From patchwork Fri Dec 20 14:04:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 54475 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8533E77188 for ; Fri, 20 Dec 2024 14:05:12 +0000 (UTC) Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175]) by mx.groups.io with SMTP id smtpd.web11.152213.1734703505609404911 for ; Fri, 20 Dec 2024 06:05:05 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=O6Ik1opn; spf=pass (domain: linaro.org, ip: 209.85.208.175, mailfrom: mikko.rapeli@linaro.org) Received: by mail-lj1-f175.google.com with SMTP id 38308e7fff4ca-3023c51146cso20309241fa.1 for ; Fri, 20 Dec 2024 06:05:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1734703504; x=1735308304; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=2uiZu4PFPvH48mQr0f3oDLOK2l1HAKc13nLmzWRle8w=; b=O6Ik1opnZoYVj8Pm5C3GGEWes/arTFU9jBxJwQKQJFAoad9OHvy8URn8EVr6j9ZzCH 5R2QnrWA5a18AjO9Nbd7WlkHad98FGAuiZLr6+Ryx4qQfm7TtGWbtGorfJ3flLx1RsTE KUdmBRUlaQmt2nBhqwdv9KrB4rDC3IAa7xG8qWnIjWrGnchN4Fu93mweZCXsBV3/2X9o x5siGtLry3mC0fB5MI9fUYD51an4quiAKIjmFZhwciIAr8xkh02/AIo+n+1KuqUxGNqS IC65grQPp5/xjdRqaljD/jSjEMMiUnyX51X3I+vlupb/LvD/iry+x4j/u6I62txa3iU3 7nIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734703504; x=1735308304; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; 
bh=2uiZu4PFPvH48mQr0f3oDLOK2l1HAKc13nLmzWRle8w=; b=HxsNI1PMqLSC2VBy24W5mntHCdyJTEUCCEeKnrJyhFybjJsKDqLMyHoKutDZmKUKUn ysE8LaL2aEA5stfJNMgSWgUJW0QlU6WL6PBI0/cdEfbvmB/mjg3Cu7qy2O2ArwvqJdiA 0B45AeWKHKQSsVUTXN92APx+1vfb03BDOqxqqLl33OXGt8lbbn15tVUCSP7A/ey2KmIa cGvU3dWCE05JZQuK/Gd6GyIConT+JbrDJvzCrL64QqNWopdsQgfazP3f/QczizXwdbvR JaKbVbw2xoBe/Qso0bHv/V8anZC7ATiY9RCU6n3J9KZz3Q4KyTauV55GvAX2BQPIiJ4P RpcA== X-Gm-Message-State: AOJu0YzHXp8pcrW4+H5HKHECpriU0xtv18c+UjUP5Gt1uSyxZ9qcTjey Dw6XFWfT4ccMo05XArKBy4ZoW80oJ+wJ+IbgQLqSA4fiBg75RD2mTySchQJ4casPyfKK2vOwzOY Fbt8= X-Gm-Gg: ASbGncs1ISP4AKx1LfaU4gKWgW27NLz71sIDmM7jpSfGYHtgCJte/xFGjmjactqCmrz oif+LrhJnaPrSzvsxjgql1QBwpJkRqngU50ljEbiSTfkdAGOetpnbZECHlODuscQIwUDunMHQ/0 MACmoZM+mlwsO7Ahr2af+JHJz/H0o7c7Q1gPUNwtff83RKIuUjEgUPGGmlH8MwY4qCy2CDemU31 +G0pTRIbkTWn8aL5uBfdjPXFXoC/bw76I+gGUk3eZQLGJlyiLV0KVKQIprAIJbkZ0x+kzbw7rUS 6iDDLwzVbewZgmsyfSeL9juMfA== X-Google-Smtp-Source: AGHT+IFjj499SxTkfJGIKb39yWOBIUPDmvneuET3NuIGVXOcO0JbNt6S9ZbFG9Xb11AqA2Z6vYfIvQ== X-Received: by 2002:a2e:be21:0:b0:300:1a4f:4619 with SMTP id 38308e7fff4ca-30469acd023mr10454771fa.1.1734703503569; Fri, 20 Dec 2024 06:05:03 -0800 (PST) Received: from localhost.localdomain (78-27-76-97.bb.dnainternet.fi. [78.27.76.97]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-3045ad6ca8fsm5227191fa.14.2024.12.20.06.05.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Dec 2024 06:05:01 -0800 (PST) 
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 01/18] kas-security-base.yml: replace debug-tweaks
Date: Fri, 20 Dec 2024 16:04:24 +0200
Message-ID: <20241220140441.271395-2-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Dec 2024 14:05:12 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/940

debug-tweaks is now removed from oe-core and the config changes need to be explicitly enabled. allow-empty-password, empty-root-password and allow-root-login are needed for testing over ssh with testimage.bbclass.

Signed-off-by: Mikko Rapeli
---
kas/kas-security-base.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
index fa7915c..517d087 100644
--- a/kas/kas-security-base.yml
+++ b/kas/kas-security-base.yml
@@ -43,7 +43,7 @@ local_conf_header: BB_TASK_IONICE_LEVEL = '2.7' BB_TASK_IONICE_LEVEL_task-testimage = '2.1' TEST_QEMUBOOT_TIMEOUT = "1500" - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" + EXTRA_IMAGE_FEATURES += "allow-empty-password empty-root-password allow-root-login" PACKAGE_CLASSES = "package_ipk" DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2"
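Review bot: In the kas-security-base.yml hunk of PATCH 01/18, the new line `EXTRA_IMAGE_FEATURES += "allow-empty-password empty-root-password allow-root-login"` also silently changes the operator from a weak default (`?=`) to an unconditional append (`+=`), so a user's own EXTRA_IMAGE_FEATURES setting no longer replaces it and every image built from this base fragment gets passwordless root login, not only the testimage runs the commit message mentions. Suggest keeping the three features out of the base config and adding them only in the testimage-specific kas fragment, or at minimum stating in the commit message that images produced from kas-security-base.yml are test-only and must not be shipped.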
From patchwork Fri Dec 20 14:04:25 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 54476
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 02/18] kas-security-alt.yml: fix systemd config
Date: Fri, 20 Dec 2024 16:04:25 +0200
Message-ID: <20241220140441.271395-3-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Dec 2024 14:05:12 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/941

Adding "systemd" to DISTRO_FEATURES does not work anymore and the build fails due to udev selection etc. issues.

Signed-off-by: Mikko Rapeli
---
kas/kas-security-alt.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kas/kas-security-alt.yml b/kas/kas-security-alt.yml
index 3ee9808..8f754ac 100644
--- a/kas/kas-security-alt.yml
+++ b/kas/kas-security-alt.yml
@@ -5,4 +5,4 @@ header: local_conf_header: alt: | - DISTRO_FEATURES:append = " systemd" + INIT_MANAGER = "systemd"
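Review bot: In the kas-security-alt.yml hunk of PATCH 02/18, the commit message says the `DISTRO_FEATURES:append = " systemd"` approach "does not work anymore" but does not say why `INIT_MANAGER = "systemd"` is not just a spelling change. Suggest adding one sentence that INIT_MANAGER also selects the matching init and device-manager runtime providers (the udev selection the message refers to) rather than only adding the distro feature, so a reader understands the two lines are not equivalent and does not revert to the old form later.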
From patchwork Fri Dec 20 14:04:26 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 54477
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 03/18] chkrootkit: change download from Ubuntu to Debian
Date: Fri, 20 Dec 2024 16:04:26 +0200
Message-ID: <20241220140441.271395-4-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Dec 2024 14:05:22 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/942

Ubuntu server doesn't have the file anymore but Debian does.

Signed-off-by: Mikko Rapeli
---
recipes-scanners/rootkits/chkrootkit_0.57.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-scanners/rootkits/chkrootkit_0.57.bb b/recipes-scanners/rootkits/chkrootkit_0.57.bb
index d35f5f6..c71b45c 100644
--- a/recipes-scanners/rootkits/chkrootkit_0.57.bb
+++ b/recipes-scanners/rootkits/chkrootkit_0.57.bb
@@ -5,7 +5,7 @@ SECTION = "security" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff" -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \ +SRC_URI = "https://ftp.debian.org/debian/pool/main/c/${BPN}/${BPN}_${PV}.orig.tar.gz \ file://musl_fix.patch" SRC_URI[sha256sum] = "06d1faee151aa3e3c0f91ac807ca92e60b75ed1c18268ccef2c45117156d253c"
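Review bot: In the chkrootkit_0.57.bb hunk of PATCH 03/18, the fix is sound but the commit message undersells two things worth recording: the unchanged `SRC_URI[sha256sum]` context line means the tarball fetched from ftp.debian.org is verified to be byte-identical to the one previously fetched from archive.ubuntu.com, and the move from `http://` to `https://` also removes a plaintext download. Since the same disappearance will recur on the Debian pool once 0.57 is superseded, consider a PREMIRRORS/MIRRORS entry or a note in the recipe about where the tarball is expected to remain available.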
From patchwork Fri Dec 20 14:04:27 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 54479
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 04/18] apparmor: update from 3.1.3 to 4.0.3
Date: Fri, 20 Dec 2024 16:04:27 +0200
Message-ID: <20241220140441.271395-5-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Dec 2024 14:05:22 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/943

Fixes python 3.13 support though needed one more patch which is also submitted upstream. oeqa runtime test passes on qemuarm and qemuarm64. Did not fix ptest compilation.

Changes:
https://apparmor.net/news/release-4.0.2/
https://gitlab.com/apparmor/apparmor/-/releases/v4.0.3

Signed-off-by: Mikko Rapeli
---
.../{apparmor_3.1.3.bb => apparmor_4.0.3.bb} | 8 +-
.../0001-fail.py-handle-missing-cgitb.patch | 74 +++++++++++++++++++
2 files changed, 78 insertions(+), 4 deletions(-)
rename recipes-mac/AppArmor/{apparmor_3.1.3.bb => apparmor_4.0.3.bb} (96%)
create mode 100644 recipes-mac/AppArmor/files/0001-fail.py-handle-missing-cgitb.patch

diff --git a/recipes-mac/AppArmor/apparmor_3.1.3.bb b/recipes-mac/AppArmor/apparmor_4.0.3.bb
similarity index 96%
rename from recipes-mac/AppArmor/apparmor_3.1.3.bb
rename to recipes-mac/AppArmor/apparmor_4.0.3.bb
index 49ab7a7..06a5010 100644
--- a/recipes-mac/AppArmor/apparmor_3.1.3.bb
+++ b/recipes-mac/AppArmor/apparmor_4.0.3.bb
@@ -11,17 +11,18 @@ SECTION = "admin" LICENSE = "GPL-2.0-only & GPL-2.0-or-later & BSD-3-Clause & LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" -DEPENDS = "bison-native apr gettext-native coreutils-native swig-native" +DEPENDS = "bison-native apr autoconf-archive-native gettext-native coreutils-native swig-native" SRC_URI = " \ - git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.1 \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-4.0 \ file://run-ptest \ file://crosscompile_perl_bindings.patch \ file://0001-Makefile.am-suppress-perllocal.pod.patch \ file://0001-Makefile-fix-hardcoded-installation-directories.patch \ + file://0001-fail.py-handle-missing-cgitb.patch \ " -SRCREV = "e69cb5047946818e6a9df326851483bb075a5cfe" +SRCREV = "b4dfdf50f50ed1d64161424d036a2453645f0cfe" S = "${UNPACKDIR}/git" PARALLEL_MAKE = "" @@ -106,7 +107,6 @@ do_install () { chown root:root -R ${D}/${datadir}/apparmor find ${D}${libdir}/perl5/ -type f -name ".packlist" -delete - find ${D}${PYTHON_SITEPACKAGES_DIR}/LibAppArmor/ -type f -name "_LibAppArmor*.so" -delete } #Building ptest on arm fails. diff --git a/recipes-mac/AppArmor/files/0001-fail.py-handle-missing-cgitb.patch b/recipes-mac/AppArmor/files/0001-fail.py-handle-missing-cgitb.patch new file mode 100644 index 0000000..28c1d9e --- /dev/null +++ b/recipes-mac/AppArmor/files/0001-fail.py-handle-missing-cgitb.patch 
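Review bot: In the first apparmor_4.0.3.bb hunk of PATCH 04/18 (`@@ -11,17 +11,18 @@`), the new `SRCREV = "b4dfdf50f50ed1d64161424d036a2453645f0cfe"` is not tied to the v4.0.3 tag anywhere in the recipe, and the new `autoconf-archive-native` entry in DEPENDS is not mentioned in the commit message. Suggest a `# v4.0.3` comment above the SRCREV line so a later reviewer can confirm the pin matches the release named in the filename, and one sentence in the commit message on why the extra native dependency is now required.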
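Review bot: In the second apparmor_4.0.3.bb hunk of PATCH 04/18 (`@@ -106,7 +107,6 @@`), dropping `find ${D}${PYTHON_SITEPACKAGES_DIR}/LibAppArmor/ -type f -name "_LibAppArmor*.so" -delete` from do_install changes what gets packaged (the Python extension module now ships), yet neither the commit message nor a recipe comment says why the deletion is no longer needed. Suggest stating the reason (for example a changed install layout in 4.0) and confirming that the .so lands in the intended package rather than triggering an installed-vs-shipped QA warning.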
@@ -0,0 +1,74 @@ +From 434e34bb510b4cab04e64cd5b21d635c6be8c8ea Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Fri, 29 Nov 2024 13:46:32 +0000 +Subject: [PATCH] fail.py: handle missing cgitb + +It's no longer in python standard library starting +at version 3.13. Fixes: + +root@qemuarm64:~# aa-complain /etc/apparmor.d/* +Traceback (most recent call last): + File "/usr/sbin/aa-complain", line 18, in + from apparmor.fail import enable_aa_exception_handler + File "/usr/lib/python3.13/site-packages/apparmor/fail.py", line 12, in + import cgitb +ModuleNotFoundError: No module named 'cgitb' + +Signed-off-by: Mikko Rapeli +--- + utils/apparmor/fail.py | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +Upstream-Status: Backport + +diff --git a/utils/apparmor/fail.py b/utils/apparmor/fail.py +index ece6efc4..a71ceb66 100644 +--- a/utils/apparmor/fail.py ++++ b/utils/apparmor/fail.py +@@ -8,7 +8,11 @@ + # + # ------------------------------------------------------------------ + +-import cgitb ++try: ++ import cgitb ++except ImportError: ++ cgitb = None ++ pass + import sys + import traceback + from tempfile import NamedTemporaryFile +@@ -32,20 +36,21 @@ def handle_exception(*exc_info): + print('', file=sys.stderr) + error(ex.value) + else: +- with NamedTemporaryFile('w', prefix='apparmor-bugreport-', suffix='.txt', delete=False) as file: +- cgitb_hook = cgitb.Hook(display=1, file=file, format='text', context=10) +- cgitb_hook.handle(exc_info) +- +- file.write('Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues\n') +- file.write('and attach this file.\n') ++ if cgitb: ++ with NamedTemporaryFile('w', prefix='apparmor-bugreport-', suffix='.txt', delete=False) as file: ++ cgitb_hook = cgitb.Hook(display=1, file=file, format='text', context=10) ++ cgitb_hook.handle(exc_info) ++ file.write('Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues\n') ++ file.write('and attach this file.\n') 
+ + print(''.join(traceback.format_exception(*exc_info)), file=sys.stderr) +- print('', file=sys.stderr) + print('An unexpected error occurred!', file=sys.stderr) + print('', file=sys.stderr) +- print('For details, see %s' % file.name, file=sys.stderr) ++ if cgitb: ++ print('For details, see %s' % file.name, file=sys.stderr) + print('Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues', file=sys.stderr) +- print('and attach this file.', file=sys.stderr) ++ if cgitb: ++ print('and attach this file.', file=sys.stderr) + + + def enable_aa_exception_handler(): +-- +2.43.0 +
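Review bot: In the new 0001-fail.py-handle-missing-cgitb.patch hunk of PATCH 04/18, `Upstream-Status: Backport` is placed below the `---` separator and the diffstat, where `git am` discards it, and the cover text of this patch says the change is "also submitted upstream", which is `Upstream-Status: Submitted [url]` rather than `Backport` unless it has actually been merged; move the tag above `---` and make it match the real state. Smaller points inside the fail.py diff: the `pass` after `cgitb = None` in the `except ImportError:` branch is dead and can go, and `if cgitb:` would read more clearly as `if cgitb is not None:` since the sentinel is explicitly None. The logic itself is fine: when cgitb is absent no report file is created, and every later use of `file.name` is guarded by the same condition, so there is no unbound-variable path.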
From patchwork Fri Dec 20 14:04:28 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 54478
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 05/18] oeqa runtime clamav.py: use curl if ping fails
Date: Fri, 20 Dec 2024 16:04:28 +0200
Message-ID: <20241220140441.271395-6-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Dec 2024 14:05:22 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/944

TEST_RUNQEMUPARAMS = "slirp" does not pass ping through but UDP and TCP will work. Thus curl the http website even if the response is a DoS blocker and not the real website.

Signed-off-by: Mikko Rapeli
---
lib/oeqa/runtime/cases/clamav.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/oeqa/runtime/cases/clamav.py b/lib/oeqa/runtime/cases/clamav.py
index e0cad8f..bcafc84 100644
--- a/lib/oeqa/runtime/cases/clamav.py
+++ b/lib/oeqa/runtime/cases/clamav.py
@@ -43,7 +43,7 @@ class ClamavTest(OERuntimeTestCase): msg = 'File could not be copied. Output: %s' % output self.assertEqual(status, 0, msg=msg) - status, output = self.target.run('ping -c 1 database.clamav.net') + status, output = self.target.run('ping -c 1 database.clamav.net || curl http://database.clamav.net') msg = ('ping database.clamav.net failed: output is:\n%s' % output) self.assertEqual(status, 0, msg = msg)
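Review bot: In the clamav.py hunk of PATCH 05/18, the assertion text on the unchanged context line `msg = ('ping database.clamav.net failed: output is:\n%s' % output)` still blames ping even when the curl fallback was the command that failed; update it to name both. Two more things to tighten in the new line `self.target.run('ping -c 1 database.clamav.net || curl http://database.clamav.net')`: curl is only present if the image ships it, so on a slirp run without curl the fallback fails with "command not found" and the test still fails (guard the case with `@OEHasPackage(['curl'])` or add curl to the test image), and without `-sS -o /dev/null` the fetched page body, which the commit message says may be a DoS-blocker page rather than the real site, is dumped into the test log. Leaving out `--fail` is correct here since the intent is a reachability probe, not a content check, and that is worth saying in a comment.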
From patchwork Fri Dec 20 14:04:29 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 54480
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 06/18] libtpm: update from 0.9.6 to 0.10.0
Date: Fri, 20 Dec 2024 16:04:29 +0200
Message-ID: <20241220140441.271395-7-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/945

Needed by newer swtpm. Improves error messages etc.

Changes:

https://github.com/stefanberger/libtpms/releases/tag/v0.10.0

version 0.10.0:
  tpm2: Support for profiles: default-v1 & custom
  tpm2: Add new API call TPMLIB_SetProfile to enable user to set a profile
  tpm2: Extended TPMLIB_GetInfo to return profiles-related info
  tpm2: Implemented crypto tests and restrictions on crypto related to FIPS-140-3; can be enabled with profiles
  tpm2: Enable Camellia-192 and AES-192
  tpm2: Implement TPMLIB_WasManufactured API call
  tpm2: Fixes for issues detected by static analyzers
  tpm2: Use OpenSSL-based KDFe implementation if possible
  tpm2: Update to TPM 2 spec rev 183 (many changes)
  tpm2: Better support for OpenSSL 3.x
  tpm2: Use Carmichael function for RSA priv. exponent D (>= 2048 bits)
  tpm2: Fixes for CVE-2023-1017 and CVE-2023-1018
  tpm2: Fix of SignedCompareB().
        NOTE: This fix may result in backwards compatibility issues with PCR policies used by TPM2_PolicyCounterTimer and TPM2_PolicyNV when upgrading from v0.9 to v0.10.

Signed-off-by: Mikko Rapeli
---
 .../libtpm/{libtpm_0.9.6.bb => libtpm_0.10.0.bb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta-tpm/recipes-tpm/libtpm/{libtpm_0.9.6.bb => libtpm_0.10.0.bb} (82%)
diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb b/meta-tpm/recipes-tpm/libtpm/libtpm_0.10.0.bb similarity index 82% rename from meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb rename to meta-tpm/recipes-tpm/libtpm/libtpm_0.10.0.bb index cd47155..a2c3a14 100644 --- a/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb +++ b/meta-tpm/recipes-tpm/libtpm/libtpm_0.10.0.bb 
@@ -2,10 +2,10 @@ SUMMARY = "LIBPM - Software TPM Library" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9" -SRCREV = "f8c2dc7e12a730dcca4220d7ac5ad86d13dfd630" -SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https" +SRCREV = "17f253a767f6b5b7813ae33f12bc79c479576cdc" +SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.10;protocol=https" -PE = "1" +PE = "2" S = "${WORKDIR}/git" inherit autotools-brokensep pkgconfig perlnative

From patchwork Fri Dec 20 14:04:30 2024 X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 54482
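Review bot: the PE bump from 1 to 2 in the libtpm_0.10.0.bb hunk of PATCH 06 above is not explained in the commit message; 0.10.0 already sorts after 0.9.6 under the usual numeric segment comparison, so if the epoch bump is needed (for example to get past an earlier mis-ordered version in a feed), state that in the message, otherwise drop it, since an epoch can never be lowered again. The commit message's NOTE on the SignedCompareB() fix (PCR policies built with TPM2_PolicyCounterTimer or TPM2_PolicyNV may stop validating when moving persisted state from v0.9 to v0.10) deserves a comment next to SRCREV in the recipe, because users carrying swtpm state across this upgrade will hit it long after the commit message is forgotten. Also, the context line SUMMARY = "LIBPM - Software TPM Library" has a typo (LIBPM) that is cheap to fix while the recipe is being touched, and please confirm that SRCREV 17f253a767f6b5b7813ae33f12bc79c479576cdc is the commit the v0.10.0 release link in the message points at.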
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 07/18] libtpm: rename to libtpms
Date: Fri, 20 Dec 2024 16:04:30 +0200
Message-ID: <20241220140441.271395-8-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/946

Upstream and other distros like Debian use package name libtpms so use this name for recipe too to match CVEs etc.

Signed-off-by: Mikko Rapeli
---
 meta-tpm/conf/distro/include/maintainers-meta-tpm.inc | 2 +-
 .../recipes-core/packagegroup/packagegroup-security-vtpm.bb | 2 +-
 .../recipes-tpm/libtpm/{libtpm_0.10.0.bb => libtpms_0.10.0.bb} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename meta-tpm/recipes-tpm/libtpm/{libtpm_0.10.0.bb => libtpms_0.10.0.bb} (100%)

diff --git a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc index e7b216d..77f843d 100644 --- a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc +++ b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc @@ -22,7 +22,7 @@ RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster " RECIPE_MAINTAINER:pn-pcr-extend = "Armin Kuster " RECIPE_MAINTAINER:pn-tpm-quote-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-libtpm = "Armin Kuster " +RECIPE_MAINTAINER:pn-libtpms = "Armin Kuster " RECIPE_MAINTAINER:pn-trousers = "Armin Kuster " RECIPE_MAINTAINER:pn-swtpm = "Armin Kuster " RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Armin Kuster "
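Review bot: the maintainers hunk renames the pn- key, but the rename in this patch leaves the recipe directory as meta-tpm/recipes-tpm/libtpm/ (the diffstat shows rename meta-tpm/recipes-tpm/libtpm/{libtpm_0.10.0.bb => libtpms_0.10.0.bb}), so the directory and the recipe name now disagree; rename the directory to libtpms as well so bbappends and searches for the package find it where they expect. If any other layer still has DEPENDS or RDEPENDS on "libtpm", adding PROVIDES = "libtpm" and RPROVIDES:${PN} = "libtpm" to the renamed recipe would keep those building across the rename.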
diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb index 3a8f2fa..3c67630 100644 --- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb +++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb @@ -9,6 +9,6 @@ PACKAGES = "packagegroup-security-vtpm" SUMMARY:packagegroup-security-vtpm = "Security Software vTPM support" RDEPENDS:packagegroup-security-vtpm = " \ - libtpm \ + libtpms \ swtpm \ " 
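Review bot: after the packagegroup hunk above the vtpm group pulls in libtpms, but the swtpm recipe in this same series still carries DEPENDS = "... libtpm json-glib" and RDEPENDS:${PN} = "libtpm" until PATCH 09 changes them, so between PATCH 07 and PATCH 09 nothing provides libtpm and packagegroup-security-vtpm does not build. Move the two swtpm dependency lines from PATCH 09 into this patch (or squash the two) so every commit in the series builds and bisects cleanly.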
diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.10.0.bb b/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb similarity index 100% rename from meta-tpm/recipes-tpm/libtpm/libtpm_0.10.0.bb rename to meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb

From patchwork Fri Dec 20 14:04:31 2024 X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 54481
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 08/18] libtpms: set CVE_PRODUCT
Date: Fri, 20 Dec 2024 16:04:31 +0200
Message-ID: <20241220140441.271395-9-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/947

Using vendor "libtpms_project" and product "libtpms" as in
https://nvd.nist.gov/vuln/detail/CVE-2021-3446

Matches CVEs better when analyzing with cve_check.bbclass.

Signed-off-by: Mikko Rapeli
---
 meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb b/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb index a2c3a14..55a4c01 100644 --- a/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb +++ b/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb
@@ -14,3 +14,5 @@ PACKAGECONFIG ?= "openssl" PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl" BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "libtpms_project:libtpms"

From patchwork Fri Dec 20 14:04:32 2024 X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 54484
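Review bot: the CVE_PRODUCT line in the libtpms_0.10.0.bb hunk of PATCH 08 above has the right vendor:product shape for cve_check.bbclass, but it lands in the recipe with no explanation; add a comment above it pointing at the NVD CPE it was taken from (the commit message cites CVE-2021-3446) so nobody later "simplifies" it back to the bare product name, which would also match unrelated products called libtpms. Since the 0.10.0 changelog quoted in PATCH 06 lists fixes for CVE-2023-1017 and CVE-2023-1018, it is worth running cve_check once after this change and confirming those two are reported as fixed for this version, adding CVE_STATUS entries if the NVD version ranges for this CPE do not cover them.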
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 09/18] swtpm: update from 0.8.2 to 0.10.0
Date: Fri, 20 Dec 2024 16:04:32 +0200
Message-ID: <20241220140441.271395-10-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/948

Improves error reporting among other things.

Changes:

https://github.com/stefanberger/swtpm/releases/tag/v0.10.0

version 0.10.0:
  swtpm:
    Requires libtpms v0.10.0
    Display tpmstate-opt-lock as a new capability
    Add support for lock option parameter to tpmstate option
    nvstore_linear: Add support for file-backend locking
    Remove broken logic to check for neither dir nor file backend
    Use ptm_cap_n to build PTM_GET_CAPABILITY response
    Define a structure to return PTM_GET_CAPABILITY result
    Implement --print-info to run TPMLIB_GetInfo with flags
    Support --profile fd= to read profile from file descriptor
    Support --profile file= to read profile from file
    Ignore remove-disabled parameter on non-'custom' profile
    Check for good entropy source in chroot environment
    Implement a check for HMAC+sha1 for testing future restriction
    Implement function to check whether a crypto algorithm is disabled
    Print cmdarg-print-profiles as part of capabilities
    Check whether SHA1 signature support is disabled in profile
    Use TPMLIB_WasManufactured to check whether profile was applied
    Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
    Add support for --print-profiles option
    Print profile names as part of capabilities JSON
    Display new capability to allow setting a profile
    Add support for --profile option to set a profile on TPM 2
  swtpm_setup:
    Comment flags for storage primary key and deprecate --create-spk
    Implement --print-profiles to display all profile
    Add profile entries to swtpm_setup.conf written by swtpm_setup
    Add support for --profile-name option
    Accept profiles with name starting with 'custom:'
    Support default profile from file in swtpm_setup.conf
    Support --profile-file-fd to read profile from file descriptor
    Support --profile-file to read profile from file
    Always log the active profile
    Implement --profile-remove-fips-disabled option
    Read default profile from swtpm_setup.conf
    Print profile names as part of capabilities JSON
    Add support for --profile parameter
    Get default rsa keysize from setup_setup.conf if not given
  swtpm_ioctl:
    Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
  selinux:
    Change write to append for appending to log
    Add rule for logging to svirt_image_t labeled files from swtpm_t
  tests:
    Update IBMTSS2 test suite to v2.4.0
    Test activation of PCR banks when not all are available
    Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
    Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
    Consolidate custom profile test cases and check for StateFormatLevel
    Convert test_samples_create_tpmca to run installed
    Mention test_tpm2_libtpms_versions_profiles requiring env. variables
    allow running ibmtss2 tests against installed version
    Derive support for CUSE from SWTPM_EXE help screen
    Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
    Extend test case testing across libtpms versions
    Add test case for testing profiles across libtpms versions
    Test the --profile option of swtpm_setup and swtpm
    teach them to run installed
    add installed-runner.sh
    install tests on the system
    lookup system binaries if INSTALLED is set
  build-sys:
    enable 64-bit file API on 32-bit systems
    Add -Wshadow to the CFLAGS
    Require that libtpms v0.10 is available for TPMLIB_SetProfile
  debian:
    Add rule to allow usage of /var/tmp directory (QEMU)
    Add rules for reading profiles from distro and local dirs
    Allow non-owner file write access in /var/lib/libvirt/swtpm/
    Add sys_admin capability to apparmor profile

https://github.com/stefanberger/swtpm/releases/tag/v0.9.0

version 0.9.0:
  Note: The SElinux policy for swtpm was completely redone. For systems with an SELinux policy the same policy (>= 40.17) as used in Fedora >= 40 is required due to changes in labels related to libvirt that made the re-development of the SELinux policy necessary.

  swtpm:
    Use umask() to create/truncated state file rather than fchmod()
    Use fchmod to set mode bits provided by user
    Replace mkstemp with g_mkstemp_full (Coverity)
    fix typo in help message
  cuse:
    Fix Coverity complaints regarding locks
    Fix double free in error path
    Close fd after main loop
    Restore logging to stderr on log open failure
  swtpm_setup:
    Fail --pcr-banks without --tpm2
    Fail --decryption or --allow-signing without --tpm2
    Initialized argv in get_swtpm_capabilities()
    Flush spk after persisting to create room for another key
    Refactor duplicate code into swtpm_tpm2_write_cert_nvram
    Move persisting of certificate into tpm2_persist_certificate
    Pass key_type to function creating filename for key
    Add scheme parameter before curveid to createprimary_ecc
    Rename is_ek to preserve for future extension
    Mask-out EK and platform certificate flags and set cert_flags
    Move common code into new function read_certificate_file()
    Exit with '0' upon --version rather than '1'
    Close file descriptors passed to swtpm process on parent side
    Make stdout unbuffered
    Use medium duration on TSC_PhysicalPresence to avoid timeouts
    Add poll() after write() and before read() to detect errors
  swtpm_localca:
    Add support for up to 20 bytes serial numbers
    Introduce --key as more generic alias for --ek
    Add missing NULL option to end of array
    Make stdout unbuffered
  swtpm_cert:
    Add support for serial numbers up to 20 bytes long
  swtpm_ioctl:
    Separate return code from flags
    Repeatedly call PTM_GET_INFO for long responses
  selinux:
    Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
    New SELinux policy that requires Fedora 40 or later
  tests:
    Fixed occurrences of stray '' before '-'
    Rearrange order of test cases to run some also as 'root'
    Add tests for command line options and combinations of options
    Add softhsm_setup to shellcheck'ed files and fix issues
    Add missing 'exit 1' on unexpected file size on --reconfigure
    Add test cases for swtpm_cert with max serial number
    Fix spelling mistakes
    reformat regexs for easier readability and extension
    ibmtss2: Add patch to disable x509 test with older libtpms
    Upgrade to ibmtss2 v2.0.1
    Fixed several issues detected by shellcheck
  build-sys:
    Add support for --disable-tests to disable tests
    Display GMP_LIBS and GMP_CFLAGS
    Only display warning if pkg-config for gmp fails
    Add gmp library and devel package as dependency
    use PKG_CHECK_MODULES to check libtpms version
  rpm:
    Add gmp library and devel package as dependency
    Split off SELinux files to build an selinux package
  debian:
    Sync AppArmor profile with what is used by Ubuntu
    Add gmp library and devel package as dependency
    Allow apparmor access to qemu session bus swtpm files

Signed-off-by: Mikko Rapeli
---
 .../swtpm/{swtpm_0.8.2.bb => swtpm_0.10.0.bb} | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 rename meta-tpm/recipes-tpm/swtpm/{swtpm_0.8.2.bb => swtpm_0.10.0.bb} (92%)

diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.2.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb similarity index 92% rename from meta-tpm/recipes-tpm/swtpm/swtpm_0.8.2.bb rename to meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb index b987f59..3e58c33 100644 --- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.2.bb +++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb
@@ -4,11 +4,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8" SECTION = "apps" # expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests -DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib" +DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpms json-glib" -SRCREV = "507d14219dde88eb3eb2d10d15872d4044aa9d3e" -SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.8;protocol=https" -PE = "1" +SRCREV = "54f4bb1e702a8b80d990ca00b6f72d5031dd131a" +SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.10;protocol=https" +PE = "2" S = "${WORKDIR}/git" 
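Review bot: the DEPENDS line in this hunk only swaps libtpm for libtpms, but the 0.9.0 changelog quoted in the commit message says gmp became a build dependency ("Add gmp library and devel package as dependency", with configure only warning when pkg-config for gmp fails), so in a Yocto sysroot configure will either not find gmp and quietly build without whatever needs it, or find it only because some other dependency happened to stage it; add gmp to DEPENDS (or to a PACKAGECONFIG) so the result is deterministic, and check the do_configure log for the gmp pkg-config result after the bump. As in PATCH 06, the PE bump from 1 to 2 is not explained in the commit message; state why it is needed or drop it.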
@@ -44,6 +44,6 @@ FILES:${PN}-cuse = "${bindir}/swtpm_cuse" INSANE_SKIP:${PN} += "dev-so" -RDEPENDS:${PN} = "libtpm" +RDEPENDS:${PN} = "libtpms" BBCLASSEXTEND = "native nativesdk"

From patchwork Fri Dec 20 14:04:33 2024 X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 54485
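Review bot: the RDEPENDS hunk of the swtpm_0.10.0.bb recipe in PATCH 09 above sets RDEPENDS:${PN} = "libtpms" with no version, although the changelog in the commit message states "swtpm: Requires libtpms v0.10.0"; an image or feed that pairs this swtpm with an older libtpms package would still assemble and only fail at run time. Write the requirement as RDEPENDS:${PN} = "libtpms (>= 0.10.0)" so the package manager enforces it; since the plain shared-library dependency is already generated from the binary's NEEDED entries, the explicit RDEPENDS is mainly useful for carrying exactly that version constraint.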
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 10/18] tpm2-tools: add dependency to efivar
Date: Fri, 20 Dec 2024 16:04:33 +0200
Message-ID: <20241220140441.271395-11-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/949

Without this there is a floating dependency which can fall back to the build host and possibly fail if the header file is found but the shared library is not.

Without this change the do_configure log shows:

checking for efivar... no
checking for efivar/efivar.h... no
../tpm2-tools-5.7/configure: line 15461: efivar: command not found

Signed-off-by: Mikko Rapeli
---
 meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb index bb422cf..fec5e1c 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb
@@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=a846608d090aa64494c45fc147cc12e3" SECTION = "tpm" -DEPENDS = "tpm2-tss openssl curl" +DEPENDS = "tpm2-tss openssl curl efivar" SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"

From patchwork Fri Dec 20 14:04:34 2024 X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 54483
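Review bot: adding efivar to DEPENDS in the tpm2-tools_5.7.bb hunk of PATCH 10 above makes the detection deterministic, which is the right fix for the floating dependency the commit message shows, but it also makes efivar mandatory for every tpm2-tools build, including non-UEFI targets that have no use for it; if upstream's configure exposes a switch for the efivar feature, a PACKAGECONFIG entry (defaulting on for machines that carry the relevant MACHINE_FEATURES) would make both states explicit instead of always-on. Separately, efivar is not an oe-core recipe, so confirm that the layer providing it is listed in meta-tpm's LAYERDEPENDS in conf/layer.conf; otherwise this change turns an intermittent configure warning into a hard "Nothing PROVIDES 'efivar'" failure for users who do not have that layer enabled.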

From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 11/18] u-boot: enable TPM support via "tpm2" in MACHINE_FEATURES
Date: Fri, 20 Dec 2024 16:04:34 +0200
Message-ID: <20241220140441.271395-12-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/950

"tpm2" is used elsewhere in distro and machine features to enable TPM device support.

Signed-off-by: Mikko Rapeli
---
 meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend
index c5d2923..d1d61f8 100644
--- a/meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -1,3 +1,3 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" -SRC_URI += "${@bb.utils.contains("MACHINE_FEATURES", "measured-boot", "file://measured-boot.cfg", "", d)}" \ No newline at end of file +SRC_URI += "${@bb.utils.contains("MACHINE_FEATURES", "tpm2", "file://measured-boot.cfg", "", d)}"
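
Review bot: the `-` line drops the `measured-boot` machine feature outright, so a machine configuration that still sets `MACHINE_FEATURES += "measured-boot"` silently stops receiving measured-boot.cfg instead of failing loudly; the commit message should call out the rename, or the old name could be accepted alongside `tpm2` for a release cycle. This is also the one patch in the series that keys on MACHINE_FEATURES while patches 12 and 13 key the same `tpm2` switch on DISTRO_FEATURES; that split is defensible (the machine declares the device, the distro opts into the software) but deserves a sentence in the commit message. The `+` line fixing the missing newline at end of file is a welcome side effect.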

From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 12/18] systemd: enable TPM support
Date: Fri, 20 Dec 2024 16:04:35 +0200
Message-ID: <20241220140441.271395-13-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/951

Enable "tpm2" support if "tpm2" is in DISTRO_FEATURES. Also enable the cryptsetup, openssl and repart features, which are needed to use the TPM device to encrypt filesystems with systemd configuration.

See: https://www.freedesktop.org/software/systemd/man/latest/systemd-repart.html#--tpm2-device=

Signed-off-by: Mikko Rapeli
---
 .../recipes-core/systemd/systemd_%.bbappend | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 meta-tpm/recipes-core/systemd/systemd_%.bbappend

diff --git a/meta-tpm/recipes-core/systemd/systemd_%.bbappend b/meta-tpm/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 0000000..82b79ba
--- /dev/null
+++ b/meta-tpm/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1,17 @@ +PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2', '', d)}" + +# for encrypted filesystems +PACKAGECONFIG:append = " \ + ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'cryptsetup cryptsetup-plugins efi openssl repart', '', d)} \ +" + +# ukify.py and systemd-measure don't work in cross compile environment without +# a tpm2 device, thus switch from measured-uki (new in v256) back to tpm2 +# (default before v256). +# TODO: use swtpm-native to calculate TPM measurements +do_install:append() { + if "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'true', 'false', d)}"; then + sed -i -e "s/^ConditionSecurity=measured-uki/ConditionSecurity=tpm2/g" \ + $( grep -rl ^ConditionSecurity=measured-uki ${D} ) + fi +}
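
Review bot: the `$( grep -rl ^ConditionSecurity=measured-uki ${D} )` argument in do_install:append is unquoted and unguarded, so when nothing matches (a systemd version that ships no `ConditionSecurity=measured-uki` unit) sed is run with no input files and do_install fails under the task's `set -e`; `grep -rlZ ^ConditionSecurity=measured-uki ${D} | xargs -0r sed -i -e ...` runs sed only when there is something to edit and also survives paths with spaces. Two smaller points: both `PACKAGECONFIG:append` lines are gated on the same `tpm2` feature and could be one assignment, and the commit message lists cryptsetup, openssl and repart while the hunk also turns on `cryptsetup-plugins` and `efi`. Finally, rewriting `ConditionSecurity=measured-uki` to `ConditionSecurity=tpm2` relaxes those units' condition from "booted via a measured UKI" to "a TPM2 is present", so they will now run on TPM-equipped systems whose boot chain was not measured that way; the comment in the hunk explains the cross-compile motivation, but the weakened condition belongs in the commit message as well.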

From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 13/18] systemd-boot: enable TPM support via "tpm2" in DISTRO_FEATURES
Date: Fri, 20 Dec 2024 16:04:36 +0200
Message-ID: <20241220140441.271395-14-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/952

systemd-boot will then measure boot components into the TPM device.

Signed-off-by: Mikko Rapeli
---
 meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend

diff --git a/meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend
new file mode 100644
index 0000000..712a764
--- /dev/null
+++ b/meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend
@@ -0,0 +1,7 @@ +DEPENDS += "\ + ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2-tss libtss2 libtss2-tcti-device', '', d)} \ +" + +EXTRA_OEMESON:append= "\ + ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '-Dtpm2=true', '', d)} \ +"
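
Review bot: `EXTRA_OEMESON:append= "\` has no space before the `=`; BitBake accepts it, but every other assignment in this series is written `:append = "`, so align it. On the DEPENDS line, `libtss2` and `libtss2-tcti-device` are package names produced by the tpm2-tss recipe rather than recipe names; DEPENDS resolves build-time providers, so these entries only work if tpm2-tss also PROVIDES those names, and since `tpm2-tss` itself is already in the list they add nothing either way and can be dropped. Lastly, the subject enables measurement via `tpm2` in DISTRO_FEATURES while patch 11 gates the u-boot equivalent on MACHINE_FEATURES; one sentence in the commit message on why the two bootloaders differ would help readers of the series.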

From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 14/18] harden.conf: expand debug-tweaks
Date: Fri, 20 Dec 2024 16:04:37 +0200
Message-ID: <20241220140441.271395-15-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/953

debug-tweaks was replaced with allow-empty-password, empty-root-password and allow-root-login, so remove them from the build config.

Signed-off-by: Mikko Rapeli
---
 meta-hardening/conf/distro/harden.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf
index 1a5eb3d..2553152 100644
--- a/meta-hardening/conf/distro/harden.conf
+++ b/meta-hardening/conf/distro/harden.conf
@@ -6,6 +6,6 @@ DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost" VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog" IMAGE_ROOTFS_EXTRA_SPACE = "524288" -EXTRA_IMAGE_FEATURES:remove = "debug-tweaks" +EXTRA_IMAGE_FEATURES:remove = "allow-empty-password empty-root-password allow-root-login" DISABLE_ROOT ?= "True"
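
Review bot: the `-` line takes `debug-tweaks` out of the :remove list, but `:remove` strips literal tokens only, so a local.conf or distro config that still writes `EXTRA_IMAGE_FEATURES += "debug-tweaks"` (as local.conf.sample has long done) is no longer neutralised by harden.conf wherever the image classes still accept that feature name, and the image ends up with exactly the empty root password and root login this line exists to forbid. Keeping `debug-tweaks` in the list alongside the three expanded names costs nothing and closes that gap, and the commit message should say that both spellings are removed on purpose.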

From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 15/18] linux-yocto: enable ecryptfs
Date: Fri, 20 Dec 2024 16:04:38 +0200
Message-ID: <20241220140441.271395-16-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/954

Build ecryptfs as a module. It is needed by the userspace counterparts in ecryptfs-utils, which are currently failing to start correctly and thus downgrading the systemd boot status from RUNNING to DEGRADED. The fix is to build and install the kernel module.

Signed-off-by: Mikko Rapeli
---
 recipes-kernel/linux/linux-yocto_security.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-kernel/linux/linux-yocto_security.inc b/recipes-kernel/linux/linux-yocto_security.inc
index b79af80..3a2ff96 100644
--- a/recipes-kernel/linux/linux-yocto_security.inc
+++ b/recipes-kernel/linux/linux-yocto_security.inc
@@ -3,4 +3,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:" KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" KERNEL_FEATURES:append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" +KERNEL_FEATURES:append = " features/ecryptfs/ecryptfs.scc" SRC_URI += " ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "file://lkrg.scc", "" ,d)}"
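
Review bot: the new `KERNEL_FEATURES:append = " features/ecryptfs/ecryptfs.scc"` line is unconditional while every neighbouring line in the hunk is gated on a DISTRO_FEATURES or IMAGE_CLASSES check, so every kernel built from this .inc now carries the ecryptfs module whether or not ecryptfs-utils is in the image; since this is the security layer's kernel configuration, gating it the same way (for example on a distro feature that the ecryptfs-utils side can test too) keeps an unused filesystem out of kernels that do not need it. The module only cures the DEGRADED boot described in the commit message if it is also installed on the target, which is what patch 16's RRECOMMENDS does, so the two patches should reference each other.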

From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 16/18] ecryptfs-utils: depend on ecryptfs kernel module
Date: Fri, 20 Dec 2024 16:04:39 +0200
Message-ID: <20241220140441.271395-17-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/955

The ecryptfs-utils userspace daemon fails to start if the kernel module is not available on the target.

Signed-off-by: Mikko Rapeli
---
 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index 83d37d6..83246a2 100644
--- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -69,4 +69,7 @@ do_install:append() { FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" RDEPENDS:${PN} += "cryptsetup" -RRECOMMENDS:${PN} = "gettext-runtime" +RRECOMMENDS:${PN} = " \ + gettext-runtime \ + kernel-module-ecryptfs \ +"
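
Review bot: the commit message describes a hard runtime requirement (the daemon does not start without the module), yet the hunk adds `kernel-module-ecryptfs` to RRECOMMENDS, which NO_RECOMMENDATIONS or BAD_RECOMMENDATIONS can drop, so the DEGRADED boot from patch 15 can still occur on images that prune recommendations; `RDEPENDS:${PN}`, which the line above already uses for cryptsetup, would enforce it, at the price of failing image builds whose kernel lacks the module. If RRECOMMENDS is the deliberate choice so that kernels without ecryptfs stay buildable, state that trade-off in the commit message.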
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 17/18] oeqa runtime clamav.py: skip test_freshclam_download with systemd
Date: Fri, 20 Dec 2024 16:04:40 +0200
Message-ID: <20241220140441.271395-18-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/956

systemd service files already start a download at boot, which locks the files and thus the test fails. Instead of this test, with systemd it is sufficient to check that all systemd services succeeded.

Signed-off-by: Mikko Rapeli
--- lib/oeqa/runtime/cases/clamav.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/oeqa/runtime/cases/clamav.py b/lib/oeqa/runtime/cases/clamav.py index bcafc84..bd451ce 100644 --- a/lib/oeqa/runtime/cases/clamav.py +++ b/lib/oeqa/runtime/cases/clamav.py @@ -6,6 +6,7 @@ from tempfile import mkstemp from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfFeature class ClamavTest(OERuntimeTestCase):
@@ -48,6 +49,7 @@ class ClamavTest(OERuntimeTestCase): self.assertEqual(status, 0, msg = msg) @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) + @skipIfFeature('systemd','systemd in DISTRO_FEATURES means update job is already running') def test_freshclam_download(self): status, output = self.target.run('freshclam --show-progress') msg = ('freshclam : DB dowbload failed. '
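Review bot: The @skipIfFeature line in the test_freshclam_download hunk only removes the check on systemd images; the commit message says it is sufficient to check that all systemd services succeeded, but nothing in this two-insertion patch adds that check, so please name in the commit message which existing test covers the freshclam service state, otherwise a failed signature download goes unobserved on systemd targets. While here, the context line `msg = ('freshclam : DB dowbload failed. '` carries a typo ("dowbload") that could be fixed in passing.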
From: Mikko Rapeli
To: yocto-patches@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [meta-security][PATCH 18/18] oeqa runtime ima.py: skip without "integrity" in DISTRO_FEATURES
Date: Fri, 20 Dec 2024 16:04:41 +0200
Message-ID: <20241220140441.271395-19-mikko.rapeli@linaro.org>
In-Reply-To: <20241220140441.271395-1-mikko.rapeli@linaro.org>
References: <20241220140441.271395-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/957

ima and meta-integrity are not enabled without and the test fails.

Signed-off-by: Mikko Rapeli
--- meta-integrity/lib/oeqa/runtime/cases/ima.py | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py index 6b361ca..23d9b6a 100644 --- a/meta-integrity/lib/oeqa/runtime/cases/ima.py +++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py @@ -27,6 +27,7 @@ class IMACheck(OERuntimeTestCase): @OETestDepends(['ssh.SSHTest.test_ssh']) + @skipIfNotFeature('integrity','Test requires "integrity" in DISTRO_FEATURES') def test_ima_enabled(self): ''' Test if IMA policy is loaded before systemd starts'''
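Review bot: The test_ima_enabled hunk adds @skipIfNotFeature but, unlike the clamav.py patch in this series, there is no accompanying import hunk (the diffstat reports a single insertion), so please confirm that ima.py already imports skipIfNotFeature from oeqa.core.decorator.data; if it does not, the decorator raises NameError when the test module is collected, which turns a skip into a load failure for every test in the file. The commit message is also missing a word after "without"; spelling out the condition that enables ima and meta-integrity would make the log entry self-explanatory.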