Re: [yocto] [meta-raspberrypi][PATCH V3] wic: support to set /root size and add extra partition

2019-11-14 Thread Hongxu Jia

On 11/14/19 8:40 PM, Paul Barker wrote:

On Thu, 14 Nov 2019, at 07:33, Hongxu Jia wrote:

- Support to add extra partition, such as add swap partition
   to workaround memory limitation

- Support to set /root size

Signed-off-by: Hongxu Jia 

If you want to make changes like this in a distro or local configuration, I 
think it'd be easier to add a new .wks file and override WKS_FILE.

FYI, for meta-raspberrypi we usually take patches through GitHub pull requests 
at https://github.com/agherzan/meta-raspberrypi/pulls.


OK, I will do it on our own

//Hongxu

--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-raspberrypi][PATCH V3] wic: support to set /root size and add extra partition

2019-11-13 Thread Hongxu Jia
- Support to add extra partition, such as add swap partition
  to workaround memory limitation

- Support to set /root size

Signed-off-by: Hongxu Jia 
---
 conf/machine/include/rpi-base.inc | 11 ++-
 ...age-raspberrypi.wks => sdimage-raspberrypi.wks.in} |  3 ++-
 2 files changed, 12 insertions(+), 2 deletions(-)
 rename wic/{sdimage-raspberrypi.wks => sdimage-raspberrypi.wks.in} (85%)

diff --git a/conf/machine/include/rpi-base.inc 
b/conf/machine/include/rpi-base.inc
index af1418d..c4dffd3 100644
--- a/conf/machine/include/rpi-base.inc
+++ b/conf/machine/include/rpi-base.inc
@@ -6,7 +6,16 @@ SOC_FAMILY = "rpi"
 include conf/machine/include/soc-family.inc
 
 IMAGE_FSTYPES ?= "tar.bz2 ext3 rpi-sdimg"
-WKS_FILE ?= "sdimage-raspberrypi.wks"
+
+# Set size of /root partition, such as 4G
+# PI_WKS_ROOT_SIZE ?= "--size=4096M --overhead-factor 1"
+PI_WKS_ROOT_SIZE ?= ""
+
+# Add extra partition, such as 1G size /swap
+# PI_WKS_EXTRA_PARTTION = "part swap --ondisk mmcblk0 --label swap 
--fstype=swap --size=1024M --overhead-factor 1"
+PI_WKS_EXTRA_PARTTION ?= ""
+
+WKS_FILE ?= "sdimage-raspberrypi.wks.in"
 
 XSERVER = " \
 xserver-xorg \
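Review bot: `PI_WKS_EXTRA_PARTTION` is misspelled (it should read PARTITION) in both the commented example and the default assignment, and the template expands the same spelling, so the typo becomes the public variable name once this is merged. Rename it to `PI_WKS_EXTRA_PARTITION` here and in `sdimage-raspberrypi.wks.in`. The commented extra-partition example also uses `=` where the root-size example uses `?=`; use the same operator in both so a copied line overrides the same way.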
diff --git a/wic/sdimage-raspberrypi.wks b/wic/sdimage-raspberrypi.wks.in
similarity index 85%
rename from wic/sdimage-raspberrypi.wks
rename to wic/sdimage-raspberrypi.wks.in
index 01fbaea..743d757 100644
--- a/wic/sdimage-raspberrypi.wks
+++ b/wic/sdimage-raspberrypi.wks.in
@@ -3,4 +3,5 @@
 # Raspberry Pi. Boot files are located in the first vfat partition.
 
 part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label 
boot --active --align 4096 --size 20
-part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root --align 4096
+part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root --align 
4096 ${PI_WKS_ROOT_SIZE}
+${PI_WKS_EXTRA_PARTTION}
-- 
2.17.1



[yocto] [meta-raspberrypi][PATCH V2] wic: support to set /root size and add extra partition

2019-11-13 Thread Hongxu Jia
- Support to add extra partition, such as add swap partition
  to workaround memory limitation

- Support to set /root size

Signed-off-by: Hongxu Jia 
---
 conf/machine/include/rpi-base.inc | 11 ++-
 ...age-raspberrypi.wks => sdimage-raspberrypi.wks.in} |  3 ++-
 2 files changed, 12 insertions(+), 2 deletions(-)
 rename wic/{sdimage-raspberrypi.wks => sdimage-raspberrypi.wks.in} (85%)

diff --git a/conf/machine/include/rpi-base.inc 
b/conf/machine/include/rpi-base.inc
index af1418d..9d0b688 100644
--- a/conf/machine/include/rpi-base.inc
+++ b/conf/machine/include/rpi-base.inc
@@ -6,7 +6,16 @@ SOC_FAMILY = "rpi"
 include conf/machine/include/soc-family.inc
 
 IMAGE_FSTYPES ?= "tar.bz2 ext3 rpi-sdimg"
-WKS_FILE ?= "sdimage-raspberrypi.wks"
+
+# Set size of /root partition, such as 4G
+# PI_WKS_ROOT_SIZE ?= "--size=4096M --overhead-factor 1"
+PI_WKS_ROOT_SIZE ?= ""
+
+# Add extra partition, such as 1G size /swap
+# PI_WKS_EXTRA_PARTTION = "part swap --ondisk mmcblk0 --size 44 --label swap 
--fstype=swap --size=1024M --overhead-factor 1"
+PI_WKS_EXTRA_PARTTION ?= ""
+
+WKS_FILE ?= "sdimage-raspberrypi.wks.in"
 
 XSERVER = " \
 xserver-xorg \
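Review bot: the commented swap example passes the size twice on one `part` line (`--size 44` and `--size=1024M`), so a user who uncomments it cannot tell which value wic will apply; drop `--size 44` from the example. The variable name `PI_WKS_EXTRA_PARTTION` is also misspelled and should be fixed before it becomes something users set in local.conf.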
diff --git a/wic/sdimage-raspberrypi.wks b/wic/sdimage-raspberrypi.wks.in
similarity index 85%
rename from wic/sdimage-raspberrypi.wks
rename to wic/sdimage-raspberrypi.wks.in
index 01fbaea..743d757 100644
--- a/wic/sdimage-raspberrypi.wks
+++ b/wic/sdimage-raspberrypi.wks.in
@@ -3,4 +3,5 @@
 # Raspberry Pi. Boot files are located in the first vfat partition.
 
 part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label 
boot --active --align 4096 --size 20
-part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root --align 4096
+part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root --align 
4096 ${PI_WKS_ROOT_SIZE}
+${PI_WKS_EXTRA_PARTTION}
-- 
2.17.1



Re: [yocto] [meta-raspberrypi][PATCH] wic: add swap partition and set /root and /swap size

2019-11-13 Thread Hongxu Jia

On 11/14/19 2:30 PM, Khem Raj wrote:

On Thu, 2019-11-14 at 06:04 +, Hongxu Jia wrote:

- Add swap partition to workaround memory limitation

- Support to set /root and /swap size, 4G /root and 1G /swap by
default

Signed-off-by: Hongxu Jia 
---
  conf/machine/include/rpi-base.inc   | 5
-
  wic/{sdimage-raspberrypi.wks => sdimage-raspberrypi.wks.in} | 3 ++-
  2 files changed, 6 insertions(+), 2 deletions(-)
  rename wic/{sdimage-raspberrypi.wks => sdimage-raspberrypi.wks.in}
(75%)

diff --git a/conf/machine/include/rpi-base.inc
b/conf/machine/include/rpi-base.inc
index 36a8daf..de2f366 100644
--- a/conf/machine/include/rpi-base.inc
+++ b/conf/machine/include/rpi-base.inc
@@ -6,7 +6,10 @@ SOC_FAMILY = "rpi"
  include conf/machine/include/soc-family.inc
  
  IMAGE_FSTYPES ?= "tar.bz2 ext3 rpi-sdimg"

-WKS_FILE ?= "sdimage-raspberrypi.wks"
+
+PI_WKS_ROOT_SIZE ?= "--size=4096M --overhead-factor 1"

this means we need minimum 4G cards.


+PI_WKS_SWAP_SIZE ?= "--size=1024M --overhead-factor 1"

I think these options should not be set here. If someone wants them, they
should be injected by local config.


OK, I will comment them out as an example

//Hongxu


+WKS_FILE ?= "sdimage-raspberrypi.wks.in"
  
  XSERVER = " \

  xserver-xorg \
diff --git a/wic/sdimage-raspberrypi.wks b/wic/sdimage-
raspberrypi.wks.in
similarity index 75%
rename from wic/sdimage-raspberrypi.wks
rename to wic/sdimage-raspberrypi.wks.in
index 01fbaea..81707c7 100644
--- a/wic/sdimage-raspberrypi.wks
+++ b/wic/sdimage-raspberrypi.wks.in
@@ -3,4 +3,5 @@
  # Raspberry Pi. Boot files are located in the first vfat partition.
  
  part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat

--label boot --active --align 4096 --size 20
-part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root
--align 4096
+part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root
--align 4096 ${PI_WKS_ROOT_SIZE}
+part swap --ondisk mmcblk0 --size 44 --label swap --fstype=swap
${PI_WKS_SWAP_SIZE}

It's using --size 44, perhaps that's the default if it's not set via
PI_WKS_SWAP_SIZE


--
2.17.1







[yocto] [meta-raspberrypi][PATCH] wic: add swap partition and set /root and /swap size

2019-11-13 Thread Hongxu Jia
- Add swap partition to workaround memory limitation

- Support to set /root and /swap size, 4G /root and 1G /swap by default

Signed-off-by: Hongxu Jia 
---
 conf/machine/include/rpi-base.inc   | 5 -
 wic/{sdimage-raspberrypi.wks => sdimage-raspberrypi.wks.in} | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
 rename wic/{sdimage-raspberrypi.wks => sdimage-raspberrypi.wks.in} (75%)

diff --git a/conf/machine/include/rpi-base.inc 
b/conf/machine/include/rpi-base.inc
index 36a8daf..de2f366 100644
--- a/conf/machine/include/rpi-base.inc
+++ b/conf/machine/include/rpi-base.inc
@@ -6,7 +6,10 @@ SOC_FAMILY = "rpi"
 include conf/machine/include/soc-family.inc
 
 IMAGE_FSTYPES ?= "tar.bz2 ext3 rpi-sdimg"
-WKS_FILE ?= "sdimage-raspberrypi.wks"
+
+PI_WKS_ROOT_SIZE ?= "--size=4096M --overhead-factor 1"
+PI_WKS_SWAP_SIZE ?= "--size=1024M --overhead-factor 1"
+WKS_FILE ?= "sdimage-raspberrypi.wks.in"
 
 XSERVER = " \
 xserver-xorg \
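Review bot: the two `?=` defaults make every image built from rpi-base.inc request a 4096M root and a 1024M swap partition, so the result only fits on a card larger than those two sizes plus the boot partition. Default both variables to empty and keep the sizes as a commented example, so that a distro or local.conf opts in.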
diff --git a/wic/sdimage-raspberrypi.wks b/wic/sdimage-raspberrypi.wks.in
similarity index 75%
rename from wic/sdimage-raspberrypi.wks
rename to wic/sdimage-raspberrypi.wks.in
index 01fbaea..81707c7 100644
--- a/wic/sdimage-raspberrypi.wks
+++ b/wic/sdimage-raspberrypi.wks.in
@@ -3,4 +3,5 @@
 # Raspberry Pi. Boot files are located in the first vfat partition.
 
 part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label 
boot --active --align 4096 --size 20
-part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root --align 4096
+part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root --align 
4096 ${PI_WKS_ROOT_SIZE}
+part swap --ondisk mmcblk0 --size 44 --label swap --fstype=swap 
${PI_WKS_SWAP_SIZE}
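Review bot: the new `part swap` line hard-codes `--size 44` and then appends `${PI_WKS_SWAP_SIZE}`, whose default also carries `--size=1024M`, so the expanded line has two size options and the one that wins is left to wic's option parsing. Drop `--size 44` and let the variable carry the size. The swap partition is also added unconditionally; making the whole `part swap` line opt-in would keep existing images unchanged.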
-- 
2.17.1



[yocto] [meta-openssl102][PATCH V2] conf/layer.conf: Add zeus to LAYERSERIES_COMPAT

2019-10-20 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 conf/layer.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index f1df15d..6e62f62 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -10,8 +10,9 @@ BBFILE_PRIORITY_meta-openssl-one-zero-two = "5"
 
 LAYERVERSION_meta-openssl-one-zero-two = "1"
 
-LAYERSERIES_COMPAT_meta-openssl-one-zero-two = "thud warrior"
+LAYERSERIES_COMPAT_meta-openssl-one-zero-two = "thud warrior zeus"
 
 LAYERDEPENDS_meta-openssl-one-zero-two = " \
 core \
 "
+
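Review bot: the final `+` adds a blank line at the end of conf/layer.conf that is unrelated to adding `zeus`; drop it so the diff is only the LAYERSERIES_COMPAT change. The commit has no body, and since LAYERSERIES_COMPAT is a statement of compatibility, one sentence on what was built against zeus would help.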
-- 
2.7.4



[yocto] [meta-openssl102][PATCH 2/2] conf/layer.conf: workaround No bb files matched BBFILE_PATTERN_meta-openssl-one-zero-two warning

2019-10-20 Thread Hongxu Jia
No bb but bbappend in meta-openssl102

Signed-off-by: Hongxu Jia 
---
 conf/layer.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/conf/layer.conf b/conf/layer.conf
index 6e62f62..be6b8a4 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -6,6 +6,7 @@ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
 
 BBFILE_COLLECTIONS += "meta-openssl-one-zero-two"
 BBFILE_PATTERN_meta-openssl-one-zero-two = "^${LAYERDIR}/"
+BBFILE_PATTERN_IGNORE_EMPTY_meta-openssl-one-zero-two = "1"
 BBFILE_PRIORITY_meta-openssl-one-zero-two = "5"
 
 LAYERVERSION_meta-openssl-one-zero-two = "1"
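Review bot: the new `BBFILE_PATTERN_IGNORE_EMPTY_meta-openssl-one-zero-two = "1"` line has no comment, and the reason for it (the layer ships only .bbappend files) lives only in the commit message. Add a one-line comment above it in layer.conf so the setting is removed if the layer ever gains a .bb recipe, since it suppresses the warning that would otherwise flag a broken pattern.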
-- 
2.7.4



[yocto] [meta-openssl102][PATCH 1/2] conf/layer.conf: Add zeus to LAYERSERIES_COMPAT

2019-10-20 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 conf/layer.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index f1df15d..6e62f62 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -10,8 +10,9 @@ BBFILE_PRIORITY_meta-openssl-one-zero-two = "5"
 
 LAYERVERSION_meta-openssl-one-zero-two = "1"
 
-LAYERSERIES_COMPAT_meta-openssl-one-zero-two = "thud warrior"
+LAYERSERIES_COMPAT_meta-openssl-one-zero-two = "thud wrl warrior"
 
 LAYERDEPENDS_meta-openssl-one-zero-two = " \
 core \
 "
+
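Review bot: the subject says "Add zeus to LAYERSERIES_COMPAT" but the changed line adds `wrl` (`"thud wrl warrior"`) and does not contain `zeus` at all. Either the value or the subject is wrong; the V2 posting of this patch uses `"thud warrior zeus"`. The trailing blank line added at the end of the file is unrelated and should be dropped.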
-- 
2.7.4



Re: [yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips

2019-10-12 Thread Hongxu Jia

On 10/13/19 5:22 AM, Mark Hatle wrote:

The original goal of this work was to enable a FIPS-140-2 OpenSSL module.  Why
is NSS part of this?

Is something inside of the OpenSSL patches requesting NSS support, or is this a
different -- but related request?


No, there is no relation between openssl and nss, but while the kernel enables
fips (pass boot param `fips=1`), nss fips is enabled and triggers the issue.

It seems all of them are part of the fips system; fips includes kernel and
userspace, and fips 140-2 is also part of it

//Hongxu


--Mark

On 10/12/19 3:17 AM, Hongxu Jia wrote:

Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
macro limitation to fips enable test, currently we are not ready
to support nss fips

...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.

$rpm -h
|error: Failed to initialize NSS library
...

Signed-off-by: Hongxu Jia 
---
  .../nss/nss/0001-conditionally-enable-fips.patch   | 93 ++
  recipes-support/nss/nss_3.%.bbappend   |  4 +
  recipes-support/nss/nss_fips.inc   |  4 +
  3 files changed, 101 insertions(+)
  create mode 100644 
recipes-support/nss/nss/0001-conditionally-enable-fips.patch
  create mode 100644 recipes-support/nss/nss_3.%.bbappend
  create mode 100644 recipes-support/nss/nss_fips.inc

diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch 
b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
new file mode 100644
index 000..d11db91
--- /dev/null
+++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
@@ -0,0 +1,93 @@
+From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sat, 12 Oct 2019 10:49:28 +0800
+Subject: [PATCH] conditionally enable fips
+
+Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
+macro limitaition to fips enable test, currently we are not ready
+to support nss fips
+
+...
+$ certutil -N -d sql:. --empty-password
+|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
+module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
+with the token or slot.
+
+$rpm -h
+|error: Failed to initialize NSS library
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ nss/coreconf/config.mk   | 2 ++
+ nss/lib/freebl/nsslowhash.c  | 2 +-
+ nss/lib/pk11wrap/pk11util.c  | 2 +-
+ nss/lib/sysinit/nsssysinit.c | 4 
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 60a0841..dcca87f 100644
+--- a/nss/coreconf/config.mk
 b/nss/coreconf/config.mk
+@@ -179,6 +179,8 @@ endif
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+ DEFINES += -DNSS_NO_INIT_SUPPORT
++else
++DEFINES += -DNSS_FORCE_FIPS
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
+index 22f9781..baf71c3 100644
+--- a/nss/lib/freebl/nsslowhash.c
 b/nss/lib/freebl/nsslowhash.c
+@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
+ static int
+ nsslow_GetFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
+index 502c4d0..cd86270 100644
+--- a/nss/lib/pk11wrap/pk11util.c
 b/nss/lib/pk11wrap/pk11util.c
+@@ -98,7 +98,7 @@ SECMOD_Shutdown()
+ int
+ secmod_GetSystemFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
+index bd0fac2..5c09e8d 100644
+--- a/nss/lib/sysinit/nsssysinit.c
 b/nss/lib/sysinit/nsssysinit.c
+@@ -168,6 +168,7 @@ getFIPSEnv(void)
+ static PRBool
+ getFIPSMode(void)
+ {
++#ifdef NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+@@ -186,6 +187,9 @@ getFIPSMode(void)
+ if (d != '1')
+ return PR_FALSE;
+ return PR_TRUE;
++#else
++return PR_FALSE;
++#endif
+ }
+
+ #define NSS_DEFAULT_FLAGS "flags=readonly"
+--
+2.7.4
+
diff --git a/recipes-support/nss/nss_3.%.bbappend 
b/recipes-support/nss/nss_3.%.bbappend
new file mode 100644
index 000..9608ca3
--- /dev/null
+++ b/recipes-support/nss/nss_3.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 
'nss_fips.inc'}"
+
+require ${FIPSINC}
diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
new file mode 100644
index 000..b183f55
--- /dev/null
+++ b/recipes-support/nss/nss_fips.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"

[yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips

2019-10-12 Thread Hongxu Jia
Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
macro limitation to fips enable test, currently we are not ready
to support nss fips

...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.

$rpm -h
|error: Failed to initialize NSS library
...

Signed-off-by: Hongxu Jia 
---
 .../nss/nss/0001-conditionally-enable-fips.patch   | 93 ++
 recipes-support/nss/nss_3.%.bbappend   |  4 +
 recipes-support/nss/nss_fips.inc   |  4 +
 3 files changed, 101 insertions(+)
 create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch
 create mode 100644 recipes-support/nss/nss_3.%.bbappend
 create mode 100644 recipes-support/nss/nss_fips.inc

diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch 
b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
new file mode 100644
index 000..d11db91
--- /dev/null
+++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
@@ -0,0 +1,93 @@
+From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sat, 12 Oct 2019 10:49:28 +0800
+Subject: [PATCH] conditionally enable fips
+
+Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
+macro limitaition to fips enable test, currently we are not ready
+to support nss fips
+
+...
+$ certutil -N -d sql:. --empty-password
+|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
+module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
+with the token or slot.
+
+$rpm -h
+|error: Failed to initialize NSS library
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ nss/coreconf/config.mk   | 2 ++
+ nss/lib/freebl/nsslowhash.c  | 2 +-
+ nss/lib/pk11wrap/pk11util.c  | 2 +-
+ nss/lib/sysinit/nsssysinit.c | 4 
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 60a0841..dcca87f 100644
+--- a/nss/coreconf/config.mk
 b/nss/coreconf/config.mk
+@@ -179,6 +179,8 @@ endif
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+ DEFINES += -DNSS_NO_INIT_SUPPORT
++else
++DEFINES += -DNSS_FORCE_FIPS
+ endif
+ 
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
+index 22f9781..baf71c3 100644
+--- a/nss/lib/freebl/nsslowhash.c
 b/nss/lib/freebl/nsslowhash.c
+@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
+ static int
+ nsslow_GetFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
+index 502c4d0..cd86270 100644
+--- a/nss/lib/pk11wrap/pk11util.c
 b/nss/lib/pk11wrap/pk11util.c
+@@ -98,7 +98,7 @@ SECMOD_Shutdown()
+ int
+ secmod_GetSystemFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
+index bd0fac2..5c09e8d 100644
+--- a/nss/lib/sysinit/nsssysinit.c
 b/nss/lib/sysinit/nsssysinit.c
+@@ -168,6 +168,7 @@ getFIPSEnv(void)
+ static PRBool
+ getFIPSMode(void)
+ {
++#ifdef NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+@@ -186,6 +187,9 @@ getFIPSMode(void)
+ if (d != '1')
+ return PR_FALSE;
+ return PR_TRUE;
++#else
++return PR_FALSE;
++#endif
+ }
+ 
+ #define NSS_DEFAULT_FLAGS "flags=readonly"
+-- 
+2.7.4
+
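Review bot: in the nsssysinit.c hunk the new `#else` branch makes getFIPSMode() return PR_FALSE, and the nsslowhash.c and pk11util.c hunks gate the existing `#ifdef LINUX` detection on NSS_FORCE_FIPS too, so a default build reports non-FIPS from all three functions with no log or build-time message. That matches the commit message, but on a system that is otherwise switched into FIPS mode it is a silent downgrade for every NSS consumer. Say so in a comment at each changed `#if` and in the patch header, including how to re-enable detection. The nsslowhash.c and pk11util.c hunks show only the changed `#if` line, so please confirm the fallback path below it returns the disabled value.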
diff --git a/recipes-support/nss/nss_3.%.bbappend 
b/recipes-support/nss/nss_3.%.bbappend
new file mode 100644
index 000..9608ca3
--- /dev/null
+++ b/recipes-support/nss/nss_3.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' 
else 'nss_fips.inc'}"
+
+require ${FIPSINC}
diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
new file mode 100644
index 000..b183f55
--- /dev/null
+++ b/recipes-support/nss/nss_fips.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
+SRC_URI += " \
+file://0001-conditionally-enable-fips.patch \
+"
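Review bot: nss_fips.inc only adds the patch to SRC_URI, and nothing in the three files sets or exports NSS_FORCE_FIPS even though the commit message leads with "Add export NSS_FORCE_FIPS=1". If the intent is that a user exports it to opt back in, state that in a comment here. The bbappend pulls this file in exactly when OPENSSL_FIPS_ENABLED is '1', so the include named nss_fips.inc is what turns NSS FIPS detection off on FIPS builds; a name or a comment that says "disable" would avoid that being misread in an audit.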
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 2/3] openssh_fips.inc: remove rng-tools from sshd RRECOMMENDS

2019-10-12 Thread Hongxu Jia
While kernel enable fips, the rng-tools takes a high cpu performance
which Operation not permitted
...
Oct 12 06:08:23 qemux86-64 rngd[122]: RNDADDENTROPY failed: Operation not 
permitted
...

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/openssh_fips.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-connectivity/openssh/openssh_fips.inc 
b/recipes-connectivity/openssh/openssh_fips.inc
index 38db03b..0eafb98 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -3,6 +3,8 @@ DEPENDS += " \
 openssl-fips \
 fipscheck \
 "
+RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
+
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
 file://0001-conditional-enable-fips-mode.patch \
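Review bot: `RRECOMMENDS_${PN}-sshd_remove = "rng-tools"` applies to every build that includes openssh_fips.inc, and a `_remove` cannot be undone from another layer or from local.conf. The log in the commit message shows rngd failing with RNDADDENTROPY, not a fault in sshd, so add a comment above the line that says why the recommendation is dropped and refers to that failure. It would also help to state that without rngd the image depends on the entropy the kernel gathers on its own when sshd generates host keys.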
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 1/3] fix typo: openssl-fips -> openssl-fips-dev

2019-10-12 Thread Hongxu Jia
The working fips package is openssl-fips-dev rather than openssl-fips.

Signed-off-by: Hongxu Jia 
---
 README.build | 2 +-
 templates/feature/openssl-fips/image.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.build b/README.build
index 50bd9a5..b4e8f2e 100644
--- a/README.build
+++ b/README.build
@@ -132,7 +132,7 @@ Building Steps (based on section 4 of the 
UsersGuide-2.0.pdf):
 prebuilt tar archive.
 
 For Yocto, in your build directory, edit conf/local.conf, add:
-  IMAGE_INSTALL_append = " openssl-fips"
+  IMAGE_INSTALL_append = " openssl-fips-dev"
   OPENSSL_FIPS_ENABLED = "1"
   OPENSSL_FIPS_PREBUILT = ""
 
diff --git a/templates/feature/openssl-fips/image.inc 
b/templates/feature/openssl-fips/image.inc
index 0d62e44..3616432 100644
--- a/templates/feature/openssl-fips/image.inc
+++ b/templates/feature/openssl-fips/image.inc
@@ -1 +1 @@
-IMAGE_INSTALL += "openssl-fips"
+IMAGE_INSTALL += "openssl-fips-dev"
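Review bot: templates/feature/openssl-fips/image.inc and the README.build hunk now install `openssl-fips-dev` into the target image, and needing a `-dev` package at run time usually means the files that make FIPS work were packaged into the wrong split. The commit message says which package works but not which files it carries; please name them, and consider fixing the recipe's packaging so that `openssl-fips` is the runtime package and development files stay out of production images.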
-- 
2.7.4



[yocto] [PATCH] fix typo: openssl-fips -> openssl-fips-dev

2019-10-11 Thread Hongxu Jia
The working fips package is openssl-fips-dev rather than openssl-fips.

Signed-off-by: Hongxu Jia 
---
 README.build | 2 +-
 templates/feature/openssl-fips/image.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.build b/README.build
index 50bd9a5..b4e8f2e 100644
--- a/README.build
+++ b/README.build
@@ -132,7 +132,7 @@ Building Steps (based on section 4 of the 
UsersGuide-2.0.pdf):
 prebuilt tar archive.
 
 For Yocto, in your build directory, edit conf/local.conf, add:
-  IMAGE_INSTALL_append = " openssl-fips"
+  IMAGE_INSTALL_append = " openssl-fips-dev"
   OPENSSL_FIPS_ENABLED = "1"
   OPENSSL_FIPS_PREBUILT = ""
 
diff --git a/templates/feature/openssl-fips/image.inc 
b/templates/feature/openssl-fips/image.inc
index 0d62e44..3616432 100644
--- a/templates/feature/openssl-fips/image.inc
+++ b/templates/feature/openssl-fips/image.inc
@@ -1 +1 @@
-IMAGE_INSTALL += "openssl-fips"
+IMAGE_INSTALL += "openssl-fips-dev"
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH] README.build/image.inc: add missing openssl-fips to image

2019-10-09 Thread Hongxu Jia
For Yocto and WRLinux, openssl fips works only if installing
package openssl-fips

Signed-off-by: Hongxu Jia 
---
 README.build | 1 +
 templates/feature/openssl-fips/image.inc | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 templates/feature/openssl-fips/image.inc

diff --git a/README.build b/README.build
index c6e..50bd9a5 100644
--- a/README.build
+++ b/README.build
@@ -132,6 +132,7 @@ Building Steps (based on section 4 of the 
UsersGuide-2.0.pdf):
 prebuilt tar archive.
 
 For Yocto, in your build directory, edit conf/local.conf, add:
+  IMAGE_INSTALL_append = " openssl-fips"
   OPENSSL_FIPS_ENABLED = "1"
   OPENSSL_FIPS_PREBUILT = ""
 
diff --git a/templates/feature/openssl-fips/image.inc 
b/templates/feature/openssl-fips/image.inc
new file mode 100644
index 000..0d62e44
--- /dev/null
+++ b/templates/feature/openssl-fips/image.inc
@@ -0,0 +1 @@
+IMAGE_INSTALL += "openssl-fips"
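Review bot: the new image.inc uses `IMAGE_INSTALL += "openssl-fips"` while the README.build hunk tells users to write `IMAGE_INSTALL_append = " openssl-fips"`. If this file is parsed before an image recipe assigns its package list with `?=`, the `+=` form sets the variable first and the recipe's default list is never applied. Use the `_append` form with the leading space in both places unless the template mechanism guarantees the ordering.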
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH V3 4/16] classes/image-enable-fips.bbclass: enable user space fips mode in image

2019-09-25 Thread Hongxu Jia
Refer Fedora/RedHat's way
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut

To enable user space fips mode in the image recipe as part of an
'IMAGE_CLASSES'. Basically if FIPS-140-2 is enabled, then we can
touch the file as a post image generation activity.

Signed-off-by: Hongxu Jia 
---
 classes/image-enable-fips.bbclass | 5 +
 conf/layer.conf   | 2 ++
 2 files changed, 7 insertions(+)
 create mode 100644 classes/image-enable-fips.bbclass

diff --git a/classes/image-enable-fips.bbclass 
b/classes/image-enable-fips.bbclass
new file mode 100644
index 000..6c5b370
--- /dev/null
+++ b/classes/image-enable-fips.bbclass
@@ -0,0 +1,5 @@
+ROOTFS_POSTPROCESS_COMMAND_append = "enable_system_fips;"
+enable_system_fips() {
+install -d ${IMAGE_ROOTFS}${sysconfdir}
+touch ${IMAGE_ROOTFS}${sysconfdir}/system-fips
+}
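Review bot: `ROOTFS_POSTPROCESS_COMMAND_append = "enable_system_fips;"` has no leading space, and `_append` adds none, so the function name is glued onto the previous entry whenever the existing value does not already end in `;` or whitespace. Write it as `" enable_system_fips;"`. The function also creates the marker unconditionally at image build time, independent of whether the kernel is later booted with the FIPS option, so a comment stating that the marker alone does not put the system in FIPS mode would help.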
diff --git a/conf/layer.conf b/conf/layer.conf
index 27a872e..185f422 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,3 +18,5 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
 meta-openssl-one-zero-two \
 wr-template \
 "
+
+IMAGE_CLASSES_append = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' 
else ' image-enable-fips'}"
-- 
2.7.4



Re: [yocto] Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH

2019-09-25 Thread Hongxu Jia

On 9/25/19 10:33 PM, Mark Hatle wrote:


On 9/25/19 2:23 AM, Hongxu Jia wrote:

Changed in V1:
- Follow Mark H's suggestions

Hi Mark,

Once openssh enables FIPS mode, openssh ptest will fail (mess of failure).
It seems the test case of upstream openssh does not consider FIPS mode support.
I search fedora, there is nothing about openssh `regress' (test suites) in
FIPS mode support

So I do not add additional cavs test to the ptest, just add a note
to README.enable_fips

Ok, that is good to know.  I suspect the issue is that many of the tests are
trying to use unapproved algorithms and should be skipped in FIPS mode.
Something for a future patch set.  I don't think it's necessary to adjust now.

I did modify patch 4.  We want to use the more generic IMAGE_POSTPROCESS_COMMAND
instead.  But otherwise I've taken it as is.  I'm currently running it through a
test pass, once that is complete I'll push the commits.


Hi Mark,

I am afraid we have to use var-ROOTFS_POSTPROCESS_COMMAND to replace,
var-IMAGE_POSTPROCESS_COMMAND is used at do_image_complete,
we require it to run at do_rootfs

//Hongxu


--Mark


//Hongxu

== Comments (indicate scope for each "y" above) ==
* Git logs
[meta-openssl102-fips]
commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
Author: Hongxu Jia 
Date:   Wed Sep 25 15:03:24 2019 +0800

 README.enable_fips: openssh ptest failed in fips mode
 
 Signed-off-by: Hongxu Jia 


commit f5b8a66c226541e73cc509a73452bbafc59f2555
Author: Hongxu Jia 
Date:   Sun Sep 22 22:40:56 2019 +0800

 README.openssh_cavstest: add CAVS tests for FIPS validation
 
 Signed-off-by: Hongxu Jia 


commit bd5de039c60fd2ab89f7925d3801520d742ba09a
Author: Hongxu Jia 
Date:   Sun Sep 22 21:54:41 2019 +0800

 openssh: add CAVS tests for FIPS validation
 
 Refer the latest Fedora to add cavs test binary for the aes-ctr [1]
 and SSH KDF CAVS test driver [2]
 
 [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
 [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
 (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
 
 Signed-off-by: Hongxu Jia 


commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
Author: Hongxu Jia 
Date:   Sun Sep 22 20:55:30 2019 +0800

 README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode
 
 Refer RedHat/Fedora/SUSE/Oracle/IBM ways
 
 1. Add `fips=1' to kernel option to enable FIPS mode in kernel
 
 2. File /etc/system-fips to determine if a FIPS mode is enabled in user space,
 currently openssh only
 
 Refer:
 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
 https://access.redhat.com/discussions/3293631
 https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
 https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
 https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
 
 Signed-off-by: Hongxu Jia 


commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
Author: Hongxu Jia 
Date:   Sun Sep 22 19:27:45 2019 +0800

 rng-tools: fix rngd failed in fips mode
 
 The FIPS test is something done on government or more secure organizations
 for extra security check.
 ...
 root@qemux86-64:~# systemctl status rngd
 Unit rngd-tools.service could not be found.
 root@qemux86-64:~# systemctl status rngd
 rngd.service - Hardware RNG Entropy Gatherer Daemon
    Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
    Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
   Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
  Main PID: 317 (code=exited, status=0/SUCCESS)
 
 Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
 Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
 Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
 ...
 
 From rngd manual, add `-i' to default

 ...
 -i, --ignorefail
   Ignore repeated fips failures
 ...
 
 After applying the fix

 ...
 rngd.service - Hardware RNG Entropy Gatherer Daemon
    Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
  Main PID: 121 (rngd)
 Tasks: 2
Memory: 1.8M
CGroup: /system.slice/rngd.service
/usr/sbin/rngd -f -r /dev/hwrng -i
 
 Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed:

[yocto] [meta-openssl102-fips][PATCH 15/16] README.openssh_cavstest: add CAVS tests for FIPS validation

2019-09-25 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 README.openssh_cavstest | 28 
 1 file changed, 28 insertions(+)
 create mode 100644 README.openssh_cavstest

diff --git a/README.openssh_cavstest b/README.openssh_cavstest
new file mode 100644
index 000..5d69ee5
--- /dev/null
+++ b/README.openssh_cavstest
@@ -0,0 +1,28 @@
+1. Install openssh-cavs to images
+$ echo "IMAGE_INSTALL += 'openssh-cavs'" >> conf/local.conf
+$ bitbake 
+
+2. Run tests on target
+1) ctr-cavstest
+invocation (all of the following are equal):
+./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode 
encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode 
encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

+echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr 
--key 987212980144b6a632e864031f52dacc --mode encrypt
+
+$ cd /usr/libexec
+$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+58E33554D51B0DD7A63F44B22381B1CA
+$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

+58E33554D51B0DD7A63F44B22381B1CA
+$ echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr 
--key 987212980144b6a632e864031f52dacc --mode encrypt
+58E33554D51B0DD7A63F44B22381B1CA
+
+2) ssh-cavs
+$ cd /usr/libexec
+$ ./ssh-cavs -K 
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
 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s 
d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+Initial IV (client to server) = 4bb320d1679dfd3a
+Initial IV (server to client) = 43dea6fdf263a308
+Encryption key (client to server) = 
13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+Encryption key (server to client) = 
1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
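Review bot: the ssh-cavs step at the end of the README gives one invocation with -K, -H, -s, -i, -e and -m but never says what each option carries or what counts as a pass. From the output, -i 8, -e 24 and -m 20 line up with the 8-byte IVs, 24-byte encryption keys and 20-byte integrity keys printed, so a one-line legend per option would cost little. The same applies to ctr-cavstest: state that 58E33554D51B0DD7A63F44B22381B1CA is the expected answer for that key and data so a tester knows what to compare against, and name the image in step 1, where the line reads only `$ bitbake`.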
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 16/16] README.enable_fips: openssh ptest failed in fips mode

2019-09-25 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 README.enable_fips | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.enable_fips b/README.enable_fips
index 8016346..676698b 100644
--- a/README.enable_fips
+++ b/README.enable_fips
@@ -54,3 +54,6 @@ FIPS mode initialized
 - ssh-keygen
 # ssh-keygen -A
 ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode
+
+NOTE: Once openssh enables FIPS mode, openssh ptest will fail. The test case
+of openssh does not consider FIPS mode support.
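Review bot: the NOTE says openssh ptest will fail once FIPS mode is on, but not which test cases fail or what a tester should do about it. Add the expected procedure, for example whether ptest is meant to be run on an image without /etc/system-fips, so that a failing ptest run on a FIPS image is neither mistaken for a regression nor waved through when it is one.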
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 12/16] rng-tools: fix rngd failed in fips mode

2019-09-25 Thread Hongxu Jia
The FIPS test is something done on government or more secure organizations
for extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
  Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 317 (code=exited, status=0/SUCCESS)

Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
...

From rngd manual, add `-i' to default
...
-i, --ignorefail
  Ignore repeated fips failures
...

After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
 Main PID: 121 (rngd)
    Tasks: 2
   Memory: 1.8M
   CGroup: /system.slice/rngd.service
           /usr/sbin/rngd -f -r /dev/hwrng -i

Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
...

Refer:
https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html

Signed-off-by: Hongxu Jia 
---
 recipes-support/rng-tools/rng-tools/default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-support/rng-tools/rng-tools/default 
b/recipes-support/rng-tools/rng-tools/default
index b9f8e03..1ae6b33 100644
--- a/recipes-support/rng-tools/rng-tools/default
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -1 +1 @@
-EXTRA_ARGS="-r /dev/hwrng"
+EXTRA_ARGS="-r /dev/hwrng -i"
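Review bot: adding -i to EXTRA_ARGS makes rngd ignore repeated FIPS failures on /dev/hwrng, which keeps the service alive but also switches off the check that disabled a source whose output kept failing the tests. The "after" log in the commit message still shows `RNDADDENTROPY failed: Operation not permitted`, so the ioctl is still refused with EPERM and it is not clear that any entropy reaches the kernel pool. Please explain in the message why RNDADDENTROPY is refused on this image and confirm that entropy is actually credited; if -i is only needed under qemu, say so next to the setting.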
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 11/16] rng-tools bbappend: port a copy of default from oe-core

2019-09-25 Thread Hongxu Jia
Port it at the following commit in oe-core
http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91

Signed-off-by: Hongxu Jia 
---
 recipes-support/rng-tools/rng-tools/default  | 1 +
 recipes-support/rng-tools/rng-tools_6.%.bbappend | 4 
 recipes-support/rng-tools/rng-tools_fips.inc | 2 ++
 3 files changed, 7 insertions(+)
 create mode 100644 recipes-support/rng-tools/rng-tools/default
 create mode 100644 recipes-support/rng-tools/rng-tools_6.%.bbappend
 create mode 100644 recipes-support/rng-tools/rng-tools_fips.inc

diff --git a/recipes-support/rng-tools/rng-tools/default 
b/recipes-support/rng-tools/rng-tools/default
new file mode 100644
index 000..b9f8e03
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -0,0 +1 @@
+EXTRA_ARGS="-r /dev/hwrng"
diff --git a/recipes-support/rng-tools/rng-tools_6.%.bbappend 
b/recipes-support/rng-tools/rng-tools_6.%.bbappend
new file mode 100644
index 000..c487175
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_6.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' 
else 'rng-tools_fips.inc'}"
+
+require ${FIPSINC}
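Review bot: FIPSINC_class-target compares OPENSSL_FIPS_ENABLED against the exact string '1', so a value such as "yes" or "true" silently leaves rng-tools_fips.inc out with no warning. Document the accepted value where the variable is introduced. Since rng-tools/default is a copy of the oe-core file, also record the source commit in a comment in rng-tools_fips.inc so the copy can be resynced when oe-core changes it.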
diff --git a/recipes-support/rng-tools/rng-tools_fips.inc 
b/recipes-support/rng-tools/rng-tools_fips.inc
new file mode 100644
index 000..d5f6435
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_fips.inc
@@ -0,0 +1,2 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/rng-tools:"
+
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 13/16] README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode

2019-09-25 Thread Hongxu Jia
Refer to the RedHat/Fedora/SUSE/Oracle/IBM ways

1. Add `fips=1' to kernel option to enable FIPS mode in kernel

2. File /etc/system-fips to determine if a FIPS mode is enabled in user space,
currently openssh only

Refer:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://access.redhat.com/discussions/3293631
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html

Signed-off-by: Hongxu Jia 
---
 README.enable_fips | 56 ++
 1 file changed, 56 insertions(+)
 create mode 100644 README.enable_fips

diff --git a/README.enable_fips b/README.enable_fips
new file mode 100644
index 000..8016346
--- /dev/null
+++ b/README.enable_fips
@@ -0,0 +1,56 @@
+To turn your system (kernel and user space) into FIPS mode, follow these steps:
+
+1. Enable FIPS mode in kernel:
+The `fips=1' kernel option needs to be added to the kernel command line so 
that key
+generation is done with FIPS approved algorithms and continuous monitoring 
tests in
+place:
+...
+[0.00] Linux version 5.3.0-yoctodev-standard (oe-user@oe-host) (gcc 
version 9.2.0 (GCC)) #1 SMP PREEMPT Sun Sep 22 07:03:58 UTC 2019
+[0.00] Command line: root=/dev/vda rw highres=off  console=ttyS0 fips=1
+[0.281178] alg: self-tests for rsa-generic (rsa) passed
+[0.283124] alg: self-tests for cipher_null-generic (cipher_null) passed
+[0.284199] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed
+[0.285596] alg: self-tests for sha1-generic (sha1) passed
+[0.287474] alg: self-tests for sha256-generic (sha256) passed
+[0.289138] alg: self-tests for sha224-generic (sha224) passed
+[0.290277] alg: self-tests for des3_ede-generic (des3_ede) passed
+[0.292005] alg: self-tests for aes-generic (aes) passed
+[0.294431] alg: self-tests for crc32c-generic (crc32c) passed
+[0.295046] alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed
+[0.296927] alg: self-tests for drbg_pr_hmac_sha384 (stdrng) passed
+[0.298001] alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed
+[0.301064] alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed
+[0.303057] alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed
+[0.304026] alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed
+[0.304999] alg: self-tests for drbg_nopr_hmac_sha384 (stdrng) passed
+[0.306001] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed
+[0.307377] alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed
+[0.311120] DRBG: Continuing without Jitter RNG
+[0.316952] alg: self-tests for ecdh-generic (ecdh) passed
+[0.996938] alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed
+[3.330824] alg: self-tests for cbc(aes-generic) (cbc(aes)) passed
+...
+
+Kernel FIPS mode verification
+You have two options:
+1) cat /proc/sys/crypto/fips_enabled
+2) sysctl crypto.fips_enabled
+
+NOTE: 1 indicates enabled, while 0 indicates disabled.
+
+
+2. Enable FIPS mode in user space (default yes)
+File /etc/system-fips to determine if a FIPS module is installed and
+FIPS mode is enabled
+
+1) openssh:
+- sshd
+2019-09-22T12:20:04.631097+00:00 qemux86-64 sshd[437]: FIPS mode initialized
+
+- ssh
+# ssh root@localhost
+FIPS mode initialized
+
+- ssh-keygen
+# ssh-keygen -A
+ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode
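Review bot: the sample boot log includes `DRBG: Continuing without Jitter RNG` under fips=1 with no explanation; that line comes from the drbg.c workaround elsewhere in this series, and a reader validating a FIPS image should be told it is expected here and why. Section 2 also says /etc/system-fips decides user-space FIPS mode "(default yes)" without saying what creates the file or how to turn it off, and nothing states what happens when the file exists but /proc/sys/crypto/fips_enabled reads 0. A short paragraph on creating and removing the file, and on keeping the two switches in step, would close that gap.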
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH V2 14/16] openssh: add CAVS tests for FIPS validation

2019-09-25 Thread Hongxu Jia
Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
and the SSH KDF CAVS test driver [2]

[1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
[2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)

Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh-6.6p1-ctr-cavstest.patch   | 289 +
 .../openssh/openssh/openssh-6.7p1-kdf-cavs.patch   | 654 +
 recipes-connectivity/openssh/openssh_fips.inc  |   9 +
 3 files changed, 952 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
 create mode 100644 
recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch

diff --git 
a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch 
b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
new file mode 100644
index 000..29371f8
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -0,0 +1,289 @@
+From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 21:32:18 +0800
+Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers
+
+Original submission to Fedora, see:
+   
https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html
+
+this version download from:
+   
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
+   (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
+
+Makefile.in slightly modified for integration
+
+This is the makefile.in change for the normal configuration.
+
+Signed-off-by: Mark Hatle 
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Hongxu Jia 
+---
+ Makefile.in|   7 +-
+ ctr-cavstest.c | 215 +
+ 2 files changed, 221 insertions(+), 1 deletion(-)
+ create mode 100644 ctr-cavstest.c
+
+diff --git a/Makefile.in b/Makefile.in
+index ddd1804..cb34681 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
+ MKDIR_P=@MKDIR_P@
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ctr-cavstest$(EXEEXT)
+ 
+ XMSS_OBJS=\
+   ssh-xmss.o \
+@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o 
readconf.o uidswap.o c
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o 
ssh-pkcs11.o
+   $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ 
++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
++  $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+   $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
+ 
+@@ -343,6 +347,7 @@ install-files:
+   $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) 
$(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) 
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+   $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) 
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
++  $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) 
$(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+diff --git a/ctr-cavstest.c b/ctr-cavstest.c
+new file mode 100644
+index 000..0d4776b
+--- /dev/null
 b/ctr-cavstest.c
+@@ -0,0 +1,215 @@
++/*
++ *
++ * invocation (all of the following are equal):
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

++ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo 
aes128-ctr --key
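Review bot: in the Makefile.in part, ctr-cavstest is added to the default TARGETS and installed 0755 into $(libexecdir) by install-files, so a validation-only test driver is built and installed with every openssh build that carries this patch. The README in this series installs it through a separate openssh-cavs package; make sure the recipe moves /usr/libexec/ctr-cavstest out of the main packages so it does not land on production images by default. The two reference URLs in the embedded patch header are plain http; https links would be preferable.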

[yocto] [meta-openssl102-fips][PATCH 8/16] openssh: conditional enable fips mode

2019-09-25 Thread Hongxu Jia
Enable fips mode according to the existence of "/etc/system-fips"

Signed-off-by: Hongxu Jia 
---
 .../0001-conditional-enable-fips-mode.patch| 63 ++
 recipes-connectivity/openssh/openssh_fips.inc  |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch

diff --git 
a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch 
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
new file mode 100644
index 000..b47e184
--- /dev/null
+++ 
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -0,0 +1,63 @@
+From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 14:31:51 +0800
+Subject: [PATCH] conditional enable fips mode
+
+Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
+enable fips mode according to the existence of "/etc/system-fips"
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ xmalloc.c | 24 
+ 1 file changed, 24 insertions(+)
+
+diff --git a/xmalloc.c b/xmalloc.c
+index 5cc0310..0218ccd 100644
+--- a/xmalloc.c
 b/xmalloc.c
+@@ -23,12 +23,20 @@
+ #include 
+ #include 
+ 
++#include 
++#include 
++#include 
++
+ #include "xmalloc.h"
+ #include "log.h"
+ 
++void ssh_enable_fips_mode(void);
++
+ void
+ ssh_malloc_init(void)
+ {
++  ssh_enable_fips_mode();
++
+ #if defined(__OpenBSD__)
+   extern char *malloc_options;
+ 
+@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ 
+   return (i);
+ }
++
++void
++ssh_enable_fips_mode(void)
++{
++if (access("/etc/system-fips", F_OK) == 0) {
++if (!FIPS_mode_set(1)) {
++/* make sure the error stack is available for some hint as
++ * to why this operation failed
++ */
++ERR_load_crypto_strings();
++ERR_print_errors_fp(stdout);
++fatal("FIPS_mode_set(): failed to enter FIPS mode!\n");
++exit(1);
++}
++}
++}
+-- 
+2.7.4
+
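Review bot: in ssh_enable_fips_mode(), ERR_print_errors_fp(stdout) writes the OpenSSL error stack to stdout, which for ssh is the stream carrying remote command output and for sshd may not be a terminal at all; send it to stderr or through the log functions instead. fatal() does not return, so the exit(1) after it is dead code. The gate is only access("/etc/system-fips", F_OK): any existing file, even an empty one, turns FIPS mode on, and the kernel's fips_enabled state is never consulted, so the patch header should say that this is intended. Calling it from ssh_malloc_init() works because every program calls that function, but it hides a policy decision in allocator setup; a comment at the call site would help.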
diff --git a/recipes-connectivity/openssh/openssh_fips.inc 
b/recipes-connectivity/openssh/openssh_fips.inc
index 8f21264..9d25b5b 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -5,6 +5,7 @@ DEPENDS += " \
 "
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
+file://0001-conditional-enable-fips-mode.patch \
 "
 
 do_install_append() {
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 10/16] openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode

2019-09-25 Thread Hongxu Jia
Running sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]:   generating ssh ED25519 host key...
2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
...

If FIPS mode is enabled (existence of "/etc/system-fips"), don't generate
ED25519 host keys in FIPS mode

Refer to Fedora:
https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/openssh/sshd_check_keys | 4 
 1 file changed, 4 insertions(+)

diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys 
b/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7..338531d 100644
--- a/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -71,6 +71,10 @@ for key in ${HOST_KEYS} ; do
 generate_key $key ecdsa
 ;;
 *_ed25519_key)
+FIPS=/etc/system-fips
+if [[ -r "$FIPS" ]]; then
+continue
+fi
 echo "  generating ssh ED25519 host key..."
 generate_key $key ed25519
 ;;
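Review bot: the added test uses `[[ -r "$FIPS" ]]`, but sshd_check_keys starts with `#! /bin/sh` and `[[` is not POSIX. On a target whose /bin/sh lacks it the test errors out, the `continue` is skipped and the script goes on to attempt ED25519 generation anyway. Use `[ -r "$FIPS" ]`. Note also that -r differs from the access(F_OK) test used in the openssh patch, so `[ -e "$FIPS" ]` would match it more closely, and the FIPS= assignment can move out of the loop.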
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH V2 9/16] openssh: port a copy of sshd_check_keys from oe-core

2019-09-25 Thread Hongxu Jia
Port it at the following commit in oe-core
http://cgit.openembedded.org/openembedded-core/commit/?id=2303d795ae96f1a60caf145a0ddf100e89c4b5b0

Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh/sshd_check_keys| 78 ++
 1 file changed, 78 insertions(+)
 create mode 100644 recipes-connectivity/openssh/openssh/sshd_check_keys

diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys 
b/recipes-connectivity/openssh/openssh/sshd_check_keys
new file mode 100644
index 000..1931dc7
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -0,0 +1,78 @@
+#! /bin/sh
+
+generate_key() {
+local FILE=$1
+local TYPE=$2
+local DIR="$(dirname "$FILE")"
+
+mkdir -p "$DIR"
+ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+# Atomically rename file public key
+mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+# This sync does double duty: Ensuring that the data in the temporary
+# private key file is on disk before the rename, and ensuring that the
+# public key rename is completed before the private key rename, since we
+# switch on the existence of the private key to trigger key generation.
+# This does mean it is possible for the public key to exist, but be garbage
+# but this is OK because in that case the private key won't exist and the
+# keys will be regenerated.
+#
+# In the event that sync understands arguments that limit what it tries to
+# fsync(), we provided them. If it does not, it will simply call sync()
+# which is just as well
+sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+mv "${FILE}.tmp" "$FILE"
+
+# sync to ensure the atomic rename is committed
+sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+. /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+case "$1" in
+-f*) if [ "$1" = "-f" ] ; then
+sshd_config="$2"
+shift
+else
+sshd_config="${1#-f}"
+fi
+shift
+;;
+--) shift; break;;
+*) shift;;
+esac
+done
+
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key 
$SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+
+for key in ${HOST_KEYS} ; do
+[ -f $key ] && continue
+case $key in
+*_rsa_key)
+echo "  generating ssh RSA host key..."
+generate_key $key rsa
+;;
+*_ecdsa_key)
+echo "  generating ssh ECDSA host key..."
+generate_key $key ecdsa
+;;
+*_ed25519_key)
+echo "  generating ssh ED25519 host key..."
+generate_key $key ed25519
+;;
+esac
+done
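Review bot: generate_key() never checks the exit status of ssh-keygen, so when key generation is refused (as the ED25519 log elsewhere in this series shows happens in FIPS mode) the two mv calls still run against files that do not exist, and the script carries on with no host key and only mv's error as a clue. Since the reason for carrying this copy is FIPS support, add `ssh-keygen ... || return 1` and report the failure. `[ -f $key ]` and `generate_key $key ...` should also quote $key, as the HostKey paths come from sshd_config.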
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH V2 5/16] openssh: add generation of HMAC checksums in pkg_postinst

2019-09-25 Thread Hongxu Jia
Refer to https://src.fedoraproject.org/rpms/openssh/c/13fa787ecc35d6c9eea9e64c1f42f49e2ee978ce
(See __spec_install_post in openssh.spec for detail)

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/openssh_fips.inc | 34 +++
 1 file changed, 34 insertions(+)

diff --git a/recipes-connectivity/openssh/openssh_fips.inc 
b/recipes-connectivity/openssh/openssh_fips.inc
index 99a3482..8f21264 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,3 +6,37 @@ DEPENDS += " \
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
 "
+
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
+
+inherit qemu
+
+pkg_postinst_append_${PN}-ssh () {
+if [ -n "$D" ]; then
+if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 
'true','false', d)}; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/ssh.${BPN}
+else
+$INTERCEPT_DIR/postinst_intercept delay_to_first_boot ${PKG} 
mlprefix=${MLPREFIX}
+fi
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/ssh.${BPN}
+fi
+}
+
+pkg_postinst_append_${PN}-sshd () {
+if [ -n "$D" ]; then
+if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 
'true','false', d)}; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${sbindir}/sshd
+else
+$INTERCEPT_DIR/postinst_intercept delay_to_first_boot ${PKG} 
mlprefix=${MLPREFIX}
+fi
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${sbindir}/sshd
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
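Review bot: both postinst functions write the HMAC into ${libdir}/fipscheck, but that directory is created in do_install_append and packaged through FILES_${PN}, while the scripts belong to ${PN}-ssh and ${PN}-sshd. Unless those packages depend on ${PN}, the directory may be missing when fipshmac -d runs, so package the directory with the sub-packages or add the dependency. The two functions differ only in the binary path and could share a helper. When qemu-usermode is absent the HMAC is deferred to first boot and is then computed on the target from whatever binary is on disk at that point, which is worth stating since the checksum is meant as an integrity reference.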
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 7/16] kernel: workaround alg self-tests failure in fips mode

2019-09-25 Thread Hongxu Jia
When the kernel enables FIPS mode, it starts the alg self-tests, and there is
a kernel panic at ecdh-generic
...
[0.311313] alg: ecdh: test failed on vector 2, err=-14
[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...

Continue without Jitter RNG for fips to workaround alg self-tests failure,
after applying the fix:
...
[0.306633] DRBG: Continuing without Jitter RNG
[0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...

Refer: https://lore.kernel.org/patchwork/patch/568693/

Signed-off-by: Hongxu Jia 
---
 .../0001-fips-continuing-without-Jitter-RNG.patch  | 34 ++
 recipes-kernel/linux/files/crypto_fips.scc |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 
recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch

diff --git 
a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch 
b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
new file mode 100644
index 000..140d6a1
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
@@ -0,0 +1,34 @@
+From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 10:57:02 +0800
+Subject: [PATCH] fips: continuing without Jitter RNG
+
+Continue without Jitter RNG for fips to workaround alg self-tests failure
+...
+[0.311313] alg: ecdh: test failed on vector 2, err=-14
+[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic 
(ecdh) failed in fips mode!
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ crypto/drbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/drbg.c b/crypto/drbg.c
+index b6929eb..d677da5 100644
+--- a/crypto/drbg.c
 b/crypto/drbg.c
+@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg, 
struct drbg_string *pers,
+   if (IS_ERR(drbg->jent)) {
+   ret = PTR_ERR(drbg->jent);
+   drbg->jent = NULL;
+-  if (fips_enabled || ret != -ENOENT)
++  if (ret != -ENOENT)
+   goto free_everything;
+   pr_info("DRBG: Continuing without Jitter RNG\n");
+   }
+-- 
+2.7.4
+
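Review bot: dropping `fips_enabled ||` from the check in drbg_instantiate() means a DRBG in FIPS mode now instantiates without the Jitter RNG whenever drbg->jent comes back as -ENOENT, which removes a hard failure the kernel applies only in FIPS mode; the patch header calls this a workaround but does not state that trade-off. The boot log in README.enable_fips shows the jitterentropy_rng self-test passing at 0.99 s, after `DRBG: Continuing without Jitter RNG` at 0.31 s, which suggests the Jitter RNG is present but registered too late rather than missing. Please record the root cause in the header and consider fixing the ordering instead, so the FIPS-mode check can stay.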
diff --git a/recipes-kernel/linux/files/crypto_fips.scc 
b/recipes-kernel/linux/files/crypto_fips.scc
index f64380a..85f8f44 100644
--- a/recipes-kernel/linux/files/crypto_fips.scc
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -1 +1,2 @@
 kconf non-hardware crypto_fips.cfg
+patch 0001-fips-continuing-without-Jitter-RNG.patch
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 6/16] add kernel fips mode support

2019-09-25 Thread Hongxu Jia
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
by specifying fips=1 as kernel parameter. [1][2]

/proc/sys/crypto/fips_enabled, that is presumably used by the Red Hat
modified version of OpenSSL.[3]

[1] https://www.linux.org/docs/man8/fipscheck.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
[3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html

Signed-off-by: Hongxu Jia 
---
 classes/fips_kernel.bbclass| 4 
 conf/layer.conf| 4 
 recipes-kernel/linux/files/crypto_fips.cfg | 3 +++
 recipes-kernel/linux/files/crypto_fips.scc | 1 +
 4 files changed, 12 insertions(+)
 create mode 100644 classes/fips_kernel.bbclass
 create mode 100644 recipes-kernel/linux/files/crypto_fips.cfg
 create mode 100644 recipes-kernel/linux/files/crypto_fips.scc

diff --git a/classes/fips_kernel.bbclass b/classes/fips_kernel.bbclass
new file mode 100644
index 000..064088f
--- /dev/null
+++ b/classes/fips_kernel.bbclass
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := 
"${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:"
+SRC_URI_append = " \
+file://crypto_fips.scc \
+"
diff --git a/conf/layer.conf b/conf/layer.conf
index 185f422..bcf34b3 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -20,3 +20,7 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
 "
 
 IMAGE_CLASSES_append = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' 
else ' image-enable-fips'}"
+
+LAYER_PATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"
+
+KERNEL_CLASSES_append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ' 
fips_kernel', '',d)}"
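Review bot: KERNEL_CLASSES_append tests the flag with bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ...) while the IMAGE_CLASSES_append line just above uses d.getVar('OPENSSL_FIPS_ENABLED', True) != '1'. The two are not equivalent for values other than exactly "1", since contains matches '1' as one item of a space-separated list, so a setting could enable the kernel class without image-enable-fips. Use one idiom for both lines.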
diff --git a/recipes-kernel/linux/files/crypto_fips.cfg 
b/recipes-kernel/linux/files/crypto_fips.cfg
new file mode 100644
index 000..cffdc02
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.cfg
@@ -0,0 +1,3 @@
+CONFIG_CRYPTO_FIPS=y
+CONFIG_MODULE_SIG=y
+# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
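Review bot: the fragment sets CONFIG_MODULE_SIG=y but says nothing about CONFIG_MODULE_SIG_FORCE or which key signs the modules, so it is unclear whether unsigned modules are meant to be rejected on a FIPS image. State the intent in the commit message and add the options that enforce it if so. Nothing in this patch adds fips=1 to the kernel command line either, so mention where that is expected to come from.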
diff --git a/recipes-kernel/linux/files/crypto_fips.scc 
b/recipes-kernel/linux/files/crypto_fips.scc
new file mode 100644
index 000..f64380a
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -0,0 +1 @@
+kconf non-hardware crypto_fips.cfg
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH V2 2/16] openssh_8.%.bbappend: support fips 140-2

2019-09-25 Thread Hongxu Jia
Port openssh-7.7p1-fips.patch from Fedora
https://src.fedoraproject.org/rpms/openssh.git
(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)

Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh/0001-openssh-8.0p1-fips.patch  | 529 +
 recipes-connectivity/openssh/openssh_8.%.bbappend  |   4 +
 recipes-connectivity/openssh/openssh_fips.inc  |   8 +
 3 files changed, 541 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
 create mode 100644 recipes-connectivity/openssh/openssh_8.%.bbappend
 create mode 100644 recipes-connectivity/openssh/openssh_fips.inc

diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch 
b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
new file mode 100644
index 000..a4b5836
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
@@ -0,0 +1,529 @@
+From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Fri, 20 Sep 2019 17:59:00 +0800
+Subject: [PATCH] openssh 8.0p1 fips
+
+Port openssh-7.7p1-fips.patch from Fedora
+https://src.fedoraproject.org/rpms/openssh.git
+(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ Makefile.in  | 14 +++---
+ cipher-ctr.c |  3 ++-
+ clientloop.c |  3 ++-
+ dh.c | 40 
+ dh.h |  1 +
+ kex.c|  5 -
+ kexgexc.c|  5 +
+ myproposal.h | 40 
+ readconf.c   | 17 +
+ sandbox-seccomp-filter.c |  3 +++
+ servconf.c   | 19 ++-
+ ssh-keygen.c |  6 ++
+ ssh.c| 16 
+ sshconnect2.c| 11 ---
+ sshd.c   | 19 +++
+ sshkey.c |  4 
+ 16 files changed, 176 insertions(+), 30 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 6f001bb..ddd1804 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS)
+   $(RANLIB) $@
+ 
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+-  $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) 
$(LIBS) $(GSSLIBS)
++  $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(SSHLIBS) $(LIBS) $(GSSLIBS)
+ 
+ sshd$(EXEEXT): libssh.a   $(LIBCOMPAT) $(SSHDOBJS)
+-  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS)
++  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+   $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat 
$(LIBS)
+ 
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+-  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(LIBS)
+ 
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
+-  $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+-  $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(LIBS)
+ 
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o 
uidswap.o compat.o
+-  $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o 
ssh-pkcs11.o
+   $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ 
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+-  $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
++  $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
+ 
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o 
sftp-server.o sftp-server-main.o
+   $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) 
-lssh -lopenbsd-compat $(LIBS)
+diff --git a/cipher-ctr.c b/cipher-ctr.c
+index 32771f2..74fac3b 100644
+--- a/cipher-ctr.c
 b/cipher-ctr.c
+@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
+   aes_ctr.do_cipher = ssh_aes_ctr;
+ #ifndef SSH_OLD_EVP
+   aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH
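Review bot: the nested Makefile.in hunk hardcodes -lfipscheck on the link lines for ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan, so each of those binaries fails to link unless libfipscheck is already staged. Nothing visible in this patch makes the openssh recipe depend on fipscheck; confirm that the accompanying recipe change adds it to DEPENDS. The header also marks a patch ported from Fedora as Upstream-Status: Inappropriate [oe specific]; the message should say why it cannot go upstream, since a 529-line carry touching kex.c, dh.c, myproposal.h and the config parsers has to be re-reviewed on every openssh upgrade.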

[yocto] [meta-openssl102-fips][PATCH V2 1/16] fipscheck: add 1.5.0

2019-09-25 Thread Hongxu Jia
Port it from fedora:
https://src.fedoraproject.org/rpms/fipscheck
(as of commit 7e44bec705fb2b3263734f30a05c2245738cf01a)

It is required by openssh fips.

Signed-off-by: Hongxu Jia 
---
 .../0001-compat-fip-with-openssl-1.0.2.patch   | 34 ++
 recipes-support/fipscheck/fipscheck_1.5.0.bb   | 30 +++
 templates/feature/openssl-fips/template.conf   |  2 +-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 
recipes-support/fipscheck/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
 create mode 100644 recipes-support/fipscheck/fipscheck_1.5.0.bb

diff --git 
a/recipes-support/fipscheck/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch 
b/recipes-support/fipscheck/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
new file mode 100644
index 000..22e5a62
--- /dev/null
+++ 
b/recipes-support/fipscheck/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
@@ -0,0 +1,34 @@
+From 3147ae2a63f10f9bbdd0a617b450ff8b9868e60f Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Fri, 20 Sep 2019 17:51:09 +0800
+Subject: [PATCH] compat fip with openssl 1.0.2
+
+In /usr/lib64/ssl/fips-2.0/include/openssl/opensslv.h
+...
+define OPENSSL_VERSION_NUMBER  0x1010L
+...
+Since fips include file compat with openssl 1.1.0, do not include it
+in Yocto
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ src/filehmac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index a8eef00..0b36cec 100644
+--- a/src/filehmac.c
 b/src/filehmac.c
+@@ -41,7 +41,6 @@
+ #include 
+ 
+ #if defined(WITH_OPENSSL)
+-#include 
+ #include 
+ #include 
+ #elif defined(WITH_NSS)
+-- 
+2.7.4
+
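Review bot: the message of the nested patch does not make the reason for dropping the include in src/filehmac.c checkable. It quotes a define from /usr/lib64/ssl/fips-2.0/include/openssl/opensslv.h and says the FIPS include files are compatible with openssl 1.1.0, but it does not state what breaks when the header is kept, or confirm that filehmac.c needs no declaration from it when WITH_OPENSSL is defined. Spell both out, and give the header path relative to the sysroot rather than a host /usr/lib64 path.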
diff --git a/recipes-support/fipscheck/fipscheck_1.5.0.bb 
b/recipes-support/fipscheck/fipscheck_1.5.0.bb
new file mode 100644
index 000..68051d2
--- /dev/null
+++ b/recipes-support/fipscheck/fipscheck_1.5.0.bb
@@ -0,0 +1,30 @@
+SUMMARY = "A library for integrity verification of FIPS validated modules"
+DESCRIPTION = "FIPSCheck is a library for integrity verification of FIPS 
validated \
+modules. The package also provides helper binaries for creation and \
+verification of the HMAC-SHA256 checksum files."
+HOMEPAGE = "https://pagure.io/fipscheck;
+SECTION = "libs/network"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=35f2904ce138ac5fa63e7cedf96bbedf"
+
+SRC_URI = "https://releases.pagure.org/fipscheck/${BPN}-${PV}.tar.bz2 \
+   file://0001-compat-fip-with-openssl-1.0.2.patch \
+"
+SRC_URI[md5sum] = "86e756a7d2aa15f3f91033fb3eced99b"
+SRC_URI[sha256sum] = 
"7ba38100ced187f44b12dd52c8c74db8f366a2a8b9da819bd3e7c6ea17f469d5"
+
+DEPENDS = " \
+openssl \
+openssl-fips \
+"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF += " \
+--disable-static \
+"
+EXTRA_OEMAKE += " \
+-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
+"
+
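Review bot: in EXTRA_OEMAKE, -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include is passed to make, where -I sets the search path for included makefiles, not the compiler's header path. If the intent is to let the compiler find the FIPS headers, put the flag in CFLAGS or CPPFLAGS. The path is also taken from the native sysroot (STAGING_LIBDIR_NATIVE) while DEPENDS lists the target openssl-fips, so the headers would not come from the recipe that is declared as a dependency. As shown, the HOMEPAGE value ends in ';' with no closing quote.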
diff --git a/templates/feature/openssl-fips/template.conf 
b/templates/feature/openssl-fips/template.conf
index 6da678c..9a551c3 100644
--- a/templates/feature/openssl-fips/template.conf
+++ b/templates/feature/openssl-fips/template.conf
@@ -8,4 +8,4 @@ OPENSSL_FIPS_PREBUILT ??= ""
 
 PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips'
 PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips-example'
-
+PNWHITELIST_meta-openssl-one-zero-two-fips += 'fipscheck'
-- 
2.7.4



[yocto] Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH

2019-09-25 Thread Hongxu Jia
Changed in V1:
- Follow Mark H's suggestions

Hi Mark,

Once openssh enables FIPS mode, openssh ptest will fail (mess of failure).
It seems the test case of upstream openssh does not consider FIPS mode support.
I searched Fedora; there is nothing about openssh `regress' (test suites) in
FIPS mode support.

So I do not add additional cavs test to the ptest, just add a note
to README.enable_fips

//Hongxu

== Comments (indicate scope for each "y" above) ==
* Git logs
[meta-openssl102-fips]
commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
Author: Hongxu Jia 
Date:   Wed Sep 25 15:03:24 2019 +0800

README.enable_fips: openssh ptest failed in fips mode

Signed-off-by: Hongxu Jia 

commit f5b8a66c226541e73cc509a73452bbafc59f2555
Author: Hongxu Jia 
Date:   Sun Sep 22 22:40:56 2019 +0800

README.openssh_cavstest: add CAVS tests for FIPS validation

Signed-off-by: Hongxu Jia 

commit bd5de039c60fd2ab89f7925d3801520d742ba09a
Author: Hongxu Jia 
Date:   Sun Sep 22 21:54:41 2019 +0800

openssh: add CAVS tests for FIPS validation

Refer the latest Fedora to add cavs test binary for the aes-ctr [1]
and SSH KDF CAVS test driver [2]

[1] 
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
[2] 
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)

Signed-off-by: Hongxu Jia 

commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
Author: Hongxu Jia 
Date:   Sun Sep 22 20:55:30 2019 +0800

README.enable_fips: add steps to turn system (kernel and user space) into 
FIPS mode

Refer RedHat/Fedora/SUSE/Oracle/IBM ways

1. Add `fips=1' to kernel option to enable FIPS mode in kernel

2. File /etc/system-fips to determine if a FIPS mode is enabled in user 
space,
currently openssh only

Refer:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://access.redhat.com/discussions/3293631

https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html

https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html

https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html

Signed-off-by: Hongxu Jia 

commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
Author: Hongxu Jia 
Date:   Sun Sep 22 19:27:45 2019 +0800

rng-tools: fix rngd failed in fips mode

The FIPS test is something done on government or more secure organizations
for extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor 
preset: enabled)
   Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
  Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, 
status=0/SUCCESS)
 Main PID: 317 (code=exited, status=0/SUCCESS)

Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling 
entropy source
...

From rngd manual, add `-i' to default
...
-i, --ignorefail
  Ignore repeated fips failures
...

After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor 
preset: enabled)
   Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
 Main PID: 121 (rngd)
Tasks: 2
   Memory: 1.8M
   CGroup: /system.slice/rngd.service
   /usr/sbin/rngd -f -r /dev/hwrng -i

Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not 
permitted
...

Refer:

https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html

Signed-off-by: Hongxu Jia 

commit c3224883bec9155fb51686a908c59da31d9918f5
Author: Hongxu Jia 
Date:   Sun Sep 22 19:27:01 2019 +0800

rng-tools bbappend: port a copy of default from oe-core

Port it at the following commit in oe-core

http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91

Signed-off-by: Hongxu Jia 

commit aecc01c2e49825dcb2a78875e0562028b2636fab
Author: Hongxu Jia 
Date:   Sun Sep 22 18:48:08 2019 +0800

openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode

Run sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 

[yocto] [meta-openssl102-fips][PATCH V2 4/16] classes/image-enable-fips.bbclass: enable user space fips mode in image

2019-09-25 Thread Hongxu Jia
Refer Fedora/RedHat's way
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut

To enable user space fips mode in the image recipe as part of an
'IMAGE_CLASSES'. Basically if FIPS-140-2 is enabled, then we can
touch the file as a post image generation activity.

Signed-off-by: Hongxu Jia 
---
 classes/image-enable-fips.bbclass | 5 +
 conf/layer.conf   | 2 ++
 2 files changed, 7 insertions(+)
 create mode 100644 classes/image-enable-fips.bbclass

diff --git a/classes/image-enable-fips.bbclass 
b/classes/image-enable-fips.bbclass
new file mode 100644
index 000..10cc1bd
--- /dev/null
+++ b/classes/image-enable-fips.bbclass
@@ -0,0 +1,5 @@
+RPM_POSTPROCESS_COMMANDS_append = "enable_system_fips;"
+enable_system_fips() {
+install -d ${IMAGE_ROOTFS}${sysconfdir}
+touch ${IMAGE_ROOTFS}${sysconfdir}/system-fips
+}
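Review bot: hooking enable_system_fips into RPM_POSTPROCESS_COMMANDS means it only runs for images built with the rpm package backend, so with ipk or deb the marker ${sysconfdir}/system-fips is never created and user space silently stays out of FIPS mode. ROOTFS_POSTPROCESS_COMMAND is the backend-independent hook for this. The _append also has no leading separator, so it relies on the existing value already ending in ';'.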
diff --git a/conf/layer.conf b/conf/layer.conf
index 27a872e..185f422 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,3 +18,5 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
 meta-openssl-one-zero-two \
 wr-template \
 "
+
+IMAGE_CLASSES_append = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' 
else ' image-enable-fips'}"
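Review bot: IMAGE_CLASSES_append in conf/layer.conf takes effect for every image in any build that includes this layer, gated only on OPENSSL_FIPS_ENABLED being exactly '1'. The class then marks user space as FIPS through the marker file whether or not the image is booted with the kernel in FIPS mode; say in the commit message that the two are independent switches. Style: the second argument to d.getVar() is unnecessary, and the condition reads more easily written positively (' image-enable-fips' if ... == '1' else '').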
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH V2 3/16] fipscheck: add generation of the checksums in pkg_postinst

2019-09-25 Thread Hongxu Jia
Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
(* fipscheck.spec.in: Add generation of the checksums in __spec_install_post.)

Signed-off-by: Hongxu Jia 
---
 recipes-support/fipscheck/fipscheck_1.5.0.bb | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/recipes-support/fipscheck/fipscheck_1.5.0.bb 
b/recipes-support/fipscheck/fipscheck_1.5.0.bb
index 68051d2..9faed9c 100644
--- a/recipes-support/fipscheck/fipscheck_1.5.0.bb
+++ b/recipes-support/fipscheck/fipscheck_1.5.0.bb
@@ -27,4 +27,26 @@ EXTRA_OECONF += " \
 EXTRA_OEMAKE += " \
 -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
 "
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
 
+inherit qemu
+
+pkg_postinst_${PN} () {
+if [ -n "$D" ]; then
+if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 
'true','false', d)}; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/fipscheck 
$D${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac 
$D${libdir}/fipscheck/libfipscheck.so.1.hmac
+else
+$INTERCEPT_DIR/postinst_intercept delay_to_first_boot ${PKG} 
mlprefix=${MLPREFIX}
+fi
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/fipscheck \
+${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac 
${libdir}/fipscheck/libfipscheck.so.1.hmac
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
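Review bot: pkg_postinst hardcodes libfipscheck.so.1.2.1 in both branches, so the recipe breaks silently on the next library version bump; derive the file name from what do_install actually put in ${libdir}. The ln -s has no -f, so rerunning the postinst (reinstall or upgrade) fails once the link exists. In the delay_to_first_boot path the reference HMAC is computed on the target from whatever is on disk at first boot, which means the checksum cannot detect a binary that was altered before that boot; note this limitation or require the qemu-usermode path for FIPS images.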
-- 
2.7.4



Re: [yocto] [meta-anaconda][PATCH 1/1] initramfs-module-setup-live: call udev settle before umounting /run/media/*

2019-09-23 Thread Hongxu Jia

Merged

//Hongxu
On 9/23/19 2:41 PM, Ovidiu Panait wrote:

This fixes a race condition which leaves devices mounted, causing the
following anaconda installation failure:
File "/usr/lib64/python3.5/site-packages/gi/overrides/BlockDev.py", line 963, 
in wrapped
   raise transform[1](msg)
File "/usr/lib64/python3.5/site-packages/blivet/devices/lvm.py", line 913, in 
_teardown
   blockdev.lvm.lvdeactivate(self.vg.name, self._name)
File "/usr/lib64/python3.5/site-packages/blivet/threads.py", line 53, in 
run_with_lock
   return m(*args, **kwargs)
File "/usr/lib64/python3.5/site-packages/blivet/devices/storage.py", line 431, 
in teardown
   self._teardown(recursive=recursive)
File "/usr/lib64/python3.5/site-packages/blivet/threads.py", line 53, in 
run_with_lock
   return m(*args, **kwargs)
File "/usr/lib64/python3.5/site-packages/blivet/devices/lvm.py", line 1933, in 
teardown
   return DMDevice.teardown(self, recursive)
gi.overrides.BlockDev.LVMError: Process reported exit code 5:   Logical volume 
wrll_intel-x86-64/root contains a filesystem in use.

Signed-off-by: Ovidiu Panait 
---
  recipes-installer/initrdscripts/files/umountfs | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/recipes-installer/initrdscripts/files/umountfs 
b/recipes-installer/initrdscripts/files/umountfs
index f01adea..4792110 100644
--- a/recipes-installer/initrdscripts/files/umountfs
+++ b/recipes-installer/initrdscripts/files/umountfs
@@ -3,6 +3,9 @@ umountfs_enabled() {
  }
  
  umountfs_run() {

+# Make sure /run/media is fully populated
+udevadm settle
+
  # Umount other media for anaconda
  for dir in `awk '/\/dev.* \/run\/media/{print $2}' /proc/mounts`; do
  umount $dir
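Review bot: udevadm settle at the top of umountfs_run() is called without --timeout and its exit status is ignored, so a stuck udev queue stalls this path for the default timeout and the loop then runs anyway against a possibly incomplete /proc/mounts. Pass an explicit --timeout and log a warning on a non-zero exit. The added comment says /run/media is "fully populated", but settle only waits for the udev event queue to drain; name in the commit message the rule that performs the mounts so the reasoning can be checked.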





[yocto] [meta-openssl102-fips][PATCH 14/15] openssh: add CAVS tests for FIPS validation

2019-09-22 Thread Hongxu Jia
Refer the latest Fedora to add cavs test binary for the aes-ctr [1]
and SSH KDF CAVS test driver [2]

[1] 
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
[2] 
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch

Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh-6.6p1-ctr-cavstest.patch   | 289 +
 .../openssh/openssh/openssh-6.7p1-kdf-cavs.patch   | 654 +
 recipes-connectivity/openssh/openssh_fips.inc  |   9 +
 3 files changed, 952 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
 create mode 100644 
recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch

diff --git 
a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch 
b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
new file mode 100644
index 000..038efa0
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -0,0 +1,289 @@
+From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 21:32:18 +0800
+Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers
+
+Original submission to Fedora, see:
+   
https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html
+
+this version download from:
+   
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
+   (as of commit 991b66246f5151884b63c6d1232610a4569642a5)
+
+Makefile.in slightly modified for integration
+
+This is the makefile.in change for the normal configuration.
+
+Signed-off-by: Mark Hatle 
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Hongxu Jia 
+---
+ Makefile.in|   7 +-
+ ctr-cavstest.c | 215 +
+ 2 files changed, 221 insertions(+), 1 deletion(-)
+ create mode 100644 ctr-cavstest.c
+
+diff --git a/Makefile.in b/Makefile.in
+index ddd1804..cb34681 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
+ MKDIR_P=@MKDIR_P@
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ctr-cavstest$(EXEEXT)
+ 
+ XMSS_OBJS=\
+   ssh-xmss.o \
+@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o 
readconf.o uidswap.o c
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o 
ssh-pkcs11.o
+   $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ 
++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
++  $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+   $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
+ 
+@@ -343,6 +347,7 @@ install-files:
+   $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) 
$(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) 
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+   $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) 
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
++  $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) 
$(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+diff --git a/ctr-cavstest.c b/ctr-cavstest.c
+new file mode 100644
+index 000..0d4776b
+--- /dev/null
 b/ctr-cavstest.c
+@@ -0,0 +1,215 @@
++/*
++ *
++ * invocation (all of the following are equal):
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

++ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo 
aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
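Review bot: the nested Makefile.in hunk defines CTR_CAVSTEST=$(libexecdir)/ctr-cavstest but the install-files line writes to $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) instead of $(DESTDIR)$(CTR_CAVSTEST)$(EXEEXT), unlike the neighbouring SSH_KEYSIGN and SSH_PKCS11_HELPER lines; use the variable or drop it. ctr-cavstest is also added to TARGETS and install-files unconditionally, so a validation-only test driver is built and installed with every openssh build. Confirm that the 9-line openssh_fips.inc change, which is not visible in this excerpt, moves it into its own package so that it does not land in production images by default.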

[yocto] [meta-openssl102-fips][PATCH 15/15] README.openssh_cavstest: add CAVS tests for FIPS validation

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 README.openssh_cavstest | 28 
 1 file changed, 28 insertions(+)
 create mode 100644 README.openssh_cavstest

diff --git a/README.openssh_cavstest b/README.openssh_cavstest
new file mode 100644
index 000..5d69ee5
--- /dev/null
+++ b/README.openssh_cavstest
@@ -0,0 +1,28 @@
+1. Install openssh-cavs to images
+$ echo "IMAGE_INSTALL += 'openssh-cavs'" >> conf/local.conf
+$ bitbake 
+
+2. Run tests on target
+1) ctr-cavstest
+invocation (all of the following are equal):
+./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode 
encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode 
encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

+echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr 
--key 987212980144b6a632e864031f52dacc --mode encrypt
+
+$ cd /usr/libexec
+$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+58E33554D51B0DD7A63F44B22381B1CA
+$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

+58E33554D51B0DD7A63F44B22381B1CA
+$ echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr 
--key 987212980144b6a632e864031f52dacc --mode encrypt
+58E33554D51B0DD7A63F44B22381B1CA
+
+2) ssh-cavs
+$ cd /usr/libexec
+$ ./ssh-cavs -K 
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
 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s 
d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+Initial IV (client to server) = 4bb320d1679dfd3a
+Initial IV (server to client) = 43dea6fdf263a308
+Encryption key (client to server) = 
13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+Encryption key (server to client) = 
1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
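Review bot: step 1 of the README uses IMAGE_INSTALL += in conf/local.conf, which is subject to assignment ordering and can replace rather than extend an image's default package list; IMAGE_INSTALL_append = " openssh-cavs" is the safe form. The bitbake command on the next line has no target. The three invocations are listed once under "all of the following are equal" and then again as transcripts; keep only the transcripts. For ssh-cavs, add one line saying what the -K, -H, -s, -i, -e and -m arguments are, since the example is otherwise not reusable with other vectors.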
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 13/15] README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode

2019-09-22 Thread Hongxu Jia
Refer RedHat/Fedora/SUSE/Oracle/IBM ways

1. Add `fips=1' to kernel option to enable FIPS mode in kernel

2. File /etc/system-fips to determine if a FIPS mode is enabled in user space,
currently openssh only

Refer:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://access.redhat.com/discussions/3293631
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html

Signed-off-by: Hongxu Jia 
---
 README.enable_fips | 56 ++
 1 file changed, 56 insertions(+)
 create mode 100644 README.enable_fips

diff --git a/README.enable_fips b/README.enable_fips
new file mode 100644
index 000..8016346
--- /dev/null
+++ b/README.enable_fips
@@ -0,0 +1,56 @@
+To turn your system (kernel and user space) into FIPS mode, follow these steps:
+
+1. Enable FIPS mode in kernel:
+The `fips=1' kernel option needs to be added to the kernel command line so 
that key
+generation is done with FIPS approved algorithms and continuous monitoring 
tests in
+place:
+...
+[0.00] Linux version 5.3.0-yoctodev-standard (oe-user@oe-host) (gcc 
version 9.2.0 (GCC)) #1 SMP PREEMPT Sun Sep 22 07:03:58 UTC 2019
+[0.00] Command line: root=/dev/vda rw highres=off  console=ttyS0 fips=1
+[0.281178] alg: self-tests for rsa-generic (rsa) passed
+[0.283124] alg: self-tests for cipher_null-generic (cipher_null) passed
+[0.284199] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed
+[0.285596] alg: self-tests for sha1-generic (sha1) passed
+[0.287474] alg: self-tests for sha256-generic (sha256) passed
+[0.289138] alg: self-tests for sha224-generic (sha224) passed
+[0.290277] alg: self-tests for des3_ede-generic (des3_ede) passed
+[0.292005] alg: self-tests for aes-generic (aes) passed
+[0.294431] alg: self-tests for crc32c-generic (crc32c) passed
+[0.295046] alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed
+[0.296927] alg: self-tests for drbg_pr_hmac_sha384 (stdrng) passed
+[0.298001] alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed
+[0.301064] alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed
+[0.303057] alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed
+[0.304026] alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed
+[0.304999] alg: self-tests for drbg_nopr_hmac_sha384 (stdrng) passed
+[0.306001] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed
+[0.307377] alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed
+[0.311120] DRBG: Continuing without Jitter RNG
+[0.316952] alg: self-tests for ecdh-generic (ecdh) passed
+[0.996938] alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed
+[3.330824] alg: self-tests for cbc(aes-generic) (cbc(aes)) passed
+...
+
+Kernel FIPS mode verification
+You have two options:
+1) cat /proc/sys/crypto/fips_enabled
+2) sysctl crypto.fips_enabled
+
+NOTE: 1 indicates enabled, while 0 indicates disabled.
+
+
+2. Enable FIPS mode in user space (default yes)
+File /etc/system-fips to determine if a FIPS module is installed and
+FIPS mode is enabled
+
+1) openssh:
+- sshd
+2019-09-22T12:20:04.631097+00:00 qemux86-64 sshd[437]: FIPS mode initialized
+
+- ssh
+# ssh root@localhost
+FIPS mode initialized
+
+- ssh-keygen
+# ssh-keygen -A
+ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 12/15] rng-tools: fix rngd failed in fips mode

2019-09-22 Thread Hongxu Jia
The FIPS test is something done on government or more secure organizations
for extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: 
enabled)
   Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
  Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, 
status=0/SUCCESS)
 Main PID: 317 (code=exited, status=0/SUCCESS)

Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy 
source
...

From rngd manual, add `-i' to default
...
-i, --ignorefail
  Ignore repeated fips failures
...

After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: 
enabled)
   Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
 Main PID: 121 (rngd)
Tasks: 2
   Memory: 1.8M
   CGroup: /system.slice/rngd.service
   /usr/sbin/rngd -f -r /dev/hwrng -i

Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not 
permitted
...

Refer:
https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html

Signed-off-by: Hongxu Jia 
---
 recipes-support/rng-tools/rng-tools/default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-support/rng-tools/rng-tools/default 
b/recipes-support/rng-tools/rng-tools/default
index b9f8e03..1ae6b33 100644
--- a/recipes-support/rng-tools/rng-tools/default
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -1 +1 @@
-EXTRA_ARGS="-r /dev/hwrng"
+EXTRA_ARGS="-r /dev/hwrng -i"
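Review bot: adding -i to EXTRA_ARGS hides the symptom instead of fixing it. Per the manual excerpt quoted in the message, -i makes rngd ignore repeated fips failures, so the daemon keeps using a source whose output is failing its own checks, and the "after" log still shows RNDADDENTROPY failed: Operation not permitted, so there is no evidence that rngd is contributing any entropy once it stays up. The message should explain why the kernel refuses RNDADDENTROPY in this configuration and why running with failures ignored is acceptable on a FIPS image; if neither can be shown, leaving the unit to stop is the more honest behaviour.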
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 9/15] openssh: port sshd_check_keys from oe-core

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh/sshd_check_keys| 78 ++
 1 file changed, 78 insertions(+)
 create mode 100644 recipes-connectivity/openssh/openssh/sshd_check_keys

diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys 
b/recipes-connectivity/openssh/openssh/sshd_check_keys
new file mode 100644
index 000..1931dc7
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -0,0 +1,78 @@
+#! /bin/sh
+
+generate_key() {
+local FILE=$1
+local TYPE=$2
+local DIR="$(dirname "$FILE")"
+
+mkdir -p "$DIR"
+ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+# Atomically rename file public key
+mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+# This sync does double duty: Ensuring that the data in the temporary
+# private key file is on disk before the rename, and ensuring that the
+# public key rename is completed before the private key rename, since we
+# switch on the existence of the private key to trigger key generation.
+# This does mean it is possible for the public key to exist, but be garbage
+# but this is OK because in that case the private key won't exist and the
+# keys will be regenerated.
+#
+# In the event that sync understands arguments that limit what it tries to
+# fsync(), we provided them. If it does not, it will simply call sync()
+# which is just as well
+sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+mv "${FILE}.tmp" "$FILE"
+
+# sync to ensure the atomic rename is committed
+sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+. /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+case "$1" in
+-f*) if [ "$1" = "-f" ] ; then
+sshd_config="$2"
+shift
+else
+sshd_config="${1#-f}"
+fi
+shift
+;;
+--) shift; break;;
+*) shift;;
+esac
+done
+
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key 
$SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+
+for key in ${HOST_KEYS} ; do
+[ -f $key ] && continue
+case $key in
+*_rsa_key)
+echo "  generating ssh RSA host key..."
+generate_key $key rsa
+;;
+*_ecdsa_key)
+echo "  generating ssh ECDSA host key..."
+generate_key $key ecdsa
+;;
+*_ed25519_key)
+echo "  generating ssh ED25519 host key..."
+generate_key $key ed25519
+;;
+esac
+done
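Review bot: the commit message is empty, so there is no record of which oe-core revision this copy of sshd_check_keys was taken from; name the commit so later syncs can be diffed. In the script itself, $key, $TYPE and $SYSCONFDIR are expanded unquoted in mkdir -p $SYSCONFDIR, [ -f $key ] and generate_key $key, which breaks on a HostKey path containing whitespace. The final case has no default branch, so a HostKey entry that matches none of the three patterns is skipped without any message and sshd is left to fail later on the missing file.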
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 11/15] rng-tools append: port default from oe-core

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 recipes-support/rng-tools/rng-tools/default  | 1 +
 recipes-support/rng-tools/rng-tools_6.%.bbappend | 4 
 recipes-support/rng-tools/rng-tools_fips.inc | 2 ++
 3 files changed, 7 insertions(+)
 create mode 100644 recipes-support/rng-tools/rng-tools/default
 create mode 100644 recipes-support/rng-tools/rng-tools_6.%.bbappend
 create mode 100644 recipes-support/rng-tools/rng-tools_fips.inc

diff --git a/recipes-support/rng-tools/rng-tools/default 
b/recipes-support/rng-tools/rng-tools/default
new file mode 100644
index 000..b9f8e03
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -0,0 +1 @@
+EXTRA_ARGS="-r /dev/hwrng"
diff --git a/recipes-support/rng-tools/rng-tools_6.%.bbappend 
b/recipes-support/rng-tools/rng-tools_6.%.bbappend
new file mode 100644
index 000..c487175
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_6.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' 
else 'rng-tools_fips.inc'}"
+
+require ${FIPSINC}
diff --git a/recipes-support/rng-tools/rng-tools_fips.inc 
b/recipes-support/rng-tools/rng-tools_fips.inc
new file mode 100644
index 000..d5f6435
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_fips.inc
@@ -0,0 +1,2 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/rng-tools:"
+
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 10/15] openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode

2019-09-22 Thread Hongxu Jia
Running sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]:   generating ssh ED25519 host key...
2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
...

If fips mode is enabled (existence of "/etc/system-fips"), don't generate ED25519
host keys in FIPS mode

Refer to Fedora:
https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/openssh/sshd_check_keys | 4 
 1 file changed, 4 insertions(+)

diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys 
b/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7..338531d 100644
--- a/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -71,6 +71,10 @@ for key in ${HOST_KEYS} ; do
 generate_key $key ecdsa
 ;;
 *_ed25519_key)
+FIPS=/etc/system-fips
+if [[ -r "$FIPS" ]]; then
+continue
+fi
 echo "  generating ssh ED25519 host key..."
 generate_key $key ed25519
 ;;
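
Review bot: The new test `if [[ -r "$FIPS" ]]` uses the bash-only `[[`, while the script as posted elsewhere in this series uses POSIX `[` (for example `[ -f $key ] && continue`), so the check breaks if the script is run by a shell without `[[`. Use `[ -e "$FIPS" ]`, which also matches the `access("/etc/system-fips", F_OK)` existence test in patch 8/15 instead of requiring the marker to be readable, and echo a line saying the ED25519 key was skipped because of FIPS mode so the missing key is explained in the log.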
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 6/15] kernel: enable fips mode

2019-09-22 Thread Hongxu Jia
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
by specifying fips=1 as kernel parameter. [1][2]

/proc/sys/crypto/fips_enabled, that is presumably used by the Red Hat
modified version of OpenSSL.[3]

[1] https://www.linux.org/docs/man8/fipscheck.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
[3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html

Signed-off-by: Hongxu Jia 
---
 classes/fips_kernel.bbclass| 4 
 conf/layer.conf| 4 
 recipes-kernel/linux/files/crypto_fips.cfg | 3 +++
 recipes-kernel/linux/files/crypto_fips.scc | 1 +
 4 files changed, 12 insertions(+)
 create mode 100644 classes/fips_kernel.bbclass
 create mode 100644 recipes-kernel/linux/files/crypto_fips.cfg
 create mode 100644 recipes-kernel/linux/files/crypto_fips.scc

diff --git a/classes/fips_kernel.bbclass b/classes/fips_kernel.bbclass
new file mode 100644
index 000..064088f
--- /dev/null
+++ b/classes/fips_kernel.bbclass
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := 
"${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:"
+SRC_URI_append = " \
+file://crypto_fips.scc \
+"
diff --git a/conf/layer.conf b/conf/layer.conf
index 27a872e..b64c036 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,3 +18,7 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
 meta-openssl-one-zero-two \
 wr-template \
 "
+
+LAYER_PATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"
+
+KERNEL_CLASSES_append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ' 
fips_kernel', '',d)}"
diff --git a/recipes-kernel/linux/files/crypto_fips.cfg 
b/recipes-kernel/linux/files/crypto_fips.cfg
new file mode 100644
index 000..cffdc02
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.cfg
@@ -0,0 +1,3 @@
+CONFIG_CRYPTO_FIPS=y
+CONFIG_MODULE_SIG=y
+# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
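
Review bot: Nothing in crypto_fips.cfg or the rest of this patch puts `fips=1` on the kernel command line, which the commit message names as the way the mode is entered, so a build with `OPENSSL_FIPS_ENABLED = "1"` gets a FIPS-capable kernel that still boots with the mode off. Either document in the README that the boot loader arguments must carry `fips=1`, or add it in the layer. A comment in the fragment saying why `CONFIG_MODULE_SIG=y` and the `CONFIG_CRYPTO_MANAGER_DISABLE_TESTS` line sit beside `CONFIG_CRYPTO_FIPS=y` would also help the next reader.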
diff --git a/recipes-kernel/linux/files/crypto_fips.scc 
b/recipes-kernel/linux/files/crypto_fips.scc
new file mode 100644
index 000..f64380a
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -0,0 +1 @@
+kconf non-hardware crypto_fips.cfg
-- 
2.7.4
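
The commit message above describes the kernel switch (`fips=1`, reported in /proc/sys/crypto/fips_enabled), and other patches in this series key userland off /etc/system-fips. The script below is an added example, not part of the patch or the layer, that reports whether the two switches agree; the function names, the state strings and the ROOT argument are hypothetical, and the test trees it is meant to be tried on are constructed.

```shell
#!/bin/sh
# Added example (not part of the patch series): report whether the kernel
# and userland FIPS switches named in the commit messages agree.
# fips_state ROOT   ROOT is a hypothetical argument: "/" for a live system,
#                   or the top of a constructed test tree.

# Echo 1 if the last fips=<n> token in the command line file $1 is
# non-zero, else 0. Treating the last occurrence as decisive is an
# assumption of this example.
cmdline_fips() {
    val=
    if [ -r "$1" ]; then
        val=$(tr ' \t' '\n\n' < "$1" | sed -n 's/^fips=//p' | tail -n 1)
    fi
    case $val in
        ''|0) echo 0 ;;
        *)    echo 1 ;;
    esac
}

# Echo one state word and return 0 when kernel and userland agree,
# 1 when they do not.
fips_state() {
    root=$1
    marker=0
    kernel=absent
    # Userland marker tested by the OpenSSH patches in this series.
    if [ -e "$root/etc/system-fips" ]; then
        marker=1
    fi
    # Only present when the kernel was built with CONFIG_CRYPTO_FIPS=y.
    if [ -r "$root/proc/sys/crypto/fips_enabled" ]; then
        kernel=$(tr -d ' \n' < "$root/proc/sys/crypto/fips_enabled")
    fi
    requested=$(cmdline_fips "$root/proc/cmdline")

    # fips=1 was passed but the kernel exposes no FIPS state at all.
    if [ "$requested" = 1 ] && [ "$kernel" = absent ]; then
        echo "kernel-no-fips-support"
        return 1
    fi
    case "$marker:$kernel" in
        1:1)          echo "enabled";       return 0 ;;
        0:0|0:absent) echo "disabled";      return 0 ;;
        1:*)          echo "userland-only"; return 1 ;;
        *)            echo "kernel-only";   return 1 ;;
    esac
}

# Run against the given root when called with an argument.
if [ "$#" -gt 0 ]; then
    fips_state "$1"
fi
```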



[yocto] [meta-openssl102-fips][PATCH 8/15] openssh: conditional enable fips mode

2019-09-22 Thread Hongxu Jia
Enable fips mode according to the existence of "/etc/system-fips"

Signed-off-by: Hongxu Jia 
---
 .../0001-conditional-enable-fips-mode.patch| 63 ++
 recipes-connectivity/openssh/openssh_fips.inc  |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch

diff --git 
a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch 
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
new file mode 100644
index 000..b47e184
--- /dev/null
+++ 
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -0,0 +1,63 @@
+From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 14:31:51 +0800
+Subject: [PATCH] conditional enable fips mode
+
+Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
+enable fips mode according to the existence of "/etc/system-fips"
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ xmalloc.c | 24 
+ 1 file changed, 24 insertions(+)
+
+diff --git a/xmalloc.c b/xmalloc.c
+index 5cc0310..0218ccd 100644
+--- a/xmalloc.c
 b/xmalloc.c
+@@ -23,12 +23,20 @@
+ #include 
+ #include 
+ 
++#include 
++#include 
++#include 
++
+ #include "xmalloc.h"
+ #include "log.h"
+ 
++void ssh_enable_fips_mode(void);
++
+ void
+ ssh_malloc_init(void)
+ {
++  ssh_enable_fips_mode();
++
+ #if defined(__OpenBSD__)
+   extern char *malloc_options;
+ 
+@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ 
+   return (i);
+ }
++
++void
++ssh_enable_fips_mode(void)
++{
++if (access("/etc/system-fips", F_OK) == 0) {
++if (!FIPS_mode_set(1)) {
++/* make sure the error stack is available for some hint as
++ * to why this operation failed
++ */
++ERR_load_crypto_strings();
++ERR_print_errors_fp(stdout);
++fatal("FIPS_mode_set(): failed to enter FIPS mode!\n");
++exit(1);
++}
++}
++}
+-- 
+2.7.4
+
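
Review bot: In `ssh_enable_fips_mode()`, `ERR_print_errors_fp(stdout)` writes the OpenSSL error stack to stdout, which for these programs can be the session's data stream rather than a diagnostic channel; send it to stderr or through the `log.h` functions that xmalloc.c already includes. The `exit(1)` after `fatal(...)` is dead code because `fatal()` does not return. Calling the function from `ssh_malloc_init()` reaches every program, but it hides a security-mode switch inside an allocator setup routine, so a comment at the call site or a dedicated init call would make it visible. The marker test uses `F_OK`, so any file at /etc/system-fips, even an empty one, turns FIPS mode on, which is worth stating in the README.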
diff --git a/recipes-connectivity/openssh/openssh_fips.inc 
b/recipes-connectivity/openssh/openssh_fips.inc
index df84c39..33a84c9 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -5,6 +5,7 @@ DEPENDS += " \
 "
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
+file://0001-conditional-enable-fips-mode.patch \
 "
 
 do_install_append() {
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 7/15] kernel: workaround alg self-tests failure in fips mode

2019-09-22 Thread Hongxu Jia
While the kernel enables fips mode, it starts the alg self-test, and there is
a kernel panic at ecdh-generic
...
[0.311313] alg: ecdh: test failed on vector 2, err=-14
[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...

Continue without Jitter RNG for fips to workaround alg self-tests failure,
after applying the fix:
...
[0.306633] DRBG: Continuing without Jitter RNG
[0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...

Refer: https://lore.kernel.org/patchwork/patch/568693/

Signed-off-by: Hongxu Jia 
---
 .../0001-fips-continuing-without-Jitter-RNG.patch  | 34 ++
 recipes-kernel/linux/files/crypto_fips.scc |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 
recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch

diff --git 
a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch 
b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
new file mode 100644
index 000..140d6a1
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
@@ -0,0 +1,34 @@
+From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 10:57:02 +0800
+Subject: [PATCH] fips: continuing without Jitter RNG
+
+Continue without Jitter RNG for fips to workaround alg self-tests failure
+...
+[0.311313] alg: ecdh: test failed on vector 2, err=-14
+[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic 
(ecdh) failed in fips mode!
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ crypto/drbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/drbg.c b/crypto/drbg.c
+index b6929eb..d677da5 100644
+--- a/crypto/drbg.c
 b/crypto/drbg.c
+@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg, 
struct drbg_string *pers,
+   if (IS_ERR(drbg->jent)) {
+   ret = PTR_ERR(drbg->jent);
+   drbg->jent = NULL;
+-  if (fips_enabled || ret != -ENOENT)
++  if (ret != -ENOENT)
+   goto free_everything;
+   pr_info("DRBG: Continuing without Jitter RNG\n");
+   }
+-- 
+2.7.4
+
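
Review bot: Dropping `fips_enabled ||` from the test in `drbg_instantiate()` changes every DRBG instantiation in FIPS mode, not only the early self-test named in the commit message: whenever the Jitter RNG lookup returns `-ENOENT`, the DRBG now carries on without that entropy source and only logs at `pr_info` level. If the root cause is ordering, as the cover letter suggests, check first whether building the Jitter RNG into the kernel makes the lookup succeed; if the workaround stays, keep the relaxation as narrow as possible and raise the message to a warning when `fips_enabled` is set so the degraded seeding is visible in the boot log.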
diff --git a/recipes-kernel/linux/files/crypto_fips.scc 
b/recipes-kernel/linux/files/crypto_fips.scc
index f64380a..85f8f44 100644
--- a/recipes-kernel/linux/files/crypto_fips.scc
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -1 +1,2 @@
 kconf non-hardware crypto_fips.cfg
+patch 0001-fips-continuing-without-Jitter-RNG.patch
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 3/15] fipscheck: add generation of the checksums in pkg_postinst

2019-09-22 Thread Hongxu Jia
Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/fipscheck_1.5.0.bb | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb 
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
index 68051d2..0a06bd3 100644
--- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -27,4 +27,22 @@ EXTRA_OECONF += " \
 EXTRA_OEMAKE += " \
 -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
 "
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
 
+inherit qemu
+
+pkg_postinst_${PN} () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/fipscheck 
$D${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac 
$D${libdir}/fipscheck/libfipscheck.so.1.hmac
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/fipscheck \
+${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac 
${libdir}/fipscheck/libfipscheck.so.1.hmac
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
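
Review bot: In `pkg_postinst_${PN}`, `ln -s libfipscheck.so.1.2.1.hmac ...` fails when the link already exists, so a reinstall or upgrade that reruns the postinst ends with an error; use `ln -sf`. The library name `libfipscheck.so.1.2.1` is hardcoded in four places and will go stale on the next version bump, so derive it once in a recipe variable. In the `else` branch the HMAC is computed on the target from whatever file is on disk when the postinst runs, so the checksum only attests the state at that moment; say in the commit message whether that is the intended integrity baseline.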
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 5/15] openssh: add generation of HMAC checksums in pkg_postinst

2019-09-22 Thread Hongxu Jia
Refer 
https://src.fedoraproject.org/rpms/openssh/c/d93958db19129e0f4615865eab22fb36e1f4fb8a

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/openssh_fips.inc | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/recipes-connectivity/openssh/openssh_fips.inc 
b/recipes-connectivity/openssh/openssh_fips.inc
index 99a3482..df84c39 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,3 +6,29 @@ DEPENDS += " \
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
 "
+
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
+
+inherit qemu
+
+pkg_postinst_append_${PN}-ssh () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/ssh.${BPN}
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/ssh.${BPN}
+fi
+}
+
+pkg_postinst_append_${PN}-sshd () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${sbindir}/sshd
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${sbindir}/sshd
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
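
Review bot: `install -d ${D}${libdir}/fipscheck` and `FILES_${PN} += "${libdir}/fipscheck"` put the HMAC directory in the main `${PN}` package, while the postinsts that write into it belong to `${PN}-ssh` and `${PN}-sshd`, and the fipscheck recipe in patch 3/15 creates and packages the same directory. Pick one owner for the directory and give the two subpackages an explicit `RDEPENDS` on fipscheck, so that both the directory and `${bindir}/fipshmac` (needed by the `else` branch on the target) are guaranteed to be present when either postinst runs.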
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 4/15] fipscheck: enable fipscheck on target

2019-09-22 Thread Hongxu Jia
Refer Fedora/RedHat's way
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/fipscheck_1.5.0.bb | 4 
 1 file changed, 4 insertions(+)

diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb 
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
index 0a06bd3..23a4123 100644
--- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -28,6 +28,10 @@ EXTRA_OEMAKE += " \
 -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
 "
 do_install_append() {
+# Is't the fedora way to enable fipscheck
+install -d ${D}${sysconfdir}
+touch ${D}${sysconfdir}/system-fips
+
 install -d ${D}${libdir}/fipscheck
 }
 
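
Review bot: Creating `${sysconfdir}/system-fips` in fipscheck's `do_install_append()` means that merely having the fipscheck package in an image switches the system-wide marker on, and patches 8/15 and 10/15 key OpenSSH's `FIPS_mode_set(1)` call and the ED25519 host key skip off that file. Ship the marker from a separate small package or an image feature so that pulling in the library as a dependency does not change the security mode, and fix the comment typo ("Is't" should read "It's").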
-- 
2.7.4



[yocto] Review request 0/15: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH

2019-09-22 Thread Hongxu Jia
Hi Mark,

I apply a kernel patch to workaround alg self-tests failure, which
the test is too early and Jitter RNG is not ready at that time.
The latter alg: self-tests for jitterentropy_rng is passed, so
I think the `Continuing without Jitter RNG' workaround is OK

== Testing ==
* Commands
See README.build  README.enable_fips  README.openssh_cavstest

* Expected Results
README.build  README.enable_fips  README.openssh_cavstest 


[yocto] [meta-openssl102-fips][PATCH 2/15] openssh_8.%.bbappend: support fips 140-2

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh/0001-openssh-8.0p1-fips.patch  | 528 +
 recipes-connectivity/openssh/openssh_8.%.bbappend  |   4 +
 recipes-connectivity/openssh/openssh_fips.inc  |   8 +
 3 files changed, 540 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
 create mode 100644 recipes-connectivity/openssh/openssh_8.%.bbappend
 create mode 100644 recipes-connectivity/openssh/openssh_fips.inc

diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch 
b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
new file mode 100644
index 000..fd0a411
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
@@ -0,0 +1,528 @@
+From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Fri, 20 Sep 2019 17:59:00 +0800
+Subject: [PATCH] openssh 8.0p1 fips
+
+Port openssh-7.7p1-fips.patch from Fedora
+https://src.fedoraproject.org/rpms/openssh.git
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ Makefile.in  | 14 +++---
+ cipher-ctr.c |  3 ++-
+ clientloop.c |  3 ++-
+ dh.c | 40 
+ dh.h |  1 +
+ kex.c|  5 -
+ kexgexc.c|  5 +
+ myproposal.h | 40 
+ readconf.c   | 17 +
+ sandbox-seccomp-filter.c |  3 +++
+ servconf.c   | 19 ++-
+ ssh-keygen.c |  6 ++
+ ssh.c| 16 
+ sshconnect2.c| 11 ---
+ sshd.c   | 19 +++
+ sshkey.c |  4 
+ 16 files changed, 176 insertions(+), 30 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 6f001bb..ddd1804 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS)
+   $(RANLIB) $@
+ 
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+-  $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) 
$(LIBS) $(GSSLIBS)
++  $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(SSHLIBS) $(LIBS) $(GSSLIBS)
+ 
+ sshd$(EXEEXT): libssh.a   $(LIBCOMPAT) $(SSHDOBJS)
+-  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS)
++  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+   $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat 
$(LIBS)
+ 
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+-  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(LIBS)
+ 
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
+-  $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+-  $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(LIBS)
+ 
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o 
uidswap.o compat.o
+-  $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o 
ssh-pkcs11.o
+   $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ 
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+-  $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
++  $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
+ 
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o 
sftp-server.o sftp-server-main.o
+   $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) 
-lssh -lopenbsd-compat $(LIBS)
+diff --git a/cipher-ctr.c b/cipher-ctr.c
+index 32771f2..74fac3b 100644
+--- a/cipher-ctr.c
 b/cipher-ctr.c
+@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
+   aes_ctr.do_cipher = ssh_aes_ctr;
+ #ifndef SSH_OLD_EVP
+   aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+-  EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
++  EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
++  EVP_CIPH_FLAG_FIPS;
+ #endif
+   return (_ctr);
+ }
+diff --git a/clientloop.c b/clientloop.c
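
Review bot: In the cipher-ctr.c hunk, adding `EVP_CIPH_FLAG_FIPS` to `aes_ctr.flags` marks OpenSSH's own `ssh_aes_ctr` implementation as permitted in FIPS mode, and that flag is what the library consults to decide whether a cipher may run in that mode; please confirm that this code path is either not built against openssl 1.0.2 or is acceptable outside the validated module. In the Makefile.in hunk, `-lfipscheck` is added to ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan but not to scp, ssh-pkcs11-helper or sftp-server; say in the commit message whether that split is intended. A 528-line port with an empty commit body also deserves a short summary of what differs from Fedora's openssh-7.7p1-fips.patch.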

[yocto] [meta-openssl102-fips][PATCH 1/15] fipscheck: add 1.5.0

2019-09-22 Thread Hongxu Jia
Port it from fedora:
https://src.fedoraproject.org/rpms/fipscheck

It is required by openssh fips.

Signed-off-by: Hongxu Jia 
---
 .../0001-compat-fip-with-openssl-1.0.2.patch   | 34 ++
 recipes-connectivity/openssh/fipscheck_1.5.0.bb| 30 +++
 templates/feature/openssl-fips/template.conf   |  2 +-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 
recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
 create mode 100644 recipes-connectivity/openssh/fipscheck_1.5.0.bb

diff --git 
a/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
 
b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
new file mode 100644
index 000..22e5a62
--- /dev/null
+++ 
b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
@@ -0,0 +1,34 @@
+From 3147ae2a63f10f9bbdd0a617b450ff8b9868e60f Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Fri, 20 Sep 2019 17:51:09 +0800
+Subject: [PATCH] compat fip with openssl 1.0.2
+
+In /usr/lib64/ssl/fips-2.0/include/openssl/opensslv.h
+...
+define OPENSSL_VERSION_NUMBER  0x1010L
+...
+Since fips include file compat with openssl 1.1.0, do not include it
+in Yocto
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ src/filehmac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index a8eef00..0b36cec 100644
+--- a/src/filehmac.c
 b/src/filehmac.c
+@@ -41,7 +41,6 @@
+ #include 
+ 
+ #if defined(WITH_OPENSSL)
+-#include 
+ #include 
+ #include 
+ #elif defined(WITH_NSS)
+-- 
+2.7.4
+
diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb 
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
new file mode 100644
index 000..68051d2
--- /dev/null
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -0,0 +1,30 @@
+SUMMARY = "A library for integrity verification of FIPS validated modules"
+DESCRIPTION = "FIPSCheck is a library for integrity verification of FIPS 
validated \
+modules. The package also provides helper binaries for creation and \
+verification of the HMAC-SHA256 checksum files."
+HOMEPAGE = "https://pagure.io/fipscheck;
+SECTION = "libs/network"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=35f2904ce138ac5fa63e7cedf96bbedf"
+
+SRC_URI = "https://releases.pagure.org/fipscheck/${BPN}-${PV}.tar.bz2 \
+   file://0001-compat-fip-with-openssl-1.0.2.patch \
+"
+SRC_URI[md5sum] = "86e756a7d2aa15f3f91033fb3eced99b"
+SRC_URI[sha256sum] = 
"7ba38100ced187f44b12dd52c8c74db8f366a2a8b9da819bd3e7c6ea17f469d5"
+
+DEPENDS = " \
+openssl \
+openssl-fips \
+"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF += " \
+--disable-static \
+"
+EXTRA_OEMAKE += " \
+-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
+"
+
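
Review bot: `EXTRA_OEMAKE += "-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include"` hands `-I` to make itself, where it sets the search path for included makefiles rather than the C header path, and it points a target build at the native sysroot. If the FIPS headers are needed at compile time, pass the directory through `CPPFLAGS` or `CFLAGS` using the target staging path. As shown, `HOMEPAGE = "https://pagure.io/fipscheck;` also lacks its closing quote.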
diff --git a/templates/feature/openssl-fips/template.conf 
b/templates/feature/openssl-fips/template.conf
index 6da678c..9a551c3 100644
--- a/templates/feature/openssl-fips/template.conf
+++ b/templates/feature/openssl-fips/template.conf
@@ -8,4 +8,4 @@ OPENSSL_FIPS_PREBUILT ??= ""
 
 PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips'
 PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips-example'
-
+PNWHITELIST_meta-openssl-one-zero-two-fips += 'fipscheck'
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH] README.build: add steps to include openssl102

2019-09-17 Thread Hongxu Jia
The openssl fips only works with old openssl(<=1.0.2),
update steps to clarify it for Yocto and Wind River Linux

Signed-off-by: Hongxu Jia 
---
 README.build | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.build b/README.build
index bc8fcf3..3da03da 100644
--- a/README.build
+++ b/README.build
@@ -40,13 +40,15 @@ The easiest way to do this with Yocto is include this layer 
[1]
 and meta-openssl102 [2], and install packagegroup-core-buildessential
 to image [3]
 
-[1] git://git.yoctoproject.org/meta-openssl102
-[2] git://git.yoctoproject.org/meta-openssl102-fips
+[1] git://git.yoctoproject.org/meta-openssl102-fips
+[2] git://git.yoctoproject.org/meta-openssl102
+Manually set 1.0.2% to openssl preferred version
+echo "PREFERRED_VERSION_openssl = '1.0.2%'" >> conf/local.conf
 [3] echo "IMAGE_INSTALL += 'packagegroup-core-buildessential'" >> 
conf/local.conf
 
 The easiest way to do this with Wind River Linux is include:
 
---templates features/target-toolchain --layers meta-openssl102-fips
+--templates features/target-toolchain --templates feature/openssl102 
--layers meta-openssl102-fips
 
 Note: do not include template feature/openssl-fips
 
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 2/2] README.build: add FAQ to support fips on arm/aarch64/x86

2019-09-16 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 README.build | 36 
 1 file changed, 36 insertions(+)

diff --git a/README.build b/README.build
index 9735028..bc8fcf3 100644
--- a/README.build
+++ b/README.build
@@ -245,3 +245,39 @@ Note this sample command is functionally equivalent to:
 $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm fips_hmac.c
 HMAC-SHA1(fips_hmac.c)= ae25ad68d9a8cc04075100563a437fa37829afcc
 
+===
+FAQ
+===
+1. How to support fips on 32bit arm (such as MACHINE = qemuarm)?
+Set env MACHINE='arm' before Building the FIPS Object Module
+(Building Steps 3), which affects fips config not to add option
+`-march=armv7-a' to avoid failure on gcc8:
+[snip]
+|`cc1: error: -mfloat-abi=hard: selected processor lacks an FPU'
+[snip]
+
+2. How to support fips on aarch64 (such as MACHINE = qemuarm64)?
+For aarch64, FIPS 140-2 module only support android, wrapper gcc
+at Building the FIPS Object Module(Building Steps 3) to define
+macro FIPS_REF_POINT_IS_CROSS_COMPILER_AWARE to simulate what
+android did. Provide a way to add bbappend to wrapper gcc:
+mkdir -p recipes-devtools/gcc
+cat << ENDOF > recipes-devtools/gcc/gcc_9.%.bbappend
+do_install_append_aarch64() {
+create_cmdline_wrapper \${D}/\${bindir}/gcc 
-DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE
+}
+
+FILES_\${PN}-symlinks += "\${bindir}/gcc.real"
+ENDOF
+
+3. How to support fips on 32bit x86? (Such as MACHINE = qemux86,
+or lib32-image on qemux86-64)
+Set env MACHINE='i686' before Building the FIPS Object Module
+(Building Steps 3) which affect fips config not to add option
+`-m 64' on lib32-image which workaround the following failure
+[snip]
+|/usr/include/bits/long-double.h:44:10: fatal error:
+bits/long-double-64.h: No such file or directory
+|   44 | #include 
+[snip]
+
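
Review bot: FAQ 2 wraps the target `gcc` so that `-DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE` is added to every compile, not only to the FIPS Object Module build, and it changes how the module is built compared with the Building Steps this README bases on the User Guide. State whether a module built this way is still considered a validated build or is for functional testing only, and tell the reader to remove the wrapper afterwards. FAQ 1 and 3 should also say that `MACHINE` here is the environment variable seen by the fips config step on the target, since the same name means something else in a Yocto build.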
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 1/2] README.build: update steps for community

2019-09-16 Thread Hongxu Jia
Since the layer is now published via the Yocto Project and
git.yoctoproject.org, we should update steps in README.build

Signed-off-by: Hongxu Jia 
---
 README.build | 21 -
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/README.build b/README.build
index df3f4e4..9735028 100644
--- a/README.build
+++ b/README.build
@@ -36,6 +36,14 @@ In order to build a precompiled version of the binary, you 
must first
 construct a target system that includes a target development environment
 and meta-openssl102-fips layer without feature/openssl-fips
 
+The easiest way to do this with Yocto is include this layer [1]
+and meta-openssl102 [2], and install packagegroup-core-buildessential
+to image [3]
+
+[1] git://git.yoctoproject.org/meta-openssl102
+[2] git://git.yoctoproject.org/meta-openssl102-fips
+[3] echo "IMAGE_INSTALL += 'packagegroup-core-buildessential'" >> 
conf/local.conf
+
 The easiest way to do this with Wind River Linux is include:
 
 --templates features/target-toolchain --layers meta-openssl102-fips
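
Review bot: The added sentence calls this layer [1] and meta-openssl102 [2], but the reference list has them the other way round: [1] points at meta-openssl102 and [2] at meta-openssl102-fips. Swap the two URLs so the markers match the prose.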
@@ -112,13 +120,16 @@ Building Steps (based on section 4 of the 
UsersGuide-2.0.pdf):
 Move the tar archive back to your host project into a directory accessable
 by the build system.
 
-5.  Configure the build system to include the template feature/openssl-fips
-and locate your custom prebuilt tar archive:
-In your build directory, edit conf/local.conf, add:
+5.  Configure the build system to enable openssl-fips and locate your custom
+prebuilt tar archive.
 
-WRTEMPLATE += "feature/openssl-fips"
+For Yocto, in your build directory, edit conf/local.conf, add:
+  OPENSSL_FIPS_ENABLED = "1"
+  OPENSSL_FIPS_PREBUILT = ""
 
-OPENSSL_FIPS_PREBUILT = ""
+For Wind River Linux, in your build directory, edit conf/local.conf, add:
+  WRTEMPLATE += "feature/openssl-fips"
+  OPENSSL_FIPS_PREBUILT = ""
 
 Where path is the location on the host with the prebuilt openssl-fips.
 
-- 
2.7.4



Re: [yocto] [PATCH 1/3] intel-media-driver: check for "opengl" feature

2019-07-29 Thread Hongxu Jia

On 7/29/19 9:12 AM, Mittal, Anuj wrote:

Hi Hongxu

I have merged these changes but could you send these to meta-intel list
in future please?


OK, I got it

//Hongxu


On Wed, 2019-07-24 at 18:11 +0800, Hongxu Jia wrote:

Since commit [a78c420 libva: check for "opengl" feature] applied in
oe-core,
and intel-media-driver depends on libva, it should check for "opengl"
feature too.

Signed-off-by: Hongxu Jia 
---
  recipes-multimedia/libva/intel-media-driver_19.2.0.bb | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/recipes-multimedia/libva/intel-media-driver_19.2.0.bb
b/recipes-multimedia/libva/intel-media-driver_19.2.0.bb
index 8656992..8084567 100644
--- a/recipes-multimedia/libva/intel-media-driver_19.2.0.bb
+++ b/recipes-multimedia/libva/intel-media-driver_19.2.0.bb
@@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "
file://LICENSE.md;md5=6aab5363823095ce682b155fef0231f0 \
  # Only for 64 bit until this is resolved:
https://github.com/intel/media-driver/issues/356
  COMPATIBLE_HOST = '(x86_64).*-linux'
  
+inherit distro_features_check

+REQUIRED_DISTRO_FEATURES = "opengl"
+
  DEPENDS += "libva gmmlib"
  
  SRC_URI = "git://github.com/intel/media-

driver.git;protocol=https;branch=intel-media-19.2 \





[yocto] [PATCH V2 3/3] intel-graphics-compiler: skip it if clang is not ready

2019-07-25 Thread Hongxu Jia
Since intel-graphics-compiler depends on clang, skip it if clang is not ready

Issue: LIN1019-1846
(LOCAL REV: NOT UPSTREAM) -- Sent to Yocto on 20190724

Signed-off-by: Hongxu Jia 
---
 recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb | 8 
 1 file changed, 8 insertions(+)

diff --git a/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb 
b/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb
index f64b97f..2c33b12 100644
--- a/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb
+++ b/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb
@@ -25,3 +25,11 @@ DEPENDS_class-target = " flex-native bison-native clang 
clang-cross-x86_64"
 
 EXTRA_OECMAKE = "-DIGC_PREFERRED_LLVM_VERSION=8.0.0 
-DPYTHON_EXECUTABLE=${HOSTTOOLS_DIR}/python2"
 EXTRA_OECMAKE += "-DCOMMON_CLANG_LIBRARY_NAME=common_clang"
+
+python __anonymous() {
+toolchain = d.getVar('TOOLCHAIN')
+if toolchain != "clang" or 'clang-layer' not in 
d.getVar('BBFILE_COLLECTIONS').split():
+msg = "Add 'TOOLCHAIN = \"clang\"' in local.conf\n"
+msg += "And meta-clang should be present"
+raise bb.parse.SkipRecipe(msg)
+}
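
Review bot: The anonymous function raises `SkipRecipe` unconditionally, while the clang dependency shown in the context is scoped with `DEPENDS_class-target`; if the recipe is also built in another class, that variant is skipped too. Limit the check to the target class or say why all variants need it. The commit message still carries the internal `Issue:` and `(LOCAL REV: NOT UPSTREAM)` tags, which should be dropped from a public submission.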
-- 
2.7.4



[yocto] [PATCH 1/3] intel-media-driver: check for "opengl" feature

2019-07-24 Thread Hongxu Jia
Since commit [a78c420 libva: check for "opengl" feature] applied in oe-core,
and intel-media-driver depends on libva, it should check for "opengl"
feature too.

Signed-off-by: Hongxu Jia 
---
 recipes-multimedia/libva/intel-media-driver_19.2.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-multimedia/libva/intel-media-driver_19.2.0.bb 
b/recipes-multimedia/libva/intel-media-driver_19.2.0.bb
index 8656992..8084567 100644
--- a/recipes-multimedia/libva/intel-media-driver_19.2.0.bb
+++ b/recipes-multimedia/libva/intel-media-driver_19.2.0.bb
@@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = 
"file://LICENSE.md;md5=6aab5363823095ce682b155fef0231f0 \
 # Only for 64 bit until this is resolved: 
https://github.com/intel/media-driver/issues/356
 COMPATIBLE_HOST = '(x86_64).*-linux'
 
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "opengl"
+
 DEPENDS += "libva gmmlib"
 
 SRC_URI = 
"git://github.com/intel/media-driver.git;protocol=https;branch=intel-media-19.2 
\
-- 
2.7.4



[yocto] [meta-intel][PATCH 3/3] intel-graphics-compiler: skip it if clang is not ready

2019-07-24 Thread Hongxu Jia
Since intel-graphics-compiler depends on clang, skip it if clang is not ready

Signed-off-by: Hongxu Jia 
---
 recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb | 8 
 1 file changed, 8 insertions(+)

diff --git a/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb 
b/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb
index f64b97f..2bce574 100644
--- a/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb
+++ b/recipes-opencl/igc/intel-graphics-compiler_1.0.6.bb
@@ -25,3 +25,11 @@ DEPENDS_class-target = " flex-native bison-native clang 
clang-cross-x86_64"
 
 EXTRA_OECMAKE = "-DIGC_PREFERRED_LLVM_VERSION=8.0.0 
-DPYTHON_EXECUTABLE=${HOSTTOOLS_DIR}/python2"
 EXTRA_OECMAKE += "-DCOMMON_CLANG_LIBRARY_NAME=common_clang"
+
+python __anonymous() {
+toolchain = d.getVar('TOOLCHAIN')
+if toolchain != "clang" or 'clang-layer' not in 
d.getVar('BBFILE_COLLECTIONS').split():
+msg = "Set 'TOOLCHAIN = \"clang\"' to local.conf\n"
+msg += "And require meta-clang to be present"
+raise bb.parse.SkipRecipe(msg)
+}
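
Review bot: in the added `__anonymous()` function, `d.getVar('BBFILE_COLLECTIONS').split()` raises AttributeError if the variable is unset, because `getVar` then returns None; `(d.getVar('BBFILE_COLLECTIONS') or "").split()` avoids that. The two conditions joined by `or` also share one message, so a user who already has meta-clang but a different TOOLCHAIN is told to do both things; reporting which condition failed would make the skip reason clearer.
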
-- 
2.7.4



[yocto] [meta-intel][PATCH 2/3] intel-mediasdk: check for "opengl" feature

2019-07-24 Thread Hongxu Jia
Since commit [a78c420 libva: check for "opengl" feature] applied in oe-core,
and intel-mediasdk depends on libva, it should check for "opengl"
feature too.

Signed-off-by: Hongxu Jia 
---
 recipes-multimedia/mediasdk/intel-mediasdk_19.2.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-multimedia/mediasdk/intel-mediasdk_19.2.0.bb 
b/recipes-multimedia/mediasdk/intel-mediasdk_19.2.0.bb
index 1e2c70f..ffbd915 100644
--- a/recipes-multimedia/mediasdk/intel-mediasdk_19.2.0.bb
+++ b/recipes-multimedia/mediasdk/intel-mediasdk_19.2.0.bb
@@ -11,6 +11,9 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=3cb331af679cd8f968bf799a9c55b46e"
 # Only for 64 bit until media-driver issues aren't fixed
 COMPATIBLE_HOST = '(x86_64).*-linux'
 
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "opengl"
+
 DEPENDS += "libdrm libva intel-media-driver"
 
 PACKAGECONFIG ??= "${@bb.utils.contains("DISTRO_FEATURES", "x11", "dri3", "", 
d)} \
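
Review bot: the `DEPENDS` context line under the addition lists both libva and intel-media-driver, and patch 1/3 gives intel-media-driver the same `REQUIRED_DISTRO_FEATURES`, so this recipe now picks up the requirement from two places. A short comment above the new lines naming libva as the origin would keep the recipes in step if the oe-core check changes.
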
-- 
2.7.4



[yocto] [meta-cgl][PATCH] resource-agents: improve reproducibility

2019-06-04 Thread Hongxu Jia
Script ocf-binaries contains build path
$ grep tmp-glibc -rn image/
|image/usr/lib64/ocf/lib/heartbeat/ocf-binaries:11:: ${EGREP:="/buildarea1/hjia/
wrlinux-1019/build_master-wr_qemux86-64_2019053109/build/tmp-glibc/hosttools/grep
 -E"}
|image/usr/lib64/ocf/lib/heartbeat/ocf-binaries:16:: ${TEST:=/buildarea1/hjia/
wrlinux-1019/build_master-wr_qemux86-64_2019053109/build/tmp-glibc/hosttools/test}

Set grep/test path rather than using hosttools which refers
commit in oe-core [f6e7a3b libtool: Don't hardcode grep paths]

Signed-off-by: Hongxu Jia 
---
 .../recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb | 5 +
 1 file changed, 5 insertions(+)

diff --git 
a/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb 
b/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb
index 8b2b8e1..ba00a80 100644
--- 
a/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb
+++ 
b/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb
@@ -44,6 +44,11 @@ RDEPENDS_${PN} += "bash perl lvm2 \
 
 inherit autotools systemd pkgconfig
 
+CACHED_CONFIGUREVARS += " \
+ac_cv_path_GREP=grep \
+ac_cv_path_TEST=test \
+"
+
 EXTRA_OECONF += "--disable-fatal-warnings \
  --with-rsctmpdir=/var/run/heartbeat/rsctmp"
 
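
Review bot: `ac_cv_path_GREP=grep` and `ac_cv_path_TEST=test` remove the build path, but the installed ocf-binaries will then resolve both tools through the caller's PATH at run time. Consider target absolute paths such as `${base_bindir}/grep`, and confirm that the package providing grep is in `RDEPENDS_${PN}`, whose visible part lists only bash, perl and lvm2. Re-running the `grep tmp-glibc -rn image/` check from the commit message after the change would show whether any other hosttools path remains.
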
-- 
2.7.4



[yocto] [meta-selinux][PATCH] setools: do not use unstable github archive tarballs

2019-05-27 Thread Hongxu Jia
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

Signed-off-by: Hongxu Jia 
---
 recipes-security/setools/setools_4.1.1.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb 
b/recipes-security/setools/setools_4.1.1.bb
index c5a2d34..8bdbfba 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -8,14 +8,14 @@ SETools."
 SECTION = "base"
 LICENSE = "GPLv2 & LGPLv2.1"
 
-SRC_URI = 
"https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz
 \
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;branch=4.1 \
file://setools4-fixes-for-cross-compiling.patch \
file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
 "
 
-SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd"
-SRC_URI[sha256sum] = 
"46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610"
+SRCREV = "e03617eb7ab5a035633bff66500b95d25232e331"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
 
file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
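
Review bot: the new `SRC_URI` uses `git://` with no `protocol=` parameter, so the fetch moves from an HTTPS archive URL to the unauthenticated git protocol. `SRCREV` pins the full commit hash, which covers content integrity, but appending `;protocol=https`, as the intel-media-driver recipe posted on this list does, keeps the transport on TLS and works where port 9418 is blocked.
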
-- 
2.7.4



[yocto] [meta-cgl][PATCH 2/2] pacemaker: do not use unstable github archive tarballs

2019-05-27 Thread Hongxu Jia
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

Signed-off-by: Hongxu Jia 
---
 meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb 
b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb
index 00893d1..a7c38df 100644
--- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb
+++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=19a64afd3a35d044a80579d7aafc30ff"
 
 DEPENDS = "corosync libxslt libxml2 gnutls resource-agents libqb python-native"
 
-SRC_URI = "https://github.com/ClusterLabs/${BPN}/archive/Pacemaker-${PV}.zip \
+SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=1.1 \
file://0001-pacemaker-fix-xml-config.patch \

file://0002-pacemaker-search-header-from-STAGING_INCDIR-to-walka.patch \
file://0003-pacemaker-fix-header-defs-lookup.patch \
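
Review bot: the removed URL named the `Pacemaker-${PV}` tag, while the replacement only names `branch=1.1`, so nothing in `SRC_URI` ties the fetch to the recipe version any more. A comment beside the `SRCREV` added in the next hunk, giving the upstream tag it was taken from, would make the next version bump checkable.
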
@@ -28,12 +28,11 @@ SRC_URI = 
"https://github.com/ClusterLabs/${BPN}/archive/Pacemaker-${PV}.zip \
 
 SRC_URI_append_libc-musl = 
"file://0001-pacemaker-fix-compile-error-of-musl-libc.patch"
 
-SRC_URI[md5sum] = "deb7017c5a9d3f39895d9ea2c34bc8eb"
-SRC_URI[sha256sum] = 
"6e222046487c2dc6ae61d49089ecbf6a0bcb495e8cdcb76d115fd987d0df8f7f"
+SRCREV = "c3c624ea3d98a74a8a287671a156db126c99a7bb"
 
 inherit autotools-brokensep pkgconfig systemd python-dir useradd
 
-S="${WORKDIR}/pacemaker-Pacemaker-${PV}"
+S = "${WORKDIR}/git"
 
 CLEANBROKEN = "1"
 
-- 
2.7.4



[yocto] [meta-cgl][PATCH 1/2] crmsh: do not use unstable github archive tarballs

2019-05-27 Thread Hongxu Jia
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

Signed-off-by: Hongxu Jia 
---
 meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb 
b/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb
index b28a826..7563c99 100644
--- a/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb
+++ b/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb
@@ -13,12 +13,12 @@ DEPENDS = "asciidoc-native \
"
 RDEPENDS_${PN} = "pacemaker python-lxml gawk"
 
-SRC_URI = 
"https://github.com/ClusterLabs/crmsh/archive/${PV}.tar.gz;downloadfilename=${BP}.tar.gz
 \
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=crmsh-3.0 \
file://tweaks_for_build.patch \
   "
 
-SRC_URI[md5sum] = "563b463155a652820c8d1319418e88b7"
-SRC_URI[sha256sum] = 
"364fadb0d0c9619676e10bb75f4ea833a49019aa77ddb26229bc9d1c435585c0"
+SRCREV = "41845ca5511b844593cf25ae4eb7f307aa78c5be"
 
 inherit autotools-brokensep distutils-base
 
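
Review bot: dropping the `downloadfilename=${BP}.tar.gz` archive in favour of a git fetch changes what has to be present in the download directory, and the commit message does not mention it. Sites that build from a source mirror without network access will need a mirror tarball of the git repository (for example via `BB_GENERATE_MIRROR_TARBALLS`); a line in the commit message would warn them.
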
-- 
2.7.4



[linux-yocto] [linux_yocto_v5.0/standard/preempt-rt/base][PATCH] genirq: Prevent use-after-free and work list corruption on rt

2019-05-18 Thread Hongxu Jia
Since commit [70a44a0 genirq: Prevent use-after-free and work list
corruption] applied, the patch makes it work on rt

Signed-off-by: Hongxu Jia 
---
 kernel/irq/manage.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index f72bd3a..143f87b 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -385,7 +385,11 @@ irq_set_affinity_notifier(unsigned int irq, struct 
irq_affinity_notify *notify)
raw_spin_unlock_irqrestore(>lock, flags);
 
if (old_notify) {
+#ifdef CONFIG_PREEMPT_RT_BASE
+   kthread_cancel_work_sync(_notify->work);
+#else
cancel_work_sync(_notify->work);
+#endif
kref_put(_notify->kref, old_notify->release);
}
 
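
Review bot: the `#ifdef CONFIG_PREEMPT_RT_BASE` block sits inside the body of `irq_set_affinity_notifier()`; kernel coding style prefers keeping conditionals out of function bodies, for example by wrapping the two cancel calls in a small static inline helper defined once per configuration. The commit message should also say that the `work` member of the notifier is a kthread work item on rt, since that is what makes `kthread_cancel_work_sync()` the right call and it is not visible in this hunk.
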
-- 
2.8.1

-- 
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto


Re: [yocto] Review request 0/13: Contribute meta-tensorflow to Yocto

2019-02-23 Thread Hongxu Jia

On 2019/2/24 1:04 AM, Khem Raj wrote:

On Sat, Feb 23, 2019 at 7:29 AM Richard Purdie
 wrote:

On Fri, 2019-02-22 at 20:49 +, Manjukumar Harthikote Matha wrote:

You might be interested in the yocto layers for tensorflow,
tensorflow-lite and
caffe2 on github here [1]. I'm not part of the team that developed
that work but I
forwarded your announcement to them. Perhaps there is the
opportunity for some
collaboration on the platform independent parts. The maintainer
details are in the
readme.


Thanks for the layer Hongxu. I agree with Steve, it would be good if
you could collaborate with meta-renesas-ai and introduce the layer as
meta-ai under meta-openembedded.

Please don't do the meta-openembedded part!


I would agree to not make it a sub layer under meta-openembedded, but it can
be hosted on openembedded git infrastructure, I don't see much problem with that
if that's the case


I believe that meta-oe is too large to be maintainable and that we need
a larger number of smaller layers.


There is a fine balance to be had, that I have come to realize over years now
but AI is large enough and segmented enough to have a layer of its own.


Having tensorflow in its own layer which has a specific purpose and its
specific maintainers who understand it is in my view much more
desirable and sustainable.

I think it's a good idea to have various AI infras in one layer
including tensorflow
unless we have large enough dev community to maintain each of them so I like
meta-ai conceptually.


I know to create a standalone meta-ai than meta-tensorflow is more
reasonable, that's my initial layer naming, but

- It will dramatically increase the maintainer burden, so I limit the
  scope to the specific framework name. There are lots of TODO in
  tensorflow and I am afraid I do not have extra attention to other AI
  framework recently.

- Tensorflow is standalone enough, its build system is google's `bazel',
  like bitbake, it has special rules to build everything from scratch.
  (I've already sent other unbazel built recipes to meta-openembedded)

- Bazel is built by java, if we do not create sub layer in meta-ai (such
  as meta-ai/meta-tensorflow), the number of meta-ai layer deps will be
  more and more along with other AI frameworks are added. For other AI
  framework customer, depends unused layer is not a good idea.

- For future AI framework integration, if the framework is huge like
  TensorFlow (another well known is Facebook's PyTorch), we could create
  a standalone layer and appoint special maintainer to maintain it; if
  the framework is small and light, or fundamental algorithm packages
  used by multiple frameworks, we could create a meta-ai for collection,
  or directly add them to meta-openembedded. (For TensorFlow integration,
  I added 11 fundamental recipes to meta-openembedded)

//Hongxu



Cheers,

Richard





Re: [yocto] Review request 0/13: Contribute meta-tensorflow to Yocto

2019-02-23 Thread Hongxu Jia

On 2019/2/23 11:29 PM, Richard Purdie wrote:

Please don't do the meta-openembedded part!


OK, I can't agree more, for tensorflow, if we move it to
meta-openembedded/meta-ai, we have to move the depending layer
`meta-java' to meta-openembedded but it has been already as a standalone
layer, otherwise the meta-openembedded will depend outer layer.


//Hongxu


I believe that meta-oe is too large to be maintainable and that we need
a larger number of smaller layers.

Having tensorflow in its own layer which has a specific purpose and its
specific maintainers who understand it is in my view much more
desirable and sustainable.

Cheers,

Richard





Re: [yocto] Review request 0/13: Contribute meta-tensorflow to Yocto

2019-02-22 Thread Hongxu Jia

On 2019/2/23 4:49 AM, Manjukumar Harthikote Matha wrote:

Hi Hongxu,


-Original Message-
From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org]
On Behalf Of Stephen Lawrence
Sent: Friday, February 22, 2019 8:52 AM
To: Hongxu Jia ; richard.pur...@linuxfoundation.org;
mhalst...@linuxfoundation.org; ross.bur...@intel.com; raj.k...@gmail.com;
paul.eggle...@linux.intel.com; yocto@yoctoproject.org
Cc: lpd-cdc-core-...@windriver.com; zhangle.y...@windriver.com
Subject: Re: [yocto] Review request 0/13: Contribute meta-tensorflow to Yocto

Hi Hongxu,


-Original Message-
From: yocto-boun...@yoctoproject.org 
On Behalf Of Hongxu Jia
Sent: 21 February 2019 11:37
To: richard.pur...@linuxfoundation.org; mhalst...@linuxfoundation.org;
ross.bur...@intel.com; raj.k...@gmail.com;
paul.eggle...@linux.intel.com; yocto@yoctoproject.org
Cc: lpd-cdc-core-...@windriver.com; zhangle.y...@windriver.com
Subject: [yocto] Review request 0/13: Contribute meta-tensorflow to
Yocto

Hi RP and Yocto folks,

Currently AI on IoT edge becomes more and more popular, but there is
no machine learning framework in Yocto/OE. With the support of Eric
, Robert  and
Randy , after two months effort, I've
integrated TensorFlow to Yocto.

Good work.

You might be interested in the yocto layers for tensorflow, tensorflow-lite and
caffe2 on github here [1]. I'm not part of the team that developed that work but I
forwarded your announcement to them. Perhaps there is the opportunity for some
collaboration on the platform independent parts. The maintainer details are in the
readme.


Thanks for the layer Hongxu. I agree with Steve, it would be good if you could
collaborate with meta-renesas-ai and introduce the layer as meta-ai under
meta-openembedded.


Agree, I will add it to my TODO list, more AI, more machine learning
framework should be integrated to Yocto.


//Hongxu



Thanks,
Manju


[1] https://github.com/renesas-rz/meta-renesas-ai

The layers were developed for the industrial focused Renesas RZ/G1 platforms.

Regards

Steve





Re: [yocto] Review request 0/13: Contribute meta-tensorflow to Yocto

2019-02-22 Thread Hongxu Jia

On 2019/2/23 12:51 AM, Stephen Lawrence wrote:

Good work.

You might be interested in the yocto layers for tensorflow, tensorflow-lite and
caffe2 on github here [1]. I'm not part of the team that developed that work but I
forwarded your announcement to them. Perhaps there is the opportunity for some
collaboration on the platform independent parts. The maintainer details are in
the readme.


Yes, I know meta-renesas-ai, my first try of tensorflow build was based
on it, but failed, I am afraid its version is old and no maintenance. So
I choose to refer upstream arm compiler which `Build from source for the
Raspberry Pi'

https://www.tensorflow.org/install/source_rpi

For tensorflow-lite, I am afraid it is not completed in meta-renesas-ai.
But tensorflow-lite is on my TODO list, Currently I am not sure what to
build (may be c/c++ framework) and how to use (use cases).

For caffe2, it is another story `pytorch', I am afraid I don't have
resources(time) to focus


//Hongxu



[1]https://github.com/renesas-rz/meta-renesas-ai

The layers were developed for the industrial focused Renesas RZ/G1 platforms.

Regards





[yocto] [meta-tensorflow][PATCH 13/13] add README

2019-02-21 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 README | 170 +
 1 file changed, 170 insertions(+)
 create mode 100644 README

diff --git a/README b/README
new file mode 100644
index 000..3da4e76
--- /dev/null
+++ b/README
@@ -0,0 +1,170 @@
+Introduction
+---
+TensorFlow is an open source software library for high performance numerical
+computation primarily used in machine learning. Its flexible architecture
+allows easy deployment of computation across a variety of types of platforms
+(CPUs, GPUs, TPUs), and a range of systems from single desktops to clusters
+of servers to mobile and edge devices.
+(https://www.tensorflow.org/)
+
+The build system of TensorFlow is Bazel (https://bazel.build/).
+
+This layer integrates TensorFlow to OE/Yocto platform
+- Integrate Google's bazel to Yocto
+- Add Yocto toolchain for bazel to support cross compiling.
+- Replace python package system(pip/wheel) with Yocto package 
system(rpm/deb/ipk).
+
+Dependencies
+
+URI: git://github.com/openembedded/openembedded-core.git
+branch: master
+revision: HEAD
+
+URI: git://github.com/openembedded/bitbake.git
+branch: master
+revision: HEAD
+
+URI: git://github.com/openembedded/meta-openembedded.git
+layers: meta-python, meta-oe
+branch: master
+revision: HEAD
+
+URI: git://git.yoctoproject.org/meta-java
+branch: master
+revision: HEAD
+
+Source code
+---
+git://git.yoctoproject.org/meta-tensorflow (TODO, github first?)
+
+Maintenance
+---
+Maintainers: Hongxu Jia  | 
+
+Contributing
+---
+Contributions and patches can be sent to the Yocto Project mailing
+list: yocto@yoctoproject.org"
+
+When sending patches please take a look at the contribution guide available
+here: https://wiki.yoctoproject.org/wiki/Contribution_Guidelines
+
+example:
+git send-email -1 -M --to yocto@yoctoproject.org  
--subject-prefix=meta-tensorflow][PATCH
+
+Limitation
+---
+- Bazel build takes lots of time, since it like bitbake which has own rules 
and builds
+  everything from scratch. Currently bazel could not reuse Yocto 
DEPENDS/RDEPENDS.
+
+- Do not support offline build since bazel build system require fetches archive
+  tarballs through network.
+
+- In order to run tensorflow cases in a reasonable time, although it builds
+  successfully on qemuarm, qemuarm64, qemumips, qemumips64, qemux86 and 
qemux86-64,
+  only qemux86-64 with kvm for runtime test.
+
+- Do not support 32-bit powerpc (qemuppc) since BoringSSL does not support it.
+  (BoringSSL is a fork of OpenSSL used to implement cryptography and TLS across
+  most of Google's products)
+
+Future plan
+---
+- Support offline build which bazel build system fetches archive tarballs
+  from Yocto download mirror.
+
+- Support more BSP, such as atom, beagleboard, raspberrypi.
+
+- Introduce more machine learning cases to meta-tensorflow.
+
+- Recipe maintenance and upgrade
+
+Build and run
+---
+1. Clone away
+$ mkdir 
+$ cd 
+$ git clone git://git.yoctoproject.org/meta-tensorflow
+$ git clone git://git.yoctoproject.org/meta-java
+$ git clone git://git.openembedded.org/meta-openembedded
+$ git clone git://git.openembedded.org/openembedded-core oe-core
+$ cd oe-core
+$ git clone git://git.openembedded.org/bitbake
+
+2. Prepare build
+$ . /oe-core/oe-init-build-env 
+
+# Build qemux86-64 which runqemu supports kvm.
+$ echo 'MACHINE = "qemux86-64"' >> conf/local.conf
+
+$ echo 'IMAGE_INSTALL_append = " tensorflow"' >> conf/local.conf
+
+Edit conf/bblayers.conf to include other layers
+BBLAYERS ?= " \
+/oe-core/meta \
+/meta-openembedded/meta-python \
+/meta-openembedded/meta-oe \
+/meta-java \
+/meta-tensorflow \
+"
+
+
+3. Build image in .
+$ bitbake core-image-minimal
+
+4. Start qemu with slrip + kvm + 5GB memory:
+$ runqemu qemux86-64 core-image-minimal slirp kvm qemuparams="-m 5120"
+
+5. Verify the install
+root@qemux86-64:~# python3 -c "import tensorflow as tf; 
tf.enable_eager_execution(); print(tf.reduce_sum(tf.random_normal([1000, 
1000])))"
+tf.Tensor(-604.65454, shape=(), dtype=float32)
+
+6. Run tutorial case
+https://www.tensorflow.org/tutorials
+
+root@qemux86-64:~# cat >code.py <https://storage.googleapis.com/tensorflow/tf-keras-datasets/mnist.npz
+11493376/11490434 [==] - 7s 1us/step
+Instructions for updating:
+Colocations handled automatically by placer.
+Instructions for updating:
+Please use `rate` instead of `keep_prob`. Rate should be set to `rate = 1 - 
keep_prob`.
+Epoch 1/5
+6/6 [==] - 27s 449us/sample - loss: 0.2211 
- acc: 0.9346
+Epoch 2/5
+6/6 [==] - 24s 408us/sample - loss: 0.0969 
- acc: 0.9702
+Epoch 3/5
+6/6 [==] - 26s 439us/sample - loss: 0.0694 
- acc: 0.9780
+Epoch 4/5
+6/6 [==]
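
Review bot: the Contributing section ends the list address with a stray double quote (`yocto@yoctoproject.org"`), step 4 spells the runqemu option as "slrip" while the command under it uses `slirp`, and the Source code line still carries "(TODO, github first?)"; all three should be fixed before the README is merged. The Limitation section says bazel fetches archive tarballs over the network during the build, so it would help to state whether those downloads are checksum-verified, given that the Future plan section implies they do not yet come from the Yocto download mirror.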

[yocto] [meta-tensorflow][PATCH 11/13] tensorflow: support musl

2019-02-21 Thread Hongxu Jia
Build fails looking for `execinfo.h` when building against musl
|In file included from ./tensorflow/core/platform/stacktrace.h:26,
| from tensorflow/core/platform/stacktrace_handler.cc:34:
|./tensorflow/core/platform/default/stacktrace.h:27:10: fatal error:
execinfo.h: No such file or directory

Signed-off-by: Hongxu Jia 
---
 .../tensorflow/files/0001-support-musl.patch   | 49 ++
 recipes-framework/tensorflow/tensorflow_1.13.0.bb  |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 recipes-framework/tensorflow/files/0001-support-musl.patch

diff --git a/recipes-framework/tensorflow/files/0001-support-musl.patch 
b/recipes-framework/tensorflow/files/0001-support-musl.patch
new file mode 100644
index 000..f76041b
--- /dev/null
+++ b/recipes-framework/tensorflow/files/0001-support-musl.patch
@@ -0,0 +1,49 @@
+From 02e58aa624aa6c330984474b9119c6b29a1ed77d Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Thu, 14 Feb 2019 10:26:27 -0500
+Subject: [PATCH] support musl
+
+Build fails looking for `execinfo.h` when building against musl
+|In file included from ./tensorflow/core/platform/stacktrace.h:26,
+| from tensorflow/core/platform/stacktrace_handler.cc:34:
+|./tensorflow/core/platform/default/stacktrace.h:27:10: fatal error:
+execinfo.h: No such file or directory
+
+Upstream-Status: Pending
+Signed-off-by: Hongxu Jia 
+---
+ tensorflow/core/platform/default/stacktrace.h  | 3 ++-
+ tensorflow/core/platform/stacktrace_handler.cc | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tensorflow/core/platform/default/stacktrace.h 
b/tensorflow/core/platform/default/stacktrace.h
+index c8e297f..8fecf05 100644
+--- a/tensorflow/core/platform/default/stacktrace.h
 b/tensorflow/core/platform/default/stacktrace.h
+@@ -18,7 +18,8 @@ limitations under the License.
+ 
+ #include "tensorflow/core/platform/platform.h"
+ #if !defined(IS_MOBILE_PLATFORM) && defined(PLATFORM_POSIX) && \
+-(defined(__clang__) || defined(__GNUC__))
++(defined(__clang__) || defined(__GNUC__)) && \
++defined(__GLIBC__)
+ #define TF_GENERATE_BACKTRACE
+ #endif
+ 
+diff --git a/tensorflow/core/platform/stacktrace_handler.cc 
b/tensorflow/core/platform/stacktrace_handler.cc
+index ff31c97..41d62f7 100644
+--- a/tensorflow/core/platform/stacktrace_handler.cc
 b/tensorflow/core/platform/stacktrace_handler.cc
+@@ -16,7 +16,8 @@ limitations under the License.
+ #include "tensorflow/core/platform/platform.h"
+ 
+ #if !defined(PLATFORM_GOOGLE) && !defined(IS_MOBILE_PLATFORM) && \
+-defined(PLATFORM_POSIX) && (defined(__clang__) || defined(__GNUC__))
++defined(PLATFORM_POSIX) && (defined(__clang__) || defined(__GNUC__)) && \
++defined(__GLIBC__)
+ #define TF_GENERATE_STACKTRACE
+ #endif
+ 
+-- 
+2.8.1
+
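
Review bot: the added `defined(__GLIBC__)` condition in stacktrace.h and stacktrace_handler.cc turns backtrace generation off for every C library that does not define `__GLIBC__`, not only musl, and the description does not mention that crash stack traces are lost on those builds. Say so in the patch description, and since the header is marked `Upstream-Status: Pending`, consider testing for the header itself, for example with `__has_include(<execinfo.h>)`, so the guard follows the actual cause of the build failure.
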
diff --git a/recipes-framework/tensorflow/tensorflow_1.13.0.bb 
b/recipes-framework/tensorflow/tensorflow_1.13.0.bb
index 9e493dc..24986f5 100644
--- a/recipes-framework/tensorflow/tensorflow_1.13.0.bb
+++ b/recipes-framework/tensorflow/tensorflow_1.13.0.bb
@@ -8,6 +8,7 @@ SRC_URI = 
"git://github.com/tensorflow/tensorflow.git;branch=r1.13 \
file://0001-add-yocto-toolchain-to-support-cross-compiling.patch \
file://0001-fix-gcc-internal-compile-error-on-qemuarm64.patch \
file://0001-SyntaxError-around-async-keyword-on-Python-3.7.patch \
+   file://0001-support-musl.patch \
file://BUILD \
file://BUILD.yocto_compiler \
file://CROSSTOOL.tpl \
-- 
2.8.1



[yocto] [meta-tensorflow][PATCH 10/13] tensorflow: fix gcc internal compile error on qemuarm64

2019-02-21 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 ...x-gcc-internal-compile-error-on-qemuarm64.patch | 64 ++
 recipes-framework/tensorflow/tensorflow_1.13.0.bb  |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 
recipes-framework/tensorflow/files/0001-fix-gcc-internal-compile-error-on-qemuarm64.patch

diff --git 
a/recipes-framework/tensorflow/files/0001-fix-gcc-internal-compile-error-on-qemuarm64.patch
 
b/recipes-framework/tensorflow/files/0001-fix-gcc-internal-compile-error-on-qemuarm64.patch
new file mode 100644
index 000..aca3de4
--- /dev/null
+++ 
b/recipes-framework/tensorflow/files/0001-fix-gcc-internal-compile-error-on-qemuarm64.patch
@@ -0,0 +1,64 @@
+From e9871369eee1d98652eaf1c7dcc6adaf72733f55 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Wed, 13 Feb 2019 20:58:17 -0500
+Subject: [PATCH] fix gcc internal compile error on qemuarm64
+
+Backport a fix from eigen upstream to fix the error.
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Hongxu Jia 
+---
+ tensorflow/workspace.bzl   |  1 +
+ ...ling-workaround-on-architectures-with-SSE.patch | 28 ++
+ 2 files changed, 29 insertions(+)
+ create mode 100644 
third_party/0001-enable-spilling-workaround-on-architectures-with-SSE.patch
+
+diff --git a/tensorflow/workspace.bzl b/tensorflow/workspace.bzl
+index 12c6fab..aa49190 100755
+--- a/tensorflow/workspace.bzl
 b/tensorflow/workspace.bzl
+@@ -144,6 +144,7 @@ def tf_workspace(path_prefix = "", tf_repo_name = ""):
+ tf_http_archive(
+ name = "eigen_archive",
+ build_file = clean_dep("//third_party:eigen.BUILD"),
++patch_file = 
clean_dep("//third_party:0001-enable-spilling-workaround-on-architectures-with-SSE.patch"),
+ sha256 = 
"753fbb58d0a49b6bcbcfb126ebfa2e21fc97f7471529ba835a096008ce588d8a",
+ strip_prefix = "eigen-eigen-9f48e814419e",
+ urls = [
+diff --git 
a/third_party/0001-enable-spilling-workaround-on-architectures-with-SSE.patch 
b/third_party/0001-enable-spilling-workaround-on-architectures-with-SSE.patch
+new file mode 100644
+index 000..e3848bd
+--- /dev/null
 
b/third_party/0001-enable-spilling-workaround-on-architectures-with-SSE.patch
+@@ -0,0 +1,28 @@
++From c1b4d0195674d4196683d4988d774e74e3cc291a Mon Sep 17 00:00:00 2001
++From: Gael Guennebaud 
++Date: Mon, 10 Dec 2018 23:22:44 +0100
++Subject: [PATCH] enable spilling workaround on architectures with SSE/AVX
++
++Upstream-Status: Backport [https://github.com/eigenteam/eigen-git-mirror.git]
++Signed-off-by: Hongxu Jia 
++
++---
++ Eigen/src/Core/products/GeneralBlockPanelKernel.h | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/Eigen/src/Core/products/GeneralBlockPanelKernel.h 
b/Eigen/src/Core/products/GeneralBlockPanelKernel.h
++index 61521e2..b1e98b6 100644
++--- a/Eigen/src/Core/products/GeneralBlockPanelKernel.h
+ b/Eigen/src/Core/products/GeneralBlockPanelKernel.h
++@@ -1391,7 +1391,7 @@ void 
gebp_kernel=6 without FMA (bug 1637)
++-  #if EIGEN_GNUC_AT_LEAST(6,0)
+++  #if EIGEN_GNUC_AT_LEAST(6,0) && defined(EIGEN_VECTORIZE_SSE)
++ #define EIGEN_GEBP_2PX4_SPILLING_WORKAROUND __asm__  ("" : [a0] 
"+rm" (A0),[a1] "+rm" (A1));
++   #else
++ #define EIGEN_GEBP_2PX4_SPILLING_WORKAROUND
++-- 
++2.8.1
++
+-- 
+2.8.1
+
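
Review bot: neither this mail nor the embedded patch header quotes the gcc internal compiler error that the subject refers to, so a reader cannot tell which source file or compiler version triggers it on qemuarm64. Add the error text to the description, and give the upstream eigen commit id in the inner `Upstream-Status: Backport` line, which currently names only the repository URL.
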
diff --git a/recipes-framework/tensorflow/tensorflow_1.13.0.bb 
b/recipes-framework/tensorflow/tensorflow_1.13.0.bb
index 33649ea..9e493dc 100644
--- a/recipes-framework/tensorflow/tensorflow_1.13.0.bb
+++ b/recipes-framework/tensorflow/tensorflow_1.13.0.bb
@@ -6,6 +6,7 @@ DEPENDS = "bazel-native protobuf-native util-linux-native 
protobuf"
 SRCREV = "c8875cbb1341f6ca14dd0ec908f1dde7d67f7808"
 SRC_URI = "git://github.com/tensorflow/tensorflow.git;branch=r1.13 \
file://0001-add-yocto-toolchain-to-support-cross-compiling.patch \
+   file://0001-fix-gcc-internal-compile-error-on-qemuarm64.patch \
file://0001-SyntaxError-around-async-keyword-on-Python-3.7.patch \
file://BUILD \
file://BUILD.yocto_compiler \
-- 
2.8.1



[yocto] [meta-tensorflow][PATCH 09/13] tensorflow: add version 1.13.0

2019-02-21 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 ...octo-toolchain-to-support-cross-compiling.patch | 108 +++
 recipes-framework/tensorflow/tensorflow_1.13.0.bb  | 154 +
 2 files changed, 262 insertions(+)
 create mode 100644 
recipes-framework/tensorflow/files/0001-add-yocto-toolchain-to-support-cross-compiling.patch
 create mode 100644 recipes-framework/tensorflow/tensorflow_1.13.0.bb

diff --git 
a/recipes-framework/tensorflow/files/0001-add-yocto-toolchain-to-support-cross-compiling.patch
 
b/recipes-framework/tensorflow/files/0001-add-yocto-toolchain-to-support-cross-compiling.patch
new file mode 100644
index 000..5fa5f91
--- /dev/null
+++ 
b/recipes-framework/tensorflow/files/0001-add-yocto-toolchain-to-support-cross-compiling.patch
@@ -0,0 +1,108 @@
+From dd303f745d159a2359c81922a2171a409998a71d Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Thu, 31 Jan 2019 20:37:26 +0800
+Subject: [PATCH] add yocto toolchain to support cross compiling
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ WORKSPACE   | 6 ++
+ tensorflow/BUILD| 9 +
+ tensorflow/workspace.bzl| 8 
+ third_party/aws/BUILD.bazel | 3 +++
+ third_party/repo.bzl| 1 +
+ 5 files changed, 27 insertions(+)
+
+diff --git a/WORKSPACE b/WORKSPACE
+index 7057d3f..869c180 100644
+--- a/WORKSPACE
 b/WORKSPACE
+@@ -53,6 +53,12 @@ android_configure(name="local_config_android")
+ load("@local_config_android//:android.bzl", "android_workspace")
+ android_workspace()
+ 
++new_local_repository(
++name = "yocto_compiler",
++path = "%%WORKDIR%%",
++build_file = "//:BUILD.yocto_compiler",
++)
++
+ # Please add all new TensorFlow dependencies in workspace.bzl.
+ tf_workspace()
+ 
+diff --git a/tensorflow/BUILD b/tensorflow/BUILD
+index 823ad8f..6270301 100644
+--- a/tensorflow/BUILD
 b/tensorflow/BUILD
+@@ -100,6 +100,15 @@ config_setting(
+ )
+ 
+ config_setting(
++name = "yocto_armeabi",
++values = {
++"crosstool_top": "@local_config_yocto_compiler//:toolchain",
++"cpu": "armeabi",
++},
++visibility = ["//visibility:public"],
++)
++
++config_setting(
+ name = "android_arm",
+ values = {
+ "crosstool_top": "//external:android/crosstool",
+diff --git a/tensorflow/workspace.bzl b/tensorflow/workspace.bzl
+index aefab03..12c6fab 100755
+--- a/tensorflow/workspace.bzl
 b/tensorflow/workspace.bzl
+@@ -12,6 +12,7 @@ load("//third_party/sycl:sycl_configure.bzl", 
"sycl_configure")
+ load("//third_party/systemlibs:syslibs_configure.bzl", "syslibs_configure")
+ load("//third_party/toolchains/clang6:repo.bzl", "clang6_configure")
+ load("//third_party/toolchains/cpus/arm:arm_compiler_configure.bzl", 
"arm_compiler_configure")
++load("//third_party/toolchains/yocto:yocto_compiler_configure.bzl", 
"yocto_compiler_configure")
+ load("//third_party:repo.bzl", "tf_http_archive")
+ load("//third_party/clang_toolchain:cc_configure_clang.bzl", 
"cc_download_clang_toolchain")
+ load("@io_bazel_rules_closure//closure/private:java_import_external.bzl", 
"java_import_external")
+@@ -76,6 +77,13 @@ def tf_workspace(path_prefix = "", tf_repo_name = ""):
+ remote_config_repo = "../arm_compiler",
+ )
+ 
++# Point //external/local_config_yocto_compiler to 
//external/yocto_compiler
++yocto_compiler_configure(
++name = "local_config_yocto_compiler",
++build_file = clean_dep("//third_party/toolchains/yocto:BUILD"),
++remote_config_repo = "../yocto_compiler",
++)
++
+ mkl_repository(
+ name = "mkl_linux",
+ build_file = clean_dep("//third_party/mkl:mkl.BUILD"),
+diff --git a/third_party/aws/BUILD.bazel b/third_party/aws/BUILD.bazel
+index 5426f79..b106b12 100644
+--- a/third_party/aws/BUILD.bazel
 b/third_party/aws/BUILD.bazel
+@@ -24,6 +24,9 @@ cc_library(
+ "@org_tensorflow//tensorflow:raspberry_pi_armeabi": glob([
+ "aws-cpp-sdk-core/source/platform/linux-shared/*.cpp",
+ ]),
++"@org_tensorflow//tensorflow:yocto_armeabi": glob([
++"aws-cpp-sdk-core/source/platform/linux-shared/*.cpp",
++]),
+ "//conditions:default": [],
+ }) + glob([
+ "aws-cpp-sdk-core/include/**/*.h",
+diff --git a/third_party/repo.bzl b/third_party/repo.bzl
+index bad6d20..9823cab 100644
+--- a/third_party/repo.bzl
 b/third_party/repo.bzl
+@@ -16,6 +16,7 @@
+ 
+ _SINGLE_URL_WHITELIST = depset([
+ "arm_compiler",
++&quo

[yocto] [meta-tensorflow][PATCH 05/13] tensorflow-native: add Python 3.7 compatibility

2019-02-21 Thread Hongxu Jia
SyntaxError around async keyword on Python 3.7

Signed-off-by: Hongxu Jia 
---
 ...xError-around-async-keyword-on-Python-3.7.patch | 116 +
 .../tensorflow/tensorflow-native_1.13.0.bb |   1 +
 2 files changed, 117 insertions(+)
 create mode 100644 
recipes-framework/tensorflow/files/0001-SyntaxError-around-async-keyword-on-Python-3.7.patch

diff --git 
a/recipes-framework/tensorflow/files/0001-SyntaxError-around-async-keyword-on-Python-3.7.patch
 
b/recipes-framework/tensorflow/files/0001-SyntaxError-around-async-keyword-on-Python-3.7.patch
new file mode 100644
index 000..75cb572
--- /dev/null
+++ 
b/recipes-framework/tensorflow/files/0001-SyntaxError-around-async-keyword-on-Python-3.7.patch
@@ -0,0 +1,116 @@
+From 8abbdce7a7ec7428b7f657e313ee0b6642c1de76 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Thu, 14 Feb 2019 10:45:55 +0800
+Subject: [PATCH] SyntaxError around async keyword on Python 3.7
+
+Backport a fix from upstream astor to fix the error
+
+Upstream-Status: Pending
+
+Signed-off-by: Hongxu Jia 
+---
+ tensorflow/workspace.bzl   |  1 +
+ ...-Don-t-use-async-as-a-keyword-argument-94.patch | 79 ++
+ 2 files changed, 80 insertions(+)
+ create mode 100644 
third_party/systemlibs/0001-Don-t-use-async-as-a-keyword-argument-94.patch
+
+diff --git a/tensorflow/workspace.bzl b/tensorflow/workspace.bzl
+index aefab03..a281803 100755
+--- a/tensorflow/workspace.bzl
 b/tensorflow/workspace.bzl
+@@ -278,6 +278,7 @@ def tf_workspace(path_prefix = "", tf_repo_name = ""):
+ tf_http_archive(
+ name = "astor_archive",
+ build_file = clean_dep("//third_party:astor.BUILD"),
++patch_file = 
clean_dep("//third_party/systemlibs:0001-Don-t-use-async-as-a-keyword-argument-94.patch"),
+ sha256 = 
"ff6d2e2962d834acb125cc4dcc80c54a8c17c253f4cc9d9c43b5102a560bb75d",
+ strip_prefix = "astor-0.6.2",
+ system_build_file = clean_dep("//third_party/systemlibs:astor.BUILD"),
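Review bot: the added `patch_file` only touches the downloaded astor-0.6.2 archive; the `system_build_file` path in the trailing context gets no patch, so a build that takes astor from the system is not covered by this fix. Say so in the commit message. The patch is also stored under `//third_party/systemlibs`, next to the system-library BUILD files, and it is worth checking whether pointing the archive at an astor release that already carries the change would avoid carrying the patch at all.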
+diff --git 
a/third_party/systemlibs/0001-Don-t-use-async-as-a-keyword-argument-94.patch 
b/third_party/systemlibs/0001-Don-t-use-async-as-a-keyword-argument-94.patch
+new file mode 100644
+index 000..aafb172
+--- /dev/null
 
b/third_party/systemlibs/0001-Don-t-use-async-as-a-keyword-argument-94.patch
+@@ -0,0 +1,79 @@
++From fe1ef7f9d746847c157197e4cb2ab6505fe19faf Mon Sep 17 00:00:00 2001
++From: Berker Peksag 
++Date: Fri, 23 Mar 2018 16:50:21 +0300
++Subject: [PATCH] Don't use 'async' as a keyword argument (#94)
++
++Fixes #86
++
++Upstream-Status: Backport[https://github.com/berkerpeksag/astor.git]
++Signed-off-by: Hongxu Jia 
++---
++ astor/code_gen.py | 18 +-
++ 1 file changed, 9 insertions(+), 9 deletions(-)
++
++diff --git a/astor/code_gen.py b/astor/code_gen.py
++index 7c27f70..47d6acc 100644
++--- a/astor/code_gen.py
+ b/astor/code_gen.py
++@@ -308,8 +308,8 @@ class SourceGenerator(ExplicitNodeVisitor):
++ self.statement(node)
++ self.generic_visit(node)
++ 
++-def visit_FunctionDef(self, node, async=False):
++-prefix = 'async ' if async else ''
+++def visit_FunctionDef(self, node, is_async=False):
+++prefix = 'async ' if is_async else ''
++ self.decorators(node, 1 if self.indentation else 2)
++ self.statement(node, '%sdef %s' % (prefix, node.name), '(')
++ self.visit_arguments(node.args)
++@@ -322,7 +322,7 @@ class SourceGenerator(ExplicitNodeVisitor):
++ 
++ # introduced in Python 3.5
++ def visit_AsyncFunctionDef(self, node):
++-self.visit_FunctionDef(node, async=True)
+++self.visit_FunctionDef(node, is_async=True)
++ 
++ def visit_ClassDef(self, node):
++ have_args = []
++@@ -364,24 +364,24 @@ class SourceGenerator(ExplicitNodeVisitor):
++ self.else_body(else_)
++ break
++ 
++-def visit_For(self, node, async=False):
+++def visit_For(self, node, is_async=False):
++ set_precedence(node, node.target)
++-prefix = 'async ' if async else ''
+++prefix = 'async ' if is_async else ''
++ self.statement(node, '%sfor ' % prefix,
++node.target, ' in ', node.iter, ':')
++ self.body_or_else(node)
++ 
++ # introduced in Python 3.5
++ def visit_AsyncFor(self, node):
++-self.visit_For(node, async=True)
+++self.visit_For(node, is_async=True)
++ 
++ def visit_While(self, node):
++ set_precedence(node, node.test)
++ self.statement(node, 'while ', node.test, ':')
++ self.body_or_else(node)
++ 
++-def visit_With(self, node, async=False):
++-prefix = 'async ' if async else ''
+++def visit_With(self, node, is_async=False):
+++prefix = 'async ' if is_async else ''
++ self.statement(node, '%swith ' % prefix)
++ if hasattr(node, "

[yocto] [meta-tensorflow][PATCH 12/13] build tensorflow-native and tensorflow in order

2019-02-21 Thread Hongxu Jia
Add tensorflow-native to tensorflow's DEPENDS. Actually tensorflow
does not require tensorflow-native; this is only to avoid running
do_compile at the same time. The Bazel build system does not support
parallel builds very well (very slow).

Signed-off-by: Hongxu Jia 
---
 recipes-framework/tensorflow/tensorflow_1.13.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-framework/tensorflow/tensorflow_1.13.0.bb 
b/recipes-framework/tensorflow/tensorflow_1.13.0.bb
index 24986f5..5d41f5a 100644
--- a/recipes-framework/tensorflow/tensorflow_1.13.0.bb
+++ b/recipes-framework/tensorflow/tensorflow_1.13.0.bb
@@ -23,6 +23,7 @@ DEPENDS += " \
 python3-keras-preprocessing-native \
 python3-pip-native \
 python3-wheel-native \
+tensorflow-native \
 "
 
 RDEPENDS_${PN} += " \
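Review bot: the `tensorflow-native \` entry is added to DEPENDS only to serialize the two Bazel builds, but the recipe itself carries no comment saying so, and a later cleanup could drop it as an unused dependency. Add a one-line comment above DEPENDS with the reason given in the commit message.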
-- 
2.8.1

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-tensorflow][PATCH 08/13] tensorboard: add version 1.12.2

2019-02-21 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 .../tensorboard/0001-customize-for-Yocto.patch | 128 +
 recipes-framework/tensorflow/tensorboard_1.12.2.bb |  62 ++
 2 files changed, 190 insertions(+)
 create mode 100644 
recipes-framework/tensorflow/tensorboard/0001-customize-for-Yocto.patch
 create mode 100644 recipes-framework/tensorflow/tensorboard_1.12.2.bb

diff --git 
a/recipes-framework/tensorflow/tensorboard/0001-customize-for-Yocto.patch 
b/recipes-framework/tensorflow/tensorboard/0001-customize-for-Yocto.patch
new file mode 100644
index 000..1f0b309
--- /dev/null
+++ b/recipes-framework/tensorflow/tensorboard/0001-customize-for-Yocto.patch
@@ -0,0 +1,128 @@
+From 3834b8ecb55ebf2527aaa2502d9030460882931c Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Thu, 31 Jan 2019 22:24:54 +0800
+Subject: [PATCH] customize for Yocto
+
+- Remove virtualenv/pip/bdist_wheel calling which Yocto does not support
+
+- Add Yocto toolchain to support cross compiling
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ WORKSPACE|  6 ++
+ tensorboard/pip_package/build_pip_package.sh | 27 +++
+ third_party/workspace.bzl|  8 
+ 3 files changed, 17 insertions(+), 24 deletions(-)
+
+diff --git a/WORKSPACE b/WORKSPACE
+index 8ab70cc..0c18f6f 100644
+--- a/WORKSPACE
 b/WORKSPACE
+@@ -1,5 +1,11 @@
+ workspace(name = "org_tensorflow_tensorboard")
+ 
++new_local_repository(
++name = "yocto_compiler",
++path = "%%WORKDIR%%",
++build_file = "BUILD.yocto_compiler",
++)
++
+ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+ 
+ # Needed as a transitive dependency of rules_webtesting below.
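Review bot: `build_file = "BUILD.yocto_compiler"` is a bare path here, while the TensorFlow WORKSPACE patch on this page writes the same rule with the label form `"//:BUILD.yocto_compiler"`. Use one spelling in both places so the two workspaces stay in step.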
+diff --git a/tensorboard/pip_package/build_pip_package.sh 
b/tensorboard/pip_package/build_pip_package.sh
+index 754fa83..e473f51 100755
+--- a/tensorboard/pip_package/build_pip_package.sh
 b/tensorboard/pip_package/build_pip_package.sh
+@@ -23,7 +23,7 @@ else
+   sedi="sed -i"
+ fi
+ 
+-run_smoke_test=1
++run_smoke_test=0
+ while [ "$#" -gt 0 ]; do
+   case "$1" in
+ "--no-smoke")
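Review bot: with the default flipped to `run_smoke_test=0`, the `--no-smoke` case in the context lines below becomes a no-op and no visible option turns the smoke test back on. Keeping the upstream default and passing `--no-smoke` from the recipe would give the same result without patching this line.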
+@@ -75,27 +75,20 @@ command -v curl >/dev/null
+ command -v perl >/dev/null
+ command -v python2 >/dev/null
+ command -v python3 >/dev/null
+-command -v virtualenv >/dev/null
+ [ -d "${RUNFILES}" ]
+ 
+-dest=/tmp/tensorboard
++dest=${DESTDIR}
+ if [ ! -e $dest ]; then
+-  mkdir $dest
++  mkdir -p $dest
+ else
+   dest="$(mktemp -d -p /tmp -t tensorboard-pip.XX)"
+ fi
+ cd "${dest}"
+ 
+ cp -LR "${RUNFILES}/org_tensorflow_tensorboard/tensorboard" .
+-mv -f "tensorboard/pip_package/LICENSE" .
+-mv -f "tensorboard/pip_package/MANIFEST.in" .
+-mv -f "tensorboard/pip_package/README.rst" .
+-mv -f "tensorboard/pip_package/setup.cfg" .
+-mv -f "tensorboard/pip_package/setup.py" .
+ rm -rf tensorboard/pip_package
+ 
+ rm -f tensorboard/tensorboard  # bazel py_binary sh wrapper
+-chmod -x LICENSE   # bazel symlinks confuse cp
+ find . -name __init__.py | xargs chmod -x  # which goes for all genfiles
+ 
+ mkdir -p tensorboard/_vendor
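Review bot: `dest=${DESTDIR}` leaves the `else` branch as it was, so when `${DESTDIR}` already exists (a re-run of the task, for example) the script switches to a fresh `mktemp -d -p /tmp` directory and nothing lands where the recipe expects it. An unset DESTDIR takes the same branch, because `[ ! -e $dest ]` with an empty, unquoted `$dest` collapses to `[ ! -e ]`, which is false. Quote the expansions, fail early with `: "${DESTDIR:?}"`, and drop the /tmp fallback.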
+@@ -117,21 +110,7 @@ find tensorboard -name \*.py |
+ s/from tensorflow_serving/from tensorboard._vendor.tensorflow_serving/
+   '
+ 
+-virtualenv venv
+-export VIRTUAL_ENV=venv
+-export PATH="$PWD/venv/bin:${PATH}"
+-unset PYTHON_HOME
+-
+-# Require wheel for bdist_wheel command, and setuptools 36.2.0+ so that
+-# env markers are handled (https://github.com/pypa/setuptools/pull/1081)
+-pip install -qU wheel 'setuptools>=36.2.0'
+-
+-python setup.py bdist_wheel --python-tag py2 >/dev/null
+-python setup.py bdist_wheel --python-tag py3 >/dev/null
+-
+ if [ "$run_smoke_test" = 1 ]; then
+   smoke 2
+   smoke 3
+ fi
+-
+-ls -hal "$PWD/dist"
+diff --git a/third_party/workspace.bzl b/third_party/workspace.bzl
+index 083c441..24786f8 100644
+--- a/third_party/workspace.bzl
 b/third_party/workspace.bzl
+@@ -24,6 +24,7 @@ load("//third_party:polymer.bzl", 
"tensorboard_polymer_workspace")
+ load("//third_party:python.bzl", "tensorboard_python_workspace")
+ load("//third_party:js.bzl", "tensorboard_js_workspace")
+ load("//third_party:typings.bzl", "tensorboard_typings_workspace")
++load("//third_party/toolchains/yocto:yocto_compiler_configure.bzl", 
"yocto_compiler_configure")
+ 
+ def tensorboard_workspace():
+   tensorboard_fonts_workspace()
+@@ -32,6 +33,13 @@ def tensorboard_workspace():
+   tensorboard_typings_workspace()
+   tensorboard_js_workspace()
+ 
++  # Point //external/local_config_yocto_compiler to //external/yocto_compiler
++  yocto_compiler_con

[yocto] [meta-tensorflow][PATCH 06/13] tensorflow-estimator: add version 1.13

2019-02-21 Thread Hongxu Jia
The build steps refer to the README of https://github.com/tensorflow/estimator

Signed-off-by: Hongxu Jia 
---
 .../tensorflow/tensorflow-estimator_1.13.bb| 50 ++
 1 file changed, 50 insertions(+)
 create mode 100644 recipes-framework/tensorflow/tensorflow-estimator_1.13.bb

diff --git a/recipes-framework/tensorflow/tensorflow-estimator_1.13.bb 
b/recipes-framework/tensorflow/tensorflow-estimator_1.13.bb
new file mode 100644
index 000..5400888
--- /dev/null
+++ b/recipes-framework/tensorflow/tensorflow-estimator_1.13.bb
@@ -0,0 +1,50 @@
+DESCRIPTION = "A high-level TensorFlow API that greatly simplifies machine \
+learning programming."
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=01e86893010a1b87e69a213faa753ebd"
+
+SRC_URI = "git://github.com/tensorflow/estimator.git;branch=r1.13 \
+  "
+SRCREV = "340703eed78ba4854862f749ed94f91598826e79"
+S = "${WORKDIR}/git"
+
+inherit python3native bazel
+
+DEPENDS += " \
+python3-pip-native \
+python3-wheel-native \
+python3-six-native \
+python3-protobuf-native \
+python3-absl-native \
+python3-astor-native \
+python3-gast-native \
+python3-termcolor-native \
+tensorflow-native \
+"
+
+do_compile () {
+unset CC
+export TMPDIR="${WORKDIR}"
+${STAGING_BINDIR_NATIVE}/bazel build \
+--subcommands --explain=${T}/explain.log \
+--verbose_explanations --verbose_failures \
+--verbose_failures \
+--python_path="${PYTHON}" \
+//tensorflow_estimator/tools/pip_package:build_pip_package
+
+${STAGING_BINDIR_NATIVE}/bazel shutdown
+
+PYTHON_BIN_PATH="${PYTHON}" \
+${S}/bazel-bin/tensorflow_estimator/tools/pip_package/build_pip_package \
+${WORKDIR}/estimator_pip
+}
+
+do_install () {
+echo "Installing pip package"
+install -d ${D}${PYTHON_SITEPACKAGES_DIR}
+${STAGING_BINDIR_NATIVE}/pip3 install --disable-pip-version-check -v 
--no-deps \
+-t ${D}/${PYTHON_SITEPACKAGES_DIR} --no-cache-dir 
${WORKDIR}/estimator_pip/*.whl
+
+}
+
+FILES_${PN} += "${libdir}/*"
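Review bot: `--verbose_failures` is passed twice in do_compile, once on the `--verbose_explanations` line and again on the line after it; drop the second. `unset CC` and `export TMPDIR="${WORKDIR}"` would also benefit from a short comment giving the reason, since neither the recipe nor the commit message explains them.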
-- 
2.8.1



[yocto] [meta-tensorflow][PATCH 01/13] initial

2019-02-21 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 conf/layer.conf | 23 +++
 1 file changed, 23 insertions(+)
 create mode 100644 conf/layer.conf

diff --git a/conf/layer.conf b/conf/layer.conf
new file mode 100644
index 000..352c2bc
--- /dev/null
+++ b/conf/layer.conf
@@ -0,0 +1,23 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have a packages directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "meta-tensorflow"
+BBFILE_PATTERN_meta-tensorflow = "^${LAYERDIR}/"
+BBFILE_PRIORITY_meta-tensorflow = "10"
+
+LAYERVERSION_meta-tensorflow = "1"
+
+LAYERSERIES_COMPAT_meta-tensorflow = "thud"
+
+LAYERDEPENDS_meta-tensorflow = " \
+core \
+meta-java \
+meta-python \
+openembedded-layer \
+"
+
+LAYER_PATH_meta-tensorflow = "${LAYERDIR}"
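Review bot: `BBFILE_PRIORITY_meta-tensorflow = "10"` is high for a layer that only adds new recipes (the meta-selinux layer.conf quoted later on this page uses 5), and it gives this layer's recipes and any future .bbappend files precedence over most other layers. Lower it, or add a comment with the reason for 10. `LAYER_PATH_meta-tensorflow` is also set with no visible user; say which recipe or class reads it.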
-- 
2.8.1



[yocto] [meta-tensorflow][PATCH 02/13] bazel-native: add version 0.21.0

2019-02-21 Thread Hongxu Jia
It is the build system of tensorflow.

The build steps refer to:
https://docs.bazel.build/versions/master/install-compile-source.html

Signed-off-by: Hongxu Jia 
---
 recipes-devtools/bazel/bazel-native_0.21.0.bb | 33 +++
 1 file changed, 33 insertions(+)
 create mode 100644 recipes-devtools/bazel/bazel-native_0.21.0.bb

diff --git a/recipes-devtools/bazel/bazel-native_0.21.0.bb 
b/recipes-devtools/bazel/bazel-native_0.21.0.bb
new file mode 100644
index 000..122e507
--- /dev/null
+++ b/recipes-devtools/bazel/bazel-native_0.21.0.bb
@@ -0,0 +1,33 @@
+DESCRIPTION = "Bazel build and test tool"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI[md5sum] = "8c8240b178a35c0f3c1bc03017550270"
+SRC_URI[sha256sum] = 
"6ccb831e683179e0cfb351cb11ea297b4db48f9eab987601c038aa0f83037db4"
+
+SRC_URI = 
"https://github.com/bazelbuild/bazel/releases/download/${PV}/bazel-${PV}-dist.zip;
+
+inherit native
+
+INHIBIT_SYSROOT_STRIP = "1"
+
+DEPENDS = "coreutils-native \
+   zip-native \
+   openjdk-8-native \
+  "
+
+S="${WORKDIR}"
+
+do_compile () {
+export JAVA_HOME="${RECIPE_SYSROOT_NATIVE}/usr/lib/jvm/openjdk-8-native"
+TMPDIR="${TOPDIR}/bazel" \
+VERBOSE=yes \
+EXTRA_BAZEL_ARGS="--distdir=${DL_DIR}" \
+./compile.sh
+}
+
+do_install () {
+install -d ${D}${bindir}
+install -m 0755 ${S}/output/bazel ${D}${bindir}
+create_cmdline_wrapper ${D}/${bindir}/bazel \$BAZEL_ARGS
+}
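Review bot: do_compile sets `TMPDIR="${TOPDIR}/bazel"`, which puts the bootstrap scratch directory outside the recipe's WORKDIR, where it is shared by every build in that TOPDIR and is not removed when the recipe is cleaned. Point it at a directory under `${WORKDIR}` instead. `S="${WORKDIR}"` should also be written `S = "${WORKDIR}"` to match the spacing used by the other assignments in the file.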
-- 
2.8.1



[yocto] [meta-tensorflow][PATCH 04/13] tensorflow-native: add version 1.13.0

2019-02-21 Thread Hongxu Jia
It is required by tensorflow-estimator.

Signed-off-by: Hongxu Jia 
---
 .../tensorflow/tensorflow-native_1.13.0.bb | 60 ++
 1 file changed, 60 insertions(+)
 create mode 100644 recipes-framework/tensorflow/tensorflow-native_1.13.0.bb

diff --git a/recipes-framework/tensorflow/tensorflow-native_1.13.0.bb 
b/recipes-framework/tensorflow/tensorflow-native_1.13.0.bb
new file mode 100644
index 000..bb979ab
--- /dev/null
+++ b/recipes-framework/tensorflow/tensorflow-native_1.13.0.bb
@@ -0,0 +1,60 @@
+DESCRIPTION = "TensorFlow C/C++ Libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=01e86893010a1b87e69a213faa753ebd"
+
+DEPENDS = "bazel-native protobuf-native util-linux-native protobuf"
+SRCREV = "c8875cbb1341f6ca14dd0ec908f1dde7d67f7808"
+SRC_URI = "git://github.com/tensorflow/tensorflow.git;branch=r1.13 \
+  "
+S = "${WORKDIR}/git"
+
+DEPENDS += " \
+python3 \
+python3-numpy-native \
+python3-keras-applications-native \
+python3-keras-preprocessing-native \
+python3-pip-native \
+python3-wheel-native \
+"
+
+inherit python3native bazel native
+
+export PYTHON_BIN_PATH="${PYTHON}"
+export PYTHON_LIB_PATH="${PYTHON_SITEPACKAGES_DIR}"
+
+do_configure_append () {
+TF_NEED_CUDA=0 \
+TF_NEED_OPENCL_SYCL=0 \
+TF_NEED_OPENCL=0 \
+TF_CUDA_CLANG=0 \
+TF_DOWNLOAD_CLANG=0 \
+TF_ENABLE_XLA=0 \
+TF_NEED_MPI=0 \
+TF_SET_ANDROID_WORKSPACE=0 \
+./configure
+}
+
+do_compile () {
+unset CC
+${STAGING_BINDIR_NATIVE}/bazel build \
+-c opt \
+--subcommands --explain=${T}/explain.log \
+--verbose_explanations --verbose_failures \
+--verbose_failures \
+//tensorflow/tools/pip_package:build_pip_package
+
+${STAGING_BINDIR_NATIVE}/bazel shutdown
+}
+
+do_install() {
+export TMPDIR="${WORKDIR}"
+echo "Generating pip package"
+BDIST_OPTS="--universal" \
+${S}/bazel-bin/tensorflow/tools/pip_package/build_pip_package 
${WORKDIR}
+
+echo "Installing pip package"
+install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+${STAGING_BINDIR_NATIVE}/pip3 install --disable-pip-version-check -v 
--no-deps \
+-t ${D}/${PYTHON_SITEPACKAGES_DIR} --no-cache-dir 
${WORKDIR}/tensorflow*.whl
+
+}
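Review bot: DEPENDS mixes target names (`protobuf`, `python3`) into a recipe that inherits `native`. If the native variants are what is meant, spell them with the `-native` suffix (`protobuf-native` is already on the first DEPENDS line); if the target packages really are needed, a comment should say why. `--verbose_failures` is also repeated on two consecutive lines of do_compile.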
-- 
2.8.1



[yocto] [meta-tensorflow][PATCH 07/13] Customize Yocto toolchain for cross compiling

2019-02-21 Thread Hongxu Jia
The idea comes from upstream arm compiler which `Build from
source for the Raspberry Pi'

$ ls /third_party/toolchains/cpus/arm/
arm_compiler_configure.bzl  BUILD  CROSSTOOL.tpl

https://www.tensorflow.org/install/source_rpi

Signed-off-by: Hongxu Jia 
---
 recipes-framework/tensorflow/files/BUILD   |  56 +
 .../tensorflow/files/BUILD.yocto_compiler  |  82 
 recipes-framework/tensorflow/files/CROSSTOOL.tpl   | 229 +
 .../tensorflow/files/yocto_compiler_configure.bzl  |  24 +++
 4 files changed, 391 insertions(+)
 create mode 100644 recipes-framework/tensorflow/files/BUILD
 create mode 100644 recipes-framework/tensorflow/files/BUILD.yocto_compiler
 create mode 100644 recipes-framework/tensorflow/files/CROSSTOOL.tpl
 create mode 100644 
recipes-framework/tensorflow/files/yocto_compiler_configure.bzl

diff --git a/recipes-framework/tensorflow/files/BUILD 
b/recipes-framework/tensorflow/files/BUILD
new file mode 100644
index 000..fd1f99a
--- /dev/null
+++ b/recipes-framework/tensorflow/files/BUILD
@@ -0,0 +1,56 @@
+package(default_visibility = ["//visibility:public"])
+
+cc_toolchain_suite(
+name = "toolchain",
+toolchains = {
+"armeabi|compiler": ":cc-compiler-armeabi",
+"local|compiler": ":cc-compiler-local",
+"armeabi": ":cc-compiler-armeabi",
+"k8": ":cc-compiler-local",
+"piii": ":cc-compiler-local",
+"arm": ":cc-compiler-local",
+"s390x": ":cc-compiler-local",
+},
+)
+
+filegroup(
+name = "empty",
+srcs = [],
+)
+
+filegroup(
+name = "arm_linux_all_files",
+srcs = [
+"@yocto_compiler//:compiler_pieces",
+],
+)
+
+cc_toolchain(
+name = "cc-compiler-local",
+all_files = ":empty",
+compiler_files = ":empty",
+cpu = "local",
+dwp_files = ":empty",
+dynamic_runtime_libs = [":empty"],
+linker_files = ":empty",
+objcopy_files = ":empty",
+static_runtime_libs = [":empty"],
+strip_files = ":empty",
+supports_param_files = 1,
+toolchain_identifier = "local_linux",
+)
+
+cc_toolchain(
+name = "cc-compiler-armeabi",
+all_files = ":arm_linux_all_files",
+compiler_files = ":arm_linux_all_files",
+cpu = "armeabi",
+dwp_files = ":empty",
+dynamic_runtime_libs = [":empty"],
+linker_files = ":arm_linux_all_files",
+objcopy_files = "arm_linux_all_files",
+static_runtime_libs = [":empty"],
+strip_files = "arm_linux_all_files",
+supports_param_files = 1,
+toolchain_identifier = "yocto-linux-gnueabihf",
+)
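Review bot: in `cc-compiler-armeabi`, `objcopy_files = "arm_linux_all_files"` and `strip_files = "arm_linux_all_files"` omit the leading colon that every other attribute in this file uses (`":arm_linux_all_files"`). Both spellings resolve to the same target, so this is style only, but write them consistently. The `toolchains` map also sends `"arm"` to `:cc-compiler-local`; a comment on why it is not `:cc-compiler-armeabi` would help the next reader.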
diff --git a/recipes-framework/tensorflow/files/BUILD.yocto_compiler 
b/recipes-framework/tensorflow/files/BUILD.yocto_compiler
new file mode 100644
index 000..0dd84d3
--- /dev/null
+++ b/recipes-framework/tensorflow/files/BUILD.yocto_compiler
@@ -0,0 +1,82 @@
+package(default_visibility = ['//visibility:public'])
+
+filegroup(
+  name = 'gcc',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-gcc',
+  ],
+)
+
+filegroup(
+  name = 'ar',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-ar',
+  ],
+)
+
+filegroup(
+  name = 'ld',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-ld',
+  ],
+)
+
+filegroup(
+  name = 'nm',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-nm',
+  ],
+)
+
+filegroup(
+  name = 'objcopy',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-objcopy',
+  ],
+)
+
+filegroup(
+  name = 'objdump',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-objdump',
+  ],
+)
+
+filegroup(
+  name = 'strip',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-strip',
+  ],
+)
+
+filegroup(
+  name = 'as',
+  srcs = [
+'recipe-sysroot-native/usr/bin/%%CT_NAME%%/%%CT_NAME%%-as',
+  ],
+)
+
+filegroup(
+  name = 'compiler_pieces',
+  srcs = glob([
+'recipe-sysroot-native/usr/include/**',
+'recipe-sysroot-native/usr/lib/%%CT_NAME%%/**',
+'recipe-sysroot-native/usr/lib/%%CT_NAME%%/gcc/**',
+'recipe-sysroot-native/usr/libexec/%%CT_NAME%%/**',
+'recipe-sysroot/usr/include/**',
+  ]),
+)
+
+filegroup(
+  name = 'compiler_components',
+  srcs = [
+':gcc',
+':ar',
+':ld',
+':nm',
+':objcopy',
+':objdump',
+':strip',
+':as',
+  ],
+)
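Review bot: in the `compiler_pieces` glob, `'recipe-sysroot-native/usr/lib/%%CT_NAME%%/gcc/**'` is already covered by `'recipe-sysroot-native/usr/lib/%%CT_NAME%%/**'` on the line above it and can be dropped. The file also depends on `%%CT_NAME%%` being substituted before Bazel reads it; a header comment naming the variable that supplies the value would document that.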
diff --git a/recipes-framework/tensorflow/files/CROSSTOOL.tpl 
b/recipes-framework/tensorflow/files/CROSSTOOL.tpl
new file mode 100644
index 000..296d6a6
--- /dev/null
+++ b/recipes-framework/tensorflow/files/CROSSTOO

[yocto] [meta-tensorflow][PATCH 03/13] create classes/bazel.bbclass

2019-02-21 Thread Hongxu Jia
Inherit the bbclass to use bazel to build tensorflow-native,
tensorflow, tensorboard and tensorflow-estimator.

Signed-off-by: Hongxu Jia 
---
 classes/bazel.bbclass | 80 +++
 1 file changed, 80 insertions(+)
 create mode 100644 classes/bazel.bbclass

diff --git a/classes/bazel.bbclass b/classes/bazel.bbclass
new file mode 100644
index 000..3bda2c8
--- /dev/null
+++ b/classes/bazel.bbclass
@@ -0,0 +1,80 @@
+DEPENDS += "bazel-native \
+   openjdk-8-native \
+  "
+
+BAZEL_OUTPUTBASE_DIR ?= "${WORKDIR}/bazel/output_base"
+export BAZEL_ARGS="--output_user_root=${WORKDIR}/bazel/user_root \
+   --output_base=${BAZEL_OUTPUTBASE_DIR} \
+   --bazelrc=${S}/bazelrc \
+  "
+
+export JAVA_HOME="${RECIPE_SYSROOT_NATIVE}/usr/lib/jvm/openjdk-8-native"
+
+def bazel_get_flags(d):
+flags = ""
+for i in d.getVar("CC").split()[1:]:
+flags += "--conlyopt=%s --cxxopt=%s " % (i, i)
+
+for i in d.getVar("CFLAGS").split():
+if i == "-g":
+continue
+flags += "--conlyopt=%s " % i
+
+for i in d.getVar("BUILD_CFLAGS").split():
+flags += "--host_conlyopt=%s " % i
+
+for i in d.getVar("CXXFLAGS").split():
+if i == "-g":
+continue
+flags += "--cxxopt=%s " % i
+
+for i in d.getVar("BUILD_CXXFLAGS").split():
+flags += "--host_cxxopt=%s " % i
+
+for i in d.getVar("CPPFLAGS").split():
+if i == "-g":
+continue
+flags += "--conlyopt=%s --cxxopt=%s " % (i, i)
+
+for i in d.getVar("BUILD_CPPFLAGS").split():
+flags += "--host_conlyopt=%s --host_cxxopt=%s " % (i, i)
+
+for i in d.getVar("LDFLAGS").split():
+flags += "--linkopt=%s " % i
+
+for i in d.getVar("BUILD_LDFLAGS").split():
+flags += "--host_linkopt=%s " % i
+
+for i in d.getVar("TOOLCHAIN_OPTIONS").split():
+flags += "--linkopt=%s " % i
+
+return flags
+
+bazel_do_configure () {
+cat > "${S}/bazelrc" <<-EOF
+build --verbose_failures
+build --spawn_strategy=standalone --genrule_strategy=standalone
+build --jobs=${@oe.utils.cpu_count()}
+test --verbose_failures --verbose_test_summary
+test --spawn_strategy=standalone --genrule_strategy=standalone
+
+build --linkopt=-Wl,-latomic
+build --strip=never
+
+fetch --distdir=${DL_DIR}
+build --distdir=${DL_DIR}
+
+EOF
+
+}
+
+bazel_do_configure_append_class-target () {
+cat >> "${S}/bazelrc" <<-EOF
+# FLAGS
+build ${@bazel_get_flags(d)}
+EOF
+
+sed -i "s:${WORKDIR}:${BAZEL_OUTPUTBASE_DIR}/external/yocto_compiler:g" 
${S}/bazelrc
+}
+
+EXPORT_FUNCTIONS do_configure
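Review bot: `bazel_get_flags` calls `d.getVar(...).split()` on ten variables with no None check, so any one of them being unset raises an AttributeError; use the form `(d.getVar("CFLAGS") or "").split()` throughout. The generated bazelrc also sets `--spawn_strategy=standalone --genrule_strategy=standalone`, which runs every action without Bazel's sandbox, and `--distdir=${DL_DIR}` only avoids downloads when the archives are already in DL_DIR. Both deserve a comment in the class, since together they mean build actions run unsandboxed and external repositories may be fetched outside do_fetch.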
-- 
2.8.1



[yocto] Review request 0/13: Contribute meta-tensorflow to Yocto

2019-02-21 Thread Hongxu Jia
Hi RP and Yocto folks,

Currently AI on the IoT edge is becoming more and more popular, but there is no
machine learning framework in Yocto/OE. With the support of Eric, Robert
and Randy, after two months' effort, I've integrated TensorFlow into Yocto.

Now I am contributing the patches to Yocto for review, and applying to create
a layer named `meta-tensorflow' on Yocto.

For testing convenience, there is a fork on GitHub:
https://github.com/hongxu-jia/meta-tensorflow

BTW, I have contributed 11 other fundamental recipes to meta-openembedded,
and all of them have been merged to the master branch.

Please do not hesitate to share your suggestions.

//Hongxu

Testing Commands:
-
See README

Testing, Expected Results:
--
See README

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


Re: [linux-yocto] [linux-yocto/linux-yocto-dev 4.18][PATCH] perf arm64: Fix generate system call table failed with /tmp mounted with noexec

2018-10-18 Thread Hongxu Jia

On 2018-10-18 21:20, Bruce Ashfield wrote:

I tried to apply this to 4.18, but the commit which creates
the issue is only in 4.19+

commit 2b5882435606c209ebc052230f03505ea477a252
Author: Kim Phillips 
Date:   Fri Jul 6 16:34:43 2018 -0500

    perf arm64: Generate system call table from asm/unistd.h


% git tag --contains 2b5882435606c209ebc052230f03505ea477a252
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8

So I'll merge this to linux-yocto-dev, but the other linux-yocto
variants should be unaffected.



Got it, thanks for the affected check, and I've submitted the fix to upstream
mailing list linux-perf-us...@vger.kernel.org

//Hongxu


Bruce

On 10/18/18 5:12 AM, Hongxu Jia wrote:

When /tmp is mounted with noexec, generating the system call table failed.
[snip]
|perf-1.0/tools/perf/arch/arm64/entry/syscalls//mksyscalltbl:
/tmp/create-table-6VGPSt: Permission denied
[snip]

Add variable TMPDIR as prefix dir of the temporary file, if it is set,
replace default /tmp

Fixes: 2b5882435606 ("perf arm64: Generate system call table from asm/unistd.h")


Signed-off-by: Hongxu Jia 
---
  tools/perf/arch/arm64/entry/syscalls/mksyscalltbl | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl 
b/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl

index 2dbb8cad..c88fd32 100755
--- a/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl
+++ b/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl
@@ -23,7 +23,7 @@ create_table_from_c()
  {
  local sc nr last_sc
  -    create_table_exe=`mktemp /tmp/create-table-XX`
+    create_table_exe=`mktemp ${TMPDIR:-/tmp}/create-table-XX`
    {






--
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto


[linux-yocto] [linux-yocto/linux-yocto-dev 4.18][PATCH] perf arm64: Fix generate system call table failed with /tmp mounted with noexec

2018-10-18 Thread Hongxu Jia
When /tmp is mounted with noexec, generating the system call table failed.
[snip]
|perf-1.0/tools/perf/arch/arm64/entry/syscalls//mksyscalltbl:
/tmp/create-table-6VGPSt: Permission denied
[snip]

Add variable TMPDIR as prefix dir of the temporary file, if it is set,
replace default /tmp

Fixes: 2b5882435606 ("perf arm64: Generate system call table from asm/unistd.h")

Signed-off-by: Hongxu Jia 
---
 tools/perf/arch/arm64/entry/syscalls/mksyscalltbl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl 
b/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl
index 2dbb8cad..c88fd32 100755
--- a/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl
+++ b/tools/perf/arch/arm64/entry/syscalls/mksyscalltbl
@@ -23,7 +23,7 @@ create_table_from_c()
 {
local sc nr last_sc
 
-   create_table_exe=`mktemp /tmp/create-table-XX`
+   create_table_exe=`mktemp ${TMPDIR:-/tmp}/create-table-XX`
 
{
 
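Review bot: the new `mktemp ${TMPDIR:-/tmp}/create-table-XX` leaves the expansion unquoted, so a TMPDIR containing spaces or glob characters is word-split before mktemp sees it. Quote the whole template, `"${TMPDIR:-/tmp}/create-table-XX"`. Since the resulting file is the one that hit `Permission denied` under noexec, the commit message could also state that TMPDIR has to point at a directory that allows execution.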
-- 
2.7.4



[yocto] [meta-cgl][PATCH 1/2] cluster-glue: support multiple dbg packages

2018-10-12 Thread Hongxu Jia
Since `da5ec06 package: Add auto package splitting of .debug file'
applied in oe-core, only one dbg package is split by default,
set NOAUTOPACKAGEDEBUG = '1' to support multiple dbg packages

Use `=+' to replace `+=', it will split user define sub package first

Add missing dirs to FILES_${PN}-dbg

Signed-off-by: Hongxu Jia 
---
 meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.12.bb | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.12.bb 
b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.12.bb
index c8a3ff6..0673482 100644
--- a/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.12.bb
+++ b/meta-cgl-common/recipes-cgl/cluster-glue/cluster-glue_1.0.12.bb
@@ -70,7 +70,8 @@ pkg_postinst_${PN} () {
fi
 }
 
-PACKAGES += "\
+NOAUTOPACKAGEDEBUG = "1"
+PACKAGES =+ "\
 ${PN}-plugin-test \
 ${PN}-plugin-test-dbg \
 ${PN}-plugin-test-staticdev \
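Review bot: `NOAUTOPACKAGEDEBUG = "1"` and the switch from `PACKAGES +=` to `PACKAGES =+` are explained only in the commit message, yet both change which package picks up a given file. Put a short comment above them in the recipe, including that every `-dbg` file list now has to be kept up to date by hand.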
@@ -104,7 +105,10 @@ FILES_${PN} = "${sysconfdir} /var ${libdir}/lib*.so.* 
${sbindir} ${datadir}/clus
"
 
 FILES_${PN}-dbg += "${libdir}/heartbeat/.debug/ \
+${sbindir}/.debug/ \
+${libdir}/.debug/ \
"
+
 FILES_${PN}-plugin-compress = "${libdir}/heartbeat/plugins/compress/*.so"
 FILES_${PN}-plugin-compress-staticdev = 
"${libdir}/heartbeat/plugins/compress/*.*a"
 FILES_${PN}-plugin-compress-dbg = 
"${libdir}/heartbeat/plugins/compress/.debug/"
-- 
2.7.4



[yocto] [meta-cgl][PATCH 2/2] resource-agents: support multiple dbg packages

2018-10-12 Thread Hongxu Jia
Since `da5ec06 package: Add auto package splitting of .debug file'
applied in oe-core, only one dbg package is split by default,
set NOAUTOPACKAGEDEBUG = '1' to support multiple dbg packages

Correct dirs for FILES_${PN}-extra/FILES_${PN}-extra-dbg/
FILES_${PN}-dbg, previously dirs are obsolete.

Signed-off-by: Hongxu Jia 
---
 .../recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb  | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git 
a/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb 
b/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb
index 2a9643b..8b2b8e1 100644
--- 
a/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb
+++ 
b/meta-cgl-common/recipes-cgl/cluster-resource-agents/resource-agents_4.0.1.bb
@@ -55,11 +55,12 @@ do_install_append() {
 # tickle_tcp is published under GPLv3, we just split it into ${PN}-extra,
 # and it's required by portblock, so move portblock into ${PN}-extra together.
 PACKAGES_prepend  = "${PN}-extra ${PN}-extra-dbg ldirectord "
-FILES_${PN}-extra = "${libdir}/resource-agents/heartbeat/tickle_tcp \
+NOAUTOPACKAGEDEBUG = "1"
+FILES_${PN}-extra = "${libexecdir}/heartbeat/tickle_tcp \
  ${libdir}/ocf/resource.d/heartbeat/portblock \
  ${datadir}/resource-agents/ocft/configs/portblock \
 "
-FILES_${PN}-extra-dbg += 
"${libdir}/resource-agents/heartbeat/.debug/tickle_tcp"
+FILES_${PN}-extra-dbg = "${libexecdir}/heartbeat/.debug/tickle_tcp"
 
 FILES_ldirectord = " \
 ${sbindir}/ldirectord \
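Review bot: NOAUTOPACKAGEDEBUG = "1" is inserted between PACKAGES_prepend and FILES_${PN}-extra, directly under the comment about tickle_tcp and portblock, so it reads as part of the GPLv3 split rather than a recipe-wide setting. Move it above that comment block and give it its own one-line comment. FILES_${PN}-extra-dbg also changes from `+=` to `=` in this hunk, which the commit message does not mention; say whether that is intentional.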
@@ -101,4 +102,5 @@ FILES_${PN} += "${datadir}/cluster/* \
 "
 
 FILES_${PN}-dbg += "${libdir}/ocf/resource.d/heartbeat/.debug \
-${libdir}/resource-agents/heartbeat/.debug "
+${sbindir}/.debug \
+${libexecdir}/heartbeat/.debug "
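Review bot: FILES_${PN}-dbg now claims the whole of ${libexecdir}/heartbeat/.debug, which includes the tickle_tcp debug file that FILES_${PN}-extra-dbg claims in the previous hunk. The two only stay apart because PACKAGES_prepend puts ${PN}-extra-dbg ahead of ${PN}-dbg and the first match wins. Since tickle_tcp is kept in its own package for its GPLv3 licence, add a comment here noting that the split depends on that ordering.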
-- 
2.7.4



[yocto] [meta-selinux][PATCH] layer.conf: update LAYERSERIES_COMPAT `sumo' -> `thud'

2018-10-08 Thread Hongxu Jia
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'

Signed-off-by: Hongxu Jia 
---
 conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 0f9ea41..5fecac6 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,7 +18,7 @@ BBFILE_PRIORITY_selinux = "5"
 # cause compatibility issues with other layers
 LAYERVERSION_selinux = "1"
 
-LAYERSERIES_COMPAT_selinux = "sumo"
+LAYERSERIES_COMPAT_selinux = "thud"
 
 LAYERDEPENDS_selinux = " \
 core \
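Review bot: LAYERSERIES_COMPAT_selinux is replaced rather than extended, so after this change the tree no longer declares compatibility with sumo. The variable takes a space-separated list; if this branch is still expected to build against a sumo oe-core, use "sumo thud", otherwise say in the commit message that sumo is intentionally dropped here.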
-- 
2.7.4



[yocto] [meta-cgl][PATCH] layer.conf: update LAYERSERIES_COMPAT `sumo' -> `thud'

2018-10-08 Thread Hongxu Jia
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'

Signed-off-by: Hongxu Jia 
---
 meta-cgl-common/conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-cgl-common/conf/layer.conf b/meta-cgl-common/conf/layer.conf
index 4b8552f..bf2c93e 100644
--- a/meta-cgl-common/conf/layer.conf
+++ b/meta-cgl-common/conf/layer.conf
@@ -13,6 +13,6 @@ BBFILE_PRIORITY_cgl-common = "7"
 
 LAYERDEPENDS_cgl-common = "core openembedded-layer networking-layer perl-layer 
filesystems-layer security selinux"
 
-LAYERSERIES_COMPAT_cgl-common = "sumo"
+LAYERSERIES_COMPAT_cgl-common = "thud"
 
 require conf/distro/include/cgl_common_security_flags.inc
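Review bot: LAYERDEPENDS_cgl-common in this hunk's context pulls in security and selinux, among others, and each of those layers carries its own LAYERSERIES_COMPAT. Declaring thud here only helps once those layers declare it too, so the commit message should name the matching changes (the meta-selinux one was posted the same day) or the order in which they need to land.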
-- 
2.7.4



Re: [yocto] Any Linux/Yocto Image Installer (for target system)

2018-08-27 Thread Hongxu Jia

On 2018-07-07 05:52, Raymond Yeung wrote:


Is there any installer that I could download along with the .hddimg 
(or .iso) image to the RAM, invoke the installer, so we could have a 
bootable image installed on a SSD?





Sorry for replying late

There is a target installer meta-anaconda in yocto, which is
derived from fedora's installer (anaconda)

Here is the README:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-anaconda/tree/README

//Hongxu



History:

I can already create USB live image with dd and .hddimg.  I could also 
dd the .hddimg onto SSD and make it bootable.  The problem is that I 
need multiple partitions on my 250MB SSD, some reserved for other 
purposes.



I find that when booting up with USB running SysLinux, I could install 
GRUB, vmlinuz, along with boot.img and core.img under /boot directory, 
and the rootFs under root (i.e. '/') directory.  That's 4 partitions. 
 I believe I could resize the largest partition after installation to 
do what I want.



Is there a way to do this manually, possibly with a utility or a shell 
script?



Thanks,

Raymond







[linux-yocto] [kernel-cache][PATCH] mti-malta32: enable CONFIG_HIGHMEM for qemumips to support up to 2GiB RAM

2017-12-05 Thread Hongxu Jia
OE uses qemumips to simulate a Malta board by default.

As upstream qemu introduced:
https://git.qemu.org/?p=qemu.git;a=commit;h=94c2b6aff43cdfcfdfb552773a6b6b973a72ef0b

The Malta board can support up to 2GiB of RAM which should
be able to boot a Linux kernel built with CONFIG_HIGHMEM
enabled.

For mips, the `High Memory Support' only makes sense for the 32-bit
kernel.

Signed-off-by: Hongxu Jia <hongxu@windriver.com>
---
 bsp/mti-malta32/mti-malta32-common.cfg | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bsp/mti-malta32/mti-malta32-common.cfg 
b/bsp/mti-malta32/mti-malta32-common.cfg
index 104caf2..d30a38d 100644
--- a/bsp/mti-malta32/mti-malta32-common.cfg
+++ b/bsp/mti-malta32/mti-malta32-common.cfg
@@ -14,6 +14,7 @@ CONFIG_MIPS=y
 CONFIG_MIPS_MALTA=y
 CONFIG_CPU_MIPS32_R1=y
 
+CONFIG_HIGHMEM=y
 
 CONFIG_MTD=y
 CONFIG_MTD_BLKDEVS=y
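Review bot: CONFIG_HIGHMEM=y goes into mti-malta32-common.cfg with no comment and sits alone between two blank lines under the CPU selection. Add a comment line giving the reason from the commit message (qemumips Malta with up to 2GiB of RAM), and check the kernel config audit output of a qemumips build to confirm the option is kept in the final .config rather than dropped on an unmet dependency.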
-- 
2.8.1

-- 
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto


Re: [yocto] Contribute meta-installer to yocto

2017-11-27 Thread Hongxu Jia

On 2017-11-28 01:20, Mark Hatle wrote:

On 11/21/17 3:24 PM, Burton, Ross wrote:

On 21 November 2017 at 08:55, Hongxu Jia <hongxu@windriver.com> wrote:

 If yocto is interested in this layer and will accept it,
 I could send pull request or some one directly fetch
 from above github master branch.


Are you asking for a git repo on git.yoctoproject.org?  If you want one I believe the process is to ask
Michael Halstead.  There's no reason why it can't be maintained in this
repository forever though,  just submit it to the layer index.

The request is for more than just a repository.  (We can get a repository
anywhere..)  What he is asking for is, is this something that the Yocto Project
itself wants to own.  He is still offering to be the maintainer of the layer,
but the project being owned by the Yocto Project itself has more implications.

I.e. using the bugzilla, discussion on the @yoctoproject.org mailing lists,
etc... what happens if he is no longer able or willing to maintain the layer.. 
etc.

In addition, my understanding is a target based installer has places to insert
logos.  Currently these are blank.  If the Yocto Project wants to be the home
for this, then I would also hope that specific logos would be approved for use
within the default installer instance.

If this is outside of the scope of what the Yocto Project itself wants to own,
then OpenEmbedded is the next place that might see value in this if not,
then a github project will be fine.


Update the status:

I have applied the request to Michael, and he replied.

As he asked, I submit the code to
ssh://g...@push.yoctoproject.org/meta-anaconda

And Michael waits for Richard's approval.

//Hongxu


Ross






Re: [yocto] [oe] [PATCH 00/15] create meta-installer layer

2017-11-25 Thread Hongxu Jia

On 2017-11-25 03:34, akuster808 wrote:


These are sitting in the meta-openembedded patch queue. Did I miss the 
reject request?


- armin


I marked them as `rejected' in OE's patch work, I have applied to submit

meta-anaconda to yocto as a standalone repository.


//Hongxu



Re: [yocto] [oe] [PATCH 00/15] create meta-installer layer

2017-11-23 Thread Hongxu Jia

On 2017-11-24 09:55, Hongxu Jia wrote:

On 2017-11-24 08:35, Khem Raj wrote:


On Thu, Nov 23, 2017 at 4:15 AM Burton, Ross <ross.bur...@intel.com> wrote:


    I honestly don't see why this has to belong in meta-openembedded
    and can't live in a standalone repository.


I share the same opinion it should probably be
 Repo of its own



Hi Ross & Khem,

Since both of you think it should be as a standalone repository,
I do not insist on it.

Hi Michael,

Would you please create a repository on http://git.yoctoproject.org/
the layer name called `meta-installer', should I resend pull request
for review or directly push the repo contents to it once it's created.



Hi Michael,

I think we should call the layer `meta-anaconda'; Alex's suggestion
is reasonable. There are many available installers, and this would
make it clear what the directory contains.

//Hongxu


If the latter one, should I send my ssh pub key to you privately?

//Hongxu




    Ross 




Re: [yocto] [oe] [PATCH 00/15] create meta-installer layer

2017-11-23 Thread Hongxu Jia

On 2017-11-24 08:35, Khem Raj wrote:


On Thu, Nov 23, 2017 at 4:15 AM Burton, Ross <ross.bur...@intel.com> wrote:


I honestly don't see why this has to belong in meta-openembedded
and can't live in a standalone repository.


I share the same opinion it should probably be
 Repo of its own



Hi Ross & Khem,

Since both of you think it should be as a standalone repository,
I do not insist on it.

Hi Michael,

Would you please create a repository on http://git.yoctoproject.org/
the layer name called `meta-installer', should I resend pull request
for review or directly push the repo contents to it once it's created.

If the latter one, should I send my ssh pub key to you privately?

//Hongxu




Ross

On 23 November 2017 at 12:09, Hongxu Jia <hongxu@windriver.com> wrote:

The meta-installer layer provides a collection of installation
programs based on OE platform.

One implementation is the target installer 'anaconda', the version
is 26.21.11 which is based on Fedora 26.

The anaconda requires:
- systemd as init manager
- python3
- dnf2/rpm4
- gobject-introspection which requires qemu-usermode
  in MACHINE_FEATURES

The anaconda provides:
- graphic install and text install.

- package based (dnf/rpm) install and image (copy)
  based install.

- package based (dnf/rpm) install from local and
  remote rpm sources such as CDs and DVDs, images
  stored on a hard drive, NFS, HTTP, and FTP.

- kickstart install which provides a fully unattended
  installation that can be duplicated on scores of machines.

- install over VNC on headless machines.

- timezone setting.

- root password setting.

- user account creation.

- a variety of advanced storage devices including
  LVM, Btrfs, Ext4, and filesystem encryption.

TODO (currently not supported):
- keyboard setting

- language support setting

- network & host name setting

//Hongxu

The following changes since commit
34aa4c3202b427f59f843dc43a4e1afda4f81d13:

  usb-modeswitch: add usb-modeswitch@.service (2017-11-19
13:45:38 -0800)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib hongxu/meta-installer

http://cgit.openembedded.org/openembedded-core-contrib/log/?h=hongxu/meta-installer

Hongxu Jia (15):
  meta-installer: create layer
  meta-installer: add kernel config
  meta-installer: add anaconda support for target build
  meta-installer: add distro anaconda for host build
  meta-installer: add systemd/systemd-serialgetty bbappend
  meta-installer: add gtk+3 bbappend
  meta-installer: add initramfs-live-boot bbappend
  meta-installer: add xserver-xf86-config bbappend
  meta-installer: add multipath-tools bbappend
  meta-installer: add recipe packagegroup-installer-x11-anaconda
  meta-installer: add recipe yocto-compat-logos
  meta-installer: add recipe anaconda-init
  meta-installer: add recipe anaconda 26.21.11
  meta-installer: add recipe core-image-anaconda
  meta-installer: add recipe core-image-anaconda-initramfs

 meta-installer/COPYING.MIT                         | 17 +
 meta-installer/README                              | 47 ++
 meta-installer/README.anaconda                     | 341

 meta-installer/classes/anaconda_image.bbclass      | 321
+++
 meta-installer/classes/anaconda_kernel.bbclass     | 14 +
 .../classes/anaconda_support_image.bbclass         | 40 ++
 .../classes/anaconda_support_kernel.bbclass        |  8 +
 meta-installer/conf/distro/anaconda.conf           | 33 ++
 meta-installer/conf/layer.conf                     | 31 ++
 meta-installer/licenses/FLTK                       | 530
++
 .../systemd/files/serial-getty@.service            | 40 ++
 .../systemd/files/serial-screen-anaconda.sh        |  5 +
 .../systemd/systemd-serialgetty.bbappend           | 12 +
 .../recipes-core/systemd/systemd_%.bbappend        |  6 +
 ...for-anaconda-installer-while-loading-libA.patch | 84 +++
 .../recipes-gnome/gtk+/gtk+3_%.%.%.bbappend        |  3 +
 .../xorg-xserver/xserver-xf86-config_0.1.bbappend  | 12 +
 .../anaconda-init/anaconda-init.bb                 |  77 +++
 .../anaconda-init/anaconda-init/COPYING            | 339

  

Re: [yocto] Contribute meta-installer to yocto

2017-11-22 Thread Hongxu Jia

On 2017-11-22 23:41, Khem Raj wrote:

If yocto is interested in this layer and will accept it,
I could send pull request or some one directly fetch
from above github master branch.


This is a very good work. Thanks for contributing it. We should definitely
put it under meta-openembedded framework.



Thanks very much, I will send the pull request for review.

//Hongxu


//Hongxu





Re: [yocto] Contribute meta-installer to yocto

2017-11-21 Thread Hongxu Jia

On 2017-11-22 11:20, Paul Eggleton wrote:

Hi Hongxu,

On Wednesday, 22 November 2017 3:56:31 PM NZDT Hongxu Jia wrote:

On 2017-11-22 06:28, Paul Eggleton wrote:

On Wednesday, 22 November 2017 10:24:59 AM NZDT Burton, Ross wrote:

On 21 November 2017 at 08:55, Hongxu Jia <hongxu@windriver.com> wrote:

If yocto is interested in this layer and will accept it,
I could send pull request or some one directly fetch
from above github master branch.

Are you asking for a git repo on git.yoctoproject.org?  If you want one I
believe the process is to ask Michael Halstead.  There's no reason why it
can't be maintained in this repository forever though,  just submit it to
the layer index.

It's now in the layer index FYI, though actual metadata updates are
currently broken unfortunately - Michael is working on the latter I
believe.

I have already submitted it to layer index, but the git repository
still points to the github.

http://layers.openembedded.org/layerindex/branch/master/layer/meta-installer/

Right.


Do the metadata updates clone it from github to yocto
if it is accepted? I think I should ask Michael for help.

That's separate, you'd need to ask Michael for a repository and then push the
repo contents to it once it's created. If/when you do move the layer I am
happy to update the layer index entry, just let me know.


Thank you very much, I will talk with Michael first.

Thanks again.

//Hongxu


Cheers,
Paul






Re: [yocto] Contribute meta-installer to yocto

2017-11-21 Thread Hongxu Jia

On 2017-11-22 06:28, Paul Eggleton wrote:

On Wednesday, 22 November 2017 10:24:59 AM NZDT Burton, Ross wrote:

On 21 November 2017 at 08:55, Hongxu Jia <hongxu@windriver.com> wrote:

If yocto is interested in this layer and will accept it,
I could send pull request or some one directly fetch
from above github master branch.

Are you asking for a git repo on git.yoctoproject.org?  If you want one I
believe the process is to ask Michael Halstead.  There's no reason why it
can't be maintained in this repository forever though,  just submit it to
the layer index.

It's now in the layer index FYI, though actual metadata updates are currently
broken unfortunately - Michael is working on the latter I believe.


I have already submitted it to layer index, but the git repository
still points to the github.

http://layers.openembedded.org/layerindex/branch/master/layer/meta-installer/

Do the metadata updates clone it from github to yocto
if it is accepted? I think I should ask Michael for help.

The OE guy (Armin) seems interested in meta-installer
(previously I have added/submitted 40+ recipes to OE for
the preparation of meta-installer public). If OE could accept
meta-installer, it is very convenient to maintain all of them
in one place.

//Hongxu



Cheers,
Paul






Re: [linux-yocto] Contribute meta-installer to yocto

2017-11-21 Thread Hongxu Jia

On 2017-11-21 16:30, Paul Gortmaker wrote:

On 2017-11-21 12:41 AM, Hongxu Jia wrote:

Hi all,

Wind River has maintained meta-installer for several years,
and now we want to contribute it to yocto community.

This layer provides an installation program based on
OE platform. The installation program is anaconda from
fedora, which is the installer of distribution Fedora,
RedHat and Centos.

I think you have missed your target audience.  This list is for yocto specific 
kernel changes.  It is not for addition of new layers.


Sorry for the wrong place, I will correct it and resend

//Hongxu



Paul.
--


The version of anaconda in meta-installer is 26.21.11
which is based on Fedora 26.

The meta-installer requires:
- systemd as init manager
- python3
- dnf2/rpm4
- gobject-introspection which requires qemu-usermode
    in MACHINE_FEATURES

The meta-installer provides:
- graphic install and text install.

- package based (dnf/rpm) install and image (copy)
    based install.

- package based (dnf/rpm) install from local and
    remote rpm sources such as CDs and DVDs, images
    stored on a hard drive, NFS, HTTP, and FTP.

- kickstart install which provides a fully unattended
    installation that can be duplicated on scores of machines.

- install over VNC on headless machines.

- timezone setting.

- root password setting.

- user account creation.

- a variety of advanced storage devices including
    LVM, Btrfs, Ext4, and filesystem encryption.

The repository of meta-installer is temporary on the github
for review:
https://github.com/jiahongxujia/meta-installer

In above github, the logo picture is undefined, if yocto
could accept this layer, I will update the picture with
"Yocto project Compatible".

The attachments are the snapshots of a package based
installation.

Hopefully it is helpful for yocto, and any feedback is
appreciated.

If yocto is interested in this layer and will accept it,
I could send pull request or some one directly fetch
from above github master branch.

//Hongxu









Re: [linux-yocto] [linux-yocto-4.12][PATCH 1/1] ide:ide-cd: fix kernel panic resulting from missing scsi_req_init

2017-11-02 Thread Hongxu Jia

On 2017-11-02 01:54, Bruce Ashfield wrote:


Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")

Upstream-Status: Submitted [linux-bl...@vger.kernel.org]


I'll drop this during merge, but do you have a link to the mailing
list archive for this ?



https://www.mail-archive.com/linux-block@vger.kernel.org/msg15114.html

//Hongxu


We should capture that, and I'd like to follow along to see what
upstream says.

Bruce





Re: [linux-yocto] [linux-yocto-4.12][PATCH 1/1] ide:ide-cd: fix kernel panic resulting from missing scsi_req_init

2017-11-01 Thread Hongxu Jia

Hi Bruce,

The upstream accepted it, and merged to kernel 4.14.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=79d73346ac05bc31f2e96f899c4e9616a8d4

For 4.12, we could not directly backport from 4.14,
please merge this patch.

//Hongxu

On 2017-11-02 01:54, Bruce Ashfield wrote:

On 2017-10-31 10:01 PM, Hongxu Jia wrote:

Since we split the scsi_request out of struct request, while the
standard prep_rq_fn builds 10 byte cmds, it missed to invoke
scsi_req_init() to initialize certain fields of a scsi_request
structure (.__cmd[], .cmd, .cmd_len and .sense_len but no other
members of struct scsi_request).

An example panic on virtual machines (qemu/virtualbox) to boot
from IDE cdrom:
...
[    8.754381] Call Trace:
[    8.755419]  blk_peek_request+0x182/0x2e0
[    8.755863]  blk_fetch_request+0x1c/0x40
[    8.756148]  ? ktime_get+0x40/0xa0
[    8.756385]  do_ide_request+0x37d/0x660
[    8.756704]  ? cfq_group_service_tree_add+0x98/0xc0
[    8.757011]  ? cfq_service_tree_add+0x1e5/0x2c0
[    8.757313]  ? ktime_get+0x40/0xa0
[    8.757544]  __blk_run_queue+0x3d/0x60
[    8.757837]  queue_unplugged+0x2f/0xc0
[    8.758088]  blk_flush_plug_list+0x1f4/0x240
[    8.758362]  blk_finish_plug+0x2c/0x40
...
[    8.770906] RIP: ide_cdrom_prep_fn+0x63/0x180 RSP: 92aec018bae8
[    8.772329] ---[ end trace 6408481e551a85c9 ]---
...

Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")

Upstream-Status: Submitted [linux-bl...@vger.kernel.org]


I'll drop this during merge, but do you have a link to the mailing
list archive for this ?

We should capture that, and I'd like to follow along to see what
upstream says.

Bruce



Signed-off-by: Hongxu Jia <hongxu@windriver.com>
---
  drivers/ide/ide-cd.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
index 07e5ff3..f13ad9d 100644
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -1329,6 +1329,7 @@ static int ide_cdrom_prep_fs(struct 
request_queue *q, struct request *rq)

  unsigned long blocks = blk_rq_sectors(rq) / (hard_sect >> 9);
  struct scsi_request *req = scsi_req(rq);
  +    scsi_req_init(rq);
  memset(req->cmd, 0, BLK_MAX_CDB);
    if (rq_data_dir(rq) == READ)
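Review bot: The hunk header places the fix in ide_cdrom_prep_fs(), while the trace in the commit message faults in ide_cdrom_prep_fn. If ide_cdrom_prep_fs() is reached (or inlined) from ide_cdrom_prep_fn, say so in the commit message, so the link between the trace and the one-line change is clear to someone reading only the log.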








[linux-yocto] [linux-yocto-4.12][PATCH 1/1] ide:ide-cd: fix kernel panic resulting from missing scsi_req_init

2017-10-31 Thread Hongxu Jia
Since we split the scsi_request out of struct request, while the
standard prep_rq_fn builds 10 byte cmds, it missed to invoke
scsi_req_init() to initialize certain fields of a scsi_request
structure (.__cmd[], .cmd, .cmd_len and .sense_len but no other
members of struct scsi_request).

An example panic on virtual machines (qemu/virtualbox) to boot
from IDE cdrom:
...
[8.754381] Call Trace:
[8.755419]  blk_peek_request+0x182/0x2e0
[8.755863]  blk_fetch_request+0x1c/0x40
[8.756148]  ? ktime_get+0x40/0xa0
[8.756385]  do_ide_request+0x37d/0x660
[8.756704]  ? cfq_group_service_tree_add+0x98/0xc0
[8.757011]  ? cfq_service_tree_add+0x1e5/0x2c0
[8.757313]  ? ktime_get+0x40/0xa0
[8.757544]  __blk_run_queue+0x3d/0x60
[8.757837]  queue_unplugged+0x2f/0xc0
[8.758088]  blk_flush_plug_list+0x1f4/0x240
[8.758362]  blk_finish_plug+0x2c/0x40
...
[8.770906] RIP: ide_cdrom_prep_fn+0x63/0x180 RSP: 92aec018bae8
[8.772329] ---[ end trace 6408481e551a85c9 ]---
...

Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")

Upstream-Status: Submitted [linux-bl...@vger.kernel.org]

Signed-off-by: Hongxu Jia <hongxu@windriver.com>
---
 drivers/ide/ide-cd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
index 07e5ff3..f13ad9d 100644
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -1329,6 +1329,7 @@ static int ide_cdrom_prep_fs(struct request_queue *q, 
struct request *rq)
unsigned long blocks = blk_rq_sectors(rq) / (hard_sect >> 9);
struct scsi_request *req = scsi_req(rq);
 
+   scsi_req_init(rq);
memset(req->cmd, 0, BLK_MAX_CDB);
 
if (rq_data_dir(rq) == READ)
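Review bot: The call to scsi_req_init(rq) has to stay ahead of memset(req->cmd, 0, BLK_MAX_CDB), because per the commit message it is scsi_req_init() that sets up .cmd and .__cmd[]; without it the memset would go through a .cmd pointer that was never set up. The placement in the hunk is right, and a short comment above the call stating that dependency would keep a later reorder from reintroducing the panic.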
-- 
2.8.1
