path: root/meta/lib
Commit message | Author | Age | Files | Lines
...
* buildcfg: get_metadata_git_*: catch also bb.process.NotFoundError | Martin Jansa | 2025-04-24 | 1 | -6/+6
  * bb.process.NotFoundError is triggered when e.g. oe.buildcfg.get_metadata_git_branch is called on non-existent directory

  (From OE-Core rev: 34c1f66c4c689b26a4c3129eb62f4ff9b6ec14be)

  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bitbake.conf: Switch prefix mapping to use -ffile-prefix-map | Khem Raj | 2025-04-23 | 1 | -1/+1
  -ffile-prefix-map is more comprehensive when it comes to reproducible builds and it is a superset of all prefix-mapping options in compilers.

  This makes it cleaner and workable across gcc and clang; clang does not support -fcanon-prefix-map and it has to be explicitly omitted when using clang.

  There are lambdas generated in templates by clang which still get the absolute paths despite -fdebug-prefix-map, this helps with that as well.

  nasm is an outlier and we have fixed it by adding -fdebug-prefix-map option. Luckily we do not pass DEBUG_PREFIX_MAP to nasm; all recipes which use nasm either pass -fdebug-prefix-map explicitly to nasm or they rewrite it to use nasm flags syntax.

  We have discussed this in past [1]

  [1] https://patchwork.yoctoproject.org/project/oe-core/patch/20230428032030.2047920-1-raj.khem@gmail.com/#10281

  (From OE-Core rev: ff73fa7ef7666a6dbe34f15515bc3ab6e574c5b0)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Cc: Jacob Kroon <jacob.kroon@gmail.com>
  Cc: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest/fetch: Fix whitespace | Richard Purdie | 2025-04-20 | 1 | -8/+8
  Update the test whitespace to avoid bitbake warnings.

  (From OE-Core rev: 8a324aa2111872138715bde7fbc86bcfc2d8b20e)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* wic: do not ignore ROOTFS_SIZE if the rootfs is modified | Trevor Woerner | 2025-04-17 | 1 | -0/+33
  If the *.wks file contains a "--source rootfs" then lib/wic/plugins/source/rootfs.py will be invoked to generate (what is assumed to be) the rootfs partition. If the rootfs partition needs to be tweaked or modified, the "rootfs.py" plugin will make a copy of the filesystem and then perform the changes on that copy. In other words, if the "--source rootfs" line of the *.wks file also contains any of:

      --exclude-path
      --include-path
      --change-directory
      --use-label (i.e. modify etc/fstab)

  then the rootfs will be copied first, then the copy is modified.

  If, for example, the unmodified IMAGE_ROOTFS is:

      .../tmp/work/qemuarm64_secureboot-oe-linux/core-image-base/1.0/rootfs

  then the copy would be made at:

      .../tmp/work/qemuarm64_secureboot-oe-linux/core-image-base/1.0/tmp-wic/rootfs${LINENO}

  where ${LINENO} is the line number where this "--source rootfs" line appears in the *wks file.

  When it comes time to make an actual partition of a specific filesystem type, lib/wic/partition.py::prepare_rootfs() is called. It is in this function that wic figures out if any extra size needs to be added. The bitbake variable used to specify the ultimate rootfs size is ROOTFS_SIZE, and since this variable is only valid for the rootfs (and not any other partitions), the code also verifies that the partition being created is ${IMAGE_ROOTFS}:

      rsize_bb = get_bitbake_var('ROOTFS_SIZE')
      rdir = get_bitbake_var('IMAGE_ROOTFS')
      if rsize_bb and rdir == rootfs_dir:
          <use rsize_bb>
      else:
          <calculate the partition size using "du -ks $p">

  As noted above, if lib/wic/plugins/source/rootfs.py has made a copy, then the "rdir == rootfs_dir" clause will fail and the code will assume this partition is not a rootfs since the strings do not compare equal.

  Therefore, in order to determine if this is a rootfs, retain the existing "rdir == rootfs_dir" comparison, but also add another one to check whether or not this is a wic-generated copy of the rootfs.

  STEPS TO REPRODUCE:
  - start with the following *wks file:

      bootloader --ptable gpt
      part /boot --size=100M --active --fstype=ext4 --label boot
      part / --source rootfs --fstype=ext4 --label root

  - and the following extra variable in conf/local.conf:

      IMAGE_ROOTFS_EXTRA_SPACE = "500000"

  - build an image
  - run it in qemu

      $ runqemu slirp nographic serial

  - verify the root partition has extra space:

      root@qemuarm64-secureboot:~# df -h
      Filesystem                Size      Used Available Use% Mounted on
      /dev/root               721.5M     67.4M    600.6M  10% /
      devtmpfs                477.7M         0    477.7M   0% /dev
      tmpfs                    40.0K         0     40.0K   0% /mnt
      tmpfs                   489.3M     92.0K    489.2M   0% /run
      tmpfs                   489.3M     68.0K    489.2M   0% /var/volatile
      /dev/vda1               120.4M     19.9M     91.4M  18% /boot

  - modify the "/" line of the *wks file to be:

      part / --source rootfs --fstype=ext4 --label root --exclude-path boot/

  - build image

  when it fails:

      root@qemuarm64-secureboot:~# df -h
      Filesystem                Size      Used Available Use% Mounted on
      /dev/root                73.4M     41.9M     25.8M  62% /
      devtmpfs                477.7M         0    477.7M   0% /dev
      tmpfs                    40.0K         0     40.0K   0% /mnt
      tmpfs                   489.3M     92.0K    489.2M   0% /run
      tmpfs                   489.3M     68.0K    489.2M   0% /var/volatile
      /dev/vda1               120.4M     19.9M     91.4M  18% /boot

  after this fix:

      root@qemuarm64-secureboot:~# df -h
      Filesystem                Size      Used Available Use% Mounted on
      /dev/root               721.5M     47.4M    620.6M   7% /
      devtmpfs                477.7M         0    477.7M   0% /dev
      tmpfs                    40.0K         0     40.0K   0% /mnt
      tmpfs                   489.3M     92.0K    489.2M   0% /run
      tmpfs                   489.3M     68.0K    489.2M   0% /var/volatile
      /dev/vda1               120.4M     19.9M     91.4M  18% /boot

  Doing the math we see that the /boot partition is ~20MB and in the first image the / partition contains this ~20MB in addition to the rest of the rootfs. This ~20MB is completely wasted since it is used in the / partition, but then the /boot partition is mounted on top of it, making the /boot directory of / inaccessible.

  After the fix the / partition has an additional ~20MB since the /boot portion is excluded.

  Fixes [YOCTO #15555]

  (From OE-Core rev: 1c690aa046ebca13d7b29de50d42b5d8a4a8486c)

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/cve_check: Mark variable flag dependencies | Joshua Watt | 2025-04-16 | 1 | -0/+2
  Marks CVE check functions which depend on non-constant variable flags as depending on the variables. This allows changes in the flags to correctly trigger a rebuild

  (From OE-Core rev: 2cc43c72ff28aa39a417dd8d57cd7c8741c0e541)

  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* selftest pokybleeding.py: add test for poky-bleeding.bbclass | Mikko Rapeli | 2025-04-10 | 1 | -0/+32
  The class sets SRCREV to AUTOINC for recipes with single or multiple repositories. Test those cases.

  (From meta-yocto rev: b7185b27b8acb43eaf9c27787903173ea34a0738)

  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: oe: Add cve_check to BBIMPORTS | Joshua Watt | 2025-04-10 | 1 | -1/+2
  Adds cve_check.py to BBIMPORTS so the functions it exposes will be correctly scanned for dependencies in the dependency scanner

  (From OE-Core rev: 52ead33c6b6e2532c57b7b28b862ba38b575f9e3)

  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mdadm: fetch from git | Alexander Kanavin | 2025-04-10 | 1 | -4/+7
  Upstream has released a new version (4.4) but not the tarball for it.

  Adjust one of the devtool selftests, as it requires that the recipe under test is using a tarball. Another selftest also needs to be tweaked to correctly clean up its modifications to that same recipe on test completion.

  (From OE-Core rev: de635a9bc0392689ff36b50e7f91572d3fbaac09)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa: Update lzip version in buildzip testcase | Khem Raj | 2025-04-08 | 1 | -1/+1
  (From OE-Core rev: 5200dcb39834790542c429d70cf54db07ff7a378)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest/wic: add test for excluding symlinks | Yi Zhao | 2025-04-08 | 1 | -5/+23
  Add test to check if --exclude-path option can exclude symlinks.

  This test validates commit[1].

  Test result:

      $ oe-selftest -r wic.Wic.test_exclude_path
      2025-04-03 15:11:25,211 - oe-selftest - INFO - meta-selftest layer not found in BBLAYERS, adding it
      2025-04-03 15:11:30,016 - oe-selftest - INFO - Adding layer libraries:
      2025-04-03 15:11:30,017 - oe-selftest - INFO - /buildarea/poky/meta/lib
      2025-04-03 15:11:30,017 - oe-selftest - INFO - /buildarea/poky/meta-yocto-bsp/lib
      2025-04-03 15:11:30,017 - oe-selftest - INFO - /buildarea/poky/meta-selftest/lib
      2025-04-03 15:11:30,019 - oe-selftest - INFO - Checking base configuration is valid/parsable
      NOTE: Starting bitbake server...
      2025-04-03 15:11:31,652 - oe-selftest - INFO - Adding: "include selftest.inc" in /buildarea/poky/build-st/conf/local.conf
      2025-04-03 15:11:31,653 - oe-selftest - INFO - Adding: "include bblayers.inc" in bblayers.conf
      2025-04-03 15:11:31,653 - oe-selftest - INFO - test_exclude_path (wic.Wic)
      2025-04-03 15:43:11,341 - oe-selftest - INFO - ... ok
      2025-04-03 15:43:11,341 - oe-selftest - INFO - ----------------------------------------------------------------------
      2025-04-03 15:43:11,342 - oe-selftest - INFO - Ran 1 test in 1899.900s
      2025-04-03 15:43:11,342 - oe-selftest - INFO - OK
      2025-04-03 15:43:14,834 - oe-selftest - INFO - RESULTS:
      2025-04-03 15:43:14,835 - oe-selftest - INFO - RESULTS - wic.Wic.test_exclude_path: PASSED (1899.69s)
      2025-04-03 15:43:14,836 - oe-selftest - INFO - SUMMARY:
      2025-04-03 15:43:14,836 - oe-selftest - INFO - oe-selftest () - Ran 1 test in 1899.900s
      2025-04-03 15:43:14,836 - oe-selftest - INFO - oe-selftest - OK - All required tests passed (successes=1, skipped=0, failures=0, errors=0)

  [1] https://git.openembedded.org/openembedded-core/commit/?id=42e829ac1e9d74646b6dfb327b18b15f6b0df60b

  (From OE-Core rev: 0dd455bed9b52c0cf237ea2f8bd1a8f7890078e9)

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: handle Unknown CVE_STATUS | Peter Marko | 2025-04-08 | 1 | -0/+2
  CVE_STATUS can be also "Unknown" since oe-core commit d25f1817752bc8a84c40dcbef75f7559801ce15e

  When this status type is used, build fails with e.g.

      ERROR: openssl-3.4.1-r0 do_create_spdx: Unknown CVE-2025-0001 status 'Unknown'

  Since this is now a valid status, it needs to be handled. It cannot be mapped to any VEX status (see below), so just skip it.

  Possible VEX statuses are: NOT AFFECTED, AFFECTED, FIXED, and UNDER INVESTIGATION.

  (From OE-Core rev: 2d3081ef63c8a54df62a2a08bd36008c20eed65a)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  cc: Marta Rybczynska <rybczynska@gmail.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe: remove redundant __name__ == "__main__" checks | Ross Burton | 2025-04-03 | 3 | -16/+0
  There's no point in checking if __name__ == "__main__" (i.e., is this module being invoked) and then doing nothing.

  (From OE-Core rev: 020b6b1411c9fd3adb208808c0d56623190873f8)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* patch.py: set commituser and commitemail for addNote | Changqing Li | 2025-04-03 | 1 | -6/+8
  When PATCHTOOL is set to 'git', and the user doesn't set up user.name and user.email for git, do_patch fails with the following error; fix by passing -c options.

      CmdError("git notes --ref refs/notes/devtool append -m 'original patch: 0001-PATCH-increase-to-cpp17-version.patch' HEAD", 0, 'stdout:
      stderr: Author identity unknown

      *** Please tell me who you are.

      Run

        git config --global user.email "you@example.com"
        git config --global user.name "Your Name"

  (From OE-Core rev: a3c6706d31ae1345b571ca10b290a4e1f5a9384b)

  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx3: support to override the version of a package in SBOM 3 | Hongxu Jia | 2025-03-24 | 1 | -1/+1
  By default, still use ${PV} as the version of a package in SBOM 3

      $ bitbake acl
      $ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json
      ...
          {
            "type": "software_Package",
      ...
            "name": "acl",
            "software_packageVersion": "2.3.2"
          },
      ...

  Support to override it by setting SPDX_PACKAGE_VERSION, such as set SPDX_PACKAGE_VERSION = "${EXTENDPKGV}" in local.conf to append PR to software_packageVersion in SBOM 3

      $ echo 'SPDX_PACKAGE_VERSION = "${EXTENDPKGV}"' >> conf/local.conf
      $ bitbake acl
      $ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json
      ...
          {
            "type": "software_Package",
      ...
            "name": "acl",
            "software_packageVersion": "2.3.2-r0"
          },
      ...

  (From OE-Core rev: e6ff5f4d870624795bd36572f5c2bfeec90d83ce)

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa: spdx: Add tar test for SPDX 2.2 | Joshua Watt | 2025-03-24 | 1 | -3/+6
  The base-files test for SPDX 2.2 did not give good coverage, since base-files doesn't have any dependencies. Add building tar as another test which more fully exercises the code

  (From OE-Core rev: d678e25419c89e09c1c438363bf3a940ce903d43)

  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa: Build cpio with C17 std | Khem Raj | 2025-03-24 | 3 | -6/+6
  cpio is not yet buildable with C23 standard which is default with GCC 15, therefore ensure to apply needed bandage to keep it compiling in C17 mode even with GCC 15

  (From OE-Core rev: 0c637099887f1be421c8e1203f99631a1e040150)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: handle links to inaccessible locations | Peter Marko | 2025-03-20 | 1 | -1/+1
  This is the same as e105befbe4ee0d85e94c2048a744f0373e2dbcdf on additional place in the code.

  When a link is pointing to location inaccessible to build user (e.g. "/root/something"), filepath.is_file() throws "PermissionError: [Errno 13] Permission denied".

  Fix this by first checking if it is a link.

  (From OE-Core rev: 26f35f866cf7888431963cf4fc5d2019cd28de74)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx: Update for bitbake changes | Richard Purdie | 2025-03-20 | 2 | -64/+63
  Bitbake is dropping the need for fetcher name iteration and multiple revisions per url. Update the code to match (removal of the for loop).

  (From OE-Core rev: 4859cdf97fd9a260036e148e25f0b78eb393df1e)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* devtool: reset: Escape command line input used in regular expression | Peter Kjellerstedt | 2025-03-20 | 1 | -0/+19
  Running, e.g., `devtool reset sdbus-c++` would result in the following error:

      re.error: multiple repeat at position 35

  This was due to the ++ in the recipe name, which would be treated as an incorrect regular expression in _reset(). Use re.escape() to make sure all characters in the recipe name are treated literally.

  (From OE-Core rev: 6e73bd9b3e6d529752db93879f2c0ed53873dd1a)

  Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: test the existence of directory before walking | hongxu | 2025-03-19 | 1 | -0/+4
  Due to commit [spdx30: Improve os.walk() handling][1] applied, it reported an error if walk directory failed

  While SPDX_INCLUDE_SOURCES = "1", if recipe does not provide sysroots, the walk in function add_package_files is broken

      $ echo 'SPDX_INCLUDE_SOURCES = "1"' >> conf/local.conf
      $ bitbake packagegroup-core-boot
      |DEBUG: Adding sysroot files to SPDX
      |ERROR: packagegroup-core-boot-1.0-r0 do_create_spdx: ERROR walking tmp/sysroots-components/intel_x86_64/packagegroup-core-boot: [Errno 2]
      | No such file or directory: 'tmp/sysroots-components/intel_x86_64/packagegroup-core-boot'

  Test the existence of directory before walking

  [1] https://git.openembedded.org/openembedded-core/commit/?id=86b581e80637cd8136ce7a7e95db94d9553d2f60

  (From OE-Core rev: cb1792e4950d5075be9bbe4c5337a5215db9669e)

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib/oe/recipeutils.py: handle fetcher errors when checking for new commits | Alexander Kanavin | 2025-03-19 | 1 | -4/+9
  Recent freedesktop instabilities are causing 'devtool check-upgrade-status' to fail with:

      bb.fetch2.FetchError: Fetcher failure: Fetch command export PSEUDO_DISABLED=1; git -c gc.autoDetach=false -c core.pager=cat -c safe.bareRepository=all -c clone.defaultRemoteName=origin ls-remote https://gitlab.>
      fatal: unable to access 'https://gitlab.freedesktop.org/mesa/kmscube/': The requested URL returned error: 502

  and not print any results for this one or any unrelated recipes included in the check.

  This change handles the error, so that if some upstream server isn't working properly, latest upstream revision for that is marked as unknown, a warning is printed and upstream version check for other recipes isn't thwarted:

      WARNING: Unable to obtain latest revision: Fetcher failure: Fetch command export PSEUDO_DISABLED=1; git -c gc.autoDetach=false -c core.pager=cat -c safe.bareRepository=all -c clone.defaultRemoteName=origin ls-remote https://gitlab.freedesktop.org/mesa/piglit.git failed with exit code 128, output:
      remote: GitLab is not responding
      fatal: unable to access 'https://gitlab.freedesktop.org/mesa/piglit.git/': The requested URL returned error: 502

      piglit 1.0 UNKNOWN_BROKEN Ross Burton <ross.burton@arm.com>

  (From OE-Core rev: c1056293f7cb32ee2bdf31441cc0b59d9ccfe556)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage add more u-boot tests | Adrian Freihofer | 2025-03-18 | 1 | -6/+111
  Add a new test function which checks that the device-tree of U-Boot contains the public keys which are required for checking the signature of the kernel FIT image at run-time.

  Use this new _check_kernel_dtb function in the existing test_sign_cascaded_uboot_fit_image test case which already creates a build configuration with UBOOT_SIGN_ENABLE = "1" and keys for the kernel. But so far there was no check that the keys for the kernel verification got added to U-Boot's DTB. This test case checks the configuration where only the configuration nodes of the kernel FIT image are signed.

  A new test case test_sign_uboot_kernel_individual checks the configuration with two keys and signed image and signed configuration nodes. This test case covers the use case which recently broke with commit:

      OE-Core rev: 259bfa86f384206f0d0a96a5b84887186c5f689e
      u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled

  and got fixed with commit

      OE-Core rev: 0106e5efab99c8016836a2ab71e2327ce58a9a9d
      u-boot: kernel-fitimage: Restore FIT_SIGN_INDIVIDUAL="1" behavior

  This patch also fixes a few more details:
  - Simplify the code by moving all the U-Boot related variables to the _fit_get_bb_vars function.
  - Do not set FIT_GENERATE_KEYS = "1" without inheriting the kernel-fitimage.bbclass which handles this variable.

  (From OE-Core rev: dda1fcbc85c26d1851dda6ed235238b15939998e)

  Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage improve bb_vars access | Adrian Freihofer | 2025-03-18 | 1 | -9/+12
  Make the code slightly more robust by using e.g. bb_vars.get('UBOOT_SIGN_ENABLE') instead of bb_vars['UBOOT_SIGN_ENABLE'] for variables which are potentially undefined. This is a general cleanup but also a preparation for additional test cases.

  Log bb_vars in verbose mode.

  Drop one no longer used log message.

  (From OE-Core rev: 22a554e1d5a2449c4c1b34f4d5cfe1572a72a142)

  Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* selftest: gdbserver: Adjust regex for change to output | Alex Kiernan | 2025-03-17 | 1 | -1/+1
  The updated kmod build (using meson) causes the output which results from `info line kmod_help` to change. Relax the regex so that both old and new responses will pass.

  (From OE-Core rev: 8783e7b8109b02847cf3b07421582c4fdb18949c)

  Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: spdx30_tasks: remove duplicated patched CVEs | Hongxu Jia | 2025-03-12 | 1 | -12/+7
  Due to commit [lib: spdx30_tasks: Handle patched CVEs][1] applied, duplicated CVE identifier for each CVE which increased +25% build time (image task: do_create_image_sbom_spdx)

      $ bitbake binutils-cross-x86_64
      $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
      "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
      "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
      "identifier": "CVE-2023-25584",
      "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
      "https://www.cve.org/CVERecord?id=CVE-2023-25584"
      "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
      "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
      "identifier": "CVE-2023-25584",
      "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
      "https://www.cve.org/CVERecord?id=CVE-2023-25584"

  Since the commit [cve-check: annotate CVEs during analysis][2] improved function get_patched_cves to:
  - Check each patch file;
  - Search for additional patched CVEs from CVE_STATUS;

  And return dictionary patched_cve for each cve:

      {
        "abbrev-status": "xxx",
        "status": "xxx",
        "justification": "xxx",
        "resource": "xxx",
        "affected-vendor": "xxx",
        "affected-product": "xxx",
      }

  But while adding CVE in meta/lib/oe/spdx30_tasks.py, the cve_by_status requires decoded_status

      {
        "mapping": "xxx",
        "detail": "xxx",
        "description": "xxx",
      }

  This commit converts patched_cve to decoded_status

      patched_cve["abbrev-status"] --> decoded_status["mapping"]
      patched_cve["status"] --> decoded_status["detail"]
      patched_cve["justification"] --> decoded_status["description"]

  And remove duplicated search for additional patched CVEs from CVE_STATUS (calling oe.cve_check.decode_cve_status)

  After applying this commit

      $ bitbake binutils-cross-x86_64
      $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
      "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/381bf593d99c005ecd2c2e0815b86bca2b9ff4cc2db59587aaddd3db95c67470/vulnerability/CVE-2023-25584",
      "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
      "identifier": "CVE-2023-25584",
      "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
      "https://www.cve.org/CVERecord?id=CVE-2023-25584"

  [1] https://git.openembedded.org/openembedded-core/commit/?id=1ff496546279d8a97df5ec475007cfb095c2a0bc
  [2] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d

  (From OE-Core rev: 08595b39b46ef2bf3a928d4528292ee31a990c98)

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: Fix dependencies on SPDX code | Joshua Watt | 2025-03-11 | 2 | -3/+7
  The SPDX library code was being ignored from taskhash calculations due to accidentally being omitted from BBIMPORTS. This meant that changes in the code or dependent variables would not cause the task to rebuild correctly.

  In order to add spdx_common, convert the `Dep` object from a named tuple to a frozen dataclass. These function more or less equivalently, but the bitbake code parser cannot handle named tuples.

  Finally, the vardepsexclude that used to be present on the recipe tasks needs to be moved to the python code in order for the variables to be correctly ignored. Several unused exclusions were removed

  (From OE-Core rev: eb597bf61cbcb0a4d43149404c93eec0894fb4c7)

  Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage add more kernel tests | Adrian Freihofer | 2025-03-11 | 1 | -2/+149
  * Test with only one externally provided ssh key not only with two keys generated by the kernel-fitimage.bbclass itself.
  * Add a test which signs only the configuration but not the image nodes. There was no test case which covered the probably much more important use case of setting FIT_SIGN_INDIVIDUAL = "0".
  * Cover also the unbundled initramfs use case. Also this use case is probably much more relevant than the bundled initramfs use case.

  (From OE-Core rev: 0a5b65b83dcd9f8d1d22d074fdfad1f1e472827c)

  Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage cleanup | Adrian Freihofer | 2025-03-11 | 1 | -668/+800
  This is a comprehensive cleanup of the fitImage related test cases. The existing test cases were essentially the same code copied and pasted 9 times. All 9 test cases contained the code to parse an its file and to parse the output of the dumpimage utility in slightly different variants. Changing the kernel-fitimage.bbclass or the uboot-sign.bbclass would mean changing 9 test cases individually. This is no longer maintainable.

  This cleanup converts the code into reusable functions. The new test code is more like a reverse implementation of the bbclasses to be tested than a collection of straightforward test sequences. This also means that the test code evaluates the same bitbake variables as the implementation. This makes it much easier to add new test cases, as a test case is basically just another local.conf file.

  The code is not yet complete. But it can now be improved step by step in this direction.

  (From OE-Core rev: 1dfa03a182d9d9e9e38c410847c7dac4ed7e8ce6)

  Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage sort tests | Adrian Freihofer | 2025-03-11 | 1 | -133/+129
  This is a trivial refactoring. The goal is to have all tests for kernel-fitimage.bbclass and all tests for uboot-sign.bbclass together.

  This refactoring greatly simplifies the diff of the next commit.

  (From OE-Core rev: 638abab58b653a1fb120368bd5e30bc80478757c)

  Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: adapt u-boot tests to latest changes | Adrian Freihofer | 2025-03-11 | 1 | -101/+0
  For u-boot test cases (bitbake virtual/bootloader) inheriting the kernel-fitimage.bbclass is no longer needed. Also setting any variable which is evaluated by the kernel-fitimage.bbclass but not by uboot-sign.bbclass is pointless since:

  * Commit OE-Core rev: 5e12dc911d0c541f43aa6d0c046fb87e8b7c1f7e changed the test case from bitbake virtual/kernel to bitbake virtual/bootloader
  * Commit OE-Core rev: 259bfa86f384206f0d0a96a5b84887186c5f689e has finally removed the dependency of uboot-sign.bbclass on the kernel-fitimage.bbclass completely.

  Remove the related lines of code which are now without any effect.

  The two test cases test_uboot_fit_image and test_uboot_sign_fit_image do the exact same test. Both generate a binary equal its file:

      /dts-v1/;

      / {
          description = "A model description";
          #address-cells = <1>;

          images {
              uboot {
                  description = "U-Boot image";
                  data = /incbin/("u-boot-nodtb.bin");
                  type = "standalone";
                  os = "u-boot";
                  arch = "arm";
                  compression = "none";
                  load = <0x80080000>;
                  entry = <0x80080000>;
              };
              fdt {
                  description = "U-Boot FDT";
                  data = /incbin/("u-boot.dtb");
                  type = "flat_dt";
                  arch = "arm";
                  compression = "none";
              };
          };

          configurations {
              default = "conf";
              conf {
                  description = "Boot with signed U-Boot FIT";
                  loadables = "uboot";
                  fdt = "fdt";
              };
          };
      };

  The code diff between the two equal test cases looks like:
@@ -1,8 +1,9 @@ - def test_uboot_fit_image(self): + def test_uboot_sign_fit_image(self): """ Summary: Check if Uboot FIT image and Image Tree Source (its) are built and the Image Tree Source has the - correct fields. + correct fields, in the scenario where the Kernel + is also creating/signing it's fitImage. Expected: 1. u-boot-fitImage and u-boot-its can be built 2. The type, load address, entrypoint address and default values of U-boot image are correct in the 
@@ -26,16 +27,15 @@ UBOOT_LOADADDRESS = "0x80080000" UBOOT_ENTRYPOINT = "0x80080000" UBOOT_FIT_DESC = "A model description" - -# Enable creation of Kernel fitImage KERNEL_IMAGETYPES += " fitImage " -KERNEL_CLASSES = " kernel-fitimage" +KERNEL_CLASSES = " kernel-fitimage " UBOOT_SIGN_ENABLE = "1" FIT_GENERATE_KEYS = "1" UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys" UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest" UBOOT_SIGN_KEYNAME = "cfg-oe-selftest" FIT_SIGN_INDIVIDUAL = "1" +UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart U-Boot comment'" """ self.write_config(config) Conclusion: The test case test_uboot_sign_fit_image looks redundant. Contrary to its name, it does not insert any signature nodes into the its-file and therefore does not test any type of signature. Code history: - Commit OE-Core rev: e71e4c617568496ae3bd6bb678f97b4f73cb43d8 introduces both test cases. - Commit OE-Core rev: 5e12dc911d0c541f43aa6d0c046fb87e8b7c1f7e changes both test cases like this: - bitbake("virtual/kernel") + bitbake("virtual/bootloader") It looks like the original implementation of test_uboot_sign_fit_image was supposed to test the interaction between the kernel-fitimage.bbclass and uboot-sign.bbclass which does not longer work like that. When compiling u-boot, the variable that is relevant for creating an its file with signature nodes is: SPL_SIGN_ENABLE. This is what the test case test_sign_standalone_uboot_fit_image verifies. Lets just delete the now obsolete test_uboot_sign_fit_image test case. (From OE-Core rev: de8bfdff0f997f59a2bd27842a2ffcd365f725f3) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: spdx30_tasks: Handle patched CVEs | Joshua Watt | 2025-03-08 | 1 | -0/+10
| The code to iterate over patched CVEs (e.g. those patched by a .patch file in SRC_URI) was accidentally omitted when writing the SPDX 3 handling. Add it in now [YOCTO #15789] (From OE-Core rev: 1ff496546279d8a97df5ec475007cfb095c2a0bc) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/elf.py: Add loongarch64 architecture definition for musl | Xiaotian Wu | 2025-03-07 | 1 | -0/+1
| Add the ELF definition for the loongarch64 architecture when building with musl as libc. (From OE-Core rev: c6498e4ca43dc2f8bc326bc6b6dbc8fd7f0bef79) Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: sbom30: Add action statement for affected VEX statements | Joshua Watt | 2025-03-06 | 1 | -0/+1
| VEX Affected relationships have a mandatory action statement that indicates the mitigation for a vulnerability. Since we don't track this, add a statement indicating that no mitigation is known. (From OE-Core rev: 39545c955474a43d11a45d74a88a5999b02cb8b3) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemurunner: Fix a bug with fork/exit handling | Richard Purdie | 2025-03-03 | 1 | -6/+9
| If you send this forked process a SIGTERM, it will execute all of the parent's exit code leading to two sets of console/exit output which is extremely confusing. Wrap the code in a try/finally to ensure we always call os._exit() to avoid this. I spent far too long trying to work out the crazy console output from this. (From OE-Core rev: 652e40bfae24b8e23bbf7a7f35d900d2ab8d0f92) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/package/utils: Improve multiprocess_launch argument passing | Richard Purdie | 2025-02-28 | 2 | -10/+5
| The current code for multiple argument passing is horrible. Tweak the multiprocess_launch function to only convert to a tuple if it isn't already one, which means we can then use function arguments in a standard way. (From OE-Core rev: 7c99f90079e722764ebdc30e8d0e781454b3a51a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage: add testcases to test ATF and TEE | Jamin Lin | 2025-02-27 | 1 | -0/+281
| Add "test_uboot_atf_tee_fit_image" test case to check u-boot FIT image and Image Tree Source (ITS) are built and the ITS has the correct fields. Add "test_sign_standalone_uboot_atf_tee_fit_image" test case to check if u-boot FIT image and Image Tree Source (ITS) are created and signed correctly for the scenario where only the u-boot proper fitImage is being created and signed. Currently, ATF and TEE (optee-os) recipes are placed in meta-arm layer. OpenEmbedded-Core is a basic and core meta layer. To avoid OpenEmbedded-Core depending on meta-arm, both test cases use dummy images for testing. (From OE-Core rev: 92e51452f8831f74e0907b960135eef8cecd012a) Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest: add a newline in local.conf (newbuilddir) | Christos Gavros | 2025-02-27 | 1 | -0/+7
| If the build-st/conf/local.conf does not end with a newline when it is generated, then add one [YOCTO #15734] CC: Yoann Congal <yoann.congal@smile.fr> CC: Randy MacLeod <randy.macleod@windriver.com> CC: Alexander Kanavin <alex.kanavin@gmail.com> (From OE-Core rev: d2fcd9e880126bc33be2ef14e678cc1aa72683c3) Signed-off-by: Christos Gavros <gavrosc@yahoo.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* skeletoninit: remove broken link | Christos Gavros | 2025-02-25 | 1 | -2/+1
| The link in the comment is broken. It's removed together with some text. CC: Yoann Congal <yoann.congal@smile.fr> CC: Randy MacLeod <randy.macleod@windriver.com> (From OE-Core rev: 4d5ce199d44bbeee7a7cff1dc7deac3d45a15d35) Signed-off-by: Christos Gavros <gavrosc@yahoo.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest/devtool: use 'config.toml' instead of plain 'config' | Enrico Scholz | 2025-02-25 | 1 | -1/+1
| After changing naming of cargo config in cargo_common.bbclass, adapt devtool to use the new name. (From OE-Core rev: 715d27f0b4301c97f05ed3cbbaace0ba01c28f39) Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rust: Oe-selftest changes for rust v1.82.0 | Deepesh Varatharajan | 2025-02-20 | 1 | -0/+2
| A few tests are failing with x86 arch. The unsupported/failing tests are added to the exclude list and the failing unit tests are ignored. Upstream-Status: Pending (From OE-Core rev: b1340173be2a3a91fbb135eb0e24e50c3b996425) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/qemurunner: Convert from ifconfig to use ip | Richard Purdie | 2025-02-20 | 1 | -1/+1
| ifconfig is obsolete and being removed, convert to use ip instead. (From OE-Core rev: 3b2fb477750606976359884b18c33a37832e5a78) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest: Drop dependency on systemd-native | Vyacheslav Yurkov | 2025-02-18 | 2 | -2/+0
| The tests don't need it. On top of that, this extra requirement creates a dependency loop between systemd-systemctl-native and util-linux. (From OE-Core rev: b5770d8c56036bdfef8d596d27433d8f408ee36f) Signed-off-by: Vyacheslav Yurkov <uvv.mail@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/runtime/connman: Drop unused test | Richard Purdie | 2025-02-18 | 1 | -19/+1
| This test checks for an IP address and then tests if interface aliases work. We don't run it on any of our automated testing as it only applies for non-qemu. The connectivity test is unrelated to connman and pretty pointless as it depends on ssh working, so networking is probably ok. The alias interface test is unrelated to connman and a general networking test but seems out of place. The code uses obsolete ifconfig calls and overall, the value of the test we're never using seems low. Delete it. (From OE-Core rev: 5e40277d1ee9df8dbc612a39b575f9a50806cd62) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest/cases/signing.py: Re-enable self-test | Zoltán Böszörményi | 2025-02-18 | 1 | -1/+2
| With all the pieces in place, the self test can be re-enabled. (From OE-Core rev: 46e8b94582ea9734117d20cd62c39fb4450c00c4) Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: Improve os.walk() handling | Joshua Watt | 2025-02-18 | 1 | -4/+16
| There have been errors seen when assembling root file system SPDX documents where they will reference files that don't exist in the package SPDX. The speculation is that this is caused by os.walk() ignoring errors when walking, causing files to be omitted. Improve the code by adding an error handler to os.walk() to report errors when they occur. In addition, sort the files and directories while walking to ensure consistent ordering of the file SPDX IDs. (From OE-Core rev: 86b581e80637cd8136ce7a7e95db94d9553d2f60) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/runtime: Add debugging if networking fails | Richard Purdie | 2025-02-11 | 3 | -2/+20
| If networking fails, we can get useful information over the serial connection. Add this fallback code so that any issues can be more easily debugged by showing the host and target networking states. (From OE-Core rev: 3291f9d07ecfe7d3301dc914f5e6a80577cf1d5d) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage add u-boot env script | Adrian Freihofer | 2025-02-11 | 1 | -2/+42
| Extend all kernel-fitimage tests to add a boot.cmd script to the fitImage and verify the script ends up in the fitImage. The test covers the use case which is documented here: https://docs.u-boot.org/en/latest/usage/cmd/source.html#fit-image. But instead of adding the script inline, a script file is generated. (From OE-Core rev: 816f25359935f54881b557d55c29a390dd991609) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe-selftest: fitimage split run_dumpimage function | Adrian Freihofer | 2025-02-11 | 1 | -21/+23
| Provide a re-usable function which calls the dumpimage utility. This is a refactoring. (From OE-Core rev: f69f54d72d89fb381ea1945ea52f4c9963552e9f) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oeqa/metadata: Add commit_time to branch metadata being saved | Richard Purdie | 2025-02-09 | 1 | -0/+5
| As well as commit counts, it is helpful to know when metadata dates from. Store the unix timestamp for commits in a commit_time field alongside the commit count. This is useful for performance graph analysis and saves having to recompute the data. (From OE-Core rev: 56d1bc3f8f45d2f9c8ca0319c429cec562a16384) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Revert "selftest/sstatetests: run CDN mirror check only once" | Richard Purdie | 2025-02-06 | 1 | -0/+2
| This reverts commit 0d3901b768272abc2e27ba2ab807dad24917e0cf. We're still having CDN issues so go back to the double attempt to see if this improves things. (From OE-Core rev: 136f0edb75d9601a0ae56e025419d3cddfb90219) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>