From ba72aa48fbfb33323e680fcbdd72633bca2cb6ae Mon Sep 17 00:00:00 2001 From: Jia Zhang Date: Thu, 20 Sep 2018 10:08:23 -0400 Subject: Maintain the stable branch sumo The following commits are reverted by the way: - meta-integrity: rpm: Add back in required patches for rocko (5fa9c85) - meta-intel-sgx: Initial support of linux-sgx-driver (7d4f711) The former is applicable to rocko only, and the latter is still experimental. 
Signed-off-by: Jia Zhang --- MAINTAINERS | 2 +- README | 6 +- meta-efi-secure-boot/conf/layer.conf | 2 +- .../recipes-bsp/seloader/seloader_git.bb | 3 +- meta-encrypted-storage/conf/layer.conf | 2 +- meta-ids/conf/layer.conf | 2 +- meta-integrity/conf/layer.conf | 2 +- .../recipes-devtools/rpm/rpm-integrity.inc | 15 -- ...-sign-arguments-to-signature-deletion-too.patch | 162 --------------------- ...-Beat-some-sense-into-rpmsign-cli-parsing.patch | 43 ------ ...thinko-typo-in-file-signing-error-message.patch | 25 ---- ...4-Bury-get_fskpass-inside-rpmsign-utility.patch | 145 ------------------ ...ise-file-signing-features-if-support-not-.patch | 87 ----------- ...e-bunch-of-redundant-environ-declarations.patch | 85 ----------- ...ULL-bodied-macros-in-case-of-get_fskpass-.patch | 43 ------ ...-password-helper-variables-to-local-scope.patch | 58 -------- ...ory-allocator-so-we-dont-need-to-check-fo.patch | 33 ----- ...0-Fix-a-number-of-problems-in-get_fskpass.patch | 54 ------- ...file-digests-to-SHA256-by-default-finally.patch | 47 ------ meta-intel-sgx/README.md | 23 --- meta-intel-sgx/conf/layer.conf | 18 --- .../intel-sgx-driver/intel-sgx-driver_2.1.bb | 34 ----- meta-signing-key/conf/layer.conf | 2 +- meta-tpm/conf/layer.conf | 2 +- meta-tpm2/conf/layer.conf | 2 +- meta/conf/layer.conf | 2 +- 26 files changed, 13 insertions(+), 886 deletions(-) delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch delete mode 100644 
meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch delete mode 100644 meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch delete mode 100644 meta-intel-sgx/README.md delete mode 100644 meta-intel-sgx/conf/layer.conf delete mode 100644 meta-intel-sgx/recipes-kernel/intel-sgx-driver/intel-sgx-driver_2.1.bb diff --git a/MAINTAINERS b/MAINTAINERS index 60f11fa..34d0fc4 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1 +1 @@ -Jia Zhang +Tom Rini diff --git a/README b/README index 8c0ebff..82abedc 100644 --- a/README +++ b/README @@ -10,11 +10,11 @@ Dependencies This layer depends on: URI: git://git.openembedded.org/bitbake - branch: master + branch: sumo URI: git://git.openembedded.org/openembedded-core layers: meta - branch: master + branch: sumo Patches @@ -23,7 +23,7 @@ Patches Please submit any patches against the meta-secure-core layer to the maintainer: -Maintainer: Jia Zhang +Maintainer: Tom Rini Table of Contents diff --git a/meta-efi-secure-boot/conf/layer.conf b/meta-efi-secure-boot/conf/layer.conf index 7d69fea..167ca22 100644 --- a/meta-efi-secure-boot/conf/layer.conf +++ b/meta-efi-secure-boot/conf/layer.conf @@ -19,4 +19,4 @@ LAYERDEPENDS_efi-secure-boot = "\ perl-layer \ " -LAYERSERIES_COMPAT_efi-secure-boot = "rocko sumo" +LAYERSERIES_COMPAT_efi-secure-boot = "sumo" 
diff --git a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb index 5d5fe2d..3275cc5 100644 --- a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb @@ -43,10 +43,9 @@ EXTRA_OEMAKE = "\ SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \ gnuefi_libdir=${STAGING_LIBDIR} \ LIB_GCC="`${CC} -print-libgcc-file-name`" \ + GNU_EFI_VERSION=306 \ " -EXTRA_OEMAKE += "${@bb.utils.contains('LAYERSERIES_CORENAMES', 'rocko', 'GNU_EFI_VERSION=306', '', d)}" - EFI_ARCH_x86 = "ia32" EFI_ARCH_x86-64 = "x64" diff --git a/meta-encrypted-storage/conf/layer.conf b/meta-encrypted-storage/conf/layer.conf index 18fa131..9772e96 100644 --- a/meta-encrypted-storage/conf/layer.conf +++ b/meta-encrypted-storage/conf/layer.conf @@ -17,4 +17,4 @@ LAYERDEPENDS_encrypted-storage = "\ openembedded-layer \ " -LAYERSERIES_COMPAT_encrypted-storage = "rocko sumo" +LAYERSERIES_COMPAT_encrypted-storage = "sumo" diff --git a/meta-ids/conf/layer.conf b/meta-ids/conf/layer.conf index 50cc3cc..a2f29c9 100644 --- a/meta-ids/conf/layer.conf +++ b/meta-ids/conf/layer.conf @@ -16,4 +16,4 @@ LAYERDEPENDS_ids = "\ networking-layer \ " -LAYERSERIES_COMPAT_ids = "rocko sumo" +LAYERSERIES_COMPAT_ids = "sumo" diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index 74961cc..2565080 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf @@ -27,4 +27,4 @@ BB_HASHBASE_WHITELIST_append += "\ RPM_FSK_PATH \ " -LAYERSERIES_COMPAT_integrity = "rocko sumo" +LAYERSERIES_COMPAT_integrity = "sumo" diff --git a/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc b/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc index 172d5a2..1945cc2 100644 --- a/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc +++ b/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc 
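Review bot: In the seloader_git.bb hunk, `GNU_EFI_VERSION=306` is now passed to every build, whereas the removed line passed it only when `LAYERSERIES_CORENAMES` contained `rocko`. On sumo this looks like a behaviour change rather than a cleanup, and the commit message does not mention it. Because seloader sits in the EFI secure-boot layer and is built against the staged gnu-efi (`gnuefi_libdir=${STAGING_LIBDIR}`), it is worth confirming that 306 matches the gnu-efi version sumo actually provides; a mismatch could presumably select the wrong compatibility code in the loader build. If the pin is intentional, add a comment such as `# GNU_EFI_VERSION must match the gnu-efi version staged for this release series`. The `EXTRA_OEMAKE` assignment begins above the hunk, so the comment has to go before the assignment and not inside the quoted string.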
@@ -1,20 +1,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/rpm:" -ROCKO_SRC_URI = "\ - file://0001-Pass-sign-arguments-to-signature-deletion-too.patch \ - file://0002-Beat-some-sense-into-rpmsign-cli-parsing.patch \ - file://0003-Fix-thinko-typo-in-file-signing-error-message.patch \ - file://0004-Bury-get_fskpass-inside-rpmsign-utility.patch \ - file://0005-Dont-advertise-file-signing-features-if-support-not-.patch \ - file://0006-Remove-bunch-of-redundant-environ-declarations.patch \ - file://0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch \ - file://0008-Move-key-password-helper-variables-to-local-scope.patch \ - file://0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch \ - file://0010-Fix-a-number-of-problems-in-get_fskpass.patch \ - file://0011-Bump-file-digests-to-SHA256-by-default-finally.patch \ -" -SRC_URI += "${@bb.utils.contains('LAYERSERIES_CORENAMES', 'rocko', '${ROCKO_SRC_URI}', '', d)}" - PACKAGECONFIG = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'imaevm', '', d)}" # IMA signing support is provided by RPM plugin. diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch b/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch deleted file mode 100644 index a2c453f..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From 23dc36f0d587495f2d29ebefd9e46437069b5a2d Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Mon, 29 May 2017 16:11:55 +0300 -Subject: [PATCH] Pass sign arguments to signature deletion too - -Refactor rpmsign and python bindings to be more similar on both -addsign/delsign operations, and always pass the signing arguments -along. Deletion doesn't actually (yet) use the arguments for anything -but makes things more symmetric (I remember having doubts about -this when adding - reminder to self: if in doubt, add more arguments ;) - -Yet another API break, but what the hey... Other than that, behavior is -not supposed to change here. ---- - python/rpmsmodule.c | 28 ++++++++++++++++------------ - rpmsign.c | 13 +++++++------ - sign/rpmgensig.c | 2 +- - sign/rpmsign.h | 3 ++- - 4 files changed, 26 insertions(+), 20 deletions(-) - -diff --git a/python/rpmsmodule.c b/python/rpmsmodule.c -index 0601353b9..72465221d 100644 ---- a/python/rpmsmodule.c -+++ b/python/rpmsmodule.c -@@ -5,32 +5,36 @@ - static char rpms__doc__[] = - ""; - -+static int parseSignArgs(PyObject * args, PyObject *kwds, -+ const char **path, struct rpmSignArgs *sargs) -+{ -+ char * kwlist[] = { "path", "keyid", "hashalgo", NULL }; -+ -+ memset(sargs, 0, sizeof(*sargs)); -+ return PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist, -+ path, &sargs->keyid, &sargs->hashalgo); -+} -+ - static PyObject * addSign(PyObject * self, PyObject * args, PyObject *kwds) - { - const char *path = NULL; -- char * kwlist[] = { "path", "keyid", "hashalgo", NULL }; -- struct rpmSignArgs sig, *sigp = NULL; -+ struct rpmSignArgs sargs; - -- memset(&sig, 0, sizeof(sig)); -- if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist, -- &path, &sig.keyid, &sig.hashalgo)) -+ if (parseSignArgs(args, kwds, &path, &sargs)) - return NULL; - -- if (sig.keyid || sig.hashalgo) -- sigp = &sig; -- -- return PyBool_FromLong(rpmPkgSign(path, sigp) == 0); -+ return PyBool_FromLong(rpmPkgSign(path, &sargs) == 
0); - } - - static PyObject * delSign(PyObject * self, PyObject * args, PyObject *kwds) - { - const char *path = NULL; -- char * kwlist[] = { "path", NULL }; -+ struct rpmSignArgs sargs; - -- if (!PyArg_ParseTupleAndKeywords(args, kwds, "s", kwlist, &path)) -+ if (parseSignArgs(args, kwds, &path, &sargs)) - return NULL; - -- return PyBool_FromLong(rpmPkgDelSign(path) == 0); -+ return PyBool_FromLong(rpmPkgDelSign(path, &sargs) == 0); - } - - /* -diff --git a/rpmsign.c b/rpmsign.c -index 3834b505e..0402af556 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -25,6 +25,8 @@ static int signfiles = 0, fskpass = 0; - static char * fileSigningKey = NULL; - static char * fileSigningKeyPassword = NULL; - -+static struct rpmSignArgs sargs = {NULL, 0, 0}; -+ - static struct poptOption signOptsTable[] = { - { "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN, - N_("sign package(s)"), NULL }, -@@ -54,11 +56,10 @@ static struct poptOption optionsTable[] = { - }; - - /* TODO: permit overriding macro setup on the command line */ --static int doSign(poptContext optCon) -+static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - { - int rc = EXIT_FAILURE; - char * name = rpmExpand("%{?_gpg_name}", NULL); -- struct rpmSignArgs sig = {NULL, 0, 0}; - char *key = NULL; - - if (rstreq(name, "")) { -@@ -92,13 +93,13 @@ static int doSign(poptContext optCon) - free(fileSigningKeyPassword); - } - -- sig.signfiles = 1; -+ sargs->signfiles = 1; - } - - const char *arg; - rc = 0; - while ((arg = poptGetArg(optCon)) != NULL) { -- rc += rpmPkgSign(arg, &sig); -+ rc += rpmPkgSign(arg, sargs); - } - - exit: -@@ -133,12 +134,12 @@ int main(int argc, char *argv[]) - switch (mode) { - case MODE_ADDSIGN: - case MODE_RESIGN: -- ec = doSign(optCon); -+ ec = doSign(optCon, &sargs); - break; - case MODE_DELSIGN: - ec = 0; - while ((arg = poptGetArg(optCon)) != NULL) { -- ec += rpmPkgDelSign(arg); -+ ec += rpmPkgDelSign(arg, &sargs); - } - break; - default: -diff --git 
a/sign/rpmgensig.c b/sign/rpmgensig.c -index 4f5ff7b59..32bcfb3fb 100644 ---- a/sign/rpmgensig.c -+++ b/sign/rpmgensig.c -@@ -863,7 +863,7 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args) - return rc; - } - --int rpmPkgDelSign(const char *path) -+int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args) - { - return rpmSign(path, 1, 0); - } -diff --git a/sign/rpmsign.h b/sign/rpmsign.h -index b41e3caab..bed8d6245 100644 ---- a/sign/rpmsign.h -+++ b/sign/rpmsign.h -@@ -31,9 +31,10 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args); - /** \ingroup rpmsign - * Delete signature(s) from a package - * @param path path to package -+ * @param args signing parameters (or NULL for defaults) - * @return 0 on success - */ --int rpmPkgDelSign(const char *path); -+int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args); - - #ifdef __cplusplus - } --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch b/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch deleted file mode 100644 index 34f35bc..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 8bcfd98c0545eaf98bbc99e56cc2118c995a8fad Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Thu, 8 Jun 2017 12:39:53 +0300 -Subject: [PATCH] Beat some sense into rpmsign cli parsing - -Separate missing mode and several modes, print usage in the former -and mumble about modes only if more than one actually specified. ---- - rpmsign.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/rpmsign.c b/rpmsign.c -index 0402af556..de6f79384 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -14,12 +14,13 @@ char ** environ = NULL; - #endif - - enum modes { -+ MODE_NONE = 0, - MODE_ADDSIGN = (1 << 0), - MODE_RESIGN = (1 << 1), - MODE_DELSIGN = (1 << 2), - }; - --static int mode = 0; -+static int mode = MODE_NONE; - - static int signfiles = 0, fskpass = 0; - static char * fileSigningKey = NULL; -@@ -142,6 +143,9 @@ int main(int argc, char *argv[]) - ec += rpmPkgDelSign(arg, &sargs); - } - break; -+ case MODE_NONE: -+ printUsage(optCon, stderr, 0); -+ break; - default: - argerror(_("only one major mode may be specified")); - break; --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch b/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch deleted file mode 100644 index 5452778..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 26cae3941f68c96e44d8126fea330ef7f0327913 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Thu, 8 Jun 2017 12:42:00 +0300 -Subject: [PATCH] Fix %% -> $$ thinko/typo in file signing error message - ---- - rpmsign.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rpmsign.c b/rpmsign.c -index de6f79384..66ab8e5eb 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -75,7 +75,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - if (signfiles) { - key = rpmExpand("%{?_file_signing_key}", NULL); - if (rstreq(key, "")) { -- fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n")); -+ fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n")); - goto exit; - } - --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch b/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch deleted file mode 100644 index 6906a39..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From 5a76125050c2f389cdc1c3017dff5fec4aef7e57 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Thu, 8 Jun 2017 16:55:16 +0300 -Subject: [PATCH] Bury get_fskpass() inside rpmsign utility - -librpm is not in the business of providing terminal utility functions, -file signing might well need to ask for passwords but it doesn't -have to be a non-prefixed function in a shared library. The library -provides means to *pass* the password and its up to calling applications -to ask for it if needed. ---- - lib/rpmsignfiles.c | 35 ----------------------------------- - lib/rpmsignfiles.h | 2 -- - rpmsign.c | 37 ++++++++++++++++++++++++++++++++++++- - 3 files changed, 36 insertions(+), 38 deletions(-) - -diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c -index 87e4e4265..aacb34647 100644 ---- a/lib/rpmsignfiles.c -+++ b/lib/rpmsignfiles.c -@@ -7,8 +7,6 @@ - #include "system.h" - #include "imaevm.h" - --#include -- - #include /* rpmlog */ - #include /* rnibble */ - #include /* rpmDigestLength */ -@@ -34,39 +32,6 @@ static const char *hash_algo_name[] = { - - #define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) - --char *get_fskpass(void) --{ -- struct termios flags, tmp_flags; -- char *password, *pwd; -- int passlen = 64; -- -- password = malloc(passlen); -- if (!password) { -- perror("malloc"); -- return NULL; -- } -- -- tcgetattr(fileno(stdin), &flags); -- tmp_flags = flags; -- tmp_flags.c_lflag &= ~ECHO; -- tmp_flags.c_lflag |= ECHONL; -- -- if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) { -- perror("tcsetattr"); -- return NULL; -- } -- -- printf("PEM password: "); -- pwd = fgets(password, passlen, stdin); -- pwd[strlen(pwd) - 1] = '\0'; /* remove newline */ -- -- if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { -- perror("tcsetattr"); -- return NULL; -- } -- return pwd; --} -- - static char *signFile(const char *algo, const char *fdigest, int diglen, - const char *key, char *keypass) - { -diff --git a/lib/rpmsignfiles.h 
b/lib/rpmsignfiles.h -index 52e2482a9..70ed69412 100644 ---- a/lib/rpmsignfiles.h -+++ b/lib/rpmsignfiles.h -@@ -14,8 +14,6 @@ extern "C" { - */ - rpmRC rpmSignFiles(Header h, const char *key, char *keypass); - --char *get_fskpass(void); /* get file signing key password */ -- - #ifdef _cplusplus - } - #endif -diff --git a/rpmsign.c b/rpmsign.c -index 66ab8e5eb..6cd63d872 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -1,12 +1,12 @@ - #include "system.h" - #include - #include -+#include - - #include - #include - #include - #include "cliutils.h" --#include "lib/rpmsignfiles.h" - #include "debug.h" - - #if !defined(__GLIBC__) && !defined(__APPLE__) -@@ -56,6 +56,41 @@ static struct poptOption optionsTable[] = { - POPT_TABLEEND - }; - -+#ifdef WITH_IMAEVM -+static char *get_fskpass(void) -+{ -+ struct termios flags, tmp_flags; -+ char *password, *pwd; -+ int passlen = 64; -+ -+ password = malloc(passlen); -+ if (!password) { -+ perror("malloc"); -+ return NULL; -+ } -+ -+ tcgetattr(fileno(stdin), &flags); -+ tmp_flags = flags; -+ tmp_flags.c_lflag &= ~ECHO; -+ tmp_flags.c_lflag |= ECHONL; -+ -+ if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) { -+ perror("tcsetattr"); -+ return NULL; -+ } -+ -+ printf("PEM password: "); -+ pwd = fgets(password, passlen, stdin); -+ pwd[strlen(pwd) - 1] = '\0'; /* remove newline */ -+ -+ if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { -+ perror("tcsetattr"); -+ return NULL; -+ } -+ return pwd; -+} -+#endif -+ - /* TODO: permit overriding macro setup on the command line */ - static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - { --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch b/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch deleted file mode 100644 index a3d0e24..0000000 
--- a/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From a77d2d3476919fdbcba9baf0dd44c98db1620360 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Thu, 8 Jun 2017 17:36:28 +0300 -Subject: [PATCH] Dont advertise file signing features if support not built in - -ifdef the whole thing out when not enabled, instead of blurting out -obscure error messages. A few to many ifdefs for my taste but -that's a topic for another day... ---- - rpmsign.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/rpmsign.c b/rpmsign.c -index 6cd63d872..dce342af0 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -22,9 +22,11 @@ enum modes { - - static int mode = MODE_NONE; - -+#ifdef WITH_IMAEVM - static int signfiles = 0, fskpass = 0; - static char * fileSigningKey = NULL; - static char * fileSigningKeyPassword = NULL; -+#endif - - static struct rpmSignArgs sargs = {NULL, 0, 0}; - -@@ -35,6 +37,7 @@ static struct poptOption signOptsTable[] = { - N_("sign package(s) (identical to --addsign)"), NULL }, - { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN, - N_("delete package signatures"), NULL }, -+#ifdef WITH_IMAEVM - { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0, - N_("sign package(s) files"), NULL}, - { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0, -@@ -42,6 +45,7 @@ static struct poptOption signOptsTable[] = { - N_("") }, - { "fskpass", '\0', POPT_ARG_NONE, &fskpass, 0, - N_("prompt for file signing key password"), NULL}, -+#endif - POPT_TABLEEND - }; - -@@ -103,6 +107,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - goto exit; - } - -+#ifdef WITH_IMAEVM - if (fileSigningKey) { - rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL); - } -@@ -115,11 +120,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - } - - if (fskpass) { --#ifndef WITH_IMAEVM -- argerror(_("--fskpass may only be specified when signing files")); --#else - fileSigningKeyPassword = get_fskpass(); --#endif - } - - 
rpmPushMacro(NULL, "_file_signing_key_password", NULL, -@@ -131,6 +132,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - - sargs->signfiles = 1; - } -+#endif - - const char *arg; - rc = 0; -@@ -163,9 +165,11 @@ int main(int argc, char *argv[]) - argerror(_("no arguments given")); - } - -+#ifdef WITH_IMAEVM - if (fileSigningKey && !signfiles) { - argerror(_("--fskpath may only be specified when signing files")); - } -+#endif - - switch (mode) { - case MODE_ADDSIGN: --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch b/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch deleted file mode 100644 index 8260865..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 8fae14f4dfc655dabd3de11be4d7e9b7c1cb6898 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Fri, 9 Jun 2017 11:37:03 +0300 -Subject: [PATCH] Remove bunch of redundant environ declarations - -rpmsign.c used to actually use "environ" to pass to execve(), but -that call moved to librpmsign a long, long time ago. rpmdb.c and -rpmkeys.c never used it at all but guess it was copy-paste inherited -from rpmsign.c back in the day (dfbaa77152ccf98524c4f27afe85d32e6f690522) - -rpmgensig.c actually refers to environ, but this is a POSIX required -variable and while Apple has managed to screw it up, it's handled -in system.h and that must be sufficient for all relevant systems -as we also refer to environ in rpmfileutil.c open_dso() and there's -no fake environ definition there. So drop the one in rpmgensig.c too. ---- - rpmdb.c | 4 ---- - rpmkeys.c | 4 ---- - rpmsign.c | 4 ---- - sign/rpmgensig.c | 4 ---- - 4 files changed, 16 deletions(-) - -diff --git a/rpmdb.c b/rpmdb.c -index 67630d00c..25c088da9 100644 ---- a/rpmdb.c -+++ b/rpmdb.c -@@ -6,10 +6,6 @@ - #include "cliutils.h" - #include "debug.h" - --#if !defined(__GLIBC__) && !defined(__APPLE__) --char ** environ = NULL; --#endif -- - enum modes { - MODE_INITDB = (1 << 0), - MODE_REBUILDDB = (1 << 1), -diff --git a/rpmkeys.c b/rpmkeys.c -index 0ecc65ed1..2b60a729e 100644 ---- a/rpmkeys.c -+++ b/rpmkeys.c -@@ -5,10 +5,6 @@ - #include "cliutils.h" - #include "debug.h" - --#if !defined(__GLIBC__) && !defined(__APPLE__) --char ** environ = NULL; --#endif -- - enum modes { - MODE_CHECKSIG = (1 << 0), - MODE_IMPORTKEY = (1 << 1), -diff --git a/rpmsign.c b/rpmsign.c -index dce342af0..04738c052 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -9,10 +9,6 @@ - #include "cliutils.h" - #include "debug.h" - --#if !defined(__GLIBC__) && !defined(__APPLE__) --char ** environ = NULL; --#endif -- - enum modes { - MODE_NONE = 0, - MODE_ADDSIGN = (1 << 0), -diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c -index 
141ad1530..5c04e9218 100644 ---- a/sign/rpmgensig.c -+++ b/sign/rpmgensig.c -@@ -25,10 +25,6 @@ - - #include "debug.h" - --#if !defined(__GLIBC__) && !defined(__APPLE__) --char ** environ = NULL; --#endif -- - typedef struct sigTarget_s { - FD_t fd; - const char *fileName; --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch b/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch deleted file mode 100644 index cdfc2a0..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 5a6acd24a55d31a7c7e68dc4e46149598f1699a4 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Fri, 9 Jun 2017 12:33:23 +0300 -Subject: [PATCH] Dont push NULL-bodied macros (in case of get_fskpass() - failure) - ---- - rpmsign.c | 4 ++-- - sign/rpmgensig.c | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/rpmsign.c b/rpmsign.c -index 04738c052..578079a4d 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -119,9 +119,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - fileSigningKeyPassword = get_fskpass(); - } - -- rpmPushMacro(NULL, "_file_signing_key_password", NULL, -- fileSigningKeyPassword, RMIL_CMDLINE); - if (fileSigningKeyPassword) { -+ rpmPushMacro(NULL, "_file_signing_key_password", NULL, -+ fileSigningKeyPassword, RMIL_CMDLINE); - memset(fileSigningKeyPassword, 0, strlen(fileSigningKeyPassword)); - free(fileSigningKeyPassword); - } -diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c -index 5c04e9218..073136364 100644 ---- a/sign/rpmgensig.c -+++ b/sign/rpmgensig.c -@@ -538,7 +538,7 @@ static rpmRC includeFileSignatures(FD_t fd, const char *rpm, - - key = rpmExpand("%{?_file_signing_key}", NULL); - -- keypass = rpmExpand("%{_file_signing_key_password}", NULL); -+ keypass = rpmExpand("%{?_file_signing_key_password}", NULL); - if (rstreq(keypass, "")) { - free(keypass); - keypass = NULL; --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch b/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch deleted file mode 100644 index 362e0c1..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 46eadbf33d06a0a97be0845afe09873acb44af3c Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Fri, 9 Jun 2017 12:35:43 +0300 -Subject: [PATCH] Move key/password helper variables to local scope - ---- - rpmsign.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/rpmsign.c b/rpmsign.c -index 578079a4d..35c5ee966 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -21,7 +21,6 @@ static int mode = MODE_NONE; - #ifdef WITH_IMAEVM - static int signfiles = 0, fskpass = 0; - static char * fileSigningKey = NULL; --static char * fileSigningKeyPassword = NULL; - #endif - - static struct rpmSignArgs sargs = {NULL, 0, 0}; -@@ -96,7 +95,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - { - int rc = EXIT_FAILURE; - char * name = rpmExpand("%{?_gpg_name}", NULL); -- char *key = NULL; - - if (rstreq(name, "")) { - fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n")); -@@ -109,7 +107,8 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - } - - if (signfiles) { -- key = rpmExpand("%{?_file_signing_key}", NULL); -+ char *fileSigningKeyPassword = NULL; -+ char *key = rpmExpand("%{?_file_signing_key}", NULL); - if (rstreq(key, "")) { - fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n")); - goto exit; -@@ -127,6 +126,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - } - - sargs->signfiles = 1; -+ free(key); - } - #endif - -@@ -137,7 +137,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) - } - - exit: -- free(key); - free(name); - return rc; - } --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch b/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch deleted file mode 100644 index 4937c46..0000000 
--- a/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 542f41a8bdc385ed849170565ac353956a47683a Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Fri, 9 Jun 2017 12:45:21 +0300 -Subject: [PATCH] Use rpm memory allocator so we dont need to check for return - ---- - rpmsign.c | 9 ++------- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/rpmsign.c b/rpmsign.c -index 35c5ee966..a59f2dc1c 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -59,14 +59,9 @@ static struct poptOption optionsTable[] = { - static char *get_fskpass(void) - { - struct termios flags, tmp_flags; -- char *password, *pwd; - int passlen = 64; -- -- password = malloc(passlen); -- if (!password) { -- perror("malloc"); -- return NULL; -- } -+ char *password = xmalloc(passlen); -+ char *pwd; - - tcgetattr(fileno(stdin), &flags); - tmp_flags = flags; --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch b/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch deleted file mode 100644 index 923de03..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 46c7bf438e5349676139dba0655faed3b2230827 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Fri, 9 Jun 2017 12:52:08 +0300 -Subject: [PATCH] Fix a number of problems in get_fskpass() - -Fix segfault in case of fgets() failure, fix memleak on password -buffer on failure. ---- - rpmsign.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/rpmsign.c b/rpmsign.c -index a59f2dc1c..ae86f666d 100644 ---- a/rpmsign.c -+++ b/rpmsign.c -@@ -61,7 +61,7 @@ static char *get_fskpass(void) - struct termios flags, tmp_flags; - int passlen = 64; - char *password = xmalloc(passlen); -- char *pwd; -+ char *pwd = NULL; - - tcgetattr(fileno(stdin), &flags); - tmp_flags = flags; -@@ -70,17 +70,23 @@ static char *get_fskpass(void) - - if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) { - perror("tcsetattr"); -- return NULL; -+ goto exit; - } - - printf("PEM password: "); - pwd = fgets(password, passlen, stdin); -- pwd[strlen(pwd) - 1] = '\0'; /* remove newline */ - - if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { - perror("tcsetattr"); -- return NULL; -+ pwd = NULL; -+ goto exit; - } -+ -+exit: -+ if (pwd) -+ pwd[strlen(pwd) - 1] = '\0'; /* remove newline */ -+ else -+ free(password); - return pwd; - } - #endif --- -2.11.0 - diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch b/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch deleted file mode 100644 index 68d54ad..0000000 --- a/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 0cd74ade37d16d282d13e781deb68a219b2c04b9 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Wed, 8 Mar 2017 14:51:45 +0200 -Subject: [PATCH] Bump file digests to SHA256 by default, finally - -As a part of modernizing the crypto used by rpm, it's way past time -to use a stronger algorithm for the file digests. The jump from MD5 -is not entirely smooth but at least Fedora and RHEL did that ages ago -and survived, others should too. And of course you can always flip -it back to MD5 if you really need to, for eg building packages for -ancient distro versions. - -Signed-off-by: Lans Zhang ---- - macros.in | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/macros.in b/macros.in -index 72d4a51ed..49a3dab04 100644 ---- a/macros.in -+++ b/macros.in -@@ -355,17 +355,17 @@ package or when debugging this package.\ - - # Algorithm to use for generating file checksum digests on build. - # If not specified or 0, MD5 is used. --# WARNING: non-MD5 is backwards incompatible, don't enable lightly! --# The supported algorithms may depend on NSS version, as of NSS --# 3.11.99.5 the following are supported: -+# WARNING: non-MD5 is backwards incompatible with rpm < 4.6! -+# The supported algorithms may depend on the underlying crypto -+# implementation but generally at least the following are supported: - # 1 MD5 (default) - # 2 SHA1 - # 8 SHA256 - # 9 SHA384 - # 10 SHA512 - # --#%_source_filedigest_algorithm 1 --#%_binary_filedigest_algorithm 1 -+%_source_filedigest_algorithm 8 -+%_binary_filedigest_algorithm 8 - - # Configurable vendor information, same as Vendor: in a specfile. - # --- -2.11.0 - diff --git a/meta-intel-sgx/README.md b/meta-intel-sgx/README.md deleted file mode 100644 index d1b8444..0000000 --- a/meta-intel-sgx/README.md +++ /dev/null 
@@ -1,23 +0,0 @@
-### Overview
-This layer provides the support of Intel Software Guard Extensions
-(Intel SGX), which is an Intel technology for application developers
-seeking to protect select code and data from disclosure or modification.
-
-The Linux SGX software stack is comprised of the Intel SGX driver, the
-Intel SGX SDK, and the Intel SGX Platform Software.
-
-### Intel SGX Driver
-The recipe sgx-driver provides a out-of-tree driver for the Linux Intel
-SGX software stack, which will be used until the driver upstreaming process
-is complete.
-
-### Intel SGX SDK and PSW
-The recipes are still in development.
-
-### Hardware Support
-Please check [this site](https://github.com/ayeks/SGX-hardware) for the
-latest information.
-
-### Reference
-- [SGX driver](https://github.com/intel/linux-sgx-driver)
-- [SGX SDK and PSW](https://github.com/intel/linux-sgx)
diff --git a/meta-intel-sgx/conf/layer.conf b/meta-intel-sgx/conf/layer.conf
deleted file mode 100644
index 8dca356..0000000
--- a/meta-intel-sgx/conf/layer.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# We have a conf and classes directory, add to BBPATH
-BBPATH .= ":${LAYERDIR}"
-
-# We have recipes-* directories, add to BBFILES
-BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
- ${LAYERDIR}/recipes-*/*/*.bbappend"
-
-BBFILE_COLLECTIONS += "intel-sgx"
-BBFILE_PATTERN_intel-sgx = "^${LAYERDIR}/"
-BBFILE_PRIORITY_intel-sgx = "10"
-
-BBLAYERS_LAYERINDEX_NAME_intel-sgx = "meta-intel-sgx"
-
-LAYERDEPENDS_intel-sgx = "\
- core \
-"
-
-LAYERSERIES_COMPAT_intel-sgx = "rocko sumo"
diff --git a/meta-intel-sgx/recipes-kernel/intel-sgx-driver/intel-sgx-driver_2.1.bb b/meta-intel-sgx/recipes-kernel/intel-sgx-driver/intel-sgx-driver_2.1.bb
deleted file mode 100644
index b1abcd5..0000000
--- a/meta-intel-sgx/recipes-kernel/intel-sgx-driver/intel-sgx-driver_2.1.bb
+++ /dev/null
@@ -1,34 +0,0 @@
-SUMMARY = "Intel SGX Linux DDDriver"
-DESCRIPTION = "Intel(R) Software Guard Extensions (Intel(R) SGX) \
-is an Intel technology for application developers seeking to \
-protect select code and data from disclosure or modification."
-HOMEPAGE = "https://github.com/intel/linux-sgx-driver"
-
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://License.txt;md5=b54f8941f6087efb6be3deb0f1e617f7"
-
-DEPENDS = "virtual/kernel"
-
-PV = "2.1+git${SRCPV}"
-
-SRC_URI = "\
- git://github.com/intel/linux-sgx-driver.git \
-"
-SRCREV = "2a509c203533f9950fa3459fe91864051bc021a2"
-
-S = "${WORKDIR}/git"
-
-inherit module
-
-EXTRA_OEMAKE += "KDIR='${STAGING_KERNEL_DIR}'"
-
-MODULE_NAME = "isgx"
-
-do_install () {
- dir="${D}/lib/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}"
-
- install -d "$dir"
- install -m 0644 "${MODULE_NAME}.ko" "$dir"
-}
-
-RPROVIDES_${PN} += "kernel-module-${MODULE_NAME}"
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 67fc8d3..1b735d2 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -13,7 +13,7 @@ BBLAYERS_LAYERINDEX_NAME_signing-key = "meta-signing-key"
 LAYERDEPENDS_signing-key = "core"
-LAYERSERIES_COMPAT_signing-key = "rocko sumo"
+LAYERSERIES_COMPAT_signing-key = "sumo"
 SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 2b2dd3e..2b9964a 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -13,4 +13,4 @@ BBLAYERS_LAYERINDEX_NAME_tpm = "meta-tpm"
 LAYERDEPENDS_tpm = "core"
-LAYERSERIES_COMPAT_tpm = "rocko sumo"
+LAYERSERIES_COMPAT_tpm = "sumo"
diff --git a/meta-tpm2/conf/layer.conf b/meta-tpm2/conf/layer.conf
index 9957c6e..3842160 100644
--- a/meta-tpm2/conf/layer.conf
+++ b/meta-tpm2/conf/layer.conf
@@ -13,4 +13,4 @@ BBLAYERS_LAYERINDEX_NAME_tpm2 = "meta-tpm2"
 LAYERDEPENDS_tpm2 = "core"
-LAYERSERIES_COMPAT_tpm2 = "rocko sumo"
+LAYERSERIES_COMPAT_tpm2 = "sumo"
diff --git a/meta/conf/layer.conf b/meta/conf/layer.conf
index 301b017..4caf70c 100644
--- a/meta/conf/layer.conf
+++ b/meta/conf/layer.conf
@@ -15,4 +15,4 @@ LAYERDEPENDS_secure-core = "\
 core \
 "
-LAYERSERIES_COMPAT_secure-core = "rocko sumo"
+LAYERSERIES_COMPAT_secure-core = "sumo"
--
cgit v1.2.3-54-g00ecf