Re: [yocto] [meta-integrity] layer.conf: switch to keyutils from meta-oe
Mon, 29 Jul 2019 at 13:45, :
>
> From: Dmitry Eremin-Solenikov
>
> As pointed out by Martin Jansa, keyutils package is now a part of meta-oe,
> so switch to using keyutils from that layer.
>
> Signed-off-by: Dmitry Eremin-Solenikov

This patch is still necessary.

--
With best wishes
Dmitry
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing
Hello, Sun, 4 Aug 2019 at 23:53, akuster808 : > On 8/4/19 1:24 PM, Dmitry Eremin-Solenikov wrote: > > Sun, 4 Aug 2019 at 18:30, akuster808 : > >> On 7/28/19 8:31 AM, Dmitry Eremin-Solenikov wrote: > >>> From: Dmitry Eremin-Solenikov > >>> > >>> Add bbclass responsible for handling signing of kernel modules. > >>> > >>> Signed-off-by: Dmitry Eremin-Solenikov > >>> > >>> --- > >>> meta-integrity/classes/kernel-modsign.bbclass | 29 +++ > >>> .../data/debug-keys/privkey_modsign.pem | 28 ++ > >>> .../data/debug-keys/x509_modsign.crt | 22 ++ > >>> 3 files changed, 79 insertions(+) > >>> create mode 100644 meta-integrity/classes/kernel-modsign.bbclass > >>> create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem > >>> create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt > >>> > >>> diff --git a/meta-integrity/classes/kernel-modsign.bbclass > >>> b/meta-integrity/classes/kernel-modsign.bbclass > >>> new file mode 100644 > >>> index ..1e4d94b79091 > >>> --- /dev/null > >>> +++ b/meta-integrity/classes/kernel-modsign.bbclass
> >>> @@ -0,0 +1,29 @@ > >>> +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be > >>> +# set explicitly in a local.conf before activating kernel-modsign. > >>> +# To use the insecure (because public) example keys, use > >>> +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" > >>> +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET" > >>> + > >>> +# Private key for modules signing. The default is okay when > >>> +# using the example key directory. > >>> +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" > >>> + > >>> +# Public part of certificates used for modules signing. > >>> +# The default is okay when using the example key directory. > >>> +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" > >>> + > >>> +# If this class is enabled, disable stripping signatures from modules > >>> +INHIBIT_PACKAGE_STRIP = "1" > >>> + > >>> +do_configure_prepend() { > >> This is being pulled in with every configure task and causing parsing > >> issues. > >> > >> I changed it to "kernel_do_configure_prepend" and that fixed the issue I > >> was seeing. > > Interesting. I haven't seen this issue. Could you please share any details? > > > > Changed bbclass appears to work for me, so either of them is fine from my > > point of view. > with 'INHERIT += "kernel-modsign"' added to my local.conf I see this. I see. My intent is to use DISTRO_FEATURES_append += "modsign". A corresponding patch for oe-core/meta/classes/module.bbclass will be submitted after this one goes in. 
> bitbake integrity-image-minimal > WARNING: > /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb: > Exception during build_dependencies for do_configure > WARNING: > /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb: > Error during finalise of > /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb > ERROR: Unable to parse > /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb > Traceback (most recent call last): > File "/home/build/releases/master/poky/bitbake/lib/bb/siggen.py", line > 149, in > SignatureGeneratorOEBasicHash.finalise(fn='/home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb', > d=, variant=None): > try: > >taskdeps = self._build_data(fn, d) > except bb.parse.SkipRecipe: > File "/home/build/releases/master/poky/bitbake/lib/bb/siggen.py", line > 120, in > SignatureGeneratorOEBasicHash._build_data(fn='/home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb', > d=): > ignore_mismatch = ((d.getVar("BB_HASH_IGNORE_MISMATCH") or > '') == '1') > >tasklist, gendeps, lookupcache = > bb.data.generate_dependencies(d) > > File "/home/build/releases/master/poky/bitbake/lib/bb/data.py", line > 379, in generate_dependencies(d= 0x7f9905e4e7f0>): > for task in tasklist: > >deps[task], values[task] = build_dependencies(task, keys, > shelldeps, varflagsexc
Re: [yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing
Sun, 4 Aug 2019 at 18:30, akuster808 : > On 7/28/19 8:31 AM, Dmitry Eremin-Solenikov wrote: > > From: Dmitry Eremin-Solenikov > > > > Add bbclass responsible for handling signing of kernel modules. > > > > Signed-off-by: Dmitry Eremin-Solenikov > > --- > > meta-integrity/classes/kernel-modsign.bbclass | 29 +++ > > .../data/debug-keys/privkey_modsign.pem | 28 ++ > > .../data/debug-keys/x509_modsign.crt | 22 ++ > > 3 files changed, 79 insertions(+) > > create mode 100644 meta-integrity/classes/kernel-modsign.bbclass > > create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem > > create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt > > > > diff --git a/meta-integrity/classes/kernel-modsign.bbclass > > b/meta-integrity/classes/kernel-modsign.bbclass > > new file mode 100644 > > index ..1e4d94b79091 > > --- /dev/null > > +++ b/meta-integrity/classes/kernel-modsign.bbclass
> > @@ -0,0 +1,29 @@ > > +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be > > +# set explicitly in a local.conf before activating kernel-modsign. > > +# To use the insecure (because public) example keys, use > > +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" > > +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET" > > + > > +# Private key for modules signing. The default is okay when > > +# using the example key directory. > > +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" > > + > > +# Public part of certificates used for modules signing. > > +# The default is okay when using the example key directory. > > +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" > > + > > +# If this class is enabled, disable stripping signatures from modules > > +INHIBIT_PACKAGE_STRIP = "1" > > + > > +do_configure_prepend() { > > This is being pulled in with every configure task and causing parsing > issues. > > I changed it to "kernel_do_configure_prepend" and that fixed the issue I > was seeing. Interesting. I haven't seen this issue. Could you please share any details? Changed bbclass appears to work for me, so either of them is fine from my point of view. > things appear to be still working, Can you double check. -- With best wishes Dmitry -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-integrity][PATCH] ima-evm-utils: bump to release 1.2.1
Thu, 1 Aug 2019 at 14:43, akuster808 :
>
> Dmitry,
>
>
> On 7/31/19 1:24 PM, dbarysh...@gmail.com wrote:
> > From: Dmitry Eremin-Solenikov
> >
> > Signed-off-by: Dmitry Eremin-Solenikov
> > ---
> > ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 ---
> > ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43
> > ...clude-hash-info.gen-into-distributio.patch | 31 -
> > ...ma-evm-utils-update-.gitignore-files.patch | 34 --
> > .../ima-evm-utils/ima-evm-utils_git.bb| 12 +---
> > 5 files changed, 3 insertions(+), 182 deletions(-)
> > delete mode 100644
> > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
> > delete mode 100644
> > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
> > delete mode 100644
> > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
> > delete mode 100644
> > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
> I am evaluating all your updates to this layer. I am traveling (PTO) and
> have limited access to test system. I will either merge them or send
> feedback in the next few days.

Thank you for the update. I'll wait for the feedback.

--
With best wishes
Dmitry
Re: [yocto] [meta-integrity][PATCH 1/3] layer.conf: add dependency on meta-security
Mon, 29 Jul 2019 at 12:49, Martin Jansa : > > On Wed, Jul 24, 2019 at 02:23:24PM +0300, Dmitry Eremin-Solenikov wrote: > > ima-evm-utils recipe depends on keyutils recipe which is a part of > > meta-security layer. > > > > Signed-off-by: Dmitry Eremin-Solenikov > > --- > > meta-integrity/conf/layer.conf | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf > > index 2f696cf7c332..917aa86e11d7 100644 > > --- a/meta-integrity/conf/layer.conf > > +++ b/meta-integrity/conf/layer.conf > > @@ -22,3 +22,5 @@ IMA_EVM_BASE := '${LAYERDIR}' > > OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" > > > > LAYERSERIES_COMPAT_integrity = "warrior" > > +# ima-evm-utils depends on keyutils from meta-security > > +LAYERDEPENDS_integrity = "core security" > > keyutils are now in meta-oe: > http://git.openembedded.org/meta-openembedded/commit/?id=415e213ad75ec9a93171c963395a1c4b92c6233b Thank you! -- With best wishes Dmitry
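Review bot: The added `LAYERDEPENDS_integrity = "core security"` line and the comment above it tie the layer to meta-security for keyutils, but as the reply notes keyutils now lives in meta-oe, so the dependency should name meta-oe's collection (`openembedded-layer`) and the comment should be updated to match. Because LAYERDEPENDS is a hard requirement, bitbake will refuse to start when the named layer is missing from bblayers.conf, so naming the wrong layer forces users to add one they do not need.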
[yocto] [meta-security 3/3] linux: add support for kernel modules signing
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- meta-integrity/recipes-kernel/linux/linux-%.bbappend | 3 +++ meta-integrity/recipes-kernel/linux/linux/modsign.cfg | 5 + meta-integrity/recipes-kernel/linux/linux/modsign.scc | 4 3 files changed, 12 insertions(+) create mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.scc diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend index 931854ef8257..ca96c8d1901e 100644 --- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -1,3 +1,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}" +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' file://modsign.scc file://modsign.cfg', '', d)}" + +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg new file mode 100644 index ..c0c4ebcf2e7b --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg @@ -0,0 +1,5 @@ +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_SHA256=y +CONFIG_MODULE_SIG_HASH="sha256" +CONFIG_MODULE_SIG_KEY="modsign_key.pem" diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.scc b/meta-integrity/recipes-kernel/linux/linux/modsign.scc new file mode 100644 index ..bce78ae9b145 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/modsign.scc @@ -0,0 +1,4 @@ +define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement" +define KFEATURE_COMPATIBILITY all + +kconf non-hardware modsign.cfg -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
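Review bot: In linux-%.bbappend the new `inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}` line applies to every recipe whose name starts with `linux-`, not only to kernel recipes, so with `modsign` enabled recipes such as linux-libc-headers or linux-firmware would inherit the signing class too. Guard the inherit on the recipe being a kernel (for example with `bb.data.inherits_class('kernel', d)`), so the key handling stays confined to the kernel build.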
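Review bot: `CONFIG_MODULE_SIG_KEY="modsign_key.pem"` in modsign.cfg is a bare file name that nothing in this patch creates, and the fragment does not say where it comes from. Since `CONFIG_MODULE_SIG_FORCE=y` makes the kernel accept only modules signed with a trusted key, add a comment in modsign.cfg or extend the KFEATURE_DESCRIPTION in modsign.scc to state that the file is produced by the kernel-modsign class inherited in the bbappend.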
[yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing
From: Dmitry Eremin-Solenikov Add bbclass responsible for handling signing of kernel modules. Signed-off-by: Dmitry Eremin-Solenikov --- meta-integrity/classes/kernel-modsign.bbclass | 29 +++ .../data/debug-keys/privkey_modsign.pem | 28 ++ .../data/debug-keys/x509_modsign.crt | 22 ++ 3 files changed, 79 insertions(+) create mode 100644 meta-integrity/classes/kernel-modsign.bbclass create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass new file mode 100644 index ..1e4d94b79091 --- /dev/null +++ b/meta-integrity/classes/kernel-modsign.bbclass @@ -0,0 +1,29 @@ +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be +# set explicitly in a local.conf before activating kernel-modsign. +# To use the insecure (because public) example keys, use +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET" + +# Private key for modules signing. The default is okay when +# using the example key directory. +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" + +# Public part of certificates used for modules signing. +# The default is okay when using the example key directory. +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" + +# If this class is enabled, disable stripping signatures from modules +INHIBIT_PACKAGE_STRIP = "1" + +do_configure_prepend() { +if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then +cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ +> "${B}/modsign_key.pem" +else +bberror "Either modsign key or certificate are invalid" +fi +} + +do_shared_workdir_append() { +cp modsign_key.pem $kerneldir/ +} diff --git a/meta-integrity/data/debug-keys/privkey_modsign.pem b/meta-integrity/data/debug-keys/privkey_modsign.pem new file mode 100644 index ..4cac00ae303a --- /dev/null 
+++ b/meta-integrity/data/debug-keys/privkey_modsign.pem @@ -0,0 +1,28 @@ +-BEGIN PRIVATE KEY- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEWsJjB2pA5Ih6 +EelXvVjwWY1ix1azMciNRNPPQN1AMXF0K/VUkfOYbaPajg1cQYEf9gk3q7OZ5Axk +UY/e5piZORaPcsmj0lV0L+NSlRYydR5M/QxtEz26585FgqRGdAe6umStPmVKdqa2 +d68O4PgQgJJtVuz6ndm+0uNEUDCVLwhkGQSwNB3qBbZAUX9escZ/a8eUiBfMYKaO +k8JRyM+2br9dgpTFg4UfBYexgNSQo8g5TIBGc8KgQiKCuFj1fQEhV5z4RusHthjc +NYXa3RHmdclxyrGeYr5ZRc47HqE1gd5NDR0WeHn4C4YKcfK1rZZz/2+6hfsIRfGx +6cQKk23hAgMBAAECggEAJ0ULiWirPG04SkmYxF5vEiqm1zGMymvTc0VnoxSS60q4 +KQa9mvtRn5OV6JjuXRwQqga30zV4xvdP7yRMxMSTkllThL7tSuE/C+yj5xlABjlc +JQOa35mwh9fibg5xslF0Vkj+55MKCPlv4CBRl4Uwt4QvRMTUwk6dhMeCgmATR1J1 +2/7AipjtfFYreDx7sLbRVvSzUhmZS0iCbNOhtTWPLNW+9YKHTOffKa04HzNtnAXq +OjJ0IRZD/C6LfkBUsnHg2eEiA97QXh/Srsl9nc8DaUK1IXRywEdmYIoNMWMav2Hm +RO8kkU30BqKW+/EO2ZbH2GmkxvwWd0ocBnLC3FRWEQKBgQDu4T8CB3YsOcVjqem4 +iBlaSht/b46YQc7A1SOqZCimehmmXNSxQOkapIG3wlIr5edtXQA+xv09+WrproUB +SjAnqaH6pYeCvbNlY5k344gtYs+Kco2rq5GYa+LumAeX2Sam8F7u4LxvEogCecX7 +e4rnG3lt3AVuuRE7zpCQtaWcJQKBgQDSbUvea9pcYli9pssTl+ijQKkgG9DdaYbA +I5w5bY1TPYZ/Ocysljefv/ssaHFh4DPxE1MQ5JHwZgZRo1EICxxYzGsLjyR/fmjz +1c/NJlTtalCNtLvWaf7b02ag/abnP8neiSpLL5xqHvGo5ikWwgYQD+9HVKGvL3S1 +kI7x/ziADQKBgQCqFbkuMa/jh3LTJp0iZc1fa1qu3vhx0pFq3Zeab9w9xLxUps5O +MwCGltFBzNuDJBwm00wkZrzTjq6gGkHbjD5DT1XkyE13OqjsLQFgOOKyJiPN2Qik +TfHJzC91YMwvQ09xF78QaPXiRBiRYrEkAXACY56PKVS45I6vvcFTN/Ll/QKBgA9m +KDMyuVwhZlUaq6nXaBLqXHYZEwPhARd2g6xANCNvUTRmSnAm3hM2vW7WhdWfzq1J +uL53u6ZYEQZQaVGpXn2xF/RUmVsrKQsPDpH4yCZHrXVxUH20bA4yPkRxy5EIvgEn +EI1IAq5RbWXq0f70W/U49U3HB74GPwg6d/uFreDRAoGAN+v9gMQA6A1vM7LvbYR8 +5CwwyqS/CfI9zKPLn53QstguXC/ObafIYQzVRqGb9lCQgtlmmKw4jMY0B/lDzpcH +zS8rqoyvDj/m7i17NYkqXErJKLRQ0ptXKdLXHlG0u185e7Y5p4O3Z5dk8bACkpHi +hp764y+BtU4qIcVaPsPK4uU= +-END PRIVATE KEY- diff --git a/meta-integrity/data/debug-keys/x509_modsign.crt b/meta-integrity/data/debug-keys/x509_modsign.crt new file mode 100644 index ..5fa2a9062a89 --- /dev/null 
+++ b/meta-integrity/data/debug-keys/x509_modsign.crt @@ -0,0 +1,22 @@ +-BEGIN CERTIFICATE- +MIIDnjCCAoagAwIBAgIUUqmBj5Q8edHMMTXsoGVGEEKdwV4wDQYJKoZIhvcNAQEL +BQAwZzEqMCgGA1UEAxMhbWV0YS1zZWN1cml0eSBtb2R1bGVzIHNpZ25pbmcga2V5 +MRQwEgYDVQQKEwtleGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUam9obi5kb2VA +ZXhhbXBsZS5jb20wIBcNMTkwNzI3MjIzOTA3WhgPMjExOTA3MjcyMjM5MTVaMGcx +KjAoBgNVBAMTIW1ldGEtc2VjdXJpdHkgbW9kdWxlcyBzaWduaW5nIGtleTEUMBIG +A1UEChMLZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGpvaG4uZG9lQGV4YW1w +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFrCYwdqQOSI +ehHpV71Y8FmNYsdWszHIjUTTz0DdQDFxdCv1VJHzmG2j2o4NXEGBH/YJN6uzmeQM +ZFGP3uaYmTkWj3LJo9JVdC/jUpUWMnUeTP0MbRM9uufORYKkRnQHurpkrT5lSnam +tnevDuD4EICSbVbs+p3ZvtLjRFAwlS8IZBkEsDQd6gW2QFF/XrHGf2vHlIgXzGCm +jpPCUcjPtm6/XYKUx
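Review bot: In `do_configure_prepend()` of kernel-modsign.bbclass the else branch calls `bberror`, which logs the message but lets the task carry on, so a build with MODSIGN_KEY_DIR left at `MODSIGN_KEY_DIR_NOT_SET` continues without `${B}/modsign_key.pem`; use `bbfatal` so the task stops at the missing key. In the same hunk `INHIBIT_PACKAGE_STRIP = "1"` is an unconditional assignment, so enabling the class globally turns off stripping for every recipe, and the obsolescent `-a` in the test is better written as `[ -f "${MODSIGN_PRIVKEY}" ] && [ -f "${MODSIGN_X509}" ]`.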
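Review bot: privkey_modsign.pem adds a private signing key to the layer, which the class comment already calls insecure because public, yet nothing in the visible class code reports at build time that MODSIGN_KEY_DIR points at data/debug-keys. A `bbwarn` in kernel-modsign.bbclass when the debug directory is in use would make it harder to ship an image whose modules can be signed by anyone holding this file.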
[yocto] [meta-security 1/3] meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE
From: Dmitry Eremin-Solenikov data/debug-keys will be reused for demo modsign keys, so rename IMA_EVM_BASE to more generic INTEGRITY_BASE. Signed-off-by: Dmitry Eremin-Solenikov --- meta-integrity/README.md | 12 ++-- meta-integrity/classes/ima-evm-rootfs.bbclass| 2 +- meta-integrity/conf/layer.conf | 6 +++--- .../recipes-core/images/integrity-image-minimal.bb | 2 +- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 5bef76e8dcd4..4607948781e2 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -96,7 +96,7 @@ for that are included in the layer. This is also how the # In that shell, create the keys. Several options exist: # 1. Self-signed keys. -$IMA_EVM_BASE/scripts/ima-gen-self-signed.sh +$INTEGRITY_BASE/scripts/ima-gen-self-signed.sh # 2. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. @@ -104,11 +104,11 @@ for that are included in the layer. This is also how the # only creating new certificates does. Most likely the default # attributes for these certificates need to be adapted; modify # the scripts as needed. -# $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh -# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh +# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh +# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh # 3. Keys signed by an existing CA. -# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh +# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh exit When using ``ima-self-signed.sh`` as described above, self-signed keys 
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: -IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" +IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 8aec388dffed..d6ade3bf914f 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -1,7 +1,7 @@ # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be # set explicitly in a local.conf before activating ima-evm-rootfs. # To use the insecure (because public) example keys, use -# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" # Private key for IMA signing. The default is okay when diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index 917aa86e11d7..1d31edd9b151 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf 
@@ -13,13 +13,13 @@ BBFILE_PRIORITY_integrity = "6" # Set a variable to get to the top of the metadata location. Needed # for finding scripts (when following the README.md instructions) and # default debug keys (in ima-evm-rootfs.bbclass). -IMA_EVM_BASE := '${LAYERDIR}' +INTEGRITY_BASE := '${LAYERDIR}' # We must not export this path to all shell scripts (as in "export -# IMA_EVM_BASE"), because that causes problems with sstate (becames +# INTEGRITY_BASE"), because that causes problems with sstate (becames # dependent on location of the layer). Exporting it to just the # interactive shell is enough. -OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" +OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" LAYERSERIES_COMPAT_integrity = "warrior" # ima-evm-utils depends on keyutils from meta-security diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 6ed724df2267..e1bc6ffa0ed7 100644 --- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -17,6 +17,6 @@ inherit core-image export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/dat
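Review bot: The layer.conf hunk replaces `IMA_EVM_BASE := '${LAYERDIR}'` outright, so an existing local.conf that follows the old README line `IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"` is left with an unexpanded reference and no usable key directory. Keeping `IMA_EVM_BASE = "${INTEGRITY_BASE}"` as a compatibility alias for a release, or calling out the rename in the README, would avoid that; the comment above the assignment also still names only ima-evm-rootfs.bbclass as the user of the debug keys.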
[yocto] [meta-security][PATCH v2 6/6] tpm2-tcti-uefi: build and install examples
From: Dmitry Eremin-Solenikov Examples are useful to actually check TPM2 from UEFI shell. Add them to tpm2-tcti-uefi package. Signed-off-by: Dmitry Eremin-Solenikov --- .../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 13 + 1 file changed, 13 insertions(+) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index b2d0b85af280..e822e2974f37 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -14,6 +14,17 @@ S = "${WORKDIR}/git" inherit autotools pkgconfig +EFIDIR ?= "/EFI/BOOT" + +do_compile_append() { + oe_runmake example +} + +do_install_append() { + install -d "${D}${EFIDIR}" + install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}" +} + EFI_ARCH_x86 = "ia32" EFI_ARCH_x86-64 = "x86_64" @@ -24,3 +35,5 @@ EXTRA_OECONF_append = "\ --with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \ " RDEPENDS_${PN} = "gnu-efi" + +FILES_${PN} += "${EFIDIR}" -- 2.20.1
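Review bot: `FILES_${PN} += "${EFIDIR}"` puts the example *.efi binaries into the main tpm2-tcti-uefi package, so every consumer of the package gets them installed under /EFI/BOOT whether or not it wants test programs there. Splitting them into their own package (for example `${PN}-examples`, a name not in the patch) would keep them opt-in, and since `EFIDIR ?=` is only a weak default the recipe should say which configuration is expected to override it.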
[yocto] [meta-security][PATCH v2 5/6] tpm2-tcti-uefi: stop inserting host directories into build path
From: Dmitry Eremin-Solenikov Do not insert /usr/lib and /usr/lib64 into LDFLAGS. Signed-off-by: Dmitry Eremin-Solenikov --- ...p-inserting-host-directories-into-co.patch | 27 +++ .../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb| 1 + 2 files changed, 28 insertions(+) create mode 100644 meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch new file mode 100644 index ..3b54dddf763f --- /dev/null +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch @@ -0,0 +1,27 @@ +From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 3 Jul 2019 19:16:35 +0300 +Subject: [PATCH] configure.ac: stop inserting host directories into compile + path + +Do not insert /usr/lib and /usr/lib64 into library search path. + +Upstream-Status: OE specific +Signed-off-by: Dmitry Eremin-Solenikov +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: git/configure.ac +=== +--- git.orig/configure.ac git/configure.ac +@@ -81,7 +81,7 @@ AC_ARG_WITH([efi-lds], + AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]), + [], + [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"]) +-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}" ++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}" + + # path to object file from gnu-efi + AC_ARG_WITH([efi-crt0], diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 03140506931d..b2d0b85af280 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb 
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -6,6 +6,7 @@ DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ + file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ " SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
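Review bot: The header of the added 0001-configure.ac-stop-inserting-host-directories-into-co.patch carries `Upstream-Status: OE specific`, which is not one of the status values OE-Core expects; write it as `Upstream-Status: Inappropriate [OE specific]`. The context lines of the same hunk show that the default `with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"` is still a host path, so the recipe has to keep passing --with-efi-lds explicitly for the build to stay free of host directories.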
[yocto] [meta-security][PATCH v2 3/6] tpm2-tcti-uefi: add autoconf-archive-native dependency
From: Dmitry Eremin-Solenikov Add dependency on autoconf-archive-native to receive AX_* macro definitions. Signed-off-by: Dmitry Eremin-Solenikov --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 43854c414c22..983f72ebeb68 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -2,7 +2,7 @@ SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment" SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig" +DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH v2 2/6] tpm2-tss: fix compilation when using updated AX_CODE_COVERAGE macro
From: Dmitry Eremin-Solenikov New autoconf-archive comes with updated AX_CODE_COVERAGE macro, which is not compatible with current tpm2-tss source base. Apply upstream patch to fix this incompatibility. Signed-off-by: Dmitry Eremin-Solenikov --- ...-ax_code_coverage.m4-version-2019.01.patch | 84 +++ .../recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb | 3 +- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch new file mode 100644 index ..86b2cb6dd7d3 --- /dev/null +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch 
@@ -0,0 +1,84 @@ +From ec08ab41495ac40641475707c46e844503ada5b3 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel +Date: Mon, 7 Jan 2019 22:15:06 +0100 +Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06 + +@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced. +Also includes a compatibility switch for older versions of the file. + +Signed-off-by: Jonas Witschel +--- + .gitignore | 1 + + .travis.yml | 10 +- + Makefile.am | 6 ++ + configure.ac | 3 +++ + 4 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/.gitignore b/.gitignore +index 7c6a7b62e6c1..aa1a7efdff71 100644 +--- a/.gitignore b/.gitignore +@@ -26,6 +26,7 @@ + AUTHORS + tags + aclocal.m4 ++aminclude_static.am + autom4te.cache/ + [Bb]uild/ + [Dd]ebug/ +diff --git a/.travis.yml b/.travis.yml +index 55f88e22999b..a668e2953dc2 100644 +--- a/.travis.yml b/.travis.yml +@@ -44,11 +44,11 @@ addons: + + install: + # Autoconf archive +- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz +- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1 +- - tar xJf autoconf-archive-2017.09.28.tar.xz +- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/ +- - cp autoconf-archive-2017.09.28/m4/ax_prog_doxygen.m4 m4/ ++ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz ++ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1 ++ - tar xJf autoconf-archive-2019.01.06.tar.xz ++ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/ ++ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/ + # IBM-TPM + - wget https://download.01.org/tpm2/ibmtpm974.tar.gz + # OpenSSL 1.0.2 +diff --git a/Makefile.am b/Makefile.am +index 1b792d89a392..8e62e9c77c7d 100644 +--- a/Makefile.am b/Makefile.am +@@ -19,7 +19,13 @@ noinst_PROGRAMS = + + ### Add ax_* 
rules ### + # ax_code_coverage ++if AUTOCONF_CODE_COVERAGE_2019_01_06 ++include $(top_srcdir)/aminclude_static.am ++clean-local: code-coverage-clean ++dist-clean-local: code-coverage-dist-clean ++else + @CODE_COVERAGE_RULES@ ++endif + + # ax_doxygen + @DX_RULES@ +diff --git a/configure.ac b/configure.ac +index 6c7b0fd96399..22b79c50c015 100644 +--- a/configure.ac b/configure.ac +@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xno], + [ERROR_IF_NO_PROG([doxygen])]) + + AX_CODE_COVERAGE ++m4_ifdef([_AX_CODE_COVERAGE_RULES], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])]) + + AC_OUTPUT + +-- +2.20.1 + diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb index cf93159ce40f..ffbd3f4e4eff 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb @@ -8,7 +8,8 @@ DEPENDS = "autoconf-archive-native libgcrypt openssl" SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x \ +file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch" inherit autotools-brokensep pkgconfig systemd -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
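Review bot: The added 0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch has no `Upstream-Status:` line in its header even though the commit message calls it an upstream patch; add `Upstream-Status: Backport` together with a reference to the upstream commit. The .gitignore and .travis.yml hunks inside it have no effect on the recipe build, so it is worth stating in the patch header that they are carried only to keep the backport identical to upstream.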
[yocto] [meta-security][PATCH v2 4/6] tpm2-tcti-uefi: fix configure arguments
From: Dmitry Eremin-Solenikov Pass correct location of EFI's crt0 and ld script. Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 983f72ebeb68..03140506931d 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -13,6 +13,13 @@ S = "${WORKDIR}/git" inherit autotools pkgconfig +EFI_ARCH_x86 = "ia32" +EFI_ARCH_x86-64 = "x86_64" + COMPATIBLE_HOST = "(i.86|x86_64).*-linux" -EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR_NATIVE}/" +EXTRA_OECONF_append = "\ +--with-efi-includedir=${STAGING_INCDIR}/efi \ +--with-efi-crt0=${STAGING_LIBDIR_NATIVE}/crt0-efi-${EFI_ARCH}.o \ +--with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \ +" RDEPENDS_${PN} = "gnu-efi" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
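Review bot: `--with-efi-crt0` and `--with-efi-lds` point into `${STAGING_LIBDIR_NATIVE}` while `--with-efi-includedir` uses the target `${STAGING_INCDIR}`, so the headers and the startup object can come from two different gnu-efi builds. With `EFI_ARCH_x86 = "ia32"` on a 64-bit build host the native sysroot may not contain crt0-efi-ia32.o at all; please confirm which gnu-efi (native or target) is meant to supply these files and use one sysroot consistently.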
[yocto] [meta-security][PATCH v2 1/6] packagegroup-security-tpm2: stop including tpm2-tcti-uefi
From: Dmitry Eremin-Solenikov tpm2-tcti-uefi is an EFI module, so it should not be included in the rootfs. Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-core/packagegroup/packagegroup-security-tpm2.bb| 3 --- 1 file changed, 3 deletions(-) diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 9296d9967e32..8f5c537b9505 100644 --- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -21,6 +21,3 @@ RDEPENDS_packagegroup-security-tpm2 = " \ ibmswtpm2 \ cryptsetup-tpm-incubator \ " - -RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi" -RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi" -- 2.20.1
[yocto] [meta-security][PATCH 5/6] tpm2-tcti-uefi: stop inserting host directories into build path
From: Dmitry Eremin-Solenikov Do not insert /usr/lib and /usr/lib64 into LDFLAGS. Signed-off-by: Dmitry Eremin-Solenikov --- ...p-inserting-host-directories-into-co.patch | 30 +++ .../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb| 1 + 2 files changed, 31 insertions(+) create mode 100644 meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch new file mode 100644 index ..bf9f8ff4a12a --- /dev/null +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch @@ -0,0 +1,30 @@ +From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 3 Jul 2019 19:16:35 +0300 +Subject: [PATCH] configure.ac: stop inserting host directories into compile + path + +Do not insert /usr/lib and /usr/lib64 into library search path. + +Upstream-Status: OE specific +Signed-off-by: Dmitry Eremin-Solenikov +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 4e94f1eda363..54a1f39c019b 100644 +--- a/configure.ac b/configure.ac +@@ -84,7 +84,7 @@ AC_ARG_WITH([efi-lds], + AC_CHECK_FILE(["${with_efi_lds}"], + [], + [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])]) +-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}" ++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}" + + # path to object file from gnu-efi + AC_ARG_WITH([efi-crt0], +-- +2.20.1 + diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index ed9b7e1ddc8e..78392289d7d9 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb 
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ + file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ " SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
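Review bot: The Upstream-Status line in the new 0001-configure.ac-stop-inserting-host-directories-into-co.patch reads "OE specific", but the hard-coded -L /usr/lib -L /usr/lib64 in EXTRA_LDFLAGS is wrong for any cross or sysroot build, not only OE, because it lets the linker resolve against host libraries. Please send the change to tpm2-tcti-uefi upstream and mark it Submitted or Pending; if it is meant to stay local, the usual spelling of the tag is Inappropriate [oe specific].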
[yocto] [meta-security][PATCH 6/6] tpm2-tcti-uefi: build and install examples
From: Dmitry Eremin-Solenikov Examples are useful to actually check TPM2 from UEFI shell. Add them to tpm2-tcti-uefi package. Signed-off-by: Dmitry Eremin-Solenikov --- .../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 13 + 1 file changed, 13 insertions(+) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 78392289d7d9..958bb603aa7a 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -13,6 +13,17 @@ S = "${WORKDIR}/git" inherit autotools pkgconfig +EFIDIR ?= "/EFI/BOOT" + +do_compile_append() { + oe_runmake example +} + +do_install_append() { + install -d "${D}${EFIDIR}" + install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}" +} + EFI_ARCH_x86 = "ia32" EFI_ARCH_x86-64 = "x86_64" @@ -23,3 +34,5 @@ EXTRA_OECONF_append = "\ --with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \ " RDEPENDS_${PN} = "gnu-efi" + +FILES_${PN} += "${EFIDIR}" -- 2.20.1
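Review bot: do_install_append copies example/*.efi into ${D}${EFIDIR} and FILES_${PN} += "${EFIDIR}" ships them in the main package, so with the default EFIDIR ?= "/EFI/BOOT" installing tpm2-tcti-uefi creates a top-level /EFI/BOOT directory in the rootfs, which is the placement patch 1/6 argues against. Consider putting the examples in a package of their own (for instance ${PN}-examples, a name not used in this series) so that the TPM test binaries are only present on images that ask for them, and document what EFIDIR is relative to, since nothing here ties it to the EFI system partition.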
[yocto] [meta-security][PATCH 4/6] tpm2-tcti-uefi: fix configure arguments
From: Dmitry Eremin-Solenikov Pass correct location of EFI's crt0 and ld script thus removing the need to patch configure.ac. Signed-off-by: Dmitry Eremin-Solenikov --- .../files/configure_oe_fixup.patch| 27 --- .../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb| 10 +-- 2 files changed, 8 insertions(+), 29 deletions(-) delete mode 100644 meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch deleted file mode 100644 index 8a216cd45eff.. --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch +++ /dev/null @@ -1,27 +0,0 @@ -Upstream-Status: OE specific -Signed-off-by: Armin Kuster - -Index: git/configure.ac -=== git.orig/configure.ac -+++ git/configure.ac -@@ -84,9 +84,6 @@ AC_ARG_WITH([efi-lds], - AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]), - [], - [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"]) --AC_CHECK_FILE(["${with_efi_lds}"], -- [], -- [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])]) - EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}" - - # path to object file from gnu-efi -@@ -94,9 +91,6 @@ AC_ARG_WITH([efi-crt0], - AS_HELP_STRING([--with-efi-crt0=OBJ_PATH],[Path to gnu-efi crt0 object file.]), - [], - [with_efi_crt0="/usr/lib/crt0-efi-${ARCH}.o"]) --AC_CHECK_FILE(["${with_efi_crt0}"], -- [], -- [AC_MSG_ERROR([Missing ${with_efi_crt0} file.])]) - EXTRA_LDLIBS="${with_efi_crt0}" - - # check for efi and gnuefi libraries diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 983f72ebeb68..ed9b7e1ddc8e 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb 
@@ -5,7 +5,6 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ - file://configure_oe_fixup.patch \ " SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d" @@ -13,6 +12,13 @@ S = "${WORKDIR}/git" inherit autotools pkgconfig +EFI_ARCH_x86 = "ia32" +EFI_ARCH_x86-64 = "x86_64" + COMPATIBLE_HOST = "(i.86|x86_64).*-linux" -EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR_NATIVE}/" +EXTRA_OECONF_append = "\ +--with-efi-includedir=${STAGING_INCDIR}/efi \ +--with-efi-crt0=${STAGING_LIBDIR_NATIVE}/crt0-efi-${EFI_ARCH}.o \ +--with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \ +" RDEPENDS_${PN} = "gnu-efi" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
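Review bot: Deleting configure_oe_fixup.patch re-enables the two AC_CHECK_FILE calls for ${with_efi_lds} and ${with_efi_crt0} that the fixup had removed. AC_CHECK_FILE stops configure with an error when it runs in cross-compiling mode unless the result is already cached, so passing correct --with-efi-crt0 and --with-efi-lds paths does not by itself make those checks pass. Please say in the commit message which build and target combinations this was tested on, and if configure still fails when the build and host triplets differ, keep the check removal or replace the macro with a plain file test.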
[yocto] [meta-security][PATCH 2/6] tpm2-tss: fix compilation when using updated AX_CODE_COVERAGE macro
From: Dmitry Eremin-Solenikov New autoconf-archive comes with updated AX_CODE_COVERAGE macro, which is not compatible with current tpm2-tss source base. Apply upstream patch to fix this incompatibility. Signed-off-by: Dmitry Eremin-Solenikov --- ...-ax_code_coverage.m4-version-2019.01.patch | 84 +++ .../recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb | 3 +- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch new file mode 100644 index ..86b2cb6dd7d3 --- /dev/null +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch 
@@ -0,0 +1,84 @@ +From ec08ab41495ac40641475707c46e844503ada5b3 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel +Date: Mon, 7 Jan 2019 22:15:06 +0100 +Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06 + +@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced. +Also includes a compatibility switch for older versions of the file. + +Signed-off-by: Jonas Witschel +--- + .gitignore | 1 + + .travis.yml | 10 +- + Makefile.am | 6 ++ + configure.ac | 3 +++ + 4 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/.gitignore b/.gitignore +index 7c6a7b62e6c1..aa1a7efdff71 100644 +--- a/.gitignore b/.gitignore +@@ -26,6 +26,7 @@ + AUTHORS + tags + aclocal.m4 ++aminclude_static.am + autom4te.cache/ + [Bb]uild/ + [Dd]ebug/ +diff --git a/.travis.yml b/.travis.yml +index 55f88e22999b..a668e2953dc2 100644 +--- a/.travis.yml b/.travis.yml +@@ -44,11 +44,11 @@ addons: + + install: + # Autoconf archive +- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz +- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1 +- - tar xJf autoconf-archive-2017.09.28.tar.xz +- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/ +- - cp autoconf-archive-2017.09.28/m4/ax_prog_doxygen.m4 m4/ ++ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz ++ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1 ++ - tar xJf autoconf-archive-2019.01.06.tar.xz ++ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/ ++ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/ + # IBM-TPM + - wget https://download.01.org/tpm2/ibmtpm974.tar.gz + # OpenSSL 1.0.2 +diff --git a/Makefile.am b/Makefile.am +index 1b792d89a392..8e62e9c77c7d 100644 +--- a/Makefile.am b/Makefile.am +@@ -19,7 +19,13 @@ noinst_PROGRAMS = + + ### Add ax_* 
rules ### + # ax_code_coverage ++if AUTOCONF_CODE_COVERAGE_2019_01_06 ++include $(top_srcdir)/aminclude_static.am ++clean-local: code-coverage-clean ++dist-clean-local: code-coverage-dist-clean ++else + @CODE_COVERAGE_RULES@ ++endif + + # ax_doxygen + @DX_RULES@ +diff --git a/configure.ac b/configure.ac +index 6c7b0fd96399..22b79c50c015 100644 +--- a/configure.ac b/configure.ac +@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xno], + [ERROR_IF_NO_PROG([doxygen])]) + + AX_CODE_COVERAGE ++m4_ifdef([_AX_CODE_COVERAGE_RULES], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])]) + + AC_OUTPUT + +-- +2.20.1 + diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb index cf93159ce40f..ffbd3f4e4eff 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb @@ -8,7 +8,8 @@ DEPENDS = "autoconf-archive-native libgcrypt openssl" SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x \ +file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch" inherit autotools-brokensep pkgconfig systemd -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
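Review bot: The added 0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch is described in the commit message as an upstream patch, but its header has no Upstream-Status line; add Upstream-Status: Backport with a reference to the upstream commit (the hash shown in its From line, ec08ab41495ac40641475707c46e844503ada5b3). The .gitignore and .travis.yml hunks have no effect on the OE build and only add places where the patch can stop applying after a SRCREV bump, so the backport can be trimmed to the Makefile.am and configure.ac hunks.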
[yocto] [meta-security][PATCH 3/6] tpm2-tcti-uefi: add autoconf-archive-native dependency
From: Dmitry Eremin-Solenikov Add dependency on autoconf-archive-native to receive AX_* macro definitions. Signed-off-by: Dmitry Eremin-Solenikov --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 43854c414c22..983f72ebeb68 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -2,7 +2,7 @@ SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment" SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig" +DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/6] packagegroup-security-tpm2: stop including tpm2-tcti-uefi
From: Dmitry Eremin-Solenikov tpm2-tcti-uefi is an EFI module, so it should not be included in the rootfs. Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-core/packagegroup/packagegroup-security-tpm2.bb| 3 --- 1 file changed, 3 deletions(-) diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 9296d9967e32..8f5c537b9505 100644 --- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -21,6 +21,3 @@ RDEPENDS_packagegroup-security-tpm2 = " \ ibmswtpm2 \ cryptsetup-tpm-incubator \ " - -RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi" -RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi" -- 2.20.1
[yocto] [meta-integrity][PATCH 3/3] ima-evm-utils: refresh xattr patch
Signed-off-by: Dmitry Eremin-Solenikov --- .../evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch index c0bdd9b496de..ffa65dfb00a1 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -23,9 +23,9 @@ diff --git a/src/evmctl.c b/src/evmctl.c index c54efbb..23cf54c 100644 --- a/src/evmctl.c +++ b/src/evmctl.c -@@ -56,6 +56,18 @@ - #include +@@ -57,6 +57,18 @@ #include + #include +/* + * linux/xattr.h might be old to have this. Allow compilation on older -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
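Review bot: The commit message has no body. The only visible change is the inner hunk header moving from -56,6 +56,18 to -57,6 +57,18 together with its context lines, so state which ima-evm-utils revision the patch was refreshed against and that the refresh is offset-only; without that a reviewer cannot tell a refresh from a functional change to evmctl.c.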
[yocto] [meta-integrity][PATCH 2/3] ima-evm-utils: bump version
Currently selected SRCREV (782224f33cd711050cbf6146a12122cd73f9136b) comes after 1.1 ima-evm-utils release, so bump PV accordingly. Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb index 623de09c3ad7..6d4f008df334 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -6,7 +6,7 @@ DEPENDS += "openssl attr keyutils" DEPENDS_class-native += "openssl-native keyutils-native" -PV = "1.0+git${SRCPV}" +PV = "1.1+git${SRCPV}" SRCREV = "782224f33cd711050cbf6146a12122cd73f9136b" SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-integrity][PATCH 1/3] layer.conf: add dependency on meta-security
ima-evm-utils recipe depends on keyutils recipe which is a part of meta-security layer. Signed-off-by: Dmitry Eremin-Solenikov --- meta-integrity/conf/layer.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index 2f696cf7c332..917aa86e11d7 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf @@ -22,3 +22,5 @@ IMA_EVM_BASE := '${LAYERDIR}' OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" LAYERSERIES_COMPAT_integrity = "warrior" +# ima-evm-utils depends on keyutils from meta-security +LAYERDEPENDS_integrity = "core security" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 07/10] ocfs2-tools: properly handle systemd DISTRO_FEATURE
Always inherit systemd bbclass (otherwise it is not pulled in even if systemd is enabled). This makes a few other settings in the recipe unnecessary, thus they are dropped. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb index 4e171f4..1296fd6 100644 --- a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb +++ b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb @@ -42,11 +42,8 @@ do_compile_prepend() { done } -inherit ${@base_contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} +inherit systemd SYSTEMD_SERVICE_${PN} = o2cb.service ocfs2.service -SYSTEMD_AUTO_ENABLE = enable - -FILES_${PN} += ${@base_contains('VIRTUAL-RUNTIME_init_manager','systemd','${systemd_unitdir}','', d)} do_install() { install -d ${D}/etc/init.d -- 2.1.4
[yocto] [meta-cgl][PATCH 01/10] cgl_common_security_flags.inc: add to fix building with security flags
Package openhpi is currently broken if distro uses security_flags.inc. Fix that by adding layer-wide include file for such exceptions. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc | 1 + meta-cgl-common/conf/layer.conf | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc diff --git a/meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc b/meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc new file mode 100644 index 000..358ce58 --- /dev/null +++ b/meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc @@ -0,0 +1 @@ +SECURITY_CFLAGS_pn-openhpi = ${SECURITY_NO_PIE_CFLAGS} diff --git a/meta-cgl-common/conf/layer.conf b/meta-cgl-common/conf/layer.conf index f5a0190..0c19a95 100644 --- a/meta-cgl-common/conf/layer.conf +++ b/meta-cgl-common/conf/layer.conf @@ -10,3 +10,5 @@ BBFILES += ${LAYERDIR}/recipes-*/*/*.bb \ BBFILE_COLLECTIONS += cgl-common BBFILE_PATTERN_cgl-common = ^${LAYERDIR}/ BBFILE_PRIORITY_cgl-common = 7 + +require conf/distro/include/cgl_common_security_flags.inc -- 2.1.4
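Review bot: SECURITY_CFLAGS_pn-openhpi = ${SECURITY_NO_PIE_CFLAGS} switches PIE off for openhpi, yet the commit message only says the package "is currently broken" with security_flags.inc. Record the actual compile or link failure in the message or as a comment in cgl_common_security_flags.inc, so the exception can be dropped once openhpi builds as PIE; losing PIE is a hardening regression and should be traceable to a reason. Since layer.conf now requires the file unconditionally, also confirm it is harmless for distros that never include security_flags.inc and therefore do not define SECURITY_NO_PIE_CFLAGS.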
[yocto] [meta-cgl][PATCH 03/10] pacemaker: provide tmpfiles configuration
provide systemd-tmpfiles configuration for distributions using systemd. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles | 5 + meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb | 11 ++- 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles diff --git a/meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles b/meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles new file mode 100644 index 000..1d2b295 --- /dev/null +++ b/meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles @@ -0,0 +1,5 @@ +d /var/lib/heartbeat/crm 0750 hacluster haclient - +d /var/lib/pengine 0755 hacluster haclient - +d /var/run/heartbeat 0755 hacluster haclient - +d /var/run/heartbeat/rsctmp 0755 hacluster haclient - +d /var/run/crm 0755 hacluster haclient - diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb index 8bef6f4..a5cd284 100644 --- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb +++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb @@ -28,6 +28,7 @@ SRC_URI = \ file://pacemaker-fix-xml-config.patch \ file://pacemaker-no-bash.patch \ file://volatiles \ + file://tmpfiles \ SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch SRC_URI[md5sum] = 103fb2e804be3f8ace17021c5d9ad15d 
@@ -47,13 +48,21 @@ GROUPADD_PARAM_${PN} = -r haclient do_install_append() { install -d ${D}${sysconfdir}/default/volatiles install -m 0644 ${WORKDIR}/volatiles ${D}${sysconfdir}/default/volatiles/06_pacemaker + install -d ${D}${sysconfdir}/tmpfiles.d + install -m 0644 ${WORKDIR}/tmpfiles ${D}${sysconfdir}/tmpfiles.d/${PN}.conf find ${D} -name *.pyo -exec rm {} \; find ${D} -name *.pyc -exec rm {} \; find ${D} -name *.py | xargs sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g } pkg_postinst_${PN} () { - /etc/init.d/populate-volatile.sh update + if [ -z $D ]; then + if type systemd-tmpfiles /dev/null; then + systemd-tmpfiles --create + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + fi } FILES_${PN}-doc += ${datadir}/pacemaker/crm_cli.txt ${datadir}/pacemaker/templates/ FILES_${PN} += \ -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
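Review bot: In pkg_postinst_${PN} the on-target branch runs systemd-tmpfiles --create with no configuration argument, which reprocesses every tmpfiles.d entry on the system rather than the five directories this package adds. Pass the file installed a few lines earlier, ${sysconfdir}/tmpfiles.d/${PN}.conf, and quote the test as [ -z "$D" ] so the script does not depend on word splitting.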
[yocto] [meta-cgl][PATCH 10/10] heartbeat: properly handle systemd DISTRO_FEATURE
Always inherit systemd bbclass (otherwise it is not pulled in even if systemd is enabled). This makes a few other settings in the recipe unnecessary, thus they are dropped. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb index 5128c53..3a02d35 100644 --- a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb +++ b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb @@ -100,10 +100,8 @@ do_install() { install -m 0600 ${S}/doc/authkeys ${D}/etc/ha.d/authkeys } -inherit ${@base_contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','',d)} -SYSTEMD_PACKAGES = ${PN} +inherit systemd SYSTEMD_SERVICE_${PN} = heartbeat.service -SYSTEMD_AUTO_ENABLE = disable USERADD_PACKAGES = ${PN} GROUPADD_PARAM_${PN} = -r haclient -- 2.1.4
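Review bot: Removing SYSTEMD_AUTO_ENABLE = disable is not a setting that inherit systemd makes unnecessary: the class default is enable, so heartbeat.service changes from disabled to enabled at boot. The do_install context in the same hunk installs the sample ${S}/doc/authkeys as /etc/ha.d/authkeys, so an image would now start the cluster service with that sample file in place. Keep the disable line, or call out the behaviour change in the commit message.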
[yocto] [meta-cgl][PATCH 02/10] pacemaker: use useradd class to add required user and group
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb index 43769bf..8bef6f4 100644 --- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb +++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb @@ -32,7 +32,7 @@ SRC_URI = \ SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch SRC_URI[md5sum] = 103fb2e804be3f8ace17021c5d9ad15d SRC_URI[sha256sum] = aabfc9ee1c66804151d973d0ed0323798ffebe49e1c2219fa804dc6898a69a1e -inherit autotools-brokensep python-dir pkgconfig +inherit autotools-brokensep python-dir pkgconfig useradd S = ${WORKDIR}/pacemaker-1.0-Pacemaker-${PV} @@ -40,6 +40,10 @@ EXTRA_OECONF = --with-ais --without-heartbeat --disable-fatal-warnings --disabl CFLAGS += -I${STAGING_INCDIR}/heartbeat -lncurses +USERADD_PACKAGES = ${PN} +USERADD_PARAM_${PN} = --home-dir=${localstatedir}/lib/heartbeat -g haclient -r hacluster +GROUPADD_PARAM_${PN} = -r haclient + do_install_append() { install -d ${D}${sysconfdir}/default/volatiles install -m 0644 ${WORKDIR}/volatiles ${D}${sysconfdir}/default/volatiles/06_pacemaker @@ -49,9 +53,6 @@ do_install_append() { } pkg_postinst_${PN} () { - set -e - grep haclient /etc/group || addgroup haclient - grep hacluster /etc/passwd || adduser --disabled-password --home=${localstatedir}/lib/heartbeat --ingroup haclient -g HA cluster hacluster /etc/init.d/populate-volatile.sh update } FILES_${PN}-doc += ${datadir}/pacemaker/crm_cli.txt ${datadir}/pacemaker/templates/ -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
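Review bot: USERADD_PARAM_${PN} creates hacluster as a system account (-r) with a home directory but sets no shell, so the account gets whatever the useradd default is. For a service account add an explicit non-login shell (for example --shell /sbin/nologin) and --no-create-home. The commit message also has no body; one sentence on why the addgroup/adduser calls in pkg_postinst are replaced by the useradd class would help.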
[yocto] [meta-cgl][PATCH 08/10] heartbeat: make bootstrap work without checking for libtool command
There is no use for just 'libtool' script, other than deriving libtoolize from it. Make bootstrap script look for libtoolize directly and forget about libtool completely. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- .../heartbeat/heartbeat-bootstrap-libtool.patch| 52 ++ .../recipes-cgl/heartbeat/heartbeat_3.0.5.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch diff --git a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch new file mode 100644 index 000..bcddab2 --- /dev/null +++ b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch 
@@ -0,0 +1,52 @@ +Index: Heartbeat-3-0-7e3a82377fa8/bootstrap +=== +--- Heartbeat-3-0-7e3a82377fa8.orig/bootstrap Heartbeat-3-0-7e3a82377fa8/bootstrap +@@ -173,23 +173,22 @@ ln -s `which $automake` ./automake + + # Check for Libtool + pkg=libtool +-for command in libtool libtool14 libtool15 glibtool ++for command in libtoolize libtoolize14 libtoolize15 glibtoolize + do + URL=$gnu/$pkg/ + if + testProgram $command + then + : OK $pkg is installed +-libtool=$command +-libtoolize=`echo $libtool | sed -e 's/libtool/libtoolize/'` ++libtoolize=$command + fi + done + + # Check to see if we got a valid command. + if +-$libtool --version /dev/null /dev/null 21 ++$libtoolize --version /dev/null /dev/null 21 + then +-echo Libtool package $libtool found. ++echo Libtool package $libtoolize found. + else + RC=$? + cat -EOF 2 +@@ -200,10 +199,6 @@ else + EOF + fi + +-# Create local copy so that the incremental updates will work. +-rm -f ./libtool +-ln -s `which $libtool` ./libtool +- + case $RC in + 0) ;; + *) exit $RC;; +@@ -217,7 +212,7 @@ oneline() { + read x; echo $x + } + +-LT_version=`$libtool --version | oneline | sed -e 's%^[^0-9]*%%' -e s'% .*%%'` ++LT_version=`$libtoolize --version | oneline | sed -e 's%^[^0-9]*%%' -e s'% .*%%'` + LT_majvers=`echo $LT_version | sed -e 's%\..*%%'` + LT_minvers=`echo $LT_version | sed -e 's%^[^.]*\.%%' ` + LT_minnum=`echo $LT_minvers | sed -e 's%[^0-9].*%%'` diff --git a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb index 369bd23..184ad22 100644 --- a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb +++ b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb 
@@ -34,6 +34,7 @@ SRC_URI = \ file://ucast.c-fix-compile-errors.patch \ file://configure.in-Error-and-warning-fix.patch \ file://heartbeat-init.d-heartbeat.in-modify-parameter.patch \ +file://heartbeat-bootstrap-libtool.patch \ file://heartbeat.service \ SRC_URI[md5sum] = 396510e3c143a9c2288bc52cfc9caa3c -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
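Review bot: The new heartbeat-bootstrap-libtool.patch starts directly at its Index: line, with no description, Signed-off-by or Upstream-Status header, although the commit message already contains the explanation. Copy that explanation into the patch file and add the two tags so the patch is self-describing when the recipe is next upgraded.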
[yocto] [meta-cgl][PATCH 09/10] heartbeat: add gnutls dependency
Add dependency on gnutls as noted by the following QA warnings: WARNING: QA Issue: heartbeat rdepends on nettle, but it isn't a build dependency? [build-deps] WARNING: QA Issue: heartbeat rdepends on gnutls, but it isn't a build dependency? [build-deps] WARNING: QA Issue: heartbeat rdepends on gmp, but it isn't a build dependency? [build-deps] Both nettle and gmp are used by gnutls, so there is no point adding them to the dependencies list -- those are indirect dependencies anyway. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb index 184ad22..5128c53 100644 --- a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb +++ b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb @@ -40,7 +40,7 @@ SRC_URI = \ SRC_URI[md5sum] = 396510e3c143a9c2288bc52cfc9caa3c SRC_URI[sha256sum] = 085013154511f3c270b5e9a3281732dbbb9812924ae24d9c3c6db1af4dd260d0 S = ${WORKDIR}/Heartbeat-3-0-7e3a82377fa8/ -DEPENDS = cluster-glue corosync +DEPENDS = cluster-glue corosync gnutls inherit autotools-brokensep pkgconfig useradd EXTRA_OECONF = \ STAGING_DIR_TARGET=${STAGING_DIR_TARGET} \ -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 06/10] cluster-glue: add another directory to volatiles and tmpfiles config
Add /var/run/heartbeat directory to volatiles and tmpfiles configuration. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles | 1 + meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles index 252e13f..b683b28 100644 --- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles @@ -4,4 +4,5 @@ d /var/lib/heartbeat/cores 0755 hacluster haclient - d /var/lib/heartbeat/cores/hacluster 0700 hacluster haclient - d /var/lib/heartbeat/cores/root 0700 root root - d /var/lib/heartbeat/cores/nobody 0700 nobody nogroup - +d /var/run/heartbeat 0755 root root - diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles index 892db1b..d6f0c87 100644 --- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles @@ -3,4 +3,5 @@ d hacluster haclient 0750 /var/lib/heartbeat/pengine none d hacluster haclient 0755 /var/lib/heartbeat/cores none d hacluster haclient 0700 /var/lib/heartbeat/cores/hacluster none d root root 0700 /var/lib/heartbeat/cores/root none -d nobody nogroup 0700 /var/lib/heartbeat/cores/nobody none \ No newline at end of file +d nobody nogroup 0700 /var/lib/heartbeat/cores/nobody none +d root root 0755 /var/run/heartbeat none -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
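Review bot: The line added to cluster-glue's tmpfiles creates /var/run/heartbeat as 0755 root root, while pacemaker's tmpfiles from patch 03/10 declares the same directory as 0755 hacluster haclient. Two tmpfiles.d entries for one path with different owners cannot both take effect, so the resulting ownership depends on which file is processed first. Pick one owner and declare the directory in one package only.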
[yocto] [meta-cgl][PATCH 05/10] cluster-glue: provide tmpfiles configuration
provide systemd-tmpfiles configuration for distributions using systemd. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- .../recipes-cgl/cluster-glue/cluster-glue/tmpfiles| 7 +++ .../recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb| 11 ++- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles new file mode 100644 index 000..252e13f --- /dev/null +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles @@ -0,0 +1,7 @@ +d /var/lib/heartbeat 0755 root root - +d /var/lib/heartbeat/pengine 0750 hacluster haclient - +d /var/lib/heartbeat/cores 0755 hacluster haclient - +d /var/lib/heartbeat/cores/hacluster 0700 hacluster haclient - +d /var/lib/heartbeat/cores/root 0700 root root - +d /var/lib/heartbeat/cores/nobody 0700 nobody nogroup - + diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb index adf3b48..f1b4a78 100644 --- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb @@ -13,6 +13,7 @@ SRC_URI = \ file://glue-remove-getpid-check.patch \ file://fix-const-cast.patch \ file://volatiles \ +file://tmpfiles \ SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch SRC_URI[md5sum] = d2b6f798e58ef2497526e404b8ad640a 
@@ -39,10 +40,18 @@ do_configure_prepend() { do_install_append() { install -d ${D}${sysconfdir}/default/volatiles install -m 0644 ${WORKDIR}/volatiles ${D}${sysconfdir}/default/volatiles/04_cluster-glue + install -d ${D}${sysconfdir}/tmpfiles.d + install -m 0644 ${WORKDIR}/tmpfiles ${D}${sysconfdir}/tmpfiles.d/${PN}.conf } pkg_postinst_${PN} () { - /etc/init.d/populate-volatile.sh update + if [ -z $D ]; then + if type systemd-tmpfiles /dev/null; then + systemd-tmpfiles --create + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + fi } PACKAGES += \ -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
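Review bot: in the pkg_postinst_${PN} hunk, `systemd-tmpfiles --create` is called without a configuration file, so installing this package on a running target re-applies every tmpfiles.d entry on the system instead of only the six directories this recipe adds. Pass the file that do_install_append just installed, i.e. `systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/${PN}.conf`. The commit message could also say that both the volatiles and the tmpfiles file are now installed unconditionally, whichever init system the distribution uses.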
[yocto] [meta-cgl][PATCH 04/10] cluster-glue: use useradd class to add required user and group
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb index c31c85d..adf3b48 100644 --- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb @@ -20,7 +20,7 @@ SRC_URI[sha256sum] = 0e1922373aba1c3811f6ef61559a9c407c0bec71d2ebc451a4db5b940d LIC_FILES_CHKSUM = file://${COREBASE}/meta/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe -inherit autotools +inherit autotools useradd S = ${WORKDIR}/Reusable-Cluster-Components-glue--glue-${PV} @@ -28,6 +28,10 @@ EXTRA_OECONF = --with-daemon-user=hacluster --with-daemon-group=haclient --disa CACHED_CONFIGUREVARS=ac_cv_path_XML2CONFIG=0 +USERADD_PACKAGES = ${PN} +USERADD_PARAM_${PN} = --home-dir=${localstatedir}/lib/heartbeat -g haclient -r hacluster +GROUPADD_PARAM_${PN} = -r haclient + do_configure_prepend() { ln -sf ${PKG_CONFIG_SYSROOT_DIR}/usr/include/libxml2/libxml ${PKG_CONFIG_SYSROOT_DIR}/usr/include/libxml } @@ -38,9 +42,6 @@ do_install_append() { } pkg_postinst_${PN} () { - set -e - grep haclient /etc/group || addgroup haclient - grep hacluster /etc/passwd || adduser --disabled-password --home=${localstatedir}/lib/heartbeat --ingroup haclient -g HA cluster hacluster /etc/init.d/populate-volatile.sh update } -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
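Review bot: USERADD_PARAM_${PN} creates hacluster as a system account but sets no login shell, so the account gets whatever default the image's useradd configuration supplies. For a daemon-only account add an explicit non-login shell, for example `--shell /bin/false`. The commit message has no body; it should state why account creation moves out of pkg_postinst, and that the remaining populate-volatile.sh call there is still unconditional.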
[yocto] [meta-cgl][PATCH 2/9] packagegroup-cgl-swdevtools: don't depend on numactl on arm
Package numactl is disabled on ARM platform. Do not depend on it if we are building for this platform. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb index 84e747f..9f9ae03 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb @@ -9,6 +9,9 @@ inherit packagegroup PACKAGES = packagegroup-cgl-swdevtools +NUMACTL = numactl +NUMACTL_arm = + RDEPENDS_packagegroup-cgl-swdevtools = \ libuio \ libcap-ng \ @@ -17,7 +20,7 @@ RDEPENDS_packagegroup-cgl-swdevtools = \ libsocket6-perl \ libmailtools-perl \ libhtml-tagset-perl \ -numactl \ +${NUMACTL} \ RRECOMMENDS_packagegroup-cgl-swdevtools = -- 2.1.4
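Review bot: `NUMACTL_arm = ` hard-codes in the packagegroup a restriction that belongs to the numactl recipe, and the commit message does not say where numactl is disabled for ARM or why. Name the mechanism in the message so the override can be dropped when the recipe changes, and check whether other architectures need the same treatment, since the `_arm` override only matches 32-bit arm targets.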
[yocto] [meta-cgl][PATCH 3/9] cluster-glue: add openhpi and net-snmp to DEPENDS
cluster-glue makes use of openhpi and net-snmp libraries, so DEPEND on them as pointed out by the following QA warnings: cluster-glue-1.0.5: cluster-glue-plugin-stonith2 rdepends on net-snmp-libs, but it isn't a build dependency? [build-deps] cluster-glue-1.0.5: cluster-glue-plugin-stonith2 rdepends on openhpi, but it isn't a build dependency? [build-deps] Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb index de348e8..c31c85d 100644 --- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb @@ -4,7 +4,7 @@ is not the cluster messaging layer (Heartbeat), nor the cluster resource manager (Pacemaker), nor a Resource Agent. LICENSE = GPLv2 -DEPENDS = libxml2 libtool glib-2.0 bzip2 util-linux +DEPENDS = libxml2 libtool glib-2.0 bzip2 util-linux net-snmp openhpi SRC_URI = \ http://hg.linux-ha.org/glue/archive/glue-${PV}.tar.bz2 \ -- 2.1.4
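Review bot: adding net-snmp and openhpi to DEPENDS unconditionally makes every cluster-glue build pull in both stacks, although the QA warnings quoted in the message only concern the cluster-glue-plugin-stonith2 package. The warnings also indicate that configure picked the libraries up from the sysroot when they happened to be present, so the feature set depended on build order; consider making the two dependencies PACKAGECONFIG options with matching explicit configure switches, so images that do not need those stonith plugins carry less network-facing code.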
[yocto] [meta-cgl][PATCH 7/9] openais: make openais script use sh instead of bash
There is no point in using bash for the openais script, if just sh is enough. In addition this fixes the following QA warning: openais-1.1.3: /etc/init.d/openais_openais contained in package openais requires /bin/bash, but no providers found in its RDEPENDS [file-rdeps] Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- .../recipes-cgl/openais/files/openais-fix-bash.patch | 10 ++ meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb | 1 + 2 files changed, 11 insertions(+) create mode 100644 meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch diff --git a/meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch b/meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch new file mode 100644 index 000..ede77e8 --- /dev/null +++ b/meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch @@ -0,0 +1,10 @@ +Index: openais-1.1.3/init/generic.in +=== +--- openais-1.1.3.orig/init/generic.in openais-1.1.3/init/generic.in +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Authors: + # Andrew Beekhof abeek...@redhat.com diff --git a/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb b/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb index 2a03b9a..f4563c9 100644 --- a/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb +++ b/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb @@ -9,6 +9,7 @@ SRC_URI = \ ftp://f...@tux.rainside.sk/gentoo/distfiles/openais-${PV}.tar.gz \ file://fix-lcrso-linkage.patch \ file://build-cleanup-configure-ac.patch \ +file://openais-fix-bash.patch \ SRC_URI[md5sum] = 13d8d590f806fb396d750b086c6c0b78 SRC_URI[sha256sum] = eeef58dd2df3eb16ba68b3fbdc6f0d4dfb537443f1c091ec6f0431594f2f00b6 -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
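Review bot: the new openais-fix-bash.patch starts directly at the `Index: openais-1.1.3/init/generic.in` line, with no description, Upstream-Status or Signed-off-by header, which patches carried in a layer are expected to have. The hunk changes only the shebang of init/generic.in; the message says sh "is enough" but should state how that was checked (for instance by running the init script under the image's /bin/sh), because a bash-only construct left in the body would fail at boot on a cluster node.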
[yocto] [meta-cgl][PATCH 4/9] cluster-resource-agents: add sha256 sum of the tarball
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- .../recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb index 0ac89b2..5372786 100644 --- a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb +++ b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb @@ -13,6 +13,7 @@ SRC_URI = \ SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch SRC_URI[md5sum] = fcaa2cfd83a28d1965200e11db2ddd41 +SRC_URI[sha256sum] = 09b58332e34cf128c8d53d5bb4b3f61e402c2e0c0c809f5abae53ca144ad101e inherit autotools -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
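Review bot: the commit message has no body, so there is no record of where the new SRC_URI[sha256sum] value came from. If it was computed from the tarball the fetcher downloaded rather than taken from an upstream release announcement, it only pins whatever that download returned; say which it was, since the md5sum already in the recipe gives no real integrity guarantee to compare against.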
[yocto] [meta-cgl][PATCH 1/9] packagegroup-cgl-*: fix LIC_FILES_CHKSUM variables
LIC_FILES_CHKSUM variables in all packagegroup files reference wrong location of the COPYING.MIT file resulting in warnings during build. Fix them by pointing to the main COPYING.MIT file in OE-Core. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb | 2 +- meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb | 2 +- meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb | 2 +- meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb | 2 +- meta-cgl-common/packagegroups/packagegroup-cgl.bb | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb index 532712e..f823ece 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb @@ -2,7 +2,7 @@ SUMMARY = Application packages required to satisfy the Carrier Grade Linux (CGL DESCRIPTION = This package group includes the application with which the user interacts \ when using a Linux operation system. LICENSE = MIT -LIC_FILES_CHKSUM = file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 +LIC_FILES_CHKSUM = file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 inherit packagegroup inherit pkgconfig diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb b/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb index 2925535..bff7c4c 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb 
@@ -3,7 +3,7 @@ DESCRIPTION = This package group contains hardened device drivers, HW configura management, standard, high availability, service and co-processor interfaces. LICENSE = MIT -LIC_FILES_CHKSUM = file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 +LIC_FILES_CHKSUM = file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 inherit packagegroup diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb index d0a5213..effdb81 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb @@ -2,7 +2,7 @@ SUMMARY = Middleware packages required to satisfy the Carrier Grade Linux (CGL) DESCRIPTION = This package group contains high availability application and platform \ interfaces, databases, application servers, communication protocols etc. LICENSE = MIT -LIC_FILES_CHKSUM = file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 +LIC_FILES_CHKSUM = file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 inherit packagegroup diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb index 591f120..84e747f 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb @@ -2,7 +2,7 @@ SUMMARY = Software development tools packages required to satisfy the Carrier G DESCRIPTION = This package group contains programs or applications used to create, debug, maintain, \ or otherwise support other programs and applications. LICENSE = MIT -LIC_FILES_CHKSUM = file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 +LIC_FILES_CHKSUM = file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 inherit packagegroup 
diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl.bb b/meta-cgl-common/packagegroups/packagegroup-cgl.bb index 3a64bbf..2c999e0 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl.bb @@ -2,7 +2,7 @@ SUMMARY = Packages required to satisfy the Carrier Grade Linux (CGL) specificat DESCRIPTION = This package group is the one that gathers all the available \ package groups. LICENSE = MIT -LIC_FILES_CHKSUM = file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 +LIC_FILES_CHKSUM = file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20421 inherit packagegroup -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
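Review bot: in the packagegroup-cgl.bb hunk the new LIC_FILES_CHKSUM line ends in md5=3da9cfbcb788c80a0384361b4de20421, while the removed line and the other four packagegroup files in this patch use ...20420 for the same ${COREBASE}/meta/COPYING.MIT. The last digit looks like an accidental edit; as written this recipe will fail the license checksum check even though the path is now correct. Restore the value to match the other four files.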
[yocto] [meta-cgl][PATCH 5/9] cluster-resource-agents: add bash to RDEPENDS for ocft and ${PN}
Add bash to respective RDEPENDS as pointed by QA WARNINGS: cluster-resource-agents-1.0.3: /usr/sbin/ocft_ocft contained in package ocft requires /bin/bash, but no providers found in its RDEPENDS [file-rdeps] cluster-resource-agents-1.0.3: /usr/lib/ocf/resource.d/heartbeat/AoEtarget_cluster-resource-agents contained in package cluster-resource-agents requires /bin/bash, but no providers found in its RDEPENDS [file-rdeps] Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- .../cluster-resource-agents/cluster-resource-agents_1.0.3.bb | 8 1 file changed, 8 insertions(+) diff --git a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb index 5372786..ee733f7 100644 --- a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb +++ b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb @@ -76,9 +76,17 @@ FILES_${PN} += \ ${datadir}/resource-agents/ra-api-1.dtd \ +RDEPENDS_ocft += \ + bash \ + + FILES_ocft += \ ${datadir}/resource-agents/ocft \ ${sbindir}/ocft \ +RDEPENDS_${PN} += \ + bash \ + + FILES_${PN}-dbg += ${libdir}/heartbeat/.debug/ ${libdir}/ocf/resource.d/heartbeat/.debug/ -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
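Review bot: `RDEPENDS_${PN} += bash` pulls bash into every image that installs the resource agents, yet the QA warning quoted for that package names only the AoEtarget agent. The message should say whether other agents also require /bin/bash, or whether fixing that one script would avoid the dependency, which is the approach the openais and pacemaker patches in this series take by switching scripts to sh.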
[yocto] [meta-cgl][PATCH 9/9] pacemaker: fix runtime dependencies on bash
Add bash to the pacemaker-tests RDEPENDS. Also make all scripts that are installed in main pacemaker package use sh instead of bash. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- .../pacemaker-1.0.9.1/pacemaker-no-bash.patch | 40 ++ .../recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb | 3 +- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch new file mode 100644 index 000..6f9639d --- /dev/null +++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch @@ -0,0 +1,40 @@ +Index: pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_failcount +=== +--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/tools/crm_failcount pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_failcount +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + options= + target=`uname -n` +Index: pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_master +=== +--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/tools/crm_master pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_master +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + TEMP=`getopt -o DGQVN:U:v:i:l:r: --long resource:,node:,uname:,attr-value:,delete-attr,get-value,attr-id:,lifetime:,quiet \ + -n 'crm_master' -- $@` +Index: pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_standby +=== +--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/tools/crm_standby pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_standby +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + op= + options= +Index: pacemaker-1.0-Pacemaker-1.0.9.1/extra/resources/o2cb +=== +--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/extra/resources/o2cb pacemaker-1.0-Pacemaker-1.0.9.1/extra/resources/o2cb +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + # Copyright (c) 2005,2008 Oracle + # Copyright (c) 2008 Andrew Beekhof + #All Rights Reserved. 
diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb index 174ebd1..43769bf 100644 --- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb +++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb @@ -26,6 +26,7 @@ SRC_URI = \ file://fix-header-defs-lookup.patch \ file://pacemaker-remove-ptest-functionality.patch \ file://pacemaker-fix-xml-config.patch \ +file://pacemaker-no-bash.patch \ file://volatiles \ SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch @@ -80,5 +81,5 @@ RDEPENDS_${PN}-hb2openais += python-core FILES_${PN}-haresources2cib = ${libdir}/heartbeat/haresources2cib.py RDEPENDS_${PN}-haresources2cib += python-core FILES_${PN}-tests = ${datadir}/pacemaker/tests ${datadir}/pacemaker/stonithdtest ${libdir}/heartbeat/atest ${libdir}/heartbeat/stonithdtest/* -RDEPENDS_${PN}-test += python-core +RDEPENDS_${PN}-tests += python-core bash FILES_${PN}-snmp = ${datadir}/snmp/mibs/PCMK-MIB.txt -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
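Review bot: the new pacemaker-no-bash.patch changes only the shebang line of tools/crm_failcount, tools/crm_master, tools/crm_standby and extra/resources/o2cb and leaves the script bodies untouched, so any bash-only construct in them now fails at runtime instead of being caught by the file-rdeps QA check. The commit message should state that the four scripts were exercised under the target's /bin/sh. The patch file also lacks a description and Upstream-Status header.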
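Review bot: in the pacemaker_1.0.9.1.bb hunk the variable name changes from `RDEPENDS_${PN}-test` to `RDEPENDS_${PN}-tests`, which is a second fix that the commit message does not mention. The old name did not match the `${PN}-tests` package defined by FILES_${PN}-tests, so python-core was never applied as a runtime dependency of that package; call this out in the message, or split it into its own commit, so the behaviour change is visible in the history.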
[yocto] [meta-cgl][PATCH 6/9] ocfs2-tools: drop clutter-1.0 dependency
There is nothing in ocfs2-tools that depends on clutter. Drop corresponding package from DEPENDS list. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb index 92d79d3..4e171f4 100644 --- a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb +++ b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb @@ -24,7 +24,7 @@ SRC_URI[md5sum] = 296f1242f4d00d188231d726d7a1d148 SRC_URI[sha256sum] = a809f03c62e515a4c23e98c4b4c3f8150377af2cf44cd2a2ee56e175b0e4d0b3 S = ${WORKDIR}/ocfs2-tools-ocfs2-tools-1.4.3 inherit autotools-brokensep pkgconfig -DEPENDS = corosync openais clutter-1.0 cluster-glue pacemaker libxml2 linux-libc-headers e2fsprogs +DEPENDS = corosync openais cluster-glue pacemaker libxml2 linux-libc-headers e2fsprogs RDEPENDS_${PN} = bash coreutils net-tools module-init-tools e2fsprogs chkconfig glib-2.0 ASNEEDED_pn-${PN} = PARALLEL_MAKE = -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
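Review bot: the message asserts that nothing in ocfs2-tools uses clutter but does not say how that was checked. Note the check in the message (for example a clean build with clutter-1.0 absent from the sysroot), because configure scripts can enable features depending on what the sysroot contains and the resulting packages should be confirmed unchanged.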
Re: [yocto] Procedure to setup icecc for performing a distributed build
On Thu, Sep 6, 2012 at 2:17 PM, Paul Eggleton paul.eggle...@linux.intel.com wrote: On Thursday 16 August 2012 00:30:15 Elvis Dowson wrote: Otherwise, Dmitry, any suggestions? I'm assuming you made use of icecc.bbclass since you made some changes to it a while ago... I'm sorry, I had not tried icecc.bbclass lately. I should give it a try. Probably either on the weekend, or next week. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre -- With best wishes Dmitry