meta-arm recently changed the group name that is used by TS[1], so update
the group name to match.
[1] meta-arm 595cb0f1a0 ("arm/trusted-services: fix udev management in libts")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Instead of calling groupmems after creating the user, we can tell useradd
to do the group membership when creating the user. There are several
reasons for this:
1) Consolidation of the calls into a single call means creation is atomic,
it either worked or it did not.
2) The existing logic doesn't work if both TPM and TS were enabled.
3) GROUPMEMS_PARAM is broken in oe-core master[1] and this will not be
fixed as groupmems has been removed from shadow[2].
Instead, construct a list of groups that parsec needs to be a member of,
and pass them to useradd.
[1] https://bugzilla.yoctoproject.org/show_bug.cgi?id=16277
[2] shadow 388ce70 "*/: groupmems(8): Remove program"
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
By :appending the TPM option we make it impossible for distros to simply
assign to PACKAGECONFIG.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes from 1.09 to 1.10:
- Shorten syslog name to work with rsyslog (#172)
- Update config file with grace period in all cases (#193)
- Remove printing QR code using Google Charts URL (service shut down)
Changes from 1.10 to 1.11:
- Change secret key bits from 128 to 160 bits (#266, #271)
- Add support for black & white terminals (#268, #270)
- Fix grace_period for IPv6 link-local addresses (#265)
Also fix the .bb recipe:
- Fix typo: RDEPNEDS -> RDEPENDS
- Use new override syntax: RDEPENDS:pam-google-authenticator
(replaces old underscore style RDEPENDS_pam-google-authenticator)
Signed-off-by: Haitao Liu <haitao.liu@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Fix the typo "tmp-layer" in "WARN_QA:append".
The right name for this layer in OVERRIDES is layer-tpm-layer
by checking "bitbake -e <recipe_name> | grep ^OVERRIDES=".
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Because "x86_64" and "arm64" aren't valid in bitbake OVERRIDES,
they should be corrected to "x86-64" and "aarch64".
On the other side, "x86_64" and "arch64" aren't valid MACHINE
names.
So correct the way to "only allow x86-64 and arm64 to build":
COMPATIBLE_MACHINE = "(-)" => disallow all machine first
COMPATIBLE_MACHINE:aarch64 = "(.*)" => when arch "aarch64" in
OVERRIDES, allow all machines.
COMPATIBLE_MACHINE:x86-64 = "(.*)" => when arch "x86-64" in
OVERRIDES, allow all machines.
Fix 1dd076d3a7 ("firejail: only allow x86-64 and arm64 to build")
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
To work around an install conflict between python3-cryptography and
python3-pyrad and unblock CI runs, remove python3-privacyidea from
the packagegroup dynamic bbappend temporarily.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add aircrack-ng, crowdsec, ncrack, and opendnssec where appropriate
now that they have been updated to build again.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Bump to HEAD of ncrack's master branch to pick up build fixes for
newer gcc's. PV has been updated to indicate that we are now
building something newer than the 0.7 tagged commit.
License-Update: copyright years refreshed
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove libmspack recipe, and remove it from clamav's DEPENDS.
clamav now vendors its own substantially modified copy, so there's
no reason to carry a recipe for it.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Upgrade to the latest release, 1.7, and rework recipe so that it
actually builds again. Note that the extra scripts are no longer
installed by default as they seem somewhat stale and likely further
work is required to have any of them work. A PACKAGECONFIG option,
"ext-scripts" has been added to enable installing them if they are
required for some reason.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
The crowdsec recipe has seemingly been broken since soon after its
addition, rewrite it to build the latest version with the go-mod
bbclass.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Use patch submitted upstream to fix build error:
| src/lib/tpm.c: In function ‘tpm_unseal’:
| src/lib/tpm.c:1040:16: error: incompatible types when returning type ‘_Bool’ but ‘twist’ {aka ‘const char *’} was expected
| 1040 | return false;
| | ^~~~~
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update LAYERSERIES_COMPAT in all layer.conf files with the exception
of meta-parsec to wrynose. For meta-parsec, added wrynose to the list
of supported versions.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Change the "poky" layer configuration name to "meta-yocto" in the
KAS configuration so the cloned repo name is less confusing in logs,
and fix a spot where "poky" -> "openembedded-core" had been missed
in the gitlab configuration.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Commit cd729862f6 added native/nativesdk
possibility to tpm2-pkcs11.
After 784ca4b658 which added rdepends on
python3-tpm2-pytss, there are errors like:
Missing or unbuildable dependency chain was:
['<image>', 'swtpm-native', 'tpm2-pkcs11-tools-native', 'python3-tpm2-pytss-native']
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Allow downstream users to explicitly select desired PACKAGECONFIG
options (e.g. via "=").
Users are currently forced to use ":remove" (with "ptest").
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
This is necessary for cryptsetup starting from v2.8.0 which introduced
"[units]" in its output breaking the parsing of veritysetup output.
VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type: 1
Data blocks: 40091
Data block size: 4096 [bytes]
Hash blocks: 318
Hash block size: 4096 [bytes]
Hash algorithm: sha256
Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693
This extends the value filter to remove the "[units]" from the .env file,
while retaining compatibility to older cryptsetup releases.
Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
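The value filtering described in the commit message above, as an added example (not the meta-security implementation): it parses veritysetup output into .env-style pairs, strips a trailing "[units]" suffix, and rejects values that are still malformed. The upper-case key naming, the function names and the set of validated keys are assumptions made for illustration.

```python
import re

# Sample input: the veritysetup output quoted in the commit message above
# (cryptsetup >= 2.8.0 appends "[bytes]" to the block-size values).
SAMPLE_NEW = """\
VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID:            	5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type:       	1
Data blocks:     	40091
Data block size: 	4096 [bytes]
Hash blocks:     	318
Hash block size: 	4096 [bytes]
Hash algorithm:  	sha256
Salt:            	f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash:      	a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693
"""
# Constructed: the same output as an older cryptsetup would print it.
SAMPLE_OLD = SAMPLE_NEW.replace(" [bytes]", "")

UNIT_SUFFIX = re.compile(r"\s*\[[^\]]*\]\s*$")  # trailing "[bytes]" etc.
NUMERIC_KEYS = {"HASH_TYPE", "DATA_BLOCKS", "DATA_BLOCK_SIZE",
                "HASH_BLOCKS", "HASH_BLOCK_SIZE"}


def parse_verity(text):
    """Return {KEY: value} from veritysetup output, with unit suffixes removed."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # header line ("VERITY header information ...") or blank
        # Assumed naming convention: upper case, spaces become underscores.
        key = key.strip().upper().replace(" ", "_")
        value = UNIT_SUFFIX.sub("", value.strip())
        # Fail the build early instead of writing a bad value to the .env file.
        if key in NUMERIC_KEYS and not value.isdigit():
            raise ValueError(f"{key}: expected an integer, got {value!r}")
        if key == "ROOT_HASH" and not re.fullmatch(r"[0-9a-f]+", value):
            raise ValueError(f"{key}: expected lower-case hex, got {value!r}")
        env[key] = value
    return env


def to_env(env):
    """Serialise the parsed values as KEY=value lines."""
    return "".join(f"{k}={v}\n" for k, v in env.items())


if __name__ == "__main__":
    print(to_env(parse_verity(SAMPLE_NEW)), end="")
```
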
Changes to catch up with current kas and future-proof a bit:
* Update the kas configuration file versions to 19 to match kas 4.8.x.
* Change refspec to branch to remove deprecation warnings.
* Add quoting around URLs to match upstream examples.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Since clang is in openembedded-core now, meta-parsec no longer needs
meta-clang. Also updated maintainers in meta-parsec README.md since
it had previously been missed.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
jansson is required as of Suricata 5.0:
https://github.com/OISF/suricata/commit/e49c40428e1b9f7e5dcdb5857c3978d5cb859fd9
This is still required in the latest release:
https://github.com/OISF/suricata/blob/suricata-8.0.2/configure.ac#L828
On exclusion attempt:
[...]
| checking for jansson.h... no
| checking for json_dump_callback in -ljansson... no
|
| ERROR: Jansson is now required.
|
| Go get it from your distribution or from:
| http://www.digip.org/jansson/
|
| Ubuntu/Debian: apt install libjansson-dev
| CentOS: yum install jansson-devel
| Fedora: dnf install jansson-devel
|
| NOTE: The following config.log files may provide further information.
| NOTE: [...]/poky-whinlatter/build/tmp/work/cortexa57-poky-linux/suricata/7.0.13/sources/suricata-7.0.13/config.log
| ERROR: configure failed
| WARNING: exit code 1 from a shell command.
ERROR: Task ([...]/poky-whinlatter/layers/meta-security/recipes-ids/suricata/suricata_7.0.13.bb:do_configure) failed with exit code '1'
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Switch back to the "stable" branch in SRC_URI now that upstream
has changed its branch maintenance model so it is indeed stable.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Inherit github-releases class to check the correct latest stable
version.
Before the patch:
$ devtool latest-version sssd
INFO: Current version: 2.10.2
INFO: Latest version:
After the patch:
$ devtool latest-version sssd
INFO: Current version: 2.10.2
INFO: Latest version: 2.11.1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add UPSTREAM_CHECK_URI to check the correct latest stable version.
Before the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version:
After the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version: 0.9.9.9
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>