Commit message | Author | Age | Files | Lines
* meta-security: move perl and python recipes to dynamic layers structure | Armin Kuster | 2022-05-14 | 34 | -0/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* fscrypt: add distro_check on pam | Armin Kuster | 2022-05-14 | 1 | -5/+7
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Add EROFS support to dm-verity-img class | Josh Harley | 2022-05-01 | 1 | -2/+2
  [PATCH] Add support for the EROFS image, and its compressed options, to the dm-verity-img.bbclass setup, theoretically this is a simple addition to the list of types however there is a quirk in how Poky handles the filesystems in poky/meta/classes/image_types.bbclass.
  Specifically the 'IMAGE_CMD' and 'IMAGE_FSTYPES' use a hyphen, e.g. erofs-lz4, however in the image_type bbclass the task for that would be "do_image_erofs_lz4", replacing the hyphen with an underscore.
  As the dm-verity-img.bbclass adds a dependency to the wic image creation on the do_image_* task then it fails as there is no "do_image_erofs-lz4", so simply replace the hyphen with an underscore.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* LICENSE: update to SPDX standard names | Joe Slater | 2022-04-13 | 20 | -20/+20
  Use convert-spdx-licenses.py to update LICENSE in recipes.
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain.inc: Correct LICENSE to GPL-2.0-only | Ranjitsinh Rathod | 2022-04-13 | 1 | -1/+1
  It seems below change done manually and so LICENSE variable modified from GPLv2 to GPL-2.0-or-later. But it should be GPL-2.0-only
  Link: https://git.yoctoproject.org/meta-security/commit/?id=c56ae450c93a1383a1ce800a32a6ef2c3fbbae1c
  Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-pkcs11: update to 1.8.0 | Petr Gotthard | 2022-04-13 | 5 | -1498/+7
  The build patches are now included in the upstream, the local binary checks can be disabled with --disable-ptool-checks, the bootstrap doesn't need to be called if the release .tar.gz is used.
  Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss-engine: fix version string and build with openssl 3.0 | Petr Gotthard | 2022-04-13 | 1 | -6/+13
  Calling autoreconf outside git repo causes the version number to be null. This patch makes the version number fixed.
  Since Yocto now uses OpenSSL 3.0, the file packaging needs to be updated.
  Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-abrmd: update to 2.4.1 | Petr Gotthard | 2022-04-13 | 1 | -4/+2
  The version number is correctly assigned only when the release .tar.gz is used.
  Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: update to 3.2.0 | Petr Gotthard | 2022-04-13 | 4 | -377/+22
  This deletes the patches that were unused for a long time, updates the tpm2-tss package and introduces a fix to the version number problem that got introduced with the 3.2.0 version.
  Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-openssl: update to 1.1.0 | Petr Gotthard | 2022-04-13 | 2 | -11/+19
  Also, the recipe is fixed to correctly package the openssl provider.
  This new tpm2-openssl:
  - Fixed segmentation fault when a signature algorithm is being initialized without a private key.
  - Fixed RSA/EC key equality checks. Works with OpenSSL 3.0.1.
  - Added support for the `TPM2OPENSSL_PARENT_AUTH` environment variable.
  Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tools: fix missing version number | Petr Gotthard | 2022-04-13 | 1 | -0/+5
  Calling autoreconf outside git repo causes the version number to be null. This patch makes the version number fixed.
  Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2 | Anton Antonov | 2022-04-13 | 7 | -344/+351
  Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* fscrypt: update dependency from go-dep-native to go-native | Davide Gardenal | 2022-04-07 | 1 | -1/+1
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* clamav: add COMPATIBLE_HOST to fix build error | Davide Gardenal | 2022-04-07 | 1 | -0/+2
  Add COMPATIBLE_HOST to match what is found in glibc to avoid build error when using musl
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: update to 4.4.7 | Armin Kuster | 2022-04-07 | 1 | -2/+2
  This fixes musl builds too.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto_security.inc: add lkrg kfrags | Armin Kuster | 2022-04-07 | 3 | -0/+12
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lkrg-module: convert to git fetcher | Armin Kuster | 2022-04-07 | 2 | -8/+8
  This allows to track tip easier.
  refresh patch
  Fix LICENSE to match SPDX format
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-fail2ban: fix compile issue on some hosts | Armin Kuster | 2022-04-02 | 1 | -0/+7
  Use python3-native to use 2to3
  Fix build issue on some hosts with this error:
  (result, consumed) = self._buffer_decode(data, self.errors, final)
  | UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd8 in position 152: invalid continuation byte
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* LICENSE: adopt SPDX standard names | Robert Yang | 2022-04-02 | 2 | -2/+2
  Modify LICENSE for ding-libs and libmhash.
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security : Use SPDX style licensing format | Ashish Sharma | 2022-04-02 | 8 | -8/+8
  WARNING: selinux-sandbox-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
  WARNING: selinux-gui-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
  WARNING: semodule-utils-3.3-r0.1 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
  WARNING: selinux-dbus-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \
  WARNING: libwhisker2-perl-2.5-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \
  WARNING: lib-perl-0.63-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \
  WARNING: libhtp-0.5.39-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \
  ...
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap-daemon: use renamed python_setuptools_build_meta | Armin Kuster | 2022-04-02 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* kas-security-alt: drop rust layer | Armin Kuster | 2022-03-13 | 1 | -5/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-privacyidea: drop old package ref. | Armin Kuster | 2022-03-13 | 1 | -1/+1
  meta-python dropped package via commit: 620689d4efba28bc8dd60e2d82908bfb3531fbd0
  python3-backports-functional-lru-cache: remove, not needed for Python 3
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Subject: [PATCH] Subject: python3-fail2ban: switch to legacy setuptools3 | Ashish Sharma | 2022-03-11 | 1 | -1/+1
  raise InvalidWheelFilename(f"{filename} is not a valid wheel filename.")
  pip._internal.exceptions.InvalidWheelFilename: fail2ban-*-*.whl is not a valid wheel filename.
  Removed build tracker: '/tmp/pip-req-tracker-qnepnk46'
  ERROR: Failed to pip install wheel. Check the logs.
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-fail2ban: fix SPDX license. | Armin Kuster | 2022-03-11 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: fix user perms | Armin Kuster | 2022-03-11 | 1 | -5/+4
  [Yocto #14724]
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm-tools: Fix pod2man race | Armin Kuster | 2022-03-11 | 1 | -1/+1
  On some systems, pod2man is not available so add native depends.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-keys: don't use lnr | Armin Kuster | 2022-03-11 | 1 | -1/+1
  lnr is a script in oe-core that creates relative symlinks, with the same behaviour as `ln --relative --symlink`. It was added back in 2014[1] as not all of the supported host distributions at the time shipped coreutils 8.16, the first release with --relative.
  However the oldest coreutils release in the supported distributions is now 8.22 in CentOS 7, so lnr can be deprecated and users switched to ln.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libtpm: update to 0.9.2 | Armin Kuster | 2022-03-11 | 1 | -2/+2
  includes: CVE-2021-3623
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* swtpm: update to 0.7.1 | Armin Kuster | 2022-03-11 | 2 | -68/+2
  fixes: CVE-2022-23645.
  Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap-daemon: fix wheels and License issues. | Armin Kuster | 2022-03-11 | 1 | -2/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-privacyidea: update to 3.6.2 | Armin Kuster | 2022-03-11 | 1 | -2/+2
  Fix license.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-privacyidea: fix QA ERROR | Armin Kuster | 2022-03-11 | 1 | -3/+1
  ERROR: python3-privacyidea-3.5.2-r0 do_package: QA Issue: python3-privacyidea: Files/directories were installed but not shipped in any package:
  /usr/etc
  /usr/etc/privacyidea
  /usr/etc/privacyidea/dictionary
  /usr/etc/privacyidea/privacyideaapp.wsgi
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security-isafw: Fixes to work with oe-core master | Akshay Bhat | 2022-03-11 | 1 | -2/+1
  Update isafw bbclass to build with oe-core master
  - prelink support was dropped in oe-core as part of 23c0be78106f
  - do_populate_cve_db was renamed to do_fetch in oe-core as part of f5f97d33a1703d
  Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* parsec-service: Only enable TPM is layer and DISTRO_FEATURE is defined. | Armin Kuster | 2022-03-11 | 1 | -1/+6
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: enable apparmor for qemu machine | Armin Kuster | 2022-03-11 | 1 | -0/+3
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* apparmor: update to 3.0.4 | Armin Kuster | 2022-03-11 | 3 | -130/+2
  drop to patches no longer needed
  use setuptools
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-security-tpm: Fix QA Error | Armin Kuster | 2022-03-11 | 1 | -1/+0
  ERROR: packagegroup-security-tpm-1.0-r0 do_package_write_rpm: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (libtpm-dbg to libtpms-dbg)
  ERROR: packagegroup-security-tpm-1.0-r0 do_package_write_rpm: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (libtpm to libtpms0)
  ERROR: packagegroup-security-tpm-1.0-r0 do_package_write_rpm: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (libtpm-dev to libtpms-dev)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README.md: fix typo | Armin Kuster | 2022-03-11 | 1 | -1/+1
  Fix typo in parsec-tools to parsec-tool
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Upgrade parsec-tool to 0.5.1 | Anton Antonov | 2022-02-25 | 3 | -94/+74
  Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* smack: Use new CVE_CHECK_IGNORE variable | Armin Kuster | 2022-02-22 | 1 | -3/+3
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chipsec: fix WARNING | Armin Kuster | 2022-02-22 | 1 | -1/+1
  distutils3.bbclass is deprecated, please use setuptools3.bbclass instead
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: Use renamed SKIP_RECIPE varFlag | Armin Kuster | 2022-02-22 | 3 | -3/+3
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update to use kirkstone | Armin Kuster | 2022-02-20 | 7 | -7/+7
  Update the layers to use the kirkstone namespace. No compatibility is made for honister due to the variable renaming.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-pkcs11: fix RDEPENDS variable | Patrick Williams | 2022-02-20 | 1 | -1/+1
  The RDEPENDS variable was misspelled and as a result was never fixed up with the `_${PN}` to `:${PN}` transition. Fix both aspects.
  Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: Fix openembedded platform tests | Akshay Bhat | 2022-02-20 | 2 | -0/+31
  Update the installed_OS_is_openembedded check to drop the quotes in the VERSION_ID string to match f451c68667cca of openembedded-core. Without this fix, all tests are reported as "notapplicable".
  Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-hardening: Fix override syntax | Akshay Bhat | 2022-02-20 | 5 | -8/+8
  Commit 352e6498a missed updating the override syntax for the "harden" distro override.
  Fixes: 352e6498a ("meta-hardening: Convert to new override syntax")
  Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* parsec-service: fix compile issue. | Armin Kuster | 2022-02-20 | 1 | -1/+1
  thread 'main' panicked at 'Failed to find tss2-sys library.: Command { command: "\"pkg-config\" \"--libs\" \"--cflags\" \"tss2-sys\" \"tss2-sys >= 2.3.3\"", cause: Os { code: 2, kind: NotFound, message: "No such file or directory" } }', /home/akuster/oss/clean/poky/build/tmp-glibc/work/cortexa57-oe-linux/parsec-service/0.8.1-r0/cargo_home/bitbake/tss-esapi-sys-0.2.0/build.rs:62:10
  add inherit pkgconfig
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: update to 3.1.0 | Armin Kuster | 2022-02-20 | 3 | -52/+38
  Drop 001-configure.ac-fix-compatibility-with-autoconf-2.70.patch which is included in update.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: update to 6.0.4 | Armin Kuster | 2022-02-04 | 2 | -3/+3
  bump lexical-core to 0.6.8
  Signed-off-by: Armin Kuster <akuster808@gmail.com>