Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
- assume that python3 and pip are installed.
Other changes:
- add logging of jobs to files
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(reworked for kirkstone branch)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add Marta and myself as maintainers for meta-security and the other
embedded layers that Armin had been maintaining. To avoid Armin
getting bugged about individual recipes, set the RECIPE_MAINTAINER
variables to myself.
(backport from master)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A race condition flaw was found in sssd where the GPO policy is
not consistently applied for authenticated users. This may lead
to improper authorization issues, granting or denying access to
resources inappropriately.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3758
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
As already mentioned in upgrade commit, this CVE is fixed.
But cve_check still reports it as NVD DB was not updated.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
[PATCH] Add support for the EROFS image, and it's compressed options,
to the dm-verity-img.bbclass setup, theoretically this is a simple addition
to the list of types however there is a quirk in how Poky handles the
filesystems in poky/meta/classes/image_types.bbclass.
Specifically the 'IMAGE_CMD' and 'IMAGE_FSTYPES' use a hyphen, e.g.
erofs-lz4, however in the image_type bbclass the task for that would be
"do_image_erofs_lz4", replacing the hyphen with an underscore.
As the dm-verity-img.bbclass adds a dependency to the wic image creation
on the do_image_* task then it fails as there is no
"do_image_erofs-lz4", so simply replace the hypen with an underscore.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 8ca6bb86e6)
Signed-off-by: Maciek Borzecki <maciek@thing.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
3.2.2
A buffer overflow in tss2-rc as CVE-2023-22745.
The drv layer in tss2-rc should have been the policy layer.
Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec.
FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0.
3.2.1
Makefile.am: make all EXTRA_DIST includes unconditional to fix pristine tars
Fix usage of NULL pointer if Esys_TR_SetAuth is calles with ESYS_TR_NONE.
Store VERSION into the release tarball.
fapi: fix usage of policy_nv with a TPM nv index.
Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea handle and not as parameter one, this affected the contents of cpHash.
linking tcti for libtpms against tss2-tctildr. It should be linked against tss2-mu.
build: Remove erroneous trailing comma in linker option. Bug #2391.
esys: fix allow usage of HMAC sessions for Esys_TR_FromTPMPublic.
test: build with opaque FILE structure like in musl libc.
Usage of a second profile in a path was not possible because the default profile was always used.
FAPI: Fix provisioning if auth value for storage hierarchy was set.
FAPI: Fix recreation of EK.
FAPI: Fix usage of lockout auth value in Fapi_Provison.
FAPI: Fix loading of key in policy execution.
FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being reflected across profiles.
Esys_PCR_SetAuthValue: remembers the auth like other SetAutg ESAPI functions.
tests: esys-pcr-auth-value.int moved to destructive tests.
FAPI: Fix double free if keystore is corrupted.
Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fixes:
swtpm: Could not open TCP socket: Address already in use
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b5642c519b)
[Fixup for kirkstone context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
USERADD_PARAM:${PN}-freshclam = "--system -g ${CLAMAV_GID} --home-dir \
${localstatedir}/lib/${BPN} \
--no-create-home --shell /sbin/nologin ${PN}"
The username added to the passwd file is ${PN}. When ${PN} is
multilibized, it no longer matches CLAMAV_UID. Make the two match.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Nothing in getting installed in ${datadir}/lib, it is all going to
${prefix}/lib. setuptools pulls in ${libdir}/* so for the base lib
case of ${prefix}/lib the build works. If libdir is something else
lib64 for example, its still ending up in ${prefix}/lib and it fails
to build.
Set value to correct path as it is being installed.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
CVE-2018-16838 is patched in our version of sssd but it doesn't have
a vulnerable version range in the NVD database,
that's why it needs to be ignored.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
The following occurs when pkgs-docs added to image features.
Error: Transaction test error:
file /usr/share/man/man3/lib.3 conflicts between attempted installs of lib-perl-doc-0.63-r0.corei7_64 and perl-doc-5.34.1-r0.corei7_64
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e05ce8fb39)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| checking for libaudit.h... no
| configure: error: You don't have libaudit properly installed. Install it if you need it.
| NOTE: The following config.log files may provide further information.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a8fba7a8ef)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The build patches are now included in the upstream,
the local binary checkes can be disabled with --disable-ptool-checks,
the boostrap doesn't need to be called if the release .tar.gz is used.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.
Since Yocto now uses OpenSSL 3.0, the file packaging need to
be updated.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The version number is correctly assigned only when the release .tar.gz
is used.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This deletes the patches that were unused for a long time,
updates the tpm2-tss package and introduces a fix to the version
number problem that got introduced with the 3.2.0 version.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Also, the recipe is fixed to correctly package the openssl provider.
This new tpm2-openssl:
- Fixed segmentation fault when a signature algorithm is beging initialized
without a private key.
- Fixed RSA/EC key equality checks. Works with OpenSSL 3.0.1.
- Added support for the `TPM2OPENSSL_PARENT_AUTH` environment variable.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add COMPATIBLE_HOST to match what is found in glibc
to avoid build error when using musl
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Use python3-native to use 2to3
Fix build issue on some hosts with this error:
(result, consumed) = self._buffer_decode(data, self.errors, final)
| UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd8 in position 152: invalid continuation byte
Signed-off-by: Armin Kuster <akuster808@gmail.com>
raise InvalidWheelFilename(f"{filename} is not a valid wheel filename.")
pip._internal.exceptions.InvalidWheelFilename: fail2ban-*-*.whl is not a valid wheel filename.
Removed build tracker: '/tmp/pip-req-tracker-qnepnk46'
ERROR: Failed to pip install wheel. Check the logs.
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Marta Rybczynska
Scott Murray
Rohini Sangam
Vijay Anusuri
Soumya Sambu
Armin Kuster
Peter Marko
Maciej Borzęcki
Josh Harley
Jose Quaresma
Jeremy A. Puhlman
Davide Gardenal
Anton Antonov
Joe Slater
Ranjitsinh Rathod
Petr Gotthard
Robert Yang
Ashish Sharma