime-allow-to-reset-a-path-after-boot.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-fwu_metadata-make-sure-structures-are-packed.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-corstone1000-add-boot-index.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-fwu_metadata-make-sure-structures-are-packed.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-add-boot-index.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-adjust-boot-bank-and-kernel-location.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-adjust-boot-bank-and-kernel-location.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-nvmxip-move-header-to-include.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-nvmxip-move-header-to-include.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-boot-index-from-active.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-boot-index-from-active.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-enable-PSCI-reset.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-Enable-EFI-set-get-time-services.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-corstone1000-enable-PSCI-reset.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-openamp-to-SE-proxy-deployment.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Add-openamp-rpc-caller.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-add-psa-client-definitions-for-ff-m.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Add-common-service-component-to-ipc-support.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Add-secure-storage-ipc-backend.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch
 create mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-Run-psa-arch-test.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Use-address-instead-of-pointers.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-add-psa-ipc-crypto-backend.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Add-stub-capsule-update-service-components.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Configure-storage-size.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Integrate-remaining-psa-ipc-client-APIs.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-plat-corstone1000-change-default-smm-values.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0020-FMP-Support-in-Corstone1000.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-smm_gateway-add-checks-for-null-attributes.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-GetNextVariableName-Fix.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0023-Use-the-stateless-platform-service.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch
 delete mode 100644 meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch
 create mode 100644 meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch
 create mode 100644 meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch
 create mode 100644 meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg
 create mode 100644 meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc
 create mode 100644 meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend
 create mode 100644 meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc
 delete mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch
 create mode 100644 meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend
 create mode 100644 meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch
 create mode 100644 meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
 create mode 100644 meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb
 create mode 100644 meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb
 create mode 100644 meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb
 delete mode 100644 meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb
 create mode 100644 meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
 create mode 100644 meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch
 create mode 100644
meta-openembedded/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch delete mode 100644 meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb create mode 100644 meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch delete mode 100644 meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.3.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay/0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch delete mode 100644 meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch delete mode 100644 meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.13.bb create mode 100644 meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb create mode 100644 
meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch create mode 100644 meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch create mode 100644 meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch create mode 100644 meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch delete mode 100755 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.14/oe-npm-cache create mode 100755 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.17/oe-npm-cache delete mode 100644 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.14.bb create mode 100644 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.17.bb delete mode 100644 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.14.2.bb create mode 100644 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.17.1.bb delete mode 100644 meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.6.bb create mode 100644 meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.8.bb create mode 100644 meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_1.patch create mode 100644 meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_2.patch create mode 100644 meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-31975.patch create mode 100644 meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-37732.patch create mode 100644 meta-openembedded/meta-oe/recipes-extended/hwloc/files/CVE-2022-47022.patch create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0001-src-Do-not-reset-FINAL_LIBS.patch create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0006-Define-correct-gregs-for-RISCV32.patch create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/GNU_SOURCE-7.patch create mode 100644 
meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/hiredis-use-default-CC-if-it-is-set.patch create mode 100755 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/init-redis-server create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/lua-update-Makefile-to-use-environment-build-setting.patch create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/oe-use-libc-malloc.patch create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.conf create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.service delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0001-src-Do-not-reset-FINAL_LIBS.patch delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0006-Define-correct-gregs-for-RISCV32.patch delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/GNU_SOURCE-7.patch delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/hiredis-use-default-CC-if-it-is-set.patch delete mode 100755 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/init-redis-server delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/lua-update-Makefile-to-use-environment-build-setting.patch delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/oe-use-libc-malloc.patch delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.conf delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.service delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.12.bb create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb delete mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.11.bb create mode 100644 meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.12.bb create mode 100644 
meta-openembedded/meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch delete mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb create mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.1.bb create mode 100644 meta-openembedded/meta-oe/recipes-support/iniparser/iniparser/CVE-2023-33461.patch create mode 100644 meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial/0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch create mode 100644 meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod-2.0/gpio-tools-test-bats-modify.patch create mode 100644 meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch delete mode 100644 meta-openembedded/meta-oe/recipes-support/openldap/openldap/0001-configure-Pass-pthread_t-to-pthread_detach.patch delete mode 100644 meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.13.bb create mode 100644 meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.16.bb create mode 100644 meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2023-2977.patch create mode 100644 meta-openembedded/meta-oe/recipes-support/poppler/poppler/CVE-2023-34872.patch create mode 100644 meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp/0001-Fix-CMake-export-files-1077.patch delete mode 100644 meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.1.7.bb create mode 100644 meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.2.1.bb create mode 100644 meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch create mode 100644 poky/documentation/contributor-guide/identify-component.rst create mode 100644 poky/documentation/contributor-guide/index.rst create mode 100644 poky/documentation/contributor-guide/recipe-style-guide.rst create mode 100644 poky/documentation/contributor-guide/report-defect.rst create mode 100644 
poky/documentation/contributor-guide/submit-changes.rst delete mode 100644 poky/documentation/dev-manual/changes.rst create mode 100644 poky/documentation/migration-guides/release-notes-4.0.10.rst create mode 100644 poky/documentation/migration-guides/release-notes-4.0.11.rst create mode 100644 poky/documentation/migration-guides/release-notes-4.0.12.rst create mode 100644 poky/documentation/migration-guides/release-notes-4.2.2.rst create mode 100644 poky/documentation/migration-guides/release-notes-4.2.3.rst delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-avoid-start-failure-with-bind-user.patch delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/bind-ensure-searching-for-json-headers-searches-sysr.patch delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/bind9 delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/conf.patch delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/generate-rndc-key.sh delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/init.d-add-support-for-read-only-rootfs.patch delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/make-etc-initd-bind-stop-work.patch delete mode 100644 poky/meta/recipes-connectivity/bind/bind-9.18.13/named.service create mode 100644 poky/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/bind9 create mode 100644 poky/meta/recipes-connectivity/bind/bind/conf.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh create mode 
100644 poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/named.service delete mode 100644 poky/meta/recipes-connectivity/bind/bind_9.18.13.bb create mode 100644 poky/meta/recipes-connectivity/bind/bind_9.18.19.bb create mode 100644 poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch delete mode 100644 poky/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch create mode 100644 poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch delete mode 100644 poky/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch create mode 100644 poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch delete mode 100644 poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb create mode 100644 poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb delete mode 100644 poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch delete mode 100644 poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb create mode 100644 poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb delete mode 100644 poky/meta/recipes-core/busybox/busybox-inittab_1.36.0.bb create mode 100644 poky/meta/recipes-core/busybox/busybox-inittab_1.36.1.bb delete mode 100644 poky/meta/recipes-core/busybox/busybox_1.36.0.bb create mode 100644 poky/meta/recipes-core/busybox/busybox_1.36.1.bb delete mode 100644 poky/meta/recipes-core/dbus/dbus_1.14.6.bb create mode 100644 poky/meta/recipes-core/dbus/dbus_1.14.8.bb create mode 100644 poky/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch delete mode 100644 poky/meta/recipes-core/ell/ell_0.56.bb create mode 100644 
poky/meta/recipes-core/ell/ell_0.57.bb create mode 100644 poky/meta/recipes-core/glibc/glibc/0023-CVE-2023-4527.patch delete mode 100644 poky/meta/recipes-core/libxml/libxml2_2.10.3.bb create mode 100644 poky/meta/recipes-core/libxml/libxml2_2.10.4.bb create mode 100644 poky/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch delete mode 100644 poky/meta/recipes-core/newlib/libgloss/fix_makefile_include_arm_h.patch delete mode 100644 poky/meta/recipes-core/systemd/systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch create mode 100644 poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch create mode 100644 poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch create mode 100644 poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch create mode 100644 poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch delete mode 100644 poky/meta/recipes-devtools/dpkg/dpkg_1.21.21.bb create mode 100644 poky/meta/recipes-devtools/dpkg/dpkg_1.21.22.bb create mode 100644 poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch create mode 100644 poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-1.patch create mode 100644 poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-2.patch create mode 100644 poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-3.patch delete mode 100644 poky/meta/recipes-devtools/file/file_5.44.bb create mode 100644 poky/meta/recipes-devtools/file/file_5.45.bb delete mode 100644 poky/meta/recipes-devtools/gcc/gcc-12.2.inc create mode 100644 poky/meta/recipes-devtools/gcc/gcc-12.3.inc delete mode 100644 poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.2.bb create mode 100644 
poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/gcc-cross_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/gcc-cross_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/gcc-runtime_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/gcc-runtime_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/gcc-source_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/gcc-source_12.3.bb create mode 100644 poky/meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch create mode 100644 poky/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch delete mode 100644 poky/meta/recipes-devtools/gcc/gcc_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/gcc_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/libgcc-initial_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/libgcc-initial_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/libgcc_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/libgcc_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gcc/libgfortran_12.2.bb create mode 100644 poky/meta/recipes-devtools/gcc/libgfortran_12.3.bb delete mode 100644 poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.1.bb create mode 100644 poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.2.bb delete mode 100644 poky/meta/recipes-devtools/gdb/gdb-cross_13.1.bb create mode 100644 poky/meta/recipes-devtools/gdb/gdb-cross_13.2.bb delete mode 100644 poky/meta/recipes-devtools/gdb/gdb/0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch create mode 100644 poky/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch delete mode 100644 
poky/meta/recipes-devtools/gdb/gdb/0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch delete mode 100644 poky/meta/recipes-devtools/gdb/gdb_13.1.bb create mode 100644 poky/meta/recipes-devtools/gdb/gdb_13.2.bb delete mode 100644 poky/meta/recipes-devtools/git/git_2.39.2.bb create mode 100644 poky/meta/recipes-devtools/git/git_2.39.3.bb delete mode 100644 poky/meta/recipes-devtools/go/go-1.20.4.inc create mode 100644 poky/meta/recipes-devtools/go/go-1.20.7.inc delete mode 100644 poky/meta/recipes-devtools/go/go-binary-native_1.20.4.bb create mode 100644 poky/meta/recipes-devtools/go/go-binary-native_1.20.7.bb delete mode 100644 poky/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb create mode 100644 poky/meta/recipes-devtools/go/go-cross-canadian_1.20.7.bb delete mode 100644 poky/meta/recipes-devtools/go/go-cross_1.20.4.bb create mode 100644 poky/meta/recipes-devtools/go/go-cross_1.20.7.bb delete mode 100644 poky/meta/recipes-devtools/go/go-crosssdk_1.20.4.bb create mode 100644 poky/meta/recipes-devtools/go/go-crosssdk_1.20.7.bb delete mode 100644 poky/meta/recipes-devtools/go/go-native_1.20.4.bb create mode 100644 poky/meta/recipes-devtools/go/go-native_1.20.7.bb delete mode 100644 poky/meta/recipes-devtools/go/go-runtime_1.20.4.bb create mode 100644 poky/meta/recipes-devtools/go/go-runtime_1.20.7.bb create mode 100644 poky/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch create mode 100644 poky/meta/recipes-devtools/go/go/CVE-2023-24531_2.patch delete mode 100644 poky/meta/recipes-devtools/go/go_1.20.4.bb create mode 100644 poky/meta/recipes-devtools/go/go_1.20.7.bb delete mode 100644 poky/meta/recipes-devtools/libdnf/libdnf_0.70.0.bb create mode 100644 poky/meta/recipes-devtools/libdnf/libdnf_0.70.1.bb delete mode 100644 poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb create mode 100644 poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.6.2.bb delete mode 100644 
poky/meta/recipes-devtools/opkg/opkg/0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch delete mode 100644 poky/meta/recipes-devtools/opkg/opkg/0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch delete mode 100644 poky/meta/recipes-devtools/opkg/opkg_0.6.1.bb create mode 100644 poky/meta/recipes-devtools/opkg/opkg_0.6.2.bb create mode 100644 poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch create mode 100644 poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch create mode 100644 poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch delete mode 100644 poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.4.bb create mode 100644 poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.5.bb create mode 100644 poky/meta/recipes-devtools/pseudo/files/glibc238.patch delete mode 100644 poky/meta/recipes-devtools/python/python3-certifi_2022.12.7.bb create mode 100644 poky/meta/recipes-devtools/python/python3-certifi_2023.7.22.bb delete mode 100644 poky/meta/recipes-devtools/python/python3-git_3.1.31.bb create mode 100644 poky/meta/recipes-devtools/python/python3-git_3.1.37.bb create mode 100644 poky/meta/recipes-devtools/python/python3-numpy/0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch create mode 100644 poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch create mode 100644 poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch create mode 100644 poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch delete mode 100644 poky/meta/recipes-devtools/python/python3_3.11.2.bb create mode 100644 poky/meta/recipes-devtools/python/python3_3.11.5.bb create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch create mode 100644 
poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch delete mode 100644 poky/meta/recipes-devtools/qemu/qemu/qemu-7.0.0-glibc-2.36.patch create mode 100644 poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch create mode 100644 poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch delete mode 100644 poky/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch create mode 100644 poky/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch create mode 100644 poky/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch create mode 100644 poky/meta/recipes-extended/cups/cups/CVE-2023-32324.patch create mode 100644 poky/meta/recipes-extended/cups/cups/CVE-2023-34241.patch create mode 100644 poky/meta/recipes-extended/diffutils/diffutils_3.10.bb delete mode 100644 poky/meta/recipes-extended/diffutils/diffutils_3.9.bb delete mode 100644 poky/meta/recipes-extended/gawk/gawk_5.2.1.bb create mode 100644 poky/meta/recipes-extended/gawk/gawk_5.2.2.bb create mode 100644 poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch create mode 100644 poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch create mode 100644 poky/meta/recipes-extended/mdadm/files/0001-DDF-Cleanup-validate_geometry_ddf_container.patch create mode 100644 poky/meta/recipes-extended/mdadm/files/0001-tests-add-.broken-files-for-04update-uuid-and-07reve.patch create mode 100644 poky/meta/recipes-extended/mdadm/files/0002-DDF-Fix-NULL-pointer-dereference-in-validate_geometr.patch create mode 100644 poky/meta/recipes-extended/mdadm/files/0003-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch create mode 100644 poky/meta/recipes-extended/mdadm/files/0004-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch create mode 100644 poky/meta/recipes-extended/mdadm/files/0005-mdadm-test-Mark-and-ignore-broken-test-failures.patch create mode 100644 
poky/meta/recipes-extended/mdadm/files/0006-tests-Add-broken-files-for-all-broken-tests.patch delete mode 100644 poky/meta/recipes-extended/minicom/minicom/0001-Drop-superfluous-global-variable-definitions.patch delete mode 100644 poky/meta/recipes-extended/minicom/minicom/0002-Drop-superfluous-global-variable-definitions.patch delete mode 100644 poky/meta/recipes-extended/minicom/minicom/0003-Drop-superfluous-global-variable-definitions.patch create mode 100644 poky/meta/recipes-extended/parted/files/0001-fs-Add-libuuid-to-linker-flags-for-libparted-fs-resi.patch create mode 100644 poky/meta/recipes-extended/procps/procps/CVE-2023-4016.patch delete mode 100644 poky/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto/0001-Use-AC_SYS_LARGEFILE-macro-to-control-largefile-supp.patch delete mode 100644 poky/meta/recipes-extended/tar/tar/CVE-2022-48303.patch delete mode 100644 poky/meta/recipes-extended/tar/tar_1.34.bb create mode 100644 poky/meta/recipes-extended/tar/tar_1.35.bb create mode 100644 poky/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch delete mode 100644 poky/meta/recipes-extended/wget/wget_1.21.3.bb create mode 100644 poky/meta/recipes-extended/wget/wget_1.21.4.bb create mode 100644 poky/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch delete mode 100644 poky/meta/recipes-gnome/gtk+/gtk4_4.10.3.bb create mode 100644 poky/meta/recipes-gnome/gtk+/gtk4_4.10.5.bb delete mode 100644 poky/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb create mode 100644 poky/meta/recipes-gnome/librsvg/librsvg_2.54.6.bb delete mode 100644 poky/meta/recipes-graphics/freetype/freetype_2.13.0.bb create mode 100644 poky/meta/recipes-graphics/freetype/freetype_2.13.1.bb create mode 100644 poky/meta/recipes-graphics/graphene/files/float-div.patch create mode 100644 poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch create mode 100644 
poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch create mode 100755 poky/meta/recipes-graphics/wayland/weston-init/weston-socket.sh delete mode 100644 poky/meta/recipes-graphics/xorg-app/xdpyinfo_1.3.3.bb create mode 100644 poky/meta/recipes-graphics/xorg-app/xdpyinfo_1.3.4.bb delete mode 100644 poky/meta/recipes-graphics/xorg-lib/libx11/0001-fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch delete mode 100644 poky/meta/recipes-graphics/xorg-lib/libx11_1.8.4.bb create mode 100644 poky/meta/recipes-graphics/xorg-lib/libx11_1.8.6.bb delete mode 100644 poky/meta/recipes-graphics/xorg-lib/libxft_2.3.7.bb create mode 100644 poky/meta/recipes-graphics/xorg-lib/libxft_2.3.8.bb delete mode 100644 poky/meta/recipes-graphics/xorg-lib/libxpm_3.5.15.bb create mode 100644 poky/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb create mode 100644 poky/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch delete mode 100644 poky/meta/recipes-kernel/kmod/kmod/ptest.patch delete mode 100644 poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb create mode 100644 poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb create mode 100755 poky/meta/recipes-kernel/linux/generate-cve-exclusions.py delete mode 100644 poky/meta/recipes-kernel/lttng/babeltrace2_2.0.4.bb create mode 100644 poky/meta/recipes-kernel/lttng/babeltrace2_2.0.5.bb delete mode 100644 poky/meta/recipes-kernel/lttng/lttng-ust_2.13.5.bb create mode 100644 poky/meta/recipes-kernel/lttng/lttng-ust_2.13.6.bb delete mode 100644 poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb create mode 100644 poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb delete mode 100644 poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch delete mode 100644 poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch delete mode 
100644 poky/meta/recipes-multimedia/ffmpeg/ffmpeg/ffmpeg-fix-vulkan.patch delete mode 100644 poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb create mode 100644 poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.3.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.2.bb create mode 100644 
poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.2.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.5.bb delete mode 100644 poky/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch delete mode 100644 poky/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb create mode 100644 poky/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb delete mode 100644 poky/meta/recipes-multimedia/webp/libwebp_1.3.0.bb create mode 100644 poky/meta/recipes-multimedia/webp/libwebp_1.3.1.bb create mode 100644 poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch create mode 100644 poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch delete mode 100644 poky/meta/recipes-sato/webkit/webkitgtk_2.38.5.bb create mode 100644 poky/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb delete mode 100644 poky/meta/recipes-support/apr/apr_1.7.3.bb create mode 100644 poky/meta/recipes-support/apr/apr_1.7.4.bb create mode 100644 poky/meta/recipes-support/curl/curl/CVE-2023-28319.patch create mode 100644 poky/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch create mode 100644 poky/meta/recipes-support/curl/curl/CVE-2023-28320.patch create mode 100644 poky/meta/recipes-support/curl/curl/CVE-2023-28321.patch create mode 100644 poky/meta/recipes-support/curl/curl/CVE-2023-28322.patch create mode 100644 poky/meta/recipes-support/curl/curl/CVE-2023-32001.patch delete mode 100644 poky/meta/recipes-support/fribidi/fribidi_1.0.12.bb create mode 100644 poky/meta/recipes-support/fribidi/fribidi_1.0.13.bb delete mode 100644 poky/meta/recipes-support/gnupg/gnupg_2.4.0.bb create mode 100644 poky/meta/recipes-support/gnupg/gnupg_2.4.2.bb delete mode 100644 poky/meta/recipes-support/libassuan/libassuan_2.5.5.bb create mode 100644 poky/meta/recipes-support/libassuan/libassuan_2.5.6.bb delete mode 100644 poky/meta/recipes-support/libksba/libksba_1.6.3.bb create mode 100644 
poky/meta/recipes-support/libksba/libksba_1.6.4.bb delete mode 100644 poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb create mode 100644 poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.77.bb create mode 100644 poky/meta/recipes-support/libssh2/libssh2/CVE-2020-22218.patch create mode 100644 poky/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch delete mode 100644 poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch delete mode 100644 poky/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch delete mode 100644 poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch create mode 100644 poky/meta/recipes-support/serf/serf_1.3.10.bb delete mode 100644 poky/meta/recipes-support/serf/serf_1.3.9.bb create mode 100644 poky/meta/recipes-support/taglib/taglib_1.13.1.bb delete mode 100644 poky/meta/recipes-support/taglib/taglib_1.13.bb diff --git a/meta-arm/.gitlab-ci.yml b/meta-arm/.gitlab-ci.yml index df1f0f5ade..4ee75fcc1e 100644 --- a/meta-arm/.gitlab-ci.yml +++ b/meta-arm/.gitlab-ci.yml @@ -150,7 +150,7 @@ n1sdp: parallel: matrix: - TOOLCHAINS: [gcc, armgcc] - TS: [none, trusted-services] + TS: [none, n1sdp-ts] qemu-generic-arm64: extends: .build @@ -167,7 +167,7 @@ qemuarm64-secureboot: - KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt] TOOLCHAINS: [gcc, clang] TCLIBC: [glibc, musl] - TS: [none, trusted-services] + TS: [none, qemuarm64-secureboot-ts] TESTING: testimage qemuarm64: diff --git a/meta-arm/README.md b/meta-arm/README.md index 7779258551..82c326de7e 100644 --- a/meta-arm/README.md +++ b/meta-arm/README.md 
@@ -6,10 +6,6 @@ This repository contains the Arm layers for OpenEmbedded. This layer contains general recipes for the Arm architecture, such as firmware, FVPs, and Arm-specific integration. -* meta-arm-autonomy - - This layer is the distribution for a reference stack for autonomous systems. - * meta-arm-bsp This layer contains machines for Arm reference platforms, for example FVP Base, N1SDP, and Juno. diff --git a/meta-arm/ci/meta-virtualization.yml b/meta-arm/ci/meta-virtualization.yml index 8791fc3be5..1cd0e21a89 100644 --- a/meta-arm/ci/meta-virtualization.yml +++ b/meta-arm/ci/meta-virtualization.yml @@ -6,4 +6,3 @@ header: repos: meta-virtualization: url: git://git.yoctoproject.org/meta-virtualization - refspec: master diff --git a/meta-arm/ci/n1sdp-ts.yml b/meta-arm/ci/n1sdp-ts.yml new file mode 100644 index 0000000000..e8e9298d24 --- /dev/null +++ b/meta-arm/ci/n1sdp-ts.yml @@ -0,0 +1,14 @@ +header: + version: 11 + includes: + - ci/meta-openembedded.yml + +local_conf_header: + trusted_services: | + TEST_SUITES:append = " trusted_services" + # Include TS Crypto, TS Protected Storage, TS Internal and Trusted Storage SPs into optee-os image + MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its" + # Include TS demo/test tools into image + IMAGE_INSTALL:append = " packagegroup-ts-tests" + # Include TS PSA Arch tests into image + IMAGE_INSTALL:append = " packagegroup-ts-tests-psa" diff --git a/meta-arm/ci/qemuarm64-secureboot-ts.yml b/meta-arm/ci/qemuarm64-secureboot-ts.yml new file mode 100644 index 0000000000..5f28dd3c17 --- /dev/null +++ b/meta-arm/ci/qemuarm64-secureboot-ts.yml 
@@ -0,0 +1,14 @@ +header: + version: 11 + includes: + - ci/meta-openembedded.yml + +local_conf_header: + trusted_services: | + TEST_SUITES:append = " trusted_services" + # Include TS Crypto, TS Protected Storage, TS Internal Trusted Storage and SMM-Gateway SPs into optee-os image + MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its ts-smm-gateway" + # Include TS demo/test tools into image + IMAGE_INSTALL:append = " packagegroup-ts-tests" + # Include TS PSA Arch tests into image + IMAGE_INSTALL:append = " packagegroup-ts-tests-psa" diff --git a/meta-arm/ci/trusted-services.yml b/meta-arm/ci/trusted-services.yml deleted file mode 100644 index 433ec78b37..0000000000 --- a/meta-arm/ci/trusted-services.yml +++ /dev/null @@ -1,14 +0,0 @@ -header: - version: 11 - includes: - - ci/meta-openembedded.yml - -local_conf_header: - trusted_services: | - TEST_SUITES:append = " trusted_services" - # Include TS Crypto, Storage, ITS, Attestation and SMM-Gateway SPs into optee-os image - MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its ts-attestation ts-smm-gateway" - # Include TS demo/test tools into image - IMAGE_INSTALL:append = " packagegroup-ts-tests" - # Include TS PSA Arch tests into image - IMAGE_INSTALL:append = " packagegroup-ts-tests-psa" diff --git a/meta-arm/documentation/trusted-services.md b/meta-arm/documentation/trusted-services.md index e3cee6b3c0..70826f681e 100644 --- a/meta-arm/documentation/trusted-services.md +++ b/meta-arm/documentation/trusted-services.md @@ -1,6 +1,6 @@ # The Trusted Services: framework for developing root-of-trust services - meta-arm layer includes recipes for [Trusted Services][1] Secure Partitions and Normal World applications +meta-arm layer includes recipes for [Trusted Services][^1] Secure Partitions and Normal World applications in `meta-arm/recipes-security/trusted-services` ## Secure Partitions recipes 
@@ -12,7 +12,7 @@ These files are automatically included into optee-os image accordingly to define ### How to include TS SPs To include TS SPs into optee-os image you need to add into MACHINE_FEATURES -features for each [Secure Partition][2] you would like to include: +features for each [Secure Partition][^2] you would like to include: | Secure Partition | MACHINE_FEATURE | | ----------------- | --------------- | 
@@ -22,32 +22,44 @@ features for each [Secure Partition][2] you would like to include: | Protected Storage | ts-storage | | se-proxy | ts-se-proxy | | smm-gateway | ts-smm-gateway | +| spm-test[1-3] | optee-spmc-test | Other steps depend on your machine/platform definition: 1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y` -is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES. + is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES. + (Please see ` meta-arm/recipes-kernel/arm-ffa-tee`.) + + For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux the `arm-ffa-user` drivel is required. This is + enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled. + (Please see ` meta-arm/recipes-kernel/arm-ffa-user`.) 2. optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at). -You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine -and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc` -for N1SDP and Corstone1000 platforms accordingly. + You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine + and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc` + for N1SDP and Corstone1000 platforms accordingly. 3. trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform). 
-See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine -and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and -`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms. + See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine + and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and + `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms. ## Normal World applications - Optionally for testing purposes you can add `packagegroup-ts-tests` and `packagegroup-ts-tests-psa` package groups into your image. -They include [Trusted Services test and demo tools][3] +Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes +[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests. ## OEQA Trusted Services tests meta-arm also includes Trusted Service OEQA tests which can be used for automated testing. See `ci/trusted-services.yml` for an example how to include them into an image. -[1] https://trusted-services.readthedocs.io/en/integration/overview/introduction.html -[2] https://trusted-services.readthedocs.io/en/integration/developer/deployments/secure-partitions.html -[3] https://trusted-services.readthedocs.io/en/integration/developer/deployments/test-executables.html + +------ +[^1]: https://trusted-services.readthedocs.io/en/integration/overview/index.html + +[^2]: https://trusted-services.readthedocs.io/en/integration/deployments/secure-partitions.html + +[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html + +[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html \ No newline at end of file 
diff --git a/meta-arm/kas/corstone1000-base.yml b/meta-arm/kas/corstone1000-base.yml index 6594caa58b..ea62f42ce1 100644 --- a/meta-arm/kas/corstone1000-base.yml +++ b/meta-arm/kas/corstone1000-base.yml @@ -16,6 +16,7 @@ repos: poky: url: https://git.yoctoproject.org/git/poky + refspec: 31dd418207f6c95ef0aad589cd03cd2a4c9a8bf2 layers: meta: meta-poky: @@ -23,6 +24,7 @@ repos: meta-openembedded: url: https://git.openembedded.org/meta-openembedded + refspec: 5a01ab461c9bcabcbb2298236602373948f8f073 layers: meta-oe: meta-python: diff --git a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc index 3915d18b56..198c7ec877 100644 --- a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc +++ b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc @@ -43,6 +43,7 @@ OPTEE_BINARY = "tee-pager_v2.bin" # Include smm-gateway and se-proxy SPs into optee-os binary MACHINE_FEATURES += "ts-smm-gateway ts-se-proxy" TS_PLATFORM = "arm/corstone1000" +TS_SP_SE_PROXY_CONFIG = "corstone1000" # External System(Cortex-M3) EXTRA_IMAGEDEPENDS += "external-system" diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst index 64e82aac98..32d6529279 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT 
@@ -10,6 +10,72 @@ Change Log This document contains a summary of the new features, changes and fixes in each release of Corstone-1000 software stack. +*************** +Version 2023.06 +*************** + +Changes +======= + +- GPT support (in TF-M, TF-A, U-boot) +- Use TF-M BL1 code as the ROM code instead of MCUboot (the next stage bootloader BL2 remains to be MCUboot) +- Secure Enclave uses CC312 OTP as the provisioning backend in FVP and FPGA +- NVMXIP block storage support in U-Boot +- Upgrading the SW stack recipes +- Upgrades for the U-Boot FF-A driver and MM communication + +Corstone-1000 components versions +================================= + ++-------------------------------------------+--------------------------------------------+ +| arm-ffa-tee | 1.1.2-r0 | ++-------------------------------------------+--------------------------------------------+ +| arm-ffa-user | 5.0.1-r0 | ++-------------------------------------------+--------------------------------------------+ +| corstone1000-external-sys-tests | 1.0+gitAUTOINC+2945cd92f7-r0 | ++-------------------------------------------+--------------------------------------------+ +| external-system | 0.1.0+gitAUTOINC+8c9dca74b1-r0 | ++-------------------------------------------+--------------------------------------------+ +| linux-yocto | 6.1.25+gitAUTOINC+36901b5b29_581dc1aa2f-r0 | ++-------------------------------------------+--------------------------------------------+ +| u-boot | 2023.01-r0 | ++-------------------------------------------+--------------------------------------------+ +| optee-client | 3.18.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| optee-os | 3.20.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| trusted-firmware-a | 2.8.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| trusted-firmware-m | 1.7.0-r0 | 
++-------------------------------------------+--------------------------------------------+ +| ts-newlib | 4.1.0-r0 | ++-------------------------------------------+--------------------------------------------+ +| ts-psa-{crypto, iat, its. ps}-api-test | 38cb53a4d9 | ++-------------------------------------------+--------------------------------------------+ +| ts-sp-{se-proxy, smm-gateway} | 08b3d39471 | ++-------------------------------------------+--------------------------------------------+ + +Yocto distribution components versions +====================================== + ++-------------------------------------------+--------------------------------+ +| meta-arm | mickledore | ++-------------------------------------------+--------------------------------+ +| poky | mickledore | ++-------------------------------------------+--------------------------------+ +| meta-openembedded | mickledore | ++-------------------------------------------+--------------------------------+ +| busybox | 1.36.0-r0 | ++-------------------------------------------+--------------------------------+ +| musl | 1.2.3+gitAUTOINC+7d756e1c04-r0 | ++-------------------------------------------+--------------------------------+ +| gcc-arm-none-eabi-native | 11.2-2022.02 | ++-------------------------------------------+--------------------------------+ +| gcc-cross-aarch64 | 12.2.rel1-r0 | ++-------------------------------------------+--------------------------------+ +| openssl | 3.1.0-r0 | ++-------------------------------------------+--------------------------------+ + ****************** Version 2022.11.23 ****************** @@ -25,7 +91,7 @@ Changes - Upgrades for the U-Boot FF-A driver and MM communication Corstone-1000 components versions -======================================= +================================= +-------------------------------------------+------------+ | arm-ffa-tee | 1.1.1 | 
@@ -56,7 +122,7 @@ Corstone-1000 components versions +-------------------------------------------+------------+ Yocto distribution components versions -======================================= +====================================== +-------------------------------------------+---------------------+ | meta-arm | langdale | @@ -161,4 +227,4 @@ Changes -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png index a41e721027..4c6a2a8c8c 100644 Binary files a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png and b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/CorstoneSubsystems.png differ diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png index 38407c08d9..399f87568f 100644 Binary files a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png and b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png differ diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png index bc5b4ba35e..88bb1259f6 100644 Binary files a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png and b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png differ 
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png index b7631b0230..1e37d803b7 100644 Binary files a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png and b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png differ diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png index f58531719d..a501de556e 100644 Binary files a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png and b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/UEFISupport.png differ diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst index 89a4fa9ab2..62e3f8ff66 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT 
@@ -19,6 +19,28 @@ intended for safety-critical applications. Should Your Software or Your Hardware prove defective, you assume the entire cost of all necessary servicing, repair or correction. +*********************** +Release notes - 2023.06 +*********************** + +Known Issues or Limitations +--------------------------- + - FPGA supports Linux distro install and boot through installer. However, FVP only supports openSUSE raw image installation and boot. + - Due to the performance uplimit of MPS3 FPGA and FVP, some Linux distros like Fedora Rawhide can not boot on Corstone-1000 (i.e. user may experience timeouts or boot hang). + - PSA Crypto tests (psa-crypto-api-test command) take 30 minutes to complete for FVP and 1 hour for MPS3. + - Corstone-1000 SoC on FVP doesn't have a secure debug peripheral. It does on the MPS3 . + - The following limitations listed in the previous release are still applicable: + + - UEFI Compliant - Boot from network protocols must be implemented -- FAILURE + + - Known limitations regarding ACS tests - see previous release's notes. + +Platform Support +----------------- + - This software release is tested on Corstone-1000 FPGA version AN550_v2 + https://developer.arm.com/downloads/-/download-fpga-images + - This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.19_21 + https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps ************************** Release notes - 2022.11.23 @@ -174,4 +196,4 @@ For all security issues, contact Arm by email at arm-security@arm.com. -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst index a17f1b8a68..bf3535b2ec 100644 
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT @@ -9,16 +9,16 @@ Software architecture ***************** -ARM corstone1000 +Arm Corstone-1000 ***************** -ARM corstone1000 is a reference solution for IoT devices. It is part of +Arm Corstone-1000 is a reference solution for IoT devices. It is part of Total Solution for IoT which consists of hardware and software reference implementation. -Corstone1000 software plus hardware reference solution is PSA Level-2 ready +Corstone-1000 software plus hardware reference solution is PSA Level-2 ready certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_). -More information on the corstone1000 subsystem product and design can be +More information on the Corstone-1000 subsystem product and design can be found at: `Arm corstone1000 Software`_ and `Arm corstone1000 Technical Overview`_. @@ -31,12 +31,12 @@ present in the user-guide document. Design Overview *************** -The software architecture of corstone1000 platform is a reference +The software architecture of Corstone-1000 platform is a reference implementation of Platform Security Architecture (`PSA`_) which provides framework to build secure IoT devices. The base system architecture of the platform is created from three -different tyes of systems: Secure Enclave, Host and External System. +different types of systems: Secure Enclave, Host and External System. Each subsystem provides different functionality to overall SoC. 
@@ -50,9 +50,9 @@ cryptographic functions. It is based on an Cortex-M0+ processor, CC312 Cryptographic Accelerator and peripherals, such as watchdog and secure flash. Software running on the Secure Enclave is isolated via hardware for enhanced security. Communication with the Secure Encalve -is achieved using Message Hnadling Units (MHUs) and shared memory. -On system power on, the Secure Enclaves boots first. Its software -comprises of two boot loading stages, both based on mcuboot, and +is achieved using Message Handling Units (MHUs) and shared memory. +On system power on, the Secure Enclave boots first. Its software +comprises of a ROM code (TF-M BL1), Mcuboot BL2, and TrustedFirmware-M(`TF-M`_) as runtime software. The software design on Secure Enclave follows Firmware Framework for M class processor (`FF-M`_) specification. @@ -66,7 +66,7 @@ The boot process follows Trusted Boot Base Requirement (`TBBR`_). The Host Subsystem is taken out of reset by the Secure Enclave system during its final stages of the initialization. The Host subsystem runs FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS -(`OPTEE-OS`_) in the secure world, and u-boot(`u-boot repo`_) and +(`OPTEE-OS`_) in the secure world, and U-Boot(`U-Boot repo`_) and linux (`linux repo`_) in the non-secure world. The communication between non-secure and the secure world is performed via FF-A messages. @@ -75,7 +75,7 @@ functionality. The system is based on Cortex-M3 and run RTX RTOS. Communictaion between external system and Host(cortex-A35) is performed using MHU as transport mechanism and rpmsg messaging system. -Overall, the corstone1000 architecture is designed to cover a range +Overall, the Corstone-1000 architecture is designed to cover a range of Power, Performance, and Area (PPA) applications, and enable extension for use-case specific applications, for example, sensors, cloud connectivitiy, and edge computing. 
@@ -85,13 +85,13 @@ Secure Boot Chain ***************** For the security of a device, it is essential that only authorized -software should run on the device. The corstone1000 boot uses a +software should run on the device. The Corstone-1000 boot uses a Secure Boot Chain process where an already authenticated image verifies and loads the following software in the chain. For the boot chain process to work, the start of the chain should be trusted, forming the Root of Trust (RoT) of the device. The RoT of the device is immutable in nature and encoded into the device by the device owner before it -is deployed into the field. In Corstone1000, the BL1 image of the secure +is deployed into the field. In Corstone-1000, the BL1 image of the secure enclave and content of the CC312 OTP (One Time Programmable) memory forms the RoT. The BL1 image exists in ROM (Read Only Memory). 
@@ -99,18 +99,20 @@ forms the RoT. The BL1 image exists in ROM (Read Only Memory). :width: 870 :alt: SecureBootChain -It is a lengthy chain to boot the software on corstone1000. On power on, +It is a lengthy chain to boot the software on Corstone-1000. On power on, the secure enclave starts executing BL1 code from the ROM which is the RoT of the device. Authentication of an image involves the steps listed below: - Load image from flash to dynamic RAM. -- The public key present in the image header is validated by comparing with the hash. Depending on the image, the hash of the public key is either stored in the OTP or part of the software which is being already verfied in the previous stages. +- The public key present in the image header is validated by comparing with the hash. + Depending on the image, the hash of the public key is either stored in the OTP or part + of the software which is being already verified in the previous stages. - The image is validated using the public key. In the secure enclave, BL1 authenticates the BL2 and passes the execution -control. BL2 authenticates the initial boot loader of the host (Host BL2) +control. BL2 authenticates the initial boot loader of the host (Host TF-A BL2) and TF-M. The execution control is now passed to TF-M. TF-M being the run -time executable of secure enclaves initializes itself and, in the end, +time executable of secure enclave which initializes itself and, at the end, brings the host CPU out of rest. The host follows the boot standard defined in the `TBBR`_ to authenticate the secure and non-secure software. 
@@ -118,10 +120,10 @@ in the `TBBR`_ to authenticate the secure and non-secure software. Secure Services *************** -corstone1000 is unique in providing a secure environment to run a secure -workload. The platform has Trustzone technology in the Host subsystem but +Corstone-1000 is unique in providing a secure environment to run a secure +workload. The platform has TrustZone technology in the Host subsystem but it also has hardware isolated secure enclave environment to run such secure -workloads. In corstone1000, known Secure Services such as Crypto, Protected +workloads. In Corstone-1000, known Secure Services such as Crypto, Protected Storage, Internal Trusted Storage and Attestation are available via PSA Functional APIs in TF-M. There is no difference for a user communicating to these services which are running on a secure enclave instead of the @@ -137,7 +139,7 @@ flow path for such calls. The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition managed by OPTEE which forwards such calls to the secure enclave. The solution relies on OpenAMP which uses shared memory and MHU interrupts as -a doorbell for communication between two cores. corstone1000 implements +a doorbell for communication between two cores. Corstone-1000 implements isolation level 2. Cortex-M0+ MPU (Memory Protection Unit) is used to implement isolation level 2. @@ -147,7 +149,7 @@ lower latency vs higher security. Services running on a secure enclave are secure by real hardware isolation but have a higher latency path. In the second scenario, the services running on the secure world of the host subsystem have lower latency but virtual hardware isolation created by -Trustzone technology. +TrustZone technology. ********************** 
@@ -156,14 +158,14 @@ Secure Firmware Update Apart from always booting the authorized images, it is also essential that the device only accepts the authorized images in the firmware update -process. corstone1000 supports OTA (Over the Air) firmware updates and +process. Corstone-1000 supports OTA (Over the Air) firmware updates and follows Platform Security Firmware Update sepcification (`FWU`_). As standardized into `FWU`_, the external flash is divided into two banks of which one bank has currently running images and the other bank is used for staging new images. There are four updatable units, i.e. Secure Enclave's BL2 and TF-M, and Host's FIP (Firmware Image Package) and Kernel -Image. The new images are accepted in the form of a UEFI capsule. +Image (the initramfs bundle). The new images are accepted in the form of a UEFI capsule. .. image:: images/ExternalFlash.png @@ -194,13 +196,13 @@ guarantee the availability of the device. ****************************** -UEFI Runtime Support in u-boot +UEFI Runtime Support in U-Boot ****************************** Implementation of UEFI boottime and runtime APIs require variable storage. -In corstone1000, these UEFI variables are stored in the Protected Storage +In Corstone-1000, these UEFI variables are stored in the Protected Storage service. The below diagram presents the data flow to store UEFI variables. -The u-boot implementation of the UEFI subsystem uses the FF-A driver to +The U-Boot implementation of the UEFI subsystem uses the U-Boot FF-A driver to communicate with the SMM Service in the secure world. The backend of the SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS calls are forwarded to the secure enclave as explained above. 
@@ -215,11 +217,12 @@ calls are forwarded to the secure enclave as explained above. References *************** `ARM corstone1000 Search`_ + `Arm security features`_ -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* .. _Arm corstone1000 Technical Overview: https://developer.arm.com/documentation/102360/0000 .. _Arm corstone1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software @@ -236,4 +239,4 @@ References .. _TBBR: https://developer.arm.com/documentation/den0006/latest .. _TF-M: https://www.trustedfirmware.org/projects/tf-m/ .. _Trusted Services: https://www.trustedfirmware.org/projects/trusted-services/ -.. _u-boot repo: https://github.com/u-boot/u-boot.git +.. _U-Boot repo: https://github.com/u-boot/u-boot.git diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst index e173f244b4..a5ccb31382 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst @@ -1,5 +1,5 @@ .. - # Copyright (c) 2022, Arm Limited. + # Copyright (c) 2022-2023, Arm Limited. # # SPDX-License-Identifier: MIT 
@@ -15,21 +15,35 @@ The Yocto Project relies on the `Bitbake `__ for more information. - Prerequisites ------------- -These instructions assume your host PC is running Ubuntu Linux 18.04 or 20.04 LTS, with at least 32GB of free disk space and 16GB of RAM as minimum requirement. The following instructions expect that you are using a bash shell. All the paths stated in this document are absolute paths. -The following prerequisites must be available on the host system. To resolve these dependencies, run: +This guide assumes that your host PC is running Ubuntu 20.04 LTS, with at least +32GB of free disk space and 16GB of RAM as minimum requirement. -:: +The following prerequisites must be available on the host system: + +- Git 1.8.3.1 or greater +- tar 1.28 or greater +- Python 3.8.0 or greater. +- gcc 8.0 or greater. +- GNU make 4.0 or greater + +Please follow the steps described in the Yocto mega manual: + +- `Compatible Linux Distribution `__ +- `Build Host Packages `__ + +Targets +------- - sudo apt-get update - sudo apt-get install gawk wget git-core diffstat unzip texinfo gcc-multilib \ - build-essential chrpath socat cpio python3 python3-pip python3-pexpect \ - xz-utils debianutils iputils-ping python3-git libegl1-mesa libsdl1.2-dev \ - xterm zstd liblz4-tool picocom - sudo apt-get upgrade libstdc++6 +- `Arm Corstone-1000 Ecosystem FVP (Fixed Virtual Platform) `__ +- `Arm Corstone-1000 for MPS3 `__ + +Yocto stable branch +------------------- + +Corstone-1000 software stack is built on top of Yocto mickledore. Provided components ------------------- @@ -44,6 +58,8 @@ The Yocto machine config files for the Corstone-1000 FVP and FPGA targets are: - ``<_workspace>/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf`` - ``<_workspace>/meta-arm/meta-arm-bsp/conf/machine/corstone1000-mps3.conf`` +**NOTE:** All the paths stated in this document are absolute paths. + ***************** Software for Host ***************** 
@@ -52,50 +68,52 @@ Trusted Firmware-A ================== Based on `Trusted Firmware-A `__ -+----------+---------------------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend | -+----------+---------------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb | -+----------+---------------------------------------------------------------------------------------------------+ ++----------+-----------------------------------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.%.bbappend | ++----------+-----------------------------------------------------------------------------------------------------+ +| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb | ++----------+-----------------------------------------------------------------------------------------------------+ OP-TEE ====== Based on `OP-TEE `__ +----------+------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.18.0.bbappend | +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.20.0.bbappend | +----------+------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm/recipes-security/optee/optee-os_3.18.0.bb | +| Recipe | <_workspace>/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb | +----------+------------------------------------------------------------------------------------+ U-Boot -======= -Based on `U-Boot `__ +====== +Based on `U-Boot repo`_ 
-+----------+---------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | -+----------+---------------------------------------------------------------------+ -| Recipe | <_workspace>/poky/meta/recipes-bsp/u-boot/u-boot_2022.07.bb | -+----------+---------------------------------------------------------------------+ ++----------+-------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | ++----------+-------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend | ++----------+-------------------------------------------------------------------------+ +| Recipe | <_workspace>/poky/meta/recipes-bsp/u-boot/u-boot_2023.01.bb | ++----------+-------------------------------------------------------------------------+ Linux ===== The distro is based on the `poky-tiny `__ distribution which is a Linux distribution stripped down to a minimal configuration. -The provided distribution is based on busybox and built using muslibc. The +The provided distribution is based on busybox and built using musl libc. The recipe responsible for building a tiny version of Linux is listed below. 
+-----------+----------------------------------------------------------------------------------------------+ | bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend | +-----------+----------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/poky/meta/recipes-kernel/linux/linux-yocto_5.19.bb | +| Recipe | <_workspace>/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb | +-----------+----------------------------------------------------------------------------------------------+ | defconfig | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig | +-----------+----------------------------------------------------------------------------------------------+ External System Tests -======================= +===================== Based on `Corstone-1000/applications `__ +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -109,15 +127,15 @@ Software for Boot Processor (a.k.a Secure Enclave) ************************************************** Based on `Trusted Firmware-M `__ -+----------+-------------------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend | -+----------+-------------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb | -+----------+-------------------------------------------------------------------------------------------------+ ++----------+-----------------------------------------------------------------------------------------------------+ +| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.%.bbappend | ++----------+-----------------------------------------------------------------------------------------------------+ +| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.7.0.bb | ++----------+-----------------------------------------------------------------------------------------------------+ -************************************************** +******************************** Software for the External System -************************************************** +******************************** RTX ==== @@ -150,7 +168,7 @@ In the top directory of the workspace ``<_workspace>``, run: :: - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2022.11.23 + git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2023.06 To build a Corstone-1000 image for MPS3 FPGA, run: 
@@ -173,46 +191,47 @@ Once the build is successful, all output binaries will be placed in the followin - ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3/`` folder for FPGA build. Everything apart from the Secure Enclave ROM firmware and External System firmware, is bundled into a single binary, the -``corstone1000-image-corstone1000-{mps3,fvp}.wic.nopt`` file. +``corstone1000-image-corstone1000-{mps3,fvp}.wic`` file. The output binaries run in the Corstone-1000 platform are the following: - The Secure Enclave ROM firmware: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/bl1.bin`` - The External System firmware: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/es_flashfw.bin`` - - The flash image: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/corstone1000-image-corstone1000-{mps3,fvp}.wic.nopt`` + - The flash image: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/corstone1000-image-corstone1000-{mps3,fvp}.wic`` Flash the firmware image on FPGA -------------------------------- -The user should download the FPGA bit file image ``AN550: Arm® Corstone™-1000 for MPS3 Version 1`` +The user should download the FPGA bit file image ``AN550: Arm® Corstone™-1000 for MPS3 Version 2.0`` from `this link `__ -and under the section ``Arm® Corstone™-1000 for MPS3``. +and under the section ``Arm® Corstone™-1000 for MPS3``. The download is available after logging in. The directory structure of the FPGA bundle is shown below. 
:: - Boardfiles - ├── MB - │   ├── BRD_LOG.TXT - │   ├── HBI0309B - │   │   ├── AN550 - │   │   │   ├── AN550_v1.bit - │   │   │   ├── an550_v1.txt - │   │   │   └── images.txt - │   │   ├── board.txt - │   │   └── mbb_v210.ebf - │   └── HBI0309C - │   ├── AN550 - │   │   ├── AN550_v1.bit - │   │   ├── an550_v1.txt - │   │   └── images.txt - │   ├── board.txt - │   └── mbb_v210.ebf - ├── SOFTWARE - │   ├── ES0.bin - │   ├── SE.bin - │   └── an550_st.axf - └── config.txt + Boardfiles + ├── config.txt + ├── MB + │   ├── BRD_LOG.TXT + │   ├── HBI0309B + │   │   ├── AN550 + │   │   │   ├── AN550_v2.bit + │   │   │   ├── an550_v2.txt + │   │   │   └── images.txt + │   │   ├── board.txt + │   │   └── mbb_v210.ebf + │   └── HBI0309C + │   ├── AN550 + │   │   ├── AN550_v2.bit + │   │   ├── an550_v2.txt + │   │   └── images.txt + │   ├── board.txt + │   └── mbb_v210.ebf + └── SOFTWARE + ├── an550_st.axf + ├── bl1.bin + ├── cs1000.bin + └── ES0.bin Depending upon the MPS3 board version (printed on the MPS3 board) you should update the images.txt file (in corresponding HBI0309x folder. Boardfiles/MB/HBI0309/AN550/images.txt) so that the file points to the images under SOFTWARE directory. @@ -242,7 +261,7 @@ stack can be seen below; IMAGE0FILE: \SOFTWARE\bl1.bin IMAGE1PORT: 0 - IMAGE1ADDRESS: 0x00_0010_0000 + IMAGE1ADDRESS: 0x00_0000_0000 IMAGE1UPDATE: AUTOQSPI IMAGE1FILE: \SOFTWARE\cs1000.bin 
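Review bot: the hunk at @@ -242,7 +261,7 @@ changes IMAGE1ADDRESS from 0x00_0010_0000 to 0x00_0000_0000 with no accompanying sentence in the text; since the same file now requires the AN550 Version 2.0 bitfile, a short note stating which bundle version this images.txt layout matches would save users who carry over an images.txt from an older bundle.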
@@ -256,10 +275,9 @@ OUTPUT_DIR = ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3`` 1. Copy ``bl1.bin`` from OUTPUT_DIR directory to SOFTWARE directory of the FPGA bundle. 2. Copy ``es_flashfw.bin`` from OUTPUT_DIR directory to SOFTWARE directory of the FPGA bundle and rename the binary to ``es0.bin``. -3. Copy ``corstone1000-image-corstone1000-mps3.wic.nopt`` from OUTPUT_DIR directory to SOFTWARE - directory of the FPGA bundle and rename the wic.nopt image to ``cs1000.bin``. +3. Copy ``corstone1000-image-corstone1000-mps3.wic`` from OUTPUT_DIR directory to SOFTWARE + directory of the FPGA bundle and rename the wic image to ``cs1000.bin``. - **NOTE:** Renaming of the images are required because MCC firmware has limitation of 8 characters before .(dot) and 3 characters after .(dot). @@ -274,7 +292,7 @@ be ttyUSB0, ttyUSB1, ttyUSB2, ttyUSB3 and it might be different on Windows machi - ttyUSB0 for MCC, OP-TEE and Secure Partition - ttyUSB1 for Boot Processor (Cortex-M0+) - ttyUSB2 for Host Processor (Cortex-A35) - - ttyUSB3 for External System Processor (Cortex-M3) + - ttyUSB3 for External System Processor (Cortex-M3) Run following commands to open serial port terminals on Linux: 
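Review bot: in the hunk at @@ -256,10 +275,9 @@ the NOTE explaining why the images are renamed (the MCC firmware's limit of 8 characters before and 3 after the dot) is deleted while steps 2 and 3 still require the renames; keep the rationale, as a reader who skips the rename ends up with a board that does not find its images. Also, step 2 renames the binary to ``es0.bin`` while the directory tree added earlier in this file lists ``ES0.bin``; the two spellings should agree.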
@@ -285,12 +303,26 @@ Run following commands to open serial port terminals on Linux: sudo picocom -b 115200 /dev/ttyUSB2 # in another terminal. sudo picocom -b 115200 /dev/ttyUSB3 # in another terminal. +**NOTE:** The MPS3 expects an ethernet cable to be plugged in, otherwise it will +wait for the network for a considerable amount of time, printing the following +logs: + +:: + + Generic PHY 40100000.ethernet-ffffffff:01: attached PHY driver (mii_bus:phy_addr=40100000.ethernet-ffffffff:01, irq=POLL) + smsc911x 40100000.ethernet eth0: SMSC911x/921x identified at 0xffffffc008e50000, IRQ: 17 + Waiting up to 100 more seconds for network. + Once the system boot is completed, you should see console logs on the serial port terminals. Once the HOST(Cortex-A35) is booted completely, user can login to the shell using **"root"** login. -If system does not boot and only the ttyUSB1 logs are visible, please follow the steps in `Clean Secure Flash Before Testing (applicable to FPGA only)`_ under `SystemReady-IR tests`_ section. The previous image used in FPGA (MPS3) might have filled the Secure Flash completely. The best practice is to clean the secure flash in this case. +If system does not boot and only the ttyUSB1 logs are visible, please follow the +steps in `Clean Secure Flash Before Testing (applicable to FPGA only)`_ under +`SystemReady-IR tests`_ section. The previous image used in FPGA (MPS3) might +have filled the Secure Flash completely. The best practice is to clean the +secure flash in this case. Running the software on FVP 
@@ -321,7 +353,7 @@ To run the FVP using the runfvp command, please run the following command: When the script is executed, three terminal instances will be launched, one for the boot processor (aka Secure Enclave) processing element and two for the Host processing element. Once the FVP is -executing, the Boot Processor will start to boot, wherein the relevant memory contents of the .wic.nopt +executing, the Boot Processor will start to boot, wherein the relevant memory contents of the .wic file are copied to their respective memory locations within the model, enforce firewall policies on memories and peripherals and then, bring the host out of reset. @@ -337,11 +369,11 @@ Login using the username root. The External System can be released out of reset on demand using the systems-comms-tests command. SystemReady-IR tests -------------------------- +-------------------- -********************* +************* Testing steps -********************* +************* **NOTE**: Running the SystemReady-IR tests described below requires the user to work with USB sticks. In our testing, not all USB stick models work well with @@ -359,7 +391,7 @@ erase the SecureEnclave flash cleanly and prepare a clean board environment for the testing. Clean Secure Flash Before Testing (applicable to FPGA only) -================================================================== +=========================================================== To prepare a clean board environment with clean secure flash for the testing, the user should prepare an image that erases the secure flash cleanly during 
@@ -368,17 +400,17 @@ boot. Run following commands to build such image. :: cd <_workspace> - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2022.11.23 - git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2022.11.23 - cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-arm-bsp-trusted-firmware-m-corstone1000-Clean-Secure.patch meta-arm + git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2023.06 + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.06 + cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-embedded-a-corstone1000-clean-secure-flash.patch meta-arm cd meta-arm - git apply 0001-arm-bsp-trusted-firmware-m-corstone1000-Clean-Secure.patch + git apply 0001-embedded-a-corstone1000-clean-secure-flash.patch cd .. kas build meta-arm/kas/corstone1000-mps3.yml Replace the bl1.bin and cs1000.bin files on the SD card with following files: - The ROM firmware: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/bl1.bin - - The flash image: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic.nopt + - The flash image: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic Now reboot the board. This step erases the Corstone-1000 SecureEnclave flash completely, the user should expect following message from TF-M log (can be seen 
@@ -394,10 +426,16 @@ Then the user should follow "Building the software stack" to build a clean software stack and flash the FPGA as normal. And continue the testing. Run SystemReady-IR ACS tests -============================= +============================ + +Architecture Compliance Suite (ACS) is used to ensure architectural compliance +across different implementations of the architecture. Arm Enterprise ACS +includes a set of examples of the invariant behaviors that are provided by a +set of specifications for enterprise systems (For example: SBSA, SBBR, etc.), +so that implementers can verify if these behaviours have been interpreted correctly. ACS image contains two partitions. BOOT partition and RESULT partition. -Following packages are under BOOT partition +Following test suites and bootable applications are under BOOT partition: * SCT * FWTS @@ -406,12 +444,30 @@ Following packages are under BOOT partition * grub * uefi manual capsule application +BOOT partition contains the following: + +:: + + ├── EFI + │   └── BOOT + │   ├── app + │   ├── bbr + │   ├── bootaa64.efi + │   ├── bsa + │   ├── debug + │   ├── Shell.efi + │   └── startup.nsh + ├── grub + ├── grub.cfg + ├── Image + └── ramdisk-busybox.img + RESULT partition is used to store the test results. -PLEASE MAKE SURE THAT THE RESULT PARTITION IS EMPTY BEFORE YOU START THE TESTING. OTHERWISE THE TEST RESULTS +**NOTE**: PLEASE MAKE SURE THAT THE RESULT PARTITION IS EMPTY BEFORE YOU START THE TESTING. OTHERWISE THE TEST RESULTS WILL NOT BE CONSISTENT FPGA instructions for ACS image -================================ +=============================== This section describes how the user can build and run Architecture Compliance Suite (ACS) tests on Corstone-1000. 
@@ -449,10 +505,11 @@ Once the USB stick with ACS image is prepared, the user should make sure that ensure that only the USB stick with the ACS image is connected to the board, and then boot the board. -The FPGA will reset multiple times during the test, and it might take approx. 24-36 hours to finish the test. At the end of test, the FPGA host terminal will halt showing a shell prompt. Once test is finished the result can be copied following above instructions. +The FPGA will reset multiple times during the test, and it might take approx. 24-36 hours to finish the test. + FVP instructions for ACS image and run -============================================ +====================================== Download ACS image from: - ``https://gitlab.arm.com/systemready/acs/arm-systemready/-/tree/linux-5.17-rc7/IR/prebuilt_images/v22.04_1.0-Linux-v5.17-rc7`` @@ -487,7 +544,7 @@ Once test is finished, the FVP can be stoped, and result can be copied following instructions. Common to FVP and FPGA -=========================== +====================== U-Boot should be able to boot the grub bootloader from the 1st partition and if grub is not interrupted, tests are executed @@ -496,14 +553,13 @@ automatically in the following sequence: - SCT - UEFI BSA - FWTS - - BSA Linux The results can be fetched from the ``acs_results`` folder in the RESULT partition of the USB stick (FPGA) / SD Card (FVP). ##################################################### Manual capsule update and ESRT checks ---------------------------------------------------------------------- +------------------------------------- The following section describes running manual capsule update with the ``direct`` method. 
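Review bot: in the hunk at @@ -449,10 +505,11 @@ the sentences "At the end of test, the FPGA host terminal will halt showing a shell prompt" and "Once test is finished the result can be copied following above instructions" are removed without replacement, so the FPGA section no longer says how to recognise that a 24-36 hour run has finished or where results go, while the FVP section at @@ -487 keeps its equivalent sentence. Keep them, or point to the "Common to FVP and FPGA" section that describes the ``acs_results`` folder.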
@@ -518,63 +574,86 @@ incorrect capsule (corrupted or outdated) which fails to boot to the host softwa Check the "Run SystemReady-IR ACS tests" section above to download and unpack the ACS image file - ``ir_acs_live_image.img.xz`` -Download edk2 under <_workspace> : +Download edk2 under <_workspace>: :: git clone https://github.com/tianocore/edk2.git + cd edk2 + git checkout f2188fe5d1553ad1896e27b2514d2f8d0308da8a -********************* -Generating Capsules -********************* +Download systemready-patch repo under <_workspace>: +:: -The capsule binary size (wic.nopt file) should be less than 15 MB. + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.06 -Based on the user's requirement, the user can change the firmware version -number given to ``--fw-version`` option (the version number needs to be >= 1). +******************* +Generating Capsules +******************* Generating FPGA Capsules ======================== :: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_mps3_v5 --fw-version 5 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic.nopt + cd <_workspace>/build/tmp/deploy/images/corstone1000-mps3/ + sh <_workspace>/systemready-patch/embedded-a/corstone1000/capsule_gen/capsule_gen.sh -d mps3 + +This will generate a file called "corstone1000_image.nopt" which will be used to +generate a UEFI capsule. 
:: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_mps3_v6 --fw-version 6 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-image-corstone1000-mps3.wic.nopt + cd <_workspace> + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_mps3_v6 --fw-version 6 \ + --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index 0 \ + --verbose build/tmp/deploy/images/corstone1000-mps3/corstone1000_image.nopt + + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_mps3_v5 --fw-version 5 \ + --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index 0 \ + --verbose build/tmp/deploy/images/corstone1000-mps3/corstone1000_image.nopt Generating FVP Capsules -======================== +======================= :: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_fvp_v6 --fw-version 6 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.wic.nopt + cd <_workspace>/build/tmp/deploy/images/corstone1000-fvp/ + sh <_workspace>/systemready-patch/embedded-a/corstone1000/capsule_gen/capsule_gen.sh -d fvp + +This will generate a file called "corstone1000_image.nopt" which will be used to +generate a UEFI capsule. 
+ :: - <_workspace>/edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o \ - cs1k_cap_fvp_v5 --fw-version 5 --lsv 0 --guid \ - e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ - 0 --verbose <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.wic.nopt + cd <_workspace> + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_fvp_v6 \ + --fw-version 6 --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + 0 --verbose build/tmp/deploy/images/corstone1000-fvp/corstone1000_image.nopt -********************* + edk2/BaseTools/BinWrappers/PosixLike/GenerateCapsule -e -o cs1k_cap_fvp_v5 --fw-version 5 \ + --lsv 0 --guid e2bb9c06-70e9-4b14-97a3-5a7913176e3f --verbose --update-image-index \ + 0 --verbose build/tmp/deploy/images/corstone1000-fvp/corstone1000_image.nopt + + +Common Notes for FVP and FPGA +============================= + +The capsule binary size (wic file) should be less than 15 MB. + +Based on the user's requirement, the user can change the firmware version +number given to ``--fw-version`` option (the version number needs to be >= 1). + + +**************** Copying Capsules -********************* +**************** Copying the FPGA capsules ========================= -The user should prepare a USB stick as explained in ACS image section (see above). +The user should prepare a USB stick as explained in ACS image section `FPGA instructions for ACS image`_. Place the generated ``cs1k_cap`` files in the root directory of the boot partition in the USB stick. Note: As we are running the direct method, the ``cs1k_cap`` file should not be under the EFI/UpdateCapsule directory as this may or may not trigger 
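Review bot: the "Common Notes for FVP and FPGA" added in the hunk at @@ -518,63 +574,86 @@ still says "The capsule binary size (wic file) should be less than 15 MB", but the same hunk changes GenerateCapsule's input to the corstone1000_image.nopt produced by capsule_gen.sh; the size limit should name the file that is actually wrapped into the capsule. Also, edk2 is now pinned to commit f2188fe5d1553ad1896e27b2514d2f8d0308da8a with no comment on why that revision is needed, while systemready-patch is fetched by the mutable branch CORSTONE1000-2023.06; a one-line reason for the pin, and a tag or commit for the patch repository as well, would make the capsule tooling reproducible.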
@@ -612,7 +691,7 @@ Then, unmount the IR image: **NOTE:** -Size of first partition in the image file is calculated in the following way. The data is +The size of first partition in the image file is calculated in the following way. The data is just an example and might vary with different ir_acs_live_image.img files. :: @@ -632,21 +711,21 @@ During this section we will be using the capsule with the higher version (cs1k_c and the capsule with the lower version (cs1k_cap__v5) for the negative scenario. Running the FVP with the IR prebuilt image -============================================== +========================================== Run the FVP with the IR prebuilt image: :: - <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C "board.msd_mmc.p_mmc_file ${/ir_acs_live_image.img}" + <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C "board.msd_mmc.p_mmc_file=${/ir_acs_live_image.img}" Running the FPGA with the IR prebuilt image -============================================== +=========================================== Insert the prepared USB stick then Power cycle the MPS3 board. Executing capsule update for FVP and FPGA -============================================== +========================================= Reach u-boot then interrupt the boot to reach the EFI shell. 
@@ -687,14 +766,14 @@ Then, reboot manually: Shell> reset FPGA: Select Corstone-1000 Linux kernel boot -============================================== +============================================ Remove the USB stick before u-boot is reached so the Corstone-1000 kernel will be detected and used for booting. **NOTE:** Otherwise, the execution ends up in the ACS live image. FVP: Select Corstone-1000 Linux kernel boot -============================================== +=========================================== Interrupt the u-boot shell. @@ -708,15 +787,14 @@ Run the following commands in order to run the Corstone-1000 Linux kernel and be :: - $ run retrieve_kernel_load_addr $ unzip $kernel_addr 0x90000000 $ loadm 0x90000000 $kernel_addr_r 0xf00000 $ bootefi $kernel_addr_r $fdtcontroladdr -*********************** +********************* Capsule update status -*********************** +********************* Positive scenario ================= @@ -733,7 +811,8 @@ correctly. SysTick_Handler: counted = 30, expiring on = 360 ... metadata_write: success: active = 1, previous = 0 - accept_full_capsule: exit: fwu state is changed to regular + flash_full_capsule: exit + corstone1000_fwu_flash_image: exit: ret = 0 ... 
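Review bot: the hunk at @@ -708,15 +787,14 @@ removes `$ run retrieve_kernel_load_addr`, but the following `unzip $kernel_addr 0x90000000` still depends on ``$kernel_addr`` being set; the text should say where that variable is now defined, otherwise a reader following the steps literally runs unzip with an unset variable.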
@@ -775,15 +854,19 @@ see appropriate logs in the secure enclave terminal. ... uefi_capsule_retrieve_images: image 0 at 0xa0000070, size=15654928 uefi_capsule_retrieve_images: exit - flash_full_capsule: enter: image = 0x0xa0000070, size = 15654928, version = 10 + flash_full_capsule: enter: image = 0x0xa0000070, size = 7764541, version = 5 ERROR: flash_full_capsule: version error private_metadata_write: enter: boot_index = 1 private_metadata_write: success fmp_set_image_info:133 Enter FMP image update: image id = 0 - FMP image update: status = 1version=11 last_attempt_version=10. + FMP image update: status = 1version=6 last_attempt_version=5. fmp_set_image_info:157 Exit. corstone1000_fwu_flash_image: exit: ret = -1 + fmp_get_image_info:232 Enter + pack_image_info:207 ImageInfo size = 105, ImageName size = 34, ImageVersionName + size = 36 + fmp_get_image_info:236 Exit ... 
@@ -825,54 +908,96 @@ In the Linux command-line run the following: lowest_supported_fw_ver: 0 Linux distros tests ----------------------------------- +------------------- -*************************************************************************************** -Debian/OpenSUSE install and boot (applicable to FPGA only) -*************************************************************************************** +************************************************************* +Debian install and boot preparation (applicable to FPGA only) +************************************************************* + +There is a known issue in the `Shim 15.7 `__ +provided with the Debian installer image (see below). This bug causes a fatal +error when attempting to boot media installer for Debian, and it resets the MPS3 before installation starts. +A patch to be applied to the Corstone-1000 stack (only applicable when +installing Debian) is provided to +`Skip the Shim `__. +This patch makes U-Boot automatically bypass the Shim and run grub and allows +the user to proceed with a normal installation. If at the moment of reading this +document the problem is solved in the Shim, the user is encouraged to try the +corresponding new installer image. Otherwise, please apply the patch as +indicated by the instructions listed below. These instructions assume that the +user has already built the stack by following the build steps of this +documentation. -To test Linux distro install and boot, the user should prepare two empty USB sticks (minimum size should be 4GB and formatted with FAT32). +:: + + cd <_workspace> + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.06 + cp -f systemready-patch/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch meta-arm + cd meta-arm + git am 0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch + cd .. 
+ kas shell meta-arm/kas/corstone1000-mps3.yml -c="bitbake u-boot trusted-firmware-a corstone1000-image -c cleansstate; bitbake corstone1000-image" + +Please update the cs1000.bin on the SD card with the newly generated wic file. + +************************************************* +Debian/openSUSE install (applicable to FPGA only) +************************************************* + +To test Linux distro install and boot, the user should prepare two empty USB +sticks (minimum size should be 4GB and formatted with FAT32). Download one of following Linux distro images: - - Debian installer image: https://cdimage.debian.org/cdimage/weekly-builds/arm64/iso-dvd/ - - OpenSUSE Tumbleweed installer image: http://download.opensuse.org/ports/aarch64/tumbleweed/iso/ - - The user should look for a DVD Snapshot like openSUSE-Tumbleweed-DVD-aarch64-Snapshot-Media.iso + - `Debian 12.0.0 installer image `__ + - `OpenSUSE Tumbleweed installer image `__ -Once the .iso file is downloaded, the .iso file needs to be flashed to your USB drive. +**NOTE:** For OpenSUSE Tumbleweed, the user should look for a DVD Snapshot like +openSUSE-Tumbleweed-DVD-aarch64-Snapshot-Media.iso -In the given example here, we assume the USB device is ``/dev/sdb`` (the user -should use `lsblk` command to confirm). Be cautious here and don't confuse your -host PC's own hard drive with the USB drive. Then copy the contents of an iso -file into the first USB stick, run: +Once the iso file is downloaded, the iso file needs to be flashed to your USB +drive. This can be done with your development machine. + +In the example given below, we assume the USB device is ``/dev/sdb`` (the user +should use the `lsblk` command to confirm). + +**NOTE:** Please don't confuse your host PC's own hard drive with the USB drive. 
+Then, copy the contents of the iso file into the first USB stick by running the +following command in the development machine: :: sudo dd if= of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync; -Boot the MSP3 board with the first USB stick connected. Open following minicom sessions: +Unplug the first USB stick from the development machine and connect it to the +MSP3 board. At this moment, only the first USB stick should be connected. Open +the following picocom sessions in your development machine: :: sudo picocom -b 115200 /dev/ttyUSB0 # in one terminal sudo picocom -b 115200 /dev/ttyUSB2 # in another terminal. -Now plug in the second USB stick (once installation screen is visible), the distro installation process will start. The installation prompt can be seen in ttyUSB2. If installer does not start, please try to reboot the board with both USB sticks connected and repeat the process. +When the installation screen is visible in ttyUSB2, plug in the second USB stick +in the MPS3 and start the distro installation process. If the installer does not +start, please try to reboot the board with both USB sticks connected and repeat +the process. **NOTE:** Due to the performance limitation of Corstone-1000 MPS3 FPGA, the distro installation process can take up to 24 hours to complete. -Once installation is complete, unplug the first USB stick and reboot the board. -After successfully installing and booting the Linux distro, the user should see -a login prompt: - -:: +******************************************************* +Debian install clarifications (applicable to FPGA only) +******************************************************* - debian login: +As the installation process for Debian is different than the one for openSUSE, +Debian may need some extra steps, that are indicated below: -Login with the username root. +During Debian installation, please answer the following question: + - "Force GRUB installation to the EFI removable media path?" 
Yes + - "Update NVRAM variables to automatically boot into Debian?" No -**NOTE:** The Debian installer has a known issue "Install the GRUB bootloader - unable to install " and these are the steps to -follow on the subsequent popups to solve the issue during the installation: +If the grub installation fails, these are the steps to follow on the subsequent +popups: 1. Select "Continue", then "Continue" again on the next popup 2. Scroll down and select "Execute a shell" 
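Review bot: the added text in this documentation hunk calls the board "MSP3" ("connect it to the MSP3 board", and earlier "Boot the MSP3 board") while the rest of the same hunk and the section titles say "MPS3"; fix the new lines to MPS3 so a reader searching the document finds one name. Two smaller points in the same hunk: the picocom commands assume the board enumerates as `/dev/ttyUSB0` and `/dev/ttyUSB2`, which depends on what else is attached to the development machine, so a sentence telling the reader to confirm with `ls /dev/ttyUSB*` (or `dmesg`) would save confusion; and the `dd ... of=/dev/sdb` example is destructive if the device name is wrong, so the new NOTE about not confusing the host disk is good but would be stronger placed directly above the command rather than a paragraph earlier.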
@@ -898,19 +1023,59 @@ follow on the subsequent popups to solve the issue during the installation: 7. Select "Continue without boot loader", then select "Continue" on the next popup 8. At this stage, the installation should proceed as normal. -*************************************************************************************** +***************************************************************** +Debian/openSUSE boot after installation (applicable to FPGA only) +***************************************************************** + +Once the installation is complete, unplug the first USB stick and reboot the +board. +The board will then enter recovery mode, from which the user can access a shell +after entering the password for the root user. Proceed to edit the following +files accordingly: + +:: + + vi /etc/systemd/system.conf + DefaultDeviceTimeoutSec=infinity + +The file to be editted next is different depending on the installed distro: + +:: + + vi /etc/login.defs # Only applicable to Debian + vi /usr/etc/login.defs # Only applicable to openSUSE + LOGIN_TIMEOUT 180 + +To make sure the changes are applied, please run: + +:: + + systemctl daemon-reload + +After applying the previous commands, please reboot the board. The user should +see a login prompt after booting, for example, for debian: + +:: + + debian login: + +Login with the username root and its corresponding password (already set at +installation time). 
+ +************************************************************ OpenSUSE Raw image install and boot (applicable to FVP only) -*************************************************************************************** +************************************************************ -Steps to download openSUSE Tumbleweed raw image: - - Go to: http://download.opensuse.org/ports/aarch64/tumbleweed/appliances/ - - The user should look for a Tumbleweed-ARM-JeOS-efi.aarch64-* Snapshot, for example, ``openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64--Snapshot.raw.xz`` +Steps to download OpenSUSE Tumbleweed raw image: + - Under `OpenSUSE Tumbleweed appliances `__ + - The user should look for a Tumbleweed-ARM-JeOS-efi.aarch64-* Snapshot, for example, + ``openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64--Snapshot.raw.xz`` Once the .raw.xz file is downloaded, the raw image file needs to be extracted: :: - unxz + unxz The above command will generate a file ending with extension .raw image. Now, use the following command 
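Review bot: the `/etc/systemd/system.conf` snippet in the "Debian/openSUSE boot after installation" hunk shows `DefaultDeviceTimeoutSec=infinity` without the section it belongs to; systemd only honours that key under `[Manager]` and logs "Assignment outside of section. Ignoring." for a bare assignment, so the snippet should show the `[Manager]` header followed by the key. The `LOGIN_TIMEOUT 180` edit to login.defs needs no such header, but the hunk should say whether the line already exists and is to be changed, or is to be appended, since the two files differ between the distros as the text notes. Also, the section now tells the user to log in as root with the password set at installation time; pointing out that the earlier "Login with the username root" text was removed from the installation section avoids readers looking for it there.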
@@ -918,23 +1083,23 @@ to run FVP with raw image installation process. :: -<_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C board.msd_mmc.p_mmc_file="${openSUSE raw image file path}" + <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C board.msd_mmc.p_mmc_file="${openSUSE raw image file path}" After successfully installing and booting the Linux distro, the user should see a openSUSE login prompt. :: - localhost login: + localhost login: Login with the username 'root' and password 'linux'. PSA API tests ----------------------- +------------- -*************************************************************************************** +*********************************************************** Run PSA API test commands (applicable to both FPGA and FVP) -*************************************************************************************** +*********************************************************** When running PSA API test commands (aka PSA Arch Tests) on MPS3 FPGA, the user should make sure there is no USB stick connected to the board. Power on the board and boot the board to @@ -948,7 +1113,7 @@ First, load FF-A TEE kernel module: :: - insmod /lib/modules/5.19.14-yocto-standard/extra/arm-ffa-tee.ko + insmod /lib/modules/6.1.32-yocto-standard/extra/arm-ffa-tee.ko Then, check whether the FF-A TEE driver is loaded correctly by using the following command: @@ -960,7 +1125,7 @@ The output should be: :: - arm_ffa_tee 16384 - - Live 0xffffffc0004f0000 (O) + arm_ffa_tee 16384 - - Live 0xffffffc000510000 (O) Now, run the PSA API tests in the following order: 
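Review bot: the insmod line in the PSA API test hunk hard-codes the kernel version for the second time in this file's history (`5.19.14-yocto-standard` becomes `6.1.32-yocto-standard`), so the instruction breaks on every kernel bump; `insmod /lib/modules/$(uname -r)/extra/arm-ffa-tee.ko`, or `modprobe arm-ffa-tee` since the module lives under the modules tree, keeps the document valid across releases. The expected `lsmod` output with the fixed `Live 0xffffffc000510000` address has the same problem: the load address is build-specific, so the text should say the address varies rather than print one the reader will not see.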
@@ -971,15 +1136,17 @@ Now, run the PSA API tests in the following order: psa-its-api-test psa-ps-api-test +**NOTE:** The psa-crypto-api-test takes between 30 minutes to 1 hour to run. + External System tests ------------------------------------ +--------------------- -*************************************************************************************** +************************************************************** Running the External System test command (systems-comms-tests) -*************************************************************************************** +************************************************************** Test 1: Releasing the External System out of reset -=================================================== +================================================== Run this command in the Linux command-line: @@ -1004,7 +1171,7 @@ The output on the External System terminal should be: MHUv2 module 'MHU1_SE' started Test 2: Communication -============================================= +===================== Test 2 releases the External System out of reset if not already done. Then, it performs communication between host and External System. @@ -1014,7 +1181,7 @@ After running Test 1, run this command in the Linux command-line: systems-comms-tests 2 -Additional output on the External System terminal will be printed: +Additional output on the External System terminal will be printed: :: 
@@ -1058,13 +1225,13 @@ The output on the Host terminal should be: Tests results ------------------------------------ +------------- -As a reference for the end user, reports for various tests for `Corstone-1000 software (CORSTONE1000-2022.11.23) `__ -can be found in `here `__. +As a reference for the end user, reports for various tests for `Corstone-1000 software (CORSTONE1000-2023.06) `__ +can be found `here `__. Running the software on FVP on Windows ---------------------------------------------------------------- +-------------------------------------- If the user needs to run the Corstone-1000 software on FVP on Windows. The user should follow the build instructions in this document to build on Linux host @@ -1073,6 +1240,7 @@ and launch the FVP binary. -------------- -*Copyright (c) 2022, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* .. _Arm Ecosystem FVPs: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps +.. _U-Boot repo: https://github.com/u-boot/u-boot.git diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/n1sdp/0001-Reserve-OP-TEE-memory-from-nwd.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/n1sdp/0001-Reserve-OP-TEE-memory-from-nwd.patch new file mode 100644 index 0000000000..2c634e350f --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/n1sdp/0001-Reserve-OP-TEE-memory-from-nwd.patch 
@@ -0,0 +1,41 @@ +From 2d305094f8f500362079e9e7637d46129bf980e4 Mon Sep 17 00:00:00 2001 +From: Adam Johnston +Date: Tue, 25 Jul 2023 16:05:51 +0000 +Subject: [PATCH] n1sdp: Reserve OP-TEE memory from NWd + +The physical memory which is used to run OP-TEE on the N1SDP is known +to the secure world via TOS_FW_CONFIG, but it may not be known to the +normal world. + +As a precaution, explicitly reserve this memory via NT_FW_CONFIG to +prevent the normal world from using it. This is not required on most +platforms as the Trusted OS is run from secure RAM. + +Upstream-Status: Pending (not yet submited to upstream) +Signed-off-by: Adam Johnston +--- + plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts b/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts +index da5e04ddb6..b7e2d4e86f 100644 +--- a/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts ++++ b/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts +@@ -20,4 +20,16 @@ + local-ddr-size = <0x0>; + remote-ddr-size = <0x0>; + }; ++ ++ reserved-memory { ++ #address-cells = <2>; ++ #size-cells = <2>; ++ ranges; ++ ++ optee@0x08000000 { ++ compatible = "removed-dma-pool"; ++ reg = <0x0 0x08000000 0x0 0x02000000>; ++ no-map; ++ }; ++ }; + }; +\ No newline at end of file diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc index 008103469e..2b85b9dbd1 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc 
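Review bot: the node name `optee@0x08000000` in the n1sdp_nt_fw_config.dts hunk uses a `0x` prefix in the unit address, which the device tree naming rules do not allow and which `dtc` reports as a unit_address_format warning; rename it `optee@8000000` to match the `reg` base. The commit message also frames this as a precaution because the normal world "may not" know the region: a `reserved-memory` node with `no-map` only stops a cooperating Linux from mapping or allocating that range, it is not a protection boundary, so the message should state that isolation of the OP-TEE pages still comes from the secure-side configuration (TOS_FW_CONFIG and whatever memory protection the platform applies) and that this node merely prevents accidental overlap. Minor: "submited" in the Upstream-Status line, and git flags the missing trailing newline on the .dts.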
@@ -37,6 +37,7 @@ EXTRA_OEMAKE:append = " \ NR_OF_IMAGES_IN_FW_BANK=4 \ COT=tbbr \ ARM_ROTPK_LOCATION=devel_rsa \ + ERRATA_A35_855472=1 \ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ BL32=${RECIPE_SYSROOT}/lib/firmware/tee-pager_v2.bin \ LOG_LEVEL=50 \ diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc index f4ebcc1c5f..654e43270f 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc @@ -9,6 +9,12 @@ TFA_MBEDTLS = "1" TFA_UBOOT = "0" TFA_UEFI = "1" +FILESEXTRAPATHS:prepend := "${THISDIR}/files/n1sdp:" + +SRC_URI:append = " \ + file://0001-Reserve-OP-TEE-memory-from-nwd.patch \ + " + TFA_ROT_KEY= "plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem" # Enabling Secure-EL1 Payload Dispatcher (SPD) diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-efi_boottime-allow-to-reset-a-path-after-boot.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-efi_boottime-allow-to-reset-a-path-after-boot.patch deleted file mode 100644 index 5c053974d1..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-efi_boottime-allow-to-reset-a-path-after-boot.patch +++ /dev/null 
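Review bot: `ERRATA_A35_855472=1` is appended to the corstone1000 EXTRA_OEMAKE block with no comment, unlike the surrounding settings; record which Cortex-A35 revision the workaround targets so the flag can be dropped deliberately later rather than lingering. In the same block the visible context lines `ARM_ROTPK_LOCATION=devel_rsa` and `ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem`, and the identical `TFA_ROT_KEY` in the n1sdp hunk below, select the development root-of-trust key shipped in the TF-A source tree; with `COT=tbbr` the trusted-boot chain is then anchored to a publicly known private key, which is fine for development images but deserves an explicit comment so nobody mistakes these recipes for a production signing configuration.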
@@ -1,31 +0,0 @@ -From eb8e224290149fd39ca4b3a774abef2e31237943 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Wed, 1 Feb 2023 16:11:25 +0000 -Subject: [PATCH 34/42] efi_boottime: allow to reset a path after boot - -Allow to install multiple protocol interfaces in an -already installed root interface. -This may need to be fix in other way, but for now -looks like the get away fix. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - lib/efi_loader/efi_boottime.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c -index fea4eb7a34..90f43ff9a6 100644 ---- a/lib/efi_loader/efi_boottime.c -+++ b/lib/efi_loader/efi_boottime.c -@@ -2669,7 +2669,6 @@ efi_install_multiple_protocol_interfaces_int(efi_handle_t *handle, - EFI_PRINT("Path %pD already installed\n", - protocol_interface); - ret = EFI_ALREADY_STARTED; -- break; - } - } - ret = EFI_CALL(efi_install_protocol_interface(handle, protocol, --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-fwu_metadata-make-sure-structures-are-packed.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-fwu_metadata-make-sure-structures-are-packed.patch new file mode 100644 index 0000000000..fedc1f2e1b --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0034-fwu_metadata-make-sure-structures-are-packed.patch 
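Review bot: dropping 0034-efi_boottime-allow-to-reset-a-path-after-boot.patch removes a workaround that deleted the `break;` after `ret = EFI_ALREADY_STARTED;`, i.e. the build will again stop installing interfaces once a protocol path is found to be already installed; the deleted patch's own message admitted it was a "get away fix", which is the right reason to remove it, but nothing in this series says whether the duplicate-install problem it papered over was fixed elsewhere or simply no longer triggers. One sentence in the subtree update summary stating which of the two applies would let a later bisect make sense of a regression here.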
@@ -0,0 +1,50 @@ +From ac77679ffcb4b7fac01414c1492d3e1aae13f9be Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Wed, 1 Feb 2023 16:13:24 +0000 +Subject: [PATCH 35/42] fwu_metadata: make sure structures are packed + +The fwu metadata in the metadata partitions +should/are packed to guarantee that the info is +correct in all platforms. Also the size of them +are used to calculate the crc32 and that is important +to get it right. + +Upstream-Status: Pending +Signed-off-by: Rui Miguel Silva +--- + include/fwu_mdata.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/fwu_mdata.h b/include/fwu_mdata.h +index 8fda4f4ac2..c61221a917 100644 +--- a/include/fwu_mdata.h ++++ b/include/fwu_mdata.h +@@ -22,7 +22,7 @@ struct fwu_image_bank_info { + efi_guid_t image_uuid; + uint32_t accepted; + uint32_t reserved; +-}; ++} __packed; + + /** + * struct fwu_image_entry - information for a particular type of image +@@ -38,7 +38,7 @@ struct fwu_image_entry { + efi_guid_t image_type_uuid; + efi_guid_t location_uuid; + struct fwu_image_bank_info img_bank_info[CONFIG_FWU_NUM_BANKS]; +-}; ++} __packed; + + /** + * struct fwu_mdata - FWU metadata structure for multi-bank updates +@@ -62,6 +62,6 @@ struct fwu_mdata { + uint32_t previous_active_index; + + struct fwu_image_entry img_entry[CONFIG_FWU_NUM_IMAGES_PER_BANK]; +-}; ++} __packed; + + #endif /* _FWU_MDATA_H_ */ +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-corstone1000-add-boot-index.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-corstone1000-add-boot-index.patch new file mode 100644 index 0000000000..d9568563e6 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-corstone1000-add-boot-index.patch 
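Review bot: adding `__packed` to fwu_image_bank_info, fwu_image_entry and fwu_mdata changes the byte layout the crc32 is computed over, as the commit message says, so FWU metadata written by a U-Boot built before this patch may fail the CRC check after it, and the reverse; the commit message should state that the on-flash format is affected and whether existing boards need their metadata partitions regenerated. It would also help to state whether `sizeof(struct fwu_mdata)` actually changes for this target: if the compiler inserted no padding before, the crc32 justification is moot and the attribute is there for portability only, which is still worth having but is a different claim.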
@@ -0,0 +1,33 @@ +From 92948559987d02baf9f690d9bbdc96d1179264ef Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Wed, 1 Feb 2023 16:15:30 +0000 +Subject: [PATCH 36/42] corstone1000: add boot index + +it is expected that the firmware that runs before +u-boot somehow provide the information of the bank +(index) of it is booting. +We will need to extend tf-a to pass that info, +meanwhile just set it to the default bank. + +Upstream-Status: Pending +Signed-off-by: Rui Miguel Silva +--- + board/armltd/corstone1000/corstone1000.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c +index d6ca6e8961..0a58ccd99c 100644 +--- a/board/armltd/corstone1000/corstone1000.c ++++ b/board/armltd/corstone1000/corstone1000.c +@@ -106,6 +106,7 @@ int dram_init_banksize(void) + return 0; + } + +-void reset_cpu(ulong addr) ++void fwu_plat_get_bootidx(int *boot_idx) + { ++ *boot_idx = 0; + } +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-fwu_metadata-make-sure-structures-are-packed.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-fwu_metadata-make-sure-structures-are-packed.patch deleted file mode 100644 index fedc1f2e1b..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0035-fwu_metadata-make-sure-structures-are-packed.patch +++ /dev/null 
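Review bot: the hunk replaces `void reset_cpu(ulong addr)` with `fwu_plat_get_bootidx()`, but the commit message only mentions adding the boot index; say explicitly that reset_cpu() is removed and what provides reset afterwards (patch 0037 in this series turns on `CONFIG_SYSRESET=y`, which is presumably the answer, so the two should be described together or ordered so the tree builds and resets at every step). Hard-coding `*boot_idx = 0;` means the FWU code will always believe bank 0 booted even when the earlier firmware started bank 1, so trial-update acceptance and rollback cannot behave correctly until the TF-A handover the message promises exists; the interim nature is stated, but a comment at the assignment would stop the stub surviving unnoticed. Also check the parameter type against the `fwu_plat_get_bootidx` prototype in include/fwu.h, which takes an unsigned index in mainline; the later 0039 patch stores the value in an `int` as well.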
@@ -1,50 +0,0 @@ -From ac77679ffcb4b7fac01414c1492d3e1aae13f9be Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Wed, 1 Feb 2023 16:13:24 +0000 -Subject: [PATCH 35/42] fwu_metadata: make sure structures are packed - -The fwu metadata in the metadata partitions -should/are packed to guarantee that the info is -correct in all platforms. Also the size of them -are used to calculate the crc32 and that is important -to get it right. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - include/fwu_mdata.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/include/fwu_mdata.h b/include/fwu_mdata.h -index 8fda4f4ac2..c61221a917 100644 ---- a/include/fwu_mdata.h -+++ b/include/fwu_mdata.h -@@ -22,7 +22,7 @@ struct fwu_image_bank_info { - efi_guid_t image_uuid; - uint32_t accepted; - uint32_t reserved; --}; -+} __packed; - - /** - * struct fwu_image_entry - information for a particular type of image -@@ -38,7 +38,7 @@ struct fwu_image_entry { - efi_guid_t image_type_uuid; - efi_guid_t location_uuid; - struct fwu_image_bank_info img_bank_info[CONFIG_FWU_NUM_BANKS]; --}; -+} __packed; - - /** - * struct fwu_mdata - FWU metadata structure for multi-bank updates -@@ -62,6 +62,6 @@ struct fwu_mdata { - uint32_t previous_active_index; - - struct fwu_image_entry img_entry[CONFIG_FWU_NUM_IMAGES_PER_BANK]; --}; -+} __packed; - - #endif /* _FWU_MDATA_H_ */ --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-add-boot-index.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-add-boot-index.patch deleted file mode 100644 index d9568563e6..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-add-boot-index.patch +++ /dev/null 
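Review bot: from here to the end of the series the files 0035 to 0039 appear as delete-plus-add pairs with byte-identical contents (0035-fwu_metadata becomes 0034, 0036-corstone1000-add-boot-index becomes 0035, 0037-adjust-boot-bank becomes 0036, 0038-nvmxip-fwu-mdata-gpt becomes 0037, 0039-nvmxip-move-header becomes 0038), which is only a renumbering after 0034-efi_boottime was dropped; generating the diff with rename detection (`git diff -M` / `git format-patch -M`) would collapse each pair into a one-line 100% rename and leave the genuinely new content (0039-set-kernel_addr onward) visible at a glance.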
@@ -1,33 +0,0 @@ -From 92948559987d02baf9f690d9bbdc96d1179264ef Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Wed, 1 Feb 2023 16:15:30 +0000 -Subject: [PATCH 36/42] corstone1000: add boot index - -it is expected that the firmware that runs before -u-boot somehow provide the information of the bank -(index) of it is booting. -We will need to extend tf-a to pass that info, -meanwhile just set it to the default bank. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - board/armltd/corstone1000/corstone1000.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c -index d6ca6e8961..0a58ccd99c 100644 ---- a/board/armltd/corstone1000/corstone1000.c -+++ b/board/armltd/corstone1000/corstone1000.c -@@ -106,6 +106,7 @@ int dram_init_banksize(void) - return 0; - } - --void reset_cpu(ulong addr) -+void fwu_plat_get_bootidx(int *boot_idx) - { -+ *boot_idx = 0; - } --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-adjust-boot-bank-and-kernel-location.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-adjust-boot-bank-and-kernel-location.patch new file mode 100644 index 0000000000..277e988b3f --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0036-corstone1000-adjust-boot-bank-and-kernel-location.patch 
@@ -0,0 +1,36 @@ +From 1a54c12aa6eed28a1a4e4f50d1aeb92a31cf6f52 Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Wed, 1 Feb 2023 16:17:21 +0000 +Subject: [PATCH 37/42] corstone1000: adjust boot bank and kernel location + +Adjust in the env boot script the address of the +bootbank with the new gpt layout, and also the +kernel partition address. Please be aware that +this is hack and needs a proper fix, since the +offset of the kernel partition is not fixed, +but for the propose of PoC it is enough for testing. + +Upstream-Status: Pending +Signed-off-by: Rui Miguel Silva +--- + board/armltd/corstone1000/corstone1000.env | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/board/armltd/corstone1000/corstone1000.env b/board/armltd/corstone1000/corstone1000.env +index b24ff07fc6..a6ee496221 100644 +--- a/board/armltd/corstone1000/corstone1000.env ++++ b/board/armltd/corstone1000/corstone1000.env +@@ -1,8 +1,8 @@ + /* SPDX-License-Identifier: GPL-2.0+ */ + + usb_pgood_delay=250 +-boot_bank_flag=0x08002000 +-kernel_addr_bank_0=0x083EE000 ++boot_bank_flag=0x08005006 ++kernel_addr_bank_0=0x08280000 + kernel_addr_bank_1=0x0936E000 + retrieve_kernel_load_addr= + if itest.l *${boot_bank_flag} == 0; then +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch new file mode 100644 index 0000000000..a0f2bb16f5 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch 
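Review bot: `boot_bank_flag=0x08005006` is dereferenced with `itest.l *${boot_bank_flag}`, a 32-bit read at an address that is only 2-byte aligned; if that offset is the intended field in the new GPT/FWU metadata layout, either the access width should be `itest.w` or the address is off, and a comment naming the metadata field it points at would let a reviewer verify it. The message itself calls the fixed kernel offsets a hack for PoC testing, and patch 0039 in this same series replaces them with values derived from the partition table; consider squashing so the hack never lands in the tree, or at least leave `boot_bank_flag` with a TODO since 0039 keeps it.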
@@ -0,0 +1,100 @@ +From 5e0b7e40c4702d5494378d3e120fce0136f69a79 Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Fri, 9 Jun 2023 13:28:06 +0100 +Subject: [PATCH 38/42] corstone1000: add nvmxip, fwu-mdata and gpt options + +Enable the newest features: nvmxip, fwu-metadata and +gpt. Commands to print the partition info, gpt info +and fwu metadata will be available. + +Upstream-Status: Pending +Signed-off-by: Rui Miguel Silva +--- + configs/corstone1000_defconfig | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig +index 1179bf5f3b..c38113ce95 100644 +--- a/configs/corstone1000_defconfig ++++ b/configs/corstone1000_defconfig +@@ -4,18 +4,20 @@ CONFIG_TARGET_CORSTONE1000=y + CONFIG_TEXT_BASE=0x80000000 + CONFIG_SYS_MALLOC_LEN=0x2000000 + CONFIG_NR_DRAM_BANKS=1 ++CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y ++CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x83f00000 ++CONFIG_DM_GPIO=y + CONFIG_DEFAULT_DEVICE_TREE="corstone1000-mps3" + CONFIG_SYS_PROMPT="corstone1000# " + CONFIG_IDENT_STRING=" corstone1000 aarch64 " + CONFIG_SYS_LOAD_ADDR=0x82100000 ++CONFIG_FWU_NUM_IMAGES_PER_BANK=4 + CONFIG_DISTRO_DEFAULTS=y +-CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y +-CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x83f00000 + CONFIG_FIT=y + CONFIG_BOOTDELAY=3 + CONFIG_USE_BOOTARGS=y + CONFIG_BOOTARGS="console=ttyAMA0 loglevel=9 ip=dhcp earlyprintk" +-CONFIG_BOOTCOMMAND="run retrieve_kernel_load_addr; echo Loading kernel from $kernel_addr to memory ... ; unzip $kernel_addr 0x90000000; loadm 0x90000000 $kernel_addr_r 0xf00000; usb start; usb reset; run distro_bootcmd; bootefi $kernel_addr_r $fdtcontroladdr;" ++CONFIG_BOOTCOMMAND="echo Loading kernel from $kernel_addr to memory ... 
; unzip $kernel_addr 0x90000000; loadm 0x90000000 $kernel_addr_r 0xf00000; usb start; usb reset; run distro_bootcmd; bootefi $kernel_addr_r $fdtcontroladdr;" + CONFIG_CONSOLE_RECORD=y + CONFIG_LOGLEVEL=7 + # CONFIG_DISPLAY_CPUINFO is not set +@@ -23,11 +25,15 @@ CONFIG_LOGLEVEL=7 + CONFIG_SYS_MAXARGS=64 + CONFIG_SYS_CBSIZE=512 + # CONFIG_CMD_CONSOLE is not set ++CONFIG_CMD_FWU_METADATA=y + CONFIG_CMD_BOOTZ=y + CONFIG_SYS_BOOTM_LEN=0x800000 + # CONFIG_CMD_XIMG is not set ++CONFIG_CMD_GPT=y ++# CONFIG_RANDOM_UUID is not set + CONFIG_CMD_LOADM=y + # CONFIG_CMD_LOADS is not set ++CONFIG_CMD_MMC=y + CONFIG_CMD_USB=y + # CONFIG_CMD_SETEXPR is not set + # CONFIG_CMD_NFS is not set +@@ -39,27 +45,30 @@ CONFIG_OF_CONTROL=y + CONFIG_VERSION_VARIABLE=y + CONFIG_NET_RANDOM_ETHADDR=y + CONFIG_REGMAP=y +-CONFIG_MISC=y ++CONFIG_ARM_FFA_TRANSPORT=y + CONFIG_CLK=y +-CONFIG_CMD_MMC=y +-CONFIG_DM_MMC=y ++CONFIG_FWU_MDATA=y ++CONFIG_FWU_MDATA_GPT_BLK=y ++CONFIG_MISC=y + CONFIG_ARM_PL180_MMCI=y +-CONFIG_MMC_SDHCI_ADMA_HELPERS=y +-CONFIG_MMC_WRITE=y +-CONFIG_DM_GPIO=y + CONFIG_PHYLIB=y + CONFIG_PHY_SMSC=y + CONFIG_SMC911X=y ++CONFIG_NVMXIP_QSPI=y + CONFIG_PHY=y + CONFIG_RAM=y + CONFIG_DM_RTC=y + CONFIG_RTC_EMULATION=y + CONFIG_DM_SERIAL=y ++CONFIG_SYSRESET=y + CONFIG_USB=y + CONFIG_USB_ISP1760=y + CONFIG_ERRNO_STR=y + CONFIG_EFI_MM_COMM_TEE=y + CONFIG_ARM_FFA_TRANSPORT=y + CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y ++CONFIG_EFI_CAPSULE_ON_DISK=y ++CONFIG_EFI_IGNORE_OSINDICATIONS=y + CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y +-CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y ++CONFIG_FWU_MULTI_BANK_UPDATE=y ++# CONFIG_TOOLS_MKEFICAPSULE is not set +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-adjust-boot-bank-and-kernel-location.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-adjust-boot-bank-and-kernel-location.patch deleted file mode 100644 index 277e988b3f..0000000000 
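Review bot: `CONFIG_ARM_FFA_TRANSPORT=y` is added after `CONFIG_REGMAP=y` while the same symbol is still present as unchanged context below `CONFIG_EFI_MM_COMM_TEE=y`, so the defconfig now carries it twice; regenerate with savedefconfig to drop the duplicate. On the security side, `CONFIG_EFI_CAPSULE_ON_DISK=y` combined with `CONFIG_EFI_IGNORE_OSINDICATIONS=y` makes U-Boot process any capsule found in the ESP's EFI/UpdateCapsule directory on every boot without the OS having requested an update, and this same defconfig enables USB boot media, so whoever can write that directory can trigger a firmware update attempt; the commit message should state that capsule authentication stays enforced for this board and why OsIndications has to be ignored (typically because the platform has no EFI variable store the OS can set it in). Finally, `CONFIG_BOOTCOMMAND` drops `run retrieve_kernel_load_addr` while the env script defining it is only deleted in 0039, which is harmless but worth mentioning in the message.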
--- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0037-corstone1000-adjust-boot-bank-and-kernel-location.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 1a54c12aa6eed28a1a4e4f50d1aeb92a31cf6f52 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Wed, 1 Feb 2023 16:17:21 +0000 -Subject: [PATCH 37/42] corstone1000: adjust boot bank and kernel location - -Adjust in the env boot script the address of the -bootbank with the new gpt layout, and also the -kernel partition address. Please be aware that -this is hack and needs a proper fix, since the -offset of the kernel partition is not fixed, -but for the propose of PoC it is enough for testing. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - board/armltd/corstone1000/corstone1000.env | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/board/armltd/corstone1000/corstone1000.env b/board/armltd/corstone1000/corstone1000.env -index b24ff07fc6..a6ee496221 100644 ---- a/board/armltd/corstone1000/corstone1000.env -+++ b/board/armltd/corstone1000/corstone1000.env -@@ -1,8 +1,8 @@ - /* SPDX-License-Identifier: GPL-2.0+ */ - - usb_pgood_delay=250 --boot_bank_flag=0x08002000 --kernel_addr_bank_0=0x083EE000 -+boot_bank_flag=0x08005006 -+kernel_addr_bank_0=0x08280000 - kernel_addr_bank_1=0x0936E000 - retrieve_kernel_load_addr= - if itest.l *${boot_bank_flag} == 0; then --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch deleted file mode 100644 index a0f2bb16f5..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 5e0b7e40c4702d5494378d3e120fce0136f69a79 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Fri, 9 Jun 2023 13:28:06 +0100 -Subject: [PATCH 38/42] corstone1000: add nvmxip, fwu-mdata and gpt options - -Enable the newest features: nvmxip, fwu-metadata and -gpt. Commands to print the partition info, gpt info -and fwu metadata will be available. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - configs/corstone1000_defconfig | 29 +++++++++++++++++++---------- - 1 file changed, 19 insertions(+), 10 deletions(-) - -diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig -index 1179bf5f3b..c38113ce95 100644 ---- a/configs/corstone1000_defconfig -+++ b/configs/corstone1000_defconfig -@@ -4,18 +4,20 @@ CONFIG_TARGET_CORSTONE1000=y - CONFIG_TEXT_BASE=0x80000000 - CONFIG_SYS_MALLOC_LEN=0x2000000 - CONFIG_NR_DRAM_BANKS=1 -+CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y -+CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x83f00000 -+CONFIG_DM_GPIO=y - CONFIG_DEFAULT_DEVICE_TREE="corstone1000-mps3" - CONFIG_SYS_PROMPT="corstone1000# " - CONFIG_IDENT_STRING=" corstone1000 aarch64 " - CONFIG_SYS_LOAD_ADDR=0x82100000 -+CONFIG_FWU_NUM_IMAGES_PER_BANK=4 - CONFIG_DISTRO_DEFAULTS=y --CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y --CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x83f00000 - CONFIG_FIT=y - CONFIG_BOOTDELAY=3 - CONFIG_USE_BOOTARGS=y - CONFIG_BOOTARGS="console=ttyAMA0 loglevel=9 ip=dhcp earlyprintk" --CONFIG_BOOTCOMMAND="run retrieve_kernel_load_addr; echo Loading kernel from $kernel_addr to memory ... ; unzip $kernel_addr 0x90000000; loadm 0x90000000 $kernel_addr_r 0xf00000; usb start; usb reset; run distro_bootcmd; bootefi $kernel_addr_r $fdtcontroladdr;" -+CONFIG_BOOTCOMMAND="echo Loading kernel from $kernel_addr to memory ... 
; unzip $kernel_addr 0x90000000; loadm 0x90000000 $kernel_addr_r 0xf00000; usb start; usb reset; run distro_bootcmd; bootefi $kernel_addr_r $fdtcontroladdr;" - CONFIG_CONSOLE_RECORD=y - CONFIG_LOGLEVEL=7 - # CONFIG_DISPLAY_CPUINFO is not set -@@ -23,11 +25,15 @@ CONFIG_LOGLEVEL=7 - CONFIG_SYS_MAXARGS=64 - CONFIG_SYS_CBSIZE=512 - # CONFIG_CMD_CONSOLE is not set -+CONFIG_CMD_FWU_METADATA=y - CONFIG_CMD_BOOTZ=y - CONFIG_SYS_BOOTM_LEN=0x800000 - # CONFIG_CMD_XIMG is not set -+CONFIG_CMD_GPT=y -+# CONFIG_RANDOM_UUID is not set - CONFIG_CMD_LOADM=y - # CONFIG_CMD_LOADS is not set -+CONFIG_CMD_MMC=y - CONFIG_CMD_USB=y - # CONFIG_CMD_SETEXPR is not set - # CONFIG_CMD_NFS is not set -@@ -39,27 +45,30 @@ CONFIG_OF_CONTROL=y - CONFIG_VERSION_VARIABLE=y - CONFIG_NET_RANDOM_ETHADDR=y - CONFIG_REGMAP=y --CONFIG_MISC=y -+CONFIG_ARM_FFA_TRANSPORT=y - CONFIG_CLK=y --CONFIG_CMD_MMC=y --CONFIG_DM_MMC=y -+CONFIG_FWU_MDATA=y -+CONFIG_FWU_MDATA_GPT_BLK=y -+CONFIG_MISC=y - CONFIG_ARM_PL180_MMCI=y --CONFIG_MMC_SDHCI_ADMA_HELPERS=y --CONFIG_MMC_WRITE=y --CONFIG_DM_GPIO=y - CONFIG_PHYLIB=y - CONFIG_PHY_SMSC=y - CONFIG_SMC911X=y -+CONFIG_NVMXIP_QSPI=y - CONFIG_PHY=y - CONFIG_RAM=y - CONFIG_DM_RTC=y - CONFIG_RTC_EMULATION=y - CONFIG_DM_SERIAL=y -+CONFIG_SYSRESET=y - CONFIG_USB=y - CONFIG_USB_ISP1760=y - CONFIG_ERRNO_STR=y - CONFIG_EFI_MM_COMM_TEE=y - CONFIG_ARM_FFA_TRANSPORT=y - CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y -+CONFIG_EFI_CAPSULE_ON_DISK=y -+CONFIG_EFI_IGNORE_OSINDICATIONS=y - CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y --CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y -+CONFIG_FWU_MULTI_BANK_UPDATE=y -+# CONFIG_TOOLS_MKEFICAPSULE is not set --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-nvmxip-move-header-to-include.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-nvmxip-move-header-to-include.patch new file mode 100644 index 0000000000..b745fe9b6b --- /dev/null 
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0038-nvmxip-move-header-to-include.patch @@ -0,0 +1,42 @@ +From d280414229d7bbee368f40be6cde17e4f251dd0f Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Fri, 9 Jun 2023 13:31:53 +0100 +Subject: [PATCH 39/42] nvmxip: move header to include + +Move header to include to allow external code +to get the internal bdev structures to access +block device operations. + +as at it, just add the UCLASS_NVMXIP string +so we get the correct output in partitions +listing. + +Upstream-Status: Pending +Signed-off-by: Rui Miguel Silva +--- + disk/part.c | 3 +++ + {drivers/mtd/nvmxip => include}/nvmxip.h | 0 + 2 files changed, 3 insertions(+) + rename {drivers/mtd/nvmxip => include}/nvmxip.h (100%) + +diff --git a/disk/part.c b/disk/part.c +index 5ee60a7fb5..593dd0004f 100644 +--- a/disk/part.c ++++ b/disk/part.c +@@ -270,6 +270,9 @@ static void print_part_header(const char *type, struct blk_desc *dev_desc) + case UCLASS_NVME: + puts ("NVMe"); + break; ++ case UCLASS_NVMXIP: ++ puts ("NVMXIP"); ++ break; + case UCLASS_PVBLOCK: + puts("PV BLOCK"); + break; +diff --git a/drivers/mtd/nvmxip/nvmxip.h b/include/nvmxip.h +similarity index 100% +rename from drivers/mtd/nvmxip/nvmxip.h +rename to include/nvmxip.h +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch new file mode 100644 index 0000000000..ba2e5e17fe --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch 
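Review bot: the new `puts ("NVMXIP");` in print_part_header copies the space-before-parenthesis style of the neighbouring `puts ("NVMe");` rather than the `puts("PV BLOCK");` form two lines down; new lines should follow checkpatch, so `puts("NVMXIP");`. The commit message's "as at it" should read "while at it". Moving nvmxip.h wholesale into include/ exposes the driver's internal block-device structures to all of U-Boot; since the only consumer in this series is board code that wants `plat->phys_base` (patch 0039), a small accessor would be a tighter interface, though that is a design note rather than a blocker.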
@@ -0,0 +1,133 @@ +From e7cb997fd59c883572994b504dbc77bc670de8f7 Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Thu, 23 Feb 2023 10:35:00 +0000 +Subject: [PATCH 40/42] corstone1000: set kernel_addr based on boot_idx + +We need to distinguish between boot banks and from which +partition to load the kernel+initramfs to memory. + +For that, fetch the boot index, fetch the correspondent +partition, calculate the correct kernel address and +then set the env variable kernel_addr with that value. + +Upstream-Status: Pending +Signed-off-by: Rui Miguel Silva +--- + board/armltd/corstone1000/corstone1000.c | 58 +++++++++++++++++++++- + board/armltd/corstone1000/corstone1000.env | 8 --- + configs/corstone1000_defconfig | 1 + + 3 files changed, 58 insertions(+), 9 deletions(-) + +diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c +index 0a58ccd99c..b767195ccc 100644 +--- a/board/armltd/corstone1000/corstone1000.c ++++ b/board/armltd/corstone1000/corstone1000.c +@@ -5,13 +5,23 @@ + * Rui Miguel Silva + */ + ++#include + #include + #include ++#include + #include ++#include ++#include + #include + #include + #include + ++#define CORSTONE1000_KERNEL_PARTS 2 ++#define CORSTONE1000_KERNEL_PRIMARY "kernel_primary" ++#define CORSTONE1000_KERNEL_SECONDARY "kernel_secondary" ++ ++static int corstone1000_boot_idx; ++ + static struct mm_region corstone1000_mem_map[] = { + { + /* CVM */ +@@ -108,5 +118,51 @@ int dram_init_banksize(void) + + void fwu_plat_get_bootidx(int *boot_idx) + { +- *boot_idx = 0; ++ *boot_idx = corstone1000_boot_idx; ++} ++ ++int board_late_init(void) ++{ ++ struct disk_partition part_info; ++ struct udevice *dev, *bdev; ++ struct nvmxip_plat *plat; ++ struct blk_desc *desc; ++ int ret; ++ ++ ret = uclass_first_device_err(UCLASS_NVMXIP, &dev); ++ if (ret < 0) { ++ log_err("Cannot find kernel device\n"); ++ return ret; ++ } ++ ++ plat = dev_get_plat(dev); ++ device_find_first_child(dev, &bdev); ++ desc = 
dev_get_uclass_plat(bdev); ++ ret = fwu_get_active_index(&corstone1000_boot_idx); ++ if (ret < 0) ++ log_err("corstone1000: failed to read boot index\n"); ++ ++ if (!corstone1000_boot_idx) ++ ret = part_get_info_by_name(desc, CORSTONE1000_KERNEL_PRIMARY, ++ &part_info); ++ else ++ ret = part_get_info_by_name(desc, CORSTONE1000_KERNEL_SECONDARY, ++ &part_info); ++ ++ if (ret < 0) { ++ log_err("failed to fetch kernel partition index: %d\n", ++ corstone1000_boot_idx); ++ return ret; ++ } ++ ++ ret = 0; ++ ++ ret |= env_set_hex("kernel_addr", plat->phys_base + ++ (part_info.start * part_info.blksz)); ++ ret |= env_set_hex("kernel_size", part_info.size * part_info.blksz); ++ ++ if (ret < 0) ++ log_err("failed to setup kernel addr and size\n"); ++ ++ return ret; + } +diff --git a/board/armltd/corstone1000/corstone1000.env b/board/armltd/corstone1000/corstone1000.env +index a6ee496221..ee318b1b1c 100644 +--- a/board/armltd/corstone1000/corstone1000.env ++++ b/board/armltd/corstone1000/corstone1000.env +@@ -2,12 +2,4 @@ + + usb_pgood_delay=250 + boot_bank_flag=0x08005006 +-kernel_addr_bank_0=0x08280000 +-kernel_addr_bank_1=0x0936E000 +-retrieve_kernel_load_addr= +- if itest.l *${boot_bank_flag} == 0; then +- setenv kernel_addr $kernel_addr_bank_0; +- else +- setenv kernel_addr $kernel_addr_bank_1; +- fi; + kernel_addr_r=0x88200000 +diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig +index c38113ce95..20359cb181 100644 +--- a/configs/corstone1000_defconfig ++++ b/configs/corstone1000_defconfig +@@ -22,6 +22,7 @@ CONFIG_CONSOLE_RECORD=y + CONFIG_LOGLEVEL=7 + # CONFIG_DISPLAY_CPUINFO is not set + # CONFIG_DISPLAY_BOARDINFO is not set ++CONFIG_BOARD_LATE_INIT=y + CONFIG_SYS_MAXARGS=64 + CONFIG_SYS_CBSIZE=512 + # CONFIG_CMD_CONSOLE is not set +-- +2.25.1 + 
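Review bot: in the new 0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch, board_late_init() dereferences a child device it never validated: the return of `device_find_first_child(dev, &bdev);` is ignored and `bdev` is legitimately NULL when the NVMXIP device has no block child, after which `desc = dev_get_uclass_plat(bdev);` is a NULL dereference; check the return and `bdev` before use. The bank selection also fails open: when `fwu_get_active_index(&corstone1000_boot_idx)` returns an error the code only logs and carries on with whatever the static held (zero on first call), so a metadata read failure silently boots the primary bank; in an A/B update scheme that should either be a hard failure (return the error) or an explicitly documented fallback. The final check is dead code: U-Boot's env_set() reports failure as a positive 1, not a negative errno, so OR-ing two env_set_hex() results into `ret` and testing `if (ret < 0)` can never fire; test each call individually and return a negative error. Smaller items: the string "failed to fetch kernel partition index" prints the boot index, not a partition index; `CORSTONE1000_KERNEL_PARTS` is defined but unused; and the .env hunk removes the only user of `boot_bank_flag` (the deleted `retrieve_kernel_load_addr` script) but leaves `boot_bank_flag=0x08005006` behind.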
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-nvmxip-move-header-to-include.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-nvmxip-move-header-to-include.patch deleted file mode 100644 index b745fe9b6b..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0039-nvmxip-move-header-to-include.patch +++ /dev/null @@ -1,42 +0,0 @@ -From d280414229d7bbee368f40be6cde17e4f251dd0f Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Fri, 9 Jun 2023 13:31:53 +0100 -Subject: [PATCH 39/42] nvmxip: move header to include - -Move header to include to allow external code -to get the internal bdev structures to access -block device operations. - -as at it, just add the UCLASS_NVMXIP string -so we get the correct output in partitions -listing. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - disk/part.c | 3 +++ - {drivers/mtd/nvmxip => include}/nvmxip.h | 0 - 2 files changed, 3 insertions(+) - rename {drivers/mtd/nvmxip => include}/nvmxip.h (100%) - -diff --git a/disk/part.c b/disk/part.c -index 5ee60a7fb5..593dd0004f 100644 ---- a/disk/part.c -+++ b/disk/part.c -@@ -270,6 +270,9 @@ static void print_part_header(const char *type, struct blk_desc *dev_desc) - case UCLASS_NVME: - puts ("NVMe"); - break; -+ case UCLASS_NVMXIP: -+ puts ("NVMXIP"); -+ break; - case UCLASS_PVBLOCK: - puts("PV BLOCK"); - break; -diff --git a/drivers/mtd/nvmxip/nvmxip.h b/include/nvmxip.h -similarity index 100% -rename from drivers/mtd/nvmxip/nvmxip.h -rename to include/nvmxip.h --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-boot-index-from-active.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-boot-index-from-active.patch new file mode 100644 index 0000000000..f0e14942ad --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-boot-index-from-active.patch 
@@ -0,0 +1,42 @@ +From ab07a26290e44fb198403b658b8f1550e959a0cc Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Mon, 27 Feb 2023 14:40:13 +0000 +Subject: [PATCH 41/42] corstone1000: boot index from active + +In our platform, the Secure Enclave is the one who control +all the boot tries and status, so, every time we get here +we know that the we are booting from the active index. + +Upstream-Status: Pending +Signed-off-by: Rui Miguel Silva +--- + board/armltd/corstone1000/corstone1000.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c +index b767195ccc..db508ac3cb 100644 +--- a/board/armltd/corstone1000/corstone1000.c ++++ b/board/armltd/corstone1000/corstone1000.c +@@ -118,7 +118,18 @@ int dram_init_banksize(void) + + void fwu_plat_get_bootidx(int *boot_idx) + { +- *boot_idx = corstone1000_boot_idx; ++ int ret; ++ ++ /* ++ * in our platform, the Secure Enclave is the one who control ++ * all the boot tries and status, so, every time we get here ++ * we know that the we are booting from the active index ++ */ ++ ret = fwu_get_active_index(boot_idx); ++ if (ret < 0) ++ log_err("corstone1000: failed to read active index\n"); ++ ++ return ret; + } + + int board_late_init(void) +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch deleted file mode 100644 index ba2e5e17fe..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch +++ /dev/null 
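Review bot: in the new 0040-corstone1000-boot-index-from-active.patch, fwu_plat_get_bootidx() keeps the prototype `void fwu_plat_get_bootidx(int *boot_idx)` yet the hunk ends with `+ return ret;`, a return with a value from a void function, which is a compiler warning in C and an error under -Werror (0043 later in this series removes it). Independently of that, the error path is incomplete: if `fwu_get_active_index(boot_idx)` fails, the function logs and leaves `*boot_idx` with whatever the caller had on its stack, so the FWU core proceeds with an indeterminate bank. Give `*boot_idx` a defined value on that path or change the contract so the caller can see the failure. Note also that the file now reads the active index twice, here and in board_late_init() into the `corstone1000_boot_idx` static that this function no longer consumes; one read, cached, would be less fragile than two reads that can disagree.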
@@ -1,133 +0,0 @@ -From e7cb997fd59c883572994b504dbc77bc670de8f7 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Thu, 23 Feb 2023 10:35:00 +0000 -Subject: [PATCH 40/42] corstone1000: set kernel_addr based on boot_idx - -We need to distinguish between boot banks and from which -partition to load the kernel+initramfs to memory. - -For that, fetch the boot index, fetch the correspondent -partition, calculate the correct kernel address and -then set the env variable kernel_addr with that value. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - board/armltd/corstone1000/corstone1000.c | 58 +++++++++++++++++++++- - board/armltd/corstone1000/corstone1000.env | 8 --- - configs/corstone1000_defconfig | 1 + - 3 files changed, 58 insertions(+), 9 deletions(-) - -diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c -index 0a58ccd99c..b767195ccc 100644 ---- a/board/armltd/corstone1000/corstone1000.c -+++ b/board/armltd/corstone1000/corstone1000.c -@@ -5,13 +5,23 @@ - * Rui Miguel Silva - */ - -+#include - #include - #include -+#include - #include -+#include -+#include - #include - #include - #include - -+#define CORSTONE1000_KERNEL_PARTS 2 -+#define CORSTONE1000_KERNEL_PRIMARY "kernel_primary" -+#define CORSTONE1000_KERNEL_SECONDARY "kernel_secondary" -+ -+static int corstone1000_boot_idx; -+ - static struct mm_region corstone1000_mem_map[] = { - { - /* CVM */ -@@ -108,5 +118,51 @@ int dram_init_banksize(void) - - void fwu_plat_get_bootidx(int *boot_idx) - { -- *boot_idx = 0; -+ *boot_idx = corstone1000_boot_idx; -+} -+ -+int board_late_init(void) -+{ -+ struct disk_partition part_info; -+ struct udevice *dev, *bdev; -+ struct nvmxip_plat *plat; -+ struct blk_desc *desc; -+ int ret; -+ -+ ret = uclass_first_device_err(UCLASS_NVMXIP, &dev); -+ if (ret < 0) { -+ log_err("Cannot find kernel device\n"); -+ return ret; -+ } -+ -+ plat = dev_get_plat(dev); -+ device_find_first_child(dev, &bdev); -+ desc = 
dev_get_uclass_plat(bdev); -+ ret = fwu_get_active_index(&corstone1000_boot_idx); -+ if (ret < 0) -+ log_err("corstone1000: failed to read boot index\n"); -+ -+ if (!corstone1000_boot_idx) -+ ret = part_get_info_by_name(desc, CORSTONE1000_KERNEL_PRIMARY, -+ &part_info); -+ else -+ ret = part_get_info_by_name(desc, CORSTONE1000_KERNEL_SECONDARY, -+ &part_info); -+ -+ if (ret < 0) { -+ log_err("failed to fetch kernel partition index: %d\n", -+ corstone1000_boot_idx); -+ return ret; -+ } -+ -+ ret = 0; -+ -+ ret |= env_set_hex("kernel_addr", plat->phys_base + -+ (part_info.start * part_info.blksz)); -+ ret |= env_set_hex("kernel_size", part_info.size * part_info.blksz); -+ -+ if (ret < 0) -+ log_err("failed to setup kernel addr and size\n"); -+ -+ return ret; - } -diff --git a/board/armltd/corstone1000/corstone1000.env b/board/armltd/corstone1000/corstone1000.env -index a6ee496221..ee318b1b1c 100644 ---- a/board/armltd/corstone1000/corstone1000.env -+++ b/board/armltd/corstone1000/corstone1000.env -@@ -2,12 +2,4 @@ - - usb_pgood_delay=250 - boot_bank_flag=0x08005006 --kernel_addr_bank_0=0x08280000 --kernel_addr_bank_1=0x0936E000 --retrieve_kernel_load_addr= -- if itest.l *${boot_bank_flag} == 0; then -- setenv kernel_addr $kernel_addr_bank_0; -- else -- setenv kernel_addr $kernel_addr_bank_1; -- fi; - kernel_addr_r=0x88200000 -diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig -index c38113ce95..20359cb181 100644 ---- a/configs/corstone1000_defconfig -+++ b/configs/corstone1000_defconfig -@@ -22,6 +22,7 @@ CONFIG_CONSOLE_RECORD=y - CONFIG_LOGLEVEL=7 - # CONFIG_DISPLAY_CPUINFO is not set - # CONFIG_DISPLAY_BOARDINFO is not set -+CONFIG_BOARD_LATE_INIT=y - CONFIG_SYS_MAXARGS=64 - CONFIG_SYS_CBSIZE=512 - # CONFIG_CMD_CONSOLE is not set --- -2.25.1 - 
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-boot-index-from-active.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-boot-index-from-active.patch deleted file mode 100644 index f0e14942ad..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-boot-index-from-active.patch +++ /dev/null @@ -1,42 +0,0 @@ -From ab07a26290e44fb198403b658b8f1550e959a0cc Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Mon, 27 Feb 2023 14:40:13 +0000 -Subject: [PATCH 41/42] corstone1000: boot index from active - -In our platform, the Secure Enclave is the one who control -all the boot tries and status, so, every time we get here -we know that the we are booting from the active index. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - board/armltd/corstone1000/corstone1000.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c -index b767195ccc..db508ac3cb 100644 ---- a/board/armltd/corstone1000/corstone1000.c -+++ b/board/armltd/corstone1000/corstone1000.c -@@ -118,7 +118,18 @@ int dram_init_banksize(void) - - void fwu_plat_get_bootidx(int *boot_idx) - { -- *boot_idx = corstone1000_boot_idx; -+ int ret; -+ -+ /* -+ * in our platform, the Secure Enclave is the one who control -+ * all the boot tries and status, so, every time we get here -+ * we know that the we are booting from the active index -+ */ -+ ret = fwu_get_active_index(boot_idx); -+ if (ret < 0) -+ log_err("corstone1000: failed to read active index\n"); -+ -+ return ret; - } - - int board_late_init(void) --- -2.25.1 - 
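Review bot: the delete-and-add pairs in this range are pure renumberings, not content changes: the deleted 0039-nvmxip-move-header-to-include.patch, 0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch, 0041-corstone1000-boot-index-from-active.patch and 0042-corstone1000-enable-PSCI-reset.patch reappear one number lower with byte-identical bodies (same embedded commit ids d280414229d7, e7cb997fd59c, ab07a26290e4 and 8bf48a56aa01, and the same `[PATCH 39/42]`-style Subject counters, which now disagree with the file names). Generating the subtree update with rename detection (`git format-patch -M` or `git diff -M`) would present these as renames and leave only the genuinely new material (the 0042 EFI time patch, the 0043 warning fix, and the bbappend list edit) for reviewers to read. If the Subject counters are kept, refresh them so the in-file numbering matches the on-disk numbering.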
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-enable-PSCI-reset.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-enable-PSCI-reset.patch new file mode 100644 index 0000000000..cad830f4c8 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0041-corstone1000-enable-PSCI-reset.patch @@ -0,0 +1,30 @@ +From 8bf48a56aa014146a8950532906b06e191754daa Mon Sep 17 00:00:00 2001 +From: Emekcan Aras +Date: Wed, 24 May 2023 09:12:11 +0100 +Subject: [PATCH 42/42] corstone1000: enable PSCI reset + +Even though corstone1000 does not implement entire PSCI APIs,it relies on +PSCI reset interface for the system reset. U-boot change the config name, so we +need to enable it again. + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras +--- + configs/corstone1000_defconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig +index 20359cb181..19fe1432ae 100644 +--- a/configs/corstone1000_defconfig ++++ b/configs/corstone1000_defconfig +@@ -62,6 +62,7 @@ CONFIG_DM_RTC=y + CONFIG_RTC_EMULATION=y + CONFIG_DM_SERIAL=y + CONFIG_SYSRESET=y ++CONFIG_SYSRESET_PSCI=y + CONFIG_USB=y + CONFIG_USB_ISP1760=y + CONFIG_ERRNO_STR=y +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-Enable-EFI-set-get-time-services.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-Enable-EFI-set-get-time-services.patch new file mode 100644 index 0000000000..8911abfe20 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-Enable-EFI-set-get-time-services.patch 
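Review bot: the new 0041-corstone1000-enable-PSCI-reset.patch only adds `+CONFIG_SYSRESET_PSCI=y`; the commit message says "U-boot change the config name, so we need to enable it again", but the hunk removes nothing, so either the old symbol was already dropped from the defconfig (then name it in the message) or it is still present as a dead option that should be removed in the same patch. Since this is a one-line defconfig update tracking a Kconfig rename, the `Upstream-Status: Pending [Not submitted to upstream yet]` marker is worth acting on; this is the kind of change upstream takes quickly and it would shrink the board's carried series.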
@@ -0,0 +1,32 @@ +From 9f326f0db8aa13fde93e2ed79055b920c8598a28 Mon Sep 17 00:00:00 2001 +From: Gowtham Suresh Kumar +Date: Mon, 12 Jun 2023 15:14:52 +0000 +Subject: [PATCH] Enable EFI set/get time services + +SetTime_Conf and SetTime_Func tests in UEFI SCT test suite of ACS +fails with unsupported return value. CONFIG_EFI_SET_TIME and +CONFIG_EFI_GET_TIME config values are added to enable these EFI +services. + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Gowtham Suresh Kumar +--- + configs/corstone1000_defconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig +index c692cc91bd..f1901dfe8b 100644 +--- a/configs/corstone1000_defconfig ++++ b/configs/corstone1000_defconfig +@@ -7,6 +7,8 @@ CONFIG_NR_DRAM_BANKS=1 + CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y + CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x83f00000 + CONFIG_DM_GPIO=y ++CONFIG_EFI_SET_TIME=y ++CONFIG_EFI_GET_TIME=y + CONFIG_DEFAULT_DEVICE_TREE="corstone1000-mps3" + CONFIG_SYS_PROMPT="corstone1000# " + CONFIG_IDENT_STRING=" corstone1000 aarch64 " +-- +2.17.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-corstone1000-enable-PSCI-reset.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-corstone1000-enable-PSCI-reset.patch deleted file mode 100644 index cad830f4c8..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0042-corstone1000-enable-PSCI-reset.patch +++ /dev/null 
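Review bot: 0042-Enable-EFI-set-get-time-services.patch turns on `CONFIG_EFI_SET_TIME=y` and `CONFIG_EFI_GET_TIME=y` on a defconfig that, per the context lines of the neighbouring 0041 hunk, also carries `CONFIG_RTC_EMULATION=y`; the time these runtime services expose is therefore a software clock rather than a hardware RTC, and any EFI application can move it with SetTime for the remainder of that boot. That is fine for the SCT SetTime_Conf/SetTime_Func cases the commit message targets, but the message should say so, so nobody later treats GetTime on this board as a trustworthy time source for validity checks. Process point: the hunk header reads `index c692cc91bd..f1901dfe8b` for configs/corstone1000_defconfig while the preceding 0041 patch leaves that file at 19fe1432ae, and the trailer is 2.17.1 against 2.25.1 for the rest of the series, so this patch was generated against a different tree. It will still apply on context, but regenerating it on top of 0041 keeps the series self-consistent.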
@@ -1,30 +0,0 @@ -From 8bf48a56aa014146a8950532906b06e191754daa Mon Sep 17 00:00:00 2001 -From: Emekcan Aras -Date: Wed, 24 May 2023 09:12:11 +0100 -Subject: [PATCH 42/42] corstone1000: enable PSCI reset - -Even though corstone1000 does not implement entire PSCI APIs,it relies on -PSCI reset interface for the system reset. U-boot change the config name, so we -need to enable it again. - -Upstream-Status: Pending [Not submitted to upstream yet] -Signed-off-by: Emekcan Aras ---- - configs/corstone1000_defconfig | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig -index 20359cb181..19fe1432ae 100644 ---- a/configs/corstone1000_defconfig -+++ b/configs/corstone1000_defconfig -@@ -62,6 +62,7 @@ CONFIG_DM_RTC=y - CONFIG_RTC_EMULATION=y - CONFIG_DM_SERIAL=y - CONFIG_SYSRESET=y -+CONFIG_SYSRESET_PSCI=y - CONFIG_USB=y - CONFIG_USB_ISP1760=y - CONFIG_ERRNO_STR=y --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch new file mode 100644 index 0000000000..e574103ec9 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch 
@@ -0,0 +1,47 @@ +From dfebda98ce08d0cab411521ab3d9e832ed1b4608 Mon Sep 17 00:00:00 2001 +From: Abdellatif El Khlifi +Date: Thu, 15 Jun 2023 16:51:49 +0100 +Subject: [PATCH] corstone1000: fix compilation warnings in + fwu_plat_get_bootidx() + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Abdellatif El Khlifi +--- + board/armltd/corstone1000/corstone1000.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c +index db508ac3cb..2e1ace5d04 100644 +--- a/board/armltd/corstone1000/corstone1000.c ++++ b/board/armltd/corstone1000/corstone1000.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -116,7 +117,7 @@ int dram_init_banksize(void) + return 0; + } + +-void fwu_plat_get_bootidx(int *boot_idx) ++void fwu_plat_get_bootidx(uint *boot_idx) + { + int ret; + +@@ -127,9 +128,7 @@ void fwu_plat_get_bootidx(int *boot_idx) + */ + ret = fwu_get_active_index(boot_idx); + if (ret < 0) +- log_err("corstone1000: failed to read active index\n"); +- +- return ret; ++ log_err("corstone1000: failed to read active index err %d\n", ret); + } + + int board_late_init(void) +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend index d16aca1430..e752112665 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend 
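Review bot: 0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch silences the warnings (the `int *` to `uint *` prototype change and dropping `return ret;` from the void function) but does not close the logic hole that made `return ret` tempting: when `fwu_get_active_index(boot_idx)` fails, the function now only logs "corstone1000: failed to read active index err %d" and returns with `*boot_idx` untouched, so the FWU core continues with an indeterminate bank index. With a void prototype the fix has to be local: assign `*boot_idx` an explicit, documented value on the error path (and say in a comment which bank that selects and why), or treat an unreadable metadata store as fatal for this platform and reset. The commit body is empty apart from the Subject; one line naming the warning and the prototype it now matches would help the next person who touches this.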
@@ -51,15 +51,16 @@ SRC_URI:append:corstone1000 = " \ file://0031-corstone1000-add-NVM-XIP-QSPI-device-tree-node.patch \ file://0032-sandbox64-add-a-test-case-for-UCLASS_NVMXIP.patch \ file://0033-corstone1000-add-fwu-metadata-store-info.patch \ - file://0034-efi_boottime-allow-to-reset-a-path-after-boot.patch \ - file://0035-fwu_metadata-make-sure-structures-are-packed.patch \ - file://0036-corstone1000-add-boot-index.patch \ - file://0037-corstone1000-adjust-boot-bank-and-kernel-location.patch \ - file://0038-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch \ - file://0039-nvmxip-move-header-to-include.patch \ - file://0040-corstone1000-set-kernel_addr-based-on-boot_idx.patch \ - file://0041-corstone1000-boot-index-from-active.patch \ - file://0042-corstone1000-enable-PSCI-reset.patch \ + file://0034-fwu_metadata-make-sure-structures-are-packed.patch \ + file://0035-corstone1000-add-boot-index.patch \ + file://0036-corstone1000-adjust-boot-bank-and-kernel-location.patch \ + file://0037-corstone1000-add-nvmxip-fwu-mdata-and-gpt-options.patch \ + file://0038-nvmxip-move-header-to-include.patch \ + file://0039-corstone1000-set-kernel_addr-based-on-boot_idx.patch \ + file://0040-corstone1000-boot-index-from-active.patch \ + file://0041-corstone1000-enable-PSCI-reset.patch \ + file://0042-Enable-EFI-set-get-time-services.patch \ + file://0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch \ " # diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc index 30f9966662..1f028ffa37 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc +++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc 
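Review bot: the only functional change in this SRC_URI:append:corstone1000 hunk is that `file://0034-efi_boottime-allow-to-reset-a-path-after-boot.patch` disappears from the list; everything else is renumbering of the surviving patches plus the two additions `file://0042-Enable-EFI-set-get-time-services.patch` and `file://0043-corstone1000-fix-compilation-warnings-in-fwu_plat_get_bootidx.patch`. Dropping a patch to the EFI boot-time path changes U-Boot behaviour on this board and deserves a sentence on why (fixed upstream, superseded, or never needed), and the orphaned patch file should be deleted in the same update so it does not linger unreferenced in the corstone1000 directory; that deletion is not part of this hunk, so please confirm it happened.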
@@ -1,5 +1,7 @@ SRC_URI:remove = " \ file://0003-core-link-add-no-warn-rwx-segments.patch \ + file://0007-core-spmc-handle-non-secure-interrupts.patch \ + file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch \ " COMPATIBLE_MACHINE = "corstone1000" diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-openamp-to-SE-proxy-deployment.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-openamp-to-SE-proxy-deployment.patch deleted file mode 100644 index c44885cf04..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-openamp-to-SE-proxy-deployment.patch +++ /dev/null 
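Review bot: this SRC_URI:remove hunk drops `file://0007-core-spmc-handle-non-secure-interrupts.patch` and `file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch` from the OP-TEE build for corstone1000 with no comment in optee-os-corstone1000-common.inc saying why the SPMC non-secure-interrupt handling does not apply to this platform; how secure partitions react to NS interrupts is a security-relevant property of the SPMC, so the reason belongs next to the line. A robustness point as well: SRC_URI:remove matches on the exact file name, so if the common recipe ever renumbers those patches the remove becomes a silent no-op and the patches are applied to corstone1000 again without any build error. At minimum add a comment naming the patch titles so a mismatch is visible in review; better, have a task fail the build if a patch the board must not carry is still present in the applied series.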
@@ -1,287 +0,0 @@ -From 13de79cd4f0d25b812e5f4ad4a19bc075496be83 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath -Date: Fri, 3 Dec 2021 16:36:51 +0000 -Subject: [PATCH 01/20] Add openamp to SE proxy deployment - -Openamp is required to communicate between secure partitions(running on -Cortex-A) and trusted-firmware-m(running on Cortex-M). -These changes are to fetch libmetal and openamp from github repo's -and build it. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - deployments/se-proxy/opteesp/lse.S | 28 ++++++++ - deployments/se-proxy/se-proxy.cmake | 8 +++ - external/openamp/libmetal-init-cache.cmake.in | 20 ++++++ - external/openamp/libmetal.cmake | 67 +++++++++++++++++++ - external/openamp/openamp-init-cache.cmake.in | 20 ++++++ - external/openamp/openamp.cmake | 66 ++++++++++++++++++ - 6 files changed, 209 insertions(+) - create mode 100644 deployments/se-proxy/opteesp/lse.S - create mode 100644 external/openamp/libmetal-init-cache.cmake.in - create mode 100644 external/openamp/libmetal.cmake - create mode 100644 external/openamp/openamp-init-cache.cmake.in - create mode 100644 external/openamp/openamp.cmake - -diff --git a/deployments/se-proxy/opteesp/lse.S b/deployments/se-proxy/opteesp/lse.S -new file mode 100644 -index 000000000000..8e466d65fc2b ---- /dev/null -+++ b/deployments/se-proxy/opteesp/lse.S -@@ -0,0 +1,28 @@ -+// SPDX-License-Identifier: BSD-3-Clause -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ */ -+ -+.text -+.globl __aarch64_cas4_acq_rel -+.globl __aarch64_cas4_sync -+ -+__aarch64_cas4_acq_rel: -+ mov w16, w0 -+ ldaxr w0, [x2] -+ cmp w0, w16 -+0: bne 1f -+ -+ stlxr w17, w1, [x2] -+ cbnz w17, 0b -+1: ret -+ -+__aarch64_cas4_sync: -+ mov w16, w0 -+ ldxr w0, [x2] -+ cmp w0, w16 -+0: bne 1f -+ -+ stlxr w17, w1, [x2] -+ cbnz w17, 0b -+1: ret -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index 426c66c05350..d39873a0fe81 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -61,6 +61,7 @@ add_components(TARGET "se-proxy" - target_sources(se-proxy PRIVATE - ${CMAKE_CURRENT_LIST_DIR}/common/se_proxy_sp.c - ${CMAKE_CURRENT_LIST_DIR}/common/service_proxy_factory.c -+ ${CMAKE_CURRENT_LIST_DIR}/opteesp/lse.S - ) - - #------------------------------------------------------------------------------- -@@ -73,6 +74,13 @@ include(../../../external/nanopb/nanopb.cmake) - target_link_libraries(se-proxy PRIVATE nanopb::protobuf-nanopb-static) - protobuf_generate_all(TGT "se-proxy" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols") - -+# libmetal -+include(../../../external/openamp/libmetal.cmake) -+ -+# OpenAMP -+include(../../../external/openamp/openamp.cmake) -+target_link_libraries(se-proxy PRIVATE openamp libmetal) -+ - ################################################################# - - target_include_directories(se-proxy PRIVATE -diff --git a/external/openamp/libmetal-init-cache.cmake.in b/external/openamp/libmetal-init-cache.cmake.in -new file mode 100644 -index 000000000000..04c25fbde960 ---- /dev/null -+++ b/external/openamp/libmetal-init-cache.cmake.in -@@ -0,0 +1,20 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. -+# Copyright (c) 2021-2022, Linaro. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "") -+set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "") -+set(BUILD_SHARED_LIBS Off CACHE BOOL "") -+set(BUILD_STATIC_LIBS On CACHE BOOL "") -+ -+set(WITH_DOC OFF CACHE BOOL "") -+set(WITH_TESTS OFF CACHE BOOL "") -+set(WITH_EXAMPLES OFF CACHE BOOL "") -+set(WITH_DEFAULT_LOGGER OFF CACHE BOOL "") -+set(MACHINE "template" CACHE STRING "") -+ -+@_cmake_fragment@ -diff --git a/external/openamp/libmetal.cmake b/external/openamp/libmetal.cmake -new file mode 100644 -index 000000000000..6e5004ff555c ---- /dev/null -+++ b/external/openamp/libmetal.cmake -@@ -0,0 +1,67 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2022 Linaro Limited -+# Copyright (c) 2022, Arm Limited. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set (LIBMETAL_URL "https://github.com/OpenAMP/libmetal.git" -+ CACHE STRING "libmetal repository URL") -+set (LIBMETAL_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/libmetal_install" -+ CACHE DIR "libmetal installation directory") -+set(LIBMETAL_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libmetal" -+ CACHE DIR "libmetal source-code") -+set (LIBMETAL_PACKAGE_DIR "${LIBMETAL_INSTALL_DIR}/libmetal/cmake" -+ CACHE DIR "libmetal CMake package directory") -+set (LIBMETAL_TARGET_NAME "libmetal") -+set (LIBMETAL_REFSPEC "f252f0e007fbfb8b3a52b1d5901250ddac96baad" -+ CACHE STRING "The version of libmetal to use") -+set(LIBMETAL_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libmetal-build") -+ -+set(GIT_OPTIONS -+ GIT_REPOSITORY ${LIBMETAL_URL} -+ GIT_TAG ${LIBMETAL_REFSPEC} -+ GIT_SHALLOW FALSE -+) -+ -+if(NOT LIBMETAL_DEBUG) -+ set(LIBMETAL_BUILD_TYPE "Release") -+else() -+ 
set(LIBMETAL_BUILD_TYPE "Debug") -+endif() -+ -+include(FetchContent) -+ -+# Checking git -+find_program(GIT_COMMAND "git") -+if (NOT GIT_COMMAND) -+ message(FATAL_ERROR "Please install git") -+endif() -+ -+# Only pass libc settings to libmetal if needed. For environments where the -+# standard library is not overridden, this is not needed. -+if(TARGET stdlib::c) -+ include(${TS_ROOT}/tools/cmake/common/PropertyCopy.cmake) -+ -+ # Save libc settings -+ save_interface_target_properties(TGT stdlib::c PREFIX LIBC) -+ # Translate libc settings to cmake code fragment. Will be inserted into -+ # libmetal-init-cache.cmake.in when LazyFetch configures the file. -+ translate_interface_target_properties(PREFIX LIBC RES _cmake_fragment) -+ unset_saved_properties(LIBC) -+endif() -+ -+include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) -+LazyFetch_MakeAvailable(DEP_NAME libmetal -+ FETCH_OPTIONS "${GIT_OPTIONS}" -+ INSTALL_DIR "${LIBMETAL_INSTALL_DIR}" -+ CACHE_FILE "${TS_ROOT}/external/openamp/libmetal-init-cache.cmake.in" -+ SOURCE_DIR "${LIBMETAL_SOURCE_DIR}" -+) -+unset(_cmake_fragment) -+ -+#Create an imported target to have clean abstraction in the build-system. -+add_library(libmetal STATIC IMPORTED) -+set_property(TARGET libmetal PROPERTY IMPORTED_LOCATION "${LIBMETAL_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}metal${CMAKE_STATIC_LIBRARY_SUFFIX}") -+set_property(TARGET libmetal PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${LIBMETAL_INSTALL_DIR}/include") -diff --git a/external/openamp/openamp-init-cache.cmake.in b/external/openamp/openamp-init-cache.cmake.in -new file mode 100644 -index 000000000000..302b80511bce ---- /dev/null -+++ b/external/openamp/openamp-init-cache.cmake.in -@@ -0,0 +1,20 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. -+# Copyright (c) 2021-2022, Linaro. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "") -+set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "") -+set(BUILD_SHARED_LIBS Off CACHE BOOL "") -+set(BUILD_STATIC_LIBS On CACHE BOOL "") -+ -+set(LIBMETAL_INCLUDE_DIR "@CMAKE_CURRENT_BINARY_DIR@/libmetal_install/include" CACHE -+ STRING "") -+set(LIBMETAL_LIB "@CMAKE_CURRENT_BINARY_DIR@/libmetal_install/lib" CACHE STRING "") -+set(RPMSG_BUFFER_SIZE "512" CACHE STRING "") -+set(MACHINE "template" CACHE STRING "") -+ -+@_cmake_fragment@ -diff --git a/external/openamp/openamp.cmake b/external/openamp/openamp.cmake -new file mode 100644 -index 000000000000..449f35f4fda4 ---- /dev/null -+++ b/external/openamp/openamp.cmake -@@ -0,0 +1,66 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2022 Linaro Limited -+# Copyright (c) 2022, Arm Limited. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+set (OPENAMP_URL "https://github.com/OpenAMP/open-amp.git" -+ CACHE STRING "OpenAMP repository URL") -+set (OPENAMP_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/openamp_install" -+ CACHE DIR "OpenAMP installation directory") -+set (OPENAMP_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/openamp" -+ CACHE DIR "OpenAMP source code directory") -+set (OPENAMP_PACKAGE_DIR "${OPENAMP_INSTALL_DIR}/openamp/cmake" -+ CACHE DIR "OpenAMP CMake package directory") -+set (OPENAMP_TARGET_NAME "openamp") -+set (OPENAMP_REFSPEC "347397decaa43372fc4d00f965640ebde042966d" -+ CACHE STRING "The version of openamp to use") -+ -+set(GIT_OPTIONS -+ GIT_REPOSITORY ${OPENAMP_URL} -+ GIT_TAG ${OPENAMP_REFSPEC} -+ GIT_SHALLOW FALSE -+) -+ -+if(NOT OPENAMP_DEBUG) -+ set(OPENAMP_BUILD_TYPE "Release") -+else() -+ set(OPENAMP_BUILD_TYPE "Debug") -+endif() -+ -+include(FetchContent) -+ -+# Checking git -+find_program(GIT_COMMAND "git") -+if (NOT GIT_COMMAND) -+ message(FATAL_ERROR "Please install git") -+endif() -+ -+# Only pass libc settings to openamp if needed. For environments where the -+# standard library is not overridden, this is not needed. -+if(TARGET stdlib::c) -+ include(${TS_ROOT}/tools/cmake/common/PropertyCopy.cmake) -+ -+ # Save libc settings -+ save_interface_target_properties(TGT stdlib::c PREFIX LIBC) -+ # Translate libc settings to cmake code fragment. Will be inserted into -+ # libmetal-init-cache.cmake.in when LazyFetch configures the file. 
-+ translate_interface_target_properties(PREFIX LIBC RES _cmake_fragment) -+ unset_saved_properties(LIBC) -+endif() -+ -+include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) -+LazyFetch_MakeAvailable(DEP_NAME openamp -+ FETCH_OPTIONS "${GIT_OPTIONS}" -+ INSTALL_DIR "${OPENAMP_INSTALL_DIR}" -+ CACHE_FILE "${TS_ROOT}/external/openamp/openamp-init-cache.cmake.in" -+ SOURCE_DIR "${OPENAMP_SOURCE_DIR}" -+) -+unset(_cmake_fragment) -+ -+#Create an imported target to have clean abstraction in the build-system. -+add_library(openamp STATIC IMPORTED) -+set_property(TARGET openamp PROPERTY IMPORTED_LOCATION "${OPENAMP_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}open_amp${CMAKE_STATIC_LIBRARY_SUFFIX}") -+set_property(TARGET openamp PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${OPENAMP_INSTALL_DIR}/include") --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch new file mode 100644 index 0000000000..c1775b795c --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch 
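Review bot: the deleted 0001-Add-openamp-to-SE-proxy-deployment.patch (its removal ends just before the header of the new 0001-Add-stub-capsule-update-service-components.patch) carried hand-written outline-atomics fallbacks in deployments/se-proxy/opteesp/lse.S that were not correct: in `__aarch64_cas4_acq_rel` the retry `cbnz w17, 0b` jumps to the `0: bne 1f` label placed after `cmp`, so a failed store-exclusive is re-executed without a fresh `ldaxr` and on flags that were never recomputed; with the local monitor open after the failure the retry either spins or stores against a stale value, and `__aarch64_cas4_sync` has the same shape. Removing it is the right call, but the replacement for these `__aarch64_cas4_*` symbols should be stated somewhere (the toolchain's libgcc/compiler-rt helpers, or building se-proxy with -mno-outline-atomics); neither is visible in this update. Also worth preserving from the deleted CMake files: libmetal and OpenAMP were fetched at build time pinned to full commit hashes (LIBMETAL_REFSPEC f252f0e007fb..., OPENAMP_REFSPEC 347397decaa4...) with GIT_SHALLOW FALSE, which is the supply-chain control that whatever now provides the Cortex-A to Cortex-M transport should keep.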
@@ -0,0 +1,376 @@ +From a965129153a0cca340535fe2cf99dbfef9b557da Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Tue, 12 Oct 2021 15:45:41 +0100 +Subject: [PATCH 1/6] Add stub capsule update service components + +To facilitate development of a capsule update service provider, +stub components are added to provide a starting point for an +implementation. The capsule update service provider is integrated +into the se-proxy/common deployment. + +Upstream-Status: Pending +Signed-off-by: Vishnu Banavath +Signed-off-by: Julian Hall +Change-Id: I0d4049bb4de5af7ca80806403301692507085d28 +Signed-off-by: Rui Miguel Silva +--- + .../backend/capsule_update_backend.h | 24 ++++ + .../provider/capsule_update_provider.c | 133 ++++++++++++++++++ + .../provider/capsule_update_provider.h | 51 +++++++ + .../capsule_update/provider/component.cmake | 13 ++ + .../se-proxy/infra/corstone1000/infra.cmake | 1 + + deployments/se-proxy/se_proxy_interfaces.h | 9 +- + .../capsule_update/capsule_update_proto.h | 13 ++ + protocols/service/capsule_update/opcodes.h | 17 +++ + protocols/service/capsule_update/parameters.h | 15 ++ + 9 files changed, 272 insertions(+), 4 deletions(-) + create mode 100644 components/service/capsule_update/backend/capsule_update_backend.h + create mode 100644 components/service/capsule_update/provider/capsule_update_provider.c + create mode 100644 components/service/capsule_update/provider/capsule_update_provider.h + create mode 100644 components/service/capsule_update/provider/component.cmake + create mode 100644 protocols/service/capsule_update/capsule_update_proto.h + create mode 100644 protocols/service/capsule_update/opcodes.h + create mode 100644 protocols/service/capsule_update/parameters.h + +diff --git a/components/service/capsule_update/backend/capsule_update_backend.h b/components/service/capsule_update/backend/capsule_update_backend.h +new file mode 100644 +index 000000000000..f3144ff1d7d5 +--- /dev/null ++++ 
b/components/service/capsule_update/backend/capsule_update_backend.h +@@ -0,0 +1,24 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_BACKEND_H ++#define CAPSULE_UPDATE_BACKEND_H ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++/** ++ * Defines the common capsule update backend interface. Concrete backends ++ * implement this interface for different types of platform. ++ */ ++ ++ ++#ifdef __cplusplus ++} /* extern "C" */ ++#endif ++ ++#endif /* CAPSULE_UPDATE_BACKEND_H */ +diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c +new file mode 100644 +index 000000000000..e133753f8560 +--- /dev/null ++++ b/components/service/capsule_update/provider/capsule_update_provider.c +@@ -0,0 +1,133 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include "capsule_update_provider.h" ++ ++ ++#define CAPSULE_UPDATE_REQUEST (0x1) ++#define KERNEL_STARTED_EVENT (0x2) ++ ++enum corstone1000_ioctl_id_t { ++ IOCTL_CORSTONE1000_FWU_FLASH_IMAGES = 0, ++ IOCTL_CORSTONE1000_FWU_HOST_ACK, ++}; ++ ++/* Service request handlers */ ++static rpc_status_t update_capsule_handler(void *context, struct call_req *req); ++static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req); ++ ++/* Handler mapping table for service */ ++static const struct service_handler handler_table[] = { ++ {CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE, update_capsule_handler}, ++ {CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED, boot_confirmed_handler} ++}; ++ ++struct rpc_interface *capsule_update_provider_init( ++ struct capsule_update_provider *context) ++{ ++ struct rpc_interface *rpc_interface = NULL; ++ ++ if (context) { ++ ++ service_provider_init( 
++ &context->base_provider, ++ context, ++ handler_table, ++ sizeof(handler_table)/sizeof(struct service_handler)); ++ ++ rpc_interface = service_provider_get_rpc_interface(&context->base_provider); ++ } ++ ++ return rpc_interface; ++} ++ ++void capsule_update_provider_deinit(struct capsule_update_provider *context) ++{ ++ (void)context; ++} ++ ++static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) ++{ ++ uint32_t ioctl_id; ++ psa_handle_t handle; ++ rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED; ++ ++ struct psa_invec in_vec[] = { ++ { .base = &ioctl_id, .len = sizeof(ioctl_id) } ++ }; ++ ++ if(!caller) { ++ EMSG("event_handler rpc_caller is NULL"); ++ rpc_status = TS_RPC_ERROR_RESOURCE_FAILURE; ++ return rpc_status; ++ } ++ ++ IMSG("event handler opcode %x", opcode); ++ switch(opcode) { ++ case CAPSULE_UPDATE_REQUEST: ++ /* Openamp call with IOCTL for firmware update*/ ++ ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES; ++ handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, ++ TFM_SP_PLATFORM_IOCTL_VERSION); ++ if (handle <= 0) { ++ EMSG("%s Invalid handle", __func__); ++ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; ++ return rpc_status; ++ } ++ psa_call(caller,handle, PSA_IPC_CALL, ++ in_vec,IOVEC_LEN(in_vec), NULL, 0); ++ break; ++ ++ case KERNEL_STARTED_EVENT: ++ ioctl_id = IOCTL_CORSTONE1000_FWU_HOST_ACK; ++ /*openamp call with IOCTL for kernel start*/ ++ handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, ++ TFM_SP_PLATFORM_IOCTL_VERSION); ++ if (handle <= 0) { ++ EMSG("%s Invalid handle", __func__); ++ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; ++ return rpc_status; ++ } ++ psa_call(caller,handle, PSA_IPC_CALL, ++ in_vec,IOVEC_LEN(in_vec), NULL, 0); ++ break; ++ default: ++ EMSG("%s unsupported opcode", __func__); ++ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; ++ return rpc_status; ++ } ++ return rpc_status; ++ ++} ++ ++static rpc_status_t update_capsule_handler(void *context, struct call_req *req) ++{ ++ struct 
capsule_update_provider *this_instance = (struct capsule_update_provider*)context; ++ struct rpc_caller *caller = this_instance->client.caller; ++ uint32_t opcode = req->opcode; ++ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; ++ ++ rpc_status = event_handler(opcode, caller); ++ return rpc_status; ++} ++ ++static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req) ++{ ++ struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context; ++ struct rpc_caller *caller = this_instance->client.caller; ++ uint32_t opcode = req->opcode; ++ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; ++ ++ rpc_status = event_handler(opcode, caller); ++ ++ return rpc_status; ++} +diff --git a/components/service/capsule_update/provider/capsule_update_provider.h b/components/service/capsule_update/provider/capsule_update_provider.h +new file mode 100644 +index 000000000000..3de49854ea90 +--- /dev/null ++++ b/components/service/capsule_update/provider/capsule_update_provider.h +@@ -0,0 +1,51 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_PROVIDER_H ++#define CAPSULE_UPDATE_PROVIDER_H ++ ++#include ++#include ++#include ++#include ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++/** ++ * The capsule_update_provider is a service provider that accepts update capsule ++ * requests and delegates them to a suitable backend that applies the update. 
++ */ ++struct capsule_update_provider ++{ ++ struct service_provider base_provider; ++ struct service_client client; ++}; ++ ++/** ++ * \brief Initialize an instance of the capsule update service provider ++ * ++ * @param[in] context The instance to initialize ++ * ++ * \return An rpc_interface or NULL on failure ++ */ ++struct rpc_interface *capsule_update_provider_init( ++ struct capsule_update_provider *context); ++ ++/** ++ * \brief Cleans up when the instance is no longer needed ++ * ++ * \param[in] context The instance to de-initialize ++ */ ++void capsule_update_provider_deinit( ++ struct capsule_update_provider *context); ++ ++#ifdef __cplusplus ++} /* extern "C" */ ++#endif ++ ++#endif /* CAPSULE_UPDATE_PROVIDER_H */ +diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake +new file mode 100644 +index 000000000000..1d412eb234d9 +--- /dev/null ++++ b/components/service/capsule_update/provider/component.cmake +@@ -0,0 +1,13 @@ ++#------------------------------------------------------------------------------- ++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
++# ++# SPDX-License-Identifier: BSD-3-Clause ++# ++#------------------------------------------------------------------------------- ++if (NOT DEFINED TGT) ++ message(FATAL_ERROR "mandatory parameter TGT is not defined.") ++endif() ++ ++target_sources(${TGT} PRIVATE ++ "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c" ++ ) +diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake +index 4e7e2bd58028..e60b5400617f 100644 +--- a/deployments/se-proxy/infra/corstone1000/infra.cmake ++++ b/deployments/se-proxy/infra/corstone1000/infra.cmake +@@ -21,6 +21,7 @@ add_components(TARGET "se-proxy" + "components/service/attestation/key_mngr/local" + "components/service/attestation/reporter/psa_ipc" + "components/service/crypto/backend/psa_ipc" ++ "components/service/capsule_update/provider" + "components/service/secure_storage/backend/secure_storage_ipc" + ) + +diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h +index 48908f846990..3d4a7c204785 100644 +--- a/deployments/se-proxy/se_proxy_interfaces.h ++++ b/deployments/se-proxy/se_proxy_interfaces.h +@@ -8,9 +8,10 @@ + #define SE_PROXY_INTERFACES_H + + /* Interface IDs from service endpoints available from an se-proxy deployment */ +-#define SE_PROXY_INTERFACE_ID_ITS (0) +-#define SE_PROXY_INTERFACE_ID_PS (1) +-#define SE_PROXY_INTERFACE_ID_CRYPTO (2) +-#define SE_PROXY_INTERFACE_ID_ATTEST (3) ++#define SE_PROXY_INTERFACE_ID_ITS (0) ++#define SE_PROXY_INTERFACE_ID_PS (1) ++#define SE_PROXY_INTERFACE_ID_CRYPTO (2) ++#define SE_PROXY_INTERFACE_ID_ATTEST (3) ++#define SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE (4) + + #endif /* SE_PROXY_INTERFACES_H */ +diff --git a/protocols/service/capsule_update/capsule_update_proto.h b/protocols/service/capsule_update/capsule_update_proto.h +new file mode 100644 +index 000000000000..8f326cd387fb +--- /dev/null ++++ b/protocols/service/capsule_update/capsule_update_proto.h +@@ -0,0 
+1,13 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_PROTO_H ++#define CAPSULE_UPDATE_PROTO_H ++ ++#include ++#include ++ ++#endif /* CAPSULE_UPDATE_PROTO_H */ +diff --git a/protocols/service/capsule_update/opcodes.h b/protocols/service/capsule_update/opcodes.h +new file mode 100644 +index 000000000000..8185a0902378 +--- /dev/null ++++ b/protocols/service/capsule_update/opcodes.h +@@ -0,0 +1,17 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_OPCODES_H ++#define CAPSULE_UPDATE_OPCODES_H ++ ++/** ++ * Opcode definitions for the capsule update service ++ */ ++ ++#define CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE 1 ++#define CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED 2 ++ ++#endif /* CAPSULE_UPDATE_OPCODES_H */ +diff --git a/protocols/service/capsule_update/parameters.h b/protocols/service/capsule_update/parameters.h +new file mode 100644 +index 000000000000..285d924186be +--- /dev/null ++++ b/protocols/service/capsule_update/parameters.h +@@ -0,0 +1,15 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_PARAMETERS_H ++#define CAPSULE_UPDATE_PARAMETERS_H ++ ++/** ++ * Operation parameter definitions for the capsule update service access protocol. ++ */ ++ ++ ++#endif /* CAPSULE_UPDATE_PARAMETERS_H */ +-- +2.40.0 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch new file mode 100644 index 0000000000..3f3800ceb9 --- /dev/null 
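Review bot: in event_handler (capsule_update_provider.c) the psa_status_t returned by psa_call is discarded and the handle obtained from psa_connect is never released, so a failed IOCTL_CORSTONE1000_FWU_FLASH_IMAGES or IOCTL_CORSTONE1000_FWU_HOST_ACK request is still answered with TS_RPC_CALL_ACCEPTED and every request leaves a connection to TFM_SP_PLATFORM_IOCTL_SID open. Check the psa_call result, map a failure to an rpc error status, and close the handle after the call on every path. The two case arms are identical apart from the ioctl_id assignment, so the switch only needs to select ioctl_id and the connect/call sequence can follow it once. Also, update_capsule_handler and boot_confirmed_handler forward req->opcode into a switch over the locally defined CAPSULE_UPDATE_REQUEST (0x1) and KERNEL_STARTED_EVENT (0x2); that works only because those happen to equal CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE (1) and CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED (2) from opcodes.h, so switch on the protocol opcodes directly or define the local constants in terms of them.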
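Review bot: the se_proxy_interfaces.h hunk defines SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE (4) and infra.cmake compiles components/service/capsule_update/provider, but none of the nine files in this patch registers the rpc_interface returned by capsule_update_provider_init under that ID, so the commit message's statement that the provider "is integrated into the se-proxy/common deployment" is not borne out by the diff; either add the endpoint wiring here or say in the message that it lands in a later patch. The same hunk re-indents the four existing SE_PROXY_INTERFACE_ID_* lines, which turns a one-line addition into a five-line change for whitespace only.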
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch 
@@ -0,0 +1,121 @@ +From 51a7024967187644011c5043ef0f733cf81b26be Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Mon, 14 Feb 2022 08:22:25 +0000 +Subject: [PATCH 2/6] Fixes in AEAD for psa-arch test 54 and 58. + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras +Signed-off-by: Satish Kumar +Signed-off-by: Rui Miguel Silva +--- + .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 + + components/service/crypto/include/psa/crypto_sizes.h | 2 +- + .../crypto/provider/extension/aead/aead_provider.c | 8 ++++++-- + .../extension/aead/serializer/aead_provider_serializer.h | 1 + + .../packed-c/packedc_aead_provider_serializer.c | 2 ++ + protocols/service/crypto/packed-c/aead.h | 1 + + 6 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +index c4ffb20cf7f8..a91f66c14008 100644 +--- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h ++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +@@ -309,6 +309,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont + size_t req_len = req_fixed_len; + + *output_length = 0; ++ req_msg.output_size = output_size; + req_msg.op_handle = op_handle; + + /* Mandatory input data parameter */ +diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h +index 30aa102da581..130d27295878 100644 +--- a/components/service/crypto/include/psa/crypto_sizes.h ++++ b/components/service/crypto/include/psa/crypto_sizes.h +@@ -351,7 +351,7 @@ + * just the largest size that may be generated by + * #psa_aead_generate_nonce(). + */ +-#define PSA_AEAD_NONCE_MAX_SIZE 12 ++#define PSA_AEAD_NONCE_MAX_SIZE 16 + + /** A sufficient output buffer size for psa_aead_update(). 
+ * +diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c +index 14a25436b3f6..6b144db821de 100644 +--- a/components/service/crypto/provider/extension/aead/aead_provider.c ++++ b/components/service/crypto/provider/extension/aead/aead_provider.c +@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) + uint32_t op_handle; + const uint8_t *input; + size_t input_len; ++ uint32_t recv_output_size; + + if (serializer) + rpc_status = serializer->deserialize_aead_update_req(req_buf, &op_handle, +- &input, &input_len); ++ &recv_output_size, &input, &input_len); + + if (rpc_status == TS_RPC_CALL_ACCEPTED) { + +@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) + if (crypto_context) { + + size_t output_len = 0; +- size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len); ++ size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24); + uint8_t *output = malloc(output_size); + ++ if (recv_output_size < output_size) { ++ output_size = recv_output_size; ++ } + if (output) { + + psa_status = psa_aead_update(&crypto_context->op.aead, +diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h +index bb1a2a97e4b7..0156aaba3fe3 100644 +--- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h ++++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h +@@ -51,6 +51,7 @@ struct aead_provider_serializer { + /* Operation: aead_update */ + rpc_status_t (*deserialize_aead_update_req)(const struct call_param_buf *req_buf, + uint32_t *op_handle, ++ uint32_t *output_size, + const uint8_t **input, size_t *input_len); + + rpc_status_t (*serialize_aead_update_resp)(struct call_param_buf *resp_buf, +diff 
--git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c +index 6f00b3e3f6f1..45c739abcbb4 100644 +--- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c ++++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c +@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct call_param_buf * + /* Operation: aead_update */ + static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req_buf, + uint32_t *op_handle, ++ uint32_t *output_size, + const uint8_t **input, size_t *input_len) + { + rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY; +@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req + memcpy(&recv_msg, req_buf->data, expected_fixed_len); + + *op_handle = recv_msg.op_handle; ++ *output_size = recv_msg.output_size; + + tlv_const_iterator_begin(&req_iter, + (uint8_t*)req_buf->data + expected_fixed_len, +diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h +index 0be266b52403..435fd3b523ce 100644 +--- a/protocols/service/crypto/packed-c/aead.h ++++ b/protocols/service/crypto/packed-c/aead.h +@@ -98,6 +98,7 @@ enum + struct __attribute__ ((__packed__)) ts_crypto_aead_update_in + { + uint32_t op_handle; ++ uint32_t output_size; + }; + + /* Variable length input parameter tags */ +-- +2.40.0 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch deleted file mode 100644 index 0371a7a418..0000000000 
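Review bot: in aead_update_handler the output buffer allocation is changed from PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len) to PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24), an unexplained magic number that no longer tracks the actual input length; since the size is then clamped to the client-supplied recv_output_size anyway, keep the input_len-based allocation and clamp that, or give the 24 a named constant with a comment tying it to the psa-arch tests named in the subject. The clamp itself is memory-safe, because output_size only ever shrinks below the size passed to malloc, but recv_output_size is taken from the request unvalidated; an explicit range check before the clamp would make the intended bound visible to the next reader.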
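Review bot: PSA_AEAD_NONCE_MAX_SIZE is raised from 12 to 16 while the comment directly above it still says the value is "just the largest size that may be generated by #psa_aead_generate_nonce()"; update that comment or state in the commit message which algorithm or test requires a 16-byte nonce, because the subject ("Fixes in AEAD for psa-arch test 54 and 58") gives no rationale and every caller that sizes nonce buffers from this macro is affected.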
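Review bot: adding output_size to the packed ts_crypto_aead_update_in struct changes the fixed-length head of the aead_update wire message; deserialize_aead_update_req memcpys expected_fixed_len bytes and then starts the TLV iterator at req_buf->data + expected_fixed_len, so a client built against the old four-byte layout will have its input TLV parsed from the wrong offset. The patch updates crypto_caller_aead.h in step, but the commit message should call this out as a protocol break, or the value should be carried as an optional TLV parameter so old and new callers both decode correctly.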
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch +++ /dev/null 
@@ -1,1091 +0,0 @@ -From 28aedac78016e5063ebd675a43e6c3655f87b442 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath -Date: Fri, 3 Dec 2021 18:00:46 +0000 -Subject: [PATCH 02/20] Implement mhu driver and the OpenAmp conversion layer. - -This commit adds an mhu driver (v2.1 and v2) to the secure -partition se_proxy and a conversion layer to communicate with -the secure enclave using OpenAmp. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - .../se-proxy/opteesp/default_se-proxy.dts.in | 16 + - .../drivers/arm/mhu_driver/component.cmake | 12 + - platform/drivers/arm/mhu_driver/mhu_v2.h | 391 ++++++++++++ - platform/drivers/arm/mhu_driver/mhu_v2_x.c | 602 ++++++++++++++++++ - .../providers/arm/corstone1000/platform.cmake | 10 + - 5 files changed, 1031 insertions(+) - create mode 100644 platform/drivers/arm/mhu_driver/component.cmake - create mode 100644 platform/drivers/arm/mhu_driver/mhu_v2.h - create mode 100644 platform/drivers/arm/mhu_driver/mhu_v2_x.c - create mode 100644 platform/providers/arm/corstone1000/platform.cmake - -diff --git a/deployments/se-proxy/opteesp/default_se-proxy.dts.in b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -index 5748d2f80f88..267b4f923540 100644 ---- a/deployments/se-proxy/opteesp/default_se-proxy.dts.in -+++ b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -@@ -17,4 +17,20 @@ - xlat-granule = <0>; /* 4KiB */ - messaging-method = <3>; /* Direct messaging only */ - legacy-elf-format = <1>; -+ -+ device-regions { -+ compatible = "arm,ffa-manifest-device-regions"; -+ mhu-sender { -+ /* Armv8 A Foundation Platform values */ -+ base-address = <0x00000000 0x1b820000>; -+ pages-count = <16>; -+ attributes = <0x3>; /* read-write */ -+ }; -+ mhu-receiver { -+ /* Armv8 A Foundation Platform values */ -+ base-address = <0x00000000 0x1b830000>; -+ pages-count = <16>; -+ attributes = <0x3>; /* read-write */ -+ }; -+ }; - }; -diff --git a/platform/drivers/arm/mhu_driver/component.cmake 
b/platform/drivers/arm/mhu_driver/component.cmake -new file mode 100644 -index 000000000000..77a5a50b67d1 ---- /dev/null -+++ b/platform/drivers/arm/mhu_driver/component.cmake -@@ -0,0 +1,12 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+# Add source files for using mhu driver -+target_sources(${TGT} -+ PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/mhu_v2_x.c" -+) -diff --git a/platform/drivers/arm/mhu_driver/mhu_v2.h b/platform/drivers/arm/mhu_driver/mhu_v2.h -new file mode 100644 -index 000000000000..2e4ba80fab95 ---- /dev/null -+++ b/platform/drivers/arm/mhu_driver/mhu_v2.h -@@ -0,0 +1,391 @@ -+/* -+ * Copyright (c) 2021 Arm Limited -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. 
-+ */ -+ -+/** -+ * \file mhu_v2_x.h -+ * \brief Driver for Arm MHU v2.0 and v2.1 -+ */ -+ -+#ifndef __MHU_V2_X_H__ -+#define __MHU_V2_X_H__ -+ -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#define MHU_2_X_INTR_NR2R_OFF (0x0u) -+#define MHU_2_X_INTR_R2NR_OFF (0x1u) -+#define MHU_2_1_INTR_CHCOMB_OFF (0x2u) -+ -+#define MHU_2_X_INTR_NR2R_MASK (0x1u << MHU_2_X_INTR_NR2R_OFF) -+#define MHU_2_X_INTR_R2NR_MASK (0x1u << MHU_2_X_INTR_R2NR_OFF) -+#define MHU_2_1_INTR_CHCOMB_MASK (0x1u << MHU_2_1_INTR_CHCOMB_OFF) -+ -+enum mhu_v2_x_frame_t { -+ MHU_V2_X_SENDER_FRAME = 0x0u, -+ MHU_V2_X_RECEIVER_FRAME = 0x1u, -+}; -+ -+enum mhu_v2_x_supported_revisions { -+ MHU_REV_READ_FROM_HW = 0, -+ MHU_REV_2_0, -+ MHU_REV_2_1, -+}; -+ -+struct mhu_v2_x_dev_t { -+ uint32_t base; -+ enum mhu_v2_x_frame_t frame; -+ uint32_t subversion; /*!< Hardware subversion: v2.X */ -+ bool is_initialized; /*!< Indicates if the MHU driver -+ * is initialized and enabled -+ */ -+}; -+ -+/** -+ * \brief MHU v2 error enumeration types. -+ */ -+enum mhu_v2_x_error_t { -+ MHU_V_2_X_ERR_NONE = 0, -+ MHU_V_2_X_ERR_NOT_INIT = -1, -+ MHU_V_2_X_ERR_ALREADY_INIT = -2, -+ MHU_V_2_X_ERR_UNSUPPORTED_VERSION = -3, -+ MHU_V_2_X_ERR_INVALID_ARG = -4, -+ MHU_V_2_X_ERR_GENERAL = -5 -+}; -+ -+/** -+ * \brief Initializes the driver -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] rev MHU revision (if can't be identified from HW) -+ * -+ * Reads the MHU hardware version -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note MHU revision only has to be specified when versions can't be read -+ * from HW (ARCH_MAJOR_REV reg reads as 0x0). -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_driver_init(struct mhu_v2_x_dev_t *dev, -+ enum mhu_v2_x_supported_revisions rev); -+ -+/** -+ * \brief Returns the number of channels implemented. 
-+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * Returns the number of channels implemented. -+ * -+ * \return Returns the number of channels implemented. -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+uint32_t mhu_v2_x_get_num_channel_implemented( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Sends the value over a channel. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Channel to send the value over. -+ * \param[in] val Value to send. -+ * -+ * Sends the value over a channel. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_send(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel, uint32_t val); -+ -+/** -+ * \brief Clears the channel after the value is send over it. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Channel to clear. -+ * -+ * Clears the channel after the value is send over it. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_clear(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel); -+ -+/** -+ * \brief Receives the value over a channel. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Channel to receive the value from. -+ * \param[out] value Pointer to variable that will store the value. -+ * -+ * Receives the value over a channel. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. 
-+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_receive( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t *value); -+ -+/** -+ * \brief Sets bits in the Channel Mask. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's mask to set. -+ * \param[in] mask Mask to be set over a receiver frame. -+ * -+ * Sets bits in the Channel Mask. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_set( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask); -+ -+/** -+ * \brief Clears bits in the Channel Mask. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's mask to clear. -+ * \param[in] mask Mask to be clear over a receiver frame. -+ * -+ * Clears bits in the Channel Mask. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask); -+ -+/** -+ * \brief Enables the Channel interrupt. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's interrupt to enable. -+ * -+ * Enables the Channel clear interrupt. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel); -+ -+/** -+ * \brief Disables the Channel interrupt. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's interrupt to disable. 
-+ * -+ * Disables the Channel interrupt. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel); -+ -+/** -+ * \brief Cleares the Channel interrupt. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] channel Which channel's interrupt to clear. -+ * -+ * Cleares the Channel interrupt. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ * \note This function doesn't check if channel is implemented. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel); -+ -+/** -+ * \brief Initiates a MHU transfer with the handshake signals. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * Initiates a MHU transfer with the handshake signals in a blocking mode. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_initiate_transfer( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Closes a MHU transfer with the handshake signals. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * Closes a MHU transfer with the handshake signals in a blocking mode. -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_close_transfer( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Returns the value of access request signal. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[out] val Pointer to variable that will store the value. 
-+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_request( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val); -+ -+/** -+ * \brief Sets the value of access request signal to high. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_set_access_request( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Sets the value of access request signal to low. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_reset_access_request( -+ const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Returns the value of access ready signal. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[out] val Pointer to variable that will store the value. -+ * -+ * For more information please read the MHU v2 user guide -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_ready( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val); -+ -+/** -+ * \brief Returns the MHU interrupt status. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * -+ * \return Interrupt status register value. Masking is needed for individual -+ * interrupts. -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+uint32_t mhu_v2_x_get_interrupt_status(const struct mhu_v2_x_dev_t *dev); -+ -+/** -+ * \brief Enables MHU interrupts. 
-+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] mask Bit mask for enabling/disabling interrupts -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask); -+ -+/** -+ * \brief Disables MHU interrupts. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] mask Bit mask for enabling/disabling interrupts -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask); -+ -+/** -+ * \brief Clears MHU interrupts. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[in] mask Bit mask for clearing interrupts -+ * -+ * \return Returns mhu_v2_x_error_t error code -+ * -+ * \note This function doesn't check if dev is NULL. -+ */ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask); -+ -+/** -+ * \brief Returns the first channel number whose interrupt bit is high. -+ * -+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t -+ * \param[out] channel Pointer to variable that will have the channel value. -+ * -+ * \return Returns the first channel number whose interrupt bit is high. -+ * \return Returns mhu_v2_x_error_t error code. -+ * -+ * \note This function doesn't check if dev is NULL. 
-+ */ -+enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *channel); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __MHU_V2_X_H__ */ -diff --git a/platform/drivers/arm/mhu_driver/mhu_v2_x.c b/platform/drivers/arm/mhu_driver/mhu_v2_x.c -new file mode 100644 -index 000000000000..01d8f659a73a ---- /dev/null -+++ b/platform/drivers/arm/mhu_driver/mhu_v2_x.c -@@ -0,0 +1,602 @@ -+/* -+ * Copyright (c) 2021 Arm Limited -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. 
-+ */ -+#include -+#include -+#include "mhu_v2.h" -+ -+#define _MHU_V2_X_MAX_CHANNELS 124 -+#define _MHU_V2_1_MAX_CHCOMB_INT 4 -+#define ENABLE 0x1 -+#define DISABLE 0x0 -+#define CLEAR_INTR 0x1 -+#define CH_PER_CH_COMB 0x20 -+#define SEND_FRAME(p_mhu) ((struct _mhu_v2_x_send_frame_t *)p_mhu) -+#define RECV_FRAME(p_mhu) ((struct _mhu_v2_x_recv_frame_t *)p_mhu) -+ -+#define MHU_MAJOR_REV_V2 0x1u -+#define MHU_MINOR_REV_2_0 0x0u -+#define MHU_MINOR_REV_2_1 0x1u -+ -+struct _mhu_v2_x_send_ch_window_t { -+ /* Offset: 0x00 (R/ ) Channel Status */ -+ volatile uint32_t ch_st; -+ /* Offset: 0x04 (R/ ) Reserved */ -+ volatile uint32_t reserved_0; -+ /* Offset: 0x08 (R/ ) Reserved */ -+ volatile uint32_t reserved_1; -+ /* Offset: 0x0C ( /W) Channel Set */ -+ volatile uint32_t ch_set; -+ /* Offset: 0x10 (R/ ) Channel Interrupt Status (Reserved in 2.0) */ -+ volatile uint32_t ch_int_st; -+ /* Offset: 0x14 ( /W) Channel Interrupt Clear (Reserved in 2.0) */ -+ volatile uint32_t ch_int_clr; -+ /* Offset: 0x18 (R/W) Channel Interrupt Enable (Reserved in 2.0) */ -+ volatile uint32_t ch_int_en; -+ /* Offset: 0x1C (R/ ) Reserved */ -+ volatile uint32_t reserved_2; -+}; -+ -+struct _mhu_v2_x_send_frame_t { -+ /* Offset: 0x000 ( / ) Sender Channel Window 0 -123 */ -+ struct _mhu_v2_x_send_ch_window_t send_ch_window[_MHU_V2_X_MAX_CHANNELS]; -+ /* Offset: 0xF80 (R/ ) Message Handling Unit Configuration */ -+ volatile uint32_t mhu_cfg; -+ /* Offset: 0xF84 (R/W) Response Configuration */ -+ volatile uint32_t resp_cfg; -+ /* Offset: 0xF88 (R/W) Access Request */ -+ volatile uint32_t access_request; -+ /* Offset: 0xF8C (R/ ) Access Ready */ -+ volatile uint32_t access_ready; -+ /* Offset: 0xF90 (R/ ) Interrupt Status */ -+ volatile uint32_t int_st; -+ /* Offset: 0xF94 ( /W) Interrupt Clear */ -+ volatile uint32_t int_clr; -+ /* Offset: 0xF98 (R/W) Interrupt Enable */ -+ volatile uint32_t int_en; -+ /* Offset: 0xF9C (R/ ) Reserved */ -+ volatile uint32_t reserved_0; -+ /* Offset: 0xFA0 (R/W) 
Channel Combined Interrupt Stat (Reserved in 2.0) */ -+ volatile uint32_t ch_comb_int_st[_MHU_V2_1_MAX_CHCOMB_INT]; -+ /* Offset: ‭0xFC4‬ (R/ ) Reserved */ -+ volatile uint32_t reserved_1[6]; -+ /* Offset: 0xFC8 (R/ ) Implementer Identification Register */ -+ volatile uint32_t iidr; -+ /* Offset: 0xFCC (R/ ) Architecture Identification Register */ -+ volatile uint32_t aidr; -+ /* Offset: 0xFD0 (R/ ) */ -+ volatile uint32_t pid_1[4]; -+ /* Offset: 0xFE0 (R/ ) */ -+ volatile uint32_t pid_0[4]; -+ /* Offset: 0xFF0 (R/ ) */ -+ volatile uint32_t cid[4]; -+}; -+ -+struct _mhu_v2_x_rec_ch_window_t { -+ /* Offset: 0x00 (R/ ) Channel Status */ -+ volatile uint32_t ch_st; -+ /* Offset: 0x04 (R/ ) Channel Status Masked */ -+ volatile uint32_t ch_st_msk; -+ /* Offset: 0x08 ( /W) Channel Clear */ -+ volatile uint32_t ch_clr; -+ /* Offset: 0x0C (R/ ) Reserved */ -+ volatile uint32_t reserved_0; -+ /* Offset: 0x10 (R/ ) Channel Mask Status */ -+ volatile uint32_t ch_msk_st; -+ /* Offset: 0x14 ( /W) Channel Mask Set */ -+ volatile uint32_t ch_msk_set; -+ /* Offset: 0x18 ( /W) Channel Mask Clear */ -+ volatile uint32_t ch_msk_clr; -+ /* Offset: 0x1C (R/ ) Reserved */ -+ volatile uint32_t reserved_1; -+}; -+ -+struct _mhu_v2_x_recv_frame_t { -+ /* Offset: 0x000 ( / ) Receiver Channel Window 0 -123 */ -+ struct _mhu_v2_x_rec_ch_window_t rec_ch_window[_MHU_V2_X_MAX_CHANNELS]; -+ /* Offset: 0xF80 (R/ ) Message Handling Unit Configuration */ -+ volatile uint32_t mhu_cfg; -+ /* Offset: 0xF84 (R/ ) Reserved */ -+ volatile uint32_t reserved_0[3]; -+ /* Offset: 0xF90 (R/ ) Interrupt Status (Reserved in 2.0) */ -+ volatile uint32_t int_st; -+ /* Offset: 0xF94 (R/ ) Interrupt Clear (Reserved in 2.0) */ -+ volatile uint32_t int_clr; -+ /* Offset: 0xF98 (R/W) Interrupt Enable (Reserved in 2.0) */ -+ volatile uint32_t int_en; -+ /* Offset: 0xF9C (R/ ) Reserved */ -+ volatile uint32_t reserved_1; -+ /* Offset: 0xFA0 (R/ ) Channel Combined Interrupt Stat (Reserved in 2.0) */ -+ volatile uint32_t 
ch_comb_int_st[_MHU_V2_1_MAX_CHCOMB_INT]; -+ /* Offset: 0xFB0 (R/ ) Reserved */ -+ volatile uint32_t reserved_2[6]; -+ /* Offset: 0xFC8 (R/ ) Implementer Identification Register */ -+ volatile uint32_t iidr; -+ /* Offset: 0xFCC (R/ ) Architecture Identification Register */ -+ volatile uint32_t aidr; -+ /* Offset: 0xFD0 (R/ ) */ -+ volatile uint32_t pid_1[4]; -+ /* Offset: 0xFE0 (R/ ) */ -+ volatile uint32_t pid_0[4]; -+ /* Offset: 0xFF0 (R/ ) */ -+ volatile uint32_t cid[4]; -+}; -+ -+union _mhu_v2_x_frame_t { -+ struct _mhu_v2_x_send_frame_t send_frame; -+ struct _mhu_v2_x_recv_frame_t recv_frame; -+}; -+ -+enum mhu_v2_x_error_t mhu_v2_x_driver_init(struct mhu_v2_x_dev_t *dev, -+ enum mhu_v2_x_supported_revisions rev) -+{ -+ uint32_t AIDR = 0; -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if (dev->is_initialized) { -+ return MHU_V_2_X_ERR_ALREADY_INIT; -+ } -+ -+ if (rev == MHU_REV_READ_FROM_HW) { -+ /* Read revision from HW */ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ AIDR = p_mhu->recv_frame.aidr; -+ } else { -+ AIDR = p_mhu->send_frame.aidr; -+ } -+ -+ /* Get bits 7:4 to read major revision */ -+ if ( ((AIDR >> 4) & 0b1111) != MHU_MAJOR_REV_V2) { -+ /* Unsupported MHU version */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } /* No need to save major version, driver only supports MHUv2 */ -+ -+ /* Get bits 3:0 to read minor revision */ -+ dev->subversion = AIDR & 0b1111; -+ -+ if (dev->subversion != MHU_MINOR_REV_2_0 && -+ dev->subversion != MHU_MINOR_REV_2_1) { -+ /* Unsupported subversion */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } else { -+ /* Revisions were provided by caller */ -+ if (rev == MHU_REV_2_0) { -+ dev->subversion = MHU_MINOR_REV_2_0; -+ } else if (rev == MHU_REV_2_1) { -+ dev->subversion = MHU_MINOR_REV_2_1; -+ } else { -+ /* Unsupported subversion */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ }/* No need to save major version, driver only supports MHUv2 */ -+ } -+ -+ 
dev->is_initialized = true; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+uint32_t mhu_v2_x_get_num_channel_implemented(const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ return (SEND_FRAME(p_mhu))->mhu_cfg; -+ } else { -+ return (RECV_FRAME(p_mhu))->mhu_cfg; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_send(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel, uint32_t val) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_set = val; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_clear(const struct mhu_v2_x_dev_t *dev, -+ uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_clr = UINT32_MAX; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_receive( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t *value) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ *value = (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_st; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_set( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask) -+{ 
-+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_msk_set = mask; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_mask_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ (RECV_FRAME(p_mhu))->rec_ch_window[channel].ch_msk_clr = mask; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_1) { -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_int_en = ENABLE; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_1) { -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_int_en = DISABLE; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ 
-+enum mhu_v2_x_error_t mhu_v2_x_channel_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t channel) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_1) { -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_int_clr = CLEAR_INTR; -+ return MHU_V_2_X_ERR_NONE; -+ } else { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_initiate_transfer( -+ const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = ENABLE; -+ -+ while ( !((SEND_FRAME(p_mhu))->access_ready) ) { -+ /* Wait in a loop for access ready signal to be high */ -+ ; -+ } -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_close_transfer(const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = DISABLE; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_request( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ *val = (SEND_FRAME(p_mhu))->access_request; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum 
mhu_v2_x_error_t mhu_v2_x_set_access_request( -+ const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = ENABLE; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_reset_access_request( -+ const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ (SEND_FRAME(p_mhu))->access_request = DISABLE; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_get_access_ready( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *val) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame != MHU_V2_X_SENDER_FRAME) { -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ *val = (SEND_FRAME(p_mhu))->access_ready; -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+uint32_t mhu_v2_x_get_interrupt_status(const struct mhu_v2_x_dev_t *dev) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ return (SEND_FRAME(p_mhu))->int_st; -+ } else { -+ return (RECV_FRAME(p_mhu))->int_st; -+ } -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_enable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_0) { -+ if (mask & 
MHU_2_1_INTR_CHCOMB_MASK) { -+ /* Combined channel IRQ is not present in v2.0 */ -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ /* Only sender frame has these registers */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->int_en |= mask; -+ } else { -+ (RECV_FRAME(p_mhu))->int_en |= mask; -+ } -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_disable( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_0) { -+ if (mask & MHU_2_1_INTR_CHCOMB_MASK) { -+ /* Combined channel IRQ is not present in v2.0 */ -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ /* Only sender frame has these registers */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->int_en &= ~mask; -+ } else { -+ (RECV_FRAME(p_mhu))->int_en &= ~mask; -+ } -+ -+ return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_x_interrupt_clear( -+ const struct mhu_v2_x_dev_t *dev, uint32_t mask) -+{ -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion == MHU_MINOR_REV_2_0) { -+ if (mask & MHU_2_1_INTR_CHCOMB_MASK) { -+ /* Combined channel IRQ is not present in v2.0 */ -+ return MHU_V_2_X_ERR_INVALID_ARG; -+ } -+ -+ if (dev->frame == MHU_V2_X_RECEIVER_FRAME) { -+ /* Only sender frame has these registers */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ } -+ -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ (SEND_FRAME(p_mhu))->int_clr = mask; -+ } else { -+ (RECV_FRAME(p_mhu))->int_clr = mask; -+ } -+ -+ 
return MHU_V_2_X_ERR_NONE; -+} -+ -+enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num( -+ const struct mhu_v2_x_dev_t *dev, uint32_t *channel) -+{ -+ uint32_t i, j, status; -+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base; -+ -+ if ( !(dev->is_initialized) ) { -+ return MHU_V_2_X_ERR_NOT_INIT; -+ } -+ -+ if (dev->subversion != MHU_MINOR_REV_2_1) { -+ /* Feature is only supported in MHU v2.1 */ -+ return MHU_V_2_X_ERR_UNSUPPORTED_VERSION; -+ } -+ -+ for(i = 0; i < _MHU_V2_1_MAX_CHCOMB_INT; i++) { -+ if(dev->frame == MHU_V2_X_SENDER_FRAME) { -+ status = (SEND_FRAME(p_mhu))->ch_comb_int_st[i]; -+ } else { -+ status = (RECV_FRAME(p_mhu))->ch_comb_int_st[i]; -+ } -+ -+ for(j = 0; j < CH_PER_CH_COMB; j++) { -+ if ((status >> CH_PER_CH_COMB - j - 1) & (ENABLE)) { -+ *channel = (CH_PER_CH_COMB - j -1 + (i * CH_PER_CH_COMB)); -+ return MHU_V_2_X_ERR_NONE; -+ } -+ } -+ } -+ -+ return MHU_V_2_X_ERR_GENERAL; -+} -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -new file mode 100644 -index 000000000000..bb778bb9719b ---- /dev/null -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -0,0 +1,10 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+# Platform definition for the 'fvp_base_revc-2xaem8a' virtual platform. -+#------------------------------------------------------------------------------- -+ -+# include MHU driver -+include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Add-openamp-rpc-caller.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Add-openamp-rpc-caller.patch deleted file mode 100644 index 5686face15..0000000000 
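Review bot: the Doxygen block for mhu_v2_1_get_ch_interrupt_num in mhu_v2_x.h carries two `\return` lines ("Returns the first channel number whose interrupt bit is high" and "Returns mhu_v2_x_error_t error code"); the channel comes back through the `channel` out-parameter, so drop the first `\return` and state in `\param[out] channel` that it is left untouched when no bit is set. The `mask` description for mhu_v2_x_interrupt_disable and mhu_v2_x_interrupt_enable reads "Bit mask for enabling/disabling interrupts" in both; make each say what that function does, as mhu_v2_x_interrupt_clear already does ("Bit mask for clearing interrupts").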
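Review bot: none of the per-channel functions in mhu_v2_x.c (mhu_v2_x_channel_send, _channel_clear, _channel_receive, _channel_mask_set, _channel_mask_clear, _channel_interrupt_enable/disable/clear) bounds-checks `channel`, so a value of 124 or more indexes past `send_ch_window[_MHU_V2_X_MAX_CHANNELS]` / `rec_ch_window[...]` into the frame control registers at 0xF80 and beyond (mhu_cfg, resp_cfg, access_request, int_en, ...), turning a bad argument into a stray MMIO write; add `if (channel >= _MHU_V2_X_MAX_CHANNELS) return MHU_V_2_X_ERR_INVALID_ARG;` after the is_initialized check, or compare against the implemented count from mhu_cfg. Three further points in this file: mhu_v2_x_channel_interrupt_enable/disable/clear return MHU_V_2_X_ERR_UNSUPPORTED_VERSION when `dev->subversion == MHU_MINOR_REV_2_1`, yet the register map marks ch_int_st/ch_int_clr/ch_int_en as "(Reserved in 2.0)" and mhu_v2_1_get_ch_interrupt_num gates the same v2.1 feature with `!= MHU_MINOR_REV_2_1`, so the comparison looks inverted and on a v2.0 part the write lands in a reserved register. mhu_v2_x_get_num_channel_implemented and mhu_v2_x_get_interrupt_status are declared `uint32_t` but hand back the MHU_V_2_X_ERR_NOT_INIT enum on error, which a caller cannot tell apart from a real register value; return the enum and pass the value through an out-parameter as the other getters do. mhu_v2_x_initiate_transfer spins on `access_ready` with no bound, so an unresponsive peer blocks the caller indefinitely; add an iteration limit and a timeout error. Finally, the `reserved_1[6]` comment in _mhu_v2_x_send_frame_t gives offset "0xFC4" wrapped in invisible Unicode bidi control characters; the field follows ch_comb_int_st[4] at 0xFA0 and so starts at 0xFB0 (as the receiver frame's reserved_2 says), and the control characters should be stripped from the source.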
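Review bot: the header comment in platform/providers/arm/corstone1000/platform.cmake describes it as the "Platform definition for the 'fvp_base_revc-2xaem8a' virtual platform", but the file lives under corstone1000 and only includes the MHU driver component; fix the copied comment to name corstone1000.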
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Add-openamp-rpc-caller.patch +++ /dev/null 
@@ -1,1196 +0,0 @@ -From 55394c4c9681af71b1ed7f7ebc7c44b2e1737113 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath -Date: Fri, 3 Dec 2021 19:00:54 +0000 -Subject: [PATCH 03/20] Add openamp rpc caller - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - components/rpc/common/caller/rpc_caller.c | 10 + - components/rpc/common/interface/rpc_caller.h | 8 + - .../rpc/openamp/caller/sp/component.cmake | 15 + - .../rpc/openamp/caller/sp/openamp_caller.c | 203 +++++++ - .../rpc/openamp/caller/sp/openamp_caller.h | 43 ++ - .../rpc/openamp/caller/sp/openamp_mhu.c | 191 ++++++ - .../rpc/openamp/caller/sp/openamp_mhu.h | 19 + - .../rpc/openamp/caller/sp/openamp_virtio.c | 555 ++++++++++++++++++ - .../rpc/openamp/caller/sp/openamp_virtio.h | 24 + - .../se-proxy/opteesp/default_se-proxy.dts.in | 6 + - deployments/se-proxy/se-proxy.cmake | 1 + - 11 files changed, 1075 insertions(+) - create mode 100644 components/rpc/openamp/caller/sp/component.cmake - create mode 100644 components/rpc/openamp/caller/sp/openamp_caller.c - create mode 100644 components/rpc/openamp/caller/sp/openamp_caller.h - create mode 100644 components/rpc/openamp/caller/sp/openamp_mhu.c - create mode 100644 components/rpc/openamp/caller/sp/openamp_mhu.h - create mode 100644 components/rpc/openamp/caller/sp/openamp_virtio.c - create mode 100644 components/rpc/openamp/caller/sp/openamp_virtio.h - -diff --git a/components/rpc/common/caller/rpc_caller.c b/components/rpc/common/caller/rpc_caller.c -index 2dceabeb8967..20d889c162b0 100644 ---- a/components/rpc/common/caller/rpc_caller.c -+++ b/components/rpc/common/caller/rpc_caller.c -@@ -37,3 +37,13 @@ void rpc_caller_end(struct rpc_caller *s, rpc_call_handle handle) - { - s->call_end(s->context, handle); - } -+ -+void *rpc_caller_virt_to_phys(struct rpc_caller *s, void *va) -+{ -+ return s->virt_to_phys(s->context, va); -+} -+ -+void *rpc_caller_phys_to_virt(struct rpc_caller *s, void *pa) -+{ -+ return 
s->phys_to_virt(s->context, pa); -+} -diff --git a/components/rpc/common/interface/rpc_caller.h b/components/rpc/common/interface/rpc_caller.h -index 387489cdb1b2..ef9bb64905ed 100644 ---- a/components/rpc/common/interface/rpc_caller.h -+++ b/components/rpc/common/interface/rpc_caller.h -@@ -45,6 +45,10 @@ struct rpc_caller - rpc_opstatus_t *opstatus, uint8_t **resp_buf, size_t *resp_len); - - void (*call_end)(void *context, rpc_call_handle handle); -+ -+ void *(*virt_to_phys)(void *context, void *va); -+ -+ void *(*phys_to_virt)(void *context, void *pa); - }; - - /* -@@ -87,6 +91,10 @@ RPC_CALLER_EXPORTED rpc_status_t rpc_caller_invoke(struct rpc_caller *s, rpc_cal - */ - RPC_CALLER_EXPORTED void rpc_caller_end(struct rpc_caller *s, rpc_call_handle handle); - -+RPC_CALLER_EXPORTED void *rpc_caller_virt_to_phys(struct rpc_caller *s, void *va); -+ -+RPC_CALLER_EXPORTED void *rpc_caller_phys_to_virt(struct rpc_caller *s, void *pa); -+ - #ifdef __cplusplus - } - #endif -diff --git a/components/rpc/openamp/caller/sp/component.cmake b/components/rpc/openamp/caller/sp/component.cmake -new file mode 100644 -index 000000000000..fc919529d731 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/component.cmake -@@ -0,0 +1,15 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2020, Arm Limited and Contributors. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/openamp_caller.c" -+ "${CMAKE_CURRENT_LIST_DIR}/openamp_virtio.c" -+ "${CMAKE_CURRENT_LIST_DIR}/openamp_mhu.c" -+ ) -diff --git a/components/rpc/openamp/caller/sp/openamp_caller.c b/components/rpc/openamp/caller/sp/openamp_caller.c -new file mode 100644 -index 000000000000..6cdfb756568f ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_caller.c -@@ -0,0 +1,203 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include "openamp_caller.h" -+#include "openamp_mhu.h" -+#include "openamp_virtio.h" -+#include -+ -+#define OPENAMP_TRANSACTION_IDLE 0x0 -+#define OPENAMP_TRANSACTION_INPROGRESS 0x1 -+#define OPENAMP_TRANSACTION_INVOKED 0x2 -+ -+static rpc_call_handle openamp_call_begin(void *context, uint8_t **req_buf, -+ size_t req_len) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ rpc_call_handle handle; -+ int ret; -+ -+ if (!req_buf) { -+ EMSG("openamp: call_begin: not req_buf"); -+ return NULL; -+ } -+ -+ if (req_len > UINT32_MAX || req_len == 0) { -+ EMSG("openamp: call_begin: resp_len invalid: %lu", req_len); -+ return NULL; -+ } -+ -+ if (openamp->status != OPENAMP_TRANSACTION_IDLE) { -+ EMSG("openamp: call_begin: transaction not idle"); -+ return NULL; -+ } -+ -+ ret = ops->platform_call_begin(openamp, req_buf, req_len); -+ if (ret < 0) { -+ EMSG("openamp: call_begin: platform begin failed: %d", ret); -+ return NULL; -+ } -+ -+ openamp->status = OPENAMP_TRANSACTION_INPROGRESS; -+ handle = openamp; -+ -+ return 
handle; -+} -+ -+static rpc_status_t openamp_call_invoke(void *context, rpc_call_handle handle, -+ uint32_t opcode, int *opstatus, -+ uint8_t **resp_buf, size_t *resp_len) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ rpc_status_t status; -+ int ret; -+ -+ (void)opcode; -+ -+ if ((handle != openamp) || !opstatus || !resp_buf || !resp_len) { -+ EMSG("openamp: call_invoke: invalid arguments"); -+ return TS_RPC_ERROR_INVALID_PARAMETER; -+ } -+ -+ if (openamp->status != OPENAMP_TRANSACTION_INPROGRESS) { -+ EMSG("openamp: call_invoke: transaction needed to be started"); -+ return TS_RPC_ERROR_NOT_READY; -+ } -+ -+ ret = ops->platform_call_invoke(openamp, opstatus, resp_buf, resp_len); -+ if (ret < 0) -+ return TS_RPC_ERROR_INTERNAL; -+ -+ openamp->status = OPENAMP_TRANSACTION_INVOKED; -+ *opstatus = 0; -+ -+ return TS_RPC_CALL_ACCEPTED; -+} -+ -+static void openamp_call_end(void *context, rpc_call_handle handle) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ -+ if (handle != openamp) { -+ EMSG("openamp: call_end: invalid arguments"); -+ return; -+ } -+ -+ if (openamp->status == OPENAMP_TRANSACTION_IDLE) { -+ EMSG("openamp: call_end: transaction idle"); -+ return; -+ } -+ -+ ops->platform_call_end(openamp); -+ -+ openamp->status = OPENAMP_TRANSACTION_IDLE; -+} -+ -+static void *openamp_virt_to_phys(void *context, void *va) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ -+ return ops->platform_virt_to_phys(openamp, va); -+} -+ -+static void *openamp_phys_to_virt(void *context, void *pa) -+{ -+ struct openamp_caller *openamp = context; -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ -+ return ops->platform_phys_to_virt(openamp, pa); -+} -+ -+static int openamp_init(struct openamp_caller *openamp) -+{ -+ const struct openamp_platform_ops 
*ops = openamp->platform_ops; -+ int ret; -+ -+ ret = ops->transport_init(openamp); -+ if (ret < 0) -+ return ret; -+ -+ ret = ops->platform_init(openamp); -+ if (ret < 0) -+ goto denit_transport; -+ -+ return 0; -+ -+denit_transport: -+ ops->transport_deinit(openamp); -+ -+ return ret; -+} -+ -+static const struct openamp_platform_ops openamp_virtio_ops = { -+ .transport_init = openamp_mhu_init, -+ .transport_deinit = openamp_mhu_deinit, -+ .transport_notify = openamp_mhu_notify_peer, -+ .transport_receive = openamp_mhu_receive, -+ .platform_init = openamp_virtio_init, -+ .platform_call_begin = openamp_virtio_call_begin, -+ .platform_call_invoke = openamp_virtio_call_invoke, -+ .platform_call_end = openamp_virtio_call_end, -+ .platform_virt_to_phys = openamp_virtio_virt_to_phys, -+ .platform_phys_to_virt = openamp_virtio_phys_to_virt, -+}; -+ -+struct rpc_caller *openamp_caller_init(struct openamp_caller *openamp) -+{ -+ struct rpc_caller *rpc = &openamp->rpc_caller; -+ int ret; -+ -+ if (openamp->ref_count) -+ return rpc; -+ -+ rpc_caller_init(rpc, openamp); -+ -+ rpc->call_begin = openamp_call_begin; -+ rpc->call_invoke = openamp_call_invoke; -+ rpc->call_end = openamp_call_end; -+ rpc->virt_to_phys = openamp_virt_to_phys; -+ rpc->phys_to_virt = openamp_phys_to_virt; -+ openamp->platform_ops = &openamp_virtio_ops; -+ -+ ret = openamp_init(openamp); -+ if (ret < 0) { -+ EMSG("openamp_init: failed to start: %d", ret); -+ return rpc; -+ } -+ openamp->ref_count++; -+ -+ return rpc; -+} -+ -+void openamp_caller_deinit(struct openamp_caller *openamp) -+{ -+ struct rpc_caller *rpc = &openamp->rpc_caller; -+ -+ if (--openamp->ref_count) -+ return; -+ -+ rpc->context = NULL; -+ rpc->call_begin = NULL; -+ rpc->call_invoke = NULL; -+ rpc->call_end = NULL; -+} -+ -+int openamp_caller_discover(struct openamp_caller *openamp) -+{ -+ return openamp_init(openamp); -+} -+ -+int openamp_caller_open(struct openamp_caller *openamp) -+{ -+ -+} -diff --git 
a/components/rpc/openamp/caller/sp/openamp_caller.h b/components/rpc/openamp/caller/sp/openamp_caller.h -new file mode 100644 -index 000000000000..3fb67c56cc53 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_caller.h -@@ -0,0 +1,43 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+#ifndef OPENAMP_CALLER_H -+#define OPENAMP_CALLER_H -+ -+#include -+#include -+ -+struct openamp_caller { -+ struct rpc_caller rpc_caller; -+ const struct openamp_platform_ops *platform_ops; -+ uint32_t ref_count; -+ uint8_t status; -+ -+ void *transport; -+ void *platform; -+}; -+ -+struct openamp_platform_ops { -+ int (*transport_init)(struct openamp_caller *openamp); -+ int (*transport_deinit)(struct openamp_caller *openamp); -+ int (*transport_notify)(struct openamp_caller *openamp); -+ int (*transport_receive)(struct openamp_caller *openamp); -+ int (*platform_init)(struct openamp_caller *openamp); -+ int (*platform_deinit)(struct openamp_caller *openamp); -+ int (*platform_call_begin)(struct openamp_caller *openamp, -+ uint8_t **req_buf, size_t req_len); -+ int (*platform_call_invoke)(struct openamp_caller *openamp, -+ int *opstatus, uint8_t **resp_buf, -+ size_t *resp_len); -+ int (*platform_call_end)(struct openamp_caller *openamp); -+ void *(*platform_virt_to_phys)(struct openamp_caller *openamp, void *va); -+ void *(*platform_phys_to_virt)(struct openamp_caller *openamp, void *pa); -+}; -+ -+struct rpc_caller *openamp_caller_init(struct openamp_caller *openamp); -+void openamp_caller_deinit(struct openamp_caller *openamp); -+ -+#endif -diff --git a/components/rpc/openamp/caller/sp/openamp_mhu.c b/components/rpc/openamp/caller/sp/openamp_mhu.c -new file mode 100644 -index 000000000000..ffdadaf870a3 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_mhu.c -@@ -0,0 +1,191 @@ -+/* -+ * Copyright (c) 2021, 
Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "openamp_caller.h" -+ -+#define MHU_V_2_NOTIFY_CHANNEL 0 -+#define MHU_V_2_NOTIFY_VALUE 0xff -+ -+struct openamp_mhu { -+ struct device_region rx_region; -+ struct device_region tx_region; -+ struct mhu_v2_x_dev_t rx_dev; -+ struct mhu_v2_x_dev_t tx_dev; -+}; -+ -+static int openamp_mhu_device_get(const char *dev, -+ struct device_region *dev_region) -+{ -+ bool found; -+ -+ found = config_store_query(CONFIG_CLASSIFIER_DEVICE_REGION, dev, 0, -+ dev_region, sizeof(*dev_region)); -+ if (!found) -+ return -EINVAL; -+ -+ if (!dev_region->base_addr) -+ return -EINVAL; -+ -+ IMSG("mhu: device region found: %s addr: 0x%x size: %d", dev, -+ dev_region->base_addr, dev_region->io_region_size); -+ -+ return 0; -+} -+ -+int openamp_mhu_receive(struct openamp_caller *openamp) -+{ -+ struct mhu_v2_x_dev_t *rx_dev; -+ enum mhu_v2_x_error_t ret; -+ struct openamp_mhu *mhu; -+ uint32_t channel = 0; -+ uint32_t irq_status; -+ -+ if (!openamp->transport) { -+ EMSG("openamp: mhu: receive transport not initialized"); -+ return -EINVAL; -+ } -+ -+ mhu = openamp->transport; -+ rx_dev = &mhu->rx_dev; -+ -+ irq_status = 0; -+ -+ do { -+ irq_status = mhu_v2_x_get_interrupt_status(rx_dev); -+ } while(!irq_status); -+ -+ ret = mhu_v2_1_get_ch_interrupt_num(rx_dev, &channel); -+ -+ ret = mhu_v2_x_channel_clear(rx_dev, channel); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed to clear channel: %d", channel); -+ return -EPROTO; -+ } -+ -+ return 0; -+} -+ -+int openamp_mhu_notify_peer(struct openamp_caller *openamp) -+{ -+ struct mhu_v2_x_dev_t *tx_dev; -+ enum mhu_v2_x_error_t ret; -+ struct openamp_mhu *mhu; -+ uint32_t access_ready; -+ -+ if (!openamp->transport) { -+ EMSG("openamp: 
mhu: notify transport not initialized"); -+ return -EINVAL; -+ } -+ -+ mhu = openamp->transport; -+ tx_dev = &mhu->tx_dev; -+ -+ ret = mhu_v2_x_set_access_request(tx_dev); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: set access request failed"); -+ return -EPROTO; -+ } -+ -+ do { -+ ret = mhu_v2_x_get_access_ready(tx_dev, &access_ready); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed to get access_ready"); -+ return -EPROTO; -+ } -+ } while (!access_ready); -+ -+ ret = mhu_v2_x_channel_send(tx_dev, MHU_V_2_NOTIFY_CHANNEL, -+ MHU_V_2_NOTIFY_VALUE); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed send over channel"); -+ return -EPROTO; -+ } -+ -+ ret = mhu_v2_x_reset_access_request(tx_dev); -+ if (ret != MHU_V_2_X_ERR_NONE) { -+ EMSG("openamp: mhu: failed reset access request"); -+ return -EPROTO; -+ } -+ -+ return 0; -+} -+ -+int openamp_mhu_init(struct openamp_caller *openamp) -+{ -+ struct mhu_v2_x_dev_t *rx_dev; -+ struct mhu_v2_x_dev_t *tx_dev; -+ struct openamp_mhu *mhu; -+ int ret; -+ -+ /* if we already have initialized skip this */ -+ if (openamp->transport) -+ return 0; -+ -+ mhu = malloc(sizeof(*mhu)); -+ if (!mhu) -+ return -1; -+ -+ ret = openamp_mhu_device_get("mhu-sender", &mhu->tx_region); -+ if (ret < 0) -+ goto free_mhu; -+ -+ ret = openamp_mhu_device_get("mhu-receiver", &mhu->rx_region); -+ if (ret < 0) -+ goto free_mhu; -+ -+ rx_dev = &mhu->rx_dev; -+ tx_dev = &mhu->tx_dev; -+ -+ rx_dev->base = (unsigned int)mhu->rx_region.base_addr; -+ rx_dev->frame = MHU_V2_X_RECEIVER_FRAME; -+ -+ tx_dev->base = (unsigned int)mhu->tx_region.base_addr; -+ tx_dev->frame = MHU_V2_X_SENDER_FRAME; -+ -+ ret = mhu_v2_x_driver_init(rx_dev, MHU_REV_READ_FROM_HW); -+ if (ret < 0) -+ goto free_mhu; -+ -+ ret = mhu_v2_x_driver_init(tx_dev, MHU_REV_READ_FROM_HW); -+ if (ret < 0) -+ goto free_mhu; -+ -+ openamp->transport = (void *)mhu; -+ -+ return 0; -+ -+free_mhu: -+ free(mhu); -+ -+ return ret; -+} -+ -+int 
openamp_mhu_deinit(struct openamp_caller *openamp) -+{ -+ struct openamp_mhu *mhu; -+ -+ if (!openamp->transport) -+ return 0; -+ -+ mhu = openamp->transport; -+ free(mhu); -+ -+ openamp->transport = NULL; -+ -+ return 0; -+} -diff --git a/components/rpc/openamp/caller/sp/openamp_mhu.h b/components/rpc/openamp/caller/sp/openamp_mhu.h -new file mode 100644 -index 000000000000..2ae5cb8ee1c6 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_mhu.h -@@ -0,0 +1,19 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+#ifndef OPENAMP_MHU_H -+#define OPENAMP_MHU_H -+ -+#include -+#include "openamp_caller.h" -+ -+int openamp_mhu_init(struct openamp_caller *openamp); -+int openamp_mhu_deinit(struct openamp_caller *openamp); -+ -+int openamp_mhu_notify_peer(struct openamp_caller *openamp); -+int openamp_mhu_receive(struct openamp_caller *openamp); -+ -+#endif -diff --git a/components/rpc/openamp/caller/sp/openamp_virtio.c b/components/rpc/openamp/caller/sp/openamp_virtio.c -new file mode 100644 -index 000000000000..b7c1aa929111 ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_virtio.c -@@ -0,0 +1,555 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include "openamp_caller.h" -+ -+#define OPENAMP_SHEM_DEVICE_NAME "openamp-virtio" -+#define OPENAMP_RPMSG_ENDPOINT_NAME OPENAMP_SHEM_DEVICE_NAME -+#define OPENAMP_RPMSG_ENDPOINT_ADDR 1024 -+ -+#define OPENAMP_SHEM_PHYS 0x88000000 -+#define OPENAMP_SHEM_PHYS_PAGES 1 -+#define OPENAMP_SHEM_SE_PHYS 0xa8000000 -+ -+#define OPENAMP_SHEM_VDEV_SIZE (4 * 1024) -+#define OPENAMP_SHEM_VRING_SIZE (4 * 1024) -+ -+#define OPENAMP_BUFFER_NO_WAIT 0 -+#define OPENAMP_BUFFER_WAIT 1 -+ -+#define VIRTQUEUE_NR 2 -+#define VQ_TX 0 -+#define VQ_RX 1 -+ -+#define VRING_DESCRIPTORS 16 -+#define VRING_ALIGN 4 -+ -+#define container_of(ptr, type, member) \ -+ ((type *)((char *)(ptr) - (unsigned long)(&((type *)0)->member))) -+ -+struct openamp_virtio_shm { -+ uintptr_t base_addr; -+ size_t size; -+ uintptr_t vdev_status; -+ size_t vdev_status_size; -+ uintptr_t payload_addr; -+ size_t payload_size; -+ uintptr_t vring_tx; -+ size_t vring_tx_size; -+ uintptr_t vring_rx; -+ size_t vring_rx_size; -+ -+ metal_phys_addr_t shm_physmap[OPENAMP_SHEM_PHYS_PAGES]; -+}; -+ -+struct openamp_virtio_metal { -+ struct metal_spinlock lock; -+ struct metal_device shm_dev; -+ struct metal_device *io_dev; -+ -+ struct metal_io_region *io; -+ struct openamp_virtio_shm shm; -+}; -+ -+struct openamp_virtio_device { -+ struct virtio_device virtio_dev; -+ struct virtqueue *vq[VIRTQUEUE_NR]; -+ struct virtio_vring_info rvrings[VIRTQUEUE_NR]; -+}; -+ -+struct openamp_virtio_rpmsg { -+ struct rpmsg_virtio_device rpmsg_vdev; -+ struct rpmsg_endpoint ep; -+ uint8_t *req_buf; -+ uint32_t req_len; -+ uint8_t *resp_buf; -+ size_t resp_len; -+}; -+ -+struct openamp_virtio { -+ struct openamp_caller *openamp; -+ struct openamp_virtio_rpmsg rpmsg; -+ struct openamp_virtio_device vdev; -+ struct openamp_virtio_metal metal; -+}; -+ -+static struct openamp_virtio 
*openamp_virtio_from_dev(struct virtio_device *vdev) -+{ -+ struct openamp_virtio_device *openamp_vdev; -+ -+ openamp_vdev = container_of(vdev, struct openamp_virtio_device, -+ virtio_dev); -+ -+ return container_of(openamp_vdev, struct openamp_virtio, vdev); -+} -+ -+static struct openamp_virtio_rpmsg *openamp_virtio_rpmsg_from_dev(struct rpmsg_device *rdev) -+{ -+ struct rpmsg_virtio_device *rvdev; -+ -+ rvdev = container_of(rdev, struct rpmsg_virtio_device, rdev); -+ -+ return container_of(rvdev, struct openamp_virtio_rpmsg, rpmsg_vdev); -+ -+} -+ -+static void openamp_virtio_metal_device_setup(struct metal_device *shm_dev, -+ struct openamp_virtio_shm *shm) -+{ -+ struct metal_io_region *shm_region; -+ -+ shm_region = &shm_dev->regions[0]; -+ -+ shm_dev->name = OPENAMP_SHEM_DEVICE_NAME; -+ shm_dev->num_regions = 1; -+ -+ shm_region->virt = (void *)shm->payload_addr; -+ shm_region->size = shm->payload_size; -+ -+ shm_region->physmap = &shm->shm_physmap; -+ shm_region->page_shift = (metal_phys_addr_t)(-1); -+ shm_region->page_mask = (metal_phys_addr_t)(-1); -+} -+ -+static int openamp_virtio_metal_init(struct openamp_virtio_metal *metal) -+{ -+ struct metal_init_params params = METAL_INIT_DEFAULTS; -+ struct metal_device *shm_dev = &metal->shm_dev; -+ int ret; -+ -+ openamp_virtio_metal_device_setup(shm_dev, &metal->shm); -+ -+ metal_spinlock_init(&metal->lock); -+ -+ ret = metal_init(¶ms); -+ if (ret < 0) -+ return ret; -+ -+ ret = metal_register_generic_device(shm_dev); -+ if (ret < 0) -+ goto metal_finish; -+ -+ ret = metal_device_open("generic", OPENAMP_SHEM_DEVICE_NAME, -+ &metal->io_dev); -+ if (ret < 0) -+ goto metal_finish; -+ -+ metal->io = metal_device_io_region(metal->io_dev, 0); -+ if (!metal->io) { -+ EMSG("openamp: virtio: failed to init metal io"); -+ ret = -EPROTO; -+ goto metal_finish; -+ } -+ -+ return 0; -+ -+metal_finish: -+ metal_finish(); -+ return ret; -+} -+ -+static unsigned char openamp_virtio_status_get(struct virtio_device *vdev) -+{ 
-+ struct openamp_virtio *virtio = openamp_virtio_from_dev(vdev); -+ struct openamp_virtio_shm *shm = &virtio->metal.shm; -+ -+ uint32_t status = *(volatile uint32_t *)shm->vdev_status; -+ -+ return status; -+} -+ -+static void openamp_virtio_status_set(struct virtio_device *vdev, -+ unsigned char status) -+{ -+ struct openamp_virtio *virtio = openamp_virtio_from_dev(vdev); -+ struct openamp_virtio_shm *shm = &virtio->metal.shm; -+ -+ *(volatile uint32_t *)shm->vdev_status = status; -+} -+ -+static int count; -+ -+static uint32_t openamp_virtio_features_get(struct virtio_device *vdev) -+{ -+ return 1 << VIRTIO_RPMSG_F_NS; -+} -+ -+static void openamp_virtio_notify(struct virtqueue *vq) -+{ -+ struct openamp_virtio_device *openamp_vdev; -+ struct openamp_caller *openamp; -+ struct openamp_virtio *virtio; -+ int ret; -+ -+ openamp_vdev = container_of(vq->vq_dev, struct openamp_virtio_device, virtio_dev); -+ virtio = container_of(openamp_vdev, struct openamp_virtio, vdev); -+ openamp = virtio->openamp; -+ -+ ret = openamp->platform_ops->transport_notify(openamp); -+ if (ret < 0) -+ EMSG("openamp: virtio: erro in transport_notify: %d", ret); -+} -+ -+const static struct virtio_dispatch openamp_virtio_dispatch = { -+ .get_status = openamp_virtio_status_get, -+ .set_status = openamp_virtio_status_set, -+ .get_features = openamp_virtio_features_get, -+ .notify = openamp_virtio_notify, -+}; -+ -+static int openamp_virtio_device_setup(struct openamp_virtio *virtio) -+{ -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ struct openamp_virtio_device *openamp_vdev = &virtio->vdev; -+ struct virtio_device *vdev = &openamp_vdev->virtio_dev; -+ struct openamp_virtio_shm *shm = &metal->shm; -+ struct virtio_vring_info *rvring; -+ -+ rvring = &openamp_vdev->rvrings[0]; -+ -+ vdev->role = RPMSG_REMOTE; -+ vdev->vrings_num = VIRTQUEUE_NR; -+ vdev->func = &openamp_virtio_dispatch; -+ -+ openamp_vdev->vq[VQ_TX] = virtqueue_allocate(VRING_DESCRIPTORS); -+ if 
(!openamp_vdev->vq[VQ_TX]) { -+ EMSG("openamp: virtio: failed to allocate virtqueue 0"); -+ return -ENOMEM; -+ } -+ rvring->io = metal->io; -+ rvring->info.vaddr = (void *)shm->vring_tx; -+ rvring->info.num_descs = VRING_DESCRIPTORS; -+ rvring->info.align = VRING_ALIGN; -+ rvring->vq = openamp_vdev->vq[VQ_TX]; -+ -+ openamp_vdev->vq[VQ_RX] = virtqueue_allocate(VRING_DESCRIPTORS); -+ if (!openamp_vdev->vq[VQ_RX]) { -+ EMSG("openamp: virtio: failed to allocate virtqueue 1"); -+ goto free_vq; -+ } -+ rvring = &openamp_vdev->rvrings[VQ_RX]; -+ rvring->io = metal->io; -+ rvring->info.vaddr = (void *)shm->vring_rx; -+ rvring->info.num_descs = VRING_DESCRIPTORS; -+ rvring->info.align = VRING_ALIGN; -+ rvring->vq = openamp_vdev->vq[VQ_RX]; -+ -+ vdev->vrings_info = &openamp_vdev->rvrings[0]; -+ -+ return 0; -+ -+free_vq: -+ virtqueue_free(openamp_vdev->vq[VQ_TX]); -+ virtqueue_free(openamp_vdev->vq[VQ_RX]); -+ -+ return -ENOMEM; -+} -+ -+static int openamp_virtio_rpmsg_endpoint_callback(struct rpmsg_endpoint *ep, -+ void *data, size_t len, -+ uint32_t src, void *priv) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg; -+ struct rpmsg_device *rdev; -+ struct openamp_virtio *virtio; -+ -+ rdev = ep->rdev; -+ vrpmsg = openamp_virtio_rpmsg_from_dev(rdev); -+ virtio = container_of(vrpmsg, struct openamp_virtio, rpmsg); -+ -+ rpmsg_hold_rx_buffer(ep, data); -+ vrpmsg->resp_buf = data; -+ vrpmsg->resp_len = len; -+ -+ return 0; -+} -+ -+static void openamp_virtio_rpmsg_service_unbind(struct rpmsg_endpoint *ep) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg; -+ struct rpmsg_device *rdev; -+ -+ rdev = container_of(ep, struct rpmsg_device, ns_ept); -+ vrpmsg = openamp_virtio_rpmsg_from_dev(rdev); -+ -+ rpmsg_destroy_ept(&vrpmsg->ep); -+} -+ -+static void openamp_virtio_rpmsg_endpoint_bind(struct rpmsg_device *rdev, -+ const char *name, -+ unsigned int dest) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg; -+ -+ vrpmsg = openamp_virtio_rpmsg_from_dev(rdev); -+ -+ rpmsg_create_ept(&vrpmsg->ep, rdev, 
name, RPMSG_ADDR_ANY, dest, -+ openamp_virtio_rpmsg_endpoint_callback, -+ openamp_virtio_rpmsg_service_unbind); -+} -+ -+static int openamp_virtio_rpmsg_device_setup(struct openamp_virtio *virtio, -+ struct device_region *virtio_dev) -+{ -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ struct rpmsg_virtio_device *rpmsg_vdev = &vrpmsg->rpmsg_vdev; -+ struct openamp_virtio_device *openamp_vdev = &virtio->vdev; -+ struct virtio_device *vdev = &openamp_vdev->virtio_dev; -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ int ret; -+ -+ /* -+ * we assume here that we are the client side and do not need to -+ * initialize the share memory poll (this is done at server side). -+ */ -+ ret = rpmsg_init_vdev(rpmsg_vdev, vdev, -+ openamp_virtio_rpmsg_endpoint_bind, metal->io, -+ NULL); -+ if (ret < 0) { -+ EMSG("openamp: virtio: init vdev failed: %d", ret); -+ return ret; -+ } -+ -+ -+ ret = rpmsg_create_ept(&vrpmsg->ep, &rpmsg_vdev->rdev, -+ OPENAMP_RPMSG_ENDPOINT_NAME, RPMSG_ADDR_ANY, -+ RPMSG_ADDR_ANY, -+ openamp_virtio_rpmsg_endpoint_callback, -+ openamp_virtio_rpmsg_service_unbind); -+ if (ret < 0) { -+ EMSG("openamp: virtio: failed to create endpoint: %d", ret); -+ return ret; -+ } -+ -+ /* set default remote addr */ -+ vrpmsg->ep.dest_addr = OPENAMP_RPMSG_ENDPOINT_ADDR; -+ -+ return 0; -+} -+ -+static void openamp_virtio_shm_set(struct openamp_virtio *virtio, -+ struct device_region *virtio_region) -+{ -+ struct openamp_virtio_shm *shm = &virtio->metal.shm; -+ -+ shm->base_addr = virtio_region->base_addr; -+ shm->size = virtio_region->io_region_size; -+ -+ shm->vdev_status = shm->base_addr; -+ shm->vdev_status_size = OPENAMP_SHEM_VDEV_SIZE; -+ -+ shm->vring_rx = shm->base_addr + shm->size - -+ (2 * OPENAMP_SHEM_VRING_SIZE); -+ shm->vring_rx_size = OPENAMP_SHEM_VRING_SIZE; -+ -+ shm->vring_tx = shm->vring_rx + shm->vring_rx_size; -+ shm->vring_tx_size = OPENAMP_SHEM_VRING_SIZE; -+ -+ shm->payload_addr = shm->vdev_status + shm->vdev_status_size; -+ 
shm->payload_size = shm->size - shm->vdev_status_size - -+ shm->vring_rx_size - shm->vring_tx_size; -+ -+ shm->shm_physmap[0] = OPENAMP_SHEM_PHYS + shm->vdev_status_size; -+ -+ IMSG("SHEM: base: 0x%0x size: 0x%0x size: %d", -+ shm->base_addr, shm->size, shm->size); -+ IMSG("VDEV: base: 0x%0x size: 0x%0x size: %d", -+ shm->vdev_status, shm->vdev_status_size, shm->vdev_status_size); -+ IMSG("PAYLOAD: base: 0x%0x size: 0x%0x size: %d", -+ shm->payload_addr, shm->payload_size, shm->payload_size); -+ IMSG("VRING_TX: base: 0x%0x size: 0x%0x size: %d", -+ shm->vring_tx, shm->vring_tx_size, shm->vring_tx_size); -+ IMSG("VRING_RX: base: 0x%0x size: 0x%0x size: %d", -+ shm->vring_rx, shm->vring_rx_size, shm->vring_rx_size); -+ IMSG("PHYMAP: base: 0x%0x", shm->shm_physmap[0]); -+} -+ -+static int openamp_virtio_device_get(const char *dev, -+ struct device_region *dev_region) -+{ -+ bool found; -+ -+ found = config_store_query(CONFIG_CLASSIFIER_DEVICE_REGION, dev, 0, -+ dev_region, sizeof(*dev_region)); -+ if (!found) { -+ EMSG("openamp: virtio: device region not found: %s", dev); -+ return -EINVAL; -+ } -+ -+ if (dev_region->base_addr == 0 || dev_region->io_region_size == 0) { -+ EMSG("openamp: virtio: device region not valid"); -+ return -EINVAL; -+ } -+ -+ IMSG("openamp: virtio: device region found: %s addr: 0x%x size: %d", -+ dev, dev_region->base_addr, dev_region->io_region_size); -+ -+ return 0; -+} -+ -+int openamp_virtio_call_begin(struct openamp_caller *openamp, uint8_t **req_buf, -+ size_t req_len) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ struct rpmsg_endpoint *ep = &vrpmsg->ep; -+ -+ -+ *req_buf = rpmsg_get_tx_payload_buffer(ep, &vrpmsg->req_len, -+ OPENAMP_BUFFER_WAIT); -+ if (*req_buf == NULL) -+ return -EINVAL; -+ -+ if (vrpmsg->req_len < req_len) -+ return -E2BIG; -+ -+ vrpmsg->req_buf = *req_buf; -+ -+ return 0; -+} -+ -+int openamp_virtio_call_invoke(struct openamp_caller *openamp, 
int *opstatus, -+ uint8_t **resp_buf, size_t *resp_len) -+{ -+ const struct openamp_platform_ops *ops = openamp->platform_ops; -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_device *openamp_vdev = &virtio->vdev; -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ struct rpmsg_endpoint *ep = &vrpmsg->ep; -+ int ret; -+ -+ ret = rpmsg_send_nocopy(ep, vrpmsg->req_buf, vrpmsg->req_len); -+ if (ret < 0) { -+ EMSG("openamp: virtio: send nocopy failed: %d", ret); -+ return -EIO; -+ } -+ -+ if (ret != vrpmsg->req_len) { -+ EMSG("openamp: virtio: send less bytes %d than requested %d", -+ ret, vrpmsg->req_len); -+ return -EIO; -+ } -+ -+ if (!ops->transport_receive) -+ return 0; -+ -+ ret = ops->transport_receive(openamp); -+ if (ret < 0) { -+ EMSG("openamp: virtio: failed transport_receive"); -+ return -EIO; -+ } -+ -+ virtqueue_notification(openamp_vdev->vq[VQ_RX]); -+ -+ *resp_buf = vrpmsg->resp_buf; -+ *resp_len = vrpmsg->resp_len; -+ -+ return 0; -+} -+ -+void openamp_virtio_call_end(struct openamp_caller *openamp) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_rpmsg *vrpmsg = &virtio->rpmsg; -+ -+ rpmsg_release_rx_buffer(&vrpmsg->ep, vrpmsg->resp_buf); -+ -+ vrpmsg->req_buf = NULL; -+ vrpmsg->req_len = 0; -+ vrpmsg->resp_buf = NULL; -+ vrpmsg->resp_len = 0; -+} -+ -+void *openamp_virtio_virt_to_phys(struct openamp_caller *openamp, void *va) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ -+ return metal_io_virt_to_phys(metal->io, va); -+} -+ -+void *openamp_virtio_phys_to_virt(struct openamp_caller *openamp, void *pa) -+{ -+ struct openamp_virtio *virtio = openamp->platform; -+ struct openamp_virtio_metal *metal = &virtio->metal; -+ -+ return metal_io_phys_to_virt(metal->io, pa); -+} -+ -+int openamp_virtio_init(struct openamp_caller *openamp) -+{ -+ struct device_region virtio_dev; -+ struct openamp_virtio *virtio; -+ int 
ret; -+ -+ if (openamp->platform) -+ return 0; -+ -+ -+ virtio = malloc(sizeof(*virtio)); -+ if (!virtio) -+ return -ENOMEM; -+ -+ virtio->openamp = openamp; -+ -+ ret = openamp_virtio_device_get(OPENAMP_SHEM_DEVICE_NAME, &virtio_dev); -+ if (ret < 0) -+ goto free_virtio; -+ -+ openamp_virtio_shm_set(virtio, &virtio_dev); -+ -+ ret = openamp_virtio_metal_init(&virtio->metal); -+ if (ret < 0) -+ goto free_virtio; -+ -+ ret = openamp_virtio_device_setup(virtio); -+ if (ret < 0) -+ goto finish_metal; -+ -+ ret = openamp_virtio_rpmsg_device_setup(virtio, &virtio_dev); -+ if (ret < 0) { -+ EMSG("openamp: virtio: rpmsg device setup failed: %d", ret); -+ goto finish_metal; -+ } -+ -+ openamp->platform = virtio; -+ -+ return 0; -+ -+finish_metal: -+ metal_finish(); -+ -+free_virtio: -+ free(virtio); -+ -+ return ret; -+} -+ -+int openamp_virtio_deinit(struct openamp_caller *openamp) -+{ -+ struct openamp_virtio *virtio; -+ -+ if (!openamp->platform) -+ return 0; -+ -+ virtio = openamp->platform; -+ -+ metal_finish(); -+ free(virtio); -+ -+ openamp->platform = NULL; -+ -+ return 0; -+} -diff --git a/components/rpc/openamp/caller/sp/openamp_virtio.h b/components/rpc/openamp/caller/sp/openamp_virtio.h -new file mode 100644 -index 000000000000..915128ff65ce ---- /dev/null -+++ b/components/rpc/openamp/caller/sp/openamp_virtio.h -@@ -0,0 +1,24 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021, Linaro Limited. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+#ifndef OPENAMP_VIRTIO_H -+#define OPENAMP_VIRTIO_H -+ -+#include -+#include "openamp_caller.h" -+ -+int openamp_virtio_call_begin(struct openamp_caller *openamp, uint8_t **req_buf, -+ size_t req_len); -+int openamp_virtio_call_invoke(struct openamp_caller *openamp, int *opstatus, -+ uint8_t **resp_buf, size_t *resp_len); -+int openamp_virtio_call_end(struct openamp_caller *openamp); -+void *openamp_virtio_virt_to_phys(struct openamp_caller *openamp, void *va); -+void *openamp_virtio_phys_to_virt(struct openamp_caller *openamp, void *pa); -+ -+int openamp_virtio_init(struct openamp_caller *openamp); -+int openamp_virtio_deinit(struct openamp_caller *openamp); -+ -+#endif -diff --git a/deployments/se-proxy/opteesp/default_se-proxy.dts.in b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -index 267b4f923540..04c181586b06 100644 ---- a/deployments/se-proxy/opteesp/default_se-proxy.dts.in -+++ b/deployments/se-proxy/opteesp/default_se-proxy.dts.in -@@ -32,5 +32,11 @@ - pages-count = <16>; - attributes = <0x3>; /* read-write */ - }; -+ openamp-virtio { -+ /* Armv8 A Foundation Platform values */ -+ base-address = <0x00000000 0x88000000>; -+ pages-count = <256>; -+ attributes = <0x3>; /* read-write */ -+ }; - }; - }; -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index d39873a0fe81..34fe5ff1b925 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -47,6 +47,7 @@ add_components(TARGET "se-proxy" - "components/service/attestation/include" - "components/service/attestation/provider" - "components/service/attestation/provider/serializer/packed-c" -+ "components/rpc/openamp/caller/sp" - - # Stub service provider backends - "components/rpc/dummy" --- -2.38.1 - 
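Review bot: `openamp_virtio.h` declares `int openamp_virtio_call_end(struct openamp_caller *openamp)` while `openamp_virtio.c` defines it as `void openamp_virtio_call_end(...)`; the two prototypes conflict and any translation unit that sees both will fail to compile, so the header should read `void openamp_virtio_call_end(struct openamp_caller *openamp);`. In `openamp_mhu_receive`, the `do { irq_status = mhu_v2_x_get_interrupt_status(rx_dev); } while(!irq_status);` loop has no timeout, so a peer that never signals blocks the secure partition indefinitely, and the return value of `mhu_v2_1_get_ch_interrupt_num(rx_dev, &channel)` is discarded, so `mhu_v2_x_channel_clear` may run with an uninitialised-by-the-driver channel number; check `ret != MHU_V_2_X_ERR_NONE` there as the other call sites do. The same applies in `openamp_mhu_init`, where `mhu_v2_x_driver_init` returns `enum mhu_v2_x_error_t` but is tested with `ret < 0`, and the `malloc` failure path returns `-1` where the rest of the file uses `-ENOMEM`. In `openamp_virtio_device_setup`, the `free_vq` label is reached only when `vq[VQ_RX]` is NULL, yet it calls `virtqueue_free(openamp_vdev->vq[VQ_RX])` on that NULL pointer. `openamp_virtio_shm_set` hardcodes `shm->shm_physmap[0] = OPENAMP_SHEM_PHYS + ...` while the virtual base comes from the `openamp-virtio` device region that the dts defines with `base-address = <0x00000000 0x88000000>`; if the DT value changes the two silently diverge, so derive the physmap from the region too. `static int count;` and `OPENAMP_SHEM_SE_PHYS` are unused. Since every line of this patch file is removed by the outer change, also confirm the recipe's SRC_URI no longer lists it.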
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch new file mode 100644 index 0000000000..3d743d2827 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch 
@@ -0,0 +1,418 @@ +From 5c8ac10337ac853d8a82992fb6e1d91b122b99d2 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Fri, 8 Jul 2022 09:48:06 +0100 +Subject: [PATCH 3/6] FMP Support in Corstone1000. + +The FMP support is used by u-boot to pupolate ESRT information +for the kernel. + +The solution is platform specific and needs to be revisted. + +Signed-off-by: Satish Kumar + +Upstream-Status: Inappropriate [The solution is platform specific and needs to be revisted] +Signed-off-by: Rui Miguel Silva +--- + .../provider/capsule_update_provider.c | 5 + + .../capsule_update/provider/component.cmake | 1 + + .../provider/corstone1000_fmp_service.c | 307 ++++++++++++++++++ + .../provider/corstone1000_fmp_service.h | 26 ++ + 4 files changed, 339 insertions(+) + create mode 100644 components/service/capsule_update/provider/corstone1000_fmp_service.c + create mode 100644 components/service/capsule_update/provider/corstone1000_fmp_service.h + +diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c +index e133753f8560..991a2235cd73 100644 +--- a/components/service/capsule_update/provider/capsule_update_provider.c ++++ b/components/service/capsule_update/provider/capsule_update_provider.c +@@ -11,6 +11,7 @@ + #include + #include + #include "capsule_update_provider.h" ++#include "corstone1000_fmp_service.h" + + + #define CAPSULE_UPDATE_REQUEST (0x1) +@@ -47,6 +48,8 @@ struct rpc_interface *capsule_update_provider_init( + rpc_interface = service_provider_get_rpc_interface(&context->base_provider); + } + ++ provision_fmp_variables_metadata(context->client.caller); ++ + return rpc_interface; + } + +@@ -85,6 +88,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) + } + psa_call(caller,handle, PSA_IPC_CALL, + in_vec,IOVEC_LEN(in_vec), NULL, 0); ++ set_fmp_image_info(caller, handle); + break; + + case KERNEL_STARTED_EVENT: +@@ -99,6 +103,7 @@ static 
rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) + } + psa_call(caller,handle, PSA_IPC_CALL, + in_vec,IOVEC_LEN(in_vec), NULL, 0); ++ set_fmp_image_info(caller, handle); + break; + default: + EMSG("%s unsupported opcode", __func__); +diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake +index 1d412eb234d9..6b0601494938 100644 +--- a/components/service/capsule_update/provider/component.cmake ++++ b/components/service/capsule_update/provider/component.cmake +@@ -10,4 +10,5 @@ endif() + + target_sources(${TGT} PRIVATE + "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c" ++ "${CMAKE_CURRENT_LIST_DIR}/corstone1000_fmp_service.c" + ) +diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c +new file mode 100644 +index 000000000000..6a7a47a7ed99 +--- /dev/null ++++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c +@@ -0,0 +1,307 @@ ++/* ++ * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. 
++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#include "corstone1000_fmp_service.h" ++#include ++#include ++#include ++#include ++ ++#include ++ ++#define VARIABLE_INDEX_STORAGE_UID (0x787) ++ ++/** ++ * Variable attributes ++ */ ++#define EFI_VARIABLE_NON_VOLATILE (0x00000001) ++#define EFI_VARIABLE_BOOTSERVICE_ACCESS (0x00000002) ++#define EFI_VARIABLE_RUNTIME_ACCESS (0x00000004) ++#define EFI_VARIABLE_HARDWARE_ERROR_RECORD (0x00000008) ++#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS (0x00000010) ++#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS (0x00000020) ++#define EFI_VARIABLE_APPEND_WRITE (0x00000040) ++#define EFI_VARIABLE_MASK \ ++ (EFI_VARIABLE_NON_VOLATILE | \ ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | \ ++ EFI_VARIABLE_RUNTIME_ACCESS | \ ++ EFI_VARIABLE_HARDWARE_ERROR_RECORD | \ ++ EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \ ++ EFI_VARIABLE_APPEND_WRITE) ++ ++#define FMP_VARIABLES_COUNT 6 ++ ++static struct variable_metadata fmp_variables_metadata[FMP_VARIABLES_COUNT] = { ++ { ++ { 0x86c77a67, 0x0b97, 0x4633, \ ++ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, ++ /* name size = (variable_name + \0) * sizeof(u16) */ ++ .name_size = 42, { 'F', 'm', 'p', 'D', 'e', 's', 'c', 'r', 'i', 'p', 't', 'o', 'r', 'V', 'e', 'r', 's', 'i', 'o', 'n' }, ++ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 ++ }, ++ { ++ { 0x86c77a67, 0x0b97, 0x4633, \ ++ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, ++ /* name size = (variable_name + \0) * sizeof(u16) */ ++ .name_size = 34, { 'F', 'm', 'p', 'I', 'm', 'a', 'g', 'e', 'I', 'n', 'f', 'o', 'S', 'i', 'z', 'e' }, ++ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 ++ }, ++ { ++ { 0x86c77a67, 0x0b97, 0x4633, \ ++ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, ++ /* name size = (variable_name + \0) * sizeof(u16) */ ++ .name_size = 38, { 'F', 'm', 'p', 'D', 'e', 's', 'c', 'r', 'i', 'p', 't', 'o', 'r', 'C', 'o', 'u', 'n', 't' }, ++ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 ++ }, ++ { 
++ { 0x86c77a67, 0x0b97, 0x4633, \ ++ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, ++ /* name size = (variable_name + \0) * sizeof(u16) */ ++ .name_size = 26, { 'F', 'm', 'p', 'I', 'm', 'a', 'g', 'e', 'I', 'n', 'f', 'o' }, ++ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 ++ }, ++ { ++ { 0x86c77a67, 0x0b97, 0x4633, \ ++ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, ++ /* name size = (variable_name + \0) * sizeof(u16) */ ++ .name_size = 28, { 'F', 'm', 'p', 'I', 'm', 'a', 'g', 'e', 'N', 'a', 'm', 'e', '1' }, ++ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 ++ }, ++ { ++ { 0x86c77a67, 0x0b97, 0x4633, \ ++ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, ++ /* name size = (variable_name + \0) * sizeof(u16) */ ++ .name_size = 32, { 'F', 'm', 'p', 'V', 'e', 'r', 's', 'i', 'o', 'n', 'N', 'a', 'm', 'e', '1' }, ++ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 ++ }, ++}; ++ ++static psa_status_t protected_storage_set(struct rpc_caller *caller, ++ psa_storage_uid_t uid, size_t data_length, const void *p_data) ++{ ++ psa_status_t psa_status; ++ psa_storage_create_flags_t create_flags = PSA_STORAGE_FLAG_NONE; ++ ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, ++ { .base = psa_ptr_const_to_u32(p_data), .len = data_length }, ++ { .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) }, ++ }; ++ ++ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, TFM_PS_ITS_SET, ++ in_vec, IOVEC_LEN(in_vec), NULL, 0); ++ if (psa_status < 0) ++ EMSG("ipc_set: psa_call failed: %d", psa_status); ++ ++ return psa_status; ++} ++ ++static psa_status_t protected_storage_get(struct rpc_caller *caller, ++ psa_storage_uid_t uid, size_t data_size, void *p_data) ++{ ++ psa_status_t psa_status; ++ uint32_t offset = 0; ++ ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, ++ { .base = psa_ptr_to_u32(&offset), .len = sizeof(offset) }, ++ }; ++ ++ struct psa_outvec 
out_vec[] = { ++ { .base = psa_ptr_to_u32(p_data), .len = data_size }, ++ }; ++ ++ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, ++ TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec), ++ out_vec, IOVEC_LEN(out_vec)); ++ ++ if (psa_status == PSA_SUCCESS && out_vec[0].len != data_size) { ++ EMSG("Return size does not match with expected size."); ++ return PSA_ERROR_BUFFER_TOO_SMALL; ++ } ++ ++ return psa_status; ++} ++ ++static uint64_t name_hash(EFI_GUID *guid, size_t name_size, ++ const int16_t *name) ++{ ++ /* Using djb2 hash by Dan Bernstein */ ++ uint64_t hash = 5381; ++ ++ /* Calculate hash over GUID */ ++ hash = ((hash << 5) + hash) + guid->Data1; ++ hash = ((hash << 5) + hash) + guid->Data2; ++ hash = ((hash << 5) + hash) + guid->Data3; ++ ++ for (int i = 0; i < 8; ++i) { ++ ++ hash = ((hash << 5) + hash) + guid->Data4[i]; ++ } ++ ++ /* Extend to cover name up to but not including null terminator */ ++ for (int i = 0; i < name_size / sizeof(int16_t); ++i) { ++ ++ if (!name[i]) break; ++ hash = ((hash << 5) + hash) + name[i]; ++ } ++ ++ return hash; ++} ++ ++ ++static void initialize_metadata(void) ++{ ++ for (int i = 0; i < FMP_VARIABLES_COUNT; i++) { ++ ++ fmp_variables_metadata[i].uid = name_hash( ++ &fmp_variables_metadata[i].guid, ++ fmp_variables_metadata[i].name_size, ++ fmp_variables_metadata[i].name); ++ } ++} ++ ++ ++void provision_fmp_variables_metadata(struct rpc_caller *caller) ++{ ++ struct variable_metadata metadata; ++ psa_status_t status; ++ uint32_t dummy_values = 0xDEAD; ++ ++ EMSG("Provisioning FMP metadata."); ++ ++ initialize_metadata(); ++ ++ status = protected_storage_get(caller, VARIABLE_INDEX_STORAGE_UID, ++ sizeof(struct variable_metadata), &metadata); ++ ++ if (status == PSA_SUCCESS) { ++ EMSG("UEFI variables store is already provisioned."); ++ return; ++ } ++ ++ /* Provision FMP variables with dummy values. 
*/ ++ for (int i = 0; i < FMP_VARIABLES_COUNT; i++) { ++ protected_storage_set(caller, fmp_variables_metadata[i].uid, ++ sizeof(dummy_values), &dummy_values); ++ } ++ ++ status = protected_storage_set(caller, VARIABLE_INDEX_STORAGE_UID, ++ sizeof(struct variable_metadata) * FMP_VARIABLES_COUNT, ++ fmp_variables_metadata); ++ ++ if (status != EFI_SUCCESS) { ++ return; ++ } ++ ++ EMSG("FMP metadata is provisioned"); ++} ++ ++typedef struct { ++ void *base; ++ int len; ++} variable_data_t; ++ ++static variable_data_t fmp_variables_data[FMP_VARIABLES_COUNT]; ++ ++#define IMAGE_INFO_BUFFER_SIZE 256 ++static char image_info_buffer[IMAGE_INFO_BUFFER_SIZE]; ++#define IOCTL_CORSTONE1000_FMP_IMAGE_INFO 2 ++ ++static psa_status_t unpack_image_info(void *buffer, uint32_t size) ++{ ++ typedef struct __attribute__ ((__packed__)) { ++ uint32_t variable_count; ++ uint32_t variable_size[FMP_VARIABLES_COUNT]; ++ uint8_t variable[]; ++ } packed_buffer_t; ++ ++ packed_buffer_t *packed_buffer = buffer; ++ int runner = 0; ++ ++ if (packed_buffer->variable_count != FMP_VARIABLES_COUNT) { ++ EMSG("Expected fmp varaibles = %u, but received = %u", ++ FMP_VARIABLES_COUNT, packed_buffer->variable_count); ++ return PSA_ERROR_PROGRAMMER_ERROR; ++ } ++ ++ for (int i = 0; i < packed_buffer->variable_count; i++) { ++ EMSG("FMP variable %d : size %u", i, packed_buffer->variable_size[i]); ++ fmp_variables_data[i].base = &packed_buffer->variable[runner]; ++ fmp_variables_data[i].len= packed_buffer->variable_size[i]; ++ runner += packed_buffer->variable_size[i]; ++ } ++ ++ return PSA_SUCCESS; ++} ++ ++static psa_status_t get_image_info(struct rpc_caller *caller, ++ psa_handle_t platform_service_handle) ++{ ++ psa_status_t status; ++ psa_handle_t handle; ++ uint32_t ioctl_id = IOCTL_CORSTONE1000_FMP_IMAGE_INFO; ++ ++ struct psa_invec in_vec[] = { ++ { .base = &ioctl_id, .len = sizeof(ioctl_id) }, ++ }; ++ ++ struct psa_outvec out_vec[] = { ++ { .base = image_info_buffer, .len = IMAGE_INFO_BUFFER_SIZE 
}, ++ }; ++ ++ memset(image_info_buffer, 0, IMAGE_INFO_BUFFER_SIZE); ++ ++ psa_call(caller, platform_service_handle, PSA_IPC_CALL, ++ in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ status = unpack_image_info(image_info_buffer, IMAGE_INFO_BUFFER_SIZE); ++ if (status != PSA_SUCCESS) { ++ return status; ++ } ++ ++ return PSA_SUCCESS; ++} ++ ++static psa_status_t set_image_info(struct rpc_caller *caller) ++{ ++ psa_status_t status; ++ ++ for (int i = 0; i < FMP_VARIABLES_COUNT; i++) { ++ ++ status = protected_storage_set(caller, ++ fmp_variables_metadata[i].uid, ++ fmp_variables_data[i].len, fmp_variables_data[i].base); ++ ++ if (status != PSA_SUCCESS) { ++ ++ EMSG("FMP variable %d set unsuccessful", i); ++ return status; ++ } ++ ++ EMSG("FMP variable %d set success", i); ++ } ++ ++ return PSA_SUCCESS; ++} ++ ++void set_fmp_image_info(struct rpc_caller *caller, ++ psa_handle_t platform_service_handle) ++{ ++ psa_status_t status; ++ ++ status = get_image_info(caller, platform_service_handle); ++ if (status != PSA_SUCCESS) { ++ return; ++ } ++ ++ status = set_image_info(caller); ++ if (status != PSA_SUCCESS) { ++ return; ++ } ++ ++ return; ++} +diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h +new file mode 100644 +index 000000000000..95fba2a04d5c +--- /dev/null ++++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h +@@ -0,0 +1,26 @@ ++/* ++ * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. 
++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CORSTONE1000_FMP_SERVICE_H ++#define CORSTONE1000_FMP_SERVICE_H ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++#include ++#include ++ ++void provision_fmp_variables_metadata(struct rpc_caller *caller); ++ ++void set_fmp_image_info(struct rpc_caller *caller, ++ psa_handle_t platform_service_handle); ++ ++#ifdef __cplusplus ++} /* extern "C" */ ++#endif ++ ++#endif /* CORSTONE1000_FMP_SERVICE_H */ +-- +2.40.0 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch new file mode 100644 index 0000000000..ed4e6e27a3 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch 
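Review bot: `unpack_image_info` trusts `variable_count` and every `variable_size[i]` read from the platform-service response and accumulates `runner` with no comparison against the buffer size; the `size` parameter is never used. A malformed or truncated response therefore leaves `fmp_variables_data[i].base` and `.len` pointing past the 256-byte `image_info_buffer`, and `set_image_info` then hands that range to `protected_storage_set`, copying out-of-bounds stack-adjacent data into protected storage. Reject the buffer when `runner + packed_buffer->variable_size[i] > size - sizeof(packed_buffer_t)` before recording the slice. In `get_image_info`, the return value of `psa_call` is ignored, so a failed call is only noticed indirectly through the `variable_count != FMP_VARIABLES_COUNT` check on a zeroed buffer; check the status directly. In `provision_fmp_variables_metadata`, the loop ignores the return of `protected_storage_set`, and the final result is compared against `EFI_SUCCESS` although it is a `psa_status_t`; use `PSA_SUCCESS` and fail on the first error so "FMP metadata is provisioned" is not logged after partial writes. Informational messages such as "FMP variable %d set success" are logged with `EMSG`; `IMSG` or `DMSG` is the right level.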
@@ -0,0 +1,33 @@ +From 2aa665ad2cb13bc79b645db41686449a47593aab Mon Sep 17 00:00:00 2001 +From: Emekcan +Date: Thu, 3 Nov 2022 17:43:40 +0000 +Subject: [PATCH] smm_gateway: GetNextVariableName Fix + +GetNextVariableName() should return EFI_BUFFER_TOO_SMALL +when NameSize is smaller than the actual NameSize. It +currently returns EFI_BUFFER_OUT_OF_RESOURCES due to setting +max_name_len incorrectly. This fixes max_name_len error by +replacing it with actual NameSize request by u-boot. + +Upstream-Status: Pending +Signed-off-by: Emekcan Aras +--- + .../service/smm_variable/provider/smm_variable_provider.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/components/service/smm_variable/provider/smm_variable_provider.c b/components/service/smm_variable/provider/smm_variable_provider.c +index a9679b7e..6a4b6fa7 100644 +--- a/components/service/smm_variable/provider/smm_variable_provider.c ++++ b/components/service/smm_variable/provider/smm_variable_provider.c +@@ -197,7 +197,7 @@ static rpc_status_t get_next_variable_name_handler(void *context, struct call_re + efi_status = uefi_variable_store_get_next_variable_name( + &this_instance->variable_store, + (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data, +- max_name_len, ++ ((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize, + &resp_buf->data_len); + } + else { +-- +2.17.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-add-psa-client-definitions-for-ff-m.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-add-psa-client-definitions-for-ff-m.patch deleted file mode 100644 index 84d418c131..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-add-psa-client-definitions-for-ff-m.patch +++ /dev/null 
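Review bot: the new bound `((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize` is a size field read from the incoming request, i.e. supplied by the non-secure caller, whereas the `max_name_len` it replaces was computed on the secure side; the visible context shows no check that NameSize does not exceed the space actually available in `resp_buf`. If `uefi_variable_store_get_next_variable_name()` writes up to that many bytes, an oversized NameSize would overrun the response buffer, so either clamp to the remaining capacity (pass the smaller of the request's NameSize and `max_name_len`) or reject a NameSize larger than the buffer before the call. The commit message also refers to `EFI_BUFFER_OUT_OF_RESOURCES`; the UEFI status code is `EFI_OUT_OF_RESOURCES`.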
@@ -1,298 +0,0 @@ -From fb6d2f33e26c7b6ef88d552feca1f835da3f0df6 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath -Date: Fri, 3 Dec 2021 19:05:18 +0000 -Subject: [PATCH 04/20] add psa client definitions for ff-m - -Add PSA client definitions in common include to add future -ff-m support. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - .../service/common/include/psa/client.h | 194 ++++++++++++++++++ - components/service/common/include/psa/sid.h | 71 +++++++ - 2 files changed, 265 insertions(+) - create mode 100644 components/service/common/include/psa/client.h - create mode 100644 components/service/common/include/psa/sid.h - -diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h -new file mode 100644 -index 000000000000..69ccf14f40a3 ---- /dev/null -+++ b/components/service/common/include/psa/client.h -@@ -0,0 +1,194 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef SERVICE_PSA_IPC_H -+#define SERVICE_PSA_IPC_H -+ -+#include -+#include -+ -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#ifndef IOVEC_LEN -+#define IOVEC_LEN(arr) ((uint32_t)(sizeof(arr)/sizeof(arr[0]))) -+#endif -+ -+/*********************** PSA Client Macros and Types *************************/ -+ -+typedef int32_t psa_handle_t; -+ -+/** -+ * The version of the PSA Framework API that is being used to build the calling -+ * firmware. Only part of features of FF-M v1.1 have been implemented. FF-M v1.1 -+ * is compatible with v1.0. -+ */ -+#define PSA_FRAMEWORK_VERSION (0x0101u) -+ -+/** -+ * Return value from psa_version() if the requested RoT Service is not present -+ * in the system. 
-+ */ -+#define PSA_VERSION_NONE (0u) -+ -+/** -+ * The zero-value null handle can be assigned to variables used in clients and -+ * RoT Services, indicating that there is no current connection or message. -+ */ -+#define PSA_NULL_HANDLE ((psa_handle_t)0) -+ -+/** -+ * Tests whether a handle value returned by psa_connect() is valid. -+ */ -+#define PSA_HANDLE_IS_VALID(handle) ((psa_handle_t)(handle) > 0) -+ -+/** -+ * Converts the handle value returned from a failed call psa_connect() into -+ * an error code. -+ */ -+#define PSA_HANDLE_TO_ERROR(handle) ((psa_status_t)(handle)) -+ -+/** -+ * Maximum number of input and output vectors for a request to psa_call(). -+ */ -+#define PSA_MAX_IOVEC (4u) -+ -+/** -+ * An IPC message type that indicates a generic client request. -+ */ -+#define PSA_IPC_CALL (0) -+ -+/** -+ * A read-only input memory region provided to an RoT Service. -+ */ -+struct __attribute__ ((__packed__)) psa_invec { -+ uint32_t base; /*!< the start address of the memory buffer */ -+ uint32_t len; /*!< the size in bytes */ -+}; -+ -+/** -+ * A writable output memory region provided to an RoT Service. -+ */ -+struct __attribute__ ((__packed__)) psa_outvec { -+ uint32_t base; /*!< the start address of the memory buffer */ -+ uint32_t len; /*!< the size in bytes */ -+}; -+ -+/*************************** PSA Client API **********************************/ -+ -+/** -+ * \brief Retrieve the version of the PSA Framework API that is implemented. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \return version The version of the PSA Framework implementation -+ * that is providing the runtime services to the -+ * caller. The major and minor version are encoded -+ * as follows: -+ * \arg version[15:8] -- major version number. -+ * \arg version[7:0] -- minor version number. -+ */ -+uint32_t psa_framework_version(struct rpc_caller *caller); -+ -+/** -+ * \brief Retrieve the version of an RoT Service or indicate that it is not -+ * present on this system. 
-+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] sid ID of the RoT Service to query. -+ * -+ * \retval PSA_VERSION_NONE The RoT Service is not implemented, or the -+ * caller is not permitted to access the service. -+ * \retval > 0 The version of the implemented RoT Service. -+ */ -+uint32_t psa_version(struct rpc_caller *caller, uint32_t sid); -+ -+/** -+ * \brief Connect to an RoT Service by its SID. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] sid ID of the RoT Service to connect to. -+ * \param[in] version Requested version of the RoT Service. -+ * -+ * \retval > 0 A handle for the connection. -+ * \retval PSA_ERROR_CONNECTION_REFUSED The SPM or RoT Service has refused the -+ * connection. -+ * \retval PSA_ERROR_CONNECTION_BUSY The SPM or RoT Service cannot make the -+ * connection at the moment. -+ * \retval "PROGRAMMER ERROR" The call is a PROGRAMMER ERROR if one or more -+ * of the following are true: -+ * \arg The RoT Service ID is not present. -+ * \arg The RoT Service version is not supported. -+ * \arg The caller is not allowed to access the RoT -+ * service. -+ */ -+psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, -+ uint32_t version); -+ -+/** -+ * \brief Call an RoT Service on an established connection. -+ * -+ * \note FF-M 1.0 proposes 6 parameters for psa_call but the secure gateway ABI -+ * support at most 4 parameters. TF-M chooses to encode 'in_len', -+ * 'out_len', and 'type' into a 32-bit integer to improve efficiency. -+ * Compared with struct-based encoding, this method saves extra memory -+ * check and memory copy operation. The disadvantage is that the 'type' -+ * range has to be reduced into a 16-bit integer. So with this encoding, -+ * the valid range for 'type' is 0-32767. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] handle A handle to an established connection. -+ * \param[in] type The request type. -+ * Must be zero( \ref PSA_IPC_CALL) or positive. 
-+ * \param[in] in_vec Array of input \ref psa_invec structures. -+ * \param[in] in_len Number of input \ref psa_invec structures. -+ * \param[in,out] out_vec Array of output \ref psa_outvec structures. -+ * \param[in] out_len Number of output \ref psa_outvec structures. -+ * -+ * \retval >=0 RoT Service-specific status value. -+ * \retval <0 RoT Service-specific error code. -+ * \retval PSA_ERROR_PROGRAMMER_ERROR The connection has been terminated by the -+ * RoT Service. The call is a PROGRAMMER ERROR if -+ * one or more of the following are true: -+ * \arg An invalid handle was passed. -+ * \arg The connection is already handling a request. -+ * \arg type < 0. -+ * \arg An invalid memory reference was provided. -+ * \arg in_len + out_len > PSA_MAX_IOVEC. -+ * \arg The message is unrecognized by the RoT -+ * Service or incorrectly formatted. -+ */ -+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle, -+ int32_t type, const struct psa_invec *in_vec, -+ size_t in_len, struct psa_outvec *out_vec, size_t out_len); -+ -+/** -+ * \brief Close a connection to an RoT Service. -+ * -+ * \param[in] rpc_caller RPC caller to use -+ * \param[in] handle A handle to an established connection, or the -+ * null handle. -+ * -+ * \retval void Success. -+ * \retval "PROGRAMMER ERROR" The call is a PROGRAMMER ERROR if one or more -+ * of the following are true: -+ * \arg An invalid handle was provided that is not -+ * the null handle. -+ * \arg The connection is currently handling a -+ * request. -+ */ -+void psa_close(struct rpc_caller *caller, psa_handle_t handle); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* SERVICE_PSA_IPC_H */ -+ -+ -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -new file mode 100644 -index 000000000000..aaa973c6e987 ---- /dev/null -+++ b/components/service/common/include/psa/sid.h -@@ -0,0 +1,71 @@ -+/* -+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __PSA_MANIFEST_SID_H__ -+#define __PSA_MANIFEST_SID_H__ -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/******** TFM_SP_PS ********/ -+#define TFM_PROTECTED_STORAGE_SERVICE_SID (0x00000060U) -+#define TFM_PROTECTED_STORAGE_SERVICE_VERSION (1U) -+#define TFM_PROTECTED_STORAGE_SERVICE_HANDLE (0x40000101U) -+ -+/* Invalid UID */ -+#define TFM_PS_INVALID_UID 0 -+ -+/* PS message types that distinguish PS services. */ -+#define TFM_PS_SET 1001 -+#define TFM_PS_GET 1002 -+#define TFM_PS_GET_INFO 1003 -+#define TFM_PS_REMOVE 1004 -+#define TFM_PS_GET_SUPPORT 1005 -+ -+/******** TFM_SP_ITS ********/ -+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID (0x00000070U) -+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_VERSION (1U) -+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE (0x40000102U) -+ -+/******** TFM_SP_CRYPTO ********/ -+#define TFM_CRYPTO_SID (0x00000080U) -+#define TFM_CRYPTO_VERSION (1U) -+#define TFM_CRYPTO_HANDLE (0x40000100U) -+ -+/******** TFM_SP_PLATFORM ********/ -+#define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) -+#define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -+#define TFM_SP_PLATFORM_IOCTL_SID (0x00000041U) -+#define TFM_SP_PLATFORM_IOCTL_VERSION (1U) -+#define TFM_SP_PLATFORM_NV_COUNTER_SID (0x00000042U) -+#define TFM_SP_PLATFORM_NV_COUNTER_VERSION (1U) -+ -+/******** TFM_SP_INITIAL_ATTESTATION ********/ -+#define TFM_ATTESTATION_SERVICE_SID (0x00000020U) -+#define TFM_ATTESTATION_SERVICE_VERSION (1U) -+#define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U) -+ -+/******** TFM_SP_FWU ********/ -+#define TFM_FWU_WRITE_SID (0x000000A0U) -+#define TFM_FWU_WRITE_VERSION (1U) -+#define TFM_FWU_INSTALL_SID (0x000000A1U) -+#define TFM_FWU_INSTALL_VERSION (1U) -+#define TFM_FWU_ABORT_SID (0x000000A2U) -+#define TFM_FWU_ABORT_VERSION (1U) -+#define TFM_FWU_QUERY_SID (0x000000A3U) -+#define TFM_FWU_QUERY_VERSION (1U) -+#define TFM_FWU_REQUEST_REBOOT_SID (0x000000A4U) -+#define 
TFM_FWU_REQUEST_REBOOT_VERSION (1U) -+#define TFM_FWU_ACCEPT_SID (0x000000A5U) -+#define TFM_FWU_ACCEPT_VERSION (1U) -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __PSA_MANIFEST_SID_H__ */ --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Add-common-service-component-to-ipc-support.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Add-common-service-component-to-ipc-support.patch deleted file mode 100644 index df3cb2f4c2..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Add-common-service-component-to-ipc-support.patch +++ /dev/null 
@@ -1,295 +0,0 @@ -From 0311fc8f131fe7a2b0f4dd9988c610fda47394aa Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath -Date: Fri, 3 Dec 2021 19:13:03 +0000 -Subject: [PATCH 05/20] Add common service component to ipc support - -Add support for inter processor communication for PSA -including, the openamp client side structures lib. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - .../service/common/psa_ipc/component.cmake | 13 ++ - .../service/common/psa_ipc/service_psa_ipc.c | 97 +++++++++++++ - .../psa_ipc/service_psa_ipc_openamp_lib.h | 131 ++++++++++++++++++ - deployments/se-proxy/se-proxy.cmake | 1 + - 4 files changed, 242 insertions(+) - create mode 100644 components/service/common/psa_ipc/component.cmake - create mode 100644 components/service/common/psa_ipc/service_psa_ipc.c - create mode 100644 components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h - -diff --git a/components/service/common/psa_ipc/component.cmake b/components/service/common/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..5a1c9e62e2f0 ---- /dev/null -+++ b/components/service/common/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/service_psa_ipc.c" -+ ) -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -new file mode 100644 -index 000000000000..e8093c20a523 ---- /dev/null -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -0,0 +1,97 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. 
All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+#include -+#include "service_psa_ipc_openamp_lib.h" -+ -+psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, -+ uint32_t version) -+{ -+ psa_status_t psa_status = PSA_SUCCESS; -+ struct s_openamp_msg *resp_msg = NULL; -+ struct ns_openamp_msg *req_msg; -+ rpc_call_handle rpc_handle; -+ size_t resp_len; -+ uint8_t *resp; -+ uint8_t *req; -+ int ret; -+ -+ rpc_handle = rpc_caller_begin(caller, &req, -+ sizeof(struct ns_openamp_msg)); -+ if (!rpc_handle) { -+ EMSG("psa_connect: could not get handle"); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ req_msg = (struct ns_openamp_msg *)req; -+ -+ req_msg->call_type = OPENAMP_PSA_CONNECT; -+ req_msg->params.psa_connect_params.sid = sid; -+ req_msg->params.psa_connect_params.version = version; -+ -+ ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, -+ &resp_len); -+ if (ret != TS_RPC_CALL_ACCEPTED) { -+ EMSG("psa_connect: invoke failed: %d", ret); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ if (psa_status == PSA_SUCCESS) -+ resp_msg = (struct s_openamp_msg *)resp; -+ -+ rpc_caller_end(caller, rpc_handle); -+ -+ return resp_msg ? 
(psa_handle_t)resp_msg->reply : PSA_NULL_HANDLE; -+} -+ -+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle, -+ int32_t type, const struct psa_invec *in_vec, -+ size_t in_len, struct psa_outvec *out_vec, size_t out_len) -+{ -+ -+} -+ -+void psa_close(struct rpc_caller *caller, psa_handle_t handle) -+{ -+ psa_status_t psa_status = PSA_SUCCESS; -+ struct s_openamp_msg *resp_msg = NULL; -+ struct ns_openamp_msg *req_msg; -+ rpc_call_handle rpc_handle; -+ size_t resp_len; -+ uint8_t *resp; -+ uint8_t *req; -+ int ret; -+ -+ rpc_handle = rpc_caller_begin(caller, &req, -+ sizeof(struct ns_openamp_msg)); -+ if (!rpc_handle) { -+ EMSG("psa_close: could not get handle"); -+ return; -+ } -+ -+ req_msg = (struct ns_openamp_msg *)req; -+ -+ req_msg->call_type = OPENAMP_PSA_CLOSE; -+ req_msg->params.psa_close_params.handle = handle; -+ -+ ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, -+ &resp_len); -+ if (ret != TS_RPC_CALL_ACCEPTED) { -+ EMSG("psa_close: invoke failed: %d", ret); -+ return; -+ } -+ -+ rpc_caller_end(caller, rpc_handle); -+} -diff --git a/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h b/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h -new file mode 100644 -index 000000000000..33ea96660572 ---- /dev/null -+++ b/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h -@@ -0,0 +1,131 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef SERVICE_PSA_IPC_OPENAMP_LIB_H -+#define SERVICE_PSA_IPC_OPENAMP_LIB_H -+ -+#include -+#include -+ -+#include -+#include -+ -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/* PSA client call type value */ -+#define OPENAMP_PSA_FRAMEWORK_VERSION (0x1) -+#define OPENAMP_PSA_VERSION (0x2) -+#define OPENAMP_PSA_CONNECT (0x3) -+#define OPENAMP_PSA_CALL (0x4) -+#define OPENAMP_PSA_CLOSE (0x5) -+ -+/* Return code of openamp APIs */ -+#define OPENAMP_SUCCESS (0) -+#define OPENAMP_MAP_FULL (INT32_MIN + 1) -+#define OPENAMP_MAP_ERROR (INT32_MIN + 2) -+#define OPENAMP_INVAL_PARAMS (INT32_MIN + 3) -+#define OPENAMP_NO_PERMS (INT32_MIN + 4) -+#define OPENAMP_NO_PEND_EVENT (INT32_MIN + 5) -+#define OPENAMP_CHAN_BUSY (INT32_MIN + 6) -+#define OPENAMP_CALLBACK_REG_ERROR (INT32_MIN + 7) -+#define OPENAMP_INIT_ERROR (INT32_MIN + 8) -+ -+#define HOLD_INPUT_BUFFER (1) /* IF true, TF-M Library will hold the openamp -+ * buffer so that openamp shared memory buffer -+ * does not get freed. -+ */ -+ -+/* -+ * This structure holds the parameters used in a PSA client call. -+ */ -+typedef struct __packed psa_client_in_params { -+ union { -+ struct __packed { -+ uint32_t sid; -+ } psa_version_params; -+ -+ struct __packed { -+ uint32_t sid; -+ uint32_t version; -+ } psa_connect_params; -+ -+ struct __packed { -+ psa_handle_t handle; -+ int32_t type; -+ uint32_t in_vec; -+ uint32_t in_len; -+ uint32_t out_vec; -+ uint32_t out_len; -+ } psa_call_params; -+ -+ struct __packed { -+ psa_handle_t handle; -+ } psa_close_params; -+ }; -+} psa_client_in_params_t; -+ -+/* Openamp message passed from NSPE to SPE to deliver a PSA client call */ -+struct __packed ns_openamp_msg { -+ uint32_t call_type; /* PSA client call type */ -+ struct psa_client_in_params params; /* Contain parameters used in PSA -+ * client call -+ */ -+ -+ int32_t client_id; /* Optional client ID of the -+ * non-secure caller. 
-+ * It is required to identify the -+ * non-secure task when NSPE OS -+ * enforces non-secure task -+ * isolation -+ */ -+ int32_t request_id; /* This is the unique ID for a -+ * request send to TF-M by the -+ * non-secure core. TF-M forward -+ * the ID back to non-secure on the -+ * reply to a given request. Using -+ * this id, the non-secure library -+ * can identify the request for -+ * which the reply has received. -+ */ -+}; -+ -+/* -+ * This structure holds the location of the out data of the PSA client call. -+ */ -+struct __packed psa_client_out_params { -+ uint32_t out_vec; -+ uint32_t out_len; -+}; -+ -+ -+/* Openamp message from SPE to NSPE delivering the reply back for a PSA client -+ * call. -+ */ -+struct __packed s_openamp_msg { -+ int32_t request_id; /* Using this id, the non-secure -+ * library identifies the request. -+ * TF-M forwards the same -+ * request-id received on the -+ * initial request. -+ */ -+ int32_t reply; /* Reply of the PSA client call */ -+ struct psa_client_out_params params; /* Contain out data result of the -+ * PSA client call. -+ */ -+}; -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* SERVICE_PSA_IPC_OPENAMP_LIB_H */ -+ -+ -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index 34fe5ff1b925..dd0c5d00c21e 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -24,6 +24,7 @@ add_components(TARGET "se-proxy" - "components/service/common/include" - "components/service/common/serializer/protobuf" - "components/service/common/client" -+ "components/service/common/psa_ipc" - "components/service/common/provider" - "components/service/discovery/provider" - "components/service/discovery/provider/serializer/packed-c" --- -2.38.1 - 
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch new file mode 100644 index 0000000000..2fdd19e79f --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch @@ -0,0 +1,27 @@ +From 041d30bb9cc6857f5ef26ded154ff7126dafaa20 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras +Date: Fri, 16 Jun 2023 10:47:48 +0100 +Subject: [PATCH] plat: corstone1000: add compile definitions for + ECP_DP_SECP512R1 + +Corstone1000 runs PSA-API tests which requires this ECC algorithm. +Without setting this, corstone1000 fails psa-api-crypto-test no 243. + +Signed-off-by: Emekcan Aras +--- + platform/providers/arm/corstone1000/platform.cmake | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index dbdf1097..e7a295dd 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -14,3 +14,5 @@ target_compile_definitions(${TGT} PRIVATE + SMM_VARIABLE_INDEX_STORAGE_UID=0x787 + SMM_GATEWAY_MAX_UEFI_VARIABLES=100 + ) ++ ++add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +-- +2.17.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Add-secure-storage-ipc-backend.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Add-secure-storage-ipc-backend.patch deleted file mode 100644 index 74a83777df..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Add-secure-storage-ipc-backend.patch +++ /dev/null 
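Review bot: the Subject line names `ECP_DP_SECP512R1` while the definition added is `MBEDTLS_ECP_DP_SECP521R1_ENABLED`; the curve is P-521, so the subject should read SECP521R1. The patch header also lacks the `Upstream-Status:` tag that the other patches in this directory carry and that the Yocto patch policy requires. On the hunk itself, `add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED)` is directory-scoped and applies to every target created after that point, whereas the surrounding block uses `target_compile_definitions(${TGT} PRIVATE ...)`; placing the define inside that existing list keeps it scoped to `${TGT}` and consistent with the rest of platform.cmake.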
@@ -1,523 +0,0 @@ -From ed4371d63cb52c121be9678bc225055944286c30 Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath -Date: Fri, 3 Dec 2021 19:19:24 +0000 -Subject: [PATCH 06/20] Add secure storage ipc backend - -Add secure storage ipc ff-m implementation which may use -openamp as rpc to communicate with other processor. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - .../service/common/psa_ipc/service_psa_ipc.c | 143 +++++++++++- - .../secure_storage_ipc/component.cmake | 14 ++ - .../secure_storage_ipc/secure_storage_ipc.c | 214 ++++++++++++++++++ - .../secure_storage_ipc/secure_storage_ipc.h | 52 +++++ - deployments/se-proxy/se-proxy.cmake | 1 + - 5 files changed, 420 insertions(+), 4 deletions(-) - create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/component.cmake - create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c - create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h - -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -index e8093c20a523..95a07c135f31 100644 ---- a/components/service/common/psa_ipc/service_psa_ipc.c -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -16,6 +16,52 @@ - #include - #include "service_psa_ipc_openamp_lib.h" - -+static struct psa_invec *psa_call_in_vec_param(uint8_t *req) -+{ -+ return (struct psa_invec *)(req + sizeof(struct ns_openamp_msg)); -+} -+ -+static struct psa_outvec *psa_call_out_vec_param(uint8_t *req, size_t in_len) -+{ -+ return (struct psa_outvec *)(req + sizeof(struct ns_openamp_msg) + -+ (in_len * sizeof(struct psa_invec))); -+} -+ -+static size_t psa_call_header_len(const struct psa_invec *in_vec, size_t in_len, -+ struct psa_outvec *out_vec, size_t out_len) -+{ -+ return sizeof(struct ns_openamp_msg) + (in_len * sizeof(*in_vec)) + -+ (out_len * 
sizeof(*out_vec)); -+} -+ -+static size_t psa_call_in_vec_len(const struct psa_invec *in_vec, size_t in_len) -+{ -+ size_t req_len = 0; -+ int i; -+ -+ if (!in_vec || !in_len) -+ return 0; -+ -+ for (i = 0; i < in_len; i++) -+ req_len += in_vec[i].len; -+ -+ return req_len; -+} -+ -+static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_len) -+{ -+ size_t resp_len = 0; -+ int i; -+ -+ if (!out_vec || !out_len) -+ return 0; -+ -+ for (i = 0; i < out_len; i++) -+ resp_len += out_vec[i].len; -+ -+ return resp_len; -+} -+ - psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - uint32_t version) - { -@@ -31,7 +77,7 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - rpc_handle = rpc_caller_begin(caller, &req, - sizeof(struct ns_openamp_msg)); - if (!rpc_handle) { -- EMSG("psa_connect: could not get handle"); -+ EMSG("psa_connect: could not get rpc handle"); - return PSA_ERROR_GENERIC_ERROR; - } - -@@ -56,14 +102,100 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - return resp_msg ? 
(psa_handle_t)resp_msg->reply : PSA_NULL_HANDLE; - } - --psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle, -+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - int32_t type, const struct psa_invec *in_vec, - size_t in_len, struct psa_outvec *out_vec, size_t out_len) - { -+ psa_status_t psa_status = PSA_SUCCESS; -+ struct s_openamp_msg *resp_msg = NULL; -+ struct psa_outvec *out_vec_param; -+ struct psa_invec *in_vec_param; -+ struct ns_openamp_msg *req_msg; -+ rpc_call_handle rpc_handle; -+ size_t out_vec_len; -+ size_t in_vec_len; -+ size_t header_len; -+ uint8_t *payload; -+ size_t resp_len; -+ uint8_t *resp; -+ uint8_t *req; -+ int ret; -+ int i; -+ -+ if ((psa_handle == PSA_NULL_HANDLE) || !caller) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ header_len = psa_call_header_len(in_vec, in_len, out_vec, out_len); -+ in_vec_len = psa_call_in_vec_len(in_vec, in_len); -+ out_vec_len = psa_call_out_vec_len(out_vec, out_len); - -+ rpc_handle = rpc_caller_begin(caller, &req, header_len + in_vec_len); -+ if (!rpc_handle) { -+ EMSG("psa_call: could not get handle"); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ payload = req + header_len; -+ -+ out_vec_param = psa_call_out_vec_param(req, in_len); -+ in_vec_param = psa_call_in_vec_param(req); -+ -+ req_msg = (struct ns_openamp_msg *)req; -+ -+ req_msg->call_type = OPENAMP_PSA_CALL; -+ req_msg->request_id = 1234; -+ req_msg->params.psa_call_params.handle = psa_handle; -+ req_msg->params.psa_call_params.type = type; -+ req_msg->params.psa_call_params.in_len = in_len; -+ req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param); -+ req_msg->params.psa_call_params.out_len = out_len; -+ req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param); -+ -+ for (i = 0; i < in_len; i++) { -+ in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload); -+ in_vec_param[i].len = in_vec[i].len; -+ -+ memcpy(payload, in_vec[i].base, 
in_vec[i].len); -+ payload += in_vec[i].len; -+ } -+ -+ for (i = 0; i < out_len; i++) { -+ out_vec_param[i].base = NULL; -+ out_vec_param[i].len = out_vec[i].len; -+ } -+ -+ ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, -+ &resp_len); -+ if (ret != TS_RPC_CALL_ACCEPTED) { -+ EMSG("psa_call: invoke failed: %d", ret); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ if (psa_status != PSA_SUCCESS) { -+ EMSG("psa_call: psa_status invoke failed: %d", psa_status); -+ return PSA_ERROR_GENERIC_ERROR; -+ } -+ -+ resp_msg = (struct s_openamp_msg *)resp; -+ -+ if (!resp_msg || !out_len || resp_msg->reply != PSA_SUCCESS) -+ goto caller_end; -+ -+ out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller, -+ resp_msg->params.out_vec); -+ -+ for (i = 0; i < resp_msg->params.out_len; i++) { -+ memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), -+ out_vec[i].len); -+ } -+ -+caller_end: -+ rpc_caller_end(caller, rpc_handle); -+ -+ return resp_msg ? 
resp_msg->reply : PSA_ERROR_COMMUNICATION_FAILURE; - } - --void psa_close(struct rpc_caller *caller, psa_handle_t handle) -+void psa_close(struct rpc_caller *caller, psa_handle_t psa_handle) - { - psa_status_t psa_status = PSA_SUCCESS; - struct s_openamp_msg *resp_msg = NULL; -@@ -74,6 +206,9 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle) - uint8_t *req; - int ret; - -+ if ((psa_handle == PSA_NULL_HANDLE) || !caller) -+ return; -+ - rpc_handle = rpc_caller_begin(caller, &req, - sizeof(struct ns_openamp_msg)); - if (!rpc_handle) { -@@ -84,7 +219,7 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle) - req_msg = (struct ns_openamp_msg *)req; - - req_msg->call_type = OPENAMP_PSA_CLOSE; -- req_msg->params.psa_close_params.handle = handle; -+ req_msg->params.psa_close_params.handle = psa_handle; - - ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp, - &resp_len); -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/component.cmake b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake -new file mode 100644 -index 000000000000..5d8f6714e0bd ---- /dev/null -+++ b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake -@@ -0,0 +1,14 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/secure_storage_ipc.c" -+ ) -+ -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -new file mode 100644 -index 000000000000..9b55f77dd395 ---- /dev/null -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -0,0 +1,214 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include "secure_storage_ipc.h" -+#include -+#include -+#include -+#include -+#include -+ -+ -+static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, -+ psa_storage_uid_t uid, size_t data_length, -+ const void *p_data, psa_storage_create_flags_t create_flags) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ { .base = p_data, .len = data_length }, -+ { .base = &create_flags, .len = sizeof(create_flags) }, -+ }; -+ -+ (void)client_id; -+ -+ ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; -+ -+ /* Validating input parameters */ -+ if (p_data == NULL) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); -+ if (psa_status < 0) -+ EMSG("ipc_set: psa_call failed: %d", psa_status); -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_get(void *context, -+ uint32_t client_id, -+ psa_storage_uid_t uid, -+ size_t 
data_offset, -+ size_t data_size, -+ void *p_data, -+ size_t *p_data_length) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ uint32_t offset = (uint32_t)data_offset; -+ struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ { .base = &offset, .len = sizeof(offset) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = p_data, .len = data_size }, -+ }; -+ -+ if (!p_data_length) { -+ EMSG("ipc_get: p_data_length not defined"); -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_GET, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ if (psa_status == PSA_SUCCESS) -+ *p_data_length = out_vec[0].len; -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_get_info(void *context, -+ uint32_t client_id, -+ psa_storage_uid_t uid, -+ struct psa_storage_info_t *p_info) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = p_info, .len = sizeof(*p_info) }, -+ }; -+ -+ (void)client_id; -+ -+ /* Validating input parameters */ -+ if (!p_info) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_GET_INFO, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ if (psa_status != PSA_SUCCESS) -+ EMSG("ipc_get_info: failed to psa_call: %d", psa_status); -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_remove(void *context, -+ uint32_t client_id, -+ psa_storage_uid_t uid) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ 
struct psa_invec in_vec[] = { -+ { .base = &uid, .len = sizeof(uid) }, -+ }; -+ -+ (void)client_id; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_REMOVE, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ if (psa_status != PSA_SUCCESS) -+ EMSG("ipc_remove: failed to psa_call: %d", psa_status); -+ -+ return psa_status; -+} -+ -+static psa_status_t secure_storage_ipc_create(void *context, -+ uint32_t client_id, -+ uint64_t uid, -+ size_t capacity, -+ uint32_t create_flags) -+{ -+ (void)context; -+ (void)uid; -+ (void)client_id; -+ (void)capacity; -+ (void)create_flags; -+ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static psa_status_t secure_storage_set_extended(void *context, -+ uint32_t client_id, -+ uint64_t uid, -+ size_t data_offset, -+ size_t data_length, -+ const void *p_data) -+{ -+ (void)context; -+ (void)uid; -+ (void)client_id; -+ (void)data_offset; -+ (void)data_length; -+ (void)p_data; -+ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static uint32_t secure_storage_get_support(void *context, uint32_t client_id) -+{ -+ struct secure_storage_ipc *ipc = context; -+ struct rpc_caller *caller = ipc->client.caller; -+ psa_handle_t psa_handle; -+ psa_status_t psa_status; -+ uint32_t support_flags; -+ struct psa_outvec out_vec[] = { -+ { .base = &support_flags, .len = sizeof(support_flags) }, -+ }; -+ -+ (void)client_id; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_GET_SUPPORT, NULL, 0, -+ out_vec, IOVEC_LEN(out_vec)); -+ if (psa_status != PSA_SUCCESS) -+ EMSG("ipc_get_support: failed to psa_call: %d", psa_status); -+ -+ return psa_status; -+} -+ -+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context, -+ struct rpc_caller *caller) -+{ -+ service_client_init(&context->client, caller); -+ -+ static const struct storage_backend_interface interface = -+ { -+ .set = secure_storage_ipc_set, -+ .get = secure_storage_ipc_get, -+ .get_info = secure_storage_ipc_get_info, -+ 
.remove = secure_storage_ipc_remove, -+ .create = secure_storage_ipc_create, -+ .set_extended = secure_storage_set_extended, -+ .get_support = secure_storage_get_support, -+ }; -+ -+ context->backend.context = context; -+ context->backend.interface = &interface; -+ -+ return &context->backend; -+} -+ -+void secure_storage_ipc_deinit(struct secure_storage_ipc *context) -+{ -+ service_client_deinit(&context->client); -+} -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -new file mode 100644 -index 000000000000..e8c1e8fd2f92 ---- /dev/null -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -@@ -0,0 +1,52 @@ -+/* -+ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef SECURE_STORAGE_IPC_H -+#define SECURE_STORAGE_IPC_H -+ -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * @brief Secure storage ipc instance -+ */ -+struct secure_storage_ipc -+{ -+ struct storage_backend backend; -+ struct service_client client; -+}; -+ -+/** -+ * @brief Initialize a secure storage ipc client -+ * -+ * A secure storage client is a storage backend that makes RPC calls -+ * to a remote secure storage provider. 
-+ * -+ * @param[in] context Instance data -+ * @param[in] rpc_caller RPC caller instance -+ * -+ * -+ * @return Pointer to inialized storage backend or NULL on failure -+ */ -+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context, -+ struct rpc_caller *caller); -+ -+/** -+ * @brief Deinitialize a secure storage ipc client -+ * -+ * @param[in] context Instance data -+ */ -+void secure_storage_ipc_deinit(struct secure_storage_ipc *context); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* SECURE_STORAGE_IPC_H */ -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index dd0c5d00c21e..cd51460406ca 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -45,6 +45,7 @@ add_components(TARGET "se-proxy" - "components/service/crypto/factory/full" - "components/service/secure_storage/include" - "components/service/secure_storage/frontend/secure_storage_provider" -+ "components/service/secure_storage/backend/secure_storage_ipc" - "components/service/attestation/include" - "components/service/attestation/provider" - "components/service/attestation/provider/serializer/packed-c" --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch new file mode 100644 index 0000000000..4e9d5c2e13 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch 
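Review bot: the secure_storage_ipc.c being deleted here carries a return-value bug that should not be re-imported if this backend resurfaces later in the series: secure_storage_get_support is declared to return uint32_t support flags and reads them into support_flags through out_vec, but ends with `return psa_status;` rather than `return support_flags;`, so a caller gets a status code where it expects capability flags. The same file declares `psa_handle_t psa_handle;` in set, get, get_info, remove and get_support without ever using it (the handle is the fixed TFM_PROTECTED_STORAGE_SERVICE_HANDLE), and secure_storage_ipc_get never validates p_data while set and get_info do. In the header, the doxygen for secure_storage_ipc_init documents `@param[in] rpc_caller` although the prototype names the parameter `caller`, and "inialized" should read "initialized".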
@@ -0,0 +1,141 @@ +From a71e99045996c57a4f80509ae8b770aa4f73f6c0 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras +Date: Sun, 18 Jun 2023 14:38:42 +0100 +Subject: [PATCH] plat: corstone1000: Use the stateless platform service calls + Calls to psa_connect is not needed and psa_call can be called directly with a + pre defined handle. + +Signed-off-by: Satish Kumar +Signed-off-by: Mohamed Omar Asaker +Signed-off-by: Emekcan Aras + +Upstream-Status: Inappropriate [Design is to revisted] +--- + .../provider/capsule_update_provider.c | 24 ++++--------------- + .../provider/corstone1000_fmp_service.c | 10 ++++---- + .../provider/corstone1000_fmp_service.h | 3 +-- + components/service/common/include/psa/sid.h | 7 ++++++ + 4 files changed, 17 insertions(+), 27 deletions(-) + +diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c +index 991a2235..6809249f 100644 +--- a/components/service/capsule_update/provider/capsule_update_provider.c ++++ b/components/service/capsule_update/provider/capsule_update_provider.c +@@ -61,7 +61,6 @@ void capsule_update_provider_deinit(struct capsule_update_provider *context) + static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) + { + uint32_t ioctl_id; +- psa_handle_t handle; + rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED; + + struct psa_invec in_vec[] = { +@@ -79,31 +78,18 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) + case CAPSULE_UPDATE_REQUEST: + /* Openamp call with IOCTL for firmware update*/ + ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES; +- handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, +- TFM_SP_PLATFORM_IOCTL_VERSION); +- if (handle <= 0) { +- EMSG("%s Invalid handle", __func__); +- rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; +- return rpc_status; +- } +- psa_call(caller,handle, PSA_IPC_CALL, ++ psa_call(caller,TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, 
+ in_vec,IOVEC_LEN(in_vec), NULL, 0); +- set_fmp_image_info(caller, handle); ++ set_fmp_image_info(caller); + break; + + case KERNEL_STARTED_EVENT: + ioctl_id = IOCTL_CORSTONE1000_FWU_HOST_ACK; + /*openamp call with IOCTL for kernel start*/ +- handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, +- TFM_SP_PLATFORM_IOCTL_VERSION); +- if (handle <= 0) { +- EMSG("%s Invalid handle", __func__); +- rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; +- return rpc_status; +- } +- psa_call(caller,handle, PSA_IPC_CALL, ++ ++ psa_call(caller,TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, + in_vec,IOVEC_LEN(in_vec), NULL, 0); +- set_fmp_image_info(caller, handle); ++ set_fmp_image_info(caller); + break; + default: + EMSG("%s unsupported opcode", __func__); +diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c +index 6a7a47a7..d811af9f 100644 +--- a/components/service/capsule_update/provider/corstone1000_fmp_service.c ++++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c +@@ -238,8 +238,7 @@ static psa_status_t unpack_image_info(void *buffer, uint32_t size) + return PSA_SUCCESS; + } + +-static psa_status_t get_image_info(struct rpc_caller *caller, +- psa_handle_t platform_service_handle) ++static psa_status_t get_image_info(struct rpc_caller *caller) + { + psa_status_t status; + psa_handle_t handle; +@@ -255,7 +254,7 @@ static psa_status_t get_image_info(struct rpc_caller *caller, + + memset(image_info_buffer, 0, IMAGE_INFO_BUFFER_SIZE); + +- psa_call(caller, platform_service_handle, PSA_IPC_CALL, ++ psa_call(caller, TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, + in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); + + status = unpack_image_info(image_info_buffer, IMAGE_INFO_BUFFER_SIZE); +@@ -288,12 +287,11 @@ static psa_status_t set_image_info(struct rpc_caller *caller) + return PSA_SUCCESS; + } + +-void set_fmp_image_info(struct 
rpc_caller *caller, +- psa_handle_t platform_service_handle) ++void set_fmp_image_info(struct rpc_caller *caller) + { + psa_status_t status; + +- status = get_image_info(caller, platform_service_handle); ++ status = get_image_info(caller); + if (status != PSA_SUCCESS) { + return; + } +diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h +index 95fba2a0..963223e8 100644 +--- a/components/service/capsule_update/provider/corstone1000_fmp_service.h ++++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h +@@ -16,8 +16,7 @@ extern "C" { + + void provision_fmp_variables_metadata(struct rpc_caller *caller); + +-void set_fmp_image_info(struct rpc_caller *caller, +- psa_handle_t platform_service_handle); ++void set_fmp_image_info(struct rpc_caller *caller); + + #ifdef __cplusplus + } /* extern "C" */ +diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h +index 5aaa659d..fc3a4fb0 100644 +--- a/components/service/common/include/psa/sid.h ++++ b/components/service/common/include/psa/sid.h +@@ -40,6 +40,13 @@ extern "C" { + #define TFM_CRYPTO_VERSION (1U) + #define TFM_CRYPTO_HANDLE (0x40000100U) + ++/******** TFM_PLATFORM_SERVICE *******/ ++#define TFM_PLATFORM_API_ID_IOCTL (1013) ++#define TFM_PLATFORM_SERVICE_HANDLE (0x40000105U) ++ ++/** ++ * \brief Define a progressive numerical value for each SID which can be used ++ * when dispatching the requests to the service + /******** TFM_SP_PLATFORM ********/ + #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) + #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) +-- +2.17.1 + 
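Review bot: both event_handler cases now discard the psa_call status and fall straight through to set_fmp_image_info, and the psa_connect handle check that this hunk removes was the only error path in the function, so a failed IOCTL on TFM_PLATFORM_SERVICE_HANDLE is reported to the caller as TS_RPC_CALL_ACCEPTED. Suggest capturing the status in both cases, e.g. `status = psa_call(caller, TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, in_vec, IOVEC_LEN(in_vec), NULL, 0);` followed by `if (status != PSA_SUCCESS) { rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; break; }`, and the same in get_image_info, whose psa_call is equally unchecked before unpack_image_info parses the buffer and which still declares a now-unused `psa_handle_t handle`. In the sid.h hunk the new `/** \brief Define a progressive numerical value ...` doc comment has no closing `*/`; it is only terminated by the `*/` at the end of the pre-existing `/******** TFM_SP_PLATFORM ********/` banner, which drags that banner into the comment, so add a closing ` */` line. Minor: TFM_PLATFORM_API_ID_IOCTL is written as decimal `(1013)` without the U suffix used by the neighbouring hex constants.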
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch deleted file mode 100644 index ad33295d41..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From d1377a5ed909e3a1d9caca56aeda262a80322a4b Mon Sep 17 00:00:00 2001 -From: Vishnu Banavath -Date: Fri, 3 Dec 2021 19:25:34 +0000 -Subject: [PATCH 07/20] Use secure storage ipc and openamp for se_proxy - -Remove mock up backend for secure storage in se proxy -deployment and use instead the secure storage ipc backend with -openamp as rpc to secure enclave side. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - .../se-proxy/common/service_proxy_factory.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index acfb6e8873fa..57290056d614 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -6,15 +6,20 @@ - - #include - #include -+#include - #include - #include - #include - #include -+#include - - /* Stub backends */ - #include -+#include - #include - -+struct openamp_caller openamp; -+ - struct rpc_interface *attest_proxy_create(void) - { - struct rpc_interface *attest_iface; -@@ -47,10 +52,15 @@ struct rpc_interface *crypto_proxy_create(void) - - struct rpc_interface *ps_proxy_create(void) - { -- static struct mock_store ps_backend; - static struct secure_storage_provider ps_provider; -- -- struct storage_backend *backend = mock_store_init(&ps_backend); -+ static struct secure_storage_ipc ps_backend; -+ static struct rpc_caller *storage_caller; -+ struct storage_backend *backend; -+ -+ storage_caller = openamp_caller_init(&openamp); -+ if (!storage_caller) -+ return NULL; -+ backend = secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller); - - return secure_storage_provider_init(&ps_provider, backend); - } --- -2.38.1 - 
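Review bot: this deletion removes the only visible wiring of the openamp-backed protected-storage proxy (openamp_caller_init followed by secure_storage_ipc_init) from deployments/se-proxy/common/service_proxy_factory.c, and nothing else in this subtree commit shows where ps_proxy_create for se-proxy is created now; the context of the new 0007 patch in this same update shows an its_proxy_create in deployments/se-proxy/infra/corstone1000/service_proxy_factory.c, so please confirm the ps backend moved with that infra/corstone1000 refactor rather than falling back to the mock_store this patch had replaced. Two details of the deleted code are worth not carrying over: `storage_caller` is checked for NULL but then ignored in favour of `&openamp.rpc_caller`, and `struct openamp_caller openamp;` is an external (non-static) file-scope object.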
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch new file mode 100644 index 0000000000..3e6f606c5d --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch 
@@ -0,0 +1,78 @@ +From b5b31064959665f4cc616733be3d989ae4356636 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras +Date: Sun, 18 Jun 2023 16:05:27 +0100 +Subject: [PATCH] plat: corstone1000: Initialize capsule update provider + +Initializes the capsule update service provider in se-proxy-sp.c deployment +for corstone1000. + +Signed-off-by: Emekcan Aras +Upstream-Status: Inappropriate [Design is to revisted] + +--- + deployments/se-proxy/env/commonsp/se_proxy_sp.c | 3 +++ + .../infra/corstone1000/service_proxy_factory.c | 17 +++++++++++++++++ + .../se-proxy/infra/service_proxy_factory.h | 1 + + 3 files changed, 21 insertions(+) + +diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c +index 45fcb385..dc2a9d49 100644 +--- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c ++++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c +@@ -77,6 +77,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info) + } + rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface); + ++ rpc_iface = capsule_update_proxy_create(); ++ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface); ++ + /* End of boot phase */ + result = sp_msg_wait(&req_msg); + if (result != SP_RESULT_OK) { +diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c +index bacab1de..32d88c97 100644 +--- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c ++++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + /* backends */ + #include +@@ -94,3 +95,19 @@ struct rpc_interface *its_proxy_create(void) + + return secure_storage_provider_init(&its_provider, backend); + } ++ ++struct rpc_interface *capsule_update_proxy_create(void) ++{ ++ static struct capsule_update_provider capsule_update_provider; ++ static struct rpc_caller *capsule_update_caller; ++ ++ 
capsule_update_caller = psa_ipc_caller_init(&psa_ipc); ++ ++ if (!capsule_update_caller) ++ return NULL; ++ ++ capsule_update_provider.client.caller = capsule_update_caller; ++ ++ return capsule_update_provider_init(&capsule_update_provider); ++} ++ +diff --git a/deployments/se-proxy/infra/service_proxy_factory.h b/deployments/se-proxy/infra/service_proxy_factory.h +index 298d407a..02aa7fe2 100644 +--- a/deployments/se-proxy/infra/service_proxy_factory.h ++++ b/deployments/se-proxy/infra/service_proxy_factory.h +@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void); + struct rpc_interface *crypto_proxy_create(void); + struct rpc_interface *ps_proxy_create(void); + struct rpc_interface *its_proxy_create(void); ++struct rpc_interface *capsule_update_proxy_create(void); + + #ifdef __cplusplus + } +-- +2.17.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-Run-psa-arch-test.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-Run-psa-arch-test.patch deleted file mode 100644 index ab57688276..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-Run-psa-arch-test.patch +++ /dev/null 
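Review bot: in the se_proxy_sp.c hunk the new `rpc_iface = capsule_update_proxy_create();` result is handed to rpc_demux_attach with no NULL check, while capsule_update_proxy_create in the service_proxy_factory.c hunk explicitly returns NULL when psa_ipc_caller_init fails; the attest proxy immediately above is guarded by an `if` block (its closing `}` is visible as context), so mirror that guard here before attaching. Also, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE is referenced but not defined in any of the three files this patch touches, so the build depends on that identifier arriving from elsewhere; `psa_ipc` is used as a file-scope object not shown in the hunk, which should be confirmed to exist in that translation unit; and the hunk appends a bare `++` line after the closing brace, leaving a trailing blank line at end of file.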
@@ -1,72 +0,0 @@ -From 1b50ab6b6ff1c6f27ab320e18fb0d4aeb1122f0d Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Sun, 12 Dec 2021 10:43:48 +0000 -Subject: [PATCH 08/20] Run psa-arch-test - -Fixes needed to run psa-arch-test - -Upstream-Status: Pending -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva ---- - components/service/common/psa_ipc/service_psa_ipc.c | 1 + - .../backend/secure_storage_ipc/secure_storage_ipc.c | 8 -------- - .../service/secure_storage/include/psa/storage_common.h | 4 ++-- - 3 files changed, 3 insertions(+), 10 deletions(-) - -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -index 95a07c135f31..5e5815dbc9cf 100644 ---- a/components/service/common/psa_ipc/service_psa_ipc.c -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -185,6 +185,7 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - resp_msg->params.out_vec); - - for (i = 0; i < resp_msg->params.out_len; i++) { -+ out_vec[i].len = out_vec_param[i].len; - memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), - out_vec[i].len); - } -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -index 9b55f77dd395..a1f369db253e 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -31,10 +31,6 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, - - ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; - -- /* Validating input parameters */ -- if (p_data == NULL) -- return PSA_ERROR_INVALID_ARGUMENT; -- - psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, - TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); - if (psa_status < 0) -@@ -96,10 +92,6 @@ static 
psa_status_t secure_storage_ipc_get_info(void *context, - - (void)client_id; - -- /* Validating input parameters */ -- if (!p_info) -- return PSA_ERROR_INVALID_ARGUMENT; -- - psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, - TFM_PS_GET_INFO, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -diff --git a/components/service/secure_storage/include/psa/storage_common.h b/components/service/secure_storage/include/psa/storage_common.h -index 4f6ba2a7d822..1fd6b40dc803 100644 ---- a/components/service/secure_storage/include/psa/storage_common.h -+++ b/components/service/secure_storage/include/psa/storage_common.h -@@ -20,8 +20,8 @@ typedef uint64_t psa_storage_uid_t; - typedef uint32_t psa_storage_create_flags_t; - - struct psa_storage_info_t { -- size_t capacity; -- size_t size; -+ uint32_t capacity; -+ uint32_t size; - psa_storage_create_flags_t flags; - }; - --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Use-address-instead-of-pointers.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Use-address-instead-of-pointers.patch deleted file mode 100644 index 3295fa9bd9..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Use-address-instead-of-pointers.patch +++ /dev/null 
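Review bot: removing this patch drops three behavioural changes with no replacement visible in this commit, and they pull in opposite directions from a hardening standpoint: (1) the `out_vec[i].len = out_vec_param[i].len;` line in psa_call that makes the client's out vector report the length the secure side actually wrote, (2) the deletion of the NULL checks on p_data and p_info in secure_storage_ipc_set and secure_storage_ipc_get_info, done to satisfy psa-arch-test, and (3) psa_storage_info_t capacity and size narrowing from size_t to uint32_t so the struct layout matches the 32-bit secure side. If the secure_storage_ipc backend survives elsewhere in the tree it should keep (1) and (3) but not repeat (2): psa_call copies from `in_vec[i].base` with memcpy and no NULL check of its own, so stripping validation in the backend to pass a conformance suite moves the failure from a clean PSA_ERROR_INVALID_ARGUMENT to a NULL dereference.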
@@ -1,168 +0,0 @@ -From a6fba503ffddae004e23b32559212e749e8586f6 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Sun, 12 Dec 2021 10:57:17 +0000 -Subject: [PATCH 09/20] Use address instead of pointers - -Since secure enclave is 32bit and we 64bit there is an issue -in the protocol communication design that force us to handle -on our side the manipulation of address and pointers to make -this work. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva ---- - .../service/common/include/psa/client.h | 15 ++++++++++++++ - .../service/common/psa_ipc/service_psa_ipc.c | 20 ++++++++++++------- - .../secure_storage_ipc/secure_storage_ipc.c | 20 +++++++++---------- - 3 files changed, 38 insertions(+), 17 deletions(-) - -diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h -index 69ccf14f40a3..12dcd68f8a76 100644 ---- a/components/service/common/include/psa/client.h -+++ b/components/service/common/include/psa/client.h -@@ -81,6 +81,21 @@ struct __attribute__ ((__packed__)) psa_outvec { - uint32_t len; /*!< the size in bytes */ - }; - -+static void *psa_u32_to_ptr(uint32_t addr) -+{ -+ return (void *)(uintptr_t)addr; -+} -+ -+static uint32_t psa_ptr_to_u32(void *ptr) -+{ -+ return (uintptr_t)ptr; -+} -+ -+static uint32_t psa_ptr_const_to_u32(const void *ptr) -+{ -+ return (uintptr_t)ptr; -+} -+ - /*************************** PSA Client API **********************************/ - - /** -diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c -index 5e5815dbc9cf..435c6c0a2eba 100644 ---- a/components/service/common/psa_ipc/service_psa_ipc.c -+++ b/components/service/common/psa_ipc/service_psa_ipc.c -@@ -62,6 +62,11 @@ static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_ - return resp_len; - } - -+static uint32_t psa_virt_to_phys_u32(struct rpc_caller *caller, void *va) -+{ -+ return 
(uintptr_t)rpc_caller_virt_to_phys(caller, va); -+} -+ - psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, - uint32_t version) - { -@@ -147,20 +152,20 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - req_msg->params.psa_call_params.handle = psa_handle; - req_msg->params.psa_call_params.type = type; - req_msg->params.psa_call_params.in_len = in_len; -- req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param); -+ req_msg->params.psa_call_params.in_vec = psa_virt_to_phys_u32(caller, in_vec_param); - req_msg->params.psa_call_params.out_len = out_len; -- req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param); -+ req_msg->params.psa_call_params.out_vec = psa_virt_to_phys_u32(caller, out_vec_param); - - for (i = 0; i < in_len; i++) { -- in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload); -+ in_vec_param[i].base = psa_virt_to_phys_u32(caller, payload); - in_vec_param[i].len = in_vec[i].len; - -- memcpy(payload, in_vec[i].base, in_vec[i].len); -+ memcpy(payload, psa_u32_to_ptr(in_vec[i].base), in_vec[i].len); - payload += in_vec[i].len; - } - - for (i = 0; i < out_len; i++) { -- out_vec_param[i].base = NULL; -+ out_vec_param[i].base = 0; - out_vec_param[i].len = out_vec[i].len; - } - -@@ -182,11 +187,12 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, - goto caller_end; - - out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller, -- resp_msg->params.out_vec); -+ psa_u32_to_ptr(resp_msg->params.out_vec)); - - for (i = 0; i < resp_msg->params.out_len; i++) { - out_vec[i].len = out_vec_param[i].len; -- memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), -+ memcpy(psa_u32_to_ptr(out_vec[i].base), -+ rpc_caller_phys_to_virt(caller, psa_u32_to_ptr(out_vec_param[i].base)), - out_vec[i].len); - } - -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c 
b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -index a1f369db253e..bda442a61d5c 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -22,9 +22,9 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, - psa_handle_t psa_handle; - psa_status_t psa_status; - struct psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -- { .base = p_data, .len = data_length }, -- { .base = &create_flags, .len = sizeof(create_flags) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, -+ { .base = psa_ptr_const_to_u32(p_data), .len = data_length }, -+ { .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) }, - }; - - (void)client_id; -@@ -53,11 +53,11 @@ static psa_status_t secure_storage_ipc_get(void *context, - psa_status_t psa_status; - uint32_t offset = (uint32_t)data_offset; - struct psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -- { .base = &offset, .len = sizeof(offset) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, -+ { .base = psa_ptr_to_u32(&offset), .len = sizeof(offset) }, - }; - struct psa_outvec out_vec[] = { -- { .base = p_data, .len = data_size }, -+ { .base = psa_ptr_to_u32(p_data), .len = data_size }, - }; - - if (!p_data_length) { -@@ -84,10 +84,10 @@ static psa_status_t secure_storage_ipc_get_info(void *context, - psa_handle_t psa_handle; - psa_status_t psa_status; - struct psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, - }; - struct psa_outvec out_vec[] = { -- { .base = p_info, .len = sizeof(*p_info) }, -+ { .base = psa_ptr_to_u32(p_info), .len = sizeof(*p_info) }, - }; - - (void)client_id; -@@ -110,7 +110,7 @@ static psa_status_t secure_storage_ipc_remove(void *context, - psa_handle_t psa_handle; - psa_status_t psa_status; - struct 
psa_invec in_vec[] = { -- { .base = &uid, .len = sizeof(uid) }, -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, - }; - - (void)client_id; -@@ -164,7 +164,7 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id) - psa_status_t psa_status; - uint32_t support_flags; - struct psa_outvec out_vec[] = { -- { .base = &support_flags, .len = sizeof(support_flags) }, -+ { .base = psa_ptr_to_u32(&support_flags), .len = sizeof(support_flags) }, - }; - - (void)client_id; --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch deleted file mode 100644 index 2d0725cb24..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch +++ /dev/null 
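Review bot: the deleted patch defined psa_u32_to_ptr, psa_ptr_to_u32 and psa_ptr_const_to_u32 as plain `static` functions in the public psa/client.h header, which yields unused-function warnings in every translation unit that includes it, and each one truncates a 64-bit pointer to 32 bits with a bare cast and no range check; since the truncated value is later dereferenced in psa_call (`memcpy(payload, psa_u32_to_ptr(in_vec[i].base), in_vec[i].len);`), a buffer above 4 GiB would silently turn into a wild read. If this 32-bit address marshalling is reinstated, make the helpers `static inline` and reject or assert on addresses that do not fit in 32 bits instead of trusting the cast. The commit message's rationale ("secure enclave is 32bit and we 64bit") is the only place this 64/32 address contract is written down; the replacement should carry that note.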
@@ -1,323 +0,0 @@ -From b142f3c162fb1c28982d26b5ac2181ba79197a28 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Tue, 7 Dec 2021 11:50:00 +0000 -Subject: [PATCH 10/20] Add psa ipc attestation to se proxy - -Implement attestation client API as psa ipc and include it to -se proxy deployment. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva ---- - .../client/psa_ipc/component.cmake | 13 +++ - .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++ - .../reporter/psa_ipc/component.cmake | 13 +++ - .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++ - components/service/common/include/psa/sid.h | 4 + - .../se-proxy/common/service_proxy_factory.c | 6 ++ - deployments/se-proxy/se-proxy.cmake | 7 +- - ...ble-using-hard-coded-attestation-key.patch | 29 ------- - external/psa_arch_tests/psa_arch_tests.cmake | 4 - - 9 files changed, 171 insertions(+), 36 deletions(-) - create mode 100644 components/service/attestation/client/psa_ipc/component.cmake - create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c - create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake - create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c - delete mode 100644 external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch - -diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..a5bc6b4a387e ---- /dev/null -+++ b/components/service/attestation/client/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c" -+ ) -diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c -new file mode 100644 -index 000000000000..30bd0a13a385 ---- /dev/null -+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c -@@ -0,0 +1,86 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+ -+#include "../psa/iat_client.h" -+#include -+#include -+#include -+#include -+#include -+ -+/** -+ * @brief The singleton psa_iat_client instance -+ * -+ * The psa attestation C API assumes a single backend service provider. 
-+ */ -+static struct service_client instance; -+ -+ -+psa_status_t psa_iat_client_init(struct rpc_caller *caller) -+{ -+ return service_client_init(&instance, caller); -+} -+ -+void psa_iat_client_deinit(void) -+{ -+ service_client_deinit(&instance); -+} -+ -+int psa_iat_client_rpc_status(void) -+{ -+ return instance.rpc_status; -+} -+ -+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge, -+ size_t challenge_size, -+ uint8_t *token_buf, -+ size_t token_buf_size, -+ size_t *token_size) -+{ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller *caller = instance.caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size}, -+ }; -+ -+ if (!token_buf || !token_buf_size) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, -+ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ if (status == PSA_SUCCESS) { -+ *token_size = out_vec[0].len; -+ } -+ -+ return status; -+} -+ -+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size, -+ size_t *token_size) -+{ -+ struct rpc_caller *caller = instance.caller; -+ psa_status_t status; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)} -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, -+ TFM_ATTEST_GET_TOKEN_SIZE, -+ in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..b37830c618fe ---- /dev/null -+++ 
b/components/service/attestation/reporter/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c" -+ ) -diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c -new file mode 100644 -index 000000000000..15805e8ed4b1 ---- /dev/null -+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c -@@ -0,0 +1,45 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+/** -+ * A attestation reporter for psa ipc -+ */ -+ -+#include -+#include -+#include -+#include -+ -+#define TOKEN_BUF_SIZE 1024 -+ -+static uint8_t token_buf[TOKEN_BUF_SIZE]; -+ -+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data, -+ size_t auth_challenge_len, const uint8_t **report, -+ size_t *report_len) -+{ -+ *report = token_buf; -+ psa_status_t ret; -+ size_t token_size = 0; -+ -+ ret = psa_initial_attest_get_token(auth_challenge_data, -+ auth_challenge_len, token_buf, -+ TOKEN_BUF_SIZE, &token_size); -+ if (ret != PSA_SUCCESS) { -+ *report = NULL; -+ *report_len = 0; -+ return ret; -+ } -+ -+ *report_len = token_size; -+ -+ return PSA_SUCCESS; -+} -+ -+void attest_report_destroy(const uint8_t *report) -+{ -+ (void)report; -+} -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index aaa973c6e987..833f5039425f 100644 ---- 
a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -50,6 +50,10 @@ extern "C" { - #define TFM_ATTESTATION_SERVICE_VERSION (1U) - #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U) - -+/* Initial Attestation message types that distinguish Attest services. */ -+#define TFM_ATTEST_GET_TOKEN 1001 -+#define TFM_ATTEST_GET_TOKEN_SIZE 1002 -+ - /******** TFM_SP_FWU ********/ - #define TFM_FWU_WRITE_SID (0x000000A0U) - #define TFM_FWU_WRITE_VERSION (1U) -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 57290056d614..4b8cceccbe4d 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -23,12 +23,18 @@ struct openamp_caller openamp; - struct rpc_interface *attest_proxy_create(void) - { - struct rpc_interface *attest_iface; -+ struct rpc_caller *attest_caller; - - /* Static objects for proxy instance */ - static struct attest_provider attest_provider; - -+ attest_caller = openamp_caller_init(&openamp); -+ if (!attest_caller) -+ return NULL; -+ - /* Initialize the service provider */ - attest_iface = attest_provider_init(&attest_provider); -+ psa_iat_client_init(&openamp.rpc_caller); - - attest_provider_register_serializer(&attest_provider, - TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance()); -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index cd51460406ca..3dbbc36c968d 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -49,14 +49,15 @@ add_components(TARGET "se-proxy" - "components/service/attestation/include" - "components/service/attestation/provider" - "components/service/attestation/provider/serializer/packed-c" -+ "components/service/attestation/reporter/psa_ipc" -+ "components/service/attestation/client/psa_ipc" - "components/rpc/openamp/caller/sp" - - # Stub 
service provider backends - "components/rpc/dummy" - "components/rpc/common/caller" -- "components/service/attestation/reporter/stub" -- "components/service/attestation/key_mngr/stub" -- "components/service/crypto/backend/stub" -+ "components/service/attestation/key_mngr/local" -+ "components/service/crypto/backend/psa_ipc" - "components/service/crypto/client/psa" - "components/service/secure_storage/backend/mock_store" - ) -diff --git a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch b/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch -deleted file mode 100644 -index 6664961ab662..000000000000 ---- a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch -+++ /dev/null -@@ -1,29 +0,0 @@ --From dbd25f94eb62a9855bf342dd97503a49ea50f83e Mon Sep 17 00:00:00 2001 --From: Gyorgy Szing --Date: Tue, 8 Feb 2022 17:06:37 +0000 --Subject: [PATCH 1/1] Disable using hard-coded attestation key -- --Modify platform config to disable using a hard-coded attestation --key. 
-- --Signed-off-by: Gyorgy Szing ----- -- api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h | 2 +- -- 1 file changed, 1 insertion(+), 1 deletion(-) -- --diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --index 6112ba7..1cdf581 100755 ----- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --+++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --@@ -60,7 +60,7 @@ typedef uint32_t cfg_id_t; -- #define CRYPTO_VERSION_BETA3 -- -- /* Use hardcoded public key */ ---#define PLATFORM_OVERRIDE_ATTEST_PK --+//#define PLATFORM_OVERRIDE_ATTEST_PK -- -- /* -- * Include of PSA defined Header files ---- --2.17.1 -- -diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake -index a8b77a1fc05e..1995df3e0b49 100644 ---- a/external/psa_arch_tests/psa_arch_tests.cmake -+++ b/external/psa_arch_tests/psa_arch_tests.cmake -@@ -15,10 +15,6 @@ set(GIT_OPTIONS - GIT_REPOSITORY ${PSA_ARCH_TESTS_URL} - GIT_TAG ${PSA_ARCH_TESTS_REFSPEC} - GIT_SHALLOW FALSE -- PATCH_COMMAND git stash -- COMMAND git tag -f ts-before-am -- COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-Disable-using-hard-coded-attestation-key.patch -- COMMAND git reset ts-before-am - ) - - # Ensure list of defines is separated correctly --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch deleted file mode 100644 index 5803cc17dc..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch +++ /dev/null 
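Review bot: In psa_initial_attest_get_token_size (iat_ipc_client.c hunk), `challenge_size` is a `size_t` but is marshalled as `{ .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)}`, and `token_size` (a `size_t *`) is filled through an outvec of `.len = sizeof(uint32_t)`; on a 64-bit build only the low half of each value crosses the IPC boundary and the upper half of `*token_size` is never written. Marshal through explicit 32-bit locals (`uint32_t challenge_size32 = challenge_size; uint32_t token_size32 = 0;`) and assign `*token_size = token_size32` only when `status == PSA_SUCCESS`. The same function dereferences `token_size` with no NULL check, and psa_initial_attest_get_token, which does reject a NULL `token_buf`, likewise writes `*token_size` unchecked.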
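Review bot: In the attest_proxy_create hunk (service_proxy_factory.c), the status returned by `psa_iat_client_init(&openamp.rpc_caller)` is discarded, so a failed client initialisation still hands back a usable-looking `attest_iface` whose token requests will only fail later, with no signal at setup time. Check the status and return NULL on failure, as the hunk already does for `openamp_caller_init`. The new `attest_caller` local is also only used for that NULL check, since the client is initialised with `&openamp.rpc_caller` directly; consider passing `attest_caller` to psa_iat_client_init so the two stay tied together.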
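Review bot: The hunks removing external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch and its `git am` step in psa_arch_tests.cmake put `#define PLATFORM_OVERRIDE_ATTEST_PK` back in force, so the arch tests return to verifying attestation tokens against a hard-coded public key. Nothing in the visible commit text explains why that is now the intended behaviour; the se-proxy.cmake hunk swaps `components/service/attestation/key_mngr/stub` for `components/service/attestation/key_mngr/local`, so if the local key manager now serves the key the tests expect, please say so in the message and confirm the hard-coded key stays confined to the test harness rather than the deployment.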
@@ -1,163 +0,0 @@ -From 4240977f7c38950f5edb316bb08ae05cb7b99875 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Thu, 9 Dec 2021 14:11:06 +0000 -Subject: [PATCH 11/20] Setup its backend as openamp rpc using secure storage - ipc implementation. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva ---- - components/service/common/include/psa/sid.h | 12 +++++----- - .../secure_storage_ipc/secure_storage_ipc.c | 20 ++++++++--------- - .../secure_storage_ipc/secure_storage_ipc.h | 1 + - .../se-proxy/common/service_proxy_factory.c | 22 +++++++++++++------ - 4 files changed, 32 insertions(+), 23 deletions(-) - -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 833f5039425f..4a951d4a3502 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -20,12 +20,12 @@ extern "C" { - /* Invalid UID */ - #define TFM_PS_INVALID_UID 0 - --/* PS message types that distinguish PS services. */ --#define TFM_PS_SET 1001 --#define TFM_PS_GET 1002 --#define TFM_PS_GET_INFO 1003 --#define TFM_PS_REMOVE 1004 --#define TFM_PS_GET_SUPPORT 1005 -+/* PS / ITS message types that distinguish PS services. 
*/ -+#define TFM_PS_ITS_SET 1001 -+#define TFM_PS_ITS_GET 1002 -+#define TFM_PS_ITS_GET_INFO 1003 -+#define TFM_PS_ITS_REMOVE 1004 -+#define TFM_PS_ITS_GET_SUPPORT 1005 - - /******** TFM_SP_ITS ********/ - #define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID (0x00000070U) -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -index bda442a61d5c..0e1b48c0d2e2 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c -@@ -31,8 +31,8 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, - - ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); -+ psa_status = psa_call(caller, ipc->service_handle, TFM_PS_ITS_SET, -+ in_vec, IOVEC_LEN(in_vec), NULL, 0); - if (psa_status < 0) - EMSG("ipc_set: psa_call failed: %d", psa_status); - -@@ -65,8 +65,8 @@ static psa_status_t secure_storage_ipc_get(void *context, - return PSA_ERROR_INVALID_ARGUMENT; - } - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_GET, in_vec, IOVEC_LEN(in_vec), -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec), - out_vec, IOVEC_LEN(out_vec)); - if (psa_status == PSA_SUCCESS) - *p_data_length = out_vec[0].len; -@@ -92,8 +92,8 @@ static psa_status_t secure_storage_ipc_get_info(void *context, - - (void)client_id; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_GET_INFO, in_vec, -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_GET_INFO, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - if (psa_status != PSA_SUCCESS) - EMSG("ipc_get_info: failed to psa_call: %d", psa_status); -@@ 
-115,8 +115,8 @@ static psa_status_t secure_storage_ipc_remove(void *context, - - (void)client_id; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_REMOVE, in_vec, -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_REMOVE, in_vec, - IOVEC_LEN(in_vec), NULL, 0); - if (psa_status != PSA_SUCCESS) - EMSG("ipc_remove: failed to psa_call: %d", psa_status); -@@ -169,8 +169,8 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id) - - (void)client_id; - -- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -- TFM_PS_GET_SUPPORT, NULL, 0, -+ psa_status = psa_call(caller, ipc->service_handle, -+ TFM_PS_ITS_GET_SUPPORT, NULL, 0, - out_vec, IOVEC_LEN(out_vec)); - if (psa_status != PSA_SUCCESS) - EMSG("ipc_get_support: failed to psa_call: %d", psa_status); -diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -index e8c1e8fd2f92..d9949f6a9305 100644 ---- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h -@@ -21,6 +21,7 @@ struct secure_storage_ipc - { - struct storage_backend backend; - struct service_client client; -+ int32_t service_handle; - }; - - /** -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 4b8cceccbe4d..1110ac46bf8b 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -5,6 +5,7 @@ - */ - - #include -+#include - #include - #include - #include -@@ -60,23 +61,30 @@ struct rpc_interface *ps_proxy_create(void) - { - static struct secure_storage_provider ps_provider; - static struct secure_storage_ipc ps_backend; -- static struct rpc_caller *storage_caller; -+ struct rpc_caller 
*storage_caller; - struct storage_backend *backend; - - storage_caller = openamp_caller_init(&openamp); - if (!storage_caller) - return NULL; - backend = secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller); -+ ps_backend.service_handle = TFM_PROTECTED_STORAGE_SERVICE_HANDLE; - - return secure_storage_provider_init(&ps_provider, backend); - } - - struct rpc_interface *its_proxy_create(void) - { -- static struct mock_store its_backend; -- static struct secure_storage_provider its_provider; -- -- struct storage_backend *backend = mock_store_init(&its_backend); -- -- return secure_storage_provider_init(&its_provider, backend); -+ static struct secure_storage_provider its_provider; -+ static struct secure_storage_ipc its_backend; -+ struct rpc_caller *storage_caller; -+ struct storage_backend *backend; -+ -+ storage_caller = openamp_caller_init(&openamp); -+ if (!storage_caller) -+ return NULL; -+ backend = secure_storage_ipc_init(&its_backend, &openamp.rpc_caller); -+ its_backend.service_handle = TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE; -+ -+ return secure_storage_provider_init(&its_provider, backend); - } --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-add-psa-ipc-crypto-backend.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-add-psa-ipc-crypto-backend.patch deleted file mode 100644 index 67ea7b8c56..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-add-psa-ipc-crypto-backend.patch +++ /dev/null 
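Review bot: In the ps_proxy_create and its_proxy_create hunks (service_proxy_factory.c), each proxy calls `openamp_caller_init(&openamp)` on the same file-scope `openamp` object, and attest_proxy_create in the earlier patch does the same, so the shared caller is re-initialised once per proxy created. Unless openamp_caller_init is documented as idempotent, initialise it once in a common setup path and let the proxies only take `&openamp.rpc_caller`. Separately, `ps_backend.service_handle` / `its_backend.service_handle` are assigned only after `secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller)` has returned; that is safe only as long as init never issues a psa_call through `ipc->service_handle` itself, so passing the handle as an argument to secure_storage_ipc_init would remove the ordering hazard and the window in which the field holds zero.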
@@ -1,2570 +0,0 @@ -From 0b5d96b1a9f927dc141047600edf2249af7022c5 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Thu, 9 Dec 2021 14:17:39 +0000 -Subject: [PATCH 12/20] add psa ipc crypto backend - -Add psa ipc crypto backend and attach it to se proxy -deployment. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - components/service/common/include/psa/sid.h | 73 +++++ - .../crypto/backend/psa_ipc/component.cmake | 21 ++ - .../backend/psa_ipc/crypto_ipc_backend.c | 26 ++ - .../backend/psa_ipc/crypto_ipc_backend.h | 70 ++++ - .../client/caller/psa_ipc/crypto_caller.h | 34 ++ - .../caller/psa_ipc/crypto_caller_aead.h | 252 +++++++++++++++ - .../crypto_caller_asymmetric_decrypt.h | 76 +++++ - .../crypto_caller_asymmetric_encrypt.h | 76 +++++ - .../caller/psa_ipc/crypto_caller_cipher.h | 246 +++++++++++++++ - .../caller/psa_ipc/crypto_caller_copy_key.h | 57 ++++ - .../psa_ipc/crypto_caller_destroy_key.h | 51 +++ - .../caller/psa_ipc/crypto_caller_export_key.h | 59 ++++ - .../psa_ipc/crypto_caller_export_public_key.h | 59 ++++ - .../psa_ipc/crypto_caller_generate_key.h | 55 ++++ - .../psa_ipc/crypto_caller_generate_random.h | 57 ++++ - .../crypto_caller_get_key_attributes.h | 56 ++++ - .../caller/psa_ipc/crypto_caller_hash.h | 220 +++++++++++++ - .../caller/psa_ipc/crypto_caller_import_key.h | 57 ++++ - .../psa_ipc/crypto_caller_key_attributes.h | 51 +++ - .../psa_ipc/crypto_caller_key_derivation.h | 298 ++++++++++++++++++ - .../client/caller/psa_ipc/crypto_caller_mac.h | 207 ++++++++++++ - .../caller/psa_ipc/crypto_caller_purge_key.h | 51 +++ - .../caller/psa_ipc/crypto_caller_sign_hash.h | 64 ++++ - .../psa_ipc/crypto_caller_verify_hash.h | 59 ++++ - .../crypto/include/psa/crypto_client_struct.h | 8 +- - .../service/crypto/include/psa/crypto_sizes.h | 2 +- - .../se-proxy/common/service_proxy_factory.c | 15 +- - .../providers/arm/corstone1000/platform.cmake | 2 + - 28 files changed, 2292 insertions(+), 10 deletions(-) - create mode 100644 
components/service/crypto/backend/psa_ipc/component.cmake - create mode 100644 components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c - create mode 100644 components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h - create mode 100644 
components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h - create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h - -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 4a951d4a3502..7a29cc253bad 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -37,6 +37,79 @@ extern "C" { - #define TFM_CRYPTO_VERSION (1U) - #define TFM_CRYPTO_HANDLE (0x40000100U) - -+/** -+ * \brief Define a progressive numerical value for each SID which can be used -+ * when dispatching the requests to the service -+ */ -+enum { -+ TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID = (0u), -+ TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID, -+ TFM_CRYPTO_OPEN_KEY_SID, -+ TFM_CRYPTO_CLOSE_KEY_SID, -+ TFM_CRYPTO_IMPORT_KEY_SID, -+ TFM_CRYPTO_DESTROY_KEY_SID, -+ TFM_CRYPTO_EXPORT_KEY_SID, -+ TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -+ TFM_CRYPTO_PURGE_KEY_SID, -+ TFM_CRYPTO_COPY_KEY_SID, -+ TFM_CRYPTO_HASH_COMPUTE_SID, -+ TFM_CRYPTO_HASH_COMPARE_SID, -+ TFM_CRYPTO_HASH_SETUP_SID, -+ TFM_CRYPTO_HASH_UPDATE_SID, -+ TFM_CRYPTO_HASH_FINISH_SID, -+ TFM_CRYPTO_HASH_VERIFY_SID, -+ TFM_CRYPTO_HASH_ABORT_SID, -+ TFM_CRYPTO_HASH_CLONE_SID, -+ TFM_CRYPTO_MAC_COMPUTE_SID, -+ TFM_CRYPTO_MAC_VERIFY_SID, -+ TFM_CRYPTO_MAC_SIGN_SETUP_SID, -+ TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -+ TFM_CRYPTO_MAC_UPDATE_SID, -+ TFM_CRYPTO_MAC_SIGN_FINISH_SID, -+ TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -+ TFM_CRYPTO_MAC_ABORT_SID, -+ TFM_CRYPTO_CIPHER_ENCRYPT_SID, -+ TFM_CRYPTO_CIPHER_DECRYPT_SID, -+ TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -+ TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -+ TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -+ TFM_CRYPTO_CIPHER_SET_IV_SID, -+ TFM_CRYPTO_CIPHER_UPDATE_SID, -+ TFM_CRYPTO_CIPHER_FINISH_SID, -+ TFM_CRYPTO_CIPHER_ABORT_SID, -+ TFM_CRYPTO_AEAD_ENCRYPT_SID, -+ TFM_CRYPTO_AEAD_DECRYPT_SID, -+ TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -+ TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -+ 
TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -+ TFM_CRYPTO_AEAD_SET_NONCE_SID, -+ TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -+ TFM_CRYPTO_AEAD_UPDATE_AD_SID, -+ TFM_CRYPTO_AEAD_UPDATE_SID, -+ TFM_CRYPTO_AEAD_FINISH_SID, -+ TFM_CRYPTO_AEAD_VERIFY_SID, -+ TFM_CRYPTO_AEAD_ABORT_SID, -+ TFM_CRYPTO_SIGN_MESSAGE_SID, -+ TFM_CRYPTO_VERIFY_MESSAGE_SID, -+ TFM_CRYPTO_SIGN_HASH_SID, -+ TFM_CRYPTO_VERIFY_HASH_SID, -+ TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -+ TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -+ TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -+ TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -+ TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -+ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -+ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -+ TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -+ TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -+ TFM_CRYPTO_GENERATE_RANDOM_SID, -+ TFM_CRYPTO_GENERATE_KEY_SID, -+ TFM_CRYPTO_SID_MAX, -+}; -+ - /******** TFM_SP_PLATFORM ********/ - #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) - #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -diff --git a/components/service/crypto/backend/psa_ipc/component.cmake b/components/service/crypto/backend/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..93c297a83ac6 ---- /dev/null -+++ b/components/service/crypto/backend/psa_ipc/component.cmake -@@ -0,0 +1,21 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/crypto_ipc_backend.c" -+ ) -+ -+# The ipc crypto backend uses the psa crypto client to realize the -+# psa crypto API that the crypto provider depends on. This define -+# configures the psa crypto client to be built with the ipc crypto -+# caller. -+target_compile_definitions(${TGT} PRIVATE -+ PSA_CRYPTO_CLIENT_CALLER_SELECTION_H="service/crypto/client/caller/psa_ipc/crypto_caller.h" -+) -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c -new file mode 100644 -index 000000000000..e47cd4ffb4ce ---- /dev/null -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c -@@ -0,0 +1,26 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include -+#include -+#include "crypto_ipc_backend.h" -+ -+psa_status_t crypto_ipc_backend_init(struct rpc_caller *caller) -+{ -+ psa_status_t status = psa_crypto_client_init(caller); -+ -+ if (status == PSA_SUCCESS) -+ status = psa_crypto_init(); -+ -+ return status; -+} -+ -+void crypto_ipc_backend_deinit(void) -+{ -+ psa_crypto_client_deinit(); -+} -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -new file mode 100644 -index 000000000000..c13c20e84131 ---- /dev/null -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -0,0 +1,70 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CRYPTO_IPC_BACKEND_H -+#define CRYPTO_IPC_BACKEND_H -+ -+#include -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * \brief This type is used to overcome a limitation in the number of maximum -+ * IOVECs that can be used especially in psa_aead_encrypt and -+ * psa_aead_decrypt. To be removed in case the AEAD APIs number of -+ * parameters passed gets restructured -+ */ -+#define TFM_CRYPTO_MAX_NONCE_LENGTH (16u) -+struct psa_ipc_crypto_aead_pack_input { -+ uint8_t nonce[TFM_CRYPTO_MAX_NONCE_LENGTH]; -+ uint32_t nonce_length; -+}; -+ -+struct psa_ipc_crypto_pack_iovec { -+ uint32_t sfn_id; /*!< Secure function ID used to dispatch the -+ * request -+ */ -+ uint16_t step; /*!< Key derivation step */ -+ psa_key_id_t key_id; /*!< Key id */ -+ psa_algorithm_t alg; /*!< Algorithm */ -+ uint32_t op_handle; /*!< Frontend context handle associated to a -+ * multipart operation -+ */ -+ uint32_t capacity; /*!< Key derivation capacity */ -+ -+ struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for -+ * AEAD until the API is -+ * restructured -+ */ -+}; -+ -+#define iov_size sizeof(struct psa_ipc_crypto_pack_iovec) -+ -+/** -+ * \brief Initialize the psa ipc crypto backend -+ * -+ * Initializes a crypto backend that uses the psa API client with a -+ * psa_ipc_backend caller to realize the PSA crypto API used by the crypto -+ * service proviser. 
-+ * -+ * \return PSA_SUCCESS if backend initialized successfully -+ */ -+psa_status_t crypto_ipc_backend_init(struct rpc_caller *caller); -+ -+/** -+ * \brief Clean-up to free any resource used by the crypto backend -+ */ -+void crypto_ipc_backend_deinit(void); -+ -+#ifdef __cplusplus -+} /* extern "C" */ -+#endif -+ -+#endif /* CRYPTO_IPC_BACKEND_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h -new file mode 100644 -index 000000000000..0a972187062f ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h -@@ -0,0 +1,34 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_H -+#define PSA_IPC_CRYPTO_CALLER_H -+ -+/** -+ * Includes all header files that form the psa ipc crypto caller -+ * interface. May be used by a client that needs to call operations -+ * provided by a crypto service instance using the psa ipc interface. 
-+ */ -+#include "crypto_caller_aead.h" -+#include "crypto_caller_asymmetric_decrypt.h" -+#include "crypto_caller_asymmetric_encrypt.h" -+#include "crypto_caller_cipher.h" -+#include "crypto_caller_copy_key.h" -+#include "crypto_caller_destroy_key.h" -+#include "crypto_caller_export_key.h" -+#include "crypto_caller_export_public_key.h" -+#include "crypto_caller_generate_key.h" -+#include "crypto_caller_generate_random.h" -+#include "crypto_caller_get_key_attributes.h" -+#include "crypto_caller_hash.h" -+#include "crypto_caller_import_key.h" -+#include "crypto_caller_key_derivation.h" -+#include "crypto_caller_mac.h" -+#include "crypto_caller_purge_key.h" -+#include "crypto_caller_sign_hash.h" -+#include "crypto_caller_verify_hash.h" -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -new file mode 100644 -index 000000000000..78517fe32ca9 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -0,0 +1,252 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_AEAD_H -+#define PSA_IPC_CRYPTO_CALLER_AEAD_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_aead_encrypt( -+ struct service_client *context, -+ psa_key_id_t key, -+ psa_algorithm_t alg, -+ const uint8_t *nonce, -+ size_t nonce_length, -+ const uint8_t *additional_data, -+ size_t additional_data_length, -+ const uint8_t *plaintext, -+ size_t plaintext_length, -+ uint8_t *aeadtext, -+ size_t aeadtext_size, -+ size_t *aeadtext_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ int i; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID, -+ .key_id = key, -+ .alg = alg, -+ .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -+ }; -+ -+ if (!additional_data && additional_data_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(plaintext), -+ .len = plaintext_length }, -+ { .base = psa_ptr_const_to_u32(additional_data), -+ .len = additional_data_length}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(aeadtext), .len = aeadtext_size }, -+ }; -+ -+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ if (nonce) { -+ for (i = 0; i < nonce_length; i++) -+ iov.aead_in.nonce[i] = nonce[i]; -+ } -+ -+ in_len = IOVEC_LEN(in_vec); -+ -+ if (!additional_data) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *aeadtext_length = out_vec[0].len; -+ -+ return status; -+} -+ -+static inline 
psa_status_t crypto_caller_aead_decrypt( -+ struct service_client *context, -+ psa_key_id_t key, -+ psa_algorithm_t alg, -+ const uint8_t *nonce, -+ size_t nonce_length, -+ const uint8_t *additional_data, -+ size_t additional_data_length, -+ const uint8_t *aeadtext, -+ size_t aeadtext_length, -+ uint8_t *plaintext, -+ size_t plaintext_size, -+ size_t *plaintext_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ int i; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID, -+ .key_id = key, -+ .alg = alg, -+ .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -+ }; -+ -+ if (!additional_data && additional_data_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(aeadtext), -+ .len = aeadtext_length }, -+ { .base = psa_ptr_const_to_u32(additional_data), -+ .len = additional_data_length}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(plaintext), .len = plaintext_size }, -+ }; -+ -+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ if (nonce) { -+ for (i = 0; i < nonce_length; i++) -+ iov.aead_in.nonce[i] = nonce[i]; -+ } -+ -+ in_len = IOVEC_LEN(in_vec); -+ -+ if (!additional_data) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *plaintext_length = out_vec[0].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_aead_encrypt_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_decrypt_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ return 
PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_generate_nonce( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *nonce, -+ size_t nonce_size, -+ size_t *nonce_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_set_nonce( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *nonce, -+ size_t nonce_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_set_lengths( -+ struct service_client *context, -+ uint32_t op_handle, -+ size_t ad_length, -+ size_t plaintext_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_update_ad( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_update( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *aeadtext, -+ size_t aeadtext_size, -+ size_t *aeadtext_length, -+ uint8_t *tag, -+ size_t tag_size, -+ size_t *tag_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_verify( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *plaintext, -+ size_t plaintext_size, -+ size_t *plaintext_length, -+ const uint8_t *tag, -+ size_t tag_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_aead_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_AEAD_H */ 
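Review bot: In crypto_caller_aead_encrypt and crypto_caller_aead_decrypt (crypto_caller_aead.h hunk), a NULL `nonce` with a non-zero `nonce_length` is not rejected: the `if (nonce)` guard merely skips the copy, and the request leaves with `iov.aead_in.nonce` all zeros and `.nonce_length = nonce_length` as given, so the service would run the AEAD under an all-zero nonce. Sanitise it the same way `additional_data` is handled (`if (!nonce && nonce_length) return PSA_ERROR_INVALID_ARGUMENT;`), ahead of the copy. Two smaller points in the same hunk: `*aeadtext_length` / `*plaintext_length` are assigned from `out_vec[0].len` regardless of `status`, whereas psa_initial_attest_get_token in the earlier patch only does so on PSA_SUCCESS, so a caller of a failed call can be handed a stale buffer size as a valid length; and the loop index `int i` is compared against the `size_t` `nonce_length` (use `size_t i`).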
-diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -new file mode 100644 -index 000000000000..ff01815c09e9 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -@@ -0,0 +1,76 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H -+#define PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_asymmetric_decrypt( -+ struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *input, size_t input_length, -+ const uint8_t *salt, size_t salt_length, -+ uint8_t *output, size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ -+ /* Sanitize optional input */ -+ if (!salt && salt_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ { .base = psa_ptr_const_to_u32(salt), .len = salt_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ -+ in_len = IOVEC_LEN(in_vec); -+ if (!salt) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ 
*output_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -new file mode 100644 -index 000000000000..1daf1689c076 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -@@ -0,0 +1,76 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H -+#define PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_asymmetric_encrypt( -+ struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *input, size_t input_length, -+ const uint8_t *salt, size_t salt_length, -+ uint8_t *output, size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ size_t in_len; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ -+ /* Sanitize optional input */ -+ if (!salt && salt_length) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ { .base = psa_ptr_const_to_u32(salt), .len = salt_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ -+ in_len = 
IOVEC_LEN(in_vec); -+ if (!salt) -+ in_len--; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -new file mode 100644 -index 000000000000..fbefb28d813a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -@@ -0,0 +1,246 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_CIPHER_H -+#define PSA_IPC_CRYPTO_CALLER_CIPHER_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_cipher_encrypt_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_decrypt_setup( -+ struct service_client *context, -+ uint32_t 
*op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_generate_iv( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *iv, -+ size_t iv_size, -+ size_t *iv_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(iv), .len = iv_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *iv_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_set_iv( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *iv, -+ size_t iv_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_SET_IV_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = 
psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(iv), .len = iv_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_update( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = 
psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_cipher_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_CIPHER_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline size_t crypto_caller_cipher_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the cipher_update operation -+ * using the ipc encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ /* Allow for output to be a whole number of blocks */ -+ overhead += PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_CIPHER_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -new file mode 100644 -index 000000000000..9a988171b098 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_COPY_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_COPY_KEY_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_copy_key(struct service_client *context, -+ psa_key_id_t source_key, -+ const psa_key_attributes_t *attributes, -+ psa_key_id_t *target_key) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_COPY_KEY_SID, -+ .key_id = source_key, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(target_key), .len = sizeof(psa_key_id_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_COPY_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -new file mode 100644 -index 000000000000..d00f4faa7a52 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_destroy_key(struct service_client *context, -+ psa_key_id_t id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_DESTROY_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -new file mode 100644 -index 000000000000..8ac5477f7b9a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -@@ -0,0 +1,59 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_export_key(struct service_client *context, -+ psa_key_id_t id, -+ uint8_t *data, -+ size_t data_size, -+ size_t *data_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_EXPORT_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(data), .len = data_size } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *data_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -new file mode 100644 -index 000000000000..b24c47f1257e ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -@@ -0,0 +1,59 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_export_public_key(struct service_client *context, -+ psa_key_id_t id, -+ uint8_t *data, -+ size_t data_size, -+ size_t *data_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(data), .len = data_size } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *data_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -new file mode 100644 -index 000000000000..1b66ed4020de ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -@@ -0,0 +1,55 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_generate_key(struct service_client *context, -+ const psa_key_attributes_t *attributes, -+ psa_key_id_t *id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_GENERATE_KEY_SID, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(id), .len = sizeof(psa_key_id_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -new file mode 100644 -index 000000000000..7c538237805a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H -+#define PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_generate_random(struct service_client *context, -+ uint8_t *output, -+ size_t output_size) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_GENERATE_RANDOM_SID, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size } -+ }; -+ -+ if (!output_size) -+ return PSA_SUCCESS; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -new file mode 100644 -index 000000000000..22f1d18f1476 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -@@ -0,0 +1,56 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H -+#define PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_get_key_attributes( -+ struct service_client *context, -+ psa_key_id_t key, -+ psa_key_attributes_t *attributes) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, -+ .key_id = key, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(attributes), .len = sizeof(psa_key_attributes_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -new file mode 100644 -index 000000000000..9f37908a2f25 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -@@ -0,0 +1,220 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_HASH_H -+#define PSA_IPC_CRYPTO_CALLER_HASH_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_hash_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_SETUP_SID, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_update( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_finish( -+ struct service_client *context, -+ 
uint32_t op_handle, -+ uint8_t *hash, -+ size_t hash_size, -+ size_t *hash_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(hash), .len = hash_size}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *hash_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_verify( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *hash, -+ size_t hash_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_VERIFY_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length}, 
-+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_clone( -+ struct service_client *context, -+ uint32_t source_op_handle, -+ uint32_t *target_op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_HASH_CLONE_SID, -+ .op_handle = source_op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(target_op_handle), -+ .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_hash_suspend(struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *hash_state, -+ size_t hash_state_size, -+ size_t *hash_state_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline psa_status_t crypto_caller_hash_resume(struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *hash_state, -+ size_t hash_state_length) -+{ -+ return PSA_ERROR_NOT_SUPPORTED; -+} -+ -+static inline size_t crypto_caller_hash_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the hash_update operation -+ * using the packed-c encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? 
payload_space - overhead : 0; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_HASH_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -new file mode 100644 -index 000000000000..d47033662790 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_IMPORT_KEY_H -+#define PSA_IPC_CRYPTO_CALLER_IMPORT_KEY_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_import_key(struct service_client *context, -+ const psa_key_attributes_t *attributes, -+ const uint8_t *data, size_t data_length, -+ psa_key_id_t *id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_IMPORT_KEY_SID, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, -+ { .base = psa_ptr_const_to_u32(data), .len = data_length } -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(id), .len = sizeof(psa_key_id_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PACKEDC_CRYPTO_CALLER_IMPORT_KEY_H */ -diff --git 
a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h -new file mode 100644 -index 000000000000..2fad2f0a64e6 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H -+#define PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H -+ -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline void packedc_crypto_caller_translate_key_attributes_to_proto( -+ struct ts_crypto_key_attributes *proto_attributes, -+ const psa_key_attributes_t *psa_attributes) -+{ -+ proto_attributes->type = psa_get_key_type(psa_attributes); -+ proto_attributes->key_bits = psa_get_key_bits(psa_attributes); -+ proto_attributes->lifetime = psa_get_key_lifetime(psa_attributes); -+ proto_attributes->id = psa_get_key_id(psa_attributes); -+ -+ proto_attributes->policy.usage = psa_get_key_usage_flags(psa_attributes); -+ proto_attributes->policy.alg = psa_get_key_algorithm(psa_attributes); -+ } -+ -+static inline void packedc_crypto_caller_translate_key_attributes_from_proto( -+ psa_key_attributes_t *psa_attributes, -+ const struct ts_crypto_key_attributes *proto_attributes) -+{ -+ psa_set_key_type(psa_attributes, proto_attributes->type); -+ psa_set_key_bits(psa_attributes, proto_attributes->key_bits); -+ psa_set_key_lifetime(psa_attributes, proto_attributes->lifetime); -+ -+ if (proto_attributes->lifetime == PSA_KEY_LIFETIME_PERSISTENT) { -+ -+ psa_set_key_id(psa_attributes, proto_attributes->id); -+ } -+ -+ psa_set_key_usage_flags(psa_attributes, proto_attributes->policy.usage); -+ psa_set_key_algorithm(psa_attributes, proto_attributes->policy.alg); -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* 
PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -new file mode 100644 -index 000000000000..5ce4fb6cca82 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -@@ -0,0 +1,298 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H -+#define PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_key_derivation_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_get_capacity( -+ struct service_client *context, -+ const uint32_t op_handle, -+ size_t *capacity) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -+ .op_handle = 
op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(capacity), .len = sizeof(uint32_t) } -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_set_capacity( -+ struct service_client *context, -+ uint32_t op_handle, -+ size_t capacity) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -+ .capacity = capacity, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_input_bytes( -+ struct service_client *context, -+ uint32_t op_handle, -+ psa_key_derivation_step_t step, -+ const uint8_t *data, -+ size_t data_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -+ .step = step, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(data), .len = data_length }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_input_key( -+ struct service_client *context, -+ uint32_t op_handle, -+ psa_key_derivation_step_t step, -+ psa_key_id_t key) -+{ -+ struct service_client *ipc = 
context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -+ .key_id = key, -+ .step = step, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_output_bytes( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *output, -+ size_t output_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_length }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_output_key( -+ struct service_client *context, -+ const psa_key_attributes_t *attributes, -+ uint32_t op_handle, -+ psa_key_id_t *key) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(attributes), -+ .len = sizeof(psa_key_attributes_t) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(key), .len = sizeof(psa_key_id_t)}, -+ }; -+ -+ status = psa_call(caller, 
TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_key_derivation_key_agreement( -+ struct service_client *context, -+ uint32_t op_handle, -+ psa_key_derivation_step_t step, -+ psa_key_id_t private_key, -+ const uint8_t *peer_key, -+ size_t peer_key_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -+ .key_id = private_key, -+ .step = step, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(peer_key), -+ .len = peer_key_length}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_raw_key_agreement( -+ struct service_client *context, -+ psa_algorithm_t alg, -+ psa_key_id_t private_key, -+ const uint8_t *peer_key, -+ size_t peer_key_length, -+ uint8_t *output, -+ size_t output_size, -+ size_t *output_length) -+{ -+ struct service_client *ipc = context; 
-+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -+ .alg = alg, -+ .key_id = private_key, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(peer_key), -+ .len = peer_key_length}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(output), .len = output_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -new file mode 100644 -index 000000000000..3a820192495a ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -@@ -0,0 +1,207 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_MAC_H -+#define PSA_IPC_CRYPTO_CALLER_MAC_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_mac_sign_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_verify_setup( -+ struct service_client *context, -+ uint32_t *op_handle, -+ psa_key_id_t key, -+ psa_algorithm_t alg) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = *op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_update( -+ struct 
service_client *context, -+ uint32_t op_handle, -+ const uint8_t *input, -+ size_t input_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(input), .len = input_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_sign_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ uint8_t *mac, -+ size_t mac_size, -+ size_t *mac_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_SIGN_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_to_u32(mac), .len = mac_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *mac_length = out_vec[1].len; -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_verify_finish( -+ struct service_client *context, -+ uint32_t op_handle, -+ const uint8_t *mac, -+ size_t mac_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -+ .op_handle = op_handle, 
-+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(mac), .len = mac_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline psa_status_t crypto_caller_mac_abort( -+ struct service_client *context, -+ uint32_t op_handle) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_MAC_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -+ -+static inline size_t crypto_caller_mac_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the mac_update operation -+ * using the packed-c encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? 
payload_space - overhead : 0; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_MAC_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -new file mode 100644 -index 000000000000..a3a796e2166c ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PACKEDC_CRYPTO_CALLER_PURGE_KEY_H -+#define PACKEDC_CRYPTO_CALLER_PURGE_KEY_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_purge_key(struct service_client *context, -+ psa_key_id_t id) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_PURGE_KEY_SID, -+ .key_id = id, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PACKEDC_CRYPTO_CALLER_PURGE_KEY_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -new file mode 100644 -index 000000000000..71d88cededf5 ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -0,0 +1,64 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H -+#define PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_sign_hash(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ uint8_t *signature, -+ size_t signature_size, -+ size_t *signature_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_SIGN_HASH_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(signature), .len = signature_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *signature_length = out_vec[0].len; -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H */ -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -new file mode 100644 -index 000000000000..e16f6e5450af ---- /dev/null -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -0,0 +1,59 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H -+#define PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "crypto_caller_key_attributes.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ const uint8_t *signature, -+ size_t signature_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, -+ { .base = psa_ptr_const_to_u32(signature), .len = signature_length}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), NULL, 0); -+ -+ return status; -+} -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H */ -diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h -index abd420c82607..bf95c9821e55 100644 ---- a/components/service/crypto/include/psa/crypto_client_struct.h -+++ b/components/service/crypto/include/psa/crypto_client_struct.h -@@ -31,12 +31,12 @@ extern "C" { - * data structure internally. 
*/ - struct psa_client_key_attributes_s - { -+ uint16_t type; -+ uint16_t bits; - uint32_t lifetime; -- uint32_t id; -- uint32_t alg; -+ psa_key_id_t id; - uint32_t usage; -- size_t bits; -- uint16_t type; -+ uint32_t alg; - }; - - #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} -diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 7a0149bbca62..4d7bf6e959b0 100644 ---- a/components/service/crypto/include/psa/crypto_sizes.h -+++ b/components/service/crypto/include/psa/crypto_sizes.h -@@ -81,7 +81,7 @@ - #define PSA_HASH_MAX_SIZE 64 - #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128 - #else --#define PSA_HASH_MAX_SIZE 32 -+#define PSA_HASH_MAX_SIZE 64 - #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64 - #endif - -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 1110ac46bf8b..7edeef8b434a 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -15,7 +15,7 @@ - #include - - /* Stub backends */ --#include -+#include - #include - #include - -@@ -47,12 +47,17 @@ struct rpc_interface *crypto_proxy_create(void) - { - struct rpc_interface *crypto_iface = NULL; - struct crypto_provider *crypto_provider; -+ struct rpc_caller *crypto_caller; - -- if (stub_crypto_backend_init() == PSA_SUCCESS) { -+ crypto_caller = openamp_caller_init(&openamp); -+ if (!crypto_caller) -+ return NULL; -+ -+ if (crypto_ipc_backend_init(&openamp.rpc_caller) != PSA_SUCCESS) -+ return NULL; - -- crypto_provider = crypto_provider_factory_create(); -- crypto_iface = service_provider_get_rpc_interface(&crypto_provider->base_provider); -- } -+ crypto_provider = crypto_provider_factory_create(); -+ crypto_iface = service_provider_get_rpc_interface(&crypto_provider->base_provider); - - return crypto_iface; - } -diff --git a/platform/providers/arm/corstone1000/platform.cmake 
b/platform/providers/arm/corstone1000/platform.cmake -index bb778bb9719b..51e5faa3e4d8 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -8,3 +8,5 @@ - - # include MHU driver - include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) -+ -+add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Add-stub-capsule-update-service-components.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Add-stub-capsule-update-service-components.patch deleted file mode 100644 index 0040e12727..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Add-stub-capsule-update-service-components.patch +++ /dev/null 
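Review bot: the include guards in the new psa_ipc headers are inconsistent: crypto_caller_import_key.h opens with `#ifndef PSA_IPC_CRYPTO_CALLER_IMPORT_KEY_H` but closes with `#endif /* PACKEDC_CRYPTO_CALLER_IMPORT_KEY_H */`, and crypto_caller_key_attributes.h and crypto_caller_purge_key.h keep `PACKEDC_` guards although they live under caller/psa_ipc/. The `packedc_crypto_caller_translate_key_attributes_to_proto()` / `_from_proto()` helpers also keep the packed-c prefix and are not called by any of the psa_ipc callers shown here, which pass the psa_key_attributes_t struct across the IPC verbatim; either rename them into the psa_ipc namespace or drop the header and the `#include "crypto_caller_key_attributes.h"` lines that pull it in. Likewise crypto_caller_mac_max_update_size() documents its result as "using the packed-c encoding" while the overhead it subtracts is the psa_ipc iov_size; fix the comment.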
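Review bot: in crypto_caller_key_derivation_get_capacity() the output parameter is declared `size_t *capacity` but the outvec is `{ .base = psa_ptr_to_u32(capacity), .len = sizeof(uint32_t) }`. On a caller where size_t is wider than 32 bits only the low four bytes of *capacity are written and the remaining bytes keep whatever the caller had there. The companion crypto_caller_key_derivation_set_capacity() packs `capacity` into the iov struct, so the wire width is evidently 32 bits; receive into a local `uint32_t` and assign it to `*capacity` after a successful call rather than aliasing a size_t with a four-byte outvec.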
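Review bot: crypto_caller_key_derivation_abort(), crypto_caller_mac_update(), crypto_caller_mac_sign_finish(), crypto_caller_mac_verify_finish() and crypto_caller_mac_abort() take `uint32_t op_handle` by value and then hand `{ .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }` to the service as an outvec, so whatever the service writes back (for example the cleared handle after abort) lands in a local copy and is lost when the function returns. Either take `uint32_t *op_handle` as the *_setup() functions do and pass `psa_ptr_to_u32(op_handle)`, or drop the outvec where the write-back is intentionally ignored; the current form misleads maintainers into thinking the caller's handle is updated.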
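Review bot: crypto_caller_raw_key_agreement(), crypto_caller_sign_hash() and crypto_caller_mac_sign_finish() unconditionally do `*output_length = out_vec[0].len;` (resp. `*mac_length = out_vec[1].len;`) after psa_call(). If the call fails and the callee leaves the outvec length untouched, the caller is told that a full buffer's worth of bytes is valid. Guard the assignment with `if (status == PSA_SUCCESS)` and set the length to 0 otherwise, so a caller that ignores the status cannot act on a stale length.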
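Review bot: the length of the leading iovec header is written two ways in the same series: `.len = iov_size` in crypto_caller_key_derivation.h, crypto_caller_mac.h and crypto_caller_sign_hash.h, but `.len = sizeof(struct psa_ipc_crypto_pack_iovec)` in crypto_caller_import_key.h, crypto_caller_purge_key.h and crypto_caller_verify_hash.h. Pick one spelling (iov_size, assuming it is defined as that sizeof) so a later change to the struct cannot leave the two forms out of step.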
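Review bot: the reordered `struct psa_client_key_attributes_s` in crypto_client_struct.h is now sent byte-for-byte across the IPC (`{ .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }` in crypto_caller_import_key() and crypto_caller_key_derivation_output_key()), so its field order, widths and padding must match the secure side's definition exactly. Add a comment naming the definition it mirrors and a static assertion on sizeof() so a later field change cannot silently corrupt key attributes in transit. Narrowing `bits` from size_t to uint16_t also means psa_set_key_bits() now truncates values above 65535 without any diagnostic; harmless for real key sizes, but worth a note next to the field.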
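Review bot: the crypto_sizes.h hunk sets `PSA_HASH_MAX_SIZE 64` in the `#else` arm as well, so both arms of the conditional now define the same value while `PSA_HMAC_MAX_HASH_BLOCK_SIZE` still differs between them. If the intent is that the proxy must always be able to carry a SHA-512 digest coming back from the secure enclave regardless of the local hash configuration, say so in a comment and hoist the define out of the conditional; as written the `#if`/`#else` no longer distinguishes anything for PSA_HASH_MAX_SIZE and looks like an accident.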
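Review bot: in crypto_proxy_create() the pointer returned by `openamp_caller_init(&openamp)` is only NULL-checked and then discarded, while the next line reaches into the object directly with `crypto_ipc_backend_init(&openamp.rpc_caller)`; pass `crypto_caller` so the dependency between the two calls is explicit. When crypto_ipc_backend_init() fails the function returns NULL without undoing the caller initialisation it just performed, so add the matching teardown on that path or document that a half-initialised `openamp` is acceptable.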
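Review bot: `add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED)` in corstone1000/platform.cmake enables a curve for every target built for the platform through a bare global definition instead of the mbedtls configuration header, and the hunk carries no comment saying why P-521 is required here. State the reason next to the line so it is not removed as stray, and consider scoping it to the targets that actually link mbedtls.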
@@ -1,436 +0,0 @@ -From 050be6fdfee656b0556766cc1db30f4c0ea87c79 Mon Sep 17 00:00:00 2001 -From: Julian Hall -Date: Tue, 12 Oct 2021 15:45:41 +0100 -Subject: [PATCH 13/20] Add stub capsule update service components - -To facilitate development of a capsule update service provider, -stub components are added to provide a starting point for an -implementation. The capsule update service provider is integrated -into the se-proxy/common deployment. - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Julian Hall -Change-Id: I0d4049bb4de5af7ca80806403301692507085d28 -Signed-off-by: Rui Miguel Silva ---- - .../backend/capsule_update_backend.h | 24 ++++ - .../provider/capsule_update_provider.c | 133 ++++++++++++++++++ - .../provider/capsule_update_provider.h | 51 +++++++ - .../capsule_update/provider/component.cmake | 13 ++ - deployments/se-proxy/common/se_proxy_sp.c | 3 + - .../se-proxy/common/service_proxy_factory.c | 16 +++ - .../se-proxy/common/service_proxy_factory.h | 1 + - deployments/se-proxy/se-proxy.cmake | 1 + - deployments/se-proxy/se_proxy_interfaces.h | 9 +- - .../capsule_update/capsule_update_proto.h | 13 ++ - protocols/service/capsule_update/opcodes.h | 17 +++ - protocols/service/capsule_update/parameters.h | 15 ++ - 12 files changed, 292 insertions(+), 4 deletions(-) - create mode 100644 components/service/capsule_update/backend/capsule_update_backend.h - create mode 100644 components/service/capsule_update/provider/capsule_update_provider.c - create mode 100644 components/service/capsule_update/provider/capsule_update_provider.h - create mode 100644 components/service/capsule_update/provider/component.cmake - create mode 100644 protocols/service/capsule_update/capsule_update_proto.h - create mode 100644 protocols/service/capsule_update/opcodes.h - create mode 100644 protocols/service/capsule_update/parameters.h - -diff --git a/components/service/capsule_update/backend/capsule_update_backend.h 
b/components/service/capsule_update/backend/capsule_update_backend.h -new file mode 100644 -index 000000000000..f3144ff1d7d5 ---- /dev/null -+++ b/components/service/capsule_update/backend/capsule_update_backend.h -@@ -0,0 +1,24 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CAPSULE_UPDATE_BACKEND_H -+#define CAPSULE_UPDATE_BACKEND_H -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * Defines the common capsule update backend interface. Concrete backends -+ * implement this interface for different types of platform. -+ */ -+ -+ -+#ifdef __cplusplus -+} /* extern "C" */ -+#endif -+ -+#endif /* CAPSULE_UPDATE_BACKEND_H */ -diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c -new file mode 100644 -index 000000000000..e133753f8560 ---- /dev/null -+++ b/components/service/capsule_update/provider/capsule_update_provider.c -@@ -0,0 +1,133 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include "capsule_update_provider.h" -+ -+ -+#define CAPSULE_UPDATE_REQUEST (0x1) -+#define KERNEL_STARTED_EVENT (0x2) -+ -+enum corstone1000_ioctl_id_t { -+ IOCTL_CORSTONE1000_FWU_FLASH_IMAGES = 0, -+ IOCTL_CORSTONE1000_FWU_HOST_ACK, -+}; -+ -+/* Service request handlers */ -+static rpc_status_t update_capsule_handler(void *context, struct call_req *req); -+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req); -+ -+/* Handler mapping table for service */ -+static const struct service_handler handler_table[] = { -+ {CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE, update_capsule_handler}, -+ {CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED, boot_confirmed_handler} -+}; -+ -+struct rpc_interface *capsule_update_provider_init( -+ struct capsule_update_provider *context) -+{ -+ struct rpc_interface *rpc_interface = NULL; -+ -+ if (context) { -+ -+ service_provider_init( -+ &context->base_provider, -+ context, -+ handler_table, -+ sizeof(handler_table)/sizeof(struct service_handler)); -+ -+ rpc_interface = service_provider_get_rpc_interface(&context->base_provider); -+ } -+ -+ return rpc_interface; -+} -+ -+void capsule_update_provider_deinit(struct capsule_update_provider *context) -+{ -+ (void)context; -+} -+ -+static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) -+{ -+ uint32_t ioctl_id; -+ psa_handle_t handle; -+ rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED; -+ -+ struct psa_invec in_vec[] = { -+ { .base = &ioctl_id, .len = sizeof(ioctl_id) } -+ }; -+ -+ if(!caller) { -+ EMSG("event_handler rpc_caller is NULL"); -+ rpc_status = TS_RPC_ERROR_RESOURCE_FAILURE; -+ return rpc_status; -+ } -+ -+ IMSG("event handler opcode %x", opcode); -+ switch(opcode) { -+ case CAPSULE_UPDATE_REQUEST: -+ /* Openamp call with IOCTL for firmware update*/ -+ ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES; -+ handle = psa_connect(caller, 
TFM_SP_PLATFORM_IOCTL_SID, -+ TFM_SP_PLATFORM_IOCTL_VERSION); -+ if (handle <= 0) { -+ EMSG("%s Invalid handle", __func__); -+ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; -+ return rpc_status; -+ } -+ psa_call(caller,handle, PSA_IPC_CALL, -+ in_vec,IOVEC_LEN(in_vec), NULL, 0); -+ break; -+ -+ case KERNEL_STARTED_EVENT: -+ ioctl_id = IOCTL_CORSTONE1000_FWU_HOST_ACK; -+ /*openamp call with IOCTL for kernel start*/ -+ handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, -+ TFM_SP_PLATFORM_IOCTL_VERSION); -+ if (handle <= 0) { -+ EMSG("%s Invalid handle", __func__); -+ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; -+ return rpc_status; -+ } -+ psa_call(caller,handle, PSA_IPC_CALL, -+ in_vec,IOVEC_LEN(in_vec), NULL, 0); -+ break; -+ default: -+ EMSG("%s unsupported opcode", __func__); -+ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; -+ return rpc_status; -+ } -+ return rpc_status; -+ -+} -+ -+static rpc_status_t update_capsule_handler(void *context, struct call_req *req) -+{ -+ struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context; -+ struct rpc_caller *caller = this_instance->client.caller; -+ uint32_t opcode = req->opcode; -+ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; -+ -+ rpc_status = event_handler(opcode, caller); -+ return rpc_status; -+} -+ -+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req) -+{ -+ struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context; -+ struct rpc_caller *caller = this_instance->client.caller; -+ uint32_t opcode = req->opcode; -+ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; -+ -+ rpc_status = event_handler(opcode, caller); -+ -+ return rpc_status; -+} -diff --git a/components/service/capsule_update/provider/capsule_update_provider.h b/components/service/capsule_update/provider/capsule_update_provider.h -new file mode 100644 -index 000000000000..3de49854ea90 ---- /dev/null -+++ 
b/components/service/capsule_update/provider/capsule_update_provider.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CAPSULE_UPDATE_PROVIDER_H -+#define CAPSULE_UPDATE_PROVIDER_H -+ -+#include -+#include -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * The capsule_update_provider is a service provider that accepts update capsule -+ * requests and delegates them to a suitable backend that applies the update. -+ */ -+struct capsule_update_provider -+{ -+ struct service_provider base_provider; -+ struct service_client client; -+}; -+ -+/** -+ * \brief Initialize an instance of the capsule update service provider -+ * -+ * @param[in] context The instance to initialize -+ * -+ * \return An rpc_interface or NULL on failure -+ */ -+struct rpc_interface *capsule_update_provider_init( -+ struct capsule_update_provider *context); -+ -+/** -+ * \brief Cleans up when the instance is no longer needed -+ * -+ * \param[in] context The instance to de-initialize -+ */ -+void capsule_update_provider_deinit( -+ struct capsule_update_provider *context); -+ -+#ifdef __cplusplus -+} /* extern "C" */ -+#endif -+ -+#endif /* CAPSULE_UPDATE_PROVIDER_H */ -diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake -new file mode 100644 -index 000000000000..1d412eb234d9 ---- /dev/null -+++ b/components/service/capsule_update/provider/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. 
-+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c" -+ ) -diff --git a/deployments/se-proxy/common/se_proxy_sp.c b/deployments/se-proxy/common/se_proxy_sp.c -index a37396f4454b..a38ad6ca3f56 100644 ---- a/deployments/se-proxy/common/se_proxy_sp.c -+++ b/deployments/se-proxy/common/se_proxy_sp.c -@@ -77,6 +77,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info) - } - rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface); - -+ rpc_iface = capsule_update_proxy_create(); -+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface); -+ - /* End of boot phase */ - result = sp_msg_wait(&req_msg); - if (result != SP_RESULT_OK) { -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 7edeef8b434a..591cc9eeb59e 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - - /* Stub backends */ - #include -@@ -93,3 +94,18 @@ struct rpc_interface *its_proxy_create(void) - - return secure_storage_provider_init(&its_provider, backend); - } -+ -+struct rpc_interface *capsule_update_proxy_create(void) -+{ -+ static struct capsule_update_provider capsule_update_provider; -+ static struct rpc_caller *capsule_update_caller; -+ -+ capsule_update_caller = openamp_caller_init(&openamp); -+ -+ if (!capsule_update_caller) -+ return NULL; -+ -+ capsule_update_provider.client.caller = capsule_update_caller; -+ -+ return capsule_update_provider_init(&capsule_update_provider); -+} -diff --git a/deployments/se-proxy/common/service_proxy_factory.h 
b/deployments/se-proxy/common/service_proxy_factory.h -index 298d407a2371..02aa7fe2550d 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.h -+++ b/deployments/se-proxy/common/service_proxy_factory.h -@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void); - struct rpc_interface *crypto_proxy_create(void); - struct rpc_interface *ps_proxy_create(void); - struct rpc_interface *its_proxy_create(void); -+struct rpc_interface *capsule_update_proxy_create(void); - - #ifdef __cplusplus - } -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index 3dbbc36c968d..f0db2d43f443 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -51,6 +51,7 @@ add_components(TARGET "se-proxy" - "components/service/attestation/provider/serializer/packed-c" - "components/service/attestation/reporter/psa_ipc" - "components/service/attestation/client/psa_ipc" -+ "components/service/capsule_update/provider" - "components/rpc/openamp/caller/sp" - - # Stub service provider backends -diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h -index 48908f846990..3d4a7c204785 100644 ---- a/deployments/se-proxy/se_proxy_interfaces.h -+++ b/deployments/se-proxy/se_proxy_interfaces.h -@@ -8,9 +8,10 @@ - #define SE_PROXY_INTERFACES_H - - /* Interface IDs from service endpoints available from an se-proxy deployment */ --#define SE_PROXY_INTERFACE_ID_ITS (0) --#define SE_PROXY_INTERFACE_ID_PS (1) --#define SE_PROXY_INTERFACE_ID_CRYPTO (2) --#define SE_PROXY_INTERFACE_ID_ATTEST (3) -+#define SE_PROXY_INTERFACE_ID_ITS (0) -+#define SE_PROXY_INTERFACE_ID_PS (1) -+#define SE_PROXY_INTERFACE_ID_CRYPTO (2) -+#define SE_PROXY_INTERFACE_ID_ATTEST (3) -+#define SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE (4) - - #endif /* SE_PROXY_INTERFACES_H */ -diff --git a/protocols/service/capsule_update/capsule_update_proto.h b/protocols/service/capsule_update/capsule_update_proto.h -new 
file mode 100644 -index 000000000000..8f326cd387fb ---- /dev/null -+++ b/protocols/service/capsule_update/capsule_update_proto.h -@@ -0,0 +1,13 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CAPSULE_UPDATE_PROTO_H -+#define CAPSULE_UPDATE_PROTO_H -+ -+#include -+#include -+ -+#endif /* CAPSULE_UPDATE_PROTO_H */ -diff --git a/protocols/service/capsule_update/opcodes.h b/protocols/service/capsule_update/opcodes.h -new file mode 100644 -index 000000000000..8185a0902378 ---- /dev/null -+++ b/protocols/service/capsule_update/opcodes.h -@@ -0,0 +1,17 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CAPSULE_UPDATE_OPCODES_H -+#define CAPSULE_UPDATE_OPCODES_H -+ -+/** -+ * Opcode definitions for the capsule update service -+ */ -+ -+#define CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE 1 -+#define CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED 2 -+ -+#endif /* CAPSULE_UPDATE_OPCODES_H */ -diff --git a/protocols/service/capsule_update/parameters.h b/protocols/service/capsule_update/parameters.h -new file mode 100644 -index 000000000000..285d924186be ---- /dev/null -+++ b/protocols/service/capsule_update/parameters.h -@@ -0,0 +1,15 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CAPSULE_UPDATE_PARAMETERS_H -+#define CAPSULE_UPDATE_PARAMETERS_H -+ -+/** -+ * Operation parameter definitions for the capsule update service access protocol. -+ */ -+ -+ -+#endif /* CAPSULE_UPDATE_PARAMETERS_H */ --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Configure-storage-size.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Configure-storage-size.patch deleted file mode 100644 index 22b1da6906..0000000000 
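Review bot: in the removed 0013 patch, `capsule_update_proxy_create()` returns NULL when `openamp_caller_init()` fails, yet the `se_proxy_sp.c` hunk passes its result straight to `rpc_demux_attach()` for `SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE` without a check, and `capsule_update_caller` is kept as a file-lifetime `static` although it only fills `capsule_update_provider.client.caller`. If the capsule-update proxy is re-applied on the new base, check the init result before attaching interface ID 4, add only the new `SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE (4)` line instead of re-emitting the four existing defines with changed whitespace, and either drop the empty `protocols/service/capsule_update/parameters.h` or document that `CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE` and `CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED` carry no parameters.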
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Configure-storage-size.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 229ec29154a4404426ad3083af68ca111a214e13 Mon Sep 17 00:00:00 2001 -From: Gowtham Suresh Kumar -Date: Thu, 16 Dec 2021 21:31:40 +0000 -Subject: [PATCH 14/20] Configure storage size - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - .../service/smm_variable/backend/uefi_variable_store.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/components/service/smm_variable/backend/uefi_variable_store.c b/components/service/smm_variable/backend/uefi_variable_store.c -index 611e2e225c6b..6c3b9ed81c25 100644 ---- a/components/service/smm_variable/backend/uefi_variable_store.c -+++ b/components/service/smm_variable/backend/uefi_variable_store.c -@@ -88,6 +88,7 @@ static efi_status_t check_name_terminator( - * may be overridden using uefi_variable_store_set_storage_limits() - */ - #define DEFAULT_MAX_VARIABLE_SIZE (2048) -+#define CONFIGURE_STORAGE_SIZE (50) - - efi_status_t uefi_variable_store_init( - struct uefi_variable_store *context, -@@ -101,13 +102,13 @@ efi_status_t uefi_variable_store_init( - /* Initialise persistent store defaults */ - context->persistent_store.is_nv = true; - context->persistent_store.max_variable_size = DEFAULT_MAX_VARIABLE_SIZE; -- context->persistent_store.total_capacity = DEFAULT_MAX_VARIABLE_SIZE * max_variables; -+ context->persistent_store.total_capacity = CONFIGURE_STORAGE_SIZE * max_variables; - context->persistent_store.storage_backend = persistent_store; - - /* Initialise volatile store defaults */ - context->volatile_store.is_nv = false; - context->volatile_store.max_variable_size = DEFAULT_MAX_VARIABLE_SIZE; -- context->volatile_store.total_capacity = DEFAULT_MAX_VARIABLE_SIZE * max_variables; -+ context->volatile_store.total_capacity = CONFIGURE_STORAGE_SIZE * max_variables; - context->volatile_store.storage_backend = volatile_store; - - context->owner_id = owner_id; --- -2.38.1 - 
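Review bot: the removed 0014 patch set both stores' `total_capacity` to `CONFIGURE_STORAGE_SIZE * max_variables` with `CONFIGURE_STORAGE_SIZE` at 50 while `max_variable_size` stayed at `DEFAULT_MAX_VARIABLE_SIZE` (2048), so a store advertised a per-variable limit far above its total capacity; deleting it restores `DEFAULT_MAX_VARIABLE_SIZE * max_variables`. The patch was `Upstream-Status: Pending`, so the change should state whether the smaller capacity is now obtained upstream, through `uefi_variable_store_set_storage_limits()` named in the context comment, or was dropped on purpose.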
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch deleted file mode 100644 index 426f2ca5c4..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch +++ /dev/null @@ -1,31 +0,0 @@ -From cf83184500703f9b4f2ac04be59cc7d624d8fd66 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Sun, 13 Feb 2022 09:01:10 +0000 -Subject: [PATCH 15/20] Fix: Crypto interface structure aligned with tf-m - change. - -NO NEED TO RAISE PR: The PR for this FIX is raied by Emek. - -Upstream-Status: Pending -Signed-off-by: Rui Miguel Silva ---- - components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -index c13c20e84131..ec25eaf868c7 100644 ---- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -38,7 +38,8 @@ struct psa_ipc_crypto_pack_iovec { - * multipart operation - */ - uint32_t capacity; /*!< Key derivation capacity */ -- -+ uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ -+ uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ - struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for - * AEAD until the API is - * restructured --- -2.38.1 - 
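Review bot: the removed 0015 patch added `ad_length` and `plaintext_length` to `struct psa_ipc_crypto_pack_iovec`, and the `crypto_caller_aead_set_lengths()` caller in the 0016 patch of the same series initialises exactly those two fields; removing both together is consistent, but the `Upstream-Status: Pending` plus the "NO NEED TO RAISE PR" note leave it unclear whether the new base already carries them. Confirm the new base's `psa_ipc_crypto_pack_iovec` has both fields before any of the psa-ipc AEAD callers is re-applied, otherwise that caller will not build.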
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Integrate-remaining-psa-ipc-client-APIs.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Integrate-remaining-psa-ipc-client-APIs.patch deleted file mode 100644 index a59d140023..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Integrate-remaining-psa-ipc-client-APIs.patch +++ /dev/null 
@@ -1,494 +0,0 @@ -From 551d8722769fa2f2d2ac74adcb289333a9b03598 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Sun, 13 Feb 2022 09:49:51 +0000 -Subject: [PATCH 16/20] Integrate remaining psa-ipc client APIs. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva ---- - .../caller/psa_ipc/crypto_caller_aead.h | 297 +++++++++++++++++- - .../caller/psa_ipc/crypto_caller_sign_hash.h | 35 +++ - .../psa_ipc/crypto_caller_verify_hash.h | 33 +- - 3 files changed, 352 insertions(+), 13 deletions(-) - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -index 78517fe32ca9..f6aadd8b9098 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -152,7 +152,27 @@ static inline psa_status_t crypto_caller_aead_encrypt_setup( - psa_key_id_t key, - psa_algorithm_t alg) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = (*op_handle), -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; - } - - static inline psa_status_t crypto_caller_aead_decrypt_setup( -@@ -161,7 +181,26 @@ static inline psa_status_t crypto_caller_aead_decrypt_setup( - psa_key_id_t key, - psa_algorithm_t alg) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller 
= ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -+ .key_id = key, -+ .alg = alg, -+ .op_handle = (*op_handle), -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ return status; - } - - static inline psa_status_t crypto_caller_aead_generate_nonce( -@@ -171,7 +210,27 @@ static inline psa_status_t crypto_caller_aead_generate_nonce( - size_t nonce_size, - size_t *nonce_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_to_u32(nonce), .len = nonce_size} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *nonce_length = out_vec[1].len; -+ return status; - } - - static inline psa_status_t crypto_caller_aead_set_nonce( -@@ -180,7 +239,25 @@ static inline psa_status_t crypto_caller_aead_set_nonce( - const uint8_t *nonce, - size_t nonce_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_SET_NONCE_SID, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec 
in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_to_u32(nonce), .len = nonce_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ return status; - } - - static inline psa_status_t crypto_caller_aead_set_lengths( -@@ -189,7 +266,27 @@ static inline psa_status_t crypto_caller_aead_set_lengths( - size_t ad_length, - size_t plaintext_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -+ .ad_length = ad_length, -+ .plaintext_length = plaintext_length, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; - } - - static inline psa_status_t crypto_caller_aead_update_ad( -@@ -198,7 +295,35 @@ static inline psa_status_t crypto_caller_aead_update_ad( - const uint8_t *input, - size_t input_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional input */ -+ if ((input == NULL) && (input_length != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = 
sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_const_to_u32(input), .len = input_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} -+ }; -+ -+ size_t in_len = IOVEC_LEN(in_vec); -+ -+ if (input == NULL) { -+ in_len--; -+ } -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ return status; - } - - static inline psa_status_t crypto_caller_aead_update( -@@ -210,7 +335,38 @@ static inline psa_status_t crypto_caller_aead_update( - size_t output_size, - size_t *output_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional input */ -+ if ((input == NULL) && (input_length != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_const_to_u32(input), .len = input_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_const_to_u32(output), .len = output_size}, -+ }; -+ -+ size_t in_len = IOVEC_LEN(in_vec); -+ -+ if (input == NULL) { -+ in_len--; -+ } -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ in_len, out_vec, IOVEC_LEN(out_vec)); -+ -+ *output_length = out_vec[1].len; -+ return status; - } - - static inline psa_status_t crypto_caller_aead_finish( -@@ -223,7 +379,48 @@ static inline psa_status_t crypto_caller_aead_finish( - size_t tag_size, - size_t *tag_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { 
-+ .sfn_id = TFM_CRYPTO_AEAD_FINISH_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional output */ -+ if ((aeadtext == NULL) && (aeadtext_size != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_const_to_u32(tag), .len = tag_size}, -+ {.base = psa_ptr_const_to_u32(aeadtext), .len = aeadtext_size} -+ }; -+ -+ size_t out_len = IOVEC_LEN(out_vec); -+ -+ if (aeadtext == NULL || aeadtext_size == 0) { -+ out_len--; -+ } -+ if ((out_len == 3) && (aeadtext_length == NULL)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, out_len); -+ -+ *tag_length = out_vec[1].len; -+ -+ if (out_len == 3) { -+ *aeadtext_length = out_vec[2].len; -+ } else { -+ *aeadtext_length = 0; -+ } -+ return status; - } - - static inline psa_status_t crypto_caller_aead_verify( -@@ -235,14 +432,94 @@ static inline psa_status_t crypto_caller_aead_verify( - const uint8_t *tag, - size_t tag_length) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_VERIFY_SID, -+ .op_handle = op_handle, -+ }; -+ -+ /* Sanitize the optional output */ -+ if ((plaintext == NULL) && (plaintext_size != 0)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ {.base = psa_ptr_const_to_u32(tag), .len = tag_length} -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ {.base = psa_ptr_const_to_u32(plaintext), .len = plaintext_size}, -+ }; 
-+ -+ size_t out_len = IOVEC_LEN(out_vec); -+ -+ if (plaintext == NULL || plaintext_size == 0) { -+ out_len--; -+ } -+ if ((out_len == 2) && (plaintext_length == NULL)) { -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, out_len); -+ -+ if (out_len == 2) { -+ *plaintext_length = out_vec[1].len; -+ } else { -+ *plaintext_length = 0; -+ } -+ return status; - } - - static inline psa_status_t crypto_caller_aead_abort( - struct service_client *context, - uint32_t op_handle) - { -- return PSA_ERROR_NOT_SUPPORTED; -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_AEAD_ABORT_SID, -+ .op_handle = op_handle, -+ }; -+ -+ struct psa_invec in_vec[] = { -+ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, -+ }; -+ struct psa_outvec out_vec[] = { -+ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ return status; -+} -+ -+static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the mac_update operation -+ * using the packed-c encoding. -+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; -+} -+ -+static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context) -+{ -+ /* Returns the maximum number of bytes that may be -+ * carried as a parameter of the mac_update operation -+ * using the packed-c encoding. 
-+ */ -+ size_t payload_space = context->service_info.max_payload; -+ size_t overhead = iov_size; -+ -+ return (payload_space > overhead) ? payload_space - overhead : 0; - } - - #ifdef __cplusplus -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -index 71d88cededf5..e4a2b167defb 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -57,6 +57,41 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex - return status; - } - -+static inline psa_status_t crypto_caller_sign_message(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ uint8_t *signature, -+ size_t signature_size, -+ size_t *signature_length) -+{ -+ struct service_client *ipc = context; -+ struct rpc_caller *caller = ipc->caller; -+ psa_status_t status; -+ struct psa_ipc_crypto_pack_iovec iov = { -+ .sfn_id = TFM_CRYPTO_SIGN_MESSAGE_SID, -+ .key_id = id, -+ .alg = alg, -+ }; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(signature), .len = signature_size }, -+ }; -+ -+ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, -+ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ *signature_length = out_vec[0].len; -+ -+ return status; -+} -+ -+ -+ - #ifdef __cplusplus - } - #endif -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -index e16f6e5450af..cc9279ee79f2 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -+++ 
b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -24,19 +24,20 @@ - extern "C" { - #endif - --static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, -+static inline psa_status_t crypto_caller_common(struct service_client *context, - psa_key_id_t id, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - const uint8_t *signature, -- size_t signature_length) -+ size_t signature_length, -+ uint32_t sfn_id) - { - struct service_client *ipc = context; - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID, -+ .sfn_id = sfn_id, - .key_id = id, - .alg = alg, - }; -@@ -52,6 +53,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont - return status; - } - -+static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ const uint8_t *signature, -+ size_t signature_length) -+{ -+ -+ return crypto_caller_common(context,id,alg,hash,hash_length, -+ signature,signature_length, TFM_CRYPTO_VERIFY_HASH_SID); -+} -+ -+static inline psa_status_t crypto_caller_verify_message(struct service_client *context, -+ psa_key_id_t id, -+ psa_algorithm_t alg, -+ const uint8_t *hash, -+ size_t hash_length, -+ const uint8_t *signature, -+ size_t signature_length) -+{ -+ -+ return crypto_caller_common(context,id,alg,hash,hash_length, -+ signature,signature_length, TFM_CRYPTO_VERIFY_MESSAGE_SID); -+} -+ - #ifdef __cplusplus - } - #endif --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch deleted file mode 100644 index 4adcd90a5f..0000000000 
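Review bot: in the removed 0016 patch, `crypto_caller_aead_finish()` and `crypto_caller_aead_verify()` NULL-check `aeadtext_length` / `plaintext_length` only on the path that keeps the optional output vector (`out_len == 3` / `out_len == 2`) and then write `*aeadtext_length = 0` / `*plaintext_length = 0` unconditionally on the other path, which dereferences NULL for a caller that passes neither an output buffer nor a length pointer; if this is rebased rather than dropped, move the NULL check ahead of the `out_len` branch. Smaller points in the same hunk: the two `crypto_caller_aead_max_update*_size()` helpers reuse the mac_update comment verbatim and rely on an `iov_size` that none of this file's hunks introduces, and `crypto_caller_sign_message()` names its message parameter `hash`.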
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 5a5e162e17c9decb04b3b2905a0fb604e8f06e91 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Mon, 14 Feb 2022 17:52:00 +0000 -Subject: [PATCH 17/20] Fix : update psa_set_key_usage_flags definition to the - latest from the tf-m - -Upstream-Status: Pending -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva ---- - components/service/crypto/include/psa/crypto_struct.h | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/components/service/crypto/include/psa/crypto_struct.h b/components/service/crypto/include/psa/crypto_struct.h -index 1bc55e375eea..b4a7ed4b39d3 100644 ---- a/components/service/crypto/include/psa/crypto_struct.h -+++ b/components/service/crypto/include/psa/crypto_struct.h -@@ -155,9 +155,19 @@ static inline psa_key_lifetime_t psa_get_key_lifetime( - return( attributes->lifetime ); - } - -+static inline void psa_extend_key_usage_flags( psa_key_usage_t *usage_flags ) -+{ -+ if( *usage_flags & PSA_KEY_USAGE_SIGN_HASH ) -+ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE; -+ -+ if( *usage_flags & PSA_KEY_USAGE_VERIFY_HASH ) -+ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE; -+} -+ - static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes, - psa_key_usage_t usage_flags) - { -+ psa_extend_key_usage_flags( &usage_flags ); - attributes->usage = usage_flags; - } - --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch deleted file mode 100644 index c1598a9e11..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch +++ /dev/null 
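Review bot: deleting the 0017 patch removes the implicit widening in `psa_set_key_usage_flags()` where `PSA_KEY_USAGE_SIGN_HASH` also grants `PSA_KEY_USAGE_SIGN_MESSAGE` (and `VERIFY_HASH` grants `VERIFY_MESSAGE`), which the `crypto_caller_sign_message()` / `crypto_caller_verify_message()` callers added in 0016 depend on. Since both patches go together this is consistent, but confirm that the new base's `crypto_struct.h` already matches the TF-M definition the subject line refers to; otherwise keys created with only the `*_HASH` flags may be rejected by message-signing calls on the psa-ipc path.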
@@ -1,121 +0,0 @@ -From 1a4d46fdc0b5745b9cfb0789e4b778111bd6dbbb Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Mon, 14 Feb 2022 08:22:25 +0000 -Subject: [PATCH 18/20] Fixes in AEAD for psa-arch test 54 and 58. - -Upstream-Status: Pending [Not submitted to upstream yet] -Signed-off-by: Emekcan Aras -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva ---- - .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 + - components/service/crypto/include/psa/crypto_sizes.h | 2 +- - .../crypto/provider/extension/aead/aead_provider.c | 8 ++++++-- - .../extension/aead/serializer/aead_provider_serializer.h | 1 + - .../packed-c/packedc_aead_provider_serializer.c | 2 ++ - protocols/service/crypto/packed-c/aead.h | 1 + - 6 files changed, 12 insertions(+), 3 deletions(-) - -diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -index c4ffb20cf7f8..a91f66c14008 100644 ---- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -@@ -309,6 +309,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont - size_t req_len = req_fixed_len; - - *output_length = 0; -+ req_msg.output_size = output_size; - req_msg.op_handle = op_handle; - - /* Mandatory input data parameter */ -diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 4d7bf6e959b0..e3c4df2927b3 100644 ---- a/components/service/crypto/include/psa/crypto_sizes.h -+++ b/components/service/crypto/include/psa/crypto_sizes.h -@@ -351,7 +351,7 @@ - * just the largest size that may be generated by - * #psa_aead_generate_nonce(). - */ --#define PSA_AEAD_NONCE_MAX_SIZE 12 -+#define PSA_AEAD_NONCE_MAX_SIZE 16 - - /** A sufficient output buffer size for psa_aead_update(). 
- * -diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c -index 14a25436b3f6..6b144db821de 100644 ---- a/components/service/crypto/provider/extension/aead/aead_provider.c -+++ b/components/service/crypto/provider/extension/aead/aead_provider.c -@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) - uint32_t op_handle; - const uint8_t *input; - size_t input_len; -+ uint32_t recv_output_size; - - if (serializer) - rpc_status = serializer->deserialize_aead_update_req(req_buf, &op_handle, -- &input, &input_len); -+ &recv_output_size, &input, &input_len); - - if (rpc_status == TS_RPC_CALL_ACCEPTED) { - -@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) - if (crypto_context) { - - size_t output_len = 0; -- size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len); -+ size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24); - uint8_t *output = malloc(output_size); - -+ if (recv_output_size < output_size) { -+ output_size = recv_output_size; -+ } - if (output) { - - psa_status = psa_aead_update(&crypto_context->op.aead, -diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -index bb1a2a97e4b7..0156aaba3fe3 100644 ---- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -+++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -@@ -51,6 +51,7 @@ struct aead_provider_serializer { - /* Operation: aead_update */ - rpc_status_t (*deserialize_aead_update_req)(const struct call_param_buf *req_buf, - uint32_t *op_handle, -+ uint32_t *output_size, - const uint8_t **input, size_t *input_len); - - rpc_status_t (*serialize_aead_update_resp)(struct call_param_buf *resp_buf, -diff 
--git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -index 6f00b3e3f6f1..45c739abcbb4 100644 ---- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -+++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct call_param_buf * - /* Operation: aead_update */ - static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req_buf, - uint32_t *op_handle, -+ uint32_t *output_size, - const uint8_t **input, size_t *input_len) - { - rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY; -@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req - memcpy(&recv_msg, req_buf->data, expected_fixed_len); - - *op_handle = recv_msg.op_handle; -+ *output_size = recv_msg.output_size; - - tlv_const_iterator_begin(&req_iter, - (uint8_t*)req_buf->data + expected_fixed_len, -diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h -index 0be266b52403..435fd3b523ce 100644 ---- a/protocols/service/crypto/packed-c/aead.h -+++ b/protocols/service/crypto/packed-c/aead.h -@@ -98,6 +98,7 @@ enum - struct __attribute__ ((__packed__)) ts_crypto_aead_update_in - { - uint32_t op_handle; -+ uint32_t output_size; - }; - - /* Variable length input parameter tags */ --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-plat-corstone1000-change-default-smm-values.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-plat-corstone1000-change-default-smm-values.patch deleted file mode 100644 index 02c89d895e..0000000000 
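Review bot: in the removed 0018 patch, `aead_update_handler()` computes `output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24)` with a hard-coded 24 in place of `input_len`, `malloc`s that size, and only then clamps to the client-supplied `recv_output_size`; the clamp can only shrink the value, so it is memory-safe, but the constant ties the provider to one test-vector length and reads as a workaround for the psa-arch tests named in the subject. If re-applied, derive the size from `input_len` and clamp before allocating. The `PSA_AEAD_NONCE_MAX_SIZE` 12 -> 16 change in the public `crypto_sizes.h` is an interface change and deserves its own mention rather than riding along with the test fix.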
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-plat-corstone1000-change-default-smm-values.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c519bae79629bfe551d79cfeb4e7d8a059545145 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva -Date: Tue, 11 Oct 2022 10:46:10 +0100 -Subject: [PATCH 19/20] plat: corstone1000: change default smm values - -Smm gateway uses SE proxy to route the calls for any NV -storage so set the NV_STORE_SN. -Change the storage index uid because TF-M in the secure -enclave reserves the default value (0x1) to some internal -operation. -Increase the maximum number of uefi variables to cope with all -the needs for testing and certification - -Upstream-Status: Pending -Signed-off-by: Vishnu Banavath -Signed-off-by: Rui Miguel Silva ---- - platform/providers/arm/corstone1000/platform.cmake | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 51e5faa3e4d8..04b629a81906 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -10,3 +10,9 @@ - include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) - - add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) -+ -+target_compile_definitions(${TGT} PRIVATE -+ SMM_GATEWAY_NV_STORE_SN="sn:ffa:46bb39d1-b4d9-45b5-88ff-040027dab249:1" -+ SMM_VARIABLE_INDEX_STORAGE_UID=0x787 -+ SMM_GATEWAY_MAX_UEFI_VARIABLES=100 -+) --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0020-FMP-Support-in-Corstone1000.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0020-FMP-Support-in-Corstone1000.patch deleted file mode 100644 index ce40df0fd8..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0020-FMP-Support-in-Corstone1000.patch +++ /dev/null 
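Review bot: the removed 0019 patch injected `SMM_GATEWAY_NV_STORE_SN`, `SMM_VARIABLE_INDEX_STORAGE_UID=0x787` and `SMM_GATEWAY_MAX_UEFI_VARIABLES=100` via `target_compile_definitions(${TGT} ...)` in `platform.cmake`, whose surrounding lines use `add_compile_definitions` and never verify that `TGT` is defined (contrast the `if (NOT DEFINED TGT)` guard in the capsule_update `component.cmake` above). Its own text explains the move of the index UID away from 0x1 as avoiding a value TF-M reserves in the secure enclave; the deletion hunk does not say where those three values now live, so confirm they are set on the new base, since the storage UID selects which persistent object backs the variable index.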
@@ -1,418 +0,0 @@ -From 70cf374fb55f2d62ecbe28049253df33b42b6749 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Fri, 8 Jul 2022 09:48:06 +0100 -Subject: [PATCH 20/20] FMP Support in Corstone1000. - -The FMP support is used by u-boot to pupolate ESRT information -for the kernel. - -The solution is platform specific and needs to be revisted. - -Signed-off-by: Satish Kumar - -Upstream-Status: Inappropriate [The solution is platform specific and needs to be revisted] -Signed-off-by: Rui Miguel Silva ---- - .../provider/capsule_update_provider.c | 5 + - .../capsule_update/provider/component.cmake | 1 + - .../provider/corstone1000_fmp_service.c | 307 ++++++++++++++++++ - .../provider/corstone1000_fmp_service.h | 26 ++ - 4 files changed, 339 insertions(+) - create mode 100644 components/service/capsule_update/provider/corstone1000_fmp_service.c - create mode 100644 components/service/capsule_update/provider/corstone1000_fmp_service.h - -diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c -index e133753f8560..991a2235cd73 100644 ---- a/components/service/capsule_update/provider/capsule_update_provider.c -+++ b/components/service/capsule_update/provider/capsule_update_provider.c -@@ -11,6 +11,7 @@ - #include - #include - #include "capsule_update_provider.h" -+#include "corstone1000_fmp_service.h" - - - #define CAPSULE_UPDATE_REQUEST (0x1) -@@ -47,6 +48,8 @@ struct rpc_interface *capsule_update_provider_init( - rpc_interface = service_provider_get_rpc_interface(&context->base_provider); - } - -+ provision_fmp_variables_metadata(context->client.caller); -+ - return rpc_interface; - } - -@@ -85,6 +88,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) - } - psa_call(caller,handle, PSA_IPC_CALL, - in_vec,IOVEC_LEN(in_vec), NULL, 0); -+ set_fmp_image_info(caller, handle); - break; - - case KERNEL_STARTED_EVENT: -@@ -99,6 +103,7 @@ static 
rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) - } - psa_call(caller,handle, PSA_IPC_CALL, - in_vec,IOVEC_LEN(in_vec), NULL, 0); -+ set_fmp_image_info(caller, handle); - break; - default: - EMSG("%s unsupported opcode", __func__); -diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake -index 1d412eb234d9..6b0601494938 100644 ---- a/components/service/capsule_update/provider/component.cmake -+++ b/components/service/capsule_update/provider/component.cmake -@@ -10,4 +10,5 @@ endif() - - target_sources(${TGT} PRIVATE - "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c" -+ "${CMAKE_CURRENT_LIST_DIR}/corstone1000_fmp_service.c" - ) -diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c -new file mode 100644 -index 000000000000..6a7a47a7ed99 ---- /dev/null -+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c -@@ -0,0 +1,307 @@ -+/* -+ * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include "corstone1000_fmp_service.h" -+#include -+#include -+#include -+#include -+ -+#include -+ -+#define VARIABLE_INDEX_STORAGE_UID (0x787) -+ -+/** -+ * Variable attributes -+ */ -+#define EFI_VARIABLE_NON_VOLATILE (0x00000001) -+#define EFI_VARIABLE_BOOTSERVICE_ACCESS (0x00000002) -+#define EFI_VARIABLE_RUNTIME_ACCESS (0x00000004) -+#define EFI_VARIABLE_HARDWARE_ERROR_RECORD (0x00000008) -+#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS (0x00000010) -+#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS (0x00000020) -+#define EFI_VARIABLE_APPEND_WRITE (0x00000040) -+#define EFI_VARIABLE_MASK \ -+ (EFI_VARIABLE_NON_VOLATILE | \ -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | \ -+ EFI_VARIABLE_RUNTIME_ACCESS | \ -+ EFI_VARIABLE_HARDWARE_ERROR_RECORD | \ -+ EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \ -+ EFI_VARIABLE_APPEND_WRITE) -+ -+#define FMP_VARIABLES_COUNT 6 -+ -+static struct variable_metadata fmp_variables_metadata[FMP_VARIABLES_COUNT] = { -+ { -+ { 0x86c77a67, 0x0b97, 0x4633, \ -+ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, -+ /* name size = (variable_name + \0) * sizeof(u16) */ -+ .name_size = 42, { 'F', 'm', 'p', 'D', 'e', 's', 'c', 'r', 'i', 'p', 't', 'o', 'r', 'V', 'e', 'r', 's', 'i', 'o', 'n' }, -+ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 -+ }, -+ { -+ { 0x86c77a67, 0x0b97, 0x4633, \ -+ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, -+ /* name size = (variable_name + \0) * sizeof(u16) */ -+ .name_size = 34, { 'F', 'm', 'p', 'I', 'm', 'a', 'g', 'e', 'I', 'n', 'f', 'o', 'S', 'i', 'z', 'e' }, -+ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 -+ }, -+ { -+ { 0x86c77a67, 0x0b97, 0x4633, \ -+ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, -+ /* name size = (variable_name + \0) * sizeof(u16) */ -+ .name_size = 38, { 'F', 'm', 'p', 'D', 'e', 's', 'c', 'r', 'i', 'p', 't', 'o', 'r', 'C', 'o', 'u', 'n', 't' }, -+ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 -+ }, -+ { 
-+ { 0x86c77a67, 0x0b97, 0x4633, \ -+ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, -+ /* name size = (variable_name + \0) * sizeof(u16) */ -+ .name_size = 26, { 'F', 'm', 'p', 'I', 'm', 'a', 'g', 'e', 'I', 'n', 'f', 'o' }, -+ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 -+ }, -+ { -+ { 0x86c77a67, 0x0b97, 0x4633, \ -+ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, -+ /* name size = (variable_name + \0) * sizeof(u16) */ -+ .name_size = 28, { 'F', 'm', 'p', 'I', 'm', 'a', 'g', 'e', 'N', 'a', 'm', 'e', '1' }, -+ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 -+ }, -+ { -+ { 0x86c77a67, 0x0b97, 0x4633, \ -+ { 0xa1, 0x87, 0x49, 0x10, 0x4d, 0x06, 0x85, 0xc7} }, -+ /* name size = (variable_name + \0) * sizeof(u16) */ -+ .name_size = 32, { 'F', 'm', 'p', 'V', 'e', 'r', 's', 'i', 'o', 'n', 'N', 'a', 'm', 'e', '1' }, -+ .attributes = EFI_VARIABLE_NON_VOLATILE, .uid = 0 -+ }, -+}; -+ -+static psa_status_t protected_storage_set(struct rpc_caller *caller, -+ psa_storage_uid_t uid, size_t data_length, const void *p_data) -+{ -+ psa_status_t psa_status; -+ psa_storage_create_flags_t create_flags = PSA_STORAGE_FLAG_NONE; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, -+ { .base = psa_ptr_const_to_u32(p_data), .len = data_length }, -+ { .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) }, -+ }; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, TFM_PS_ITS_SET, -+ in_vec, IOVEC_LEN(in_vec), NULL, 0); -+ if (psa_status < 0) -+ EMSG("ipc_set: psa_call failed: %d", psa_status); -+ -+ return psa_status; -+} -+ -+static psa_status_t protected_storage_get(struct rpc_caller *caller, -+ psa_storage_uid_t uid, size_t data_size, void *p_data) -+{ -+ psa_status_t psa_status; -+ uint32_t offset = 0; -+ -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, -+ { .base = psa_ptr_to_u32(&offset), .len = sizeof(offset) }, -+ }; -+ -+ struct psa_outvec 
out_vec[] = { -+ { .base = psa_ptr_to_u32(p_data), .len = data_size }, -+ }; -+ -+ psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, -+ TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ -+ if (psa_status == PSA_SUCCESS && out_vec[0].len != data_size) { -+ EMSG("Return size does not match with expected size."); -+ return PSA_ERROR_BUFFER_TOO_SMALL; -+ } -+ -+ return psa_status; -+} -+ -+static uint64_t name_hash(EFI_GUID *guid, size_t name_size, -+ const int16_t *name) -+{ -+ /* Using djb2 hash by Dan Bernstein */ -+ uint64_t hash = 5381; -+ -+ /* Calculate hash over GUID */ -+ hash = ((hash << 5) + hash) + guid->Data1; -+ hash = ((hash << 5) + hash) + guid->Data2; -+ hash = ((hash << 5) + hash) + guid->Data3; -+ -+ for (int i = 0; i < 8; ++i) { -+ -+ hash = ((hash << 5) + hash) + guid->Data4[i]; -+ } -+ -+ /* Extend to cover name up to but not including null terminator */ -+ for (int i = 0; i < name_size / sizeof(int16_t); ++i) { -+ -+ if (!name[i]) break; -+ hash = ((hash << 5) + hash) + name[i]; -+ } -+ -+ return hash; -+} -+ -+ -+static void initialize_metadata(void) -+{ -+ for (int i = 0; i < FMP_VARIABLES_COUNT; i++) { -+ -+ fmp_variables_metadata[i].uid = name_hash( -+ &fmp_variables_metadata[i].guid, -+ fmp_variables_metadata[i].name_size, -+ fmp_variables_metadata[i].name); -+ } -+} -+ -+ -+void provision_fmp_variables_metadata(struct rpc_caller *caller) -+{ -+ struct variable_metadata metadata; -+ psa_status_t status; -+ uint32_t dummy_values = 0xDEAD; -+ -+ EMSG("Provisioning FMP metadata."); -+ -+ initialize_metadata(); -+ -+ status = protected_storage_get(caller, VARIABLE_INDEX_STORAGE_UID, -+ sizeof(struct variable_metadata), &metadata); -+ -+ if (status == PSA_SUCCESS) { -+ EMSG("UEFI variables store is already provisioned."); -+ return; -+ } -+ -+ /* Provision FMP variables with dummy values. 
*/ -+ for (int i = 0; i < FMP_VARIABLES_COUNT; i++) { -+ protected_storage_set(caller, fmp_variables_metadata[i].uid, -+ sizeof(dummy_values), &dummy_values); -+ } -+ -+ status = protected_storage_set(caller, VARIABLE_INDEX_STORAGE_UID, -+ sizeof(struct variable_metadata) * FMP_VARIABLES_COUNT, -+ fmp_variables_metadata); -+ -+ if (status != EFI_SUCCESS) { -+ return; -+ } -+ -+ EMSG("FMP metadata is provisioned"); -+} -+ -+typedef struct { -+ void *base; -+ int len; -+} variable_data_t; -+ -+static variable_data_t fmp_variables_data[FMP_VARIABLES_COUNT]; -+ -+#define IMAGE_INFO_BUFFER_SIZE 256 -+static char image_info_buffer[IMAGE_INFO_BUFFER_SIZE]; -+#define IOCTL_CORSTONE1000_FMP_IMAGE_INFO 2 -+ -+static psa_status_t unpack_image_info(void *buffer, uint32_t size) -+{ -+ typedef struct __attribute__ ((__packed__)) { -+ uint32_t variable_count; -+ uint32_t variable_size[FMP_VARIABLES_COUNT]; -+ uint8_t variable[]; -+ } packed_buffer_t; -+ -+ packed_buffer_t *packed_buffer = buffer; -+ int runner = 0; -+ -+ if (packed_buffer->variable_count != FMP_VARIABLES_COUNT) { -+ EMSG("Expected fmp varaibles = %u, but received = %u", -+ FMP_VARIABLES_COUNT, packed_buffer->variable_count); -+ return PSA_ERROR_PROGRAMMER_ERROR; -+ } -+ -+ for (int i = 0; i < packed_buffer->variable_count; i++) { -+ EMSG("FMP variable %d : size %u", i, packed_buffer->variable_size[i]); -+ fmp_variables_data[i].base = &packed_buffer->variable[runner]; -+ fmp_variables_data[i].len= packed_buffer->variable_size[i]; -+ runner += packed_buffer->variable_size[i]; -+ } -+ -+ return PSA_SUCCESS; -+} -+ -+static psa_status_t get_image_info(struct rpc_caller *caller, -+ psa_handle_t platform_service_handle) -+{ -+ psa_status_t status; -+ psa_handle_t handle; -+ uint32_t ioctl_id = IOCTL_CORSTONE1000_FMP_IMAGE_INFO; -+ -+ struct psa_invec in_vec[] = { -+ { .base = &ioctl_id, .len = sizeof(ioctl_id) }, -+ }; -+ -+ struct psa_outvec out_vec[] = { -+ { .base = image_info_buffer, .len = IMAGE_INFO_BUFFER_SIZE 
}, -+ }; -+ -+ memset(image_info_buffer, 0, IMAGE_INFO_BUFFER_SIZE); -+ -+ psa_call(caller, platform_service_handle, PSA_IPC_CALL, -+ in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); -+ -+ status = unpack_image_info(image_info_buffer, IMAGE_INFO_BUFFER_SIZE); -+ if (status != PSA_SUCCESS) { -+ return status; -+ } -+ -+ return PSA_SUCCESS; -+} -+ -+static psa_status_t set_image_info(struct rpc_caller *caller) -+{ -+ psa_status_t status; -+ -+ for (int i = 0; i < FMP_VARIABLES_COUNT; i++) { -+ -+ status = protected_storage_set(caller, -+ fmp_variables_metadata[i].uid, -+ fmp_variables_data[i].len, fmp_variables_data[i].base); -+ -+ if (status != PSA_SUCCESS) { -+ -+ EMSG("FMP variable %d set unsuccessful", i); -+ return status; -+ } -+ -+ EMSG("FMP variable %d set success", i); -+ } -+ -+ return PSA_SUCCESS; -+} -+ -+void set_fmp_image_info(struct rpc_caller *caller, -+ psa_handle_t platform_service_handle) -+{ -+ psa_status_t status; -+ -+ status = get_image_info(caller, platform_service_handle); -+ if (status != PSA_SUCCESS) { -+ return; -+ } -+ -+ status = set_image_info(caller); -+ if (status != PSA_SUCCESS) { -+ return; -+ } -+ -+ return; -+} -diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h -new file mode 100644 -index 000000000000..95fba2a04d5c ---- /dev/null -+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h -@@ -0,0 +1,26 @@ -+/* -+ * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef CORSTONE1000_FMP_SERVICE_H -+#define CORSTONE1000_FMP_SERVICE_H -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#include -+#include -+ -+void provision_fmp_variables_metadata(struct rpc_caller *caller); -+ -+void set_fmp_image_info(struct rpc_caller *caller, -+ psa_handle_t platform_service_handle); -+ -+#ifdef __cplusplus -+} /* extern "C" */ -+#endif -+ -+#endif /* CORSTONE1000_FMP_SERVICE_H */ --- -2.38.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-smm_gateway-add-checks-for-null-attributes.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-smm_gateway-add-checks-for-null-attributes.patch deleted file mode 100644 index 87c053fcc6..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-smm_gateway-add-checks-for-null-attributes.patch +++ /dev/null 
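Review bot: unpack_image_info in corstone1000_fmp_service.c never uses its `size` argument and trusts the `variable_size[]` values returned by the platform service, so `runner += packed_buffer->variable_size[i];` and `fmp_variables_data[i].base = &packed_buffer->variable[runner];` can point past the 256-byte image_info_buffer, after which set_image_info hands that base/len pair to protected_storage_set; each variable_size[i] and the running offset should be checked against `size` minus the fixed header before being stored. Two smaller points in the same file: get_image_info discards the psa_call return value and parses the buffer regardless (only the variable_count mismatch catches a failed call), and provision_fmp_variables_metadata compares a psa_status_t against EFI_SUCCESS in `if (status != EFI_SUCCESS)` where PSA_SUCCESS is the matching constant. The 0x787 index UID is also defined twice in this series, as SMM_VARIABLE_INDEX_STORAGE_UID in the 0019 platform.cmake and as VARIABLE_INDEX_STORAGE_UID here; a single definition that the other side includes would keep them from drifting apart.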
@@ -1,35 +0,0 @@ -From 6d3cac6f3a6e977e9330c9c06514a372ade170a2 Mon Sep 17 00:00:00 2001 -From: Emekcan -Date: Wed, 2 Nov 2022 09:58:27 +0000 -Subject: [PATCH] smm_gateway: add checks for null attributes - -As par EDK-2 and EDK-2 test code, setVariable() with 0 -attributes means a delete variable request. Currently, -smm gatway doesn't handle this scenario. This commit adds -that support. - -Upstream-Status: Pending -Signed-off-by: Emekcan Aras ---- - components/service/smm_variable/backend/uefi_variable_store.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/components/service/smm_variable/backend/uefi_variable_store.c b/components/service/smm_variable/backend/uefi_variable_store.c -index 6c3b9ed8..a691dc5d 100644 ---- a/components/service/smm_variable/backend/uefi_variable_store.c -+++ b/components/service/smm_variable/backend/uefi_variable_store.c -@@ -202,9 +202,9 @@ efi_status_t uefi_variable_store_set_variable( - if (info->is_variable_set) { - - /* It's a request to update to an existing variable */ -- if (!(var->Attributes & -+ if (!(var->Attributes) || (!(var->Attributes & - (EFI_VARIABLE_APPEND_WRITE | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS_MASK)) && -- !var->DataSize) { -+ !var->DataSize)) { - - /* It's a remove operation - for a remove, the variable - * data must be removed from the storage backend before --- -2.17.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-GetNextVariableName-Fix.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-GetNextVariableName-Fix.patch deleted file mode 100644 index ed4e6e27a3..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-GetNextVariableName-Fix.patch +++ /dev/null 
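Review bot: the new leading `!(var->Attributes) ||` in uefi_variable_store_set_variable short-circuits the whole condition, so a request with Attributes == 0 enters the remove path regardless of DataSize and without ever reaching the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS_MASK test that follows it; since only the request's own attributes are inspected here, it should be confirmed that the stored variable's attributes are checked elsewhere on this path, so that a variable created with authenticated write access cannot be deleted by an unauthenticated zero-attribute SetVariable. If that check does not exist, the delete branch should consult the existing variable's attributes before removing it from the backend.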
@@ -1,33 +0,0 @@ -From 2aa665ad2cb13bc79b645db41686449a47593aab Mon Sep 17 00:00:00 2001 -From: Emekcan -Date: Thu, 3 Nov 2022 17:43:40 +0000 -Subject: [PATCH] smm_gateway: GetNextVariableName Fix - -GetNextVariableName() should return EFI_BUFFER_TOO_SMALL -when NameSize is smaller than the actual NameSize. It -currently returns EFI_BUFFER_OUT_OF_RESOURCES due to setting -max_name_len incorrectly. This fixes max_name_len error by -replacing it with actual NameSize request by u-boot. - -Upstream-Status: Pending -Signed-off-by: Emekcan Aras ---- - .../service/smm_variable/provider/smm_variable_provider.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/components/service/smm_variable/provider/smm_variable_provider.c b/components/service/smm_variable/provider/smm_variable_provider.c -index a9679b7e..6a4b6fa7 100644 ---- a/components/service/smm_variable/provider/smm_variable_provider.c -+++ b/components/service/smm_variable/provider/smm_variable_provider.c -@@ -197,7 +197,7 @@ static rpc_status_t get_next_variable_name_handler(void *context, struct call_re - efi_status = uefi_variable_store_get_next_variable_name( - &this_instance->variable_store, - (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data, -- max_name_len, -+ ((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize, - &resp_buf->data_len); - } - else { --- -2.17.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0023-Use-the-stateless-platform-service.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0023-Use-the-stateless-platform-service.patch deleted file mode 100644 index 824196c11a..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0023-Use-the-stateless-platform-service.patch +++ /dev/null 
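Review bot: the replacement argument `((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize` is a value the client placed in the request, and the hunk shows no check that it is bounded by the space remaining in resp_buf, whereas the removed `max_name_len` was a local limit; if uefi_variable_store_get_next_variable_name copies the next name into resp_buf->data using this length, a NameSize larger than the response buffer lets the copy run past it. Validating NameSize against the response buffer's capacity first (and returning EFI_INVALID_PARAMETER or the smaller bound) keeps the EFI_BUFFER_TOO_SMALL semantics the commit message wants without giving up the bound.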
@@ -1,140 +0,0 @@ -From 956b8a8e1dd5702b9c1657f4ec27a7aeddb0758e Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker -Date: Mon, 21 Nov 2022 00:08:20 +0000 -Subject: [PATCH] Use the stateless platform service calls - -Calls to psa_connect is not needed and psa_call can be called -directly with a pre defined handle. - -Signed-off-by: Satish Kumar -Signed-off-by: Mohamed Omar Asaker -Upstream-Status: Inappropriate [Design is to revisted] - ---- - .../provider/capsule_update_provider.c | 24 ++++--------------- - .../provider/corstone1000_fmp_service.c | 10 ++++---- - .../provider/corstone1000_fmp_service.h | 3 +-- - components/service/common/include/psa/sid.h | 6 +++++ - 4 files changed, 16 insertions(+), 27 deletions(-) - -diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c -index 991a2235..6809249f 100644 ---- a/components/service/capsule_update/provider/capsule_update_provider.c -+++ b/components/service/capsule_update/provider/capsule_update_provider.c -@@ -61,7 +61,6 @@ void capsule_update_provider_deinit(struct capsule_update_provider *context) - static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) - { - uint32_t ioctl_id; -- psa_handle_t handle; - rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED; - - struct psa_invec in_vec[] = { -@@ -79,31 +78,18 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) - case CAPSULE_UPDATE_REQUEST: - /* Openamp call with IOCTL for firmware update*/ - ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES; -- handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, -- TFM_SP_PLATFORM_IOCTL_VERSION); -- if (handle <= 0) { -- EMSG("%s Invalid handle", __func__); -- rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; -- return rpc_status; -- } -- psa_call(caller,handle, PSA_IPC_CALL, -+ psa_call(caller,TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, - in_vec,IOVEC_LEN(in_vec), NULL, 0); -- 
set_fmp_image_info(caller, handle); -+ set_fmp_image_info(caller); - break; - - case KERNEL_STARTED_EVENT: - ioctl_id = IOCTL_CORSTONE1000_FWU_HOST_ACK; - /*openamp call with IOCTL for kernel start*/ -- handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, -- TFM_SP_PLATFORM_IOCTL_VERSION); -- if (handle <= 0) { -- EMSG("%s Invalid handle", __func__); -- rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; -- return rpc_status; -- } -- psa_call(caller,handle, PSA_IPC_CALL, -+ -+ psa_call(caller,TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, - in_vec,IOVEC_LEN(in_vec), NULL, 0); -- set_fmp_image_info(caller, handle); -+ set_fmp_image_info(caller); - break; - default: - EMSG("%s unsupported opcode", __func__); -diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c -index 6a7a47a7..d811af9f 100644 ---- a/components/service/capsule_update/provider/corstone1000_fmp_service.c -+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c -@@ -238,8 +238,7 @@ static psa_status_t unpack_image_info(void *buffer, uint32_t size) - return PSA_SUCCESS; - } - --static psa_status_t get_image_info(struct rpc_caller *caller, -- psa_handle_t platform_service_handle) -+static psa_status_t get_image_info(struct rpc_caller *caller) - { - psa_status_t status; - psa_handle_t handle; -@@ -255,7 +254,7 @@ static psa_status_t get_image_info(struct rpc_caller *caller, - - memset(image_info_buffer, 0, IMAGE_INFO_BUFFER_SIZE); - -- psa_call(caller, platform_service_handle, PSA_IPC_CALL, -+ psa_call(caller, TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, - in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - - status = unpack_image_info(image_info_buffer, IMAGE_INFO_BUFFER_SIZE); -@@ -288,12 +287,11 @@ static psa_status_t set_image_info(struct rpc_caller *caller) - return PSA_SUCCESS; - } - --void set_fmp_image_info(struct rpc_caller *caller, -- psa_handle_t 
platform_service_handle) -+void set_fmp_image_info(struct rpc_caller *caller) - { - psa_status_t status; - -- status = get_image_info(caller, platform_service_handle); -+ status = get_image_info(caller); - if (status != PSA_SUCCESS) { - return; - } -diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h -index 95fba2a0..963223e8 100644 ---- a/components/service/capsule_update/provider/corstone1000_fmp_service.h -+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h -@@ -16,8 +16,7 @@ extern "C" { - - void provision_fmp_variables_metadata(struct rpc_caller *caller); - --void set_fmp_image_info(struct rpc_caller *caller, -- psa_handle_t platform_service_handle); -+void set_fmp_image_info(struct rpc_caller *caller); - - #ifdef __cplusplus - } /* extern "C" */ -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 7a29cc25..8103a9af 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -37,6 +37,12 @@ extern "C" { - #define TFM_CRYPTO_VERSION (1U) - #define TFM_CRYPTO_HANDLE (0x40000100U) - -+ -+/******** TFM_PLATFORM_SERVICE *******/ -+#define TFM_PLATFORM_API_ID_IOCTL (1013) -+#define TFM_PLATFORM_SERVICE_HANDLE (0x40000105U) -+ -+ - /** - * \brief Define a progressive numerical value for each SID which can be used - * when dispatching the requests to the service --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch deleted file mode 100644 index 7e65de8698..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch +++ /dev/null 
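Review bot: with the `if (handle <= 0)` blocks removed from event_handler, neither CAPSULE_UPDATE_REQUEST nor KERNEL_STARTED_EVENT has any error path left: the psa_call return value is still discarded on the line that now reads `psa_call(caller,TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL,`, and set_fmp_image_info(caller) runs even if the IOCTL failed. Capturing the psa_status_t and returning TS_RPC_ERROR_INVALID_PARAMETER with an EMSG on failure, as the removed code did for a bad handle, would restore that check. Also, `psa_handle_t handle;` in get_image_info is now an unused local after the stateless change and should be dropped.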
@@ -1,413 +0,0 @@ -From ca7d37502f9453125aead14c7ee5181336cbe8f4 Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker -Date: Thu, 9 Feb 2023 00:22:40 +0000 -Subject: [PATCH 1/3] TF-Mv1.7 alignment: Align PSA Crypto SIDs - -This patch is to change the PSA Crypto SIDs to match the values of the -PSA Crypto SID definitions in TF-M v1.7 running on the secure enclave - -Signed-off-by: Mohamed Omar Asaker -Upstream-Status: Pending [Not submitted yet] ---- - .../service/common/include/psa/crypto_sid.h | 241 ++++++++++++++++++ - components/service/common/include/psa/sid.h | 78 +----- - .../caller/psa_ipc/crypto_caller_sign_hash.h | 4 +- - .../psa_ipc/crypto_caller_verify_hash.h | 4 +- - 4 files changed, 249 insertions(+), 78 deletions(-) - create mode 100644 components/service/common/include/psa/crypto_sid.h - -diff --git a/components/service/common/include/psa/crypto_sid.h b/components/service/common/include/psa/crypto_sid.h -new file mode 100644 -index 00000000..5b05f46d ---- /dev/null -+++ b/components/service/common/include/psa/crypto_sid.h -@@ -0,0 +1,241 @@ -+/* -+ * Copyright (c) 2023, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __PSA_CRYPTO_SID_H__ -+#define __PSA_CRYPTO_SID_H__ -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+#include -+ -+/** -+ * \brief Type associated to the group of a function encoding. There can be -+ * nine groups (Random, Key management, Hash, MAC, Cipher, AEAD, -+ * Asym sign, Asym encrypt, Key derivation). 
-+ */ -+enum tfm_crypto_group_id { -+ TFM_CRYPTO_GROUP_ID_RANDOM = 0x0, -+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, -+ TFM_CRYPTO_GROUP_ID_HASH, -+ TFM_CRYPTO_GROUP_ID_MAC, -+ TFM_CRYPTO_GROUP_ID_CIPHER, -+ TFM_CRYPTO_GROUP_ID_AEAD, -+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN, -+ TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT, -+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, -+}; -+ -+/* X macro describing each of the available PSA Crypto APIs */ -+#define KEY_MANAGEMENT_FUNCS \ -+ X(TFM_CRYPTO_GET_KEY_ATTRIBUTES) \ -+ X(TFM_CRYPTO_RESET_KEY_ATTRIBUTES) \ -+ X(TFM_CRYPTO_OPEN_KEY) \ -+ X(TFM_CRYPTO_CLOSE_KEY) \ -+ X(TFM_CRYPTO_IMPORT_KEY) \ -+ X(TFM_CRYPTO_DESTROY_KEY) \ -+ X(TFM_CRYPTO_EXPORT_KEY) \ -+ X(TFM_CRYPTO_EXPORT_PUBLIC_KEY) \ -+ X(TFM_CRYPTO_PURGE_KEY) \ -+ X(TFM_CRYPTO_COPY_KEY) \ -+ X(TFM_CRYPTO_GENERATE_KEY) -+ -+#define HASH_FUNCS \ -+ X(TFM_CRYPTO_HASH_COMPUTE) \ -+ X(TFM_CRYPTO_HASH_COMPARE) \ -+ X(TFM_CRYPTO_HASH_SETUP) \ -+ X(TFM_CRYPTO_HASH_UPDATE) \ -+ X(TFM_CRYPTO_HASH_CLONE) \ -+ X(TFM_CRYPTO_HASH_FINISH) \ -+ X(TFM_CRYPTO_HASH_VERIFY) \ -+ X(TFM_CRYPTO_HASH_ABORT) -+ -+#define MAC_FUNCS \ -+ X(TFM_CRYPTO_MAC_COMPUTE) \ -+ X(TFM_CRYPTO_MAC_VERIFY) \ -+ X(TFM_CRYPTO_MAC_SIGN_SETUP) \ -+ X(TFM_CRYPTO_MAC_VERIFY_SETUP) \ -+ X(TFM_CRYPTO_MAC_UPDATE) \ -+ X(TFM_CRYPTO_MAC_SIGN_FINISH) \ -+ X(TFM_CRYPTO_MAC_VERIFY_FINISH) \ -+ X(TFM_CRYPTO_MAC_ABORT) -+ -+#define CIPHER_FUNCS \ -+ X(TFM_CRYPTO_CIPHER_ENCRYPT) \ -+ X(TFM_CRYPTO_CIPHER_DECRYPT) \ -+ X(TFM_CRYPTO_CIPHER_ENCRYPT_SETUP) \ -+ X(TFM_CRYPTO_CIPHER_DECRYPT_SETUP) \ -+ X(TFM_CRYPTO_CIPHER_GENERATE_IV) \ -+ X(TFM_CRYPTO_CIPHER_SET_IV) \ -+ X(TFM_CRYPTO_CIPHER_UPDATE) \ -+ X(TFM_CRYPTO_CIPHER_FINISH) \ -+ X(TFM_CRYPTO_CIPHER_ABORT) -+ -+#define AEAD_FUNCS \ -+ X(TFM_CRYPTO_AEAD_ENCRYPT) \ -+ X(TFM_CRYPTO_AEAD_DECRYPT) \ -+ X(TFM_CRYPTO_AEAD_ENCRYPT_SETUP) \ -+ X(TFM_CRYPTO_AEAD_DECRYPT_SETUP) \ -+ X(TFM_CRYPTO_AEAD_GENERATE_NONCE) \ -+ X(TFM_CRYPTO_AEAD_SET_NONCE) \ -+ X(TFM_CRYPTO_AEAD_SET_LENGTHS) \ -+ X(TFM_CRYPTO_AEAD_UPDATE_AD) 
\ -+ X(TFM_CRYPTO_AEAD_UPDATE) \ -+ X(TFM_CRYPTO_AEAD_FINISH) \ -+ X(TFM_CRYPTO_AEAD_VERIFY) \ -+ X(TFM_CRYPTO_AEAD_ABORT) -+ -+#define ASYMMETRIC_SIGN_FUNCS \ -+ X(TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE) \ -+ X(TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE) \ -+ X(TFM_CRYPTO_ASYMMETRIC_SIGN_HASH) \ -+ X(TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH) -+ -+#define AYSMMETRIC_ENCRYPT_FUNCS \ -+ X(TFM_CRYPTO_ASYMMETRIC_ENCRYPT) \ -+ X(TFM_CRYPTO_ASYMMETRIC_DECRYPT) -+ -+#define KEY_DERIVATION_FUNCS \ -+ X(TFM_CRYPTO_RAW_KEY_AGREEMENT) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_SETUP) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_ABORT) -+ -+#define RANDOM_FUNCS \ -+ X(TFM_CRYPTO_GENERATE_RANDOM) -+ -+/* -+ * Define function IDs in each group. The function ID will be encoded into -+ * tfm_crypto_func_sid below. -+ * Each group is defined as a dedicated enum in case the total number of -+ * PSA Crypto APIs exceeds 256. -+ */ -+#define X(func_id) func_id, -+enum tfm_crypto_key_management_func_id { -+ KEY_MANAGEMENT_FUNCS -+}; -+enum tfm_crypto_hash_func_id { -+ HASH_FUNCS -+}; -+enum tfm_crypto_mac_func_id { -+ MAC_FUNCS -+}; -+enum tfm_crypto_cipher_func_id { -+ CIPHER_FUNCS -+}; -+enum tfm_crypto_aead_func_id { -+ AEAD_FUNCS -+}; -+enum tfm_crypto_asym_sign_func_id { -+ ASYMMETRIC_SIGN_FUNCS -+}; -+enum tfm_crypto_asym_encrypt_func_id { -+ AYSMMETRIC_ENCRYPT_FUNCS -+}; -+enum tfm_crypto_key_derivation_func_id { -+ KEY_DERIVATION_FUNCS -+}; -+enum tfm_crypto_random_func_id { -+ RANDOM_FUNCS -+}; -+#undef X -+ -+#define FUNC_ID(func_id) (((func_id) & 0xFF) << 8) -+ -+/* -+ * Numerical progressive value identifying a function API exposed through -+ * the interfaces (S or NS). 
It's used to dispatch the requests from S/NS -+ * to the corresponding API implementation in the Crypto service backend. -+ * -+ * Each function SID is encoded as uint16_t. -+ * | Func ID | Group ID | -+ * 15 8 7 0 -+ * Func ID is defined in each group func_id enum above -+ * Group ID is defined in tfm_crypto_group_id. -+ */ -+enum tfm_crypto_func_sid { -+ -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT & 0xFF)), -+ -+ KEY_MANAGEMENT_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_HASH & 0xFF)), -+ HASH_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_MAC & 0xFF)), -+ MAC_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_CIPHER & 0xFF)), -+ CIPHER_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_AEAD & 0xFF)), -+ AEAD_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_ASYM_SIGN & 0xFF)), -+ ASYMMETRIC_SIGN_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT & 0xFF)), -+ AYSMMETRIC_ENCRYPT_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_KEY_DERIVATION & 0xFF)), -+ KEY_DERIVATION_FUNCS -+ -+#undef X -+#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -+ (TFM_CRYPTO_GROUP_ID_RANDOM & 0xFF)), -+ RANDOM_FUNCS -+ -+}; -+#undef X -+ -+/** -+ * \brief Define an invalid value for an SID -+ * -+ */ -+#define TFM_CRYPTO_SID_INVALID (~0x0u) -+ -+/** -+ * \brief This value is used to mark an handle as invalid. 
-+ * -+ */ -+#define TFM_CRYPTO_INVALID_HANDLE (0x0u) -+ -+/** -+ * \brief Define miscellaneous literal constants that are used in the service -+ * -+ */ -+enum { -+ TFM_CRYPTO_NOT_IN_USE = 0, -+ TFM_CRYPTO_IN_USE = 1 -+}; -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __PSA_CRYPTO_SID_H__ */ -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 8103a9af..50ad070e 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2019-2021, Arm Limited. All rights reserved. -+ * Copyright (c) 2019-2023, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -12,6 +12,9 @@ - extern "C" { - #endif - -+/******** PSA Crypto SIDs ********/ -+#include "crypto_sid.h" -+ - /******** TFM_SP_PS ********/ - #define TFM_PROTECTED_STORAGE_SERVICE_SID (0x00000060U) - #define TFM_PROTECTED_STORAGE_SERVICE_VERSION (1U) -@@ -43,79 +46,6 @@ extern "C" { - #define TFM_PLATFORM_SERVICE_HANDLE (0x40000105U) - - --/** -- * \brief Define a progressive numerical value for each SID which can be used -- * when dispatching the requests to the service -- */ --enum { -- TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID = (0u), -- TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID, -- TFM_CRYPTO_OPEN_KEY_SID, -- TFM_CRYPTO_CLOSE_KEY_SID, -- TFM_CRYPTO_IMPORT_KEY_SID, -- TFM_CRYPTO_DESTROY_KEY_SID, -- TFM_CRYPTO_EXPORT_KEY_SID, -- TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -- TFM_CRYPTO_PURGE_KEY_SID, -- TFM_CRYPTO_COPY_KEY_SID, -- TFM_CRYPTO_HASH_COMPUTE_SID, -- TFM_CRYPTO_HASH_COMPARE_SID, -- TFM_CRYPTO_HASH_SETUP_SID, -- TFM_CRYPTO_HASH_UPDATE_SID, -- TFM_CRYPTO_HASH_FINISH_SID, -- TFM_CRYPTO_HASH_VERIFY_SID, -- TFM_CRYPTO_HASH_ABORT_SID, -- TFM_CRYPTO_HASH_CLONE_SID, -- TFM_CRYPTO_MAC_COMPUTE_SID, -- TFM_CRYPTO_MAC_VERIFY_SID, -- TFM_CRYPTO_MAC_SIGN_SETUP_SID, -- TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -- TFM_CRYPTO_MAC_UPDATE_SID, -- 
TFM_CRYPTO_MAC_SIGN_FINISH_SID, -- TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -- TFM_CRYPTO_MAC_ABORT_SID, -- TFM_CRYPTO_CIPHER_ENCRYPT_SID, -- TFM_CRYPTO_CIPHER_DECRYPT_SID, -- TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -- TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -- TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -- TFM_CRYPTO_CIPHER_SET_IV_SID, -- TFM_CRYPTO_CIPHER_UPDATE_SID, -- TFM_CRYPTO_CIPHER_FINISH_SID, -- TFM_CRYPTO_CIPHER_ABORT_SID, -- TFM_CRYPTO_AEAD_ENCRYPT_SID, -- TFM_CRYPTO_AEAD_DECRYPT_SID, -- TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -- TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -- TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -- TFM_CRYPTO_AEAD_SET_NONCE_SID, -- TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -- TFM_CRYPTO_AEAD_UPDATE_AD_SID, -- TFM_CRYPTO_AEAD_UPDATE_SID, -- TFM_CRYPTO_AEAD_FINISH_SID, -- TFM_CRYPTO_AEAD_VERIFY_SID, -- TFM_CRYPTO_AEAD_ABORT_SID, -- TFM_CRYPTO_SIGN_MESSAGE_SID, -- TFM_CRYPTO_VERIFY_MESSAGE_SID, -- TFM_CRYPTO_SIGN_HASH_SID, -- TFM_CRYPTO_VERIFY_HASH_SID, -- TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -- TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -- TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -- TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -- TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -- TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -- TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -- TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -- TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -- TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -- TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -- TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -- TFM_CRYPTO_GENERATE_RANDOM_SID, -- TFM_CRYPTO_GENERATE_KEY_SID, -- TFM_CRYPTO_SID_MAX, --}; -- - /******** TFM_SP_PLATFORM ********/ - #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) - #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -index e4a2b167..9276748d 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -+++ 
b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -37,7 +37,7 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_SIGN_HASH_SID, -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID, - .key_id = id, - .alg = alg, - }; -@@ -70,7 +70,7 @@ static inline psa_status_t crypto_caller_sign_message(struct service_client *con - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_SIGN_MESSAGE_SID, -+ .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -index cc9279ee..bcd8e0e4 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -63,7 +63,7 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont - { - - return crypto_caller_common(context,id,alg,hash,hash_length, -- signature,signature_length, TFM_CRYPTO_VERIFY_HASH_SID); -+ signature,signature_length, TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH_SID); - } - - static inline psa_status_t crypto_caller_verify_message(struct service_client *context, -@@ -76,7 +76,7 @@ static inline psa_status_t crypto_caller_verify_message(struct service_client *c - { - - return crypto_caller_common(context,id,alg,hash,hash_length, -- signature,signature_length, TFM_CRYPTO_VERIFY_MESSAGE_SID); -+ signature,signature_length, TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE_SID); - } - - #ifdef __cplusplus --- -2.25.1 - 
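Review bot: `TFM_CRYPTO_SID_INVALID` is defined as `(~0x0u)` in the removed crypto_sid.h, but every member of `tfm_crypto_func_sid` in the same hunk is cast to `uint16_t` and the header comment states that each SID is encoded as a `uint16_t`. A `uint16_t` holding an SID promotes to at most 0xFFFF and can never compare equal to 0xFFFFFFFF, so an "is this SID invalid" test on a 16-bit variable would always be false. Either define the sentinel as a 16-bit value (`((uint16_t)~0x0u)`) or document that it is only meaningful for 32-bit holders of an SID.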
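Review bot: the X-macro list name `AYSMMETRIC_ENCRYPT_FUNCS` in the `tfm_crypto_func_sid` enum is spelled inconsistently with the other group lists (`ASYMMETRIC_SIGN_FUNCS`, `KEY_DERIVATION_FUNCS`, ...). Its definition is outside the visible hunk; if the list macro is defined with the same misspelling the enum still expands, but if it is defined as `ASYMMETRIC_ENCRYPT_FUNCS` the asymmetric encrypt/decrypt SIDs are silently dropped from the enum and `TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID` / `TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID`, which the callers below still reference, fail to resolve. Confirm the spelling matches the definition and fix both places.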
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch deleted file mode 100644 index ecea236403..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch +++ /dev/null 
@@ -1,655 +0,0 @@ -From a3e203136e7c552069ae582273e0540a219c105f Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker -Date: Thu, 9 Feb 2023 00:01:06 +0000 -Subject: [PATCH 2/3] TF-Mv1.7 alignment: Align crypto iovec definition - -This patch is to align psa_ipc_crypto_pack_iovec with TF-M v1.7 -And propagate changes accross psa_ipc functions -More accuratly change sfn_id to function_id - -Signed-off-by: Mohamed Omar Asaker -Upstream-Status: Pending [Not submitted yet] ---- - .../backend/psa_ipc/crypto_ipc_backend.h | 34 +++++++++---------- - .../caller/psa_ipc/crypto_caller_aead.h | 24 ++++++------- - .../crypto_caller_asymmetric_decrypt.h | 2 +- - .../crypto_caller_asymmetric_encrypt.h | 2 +- - .../caller/psa_ipc/crypto_caller_cipher.h | 14 ++++---- - .../caller/psa_ipc/crypto_caller_copy_key.h | 2 +- - .../psa_ipc/crypto_caller_destroy_key.h | 2 +- - .../caller/psa_ipc/crypto_caller_export_key.h | 2 +- - .../psa_ipc/crypto_caller_export_public_key.h | 2 +- - .../psa_ipc/crypto_caller_generate_key.h | 2 +- - .../psa_ipc/crypto_caller_generate_random.h | 2 +- - .../crypto_caller_get_key_attributes.h | 2 +- - .../caller/psa_ipc/crypto_caller_hash.h | 12 +++---- - .../caller/psa_ipc/crypto_caller_import_key.h | 2 +- - .../psa_ipc/crypto_caller_key_derivation.h | 20 +++++------ - .../client/caller/psa_ipc/crypto_caller_mac.h | 12 +++---- - .../caller/psa_ipc/crypto_caller_purge_key.h | 2 +- - .../caller/psa_ipc/crypto_caller_sign_hash.h | 4 +-- - .../psa_ipc/crypto_caller_verify_hash.h | 4 +-- - 19 files changed, 73 insertions(+), 73 deletions(-) - -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -index ec25eaf8..aacd3fcc 100644 ---- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -28,23 +28,23 @@ struct psa_ipc_crypto_aead_pack_input { - }; - - struct psa_ipc_crypto_pack_iovec { -- 
uint32_t sfn_id; /*!< Secure function ID used to dispatch the -- * request -- */ -- uint16_t step; /*!< Key derivation step */ -- psa_key_id_t key_id; /*!< Key id */ -- psa_algorithm_t alg; /*!< Algorithm */ -- uint32_t op_handle; /*!< Frontend context handle associated to a -- * multipart operation -- */ -- uint32_t capacity; /*!< Key derivation capacity */ -- uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ -- uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ -- struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for -- * AEAD until the API is -- * restructured -- */ --}; -+ psa_key_id_t key_id; /*!< Key id */ -+ psa_algorithm_t alg; /*!< Algorithm */ -+ uint32_t op_handle; /*!< Frontend context handle associated to a -+ * multipart operation -+ */ -+ uint32_t capacity; /*!< Key derivation capacity */ -+ uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ -+ uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ -+ -+ struct psa_ipc_crypto_aead_pack_input aead_in; /*!< Packs AEAD-related inputs */ -+ -+ uint16_t function_id; /*!< Used to identify the function in the -+ * API dispatcher to the service backend -+ * See tfm_crypto_func_sid for detail -+ */ -+ uint16_t step; /*!< Key derivation step */ -+}__packed; - - #define iov_size sizeof(struct psa_ipc_crypto_pack_iovec) - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -index f6aadd8b..efdffdf7 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -44,7 +44,7 @@ static inline psa_status_t crypto_caller_aead_encrypt( - size_t in_len; - int i; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID, -+ .function_id = TFM_CRYPTO_AEAD_ENCRYPT_SID, - .key_id = key, - .alg = alg, 
- .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -@@ -105,7 +105,7 @@ static inline psa_status_t crypto_caller_aead_decrypt( - size_t in_len; - int i; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID, -+ .function_id = TFM_CRYPTO_AEAD_DECRYPT_SID, - .key_id = key, - .alg = alg, - .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, -@@ -156,7 +156,7 @@ static inline psa_status_t crypto_caller_aead_encrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = (*op_handle), -@@ -185,7 +185,7 @@ static inline psa_status_t crypto_caller_aead_decrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = (*op_handle), -@@ -214,7 +214,7 @@ static inline psa_status_t crypto_caller_aead_generate_nonce( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, -+ .function_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, - .op_handle = op_handle, - }; - -@@ -243,7 +243,7 @@ static inline psa_status_t crypto_caller_aead_set_nonce( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_SET_NONCE_SID, -+ .function_id = TFM_CRYPTO_AEAD_SET_NONCE_SID, - .op_handle = op_handle, - }; - -@@ -270,7 +270,7 @@ static inline psa_status_t crypto_caller_aead_set_lengths( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID, -+ .function_id = 
TFM_CRYPTO_AEAD_SET_LENGTHS_SID, - .ad_length = ad_length, - .plaintext_length = plaintext_length, - .op_handle = op_handle, -@@ -299,7 +299,7 @@ static inline psa_status_t crypto_caller_aead_update_ad( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID, -+ .function_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID, - .op_handle = op_handle, - }; - -@@ -339,7 +339,7 @@ static inline psa_status_t crypto_caller_aead_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_UPDATE_SID, -+ .function_id = TFM_CRYPTO_AEAD_UPDATE_SID, - .op_handle = op_handle, - }; - -@@ -383,7 +383,7 @@ static inline psa_status_t crypto_caller_aead_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_FINISH_SID, -+ .function_id = TFM_CRYPTO_AEAD_FINISH_SID, - .op_handle = op_handle, - }; - -@@ -436,7 +436,7 @@ static inline psa_status_t crypto_caller_aead_verify( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_VERIFY_SID, -+ .function_id = TFM_CRYPTO_AEAD_VERIFY_SID, - .op_handle = op_handle, - }; - -@@ -482,7 +482,7 @@ static inline psa_status_t crypto_caller_aead_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_AEAD_ABORT_SID, -+ .function_id = TFM_CRYPTO_AEAD_ABORT_SID, - .op_handle = op_handle, - }; - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -index ff01815c..c387eb55 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -+++ 
b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h -@@ -38,7 +38,7 @@ static inline psa_status_t crypto_caller_asymmetric_decrypt( - psa_status_t status; - size_t in_len; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -index 1daf1689..8eb3de45 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h -@@ -38,7 +38,7 @@ static inline psa_status_t crypto_caller_asymmetric_encrypt( - psa_status_t status; - size_t in_len; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -index fbefb28d..20aa46a5 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_cipher_encrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -62,7 +62,7 @@ static inline psa_status_t crypto_caller_cipher_decrypt_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = 
TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, -+ .function_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -91,7 +91,7 @@ static inline psa_status_t crypto_caller_cipher_generate_iv( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_GENERATE_IV_SID, -+ .function_id = TFM_CRYPTO_CIPHER_GENERATE_IV_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -120,7 +120,7 @@ static inline psa_status_t crypto_caller_cipher_set_iv( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_SET_IV_SID, -+ .function_id = TFM_CRYPTO_CIPHER_SET_IV_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -150,7 +150,7 @@ static inline psa_status_t crypto_caller_cipher_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_UPDATE_SID, -+ .function_id = TFM_CRYPTO_CIPHER_UPDATE_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -181,7 +181,7 @@ static inline psa_status_t crypto_caller_cipher_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_FINISH_SID, -+ .function_id = TFM_CRYPTO_CIPHER_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -208,7 +208,7 @@ static inline psa_status_t crypto_caller_cipher_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_CIPHER_ABORT_SID, -+ .function_id = TFM_CRYPTO_CIPHER_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h 
b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -index 9a988171..48157d7e 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_copy_key(struct service_client *context - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_COPY_KEY_SID, -+ .function_id = TFM_CRYPTO_COPY_KEY_SID, - .key_id = source_key, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -index d00f4faa..6d0a05e6 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h -@@ -31,7 +31,7 @@ static inline psa_status_t crypto_caller_destroy_key(struct service_client *cont - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_DESTROY_KEY_SID, -+ .function_id = TFM_CRYPTO_DESTROY_KEY_SID, - .key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -index 8ac5477f..9a6b7013 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_export_key(struct service_client *conte - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_EXPORT_KEY_SID, -+ .function_id = TFM_CRYPTO_EXPORT_KEY_SID, - 
.key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -index b24c47f1..52bdd757 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_export_public_key(struct service_client - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, -+ .function_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, - .key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -index 1b66ed40..7ed1673b 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h -@@ -32,7 +32,7 @@ static inline psa_status_t crypto_caller_generate_key(struct service_client *con - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_GENERATE_KEY_SID, -+ .function_id = TFM_CRYPTO_GENERATE_KEY_SID, - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -index 7c538237..4fb87aa8 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h -@@ -32,7 +32,7 @@ 
static inline psa_status_t crypto_caller_generate_random(struct service_client * - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_GENERATE_RANDOM_SID, -+ .function_id = TFM_CRYPTO_GENERATE_RANDOM_SID, - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -index 22f1d18f..2caa3bd3 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_get_key_attributes( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, -+ .function_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, - .key_id = key, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -index 9f37908a..4fb60d44 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_hash_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_SETUP_SID, -+ .function_id = TFM_CRYPTO_HASH_SETUP_SID, - .alg = alg, - .op_handle = *op_handle, - }; -@@ -60,7 +60,7 @@ static inline psa_status_t crypto_caller_hash_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = 
TFM_CRYPTO_HASH_UPDATE_SID, -+ .function_id = TFM_CRYPTO_HASH_UPDATE_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -88,7 +88,7 @@ static inline psa_status_t crypto_caller_hash_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_FINISH_SID, -+ .function_id = TFM_CRYPTO_HASH_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -115,7 +115,7 @@ static inline psa_status_t crypto_caller_hash_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_ABORT_SID, -+ .function_id = TFM_CRYPTO_HASH_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -141,7 +141,7 @@ static inline psa_status_t crypto_caller_hash_verify( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_VERIFY_SID, -+ .function_id = TFM_CRYPTO_HASH_VERIFY_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -167,7 +167,7 @@ static inline psa_status_t crypto_caller_hash_clone( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_HASH_CLONE_SID, -+ .function_id = TFM_CRYPTO_HASH_CLONE_SID, - .op_handle = source_op_handle, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -index d4703366..1458163c 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_import_key(struct service_client *conte - struct rpc_caller *caller = ipc->caller; - psa_status_t 
status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_IMPORT_KEY_SID, -+ .function_id = TFM_CRYPTO_IMPORT_KEY_SID, - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -index 5ce4fb6c..16be9916 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h -@@ -33,7 +33,7 @@ static inline psa_status_t crypto_caller_key_derivation_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, - .alg = alg, - .op_handle = *op_handle, - }; -@@ -59,7 +59,7 @@ static inline psa_status_t crypto_caller_key_derivation_get_capacity( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -84,7 +84,7 @@ static inline psa_status_t crypto_caller_key_derivation_set_capacity( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, - .capacity = capacity, - .op_handle = op_handle, - }; -@@ -109,7 +109,7 @@ static inline psa_status_t crypto_caller_key_derivation_input_bytes( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, -+ 
.function_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, - .step = step, - .op_handle = op_handle, - }; -@@ -134,7 +134,7 @@ static inline psa_status_t crypto_caller_key_derivation_input_key( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, - .key_id = key, - .step = step, - .op_handle = op_handle, -@@ -159,7 +159,7 @@ static inline psa_status_t crypto_caller_key_derivation_output_bytes( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -185,7 +185,7 @@ static inline psa_status_t crypto_caller_key_derivation_output_key( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -211,7 +211,7 @@ static inline psa_status_t crypto_caller_key_derivation_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -239,7 +239,7 @@ static inline psa_status_t crypto_caller_key_derivation_key_agreement( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, -+ .function_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, - .key_id = private_key, - .step = step, - .op_handle = op_handle, -@@ -270,7 +270,7 
@@ static inline psa_status_t crypto_caller_raw_key_agreement( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, -+ .function_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, - .alg = alg, - .key_id = private_key, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -index 3a820192..30222800 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h -@@ -34,7 +34,7 @@ static inline psa_status_t crypto_caller_mac_sign_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID, -+ .function_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -62,7 +62,7 @@ static inline psa_status_t crypto_caller_mac_verify_setup( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID, -+ .function_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID, - .key_id = key, - .alg = alg, - .op_handle = *op_handle, -@@ -90,7 +90,7 @@ static inline psa_status_t crypto_caller_mac_update( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_UPDATE_SID, -+ .function_id = TFM_CRYPTO_MAC_UPDATE_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -118,7 +118,7 @@ static inline psa_status_t crypto_caller_mac_sign_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_SIGN_FINISH_SID, -+ .function_id = TFM_CRYPTO_MAC_SIGN_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] 
= { -@@ -147,7 +147,7 @@ static inline psa_status_t crypto_caller_mac_verify_finish( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SID, -+ .function_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -@@ -172,7 +172,7 @@ static inline psa_status_t crypto_caller_mac_abort( - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_MAC_ABORT_SID, -+ .function_id = TFM_CRYPTO_MAC_ABORT_SID, - .op_handle = op_handle, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -index a3a796e2..f6ab0978 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h -@@ -31,7 +31,7 @@ static inline psa_status_t crypto_caller_purge_key(struct service_client *contex - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_PURGE_KEY_SID, -+ .function_id = TFM_CRYPTO_PURGE_KEY_SID, - .key_id = id, - }; - struct psa_invec in_vec[] = { -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -index 9276748d..8b53e3dc 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h -@@ -37,7 +37,7 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = 
TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID, - .key_id = id, - .alg = alg, - }; -@@ -70,7 +70,7 @@ static inline psa_status_t crypto_caller_sign_message(struct service_client *con - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID, -+ .function_id = TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID, - .key_id = id, - .alg = alg, - }; -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -index bcd8e0e4..c9ed865b 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h -@@ -31,13 +31,13 @@ static inline psa_status_t crypto_caller_common(struct service_client *context, - size_t hash_length, - const uint8_t *signature, - size_t signature_length, -- uint32_t sfn_id) -+ uint32_t function_id) - { - struct service_client *ipc = context; - struct rpc_caller *caller = ipc->caller; - psa_status_t status; - struct psa_ipc_crypto_pack_iovec iov = { -- .sfn_id = sfn_id, -+ .function_id = function_id, - .key_id = id, - .alg = alg, - }; --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch deleted file mode 100644 index 0dcdd5da2c..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch +++ /dev/null 
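Review bot: deleting 0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch drops the `.sfn_id` to `.function_id` rename in every psa_ipc crypto caller shown above (raw_key_agreement, the MAC setup/update/finish/abort callers, purge_key, sign_hash/sign_message and the `uint32_t function_id` parameter of `crypto_caller_common` in crypto_caller_verify_hash.h). That is only safe if the trusted-services revision now being built already carries the TF-M v1.7 `psa_ipc_crypto_pack_iovec` layout; the SRCREV bump that would justify removing 0024/0025/0026 is not in this hunk, so the commit message should name the upstream trusted-services commit that makes them redundant, otherwise the corstone1000 SE proxy and the TF-M crypto partition would disagree on the iovec layout again.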
@@ -1,117 +0,0 @@ -From ee7e13dcc14110aa16f7c6453cfe72f088857ed2 Mon Sep 17 00:00:00 2001 -From: Mohamed Omar Asaker -Date: Thu, 9 Feb 2023 00:34:23 +0000 -Subject: [PATCH 3/3] TF-Mv1.7 alignment: PSA crypto client in/out_vec - -Few psa crypto operations have different in/out_vec expectations -This patch is fixing the differences between psa crypto client in TS -and psa crypto service in TF-M running on the secure enclave - -operations: -- aead_generate_nonce: TFM service doesn't expect op_handle in in_vec -- aead_update: TFM service doesn't expect op_handle in in_vec -- cipher_generate_iv: TFM service doesn't expect op_handle in in_vec -- cipher_update: TFM service doesn't expect op_handle in in_vec -- hash_clone: TFM service expects target_op_handle in the in_vec - rationale is target_op_handle according to the spec - must be initialized and not active. and since hash_clone - manipulates it. hence, target_op_handle should be passed - as input and output. - -Signed-off-by: Mohamed Omar Asaker -Upstream-Status: Pending [Not submitted yet] ---- - .../crypto/client/caller/psa_ipc/crypto_caller_aead.h | 6 ++---- - .../crypto/client/caller/psa_ipc/crypto_caller_cipher.h | 6 ++---- - .../crypto/client/caller/psa_ipc/crypto_caller_hash.h | 2 ++ - 3 files changed, 6 insertions(+), 8 deletions(-) - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -index efdffdf7..e862c2de 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h -@@ -222,14 +222,13 @@ static inline psa_status_t crypto_caller_aead_generate_nonce( - {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, - }; - struct psa_outvec out_vec[] = { -- {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, - {.base = psa_ptr_to_u32(nonce), .len = nonce_size} - }; - - status = 
psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - -- *nonce_length = out_vec[1].len; -+ *nonce_length = out_vec[0].len; - return status; - } - -@@ -353,7 +352,6 @@ static inline psa_status_t crypto_caller_aead_update( - {.base = psa_ptr_const_to_u32(input), .len = input_length} - }; - struct psa_outvec out_vec[] = { -- {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, - {.base = psa_ptr_const_to_u32(output), .len = output_size}, - }; - -@@ -365,7 +363,7 @@ static inline psa_status_t crypto_caller_aead_update( - status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - in_len, out_vec, IOVEC_LEN(out_vec)); - -- *output_length = out_vec[1].len; -+ *output_length = out_vec[0].len; - return status; - } - -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -index 20aa46a5..948865e4 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h -@@ -98,14 +98,13 @@ static inline psa_status_t crypto_caller_cipher_generate_iv( - { .base = psa_ptr_to_u32(&iov), .len = iov_size }, - }; - struct psa_outvec out_vec[] = { -- { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, - { .base = psa_ptr_to_u32(iv), .len = iv_size }, - }; - - status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - -- *iv_length = out_vec[1].len; -+ *iv_length = out_vec[0].len; - - return status; - } -@@ -158,14 +157,13 @@ static inline psa_status_t crypto_caller_cipher_update( - { .base = psa_ptr_const_to_u32(input), .len = input_length }, - }; - struct psa_outvec out_vec[] = { -- { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, - { .base = psa_ptr_to_u32(output), .len = output_size }, - }; - - status = psa_call(caller, 
TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, - IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); - -- *output_length = out_vec[1].len; -+ *output_length = out_vec[0].len; - - return status; - } -diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -index 4fb60d44..1e422130 100644 ---- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h -@@ -172,6 +172,8 @@ static inline psa_status_t crypto_caller_hash_clone( - }; - struct psa_invec in_vec[] = { - { .base = psa_ptr_to_u32(&iov), .len = iov_size }, -+ { .base = psa_ptr_to_u32(target_op_handle), -+ .len = sizeof(uint32_t) }, - }; - struct psa_outvec out_vec[] = { - { .base = psa_ptr_to_u32(target_op_handle), --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index 867bd66e4d..3535ddb60e 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc 
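Review bot: 0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch was marked `Upstream-Status: Pending [Not submitted yet]`, so deleting it needs a pointer to the upstream trusted-services change that now carries the same in/out_vec fixes: the removed `op_handle` out_vec entry in aead_generate_nonce, aead_update, cipher_generate_iv and cipher_update, the matching `out_vec[1].len` to `out_vec[0].len` index changes, and the extra `target_op_handle` in_vec entry in hash_clone. If upstream fixed these differently, the psa-crypto-api-test expectations in trusted_services.py should be re-checked, because a wrong out_vec index does not fail the call, it silently reports the wrong `*nonce_length`, `*iv_length` or `*output_length`.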
@@ -2,32 +2,13 @@ FILESEXTRAPATHS:prepend:corstone1000 := "${THISDIR}/corstone1000:" COMPATIBLE_MACHINE:corstone1000 = "corstone1000" SRC_URI:append:corstone1000 = " \ - file://0001-Add-openamp-to-SE-proxy-deployment.patch;patchdir=../trusted-services \ - file://0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch;patchdir=../trusted-services \ - file://0003-Add-openamp-rpc-caller.patch;patchdir=../trusted-services \ - file://0004-add-psa-client-definitions-for-ff-m.patch;patchdir=../trusted-services \ - file://0005-Add-common-service-component-to-ipc-support.patch;patchdir=../trusted-services \ - file://0006-Add-secure-storage-ipc-backend.patch;patchdir=../trusted-services \ - file://0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch;patchdir=../trusted-services \ - file://0008-Run-psa-arch-test.patch;patchdir=../trusted-services \ - file://0009-Use-address-instead-of-pointers.patch;patchdir=../trusted-services \ - file://0010-Add-psa-ipc-attestation-to-se-proxy.patch;patchdir=../trusted-services \ - file://0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch;patchdir=../trusted-services;patchdir=../trusted-services \ - file://0012-add-psa-ipc-crypto-backend.patch;patchdir=../trusted-services \ - file://0013-Add-stub-capsule-update-service-components.patch;patchdir=../trusted-services \ - file://0014-Configure-storage-size.patch;patchdir=../trusted-services \ - file://0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch;patchdir=../trusted-services;patchdir=../trusted-services \ - file://0016-Integrate-remaining-psa-ipc-client-APIs.patch;patchdir=../trusted-services \ - file://0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch;patchdir=../trusted-services;patchdir=../trusted-services \ - file://0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch;patchdir=../trusted-services \ - file://0019-plat-corstone1000-change-default-smm-values.patch;patchdir=../trusted-services \ - 
file://0020-FMP-Support-in-Corstone1000.patch;patchdir=../trusted-services \ - file://0021-smm_gateway-add-checks-for-null-attributes.patch;patchdir=../trusted-services \ - file://0022-GetNextVariableName-Fix.patch;patchdir=../trusted-services \ - file://0023-Use-the-stateless-platform-service.patch;patchdir=../trusted-services \ - file://0024-TF-Mv1.7-alignment-Align-PSA-Crypto-SIDs.patch;patchdir=../trusted-services \ - file://0025-TF-Mv1.7-alignment-Align-crypto-iovec-definition.patch;patchdir=../trusted-services \ - file://0026-TF-Mv1.7-alignment-PSA-crypto-client-in-out_vec.patch;patchdir=../trusted-services \ + file://0001-Add-stub-capsule-update-service-components.patch;patchdir=../trusted-services \ + file://0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch;patchdir=../trusted-services \ + file://0003-FMP-Support-in-Corstone1000.patch;patchdir=../trusted-services \ + file://0004-GetNextVariableName-Fix.patch;patchdir=../trusted-services \ + file://0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch;patchdir=../trusted-services \ + file://0006-plat-corstone1000-Use-the-stateless-platform-service.patch;patchdir=../trusted-services \ + file://0007-plat-corstone1000-Initialize-capsule-update-provider.patch;patchdir=../trusted-services \ " diff --git a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf index 7277817ddf..55c4cab457 100644 --- a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -23,6 +23,3 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" - -PREFERRED_VERSION_optee-os ?= "3.18.%" - diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py index a5f9376062..882989561d 100644 --- a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py 
+++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py @@ -3,25 +3,23 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotInDataVar class TrustedServicesTest(OERuntimeTestCase): - def run_test_tool(self, cmd, expected_status=0 ): + def run_test_tool(self, cmd, expected_status=0, expected_output=None ): """ Run a test utility """ status, output = self.target.run(cmd) self.assertEqual(status, expected_status, msg='\n'.join([cmd, output])) + if expected_output is not None: + self.assertEqual(output, expected_output, msg='\n'.join([cmd, output])) @OEHasPackage(['ts-demo']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_00_ts_demo(self): self.run_test_tool('ts-demo') - @OEHasPackage(['ts-service-test']) - @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_01_ts_service_test(self): - self.run_test_tool('ts-service-test') - @OEHasPackage(['ts-uefi-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_02_ts_uefi_test(self): @@ -30,7 +28,8 @@ class TrustedServicesTest(OERuntimeTestCase): @OEHasPackage(['ts-psa-crypto-api-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_03_psa_crypto_api_test(self): - # There are a few expected PSA Crypto tests failing + # There are a two expected PSA Crypto tests failures testing features + # TS will not support. self.run_test_tool('psa-crypto-api-test', expected_status=46) @OEHasPackage(['ts-psa-its-api-test']) 
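Review bot: in the ts-arm-platforms.inc hunk the corstone1000 patch list goes from 26 entries to 7, and apart from cleaning up the duplicated `;patchdir=../trusted-services;patchdir=../trusted-services` on the old 0011/0015/0017 lines it drops the whole openamp/MHU/psa-ipc/secure-storage series (old 0001-0012, 0014, 0016-0019, 0021 and 0024-0026) while renumbering the survivors (old 0018 is now 0002, 0020 is 0003, 0022 is 0004, 0023 is 0006) and adding two new ones (0005 ECP_DP compile definitions, 0007 capsule update provider init). Please record in the commit which trusted-services SRCREV absorbed the dropped patches so a reader can tell an upstreamed patch from a removed feature.

Review bot: removing `PREFERRED_VERSION_optee-os ?= "3.18.%"` from qemuarm64-secureboot.conf lets the machine pick up the default optee-os (3.20.0, judging by the new optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch in this same change); that is required because the TF-A side, feat-qemu-update-abi-between-spmd-and-spmc.patch, describes the SPMD/SPMC ABI change as incompatible. A one-line comment next to `MACHINE_FEATURES += "optee-ftpm"` saying that the TF-A and OP-TEE patches must move together would help the next person who pins optee-os again.

Review bot: in the first trusted_services.py hunk `run_test_tool` compares `output` with `expected_output` using `assertEqual` on the whole string, so any extra line from the target (a shell warning, a trailing blank line) fails the check; comparing `output.split()` against a list would make it whitespace-insensitive. The stray space in `expected_output=None )` is kept from the old signature. In the second hunk the new comment `# There are a two expected PSA Crypto tests failures` should read `There are two expected PSA Crypto test failures`, and it still does not say how two failures map to `expected_status=46`; one sentence on what the exit status encodes would save the next reader a trip into psa-arch-tests.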
@@ -48,3 +47,74 @@ class TrustedServicesTest(OERuntimeTestCase): @OETestDepends(['ssh.SSHTest.test_ssh']) def test_06_psa_iat_api_test(self): self.run_test_tool('psa-iat-api-test') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_09_ts_service_grp_check(self): + # If this test fails, available test groups in ts-service-test have changed and all + # tests using the test executable need to be double checked to ensure test group to + # TS SP mapping is still valid. + test_grp_list="FwuServiceTests PsServiceTests ItsServiceTests AttestationProvisioningTests" + test_grp_list+=" AttestationServiceTests CryptoKeyDerivationServicePackedcTests" + test_grp_list+=" CryptoMacServicePackedcTests CryptoCipherServicePackedcTests" + test_grp_list+=" CryptoHashServicePackedcTests CryptoServicePackedcTests" + test_grp_list+=" CryptoServiceProtobufTests CryptoServiceLimitTests" + test_grp_list+=" DiscoveryServiceTests" + self.run_test_tool('ts-service-test -lg', expected_output=test_grp_list) + + @OEHasPackage(['optee-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'optee-spmc-test', 'SPMC Test SPs are not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_07_spmc_test(self): + self.run_test_tool('xtest -t ffa_spmc') + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-fwu', 'FWU SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_10_fwu_service_tests(self): + self.run_test_tool('ts-service-test -g FwuServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_11_ps_service_tests(self): + if 'ts-storage' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g PsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def 
test_12_its_service_tests(self): + if 'ts-its' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Internal Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g ItsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_14_attestation_service_tests(self): + if 'ts-attestation' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Attestation SP is not included into OPTEE') + for grp in ["AttestationProvisioningTests", "AttestationServiceTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-crypto', 'Crypto SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_15_crypto_service_tests(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + for grp in ["CryptoKeyDerivationServicePackedcTests", "CryptoMacServicePackedcTests", \ + "CryptoCipherServicePackedcTests", "CryptoHashServicePackedcTests", \ + "CryptoServicePackedcTests", "CryptoServiceProtobufTests CryptoServiceLimitTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_16_discovery_service_test(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g DiscoveryServiceTests') diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch new file mode 100644 index 0000000000..50a57d6179 
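Review bot: in test_15_crypto_service_tests the group list contains `"CryptoServiceProtobufTests CryptoServiceLimitTests"` as one string, so the last iteration runs `ts-service-test -g CryptoServiceProtobufTests CryptoServiceLimitTests` with a stray positional argument instead of two separate `-g` runs; split it into two entries, as `test_grp_list` in test_09 already treats them as separate groups. The same test carries both `@skipIfNotInDataVar('MACHINE_FEATURES', 'ts-crypto', ...)` and the in-body `ts-crypto`/`ts-se-proxy` check; the decorator skips whenever `ts-crypto` is absent, which makes the `ts-se-proxy` alternative in the body unreachable, so drop one of the two (test_11, test_12 and test_14 use only the in-body form).

Review bot: test_09_ts_service_grp_check compares the literal output of `ts-service-test -lg` with `test_grp_list`, which is the right place to catch group renames, but the comment should also say the list must be kept in sync with the groups used by test_10 through test_16. The numbering is odd: test_07 is defined after test_09, and test_08 and test_13 are missing; unittest orders methods by name so this is harmless, but it reads as if tests were deleted. test_16_discovery_service_test reuses the Crypto SP skip condition and message; a short comment that discovery is served from the crypto SP would explain why.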
--- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch 
@@ -0,0 +1,67 @@ +From e1cbb35ad4655fe13ccb89247c81e850f6392c92 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing +Date: Mon, 13 Mar 2023 21:15:59 +0100 +Subject: Add spmc_manifest for qemu + +This version only supports embedded packaging. + +Upstream-Status: Inappropriate [other] + - The SPMC manifest is integration specific and should live at an + integration spcific place. The manifest file is processed by TF-A + and I am adding the patch to TF-A to keep things simple. + +Signed-off-by: Gyorgy Szing +--- + plat/qemu/fdts/optee_spmc_manifest.dts | 40 ++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + create mode 100644 plat/qemu/fdts/optee_spmc_manifest.dts + +diff --git a/plat/qemu/fdts/optee_spmc_manifest.dts b/plat/qemu/fdts/optee_spmc_manifest.dts +new file mode 100644 +index 000000000..ae2ae3d95 +--- /dev/null ++++ b/plat/qemu/fdts/optee_spmc_manifest.dts +@@ -0,0 +1,40 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++/* ++ * Copyright (c) 2023, Arm Limited. All rights reserved. ++ */ ++ ++/dts-v1/; ++ ++/ { ++ compatible = "arm,ffa-core-manifest-1.0"; ++ #address-cells = <2>; ++ #size-cells = <1>; ++ ++ attribute { ++ spmc_id = <0x8000>; ++ maj_ver = <0x1>; ++ min_ver = <0x0>; ++ exec_state = <0x0>; ++ load_address = <0x0 0x0e100000>; ++ entrypoint = <0x0 0x0e100000>; ++ binary_size = <0x80000>; ++ }; ++ ++/* ++ * This file will be preprocessed by TF-A's build system. If Measured Boot is ++ * enabled in TF-A's config, the build system will add the MEASURED_BOOT=1 macro ++ * to the preprocessor arguments. ++ */ ++#if MEASURED_BOOT ++ tpm_event_log { ++ compatible = "arm,tpm_event_log"; ++ tpm_event_log_addr = <0x0 0x0>; ++ tpm_event_log_size = <0x0>; ++ }; ++#endif ++ ++/* If the ARM_BL2_SP_LIST_DTS is defined, SPs should be loaded from FIP */ ++#ifdef ARM_BL2_SP_LIST_DTS ++ #error "FIP SP load addresses configuration is missing. ++#endif ++}; +-- +2.39.1.windows.1 + 
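Review bot: the `#ifdef ARM_BL2_SP_LIST_DTS` guard in optee_spmc_manifest.dts ends with `#error "FIP SP load addresses configuration is missing.` without a closing quote; cpp will still abort the build, but it also emits a missing terminating `"` warning, so close the string. The `attribute` node hard-codes `load_address`/`entrypoint` 0x0e100000, `binary_size` 0x80000 and `exec_state` 0x0, whereas the `qemu_spmd_manifest.c` removed by the companion TF-A patch derived `exec_state` from the OP-TEE header and used `BL32_LIMIT - BL32_BASE` for the size; `spmc_id` 0x8000 and version 1.0 do match the old C code. The addresses are presumably the BL32 placement selected by `BL32_RAM_LOCATION=tdram` in trusted-firmware-a_%.bbappend, and 512 KiB is now a fixed ceiling for OP-TEE plus its embedded SPs, so a comment recording where the numbers come from would prevent a silent mismatch when more SPs are embedded. Under `#if MEASURED_BOOT` the `tpm_event_log_addr`/`tpm_event_log_size` values are zero placeholders; the comment explains that TF-A preprocesses the file but not which stage fills these in at runtime (or whether they are unused on QEMU), and that should be stated.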
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch new file mode 100644 index 0000000000..7c851fd041 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch 
@@ -0,0 +1,263 @@ +From d215b0c08e51192baab96d75beaeacf3abf8724e Mon Sep 17 00:00:00 2001 +From: Jens Wiklander +Date: Fri, 18 Nov 2022 15:40:04 +0100 +Subject: feat(qemu): update abi between spmd and spmc + +Updates the ABI between SPMD and the SPMC at S-EL1 so that the hard +coded SPMC manifest can be replaced by a proper manifest via TOS FW +Config. TOS FW Config is provided via QEMU_TOS_FW_CONFIG_DTS as a DTS +file when building. The DTS is turned into a DTB which is added to the +FIP. + +Note that this is an incompatible change and requires corresponding +change in OP-TEE ("core: sel1 spmc: boot abi update"). + +Upstream-Status: Accepted + +Signed-off-by: Jens Wiklander +Change-Id: Ibabe78ef50a24f775492854ce5ac54e4d471e369 +--- + plat/qemu/common/qemu_bl2_mem_params_desc.c | 18 +++++++++++- + plat/qemu/common/qemu_bl2_setup.c | 32 +++++++++++++-------- + plat/qemu/common/qemu_io_storage.c | 16 ++++++++++- + plat/qemu/common/qemu_spmd_manifest.c | 31 -------------------- + plat/qemu/qemu/include/platform_def.h | 3 ++ + plat/qemu/qemu/platform.mk | 12 +++++++- + 6 files changed, 66 insertions(+), 46 deletions(-) + delete mode 100644 plat/qemu/common/qemu_spmd_manifest.c + +diff --git a/plat/qemu/common/qemu_bl2_mem_params_desc.c b/plat/qemu/common/qemu_bl2_mem_params_desc.c +index 5af3a2264..8d8047c92 100644 +--- a/plat/qemu/common/qemu_bl2_mem_params_desc.c ++++ b/plat/qemu/common/qemu_bl2_mem_params_desc.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved. 
+ * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -122,6 +122,22 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { + #endif + .next_handoff_image_id = INVALID_IMAGE_ID, + }, ++ ++#if defined(SPD_spmd) ++ /* Fill TOS_FW_CONFIG related information */ ++ { ++ .image_id = TOS_FW_CONFIG_ID, ++ SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY, ++ VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE), ++ SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY, ++ VERSION_2, image_info_t, 0), ++ .image_info.image_base = TOS_FW_CONFIG_BASE, ++ .image_info.image_max_size = TOS_FW_CONFIG_LIMIT - ++ TOS_FW_CONFIG_BASE, ++ .next_handoff_image_id = INVALID_IMAGE_ID, ++ }, ++#endif ++ + # endif /* QEMU_LOAD_BL32 */ + + /* Fill BL33 related information */ +diff --git a/plat/qemu/common/qemu_bl2_setup.c b/plat/qemu/common/qemu_bl2_setup.c +index 2c0da15b9..6afa3a44d 100644 +--- a/plat/qemu/common/qemu_bl2_setup.c ++++ b/plat/qemu/common/qemu_bl2_setup.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. 
+ * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -149,8 +149,7 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + bl_mem_params_node_t *paged_mem_params = NULL; + #endif + #if defined(SPD_spmd) +- unsigned int mode_rw = MODE_RW_64; +- uint64_t pagable_part = 0; ++ bl_mem_params_node_t *bl32_mem_params = NULL; + #endif + + assert(bl_mem_params); +@@ -170,17 +169,18 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + if (err != 0) { + WARN("OPTEE header parse error.\n"); + } +-#if defined(SPD_spmd) +- mode_rw = bl_mem_params->ep_info.args.arg0; +- pagable_part = bl_mem_params->ep_info.args.arg1; +-#endif + #endif + +-#if defined(SPD_spmd) +- bl_mem_params->ep_info.args.arg0 = ARM_PRELOADED_DTB_BASE; +- bl_mem_params->ep_info.args.arg1 = pagable_part; +- bl_mem_params->ep_info.args.arg2 = mode_rw; +- bl_mem_params->ep_info.args.arg3 = 0; ++#if defined(SPMC_OPTEE) ++ /* ++ * Explicit zeroes to unused registers since they may have ++ * been populated by parse_optee_header() above. ++ * ++ * OP-TEE expects system DTB in x2 and TOS_FW_CONFIG in x0, ++ * the latter is filled in below for TOS_FW_CONFIG_ID and ++ * applies to any other SPMC too. ++ */ ++ bl_mem_params->ep_info.args.arg2 = ARM_PRELOADED_DTB_BASE; + #elif defined(SPD_opteed) + /* + * OP-TEE expect to receive DTB address in x2. 
+@@ -224,6 +224,14 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + + bl_mem_params->ep_info.spsr = qemu_get_spsr_for_bl33_entry(); + break; ++#if defined(SPD_spmd) ++ case TOS_FW_CONFIG_ID: ++ /* An SPMC expects TOS_FW_CONFIG in x0/r0 */ ++ bl32_mem_params = get_bl_mem_params_node(BL32_IMAGE_ID); ++ bl32_mem_params->ep_info.args.arg0 = ++ bl_mem_params->image_info.image_base; ++ break; ++#endif + default: + /* Do nothing in default case */ + break; +diff --git a/plat/qemu/common/qemu_io_storage.c b/plat/qemu/common/qemu_io_storage.c +index 1107e443f..e2d4932c0 100644 +--- a/plat/qemu/common/qemu_io_storage.c ++++ b/plat/qemu/common/qemu_io_storage.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -24,6 +24,7 @@ + #define BL2_IMAGE_NAME "bl2.bin" + #define BL31_IMAGE_NAME "bl31.bin" + #define BL32_IMAGE_NAME "bl32.bin" ++#define TOS_FW_CONFIG_NAME "tos_fw_config.dtb" + #define BL32_EXTRA1_IMAGE_NAME "bl32_extra1.bin" + #define BL32_EXTRA2_IMAGE_NAME "bl32_extra2.bin" + #define BL33_IMAGE_NAME "bl33.bin" +@@ -78,6 +79,10 @@ static const io_uuid_spec_t bl32_extra2_uuid_spec = { + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA2, + }; + ++static const io_uuid_spec_t tos_fw_config_uuid_spec = { ++ .uuid = UUID_TOS_FW_CONFIG, ++}; ++ + static const io_uuid_spec_t bl33_uuid_spec = { + .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33, + }; +@@ -137,6 +142,10 @@ static const io_file_spec_t sh_file_spec[] = { + .path = BL32_EXTRA2_IMAGE_NAME, + .mode = FOPEN_MODE_RB + }, ++ [TOS_FW_CONFIG_ID] = { ++ .path = TOS_FW_CONFIG_NAME, ++ .mode = FOPEN_MODE_RB ++ }, + [BL33_IMAGE_ID] = { + .path = BL33_IMAGE_NAME, + .mode = FOPEN_MODE_RB +@@ -252,6 +261,11 @@ static const struct plat_io_policy policies[] = { + open_fip + }, + #endif ++ [TOS_FW_CONFIG_ID] = { ++ &fip_dev_handle, ++ 
(uintptr_t)&tos_fw_config_uuid_spec, ++ open_fip ++ }, + [BL33_IMAGE_ID] = { + &fip_dev_handle, + (uintptr_t)&bl33_uuid_spec, +diff --git a/plat/qemu/common/qemu_spmd_manifest.c b/plat/qemu/common/qemu_spmd_manifest.c +deleted file mode 100644 +index fd46e2675..000000000 +--- a/plat/qemu/common/qemu_spmd_manifest.c ++++ /dev/null +@@ -1,31 +0,0 @@ +-/* +- * Copyright (c) 2021, ARM Limited and Contributors. All rights reserved. +- * +- * SPDX-License-Identifier: BSD-3-Clause +- */ +- +-#include +- +-#include +- +-#include +-#include +- +-int plat_spm_core_manifest_load(spmc_manifest_attribute_t *manifest, +- const void *pm_addr) +-{ +- entry_point_info_t *ep_info = bl31_plat_get_next_image_ep_info(SECURE); +- +- assert(ep_info != NULL); +- assert(manifest != NULL); +- +- manifest->major_version = 1; +- manifest->minor_version = 0; +- manifest->exec_state = ep_info->args.arg2; +- manifest->load_address = BL32_BASE; +- manifest->entrypoint = BL32_BASE; +- manifest->binary_size = BL32_LIMIT - BL32_BASE; +- manifest->spmc_id = 0x8000; +- +- return 0; +-} +diff --git a/plat/qemu/qemu/include/platform_def.h b/plat/qemu/qemu/include/platform_def.h +index c9ed6409f..5c3239cb8 100644 +--- a/plat/qemu/qemu/include/platform_def.h ++++ b/plat/qemu/qemu/include/platform_def.h +@@ -118,6 +118,9 @@ + #define BL_RAM_BASE (SHARED_RAM_BASE + SHARED_RAM_SIZE) + #define BL_RAM_SIZE (SEC_SRAM_SIZE - SHARED_RAM_SIZE) + ++#define TOS_FW_CONFIG_BASE BL_RAM_BASE ++#define TOS_FW_CONFIG_LIMIT (TOS_FW_CONFIG_BASE + PAGE_SIZE) ++ + /* + * BL1 specific defines. 
+ * +diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk +index 6becc32fa..02493025a 100644 +--- a/plat/qemu/qemu/platform.mk ++++ b/plat/qemu/qemu/platform.mk +@@ -212,7 +212,10 @@ BL31_SOURCES += lib/cpus/aarch64/aem_generic.S \ + ${QEMU_GIC_SOURCES} + + ifeq (${SPD},spmd) +-BL31_SOURCES += plat/qemu/common/qemu_spmd_manifest.c ++BL31_SOURCES += plat/common/plat_spmd_manifest.c \ ++ common/uuid.c \ ++ ${LIBFDT_SRCS} \ ++ ${FDT_WRAPPERS_SOURCES} + endif + endif + +@@ -233,6 +236,13 @@ $(eval $(call TOOL_ADD_IMG,bl32_extra2,--tos-fw-extra2)) + endif + endif + ++ifneq ($(QEMU_TOS_FW_CONFIG_DTS),) ++FDT_SOURCES += ${QEMU_TOS_FW_CONFIG_DTS} ++QEMU_TOS_FW_CONFIG := ${BUILD_PLAT}/fdts/$(notdir $(basename ${QEMU_TOS_FW_CONFIG_DTS})).dtb ++# Add the TOS_FW_CONFIG to FIP ++$(eval $(call TOOL_ADD_PAYLOAD,${QEMU_TOS_FW_CONFIG},--tos-fw-config,${QEMU_TOS_FW_CONFIG})) ++endif ++ + SEPARATE_CODE_AND_RODATA := 1 + ENABLE_STACK_PROTECTOR := 0 + ifneq ($(ENABLE_STACK_PROTECTOR), 0) +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 6cf55d69cd..e58a090229 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend @@ -47,7 +47,10 @@ EXTRA_OEMAKE:append:arm:qemuall = " \ BL32_RAM_LOCATION=tdram \ AARCH32_SP=optee \ " - +# When using OP-TEE SPMC specify the SPMC manifest file. +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \ + 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}" + do_compile:append:qemuarm64-secureboot() { # Create a secure flash image for booting AArch64 Qemu. See: # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst 
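Review bot: in the qemu_bl2_setup.c hunk the new comment says `Explicit zeroes to unused registers since they may have been populated by parse_optee_header() above`, but the code under it only sets `args.arg2 = ARM_PRELOADED_DTB_BASE`; nothing is zeroed, and the `arg1 = pagable_part` / `arg3 = 0` assignments of the removed `SPD_spmd` block have no replacement, so `arg1` keeps whatever parse_optee_header() stored. If keeping the pageable-part address in x1 for OP-TEE is intentional, say so and drop the "zeroes" wording. Note also that the guard changed from `SPD_spmd` to `SPMC_OPTEE`, so a non-OP-TEE SPMC built with `SPD=spmd` no longer receives the system DTB in x2 from this path.

Review bot: in the new `case TOS_FW_CONFIG_ID:` branch `get_bl_mem_params_node(BL32_IMAGE_ID)` is dereferenced without a check; the function already does `assert(bl_mem_params);` for its own node, so add `assert(bl32_mem_params != NULL);` before writing `ep_info.args.arg0`. The branch also relies on TOS_FW_CONFIG_ID being post-processed after BL32_IMAGE_ID, which holds only because the qemu_bl2_mem_params_desc.c hunk places the entry after the BL32 entries inside the `QEMU_LOAD_BL32` block; worth a comment at either site.

Review bot: in the platform_def.h hunk `TOS_FW_CONFIG_LIMIT` is `TOS_FW_CONFIG_BASE + PAGE_SIZE`, which becomes `image_max_size` in qemu_bl2_mem_params_desc.c; that fits the 40-line manifest but leaves no room for a measured-boot node plus several SP entries, so mention the 4 KiB ceiling in the commit message or make it larger. `TOS_FW_CONFIG_BASE` is `BL_RAM_BASE`, the start of secure SRAM; please confirm it cannot overlap BL32 when `BL32_RAM_LOCATION=tsram` is used (this layer selects tdram).

Review bot: in the platform.mk hunk the `ifneq ($(QEMU_TOS_FW_CONFIG_DTS),)` block is the only thing that puts a TOS_FW_CONFIG into the FIP, while the BL2 load of TOS_FW_CONFIG_ID is unconditional under `SPD_spmd`; with `SPD=spmd` and the variable unset the build succeeds and BL2 fails at runtime when the image is missing from the FIP. An `$(error QEMU_TOS_FW_CONFIG_DTS must be set when SPD=spmd)` in the else branch would catch that at build time.

Review bot: in the trusted-firmware-a_%.bbappend hunk `EXTRA_OEMAKE:append:qemuarm64-secureboot` has no leading space inside the `bb.utils.contains()` true value, so `QEMU_TOS_FW_CONFIG_DTS=...` is glued to whatever token ends the existing EXTRA_OEMAKE unless that value already ends in whitespace; write `' QEMU_TOS_FW_CONFIG_DTS=${S}/...'` with a leading space, as the neighbouring `" \ BL32_RAM_LOCATION=tdram ...` append does. The comment `When using OP-TEE SPMC specify the SPMC manifest file` could also name the `arm-ffa` MACHINE_FEATURE that gates it.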
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb index 3a5006e53d..5830339c42 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb @@ -5,6 +5,12 @@ SRCREV_tfa = "9881bb93a3bc0a3ea37e9f093e09ab4b360a9e48" SRC_URI += "file://rwx-segments.patch" +# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS. +SRC_URI:append:qemuarm64-secureboot = " \ + file://add-spmc_manifest-for-qemu.patch \ + file://feat-qemu-update-abi-between-spmd-and-spmc.patch \ + " + LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde" # mbed TLS v2.28.2 diff --git a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb index 1261fa413b..726a65bb9a 100644 --- a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb +++ b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb 
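Review bot: both patches appended for qemuarm64-secureboot in trusted-firmware-a_2.8.0.bb carry `Upstream-Status: Accepted`, but neither the recipe comment `Enable passing TOS_FW_CONFIG from FIP package to Trusted OS` nor the patch headers give the upstream commit id; the OP-TEE side cites TF-A commit 25ae7ad1878244f78206cc7c91f7bdbd267331a1 for the same change while the backport here is `From d215b0c08e51192baab96d75beaeacf3abf8724e`. Put the upstream id on the Upstream-Status line and note the TF-A release expected to contain it, so the next version bump past the pinned `SRCREV_tfa` can drop the patches rather than carry them forward.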
@@ -18,10 +18,16 @@ COMPATIBLE_HOST = "(arm|aarch64).*-linux" KERNEL_MODULE_AUTOLOAD += "arm-ffa-user" KERNEL_MODULE_PROBECONF += "arm-ffa-user" -# This debugfs driver is used only by uefi-test for testing SmmGW SP -# UUIDs = SMM Gateway SP -FFA-USER-UUID-LIST ?= "ed32d533-99e6-4209-9cc0-2d72cdd998a7" -module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA-USER-UUID-LIST}" +# SMM Gateway SP +UUID_LIST = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + 'ed32d533-99e6-4209-9cc0-2d72cdd998a7', '' , d)}" +# SPMC Tests SPs +UUID_LIST:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ',5c9edbc3-7b3a-4367-9f83-7c191ae86a37,7817164c-c40c-4d1a-867a-9bb2278cf41a,23eb0100-e32a-4497-9052-2f11e584afa6', '' , d)}" + +FFA_USER_UUID_LIST ?= "${@d.getVar('UUID_LIST').strip(',')}" + +module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA_USER_UUID_LIST}" do_install:append() { install -d ${D}${includedir} diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg new file mode 100644 index 0000000000..84e0dd71ca --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg @@ -0,0 +1,4 @@ +# These configurations have a dependency on !PREEMPT_RT. Set them to `n` to +# avoid complain when do_kernel_configcheck. +CONFIG_LEDS_TRIGGER_CPU=n +CONFIG_TRANSPARENT_HUGEPAGE=n diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc new file mode 100644 index 0000000000..ae97c2e2a3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc 
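Review bot: in the arm-ffa-user hunk the user-facing variable is renamed from `FFA-USER-UUID-LIST` to `FFA_USER_UUID_LIST` while staying `?=`; an existing local.conf override of the old name now silently does nothing and the module loads with the MACHINE_FEATURES-derived list instead, so call the rename out in the commit message. `UUID_LIST:append` begins its value with a comma and relies on `.strip(',')` to clean it up, which works, but when neither `ts-smm-gateway` nor `optee-spmc-test` is set the module still gets `uuid_str_list=` with an empty value; either guard `module_conf_arm-ffa-user` on a non-empty `FFA_USER_UUID_LIST` or document that the driver accepts an empty list. The removed comment explaining that this debugfs driver exists for uefi-test was useful context and could be kept next to the SMM Gateway line.

Review bot: in generic-arm64-preempt-rt-tweaks.cfg the comment `avoid complain when do_kernel_configcheck` should read `avoid warnings from do_kernel_configcheck`; a short note that `CONFIG_TRANSPARENT_HUGEPAGE=n` and `CONFIG_LEDS_TRIGGER_CPU=n` are forced off only because they depend on `!PREEMPT_RT`, not as a tuning choice, is already implied by the first line and is fine.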
@@ -0,0 +1,7 @@ +define KMACHINE generic-arm64 +define KTYPE preempt-rt +define KARCH arm64 + +kconf hardware generic-arm64-preempt-rt-tweaks.cfg +include ktypes/preempt-rt/preempt-rt.scc +include features/bluetooth/bluetooth.scc diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index 883ed2ca66..0a42ce4a5d 100644 --- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend @@ -1,11 +1,5 @@ ARMFILESPATHS := "${THISDIR}/files:" -FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" -SRC_URI:append:aarch64 = " \ - file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ - file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ - " - COMPATIBLE_MACHINE:generic-arm64 = "generic-arm64" FILESEXTRAPATHS:prepend:generic-arm64 = "${ARMFILESPATHS}" SRC_URI:append:generic-arm64 = " \ diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend new file mode 100644 index 0000000000..e6d50a4bc4 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend @@ -0,0 +1,6 @@ + +FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" +SRC_URI:append:aarch64 = " \ + file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ + file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ + " diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend new file mode 100644 index 0000000000..e6d50a4bc4 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend 
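Review bot: the new linux-yocto-rt_6.1%.bbappend starts with an empty line and uses `${ARMFILESPATHS}`, which is defined only in linux-yocto%.bbappend; that works only because `linux-yocto%.bbappend` also matches the -rt recipe and is applied before it, and the dependency is implicit. A one-line comment, or a shared .inc that both 6.1 appends `require` for the two `Revert-arm64-defconfig` patches, would make it explicit and avoid duplicating the block. The commit should also say why the two reverts move from the generic aarch64 append to 6.1-only appends (presumably they no longer apply to a newer linux-yocto).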
@@ -0,0 +1,6 @@ + +FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" +SRC_URI:append:aarch64 = " \ + file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ + file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ + " diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch new file mode 100644 index 0000000000..4313a829ac --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch 
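Review bot: linux-yocto-rt_6.1%.bbappend and linux-yocto_6.1%.bbappend are byte-identical (both land as blob e6d50a4bc4) and each opens with a stray blank line; put the two revert patches in one shared .inc pulled in with `require` so the next kernel bump is edited in one place. Both also use ARMFILESPATHS, which is only defined in linux-yocto%.bbappend; that works because `:prepend` and `:append` with `=` are expanded lazily after every bbappend has been parsed, but a comment noting the dependency would help. Since the reverts are now applied to 6.1 only and no longer to other linux-yocto versions, the commit message should say that the two reverted defconfig changes are specific to 6.1.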
@@ -0,0 +1,91 @@ +From 11f4ea86579bc1a58e4adde2849326f4213694f2 Mon Sep 17 00:00:00 2001 +From: Jens Wiklander +Date: Mon, 21 Nov 2022 18:17:33 +0100 +Subject: core: arm: S-EL1 SPMC: boot ABI update + +Updates the boot ABI for S-EL1 SPMC to align better with other SPMCs, +like Hafnium, but also with the non-FF-A configuration. + +Register usage: +X0 - TOS FW config [1] address, if not NULL +X2 - System DTB, if not NULL + +Adds check in the default get_aslr_seed() to see if the system DTB is +present before trying to read kaslr-seed from secure-chosen. + +Note that this is an incompatible change and requires corresponding +change in TF-A ("feat(qemu): update abi between spmd and spmc") [2]. + +[1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware configuration + file. Used by Trusted OS (BL32), that is, OP-TEE in this case +Link: [2] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=25ae7ad1878244f78206cc7c91f7bdbd267331a1 + +Upstream-Status: Accepted + +Acked-by: Etienne Carriere +Signed-off-by: Jens Wiklander +--- + core/arch/arm/kernel/boot.c | 8 +++++++- + core/arch/arm/kernel/entry_a64.S | 17 ++++++++--------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index dd34173e8..e02c02b60 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1502,11 +1502,17 @@ struct ns_entry_context *boot_core_hpen(void) + #if defined(CFG_DT) + unsigned long __weak get_aslr_seed(void *fdt) + { +- int rc = fdt_check_header(fdt); ++ int rc = 0; + const uint64_t *seed = NULL; + int offs = 0; + int len = 0; + ++ if (!fdt) { ++ DMSG("No fdt"); ++ goto err; ++ } ++ ++ rc = fdt_check_header(fdt); + if (rc) { + DMSG("Bad fdt: %d", rc); + goto err; +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 4c6e9d75c..047ae1f25 100644 +--- a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -143,21 +143,20 
@@ + .endm + + FUNC _start , : +-#if defined(CFG_CORE_SEL1_SPMC) + /* +- * With OP-TEE as SPMC at S-EL1 the SPMD (SPD_spmd) in TF-A passes +- * the DTB in x0, pagaeble part in x1 and the rest of the registers +- * are unused ++ * If CFG_CORE_FFA is enabled, then x0 if non-NULL holds the TOS FW ++ * config [1] address, else x0 if non-NULL holds the pagable part ++ * address. ++ * ++ * [1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware ++ * configuration file. Used by Trusted OS (BL32), that is, OP-TEE ++ * here. + */ +- mov x19, x1 /* Save pagable part */ +- mov x20, x0 /* Save DT address */ +-#else +- mov x19, x0 /* Save pagable part address */ ++ mov x19, x0 + #if defined(CFG_DT_ADDR) + ldr x20, =CFG_DT_ADDR + #else + mov x20, x2 /* Save DT address */ +-#endif + #endif + + adr x0, reset_vect_table +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch new file mode 100644 index 0000000000..add39076fd --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch 
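Review bot: 0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch is, by its own description, an incompatible boot-ABI change that requires TF-A commit 25ae7ad1878244f78206cc7c91f7bdbd267331a1 ("feat(qemu): update abi between spmd and spmc"); this series shows no matching trusted-firmware-a SRCREV update, so confirm the meta-arm TF-A recipe already contains that commit, otherwise an older SPMD still passes the DTB in x0 and OP-TEE will treat it as TOS_FW_CONFIG. In the entry_a64.S hunk only `mov x19, x0` survives for every configuration; the new comment should state explicitly that x1 is no longer consumed, since the removed CFG_CORE_SEL1_SPMC path took the pageable part from x1 (`mov x19, x1 /* Save pagable part */`).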
@@ -0,0 +1,249 @@ +From 84f4ef4c4f2f45e2f54597f1afe80d8f8396cc57 Mon Sep 17 00:00:00 2001 +From: Balint Dobszay +Date: Fri, 10 Feb 2023 11:07:27 +0100 +Subject: core: ffa: add TOS_FW_CONFIG handling + +At boot TF-A passes two DT addresses (HW_CONFIG and TOS_FW_CONFIG), but +currently only the HW_CONFIG address is saved, the other one is dropped. +This commit adds functionality to save the TOS_FW_CONFIG too, so we can +retrieve it later. This is necessary for the CFG_CORE_SEL1_SPMC use +case, because the SPMC manifest is passed in this DT. + +Upstream-Status: Accepted + +Reviewed-by: Jens Wiklander +Signed-off-by: Balint Dobszay +--- + core/arch/arm/kernel/boot.c | 60 ++++++++++++++++++++++- + core/arch/arm/kernel/entry_a32.S | 3 +- + core/arch/arm/kernel/entry_a64.S | 13 ++++- + core/arch/arm/kernel/link_dummies_paged.c | 4 +- + core/arch/arm/kernel/secure_partition.c | 2 +- + core/include/kernel/boot.h | 7 ++- + 6 files changed, 81 insertions(+), 8 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index e02c02b60..98e13c072 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2015-2022, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + + #include +@@ -83,6 +84,9 @@ struct dt_descriptor { + }; + + static struct dt_descriptor external_dt __nex_bss; ++#ifdef CFG_CORE_SEL1_SPMC ++static struct dt_descriptor tos_fw_config_dt __nex_bss; ++#endif + #endif + + #ifdef CFG_SECONDARY_INIT_CNTFRQ +@@ -1224,6 +1228,54 @@ static struct core_mmu_phys_mem *get_nsec_memory(void *fdt __unused, + #endif /*CFG_CORE_DYN_SHM*/ + #endif /*!CFG_DT*/ + ++#if defined(CFG_CORE_SEL1_SPMC) && defined(CFG_DT) ++void *get_tos_fw_config_dt(void) ++{ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return NULL; ++ ++ assert(cpu_mmu_enabled()); ++ ++ return tos_fw_config_dt.blob; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa) ++{ ++ 
struct dt_descriptor *dt = &tos_fw_config_dt; ++ void *fdt = NULL; ++ int ret = 0; ++ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return; ++ ++ if (!pa) ++ panic("No TOS_FW_CONFIG DT found"); ++ ++ fdt = core_mmu_add_mapping(MEM_AREA_EXT_DT, pa, CFG_DTB_MAX_SIZE); ++ if (!fdt) ++ panic("Failed to map TOS_FW_CONFIG DT"); ++ ++ dt->blob = fdt; ++ ++ ret = fdt_open_into(fdt, fdt, CFG_DTB_MAX_SIZE); ++ if (ret < 0) { ++ EMSG("Invalid Device Tree at %#lx: error %d", pa, ret); ++ panic(); ++ } ++ ++ IMSG("TOS_FW_CONFIG DT found"); ++} ++#else ++void *get_tos_fw_config_dt(void) ++{ ++ return NULL; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa __unused) ++{ ++} ++#endif /*CFG_CORE_SEL1_SPMC && CFG_DT*/ ++ + #ifdef CFG_CORE_DYN_SHM + static void discover_nsec_memory(void) + { +@@ -1361,10 +1413,16 @@ static bool cpu_nmfi_enabled(void) + * Note: this function is weak just to make it possible to exclude it from + * the unpaged area. + */ +-void __weak boot_init_primary_late(unsigned long fdt) ++void __weak boot_init_primary_late(unsigned long fdt, ++ unsigned long tos_fw_config) + { + init_external_dt(fdt); ++ init_tos_fw_config_dt(tos_fw_config); ++#ifdef CFG_CORE_SEL1_SPMC ++ tpm_map_log_area(get_tos_fw_config_dt()); ++#else + tpm_map_log_area(get_external_dt()); ++#endif + discover_nsec_memory(); + update_external_dt(); + configure_console_from_dt(); +diff --git a/core/arch/arm/kernel/entry_a32.S b/core/arch/arm/kernel/entry_a32.S +index 0f14ca2f6..3758fd8b7 100644 +--- a/core/arch/arm/kernel/entry_a32.S ++++ b/core/arch/arm/kernel/entry_a32.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2014, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include +@@ -560,6 +560,7 @@ shadow_stack_access_ok: + str r0, [r8, #THREAD_CORE_LOCAL_FLAGS] + #endif + mov r0, r6 /* DT address */ ++ mov r1, #0 /* unused */ + bl boot_init_primary_late + #ifndef CFG_VIRTUALIZATION + mov 
r0, #THREAD_CLF_TMP +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 047ae1f25..fa76437fb 100644 +--- a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2022, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include +@@ -320,7 +320,11 @@ clear_nex_bss: + bl core_mmu_set_default_prtn_tbl + #endif + ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x0, xzr /* pager not used */ ++#else + mov x0, x19 /* pagable part address */ ++#endif + mov x1, #-1 + bl boot_init_primary_early + +@@ -337,7 +341,12 @@ clear_nex_bss: + mov x22, x0 + str wzr, [x22, #THREAD_CORE_LOCAL_FLAGS] + #endif +- mov x0, x20 /* DT address */ ++ mov x0, x20 /* DT address also known as HW_CONFIG */ ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x1, x19 /* TOS_FW_CONFIG DT address */ ++#else ++ mov x1, xzr /* unused */ ++#endif + bl boot_init_primary_late + #ifdef CFG_CORE_PAUTH + init_pauth_per_cpu +diff --git a/core/arch/arm/kernel/link_dummies_paged.c b/core/arch/arm/kernel/link_dummies_paged.c +index 3b8287e06..023a5f3f5 100644 +--- a/core/arch/arm/kernel/link_dummies_paged.c ++++ b/core/arch/arm/kernel/link_dummies_paged.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2017-2021, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + #include + #include +@@ -27,7 +28,8 @@ void __section(".text.dummy.call_finalcalls") call_finalcalls(void) + } + + void __section(".text.dummy.boot_init_primary_late") +-boot_init_primary_late(unsigned long fdt __unused) ++boot_init_primary_late(unsigned long fdt __unused, ++ unsigned long tos_fw_config __unused) + { + } + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b1..d386f1e4d 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ 
-1212,7 +1212,7 @@ static TEE_Result fip_sp_map_all(void) + int subnode = 0; + int root = 0; + +- fdt = get_external_dt(); ++ fdt = get_tos_fw_config_dt(); + if (!fdt) { + EMSG("No SPMC manifest found"); + return TEE_ERROR_GENERIC; +diff --git a/core/include/kernel/boot.h b/core/include/kernel/boot.h +index 260854473..941e093b2 100644 +--- a/core/include/kernel/boot.h ++++ b/core/include/kernel/boot.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2020, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + #ifndef __KERNEL_BOOT_H + #define __KERNEL_BOOT_H +@@ -46,7 +46,7 @@ extern const struct core_mmu_config boot_mmu_config; + /* @nsec_entry is unused if using CFG_WITH_ARM_TRUSTED_FW */ + void boot_init_primary_early(unsigned long pageable_part, + unsigned long nsec_entry); +-void boot_init_primary_late(unsigned long fdt); ++void boot_init_primary_late(unsigned long fdt, unsigned long tos_fw_config); + void boot_init_memtag(void); + + void __panic_at_smc_return(void) __noreturn; +@@ -103,6 +103,9 @@ void *get_embedded_dt(void); + /* Returns external DTB if present, otherwise NULL */ + void *get_external_dt(void); + ++/* Returns TOS_FW_CONFIG DTB if present, otherwise NULL */ ++void *get_tos_fw_config_dt(void); ++ + /* + * get_aslr_seed() - return a random seed for core ASLR + * @fdt: Pointer to a device tree if CFG_DT_ADDR=y +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch new file mode 100644 index 0000000000..a0377abafe --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch 
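Review bot: in the entry_a64.S hunk of 0006-core-ffa-add-TOS_FW_CONFIG-handling.patch the `mov x0, xzr /* pager not used */` is keyed on CFG_CORE_SEL1_SPMC, but 0005 defines x0 (saved in x19) as the TOS_FW_CONFIG address whenever CFG_CORE_FFA is set; with CFG_CORE_FFA=y and CFG_CORE_SEL1_SPMC=n, x19 is still handed to boot_init_primary_early as the pageable part. Either key both ifdefs on the same symbol or explain in the comment why the S-EL2 SPMC case is different. Second, init_tos_fw_config_dt() panics with "No TOS_FW_CONFIG DT found" when the address is zero, and fip_sp_map_all() now reads the SPMC manifest only through get_tos_fw_config_dt(); together with the optee-os-ts*.inc change in this series that forces CFG_MAP_EXT_DT_SECURE=y whenever SP_PATHS is non-empty, every CFG_CORE_SEL1_SPMC build now hard-requires TF-A to pass TOS_FW_CONFIG, and a platform that used to place the manifest in HW_CONFIG stops booting. That is a defensible design, but it needs a sentence in the commit message.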
@@ -0,0 +1,279 @@ +From f4b4f5bccc1be9a709008cc8e6107302745796c8 Mon Sep 17 00:00:00 2001 +From: Imre Kis +Date: Tue, 18 Apr 2023 16:41:51 +0200 +Subject: [PATCH] core: spmc: handle non-secure interrupts + +Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure +interrupts and for resuming to the secure world. If a secure partition +is preempted by a non-secure interrupt OP-TEE saves the SP's state and +sends an FFA_INTERRUPT to the normal world. After handling the interrupt +the normal world should send an FFA_RUN to OP-TEE so it can continue +running the SP. +If OP-TEE is the active FF-A endpoint (i.e. it is running TAs) the +non-secure interrupts are signaled by the existing +OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message instead of +FFA_INTERRUPT. + +Upstream-Status: Pending + +Signed-off-by: Imre Kis +Change-Id: I577ebe86d416ee494963216a66a3bfc8206921b4 + +--- + core/arch/arm/include/ffa.h | 2 +- + .../arch/arm/include/kernel/spmc_sp_handler.h | 11 +++++++ + core/arch/arm/kernel/secure_partition.c | 17 ++++++++++ + core/arch/arm/kernel/spmc_sp_handler.c | 26 ++++++++++++++++ + core/arch/arm/kernel/thread.c | 7 +++++ + core/arch/arm/kernel/thread_spmc.c | 31 ++++++++++++++++++- + core/arch/arm/kernel/thread_spmc_a64.S | 30 ++++++++++++++++++ + 7 files changed, 122 insertions(+), 2 deletions(-) + +diff --git a/core/arch/arm/include/ffa.h b/core/arch/arm/include/ffa.h +index 5a19fb0c..b3d1d354 100644 +--- a/core/arch/arm/include/ffa.h ++++ b/core/arch/arm/include/ffa.h +@@ -50,7 +50,7 @@ + #define FFA_ID_GET U(0x84000069) + #define FFA_MSG_WAIT U(0x8400006B) + #define FFA_MSG_YIELD U(0x8400006C) +-#define FFA_MSG_RUN U(0x8400006D) ++#define FFA_RUN U(0x8400006D) + #define FFA_MSG_SEND U(0x8400006E) + #define FFA_MSG_SEND_DIRECT_REQ_32 U(0x8400006F) + #define FFA_MSG_SEND_DIRECT_REQ_64 U(0xC400006F) +diff --git a/core/arch/arm/include/kernel/spmc_sp_handler.h b/core/arch/arm/include/kernel/spmc_sp_handler.h +index f5bda7bf..30c1e469 100644 +--- 
a/core/arch/arm/include/kernel/spmc_sp_handler.h ++++ b/core/arch/arm/include/kernel/spmc_sp_handler.h +@@ -25,6 +25,8 @@ void spmc_sp_start_thread(struct thread_smc_args *args); + int spmc_sp_add_share(struct ffa_rxtx *rxtx, + size_t blen, uint64_t *global_handle, + struct sp_session *owner_sp); ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess); ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id); + #else + static inline void spmc_sp_start_thread(struct thread_smc_args *args __unused) + { +@@ -37,6 +39,15 @@ static inline int spmc_sp_add_share(struct ffa_rxtx *rxtx __unused, + { + return FFA_NOT_SUPPORTED; + } ++ ++static inline void spmc_sp_set_to_preempted(struct ts_session *ts_sess __unused) ++{ ++} ++ ++static inline int spmc_sp_resume_from_preempted(uint16_t endpoint_id __unused) ++{ ++ return FFA_NOT_SUPPORTED; ++} + #endif + + #endif /* __KERNEL_SPMC_SP_HANDLER_H */ +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b..6e351e43 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -999,6 +999,8 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; ++ uint32_t thread_id = THREAD_ID_INVALID; ++ uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; + +@@ -1011,8 +1013,23 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); + + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); ++ ++ /* ++ * Store endpoint ID and thread ID in rpc_target_info. This will be used ++ * as w1 in FFA_INTERRUPT in case of a NWd interrupt. 
++ */ ++ rpc_target_info = thread_get_tsd()->rpc_target_info; ++ thread_id = thread_get_id(); ++ assert((thread_id & ~0xffff) == 0); ++ thread_get_tsd()->rpc_target_info = (sp_s->endpoint_id << 16) | ++ (thread_id & 0xffff); ++ + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); ++ + sp_regs->cpsr = cpsr; ++ /* Restore rpc_target_info */ ++ thread_get_tsd()->rpc_target_info = rpc_target_info; ++ + thread_unmask_exceptions(exceptions); + + thread_user_clear_vfp(&ctx->uctx); +diff --git a/core/arch/arm/kernel/spmc_sp_handler.c b/core/arch/arm/kernel/spmc_sp_handler.c +index 5d3326fc..f4c7ff81 100644 +--- a/core/arch/arm/kernel/spmc_sp_handler.c ++++ b/core/arch/arm/kernel/spmc_sp_handler.c +@@ -366,6 +366,32 @@ cleanup: + return res; + } + ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess) ++{ ++ if (ts_sess && is_sp_ctx(ts_sess->ctx)) { ++ struct sp_session *sp_sess = to_sp_session(ts_sess); ++ ++ assert(sp_sess->state == sp_busy); ++ ++ sp_sess->state = sp_preempted; ++ } ++} ++ ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id) ++{ ++ struct sp_session *sp_sess = sp_get_session(endpoint_id); ++ ++ if (!sp_sess) ++ return FFA_INVALID_PARAMETERS; ++ ++ if (sp_sess->state != sp_preempted) ++ return FFA_DENIED; ++ ++ sp_sess->state = sp_busy; ++ ++ return FFA_OK; ++} ++ + static bool check_rxtx(struct ffa_rxtx *rxtx) + { + return rxtx && rxtx->rx && rxtx->tx && rxtx->size > 0; +diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c +index 1e7f9f96..8cd4dc96 100644 +--- a/core/arch/arm/kernel/thread.c ++++ b/core/arch/arm/kernel/thread.c +@@ -531,6 +531,13 @@ int thread_state_suspend(uint32_t flags, uint32_t cpsr, vaddr_t pc) + core_mmu_set_user_map(NULL); + } + ++ if (IS_ENABLED(CFG_SECURE_PARTITION)) { ++ struct ts_session *ts_sess = ++ TAILQ_FIRST(&threads[ct].tsd.sess_stack); ++ ++ spmc_sp_set_to_preempted(ts_sess); ++ } ++ + l->curr_thread = THREAD_ID_INVALID; + + if (IS_ENABLED(CFG_VIRTUALIZATION)) +diff --git 
a/core/arch/arm/kernel/thread_spmc.c b/core/arch/arm/kernel/thread_spmc.c +index 3b4ac0b4..bc4e7687 100644 +--- a/core/arch/arm/kernel/thread_spmc.c ++++ b/core/arch/arm/kernel/thread_spmc.c +@@ -45,7 +45,7 @@ struct mem_frag_state { + #endif + + /* Initialized in spmc_init() below */ +-static uint16_t my_endpoint_id; ++uint16_t my_endpoint_id; + + /* + * If struct ffa_rxtx::size is 0 RX/TX buffers are not mapped or initialized. +@@ -437,6 +437,32 @@ out: + FFA_PARAM_MBZ, FFA_PARAM_MBZ); + cpu_spin_unlock(&rxtx->spinlock); + } ++ ++static void spmc_handle_run(struct thread_smc_args *args) ++{ ++ uint16_t endpoint = (args->a1 >> 16) & 0xffff; ++ uint16_t thread_id = (args->a1 & 0xffff); ++ uint32_t rc = 0; ++ ++ if (endpoint != my_endpoint_id) { ++ /* ++ * The endpoint should be an SP, try to resume the SP from ++ * preempted into busy state. ++ */ ++ rc = spmc_sp_resume_from_preempted(endpoint); ++ if (rc) ++ goto out; ++ } ++ ++ thread_resume_from_rpc(thread_id, 0, 0, 0, 0); ++ ++ /* thread_resume_from_rpc return only of the thread_id is invalid */ ++ rc = FFA_INVALID_PARAMETERS; ++ ++out: ++ spmc_set_args(args, FFA_ERROR, FFA_PARAM_MBZ, rc, FFA_PARAM_MBZ, ++ FFA_PARAM_MBZ, FFA_PARAM_MBZ); ++} + #endif /*CFG_CORE_SEL1_SPMC*/ + + static void handle_yielding_call(struct thread_smc_args *args) +@@ -970,6 +996,9 @@ void thread_spmc_msg_recv(struct thread_smc_args *args) + case FFA_PARTITION_INFO_GET: + spmc_handle_partition_info_get(args, &nw_rxtx); + break; ++ case FFA_RUN: ++ spmc_handle_run(args); ++ break; + #endif /*CFG_CORE_SEL1_SPMC*/ + case FFA_INTERRUPT: + itr_core_handler(); +diff --git a/core/arch/arm/kernel/thread_spmc_a64.S b/core/arch/arm/kernel/thread_spmc_a64.S +index 21cb6251..7297005a 100644 +--- a/core/arch/arm/kernel/thread_spmc_a64.S ++++ b/core/arch/arm/kernel/thread_spmc_a64.S +@@ -14,6 +14,20 @@ + #include + #include + ++#if CFG_SECURE_PARTITION ++LOCAL_FUNC thread_ffa_interrupt , : ++ mov_imm x0, FFA_INTERRUPT /* FID */ ++ /* X1: Endpoint/vCPU 
IDs is set by caller */ ++ mov x2, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x3, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x4, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x5, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x6, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x7, #FFA_PARAM_MBZ /* Param MBZ */ ++ b .ffa_msg_loop ++END_FUNC thread_ffa_msg_wait ++#endif /* CFG_SECURE_PARTITION */ ++ + FUNC thread_ffa_msg_wait , : + mov_imm x0, FFA_MSG_WAIT /* FID */ + mov x1, #FFA_TARGET_INFO_MBZ /* Target info MBZ */ +@@ -171,6 +185,14 @@ END_FUNC thread_rpc + * The current thread as indicated by @thread_index has just been + * suspended. The job here is just to inform normal world the thread id to + * resume when returning. ++ * If the active FF-A endpoint is OP-TEE (or a TA) then an this function send an ++ * OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message to the normal world via the ++ * FFA_MSG_SEND_DIRECT_RESP interface. This is handled by the OP-TEE ++ * driver in Linux so it can schedule task to the thread. ++ * If the active endpoint is an SP the function sends an FFA_INTERRUPT. This is ++ * handled by the FF-A driver and after taking care of the NWd interrupts it ++ * returns via an FFA_RUN call. ++ * The active endpoint is determined by the upper 16 bits of rpc_target_info. + */ + FUNC thread_foreign_intr_exit , : + /* load threads[w0].tsd.rpc_target_info into w1 */ +@@ -178,6 +200,14 @@ FUNC thread_foreign_intr_exit , : + adr_l x2, threads + madd x1, x1, x0, x2 + ldr w1, [x1, #THREAD_CTX_TSD_RPC_TARGET_INFO] ++#if CFG_SECURE_PARTITION ++ adr_l x2, my_endpoint_id ++ ldrh w2, [x2] ++ lsr w3, w1, #16 ++ cmp w2, w3 ++ /* (threads[w0].tsd.rpc_target_info >> 16) != my_endpoint_id */ ++ bne thread_ffa_interrupt ++#endif /* CFG_SECURE_PARTITION */ + mov x2, #FFA_PARAM_MBZ + mov w3, #FFA_PARAM_MBZ + mov w4, #OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT + +-- +2.17.1 
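Review bot: in the thread_spmc_a64.S hunk of 0007-core-spmc-handle-non-secure-interrupts.patch the new local function opens as `LOCAL_FUNC thread_ffa_interrupt , :` but closes with `END_FUNC thread_ffa_msg_wait`; the END_FUNC name must match (`END_FUNC thread_ffa_interrupt`), otherwise the size bookkeeping is attached to the wrong symbol. In spmc_handle_run() the SP is moved from sp_preempted to sp_busy before thread_resume_from_rpc() is called, and on the only path where that call returns (invalid thread_id, per the comment) the state is not reverted, so one malformed FFA_RUN from the normal world leaves the SP stuck in sp_busy; move the state change after a successful lookup or restore sp_preempted on the error path. The handler also takes endpoint and thread id independently from w1 without checking that this thread is the one that was preempted while running that endpoint; recording the thread id in spmc_sp_set_to_preempted() and comparing it in spmc_sp_resume_from_preempted() would close that. Nits: "thread_resume_from_rpc return only of the thread_id is invalid" should read "returns only if", and `my_endpoint_id` is made non-static for the assembly without an accompanying extern declaration.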
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch new file mode 100644 index 0000000000..32e560689f --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch 
@@ -0,0 +1,150 @@ +From cad33cffb5be17fc0654aaf03c4d5227ae682e7a Mon Sep 17 00:00:00 2001 +From: Imre Kis +Date: Tue, 25 Apr 2023 14:19:14 +0200 +Subject: [PATCH] core: spmc: configure SP's NS interrupt action based on + the manifest + +Used mandatory ns-interrupts-action SP manifest property to configure +signaled or queued non-secure interrupt handling. + +Upstream-Status: Pending + +Signed-off-by: Imre Kis +Change-Id: I843e69e5dbb9613ecd8b95654e8ca1730a594ca6 +--- + .../arm/include/kernel/secure_partition.h | 2 + + core/arch/arm/kernel/secure_partition.c | 66 +++++++++++++++++-- + 2 files changed, 63 insertions(+), 5 deletions(-) + +diff --git a/core/arch/arm/include/kernel/secure_partition.h b/core/arch/arm/include/kernel/secure_partition.h +index 290750936..3bf339d3c 100644 +--- a/core/arch/arm/include/kernel/secure_partition.h ++++ b/core/arch/arm/include/kernel/secure_partition.h +@@ -43,6 +43,8 @@ struct sp_session { + unsigned int spinlock; + const void *fdt; + bool is_initialized; ++ uint32_t ns_interrupts_action; ++ uint32_t ns_interrupts_action_inherited; + TAILQ_ENTRY(sp_session) link; + }; + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 52365553b..e54069c17 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -46,6 +46,10 @@ + SP_MANIFEST_ATTR_WRITE | \ + SP_MANIFEST_ATTR_EXEC) + ++#define SP_MANIFEST_NS_INT_QUEUED (0x0) ++#define SP_MANIFEST_NS_INT_MANAGED_EXIT (0x1) ++#define SP_MANIFEST_NS_INT_SIGNALED (0x2) ++ + #define SP_PKG_HEADER_MAGIC (0x474b5053) + #define SP_PKG_HEADER_VERSION_V1 (0x1) + #define SP_PKG_HEADER_VERSION_V2 (0x2) +@@ -907,6 +911,30 @@ static TEE_Result sp_init_uuid(const TEE_UUID *uuid, const void * const fdt) + return res; + DMSG("endpoint is 0x%"PRIx16, sess->endpoint_id); + ++ res = sp_dt_get_u32(fdt, 0, "ns-interrupts-action", ++ &sess->ns_interrupts_action); ++ ++ if (res) { ++ EMSG("Mandatory property is missing: 
ns-interrupts-action"); ++ return res; ++ } ++ ++ switch (sess->ns_interrupts_action) { ++ case SP_MANIFEST_NS_INT_QUEUED: ++ case SP_MANIFEST_NS_INT_SIGNALED: ++ /* OK */ ++ break; ++ ++ case SP_MANIFEST_NS_INT_MANAGED_EXIT: ++ EMSG("Managed exit is not implemented"); ++ return TEE_ERROR_NOT_IMPLEMENTED; ++ ++ default: ++ EMSG("Invalid ns-interrupts-action value: %d", ++ sess->ns_interrupts_action); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ + return TEE_SUCCESS; + } + +@@ -989,17 +1017,45 @@ TEE_Result sp_enter(struct thread_smc_args *args, struct sp_session *sp) + return res; + } + ++/* ++ * According to FF-A v1.1 section 8.3.1.4 if a caller requires less permissive ++ * active on NS interrupt than the callee, the callee must inherit the caller's ++ * configuration. ++ * Each SP's own NS action setting is stored in ns_interrupts_action. The ++ * effective action will be MIN([self action], [caller's action]) which is ++ * stored in the ns_interrupts_action_inherited field. ++ */ ++static void sp_cpsr_configure_foreing_interrupts(struct sp_session *s, ++ struct ts_session *caller, ++ uint64_t *cpsr) ++{ ++ if (caller) { ++ struct sp_session *caller_sp = to_sp_session(caller); ++ ++ s->ns_interrupts_action_inherited = ++ MIN(caller_sp->ns_interrupts_action_inherited, ++ s->ns_interrupts_action); ++ } else { ++ s->ns_interrupts_action_inherited = s->ns_interrupts_action; ++ } ++ ++ if (s->ns_interrupts_action_inherited == SP_MANIFEST_NS_INT_QUEUED) ++ *cpsr |= (THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++ else ++ *cpsr &= ~(THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++} ++ + static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + uint32_t cmd __unused) + { + struct sp_ctx *ctx = to_sp_ctx(s->ctx); + TEE_Result res = TEE_SUCCESS; + uint32_t exceptions = 0; +- uint64_t cpsr = 0; + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; + uint32_t thread_id = THREAD_ID_INVALID; ++ 
struct ts_session *caller = NULL; + uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; +@@ -1009,11 +1065,12 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs = &ctx->sp_regs; + ts_push_current_session(s); + +- cpsr = sp_regs->cpsr; +- sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); +- + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); + ++ /* Enable/disable foreign interrupts in CPSR/SPSR */ ++ caller = ts_get_calling_session(); ++ sp_cpsr_configure_foreing_interrupts(sp_s, caller, &sp_regs->cpsr); ++ + /* + * Store endpoint ID and thread ID in rpc_target_info. This will be used + * as w1 in FFA_INTERRUPT in case of a NWd interrupt. +@@ -1026,7 +1083,6 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); + +- sp_regs->cpsr = cpsr; + /* Restore rpc_target_info */ + thread_get_tsd()->rpc_target_info = rpc_target_info; + +-- +2.17.1 diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend new file mode 100644 index 0000000000..a9732e4c9c --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend @@ -0,0 +1,4 @@ +# Include extra headers needed by SPMC tests to TA DEVKIT. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc new file mode 100644 index 0000000000..4dffc46da3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc 
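Review bot: sp_cpsr_configure_foreing_interrupts() in 0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch applies to_sp_session(caller) to whatever ts_get_calling_session() returns without checking is_sp_ctx(caller->ctx), unlike spmc_sp_set_to_preempted() in 0007, which does check; if the caller can ever be a non-SP session the cast reads ns_interrupts_action_inherited from the wrong structure, so add the check or an assert. The function name has a typo (foreing for foreign) and the comment's "less permissive active on NS interrupt" should read "action". Removing `sp_regs->cpsr = read_daif() & ...` means the SP's SPSR DAIF bits are no longer refreshed from the current DAIF on every entry; only the F bit is now set or cleared and the I/A/D bits keep whatever sp_regs->cpsr held from initialisation, which deserves a sentence in the commit message. Minor: the EMSG for an invalid ns-interrupts-action prints a uint32_t with %d; use PRIu32. In optee-os-tadevkit_3.2%.bbappend, "Supported after op-tee v3.20" is ambiguous given that the 3.2% glob also matches 3.20 itself; write "from v3.20 on" if that is the intent.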
@@ -0,0 +1,54 @@ +# Include Trusted Services SPs accordingly to defined machine features + +# Please notice that OPTEE will load SPs in the order listed in this file. +# If an SP requires another SP to be already loaded it must be listed lower. + +# TS SPs UUIDs definitions +require recipes-security/trusted-services/ts-uuid.inc + +TS_ENV = "opteesp" +TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin" + +# ITS SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ts-sp-its', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ${TS_BIN}/${ITS_UUID}.stripped.elf', '', d)}" + +# Storage SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ts-sp-storage', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ${TS_BIN}/${STORAGE_UUID}.stripped.elf', '', d)}" + +# Crypto SP. +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ts-sp-crypto', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ${TS_BIN}/${CRYPTO_UUID}.stripped.elf', '', d)}" + +# Attestation SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ts-sp-attestation', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ${TS_BIN}/${ATTESTATION_UUID}.stripped.elf', '', d)}" + +# Env-test SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ts-sp-env-test', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ${TS_BIN}/${ENV_TEST_UUID}.stripped.elf', '', d)}" + +# SE-Proxy SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ts-sp-se-proxy', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ${TS_BIN}/${SE_PROXY_UUID}.stripped.elf', '', d)}" + +# SMM Gateway +DEPENDS:append = 
"${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ts-sp-smm-gateway', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc index 73b8c14f7c..057dde25cf 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc @@ -51,4 +51,12 @@ DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" -EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" +# SPM test SPs +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ts-sp-spm-test1 ts-sp-spm-test2 ts-sp-spm-test3', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf', '', d)}" +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend deleted file mode 100644 index 09650b9a7a..0000000000 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend +++ /dev/null 
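Review bot: optee-os-ts-3.18.inc repeats the full SP list from optee-os-ts.inc (ITS through SMM Gateway) and differs only in not adding the SPM test SPs; factor the shared part into one include and keep only the version-specific lines in the two wrappers, otherwise the two lists will drift, and the file's own warning that SPs are loaded in the listed order makes drift costly. Both files now append CFG_MAP_EXT_DT_SECURE=y alongside CFG_SECURE_PARTITION=y whenever SP_PATHS is non-empty, which is what makes 0006's TOS_FW_CONFIG requirement apply to every SP-enabled image; say so in the commit message.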
@@ -1,5 +0,0 @@ -# Include Trusted Services Secure Partitions -require optee-os-ts.inc - -# Conditionally include platform specific Trusted Services related OPTEE build parameters -EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_CORE_HEAP_SIZE=131072 CFG_TEE_BENCHMARK=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_CORE_SEL1_SPMC=y ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend new file mode 100644 index 0000000000..2ff1b83497 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend @@ -0,0 +1,5 @@ +# Include Trusted Services Secure Partitions +require optee-os-ts-3.18.inc + +# Conditionally include platform specific Trusted Services related OPTEE build parameters +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_CORE_HEAP_SIZE=131072 CFG_TEE_BENCHMARK=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_CORE_SEL1_SPMC=y ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend new file mode 100644 index 0000000000..09650b9a7a --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend @@ -0,0 +1,5 @@ +# Include Trusted Services Secure Partitions +require optee-os-ts.inc + +# Conditionally include platform specific Trusted Services related OPTEE build parameters +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_CORE_HEAP_SIZE=131072 CFG_TEE_BENCHMARK=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_CORE_SEL1_SPMC=y ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb index 5f4b066ae3..2fdfbb5a88 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb 
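Review bot: the optee-os_3.1%.bbappend glob matches any 3.1x release (3.10 through 3.19), yet it requires optee-os-ts-3.18.inc, whose name suggests it was only validated against 3.18; either name the include after the feature difference rather than a version, or narrow the glob to the versions the layer actually carries. The two new bbappends are otherwise identical and both re-add CFG_TEE_CORE_LOG_LEVEL=4 for qemuarm64-secureboot; that is debug-level secure-world logging, fine for the QEMU test target, but the comment should say it is not meant to be copied into production machine configs.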
@@ -7,4 +7,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3.20.0:" SRCREV = "8e74d47616a20eaa23ca692f4bbbf917a236ed94" SRC_URI:append = " \ file://0004-core-Define-section-attributes-for-clang.patch \ + file://0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch \ + file://0006-core-ffa-add-TOS_FW_CONFIG-handling.patch \ + file://0007-core-spmc-handle-non-secure-interrupts.patch \ + file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch \ " diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch new file mode 100644 index 0000000000..e889f74051 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch 
@@ -0,0 +1,39 @@ +From 7e15470f3dd45c844f0e0901f0c85c46a0882b8b Mon Sep 17 00:00:00 2001 +From: Gabor Toth +Date: Fri, 3 Mar 2023 12:23:45 +0100 +Subject: [PATCH 1/2] Update arm_ffa_user driver dependency + +Updating arm-ffa-user to v5.0.1 to get the following changes: + - move to 64 bit direct messages + - add Linux Kernel v6.1 compatibility +The motivation is to update x-test to depend on the same driver +version as TS uefi-test and thus to enable running these in a single +configuration. +Note: arm_ffa_user.h was copied from: + - URL:https://git.gitlab.arm.com/linux-arm/linux-trusted-services.git + - SHA:18e3be71f65a405dfb5d97603ae71b3c11759861 + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth +Acked-by: Jens Wiklander +--- + host/xtest/include/uapi/linux/arm_ffa_user.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/host/xtest/include/uapi/linux/arm_ffa_user.h b/host/xtest/include/uapi/linux/arm_ffa_user.h +index 9ef0be3..0acde4f 100644 +--- a/host/xtest/include/uapi/linux/arm_ffa_user.h ++++ b/host/xtest/include/uapi/linux/arm_ffa_user.h +@@ -33,7 +33,7 @@ struct ffa_ioctl_ep_desc { + * @dst_id: [in] 16-bit ID of destination endpoint. + */ + struct ffa_ioctl_msg_args { +- __u32 args[5]; ++ __u64 args[5]; + __u16 dst_id; + }; + #define FFA_IOC_MSG_SEND _IOWR(FFA_IOC_MAGIC, FFA_IOC_BASE + 1, \ +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch new file mode 100644 index 0000000000..d333e860a7 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch 
@@ -0,0 +1,163 @@ +From 6734d14cc249af37705129de7874533df9535cd3 Mon Sep 17 00:00:00 2001 +From: Gabor Toth +Date: Fri, 3 Mar 2023 12:25:58 +0100 +Subject: [PATCH 2/2] ffa_spmc: Add arm_ffa_user driver compatibility check + +Check the version of the arm_ffa_user Kernel Driver and fail with a +meaningful message if incompatible driver is detected. + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth +Acked-by: Jens Wiklander +--- + host/xtest/ffa_spmc_1000.c | 68 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 61 insertions(+), 7 deletions(-) + +diff --git a/host/xtest/ffa_spmc_1000.c b/host/xtest/ffa_spmc_1000.c +index 15f4a46..1839d03 100644 +--- a/host/xtest/ffa_spmc_1000.c ++++ b/host/xtest/ffa_spmc_1000.c +@@ -1,11 +1,12 @@ + // SPDX-License-Identifier: BSD-3-Clause + /* +- * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved. + */ + #include + #include + #include + #include ++#include + #include + #include + #include "include/uapi/linux/arm_ffa_user.h" +@@ -17,6 +18,10 @@ + #define INCORRECT_ENDPOINT_ID 0xffff + #define NORMAL_WORLD_ENDPOINT_ID 0 + ++#define FFA_USER_REQ_VER_MAJOR 5 ++#define FFA_USER_REQ_VER_MINOR 0 ++#define FFA_USER_REQ_VER_PATCH 1 ++ + /* Get the 32 least significant bits of a handle.*/ + #define MEM_SHARE_HANDLE_LOW(x) ((x) & 0xffffffff) + /* Get the 32 most significant bits of a handle.*/ +@@ -62,6 +67,50 @@ static struct ffa_ioctl_ep_desc test_endpoint3 = { + .uuid_ptr = (uint64_t)test_endpoint3_uuid, + }; + ++static bool check_ffa_user_version(void) ++{ ++ FILE *f = NULL; ++ int ver_major = -1; ++ int ver_minor = -1; ++ int ver_patch = -1; ++ int scan_cnt = 0; ++ ++ f = fopen("/sys/module/arm_ffa_user/version", "r"); ++ if (f) { ++ scan_cnt = fscanf(f, "%d.%d.%d", ++ &ver_major, &ver_minor, &ver_patch); ++ fclose(f); ++ if (scan_cnt != 3) { ++ printf("error: failed to parse arm_ffa_user version\n"); ++ return false; ++ } ++ 
} else { ++ printf("error: failed to read arm_ffa_user module info - %s\n", ++ strerror(errno)); ++ return false; ++ } ++ ++ if (ver_major != FFA_USER_REQ_VER_MAJOR) ++ goto err; ++ ++ if (ver_minor < FFA_USER_REQ_VER_MINOR) ++ goto err; ++ ++ if (ver_minor == FFA_USER_REQ_VER_MINOR) ++ if (ver_patch < FFA_USER_REQ_VER_PATCH) ++ goto err; ++ ++ return true; ++ ++err: ++ printf("error: Incompatible arm_ffa_user driver detected."); ++ printf("Found v%d.%d.%d wanted >= v%d.%d.%d)\n", ++ ver_major, ver_minor, ver_patch, FFA_USER_REQ_VER_MAJOR, ++ FFA_USER_REQ_VER_MINOR, FFA_USER_REQ_VER_PATCH); ++ ++ return false; ++} ++ + static void close_debugfs(void) + { + int err = 0; +@@ -76,6 +125,9 @@ static void close_debugfs(void) + + static bool init_sp_xtest(ADBG_Case_t *c) + { ++ if (!check_ffa_user_version()) ++ return false; ++ + if (ffa_fd < 0) { + ffa_fd = open(FFA_DRIVER_FS_PATH, O_RDWR); + if (ffa_fd < 0) { +@@ -83,6 +135,7 @@ static bool init_sp_xtest(ADBG_Case_t *c) + return false; + } + } ++ + return true; + } + +@@ -99,7 +152,7 @@ static uint16_t get_endpoint_id(uint64_t endp) + struct ffa_ioctl_ep_desc sid = { .uuid_ptr = endp }; + + /* Get ID of destination SP based on UUID */ +- if(ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) ++ if (ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) + return INCORRECT_ENDPOINT_ID; + + return sid.id; +@@ -213,14 +266,15 @@ static int set_up_mem(struct ffa_ioctl_ep_desc *endp, + rc = share_mem(endpoint, handle); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + +- if (!ADBG_EXPECT_TRUE(c, handle != NULL)) +- return TEEC_ERROR_GENERIC; ++ if (!ADBG_EXPECT_NOT_NULL(c, handle)) ++ return TEEC_ERROR_GENERIC; + + /* SP will retrieve the memory region. 
*/ + memset(args, 0, sizeof(*args)); + args->dst_id = endpoint; + args->args[MEM_SHARE_HANDLE_LOW_INDEX] = MEM_SHARE_HANDLE_LOW(*handle); +- args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = MEM_SHARE_HANDLE_HIGH(*handle); ++ args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = ++ MEM_SHARE_HANDLE_HIGH(*handle); + args->args[MEM_SHARE_HANDLE_ENDPOINT_INDEX] = NORMAL_WORLD_ENDPOINT_ID; + + rc = start_sp_test(endpoint, EP_RETRIEVE, args); +@@ -254,7 +308,7 @@ static void xtest_ffa_spmc_test_1002(ADBG_Case_t *c) + rc = start_sp_test(endpoint1_id, EP_TEST_SP, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK)) +- goto out; ++ goto out; + + /* Set up memory and have the SP retrieve it. */ + Do_ADBG_BeginSubCase(c, "Test memory set-up"); +@@ -469,7 +523,7 @@ static void xtest_ffa_spmc_test_1005(ADBG_Case_t *c) + memset(&args, 0, sizeof(args)); + args.args[1] = endpoint2; + args.args[2] = endpoint3; +- rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI,&args); ++ rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK); + +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend new file mode 100644 index 0000000000..c052774c62 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend @@ -0,0 +1,7 @@ +# Include ffa_spmc test group if the SPMC test is enabled. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}" + +RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' arm-ffa-user', '' , d)}" 
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb index 95452b6a0d..50f5afe718 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb @@ -1,6 +1,8 @@ require optee-test.inc SRC_URI:append = " \ + file://Update-arm_ffa_user-driver-dependency.patch \ + file://ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch \ file://musl-workaround.patch \ " SRCREV = "5db8ab4c733d5b2f4afac3e9aef0a26634c4b444" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch new file mode 100644 index 0000000000..28e041bce6 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch 
@@ -0,0 +1,41 @@ +From aca9f9ae26235e9da2bc9adef49f9f5578f3e1e7 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing +Date: Tue, 25 Apr 2023 15:03:46 +0000 +Subject: [PATCH 1/1] Limit nanopb build to single process + +Sometimes in yocto the nanopb build step fails. The reason seems +to be a race condition. This fix disables parallel build as +a workaround. + +Upstream-Status: Inappropriate [yocto specific] + +Signed-off-by: Gyorgy Szing +--- + external/nanopb/nanopb.cmake | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake +index 36465f61..94f8048c 100644 +--- a/external/nanopb/nanopb.cmake ++++ b/external/nanopb/nanopb.cmake +@@ -65,6 +65,8 @@ if(TARGET stdlib::c) + unset_saved_properties(LIBC) + endif() + ++set(_PROCESSOR_COUNT ${PROCESSOR_COUNT}) ++set(PROCESSOR_COUNT 1) + include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) + LazyFetch_MakeAvailable(DEP_NAME nanopb + FETCH_OPTIONS ${GIT_OPTIONS} +@@ -73,6 +75,8 @@ LazyFetch_MakeAvailable(DEP_NAME nanopb + CACHE_FILE "${TS_ROOT}/external/nanopb/nanopb-init-cache.cmake.in" + SOURCE_DIR "${NANOPB_SOURCE_DIR}" + ) ++set(PROCESSOR_COUNT ${_PROCESSOR_COUNT}) ++ + unset(_cmake_fragment) + + if(TARGET stdlib::c) +-- +2.34.1 + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc index dc295506bb..2bb4a8a11f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc 
@@ -5,8 +5,14 @@ LICENSE = "Apache-2.0 & BSD-3-Clause & BSD-2-Clause & Zlib" SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=integration;name=trusted-services;destsuffix=git/trusted-services \ " -#latest on 12.10.22. -SRCREV_trusted-services = "3d4956770f89eb9ae0a73257901ae6277c078da6" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + +SRC_URI:append = "\ + file://0001-Limit-nanopb-build-to-single-process.patch \ +" + +#Latest on 2023 April 28 +SRCREV="08b3d39471f4914186bd23793dc920e83b0e3197" LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4" S = "${WORKDIR}/git/trusted-services" @@ -17,14 +23,14 @@ SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;des SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81" LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e" -# MbedTLS, tag "mbedtls-3.1.0" +# MbedTLS, tag "mbedtls-3.3.0" SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls" -SRCREV_mbedtls = "d65aeb37349ad1a50e0f6c9b694d4b5290d60e49" +SRCREV_mbedtls = "8c89224991adff88d53cd380f42a2baa36f91454" LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -# Nanopb, tag "nanopb-0.4.6" +# Nanopb, tag "nanopb-0.4.2" SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb" -SRCREV_nanopb = "afc499f9a410fc9bbf6c9c48cdd8d8b199d49eb4" +SRCREV_nanopb = "df0e92f474f9cca704fe2b31483f0b4d1b1715a4" LIC_FILES_CHKSUM += "file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" # qcbor, tag "v1.0.0" 
@@ -54,15 +60,12 @@ LIC_FILES_CHKSUM += "file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e14135 # TS ships patches for external dependencies that needs to be applied apply_ts_patches() { - for p in ${S}/external/qcbor/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/qcbor < ${p} || true - done - for p in ${S}/external/t_cose/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/tcose < ${p} || true - done - for p in ${S}/external/CppUTest/*.patch; do - patch -p1 -d ${WORKDIR}/git/cpputest < ${p} - done + ( cd ${WORKDIR}/git/qcbor; git stash; git branch -f bf_am; git am ${S}/external/qcbor/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/tcose; git stash; git branch -f bf_am; git am ${S}/external/t_cose/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/mbedtls; git stash; git branch -f bf_am; git am ${S}/external/MbedTLS/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/cpputest; git stash; git apply ${S}/external/CppUTest/*.patch ) + ( cd ${WORKDIR}/git/dtc; git stash; git apply ${S}/external/libfdt/*.patch ) + ( cd ${WORKDIR}/git/nanopb; git stash; git apply ${S}/external/nanopb/*.patch ) } do_patch[postfuncs] += "apply_ts_patches" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb index a9f7b65f09..668bde568f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb @@ -6,6 +6,7 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" DEPENDS += "libts" RDEPENDS:${PN} += "libts" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb index 408c7d3c24..24a724a4fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb 
@@ -22,9 +22,7 @@ OECMAKE_SOURCEPATH = "${S}/deployments/newlib/${TS_ENV}/" # TS ships a patch that needs to be applied to newlib apply_ts_patch() { - for p in ${S}/external/newlib/*.patch; do - patch -p1 -d ${WORKDIR}/git/newlib < ${p} - done + ( cd ${WORKDIR}/git/newlib; git stash; git branch -f bf_am; git am ${S}/external/newlib/*.patch; git reset bf_am ) } do_patch[postfuncs] += "apply_ts_patch" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc index 41cb0c08bc..8a7b0e5ca2 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc @@ -4,6 +4,8 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" + DEPENDS += "libts" RDEPENDS:${PN} += "libts" @@ -11,7 +13,7 @@ SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protoc file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \ " -SRCREV_psatest = "451aa087a40d02c7d04778235014c5619d126471" +SRCREV_psatest = "38cb53a4d9e292435ddf7899960b15af62decfbe" LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13" EXTRA_OECMAKE += "\ diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb index eef05fe3a9..6cddfb03e0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb 
@@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services attestation service provider" require ts-sp-common.inc SP_UUID = "${ATTESTATION_UUID}" +TS_SP_IAT_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/attestation/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc index 75ddab37d1..3d756015a0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc @@ -17,8 +17,8 @@ do_install:append() { dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE} # We do not need libs and headers - rm -r --one-file-system ${D}${TS_INSTALL}/lib - rm -r --one-file-system ${D}${TS_INSTALL}/include + rm -rf --one-file-system ${D}${TS_INSTALL}/lib + rm -rf --one-file-system ${D}${TS_INSTALL}/include } # Use Yocto debug prefix maps for compiling assembler. diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb index 77a28557cb..867e4a8179 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb @@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services crypto service provider" require ts-sp-common.inc SP_UUID = "${CRYPTO_UUID}" +TS_SP_CRYPTO_CONFIG ?= "default" -DEPENDS += "python3-protobuf-native" +DEPENDS += "python3-protobuf-native python3-jsonschema-native python3-jinja2-native" -OECMAKE_SOURCEPATH="${S}/deployments/crypto/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}" 
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb index 040fd4d159..5551a4deba 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb @@ -6,5 +6,6 @@ require ts-sp-common.inc COMPATIBLE_MACHINE ?= "invalid" SP_UUID = "${ENV_TEST_UUID}" +TS_SP_ENVTEST_CONFIG ?= "baremetal-fvp_base_revc" -OECMAKE_SOURCEPATH="${S}/deployments/env-test/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/env-test/config/${TS_SP_ENVTEST_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb index 4eb5dc5e5c..5472dbdae3 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services internal secure storage service provider" require ts-sp-common.inc SP_UUID = "${ITS_UUID}" +TS_SP_ITS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb index b9246418e9..26781434fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb 
@@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services proxy service providers" require ts-sp-common.inc SP_UUID = "${SE_PROXY_UUID}" +TS_SP_SE_PROXY_CONFIG ?= "default" DEPENDS += "python3-protobuf-native" -OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb index 06ca6bd116..752f7fe708 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services service provider for UEFI SMM services" require ts-sp-common.inc SP_UUID = "${SMM_GATEWAY_UUID}" +TS_SP_SMM_GATEWAY_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc new file mode 100644 index 0000000000..e357629b0f --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc @@ -0,0 +1,7 @@ +DESCRIPTION = "Trusted Services SPMC test SPs" + +require ts-sp-common.inc + +SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}" +SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts" +OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb new file mode 100644 index 0000000000..4cbb970b27 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb 
@@ -0,0 +1,5 @@ +DESCRIPTION = "Trusted Services SPMC test SP1" + +SP_INDEX="1" + +require ts-sp-spm-test-common.inc diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb new file mode 100644 index 0000000000..e6fb822b80 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP2" + +SP_INDEX="2" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb new file mode 100644 index 0000000000..ad3ee76ebe --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP3" + +SP_INDEX="3" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb index c893754650..5b2f47b3f6 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services secure storage service provider" require ts-sp-common.inc SP_UUID = "${STORAGE_UUID}" +TS_SP_PS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc index 7a39f733e8..c18ec5d7f8 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc 
@@ -7,3 +7,6 @@ ITS_UUID = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14" SE_PROXY_UUID = "46bb39d1-b4d9-45b5-88ff-040027dab249" SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7" STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790" +SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37" +SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a" +SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6" \ No newline at end of file diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb index e70edef271..f0ff24f376 100644 --- a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-printing/system-config-printer/system-config-printer_1.5.18.bb 
@@ -11,16 +11,25 @@ inherit autotools gettext pkgconfig python3native features_check REQUIRED_DISTRO_FEATURES = "gobject-introspection-data" -DEPENDS = "cups glib-2.0 libusb xmlto-native intltool-native desktop-file-utils-native" +DEPENDS = "cups glib-2.0 libusb xmlto-native desktop-file-utils-native autoconf-archive-native" PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" -PACKAGECONFIG[systemd] = ",,systemd" +PACKAGECONFIG[systemd] = ",--without-systemdsystemunitdir,systemd" do_configure:prepend() { # This file is not provided if fetching from git but required for configure touch ${S}/ChangeLog } +do_install:append() { + for f in __init__.cpython-311.pyc cupshelpers.cpython-311.pyc \ + config.cpython-311.pyc ppds.cpython-311.pyc \ + installdriver.cpython-311.pyc openprinting.cpython-311.pyc \ + xmldriverprefs.cpython-311.pyc; do + rm -rf ${D}${PYTHON_SITEPACKAGES_DIR}/cupshelpers/__pycache__/$f + done +} + FILES:${PN} += "${libdir} ${datadir}" RDEPENDS:${PN} = " \ diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb deleted file mode 100644 index 242495e941..0000000000 --- a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb +++ /dev/null 
@@ -1,76 +0,0 @@ -SUMMARY = "Lightweight crypto and SSL/TLS library" -DESCRIPTION = "mbedtls is a lean open source crypto library \ -for providing SSL and TLS support in your programs. It offers \ -an intuitive API and documented header files, so you can actually \ -understand what the code does. It features: \ - \ - - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4, \ - Camellia and XTEA \ - - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5 \ - - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG \ - - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \ - ECDSA and ECDH \ - - SSL v3 and TLS 1.0, 1.1 and 1.2 \ - - Abstraction layers for ciphers, hashes, public key operations, \ - platform abstraction and threading \ -" - -HOMEPAGE = "https://tls.mbed.org/" - -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" - -SECTION = "libs" - -S = "${WORKDIR}/git" -SRCREV = "89f040a5c938985c5f30728baed21e49d0846a53" -SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28 \ - file://run-ptest \ - " - -inherit cmake update-alternatives ptest - -PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}" -PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF" -PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF" -PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF" -# Make X.509 and TLS calls use PSA -# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md -PACKAGECONFIG[psa] = "" -PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF" - -EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}" - -# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS -CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}" - -PROVIDES += "polarssl" 
-RPROVIDES:${PN} = "polarssl" - -PACKAGES =+ "${PN}-programs" -FILES:${PN}-programs = "${bindir}/" - -ALTERNATIVE:${PN}-programs = "hello" -ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT = "mbed_tls" - -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 -CVE_CHECK_IGNORE += "CVE-2021-43666" -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c -CVE_CHECK_IGNORE += "CVE-2021-45451" - -# Export source files/headers needed by Arm Trusted Firmware -sysroot_stage_all:append() { - sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library" - sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include" -} - -do_install_ptest () { - install -d ${D}${PTEST_PATH}/tests - cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/ - find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete - cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/ -} diff --git a/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb new file mode 100644 index 0000000000..ce094d5afb --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb 
@@ -0,0 +1,82 @@ +SUMMARY = "Lightweight crypto and SSL/TLS library" +DESCRIPTION = "mbedtls is a lean open source crypto library \ +for providing SSL and TLS support in your programs. It offers \ +an intuitive API and documented header files, so you can actually \ +understand what the code does. It features: \ + \ + - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4, \ + Camellia and XTEA \ + - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5 \ + - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG \ + - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \ + ECDSA and ECDH \ + - SSL v3 and TLS 1.0, 1.1 and 1.2 \ + - Abstraction layers for ciphers, hashes, public key operations, \ + platform abstraction and threading \ +" + +HOMEPAGE = "https://tls.mbed.org/" + +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SECTION = "libs" + +S = "${WORKDIR}/git" +SRCREV = "981743de6fcdbe672e482b6fd724d31d0a0d2476" +SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28 \ + file://run-ptest \ + " + +inherit cmake update-alternatives ptest + +PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}" +PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF" +PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF" +PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF" +# Make X.509 and TLS calls use PSA +# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md +PACKAGECONFIG[psa] = "" +PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF" + +EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}" + +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}" + +PROVIDES += "polarssl" 
+RPROVIDES:${PN} = "polarssl" + +PACKAGES =+ "${PN}-programs" +FILES:${PN}-programs = "${bindir}/" + +ALTERNATIVE:${PN}-programs = "hello" +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "mbed_tls" + +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 +CVE_CHECK_IGNORE += "CVE-2021-43666" +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c +CVE_CHECK_IGNORE += "CVE-2021-45451" + +# Strip host paths from autogenerated test files +do_compile:append() { + sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : + sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || : +} + +# Export source files/headers needed by Arm Trusted Firmware +sysroot_stage_all:append() { + sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library" + sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include" +} + +do_install_ptest () { + install -d ${D}${PTEST_PATH}/tests + cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/ + find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete + cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/ +} diff --git a/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch new file mode 100644 index 0000000000..e8c3f1d84b --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch 
@@ -0,0 +1,53 @@ +From 4133a888aa256312186962ab70d4a36eed5920c1 Mon Sep 17 00:00:00 2001 +From: Brooks Davis +Date: Mon, 26 Sep 2022 18:56:51 +0100 +Subject: [PATCH] telnetd: fix two-byte input crash + +Move initialization of the slc table earlier so it doesn't get +accessed before that happens. + +For details on the issue, see: +https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html + +Reviewed by: cy +Obtained from: NetBSD via cy +Differential Revision: https://reviews.freebsd.org/D36680 + +CVE: CVE-2022-39028 +Upstream-Status: Backport [https://cgit.freebsd.org/src/commit/?id=6914ffef4e23] + +(cherry picked from commit 6914ffef4e2318ca1d0ead28eafb6f06055ce0f8) +Signed-off-by: Sanjay Chitroda + +--- + telnetd/telnetd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c +index f36f505..efa0fe1 100644 +--- a/telnetd/telnetd.c ++++ b/telnetd/telnetd.c +@@ -615,6 +615,11 @@ doit(struct sockaddr_in *who) + int level; + char user_name[256]; + ++ /* ++ * Initialize the slc mapping table. ++ */ ++ get_slc_defaults(); ++ + /* + * Find an available pty to use. + */ +@@ -698,11 +703,6 @@ void telnet(int f, int p) + char *HE; + const char *IM; + +- /* +- * Initialize the slc mapping table. +- */ +- get_slc_defaults(); +- + /* + * Do some tests where it is desireable to wait for a response. + * Rather than doing them slowly, one at a time, do them all diff --git a/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index e28eeae491..d3de038d16 100644 --- a/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb 
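Review bot: moving get_slc_defaults() from telnet() into doit() closes the early access only if doit() is the single path into the option and SLC negotiation code; the call from doit() into telnet() is outside the shown context, and this patch was regenerated against netkit's telnetd.c (index f36f505..efa0fe1) rather than the FreeBSD tree named in Upstream-Status, so please confirm in the netkit source that telnet() is not reached from any other entry point that would now run without the table initialised. Since the patch description gives no reproduction, it would also help to add a ptest, or at least a note in the commit, that the two-byte input from the linked write-up now results in a clean disconnect rather than a crash.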
@@ -16,6 +16,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/netkit-telnet_${PV}.orig.tar.gz file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \ file://0001-utility-Include-time.h-form-time-and-strftime-protot.patch \ file://0001-Drop-using-register-keyword.patch \ + file://CVE-2022-39028.patch \ " UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/" diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch b/meta-openembedded/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch new file mode 100644 index 0000000000..4a8a7e1afd --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch 
@@ -0,0 +1,54 @@ +From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001 +From: harryreps +Date: Fri, 3 Mar 2023 23:17:14 +0000 +Subject: [PATCH] babeld: fix #11808 to avoid infinite loops + +Replacing continue in loops to goto done so that index of packet buffer +increases. + +Signed-off-by: harryreps + +CVE: CVE-2023-3748 + +Upstream-Status: Backport +[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0] + +Signed-off-by: Yi Zhao +--- + babeld/message.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/babeld/message.c b/babeld/message.c +index 7d45d91bf..2bf233796 100644 +--- a/babeld/message.c ++++ b/babeld/message.c +@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, + debugf(BABEL_DEBUG_COMMON, + "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring", + format_address(from), ifp->name); +- continue; ++ goto done; + } + + /* +@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, + debugf(BABEL_DEBUG_COMMON, + "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet", + format_address(from), ifp->name); +- continue; ++ goto done; + } + + DO_NTOHS(seqno, message + 4); +@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, + debugf(BABEL_DEBUG_COMMON, + "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0", + format_address(from), ifp->name); +- continue; ++ goto done; + } + + changed = update_neighbour(neigh, seqno, interval); +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb deleted file mode 100644 index 9669260945..0000000000 --- a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.2.bb +++ /dev/null 
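Review bot: the three replacements of continue with goto done in parse_packet are only a fix if the done: label, which lies outside the shown context, advances the packet offset past the current TLV before the loop condition is re-tested (the description says it is there so that the index increases, but the label body is not visible); please verify this against stable/8.4 at the new SRCREV rather than against the master commit cited in Upstream-Status, since the 8.4 version of this function may not match. The hunk only touches the three Hello-message early exits; check whether any other continue in the same loop leaves the offset unchanged in the same way, because those would still loop forever on a crafted packet.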
@@ -1,125 +0,0 @@ -SUMMARY = "BGP/OSPF/RIP routing daemon" -DESCRIPTION = "FRRouting is a free and open source Internet routing protocol suite for Linux \ -and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric \ -and VRRP, with alpha support for EIGRP and NHRP." -HOMEPAGE = "https://frrouting.org/" -SECTION = "net" - -LICENSE = "GPL-2.0-only & LGPL-2.1-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING-LGPLv2.1;md5=4fbd65380cdd255951079008b364516c" - -SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \ - file://frr.pam \ - file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \ - " - -SRCREV = "62ac43de9f3bc470586cf4f51fadf013bf542b32" - -UPSTREAM_CHECK_GITTAGREGEX = "frr-(?P\d+(\.\d+)+)$" - -CVE_PRODUCT = "frrouting" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep python3native pkgconfig useradd systemd - -DEPENDS:class-native = "bison-native elfutils-native" -DEPENDS:class-target = "bison-native json-c readline c-ares libyang frr-native" - -RDEPENDS:${PN}:class-target = "iproute2 python3-core bash" - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" -PACKAGECONFIG:class-native = "" - -PACKAGECONFIG[fpm] = "--enable-fpm,--disable-fpm" -PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam" -PACKAGECONFIG[grpc] = "--enable-grpc,--disable-grpc,grpc-native grpc" -PACKAGECONFIG[snmp] = "--enable-snmp,--disable-snmp,net-snmp" -PACKAGECONFIG[zeromq] = "--enable-zeromq,--disable-zeromq,zeromq" -PACKAGECONFIG[protobuf] = "--enable-protobuf,--disable-protobuf,protobuf-c-native protobuf-c" -PACKAGECONFIG[capabilities] = "--enable-capabilities,--disable-capabilities,libcap" -PACKAGECONFIG[cumulus] = "--enable-cumulus,--disable-cumulus" -PACKAGECONFIG[datacenter] = "--enable-datacenter,--disable-datacenter" -PACKAGECONFIG[ospfclient] = "--enable-ospfapi --enable-ospfclient,--disable-ospfapi --disable-ospfclient" 
- -EXTRA_OECONF:class-native = "--enable-clippy-only" - -EXTRA_OECONF:class-target = "--sbindir=${libdir}/frr \ - --sysconfdir=${sysconfdir}/frr \ - --localstatedir=${localstatedir}/run/frr \ - --enable-vtysh \ - --enable-multipath=64 \ - --enable-user=frr \ - --enable-group=frr \ - --enable-vty-group=frrvty \ - --enable-configfile-mask=0640 \ - --enable-logfile-mask=0640 \ - --disable-doc \ - --with-clippy=${RECIPE_SYSROOT_NATIVE}/usr/lib/clippy \ - " - -CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl'" - -LDFLAGS:append:mips = " -latomic" -LDFLAGS:append:mipsel = " -latomic" -LDFLAGS:append:powerpc = " -latomic" -LDFLAGS:append:riscv32 = " -latomic" - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE:${PN} = "frr.service" -SYSTEMD_AUTO_ENABLE = "disable" - -do_compile:prepend () { - sed -i -e 's#${RECIPE_SYSROOT_NATIVE}##g' \ - -e 's#${RECIPE_SYSROOT}##g' ${S}/lib/version.h -} - -do_compile:class-native () { - oe_runmake clippy-only -} - -do_install:class-native () { - install -d ${D}${libdir} - install -m 755 ${S}/lib/clippy ${D}${libdir}/clippy -} - -do_install:append:class-target () { - install -m 0755 -d ${D}${sysconfdir}/frr - install -m 0640 ${S}/tools/etc/frr/* ${D}${sysconfdir}/frr/ - chown frr:frrvty ${D}${sysconfdir}/frr - chown frr:frr ${D}${sysconfdir}/frr/* - chown frr:frrvty ${D}${sysconfdir}/frr/vtysh.conf - chmod 640 ${D}${sysconfdir}/frr/* - - if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then - install -d ${D}/${sysconfdir}/pam.d - install -m 644 ${WORKDIR}/frr.pam ${D}/${sysconfdir}/pam.d/frr - fi - - if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/init.d - install -m 0755 ${B}/tools/frrinit.sh ${D}${sysconfdir}/init.d/frr - - install -d ${D}${sysconfdir}/default/volatiles - echo "d frr frr 0755 ${localstatedir}/run/frr none" \ - > ${D}${sysconfdir}/default/volatiles/99_frr - fi - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 
'false', d)}; then - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${B}/tools/frr*.service ${D}${systemd_system_unitdir} - - install -d ${D}${sysconfdir}/tmpfiles.d - echo "d /run/frr 0755 frr frr -" \ - > ${D}${sysconfdir}/tmpfiles.d/${BPN}.conf - fi -} - -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM:${PN} = "--system frr ; --system frrvty" -USERADD_PARAM:${PN} = "--system --home ${localstatedir}/run/frr/ -M -g frr -G frrvty --shell /bin/false frr" - -FILES:${PN} += "${datadir}/yang" - -BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb new file mode 100644 index 0000000000..f32b52f331 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-protocols/frr/frr_8.4.4.bb 
@@ -0,0 +1,126 @@ +SUMMARY = "BGP/OSPF/RIP routing daemon" +DESCRIPTION = "FRRouting is a free and open source Internet routing protocol suite for Linux \ +and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric \ +and VRRP, with alpha support for EIGRP and NHRP." +HOMEPAGE = "https://frrouting.org/" +SECTION = "net" + +LICENSE = "GPL-2.0-only & LGPL-2.1-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://COPYING-LGPLv2.1;md5=4fbd65380cdd255951079008b364516c" + +SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \ + file://frr.pam \ + file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \ + file://CVE-2023-3748.patch \ + " + +SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d" + +UPSTREAM_CHECK_GITTAGREGEX = "frr-(?P\d+(\.\d+)+)$" + +CVE_PRODUCT = "frrouting" + +S = "${WORKDIR}/git" + +inherit autotools-brokensep python3native pkgconfig useradd systemd + +DEPENDS:class-native = "bison-native elfutils-native" +DEPENDS:class-target = "bison-native json-c readline c-ares libyang frr-native" + +RDEPENDS:${PN}:class-target = "iproute2 python3-core bash" + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" +PACKAGECONFIG:class-native = "" + +PACKAGECONFIG[fpm] = "--enable-fpm,--disable-fpm" +PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam" +PACKAGECONFIG[grpc] = "--enable-grpc,--disable-grpc,grpc-native grpc" +PACKAGECONFIG[snmp] = "--enable-snmp,--disable-snmp,net-snmp" +PACKAGECONFIG[zeromq] = "--enable-zeromq,--disable-zeromq,zeromq" +PACKAGECONFIG[protobuf] = "--enable-protobuf,--disable-protobuf,protobuf-c-native protobuf-c" +PACKAGECONFIG[capabilities] = "--enable-capabilities,--disable-capabilities,libcap" +PACKAGECONFIG[cumulus] = "--enable-cumulus,--disable-cumulus" +PACKAGECONFIG[datacenter] = "--enable-datacenter,--disable-datacenter" +PACKAGECONFIG[ospfclient] = "--enable-ospfapi 
--enable-ospfclient,--disable-ospfapi --disable-ospfclient" + +EXTRA_OECONF:class-native = "--enable-clippy-only" + +EXTRA_OECONF:class-target = "--sbindir=${libdir}/frr \ + --sysconfdir=${sysconfdir}/frr \ + --localstatedir=${localstatedir}/run/frr \ + --enable-vtysh \ + --enable-multipath=64 \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=frrvty \ + --enable-configfile-mask=0640 \ + --enable-logfile-mask=0640 \ + --disable-doc \ + --with-clippy=${RECIPE_SYSROOT_NATIVE}/usr/lib/clippy \ + " + +CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl'" + +LDFLAGS:append:mips = " -latomic" +LDFLAGS:append:mipsel = " -latomic" +LDFLAGS:append:powerpc = " -latomic" +LDFLAGS:append:riscv32 = " -latomic" + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE:${PN} = "frr.service" +SYSTEMD_AUTO_ENABLE = "disable" + +do_compile:prepend () { + sed -i -e 's#${RECIPE_SYSROOT_NATIVE}##g' \ + -e 's#${RECIPE_SYSROOT}##g' ${S}/lib/version.h +} + +do_compile:class-native () { + oe_runmake clippy-only +} + +do_install:class-native () { + install -d ${D}${libdir} + install -m 755 ${S}/lib/clippy ${D}${libdir}/clippy +} + +do_install:append:class-target () { + install -m 0755 -d ${D}${sysconfdir}/frr + install -m 0640 ${S}/tools/etc/frr/* ${D}${sysconfdir}/frr/ + chown frr:frrvty ${D}${sysconfdir}/frr + chown frr:frr ${D}${sysconfdir}/frr/* + chown frr:frrvty ${D}${sysconfdir}/frr/vtysh.conf + chmod 640 ${D}${sysconfdir}/frr/* + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + install -d ${D}/${sysconfdir}/pam.d + install -m 644 ${WORKDIR}/frr.pam ${D}/${sysconfdir}/pam.d/frr + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${B}/tools/frrinit.sh ${D}${sysconfdir}/init.d/frr + + install -d ${D}${sysconfdir}/default/volatiles + echo "d frr frr 0755 ${localstatedir}/run/frr none" \ + > ${D}${sysconfdir}/default/volatiles/99_frr + fi + + if 
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${B}/tools/frr*.service ${D}${systemd_system_unitdir} + + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /run/frr 0755 frr frr -" \ + > ${D}${sysconfdir}/tmpfiles.d/${BPN}.conf + fi +} + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system frr ; --system frrvty" +USERADD_PARAM:${PN} = "--system --home ${localstatedir}/run/frr/ -M -g frr -G frrvty --shell /bin/false frr" + +FILES:${PN} += "${datadir}/yang" + +BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch new file mode 100644 index 0000000000..170dddf688 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch 
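Review bot: with frr_8.4.2.bb deleted and re-added as frr_8.4.4.bb, the effective change is the SRCREV and the added file://CVE-2023-3748.patch in SRC_URI; the rest is carried over unchanged, so the following applies to both. In do_install:append:class-target the systemd branch writes "d /run/frr 0755 frr frr -" to tmpfiles.d while configure is passed --localstatedir=${localstatedir}/run/frr and the sysvinit branch writes "${localstatedir}/run/frr" to volatiles; the hard-coded /run/frr only agrees with the other two when ${localstatedir}/run resolves to /run, so use the same variable in all three places. Separately, the default PACKAGECONFIG enables only pam and leaves capabilities (libcap) off even though the daemons are configured with --enable-user=frr --enable-group=frr; a comment on why capabilities is not on by default would help, because it changes how the unprivileged frr user obtains the privileges the routing daemons need.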
@@ -0,0 +1,163 @@ +From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001 +From: John Wolfe +Date: Mon, 8 May 2023 19:04:57 -0700 +Subject: [PATCH] Remove some dead code. + +Address CVE-2023-20867. +Remove some authentication types which were deprecated long +ago and are no longer in use. These are dead code. + +CVE: CVE-2023-20867 + +Upstream-Status: Backport +[https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch] + +Signed-off-by: Yi Zhao +--- + open-vm-tools/services/plugins/vix/vixTools.c | 102 -------------------------- + 1 file changed, 102 deletions(-) + +diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c +index 9f376a7..85c5ba7 100644 +--- a/open-vm-tools/services/plugins/vix/vixTools.c ++++ b/open-vm-tools/services/plugins/vix/vixTools.c +@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL; + #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication" + #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents" + +-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE +- + /* + * The switch that controls all APIs + */ +@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate( + + void GuestAuthUnimpersonate(); + +-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, +- const char *typeName); +- + #if SUPPORT_VGAUTH + + VGAuthError TheVGAuthContext(VGAuthContext **ctx); +@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN + userToken); + break; + } +- case VIX_USER_CREDENTIAL_ROOT: +- { +- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) && +- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef, +- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) { +- /* +- * Don't accept hashed shared secret if disabled. 
+- */ +- g_message("%s: Requested authentication type has been disabled.\n", +- __FUNCTION__); +- err = VIX_E_GUEST_AUTHTYPE_DISABLED; +- goto done; +- } +- } +- // fall through +- +- case VIX_USER_CREDENTIAL_CONSOLE_USER: +- err = VixToolsImpersonateUserImplEx(NULL, +- credentialType, +- NULL, +- loadUserProfile, +- userToken); +- break; + case VIX_USER_CREDENTIAL_NAME_PASSWORD: + case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED: + case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER: +@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN + } + + /* +- * If the VMX asks to be root, then we allow them. +- * The VMX will make sure that only it will pass this value in, +- * and only when the VM and host are configured to allow this. +- */ +- if ((VIX_USER_CREDENTIAL_ROOT == credentialType) +- && (thisProcessRunsAsRoot)) { +- *userToken = PROCESS_CREATOR_USER_TOKEN; +- +- gImpersonatedUsername = Util_SafeStrdup("_ROOT_"); +- err = VIX_OK; +- goto quit; +- } +- +- /* +- * If the VMX asks to be root, then we allow them. +- * The VMX will make sure that only it will pass this value in, +- * and only when the VM and host are configured to allow this. +- * +- * XXX This has been deprecated XXX +- */ +- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType) +- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) { +- *userToken = PROCESS_CREATOR_USER_TOKEN; +- +- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_"); +- err = VIX_OK; +- goto quit; +- } +- +- /* + * If the VMX asks us to run commands in the context of the current + * user, make sure that the user who requested the command is the + * same as the current user. 
+@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN + /* + *----------------------------------------------------------------------------- + * +- * VixToolsCheckIfAuthenticationTypeEnabled -- +- * +- * Checks to see if a given authentication type has been +- * disabled via the tools configuration. +- * +- * Return value: +- * TRUE if enabled, FALSE otherwise. +- * +- * Side effects: +- * None +- * +- *----------------------------------------------------------------------------- +- */ +- +-static Bool +-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN +- const char *typeName) // IN +-{ +- char authnDisabledName[64]; // Authentication..disabled +- gboolean disabled; +- +- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName), +- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled", +- typeName); +- +- ASSERT(confDictRef != NULL); +- +- /* +- * XXX Skip doing the strcmp() to verify the auth type since we only +- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default +- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT. +- */ +- disabled = VMTools_ConfigGetBoolean(confDictRef, +- VIX_TOOLS_CONFIG_API_GROUPNAME, +- authnDisabledName, +- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT); +- +- return !disabled; +-} +- +- +-/* +- *----------------------------------------------------------------------------- +- * + * VixTools_ProcessVixCommand -- + * + * +-- +2.6.2 + diff --git a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb index d389d2450c..e12e4be7f8 100644 --- a/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb +++ b/meta-openembedded/meta-networking/recipes-support/open-vm-tools/open-vm-tools_12.1.5.bb 
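Review bot: deleting the VIX_USER_CREDENTIAL_ROOT and VIX_USER_CREDENTIAL_CONSOLE_USER cases from the switch in VixToolsImpersonateUser means a request carrying either credential type now lands in whatever handles the remaining values, and that default path is not in the shown context; please confirm it returns an error rather than reaching another impersonation branch, since refusing these types is the whole point of the fix. The patch also removes VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT and VixToolsCheckIfAuthenticationTypeEnabled but keeps #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents", whose only visible user was the removed function, and allowConsoleUserOps in VixToolsImpersonateUserImplEx may now be unreferenced; check the build for unused-symbol warnings, which would fail a -Werror build.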
@@ -43,6 +43,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=stabl file://0012-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0013-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \ file://0001-timeSync-Portable-way-to-print-64bit-time_t.patch;patchdir=.. \ + file://CVE-2023-20867.patch;patchdir=.. \ " UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P\d+(\.\d+)+)" diff --git a/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.3.bb b/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.3.bb deleted file mode 100644 index 03f1b76f97..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.3.bb +++ /dev/null 
@@ -1,52 +0,0 @@ -SUMMARY = "A sophisticated network protocol analyzer" -HOMEPAGE = "http://www.tcpdump.org/" -SECTION = "net" -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453" - -DEPENDS = "libpcap" - -RDEPENDS:${PN}-ptest += " make perl \ - perl-module-file-basename \ - perl-module-file-spec \ - perl-module-file-spec-unix \ - perl-module-file-path \ - perl-module-file-glob \ - perl-module-data-dumper \ - perl-module-bytes \ - perl-module-posix \ - perl-module-carp \ - perl-module-cwd \ - perl-module-constant \ -" - -SRC_URI = " \ - http://www.tcpdump.org/release/${BP}.tar.gz \ - file://add-ptest.patch \ - file://run-ptest \ -" - -SRC_URI[sha256sum] = "ad75a6ed3dc0d9732945b2e5483cb41dc8b4b528a169315e499c6861952e73b3" - -UPSTREAM_CHECK_REGEX = "tcpdump-(?P\d+(\.\d+)+)\.tar" - -inherit autotools-brokensep pkgconfig ptest - -PACKAGECONFIG ?= "openssl" - -PACKAGECONFIG[libcap-ng] = "--with-cap-ng,--without-cap-ng,libcap-ng" -PACKAGECONFIG[openssl] = "--with-crypto,--without-crypto,openssl" -PACKAGECONFIG[smi] = "--with-smi,--without-smi,libsmi" -# Note: CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled) -PACKAGECONFIG[smb] = "--enable-smb,--disable-smb" - -EXTRA_AUTORECONF += "--exclude=aclocal" - -do_install:append() { - # make install installs an unneeded extra copy of the tcpdump binary - rm ${D}${bindir}/tcpdump.${PV} -} - -do_compile_ptest() { - oe_runmake buildtest-TESTS -} diff --git a/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb b/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb new file mode 100644 index 0000000000..803a9bb5f5 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb 
@@ -0,0 +1,52 @@ +SUMMARY = "A sophisticated network protocol analyzer" +HOMEPAGE = "http://www.tcpdump.org/" +SECTION = "net" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453" + +DEPENDS = "libpcap" + +RDEPENDS:${PN}-ptest += " make perl \ + perl-module-file-basename \ + perl-module-file-spec \ + perl-module-file-spec-unix \ + perl-module-file-path \ + perl-module-file-glob \ + perl-module-data-dumper \ + perl-module-bytes \ + perl-module-posix \ + perl-module-carp \ + perl-module-cwd \ + perl-module-constant \ +" + +SRC_URI = " \ + http://www.tcpdump.org/release/${BP}.tar.gz \ + file://add-ptest.patch \ + file://run-ptest \ +" + +SRC_URI[sha256sum] = "0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea" + +UPSTREAM_CHECK_REGEX = "tcpdump-(?P\d+(\.\d+)+)\.tar" + +inherit autotools-brokensep pkgconfig ptest + +PACKAGECONFIG ?= "openssl" + +PACKAGECONFIG[libcap-ng] = "--with-cap-ng,--without-cap-ng,libcap-ng" +PACKAGECONFIG[openssl] = "--with-crypto,--without-crypto,openssl" +PACKAGECONFIG[smi] = "--with-smi,--without-smi,libsmi" +# Note: CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled) +PACKAGECONFIG[smb] = "--enable-smb,--disable-smb" + +EXTRA_AUTORECONF += "--exclude=aclocal" + +do_install:append() { + # make install installs an unneeded extra copy of the tcpdump binary + rm ${D}${bindir}/tcpdump.${PV} +} + +do_compile_ptest() { + oe_runmake buildtest-TESTS +} diff --git a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay/0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay/0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch new file mode 100644 index 0000000000..709d2cccbc --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay/0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch 
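Review bot: both HOMEPAGE and the release tarball in SRC_URI use plain http://www.tcpdump.org/...; the pinned SRC_URI[sha256sum] still protects integrity, but switching the fetch to https removes the need to rely on the checksum alone and costs nothing. Because the 4.99.3 to 4.99.4 bump is done as a delete plus add, the only material changes are the version and the checksum, so the commit message should say whether this release is being taken for a security fix, and the "CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)" comment on PACKAGECONFIG[smb] should be re-checked against 4.99.4 rather than carried forward verbatim.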
@@ -0,0 +1,82 @@ +From 5f8c78362b3b1e06f5adff2d4b140509c4799894 Mon Sep 17 00:00:00 2001 +From: Martin Jansa +Date: Sun, 3 Sep 2023 12:31:59 +0200 +Subject: [PATCH] configure.ac: unify search dirs for pcap and add lib32 + +* add lib32 because when building lib32-tcpreplay it's + impossible to set --with-libpcap so that it would find + both include files as well as the library in lib32 directory + +* maybe it would be beneficial to split --with-libpcap + into --with-libpcap-includedir --with-libpcap-libdir as this + already searches in the --with-libpcap value with and + without any "lib" prefix, but include files always expect + "include" dir there + +* most of this code was added in: + https://github.com/appneta/tcpreplay/commit/202b8e82f9fd3c84ce5804577caeb36a33baabe7#diff-49473dca262eeab3b4a43002adb08b4db31020d190caaad1594b47f1d5daa810R570 + +* then search for + ${host_cpu} lib/${host_cpu} (without -${host_os} suffix) + and ${build_arch}-${host_os} lib/${build_arch}-${host_os} + was added, but only for search of dynamic library in: + https://github.com/appneta/tcpreplay/commit/c3d5236563985a99f8bb02c3f1bd6950e3929047 + +* ${build_arch}-${host_os} lib/${build_arch}-${host_os} + was later replaced with: + lib/${MULTIARCH} ${MULTIARCH} + and it was added to static library search as well + + but for dynamic library it was searching in reversed order: + ${MULTIARCH} lib/${MULTIARCH} + https://github.com/appneta/tcpreplay/commit/ed9e3a818bde04813144014561e62f018c9eb85f + + I don't think this reversed order was intentional, just unify all 4 cases + to use the same directories in the same order + +Signed-off-by: Martin Jansa +Upstream-Status: Submitted [https://github.com/appneta/tcpreplay/pull/819] +--- + configure.ac | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 387219de..26ba31a5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -671,7 +671,7 @@ AC_ARG_WITH(libpcap, + LPCAPINCDIR=${testdir} + if 
test $dynamic_link = yes; then + for ext in .dylib .so .tbd ; do +- for dir in . lib lib64 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do ++ for dir in . lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + sharefile=$(ls ${testdir}/$dir/libpcap${ext}* 2> /dev/null | sort | head -n1) + if test -n "${sharefile}"; then + LPCAP_LD_LIBRARY_PATH="$(dirname ${sharefile})" +@@ -690,7 +690,7 @@ AC_ARG_WITH(libpcap, + dnl If dynamic library not found, try static + dnl + for ext in ${libext} .a .A.tbd ; do +- for dir in . lib lib64 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do ++ for dir in . lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + staticfile=$(ls ${testdir}/$dir/libpcap${ext} 2> /dev/null | sort | head -n1) + if test -n "${staticfile}"; then + LPCAPLIB="${staticfile}" +@@ -771,7 +771,7 @@ AC_ARG_WITH(libpcap, + LPCAPINCDIR="${testdir}/include" + if test $dynamic_link = yes; then + for ext in .dylib .so .tbd; do +- for dir in . lib lib64 ${host_cpu} lib/${host_cpu} ${host_cpu}-${host_os} lib/${host_cpu}-${host_os} ${MULTIARCH} lib/${MULTIARCH}; do ++ for dir in . lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + sharefile=$(ls "${testdir}/$dir/libpcap${ext}" 2> /dev/null | sort | head -n1) + if test -n "${sharefile}"; then + LPCAPLIB="-L$(dirname ${sharefile}) -lpcap" +@@ -790,7 +790,7 @@ AC_ARG_WITH(libpcap, + dnl If dynamic library not found, try static + dnl + for ext in ${libext} .a .A.tbd ; do +- for dir in . lib lib64 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do ++ for dir in . 
lib lib64 lib32 lib/${host_cpu}-${host_os} ${host_cpu}-${host_os} lib/${MULTIARCH} ${MULTIARCH}; do + staticfile=$(ls "${testdir}/$dir/libpcap${ext}" 2> /dev/null | sort | head -n1) + if test -n "${staticfile}"; then + LPCAPLIB="${staticfile}" diff --git a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb deleted file mode 100644 index d461c8d3dc..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.3.bb +++ /dev/null @@ -1,26 +0,0 @@ -SUMMARY = "Use previously captured traffic to test network devices" - -HOMEPAGE = "https://tcpreplay.appneta.com/" - -SECTION = "net" - -LICENSE = "GPL-3.0-only" -LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=10f0474a2f0e5dccfca20f69d6598ad8" - -SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \ - file://0001-libopts.m4-set-POSIX_SHELL-to-bin-sh.patch \ - " - -SRC_URI[sha256sum] = "216331692e10c12d7f257945e777928d79bd091117f3e4ffb5b312eb2ca0bf7c" - -UPSTREAM_CHECK_URI = "https://github.com/appneta/tcpreplay/releases" - -DEPENDS = "libpcap" - -EXTRA_OECONF += "--with-libpcap=${STAGING_DIR_HOST}/usr" - -inherit siteinfo autotools-brokensep - -do_install:append() { - sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/src/defines.h -} diff --git a/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb new file mode 100644 index 0000000000..53f17c9619 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb 
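Review bot: in all four hunks lib32 is placed after lib and lib64, and each loop takes the first directory in which ls finds a libpcap, so a lib32 build whose --with-libpcap prefix also contains lib/libpcap.so* will still pick the non-lib32 library; if the prefix used for lib32-tcpreplay can hold both, lib32 has to be tried before lib, or the order should follow the configured libdir. The third hunk (around line 771) also does more than "unify": the old list there searched ${host_cpu} and lib/${host_cpu}, which the new list drops entirely; the description implies this but does not state it, and since it is a behaviour change for anyone relying on those paths it deserves a sentence, not least because upstream is likely to ask on the linked pull request.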
@@ -0,0 +1,27 @@ +SUMMARY = "Use previously captured traffic to test network devices" + +HOMEPAGE = "https://tcpreplay.appneta.com/" + +SECTION = "net" + +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=10f0474a2f0e5dccfca20f69d6598ad8" + +SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ + file://0001-libopts.m4-set-POSIX_SHELL-to-bin-sh.patch \ + file://0001-configure.ac-unify-search-dirs-for-pcap-and-add-lib3.patch \ +" + +SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf" + +UPSTREAM_CHECK_URI = "https://github.com/appneta/tcpreplay/releases" + +DEPENDS = "libpcap" + +EXTRA_OECONF += "--with-libpcap=${STAGING_DIR_HOST}${prefix}" + +inherit siteinfo autotools-brokensep + +do_install:append() { + sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/src/defines.h +} diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch new file mode 100644 index 0000000000..7732916826 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0666.patch 
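Review bot: do_install:append runs sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/src/defines.h after compilation, so it rewrites a source header that has already been built in and, unless defines.h is packaged, cannot change anything that ships; if the intent is to keep sysroot paths out of the binaries for the buildpaths QA check, the substitution belongs in do_configure:append, before do_compile. The remaining differences from 4.4.3, the new configure.ac patch in SRC_URI, the ${BPN}/${BP} tarball URL and --with-libpcap=${STAGING_DIR_HOST}${prefix} in place of the hard-coded /usr, look right.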
@@ -0,0 +1,122 @@ +From 265cbf15a418b629c3c8f02c0ba901913b1c8fd2 Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Thu, 18 May 2023 13:52:48 -0700 +Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes + +Use the proper dest_size in various g_strlcpy calls. + +Fixes #19085 + +(cherry picked from commit 28fdce547c417b868c521f87fb58f71ca6b1e3f7) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/265cbf15a418b629c3c8f02c0ba901913b1c8fd2] +CVE: CVE-2023-0666 +Signed-off-by: Hitendra Prajapati +--- + epan/dissectors/packet-rtps.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c +index 5c2d1c1..ef592d7 100644 +--- a/epan/dissectors/packet-rtps.c ++++ b/epan/dissectors/packet-rtps.c +@@ -3025,7 +3025,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + ++tk_id; + } + +- g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40); ++ g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name)); + + /* Structure of the typecode data: + * +@@ -3196,7 +3196,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + member_name, -1, NULL, ndds_40_hack); + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + + } /* end of case UNION */ +@@ -3367,7 +3367,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + } + } + /* Finally prints the name of the struct (if provided) */ +- g_strlcpy(type_name, "}", 40); ++ g_strlcpy(type_name, "}", sizeof(type_name)); + break; + } + +@@ -3459,7 +3459,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + offset += 4; + alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII); + offset += alias_name_length; +- 
g_strlcpy(type_name, alias_name, 40); ++ g_strlcpy(type_name, alias_name, sizeof(type_name)); + break; + } + +@@ -3494,7 +3494,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset, + if (tk_id == RTI_CDR_TK_VALUE_PARAM) { + type_id_name = "valueparam"; + } +- g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name); ++ g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name); + break; + } + } /* switch(tk_id) */ +@@ -3673,7 +3673,7 @@ static gint rtps_util_add_type_library_type(proto_tree *tree, + long_number = tvb_get_guint32(tvb, offset_tmp, encoding); + name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII); + if (info) +- g_strlcpy(info->member_name, name, long_number); ++ g_strlcpy(info->member_name, name, sizeof(info->member_name)); + + proto_item_append_text(tree, " %s", name); + offset += member_length; +@@ -3848,13 +3848,13 @@ static gint rtps_util_add_type_member(proto_tree *tree, + proto_item_append_text(tree, " %s (ID: %d)", name, member_id); + if (member_object) { + member_object->member_id = member_id; +- g_strlcpy(member_object->member_name, name, long_number < 256 ? long_number : 256); ++ g_strlcpy(member_object->member_name, name, sizeof(member_object->member_name)); + member_object->type_id = member_type_id; + } + if (info && info->extensibility == EXTENSIBILITY_MUTABLE) { + mutable_member_mapping * mutable_mapping = NULL; + mutable_mapping = wmem_new(wmem_file_scope(), mutable_member_mapping); +- g_strlcpy(mutable_mapping->member_name, name, long_number < 256 ? 
long_number : 256); ++ g_strlcpy(mutable_mapping->member_name, name, sizeof(mutable_mapping->member_name)); + mutable_mapping->struct_type_id = info->type_id; + mutable_mapping->member_type_id = member_type_id; + mutable_mapping->member_id = member_id; +@@ -3909,7 +3909,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = HASHMAP_DISCRIMINATOR_CONSTANT; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -3922,7 +3922,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + union_member_mapping * mapping = NULL; + + mapping = wmem_new(wmem_file_scope(), union_member_mapping); +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = -1; + mapping->union_type_id = union_type_id + mapping->discriminator; +@@ -3942,7 +3942,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree, + ti = proto_tree_add_item(labels, hf_rtps_type_object_union_label, tvb, offset_tmp, 4, encoding); + offset_tmp += 4; + +- g_strlcpy(mapping->member_name, object.member_name, 256); ++ g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name)); + mapping->member_type_id = object.type_id; + mapping->discriminator = discriminator_case; + mapping->union_type_id = union_type_id + discriminator_case; +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch new file mode 100644 index 0000000000..cd07395aac 
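Review bot: the `sizeof(type_name)`, `sizeof(info->member_name)`, `sizeof(member_object->member_name)`, `sizeof(mutable_mapping->member_name)` and `sizeof(mapping->member_name)` replacements in the packet-rtps.c hunks are only correct if every one of those destinations is a fixed-size `char` array in 3.4.12; if any is a `char *` the expression silently becomes the pointer size and the copies truncate to 4 or 8 bytes. Worth confirming against the struct definitions in this branch, since the earlier forms such as `long_number < 256 ? long_number : 256` suggest 256-byte arrays but the patch does not show them.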
--- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch 
@@ -0,0 +1,66 @@ +From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Thu, 18 May 2023 18:06:36 -0400 +Subject: [PATCH] MS-MMS: Use format_text_string() + +The length of a string transcoded from UTF-16 to UTF-8 can be +shorter (or longer) than the original length in bytes in the packet. +Use the new string length, not the original length. + +Use format_text_string, which is a convenience function that +calls strlen. + +Fix #19086 + +(cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a] +CVE: CVE-2023-0667 +Signed-off-by: Hitendra Prajapati +--- + epan/dissectors/packet-ms-mms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c +index f4dbcd0..092a64b 100644 +--- a/epan/dissectors/packet-ms-mms.c ++++ b/epan/dissectors/packet-ms-mms.c +@@ -740,7 +740,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro + transport_info, "Transport: (%s)", transport_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20)); ++ format_text_string(pinfo->pool, (const guchar*)transport_info)); + + + /* Try to extract details from this string */ +@@ -837,7 +837,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')", +- format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version))); ++ format_text_string(pinfo->pool, (const guchar*)server_version)); + } + offset += (server_version_length*2); + +@@ -891,7 +891,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_ + 
ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info))); ++ format_text_string(pinfo->pool, (const guchar*)player_info)); + } + + /* Dissect info about where client wants to start playing from */ +@@ -966,7 +966,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file))); ++ format_text_string(pinfo->pool, (const guchar*)server_file)); + } + + /* Dissect media details from server */ +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch new file mode 100644 index 0000000000..0009939330 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch 
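Review bot: the four packet-ms-mms.c hunks switch to `format_text_string(pinfo->pool, ...)` while the unchanged context lines in the same functions still use `wmem_packet_scope()`; this backport to 3.4.12 should confirm that `packet_info` in that branch has a `pool` member and that `format_text_string()` exists there, otherwise the patch will not compile. If either is missing, passing `wmem_packet_scope()` as the allocator (matching the surrounding code) keeps the actual fix, which is dropping the stale byte-length argument in favour of the transcoded string's own length.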
@@ -0,0 +1,33 @@ +From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 20 May 2023 23:08:08 -0400 +Subject: [PATCH] synphasor: Use val_to_str_const + +Don't use a value from packet data to directly index a value_string, +particularly when the value string doesn't cover all possible values. + +Fix #19087 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9] +CVE: CVE-2023-0668 +Signed-off-by: Hitendra Prajapati +--- + epan/dissectors/packet-synphasor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c +index 12b388b..fbde875 100644 +--- a/epan/dissectors/packet-synphasor.c ++++ b/epan/dissectors/packet-synphasor.c +@@ -1212,7 +1212,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c + + data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, + ett_conf_phflags, NULL, "Phasor Data flags: %s", +- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); ++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); + + /* first and second bytes - phasor modification flags*/ + phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..b4718f4607 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch 
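Review bot: replacing `conf_phasor_type[tvb_get_guint8(...)].strptr` with `val_to_str_const(..., conf_phasor_type, "Unknown")` in dissect_PHSCALE() removes the out-of-bounds read, but a flag byte that falls outside the table is now reported only as the literal "Unknown" in the subtree label; consider attaching an expert info item in that case so a malformed or fuzzed PHSCALE entry is visible in the expert summary rather than only in the tree text.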
@@ -0,0 +1,108 @@ +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb] +CVE: CVE-2023-2855 + +Signed-off-by: Hitendra Prajapati +--- + wiretap/candump.c | 39 +++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 0def7bc..3f7c2b2 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + canfd_frame_t canfd_frame = {0}; + ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. 
++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + can_frame_t can_frame = {0}; + ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); +@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + /* +-- +2.25.1 + 
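Review bot: the new `msg->data.length > CANFD_MAX_DLEN` / `CAN_MAX_DLEN` checks in candump_write_packet() guard the `memcpy()` into the stack frames shown here, but the length originates in candump_parse(), which is called before this function in both candump_read() and candump_seek_read(); confirm that the parser itself cannot already overrun whatever storage backs `msg->data.data` when it reads an oversized frame, or move the limit into the parser so the bad file is rejected at the point of parsing. Also check that `msg->data.length` is an unsigned type, since both `g_strdup_printf` calls format it with `%u`.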
diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..863421f986 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch 
@@ -0,0 +1,69 @@ +From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] +CVE: CVE-2023-2856 + +Signed-off-by: Hitendra Prajapati +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 0aa83ea..5f5fdbb 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! 
have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..7174e9155c --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch 
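Review bot: `p += sizeof("Length ");` in parse_vms_packet() advances by 8 bytes because `sizeof` counts the terminating NUL, which is one past the 7-character substring that `strstr(line, "Length ")` matched; it is harmless for the `Total Length = DDD = ^xXXX` form the commit message describes (the skipped byte is `=`, and the following loop skips non-digits anyway), but `strlen("Length ")` or `sizeof("Length ") - 1` is the correct idiom and would avoid a future reader re-deriving the same fix. The added `have_pkt_len` flag and the "Length field not found" error path are the right shape, since a zero `pkt_len` was previously indistinguishable from a missing field.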
@@ -0,0 +1,95 @@ +From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105] +CVE: CVE-2023-2858 + +Signed-off-by: Hitendra Prajapati +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 01a7f6d..4fa020b 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1091,13 +1091,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info) + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1162,6 +1162,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; 
+ nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1175,6 +1177,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1192,6 +1196,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1475,14 +1481,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +@@ -1589,7 +1595,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + 
hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch new file mode 100644 index 0000000000..0a8247923e --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2879.patch @@ -0,0 +1,37 @@ +From 118815ca7c9f82c1f83f8f64d9e0e54673f31677 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 13 May 2023 21:45:16 -0400 +Subject: [PATCH] GDSDB: Make sure our offset advances. + +add_uint_string() returns the next offset to use, not the number +of bytes consumed. So to consume all the bytes and make sure the +offset advances, return the entire reported tvb length, not the +number of bytes remaining. + +Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f +Fixes #19068 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677] +CVE: CVE-2023-2879 + +Signed-off-by: Hitendra Prajapati +--- + epan/dissectors/packet-gdsdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c +index 75bcfb9..950d68f 100644 +--- a/epan/dissectors/packet-gdsdb.c ++++ b/epan/dissectors/packet-gdsdb.c +@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o + int ret_offset = offset + length; + if (length < 4 || ret_offset < offset) { + expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length); +- return tvb_reported_length_remaining(tvb, offset); ++ return tvb_reported_length(tvb); + } + return ret_offset; + } +-- +2.25.1 + 
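Review bot: the three `NSPR_ABSTIME_V10` / `NSPR_RELTIME_V10` / `default` hunks in nstrace_read_v10() call `nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)`, which this patch does not define; confirm that the helper is present in 3.4.12's netscaler.c (it was introduced by an earlier fix upstream) or the backport will fail to link. Moving the `type`/`fp` declarations in both `PACKET_DESCRIBE` macros to after the bounds check is fine for the C99 mixed-declaration style Wireshark already uses, and the removed blank line in nstrace_read_v30() is whitespace only.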
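Review bot: in the packet-gdsdb.c hunk, returning `tvb_reported_length(tvb)` from add_uint_string() on an invalid length does make the caller's offset advance past the end, but the overflow guard it sits behind, `int ret_offset = offset + length; if (length < 4 || ret_offset < offset)`, relies on signed `int` wrap-around, which is undefined behaviour and may be optimised away; a check of the form `length > tvb_reported_length_remaining(tvb, offset)` (or computing in `guint`) would detect the same condition without depending on it. The visible `expert_add_info_format(NULL, ti, ...)` also passes a NULL `pinfo`, which suppresses the expert entry in the protocol hierarchy, so the malformed length is only visible on the tree item.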
diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch new file mode 100644 index 0000000000..41b02bb3fa --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch 
@@ -0,0 +1,98 @@ +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001 +From: Gerald Combs +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5] +CVE: CVE-2023-2952 + +Signed-off-by: Hitendra Prajapati +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index 68a8e72..6c7ab74 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index 
= 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + if(packet_start_pointer_field_present) { + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer); + +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + while (docsis_start + 6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + docsis_start += 1; + continue; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { +- guint16 offset = 0; ++ int offset = 0; + 
proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +2.25.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index 693a167938..0255591934 100644 --- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb @@ -16,6 +16,14 @@ SRC_URI += " \ file://0003-bison-Remove-line-directives.patch \ file://0004-lemon-Remove-line-directives.patch \ file://CVE-2022-3190.patch \ + file://CVE-2023-2855.patch \ + file://CVE-2023-2856.patch \ + file://CVE-2023-2858.patch \ + file://CVE-2023-2879.patch \ + file://CVE-2023-2952.patch \ + file://CVE-2023-0666.patch \ + file://CVE-2023-0667.patch \ + file://CVE-2023-0668.patch \ " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" diff --git a/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass b/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass index 69e24cbb79..68c5dbaa14 100644 --- a/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass +++ b/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass @@ -8,9 +8,11 @@ inherit image_types SPARSE_BLOCK_SIZE ??= "4096" CONVERSIONTYPES += "sparse" -CONVERSION_CMD:sparse() { - INPUT="${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}" - truncate --no-create --size=%${SPARSE_BLOCK_SIZE} "$INPUT" - img2simg -s "$INPUT" "$INPUT.sparse" ${SPARSE_BLOCK_SIZE} -} + +CONVERSION_CMD:sparse = " \ + INPUT="${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"; \ + truncate --no-create --size=%${SPARSE_BLOCK_SIZE} "$INPUT"; \ + img2simg -s "$INPUT" "$INPUT.sparse" ${SPARSE_BLOCK_SIZE}; \ + " + CONVERSION_DEPENDS_sparse = "android-tools-native" diff --git a/meta-openembedded/meta-oe/conf/layer.conf b/meta-openembedded/meta-oe/conf/layer.conf index b17add6f74..923b722b3c 100644 --- a/meta-openembedded/meta-oe/conf/layer.conf 
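Review bot: the CVE-2023-2952.patch header is inconsistent: the `From` line names commit ce87eac0325581b600b3093fcd75080df14ccfda while `Upstream-Status: Backport [...]` points at e18d0e369729b0fff5f76f41cbae67e97c2e52e5; one is presumably the original and the other the release-branch cherry-pick, so the two should either agree or the header should carry a "(cherry picked from commit ...)" line as the other wireshark patches in this series do. On the code itself, widening `docsis_start` and `docsis_length` from `guint16` to `unsigned` in dissect_message_channel_mb() is what stops the `docsis_start += 1` loop from wrapping back to zero, and the `guint32 tlv_index` to `unsigned` edits in the four TLV walkers are equivalent on every supported target, so no behaviour change there.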
+++ b/meta-openembedded/meta-oe/conf/layer.conf @@ -111,4 +111,4 @@ SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \ DEFAULT_TEST_SUITES:pn-meta-oe-ptest-image = " ${PTESTTESTSUITE}" -NON_MULTILIB_RECIPES:append = " crash" +NON_MULTILIB_RECIPES:append = " crash pahole" diff --git a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 550fbc30d3..61f3c2df52 100644 --- a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb @@ -94,6 +94,7 @@ EXTRA_OESCONS = "PREFIX=${prefix} \ --use-system-zlib \ --nostrip \ --endian=${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'little', 'big', d)} \ + --use-hardware-crc32=${@bb.utils.contains('TUNE_FEATURES', 'crc', 'on', 'off', d)} \ --wiredtiger='${WIREDTIGER}' \ --separate-debug \ ${PACKAGECONFIG_CONFARGS}" diff --git a/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.13.bb b/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.13.bb deleted file mode 100644 index 62a95b303c..0000000000 --- a/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.13.bb +++ /dev/null 
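Review bot: the new `--use-hardware-crc32=${@bb.utils.contains('TUNE_FEATURES', 'crc', 'on', 'off', d)}` line in mongodb_git.bb only turns hardware CRC32 on for tunes that list an explicit `crc` feature (the armv8 crc tunes in poky); every other architecture now gets `off`, which may be a change from the previous default where the build auto-detected support. A short comment stating the intended scope, or a PACKAGECONFIG so board layers can override it, would make that explicit.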
@@ -1,34 +0,0 @@ -SUMMARY = "Network benchmark tool" -DESCRIPTION = "\ -iperf is a tool for active measurements of the maximum achievable bandwidth \ -on IP networks. It supports tuning of various parameters related to timing, \ -protocols, and buffers. For each test it reports the bandwidth, loss, and \ -other parameters." - -HOMEPAGE = "http://software.es.net/iperf/" -SECTION = "console/network" -BUGTRACKER = "https://github.com/esnet/iperf/issues" -AUTHOR = "ESNET , Lawrence Berkeley National Laboratory " - -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=dc6301c8256ceb8f71c9e3c2ae9096b9" - -SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ - file://0002-Remove-pg-from-profile_CFLAGS.patch \ - file://0001-configure.ac-check-for-CPP-prog.patch \ - " - -SRCREV = "f48e7fa92b8932814f3d92f36986d51be9efe6e0" - -S = "${WORKDIR}/git" - -inherit autotools - -PACKAGECONFIG ?= "openssl" - -PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sctp_h=no,lksctp-tools" -PACKAGECONFIG[openssl] = "--with-openssl=${RECIPE_SYSROOT}${prefix},--without-openssl,openssl" - -CFLAGS += "-D_GNU_SOURCE" - -CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb b/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb new file mode 100644 index 0000000000..d181eb3b02 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb 
@@ -0,0 +1,34 @@ +SUMMARY = "Network benchmark tool" +DESCRIPTION = "\ +iperf is a tool for active measurements of the maximum achievable bandwidth \ +on IP networks. It supports tuning of various parameters related to timing, \ +protocols, and buffers. For each test it reports the bandwidth, loss, and \ +other parameters." + +HOMEPAGE = "http://software.es.net/iperf/" +SECTION = "console/network" +BUGTRACKER = "https://github.com/esnet/iperf/issues" +AUTHOR = "ESNET , Lawrence Berkeley National Laboratory " + +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=dc6301c8256ceb8f71c9e3c2ae9096b9" + +SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ + file://0002-Remove-pg-from-profile_CFLAGS.patch \ + file://0001-configure.ac-check-for-CPP-prog.patch \ + " + +SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d" + +S = "${WORKDIR}/git" + +inherit autotools + +PACKAGECONFIG ?= "openssl" + +PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sctp_h=no,lksctp-tools" +PACKAGECONFIG[openssl] = "--with-openssl=${RECIPE_SYSROOT}${prefix},--without-openssl,openssl" + +CFLAGS += "-D_GNU_SOURCE" + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb b/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb index f821cdaf4a..aba5ab5878 100644 --- a/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb +++ b/meta-openembedded/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb 
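Review bot: the iperf3_3.13.bb to iperf3_3.14.bb rename changes only `SRCREV` (f48e7fa9... to a0be8593...), and nothing in the visible change records why; since 3.14 is the upstream release that addresses CVE-2023-38403, the subtree commit message should say so, so that CVE tooling and layer consumers can see this is a security upgrade rather than a routine bump. Keeping `branch=master` with a pinned `SRCREV` is fine, but a tag-based `SRCREV` check would let `devtool upgrade` track future releases.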
@@ -151,12 +151,13 @@ RRECOMMENDS:${PN}-fancontrol = "lmsensors-config-fancontrol" # sensors-detect script files FILES:${PN}-sensorsdetect = "${sbindir}/sensors-detect" FILES:${PN}-sensorsdetect-doc = "${mandir}/man8/sensors-detect.8" -RDEPENDS:${PN}-sensorsdetect = "${PN}-sensors perl perl-modules" +RDEPENDS:${PN}-sensorsdetect = "${PN}-sensors perl perl-module-fcntl perl-module-file-basename \ + perl-module-strict perl-module-constant" # sensors-conf-convert script files FILES:${PN}-sensorsconfconvert = "${bindir}/sensors-conf-convert" FILES:${PN}-sensorsconfconvert-doc = "${mandir}/man8/sensors-conf-convert.8" -RDEPENDS:${PN}-sensorsconfconvert = "${PN}-sensors perl perl-modules" +RDEPENDS:${PN}-sensorsconfconvert = "${PN}-sensors perl perl-module-strict perl-module-vars" # pwmconfig script files FILES:${PN}-pwmconfig = "${sbindir}/pwmconfig" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch new file mode 100644 index 0000000000..160c090bce --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch 
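Review bot: narrowing `RDEPENDS:${PN}-sensorsdetect` and `RDEPENDS:${PN}-sensorsconfconvert` from `perl-modules` to the specific `perl-module-*` packages reduces image size, but a missing module only shows up when the script is run; verify the lists against the `use` statements in sensors-detect and sensors-conf-convert (for example with `perl -c` on the target or by grepping the scripts for `^use `), and note that sensors-detect is the larger script, so it is the one most likely to pull in a module not listed here.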
@@ -0,0 +1,68 @@ +From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 21 Aug 2023 03:08:15 +0000 +Subject: [PATCH] Ensure array count consistency in kadm5 RPC + +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the +key_data array count when decoding. Otherwise when the structure is +later freed, xdr_array() could iterate over the wrong number of +elements, either leaking some memory or freeing uninitialized +pointers. Reported by Robert Morris. + +CVE: CVE-2023-36054 + +An authenticated attacker can cause a kadmind process to crash by +freeing uninitialized pointers. Remote code execution is unlikely. +An attacker with control of a kadmin server can cause a kadmin client +to crash by freeing uninitialized pointers. + +ticket: 9099 (new) +tags: pullup +target_version: 1.21-next +target_version: 1.20-next + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd] + +Signed-off-by: Soumya Sambu +--- + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2892d41..94b1ce8 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + int v) + { + unsigned int n; ++ bool_t r; + + if (!xdr_krb5_principal(xdrs, &objp->principal)) { + return (FALSE); +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { + return (FALSE); + } ++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { ++ return (FALSE); ++ } + if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { + return (FALSE); + } +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + return FALSE; + } + n = objp->n_key_data; +- if (!xdr_array(xdrs, 
(caddr_t *) &objp->key_data, +- &n, ~0, sizeof(krb5_key_data), +- xdr_krb5_key_data_nocontents)) { ++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb index 10fff11c25..e353b58aa1 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb @@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://CVE-2023-36054.patch;striplevel=2 \ " SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686" SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch new file mode 100644 index 0000000000..dfd1f98759 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch 
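Review bot: in the kadm_rpc_xdr.c hunks the `objp->n_key_data < 0` check is not cosmetic: `n = objp->n_key_data` and the new `xdr_array(..., &n, objp->n_key_data, ...)` both convert a `krb5_int16` to `u_int`, so a negative count would otherwise become a huge `maxsize` and defeat the bound the patch is adding. Passing `n_key_data` as `maxsize` makes `xdr_array` reject a wire count larger than the declared one, and writing `objp->n_key_data = n` back before the `if (!r)` test keeps the stored count equal to what was actually allocated when decoding fails part-way, which is what lets the later `xdr_free` path iterate safely; the same assignment runs on the encode side, where `n` is unchanged, so it is harmless there. On the recipe side, `striplevel=2` is required because the backport's paths start with `src/` while the recipe builds from the `src` subtree; keep that coupling in mind if the patch is ever regenerated with a different path prefix.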
@@ -0,0 +1,131 @@ +CVE: CVE-2023-35789 +Upstream-Status: Backport [ https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0 ] +Signed-off-by: Lee Chee Yang + +From 463054383fbeef889b409a7f843df5365288e2a0 Mon Sep 17 00:00:00 2001 +From: Christian Kastner +Date: Tue, 13 Jun 2023 14:21:52 +0200 +Subject: [PATCH] Add option to read username/password from file (#781) + +* Add option to read username/password from file +--- + tools/common.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 66 insertions(+) + +diff --git a/tools/common.c b/tools/common.c +index 73b47e25..7efe557b 100644 +--- a/tools/common.c ++++ b/tools/common.c +@@ -18,6 +18,11 @@ + #include "compat.h" + #endif + ++/* For when reading auth data from a file */ ++#define MAXAUTHTOKENLEN 128 ++#define USERNAMEPREFIX "username:" ++#define PASSWORDPREFIX "password:" ++ + void die(const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); +@@ -125,6 +130,7 @@ static char *amqp_vhost; + static char *amqp_username; + static char *amqp_password; + static int amqp_heartbeat = 0; ++static char *amqp_authfile; + #ifdef WITH_SSL + static int amqp_ssl = 0; + static char *amqp_cacert = "/etc/ssl/certs/cacert.pem"; +@@ -147,6 +153,8 @@ struct poptOption connect_options[] = { + "the password to login with", "password"}, + {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0, + "heartbeat interval, set to 0 to disable", "heartbeat"}, ++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0, ++ "path to file containing username/password for authentication", "file"}, + #ifdef WITH_SSL + {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL}, + {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0, +@@ -158,6 +166,50 @@ struct poptOption connect_options[] = { + #endif /* WITH_SSL */ + {NULL, '\0', 0, NULL, 0, NULL, NULL}}; + ++void read_authfile(const char *path) { ++ size_t n; ++ FILE *fp = NULL; ++ char token[MAXAUTHTOKENLEN]; ++ ++ if ((amqp_username = 
malloc(MAXAUTHTOKENLEN)) == NULL || ++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) { ++ die("Out of memory"); ++ } else if ((fp = fopen(path, "r")) == NULL) { ++ die("Could not read auth data file %s", path); ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) { ++ die("Malformed auth file (missing username)"); ++ } ++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_username); ++ if (amqp_username[n - 1] != '\n') { ++ die("Username too long"); ++ } else { ++ amqp_username[n - 1] = '\0'; ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) { ++ die("Malformed auth file (missing password)"); ++ } ++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_password); ++ if (amqp_password[n - 1] != '\n') { ++ die("Password too long"); ++ } else { ++ amqp_password[n - 1] = '\0'; ++ } ++ ++ (void)fgetc(fp); ++ if (!feof(fp)) { ++ die("Malformed auth file (trailing data)"); ++ } ++} ++ + static void init_connection_info(struct amqp_connection_info *ci) { + ci->user = NULL; + ci->password = NULL; +@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) { + if (amqp_username) { + if (amqp_url) { + die("--username and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--username and --authfile options cannot be used at the same time"); + } + + ci->user = amqp_username; +@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) { + if (amqp_password) { + if (amqp_url) { + die("--password and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--password and --authfile options cannot be used at the same time"); + } + + ci->password = 
amqp_password; + } + ++ if (amqp_authfile) { ++ if (amqp_url) { ++ die("--authfile and --url options cannot be used at the same time"); ++ } ++ ++ read_authfile(amqp_authfile); ++ ci->user = amqp_username; ++ ci->password = amqp_password; ++ } ++ + if (amqp_vhost) { + if (amqp_url) { + die("--vhost and --url options cannot be used at the same time"); diff --git a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb index f9c2b2c8a9..ea80ec3344 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb @@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c" LIC_FILES_CHKSUM = "file://LICENSE;md5=7e12f6e40e662e039e2f02b4893011ec" LICENSE = "MIT" -SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https" +SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https \ + file://CVE-2023-35789.patch \ +" # v0.13.0-master SRCREV = "974d71adceae6d742ae20a4c880d99c131f1460a" diff --git a/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb b/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb index 6c1112038c..28b1279390 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/glade/glade_3.22.2.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=aabe87591cb8ae0f3c68be6977bb5522 \ file://COPYING.LGPL;md5=252890d9eee26aab7b432e8b8a616475" DEPENDS = "gtk+3 glib-2.0 libxml2 intltool-native \ gnome-common-native \ + autoconf-archive-native \ " inherit features_check autotools pkgconfig gnomebase gobject-introspection mime-xdg 
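Review bot: `read_authfile` indexes before the start of the buffer when the parsed token is empty: if the last line is exactly `username:` or `password:` with no trailing newline at EOF, `fgets` returns just the prefix, `strncpy` yields an empty string, `n` is 0 and `amqp_username[n - 1]` / `amqp_password[n - 1]` read one byte before the heap allocation. Guard both checks with `if (n == 0 || buf[n - 1] != '\n') die(...)`. Also in this hunk: `fp` is never `fclose`d and the two `malloc(MAXAUTHTOKENLEN)` buffers are never freed (tolerable in a short-lived CLI, but trivial to fix), and nothing checks the mode of the file, so a world-readable auth file is accepted silently; since the point of `--authfile` is to keep the credentials out of the command line, an `fstat`-based refusal of group/other-readable files, or at least a documented expectation, belongs next to the `fopen`. The mutual-exclusion checks in `init_connection_info` (`--authfile` vs `--url`, `--username`, `--password`) are complete, and the `fgetc`/`feof` trailing-data check correctly rejects a third line.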
diff --git a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch new file mode 100644 index 0000000000..4488df172f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch 
@@ -0,0 +1,224 @@ +From b3c105c59dfb7d932b36b0d9ac7ab62875ab23e8 Mon Sep 17 00:00:00 2001 +From: AJ Heller +Date: Wed, 12 Jul 2023 18:42:09 -0700 +Subject: [PATCH] [backport][iomgr][EventEngine] Improve server handling of + file descriptor exhaustion (#33672) + +Backport of #33656 + +CVE: CVE-2023-33953 + +Upstream-Status: Backport [1e86ca5834b94cae7d5e6d219056c0fc895cf95d] +The patch is backported with tweaks to fit 1.50.1. + +Signed-off-by: Chen Qi +--- + .../event_engine/posix_engine/posix_engine.h | 1 + + src/core/lib/iomgr/tcp_server_posix.cc | 51 ++++++++++++++----- + src/core/lib/iomgr/tcp_server_utils_posix.h | 14 ++++- + .../iomgr/tcp_server_utils_posix_common.cc | 22 ++++++++ + 4 files changed, 73 insertions(+), 15 deletions(-) + +diff --git a/src/core/lib/event_engine/posix_engine/posix_engine.h b/src/core/lib/event_engine/posix_engine/posix_engine.h +index eac6dfb4c5..866c04bcfa 100644 +--- a/src/core/lib/event_engine/posix_engine/posix_engine.h ++++ b/src/core/lib/event_engine/posix_engine/posix_engine.h +@@ -97,6 +97,7 @@ class PosixEventEngine final : public EventEngine { + const DNSResolver::ResolverOptions& options) override; + void Run(Closure* closure) override; + void Run(absl::AnyInvocable closure) override; ++ // Caution!! The timer implementation cannot create any fds. See #20418. 
+ TaskHandle RunAfter(Duration when, Closure* closure) override; + TaskHandle RunAfter(Duration when, + absl::AnyInvocable closure) override; +diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc +index d43113fb03..32be997cff 100644 +--- a/src/core/lib/iomgr/tcp_server_posix.cc ++++ b/src/core/lib/iomgr/tcp_server_posix.cc +@@ -16,13 +16,17 @@ + * + */ + +-/* FIXME: "posix" files shouldn't be depending on _GNU_SOURCE */ ++#include ++ ++#include ++ ++#include ++ ++// FIXME: "posix" files shouldn't be depending on _GNU_SOURCE + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif + +-#include +- + #include "src/core/lib/iomgr/port.h" + + #ifdef GRPC_POSIX_SOCKET_TCP_SERVER +@@ -44,6 +48,7 @@ + #include "absl/strings/str_format.h" + + #include ++#include + #include + #include + #include +@@ -63,6 +68,8 @@ + #include "src/core/lib/resource_quota/api.h" + + static std::atomic num_dropped_connections{0}; ++static constexpr grpc_core::Duration kRetryAcceptWaitTime{ ++ grpc_core::Duration::Seconds(1)}; + + using ::grpc_event_engine::experimental::EndpointConfig; + +@@ -195,21 +202,35 @@ static void on_read(void* arg, grpc_error_handle err) { + if (fd < 0) { + if (errno == EINTR) { + continue; +- } else if (errno == EAGAIN || errno == ECONNABORTED || +- errno == EWOULDBLOCK) { ++ } ++ // When the process runs out of fds, accept4() returns EMFILE. When this ++ // happens, the connection is left in the accept queue until either a ++ // read event triggers the on_read callback, or time has passed and the ++ // accept should be re-tried regardless. This callback is not cancelled, ++ // so a spurious wakeup may occur even when there's nothing to accept. ++ // This is not a performant code path, but if an fd limit has been ++ // reached, the system is likely in an unhappy state regardless. 
++ if (errno == EMFILE) { + grpc_fd_notify_on_read(sp->emfd, &sp->read_closure); ++ if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return; ++ grpc_timer_init(&sp->retry_timer, ++ grpc_core::Timestamp::Now() + kRetryAcceptWaitTime, ++ &sp->retry_closure); + return; ++ } ++ if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) { ++ grpc_fd_notify_on_read(sp->emfd, &sp->read_closure); ++ return; ++ } ++ gpr_mu_lock(&sp->server->mu); ++ if (!sp->server->shutdown_listeners) { ++ gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno)); + } else { +- gpr_mu_lock(&sp->server->mu); +- if (!sp->server->shutdown_listeners) { +- gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno)); +- } else { +- /* if we have shutdown listeners, accept4 could fail, and we +- needn't notify users */ +- } +- gpr_mu_unlock(&sp->server->mu); +- goto error; ++ // if we have shutdown listeners, accept4 could fail, and we ++ // needn't notify users + } ++ gpr_mu_unlock(&sp->server->mu); ++ goto error; + } + + if (sp->server->memory_quota->IsMemoryPressureHigh()) { +@@ -403,6 +424,7 @@ static grpc_error_handle clone_port(grpc_tcp_listener* listener, + sp->port_index = listener->port_index; + sp->fd_index = listener->fd_index + count - i; + GPR_ASSERT(sp->emfd); ++ grpc_tcp_server_listener_initialize_retry_timer(sp); + while (listener->server->tail->next != nullptr) { + listener->server->tail = listener->server->tail->next; + } +@@ -575,6 +597,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) { + if (s->active_ports) { + grpc_tcp_listener* sp; + for (sp = s->head; sp; sp = sp->next) { ++ grpc_timer_cancel(&sp->retry_timer); + grpc_fd_shutdown(sp->emfd, + GRPC_ERROR_CREATE_FROM_STATIC_STRING("Server shutdown")); + } +diff --git a/src/core/lib/iomgr/tcp_server_utils_posix.h b/src/core/lib/iomgr/tcp_server_utils_posix.h +index 94faa2c17e..2e78ce555f 100644 +--- a/src/core/lib/iomgr/tcp_server_utils_posix.h ++++ b/src/core/lib/iomgr/tcp_server_utils_posix.h 
+@@ -25,6 +25,7 @@ + #include "src/core/lib/iomgr/resolve_address.h" + #include "src/core/lib/iomgr/socket_utils_posix.h" + #include "src/core/lib/iomgr/tcp_server.h" ++#include "src/core/lib/iomgr/timer.h" + #include "src/core/lib/resource_quota/memory_quota.h" + + /* one listening port */ +@@ -47,6 +48,11 @@ typedef struct grpc_tcp_listener { + identified while iterating through 'next'. */ + struct grpc_tcp_listener* sibling; + int is_sibling; ++ // If an accept4() call fails, a timer is started to drain the accept queue in ++ // case no further connection attempts reach the gRPC server. ++ grpc_closure retry_closure; ++ grpc_timer retry_timer; ++ gpr_atm retry_timer_armed; + } grpc_tcp_listener; + + /* the overall server */ +@@ -126,4 +132,10 @@ grpc_error_handle grpc_tcp_server_prepare_socket( + /* Ruturn true if the platform supports ifaddrs */ + bool grpc_tcp_server_have_ifaddrs(void); + +-#endif /* GRPC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H */ ++// Initialize (but don't start) the timer and callback to retry accept4() on a ++// listening socket after file descriptors have been exhausted. This must be ++// called when creating a new listener. ++void grpc_tcp_server_listener_initialize_retry_timer( ++ grpc_tcp_listener* listener); ++ ++#endif // GRPC_SRC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H +diff --git a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +index 73a6b943ec..0e671c6485 100644 +--- a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc ++++ b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +@@ -18,6 +18,8 @@ + + #include + ++#include ++ + #include "src/core/lib/iomgr/port.h" + + #ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON +@@ -80,6 +82,24 @@ static int get_max_accept_queue_size(void) { + return s_max_accept_queue_size; + } + ++static void listener_retry_timer_cb(void* arg, grpc_error_handle err) { ++ // Do nothing if cancelled. 
++ if (!err.ok()) return; ++ grpc_tcp_listener* listener = static_cast(arg); ++ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false); ++ if (!grpc_fd_is_shutdown(listener->emfd)) { ++ grpc_fd_set_readable(listener->emfd); ++ } ++} ++ ++void grpc_tcp_server_listener_initialize_retry_timer( ++ grpc_tcp_listener* listener) { ++ gpr_atm_no_barrier_store(&listener->retry_timer_armed, false); ++ grpc_timer_init_unset(&listener->retry_timer); ++ GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener, ++ grpc_schedule_on_exec_ctx); ++} ++ + static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd, + const grpc_resolved_address* addr, + unsigned port_index, +@@ -112,6 +132,8 @@ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd, + sp->server = s; + sp->fd = fd; + sp->emfd = grpc_fd_create(fd, name.c_str(), true); ++ grpc_tcp_server_listener_initialize_retry_timer(sp); ++ + memcpy(&sp->addr, addr, sizeof(grpc_resolved_address)); + sp->port = port; + sp->port_index = port_index; +-- +2.34.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch new file mode 100644 index 0000000000..ab46897b12 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch 
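Review bot: in the tcp_server_utils_posix.h hunk the closing line is changed to `#endif // GRPC_SRC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H`, but this backport does not touch the `#ifndef`/`#define` at the top of the file, so the comment no longer names the guard macro that is actually in use in 1.50.1; keep the old `GRPC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H` spelling in the backport. The EMFILE path itself reads correctly: `gpr_atm_full_xchg(&sp->retry_timer_armed, true)` makes arming idempotent across spurious wakeups, `listener_retry_timer_cb` clears the flag and only re-signals readability when `err.ok()` (so a cancelled timer is a no-op), and `tcp_server_shutdown_listeners` cancels the timer before shutting down the fd. One thing to confirm against the 1.50.1 tree is that `add_socket_to_server` and `clone_port` are the only places a `grpc_tcp_listener` is created, because a listener constructed anywhere else without `grpc_tcp_server_listener_initialize_retry_timer` would reach `grpc_timer_cancel(&sp->retry_timer)` at shutdown with an uninitialised timer.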
@@ -0,0 +1,81 @@ +From d39489045b5aa73e27713e3cbacb8832c1140ec8 Mon Sep 17 00:00:00 2001 +From: Chen Qi +Date: Wed, 9 Aug 2023 13:33:45 +0800 +Subject: [PATCH] fix CVE-2023-32732 + +CVE: CVE-2023-32732 + +Upstream-Status: Backport [https://github.com/grpc/grpc/pull/32309/commits/6a7850ef4f042ac26559854266dddc79bfbc75b2] +The original patch is adjusted to fit the current 1.50.1 version. + +Signed-off-by: Chen Qi +--- + .../ext/transport/chttp2/transport/hpack_parser.cc | 10 +++++++--- + src/core/ext/transport/chttp2/transport/internal.h | 2 -- + src/core/ext/transport/chttp2/transport/parsing.cc | 6 ++---- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc +index f2e49022dc3..cd459d15238 100644 +--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc ++++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc +@@ -1211,12 +1211,16 @@ class HPackParser::Parser { + "). 
GRPC_ARG_MAX_METADATA_SIZE can be set to increase this limit.", + *frame_length_, metadata_size_limit_); + if (metadata_buffer_ != nullptr) metadata_buffer_->Clear(); ++ // StreamId is used as a signal to skip this stream but keep the connection ++ // alive + return input_->MaybeSetErrorAndReturn( + [] { + return grpc_error_set_int( +- GRPC_ERROR_CREATE_FROM_STATIC_STRING( +- "received initial metadata size exceeds limit"), +- GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED); ++ grpc_error_set_int( ++ GRPC_ERROR_CREATE_FROM_STATIC_STRING( ++ "received initial metadata size exceeds limit"), ++ GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED), ++ GRPC_ERROR_INT_STREAM_ID, 0); + }, + false); + } +diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h +index 4a2f4261d83..f8b544d9583 100644 +--- a/src/core/ext/transport/chttp2/transport/internal.h ++++ b/src/core/ext/transport/chttp2/transport/internal.h +@@ -542,8 +542,6 @@ struct grpc_chttp2_stream { + + grpc_core::Timestamp deadline = grpc_core::Timestamp::InfFuture(); + +- /** saw some stream level error */ +- grpc_error_handle forced_close_error = GRPC_ERROR_NONE; + /** how many header frames have we received? 
*/ + uint8_t header_frames_received = 0; + /** number of bytes received - reset at end of parse thread execution */ +diff --git a/src/core/ext/transport/chttp2/transport/parsing.cc b/src/core/ext/transport/chttp2/transport/parsing.cc +index 980f13543f6..afe6da190b6 100644 +--- a/src/core/ext/transport/chttp2/transport/parsing.cc ++++ b/src/core/ext/transport/chttp2/transport/parsing.cc +@@ -22,6 +22,7 @@ + #include + + #include ++#include + + #include "absl/base/attributes.h" + #include "absl/status/status.h" +@@ -719,10 +720,7 @@ static grpc_error_handle parse_frame_slice(grpc_chttp2_transport* t, + } + grpc_chttp2_parsing_become_skip_parser(t); + if (s) { +- s->forced_close_error = err; +- grpc_chttp2_add_rst_stream_to_next_write(t, t->incoming_stream_id, +- GRPC_HTTP2_PROTOCOL_ERROR, +- &s->stats.outgoing); ++ grpc_chttp2_cancel_stream(t, s, std::exchange(err, absl::OkStatus())); + } else { + GRPC_ERROR_UNREF(err); + } +-- +2.34.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb index 7b8a25c277..3cfd0210db 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb @@ -26,6 +26,8 @@ SRC_URI = "gitsm://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BR file://0001-Revert-Changed-GRPCPP_ABSEIL_SYNC-to-GPR_ABSEIL_SYNC.patch \ file://0001-cmake-add-separate-export-for-plugin-targets.patch \ file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \ + file://0001-fix-CVE-2023-32732.patch \ + file://0001-backport-iomgr-EventEngine-Improve-server-handling-o.patch \ " # Fixes build with older compilers 4.8 especially on ubuntu 14.04 CXXFLAGS:append:class-native = " -Wl,--no-as-needed" 
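Review bot: the internal.h hunk deletes `forced_close_error` from `grpc_chttp2_stream`, but the only user updated in this backport is `parse_frame_slice` in parsing.cc; grep the 1.50.1 transport for any remaining reads or writes of that field before merging, otherwise the build fails or a stream-level error that used to be surfaced through it is silently dropped. In the hpack_parser.cc hunk, wrapping the RESOURCE_EXHAUSTED error with `GRPC_ERROR_INT_STREAM_ID` is what makes the oversized-metadata failure stream-scoped instead of tearing down the whole connection, which is the actual CVE-2023-32732 fix; the comment added above it should say that explicitly rather than just "StreamId is used as a signal". In parsing.cc, `std::exchange(err, absl::OkStatus())` hands ownership of `err` to `grpc_chttp2_cancel_stream`, so the `GRPC_ERROR_UNREF(err)` in the `else` branch is now only reached for the no-stream case, and the `#include` added above it (its name is lost here) is presumably what provides `std::exchange`; make sure it is `<utility>`.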
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.14/oe-npm-cache b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.14/oe-npm-cache deleted file mode 100755 index f596207648..0000000000 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.14/oe-npm-cache +++ /dev/null @@ -1,77 +0,0 @@ -#!/usr/bin/env node - -/// Usage: oe-npm-cache -/// ... meta - metainformation about package -/// tgz - tarball - -const process = require("node:process"); - -module.paths.unshift("@@libdir@@/node_modules/npm/node_modules"); - -const cacache = require('cacache') -const fs = require('fs') - -// argv[0] is 'node', argv[1] is this script -const cache_dir = process.argv[2] -const type = process.argv[3] -const key = process.argv[4] -const file = process.argv[5] - -const data = fs.readFileSync(file) - -// metadata content is highly nodejs dependent; when cache entries are not -// found, place debug statements in 'make-fetch-happen/lib/cache/policy.js' -// (CachePolicy::satisfies()) -const xlate = { - 'meta': { - 'key_prefix': 'make-fetch-happen:request-cache:', - 'metadata': function() { - return { - time: Date.now(), - url: key, - reqHeaders: { - 'accept': 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*', - }, - resHeaders: { - "content-type": "application/json", - "status": 200, - }, - options: { - compress: true, - } - }; - }, - }, - - 'tgz': { - 'key_prefix': 'make-fetch-happen:request-cache:', - 'metadata': function() { - return { - time: Date.now(), - url: key, - reqHeaders: { - 'accept': '*/*', - }, - resHeaders: { - "content-type": "application/octet-stream", - "status": 200, - }, - options: { - compress: true, - }, - }; - }, - }, -}; - -const info = xlate[type]; -let opts = {} - -if (info.metadata) { - opts['metadata'] = info.metadata(); -} - -cacache.put(cache_dir, info.key_prefix + key, data, opts) - .then(integrity => { - console.log(`Saved content of ${key} (${file}).`); -}) 
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.17/oe-npm-cache b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.17/oe-npm-cache new file mode 100755 index 0000000000..f596207648 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-18.17/oe-npm-cache @@ -0,0 +1,77 @@ +#!/usr/bin/env node + +/// Usage: oe-npm-cache +/// ... meta - metainformation about package +/// tgz - tarball + +const process = require("node:process"); + +module.paths.unshift("@@libdir@@/node_modules/npm/node_modules"); + +const cacache = require('cacache') +const fs = require('fs') + +// argv[0] is 'node', argv[1] is this script +const cache_dir = process.argv[2] +const type = process.argv[3] +const key = process.argv[4] +const file = process.argv[5] + +const data = fs.readFileSync(file) + +// metadata content is highly nodejs dependent; when cache entries are not +// found, place debug statements in 'make-fetch-happen/lib/cache/policy.js' +// (CachePolicy::satisfies()) +const xlate = { + 'meta': { + 'key_prefix': 'make-fetch-happen:request-cache:', + 'metadata': function() { + return { + time: Date.now(), + url: key, + reqHeaders: { + 'accept': 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*', + }, + resHeaders: { + "content-type": "application/json", + "status": 200, + }, + options: { + compress: true, + } + }; + }, + }, + + 'tgz': { + 'key_prefix': 'make-fetch-happen:request-cache:', + 'metadata': function() { + return { + time: Date.now(), + url: key, + reqHeaders: { + 'accept': '*/*', + }, + resHeaders: { + "content-type": "application/octet-stream", + "status": 200, + }, + options: { + compress: true, + }, + }; + }, + }, +}; + +const info = xlate[type]; +let opts = {} + +if (info.metadata) { + opts['metadata'] = info.metadata(); +} + +cacache.put(cache_dir, info.key_prefix + key, data, opts) + .then(integrity => { + console.log(`Saved content of ${key} (${file}).`); +}) 
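Review bot: the 18.17 `oe-npm-cache` is byte-for-byte the deleted 18.14 copy (both sides of the rename carry blob `f596207648`), so this is a directory rename to follow the nodejs version bump, not a change to the helper; a version-independent directory name, or having the native recipe pick the script up from `files/`, would avoid repeating this delete-and-readd churn at every nodejs update and would let `git` show it as a rename. While it is being moved: `cacache.put(...).then(...)` has no rejection handler, so a failed cache insertion only fails the build through Node's default unhandled-rejection exit; an explicit `.catch(e => { console.error(e); process.exit(1); })` makes that deterministic and logs the reason.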
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.14.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.14.bb deleted file mode 100644 index a61dd5018f..0000000000 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.14.bb +++ /dev/null @@ -1,21 +0,0 @@ -DESCRIPTION = "OE helper for manipulating npm cache" -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10" - -SRC_URI = "\ - file://oe-npm-cache \ -" - -inherit native - -B = "${WORKDIR}/build" - -do_configure() { - sed -e 's!@@libdir@@!${libdir}!g' < '${WORKDIR}/oe-npm-cache' > '${B}/oe-npm-cache' -} - -do_install() { - install -D -p -m 0755 ${B}/oe-npm-cache ${D}${bindir}/oe-npm-cache -} - -RDEPENDS:${PN} = "nodejs-native" diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.17.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.17.bb new file mode 100644 index 0000000000..a61dd5018f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_18.17.bb @@ -0,0 +1,21 @@ +DESCRIPTION = "OE helper for manipulating npm cache" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10" + +SRC_URI = "\ + file://oe-npm-cache \ +" + +inherit native + +B = "${WORKDIR}/build" + +do_configure() { + sed -e 's!@@libdir@@!${libdir}!g' < '${WORKDIR}/oe-npm-cache' > '${B}/oe-npm-cache' +} + +do_install() { + install -D -p -m 0755 ${B}/oe-npm-cache ${D}${bindir}/oe-npm-cache +} + +RDEPENDS:${PN} = "nodejs-native" diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch index 356c98d176..059b5cc070 100644 
--- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch @@ -29,10 +29,13 @@ python prune_sources() { } do_unpack[postfuncs] += "prune_sources" +Signed-off-by: Archana Polampalli --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/Makefile b/Makefile +index 0be0659d..3c442014 100644 --- a/Makefile +++ b/Makefile @@ -169,7 +169,7 @@ with-code-cache test-code-cache: @@ -41,6 +44,8 @@ do_unpack[postfuncs] += "prune_sources" out/Makefile: config.gypi common.gypi node.gyp \ - deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ + deps/llhttp/llhttp.gyp \ - deps/simdutf/simdutf.gyp \ + deps/simdutf/simdutf.gyp deps/ada/ada.gyp \ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.14.2.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.14.2.bb deleted file mode 100644 index 19df7d542a..0000000000 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.14.2.bb +++ /dev/null 
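Review bot: the refresh changes exactly one context line of the embedded Makefile hunk (`deps/simdutf/simdutf.gyp deps/ada/ada.gyp \`) so it applies on the 18.17 source, and adds the `diff --git`/`index 0be0659d..3c442014` header plus the `2.40.0` trailer so `git apply` can verify the pre-image; confirm that the inner `@@ -169,7 +169,7 @@` offset still matches the 18.17 Makefile, otherwise `do_patch` will apply with offset/fuzz noise. Worth noting in the patch header, though not new here: the hunk drops `deps/uv/uv.gyp` and `deps/zlib/zlib.gyp` from the `out/Makefile` prerequisites unconditionally, while `prune_sources()` removes `deps/uv` and `deps/zlib` only when the `libuv`/`zlib` PACKAGECONFIG options are enabled, so with the bundled copies left in the tree a change to those gyp files no longer re-triggers configure.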
@@ -1,185 +0,0 @@ -DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" -HOMEPAGE = "http://nodejs.org" -LICENSE = "MIT & ISC & BSD-2-Clause & BSD-3-Clause & Artistic-2.0 & Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=2dff1ccca11e333f1388e34f7e2d1de3" - -CVE_PRODUCT = "nodejs node.js" - -DEPENDS = "openssl file-replacement-native" -DEPENDS:append:class-target = " qemu-native" -DEPENDS:append:class-native = " c-ares-native" - -inherit pkgconfig python3native qemu ptest - -COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*" -COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*" -COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" - -COMPATIBLE_HOST:riscv64 = "null" -COMPATIBLE_HOST:riscv32 = "null" -COMPATIBLE_HOST:powerpc = "null" - -SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ - file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ - file://0004-v8-don-t-override-ARM-CFLAGS.patch \ - file://big-endian.patch \ - file://mips-less-memory.patch \ - file://system-c-ares.patch \ - file://0001-liftoff-Correct-function-signatures.patch \ - file://0001-mips-Use-32bit-cast-for-operand-on-mips32.patch \ - file://run-ptest \ - " - -SRC_URI:append:class-target = " \ - file://0001-Using-native-binaries.patch \ - " -SRC_URI:append:toolchain-clang:x86 = " \ - file://libatomic.patch \ - " -SRC_URI:append:toolchain-clang:powerpc64le = " \ - file://0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch \ - " -SRC_URI[sha256sum] = "fbc364dd25fee2cacc0f2033db2d86115fc07575310ea0e64408b8170d09c685" - -S = "${WORKDIR}/node-v${PV}" - -# v8 errors out if you have set CCACHE -CCACHE = "" - -def map_nodejs_arch(a, d): - import re - - if re.match('i.86$', a): return 'ia32' - elif re.match('x86_64$', a): return 'x64' - elif re.match('aarch64$', a): return 'arm64' - elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64' - elif re.match('powerpc$', a): return 'ppc' - return a - -ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', 
'--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ - ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ - bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ - bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ - '--with-arm-fpu=vfp', d), d), d)}" -ARCHFLAGS:append:mips = " --v8-lite-mode" -ARCHFLAGS:append:mipsel = " --v8-lite-mode" -ARCHFLAGS ?= "" - -PACKAGECONFIG ??= "ares brotli icu zlib" - -PACKAGECONFIG[ares] = "--shared-cares,,c-ares" -PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" -PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" -PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" -PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" -PACKAGECONFIG[shared] = "--shared" -PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" - -# We don't want to cross-compile during target compile, -# and we need to use the right flags during host compile, -# too. -EXTRA_OEMAKE = "\ - CC.host='${CC}' \ - CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ - CXX.host='${CXX}' \ - CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ - LDFLAGS.host='${LDFLAGS}' \ - AR.host='${AR}' \ - \ - builddir_name=./ \ -" - -EXTRANATIVEPATH += "file-native" - -python prune_sources() { - import shutil - - shutil.rmtree(d.getVar('S') + '/deps/openssl') - if 'ares' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/cares') - if 'brotli' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/brotli') - if 'libuv' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/uv') - if 'nghttp2' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/nghttp2') - if 'zlib' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/zlib') -} -do_unpack[postfuncs] += "prune_sources" - -# V8's JIT infrastructure requires binaries such as mksnapshot and -# mkpeephole to be run in the host during the build. However, these -# binaries must have the same bit-width as the target (e.g. 
a x86_64 -# host targeting ARMv6 needs to produce a 32-bit binary). Instead of -# depending on a third Yocto toolchain, we just build those binaries -# for the target and run them on the host with QEMU. -python do_create_v8_qemu_wrapper () { - """Creates a small wrapper that invokes QEMU to run some target V8 binaries - on the host.""" - qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'), - d.expand('${STAGING_DIR_HOST}${base_libdir}')] - qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), - qemu_libdirs) - wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh') - with open(wrapper_path, 'w') as wrapper_file: - wrapper_file.write("""#!/bin/sh - -# This file has been generated automatically. -# It invokes QEMU to run binaries built for the target in the host during the -# build process. - -%s "$@" -""" % qemu_cmd) - os.chmod(wrapper_path, 0o755) -} - -do_create_v8_qemu_wrapper[dirs] = "${B}" -addtask create_v8_qemu_wrapper after do_configure before do_compile - -LDFLAGS:append:x86 = " -latomic" - -CROSS_FLAGS = "--cross-compiling" -CROSS_FLAGS:class-native = "--no-cross-compiling" - -# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi -do_configure () { - GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES - # $TARGET_ARCH settings don't match --dest-cpu settings - python3 configure.py --verbose --prefix=${prefix} \ - --shared-openssl \ - --without-dtrace \ - --without-etw \ - --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ - --dest-os=linux \ - --libdir=${baselib} \ - ${CROSS_FLAGS} \ - ${ARCHFLAGS} \ - ${PACKAGECONFIG_CONFARGS} -} - -do_compile () { - install -D ${RECIPE_SYSROOT_NATIVE}/etc/ssl/openssl.cnf ${B}/deps/openssl/nodejs-openssl.cnf - install -D ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh - oe_runmake BUILDTYPE=Release -} - -do_install () { - oe_runmake install DESTDIR=${D} -} - -do_install_ptest () { - cp -r ${B}/out/Release/cctest 
${D}${PTEST_PATH}/ - cp -r ${B}/test ${D}${PTEST_PATH} - chown -R root:root ${D}${PTEST_PATH} -} - -PACKAGES =+ "${PN}-npm" -FILES:${PN}-npm = "${nonarch_libdir}/node_modules ${bindir}/npm ${bindir}/npx ${bindir}/corepack" -RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \ - python3-misc python3-multiprocessing" - -PACKAGES =+ "${PN}-systemtap" -FILES:${PN}-systemtap = "${datadir}/systemtap" - -BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.17.1.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.17.1.bb new file mode 100644 index 0000000000..402cf56717 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_18.17.1.bb 
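Review bot: every deleted line visible in this hunk reappears unchanged in the nodejs_18.17.1.bb added below, so the version bump is presented as a whole-file delete plus add and the reviewer has to diff the two files by eye to confirm nothing but the checksum moved. Generating the series with rename detection (`git format-patch -M`) would collapse the pair into a rename plus the changed `SRC_URI[sha256sum]` line, which is what actually needs review here.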
@@ -0,0 +1,185 @@ +DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" +HOMEPAGE = "http://nodejs.org" +LICENSE = "MIT & ISC & BSD-2-Clause & BSD-3-Clause & Artistic-2.0 & Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=bc1f9ebe76be76f163e3b675303ad9cd" + +CVE_PRODUCT = "nodejs node.js" + +DEPENDS = "openssl file-replacement-native" +DEPENDS:append:class-target = " qemu-native" +DEPENDS:append:class-native = " c-ares-native" + +inherit pkgconfig python3native qemu ptest + +COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*" +COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*" +COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" + +COMPATIBLE_HOST:riscv64 = "null" +COMPATIBLE_HOST:riscv32 = "null" +COMPATIBLE_HOST:powerpc = "null" + +SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ + file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ + file://0004-v8-don-t-override-ARM-CFLAGS.patch \ + file://big-endian.patch \ + file://mips-less-memory.patch \ + file://system-c-ares.patch \ + file://0001-liftoff-Correct-function-signatures.patch \ + file://0001-mips-Use-32bit-cast-for-operand-on-mips32.patch \ + file://run-ptest \ + " + +SRC_URI:append:class-target = " \ + file://0001-Using-native-binaries.patch \ + " +SRC_URI:append:toolchain-clang:x86 = " \ + file://libatomic.patch \ + " +SRC_URI:append:toolchain-clang:powerpc64le = " \ + file://0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch \ + " +SRC_URI[sha256sum] = "f215cf03d0f00f07ac0b674c6819f804c1542e16f152da04980022aeccf5e65a" + +S = "${WORKDIR}/node-v${PV}" + +# v8 errors out if you have set CCACHE +CCACHE = "" + +def map_nodejs_arch(a, d): + import re + + if re.match('i.86$', a): return 'ia32' + elif re.match('x86_64$', a): return 'x64' + elif re.match('aarch64$', a): return 'arm64' + elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64' + elif re.match('powerpc$', a): return 'ppc' + return a + +ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', 
'--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ + ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ + '--with-arm-fpu=vfp', d), d), d)}" +ARCHFLAGS:append:mips = " --v8-lite-mode" +ARCHFLAGS:append:mipsel = " --v8-lite-mode" +ARCHFLAGS ?= "" + +PACKAGECONFIG ??= "ares brotli icu zlib" + +PACKAGECONFIG[ares] = "--shared-cares,,c-ares" +PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" +PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" +PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" +PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" +PACKAGECONFIG[shared] = "--shared" +PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" + +# We don't want to cross-compile during target compile, +# and we need to use the right flags during host compile, +# too. +EXTRA_OEMAKE = "\ + CC.host='${CC}' \ + CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ + CXX.host='${CXX}' \ + CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ + LDFLAGS.host='${LDFLAGS}' \ + AR.host='${AR}' \ + \ + builddir_name=./ \ +" + +EXTRANATIVEPATH += "file-native" + +python prune_sources() { + import shutil + + shutil.rmtree(d.getVar('S') + '/deps/openssl') + if 'ares' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/cares') + if 'brotli' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/brotli') + if 'libuv' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/uv') + if 'nghttp2' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/nghttp2') + if 'zlib' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/zlib') +} +do_unpack[postfuncs] += "prune_sources" + +# V8's JIT infrastructure requires binaries such as mksnapshot and +# mkpeephole to be run in the host during the build. However, these +# binaries must have the same bit-width as the target (e.g. 
a x86_64 +# host targeting ARMv6 needs to produce a 32-bit binary). Instead of +# depending on a third Yocto toolchain, we just build those binaries +# for the target and run them on the host with QEMU. +python do_create_v8_qemu_wrapper () { + """Creates a small wrapper that invokes QEMU to run some target V8 binaries + on the host.""" + qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'), + d.expand('${STAGING_DIR_HOST}${base_libdir}')] + qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), + qemu_libdirs) + wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh') + with open(wrapper_path, 'w') as wrapper_file: + wrapper_file.write("""#!/bin/sh + +# This file has been generated automatically. +# It invokes QEMU to run binaries built for the target in the host during the +# build process. + +%s "$@" +""" % qemu_cmd) + os.chmod(wrapper_path, 0o755) +} + +do_create_v8_qemu_wrapper[dirs] = "${B}" +addtask create_v8_qemu_wrapper after do_configure before do_compile + +LDFLAGS:append:x86 = " -latomic" + +CROSS_FLAGS = "--cross-compiling" +CROSS_FLAGS:class-native = "--no-cross-compiling" + +# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi +do_configure () { + GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES + # $TARGET_ARCH settings don't match --dest-cpu settings + python3 configure.py --verbose --prefix=${prefix} \ + --shared-openssl \ + --without-dtrace \ + --without-etw \ + --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ + --dest-os=linux \ + --libdir=${baselib} \ + ${CROSS_FLAGS} \ + ${ARCHFLAGS} \ + ${PACKAGECONFIG_CONFARGS} +} + +do_compile () { + install -D ${RECIPE_SYSROOT_NATIVE}/etc/ssl/openssl.cnf ${B}/deps/openssl/nodejs-openssl.cnf + install -D ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh + oe_runmake BUILDTYPE=Release +} + +do_install () { + oe_runmake install DESTDIR=${D} +} + +do_install_ptest () { + cp -r ${B}/out/Release/cctest 
${D}${PTEST_PATH}/ + cp -r ${B}/test ${D}${PTEST_PATH} + chown -R root:root ${D}${PTEST_PATH} +} + +PACKAGES =+ "${PN}-npm" +FILES:${PN}-npm = "${nonarch_libdir}/node_modules ${bindir}/npm ${bindir}/npx ${bindir}/corepack" +RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \ + python3-misc python3-multiprocessing" + +PACKAGES =+ "${PN}-systemtap" +FILES:${PN}-systemtap = "${datadir}/systemtap" + +BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.6.bb b/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.6.bb deleted file mode 100644 index 54c40392db..0000000000 --- a/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.6.bb +++ /dev/null 
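Review bot: the default `PACKAGECONFIG ??= "ares brotli icu zlib"` omits `libuv` and `nghttp2`, so `prune_sources` leaves `deps/uv` and `deps/nghttp2` in the tree and the bundled copies are compiled into node, while `CVE_PRODUCT = "nodejs node.js"` means cve-check will never report a libuv or nghttp2 CVE against this recipe. Consider adding `libuv nghttp2` to the default (the `--shared-libuv` and `--shared-nghttp2` options are already wired up) or, failing that, a comment stating that those two libraries are vendored so the omission is deliberate. Two smaller points in the same hunk: `if 'ares' in d.getVar('PACKAGECONFIG'):` and its siblings are substring tests and should be `in d.getVar('PACKAGECONFIG').split()` to avoid matching on partial option names, and `SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz"` fetches over plain HTTP; the pinned sha256sum protects integrity, but the same path is served over https and the plaintext fetch buys nothing.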
@@ -1,294 +0,0 @@ -SUMMARY = "A server-side, HTML-embedded scripting language" -HOMEPAGE = "http://www.php.net" -SECTION = "console/network" - -LICENSE = "PHP-3.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=5ebd5be8e2a89f634486445bd164bef0" - -BBCLASSEXTEND = "native" -DEPENDS = "zlib bzip2 libxml2 virtual/libiconv php-native lemon-native" -DEPENDS:append:libc-musl = " libucontext" -DEPENDS:class-native = "zlib-native libxml2-native" - -PHP_MAJOR_VERSION = "${@d.getVar('PV').split('.')[0]}" - -SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ - file://0002-build-php.m4-don-t-unset-cache-variables.patch \ - file://0003-php-remove-host-specific-info-from-header-file.patch \ - file://0004-configure.ac-don-t-include-build-libtool.m4.patch \ - file://0006-ext-phar-Makefile.frag-Fix-phar-packaging.patch \ - file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \ - file://0010-iconv-fix-detection.patch \ - " - -SRC_URI:append:class-target = " \ - file://0001-ext-opcache-config.m4-enable-opcache.patch \ - file://0005-pear-fix-Makefile.frag-for-Yocto.patch \ - file://0007-sapi-cli-config.m4-fix-build-directory.patch \ - file://0008-ext-imap-config.m4-fix-include-paths.patch \ - file://php-fpm.conf \ - file://php-fpm-apache.conf \ - file://70_mod_php${PHP_MAJOR_VERSION}.conf \ - file://php-fpm.service \ - " - -S = "${WORKDIR}/php-${PV}" -SRC_URI[sha256sum] = "44a70c52f537662c10d91eedbf51fd765c9961be6ba2508ed63bf7a26cdd3100" - -CVE_CHECK_IGNORE += "\ - CVE-2007-2728 \ - CVE-2007-3205 \ - CVE-2007-4596 \ -" - -inherit autotools pkgconfig python3native gettext - -# phpize is not scanned for absolute paths by default (but php-config is). 
-# -SSTATE_SCAN_FILES += "phpize" -SSTATE_SCAN_FILES += "build-defs.h" - -PHP_LIBDIR = "${libdir}/php${PHP_MAJOR_VERSION}" - -# Common EXTRA_OECONF -COMMON_EXTRA_OECONF = "--enable-sockets \ - --enable-pcntl \ - --enable-shared \ - --disable-rpath \ - --with-pic \ - --libdir=${PHP_LIBDIR} \ -" -EXTRA_OECONF = "--enable-mbstring \ - --enable-fpm \ - --with-libdir=${baselib} \ - --with-gettext=${STAGING_LIBDIR}/.. \ - --with-zlib=${STAGING_LIBDIR}/.. \ - --with-iconv=${STAGING_LIBDIR}/.. \ - --with-bz2=${STAGING_DIR_TARGET}${exec_prefix} \ - --with-config-file-path=${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION} \ - ${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'ac_cv_c_bigendian_php=no', 'ac_cv_c_bigendian_php=yes', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'pam', '', 'ac_cv_lib_pam_pam_start=no', d)} \ - ${COMMON_EXTRA_OECONF} \ -" - -EXTRA_OECONF:append:riscv64 = " --with-pcre-jit=no" -EXTRA_OECONF:append:riscv32 = " --with-pcre-jit=no" -# Needs fibers assembly implemented for rv32 -# for example rv64 implementation is below -# see https://github.com/php/php-src/commit/70b02d75f2abe3a292d49c4a4e9e4f850c2fee68 -EXTRA_OECONF:append:riscv32:libc-musl = " --disable-fiber-asm" - -CACHED_CONFIGUREVARS += "ac_cv_func_dlopen=no ac_cv_lib_dl_dlopen=yes" - -EXTRA_OECONF:class-native = " \ - --with-zlib=${STAGING_LIBDIR_NATIVE}/.. \ - --without-iconv \ - ${COMMON_EXTRA_OECONF} \ -" - -PACKAGECONFIG ??= "mysql sqlite3 imap opcache openssl \ - ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 pam', d)} \ -" -PACKAGECONFIG:class-native = "" - -PACKAGECONFIG[zip] = "--with-zip --with-zlib-dir=${STAGING_EXECPREFIXDIR},,libzip" - -PACKAGECONFIG[mysql] = "--with-mysqli=mysqlnd \ - --with-pdo-mysql=mysqlnd \ - ,--without-mysqli --without-pdo-mysql \ - ,mysql5" - -PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_LIBDIR}/.. \ - --with-pdo-sqlite=${STAGING_LIBDIR}/.. 
\ - ,--without-sqlite3 --without-pdo-sqlite \ - ,sqlite3" -PACKAGECONFIG[pgsql] = "--with-pgsql=${STAGING_DIR_TARGET}${exec_prefix},--without-pgsql,postgresql" -PACKAGECONFIG[soap] = "--enable-soap, --disable-soap, libxml2" -PACKAGECONFIG[apache2] = "--with-apxs2=${STAGING_BINDIR_CROSS}/apxs,,apache2-native apache2" -PACKAGECONFIG[pam] = ",,libpam" -PACKAGECONFIG[imap] = "--with-imap=${STAGING_DIR_HOST} \ - --with-imap-ssl=${STAGING_DIR_HOST} \ - ,--without-imap --without-imap-ssl \ - ,uw-imap" -PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," -PACKAGECONFIG[opcache] = "--enable-opcache,--disable-opcache" -PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl" -PACKAGECONFIG[valgrind] = "--with-valgrind=${STAGING_DIR_TARGET}/usr,--with-valgrind=no,valgrind" -PACKAGECONFIG[mbregex] = "--enable-mbregex, --disable-mbregex, oniguruma" -PACKAGECONFIG[mbstring] = "--enable-mbstring,," - -export HOSTCC = "${BUILD_CC}" -export PHP_NATIVE_DIR = "${STAGING_BINDIR_NATIVE}" -export PHP_PEAR_PHP_BIN = "${STAGING_BINDIR_NATIVE}/php" -CFLAGS += " -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -g -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED -I${STAGING_INCDIR}/apache2" - -# Adding these flags enables dynamic library support, which is disabled by -# default when cross compiling -# See https://bugs.php.net/bug.php?id=60109 -CFLAGS += " -DHAVE_LIBDL " -LDFLAGS += " -ldl " -LDFLAGS:append:libc-musl = " -lucontext " -LDFLAGS:append:riscv64 = " -latomic" - -EXTRA_OEMAKE = "INSTALL_ROOT=${D}" - -acpaths = "" - -do_configure:prepend () { - rm -f ${S}/build/libtool.m4 ${S}/ltmain.sh ${S}/aclocal.m4 - find ${S} -name config.m4 | xargs -n1 sed -i 's!APXS_HTTPD=.*!APXS_HTTPD=${STAGING_SBINDIR_NATIVE}/httpd!' -} - -do_configure:append() { - # No, libtool, we really don't want rpath set... 
- sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool - sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool - sed -i -e's@${RECIPE_SYSROOT}@@g' \ - -e's@-ffile-prefix-map=[^ ]*[ ]*@@g' \ - -e's@-fdebug-prefix-map=[^ ]*[ ]*@@g' \ - -e's@-ffile-prefix-map=[^ ]*[ ]*@@g' \ - -e's@-fmacro-prefix-map=[^ ]*[ ]*@@g' \ - ${B}/main/build-defs.h \ - ${B}/scripts/php-config -} - -do_install:append:class-native() { - rm -rf ${D}/${PHP_LIBDIR}/php/.registry - rm -rf ${D}/${PHP_LIBDIR}/php/.channels - rm -rf ${D}/${PHP_LIBDIR}/php/.[a-z]* -} - -do_install:prepend() { - cat ${ACLOCALDIR}/libtool.m4 ${ACLOCALDIR}/lt~obsolete.m4 ${ACLOCALDIR}/ltoptions.m4 \ - ${ACLOCALDIR}/ltsugar.m4 ${ACLOCALDIR}/ltversion.m4 > ${S}/build/libtool.m4 -} - -do_install:prepend:class-target() { - if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then - # Install dummy config file so apxs doesn't fail - install -d ${D}${sysconfdir}/apache2 - printf "\nLoadModule dummy_module modules/mod_dummy.so\n" > ${D}${sysconfdir}/apache2/httpd.conf - fi -} - -# fixme -do_install:append:class-target() { - install -d ${D}${sysconfdir}/ - rm -rf ${D}/.registry - rm -rf ${D}/.channels - rm -rf ${D}/.[a-z]* - rm -rf ${D}/var - rm -f ${D}/${sysconfdir}/php-fpm.conf.default - install -m 0644 ${WORKDIR}/php-fpm.conf ${D}/${sysconfdir}/php-fpm.conf - install -d ${D}/${sysconfdir}/apache2/conf.d - install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf - install -d ${D}${sysconfdir}/init.d - sed -i 's:=/usr/sbin:=${sbindir}:g' ${B}/sapi/fpm/init.d.php-fpm - sed -i 's:=/etc:=${sysconfdir}:g' ${B}/sapi/fpm/init.d.php-fpm - sed -i 's:=/var:=${localstatedir}:g' ${B}/sapi/fpm/init.d.php-fpm - install -m 0755 ${B}/sapi/fpm/init.d.php-fpm ${D}${sysconfdir}/init.d/php-fpm - install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf - - if 
${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_unitdir}/system/ - sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \ - -e 's,@LOCALSTATEDIR@,${localstatedir},g' \ - ${D}${systemd_unitdir}/system/php-fpm.service - fi - - if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/apache2/modules.d - install -d ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION} - install -m 644 ${WORKDIR}/70_mod_php${PHP_MAJOR_VERSION}.conf ${D}${sysconfdir}/apache2/modules.d - sed -i s,lib/,${libexecdir}/, ${D}${sysconfdir}/apache2/modules.d/70_mod_php${PHP_MAJOR_VERSION}.conf - cat ${S}/php.ini-production | \ - sed -e 's,extension_dir = \"\./\",extension_dir = \"/usr/lib/extensions\",' \ - > ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION}/php.ini - rm -f ${D}${sysconfdir}/apache2/httpd.conf* - fi -} - -SYSROOT_PREPROCESS_FUNCS += "php_sysroot_preprocess" - -php_sysroot_preprocess () { - install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/ - install -m 755 ${D}${bindir}/phpize ${SYSROOT_DESTDIR}${bindir_crossscripts}/ - install -m 755 ${D}${bindir}/php-config ${SYSROOT_DESTDIR}${bindir_crossscripts}/ - - sed -i 's!eval echo /!eval echo ${STAGING_DIR_HOST}/!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/phpize - sed -i 's!^include_dir=.*!include_dir=${STAGING_INCDIR}/php!' 
${SYSROOT_DESTDIR}${bindir_crossscripts}/php-config -} - -MODPHP_PACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', '${PN}-modphp', '', d)}" - -PACKAGES = "${PN}-dbg ${PN}-cli ${PN}-phpdbg ${PN}-cgi ${PN}-fpm ${PN}-fpm-apache2 ${PN}-pear ${PN}-phar ${MODPHP_PACKAGE} ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-opcache ${PN}" - -RDEPENDS:${PN} += "libgcc" -RDEPENDS:${PN}-pear = "${PN}" -RDEPENDS:${PN}-phar = "${PN}-cli" -RDEPENDS:${PN}-cli = "${PN}" -RDEPENDS:${PN}-modphp = "${PN} apache2" -RDEPENDS:${PN}-opcache = "${PN}" - -ALLOW_EMPTY:${PN} = "1" - -INITSCRIPT_PACKAGES = "${PN}-fpm" -inherit update-rc.d - -# WARNING: lib32-php-8.0.12-r0 do_package_qa: QA Issue: lib32-php: ELF binary /usr/libexec/apache2/modules/libphp.so has relocations in .text [textrel] -#WARNING: lib32-php-8.0.12-r0 do_package_qa: QA Issue: lib32-php-opcache: ELF binary /usr/lib/php8/extensions/no-debug-zts-20200930/opcache.so has relocations in .text [textrel] -INSANE_SKIP:${PN}:append:x86 = " textrel" -INSANE_SKIP:${PN}-opcache:append:x86 = " textrel" - -FILES:${PN}-dbg =+ "${bindir}/.debug \ - ${libexecdir}/apache2/modules/.debug" -FILES:${PN}-doc += "${PHP_LIBDIR}/php/doc" -FILES:${PN}-cli = "${bindir}/php" -FILES:${PN}-phpdbg = "${bindir}/phpdbg" -FILES:${PN}-phar = "${bindir}/phar*" -FILES:${PN}-cgi = "${bindir}/php-cgi" -FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default" -FILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf" -CONFFILES:${PN}-fpm = "${sysconfdir}/php-fpm.conf" -CONFFILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf" -INITSCRIPT_NAME:${PN}-fpm = "php-fpm" -INITSCRIPT_PARAMS:${PN}-fpm = "defaults 60" -FILES:${PN}-pear = "${bindir}/pear* ${bindir}/pecl ${PHP_LIBDIR}/php/PEAR \ - ${PHP_LIBDIR}/php/PEAR*.php ${PHP_LIBDIR}/php/System.php \ - ${PHP_LIBDIR}/php/peclcmd.php 
${PHP_LIBDIR}/php/pearcmd.php \ - ${PHP_LIBDIR}/php/.channels ${PHP_LIBDIR}/php/.channels/.alias \ - ${PHP_LIBDIR}/php/.registry ${PHP_LIBDIR}/php/Archive/Tar.php \ - ${PHP_LIBDIR}/php/Console/Getopt.php ${PHP_LIBDIR}/php/OS/Guess.php \ - ${PHP_LIBDIR}/php/data/PEAR \ - ${sysconfdir}/pear.conf" -FILES:${PN}-dev = "${includedir}/php ${PHP_LIBDIR}/build ${bindir}/phpize \ - ${bindir}/php-config ${PHP_LIBDIR}/php/.depdb \ - ${PHP_LIBDIR}/php/.depdblock ${PHP_LIBDIR}/php/.filemap \ - ${PHP_LIBDIR}/php/.lock ${PHP_LIBDIR}/php/test" -FILES:${PN}-staticdev += "${PHP_LIBDIR}/extensions/*/*.a" -FILES:${PN}-opcache = "${PHP_LIBDIR}/extensions/*/opcache${SOLIBSDEV}" -FILES:${PN} = "${PHP_LIBDIR}/php" -FILES:${PN} += "${bindir} ${libexecdir}/apache2" - -SUMMARY:${PN}-modphp = "PHP module for the Apache HTTP server" -FILES:${PN}-modphp = "${libdir}/apache2 ${sysconfdir}" - -MODPHP_OLDPACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'modphp', '', d)}" -RPROVIDES:${PN}-modphp = "${MODPHP_OLDPACKAGE}" -RREPLACES:${PN}-modphp = "${MODPHP_OLDPACKAGE}" -RCONFLICTS:${PN}-modphp = "${MODPHP_OLDPACKAGE}" - -do_install:append:class-native() { - create_wrapper ${D}${bindir}/php \ - PHP_PEAR_SYSCONF_DIR=${sysconfdir}/ -} - -# Fails to build with thumb-1 (qemuarm) -# | {standard input}: Assembler messages: -# | {standard input}:3719: Error: selected processor does not support Thumb mode `smull r0,r2,r9,r3' -# | {standard input}:3720: Error: unshifted register required -- `sub r2,r2,r0,asr#31' -# | {standard input}:3796: Error: selected processor does not support Thumb mode `smull r0,r2,r3,r3' -# | {standard input}:3797: Error: unshifted register required -- `sub r2,r2,r0,asr#31' -# | make: *** [ext/standard/math.lo] Error 1 -ARM_INSTRUCTION_SET = "arm" diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.8.bb b/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.8.bb new file mode 100644 index 0000000000..233ded25d4 --- /dev/null 
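Review bot: as with the nodejs recipe above, the 294 lines removed here are reproduced verbatim in the php_8.2.8.bb added below apart from `SRC_URI[sha256sum]`, so a rename-detected diff would make the upgrade reviewable as a one-line change instead of two opaque 294-line hunks. Since the old recipe carried `CVE_CHECK_IGNORE` entries and an `INSANE_SKIP ... textrel` exemption, it is worth confirming in the commit message that those were re-evaluated for 8.2.8 rather than carried over unchanged.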
+++ b/meta-openembedded/meta-oe/recipes-devtools/php/php_8.2.8.bb 
@@ -0,0 +1,294 @@ +SUMMARY = "A server-side, HTML-embedded scripting language" +HOMEPAGE = "http://www.php.net" +SECTION = "console/network" + +LICENSE = "PHP-3.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5ebd5be8e2a89f634486445bd164bef0" + +BBCLASSEXTEND = "native" +DEPENDS = "zlib bzip2 libxml2 virtual/libiconv php-native lemon-native" +DEPENDS:append:libc-musl = " libucontext" +DEPENDS:class-native = "zlib-native libxml2-native" + +PHP_MAJOR_VERSION = "${@d.getVar('PV').split('.')[0]}" + +SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ + file://0002-build-php.m4-don-t-unset-cache-variables.patch \ + file://0003-php-remove-host-specific-info-from-header-file.patch \ + file://0004-configure.ac-don-t-include-build-libtool.m4.patch \ + file://0006-ext-phar-Makefile.frag-Fix-phar-packaging.patch \ + file://0009-php-don-t-use-broken-wrapper-for-mkdir.patch \ + file://0010-iconv-fix-detection.patch \ + " + +SRC_URI:append:class-target = " \ + file://0001-ext-opcache-config.m4-enable-opcache.patch \ + file://0005-pear-fix-Makefile.frag-for-Yocto.patch \ + file://0007-sapi-cli-config.m4-fix-build-directory.patch \ + file://0008-ext-imap-config.m4-fix-include-paths.patch \ + file://php-fpm.conf \ + file://php-fpm-apache.conf \ + file://70_mod_php${PHP_MAJOR_VERSION}.conf \ + file://php-fpm.service \ + " + +S = "${WORKDIR}/php-${PV}" +SRC_URI[sha256sum] = "995ed4009c7917c962d31837a1a3658f36d4af4f357b673c97ffdbe6403f8517" + +CVE_CHECK_IGNORE += "\ + CVE-2007-2728 \ + CVE-2007-3205 \ + CVE-2007-4596 \ +" + +inherit autotools pkgconfig python3native gettext + +# phpize is not scanned for absolute paths by default (but php-config is). 
+# +SSTATE_SCAN_FILES += "phpize" +SSTATE_SCAN_FILES += "build-defs.h" + +PHP_LIBDIR = "${libdir}/php${PHP_MAJOR_VERSION}" + +# Common EXTRA_OECONF +COMMON_EXTRA_OECONF = "--enable-sockets \ + --enable-pcntl \ + --enable-shared \ + --disable-rpath \ + --with-pic \ + --libdir=${PHP_LIBDIR} \ +" +EXTRA_OECONF = "--enable-mbstring \ + --enable-fpm \ + --with-libdir=${baselib} \ + --with-gettext=${STAGING_LIBDIR}/.. \ + --with-zlib=${STAGING_LIBDIR}/.. \ + --with-iconv=${STAGING_LIBDIR}/.. \ + --with-bz2=${STAGING_DIR_TARGET}${exec_prefix} \ + --with-config-file-path=${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION} \ + ${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'ac_cv_c_bigendian_php=no', 'ac_cv_c_bigendian_php=yes', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'pam', '', 'ac_cv_lib_pam_pam_start=no', d)} \ + ${COMMON_EXTRA_OECONF} \ +" + +EXTRA_OECONF:append:riscv64 = " --with-pcre-jit=no" +EXTRA_OECONF:append:riscv32 = " --with-pcre-jit=no" +# Needs fibers assembly implemented for rv32 +# for example rv64 implementation is below +# see https://github.com/php/php-src/commit/70b02d75f2abe3a292d49c4a4e9e4f850c2fee68 +EXTRA_OECONF:append:riscv32:libc-musl = " --disable-fiber-asm" + +CACHED_CONFIGUREVARS += "ac_cv_func_dlopen=no ac_cv_lib_dl_dlopen=yes" + +EXTRA_OECONF:class-native = " \ + --with-zlib=${STAGING_LIBDIR_NATIVE}/.. \ + --without-iconv \ + ${COMMON_EXTRA_OECONF} \ +" + +PACKAGECONFIG ??= "mysql sqlite3 imap opcache openssl \ + ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 pam', d)} \ +" +PACKAGECONFIG:class-native = "" + +PACKAGECONFIG[zip] = "--with-zip --with-zlib-dir=${STAGING_EXECPREFIXDIR},,libzip" + +PACKAGECONFIG[mysql] = "--with-mysqli=mysqlnd \ + --with-pdo-mysql=mysqlnd \ + ,--without-mysqli --without-pdo-mysql \ + ,mysql5" + +PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_LIBDIR}/.. \ + --with-pdo-sqlite=${STAGING_LIBDIR}/.. 
\ + ,--without-sqlite3 --without-pdo-sqlite \ + ,sqlite3" +PACKAGECONFIG[pgsql] = "--with-pgsql=${STAGING_DIR_TARGET}${exec_prefix},--without-pgsql,postgresql" +PACKAGECONFIG[soap] = "--enable-soap, --disable-soap, libxml2" +PACKAGECONFIG[apache2] = "--with-apxs2=${STAGING_BINDIR_CROSS}/apxs,,apache2-native apache2" +PACKAGECONFIG[pam] = ",,libpam" +PACKAGECONFIG[imap] = "--with-imap=${STAGING_DIR_HOST} \ + --with-imap-ssl=${STAGING_DIR_HOST} \ + ,--without-imap --without-imap-ssl \ + ,uw-imap" +PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +PACKAGECONFIG[opcache] = "--enable-opcache,--disable-opcache" +PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl" +PACKAGECONFIG[valgrind] = "--with-valgrind=${STAGING_DIR_TARGET}/usr,--with-valgrind=no,valgrind" +PACKAGECONFIG[mbregex] = "--enable-mbregex, --disable-mbregex, oniguruma" +PACKAGECONFIG[mbstring] = "--enable-mbstring,," + +export HOSTCC = "${BUILD_CC}" +export PHP_NATIVE_DIR = "${STAGING_BINDIR_NATIVE}" +export PHP_PEAR_PHP_BIN = "${STAGING_BINDIR_NATIVE}/php" +CFLAGS += " -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -g -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED -I${STAGING_INCDIR}/apache2" + +# Adding these flags enables dynamic library support, which is disabled by +# default when cross compiling +# See https://bugs.php.net/bug.php?id=60109 +CFLAGS += " -DHAVE_LIBDL " +LDFLAGS += " -ldl " +LDFLAGS:append:libc-musl = " -lucontext " +LDFLAGS:append:riscv64 = " -latomic" + +EXTRA_OEMAKE = "INSTALL_ROOT=${D}" + +acpaths = "" + +do_configure:prepend () { + rm -f ${S}/build/libtool.m4 ${S}/ltmain.sh ${S}/aclocal.m4 + find ${S} -name config.m4 | xargs -n1 sed -i 's!APXS_HTTPD=.*!APXS_HTTPD=${STAGING_SBINDIR_NATIVE}/httpd!' +} + +do_configure:append() { + # No, libtool, we really don't want rpath set... 
+ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool + sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + sed -i -e's@${RECIPE_SYSROOT}@@g' \ + -e's@-ffile-prefix-map=[^ ]*[ ]*@@g' \ + -e's@-fdebug-prefix-map=[^ ]*[ ]*@@g' \ + -e's@-ffile-prefix-map=[^ ]*[ ]*@@g' \ + -e's@-fmacro-prefix-map=[^ ]*[ ]*@@g' \ + ${B}/main/build-defs.h \ + ${B}/scripts/php-config +} + +do_install:append:class-native() { + rm -rf ${D}/${PHP_LIBDIR}/php/.registry + rm -rf ${D}/${PHP_LIBDIR}/php/.channels + rm -rf ${D}/${PHP_LIBDIR}/php/.[a-z]* +} + +do_install:prepend() { + cat ${ACLOCALDIR}/libtool.m4 ${ACLOCALDIR}/lt~obsolete.m4 ${ACLOCALDIR}/ltoptions.m4 \ + ${ACLOCALDIR}/ltsugar.m4 ${ACLOCALDIR}/ltversion.m4 > ${S}/build/libtool.m4 +} + +do_install:prepend:class-target() { + if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then + # Install dummy config file so apxs doesn't fail + install -d ${D}${sysconfdir}/apache2 + printf "\nLoadModule dummy_module modules/mod_dummy.so\n" > ${D}${sysconfdir}/apache2/httpd.conf + fi +} + +# fixme +do_install:append:class-target() { + install -d ${D}${sysconfdir}/ + rm -rf ${D}/.registry + rm -rf ${D}/.channels + rm -rf ${D}/.[a-z]* + rm -rf ${D}/var + rm -f ${D}/${sysconfdir}/php-fpm.conf.default + install -m 0644 ${WORKDIR}/php-fpm.conf ${D}/${sysconfdir}/php-fpm.conf + install -d ${D}/${sysconfdir}/apache2/conf.d + install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf + install -d ${D}${sysconfdir}/init.d + sed -i 's:=/usr/sbin:=${sbindir}:g' ${B}/sapi/fpm/init.d.php-fpm + sed -i 's:=/etc:=${sysconfdir}:g' ${B}/sapi/fpm/init.d.php-fpm + sed -i 's:=/var:=${localstatedir}:g' ${B}/sapi/fpm/init.d.php-fpm + install -m 0755 ${B}/sapi/fpm/init.d.php-fpm ${D}${sysconfdir}/init.d/php-fpm + install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf + + if 
${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_unitdir}/system/ + sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \ + -e 's,@LOCALSTATEDIR@,${localstatedir},g' \ + ${D}${systemd_unitdir}/system/php-fpm.service + fi + + if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/apache2/modules.d + install -d ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION} + install -m 644 ${WORKDIR}/70_mod_php${PHP_MAJOR_VERSION}.conf ${D}${sysconfdir}/apache2/modules.d + sed -i s,lib/,${libexecdir}/, ${D}${sysconfdir}/apache2/modules.d/70_mod_php${PHP_MAJOR_VERSION}.conf + cat ${S}/php.ini-production | \ + sed -e 's,extension_dir = \"\./\",extension_dir = \"/usr/lib/extensions\",' \ + > ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION}/php.ini + rm -f ${D}${sysconfdir}/apache2/httpd.conf* + fi +} + +SYSROOT_PREPROCESS_FUNCS += "php_sysroot_preprocess" + +php_sysroot_preprocess () { + install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/ + install -m 755 ${D}${bindir}/phpize ${SYSROOT_DESTDIR}${bindir_crossscripts}/ + install -m 755 ${D}${bindir}/php-config ${SYSROOT_DESTDIR}${bindir_crossscripts}/ + + sed -i 's!eval echo /!eval echo ${STAGING_DIR_HOST}/!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/phpize + sed -i 's!^include_dir=.*!include_dir=${STAGING_INCDIR}/php!' 
${SYSROOT_DESTDIR}${bindir_crossscripts}/php-config +} + +MODPHP_PACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', '${PN}-modphp', '', d)}" + +PACKAGES = "${PN}-dbg ${PN}-cli ${PN}-phpdbg ${PN}-cgi ${PN}-fpm ${PN}-fpm-apache2 ${PN}-pear ${PN}-phar ${MODPHP_PACKAGE} ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-opcache ${PN}" + +RDEPENDS:${PN} += "libgcc" +RDEPENDS:${PN}-pear = "${PN}" +RDEPENDS:${PN}-phar = "${PN}-cli" +RDEPENDS:${PN}-cli = "${PN}" +RDEPENDS:${PN}-modphp = "${PN} apache2" +RDEPENDS:${PN}-opcache = "${PN}" + +ALLOW_EMPTY:${PN} = "1" + +INITSCRIPT_PACKAGES = "${PN}-fpm" +inherit update-rc.d + +# WARNING: lib32-php-8.0.12-r0 do_package_qa: QA Issue: lib32-php: ELF binary /usr/libexec/apache2/modules/libphp.so has relocations in .text [textrel] +#WARNING: lib32-php-8.0.12-r0 do_package_qa: QA Issue: lib32-php-opcache: ELF binary /usr/lib/php8/extensions/no-debug-zts-20200930/opcache.so has relocations in .text [textrel] +INSANE_SKIP:${PN}:append:x86 = " textrel" +INSANE_SKIP:${PN}-opcache:append:x86 = " textrel" + +FILES:${PN}-dbg =+ "${bindir}/.debug \ + ${libexecdir}/apache2/modules/.debug" +FILES:${PN}-doc += "${PHP_LIBDIR}/php/doc" +FILES:${PN}-cli = "${bindir}/php" +FILES:${PN}-phpdbg = "${bindir}/phpdbg" +FILES:${PN}-phar = "${bindir}/phar*" +FILES:${PN}-cgi = "${bindir}/php-cgi" +FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default" +FILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf" +CONFFILES:${PN}-fpm = "${sysconfdir}/php-fpm.conf" +CONFFILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf" +INITSCRIPT_NAME:${PN}-fpm = "php-fpm" +INITSCRIPT_PARAMS:${PN}-fpm = "defaults 60" +FILES:${PN}-pear = "${bindir}/pear* ${bindir}/pecl ${PHP_LIBDIR}/php/PEAR \ + ${PHP_LIBDIR}/php/PEAR*.php ${PHP_LIBDIR}/php/System.php \ + ${PHP_LIBDIR}/php/peclcmd.php 
${PHP_LIBDIR}/php/pearcmd.php \ + ${PHP_LIBDIR}/php/.channels ${PHP_LIBDIR}/php/.channels/.alias \ + ${PHP_LIBDIR}/php/.registry ${PHP_LIBDIR}/php/Archive/Tar.php \ + ${PHP_LIBDIR}/php/Console/Getopt.php ${PHP_LIBDIR}/php/OS/Guess.php \ + ${PHP_LIBDIR}/php/data/PEAR \ + ${sysconfdir}/pear.conf" +FILES:${PN}-dev = "${includedir}/php ${PHP_LIBDIR}/build ${bindir}/phpize \ + ${bindir}/php-config ${PHP_LIBDIR}/php/.depdb \ + ${PHP_LIBDIR}/php/.depdblock ${PHP_LIBDIR}/php/.filemap \ + ${PHP_LIBDIR}/php/.lock ${PHP_LIBDIR}/php/test" +FILES:${PN}-staticdev += "${PHP_LIBDIR}/extensions/*/*.a" +FILES:${PN}-opcache = "${PHP_LIBDIR}/extensions/*/opcache${SOLIBSDEV}" +FILES:${PN} = "${PHP_LIBDIR}/php" +FILES:${PN} += "${bindir} ${libexecdir}/apache2" + +SUMMARY:${PN}-modphp = "PHP module for the Apache HTTP server" +FILES:${PN}-modphp = "${libdir}/apache2 ${sysconfdir}" + +MODPHP_OLDPACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'modphp', '', d)}" +RPROVIDES:${PN}-modphp = "${MODPHP_OLDPACKAGE}" +RREPLACES:${PN}-modphp = "${MODPHP_OLDPACKAGE}" +RCONFLICTS:${PN}-modphp = "${MODPHP_OLDPACKAGE}" + +do_install:append:class-native() { + create_wrapper ${D}${bindir}/php \ + PHP_PEAR_SYSCONF_DIR=${sysconfdir}/ +} + +# Fails to build with thumb-1 (qemuarm) +# | {standard input}: Assembler messages: +# | {standard input}:3719: Error: selected processor does not support Thumb mode `smull r0,r2,r9,r3' +# | {standard input}:3720: Error: unshifted register required -- `sub r2,r2,r0,asr#31' +# | {standard input}:3796: Error: selected processor does not support Thumb mode `smull r0,r2,r3,r3' +# | {standard input}:3797: Error: unshifted register required -- `sub r2,r2,r0,asr#31' +# | make: *** [ext/standard/math.lo] Error 1 +ARM_INSTRUCTION_SET = "arm" diff --git a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_1.patch b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_1.patch new file mode 100644 index 0000000000..c538991125 --- /dev/null 
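Review bot: the two `INSANE_SKIP:${PN}...:append:x86 = " textrel"` lines near the end of the php recipe silence the textrel QA check instead of removing the text relocations; a DSO with relocations in .text (libphp.so and opcache.so, per the commented warnings above those lines) needs its code pages made writable at load time, which costs the non-writable-code guarantee and page sharing. Prefer fixing the x86 build to emit PIC objects, or record in the recipe why that is not possible for these two objects. Separately, in `do_install` the sed that rewrites `php.ini-production` hard-codes `extension_dir = "/usr/lib/extensions"` while the packaging rules below reference `${PHP_LIBDIR}/extensions`; confirm the two agree, since on a multilib build such as the lib32-php case quoted in the comments `/usr/lib` is not `${libdir}`.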
+++ b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_1.patch @@ -0,0 +1,43 @@ +From 3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf Mon Sep 17 00:00:00 2001 +From: wujing +Date: Thu, 14 Feb 2019 03:12:30 +0800 +Subject: [PATCH] yajl: fix memory leak problem + +reason: fix memory leak problem + +CVE: CVE-2023-33460 + +Upstream-Status: Backport [https://github.com/openEuler-BaseService/yajl/commit/3d65cb0c6db4d433e5e42ee7d91d8a04e21337cf] + +Signed-off-by: Mingli Yu +--- + src/yajl_tree.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index 3d357a3..4b3cf2b 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx) + ctx->stack = stack->next; + + v = stack->value; +- ++ free (stack->key); + free (stack); + + return (v); +@@ -444,6 +444,10 @@ yajl_val yajl_tree_parse (const char *input, + snprintf(error_buffer, error_buffer_size, "%s", internal_err_str); + YA_FREE(&(handle->alloc), internal_err_str); + } ++ while(ctx.stack != NULL) { ++ yajl_val v = context_pop(&ctx); ++ yajl_tree_free(v); ++ } + yajl_free (handle); + return NULL; + } +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_2.patch b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_2.patch new file mode 100644 index 0000000000..6e9b119b56 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460_2.patch 
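Review bot: in the `yajl_tree_parse` hunk of CVE-2023-33460_1.patch the new `while(ctx.stack != NULL)` loop only drains the context stack; `ctx.root` is not released on this error path, so a parse that fails after the root value has been completed still leaks it (the companion CVE-2023-33460_2.patch adds exactly that `yajl_tree_free(ctx.root)`, so the two must always be applied together, as the recipe does). In the `context_pop` hunk the added `free (stack->key)` is correct only if `key` is always NULL or heap-allocated by yajl and is never also referenced from the popped value; please state that in the patch header, since a shared pointer there would turn the leak fix into a double free.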
@@ -0,0 +1,31 @@ +From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001 +From: "zhang.jiujiu" <282627424@qq.com> +Date: Tue, 7 Dec 2021 22:37:02 +0800 +Subject: [PATCH] fix memory leaks + +CVE: CVE-2023-33460 + +Upstream-Status: Backport [https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698] + +Signed-off-by: Mingli Yu +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index b9e6604..0e7bde9 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -456,6 +456,9 @@ yajl_val yajl_tree_parse (const char *input, + yajl_tree_free(v); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index cf8dbb183e..aae3c6f3a1 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb @@ -8,7 +8,10 @@ HOMEPAGE = "http://lloyd.github.com/yajl/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" -SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https" +SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ + file://CVE-2023-33460_1.patch \ + file://CVE-2023-33460_2.patch \ +" SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-31975.patch b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-31975.patch new file mode 100644 index 0000000000..ae10e99c2f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-31975.patch 
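Review bot: the new `if(ctx.root) yajl_tree_free(ctx.root);` in CVE-2023-33460_2.patch runs after the loop that pops and frees every remaining stack entry; if the root value can also be reachable from one of those entries the second free is a double free, so the patch header should say why the two sets are disjoint. Minor style: the added `//` comment is C++-style in a C source that upstream may build with strict C89 flags; a `/* */` comment is safer in a backport. The `yajl_2.1.0.bb` hunk is fine: both patches carry `CVE: CVE-2023-33460` tags, which is what cve-check needs to record the issue as patched.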
@@ -0,0 +1,29 @@ +From b2cc5a1693b17ac415df76d0795b15994c106441 Mon Sep 17 00:00:00 2001 +From: Katsuhiko Gondow +Date: Tue, 13 Jun 2023 05:00:47 +0900 +Subject: [PATCH] Fix memory leak in bin-objfmt (#231) + +Upstream-Status: Backport [https://github.com/yasm/yasm/commit/b2cc5a1693b17ac415df76d0795b15994c106441] + +CVE: CVE-2023-31975 +--- + modules/objfmts/bin/bin-objfmt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/modules/objfmts/bin/bin-objfmt.c b/modules/objfmts/bin/bin-objfmt.c +index 18026750..a38c3422 100644 +--- a/modules/objfmts/bin/bin-objfmt.c ++++ b/modules/objfmts/bin/bin-objfmt.c +@@ -1680,6 +1680,10 @@ static void + bin_section_data_destroy(void *data) + { + bin_section_data *bsd = (bin_section_data *)data; ++ if (bsd->align) ++ yasm_xfree(bsd->align); ++ if (bsd->valign) ++ yasm_xfree(bsd->valign); + if (bsd->start) + yasm_expr_destroy(bsd->start); + if (bsd->vstart) +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-37732.patch b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-37732.patch new file mode 100644 index 0000000000..1ca33f0a92 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-37732.patch 
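Review bot: the new `yasm_xfree(bsd->align)` / `yasm_xfree(bsd->valign)` calls in `bin_section_data_destroy` free the two fields as flat allocations, whereas the neighbouring `start`/`vstart` fields go through `yasm_expr_destroy`; confirm `align` and `valign` are plain objects with no owned sub-allocations, otherwise the leak only moves one level down. The `if (bsd->align)` guards are harmless but redundant if `yasm_xfree` accepts NULL like `free`. The patch header carries `Upstream-Status` and `CVE` tags but no `Signed-off-by` from the person who backported it; add one so the provenance chain is complete.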
@@ -0,0 +1,41 @@ +From 2cd3bb50e256f5ed5f611ac611d25fe673f2cec3 Mon Sep 17 00:00:00 2001 +From: Peter Johnson +Date: Fri, 11 Aug 2023 10:49:51 +0000 +Subject: [PATCH] elf.c: Fix NULL deref on bad xsize expression (#234) + +CVE: CVE-2023-37732 + +Upstream-Status: Backport [https://github.com/yasm/yasm/commit/2cd3bb50e256f5ed5f611ac611d25fe673f2cec3] + +Signed-off-by: Soumya +--- + modules/objfmts/elf/elf.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/modules/objfmts/elf/elf.c b/modules/objfmts/elf/elf.c +index 2486bba8..bab4c9ca 100644 +--- a/modules/objfmts/elf/elf.c ++++ b/modules/objfmts/elf/elf.c +@@ -482,15 +482,15 @@ elf_symtab_write_to_file(FILE *f, elf_symtab_head *symtab, + + /* get size (if specified); expr overrides stored integer */ + if (entry->xsize) { +- size_intn = yasm_intnum_copy( +- yasm_expr_get_intnum(&entry->xsize, 1)); +- if (!size_intn) { ++ yasm_intnum *intn = yasm_expr_get_intnum(&entry->xsize, 1); ++ if (!intn) { + yasm_error_set(YASM_ERROR_VALUE, + N_("size specifier not an integer expression")); + yasm_errwarn_propagate(errwarns, entry->xsize->line); +- } ++ } else ++ size_intn = yasm_intnum_copy(intn); + } +- else ++ if (!size_intn) + size_intn = yasm_intnum_create_uint(entry->size); + + /* get EQU value for constants */ +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb index 3dd382be1f..26540b4295 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/yasm/yasm_git.bb @@ -12,6 +12,8 @@ PV = "1.3.0+git${SRCPV}" SRCREV = "ba463d3c26c0ece2e797b8d6381b161633b5971a" SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \ file://0001-Do-not-use-AC_HEADER_STDC.patch \ + file://CVE-2023-31975.patch \ + file://CVE-2023-37732.patch \ " S = "${WORKDIR}/git" 
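Review bot: the reworked block in `elf_symtab_write_to_file` now falls through to `if (!size_intn) size_intn = yasm_intnum_create_uint(entry->size);` on both the no-xsize path and the bad-expression path, which only works if `size_intn` is initialised to NULL at its declaration; that declaration is outside the hunk, so please confirm it (an uninitialised pointer there would trade the NULL dereference for a read of an indeterminate value). Style: `if (!intn) { ... } else` followed by an unbraced `size_intn = yasm_intnum_copy(intn);` mixes braced and unbraced branches; brace both. The `yasm_git.bb` hunk adding the two CVE patches is fine.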
diff --git a/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb b/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb index 0b1e7e6088..d67156e1fd 100644 --- a/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb +++ b/meta-openembedded/meta-oe/recipes-extended/dialog/dialog_1.3-20210509.bb @@ -8,7 +8,7 @@ DEPENDS = "ncurses" LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" -SRC_URI = "ftp://ftp.invisible-island.net/${BPN}/${BP}.tgz" +SRC_URI = "https://invisible-mirror.net/archives/${BPN}/${BP}.tgz" SRC_URI[sha256sum] = "ae478fe7d5fca82bcf4b51684641e07d2ee68489d319710fe1e81f41a197bd66" # hardcoded here for use in dialog-static recipe diff --git a/meta-openembedded/meta-oe/recipes-extended/hwloc/files/CVE-2022-47022.patch b/meta-openembedded/meta-oe/recipes-extended/hwloc/files/CVE-2022-47022.patch new file mode 100644 index 0000000000..1925e2605d --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/hwloc/files/CVE-2022-47022.patch 
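Review bot: switching `SRC_URI` from `ftp://ftp.invisible-island.net` to `https://invisible-mirror.net` removes an unauthenticated FTP fetch, and the unchanged `SRC_URI[sha256sum]` line shows the mirror serves a byte-identical tarball; stating that in the commit message would make clear this is a source-host change, not a version change. If the recipe has an `UPSTREAM_CHECK_URI` (not in this hunk) it should move to the same host.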
@@ -0,0 +1,76 @@ +From ac1f8db9a0790d2bf153711ff4cbf6101f89aace Mon Sep 17 00:00:00 2001 +From: Brice Goglin +Date: Wed, 23 Aug 2023 19:52:47 +0200 +Subject: [PATCH] linux: handle glibc cpuset allocation failures + +Closes #544 +CVE-2022-47022 + +CVE: CVE-2022-47022 + +Upstream-Status: Backport [https://github.com/open-mpi/hwloc/commit/ac1f8db9a0790d2bf153711ff4cbf6101f89aace] + +Signed-off-by: Brice Goglin +Signed-off-by: Archana Polampalli +--- + hwloc/topology-linux.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c +index 3f059465d..030076e7f 100644 +--- a/hwloc/topology-linux.c ++++ b/hwloc/topology-linux.c +@@ -878,6 +878,8 @@ hwloc_linux_set_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused, + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + CPU_ZERO_S(setsize, plinux_set); + hwloc_bitmap_foreach_begin(cpu, hwloc_set) +@@ -958,7 +960,10 @@ hwloc_linux_find_kernel_nr_cpus(hwloc_topology_t topology) + while (1) { + cpu_set_t *set = CPU_ALLOC(nr_cpus); + size_t setsize = CPU_ALLOC_SIZE(nr_cpus); +- int err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */ ++ int err; ++ if (!set) ++ return -1; /* caller will return an error, and we'll try again later */ ++ err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */ + CPU_FREE(set); + nr_cpus = setsize * 8; /* that's the value that was actually tested */ + if (!err) +@@ -986,8 +991,12 @@ hwloc_linux_get_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused, + + /* find the kernel nr_cpus so as to use a large enough cpu_set size */ + kernel_nr_cpus = hwloc_linux_find_kernel_nr_cpus(topology); ++ if (kernel_nr_cpus < 0) ++ return -1; + setsize = CPU_ALLOC_SIZE(kernel_nr_cpus); + plinux_set = CPU_ALLOC(kernel_nr_cpus); ++ if (!plinux_set) ++ return -1; + + err = sched_getaffinity(tid, 
setsize, plinux_set); + +@@ -1341,6 +1350,8 @@ hwloc_linux_set_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_c + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + CPU_ZERO_S(setsize, plinux_set); + hwloc_bitmap_foreach_begin(cpu, hwloc_set) +@@ -1432,6 +1443,8 @@ hwloc_linux_get_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_b + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + err = pthread_getaffinity_np(tid, setsize, plinux_set); + if (err) { +-- +2.40.0 diff --git a/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb b/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb index 51ceb4c262..ee766c8391 100644 --- a/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb +++ b/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.0.bb @@ -7,7 +7,9 @@ SECTION = "base" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=79179bb373cd55cbd834463a514fb714" -SRC_URI = "https://www.open-mpi.org/software/${BPN}/v2.9/downloads/${BP}.tar.bz2" +SRC_URI = "https://www.open-mpi.org/software/${BPN}/v2.9/downloads/${BP}.tar.bz2 \ + file://CVE-2022-47022.patch \ + " SRC_URI[sha256sum] = "2070e963596a2421b9af8eca43bdec113ee1107aaf7ccb475d4d3767a8856887" UPSTREAM_CHECK_URI = "https://www.open-mpi.org/software/hwloc/v2.9/" diff --git a/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb b/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb index 44b4e7daf9..22ccbf144e 100644 --- a/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb +++ b/meta-openembedded/meta-oe/recipes-extended/libblockdev/libblockdev_2.28.bb 
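Review bot: the new `if (!plinux_set) return -1;` checks after each `CPU_ALLOC` in CVE-2022-47022.patch return without setting `errno`, so callers only see ENOMEM if the underlying allocator happened to set it; an explicit `errno = ENOMEM;` before each `return -1` would make the failure unambiguous to hwloc's API users. In `hwloc_linux_find_kernel_nr_cpus` the function now returns -1 from inside the `while (1)` loop; `hwloc_linux_get_tid_cpubind` is updated with a `kernel_nr_cpus < 0` check, but any other caller of that function outside this patch needs the same check or it will pass a negative count to `CPU_ALLOC_SIZE`. The hwloc_2.9.0.bb hunk correctly adds the patch with its `CVE:` tag.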
@@ -10,6 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c" inherit autotools gobject-introspection pkgconfig +DEPENDS = "autoconf-archive-native glib-2.0 kmod udev" + SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch;protocol=https \ " SRCREV = "1412dc51c8f76bf8d9a6008228737db4a9a26d69" @@ -24,12 +26,12 @@ PACKAGECONFIG[lvm] = "--with-lvm, --without-lvm, multipath-tools, lvm2" PACKAGECONFIG[lvm-dbus] = "--with-lvm_dbus, --without-lvm_dbus, multipath-tools, lvm2" PACKAGECONFIG[dm] = "--with-dm, --without-dm, multipath-tools, lvm2" PACKAGECONFIG[dmraid] = "--with-dmraid, --without-dmraid" -PACKAGECONFIG[kmod] = "--with-kbd, --without-kbd, kmod" +PACKAGECONFIG[kmod] = "--with-kbd, --without-kbd,libbytesize" PACKAGECONFIG[parted] = "--with-part, --without-part, parted" PACKAGECONFIG[fs] = "--with-fs, --without-fs, util-linux" PACKAGECONFIG[doc] = "--with-gtk-doc, --without-gtk-doc, gtk-doc-native" PACKAGECONFIG[nvdimm] = "--with-nvdimm, --without-nvdimm, ndctl util-linux" -PACKAGECONFIG[vdo] = "--with-vdo, --without-vdo" +PACKAGECONFIG[vdo] = "--with-vdo, --without-vdo,libbytesize" PACKAGECONFIG[escrow] = "--with-escrow, --without-escrow, nss volume-key" PACKAGECONFIG[btrfs] = "--with-btrfs,--without-btrfs,libbytesize btrfs-tools" PACKAGECONFIG[crypto] = "--with-crypto,--without-crypto,cryptsetup nss volume-key" diff --git a/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb b/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb index 2d93936f37..3912e0a8d7 100644 --- a/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb +++ b/meta-openembedded/meta-oe/recipes-extended/libgxim/libgxim_0.5.0.bb 
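Review bot: `DEPENDS = "autoconf-archive-native glib-2.0 kmod udev"` in libblockdev_2.28.bb is a plain assignment, which silently replaces any `DEPENDS` set earlier in the recipe or in a bbappend; use `DEPENDS +=` unless the intent is to reset it. Moving `kmod` out of `PACKAGECONFIG[kmod]` into the unconditional `DEPENDS` also makes kmod a build dependency even when that plugin is disabled; if it is only needed by the plugin, keep it in the PACKAGECONFIG entry alongside the new `libbytesize` dependency. Style: the new `,libbytesize` entries lack the space after the comma that the other entries in the block use.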
@@ -24,7 +24,7 @@ LIC_FILES_CHKSUM = "\ file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" EXTRA_OECONF = "--enable-debug --disable-static --disable-rebuilds --enable-compile-warnings=minimum" -DEPENDS += "gtk+ glib-2.0 glib-2.0-native ruby-native intltool-native gnome-common-native" +DEPENDS += "gtk+ glib-2.0 glib-2.0-native ruby-native intltool-native gnome-common-native autoconf-archive-native" inherit features_check autotools pkgconfig gettext diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0001-src-Do-not-reset-FINAL_LIBS.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0001-src-Do-not-reset-FINAL_LIBS.patch new file mode 100644 index 0000000000..e8d8b1d53f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0001-src-Do-not-reset-FINAL_LIBS.patch @@ -0,0 +1,30 @@ +From e97a572d4aef099a961e43d528c0268e10d9f1e2 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 10 Sep 2019 20:04:26 -0700 +Subject: [PATCH] src: Do not reset FINAL_LIBS + +This helps case where additional libraries are needed to be passed from +environment to get it going + +e.g. -latomic is needed on clang/x86 to provide for 64bit atomics + +Upstream-Status: Pending +Signed-off-by: Khem Raj + +--- + src/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile b/src/Makefile +index ddabd44..5133884 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -118,7 +118,7 @@ endif + + FINAL_CFLAGS=$(STD) $(WARN) $(OPT) $(DEBUG) $(CFLAGS) $(REDIS_CFLAGS) + FINAL_LDFLAGS=$(LDFLAGS) $(REDIS_LDFLAGS) $(DEBUG) +-FINAL_LIBS=-lm ++FINAL_LIBS+=-lm + DEBUG=-g -ggdb + + # Linux ARM32 needs -latomic at linking time diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0006-Define-correct-gregs-for-RISCV32.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0006-Define-correct-gregs-for-RISCV32.patch new file mode 100644 index 0000000000..385b0aeed0 --- /dev/null 
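Review bot: `0001-src-Do-not-reset-FINAL_LIBS.patch` is still marked `Upstream-Status: Pending` under a 2019 date; either record the upstream submission or retag it `Inappropriate [OE specific]`. With `FINAL_LIBS+=-lm` the variable now inherits whatever `FINAL_LIBS` the build environment exports, which is the intent the header states for `-latomic`, so the recipe should set that variable deliberately rather than let an unrelated value leak in. The libgxim hunk adding `autoconf-archive-native` to `DEPENDS` is fine.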
+++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/0006-Define-correct-gregs-for-RISCV32.patch 
@@ -0,0 +1,62 @@ +From b6b2c652abfa98093401b232baca8719c50cadf4 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Mon, 26 Oct 2020 21:32:22 -0700 +Subject: [PATCH] Define correct gregs for RISCV32 + +Upstream-Status: Pending +Signed-off-by: Khem Raj + +Updated patch for 6.2.8 +Signed-off-by: Changqing Li +--- + src/debug.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/debug.c b/src/debug.c +index ebda858..90bc450 100644 +--- a/src/debug.c ++++ b/src/debug.c +@@ -1168,7 +1168,9 @@ static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) { + #endif + #elif defined(__linux__) + /* Linux */ +- #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) ++ #if defined(__riscv) && __riscv_xlen == 32 ++ return (void*) uc->uc_mcontext.__gregs[REG_PC]; ++ #elif defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) + GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip); + #elif defined(__X86_64__) || defined(__x86_64__) + GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip); +@@ -1350,8 +1352,28 @@ void logRegisters(ucontext_t *uc) { + #endif + /* Linux */ + #elif defined(__linux__) ++ /* Linux RISCV32 */ ++ #if defined(__riscv) && __riscv_xlen == 32 ++ serverLog(LL_WARNING, ++ "\n" ++ "RA:%08lx S0:%08lx S1:%08lx S2:%08lx\n" ++ "SP:%08lx PC:%08lx A0:%08lx A1:%08lx\n" ++ "A2 :%08lx A3:%08lx A4:%08lx", ++ (unsigned long) uc->uc_mcontext.__gregs[REG_RA], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_S0], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_S1], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_S2], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_SP], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_PC], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 0], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 1], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 2], ++ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 3], ++ (unsigned long) 
uc->uc_mcontext.__gregs[REG_A0 + 4] ++ ); ++ logStackContent((void**)uc->uc_mcontext.__gregs[REG_SP]); + /* Linux x86 */ +- #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) ++ #elif defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) + serverLog(LL_WARNING, + "\n" + "EAX:%08lx EBX:%08lx ECX:%08lx EDX:%08lx\n" +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/GNU_SOURCE-7.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/GNU_SOURCE-7.patch new file mode 100644 index 0000000000..6e07c25c6a --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/GNU_SOURCE-7.patch @@ -0,0 +1,29 @@ +From a22512ac1cbd6de1f5646219722e49752d1f60ac Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Sat, 21 Dec 2019 12:09:51 -0800 +Subject: [PATCH] Define _GNU_SOURCE to get PTHREAD_MUTEX_INITIALIZER + +Fixes +| zmalloc.c:87:37: error: 'PTHREAD_MUTEX_DEFAULT' undeclared here (not in a function) +| 87 | pthread_mutex_t used_memory_mutex = PTHREAD_MUTEX_INITIALIZER; +| | ^~~~~~~~~~~~~~~~~~~~~~~~~ + +Upstream-Status: Pending +Signed-off-by: Khem Raj + +--- + src/zmalloc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/zmalloc.c b/src/zmalloc.c +index ba03685..322304f 100644 +--- a/src/zmalloc.c ++++ b/src/zmalloc.c +@@ -32,6 +32,7 @@ + #include "config.h" + #include "solarisfixes.h" + ++#define _GNU_SOURCE + #include + #include + #include diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/hiredis-use-default-CC-if-it-is-set.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/hiredis-use-default-CC-if-it-is-set.patch new file mode 100644 index 0000000000..657b0923e2 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/hiredis-use-default-CC-if-it-is-set.patch 
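Review bot: in the `getAndSetMcontextEip` hunk of `0006-Define-correct-gregs-for-RISCV32.patch` the new RISCV32 branch does a bare `return (void*) uc->uc_mcontext.__gregs[REG_PC];` while every neighbouring branch uses `GET_SET_RETURN(..., eip)`, so the `eip` argument is ignored and the setter half of the function is a no-op on RISCV32; `GET_SET_RETURN(uc->uc_mcontext.__gregs[REG_PC], eip)` would match the other architectures. Minor: the format string has a stray space in `"A2 :%08lx"`. In `GNU_SOURCE-7.patch` the `#define _GNU_SOURCE` is inserted after `#include "config.h"` and `#include "solarisfixes.h"`; feature-test macros must be defined before the first libc header is pulled in, so if either of those headers includes a system header the define has no effect (and can trigger a redefinition warning if config.h already defines it). Placing it at the top of zmalloc.c or passing `-D_GNU_SOURCE` via CFLAGS is more robust.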
@@ -0,0 +1,36 @@ +From 9da2d12c9fabfff4b4460accf887658db89687e4 Mon Sep 17 00:00:00 2001 +From: Venture Research +Date: Fri, 8 Feb 2013 17:39:52 -0600 +Subject: [PATCH] hiredis: use default CC if it is set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of trying to automagically figure out CC, which breaks with OE +as CC has spaces in it, just skip it if one was already passed in. + +Signed-off-by: Venture Research + +Update to work with 4.0.8 +Signed-off-by: Alistair Francis + +Reworked for 6.0.4 +Signed-off-by: Andreas Müller + +--- + deps/hiredis/Makefile | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/deps/hiredis/Makefile b/deps/hiredis/Makefile +index 7e41c97..54717e3 100644 +--- a/deps/hiredis/Makefile ++++ b/deps/hiredis/Makefile +@@ -42,8 +42,6 @@ endef + export REDIS_TEST_CONFIG + + # Fallback to gcc when $CC is not in $PATH. +-CC:=$(shell sh -c 'type $${CC%% *} >/dev/null 2>/dev/null && echo $(CC) || echo gcc') +-CXX:=$(shell sh -c 'type $${CXX%% *} >/dev/null 2>/dev/null && echo $(CXX) || echo g++') + OPTIMIZATION?=-O3 + WARNINGS=-Wall -W -Wstrict-prototypes -Wwrite-strings -Wno-missing-field-initializers + DEBUG_FLAGS?= -g -ggdb diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/init-redis-server b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/init-redis-server new file mode 100755 index 0000000000..c5f335f57d --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/init-redis-server 
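Review bot: the hunk removes the `CC:=`/`CXX:=` detection lines but leaves the comment `# Fallback to gcc when $CC is not in $PATH.` directly above them, which is now stale; drop or reword it. The patch header also lacks an `Upstream-Status` line, which OE requires for every patch; `Inappropriate [OE specific]` matches the reasoning given in the description.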
@@ -0,0 +1,71 @@ +#!/bin/sh +# +### BEGIN INIT INFO +# Provides: redis-server +# Required-Start: $network +# Required-Stop: $network +# Default-Start: S 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Redis, a key-value store +# Description: Redis is an open source, advanced key-value store. +# http://redis.io +### END INIT INFO + +test -f /usr/bin/redis-server || exit 0 + +ARGS="/etc/redis/redis.conf" + +case "$1" in + start) + echo "Starting redis-server..." + start-stop-daemon --start --quiet --exec /usr/bin/redis-server -- $ARGS + ;; + stop) + echo "Stopping redis-server..." + start-stop-daemon --stop --quiet --exec /usr/bin/redis-server + ;; + restart) + echo "Stopping redis-server..." + start-stop-daemon --stop --quiet --exec /usr/bin/redis-server + + # Since busybox implementation ignores --retry arguments repeatedly check + # if the process is still running and try another signal after a timeout, + # efectively simulating a stop with --retry=TERM/5/KILL/5 schedule. + waitAfterTerm=5000000 # us / 5000 ms / 5 s + waitAfterKill=5000000 # us / 5000 ms / 5 s + waitStep=100000 # us / 100 ms / 0.1 s + waited=0 + start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server + processOff=$? + while [ $processOff -eq 0 ] && [ $waited -le $waitAfterTerm ] ; do + usleep ${waitStep} + ((waited+=${waitStep})) + start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server + processOff=$? + done + if [ $processOff -eq 0 ] ; then + start-stop-daemon --stop --signal KILL --exec /usr/bin/redis-server + start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server + processOff=$? + fi + waited=0 + while [ $processOff -eq 0 ] && [ $waited -le $waitAfterKill ] ; do + usleep ${waitStep} + ((waited+=${waitStep})) + start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server + processOff=$? + done + # Here $processOff will indicate if waiting and retrying according to + # the schedule ended in a successfull stop or not. 
+ + echo "Starting redis-server..." + start-stop-daemon --start --quiet --exec /usr/bin/redis-server -- $ARGS + ;; + *) + echo "Usage: /etc/init.d/redis-server {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 + diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/lua-update-Makefile-to-use-environment-build-setting.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/lua-update-Makefile-to-use-environment-build-setting.patch new file mode 100644 index 0000000000..c6c6fde162 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/lua-update-Makefile-to-use-environment-build-setting.patch 
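Review bot: both `start-stop-daemon --start` invocations in `init-redis-server` launch `/usr/bin/redis-server` with no `--chuid` (`-c`), so the daemon runs as root; Redis needs no root privilege, and a dedicated unprivileged user created by the recipe and passed here limits what a compromised server can reach. Second, the script is `#!/bin/sh` but uses `((waited+=${waitStep}))`, which is bash/ksh arithmetic rather than POSIX; under a strict sh that line fails and the wait loops never advance, so use `waited=$((waited + waitStep))`. `usleep` is likewise a busybox/GNU extension, acceptable given the busybox comment but worth stating. Spelling in the comments: `efectively`, `successfull`.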
@@ -0,0 +1,76 @@ +From 734ab2f7879c6f94fc18ea6a10adb9bd156ba769 Mon Sep 17 00:00:00 2001 +From: Venture Research +Date: Fri, 8 Feb 2013 20:22:19 -0600 +Subject: [PATCH] lua: update Makefile to use environment build settings + +OE-specific parameters, instead of overriding all of these simply use +the ones that are already passed in. Also configure for only Linux... + +Signed-off-by: Venture Research + +Updated to work with 3.0.x + +Signed-off-by: Armin Kuster + +updated to work wtih 6.2.1 +Signed-off-by: Yi Fan Yu + +--- + deps/Makefile | 1 - + deps/lua/Makefile | 1 - + deps/lua/src/Makefile | 16 ++++++---------- + 3 files changed, 6 insertions(+), 12 deletions(-) + +diff --git a/deps/Makefile b/deps/Makefile +index 8592e17..1807af5 100644 +--- a/deps/Makefile ++++ b/deps/Makefile +@@ -81,7 +81,6 @@ endif + # lua's Makefile defines AR="ar rcu", which is unusual, and makes it more + # challenging to cross-compile lua (and redis). These defines make it easier + # to fit redis into cross-compilation environments, which typically set AR. +-AR=ar + ARFLAGS=rc + + lua: .make-prerequisites +diff --git a/deps/lua/Makefile b/deps/lua/Makefile +index 209a132..72f4b2b 100644 +--- a/deps/lua/Makefile ++++ b/deps/lua/Makefile +@@ -33,7 +33,6 @@ INSTALL_DATA= $(INSTALL) -m 0644 + + # Utilities. + MKDIR= mkdir -p +-RANLIB= ranlib + + # == END OF USER SETTINGS. NO NEED TO CHANGE ANYTHING BELOW THIS LINE ========= + +diff --git a/deps/lua/src/Makefile b/deps/lua/src/Makefile +index f3bba2f..1555ec0 100644 +--- a/deps/lua/src/Makefile ++++ b/deps/lua/src/Makefile +@@ -5,18 +5,14 @@ + # == CHANGE THE SETTINGS BELOW TO SUIT YOUR ENVIRONMENT ======================= + + # Your platform. See PLATS for possible values. 
+-PLAT= none ++PLAT= linux + +-CC?= gcc +-CFLAGS= -O2 -Wall $(MYCFLAGS) +-AR= ar rcu +-RANLIB= ranlib +-RM= rm -f +-LIBS= -lm $(MYLIBS) +- +-MYCFLAGS= ++MYCFLAGS=-DLUA_USE_LINUX + MYLDFLAGS= +-MYLIBS= ++MYLIBS=-Wl,-E -ldl -lreadline -lhistory -lncurses ++ ++CFLAGS += $(MYCFLAGS) ++LIBS += -lm $(MYLIBS) + + # == END OF USER SETTINGS. NO NEED TO CHANGE ANYTHING BELOW THIS LINE ========= + diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/oe-use-libc-malloc.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/oe-use-libc-malloc.patch new file mode 100644 index 0000000000..bf6d0cf3c1 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/oe-use-libc-malloc.patch @@ -0,0 +1,34 @@ +From 88da6b19ecd00747769663e913aba5e9569c489d Mon Sep 17 00:00:00 2001 +From: Venture Research +Date: Wed, 6 Feb 2013 20:51:02 -0600 +Subject: [PATCH] hack to force use of libc malloc + +Hack to force libc usage as it seems the option to pass it in has been +removed in favor of magic. + +Note that this of course doesn't allow tcmalloc and jemalloc, however +jemalloc wasn't building correctly. + +Signed-off-by: Venture Research + +Update to work with 4.0.8 +Signed-off-by: Alistair Francis + +--- + src/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/Makefile b/src/Makefile +index 2a0d74d..ddabd44 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -13,7 +13,8 @@ + # Just use 'make dep', but this is only needed by developers. + + release_hdr := $(shell sh -c './mkreleasehdr.sh') +-uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not') ++# use fake uname option to force use of generic libc ++uname_S := "USE_LIBC_MALLOC" + uname_M := $(shell sh -c 'uname -m 2>/dev/null || echo not') + OPTIMIZATION?=-O2 + DEPENDENCY_TARGETS=hiredis linenoise lua hdr_histogram 
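Review bot: the `deps/lua/src/Makefile` hunk sets `MYLIBS=-Wl,-E -ldl -lreadline -lhistory -lncurses`, which links the embedded Lua against readline, history and ncurses; those become build dependencies of redis that the recipe must declare (not visible here), and `-Wl,-E` exports every symbol from the executable, which an embedded interpreter does not need and which enlarges the dynamic symbol table. Both this patch and `oe-use-libc-malloc.patch` lack an `Upstream-Status` line; `Inappropriate [OE specific]` fits the `hack` wording in the latter's subject. The libc-malloc patch hard-codes `uname_S := "USE_LIBC_MALLOC"`, which also rules out the jemalloc build the header mentions; that trade-off belongs in a recipe comment so it is not rediscovered later.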
diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.conf b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.conf new file mode 100644 index 0000000000..75037d6dc8 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.conf 
@@ -0,0 +1,1314 @@ +# Redis configuration file example. +# +# Note that in order to read the configuration file, Redis must be +# started with the file path as first argument: +# +# ./redis-server /path/to/redis.conf + +# Note on units: when memory size is needed, it is possible to specify +# it in the usual form of 1k 5GB 4M and so forth: +# +# 1k => 1000 bytes +# 1kb => 1024 bytes +# 1m => 1000000 bytes +# 1mb => 1024*1024 bytes +# 1g => 1000000000 bytes +# 1gb => 1024*1024*1024 bytes +# +# units are case insensitive so 1GB 1Gb 1gB are all the same. + +################################## INCLUDES ################################### + +# Include one or more other config files here. This is useful if you +# have a standard template that goes to all Redis servers but also need +# to customize a few per-server settings. Include files can include +# other files, so use this wisely. +# +# Notice option "include" won't be rewritten by command "CONFIG REWRITE" +# from admin or Redis Sentinel. Since Redis always uses the last processed +# line as value of a configuration directive, you'd better put includes +# at the beginning of this file to avoid overwriting config change at runtime. +# +# If instead you are interested in using includes to override configuration +# options, it is better to use include as the last line. +# +# include /path/to/local.conf +# include /path/to/other.conf + +################################## MODULES ##################################### + +# Load modules at startup. If the server is not able to load modules +# it will abort. It is possible to use multiple loadmodule directives. +# +# loadmodule /path/to/my_module.so +# loadmodule /path/to/other_module.so + +################################## NETWORK ##################################### + +# By default, if no "bind" configuration directive is specified, Redis listens +# for connections from all the network interfaces available on the server. 
+# It is possible to listen to just one or multiple selected interfaces using +# the "bind" configuration directive, followed by one or more IP addresses. +# +# Examples: +# +# bind 192.168.1.100 10.0.0.1 +# bind 127.0.0.1 ::1 +# +# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the +# internet, binding to all the interfaces is dangerous and will expose the +# instance to everybody on the internet. So by default we uncomment the +# following bind directive, that will force Redis to listen only into +# the IPv4 lookback interface address (this means Redis will be able to +# accept connections only from clients running into the same computer it +# is running). +# +# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES +# JUST COMMENT THE FOLLOWING LINE. +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +bind 127.0.0.1 + +# Protected mode is a layer of security protection, in order to avoid that +# Redis instances left open on the internet are accessed and exploited. +# +# When protected mode is on and if: +# +# 1) The server is not binding explicitly to a set of addresses using the +# "bind" directive. +# 2) No password is configured. +# +# The server only accepts connections from clients connecting from the +# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain +# sockets. +# +# By default protected mode is enabled. You should disable it only if +# you are sure you want clients from other hosts to connect to Redis +# even if no authentication is configured, nor a specific set of interfaces +# are explicitly listed using the "bind" directive. +protected-mode yes + +# Accept connections on the specified port, default is 6379 (IANA #815344). +# If port 0 is specified Redis will not listen on a TCP socket. +port 6379 + +# TCP listen() backlog. +# +# In high requests-per-second environments you need an high backlog in order +# to avoid slow clients connections issues. 
Note that the Linux kernel +# will silently truncate it to the value of /proc/sys/net/core/somaxconn so +# make sure to raise both the value of somaxconn and tcp_max_syn_backlog +# in order to get the desired effect. +tcp-backlog 511 + +# Unix socket. +# +# Specify the path for the Unix socket that will be used to listen for +# incoming connections. There is no default, so Redis will not listen +# on a unix socket when not specified. +# +# unixsocket /tmp/redis.sock +# unixsocketperm 700 + +# Close the connection after a client is idle for N seconds (0 to disable) +timeout 0 + +# TCP keepalive. +# +# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence +# of communication. This is useful for two reasons: +# +# 1) Detect dead peers. +# 2) Take the connection alive from the point of view of network +# equipment in the middle. +# +# On Linux, the specified value (in seconds) is the period used to send ACKs. +# Note that to close the connection the double of the time is needed. +# On other kernels the period depends on the kernel configuration. +# +# A reasonable value for this option is 300 seconds, which is the new +# Redis default starting with Redis 3.2.1. +tcp-keepalive 300 + +################################# GENERAL ##################################### + +# OE: run as a daemon. +daemonize yes + +# If you run Redis from upstart or systemd, Redis can interact with your +# supervision tree. Options: +# supervised no - no supervision interaction +# supervised upstart - signal upstart by putting Redis into SIGSTOP mode +# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET +# supervised auto - detect upstart or systemd method based on +# UPSTART_JOB or NOTIFY_SOCKET environment variables +# Note: these supervision methods only signal "process is ready." +# They do not enable continuous liveness pings back to your supervisor. 
+supervised no + +# If a pid file is specified, Redis writes it where specified at startup +# and removes it at exit. +# +# When the server runs non daemonized, no pid file is created if none is +# specified in the configuration. When the server is daemonized, the pid file +# is used even if not specified, defaulting to "/var/run/redis.pid". +# +# Creating a pid file is best effort: if Redis is not able to create it +# nothing bad happens, the server will start and run normally. + +# When running daemonized, Redis writes a pid file in /var/run/redis.pid by +# default. You can specify a custom pid file location here. +pidfile /var/run/redis.pid + +# Specify the server verbosity level. +# This can be one of: +# debug (a lot of information, useful for development/testing) +# verbose (many rarely useful info, but not a mess like the debug level) +# notice (moderately verbose, what you want in production probably) +# warning (only very important / critical messages are logged) +loglevel notice + +# Specify the log file name. Also the empty string can be used to force +# Redis to log on the standard output. Note that if you use standard +# output for logging but daemonize, logs will be sent to /dev/null +logfile "" + +# To enable logging to the system logger, just set 'syslog-enabled' to yes, +# and optionally update the other syslog parameters to suit your needs. +syslog-enabled yes + +# Specify the syslog identity. +syslog-ident redis + +# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. +# syslog-facility local0 + +# Set the number of databases. The default database is DB 0, you can select +# a different one on a per-connection basis using SELECT where +# dbid is a number between 0 and 'databases'-1 +databases 16 + +# By default Redis shows an ASCII art logo only when started to log to the +# standard output and if the standard output is a TTY. Basically this means +# that normally a logo is displayed only in interactive sessions. 
+# +# However it is possible to force the pre-4.0 behavior and always show a +# ASCII art logo in startup logs by setting the following option to yes. +always-show-logo yes + +################################ SNAPSHOTTING ################################ +# +# Save the DB on disk: +# +# save +# +# Will save the DB if both the given number of seconds and the given +# number of write operations against the DB occurred. +# +# In the example below the behaviour will be to save: +# after 900 sec (15 min) if at least 1 key changed +# after 300 sec (5 min) if at least 10 keys changed +# after 60 sec if at least 10000 keys changed +# +# Note: you can disable saving completely by commenting out all "save" lines. +# +# It is also possible to remove all the previously configured save +# points by adding a save directive with a single empty string argument +# like in the following example: +# +# save "" + +#save 900 1 +#save 300 10 +#save 60 10000 + +# OE: tune for a small embedded system with a limited # of keys. +save 120 1 +save 60 100 +save 30 1000 + +# By default Redis will stop accepting writes if RDB snapshots are enabled +# (at least one save point) and the latest background save failed. +# This will make the user aware (in a hard way) that data is not persisting +# on disk properly, otherwise chances are that no one will notice and some +# disaster will happen. +# +# If the background saving process will start working again Redis will +# automatically allow writes again. +# +# However if you have setup your proper monitoring of the Redis server +# and persistence, you may want to disable this feature so that Redis will +# continue to work as usual even if there are problems with disk, +# permissions, and so forth. +stop-writes-on-bgsave-error yes + +# Compress string objects using LZF when dump .rdb databases? +# For default that's set to 'yes' as it's almost always a win. 
+# If you want to save some CPU in the saving child set it to 'no' but +# the dataset will likely be bigger if you have compressible values or keys. +rdbcompression yes + +# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. +# This makes the format more resistant to corruption but there is a performance +# hit to pay (around 10%) when saving and loading RDB files, so you can disable it +# for maximum performances. +# +# RDB files created with checksum disabled have a checksum of zero that will +# tell the loading code to skip the check. +rdbchecksum yes + +# The filename where to dump the DB +dbfilename dump.rdb + +# The working directory. +# +# The DB will be written inside this directory, with the filename specified +# above using the 'dbfilename' configuration directive. +# +# The Append Only File will also be created inside this directory. +# +# Note that you must specify a directory here, not a file name. +dir /var/lib/redis/ + +################################# REPLICATION ################################# + +# Master-Slave replication. Use slaveof to make a Redis instance a copy of +# another Redis server. A few things to understand ASAP about Redis replication. +# +# 1) Redis replication is asynchronous, but you can configure a master to +# stop accepting writes if it appears to be not connected with at least +# a given number of slaves. +# 2) Redis slaves are able to perform a partial resynchronization with the +# master if the replication link is lost for a relatively small amount of +# time. You may want to configure the replication backlog size (see the next +# sections of this file) with a sensible value depending on your needs. +# 3) Replication is automatic and does not need user intervention. After a +# network partition slaves automatically try to reconnect to masters +# and resynchronize with them. 
+# +# slaveof + +# If the master is password protected (using the "requirepass" configuration +# directive below) it is possible to tell the slave to authenticate before +# starting the replication synchronization process, otherwise the master will +# refuse the slave request. +# +# masterauth + +# When a slave loses its connection with the master, or when the replication +# is still in progress, the slave can act in two different ways: +# +# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will +# still reply to client requests, possibly with out of date data, or the +# data set may just be empty if this is the first synchronization. +# +# 2) if slave-serve-stale-data is set to 'no' the slave will reply with +# an error "SYNC with master in progress" to all the kind of commands +# but to INFO and SLAVEOF. +# +slave-serve-stale-data yes + +# You can configure a slave instance to accept writes or not. Writing against +# a slave instance may be useful to store some ephemeral data (because data +# written on a slave will be easily deleted after resync with the master) but +# may also cause problems if clients are writing to it because of a +# misconfiguration. +# +# Since Redis 2.6 by default slaves are read-only. +# +# Note: read only slaves are not designed to be exposed to untrusted clients +# on the internet. It's just a protection layer against misuse of the instance. +# Still a read only slave exports by default all the administrative commands +# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve +# security of read only slaves using 'rename-command' to shadow all the +# administrative / dangerous commands. +slave-read-only yes + +# Replication SYNC strategy: disk or socket. 
+# +# ------------------------------------------------------- +# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY +# ------------------------------------------------------- +# +# New slaves and reconnecting slaves that are not able to continue the replication +# process just receiving differences, need to do what is called a "full +# synchronization". An RDB file is transmitted from the master to the slaves. +# The transmission can happen in two different ways: +# +# 1) Disk-backed: The Redis master creates a new process that writes the RDB +# file on disk. Later the file is transferred by the parent +# process to the slaves incrementally. +# 2) Diskless: The Redis master creates a new process that directly writes the +# RDB file to slave sockets, without touching the disk at all. +# +# With disk-backed replication, while the RDB file is generated, more slaves +# can be queued and served with the RDB file as soon as the current child producing +# the RDB file finishes its work. With diskless replication instead once +# the transfer starts, new slaves arriving will be queued and a new transfer +# will start when the current one terminates. +# +# When diskless replication is used, the master waits a configurable amount of +# time (in seconds) before starting the transfer in the hope that multiple slaves +# will arrive and the transfer can be parallelized. +# +# With slow disks and fast (large bandwidth) networks, diskless replication +# works better. +repl-diskless-sync no + +# When diskless replication is enabled, it is possible to configure the delay +# the server waits in order to spawn the child that transfers the RDB via socket +# to the slaves. +# +# This is important since once the transfer starts, it is not possible to serve +# new slaves arriving, that will be queued for the next RDB transfer, so the server +# waits a delay in order to let more slaves arrive. +# +# The delay is specified in seconds, and by default is 5 seconds. 
To disable +# it entirely just set it to 0 seconds and the transfer will start ASAP. +repl-diskless-sync-delay 5 + +# Slaves send PINGs to server in a predefined interval. It's possible to change +# this interval with the repl_ping_slave_period option. The default value is 10 +# seconds. +# +# repl-ping-slave-period 10 + +# The following option sets the replication timeout for: +# +# 1) Bulk transfer I/O during SYNC, from the point of view of slave. +# 2) Master timeout from the point of view of slaves (data, pings). +# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). +# +# It is important to make sure that this value is greater than the value +# specified for repl-ping-slave-period otherwise a timeout will be detected +# every time there is low traffic between the master and the slave. +# +# repl-timeout 60 + +# Disable TCP_NODELAY on the slave socket after SYNC? +# +# If you select "yes" Redis will use a smaller number of TCP packets and +# less bandwidth to send data to slaves. But this can add a delay for +# the data to appear on the slave side, up to 40 milliseconds with +# Linux kernels using a default configuration. +# +# If you select "no" the delay for data to appear on the slave side will +# be reduced but more bandwidth will be used for replication. +# +# By default we optimize for low latency, but in very high traffic conditions +# or when the master and slaves are many hops away, turning this to "yes" may +# be a good idea. +repl-disable-tcp-nodelay no + +# Set the replication backlog size. The backlog is a buffer that accumulates +# slave data when slaves are disconnected for some time, so that when a slave +# wants to reconnect again, often a full resync is not needed, but a partial +# resync is enough, just passing the portion of data the slave missed while +# disconnected. +# +# The bigger the replication backlog, the longer the time the slave can be +# disconnected and later be able to perform a partial resynchronization. 
+# +# The backlog is only allocated once there is at least a slave connected. +# +# repl-backlog-size 1mb + +# After a master has no longer connected slaves for some time, the backlog +# will be freed. The following option configures the amount of seconds that +# need to elapse, starting from the time the last slave disconnected, for +# the backlog buffer to be freed. +# +# Note that slaves never free the backlog for timeout, since they may be +# promoted to masters later, and should be able to correctly "partially +# resynchronize" with the slaves: hence they should always accumulate backlog. +# +# A value of 0 means to never release the backlog. +# +# repl-backlog-ttl 3600 + +# The slave priority is an integer number published by Redis in the INFO output. +# It is used by Redis Sentinel in order to select a slave to promote into a +# master if the master is no longer working correctly. +# +# A slave with a low priority number is considered better for promotion, so +# for instance if there are three slaves with priority 10, 100, 25 Sentinel will +# pick the one with priority 10, that is the lowest. +# +# However a special priority of 0 marks the slave as not able to perform the +# role of master, so a slave with priority of 0 will never be selected by +# Redis Sentinel for promotion. +# +# By default the priority is 100. +slave-priority 100 + +# It is possible for a master to stop accepting writes if there are less than +# N slaves connected, having a lag less or equal than M seconds. +# +# The N slaves need to be in "online" state. +# +# The lag in seconds, that must be <= the specified value, is calculated from +# the last ping received from the slave, that is usually sent every second. +# +# This option does not GUARANTEE that N replicas will accept the write, but +# will limit the window of exposure for lost writes in case not enough slaves +# are available, to the specified number of seconds. 
+# +# For example to require at least 3 slaves with a lag <= 10 seconds use: +# +# min-slaves-to-write 3 +# min-slaves-max-lag 10 +# +# Setting one or the other to 0 disables the feature. +# +# By default min-slaves-to-write is set to 0 (feature disabled) and +# min-slaves-max-lag is set to 10. + +# A Redis master is able to list the address and port of the attached +# slaves in different ways. For example the "INFO replication" section +# offers this information, which is used, among other tools, by +# Redis Sentinel in order to discover slave instances. +# Another place where this info is available is in the output of the +# "ROLE" command of a master. +# +# The listed IP and address normally reported by a slave is obtained +# in the following way: +# +# IP: The address is auto detected by checking the peer address +# of the socket used by the slave to connect with the master. +# +# Port: The port is communicated by the slave during the replication +# handshake, and is normally the port that the slave is using to +# list for connections. +# +# However when port forwarding or Network Address Translation (NAT) is +# used, the slave may be actually reachable via different IP and port +# pairs. The following two options can be used by a slave in order to +# report to its master a specific set of IP and port, so that both INFO +# and ROLE will report those values. +# +# There is no need to use both the options if you need to override just +# the port or the IP address. +# +# slave-announce-ip 5.5.5.5 +# slave-announce-port 1234 + +################################## SECURITY ################################### + +# Require clients to issue AUTH before processing any other +# commands. This might be useful in environments in which you do not trust +# others with access to the host running redis-server. +# +# This should stay commented out for backward compatibility and because most +# people do not need auth (e.g. they run their own servers). 
+# +# Warning: since Redis is pretty fast an outside user can try up to +# 150k passwords per second against a good box. This means that you should +# use a very strong password otherwise it will be very easy to break. +# +# requirepass foobared + +# Command renaming. +# +# It is possible to change the name of dangerous commands in a shared +# environment. For instance the CONFIG command may be renamed into something +# hard to guess so that it will still be available for internal-use tools +# but not available for general clients. +# +# Example: +# +# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 +# +# It is also possible to completely kill a command by renaming it into +# an empty string: +# +# rename-command CONFIG "" +# +# Please note that changing the name of commands that are logged into the +# AOF file or transmitted to slaves may cause problems. + +################################### CLIENTS #################################### + +# Set the max number of connected clients at the same time. By default +# this limit is set to 10000 clients, however if the Redis server is not +# able to configure the process file limit to allow for the specified limit +# the max number of allowed clients is set to the current file limit +# minus 32 (as Redis reserves a few file descriptors for internal uses). +# +# Once the limit is reached Redis will close all the new connections sending +# an error 'max number of clients reached'. +# +# maxclients 10000 + +############################## MEMORY MANAGEMENT ################################ + +# Set a memory usage limit to the specified amount of bytes. +# When the memory limit is reached Redis will try to remove keys +# according to the eviction policy selected (see maxmemory-policy). 
+# +# If Redis can't remove keys according to the policy, or if the policy is +# set to 'noeviction', Redis will start to reply with errors to commands +# that would use more memory, like SET, LPUSH, and so on, and will continue +# to reply to read-only commands like GET. +# +# This option is usually useful when using Redis as an LRU or LFU cache, or to +# set a hard memory limit for an instance (using the 'noeviction' policy). +# +# WARNING: If you have slaves attached to an instance with maxmemory on, +# the size of the output buffers needed to feed the slaves are subtracted +# from the used memory count, so that network problems / resyncs will +# not trigger a loop where keys are evicted, and in turn the output +# buffer of slaves is full with DELs of keys evicted triggering the deletion +# of more keys, and so forth until the database is completely emptied. +# +# In short... if you have slaves attached it is suggested that you set a lower +# limit for maxmemory so that there is some free RAM on the system for slave +# output buffers (but this is not needed if the policy is 'noeviction'). +# +# maxmemory + +# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory +# is reached. You can select among five behaviors: +# +# volatile-lru -> Evict using approximated LRU among the keys with an expire set. +# allkeys-lru -> Evict any key using approximated LRU. +# volatile-lfu -> Evict using approximated LFU among the keys with an expire set. +# allkeys-lfu -> Evict any key using approximated LFU. +# volatile-random -> Remove a random key among the ones with an expire set. +# allkeys-random -> Remove a random key, any key. +# volatile-ttl -> Remove the key with the nearest expire time (minor TTL) +# noeviction -> Don't evict anything, just return an error on write operations. +# +# LRU means Least Recently Used +# LFU means Least Frequently Used +# +# Both LRU, LFU and volatile-ttl are implemented using approximated +# randomized algorithms. 
+# +# Note: with any of the above policies, Redis will return an error on write +# operations, when there are no suitable keys for eviction. +# +# At the date of writing these commands are: set setnx setex append +# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd +# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby +# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby +# getset mset msetnx exec sort +# +# The default is: +# +# maxmemory-policy noeviction + +# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated +# algorithms (in order to save memory), so you can tune it for speed or +# accuracy. For default Redis will check five keys and pick the one that was +# used less recently, you can change the sample size using the following +# configuration directive. +# +# The default of 5 produces good enough results. 10 Approximates very closely +# true LRU but costs more CPU. 3 is faster but not very accurate. +# +# maxmemory-samples 5 + +############################# LAZY FREEING #################################### + +# Redis has two primitives to delete keys. One is called DEL and is a blocking +# deletion of the object. It means that the server stops processing new commands +# in order to reclaim all the memory associated with an object in a synchronous +# way. If the key deleted is associated with a small object, the time needed +# in order to execute the DEL command is very small and comparable to most other +# O(1) or O(log_N) commands in Redis. However if the key is associated with an +# aggregated value containing millions of elements, the server can block for +# a long time (even seconds) in order to complete the operation. +# +# For the above reasons Redis also offers non blocking deletion primitives +# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and +# FLUSHDB commands, in order to reclaim memory in background. Those commands +# are executed in constant time. 
Another thread will incrementally free the +# object in the background as fast as possible. +# +# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled. +# It's up to the design of the application to understand when it is a good +# idea to use one or the other. However the Redis server sometimes has to +# delete keys or flush the whole database as a side effect of other operations. +# Specifically Redis deletes objects independently of a user call in the +# following scenarios: +# +# 1) On eviction, because of the maxmemory and maxmemory policy configurations, +# in order to make room for new data, without going over the specified +# memory limit. +# 2) Because of expire: when a key with an associated time to live (see the +# EXPIRE command) must be deleted from memory. +# 3) Because of a side effect of a command that stores data on a key that may +# already exist. For example the RENAME command may delete the old key +# content when it is replaced with another one. Similarly SUNIONSTORE +# or SORT with STORE option may delete existing keys. The SET command +# itself removes any old content of the specified key in order to replace +# it with the specified string. +# 4) During replication, when a slave performs a full resynchronization with +# its master, the content of the whole database is removed in order to +# load the RDB file just transfered. +# +# In all the above cases the default is to delete objects in a blocking way, +# like if DEL was called. However you can configure each case specifically +# in order to instead release memory in a non-blocking way like if UNLINK +# was called, using the following configuration directives: + +lazyfree-lazy-eviction no +lazyfree-lazy-expire no +lazyfree-lazy-server-del no +slave-lazy-flush no + +############################## APPEND ONLY MODE ############################### + +# By default Redis asynchronously dumps the dataset on disk. 
This mode is +# good enough in many applications, but an issue with the Redis process or +# a power outage may result into a few minutes of writes lost (depending on +# the configured save points). +# +# The Append Only File is an alternative persistence mode that provides +# much better durability. For instance using the default data fsync policy +# (see later in the config file) Redis can lose just one second of writes in a +# dramatic event like a server power outage, or a single write if something +# wrong with the Redis process itself happens, but the operating system is +# still running correctly. +# +# AOF and RDB persistence can be enabled at the same time without problems. +# If the AOF is enabled on startup Redis will load the AOF, that is the file +# with the better durability guarantees. +# +# Please check http://redis.io/topics/persistence for more information. + +# OE: changed default to enable this +appendonly yes + +# The name of the append only file (default: "appendonly.aof") + +appendfilename "appendonly.aof" + +# The fsync() call tells the Operating System to actually write data on disk +# instead of waiting for more data in the output buffer. Some OS will really flush +# data on disk, some other OS will just try to do it ASAP. +# +# Redis supports three different modes: +# +# no: don't fsync, just let the OS flush the data when it wants. Faster. +# always: fsync after every write to the append only log. Slow, Safest. +# everysec: fsync only one time every second. Compromise. +# +# The default is "everysec", as that's usually the right compromise between +# speed and data safety. It's up to you to understand if you can relax this to +# "no" that will let the operating system flush the output buffer when +# it wants, for better performances (but if you can live with the idea of +# some data loss consider the default persistence mode that's snapshotting), +# or on the contrary, use "always" that's very slow but a bit safer than +# everysec. 
+# +# More details please check the following article: +# http://antirez.com/post/redis-persistence-demystified.html +# +# If unsure, use "everysec". + +# appendfsync always +appendfsync everysec +# appendfsync no + +# When the AOF fsync policy is set to always or everysec, and a background +# saving process (a background save or AOF log background rewriting) is +# performing a lot of I/O against the disk, in some Linux configurations +# Redis may block too long on the fsync() call. Note that there is no fix for +# this currently, as even performing fsync in a different thread will block +# our synchronous write(2) call. +# +# In order to mitigate this problem it's possible to use the following option +# that will prevent fsync() from being called in the main process while a +# BGSAVE or BGREWRITEAOF is in progress. +# +# This means that while another child is saving, the durability of Redis is +# the same as "appendfsync none". In practical terms, this means that it is +# possible to lose up to 30 seconds of log in the worst scenario (with the +# default Linux settings). +# +# If you have latency problems turn this to "yes". Otherwise leave it as +# "no" that is the safest pick from the point of view of durability. + +no-appendfsync-on-rewrite no + +# Automatic rewrite of the append only file. +# Redis is able to automatically rewrite the log file implicitly calling +# BGREWRITEAOF when the AOF log size grows by the specified percentage. +# +# This is how it works: Redis remembers the size of the AOF file after the +# latest rewrite (if no rewrite has happened since the restart, the size of +# the AOF at startup is used). +# +# This base size is compared to the current size. If the current size is +# bigger than the specified percentage, the rewrite is triggered. Also +# you need to specify a minimal size for the AOF file to be rewritten, this +# is useful to avoid rewriting the AOF file even if the percentage increase +# is reached but it is still pretty small. 
+# +# Specify a percentage of zero in order to disable the automatic AOF +# rewrite feature. + +auto-aof-rewrite-percentage 100 +auto-aof-rewrite-min-size 64mb + +# An AOF file may be found to be truncated at the end during the Redis +# startup process, when the AOF data gets loaded back into memory. +# This may happen when the system where Redis is running +# crashes, especially when an ext4 filesystem is mounted without the +# data=ordered option (however this can't happen when Redis itself +# crashes or aborts but the operating system still works correctly). +# +# Redis can either exit with an error when this happens, or load as much +# data as possible (the default now) and start if the AOF file is found +# to be truncated at the end. The following option controls this behavior. +# +# If aof-load-truncated is set to yes, a truncated AOF file is loaded and +# the Redis server starts emitting a log to inform the user of the event. +# Otherwise if the option is set to no, the server aborts with an error +# and refuses to start. When the option is set to no, the user requires +# to fix the AOF file using the "redis-check-aof" utility before to restart +# the server. +# +# Note that if the AOF file will be found to be corrupted in the middle +# the server will still exit with an error. This option only applies when +# Redis will try to read more data from the AOF file but not enough bytes +# will be found. +aof-load-truncated yes + +# When rewriting the AOF file, Redis is able to use an RDB preamble in the +# AOF file for faster rewrites and recoveries. When this option is turned +# on the rewritten AOF file is composed of two different stanzas: +# +# [RDB file][AOF tail] +# +# When loading Redis recognizes that the AOF file starts with the "REDIS" +# string and loads the prefixed RDB file, and continues loading the AOF +# tail. 
+# +# This is currently turned off by default in order to avoid the surprise +# of a format change, but will at some point be used as the default. +aof-use-rdb-preamble no + +################################ LUA SCRIPTING ############################### + +# Max execution time of a Lua script in milliseconds. +# +# If the maximum execution time is reached Redis will log that a script is +# still in execution after the maximum allowed time and will start to +# reply to queries with an error. +# +# When a long running script exceeds the maximum execution time only the +# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be +# used to stop a script that did not yet called write commands. The second +# is the only way to shut down the server in the case a write command was +# already issued by the script but the user doesn't want to wait for the natural +# termination of the script. +# +# Set it to 0 or a negative value for unlimited execution without warnings. +lua-time-limit 5000 + +################################ REDIS CLUSTER ############################### +# +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however +# in order to mark it as "mature" we need to wait for a non trivial percentage +# of users to deploy it in production. +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +# +# Normal Redis instances can't be part of a Redis Cluster; only nodes that are +# started as cluster nodes can. In order to start a Redis instance as a +# cluster node enable the cluster support uncommenting the following: +# +# cluster-enabled yes + +# Every cluster node has a cluster configuration file. This file is not +# intended to be edited by hand. It is created and updated by Redis nodes. +# Every Redis Cluster node requires a different cluster configuration file. 
+# Make sure that instances running in the same system do not have +# overlapping cluster configuration file names. +# +# cluster-config-file nodes-6379.conf + +# Cluster node timeout is the amount of milliseconds a node must be unreachable +# for it to be considered in failure state. +# Most other internal time limits are multiple of the node timeout. +# +# cluster-node-timeout 15000 + +# A slave of a failing master will avoid to start a failover if its data +# looks too old. +# +# There is no simple way for a slave to actually have an exact measure of +# its "data age", so the following two checks are performed: +# +# 1) If there are multiple slaves able to failover, they exchange messages +# in order to try to give an advantage to the slave with the best +# replication offset (more data from the master processed). +# Slaves will try to get their rank by offset, and apply to the start +# of the failover a delay proportional to their rank. +# +# 2) Every single slave computes the time of the last interaction with +# its master. This can be the last ping or command received (if the master +# is still in the "connected" state), or the time that elapsed since the +# disconnection with the master (if the replication link is currently down). +# If the last interaction is too old, the slave will not try to failover +# at all. +# +# The point "2" can be tuned by user. Specifically a slave will not perform +# the failover if, since the last interaction with the master, the time +# elapsed is greater than: +# +# (node-timeout * slave-validity-factor) + repl-ping-slave-period +# +# So for example if node-timeout is 30 seconds, and the slave-validity-factor +# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the +# slave will not try to failover if it was not able to talk with the master +# for longer than 310 seconds. 
+# +# A large slave-validity-factor may allow slaves with too old data to failover +# a master, while a too small value may prevent the cluster from being able to +# elect a slave at all. +# +# For maximum availability, it is possible to set the slave-validity-factor +# to a value of 0, which means, that slaves will always try to failover the +# master regardless of the last time they interacted with the master. +# (However they'll always try to apply a delay proportional to their +# offset rank). +# +# Zero is the only value able to guarantee that when all the partitions heal +# the cluster will always be able to continue. +# +# cluster-slave-validity-factor 10 + +# Cluster slaves are able to migrate to orphaned masters, that are masters +# that are left without working slaves. This improves the cluster ability +# to resist to failures as otherwise an orphaned master can't be failed over +# in case of failure if it has no working slaves. +# +# Slaves migrate to orphaned masters only if there are still at least a +# given number of other working slaves for their old master. This number +# is the "migration barrier". A migration barrier of 1 means that a slave +# will migrate only if there is at least 1 other working slave for its master +# and so forth. It usually reflects the number of slaves you want for every +# master in your cluster. +# +# Default is 1 (slaves migrate only if their masters remain with at least +# one slave). To disable migration just set it to a very large value. +# A value of 0 can be set but is useful only for debugging and dangerous +# in production. +# +# cluster-migration-barrier 1 + +# By default Redis Cluster nodes stop accepting queries if they detect there +# is at least an hash slot uncovered (no available node is serving it). +# This way if the cluster is partially down (for example a range of hash slots +# are no longer covered) all the cluster becomes, eventually, unavailable. 
+# It automatically returns available as soon as all the slots are covered again. +# +# However sometimes you want the subset of the cluster which is working, +# to continue to accept queries for the part of the key space that is still +# covered. In order to do so, just set the cluster-require-full-coverage +# option to no. +# +# cluster-require-full-coverage yes + +# In order to setup your cluster make sure to read the documentation +# available at http://redis.io web site. + +########################## CLUSTER DOCKER/NAT support ######################## + +# In certain deployments, Redis Cluster nodes address discovery fails, because +# addresses are NAT-ted or because ports are forwarded (the typical case is +# Docker and other containers). +# +# In order to make Redis Cluster working in such environments, a static +# configuration where each node knows its public address is needed. The +# following two options are used for this scope, and are: +# +# * cluster-announce-ip +# * cluster-announce-port +# * cluster-announce-bus-port +# +# Each instruct the node about its address, client port, and cluster message +# bus port. The information is then published in the header of the bus packets +# so that other nodes will be able to correctly map the address of the node +# publishing the information. +# +# If the above options are not used, the normal Redis Cluster auto-detection +# will be used instead. +# +# Note that when remapped, the bus port may not be at the fixed offset of +# clients port + 10000, so you can specify any port and bus-port depending +# on how they get remapped. If the bus-port is not set, a fixed offset of +# 10000 will be used as usually. +# +# Example: +# +# cluster-announce-ip 10.1.1.5 +# cluster-announce-port 6379 +# cluster-announce-bus-port 6380 + +################################## SLOW LOG ################################### + +# The Redis Slow Log is a system to log queries that exceeded a specified +# execution time. 
The execution time does not include the I/O operations +# like talking with the client, sending the reply and so forth, +# but just the time needed to actually execute the command (this is the only +# stage of command execution where the thread is blocked and can not serve +# other requests in the meantime). +# +# You can configure the slow log with two parameters: one tells Redis +# what is the execution time, in microseconds, to exceed in order for the +# command to get logged, and the other parameter is the length of the +# slow log. When a new command is logged the oldest one is removed from the +# queue of logged commands. + +# The following time is expressed in microseconds, so 1000000 is equivalent +# to one second. Note that a negative number disables the slow log, while +# a value of zero forces the logging of every command. +slowlog-log-slower-than 10000 + +# There is no limit to this length. Just be aware that it will consume memory. +# You can reclaim memory used by the slow log with SLOWLOG RESET. +slowlog-max-len 128 + +################################ LATENCY MONITOR ############################## + +# The Redis latency monitoring subsystem samples different operations +# at runtime in order to collect data related to possible sources of +# latency of a Redis instance. +# +# Via the LATENCY command this information is available to the user that can +# print graphs and obtain reports. +# +# The system only logs operations that were performed in a time equal or +# greater than the amount of milliseconds specified via the +# latency-monitor-threshold configuration directive. When its value is set +# to zero, the latency monitor is turned off. +# +# By default latency monitoring is disabled since it is mostly not needed +# if you don't have latency issues, and collecting data has a performance +# impact, that while very small, can be measured under big load. 
Latency +# monitoring can easily be enabled at runtime using the command +# "CONFIG SET latency-monitor-threshold " if needed. +latency-monitor-threshold 0 + +############################# EVENT NOTIFICATION ############################## + +# Redis can notify Pub/Sub clients about events happening in the key space. +# This feature is documented at http://redis.io/topics/notifications +# +# For instance if keyspace events notification is enabled, and a client +# performs a DEL operation on key "foo" stored in the Database 0, two +# messages will be published via Pub/Sub: +# +# PUBLISH __keyspace@0__:foo del +# PUBLISH __keyevent@0__:del foo +# +# It is possible to select the events that Redis will notify among a set +# of classes. Every class is identified by a single character: +# +# K Keyspace events, published with __keyspace@__ prefix. +# E Keyevent events, published with __keyevent@__ prefix. +# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... +# $ String commands +# l List commands +# s Set commands +# h Hash commands +# z Sorted set commands +# x Expired events (events generated every time a key expires) +# e Evicted events (events generated when a key is evicted for maxmemory) +# A Alias for g$lshzxe, so that the "AKE" string means all the events. +# +# The "notify-keyspace-events" takes as argument a string that is composed +# of zero or multiple characters. The empty string means that notifications +# are disabled. +# +# Example: to enable list and generic events, from the point of view of the +# event name, use: +# +# notify-keyspace-events Elg +# +# Example 2: to get the stream of the expired keys subscribing to channel +# name __keyevent@0__:expired use: +# +# notify-keyspace-events Ex +# +# By default all notifications are disabled because most users don't need +# this feature and the feature has some overhead. Note that if you don't +# specify at least one of K or E, no events will be delivered. 
+notify-keyspace-events "" + +############################### ADVANCED CONFIG ############################### + +# Hashes are encoded using a memory efficient data structure when they have a +# small number of entries, and the biggest entry does not exceed a given +# threshold. These thresholds can be configured using the following directives. +hash-max-ziplist-entries 512 +hash-max-ziplist-value 64 + +# Lists are also encoded in a special way to save a lot of space. +# The number of entries allowed per internal list node can be specified +# as a fixed maximum size or a maximum number of elements. +# For a fixed maximum size, use -5 through -1, meaning: +# -5: max size: 64 Kb <-- not recommended for normal workloads +# -4: max size: 32 Kb <-- not recommended +# -3: max size: 16 Kb <-- probably not recommended +# -2: max size: 8 Kb <-- good +# -1: max size: 4 Kb <-- good +# Positive numbers mean store up to _exactly_ that number of elements +# per list node. +# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), +# but if your use case is unique, adjust the settings as necessary. +list-max-ziplist-size -2 + +# Lists may also be compressed. +# Compress depth is the number of quicklist ziplist nodes from *each* side of +# the list to *exclude* from compression. The head and tail of the list +# are always uncompressed for fast push/pop operations. Settings are: +# 0: disable all list compression +# 1: depth 1 means "don't start compressing until after 1 node into the list, +# going from either the head or tail" +# So: [head]->node->node->...->node->[tail] +# [head], [tail] will always be uncompressed; inner nodes will compress. +# 2: [head]->[next]->node->node->...->node->[prev]->[tail] +# 2 here means: don't compress head or head->next or tail->prev or tail, +# but compress all nodes between them. +# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail] +# etc. 
+list-compress-depth 0 + +# Sets have a special encoding in just one case: when a set is composed +# of just strings that happen to be integers in radix 10 in the range +# of 64 bit signed integers. +# The following configuration setting sets the limit in the size of the +# set in order to use this special memory saving encoding. +set-max-intset-entries 512 + +# Similarly to hashes and lists, sorted sets are also specially encoded in +# order to save a lot of space. This encoding is only used when the length and +# elements of a sorted set are below the following limits: +zset-max-ziplist-entries 128 +zset-max-ziplist-value 64 + +# HyperLogLog sparse representation bytes limit. The limit includes the +# 16 bytes header. When an HyperLogLog using the sparse representation crosses +# this limit, it is converted into the dense representation. +# +# A value greater than 16000 is totally useless, since at that point the +# dense representation is more memory efficient. +# +# The suggested value is ~ 3000 in order to have the benefits of +# the space efficient encoding without slowing down too much PFADD, +# which is O(N) with the sparse encoding. The value can be raised to +# ~ 10000 when CPU is not a concern, but space is, and the data set is +# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. +hll-sparse-max-bytes 3000 + +# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in +# order to help rehashing the main Redis hash table (the one mapping top-level +# keys to values). The hash table implementation Redis uses (see dict.c) +# performs a lazy rehashing: the more operation you run into a hash table +# that is rehashing, the more rehashing "steps" are performed, so if the +# server is idle the rehashing is never complete and some more memory is used +# by the hash table. +# +# The default is to use this millisecond 10 times every second in order to +# actively rehash the main dictionaries, freeing memory when possible. 
+# +# If unsure: +# use "activerehashing no" if you have hard latency requirements and it is +# not a good thing in your environment that Redis can reply from time to time +# to queries with 2 milliseconds delay. +# +# use "activerehashing yes" if you don't have such hard requirements but +# want to free memory asap when possible. +activerehashing yes + +# The client output buffer limits can be used to force disconnection of clients +# that are not reading data from the server fast enough for some reason (a +# common reason is that a Pub/Sub client can't consume messages as fast as the +# publisher can produce them). +# +# The limit can be set differently for the three different classes of clients: +# +# normal -> normal clients including MONITOR clients +# slave -> slave clients +# pubsub -> clients subscribed to at least one pubsub channel or pattern +# +# The syntax of every client-output-buffer-limit directive is the following: +# +# client-output-buffer-limit +# +# A client is immediately disconnected once the hard limit is reached, or if +# the soft limit is reached and remains reached for the specified number of +# seconds (continuously). +# So for instance if the hard limit is 32 megabytes and the soft limit is +# 16 megabytes / 10 seconds, the client will get disconnected immediately +# if the size of the output buffers reach 32 megabytes, but will also get +# disconnected if the client reaches 16 megabytes and continuously overcomes +# the limit for 10 seconds. +# +# By default normal clients are not limited because they don't receive data +# without asking (in a push way), but just after a request, so only +# asynchronous clients may create a scenario where data is requested faster +# than it can read. +# +# Instead there is a default limit for pubsub and slave clients, since +# subscribers and slaves receive data in a push fashion. +# +# Both the hard or the soft limit can be disabled by setting them to zero. 
+client-output-buffer-limit normal 0 0 0 +client-output-buffer-limit slave 256mb 64mb 60 +client-output-buffer-limit pubsub 32mb 8mb 60 + +# Client query buffers accumulate new commands. They are limited to a fixed +# amount by default in order to avoid that a protocol desynchronization (for +# instance due to a bug in the client) will lead to unbound memory usage in +# the query buffer. However you can configure it here if you have very special +# needs, such us huge multi/exec requests or alike. +# +# client-query-buffer-limit 1gb + +# In the Redis protocol, bulk requests, that are, elements representing single +# strings, are normally limited ot 512 mb. However you can change this limit +# here. +# +# proto-max-bulk-len 512mb + +# Redis calls an internal function to perform many background tasks, like +# closing connections of clients in timeout, purging expired keys that are +# never requested, and so forth. +# +# Not all tasks are performed with the same frequency, but Redis checks for +# tasks to perform according to the specified "hz" value. +# +# By default "hz" is set to 10. Raising the value will use more CPU when +# Redis is idle, but at the same time will make Redis more responsive when +# there are many keys expiring at the same time, and timeouts may be +# handled with more precision. +# +# The range is between 1 and 500, however a value over 100 is usually not +# a good idea. Most users should use the default of 10 and raise this up to +# 100 only in environments where very low latency is required. +hz 10 + +# When a child rewrites the AOF file, if the following option is enabled +# the file will be fsync-ed every 32 MB of data generated. This is useful +# in order to commit the file to the disk more incrementally and avoid +# big latency spikes. +aof-rewrite-incremental-fsync yes + +# Redis LFU eviction (see maxmemory setting) can be tuned. 
However it is a good +# idea to start with the default settings and only change them after investigating +# how to improve the performances and how the keys LFU change over time, which +# is possible to inspect via the OBJECT FREQ command. +# +# There are two tunable parameters in the Redis LFU implementation: the +# counter logarithm factor and the counter decay time. It is important to +# understand what the two parameters mean before changing them. +# +# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis +# uses a probabilistic increment with logarithmic behavior. Given the value +# of the old counter, when a key is accessed, the counter is incremented in +# this way: +# +# 1. A random number R between 0 and 1 is extracted. +# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). +# 3. The counter is incremented only if R < P. +# +# The default lfu-log-factor is 10. This is a table of how the frequency +# counter changes with a different number of accesses with different +# logarithmic factors: +# +# +--------+------------+------------+------------+------------+------------+ +# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | +# +--------+------------+------------+------------+------------+------------+ +# | 0 | 104 | 255 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 1 | 18 | 49 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 10 | 10 | 18 | 142 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 100 | 8 | 11 | 49 | 143 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# +# NOTE: The above table was obtained by running the following commands: +# +# redis-benchmark -n 1000000 incr foo +# redis-cli object freq foo +# +# NOTE 2: The counter initial value is 5 in order to give new objects a chance +# to accumulate 
hits. +# +# The counter decay time is the time, in minutes, that must elapse in order +# for the key counter to be divided by two (or decremented if it has a value +# less <= 10). +# +# The default value for the lfu-decay-time is 1. A Special value of 0 means to +# decay the counter every time it happens to be scanned. +# +# lfu-log-factor 10 +# lfu-decay-time 1 + +########################### ACTIVE DEFRAGMENTATION ####################### +# +# WARNING THIS FEATURE IS EXPERIMENTAL. However it was stress tested +# even in production and manually tested by multiple engineers for some +# time. +# +# What is active defragmentation? +# ------------------------------- +# +# Active (online) defragmentation allows a Redis server to compact the +# spaces left between small allocations and deallocations of data in memory, +# thus allowing to reclaim back memory. +# +# Fragmentation is a natural process that happens with every allocator (but +# less so with Jemalloc, fortunately) and certain workloads. Normally a server +# restart is needed in order to lower the fragmentation, or at least to flush +# away all the data and create it again. However thanks to this feature +# implemented by Oran Agra for Redis 4.0 this process can happen at runtime +# in an "hot" way, while the server is running. +# +# Basically when the fragmentation is over a certain level (see the +# configuration options below) Redis will start to create new copies of the +# values in contiguous memory regions by exploiting certain specific Jemalloc +# features (in order to understand if an allocation is causing fragmentation +# and to allocate it in a better place), and at the same time, will release the +# old copies of the data. This process, repeated incrementally for all the keys +# will cause the fragmentation to drop back to normal values. +# +# Important things to understand: +# +# 1. 
This feature is disabled by default, and only works if you compiled Redis +# to use the copy of Jemalloc we ship with the source code of Redis. +# This is the default with Linux builds. +# +# 2. You never need to enable this feature if you don't have fragmentation +# issues. +# +# 3. Once you experience fragmentation, you can enable this feature when +# needed with the command "CONFIG SET activedefrag yes". +# +# The configuration parameters are able to fine tune the behavior of the +# defragmentation process. If you are not sure about what they mean it is +# a good idea to leave the defaults untouched. + +# Enabled active defragmentation +# activedefrag yes + +# Minimum amount of fragmentation waste to start active defrag +# active-defrag-ignore-bytes 100mb + +# Minimum percentage of fragmentation to start active defrag +# active-defrag-threshold-lower 10 + +# Maximum percentage of fragmentation at which we use maximum effort +# active-defrag-threshold-upper 100 + +# Minimal effort for defrag in CPU percentage +# active-defrag-cycle-min 25 + +# Maximal effort for defrag in CPU percentage +# active-defrag-cycle-max 75 diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.service b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.service new file mode 100644 index 0000000000..a52204cc70 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7.0.12/redis.service @@ -0,0 +1,16 @@ +[Unit] +Description=Redis In-Memory Data Store +After=network.target + +[Service] +User=redis +Group=redis +ExecStart=/usr/bin/redis-server /etc/redis/redis.conf +ExecStop=/usr/bin/redis-cli shutdown +Restart=always +LimitNOFILE=10032 +Type=notify + +[Install] +WantedBy=multi-user.target + 
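Review bot: the redis.conf added here reads as a Redis 4.x-era template rather than a 7.0.12 one: `aof-use-rdb-preamble no` with the comment that the preamble is "currently turned off by default", the `lua-time-limit`, `cluster-slave-validity-factor` and `hash-max-ziplist-*` directives, and the "WARNING EXPERIMENTAL" banners on Redis Cluster and active defragmentation. A 7.x server still accepts these names, but the shipped values override newer defaults (the RDB preamble has been on by default since Redis 5, so this file silently turns it back off), and the comments no longer describe what the built binary does. Suggest regenerating the file from the 7.0.12 source tree's own redis.conf and re-applying only the distro-specific changes, so defaults and documentation match the server version being packaged.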
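Review bot: `Type=notify` in the `[Service]` block of the new redis.service only works if redis-server is configured to report readiness to systemd (`supervised systemd` or `supervised auto` in redis.conf); the part of redis.conf added in this patch does not show that directive, and if it is absent the unit never reaches active, the start times out, and `Restart=always` restarts it in a loop. Either confirm `supervised` is set in the shipped config or switch to `Type=simple`. Separately, `ExecStop=/usr/bin/redis-cli shutdown` talks to the server over the network with no credentials and on the default port, so it fails as soon as `requirepass`, a non-default `port` or a socket-only `bind` is configured; dropping ExecStop and letting systemd's SIGTERM drive Redis's own clean shutdown is more robust. Since the service already runs as `User=redis`, adding `NoNewPrivileges=yes`, `ProtectSystem=full`, `ProtectHome=yes` and `PrivateTmp=yes` here would be a cheap hardening step.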
diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0001-src-Do-not-reset-FINAL_LIBS.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0001-src-Do-not-reset-FINAL_LIBS.patch deleted file mode 100644 index e8d8b1d53f..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0001-src-Do-not-reset-FINAL_LIBS.patch +++ /dev/null @@ -1,30 +0,0 @@ -From e97a572d4aef099a961e43d528c0268e10d9f1e2 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Tue, 10 Sep 2019 20:04:26 -0700 -Subject: [PATCH] src: Do not reset FINAL_LIBS - -This helps case where additional libraries are needed to be passed from -environment to get it going - -e.g. -latomic is needed on clang/x86 to provide for 64bit atomics - -Upstream-Status: Pending -Signed-off-by: Khem Raj - ---- - src/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile b/src/Makefile -index ddabd44..5133884 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -118,7 +118,7 @@ endif - - FINAL_CFLAGS=$(STD) $(WARN) $(OPT) $(DEBUG) $(CFLAGS) $(REDIS_CFLAGS) - FINAL_LDFLAGS=$(LDFLAGS) $(REDIS_LDFLAGS) $(DEBUG) --FINAL_LIBS=-lm -+FINAL_LIBS+=-lm - DEBUG=-g -ggdb - - # Linux ARM32 needs -latomic at linking time diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0006-Define-correct-gregs-for-RISCV32.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0006-Define-correct-gregs-for-RISCV32.patch deleted file mode 100644 index 385b0aeed0..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/0006-Define-correct-gregs-for-RISCV32.patch +++ /dev/null 
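Review bot: the `0001-src-Do-not-reset-FINAL_LIBS.patch` removed here is marked `Upstream-Status: Pending`, so it was never merged upstream, and its own description says `-latomic` has to be passed in from the environment for 64-bit atomics on clang/x86 and ARM32. Unless the same fix is re-added under the new `redis-7.0.12/` directory or the 7.0.12 Makefile no longer resets `FINAL_LIBS`, 32-bit and clang builds can start failing at link time. Please state in the commit message why each dropped patch is no longer needed (upstreamed, obsoleted, or moved) so the change is traceable.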
@@ -1,62 +0,0 @@ -From b6b2c652abfa98093401b232baca8719c50cadf4 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Mon, 26 Oct 2020 21:32:22 -0700 -Subject: [PATCH] Define correct gregs for RISCV32 - -Upstream-Status: Pending -Signed-off-by: Khem Raj - -Updated patch for 6.2.8 -Signed-off-by: Changqing Li ---- - src/debug.c | 26 ++++++++++++++++++++++++-- - 1 file changed, 24 insertions(+), 2 deletions(-) - -diff --git a/src/debug.c b/src/debug.c -index ebda858..90bc450 100644 ---- a/src/debug.c -+++ b/src/debug.c -@@ -1168,7 +1168,9 @@ static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) { - #endif - #elif defined(__linux__) - /* Linux */ -- #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) -+ #if defined(__riscv) && __riscv_xlen == 32 -+ return (void*) uc->uc_mcontext.__gregs[REG_PC]; -+ #elif defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) - GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip); - #elif defined(__X86_64__) || defined(__x86_64__) - GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip); -@@ -1350,8 +1352,28 @@ void logRegisters(ucontext_t *uc) { - #endif - /* Linux */ - #elif defined(__linux__) -+ /* Linux RISCV32 */ -+ #if defined(__riscv) && __riscv_xlen == 32 -+ serverLog(LL_WARNING, -+ "\n" -+ "RA:%08lx S0:%08lx S1:%08lx S2:%08lx\n" -+ "SP:%08lx PC:%08lx A0:%08lx A1:%08lx\n" -+ "A2 :%08lx A3:%08lx A4:%08lx", -+ (unsigned long) uc->uc_mcontext.__gregs[REG_RA], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_S0], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_S1], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_S2], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_SP], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_PC], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 0], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 1], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 2], -+ (unsigned long) uc->uc_mcontext.__gregs[REG_A0 + 3], -+ (unsigned long) 
uc->uc_mcontext.__gregs[REG_A0 + 4] -+ ); -+ logStackContent((void**)uc->uc_mcontext.__gregs[REG_SP]); - /* Linux x86 */ -- #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) -+ #elif defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) - serverLog(LL_WARNING, - "\n" - "EAX:%08lx EBX:%08lx ECX:%08lx EDX:%08lx\n" --- -2.25.1 - diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/GNU_SOURCE-7.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/GNU_SOURCE-7.patch deleted file mode 100644 index 6e07c25c6a..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/GNU_SOURCE-7.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a22512ac1cbd6de1f5646219722e49752d1f60ac Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sat, 21 Dec 2019 12:09:51 -0800 -Subject: [PATCH] Define _GNU_SOURCE to get PTHREAD_MUTEX_INITIALIZER - -Fixes -| zmalloc.c:87:37: error: 'PTHREAD_MUTEX_DEFAULT' undeclared here (not in a function) -| 87 | pthread_mutex_t used_memory_mutex = PTHREAD_MUTEX_INITIALIZER; -| | ^~~~~~~~~~~~~~~~~~~~~~~~~ - -Upstream-Status: Pending -Signed-off-by: Khem Raj - ---- - src/zmalloc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/zmalloc.c b/src/zmalloc.c -index ba03685..322304f 100644 ---- a/src/zmalloc.c -+++ b/src/zmalloc.c -@@ -32,6 +32,7 @@ - #include "config.h" - #include "solarisfixes.h" - -+#define _GNU_SOURCE - #include - #include - #include diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/hiredis-use-default-CC-if-it-is-set.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/hiredis-use-default-CC-if-it-is-set.patch deleted file mode 100644 index 657b0923e2..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/hiredis-use-default-CC-if-it-is-set.patch +++ /dev/null 
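Review bot: both patches deleted in this region, `0006-Define-correct-gregs-for-RISCV32.patch` and `GNU_SOURCE-7.patch`, are also `Upstream-Status: Pending`. The debug.c change is what makes the crash-report handler (`getAndSetMcontextEip` and `logRegisters`) compile when `__riscv_xlen == 32`, and the zmalloc.c change supplies `_GNU_SOURCE` for `PTHREAD_MUTEX_INITIALIZER` on the affected libc; if neither is carried into the new recipe directory, riscv32 and musl-style targets lose those build fixes without any mention in the commit message. Confirm each is either upstream in 7.0.12 or re-added.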
@@ -1,36 +0,0 @@ -From 9da2d12c9fabfff4b4460accf887658db89687e4 Mon Sep 17 00:00:00 2001 -From: Venture Research -Date: Fri, 8 Feb 2013 17:39:52 -0600 -Subject: [PATCH] hiredis: use default CC if it is set -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Instead of trying to automagically figure out CC, which breaks with OE -as CC has spaces in it, just skip it if one was already passed in. - -Signed-off-by: Venture Research - -Update to work with 4.0.8 -Signed-off-by: Alistair Francis - -Reworked for 6.0.4 -Signed-off-by: Andreas Müller - ---- - deps/hiredis/Makefile | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/deps/hiredis/Makefile b/deps/hiredis/Makefile -index 7e41c97..54717e3 100644 ---- a/deps/hiredis/Makefile -+++ b/deps/hiredis/Makefile -@@ -42,8 +42,6 @@ endef - export REDIS_TEST_CONFIG - - # Fallback to gcc when $CC is not in $PATH. --CC:=$(shell sh -c 'type $${CC%% *} >/dev/null 2>/dev/null && echo $(CC) || echo gcc') --CXX:=$(shell sh -c 'type $${CXX%% *} >/dev/null 2>/dev/null && echo $(CXX) || echo g++') - OPTIMIZATION?=-O3 - WARNINGS=-Wall -W -Wstrict-prototypes -Wwrite-strings -Wno-missing-field-initializers - DEBUG_FLAGS?= -g -ggdb diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/init-redis-server b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/init-redis-server deleted file mode 100755 index c5f335f57d..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/init-redis-server +++ /dev/null 
@@ -1,71 +0,0 @@ -#!/bin/sh -# -### BEGIN INIT INFO -# Provides: redis-server -# Required-Start: $network -# Required-Stop: $network -# Default-Start: S 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Redis, a key-value store -# Description: Redis is an open source, advanced key-value store. -# http://redis.io -### END INIT INFO - -test -f /usr/bin/redis-server || exit 0 - -ARGS="/etc/redis/redis.conf" - -case "$1" in - start) - echo "Starting redis-server..." - start-stop-daemon --start --quiet --exec /usr/bin/redis-server -- $ARGS - ;; - stop) - echo "Stopping redis-server..." - start-stop-daemon --stop --quiet --exec /usr/bin/redis-server - ;; - restart) - echo "Stopping redis-server..." - start-stop-daemon --stop --quiet --exec /usr/bin/redis-server - - # Since busybox implementation ignores --retry arguments repeatedly check - # if the process is still running and try another signal after a timeout, - # efectively simulating a stop with --retry=TERM/5/KILL/5 schedule. - waitAfterTerm=5000000 # us / 5000 ms / 5 s - waitAfterKill=5000000 # us / 5000 ms / 5 s - waitStep=100000 # us / 100 ms / 0.1 s - waited=0 - start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server - processOff=$? - while [ $processOff -eq 0 ] && [ $waited -le $waitAfterTerm ] ; do - usleep ${waitStep} - ((waited+=${waitStep})) - start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server - processOff=$? - done - if [ $processOff -eq 0 ] ; then - start-stop-daemon --stop --signal KILL --exec /usr/bin/redis-server - start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server - processOff=$? - fi - waited=0 - while [ $processOff -eq 0 ] && [ $waited -le $waitAfterKill ] ; do - usleep ${waitStep} - ((waited+=${waitStep})) - start-stop-daemon --stop --test --quiet --exec /usr/bin/redis-server - processOff=$? - done - # Here $processOff will indicate if waiting and retrying according to - # the schedule ended in a successfull stop or not. 
- - echo "Starting redis-server..." - start-stop-daemon --start --quiet --exec /usr/bin/redis-server -- $ARGS - ;; - *) - echo "Usage: /etc/init.d/redis-server {start|stop|restart}" - exit 1 - ;; -esac - -exit 0 - diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/lua-update-Makefile-to-use-environment-build-setting.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/lua-update-Makefile-to-use-environment-build-setting.patch deleted file mode 100644 index c6c6fde162..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/lua-update-Makefile-to-use-environment-build-setting.patch +++ /dev/null 
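Review bot: if this sysvinit script is re-added elsewhere rather than retired, the restart branch needs a portability fix that the deleted copy never got: it is declared `#!/bin/sh` but uses `((waited+=${waitStep}))`, a bash-only arithmetic statement that a POSIX sh (busybox ash) treats as a nested subshell and fails on, so the TERM/KILL retry loop never advances `waited` as intended. A POSIX form such as `waited=$((waited + waitStep))` keeps the --retry emulation working under the busybox shell the comment itself targets.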
@@ -1,76 +0,0 @@ -From 734ab2f7879c6f94fc18ea6a10adb9bd156ba769 Mon Sep 17 00:00:00 2001 -From: Venture Research -Date: Fri, 8 Feb 2013 20:22:19 -0600 -Subject: [PATCH] lua: update Makefile to use environment build settings - -OE-specific parameters, instead of overriding all of these simply use -the ones that are already passed in. Also configure for only Linux... - -Signed-off-by: Venture Research - -Updated to work with 3.0.x - -Signed-off-by: Armin Kuster - -updated to work wtih 6.2.1 -Signed-off-by: Yi Fan Yu - ---- - deps/Makefile | 1 - - deps/lua/Makefile | 1 - - deps/lua/src/Makefile | 16 ++++++---------- - 3 files changed, 6 insertions(+), 12 deletions(-) - -diff --git a/deps/Makefile b/deps/Makefile -index 8592e17..1807af5 100644 ---- a/deps/Makefile -+++ b/deps/Makefile -@@ -81,7 +81,6 @@ endif - # lua's Makefile defines AR="ar rcu", which is unusual, and makes it more - # challenging to cross-compile lua (and redis). These defines make it easier - # to fit redis into cross-compilation environments, which typically set AR. --AR=ar - ARFLAGS=rc - - lua: .make-prerequisites -diff --git a/deps/lua/Makefile b/deps/lua/Makefile -index 209a132..72f4b2b 100644 ---- a/deps/lua/Makefile -+++ b/deps/lua/Makefile -@@ -33,7 +33,6 @@ INSTALL_DATA= $(INSTALL) -m 0644 - - # Utilities. - MKDIR= mkdir -p --RANLIB= ranlib - - # == END OF USER SETTINGS. NO NEED TO CHANGE ANYTHING BELOW THIS LINE ========= - -diff --git a/deps/lua/src/Makefile b/deps/lua/src/Makefile -index f3bba2f..1555ec0 100644 ---- a/deps/lua/src/Makefile -+++ b/deps/lua/src/Makefile -@@ -5,18 +5,14 @@ - # == CHANGE THE SETTINGS BELOW TO SUIT YOUR ENVIRONMENT ======================= - - # Your platform. See PLATS for possible values. 
--PLAT= none -+PLAT= linux - --CC?= gcc --CFLAGS= -O2 -Wall $(MYCFLAGS) --AR= ar rcu --RANLIB= ranlib --RM= rm -f --LIBS= -lm $(MYLIBS) -- --MYCFLAGS= -+MYCFLAGS=-DLUA_USE_LINUX - MYLDFLAGS= --MYLIBS= -+MYLIBS=-Wl,-E -ldl -lreadline -lhistory -lncurses -+ -+CFLAGS += $(MYCFLAGS) -+LIBS += -lm $(MYLIBS) - - # == END OF USER SETTINGS. NO NEED TO CHANGE ANYTHING BELOW THIS LINE ========= - diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/oe-use-libc-malloc.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/oe-use-libc-malloc.patch deleted file mode 100644 index bf6d0cf3c1..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/oe-use-libc-malloc.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 88da6b19ecd00747769663e913aba5e9569c489d Mon Sep 17 00:00:00 2001 -From: Venture Research -Date: Wed, 6 Feb 2013 20:51:02 -0600 -Subject: [PATCH] hack to force use of libc malloc - -Hack to force libc usage as it seems the option to pass it in has been -removed in favor of magic. - -Note that this of course doesn't allow tcmalloc and jemalloc, however -jemalloc wasn't building correctly. - -Signed-off-by: Venture Research - -Update to work with 4.0.8 -Signed-off-by: Alistair Francis - ---- - src/Makefile | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/Makefile b/src/Makefile -index 2a0d74d..ddabd44 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -13,7 +13,8 @@ - # Just use 'make dep', but this is only needed by developers. - - release_hdr := $(shell sh -c './mkreleasehdr.sh') --uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not') -+# use fake uname option to force use of generic libc -+uname_S := "USE_LIBC_MALLOC" - uname_M := $(shell sh -c 'uname -m 2>/dev/null || echo not') - OPTIMIZATION?=-O2 - DEPENDENCY_TARGETS=hiredis linenoise lua hdr_histogram 
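Review bot: the two deleted patches removed here carried build decisions that are not expressed anywhere else in the hunk, and the commit message gives no replacement. The lua Makefile patch hard-coded `PLAT= linux`, `-DLUA_USE_LINUX` and a link line of `-Wl,-E -ldl -lreadline -lhistory -lncurses`, so whatever now builds deps/lua must either carry those flags or drop the readline/ncurses dependencies deliberately. The malloc patch replaced the `uname_S := $(shell sh -c 'uname -s ...')` probe with the constant `"USE_LIBC_MALLOC"`, which is what kept the allocator selection from being made on the build host during cross-compilation; with the patch gone, confirm the redis-7 recipe sets MALLOC explicitly, otherwise `uname_S` is evaluated on the host and the allocator choice (and the jemalloc build the patch description says was failing) silently comes back.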
diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.conf b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.conf deleted file mode 100644 index 75037d6dc8..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.conf +++ /dev/null 
@@ -1,1314 +0,0 @@ -# Redis configuration file example. -# -# Note that in order to read the configuration file, Redis must be -# started with the file path as first argument: -# -# ./redis-server /path/to/redis.conf - -# Note on units: when memory size is needed, it is possible to specify -# it in the usual form of 1k 5GB 4M and so forth: -# -# 1k => 1000 bytes -# 1kb => 1024 bytes -# 1m => 1000000 bytes -# 1mb => 1024*1024 bytes -# 1g => 1000000000 bytes -# 1gb => 1024*1024*1024 bytes -# -# units are case insensitive so 1GB 1Gb 1gB are all the same. - -################################## INCLUDES ################################### - -# Include one or more other config files here. This is useful if you -# have a standard template that goes to all Redis servers but also need -# to customize a few per-server settings. Include files can include -# other files, so use this wisely. -# -# Notice option "include" won't be rewritten by command "CONFIG REWRITE" -# from admin or Redis Sentinel. Since Redis always uses the last processed -# line as value of a configuration directive, you'd better put includes -# at the beginning of this file to avoid overwriting config change at runtime. -# -# If instead you are interested in using includes to override configuration -# options, it is better to use include as the last line. -# -# include /path/to/local.conf -# include /path/to/other.conf - -################################## MODULES ##################################### - -# Load modules at startup. If the server is not able to load modules -# it will abort. It is possible to use multiple loadmodule directives. -# -# loadmodule /path/to/my_module.so -# loadmodule /path/to/other_module.so - -################################## NETWORK ##################################### - -# By default, if no "bind" configuration directive is specified, Redis listens -# for connections from all the network interfaces available on the server. 
-# It is possible to listen to just one or multiple selected interfaces using -# the "bind" configuration directive, followed by one or more IP addresses. -# -# Examples: -# -# bind 192.168.1.100 10.0.0.1 -# bind 127.0.0.1 ::1 -# -# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the -# internet, binding to all the interfaces is dangerous and will expose the -# instance to everybody on the internet. So by default we uncomment the -# following bind directive, that will force Redis to listen only into -# the IPv4 lookback interface address (this means Redis will be able to -# accept connections only from clients running into the same computer it -# is running). -# -# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES -# JUST COMMENT THE FOLLOWING LINE. -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -bind 127.0.0.1 - -# Protected mode is a layer of security protection, in order to avoid that -# Redis instances left open on the internet are accessed and exploited. -# -# When protected mode is on and if: -# -# 1) The server is not binding explicitly to a set of addresses using the -# "bind" directive. -# 2) No password is configured. -# -# The server only accepts connections from clients connecting from the -# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain -# sockets. -# -# By default protected mode is enabled. You should disable it only if -# you are sure you want clients from other hosts to connect to Redis -# even if no authentication is configured, nor a specific set of interfaces -# are explicitly listed using the "bind" directive. -protected-mode yes - -# Accept connections on the specified port, default is 6379 (IANA #815344). -# If port 0 is specified Redis will not listen on a TCP socket. -port 6379 - -# TCP listen() backlog. -# -# In high requests-per-second environments you need an high backlog in order -# to avoid slow clients connections issues. 
Note that the Linux kernel -# will silently truncate it to the value of /proc/sys/net/core/somaxconn so -# make sure to raise both the value of somaxconn and tcp_max_syn_backlog -# in order to get the desired effect. -tcp-backlog 511 - -# Unix socket. -# -# Specify the path for the Unix socket that will be used to listen for -# incoming connections. There is no default, so Redis will not listen -# on a unix socket when not specified. -# -# unixsocket /tmp/redis.sock -# unixsocketperm 700 - -# Close the connection after a client is idle for N seconds (0 to disable) -timeout 0 - -# TCP keepalive. -# -# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence -# of communication. This is useful for two reasons: -# -# 1) Detect dead peers. -# 2) Take the connection alive from the point of view of network -# equipment in the middle. -# -# On Linux, the specified value (in seconds) is the period used to send ACKs. -# Note that to close the connection the double of the time is needed. -# On other kernels the period depends on the kernel configuration. -# -# A reasonable value for this option is 300 seconds, which is the new -# Redis default starting with Redis 3.2.1. -tcp-keepalive 300 - -################################# GENERAL ##################################### - -# OE: run as a daemon. -daemonize yes - -# If you run Redis from upstart or systemd, Redis can interact with your -# supervision tree. Options: -# supervised no - no supervision interaction -# supervised upstart - signal upstart by putting Redis into SIGSTOP mode -# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET -# supervised auto - detect upstart or systemd method based on -# UPSTART_JOB or NOTIFY_SOCKET environment variables -# Note: these supervision methods only signal "process is ready." -# They do not enable continuous liveness pings back to your supervisor. 
-supervised no - -# If a pid file is specified, Redis writes it where specified at startup -# and removes it at exit. -# -# When the server runs non daemonized, no pid file is created if none is -# specified in the configuration. When the server is daemonized, the pid file -# is used even if not specified, defaulting to "/var/run/redis.pid". -# -# Creating a pid file is best effort: if Redis is not able to create it -# nothing bad happens, the server will start and run normally. - -# When running daemonized, Redis writes a pid file in /var/run/redis.pid by -# default. You can specify a custom pid file location here. -pidfile /var/run/redis.pid - -# Specify the server verbosity level. -# This can be one of: -# debug (a lot of information, useful for development/testing) -# verbose (many rarely useful info, but not a mess like the debug level) -# notice (moderately verbose, what you want in production probably) -# warning (only very important / critical messages are logged) -loglevel notice - -# Specify the log file name. Also the empty string can be used to force -# Redis to log on the standard output. Note that if you use standard -# output for logging but daemonize, logs will be sent to /dev/null -logfile "" - -# To enable logging to the system logger, just set 'syslog-enabled' to yes, -# and optionally update the other syslog parameters to suit your needs. -syslog-enabled yes - -# Specify the syslog identity. -syslog-ident redis - -# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. -# syslog-facility local0 - -# Set the number of databases. The default database is DB 0, you can select -# a different one on a per-connection basis using SELECT where -# dbid is a number between 0 and 'databases'-1 -databases 16 - -# By default Redis shows an ASCII art logo only when started to log to the -# standard output and if the standard output is a TTY. Basically this means -# that normally a logo is displayed only in interactive sessions. 
-# -# However it is possible to force the pre-4.0 behavior and always show a -# ASCII art logo in startup logs by setting the following option to yes. -always-show-logo yes - -################################ SNAPSHOTTING ################################ -# -# Save the DB on disk: -# -# save -# -# Will save the DB if both the given number of seconds and the given -# number of write operations against the DB occurred. -# -# In the example below the behaviour will be to save: -# after 900 sec (15 min) if at least 1 key changed -# after 300 sec (5 min) if at least 10 keys changed -# after 60 sec if at least 10000 keys changed -# -# Note: you can disable saving completely by commenting out all "save" lines. -# -# It is also possible to remove all the previously configured save -# points by adding a save directive with a single empty string argument -# like in the following example: -# -# save "" - -#save 900 1 -#save 300 10 -#save 60 10000 - -# OE: tune for a small embedded system with a limited # of keys. -save 120 1 -save 60 100 -save 30 1000 - -# By default Redis will stop accepting writes if RDB snapshots are enabled -# (at least one save point) and the latest background save failed. -# This will make the user aware (in a hard way) that data is not persisting -# on disk properly, otherwise chances are that no one will notice and some -# disaster will happen. -# -# If the background saving process will start working again Redis will -# automatically allow writes again. -# -# However if you have setup your proper monitoring of the Redis server -# and persistence, you may want to disable this feature so that Redis will -# continue to work as usual even if there are problems with disk, -# permissions, and so forth. -stop-writes-on-bgsave-error yes - -# Compress string objects using LZF when dump .rdb databases? -# For default that's set to 'yes' as it's almost always a win. 
-# If you want to save some CPU in the saving child set it to 'no' but -# the dataset will likely be bigger if you have compressible values or keys. -rdbcompression yes - -# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. -# This makes the format more resistant to corruption but there is a performance -# hit to pay (around 10%) when saving and loading RDB files, so you can disable it -# for maximum performances. -# -# RDB files created with checksum disabled have a checksum of zero that will -# tell the loading code to skip the check. -rdbchecksum yes - -# The filename where to dump the DB -dbfilename dump.rdb - -# The working directory. -# -# The DB will be written inside this directory, with the filename specified -# above using the 'dbfilename' configuration directive. -# -# The Append Only File will also be created inside this directory. -# -# Note that you must specify a directory here, not a file name. -dir /var/lib/redis/ - -################################# REPLICATION ################################# - -# Master-Slave replication. Use slaveof to make a Redis instance a copy of -# another Redis server. A few things to understand ASAP about Redis replication. -# -# 1) Redis replication is asynchronous, but you can configure a master to -# stop accepting writes if it appears to be not connected with at least -# a given number of slaves. -# 2) Redis slaves are able to perform a partial resynchronization with the -# master if the replication link is lost for a relatively small amount of -# time. You may want to configure the replication backlog size (see the next -# sections of this file) with a sensible value depending on your needs. -# 3) Replication is automatic and does not need user intervention. After a -# network partition slaves automatically try to reconnect to masters -# and resynchronize with them. 
-# -# slaveof - -# If the master is password protected (using the "requirepass" configuration -# directive below) it is possible to tell the slave to authenticate before -# starting the replication synchronization process, otherwise the master will -# refuse the slave request. -# -# masterauth - -# When a slave loses its connection with the master, or when the replication -# is still in progress, the slave can act in two different ways: -# -# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will -# still reply to client requests, possibly with out of date data, or the -# data set may just be empty if this is the first synchronization. -# -# 2) if slave-serve-stale-data is set to 'no' the slave will reply with -# an error "SYNC with master in progress" to all the kind of commands -# but to INFO and SLAVEOF. -# -slave-serve-stale-data yes - -# You can configure a slave instance to accept writes or not. Writing against -# a slave instance may be useful to store some ephemeral data (because data -# written on a slave will be easily deleted after resync with the master) but -# may also cause problems if clients are writing to it because of a -# misconfiguration. -# -# Since Redis 2.6 by default slaves are read-only. -# -# Note: read only slaves are not designed to be exposed to untrusted clients -# on the internet. It's just a protection layer against misuse of the instance. -# Still a read only slave exports by default all the administrative commands -# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve -# security of read only slaves using 'rename-command' to shadow all the -# administrative / dangerous commands. -slave-read-only yes - -# Replication SYNC strategy: disk or socket. 
-# -# ------------------------------------------------------- -# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY -# ------------------------------------------------------- -# -# New slaves and reconnecting slaves that are not able to continue the replication -# process just receiving differences, need to do what is called a "full -# synchronization". An RDB file is transmitted from the master to the slaves. -# The transmission can happen in two different ways: -# -# 1) Disk-backed: The Redis master creates a new process that writes the RDB -# file on disk. Later the file is transferred by the parent -# process to the slaves incrementally. -# 2) Diskless: The Redis master creates a new process that directly writes the -# RDB file to slave sockets, without touching the disk at all. -# -# With disk-backed replication, while the RDB file is generated, more slaves -# can be queued and served with the RDB file as soon as the current child producing -# the RDB file finishes its work. With diskless replication instead once -# the transfer starts, new slaves arriving will be queued and a new transfer -# will start when the current one terminates. -# -# When diskless replication is used, the master waits a configurable amount of -# time (in seconds) before starting the transfer in the hope that multiple slaves -# will arrive and the transfer can be parallelized. -# -# With slow disks and fast (large bandwidth) networks, diskless replication -# works better. -repl-diskless-sync no - -# When diskless replication is enabled, it is possible to configure the delay -# the server waits in order to spawn the child that transfers the RDB via socket -# to the slaves. -# -# This is important since once the transfer starts, it is not possible to serve -# new slaves arriving, that will be queued for the next RDB transfer, so the server -# waits a delay in order to let more slaves arrive. -# -# The delay is specified in seconds, and by default is 5 seconds. 
To disable -# it entirely just set it to 0 seconds and the transfer will start ASAP. -repl-diskless-sync-delay 5 - -# Slaves send PINGs to server in a predefined interval. It's possible to change -# this interval with the repl_ping_slave_period option. The default value is 10 -# seconds. -# -# repl-ping-slave-period 10 - -# The following option sets the replication timeout for: -# -# 1) Bulk transfer I/O during SYNC, from the point of view of slave. -# 2) Master timeout from the point of view of slaves (data, pings). -# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). -# -# It is important to make sure that this value is greater than the value -# specified for repl-ping-slave-period otherwise a timeout will be detected -# every time there is low traffic between the master and the slave. -# -# repl-timeout 60 - -# Disable TCP_NODELAY on the slave socket after SYNC? -# -# If you select "yes" Redis will use a smaller number of TCP packets and -# less bandwidth to send data to slaves. But this can add a delay for -# the data to appear on the slave side, up to 40 milliseconds with -# Linux kernels using a default configuration. -# -# If you select "no" the delay for data to appear on the slave side will -# be reduced but more bandwidth will be used for replication. -# -# By default we optimize for low latency, but in very high traffic conditions -# or when the master and slaves are many hops away, turning this to "yes" may -# be a good idea. -repl-disable-tcp-nodelay no - -# Set the replication backlog size. The backlog is a buffer that accumulates -# slave data when slaves are disconnected for some time, so that when a slave -# wants to reconnect again, often a full resync is not needed, but a partial -# resync is enough, just passing the portion of data the slave missed while -# disconnected. -# -# The bigger the replication backlog, the longer the time the slave can be -# disconnected and later be able to perform a partial resynchronization. 
-# -# The backlog is only allocated once there is at least a slave connected. -# -# repl-backlog-size 1mb - -# After a master has no longer connected slaves for some time, the backlog -# will be freed. The following option configures the amount of seconds that -# need to elapse, starting from the time the last slave disconnected, for -# the backlog buffer to be freed. -# -# Note that slaves never free the backlog for timeout, since they may be -# promoted to masters later, and should be able to correctly "partially -# resynchronize" with the slaves: hence they should always accumulate backlog. -# -# A value of 0 means to never release the backlog. -# -# repl-backlog-ttl 3600 - -# The slave priority is an integer number published by Redis in the INFO output. -# It is used by Redis Sentinel in order to select a slave to promote into a -# master if the master is no longer working correctly. -# -# A slave with a low priority number is considered better for promotion, so -# for instance if there are three slaves with priority 10, 100, 25 Sentinel will -# pick the one with priority 10, that is the lowest. -# -# However a special priority of 0 marks the slave as not able to perform the -# role of master, so a slave with priority of 0 will never be selected by -# Redis Sentinel for promotion. -# -# By default the priority is 100. -slave-priority 100 - -# It is possible for a master to stop accepting writes if there are less than -# N slaves connected, having a lag less or equal than M seconds. -# -# The N slaves need to be in "online" state. -# -# The lag in seconds, that must be <= the specified value, is calculated from -# the last ping received from the slave, that is usually sent every second. -# -# This option does not GUARANTEE that N replicas will accept the write, but -# will limit the window of exposure for lost writes in case not enough slaves -# are available, to the specified number of seconds. 
-# -# For example to require at least 3 slaves with a lag <= 10 seconds use: -# -# min-slaves-to-write 3 -# min-slaves-max-lag 10 -# -# Setting one or the other to 0 disables the feature. -# -# By default min-slaves-to-write is set to 0 (feature disabled) and -# min-slaves-max-lag is set to 10. - -# A Redis master is able to list the address and port of the attached -# slaves in different ways. For example the "INFO replication" section -# offers this information, which is used, among other tools, by -# Redis Sentinel in order to discover slave instances. -# Another place where this info is available is in the output of the -# "ROLE" command of a master. -# -# The listed IP and address normally reported by a slave is obtained -# in the following way: -# -# IP: The address is auto detected by checking the peer address -# of the socket used by the slave to connect with the master. -# -# Port: The port is communicated by the slave during the replication -# handshake, and is normally the port that the slave is using to -# list for connections. -# -# However when port forwarding or Network Address Translation (NAT) is -# used, the slave may be actually reachable via different IP and port -# pairs. The following two options can be used by a slave in order to -# report to its master a specific set of IP and port, so that both INFO -# and ROLE will report those values. -# -# There is no need to use both the options if you need to override just -# the port or the IP address. -# -# slave-announce-ip 5.5.5.5 -# slave-announce-port 1234 - -################################## SECURITY ################################### - -# Require clients to issue AUTH before processing any other -# commands. This might be useful in environments in which you do not trust -# others with access to the host running redis-server. -# -# This should stay commented out for backward compatibility and because most -# people do not need auth (e.g. they run their own servers). 
-# -# Warning: since Redis is pretty fast an outside user can try up to -# 150k passwords per second against a good box. This means that you should -# use a very strong password otherwise it will be very easy to break. -# -# requirepass foobared - -# Command renaming. -# -# It is possible to change the name of dangerous commands in a shared -# environment. For instance the CONFIG command may be renamed into something -# hard to guess so that it will still be available for internal-use tools -# but not available for general clients. -# -# Example: -# -# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 -# -# It is also possible to completely kill a command by renaming it into -# an empty string: -# -# rename-command CONFIG "" -# -# Please note that changing the name of commands that are logged into the -# AOF file or transmitted to slaves may cause problems. - -################################### CLIENTS #################################### - -# Set the max number of connected clients at the same time. By default -# this limit is set to 10000 clients, however if the Redis server is not -# able to configure the process file limit to allow for the specified limit -# the max number of allowed clients is set to the current file limit -# minus 32 (as Redis reserves a few file descriptors for internal uses). -# -# Once the limit is reached Redis will close all the new connections sending -# an error 'max number of clients reached'. -# -# maxclients 10000 - -############################## MEMORY MANAGEMENT ################################ - -# Set a memory usage limit to the specified amount of bytes. -# When the memory limit is reached Redis will try to remove keys -# according to the eviction policy selected (see maxmemory-policy). 
-# -# If Redis can't remove keys according to the policy, or if the policy is -# set to 'noeviction', Redis will start to reply with errors to commands -# that would use more memory, like SET, LPUSH, and so on, and will continue -# to reply to read-only commands like GET. -# -# This option is usually useful when using Redis as an LRU or LFU cache, or to -# set a hard memory limit for an instance (using the 'noeviction' policy). -# -# WARNING: If you have slaves attached to an instance with maxmemory on, -# the size of the output buffers needed to feed the slaves are subtracted -# from the used memory count, so that network problems / resyncs will -# not trigger a loop where keys are evicted, and in turn the output -# buffer of slaves is full with DELs of keys evicted triggering the deletion -# of more keys, and so forth until the database is completely emptied. -# -# In short... if you have slaves attached it is suggested that you set a lower -# limit for maxmemory so that there is some free RAM on the system for slave -# output buffers (but this is not needed if the policy is 'noeviction'). -# -# maxmemory - -# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory -# is reached. You can select among five behaviors: -# -# volatile-lru -> Evict using approximated LRU among the keys with an expire set. -# allkeys-lru -> Evict any key using approximated LRU. -# volatile-lfu -> Evict using approximated LFU among the keys with an expire set. -# allkeys-lfu -> Evict any key using approximated LFU. -# volatile-random -> Remove a random key among the ones with an expire set. -# allkeys-random -> Remove a random key, any key. -# volatile-ttl -> Remove the key with the nearest expire time (minor TTL) -# noeviction -> Don't evict anything, just return an error on write operations. -# -# LRU means Least Recently Used -# LFU means Least Frequently Used -# -# Both LRU, LFU and volatile-ttl are implemented using approximated -# randomized algorithms. 
-# -# Note: with any of the above policies, Redis will return an error on write -# operations, when there are no suitable keys for eviction. -# -# At the date of writing these commands are: set setnx setex append -# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd -# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby -# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby -# getset mset msetnx exec sort -# -# The default is: -# -# maxmemory-policy noeviction - -# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated -# algorithms (in order to save memory), so you can tune it for speed or -# accuracy. For default Redis will check five keys and pick the one that was -# used less recently, you can change the sample size using the following -# configuration directive. -# -# The default of 5 produces good enough results. 10 Approximates very closely -# true LRU but costs more CPU. 3 is faster but not very accurate. -# -# maxmemory-samples 5 - -############################# LAZY FREEING #################################### - -# Redis has two primitives to delete keys. One is called DEL and is a blocking -# deletion of the object. It means that the server stops processing new commands -# in order to reclaim all the memory associated with an object in a synchronous -# way. If the key deleted is associated with a small object, the time needed -# in order to execute the DEL command is very small and comparable to most other -# O(1) or O(log_N) commands in Redis. However if the key is associated with an -# aggregated value containing millions of elements, the server can block for -# a long time (even seconds) in order to complete the operation. -# -# For the above reasons Redis also offers non blocking deletion primitives -# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and -# FLUSHDB commands, in order to reclaim memory in background. Those commands -# are executed in constant time. 
Another thread will incrementally free the -# object in the background as fast as possible. -# -# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled. -# It's up to the design of the application to understand when it is a good -# idea to use one or the other. However the Redis server sometimes has to -# delete keys or flush the whole database as a side effect of other operations. -# Specifically Redis deletes objects independently of a user call in the -# following scenarios: -# -# 1) On eviction, because of the maxmemory and maxmemory policy configurations, -# in order to make room for new data, without going over the specified -# memory limit. -# 2) Because of expire: when a key with an associated time to live (see the -# EXPIRE command) must be deleted from memory. -# 3) Because of a side effect of a command that stores data on a key that may -# already exist. For example the RENAME command may delete the old key -# content when it is replaced with another one. Similarly SUNIONSTORE -# or SORT with STORE option may delete existing keys. The SET command -# itself removes any old content of the specified key in order to replace -# it with the specified string. -# 4) During replication, when a slave performs a full resynchronization with -# its master, the content of the whole database is removed in order to -# load the RDB file just transfered. -# -# In all the above cases the default is to delete objects in a blocking way, -# like if DEL was called. However you can configure each case specifically -# in order to instead release memory in a non-blocking way like if UNLINK -# was called, using the following configuration directives: - -lazyfree-lazy-eviction no -lazyfree-lazy-expire no -lazyfree-lazy-server-del no -slave-lazy-flush no - -############################## APPEND ONLY MODE ############################### - -# By default Redis asynchronously dumps the dataset on disk. 
This mode is -# good enough in many applications, but an issue with the Redis process or -# a power outage may result into a few minutes of writes lost (depending on -# the configured save points). -# -# The Append Only File is an alternative persistence mode that provides -# much better durability. For instance using the default data fsync policy -# (see later in the config file) Redis can lose just one second of writes in a -# dramatic event like a server power outage, or a single write if something -# wrong with the Redis process itself happens, but the operating system is -# still running correctly. -# -# AOF and RDB persistence can be enabled at the same time without problems. -# If the AOF is enabled on startup Redis will load the AOF, that is the file -# with the better durability guarantees. -# -# Please check http://redis.io/topics/persistence for more information. - -# OE: changed default to enable this -appendonly yes - -# The name of the append only file (default: "appendonly.aof") - -appendfilename "appendonly.aof" - -# The fsync() call tells the Operating System to actually write data on disk -# instead of waiting for more data in the output buffer. Some OS will really flush -# data on disk, some other OS will just try to do it ASAP. -# -# Redis supports three different modes: -# -# no: don't fsync, just let the OS flush the data when it wants. Faster. -# always: fsync after every write to the append only log. Slow, Safest. -# everysec: fsync only one time every second. Compromise. -# -# The default is "everysec", as that's usually the right compromise between -# speed and data safety. It's up to you to understand if you can relax this to -# "no" that will let the operating system flush the output buffer when -# it wants, for better performances (but if you can live with the idea of -# some data loss consider the default persistence mode that's snapshotting), -# or on the contrary, use "always" that's very slow but a bit safer than -# everysec. 
-# -# More details please check the following article: -# http://antirez.com/post/redis-persistence-demystified.html -# -# If unsure, use "everysec". - -# appendfsync always -appendfsync everysec -# appendfsync no - -# When the AOF fsync policy is set to always or everysec, and a background -# saving process (a background save or AOF log background rewriting) is -# performing a lot of I/O against the disk, in some Linux configurations -# Redis may block too long on the fsync() call. Note that there is no fix for -# this currently, as even performing fsync in a different thread will block -# our synchronous write(2) call. -# -# In order to mitigate this problem it's possible to use the following option -# that will prevent fsync() from being called in the main process while a -# BGSAVE or BGREWRITEAOF is in progress. -# -# This means that while another child is saving, the durability of Redis is -# the same as "appendfsync none". In practical terms, this means that it is -# possible to lose up to 30 seconds of log in the worst scenario (with the -# default Linux settings). -# -# If you have latency problems turn this to "yes". Otherwise leave it as -# "no" that is the safest pick from the point of view of durability. - -no-appendfsync-on-rewrite no - -# Automatic rewrite of the append only file. -# Redis is able to automatically rewrite the log file implicitly calling -# BGREWRITEAOF when the AOF log size grows by the specified percentage. -# -# This is how it works: Redis remembers the size of the AOF file after the -# latest rewrite (if no rewrite has happened since the restart, the size of -# the AOF at startup is used). -# -# This base size is compared to the current size. If the current size is -# bigger than the specified percentage, the rewrite is triggered. Also -# you need to specify a minimal size for the AOF file to be rewritten, this -# is useful to avoid rewriting the AOF file even if the percentage increase -# is reached but it is still pretty small. 
-# -# Specify a percentage of zero in order to disable the automatic AOF -# rewrite feature. - -auto-aof-rewrite-percentage 100 -auto-aof-rewrite-min-size 64mb - -# An AOF file may be found to be truncated at the end during the Redis -# startup process, when the AOF data gets loaded back into memory. -# This may happen when the system where Redis is running -# crashes, especially when an ext4 filesystem is mounted without the -# data=ordered option (however this can't happen when Redis itself -# crashes or aborts but the operating system still works correctly). -# -# Redis can either exit with an error when this happens, or load as much -# data as possible (the default now) and start if the AOF file is found -# to be truncated at the end. The following option controls this behavior. -# -# If aof-load-truncated is set to yes, a truncated AOF file is loaded and -# the Redis server starts emitting a log to inform the user of the event. -# Otherwise if the option is set to no, the server aborts with an error -# and refuses to start. When the option is set to no, the user requires -# to fix the AOF file using the "redis-check-aof" utility before to restart -# the server. -# -# Note that if the AOF file will be found to be corrupted in the middle -# the server will still exit with an error. This option only applies when -# Redis will try to read more data from the AOF file but not enough bytes -# will be found. -aof-load-truncated yes - -# When rewriting the AOF file, Redis is able to use an RDB preamble in the -# AOF file for faster rewrites and recoveries. When this option is turned -# on the rewritten AOF file is composed of two different stanzas: -# -# [RDB file][AOF tail] -# -# When loading Redis recognizes that the AOF file starts with the "REDIS" -# string and loads the prefixed RDB file, and continues loading the AOF -# tail. 
-# -# This is currently turned off by default in order to avoid the surprise -# of a format change, but will at some point be used as the default. -aof-use-rdb-preamble no - -################################ LUA SCRIPTING ############################### - -# Max execution time of a Lua script in milliseconds. -# -# If the maximum execution time is reached Redis will log that a script is -# still in execution after the maximum allowed time and will start to -# reply to queries with an error. -# -# When a long running script exceeds the maximum execution time only the -# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be -# used to stop a script that did not yet called write commands. The second -# is the only way to shut down the server in the case a write command was -# already issued by the script but the user doesn't want to wait for the natural -# termination of the script. -# -# Set it to 0 or a negative value for unlimited execution without warnings. -lua-time-limit 5000 - -################################ REDIS CLUSTER ############################### -# -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however -# in order to mark it as "mature" we need to wait for a non trivial percentage -# of users to deploy it in production. -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# -# Normal Redis instances can't be part of a Redis Cluster; only nodes that are -# started as cluster nodes can. In order to start a Redis instance as a -# cluster node enable the cluster support uncommenting the following: -# -# cluster-enabled yes - -# Every cluster node has a cluster configuration file. This file is not -# intended to be edited by hand. It is created and updated by Redis nodes. -# Every Redis Cluster node requires a different cluster configuration file. 
-# Make sure that instances running in the same system do not have -# overlapping cluster configuration file names. -# -# cluster-config-file nodes-6379.conf - -# Cluster node timeout is the amount of milliseconds a node must be unreachable -# for it to be considered in failure state. -# Most other internal time limits are multiple of the node timeout. -# -# cluster-node-timeout 15000 - -# A slave of a failing master will avoid to start a failover if its data -# looks too old. -# -# There is no simple way for a slave to actually have an exact measure of -# its "data age", so the following two checks are performed: -# -# 1) If there are multiple slaves able to failover, they exchange messages -# in order to try to give an advantage to the slave with the best -# replication offset (more data from the master processed). -# Slaves will try to get their rank by offset, and apply to the start -# of the failover a delay proportional to their rank. -# -# 2) Every single slave computes the time of the last interaction with -# its master. This can be the last ping or command received (if the master -# is still in the "connected" state), or the time that elapsed since the -# disconnection with the master (if the replication link is currently down). -# If the last interaction is too old, the slave will not try to failover -# at all. -# -# The point "2" can be tuned by user. Specifically a slave will not perform -# the failover if, since the last interaction with the master, the time -# elapsed is greater than: -# -# (node-timeout * slave-validity-factor) + repl-ping-slave-period -# -# So for example if node-timeout is 30 seconds, and the slave-validity-factor -# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the -# slave will not try to failover if it was not able to talk with the master -# for longer than 310 seconds. 
-# -# A large slave-validity-factor may allow slaves with too old data to failover -# a master, while a too small value may prevent the cluster from being able to -# elect a slave at all. -# -# For maximum availability, it is possible to set the slave-validity-factor -# to a value of 0, which means, that slaves will always try to failover the -# master regardless of the last time they interacted with the master. -# (However they'll always try to apply a delay proportional to their -# offset rank). -# -# Zero is the only value able to guarantee that when all the partitions heal -# the cluster will always be able to continue. -# -# cluster-slave-validity-factor 10 - -# Cluster slaves are able to migrate to orphaned masters, that are masters -# that are left without working slaves. This improves the cluster ability -# to resist to failures as otherwise an orphaned master can't be failed over -# in case of failure if it has no working slaves. -# -# Slaves migrate to orphaned masters only if there are still at least a -# given number of other working slaves for their old master. This number -# is the "migration barrier". A migration barrier of 1 means that a slave -# will migrate only if there is at least 1 other working slave for its master -# and so forth. It usually reflects the number of slaves you want for every -# master in your cluster. -# -# Default is 1 (slaves migrate only if their masters remain with at least -# one slave). To disable migration just set it to a very large value. -# A value of 0 can be set but is useful only for debugging and dangerous -# in production. -# -# cluster-migration-barrier 1 - -# By default Redis Cluster nodes stop accepting queries if they detect there -# is at least an hash slot uncovered (no available node is serving it). -# This way if the cluster is partially down (for example a range of hash slots -# are no longer covered) all the cluster becomes, eventually, unavailable. 
-# It automatically returns available as soon as all the slots are covered again. -# -# However sometimes you want the subset of the cluster which is working, -# to continue to accept queries for the part of the key space that is still -# covered. In order to do so, just set the cluster-require-full-coverage -# option to no. -# -# cluster-require-full-coverage yes - -# In order to setup your cluster make sure to read the documentation -# available at http://redis.io web site. - -########################## CLUSTER DOCKER/NAT support ######################## - -# In certain deployments, Redis Cluster nodes address discovery fails, because -# addresses are NAT-ted or because ports are forwarded (the typical case is -# Docker and other containers). -# -# In order to make Redis Cluster working in such environments, a static -# configuration where each node knows its public address is needed. The -# following two options are used for this scope, and are: -# -# * cluster-announce-ip -# * cluster-announce-port -# * cluster-announce-bus-port -# -# Each instruct the node about its address, client port, and cluster message -# bus port. The information is then published in the header of the bus packets -# so that other nodes will be able to correctly map the address of the node -# publishing the information. -# -# If the above options are not used, the normal Redis Cluster auto-detection -# will be used instead. -# -# Note that when remapped, the bus port may not be at the fixed offset of -# clients port + 10000, so you can specify any port and bus-port depending -# on how they get remapped. If the bus-port is not set, a fixed offset of -# 10000 will be used as usually. -# -# Example: -# -# cluster-announce-ip 10.1.1.5 -# cluster-announce-port 6379 -# cluster-announce-bus-port 6380 - -################################## SLOW LOG ################################### - -# The Redis Slow Log is a system to log queries that exceeded a specified -# execution time. 
The execution time does not include the I/O operations -# like talking with the client, sending the reply and so forth, -# but just the time needed to actually execute the command (this is the only -# stage of command execution where the thread is blocked and can not serve -# other requests in the meantime). -# -# You can configure the slow log with two parameters: one tells Redis -# what is the execution time, in microseconds, to exceed in order for the -# command to get logged, and the other parameter is the length of the -# slow log. When a new command is logged the oldest one is removed from the -# queue of logged commands. - -# The following time is expressed in microseconds, so 1000000 is equivalent -# to one second. Note that a negative number disables the slow log, while -# a value of zero forces the logging of every command. -slowlog-log-slower-than 10000 - -# There is no limit to this length. Just be aware that it will consume memory. -# You can reclaim memory used by the slow log with SLOWLOG RESET. -slowlog-max-len 128 - -################################ LATENCY MONITOR ############################## - -# The Redis latency monitoring subsystem samples different operations -# at runtime in order to collect data related to possible sources of -# latency of a Redis instance. -# -# Via the LATENCY command this information is available to the user that can -# print graphs and obtain reports. -# -# The system only logs operations that were performed in a time equal or -# greater than the amount of milliseconds specified via the -# latency-monitor-threshold configuration directive. When its value is set -# to zero, the latency monitor is turned off. -# -# By default latency monitoring is disabled since it is mostly not needed -# if you don't have latency issues, and collecting data has a performance -# impact, that while very small, can be measured under big load. 
Latency -# monitoring can easily be enabled at runtime using the command -# "CONFIG SET latency-monitor-threshold " if needed. -latency-monitor-threshold 0 - -############################# EVENT NOTIFICATION ############################## - -# Redis can notify Pub/Sub clients about events happening in the key space. -# This feature is documented at http://redis.io/topics/notifications -# -# For instance if keyspace events notification is enabled, and a client -# performs a DEL operation on key "foo" stored in the Database 0, two -# messages will be published via Pub/Sub: -# -# PUBLISH __keyspace@0__:foo del -# PUBLISH __keyevent@0__:del foo -# -# It is possible to select the events that Redis will notify among a set -# of classes. Every class is identified by a single character: -# -# K Keyspace events, published with __keyspace@__ prefix. -# E Keyevent events, published with __keyevent@__ prefix. -# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... -# $ String commands -# l List commands -# s Set commands -# h Hash commands -# z Sorted set commands -# x Expired events (events generated every time a key expires) -# e Evicted events (events generated when a key is evicted for maxmemory) -# A Alias for g$lshzxe, so that the "AKE" string means all the events. -# -# The "notify-keyspace-events" takes as argument a string that is composed -# of zero or multiple characters. The empty string means that notifications -# are disabled. -# -# Example: to enable list and generic events, from the point of view of the -# event name, use: -# -# notify-keyspace-events Elg -# -# Example 2: to get the stream of the expired keys subscribing to channel -# name __keyevent@0__:expired use: -# -# notify-keyspace-events Ex -# -# By default all notifications are disabled because most users don't need -# this feature and the feature has some overhead. Note that if you don't -# specify at least one of K or E, no events will be delivered. 
-notify-keyspace-events "" - -############################### ADVANCED CONFIG ############################### - -# Hashes are encoded using a memory efficient data structure when they have a -# small number of entries, and the biggest entry does not exceed a given -# threshold. These thresholds can be configured using the following directives. -hash-max-ziplist-entries 512 -hash-max-ziplist-value 64 - -# Lists are also encoded in a special way to save a lot of space. -# The number of entries allowed per internal list node can be specified -# as a fixed maximum size or a maximum number of elements. -# For a fixed maximum size, use -5 through -1, meaning: -# -5: max size: 64 Kb <-- not recommended for normal workloads -# -4: max size: 32 Kb <-- not recommended -# -3: max size: 16 Kb <-- probably not recommended -# -2: max size: 8 Kb <-- good -# -1: max size: 4 Kb <-- good -# Positive numbers mean store up to _exactly_ that number of elements -# per list node. -# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), -# but if your use case is unique, adjust the settings as necessary. -list-max-ziplist-size -2 - -# Lists may also be compressed. -# Compress depth is the number of quicklist ziplist nodes from *each* side of -# the list to *exclude* from compression. The head and tail of the list -# are always uncompressed for fast push/pop operations. Settings are: -# 0: disable all list compression -# 1: depth 1 means "don't start compressing until after 1 node into the list, -# going from either the head or tail" -# So: [head]->node->node->...->node->[tail] -# [head], [tail] will always be uncompressed; inner nodes will compress. -# 2: [head]->[next]->node->node->...->node->[prev]->[tail] -# 2 here means: don't compress head or head->next or tail->prev or tail, -# but compress all nodes between them. -# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail] -# etc. 
-list-compress-depth 0 - -# Sets have a special encoding in just one case: when a set is composed -# of just strings that happen to be integers in radix 10 in the range -# of 64 bit signed integers. -# The following configuration setting sets the limit in the size of the -# set in order to use this special memory saving encoding. -set-max-intset-entries 512 - -# Similarly to hashes and lists, sorted sets are also specially encoded in -# order to save a lot of space. This encoding is only used when the length and -# elements of a sorted set are below the following limits: -zset-max-ziplist-entries 128 -zset-max-ziplist-value 64 - -# HyperLogLog sparse representation bytes limit. The limit includes the -# 16 bytes header. When an HyperLogLog using the sparse representation crosses -# this limit, it is converted into the dense representation. -# -# A value greater than 16000 is totally useless, since at that point the -# dense representation is more memory efficient. -# -# The suggested value is ~ 3000 in order to have the benefits of -# the space efficient encoding without slowing down too much PFADD, -# which is O(N) with the sparse encoding. The value can be raised to -# ~ 10000 when CPU is not a concern, but space is, and the data set is -# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. -hll-sparse-max-bytes 3000 - -# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in -# order to help rehashing the main Redis hash table (the one mapping top-level -# keys to values). The hash table implementation Redis uses (see dict.c) -# performs a lazy rehashing: the more operation you run into a hash table -# that is rehashing, the more rehashing "steps" are performed, so if the -# server is idle the rehashing is never complete and some more memory is used -# by the hash table. -# -# The default is to use this millisecond 10 times every second in order to -# actively rehash the main dictionaries, freeing memory when possible. 
-# -# If unsure: -# use "activerehashing no" if you have hard latency requirements and it is -# not a good thing in your environment that Redis can reply from time to time -# to queries with 2 milliseconds delay. -# -# use "activerehashing yes" if you don't have such hard requirements but -# want to free memory asap when possible. -activerehashing yes - -# The client output buffer limits can be used to force disconnection of clients -# that are not reading data from the server fast enough for some reason (a -# common reason is that a Pub/Sub client can't consume messages as fast as the -# publisher can produce them). -# -# The limit can be set differently for the three different classes of clients: -# -# normal -> normal clients including MONITOR clients -# slave -> slave clients -# pubsub -> clients subscribed to at least one pubsub channel or pattern -# -# The syntax of every client-output-buffer-limit directive is the following: -# -# client-output-buffer-limit -# -# A client is immediately disconnected once the hard limit is reached, or if -# the soft limit is reached and remains reached for the specified number of -# seconds (continuously). -# So for instance if the hard limit is 32 megabytes and the soft limit is -# 16 megabytes / 10 seconds, the client will get disconnected immediately -# if the size of the output buffers reach 32 megabytes, but will also get -# disconnected if the client reaches 16 megabytes and continuously overcomes -# the limit for 10 seconds. -# -# By default normal clients are not limited because they don't receive data -# without asking (in a push way), but just after a request, so only -# asynchronous clients may create a scenario where data is requested faster -# than it can read. -# -# Instead there is a default limit for pubsub and slave clients, since -# subscribers and slaves receive data in a push fashion. -# -# Both the hard or the soft limit can be disabled by setting them to zero. 
-client-output-buffer-limit normal 0 0 0 -client-output-buffer-limit slave 256mb 64mb 60 -client-output-buffer-limit pubsub 32mb 8mb 60 - -# Client query buffers accumulate new commands. They are limited to a fixed -# amount by default in order to avoid that a protocol desynchronization (for -# instance due to a bug in the client) will lead to unbound memory usage in -# the query buffer. However you can configure it here if you have very special -# needs, such us huge multi/exec requests or alike. -# -# client-query-buffer-limit 1gb - -# In the Redis protocol, bulk requests, that are, elements representing single -# strings, are normally limited ot 512 mb. However you can change this limit -# here. -# -# proto-max-bulk-len 512mb - -# Redis calls an internal function to perform many background tasks, like -# closing connections of clients in timeout, purging expired keys that are -# never requested, and so forth. -# -# Not all tasks are performed with the same frequency, but Redis checks for -# tasks to perform according to the specified "hz" value. -# -# By default "hz" is set to 10. Raising the value will use more CPU when -# Redis is idle, but at the same time will make Redis more responsive when -# there are many keys expiring at the same time, and timeouts may be -# handled with more precision. -# -# The range is between 1 and 500, however a value over 100 is usually not -# a good idea. Most users should use the default of 10 and raise this up to -# 100 only in environments where very low latency is required. -hz 10 - -# When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 32 MB of data generated. This is useful -# in order to commit the file to the disk more incrementally and avoid -# big latency spikes. -aof-rewrite-incremental-fsync yes - -# Redis LFU eviction (see maxmemory setting) can be tuned. 
However it is a good -# idea to start with the default settings and only change them after investigating -# how to improve the performances and how the keys LFU change over time, which -# is possible to inspect via the OBJECT FREQ command. -# -# There are two tunable parameters in the Redis LFU implementation: the -# counter logarithm factor and the counter decay time. It is important to -# understand what the two parameters mean before changing them. -# -# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis -# uses a probabilistic increment with logarithmic behavior. Given the value -# of the old counter, when a key is accessed, the counter is incremented in -# this way: -# -# 1. A random number R between 0 and 1 is extracted. -# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1). -# 3. The counter is incremented only if R < P. -# -# The default lfu-log-factor is 10. This is a table of how the frequency -# counter changes with a different number of accesses with different -# logarithmic factors: -# -# +--------+------------+------------+------------+------------+------------+ -# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | -# +--------+------------+------------+------------+------------+------------+ -# | 0 | 104 | 255 | 255 | 255 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# | 1 | 18 | 49 | 255 | 255 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# | 10 | 10 | 18 | 142 | 255 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# | 100 | 8 | 11 | 49 | 143 | 255 | -# +--------+------------+------------+------------+------------+------------+ -# -# NOTE: The above table was obtained by running the following commands: -# -# redis-benchmark -n 1000000 incr foo -# redis-cli object freq foo -# -# NOTE 2: The counter initial value is 5 in order to give new objects a chance -# to accumulate 
hits. -# -# The counter decay time is the time, in minutes, that must elapse in order -# for the key counter to be divided by two (or decremented if it has a value -# less <= 10). -# -# The default value for the lfu-decay-time is 1. A Special value of 0 means to -# decay the counter every time it happens to be scanned. -# -# lfu-log-factor 10 -# lfu-decay-time 1 - -########################### ACTIVE DEFRAGMENTATION ####################### -# -# WARNING THIS FEATURE IS EXPERIMENTAL. However it was stress tested -# even in production and manually tested by multiple engineers for some -# time. -# -# What is active defragmentation? -# ------------------------------- -# -# Active (online) defragmentation allows a Redis server to compact the -# spaces left between small allocations and deallocations of data in memory, -# thus allowing to reclaim back memory. -# -# Fragmentation is a natural process that happens with every allocator (but -# less so with Jemalloc, fortunately) and certain workloads. Normally a server -# restart is needed in order to lower the fragmentation, or at least to flush -# away all the data and create it again. However thanks to this feature -# implemented by Oran Agra for Redis 4.0 this process can happen at runtime -# in an "hot" way, while the server is running. -# -# Basically when the fragmentation is over a certain level (see the -# configuration options below) Redis will start to create new copies of the -# values in contiguous memory regions by exploiting certain specific Jemalloc -# features (in order to understand if an allocation is causing fragmentation -# and to allocate it in a better place), and at the same time, will release the -# old copies of the data. This process, repeated incrementally for all the keys -# will cause the fragmentation to drop back to normal values. -# -# Important things to understand: -# -# 1. 
This feature is disabled by default, and only works if you compiled Redis -# to use the copy of Jemalloc we ship with the source code of Redis. -# This is the default with Linux builds. -# -# 2. You never need to enable this feature if you don't have fragmentation -# issues. -# -# 3. Once you experience fragmentation, you can enable this feature when -# needed with the command "CONFIG SET activedefrag yes". -# -# The configuration parameters are able to fine tune the behavior of the -# defragmentation process. If you are not sure about what they mean it is -# a good idea to leave the defaults untouched. - -# Enabled active defragmentation -# activedefrag yes - -# Minimum amount of fragmentation waste to start active defrag -# active-defrag-ignore-bytes 100mb - -# Minimum percentage of fragmentation to start active defrag -# active-defrag-threshold-lower 10 - -# Maximum percentage of fragmentation at which we use maximum effort -# active-defrag-threshold-upper 100 - -# Minimal effort for defrag in CPU percentage -# active-defrag-cycle-min 25 - -# Maximal effort for defrag in CPU percentage -# active-defrag-cycle-max 75 diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.service b/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.service deleted file mode 100644 index a52204cc70..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis-7/redis.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Redis In-Memory Data Store -After=network.target - -[Service] -User=redis -Group=redis -ExecStart=/usr/bin/redis-server /etc/redis/redis.conf -ExecStop=/usr/bin/redis-cli shutdown -Restart=always -LimitNOFILE=10032 -Type=notify - -[Install] -WantedBy=multi-user.target - diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.12.bb deleted file mode 100644 index 3ed6867816..0000000000 
--- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ /dev/null 
@@ -1,66 +0,0 @@ -SUMMARY = "Redis key-value store" -DESCRIPTION = "Redis is an open source, advanced key-value store." -HOMEPAGE = "http://redis.io" -SECTION = "libs" -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://COPYING;md5=8ffdd6c926faaece928cf9d9640132d2" -DEPENDS = "readline lua ncurses" - -SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ - file://redis.conf \ - file://init-redis-server \ - file://redis.service \ - file://hiredis-use-default-CC-if-it-is-set.patch \ - file://lua-update-Makefile-to-use-environment-build-setting.patch \ - file://oe-use-libc-malloc.patch \ - file://0001-src-Do-not-reset-FINAL_LIBS.patch \ - file://GNU_SOURCE.patch \ - file://0006-Define-correct-gregs-for-RISCV32.patch \ - " -SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b" - -inherit autotools-brokensep update-rc.d systemd useradd - -FINAL_LIBS:x86:toolchain-clang = "-latomic" -FINAL_LIBS:riscv32:toolchain-clang = "-latomic" -FINAL_LIBS:mips = "-latomic" -FINAL_LIBS:arm = "-latomic" -FINAL_LIBS:powerpc = "-latomic" - -export FINAL_LIBS - -USERADD_PACKAGES = "${PN}" -USERADD_PARAM:${PN} = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis" -GROUPADD_PARAM:${PN} = "--system redis" - -REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}" - -do_compile:prepend() { - (cd deps && oe_runmake hiredis lua linenoise) -} - -do_install() { - export PREFIX=${D}/${prefix} - oe_runmake install - install -d ${D}/${sysconfdir}/redis - install -m 0644 ${WORKDIR}/redis.conf ${D}/${sysconfdir}/redis/redis.conf - install -d ${D}/${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server - install -d ${D}/var/lib/redis/ - chown redis.redis ${D}/var/lib/redis/ - - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_system_unitdir} - sed -i 's!/usr/sbin/!${sbindir}/!g' 
${D}${systemd_system_unitdir}/redis.service - - if [ "${REDIS_ON_SYSTEMD}" = true ]; then - sed -i 's!daemonize yes!# daemonize yes!' ${D}/${sysconfdir}/redis/redis.conf - fi -} - -CONFFILES:${PN} = "${sysconfdir}/redis/redis.conf" - -INITSCRIPT_NAME = "redis-server" -INITSCRIPT_PARAMS = "defaults 87" - -SYSTEMD_SERVICE:${PN} = "redis.service" diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb new file mode 100644 index 0000000000..640831c525 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb 
@@ -0,0 +1,66 @@ +SUMMARY = "Redis key-value store" +DESCRIPTION = "Redis is an open source, advanced key-value store." +HOMEPAGE = "http://redis.io" +SECTION = "libs" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ffdd6c926faaece928cf9d9640132d2" +DEPENDS = "readline lua ncurses" + +SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ + file://redis.conf \ + file://init-redis-server \ + file://redis.service \ + file://hiredis-use-default-CC-if-it-is-set.patch \ + file://lua-update-Makefile-to-use-environment-build-setting.patch \ + file://oe-use-libc-malloc.patch \ + file://0001-src-Do-not-reset-FINAL_LIBS.patch \ + file://GNU_SOURCE.patch \ + file://0006-Define-correct-gregs-for-RISCV32.patch \ + " +SRC_URI[sha256sum] = "89ff27c80d420456a721ccfb3beb7cc628d883c53059803513749e13214a23d1" + +inherit autotools-brokensep update-rc.d systemd useradd + +FINAL_LIBS:x86:toolchain-clang = "-latomic" +FINAL_LIBS:riscv32:toolchain-clang = "-latomic" +FINAL_LIBS:mips = "-latomic" +FINAL_LIBS:arm = "-latomic" +FINAL_LIBS:powerpc = "-latomic" + +export FINAL_LIBS + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM:${PN} = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis" +GROUPADD_PARAM:${PN} = "--system redis" + +REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}" + +do_compile:prepend() { + (cd deps && oe_runmake hiredis lua linenoise) +} + +do_install() { + export PREFIX=${D}/${prefix} + oe_runmake install + install -d ${D}/${sysconfdir}/redis + install -m 0644 ${WORKDIR}/redis.conf ${D}/${sysconfdir}/redis/redis.conf + install -d ${D}/${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server + install -d ${D}/var/lib/redis/ + chown redis.redis ${D}/var/lib/redis/ + + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_system_unitdir} + sed -i 's!/usr/sbin/!${sbindir}/!g' 
${D}${systemd_system_unitdir}/redis.service + + if [ "${REDIS_ON_SYSTEMD}" = true ]; then + sed -i 's!daemonize yes!# daemonize yes!' ${D}/${sysconfdir}/redis/redis.conf + fi +} + +CONFFILES:${PN} = "${sysconfdir}/redis/redis.conf" + +INITSCRIPT_NAME = "redis-server" +INITSCRIPT_PARAMS = "defaults 87" + +SYSTEMD_SERVICE:${PN} = "redis.service" diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.11.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.11.bb deleted file mode 100644 index 4626044781..0000000000 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.11.bb +++ /dev/null 
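Review bot: in redis_6.2.13.bb do_install, `install -d ${D}/var/lib/redis/` followed by `chown redis.redis ${D}/var/lib/redis/` leaves the data directory at install's default mode 0755, so the RDB/AOF dumps the server writes there are world-readable on the target; create it with an explicit mode, e.g. `install -d -m 0750 ${D}/var/lib/redis/`, and write the owner as `redis:redis`, since the `user.group` dot form is deprecated in coreutils chown. The same applies to `install -m 0644 ${WORKDIR}/redis.conf ${D}/${sysconfdir}/redis/redis.conf`: that file is where `requirepass` and `masterauth` end up if the image sets them, so 0640 root:redis is the safer default for a CONFFILES entry. Both lines are carried over verbatim from redis_6.2.12.bb, so this is pre-existing rather than a regression of the bump, but the rename is the natural place to fix it. Minor: the tarball is fetched over plain http:// from download.redis.io; SRC_URI[sha256sum] keeps that integrity-safe, but https would turn a tampered download into a clean fetch failure instead of a checksum mismatch.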
@@ -1,72 +0,0 @@ -SUMMARY = "Redis key-value store" -DESCRIPTION = "Redis is an open source, advanced key-value store." -HOMEPAGE = "http://redis.io" -SECTION = "libs" -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://COPYING;md5=8ffdd6c926faaece928cf9d9640132d2" -DEPENDS = "readline lua ncurses" - -FILESPATH =. "${FILE_DIRNAME}/${BPN}-7:" - -SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ - file://redis.conf \ - file://init-redis-server \ - file://redis.service \ - file://hiredis-use-default-CC-if-it-is-set.patch \ - file://lua-update-Makefile-to-use-environment-build-setting.patch \ - file://oe-use-libc-malloc.patch \ - file://0001-src-Do-not-reset-FINAL_LIBS.patch \ - file://GNU_SOURCE-7.patch \ - file://0006-Define-correct-gregs-for-RISCV32.patch \ - " -SRC_URI[sha256sum] = "ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e35017ba39b07221e3" - -inherit autotools-brokensep update-rc.d systemd useradd - -FINAL_LIBS:x86:toolchain-clang = "-latomic" -FINAL_LIBS:riscv32:toolchain-clang = "-latomic" -FINAL_LIBS:mips = "-latomic" -FINAL_LIBS:arm = "-latomic" -FINAL_LIBS:powerpc = "-latomic" - -export FINAL_LIBS - -USERADD_PACKAGES = "${PN}" -USERADD_PARAM:${PN} = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis" -GROUPADD_PARAM:${PN} = "--system redis" - -PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" -PACKAGECONFIG[systemd] = "USE_SYSTEMD=yes,USE_SYSTEMD=no,systemd" - -EXTRA_OEMAKE += "${PACKAGECONFIG_CONFARGS}" - -do_compile:prepend() { - (cd deps && oe_runmake hiredis lua linenoise) -} - -do_install() { - export PREFIX=${D}/${prefix} - oe_runmake install - install -d ${D}/${sysconfdir}/redis - install -m 0644 ${WORKDIR}/redis.conf ${D}/${sysconfdir}/redis/redis.conf - install -d ${D}/${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server - install -d ${D}/var/lib/redis/ - chown redis.redis ${D}/var/lib/redis/ - - install -d ${D}${systemd_system_unitdir} - 
install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_system_unitdir} - sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${systemd_system_unitdir}/redis.service - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - sed -i 's!daemonize yes!# daemonize yes!' ${D}/${sysconfdir}/redis/redis.conf - sed -i 's!supervised no!supervised systemd!' ${D}/${sysconfdir}/redis/redis.conf - fi -} - -CONFFILES:${PN} = "${sysconfdir}/redis/redis.conf" - -INITSCRIPT_NAME = "redis-server" -INITSCRIPT_PARAMS = "defaults 87" - -SYSTEMD_SERVICE:${PN} = "redis.service" diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.12.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.12.bb new file mode 100644 index 0000000000..321b90dadf --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_7.0.12.bb 
@@ -0,0 +1,70 @@ +SUMMARY = "Redis key-value store" +DESCRIPTION = "Redis is an open source, advanced key-value store." +HOMEPAGE = "http://redis.io" +SECTION = "libs" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ffdd6c926faaece928cf9d9640132d2" +DEPENDS = "readline lua ncurses" + +SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ + file://redis.conf \ + file://init-redis-server \ + file://redis.service \ + file://hiredis-use-default-CC-if-it-is-set.patch \ + file://lua-update-Makefile-to-use-environment-build-setting.patch \ + file://oe-use-libc-malloc.patch \ + file://0001-src-Do-not-reset-FINAL_LIBS.patch \ + file://GNU_SOURCE-7.patch \ + file://0006-Define-correct-gregs-for-RISCV32.patch \ + " +SRC_URI[sha256sum] = "9dd83d5b278bb2bf0e39bfeb75c3e8170024edbaf11ba13b7037b2945cf48ab7" + +inherit autotools-brokensep update-rc.d systemd useradd + +FINAL_LIBS:x86:toolchain-clang = "-latomic" +FINAL_LIBS:riscv32:toolchain-clang = "-latomic" +FINAL_LIBS:mips = "-latomic" +FINAL_LIBS:arm = "-latomic" +FINAL_LIBS:powerpc = "-latomic" + +export FINAL_LIBS + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM:${PN} = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis" +GROUPADD_PARAM:${PN} = "--system redis" + +PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" +PACKAGECONFIG[systemd] = "USE_SYSTEMD=yes,USE_SYSTEMD=no,systemd" + +EXTRA_OEMAKE += "${PACKAGECONFIG_CONFARGS}" + +do_compile:prepend() { + (cd deps && oe_runmake hiredis lua linenoise) +} + +do_install() { + export PREFIX=${D}/${prefix} + oe_runmake install + install -d ${D}/${sysconfdir}/redis + install -m 0644 ${WORKDIR}/redis.conf ${D}/${sysconfdir}/redis/redis.conf + install -d ${D}/${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server + install -d ${D}/var/lib/redis/ + chown redis.redis ${D}/var/lib/redis/ + + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/redis.service 
${D}${systemd_system_unitdir} + sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${systemd_system_unitdir}/redis.service + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + sed -i 's!daemonize yes!# daemonize yes!' ${D}/${sysconfdir}/redis/redis.conf + sed -i 's!supervised no!supervised systemd!' ${D}/${sysconfdir}/redis/redis.conf + fi +} + +CONFFILES:${PN} = "${sysconfdir}/redis/redis.conf" + +INITSCRIPT_NAME = "redis-server" +INITSCRIPT_PARAMS = "defaults 87" + +SYSTEMD_SERVICE:${PN} = "redis.service" diff --git a/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc b/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc index 01f4a572f8..e05e35fe0e 100644 --- a/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc +++ b/meta-openembedded/meta-oe/recipes-graphics/vk-gl-cts/khronos-cts.inc @@ -21,7 +21,7 @@ S = "${WORKDIR}/git" inherit pkgconfig cmake features_check python3native qemu -ANY_OF_DISTRO_FEATURES += "opengl wayland" +ANY_OF_DISTRO_FEATURES += "opengl vulkan" DEPENDS += "python3-lxml-native libpng zlib virtual/libgles2 qemu-native" @@ -72,9 +72,9 @@ python __anonymous() { distrofeatures = (d.getVar("DISTRO_FEATURES") or "") if not bb.utils.contains_any("PACKAGECONFIG", ["surfaceless", "wayland", "x11_egl", "x11_glx", "x11_egl_glx"], True, False, d): if "wayland" in distrofeatures: - d.appendVar("DEPENDS", " wayland-native wayland wayland-protocols") + d.appendVar("DEPENDS", " wayland-native ${MLPREFIX}wayland ${MLPREFIX}wayland-protocols") if "x11" in distrofeatures: - d.appendVar("DEPENDS", " virtual/libx11 virtual/egl ") + d.appendVar("DEPENDS", " virtual/${MLPREFIX}libx11 virtual/${MLPREFIX}egl ") } CTSDIR = "/usr/lib/${BPN}" diff --git a/meta-openembedded/meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch new file mode 100644 index 0000000000..fbdb9123cc --- /dev/null 
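Review bot: in redis_7.0.12.bb the `if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then` block rewrites redis.conf to `supervised systemd`, while the build-side switch is `PACKAGECONFIG[systemd] = "USE_SYSTEMD=yes,USE_SYSTEMD=no,systemd"` keyed on PACKAGECONFIG. They agree only because PACKAGECONFIG defaults to the DISTRO_FEATURES filter; a user who does `PACKAGECONFIG:remove = "systemd"` on a systemd distro gets a binary built with USE_SYSTEMD=no and a config that asks for systemd supervision. Keying the sed on the same variable, `if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then`, keeps the two in step. As in the 6.2 recipe, `install -d ${D}/var/lib/redis/` plus `chown redis.redis` leaves the data directory world-readable and uses the deprecated dot form; `install -d -m 0750` and `redis:redis` are the fix.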
+++ b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch @@ -0,0 +1,27 @@ +CVE: CVE-2020-29074 +Upstream-Status: Backport [https://github.com/LibVNC/x11vnc/commit/69eeb9f7baa14ca03b16c9de821f9876def7a36a ] +Signed-off-by: Lee Chee Yang + + +From 69eeb9f7baa14ca03b16c9de821f9876def7a36a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Gu=C3=A9nal=20DAVALAN?= +Date: Wed, 18 Nov 2020 08:40:45 +0100 +Subject: [PATCH] scan: limit access to shared memory segments to current user + +--- + src/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/scan.c b/src/scan.c +index 43e00d20..12994d52 100644 +--- a/src/scan.c ++++ b/src/scan.c +@@ -320,7 +320,7 @@ static int shm_create(XShmSegmentInfo *shm, XImage **ximg_ptr, int w, int h, + + #if HAVE_XSHM + shm->shmid = shmget(IPC_PRIVATE, +- xim->bytes_per_line * xim->height, IPC_CREAT | 0777); ++ xim->bytes_per_line * xim->height, IPC_CREAT | 0600); + + if (shm->shmid == -1) { + rfbErr("shmget(%s) failed.\n", name); diff --git a/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb index 5f7c0beb66..be9ef3cbaa 100644 --- a/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb +++ b/meta-openembedded/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb @@ -12,6 +12,7 @@ PV .= "+git${SRCPV}" SRC_URI = "git://github.com/LibVNC/x11vnc;branch=master;protocol=https \ file://starting-fix.patch \ + file://CVE-2020-29074.patch \ " S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb b/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb index 1aee51f1eb..9517481ee5 100644 --- a/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb +++ b/meta-openembedded/meta-oe/recipes-kernel/libbpf/libbpf_1.1.0.bb 
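Review bot: x11vnc_0.9.16.bb fetches `git://github.com/LibVNC/x11vnc;branch=master` with `PV .= "+git${SRCPV}"`, and the backported commit 69eeb9f7 is dated 18 Nov 2020, so check the recipe's SRCREV against it: if SRCREV is already at or past that commit the new file://CVE-2020-29074.patch will fail in do_patch rather than silently double-apply, and the right change is none at all. If SRCREV predates it, the one-line `IPC_CREAT | 0777` to `IPC_CREAT | 0600` change in scan.c is the complete upstream fix: the IPC_PRIVATE segment is shared only with the X server, which in the normal setup runs as root or as the same user as x11vnc, so owner-only access loses nothing and stops any other local user from attaching to the framebuffer copy. Style: the Upstream-Status link has a stray space before the closing bracket (`...def7a36a ]`); worth cleaning up so status-parsing tools match it.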
@@ -17,6 +17,7 @@ COMPATIBLE_HOST = "(x86_64|i.86|aarch64|riscv64|powerpc64).*-linux" S = "${WORKDIR}/git/src" EXTRA_OEMAKE += "DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir}" +EXTRA_OEMAKE:append:class-native = " UAPIDIR=${includedir}" inherit pkgconfig @@ -28,4 +29,8 @@ do_install() { oe_runmake install } +do_install:append:class-native() { + oe_runmake install_uapi_headers +} + BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb deleted file mode 100644 index bb19ff1bd3..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright (c) 2012-2014 LG Electronics, Inc. -SUMMARY = "c-ares is a C library that resolves names asynchronously." -HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" -SECTION = "libs" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" - -SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https" -SRCREV = "fddf01938d3789e06cc1c3774e4cd0c7d2a89976" - -UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P\d+_(\d_?)+)" - -S = "${WORKDIR}/git" - -inherit cmake pkgconfig - -PACKAGES =+ "${PN}-utils" - -FILES:${PN}-utils = "${bindir}" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.1.bb b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.1.bb new file mode 100644 index 0000000000..1440d72711 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.19.1.bb 
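Review bot: the c-ares_1.19.0.bb to c-ares_1.19.1.bb rename changes only SRCREV (fddf0193 to 6360e96b) and leaves the cmake/pkgconfig setup and the ${PN}-utils split untouched, which is fine, but for a resolver library that parses untrusted DNS responses the commit message should state whether the bump carries security fixes so that downstream CVE tracking (cve-check) and release notes pick it up; as written it is indistinguishable from a routine version bump. Also, since the recipe pins a commit on `branch=main` rather than fetching a release tarball, confirm that 6360e96b is the commit the cares-1_19_1 tag points at and not a later main commit, otherwise the PV understates what is actually built.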
@@ -0,0 +1,21 @@ +# Copyright (c) 2012-2014 LG Electronics, Inc. +SUMMARY = "c-ares is a C library that resolves names asynchronously." +HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" +SECTION = "libs" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" + +SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https" +SRCREV = "6360e96b5cf8e5980c887ce58ef727e53d77243a" + +UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P\d+_(\d_?)+)" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig + +PACKAGES =+ "${PN}-utils" + +FILES:${PN}-utils = "${bindir}" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb b/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb index 1fead4d029..33e8279880 100644 --- a/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb +++ b/meta-openembedded/meta-oe/recipes-support/fftw/fftw_3.3.10.bb @@ -55,7 +55,7 @@ do_configure() { do_compile() { for lib in fftw fftwl fftwf; do cd ${WORKDIR}/build-$lib - sed -i -e 's|${TOOLCHAIN_OPTIONS}||g' config.h + test -n "${TOOLCHAIN_OPTIONS}" && sed -i -e 's|${TOOLCHAIN_OPTIONS}||g' config.h autotools_do_compile done } diff --git a/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb b/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb index a27968079e..9e09b971c9 100644 --- a/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb +++ b/meta-openembedded/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb @@ -13,7 +13,7 @@ LICENSE = "LGPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=56a22a6e5bcce45e2c8ac184f81412b5" SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3" -SRC_URI = "git://git.savannah.gnu.org/git/gnulib.git;branch=master \ +SRC_URI = "git://git.savannah.gnu.org/git/gnulib.git;branch=master;protocol=https \ " S = "${WORKDIR}/git" 
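Review bot: adding `;protocol=https` to gnulib's `git://git.savannah.gnu.org/git/gnulib.git` SRC_URI is the right call and worth doing everywhere a bare git:// fetch remains: the native git protocol is neither encrypted nor authenticated, so a network attacker can serve a different history, and only the pinned SRCREV (0d6e3307...) stood between that and the build; over https the transport is authenticated as well as integrity-checked. The fftw hunk in the same commit is also correct as far as it goes: with an empty TOOLCHAIN_OPTIONS the old `sed -i -e 's|||g' config.h` is an empty regex ("no previous regular expression") and aborts the task under bitbake's `set -e`; the `test -n "${TOOLCHAIN_OPTIONS}" &&` guard fixes that, though `if [ -n "${TOOLCHAIN_OPTIONS}" ]; then ... fi` would read more clearly than relying on `&&` not tripping errexit.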
diff --git a/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser/CVE-2023-33461.patch b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser/CVE-2023-33461.patch new file mode 100644 index 0000000000..ae714c5318 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser/CVE-2023-33461.patch 
@@ -0,0 +1,52 @@ +From ace9871f65d11b5d73f0b9ee8cf5d2807439442d Mon Sep 17 00:00:00 2001 +From: Antonio +Date: Fri, 2 Jun 2023 15:03:10 -0300 +Subject: [PATCH] Handle null return from iniparser_getstring + +Fix handling of NULL returns from iniparser_getstring in +iniparser_getboolean, iniparser_getlongint and iniparser_getdouble, +avoiding a crash. + +CVE: CVE-2023-33461 + +Upstream-Status: Submitted [https://github.com/ndevilla/iniparser/pull/146/commits/ace9871f65d11b5d73f0b9ee8cf5d2807439442d] + +Signed-off-by: Mingli Yu +--- + src/iniparser.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/iniparser.c b/src/iniparser.c +index f1d1658..dbceb20 100644 +--- a/src/iniparser.c ++++ b/src/iniparser.c +@@ -456,7 +456,7 @@ long int iniparser_getlongint(const dictionary * d, const char * key, long int n + const char * str ; + + str = iniparser_getstring(d, key, INI_INVALID_KEY); +- if (str==INI_INVALID_KEY) return notfound ; ++ if (str==NULL || str==INI_INVALID_KEY) return notfound ; + return strtol(str, NULL, 0); + } + +@@ -511,7 +511,7 @@ double iniparser_getdouble(const dictionary * d, const char * key, double notfou + const char * str ; + + str = iniparser_getstring(d, key, INI_INVALID_KEY); +- if (str==INI_INVALID_KEY) return notfound ; ++ if (str==NULL || str==INI_INVALID_KEY) return notfound ; + return atof(str); + } + +@@ -553,7 +553,7 @@ int iniparser_getboolean(const dictionary * d, const char * key, int notfound) + const char * c ; + + c = iniparser_getstring(d, key, INI_INVALID_KEY); +- if (c==INI_INVALID_KEY) return notfound ; ++ if (c==NULL || c==INI_INVALID_KEY) return notfound ; + if (c[0]=='y' || c[0]=='Y' || c[0]=='1' || c[0]=='t' || c[0]=='T') { + ret = 1 ; + } else if (c[0]=='n' || c[0]=='N' || c[0]=='0' || c[0]=='f' || c[0]=='F') { +-- +2.25.1 + 
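Review bot: the three `str==NULL || str==INI_INVALID_KEY` guards in CVE-2023-33461.patch are correct and conservative (a key whose value is NULL is treated exactly like a missing key and yields notfound), but two follow-ups: first, these are the only callers patched, so check that `iniparser_getint` is covered too, either because it routes through iniparser_getlongint or because it needs the same guard, and note that direct callers of iniparser_getstring still receive the NULL; fixing the value lookup once, so that iniparser_getstring never hands back NULL when a default was supplied, would close all of them and is worth suggesting on PR #146. Second, `Upstream-Status: Submitted` should be re-checked on the next update and flipped to `Backport [<commit>]` once merged; iniparser_4.1.bb keeps SRCREV at deb85ad4, so until then this patch is the only thing carrying the fix.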
diff --git a/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb index f9e1530161..166a74824f 100644 --- a/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb +++ b/meta-openembedded/meta-oe/recipes-support/iniparser/iniparser_4.1.bb @@ -10,7 +10,8 @@ PV .= "+git${SRCPV}" SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https;branch=master \ file://0001-iniparser.pc-Make-libpath-a-variable.patch \ - file://Add-CMake-support.patch" + file://Add-CMake-support.patch \ + file://CVE-2023-33461.patch" SRCREV= "deb85ad4936d4ca32cc2260ce43323d47936410d" diff --git a/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial/0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial/0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch new file mode 100644 index 0000000000..d9e10469d3 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial/0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch 
@@ -0,0 +1,43 @@ +From 655c5c32b37a2bea12389ed69c0869215fcf5abe Mon Sep 17 00:00:00 2001 +From: Martin Jansa +Date: Sun, 3 Sep 2023 11:22:35 +0200 +Subject: [PATCH] CMakeLists.txt: don't fall back CMAKE_INSTALL_LIBDIR to lib + +* testing ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR} existence + doesn't really work in cross compilation and on some hosts was causing: + + ERROR: QA Issue: libcyusbserial: Files/directories were installed but not shipped in any package: + /usr/lib/libcyusbserial.so.1 + /usr/lib/libcyusbserial.so + Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install. + libcyusbserial: 2 installed and not shipped files. [installed-vs-shipped] + + with multilib using /usr/lib32 or /usr/lib64 when the same didn't + exist on host. + +Upstream-Status: Pending +Signed-off-by: Martin Jansa +--- + lib/CMakeLists.txt | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt +index 2b031cb..53a7263 100644 +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -6,15 +6,6 @@ if (NOT CMAKE_INSTALL_LIBDIR) + include(GNUInstallDirs) + endif (NOT CMAKE_INSTALL_LIBDIR) + +-# Fall back to just "lib" if the item provided by GNUInstallDirs doesn't exist +-# For example, on Ubuntu 13.10 with CMake 2.8.11.2, +-# /usr/lib/${CMAKE_LIBRARY_ARCHITECTURE} doesn't exist. +-if (NOT EXISTS "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}") +- message(STATUS "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR} does not exist. Defaulting libcyusbserial install location to ${CMAKE_INSTALL_PREFIX}/lib.") +- set(CMAKE_INSTALL_LIBDIR lib) +-endif() +- +- + ################################################################################ + # Include paths + ################################################################################ 
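Review bot: removing the `if (NOT EXISTS "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}")` fallback in lib/CMakeLists.txt is correct for cross builds: probing a host path to decide the target's libdir is exactly the host contamination that produced the installed-vs-shipped error quoted in the description, and on a multilib target it silently installs into a directory the packaging never looks at. Since the probe is wrong for any cross compile, not only OE, `Upstream-Status: Pending` should not stay that way; submit it to cyrozap/libcyusbserial and record the link as Submitted.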
diff --git a/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb index 81453fb888..a69194996b 100644 --- a/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb +++ b/meta-openembedded/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb @@ -8,7 +8,9 @@ DEPENDS = "libusb udev" PV = "1.0.0+git${SRCPV}" SRCREV = "655e2d544183d094f0e2d119c7e0c6206a0ddb3f" -SRC_URI = "git://github.com/cyrozap/${BPN}.git;branch=master;protocol=https" +SRC_URI = "git://github.com/cyrozap/${BPN}.git;branch=master;protocol=https \ + file://0001-CMakeLists.txt-don-t-fall-back-CMAKE_INSTALL_LIBDIR-.patch \ +" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod-2.0/gpio-tools-test-bats-modify.patch b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod-2.0/gpio-tools-test-bats-modify.patch new file mode 100644 index 0000000000..4d49467968 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod-2.0/gpio-tools-test-bats-modify.patch 
@@ -0,0 +1,67 @@ +From 53f9670d6af1bd0745c1df9c469b269c72607b23 Mon Sep 17 00:00:00 2001 +From: Joe Slater +Date: Tue, 6 Jun 2023 08:04:27 -0700 +Subject: [PATCH] tools: tests: modify delays in toggle test + +The test "gpioset: toggle (continuous)" uses fixed delays to test +toggling values. This is not reliable, so we switch to looking +for transitions from one value to another. + +We wait for a transition up to 1.5 seconds. + +Signed-off-by: Joe Slater +Signed-off-by: Bartosz Golaszewski + +Upstream-status: accepted + +Signed-off-by: Joe Slater +--- + tools/gpio-tools-test.bats | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/tools/gpio-tools-test.bats b/tools/gpio-tools-test.bats +index c83ca7d..929c35a 100755 +--- a/tools/gpio-tools-test.bats ++++ b/tools/gpio-tools-test.bats +@@ -141,6 +141,20 @@ gpiosim_check_value() { + [ "$VAL" = "$EXPECTED" ] + } + ++gpiosim_wait_value() { ++ local OFFSET=$2 ++ local EXPECTED=$3 ++ local DEVNAME=${GPIOSIM_DEV_NAME[$1]} ++ local CHIPNAME=${GPIOSIM_CHIP_NAME[$1]} ++ local PORT=$GPIOSIM_SYSFS/$DEVNAME/$CHIPNAME/sim_gpio$OFFSET/value ++ ++ for i in {1..15}; do ++ [ "$(<$PORT)" = "$EXPECTED" ] && return ++ sleep 0.1 ++ done ++ return 1 ++} ++ + gpiosim_cleanup() { + for CHIP in ${!GPIOSIM_CHIP_NAME[@]} + do +@@ -1567,15 +1581,12 @@ request_release_line() { + gpiosim_check_value sim0 4 0 + gpiosim_check_value sim0 7 0 + +- sleep 1 +- +- gpiosim_check_value sim0 1 0 ++ gpiosim_wait_value sim0 1 0 + gpiosim_check_value sim0 4 1 + gpiosim_check_value sim0 7 1 + +- sleep 1 + +- gpiosim_check_value sim0 1 1 ++ gpiosim_wait_value sim0 1 1 + gpiosim_check_value sim0 4 0 + gpiosim_check_value sim0 7 0 + } +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc index abb6544ec2..cf6c0ae0f6 100644 --- a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc 
+++ b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod.inc @@ -38,7 +38,7 @@ FILES:${PN}-ptest += " \ FILES:libgpiodcxx = "${libdir}/libgpiodcxx.so.*" RRECOMMENDS:${PN}-ptest += "coreutils" -RDEPENDS:${PN}-ptest += "bats" +RDEPENDS:${PN}-ptest += "${@bb.utils.contains('PTEST_ENABLED', '1', 'bats', '', d)}" do_install_ptest() { install -d ${D}${PTEST_PATH}/tests/ diff --git a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb index 179fe170e2..ee20aaf792 100644 --- a/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/libgpiod/libgpiod_2.0.bb @@ -11,6 +11,8 @@ SRC_URI[sha256sum] = "f74cbf82038b3cb98ebeb25bce55ee2553be28194002d2a9889b9268cc S = "${WORKDIR}/libgpiod-2.0" +SRC_URI += "file://gpio-tools-test-bats-modify.patch" + # We must enable gpioset-interactive for all gpio-tools tests to pass PACKAGECONFIG[tests] = "--enable-tests --enable-gpioset-interactive,--disable-tests,kmod util-linux glib-2.0 catch2 libedit" PACKAGECONFIG[gpioset-interactive] = "--enable-gpioset-interactive,--disable-gpioset-interactive,libedit" diff --git a/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb index bb253f421a..612dd897be 100644 --- a/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb +++ b/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c" SRCREV = "92d6a35f3d8d721cda7d6fe664b435311dd368b4" PV = "0.23" -SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=master \ +SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=main \ file://0001-CMake-Move-include-CheckCSourceCompiles-before-its-m.patch \ " UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" 
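Review bot: `Upstream-status: accepted` in gpio-tools-test-bats-modify.patch does not follow the OE convention: the header is `Upstream-Status:` and a change that the maintainer has already merged (the `Signed-off-by: Bartosz Golaszewski` line shows it went through upstream) is recorded as `Upstream-Status: Backport [<upstream commit url>]`, which is what the patch-status QA check and the next upgrade look for. The duplicated `Signed-off-by: Joe Slater` can be dropped. On the logic: gpiosim_wait_value polls only the line passed to it (offset 1, up to 15 x 0.1 s) and the test then reads offsets 4 and 7 immediately with gpiosim_check_value; that is race-free only if gpioset toggles all three lines in one request, so a one-line comment stating that assumption would save the next person who sees a flaky run from re-deriving it.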
diff --git a/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb b/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb index e713433469..3c1c451c02 100644 --- a/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb +++ b/meta-openembedded/meta-oe/recipes-support/mcelog/mcelog_191.bb @@ -18,11 +18,18 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" -inherit autotools-brokensep ptest +inherit ptest COMPATIBLE_HOST = '(x86_64.*|i.86.*)-linux' -do_install:append() { +EXTRA_OEMAKE += "CFLAGS='${CFLAGS}'" + +do_compile() { + oe_runmake +} + +do_install() { + oe_runmake install DESTDIR=${D} install -d ${D}${sysconfdir}/cron.hourly install -m 0755 ${S}/mcelog.cron ${D}${sysconfdir}/cron.hourly/ sed -i 's/bash/sh/' ${D}${sysconfdir}/cron.hourly/mcelog.cron diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch new file mode 100644 index 0000000000..92c096e29c --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch 
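Review bot: in mcelog_191.bb, `EXTRA_OEMAKE += "CFLAGS='${CFLAGS}'"` is only needed because bitbake already exports CFLAGS into the environment, so the upstream Makefile must be assigning CFLAGS itself; a command-line assignment then overrides that assignment completely, dropping whatever defines and warning flags the project sets rather than adding ${CFLAGS} (and with it the distro's hardening flags) to them. Check the Makefile and either append upstream's flags on the same line or patch it to `CFLAGS +=`. If the Makefile hardcodes LDFLAGS the same way, ${LDFLAGS} needs the same treatment, otherwise the relro/now flags from security_flags.inc never reach the link. Dropping autotools-brokensep makes do_configure a no-op, which is fine if there is no configure step, and `oe_runmake install DESTDIR=${D}` assumes the Makefile honours DESTDIR with a sane prefix; worth a glance at the installed paths in the packaging output.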
@@ -0,0 +1,88 @@ +commit ccc277247ac1a7aef0a90353edcdec35fbc5903c +Author: Nano +Date: Wed Apr 26 15:09:52 2023 +0800 + + fix(wechat_qrcode): Init nBytes after the count value is determined (#3480) + + * fix(wechat_qrcode): Initialize nBytes after the count value is determined + + * fix(wechat_qrcode): Incorrect count data repair + + * chore: format expr + + * fix(wechat_qrcode): Avoid null pointer exception + + * fix(wechat_qrcode): return when bytes_ is empty + + * test(wechat_qrcode): add test case + + --------- + + Co-authored-by: GZTime + +CVE: CVE-2023-2617 + +Upstream-Status: Backport [https://github.com/opencv/opencv_contrib/commit/ccc277247ac1a7aef0a90353edcdec35fbc5903c] + +Signed-off-by: Soumya +--- + +diff --git a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp +index 05de793c..b3a0a69c 100644 +--- a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp ++++ b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp +@@ -65,7 +65,8 @@ void DecodedBitStreamParser::append(std::string& result, string const& in, + + void DecodedBitStreamParser::append(std::string& result, const char* bufIn, size_t nIn, + ErrorHandler& err_handler) { +- if (err_handler.ErrCode()) return; ++ // avoid null pointer exception ++ if (err_handler.ErrCode() || bufIn == nullptr) return; + #ifndef NO_ICONV_INSIDE + if (nIn == 0) { + return; +@@ -190,16 +191,20 @@ void DecodedBitStreamParser::decodeByteSegment(Ref bits_, string& res + CharacterSetECI* currentCharacterSetECI, + ArrayRef >& byteSegments, + ErrorHandler& err_handler) { +- int nBytes = count; + BitSource& bits(*bits_); + // Don't crash trying to read more bits than we have available. 
+ int available = bits.available(); + // try to repair count data if count data is invalid + if (count * 8 > available) { +- count = (available + 7 / 8); ++ count = (available + 7) / 8; + } ++ size_t nBytes = count; ++ ++ ArrayRef bytes_(nBytes); ++ // issue https://github.com/opencv/opencv_contrib/issues/3478 ++ if (bytes_->empty()) ++ return; + +- ArrayRef bytes_(count); + char* readBytes = &(*bytes_)[0]; + for (int i = 0; i < count; i++) { + // readBytes[i] = (char) bits.readBits(8); +diff --git a/modules/wechat_qrcode/test/test_qrcode.cpp b/modules/wechat_qrcode/test/test_qrcode.cpp +index d59932b8..ec2559b0 100644 +--- a/modules/wechat_qrcode/test/test_qrcode.cpp ++++ b/modules/wechat_qrcode/test/test_qrcode.cpp +@@ -455,5 +455,16 @@ TEST_P(Objdetect_QRCode_Easy_Multi, regression) { + std::string qrcode_model_path[] = {"", "dnn/wechat_2021-01"}; + INSTANTIATE_TEST_CASE_P(/**/, Objdetect_QRCode_Easy_Multi, testing::ValuesIn(qrcode_model_path)); + ++TEST(Objdetect_QRCode_bug, issue_3478) { ++ auto detector = wechat_qrcode::WeChatQRCode(); ++ std::string image_path = findDataFile("qrcode/issue_3478.png"); ++ Mat src = imread(image_path, IMREAD_GRAYSCALE); ++ ASSERT_FALSE(src.empty()) << "Can't read image: " << image_path; ++ std::vector outs = detector.detectAndDecode(src); ++ ASSERT_EQ(1, (int) outs.size()); ++ ASSERT_EQ(16, (int) outs[0].size()); ++ ASSERT_EQ("KFCVW50 ", outs[0]); ++} ++ + } // namespace + } // namespace opencv_test diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb index 361b004308..a1fbaaa091 100644 --- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.7.0.bb 
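Review bot: in decodeByteSegment the substantive fix is `count = (available + 7) / 8`: the old `available + 7 / 8` parsed as `available + 0`, so the "repaired" count could still be eight times the number of bytes actually available, and sizing bytes_ from the repaired count plus the `bytes_->empty()` early return closes the original over-read. Two things to check on the backport: the loop `for (int i = 0; i < count; i++)` still reads 8 bits per iteration, so when available is not a multiple of 8 the last iteration asks for more bits than remain; that is BitSource's job to reject, but the empty check does not cover it, so note it. And the added `TEST(Objdetect_QRCode_bug, issue_3478)` calls `findDataFile("qrcode/issue_3478.png")`, test data that lives in opencv_extra and is not carried by this patch, so the test will fail or be skipped in any ptest run here; either drop the test hunk from the backport or state in the patch header that the data file is not packaged.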
@@ -31,6 +31,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol file://download.patch \ file://0001-Make-ts-module-external.patch \ file://0008-Do-not-embed-build-directory-in-binaries.patch \ + file://CVE-2023-2617.patch;patchdir=contrib \ " SRC_URI:append:riscv64 = " file://0001-Use-Os-to-compile-tinyxml2.cpp.patch;patchdir=contrib" @@ -162,7 +163,7 @@ python populate_packages:prepend () { metapkg = pn d.setVar('ALLOW_EMPTY:' + metapkg, "1") - blacklist = [ metapkg, "libopencv-ts" ] + blacklist = [ metapkg ] metapkg_rdepends = [ ] for pkg in packages[1:]: if not pkg in blacklist and not pkg in metapkg_rdepends and not pkg.endswith('-dev') and not pkg.endswith('-dbg') and not pkg.endswith('-doc') and not pkg.endswith('-locale') and not pkg.endswith('-staticdev'): diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/0001-configure-Pass-pthread_t-to-pthread_detach.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/0001-configure-Pass-pthread_t-to-pthread_detach.patch deleted file mode 100644 index 6e73f8b382..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/0001-configure-Pass-pthread_t-to-pthread_detach.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 7577b120acda087bf3f5f613c2c72663b3864ad8 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sun, 4 Sep 2022 09:43:06 -0700 -Subject: [PATCH] configure: Pass pthread_t to pthread_detach - -This helps compilers when using C2X standard - -Upstream-Status: Pending -Signed-off-by: Khem Raj ---- - configure.ac | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 0978eeb..58d15f8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1467,10 +1467,7 @@ pthread_rwlock_t rwlock; - dnl save the flags - AC_LINK_IFELSE([AC_LANG_PROGRAM([[ - #include --#ifndef NULL --#define NULL (void*)0 --#endif --]], [[pthread_detach(NULL);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no]) -+]], [[pthread_detach((pthread_t)-1);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no]) - ]) - - if test $ol_cv_func_pthread_detach = no ; then --- -2.37.3 - diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.13.bb b/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.13.bb deleted file mode 100644 index b117677f9b..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.13.bb +++ /dev/null 
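Review bot: deleting 0001-configure-Pass-pthread_t-to-pthread_detach.patch along with openldap_2.5.13.bb is only right if the replacement recipe no longer lists it in SRC_URI and the new release's configure.ac no longer calls `pthread_detach(NULL)`; the patch was `Upstream-Status: Pending`, i.e. never submitted, so unless upstream fixed it independently the C2X build break it worked around comes back with the newer version. The commit message should say which of the two it is, and the new recipe's SRC_URI should be checked for a leftover reference to the deleted file, which would otherwise fail in do_fetch.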
@@ -1,238 +0,0 @@ -SUMMARY = "OpenLDAP Directory Service" -DESCRIPTION = "OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol." -HOMEPAGE = "http://www.OpenLDAP.org/license.html" -# The OpenLDAP Public License - see the HOMEPAGE - defines -# the license. www.openldap.org claims this is Open Source -# (see http://www.openldap.org), the license appears to be -# basically BSD. opensource.org does not record this license -# at present (so it is apparently not OSI certified). -LICENSE = "OpenLDAP" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=beceb5ac7100b6430640c61655b25c1f \ - file://LICENSE;md5=153d07ef052c4a37a8fac23bc6031972 \ - " -SECTION = "libs" - -LDAP_VER = "${@'.'.join(d.getVar('PV').split('.')[0:2])}" - -SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/${BP}.tgz \ - file://initscript \ - file://slapd.service \ - file://remove-user-host-pwd-from-version.patch \ - file://0001-build-top.mk-unset-STRIP_OPTS.patch \ - file://0001-configure-Pass-pthread_t-to-pthread_detach.patch \ -" - -SRC_URI[sha256sum] = "ee3c430c4ef7b87c57b622108c7339376d6c27fbbf2767770be3de1df63d008c" - -DEPENDS = "util-linux groff-native" - -inherit autotools-brokensep update-rc.d systemd pkgconfig - -# CV SETTINGS -# Required to work round AC_FUNC_MEMCMP which gets the wrong answer -# when cross compiling (should be in site?) -EXTRA_OECONF += "ac_cv_func_memcmp_working=yes" - -# CONFIG DEFINITIONS -# The following is necessary because it cannot be determined for a -# cross compile automagically. Select should yield fine on all OE -# systems... -EXTRA_OECONF += "--with-yielding-select=yes" -# Shared libraries are nice... 
-EXTRA_OECONF += "--enable-dynamic" - -PACKAGECONFIG ??= "asyncmeta gnutls modules \ - mdb ldap meta null passwd proxycache dnssrv \ - ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ -" -#--with-tls with TLS/SSL support auto|openssl|gnutls [auto] -PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls" -PACKAGECONFIG[openssl] = "--with-tls=openssl,,openssl" - -PACKAGECONFIG[sasl] = "--with-cyrus-sasl,--without-cyrus-sasl,cyrus-sasl" -PACKAGECONFIG[modules] = "lt_cv_dlopen_self=yes --enable-modules,--disable-modules,libtool" -PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6" - -# SLAPD options -# -# UNIX crypt(3) passwd support: -EXTRA_OECONF += "--enable-crypt" - -# SLAPD BACKEND -# -# The backend must be set by the configuration. This controls the -# required database. -# -# Backends="asyncmeta dnssrv ldap mdb meta ndb null passwd perl relay sock sql wt" -# -# Note that multiple backends can be built. The ldbm backend requires a -# build-time choice of database API. To use the gdbm (or other) API the -# Berkely database module must be removed from the build. 
-md = "${libexecdir}/openldap" -# - -#--enable-asyncmeta enable asyncmeta backend no|yes|mod no -PACKAGECONFIG[asyncmeta] = "--enable-asyncmeta=mod,--enable-asyncmeta=no" - -#--enable-dnssrv enable dnssrv backend no|yes|mod no -PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no" - -#--enable-ldap enable ldap backend no|yes|mod no -PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no," - -#--enable-mdb enable mdb database backend no|yes|mod [yes] -PACKAGECONFIG[mdb] = "--enable-mdb=yes,--enable-mdb=no," - -#--enable-meta enable metadirectory backend no|yes|mod no -PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no," - -#--enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] -PACKAGECONFIG[ndb] = "--enable-ndb=mod,--enable-ndb=no," - -#--enable-null enable null backend no|yes|mod no -PACKAGECONFIG[null] = "--enable-null=mod,--enable-null=no," - -#--enable-passwd enable passwd backend no|yes|mod no -PACKAGECONFIG[passwd] = "--enable-passwd=mod,--enable-passwd=no," - -#--enable-perl enable perl backend no|yes|mod no -# This requires a loadable perl dynamic library, if enabled without -# doing something appropriate (building perl?) the build will pick -# up the build machine perl - not good (inherit perlnative?) -PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl" - -#--enable-relay enable relay backend no|yes|mod [yes] -PACKAGECONFIG[relay] = "--enable-relay=mod,--enable-relay=no," - -#--enable-sock enable sock backend no|yes|mod [no] -PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," - -#--enable-sql enable sql backend no|yes|mod no -# sql requires some sql backend which provides sql.h, sqlite* provides -# sqlite.h (which may be compatible but hasn't been tried.) 
-PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3" - -#--enable-wt enable wt backend no|yes|mod no -# back-wt is marked currently as experimental -PACKAGECONFIG[wt] = "--enable-wt=mod,--enable-wt=no" - -#--enable-dyngroup Dynamic Group overlay no|yes|mod no -# This is a demo, Proxy Cache defines init_module which conflicts with the -# same symbol in dyngroup -PACKAGECONFIG[dyngroup] = "--enable-dyngroup=mod,--enable-dyngroup=no," - -#--enable-proxycache Proxy Cache overlay no|yes|mod no -PACKAGECONFIG[proxycache] = "--enable-proxycache=mod,--enable-proxycache=no," -FILES:${PN}-overlay-proxycache = "${md}/pcache-*.so.*" -PACKAGES += "${PN}-overlay-proxycache" - -# Append URANDOM_DEVICE='/dev/urandom' to CPPFLAGS: -# This allows tls to obtain random bits from /dev/urandom, by default -# it was disabled for cross-compiling. -CPPFLAGS:append = " -D_GNU_SOURCE -DURANDOM_DEVICE=\\"/dev/urandom\\" -fPIC" - -LDFLAGS:append = " -pthread" - -do_configure() { - rm -f ${S}/libtool - aclocal - libtoolize --force --copy - gnu-configize - cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/ltmain.sh ${S}/build - cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/missing ${S}/build - cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/compile ${S}/build - autoconf - oe_runconf -} - -LEAD_SONAME = "libldap-${LDAP_VER}.so.*" - -# The executables go in a separate package. This allows the -# installation of the libraries with no daemon support. -# Each module also has its own package - see above. 
-PACKAGES += "${PN}-slapd ${PN}-slurpd ${PN}-bin" - -# Package contents - shift most standard contents to -bin -FILES:${PN} = "${libdir}/lib*.so.* ${sysconfdir}/openldap/ldap.* ${localstatedir}/${BPN}/data" -FILES:${PN}-slapd = "${sysconfdir}/init.d ${libexecdir}/slapd ${sbindir} ${localstatedir}/run ${localstatedir}/volatile/run \ - ${sysconfdir}/openldap/slapd.* ${sysconfdir}/openldap/schema \ - ${sysconfdir}/openldap/DB_CONFIG.example ${systemd_unitdir}/system/*" -FILES:${PN}-slurpd = "${libexecdir}/slurpd ${localstatedir}/openldap-slurp" -FILES:${PN}-bin = "${bindir}" -FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so ${libdir}/pkgconfig/*.pc" -FILES:${PN}-dbg += "${libexecdir}/openldap/.debug" - -do_install:append() { - install -d ${D}${sysconfdir}/init.d - cat ${WORKDIR}/initscript > ${D}${sysconfdir}/init.d/openldap - chmod 755 ${D}${sysconfdir}/init.d/openldap - # This is duplicated in /etc/openldap and is for slapd - rm -f ${D}${localstatedir}/openldap-data/DB_CONFIG.example - - # Installing slapd under ${sbin} is more FHS and LSB compliance - mv ${D}${libexecdir}/slapd ${D}/${sbindir}/slapd - rmdir --ignore-fail-on-non-empty ${D}${libexecdir} - SLAPTOOLS="slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl slapschema slapmodify" - cd ${D}/${sbindir}/ - rm -f ${SLAPTOOLS} - for i in ${SLAPTOOLS}; do ln -sf slapd $i; done - - rmdir "${D}${localstatedir}/run" - rmdir --ignore-fail-on-non-empty "${D}${localstatedir}" - - install -d ${D}${systemd_unitdir}/system/ - install -m 0644 ${WORKDIR}/slapd.service ${D}${systemd_unitdir}/system/ - sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/*.service - - # Uses mdm as the database - # and localstatedir as data directory ... 
- sed -e 's/# modulepath/modulepath/' \ - -e 's/# moduleload\s*back_bdb.*/moduleload back_mdb/' \ - -e 's/database\s*bdb/database mdb/' \ - -e 's%^directory\s*.*%directory ${localstatedir}/${BPN}/data/%' \ - -i ${D}${sysconfdir}/openldap/slapd.conf - - mkdir -p ${D}${localstatedir}/${BPN}/data -} - -INITSCRIPT_PACKAGES = "${PN}-slapd" -INITSCRIPT_NAME:${PN}-slapd = "openldap" -INITSCRIPT_PARAMS:${PN}-slapd = "defaults" -SYSTEMD_PACKAGES = "${PN}-slapd" -SYSTEMD_SERVICE:${PN}-slapd = "slapd.service" -SYSTEMD_AUTO_ENABLE:${PN}-slapd ?= "disable" - -PACKAGES_DYNAMIC += "^${PN}-backends.* ^${PN}-backend-.*" - -# The modules require their .so to be dynamicaly loaded -INSANE_SKIP:${PN}-backend-asyncmeta += "dev-so" -INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" -INSANE_SKIP:${PN}-backend-ldap += "dev-so" -INSANE_SKIP:${PN}-backend-meta += "dev-so" -INSANE_SKIP:${PN}-backend-mdb += "dev-so" -INSANE_SKIP:${PN}-backend-null += "dev-so" -INSANE_SKIP:${PN}-backend-passwd += "dev-so" - -python populate_packages:prepend () { - backend_dir = d.expand('${libexecdir}/openldap') - do_split_packages(d, backend_dir, r'back_([a-z]*)\.so$', 'openldap-backend-%s', 'OpenLDAP %s backend', prepend=True, extra_depends='', allow_links=True) - do_split_packages(d, backend_dir, r'back_([a-z]*)\-.*\.so\..*$', 'openldap-backend-%s', 'OpenLDAP %s backend', extra_depends='', allow_links=True) - - metapkg = "${PN}-backends" - d.setVar('ALLOW_EMPTY:' + metapkg, "1") - d.setVar('FILES:' + metapkg, "") - metapkg_rdepends = [] - packages = d.getVar('PACKAGES').split() - for pkg in packages[1:]: - if pkg.count("openldap-backend-") and not pkg in metapkg_rdepends and not pkg.count("-dev") and not pkg.count("-dbg") and not pkg.count("static") and not pkg.count("locale"): - metapkg_rdepends.append(pkg) - d.setVar('RDEPENDS:' + metapkg, ' '.join(metapkg_rdepends)) - d.setVar('DESCRIPTION:' + metapkg, 'OpenLDAP backends meta package') - packages.append(metapkg) - d.setVar('PACKAGES', ' '.join(packages)) -} - 
-BBCLASSEXTEND = "native" - -# CVE-2015-3276 has no target code. -CVE_CHECK_IGNORE += "CVE-2015-3276" diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.16.bb b/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.16.bb new file mode 100644 index 0000000000..a56b454dc0 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.16.bb 
@@ -0,0 +1,237 @@ +SUMMARY = "OpenLDAP Directory Service" +DESCRIPTION = "OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol." +HOMEPAGE = "http://www.OpenLDAP.org/license.html" +# The OpenLDAP Public License - see the HOMEPAGE - defines +# the license. www.openldap.org claims this is Open Source +# (see http://www.openldap.org), the license appears to be +# basically BSD. opensource.org does not record this license +# at present (so it is apparently not OSI certified). +LICENSE = "OpenLDAP" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=beceb5ac7100b6430640c61655b25c1f \ + file://LICENSE;md5=153d07ef052c4a37a8fac23bc6031972 \ + " +SECTION = "libs" + +LDAP_VER = "${@'.'.join(d.getVar('PV').split('.')[0:2])}" + +SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/${BP}.tgz \ + file://initscript \ + file://slapd.service \ + file://remove-user-host-pwd-from-version.patch \ + file://0001-build-top.mk-unset-STRIP_OPTS.patch \ +" + +SRC_URI[sha256sum] = "546ba591822e8bb0e467d40c4d4a30f89d937c3a507fe83a578f582f6a211327" + +DEPENDS = "util-linux groff-native" + +inherit autotools-brokensep update-rc.d systemd pkgconfig + +# CV SETTINGS +# Required to work round AC_FUNC_MEMCMP which gets the wrong answer +# when cross compiling (should be in site?) +EXTRA_OECONF += "ac_cv_func_memcmp_working=yes" + +# CONFIG DEFINITIONS +# The following is necessary because it cannot be determined for a +# cross compile automagically. Select should yield fine on all OE +# systems... +EXTRA_OECONF += "--with-yielding-select=yes" +# Shared libraries are nice... 
+EXTRA_OECONF += "--enable-dynamic" + +PACKAGECONFIG ??= "asyncmeta gnutls modules \ + mdb ldap meta null passwd proxycache dnssrv \ + ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ +" +#--with-tls with TLS/SSL support auto|openssl|gnutls [auto] +PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls" +PACKAGECONFIG[openssl] = "--with-tls=openssl,,openssl" + +PACKAGECONFIG[sasl] = "--with-cyrus-sasl,--without-cyrus-sasl,cyrus-sasl" +PACKAGECONFIG[modules] = "lt_cv_dlopen_self=yes --enable-modules,--disable-modules,libtool" +PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6" + +# SLAPD options +# +# UNIX crypt(3) passwd support: +EXTRA_OECONF += "--enable-crypt" + +# SLAPD BACKEND +# +# The backend must be set by the configuration. This controls the +# required database. +# +# Backends="asyncmeta dnssrv ldap mdb meta ndb null passwd perl relay sock sql wt" +# +# Note that multiple backends can be built. The ldbm backend requires a +# build-time choice of database API. To use the gdbm (or other) API the +# Berkely database module must be removed from the build. 
+md = "${libexecdir}/openldap" +# + +#--enable-asyncmeta enable asyncmeta backend no|yes|mod no +PACKAGECONFIG[asyncmeta] = "--enable-asyncmeta=mod,--enable-asyncmeta=no" + +#--enable-dnssrv enable dnssrv backend no|yes|mod no +PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no" + +#--enable-ldap enable ldap backend no|yes|mod no +PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no," + +#--enable-mdb enable mdb database backend no|yes|mod [yes] +PACKAGECONFIG[mdb] = "--enable-mdb=yes,--enable-mdb=no," + +#--enable-meta enable metadirectory backend no|yes|mod no +PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no," + +#--enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] +PACKAGECONFIG[ndb] = "--enable-ndb=mod,--enable-ndb=no," + +#--enable-null enable null backend no|yes|mod no +PACKAGECONFIG[null] = "--enable-null=mod,--enable-null=no," + +#--enable-passwd enable passwd backend no|yes|mod no +PACKAGECONFIG[passwd] = "--enable-passwd=mod,--enable-passwd=no," + +#--enable-perl enable perl backend no|yes|mod no +# This requires a loadable perl dynamic library, if enabled without +# doing something appropriate (building perl?) the build will pick +# up the build machine perl - not good (inherit perlnative?) +PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl" + +#--enable-relay enable relay backend no|yes|mod [yes] +PACKAGECONFIG[relay] = "--enable-relay=mod,--enable-relay=no," + +#--enable-sock enable sock backend no|yes|mod [no] +PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," + +#--enable-sql enable sql backend no|yes|mod no +# sql requires some sql backend which provides sql.h, sqlite* provides +# sqlite.h (which may be compatible but hasn't been tried.) 
+PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3" + +#--enable-wt enable wt backend no|yes|mod no +# back-wt is marked currently as experimental +PACKAGECONFIG[wt] = "--enable-wt=mod,--enable-wt=no" + +#--enable-dyngroup Dynamic Group overlay no|yes|mod no +# This is a demo, Proxy Cache defines init_module which conflicts with the +# same symbol in dyngroup +PACKAGECONFIG[dyngroup] = "--enable-dyngroup=mod,--enable-dyngroup=no," + +#--enable-proxycache Proxy Cache overlay no|yes|mod no +PACKAGECONFIG[proxycache] = "--enable-proxycache=mod,--enable-proxycache=no," +FILES:${PN}-overlay-proxycache = "${md}/pcache-*.so.*" +PACKAGES += "${PN}-overlay-proxycache" + +# Append URANDOM_DEVICE='/dev/urandom' to CPPFLAGS: +# This allows tls to obtain random bits from /dev/urandom, by default +# it was disabled for cross-compiling. +CPPFLAGS:append = " -D_GNU_SOURCE -DURANDOM_DEVICE=\\"/dev/urandom\\" -fPIC" + +LDFLAGS:append = " -pthread" + +do_configure() { + rm -f ${S}/libtool + aclocal + libtoolize --force --copy + gnu-configize + cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/ltmain.sh ${S}/build + cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/missing ${S}/build + cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/compile ${S}/build + autoconf + oe_runconf +} + +LEAD_SONAME = "libldap-${LDAP_VER}.so.*" + +# The executables go in a separate package. This allows the +# installation of the libraries with no daemon support. +# Each module also has its own package - see above. 
+PACKAGES += "${PN}-slapd ${PN}-slurpd ${PN}-bin" + +# Package contents - shift most standard contents to -bin +FILES:${PN} = "${libdir}/lib*.so.* ${sysconfdir}/openldap/ldap.* ${localstatedir}/${BPN}/data" +FILES:${PN}-slapd = "${sysconfdir}/init.d ${libexecdir}/slapd ${sbindir} ${localstatedir}/run ${localstatedir}/volatile/run \ + ${sysconfdir}/openldap/slapd.* ${sysconfdir}/openldap/schema \ + ${sysconfdir}/openldap/DB_CONFIG.example ${systemd_unitdir}/system/*" +FILES:${PN}-slurpd = "${libexecdir}/slurpd ${localstatedir}/openldap-slurp" +FILES:${PN}-bin = "${bindir}" +FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so ${libdir}/pkgconfig/*.pc" +FILES:${PN}-dbg += "${libexecdir}/openldap/.debug" + +do_install:append() { + install -d ${D}${sysconfdir}/init.d + cat ${WORKDIR}/initscript > ${D}${sysconfdir}/init.d/openldap + chmod 755 ${D}${sysconfdir}/init.d/openldap + # This is duplicated in /etc/openldap and is for slapd + rm -f ${D}${localstatedir}/openldap-data/DB_CONFIG.example + + # Installing slapd under ${sbin} is more FHS and LSB compliance + mv ${D}${libexecdir}/slapd ${D}/${sbindir}/slapd + rmdir --ignore-fail-on-non-empty ${D}${libexecdir} + SLAPTOOLS="slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl slapschema slapmodify" + cd ${D}/${sbindir}/ + rm -f ${SLAPTOOLS} + for i in ${SLAPTOOLS}; do ln -sf slapd $i; done + + rmdir "${D}${localstatedir}/run" + rmdir --ignore-fail-on-non-empty "${D}${localstatedir}" + + install -d ${D}${systemd_unitdir}/system/ + install -m 0644 ${WORKDIR}/slapd.service ${D}${systemd_unitdir}/system/ + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/*.service + + # Uses mdm as the database + # and localstatedir as data directory ... 
+ sed -e 's/# modulepath/modulepath/' \ + -e 's/# moduleload\s*back_bdb.*/moduleload back_mdb/' \ + -e 's/database\s*bdb/database mdb/' \ + -e 's%^directory\s*.*%directory ${localstatedir}/${BPN}/data/%' \ + -i ${D}${sysconfdir}/openldap/slapd.conf + + mkdir -p ${D}${localstatedir}/${BPN}/data +} + +INITSCRIPT_PACKAGES = "${PN}-slapd" +INITSCRIPT_NAME:${PN}-slapd = "openldap" +INITSCRIPT_PARAMS:${PN}-slapd = "defaults" +SYSTEMD_PACKAGES = "${PN}-slapd" +SYSTEMD_SERVICE:${PN}-slapd = "slapd.service" +SYSTEMD_AUTO_ENABLE:${PN}-slapd ?= "disable" + +PACKAGES_DYNAMIC += "^${PN}-backends.* ^${PN}-backend-.*" + +# The modules require their .so to be dynamicaly loaded +INSANE_SKIP:${PN}-backend-asyncmeta += "dev-so" +INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" +INSANE_SKIP:${PN}-backend-ldap += "dev-so" +INSANE_SKIP:${PN}-backend-meta += "dev-so" +INSANE_SKIP:${PN}-backend-mdb += "dev-so" +INSANE_SKIP:${PN}-backend-null += "dev-so" +INSANE_SKIP:${PN}-backend-passwd += "dev-so" + +python populate_packages:prepend () { + backend_dir = d.expand('${libexecdir}/openldap') + do_split_packages(d, backend_dir, r'back_([a-z]*)\.so$', 'openldap-backend-%s', 'OpenLDAP %s backend', prepend=True, extra_depends='', allow_links=True) + do_split_packages(d, backend_dir, r'back_([a-z]*)\-.*\.so\..*$', 'openldap-backend-%s', 'OpenLDAP %s backend', extra_depends='', allow_links=True) + + metapkg = "${PN}-backends" + d.setVar('ALLOW_EMPTY:' + metapkg, "1") + d.setVar('FILES:' + metapkg, "") + metapkg_rdepends = [] + packages = d.getVar('PACKAGES').split() + for pkg in packages[1:]: + if pkg.count("openldap-backend-") and not pkg in metapkg_rdepends and not pkg.count("-dev") and not pkg.count("-dbg") and not pkg.count("static") and not pkg.count("locale"): + metapkg_rdepends.append(pkg) + d.setVar('RDEPENDS:' + metapkg, ' '.join(metapkg_rdepends)) + d.setVar('DESCRIPTION:' + metapkg, 'OpenLDAP backends meta package') + packages.append(metapkg) + d.setVar('PACKAGES', ' '.join(packages)) +} + 
+BBCLASSEXTEND = "native" + +# CVE-2015-3276 has no target code. +CVE_CHECK_IGNORE += "CVE-2015-3276" diff --git a/meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2023-2977.patch b/meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2023-2977.patch new file mode 100644 index 0000000000..165fc316bf --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2023-2977.patch 
@@ -0,0 +1,54 @@ +CVE: CVE-2023-2977 +Upstream-Status: Backport [ https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a ] +Signed-off-by: Lee Chee Yang + + +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 +From: fullwaywang +Date: Mon, 29 May 2023 10:38:48 +0800 +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer + overrun bug. Fixes #2785 + +--- + src/pkcs15init/pkcs15-cardos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c +index 9715cf390f..f41f73c349 100644 +--- a/src/pkcs15init/pkcs15-cardos.c ++++ b/src/pkcs15init/pkcs15-cardos.c +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; +- const u8 *p = rbuf, *q; ++ const u8 *p = rbuf, *q, *pp; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + return 0; + + while (len != 0) { +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); +- if (p == NULL) ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); ++ if (pp == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); + if (q == NULL || 
ilen != 4) + return 0; + if (q[0] == 0x02) diff --git a/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb b/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb index f68107df87..b3fc1f0458 100644 --- a/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/opensc/opensc_0.23.0.bb @@ -16,6 +16,7 @@ SRCREV = "5497519ea6b4af596628f8f8f2f904bacaa3148f" SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://0001-pkcs11-tool-Fix-private-key-import.patch \ file://0002-pkcs11-tool-Log-more-information-on-OpenSSL-errors.patch \ + file://CVE-2023-2977.patch \ " DEPENDS = "virtual/libiconv openssl" diff --git a/meta-openembedded/meta-oe/recipes-support/poppler/poppler/CVE-2023-34872.patch b/meta-openembedded/meta-oe/recipes-support/poppler/poppler/CVE-2023-34872.patch new file mode 100644 index 0000000000..69f164de96 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/poppler/poppler/CVE-2023-34872.patch 
@@ -0,0 +1,46 @@ +From 591235c8b6c65a2eee88991b9ae73490fd9afdfe Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Fri, 18 Aug 2023 09:17:07 +0000 +Subject: [PATCH] OutlineItem::open: Fix crash on malformed files + +Fixes #1399 + +CVE: CVE-2023-34872 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe] + +Signed-off-by: Yogita Urade +--- + poppler/Outline.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/poppler/Outline.cc b/poppler/Outline.cc +index cbb6cb4..4c68be9 100644 +--- a/poppler/Outline.cc ++++ b/poppler/Outline.cc +@@ -14,7 +14,7 @@ + // under GPL version 2 or later + // + // Copyright (C) 2005 Marco Pesenti Gritti +-// Copyright (C) 2008, 2016-2019, 2021 Albert Astals Cid ++// Copyright (C) 2008, 2016-2019, 2021, 2023 Albert Astals Cid + // Copyright (C) 2009 Nick Jones + // Copyright (C) 2016 Jason Crain + // Copyright (C) 2017 Adrian Johnson +@@ -483,8 +483,12 @@ void OutlineItem::open() + { + if (!kids) { + Object itemDict = xref->fetch(ref); +- const Object &firstRef = itemDict.dictLookupNF("First"); +- kids = readItemList(this, &firstRef, xref, doc); ++ if (itemDict.isDict()) { ++ const Object &firstRef = itemDict.dictLookupNF("First"); ++ kids = readItemList(this, &firstRef, xref, doc); ++ } else { ++ kids = new std::vector(); ++ } + } + } + +-- +2.35.5 diff --git a/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb b/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb index 165e155ec9..81e776d8f6 100644 --- a/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/poppler/poppler_23.03.0.bb 
@@ -7,6 +7,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \ file://0001-Do-not-overwrite-all-our-build-flags.patch \ file://basename-include.patch \ file://0001-cmake-Do-not-use-isystem.patch \ + file://CVE-2023-34872.patch \ " SRC_URI[sha256sum] = "b04148bf849c1965ada7eff6be4685130e3a18a84e0cce73bf9bc472ec32f2b4" diff --git a/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp/0001-Fix-CMake-export-files-1077.patch b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp/0001-Fix-CMake-export-files-1077.patch new file mode 100644 index 0000000000..b6c4a3b883 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp/0001-Fix-CMake-export-files-1077.patch 
@@ -0,0 +1,117 @@ +From 3d436f6cfc2dfe52fc1533c01f57c25ae7ffac9c Mon Sep 17 00:00:00 2001 +From: Felix Schwitzer +Date: Fri, 1 Apr 2022 05:26:47 +0200 +Subject: [PATCH] Fix CMake export files (#1077) + +After configuring the file `yaml-cpp-config.cmake.in`, the result ends up with +empty variables. (see also the discussion in #774). + +Rework this file and the call to `configure_package_config_file` according the +cmake documentation +(https://cmake.org/cmake/help/v3.22/module/CMakePackageConfigHelpers.html?highlight=configure_package_config#command:configure_package_config_file) +to overcome this issue and allow a simple `find_package` after install. + +As there was some discussion about the place where to install the +`yaml-cpp-config.cmake` file, e.g. #1055, factor out the install location into +an extra variable to make it easier changing this location in the future. + +Also untabify CMakeLists.txt in some places to align with the other code parts in this file. + +Upstream-Status: Accepted [https://github.com/jbeder/yaml-cpp/pull/1077] + +Signed-off-by: Jasper Orschulko +--- + CMakeLists.txt | 29 ++++++++++++++++++----------- + yaml-cpp-config.cmake.in | 10 ++++++---- + 2 files changed, 24 insertions(+), 15 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b230b9e..983d1a4 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -127,10 +127,16 @@ set_target_properties(yaml-cpp PROPERTIES + PROJECT_LABEL "yaml-cpp ${yaml-cpp-label-postfix}" + DEBUG_POSTFIX "${CMAKE_DEBUG_POSTFIX}") + ++# FIXME(felix2012): A more common place for the cmake export would be ++# `CMAKE_INSTALL_LIBDIR`, as e.g. 
done in ubuntu or in this project for GTest ++set(CONFIG_EXPORT_DIR "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") ++set(EXPORT_TARGETS yaml-cpp) + configure_package_config_file( + "${PROJECT_SOURCE_DIR}/yaml-cpp-config.cmake.in" + "${PROJECT_BINARY_DIR}/yaml-cpp-config.cmake" +- INSTALL_DESTINATION "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") ++ INSTALL_DESTINATION "${CONFIG_EXPORT_DIR}" ++ PATH_VARS CMAKE_INSTALL_INCLUDEDIR CONFIG_EXPORT_DIR) ++unset(EXPORT_TARGETS) + + write_basic_package_version_file( + "${PROJECT_BINARY_DIR}/yaml-cpp-config-version.cmake" +@@ -139,30 +145,31 @@ write_basic_package_version_file( + configure_file(yaml-cpp.pc.in yaml-cpp.pc @ONLY) + + if (YAML_CPP_INSTALL) +- install(TARGETS yaml-cpp ++ install(TARGETS yaml-cpp + EXPORT yaml-cpp-targets + RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} + LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} + ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}) +- install(DIRECTORY ${PROJECT_SOURCE_DIR}/include/ ++ install(DIRECTORY ${PROJECT_SOURCE_DIR}/include/ + DESTINATION ${CMAKE_INSTALL_INCLUDEDIR} +- FILES_MATCHING PATTERN "*.h") ++ FILES_MATCHING PATTERN "*.h") + install(EXPORT yaml-cpp-targets +- DESTINATION "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") +- install(FILES +- "${PROJECT_BINARY_DIR}/yaml-cpp-config.cmake" +- "${PROJECT_BINARY_DIR}/yaml-cpp-config-version.cmake" +- DESTINATION "${CMAKE_INSTALL_DATADIR}/cmake/yaml-cpp") ++ DESTINATION "${CONFIG_EXPORT_DIR}") ++ install(FILES ++ "${PROJECT_BINARY_DIR}/yaml-cpp-config.cmake" ++ "${PROJECT_BINARY_DIR}/yaml-cpp-config-version.cmake" ++ DESTINATION "${CONFIG_EXPORT_DIR}") + install(FILES "${PROJECT_BINARY_DIR}/yaml-cpp.pc" + DESTINATION ${CMAKE_INSTALL_DATADIR}/pkgconfig) + endif() ++unset(CONFIG_EXPORT_DIR) + + if(YAML_CPP_BUILD_TESTS) +- add_subdirectory(test) ++ add_subdirectory(test) + endif() + + if(YAML_CPP_BUILD_TOOLS) +- add_subdirectory(util) ++ add_subdirectory(util) + endif() + + if (YAML_CPP_CLANG_FORMAT_EXE) +diff --git a/yaml-cpp-config.cmake.in 
b/yaml-cpp-config.cmake.in +index 7b41e3f..a7ace3d 100644 +--- a/yaml-cpp-config.cmake.in ++++ b/yaml-cpp-config.cmake.in +@@ -3,12 +3,14 @@ + # YAML_CPP_INCLUDE_DIR - include directory + # YAML_CPP_LIBRARIES - libraries to link against + +-# Compute paths +-get_filename_component(YAML_CPP_CMAKE_DIR "${CMAKE_CURRENT_LIST_FILE}" PATH) +-set(YAML_CPP_INCLUDE_DIR "@CONFIG_INCLUDE_DIRS@") ++@PACKAGE_INIT@ ++ ++set_and_check(YAML_CPP_INCLUDE_DIR "@PACKAGE_CMAKE_INSTALL_INCLUDEDIR@") + + # Our library dependencies (contains definitions for IMPORTED targets) +-include("${YAML_CPP_CMAKE_DIR}/yaml-cpp-targets.cmake") ++include(@PACKAGE_CONFIG_EXPORT_DIR@/yaml-cpp-targets.cmake) + + # These are IMPORTED targets created by yaml-cpp-targets.cmake + set(YAML_CPP_LIBRARIES "@EXPORT_TARGETS@") ++ ++check_required_components(@EXPORT_TARGETS@) +-- +2.39.2 + diff --git a/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb index d3984abe8b..e04d4705a4 100644 --- a/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/yaml-cpp/yaml-cpp_0.7.0.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=6a8aaf0595c2efc1a9c2e0913e9c1a2c" # yaml-cpp releases are stored as archive files in github. # download the exact revision of release SRC_URI = "git://github.com/jbeder/yaml-cpp.git;branch=master;protocol=https" +SRC_URI += "file://0001-Fix-CMake-export-files-1077.patch" SRCREV = "0579ae3d976091d7d664aa9d2527e0d0cff25763" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest b/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest index 5287f3e035..b63c4de0d9 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-appdirs/run-ptest 
@@ -1,3 +1,3 @@ #!/bin/sh -pytest | sed -e 's/\[100%\]//g' | sed -e 's/\.\.F/: FAIL/g' | sed -e 's/\.\.\./: PASS/g' +pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'|sed -e 's/SKIPPED/SKIP/g'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS"){printf "%s: %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print $0}else{print}}' diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.1.7.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.1.7.bb deleted file mode 100644 index be806eefaa..0000000000 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.1.7.bb +++ /dev/null @@ -1,9 +0,0 @@ -require python-django.inc -inherit setuptools3 - -SRC_URI[sha256sum] = "44f714b81c5f190d9d2ddad01a532fe502fa01c4cb8faf1d081f4264ed15dcd8" - -RDEPENDS:${PN} += "\ - ${PYTHON_PN}-sqlparse \ - ${PYTHON_PN}-asgiref \ -" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.2.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.2.1.bb new file mode 100644 index 0000000000..b1474cf054 --- /dev/null +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_4.2.1.bb @@ -0,0 +1,9 @@ +require python-django.inc +inherit setuptools3 + +SRC_URI[sha256sum] = "7efa6b1f781a6119a10ac94b4794ded90db8accbe7802281cd26f8664ffed59c" + +RDEPENDS:${PN} += "\ + ${PYTHON_PN}-sqlparse \ + ${PYTHON_PN}-asgiref \ +" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch new file mode 100644 index 0000000000..f5526c5b88 --- /dev/null +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch 
@@ -0,0 +1,51 @@ +From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001 +From: Andi Albrecht +Date: Mon, 20 Mar 2023 08:33:46 +0100 +Subject: [PATCH] Remove unnecessary parts in regex for bad escaping. + +The regex tried to deal with situations where escaping in the +SQL to be parsed was suspicious. + +Upstream-Status: Backport +CVE: CVE-2023-30608 + +Reference to upstream patch: +https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb + +[AZ: drop changes to CHANGELOG file and adjust context whitespaces] +Signed-off-by: Adrian Zaharia + +Adjust indentation in keywords.py. +Signed-off-by: Joe Slater +--- + sqlparse/keywords.py | 4 ++-- + tests/test_split.py | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- sqlparse-0.4.3.orig/sqlparse/keywords.py ++++ sqlparse-0.4.3/sqlparse/keywords.py +@@ -72,9 +72,9 @@ SQL_REGEX = { + (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])', + tokens.Number.Float), + (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), +- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), ++ (r"'(''|\\'|[^'])*'", tokens.String.Single), + # not a real string literal in ANSI SQL: +- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol), ++ (r'"(""|\\"|[^"])*"', tokens.String.Symbol), + (r'(""|".*?[^\\]")', tokens.String.Symbol), + # sqlite names can be escaped with [square brackets]. left bracket + # cannot be preceded by word character or a right bracket -- +--- sqlparse-0.4.3.orig/tests/test_split.py ++++ sqlparse-0.4.3/tests/test_split.py +@@ -18,8 +18,8 @@ def test_split_semicolon(): + + + def test_split_backslash(): +- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") +- assert len(stmts) == 3 ++ stmts = sqlparse.parse("select '\'; select '\'';") ++ assert len(stmts) == 2 + + + @pytest.mark.parametrize('fn', ['function.sql', 
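Review bot: the `Upstream-Status:` line in the CVE-2023-30608.patch header should use the `Backport [url]` form, folding in the commit URL that is currently listed separately under "Reference to upstream patch", so tooling that parses the tag can locate the upstream commit. On the keywords.py hunk, dropping the `\\\\` alternative is the right fix: it consumed the same backslash that `[^']` also accepts, so a long run of backslashes before an unterminated quote gave the regex engine a rapidly growing number of ways to split the input before failing; the remaining `\\'` alternative still overlaps `[^']` on a single backslash, but that ambiguity is bounded to one character per quote and does not compound. On the test_split.py hunk, the new literal is no longer a raw string, so `"select '\'; select '\'';"` reaches sqlparse as `select ''; select ''';` with no backslash at all; keeping one raw-string case that actually contains a backslash would leave the changed alternative covered by a test.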
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb index c952c71d0b..a402f991f7 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse_0.4.3.bb @@ -5,6 +5,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=2b136f573f5386001ea3b7b9016222fc" SRC_URI += "file://0001-sqlparse-change-shebang-to-python3.patch \ + file://CVE-2023-30608.patch \ file://run-ptest \ " diff --git a/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb b/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb index cdf4557cd3..21e9b3908f 100644 --- a/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb +++ b/meta-openembedded/meta-xfce/recipes-extended/imsettings/imsettings_1.8.3.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" inherit autotools gtk-doc gobject-introspection gettext features_check -DEPENDS = "gtk+3 libnotify" +DEPENDS = "autoconf-archive-native gtk+3 libnotify" REQUIRED_DISTRO_FEATURES = "x11" diff --git a/poky/bitbake/lib/bb/runqueue.py b/poky/bitbake/lib/bb/runqueue.py index 02f1474540..99fac63616 100644 --- a/poky/bitbake/lib/bb/runqueue.py +++ b/poky/bitbake/lib/bb/runqueue.py 
@@ -1991,11 +1991,19 @@ class RunQueueExecute: self.setbuildable(revdep) logger.debug("Marking task %s as buildable", revdep) - for t in self.sq_deferred.copy(): + found = None + for t in sorted(self.sq_deferred.copy()): if self.sq_deferred[t] == task: - logger.debug2("Deferred task %s now buildable" % t) - del self.sq_deferred[t] - update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False) + # Allow the next deferred task to run. Any other deferred tasks should be deferred after that task. + # We shouldn't allow all to run at once as it is prone to races. + if not found: + bb.note("Deferred task %s now buildable" % t) + del self.sq_deferred[t] + update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False) + found = t + else: + bb.note("Deferring %s after %s" % (t, found)) + self.sq_deferred[t] = found def task_complete(self, task): self.stats.taskCompleted() diff --git a/poky/documentation/bsp-guide/bsp.rst b/poky/documentation/bsp-guide/bsp.rst index f2f5d4d954..3be314bcf6 100644 --- a/poky/documentation/bsp-guide/bsp.rst +++ b/poky/documentation/bsp-guide/bsp.rst @@ -109,7 +109,7 @@ them to the "Dependencies" section. Some layers function as a layer to hold other BSP layers. These layers are known as ":term:`container layers `". An example of -this type of layer is OpenEmbedded's :oe_git:`meta-openbedded ` +this type of layer is OpenEmbedded's :oe_git:`meta-openembedded ` layer. The ``meta-openembedded`` layer contains many ``meta-*`` layers. In cases like this, you need to include the names of the actual layers you want to work with, such as:: 
@@ -927,8 +927,8 @@ Yocto Project: - The name and contact information for the BSP layer maintainer. This is the person to whom patches and questions should be sent. For information on how to find the right person, see the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section in the Yocto Project Development Tasks Manual. + :doc:`../contributor-guide/submit-changes` section in the Yocto Project and + OpenEmbedded Contributor Guide. - Instructions on how to build the BSP using the BSP layer. diff --git a/poky/documentation/conf.py b/poky/documentation/conf.py index bd45a73fa6..a64685ec9b 100644 --- a/poky/documentation/conf.py +++ b/poky/documentation/conf.py @@ -91,6 +91,7 @@ rst_prolog = """ # external links and substitutions extlinks = { 'cve': ('https://nvd.nist.gov/vuln/detail/CVE-%s', 'CVE-%s'), + 'cve_mitre': ('https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s', 'CVE-%s'), 'yocto_home': ('https://www.yoctoproject.org%s', None), 'yocto_wiki': ('https://wiki.yoctoproject.org/wiki%s', None), 'yocto_dl': ('https://downloads.yoctoproject.org%s', None), diff --git a/poky/documentation/contributor-guide/identify-component.rst b/poky/documentation/contributor-guide/identify-component.rst new file mode 100644 index 0000000000..a28391a66a --- /dev/null +++ b/poky/documentation/contributor-guide/identify-component.rst 
@@ -0,0 +1,31 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Identify the component +********************** + +The Yocto Project and OpenEmbedded ecosystem is built of :term:`layers ` +so the first step is to identify the component where the issue likely lies. +For example, if you have a hardware issue, it is likely related to the BSP +you are using and the best place to seek advice would be from the BSP provider +or :term:`layer`. If the issue is a build/configuration one and a distro is in +use, they would likely be the first place to ask questions. If the issue is a +generic one and/or in the core classes or metadata, the core layer or BitBake +might be the appropriate component. + +Each metadata layer being used should contain a ``README`` file and that should +explain where to report issues, where to send changes and how to contact the +maintainers. + +If the issue is in the core metadata layer (OpenEmbedded-Core) or in BitBake, +issues can be reported in the :yocto_bugs:`Yocto Project Bugzilla <>`. The +:yocto_lists:`yocto ` mailing list is a general “catch-all” location +where questions can be sent if you can’t work out where something should go. + +:term:`Poky` is a commonly used “combination” repository where multiple +components have been combined (:oe_git:`bitbake `, +:oe_git:`openembedded-core `, +:yocto_git:`meta-yocto ` and +:yocto_git:`yocto-docs `). Patches should be submitted against the +appropriate individual component rather than :term:`Poky` itself as detailed in +the appropriate ``README`` file. + diff --git a/poky/documentation/contributor-guide/index.rst b/poky/documentation/contributor-guide/index.rst new file mode 100644 index 0000000000..a832169455 --- /dev/null +++ b/poky/documentation/contributor-guide/index.rst 
@@ -0,0 +1,26 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +================================================ +Yocto Project and OpenEmbedded Contributor Guide +================================================ + +The Yocto Project and OpenEmbedded are open-source, community-based projects so +contributions are very welcome, it is how the code evolves and everyone can +effect change. Contributions take different forms, if you have a fix for an +issue you’ve run into, a patch is the most appropriate way to contribute it. +If you run into an issue but don’t have a solution, opening a defect in +:yocto_bugs:`Bugzilla <>` or asking questions on the mailing lists might be +more appropriate. This guide intends to point you in the right direction to +this. + + +.. toctree:: + :caption: Table of Contents + :numbered: + + identify-component + report-defect + recipe-style-guide + submit-changes + +.. include:: /boilerplate.rst diff --git a/poky/documentation/contributor-guide/recipe-style-guide.rst b/poky/documentation/contributor-guide/recipe-style-guide.rst new file mode 100644 index 0000000000..99105179a6 --- /dev/null +++ b/poky/documentation/contributor-guide/recipe-style-guide.rst 
@@ -0,0 +1,338 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Recipe Style Guide +****************** + +Recipe Naming Conventions +========================= + +In general, most recipes should follow the naming convention +``recipes-category/package/packagename_version.bb``. Recipes for related +projects may share the same package directory. ``packagename``, ``category``, +and ``package`` may contain hyphens, but hyphens are not allowed in ``version``. + +If the recipe is tracking a Git revision that does not correspond to a released +version of the software, ``version`` may be ``git`` (e.g. ``packagename_git.bb``) + +Version Policy +============== + +Our versions follow the form ``:-`` +or in BitBake variable terms ${:term:`PE`}:${:term:`PV`}-${:term:`PR`}. We +generally follow the `Debian `__ +version policy which defines these terms. + +In most cases the version :term:`PV` will be set automatically from the recipe +file name. It is recommended to use released versions of software as these are +revisions that upstream are expecting people to use. + +Package versions should always compare and sort correctly so that upgrades work +as expected. With conventional versions such as ``1.4`` upgrading ``to 1.5`` +this happens naturally, but some versions don't sort. For example, +``1.5 Release Candidate 2`` could be written as ``1.5rc2`` but this sorts after +``1.5``, so upgrades from feeds won't happen correctly. + +Instead the tilde (``~``) operator can be used, which sorts before the empty +string so ``1.5~rc2`` comes before ``1.5``. There is a historical syntax which +may be found where :term:`PV` is set as a combination of the prior version +``+`` the pre-release version, for example ``PV=1.4+1.5rc2``. This is a valid +syntax but the tilde form is preferred. + +For version comparisons, the ``opkg-compare-versions`` program from +``opkg-utils`` can be useful when attempting to determine how two version +numbers compare to each other. 
Our definitive version comparison algorithm is +the one within bitbake which aims to match those of the package managers and +Debian policy closely. + +When a recipe references a git revision that does not correspond to a released +version of software (e.g. is not a tagged version), the :term:`PV` variable +should include the Git revision using the following to make the +version clear:: + + PV = "+git${SRCPV}" + +In this case, ```` should be the most recently released version of the +software from the current source revision (``git describe`` can be useful for +determining this). Whilst not recommended for published layers, this format is +also useful when using :term:`AUTOREV` to set the recipe to increment source +control revisions automatically, which can be useful during local development. + +Version Number Changes +====================== + +The :term:`PR` variable is used to indicate different revisions of a recipe +that reference the same upstream source version. It can be used to force a +new version of a package to be installed onto a device from a package feed. +These once had to be set manually but in most cases these can now be set and +incremented automatically by a PR Server connected with a package feed. + +When :term:`PV` increases, any existing :term:`PR` value can and should be +removed. + +If :term:`PV` changes in such a way that it does not increase with respect to +the previous value, you need to increase :term:`PE` to ensure package managers +will upgrade it correctly. If unset you should set :term:`PE` to "1" since +the default of empty is easily confused with "0" depending on the package +manager. :term:`PE` can only have an integer value. + +Recipe formatting +================= + +Variable Formatting +------------------- + +- Variable assignment should a space around each side of the operator, e.g. + ``FOO = "bar"``, not ``FOO="bar"``. + +- Double quotes should be used on the right-hand side of the assignment, + e.g. 
``FOO = "bar"`` not ``FOO = 'bar'`` + +- Spaces should be used for indenting variables, with 4 spaces per tab + +- Long variables should be split over multiple lines when possible by using + the continuation character (``\``) + +- When splitting a long variable over multiple lines, all continuation lines + should be indented (with spaces) to align with the start of the quote on the + first line:: + + FOO = "this line is \ + long \ + " + + Instead of:: + + FOO = "this line is \ + long \ + " + +Python Function formatting +-------------------------- + +- Spaces must be used for indenting Python code, with 4 spaces per tab + +Shell Function formatting +------------------------- + +- The formatting of shell functions should be consistent within layers. + Some use tabs, some use spaces. + +Recipe metadata +=============== + +Required Variables +------------------ + +The following variables should be included in all recipes: + +- :term:`SUMMARY`: a one line description of the upstream project + +- :term:`DESCRIPTION`: an extended description of the upstream project, + possibly with multiple lines. If no reasonable description can be written, + this may be omitted as it defaults to :term:`SUMMARY`. + +- :term:`HOMEPAGE`: the URL to the upstream projects homepage. + +- :term:`BUGTRACKER`: the URL upstream projects bug tracking website, + if applicable. 
+ +Recipe Ordering +--------------- + +When a variable is defined in recipes and classes, variables should follow the +general order when possible: + +- :term:`SUMMARY` +- :term:`DESCRIPTION` +- :term:`HOMEPAGE` +- :term:`BUGTRACKER` +- :term:`SECTION` +- :term:`LICENSE` +- :term:`LIC_FILES_CHKSUM` +- :term:`DEPENDS` +- :term:`PROVIDES` +- :term:`PV` +- :term:`SRC_URI` +- :term:`SRCREV` +- :term:`S` +- ``inherit ...`` +- :term:`PACKAGECONFIG` +- Build class specific variables such as ``EXTRA_QMAKEVARS_POST`` and :term:`EXTRA_OECONF` +- Tasks such as :ref:`ref-tasks-configure` +- :term:`PACKAGE_ARCH` +- :term:`PACKAGES` +- :term:`FILES` +- :term:`RDEPENDS` +- :term:`RRECOMMENDS` +- :term:`RSUGGESTS` +- :term:`RPROVIDES` +- :term:`RCONFLICTS` +- :term:`BBCLASSEXTEND` + +There are some cases where ordering is important and these cases would override +this default order. Examples include: + +- :term:`PACKAGE_ARCH` needing to be set before ``inherit packagegroup`` + +Tasks should be ordered based on the order they generally execute. For commonly +used tasks this would be: + +- :ref:`ref-tasks-fetch` +- :ref:`ref-tasks-unpack` +- :ref:`ref-tasks-patch` +- :ref:`ref-tasks-prepare_recipe_sysroot` +- :ref:`ref-tasks-configure` +- :ref:`ref-tasks-compile` +- :ref:`ref-tasks-install` +- :ref:`ref-tasks-populate_sysroot` +- :ref:`ref-tasks-package` + +Custom tasks should be sorted similarly. + +Package specific variables are typically grouped together, e.g.:: + + RDEPENDS:${PN} = “foo” + RDEPENDS:${PN}-libs = “bar” + + RRECOMMENDS:${PN} = “one” + RRECOMMENDS:${PN}-libs = “two” + +Recipe License Fields +--------------------- + +Recipes need to define both the :term:`LICENSE` and +:term:`LIC_FILES_CHKSUM` variables: + +- :term:`LICENSE`: This variable specifies the license for the software. + If you do not know the license under which the software you are + building is distributed, you should go to the source code and look + for that information. 
Typical files containing this information + include ``COPYING``, :term:`LICENSE`, and ``README`` files. You could + also find the information near the top of a source file. For example, + given a piece of software licensed under the GNU General Public + License version 2, you would set :term:`LICENSE` as follows:: + + LICENSE = "GPL-2.0-only" + + The licenses you specify within :term:`LICENSE` can have any name as long + as you do not use spaces, since spaces are used as separators between + license names. For standard licenses, use the names of the files in + ``meta/files/common-licenses/`` or the :term:`SPDXLICENSEMAP` flag names + defined in ``meta/conf/licenses.conf``. + +- :term:`LIC_FILES_CHKSUM`: The OpenEmbedded build system uses this + variable to make sure the license text has not changed. If it has, + the build produces an error and it affords you the chance to figure + it out and correct the problem. + + You need to specify all applicable licensing files for the software. + At the end of the configuration step, the build process will compare + the checksums of the files to be sure the text has not changed. Any + differences result in an error with the message containing the + current checksum. For more explanation and examples of how to set the + :term:`LIC_FILES_CHKSUM` variable, see the + ":ref:`dev-manual/licenses:tracking license changes`" section. + + To determine the correct checksum string, you can list the + appropriate files in the :term:`LIC_FILES_CHKSUM` variable with incorrect + md5 strings, attempt to build the software, and then note the + resulting error messages that will report the correct md5 strings. + See the ":ref:`dev-manual/new-recipe:fetching code`" section for + additional information. 
+ + Here is an example that assumes the software has a ``COPYING`` file:: + + LIC_FILES_CHKSUM = "file://COPYING;md5=xxx" + + When you try to build the + software, the build system will produce an error and give you the + correct string that you can substitute into the recipe file for a + subsequent build. + +Tips and Guidelines for Writing Recipes +--------------------------------------- + +- Use :term:`BBCLASSEXTEND` instead of creating separate recipes such as ``-native`` + and ``-nativesdk`` ones, whenever possible. This avoids having to maintain multiple + recipe files at the same time. + +Patch Upstream Status +===================== + +In order to keep track of patches applied by recipes and ultimately reduce the +number of patches that need maintaining, the OpenEmbedded build system +requires information about the upstream status of each patch. + +In its description, each patch should provide detailed information about the +bug that it addresses, such as the URL in a bug tracking system and links +to relevant mailing list archives. + +Then, you should also add an ``Upstream-Status:`` tag containing one of the +following status strings: + +``Pending`` + No determination has been made yet or not yet submitted to upstream. + +``Submitted [where]`` + Submitted to upstream, waiting for approval. Optionally include where + it was submitted, such as the author, mailing list, etc. + +``Accepted`` + Accepted in upstream, expect it to be removed at next update, include + expected version info. + +``Backport`` + Backported from new upstream version, because we are at a fixed version, + include upstream version info. + +``Denied`` + Not accepted by upstream, include reason in patch. + +``Inactive-Upstream [lastcommit: when (and/or) lastrelease: when]`` + The upstream is no longer available. This typically means a defunct project + where no activity has happened for a long time --- measured in years. 
To make + that judgement, it is recommended to look at not only when the last release + happened, but also when the last commit happened, and whether newly made bug + reports and merge requests since that time receive no reaction. It is also + recommended to add to the patch description any relevant links where the + inactivity can be clearly seen. + +``Inappropriate [reason]`` + The patch is not appropriate for upstream, include a brief reason on the + same line enclosed with ``[]``. The reason can be: + + - ``not author`` (you are not the author and do not intend to upstream this, + the source must be listed in the comments) + - ``native`` + - ``licensing`` + - ``configuration`` + - ``enable feature`` + - ``disable feature`` + - ``bugfix`` (add bug URL here) + - ``embedded specific`` + - ``other`` (give details in comments) + +The various ``Inappropriate [reason]`` status items are meant to indicate that +the person responsible for adding this patch to the system does not intend to +upstream the patch for a specific reason. + +Of course, if another person later takes care of submitting this patch upstream, +the status should be changed to ``Submitted [where]``, and an additional +``Signed-off-by:`` line should be added to the patch by the person claiming +responsibility for upstreaming. + +For example, if the patch has been submitted upstream:: + + rpm: Adjusted the foo setting in bar + + [RPM Ticket #65] -- http://rpm5.org/cvs/tktview?tn=65,5 + + The foo setting in bar was decreased from X to X-50% in order to + ensure we don't exhaust all system memory with foobar threads. + + Upstream-Status: Submitted [rpm5-devel@rpm5.org] + + Signed-off-by: Joe Developer + +A future update can change the value to ``Accepted`` or ``Denied`` as +appropriate. diff --git a/poky/documentation/contributor-guide/report-defect.rst b/poky/documentation/contributor-guide/report-defect.rst new file mode 100644 index 0000000000..8ef133b842 --- /dev/null 
+++ b/poky/documentation/contributor-guide/report-defect.rst 
@@ -0,0 +1,67 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Reporting a Defect Against the Yocto Project and OpenEmbedded +************************************************************** + +You can use the Yocto Project instance of +`Bugzilla `__ to submit a defect (bug) +against BitBake, OpenEmbedded-Core, against any other Yocto Project component +or for tool issues. For additional information on this implementation of +Bugzilla see the ":ref:`Yocto Project Bugzilla `" section +in the Yocto Project Reference Manual. For more detail on any of the following +steps, see the Yocto Project +:yocto_wiki:`Bugzilla wiki page `. + +Use the following general steps to submit a bug: + +#. Open the Yocto Project implementation of :yocto_bugs:`Bugzilla <>`. + +#. Click "File a Bug" to enter a new bug. + +#. Choose the appropriate "Classification", "Product", and "Component" + for which the bug was found. Bugs for the Yocto Project fall into + one of several classifications, which in turn break down into + several products and components. For example, for a bug against the + ``meta-intel`` layer, you would choose "Build System, Metadata & + Runtime", "BSPs", and "bsps-meta-intel", respectively. + +#. Choose the "Version" of the Yocto Project for which you found the + bug (e.g. &DISTRO;). + +#. Determine and select the "Severity" of the bug. The severity + indicates how the bug impacted your work. + +#. Choose the "Hardware" that the bug impacts. + +#. Choose the "Architecture" that the bug impacts. + +#. Choose a "Documentation change" item for the bug. Fixing a bug might + or might not affect the Yocto Project documentation. If you are + unsure of the impact to the documentation, select "Don't Know". + +#. Provide a brief "Summary" of the bug. Try to limit your summary to + just a line or two and be sure to capture the essence of the bug. + +#. Provide a detailed "Description" of the bug. 
You should provide as + much detail as you can about the context, behavior, output, and so + forth that surrounds the bug. You can even attach supporting files + for output from logs by using the "Add an attachment" button. + +#. Click the "Submit Bug" button submit the bug. A new Bugzilla number + is assigned to the bug and the defect is logged in the bug tracking + system. + +Once you file a bug, the bug is processed by the Yocto Project Bug +Triage Team and further details concerning the bug are assigned (e.g. +priority and owner). You are the "Submitter" of the bug and any further +categorization, progress, or comments on the bug result in Bugzilla +sending you an automated email concerning the particular change or +progress to the bug. + +There are no guarantees about if or when a bug might be worked on since an +open-source project has no dedicated engineering resources. However, the +project does have a good track record of resolving common issues over the +medium and long term. We do encourage people to file bugs so issues are +at least known about. It helps other users when they find somebody having +the same issue as they do, and an issue that is unknown is much less likely +to ever be fixed! diff --git a/poky/documentation/contributor-guide/submit-changes.rst b/poky/documentation/contributor-guide/submit-changes.rst new file mode 100644 index 0000000000..cda2d12d25 --- /dev/null +++ b/poky/documentation/contributor-guide/submit-changes.rst 
@@ -0,0 +1,754 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Contributing Changes to a Component +************************************ + +Contributions to the Yocto Project and OpenEmbedded are very welcome. +Because the system is extremely configurable and flexible, we recognize +that developers will want to extend, configure or optimize it for their +specific uses. + +.. _ref-why-mailing-lists: + +Contributing through mailing lists --- Why not using web-based workflows? +========================================================================= + +Both Yocto Project and OpenEmbedded have many key components that are +maintained by patches being submitted on mailing lists. We appreciate this +approach does look a little old fashioned when other workflows are available +through web technology such as GitHub, GitLab and others. Since we are often +asked this question, we’ve decided to document the reasons for using mailing +lists. + +One significant factor is that we value peer review. When a change is proposed +to many of the core pieces of the project, it helps to have many eyes of review +go over them. Whilst there is ultimately one maintainer who needs to make the +final call on accepting or rejecting a patch, the review is made by many eyes +and the exact people reviewing it are likely unknown to the maintainer. It is +often the surprise reviewer that catches the most interesting issues! + +This is in contrast to the "GitHub" style workflow where either just a +maintainer makes that review, or review is specifically requested from +nominated people. We believe there is significant value added to the codebase +by this peer review and that moving away from mailing lists would be to the +detriment of our code. + +We also need to acknowledge that many of our developers are used to this +mailing list workflow and have worked with it for years, with tools and +processes built around it. 
Changing away from this would result in a loss +of key people from the project, which would again be to its detriment. + +The projects are acutely aware that potential new contributors find the +mailing list approach off-putting and would prefer a web-based GUI. +Since we don’t believe that can work for us, the project is aiming to ensure +`patchwork `__ is available to help track +patch status and also looking at how tooling can provide more feedback to users +about patch status. We are looking at improving tools such as ``patchtest`` to +test user contributions before they hit the mailing lists and also at better +documenting how to use such workflows since we recognise that whilst this was +common knowledge a decade ago, it might not be as familiar now. + +Preparing Changes for Submission +================================ + +Set up Git +---------- + +The first thing to do is to install Git packages. Here is an example +on Debian and Ubuntu:: + + sudo aptitude install git-core git-email + +Then, you need to set a name and e-mail address that Git will +use to identify your commits:: + + git config --global user.name "Ada Lovelace" + git config --global user.email "ada.lovelace@gmail.com" + +Clone the Git repository for the component to modify +---------------------------------------------------- + +After identifying the component to modify as described in the +":doc:`../contributor-guide/identify-component`" section, clone the +corresponding Git repository. Here is an example for OpenEmbedded-Core:: + + git clone https://git.openembedded.org/openembedded-core + cd openembedded-core + +Create a new branch +------------------- + +Then, create a new branch in your local Git repository +for your changes, starting from the reference branch in the upstream +repository (often called ``master``):: + + $ git checkout + $ git checkout -b my-changes + +If you have completely unrelated sets of changes to submit, you should even +create one branch for each set. 
+ +Implement and commit changes +---------------------------- + +In each branch, you should group your changes into small, controlled and +isolated ones. Keeping changes small and isolated aids review, makes +merging/rebasing easier and keeps the change history clean should anyone need +to refer to it in future. + +To this purpose, you should create *one Git commit per change*, +corresponding to each of the patches you will eventually submit. +See `further guidance `__ +in the Linux kernel documentation if needed. + +For example, when you intend to add multiple new recipes, each recipe +should be added in a separate commit. For upgrades to existing recipes, +the previous version should usually be deleted as part of the same commit +to add the upgraded version. + +#. *Stage Your Changes:* Stage your changes by using the ``git add`` + command on each file you modified. If you want to stage all the + files you modified, you can even use the ``git add -A`` command. + +#. *Commit Your Changes:* This is when you can create separate commits. For + each commit to create, use the ``git commit -s`` command with the files + or directories you want to include in the commit:: + + $ git commit -s file1 file2 dir1 dir2 ... + + To include **a**\ ll staged files:: + + $ git commit -sa + + - The ``-s`` option of ``git commit`` adds a "Signed-off-by:" line + to your commit message. There is the same requirement for contributing + to the Linux kernel. Adding such a line signifies that you, the + submitter, have agreed to the `Developer's Certificate of Origin 1.1 + `__ + as follows: + + .. 
code-block:: none + + Developer's Certificate of Origin 1.1 + + By making a contribution to this project, I certify that: + + (a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + + (b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + + (c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + + (d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. + + - Provide a single-line summary of the change and, if more + explanation is needed, provide more detail in the body of the + commit. This summary is typically viewable in the "shortlist" of + changes. Thus, providing something short and descriptive that + gives the reader a summary of the change is useful when viewing a + list of many commits. You should prefix this short description + with the recipe name (if changing a recipe), or else with the + short form path to the file being changed. + + .. note:: + + To find a suitable prefix for the commit summary, a good idea + is to look for prefixes used in previous commits touching the + same files or directories:: + + git log --oneline + + - For the body of the commit message, provide detailed information + that describes what you changed, why you made the change, and the + approach you used. 
It might also be helpful if you mention how you + tested the change. Provide as much detail as you can in the body + of the commit message. + + .. note:: + + If the single line summary is enough to describe a simple + change, the body of the commit message can be left empty. + + - If the change addresses a specific bug or issue that is associated + with a bug-tracking ID, include a reference to that ID in your + detailed description. For example, the Yocto Project uses a + specific convention for bug references --- any commit that addresses + a specific bug should use the following form for the detailed + description. Be sure to use the actual bug-tracking ID from + Bugzilla for bug-id:: + + Fixes [YOCTO #bug-id] + + detailed description of change + +#. *Crediting contributors:* By using the ``git commit --amend`` command, + you can add some tags to the commit description to credit other contributors + to the change: + + - ``Reported-by``: name and email of a person reporting a bug + that your commit is trying to fix. This is a good practice + to encourage people to go on reporting bugs and let them + know that their reports are taken into account. + + - ``Suggested-by``: name and email of a person to credit for the + idea of making the change. + + - ``Tested-by``, ``Reviewed-by``: name and email for people having + tested your changes or reviewed their code. These fields are + usually added by the maintainer accepting a patch, or by + yourself if you submitted your patches to early reviewers, + or are submitting an unmodified patch again as part of a + new iteration of your patch series. + + - ``CC:`` Name and email of people you want to send a copy + of your changes to. This field will be used by ``git send-email``. + + See `more guidance about using such tags + `__ + in the Linux kernel documentation. + +Creating Patches +================ + +Here is the general procedure on how to create patches to be sent through email: + +#. 
*Describe the Changes in your Branch:* If you have more than one commit + in your branch, it's recommended to provide a cover letter describing + the series of patches you are about to send. + + For this purpose, a good solution is to store the cover letter contents + in the branch itself:: + + git branch --edit-description + + This will open a text editor to fill in the description for your + changes. This description can be updated when necessary and will + be used by Git to create the cover letter together with the patches. + + It is recommended to start this description with a title line which + will serve a the subject line for the cover letter. + +#. *Generate Patches for your Branch:* The ``git format-patch`` command will + generate patch files for each of the commits in your branch. You need + to pass the reference branch your branch starts from. + + If you branch didn't need a description in the previous step:: + + $ git format-patch + + If you filled a description for your branch, you will want to generate + a cover letter too:: + + $ git format-patch --cover-letter --cover-from-description=auto + + After the command is run, the current directory contains numbered + ``.patch`` files for the commits in your branch. If you have a cover + letter, it will be in the ``0000-cover-letter.patch``. + + .. note:: + + The ``--cover-from-description=auto`` option makes ``git format-patch`` + use the first paragraph of the branch description as the cover + letter title. Another possibility, which is easier to remember, is to pass + only the ``--cover-letter`` option, but you will have to edit the + subject line manually every time you generate the patches. + + See the `git format-patch manual page `__ + for details. + +#. 
*Review each of the Patch Files:* This final review of the patches + before sending them often allows to view your changes from a different + perspective and discover defects such as typos, spacing issues or lines + or even files that you didn't intend to modify. This review should + include the cover letter patch too. + + If necessary, rework your commits as described in + ":ref:`contributor-guide/submit-changes:taking patch review into account`". + +Sending the Patches via Email +============================= + +Using Git to Send Patches +------------------------- + +To submit patches through email, it is very important that you send them +without any whitespace or HTML formatting that either you or your mailer +introduces. The maintainer that receives your patches needs to be able +to save and apply them directly from your emails, using the ``git am`` +command. + +Using the ``git send-email`` command is the only error-proof way of sending +your patches using email since there is no risk of compromising whitespace +in the body of the message, which can occur when you use your own mail +client. It will also properly include your patches as *inline attachments*, +which is not easy to do with standard e-mail clients without breaking lines. +If you used your regular e-mail client and shared your patches as regular +attachments, reviewers wouldn't be able to quote specific sections of your +changes and make comments about them. + +Setting up Git to Send Email +---------------------------- + +The ``git send-email`` command can send email by using a local or remote +Mail Transport Agent (MTA) such as ``msmtp``, ``sendmail``, or +through a direct SMTP configuration in your Git ``~/.gitconfig`` file. 
+ +Here are the settings for letting ``git send-email`` send e-mail through your +regular STMP server, using a Google Mail account as an example:: + + git config --global sendemail.smtpserver smtp.gmail.com + git config --global sendemail.smtpserverport 587 + git config --global sendemail.smtpencryption tls + git config --global sendemail.smtpuser ada.lovelace@gmail.com + git config --global sendemail.smtppass = XXXXXXXX + +These settings will appear in the ``.gitconfig`` file in your home directory. + +If you neither can use a local MTA nor SMTP, make sure you use an email client +that does not touch the message (turning spaces in tabs, wrapping lines, etc.). +A good mail client to do so is Pine (or Alpine) or Mutt. For more +information about suitable clients, see `Email clients info for Linux +`__ +in the Linux kernel sources. + +If you use such clients, just include the patch in the body of your email. + +Finding a Suitable Mailing List +------------------------------- + +You should send patches to the appropriate mailing list so that they can be +reviewed by the right contributors and merged by the appropriate maintainer. +The specific mailing list you need to use depends on the location of the code +you are changing. + +If people have concerns with any of the patches, they will usually voice +their concern over the mailing list. If patches do not receive any negative +reviews, the maintainer of the affected layer typically takes them, tests them, +and then based on successful testing, merges them. + +In general, each component (e.g. layer) should have a ``README`` file +that indicates where to send the changes and which process to follow. + +The "poky" repository, which is the Yocto Project's reference build +environment, is a hybrid repository that contains several individual +pieces (e.g. BitBake, Metadata, documentation, and so forth) built using +the combo-layer tool. 
The upstream location used for submitting changes +varies by component: + +- *Core Metadata:* Send your patches to the + :oe_lists:`openembedded-core ` + mailing list. For example, a change to anything under the ``meta`` or + ``scripts`` directories should be sent to this mailing list. + +- *BitBake:* For changes to BitBake (i.e. anything under the + ``bitbake`` directory), send your patches to the + :oe_lists:`bitbake-devel ` + mailing list. + +- *"meta-\*" trees:* These trees contain Metadata. Use the + :yocto_lists:`poky ` mailing list. + +- *Documentation*: For changes to the Yocto Project documentation, use the + :yocto_lists:`docs ` mailing list. + +For changes to other layers and tools hosted in the Yocto Project source +repositories (i.e. :yocto_git:`git.yoctoproject.org <>`), use the +:yocto_lists:`yocto ` general mailing list. + +For changes to other layers hosted in the OpenEmbedded source +repositories (i.e. :oe_git:`git.openembedded.org <>`), use +the :oe_lists:`openembedded-devel ` +mailing list, unless specified otherwise in the layer's ``README`` file. + +If you intend to submit a new recipe that neither fits into the core Metadata, +nor into :oe_git:`meta-openembedded `, you should +look for a suitable layer in https://layers.openembedded.org. If similar +recipes can be expected, you may consider :ref:`dev-manual/layers:creating your own layer`. + +If in doubt, please ask on the :yocto_lists:`yocto ` general mailing list +or on the :oe_lists:`openembedded-devel ` mailing list. + +Subscribing to the Mailing List +------------------------------- + +After identifying the right mailing list to use, you will have to subscribe to +it if you haven't done it yet. + +If you attempt to send patches to a list you haven't subscribed to, your email +will be returned as undelivered. + +However, if you don't want to be receive all the messages sent to a mailing list, +you can set your subscription to "no email". 
You will still be a subscriber able +to send messages, but you won't receive any e-mail. If people reply to your message, +their e-mail clients will default to including your email address in the +conversation anyway. + +Anyway, you'll also be able to access the new messages on mailing list archives, +either through a web browser, or for the lists archived on https://lore.kernelorg, +through an individual newsgroup feed or a git repository. + +Sending Patches via Email +------------------------- + +At this stage, you are ready to send your patches via email. Here's the +typical usage of ``git send-email``:: + + git send-email --to *.patch + +Then, review each subject line and list of recipients carefully, and then +and then allow the command to send each message. + +You will see that ``git send-email`` will automatically copy the people listed +in any commit tags such as ``Signed-off-by`` or ``Reported-by``. + +In case you are sending patches for :oe_git:`meta-openembedded ` +or any layer other than :oe_git:`openembedded-core `, +please add the appropriate prefix so that it is clear which layer the patch is intended +to be applied to:: + + git send-email --subject-prefix="meta-oe][PATCH" ... + +.. note:: + + It is actually possible to send patches without generating them + first. However, make sure you have reviewed your changes carefully + because ``git send-email`` will just show you the title lines of + each patch. + + Here's a command you can use if you just have one patch in your + branch:: + + git send-email --to -1 + + If you have multiple patches and a cover letter, you can send + patches for all the commits between the reference branch + and the tip of your branch:: + + git send-email --cover-letter --cover-from-description=auto --to -M + +See the `git send-email manual page `__ +for details. 
+ +Troubleshooting Email Issues +---------------------------- + +Fixing your From identity +~~~~~~~~~~~~~~~~~~~~~~~~~ + +We have a frequent issue with contributors whose patches are received through +a ``From`` field which doesn't match the ``Signed-off-by`` information. Here is +a typical example for people sending from a domain name with :wikipedia:`DMARC`:: + + 
From: "Linus Torvalds via lists.openembedded.org " + +This ``From`` field is used by ``git am`` to recreate commits with the right +author name. The following will ensure that your e-mails have an additional +``From`` field at the beginning of the Email body, and therefore that +maintainers accepting your patches don't have to fix commit author information +manually:: + + git config --global sendemail.from "linus.torvalds@kernel.org" + +The ``sendemail.from`` should match your ``user.email`` setting, +which appears in the ``Signed-off-by`` line of your commits. + +Streamlining git send-email usage +--------------------------------- + +If you want to save time and not be forced to remember the right options to use +with ``git send-email``, you can use Git configuration settings. + +- To set the right mailing list address for a given repository:: + + git config --local sendemail.to openembedded-devel@lists.openembedded.org + +- If the mailing list requires a subject prefix for the layer + (this only works when the repository only contains one layer):: + + git config --local format.subjectprefix "meta-something][PATCH" + +Using Scripts to Push a Change Upstream and Request a Pull +========================================================== + +For larger patch series it is preferable to send a pull request which not +only includes the patch but also a pointer to a branch that can be pulled +from. This involves making a local branch for your changes, pushing this +branch to an accessible repository and then using the ``create-pull-request`` +and ``send-pull-request`` scripts from openembedded-core to create and send a +patch series with a link to the branch for review. + +Follow this procedure to push a change to an upstream "contrib" Git +repository once the steps in +":ref:`contributor-guide/submit-changes:preparing changes for submission`" +have been followed: + +.. 
note:: + + You can find general Git information on how to push a change upstream + in the + `Git Community Book `__. + +#. *Request Push Access to an "Upstream" Contrib Repository:* Send an email to + ``helpdesk@yoctoproject.org``: + + - Attach your SSH public key which usually named ``id_rsa.pub.``. + If you don't have one generate it by running ``ssh-keygen -t rsa -b 4096 -C "your_email@example.com"``. + + - List the repositories you're planning to contribute to. + + - Include your preferred branch prefix for ``-contrib`` repositories. + +#. *Push Your Commits to the "Contrib" Upstream:* Push your + changes to that repository:: + + $ git push upstream_remote_repo local_branch_name + + For example, suppose you have permissions to push + into the upstream ``meta-intel-contrib`` repository and you are + working in a local branch named `your_name`\ ``/README``. The following + command pushes your local commits to the ``meta-intel-contrib`` + upstream repository and puts the commit in a branch named + `your_name`\ ``/README``:: + + $ git push meta-intel-contrib your_name/README + +#. *Determine Who to Notify:* Determine the maintainer or the mailing + list that you need to notify for the change. + + Before submitting any change, you need to be sure who the maintainer + is or what mailing list that you need to notify. Use either these + methods to find out: + + - *Maintenance File:* Examine the ``maintainers.inc`` file, which is + located in the :term:`Source Directory` at + ``meta/conf/distro/include``, to see who is responsible for code. + + - *Search by File:* Using :ref:`overview-manual/development-environment:git`, you can + enter the following command to bring up a short list of all + commits against a specific file:: + + git shortlog -- filename + + Just provide the name of the file for which you are interested. The + information returned is not ordered by history but does include a + list of everyone who has committed grouped by name. 
From the list, + you can see who is responsible for the bulk of the changes against + the file. + + - *Find the Mailing List to Use:* See the + ":ref:`contributor-guide/submit-changes:finding a suitable mailing list`" + section above. + +#. *Make a Pull Request:* Notify the maintainer or the mailing list that + you have pushed a change by making a pull request. + + The Yocto Project provides two scripts that conveniently let you + generate and send pull requests to the Yocto Project. These scripts + are ``create-pull-request`` and ``send-pull-request``. You can find + these scripts in the ``scripts`` directory within the + :term:`Source Directory` (e.g. + ``poky/scripts``). + + Using these scripts correctly formats the requests without + introducing any whitespace or HTML formatting. The maintainer that + receives your patches either directly or through the mailing list + needs to be able to save and apply them directly from your emails. + Using these scripts is the preferred method for sending patches. + + First, create the pull request. For example, the following command + runs the script, specifies the upstream repository in the contrib + directory into which you pushed the change, and provides a subject + line in the created patch files:: + + $ poky/scripts/create-pull-request -u meta-intel-contrib -s "Updated Manual Section Reference in README" + + Running this script forms ``*.patch`` files in a folder named + ``pull-``\ `PID` in the current directory. One of the patch files is a + cover letter. + + Before running the ``send-pull-request`` script, you must edit the + cover letter patch to insert information about your change. After + editing the cover letter, send the pull request. For example, the + following command runs the script and specifies the patch directory + and email address. 
In this example, the email address is a mailing + list:: + + $ poky/scripts/send-pull-request -p ~/meta-intel/pull-10565 -t meta-intel@lists.yoctoproject.org + + You need to follow the prompts as the script is interactive. + + .. note:: + + For help on using these scripts, simply provide the ``-h`` + argument as follows:: + + $ poky/scripts/create-pull-request -h + $ poky/scripts/send-pull-request -h + +Submitting Changes to Stable Release Branches +============================================= + +The process for proposing changes to a Yocto Project stable branch differs +from the steps described above. Changes to a stable branch must address +identified bugs or CVEs and should be made carefully in order to avoid the +risk of introducing new bugs or breaking backwards compatibility. Typically +bug fixes must already be accepted into the master branch before they can be +backported to a stable branch unless the bug in question does not affect the +master branch or the fix on the master branch is unsuitable for backporting. + +The list of stable branches along with the status and maintainer for each +branch can be obtained from the +:yocto_wiki:`Releases wiki page `. + +.. note:: + + Changes will not typically be accepted for branches which are marked as + End-Of-Life (EOL). + +With this in mind, the steps to submit a change for a stable branch are as +follows: + +#. *Identify the bug or CVE to be fixed:* This information should be + collected so that it can be included in your submission. + + See :ref:`dev-manual/vulnerabilities:checking for vulnerabilities` + for details about CVE tracking. + +#. *Check if the fix is already present in the master branch:* This will + result in the most straightforward path into the stable branch for the + fix. + + #. 
*If the fix is present in the master branch --- submit a backport request + by email:* You should send an email to the relevant stable branch + maintainer and the mailing list with details of the bug or CVE to be + fixed, the commit hash on the master branch that fixes the issue and + the stable branches which you would like this fix to be backported to. + + #. *If the fix is not present in the master branch --- submit the fix to the + master branch first:* This will ensure that the fix passes through the + project's usual patch review and test processes before being accepted. + It will also ensure that bugs are not left unresolved in the master + branch itself. Once the fix is accepted in the master branch a backport + request can be submitted as above. + + #. *If the fix is unsuitable for the master branch --- submit a patch + directly for the stable branch:* This method should be considered as a + last resort. It is typically necessary when the master branch is using + a newer version of the software which includes an upstream fix for the + issue or when the issue has been fixed on the master branch in a way + that introduces backwards incompatible changes. In this case follow the + steps in ":ref:`contributor-guide/submit-changes:preparing changes for submission`" + and in the following sections but modify the subject header of your patch + email to include the name of the stable branch which you are + targetting. This can be done using the ``--subject-prefix`` argument to + ``git format-patch``, for example to submit a patch to the + "&DISTRO_NAME_NO_CAP_MINUS_ONE;" branch use:: + + git format-patch --subject-prefix='&DISTRO_NAME_NO_CAP_MINUS_ONE;][PATCH' ... + +Taking Patch Review into Account +================================ + +You may get feedback on your submitted patches from other community members +or from the automated patchtest service. 
If issues are identified in your +patches then it is usually necessary to address these before the patches are +accepted into the project. In this case you should your commits according +to the feedback and submit an updated version to the relevant mailing list. + +In any case, never fix reported issues by fixing them in new commits +on the tip of your branch. Always come up with a new series of commits +without the reported issues. + +.. note:: + + It is a good idea to send a copy to the reviewers who provided feedback + to the previous version of the patch. You can make sure this happens + by adding a ``CC`` tag to the commit description:: + + CC: William Shakespeare + +A single patch can be amended using ``git commit --amend``, and multiple +patches can be easily reworked and reordered through an interactive Git rebase:: + + git rebase -i + +See `this tutorial `__ +for practical guidance about using Git interactive rebasing. + +You should also modify the ``[PATCH]`` tag in the email subject line when +sending the revised patch to mark the new iteration as ``[PATCH v2]``, +``[PATCH v3]``, etc as appropriate. This can be done by passing the ``-v`` +argument to ``git format-patch`` with a version number:: + + git format-patch -v2 + +Lastly please ensure that you also test your revised changes. In particular +please don't just edit the patch file written out by ``git format-patch`` and +resend it. + +Tracking the Status of Patches +============================== + +The Yocto Project uses a `Patchwork instance `__ +to track the status of patches submitted to the various mailing lists and to +support automated patch testing. Each submitted patch is checked for common +mistakes and deviations from the expected patch format and submitters are +notified by ``patchtest`` if such mistakes are found. This process helps to +reduce the burden of patch review on maintainers. + +.. note:: + + This system is imperfect and changes can sometimes get lost in the flow. 
+ Asking about the status of a patch or change is reasonable if the change + has been idle for a while with no feedback. + +If your patches have not had any feedback in a few days, they may have already +been merged. You can run ``git pull`` branch to check this. Note that many if +not most layer maintainers do not send out acknowledgement emails when they +accept patches. Alternatively, if there is no response or merge after a few days +the patch may have been missed or the appropriate reviewers may not currently be +around. It is then perfectly fine to reply to it yourself with a reminder asking +for feedback. + +.. note:: + + Patch reviews for feature and recipe upgrade patches are likely be delayed + during a feature freeze because these types of patches aren't merged during + at that time --- you may have to wait until after the freeze is lifted. + +Maintainers also commonly use ``-next`` branches to test submissions prior to +merging patches. Thus, you can get an idea of the status of a patch based on +whether the patch has been merged into one of these branches. The commonly +used testing branches for OpenEmbedded-Core are as follows: + +- *openembedded-core "master-next" branch:* This branch is part of the + :oe_git:`openembedded-core ` repository and contains + proposed changes to the core metadata. + +- *poky "master-next" branch:* This branch is part of the + :yocto_git:`poky ` repository and combines proposed + changes to BitBake, the core metadata and the poky distro. + +Similarly, stable branches maintained by the project may have corresponding +``-next`` branches which collect proposed changes. For example, +``&DISTRO_NAME_NO_CAP;-next`` and ``&DISTRO_NAME_NO_CAP_MINUS_ONE;-next`` +branches in both the "openembdedded-core" and "poky" repositories. + +Other layers may have similar testing branches but there is no formal +requirement or standard for these so please check the documentation for the +layers you are contributing to. + 
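Review bot: the SMTP setup in the "Setting up Git to Send Email" subsection has a broken and insecure line: `git config --global sendemail.smtppass = XXXXXXXX` passes `=` as the value and `XXXXXXXX` as a value pattern, so it does not set what the text says, and even in the corrected form it writes a plaintext mail password into `~/.gitconfig`. Suggest dropping the `smtppass` line entirely (when `sendemail.smtpuser` is set and no password is configured, `git send-email` obtains one through `git credential`, prompting if no helper has it) or pointing readers at a credential helper, and noting that for the Gmail example this is an app password rather than the account password. Also, `git commit -sa` is described as including "all staged files", but `-a` stages and commits every modified tracked file regardless of what was staged; either say so or recommend plain `git commit -s` after `git add`. Smaller fixes in the same hunk: "STMP server" -> "SMTP server"; "https://lore.kernelorg" -> "https://lore.kernel.org"; "serve a the subject line" -> "serve as the subject line"; "If you branch didn't need" -> "If your branch didn't need"; "and then and then allow" repeats "and then"; "you should your commits according to the feedback" is missing "rework"; "targetting" -> "targeting"; "likely be delayed" -> "likely to be delayed"; "openembdedded-core" -> "openembedded-core"; "which usually named ``id_rsa.pub.``" -> "which is usually named ``id_rsa.pub``". The `ssh-keygen -t rsa -b 4096` suggestion for the contrib push key could be updated to `ssh-keygen -t ed25519`, the widely recommended key type today, which also yields a much shorter public key to attach.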
diff --git a/poky/documentation/dev-manual/building.rst b/poky/documentation/dev-manual/building.rst index 1f1642e846..a395793493 100644 --- a/poky/documentation/dev-manual/building.rst +++ b/poky/documentation/dev-manual/building.rst @@ -273,12 +273,12 @@ loading modules needed to locate and mount the final root filesystem. Follow these steps to create an :term:`Initramfs` image: -#. *Create the :term:`Initramfs` Image Recipe:* You can reference the +#. *Create the Initramfs Image Recipe:* You can reference the ``core-image-minimal-initramfs.bb`` recipe found in the ``meta/recipes-core`` directory of the :term:`Source Directory` as an example from which to work. -#. *Decide if You Need to Bundle the :term:`Initramfs` Image Into the Kernel +#. *Decide if You Need to Bundle the Initramfs Image Into the Kernel Image:* If you want the :term:`Initramfs` image that is built to be bundled in with the kernel image, set the :term:`INITRAMFS_IMAGE_BUNDLE` variable to ``"1"`` in your ``local.conf`` configuration file and set the diff --git a/poky/documentation/dev-manual/changes.rst b/poky/documentation/dev-manual/changes.rst deleted file mode 100644 index 9db6ce010c..0000000000 --- a/poky/documentation/dev-manual/changes.rst +++ /dev/null 
@@ -1,525 +0,0 @@ -.. SPDX-License-Identifier: CC-BY-SA-2.0-UK - -Making Changes to the Yocto Project -*********************************** - -Because the Yocto Project is an open-source, community-based project, -you can effect changes to the project. This section presents procedures -that show you how to submit a defect against the project and how to -submit a change. - -Submitting a Defect Against the Yocto Project -============================================= - -Use the Yocto Project implementation of -`Bugzilla `__ to submit a defect (bug) -against the Yocto Project. For additional information on this -implementation of Bugzilla see the ":ref:`Yocto Project -Bugzilla `" section in the -Yocto Project Reference Manual. For more detail on any of the following -steps, see the Yocto Project -:yocto_wiki:`Bugzilla wiki page `. - -Use the following general steps to submit a bug: - -#. Open the Yocto Project implementation of :yocto_bugs:`Bugzilla <>`. - -#. Click "File a Bug" to enter a new bug. - -#. Choose the appropriate "Classification", "Product", and "Component" - for which the bug was found. Bugs for the Yocto Project fall into - one of several classifications, which in turn break down into - several products and components. For example, for a bug against the - ``meta-intel`` layer, you would choose "Build System, Metadata & - Runtime", "BSPs", and "bsps-meta-intel", respectively. - -#. Choose the "Version" of the Yocto Project for which you found the - bug (e.g. &DISTRO;). - -#. Determine and select the "Severity" of the bug. The severity - indicates how the bug impacted your work. - -#. Choose the "Hardware" that the bug impacts. - -#. Choose the "Architecture" that the bug impacts. - -#. Choose a "Documentation change" item for the bug. Fixing a bug might - or might not affect the Yocto Project documentation. If you are - unsure of the impact to the documentation, select "Don't Know". - -#. Provide a brief "Summary" of the bug. 
Try to limit your summary to - just a line or two and be sure to capture the essence of the bug. - -#. Provide a detailed "Description" of the bug. You should provide as - much detail as you can about the context, behavior, output, and so - forth that surrounds the bug. You can even attach supporting files - for output from logs by using the "Add an attachment" button. - -#. Click the "Submit Bug" button submit the bug. A new Bugzilla number - is assigned to the bug and the defect is logged in the bug tracking - system. - -Once you file a bug, the bug is processed by the Yocto Project Bug -Triage Team and further details concerning the bug are assigned (e.g. -priority and owner). You are the "Submitter" of the bug and any further -categorization, progress, or comments on the bug result in Bugzilla -sending you an automated email concerning the particular change or -progress to the bug. - -Submitting a Change to the Yocto Project -======================================== - -Contributions to the Yocto Project and OpenEmbedded are very welcome. -Because the system is extremely configurable and flexible, we recognize -that developers will want to extend, configure or optimize it for their -specific uses. - -The Yocto Project uses a mailing list and a patch-based workflow that is -similar to the Linux kernel but contains important differences. In -general, there is a mailing list through which you can submit patches. You -should send patches to the appropriate mailing list so that they can be -reviewed and merged by the appropriate maintainer. The specific mailing -list you need to use depends on the location of the code you are -changing. Each component (e.g. layer) should have a ``README`` file that -indicates where to send the changes and which process to follow. - -You can send the patch to the mailing list using whichever approach you -feel comfortable with to generate the patch. Once sent, the patch is -usually reviewed by the community at large. 
If somebody has concerns -with the patch, they will usually voice their concern over the mailing -list. If a patch does not receive any negative reviews, the maintainer -of the affected layer typically takes the patch, tests it, and then -based on successful testing, merges the patch. - -The "poky" repository, which is the Yocto Project's reference build -environment, is a hybrid repository that contains several individual -pieces (e.g. BitBake, Metadata, documentation, and so forth) built using -the combo-layer tool. The upstream location used for submitting changes -varies by component: - -- *Core Metadata:* Send your patch to the - :oe_lists:`openembedded-core ` - mailing list. For example, a change to anything under the ``meta`` or - ``scripts`` directories should be sent to this mailing list. - -- *BitBake:* For changes to BitBake (i.e. anything under the - ``bitbake`` directory), send your patch to the - :oe_lists:`bitbake-devel ` - mailing list. - -- *"meta-\*" trees:* These trees contain Metadata. Use the - :yocto_lists:`poky ` mailing list. - -- *Documentation*: For changes to the Yocto Project documentation, use the - :yocto_lists:`docs ` mailing list. - -For changes to other layers hosted in the Yocto Project source -repositories (i.e. ``yoctoproject.org``) and tools use the -:yocto_lists:`Yocto Project ` general mailing list. - -.. note:: - - Sometimes a layer's documentation specifies to use a particular - mailing list. If so, use that list. - -For additional recipes that do not fit into the core Metadata, you -should determine which layer the recipe should go into and submit the -change in the manner recommended by the documentation (e.g. the -``README`` file) supplied with the layer. If in doubt, please ask on the -Yocto general mailing list or on the openembedded-devel mailing list. - -You can also push a change upstream and request a maintainer to pull the -change into the component's upstream repository. 
You do this by pushing -to a contribution repository that is upstream. See the -":ref:`overview-manual/development-environment:git workflows and the yocto project`" -section in the Yocto Project Overview and Concepts Manual for additional -concepts on working in the Yocto Project development environment. - -Maintainers commonly use ``-next`` branches to test submissions prior to -merging patches. Thus, you can get an idea of the status of a patch based on -whether the patch has been merged into one of these branches. The commonly -used testing branches for OpenEmbedded-Core are as follows: - -- *openembedded-core "master-next" branch:* This branch is part of the - :oe_git:`openembedded-core ` repository and contains - proposed changes to the core metadata. - -- *poky "master-next" branch:* This branch is part of the - :yocto_git:`poky ` repository and combines proposed - changes to BitBake, the core metadata and the poky distro. - -Similarly, stable branches maintained by the project may have corresponding -``-next`` branches which collect proposed changes. For example, -``&DISTRO_NAME_NO_CAP;-next`` and ``&DISTRO_NAME_NO_CAP_MINUS_ONE;-next`` -branches in both the "openembdedded-core" and "poky" repositories. - -Other layers may have similar testing branches but there is no formal -requirement or standard for these so please check the documentation for the -layers you are contributing to. - -The following sections provide procedures for submitting a change. - -Preparing Changes for Submission --------------------------------- - -#. *Make Your Changes Locally:* Make your changes in your local Git - repository. You should make small, controlled, isolated changes. - Keeping changes small and isolated aids review, makes - merging/rebasing easier and keeps the change history clean should - anyone need to refer to it in future. - -#. *Stage Your Changes:* Stage your changes by using the ``git add`` - command on each file you changed. - -#. 
*Commit Your Changes:* Commit the change by using the ``git commit`` - command. Make sure your commit information follows standards by - following these accepted conventions: - - - Be sure to include a "Signed-off-by:" line in the same style as - required by the Linux kernel. This can be done by using the - ``git commit -s`` command. Adding this line signifies that you, - the submitter, have agreed to the Developer's Certificate of - Origin 1.1 as follows: - - .. code-block:: none - - Developer's Certificate of Origin 1.1 - - By making a contribution to this project, I certify that: - - (a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license - indicated in the file; or - - (b) The contribution is based upon previous work that, to the best - of my knowledge, is covered under an appropriate open source - license and I have the right under that license to submit that - work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am - permitted to submit under a different license), as indicated - in the file; or - - (c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified - it. - - (d) I understand and agree that this project and the contribution - are public and that a record of the contribution (including all - personal information I submit with it, including my sign-off) is - maintained indefinitely and may be redistributed consistent with - this project or the open source license(s) involved. - - - Provide a single-line summary of the change and, if more - explanation is needed, provide more detail in the body of the - commit. This summary is typically viewable in the "shortlist" of - changes. Thus, providing something short and descriptive that - gives the reader a summary of the change is useful when viewing a - list of many commits. 
You should prefix this short description - with the recipe name (if changing a recipe), or else with the - short form path to the file being changed. - - - For the body of the commit message, provide detailed information - that describes what you changed, why you made the change, and the - approach you used. It might also be helpful if you mention how you - tested the change. Provide as much detail as you can in the body - of the commit message. - - .. note:: - - You do not need to provide a more detailed explanation of a - change if the change is minor to the point of the single line - summary providing all the information. - - - If the change addresses a specific bug or issue that is associated - with a bug-tracking ID, include a reference to that ID in your - detailed description. For example, the Yocto Project uses a - specific convention for bug references --- any commit that addresses - a specific bug should use the following form for the detailed - description. Be sure to use the actual bug-tracking ID from - Bugzilla for bug-id:: - - Fixes [YOCTO #bug-id] - - detailed description of change - -Using Email to Submit a Patch ------------------------------ - -Depending on the components changed, you need to submit the email to a -specific mailing list. For some guidance on which mailing list to use, -see the -:ref:`list ` -at the beginning of this section. For a description of all the available -mailing lists, see the ":ref:`Mailing Lists `" section in the -Yocto Project Reference Manual. - -Here is the general procedure on how to submit a patch through email -without using the scripts once the steps in -:ref:`dev-manual/changes:preparing changes for submission` have been followed: - -#. *Format the Commit:* Format the commit into an email message. To - format commits, use the ``git format-patch`` command. When you - provide the command, you must include a revision list or a number of - patches as part of the command. 
For example, either of these two - commands takes your most recent single commit and formats it as an - email message in the current directory:: - - $ git format-patch -1 - - or :: - - $ git format-patch HEAD~ - - After the command is run, the current directory contains a numbered - ``.patch`` file for the commit. - - If you provide several commits as part of the command, the - ``git format-patch`` command produces a series of numbered files in - the current directory – one for each commit. If you have more than - one patch, you should also use the ``--cover`` option with the - command, which generates a cover letter as the first "patch" in the - series. You can then edit the cover letter to provide a description - for the series of patches. For information on the - ``git format-patch`` command, see ``GIT_FORMAT_PATCH(1)`` displayed - using the ``man git-format-patch`` command. - - .. note:: - - If you are or will be a frequent contributor to the Yocto Project - or to OpenEmbedded, you might consider requesting a contrib area - and the necessary associated rights. - -#. *Send the patches via email:* Send the patches to the recipients and - relevant mailing lists by using the ``git send-email`` command. - - .. note:: - - In order to use ``git send-email``, you must have the proper Git packages - installed on your host. - For Ubuntu, Debian, and Fedora the package is ``git-email``. - - The ``git send-email`` command sends email by using a local or remote - Mail Transport Agent (MTA) such as ``msmtp``, ``sendmail``, or - through a direct ``smtp`` configuration in your Git ``~/.gitconfig`` - file. If you are submitting patches through email only, it is very - important that you submit them without any whitespace or HTML - formatting that either you or your mailer introduces. The maintainer - that receives your patches needs to be able to save and apply them - directly from your emails. 
A good way to verify that what you are - sending will be applicable by the maintainer is to do a dry run and - send them to yourself and then save and apply them as the maintainer - would. - - The ``git send-email`` command is the preferred method for sending - your patches using email since there is no risk of compromising - whitespace in the body of the message, which can occur when you use - your own mail client. The command also has several options that let - you specify recipients and perform further editing of the email - message. For information on how to use the ``git send-email`` - command, see ``GIT-SEND-EMAIL(1)`` displayed using the - ``man git-send-email`` command. - -The Yocto Project uses a `Patchwork instance `__ -to track the status of patches submitted to the various mailing lists and to -support automated patch testing. Each submitted patch is checked for common -mistakes and deviations from the expected patch format and submitters are -notified by patchtest if such mistakes are found. This process helps to -reduce the burden of patch review on maintainers. - -.. note:: - - This system is imperfect and changes can sometimes get lost in the flow. - Asking about the status of a patch or change is reasonable if the change - has been idle for a while with no feedback. - -Using Scripts to Push a Change Upstream and Request a Pull ----------------------------------------------------------- - -For larger patch series it is preferable to send a pull request which not -only includes the patch but also a pointer to a branch that can be pulled -from. This involves making a local branch for your changes, pushing this -branch to an accessible repository and then using the ``create-pull-request`` -and ``send-pull-request`` scripts from openembedded-core to create and send a -patch series with a link to the branch for review. 
- -Follow this procedure to push a change to an upstream "contrib" Git -repository once the steps in :ref:`dev-manual/changes:preparing changes for submission` have -been followed: - -.. note:: - - You can find general Git information on how to push a change upstream - in the - `Git Community Book `__. - -#. *Push Your Commits to a "Contrib" Upstream:* If you have arranged for - permissions to push to an upstream contrib repository, push the - change to that repository:: - - $ git push upstream_remote_repo local_branch_name - - For example, suppose you have permissions to push - into the upstream ``meta-intel-contrib`` repository and you are - working in a local branch named `your_name`\ ``/README``. The following - command pushes your local commits to the ``meta-intel-contrib`` - upstream repository and puts the commit in a branch named - `your_name`\ ``/README``:: - - $ git push meta-intel-contrib your_name/README - -#. *Determine Who to Notify:* Determine the maintainer or the mailing - list that you need to notify for the change. - - Before submitting any change, you need to be sure who the maintainer - is or what mailing list that you need to notify. Use either these - methods to find out: - - - *Maintenance File:* Examine the ``maintainers.inc`` file, which is - located in the :term:`Source Directory` at - ``meta/conf/distro/include``, to see who is responsible for code. - - - *Search by File:* Using :ref:`overview-manual/development-environment:git`, you can - enter the following command to bring up a short list of all - commits against a specific file:: - - git shortlog -- filename - - Just provide the name of the file for which you are interested. The - information returned is not ordered by history but does include a - list of everyone who has committed grouped by name. From the list, - you can see who is responsible for the bulk of the changes against - the file. 
- - - *Examine the List of Mailing Lists:* For a list of the Yocto - Project and related mailing lists, see the ":ref:`Mailing - lists `" section in - the Yocto Project Reference Manual. - -#. *Make a Pull Request:* Notify the maintainer or the mailing list that - you have pushed a change by making a pull request. - - The Yocto Project provides two scripts that conveniently let you - generate and send pull requests to the Yocto Project. These scripts - are ``create-pull-request`` and ``send-pull-request``. You can find - these scripts in the ``scripts`` directory within the - :term:`Source Directory` (e.g. - ``poky/scripts``). - - Using these scripts correctly formats the requests without - introducing any whitespace or HTML formatting. The maintainer that - receives your patches either directly or through the mailing list - needs to be able to save and apply them directly from your emails. - Using these scripts is the preferred method for sending patches. - - First, create the pull request. For example, the following command - runs the script, specifies the upstream repository in the contrib - directory into which you pushed the change, and provides a subject - line in the created patch files:: - - $ poky/scripts/create-pull-request -u meta-intel-contrib -s "Updated Manual Section Reference in README" - - Running this script forms ``*.patch`` files in a folder named - ``pull-``\ `PID` in the current directory. One of the patch files is a - cover letter. - - Before running the ``send-pull-request`` script, you must edit the - cover letter patch to insert information about your change. After - editing the cover letter, send the pull request. For example, the - following command runs the script and specifies the patch directory - and email address. In this example, the email address is a mailing - list:: - - $ poky/scripts/send-pull-request -p ~/meta-intel/pull-10565 -t meta-intel@lists.yoctoproject.org - - You need to follow the prompts as the script is interactive. 
- - .. note:: - - For help on using these scripts, simply provide the ``-h`` - argument as follows:: - - $ poky/scripts/create-pull-request -h - $ poky/scripts/send-pull-request -h - -Responding to Patch Review --------------------------- - -You may get feedback on your submitted patches from other community members -or from the automated patchtest service. If issues are identified in your -patch then it is usually necessary to address these before the patch will be -accepted into the project. In this case you should amend the patch according -to the feedback and submit an updated version to the relevant mailing list, -copying in the reviewers who provided feedback to the previous version of the -patch. - -The patch should be amended using ``git commit --amend`` or perhaps ``git -rebase`` for more expert git users. You should also modify the ``[PATCH]`` -tag in the email subject line when sending the revised patch to mark the new -iteration as ``[PATCH v2]``, ``[PATCH v3]``, etc as appropriate. This can be -done by passing the ``-v`` argument to ``git format-patch`` with a version -number. - -Lastly please ensure that you also test your revised changes. In particular -please don't just edit the patch file written out by ``git format-patch`` and -resend it. - -Submitting Changes to Stable Release Branches ---------------------------------------------- - -The process for proposing changes to a Yocto Project stable branch differs -from the steps described above. Changes to a stable branch must address -identified bugs or CVEs and should be made carefully in order to avoid the -risk of introducing new bugs or breaking backwards compatibility. Typically -bug fixes must already be accepted into the master branch before they can be -backported to a stable branch unless the bug in question does not affect the -master branch or the fix on the master branch is unsuitable for backporting. 
- -The list of stable branches along with the status and maintainer for each -branch can be obtained from the -:yocto_wiki:`Releases wiki page `. - -.. note:: - - Changes will not typically be accepted for branches which are marked as - End-Of-Life (EOL). - -With this in mind, the steps to submit a change for a stable branch are as -follows: - -#. *Identify the bug or CVE to be fixed:* This information should be - collected so that it can be included in your submission. - - See :ref:`dev-manual/vulnerabilities:checking for vulnerabilities` - for details about CVE tracking. - -#. *Check if the fix is already present in the master branch:* This will - result in the most straightforward path into the stable branch for the - fix. - - #. *If the fix is present in the master branch --- submit a backport request - by email:* You should send an email to the relevant stable branch - maintainer and the mailing list with details of the bug or CVE to be - fixed, the commit hash on the master branch that fixes the issue and - the stable branches which you would like this fix to be backported to. - - #. *If the fix is not present in the master branch --- submit the fix to the - master branch first:* This will ensure that the fix passes through the - project's usual patch review and test processes before being accepted. - It will also ensure that bugs are not left unresolved in the master - branch itself. Once the fix is accepted in the master branch a backport - request can be submitted as above. - - #. *If the fix is unsuitable for the master branch --- submit a patch - directly for the stable branch:* This method should be considered as a - last resort. It is typically necessary when the master branch is using - a newer version of the software which includes an upstream fix for the - issue or when the issue has been fixed on the master branch in a way - that introduces backwards incompatible changes. 
In this case follow the - steps in :ref:`dev-manual/changes:preparing changes for submission` and - :ref:`dev-manual/changes:using email to submit a patch` but modify the subject header of your patch - email to include the name of the stable branch which you are - targetting. This can be done using the ``--subject-prefix`` argument to - ``git format-patch``, for example to submit a patch to the dunfell - branch use - ``git format-patch --subject-prefix='&DISTRO_NAME_NO_CAP_MINUS_ONE;][PATCH' ...``. - diff --git a/poky/documentation/dev-manual/debugging.rst b/poky/documentation/dev-manual/debugging.rst index 3c5609cef5..fea2cb30a1 100644 --- a/poky/documentation/dev-manual/debugging.rst +++ b/poky/documentation/dev-manual/debugging.rst @@ -879,8 +879,7 @@ The build should work without issue. As with all solved problems, if they originated upstream, you need to submit the fix for the recipe in OE-Core and upstream so that the problem is taken care of at its source. See the -":ref:`dev-manual/changes:submitting a change to the yocto project`" -section for more information. +":doc:`../contributor-guide/submit-changes`" section for more information. Debugging With the GNU Project Debugger (GDB) Remotely ====================================================== @@ -1236,9 +1235,7 @@ Here are some other tips that you might find useful: :yocto_bugs:`Bugzilla <>`. For information on how to submit a bug against the Yocto Project, see the Yocto Project Bugzilla :yocto_wiki:`wiki page ` - and the - ":ref:`dev-manual/changes:submitting a defect against the yocto project`" - section. + and the ":doc:`../contributor-guide/report-defect`" section. .. note:: diff --git a/poky/documentation/dev-manual/disk-space.rst b/poky/documentation/dev-manual/disk-space.rst index c63591cc7a..6d1638a302 100644 --- a/poky/documentation/dev-manual/disk-space.rst +++ b/poky/documentation/dev-manual/disk-space.rst 
@@ -23,23 +23,39 @@ final disk usage of 22 Gbytes instead of &MIN_DISK_SPACE; Gbytes. However, &MIN_DISK_SPACE_RM_WORK; Gbytes of initial free disk space are still needed to create temporary files before they can be deleted. -Purging Duplicate Shared State Cache Files -========================================== +Purging Obsolete Shared State Cache Files +========================================= After multiple build iterations, the Shared State (sstate) cache can contain -duplicate cache files for a given package, while only the most recent one -is likely to be reusable. The following command purges all but the -newest sstate cache file for each package:: +multiple cache files for a given package, consuming a substantial amount of +disk space. However, only the most recent ones are likely to be reused. - sstate-cache-management.sh --remove-duplicated --cache-dir=build/sstate-cache +The following command is a quick way to purge all the cache files which +haven't been used for a least a specified number of days:: -This command will ask you to confirm the deletions it identifies. + find build/sstate-cache -type f -mtime +$DAYS -delete -.. note:: +The above command relies on the fact that BitBake touches the sstate cache +files as it accesses them, when it has write access to the cache. - The duplicated sstate cache files of one package must have the same - architecture, which means that sstate cache files with multiple - architectures are not considered as duplicate. +You could use ``-atime`` instead of ``-mtime`` if the partition isn't mounted +with the ``noatime`` option for a read only cache. +For more advanced needs, OpenEmbedded-Core also offers a more elaborate +command. It has the ability to purge all but the newest cache files on each +architecture, and also to remove files that it considers unreachable by +exploring a set of build configurations. 
However, this command +requires a full build environment to be available and doesn't work well +covering multiple releases. It won't work either on limited environments +such as BSD based NAS:: + + sstate-cache-management.sh --remove-duplicated --cache-dir=build/sstate-cache + +This command will ask you to confirm the deletions it identifies. Run ``sstate-cache-management.sh`` for more details about this script. +.. note:: + + As this command is much more cautious and selective, removing only cache files, + it will execute much slower than the simple ``find`` command described above. + Therefore, it may not be your best option to trim huge cache directories. diff --git a/poky/documentation/dev-manual/index.rst b/poky/documentation/dev-manual/index.rst index b0bb5576ad..3618e51c8d 100644 --- a/poky/documentation/dev-manual/index.rst +++ b/poky/documentation/dev-manual/index.rst @@ -43,7 +43,6 @@ Yocto Project Development Tasks Manual build-quality runtime-testing debugging - changes licenses vulnerabilities sbom diff --git a/poky/documentation/dev-manual/licenses.rst b/poky/documentation/dev-manual/licenses.rst index 9629dc5329..200c3fc389 100644 --- a/poky/documentation/dev-manual/licenses.rst +++ b/poky/documentation/dev-manual/licenses.rst 
@@ -298,14 +298,28 @@ There are other requirements beyond the scope of these three and the methods described in this section (e.g. the mechanism through which source code is distributed). -As different organizations have different methods of complying with open -source licensing, this section is not meant to imply that there is only -one single way to meet your compliance obligations, but rather to -describe one method of achieving compliance. The remainder of this -section describes methods supported to meet the previously mentioned -three requirements. Once you take steps to meet these requirements, and -prior to releasing images, sources, and the build system, you should -audit all artifacts to ensure completeness. +As different organizations have different ways of releasing software, +there can be multiple ways of meeting license obligations. At +least, we describe here two methods for achieving compliance: + +- The first method is to use OpenEmbedded's ability to provide + the source code, provide a list of licenses, as well as + compilation scripts and source code modifications. + + The remainder of this section describes supported methods to meet + the previously mentioned three requirements. + +- The second method is to generate a *Software Bill of Materials* + (:term:`SBoM`), as described in the ":doc:`/dev-manual/sbom`" section. + Not only do you generate :term:`SPDX` output which can be used meet + license compliance requirements (except for sharing the build system + and layers sources for the time being), but this output also includes + component version and patch information which can be used + for vulnerability assessment. + +Whatever method you choose, prior to releasing images, sources, +and the build system, you should audit all artifacts to ensure +completeness. .. note:: diff --git a/poky/documentation/dev-manual/new-recipe.rst b/poky/documentation/dev-manual/new-recipe.rst index ab3e193aaf..39ee9683b0 100644 
--- a/poky/documentation/dev-manual/new-recipe.rst +++ b/poky/documentation/dev-manual/new-recipe.rst @@ -1082,13 +1082,14 @@ build system and package managers, so the resulting packages will not correctly trigger an upgrade. In order to ensure the versions compare properly, the recommended -convention is to set :term:`PV` within the -recipe to "previous_version+current_version". You can use an additional -variable so that you can use the current version elsewhere. Here is an -example:: +convention is to use a tilde (``~``) character as follows:: - REALPV = "0.8.16-rc1" - PV = "0.8.15+${REALPV}" + PV = 0.8.16~rc1 + +This way ``0.8.16~rc1`` sorts before ``0.8.16``. See the +":ref:`contributor-guide/recipe-style-guide:version policy`" section in the +Yocto Project and OpenEmbedded Contributor Guide for more details about +versioning code corresponding to a pre-release or to a specific Git commit. Post-Installation Scripts ========================= diff --git a/poky/documentation/dev-manual/start.rst b/poky/documentation/dev-manual/start.rst index 4881481044..88afa27ad5 100644 --- a/poky/documentation/dev-manual/start.rst +++ b/poky/documentation/dev-manual/start.rst 
@@ -246,14 +246,13 @@ particular working environment and set of practices. - The Yocto Project community encourages you to send patches to the project to fix bugs or add features. If you do submit patches, follow the project commit guidelines for writing good commit - messages. See the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section. + messages. See the ":doc:`../contributor-guide/submit-changes`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - Send changes to the core sooner than later as others are likely to run into the same issues. For some guidance on mailing lists - to use, see the list in the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" + to use, see the lists in the + ":ref:`contributor-guide/submit-changes:finding a suitable mailing list`" section. For a description of the available mailing lists, see the ":ref:`resources-mailinglist`" section in the Yocto Project Reference Manual. diff --git a/poky/documentation/dev-manual/vulnerabilities.rst b/poky/documentation/dev-manual/vulnerabilities.rst index 0ee3ec52c5..ac0ca249c1 100644 --- a/poky/documentation/dev-manual/vulnerabilities.rst +++ b/poky/documentation/dev-manual/vulnerabilities.rst @@ -22,7 +22,7 @@ issues may be impacting Poky and OE-Core. It is up to the maintainers, users, contributors and anyone interested in the issues to investigate and possibly fix them by updating software components to newer versions or by applying patches to address them. It is recommended to work with Poky and OE-Core upstream maintainers and submit -patches to fix them, see ":ref:`dev-manual/changes:submitting a change to the yocto project`" for details. +patches to fix them, see ":doc:`../contributor-guide/submit-changes`" for details. Vulnerability check at build time ================================= diff --git a/poky/documentation/dev-manual/wic.rst b/poky/documentation/dev-manual/wic.rst index 2a4408cdb0..664f07a212 100644 
--- a/poky/documentation/dev-manual/wic.rst +++ b/poky/documentation/dev-manual/wic.rst @@ -92,7 +92,7 @@ system needs to meet the following requirements: - You must build several native tools, which are built to run on the build system:: - $ bitbake parted-native dosfstools-native mtools-native + $ bitbake wic-tools - Include "wic" as part of the :term:`IMAGE_FSTYPES` diff --git a/poky/documentation/index.rst b/poky/documentation/index.rst index 6335c707e0..3fef1704a4 100644 --- a/poky/documentation/index.rst +++ b/poky/documentation/index.rst @@ -26,6 +26,7 @@ Welcome to the Yocto Project Documentation :caption: Manuals Overview and Concepts Manual + Contributor Guide Reference Manual Board Support Package (BSP) Developer's guide Development Tasks Manual diff --git a/poky/documentation/migration-guides/release-4.0.rst b/poky/documentation/migration-guides/release-4.0.rst index 1fc74a0f6d..688ea7ae06 100644 --- a/poky/documentation/migration-guides/release-4.0.rst +++ b/poky/documentation/migration-guides/release-4.0.rst @@ -16,3 +16,6 @@ Release 4.0 (kirkstone) release-notes-4.0.7 release-notes-4.0.8 release-notes-4.0.9 + release-notes-4.0.10 + release-notes-4.0.11 + release-notes-4.0.12 diff --git a/poky/documentation/migration-guides/release-4.2.rst b/poky/documentation/migration-guides/release-4.2.rst index 2757f89274..abeebcb1c8 100644 --- a/poky/documentation/migration-guides/release-4.2.rst +++ b/poky/documentation/migration-guides/release-4.2.rst @@ -8,3 +8,5 @@ Release 4.2 (mickledore) migration-4.2 release-notes-4.2 release-notes-4.2.1 + release-notes-4.2.2 + release-notes-4.2.3 diff --git a/poky/documentation/migration-guides/release-notes-4.0.10.rst b/poky/documentation/migration-guides/release-notes-4.0.10.rst new file mode 100644 index 0000000000..f37c3471ea --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.0.10.rst 
@@ -0,0 +1,180 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.0.10 (Kirkstone) +------------------------------------------ + +Security Fixes in Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- binutils: Fix :cve:`2023-1579`, :cve:`2023-1972`, :cve_mitre:`2023-25584`, :cve_mitre:`2023-25585` and :cve_mitre:`2023-25588` +- cargo : Ignore :cve:`2022-46176` +- connman: Fix :cve:`2023-28488` +- curl: Fix :cve:`2023-27533`, :cve:`2023-27534`, :cve:`2023-27535`, :cve:`2023-27536` and :cve:`2023-27538` +- ffmpeg: Fix :cve:`2022-48434` +- freetype: Fix :cve:`2023-2004` +- ghostscript: Fix :cve_mitre:`2023-29979` +- git: Fix :cve:`2023-25652` and :cve:`2023-29007` +- go: Fix :cve:`2022-41722`, :cve:`2022-41724`, :cve:`2022-41725`, :cve:`2023-24534`, :cve:`2023-24537` and :cve:`2023-24538` +- go: Ignore :cve:`2022-41716` +- libxml2: Fix :cve:`2023-28484` and :cve:`2023-29469` +- libxpm: Fix :cve:`2022-44617`, :cve:`2022-46285` and :cve:`2022-4883` +- linux-yocto: Ignore :cve:`2021-3759`, :cve:`2021-4135`, :cve:`2021-4155`, :cve:`2022-0168`, :cve:`2022-0171`, :cve:`2022-1016`, :cve:`2022-1184`, :cve:`2022-1198`, :cve:`2022-1199`, :cve:`2022-1462`, :cve:`2022-1734`, :cve:`2022-1852`, :cve:`2022-1882`, :cve:`2022-1998`, :cve:`2022-2078`, :cve:`2022-2196`, :cve:`2022-2318`, :cve:`2022-2380`, :cve:`2022-2503`, :cve:`2022-26365`, :cve:`2022-2663`, :cve:`2022-2873`, :cve:`2022-2905`, :cve:`2022-2959`, :cve:`2022-3028`, :cve:`2022-3078`, :cve:`2022-3104`, :cve:`2022-3105`, :cve:`2022-3106`, :cve:`2022-3107`, :cve:`2022-3111`, :cve:`2022-3112`, :cve:`2022-3113`, :cve:`2022-3115`, :cve:`2022-3202`, :cve:`2022-32250`, :cve:`2022-32296`, :cve:`2022-32981`, :cve:`2022-3303`, :cve:`2022-33740`, :cve:`2022-33741`, :cve:`2022-33742`, :cve:`2022-33743`, :cve:`2022-33744`, :cve:`2022-33981`, :cve:`2022-3424`, :cve:`2022-3435`, :cve:`2022-34918`, :cve:`2022-3521`, :cve:`2022-3545`, :cve:`2022-3564`, :cve:`2022-3586`, :cve:`2022-3594`, :cve:`2022-36123`, 
:cve:`2022-3621`, :cve:`2022-3623`, :cve:`2022-3629`, :cve:`2022-3633`, :cve:`2022-3635`, :cve:`2022-3646`, :cve:`2022-3649`, :cve:`2022-36879`, :cve:`2022-36946`, :cve:`2022-3707`, :cve:`2022-39188`, :cve:`2022-39190`, :cve:`2022-39842`, :cve:`2022-40307`, :cve:`2022-40768`, :cve:`2022-4095`, :cve:`2022-41218`, :cve:`2022-4139`, :cve:`2022-41849`, :cve:`2022-41850`, :cve:`2022-41858`, :cve:`2022-42328`, :cve:`2022-42329`, :cve:`2022-42703`, :cve:`2022-42721`, :cve:`2022-42722`, :cve:`2022-42895`, :cve:`2022-4382`, :cve:`2022-4662`, :cve:`2022-47518`, :cve:`2022-47519`, :cve:`2022-47520`, :cve:`2022-47929`, :cve:`2023-0179`, :cve:`2023-0394`, :cve:`2023-0461`, :cve:`2023-0590`, :cve:`2023-1073`, :cve:`2023-1074`, :cve:`2023-1077`, :cve:`2023-1078`, :cve:`2023-1079`, :cve:`2023-1095`, :cve:`2023-1118`, :cve:`2023-1249`, :cve:`2023-1252`, :cve:`2023-1281`, :cve:`2023-1382`, :cve:`2023-1513`, :cve:`2023-1829`, :cve:`2023-1838`, :cve:`2023-1998`, :cve:`2023-2006`, :cve:`2023-2008`, :cve:`2023-2162`, :cve:`2023-2166`, :cve:`2023-2177`, :cve:`2023-22999`, :cve:`2023-23002`, :cve:`2023-23004`, :cve:`2023-23454`, :cve:`2023-23455`, :cve:`2023-23559`, :cve:`2023-25012`, :cve:`2023-26545`, :cve:`2023-28327` and :cve:`2023-28328` +- nasm: Fix :cve:`2022-44370` +- python3-cryptography: Fix :cve:`2023-23931` +- qemu: Ignore :cve:`2023-0664` +- ruby: Fix :cve:`2023-28755` and :cve:`2023-28756` +- screen: Fix :cve:`2023-24626` +- shadow: Fix :cve:`2023-29383` +- tiff: Fix :cve:`2022-4645` +- webkitgtk: Fix :cve:`2022-32888` and :cve:`2022-32923` +- xserver-xorg: Fix :cve:`2023-1393` + + +Fixes in Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~ + +- bitbake: bin/utils: Ensure locale en_US.UTF-8 is available on the system +- build-appliance-image: Update to kirkstone head revision +- cmake: add CMAKE_SYSROOT to generated toolchain file +- glibc: stable 2.35 branch updates. 
+- kernel-devsrc: depend on python3-core instead of python3 +- kernel: improve initramfs bundle processing time +- libarchive: Enable acls, xattr for native as well as target +- libbsd: Add correct license for all packages +- libpam: Fix the xtests/tst-pam_motd[1|3] failures +- libxpm: upgrade to 3.5.15 +- linux-firmware: upgrade to 20230404 +- linux-yocto/5.15: upgrade to v5.15.108 +- migration-guides: add release-notes for 4.0.9 +- oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set +- openssl: Move microblaze to linux-latomic config +- package.bbclass: correct check for /build in copydebugsources() +- poky.conf: bump version for 4.0.10 +- populate_sdk_base: add zip options +- populate_sdk_ext.bbclass: set :term:`METADATA_REVISION` with an :term:`DISTRO` override +- run-postinsts: Set dependency for ldconfig to avoid boot issues +- update-alternatives.bbclass: fix old override syntax +- wic/bootimg-efi: if fixed-size is set then use that for mkdosfs +- wpebackend-fdo: upgrade to 1.14.2 +- xorg-lib-common: Add variable to set tarball type +- xserver-xorg: upgrade to 21.1.8 + + +Known Issues in Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Archana Polampalli +- Arturo Buzarra +- Bruce Ashfield +- Christoph Lauer +- Deepthi Hemraj +- Dmitry Baryshkov +- Frank de Brabander +- Hitendra Prajapati +- Joe Slater +- Kai Kang +- Kyle Russell +- Lee Chee Yang +- Mark Hatle +- Martin Jansa +- Mingli Yu +- Narpat Mali +- Pascal Bach +- Pawan Badganchi +- Peter Bergin +- Peter Marko +- Piotr Łobacz +- Randolph Sapp +- Ranjitsinh Rathod +- Ross Burton +- Shubham Kulkarni +- Siddharth Doshi +- Steve Sakoman +- Sundeep KOKKONDA +- Thomas Roos +- Virendra Thakur +- Vivek Kumbhar +- Wang Mingyu +- Xiangyu Chen +- Yash Shinde +- Yoann Congal +- Yogita Urade +- Zhixiong Chi + + +Repositories / Downloads for Yocto-4.0.10 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository 
Location: :yocto_git:`/poky` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.10 ` +- Git Revision: :yocto_git:`f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f ` +- Release Artefact: poky-f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f +- sha: 8820aeac857ce6bbd1c7ef26cadbb86eca02be93deded253b4a5f07ddd69255d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/poky-f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/poky-f53ab3a2ff206a130cdc843839dd0ea5ec4ad02f.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`kirkstone ` +- Tag: :oe_git:`yocto-4.0.10 ` +- Git Revision: :oe_git:`d2713785f9cd2d58731df877bc8b7bcc71b6c8e6 ` +- Release Artefact: oecore-d2713785f9cd2d58731df877bc8b7bcc71b6c8e6 +- sha: 78e084a1aceaaa6ec022702f29f80eaffade3159e9c42b6b8985c1b7ddd2fbab +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/oecore-d2713785f9cd2d58731df877bc8b7bcc71b6c8e6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/oecore-d2713785f9cd2d58731df877bc8b7bcc71b6c8e6.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.10 ` +- Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 ` +- Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1 +- sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + +meta-gplv2 + +- Repository Location: :yocto_git:`/meta-gplv2` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.10 ` +- Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a ` +- Release 
Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a +- sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.0 ` +- Tag: :oe_git:`yocto-4.0.10 ` +- Git Revision: :oe_git:`0c6f86b60cfba67c20733516957c0a654eb2b44c ` +- Release Artefact: bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c +- sha: 4caa94ee4d644017b0cc51b702e330191677f7d179018cbcec8b1793949ebc74 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.10/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.10 ` +- Git Revision: :yocto_git:`8388be749806bd0bf4fccf1005dae8f643aa4ef4 ` + diff --git a/poky/documentation/migration-guides/release-notes-4.0.11.rst b/poky/documentation/migration-guides/release-notes-4.0.11.rst new file mode 100644 index 0000000000..8a15884908 --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.0.11.rst 
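Review bot: every "Download Locations" entry in this hunk (and in the Yocto-4.0.10 blocks above it) points at plain `http://` URLs for the release tarballs, e.g. `http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.10/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2`. The sha256 lines next to them do give readers a way to verify what they fetched, but since release notes are where people copy the download link from, it would be worth switching these to `https://` (both downloads.yoctoproject.org and mirrors.kernel.org serve TLS) so the sha check is not the only thing standing between a reader and a tampered tarball. Same comment applies to the 4.0.11, 4.0.12 and 4.2.2 files added later in this patch.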
@@ -0,0 +1,214 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.0.11 (Kirkstone) +------------------------------------------ + +Security Fixes in Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- cups: Fix :cve:`2023-32324` +- curl: Fix :cve:`2023-28319`, :cve:`2023-28320`, :cve:`2023-28321` and :cve:`2023-28322` +- git: Ignore :cve:`2023-25815` +- go: Fix :cve:`2023-24539` and :cve:`2023-24540` +- nasm: Fix :cve:`2022-46457` +- openssh: Fix :cve:`2023-28531` +- openssl: Fix :cve:`2023-1255` and :cve:`2023-2650` +- perl: Fix :cve:`2023-31484` +- python3-requests: Fix for :cve:`2023-32681` +- sysstat: Fix :cve:`2023-33204` +- vim: Fix :cve:`2023-2426` +- webkitgtk: fix :cve:`2022-42867`, :cve:`2022-46691`, :cve:`2022-46699` and :cve:`2022-46700` + + +Fixes in Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~ + +- Revert "docs: conf.py: fix cve extlinks caption for sphinx <4.0" +- Revert "ipk: Decode byte data to string in manifest handling" +- avahi: fix D-Bus introspection +- build-appliance-image: Update to kirkstone head revision +- conf.py: add macro for Mitre CVE links +- conf: add nice level to the hash config ignred variables +- cpio: Fix wrong CRC with ASCII CRC for large files +- cve-update-nvd2-native: added the missing http import +- cve-update-nvd2-native: new CVE database fetcher +- dhcpcd: use git instead of tarballs +- e2fsprogs: fix ptest bug for second running +- gcc-runtime: Use static dummy libstdc++ +- glibc: stable 2.35 branch updates (cbceb903c4d7) +- go.bbclass: don't use test to check output from ls +- gstreamer1.0: Upgrade to 1.20.6 +- iso-codes: Upgrade to 4.15.0 +- kernel-devicetree: allow specification of dtb directory +- kernel-devicetree: make shell scripts posix compliant +- kernel-devicetree: recursively search for dtbs +- kernel: don't force PAHOLE=false +- kmscube: Correct :term:`DEPENDS` to avoid overwrite +- lib/terminal.py: Add urxvt terminal +- license.bbclass: Include :term:`LICENSE` in the output when it fails to 
parse +- linux-yocto/5.10: Upgrade to v5.10.180 +- linux-yocto/5.15: Upgrade to v5.15.113 +- llvm: backport a fix for build with gcc-13 +- maintainers.inc: Fix email address typo +- maintainers.inc: Move repo to unassigned +- migration-guides: add release notes for 4.0.10 +- migration-guides: use new cve_mitre macro +- nghttp2: Deleted the entries for -client and -server, and removed a dependency on them from the main package. +- oeqa/selftest/cases/devtool.py: skip all tests require folder a git repo +- openssh: Remove BSD-4-clause contents completely from codebase +- openssl: Upgrade to 3.0.9 +- overview-manual: concepts.rst: Fix a typo +- p11-kit: add native to :term:`BBCLASSEXTEND` +- package: enable recursion on file globs +- package_manager/ipk: fix config path generation in _create_custom_config() +- piglit: Add :term:`PACKAGECONFIG` for glx and opencl +- piglit: Add missing glslang dependencies +- piglit: Fix build time dependency +- poky.conf: bump version for 4.0.11 +- profile-manual: fix blktrace remote usage instructions +- quilt: Fix merge.test race condition +- ref-manual: add clarification for :term:`SRCREV` +- selftest/reproducible: Allow native/cross reuse in test +- staging.bbclass: do not add extend_recipe_sysroot to prefuncs of prepare_recipe_sysroot +- systemd-networkd: backport fix for rm unmanaged wifi +- systemd-systemctl: fix instance template WantedBy symlink construction +- systemd-systemctl: support instance expansion in WantedBy +- uninative: Upgrade to 3.10 to support gcc 13 +- uninative: Upgrade to 4.0 to include latest gcc 13.1.1 +- vim: Upgrade to 9.0.1527 +- waffle: Upgrade to 1.7.2 +- weston: add xwayland to :term:`DEPENDS` for :term:`PACKAGECONFIG` xwayland + + +Known Issues in Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alexander Kanavin +- Andrew Jeffery +- Archana Polampalli +- Bhabu Bindu +- Bruce Ashfield +- C. 
Andy Martin +- Chen Qi +- Daniel Ammann +- Deepthi Hemraj +- Ed Beroset +- Eero Aaltonen +- Enrico Jörns +- Hannu Lounento +- Hitendra Prajapati +- Ian Ray +- Jan Luebbe +- Jan Vermaete +- Khem Raj +- Lee Chee Yang +- Lei Maohui +- Lorenzo Arena +- Marek Vasut +- Marta Rybczynska +- Martin Jansa +- Martin Siegumfeldt +- Michael Halstead +- Michael Opdenacker +- Ming Liu +- Narpat Mali +- Omkar Patil +- Pablo Saavedra +- Pavel Zhukov +- Peter Kjellerstedt +- Peter Marko +- Qiu Tingting +- Quentin Schulz +- Randolph Sapp +- Randy MacLeod +- Ranjitsinh Rathod +- Richard Purdie +- Riyaz Khan +- Sakib Sajal +- Sanjay Chitroda +- Soumya Sambu +- Steve Sakoman +- Thomas Roos +- Tom Hochstein +- Vivek Kumbhar +- Wang Mingyu +- Yogita Urade +- Zoltan Boszormenyi + + +Repositories / Downloads for Yocto-4.0.11 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.11 ` +- Git Revision: :yocto_git:`fc697fe87412b9b179ae3a68d266ace85bb1fcc6 ` +- Release Artefact: poky-fc697fe87412b9b179ae3a68d266ace85bb1fcc6 +- sha: d42ab1b76b9d8ab164d86dc0882c908658f6b5be0742b13a71531068f6a5ee98 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/poky-fc697fe87412b9b179ae3a68d266ace85bb1fcc6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/poky-fc697fe87412b9b179ae3a68d266ace85bb1fcc6.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`kirkstone ` +- Tag: :oe_git:`yocto-4.0.11 ` +- Git Revision: :oe_git:`7949e786cf8e50f716ff1f1c4797136637205e0c ` +- Release Artefact: oecore-7949e786cf8e50f716ff1f1c4797136637205e0c +- sha: 3bda3f7d15961bad5490faf3194709528591a97564b5eae3da7345b63be20334 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/oecore-7949e786cf8e50f716ff1f1c4797136637205e0c.tar.bz2 + 
http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/oecore-7949e786cf8e50f716ff1f1c4797136637205e0c.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.11 ` +- Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 ` +- Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1 +- sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + +meta-gplv2 + +- Repository Location: :yocto_git:`/meta-gplv2` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.11 ` +- Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a ` +- Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a +- sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.0 ` +- Tag: :oe_git:`yocto-4.0.11 ` +- Git Revision: :oe_git:`0c6f86b60cfba67c20733516957c0a654eb2b44c ` +- Release Artefact: bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c +- sha: 4caa94ee4d644017b0cc51b702e330191677f7d179018cbcec8b1793949ebc74 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.11/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.11/bitbake-0c6f86b60cfba67c20733516957c0a654eb2b44c.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: 
:yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.11 ` +- Git Revision: :yocto_git:`6d16d2bde0aa32276a035ee49703e6eea7c7b29a ` + diff --git a/poky/documentation/migration-guides/release-notes-4.0.12.rst b/poky/documentation/migration-guides/release-notes-4.0.12.rst new file mode 100644 index 0000000000..0ea92a453d --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.0.12.rst 
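Review bot: a few entries in the Yocto-4.0.11 "Fixes" list carry typos or grammar slips that are visible in the rendered release notes: "conf: add nice level to the hash config ignred variables" should read "ignored variables", and "oeqa/selftest/cases/devtool.py: skip all tests require folder a git repo" reads better as "skip all tests that require the folder to be a git repo". In the "Security Fixes" list, "python3-requests: Fix for :cve:`2023-32681`" and "webkitgtk: fix :cve:`2022-42867`, ..." break the "<recipe>: Fix :cve:`...`" pattern used by the other lines; suggest "python3-requests: Fix :cve:`2023-32681`" and capitalising "Fix" for webkitgtk so the list stays uniform.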
@@ -0,0 +1,277 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.0.12 (Kirkstone) +------------------------------------------ + +Security Fixes in Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- bind: Fix :cve:`2023-2828` and :cve:`2023-2911` +- cups: Fix :cve:`2023-34241` +- curl: Added :cve:`2023-28320` Follow-up patch +- dbus: Fix :cve:`2023-34969` +- dmidecode: fix :cve:`2023-30630` +- ghostscript: fix :cve:`2023-36664` +- go: fix :cve_mitre:`2023-24531`, :cve:`2023-24536`, :cve:`2023-29400`, :cve:`2023-29402`, :cve:`2023-29404`, :cve:`2023-29405` and :cve:`2023-29406` +- libarchive: Ignore :cve:`2023-30571` +- libcap: Fix :cve:`2023-2602` and :cve:`2023-2603` +- libjpeg-turbo: Fix :cve:`2023-2804` +- libpcre2: Fix :cve:`2022-41409` +- libtiff: fix :cve:`2023-26965` +- libwebp: Fix :cve:`2023-1999` +- libx11: Fix :cve:`2023-3138` +- libxpm: Fix :cve:`2022-44617` +- ninja: Ignore :cve:`2021-4336` +- openssh: Fix :cve:`2023-38408` +- openssl: Fix :cve:`2023-2975`, :cve:`2023-3446` and :cve:`2023-3817` +- perl: Fix :cve:`2023-31486` +- python3: Ignore :cve:`2023-36632` +- qemu: Fix :cve:`2023-0330`, :cve_mitre:`2023-2861`, :cve_mitre:`2023-3255` and :cve_mitre:`2023-3301` +- sqlite3: Fix :cve:`2023-36191` +- tiff: Fix :cve:`2023-0795`, :cve:`2023-0796`, :cve:`2023-0797`, :cve:`2023-0798`, :cve:`2023-0799`, :cve:`2023-25433`, :cve:`2023-25434` and :cve:`2023-25435` +- vim: :cve:`2023-2609` and :cve:`2023-2610` + + +Fixes in Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~ + +- babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature +- babeltrace2: upgrade to 2.0.5 +- bitbake.conf: add unzstd in :term:`HOSTTOOLS` +- bitbake: bitbake-layers: initialize tinfoil before registering command line arguments +- bitbake: runqueue: Fix deferred task/multiconfig race issue +- blktrace: ask for python3 specifically +- build-appliance-image: Update to kirkstone head revision +- cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK +- 
connman: fix warning by specifying runstatedir at configure time +- cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport +- cve-update-nvd2-native: actually use API keys +- cve-update-nvd2-native: always pass str for json.loads() +- cve-update-nvd2-native: fix cvssV3 metrics +- cve-update-nvd2-native: handle all configuration nodes, not just first +- cve-update-nvd2-native: increase retry count +- cve-update-nvd2-native: log a little more +- cve-update-nvd2-native: retry all errors and sleep between retries +- cve-update-nvd2-native: use exact times, don't truncate +- dbus: upgrade to 1.14.8 +- devtool: Fix the wrong variable in srcuri_entry +- diffutils: upgrade to 3.10 +- docs: ref-manual: terms: fix typos in :term:`SPDX` term +- fribidi: upgrade to 1.0.13 +- gcc: upgrade to v11.4 +- gcc-testsuite: Fix ppc cpu specification +- gcc: don't pass --enable-standard-branch-protection +- gcc: fix runpath errors in cc1 binary +- grub: submit determinism.patch upstream +- image_types: Fix reproducible builds for initramfs and UKI img +- kernel: add missing path to search for debug files +- kmod: remove unused ptest.patch +- layer.conf: Add missing dependency exclusion +- libassuan: upgrade to 2.5.6 +- libksba: upgrade to 1.6.4 +- libpng: Add ptest for libpng +- libxcrypt: fix build with perl-5.38 and use master branch +- libxcrypt: fix hard-coded ".so" extension +- libxpm: upgrade to 3.5.16 +- linux-firmware: upgrade to 20230515 +- linux-yocto/5.10: cfg: fix DECNET configuration warning +- linux-yocto/5.10: update to v5.10.185 +- linux-yocto/5.15: cfg: fix DECNET configuration warning +- linux-yocto/5.15: update to v5.15.120 +- logrotate: Do not create logrotate.status file +- lttng-ust: upgrade to 2.13.6 +- machine/arch-arm64: add -mbranch-protection=standard +- maintainers.inc: correct Carlos Rafael Giani's email address +- maintainers.inc: correct unassigned entries +- maintainers.inc: unassign Adrian Bunk from wireless-regdb +- 
maintainers.inc: unassign Alistair Francis from opensbi +- maintainers.inc: unassign Andreas Müller from itstool entry +- maintainers.inc: unassign Pascal Bach from cmake entry +- maintainers.inc: unassign Ricardo Neri from ovmf +- maintainers.inc: unassign Richard Weinberger from erofs-utils entry +- mdadm: fix 07revert-inplace ptest +- mdadm: fix segfaults when running ptests +- mdadm: fix util-linux ptest dependency +- mdadm: skip running known broken ptests +- meson.bbclass: Point to llvm-config from native sysroot +- meta: lib: oe: npm_registry: Add more safe caracters +- migration-guides: add release notes for 4.0.11 +- minicom: remove unused patch files +- mobile-broadband-provider-info: upgrade to 20230416 +- oe-depends-dot: Handle new format for task-depends.dot +- oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case +- oeqa/selftest/bbtests: add non-existent prefile/postfile tests +- oeqa/selftest/devtool: add unit test for "devtool add -b" +- openssl: Upgrade to 3.0.10 +- openssl: add PERLEXTERNAL path to test its existence +- openssl: use a glob on the PERLEXTERNAL to track updates on the path +- package.bbclass: moving field data process before variable process in process_pkgconfig +- pm-utils: fix multilib conflictions +- poky.conf: bump version for 4.0.12 +- psmisc: Set :term:`ALTERNATIVE` for pstree to resolve conflict with busybox +- pybootchartgui: show elapsed time for each task +- python3: fix missing comma in get_module_deps3.py +- python3: upgrade to 3.10.12 +- recipetool: Fix inherit in created -native* recipes +- ref-manual: add LTS and Mixin terms +- ref-manual: document image-specific variant of :term:`INCOMPATIBLE_LICENSE` +- ref-manual: release-process: update for LTS releases +- rust-llvm: backport a fix for build with gcc-13 +- scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes +- scripts/runqemu: split lock dir creation into a reusable function +- sdk.py: error out when 
moving file fails +- sdk.py: fix moving dnf contents +- selftest reproducible.py: support different build targets +- selftest/license: Exclude from world +- selftest/reproducible: Allow chose the package manager +- serf: upgrade to 1.3.10 +- strace: Disable failing test +- strace: Merge two similar patches +- strace: Update patches/tests with upstream fixes +- sysfsutils: fetch a supported fork from github +- systemd-systemctl: fix errors in instance name expansion +- systemd: Backport nspawn: make sure host root can write to the uidmapped mounts we prepare for the container payload +- tzdata: upgrade to 2023c +- uboot-extlinux-config.bbclass: fix old override syntax in comment +- unzip: fix configure check for cross compilation +- useradd-staticids.bbclass: improve error message +- util-linux: add alternative links for ipcs,ipcrm +- v86d: Improve kernel dependency +- vim: upgrade to 9.0.1592 +- wget: upgrade to 1.21.4 +- wic: Add dependencies for erofs-utils +- wireless-regdb: upgrade to 2023.05.03 +- xdpyinfo: upgrade to 1.3.4 +- zip: fix configure check by using _Static_assert + + +Known Issues in Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alberto Planas +- Alexander Kanavin +- Alexander Sverdlin +- Andrej Valek +- Archana Polampalli +- BELOUARGA Mohamed +- Benjamin Bouvier +- Bruce Ashfield +- Charlie Wu +- Chen Qi +- Etienne Cordonnier +- Fabien Mahot +- Frieder Paape +- Frieder Schrempf +- Heiko Thole +- Hitendra Prajapati +- Jermain Horsman +- Jose Quaresma +- Kai Kang +- Khem Raj +- Lee Chee Yang +- Marc Ferland +- Marek Vasut +- Martin Jansa +- Mauro Queiros +- Michael Opdenacker +- Mikko Rapeli +- Nikhil R +- Ovidiu Panait +- Peter Marko +- Poonam Jadhav +- Quentin Schulz +- Richard Purdie +- Ross Burton +- Rusty Howell +- Sakib Sajal +- Soumya Sambu +- Steve Sakoman +- Sundeep KOKKONDA +- Tim Orling +- Tom Hochstein +- Trevor Gamblin +- Vijay Anusuri +- Vivek Kumbhar +- Wang 
Mingyu +- Xiangyu Chen +- Yoann Congal +- Yogita Urade +- Yuta Hayama + + +Repositories / Downloads for Yocto-4.0.12 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.12 ` +- Git Revision: :yocto_git:`d6b8790370500b99ca11f0d8a05c39b661ab2ba6 ` +- Release Artefact: poky-d6b8790370500b99ca11f0d8a05c39b661ab2ba6 +- sha: 35f0390e0c5a12f403ed471c0b1254c13cbb9d7c7b46e5a3538e63e36c1ac280 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/poky-d6b8790370500b99ca11f0d8a05c39b661ab2ba6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/poky-d6b8790370500b99ca11f0d8a05c39b661ab2ba6.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`kirkstone ` +- Tag: :oe_git:`yocto-4.0.12 ` +- Git Revision: :oe_git:`e1a604db8d2cf8782038b4016cc2e2052467333b ` +- Release Artefact: oecore-e1a604db8d2cf8782038b4016cc2e2052467333b +- sha: 8b302eb3f3ffe5643f88bc6e4ae8f9a5cda63544d67e04637ecc4197e9750a1d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/oecore-e1a604db8d2cf8782038b4016cc2e2052467333b.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/oecore-e1a604db8d2cf8782038b4016cc2e2052467333b.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.12 ` +- Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 ` +- Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1 +- sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2 + +meta-gplv2 + +- Repository Location: 
:yocto_git:`/meta-gplv2` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.12 ` +- Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a ` +- Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a +- sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.0 ` +- Tag: :oe_git:`yocto-4.0.12 ` +- Git Revision: :oe_git:`41b6684489d0261753344956042be2cc4adb0159 ` +- Release Artefact: bitbake-41b6684489d0261753344956042be2cc4adb0159 +- sha: efa2b1c4d0be115ed3960750d1e4ed958771b2db6d7baee2d13ad386589376e8 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.12/bitbake-41b6684489d0261753344956042be2cc4adb0159.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.12/bitbake-41b6684489d0261753344956042be2cc4adb0159.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`kirkstone ` +- Tag: :yocto_git:`yocto-4.0.12 ` +- Git Revision: :yocto_git:`4dfef81ac6164764c6541e39a9fef81d49227096 ` + diff --git a/poky/documentation/migration-guides/release-notes-4.2.2.rst b/poky/documentation/migration-guides/release-notes-4.2.2.rst new file mode 100644 index 0000000000..74f2d0e82a --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.2.2.rst 
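Review bot: the entry "vim: :cve:`2023-2609` and :cve:`2023-2610`" in the Yocto-4.0.12 "Security Fixes" list is missing its verb, so a reader cannot tell whether these were fixed or ignored; every other line says "Fix" or "Ignore", so this one should be "vim: Fix :cve:`2023-2609` and :cve:`2023-2610`" if that is what happened. Nearby, "curl: Added :cve:`2023-28320` Follow-up patch" is the only past-tense entry (suggest "curl: Add follow-up patch for :cve:`2023-28320`"). In the "Fixes" list, "meta: lib: oe: npm_registry: Add more safe caracters" should be "characters" and "selftest/reproducible: Allow chose the package manager" should be "Allow choosing the package manager".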
@@ -0,0 +1,330 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.2.2 (Mickledore) +------------------------------------------ + +Security Fixes in Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- binutils: Fix :cve:`2023-1972` +- cups: Fix :cve:`2023-32324` +- curl: Fix :cve:`2023-28319`, :cve:`2023-28320`, :cve:`2023-28321` and :cve:`2023-28322` +- dbus: Fix :cve:`2023-34969` +- git: Fix :cve:`2023-25652` and :cve:`2023-29007` +- git: Ignore :cve:`2023-25815` +- libwebp: Fix :cve:`2023-1999` +- libxml2: Fix :cve:`2023-28484` and :cve:`2023-29469` +- libxpm: Fix :cve:`2022-44617` +- ninja: Ignore :cve:`2021-4336` +- openssl: Fix :cve:`2023-0464`, :cve:`2023-0465`, :cve:`2023-0466`, :cve:`2023-1255` and :cve:`2023-2650` +- perl: Fix :cve:`2023-31484` and :cve:`2023-31486` +- sysstat: Fix :cve:`2023-33204` +- tiff: Fix :cve_mitre:`2023-25434`, :cve:`2023-26965` and :cve:`2023-2731` +- vim: Fix :cve:`2023-2426` + + +Fixes in Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~ + +- apr: Upgrade to 1.7.4 +- avahi: fix D-Bus introspection +- babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature +- babeltrace2: Upgrade to 2.0.5 +- baremetal-helloworld: Update :term:`SRCREV` to fix entry addresses for ARM architectures +- bind: Upgrade to 9.18.15 +- binutils: move packaging of gprofng static lib into common .inc +- binutils: package static libs from gprofng +- binutils: stable 2.40 branch updates (7343182dd1) +- bitbake.conf: add unzstd in :term:`HOSTTOOLS` +- bitbake: runqueue: Fix deferred task/multiconfig race issue +- bno_plot.py, btt_plot.py: Ask for python3 specifically +- build-appliance-image: Update to mickledore head revision +- busybox: Upgrade to 1.36.1 +- cmake.bbclass: do not search host paths for find_program() +- conf: add nice level to the hash config ignred variables +- connman: fix warning by specifying runstatedir at configure time +- cpio: Run ptests under ptest user +- dbus: Upgrade to 1.14.8 +- devtool: Fix the 
wrong variable in srcuri_entry +- dnf: only write the log lock to root for native dnf +- docs: bsp-guide: bsp: fix typo +- dpkg: Upgrade to v1.21.22 +- e2fsprogs: Fix error SRCDIR when using usrmerge :term:`DISTRO_FEATURES` +- e2fsprogs: fix ptest bug for second running +- ell: Upgrade to 0.57 +- expect: Add ptest support +- fribidi: Upgrade to 1.0.13 +- gawk: Upgrade to 5.2.2 +- gcc : upgrade to v12.3 +- gdb: fix crashes when debugging threads with Arm Pointer Authentication enabled +- gdb: Upgrade to 13.2 +- git: Upgrade to 2.39.3 +- glib-networking: use correct error code in ptest +- glibc: Pass linker choice via compiler flags +- glibc: stable 2.37 branch updates. +- gnupg: Upgrade to 2.4.2 +- go.bbclass: don't use test to check output from ls +- go: Upgrade to 1.20.5 +- go: Use -no-pie to build target cgo +- gobject-introspection: remove obsolete :term:`DEPENDS` +- grub: submit determinism.patch upstream +- gstreamer1.0: Upgrade to 1.22.3 +- gtk4: Upgrade to 4.10.4 +- image-live.bbclass: respect :term:`IMAGE_MACHINE_SUFFIX` +- image_types: Fix reproducible builds for initramfs and UKI img +- inetutils: remove unused patch files +- ipk: Revert Decode byte data to string in manifest handling +- iso-codes: Upgrade to 4.15.0 +- kernel: don't force PAHOLE=false +- kmod: remove unused ptest.patch +- kmscube: Correct :term:`DEPENDS` to avoid overwrite +- layer.conf: Add missing dependency exclusion +- lib/terminal.py: Add urxvt terminal +- libbsd: Add correct license for all packages +- libdnf: Upgrade to 0.70.1 +- libgcrypt: Upgrade to 1.10.2 +- libgloss: remove unused patch file +- libmicrohttpd: Upgrade to 0.9.77 +- libmodule-build-perl: Upgrade to 0.4234 +- libx11: remove unused patch and :term:`FILESEXTRAPATHS` +- libx11: Upgrade to 1.8.5 +- libxfixes: Upgrade to v6.0.1 +- libxft: Upgrade to 2.3.8 +- libxi: Upgrade to v1.8.1 +- libxml2: Do not use lld linker when building with tests on rv64 +- libxml2: Upgrade to 2.10.4 +- libxpm: Upgrade to 3.5.16 +- 
linux-firmware: Upgrade to 20230515 +- linux-yocto/5.15: cfg: fix DECNET configuration warning +- linux-yocto/5.15: Upgrade to v5.15.118 +- linux-yocto/6.1: fix intermittent x86 boot hangs +- linux-yocto/6.1: Upgrade to v6.1.35 +- linux-yocto: move build / debug dependencies to .inc +- logrotate: Do not create logrotate.status file +- maintainers.inc: correct Carlos Rafael Giani's email address +- maintainers.inc: correct unassigned entries +- maintainers.inc: unassign Adrian Bunk from wireless-regdb +- maintainers.inc: unassign Alistair Francis from opensbi +- maintainers.inc: unassign Andreas Müller from itstool entry +- maintainers.inc: unassign Chase Qi from libc-test +- maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items +- maintainers.inc: unassign Pascal Bach from cmake entry +- maintainers.inc: unassign Ricardo Neri from ovmf +- maintainers.inc: update version for gcc-source +- maintainers.inc: unassign Richard Weinberger from erofs-utils entry +- meta: depend on autoconf-archive-native, not autoconf-archive +- meta: lib: oe: npm_registry: Add more safe caracters +- migration-guides: add release notes for 4.2.1 +- minicom: remove unused patch files +- mobile-broadband-provider-info: Upgrade to 20230416 +- musl: Correct :term:`SRC_URI` +- oeqa/selftest/bbtests: add non-existent prefile/postfile tests +- oeqa/selftest/cases/devtool.py: skip all tests require folder a git repo +- oeqa: adding selftest-hello and use it to speed up tests +- openssh: Remove BSD-4-clause contents completely from codebase +- openssl: fix building on riscv32 +- openssl: Upgrade to 3.1.1 +- overview-manual: concepts.rst: Fix a typo +- parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so +- perf: Make built-in libtraceevent plugins cohabit with external libtraceevent +- piglit: Add missing glslang dependencies +- piglit: Fix c++11-narrowing warnings in tests +- pkgconf: Upgrade to 1.9.5 +- pm-utils: fix multilib conflictions +- poky.conf: 
bump version for 4.2.2 release +- populate_sdk_base.bbclass: respect :term:`MLPREFIX` for ptest-pkgs's ptest-runner +- profile-manual: fix blktrace remote usage instructions +- psmisc: Set :term:`ALTERNATIVE` for pstree to resolve conflict with busybox +- ptest-runner: Ensure data writes don't race +- ptest-runner: Pull in "runner: Remove threads and mutexes" fix +- ptest-runner: Pull in sync fix to improve log warnings +- python3-bcrypt: Use BFD linker when building tests +- python3-numpy: remove NPY_INLINE, use inline instead +- qemu: a pending patch was submitted and accepted upstream +- qemu: remove unused qemu-7.0.0-glibc-2.36.patch +- qemurunner.py: fix error message about qmp +- qemurunner: avoid leaking server_socket +- ref-manual: add clarification for :term:`SRCREV` +- ref-manual: classes.rst: fix typo +- rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock +- rpcsvc-proto: Upgrade to 1.4.4 +- rpm: drop unused 0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch +- rpm: Upgrade to 4.18.1 +- rpm: write macros under libdir +- runqemu-gen-tapdevs: Refactoring +- runqemu-ifupdown/get-tapdevs: Add support for ip tuntap +- scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes +- scripts/runqemu: split lock dir creation into a reusable function +- scripts: fix buildstats diff/summary hard bound to host python3 +- sdk.py: error out when moving file fails +- sdk.py: fix moving dnf contents +- selftest/license: Exclude from world +- selftest/reproducible: Allow native/cross reuse in test +- serf: Upgrade to 1.3.10 +- staging.bbclass: do not add extend_recipe_sysroot to prefuncs of prepare_recipe_sysroot +- strace: Disable failing test +- strace: Merge two similar patches +- strace: Update patches/tests with upstream fixes +- sysfsutils: fetch a supported fork from github +- systemd-systemctl: support instance expansion in WantedBy +- systemd: Drop a backport +- tiff: Remove unused patch from 
tiff +- uninative: Upgrade to 3.10 to support gcc 13 +- uninative: Upgrade to 4.0 to include latest gcc 13.1.1 +- unzip: fix configure check for cross compilation +- unzip: remove hardcoded LARGE_FILE_SUPPORT +- useradd-example: package typo correction +- useradd-staticids.bbclass: improve error message +- v86d: Improve kernel dependency +- vim: Upgrade to 9.0.1527 +- weston-init: add profile to point users to global socket +- weston-init: add the weston user to the wayland group +- weston-init: add weston user to the render group +- weston-init: fix the mixed indentation +- weston-init: guard against systemd configs +- weston-init: make sure the render group exists +- wget: Upgrade to 1.21.4 +- wireless-regdb: Upgrade to 2023.05.03 +- xdpyinfo: Upgrade to 1.3.4 +- xf86-video-intel: Use the HTTPS protocol to fetch the Git repositories +- xinput: upgrade to v1.6.4 +- xwininfo: upgrade to v1.1.6 +- xz: Upgrade to 5.4.3 +- yocto-bsps: update to v5.15.106 +- zip: fix configure check by using _Static_assert +- zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS + + +Known Issues in Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alberto Planas +- Alejandro Hernandez Samaniego +- Alexander Kanavin +- Andrej Valek +- Andrew Jeffery +- Anuj Mittal +- Archana Polampalli +- BELOUARGA Mohamed +- Bruce Ashfield +- Changqing Li +- Charlie Wu +- Chen Qi +- Chi Xu +- Daniel Ammann +- Deepthi Hemraj +- Denys Dmytriyenko +- Dmitry Baryshkov +- Ed Beroset +- Eero Aaltonen +- Fabien Mahot +- Frieder Paape +- Frieder Schrempf +- Hannu Lounento +- Ian Ray +- Jermain Horsman +- Jörg Sommer +- Kai Kang +- Khem Raj +- Lee Chee Yang +- Lorenzo Arena +- Marc Ferland +- Markus Volk +- Martin Jansa +- Michael Halstead +- Mikko Rapeli +- Mingli Yu +- Natasha Bailey +- Nikhil R +- Pablo Saavedra +- Paul Gortmaker +- Pavel Zhukov +- Peter Kjellerstedt +- Qiu Tingting +- Quentin Schulz +- Randolph Sapp +- Randy MacLeod +- 
Ranjitsinh Rathod +- Richard Purdie +- Riyaz Khan +- Ross Burton +- Sakib Sajal +- Sanjay Chitroda +- Siddharth Doshi +- Soumya Sambu +- Steve Sakoman +- Sudip Mukherjee +- Sundeep KOKKONDA +- Thomas Roos +- Tim Orling +- Tom Hochstein +- Trevor Gamblin +- Ulrich Ölmann +- Wang Mingyu +- Xiangyu Chen + + +Repositories / Downloads for Yocto-4.2.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`mickledore ` +- Tag: :yocto_git:`yocto-4.2.2 ` +- Git Revision: :yocto_git:`6e17b3e644ca15b8b4afd071ccaa6f172a0e681a ` +- Release Artefact: poky-6e17b3e644ca15b8b4afd071ccaa6f172a0e681a +- sha: c0b4dadcf00b97d866dd4cc2f162474da2c3e3289badaa42a978bff1d479af99 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/poky-6e17b3e644ca15b8b4afd071ccaa6f172a0e681a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/poky-6e17b3e644ca15b8b4afd071ccaa6f172a0e681a.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`mickledore ` +- Tag: :oe_git:`yocto-4.2.2 ` +- Git Revision: :oe_git:`3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1 ` +- Release Artefact: oecore-3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1 +- sha: d2fd127f46e626fa4456c193af3dbd25d4b2565db59bc23be69a3b2dd4febed5 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/oecore-3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/oecore-3ef283e02b0b91daf64c3a589e1f6bb68d4f5aa1.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`mickledore ` +- Tag: :yocto_git:`yocto-4.2.2 ` +- Git Revision: :yocto_git:`4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6 ` +- Release Artefact: meta-mingw-4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6 +- sha: fcbae0dedb363477492b86b8f997e06f995793285535b24dc66038845483eeef +- Download Locations: + 
http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/meta-mingw-4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/meta-mingw-4608d0bb7e47c52b8f6e9be259bfb1716fda9fd6.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.4 ` +- Tag: :oe_git:`yocto-4.2.2 ` +- Git Revision: :oe_git:`08033b63ae442c774bd3fce62844eac23e6882d7 ` +- Release Artefact: bitbake-08033b63ae442c774bd3fce62844eac23e6882d7 +- sha: 1d070c133bfb6502ac04befbf082cbfda7582c8b1c48296a788384352e5061fd +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.2/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.2/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`mickledore ` +- Tag: :yocto_git:`yocto-4.2.2 ` +- Git Revision: :yocto_git:`54d849d259a332389beea159d789f8fa92871475 ` + diff --git a/poky/documentation/migration-guides/release-notes-4.2.3.rst b/poky/documentation/migration-guides/release-notes-4.2.3.rst new file mode 100644 index 0000000000..3b568a1c29 --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.2.3.rst 
@@ -0,0 +1,263 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.2.3 (Mickledore) +------------------------------------------ + +Security Fixes in Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- bind: Fix :cve:`2023-2828` and :cve:`2023-2911` +- cups: Fix :cve:`2023-34241` +- dmidecode: Fix :cve:`2023-30630` +- erofs-utils: Fix :cve:`2023-33551` and :cve:`2023-33552` +- ghostscript: Fix :cve:`2023-36664` +- go: Fix :cve_mitre:`2023-24531` +- libarchive: ignore :cve:`2023-30571` +- libjpeg-turbo: Fix :cve:`2023-2804` +- libx11: Fix :cve:`2023-3138` +- ncurses: Fix :cve:`2023-29491` +- openssh: Fix :cve:`2023-38408` +- python3-certifi: Fix :cve:`2023-37920` +- python3-requests: Fix :cve:`2023-32681` +- python3: Ignore :cve:`2023-36632` +- qemu: fix :cve:`2023-0330`, :cve_mitre:`2023-2861`, :cve_mitre:`2023-3255` and :cve_mitre:`2023-3301` +- ruby: Fix :cve:`2023-36617` +- vim: Fix :cve:`2023-2609` and :cve:`2023-2610` +- webkitgtk: Fix :cve:`2023-27932` and :cve:`2023-27954` + + +Fixes in Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~ + +- acpica: Update :term:`SRC_URI` +- automake: fix buildtest patch +- baremetal-helloworld: Fix race condition +- bind: upgrade to v9.18.17 +- binutils: stable 2.40 branch updates +- build-appliance-image: Update to mickledore head revision +- cargo.bbclass: set up cargo environment in common do_compile +- conf.py: add macro for Mitre CVE links +- curl: ensure all ptest failures are caught +- cve-update-nvd2-native: actually use API keys +- cve-update-nvd2-native: fix cvssV3 metrics +- cve-update-nvd2-native: handle all configuration nodes, not just first +- cve-update-nvd2-native: increase retry count +- cve-update-nvd2-native: log a little more +- cve-update-nvd2-native: retry all errors and sleep between retries +- cve-update-nvd2-native: use exact times, don't truncate +- dev-manual: wic.rst: Update native tools build command +- devtool/upgrade: raise an error if extracting source produces more than one directory +- 
diffutils: upgrade to 3.10 +- docs: ref-manual: terms: fix typos in :term:`SPDX` term +- file: fix the way path is written to environment-setup.d +- file: return wrapper to fix builds when file is in buildtools-tarball +- freetype: upgrade to 2.13.1 +- gcc-testsuite: Fix ppc cpu specification +- gcc: don't pass --enable-standard-branch-protection +- glibc-locale: use stricter matching for metapackages' runtime dependencies +- glibc-testsuite: Fix network restrictions causing test failures +- glibc/check-test-wrapper: don't emit warnings from ssh +- go: upgrade to 1.20.6 +- gstreamer1.0: upgrade to 1.22.4 +- ifupdown: install missing directories +- kernel-module-split add systemd modulesloaddir and modprobedir config +- kernel-module-split: install config modules directories only when they are needed +- kernel-module-split: make autoload and probeconf distribution specific +- kernel-module-split: use context manager to open files +- kernel: Fix path comparison in kernel staging dir symlinking +- kernel: config modules directories are handled by kernel-module-split +- kernel: don't fail if Modules.symvers doesn't exist +- libassuan: upgrade to 2.5.6 +- libksba: upgrade to 1.6.4 +- libnss-nis: upgrade to 3.2 +- libproxy: fetch from git +- libwebp: upgrade to 1.3.1 +- libx11: upgrade to 1.8.6 +- libxcrypt: fix hard-coded ".so" extension +- linux-firmware : Add firmware of RTL8822 serie +- linux-firmware: Fix mediatek mt7601u firmware path +- linux-firmware: package firmare for Dragonboard 410c +- linux-firmware: split platform-specific Adreno shaders to separate packages +- linux-firmware: upgrade to 20230625 +- linux-yocto/5.15: update to v5.15.124 +- linux-yocto/6.1: cfg: update ima.cfg to match current meta-integrity +- linux-yocto/6.1: upgrade to v6.1.38 +- ltp: Add kernel loopback module dependency +- ltp: add :term:`RDEPENDS` on findutils +- lttng-ust: upgrade to 2.13.6 +- machine/arch-arm64: add -mbranch-protection=standard +- maintainers.inc: Modify email 
address +- mdadm: add util-linux-blockdev ptest dependency +- mdadm: fix 07revert-inplace ptest +- mdadm: fix segfaults when running ptests +- mdadm: fix util-linux ptest dependency +- mdadm: re-add mdadm-ptest to PTESTS_SLOW +- mdadm: skip running known broken ptests +- meson.bbclass: Point to llvm-config from native sysroot +- migration-guides: add release notes for 4.0.10 +- migration-guides: add release notes for 4.0.11 +- migration-guides: add release notes for 4.2.2 +- oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case +- oeqa/runtime/ltp: Increase ltp test output timeout +- oeqa/selftest/devtool: add unit test for "devtool add -b" +- oeqa/ssh: Further improve process exit handling +- oeqa/target/ssh: Ensure EAGAIN doesn't truncate output +- oeqa/utils/nfs: allow requesting non-udp ports +- openssh: upgrade to 9.3p2 +- openssl: add PERLEXTERNAL path to test its existence +- openssl: use a glob on the PERLEXTERNAL to track updates on the path +- opkg-utils: upgrade to 0.6.2 +- opkg: upgrade to 0.6.2 +- pkgconf: update :term:`SRC_URI` +- poky.conf: bump version for 4.2.3 release +- poky.conf: update :term:`SANITY_TESTED_DISTROS` to match autobuilder +- ptest-runner: Pull in parallel test fixes and output handling +- python3-certifi: upgrade to 2023.7.22 +- python3: fix missing comma in get_module_deps3.py +- recipetool: Fix inherit in created -native* recipes +- ref-manual: LTS releases now supported for 4 years +- ref-manual: document image-specific variant of :term:`INCOMPATIBLE_LICENSE` +- ref-manual: releases.svg: updates +- resulttool/resultutils: allow index generation despite corrupt json +- rootfs-postcommands.bbclass: Revert "add post func remove_unused_dnf_log_lock" +- rootfs: Add debugfs package db file copy and cleanup +- rootfs_rpm: don't depend on opkg-native for update-alternatives +- rpm: Pick debugfs package db files/dirs explicitly +- rust-common.bbclass: move musl-specific linking fix from rust-source.inc +- 
scripts/oe-setup-builddir: copy conf-notes.txt to build dir +- scripts/resulttool: add mention about new detected tests +- selftest/cases/glibc.py: fix the override syntax +- selftest/cases/glibc.py: increase the memory for testing +- selftest/cases/glibc.py: switch to using NFS over TCP +- shadow-sysroot: add license information +- systemd-systemctl: fix errors in instance name expansion +- taglib: upgrade to 1.13.1 +- target/ssh: Ensure exit code set for commands +- tcf-agent: upgrade to 1.8.0 +- testimage/oeqa: Drop testimage_dump_host functionality +- tiff: upgrade to 4.5.1 +- uboot-extlinux-config.bbclass: fix old override syntax in comment +- util-linux: add alternative links for ipcs,ipcrm +- vim: upgrade to 9.0.1592 +- webkitgtk: upgrade to 2.38.6 +- weston: Cleanup and fix x11 and xwayland dependencies + + +Known Issues in Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alejandro Hernandez Samaniego +- Alex Kiernan +- Alexander Kanavin +- Alexis Lothoré +- Andrej Valek +- Anuj Mittal +- Archana Polampalli +- BELOUARGA Mohamed +- Benjamin Bouvier +- Bruce Ashfield +- Changqing Li +- Chen Qi +- Daniel Semkowicz +- Dmitry Baryshkov +- Enrico Scholz +- Etienne Cordonnier +- Joe Slater +- Joel Stanley +- Jose Quaresma +- Julien Stephan +- Kai Kang +- Khem Raj +- Lee Chee Yang +- Marek Vasut +- Mark Hatle +- Michael Halstead +- Michael Opdenacker +- Mingli Yu +- Narpat Mali +- Oleksandr Hnatiuk +- Ovidiu Panait +- Peter Marko +- Quentin Schulz +- Richard Purdie +- Ross Burton +- Sanjana +- Sakib Sajal +- Staffan Rydén +- Steve Sakoman +- Stéphane Veyret +- Sudip Mukherjee +- Thomas Roos +- Tom Hochstein +- Trevor Gamblin +- Wang Mingyu +- Yi Zhao +- Yoann Congal +- Yogita Urade +- Yuta Hayama + + +Repositories / Downloads for Yocto-4.2.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`mickledore ` +- Tag: 
:yocto_git:`yocto-4.2.3 ` +- Git Revision: :yocto_git:`aa63b25cbe25d89ab07ca11ee72c17cab68df8de ` +- Release Artefact: poky-aa63b25cbe25d89ab07ca11ee72c17cab68df8de +- sha: 9e2b40fc25f7984b3227126ec9b8aa68d3747c8821fb7bf8cb635fc143f894c3 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/poky-aa63b25cbe25d89ab07ca11ee72c17cab68df8de.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/poky-aa63b25cbe25d89ab07ca11ee72c17cab68df8de.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`mickledore ` +- Tag: :oe_git:`yocto-4.2.3 ` +- Git Revision: :oe_git:`7e3489c0c5970389c8a239dc7b367bcadf554eb5 ` +- Release Artefact: oecore-7e3489c0c5970389c8a239dc7b367bcadf554eb5 +- sha: 68620aca7c9db6b9a65d9853cacff4e60578f0df39e3e37114e062e1667ba724 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/oecore-7e3489c0c5970389c8a239dc7b367bcadf554eb5.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/oecore-7e3489c0c5970389c8a239dc7b367bcadf554eb5.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`mickledore ` +- Tag: :yocto_git:`yocto-4.2.3 ` +- Git Revision: :yocto_git:`92258028e1b5664a9f832541d5c4f6de0bd05e07 ` +- Release Artefact: meta-mingw-92258028e1b5664a9f832541d5c4f6de0bd05e07 +- sha: ee081460b5dff4fb8dd4869ce5631718dbaaffbede9532b879b854c18f1b3f5d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/meta-mingw-92258028e1b5664a9f832541d5c4f6de0bd05e07.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/meta-mingw-92258028e1b5664a9f832541d5c4f6de0bd05e07.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.4 ` +- Tag: :oe_git:`yocto-4.2.3 ` +- Git Revision: :oe_git:`08033b63ae442c774bd3fce62844eac23e6882d7 ` +- Release Artefact: bitbake-08033b63ae442c774bd3fce62844eac23e6882d7 +- sha: 
1d070c133bfb6502ac04befbf082cbfda7582c8b1c48296a788384352e5061fd +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.2.3/bitbake-08033b63ae442c774bd3fce62844eac23e6882d7.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`mickledore ` +- Tag: :yocto_git:`yocto-4.2.3 ` +- Git Revision: :yocto_git:`8e6752a9e55d16f3713e248b37f9d4d2745a2375 ` + diff --git a/poky/documentation/overview-manual/development-environment.rst b/poky/documentation/overview-manual/development-environment.rst index 6139e7a412..262d5cb203 100644 --- a/poky/documentation/overview-manual/development-environment.rst +++ b/poky/documentation/overview-manual/development-environment.rst @@ -232,8 +232,8 @@ and so forth. For information on finding out who is responsible for (maintains) a particular area of code in the Yocto Project, see the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section of the Yocto Project Development Tasks Manual. + ":doc:`../contributor-guide/identify-component`" + section of the Yocto Project and OpenEmbedded Contributor Guide. The Yocto Project ``poky`` Git repository also has an upstream contribution Git repository named ``poky-contrib``. You can see all the 
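Review bot: in the new release-notes-4.2.3.rst (and likewise in the 4.2.2 notes above it), every "Download Locations" entry is a plain http:// URL, e.g. `http://downloads.yoctoproject.org/releases/yocto/yocto-4.2.3/poky-aa63b25cbe25d89ab07ca11ee72c17cab68df8de.tar.bz2`; the sha listed next to each artefact lets a reader verify integrity after the fact, but pointing at https:// where the mirrors serve TLS would protect the download itself and match the HTTPS move made elsewhere in these notes ("xf86-video-intel: Use the HTTPS protocol to fetch the Git repositories"). A small nit in the same file: "- Sanjana" is the only contributor listed with a single name, so check whether a surname was dropped when the list was assembled.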
@@ -264,8 +264,8 @@ push them into the "contrib" area and subsequently request that the maintainer include them into an upstream branch. This process is called "submitting a patch" or "submitting a change." For information on submitting patches and changes, see the -":ref:`dev-manual/changes:submitting a change to the yocto project`" -section in the Yocto Project Development Tasks Manual. +":doc:`../contributor-guide/submit-changes`" section in the Yocto Project +and OpenEmbedded Contributor Guide. In summary, there is a single point of entry for changes into the development branch of the Git repository, which is controlled by the @@ -328,11 +328,10 @@ Book `__. software on which to develop. The Yocto Project has two scripts named ``create-pull-request`` and ``send-pull-request`` that ship with the release to facilitate this workflow. You can find these scripts in - the ``scripts`` folder of the - :term:`Source Directory`. For information + the ``scripts`` folder of the :term:`Source Directory`. For information on how to use these scripts, see the - ":ref:`dev-manual/changes:using scripts to push a change upstream and request a pull`" - section in the Yocto Project Development Tasks Manual. + ":ref:`contributor-guide/submit-changes:using scripts to push a change upstream and request a pull`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - *Patch Workflow:* This workflow allows you to notify the maintainer through an email that you have a change (or patch) you would like @@ -340,8 +339,8 @@ Book `__. this type of change, you format the patch and then send the email using the Git commands ``git format-patch`` and ``git send-email``. For information on how to use these scripts, see the - ":ref:`dev-manual/changes:submitting a change to the yocto project`" - section in the Yocto Project Development Tasks Manual. + ":doc:`../contributor-guide/submit-changes`" section in the Yocto Project + and OpenEmbedded Contributor Guide. Git === 
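Review bot: in the @@ -340,8 +339,8 @@ hunk of development-environment.rst, the retained context "For information on how to use these scripts, see the" refers back to ``git format-patch`` and ``git send-email``, which are Git commands, not scripts (the "scripts" wording belongs to the ``create-pull-request``/``send-pull-request`` paragraph above it). Since the sentence is being re-pointed at ":doc:`../contributor-guide/submit-changes`" anyway, suggest changing it to "For information on how to use these commands, see the" so the two workflows are not conflated.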
diff --git a/poky/documentation/profile-manual/usage.rst b/poky/documentation/profile-manual/usage.rst index 703ac459a0..6f0b0418e7 100644 --- a/poky/documentation/profile-manual/usage.rst +++ b/poky/documentation/profile-manual/usage.rst @@ -2423,20 +2423,21 @@ tracer writes to, blktrace provides a way to trace without perturbing the traced device at all by providing native support for sending all trace data over the network. -To have blktrace operate in this mode, start blktrace on the target -system being traced with the -l option, along with the device to trace:: +To have blktrace operate in this mode, start blktrace in server mode on the +host system, which is going to store the captured data:: - root@crownbay:~# blktrace -l /dev/sdc + $ blktrace -l server: waiting for connections... -On the host system, use the -h option to connect to the target system, -also passing it the device to trace:: +On the target system that is going to be traced, start blktrace in client +mode with the -h option to connect to the host system, also passing it the +device to trace:: - $ blktrace -d /dev/sdc -h 192.168.1.43 + root@crownbay:~# blktrace -d /dev/sdc -h 192.168.1.43 blktrace: connecting to 192.168.1.43 blktrace: connected! -On the target system, you should see this:: +On the host system, you should see this:: server: connection from 192.168.1.43 @@ -2446,7 +2447,7 @@ In another shell, execute a workload you want to trace. :: Connecting to downloads.yoctoproject.org (140.211.169.59:80) linux-2.6.19.2.tar.b 100% \|*******************************\| 41727k 0:00:00 ETA -When it's done, do a Ctrl-C on the host system to stop the +When it's done, do a Ctrl-C on the target system to stop the trace:: ^C=== sdc === 
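Review bot: in the @@ -2423,20 +2423,21 @@ hunk of usage.rst the roles are swapped correctly, but the example now uses the same address for both ends: the target connects with `root@crownbay:~# blktrace -d /dev/sdc -h 192.168.1.43`, so 192.168.1.43 is the host, yet the host-side output kept from the old text reads `server: connection from 192.168.1.43` (and, in the following hunk, `server: end of run for 192.168.1.43:sdc`), which would be the target's address. Suggest giving the host and the target distinct example addresses (e.g. keep 192.168.1.43 for the host in the `-h` argument and show a different one in the `server:` lines), and, since the host side is now a listener that waits for connections, a sentence noting that `blktrace -l` should only be run on a network where the traced target is expected to connect would help readers who copy the procedure onto shared lab networks.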
@@ -2454,7 +2455,7 @@ trace:: CPU 1: 4109 events, 193 KiB data Total: 11800 events (dropped 0), 554 KiB data -On the target system, you should also see a trace summary for the trace +On the host system, you should also see a trace summary for the trace just ended:: server: end of run for 192.168.1.43:sdc diff --git a/poky/documentation/ref-manual/images.rst b/poky/documentation/ref-manual/images.rst index d3aeb0829f..0f6d6bdb3f 100644 --- a/poky/documentation/ref-manual/images.rst +++ b/poky/documentation/ref-manual/images.rst @@ -14,15 +14,17 @@ image you want. Building an image without GNU General Public License Version 3 (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and the GNU Affero General Public License Version 3 (AGPL-3.0) components - is only supported for minimal and base images. Furthermore, if you - are going to build an image using non-GPLv3 and similarly licensed - components, you must make the following changes in the ``local.conf`` - file before using the BitBake command to build the minimal or base - image: + is only tested for core-image-minimal image. Furthermore, if you would like to + build an image and verify that it does not include GPLv3 and similarly licensed + components, you must make the following changes in the image recipe + file before using the BitBake command to build the image: - #. Comment out the :term:`EXTRA_IMAGE_FEATURES` line + INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*" - #. Set :term:`INCOMPATIBLE_LICENSE` to "GPL-3.0* LGPL-3.0* AGPL-3.0*" + Alternatively, you can adjust ``local.conf`` file, repeating and adjusting the line + for all images where the license restriction must apply: + + INCOMPATIBLE_LICENSE:pn-your-image-name = "GPL-3.0* LGPL-3.0*" From within the ``poky`` Git repository, you can use the following command to display the list of directories within the :term:`Source Directory` 
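Review bot: in the images.rst hunk the prose still promises an image free of "GNU Affero General Public License Version 3 (AGPL-3.0) components", but the example setting was narrowed from `INCOMPATIBLE_LICENSE` "GPL-3.0* LGPL-3.0* AGPL-3.0*" to `INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*"` in both the recipe and the `:pn-your-image-name` variants, so either add `AGPL-3.0*` back to both examples or drop AGPL from the introductory sentence. Two rendering/wording points in the same hunk: the sentences introducing the two assignments end with a single colon ("build the image:" and "must apply:"), so Sphinx will not treat the indented `INCOMPATIBLE_LICENSE` lines as literal blocks; they need the `::` marker used elsewhere in this manual. And "is only tested for core-image-minimal image" / "you can adjust ``local.conf`` file" read better as "is only tested for the ``core-image-minimal`` image" and "you can adjust the ``local.conf`` file".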
diff --git a/poky/documentation/ref-manual/qa-checks.rst b/poky/documentation/ref-manual/qa-checks.rst index 6fdb0fbde9..4a02e7206a 100644 --- a/poky/documentation/ref-manual/qa-checks.rst +++ b/poky/documentation/ref-manual/qa-checks.rst @@ -754,7 +754,7 @@ Errors and Warnings - ``Missing Upstream-Status in patch Please add according to [patch-status-core/patch-status-noncore]`` - The Upstream-Status value is missing in the specified patch file's header. + The ``Upstream-Status`` value is missing in the specified patch file's header. This value is intended to track whether or not the patch has been sent upstream, whether or not it has been merged, etc. @@ -762,13 +762,13 @@ Errors and Warnings recipes in OE-Core) and ``patch-status-noncore`` (for recipes in any other layer). - For more information on setting Upstream-Status see: - https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status - + For more information, see the + ":ref:`contributor-guide/recipe-style-guide:patch upstream status`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - ``Malformed Upstream-Status in patch Please correct according to [patch-status-core/patch-status-noncore]`` - The Upstream-Status value in the specified patch file's header is invalid - + The ``Upstream-Status`` value in the specified patch file's header is invalid - it must be a specific format. See the "Missing Upstream-Status" entry above for more information. diff --git a/poky/documentation/ref-manual/release-process.rst b/poky/documentation/ref-manual/release-process.rst index 2ffbd935c7..81c0cdb36d 100644 --- a/poky/documentation/ref-manual/release-process.rst +++ b/poky/documentation/ref-manual/release-process.rst 
@@ -96,22 +96,21 @@ While stable releases are supported for a duration of seven months, some specific ones are now supported for a longer period by the Yocto Project, and are called Long Term Support (:term:`LTS`) releases. -This started with version 3.1 ("Dunfell"), released in April 2020, that -the project committed to supporting until the next :term:`LTS` release was out. -This next :term:`LTS` release, version 4.0 ("Kirkstone"), was released in May 2022 -and offered with two years of support too. - -However, as an experiment, support for "Dunfell" was extended to four years, until -April 2024, therefore offering more stability to projects and leaving more time -to upgrade to the latest :term:`LTS` release. The project hasn't made any commitment to -extending "Kirkstone" support too, as this will also depend on available funding -for such an effort. - When significant issues are found, :term:`LTS` releases allow to publish fixes not only for the current stable release, but also to the :term:`LTS` releases that are still supported. Older stable releases which have reached their End of Life (EOL) won't receive such updates. +This started with version 3.1 ("Dunfell"), released in April 2020, which +the project initially committed to supporting for two years, but this duration +was later extended to four years. Similarly, the following :term:`LTS` release, +version 4.0 ("Kirkstone"), was released two years later in May 2022 and the +project committed to supporting it for four years too. + +Therefore, a new :term:`LTS` release is made every two years and is supported +for four years. This offers more stability to project users and leaves more +time to upgrade to the following :term:`LTS` release. + See :yocto_wiki:`/Stable_Release_and_LTS` for details about the management of stable and :term:`LTS` releases. diff --git a/poky/documentation/ref-manual/resources.rst b/poky/documentation/ref-manual/resources.rst index d2344e39a0..8c3726e83b 100644 
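Review bot: in the release-process.rst hunk the paragraph beginning "When significant issues are found, :term:`LTS` releases allow to publish fixes" is kept as unchanged context while the text around it is reordered; "allow to publish" is ungrammatical, so since this paragraph is being moved it is a good moment to change it to "make it possible to publish fixes" (or "allow publishing fixes"). The new closing paragraph states a cadence as fact ("a new :term:`LTS` release is made every two years and is supported for four years"); the two releases cited support that, but if the intent is to describe current policy rather than a guarantee, "the project currently makes a new LTS release every two years" would be safer wording for a reference manual.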
--- a/poky/documentation/ref-manual/resources.rst +++ b/poky/documentation/ref-manual/resources.rst @@ -23,8 +23,7 @@ The Yocto Project gladly accepts contributions. You can submit changes to the project either by creating and sending pull requests, or by submitting patches through email. For information on how to do both as well as information on how to identify the maintainer for each area of -code, see the ":ref:`dev-manual/changes:submitting a change to the yocto project`" section in the -Yocto Project Development Tasks Manual. +code, see the :doc:`../contributor-guide/index`. .. _resources-bugtracker: @@ -46,8 +45,8 @@ your expectations). For a general procedure and guidelines on how to use Bugzilla to submit a bug against the Yocto Project, see the following: -- The ":ref:`dev-manual/changes:submitting a defect against the yocto project`" - section in the Yocto Project Development Tasks Manual. +- The ":doc:`../contributor-guide/report-defect`" + section in the Yocto Project and OpenEmbedded Contributor Guide. - The Yocto Project :yocto_wiki:`Bugzilla wiki page ` diff --git a/poky/documentation/ref-manual/svg/releases.svg b/poky/documentation/ref-manual/svg/releases.svg index d41edc1cb0..e7d5c6d502 100644 --- a/poky/documentation/ref-manual/svg/releases.svg +++ b/poky/documentation/ref-manual/svg/releases.svg @@ -2,9 +2,9 @@ + Yocto Project Release Timeline @@ -22,7 +24,30 @@ image/svg+xml + + Yocto Project Release Timeline + + + The Yocto Project + + + + + + + + + + + originx="-289.99936" + originy="325" /> + transform="translate(-289.99936,325.00004)"> + + + + + + + + + Gatesgarth3.2 4.2 + + + Nanbield4.3 + NanbieldScarthgap4.3 + id="tspan10317-2-9-1-4-6-5">4.4 3.3 2023 + Oct.2024 + Oct.2025 Oct.2022 Oct.2021 Oct.2020 Apr.2020 @@ -879,19 +999,51 @@ Apr.2024 + Apr.2025 + Apr.2026 Apr.2021 