[2/4] trusted-firmware-a: set version of mbed_tls for CVE check

Message ID 20231019105552.3631582-3-mikko.rapeli@linaro.org
State New
Series RFC: detect CVEs from embedded mbedtls

Commit Message

Mikko Rapeli Oct. 19, 2023, 10:55 a.m. UTC
The Poky-side cve-check.bbclass is extended to support embedded
SW components where CVE_PRODUCT and CVE_VERSION differ
from the main recipe. Set these for mbed_tls (also
used as the product name in the CVE database) and version 2.28.4.

With these set, CVE check build shows:

NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Started
WARNING: trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0 do_cve_check: Found unpatched CVE (CVE-2021-36647 CVE-2021-43666 CVE-2021-45451 CVE-2023-43615), for more information check /home/builder/src/base/build/tmp/work/arm64-poky-linux/trusted-firmware-a/2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122/temp/cve.log
NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Succeeded

which is better, but luckily the CVE issues don't actually impact trusted-firmware-a,
and CVE database data and/or ignore status can be set due to the used configuration
of mbed_tls.

Depends on this patch on the Poky side, in cve-check.bbclass:
cve-check.bbclass: support embedded SW components with different version number

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc  | 2 ++
 .../recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb  | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
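The do_cve_check output quoted in the commit message is what a CI job has to act on once embedded components start reporting their own CVEs. The following is an added example, not part of this patch or of meta-arm: it parses the WARNING lines into structured findings (recipe name, version, revision, unpatched CVE ids, per-recipe cve.log path) and subtracts a reviewed ignore list, mirroring what a recipe would carry in CVE_CHECK_IGNORE. The sample log reuses the three lines from the commit message plus one constructed unrelated warning to show filtering; the regular expressions are assumptions derived from that output format.

```python
import re
from dataclasses import dataclass

# Sample build log: the three do_cve_check lines quoted in the commit message,
# plus one constructed unrelated WARNING that the parser must ignore.
SAMPLE_LOG = """\
NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Started
WARNING: trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0 do_cve_check: Found unpatched CVE (CVE-2021-36647 CVE-2021-43666 CVE-2021-45451 CVE-2023-43615), for more information check /home/builder/src/base/build/tmp/work/arm64-poky-linux/trusted-firmware-a/2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122/temp/cve.log
NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Succeeded
WARNING: example-recipe-1.0-r0 do_compile: constructed unrelated warning, not a CVE finding
"""

# Shape of the per-recipe "unpatched CVE" warning (assumption derived from the
# output above): recipe id, space-separated CVE ids in parentheses, log path.
_WARNING_RE = re.compile(
    r"^WARNING: (?P<recipe>\S+) do_cve_check: Found unpatched CVE "
    r"\((?P<cves>[^)]*)\), for more information check (?P<log>\S+)$"
)

# Split "<PN>-<PV>-<PR>" as bitbake prints it: PV starts with a digit and
# contains no '-', PR is r<N>.
_RECIPE_RE = re.compile(r"^(?P<pn>.+?)-(?P<pv>\d[^-]*)-(?P<pr>r\d+)$")


@dataclass(frozen=True)
class CveFinding:
    pn: str          # recipe name
    pv: str          # recipe version string as printed by bitbake
    pr: str          # recipe revision
    cves: tuple      # sorted, de-duplicated unpatched CVE ids
    log_path: str    # per-recipe cve.log with the full report


def parse_cve_check_log(text: str) -> list:
    """Return one CveFinding per 'Found unpatched CVE' warning in a build log."""
    findings = []
    for line in text.splitlines():
        m = _WARNING_RE.match(line.strip())
        if not m:
            continue  # NOTE lines and warnings from other tasks are skipped
        r = _RECIPE_RE.match(m.group("recipe"))
        if r:
            pn, pv, pr = r.group("pn"), r.group("pv"), r.group("pr")
        else:
            pn, pv, pr = m.group("recipe"), "", ""  # unexpected id shape: keep it raw
        cves = tuple(sorted(set(m.group("cves").split())))
        findings.append(CveFinding(pn, pv, pr, cves, m.group("log")))
    return findings


def remaining_cves(findings, ignored) -> dict:
    """Map recipe name -> CVE ids not covered by a reviewed ignore list.

    `ignored` maps recipe name to the ids judged not applicable (for example
    because the recipe's mbed TLS configuration never builds the affected
    code), the same decision a recipe records in CVE_CHECK_IGNORE.
    """
    result = {}
    for f in findings:
        left = tuple(c for c in f.cves if c not in ignored.get(f.pn, ()))
        if left:
            result[f.pn] = left
    return result


if __name__ == "__main__":
    found = parse_cve_check_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.pn} {f.pv} {f.pr}: {' '.join(f.cves)}  ({f.log_path})")
    # Gate example: one id reviewed and ignored, three still open.
    print(remaining_cves(found, {"trusted-firmware-a": {"CVE-2021-36647"}}))
```

A CI gate would fail the build when `remaining_cves` returns a non-empty map, so the ignore list has to be an explicit, reviewed artefact rather than a silent suppression.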
Patch

diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
index 89cce807..a40bf337 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -57,6 +57,8 @@  LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '',
 LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
 # add mbed TLS to version
 SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
+CVE_PRODUCT:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', 'mbed_tls', '', d)}"
+CVE_VERSION_mbed_tls = "${@bb.utils.contains('TFA_MBEDTLS', '1', '${PV_mbedtls}', '', d)}"
 
 # U-boot support (set TFA_UBOOT to 1 to activate)
 # When U-Boot support is activated BL33 is activated with u-boot.bin file
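Review bot: the second added line, `CVE_VERSION_mbed_tls = "${@bb.utils.contains('TFA_MBEDTLS', '1', '${PV_mbedtls}', '', d)}"`, references PV_mbedtls, which this shared .inc does not define; it is only introduced in trusted-firmware-a_2.9.0.bb in the next hunk. Any other recipe that includes the .inc with TFA_MBEDTLS set to "1" but without its own PV_mbedtls will hand cve-check an unusable version for mbed_tls, so the product would be checked against no real version. Suggest a default such as `PV_mbedtls ?= ""` next to these lines with a comment that recipes enabling TFA_MBEDTLS must set PV_mbedtls in step with SRCREV_mbedtls. As a style point, since mbed_tls only enters CVE_PRODUCT when TFA_MBEDTLS is "1", the second contains() guard adds nothing and a plain `CVE_VERSION_mbed_tls = "${PV_mbedtls}"` reads more simply.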
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
index 8f78b5e7..d8cc4df6 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
@@ -10,7 +10,7 @@  SRC_URI:append:qemuarm64-secureboot = " \
 
 LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
 
-# mbed TLS v2.28.4
+PV_mbedtls = "2.28.4"
 SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=mbedtls-2.28"
 SRCREV_mbedtls = "aeb97a18913a86f051afab11b2c92c6be0c2eb83"
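Review bot: `PV_mbedtls = "2.28.4"` is a hand-maintained value that nothing ties to `SRCREV_mbedtls` two lines below, and the replaced comment was the only hint that the two belong together; a future SRCREV bump that forgets this line would silently run the CVE check against the old version. Suggest keeping a comment on the new line, e.g. `PV_mbedtls = "2.28.4"  # must match SRCREV_mbedtls below`, so the coupling survives the comment's removal. Where the commit message says the reported CVEs do not affect TF-A because of its mbed TLS configuration, that reasoning belongs in the recipe as CVE_CHECK_IGNORE entries with the justification alongside, rather than only in the commit message.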