1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-18 16:37:08 +00:00

Compare commits

...

24 Commits

Author SHA1 Message Date
Ross Burton 23b572c40e meta-arm-systemready/arm-systemready-linux-distros-fedora: remove
Fedora 39 is very obsolete and has been removed from the Fedora mirrors.

If someone needs this then this commit can be reverted and the recipe
upgraded to the latest Fedora release.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-18 09:46:22 -04:00
Hugo SIMELIERE c4fd56386e optee-os: Fix CVE-2026-33662
Pick patch from [1] as mentioned in OP-TEE os security report in [2].

[1] https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f
[2] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-05-21 06:00:08 -04:00
Hugo SIMELIERE 313a5da55a optee-os: Fix CVE-2026-33317
Pick patches from [1], [2] and [3] as mentioned in Debian report in [4].

[1] https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9
[2] https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900
[3] https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca
[4] https://security-tracker.debian.org/tracker/CVE-2026-33317

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-05-21 06:00:08 -04:00
Ross Burton a81c19915b CI: only run pending-updates on master
This job takes a few minutes and isn't useful unless it's being ran for
master, or is being actively worked on.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-11-05 09:35:03 -05:00
Jon Mason 0f1e7bf92c arm-systemready/ir-acs: Update URL
The github URL where the image was located has gone away on the master
branch.  Update the URL to point to the legacy branch, which should stay
around (according to the documentation).

Fixes: aebe535aa8 ("arm-systemready: Introduce the Arm SystemReady layer")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-09-08 10:00:15 -04:00
Ross Burton 8e0f8af90f arm/fvp-base-a-aem: remove spurious executable stack from one library
There are some objects in the FVP binary that are assembler source and
fail to declare what permissions the stack needs to have, so GCC falls
back to assuming that the final binary needs an executable stack.

glibc 2.41 (as now used in uninative) introduces changes here[1]: whether
to have an executable stack or not when the binary doesn't specify a
need (defaults to executable, but this is a tunable), and any binaries
that are dlopen()ed that require an executable stack will fail.

Thus, some FVPs on some platforms (notable, fvp-base-a-aem on x86-64)
now fail on startup:

  libarmctmodel.so: cannot enable executable stack as shared object requires: Invalid argument

Luckily the solution here is to simply clear the executable bit, as
an executable stack is not actually needed.  Until a new release of the
FVP is made we can fix the binary in our package using execstack.

[1] https://lists.gnu.org/archive/html/info-gnu/2025-01/msg00014.html

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-29 11:00:13 -04:00
Ross Burton f5f8dfb5a8 arm/execstack-native: add new recipe
Add a recipe for the execstack binary from prelink-cross. This tool is
used to manipulate the GNU_STACK segment in ELF binaries, specifically
to control whether the binary requests an executable stack or not.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-29 11:00:13 -04:00
Ross Burton f3640941c6 CI: use canonical git.yoctoproject.org URLs
The canonical repository URLs don't use /git/.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:39 -04:00
Ross Burton b6e214752a arm-system-ready/arm-systemready-ir-acs: add version to download filename
The download filename wasn't versioned so multiple versions would write
to the same file on disk and conflict, causing repeated downloads and
fetch failures.

Add the PV to the filename on disk to resolve this.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:00:12 -04:00
Jose Quaresma 3cadb81ffa bsp: optee-client: cleanup old tee-supplicant
The same tee-supplicant is available in the meta-arm layer
along with the recipe.

| meta-arm/recipes-security/optee/optee-client
| meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
| meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
| meta-arm/recipes-security/optee/optee-client.inc
| meta-arm/recipes-security/optee/optee-client_4.1.0.bb

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-21 08:00:14 -05:00
Romain Naour a8fe9d22ea external-arm-toolchain: rebuild libmvec.so symlink if any
On some architectures (namely Aarch64), glibc may provide a libmvec
library since glibc 2.22, which programs built with gcc OpenMP
support might get linked to.

In order for these programs to work on the target, we need to copy this
library to the target filesystem.

Make sure that libmvec.so symlink is correct with or without usermerge
enabled otherwise libmvec.so symlink is broken.

For more details on libmvec, see
https://sourceware.org/glibc/wiki/libmvec.

(cherry picked from commit de47f836e2)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Romain Naour c22b4f89f7 external-arm-toolchain: override dynamic loader path with usrmerge enabled
usrmerge nowaday required by systemd [1] but it broke
external-arm-toolchain in several ways...

When usrmerge is enabled, /lib is no longer part of SYSROOT_DIRS list
while the prebuilt toolchain expect the dynamic loader to be placed in
/lib not /usr/lib.

There is no /lib directory in the per-package sysroot directory
generated to build each package:

  [...]/build/tmp/sysroots-components/<target>/<package>/
  sysroot-providers/ usr/

But the cross-compiler still generate binaries with dynamic loarder
path set to "/lib/ld-linux-<target>.so*"

  strings sanitycheckc_cross.exe | grep ld
  /lib/ld-linux-aarch64.so.1

A symlink /lib -> /usr/lib is crated in the final rootfs image.

But this broke the meson-qemuwrapper used when "qemu-usermode"
(MACHINE_FEATURES) is available:

See [2]:
  do_write_config:append:class-target() {
       # Write out a qemu wrapper that will be used as exe_wrapper so that meson
       # can run target helper binaries through that.
       qemu_binary="${@qemu_wrapper_cmdline(d, '$STAGING_DIR_HOST', ['$STAGING_DIR_HOST/${libdir}','$STAGING_DIR_HOST/${base_libdir}'])}"

It produce a runtime issue while running a meson sanity check:

  meson-qemuwrapper [...]/build/meson-private/sanitycheckc_cross.exe

  qemu-aarch64: Could not open '/lib/ld-linux-aarch64.so.1': No such file or directory

Note: The binaries build by the Yocto internal toolchain seems be "patched" [3]
to look at /usr/lib instead of /lib.

We use -Wl,--dynamic-linker to make sure that the cross-compiler
generate binaries using the dynamic loader path defined by usrmerge
for all packages build by Yocto.

[1] https://git.openembedded.org/openembedded-core/commit/?id=802e853eeddf16d73db1900546cc5f045d1fb7ed
[2] https://git.openembedded.org/openembedded-core/tree/meta/classes-recipe/meson.bbclass?h=2024-04.3-scarthgap#n130
[3] https://github.com/openembedded/openembedded-core/blob/scarthgap/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch

(cherry picked from commit cb4c0c9a93)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Vasyl Vavrychuk 309d93f9e5 external-arm-toolchain: remove ${base_libdir}/libpthread*.so from FILES:${PN}
When `usrmerge` distro feature is not enabled, then `${base_libdir}`
resolves to `/lib` and `/lib/libpthread*.so` does not match any files.
But, with `usrmerge` distro feature, `${base_libdir}` is `/usr/lib`, so
removed line leads to `/usr/lib/libpthread.so` symlink included in
`${PN}` which causes QA check failure.

(cherry picked from commit 8634bdc2f2)

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Vasyl Vavrychuk a6233bf5fd external-arm-toolchain: in libc.so GNU ld script use base_libdir
`base_libdir` gets replaced with `/lib` or `/usr/lib` depending on
`usrmerge` distro feature.

(cherry picked from commit 4b2cef379f)

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Romain Naour 415215c074 external-arm-toolchain: wrap symlink handling under usrmerge check
Rework the symlink handling when usermerge is enabled.
Indeed, "ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so" create a
dead link with usermerge...

Based on: https://lists.yoctoproject.org/g/meta-arm/message/5765

(cherry picked from commit a6f44bbb80)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: "Parthiban" <parthiban@linumiz.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Vasyl Vavrychuk a7f27d1641 external-arm-toolchain: wrap base_libdir vs libdir manipulations under usrmerge check
With `usrmerge` disto feature `base_libdir` and `libdir` are the same,
so it does not make sense to:

* removing "duplicates" between them
* move files from `base_libdir` to `libdir`

This fixes build error

| mv: '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' and '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' are the same file

in case of `usrmerge` feature enabled.

(cherry picked from commit 98eea62962)

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Romain Naour acbba48ee5 external-arm-toolchain: remove old sed fixup for libc.so
As reported by Vasyl Vavrychuk [1], /${EAT_LIBDIR}/${EAT_TARGET_SYS}
is not present in libc.so in the latest prebuilt toolchains:

ARM32:
  $ cat ./gcc-arm-8.3-2019.03-x86_64-arm-linux-gnueabihf/arm-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

Aarch64:
  $ cat ./gcc-linaro-7.3.1-2018.05-x86_64_aarch64-linux-gnu/aarch64-linux-gnu/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

We can safely remove old sed fixup for libc.so.

[1] https://lists.yoctoproject.org/g/meta-arm/message/5565

(cherry picked from commit 9a0451a959)

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-06 06:00:11 -05:00
Hugues KAMBA MPIANA 7088279c0a arm-bsp/documentation: corstone1000: Add SystemReady IR v2.0 certification
- Add details on SystemReady IR v2.0 certification achievement
- Document additional patch added
- Update release notes with new milestone tag `CORSTONE1000-2024.06-systemready-ir-v2.0`

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-06 07:00:12 -05:00
Ross Burton d67a9b6070 arm-base/linux-yocto: revert interim 6.10 patch for fvp-base
oe-core master now has 6.6.54 which incorporates this patch, so we don't
need to carry it anymore.

This reverts commit 60fd47edd0.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-05 10:42:16 -05:00
Jon Mason 60e31ef2c4 arm/linux-yocto: disable CONFIG_MTD_NAND_FSL_IFC
Linux stable kernel v6.6.44 added commit c22649e217457d732a51112aaa8721a0e79e2c30,
which modifies the depends for the Freescale IFC NAND controller.  See
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.6.y&id=c22649e217457d732a51112aaa8721a0e79e2c30

Because of this change, do_kernel_configcheck is logging an warning
about values not matching.  To address this issue, disable it manually
in a config fragment, but only for the affected machines in meta-arm.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-21 12:00:17 -04:00
Jon Mason 0ce566fb86 arm-bsp/fvp-base: Get 6.10 kernel working
Apply upstream patch to get virtio networking functioning again and
switch to the 6.10 kernel.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-21 12:00:17 -04:00
Ben 218c3bbfea kas: Include unattended openSUSE test
Add unattended installation class to openSUSE target

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-15 12:00:13 -04:00
Ben 62a4a0a71a arm-systemready/oeqa: Add unattended installation testcase
Add test for openSUSE unattended installation

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-15 12:00:13 -04:00
Ben ba9451a818 arm-systemready/linux-distros: Implement unattended openSUSE
Implement unattended installation for openSUSE

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-15 12:00:13 -04:00
28 changed files with 1341 additions and 317 deletions
+5
View File
@@ -255,6 +255,11 @@ n1sdp:
pending-updates:
extends: .setup
# Only run this job for the default branch (master), or if forced with
# BUILD_FORCE_PENDING_UPDATES.
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $BUILD_FORCE_PENDING_UPDATES != null
artifacts:
paths:
- update-report
-1
View File
@@ -16,4 +16,3 @@ target:
- arm-systemready-ir-acs
- arm-systemready-linux-distros-debian
- arm-systemready-linux-distros-opensuse
- arm-systemready-linux-distros-fedora
+1 -1
View File
@@ -17,7 +17,7 @@ repos:
meta-arm-toolchain:
poky:
url: https://git.yoctoproject.org/git/poky
url: https://git.yoctoproject.org/poky
layers:
meta:
meta-poky:
+2 -2
View File
@@ -20,9 +20,9 @@ def repo_shortname(url):
.replace('*', '.'))
repositories = (
"https://git.yoctoproject.org/git/poky",
"https://git.yoctoproject.org/poky",
"https://git.openembedded.org/meta-openembedded",
"https://git.yoctoproject.org/git/meta-virtualization",
"https://git.yoctoproject.org/meta-virtualization",
"https://github.com/kraj/meta-clang",
)
@@ -1,8 +0,0 @@
header:
version: 16
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-fedora
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-opensuse
@@ -38,6 +38,16 @@ Platform Support
- This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.23_25
https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
SystemReady IR v2.0 Certification Milestone
-------------------------------------------
As of this release, Corstone-1000 has achieved `SystemReady IR v2.0 certification <https://www.arm.com/architecture/system-architectures/systemready-certification-program/ve>`__.
This milestone confirms compliance with the SystemReady IR requirements, ensuring broader compatibility and reliability for deployment.
Applied patch `313ad2a0e600 <https://git.yoctoproject.org/meta-arm/commit/?h=scarthgap&id=313ad2a0e600655d9bfbe53646e356372ff02644>`__ to address compatibility requirements for SystemReady IR v2.0.
This update is included in tag `CORSTONE1000-2024.06-systemready-ir-v2.0 <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06-systemready-ir-v2.0>`__ and builds on the `CORSTONE1000-2024.06` release.
***********************
Release notes - 2023.11
***********************
@@ -0,0 +1 @@
CONFIG_MTD_NAND_FSL_IFC=n
@@ -77,6 +77,9 @@ SRC_URI:append:fvp-base = " \
#
COMPATIBLE_MACHINE:juno = "juno"
FILESEXTRAPATHS:prepend:juno := "${ARMBSPFILESPATHS}"
SRC_URI:append:juno = " \
file://no-fsl-ifc-nand.cfg \
"
#
# Musca B1/S2 can't run Linux
@@ -103,6 +106,7 @@ SRC_URI:append:n1sdp = " \
file://enable-realtek-R8169.cfg \
file://enable-usb_conn_gpio.cfg \
file://usb_xhci_pci_renesas.cfg \
file://no-fsl-ifc-nand.cfg \
"
# Since we use the intree defconfig and the preempt-rt turns off some configs
# do_kernel_configcheck will display warnings. So, lets disable it.
@@ -1,46 +0,0 @@
#!/bin/sh
# Source function library
. /etc/init.d/functions
NAME=tee-supplicant
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="OP-TEE Supplicant"
DAEMON=@sbindir@/$NAME
test -f $DAEMON || exit 0
test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
set -e
case $1 in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start $SSD_OPTIONS
echo "${DAEMON##*/}."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop $SSD_OPTIONS
echo "${DAEMON##*/}."
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
;;
status)
status ${DAEMON} || exit $?
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
exit 1
;;
esac
exit 0
@@ -1,10 +0,0 @@
[Unit]
Description=TEE Supplicant on %i
[Service]
User=root
EnvironmentFile=-@sysconfdir@/default/tee-supplicant
ExecStart=@sbindir@/tee-supplicant $OPTARGS
[Install]
WantedBy=basic.target
@@ -1,39 +0,0 @@
from oeqa.runtime.case import OERuntimeTestCase
class SystemReadyFedoraUnattendedTest(OERuntimeTestCase):
def setUp(self):
super().setUp()
self.console = self.target.DEFAULT_CONSOLE
def test_fedora_unattended(self):
# Turn on the FVP.
self.target.transition('on')
# Timeout value = elapsed time * 2; where elapsed time was collected
# from the elapsed time in the log.do_testimage for each function after
# the build is finished on the development machine.
self.target.expect(self.console,
' Booting `Install Fedora 39\'',
timeout=(2 * 60))
bb.plain('Installation status: Loading the installer, kernel and initrd...')
self.target.expect(self.console,
'Setting up the installation environment',
timeout=(2 * 60 * 60))
bb.plain('Installation status: Setting up the installation environment...')
self.target.expect(self.console,
'Installing the software',
timeout=(30 * 60))
bb.plain('Installation status: Installing the software packages...')
# Waiting to respond to the boot loader prompt error message.
self.target.expect(self.console,
'Please respond \'yes\' or \'no\': ',
timeout=(16 * 60 * 60))
self.target.sendline(self.console, 'yes')
# Waiting till the installation is finished.
self.target.expect(self.console, r'.*login: ', timeout=(5 * 60 * 60))
bb.plain('Installation status: Fedora installation finished successfully.')
@@ -0,0 +1,42 @@
from oeqa.runtime.case import OERuntimeTestCase
class SystemReadyOpenSUSEUnattendedTest(OERuntimeTestCase):
def setUp(self):
super().setUp()
self.console = self.target.DEFAULT_CONSOLE
def test_opensuse_unattended(self):
# Turn on the FVP.
self.target.transition('on')
# Timeout value = elapsed time * 2; where elapsed time was collected
# from the elapsed time in the log.do_testimage for each function after
# the build is finished on the development machine.
self.target.expect(self.console,
'Booting `Installation\'',
timeout=(2 * 60))
bb.plain('Installation status: Loading the kernel, initrd and basic drivers...')
self.target.expect(self.console,
'Starting hardware detection...',
timeout=(40 * 60))
bb.plain('Installation status: Starting hardware detection...')
self.target.expect(self.console,
'Loading Installation System',
timeout=(60 * 60))
bb.plain('Installation status: Loading Installation System...')
self.target.expect(self.console,
'Starting Installer',
timeout=(40 * 60))
bb.plain('Installation status: Performing Installation...')
self.target.expect(self.console,
'Finishing Configuration',
timeout=(15 * 60 * 60))
bb.plain('Installation status: Finishing Configuration...')
# Waiting till the installation is finished.
self.target.expect(self.console, r'.*login: ', timeout=(6 * 60 * 60))
bb.plain('Installation status: openSUSE installation finished successfully.')
@@ -48,10 +48,10 @@ TEST_SUITES = "arm_systemready_ir_acs"
PV = "2.0.0"
PV_DATE = "23.03"
FULL_PV = "v${PV_DATE}_${PV}"
ARM_SYSTEMREADY_IR_ACS_BRANCH ?= "main"
IMAGE_FILENAME = "ir-acs-live-image-generic-arm64.wic"
ARM_SYSTEMREADY_IR_ACS_BRANCH ?= "legacy_systemready"
IMAGE_FILENAME = "ir-acs-live-image-generic-arm64-${PV}.wic"
SRC_URI = " \
https://github.com/ARM-software/arm-systemready/raw/${ARM_SYSTEMREADY_IR_ACS_BRANCH}/IR/prebuilt_images/${FULL_PV}/${IMAGE_FILENAME}.xz;name=acs-img \
https://github.com/ARM-software/arm-systemready/raw/${ARM_SYSTEMREADY_IR_ACS_BRANCH}/IR/prebuilt_images/${FULL_PV}/ir-acs-live-image-generic-arm64.wic.xz;name=acs-img;downloadfilename=${IMAGE_FILENAME}.xz \
git://git.gitlab.arm.com/systemready/systemready-ir-template.git;protocol=https;nobranch=1;destsuffix=systemready-ir-template;name=sr-ir-template \
"
SRC_URI[acs-img.sha256sum] = "ea52f84dab44bde97de3e2d2224d883acaae35724dd8e2bdfb125de49040f9b3"
@@ -1,119 +0,0 @@
require arm-systemready-linux-distros.inc
# The Fedora project does not provide a license manifest for the distributed ISO images.
# The following list only contains the SPDX license identifiers found on the rpm
# packages from the ISO image and is not exhaustive.
# For more information about Fedora licenses, including the non-free ones, refer to
# https://docs.fedoraproject.org/en-US/legal/fedora-linux-license/.
LICENSE = "GPL-1.0-only & GPL-1.0-or-later & GPL-2.0-only & GPL-2.0-or-later & GPL-2.0-with-font-exception \
& GPL-2.0-with-GCC-exception & GPL-3.0-only & GPL-3.0-or-later & GPL-3-with-bison-exception \
& LGPL-2.0-only & LGPL-2.0-or-later & LGPL-2.1-only & LGPL-2.1-or-later & LGPL-3.0-only & LGPL-3.0-or-later \
& 0BSD & BSD-2-Clause & BSD-3-Clause & BSD-3-Clause-Modification & BSD-4-Clause & BSD-4-Clause-UC \
& ClArtistic & Artistic-2.0 & Artistic-1.0-Perl & Apache-2.0 & Apache-2.0-with-LLVM-exception & Zlib \
& zlib-acknowledgement & Sleepycat & MIT & MIT-open-group & MIT-Modern-Variant & Unlicense & ISC \
& AFL-2.1 & AGPL-3.0-only & AGPL-3.0-or-later & FSFAP & MPL-1.1 & MPL-2.0 & CC-BY-3.0 & CC-BY-4.0 \
& CC-BY-SA-4.0 & CC0-1.0 & NCSA & APSL-2.0 & IJG & psutils & Sendmail & blessing & NTP & BSL-1.0 \
& GFDL-1.1-or-later & GFDL-1.2-or-later & GFDL-1.3 & GFDL-1.3-or-later & GFDL-1.3-no-invariants-or-later \
& NPL-1.1 & libtiff & Vim & curl & EUPL-1.1 & OFL-1.1 & OFL-1.1-RFN & FTL & Info-ZIP & Interbase-1.0 \
& Unicode-DFS-2016 & SISSL & LPPL-1.3a & SGI-B-2.0 & PSF-2.0 & X11 & OLDAP-2.8 & PostgreSQL & OPUBL-1.0"
LIC_FILES_CHKSUM = "\
file://${COMMON_LICENSE_DIR}/GPL-1.0-only;md5=e9e36a9de734199567a4d769498f743d \
file://${COMMON_LICENSE_DIR}/GPL-1.0-or-later;md5=30c0b8a5048cc2f4be5ff15ef0d8cf61 \
file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6 \
file://${COMMON_LICENSE_DIR}/GPL-2.0-or-later;md5=fed54355545ffd980b814dab4a3b312c \
file://${COMMON_LICENSE_DIR}/GPL-2.0-with-font-exception;md5=bf93e21a513f6f923474e62fb920434d \
file://${COMMON_LICENSE_DIR}/GPL-2.0-with-GCC-exception;md5=14c42911132e8c9008911385aede6449 \
file://${COMMON_LICENSE_DIR}/GPL-3.0-only;md5=c79ff39f19dfec6d293b95dea7b07891 \
file://${COMMON_LICENSE_DIR}/GPL-3.0-or-later;md5=1c76c4cc354acaac30ed4d5eefea7245 \
file://${COMMON_LICENSE_DIR}/GPL-3-with-bison-exception;md5=6e1bac3dc21fcc4fa049cf5c407eb7a2 \
file://${COMMON_LICENSE_DIR}/LGPL-2.0-only;md5=9427b8ccf5cf3df47c29110424c9641a \
file://${COMMON_LICENSE_DIR}/LGPL-2.0-or-later;md5=6d2d9952d88b50a51a5c73dc431d06c7 \
file://${COMMON_LICENSE_DIR}/LGPL-2.1-only;md5=1a6d268fd218675ffea8be556788b780 \
file://${COMMON_LICENSE_DIR}/LGPL-2.1-or-later;md5=2a4f4fd2128ea2f65047ee63fbca9f68 \
file://${COMMON_LICENSE_DIR}/LGPL-3.0-only;md5=bfccfe952269fff2b407dd11f2f3083b \
file://${COMMON_LICENSE_DIR}/LGPL-3.0-or-later;md5=c51d3eef3be114124d11349ca0d7e117 \
file://${COMMON_LICENSE_DIR}/0BSD;md5=f667a3c3830a55a17ec3067709f4526c \
file://${COMMON_LICENSE_DIR}/BSD-2-Clause;md5=cb641bc04cda31daea161b1bc15da69f \
file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9 \
file://${COMMON_LICENSE_DIR}/BSD-3-Clause-Modification;md5=27b46022df7bdef61a1e404fc3573f83 \
file://${COMMON_LICENSE_DIR}/BSD-4-Clause;md5=624d9e67e8ac41a78f6b6c2c55a83a2b \
file://${COMMON_LICENSE_DIR}/BSD-4-Clause-UC;md5=1da3cf8ad50cd8d5d1de3cfc53196d01 \
file://${COMMON_LICENSE_DIR}/ClArtistic;md5=f633bbf0697ec33066b83adfa9ebe51d \
file://${COMMON_LICENSE_DIR}/Artistic-2.0;md5=8bbc66f0ba93cec26ef526117e280266 \
file://${COMMON_LICENSE_DIR}/Artistic-1.0-Perl;md5=8feedd169dbd5738981843bd7d931f9f \
file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10 \
file://${COMMON_LICENSE_DIR}/Apache-2.0-with-LLVM-exception;md5=0bcd48c3bdfef0c9d9fd17726e4b7dab \
file://${COMMON_LICENSE_DIR}/Zlib;md5=87f239f408daca8a157858e192597633 \
file://${COMMON_LICENSE_DIR}/zlib-acknowledgement;md5=c76c64e2cf99efcfb5e2b26aa86b12e6 \
file://${COMMON_LICENSE_DIR}/Sleepycat;md5=1cbb64231c94198653282f3ccab88ffb \
file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COMMON_LICENSE_DIR}/MIT-open-group;md5=a7c50bba311e4b09d48a526eedcef837 \
file://${COMMON_LICENSE_DIR}/MIT-Modern-Variant;md5=272dea2b67586002978254bc04648ab2 \
file://${COMMON_LICENSE_DIR}/Unlicense;md5=7246f848faa4e9c9fc0ea91122d6e680 \
file://${COMMON_LICENSE_DIR}/ISC;md5=f3b90e78ea0cffb20bf5cca7947a896d \
file://${COMMON_LICENSE_DIR}/AFL-2.1;md5=e40039b90e182a056bcd9ad3e47ddd71 \
file://${COMMON_LICENSE_DIR}/AGPL-3.0-only;md5=73f1eb20517c55bf9493b7dd6e480788 \
file://${COMMON_LICENSE_DIR}/AGPL-3.0-or-later;md5=a4af3f9f0c0fc9de318e4df46665906e \
file://${COMMON_LICENSE_DIR}/FSFAP;md5=232368338ef6dc99de71c2e05ff12176 \
file://${COMMON_LICENSE_DIR}/MPL-1.1;md5=1d38e87ed8d522c49f04e1efe0fab3ab \
file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad \
file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7 \
file://${COMMON_LICENSE_DIR}/CC-BY-4.0;md5=9b33bbd06fb58995fb0e299cd38d1838 \
file://${COMMON_LICENSE_DIR}/CC-BY-SA-4.0;md5=4084714af41157e38872e798eb3fe1b1 \
file://${COMMON_LICENSE_DIR}/CC0-1.0;md5=0ceb3372c9595f0a8067e55da801e4a1 \
file://${COMMON_LICENSE_DIR}/NCSA;md5=1b5fdec70ee13ad8a91667f16c1959d7 \
file://${COMMON_LICENSE_DIR}/APSL-2.0;md5=f9e4701d9a216a87ba145bbe25f54c58 \
file://${COMMON_LICENSE_DIR}/IJG;md5=d9fc5ebaa95c14466091d25e0d34e688 \
file://${COMMON_LICENSE_DIR}/psutils;md5=29046009c1f269661e7b74196fb8f6a0 \
file://${COMMON_LICENSE_DIR}/Sendmail;md5=8037c42e05a5d4bfce06a44729fb6f1a \
file://${COMMON_LICENSE_DIR}/blessing;md5=d5407b61870d6dc19d0bdc04ae4cc654 \
file://${COMMON_LICENSE_DIR}/NTP;md5=0926fd147301b2a65e45e21adb3a6f14 \
file://${COMMON_LICENSE_DIR}/BSL-1.0;md5=65a7df9ad57aacf825fd252c4c33288c \
file://${COMMON_LICENSE_DIR}/GFDL-1.1-or-later;md5=03322744a1a73f36ebf29f98cced39a4 \
file://${COMMON_LICENSE_DIR}/GFDL-1.2-or-later;md5=9f58808219e9a42ff1228309d6f83dc6 \
file://${COMMON_LICENSE_DIR}/GFDL-1.3;md5=1083add59b39991c748ea70a92166959 \
file://${COMMON_LICENSE_DIR}/GFDL-1.3-or-later;md5=e0771ae6a62dc8a2e50b1d450fea66b7 \
file://${COMMON_LICENSE_DIR}/GFDL-1.3-no-invariants-or-later;md5=e0771ae6a62dc8a2e50b1d450fea66b7 \
file://${COMMON_LICENSE_DIR}/NPL-1.1;md5=f9c017c062c1b02462efb915d9f2cb63 \
file://${COMMON_LICENSE_DIR}/libtiff;md5=b99383975855adc28712577c9cd56485 \
file://${COMMON_LICENSE_DIR}/Vim;md5=676d28582e2dca824e7e309a9865eeb1 \
file://${COMMON_LICENSE_DIR}/curl;md5=f7adb1397db248527ffed14d947e445c \
file://${COMMON_LICENSE_DIR}/EUPL-1.1;md5=3f12b8134016fd7ba5a010afd690abaa \
file://${COMMON_LICENSE_DIR}/OFL-1.1;md5=fac3a519e5e9eb96316656e0ca4f2b90 \
file://${COMMON_LICENSE_DIR}/OFL-1.1-RFN;md5=2680fce30f17e5fed9bcebd9336e5b78 \
file://${COMMON_LICENSE_DIR}/FTL;md5=f0bf6b09ee8b02121ed10709d9e49d8b \
file://${COMMON_LICENSE_DIR}/Info-ZIP;md5=83a1c8ea099b3b58beb6e55dcbe4c15f \
file://${COMMON_LICENSE_DIR}/Interbase-1.0;md5=f65304bc0e87e6700fe1e4ab5affdc6f \
file://${COMMON_LICENSE_DIR}/Unicode-DFS-2016;md5=907371994d651afe53e98adc27824669 \
file://${COMMON_LICENSE_DIR}/SISSL;md5=fded06bff75eb4a2899bd051e2e128f5 \
file://${COMMON_LICENSE_DIR}/LPPL-1.3a;md5=8e2e8e1428b39cd78927c2ad28734ff7 \
file://${COMMON_LICENSE_DIR}/SGI-B-2.0;md5=5f5dd7bd973dff1594131b1e9c7981f1 \
file://${COMMON_LICENSE_DIR}/PSF-2.0;md5=76c1502273262a5ebefb50dfb20d7c4f \
file://${COMMON_LICENSE_DIR}/X11;md5=87f08485cf6ba3c63a00eda8ecba7f1d \
file://${COMMON_LICENSE_DIR}/OLDAP-2.8;md5=bb28ada4fbb5c3f52c233899b2e410a5 \
file://${COMMON_LICENSE_DIR}/PostgreSQL;md5=a9c78964f52e27f4c01140a1a16da8e2 \
file://${COMMON_LICENSE_DIR}/OPUBL-1.0;md5=99367d4750dbf0ae6cc74209ddd52f6d \
"
ARM_SYSTEMREADY_LINUX_DISTRO_INSTALL_SIZE = "6144"
TEST_SUITES = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm_systemready_fedora_unattended", "", d)}"
ISO_LABEL = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "Fedora-S-dvd-aarch64-39", "", d)}"
BOOT_CATALOG = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot.catalog", "", d)}"
BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/BOOT/BOOTAA64.EFI", "", d)}"
EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "images/efiboot.img", "", d)}"
PV = "39.1.5"
SRC_URI = "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/aarch64/iso/Fedora-Server-dvd-aarch64-39-1.5.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
SRC_URI[sha256sum] = "d19dc2a39758155fa53e6fd555d0d173ccc8175b55dea48002d499f39cb30ce0"
modifyiso() {
UNATTENDED_CONF_DIR="${THISDIR}/unattended-boot-conf/Fedora"
cp "${UNATTENDED_CONF_DIR}/ks.cfg" ${EXTRACTED_ISO_TEMP_DIR}
sed -i 's/set default="1"/set default="0"/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg"
sed -i 's/set timeout=60/set timeout=0/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg"
sed -i '0,/vmlinuz/s/vmlinuz/& inst.ks=hd:LABEL=Fedora-S-dvd-aarch64-39:\/ks.cfg/' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg"
}
@@ -72,3 +72,18 @@ ISO_TYPE = "DVD"
BUILD_NO = "491.1"
SRC_URI = "https://download.opensuse.org/distribution/leap/${PV}/iso/openSUSE-Leap-${PV}-${ISO_TYPE}-aarch64-Build${BUILD_NO}-Media.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
SRC_URI[sha256sum] = "456cc4f99b044429d8a89bd302c06e9e382d6ac4dc590139a7096ebb54f5357b"
TEST_SUITES = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm_systemready_opensuse_unattended", "", d)}"
ISO_LABEL = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "OEMDRV", "", d)}"
BOOT_CATALOG = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot.catalog", "", d)}"
BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/BOOT/bootaa64.efi", "", d)}"
EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot/aarch64/efi", "", d)}"
modifyiso() {
UNATTENDED_CONF_DIR="${THISDIR}/unattended-boot-conf/openSUSE"
#create installation configuration files, remove grub timeout, setup network
cp "${UNATTENDED_CONF_DIR}/autoinst.xml" ${EXTRACTED_ISO_TEMP_DIR}
sed -i 's/timeout=60/timeout=0/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg"
}
@@ -1,39 +0,0 @@
# Generated by Anaconda 39.32.6
# Generated by pykickstart v3.48
#version=DEVEL
# Use text mode install
text
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_GB.UTF-8
# Use CDROM installation media
cdrom
%packages --excludedocs --ignoremissing
@core --nodefaults
%end
# Run the Setup Agent on first boot
firstboot --enable
# Do not configure the X Window System
skipx
# System bootloader configuration
bootloader --location=mbr --boot-drive=vda
autopart
# Partition clearing information
clearpart --all --initlabel --drives=vda
# System timezone
timezone Europe/London --utc
# Root password
rootpw --lock
user --groups=wheel --name=user --password=unsafe --gecos="usr1"
# Reboot after installation with an attempt to eject the installation media
reboot --eject
@@ -0,0 +1,935 @@
<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
<bootloader t="map">
<global t="map">
<append>splash=silent preempt=full mitigations=auto quiet security=apparmor</append>
<cpu_mitigations>auto</cpu_mitigations>
<gfxmode>auto</gfxmode>
<hiddenmenu>false</hiddenmenu>
<os_prober>true</os_prober>
<secure_boot>true</secure_boot>
<terminal>gfxterm</terminal>
<timeout t="integer">8</timeout>
<update_nvram>true</update_nvram>
</global>
<loader_type>grub2-efi</loader_type>
</bootloader>
<firewall t="map">
<default_zone>public</default_zone>
<enable_firewall t="boolean">true</enable_firewall>
<log_denied_packets>off</log_denied_packets>
<start_firewall t="boolean">true</start_firewall>
<zones t="list">
<zone t="map">
<description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>block</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Block</short>
<target>%%REJECT%%</target>
</zone>
<zone t="map">
<description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>dmz</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>ssh</service>
</services>
<short>DMZ</short>
<target>default</target>
</zone>
<zone t="map">
<description>All network connections are accepted.</description>
<interfaces t="list">
<interface>docker0</interface>
</interfaces>
<masquerade t="boolean">false</masquerade>
<name>docker</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>docker</short>
<target>ACCEPT</target>
</zone>
<zone t="map">
<description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>drop</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Drop</short>
<target>DROP</target>
</zone>
<zone t="map">
<description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">true</masquerade>
<name>external</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>ssh</service>
</services>
<short>External</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>home</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>mdns</service>
<service>samba-client</service>
<service>ssh</service>
</services>
<short>Home</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>internal</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>mdns</service>
<service>samba-client</service>
<service>ssh</service>
</services>
<short>Internal</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list">
<interface>eth0</interface>
</interfaces>
<masquerade t="boolean">false</masquerade>
<name>public</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>ssh</service>
</services>
<short>Public</short>
<target>default</target>
</zone>
<zone t="map">
<description>All network connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>trusted</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Trusted</short>
<target>ACCEPT</target>
</zone>
<zone t="map">
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>work</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>ssh</service>
</services>
<short>Work</short>
<target>default</target>
</zone>
</zones>
</firewall>
<general t="map">
<mode t="map">
<confirm t="boolean">false</confirm>
</mode>
</general>
<groups t="list">
<group t="map">
<gid>100</gid>
<groupname>users</groupname>
<userlist/>
</group>
<group t="map">
<gid>499</gid>
<groupname>messagebus</groupname>
<userlist/>
</group>
<group t="map">
<gid>1</gid>
<groupname>bin</groupname>
<userlist>daemon</userlist>
</group>
<group t="map">
<gid>488</gid>
<groupname>input</groupname>
<userlist/>
</group>
<group t="map">
<gid>495</gid>
<groupname>kmem</groupname>
<userlist/>
</group>
<group t="map">
<gid>493</gid>
<groupname>utmp</groupname>
<userlist/>
</group>
<group t="map">
<gid>62</gid>
<groupname>man</groupname>
<userlist/>
</group>
<group t="map">
<gid>477</gid>
<groupname>polkitd</groupname>
<userlist/>
</group>
<group t="map">
<gid>479</gid>
<groupname>systemd-timesync</groupname>
<userlist/>
</group>
<group t="map">
<gid>2</gid>
<groupname>daemon</groupname>
<userlist/>
</group>
<group t="map">
<gid>480</gid>
<groupname>systemd-network</groupname>
<userlist/>
</group>
<group t="map">
<gid>71</gid>
<groupname>ntadmin</groupname>
<userlist/>
</group>
<group t="map">
<gid>490</gid>
<groupname>dialout</groupname>
<userlist/>
</group>
<group t="map">
<gid>59</gid>
<groupname>maildrop</groupname>
<userlist>postfix</userlist>
</group>
<group t="map">
<gid>478</gid>
<groupname>nscd</groupname>
<userlist/>
</group>
<group t="map">
<gid>51</gid>
<groupname>postfix</groupname>
<userlist/>
</group>
<group t="map">
<gid>485</gid>
<groupname>tape</groupname>
<userlist/>
</group>
<group t="map">
<gid>487</gid>
<groupname>render</groupname>
<userlist/>
</group>
<group t="map">
<gid>476</gid>
<groupname>sshd</groupname>
<userlist/>
</group>
<group t="map">
<gid>491</gid>
<groupname>cdrom</groupname>
<userlist/>
</group>
<group t="map">
<gid>486</gid>
<groupname>sgx</groupname>
<userlist/>
</group>
<group t="map">
<gid>0</gid>
<groupname>root</groupname>
<userlist/>
</group>
<group t="map">
<gid>489</gid>
<groupname>disk</groupname>
<userlist/>
</group>
<group t="map">
<gid>15</gid>
<groupname>shadow</groupname>
<userlist/>
</group>
<group t="map">
<gid>484</gid>
<groupname>video</groupname>
<userlist/>
</group>
<group t="map">
<gid>496</gid>
<groupname>wheel</groupname>
<userlist/>
</group>
<group t="map">
<gid>483</gid>
<groupname>audit</groupname>
<userlist/>
</group>
<group t="map">
<gid>498</gid>
<groupname>mail</groupname>
<userlist>postfix</userlist>
</group>
<group t="map">
<gid>5</gid>
<groupname>tty</groupname>
<userlist/>
</group>
<group t="map">
<gid>65533</gid>
<groupname>nogroup</groupname>
<userlist/>
</group>
<group t="map">
<gid>65534</gid>
<groupname>nobody</groupname>
<userlist/>
</group>
<group t="map">
<gid>497</gid>
<groupname>lp</groupname>
<userlist/>
</group>
<group t="map">
<gid>482</gid>
<groupname>chrony</groupname>
<userlist/>
</group>
<group t="map">
<gid>492</gid>
<groupname>audio</groupname>
<userlist/>
</group>
<group t="map">
<gid>494</gid>
<groupname>lock</groupname>
<userlist/>
</group>
<group t="map">
<gid>36</gid>
<groupname>kvm</groupname>
<userlist/>
</group>
<group t="map">
<gid>42</gid>
<groupname>trusted</groupname>
<userlist/>
</group>
<group t="map">
<gid>481</gid>
<groupname>systemd-journal</groupname>
<userlist/>
</group>
</groups>
<host t="map">
<hosts t="list">
<hosts_entry t="map">
<host_address>127.0.0.1</host_address>
<names t="list">
<name>localhost</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>::1</host_address>
<names t="list">
<name>localhost ipv6-localhost ipv6-loopback</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>fe00::0</host_address>
<names t="list">
<name>ipv6-localnet</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff00::0</host_address>
<names t="list">
<name>ipv6-mcastprefix</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::1</host_address>
<names t="list">
<name>ipv6-allnodes</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::2</host_address>
<names t="list">
<name>ipv6-allrouters</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::3</host_address>
<names t="list">
<name>ipv6-allhosts</name>
</names>
</hosts_entry>
</hosts>
</host>
<language t="map">
<language>en_GB</language>
<languages>en_GB</languages>
</language>
<networking t="map">
<dhcp_options t="map">
<dhclient_client_id/>
<dhclient_hostname_option>AUTO</dhclient_hostname_option>
</dhcp_options>
<dns t="map">
<dhcp_hostname t="boolean">true</dhcp_hostname>
<hostname>localhost</hostname>
<resolv_conf_policy>auto</resolv_conf_policy>
</dns>
<interfaces t="list">
<interface t="map">
<bootproto>dhcp</bootproto>
<name>eth0</name>
<startmode>auto</startmode>
<zone>public</zone>
</interface>
</interfaces>
<ipv6 t="boolean">true</ipv6>
<keep_install_network t="boolean">true</keep_install_network>
<managed t="boolean">false</managed>
<routing t="map">
<ipv4_forward t="boolean">false</ipv4_forward>
<ipv6_forward t="boolean">false</ipv6_forward>
</routing>
</networking>
<ntp-client t="map">
<ntp_policy>auto</ntp_policy>
<ntp_servers t="list"/>
<ntp_sync>systemd</ntp_sync>
</ntp-client>
<partitioning t="list">
<drive t="map">
<device>/dev/vda</device>
<disklabel>gpt</disklabel>
<enable_snapshots t="boolean">false</enable_snapshots>
<partitions t="list">
<partition t="map">
<create t="boolean">true</create>
<filesystem t="symbol">vfat</filesystem>
<format t="boolean">true</format>
<fstopt>utf8</fstopt>
<mount>/boot/efi</mount>
<mountby t="symbol">uuid</mountby>
<partition_id t="integer">259</partition_id>
<partition_nr t="integer">1</partition_nr>
<resize t="boolean">false</resize>
<size>134217728</size>
</partition>
<partition t="map">
<create t="boolean">true</create>
<create_subvolumes t="boolean">true</create_subvolumes>
<filesystem t="symbol">btrfs</filesystem>
<format t="boolean">true</format>
<mount>/</mount>
<mountby t="symbol">uuid</mountby>
<partition_id t="integer">131</partition_id>
<partition_nr t="integer">2</partition_nr>
<quotas t="boolean">false</quotas>
<resize t="boolean">false</resize>
<size>6307167744</size>
<subvolumes t="list">
<subvolume t="map">
<copy_on_write t="boolean">false</copy_on_write>
<path>var</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>usr/local</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>tmp</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>srv</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>root</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>opt</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>home</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>boot/grub2/arm64-efi</path>
</subvolume>
</subvolumes>
<subvolumes_prefix>@</subvolumes_prefix>
</partition>
</partitions>
<type t="symbol">CT_DISK</type>
<use>all</use>
</drive>
</partitioning>
<proxy t="map">
<enabled t="boolean">false</enabled>
</proxy>
<services-manager t="map">
<default_target>multi-user</default_target>
<services t="map">
<enable t="list">
<service>YaST2-Firstboot</service>
<service>YaST2-Second-Stage</service>
<service>apparmor</service>
<service>auditd</service>
<service>klog</service>
<service>chronyd</service>
<service>cron</service>
<service>cups</service>
<service>firewalld</service>
<service>wickedd-auto4</service>
<service>wickedd-dhcp4</service>
<service>wickedd-dhcp6</service>
<service>wickedd-nanny</service>
<service>irqbalance</service>
<service>issue-generator</service>
<service>kbdsettings</service>
<service>wicked</service>
<service>nscd</service>
<service>postfix</service>
<service>purge-kernels</service>
<service>rsyslog</service>
<service>smartd</service>
<service>sshd</service>
<service>systemd-pstore</service>
<service>systemd-remount-fs</service>
</enable>
</services>
</services-manager>
<software t="map">
<install_recommended t="boolean">true</install_recommended>
<instsource/>
<packages t="list">
<package>wicked</package>
<package>shim</package>
<package>os-prober</package>
<package>openssh</package>
<package>openSUSE-release</package>
<package>mokutil</package>
<package>kexec-tools</package>
<package>grub2-arm64-efi</package>
<package>glibc</package>
<package>firewalld</package>
<package>e2fsprogs</package>
<package>dosfstools</package>
<package>chrony</package>
<package>btrfsprogs</package>
<package>autoyast2</package>
</packages>
<patterns t="list">
<pattern>apparmor</pattern>
<pattern>base</pattern>
<pattern>documentation</pattern>
<pattern>enhanced_base</pattern>
<pattern>minimal_base</pattern>
<pattern>sw_management</pattern>
<pattern>yast2_basis</pattern>
</patterns>
<products t="list">
<product>Leap</product>
</products>
</software>
<ssh_import t="map">
<copy_config t="boolean">false</copy_config>
<import t="boolean">false</import>
</ssh_import>
<user_defaults t="map">
<expire/>
<group>100</group>
<home>/home</home>
<inactive>-1</inactive>
<shell>/bin/bash</shell>
<umask>022</umask>
</user_defaults>
<users t="list">
<user t="map">
<authorized_keys t="list"/>
<encrypted t="boolean">true</encrypted>
<fullname>user</fullname>
<gid>100</gid>
<home>/home/user</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max>99999</max>
<min>0</min>
<warn>7</warn>
</password_settings>
<shell>/bin/bash</shell>
<uid>1000</uid>
<user_password>$6$WV8CB/c6j0zhAi5S$4euhbt4alH7WNfaatS9IJgPiiKDJ48d5Ru1zCZCA0N9GiyOPuefN2PAUWlyYeTgqAInpyvPh1frdp4fFVjvEn0</user_password>
<username>user</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for nscd</fullname>
<gid>478</gid>
<home>/run/nscd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>478</uid>
<user_password>!</user_password>
<username>nscd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>systemd Network Management</fullname>
<gid>480</gid>
<home>/</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>480</uid>
<user_password>!*</user_password>
<username>systemd-network</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Daemon</fullname>
<gid>2</gid>
<home>/sbin</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>2</uid>
<user_password>!</user_password>
<username>daemon</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>systemd Time Synchronization</fullname>
<gid>479</gid>
<home>/</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>479</uid>
<user_password>!*</user_password>
<username>systemd-timesync</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>user for rpcbind</fullname>
<gid>65534</gid>
<home>/var/lib/empty</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>475</uid>
<user_password>!</user_password>
<username>rpc</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>SSH daemon</fullname>
<gid>476</gid>
<home>/var/lib/sshd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>476</uid>
<user_password>!</user_password>
<username>sshd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Postfix Daemon</fullname>
<gid>51</gid>
<home>/var/spool/postfix</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>51</uid>
<user_password>!</user_password>
<username>postfix</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>NFS statd daemon</fullname>
<gid>65533</gid>
<home>/var/lib/nfs</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>474</uid>
<user_password>!</user_password>
<username>statd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>bin</fullname>
<gid>1</gid>
<home>/bin</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>1</uid>
<user_password>!</user_password>
<username>bin</username>
</user>
<user t="map">
<authorized_keys t="list"/>
<encrypted t="boolean">true</encrypted>
<fullname>root</fullname>
<gid>0</gid>
<home>/root</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/bin/bash</shell>
<uid>0</uid>
<user_password>$6$zAe5W7gw/kja9aKy$mM.BWtNyjalXrDNig4CUfN3bgfmehUIs8.zvBwWn1XroK104G.rY3lyup3OH8TujieUmgO4J74Df.LktV4A1K1</user_password>
<username>root</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for D-Bus</fullname>
<gid>499</gid>
<home>/run/dbus</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/bin/false</shell>
<uid>499</uid>
<user_password>!</user_password>
<username>messagebus</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Manual pages viewer</fullname>
<gid>62</gid>
<home>/var/lib/empty</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>13</uid>
<user_password>!</user_password>
<username>man</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Printing daemon</fullname>
<gid>497</gid>
<home>/var/spool/lpd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>497</uid>
<user_password>!</user_password>
<username>lp</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for polkitd</fullname>
<gid>477</gid>
<home>/var/lib/polkit</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>477</uid>
<user_password>!</user_password>
<username>polkitd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Chrony Daemon</fullname>
<gid>482</gid>
<home>/var/lib/chrony</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>496</uid>
<user_password>!</user_password>
<username>chrony</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>nobody</fullname>
<gid>65534</gid>
<home>/var/lib/nobody</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/bin/bash</shell>
<uid>65534</uid>
<user_password>!</user_password>
<username>nobody</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Mailer daemon</fullname>
<gid>498</gid>
<home>/var/spool/clientmqueue</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>498</uid>
<user_password>!</user_password>
<username>mail</username>
</user>
</users>
</profile>
@@ -15,6 +15,11 @@ EAT_TARGET_SYS:aarch64 ?= "${@ 'aarch64-none-linux-gnu' if os.path.exists('${EXT
EAT_TARGET_SYS = "${TARGET_SYS}"
TARGET_PREFIX = "${EAT_TARGET_SYS}-"
EXTERNAL_TOOLCHAIN_LIBDIR = "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/usr/lib', '/lib', d)}"
EXTERNAL_TOOLCHAIN_DYN_LINKER_PATH:arm ?= " -Wl,--dynamic-linker=${EXTERNAL_TOOLCHAIN_LIBDIR}/ld-linux-armhf.so.3"
EXTERNAL_TOOLCHAIN_DYN_LINKER_PATH:aarch64 ?= " -Wl,--dynamic-linker=${EXTERNAL_TOOLCHAIN_LIBDIR}/ld-linux-aarch64.so.1"
TARGET_LDFLAGS:append:class-target = "${EXTERNAL_TOOLCHAIN_DYN_LINKER_PATH}"
EAT_LIBDIR:arm = "lib"
EAT_LIBDIR:aarch64 = "lib64"
@@ -118,54 +118,80 @@ do_install() {
else
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/lib/${linker_name} ${D}${base_libdir}/
fi
ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so
ln -sf ../../lib/libcrypt.so.1 ${D}${libdir}/libcrypt.so
ln -sf ../../lib/libresolv.so.2 ${D}${libdir}/libresolv.so
ln -sf ../../lib/libnss_hesiod.so.2 ${D}${libdir}/libnss_hesiod.so
ln -sf ../../lib/libutil.so.1 ${D}${libdir}/libutil.so
ln -sf ../../lib/libBrokenLocale.so.1 ${D}${libdir}/libBrokenLocale.so
ln -sf ../../lib/libpthread.so.0 ${D}${libdir}/libpthread.so
ln -sf ../../lib/libthread_db.so.1 ${D}${libdir}/libthread_db.so
ln -sf ../../lib/libanl.so.1 ${D}${libdir}/libanl.so
ln -sf ../../lib/libdl.so.2 ${D}${libdir}/libdl.so
ln -sf ../../lib/libnss_db.so.2 ${D}${libdir}/libnss_db.so
ln -sf ../../lib/libnss_dns.so.2 ${D}${libdir}/libnss_dns.so
ln -sf ../../lib/libnss_files.so.2 ${D}${libdir}/libnss_files.so
ln -sf ../../lib/libnss_compat.so.2 ${D}${libdir}/libnss_compat.so
ln -sf ../../lib/libm.so.6 ${D}${libdir}/libm.so
ln -sf ../../lib/libc_malloc_debug.so.0 ${D}${libdir}/libc_malloc_debug.so
# remove potential .so duplicates from base_libdir
# for all symlinks created above in libdir
rm -f ${D}${base_libdir}/librt.so
rm -f ${D}${base_libdir}/libcrypt.so
rm -f ${D}${base_libdir}/libresolv.so
rm -f ${D}${base_libdir}/libnss_hesiod.so
rm -f ${D}${base_libdir}/libutil.so
rm -f ${D}${base_libdir}/libBrokenLocale.so
rm -f ${D}${base_libdir}/libpthread.so
rm -f ${D}${base_libdir}/libthread_db.so
rm -f ${D}${base_libdir}/libanl.so
rm -f ${D}${base_libdir}/libdl.so
rm -f ${D}${base_libdir}/libnss_db.so
rm -f ${D}${base_libdir}/libnss_dns.so
rm -f ${D}${base_libdir}/libnss_files.so
rm -f ${D}${base_libdir}/libnss_compat.so
rm -f ${D}${base_libdir}/libm.so
# Move these completely to ${libdir} and delete duplicates in ${base_libdir}
for lib in asan hwasan atomic gfortran gomp itm lsan sanitizer stdc++ tsan ubsan; do
if [ -e ${D}${base_libdir}/lib${lib}.spec ] ; then
mv ${D}${base_libdir}/lib${lib}.spec ${D}${libdir}
if ${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', 'false', 'true', d)}; then
ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so
ln -sf ../../lib/libcrypt.so.1 ${D}${libdir}/libcrypt.so
ln -sf ../../lib/libresolv.so.2 ${D}${libdir}/libresolv.so
ln -sf ../../lib/libnss_hesiod.so.2 ${D}${libdir}/libnss_hesiod.so
ln -sf ../../lib/libutil.so.1 ${D}${libdir}/libutil.so
ln -sf ../../lib/libBrokenLocale.so.1 ${D}${libdir}/libBrokenLocale.so
ln -sf ../../lib/libpthread.so.0 ${D}${libdir}/libpthread.so
ln -sf ../../lib/libthread_db.so.1 ${D}${libdir}/libthread_db.so
ln -sf ../../lib/libanl.so.1 ${D}${libdir}/libanl.so
ln -sf ../../lib/libdl.so.2 ${D}${libdir}/libdl.so
ln -sf ../../lib/libnss_db.so.2 ${D}${libdir}/libnss_db.so
ln -sf ../../lib/libnss_dns.so.2 ${D}${libdir}/libnss_dns.so
ln -sf ../../lib/libnss_files.so.2 ${D}${libdir}/libnss_files.so
ln -sf ../../lib/libnss_compat.so.2 ${D}${libdir}/libnss_compat.so
ln -sf ../../lib/libm.so.6 ${D}${libdir}/libm.so
ln -sf ../../lib/libc_malloc_debug.so.0 ${D}${libdir}/libc_malloc_debug.so
if [ -f ${D}${base_libdir}/libmvec.so.1 ]; then
ln -sf ../../lib/libmvec.so.1 ${D}${libdir}/libmvec.so
fi
if [ -e ${D}${base_libdir}/lib${lib}.a ] ; then
mv ${D}${base_libdir}/lib${lib}.a ${D}${libdir}
fi
rm -f ${D}${base_libdir}/lib${lib}*
done
# Clean up duplicate libs that are both in base_libdir and libdir
rm -f ${D}${libdir}/libgcc*
# remove potential .so duplicates from base_libdir
# for all symlinks created above in libdir
rm -f ${D}${base_libdir}/librt.so
rm -f ${D}${base_libdir}/libcrypt.so
rm -f ${D}${base_libdir}/libresolv.so
rm -f ${D}${base_libdir}/libnss_hesiod.so
rm -f ${D}${base_libdir}/libutil.so
rm -f ${D}${base_libdir}/libBrokenLocale.so
rm -f ${D}${base_libdir}/libpthread.so
rm -f ${D}${base_libdir}/libthread_db.so
rm -f ${D}${base_libdir}/libanl.so
rm -f ${D}${base_libdir}/libdl.so
rm -f ${D}${base_libdir}/libnss_db.so
rm -f ${D}${base_libdir}/libnss_dns.so
rm -f ${D}${base_libdir}/libnss_files.so
rm -f ${D}${base_libdir}/libnss_compat.so
rm -f ${D}${base_libdir}/libm.so
rm -f ${D}${base_libdir}/libmvec.so
# Move these completely to ${libdir} and delete duplicates in ${base_libdir}
for lib in asan hwasan atomic gfortran gomp itm lsan sanitizer stdc++ tsan ubsan; do
if [ -e ${D}${base_libdir}/lib${lib}.spec ] ; then
mv ${D}${base_libdir}/lib${lib}.spec ${D}${libdir}
fi
if [ -e ${D}${base_libdir}/lib${lib}.a ] ; then
mv ${D}${base_libdir}/lib${lib}.a ${D}${libdir}
fi
rm -f ${D}${base_libdir}/lib${lib}*
done
# Clean up duplicate libs that are both in base_libdir and libdir
rm -f ${D}${libdir}/libgcc*
else
ln -sf libcrypt.so.1 ${D}${libdir}/libcrypt.so
ln -sf libresolv.so.2 ${D}${libdir}/libresolv.so
ln -sf libnss_hesiod.so.2 ${D}${libdir}/libnss_hesiod.so
ln -sf libutil.so.1 ${D}${libdir}/libutil.so
ln -sf libBrokenLocale.so.1 ${D}${libdir}/libBrokenLocale.so
ln -sf libpthread.so.0 ${D}${libdir}/libpthread.so
ln -sf libthread_db.so.1 ${D}${libdir}/libthread_db.so
ln -sf libanl.so.1 ${D}${libdir}/libanl.so
ln -sf libdl.so.2 ${D}${libdir}/libdl.so
ln -sf libnss_db.so.2 ${D}${libdir}/libnss_db.so
ln -sf libnss_dns.so.2 ${D}${libdir}/libnss_dns.so
ln -sf libnss_files.so.2 ${D}${libdir}/libnss_files.so
ln -sf libnss_compat.so.2 ${D}${libdir}/libnss_compat.so
ln -sf libm.so.6 ${D}${libdir}/libm.so
ln -sf libc_malloc_debug.so.0 ${D}${libdir}/libc_malloc_debug.so
if [ -f ${D}${libdir}/libmvec.so.1 ]; then
ln -sf libmvec.so.1 ${D}${libdir}/libmvec.so
fi
fi
# Besides ld-${EAT_VER_LIBC}.so, other libs can have duplicates like lib*-${EAT_VER_LIBC}.so
# Only remove them if both are regular files and are identical
@@ -205,13 +231,13 @@ do_install() {
rm -rf ${D}${includedir}/rpcsvc/rquota.*
if [ -f ${D}${libdir}/libc.so ];then
sed -i -e "s# /${EAT_LIBDIR}/${EAT_TARGET_SYS}# ../../${EAT_LIBDIR}#g" -e "s# /usr/${EAT_LIBDIR}/# /usr/lib/#g" -e "s# /usr/${EAT_LIBDIR}/${EAT_TARGET_SYS}# .#g" -e "s# /${EAT_LIBDIR}/ld-linux# ../../${EAT_LIBDIR}/ld-linux#g" ${D}${libdir}/libc.so
sed -i -e "s# /usr/${EAT_LIBDIR}/# /usr/lib/#g" -e "s# /${EAT_LIBDIR}/ld-linux# ../../${base_libdir}/ld-linux#g" ${D}${libdir}/libc.so
sed -i -e "s# /${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" ${D}${libdir}/libc.so
sed -i -e "s# /lib# ../../lib#g" -e "s# /usr/lib# .#g" ${D}${libdir}/libc.so
sed -i -e "s# /lib# ../../${base_libdir}#g" -e "s# /usr/lib# .#g" ${D}${libdir}/libc.so
fi
if [ -f ${D}${base_libdir}/libc.so ];then
sed -i -e "s# /${EAT_LIBDIR}/${EAT_TARGET_SYS}# ../../lib#g" -e "s# /usr/${EAT_LIBDIR}/${EAT_TARGET_SYS}# .#g" -e "s# /${EAT_LIBDIR}/# /lib/#g" ${D}${base_libdir}/libc.so
sed -i -e "s# /${EAT_LIBDIR}/# /lib/#g" ${D}${base_libdir}/libc.so
if [ -f ${D}${base_libdir}/libc.so.6 ]; then
sed -i -e "s# /usr/${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" -e "s# /${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" ${D}${base_libdir}/libc.so.6
fi
@@ -527,7 +553,6 @@ FILES:${PN} += "\
${base_libdir}/ld*.so.* \
${base_libdir}/ld-*.so \
${base_libdir}/libpthread*.so.* \
${base_libdir}/libpthread*.so \
${base_libdir}/libpthread-*.so \
${base_libdir}/libresolv*.so.* \
${base_libdir}/libresolv-*.so \
@@ -0,0 +1,21 @@
SUMMARY = "execstack tool"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
DEPENDS = "binutils-native elfutils-native"
SRC_URI = "git://git.yoctoproject.org/prelink-cross;protocol=https;branch=master"
SRCREV = "ff2561c02ade96c5d4d56ddd4e27ff064840a176"
PV = "1.0+git${SRCPV}"
S = "${WORKDIR}/git"
inherit autotools native
do_compile() {
oe_runmake -C ${B}/src execstack
}
do_install() {
oe_runmake -C ${B}/src install-binPROGRAMS DESTDIR="${D}"
}
@@ -14,3 +14,6 @@ UPSTREAM_VERSION_UNKNOWN = "1"
MODEL_CODE = "FVP_Base_RevC-2xAEMvA"
COMPATIBLE_HOST = "(aarch64|x86_64).*-linux"
require remove-execstack.inc
REMOVE_EXECSTACKS:x86-64 = "${FVPDIR}/models/${FVP_ARCH_DIR}*/libarmctmodel.so"
@@ -0,0 +1,26 @@
# Clear the executable stack flag on named shared libraries. This are typically
# not needed, and glibc 2.41 will refuse to dlopen() a library that expects
# an executable stack.
#
# The stack permissions can be checked with readelf -lW <.so> | grep GNU_STACK.
# RW is read/write, RWE is read/write/execute.
DEPENDS += "execstack-native"
REMOVE_EXECSTACKS ?= ""
do_install:append() {
for SO in ${REMOVE_EXECSTACKS}; do
NAME=$(basename $SO)
SO=${D}$SO
test -f $SO || bbfatal remove-execstack: cannot find $SO
if execstack --query $SO | grep -q ^X; then
bbnote "Stripping executable stack bit on $NAME"
execstack --clear-execstack $SO
else
bbwarn "Executable stack stripping no longer required for $NAME, remove"
fi
done
}
@@ -0,0 +1,51 @@
From fcacaa1f80c601907299b8f9de8b57cc35cd5a68 Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@st.com>
Date: Wed, 21 Jan 2026 13:55:33 +0100
Subject: [PATCH 1/3] ta: pkcs11: check output buffer size on get attribute
value
Check client output buffer input size and update its output
size on PKCS11_CMD_GET_ATTRIBUTE_VALUE command.
CVE: CVE-2026-33317
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9]
Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
ta/pkcs11/src/object.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
index c9a95e1b2..ba3be7a71 100644
--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
@@ -800,6 +800,15 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
goto out;
}
+ /*
+ * We will update the template with relevant data, without resizing it.
+ * Upon completion, it will be copied to client output buffer.
+ */
+ if (out->memref.size < sizeof(*template) + template->attrs_size) {
+ rc = PKCS11_CKR_ARGUMENTS_BAD;
+ goto out;
+ }
+
/* Iterate over attributes and set their values */
/*
* 1. If the specified attribute (i.e., the attribute specified by the
@@ -912,6 +921,7 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
rc = PKCS11_CKR_BUFFER_TOO_SMALL;
/* Move updated template to out buffer */
+ out->memref.size = sizeof(*template) + template->attrs_size;
TEE_MemMove(out->memref.buffer, template, out->memref.size);
DMSG("PKCS11 session %"PRIu32": get attributes %#"PRIx32,
--
2.43.0
@@ -0,0 +1,52 @@
From 7e57efa90820489f123708f8ae5ee13706e8f4ce Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@st.com>
Date: Wed, 21 Jan 2026 13:58:09 +0100
Subject: [PATCH 2/3] ta: pkcs11: check template consistency on get attribute
value
Check client template holds consistent attribute area sizes
value on PKCS11_CMD_GET_ATTRIBUTE_SIZE.
CVE: CVE-2026-33317
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900]
Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
ta/pkcs11/src/object.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
index ba3be7a71..470eeb247 100644
--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
@@ -840,12 +840,23 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
for (; cur < end; cur += len) {
struct pkcs11_attribute_head *cli_ref = (void *)cur;
struct pkcs11_attribute_head cli_head = { };
+ uintptr_t cli_end = 0;
void *data_ptr = NULL;
+ if ((char *)(cli_ref + 1) > end) {
+ rc = PKCS11_CKR_ARGUMENTS_BAD;
+ goto out;
+ }
+
/* Make copy of header so that is aligned properly. */
TEE_MemMove(&cli_head, cli_ref, sizeof(cli_head));
- len = sizeof(*cli_ref) + cli_head.size;
+ if (ADD_OVERFLOW(sizeof(*cli_ref), cli_head.size, &len) ||
+ ADD_OVERFLOW((uintptr_t)cur, len, &cli_end) ||
+ (char *)cli_end > end) {
+ rc = PKCS11_CKR_ARGUMENTS_BAD;
+ goto out;
+ }
/* Treat hidden attributes as missing attributes */
if (attribute_is_hidden(&cli_head)) {
--
2.43.0
@@ -0,0 +1,46 @@
From 75c1a999d6b51520234276b207ceefbd5e18ed02 Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@st.com>
Date: Wed, 21 Jan 2026 14:03:26 +0100
Subject: [PATCH 3/3] ta: pkcs11: fix attribute output size if too small on get
attribute value
Correct the size field output value for attributes fetched with
PKCS11_CMD_GET_ATTRIBUTE_VALUE where a too short buffer was provided.
As per the PKCS#11 specification, in such case, the related attributes
size field should be filled with CK_UNAVAILABLE_INFORMATION and the
function to return an non-true-error code like CKR_BUFFER_TOO_SMALL.
The implementation complied for the return value but was loading the
required attribute data value size instead in CK_UNAVAILABLE_INFORMATION
in the attribute size field.
CVE: CVE-2026-33317
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca]
Fixes: 783c1515c2f9 ("ta: pkcs11: Add support for getting object size and attribute value")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
ta/pkcs11/src/object.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c
index 470eeb247..ed2ce2a95 100644
--- a/ta/pkcs11/src/object.c
+++ b/ta/pkcs11/src/object.c
@@ -900,8 +900,11 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client,
attr_type_invalid = 1;
break;
case PKCS11_CKR_BUFFER_TOO_SMALL:
- if (data_ptr)
+ if (data_ptr) {
+ cli_head.size =
+ PKCS11_CK_UNAVAILABLE_INFORMATION;
buffer_too_small = 1;
+ }
break;
default:
rc = PKCS11_CKR_GENERAL_ERROR;
--
2.43.0
@@ -0,0 +1,40 @@
From 2fdf0aa10bd23c0e4633efa087a27ff07f79015f Mon Sep 17 00:00:00 2001
From: Jens Wiklander <jens.wiklander@linaro.org>
Date: Thu, 22 Jan 2026 14:19:36 +0100
Subject: [PATCH] core: crypto_api: fix underflow in emsa_pkcs1_v1_5_encode()
Guard against an integer underflow in emsa_pkcs1_v1_5_encode() that can
occur when calculating the padding field in the EMA-PKCS1-v1_5 encoding.
CVE: CVE-2026-33662
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/caeaa2ae551666068894005387cca4113b10873f]
Fixes: f5a70e3efb80 ("drivers: crypto: generic resources for crypto device driver - RSA")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
core/drivers/crypto/crypto_api/acipher/rsassa.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/core/drivers/crypto/crypto_api/acipher/rsassa.c b/core/drivers/crypto/crypto_api/acipher/rsassa.c
index 0f71b84cc..01f8d7dc9 100644
--- a/core/drivers/crypto/crypto_api/acipher/rsassa.c
+++ b/core/drivers/crypto/crypto_api/acipher/rsassa.c
@@ -45,9 +45,10 @@ static TEE_Result emsa_pkcs1_v1_5_encode(struct drvcrypt_rsa_ssa *ssa_data,
* Calculate the PS size
* EM Size (modulus size) - 3 bytes - DigestInfo DER format size
*/
- ps_size = ssa_data->key.n_size - 3;
- ps_size -= ssa_data->digest_size;
- ps_size -= 10 + hash_oid->asn1_length;
+ if (SUB_OVERFLOW(ssa_data->key.n_size, 3, &ps_size) ||
+ SUB_OVERFLOW(ps_size, ssa_data->digest_size, &ps_size) ||
+ SUB_OVERFLOW(ps_size, 10 + hash_oid->asn1_length, &ps_size))
+ return TEE_ERROR_BAD_PARAMETERS;
CRYPTO_TRACE("PS size = %zu (n %zu)", ps_size, ssa_data->key.n_size);
--
2.43.0
@@ -7,4 +7,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRCREV = "18b424c23aa5a798dfe2e4d20b4bde3919dc4e99"
SRC_URI += " \
file://0003-optee-enable-clang-support.patch \
file://CVE-2026-33317-1.patch \
file://CVE-2026-33317-2.patch \
file://CVE-2026-33317-3.patch \
file://CVE-2026-33662.patch \
"