getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
It was pointed out that the recipe was wrongly doing
FILESEXTRAPATHS:append, but on inspection the recipe does
not need it at all, so just remove.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(cherry picked from commit 5770a76fc0)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
To avoid confusion, remove stray aircrack-ng entry as it is actually
in the main layer and not meta-tpm.
(cherry picked from commit 9f1d763bb1)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
anyway due to all the machine overrides used in the packagegroup
definition. Since this packagegroup is to facilitate testing and
unlikely to be used by downstreams, it is believed this will have
minimal impact.
(adapted from 26e745243d)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
The 0.8 orig.tar.gz is not in debian mirror any more. In fact, we
really should avoid using orig.tar.gz like this because distros
like debian will just delete those that they don't maintain any more.
Switch to use git source.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit baaafdf08b)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
We get an intermittent QA error about file permissions, happening roughly
on 1 build of 10.
The change adds chown to prevent host ids on files related to the
set_required_questions.py script, to avoid long debugging for now.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(cherry picked from commit 7bdd0a8b48)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
The previously used package (nmu1) is not longer available, use the latest current
one (nmu3). The changelog between the two:
checksecurity (2.0.16+nmu3) unstable; urgency=medium
* Non-maintainer upload.
* Fix "missing required debian/rules targets build-arch and/or build-
indep": Add targets to debian/rules.
(Closes: #999082)
* Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm":
Bump to 7 in debian/{compat,control}.
(Closes: #965448)
* Fix some grave packaging errors:
- move debhelper from Build-Depends-Indep to Build-Depends
- remove temporary files debian/postrm.debhelper and debian/substvars from
source package
-- gregor herrmann <gregoa@debian.org> Sun, 26 Dec 2021 01:56:10 +0100
checksecurity (2.0.16+nmu2) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
* No source change upload to rebuild on buildd with .buildinfo files.
-- Holger Levsen <holger@debian.org> Fri, 01 Jan 2021 19:17:53 +0100
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(adapted from 828a78314f)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes:
- switch to scarthgap
- add required usrmerge feature to kas-security-alt configuration
- add whitespaces around assignement
- add common dldir/sstate
- don't build apparmor in musl configus
- only enable ptest for the test image
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(squashed and recent master changes backported)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
- assume that python3 and pip are installed.
Other changes:
- add logging of jobs to files
- build parsec images where appropriate
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(squashed and updated with missing master version changes)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add Marta and myself as maintainers for meta-security and the other
embedded layers that Armin had been maintaining. To avoid Armin
getting bugged about individual recipes, set the RECIPE_MAINTAINER
variables to myself.
(backport from master)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-osdetection-add-OpenEmbedded-and-Poky.patch
removed since it's included in 3.1.1.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Simple fix for Python 3.12 since it dropped asyncore. Catches the import
error instead of using a version check so that the user can install the
compatibility package for any uses that can't be upgraded to asyncio or
similar immediately.
Fixes:
# python3
Python 3.12.1 (main, Dec 7 2023, 20:45:44) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyinotify
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.12/site-packages/pyinotify.py", line 71, in <module>
import asyncore
ModuleNotFoundError: No module named 'asyncore'
>>>
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The install expects man8 directory to already exists. If not created
the man page gets installed as "man8", which causes conflicts with
other packages, that expect it to be a directory.
'arpsnmp' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/sbin/arpsnmp'
'./arpwatch.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
removed '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
'./arpsnmp.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
According to the Yocto reference manual [1], the IMAGE_NAME_SUFFIX should
be set to empty for the initramfs image. Otherwise, we may incur a build
error like following due to the initrd check in live-vm-common.bbclass:
ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed.
ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None)
ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965
ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1'
[1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Arpwatch won't build on a system without a sendmail provider
installed with out this setting.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
After the using inherit_defer for the image classes in oe-core commit
451363438d38 ("classes/recipes: Switch to use inherit_defer"),
the using of anonymous python function in dm-verity-img.bbclass to
set the IMAGE_FSTYPES doesn't work anymore. The reason is that
image.bbclass also use anonymous python function to add the do_image_xxx
task for the corresponding filesystem type. The anonymous function in
dm-verity-img.bbclass is evaluated much later than the one in
image.bbclass. Then the task such as do_image_vhash will not be added
as we expect. So we choose to use "+=" to set the IMAGE_FSTYPES.
The populate_sdk_ext.bbclass may generate a dependency list like below:
core-image-minimal.do_sdk_depends -> lib32-core-image-minimal.do_image_vhash
So we also need to make sure the do_image_vhash task for the multilib
filesystem is added.
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
After the oe-core commit 26d97acc7137 ("image-artifact-names: include
${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and
${IMAGE_LINK_NAME}"), the image names have changed from
core-image-minimal-qemux86-64-20230307181808.rootfs.ext4
core-image-minimal-qemux86-64.ext4
to
core-image-minimal-qemux86-64.rootfs-20230307181456.ext4
core-image-minimal-qemux86-64.rootfs.ext4
Adjust the images name used by dm-verity according to this change.
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport a patch to fix build with python 3.12:
$ bitbake openscap-native
Traceback (most recent call last):
File "<string>", line 1, in <module>
ModuleNotFoundError: No module named 'distutils'
CMake Error at swig/python3/CMakeLists.txt:35 (install):
install TARGETS given no LIBRARY DESTINATION for module target
"_openscap_py".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Append to IMAGE_INSTALL rather than directly setting the variable
and does it after inheriting core-image.bbclass because in it
IMAGE_INSTALL is set with a default value CORE_IMAGE_BASE_INSTALL.
Variable CORE_IMAGE_BASE_INSTALL includes CORE_IMAGE_EXTRA_INSTALL
so the change allows adding auditd to CORE_IMAGE_EXTRA_INSTALL as
per the instructions in meta-integrity/README.md.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add audit.cfg configuration fragment. By default it is not appended
to SRC_URI. It allows enabling the audit kernel subsystem which may
help to debug appraisal issues. Boot with "integrity_audit=1" to
capture a more complete set of events in /var/log/audit/.
Previously the same configuration fragment was provided by layer
meta-security-framework but it is no longer maintained therefore it
makes sense to have audit.cfg in layer meta-integrity.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
New openssl 3.2.0 version removed spaces around serialNumber in:
Subject: CN=parallaxsecond.com, serialNumber=EZ4U2CIXL
Fixes parsec-service oeqa test on qemu.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If image recipe A wants to embed another image B which used
dm-verity-img.bbclass and generated the .wks file, then
recipe B must deploy everything to IMGDEPLOYDIR but recipe A
finds the output from DM_VERITY_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}".
Now both A and B images can use dm-verity-img.bbclass.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Reviewed-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
