@@ -57,6 +57,8 @@ LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '',
LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
# add mbed TLS to version
SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
+CVE_PRODUCT:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', 'mbed_tls', '', d)}"
+CVE_VERSION_mbed_tls = "${@bb.utils.contains('TFA_MBEDTLS', '1', '${PV_mbedtls}', '', d)}"
# U-boot support (set TFA_UBOOT to 1 to activate)
# When U-Boot support is activated BL33 is activated with u-boot.bin file
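Review bot: CVE_VERSION_mbed_tls in this hunk expands ${PV_mbedtls}, which trusted-firmware-a.inc itself never defines; it only exists in trusted-firmware-a_2.9.0.bb (second hunk). Any other .bb that includes this .inc without setting PV_mbedtls will silently expand the version to an empty string, and the CVE check then matches mbed_tls against no version at all. Either give it a default next to the new lines (`PV_mbedtls ?= ""`) so the gap is visible, or state the dependency in a comment alongside the existing "# add mbed TLS to version" comment. A second, smaller point: the separator space is placed outside the contains() call (`CVE_PRODUCT:append = " ${@bb.utils.contains(...)}"`), so a trailing space is appended even when TFA_MBEDTLS is not '1'. The LICENSE and SRCREV_FORMAT lines just above keep the separator inside the true branch; for consistency use `CVE_PRODUCT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' mbed_tls', '', d)}"`.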
@@ -10,7 +10,7 @@ SRC_URI:append:qemuarm64-secureboot = " \
LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
-# mbed TLS v2.28.4
+PV_mbedtls = "2.28.4"
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=mbedtls-2.28"
SRCREV_mbedtls = "aeb97a18913a86f051afab11b2c92c6be0c2eb83"
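Review bot: PV_mbedtls = "2.28.4" replaces the old "# mbed TLS v2.28.4" comment but now drives CVE matching, while the actual source is pinned by SRCREV_mbedtls two lines below; nothing ties the two together. If a later bump updates SRCREV_mbedtls (or the mbedtls-2.28 branch reference) without touching PV_mbedtls, do_cve_check will keep reporting against 2.28.4 and miss CVEs fixed or introduced in the new revision, which is a silent false negative rather than a build failure. Suggest a one-line comment above PV_mbedtls saying it must match the tag that SRCREV_mbedtls points at, e.g. "# PV_mbedtls must be kept in sync with SRCREV_mbedtls; it is used for CVE matching", so the next person bumping mbed TLS sees both values.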
poky side cve-check.bbclass is extended to support embedded SW components
where CVE_PRODUCT and CVE_VERSION differ from the main recipe. Set these
for mbed_tls (also used as product name in CVE database) and version
2.28.4.

With these set, CVE check build shows:

NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Started
WARNING: trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0 do_cve_check: Found unpatched CVE (CVE-2021-36647 CVE-2021-43666 CVE-2021-45451 CVE-2023-43615), for more information check /home/builder/src/base/build/tmp/work/arm64-poky-linux/trusted-firmware-a/2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122/temp/cve.log
NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Succeeded

which is better but luckily the CVE issues don't actually impact
trusted-firmware-a and CVE database data and/or ignore status can be set
due to used configuration of mbed_tls.

Depends on this patch in poky side cve-check.bbclass:

cve-check.bbclass: support embedded SW components with different version number

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc       | 2 ++
 .../recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb       | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)