Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Stefan Berger
On 5/9/23 13:05, Jose Quaresma wrote: Stefan Berger wrote on Tuesday, 9/05/2023 at 17:21: On 5/9/23 10:53, Jose Quaresma wrote: > Hi Stefan, > > Having this patch applied unconditionally to all kernels doesn't work and the patch

Re: [yocto] [meta-security][PATCH 0/2] Drop a kernel patch and a kernel config option

2023-05-09 Thread Bruce Ashfield
On Tue, May 9, 2023 at 2:43 PM Jose Quaresma wrote: > > > > Stefan Berger wrote on Tuesday, 9/05/2023 at > 19:19: >> >> >> >> On 5/9/23 14:11, Jose Quaresma wrote: >> > Hi Stefan, Stefan Berger wrote on Tuesday, >> > 9/05/2023 at 18:55: This PR removes a kernel patch related to

Re: [yocto] [meta-security][PATCH 0/2] Drop a kernel patch and a kernel config option

2023-05-09 Thread Jose Quaresma
Stefan Berger wrote on Tuesday, 9/05/2023 at 19:19: > > > On 5/9/23 14:11, Jose Quaresma wrote: > > Hi Stefan, Stefan Berger wrote on > Tuesday, 9/05/2023 at 18:55: This PR removes a kernel patch related to > overlayfs and IMA appraisal file change notifications and a squashfs

Re: [yocto] [meta-security][PATCH 0/2] Drop a kernel patch and a kernel config option

2023-05-09 Thread Stefan Berger
On 5/9/23 14:19, Stefan Berger wrote: On 5/9/23 14:11, Jose Quaresma wrote: CONFIG_SYSTEM_TRUSTED_KEYS= Unfortunately this is not enough because in the full patchset you are overriding the do_configure task on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included

Re: [yocto] [meta-security][PATCH 0/2] Drop a kernel patch and a kernel config option

2023-05-09 Thread Jose Quaresma
Hi Stefan, Stefan Berger wrote on Tuesday, 9/05/2023 at 18:55: > This PR removes a kernel patch related to overlayfs and IMA appraisal file > change > notifications and a squashfs xattr kernel config option. > >Stefan > > Stefan Berger (2): > linux: overlayfs: Drop kernel patch

Re: [yocto] [meta-security][PATCH 0/2] Drop a kernel patch and a kernel config option

2023-05-09 Thread Stefan Berger
On 5/9/23 14:11, Jose Quaresma wrote: Hi Stefan, Stefan Berger wrote on Tuesday, 9/05/2023 at 18:55: This PR removes a kernel patch related to overlayfs and IMA appraisal file change notifications and a squashfs xattr kernel config option.

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Stefan Berger
On 5/9/23 14:13, Jose Quaresma wrote: it's easy, just call the following: bitbake linux-firmware How do you initialize this environment? If I was to do this from meta-security I get this here: $ bitbake linux-firmware ERROR: The BBPATH variable is not set and bitbake did not find a

[yocto] [meta-security][PATCH 6/8] Revert "ima: Fix the IMA kernel feature"

2023-05-09 Thread Jose Quaresma
This reverts commit f4f7624d2e50e19249e7a2a3798c1120e5183424. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

[yocto] [meta-security][PATCH 3/8] Revert "integrity: Update the README for IMA support"

2023-05-09 Thread Jose Quaresma
This reverts commit b9abf0e09bfea8f08cc7f2d68998f014abba5b3b. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

[yocto] [meta-security][PATCH 8/8] Revert "ima: Document and replace keys and adapt scripts for EC keys"

2023-05-09 Thread Jose Quaresma
This reverts commit 0652c9fd7496d021f91759cc7489b6faad3e04bd. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

[yocto] [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue"

2023-05-09 Thread Jose Quaresma
This reverts commit 319522e00dfd23c78cbe28ab26b87e08a8f46993. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

[yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"

2023-05-09 Thread Jose Quaresma
This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

[yocto] [meta-security][PATCH 4/8] Revert "ima: Sign all executables and the ima-policy in the root filesystem"

2023-05-09 Thread Jose Quaresma
This reverts commit 76f1f539a678725211283294c8b6735186055694. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

[yocto] [meta-security][PATCH 5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY"

2023-05-09 Thread Jose Quaresma
This reverts commit 292b49342cb47da59525a44227598cf136311e1b. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

[yocto] [meta-security][PATCH 7/8] Revert "ima: Fix the ima_policy_appraise_all to appraise executables & libraries"

2023-05-09 Thread Jose Quaresma
This reverts commit cb8f26d82a35ba56f3bd40cd6ba105de03602a4b. The full patchset overrides the do_configure task and also adds a kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux-

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Jose Quaresma
Stefan Berger wrote on Tuesday, 9/05/2023 at 19:05: > > > On 5/9/23 13:05, Jose Quaresma wrote: > > Stefan Berger wrote on Tuesday, > 9/05/2023 at 17:21: On 5/9/23 10:53, Jose Quaresma wrote: > Hi Stefan, > > > Having this patch applied unconditionally to all kernels doesn't

Re: [yocto] [meta-security][PATCH 0/2] Drop a kernel patch and a kernel config option

2023-05-09 Thread Stefan Berger
On 5/9/23 14:43, Jose Quaresma wrote: You are referring to this here? do_configure() { sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config } You are saying that this deactivates some other do_configure's ? If

[yocto] [PATCH yocto-autobuilder-helper] scripts/publish-artefacts: remove all reference to deprecated edgerouter

2023-05-09 Thread Michael Halstead
edgerouter is no longer part of meta-yocto so we removed it from the autobuilder configuration as well. Signed-off-by: Michael Halstead --- config.json | 8 scripts/publish-artefacts | 12 +--- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git

Re: [yocto] Install complete Rust and toolchans for image? #rust #yocto #sdk

2023-05-09 Thread Randy MacLeod via lists.yoctoproject.org
On 2023-04-30 19:01, Livius via lists.yoctoproject.org wrote: Hi, Hi, I'm a bit late but here is some of what you were looking for: What recipes should I use in IMAGE_INSTALL to install all of Rust

Re: [yocto] [meta-parsec][master,mickledore][PATCH] meta-parsec/layer.conf: Insert addpylib declaration

2023-05-09 Thread Peter Hoyes
Hi again Armin, On 03/05/2023 13:38, Peter Hoyes via lists.yoctoproject.org wrote: Hi Armin, On 27/04/2023 16:01, Peter Hoyes via lists.yoctoproject.org wrote: From: Peter Hoyes Yocto mickledore introduced the addpylib directive for explicitly adding layer paths to the PYTHONPATH.

[yocto] [meta-security][langdale][PATCH] Revert "meta-parsec/layer.conf: Insert addpylib declaration"

2023-05-09 Thread Armin Kuster
This reverts commit ffd9eb59c7d35c3f9acc29be661bdcd0c6332897. Applied to wrong branch. Signed-off-by: Armin Kuster --- meta-parsec/conf/layer.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta-parsec/conf/layer.conf b/meta-parsec/conf/layer.conf index 5451351..a748d77 100644 ---

Re: [yocto] [meta-parsec][master,mickledore][PATCH] meta-parsec/layer.conf: Insert addpylib declaration

2023-05-09 Thread Armin Kuster
On 5/9/23 2:43 AM, Peter Hoyes wrote: Hi again Armin, On 03/05/2023 13:38, Peter Hoyes via lists.yoctoproject.org wrote: Hi Armin, On 27/04/2023 16:01, Peter Hoyes via lists.yoctoproject.org wrote: From: Peter Hoyes Yocto mickledore introduced the addpylib directive for explicitly

Re: [yocto] [meta-security][kirkstone][PATCH v2] tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745

2023-05-09 Thread Michael Opdenacker via lists.yoctoproject.org
Hi Peter On 08.05.23 at 16:50, Peter Marko via lists.yoctoproject.org wrote: Changelog: 3.2.2 A buffer overflow in tss2-rc as CVE-2023-22745. The drv layer in tss2-rc should have been the policy layer. Spec deviation in Fapi_GetDescription caused description to be NULL when

Re: [yocto] [meta-security][kirkstone][PATCH v2] tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745

2023-05-09 Thread Peter Marko via lists.yoctoproject.org
Hi Michael, Unfortunately, my corporate email server does not support me in this. I have sent you a test email after explicitly configuring this in git, but I think it won't do anything better. Last patch to yocto mailing list had to be sent by my colleague as the server has bounced it.

Re: [yocto] [meta-security][kirkstone][PATCH v2] tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745

2023-05-09 Thread Michael Opdenacker via lists.yoctoproject.org
Hi Peter, Thanks for your efforts. On 09.05.23 at 10:33, Marko, Peter wrote: Hi Michael, Unfortunately, my corporate email server does not support me in this. I have sent you a test email after explicitly configuring this in git, but I think it won't do anything better. Last patch to yocto

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Jose Quaresma
Hi Stefan, Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels. I suggest reverting this one if no other solutions come up. Jose Stefan Berger wrote on Friday, 28/04/2023 at 13:55: > > > On 4/28/23 08:48, Mikko Rapeli

[yocto] Yocto Project Status 9 May 2023 (WW19)

2023-05-09 Thread Stephen Jolley
Current Dev Position: YP 4.3 M1 Next Deadline: 5th June 2023 YP 4.3 M1 build date Next Team Meetings: * Bug Triage meeting Thursday May 11th 7:30 am PDT (

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Jose Quaresma
And it fails in other recipes like linux-firmware. Because bitbake also tries to apply the patch to linux-firmware because it uses the recipes-kernel/linux/linux-%.bbappend to check when the integrity is enabled. Jose Jose Quaresma via lists.yoctoproject.org wrote on Tuesday, 9/05/2023
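The point Jose raises above is a property of how BitBake resolves the `%` wildcard in a `.bbappend` name: a `linux-%.bbappend` is applied to every recipe whose `.bb` file name starts with `linux-`, so `linux-firmware` and `linux-libc-headers` pick up the kernel patch and the do_configure override along with the actual kernel recipes. The script below is an added example (not code from meta-security or from BitBake itself); it reimplements the prefix rule BitBake's cooker uses for `get_file_appends` (assumed to match the real rule: exact name match, or a `%` pattern whose text before the `%` equals the recipe name's prefix of the same length) over a constructed list of recipe file names, so you can see which recipes a given bbappend would bind to before building anything.

```python
"""Which recipes does a wildcard .bbappend bind to?

Added example, not part of meta-security or BitBake. The matching rule
mirrors (assumption) BitBake's get_file_appends(): a bbappend applies to
a recipe if the names are identical once '.bbappend' is read as '.bb',
or if the bbappend contains '%' and everything before the '%' equals
the recipe file name's prefix of the same length. Nothing after the '%'
is compared, which is why 'linux-%.bbappend' reaches linux-firmware.
"""
import os

# Constructed sample data: recipe files a layer might provide.
SAMPLE_RECIPES = [
    "recipes-kernel/linux/linux-yocto_6.1.bb",
    "recipes-kernel/linux/linux-yocto-rt_6.1.bb",
    "recipes-kernel/linux/linux-libc-headers_6.1.bb",
    "recipes-kernel/linux/linux-firmware_20230404.bb",
    "recipes-kernel/lttng/lttng-modules_2.13.8.bb",
]


def bbappend_applies(bbappend_name: str, recipe_path: str) -> bool:
    """True if bbappend_name (e.g. 'linux-%.bbappend') would be applied to recipe_path."""
    base = os.path.basename(bbappend_name)
    assert base.endswith(".bbappend"), "not a .bbappend file name"
    # BitBake compares the bbappend name with '.bbappend' rewritten to '.bb'.
    pattern = base[: -len(".bbappend")] + ".bb"
    recipe = os.path.basename(recipe_path)
    if pattern == recipe:
        return True
    if "%" in pattern:
        # Only the text before '%' is compared, against the same-length recipe prefix.
        return pattern.startswith(recipe[: pattern.index("%")])
    return False


def recipes_hit_by(bbappend_name: str, recipes=SAMPLE_RECIPES) -> list:
    """Base names of the recipes that the bbappend would modify."""
    return [os.path.basename(r) for r in recipes if bbappend_applies(bbappend_name, r)]


def collateral_hits(bbappend_name: str, intended_prefixes=("linux-yocto",),
                    recipes=SAMPLE_RECIPES) -> list:
    """Recipes the bbappend hits that are not the kernel recipes it was written for.

    'intended_prefixes' is a hypothetical allow-list for this example; in a real
    layer you would compare against the recipes that actually provide virtual/kernel.
    """
    return [r for r in recipes_hit_by(bbappend_name, recipes)
            if not r.startswith(intended_prefixes)]


if __name__ == "__main__":
    for name in ("linux-%.bbappend", "linux-yocto_%.bbappend", "linux-yocto-rt_6.1.bbappend"):
        print(f"{name}: hits {recipes_hit_by(name)}")
        print(f"  unintended: {collateral_hits(name)}")
```

On a real build tree the same question is answered by `bitbake-layers show-appends`, which lists every bbappend and the recipe files it attaches to; the narrower `linux-yocto_%.bbappend` form in the example binds only to the versioned linux-yocto recipes, while `linux-%.bbappend` also drags in linux-firmware and linux-libc-headers.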

[yocto] [meta-security][PATCH v2 3/8] ima: Fix the IMA kernel feature

2023-05-09 Thread Stefan Berger
Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding kernel configuration options for IMA and EVM. Signed-off-by: Stefan Berger --- meta-integrity/classes/ima-evm-rootfs.bbclass | 5 +- .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ---

[yocto] [meta-security][PATCH v2 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Stefan Berger
Add a temporary patch that resolves a file change notification issue with overlayfs where IMA did not become aware of the file changes since the 'lower' inode's i_version had not changed. The issue will be resolved in later kernels with the following patch that builds on newly added feature

[yocto] [meta-security][PATCH v2 5/8] ima: Sign all executables and the ima-policy in the root filesystem

2023-05-09 Thread Stefan Berger
Signed-off-by: Stefan Berger --- meta-integrity/classes/ima-evm-rootfs.bbclass | 25 +++ 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 6902d69..98c4bc1 100644 ---

[yocto] [meta-security][PATCH v2 2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries

2023-05-09 Thread Stefan Berger
Fix the ima_policy_appraise_all policy to appraise all executables and libraries. Also update the list of files that are not appraised to not appraise cgroup related files. Signed-off-by: Stefan Berger --- .../files/ima_policy_appraise_all| 9 - 1 file changed, 8

[yocto] [meta-security][PATCH v2 0/8] Fix IMA and EVM support

2023-05-09 Thread Stefan Berger
This series of patches fixes the current support for IMA and EVM by removing outdated patches for example and adding kernel config options. I have tried out these patches with OpenBMC where the appraisal policy now enforces signed executables and libraries. Stefan v2: - appended

[yocto] [meta-security][PATCH v2 1/8] ima: Document and replace keys and adapt scripts for EC keys

2023-05-09 Thread Stefan Berger
For shorter file signatures use EC keys rather than RSA keys. Document the debug keys and their purpose. Adapt the scripts for creating these types of keys to now create EC keys. Signed-off-by: Stefan Berger --- meta-integrity/data/debug-keys/README.md | 17

[yocto] [meta-security][PATCH v2 6/8] integrity: Update the README for IMA support

2023-05-09 Thread Stefan Berger
Update the README describing how IMA support can be used. Signed-off-by: Stefan Berger --- meta-integrity/README.md | 20 +++- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 816b40d..1a37280 100644 ---

[yocto] [meta-security][PATCH v2 4/8] ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY

2023-05-09 Thread Stefan Berger
The IMA policy will be specified using the IMA_EVM_POLICY variable since systemd will not be involved in loading the policy but the init script will load it. Signed-off-by: Stefan Berger --- meta-integrity/README.md | 2 +- meta-integrity/classes/ima-evm-rootfs.bbclass | 4

[yocto] [meta-security][PATCH v2 8/8] ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch

2023-05-09 Thread Stefan Berger
Signed-off-by: Stefan Berger --- ...ation-using-ioctl-when-evm_portable-.patch | 35 +++ ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} | 9 +++-- 2 files changed, 42 insertions(+), 2 deletions(-) create mode 100644

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Jose Quaresma
Jose Quaresma via lists.yoctoproject.org wrote on Tuesday, 9/05/2023 at 16:06: > And it fails in other recipes like linux-firmware. > Because bitbake also tries to apply the patch to linux-firmware because it > uses the recipes-kernel/linux/linux-%.bbappend to check when the > integrity

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Jose Quaresma
Stefan Berger wrote on Tuesday, 9/05/2023 at 17:21: > > > On 5/9/23 10:53, Jose Quaresma wrote: > > Hi Stefan, > > > > Having this patch applied unconditionally to all kernels doesn't work > and the patch fails in many downstream kernels. > > I suggest reverting this one if no other

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Stefan Berger
On 5/9/23 10:53, Jose Quaresma wrote: Hi Stefan, Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels. I suggest reverting this one if no other solutions come up. Oh, I just saw the patches were applied to meta-security

[yocto] [meta-zephyr][PATCH 2/2][mickledore] CI: Disable testimage on qemu-cortex-a9

2023-05-09 Thread Peter Hoyes
From: Peter Hoyes Runtime validation is currently failing on qemu-cortex-a9 for undiagnosed reasons. Disable testimage on this machine for now until it has been fixed. Signed-off-by: Peter Hoyes --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml

[yocto] [meta-zephyr][PATCH 1/2][mickledore] CI: Update to mickledore

2023-05-09 Thread Peter Hoyes
From: Peter Hoyes Signed-off-by: Peter Hoyes --- ci/base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/base.yml b/ci/base.yml index 70adac1..4bf59d1 100644 --- a/ci/base.yml +++ b/ci/base.yml @@ -7,7 +7,7 @@ distro: zephyr defaults: repos: -refspec:

Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

2023-05-09 Thread Stefan Berger
On 5/9/23 10:53, Jose Quaresma wrote: Hi Stefan, Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels. I suggest reverting this one if no other solutions come up. Then let me drop this one. I just posted v2 of this series and

[yocto] [meta-security][PATCH 0/2] Drop a kernel patch and a kernel config option

2023-05-09 Thread Stefan Berger
This PR removes a kernel patch related to overlayfs and IMA appraisal file change notifications and a squashfs xattr kernel config option. Stefan Stefan Berger (2): linux: overlayfs: Drop kernel patch resolving a file change notification issue ima: Drop kernel config option

[yocto] [meta-security][PATCH 2/2] ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg

2023-05-09 Thread Stefan Berger
Drop the kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg. Instead, require projects that use squashfs to set this option. Signed-off-by: Stefan Berger --- meta-integrity/recipes-kernel/linux/linux/ima.cfg | 1 - 1 file changed, 1 deletion(-) diff --git

[yocto] [meta-security][PATCH 1/2] linux: overlayfs: Drop kernel patch resolving a file change notification issue

2023-05-09 Thread Stefan Berger
Revert the patch resolving a file change notification issue (for IMA appraisal) since this patch fails in 'many downstream kernels'. - https://lists.yoctoproject.org/g/yocto/message/59928 - https://lists.yoctoproject.org/g/yocto/message/59929 Signed-off-by: Stefan Berger ---

[linux-yocto] [yocto-kernel-cache v6.1]: nxp-s32g: add scc and cfg files for S32G platform

2023-05-09 Thread Zhantao Tang via lists.yoctoproject.org
Hi Bruce, The following patch is to add scc and cfg files for S32G platform, would you please help to merge it into yocto-6.1 branch? Thanks, Zhantao

[linux-yocto] [PATCH] nxp-s32g: add scc and cfg files for S32G platform

2023-05-09 Thread Zhantao Tang via lists.yoctoproject.org
Refer to scc and cfg files on branch yocto-5.15, add new scc and cfg files for BSP nxp-s32g on branch yocto-6.1. Both standard and preempt-rt are supported. Signed-off-by: Zhantao Tang --- bsp/nxp-s32g/nxp-s32g-preempt-rt.scc | 8 ++ bsp/nxp-s32g/nxp-s32g-standard.scc | 8 ++

[linux-yocto] [linux-yocto std/rt kernel v6.1]: nxp-s32g: update kernel to v6.1 based on SDK BSP36 v5.15 release kernel

2023-05-09 Thread Zhantao Tang via lists.yoctoproject.org
Hi Bruce, The following patches are to update kernel to v6.1 based on SDK BSP36 v5.15 release kernel. Would you please help to create branches: v6.1/standard/nxp-sdk-5.15/nxp-s32g v6.1/standard/preempt-rt/nxp-sdk-5.15/nxp-s32g based on v6.1/standard/base and

[linux-yocto] [yocto-kernel-cache][yocto-6.1][PATCH 1/2] bsp: xilinx-zynq: add preempt-rt support

2023-05-09 Thread quanyang.wang via lists.yoctoproject.org
From: Quanyang Wang Signed-off-by: Quanyang Wang --- bsp/xilinx-zynq/xilinx-zynq-preempt-rt.scc | 8 1 file changed, 8 insertions(+) create mode 100644 bsp/xilinx-zynq/xilinx-zynq-preempt-rt.scc diff --git a/bsp/xilinx-zynq/xilinx-zynq-preempt-rt.scc

[linux-yocto] [yocto-kernel-cache][yocto-6.1][PATCH 0/2] add preempt-rt for

2023-05-09 Thread quanyang.wang via lists.yoctoproject.org
From: Quanyang Wang Hi Bruce, Would you please help merge these 2 patches to the branch: yocto-6.1 Thanks, Quanyang Quanyang Wang (2): bsp: xilinx-zynq: add preempt-rt support bsp: xilinx-zynqmp: add preempt-rt support bsp/xilinx-zynq/xilinx-zynq-preempt-rt.scc | 8

[linux-yocto] [yocto-kernel-cache][yocto-6.1][PATCH 2/2] bsp: xilinx-zynqmp: add preempt-rt support

2023-05-09 Thread quanyang.wang via lists.yoctoproject.org
From: Quanyang Wang Signed-off-by: Quanyang Wang --- bsp/xilinx-zynqmp/xilinx-zynqmp-preempt-rt.scc | 8 1 file changed, 8 insertions(+) create mode 100644 bsp/xilinx-zynqmp/xilinx-zynqmp-preempt-rt.scc diff --git a/bsp/xilinx-zynqmp/xilinx-zynqmp-preempt-rt.scc