Re: [yocto] [meta-integrity] layer.conf: switch to keyutils from meta-oe
пн, 29 июл. 2019 г. в 13:45, : > > From: Dmitry Eremin-Solenikov > > As pointer by Martin Jansa, keyutils package is now a part of meta-oe, > so switch to using keyutils from that layer. > > Signed-off-by: Dmitry Eremin-Solenikov This patch is still necessary. -- With best wishes Dmitry -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing
Hellol,
вс, 4 авг. 2019 г. в 23:53, akuster808 :
> On 8/4/19 1:24 PM, Dmitry Eremin-Solenikov wrote:
> > вс, 4 авг. 2019 г. в 18:30, akuster808 :
> >> On 7/28/19 8:31 AM, Dmitry Eremin-Solenikov wrote:
> >>> From: Dmitry Eremin-Solenikov
> >>>
> >>> Add bbclass responsible for handling signing of kernel modules.
> >>>
> >>> Signed-off-by: Dmitry Eremin-Solenikov
> >>>
> >>> ---
> >>> meta-integrity/classes/kernel-modsign.bbclass | 29 +++
> >>> .../data/debug-keys/privkey_modsign.pem | 28 ++
> >>> .../data/debug-keys/x509_modsign.crt | 22 ++
> >>> 3 files changed, 79 insertions(+)
> >>> create mode 100644 meta-integrity/classes/kernel-modsign.bbclass
> >>> create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem
> >>> create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt
> >>>
> >>> diff --git a/meta-integrity/classes/kernel-modsign.bbclass
> >>> b/meta-integrity/classes/kernel-modsign.bbclass
> >>> new file mode 100644
> >>> index ..1e4d94b79091
> >>> --- /dev/null
> >>> +++ b/meta-integrity/classes/kernel-modsign.bbclass
> >>> @@ -0,0 +1,29 @@
> >>> +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
> >>> +# set explicitly in a local.conf before activating kernel-modsign.
> >>> +# To use the insecure (because public) example keys, use
> >>> +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
> >>> +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
> >>> +
> >>> +# Private key for modules signing. The default is okay when
> >>> +# using the example key directory.
> >>> +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
> >>> +
> >>> +# Public part of certificates used for modules signing.
> >>> +# The default is okay when using the example key directory.
> >>> +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
> >>> +
> >>> +# If this class is enabled, disable stripping signatures from modules
> >>> +INHIBIT_PACKAGE_STRIP = "1"
> >>> +
> >>> +do_configure_prepend() {
> >> This is being pulled in with every configure task and causing parsing
> >> issues.
> >>
> >> I changed it to "kernel_do_configure_prepend" and that fixed the issue I
> >> was seeing.
> > Interesting. I haven't seen this issue. Could you please share any details?
> >
> > Changed bbclass appears to work for me, so either of them is fine from my
> > point of view.
> with 'INHERIT += "kernel-modsign"' added to my local.conf I see this.
I see. My intent is to use DISTRO_FEATURES_append += "modsign".
A corresponding patch for oe-core/meta/classes/module.bbclass will be submitted
after this one goes in.
> bitbake integrity-image-minimal
> WARNING:
> /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb:
> Exception during build_dependencies for do_configure
> WARNING:
> /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb:
> Error during finalise of
> /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb
> ERROR: Unable to parse
> /home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb
> Traceback (most recent call last):
> File "/home/build/releases/master/poky/bitbake/lib/bb/siggen.py", line
> 149, in
> SignatureGeneratorOEBasicHash.finalise(fn='/home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb',
> d=, variant=None):
> try:
> >taskdeps = self._build_data(fn, d)
> except bb.parse.SkipRecipe:
> File "/home/build/releases/master/poky/bitbake/lib/bb/siggen.py", line
> 120, in
> SignatureGeneratorOEBasicHash._build_data(fn='/home/build/releases/master/poky/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb',
> d=):
> ignore_mismatch = ((d.getVar("BB_HASH_IGNORE_MISMATCH") or
> '') == '1')
> >tasklist, gendeps, lookupcache =
> bb.data.generate_dependencies(d)
>
> File "/home/build/releases/master/poky/bitbake/lib/bb/data.py", line
> 379, in generate_dependencies(d= 0x7f9905e4e7f0>):
> for task in tasklist:
> >deps[task], values[task] = build_dependencies(task, keys,
> shelldeps, varflagsexc
Re: [yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing
вс, 4 авг. 2019 г. в 18:30, akuster808 :
> On 7/28/19 8:31 AM, Dmitry Eremin-Solenikov wrote:
> > From: Dmitry Eremin-Solenikov
> >
> > Add bbclass responsible for handling signing of kernel modules.
> >
> > Signed-off-by: Dmitry Eremin-Solenikov
> > ---
> > meta-integrity/classes/kernel-modsign.bbclass | 29 +++
> > .../data/debug-keys/privkey_modsign.pem | 28 ++
> > .../data/debug-keys/x509_modsign.crt | 22 ++
> > 3 files changed, 79 insertions(+)
> > create mode 100644 meta-integrity/classes/kernel-modsign.bbclass
> > create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem
> > create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt
> >
> > diff --git a/meta-integrity/classes/kernel-modsign.bbclass
> > b/meta-integrity/classes/kernel-modsign.bbclass
> > new file mode 100644
> > index ..1e4d94b79091
> > --- /dev/null
> > +++ b/meta-integrity/classes/kernel-modsign.bbclass
> > @@ -0,0 +1,29 @@
> > +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
> > +# set explicitly in a local.conf before activating kernel-modsign.
> > +# To use the insecure (because public) example keys, use
> > +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
> > +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
> > +
> > +# Private key for modules signing. The default is okay when
> > +# using the example key directory.
> > +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
> > +
> > +# Public part of certificates used for modules signing.
> > +# The default is okay when using the example key directory.
> > +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
> > +
> > +# If this class is enabled, disable stripping signatures from modules
> > +INHIBIT_PACKAGE_STRIP = "1"
> > +
> > +do_configure_prepend() {
>
> This is being pulled in with every configure task and causing parsing
> issues.
>
> I changed it to "kernel_do_configure_prepend" and that fixed the issue I
> was seeing.
Interesting. I haven't seen this issue. Could you please share any details?
Changed bbclass appears to work for me, so either of them is fine from my
point of view.
> things appear to be still working, Can you double check.
--
With best wishes
Dmitry
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-integrity][PATCH] ima-evm-utils: bump to release 1.2.1
чт, 1 авг. 2019 г. в 14:43, akuster808 : > > Dmitry, > > > On 7/31/19 1:24 PM, dbarysh...@gmail.com wrote: > > From: Dmitry Eremin-Solenikov > > > > Signed-off-by: Dmitry Eremin-Solenikov > > --- > > ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 --- > > ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 > > ...clude-hash-info.gen-into-distributio.patch | 31 - > > ...ma-evm-utils-update-.gitignore-files.patch | 34 -- > > .../ima-evm-utils/ima-evm-utils_git.bb| 12 +--- > > 5 files changed, 3 insertions(+), 182 deletions(-) > > delete mode 100644 > > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch > > delete mode 100644 > > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch > > delete mode 100644 > > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch > > delete mode 100644 > > meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch > I am evaluation all your updates to this layer. I am traveling (PTO) and > have limited access to test system. I will either merge them or send > feedback in the next few days. Thank you for the update. I'll wait for the feedback. -- With best wishes Dmitry -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-integrity][PATCH 1/3] layer.conf: add dependency on meta-security
пн, 29 июл. 2019 г. в 12:49, Martin Jansa :
>
> On Wed, Jul 24, 2019 at 02:23:24PM +0300, Dmitry Eremin-Solenikov wrote:
> > ima-evm-utils recipe depends on keyutils recipe which is a part of
> > meta-security layer.
> >
> > Signed-off-by: Dmitry Eremin-Solenikov
> > ---
> > meta-integrity/conf/layer.conf | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
> > index 2f696cf7c332..917aa86e11d7 100644
> > --- a/meta-integrity/conf/layer.conf
> > +++ b/meta-integrity/conf/layer.conf
> > @@ -22,3 +22,5 @@ IMA_EVM_BASE := '${LAYERDIR}'
> > OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
> >
> > LAYERSERIES_COMPAT_integrity = "warrior"
> > +# ima-evm-utils depends on keyutils from meta-security
> > +LAYERDEPENDS_integrity = "core security"
>
> keyutils are now in meta-oe:
> http://git.openembedded.org/meta-openembedded/commit/?id=415e213ad75ec9a93171c963395a1c4b92c6233b
Thank you!
--
With best wishes
Dmitry
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security 3/3] linux: add support for kernel modules signing
From: Dmitry Eremin-Solenikov
Signed-off-by: Dmitry Eremin-Solenikov
---
meta-integrity/recipes-kernel/linux/linux-%.bbappend | 3 +++
meta-integrity/recipes-kernel/linux/linux/modsign.cfg | 5 +
meta-integrity/recipes-kernel/linux/linux/modsign.scc | 4
3 files changed, 12 insertions(+)
create mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.cfg
create mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.scc
diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index 931854ef8257..ca96c8d1901e 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,3 +1,6 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg',
'', d)}"
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', '
file://modsign.scc file://modsign.cfg', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign',
'', d)}
diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
new file mode 100644
index ..c0c4ebcf2e7b
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
@@ -0,0 +1,5 @@
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.scc
b/meta-integrity/recipes-kernel/linux/linux/modsign.scc
new file mode 100644
index ..bce78ae9b145
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/modsign.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware modsign.cfg
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing
From: Dmitry Eremin-Solenikov
Add bbclass responsible for handling signing of kernel modules.
Signed-off-by: Dmitry Eremin-Solenikov
---
meta-integrity/classes/kernel-modsign.bbclass | 29 +++
.../data/debug-keys/privkey_modsign.pem | 28 ++
.../data/debug-keys/x509_modsign.crt | 22 ++
3 files changed, 79 insertions(+)
create mode 100644 meta-integrity/classes/kernel-modsign.bbclass
create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem
create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt
diff --git a/meta-integrity/classes/kernel-modsign.bbclass
b/meta-integrity/classes/kernel-modsign.bbclass
new file mode 100644
index ..1e4d94b79091
--- /dev/null
+++ b/meta-integrity/classes/kernel-modsign.bbclass
@@ -0,0 +1,29 @@
+# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
+# set explicitly in a local.conf before activating kernel-modsign.
+# To use the insecure (because public) example keys, use
+# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+
+# Private key for modules signing. The default is okay when
+# using the example key directory.
+MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
+
+# Public part of certificates used for modules signing.
+# The default is okay when using the example key directory.
+MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
+
+# If this class is enabled, disable stripping signatures from modules
+INHIBIT_PACKAGE_STRIP = "1"
+
+do_configure_prepend() {
+if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
+cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
+> "${B}/modsign_key.pem"
+else
+bberror "Either modsign key or certificate are invalid"
+fi
+}
+
+do_shared_workdir_append() {
+cp modsign_key.pem $kerneldir/
+}
diff --git a/meta-integrity/data/debug-keys/privkey_modsign.pem
b/meta-integrity/data/debug-keys/privkey_modsign.pem
new file mode 100644
index ..4cac00ae303a
--- /dev/null
+++ b/meta-integrity/data/debug-keys/privkey_modsign.pem
@@ -0,0 +1,28 @@
+-BEGIN PRIVATE KEY-
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEWsJjB2pA5Ih6
+EelXvVjwWY1ix1azMciNRNPPQN1AMXF0K/VUkfOYbaPajg1cQYEf9gk3q7OZ5Axk
+UY/e5piZORaPcsmj0lV0L+NSlRYydR5M/QxtEz26585FgqRGdAe6umStPmVKdqa2
+d68O4PgQgJJtVuz6ndm+0uNEUDCVLwhkGQSwNB3qBbZAUX9escZ/a8eUiBfMYKaO
+k8JRyM+2br9dgpTFg4UfBYexgNSQo8g5TIBGc8KgQiKCuFj1fQEhV5z4RusHthjc
+NYXa3RHmdclxyrGeYr5ZRc47HqE1gd5NDR0WeHn4C4YKcfK1rZZz/2+6hfsIRfGx
+6cQKk23hAgMBAAECggEAJ0ULiWirPG04SkmYxF5vEiqm1zGMymvTc0VnoxSS60q4
+KQa9mvtRn5OV6JjuXRwQqga30zV4xvdP7yRMxMSTkllThL7tSuE/C+yj5xlABjlc
+JQOa35mwh9fibg5xslF0Vkj+55MKCPlv4CBRl4Uwt4QvRMTUwk6dhMeCgmATR1J1
+2/7AipjtfFYreDx7sLbRVvSzUhmZS0iCbNOhtTWPLNW+9YKHTOffKa04HzNtnAXq
+OjJ0IRZD/C6LfkBUsnHg2eEiA97QXh/Srsl9nc8DaUK1IXRywEdmYIoNMWMav2Hm
+RO8kkU30BqKW+/EO2ZbH2GmkxvwWd0ocBnLC3FRWEQKBgQDu4T8CB3YsOcVjqem4
+iBlaSht/b46YQc7A1SOqZCimehmmXNSxQOkapIG3wlIr5edtXQA+xv09+WrproUB
+SjAnqaH6pYeCvbNlY5k344gtYs+Kco2rq5GYa+LumAeX2Sam8F7u4LxvEogCecX7
+e4rnG3lt3AVuuRE7zpCQtaWcJQKBgQDSbUvea9pcYli9pssTl+ijQKkgG9DdaYbA
+I5w5bY1TPYZ/Ocysljefv/ssaHFh4DPxE1MQ5JHwZgZRo1EICxxYzGsLjyR/fmjz
+1c/NJlTtalCNtLvWaf7b02ag/abnP8neiSpLL5xqHvGo5ikWwgYQD+9HVKGvL3S1
+kI7x/ziADQKBgQCqFbkuMa/jh3LTJp0iZc1fa1qu3vhx0pFq3Zeab9w9xLxUps5O
+MwCGltFBzNuDJBwm00wkZrzTjq6gGkHbjD5DT1XkyE13OqjsLQFgOOKyJiPN2Qik
+TfHJzC91YMwvQ09xF78QaPXiRBiRYrEkAXACY56PKVS45I6vvcFTN/Ll/QKBgA9m
+KDMyuVwhZlUaq6nXaBLqXHYZEwPhARd2g6xANCNvUTRmSnAm3hM2vW7WhdWfzq1J
+uL53u6ZYEQZQaVGpXn2xF/RUmVsrKQsPDpH4yCZHrXVxUH20bA4yPkRxy5EIvgEn
+EI1IAq5RbWXq0f70W/U49U3HB74GPwg6d/uFreDRAoGAN+v9gMQA6A1vM7LvbYR8
+5CwwyqS/CfI9zKPLn53QstguXC/ObafIYQzVRqGb9lCQgtlmmKw4jMY0B/lDzpcH
+zS8rqoyvDj/m7i17NYkqXErJKLRQ0ptXKdLXHlG0u185e7Y5p4O3Z5dk8bACkpHi
+hp764y+BtU4qIcVaPsPK4uU=
+-END PRIVATE KEY-
diff --git a/meta-integrity/data/debug-keys/x509_modsign.crt
b/meta-integrity/data/debug-keys/x509_modsign.crt
new file mode 100644
index ..5fa2a9062a89
--- /dev/null
+++ b/meta-integrity/data/debug-keys/x509_modsign.crt
@@ -0,0 +1,22 @@
+-BEGIN CERTIFICATE-
+MIIDnjCCAoagAwIBAgIUUqmBj5Q8edHMMTXsoGVGEEKdwV4wDQYJKoZIhvcNAQEL
+BQAwZzEqMCgGA1UEAxMhbWV0YS1zZWN1cml0eSBtb2R1bGVzIHNpZ25pbmcga2V5
+MRQwEgYDVQQKEwtleGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUam9obi5kb2VA
+ZXhhbXBsZS5jb20wIBcNMTkwNzI3MjIzOTA3WhgPMjExOTA3MjcyMjM5MTVaMGcx
+KjAoBgNVBAMTIW1ldGEtc2VjdXJpdHkgbW9kdWxlcyBzaWduaW5nIGtleTEUMBIG
+A1UEChMLZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGpvaG4uZG9lQGV4YW1w
+bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFrCYwdqQOSI
+ehHpV71Y8FmNYsdWszHIjUTTz0DdQDFxdCv1VJHzmG2j2o4NXEGBH/YJN6uzmeQM
+ZFGP3uaYmTkWj3LJo9JVdC/jUpUWMnUeTP0MbRM9uufORYKkRnQHurpkrT5lSnam
+tnevDuD4EICSbVbs+p3ZvtLjRFAwlS8IZBkEsDQd6gW2QFF/XrHGf2vHlIgXzGCm
+jpPCUcjPtm6/XYKUx
[yocto] [meta-security 1/3] meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE
From: Dmitry Eremin-Solenikov
data/debug-keys will be reused for demo modsign keys, so rename
IMA_EVM_BASE to more generic INTEGRITY_BASE.
Signed-off-by: Dmitry Eremin-Solenikov
---
meta-integrity/README.md | 12 ++--
meta-integrity/classes/ima-evm-rootfs.bbclass| 2 +-
meta-integrity/conf/layer.conf | 6 +++---
.../recipes-core/images/integrity-image-minimal.bb | 2 +-
4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 5bef76e8dcd4..4607948781e2 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when
building
the image, enable image signing in the local.conf like this:
INHERIT += "ima-evm-rootfs"
-IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the
# In that shell, create the keys. Several options exist:
# 1. Self-signed keys.
-$IMA_EVM_BASE/scripts/ima-gen-self-signed.sh
+$INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
# 2. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the
# only creating new certificates does. Most likely the default
# attributes for these certificates need to be adapted; modify
# the scripts as needed.
-# $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh
-# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh
+# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
+# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
# 3. Keys signed by an existing CA.
-# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh
+# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
exit
When using ``ima-self-signed.sh`` as described above, self-signed keys
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The
modified systemd
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
-IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple"
+IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at
`/sys/kernel/security/ima/ascii_runtime_measurements`
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass
b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 8aec388dffed..d6ade3bf914f 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -1,7 +1,7 @@
# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
# set explicitly in a local.conf before activating ima-evm-rootfs.
# To use the insecure (because public) example keys, use
-# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
# Private key for IMA signing. The default is okay when
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index 917aa86e11d7..1d31edd9b151 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -13,13 +13,13 @@ BBFILE_PRIORITY_integrity = "6"
# Set a variable to get to the top of the metadata location. Needed
# for finding scripts (when following the README.md instructions) and
# default debug keys (in ima-evm-rootfs.bbclass).
-IMA_EVM_BASE := '${LAYERDIR}'
+INTEGRITY_BASE := '${LAYERDIR}'
# We must not export this path to all shell scripts (as in "export
-# IMA_EVM_BASE"), because that causes problems with sstate (becames
+# INTEGRITY_BASE"), because that causes problems with sstate (becames
# dependent on location of the layer). Exporting it to just the
# interactive shell is enough.
-OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
+OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
LAYERSERIES_COMPAT_integrity = "warrior"
# ima-evm-utils depends on keyutils from meta-security
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 6ed724df2267..e1bc6ffa0ed7 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -17,6 +17,6 @@ inherit core-image
export IMAGE_BASENAME = "integrity-image-minimal"
INHERIT += "ima-evm-rootfs"
-IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/dat
[yocto] [meta-security][PATCH v2 6/6] tpm2-tcti-uefi: build and install examples
From: Dmitry Eremin-Solenikov
Examples are usefull to actually check TPM2 from UEFI shell. Add them to
tpm2-tcti-uefi package.
Signed-off-by: Dmitry Eremin-Solenikov
---
.../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 13 +
1 file changed, 13 insertions(+)
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index b2d0b85af280..e822e2974f37 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -14,6 +14,17 @@ S = "${WORKDIR}/git"
inherit autotools pkgconfig
+EFIDIR ?= "/EFI/BOOT"
+
+do_compile_append() {
+ oe_runmake example
+}
+
+do_install_append() {
+ install -d "${D}${EFIDIR}"
+ install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}"
+}
+
EFI_ARCH_x86 = "ia32"
EFI_ARCH_x86-64 = "x86_64"
@@ -24,3 +35,5 @@ EXTRA_OECONF_append = "\
--with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \
"
RDEPENDS_${PN} = "gnu-efi"
+
+FILES_${PN} += "${EFIDIR}"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH v2 5/6] tpm2-tcti-uefi: stop inserting host directories into build path
From: Dmitry Eremin-Solenikov
Do not insert /usr/lib and /usr/lib64 into LDFLAGS.
Signed-off-by: Dmitry Eremin-Solenikov
---
...p-inserting-host-directories-into-co.patch | 27 +++
.../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb| 1 +
2 files changed, 28 insertions(+)
create mode 100644
meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
diff --git
a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
new file mode 100644
index ..3b54dddf763f
--- /dev/null
+++
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
@@ -0,0 +1,27 @@
+From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov
+Date: Wed, 3 Jul 2019 19:16:35 +0300
+Subject: [PATCH] configure.ac: stop inserting host directories into compile
+ path
+
+Do not insert /usr/lib and /usr/lib64 into library search path.
+
+Upstream-Status: OE specific
+Signed-off-by: Dmitry Eremin-Solenikov
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/configure.ac
+===
+--- git.orig/configure.ac
git/configure.ac
+@@ -81,7 +81,7 @@ AC_ARG_WITH([efi-lds],
+ AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds
file.]),
+ [],
+ [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
+-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}"
+
+ # path to object file from gnu-efi
+ AC_ARG_WITH([efi-crt0],
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 03140506931d..b2d0b85af280 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -6,6 +6,7 @@ DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig
autoconf-archive-native"
SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
file://configure_oe_fixup.patch \
+
file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
"
SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH v2 3/6] tpm2-tcti-uefi: add autoconf-archive-native dependency
From: Dmitry Eremin-Solenikov Add dependency on autoconf-archive-native to receive AX_* macro definitions. Signed-off-by: Dmitry Eremin-Solenikov --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 43854c414c22..983f72ebeb68 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -2,7 +2,7 @@ SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment" SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig" +DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH v2 2/6] tpm2-tss: fix compilation when using updated AX_CODE_COVERAGE macro
From: Dmitry Eremin-Solenikov New autoconf-archive comes with updated AX_CODE_COVERAGE macro, which is not compatible with current tpm2-tss source base. Apply upstream patch to fix this incompatibility. Signed-off-by: Dmitry Eremin-Solenikov --- ...-ax_code_coverage.m4-version-2019.01.patch | 84 +++ .../recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb | 3 +- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch new file mode 100644 index ..86b2cb6dd7d3 --- /dev/null +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch @@ -0,0 +1,84 @@ +From ec08ab41495ac40641475707c46e844503ada5b3 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel +Date: Mon, 7 Jan 2019 22:15:06 +0100 +Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06 + +@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced. +Also includes a compatibility switch for older versions of the file. + +Signed-off-by: Jonas Witschel +--- + .gitignore | 1 + + .travis.yml | 10 +- + Makefile.am | 6 ++ + configure.ac | 3 +++ + 4 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/.gitignore b/.gitignore +index 7c6a7b62e6c1..aa1a7efdff71 100644 +--- a/.gitignore b/.gitignore +@@ -26,6 +26,7 @@ + AUTHORS + tags + aclocal.m4 ++aminclude_static.am + autom4te.cache/ + [Bb]uild/ + [Dd]ebug/ +diff --git a/.travis.yml b/.travis.yml +index 55f88e22999b..a668e2953dc2 100644 +--- a/.travis.yml b/.travis.yml +@@ -44,11 +44,11 @@ addons: + + install: + # Autoconf archive +- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz +- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1 +- - tar xJf autoconf-archive-2017.09.28.tar.xz +- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/ +- - cp autoconf-archive-2017.09.28/m4/ax_prog_doxygen.m4 m4/ ++ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz ++ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1 ++ - tar xJf autoconf-archive-2019.01.06.tar.xz ++ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/ ++ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/ + # IBM-TPM + - wget https://download.01.org/tpm2/ibmtpm974.tar.gz + # OpenSSL 1.0.2 +diff --git a/Makefile.am b/Makefile.am +index 1b792d89a392..8e62e9c77c7d 100644 +--- a/Makefile.am b/Makefile.am +@@ -19,7 +19,13 @@ noinst_PROGRAMS = + + ### Add ax_* rules ### + # ax_code_coverage ++if AUTOCONF_CODE_COVERAGE_2019_01_06 ++include $(top_srcdir)/aminclude_static.am ++clean-local: code-coverage-clean ++dist-clean-local: code-coverage-dist-clean ++else + @CODE_COVERAGE_RULES@ ++endif + + # ax_doxygen + @DX_RULES@ +diff --git a/configure.ac b/configure.ac +index 6c7b0fd96399..22b79c50c015 100644 +--- a/configure.ac b/configure.ac +@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xno], + [ERROR_IF_NO_PROG([doxygen])]) + + AX_CODE_COVERAGE ++m4_ifdef([_AX_CODE_COVERAGE_RULES], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])]) + + AC_OUTPUT + +-- +2.20.1 + diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb index cf93159ce40f..ffbd3f4e4eff 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb @@ -8,7 +8,8 @@ DEPENDS = "autoconf-archive-native libgcrypt openssl" SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x \ +file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch" inherit autotools-brokensep pkgconfig systemd -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH v2 4/6] tpm2-tcti-uefi: fix configure arguments
From: Dmitry Eremin-Solenikov
Pass correct location of EFI's crt0 and ld script.
Signed-off-by: Dmitry Eremin-Solenikov
---
.../recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 983f72ebeb68..03140506931d 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -13,6 +13,13 @@ S = "${WORKDIR}/git"
inherit autotools pkgconfig
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_x86-64 = "x86_64"
+
COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
-EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi
--with-efi-lds=${STAGING_LIBDIR_NATIVE}/"
+EXTRA_OECONF_append = "\
+--with-efi-includedir=${STAGING_INCDIR}/efi \
+--with-efi-crt0=${STAGING_LIBDIR_NATIVE}/crt0-efi-${EFI_ARCH}.o \
+--with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \
+"
RDEPENDS_${PN} = "gnu-efi"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH v2 1/6] packagegroup-security-tpm2: stop including tpm2-tcti-uefi
From: Dmitry Eremin-Solenikov tpm2-tcti-uefi is a EFI module, so it should not be included in the rootfs. Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-core/packagegroup/packagegroup-security-tpm2.bb| 3 --- 1 file changed, 3 deletions(-) diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 9296d9967e32..8f5c537b9505 100644 --- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -21,6 +21,3 @@ RDEPENDS_packagegroup-security-tpm2 = " \ ibmswtpm2 \ cryptsetup-tpm-incubator \ " - -RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi" -RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 5/6] tpm2-tcti-uefi: stop inserting host directories into build path
From: Dmitry Eremin-Solenikov
Do not insert /usr/lib and /usr/lib64 into LDFLAGS.
Signed-off-by: Dmitry Eremin-Solenikov
---
...p-inserting-host-directories-into-co.patch | 30 +++
.../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb| 1 +
2 files changed, 31 insertions(+)
create mode 100644
meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
diff --git
a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
new file mode 100644
index ..bf9f8ff4a12a
--- /dev/null
+++
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
@@ -0,0 +1,30 @@
+From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov
+Date: Wed, 3 Jul 2019 19:16:35 +0300
+Subject: [PATCH] configure.ac: stop inserting host directories into compile
+ path
+
+Do not insert /usr/lib and /usr/lib64 into library search path.
+
+Upstream-Status: OE specific
+Signed-off-by: Dmitry Eremin-Solenikov
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 4e94f1eda363..54a1f39c019b 100644
+--- a/configure.ac
b/configure.ac
+@@ -84,7 +84,7 @@ AC_ARG_WITH([efi-lds],
+ AC_CHECK_FILE(["${with_efi_lds}"],
+ [],
+ [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])])
+-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}"
+
+ # path to object file from gnu-efi
+ AC_ARG_WITH([efi-crt0],
+--
+2.20.1
+
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index ed9b7e1ddc8e..78392289d7d9 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM =
"file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig
autoconf-archive-native"
SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+
file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
"
SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 6/6] tpm2-tcti-uefi: build and install examples
From: Dmitry Eremin-Solenikov
Examples are usefull to actually check TPM2 from UEFI shell. Add them to
tpm2-tcti-uefi package.
Signed-off-by: Dmitry Eremin-Solenikov
---
.../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 13 +
1 file changed, 13 insertions(+)
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 78392289d7d9..958bb603aa7a 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -13,6 +13,17 @@ S = "${WORKDIR}/git"
inherit autotools pkgconfig
+EFIDIR ?= "/EFI/BOOT"
+
+do_compile_append() {
+ oe_runmake example
+}
+
+do_install_append() {
+ install -d "${D}${EFIDIR}"
+ install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}"
+}
+
EFI_ARCH_x86 = "ia32"
EFI_ARCH_x86-64 = "x86_64"
@@ -23,3 +34,5 @@ EXTRA_OECONF_append = "\
--with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \
"
RDEPENDS_${PN} = "gnu-efi"
+
+FILES_${PN} += "${EFIDIR}"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 4/6] tpm2-tcti-uefi: fix configure arguments
From: Dmitry Eremin-Solenikov
Pass correct location of EFI's crt0 and ld script thus removing the need
to patch configure.ac.
Signed-off-by: Dmitry Eremin-Solenikov
---
.../files/configure_oe_fixup.patch| 27 ---
.../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb| 10 +--
2 files changed, 8 insertions(+), 29 deletions(-)
delete mode 100644
meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
diff --git
a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
deleted file mode 100644
index 8a216cd45eff..
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster
-
-Index: git/configure.ac
-===
git.orig/configure.ac
-+++ git/configure.ac
-@@ -84,9 +84,6 @@ AC_ARG_WITH([efi-lds],
- AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds
file.]),
- [],
- [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
--AC_CHECK_FILE(["${with_efi_lds}"],
-- [],
-- [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])])
- EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
-
- # path to object file from gnu-efi
-@@ -94,9 +91,6 @@ AC_ARG_WITH([efi-crt0],
- AS_HELP_STRING([--with-efi-crt0=OBJ_PATH],[Path to gnu-efi crt0
object file.]),
- [],
- [with_efi_crt0="/usr/lib/crt0-efi-${ARCH}.o"])
--AC_CHECK_FILE(["${with_efi_crt0}"],
-- [],
-- [AC_MSG_ERROR([Missing ${with_efi_crt0} file.])])
- EXTRA_LDLIBS="${with_efi_crt0}"
-
- # check for efi and gnuefi libraries
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 983f72ebeb68..ed9b7e1ddc8e 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -5,7 +5,6 @@ LIC_FILES_CHKSUM =
"file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig
autoconf-archive-native"
SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
- file://configure_oe_fixup.patch \
"
SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d"
@@ -13,6 +12,13 @@ S = "${WORKDIR}/git"
inherit autotools pkgconfig
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_x86-64 = "x86_64"
+
COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
-EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi
--with-efi-lds=${STAGING_LIBDIR_NATIVE}/"
+EXTRA_OECONF_append = "\
+--with-efi-includedir=${STAGING_INCDIR}/efi \
+--with-efi-crt0=${STAGING_LIBDIR_NATIVE}/crt0-efi-${EFI_ARCH}.o \
+--with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \
+"
RDEPENDS_${PN} = "gnu-efi"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/6] tpm2-tss: fix compilation when using updated AX_CODE_COVERAGE macro
From: Dmitry Eremin-Solenikov New autoconf-archive comes with updated AX_CODE_COVERAGE macro, which is not compatible with current tpm2-tss source base. Apply upstream patch to fix this incompatibility. Signed-off-by: Dmitry Eremin-Solenikov --- ...-ax_code_coverage.m4-version-2019.01.patch | 84 +++ .../recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb | 3 +- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch new file mode 100644 index ..86b2cb6dd7d3 --- /dev/null +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch @@ -0,0 +1,84 @@ +From ec08ab41495ac40641475707c46e844503ada5b3 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel +Date: Mon, 7 Jan 2019 22:15:06 +0100 +Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06 + +@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced. +Also includes a compatibility switch for older versions of the file. + +Signed-off-by: Jonas Witschel +--- + .gitignore | 1 + + .travis.yml | 10 +- + Makefile.am | 6 ++ + configure.ac | 3 +++ + 4 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/.gitignore b/.gitignore +index 7c6a7b62e6c1..aa1a7efdff71 100644 +--- a/.gitignore b/.gitignore +@@ -26,6 +26,7 @@ + AUTHORS + tags + aclocal.m4 ++aminclude_static.am + autom4te.cache/ + [Bb]uild/ + [Dd]ebug/ +diff --git a/.travis.yml b/.travis.yml +index 55f88e22999b..a668e2953dc2 100644 +--- a/.travis.yml b/.travis.yml +@@ -44,11 +44,11 @@ addons: + + install: + # Autoconf archive +- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz +- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1 +- - tar xJf autoconf-archive-2017.09.28.tar.xz +- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/ +- - cp autoconf-archive-2017.09.28/m4/ax_prog_doxygen.m4 m4/ ++ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz ++ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1 ++ - tar xJf autoconf-archive-2019.01.06.tar.xz ++ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/ ++ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/ + # IBM-TPM + - wget https://download.01.org/tpm2/ibmtpm974.tar.gz + # OpenSSL 1.0.2 +diff --git a/Makefile.am b/Makefile.am +index 1b792d89a392..8e62e9c77c7d 100644 +--- a/Makefile.am b/Makefile.am +@@ -19,7 +19,13 @@ noinst_PROGRAMS = + + ### Add ax_* rules ### + # ax_code_coverage ++if AUTOCONF_CODE_COVERAGE_2019_01_06 ++include $(top_srcdir)/aminclude_static.am ++clean-local: code-coverage-clean ++dist-clean-local: code-coverage-dist-clean ++else + @CODE_COVERAGE_RULES@ ++endif + + # ax_doxygen + @DX_RULES@ +diff --git a/configure.ac b/configure.ac +index 6c7b0fd96399..22b79c50c015 100644 +--- a/configure.ac b/configure.ac +@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xno], + [ERROR_IF_NO_PROG([doxygen])]) + + AX_CODE_COVERAGE ++m4_ifdef([_AX_CODE_COVERAGE_RULES], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])]) + + AC_OUTPUT + +-- +2.20.1 + diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb index cf93159ce40f..ffbd3f4e4eff 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb @@ -8,7 +8,8 @@ DEPENDS = "autoconf-archive-native libgcrypt openssl" SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x \ +file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch" inherit autotools-brokensep pkgconfig systemd -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 3/6] tpm2-tcti-uefi: add autoconf-archive-native dependency
From: Dmitry Eremin-Solenikov Add dependency on autoconf-archive-native to receive AX_* macro definitions. Signed-off-by: Dmitry Eremin-Solenikov --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 43854c414c22..983f72ebeb68 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -2,7 +2,7 @@ SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment" SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig" +DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/6] packagegroup-security-tpm2: stop including tpm2-tcti-uefi
From: Dmitry Eremin-Solenikov tpm2-tcti-uefi is a EFI module, so it should not be included in the rootfs. Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-core/packagegroup/packagegroup-security-tpm2.bb| 3 --- 1 file changed, 3 deletions(-) diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 9296d9967e32..8f5c537b9505 100644 --- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -21,6 +21,3 @@ RDEPENDS_packagegroup-security-tpm2 = " \ ibmswtpm2 \ cryptsetup-tpm-incubator \ " - -RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi" -RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi" -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-integrity][PATCH 3/3] ima-evm-utils: refresh xattr patch
Signed-off-by: Dmitry Eremin-Solenikov --- .../evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch index c0bdd9b496de..ffa65dfb00a1 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -23,9 +23,9 @@ diff --git a/src/evmctl.c b/src/evmctl.c index c54efbb..23cf54c 100644 --- a/src/evmctl.c +++ b/src/evmctl.c -@@ -56,6 +56,18 @@ - #include +@@ -57,6 +57,18 @@ #include + #include +/* + * linux/xattr.h might be old to have this. Allow compilation on older -- 2.20.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-integrity][PATCH 2/3] ima-evm-utils: bump version
Currently selected SRCREV (782224f33cd711050cbf6146a12122cd73f9136b)
comes after 1.1 ima-evm-utils release, so bump PV accordingly.
Signed-off-by: Dmitry Eremin-Solenikov
---
.../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index 623de09c3ad7..6d4f008df334 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -6,7 +6,7 @@ DEPENDS += "openssl attr keyutils"
DEPENDS_class-native += "openssl-native keyutils-native"
-PV = "1.0+git${SRCPV}"
+PV = "1.1+git${SRCPV}"
SRCREV = "782224f33cd711050cbf6146a12122cd73f9136b"
SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-integrity][PATCH 1/3] layer.conf: add dependency on meta-security
ima-evm-utils recipe depends on keyutils recipe which is a part of
meta-security layer.
Signed-off-by: Dmitry Eremin-Solenikov
---
meta-integrity/conf/layer.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index 2f696cf7c332..917aa86e11d7 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -22,3 +22,5 @@ IMA_EVM_BASE := '${LAYERDIR}'
OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
LAYERSERIES_COMPAT_integrity = "warrior"
+# ima-evm-utils depends on keyutils from meta-security
+LAYERDEPENDS_integrity = "core security"
--
2.20.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 07/10] ocfs2-tools: properly handle systemd DISTRO_FEATURE
Always inherit systemd bbclass (otherwise it is not pulled in even if
systemd is enabled). This makes few other settings in the recipe
unnecessary, thus they are dropped.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
index 4e171f4..1296fd6 100644
--- a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
+++ b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
@@ -42,11 +42,8 @@ do_compile_prepend() {
done
}
-inherit
${@base_contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit systemd
SYSTEMD_SERVICE_${PN} = o2cb.service ocfs2.service
-SYSTEMD_AUTO_ENABLE = enable
-
-FILES_${PN} +=
${@base_contains('VIRTUAL-RUNTIME_init_manager','systemd','${systemd_unitdir}','',
d)}
do_install() {
install -d ${D}/etc/init.d
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 01/10] cgl_common_security_flags.inc: add to fix building with security flags
Package openhpi is currently broken if distro uses security_flags.inc.
Flx that by adding layer-wide include file for such exceptions.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc | 1 +
meta-cgl-common/conf/layer.conf | 2 ++
2 files changed, 3 insertions(+)
create mode 100644
meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc
diff --git a/meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc
b/meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc
new file mode 100644
index 000..358ce58
--- /dev/null
+++ b/meta-cgl-common/conf/distro/include/cgl_common_security_flags.inc
@@ -0,0 +1 @@
+SECURITY_CFLAGS_pn-openhpi = ${SECURITY_NO_PIE_CFLAGS}
diff --git a/meta-cgl-common/conf/layer.conf b/meta-cgl-common/conf/layer.conf
index f5a0190..0c19a95 100644
--- a/meta-cgl-common/conf/layer.conf
+++ b/meta-cgl-common/conf/layer.conf
@@ -10,3 +10,5 @@ BBFILES += ${LAYERDIR}/recipes-*/*/*.bb \
BBFILE_COLLECTIONS += cgl-common
BBFILE_PATTERN_cgl-common = ^${LAYERDIR}/
BBFILE_PRIORITY_cgl-common = 7
+
+require conf/distro/include/cgl_common_security_flags.inc
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 03/10] pacemaker: provide tmpfiles configuration
provide systemd-tmpfiles configuration for distributions using systemd.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles | 5 +
meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb | 11 ++-
2 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles
diff --git a/meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles
b/meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles
new file mode 100644
index 000..1d2b295
--- /dev/null
+++ b/meta-cgl-common/recipes-cgl/pacemaker/files/tmpfiles
@@ -0,0 +1,5 @@
+d /var/lib/heartbeat/crm 0750 hacluster haclient -
+d /var/lib/pengine 0755 hacluster haclient -
+d /var/run/heartbeat 0755 hacluster haclient -
+d /var/run/heartbeat/rsctmp 0755 hacluster haclient -
+d /var/run/crm 0755 hacluster haclient -
diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
index 8bef6f4..a5cd284 100644
--- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
+++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
@@ -28,6 +28,7 @@ SRC_URI = \
file://pacemaker-fix-xml-config.patch \
file://pacemaker-no-bash.patch \
file://volatiles \
+ file://tmpfiles \
SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch
SRC_URI[md5sum] = 103fb2e804be3f8ace17021c5d9ad15d
@@ -47,13 +48,21 @@ GROUPADD_PARAM_${PN} = -r haclient
do_install_append() {
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/volatiles
${D}${sysconfdir}/default/volatiles/06_pacemaker
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles
${D}${sysconfdir}/tmpfiles.d/${PN}.conf
find ${D} -name *.pyo -exec rm {} \;
find ${D} -name *.pyc -exec rm {} \;
find ${D} -name *.py | xargs sed -i -e
s:${STAGING_BINDIR_NATIVE}:${bindir}:g
}
pkg_postinst_${PN} () {
- /etc/init.d/populate-volatile.sh update
+ if [ -z $D ]; then
+ if type systemd-tmpfiles /dev/null; then
+ systemd-tmpfiles --create
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
+ fi
}
FILES_${PN}-doc += ${datadir}/pacemaker/crm_cli.txt
${datadir}/pacemaker/templates/
FILES_${PN} += \
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 10/10] heartbeat: properly handle systemd DISTRO_FEATURE
Always inherit systemd bbclass (otherwise it is not pulled in even if
systemd is enabled). This makes few other settings in the recipe
unnecessary, thus they are dropped.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
index 5128c53..3a02d35 100644
--- a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
+++ b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
@@ -100,10 +100,8 @@ do_install() {
install -m 0600 ${S}/doc/authkeys ${D}/etc/ha.d/authkeys
}
-inherit
${@base_contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','',d)}
-SYSTEMD_PACKAGES = ${PN}
+inherit systemd
SYSTEMD_SERVICE_${PN} = heartbeat.service
-SYSTEMD_AUTO_ENABLE = disable
USERADD_PACKAGES = ${PN}
GROUPADD_PARAM_${PN} = -r haclient
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 02/10] pacemaker: use useradd class to add required user and group
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
index 43769bf..8bef6f4 100644
--- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
+++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
@@ -32,7 +32,7 @@ SRC_URI = \
SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch
SRC_URI[md5sum] = 103fb2e804be3f8ace17021c5d9ad15d
SRC_URI[sha256sum] =
aabfc9ee1c66804151d973d0ed0323798ffebe49e1c2219fa804dc6898a69a1e
-inherit autotools-brokensep python-dir pkgconfig
+inherit autotools-brokensep python-dir pkgconfig useradd
S = ${WORKDIR}/pacemaker-1.0-Pacemaker-${PV}
@@ -40,6 +40,10 @@ EXTRA_OECONF = --with-ais --without-heartbeat
--disable-fatal-warnings --disabl
CFLAGS += -I${STAGING_INCDIR}/heartbeat -lncurses
+USERADD_PACKAGES = ${PN}
+USERADD_PARAM_${PN} = --home-dir=${localstatedir}/lib/heartbeat -g haclient
-r hacluster
+GROUPADD_PARAM_${PN} = -r haclient
+
do_install_append() {
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/volatiles
${D}${sysconfdir}/default/volatiles/06_pacemaker
@@ -49,9 +53,6 @@ do_install_append() {
}
pkg_postinst_${PN} () {
- set -e
- grep haclient /etc/group || addgroup haclient
- grep hacluster /etc/passwd || adduser --disabled-password
--home=${localstatedir}/lib/heartbeat --ingroup haclient -g HA cluster
hacluster
/etc/init.d/populate-volatile.sh update
}
FILES_${PN}-doc += ${datadir}/pacemaker/crm_cli.txt
${datadir}/pacemaker/templates/
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 08/10] heartbeat: make bootstrap work without checking for libtool command
There is no use for just 'libtool' script, other than deriving
libtoolize from it. Make bootstrap script look for libtoolize directly
and forget about libtool completely.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
.../heartbeat/heartbeat-bootstrap-libtool.patch| 52 ++
.../recipes-cgl/heartbeat/heartbeat_3.0.5.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644
meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch
diff --git
a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch
b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch
new file mode 100644
index 000..bcddab2
--- /dev/null
+++
b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat/heartbeat-bootstrap-libtool.patch
@@ -0,0 +1,52 @@
+Index: Heartbeat-3-0-7e3a82377fa8/bootstrap
+===
+--- Heartbeat-3-0-7e3a82377fa8.orig/bootstrap
Heartbeat-3-0-7e3a82377fa8/bootstrap
+@@ -173,23 +173,22 @@ ln -s `which $automake` ./automake
+
+ # Check for Libtool
+ pkg=libtool
+-for command in libtool libtool14 libtool15 glibtool
++for command in libtoolize libtoolize14 libtoolize15 glibtoolize
+ do
+ URL=$gnu/$pkg/
+ if
+ testProgram $command
+ then
+ : OK $pkg is installed
+-libtool=$command
+-libtoolize=`echo $libtool | sed -e 's/libtool/libtoolize/'`
++libtoolize=$command
+ fi
+ done
+
+ # Check to see if we got a valid command.
+ if
+-$libtool --version /dev/null /dev/null 21
++$libtoolize --version /dev/null /dev/null 21
+ then
+-echo Libtool package $libtool found.
++echo Libtool package $libtoolize found.
+ else
+ RC=$?
+ cat -EOF 2
+@@ -200,10 +199,6 @@ else
+ EOF
+ fi
+
+-# Create local copy so that the incremental updates will work.
+-rm -f ./libtool
+-ln -s `which $libtool` ./libtool
+-
+ case $RC in
+ 0) ;;
+ *) exit $RC;;
+@@ -217,7 +212,7 @@ oneline() {
+ read x; echo $x
+ }
+
+-LT_version=`$libtool --version | oneline | sed -e 's%^[^0-9]*%%' -e s'% .*%%'`
++LT_version=`$libtoolize --version | oneline | sed -e 's%^[^0-9]*%%' -e s'%
.*%%'`
+ LT_majvers=`echo $LT_version | sed -e 's%\..*%%'`
+ LT_minvers=`echo $LT_version | sed -e 's%^[^.]*\.%%' `
+ LT_minnum=`echo $LT_minvers | sed -e 's%[^0-9].*%%'`
diff --git a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
index 369bd23..184ad22 100644
--- a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
+++ b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
@@ -34,6 +34,7 @@ SRC_URI = \
file://ucast.c-fix-compile-errors.patch \
file://configure.in-Error-and-warning-fix.patch \
file://heartbeat-init.d-heartbeat.in-modify-parameter.patch \
+file://heartbeat-bootstrap-libtool.patch \
file://heartbeat.service \
SRC_URI[md5sum] = 396510e3c143a9c2288bc52cfc9caa3c
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 09/10] heartbeat: add gnutls dependency
Add dependency on gnutls as noted by the following QA warnings:
WARNING: QA Issue: heartbeat rdepends on nettle, but it isn't a build
dependency? [build-deps]
WARNING: QA Issue: heartbeat rdepends on gnutls, but it isn't a build
dependency? [build-deps]
WARNING: QA Issue: heartbeat rdepends on gmp, but it isn't a build dependency?
[build-deps]
Both nettle and gmp are used by gnutls, so there is no point adding them
to the dependencies list -- those are indirect dependencies anyway.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
index 184ad22..5128c53 100644
--- a/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
+++ b/meta-cgl-common/recipes-cgl/heartbeat/heartbeat_3.0.5.bb
@@ -40,7 +40,7 @@ SRC_URI = \
SRC_URI[md5sum] = 396510e3c143a9c2288bc52cfc9caa3c
SRC_URI[sha256sum] =
085013154511f3c270b5e9a3281732dbbb9812924ae24d9c3c6db1af4dd260d0
S = ${WORKDIR}/Heartbeat-3-0-7e3a82377fa8/
-DEPENDS = cluster-glue corosync
+DEPENDS = cluster-glue corosync gnutls
inherit autotools-brokensep pkgconfig useradd
EXTRA_OECONF = \
STAGING_DIR_TARGET=${STAGING_DIR_TARGET} \
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 06/10] cluster-glue: add another directory to volatiles and tmpfiles config
Add /var/run/heartbeat directory to volatiles and tmpfiles configuration. Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles | 1 + meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles index 252e13f..b683b28 100644 --- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles @@ -4,4 +4,5 @@ d /var/lib/heartbeat/cores 0755 hacluster haclient - d /var/lib/heartbeat/cores/hacluster 0700 hacluster haclient - d /var/lib/heartbeat/cores/root 0700 root root - d /var/lib/heartbeat/cores/nobody 0700 nobody nogroup - +d /var/run/heartbeat 0755 root root - diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles index 892db1b..d6f0c87 100644 --- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles +++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/volatiles @@ -3,4 +3,5 @@ d hacluster haclient 0750 /var/lib/heartbeat/pengine none d hacluster haclient 0755 /var/lib/heartbeat/cores none d hacluster haclient 0700 /var/lib/heartbeat/cores/hacluster none d root root 0700 /var/lib/heartbeat/cores/root none -d nobody nogroup 0700 /var/lib/heartbeat/cores/nobody none \ No newline at end of file +d nobody nogroup 0700 /var/lib/heartbeat/cores/nobody none +d root root 0755 /var/run/heartbeat none -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 05/10] cluster-glue: provide tmpfiles configuration
provide systemd-tmpfiles configuration for distributions using systemd.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
.../recipes-cgl/cluster-glue/cluster-glue/tmpfiles| 7 +++
.../recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb| 11 ++-
2 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644
meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles
diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles
b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles
new file mode 100644
index 000..252e13f
--- /dev/null
+++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue/tmpfiles
@@ -0,0 +1,7 @@
+d /var/lib/heartbeat 0755 root root -
+d /var/lib/heartbeat/pengine 0750 hacluster haclient -
+d /var/lib/heartbeat/cores 0755 hacluster haclient -
+d /var/lib/heartbeat/cores/hacluster 0700 hacluster haclient -
+d /var/lib/heartbeat/cores/root 0700 root root -
+d /var/lib/heartbeat/cores/nobody 0700 nobody nogroup -
+
diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
index adf3b48..f1b4a78 100644
--- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
+++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
@@ -13,6 +13,7 @@ SRC_URI = \
file://glue-remove-getpid-check.patch \
file://fix-const-cast.patch \
file://volatiles \
+file://tmpfiles \
SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch
SRC_URI[md5sum] = d2b6f798e58ef2497526e404b8ad640a
@@ -39,10 +40,18 @@ do_configure_prepend() {
do_install_append() {
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/volatiles
${D}${sysconfdir}/default/volatiles/04_cluster-glue
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles
${D}${sysconfdir}/tmpfiles.d/${PN}.conf
}
pkg_postinst_${PN} () {
- /etc/init.d/populate-volatile.sh update
+ if [ -z $D ]; then
+ if type systemd-tmpfiles /dev/null; then
+ systemd-tmpfiles --create
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
+ fi
}
PACKAGES += \
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 04/10] cluster-glue: use useradd class to add required user and group
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
index c31c85d..adf3b48 100644
--- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
+++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
@@ -20,7 +20,7 @@ SRC_URI[sha256sum] =
0e1922373aba1c3811f6ef61559a9c407c0bec71d2ebc451a4db5b940d
LIC_FILES_CHKSUM =
file://${COREBASE}/meta/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe
-inherit autotools
+inherit autotools useradd
S = ${WORKDIR}/Reusable-Cluster-Components-glue--glue-${PV}
@@ -28,6 +28,10 @@ EXTRA_OECONF = --with-daemon-user=hacluster
--with-daemon-group=haclient --disa
CACHED_CONFIGUREVARS=ac_cv_path_XML2CONFIG=0
+USERADD_PACKAGES = ${PN}
+USERADD_PARAM_${PN} = --home-dir=${localstatedir}/lib/heartbeat -g haclient
-r hacluster
+GROUPADD_PARAM_${PN} = -r haclient
+
do_configure_prepend() {
ln -sf ${PKG_CONFIG_SYSROOT_DIR}/usr/include/libxml2/libxml
${PKG_CONFIG_SYSROOT_DIR}/usr/include/libxml
}
@@ -38,9 +42,6 @@ do_install_append() {
}
pkg_postinst_${PN} () {
- set -e
- grep haclient /etc/group || addgroup haclient
- grep hacluster /etc/passwd || adduser --disabled-password
--home=${localstatedir}/lib/heartbeat --ingroup haclient -g HA cluster
hacluster
/etc/init.d/populate-volatile.sh update
}
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 2/9] packagegroup-cgl-swdevtools: don't depend on numactl on arm
Package numactl is disabled on ARM platform. Do no depend on it if we
are building for this platform.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
index 84e747f..9f9ae03 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
@@ -9,6 +9,9 @@ inherit packagegroup
PACKAGES = packagegroup-cgl-swdevtools
+NUMACTL = numactl
+NUMACTL_arm =
+
RDEPENDS_packagegroup-cgl-swdevtools = \
libuio \
libcap-ng \
@@ -17,7 +20,7 @@ RDEPENDS_packagegroup-cgl-swdevtools = \
libsocket6-perl \
libmailtools-perl \
libhtml-tagset-perl \
-numactl \
+${NUMACTL} \
RRECOMMENDS_packagegroup-cgl-swdevtools =
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 3/9] cluster-glue: add openhpi and net-snmp to DEPENDS
cluster-glue makes use of openhpi and net-snmp libraries, so DEPEND on
them as pointed by the following QA warnings:
cluster-glue-1.0.5: cluster-glue-plugin-stonith2 rdepends on net-snmp-libs, but
it isn't a build dependency? [build-deps]
cluster-glue-1.0.5: cluster-glue-plugin-stonith2 rdepends on openhpi, but it
isn't a build dependency? [build-deps]
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
index de348e8..c31c85d 100644
--- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
+++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.5.bb
@@ -4,7 +4,7 @@ is not the cluster messaging layer (Heartbeat), nor the cluster
resource manager
(Pacemaker), nor a Resource Agent.
LICENSE = GPLv2
-DEPENDS = libxml2 libtool glib-2.0 bzip2 util-linux
+DEPENDS = libxml2 libtool glib-2.0 bzip2 util-linux net-snmp openhpi
SRC_URI = \
http://hg.linux-ha.org/glue/archive/glue-${PV}.tar.bz2 \
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 7/9] openais: make openais script use sh instead of bash
There is no point in using bash for the openais script, if just sh is
enough. In addition this fixes the following QA warning:
openais-1.1.3: /etc/init.d/openais_openais contained in package openais
requires /bin/bash, but no providers found in its RDEPENDS [file-rdeps]
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
.../recipes-cgl/openais/files/openais-fix-bash.patch | 10 ++
meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb | 1 +
2 files changed, 11 insertions(+)
create mode 100644
meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch
diff --git a/meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch
b/meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch
new file mode 100644
index 000..ede77e8
--- /dev/null
+++ b/meta-cgl-common/recipes-cgl/openais/files/openais-fix-bash.patch
@@ -0,0 +1,10 @@
+Index: openais-1.1.3/init/generic.in
+===
+--- openais-1.1.3.orig/init/generic.in
openais-1.1.3/init/generic.in
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+ # Authors:
+ # Andrew Beekhof abeek...@redhat.com
diff --git a/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb
b/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb
index 2a03b9a..f4563c9 100644
--- a/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb
+++ b/meta-cgl-common/recipes-cgl/openais/openais_1.1.3.bb
@@ -9,6 +9,7 @@ SRC_URI = \
ftp://f...@tux.rainside.sk/gentoo/distfiles/openais-${PV}.tar.gz \
file://fix-lcrso-linkage.patch \
file://build-cleanup-configure-ac.patch \
+file://openais-fix-bash.patch \
SRC_URI[md5sum] = 13d8d590f806fb396d750b086c6c0b78
SRC_URI[sha256sum] =
eeef58dd2df3eb16ba68b3fbdc6f0d4dfb537443f1c091ec6f0431594f2f00b6
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 4/9] cluster-resource-agents: add sha256 sum of the tarball
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com --- .../recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb index 0ac89b2..5372786 100644 --- a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb +++ b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb @@ -13,6 +13,7 @@ SRC_URI = \ SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch SRC_URI[md5sum] = fcaa2cfd83a28d1965200e11db2ddd41 +SRC_URI[sha256sum] = 09b58332e34cf128c8d53d5bb4b3f61e402c2e0c0c809f5abae53ca144ad101e inherit autotools -- 2.1.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 1/9] packagegroup-cgl-*: fix LIC_FILES_CHKSUM variables
LIC_FILES_CHKSUM variables in all packagegroup files reference wrong
location of the COPYING.MIT file resulting in warnings during build. Fix
them by pointing to the main COPYING.MIT file in OE-Core.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb | 2 +-
meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb | 2 +-
meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb | 2 +-
meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb | 2 +-
meta-cgl-common/packagegroups/packagegroup-cgl.bb | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
index 532712e..f823ece 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
@@ -2,7 +2,7 @@ SUMMARY = Application packages required to satisfy the Carrier
Grade Linux (CGL
DESCRIPTION = This package group includes the application with which the user
interacts \
when using a Linux operation system.
LICENSE = MIT
-LIC_FILES_CHKSUM =
file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
+LIC_FILES_CHKSUM =
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
inherit packagegroup
inherit pkgconfig
diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb
b/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb
index 2925535..bff7c4c 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-kernel.bb
@@ -3,7 +3,7 @@ DESCRIPTION = This package group contains hardened device
drivers, HW configura
management, standard, high availability, service and
co-processor interfaces.
LICENSE = MIT
-LIC_FILES_CHKSUM =
file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
+LIC_FILES_CHKSUM =
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
inherit packagegroup
diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
index d0a5213..effdb81 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
@@ -2,7 +2,7 @@ SUMMARY = Middleware packages required to satisfy the Carrier
Grade Linux (CGL)
DESCRIPTION = This package group contains high availability application and
platform \
interfaces, databases, application servers, communication
protocols etc.
LICENSE = MIT
-LIC_FILES_CHKSUM =
file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
+LIC_FILES_CHKSUM =
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
inherit packagegroup
diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
index 591f120..84e747f 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-swdevtools.bb
@@ -2,7 +2,7 @@ SUMMARY = Software development tools packages required to
satisfy the Carrier G
DESCRIPTION = This package group contains programs or applications used to
create, debug, maintain, \
or otherwise support other programs and applications.
LICENSE = MIT
-LIC_FILES_CHKSUM =
file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
+LIC_FILES_CHKSUM =
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
inherit packagegroup
diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl.bb
b/meta-cgl-common/packagegroups/packagegroup-cgl.bb
index 3a64bbf..2c999e0 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl.bb
@@ -2,7 +2,7 @@ SUMMARY = Packages required to satisfy the Carrier Grade Linux
(CGL) specificat
DESCRIPTION = This package group is the one that gathers all the available \
package groups.
LICENSE = MIT
-LIC_FILES_CHKSUM =
file://${COREBASE}/meta-cgl/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420
+LIC_FILES_CHKSUM =
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20421
inherit packagegroup
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 5/9] cluster-resource-agents: add bash to RDEPENDS for ocft and ${PN}
Add bash to respective RDEPENDS as pointed by QA WARNINGS:
cluster-resource-agents-1.0.3: /usr/sbin/ocft_ocft contained in package ocft
requires /bin/bash, but no providers found in its RDEPENDS [file-rdeps]
cluster-resource-agents-1.0.3:
/usr/lib/ocf/resource.d/heartbeat/AoEtarget_cluster-resource-agents contained
in package cluster-resource-agents requires /bin/bash, but no providers found
in its RDEPENDS [file-rdeps]
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
.../cluster-resource-agents/cluster-resource-agents_1.0.3.bb | 8
1 file changed, 8 insertions(+)
diff --git
a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb
b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb
index 5372786..ee733f7 100644
---
a/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb
+++
b/meta-cgl-common/recipes-cgl/cluster-resource-agents/cluster-resource-agents_1.0.3.bb
@@ -76,9 +76,17 @@ FILES_${PN} += \
${datadir}/resource-agents/ra-api-1.dtd \
+RDEPENDS_ocft += \
+ bash \
+
+
FILES_ocft += \
${datadir}/resource-agents/ocft \
${sbindir}/ocft \
+RDEPENDS_${PN} += \
+ bash \
+
+
FILES_${PN}-dbg += ${libdir}/heartbeat/.debug/
${libdir}/ocf/resource.d/heartbeat/.debug/
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 9/9] pacemaker: fix runtime dependencies on bash
Add bash to the pacemaker-tests RDEPENDS. Also make all scripts that are
installed in main pacemaker package use sh instead of bash.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
.../pacemaker-1.0.9.1/pacemaker-no-bash.patch | 40 ++
.../recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb | 3 +-
2 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644
meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch
diff --git
a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch
b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch
new file mode 100644
index 000..6f9639d
--- /dev/null
+++
b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker-1.0.9.1/pacemaker-no-bash.patch
@@ -0,0 +1,40 @@
+Index: pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_failcount
+===
+--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/tools/crm_failcount
pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_failcount
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+ options=
+ target=`uname -n`
+Index: pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_master
+===
+--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/tools/crm_master
pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_master
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+ TEMP=`getopt -o DGQVN:U:v:i:l:r: --long
resource:,node:,uname:,attr-value:,delete-attr,get-value,attr-id:,lifetime:,quiet
\
+ -n 'crm_master' -- $@`
+Index: pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_standby
+===
+--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/tools/crm_standby
pacemaker-1.0-Pacemaker-1.0.9.1/tools/crm_standby
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+ op=
+ options=
+Index: pacemaker-1.0-Pacemaker-1.0.9.1/extra/resources/o2cb
+===
+--- pacemaker-1.0-Pacemaker-1.0.9.1.orig/extra/resources/o2cb
pacemaker-1.0-Pacemaker-1.0.9.1/extra/resources/o2cb
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ # Copyright (c) 2005,2008 Oracle
+ # Copyright (c) 2008 Andrew Beekhof
+ #All Rights Reserved.
diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
index 174ebd1..43769bf 100644
--- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
+++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.0.9.1.bb
@@ -26,6 +26,7 @@ SRC_URI = \
file://fix-header-defs-lookup.patch \
file://pacemaker-remove-ptest-functionality.patch \
file://pacemaker-fix-xml-config.patch \
+file://pacemaker-no-bash.patch \
file://volatiles \
SRC_URI_append_libc-uclibc = file://kill-stack-protector.patch
@@ -80,5 +81,5 @@ RDEPENDS_${PN}-hb2openais += python-core
FILES_${PN}-haresources2cib = ${libdir}/heartbeat/haresources2cib.py
RDEPENDS_${PN}-haresources2cib += python-core
FILES_${PN}-tests = ${datadir}/pacemaker/tests
${datadir}/pacemaker/stonithdtest ${libdir}/heartbeat/atest
${libdir}/heartbeat/stonithdtest/*
-RDEPENDS_${PN}-test += python-core
+RDEPENDS_${PN}-tests += python-core bash
FILES_${PN}-snmp = ${datadir}/snmp/mibs/PCMK-MIB.txt
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 6/9] ocfs2-tools: drop clutter-1.0 dependency
There is nothing in ocfs2-tools that depends on clutter. Drop
corresponding package from DEPENDS list.
Signed-off-by: Dmitry Eremin-Solenikov dmitry_ere...@mentor.com
---
meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
index 92d79d3..4e171f4 100644
--- a/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
+++ b/meta-cgl-common/recipes-cgl/ocfs2-tools/ocfs2-tools_1.4.3.bb
@@ -24,7 +24,7 @@ SRC_URI[md5sum] = 296f1242f4d00d188231d726d7a1d148
SRC_URI[sha256sum] =
a809f03c62e515a4c23e98c4b4c3f8150377af2cf44cd2a2ee56e175b0e4d0b3
S = ${WORKDIR}/ocfs2-tools-ocfs2-tools-1.4.3
inherit autotools-brokensep pkgconfig
-DEPENDS = corosync openais clutter-1.0 cluster-glue pacemaker libxml2
linux-libc-headers e2fsprogs
+DEPENDS = corosync openais cluster-glue pacemaker libxml2 linux-libc-headers
e2fsprogs
RDEPENDS_${PN} = bash coreutils net-tools module-init-tools e2fsprogs
chkconfig glib-2.0
ASNEEDED_pn-${PN} =
PARALLEL_MAKE =
--
2.1.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] Procedure to setup icecc for performing a distributed build
On Thu, Sep 6, 2012 at 2:17 PM, Paul Eggleton paul.eggle...@linux.intel.com wrote: On Thursday 16 August 2012 00:30:15 Elvis Dowson wrote: Otherwise, Dmitry, any suggestions? I'm assuming you made use of icecc.bbclass since you made some changes to it a while ago... I'm sorry, I had not tried icecc.bbclass lately. I should give it a try. Probably either on Weekend, or next week. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre -- With best wishes Dmitry ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
