[yocto] [meta-parsec][master,langdale][PATCH] Flush caches after OEQA tests
Make sure that all changes a saved after running the tests. Signed-off-by: Anton Antonov --- meta-parsec/lib/oeqa/runtime/cases/parsec.py | 4 1 file changed, 4 insertions(+) diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py index 66932ed..004717d 100644 --- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py +++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py @@ -24,6 +24,10 @@ class ParsecTest(OERuntimeTestCase): self.parsec_status='pgrep -l parsec' self.parsec_reload='/etc/init.d/parsec reload' +def tearDown(self): +self.target.run('sync') +super(ParsecTest, self).tearDown() + def copy_subconfig(self, cfg, provider): """ Copy a provider configuration to target and append it to Parsec config """ -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#59703): https://lists.yoctoproject.org/g/yocto/message/59703 Mute This Topic: https://lists.yoctoproject.org/mt/98237407/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
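Review bot: the status returned by `self.target.run('sync')` in the new `tearDown` is discarded, so a failed flush passes silently; keep it (`status, output = self.target.run('sync')`) and log a non-zero status, and call `super(ParsecTest, self).tearDown()` from a `finally:` block so the base-class teardown still runs if the ssh command raises. Commit message typo: "all changes a saved" should read "all changes are saved".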
[yocto] [meta-parsec][langdale][PATCH] Fix PACKAGECONFIG check in Parsec OEQA tests
From: Anton Antonov If PACKAGECONFIG is not defined in local.conf then its default value is not included in cls.tc.td map. Signed-off-by: Anton Antonov Signed-off-by: Armin Kuster --- meta-parsec/lib/oeqa/runtime/cases/parsec.py | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py index 6be84ba..c6e7893 100644 --- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py +++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py @@ -61,9 +61,18 @@ class ParsecTest(OERuntimeTestCase): def check_packageconfig(self, prov): """ Check that the require provider is included in Parsec """ -if prov not in self.tc.td['PACKAGECONFIG:pn-parsec-service']: + +if 'PACKAGECONFIG:pn-parsec-service' in self.tc.td.keys(): +providers = self.tc.td['PACKAGECONFIG:pn-parsec-service'] +else: +# PACKAGECONFIG is not defined in local.conf +# Let's use the default value +providers = "PKCS11 MBED-CRYPTO" +if 'tpm2' in self.tc.td['DISTRO_FEATURES']: +providers += " TPM" +if prov not in providers: self.skipTest('%s provider is not included in Parsec. Parsec PACKAGECONFIG: "%s"' % \ - (prov, self.tc.td['PACKAGECONFIG:pn-parsec-service'])) + (prov, providers)) def check_packages(self, prov, packages): """ Check for the required packages for Parsec providers software backends """ -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#59691): https://lists.yoctoproject.org/g/yocto/message/59691 Mute This Topic: https://lists.yoctoproject.org/mt/98221139/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
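Review bot: `if prov not in providers:` is a substring test on a space-separated string, so a provider name that happens to be a substring of another entry would pass the check; match whole tokens with `if prov not in providers.split():`. Minor: `'PACKAGECONFIG:pn-parsec-service' in self.tc.td.keys()` can be written `in self.tc.td`, and the whole if/else collapses to `self.tc.td.get('PACKAGECONFIG:pn-parsec-service', "PKCS11 MBED-CRYPTO")`.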
[yocto] [meta-parsec][PATCH] Fix PACKAGECONFIG check in Parsec OEQA tests
If PACKAGECONFIG is not defined in local.conf then its default value is not included in cls.tc.td map. Signed-off-by: Anton Antonov --- meta-parsec/lib/oeqa/runtime/cases/parsec.py | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py index 71061db..66932ed 100644 --- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py +++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py @@ -61,9 +61,18 @@ class ParsecTest(OERuntimeTestCase): def check_packageconfig(self, prov): """ Check that the require provider is included in Parsec """ -if prov not in self.tc.td['PACKAGECONFIG:pn-parsec-service']: + +if 'PACKAGECONFIG:pn-parsec-service' in self.tc.td.keys(): +providers = self.tc.td['PACKAGECONFIG:pn-parsec-service'] +else: +# PACKAGECONFIG is not defined in local.conf +# Let's use the default value +providers = "PKCS11 MBED-CRYPTO" +if 'tpm2' in self.tc.td['DISTRO_FEATURES']: +providers += " TPM" +if prov not in providers: self.skipTest('%s provider is not included in Parsec. Parsec PACKAGECONFIG: "%s"' % \ - (prov, self.tc.td['PACKAGECONFIG:pn-parsec-service'])) + (prov, providers)) def check_packages(self, prov, packages): """ Check for the required packages for Parsec providers software backends """ -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#59658): https://lists.yoctoproject.org/g/yocto/message/59658 Mute This Topic: https://lists.yoctoproject.org/mt/98182135/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
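Review bot: the fallback `providers = "PKCS11 MBED-CRYPTO"` duplicates the recipe default (`PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO"` in the parsec-service_1.0.0.bb hunk elsewhere on this page) and will drift silently if the recipe changes. The same hunk shows the recipe appending TPM only when the tpm layer is in `BBFILE_COLLECTIONS` in addition to `tpm2` in `DISTRO_FEATURES`, whereas this test appends `" TPM"` on `DISTRO_FEATURES` alone; on a build without that layer the TPM tests would run against a Parsec built without the provider instead of being skipped. Mirroring the recipe's `BBFILE_COLLECTIONS` check here, or reading the expanded value from the datastore rather than hard-coding it, would remove both mismatches.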
Re: [yocto] [meta-security][PATCH v3] parsec-service: update from 1.1.0 to 1.2.0-rc1
On Mon, Apr 10, 2023 at 04:17 AM, Armin Kuster wrote:
>
> Something in latest master may have introduced another issue, this time
> the runtime testing. I am seeing this new error:
>
> self.check_packageconfig("TS")
> File "/home/akuster/oss/maint/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py", line 64, in check_packageconfig
> if prov not in self.tc.td['PACKAGECONFIG:pn-parsec-service']:
> KeyError: 'PACKAGECONFIG:pn-parsec-service'
>
> Any ideas on how to fix or what might be causing this? I thought I had a
> fix but the test hangs.

The default value of PACKAGECONFIG is not included in tc.td if it's not defined in local.conf, for whatever reason. I will send a fix soon.

Cheers,
Anton
Re: [yocto] [meta-parsec][v2][PATCH] parsec-service: fix SRC_URI hash
On Sun, Apr 9, 2023 at 10:40 AM, Armin Kuster wrote:
>
> Fixes:
> ERROR: Missing SRC_URI checksum, please add those to the recipe:
> SRC_URI[parsec-service-1.2.0.sha256sum] = "f58e7ba859c22cc1904dc8298b1a7d94ee1ba3b4d4808f28e4cc0c96ddb149c9"
>
> Needed to S dir too.

Until a few days ago the S dir wasn't needed in the recipe if the crate fetcher was used. If it's a new fetcher behavior, then S should be defined in the cargo class instead, I think.

Cheers,
Anton
Re: [yocto] [PATCH 1/2] meta-parsec: Disable RSA-OAEP OEQA tests for Parsec PKCS11 backend
On Thu, Apr 6, 2023 at 12:04 PM, Armin Kuster wrote:
>
> Does this apply to older versions ?

No, it's required only after upgrading parsec-tool to 0.6.0. This version introduces new tests which are not supported by softhsm2.

Cheers,
Anton
Re: [yocto] [meta-security][PATCH v3] parsec-service: update from 1.1.0 to 1.2.0-rc1
On Thu, Apr 6, 2023 at 05:38 AM, Armin Kuster wrote:
>
> 1.2.0 released yesterday. Is someone planning on sending a new series? If
> not, I can give it a shot.

Yes, we're testing the new recipes atm. We will send them asap.

Cheers,
Anton
Re: [yocto] [meta-security][PATCH v3] parsec-service: update from 1.1.0 to 1.2.0-rc1
On Sat, Apr 1, 2023 at 05:50 AM, Armin Kuster wrote:
>
> >> parsec-service 1.1.0 fails to compile with latest tpm2-tss update
> >> in meta-security:
>
> Thanks for the update.
> This patch is currently in a test build.
> Just a note. If this version ends up being the official one being
> supported in the upcoming 4.2 release, when parsec-service 1.2.0 official
> drops and is added, we will need to use "EPOCH" as I believe "-rc1" being
> dropped will signal the version going backwards.

I think Parsec would fail to be built with this patch after these patches in OE-core:
https://git.yoctoproject.org/poky/commit/?id=2b12c58724d250d1faf24072128e2de75dfe2c15
https://git.yoctoproject.org/poky/commit/?id=4d9886e1435dba3785973cc920865f8ab67e644d

Updates for cargo-update-recipe-crates are under review and the 1.2.0 release recipe would solve the issue.

Cheers,
Anton
Re: [yocto] [meta-security][PATCH v3] parsec-service: update from 1.1.0 to 1.2.0-rc1
On Sat, Apr 1, 2023 at 05:50 AM, Armin Kuster wrote:
>
> >> parsec-service 1.1.0 fails to compile with latest tpm2-tss update
> >> in meta-security:
>
> Thanks for the update.
> This patch is currently in a test build.
> Just a note. If this version ends up being the official one being
> supported in the upcoming 4.2 release, when parsec-service 1.2.0 official
> drops and is added, we will need to use "EPOCH" as I believe "-rc1" being
> dropped will signal the version going backwards.

We're planning to include the Parsec 1.2.0 release in 4.2. I'm not sure what to do with these rc1 recipes tbh. Miko, can you wait for the Parsec release?

Cheers,
Anton
Re: [yocto] [meta-security][PATCH v3] parsec-service: update from 1.1.0 to 1.2.0-rc1
On Sun, Mar 26, 2023 at 11:16 PM, Mikko Rapeli wrote:
>
> ...ce_1.1.0.inc => parsec-service-crates.inc} | 239 +-
> ...e_1.1.0.bb => parsec-service_1.2.0-rc1.bb} | 14 +-
> 2 files changed, 134 insertions(+), 119 deletions(-)
> rename meta-parsec/recipes-parsec/parsec-service/{parsec-service_1.1.0.inc => parsec-service-crates.inc} (50%)
> rename meta-parsec/recipes-parsec/parsec-service/{parsec-service_1.1.0.bb => parsec-service_1.2.0-rc1.bb} (91%)
>
> v3: change to gitsm fetcher

Ack, although this recipe will be replaced with the 1.2.0 release version in a week or two.

Cheers,
Anton
Re: [yocto] [meta-security][PATCH] parsec-service: update from 1.1.0 to 1.2.0-rc1
Hi Mikko,

> +SRC_URI += "git://github.com/parallaxsecond/parsec;protocol=https;branch=main \

We noticed another small issue with your patch. Could you use gitsm instead of git, so the required git submodules will be fetched as well:

SRC_URI += "gitsm://github.com/parallaxsecond/parsec;protocol=https;branch=main \

Thank you,
Anton
Re: [yocto] [meta-security][PATCH] parsec-service: update from 1.1.0 to 1.2.0-rc1
Hi Mikko,

Thank you for the patch. In general I don't mind switching from "cargo bitbake" to "bitbake -c update_crates" for Parsec recipes. But in this case, when you use a git repository instead of a Parsec crate, the cargo-update-recipe-crates class includes dependency crates from "fuzz/Cargo.lock" which are not required for Yocto builds.

If you urgently need a new Yocto Parsec recipe then please remove all the fuzz/Cargo.lock dependencies. Otherwise we can wait until the Parsec 1.2.0 crate is released.

Cheers,
Anton
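The fuzz/Cargo.lock problem described in the reply above, as an added example (not meta-parsec or OE-core code): a Python script that parses two constructed Cargo.lock files the way a crate-list generator would, lists the registry crates that exist only because of fuzz/Cargo.lock, and renders the trimmed crate:// SRC_URI block. The crate names, versions and checksums are placeholders, and the exact layout of the rendered SRC_URI lines is an assumption about the update_crates output rather than a copy of it.

```python
"""Spot the crates a fuzz/Cargo.lock scan would add to a Yocto crate list.

Added example, not meta-parsec or OE-core code. It imitates what a
cargo-update-recipe-crates style scan does (one crate:// SRC_URI entry plus a
sha256 line per registry crate in every Cargo.lock it sees) so the crates that
come only from fuzz/Cargo.lock can be listed and left out of the recipe.
Both lock files below are constructed samples with placeholder checksums.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Crate = Tuple[str, str]  # (name, version)
CrateMeta = Dict[str, Optional[str]]

# Constructed sample: the service's own Cargo.lock, one registry dependency.
MAIN_LOCK = """\
[[package]]
name = "parsec-service"
version = "1.2.0"
dependencies = [
 "log",
]

[[package]]
name = "log"
version = "0.4.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
"""

# Constructed sample: fuzz/Cargo.lock adds a fuzzing-only crate on top.
FUZZ_LOCK = """\
[[package]]
name = "parsec-fuzz"
version = "0.1.0"
dependencies = [
 "arbitrary",
 "log",
]

[[package]]
name = "arbitrary"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"

[[package]]
name = "log"
version = "0.4.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
"""

_FIELD = re.compile(r'^(name|version|source|checksum)\s*=\s*"([^"]*)"', re.M)


def parse_lock(lock_text: str) -> Dict[Crate, CrateMeta]:
    """Parse the [[package]] tables of a Cargo.lock into {(name, version): meta}.
    Only the scalar fields are read; the dependency lists are not needed."""
    crates: Dict[Crate, CrateMeta] = {}
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(_FIELD.findall(block))
        crates[(fields["name"], fields["version"])] = {
            "source": fields.get("source"),  # absent for workspace members
            "checksum": fields.get("checksum"),
        }
    return crates


def registry_crates(lock_text: str) -> Dict[Crate, CrateMeta]:
    """Crates fetched from a registry are the ones that get a crate:// entry;
    workspace members are built from ${S} and are skipped."""
    return {c: m for c, m in parse_lock(lock_text).items()
            if m["source"] and m["source"].startswith("registry+")}


def fuzz_only_crates(main_lock: str, fuzz_lock: str) -> List[Crate]:
    """Registry crates present in fuzz/Cargo.lock but not in Cargo.lock: these
    are the dependencies to drop, since the Yocto build never uses them."""
    main = registry_crates(main_lock)
    return sorted(c for c in registry_crates(fuzz_lock) if c not in main)


def render_crates_inc(lock_texts: Iterable[str], exclude: Iterable[Crate] = ()) -> str:
    """Render SRC_URI crate:// lines plus per-crate checksums for every registry
    crate in the given lock files, minus `exclude`."""
    merged: Dict[Crate, CrateMeta] = {}
    for text in lock_texts:
        merged.update(registry_crates(text))
    skip = set(exclude)
    keep = sorted(c for c in merged if c not in skip)
    lines = ['SRC_URI += " \\'] + [f"    crate://crates.io/{n}/{v} \\" for n, v in keep]
    lines += ['"', ""]
    for n, v in keep:
        sha = merged[(n, v)]["checksum"]
        lines.append(f'SRC_URI[{n}-{v}.sha256sum] = "{sha}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    extra = fuzz_only_crates(MAIN_LOCK, FUZZ_LOCK)
    print("fuzz-only crates to drop:", extra)
    print(render_crates_inc([MAIN_LOCK, FUZZ_LOCK], exclude=extra))
```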
Re: [yocto] [meta-parsec][PATCH 1/2] tpm2-tss: restore version 3.2.x to meta-parsec
Hi Armin,

We're in the process of releasing a new version of Parsec where this issue is fixed:
https://github.com/parallaxsecond/parsec/issues/663

We will update the parsec recipes in the next few days.

Cheers,
Anton
Re: [yocto] [meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present
Hi Jerome,

Parsec doesn't depend on optee-client and doesn't require it at all. If Parsec is built with the Trusted Services provider included then `libts` is added into DEPENDS and RDEPENDS:
https://git.yoctoproject.org/meta-security/tree/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb#n23

The libts recipe (it will be merged into meta-arm later today or tomorrow together with other generic recipes for Trusted Services Secure Partitions (SWd side) and test/demo tools (NWd side)) creates the `teeclnt` group.

Cheers,
Anton
Re: [yocto] [meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present
The latest version of the parsec-service recipe adds parsec into the teeclnt group if Parsec is built with the TS provider:
https://git.yoctoproject.org/meta-security/tree/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb#n75

In this case the teeclnt group is created by the libts recipe (it will be merged into meta-arm later this week). With your change it's not clear what recipe will create the group. Could you point me to this recipe?

Anton
[yocto] [meta-parsec][PATCH] parsec-service: Update oeqa tests
Signed-off-by: Anton Antonov --- meta-parsec/README.md | 3 +- meta-parsec/lib/oeqa/runtime/cases/parsec.py | 100 +++--- .../parsec-service/parsec-service_1.0.0.bb| 5 +- 3 files changed, 92 insertions(+), 16 deletions(-) diff --git a/meta-parsec/README.md b/meta-parsec/README.md index f720cd2..99935bc 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md @@ -99,6 +99,7 @@ The tests are run against: - all providers pre-configured in the Parsec config file included in the image. - PKCS11 and TPM providers with software backends if softhsm and swtpm packages included in the image. +- TS Provider if Parsec is built with it included. Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec, softhsm and swtpm included. @@ -214,7 +215,7 @@ systemctl start parsec The IBM Software TPM service can be used for manual testing of the provider by including it into your test image: -IMAGE_INSTALL:append = " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim" +IMAGE_INSTALL:append = " swtpm tpm2-tools libtss2 libtss2-tcti-mssim" Inside the running VM: - Stop Parsec diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py index 11e5572..6be84ba 100644 --- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py +++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py @@ -12,12 +12,8 @@ from oeqa.core.decorator.data import skipIfNotFeature class ParsecTest(OERuntimeTestCase): @classmethod def setUpClass(cls): -cls.tc.target.run('swtpm_ioctl -s --tcp :2322') cls.toml_file = '/etc/parsec/config.toml' - -@classmethod -def tearDownClass(cls): -cls.tc.target.run('swtpm_ioctl -s --tcp :2322') +cls.tc.target.run('cp -p %s %s-original' % (cls.toml_file, cls.toml_file)) def setUp(self): super(ParsecTest, self).setUp() 
@@ -40,6 +36,11 @@ class ParsecTest(OERuntimeTestCase): status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file)) os.remove(tmp_path) +def restore_parsec_config(self): +""" Restore original Parsec config """ +self.target.run('cp -p %s-original %s' % (self.toml_file, self.toml_file)) +self.target.run(self.parsec_reload) + def check_parsec_providers(self, provider=None, prov_id=None): """ Get Parsec providers list and check for one if defined """ @@ -58,6 +59,23 @@ class ParsecTest(OERuntimeTestCase): status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else "")) self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output) +def check_packageconfig(self, prov): +""" Check that the require provider is included in Parsec """ +if prov not in self.tc.td['PACKAGECONFIG:pn-parsec-service']: +self.skipTest('%s provider is not included in Parsec. Parsec PACKAGECONFIG: "%s"' % \ + (prov, self.tc.td['PACKAGECONFIG:pn-parsec-service'])) + +def check_packages(self, prov, packages): +""" Check for the required packages for Parsec providers software backends """ +if isinstance(packages, str): +need_pkgs = set([packages,]) +else: +need_pkgs = set(packages) + +if not self.tc.image_packages.issuperset(need_pkgs): +self.skipTest('%s provider is not configured and packages "%s" are not included into the image' % \ + (prov, need_pkgs)) + @OEHasPackage(['parsec-service']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_all_providers(self): @@ -84,7 +102,9 @@ class ParsecTest(OERuntimeTestCase): 'mkdir /tmp/myvtpm', 'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init', 'tpm2_startup -c -T "swtpm:port=2321"', +'chown -R parsec /tmp/myvtpm', self.parsec_reload, +'sleep 5', ] for cmd in cmds: 
@@ -92,16 +112,30 @@ class ParsecTest(OERuntimeTestCase): self.assertEqual(status, 0, msg='\n'.join([cmd, output])) @OEHasPackage(['parsec-service']) -@OEHasPackage(['swtpm']) @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES') -@OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers']) +@OETestDepends(['ssh.SSHTest.test_ssh']) def test_tpm_provider(self): """ Configure and test Parsec TPM provider with swtpm as a backend """ +self.check_packageconf
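Review bot: the new `check_packageconfig` indexes `self.tc.td['PACKAGECONFIG:pn-parsec-service']` directly (twice, once in the condition and once in the `skipTest` message). That key is only present in the test data when PACKAGECONFIG is overridden in local.conf, so on a default build the helper raises `KeyError` instead of skipping the test. Use `self.tc.td.get('PACKAGECONFIG:pn-parsec-service', <recipe default>)`, or guard on the key, and format the message from the resulting value.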
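Review bot: in the `test_tpm_provider` command list, `'sleep 5'` after `self.parsec_reload` is a fixed delay that will be either too long on fast hosts or too short under load; polling `self.parsec_status` until it reports the service up is deterministic. The reason `'chown -R parsec /tmp/myvtpm'` is needed when the TPM is reached over TCP (`swtpm:port=2321`) is not obvious from the hunk; a comment would help, and if only a socket or state file is involved, chown that path rather than the whole directory.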
[yocto] [meta-parsec][PATCH] Use CARGO_TARGET_SUBDIR in do_install
Signed-off-by: Anton Antonov --- .../recipes-parsec/parsec-service/parsec-service_1.0.0.bb | 2 +- meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.bb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb index 84539f9..2a25178 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb @@ -45,7 +45,7 @@ PARSEC_CONFIG ?= "${S}/config.toml" do_install () { # Binaries install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec" -install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec +install -m 700 -o parsec -g parsec "${B}/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec # Config file install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec" diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.bb b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.bb index 4b053b9..6ecce8e 100644 --- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.bb +++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.bb 
@@ -11,7 +11,7 @@ RDEPENDS:${PN} = "openssl-bin" do_install() { install -d ${D}/${bindir} - install -m 755 "${B}/target/${TARGET_SYS}/release/parsec-tool" "${D}${bindir}/parsec-tool" + install -m 755 "${B}/target/${CARGO_TARGET_SUBDIR}/parsec-tool" "${D}${bindir}/parsec-tool" install -m 755 "${S}/tests/parsec-cli-tests.sh" "${D}${bindir}/parsec-cli-tests.sh" } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#57861): https://lists.yoctoproject.org/g/yocto/message/57861 Mute This Topic: https://lists.yoctoproject.org/mt/93099448/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
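Review bot: the parsec-service `install` line quotes the source path but leaves `${D}${libexecdir}/parsec/parsec` unquoted, while the parsec-tool line quotes both; quote the destination as well for consistency. Moving from the `${WORKDIR}/build/target` spelling to `${B}/target` is the right direction, since `B` is the canonical build-directory variable, and `CARGO_TARGET_SUBDIR` already carries the `${TARGET_SYS}/release` part that the old parsec-tool line spelled out by hand.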
Re: [yocto] running application in user mode instead of root #yocto
Hi,

You can use the start-stop-daemon command with the "--chuid" parameter. Here is an example:
https://git.yoctoproject.org/meta-security/tree/meta-parsec/recipes-parsec/parsec-service/files/parsec_init

Cheers,
Anton
[yocto] [meta-security][PATCH] meta-parsec: Update Parsec runtime tests
Signed-off-by: Anton Antonov --- meta-parsec/README.md | 65 + meta-parsec/lib/oeqa/runtime/cases/parsec.py | 135 -- .../images/security-parsec-image.bb | 5 +- .../packagegroup-security-parsec.bb | 1 - meta-tpm/classes/sanity-meta-tpm.bbclass | 4 +- 5 files changed, 191 insertions(+), 19 deletions(-) diff --git a/meta-parsec/README.md b/meta-parsec/README.md index 97026ea..f720cd2 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md 
@@ -88,6 +88,71 @@ https://github.com/meta-rust/cargo-bitbake 2. Run cargo-bitbake inside the repository. It will produce a BB file. 3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file. +Automated Parsec testing with runqemu += + + The Yocto build system has the ability to run a series of automated tests for qemu images. +All the tests are actually commands run on the target system over ssh. + + Meta-parsec includes automated unittests which run end to end Parsec tests. +The tests are run against: +- all providers pre-configured in the Parsec config file included in the image. +- PKCS11 and TPM providers with software backends if softhsm and + swtpm packages included in the image. + +Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec, +softhsm and swtpm included. + + Please notice that the account you use to run bitbake should have access to `/dev/kvm`. +You might need to change permissions or add the account into `kvm` unix group. + +1. Testing Parsec with your own image where `parsec-service` and `parsec-tool` are already included. + +- Add into your `local.conf`: +``` +INHERIT += "testimage" +TEST_SUITES = "ping ssh parsec" +``` +- Build your image +```bash +bitbake +``` +- Run tests +```bash +bitbake -c testimage +``` + +2. Testing Parsec with pre-defined `security-parsec-image` image. 
+ +- Add into your `local.conf`: +``` +DISTRO_FEATURES += " tpm2" +INHERIT += "testimage" +TEST_SUITES = "ping ssh parsec" +``` +- Build security-parsec-image image +```bash +bitbake security-parsec-image +``` +- Run tests +```bash +bitbake security-parsec-image -c testimage +``` + +Output of a successfull tests run should look similar to: +``` +RESULTS: +RESULTS - ping.PingTest.test_ping: PASSED (0.05s) +RESULTS - ssh.SSHTest.test_ssh: PASSED (0.25s) +RESULTS - parsec.ParsecTest.test_all_providers: PASSED (1.84s) +RESULTS - parsec.ParsecTest.test_pkcs11_provider: PASSED (2.91s) +RESULTS - parsec.ParsecTest.test_tpm_provider: PASSED (3.33s) +SUMMARY: +security-parsec-image () - Ran 5 tests in 8.386s +security-parsec-image - OK - All required tests passed (successes=5, skipped=0, failures=0, errors=0) +``` + + Manual testing with runqemu === diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py index 547f74c..d3d3f2e 100644 --- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py +++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py 
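Review bot: in the README hunk, the build step under "Testing Parsec with your own image" shows a bare `bitbake` with no image target (the placeholder was probably lost in angle brackets); spell it out, e.g. `bitbake <your-image>`, so the step matches the `bitbake security-parsec-image` form used below it. Also "Output of a successfull tests run" should read "Output of a successful test run".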
@@ -1,33 +1,138 @@ # Copyright (C) 2022 Armin Kuster +# Copyright (C) 2022 Anton Antonov # import re +from tempfile import mkstemp from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature class ParsecTest(OERuntimeTestCase): +@classmethod +def setUpClass(cls): +cls.toml_file = '/etc/parsec/config.toml' + +def setUp(self): +super(ParsecTest, self).setUp() +if 'systemd' in self.tc.td['DISTRO_FEATURES']: +self.parsec_status='systemctl status -l parsec' +self.parsec_reload='systemctl restart parsec' +else: +self.parsec_status='pgrep -l parsec' +self.parsec_reload='/etc/init.d/parsec reload' + +def copy_subconfig(self, cfg, provider): +""" Copy a provider configuration to target and append it to Parsec config """ + +tmp_fd, tmp_path = mkstemp() +with os.fdopen(tmp_fd, 'w') as f: +f.write('\n'.join(cfg)) + +(status, output) = self.target.copyTo(tmp_path, "%s-%s" % (self.toml_file, provider)) +self.assertEqual(status, 0, msg='File could not be copied.\n%s' % output) +status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file)) +os.remove(tmp_path) + +def check_parsec_providers(self, provider=None, prov_id=None): +""" Get Parsec providers list and check for one if defined """ + +status, output = self.target.run(self.parsec_status) +self.assertEqual(status, 0, msg='Parsec service is not running.\n%s' % output) + +status, output = self.target.run('parsec-tool list-pro
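Review bot: `copy_subconfig` calls `os.fdopen` and `os.remove`, but the import block in this hunk only adds `from tempfile import mkstemp`; unless `import os` exists elsewhere in the file, the first call raises `NameError`. The status of the `cat %s-%s >>%s` append is stored but never asserted, so a failed append to config.toml would only surface later as a confusing provider-list failure; add `self.assertEqual(status, 0, ...)` as is done for `copyTo`. Note also that `parsec_reload` is `systemctl restart parsec` on systemd but `/etc/init.d/parsec reload` on sysvinit; if the init script's `reload` does not restart the process, the two paths pick up a rewritten config differently.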
[yocto] [meta-security][PATCH] Parsec-service: Fix arm32 build
Signed-off-by: Anton Antonov --- .../recipes-parsec/parsec-service/parsec-service_1.0.0.bb | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb index ad7e560..84539f9 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb @@ -26,7 +26,11 @@ PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" export BINDGEN_EXTRA_CLANG_ARGS -BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include" +target = "${@d.getVar('TARGET_SYS',True).replace('-', ' ')}" +BINDGEN_EXTRA_CLANG_ARGS = "${@bb.utils.contains('target', 'arm', \ + '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include -mfloat-abi=hard', \ + '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include', \ + d)}" inherit systemd SYSTEMD_SERVICE:${PN} = "parsec.service" -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#57154): https://lists.yoctoproject.org/g/yocto/message/57154 Mute This Topic: https://lists.yoctoproject.org/mt/91286325/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
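Review bot: the helper variable `target` is a lowercase recipe-global that is easy to collide with or misread; deriving the hard-float decision from `TUNE_FEATURES` (`callconvention-hard`) instead of matching the `arm` token of `TARGET_SYS` would also stop the recipe from forcing `-mfloat-abi=hard` on a soft-float arm tune, where bindgen would then disagree with the compiler's ABI. Minor: `d.getVar('TARGET_SYS',True)` can be `d.getVar('TARGET_SYS')`, since the expand argument defaults to True in current bitbake. Commit message is empty apart from the Signed-off-by; one line on why arm32 needed the extra flag would help.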
Re: [yocto] [meta-parsec][PATCH 3/3] oeqa: add parsec runtime tests
Hi Amir,

Thank you very much for adding Parsec runtime testing. I have a few small comments:

1. You defined the security Parsec image without TPM (with the packagegroup-security-parsec group), but in the runtime tests you use TPM. Shouldn't you use an image with the packagegroup-security-parsec-tpm2 group instead?

2. Could you add the 'parsec-cli-tests.sh' script after "parsec start" in the "cmds" list? This script runs end-to-end tests against the Parsec service. The script is a part of the parsec-tool package and it's already included in the image.

Regards,
Anton
[yocto] [meta-security][PATCH] Parsec-service: Update installation procedure
Signed-off-by: Anton Antonov --- .../parsec-service/files/parsec-tmpfiles.conf| 1 + .../parsec-service/parsec-service_1.0.0.bb | 16 +--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf index fe576a2..954bfa3 100644 --- a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf +++ b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf @@ -1,2 +1,3 @@ #Type PathModeUserGroup Age Argument d /run/parsec 755 parsec parsec - - +d /var/lib/parsec 700 parsec parsec - - diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb index d1d6c07..ad7e560 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb @@ -15,8 +15,8 @@ PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO" have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}" PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}" -PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts" -PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss" +PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts" +PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device" PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings," PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider," PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider," 
@@ -25,6 +25,9 @@ PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts" PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}" CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" +export BINDGEN_EXTRA_CLANG_ARGS +BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include" + inherit systemd SYSTEMD_SERVICE:${PN} = "parsec.service" @@ -35,7 +38,7 @@ INITSCRIPT_NAME = "parsec" # The file should also be included into SRC_URI then PARSEC_CONFIG ?= "${S}/config.toml" -do_install:append () { +do_install () { # Binaries install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec" install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec @@ -44,9 +47,6 @@ do_install:append () { install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec" install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml -# Data dir -install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${systemd_unitdir}/system install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system @@ -58,6 +58,8 @@ do_install:append () { if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/init.d install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec +# Data dir +install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" fi } 
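Review bot: `do_install:append ()` becoming `do_install ()` replaces the cargo class's own install step instead of extending it, and the commit message should state why (presumably to stop the parsec binary from also landing in ${bindir} with default permissions, now that it is installed 700 under ${libexecdir}/parsec). Moving `install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"` into the sysvinit branch means that on systemd images the directory exists only after systemd-tmpfiles has run; `WorkingDirectory=/var/lib/parsec/` in parsec.service is then satisfied because a unit with default dependencies is ordered after sysinit.target, but that reliance is worth a comment next to the tmpfiles line. The `export BINDGEN_EXTRA_CLANG_ARGS` with `--sysroot=${WORKDIR}/recipe-sysroot` is a good cross-build fix: without it bindgen generates the tss-esapi and cryptoki bindings from host headers.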
@@ -65,12 +67,12 @@ inherit useradd USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec" GROUPADD_PARAM:${PN} = "-r parsec" +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}" FILES:${PN} += " \ ${sysconfdir}/parsec/config.toml \ ${libexecdir}/parsec/parsec \ ${systemd_unitdir}/system/parsec.service \ -${localstatedir}/lib/parsec \ ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \ ${sysconfdir}/init.d/parsec \ " -- 2.25.1
View/Reply Online (#57146): https://lists.yoctoproject.org/g/yocto/message/57146
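Review bot: `GROUPMEMS_PARAM:${PN}` keys on the substring `tpm-provider` in PACKAGECONFIG_CONFARGS, but a build with `PACKAGECONFIG = "ALL"` enables the TPM provider through the `all-providers` feature and never matches, so parsec is not added to the tss group and cannot open /dev/tpmrm0 (tpm2-tss's udev rule makes it group tss, mode 0660). Test for `all-providers` as well, or key the condition on the flags themselves, e.g. `bb.utils.contains_any('PACKAGECONFIG', 'TPM ALL', '-a parsec -g tss', '', d)`. Dropping `${localstatedir}/lib/parsec` from FILES while the sysvinit branch of do_install still creates that directory leaves it installed but unpackaged on sysvinit images; either keep it in FILES or confirm a sysvinit build passes the installed-vs-shipped QA check.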
[yocto] [meta-security][PATCH] Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2
Signed-off-by: Anton Antonov --- meta-parsec/README.md | 36 ++- .../parsec-service/files/systemd.patch| 21 +- .../parsec-service/parsec-service_0.8.1.inc | 246 -- ...rvice_0.8.1.bb => parsec-service_1.0.0.bb} | 12 +- .../parsec-service/parsec-service_1.0.0.inc | 232 + ...sec-tool_0.5.1.bb => parsec-tool_0.5.2.bb} | 0 ...c-tool_0.5.1.inc => parsec-tool_0.5.2.inc} | 148 +-- 7 files changed, 351 insertions(+), 344 deletions(-) delete mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc rename meta-parsec/recipes-parsec/parsec-service/{parsec-service_0.8.1.bb => parsec-service_1.0.0.bb} (96%) create mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.inc rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.5.1.bb => parsec-tool_0.5.2.bb} (100%) rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.5.1.inc => parsec-tool_0.5.2.inc} (61%) diff --git a/meta-parsec/README.md b/meta-parsec/README.md index 85e0d10..97026ea 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md 
@@ -43,20 +43,34 @@ local.conf: IMAGE_INSTALL:append = " parsec-service" By default the Parsec service will be deployed into the image with -TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in -and with the default config file from the Parsec repository: -https://github.com/parallaxsecond/parsec/blob/main/config.toml +PKCS11 and MBED-CRYPTO providers build-in. + The TPM provider will also be built by default if: +- DISTRO_FEATURES contains "tmp2" and +- "tpm-layer" (meta-tpm) is included in BBLAYERS - You can use PACKAGECONFIG for Parsec servic recipe to define -what providers should be built in. For example, -PACKAGECONFIG:pn-parsec-service = "TPM" +You can use PACKAGECONFIG for Parsec servic recipe to define +what providers should be built in. For example: - The default Parsec service config file contains the MbedCrypto provider -enabled. The config file needs to be updated to use the Parsec service -with other providers like TPM or PKCS11. The required procedures are -covered in Parsec documentation. -https://parallaxsecond.github.io/parsec-book/ +PACKAGECONFIG:pn-parsec-service = "TS" + + +The default Parsec service config file is taken from the Parsec repository: +https://github.com/parallaxsecond/parsec/blob/main/config.toml +This config file contains the MbedCrypto provider enabled. +The config needs to be updated to use the Parsec service +with other providers like TPM or PKCS11. The required changes are +covered in Parsec documentation https://parallaxsecond.github.io/parsec-book/ + + PARSEC_CONFIG can be used in a bbappend file to replace the default config. +For example: + +``` +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +SRC_URI += "file://config-TS.toml \ + " +PARSEC_CONFIG = "${WORKDIR}/config-TS.toml" +``` Updating recipes diff --git a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch index c01ff06..2525898 100644 
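Review bot: the added README text says `DISTRO_FEATURES contains "tmp2"`, which should be `tpm2` (the feature name the recipe's have_TPM check uses); anyone who copies it gets no TPM provider and no error. Same hunk: `Parsec servic recipe` (service), `providers build-in` (built in), and the bbappend example uses the pre-3.4 `FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"` while the surrounding text uses `IMAGE_INSTALL:append` and `PACKAGECONFIG:pn-parsec-service`; make it `FILESEXTRAPATHS:prepend :=` so the example works with the override syntax the rest of the README assumes.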
--- a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch +++ b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch @@ -4,16 +4,25 @@ Run the Parsec service as parsec user in /var/lib/parsec/ working directory. Signed-off-by: Anton Antonov Upstream-Status: Inappropriate [deployment configuration] a/systemd-daemon/parsec.service2021-03-28 18:34:18.703196235 +0100 -+++ b/systemd-daemon/parsec.service2021-03-28 18:35:14.279830299 +0100 -@@ -3,7 +3,9 @@ +diff --git a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service +index c07c3b9..a6fe6a3 100644 +--- a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service +@@ -3,13 +3,15 @@ Description=Parsec Service Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html - + [Service] -WorkingDirectory=/home/parsec/ +User=parsec +Group=parsec +WorkingDirectory=/var/lib/parsec/ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml - - [Install] + # Systemd hardening + ProtectSystem=full + ProtectHome=true + ProtectHostname=true +-ProtectKernelTunables=true ++#ProtectKernelTunables=true + ProtectKernelModules=true + ProtectKernelLogs=true + ProtectControlGroups=true diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc deleted file mode 100644 index fd88e87..000 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc +++ /dev/null @@ -1,246 +0,0 @@ -# This file is created from parsec-service repository Cargo.lock using cargo-bitbake tool - -SRC_URI += " \ -crate://crates.io/addr2line/0.15.2 \ -crate://crate
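Review bot: the systemd.patch hunk comments out `ProtectKernelTunables=true` but the patch header still only says "Run the Parsec service as parsec user in /var/lib/parsec/ working directory", so the reason for weakening the upstream hardening is not recorded anywhere. That directive is what keeps /proc/sys and /sys read-only for the service; if one of the providers needs a specific path writable, name it in the patch description and prefer `ReadWritePaths=` for that path over dropping the directive, and if it is only a workaround for an old systemd or qemu setup, say so and keep the line enabled by default. Also note the hunk context changes from `@@ -3,7 +3,9 @@` to `@@ -3,13 +3,15 @@`, i.e. the patch was rebased onto a unit that already carries the hardening block; a sentence about that in the commit message would help the next rebase.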
[yocto] [meta-security][PATCH] Upgrade parsec-tool to 0.5.1
Signed-off-by: Anton Antonov --- meta-parsec/conf/layer.conf | 2 +- ...sec-tool_0.4.0.bb => parsec-tool_0.5.1.bb} | 0 ...c-tool_0.4.0.inc => parsec-tool_0.5.1.inc} | 166 -- 3 files changed, 74 insertions(+), 94 deletions(-) rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.4.0.bb => parsec-tool_0.5.1.bb} (100%) rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.4.0.inc => parsec-tool_0.5.1.inc} (55%) diff --git a/meta-parsec/conf/layer.conf b/meta-parsec/conf/layer.conf index 19900bb..544cc4e 100644 --- a/meta-parsec/conf/layer.conf +++ b/meta-parsec/conf/layer.conf @@ -10,5 +10,5 @@ BBFILE_PRIORITY_parsec-layer = "5" LAYERSERIES_COMPAT_parsec-layer = "kirkstone" -LAYERDEPENDS_parsec-layer = "core clang-layer tpm-layer" +LAYERDEPENDS_parsec-layer = "core clang-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.4.0.bb b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.bb similarity index 100% rename from meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.4.0.bb rename to meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.bb diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.4.0.inc b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.inc similarity index 55% rename from meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.4.0.inc rename to meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.inc index e706112..567cc37 100644 --- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.4.0.inc +++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.inc 
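Review bot: removing `tpm-layer` from `LAYERDEPENDS_parsec-layer` is not covered by the subject ("Upgrade parsec-tool to 0.5.1") and changes the layer's contract, because the parsec-service TPM provider builds against tpm2-tss from meta-tpm. The commit message should say what happens when meta-tpm is not in BBLAYERS (a conditional PACKAGECONFIG keyed on BBFILE_COLLECTIONS, as the 1.0.0 recipe on this page does, or a build failure) and ideally the layer.conf change should be its own patch.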
@@ -1,93 +1,83 @@ # This file is created from parsec-tool repository Cargo.lock using cargo-bitbake tool SRC_URI += " \ -crate://crates.io/addr2line/0.15.2 \ -crate://crates.io/adler/1.0.2 \ crate://crates.io/aho-corasick/0.7.15 \ crate://crates.io/ansi_term/0.11.0 \ crate://crates.io/ansi_term/0.12.1 \ -crate://crates.io/anyhow/1.0.42 \ +crate://crates.io/anyhow/1.0.44 \ crate://crates.io/arrayvec/0.5.2 \ crate://crates.io/atty/0.2.14 \ crate://crates.io/autocfg/1.0.1 \ -crate://crates.io/backtrace/0.3.59 \ crate://crates.io/base64/0.12.3 \ crate://crates.io/base64/0.13.0 \ crate://crates.io/bincode/1.3.3 \ crate://crates.io/bindgen/0.57.0 \ -crate://crates.io/bitflags/1.2.1 \ +crate://crates.io/bitflags/1.3.2 \ crate://crates.io/bitvec/0.19.5 \ crate://crates.io/block-buffer/0.9.0 \ -crate://crates.io/boringssl-src/0.3.0+688fc5c \ -crate://crates.io/bumpalo/3.7.0 \ -crate://crates.io/bytes/0.5.6 \ -crate://crates.io/cc/1.0.69 \ +crate://crates.io/bumpalo/3.7.1 \ +crate://crates.io/bytes/1.1.0 \ +crate://crates.io/cc/1.0.70 \ crate://crates.io/cexpr/0.4.0 \ crate://crates.io/cfg-if/1.0.0 \ crate://crates.io/chrono/0.4.19 \ -crate://crates.io/clang-sys/1.2.0 \ +crate://crates.io/clang-sys/1.2.2 \ crate://crates.io/clap/2.33.3 \ -crate://crates.io/clap/3.0.0-beta.2 \ -crate://crates.io/clap_derive/3.0.0-beta.2 \ +crate://crates.io/clap/3.0.0-beta.4 \ +crate://crates.io/clap_derive/3.0.0-beta.4 \ crate://crates.io/cmake/0.1.45 \ -crate://crates.io/const-oid/0.6.0 \ -crate://crates.io/cpufeatures/0.1.5 \ +crate://crates.io/const-oid/0.6.2 \ +crate://crates.io/cpufeatures/0.2.1 \ crate://crates.io/data-encoding/2.3.2 \ crate://crates.io/der-oid-macro/0.4.0 \ crate://crates.io/der-parser/5.1.2 \ -crate://crates.io/der/0.4.0 \ +crate://crates.io/der/0.4.5 \ crate://crates.io/derivative/2.2.0 \ crate://crates.io/digest/0.9.0 \ crate://crates.io/either/1.6.1 \ crate://crates.io/env_logger/0.8.4 \ -crate://crates.io/failure/0.1.8 \ -crate://crates.io/failure_derive/0.1.8 \ 
crate://crates.io/form_urlencoded/1.0.1 \ crate://crates.io/funty/1.1.0 \ -crate://crates.io/futures-channel/0.3.16 \ -crate://crates.io/futures-core/0.3.16 \ -crate://crates.io/futures-executor/0.3.16 \ -crate://crates.io/futures-io/0.3.16 \ -crate://crates.io/futures-macro/0.3.16 \ -crate://crates.io/futures-sink/0.3.16 \ -crate://crates.io/futures-task/0.3.16 \ -crate://crates.io/futures-util/0.3.16 \ -crate://crates.io/futures/0.3.16 \ +crate://crates.io/futures-channel/0.3.17 \ +crate://crates.io/futures-core/0.3.17 \ +crate://crates.io/futures-executor/0.3.17 \ +crate://crates.io/futures-io/0.3.17 \ +crate://crates.io/futures-macro/0.3.17 \ +crate://crates.io/futures-sink/0.3.17 \ +crate://crates.io/futures-task/0.3.17 \ +crate://crates.io/futures-util/0.3.17 \ +crate://crates.io/futures/0.3.17 \ crate://crates.io/generic-array/0.14.4 \ -crate://crates.io/getrandom/0.2.3 \ -crate://crates.io/gimli/0.24.0
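Review bot: the regenerated crate list pins each dependency by version only (`crate://crates.io/name/version`), so nothing in the recipe binds a version to content; the header says it comes from Cargo.lock via cargo-bitbake, so record the parsec-tool tag and Cargo.lock the list was generated from in the commit message, and if the crate fetcher in the target release supports per-crate checksums, add them. The changes themselves (dropping backtrace, failure, boringssl-src, moving bytes to 1.1.0 and clap to 3.0.0-beta.4) are consistent with a plain 0.4.0 to 0.5.1 bump.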
[yocto] [meta-security][PATCH] Parsec service. Update PACKAGECONFIG definitions and README.md
Signed-off-by: Anton Antonov --- meta-parsec/README.md | 23 +++ .../parsec-service/parsec-service_0.8.1.bb| 10 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/meta-parsec/README.md b/meta-parsec/README.md index aeb48a6..c5635d3 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md @@ -1,8 +1,7 @@ meta-parsec layer == -This layer contains recipes for the Parsec service with Mbed-Crypto, -Pkcs11 and TPM providers and parsec tools. +This layer contains recipes for the Parsec service and parsec tools. Dependencies @@ -43,9 +42,16 @@ local.conf: IMAGE_INSTALL:append = " parsec-service" - The Parsec service will be deployed into the image built with all the supported -providers and with the default config file from the Parsec repository: + By default the Parsec service will be deployed into the image with +TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in +and with the default config file from the Parsec repository: https://github.com/parallaxsecond/parsec/blob/main/config.toml + + You can use PACKAGECONFIG for Parsec servic recipe to define +what providers should be built in. For example, + +PACKAGECONFIG:pn-parsec-service = "TPM" + The default Parsec service config file contains the MbedCrypto provider enabled. The config file needs to be updated to use the Parsec service with other providers like TPM or PKCS11. The required procedures are 
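Review bot: in the added README text, `Parsec servic recipe` should be `Parsec service recipe` and `providers build in` should be `built in`. The example `PACKAGECONFIG:pn-parsec-service = "TPM"` replaces the whole default set, so it produces a service with only the TPM provider compiled in; say so, or show the `:append` form, otherwise a reader expecting "default plus TPM" will lose PKCS11 and MBED-CRYPTO without noticing.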
@@ -80,12 +86,19 @@ manual testing of the Parsec service: to test the Parsec service base functionality: https://www.youtube.com/watch?v=ido0CyUdMHM=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg=4 + The parsec-tool recipe also includes `parsec-cli-tests.sh` script +which runs e2e tests against all providers enabled and configured +in Parsec service. + You can use runqemu to start a VM with a built image file and run manual tests with parsec-tool. +Enabling Parsec providers for manual testing + + 1. MbedCrypto provider The default Parsec service config file contains the MbedCrypto provider -enabled. No changes required for manual testing. +enabled. No changes required. 2. PKCS11 provider The Software HSM can be used for manual testing of the provider by diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb index b8bfa98..9161872 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb 
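Review bot: the unchanged context line with the YouTube link reads `watch?v=ido0CyUdMHM=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg=4`, which has lost its `&list=`/`&index=` separators (possibly in the archive rather than in the README); worth checking while this section is being edited. The new paragraph about `parsec-cli-tests.sh` should say where the parsec-tool recipe installs it, since the rest of this section tells the reader to run things by hand after runqemu.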
@@ -13,15 +13,15 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \ DEPENDS = "clang-native" PACKAGECONFIG ??= "TPM PKCS11 MBED-CRYPTO CRYPTOAUTHLIB" -PACKAGECONFIG[ALL] = "all-providers,,tpm2-tss libts,libts" -PACKAGECONFIG[TPM] = "tpm-provider,,tpm2-tss" -PACKAGECONFIG[PKCS11] = "pkcs11-provider," +PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts" +PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss" +PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings," PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider," PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider," PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts" -PARSEC_PROVIDERS = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).replace(' ', ',')}" -CARGO_BUILD_FLAGS += " --features ${PARSEC_PROVIDERS},cryptoki/generate-bindings,tss-esapi/generate-bindings" +PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}" +CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" inherit systemd SYSTEMD_SERVICE:${PN} = "parsec.service" -- 2.25.1
View/Reply Online (#55120): https://lists.yoctoproject.org/g/yocto/message/55120
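Review bot: `PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}"` is empty when a user sets `PACKAGECONFIG:pn-parsec-service = ""`, and `CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"` then hands cargo a bare `--features` that swallows the next flag; either guard the append on a non-empty value or use `--features=${PARSEC_FEATURES}`. Moving `cryptoki/generate-bindings` and `tss-esapi/generate-bindings` into the per-flag enable fields is the right fix, since the old line requested both binding generators even when the matching provider was off. The default `PACKAGECONFIG ??= "TPM PKCS11 MBED-CRYPTO CRYPTOAUTHLIB"` makes tpm2-tss a build dependency of every default build through `PACKAGECONFIG[TPM]`, which is consistent with the README hunk but ties the layer to meta-tpm; state that in the commit message.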
Re: [yocto] [meta-security][PATCH] swtpm: update to 0.6.1
This recipe fails because of the wrong format in

PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools"

There should be only four parts in the line, separated by commas, as defined here: https://www.yoctoproject.org/docs/2.4.2/ref-manual/ref-manual.html#var-PACKAGECONFIG

View/Reply Online (#54905): https://lists.yoctoproject.org/g/yocto/message/54905
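The field layout that the reply above relies on can be checked mechanically. The Python below is an added example, not code from BitBake, meta-security or the swtpm recipe: it reimplements the comma-field splitting and the enabled/disabled bookkeeping that base.bbclass applies to `PACKAGECONFIG[...]` definitions, parses the swtpm gnutls line quoted above together with the parsec-service 1.0.0 definitions from the "Update installation procedure" patch on this page, and reproduces two things those recipes derive from the result: the PARSEC_FEATURES string passed to cargo, and the `'tpm-provider' in PACKAGECONFIG_CONFARGS` test that decides whether the parsec user joins the tss group. The field limit is a parameter because it depends on the release's base.bbclass (the 2.4 manual cited in the reply documents four fields; current base.bbclass accepts up to six, with RRECOMMENDS and conflicting flags in positions five and six). The function names `parse_packageconfig`, `resolve`, `cargo_features` and `tpm_provider_selected` are this example's own.

```python
"""Check BitBake PACKAGECONFIG[...] definitions off-line.

Added example, not code from BitBake, meta-security or meta-parsec. It mimics
how base.bbclass splits 'PACKAGECONFIG[flag] = "a,b,c,d,e,f"' into fields and
how it derives PACKAGECONFIG_CONFARGS / DEPENDS / RDEPENDS / RRECOMMENDS from
the enabled flags, so recipe lines can be sanity-checked before a build.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Positional meaning of the comma-separated fields. The 2.4 manual documents
# the first four; newer base.bbclass accepts all six.
FIELD_NAMES = ("enable", "disable", "depends", "rdepends", "rrecommends", "conflicts")

_ASSIGN_RE = re.compile(r'^PACKAGECONFIG\[(?P<flag>[^\]]+)\]\s*\?{0,2}=\s*"(?P<value>.*)"\s*$')


@dataclass
class Flag:
    name: str
    fields: List[str]  # always len(FIELD_NAMES) entries; missing ones are ""


def parse_packageconfig(line: str, max_fields: int = len(FIELD_NAMES)) -> Flag:
    """Parse one PACKAGECONFIG[flag] = "..." line, rejecting surplus fields."""
    m = _ASSIGN_RE.match(line.strip())
    if not m:
        raise ValueError("not a PACKAGECONFIG[...] assignment: %r" % line)
    # base.bbclass splits on ',' and strips whitespace around each field
    fields = [f.strip() for f in m.group("value").split(",")]
    if len(fields) > max_fields:
        raise ValueError("PACKAGECONFIG[%s] has %d fields, at most %d allowed"
                         % (m.group("flag"), len(fields), max_fields))
    fields += [""] * (len(FIELD_NAMES) - len(fields))
    return Flag(m.group("flag"), fields)


def field_count_ok(line: str, max_fields: int) -> bool:
    """True if the line parses under the given field limit (the swtpm check)."""
    try:
        parse_packageconfig(line, max_fields)
        return True
    except ValueError:
        return False


def resolve(flags: Sequence[Flag], enabled: Sequence[str]) -> Dict[str, str]:
    """Collect what base.bbclass appends for the enabled PACKAGECONFIG flags."""
    on = set(enabled)
    unknown = on - {f.name for f in flags}
    if unknown:  # bitbake warns about flags that have no PACKAGECONFIG[] entry
        raise ValueError("undefined PACKAGECONFIG flags: %s" % sorted(unknown))
    out: Dict[str, List[str]] = {"CONFARGS": [], "DEPENDS": [], "RDEPENDS": [], "RRECOMMENDS": []}
    for f in flags:  # definition order, as bitbake iterates the flags
        enable, disable, dep, rdep, rrec, conflicts = f.fields
        if f.name in on:
            clash = set(conflicts.split()) & on
            if clash:
                raise ValueError("PACKAGECONFIG %s conflicts with %s" % (f.name, sorted(clash)))
            for key, val in (("CONFARGS", enable), ("DEPENDS", dep),
                             ("RDEPENDS", rdep), ("RRECOMMENDS", rrec)):
                if val:
                    out[key].append(val)
        elif disable:
            out["CONFARGS"].append(disable)
    return {k: " ".join(v) for k, v in out.items()}


def cargo_features(confargs: str) -> str:
    """PARSEC_FEATURES as the parsec-service recipe derives it from CONFARGS."""
    return confargs.strip().replace(" ", ",")


def tpm_provider_selected(confargs: str) -> bool:
    """The substring test the recipe uses before adding user parsec to group tss."""
    return "tpm-provider" in confargs


# Constructed inputs, copied from the patches and the reply on this page.
PARSEC_LINES = [
    'PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"',
    'PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"',
    'PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"',
    'PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"',
    'PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"',
    'PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"',
]
SWTPM_GNUTLS = ('PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, '
                'expect bash tpm2-pkcs11-tools"')


def parsec_flags() -> List[Flag]:
    """The parsec-service 1.0.0 definitions, parsed."""
    return [parse_packageconfig(line) for line in PARSEC_LINES]


if __name__ == "__main__":
    for chosen in (["PKCS11", "MBED-CRYPTO"], ["TPM", "PKCS11", "MBED-CRYPTO"], ["ALL"]):
        r = resolve(parsec_flags(), chosen)
        print(chosen, "->", cargo_features(r["CONFARGS"]), "| RDEPENDS:", r["RDEPENDS"],
              "| tss group:", tpm_provider_selected(r["CONFARGS"]))
    print("swtpm gnutls line under a 4-field limit:", field_count_ok(SWTPM_GNUTLS, 4))
```

Running it shows the two things worth knowing here: the swtpm line has five fields, so it is rejected under the four-field rule from the reply and accepted (with `expect bash tpm2-pkcs11-tools` as RRECOMMENDS) under the six-field layout; and with `PACKAGECONFIG = "ALL"` the TPM provider is built but `tpm_provider_selected` is False, which is exactly the gap in the recipe's GROUPMEMS condition.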
[yocto] [meta-security][PATCH] Upgrade parsec-service 0.8.1 and parsec-tool 0.4.0
Signed-off-by: Anton Antonov --- .../parsec-service/files/cryptoki.patch | 18 -- .../parsec-service/parsec-service_0.7.0.inc | 147 --- ...rvice_0.7.0.bb => parsec-service_0.8.1.bb} | 15 +- .../parsec-service/parsec-service_0.8.1.inc | 246 ++ .../parsec-tool/parsec-tool_0.3.0.inc | 127 - ...sec-tool_0.3.0.bb => parsec-tool_0.4.0.bb} | 3 + .../parsec-tool/parsec-tool_0.4.0.inc | 216 +++ 7 files changed, 477 insertions(+), 295 deletions(-) delete mode 100644 meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch delete mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc rename meta-parsec/recipes-parsec/parsec-service/{parsec-service_0.7.0.bb => parsec-service_0.8.1.bb} (77%) create mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc delete mode 100644 meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.inc rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.3.0.bb => parsec-tool_0.4.0.bb} (75%) create mode 100644 meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.4.0.inc diff --git a/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch b/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch deleted file mode 100644 index c234479..000 --- a/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch +++ /dev/null @@ -1,18 +0,0 @@ - -Use cryptoki v0.1.1 which supports the "generate-bindings" feature -required for building Parsec service 0.7.0 in Yocto. - -Signed-off-by: Anton Antonov -Upstream-Status: Submitted - a/Cargo.toml 2021-04-01 10:29:50.333687763 +0100 -+++ b/Cargo.toml 2021-04-01 10:27:13.051860002 +0100 -@@ -37,7 +37,7 @@ - version = "1.3.1" - - [dependencies.cryptoki] --version = "0.1.0" -+version = "0.1.1" - features = ["psa-crypto-conversions"] - optional = true - diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc deleted file mode 100644 index 59a47f9..000 
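Review bot: deleting files/cryptoki.patch (Upstream-Status: Submitted) is only correct if parsec-service 0.8.1's Cargo.toml already depends on a cryptoki release that has the `generate-bindings` feature; the commit message is empty apart from the sign-off, so please record that, and the upstream tags of parsec-service 0.8.1 and parsec-tool 0.4.0 the regenerated .inc crate lists were produced from, since those lists pin versions but not content.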
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc +++ /dev/null 
@@ -1,147 +0,0 @@ -# This file is created from parsec-service repository Cargo.lock using cargo-bitbake tool - -SRC_URI += " \ -crate://crates.io/aho-corasick/0.7.15 \ -crate://crates.io/ansi_term/0.11.0 \ -crate://crates.io/anyhow/1.0.38 \ -crate://crates.io/atty/0.2.14 \ -crate://crates.io/autocfg/1.0.1 \ -crate://crates.io/base64/0.12.3 \ -crate://crates.io/base64/0.13.0 \ -crate://crates.io/bincode/1.3.2 \ -crate://crates.io/bindgen/0.56.0 \ -crate://crates.io/bindgen/0.57.0 \ -crate://crates.io/bitfield/0.13.2 \ -crate://crates.io/bitflags/1.2.1 \ -crate://crates.io/byteorder/1.3.4 \ -crate://crates.io/bytes/0.5.6 \ -crate://crates.io/bytes/1.0.1 \ -crate://crates.io/cc/1.0.67 \ -crate://crates.io/cexpr/0.4.0 \ -crate://crates.io/cfg-if/1.0.0 \ -crate://crates.io/clang-sys/1.1.1 \ -crate://crates.io/clap/2.33.3 \ -crate://crates.io/cmake/0.1.45 \ -crate://crates.io/cryptoauthlib-sys/0.1.0 \ -crate://crates.io/cryptoki-sys/0.1.1 \ -crate://crates.io/cryptoki/0.1.1 \ -crate://crates.io/derivative/2.2.0 \ -crate://crates.io/either/1.6.1 \ -crate://crates.io/enumflags2/0.6.4 \ -crate://crates.io/enumflags2_derive/0.6.4 \ -crate://crates.io/env_logger/0.8.3 \ -crate://crates.io/fixedbitset/0.2.0 \ -crate://crates.io/getrandom/0.2.2 \ -crate://crates.io/glob/0.3.0 \ -crate://crates.io/hashbrown/0.9.1 \ -crate://crates.io/heck/0.3.2 \ -crate://crates.io/hermit-abi/0.1.18 \ -crate://crates.io/hex/0.4.3 \ -crate://crates.io/hostname-validator/1.0.0 \ -crate://crates.io/humantime/2.1.0 \ -crate://crates.io/indexmap/1.6.2 \ -crate://crates.io/itertools/0.8.2 \ -crate://crates.io/itertools/0.9.0 \ -crate://crates.io/lazy_static/1.4.0 \ -crate://crates.io/lazycell/1.3.0 \ -crate://crates.io/libc/0.2.89 \ -crate://crates.io/libloading/0.7.0 \ -crate://crates.io/log/0.4.14 \ -crate://crates.io/mbox/0.5.0 \ -crate://crates.io/memchr/2.3.4 \ -crate://crates.io/multimap/0.8.3 \ -crate://crates.io/nom/5.1.2 \ -crate://crates.io/num-bigint/0.3.2 \ 
-crate://crates.io/num-complex/0.3.1 \ -crate://crates.io/num-derive/0.3.3 \ -crate://crates.io/num-integer/0.1.44 \ -crate://crates.io/num-iter/0.1.42 \ -crate://crates.io/num-rational/0.3.2 \ -crate://crates.io/num-traits/0.2.14 \ -crate://crates.io/num/0.3.1 \ -crate://crates.io/num_cpus/1.13.0 \ -crate://crates.io/oid/0.1.1 \ -crate://crates.io/parsec-interface/0.24.0 \ -crate://crates.io/peeking_take_while/0.1.2 \ -crate://crates.io/petgraph/0.5.1 \ -crate://crates.io/picky-asn1-de
[yocto] [meta-security][PATCH] Do not use clang toolchain in Parsec recipes
Signed-off-by: Anton Antonov --- .../recipes-parsec/parsec-service/parsec-service_0.7.0.bb | 3 +-- meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb| 2 -- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb index 0e14955..d57a43a 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb @@ -10,8 +10,7 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \ file://parsec-tmpfiles.conf \ " -DEPENDS = "tpm2-tss" -TOOLCHAIN = "clang" +DEPENDS = "tpm2-tss clang-native" CARGO_BUILD_FLAGS += " --features all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings" diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb index 35c65c0..881f8d8 100644 --- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb +++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb @@ -7,8 +7,6 @@ inherit cargo SRC_URI += "crate://crates.io/parsec-tool/${PV} \ " -TOOLCHAIN = "clang" - do_install() { install -d ${D}/${bindir} install -m 755 "${B}/target/${TARGET_SYS}/release/parsec-tool" "${D}${bindir}/parsec-tool" -- 2.25.1
View/Reply Online (#54125): https://lists.yoctoproject.org/g/yocto/message/54125
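Review bot: the commit has no body explaining why `TOOLCHAIN = "clang"` is dropped in favour of `DEPENDS = "tpm2-tss clang-native"`, and the distinction matters: `TOOLCHAIN = "clang"` builds the whole recipe, including any C compiled from build scripts, with the meta-clang target toolchain, whereas `clang-native` only provides the libclang that bindgen needs at build time for `cryptoki/generate-bindings,tss-esapi/generate-bindings` in the unchanged CARGO_BUILD_FLAGS line. Put that reasoning in the message so the earlier "Clearly define clang toolchain" change is not reinstated by the next person who sees a bindgen error. For parsec-tool, which removes `TOOLCHAIN = "clang"` without adding any clang dependency, say whether it no longer needs bindgen at all.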
Re: [yocto] [meta-raspberrypi] Booting a Raspberry Pi 4 using PXE
I don't know what exactly you mean by "whenever the Raspi is booting over the network". When a machine boots from the network (i.e. using DHCP/BOOTP), the DHCP server usually points to, for example, a TFTP server from which the kernel, the initramfs and the kernel parameters should be obtained. So you need to check your DHCP/TFTP/etc. server configuration for the kernel parameters.

View/Reply Online (#53393): https://lists.yoctoproject.org/g/yocto/message/53393
Re: [yocto] #yocto llvm support
Hi Steven,

I used meta-clang in my recipes and I noticed that:

1. The current release of poky uses LLVM v11.1.0 by default (poky/meta/recipes-devtools/llvm/llvm_git.bb).
2. Meta-clang requires LLVM v12.0.0 (meta-clang/conf/layer.conf defines LLVMVERSION = "12.0.0").

As a result, just including meta-clang in bblayers.conf will require bitbake to build a new version of LLVM and rebuild everything that uses it.

Anton

View/Reply Online (#53192): https://lists.yoctoproject.org/g/yocto/message/53192
[yocto] [meta-security][PATCH] gitlab-ci: Move all parsec builds into a separate job
Signed-off-by: Anton Antonov --- .gitlab-ci.yml | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f673ef6..f155ba0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -27,7 +27,6 @@ qemux86: extends: .build script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml @@ -36,7 +35,6 @@ qemux86-64: extends: .build script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml @@ -44,20 +42,17 @@ qemuarm: extends: .build script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml qemuarm64: extends: .build script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml qemuppc: extends: .build script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml qemumips64: extends: .build 
@@ -127,3 +122,12 @@ qemux86-test: - kas build --target security-test-image kas/$CI_JOB_NAME.yml - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml + +parsec: + extends: .build + script: + - kas build --target security-build-image kas/qemuarm-$CI_JOB_NAME.yml + - kas build --target security-build-image kas/qemuarm64-$CI_JOB_NAME.yml + - kas build --target security-build-image kas/qemux86-$CI_JOB_NAME.yml + - kas build --target security-build-image kas/qemux86-64-$CI_JOB_NAME.yml + - kas build --target security-build-image kas/qemuppc-$CI_JOB_NAME.yml -- 2.20.1
View/Reply Online (#53124): https://lists.yoctoproject.org/g/yocto/message/53124
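Review bot: the new `parsec` job runs the five `kas build` lines sequentially in one script, so the first failure aborts the job and the remaining machines are neither built nor reported; if the point of the move is to take parsec out of the per-machine jobs' critical path, split it into one job per machine (or a `parallel: matrix` over the machine name) so each machine gets its own status. The machine set is unchanged (qemuarm, qemuarm64, qemux86, qemux86-64, qemuppc appear both in the removed lines and in the new list), which is worth stating in the commit message since it otherwise looks like coverage was reduced.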
[yocto] [meta-security][PATCH] Clearly define clang toolchain in Parsec recipes
Signed-off-by: Anton Antonov --- .../recipes-parsec/parsec-service/parsec-service_0.7.0.bb | 4 ++-- meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb index b3f7b21..0e14955 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb @@ -10,8 +10,8 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \ file://parsec-tmpfiles.conf \ " -DEPENDS = "clang-native tpm2-tss" -INSANE_SKIP_${PN} += "dev-deps" +DEPENDS = "tpm2-tss" +TOOLCHAIN = "clang" CARGO_BUILD_FLAGS += " --features all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings" diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb index 939e771..35c65c0 100644 --- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb +++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb @@ -7,8 +7,7 @@ inherit cargo SRC_URI += "crate://crates.io/parsec-tool/${PV} \ " -DEPENDS = "clang-native" -INSANE_SKIP_${PN} += "dev-deps" +TOOLCHAIN = "clang" do_install() { install -d ${D}/${bindir} -- 2.20.1
View/Reply Online (#53084): https://lists.yoctoproject.org/g/yocto/message/53084
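Review bot: `TOOLCHAIN = "clang"` is a much broader change than the `DEPENDS = "clang-native"` it replaces: it switches the recipes' C/C++ toolchain to meta-clang's, whereas bindgen (`cryptoki/generate-bindings,tss-esapi/generate-bindings` in the unchanged CARGO_BUILD_FLAGS line) only needs libclang on the build host. Removing `INSANE_SKIP_${PN} += "dev-deps"` is welcome, but the commit message (sign-off only) should say which QA warning it was silencing and why that warning no longer appears. Note that the later patch on this page, "Do not use clang toolchain in Parsec recipes", reverts this change back to clang-native.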
[yocto] [meta-security][PATCH 2/2] Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
From: Anton Antonov Signed-off-by: Anton Antonov --- .gitlab-ci.yml | 25 + kas/kas-security-parsec.yml | 21 + kas/qemuarm-parsec.yml | 6 ++ kas/qemuarm64-parsec.yml| 6 ++ kas/qemuppc-parsec.yml | 6 ++ kas/qemux86-64-parsec.yml | 6 ++ kas/qemux86-parsec.yml | 6 ++ 7 files changed, 76 insertions(+) create mode 100644 kas/kas-security-parsec.yml create mode 100644 kas/qemuarm-parsec.yml create mode 100644 kas/qemuarm64-parsec.yml create mode 100644 kas/qemuppc-parsec.yml create mode 100644 kas/qemux86-64-parsec.yml create mode 100644 kas/qemux86-parsec.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1442239..323285a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -151,3 +151,28 @@ qemux86-test: script: - kas build --target security-test-image kas/$CI_JOB_NAME.yml - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml + +qemux86-parsec: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-64-parsec: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm-parsec: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm-64-parsec: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuppc-parsec: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml diff --git a/kas/kas-security-parsec.yml b/kas/kas-security-parsec.yml new file mode 100644 index 000..6152f0c --- /dev/null +++ b/kas/kas-security-parsec.yml @@ -0,0 +1,21 @@ +header: +version: 9 +includes: +- kas-security-base.yml + +repos: + meta-security: +layers: + meta-parsec: + + meta-rust: +url: https://github.com/meta-rust/meta-rust.git +refspec: master + + meta-clang: +url: https://github.com/kraj/meta-clang.git +refspec: master + +local_conf_header: + meta-parsec: | +IMAGE_INSTALL_append = " parsec-service parsec-tool" 
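Review bot: job `qemuarm-64-parsec` builds `kas/$CI_JOB_NAME.yml`, i.e. kas/qemuarm-64-parsec.yml, but the file this patch adds is kas/qemuarm64-parsec.yml, so that job will fail to find its config; rename the job to `qemuarm64-parsec` to match the other four. In kas-security-parsec.yml, meta-rust and meta-clang are fetched with `refspec: master` and no commit, so every CI run builds a key-management service against whatever those repositories' heads are that day and two runs are not comparable; pin a commit, or at least record the one the layer was tested with in the commit message.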
diff --git a/kas/qemuarm-parsec.yml b/kas/qemuarm-parsec.yml new file mode 100644 index 000..cef2818 --- /dev/null +++ b/kas/qemuarm-parsec.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: +- kas-security-parsec.yml + +machine: qemuarm diff --git a/kas/qemuarm64-parsec.yml b/kas/qemuarm64-parsec.yml new file mode 100644 index 000..9b593bc --- /dev/null +++ b/kas/qemuarm64-parsec.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: +- kas-security-parsec.yml + +machine: qemuarm64 diff --git a/kas/qemuppc-parsec.yml b/kas/qemuppc-parsec.yml new file mode 100644 index 000..1176d13 --- /dev/null +++ b/kas/qemuppc-parsec.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: +- kas-security-parsec.yml + +machine: qemuppc diff --git a/kas/qemux86-64-parsec.yml b/kas/qemux86-64-parsec.yml new file mode 100644 index 000..ec39c14 --- /dev/null +++ b/kas/qemux86-64-parsec.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: +- kas-security-parsec.yml + +machine: qemux86-64 diff --git a/kas/qemux86-parsec.yml b/kas/qemux86-parsec.yml new file mode 100644 index 000..370947d --- /dev/null +++ b/kas/qemux86-parsec.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: +- kas-security-parsec.yml + +machine: qemux86 -- 2.20.1
View/Reply Online (#53065): https://lists.yoctoproject.org/g/yocto/message/53065
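Review bot: the five machine files (kas/qemuarm-parsec.yml through kas/qemux86-parsec.yml) declare `header: version: 8` while kas-security-parsec.yml, which they all include, declares `version: 9`; use one header version across the six files. Apart from that the per-machine files are minimal and fine.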
[yocto] [meta-security][PATCH 1/2] Add meta-parsec layer into meta-security.
From: Anton Antonov The layer contains recipes for Parsec service version 0.7.0 and parsec-tool version 0.3.0. The Parsec service is built with all supported providers and deployed with the MbedCrypto provider enabled. Both systemd and sysv-init are supported. Signed-off-by: Anton Antonov --- meta-parsec/README.md | 186 ++ meta-parsec/conf/layer.conf | 14 ++ .../parsec-service/files/cryptoki.patch | 18 ++ .../parsec-service/files/parsec-tmpfiles.conf | 2 + .../parsec-service/files/parsec_init | 63 ++ .../parsec-service/files/systemd.patch| 19 ++ .../parsec-service/parsec-service_0.7.0.bb| 67 +++ .../parsec-service/parsec-service_0.7.0.inc | 147 ++ .../parsec-tool/parsec-tool_0.3.0.bb | 18 ++ .../parsec-tool/parsec-tool_0.3.0.inc | 127 10 files changed, 661 insertions(+) create mode 100644 meta-parsec/README.md create mode 100644 meta-parsec/conf/layer.conf create mode 100644 meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch create mode 100644 meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf create mode 100755 meta-parsec/recipes-parsec/parsec-service/files/parsec_init create mode 100644 meta-parsec/recipes-parsec/parsec-service/files/systemd.patch create mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb create mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc create mode 100644 meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb create mode 100644 meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.inc diff --git a/meta-parsec/README.md b/meta-parsec/README.md new file mode 100644 index 000..a2736b6 --- /dev/null +++ b/meta-parsec/README.md 
@@ -0,0 +1,186 @@ +meta-parsec layer +== + +This layer contains recipes for the Parsec service with Mbed-Crypto, +Pkcs11 and TPM providers and parsec tools. + +Dependencies + + +This layer depends on: + +URI: git://git.openembedded.org/meta-openembedded +branch: master +revision: HEAD +prio: default + +URI git://git.yoctoproject.org/meta-security +branch: master +revision: HEAD +prio: default + +URI https://github.com/meta-rust/meta-rust.git +branch: master +revision: HEAD +prio: default + +URI https://github.com/kraj/meta-clang.git +branch: master +revision: HEAD +prio: default + +Adding the meta-parsec layer to your build +== + +In order to use this layer, you need to make the build system aware of it. + +You can add it to the build system by adding the +location of the meta-parsec layer to bblayers.conf, along with any +other layers needed. e.g.: + +BBLAYERS ?= " \ + /path/to/yocto/meta \ + /path/to/yocto/meta-yocto \ + /path/to/yocto/meta-yocto-bsp \ + /path/to/meta-openembedded/meta-oe \ + /path/to/meta-openembedded/meta-python \ + /path/to/meta-rust \ + /path/to/meta-clang \ + /path/to/meta-security/meta-tpm \ + /path/to/meta-security/meta-parsec \ + " + +To include the Parsec service into your image add following into the +local.conf: + +IMAGE_INSTALL_append = " parsec-service" + + The Parsec service will be deployed into the image built with all the supported +providers and with the default config file from the Parsec repository: +https://github.com/parallaxsecond/parsec/blob/main/config.toml + The default Parsec service config file contains the MbedCrypto provider +enabled. The config file needs to be updated to use the Parsec service +with other providers like TPM or PKCS11. The required procedures are +covered in Parsec documentation. +https://parallaxsecond.github.io/parsec-book/ + +Updating recipes + + + The parsec-service and parsec-tool recipes use include files with lists +of all rust crates required. 
This allows bitbake to fetch all the necessary +dependent crates, as well as a pegged version of the crates.io index, +to ensure maximum reproducibility. + It's recommended to use cargo-bitbake to generate include files for new +versions of parsec recipes. +https://github.com/meta-rust/cargo-bitbake + + When you have crago-bitbake built: +1. Checkout the required version of parsec repository. +2. Run cargo-bitbake inside the repository. It will produce a BB file. +3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file. + +Manual testing with runqemu +=== + + This layer also contains a recipe for pasec-tool which can be used for +manual testing of the Parsec service: + +IMAGE_INSTALL_append += " parsec-tools" + + There are a series of Parsec Demo videos showing how to use parsec-tool +to test the Parsec service base functionality: +https://www.youtube.com/watch?v=ido0CyUdMHM=PLKjl7
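Review bot: in the "Manual testing with runqemu" section the example `IMAGE_INSTALL_append += " parsec-tools"` is wrong on two counts: the recipe added by this patch is `parsec-tool` (see `parsec-tool_0.3.0.bb` in the diffstat), and the `_append` form takes `=`, not `+=`; write it as `IMAGE_INSTALL_append = " parsec-tool"`, the same form the earlier `IMAGE_INSTALL_append = " parsec-service"` example uses. Typos in the same file: "pasec-tool" and "crago-bitbake" should read "parsec-tool" and "cargo-bitbake". The BBLAYERS example lists `meta-security/meta-tpm`, but the Dependencies section above it does not mention meta-tpm; either document that dependency or drop it from the example. The trailing YouTube link also looks mangled (`?v=...=PLKjl7`) and should be checked before merge.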
[yocto] [meta-security][PATCH] Use libest "main" branch instead of "master".
This patch fixes the issue: WARNING: libest-3.2.0-r0 do_fetch: Failed to fetch URL git://github.com/cisco/libest, attempting MIRRORS if available ERROR: libest-3.2.0-r0 do_fetch: Fetcher failure: Unable to find revision 4ca02c6d7540f2b1bcea278a4fbe373daac7103b in branch master even from upstream ERROR: libest-3.2.0-r0 do_fetch: Fetcher failure for URL: 'git://github.com/cisco/libest'. Unable to fetch URL from any source. Signed-off-by: Anton Antonov --- recipes-security/libest/libest_3.2.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb index f993bd6..5b6dc99 100644 --- a/recipes-security/libest/libest_3.2.0.bb +++ b/recipes-security/libest/libest_3.2.0.bb @@ -6,7 +6,7 @@ LICENSE = "OpenSSL" LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885" SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b" -SRC_URI = "git://github.com/cisco/libest" +SRC_URI = "git://github.com/cisco/libest;branch=main" DEPENDS = "openssl" -- 2.20.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#53049): https://lists.yoctoproject.org/g/yocto/message/53049 Mute This Topic: https://lists.yoctoproject.org/mt/81912123/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
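Review bot: the `;branch=main` fix is correct for the pinned `SRCREV`, but while SRC_URI is being touched consider adding `;protocol=https` as well. The bare `git://` scheme is an unauthenticated transport that GitHub has since stopped serving; the pinned `SRCREV` still guarantees the integrity of what gets built, but the fetch itself will fail once that transport is unavailable, reproducing exactly the kind of `do_fetch` failure this patch addresses.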