[yocto] How to create a signed bootloader and Linux kernel on a UEFI BIOS
Hello,

Securing the full boot chain on a UEFI BIOS such as those provided on Intel platforms is possible but not that simple. Working, detailed documentation is not easy to find anywhere.

Some of my students from Lorient (University of South Brittany) have done a good documentation job on a HowTo to create and boot a signed kernel and Grub2 on a UEFI BIOS. As it could be useful to some of you, I share the link.

https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html

Thanks to Romain Brenaget, Jerôme Blanchard and Pierre Fontaine from the Master1 in Embedded Cyber Security.
fontaine.e1800...@etud.univ-ubs.fr
brenaget.e1803...@etud.univ-ubs.fr
blanchard.e1804...@etud.univ-ubs.fr

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] Errors building with Windows Subsystem for Linux (aka Bash on Ubuntu on Windows)
On 26/09/2017 at 19:16, Bryan Evenson wrote:
> All,
>
> Due to what our IT department can support, I am issued a Windows laptop for
> development. In the past I have used VMWare to make a Linux virtual machine
> for my Yocto Project based image builds and application development. We are
> starting to get Windows 10 laptops so I am evaluating doing my builds using
> the Windows Subsystem for Linux (WSL) by building a poky/morty image.
> Overall it seems to be working. I've had an issue that I've worked through
> and other issues that I'm not quite sure what is going on.
>

Hi Bryan,

I have been trying the same thing, attempting to build Automotive Grade Linux from Linux for Windows subsystem. We have many adopters of AGL who also receive Windows PCs from their IT department. While VMs work, they impose a serious limitation on memory and CPU usage.

We all know that Linux For Windows is a very green SW, but I did not expect to have so much pain to upgrade to the current Windows10 build (version 1703). Deactivating the Antivirus with the help of IT was painful and slow.

Now that I run 1703, it kind of gives hope that it may work, but it does not. I see random errors on variable expansion with an error (disk I/O error). Looks as if the file system was not very happy.

My IT PC does not let me run Windows pre build, so I do not know if progress is coming soon or not. Likely will do a test when the next build of Win10 is coming to me. In the meantime, I will stick to my Linux Machine which works fine. But it would be nice to have it working for many corporations.

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
Re: [yocto] AppArmor
Anders,

in the Automotive Grade Linux (AGL) we are using Smack + Cynara and that has required quite a bit of side work to make it operational.
- http://docs.automotivelinux.org/

I have been presenting AGL Smack based security model in quite a few conferences over the world and not many people have come to me to talk about their "solution" working either on SE Linux or AppArmor. So far I have the impression that AGL is quite unique in its full integration of an LSM module in an embedded project.

One of the members of Genivi Alliance (I believe it was Bosch with its product called at the time eCore) told (about 3 years ago) that they would put their security framework, which was based on AppArmor, in the Open, but I have never heard about it since that time.

Initialisation and update/upgrade are where the LSM provides most of the pain. They rarely work out of the box once that LSM is active.

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre

On 20/06/2017 at 15:19, Anders Montonen wrote:

Hi,

Has anyone tried using AppArmor with Yocto? The recipe in the meta-security layer is broken, and when fixed so it actually builds, it turns out the installed init script relies on functions not found in Yocto's version of LSB.

Regards,
Anders
Re: [yocto] how to activate tpm - Minnow BIOS 64 bits
Ulf;

Would you know if the latest BIOS (v0.95) with tpm2 enabled for the Minnowboard Max is available for download somewhere ?
The default repo does only provide tpm2 for 32 bits BIOS (which is of no use to AGL).
- https://firmware.intel.com/projects/minnowboard-max

While the provided pointers are very valuable, they do not provide a scalable solution for general users in the Automotive Grade Linux project.

Would you know why the Minnowboard does not provide tpm2 enabled for the 64 bits BIOS ?

Dominig

On 09/05/2017 at 20:12, Hofemeier, Ulf wrote:

Hi Dominig,

Please check out this article.
https://prosauce.org/blog/2016/1/11/minnowboard-max-enable-and-test-the-firmware-txe-tpm-20

Also, there has been a person in the MinnowBoard GitHub issue tracker who successfully enabled TPM2 for this platform. See the thread here:
https://github.com/MinnowBoard-org/bugs-and-help/issues/29

Thanks,
Ulf

From: <yocto-boun...@yoctoproject.org> on behalf of Dominig Foll <dominig.arf...@fridu.net>
Date: Tuesday, May 9, 2017 at 8:12 AM
To: "yocto@yoctoproject.org" <yocto@yoctoproject.org>
Subject: [yocto] how to activate tpm

Hello,

I am trying to get tpm working on a Minnowboard and a Joule.
I have enabled tpm in meta-security.
I can see that the Kernel config looks good (see extract below)
tpm is enabled in the BIOS (fails with TPM>PTT or dTPM 2.0)
BUT I still cannot see my tpm device in /sys/class/tpm

Has anyone succeeded to enable tpm with meta-security ?
If yes, I would be interested to know how you have done.

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre

--- log device not visible --
tcsd -f
TCSD TDDL ERROR: Could not find a device to open!
root@intel-corei7-64:~# modprobe -D tpm
builtin tpm
root@intel-corei7-64:~# modprobe -D tpm_tis
builtin tpm_tis
root@intel-corei7-64:/tmp# ls /sys/class/tpm
root@intel-corei7-64:/tmp#

- kernel config extract --
CONFIG_HW_RANDOM_TPM=m
# CONFIG_NVRAM is not set
# CONFIG_R3964 is not set
# CONFIG_APPLICOM is not set
# CONFIG_MWAVE is not set
# CONFIG_RAW_DRIVER is not set
CONFIG_HPET=y
CONFIG_HPET_MMAP=y
CONFIG_HPET_MMAP_DEFAULT=y
# CONFIG_HANGCHECK_TIMER is not set
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
# CONFIG_TCG_TIS_SPI is not set
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
# CONFIG_TCG_NSC is not set
# CONFIG_TCG_ATMEL is not set
# CONFIG_TCG_INFINEON is not set
CONFIG_TCG_CRB=y
CONFIG_TCG_VTPM_PROXY=y
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
# CONFIG_TELCLOCK is not set
CONFIG_DEVPORT=y
# CONFIG_XILLYBUS is not set

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
Re: [yocto] [meta-security][PATCH 00/10] move tpm into its own layer
-tpm/recipes-tpm}/libtpm/libtpm_1.0.bb (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/swtpm/files/fix_fcntl_h.patch (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/swtpm/files/fix_lib_search_path.patch (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/swtpm/files/fix_signed_issue.patch (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/swtpm/files/ioctl_h.patch (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/swtpm/swtpm-wrappers-native.bb (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/swtpm/swtpm_1.0.bb (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/tpm-tools/files/tpm-tools-extendpcr.patch (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/tpm-tools/tpm-tools_git.bb (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/tpm2.0-tools/tpm2.0-tools_git.bb (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4 (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/tpm2.0-tss/tpm2.0-tss_git.bb (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/tpm2simulator/tpm2simulator-native_116.bb (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/trousers/files/tcsd.service (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/trousers/files/trousers-udev.rules (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/trousers/files/trousers.init.sh (100%)
rename {recipes-tpm => meta-tpm/recipes-tpm}/trousers/trousers_git.bb (100%)

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
[yocto] how to activate tpm
Hello,

I am trying to get tpm working on a Minnowboard and a Joule.
I have enabled tpm in meta-security.
I can see that the Kernel config looks good (see extract below)
tpm is enabled in the BIOS (fails with TPM>PTT or dTPM 2.0)
BUT I still cannot see my tpm device in /sys/class/tpm

Has anyone succeeded to enable tpm with meta-security ?
If yes, I would be interested to know how you have done.

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre

--- log device not visible --
tcsd -f
TCSD TDDL ERROR: Could not find a device to open!
root@intel-corei7-64:~# modprobe -D tpm
builtin tpm
root@intel-corei7-64:~# modprobe -D tpm_tis
builtin tpm_tis
root@intel-corei7-64:/tmp# ls /sys/class/tpm
root@intel-corei7-64:/tmp#

- kernel config extract --
CONFIG_HW_RANDOM_TPM=m
# CONFIG_NVRAM is not set
# CONFIG_R3964 is not set
# CONFIG_APPLICOM is not set
# CONFIG_MWAVE is not set
# CONFIG_RAW_DRIVER is not set
CONFIG_HPET=y
CONFIG_HPET_MMAP=y
CONFIG_HPET_MMAP_DEFAULT=y
# CONFIG_HANGCHECK_TIMER is not set
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
# CONFIG_TCG_TIS_SPI is not set
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
# CONFIG_TCG_NSC is not set
# CONFIG_TCG_ATMEL is not set
# CONFIG_TCG_INFINEON is not set
CONFIG_TCG_CRB=y
CONFIG_TCG_VTPM_PROXY=y
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
# CONFIG_TELCLOCK is not set
CONFIG_DEVPORT=y
# CONFIG_XILLYBUS is not set
[yocto] meta-security does not set the right ACL to trouser config file (/etc/tsdc.conf)
meta-security requires to predefine a user and group tss in order for bitbake to build an image.
But it fails to set the correct ownership to the trousers conf file (/etc/tcsd.conf)

Tspi_Context_Connect failed: 0x3011 - layer=tsp, code=0011 (17), Communication failure
root@intel-corei7-64:~# tcsd -f
TCSD ERROR: TCSD config file (/etc/tcsd.conf) must be user/group tss/tss

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
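
The ownership requirement in the tcsd error above, as an added example that is not part of the original message or of meta-security: a shell check that etc/tcsd.conf in a rootfs is owned by the tss user and group defined in that same rootfs. The function names and the constructed sample rootfs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from meta-security or trousers): check that etc/tcsd.conf
# in a rootfs is owned by the tss user and group defined in that same rootfs.

# Print the numeric id (field 3) of NAME from a passwd- or group-format FILE.
lookup_id() {
    awk -F: -v name="$1" '$1 == name { print $3; exit }' "$2"
}

# Print "uid:gid" of FILE as numbers; ls -n is the portable way to get them.
numeric_owner() {
    ls -ln "$1" | awk '{ print $3 ":" $4 }'
}

# check_tcsd_conf ROOTFS
# Returns 0 when ROOTFS/etc/tcsd.conf is owned tss/tss, 1 when it is not,
# 2 when the file or the tss account cannot be found.
check_tcsd_conf() {
    rootfs=${1%/}
    conf="$rootfs/etc/tcsd.conf"
    for f in "$conf" "$rootfs/etc/passwd" "$rootfs/etc/group"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    want_uid=$(lookup_id tss "$rootfs/etc/passwd")
    want_gid=$(lookup_id tss "$rootfs/etc/group")
    if [ -z "$want_uid" ] || [ -z "$want_gid" ]; then
        echo "no tss user/group defined in $rootfs" >&2
        return 2
    fi
    have=$(numeric_owner "$conf")
    if [ "$have" = "$want_uid:$want_gid" ]; then
        echo "ok: $conf is owned $have (tss/tss)"
        return 0
    fi
    echo "mismatch: $conf is owned $have, tss/tss is $want_uid:$want_gid" >&2
    return 1
}

# make_sample_rootfs OFFSET
# Constructed test data: builds a throwaway rootfs whose tss ids are the ids
# of the freshly created tcsd.conf plus OFFSET. OFFSET 0 models a correct
# image, any other value the wrong-ownership case, with no chown needed.
make_sample_rootfs() {
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/etc"
    : > "$dir/etc/tcsd.conf"
    owner=$(numeric_owner "$dir/etc/tcsd.conf")
    uid=$(( ${owner%:*} + $1 ))
    gid=$(( ${owner#*:} + $1 ))
    printf 'root:x:0:0:root:/root:/bin/sh\ntss:x:%s:%s::/:/bin/false\n' \
        "$uid" "$gid" > "$dir/etc/passwd"
    printf 'root:x:0:\ntss:x:%s:\n' "$gid" > "$dir/etc/group"
    echo "$dir"
}

# Demo on the two constructed trees; "|| true" keeps the script going after
# the expected failure.
good=$(make_sample_rootfs 0)
bad=$(make_sample_rootfs 1)
check_tcsd_conf "$good" || true
check_tcsd_conf "$bad" || true
rm -rf "$good" "$bad"
```

For a real image, pass the mount point of the image (or `/` on the target) to `check_tcsd_conf`; inside the Yocto build tree the rootfs shows its intended ownership only under pseudo.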
[yocto] Enabling tpm from meta-security for AGL
Hello,

I am trying to enable tpm on an Intel target using yocto (morty) from meta-security.
When I activate the tpm-tools-2.0 feature in my configuration, I have a compilation error (see log below)

Search for line:
| /usr/src/debug/glibc/2.24-r0/git/csu/../sysdeps/x86_64/start.S:104: undefined reference to `main'

Would someone know what I could be missing?

Regards

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre

- log extract
| x86_64-agl-linux-libtool: link: (cd "tcti/.libs" && rm -f "libtcti-device.so.0" && ln -s "libtcti-device.so.0.0.0" "libtcti-device.so.0")
| x86_64-agl-linux-libtool: link: (cd "tcti/.libs" && rm -f "libtcti-device.so" && ln -s "libtcti-device.so.0.0.0" "libtcti-device.so")
| x86_64-agl-linux-libtool: link: ( cd "tcti/.libs" && rm -f "libtcti-device.la" && ln -s "../libtcti-device.la" "libtcti-device.la" )
| x86_64-agl-linux-libtool: link: x86_64-agl-linux-g++ -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64 -fPIC -DPIC -shared -nostdlib /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib/Scrt1.o /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib/crti.o /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib/x86_64-agl-linux/6.2.0/crtbeginS.o tcti/.libs/tcti_libtcti_socket_la-platformcommand.o sysapi/sysapi_util/.libs/tcti_libtcti_socket_la-changeEndian.o tcti/.libs/tcti_libtcti_socket_la-tcti_socket.o tcti/.libs/tcti_libtcti_socket_la-commonchecks.o common/.libs/tcti_libtcti_socket_la-sockets.o common/.libs/tcti_libtcti_socket_la-debug.o -L/home/dominig/AGL/build/tmp/sysroots/x86_64-linux/usr/lib/x86_64-agl-linux/gcc/x86_64-agl-linux/6.2.0 -L/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/lib/../lib -L/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib/x86_64-agl-linux/6.2.0 -L/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/x86_64-agl-linux/6.2.0 -L/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib -L/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/lib -L/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/libstdc++.so -lm /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/libssp_nonshared.a -lc -lgcc_s -lgcc /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib/x86_64-agl-linux/6.2.0/crtendS.o /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib/crtn.o -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/home/dominig/AGL/build/tmp/sysroots/intel-corei7-64 -O2 -g -fstack-protector-strong -Wl,--no-undefined -Wl,--version-script=../TPM2.0-TSS/tcti/tcti_socket.map -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -fstack-protector-strong -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,-soname -Wl,libtcti-socket.so.0 -o tcti/.libs/libtcti-socket.so.0.0.0
| /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/../lib/Scrt1.o: In function `_start':
| /usr/src/debug/glibc/2.24-r0/git/csu/../sysdeps/x86_64/start.S:104: undefined reference to `main'
| /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/libc_nonshared.a(elf-init.oS): In function `__libc_csu_init':
| /usr/src/debug/glibc/2.24-r0/git/csu/elf-init.c:86: undefined reference to `__init_array_start'
| /home/dominig/AGL/build/tmp/sysroots/x86_64-linux/usr/libexec/x86_64-agl-linux/gcc/x86_64-agl-linux/6.2.0/ld: /home/dominig/AGL/build/tmp/sysroots/intel-corei7-64/usr/lib/libc_nonshared.a(elf-init.oS): relocation R_X86_64_PC32 against undefined hidden symbol `__init_array_start' can not be used when making a shared object
| /home/dominig/AGL/build/tmp/sysroots/x86_64-linux/usr/libexec/x86_64-agl-linux/gcc/x86_64-agl-linux/6.2.0/ld: final link failed: Bad value
| collect2: error: ld returned 1 exit status
| Makefile:2696: recipe for target 'tcti/libtcti-socket.la' failed
| make: *** [tcti/libtcti-socket.la] Error 1
| make: *** Waiting for unfinished jobs
Re: [yocto] gst-plugins-bad- Patch fails 'ensure-valid-sentinels-for-gst_structure_get-etc.patch'
Ross,

as now the recipe is called because I have declared that I wanted to use vaapi. It seems to call for gst-plugins-bad. There are obviously quite a few problems with that recipe.

Regards.
Dominig

On 08/03/2017 at 16:38, Burton, Ross wrote:

On 8 March 2017 at 15:10, Dominig Ar Foll <dominig.arf...@fridu.net> wrote:

yes, I know that I build the latest. I am checking in advance of phase what will break in Automotive Grade Linux (AGL) when 2.3 is coming out of the wood.

When 2.3 is released it won't be using the git gst-plugins-bad recipe by default either. I'll fix the recipe, but the git recipes are prone to breakage as they're not that tested. (this is why I want to remove them)

Ross

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
Re: [yocto] gst-plugins-bad- Patch fails 'ensure-valid-sentinels-for-gst_structure_get-etc.patch'
Ross,

yes, I know that I build the latest. I am checking in advance of phase what will break in Automotive Grade Linux (AGL) when 2.3 is coming out of the wood. By the side, I also want a 4.10 kernel for some test on virtualisation.

Regards.
Dominig

On 08/03/2017 at 15:33, Burton, Ross wrote:

On 8 March 2017 at 14:29, Dominig ar Foll (Intel Open Source) <dominig.arf...@fridu.net> wrote:

> ERROR: Task
> (/home/dominig/AGL/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_git.bb:do_patch)
> failed with exit code '1'
>

Are you aware that you're building the _git recipe and not the release?

Ross

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
[yocto] gst-plugins-bad- Patch fails 'ensure-valid-sentinels-for-gst_structure_get-etc.patch'
For info.

As the target file of this patch (gst-plugins-bad-1.10.2/sys/decklink/gstdecklink.cpp) has changed, the patch now fails when building yocto/master.
It was created with gst-plugins-bad-1.10.2 but poky now downloads 1.10.4.

The patch can be found here:
poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/ensure-valid-sentinels-for-gst_structure_get-etc.patch

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre

-- error log --
ERROR: gstreamer1.0-plugins-bad-1.8.2+gitAUTOINC+5e73b5a484-r0 do_patch: Command Error: 'quilt --quiltrc /home/dominig/build/tmp/work/corei7-64-agl-linux/gstreamer1.0-plugins-bad/1.8.2+gitAUTOINC+5e73b5a484-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output:
Applying patch ensure-valid-sentinels-for-gst_structure_get-etc.patch
patching file sys/decklink/gstdecklink.cpp
Hunk #1 FAILED at 476.
Hunk #2 FAILED at 489.
2 out of 2 hunks FAILED -- rejects in file sys/decklink/gstdecklink.cpp
patching file sys/decklink/gstdecklinkaudiosrc.cpp
Hunk #1 succeeded at 313 (offset -9 lines).
patching file sys/decklink/gstdecklinkvideosink.cpp
Hunk #1 succeeded at 158 (offset -5 lines).
Patch ensure-valid-sentinels-for-gst_structure_get-etc.patch does not apply (enforce with -f)
ERROR: gstreamer1.0-plugins-bad-1.8.2+gitAUTOINC+5e73b5a484-r0 do_patch: Function failed: patch_do_patch
ERROR: Logfile of failure stored in: /home/dominig/build/tmp/work/corei7-64-agl-linux/gstreamer1.0-plugins-bad/1.8.2+gitAUTOINC+5e73b5a484-r0/temp/log.do_patch.5672
ERROR: Task (/home/dominig/AGL/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_git.bb:do_patch) failed with exit code '1'
Re: [yocto] Error: bb.data_smart.ExpansionError: Failure expanding variable PV_MAJ, expression
o attribute 'getVar'
Summary: There was 1 ERROR message shown, returning a non-zero exit code.

3. Could not get the solution, any help here. Any patches need to apply here, if yes pls suggest.

Thanks,
satya

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
Re: [yocto] Error with Cynara pkg_postinst when updating AGL to from morty master (solved)
Patrick,

thanks for the trick. It is a good one.

Dominig

On 02/03/2017 at 17:19, Patrick Ohly wrote:

On Thu, 2017-03-02 at 16:33 +0100, Dominig ar Foll (Intel Open Source) wrote:

Hello,

I am trying to move AGL from morty to master in order to get a stock Kernel 3.9. I have moved meta-intel, poky and open embedded to master branches.

I am blocked on an error that I do not understand in the pkg_postinst section. The error code is:
AttributeError: 'module' object has no attribute 'getVar'

As the only getVar is happening in the Version setting
VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]}
I wonder if something has changed in bb.data but I could not find anything obvious.

bb.data.getVar() has been deprecated for a while and was finally removed. Use d.getVar('PV') instead on master (no additional parameters needed, expansion is on by default).

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
[yocto] Error with Cynara pkg_postinst when updating AGL to from morty master
Hello,

I am trying to move AGL from morty to master in order to get a stock Kernel 3.9. I have moved meta-intel, poky and open embedded to master branches.

I am blocked on an error that I do not understand in the pkg_postinst section. The error code is:
AttributeError: 'module' object has no attribute 'getVar'

As the only getVar is happening in the Version setting
VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]}
I wonder if something has changed in bb.data but I could not find anything obvious.

Any help would be welcome.

Dominig

Log ---
dominig@dominig-yocto:~/AGL/build> bitbake agl-demo-platform
WARNING: /home/dominig/AGL/meta-intel-iot-security/meta-security-framework/recipes-security/cynara/cynara_git.bb: Exception during build_dependencies for pkg_postinst_cynara:49
WARNING: /home/dominig/AGL/meta-intel-iot-security/meta-security-framework/recipes-security/cynara/cynara_git.bb: Error during finalise of /home/dominig/AGL/meta-intel-iot-security/meta-security-framework/recipes-security/cynara/cynara_git.bb
ERROR: ExpansionError during parsing /home/dominig/AGL/meta-intel-iot-security/meta-security-framework/recipes-security/cynara/cynara_git.bb
Traceback (most recent call last):
bb.data_smart.ExpansionError: Failure expanding variable pkg_postinst_cynara, expression was
    # Fail on error.
    set -e

    # It would be nice to run the code below while building an image,
    # but currently the calls to cynara-db-chsgen (a binary) in
    # cynara-db-migration (a script) prevent that. Rely instead
    # on OE's support for running failed postinst scripts at first boot.
    if [ x"$D" != "x" ]; then
        exit 1
    fi

    mkdir -p $D/etc/cynara
    chsmack -a System $D/etc/cynara

    # Strip git patch level information, the version comparison code
    # in cynara-db-migration only expect major.minor.patch version numbers.
    VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]}
    if [ -d $D/var/cynara ] ; then
        # upgrade
        echo "NOTE: updating cynara DB to version $VERSION"
        $D/usr/sbin/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
    else
        # install
        echo "NOTE: creating cynara DB for version $VERSION"
        mkdir -p $D/var/cynara
        chsmack -a System $D/var/cynara
        $D/usr/sbin/cynara-db-migration install -t $VERSION
    fi

    # Workaround for systemd.bbclass issue: it would call
    # "systemctl start" without "--no-block", but because
    # the service is not ready to run at the time when
    # this scripts gets executed by run-postinsts.service,
    # booting deadlocks.
    echo "NOTE: enabling and starting cynara service"
    systemctl enable cynara
    systemctl start --no-block cynara
which triggered exception AttributeError: 'module' object has no attribute 'getVar'

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
Re: [yocto] Changing UID GID (thaks)
On 15/02/2017 at 15:57, Patrick Ohly wrote:
>
> Is that for partial updates with OSTree or something else?

Yes, we use OSTree in AGL but the issue is very similar to the one faced by Ostro.

Thanks to Joshua and Patrick for the pointers.

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
[yocto] Changing UID GID
Hello,

in AGL project we are facing an issue as when we create new images the UID,GID of given packages can (and does) change depending on the build. This induces issues when we create partial update file using image diffs.

Could you let us know if we need to create our own solution, or if yocto already has a model to enforce a known UID-GID on packages coming from internal or external repo such as Open-Embedded without patching (or creating a bbappend) for each imported package ?

Regards

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
Re: [yocto] which meta-intel woudl build a kernel 4.8 (solved)
On 06/10/2016 at 20:19, Khem Raj wrote:
>
> Use poky or oe-core master with master of meta-intel is best shot
>

thanks

updating as well to 'master' my oe-core and poky has fixed that issue.

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
[yocto] which meta-intel woudl build a kernel 4.8
Hello,

I was happily under 'jethro' until now but I need to build a kernel 4.8 for Intel HW to get access to some new features.

I can see that the 'master' branch bumps to 4.8 but unfortunately comes with the following errors:

ERROR: No recipes available for:
/home/dominig/AGL/meta-intel/common/recipes-kernel/linux/linux-yocto-tiny_4.8.bbappend
/home/dominig/AGL/meta-intel/common/recipes-kernel/linux/linux-yocto_4.8.bbappend

Would someone have an idea how I could get a 4.8 working meta-intel ?

Thanks in advance

--
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre