1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-18 04:27:08 +00:00

Compare commits

..

37 Commits

Author SHA1 Message Date
Ross Burton 23b572c40e meta-arm-systemready/arm-systemready-linux-distros-fedora: remove
Fedora 39 is very obsolete and has been removed from the Fedora mirrors.

If someone needs this then this commit can be reverted and the recipe
upgraded to the latest Fedora release.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-18 09:46:22 -04:00
Hugo SIMELIERE c4fd56386e optee-os: Fix CVE-2026-33662
Pick patch from [1] as mentioned in OP-TEE os security report in [2].

[1] https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f
[2] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-05-21 06:00:08 -04:00
Hugo SIMELIERE 313a5da55a optee-os: Fix CVE-2026-33317
Pick patches from [1], [2] and [3] as mentioned in Debian report in [4].

[1] https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9
[2] https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900
[3] https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca
[4] https://security-tracker.debian.org/tracker/CVE-2026-33317

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-05-21 06:00:08 -04:00
Ross Burton a81c19915b CI: only run pending-updates on master
This job takes a few minutes and isn't useful unless it's being ran for
master, or is being actively worked on.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-11-05 09:35:03 -05:00
Jon Mason 0f1e7bf92c arm-systemready/ir-acs: Update URL
The github URL where the image was located has gone away on the master
branch.  Update the URL to point to the legacy branch, which should stay
around (according to the documentation).

Fixes: aebe535aa8 ("arm-systemready: Introduce the Arm SystemReady layer")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-09-08 10:00:15 -04:00
Ross Burton 8e0f8af90f arm/fvp-base-a-aem: remove spurious executable stack from one library
There are some objects in the FVP binary that are assembler source and
fail to declare what permissions the stack needs to have, so GCC falls
back to assuming that the final binary needs an executable stack.

glibc 2.41 (as now used in uninative) introduces changes here[1]: whether
to have an executable stack or not when the binary doesn't specify a
need (defaults to executable, but this is a tunable), and any binaries
that are dlopen()ed that require an executable stack will fail.

Thus, some FVPs on some platforms (notable, fvp-base-a-aem on x86-64)
now fail on startup:

  libarmctmodel.so: cannot enable executable stack as shared object requires: Invalid argument

Luckily the solution here is to simply clear the executable bit, as
an executable stack is not actually needed.  Until a new release of the
FVP is made we can fix the binary in our package using execstack.

[1] https://lists.gnu.org/archive/html/info-gnu/2025-01/msg00014.html

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-29 11:00:13 -04:00
Ross Burton f5f8dfb5a8 arm/execstack-native: add new recipe
Add a recipe for the execstack binary from prelink-cross. This tool is
used to manipulate the GNU_STACK segment in ELF binaries, specifically
to control whether the binary requests an executable stack or not.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-29 11:00:13 -04:00
Ross Burton f3640941c6 CI: use canonical git.yoctoproject.org URLs
The canonical repository URLs don't use /git/.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:39 -04:00
Ross Burton b6e214752a arm-system-ready/arm-systemready-ir-acs: add version to download filename
The download filename wasn't versioned so multiple versions would write
to the same file on disk and conflict, causing repeated downloads and
fetch failures.

Add the PV to the filename on disk to resolve this.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:00:12 -04:00
Jose Quaresma 3cadb81ffa bsp: optee-client: cleanup old tee-supplicant
The same tee-supplicant is available in the meta-arm layer
along with the recipe.

| meta-arm/recipes-security/optee/optee-client
| meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
| meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
| meta-arm/recipes-security/optee/optee-client.inc
| meta-arm/recipes-security/optee/optee-client_4.1.0.bb

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-21 08:00:14 -05:00
Romain Naour a8fe9d22ea external-arm-toolchain: rebuild libmvec.so symlink if any
On some architectures (namely Aarch64), glibc may provide a libmvec
library since glibc 2.22, which programs built with gcc OpenMP
support might get linked to.

In order for these programs to work on the target, we need to copy this
library to the target filesystem.

Make sure that libmvec.so symlink is correct with or without usermerge
enabled otherwise libmvec.so symlink is broken.

For more details on libmvec, see
https://sourceware.org/glibc/wiki/libmvec.

(cherry picked from commit de47f836e2)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Romain Naour c22b4f89f7 external-arm-toolchain: override dynamic loader path with usrmerge enabled
usrmerge nowaday required by systemd [1] but it broke
external-arm-toolchain in several ways...

When usrmerge is enabled, /lib is no longer part of SYSROOT_DIRS list
while the prebuilt toolchain expect the dynamic loader to be placed in
/lib not /usr/lib.

There is no /lib directory in the per-package sysroot directory
generated to build each package:

  [...]/build/tmp/sysroots-components/<target>/<package>/
  sysroot-providers/ usr/

But the cross-compiler still generate binaries with dynamic loarder
path set to "/lib/ld-linux-<target>.so*"

  strings sanitycheckc_cross.exe | grep ld
  /lib/ld-linux-aarch64.so.1

A symlink /lib -> /usr/lib is crated in the final rootfs image.

But this broke the meson-qemuwrapper used when "qemu-usermode"
(MACHINE_FEATURES) is available:

See [2]:
  do_write_config:append:class-target() {
       # Write out a qemu wrapper that will be used as exe_wrapper so that meson
       # can run target helper binaries through that.
       qemu_binary="${@qemu_wrapper_cmdline(d, '$STAGING_DIR_HOST', ['$STAGING_DIR_HOST/${libdir}','$STAGING_DIR_HOST/${base_libdir}'])}"

It produce a runtime issue while running a meson sanity check:

  meson-qemuwrapper [...]/build/meson-private/sanitycheckc_cross.exe

  qemu-aarch64: Could not open '/lib/ld-linux-aarch64.so.1': No such file or directory

Note: The binaries build by the Yocto internal toolchain seems be "patched" [3]
to look at /usr/lib instead of /lib.

We use -Wl,--dynamic-linker to make sure that the cross-compiler
generate binaries using the dynamic loader path defined by usrmerge
for all packages build by Yocto.

[1] https://git.openembedded.org/openembedded-core/commit/?id=802e853eeddf16d73db1900546cc5f045d1fb7ed
[2] https://git.openembedded.org/openembedded-core/tree/meta/classes-recipe/meson.bbclass?h=2024-04.3-scarthgap#n130
[3] https://github.com/openembedded/openembedded-core/blob/scarthgap/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch

(cherry picked from commit cb4c0c9a93)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Vasyl Vavrychuk 309d93f9e5 external-arm-toolchain: remove ${base_libdir}/libpthread*.so from FILES:${PN}
When `usrmerge` distro feature is not enabled, then `${base_libdir}`
resolves to `/lib` and `/lib/libpthread*.so` does not match any files.
But, with `usrmerge` distro feature, `${base_libdir}` is `/usr/lib`, so
removed line leads to `/usr/lib/libpthread.so` symlink included in
`${PN}` which causes QA check failure.

(cherry picked from commit 8634bdc2f2)

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Vasyl Vavrychuk a6233bf5fd external-arm-toolchain: in libc.so GNU ld script use base_libdir
`base_libdir` gets replaced with `/lib` or `/usr/lib` depending on
`usrmerge` distro feature.

(cherry picked from commit 4b2cef379f)

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Romain Naour 415215c074 external-arm-toolchain: wrap symlink handling under usrmerge check
Rework the symlink handling when usermerge is enabled.
Indeed, "ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so" create a
dead link with usermerge...

Based on: https://lists.yoctoproject.org/g/meta-arm/message/5765

(cherry picked from commit a6f44bbb80)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: "Parthiban" <parthiban@linumiz.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Vasyl Vavrychuk a7f27d1641 external-arm-toolchain: wrap base_libdir vs libdir manipulations under usrmerge check
With `usrmerge` disto feature `base_libdir` and `libdir` are the same,
so it does not make sense to:

* removing "duplicates" between them
* move files from `base_libdir` to `libdir`

This fixes build error

| mv: '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' and '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' are the same file

in case of `usrmerge` feature enabled.

(cherry picked from commit 98eea62962)

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Romain Naour acbba48ee5 external-arm-toolchain: remove old sed fixup for libc.so
As reported by Vasyl Vavrychuk [1], /${EAT_LIBDIR}/${EAT_TARGET_SYS}
is not present in libc.so in the latest prebuilt toolchains:

ARM32:
  $ cat ./gcc-arm-8.3-2019.03-x86_64-arm-linux-gnueabihf/arm-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

Aarch64:
  $ cat ./gcc-linaro-7.3.1-2018.05-x86_64_aarch64-linux-gnu/aarch64-linux-gnu/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

We can safely remove old sed fixup for libc.so.

[1] https://lists.yoctoproject.org/g/meta-arm/message/5565

(cherry picked from commit 9a0451a959)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Hugues KAMBA MPIANA 7088279c0a arm-bsp/documentation: corstone1000: Add SystemReady IR v2.0 certification
- Add details on SystemReady IR v2.0 certification achievement
- Document additional patch added
- Update release notes with new milestone tag `CORSTONE1000-2024.06-systemready-ir-v2.0`

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-06 07:00:12 -05:00
Ross Burton d67a9b6070 arm-base/linux-yocto: revert interim 6.10 patch for fvp-base
oe-core master now has 6.6.54 which incorporates this patch, so we don't
need to carry it anymore.

This reverts commit 60fd47edd0.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-05 10:42:16 -05:00
Jon Mason 60e31ef2c4 arm/linux-yocto: disable CONFIG_MTD_NAND_FSL_IFC
Linux stable kernel v6.6.44 added commit c22649e217457d732a51112aaa8721a0e79e2c30,
which modifies the depends for the Freescale IFC NAND controller.  See
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.6.y&id=c22649e217457d732a51112aaa8721a0e79e2c30

Because of this change, do_kernel_configcheck is logging an warning
about values not matching.  To address this issue, disable it manually
in a config fragment, but only for the affected machines in meta-arm.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-21 12:00:17 -04:00
Jon Mason 0ce566fb86 arm-bsp/fvp-base: Get 6.10 kernel working
Apply upstream patch to get virtio networking functioning again and
switch to the 6.10 kernel.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-21 12:00:17 -04:00
Ben 218c3bbfea kas: Include unattended openSUSE test
Add unattended installation class to openSUSE target

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-15 12:00:13 -04:00
Ben 62a4a0a71a arm-systemready/oeqa: Add unattended installation testcase
Add test for openSUSE unattended installation

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-15 12:00:13 -04:00
Ben ba9451a818 arm-systemready/linux-distros: Implement unattended openSUSE
Implement unattended installation for openSUSE

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-15 12:00:13 -04:00
Luca Fancellu 950a4afce4 arm/lib: Handle timeout for spawn object on stop()
The current code is waiting 5 seconds to get an EOF on the
console pexpect spawn object, on a particularly slow machine
this timeout was not enough ending up into a TIMEOUT exception.

To solve this, increase the timeout and handle the TIMEOUT exception
by printing an error on the debug console instead of letting the
exception raise up to the stack, force the spawn object close() call
as well, since at this stage we would like the process to terminate
anyway.

Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-23 13:00:14 -04:00
Jon Mason ea21deb5e9 arm-toolchain: remove libmount-mountfd-support when using binary toolchain
util-linux is failing when compiling with:
| configure: error: libmount_mountfd_support selected, but required mount FDs based API not available
Remove this feature when building with the binary toolchain to avoid
this issue.

Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 14:36:14 -04:00
Bence Balogh 1947c00029 arm-bsp/trusted-firmware-m: corstone1000: Fix MPU configuration
The Application Root of Trust and the PSA Root of Trust was not
isolated in TF-M Isolation Level 2 beacuse of the misconfiguration of
the MPU. The added patch fixes this issue.

Fixes: a8f47e9 (arm-bsp/trusted-firmware-m: corstone1000: update to 2.0)
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 17:00:19 -04:00
Harsimran Singh Tungal 313ad2a0e6 arm-bsp,kas: corstone1000: enable External System based on new yml file
Create new yml file "corstone1000-extsys.yml" which adds "corstone1000-extsys" as
new MACHINE_FEATURE.
Based on this, external system components can be enabled or disabled from the
Linux Kernel and U-Boot.

Reason for change:
DT-schema test is failing for the SystemReady-IR v2.0 certification because
device tree binding for remoteproc dts node corresponds to external system has
not been upstreamed in the Linux Kernel yet.
So, it has been decided to make enablement of external system configurable in
order to make Corstone1000 FVP SystemReady-IR v2.0 certifiable.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-30 05:00:25 -04:00
Luca Fancellu 38bce82e42 arm/oeqa: Introduce retry mechanism for fvp_devices run_cmd
Currently the run_cmd, which is a wrapper for self.target.run()
that uses SSH to spawn commands on the target, can fail spuriously
with error 255 and cause the test to fail on slow systems.

In order to address that, introduce a retry mechanism for the call,
that is able to wait some time for the system to settle and retry
the command when the error code from SSH is 255.

Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-01 11:33:42 -04:00
Amr Mohamed ecece16871 kas: Add new yml file for Distros unattended installation
Define “DISTRO_UNATTENDED_INST_TESTS” variable in meta-arm-systemready
independently from meta-arm-auto-solutions. This will allow running
the unattended installation without meta-arm-auto-solutions.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-31 11:00:22 -04:00
Amr Mohamed aa85142b5b arm-systemready/oeqa: Add new test for Fedora unattended installation
The oeqa test responds to the boot loader prompt error message and
waits till the distro installation is finished.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-31 11:00:22 -04:00
Amr Mohamed 54fa370dde arm-systemready/linux-distros: Add kickstart file for Fedora unattended
Add the Fedora kickstart configuration file and define a function to
modify the unpacked ISO image to add the kickstart file inside and
modify the grub.cfg file.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-31 11:00:22 -04:00
Amr Mohamed 79c41bb917 arm-systemready/linux-distros: new inc file for unattended installation
Add a new inc file to unpack and repack the distro ISO image after
adding the kickstart configuration file inside.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-31 11:00:22 -04:00
Amr Mohamed 1b85bbb4ca kas: Update kas configuration for fvp-base.yml file
Change defaults repo refspec in fvp-base.yml file from master to
scarthgap.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-19 10:00:23 -04:00
Ziad Elhanafy 58268ddccb arm/oeqa: Enable pexpect profiling for testcase debugging
This patch enables logging with timestamps for individual pexpect
assertions to ease the debugging of failed tests and the tuning of
timeouts. It measures the execution time of all pexpect calls and logs
the actual duration for each.

Only "callable" pexpect calls are timed (e.g. expect, sendline, but not
before or after).

Signed-off-by: Divin Raj <divin.raj@arm.com>
Signed-off-by: Ziad Elhanafy <ziad.elhanafy@arm.com>
Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-27 10:00:26 -04:00
Ross Burton 29799b787d Revert "CI: temporarily backport the procps fix"
This procps fix has been merged upstream in oe-core aaced482, so we can
remove this patch now.

This reverts commit fef5eafc08.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-20 14:22:59 +01:00
Amr Mohamed a88dd94883 arm-systemready/linux-distros: Add a third Linux distribution installation
Add Fedora distribution version 39.1.5 installation to fulfill
the SystemReady IR.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-17 14:00:29 -04:00
38 changed files with 1600 additions and 209 deletions
+5
View File
@@ -255,6 +255,11 @@ n1sdp:
pending-updates:
extends: .setup
# Only run this job for the default branch (master), or if forced with
# BUILD_FORCE_PENDING_UPDATES.
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $BUILD_FORCE_PENDING_UPDATES != null
artifacts:
paths:
- update-report
@@ -1,79 +0,0 @@
From 42358d889ed652a8c386862f8c65e5fbe7484de2 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Fri, 26 Apr 2024 10:38:28 +0000
Subject: [PATCH] procps: fix build with new glibc but old kernel headers
If you're building procps with a newer glibc (with pidfd_open()) but
older kernel headers (say 4.x, before __NR_pidfd_open) then procps will
fail to build because of a typo in configure.ac.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
.../procps/procps/pidfd.patch | 42 +++++++++++++++++++
meta/recipes-extended/procps/procps_4.0.4.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-extended/procps/procps/pidfd.patch
diff --git a/meta/recipes-extended/procps/procps/pidfd.patch b/meta/recipes-extended/procps/procps/pidfd.patch
new file mode 100644
index 00000000000..f5e8183e547
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/pidfd.patch
@@ -0,0 +1,42 @@
+From c8f625e085b8249cc009e8b19c3a19100217eb35 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Thu, 25 Apr 2024 13:33:15 +0000
+Subject: [PATCH] Fix pidfd_open detection
+
+This check for pidfd_open uses AC_CHECK_FUNC which just runs the specified code, but
+src/pgrep.c checks HAVE_PIDFD_OPEN which will only be defined by AC_CHECK_FUNCS.
+
+Also pidfd_open is defined in sys/pidfd.h so that needs including.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+
+diff --git a/configure.ac b/configure.ac
+index fec27e3f..024731c7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -170,7 +170,7 @@ AC_TRY_COMPILE([#include <errno.h>],
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+
+-AC_CHECK_FUNC([pidfd_open], [enable_pidwait=yes], [
++AC_CHECK_FUNCS([pidfd_open], [enable_pidwait=yes], [
+ AC_MSG_CHECKING([for __NR_pidfd_open])
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE([
+ #include <sys/syscall.h>
+diff --git a/src/pgrep.c b/src/pgrep.c
+index d8e57dff..c5211aec 100644
+--- a/src/pgrep.c
++++ b/src/pgrep.c
+@@ -44,7 +44,9 @@
+
+ #ifdef ENABLE_PIDWAIT
+ #include <sys/epoll.h>
+-#ifndef HAVE_PIDFD_OPEN
++#ifdef HAVE_PIDFD_OPEN
++#include <sys/pidfd.h>
++#else
+ #include <sys/syscall.h>
+ #endif /* !HAVE_PIDFD_OPEN */
+ #endif
diff --git a/meta/recipes-extended/procps/procps_4.0.4.bb b/meta/recipes-extended/procps/procps_4.0.4.bb
index 800384f22f7..ec8c4b0261b 100644
--- a/meta/recipes-extended/procps/procps_4.0.4.bb
+++ b/meta/recipes-extended/procps/procps_4.0.4.bb
@@ -14,6 +14,7 @@ inherit autotools gettext pkgconfig update-alternatives
SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
file://sysctl.conf \
+ file://pidfd.patch \
"
SRCREV = "4ddcef2fd843170c8e2d59a83042978f41037a2b"
--
2.34.1
+1 -5
View File
@@ -17,14 +17,10 @@ repos:
meta-arm-toolchain:
poky:
url: https://git.yoctoproject.org/git/poky
url: https://git.yoctoproject.org/poky
layers:
meta:
meta-poky:
patches:
procps:
path: 0001-procps-fix-build-with-new-glibc-but-old-kernel-heade.patch
repo: meta-arm
env:
BB_LOGCONFIG: ""
+2 -2
View File
@@ -20,9 +20,9 @@ def repo_shortname(url):
.replace('*', '.'))
repositories = (
"https://git.yoctoproject.org/git/poky",
"https://git.yoctoproject.org/poky",
"https://git.openembedded.org/meta-openembedded",
"https://git.yoctoproject.org/git/meta-virtualization",
"https://git.yoctoproject.org/meta-virtualization",
"https://github.com/kraj/meta-clang",
)
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-opensuse
@@ -0,0 +1,11 @@
header:
version: 16
env:
DISTRO_UNATTENDED_INST_TESTS:
# The full testimage run typically takes around 12-24h on fvp-base.
TEST_OVERALL_TIMEOUT: "${@ 24*60*60}"
local_conf_header:
systemready-unattended-inst: |
TESTIMAGE_AUTO = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "1", "", d)}"
+6
View File
@@ -0,0 +1,6 @@
header:
version: 14
local_conf_header:
extsys: |
MACHINE_FEATURES += "corstone1000-extsys"
+1 -1
View File
@@ -14,7 +14,7 @@ machine: fvp-base
defaults:
repos:
refspec: master
refspec: scarthgap
repos:
meta-arm:
@@ -38,6 +38,16 @@ Platform Support
- This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.23_25
https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
SystemReady IR v2.0 Certification Milestone
-------------------------------------------
As of this release, Corstone-1000 has achieved `SystemReady IR v2.0 certification <https://www.arm.com/architecture/system-architectures/systemready-certification-program/ve>`__.
This milestone confirms compliance with the SystemReady IR requirements, ensuring broader compatibility and reliability for deployment.
Applied patch `313ad2a0e600 <https://git.yoctoproject.org/meta-arm/commit/?h=scarthgap&id=313ad2a0e600655d9bfbe53646e356372ff02644>`__ to address compatibility requirements for SystemReady IR v2.0.
This update is included in tag `CORSTONE1000-2024.06-systemready-ir-v2.0 <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06-systemready-ir-v2.0>`__ and builds on the `CORSTONE1000-2024.06` release.
***********************
Release notes - 2023.11
***********************
@@ -180,6 +180,12 @@ then run:
kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml
By default, the external system is disabled. To build the Corstone-1000 image with external system enabled, run:
::
kas build meta-arm/kas/corstone1000-<fvp,mps3>.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-extsys.yml
The initial clean build will be lengthy, given that all host utilities are to
be built as well as the target images. This includes host executables (python,
cmake, etc.) and the required toolchain(s).
@@ -1444,6 +1450,7 @@ The above commands will delete the Platform key (PK) and allow the normal system
Testing the External System
---------------------------
Before testing the external system, please make sure to build the Corstone-1000 image with external system enabled as mentioned in section `Building the software stack`_.
During Linux boot the remoteproc subsystem automatically starts
the external system.
@@ -0,0 +1,88 @@
From 4d3ebb03b89b122af490824ca73287954a35bd07 Mon Sep 17 00:00:00 2001
From: Jamie Fox <jamie.fox@arm.com>
Date: Thu, 22 Aug 2024 16:54:45 +0100
Subject: [PATCH] Platform: corstone1000: Fix isolation L2 memory protection
The whole of the SRAM was configured unprivileged on this platform, so
the memory protection required for isolation level 2 was not present.
This patch changes the S_DATA_START to S_DATA_LIMIT MPU region to be
configured for privileged access only. It also reorders the MPU regions
so that the App RoT sub-region overlapping S_DATA has a higher region
number and so takes priority in the operation of the Armv6-M MPU.
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/30951]
---
.../arm/corstone1000/tfm_hal_isolation.c | 43 +++++++++----------
1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
index 39b19c535..498f14ed2 100644
--- a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
+++ b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
* Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon
* company) or an affiliate of Cypress Semiconductor Corporation. All rights
* reserved.
@@ -99,6 +99,26 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(
return ret;
}
+ /* Set the RAM attributes. It is needed because the first region overlaps the whole
+ * SRAM and it has to be overridden.
+ * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually
+ * and added to the platform_region_defs compile definitions.
+ */
+ base = S_DATA_START;
+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
+ ret = configure_mpu(rnr++, base, limit,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_ONLY);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
+
+ base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE;
+ ret = configure_mpu(rnr++, base, limit,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_ONLY);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
/* RW, ZI and stack as one region */
base = (uint32_t)&REGION_NAME(Image$$, TFM_APP_RW_STACK_START, $$Base);
@@ -133,27 +153,6 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(
#endif
- /* Set the RAM attributes. It is needed because the first region overlaps the whole
- * SRAM and it has to be overridden.
- * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually
- * and added to the platform_region_defs compile definitions.
- */
- base = S_DATA_START;
- limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
- ret = configure_mpu(rnr++, base, limit,
- XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
- if (ret != TFM_HAL_SUCCESS) {
- return ret;
- }
-
- base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
- limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE;
- ret = configure_mpu(rnr++, base, limit,
- XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
- if (ret != TFM_HAL_SUCCESS) {
- return ret;
- }
-
arm_mpu_enable();
#endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */
--
2.25.1
@@ -29,6 +29,7 @@ SRC_URI:append:corstone1000 = " \
file://0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch \
file://0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch \
file://0012-corstone1000-Remove-reset-after-capsule-update.patch \
file://0013-Platform-corstone1000-Fix-isolation-L2-memory-protection.patch \
"
# TF-M ships patches for external dependencies that needs to be applied
@@ -64,6 +64,8 @@ SRC_URI:append = " \
file://0046-Corstone1000-Change-MMCOMM-buffer-location.patch \
file://0047-corstone1000-dts-add-external-system-node.patch \
file://0048-corstone1000-Enable-UEFI-Secure-boot.patch \
${@bb.utils.contains('MACHINE_FEATURES', 'corstone1000-extsys', \
'', 'file://0049-corstone1000-purge-remoteproc-dts-node.patch' , d)} \
"
do_configure:append() {
@@ -0,0 +1,34 @@
From 4e0ab7af882fcf498fd8beb4024ea024e6464cef Mon Sep 17 00:00:00 2001
From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Date: Wed, 14 Aug 2024 14:33:50 +0000
Subject: [PATCH] corstone1000: purge remoteproc DTS node
Purge remoteproc DTS node
This is done to remove the remote proc node from the DTS passed
to Linux from U-Boot because the device tree binding for remoteproc
has not been upstreamed yet. Existence of remoteproc DTS node in Linux
is causing dt-schema test for SystemReady-IR v2.0 certification to fail.
Upstream-Status: Pending
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
---
board/armltd/corstone1000/corstone1000.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c
index ef74dc9032..d474fce1b2 100644
--- a/board/armltd/corstone1000/corstone1000.c
+++ b/board/armltd/corstone1000/corstone1000.c
@@ -30,8 +30,7 @@ DT_NON_COMPLIANT_PURGE_LIST(foo) = {
{ .node_path = "/soc/mhu@1b010000" },
{ .node_path = "/soc/mhu@1b020000" },
{ .node_path = "/soc/mhu@1b030000" },
- { .node_path = "/soc/client" },
- { .node_path = "/soc/extsys@1A010310" },
+ { .node_path = "/soc/remoteproc@1a010310" },
};
#define CORSTONE1000_KERNEL_PARTS 2
--
2.34.1
@@ -0,0 +1 @@
CONFIG_MTD_NAND_FSL_IFC=n
@@ -36,13 +36,21 @@ SRC_URI:append:corstone1000 = " ${@bb.utils.contains('MACHINE_FEATURES', \
'file://corstone1000_kernel_debug.cfg', \
'', \
d)}"
SRC_URI:append:corstone1000 = " \
file://extsys.cfg \
file://0001-remoteproc-Add-Arm-remoteproc-driver.patch \
file://0002-arm64-dts-Add-corstone1000-external-system-device-no.patch \
file://0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch \
"
${@bb.utils.contains( \
'MACHINE_FEATURES', \
'corstone1000-extsys', \
' \
file://extsys.cfg \
file://0001-remoteproc-Add-Arm-remoteproc-driver.patch \
file://0002-arm64-dts-Add-corstone1000-external-system-device-no.patch \
file://0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch \
', \
'', \
d \
) \
} \
"
# Default kernel features not needed for corstone1000
# otherwise the extra kernel modules will increase the rootfs size
@@ -69,6 +77,9 @@ SRC_URI:append:fvp-base = " \
#
COMPATIBLE_MACHINE:juno = "juno"
FILESEXTRAPATHS:prepend:juno := "${ARMBSPFILESPATHS}"
SRC_URI:append:juno = " \
file://no-fsl-ifc-nand.cfg \
"
#
# Musca B1/S2 can't run Linux
@@ -95,6 +106,7 @@ SRC_URI:append:n1sdp = " \
file://enable-realtek-R8169.cfg \
file://enable-usb_conn_gpio.cfg \
file://usb_xhci_pci_renesas.cfg \
file://no-fsl-ifc-nand.cfg \
"
# Since we use the intree defconfig and the preempt-rt turns off some configs
# do_kernel_configcheck will display warnings. So, lets disable it.
@@ -1,46 +0,0 @@
#!/bin/sh
# Source function library
. /etc/init.d/functions
NAME=tee-supplicant
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="OP-TEE Supplicant"
DAEMON=@sbindir@/$NAME
test -f $DAEMON || exit 0
test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
set -e
case $1 in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start $SSD_OPTIONS
echo "${DAEMON##*/}."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop $SSD_OPTIONS
echo "${DAEMON##*/}."
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
;;
status)
status ${DAEMON} || exit $?
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
exit 1
;;
esac
exit 0
@@ -1,10 +0,0 @@
[Unit]
Description=TEE Supplicant on %i
[Service]
User=root
EnvironmentFile=-@sysconfdir@/default/tee-supplicant
ExecStart=@sbindir@/tee-supplicant $OPTARGS
[Install]
WantedBy=basic.target
@@ -0,0 +1,42 @@
from oeqa.runtime.case import OERuntimeTestCase
class SystemReadyOpenSUSEUnattendedTest(OERuntimeTestCase):
def setUp(self):
super().setUp()
self.console = self.target.DEFAULT_CONSOLE
def test_opensuse_unattended(self):
# Turn on the FVP.
self.target.transition('on')
# Timeout value = elapsed time * 2; where elapsed time was collected
# from the elapsed time in the log.do_testimage for each function after
# the build is finished on the development machine.
self.target.expect(self.console,
'Booting `Installation\'',
timeout=(2 * 60))
bb.plain('Installation status: Loading the kernel, initrd and basic drivers...')
self.target.expect(self.console,
'Starting hardware detection...',
timeout=(40 * 60))
bb.plain('Installation status: Starting hardware detection...')
self.target.expect(self.console,
'Loading Installation System',
timeout=(60 * 60))
bb.plain('Installation status: Loading Installation System...')
self.target.expect(self.console,
'Starting Installer',
timeout=(40 * 60))
bb.plain('Installation status: Performing Installation...')
self.target.expect(self.console,
'Finishing Configuration',
timeout=(15 * 60 * 60))
bb.plain('Installation status: Finishing Configuration...')
# Waiting till the installation is finished.
self.target.expect(self.console, r'.*login: ', timeout=(6 * 60 * 60))
bb.plain('Installation status: openSUSE installation finished successfully.')
@@ -48,10 +48,10 @@ TEST_SUITES = "arm_systemready_ir_acs"
PV = "2.0.0"
PV_DATE = "23.03"
FULL_PV = "v${PV_DATE}_${PV}"
ARM_SYSTEMREADY_IR_ACS_BRANCH ?= "main"
IMAGE_FILENAME = "ir-acs-live-image-generic-arm64.wic"
ARM_SYSTEMREADY_IR_ACS_BRANCH ?= "legacy_systemready"
IMAGE_FILENAME = "ir-acs-live-image-generic-arm64-${PV}.wic"
SRC_URI = " \
https://github.com/ARM-software/arm-systemready/raw/${ARM_SYSTEMREADY_IR_ACS_BRANCH}/IR/prebuilt_images/${FULL_PV}/${IMAGE_FILENAME}.xz;name=acs-img \
https://github.com/ARM-software/arm-systemready/raw/${ARM_SYSTEMREADY_IR_ACS_BRANCH}/IR/prebuilt_images/${FULL_PV}/ir-acs-live-image-generic-arm64.wic.xz;name=acs-img;downloadfilename=${IMAGE_FILENAME}.xz \
git://git.gitlab.arm.com/systemready/systemready-ir-template.git;protocol=https;nobranch=1;destsuffix=systemready-ir-template;name=sr-ir-template \
"
SRC_URI[acs-img.sha256sum] = "ea52f84dab44bde97de3e2d2224d883acaae35724dd8e2bdfb125de49040f9b3"
@@ -72,3 +72,18 @@ ISO_TYPE = "DVD"
BUILD_NO = "491.1"
SRC_URI = "https://download.opensuse.org/distribution/leap/${PV}/iso/openSUSE-Leap-${PV}-${ISO_TYPE}-aarch64-Build${BUILD_NO}-Media.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
SRC_URI[sha256sum] = "456cc4f99b044429d8a89bd302c06e9e382d6ac4dc590139a7096ebb54f5357b"
TEST_SUITES = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm_systemready_opensuse_unattended", "", d)}"
ISO_LABEL = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "OEMDRV", "", d)}"
BOOT_CATALOG = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot.catalog", "", d)}"
BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/BOOT/bootaa64.efi", "", d)}"
EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot/aarch64/efi", "", d)}"
modifyiso() {
UNATTENDED_CONF_DIR="${THISDIR}/unattended-boot-conf/openSUSE"
#create installation configuration files, remove grub timeout, setup network
cp "${UNATTENDED_CONF_DIR}/autoinst.xml" ${EXTRACTED_ISO_TEMP_DIR}
sed -i 's/timeout=60/timeout=0/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg"
}
@@ -0,0 +1,45 @@
SUMMARY = "Arm SystemReady Linux distros unattended requirements"
DESCRIPTION = "Arm SystemReady Linux distro unattended configurations \
and ISO image modification"
EXTRACTED_ISO_TEMP_DIR = "${WORKDIR}/extracted_iso_temp_dir"
NEW_ISO_TEMP_DIR = "${WORKDIR}/new_iso_temp_dir"
# oeqa test case must be added to TEST_SUITES to acknowledge that the unattended
# installation was successful.
inherit testimage
python () {
unattended_required_vars = ['ISO_LABEL', 'BOOT_CATALOG', 'BOOT_IMAGE', 'EFI_IMAGE']
for var in unattended_required_vars:
if not d.getVar(var):
raise bb.parse.SkipRecipe(f'{var} variable is not set')
}
unpackiso() {
# Unpack the ISO image
bsdtar -xf ${WORKDIR}/${ISO_IMAGE_NAME}.iso -C ${EXTRACTED_ISO_TEMP_DIR}
chmod -R u+rw ${EXTRACTED_ISO_TEMP_DIR}
}
modifyiso() {
}
repackiso() {
# Repack the ISO image
mkisofs -o ${NEW_ISO_TEMP_DIR}/${ISO_IMAGE_NAME}.iso -U -r -v -T -J -joliet-long -V ${ISO_LABEL} \
-volset ${ISO_LABEL} -A ${ISO_LABEL} -b ${BOOT_IMAGE} -c ${BOOT_CATALOG} -no-emul-boot \
-boot-load-size 4 -boot-info-table -J -R -V ${ISO_LABEL} -eltorito-alt-boot \
-eltorito-boot ${EFI_IMAGE} -no-emul-boot ${EXTRACTED_ISO_TEMP_DIR}
mv -f ${NEW_ISO_TEMP_DIR}/${ISO_IMAGE_NAME}.iso ${WORKDIR}
}
# Write the test data in IMAGE_POSTPROCESS_COMMAND
IMAGE_POSTPROCESS_COMMAND += "write_image_test_data; "
do_unpack[depends] += "cdrtools-native:do_populate_sysroot libarchive-native:do_populate_sysroot"
do_unpack[postfuncs] += "unpackiso modifyiso repackiso"
do_unpack[cleandirs] += "${EXTRACTED_ISO_TEMP_DIR} ${NEW_ISO_TEMP_DIR}"
@@ -2,7 +2,12 @@ SUMMARY = "Arm SystemReady Linux distros installation"
DESCRIPTION = "Arm SystemReady Linux distro CD/DVD images and installation \
target disk image"
IMAGE_CLASSES:remove = "license_image testimage"
DISTRO_UNATTENDED_INST_TESTS ?= "0"
require ${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm-systemready-linux-distros-unattended.inc", "", d)}
IMAGE_CLASSES:remove = "license_image"
IMAGE_CLASSES:remove = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "", "testimage", d)}"
BUILDHISTORY_FEATURES:remove = "image"
INHIBIT_DEFAULT_DEPS = "1"
@@ -15,7 +20,7 @@ do_configure[noexec] = "1"
do_compile[noexec] = "1"
ISO_IMAGE_NAME = "${PN}-${PV}"
IMAGE_LINK_NAME = "${PN}-${PV}-${MACHINE}"
IMAGE_LINK_NAME = "${PN}-${MACHINE}"
ARM_SYSTEMREADY_LINUX_DISTRO_ISO_IMAGE = \
"${DEPLOY_DIR_IMAGE}/${ISO_IMAGE_NAME}.iso"
@@ -44,7 +49,13 @@ python do_image_complete() {
from oe.utils import execute_pre_post_process
post_process_cmds = d.getVar("IMAGE_POSTPROCESS_COMMAND")
execute_pre_post_process(d, post_process_cmds)
if d.getVar('DISTRO_UNATTENDED_INST_TESTS') == "1":
# Ensure an empty rootfs manifest exists (required by testimage)
fname = os.path.join(d.getVar('IMGDEPLOYDIR'), d.getVar('IMAGE_LINK_NAME') + ".manifest")
open(fname, 'w').close()
}
do_image_complete[nostamp] = "1"
addtask image_complete after do_deploy before do_build
@@ -0,0 +1,935 @@
<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
<bootloader t="map">
<global t="map">
<append>splash=silent preempt=full mitigations=auto quiet security=apparmor</append>
<cpu_mitigations>auto</cpu_mitigations>
<gfxmode>auto</gfxmode>
<hiddenmenu>false</hiddenmenu>
<os_prober>true</os_prober>
<secure_boot>true</secure_boot>
<terminal>gfxterm</terminal>
<timeout t="integer">8</timeout>
<update_nvram>true</update_nvram>
</global>
<loader_type>grub2-efi</loader_type>
</bootloader>
<firewall t="map">
<default_zone>public</default_zone>
<enable_firewall t="boolean">true</enable_firewall>
<log_denied_packets>off</log_denied_packets>
<start_firewall t="boolean">true</start_firewall>
<zones t="list">
<zone t="map">
<description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>block</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Block</short>
<target>%%REJECT%%</target>
</zone>
<zone t="map">
<description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>dmz</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>ssh</service>
</services>
<short>DMZ</short>
<target>default</target>
</zone>
<zone t="map">
<description>All network connections are accepted.</description>
<interfaces t="list">
<interface>docker0</interface>
</interfaces>
<masquerade t="boolean">false</masquerade>
<name>docker</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>docker</short>
<target>ACCEPT</target>
</zone>
<zone t="map">
<description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>drop</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Drop</short>
<target>DROP</target>
</zone>
<zone t="map">
<description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">true</masquerade>
<name>external</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>ssh</service>
</services>
<short>External</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>home</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>mdns</service>
<service>samba-client</service>
<service>ssh</service>
</services>
<short>Home</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>internal</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>mdns</service>
<service>samba-client</service>
<service>ssh</service>
</services>
<short>Internal</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list">
<interface>eth0</interface>
</interfaces>
<masquerade t="boolean">false</masquerade>
<name>public</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>ssh</service>
</services>
<short>Public</short>
<target>default</target>
</zone>
<zone t="map">
<description>All network connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>trusted</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Trusted</short>
<target>ACCEPT</target>
</zone>
<zone t="map">
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>work</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>ssh</service>
</services>
<short>Work</short>
<target>default</target>
</zone>
</zones>
</firewall>
<general t="map">
<mode t="map">
<confirm t="boolean">false</confirm>
</mode>
</general>
<groups t="list">
<group t="map">
<gid>100</gid>
<groupname>users</groupname>
<userlist/>
</group>
<group t="map">
<gid>499</gid>
<groupname>messagebus</groupname>
<userlist/>
</group>
<group t="map">
<gid>1</gid>
<groupname>bin</groupname>
<userlist>daemon</userlist>
</group>
<group t="map">
<gid>488</gid>
<groupname>input</groupname>
<userlist/>
</group>
<group t="map">
<gid>495</gid>
<groupname>kmem</groupname>
<userlist/>
</group>
<group t="map">
<gid>493</gid>
<groupname>utmp</groupname>
<userlist/>
</group>
<group t="map">
<gid>62</gid>
<groupname>man</groupname>
<userlist/>
</group>
<group t="map">
<gid>477</gid>
<groupname>polkitd</groupname>
<userlist/>
</group>
<group t="map">
<gid>479</gid>
<groupname>systemd-timesync</groupname>
<userlist/>
</group>
<group t="map">
<gid>2</gid>
<groupname>daemon</groupname>
<userlist/>
</group>
<group t="map">
<gid>480</gid>
<groupname>systemd-network</groupname>
<userlist/>
</group>
<group t="map">
<gid>71</gid>
<groupname>ntadmin</groupname>
<userlist/>
</group>
<group t="map">
<gid>490</gid>
<groupname>dialout</groupname>
<userlist/>
</group>
<group t="map">
<gid>59</gid>
<groupname>maildrop</groupname>
<userlist>postfix</userlist>
</group>
<group t="map">
<gid>478</gid>
<groupname>nscd</groupname>
<userlist/>
</group>
<group t="map">
<gid>51</gid>
<groupname>postfix</groupname>
<userlist/>
</group>
<group t="map">
<gid>485</gid>
<groupname>tape</groupname>
<userlist/>
</group>
<group t="map">
<gid>487</gid>
<groupname>render</groupname>
<userlist/>
</group>
<group t="map">
<gid>476</gid>
<groupname>sshd</groupname>
<userlist/>
</group>
<group t="map">
<gid>491</gid>
<groupname>cdrom</groupname>
<userlist/>
</group>
<group t="map">
<gid>486</gid>
<groupname>sgx</groupname>
<userlist/>
</group>
<group t="map">
<gid>0</gid>
<groupname>root</groupname>
<userlist/>
</group>
<group t="map">
<gid>489</gid>
<groupname>disk</groupname>
<userlist/>
</group>
<group t="map">
<gid>15</gid>
<groupname>shadow</groupname>
<userlist/>
</group>
<group t="map">
<gid>484</gid>
<groupname>video</groupname>
<userlist/>
</group>
<group t="map">
<gid>496</gid>
<groupname>wheel</groupname>
<userlist/>
</group>
<group t="map">
<gid>483</gid>
<groupname>audit</groupname>
<userlist/>
</group>
<group t="map">
<gid>498</gid>
<groupname>mail</groupname>
<userlist>postfix</userlist>
</group>
<group t="map">
<gid>5</gid>
<groupname>tty</groupname>
<userlist/>
</group>
<group t="map">
<gid>65533</gid>
<groupname>nogroup</groupname>
<userlist/>
</group>
<group t="map">
<gid>65534</gid>
<groupname>nobody</groupname>
<userlist/>
</group>
<group t="map">
<gid>497</gid>
<groupname>lp</groupname>
<userlist/>
</group>
<group t="map">
<gid>482</gid>
<groupname>chrony</groupname>
<userlist/>
</group>
<group t="map">
<gid>492</gid>
<groupname>audio</groupname>
<userlist/>
</group>
<group t="map">
<gid>494</gid>
<groupname>lock</groupname>
<userlist/>
</group>
<group t="map">
<gid>36</gid>
<groupname>kvm</groupname>
<userlist/>
</group>
<group t="map">
<gid>42</gid>
<groupname>trusted</groupname>
<userlist/>
</group>
<group t="map">
<gid>481</gid>
<groupname>systemd-journal</groupname>
<userlist/>
</group>
</groups>
<host t="map">
<hosts t="list">
<hosts_entry t="map">
<host_address>127.0.0.1</host_address>
<names t="list">
<name>localhost</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>::1</host_address>
<names t="list">
<name>localhost ipv6-localhost ipv6-loopback</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>fe00::0</host_address>
<names t="list">
<name>ipv6-localnet</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff00::0</host_address>
<names t="list">
<name>ipv6-mcastprefix</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::1</host_address>
<names t="list">
<name>ipv6-allnodes</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::2</host_address>
<names t="list">
<name>ipv6-allrouters</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::3</host_address>
<names t="list">
<name>ipv6-allhosts</name>
</names>
</hosts_entry>
</hosts>
</host>
<language t="map">
<language>en_GB</language>
<languages>en_GB</languages>
</language>
<networking t="map">
<dhcp_options t="map">
<dhclient_client_id/>
<dhclient_hostname_option>AUTO</dhclient_hostname_option>
</dhcp_options>
<dns t="map">
<dhcp_hostname t="boolean">true</dhcp_hostname>
<hostname>localhost</hostname>
<resolv_conf_policy>auto</resolv_conf_policy>
</dns>
<interfaces t="list">
<interface t="map">
<bootproto>dhcp</bootproto>
<name>eth0</name>
<startmode>auto</startmode>
<zone>public</zone>
</interface>
</interfaces>
<ipv6 t="boolean">true</ipv6>
<keep_install_network t="boolean">true</keep_install_network>
<managed t="boolean">false</managed>
<routing t="map">
<ipv4_forward t="boolean">false</ipv4_forward>
<ipv6_forward t="boolean">false</ipv6_forward>
</routing>
</networking>
<ntp-client t="map">
<ntp_policy>auto</ntp_policy>
<ntp_servers t="list"/>
<ntp_sync>systemd</ntp_sync>
</ntp-client>
<partitioning t="list">
<drive t="map">
<device>/dev/vda</device>
<disklabel>gpt</disklabel>
<enable_snapshots t="boolean">false</enable_snapshots>
<partitions t="list">
<partition t="map">
<create t="boolean">true</create>
<filesystem t="symbol">vfat</filesystem>
<format t="boolean">true</format>
<fstopt>utf8</fstopt>
<mount>/boot/efi</mount>
<mountby t="symbol">uuid</mountby>
<partition_id t="integer">259</partition_id>
<partition_nr t="integer">1</partition_nr>
<resize t="boolean">false</resize>
<size>134217728</size>
</partition>
<partition t="map">
<create t="boolean">true</create>
<create_subvolumes t="boolean">true</create_subvolumes>
<filesystem t="symbol">btrfs</filesystem>
<format t="boolean">true</format>
<mount>/</mount>
<mountby t="symbol">uuid</mountby>
<partition_id t="integer">131</partition_id>
<partition_nr t="integer">2</partition_nr>
<quotas t="boolean">false</quotas>
<resize t="boolean">false</resize>
<size>6307167744</size>
<subvolumes t="list">
<subvolume t="map">
<copy_on_write t="boolean">false</copy_on_write>
<path>var</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>usr/local</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>tmp</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>srv</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>root</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>opt</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>home</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>boot/grub2/arm64-efi</path>
</subvolume>
</subvolumes>
<subvolumes_prefix>@</subvolumes_prefix>
</partition>
</partitions>
<type t="symbol">CT_DISK</type>
<use>all</use>
</drive>
</partitioning>
<proxy t="map">
<enabled t="boolean">false</enabled>
</proxy>
<services-manager t="map">
<default_target>multi-user</default_target>
<services t="map">
<enable t="list">
<service>YaST2-Firstboot</service>
<service>YaST2-Second-Stage</service>
<service>apparmor</service>
<service>auditd</service>
<service>klog</service>
<service>chronyd</service>
<service>cron</service>
<service>cups</service>
<service>firewalld</service>
<service>wickedd-auto4</service>
<service>wickedd-dhcp4</service>
<service>wickedd-dhcp6</service>
<service>wickedd-nanny</service>
<service>irqbalance</service>
<service>issue-generator</service>
<service>kbdsettings</service>
<service>wicked</service>
<service>nscd</service>
<service>postfix</service>
<service>purge-kernels</service>
<service>rsyslog</service>
<service>smartd</service>
<service>sshd</service>
<service>systemd-pstore</service>
<service>systemd-remount-fs</service>
</enable>
</services>
</services-manager>
<software t="map">
<install_recommended t="boolean">true</install_recommended>
<instsource/>
<packages t="list">
<package>wicked</package>
<package>shim</package>
<package>os-prober</package>
<package>openssh</package>
<package>openSUSE-release</package>
<package>mokutil</package>
<package>kexec-tools</package>
<package>grub2-arm64-efi</package>
<package>glibc</package>
<package>firewalld</package>
<package>e2fsprogs</package>
<package>dosfstools</package>
<package>chrony</package>
<package>btrfsprogs</package>
<package>autoyast2</package>
</packages>
<patterns t="list">
<pattern>apparmor</pattern>
<pattern>base</pattern>
<pattern>documentation</pattern>
<pattern>enhanced_base</pattern>
<pattern>minimal_base</pattern>
<pattern>sw_management</pattern>
<pattern>yast2_basis</pattern>
</patterns>
<products t="list">
<product>Leap</product>
</products>
</software>
<ssh_import t="map">
<copy_config t="boolean">false</copy_config>
<import t="boolean">false</import>
</ssh_import>
<user_defaults t="map">
<expire/>
<group>100</group>
<home>/home</home>
<inactive>-1</inactive>
<shell>/bin/bash</shell>
<umask>022</umask>
</user_defaults>
<users t="list">
<user t="map">
<authorized_keys t="list"/>
<encrypted t="boolean">true</encrypted>
<fullname>user</fullname>
<gid>100</gid>
<home>/home/user</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max>99999</max>
<min>0</min>
<warn>7</warn>
</password_settings>
<shell>/bin/bash</shell>
<uid>1000</uid>
<user_password>$6$WV8CB/c6j0zhAi5S$4euhbt4alH7WNfaatS9IJgPiiKDJ48d5Ru1zCZCA0N9GiyOPuefN2PAUWlyYeTgqAInpyvPh1frdp4fFVjvEn0</user_password>
<username>user</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for nscd</fullname>
<gid>478</gid>
<home>/run/nscd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>478</uid>
<user_password>!</user_password>
<username>nscd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>systemd Network Management</fullname>
<gid>480</gid>
<home>/</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>480</uid>
<user_password>!*</user_password>
<username>systemd-network</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Daemon</fullname>
<gid>2</gid>
<home>/sbin</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>2</uid>
<user_password>!</user_password>
<username>daemon</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>systemd Time Synchronization</fullname>
<gid>479</gid>
<home>/</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>479</uid>
<user_password>!*</user_password>
<username>systemd-timesync</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>user for rpcbind</fullname>
<gid>65534</gid>
<home>/var/lib/empty</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>475</uid>
<user_password>!</user_password>
<username>rpc</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>SSH daemon</fullname>
<gid>476</gid>
<home>/var/lib/sshd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>476</uid>
<user_password>!</user_password>
<username>sshd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Postfix Daemon</fullname>
<gid>51</gid>
<home>/var/spool/postfix</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>51</uid>
<user_password>!</user_password>
<username>postfix</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>NFS statd daemon</fullname>
<gid>65533</gid>
<home>/var/lib/nfs</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>474</uid>
<user_password>!</user_password>
<username>statd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>bin</fullname>
<gid>1</gid>
<home>/bin</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>1</uid>
<user_password>!</user_password>
<username>bin</username>
</user>
<user t="map">
<authorized_keys t="list"/>
<encrypted t="boolean">true</encrypted>
<fullname>root</fullname>
<gid>0</gid>
<home>/root</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/bin/bash</shell>
<uid>0</uid>
<user_password>$6$zAe5W7gw/kja9aKy$mM.BWtNyjalXrDNig4CUfN3bgfmehUIs8.zvBwWn1XroK104G.rY3lyup3OH8TujieUmgO4J74Df.LktV4A1K1</user_password>
<username>root</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for D-Bus</fullname>
<gid>499</gid>
<home>/run/dbus</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/bin/false</shell>
<uid>499</uid>
<user_password>!</user_password>
<username>messagebus</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Manual pages viewer</fullname>
<gid>62</gid>
<home>/var/lib/empty</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>13</uid>
<user_password>!</user_password>
<username>man</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Printing daemon</fullname>
<gid>497</gid>
<home>/var/spool/lpd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>497</uid>
<user_password>!</user_password>
<username>lp</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for polkitd</fullname>
<gid>477</gid>
<home>/var/lib/polkit</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>477</uid>
<user_password>!</user_password>
<username>polkitd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Chrony Daemon</fullname>
<gid>482</gid>
<home>/var/lib/chrony</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>496</uid>
<user_password>!</user_password>
<username>chrony</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>nobody</fullname>
<gid>65534</gid>
<home>/var/lib/nobody</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/bin/bash</shell>
<uid>65534</uid>
<user_password>!</user_password>
<username>nobody</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Mailer daemon</fullname>
<gid>498</gid>
<home>/var/spool/clientmqueue</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>498</uid>
<user_password>!</user_password>
<username>mail</username>
</user>
</users>
</profile>
@@ -15,6 +15,11 @@ EAT_TARGET_SYS:aarch64 ?= "${@ 'aarch64-none-linux-gnu' if os.path.exists('${EXT
EAT_TARGET_SYS = "${TARGET_SYS}"
TARGET_PREFIX = "${EAT_TARGET_SYS}-"
EXTERNAL_TOOLCHAIN_LIBDIR = "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/usr/lib', '/lib', d)}"
EXTERNAL_TOOLCHAIN_DYN_LINKER_PATH:arm ?= " -Wl,--dynamic-linker=${EXTERNAL_TOOLCHAIN_LIBDIR}/ld-linux-armhf.so.3"
EXTERNAL_TOOLCHAIN_DYN_LINKER_PATH:aarch64 ?= " -Wl,--dynamic-linker=${EXTERNAL_TOOLCHAIN_LIBDIR}/ld-linux-aarch64.so.1"
TARGET_LDFLAGS:append:class-target = "${EXTERNAL_TOOLCHAIN_DYN_LINKER_PATH}"
EAT_LIBDIR:arm = "lib"
EAT_LIBDIR:aarch64 = "lib64"
@@ -0,0 +1 @@
PACKAGECONFIG:remove = "${@bb.utils.contains('TCMODE', 'external-arm', 'libmount-mountfd-support', '' , d)}"
@@ -118,54 +118,80 @@ do_install() {
else
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/lib/${linker_name} ${D}${base_libdir}/
fi
ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so
ln -sf ../../lib/libcrypt.so.1 ${D}${libdir}/libcrypt.so
ln -sf ../../lib/libresolv.so.2 ${D}${libdir}/libresolv.so
ln -sf ../../lib/libnss_hesiod.so.2 ${D}${libdir}/libnss_hesiod.so
ln -sf ../../lib/libutil.so.1 ${D}${libdir}/libutil.so
ln -sf ../../lib/libBrokenLocale.so.1 ${D}${libdir}/libBrokenLocale.so
ln -sf ../../lib/libpthread.so.0 ${D}${libdir}/libpthread.so
ln -sf ../../lib/libthread_db.so.1 ${D}${libdir}/libthread_db.so
ln -sf ../../lib/libanl.so.1 ${D}${libdir}/libanl.so
ln -sf ../../lib/libdl.so.2 ${D}${libdir}/libdl.so
ln -sf ../../lib/libnss_db.so.2 ${D}${libdir}/libnss_db.so
ln -sf ../../lib/libnss_dns.so.2 ${D}${libdir}/libnss_dns.so
ln -sf ../../lib/libnss_files.so.2 ${D}${libdir}/libnss_files.so
ln -sf ../../lib/libnss_compat.so.2 ${D}${libdir}/libnss_compat.so
ln -sf ../../lib/libm.so.6 ${D}${libdir}/libm.so
ln -sf ../../lib/libc_malloc_debug.so.0 ${D}${libdir}/libc_malloc_debug.so
# remove potential .so duplicates from base_libdir
# for all symlinks created above in libdir
rm -f ${D}${base_libdir}/librt.so
rm -f ${D}${base_libdir}/libcrypt.so
rm -f ${D}${base_libdir}/libresolv.so
rm -f ${D}${base_libdir}/libnss_hesiod.so
rm -f ${D}${base_libdir}/libutil.so
rm -f ${D}${base_libdir}/libBrokenLocale.so
rm -f ${D}${base_libdir}/libpthread.so
rm -f ${D}${base_libdir}/libthread_db.so
rm -f ${D}${base_libdir}/libanl.so
rm -f ${D}${base_libdir}/libdl.so
rm -f ${D}${base_libdir}/libnss_db.so
rm -f ${D}${base_libdir}/libnss_dns.so
rm -f ${D}${base_libdir}/libnss_files.so
rm -f ${D}${base_libdir}/libnss_compat.so
rm -f ${D}${base_libdir}/libm.so
# Move these completely to ${libdir} and delete duplicates in ${base_libdir}
for lib in asan hwasan atomic gfortran gomp itm lsan sanitizer stdc++ tsan ubsan; do
if [ -e ${D}${base_libdir}/lib${lib}.spec ] ; then
mv ${D}${base_libdir}/lib${lib}.spec ${D}${libdir}
if ${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', 'false', 'true', d)}; then
ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so
ln -sf ../../lib/libcrypt.so.1 ${D}${libdir}/libcrypt.so
ln -sf ../../lib/libresolv.so.2 ${D}${libdir}/libresolv.so
ln -sf ../../lib/libnss_hesiod.so.2 ${D}${libdir}/libnss_hesiod.so
ln -sf ../../lib/libutil.so.1 ${D}${libdir}/libutil.so
ln -sf ../../lib/libBrokenLocale.so.1 ${D}${libdir}/libBrokenLocale.so
ln -sf ../../lib/libpthread.so.0 ${D}${libdir}/libpthread.so
ln -sf ../../lib/libthread_db.so.1 ${D}${libdir}/libthread_db.so
ln -sf ../../lib/libanl.so.1 ${D}${libdir}/libanl.so
ln -sf ../../lib/libdl.so.2 ${D}${libdir}/libdl.so
ln -sf ../../lib/libnss_db.so.2 ${D}${libdir}/libnss_db.so
ln -sf ../../lib/libnss_dns.so.2 ${D}${libdir}/libnss_dns.so
ln -sf ../../lib/libnss_files.so.2 ${D}${libdir}/libnss_files.so
ln -sf ../../lib/libnss_compat.so.2 ${D}${libdir}/libnss_compat.so
ln -sf ../../lib/libm.so.6 ${D}${libdir}/libm.so
ln -sf ../../lib/libc_malloc_debug.so.0 ${D}${libdir}/libc_malloc_debug.so
if [ -f ${D}${base_libdir}/libmvec.so.1 ]; then
ln -sf ../../lib/libmvec.so.1 ${D}${libdir}/libmvec.so
fi
if [ -e ${D}${base_libdir}/lib${lib}.a ] ; then
mv ${D}${base_libdir}/lib${lib}.a ${D}${libdir}
fi
rm -f ${D}${base_libdir}/lib${lib}*
done
# Clean up duplicate libs that are both in base_libdir and libdir
rm -f ${D}${libdir}/libgcc*
# remove potential .so duplicates from base_libdir
# for all symlinks created above in libdir
rm -f ${D}${base_libdir}/librt.so
rm -f ${D}${base_libdir}/libcrypt.so
rm -f ${D}${base_libdir}/libresolv.so
rm -f ${D}${base_libdir}/libnss_hesiod.so
rm -f ${D}${base_libdir}/libutil.so
rm -f ${D}${base_libdir}/libBrokenLocale.so
rm -f ${D}${base_libdir}/libpthread.so
rm -f ${D}${base_libdir}/libthread_db.so
rm -f ${D}${base_libdir}/libanl.so
rm -f ${D}${base_libdir}/libdl.so
rm -f ${D}${base_libdir}/libnss_db.so
rm -f ${D}${base_libdir}/libnss_dns.so
rm -f ${D}${base_libdir}/libnss_files.so
rm -f ${D}${base_libdir}/libnss_compat.so
rm -f ${D}${base_libdir}/libm.so
rm -f ${D}${base_libdir}/libmvec.so
# Move these completely to ${libdir} and delete duplicates in ${base_libdir}
for lib in asan hwasan atomic gfortran gomp itm lsan sanitizer stdc++ tsan ubsan; do
if [ -e ${D}${base_libdir}/lib${lib}.spec ] ; then
mv ${D}${base_libdir}/lib${lib}.spec ${D}${libdir}
fi
if [ -e ${D}${base_libdir}/lib${lib}.a ] ; then
mv ${D}${base_libdir}/lib${lib}.a ${D}${libdir}
fi
rm -f ${D}${base_libdir}/lib${lib}*
done
# Clean up duplicate libs that are both in base_libdir and libdir
rm -f ${D}${libdir}/libgcc*
else
ln -sf libcrypt.so.1 ${D}${libdir}/libcrypt.so
ln -sf libresolv.so.2 ${D}${libdir}/libresolv.so
ln -sf libnss_hesiod.so.2 ${D}${libdir}/libnss_hesiod.so
ln -sf libutil.so.1 ${D}${libdir}/libutil.so
ln -sf libBrokenLocale.so.1 ${D}${libdir}/libBrokenLocale.so
ln -sf libpthread.so.0 ${D}${libdir}/libpthread.so
ln -sf libthread_db.so.1 ${D}${libdir}/libthread_db.so
ln -sf libanl.so.1 ${D}${libdir}/libanl.so
ln -sf libdl.so.2 ${D}${libdir}/libdl.so
ln -sf libnss_db.so.2 ${D}${libdir}/libnss_db.so
ln -sf libnss_dns.so.2 ${D}${libdir}/libnss_dns.so
ln -sf libnss_files.so.2 ${D}${libdir}/libnss_files.so
ln -sf libnss_compat.so.2 ${D}${libdir}/libnss_compat.so
ln -sf libm.so.6 ${D}${libdir}/libm.so
ln -sf libc_malloc_debug.so.0 ${D}${libdir}/libc_malloc_debug.so
if [ -f ${D}${libdir}/libmvec.so.1 ]; then
ln -sf libmvec.so.1 ${D}${libdir}/libmvec.so
fi
fi
# Besides ld-${EAT_VER_LIBC}.so, other libs can have duplicates like lib*-${EAT_VER_LIBC}.so
# Only remove them if both are regular files and are identical
@@ -205,13 +231,13 @@ do_install() {
rm -rf ${D}${includedir}/rpcsvc/rquota.*
if [ -f ${D}${libdir}/libc.so ];then
sed -i -e "s# /${EAT_LIBDIR}/${EAT_TARGET_SYS}# ../../${EAT_LIBDIR}#g" -e "s# /usr/${EAT_LIBDIR}/# /usr/lib/#g" -e "s# /usr/${EAT_LIBDIR}/${EAT_TARGET_SYS}# .#g" -e "s# /${EAT_LIBDIR}/ld-linux# ../../${EAT_LIBDIR}/ld-linux#g" ${D}${libdir}/libc.so
sed -i -e "s# /usr/${EAT_LIBDIR}/# /usr/lib/#g" -e "s# /${EAT_LIBDIR}/ld-linux# ../../${base_libdir}/ld-linux#g" ${D}${libdir}/libc.so
sed -i -e "s# /${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" ${D}${libdir}/libc.so
sed -i -e "s# /lib# ../../lib#g" -e "s# /usr/lib# .#g" ${D}${libdir}/libc.so
sed -i -e "s# /lib# ../../${base_libdir}#g" -e "s# /usr/lib# .#g" ${D}${libdir}/libc.so
fi
if [ -f ${D}${base_libdir}/libc.so ];then
sed -i -e "s# /${EAT_LIBDIR}/${EAT_TARGET_SYS}# ../../lib#g" -e "s# /usr/${EAT_LIBDIR}/${EAT_TARGET_SYS}# .#g" -e "s# /${EAT_LIBDIR}/# /lib/#g" ${D}${base_libdir}/libc.so
sed -i -e "s# /${EAT_LIBDIR}/# /lib/#g" ${D}${base_libdir}/libc.so
if [ -f ${D}${base_libdir}/libc.so.6 ]; then
sed -i -e "s# /usr/${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" -e "s# /${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" ${D}${base_libdir}/libc.so.6
fi
@@ -527,7 +553,6 @@ FILES:${PN} += "\
${base_libdir}/ld*.so.* \
${base_libdir}/ld-*.so \
${base_libdir}/libpthread*.so.* \
${base_libdir}/libpthread*.so \
${base_libdir}/libpthread-*.so \
${base_libdir}/libresolv*.so.* \
${base_libdir}/libresolv-*.so \
+8 -2
View File
@@ -134,8 +134,14 @@ class FVPRunner:
for console in self._pexpects:
import pexpect
# Ensure pexpect logs all remaining output to the logfile
console.expect(pexpect.EOF, timeout=5.0)
console.close()
try:
console.expect(pexpect.EOF, timeout=30.0)
except pexpect.TIMEOUT:
pexpect_logfile = ""
if console.logfile is not None:
pexpect_logfile = f" ({console.logfile})"
self._logger.debug(f"Unable to get EOF on pexpect spawn obj{pexpect_logfile}.")
console.close(force=True)
if self._fvp_process and self._fvp_process.returncode and \
self._fvp_process.returncode > 0:
+13 -2
View File
@@ -3,6 +3,7 @@ import enum
import pathlib
import pexpect
import os
import time
from oeqa.core.target.ssh import OESSHTarget
from fvp import runner
@@ -127,9 +128,19 @@ class OEFVPTarget(OESSHTarget):
def call_pexpect(terminal, *args, **kwargs):
attr = getattr(self.terminals[terminal], name)
if callable(attr):
return attr(*args, **kwargs)
self.logger.debug(f"Calling {name} on {terminal} : with arguments -> {args} : {kwargs}")
start_time = time.monotonic() # Record the start time
attr = getattr(self.terminals[terminal], name)
result = attr(*args, **kwargs)
end_time = time.monotonic() # Record the end time
elapsed_time = end_time - start_time
self.logger.debug(f"Execution time for result: [ {result} ] - elapsed_time: {elapsed_time} seconds")
else:
return attr
result = attr
return result
return call_pexpect
+15 -2
View File
@@ -1,16 +1,29 @@
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.data import skipIfNotInDataVar
from oeqa.core.decorator.depends import OETestDepends
from time import sleep
class FvpDevicesTest(OERuntimeTestCase):
def run_cmd(self, cmd, check=True):
def run_cmd(self, cmd, check=True, retry=3):
"""
A wrapper around self.target.run, which:
* Fails the test on command failure by default
* Allows the "run" behavior to be overridden in sub-classes
* Has a retry mechanism when SSH returns 255
"""
(status, output) = self.target.run(cmd)
status = 255
# The loop is retrying the self.target.run() which uses SSH only when
# the SSH return code is 255, which might be an issue with
# "Connection refused" because the port isn't open yet
while status == 255 and retry > 0:
(status, output) = self.target.run(cmd)
retry -= 1
# In case the status is 255, delay the next retry to give time to
# the system to settle
if status == 255:
sleep(30)
if status and check:
self.fail("Command '%s' returned non-zero exit "
"status %d:\n%s" % (cmd, status, output))
@@ -0,0 +1,21 @@
SUMMARY = "execstack tool"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
DEPENDS = "binutils-native elfutils-native"
SRC_URI = "git://git.yoctoproject.org/prelink-cross;protocol=https;branch=master"
SRCREV = "ff2561c02ade96c5d4d56ddd4e27ff064840a176"
PV = "1.0+git${SRCPV}"
S = "${WORKDIR}/git"
inherit autotools native
do_compile() {
oe_runmake -C ${B}/src execstack
}
do_install() {
oe_runmake -C ${B}/src install-binPROGRAMS DESTDIR="${D}"
}
@@ -14,3 +14,6 @@ UPSTREAM_VERSION_UNKNOWN = "1"
MODEL_CODE = "FVP_Base_RevC-2xAEMvA"
COMPATIBLE_HOST = "(aarch64|x86_64).*-linux"
require remove-execstack.inc
REMOVE_EXECSTACKS:x86-64 = "${FVPDIR}/models/${FVP_ARCH_DIR}*/libarmctmodel.so"
@@ -0,0 +1,26 @@
# Clear the executable stack flag on named shared libraries. This are typically
# not needed, and glibc 2.41 will refuse to dlopen() a library that expects
# an executable stack.
#
# The stack permissions can be checked with readelf -lW <.so> | grep GNU_STACK.
# RW is read/write, RWE is read/write/execute.
DEPENDS += "execstack-native"
REMOVE_EXECSTACKS ?= ""
do_install:append() {
for SO in ${REMOVE_EXECSTACKS}; do
NAME=$(basename $SO)
SO=${D}$SO
test -f $SO || bbfatal remove-execstack: cannot find $SO
if execstack --query $SO | grep -q ^X; then
bbnote "Stripping executable stack bit on $NAME"
execstack --clear-execstack $SO
else
bbwarn "Executable stack stripping no longer required for $NAME, remove"
fi
done
}
@@ -0,0 +1,51 @@
From fcacaa1f80c601907299b8f9de8b57cc35cd5a68 Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@st.com>
Date: Wed, 21 Jan 2026 13:55:33 +0100
Subject: [PATCH 1/3] ta: pkcs11: check output buffer size on get attribute
value
Check client output buffer input size and update its output
size on PKCS11_CMD_GET_ATTRIBUTE_VALUE command.
CVE: CVE-2026-33317
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9]
Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
ta/pkcs11/src/object.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
index c9a95e1b2..ba3be7a71 100644
--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
@@ -800,6 +800,15 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
goto out;
}
+ /*
+ * We will update the template with relevant data, without resizing it.
+ * Upon completion, it will be copied to client output buffer.
+ */
+ if (out->memref.size < sizeof(*template) + template->attrs_size) {
+ rc = PKCS11_CKR_ARGUMENTS_BAD;
+ goto out;
+ }
+
/* Iterate over attributes and set their values */
/*
* 1. If the specified attribute (i.e., the attribute specified by the
@@ -912,6 +921,7 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
rc = PKCS11_CKR_BUFFER_TOO_SMALL;
/* Move updated template to out buffer */
+ out->memref.size = sizeof(*template) + template->attrs_size;
TEE_MemMove(out->memref.buffer, template, out->memref.size);
DMSG("PKCS11 session %"PRIu32": get attributes %#"PRIx32,
--
2.43.0
@@ -0,0 +1,52 @@
From 7e57efa90820489f123708f8ae5ee13706e8f4ce Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@st.com>
Date: Wed, 21 Jan 2026 13:58:09 +0100
Subject: [PATCH 2/3] ta: pkcs11: check template consistency on get attribute
value
Check client template holds consistent attribute area sizes
value on PKCS11_CMD_GET_ATTRIBUTE_SIZE.
CVE: CVE-2026-33317
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900]
Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
ta/pkcs11/src/object.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
index ba3be7a71..470eeb247 100644
--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
@@ -840,12 +840,23 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
for (; cur < end; cur += len) {
struct pkcs11_attribute_head *cli_ref = (void *)cur;
struct pkcs11_attribute_head cli_head = { };
+ uintptr_t cli_end = 0;
void *data_ptr = NULL;
+ if ((char *)(cli_ref + 1) > end) {
+ rc = PKCS11_CKR_ARGUMENTS_BAD;
+ goto out;
+ }
+
/* Make copy of header so that is aligned properly. */
TEE_MemMove(&cli_head, cli_ref, sizeof(cli_head));
- len = sizeof(*cli_ref) + cli_head.size;
+ if (ADD_OVERFLOW(sizeof(*cli_ref), cli_head.size, &len) ||
+ ADD_OVERFLOW((uintptr_t)cur, len, &cli_end) ||
+ (char *)cli_end > end) {
+ rc = PKCS11_CKR_ARGUMENTS_BAD;
+ goto out;
+ }
/* Treat hidden attributes as missing attributes */
if (attribute_is_hidden(&cli_head)) {
--
2.43.0
@@ -0,0 +1,46 @@
From 75c1a999d6b51520234276b207ceefbd5e18ed02 Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@st.com>
Date: Wed, 21 Jan 2026 14:03:26 +0100
Subject: [PATCH 3/3] ta: pkcs11: fix attribute output size if too small on get
attribute value
Correct the size field output value for attributes fetched with
PKCS11_CMD_GET_ATTRIBUTE_VALUE where a too short buffer was provided.
As per the PKCS#11 specification, in such case, the related attributes
size field should be filled with CK_UNAVAILABLE_INFORMATION and the
function to return an non-true-error code like CKR_BUFFER_TOO_SMALL.
The implementation complied for the return value but was loading the
required attribute data value size instead in CK_UNAVAILABLE_INFORMATION
in the attribute size field.
CVE: CVE-2026-33317
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca]
Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
ta/pkcs11/src/object.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
index 470eeb247..ed2ce2a95 100644
--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
@@ -900,8 +900,11 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
attr_type_invalid = 1;
break;
case PKCS11_CKR_BUFFER_TOO_SMALL:
- if (data_ptr)
+ if (data_ptr) {
+ cli_head.size =
+ PKCS11_CK_UNAVAILABLE_INFORMATION;
buffer_too_small = 1;
+ }
break;
default:
rc = PKCS11_CKR_GENERAL_ERROR;
--
2.43.0
@@ -0,0 +1,40 @@
From 2fdf0aa10bd23c0e4633efa087a27ff07f79015f Mon Sep 17 00:00:00 2001
From: Jens Wiklander <jens.wiklander@linaro.org>
Date: Thu, 22 Jan 2026 14:19:36 +0100
Subject: [PATCH] core: crypto_api: fix underflow in emsa_pkcs1_v1_5_encode()
Guard against an integer underflow in emsa_pkcs1_v1_5_encode() that can
occur when calculating the padding field in the EMA-PKCS1-v1_5 encoding.
CVE: CVE-2026-33662
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f]
Fixes: f5a70e3efb80 ("drivers: crypto: generic resources for crypto device driver - RSA")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
core/drivers/crypto/crypto_api/acipher/rsassa.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/core/drivers/crypto/crypto_api/acipher/rsassa.c b/core/drivers/crypto/crypto_api/acipher/rsassa.c
index 0f71b84cc..01f8d7dc9 100644
--- a/core/drivers/crypto/crypto_api/acipher/rsassa.c
+++ b/core/drivers/crypto/crypto_api/acipher/rsassa.c
@@ -45,9 +45,10 @@ static TEE_Result emsa_pkcs1_v1_5_encode(struct drvcrypt_rsa_ssa *ssa_data,
* Calculate the PS size
* EM Size (modulus size) - 3 bytes - DigestInfo DER format size
*/
- ps_size = ssa_data->key.n_size - 3;
- ps_size -= ssa_data->digest_size;
- ps_size -= 10 + hash_oid->asn1_length;
+ if (SUB_OVERFLOW(ssa_data->key.n_size, 3, &ps_size) ||
+ SUB_OVERFLOW(ps_size, ssa_data->digest_size, &ps_size) ||
+ SUB_OVERFLOW(ps_size, 10 + hash_oid->asn1_length, &ps_size))
+ return TEE_ERROR_BAD_PARAMETERS;
CRYPTO_TRACE("PS size = %zu (n %zu)", ps_size, ssa_data->key.n_size);
--
2.43.0
@@ -7,4 +7,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRCREV = "18b424c23aa5a798dfe2e4d20b4bde3919dc4e99"
SRC_URI += " \
file://0003-optee-enable-clang-support.patch \
file://CVE-2026-33317-1.patch \
file://CVE-2026-33317-2.patch \
file://CVE-2026-33317-3.patch \
file://CVE-2026-33662.patch \
"