summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* mmap-smack-test, smack-test, tcp-smack-test, udp-smack-test: don't use S = ↵Martin Jansa2024-06-174-7/+13
| | | | | | | | | | | | | | | | | | | | | ${WORKDIR} * fixes: Parsing recipes... ERROR: meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: meta-security/recipes-mac/smack/udp-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: meta-security/recipes-mac/smack/smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: Parsing halted due to errors, see error messages above * see: https://lists.openembedded.org/g/openembedded-architecture/message/2007 * it's fatal error since: https://git.openembedded.org/openembedded-core/commit/?h=master&id=32cba1cc916ad530c5e6630a927e74ca6f06289b Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* {tcp,udp}-smack-test: fix implicit-function-declaration issues fatal with gcc-14Martin Jansa2024-06-172-0/+2
| | | | | | | | | | | | | | | tcp-smack-test: http://errors.yoctoproject.org/Errors/Details/766925/ tcp_client.c:55:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration] udp-client-tests: http://errors.yoctoproject.org/Errors/Details/766927/ udp_client.c:41:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration] udp_client.c:51:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration] udp_client.c:66:9: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration] Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: upgrade 4.0.1 -> 4.1.2Valentin Kunin2024-06-172-8/+19
| | | | | | | | | | | | | | Bump tpm2-tss library version from 4.0.1 to 4.1.2. This simply involves renaming the recipe and chaning the target SHA256 library file hash. Also update the fixup_hosttools.patch to apply to the new version of the library. It stays the same functionally, but some line numbers needed to be updated to apply cleanly. Signed-off-by: Valentin Kunin <kunin@google.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-parsec: Update parsec-service to 1.4.1Gowtham Suresh Kumar2024-05-282-33/+47
| | | | | Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: BBCLASSEXTEND nativesdkTim Orling2024-05-081-1/+1
| | | | | | | Dependency for nativesdk-swtpm Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libtpm: BBCLASSEXTEND nativesdkTim Orling2024-05-081-1/+1
| | | | | | | nativesdk-swtpm needs nativesdk-libtpm Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tools: BBCLASSEXTEND native and nativesdkTim Orling2024-05-081-0/+2
| | | | | | | tpm2-pkcs11-tools-native needs tpm2-tools-native Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-pkcs11: BBCLASSEXTEND native and nativesdkTim Orling2024-05-081-0/+2
| | | | | | | swtpm-native requires tpm2-pkcs11-tools-native for gnutls PACKAGECONFIG Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* swtpm: upgrade 0.8.1 -> 0.8.2Tim Orling2024-05-081-1/+1
| | | | | | | | | | | | | version 0.8.2: - swtpm: - cuse: Lock file_ops_lock before reading tpm_running - build-sys: - Add support for --disable-tests to disable tests https://github.com/stefanberger/swtpm/compare/v0.8.1...v0.8.2 Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: upgrade 0.1.71 -> 0.1.72Yi Zhao2024-05-081-1/+1
| | | | | | | | ChangeLog: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.72 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: upgrade 1.3.9 -> 1.3.10Yi Zhao2024-05-081-1/+1
| | | | | | | | ChangeLog: https://github.com/OpenSCAP/openscap/releases/tag/1.3.10 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: update libseccomp dependenciesMarta Rybczynska2024-05-081-1/+1
| | | | | | | | | | | libseccomp requires DISTRO_FEATURE seccomp enabled. This one is automatically removed for riscv, so we do not need to add an additional condition. This change is necessary for cve-check on world with meta-security Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: remove __pycache__ in ptest directoryYi Zhao2024-05-081-0/+5
| | | | | | | | | | | | Remove __pycache__ directories as they contain references to TMPDIR. Fix QA warnings: WARNING: scap-security-guide-0.1.71-r0 do_package_qa: QA Issue: File /usr/lib64/scap-security-guide/ptest/git/utils/_pycache_/gen_reference_table.cpython-312.pyc in package scap-security-guide-ptest contains reference to TMPDIR Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ibmtpm2tss: upgrade 1661 -> 2.2.0Yi Zhao2024-04-222-19/+21
| | | | | | | | * Refresh patch * Fix UPSTREAM_CHECK_GITTAGREGEX Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lynis: upgrade 3.0.9 -> 3.1.1Wang Mingyu2024-04-222-55/+2
| | | | | | | | 0001-osdetection-add-OpenEmbedded-and-Poky.patch removed since it's included in 3.1.1. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ibmswtpm2: upgrade 164-2020-192.1 -> 183-2024-03-27Yi Zhao2024-04-161-3/+3
| | | | | | | | | | Remove '-DALG_CAMELLIA=ALG_NO' from CFLAGS to fix compile error: | TpmProfile_Common.h:109: error: "ALG_CAMELLIA" redefined [-Werror] | 109 | #define ALG_CAMELLIA ALG_YES | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README.md: update to new patches mailing listArmin Kuster2024-04-095-12/+12
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pyinotify: Make asyncore support optional for Python 3Mingli Yu2024-03-272-0/+96
| | | | | | | | | | | | | | | | | | | | | | Simple fix for Python 3.12 since it dropped asyncore. Catches the import error instead of using a version check so that the user can install the compatibility package for any uses that can't be upgraded to asyncio or similar immediately. Fixes: # python3 Python 3.12.1 (main, Dec 7 2023, 20:45:44) [GCC 13.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import pyinotify Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib64/python3.12/site-packages/pyinotify.py", line 71, in <module> import asyncore ModuleNotFoundError: No module named 'asyncore' >>> Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update for the scarthgap release seriesMax Krummenacher2024-03-275-5/+5
| | | | | Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* arpwatch: install man8 dirJeremy A. Puhlman2024-03-271-1/+1
| | | | | | | | | | | | | | The install expects man8 directory to already exists. If not created the man page gets installed as "man8", which causes conflicts with other packages, that expect it to be a directory. 'arpsnmp' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/sbin/arpsnmp' './arpwatch.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' removed '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' './arpsnmp.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Check for usrmerge before removing /usr/libJeremy A. Puhlman2024-03-271-1/+3
| | | | | Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Set IMAGE_NAME_SUFFIX to emptyKevin Hao2024-03-271-0/+2
| | | | | | | | | | | | | | | According to the Yocto reference manual [1], the IMAGE_NAME_SUFFIX should be set to empty for the initramfs image. Otherwise, we may incur a build error like following due to the initrd check in live-vm-common.bbclass: ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed. ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None) ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965 ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1' [1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: update to tip to fix new build issue.Armin Kuster2024-03-272-62/+3
| | | | | | drop patch now included. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aprwatch: Add path for sendmailJeremy A. Puhlman2024-03-271-0/+1
| | | | | | | | Arpwatch won't build on a system without a sendmail provider installed with out this setting. Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* arpwatch: fix misspelling of PACKAGECONFIGJeremy A. Puhlman2024-03-271-1/+1
| | | | | Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity: Set the IMAGE_FSTYPES correctly when dm-verity is enabledKevin Hao2024-03-271-5/+19
| | | | | | | | | | | | | | | | | | | | | After the using inherit_defer for the image classes in oe-core commit 451363438d38 ("classes/recipes: Switch to use inherit_defer"), the using of anonymous python function in dm-verity-img.bbclass to set the IMAGE_FSTYPES doesn't work anymore. The reason is that image.bbclass also use anonymous python function to add the do_image_xxx task for the corresponding filesystem type. The anonymous function in dm-verity-img.bbclass is evaluated much later than the one in image.bbclass. Then the task such as do_image_vhash will not be added as we expect. So we choose to use "+=" to set the IMAGE_FSTYPES. The populate_sdk_ext.bbclass may generate a dependency list like below: core-image-minimal.do_sdk_depends -> lib32-core-image-minimal.do_image_vhash So we also need to make sure the do_image_vhash task for the multilib filesystem is added. Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity: Adjust the image names according to the oe-core changeKevin Hao2024-03-273-5/+5
| | | | | | | | | | | | | | | | After the oe-core commit 26d97acc7137 ("image-artifact-names: include ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}"), the image names have changed from core-image-minimal-qemux86-64-20230307181808.rootfs.ext4 core-image-minimal-qemux86-64.ext4 to core-image-minimal-qemux86-64.rootfs-20230307181456.ext4 core-image-minimal-qemux86-64.rootfs.ext4 Adjust the images name used by dm-verity according to this change. Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* docs: dm-verity.txt: Fix a typoKevin Hao2024-03-271-1/+1
| | | | | Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Drop ${PYTHON_PN}Armin Kuster2024-03-275-15/+15
| | | | | | | Signed-off-by: Armin Kuster <akuster808@gmail.com> --- V2] Fix typo in python3-pyinotify changes
* lynis: Add missing runtime dependenciesBELOUARGA Mohamed2024-02-201-1/+1
| | | | | | | | Lynis tool needs ip, ss, tr and netstat. If they are missing Lynis skips some important audit tests. Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* checksec: Add more runtime dependencies to checksec toolBELOUARGA Mohamed2024-02-201-1/+1
| | | | | | | Checksec tool depends of commands "find, file and ps" Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: fix build with python 3.12Yi Zhao2024-02-202-1/+60
| | | | | | | | | | | | | | Backport a patch to fix build with python 3.12: $ bitbake openscap-native Traceback (most recent call last): File "<string>", line 1, in <module> ModuleNotFoundError: No module named 'distutils' CMake Error at swig/python3/CMakeLists.txt:35 (install): install TARGETS given no LIBRARY DESTINATION for module target "_openscap_py". Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity-image-minimal: Fix IMAGE_INSTALLLeon Anavi2024-02-201-6/+4
| | | | | | | | | | | | | Append to IMAGE_INSTALL rather than directly setting the variable and does it after inheriting core-image.bbclass because in it IMAGE_INSTALL is set with a default value CORE_IMAGE_BASE_INSTALL. Variable CORE_IMAGE_BASE_INSTALL includes CORE_IMAGE_EXTRA_INSTALL so the change allows adding auditd to CORE_IMAGE_EXTRA_INSTALL as per the instructions in meta-integrity/README.md. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto%.bbappend: Add audit.cfgLeon Anavi2024-02-203-2/+10
| | | | | | | | | | | | | | Add audit.cfg configuration fragment. By default it is not appended to SRC_URI. It allows enabling the audit kernel subsystem which may help to debug appraisal issues. Boot with "integrity_audit=1" to capture a more complete set of events in /var/log/audit/. Previously the same configuration fragment was provided by layer meta-security-framework but it is no longer maintained therefore it makes sense to have audit.cfg in layer meta-integrity. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: update to 0.1.71Armin Kuster2024-01-281-3/+3
| | | | | | change branch name to stable. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-fail2ban: remove unused distutils dependencyArmin Kuster2024-01-281-1/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pyinotify: do not rely on smtpd moduleArmin Kuster2024-01-281-1/+0
| | | | | | | It's not mentioned anywhere in source code, and python 3.12 has removed it. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: libhoth: SRCREV bump e520f8f...e482716Yushi Sun2024-01-281-1/+1
| | | | | | | | | | | | | | | | | Nicholas Nooney (1): Update error messages in htool_exec_hostcmd (#43) Royce (1): Add ability to process raw host commands (#41) Yoan Andreev (1): Payload getstatus (#40) daimeng (1): htool: Allow console snapshot on proxy channels (#42) Signed-off-by: Yushi Sun <yushis@google.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* parsec-tool: fix serialNumber checkMikko Rapeli2024-01-282-1/+36
| | | | | | | | | | | New openssl 3.2.0 version removed spaces around serialNumber in: Subject: CN=parallaxsecond.com, serialNumber=EZ4U2CIXL Fixes parsec-service oeqa test on qemu. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pyinotify: fail2ban needs this moduleArmin Kuster2023-12-291-0/+19
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIRMikko Rapeli2023-12-291-2/+6
| | | | | | | | | | | | | If image recipe A wants to embed another image B which used dm-verity-img.bbclass and generated the .wks file, then recipe B must deploy everything to IMGDEPLOYDIR but recipe A finds the output from DM_VERITY_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}". Now both A and B images can use dm-verity-img.bbclass. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Reviewed-by: Erik Schilling <erik.schilling@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIXErik Schilling2023-12-291-2/+2
| | | | | | | | | It is embedded into IMAGE_NAME since poky master branch commit 6f6c79029bc2020907295858449c725952d560a1 Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Erik Schilling <erik.schilling@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-img.bbclass: use bc-nativeErik Schilling2023-12-291-2/+4
| | | | | | | | Build host may not have bc. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Erik Schilling <erik.schilling@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: support native buildsMikko Rapeli2023-12-291-0/+2
| | | | | | | | | | | | | | systemd tool ukify https://www.freedesktop.org/software/systemd/man/latest/ukify.html depends on systemd-measure https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html which depends on tpm2-tss. So to support creating UKI images containing both kernel and initramfs with systemd-native, tpm2-tss support is needed for native too. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Reviewed-by: Erik Schilling <erik.schilling@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* arpwatch: adjust CONFIGURE params to allow to build again.Armin Kuster2023-12-291-4/+2
| | | | | | drop EXTRA_OECONF Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layers: Move READMEs to markdown formatArmin Kuster2023-12-293-0/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lynis: Update SRC_URI to improve updaterArmin Kuster2023-12-291-1/+3
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-privacyidea: Update to 3.9.1Armin Kuster2023-12-291-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libhoth recipe updateDawid Dabrowski2023-12-291-1/+1
| | | | | | | | | | | | Changelog: Dawid Dabrowski Add support for payload update protocol for generic Titan images. Nick Nooney Add BUILD rules to support using libhoth with external tools. Yoan Andreev Add spi passthrough enable and disable commands. Add arm_coordinated_reset. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libgssglue: update to 0.8Armin Kuster2023-12-291-2/+2
| | | | | LICENSE changed Signed-off-by: Armin Kuster <akuster808@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-06 09:28:41 +0000