From patchwork Fri Feb 28 14:42:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58094 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 1/4] elfutils: Fix multiple CVEs Date: Fri, 28 Feb 2025 06:42:57 -0800 Message-ID: <938676089fb5da383b7daf6c5e6348079ecf5674.1740753632.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Feb 2025 14:43:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212061 From: Hitendra Prajapati Backport fixes for: * CVE-2025-1352 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 * CVE-2025-1365 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81 * CVE-2025-1372 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../elfutils/elfutils_0.191.bb | 3 + .../elfutils/files/CVE-2025-1352.patch | 153 ++++++++++++++++++ .../elfutils/files/CVE-2025-1365.patch | 151 +++++++++++++++++ .../elfutils/files/CVE-2025-1372.patch | 50 ++++++ 4 files changed, 357 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb index c4d872430b..85e024179b 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb 
@@ -23,6 +23,9 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \ file://0001-debuginfod-Remove-unused-variable.patch \ file://0001-srcfiles-fix-unused-variable-BUFFER_SIZE.patch \ + file://CVE-2025-1352.patch \ + file://CVE-2025-1365.patch \ + file://CVE-2025-1372.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch new file mode 100644 index 0000000000..5710905449 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch 
@@ -0,0 +1,153 @@ +From 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sat, 8 Feb 2025 20:00:12 +0100 +Subject: [PATCH] libdw: Simplify __libdw_getabbrev and fix dwarf_offabbrev + issue + +__libdw_getabbrev could crash on reading a bad abbrev by trying to +deallocate memory it didn't allocate itself. This could happen because +dwarf_offabbrev would supply its own memory when calling +__libdw_getabbrev. No other caller did this. + +Simplify the __libdw_getabbrev common code by not taking external +memory to put the abbrev result in (this would also not work correctly +if the abbrev was already cached). And make dwarf_offabbrev explicitly +copy the result (if there was no error or end of abbrev). + + * libdw/dwarf_getabbrev.c (__libdw_getabbrev): Don't take + Dwarf_Abbrev result argument. Always just allocate abb when + abbrev not found in cache. + (dwarf_getabbrev): Don't pass NULL as last argument to + __libdw_getabbrev. + * libdw/dwarf_tag.c (__libdw_findabbrev): Likewise. + * libdw/dwarf_offabbrev.c (dwarf_offabbrev): Likewise. And copy + abbrev into abbrevp on success. + * libdw/libdw.h (dwarf_offabbrev): Document return values. + * libdw/libdwP.h (__libdw_getabbrev): Don't take Dwarf_Abbrev + result argument. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32650 + +Signed-off-by: Mark Wielaard + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753] +CVE: CVE-2025-1352 +Signed-off-by: Hitendra Prajapati +--- + libdw/dwarf_getabbrev.c | 12 ++++-------- + libdw/dwarf_offabbrev.c | 10 +++++++--- + libdw/dwarf_tag.c | 3 +-- + libdw/libdw.h | 4 +++- + libdw/libdwP.h | 3 +-- + 5 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c +index 5b02333..d9a6c02 100644 +--- a/libdw/dwarf_getabbrev.c ++++ b/libdw/dwarf_getabbrev.c +@@ -1,5 +1,6 @@ + /* Get abbreviation at given offset. 
+ Copyright (C) 2003, 2004, 2005, 2006, 2014, 2017 Red Hat, Inc. ++ Copyright (C) 2025 Mark J. Wielaard + This file is part of elfutils. + Written by Ulrich Drepper , 2003. + +@@ -38,7 +39,7 @@ + Dwarf_Abbrev * + internal_function + __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, +- size_t *lengthp, Dwarf_Abbrev *result) ++ size_t *lengthp) + { + /* Don't fail if there is not .debug_abbrev section. */ + if (dbg->sectiondata[IDX_debug_abbrev] == NULL) +@@ -85,12 +86,7 @@ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, + Dwarf_Abbrev *abb = NULL; + if (cu == NULL + || (abb = Dwarf_Abbrev_Hash_find (&cu->abbrev_hash, code)) == NULL) +- { +- if (result == NULL) +- abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); +- else +- abb = result; +- } ++ abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); + else + { + foundit = true; +@@ -183,5 +179,5 @@ dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, size_t *lengthp) + return NULL; + } + +- return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp, NULL); ++ return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp); + } +diff --git a/libdw/dwarf_offabbrev.c b/libdw/dwarf_offabbrev.c +index 27cdad6..41df69b 100644 +--- a/libdw/dwarf_offabbrev.c ++++ b/libdw/dwarf_offabbrev.c +@@ -41,11 +41,15 @@ dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + if (dbg == NULL) + return -1; + +- Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp, +- abbrevp); ++ Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp); + + if (abbrev == NULL) + return -1; + +- return abbrev == DWARF_END_ABBREV ? 1 : 0; ++ if (abbrev == DWARF_END_ABBREV) ++ return 1; ++ ++ *abbrevp = *abbrev; ++ ++ return 0; + } +diff --git a/libdw/dwarf_tag.c b/libdw/dwarf_tag.c +index d784970..218382a 100644 +--- a/libdw/dwarf_tag.c ++++ b/libdw/dwarf_tag.c +@@ -53,8 +53,7 @@ __libdw_findabbrev (struct Dwarf_CU *cu, unsigned int code) + + /* Find the next entry. 
It gets automatically added to the + hash table. */ +- abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length, +- NULL); ++ abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length); + if (abb == NULL || abb == DWARF_END_ABBREV) + { + /* Make sure we do not try to search for it again. */ +diff --git a/libdw/libdw.h b/libdw/libdw.h +index d53dc78..ec4713a 100644 +--- a/libdw/libdw.h ++++ b/libdw/libdw.h +@@ -587,7 +587,9 @@ extern int dwarf_srclang (Dwarf_Die *die); + extern Dwarf_Abbrev *dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, + size_t *lengthp); + +-/* Get abbreviation at given offset in .debug_abbrev section. */ ++/* Get abbreviation at given offset in .debug_abbrev section. On ++ success return zero and fills in ABBREVP. When there is no (more) ++ abbrev at offset returns one. On error returns a negative value. */ + extern int dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + Dwarf_Abbrev *abbrevp) + __nonnull_attribute__ (4); +diff --git a/libdw/libdwP.h b/libdw/libdwP.h +index 8b2f06f..f0f4b78 100644 +--- a/libdw/libdwP.h ++++ b/libdw/libdwP.h +@@ -783,8 +783,7 @@ extern Dwarf_Abbrev *__libdw_findabbrev (struct Dwarf_CU *cu, + + /* Get abbreviation at given offset. */ + extern Dwarf_Abbrev *__libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, +- Dwarf_Off offset, size_t *lengthp, +- Dwarf_Abbrev *result) ++ Dwarf_Off offset, size_t *lengthp) + __nonnull_attribute__ (1) internal_function; + + /* Get abbreviation of given DIE, and optionally set *READP to the DIE memory +-- +2.25.1 + diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch new file mode 100644 index 0000000000..002ce334a3 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch 
@@ -0,0 +1,151 @@ +From 5e5c0394d82c53e97750fe7b18023e6f84157b81 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sat, 8 Feb 2025 21:44:56 +0100 +Subject: [PATCH] libelf, readelf: Use validate_str also to check dynamic + symstr data + +When dynsym/str was read through eu-readelf --dynamic by readelf +process_symtab the string data was not validated, possibly printing +unallocated memory past the end of the symstr data. Fix this by +turning the elf_strptr validate_str function into a generic +lib/system.h helper function and use it in readelf to validate the +strings before use. + + * libelf/elf_strptr.c (validate_str): Remove to... + * lib/system.h (validate_str): ... here. Make inline, simplify + check and document. + * src/readelf.c (process_symtab): Use validate_str on symstr_data. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32654 + +Signed-off-by: Mark Wielaard + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81] +CVE: CVE-2025-1365 +Signed-off-by: Hitendra Prajapati +--- + lib/system.h | 27 +++++++++++++++++++++++++++ + libelf/elf_strptr.c | 18 ------------------ + src/readelf.c | 18 +++++++++++++++--- + 3 files changed, 42 insertions(+), 21 deletions(-) + +diff --git a/lib/system.h b/lib/system.h +index 0db12d9..0698e5f 100644 +--- a/lib/system.h ++++ b/lib/system.h +@@ -34,6 +34,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -117,6 +118,32 @@ startswith (const char *str, const char *prefix) + return strncmp (str, prefix, strlen (prefix)) == 0; + } + ++/* Return TRUE if STR[FROM] is a valid string with a zero terminator ++ at or before STR[TO - 1]. Note FROM is an index into the STR ++ array, while TO is the maximum size of the STR array. This ++ function returns FALSE when TO is zero or FROM >= TO. 
*/ ++static inline bool ++validate_str (const char *str, size_t from, size_t to) ++{ ++#if HAVE_DECL_MEMRCHR ++ // Check end first, which is likely a zero terminator, ++ // to prevent function call ++ return (to > 0 ++ && (str[to - 1] == '\0' ++ || (to > from ++ && memrchr (&str[from], '\0', to - from - 1) != NULL))); ++#else ++ do { ++ if (to <= from) ++ return false; ++ ++ to--; ++ } while (str[to]); ++ ++ return true; ++#endif ++} ++ + /* A special gettext function we use if the strings are too short. */ + #define sgettext(Str) \ + ({ const char *__res = strrchr (_(Str), '|'); \ +diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c +index 79a24d2..c5a94f8 100644 +--- a/libelf/elf_strptr.c ++++ b/libelf/elf_strptr.c +@@ -53,24 +53,6 @@ get_zdata (Elf_Scn *strscn) + return zdata; + } + +-static bool validate_str (const char *str, size_t from, size_t to) +-{ +-#if HAVE_DECL_MEMRCHR +- // Check end first, which is likely a zero terminator, to prevent function call +- return ((to > 0 && str[to - 1] == '\0') +- || (to - from > 0 && memrchr (&str[from], '\0', to - from - 1) != NULL)); +-#else +- do { +- if (to <= from) +- return false; +- +- to--; +- } while (str[to]); +- +- return true; +-#endif +-} +- + char * + elf_strptr (Elf *elf, size_t idx, size_t offset) + { +diff --git a/src/readelf.c b/src/readelf.c +index 0e93118..63eb548 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -2639,6 +2639,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx, + char typebuf[64]; + char bindbuf[64]; + char scnbuf[64]; ++ const char *sym_name; + Elf32_Word xndx; + GElf_Sym sym_mem; + GElf_Sym *sym +@@ -2650,6 +2651,19 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx, + /* Determine the real section index. 
*/ + if (likely (sym->st_shndx != SHN_XINDEX)) + xndx = sym->st_shndx; ++ if (use_dynamic_segment == true) ++ { ++ if (validate_str (symstr_data->d_buf, sym->st_name, ++ symstr_data->d_size)) ++ sym_name = (char *)symstr_data->d_buf + sym->st_name; ++ else ++ sym_name = NULL; ++ } ++ else ++ sym_name = elf_strptr (ebl->elf, idx, sym->st_name); ++ ++ if (sym_name == NULL) ++ sym_name = "???"; + + printf (_ ("\ + %5u: %0*" PRIx64 " %6" PRId64 " %-7s %-6s %-9s %6s %s"), +@@ -2662,9 +2676,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx, + get_visibility_type (GELF_ST_VISIBILITY (sym->st_other)), + ebl_section_name (ebl, sym->st_shndx, xndx, scnbuf, + sizeof (scnbuf), NULL, shnum), +- use_dynamic_segment == true +- ? (char *)symstr_data->d_buf + sym->st_name +- : elf_strptr (ebl->elf, idx, sym->st_name)); ++ sym_name); + + if (versym_data != NULL) + { +-- +2.25.1 + diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch new file mode 100644 index 0000000000..812a098447 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch 
@@ -0,0 +1,50 @@ +From 73db9d2021cab9e23fd734b0a76a612d52a6f1db Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sun, 9 Feb 2025 00:07:39 +0100 +Subject: [PATCH] readelf: Skip trying to uncompress sections without a name + +When combining eu-readelf -z with -x or -p to dump the data or strings +in an (corrupted ELF) unnamed numbered section eu-readelf could crash +trying to check whether the section name starts with .zdebug. Fix this +by skipping sections without a name. + + * src/readelf.c (dump_data_section): Don't try to gnu decompress a + section without a name. + (print_string_section): Likewise. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32656 + +Signed-off-by: Mark Wielaard + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db] +CVE: CVE-2025-1372 +Signed-off-by: Hitendra Prajapati +--- + src/readelf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/readelf.c b/src/readelf.c +index 63eb548..fc04556 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -13327,7 +13327,7 @@ dump_data_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +@@ -13378,7 +13378,7 @@ print_string_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +-- +2.25.1 +
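Review bot: in the libdw/libdw.h hunk of CVE-2025-1352.patch, the new comment for dwarf_offabbrev documents the three return values but not the state of ABBREVP on the non-zero ones. In the dwarf_offabbrev.c hunk the assignment "*abbrevp = *abbrev;" sits after both early returns, so ABBREVP is written only when zero is returned; the comment should say it is left untouched when one or a negative value is returned. The comment also mixes "return zero and fills in" with "returns one", so pick one verb form.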
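Review bot: in the libdw/dwarf_getabbrev.c hunk of CVE-2025-1352.patch (the block at -85,12), the cu == NULL path now always takes "abb = libdw_typed_alloc (dbg, Dwarf_Abbrev);", and the only caller shown passing a NULL cu, dwarf_offabbrev, copies the result into *abbrevp and drops the pointer. Nothing in the visible lines releases that allocation on the success path, so a caller that walks a whole .debug_abbrev section through dwarf_offabbrev takes one allocation from dbg per abbrev. A sentence in the patch description or a comment in dwarf_offabbrev stating the expected lifetime of that memory would close the question.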
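Review bot: in the lib/system.h hunk of CVE-2025-1365.patch, the HAVE_DECL_MEMRCHR branch of validate_str does not implement the documented "returns FALSE when TO is zero or FROM >= TO". When str[to - 1] == '\0' the first alternative of the || succeeds before "to > from" is tested, so the function returns true for any FROM, while the #else loop returns false as soon as to <= from. The new caller in the src/readelf.c hunk passes sym->st_name as FROM with no separate bounds check in the shown lines and forms symstr_data->d_buf + sym->st_name on a true result. Suggest testing the range first in the memrchr branch, for example "to > from && (str[to - 1] == '\0' || memrchr (&str[from], '\0', to - from - 1) != NULL)", so both branches agree with the comment.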
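Review bot: both src/readelf.c hunks of CVE-2025-1372.patch guard only the ".zdebug" test, so name is still NULL for the remainder of dump_data_section and print_string_section, which lies outside the shown context. Please confirm that the later uses of name in those two functions tolerate NULL, or normalise it once at function entry instead of at each startswith call. As a style point, "name != NULL &&" reads more clearly than the bare "name &&" for a pointer test.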
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 2/4] u-boot: kernel-fitimage: Restore FIT_SIGN_INDIVIDUAL="1" behavior Date: Fri, 28 Feb 2025 06:42:58 -0800 Message-ID: <699822a163a4efa32735f75d21fde4ffa195c0e0.1740753632.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Feb 2025 14:43:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212062 
From: Marek Vasut OE FIT_SIGN_INDIVIDUAL is implemented in an unusual manner, where the resulting signed fitImage contains both signed images and signed configurations, possibly using different keys. This kind of signing of images is redundant, but so is the behavior of FIT_SIGN_INDIVIDUAL="1" and that is here to stay. Adjust the process of public key insertion into u-boot.dtb such that if FIT_SIGN_INDIVIDUAL==1, the image signing key is inserted into u-boot.dtb first, and in any case the configuration signing key is inserted into u-boot.dtb last. The verification of the keys inserted into u-boot.dtb against unused.itb is performed only for FIT_SIGN_INDIVIDUAL!=1 due to mkimage limitation, which does not allow mkimage -f auto-conf to update the generated unused.itb, and instead rewrites it. Fixes: 259bfa86f384 ("u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled") Signed-off-by: Marek Vasut Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 0106e5efab99c8016836a2ab71e2327ce58a9a9d) Signed-off-by: Jose Quaresma Signed-off-by: Steve Sakoman --- meta/classes-recipe/uboot-sign.bbclass | 60 ++++++++++++++++++++++---- 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 96c47ab016..5c579a9fb0 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass 
@@ -101,27 +101,69 @@ concat_dtb() { binary="$2" if [ -e "${UBOOT_DTB_BINARY}" ]; then - # Re-sign the kernel in order to add the keys to our dtb - UBOOT_MKIMAGE_MODE="auto-conf" # Signing individual images is not recommended as that # makes fitImage susceptible to mix-and-match attack. + # + # OE FIT_SIGN_INDIVIDUAL is implemented in an unusual manner, + # where the resulting signed fitImage contains both signed + # images and signed configurations. This is redundant. In + # order to prevent mix-and-match attack, it is sufficient + # to sign configurations. The FIT_SIGN_INDIVIDUAL = "1" + # support is kept to avoid breakage of existing layers, but + # it is highly recommended to avoid FIT_SIGN_INDIVIDUAL = "1", + # i.e. set FIT_SIGN_INDIVIDUAL = "0" . if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then - UBOOT_MKIMAGE_MODE="auto" + # Sign dummy image images in order to + # add the image signing keys to our dtb + ${UBOOT_MKIMAGE_SIGN} \ + ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + -f auto \ + -k "${UBOOT_SIGN_KEYDIR}" \ + -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \ + -g "${UBOOT_SIGN_IMG_KEYNAME}" \ + -K "${UBOOT_DTB_BINARY}" \ + -d /dev/null \ + -r ${B}/unused.itb \ + ${UBOOT_MKIMAGE_SIGN_ARGS} fi + + # Sign dummy image configurations in order to + # add the configuration signing keys to our dtb ${UBOOT_MKIMAGE_SIGN} \ ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ - -f $UBOOT_MKIMAGE_MODE \ + -f auto-conf \ -k "${UBOOT_SIGN_KEYDIR}" \ -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \ - -g "${UBOOT_SIGN_IMG_KEYNAME}" \ + -g "${UBOOT_SIGN_KEYNAME}" \ -K "${UBOOT_DTB_BINARY}" \ -d /dev/null \ -r ${B}/unused.itb \ ${UBOOT_MKIMAGE_SIGN_ARGS} - # Verify the kernel image and u-boot dtb - ${UBOOT_FIT_CHECK_SIGN} \ - -k "${UBOOT_DTB_BINARY}" \ - -f ${B}/unused.itb + + # Verify the dummy fitImage signature against u-boot.dtb + # augmented using public key material. 
+ # + # This only works for FIT_SIGN_INDIVIDUAL = "0", because + # mkimage -f auto-conf does not support -F to extend the + # existing unused.itb , and instead rewrites unused.itb + # from scratch. + # + # Using two separate unused.itb for mkimage -f auto and + # mkimage -f auto-conf invocation above would not help, as + # the signature verification process below checks whether + # all keys inserted into u-boot.dtb /signature node pass + # the verification. Separate unused.itb would each miss one + # of the signatures. + # + # The FIT_SIGN_INDIVIDUAL = "1" support is kept to avoid + # breakage of existing layers, but it is highly recommended + # to not use FIT_SIGN_INDIVIDUAL = "1", i.e. set + # FIT_SIGN_INDIVIDUAL = "0" . + if [ "${FIT_SIGN_INDIVIDUAL}" != "1" ] ; then + ${UBOOT_FIT_CHECK_SIGN} \ + -k "${UBOOT_DTB_BINARY}" \ + -f ${B}/unused.itb + fi cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} fi
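Review bot: in the concat_dtb hunk of uboot-sign.bbclass, the FIT_SIGN_INDIVIDUAL = "1" path ends up with no verification at all, because ${UBOOT_FIT_CHECK_SIGN} now runs only under the test "${FIT_SIGN_INDIVIDUAL}" != "1". In that mode the build relies solely on the exit status of the two mkimage calls to know that both keys reached ${UBOOT_DTB_BINARY}. Consider a lighter check for that mode before the cp to ${UBOOT_DTB_SIGNED}, such as confirming that the /signature node of the dtb holds a key node for both ${UBOOT_SIGN_IMG_KEYNAME} and ${UBOOT_SIGN_KEYNAME}. Two smaller points: the first mkimage call passes -g "${UBOOT_SIGN_IMG_KEYNAME}" without checking that the variable is set, and the comment "Sign dummy image images" has a doubled word.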
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 3/4] meta: Enable '-o pipefail' for the SDK installer Date: Fri, 28 Feb 2025 06:42:59 -0800 Message-ID: <940159f060e9a851cc9ff5a9e1c590ed8de4b38e.1740753632.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Feb 2025 14:43:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212063 
From: Moritz Haase When testing a Yocto SDK installer on Alpine 3.21, we recently ended up with a broken SDK. One of the commands the relocation script calls in a piped multi-command chain failed (see [0]), but the installer did not realize that - since it doesn't use 'set -o pipefail'. Thus, the error was never reported to the user and the installer claimed to have set up the SDK correctly - which wasn't the case. Given that the SDK installer is a POSIX-compliant shell script and that the 'pipefail' option used to be missing from the standard, it's not surprising that it isn't used. Thankfully however, in June of 2024, a new version of POSIX (POSIX.1-2024) was released - and that one finally includes the 'pipefail' option (see [1]). A number of shells already support it, so let's enable it if available to make the SDK installer more robust. The change has been tested locally using SDK installers for internal projects, based on both Kirkstone and Scarthgap. [0]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/16797 [1]: https://pubs.opengroup.org/onlinepubs/9799919799.2024edition/utilities/V3_chap02.html#set (From OE-Core rev: 1cb4b41c7faf77fcc347b1276d86d4288968c926) Signed-off-by: Moritz Haase Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 10dce263f0230f94a44a017b5614811e696c5ce9) Signed-off-by: Akash Hadke Signed-off-by: Steve Sakoman --- meta/files/toolchain-shar-extract.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh index 3b4647fca7..29c52e3b13 100644 --- a/meta/files/toolchain-shar-extract.sh +++ b/meta/files/toolchain-shar-extract.sh 
@@ -1,6 +1,11 @@ #!/bin/sh export LC_ALL=en_US.UTF-8 + +# The pipefail option is now part of POSIX (POSIX.1-2024) and available in more +# and more shells. Enable it if available to make the SDK installer more robust. +(set -o pipefail 2> /dev/null) && set -o pipefail + #Make sure at least one python is installed INIT_PYTHON=$(which python3 2>/dev/null ) [ -z "$INIT_PYTHON" ] && INIT_PYTHON=$(which python2 2>/dev/null)

From patchwork Fri Feb 28 14:43:00 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 58093
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 4/4] ccache.conf: Add include_file_ctime to sloppiness
Date: Fri, 28 Feb 2025 06:43:00 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212064

From: Fabio Berton

When multiple recipes are built in parallel, Ccache sometimes refuses to look up some objects in cache, leading to undesired cache misses. The root cause of this is an interaction between the way bitbake constructs a recipe sysroot and Ccache's `include_file_ctime` check. Whenever bitbake creates a recipe's sysroot it hardlinks the files provided by a recipe's dependencies. Adding a hardlink to a file changes its ctime which in turn leads Ccache to believe that the file was modified thus aborting the cache lookup.

To avoid this situation, add `include_file_ctime` to the list of checks that should be ignored using the Ccache sloppiness configuration option [1].

Example of a log entry that Ccache ignores a file:

/
|recipe-sysroot/usr/include/bits/pthread_stack_min.h had status change
|near or after invocation (ctime 1739822508.107677255, invocation time
|1739822507.970071107)
\

1 - https://ccache.dev/manual/4.10.2.html#config_sloppiness

Signed-off-by: Fabio Berton
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 4899698297c7783e02aba5388e0469cc83bd2f70)
Signed-off-by: Steve Sakoman
--- meta/conf/ccache.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta/conf/ccache.conf b/meta/conf/ccache.conf index 4406ae561b..499e5327b8 100644 --- a/meta/conf/ccache.conf +++ b/meta/conf/ccache.conf 
@@ -1 +1,7 @@ max_size = 0 + +# Avoid spurious cache misses caused by recipe sysroot creation: Creating a +# recipe sysroot hardlinks all dependent files into place. Hardlinking updates +# the file's ctime which in turn interferes with ccache's include_file_ctime +# check. +sloppiness = include_file_ctime
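
Review bot: in meta/files/toolchain-shar-extract.sh, the added `(set -o pipefail 2> /dev/null) && set -o pipefail` line falls back silently when the shell does not support the option, so on such a shell a failed stage in a piped chain can still leave the installer reporting success, which is the failure the commit message describes. Consider also checking the result of the critical relocation pipelines explicitly, or at least printing a notice when the probe fails. Because the option is enabled at the top of the script it applies to every pipeline that follows, so any pipeline whose earlier stage may legitimately exit non-zero (for example a `grep` that finds no match feeding another command) should be reviewed. The comment could also say why the probe runs in a subshell: an unsupported option passed to the `set` special built-in can terminate a non-interactive shell.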
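
Review bot: in meta/conf/ccache.conf, the comment above `sloppiness = include_file_ctime` explains why the check misfires but not what is given up by disabling it. The check exists so that ccache does not cache a result when an included file changed status around the compiler invocation, and this setting turns it off for every build that uses this file, not only for hardlinked sysroot headers; a sentence stating that trade-off would help later readers. Also worth noting in the comment: `sloppiness` takes a comma-separated list, so a value supplied elsewhere (for example through the `CCACHE_SLOPPINESS` environment variable) replaces this one rather than adding to it.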