Re: [yocto] [meta-security][PATCH] parsec-service: update from 1.1.0 to 1.2.0-rc1

2023-03-26 Thread Mikko Rapeli
Hi,

On Fri, Mar 24, 2023 at 08:05:08AM -0700, Anton Antonov wrote:
> Hi Mikko,
> 
> > 
> > +SRC_URI +=
> > "git://github.com/parallaxsecond/parsec;protocol=https;branch=main \
> 
> We noticed another small issue with your patch. Could you use gitsm instead 
> of git, so required git submodules will be fetched as well:
> 
> SRC_URI += "gitsm://github.com/parallaxsecond/parsec;protocol=https;branch=main \

Sure, I can change this, but the build and major parsec-services features also work
without this repo:

# cat .gitmodules
[submodule "trusted-services-vendor"]
path = trusted-services-vendor
url = https://git.trustedfirmware.org/TS/trusted-services.git
branch = integration

Cheers,

-Mikko

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#59522): https://lists.yoctoproject.org/g/yocto/message/59522
Mute This Topic: https://lists.yoctoproject.org/mt/97796264/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [meta-security][PATCH] parsec-service: update from 1.1.0 to 1.2.0-rc1

2023-03-24 Thread Anton Antonov
Hi Mikko,

> 
> +SRC_URI +=
> "git://github.com/parallaxsecond/parsec;protocol=https;branch=main \

We noticed another small issue with your patch. Could you use gitsm instead of 
git, so required git submodules will be fetched as well:

SRC_URI += "gitsm://github.com/parallaxsecond/parsec;protocol=https;branch=main \

Thank you,

Anton

View/Reply Online (#59519): https://lists.yoctoproject.org/g/yocto/message/59519



Re: [yocto] [meta-security][PATCH] parsec-service: update from 1.1.0 to 1.2.0-rc1

2023-03-24 Thread Mikko Rapeli
Hi,

On Fri, Mar 24, 2023 at 05:24:31AM -0700, Anton Antonov wrote:
> Hi Mikko,
> 
> Thank you for the patch. In general I don't mind switching from "cargo 
> bitbake" to "bitbake -c update_crates" for Parsec recipes. But, in this case 
> when you use a git repository instead of a Parsec crate the 
> cargo-update-recipe-crates class includes dependency crates from 
> "fuzz/Cargo.lock" which are not required for Yocto builds.

Ok, will remove these.

> If you urgently need a new Yocto Parsec recipe then please remove all the 
> fuzz/Cargo.lock dependencies. Otherwise we can wait until the Parsec 1.2.0 
> crate is released.

parsec-service recipe has been broken for weeks already. I want this
to be resolved and backporting fixes to parsec 1.1.0 doesn't seem to
work.

Cheers,

-Mikko

View/Reply Online (#59517): https://lists.yoctoproject.org/g/yocto/message/59517



Re: [yocto] [meta-security][PATCH] parsec-service: update from 1.1.0 to 1.2.0-rc1

2023-03-24 Thread Anton Antonov
Hi Mikko,

Thank you for the patch. In general I don't mind switching from "cargo bitbake" 
to "bitbake -c update_crates" for Parsec recipes. But, in this case when you 
use a git repository instead of a Parsec crate the cargo-update-recipe-crates 
class includes dependency crates from "fuzz/Cargo.lock" which are not required 
for Yocto builds.

If you urgently need a new Yocto Parsec recipe then please remove all the 
fuzz/Cargo.lock dependencies. Otherwise we can wait until the Parsec 1.2.0 
crate is released.

Cheers,

Anton

View/Reply Online (#59516): https://lists.yoctoproject.org/g/yocto/message/59516
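
The check requested in the message above (drop crates that only fuzz/Cargo.lock pulls in), as an added example that is not part of the original thread or of cargo-update-recipe-crates.bbclass. The two lock files are constructed samples, and the function names are hypothetical.

```python
import re

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample lock files (not copied from the Parsec repository).
ROOT_LOCK = '''
[[package]]
name = "anyhow"
version = "1.0.69"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "parsec-service"
version = "1.2.0-rc1"
dependencies = [
 "anyhow",
]
'''
FUZZ_LOCK = '''
[[package]]
name = "anyhow"
version = "1.0.69"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libfuzzer-sys"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

def registry_crates(lock_text):
    """Return {(name, version)} for [[package]] entries fetched from crates.io."""
    crates = set()
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, re.M))
        if fields.get("source") == REGISTRY:  # skips the workspace's own package
            crates.add((fields["name"], fields["version"]))
    return crates

def split_crates(root_lock, fuzz_lock):
    """Crates the build needs, and crates that appear only in the fuzz lock."""
    root = registry_crates(root_lock)
    fuzz_only = registry_crates(fuzz_lock) - root
    return sorted(root), sorted(fuzz_only)

def src_uri_lines(crates):
    """Format crates the way the recipe's .inc file lists them."""
    return ["crate://crates.io/%s/%s \\" % crate for crate in crates]
```

Anything returned in the second list is a fetch the recipe does not need and can be dropped from the generated `SRC_URI`.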



Re: [yocto] [meta-security][PATCH] parsec-service: update from 1.1.0 to 1.2.0-rc1

2023-03-23 Thread Armin Kuster

Anton,

On 3/23/23 3:24 AM, Mikko Rapeli wrote:

parsec-service 1.1.0 fails to compile with latest tpm2-tss update
in meta-security:


Can you Ack/Nack this patch?

-armin


| error: failed to run custom build command for `tss-esapi v7.1.0`
|
| Caused by:
|   process didn't exit successfully:
`/oe/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/parsec-service/1.1.0-r0/build/target/release/build/tss-esapi-5b5d9342bd16db73/build-script-build`
(exit status: 101)
|   --- stderr
|   thread 'main' panicked at 'Unsupported TSS version: 4',
/oe/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/parsec-service/1.1.0-r0/cargo_home/bitbake/tss-esapi-7.1.0/build.rs:9:22

and also latest meta-clang changes break the build with:

|   thread 'main' panicked at 
'"enum_(unnamed_at_/oe/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/parsec-service/1_1_0-r0/build/target/aarch64-trs-linux-gnu/release/build/psa-crypto-sys-b4f9ce2b7d8846b2/out/include/mbedtls/cipher_h_205_1)"
 is not a valid Ident', 
/oe/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/parsec-service/1.1.0-r0/cargo_home/bitbake/proc-macro2-1.0.43/src/fallback.rs:730:9
|   stack backtrace:
|  0: rust_begin_unwind
|  1: core::panicking::panic_fmt
|  2: proc_macro2::fallback::validate_ident
|  3: proc_macro2::fallback::Ident::_new
|  4: proc_macro2::fallback::Ident::new
|  5: proc_macro2::imp::Ident::new
|  6: proc_macro2::Ident::new
|  7: bindgen::ir::context::BindgenContext::rust_ident_raw
|  8: bindgen::ir::context::BindgenContext::rust_ident
|  9: ::codegen
| 10: ::codegen
| 11: ::codegen
| 12: ::codegen::{{closure}}
| 13: ::codegen
| 14: ::codegen
| 15: bindgen::codegen::codegen::{{closure}}
| 16: bindgen::ir::context::BindgenContext::gen
| 17: bindgen::codegen::codegen
| 18: bindgen::Bindings::generate
| 19: bindgen::Builder::generate
| 20: build_script_build::common::generate_mbed_crypto_bindings
| 21: build_script_build::operations::script_operations
| 22: build_script_build::main
| 23: core::ops::function::FnOnce::call_once
|   note: Some details are omitted, run with `RUST_BACKTRACE=full` for a 
verbose backtrace.

In both cases the fix is to update to the master branch or 1.2.0-rc1 pre-release.
Porting the individual patches did not work due to complex rust crate dependencies.

Added LICENSE file checksum. Using cargo-update-recipe-crates.bbclass from
poky to maintain list of crates in the .inc file. Tested on qemu that
parsec.service starts correctly and works with swtpm use cases.

Signed-off-by: Mikko Rapeli 
---
  .../parsec-service/parsec-service-crates.inc  | 449 ++
  .../parsec-service/parsec-service_1.1.0.inc   | 223 -
  ...e_1.1.0.bb => parsec-service_1.2.0-rc1.bb} |  14 +-
  3 files changed, 459 insertions(+), 227 deletions(-)
  create mode 100644 
meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc
  delete mode 100644 
meta-parsec/recipes-parsec/parsec-service/parsec-service_1.1.0.inc
  rename meta-parsec/recipes-parsec/parsec-service/{parsec-service_1.1.0.bb => 
parsec-service_1.2.0-rc1.bb} (91%)

diff --git 
a/meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc 
b/meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc
new file mode 100644
index 000..af7cb8d
--- /dev/null
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc
@@ -0,0 +1,449 @@
+# Autogenerated with 'bitbake -c update_crates parsec-service'
+
+# from Cargo.lock
+SRC_URI += " \
+crate://crates.io/ahash/0.7.6 \
+crate://crates.io/aho-corasick/0.7.20 \
+crate://crates.io/ansi_term/0.12.1 \
+crate://crates.io/anyhow/1.0.69 \
+crate://crates.io/asn1-rs/0.3.1 \
+crate://crates.io/asn1-rs-derive/0.1.0 \
+crate://crates.io/asn1-rs-impl/0.1.0 \
+crate://crates.io/atty/0.2.14 \
+crate://crates.io/autocfg/1.1.0 \
+crate://crates.io/base64/0.13.1 \
+crate://crates.io/bincode/1.3.3 \
+crate://crates.io/bindgen/0.57.0 \
+crate://crates.io/bindgen/0.63.0 \
+crate://crates.io/bitfield/0.13.2 \
+crate://crates.io/bitflags/1.3.2 \
+crate://crates.io/bumpalo/3.12.0 \
+crate://crates.io/bytes/1.4.0 \
+crate://crates.io/cc/1.0.79 \
+crate://crates.io/cexpr/0.4.0 \
+crate://crates.io/cexpr/0.6.0 \
+crate://crates.io/cfg-if/1.0.0 \
+crate://crates.io/clang-sys/1.6.0 \
+crate://crates.io/clap/2.34.0 \
+crate://crates.io/cmake/0.1.45 \
+crate://crates.io/const-oid/0.7.1 \
+crate://crates.io/cryptoauthlib-sys/0.2.2 \
+crate://crates.io/cryptoki/0.3.1 \
+crate://crates.io/cryptoki-sys/0.1.5 \
+crate://crates.io/data-encoding/2.3.3 \
+crate://crates.io/der/0.5.1 \
+crate://crates.io/der-parser/7.0.0 \
+crate://crates.io/derivative/2.2.0 \
+crate://crates.io/displaydoc/0.2.3 \
+crate://crates.io/either/1.8.1 \
+crate://crates.io/enumflags2/0.7.5 \
+
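
Review bot: the crate list under "# from Cargo.lock" pins two versions each of bindgen (0.57.0 and 0.63.0) and cexpr (0.4.0 and 0.6.0). Since the meta-clang failure quoted in the commit message panics inside bindgen while generating the psa-crypto-sys bindings, please state in the commit message which dependency still requires bindgen 0.57.0 and confirm that the build which failed now uses the newer one. Also, because the file header says it is autogenerated with 'bitbake -c update_crates parsec-service', any entries removed by hand will come back on the next regeneration, so the removal should be done in a way that survives rerunning the task.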