* [dunfell 00/32] Patch review
@ 2020-10-17 18:02 akuster
  2020-10-17 18:02 ` [dunfell 01/32] gitlab-ci: add support for dunfell akuster
                   ` (31 more replies)
  0 siblings, 32 replies; 33+ messages in thread
From: akuster @ 2020-10-17 18:02 UTC (permalink / raw)
  To: yocto

From: Armin Kuster <akuster@mvista.com>

These are backports from master or fixes.
Please have any feedback by Monday.

Clean build on https://gitlab.com/akuster/meta-security/-/pipelines/203972999

The following changes since commit d4ec0d86b4d906bfeb9355e45926e0e0f84105da:

  gitignore added (2020-09-29 07:21:24 -0700)

are available in the Git repository at:

  git://git.yoctoproject.org/meta-security dunfell-next
  http://git.yoctoproject.org/cgit.cgi//log/?h=dunfell-next

Armin Kuster (13):
  gitlab-ci: add support for dunfell
  packagegroup-core-security-ptest: update fail2ban ptest pkg name
  packagegroup-core-security: remove clamav for riscv*
  libsecomp: rv32/rv64 target builds are not supported yet
  packagegroup-core-security: remove libseccomp for riscv*
  packagegroup-core-security: dont include suricata on riscv or ppc
  apparmor: exclude mips64, not supported
  apparmor: fix build issue with ptest enabled.
  packagegroup-core-security: remove clamav from musl image
  ibmswtpm2: fix QA warning
  README: updated branch for Dunfell
  apparmor: fix issue with older use of shell in make
  apparmor: fix QA warning with systemd enabled

Jonatan Pålsson (1):
  sssd: Make manpages buildable

Kai Kang (1):
  sssd: disable build secrets

Mingli Yu (1):
  scap-security-guide: add expat-native to DEPENDS

Naveen Saini (3):
  initramfs-framework/dmverity: add retry loop for slow boot devices
  wic: add wks.in for intel dm-verity
  linux-%/5.x: Add dm-verity fragment as needed

Sajjad Ahmed (1):
  layer.conf: use += instead of := to update BBFILES

niko.mauno@vaisala.com (12):
  dm-verity-img.bbclass: Fix bashisms
  dm-verity-img.bbclass: Reorder parse-time check
  dm-verity-image-initramfs: Ensure verity hash sync
  dm-verity-image-initramfs: Bind at do_image instead
  linux-yocto(-dev): Add dm-verity fragment as needed
  dm-verity-img.bbclass: Stage verity.env file
  initramfs-framework: Add dmverity module
  dm-verity-image-initramfs: Use initramfs-framework
  dm-verity-initramfs-image: Cosmetic improvements
  dm-verity-image-initramfs: Add base-passwd package
  dm-verity-image-initramfs: Drop locales from image
  beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR

 .gitlab-ci.yml                                | 144 ++++++++++++++
 README                                        |  12 +-
 classes/dm-verity-img.bbclass                 |  22 ++-
 kas/kas-security-alt.yml                      |   8 +
 kas/kas-security-base.yml                     |  64 ++++++
 kas/kas-security-dm.yml                       |  13 ++
 kas/qemuarm.yml                               |   6 +
 kas/qemuarm64-alt.yml                         |   6 +
 kas/qemuarm64-ima.yml                         |  10 +
 kas/qemuarm64-multi.yml                       |  12 ++
 kas/qemuarm64-musl.yml                        |  10 +
 kas/qemuarm64-tpm2.yml                        |  10 +
 kas/qemuarm64.yml                             |   6 +
 kas/qemumips64-alt.yml                        |  10 +
 kas/qemumips64-multi.yml                      |  14 ++
 kas/qemumips64.yml                            |   6 +
 kas/qemuppc.yml                               |   6 +
 kas/qemuriscv64.yml                           |   6 +
 kas/qemux86-64-alt.yml                        |   6 +
 kas/qemux86-64-dm-verify.yml                  |   6 +
 kas/qemux86-64-ima.yml                        |  10 +
 kas/qemux86-64-multi.yml                      |  12 ++
 kas/qemux86-64-tpm.yml                        |  10 +
 kas/qemux86-64-tpm2.yml                       |  10 +
 kas/qemux86-64.yml                            |   6 +
 kas/qemux86-ima.yml                           |  10 +
 kas/qemux86-musl.yml                          |  10 +
 kas/qemux86-test.yml                          |  11 ++
 kas/qemux86.yml                               |   6 +
 meta-integrity/README.md                      |   8 +-
 meta-integrity/conf/layer.conf                |   3 +-
 meta-security-compliance/README               |   8 +-
 .../scap-security-guide.inc                   |   2 +-
 meta-security-isafw/README.md                 |   4 +-
 meta-tpm/README                               |   8 +-
 .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb  |   3 +-
 .../images/dm-verity-image-initramfs.bb       |  28 ++-
 .../initrdscripts/initramfs-dm-verity.bb      |  13 --
 .../initramfs-dm-verity/init-dm-verity.sh     |  46 -----
 .../initramfs-framework/dmverity              |  63 ++++++
 .../initramfs-framework_1.0.bbappend          |  16 ++
 recipes-kernel/linux/linux-%_5.%.bbappend     |   2 +-
 recipes-kernel/linux/linux-yocto-dev.bbappend |   1 +
 recipes-kernel/linux/linux-yocto_5.%.bbappend |   1 +
 recipes-mac/AppArmor/apparmor_2.13.4.bb       | 186 +++++++++---------
 ...-Don-t-build-syscall_sysctl-if-missi.patch |  96 +++++++++
 ...-fix-failure-on-older-versions-of-Ma.patch |  40 ++++
 .../libseccomp/libseccomp_2.4.3.bb            |   3 +
 .../packagegroup-core-security-ptest.bb       |   2 +-
 .../packagegroup-core-security.bb             |   9 +-
 ...AC_CHECK_FILE-when-building-manpages.patch |  34 ++++
 recipes-security/sssd/sssd_1.16.4.bb          |  11 +-
 wic/beaglebone-yocto-verity.wks.in            |   2 +-
 wic/systemd-bootdisk-dmverity.wks.in          |  15 ++
 54 files changed, 857 insertions(+), 209 deletions(-)
 create mode 100644 .gitlab-ci.yml
 create mode 100644 kas/kas-security-alt.yml
 create mode 100644 kas/kas-security-base.yml
 create mode 100644 kas/kas-security-dm.yml
 create mode 100644 kas/qemuarm.yml
 create mode 100644 kas/qemuarm64-alt.yml
 create mode 100644 kas/qemuarm64-ima.yml
 create mode 100644 kas/qemuarm64-multi.yml
 create mode 100644 kas/qemuarm64-musl.yml
 create mode 100644 kas/qemuarm64-tpm2.yml
 create mode 100644 kas/qemuarm64.yml
 create mode 100644 kas/qemumips64-alt.yml
 create mode 100644 kas/qemumips64-multi.yml
 create mode 100644 kas/qemumips64.yml
 create mode 100644 kas/qemuppc.yml
 create mode 100644 kas/qemuriscv64.yml
 create mode 100644 kas/qemux86-64-alt.yml
 create mode 100644 kas/qemux86-64-dm-verify.yml
 create mode 100644 kas/qemux86-64-ima.yml
 create mode 100644 kas/qemux86-64-multi.yml
 create mode 100644 kas/qemux86-64-tpm.yml
 create mode 100644 kas/qemux86-64-tpm2.yml
 create mode 100644 kas/qemux86-64.yml
 create mode 100644 kas/qemux86-ima.yml
 create mode 100644 kas/qemux86-musl.yml
 create mode 100644 kas/qemux86-test.yml
 create mode 100644 kas/qemux86.yml
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
 create mode 100644 recipes-core/initrdscripts/initramfs-framework/dmverity
 create mode 100644 recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
 create mode 100644 recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
 create mode 100644 recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch
 create mode 100644 recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
 create mode 100644 wic/systemd-bootdisk-dmverity.wks.in

-- 
2.17.1


^ permalink raw reply	[flat|nested] 33+ messages in thread

* [dunfell 01/32] gitlab-ci: add support for dunfell
  2020-10-17 18:02 [dunfell 00/32] Patch review akuster
@ 2020-10-17 18:02 ` akuster
  2020-10-17 18:02 ` [dunfell 02/32] packagegroup-core-security-ptest: update fail2ban ptest pkg name akuster
                   ` (30 subsequent siblings)
  31 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2020-10-17 18:02 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .gitlab-ci.yml               | 144 +++++++++++++++++++++++++++++++++++
 kas/kas-security-alt.yml     |   8 ++
 kas/kas-security-base.yml    |  64 ++++++++++++++++
 kas/kas-security-dm.yml      |  13 ++++
 kas/qemuarm.yml              |   6 ++
 kas/qemuarm64-alt.yml        |   6 ++
 kas/qemuarm64-ima.yml        |  10 +++
 kas/qemuarm64-multi.yml      |  12 +++
 kas/qemuarm64-musl.yml       |  10 +++
 kas/qemuarm64-tpm2.yml       |  10 +++
 kas/qemuarm64.yml            |   6 ++
 kas/qemumips64-alt.yml       |  10 +++
 kas/qemumips64-multi.yml     |  14 ++++
 kas/qemumips64.yml           |   6 ++
 kas/qemuppc.yml              |   6 ++
 kas/qemuriscv64.yml          |   6 ++
 kas/qemux86-64-alt.yml       |   6 ++
 kas/qemux86-64-dm-verify.yml |   6 ++
 kas/qemux86-64-ima.yml       |  10 +++
 kas/qemux86-64-multi.yml     |  12 +++
 kas/qemux86-64-tpm.yml       |  10 +++
 kas/qemux86-64-tpm2.yml      |  10 +++
 kas/qemux86-64.yml           |   6 ++
 kas/qemux86-ima.yml          |  10 +++
 kas/qemux86-musl.yml         |  10 +++
 kas/qemux86-test.yml         |  11 +++
 kas/qemux86.yml              |   6 ++
 27 files changed, 428 insertions(+)
 create mode 100644 .gitlab-ci.yml
 create mode 100644 kas/kas-security-alt.yml
 create mode 100644 kas/kas-security-base.yml
 create mode 100644 kas/kas-security-dm.yml
 create mode 100644 kas/qemuarm.yml
 create mode 100644 kas/qemuarm64-alt.yml
 create mode 100644 kas/qemuarm64-ima.yml
 create mode 100644 kas/qemuarm64-multi.yml
 create mode 100644 kas/qemuarm64-musl.yml
 create mode 100644 kas/qemuarm64-tpm2.yml
 create mode 100644 kas/qemuarm64.yml
 create mode 100644 kas/qemumips64-alt.yml
 create mode 100644 kas/qemumips64-multi.yml
 create mode 100644 kas/qemumips64.yml
 create mode 100644 kas/qemuppc.yml
 create mode 100644 kas/qemuriscv64.yml
 create mode 100644 kas/qemux86-64-alt.yml
 create mode 100644 kas/qemux86-64-dm-verify.yml
 create mode 100644 kas/qemux86-64-ima.yml
 create mode 100644 kas/qemux86-64-multi.yml
 create mode 100644 kas/qemux86-64-tpm.yml
 create mode 100644 kas/qemux86-64-tpm2.yml
 create mode 100644 kas/qemux86-64.yml
 create mode 100644 kas/qemux86-ima.yml
 create mode 100644 kas/qemux86-musl.yml
 create mode 100644 kas/qemux86-test.yml
 create mode 100644 kas/qemux86.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..50bfe4f
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,144 @@
+stages:
+  - build
+
+.build:
+  stage: build
+  image: crops/poky
+  before_script:
+    - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
+    - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
+    - export PATH=~/.local/bin:$PATH
+    - wget https://bootstrap.pypa.io/get-pip.py
+    - python3 get-pip.py
+    - python3 -m pip install kas
+  after_script:
+    - cd $CI_PROJECT_DIR/poky
+    - . ./oe-init-build-env $CI_PROJECT_DIR/build
+    - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
+    - send-error-report -y tmp/log/error-report/$x
+    - done
+    - cd $CI_PROJECT_DIR
+    - rm -rf build
+    - $CI_PROJECT_DIR/scripts/ci-cleanup.sh
+  cache:
+    paths:
+      - layers
+
+qemux86:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemux86-64:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuarm:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuarm64:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuppc:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemumips64:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuriscv64:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemux86-64-tpm:
+  extends: .build
+  script:
+  - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml 
+
+qemux86-64-tpm2:
+  extends: .build
+  script:
+  - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml 
+
+qemuarm64-tpm2:
+  extends: .build
+  script:
+  - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml 
+
+qemux86-ima:
+  extends: .build
+  script:
+  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml 
+
+qemux86-64-ima:
+  extends: .build
+  script:
+  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml 
+
+qemuarm64-ima:
+  extends: .build
+  script:
+  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml 
+
+qemux86-64-dm-verify:
+  extends: .build
+  script:
+  - kas build --target core-image-minimal kas/qemux86-64.yml 
+  - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME.yml 
+
+
+qemuarm64-alt:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuarm64-multi:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemumips64-alt:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemumips64-multi:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemux86-64-alt:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemux86-64-multi:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemux86-musl:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuarm64-musl:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemux86-test:
+  extends: .build
+  allow_failure: true
+  script:
+  - kas build --target security-test-image kas/$CI_JOB_NAME.yml 
+  - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 
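Review bot: the `before_script` of `.build` fetches `get-pip.py` with `wget` and runs it with `python3`, then installs kas with `python3 -m pip install kas` and no version pin, so every job executes whatever those two remote sources serve at run time; pin kas to a known release and check the downloaded bootstrap script against an expected checksum before executing it. Two smaller points: the `for x in \`ls ...\`; do` / `send-error-report -y ...` / `done` loop is spread over three `after_script` list items and only works because GitLab joins the items into one shell script, so a single item (ideally iterating a glob rather than parsing `ls`) reads more clearly; and every `kas build ... kas/$CI_JOB_NAME.yml ` line ends in trailing whitespace, while the `qemux86-64-dm-verify` job name does not match the `dm-verity` image and class it builds.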
diff --git a/kas/kas-security-alt.yml b/kas/kas-security-alt.yml
new file mode 100644
index 0000000..309acaa
--- /dev/null
+++ b/kas/kas-security-alt.yml
@@ -0,0 +1,8 @@
+header:
+    version: 9
+    includes: 
+        - kas-security-base.yml
+
+local_conf_header:
+  alt: |
+      DISTRO_FEATURES_append = " apparmor pam smack systemd"
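Review bot: `header.version` is 9 here but 8 in kas-security-base.yml and in every machine file of this patch; the file also uses 4-space indentation where the others use 2, and `includes: ` carries a trailing space. Settle on one header version and one indentation style for the kas directory so the files can be diffed against each other.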
diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
new file mode 100644
index 0000000..c9ca76f
--- /dev/null
+++ b/kas/kas-security-base.yml
@@ -0,0 +1,64 @@
+header:
+  version: 8
+
+distro: poky
+
+repos:
+  meta-security:
+    layers:
+      ../meta-security:
+      meta-tpm:
+      meta-integrity:
+      meta-security-compliance:
+
+  poky:
+    url: https://git.yoctoproject.org/git/poky
+    refspec: dunfell 
+    layers:
+      meta:
+      meta-poky:
+      meta-yocto-bsp:
+
+  meta-openembedded:
+    url: http://git.openembedded.org/meta-openembedded
+    refspec: dunfell
+    layers:
+      meta-oe:
+      meta-perl:
+      meta-python:
+      meta-networking:
+
+local_conf_header:
+  base: |
+    CONF_VERSION = "1"
+    SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
+    SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
+    SSTATE_DIR = "/home/srv/sstate/dunfell"
+    DL_DIR = "/home/srv/downloads/dunfell"
+    BB_HASHSERVE = "auto"
+    BB_SIGNATURE_HANDLER = "OEEquivHash"
+    INHERIT += "buildstats buildstats-summary buildhistory"
+    INHERIT += "report-error"
+    INHERIT += "testimage"
+    TEST_QEMUBOOT_TIMEOUT = "1500"
+    EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
+    PACKAGE_CLASSES = "package_ipk"
+
+
+  diskmon: |
+    BB_DISKMON_DIRS = "\
+    STOPTASKS,${TMPDIR},1G,100K \
+    STOPTASKS,${DL_DIR},1G,100K \
+    STOPTASKS,${SSTATE_DIR},1G,100K \
+    STOPTASKS,/tmp,100M,100K \
+    ABORT,${TMPDIR},100M,1K \
+    ABORT,${DL_DIR},100M,1K \
+    ABORT,${SSTATE_DIR},100M,1K \
+    ABORT,/tmp,10M,1K"
+
+bblayers_conf_header:
+  base: |
+    POKY_BBLAYERS_CONF_VERSION = "2"
+    BBPATH = "${TOPDIR}"
+    BBFILES ?= ""
+
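Review bot: `EXTRA_IMAGE_FEATURES ?= "debug-tweaks"` is inherited by every image these kas files build, including the tpm, ima and dm-verity images, which gives them an empty root password and the other development conveniences; that is acceptable for throwaway CI images, but a comment saying so would stop anyone from reusing this base file for a shipping configuration. Also: `SOURCE_MIRROR_URL`, `SSTATE_MIRRORS` and the meta-openembedded `url` are plain http:// (source fetches are still covered by SRC_URI checksums, sstate archives are not verified unless sstate signing is configured), `SSTATE_DIR` and `DL_DIR` are hard-coded to `/home/srv/...` paths specific to one runner, and `refspec: dunfell ` has trailing whitespace.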
diff --git a/kas/kas-security-dm.yml b/kas/kas-security-dm.yml
new file mode 100644
index 0000000..7ce0e9d
--- /dev/null
+++ b/kas/kas-security-dm.yml
@@ -0,0 +1,13 @@
+header:
+    version: 9
+    includes: 
+        - kas-security-base.yml
+
+local_conf_header:
+    dm-verify: |
+        DM_VERITY_IMAGE = "core-image-minimal"
+        DM_VERITY_IMAGE_TYPE = "ext4"
+        IMAGE_CLASSES += "dm-verity-img"
+        INITRAMFS_IMAGE_BUNDLE = "1"
+        INITRAMFS_IMAGE = "dm-verity-image-initramfs"
+
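Review bot: the `local_conf_header` key is named `dm-verify` (as is the `qemux86-64-dm-verify` job and kas file) while the image, class and variables are all `dm-verity`; renaming the key, the job and the file to dm-verity avoids two spellings of the same feature. As in kas-security-alt.yml, `header.version` is 9 here versus 8 elsewhere, the indentation is 4 spaces, and `includes: ` has a trailing space.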
diff --git a/kas/qemuarm.yml b/kas/qemuarm.yml
new file mode 100644
index 0000000..f51abac
--- /dev/null
+++ b/kas/qemuarm.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+machine: qemuarm
diff --git a/kas/qemuarm64-alt.yml b/kas/qemuarm64-alt.yml
new file mode 100644
index 0000000..48e688c
--- /dev/null
+++ b/kas/qemuarm64-alt.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-alt.yml
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-ima.yml b/kas/qemuarm64-ima.yml
new file mode 100644
index 0000000..b478472
--- /dev/null
+++ b/kas/qemuarm64-ima.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-security: |
+    DISTRO_FEATURES_append = " ima"
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-multi.yml b/kas/qemuarm64-multi.yml
new file mode 100644
index 0000000..d79142c
--- /dev/null
+++ b/kas/qemuarm64-multi.yml
@@ -0,0 +1,12 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  multi: |
+    require conf/multilib.conf
+    MULTILIBS = "multilib:lib32"
+    DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon"
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-musl.yml b/kas/qemuarm64-musl.yml
new file mode 100644
index 0000000..b353eb4
--- /dev/null
+++ b/kas/qemuarm64-musl.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+    musl: |
+        TCLIBC = "musl"
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-tpm2.yml b/kas/qemuarm64-tpm2.yml
new file mode 100644
index 0000000..3a8d8fc
--- /dev/null
+++ b/kas/qemuarm64-tpm2.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-security: |
+    DISTRO_FEATURES_append = " tpm2"
+
+machine: qemuarm64 
diff --git a/kas/qemuarm64.yml b/kas/qemuarm64.yml
new file mode 100644
index 0000000..a0c2d1a
--- /dev/null
+++ b/kas/qemuarm64.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+machine: qemuarm64
diff --git a/kas/qemumips64-alt.yml b/kas/qemumips64-alt.yml
new file mode 100644
index 0000000..923c213
--- /dev/null
+++ b/kas/qemumips64-alt.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  alt: |
+     DISTRO_FEATURES_append = " pam systmed"
+
+machine: qemumips64
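Review bot: `DISTRO_FEATURES_append = " pam systmed"` misspells `systemd`; DISTRO_FEATURES is a free-form list, so bitbake accepts the unknown feature silently and this job builds with the default init system instead of systemd, which defeats the purpose of the alt configuration. Change the line to `DISTRO_FEATURES_append = " pam systemd"`.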
diff --git a/kas/qemumips64-multi.yml b/kas/qemumips64-multi.yml
new file mode 100644
index 0000000..c8cf94b
--- /dev/null
+++ b/kas/qemumips64-multi.yml
@@ -0,0 +1,14 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  multi: |
+    require conf/multilib.conf
+    MULTILIBS = "multilib:lib64 multilib:lib32"
+    DEFAULTTUNE = "mips64-n32"
+    DEFAULTTUNE_virtclass-multilib-lib64 = "mips64"
+    DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2"
+
+machine: qemumips64
diff --git a/kas/qemumips64.yml b/kas/qemumips64.yml
new file mode 100644
index 0000000..64e52f7
--- /dev/null
+++ b/kas/qemumips64.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+machine: qemumips64
diff --git a/kas/qemuppc.yml b/kas/qemuppc.yml
new file mode 100644
index 0000000..3dad81c
--- /dev/null
+++ b/kas/qemuppc.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+machine: qemuppc
diff --git a/kas/qemuriscv64.yml b/kas/qemuriscv64.yml
new file mode 100644
index 0000000..e1b1e49
--- /dev/null
+++ b/kas/qemuriscv64.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+machine: qemuriscv64
diff --git a/kas/qemux86-64-alt.yml b/kas/qemux86-64-alt.yml
new file mode 100644
index 0000000..f0d6b27
--- /dev/null
+++ b/kas/qemux86-64-alt.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-alt.yml
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-dm-verify.yml b/kas/qemux86-64-dm-verify.yml
new file mode 100644
index 0000000..1f26008
--- /dev/null
+++ b/kas/qemux86-64-dm-verify.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-dm.yml
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-ima.yml b/kas/qemux86-64-ima.yml
new file mode 100644
index 0000000..e64931c
--- /dev/null
+++ b/kas/qemux86-64-ima.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-security: |
+    DISTRO_FEATURES_append = " ima"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-multi.yml b/kas/qemux86-64-multi.yml
new file mode 100644
index 0000000..711ce28
--- /dev/null
+++ b/kas/qemux86-64-multi.yml
@@ -0,0 +1,12 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  multi: |
+    require conf/multilib.conf
+    MULTILIBS = "multilib:lib32"
+    DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-tpm.yml b/kas/qemux86-64-tpm.yml
new file mode 100644
index 0000000..565b423
--- /dev/null
+++ b/kas/qemux86-64-tpm.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-security: |
+    DISTRO_FEATURES_append = " tpm"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-tpm2.yml b/kas/qemux86-64-tpm2.yml
new file mode 100644
index 0000000..a43693e
--- /dev/null
+++ b/kas/qemux86-64-tpm2.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-security: |
+    DISTRO_FEATURES_append = " tpm2"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64.yml b/kas/qemux86-64.yml
new file mode 100644
index 0000000..4ba2b66
--- /dev/null
+++ b/kas/qemux86-64.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+machine: qemux86-64
diff --git a/kas/qemux86-ima.yml b/kas/qemux86-ima.yml
new file mode 100644
index 0000000..6528ba6
--- /dev/null
+++ b/kas/qemux86-ima.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-security: |
+    DISTRO_FEATURES_append = " ima"
+
+machine: qemux86
diff --git a/kas/qemux86-musl.yml b/kas/qemux86-musl.yml
new file mode 100644
index 0000000..61d9572
--- /dev/null
+++ b/kas/qemux86-musl.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+    musl: |
+        TCLIBC = "musl"
+
+machine: qemux86
diff --git a/kas/qemux86-test.yml b/kas/qemux86-test.yml
new file mode 100644
index 0000000..7b5f451
--- /dev/null
+++ b/kas/qemux86-test.yml
@@ -0,0 +1,11 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+
+local_conf_header:
+  meta-security: |
+      DISTRO_FEATURES_append = " apparmor smack pam"
+
+machine: qemux86
diff --git a/kas/qemux86.yml b/kas/qemux86.yml
new file mode 100644
index 0000000..83a5353
--- /dev/null
+++ b/kas/qemux86.yml
@@ -0,0 +1,6 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+machine: qemux86
-- 
2.17.1



* [dunfell 02/32] packagegroup-core-security-ptest: update fail2ban ptest pkg name
  2020-10-17 18:02 [dunfell 00/32] Patch review akuster
  2020-10-17 18:02 ` [dunfell 01/32] gitlab-ci: add support for dunfell akuster
@ 2020-10-17 18:02 ` akuster
  2020-10-17 18:03 ` [dunfell 03/32] packagegroup-core-security: remove clamav for riscv* akuster
                   ` (29 subsequent siblings)
  31 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2020-10-17 18:02 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a2a102b2de68f31df5a3b46665c8afb2d28c0219)
---
 .../packagegroup/packagegroup-core-security-ptest.bb            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
index 83a9ed8..cf34ded 100644
--- a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
@@ -22,7 +22,7 @@ RDEPENDS_${PN} = " \
     python3-scapy-ptest \
     suricata-ptest \
     tripwire-ptest \
-    python-fail2ban-ptest \
+    python3-fail2ban-ptest \
     ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
     "
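Review bot: the commit body should name the fail2ban recipe update that renamed the ptest package to `python3-fail2ban-ptest`, because the dunfell branch must actually carry that recipe version for this RDEPENDS entry to resolve; otherwise the packagegroup fails at rootfs time with a missing runtime dependency. A one-line reference to the providing recipe in the message makes the backport verifiable.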
-- 
2.17.1



* [dunfell 03/32] packagegroup-core-security: remove clamav for riscv*
  2020-10-17 18:02 [dunfell 00/32] Patch review akuster
  2020-10-17 18:02 ` [dunfell 01/32] gitlab-ci: add support for dunfell akuster
  2020-10-17 18:02 ` [dunfell 02/32] packagegroup-core-security-ptest: update fail2ban ptest pkg name akuster
@ 2020-10-17 18:03 ` akuster
  2020-10-17 18:03 ` [dunfell 04/32] libsecomp: rv32/rv64 target builds are not supported yet akuster
                   ` (28 subsequent siblings)
  31 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 98ff502d4096331e2b8a8e4044860b23bf6f8ea5)
---
 recipes-security/packagegroup/packagegroup-core-security.bb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index e0a9d05..bb790b4 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -37,9 +37,7 @@ SUMMARY_packagegroup-security-scanners = "Security scanners"
 RDEPENDS_packagegroup-security-scanners = "\
     nikto \
     checksecurity \
-    clamav \
-    clamav-freshclam \
-    clamav-cvd \
+    ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
     "
 
 SUMMARY_packagegroup-security-audit = "Security Audit tools "
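Review bot: the `contains_any("TUNE_FEATURES", "riscv32 riscv64", ...)` guard only hides clamav from this packagegroup; anyone adding clamav directly to an image still hits the riscv build failure. Patch 04 of this series handles libseccomp with `COMPATIBLE_HOST_riscv64 = "null"` in the recipe itself, and the same recipe-side marker for clamav would report an unsupported host clearly wherever the recipe is pulled in. The commit message should also record what fails on riscv so the restriction can be lifted later.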
-- 
2.17.1



* [dunfell 04/32] libsecomp: rv32/rv64 target builds are not supported yet
  2020-10-17 18:02 [dunfell 00/32] Patch review akuster
                   ` (2 preceding siblings ...)
  2020-10-17 18:03 ` [dunfell 03/32] packagegroup-core-security: remove clamav for riscv* akuster
@ 2020-10-17 18:03 ` akuster
  2020-10-17 18:03 ` [dunfell 05/32] packagegroup-core-security: remove libseccomp for riscv* akuster
                   ` (27 subsequent siblings)
  31 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b5a5cbe1f511468af0b0673f88c83c3dd1c77da3)
---
 recipes-security/libseccomp/libseccomp_2.4.3.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-security/libseccomp/libseccomp_2.4.3.bb b/recipes-security/libseccomp/libseccomp_2.4.3.bb
index 9ca41e6..37d3573 100644
--- a/recipes-security/libseccomp/libseccomp_2.4.3.bb
+++ b/recipes-security/libseccomp/libseccomp_2.4.3.bb
@@ -10,6 +10,9 @@ SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
            file://run-ptest \
 "
 
+COMPATIBLE_HOST_riscv64 = "null"
+COMPATIBLE_HOST_riscv32 = "null"
+
 S = "${WORKDIR}/git"
 
 inherit autotools-brokensep pkgconfig ptest
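Review bot: the subject line misspells the recipe name as `libsecomp`, and the commit has no body, so the reason rv32/rv64 are unsupported (an upstream limitation of this release, or a build failure seen here) is not recorded. `COMPATIBLE_HOST_riscv64 = "null"` / `COMPATIBLE_HOST_riscv32 = "null"` is the right mechanism; a one-line comment above them pointing at the upstream issue or the observed error would help whoever removes the restriction later.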
-- 
2.17.1



* [dunfell 05/32] packagegroup-core-security: remove libseccomp for riscv*
  2020-10-17 18:02 [dunfell 00/32] Patch review akuster
                   ` (3 preceding siblings ...)
  2020-10-17 18:03 ` [dunfell 04/32] libsecomp: rv32/rv64 target builds are not supported yet akuster
@ 2020-10-17 18:03 ` akuster
  2020-10-17 18:03 ` [dunfell 06/32] sssd: disable build secrets akuster
                   ` (26 subsequent siblings)
  31 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 29f47b44852122c5618e30037710dde009146eb5)
---
 recipes-security/packagegroup/packagegroup-core-security.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index bb790b4..539ea2a 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -28,7 +28,7 @@ RDEPENDS_packagegroup-security-utils = "\
     python3-scapy \
     ding-libs \
     keyutils \
-    libseccomp \
+    ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " libseccomp",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
     "
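Review bot: the riscv exclusion list `"riscv32 riscv64"` is now duplicated between this `contains_any` and the clamav one in the scanners packagegroup from patch 03; a single variable in the packagegroup holding the excluded tunes would keep the two conditions from drifting apart. Ordering also matters for bisecting: patch 04 marks libseccomp as incompatible on riscv, so between that patch and this one the packagegroup RDEPENDS on a recipe that cannot be built on riscv.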
-- 
2.17.1



* [dunfell 06/32] sssd: disable build secrets
  2020-10-17 18:02 [dunfell 00/32] Patch review akuster
                   ` (4 preceding siblings ...)
  2020-10-17 18:03 ` [dunfell 05/32] packagegroup-core-security: remove libseccomp for riscv* akuster
@ 2020-10-17 18:03 ` akuster
  2020-10-17 18:03 ` [dunfell 07/32] sssd: Make manpages buildable akuster
                   ` (25 subsequent siblings)
  31 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: Kai Kang <kai.kang@windriver.com>

It requires http_parser.h to build secrets:

| configure: error:
| You must have the header file http_parser.h installed to build sssd
| with secrets responder. If you want to build sssd without secret responder
| then specify --without-secrets when running configure.

The header file is from package http-parser[1] rather than apache2. But
there is no recipe http-parser in openembedded. So disable build secrets
for sssd and remove related systemd service and socket files.

Reference:
1. https://github.com/nodejs/http-parser

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 7831969f8caa399d88d49833800fafe7324b8a59)
---
 recipes-security/sssd/sssd_1.16.4.bb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.4.bb
index 7ea1586..2c3c803 100644
--- a/recipes-security/sssd/sssd_1.16.4.bb
+++ b/recipes-security/sssd/sssd_1.16.4.bb
@@ -39,8 +39,7 @@ PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd',
 
 PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
 PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
 PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
 PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
 PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
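Review bot: deleting the `PACKAGECONFIG[http]` entry means any existing bbappend or local.conf that enables `http` for sssd will now fail recipe parsing with an invalid PACKAGECONFIG error; that is acceptable for a feature that can no longer be built, but it belongs in the commit message. The surviving `PACKAGECONFIG[curl]` now only toggles the KCM responder while keeping the `curl` name and the `curl jansson` dependencies, so a short comment above it saying that the secrets responder is disabled unconditionally via EXTRA_OECONF would spare the next reader a search.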
@@ -60,6 +59,7 @@ EXTRA_OECONF += " \
     --without-python2-bindings \
     --enable-pammoddir=${base_libdir}/security \
     --without-python2-bindings \
+    --without-secrets \
 "
 
 do_configure_prepend() {
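Review bot: while adding `--without-secrets` to this block, the context shows `--without-python2-bindings` listed twice (once above `--enable-pammoddir`, once below it); the duplicate could be dropped in the same change, since repeating a configure flag is harmless but makes the list harder to audit.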
@@ -85,6 +85,7 @@ do_install () {
     # Remove /var/run as it is created on startup
     rm -rf ${D}${localstatedir}/run
 
+    rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
 }
 
 pkg_postinst_ontarget_${PN} () {
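Review bot: the new `rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*` runs regardless of whether systemd is in DISTRO_FEATURES; `-f` makes that harmless when the directory is absent, but the line carries no comment explaining why unit files for a responder that was just disabled at configure time still have to be removed by hand. A one-line comment stating that these units are still installed despite `--without-secrets` would tie this hunk to the SYSTEMD_SERVICE change below it.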
@@ -109,8 +110,6 @@ SYSTEMD_SERVICE_${PN} = " \
     sssd-pam-priv.socket \
     sssd-pam.service \
     sssd-pam.socket \
-    sssd-secrets.service \
-    sssd-secrets.socket \
     sssd.service \
 "
 SYSTEMD_AUTO_ENABLE = "disable"
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 33+ messages in thread

* [dunfell 07/32] sssd: Make manpages buildable
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: Jonatan Pålsson <jonatan.p@gmail.com>

Some XML related fixes are needed to make the sssd manpages buildable

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5efa53b2b2bab6f2d8589624c1700d1e66f29683)
---
 ...AC_CHECK_FILE-when-building-manpages.patch | 34 +++++++++++++++++++
 recipes-security/sssd/sssd_1.16.4.bb          |  4 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch

diff --git a/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
new file mode 100644
index 0000000..b64670c
--- /dev/null
+++ b/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
@@ -0,0 +1,34 @@
+From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= <jonatan.p@gmail.com>
+Date: Fri, 21 Aug 2020 14:45:10 +0200
+Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AC_CHECK_FILE does not support cross-compilation, and will only check
+the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead,
+to allow building manpages when cross-compiling.
+
+Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289]
+Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
+---
+ src/external/docbook.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
+index deb8632fa..acdc89a68 100644
+--- a/src/external/docbook.m4
++++ b/src/external/docbook.m4
+@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and
+ dnl if a particular URI appears in the XML catalog
+ AC_DEFUN([CHECK_STYLESHEET],
+ [
+-  AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
++  AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])])
+ 
+   AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
+   if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
+-- 
+2.26.1
+
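Review bot: the replacement `AS_IF([test -f "$1"], ...)` checks the build host, which is the right place here because the XML catalog is consumed by `$XSLTPROC --catalogs` at build time (visible two lines below), so the patch is correct for cross builds; the description inside the patch could state that explicitly, since a reader might otherwise expect a cross-compilation fix to avoid host file checks altogether. The header tag is also conventionally spelled `Upstream-Status:` in OE layers, not `Upstream-status:`.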
diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.4.bb
index 2c3c803..916f1ac 100644
--- a/recipes-security/sssd/sssd_1.16.4.bb
+++ b/recipes-security/sssd/sssd_1.16.4.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
            file://sssd.conf \
            file://volatiles.99_sssd \
            file://fix-ldblibdir.patch \
+           file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
            "
 
 SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
@@ -41,7 +42,7 @@ PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
 PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
 PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
 PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
 PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
 PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
 PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
@@ -60,6 +61,7 @@ EXTRA_OECONF += " \
     --enable-pammoddir=${base_libdir}/security \
     --without-python2-bindings \
     --without-secrets \
+    --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
 "
 
 do_configure_prepend() {
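Review bot: `--with-xml-catalog-path=...` is added to EXTRA_OECONF unconditionally, while the native packages that populate that catalog are only pulled in when the `manpages` PACKAGECONFIG is enabled (previous hunk); it would be tidier to carry this flag in the enable half of `PACKAGECONFIG[manpages]` next to `--with-manpages`, so a build without manpages never points configure at a catalog path it has not staged.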
-- 
2.17.1



* [dunfell 08/32] dm-verity-img.bbclass: Fix bashisms
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Resort to printf in order to avoid usage of non-POSIX compliant echo
flags. This mitigates the following errors visible in the console during
boot-up with an image that has been built on a host that symlinks
'/bin/sh' to 'dash':

  /init: /usr/share/dm-verity.env: line 1: -NE_UUID: not found
  /init: /usr/share/dm-verity.env: line 2: -ne: not found
  /init: /usr/share/dm-verity.env: line 3: 642864e8-6a17-46b9-ba1e-9386a3909c8d: not found
  /init: /usr/share/dm-verity.env: line 4: -NE_HASH_TYPE: not found
  /init: /usr/share/dm-verity.env: line 5: -ne: not found
  /init: /usr/share/dm-verity.env: line 6: 1: not found
  /init: /usr/share/dm-verity.env: line 7: -NE_DATA_BLOCKS: not found
  /init: /usr/share/dm-verity.env: line 8: -ne: not found
  /init: /usr/share/dm-verity.env: line 9: 12064: not found
  /init: /usr/share/dm-verity.env: line 10: -NE_DATA_BLOCK_SIZE: not found
  /init: /usr/share/dm-verity.env: line 11: -ne: not found
  /init: /usr/share/dm-verity.env: line 12: 1024: not found
  /init: /usr/share/dm-verity.env: line 13: -NE_HASH_BLOCK_SIZE: not found
  /init: /usr/share/dm-verity.env: line 14: -ne: not found
  /init: /usr/share/dm-verity.env: line 15: 4096: not found
  /init: /usr/share/dm-verity.env: line 16: -NE_HASH_ALGORITHM: not found
  /init: /usr/share/dm-verity.env: line 17: -ne: not found
  /init: /usr/share/dm-verity.env: line 18: sha256: not found
  /init: /usr/share/dm-verity.env: line 19: -NE_SALT: not found
  /init: /usr/share/dm-verity.env: line 20: -ne: not found
  /init: /usr/share/dm-verity.env: line 21: 19d98185b42a897a37db6c56c7470ab2d455f0de46daa0df735eee6263816439: not found
  /init: /usr/share/dm-verity.env: line 22: -NE_ROOT_HASH: not found
  /init: /usr/share/dm-verity.env: line 23: -ne: not found
  /init: /usr/share/dm-verity.env: line 24: 298d75fc2ea27fe594b6a37158a6ae7538e77d918bab98c475934f625de0e4ab: not found

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit ad55aaca1be60f6c1b066782e7ee6f6f323ffbbf)
---
 classes/dm-verity-img.bbclass | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 1c0e29b..6faed5b 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -32,9 +32,9 @@ process_verity() {
     # just trim all white-spaces.
     IFS=":"
     while read KEY VAL; do
-        echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV
-        echo -ne "=" >> $ENV
-        echo "$VAL" | tr -d " \t" >> $ENV
+        printf '%s=%s\n' \
+            "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+            "$(echo "$VAL" | tr -d ' \t')" >> $ENV
     done
 
     # Add partition size
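Review bot: `printf '%s=%s\n'` fixes the `-ne` failure, but the two command substitutions still feed `$KEY` and `$VAL` through `echo`, which is the very portability problem this commit is removing; `printf '%s' "$KEY" | tr ...` (and likewise for `$VAL`) would make the loop echo-free, since dash's echo also interprets backslash escapes unconditionally. `>> $ENV` is unquoted in the original and stays so; quoting it costs nothing.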
-- 
2.17.1



* [dunfell 09/32] dm-verity-img.bbclass: Reorder parse-time check
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Relocate checking if DM_VERITY_IMAGE and DM_VERITY_IMAGE_TYPE are
defined as non-empty strings before DM_VERITY_IMAGE vs. PN
comparison is performed. By doing so we start seeing the following kind
of bitbake parse-time console warnings in case either DM_VERITY_IMAGE
or DM_VERITY_IMAGE_TYPE is not set, when 'dm-verity-img' is defined
in IMAGE_CLASSES:

  WARNING: .../meta/recipes-core/images/core-image-minimal.bb: dm-verity-img class inherited but not used
  WARNING: .../meta-openembedded/meta-oe/recipes-core/images/meta-oe-ptest-image.bb: dm-verity-img class inherited but not used

whereas before this change this warning was printed only once, when
image pointed by <DM_VERITY_IMAGE> was parsed (and recipe with that
name could be found in BBFILES mask scope), and DM_VERITY_IMAGE_TYPE
was not set.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit fd23d5256513cdf6641d8dd421a5c75a9b78b7d9)
---
 classes/dm-verity-img.bbclass | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 6faed5b..6ad0f75 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -68,13 +68,13 @@ python __anonymous() {
     image_fstypes = d.getVar('IMAGE_FSTYPES')
     pn = d.getVar('PN')
 
-    if verity_image != pn:
-        return # This doesn't concern this image
-
     if not verity_image or not verity_type:
         bb.warn('dm-verity-img class inherited but not used')
         return
 
+    if verity_image != pn:
+        return # This doesn't concern this image
+
     if len(verity_type.split()) is not 1:
         bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
 
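Review bot: the reorder itself is fine, but the context line `if len(verity_type.split()) is not 1:` compares an int with `is not`, which tests identity rather than equality and only works because CPython caches small integers (Python 3.8 and later emit a SyntaxWarning for it); since this check is being touched, `!= 1` is the correct comparison.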
-- 
2.17.1



* [dunfell 10/32] dm-verity-image-initramfs: Ensure verity hash sync
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

In order to ensure that the bundled initramfs always contains the most
recently generated DM_VERITY_IMAGE specific root filesystems' root hash,
we disable the timestamp for do_rootfs() task here, meaning that the
task will be re-executed whenever some task that depends on it executes.

Without this change, executing e.g. the following sequence

  $ bitbake <DM_VERITY_IMAGE>
  $ bitbake -c clean <DM_VERITY_IMAGE>
  $ bitbake <DM_VERITY_IMAGE>

results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like

  Mounting /dev/vda over dm-verity as the root filesystem
  [    8.729974] device-mapper: verity: sha256 using implementation sha256-generic
  [    8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read
  Verity device detected corruption after activation.
  [    8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read
  ...
  [    9.135707] EXT4-fs (dm-0): unable to read superblock
  [    9.142897] EXT4-fs (dm-0): unable to read superblock
  [    9.145393] EXT4-fs (dm-0): unable to read superblock
  [    9.147905] FAT-fs (dm-0): unable to read boot sector
  mount: /new_root: can't read superblock on /dev/mapper/rootfs.
  BusyBox v1.32.0 () multi-call binary.

  Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS]
  [    9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
  [    9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1
  [    9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
  ...
  [    9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4cf81a584773c9e946595ded9193723ebd6425e0)
---
 recipes-core/images/dm-verity-image-initramfs.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index f9ea376..60e9892 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -16,6 +16,9 @@ PACKAGE_INSTALL = " \
 # Can we somehow inspect reverse dependencies to avoid these variables?
 do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
 
+# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
+do_rootfs[nostamp] = "1"
+
 IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
 
 inherit core-image
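Review bot: `do_rootfs[nostamp] = "1"` forces a full rootfs rebuild of this initramfs on every bitbake invocation, which is a heavy workaround for one stale input; the underlying issue is that a rebuilt DM_VERITY_IMAGE produces a new root hash while the task signature of `${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}` is unchanged, so the dependent task is never invalidated. Declaring the generated verity.env as an input, for example through the task's `[file-checksums]` varflag, would invalidate the stamp only when the hash actually changes; at minimum the comment should say the rebuild cost is intentional.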
-- 
2.17.1



* [dunfell 11/32] dm-verity-image-initramfs: Bind at do_image instead
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Bind custom actions in this image recipe in do_image() rather than
do_rootfs(), which can help shave even dozens of seconds from the duration
of the 'bitbake <DM_VERITY_IMAGE>' command re-execution.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 03fdaf2f0464b28ab69114330a543b3c64c19a5d)
---
 recipes-core/images/dm-verity-image-initramfs.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index 60e9892..8dd8543 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -14,10 +14,10 @@ PACKAGE_INSTALL = " \
 "
 
 # Can we somehow inspect reverse dependencies to avoid these variables?
-do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
 
 # Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
-do_rootfs[nostamp] = "1"
+do_image[nostamp] = "1"
 
 IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
 
@@ -26,4 +26,4 @@ inherit core-image
 deploy_verity_hash() {
     install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env
 }
-ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;"
+IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"
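Review bot: moving `deploy_verity_hash` to IMAGE_PREPROCESS_COMMAND matches the `do_image[depends]` change above, but the destination in the context line, `${IMAGE_ROOTFS}/${datadir}/dm-verity.env`, joins the two with an extra `/` because `${datadir}` already starts with one; `${IMAGE_ROOTFS}${datadir}/dm-verity.env` is the usual form and could be fixed while the function is being moved.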
-- 
2.17.1



* [dunfell 12/32] linux-yocto(-dev): Add dm-verity fragment as needed
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 6f40921308be358ffce1a4e51a76672ad4168c21)
---
 recipes-kernel/linux/linux-yocto-dev.bbappend | 1 +
 recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 +
 2 files changed, 2 insertions(+)

diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend b/recipes-kernel/linux/linux-yocto-dev.bbappend
index 39d4e6f..fa536d0 100644
--- a/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ b/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -1,2 +1,3 @@
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend
index 39d4e6f..fa536d0 100644
--- a/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,2 +1,3 @@
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
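Review bot: the same three `KERNEL_FEATURES_append` lines now live in both `linux-yocto-dev.bbappend` and `linux-yocto_5.%.bbappend`, so every future fragment has to be added twice; a shared `.inc` required by both bbappends would keep them in sync. A comment is also warranted: keying the fragment on IMAGE_CLASSES makes the kernel configuration depend on an image-level setting, so toggling `dm-verity-img` in local.conf changes the kernel task signatures and triggers a kernel reconfigure.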
-- 
2.17.1



* [dunfell 13/32] dm-verity-img.bbclass: Stage verity.env file
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Introduce new STAGING_VERITY_DIR variable specific to this bbclass which
defines the directory where the verity.env file is stored during
<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> task and can
consecutively be picked up into associated initramfs rootfs (which
facilitates executing 'veritysetup' and related actions).

By doing this we mitigate failures that were thus far associated with this
facility, such as

  install: cannot stat '.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4.verity.env': No such file or directory

and

  install: cannot stat '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity.env': No such file or directory

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 170945ff9f8835ab7b0045b722c2a480b450ef90)
---
 classes/dm-verity-img.bbclass                    | 10 +++++++---
 recipes-core/images/dm-verity-image-initramfs.bb |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 6ad0f75..16d395b 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -18,12 +18,18 @@
 # The resulting image can then be used to implement the device mapper block
 # integrity checking on the target device.
 
+# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
+# is stored where it can be installed into associated initramfs rootfs.
+STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
+
 # Process the output from veritysetup and generate the corresponding .env
 # file. The output from veritysetup is not very machine-friendly so we need to
 # convert it to some better format. Let's drop the first line (doesn't contain
 # any useful info) and feed the rest to a script.
 process_verity() {
-    local ENV="$OUTPUT.env"
+    local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env"
+    install -d ${STAGING_VERITY_DIR}
+    rm -f $ENV
 
     # Each line contains a key and a value string delimited by ':'. Read the
     # two parts into separate variables and process them separately. For the
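Review bot: STAGING_VERITY_DIR defaults to a location under `${TMPDIR}/work-shared` that `process_verity` writes directly and that sstate does not capture; if `${DM_VERITY_IMAGE}:do_image_<type>` is later satisfied from the sstate cache instead of being re-executed, the `.verity.env` file is not regenerated and the initramfs `install` in the later hunk fails much like the deploy-dir lookup this change replaces. A comment next to the `?=` default documenting that limitation would help whoever hits it.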
@@ -39,8 +45,6 @@ process_verity() {
 
     # Add partition size
     echo "DATA_SIZE=$SIZE" >> $ENV
-
-    ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env
 }
 
 verity_setup() {
diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index 8dd8543..e791c19 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -24,6 +24,6 @@ IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
 inherit core-image
 
 deploy_verity_hash() {
-    install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env
+    install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/dm-verity.env
 }
 IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"
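Review bot: besides switching the source to STAGING_VERITY_DIR, this line quietly changes the destination from `${IMAGE_ROOTFS}/${datadir}` to `${IMAGE_ROOTFS}${datadir}` (dropping the doubled slash) and the file name from `${DM_VERITY_IMAGE}-${MACHINE}.` to `${DM_VERITY_IMAGE}.`; both are correct, but neither is mentioned in the commit message, which should list them so the rename is not mistaken for a typo.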
-- 
2.17.1



* [dunfell 14/32] initramfs-framework: Add dmverity module
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Add 'initramfs-module-dmverity' as an extension to poky upstream
provided initramfs-framework suite via a matchingly named bbappend file.

Together with pre-existing 'initramfs-module-udev' this module can be
used to facilitate dm-verity rootfs mounting from initramfs context
that is bundled with Linux kernel.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 489f7c900c365e4b3198cff2f2fd7c38623b77e8)
---
 .../initramfs-framework/dmverity              | 53 +++++++++++++++++++
 .../initramfs-framework_1.0.bbappend          | 16 ++++++
 2 files changed, 69 insertions(+)
 create mode 100644 recipes-core/initrdscripts/initramfs-framework/dmverity
 create mode 100644 recipes-core/initrdscripts/initramfs-framework_1.0.bbappend

diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework/dmverity
new file mode 100644
index 0000000..bb07aab
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+dmverity_enabled() {
+    return 0
+}
+
+dmverity_run() {
+    DATA_SIZE="__not_set__"
+    ROOT_HASH="__not_set__"
+
+    . /usr/share/misc/dm-verity.env
+
+    case "${bootparam_root}" in
+        ID=*)
+            RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+            ;;
+        LABEL=*)
+            RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+            ;;
+        PARTLABEL=*)
+            RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+            ;;
+        PARTUUID=*)
+            RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+            ;;
+        PATH=*)
+            RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+            ;;
+        UUID=*)
+            RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+            ;;
+        *)
+            RDEV="${bootparam_root}"
+    esac
+
+    if ! [ -b "${RDEV}" ]; then
+        echo "Root device resolution failed"
+        exit 1
+    fi
+
+    veritysetup \
+        --data-block-size=1024 \
+        --hash-offset=${DATA_SIZE} \
+        create rootfs \
+        ${RDEV} \
+        ${RDEV} \
+        ${ROOT_HASH}
+
+    mount \
+        -o ro \
+        /dev/mapper/rootfs \
+        ${ROOTFS_DIR} || exit 2
+}
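Review bot: `dmverity_run` initialises DATA_SIZE and ROOT_HASH to `__not_set__` but never checks them after sourcing the env file, so a missing or truncated `/usr/share/misc/dm-verity.env` reaches `veritysetup` with a literal `__not_set__` root hash; either `dmverity_enabled` should `return 1` when the env file is absent, or `dmverity_run` should fail early when either sentinel survives the `.`. Two more points: `--data-block-size=1024` is hardcoded even though the env file carries DATA_BLOCK_SIZE (see the dm-verity.env lines quoted in patch 08), so `--data-block-size=${DATA_BLOCK_SIZE}` keeps the script correct if the image class is built with a different block size; and the exit status of `veritysetup create` is not checked, so a root-hash mismatch surfaces only as the less specific `mount` failure with exit 2. Finally, `exit 1`/`exit 2` from a sourced initramfs-framework module terminates /init itself; the framework's `fatal` helper gives a diagnosable stop instead of a kernel panic.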
diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
new file mode 100644
index 0000000..dad9c96
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append = "\
+    file://dmverity \
+"
+
+do_install_append() {
+    # dm-verity
+    install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES_append = " initramfs-module-dmverity"
+
+SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS_initramfs-module-dmverity = "${PN}-base"
+FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
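Review bot: `RDEPENDS_initramfs-module-dmverity = "${PN}-base"` omits the package providing `veritysetup`, which the module calls; the image recipe happens to install `cryptsetup`, but the module package should declare that runtime dependency itself so an image that lists only `initramfs-module-dmverity` does not boot into a missing-binary failure. The `install` in `do_install_append` also omits `-m`, relying on install's default mode; `-m 0755` makes the intent explicit.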
-- 
2.17.1



* [dunfell 15/32] dm-verity-image-initramfs: Use initramfs-framework
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Switch from this layer's initramfs-dm-verity recipe to poky-provided
initramfs-framework suite to manage veritysetup et al.

This commit also removes initramfs-dm-verity recipe which is not
referred to from elsewhere in this meta layer.

Also update the install path of dm-verity.env from /usr/share to
/usr/share/misc in order to better comply with FHS3.0, see
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html#usrsharemiscMiscellaneousArchitecture

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 45e8b20cd022eb7b20d72c23db9fcc6824f08c7a)
---
 .../images/dm-verity-image-initramfs.bb       |  5 +-
 .../initrdscripts/initramfs-dm-verity.bb      | 13 ------
 .../initramfs-dm-verity/init-dm-verity.sh     | 46 -------------------
 3 files changed, 3 insertions(+), 61 deletions(-)
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh

diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index e791c19..6a1058d 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -4,7 +4,8 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity de
 IMAGE_FEATURES = ""
 
 PACKAGE_INSTALL = " \
-    initramfs-dm-verity \
+    initramfs-module-dmverity \
+    initramfs-module-udev \
     base-files \
     busybox \
     util-linux-mount \
@@ -24,6 +25,6 @@ IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
 inherit core-image
 
 deploy_verity_hash() {
-    install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/dm-verity.env
+    install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
 }
 IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"
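Review bot: the destination here is derived from `${datadir}/misc`, whereas the dmverity module added in patch 14 sources the literal path `/usr/share/misc/dm-verity.env`; the two agree only while datadir is `/usr/share`, so either the module should be generated from the same variable or a comment here should point at the hardcoded counterpart.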
diff --git a/recipes-core/initrdscripts/initramfs-dm-verity.bb b/recipes-core/initrdscripts/initramfs-dm-verity.bb
deleted file mode 100644
index b614956..0000000
--- a/recipes-core/initrdscripts/initramfs-dm-verity.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-SRC_URI = "file://init-dm-verity.sh"
-
-do_install() {
-    install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init
-    install -d ${D}/dev
-    mknod -m 622 ${D}/dev/console c 5 1
-}
-
-FILES_${PN} = "/init /dev/console"
diff --git a/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
deleted file mode 100644
index 307d2c7..0000000
--- a/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-RDEV=""
-ROOT_DIR="/new_root"
-
-mkdir -p /proc
-mkdir -p /sys
-mkdir -p /run
-mkdir -p /tmp
-mount -t proc proc /proc
-mount -t sysfs sysfs /sys
-mount -t devtmpfs none /dev
-
-udevd --daemon
-udevadm trigger --type=subsystems --action=add
-udevadm trigger --type=devices --action=add
-udevadm settle --timeout=10
-
-for PARAM in $(cat /proc/cmdline); do
-	case $PARAM in
-		root=*)
-			RDEV=${PARAM#root=}
-			;;
-	esac
-done
-
-if ! [ -b $RDEV ]; then
-	echo "Missing root command line argument!"
-	exit 1
-fi
-
-case $RDEV in
-	UUID=*)
-		RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=})
-		;;
-esac
-
-. /usr/share/dm-verity.env
-
-echo "Mounting $RDEV over dm-verity as the root filesystem"
-
-veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH
-mkdir -p $ROOT_DIR
-mount -o ro /dev/mapper/rootfs $ROOT_DIR
-exec switch_root $ROOT_DIR /sbin/init
-- 
2.17.1



* [dunfell 16/32] dm-verity-initramfs-image: Cosmetic improvements
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

- revise declaration ordering as suggested by oe-stylize.py
- sort PACKAGE_INSTALL entries in alphabetic order
- split long command line in deploy_verity_hash()

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 1d21cec5fda489f9ed7c1132b0abc18db3af6d41)
---
 .../images/dm-verity-image-initramfs.bb       | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index 6a1058d..0fdb46c 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -1,19 +1,21 @@
 DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
 
-# We want a clean, minimal image.
-IMAGE_FEATURES = ""
+inherit core-image
 
 PACKAGE_INSTALL = " \
-    initramfs-module-dmverity \
-    initramfs-module-udev \
     base-files \
     busybox \
-    util-linux-mount \
-    udev \
     cryptsetup \
+    initramfs-module-dmverity \
+    initramfs-module-udev \
     lvm2-udevrules \
+    udev \
+    util-linux-mount \
 "
 
+# We want a clean, minimal image.
+IMAGE_FEATURES = ""
+
 # Can we somehow inspect reverse dependencies to avoid these variables?
 do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
 
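Review bot: Moving `inherit core-image` above the `PACKAGE_INSTALL` and `IMAGE_FEATURES` assignments is only behaviour-neutral because both use hard `=` assignments, which override whatever default the class sets regardless of order; since the subject calls the change cosmetic, one line in the commit message saying so would save the next reviewer from re-checking.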
@@ -22,9 +24,9 @@ do_image[nostamp] = "1"
 
 IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
 
-inherit core-image
-
 deploy_verity_hash() {
-    install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
+    install -D -m 0644 \
+        ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
+        ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
 }
 IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"
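Review bot: `deploy_verity_hash` installs `dm-verity.env`, the file carrying the root hash that the initramfs hands to `veritysetup`, into the image with mode 0644. World-readable is fine, the root hash is not secret, but its integrity is the whole trust anchor: the protection is only as strong as the integrity protection of the bundled kernel and initramfs that contain it (for example a signed kernel image). That assumption deserves a sentence in the recipe's DESCRIPTION or a comment above this function.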
-- 
2.17.1



* [dunfell 17/32] dm-verity-image-initramfs: Add base-passwd package
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

This removes the following boot-time complaints from udevd regarding
missing group declarations:

  [    6.624454] udevd[163]: specified group 'tty' unknown
  [    6.625340] udevd[163]: specified group 'dialout' unknown
  [    6.625692] udevd[163]: specified group 'kmem' unknown
  [    6.626022] udevd[163]: specified group 'input' unknown
  [    6.626541] udevd[163]: specified group 'video' unknown
  [    6.626977] udevd[163]: specified group 'audio' unknown
  [    6.627532] udevd[163]: specified group 'lp' unknown
  [    6.628187] udevd[163]: specified group 'disk' unknown
  [    6.628558] udevd[163]: specified group 'cdrom' unknown

Size impact of this change on the resulting bundled zImage-initramfs
artifact is less than +1kB, which is negligible.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e88895e109929c3e97c29870275787e49faecdd4)
---
 recipes-core/images/dm-verity-image-initramfs.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index 0fdb46c..05ab10c 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -4,6 +4,7 @@ inherit core-image
 
 PACKAGE_INSTALL = " \
     base-files \
+    base-passwd \
     busybox \
     cryptsetup \
     initramfs-module-dmverity \
-- 
2.17.1



* [dunfell 18/32] dm-verity-image-initramfs: Drop locales from image
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Since IMAGE_LINGUAS defaults to 'en-us en-gb' and since localization is
not needed on this type of purpose-specific initramfs image, reset the
variable which helps by shaving off almost 700kB from resulting bundled
zImage-initramfs artifact.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5f196cf59dc41584750c20dcc2a8e2ed5067ab7e)
---
 recipes-core/images/dm-verity-image-initramfs.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index 05ab10c..187aeae 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -16,6 +16,7 @@ PACKAGE_INSTALL = " \
 
 # We want a clean, minimal image.
 IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
 
 # Can we somehow inspect reverse dependencies to avoid these variables?
 do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
-- 
2.17.1



* [dunfell 19/32] beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

From: "niko.mauno@vaisala.com" <niko.mauno@vaisala.com>

Since dm-verity-image.bbclass effectively injects

  <DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE>

dependency for the do_image_wic task, we can change the verity rootfs artifact
reference here from DEPLOY_DIR_IMAGE to IMGDEPLOYDIR in order to
mitigate the following breakage, which was observed when bitbaking the
<DM_VERITY_IMAGE> target from scratch (using sstate-cache provided
artifacts):

  | wic.filemap.Error: cannot open image file '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity': [Errno 2] No such file or directory: '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity'
  | WARNING: exit code 1 from a shell command.
  |
  ERROR: Task (.../meta/recipes-core/images/core-image-minimal.bb:do_image_wic) failed with exit code '1'

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4602d6420835a603fde6f3f25a87b19cbf721ed6)
---
 wic/beaglebone-yocto-verity.wks.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wic/beaglebone-yocto-verity.wks.in b/wic/beaglebone-yocto-verity.wks.in
index cd1702e..658018b 100644
--- a/wic/beaglebone-yocto-verity.wks.in
+++ b/wic/beaglebone-yocto-verity.wks.in
@@ -11,5 +11,5 @@
 # This .wks only works with the dm-verity-img class.
 
 part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
 bootloader --append="console=ttyS0,115200"
-- 
2.17.1



* [dunfell 20/32] packagegroup-core-security: dont include suricata on riscv or ppc
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit caf76696e8669ee48339c13f01042da9e52515ae)
---
 recipes-security/packagegroup/packagegroup-core-security.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 539ea2a..72ca0f4 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -55,7 +55,7 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
 RDEPENDS_packagegroup-security-ids = " \
     tripwire \
     samhain-standalone \
-    suricata \
+    ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \
     "
 
 SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
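Review bot: The subject says "riscv or ppc", but the `contains_any` list only names the `ppc7400` tune feature, so other PowerPC tunes still pull in suricata; either list the other ppc tune features the layer cares about or narrow the subject to ppc7400. A sentence on why suricata cannot be built for these targets would also help whoever does the next backport.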
-- 
2.17.1



* [dunfell 21/32] apparmor: exclude mips64, not supported
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit f176756890766bc9a6a00fe83bfe8e3c9bc13d07)
---
 recipes-mac/AppArmor/apparmor_2.13.4.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index 552cac7..dcdc1f7 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -30,6 +30,8 @@ S = "${WORKDIR}/git"
 
 PARALLEL_MAKE = ""
 
+COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+
 inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
 REQUIRED_DISTRO_FEATURES = "apparmor"
 
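Review bot: `COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"` reads like a negation, but Python regexes have no `!` operator; the `re.match` against MACHINE only fails because no machine name begins with a literal `!`. It does exclude mips64, but by accident of the pattern; a pattern that can never match (the `null` idiom used for COMPATIBLE_HOST elsewhere in OE) plus a one-line comment stating the intent would be clearer and would match the subject line.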
-- 
2.17.1



* [dunfell 22/32] initramfs-framework/dmverity: add retry loop for slow boot devices
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

From: Naveen Saini <naveen.kumar.saini@intel.com>

Detection of USB devices by the kernel is slow enough. We need to
keep trying for a while (default: 5 seconds, controlled by roottimeout=<seconds>)
and sleep between each attempt (default: one second, rootdelay=<seconds>).

Fix is based on https://git.yoctoproject.org/cgit.cgi/poky/commit/meta/recipes-core/initrdscripts/initramfs-framework/rootfs?id=ee6a6c3461694ce09789bf4d852cea2e22fc95e4

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e23767fc72040cc58e638b08925ab467221c91f9)
---
 .../initramfs-framework/dmverity              | 64 +++++++++++--------
 1 file changed, 37 insertions(+), 27 deletions(-)

diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework/dmverity
index bb07aab..888052c 100644
--- a/recipes-core/initrdscripts/initramfs-framework/dmverity
+++ b/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -10,33 +10,43 @@ dmverity_run() {
 
     . /usr/share/misc/dm-verity.env
 
-    case "${bootparam_root}" in
-        ID=*)
-            RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
-            ;;
-        LABEL=*)
-            RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
-            ;;
-        PARTLABEL=*)
-            RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
-            ;;
-        PARTUUID=*)
-            RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
-            ;;
-        PATH=*)
-            RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
-            ;;
-        UUID=*)
-            RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
-            ;;
-        *)
-            RDEV="${bootparam_root}"
-    esac
-
-    if ! [ -b "${RDEV}" ]; then
-        echo "Root device resolution failed"
-        exit 1
-    fi
+    C=0
+    delay=${bootparam_rootdelay:-1}
+    timeout=${bootparam_roottimeout:-5}
+    RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+    while [ ! -b "${RDEV}" ]; do
+        if [ $(( $C * $delay )) -gt $timeout ]; then
+            fatal "Root device resolution failed"
+            exit 1
+        fi
+
+        case "${bootparam_root}" in
+            ID=*)
+                RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+                ;;
+            LABEL=*)
+                RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+                ;;
+            PARTLABEL=*)
+                RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+                ;;
+            PARTUUID=*)
+                RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+                ;;
+            PATH=*)
+                RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+                ;;
+            UUID=*)
+                RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+                ;;
+            *)
+                RDEV="${bootparam_root}"
+        esac
+        debug "Sleeping for $delay second(s) to wait root to settle..."
+        sleep $delay
+        C=$(( $C + 1 ))
+
+    done
 
     veritysetup \
         --data-block-size=1024 \
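Review bot: The pre-loop assignment at the top of the hunk resolves `RDEV` through by-partuuid for every `root=` form, and the scheme-specific `case` block only runs inside the loop after the `-b` check, so a root given as a plain path, `UUID=`, `LABEL=` and so on that is already present still fails the first test and pays one `$delay` sleep on every boot. Suggest moving the `case` block into a helper that is called once before `while` and again at the end of each iteration, so the sleep only happens while the device is really missing. Minor: "wait root to settle" would read better as "waiting for root to settle".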
-- 
2.17.1
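As an added example (not code from the meta-security patch above), here is the same retry loop written so that the root= scheme is resolved before the first check, with the /dev/disk tree and the existence test overridable (the knobs DISK_BY and EXISTS_TEST are assumptions of this example, not part of the original module) so the loop can be exercised offline against a constructed directory:

```shell
#!/bin/sh
# Added example, not part of the meta-security patch: a root-device wait loop
# in the shape of the dmverity module's retry loop, with the root= scheme
# resolved before the first check so an already-present device costs no sleep.
# Assumed knobs (not in the original): DISK_BY points at the /dev/disk tree
# (overridable so the function can be run on a constructed directory) and
# EXISTS_TEST is the test primary used ("-b" for block devices; "-e" lets an
# offline test stand in plain files).

resolve_root() {
    # Map root=<SCHEME>=<value> to its /dev/disk/by-* path; plain device paths
    # pass through unchanged. Prints the candidate path, which may not exist yet.
    spec="$1"
    by="${DISK_BY:-/dev/disk}"
    case "$spec" in
        ID=*)        realpath "$by/by-id/${spec#ID=}" 2>/dev/null ;;
        LABEL=*)     realpath "$by/by-label/${spec#LABEL=}" 2>/dev/null ;;
        PARTLABEL=*) realpath "$by/by-partlabel/${spec#PARTLABEL=}" 2>/dev/null ;;
        PARTUUID=*)  realpath "$by/by-partuuid/${spec#PARTUUID=}" 2>/dev/null ;;
        PATH=*)      realpath "$by/by-path/${spec#PATH=}" 2>/dev/null ;;
        UUID=*)      realpath "$by/by-uuid/${spec#UUID=}" 2>/dev/null ;;
        *)           printf '%s\n' "$spec" ;;
    esac
    return 0
}

wait_for_root() {
    # $1: root= value, $2: seconds between attempts, $3: total seconds to wait.
    # Prints the resolved device and returns 0; returns 1 once the budget is spent.
    spec="$1"
    delay="${2:-1}"
    timeout="${3:-5}"
    op="${EXISTS_TEST:--b}"
    waited=0
    dev="$(resolve_root "$spec")"
    while ! test "$op" "$dev"; do
        if [ "$waited" -ge "$timeout" ]; then
            printf 'Root device %s did not appear within %ss\n' "$spec" "$timeout" >&2
            return 1
        fi
        printf 'Waiting %ss for %s to settle...\n' "$delay" "$spec" >&2
        sleep "$delay"
        waited=$((waited + delay))
        dev="$(resolve_root "$spec")"
    done
    printf '%s\n' "$dev"
    return 0
}
```

Called as `wait_for_root "$bootparam_root" "${bootparam_rootdelay:-1}" "${bootparam_roottimeout:-5}"`, the function prints the device to use with `veritysetup` or returns 1 so the caller can hand off to `fatal`; the budget is counted in slept seconds, so `rootdelay` larger than `roottimeout` still gives exactly one retry.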



* [dunfell 23/32] wic: add wks.in for intel dm-verity
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

From: Naveen Saini <naveen.kumar.saini@intel.com>

Based on systemd-bootdisk-microcode.wks.in, this adds
the dm-verity image similar to the beaglebone wks
already in meta-security.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 0de4f3bfb7fffe8d91026f00ce7f9384e13dfc54)
---
 wic/systemd-bootdisk-dmverity.wks.in | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 wic/systemd-bootdisk-dmverity.wks.in

diff --git a/wic/systemd-bootdisk-dmverity.wks.in b/wic/systemd-bootdisk-dmverity.wks.in
new file mode 100644
index 0000000..ef114ca
--- /dev/null
+++ b/wic/systemd-bootdisk-dmverity.wks.in
@@ -0,0 +1,15 @@
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+part / --source rawcopy --ondisk sda  --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
+
+bootloader --ptable gpt --timeout=5 --append=" "
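Review bot: The header comment says "Based on OE-core's systemd-bootdisk.wks" while the commit message names systemd-bootdisk-microcode.wks.in; align the two. The `initrd=microcode.cpio` sourceparam makes the image build depend on a deployed microcode cpio, and `--append=" "` leaves the kernel command line with nothing but what wic derives from `--use-uuid`, so the rootfs is found only through root=PARTUUID=; both assumptions deserve a comment line in the header, since this file is the only place they are visible.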
-- 
2.17.1



* [dunfell 24/32] linux-%/5.x: Add dm-verity fragment as needed
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

From: Naveen Saini <naveen.kumar.saini@intel.com>

Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit d9feafe991cdf4084746c41438526dbf0b5dc2c8)
---
 recipes-kernel/linux/linux-%_5.%.bbappend | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-%_5.%.bbappend b/recipes-kernel/linux/linux-%_5.%.bbappend
index 76b5df5..6bc40cd 100644
--- a/recipes-kernel/linux/linux-%_5.%.bbappend
+++ b/recipes-kernel/linux/linux-%_5.%.bbappend
@@ -1,4 +1,4 @@
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"
-
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
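Review bot: `KERNEL_FEATURES` is only acted on by kernel-yocto.bbclass, so this fragment reaches linux-yocto style kernels only; with another kernel recipe matched by `linux-%_5.%` the image still builds but the initramfs fails at `veritysetup` unless CONFIG_DM_VERITY is enabled some other way. A comment saying so, or a parse-time warning when `dm-verity-img` is in IMAGE_CLASSES and the kernel does not inherit kernel-yocto, would save a confusing boot failure. Nit: the commit message says "Add checks" but the hunk adds a single line.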
-- 
2.17.1



* [dunfell 25/32] apparmor: fix build issue with ptest enabled.
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

minor spacing cleanup

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 2a7963df18e7f43c6209387b6e1a1e75ff74b6ca)
---
 recipes-mac/AppArmor/apparmor_2.13.4.bb       | 181 +++++++++---------
 ...-Don-t-build-syscall_sysctl-if-missi.patch |  96 ++++++++++
 2 files changed, 186 insertions(+), 91 deletions(-)
 create mode 100644 recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index dcdc1f7..6ba1ea8 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -14,16 +14,17 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
 DEPENDS = "bison-native apr gettext-native coreutils-native"
 
 SRC_URI = " \
-	git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
-	file://disable_perl_h_check.patch \
-	file://crosscompile_perl_bindings.patch \
-	file://apparmor.rc \
-	file://functions \
-	file://apparmor \
-	file://apparmor.service \
-	file://0001-Makefile.am-suppress-perllocal.pod.patch \
-	file://run-ptest \
-	"
+    git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
+    file://disable_perl_h_check.patch \
+    file://crosscompile_perl_bindings.patch \
+    file://apparmor.rc \
+    file://functions \
+    file://apparmor \
+    file://apparmor.service \
+    file://0001-Makefile.am-suppress-perllocal.pod.patch \
+    file://run-ptest \
+    file://0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch \
+    "
 
 SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
 S = "${WORKDIR}/git"
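Review bot: The commit message ("minor spacing cleanup") does not describe this hunk, which adds a new backport patch to SRC_URI and, further down, changes `do_compile_ptest` and `do_install_ptest`. Please describe the ptest build failure actually being fixed, and ideally split the whitespace-only reindent into its own commit so the functional change is reviewable on its own.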
@@ -54,76 +55,76 @@ python() {
 DISABLE_STATIC = ""
 
 do_configure() {
-	cd ${S}/libraries/libapparmor
-	aclocal
-	autoconf --force
-	libtoolize --automake -c --force
-	automake -ac
-	./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+    cd ${S}/libraries/libapparmor
+    aclocal
+    autoconf --force
+    libtoolize --automake -c --force
+    automake -ac
+    ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
 }
 
 do_compile () {
-        # Fixes:
-        # | sed -ie 's///g' Makefile.perl
-        # | sed: -e expression #1, char 0: no previous regular expression
-        #| Makefile:478: recipe for target 'Makefile.perl' failed
-        sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
-
-
-	oe_runmake -C ${B}/libraries/libapparmor
-        oe_runmake -C ${B}/binutils
-        oe_runmake -C ${B}/utils
-        oe_runmake -C ${B}/parser
-        oe_runmake -C ${B}/profiles
-
-	if test -z "${HTTPD}" ; then
-        	oe_runmake -C ${B}/changehat/mod_apparmor
-	fi	
-
-	if test -z "${PAMLIB}" ; then
-        	oe_runmake -C ${B}/changehat/pam_apparmor
-	fi
+    # Fixes:
+    # | sed -ie 's///g' Makefile.perl
+    # | sed: -e expression #1, char 0: no previous regular expression
+    #| Makefile:478: recipe for target 'Makefile.perl' failed
+    sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
+    oe_runmake -C ${B}/libraries/libapparmor
+    oe_runmake -C ${B}/binutils
+    oe_runmake -C ${B}/utils
+    oe_runmake -C ${B}/parser
+    oe_runmake -C ${B}/profiles
+
+    if test -z "${HTTPD}" ; then
+        oe_runmake -C ${B}/changehat/mod_apparmor
+    fi
+
+    if test -z "${PAMLIB}" ; then
+        oe_runmake -C ${B}/changehat/pam_apparmor
+    fi
 }
 
 do_install () {
-	install -d ${D}/${INIT_D_DIR}
-	install -d ${D}/lib/apparmor
-	oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
-	oe_runmake -C ${B}/binutils DESTDIR="${D}" install
-	oe_runmake -C ${B}/utils DESTDIR="${D}" install
-	oe_runmake -C ${B}/parser DESTDIR="${D}" install
-	oe_runmake -C ${B}/profiles DESTDIR="${D}" install
-
-	# If perl is disabled this script won't be any good
-	if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
-		rm -f ${D}${sbindir}/aa-notify
-	fi
-
-	if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
-		rm -f ${D}${sbindir}/aa-decode
-	fi
-
-	if test -z "${HTTPD}" ; then
-		oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
-	fi
-
-	if test -z "${PAMLIB}" ; then
-		oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
-	fi
-
-	# aa-easyprof is installed by python-tools-setup.py, fix it up
-	sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
-	chmod 0755 ${D}${bindir}/aa-easyprof
-
-	install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
-	install ${WORKDIR}/functions ${D}/lib/apparmor
-	sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
-	sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions  
-
-	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-		install -d ${D}${systemd_system_unitdir}
-		install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
-	fi
+    install -d ${D}/${INIT_D_DIR}
+    install -d ${D}/lib/apparmor
+    oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+    oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+    oe_runmake -C ${B}/utils DESTDIR="${D}" install
+    oe_runmake -C ${B}/parser DESTDIR="${D}" install
+    oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+    # If perl is disabled this script won't be any good
+    if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+        rm -f ${D}${sbindir}/aa-notify
+    fi
+
+    if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+        rm -f ${D}${sbindir}/aa-decode
+    fi
+
+    if test -z "${HTTPD}" ; then
+        oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+    fi
+
+    if test -z "${PAMLIB}" ; then
+        oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+    fi
+
+    # aa-easyprof is installed by python-tools-setup.py, fix it up
+    sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+    chmod 0755 ${D}${bindir}/aa-easyprof
+
+    install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+    install ${WORKDIR}/functions ${D}/lib/apparmor
+    sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
+    sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions  
+
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_system_unitdir}
+        install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+    fi
 }
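Review bot: Whitespace-only reindent of do_configure, do_compile and do_install; no functional change. Nit: the `sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions` line keeps its trailing spaces through the reindent; drop them while the line is being touched.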
 
 #Building ptest on arm fails.
@@ -136,30 +137,28 @@ do_compile_ptest_arm () {
 }
 
 do_compile_ptest () {
-        oe_runmake -C ${B}/tests/regression/apparmor
-        oe_runmake -C ${B}/parser/tst
-        oe_runmake -C ${B}/libraries/libapparmor
+    sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
+    oe_runmake -C ${B}/tests/regression/apparmor
+    oe_runmake -C ${B}/libraries/libapparmor
 }
 
 do_install_ptest () {
-	t=${D}/${PTEST_PATH}/testsuite
-	install -d ${t}
-	install -d ${t}/tests/regression/apparmor
-	cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+    t=${D}/${PTEST_PATH}/testsuite
+    install -d ${t}
+    install -d ${t}/tests/regression/apparmor
+    cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
 
-	install -d ${t}/parser/tst
-	cp -rf ${B}/parser/tst ${t}/parser
-	cp ${B}/parser/apparmor_parser ${t}/parser
-	cp ${B}/parser/frob_slack_rc ${t}/parser
+    cp ${B}/parser/apparmor_parser ${t}/parser
+    cp ${B}/parser/frob_slack_rc ${t}/parser
 
-	install -d ${t}/libraries/libapparmor
-	cp -rf ${B}/libraries/libapparmor ${t}/libraries
+    install -d ${t}/libraries/libapparmor
+    cp -rf ${B}/libraries/libapparmor ${t}/libraries
 
-	install -d ${t}/common
-	cp -rf ${B}/common ${t}
+    install -d ${t}/common
+    cp -rf ${B}/common ${t}
 
-	install -d ${t}/binutils
-	cp -rf ${B}/binutils ${t}
+    install -d ${t}/binutils
+    cp -rf ${B}/binutils ${t}
 }
 
 #Building ptest on arm fails.
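Review bot: In do_install_ptest the hunk drops `install -d ${t}/parser/tst` and `cp -rf ${B}/parser/tst ${t}/parser` but keeps `cp ${B}/parser/apparmor_parser ${t}/parser` and `cp ${B}/parser/frob_slack_rc ${t}/parser`; with `${t}/parser` no longer created as a directory, the first cp produces a regular file named `parser` and the second overwrites it, so neither binary lands under a parser directory. Either restore `install -d ${t}/parser` or drop both cp lines together with the removed `oe_runmake -C ${B}/parser/tst`. Separately, the new sed turns `cpp -dM` into `${HOST_PREFIX}gcc -dM`: plain `gcc -dM` with no `-E` and no `-x c -` does not preprocess stdin, so the `USE_SYSCTL` probe in the Makefile will fail and syscall_sysctl.c is silently dropped from SRC. If the intent is to probe the target headers, something like `${CC} -E -dM -x c -` (which carries the sysroot flags) does that; if the intent is to disable the test, say so in the commit message.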
diff --git a/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch b/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
new file mode 100644
index 0000000..3cd1e88
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
@@ -0,0 +1,96 @@
+From 7a7c7fb346ded6f017c8df44486778a5f032d41a Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 29 Sep 2020 03:05:22 -0700
+Subject: [PATCH] regression tests: Don't build syscall_sysctl if missing
+ kernel headers
+
+sys/sysctl.h is not guaranteed to exist anymore since
+https://sourceware.org/pipermail/glibc-cvs/2020q2/069366.html
+
+which is a follow on to the kernel commit
+61a47c1ad3a4 sysctl: Remove the sysctl system call
+
+While the syscall_sysctl currently checks if the kernel supports
+sysctrs before running the tests. The tests can't even build if the
+kernel headers don't have the sysctl defines.
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/119
+Fixes: https://bugs.launchpad.net/apparmor/+bug/1897288
+MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/637
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Steve Beattie <steve.beattie@canonical.com>
+(cherry picked from commit 2e5a266eb715fc7e526520235a6450444775791f)
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ tests/regression/apparmor/Makefile          | 10 +++++++++-
+ tests/regression/apparmor/syscall_sysctl.sh | 15 +++++++++++----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
+index 198ca421..c3d0cfb7 100644
+--- a/tests/regression/apparmor/Makefile
++++ b/tests/regression/apparmor/Makefile
+@@ -69,6 +69,9 @@ endif # USE_SYSTEM
+ 
+ CFLAGS += -g -O0 -Wall -Wstrict-prototypes
+ 
++USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
++
++
+ SRC=access.c \
+     at_secure.c \
+     introspect.c \
+@@ -130,7 +133,6 @@ SRC=access.c \
+     syscall_sethostname.c \
+     syscall_setdomainname.c \
+     syscall_setscheduler.c \
+-    syscall_sysctl.c \
+     sysctl_proc.c \
+     tcp.c \
+     transition.c \
+@@ -146,6 +148,12 @@ ifneq (,$(findstring $(shell uname -i),i386 i486 i586 i686 x86 x86_64))
+ SRC+=syscall_ioperm.c syscall_iopl.c
+ endif
+ 
++#only do sysctl syscall test if defines installed and OR supported by the
++# kernel
++ifeq ($(USE_SYSCTL),true)
++SRC+=syscall_sysctl.c
++endif
++
+ #only do dbus if proper libs are installl
+ ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE))
+ SRC+=dbus_eavesdrop.c dbus_message.c dbus_service.c dbus_unrequested_reply.c
+diff --git a/tests/regression/apparmor/syscall_sysctl.sh b/tests/regression/apparmor/syscall_sysctl.sh
+index f93946f3..5f856984 100644
+--- a/tests/regression/apparmor/syscall_sysctl.sh
++++ b/tests/regression/apparmor/syscall_sysctl.sh
+@@ -148,11 +148,18 @@ test_sysctl_proc()
+ # check if the kernel supports CONFIG_SYSCTL_SYSCALL
+ # generally we want to encourage kernels to disable it, but if it's
+ # enabled we want to test against it
+-settest syscall_sysctl
+-if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
+-    echo "	WARNING: syscall sysctl not implemented, skipping tests ..."
++# In addition test that sysctl exists in the kernel headers, if it does't
++# then we can't even built the syscall_sysctl test
++if  echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null ; then
++    settest syscall_sysctl
++
++    if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
++	echo "	WARNING: syscall sysctl not implemented, skipping tests ..."
++    else
++	test_syscall_sysctl
++    fi
+ else
+-    test_syscall_sysctl
++    echo "	WARNING: syscall sysctl not supported by kernel headers, skipping tests ..."
+ fi
+ 
+ # now test /proc/sys/ paths
+-- 
+2.17.1
+
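Review bot: The `USE_SYSCTL` probe this backport adds to the Makefile shells out to `cpp`, so in a cross build it answers whether the build host has sys/sysctl.h rather than the target sysroot; that is presumably why do_compile_ptest seds the Makefile. The identical `cpp -dM` probe added to syscall_sysctl.sh is left alone and runs on the target at ptest time, where a preprocessor is normally not installed, so the sysctl test will always print "not supported by kernel headers" and skip. Worth a comment in the recipe that this test is effectively disabled on target. The Upstream-Status: Backport line with the upstream commit id is good.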
-- 
2.17.1



* [dunfell 26/32] packagegroup-core-security: remove clamav from musl image
From: akuster @ 2020-10-17 18:03 UTC
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 496a734c14fc72250979a4e7eb69c5d541ffd870)
---
 recipes-security/packagegroup/packagegroup-core-security.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 72ca0f4..fd6da9e 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -39,6 +39,7 @@ RDEPENDS_packagegroup-security-scanners = "\
     checksecurity \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
     "
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"
 
 SUMMARY_packagegroup-security-audit = "Security Audit tools "
 RDEPENDS_packagegroup-security-audit = " \
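Review bot: the musl `_remove` repeats the package list that the `bb.utils.contains_any` line just above already spells out (`clamav clamav-freshclam clamav-cvd`), so the two can silently drift apart; factoring the list into one variable used in both places would keep them in sync. The commit message also gives no reason why clamav is dropped on musl (build failure, unsupported upstream?); a one-line justification would help whoever revisits this later.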
-- 
2.17.1



* [dunfell 27/32] scap-security-guide: add expat-native to DEPENDS
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: Mingli Yu <mingli.yu@windriver.com>

Add expat-native to DEPENDS to fix the below do_configure error:
| CMake Error at CMakeLists.txt:165 (message):
|  xmlwf is required!

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4c2f7ffd492c7083273aca7cc718802279f05ce2)
---
 .../scap-security-guide/scap-security-guide.inc                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 66c2623..32fce0f 100644
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
 LICENSE = "LGPL-2.1"
 
-DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
+DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native"
 
 S = "${WORKDIR}/git"
 
-- 
2.17.1



* [dunfell 28/32] layer.conf: use += instead of := to update BBFILES
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

From: Sajjad Ahmed <sajjad_ahmed@mentor.com>

Updating BBFILES with := isn't the standard way and can break
parsing under certain conditions; instead, use +=, which is widely used.

Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 63e1cf3ffa26a4e820ec8d882e67e438aa0d23ee)
---
 meta-integrity/conf/layer.conf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index b4edac3..6072e6d 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -2,8 +2,7 @@
 BBPATH =. "${LAYERDIR}:"
 
 # We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
-            ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
             ${LAYERDIR}/recipes-*/*/*.bbappend"
 
 BBFILE_COLLECTIONS += "integrity"
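Review bot: the hunk itself is fine: `+=` inserts its own space separator, so the resulting BBFILES is well formed and the `${BBFILES}` self-reference goes away. The request is on the message rather than the diff: it says `:=` "can break parsing under certain conditions" without naming one; stating the concrete condition (which parse order or BBFILES definition triggers it) would make the rationale verifiable for anyone bisecting a parse failure later.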
-- 
2.17.1



* [dunfell 29/32] ibmswtpm2: fix QA warning
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
index 8054226..a892761 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
@@ -16,6 +16,8 @@ SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb0
 
 S = "${WORKDIR}/src"
 
+INSANE_SKIP_${PN} += "ldflags"
+
 do_compile () {
    make CC='${CC}'
 }
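Review bot: `INSANE_SKIP_${PN} += "ldflags"` silences the QA check rather than fixing the cause the commit message itself suspects ("didn't pass LDFLAGS?"): `do_compile` hands only `CC='${CC}'` to make, so the distro linker flags never reach the link step and the missing GNU_HASH is just the symptom. Because LDFLAGS is also the channel for any distro-wide linker options, skipping the check means none of them are applied to `tpm_server` either. Try `make CC='${CC}' LDFLAGS='${LDFLAGS}'` first (if the upstream Makefile honours the variable) and keep the skip only if it does not.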
@@ -24,4 +26,3 @@ do_install () {
    install -d ${D}/${bindir}
    install -m 0755 tpm_server  ${D}/${bindir}
 }
-
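Review bot: this second hunk only deletes a trailing blank line at the end of the recipe, which is unrelated to the ldflags QA fix in the subject and not mentioned in the message; either drop it from this commit or mention it as an incidental cleanup.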
-- 
2.17.1



* [dunfell 30/32] README: updated branch for Dunfell
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 README                          | 12 ++++++------
 meta-integrity/README.md        |  8 ++------
 meta-security-compliance/README |  8 ++++----
 meta-security-isafw/README.md   |  4 ++--
 meta-tpm/README                 |  8 ++++----
 5 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/README b/README
index f223fee..19b07c7 100644
--- a/README
+++ b/README
@@ -10,27 +10,27 @@ Dependencies
 This layer depends on:
 
   URI: git://git.openembedded.org/openembedded-core
-  branch: master
+  branch: dunfell
   revision: HEAD
   prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-oe
-  branch: master
+  branch: dunfell
   revision: HEAD
   prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-perl
-  branch: master
+  branch: dunfell
   revision: HEAD
   prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-python
-  branch: master
+  branch: dunfell
   revision: HEAD
   prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-networking
-  branch: master
+  branch: dunfell
   revision: HEAD
   prio: default
 
@@ -60,7 +60,7 @@ Maintenance
 Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
 
 When sending single patches, please using something like:
-'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][dunfell][PATCH'
 
 These values can be set as defaults for this repository:
 
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4607948..f08a164 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -10,15 +10,11 @@ Dependencies
 This layer depends on:
 
     URI: git://git.openembedded.org/bitbake
-    branch: master
+    branch: dunfell
 
     URI: git://git.openembedded.org/openembedded-core
     layers: meta
-    branch: master
-
-    URI: git://github.com/01org/meta-security/meta-integrate
-    layers: security-framework
-    branch: master
+    branch: dunfell
 
 
 Patches
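Review bot: this hunk does more than the subject's "updated branch": it deletes the `git://github.com/01org/meta-security/meta-integrate` dependency block (layers: security-framework) outright. If that layer is genuinely no longer required on dunfell, the commit message should say so; as written, a reader of the README's history would assume only branch names changed.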
diff --git a/meta-security-compliance/README b/meta-security-compliance/README
index 320f856..86a95fb 100644
--- a/meta-security-compliance/README
+++ b/meta-security-compliance/README
@@ -9,16 +9,16 @@ Dependencies
 This layer depends on:
 
   URI: git://git.openembedded.org/bitbake
-  branch: master
+  branch: 1.48 
 
   URI: git://git.openembedded.org/openembedded-core
   layers: meta
-  branch: master
+  branch: dunfell
 
 or
 
   URI: git://git.yoctoproject.org/poky
-  branch: master
+  branch: dunfell
 
 
 
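Review bot: `branch: 1.48 ` for bitbake looks wrong for a dunfell README: bitbake 1.48 is the gatesgarth (3.2) series, while dunfell (3.1) pairs with bitbake 1.46, and the meta-integrity/README.md hunk in this same commit uses `branch: dunfell` for the identical URI. Use one consistent value across the layer READMEs, and drop the trailing space after `1.48`.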
@@ -28,7 +28,7 @@ Maintenance
 Send pull requests, patches, comments or questions to yocto@yoctoproject.org
 
 When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][dunfell][PATCH'
 
 Layer Maintainer: Armin Kuster <akuster808@gmail.com>
 
diff --git a/meta-security-isafw/README.md b/meta-security-isafw/README.md
index 16041cb..48db167 100644
--- a/meta-security-isafw/README.md
+++ b/meta-security-isafw/README.md
@@ -78,12 +78,12 @@ Patches
 end pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
 
 When sending single patches, please using something like:
-'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][dunfell][PATCH'
 
 These values can be set as defaults for this repository:
 
 $ git config sendemail.to yocto@lists.yoctoproject.org
-$ git config format.subjectPrefix meta-security-isafw][PATCH
+$ git config format.subjectPrefix meta-security-isafw][dunfell][PATCH
 
 Now you can just do 'git send-email origin/master' to send all local patches.
 
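Review bot: the final context line still tells contributors to run `git send-email origin/master`; with the subject prefix now `[dunfell]`, that should be `origin/dunfell`, otherwise the command sends every commit since master rather than since the branch point. The pre-existing typo in the context line `end pull requests` (for `Send`) could be fixed while this file is being touched.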
diff --git a/meta-tpm/README b/meta-tpm/README
index dd662b3..90e211c 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -9,12 +9,12 @@ Dependencies
 This layer depends on:
 
   URI: git://git.openembedded.org/openembedded-core
-  branch: master
+  branch: dunfell
   revision: HEAD
   prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-oe
-  branch: master
+  branch: dunfell
   revision: HEAD
   prio: default
 
@@ -41,12 +41,12 @@ Maintenance
 Send pull requests, patches, comments or questions to yocto@yoctoproject.org
 
 When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][dunfell][PATCH'
 
 These values can be set as defaults for this repository:
 
 $ git config sendemail.to yocto@yoctoproject.org
-$ git config format.subjectPrefix meta-security][PATCH
+$ git config format.subjectPrefix meta-security][dunfell][PATCH
 
 Now you can just do 'git send-email origin/master' to send all local patches.
 
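Review bot: the last context line still instructs `git send-email origin/master`; now that this README's prefix says `[dunfell]`, it should read `origin/dunfell` so the command sends only the commits on top of the dunfell branch. The unchanged `please using something like` line above it is a pre-existing typo (`please use`) worth fixing in passing.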
-- 
2.17.1



* [dunfell 31/32] apparmor: fix issue with older use of shell in make
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-mac/AppArmor/apparmor_2.13.4.bb       |  1 +
 ...-fix-failure-on-older-versions-of-Ma.patch | 40 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index 6ba1ea8..c1f038f 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
     file://0001-Makefile.am-suppress-perllocal.pod.patch \
     file://run-ptest \
     file://0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch \
+    file://0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch \
     "
 
 SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
diff --git a/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch b/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch
new file mode 100644
index 0000000..a23d889
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch
@@ -0,0 +1,40 @@
+From bf8c4ca570c27cf58e882e03680b40357223e6e7 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 30 Sep 2020 13:36:23 -0700
+Subject: [PATCH] tests regression: fix failure on older versions of Make
+
+Older versions of Make will choke on the # character in the $(shell
+expression, treating it as the beginning of a comment. Resulting in
+the following error
+
+make unterminated call to function 'shell': missing ')'.  Stop.
+
+MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/639
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Steve Beattie <steve.beattie@canonical.com>
+(cherry picked from commit 8cf3534a5b11643c5913e5eb74e491f2f014d792)
+
+Upstream-Status: Backport
+[Minor fixup]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ tests/regression/apparmor/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
+index c3d0cfb7..1d55547c 100644
+--- a/tests/regression/apparmor/Makefile
++++ b/tests/regression/apparmor/Makefile
+@@ -69,7 +69,8 @@ endif # USE_SYSTEM
+ 
+ CFLAGS += -g -O0 -Wall -Wstrict-prototypes
+ 
+-USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
++SYSCTL_INCLUDE="\#include <sys/sysctl.h>"
++USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
+ 
+ 
+ SRC=access.c \
+-- 
+2.17.1
+
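Review bot: the `\#` in the plain `SYSCTL_INCLUDE=` assignment is the right portable idiom: in a variable assignment the backslash is stripped by both older and newer GNU Make, whereas inside `$(shell ...)` older Make treats a bare `#` as a comment start (the "unterminated call to function 'shell'" error quoted in the body) and Make 4.3 leaves `\#` literal, so moving the string out of the function call is what works on both sides of that change. Two requests on the backport header: `[Minor fixup]` should say what was adjusted relative to upstream commit 8cf3534a, and the body sentence "Resulting in the following error" is a fragment (join it to the previous sentence).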
-- 
2.17.1



* [dunfell 32/32] apparmor: fix QA warning with systemd enabled
From: akuster @ 2020-10-17 18:03 UTC (permalink / raw)
  To: yocto

ERROR: apparmor-2.13.4-r0 do_package: QA Issue: apparmor: Files/directories were installed but not shipped in any package:
  /usr/lib/systemd
  /usr/lib/systemd/system
  /usr/lib/systemd/system/apparmor.service

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-mac/AppArmor/apparmor_2.13.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index c1f038f..ba58fc5 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -190,7 +190,7 @@ SYSTEMD_AUTO_ENABLE ?= "enable"
 
 PACKAGES += "mod-${PN}"
 
-FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_${PN} += "/lib/apparmor/  ${systemd_system_unitdir} ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
 FILES_mod-${PN} = "${libdir}/apache2/modules/*"
 
 # Add coreutils and findutils only if sysvinit scripts are in use
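Review bot: the added `${systemd_system_unitdir}` is separated from `/lib/apparmor/` by two spaces; tidy to one. More substantively, the recipe already sets `SYSTEMD_AUTO_ENABLE` (visible in the hunk header), which indicates it inherits systemd.bbclass, and that class appends every unit listed in `SYSTEMD_SERVICE_${PN}` to the package's FILES itself; an "installed but not shipped" error for `apparmor.service` therefore usually means the unit is not listed there. Check whether adding `apparmor.service` to `SYSTEMD_SERVICE_${PN}` resolves the QA issue; if it does, that is the idiomatic fix and this FILES addition becomes redundant.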
-- 
2.17.1


