* [meta-security][PATCH 01/12] Fix warning : lack of whitespace around assignment
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 02/12] smack: Use new CVE_STATUS variable Scott Murray
` (11 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: J. S., Scott Murray
From: "J. S." <schonm@gmail.com>
v2 : also fix some typos while we are here.
v3 : add fixes for isic and checksecurity
Signed-off-by: Jason Schonberg <schonm@gmail.com>
[removed already applied change]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../recipes-scanners/checksecurity/checksecurity_2.0.16.bb | 2 +-
.../recipes-devtools/python/python3-json2html_1.3.0.bb | 2 +-
.../recipes-devtools/python/python3-xmldiff_2.7.0.bb | 2 +-
.../scap-security-guide/scap-security-guide_0.1.76.bb | 6 +++---
recipes-ids/aide/aide_0.18.8.bb | 2 +-
recipes-ids/ossec/ossec-hids_3.7.0.bb | 2 +-
recipes-ids/tripwire/tripwire_2.4.3.7.bb | 2 +-
recipes-kernel/lkrg/lkrg-module_0.9.7.bb | 2 +-
recipes-mac/ccs-tools/ccs-tools_1.8.9.bb | 4 ++--
recipes-perl/perl/libwhisker2-perl_2.5.bb | 2 +-
recipes-scanners/checksec/checksec_2.6.0.bb | 2 +-
recipes-security/cryptmount/cryptmount_6.2.0.bb | 2 +-
recipes-security/isic/isic_0.07.bb | 2 +-
recipes-security/sshguard/sshguard_2.4.3.bb | 4 ++--
14 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
index 8006c9f..bc146a9 100644
--- a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
+++ b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/checksecurity-${PV}+nmu1"
# allow for anylocal, no need to patch
-LOGDIR="/etc/checksecurity"
+LOGDIR = "/etc/checksecurity"
do_compile() {
sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/etc/check-setuid.conf
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
index 3d7e897..baf3156 100644
--- a/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
@@ -1,4 +1,4 @@
-DESCRIPTION="Python wrapper to convert JSON into a human readable HTML Table representation."
+DESCRIPTION = "Python wrapper to convert JSON into a human readable HTML Table representation."
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8065590663ea0c10aa131841ea806767"
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.7.0.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.7.0.bb
index 9d38065..a81c252 100644
--- a/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.7.0.bb
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.7.0.bb
@@ -1,4 +1,4 @@
-DESCRIPTION="Creates diffs of XML files"
+DESCRIPTION = "Creates diffs of XML files"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=0d0e9e3949e163c3edd1e097b8b0ed62"
diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
index 73bd576..25309c7 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
@@ -21,9 +21,9 @@ B = "${S}/build"
inherit cmake pkgconfig python3native python3targetconfig ptest
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
-export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
-export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
+export OSCAP_CPE_PATH = "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
+export OSCAP_SCHEMA_PATH = "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
+export OSCAP_XSLT_PATH = "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
OECMAKE_GENERATOR = "Unix Makefiles"
diff --git a/recipes-ids/aide/aide_0.18.8.bb b/recipes-ids/aide/aide_0.18.8.bb
index e2014a1..2912cb2 100644
--- a/recipes-ids/aide/aide_0.18.8.bb
+++ b/recipes-ids/aide/aide_0.18.8.bb
@@ -16,7 +16,7 @@ UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
inherit autotools pkgconfig aide-base
-PACKAGECONFIG ??=" gcrypt zlib e2fsattrs posix capabilities curl pthread \
+PACKAGECONFIG ??= " gcrypt zlib e2fsattrs posix capabilities curl pthread \
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
"
diff --git a/recipes-ids/ossec/ossec-hids_3.7.0.bb b/recipes-ids/ossec/ossec-hids_3.7.0.bb
index fbd1294..d9f5121 100644
--- a/recipes-ids/ossec/ossec-hids_3.7.0.bb
+++ b/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -18,7 +18,7 @@ inherit autotools-brokensep useradd
S = "${UNPACKDIR}/git"
-OSSEC_DIR="/var/ossec"
+OSSEC_DIR = "/var/ossec"
OSSEC_UID ?= "ossec"
OSSEC_RUID ?= "ossecr"
OSSEC_GID ?= "ossec"
diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index e67d3c7..3c85027 100644
--- a/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -1,7 +1,7 @@
SUMMARY = "Tripwire: A system integrity assessment tool (IDS)"
DESCRIPTION = "Open Source Tripwire® software is a security and data \
integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems"
-HOMEPAGE="http://sourceforge.net/projects/tripwire"
+HOMEPAGE = "http://sourceforge.net/projects/tripwire"
SECTION = "security Monitor/Admin"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.7.bb b/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
index 751c045..20982a8 100644
--- a/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
+++ b/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
@@ -1,5 +1,5 @@
SUMMARY = "Linux Kernel Runtime Guard"
-DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
+DESCRIPTION = "LKRG performs runtime integrity checking of the Linux \
kernel and detection of security vulnerability exploits against the kernel."
SECTION = "security"
HOMEPAGE = "https://www.openwall.com/lkrg/"
diff --git a/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index a746c56..3f754e9 100644
--- a/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
+++ b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -26,7 +26,7 @@ do_install(){
oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} SBINDIR=${sbindir} install
}
-PACKAGE="${PN} ${PN}-dbg ${PN}-doc"
+PACKAGES = "${PN} ${PN}-dbg ${PN}-doc"
FILES:${PN} = "\
${sbindir}/* \
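Review bot: The `PACKAGE=` to `PACKAGES =` change in this hunk is a variable rename, not a whitespace fix, and it changes packaging. `PACKAGE` was not a variable BitBake acts on, so the default package list applied before; `PACKAGES = "${PN} ${PN}-dbg ${PN}-doc"` now replaces that list and leaves out the other default splits such as ${PN}-dev. Please move this into its own commit with a message stating that the restricted list is intended, or drop the line if the default list is what the recipe should keep building with.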
@@ -46,4 +46,4 @@ FILES:${PN}-dbg = "\
/usr/src/debug/* \
"
-REQUIRED_DISTRO_FEATURES ?=" tomoyo"
+REQUIRED_DISTRO_FEATURES ?= " tomoyo"
diff --git a/recipes-perl/perl/libwhisker2-perl_2.5.bb b/recipes-perl/perl/libwhisker2-perl_2.5.bb
index 2c32bfc..e16e5f2 100644
--- a/recipes-perl/perl/libwhisker2-perl_2.5.bb
+++ b/recipes-perl/perl/libwhisker2-perl_2.5.bb
@@ -15,7 +15,7 @@ S = "${UNPACKDIR}/libwhisker2-2.5"
inherit cpan-base
-PACKAGEGROUP ??=""
+PACKAGEGROUP ??= ""
PACKAGEGROUP[ssl] = ", , libnet-ssleay-perl, libnet-ssleay-perl"
do_install() {
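Review bot: `PACKAGEGROUP ??= ""` together with the context line `PACKAGEGROUP[ssl] = ", , libnet-ssleay-perl, libnet-ssleay-perl"` looks like a misspelling of PACKAGECONFIG: the four comma-separated fields are the PACKAGECONFIG flag layout, and nothing visible in the hunk consumes PACKAGEGROUP. Since this patch already corrects variable-name typos, please check whether the ssl option was meant to be selectable and either rename both lines or remove them.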
diff --git a/recipes-scanners/checksec/checksec_2.6.0.bb b/recipes-scanners/checksec/checksec_2.6.0.bb
index 3712e68..4767239 100644
--- a/recipes-scanners/checksec/checksec_2.6.0.bb
+++ b/recipes-scanners/checksec/checksec_2.6.0.bb
@@ -2,7 +2,7 @@ SUMMARY = "Linux system security checks"
DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
SECTION = "security"
LICENSE = "BSD-3-Clause"
-HOMEPAGE="https://github.com/slimm609/checksec.sh"
+HOMEPAGE = "https://github.com/slimm609/checksec.sh"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836"
diff --git a/recipes-security/cryptmount/cryptmount_6.2.0.bb b/recipes-security/cryptmount/cryptmount_6.2.0.bb
index d69d88b..424ff56 100644
--- a/recipes-security/cryptmount/cryptmount_6.2.0.bb
+++ b/recipes-security/cryptmount/cryptmount_6.2.0.bb
@@ -10,7 +10,7 @@ inherit autotools-brokensep gettext pkgconfig systemd
EXTRA_OECONF = " --enable-cswap --enable-fsck --enable-argv0switch"
-PACKAGECONFIG ?="intl luks gcrypt nls"
+PACKAGECONFIG ?= "intl luks gcrypt nls"
PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[systemd] = "--with-systemd, --without-systemd, systemd"
diff --git a/recipes-security/isic/isic_0.07.bb b/recipes-security/isic/isic_0.07.bb
index d39184e..8e0f5ce 100644
--- a/recipes-security/isic/isic_0.07.bb
+++ b/recipes-security/isic/isic_0.07.bb
@@ -17,7 +17,7 @@ SRC_URI = "http://prdownloads.sourceforge.net/isic/${BPN}-${PV}.tgz \
SRC_URI[md5sum] = "29f70c9bde9aa9128b8f7e66a315f9a4"
SRC_URI[sha256sum] = "e033c53e03e26a4c72b723e2a5a1c433ee70eb4d23a1ba0d7d7e14ee1a80429d"
-S="${UNPACKDIR}/${BPN}-${PV}"
+S = "${UNPACKDIR}/${BPN}-${PV}"
inherit autotools-brokensep
diff --git a/recipes-security/sshguard/sshguard_2.4.3.bb b/recipes-security/sshguard/sshguard_2.4.3.bb
index 37b414e..de3d856 100644
--- a/recipes-security/sshguard/sshguard_2.4.3.bb
+++ b/recipes-security/sshguard/sshguard_2.4.3.bb
@@ -1,10 +1,10 @@
-SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "
+SUMMARY = " Intelligently block brute-force attacks by aggregating system logs "
HOMEPAGE = "https://www.sshguard.net/"
LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
LICENSE = "BSD-1-Clause"
-SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
+SRC_URI = "https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
SRC_URI[sha256sum] = "64029deff6de90fdeefb1f497d414f0e4045076693a91da1a70eb7595e97efeb"
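Review bot: Correcting `SUMARRY` to `SUMMARY` on the first line means the string is now actually used as the recipe summary, and it carries a leading and a trailing space inside the quotes. Trim it to `SUMMARY = "Intelligently block brute-force attacks by aggregating system logs"`, and note in the commit message that this hunk fixes a variable name rather than whitespace only.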
--
2.50.0
* [meta-security][PATCH 02/12] smack: Use new CVE_STATUS variable
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 01/12] Fix warning : lack of whitespace around assignment Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 03/12] layer.conf: Update to whinlatter (5.3) release Scott Murray
` (10 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Clayton Casciato, Scott Murray
From: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Fix "CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS"
https://docs.yoctoproject.org/dev/ref-manual/variables.html#term-CVE_STATUS
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-mac/smack/smack_1.3.1.bb | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/recipes-mac/smack/smack_1.3.1.bb b/recipes-mac/smack/smack_1.3.1.bb
index 6c52392..7b20e6b 100644
--- a/recipes-mac/smack/smack_1.3.1.bb
+++ b/recipes-mac/smack/smack_1.3.1.bb
@@ -13,10 +13,9 @@ SRC_URI = " \
PV = "1.3.1"
-# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product.
-CVE_CHECK_IGNORE += "CVE-2014-0363"
-CVE_CHECK_IGNORE += "CVE-2014-0364"
-CVE_CHECK_IGNORE += "CVE-2016-10027"
+CVE_STATUS[CVE-2014-0363] = "cpe-incorrect: different product"
+CVE_STATUS[CVE-2014-0364] = "cpe-incorrect: different product"
+CVE_STATUS[CVE-2016-10027] = "cpe-incorrect: different product"
inherit autotools update-rc.d pkgconfig ptest
inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
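Review bot: The three `CVE_STATUS[...]` lines give "different product" as the reason but, like the comment they replace, do not say which product the CVEs belong to. Naming it in the status text, or in a comment above the entries, would let someone auditing the CVE report confirm the `cpe-incorrect` classification without looking each id up again.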
--
2.50.0
* [meta-security][PATCH 03/12] layer.conf: Update to whinlatter (5.3) release
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 01/12] Fix warning : lack of whitespace around assignment Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 02/12] smack: Use new CVE_STATUS variable Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 04/12] Adapt to S/UNPACKDIR changes Scott Murray
` (9 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Scott Murray
Update LAYERSERIES_COMPAT in all layer.conf files with the exception
of meta-parsec to whinlatter. For meta-parsec, whinlatter has been
added, and the EOL releases removed, as an initial update.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
conf/layer.conf | 2 +-
meta-hardening/conf/layer.conf | 2 +-
meta-integrity/conf/layer.conf | 2 +-
meta-parsec/conf/layer.conf | 2 +-
meta-tpm/conf/layer.conf | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/conf/layer.conf b/conf/layer.conf
index 84d40a1..7a86054 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "styhead walnascar"
+LAYERSERIES_COMPAT_security = "whinlatter"
LAYERDEPENDS_security = "core openembedded-layer"
diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
index a7e32e5..367d3d7 100644
--- a/meta-hardening/conf/layer.conf
+++ b/meta-hardening/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "harden-layer"
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_harden-layer = "6"
-LAYERSERIES_COMPAT_harden-layer = "styhead walnascar"
+LAYERSERIES_COMPAT_harden-layer = "whinlatter"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index 33127c7..23d6848 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "styhead walnascar"
+LAYERSERIES_COMPAT_integrity = "whinlatter"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-parsec/conf/layer.conf b/meta-parsec/conf/layer.conf
index 614c17e..29a8f11 100644
--- a/meta-parsec/conf/layer.conf
+++ b/meta-parsec/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer"
BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_parsec-layer = "5"
-LAYERSERIES_COMPAT_parsec-layer = "walnascar styhead nanbield scarthgap"
+LAYERSERIES_COMPAT_parsec-layer = "whinlatter walnascar scarthgap"
LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
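Review bot: `LAYERSERIES_COMPAT_parsec-layer` keeps walnascar and scarthgap while the other four layer.conf files in this patch become whinlatter-only, so on master this layer still claims compatibility with release series the rest of the repository no longer claims. If that is deliberate for now, a short comment above the line saying why, and when the older names will be dropped, would keep it from being read as an oversight.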
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 5f96114..582fe1e 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "6"
-LAYERSERIES_COMPAT_tpm-layer = "styhead walnascar"
+LAYERSERIES_COMPAT_tpm-layer = "whinlatter"
LAYERDEPENDS_tpm-layer = " \
core \
--
2.50.0
* [meta-security][PATCH 04/12] Adapt to S/UNPACKDIR changes
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (2 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 03/12] layer.conf: Update to whinlatter (5.3) release Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 05/12] parsec-service: update PACKAGECONFIG options as lists of cargo build features Scott Murray
` (8 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Scott Murray
Remove or update S definitions as required to work with oe-core
S/UNPACKDIR changes.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../recipes-scanners/checksecurity/checksecurity_2.0.16.bb | 3 +--
.../meta-perl/recipes-security/bastille/bastille_3.2.1.bb | 2 +-
.../meta-perl/recipes-security/nikto/nikto_2.1.6.bb | 2 +-
.../recipes-security/fail2ban/python3-fail2ban_git.bb | 2 --
meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb | 1 -
meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb | 2 --
meta-tpm/recipes-tpm1/hoth/libhoth_git.bb | 2 --
.../openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb | 2 --
meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb | 2 --
.../recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb | 1 -
meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb | 2 --
meta-tpm/recipes-tpm1/trousers/trousers_git.bb | 2 --
meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_183-2024-03-27.bb | 2 +-
meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_2.2.0.bb | 2 --
meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 2 --
meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb | 2 --
recipes-compliance/openscap/openscap_1.4.1.bb | 2 --
.../scap-security-guide/scap-security-guide_0.1.76.bb | 1 -
recipes-ids/crowdsec/crowdsec_1.1.1.bb | 2 --
recipes-ids/ossec/ossec-hids_3.7.0.bb | 3 ---
recipes-ids/suricata/libhtp_0.5.50.bb | 4 ----
recipes-ids/tripwire/tripwire_2.4.3.7.bb | 2 --
recipes-kernel/lkrg/lkrg-module_0.9.7.bb | 2 --
recipes-mac/AppArmor/apparmor_4.0.3.bb | 1 -
recipes-mac/smack/mmap-smack-test_1.0.bb | 3 +--
recipes-mac/smack/smack-test_1.0.bb | 3 +--
recipes-mac/smack/smack_1.3.1.bb | 3 ---
recipes-mac/smack/tcp-smack-test_1.0.bb | 3 +--
recipes-mac/smack/udp-smack-test_1.0.bb | 3 +--
recipes-scanners/checksec/checksec_2.6.0.bb | 2 --
recipes-scanners/clamav/clamav_0.104.4.bb | 1 -
recipes-security/Firejail/firejail_0.9.72.bb | 2 --
recipes-security/chipsec/chipsec_1.9.1.bb | 2 --
recipes-security/fscrypt/fscrypt_1.1.0.bb | 2 --
recipes-security/fscryptctl/fscryptctl_1.1.0.bb | 2 --
recipes-security/glome/glome_git.bb | 1 -
.../google-authenticator-libpam_1.09.bb | 2 --
recipes-security/krill/krill_0.12.3.bb | 1 -
recipes-security/libest/libest_3.2.0.bb | 2 --
recipes-security/libgssglue/libgssglue_0.9.bb | 2 --
recipes-security/libmspack/libmspack_1.11.bb | 2 +-
recipes-security/ncrack/ncrack_0.7.bb | 2 --
recipes-security/redhat-security/redhat-security_1.0.bb | 3 +--
43 files changed, 10 insertions(+), 79 deletions(-)
diff --git a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
index bc146a9..8dfb1cc 100644
--- a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
+++ b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
@@ -10,8 +10,7 @@ SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecuri
SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0"
-S = "${WORKDIR}/checksecurity-${PV}+nmu1"
-
+S = "${UNPACKDIR}/checksecurity-${PV}+nmu1"
# allow for anylocal, no need to patch
LOGDIR = "/etc/checksecurity"
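Review bot: Style point on the `S` line: the blank line that followed it is removed together with the WORKDIR to UNPACKDIR change, so `# allow for anylocal, no need to patch` now sits directly under `S` and reads as a comment on it rather than on `LOGDIR`. Keeping the blank line would leave this hunk as a one-line path update.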
diff --git a/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb b/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
index 7074f68..b95ec2d 100644
--- a/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
@@ -35,7 +35,7 @@ SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
SRC_URI[sha256sum] = "0ea25191b1dc1c8f91e1b6f8cb5436a3aa1e57418809ef902293448efed5021a"
-S = "${WORKDIR}/Bastille"
+S = "${UNPACKDIR}/Bastille"
do_install () {
install -d ${D}${sbindir}
diff --git a/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb b/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
index 8c21b30..6d83265 100644
--- a/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
+++ b/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
@@ -10,7 +10,7 @@ SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
SRC_URI = "git://github.com/sullo/nikto.git;branch=master;protocol=https \
file://location.patch"
-S = "${WORKDIR}/git/program"
+S = "${UNPACKDIR}/${BP}/program"
do_install() {
install -d ${D}${bindir}
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
index 52d35f8..7312bf8 100644
--- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
@@ -26,8 +26,6 @@ inherit systemd
SYSTEMD_SERVICE:${PN} = "fail2ban.service"
-S = "${UNPACKDIR}/git"
-
do_install:append () {
rm -f ${D}/${bindir}/fail2ban-python
install -d ${D}/${sysconfdir}/fail2ban
diff --git a/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb b/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb
index 55a4c01..3727bb3 100644
--- a/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb
+++ b/meta-tpm/recipes-tpm/libtpm/libtpms_0.10.0.bb
@@ -7,7 +7,6 @@ SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.10;protocol
PE = "2"
-S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig perlnative
PACKAGECONFIG ?= "openssl"
diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb
index c7159e0..d5470f4 100644
--- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb
+++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb
@@ -10,8 +10,6 @@ SRCREV = "54f4bb1e702a8b80d990ca00b6f72d5031dd131a"
SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.10;protocol=https"
PE = "2"
-S = "${WORKDIR}/git"
-
PARALLEL_MAKE = ""
inherit autotools pkgconfig perlnative
diff --git a/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
index df1dc04..9d29f78 100644
--- a/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
+++ b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
@@ -11,7 +11,5 @@ SRCREV = "e4827163741e0804f12ac96c81b8e97649be6795"
DEPENDS += "libusb1"
-S = "${WORKDIR}/git"
-
inherit pkgconfig meson
diff --git a/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
index e3e643e..b792151 100644
--- a/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -17,8 +17,6 @@ SRC_URI = "\
"
SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf"
-S = "${WORKDIR}/git"
-
inherit autotools-brokensep pkgconfig
# The definitions below are used to decrypt the srk password.
diff --git a/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb b/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
index 2e5814b..efd8181 100644
--- a/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
+++ b/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
@@ -14,8 +14,6 @@ SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
inherit autotools
-S = "${WORKDIR}/git"
-
do_configure[noexec] = "1"
do_compile() {
diff --git a/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
index 4672bba..4b82faf 100644
--- a/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
+++ b/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -18,5 +18,4 @@ DEPENDS = "libtspi tpm-tools"
SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master"
SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295"
-S = "${WORKDIR}/git"
inherit autotools
diff --git a/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
index 816f382..6d911c9 100644
--- a/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -22,8 +22,6 @@ SRC_URI = " \
inherit autotools-brokensep gettext
-S = "${UNPACKDIR}/git"
-
# Compile failing with gcc-14
CFLAGS += " -Wno-incompatible-pointer-types -Wno-stringop-truncation -Wno-error=implicit-function-declaration"
BUILD_CFLAGS += " -Wno-incompatible-pointer-types -Wno-stringop-truncation -Wno-error=implicit-function-declaration"
diff --git a/meta-tpm/recipes-tpm1/trousers/trousers_git.bb b/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
index 44a4ee6..abbb436 100644
--- a/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
+++ b/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
@@ -18,8 +18,6 @@ SRC_URI = " \
file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
"
-S = "${WORKDIR}/git"
-
inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
PACKAGECONFIG ?= "gmp "
diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_183-2024-03-27.bb b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_183-2024-03-27.bb
index 7ed9569..64df708 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_183-2024-03-27.bb
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_183-2024-03-27.bb
@@ -23,7 +23,7 @@ SRCREV = "c37c74438429e1d5fe465232e7bf894b239a2cd4"
UPSTREAM_CHECK_GITTAGREGEX = "rev(?P<pver>\d+(\-\d+)+)"
-S = "${WORKDIR}/git/src"
+S = "${UNPACKDIR}/${BP}/src"
CFLAGS += "-Wno-error=maybe-uninitialized"
diff --git a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_2.2.0.bb b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_2.2.0.bb
index 8e941d1..797222e 100644
--- a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_2.2.0.bb
+++ b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_2.2.0.bb
@@ -25,5 +25,3 @@ SRCREV = "0b9d77e304f68228b13b20ff0d72b0c16ffd2651"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
EXTRA_OECONF = "--disable-tpm-1.2"
-
-S = "${WORKDIR}/git"
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 9c60e2b..09bbef2 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -14,8 +14,6 @@ SRCREV = "0241b08f069f0fdb3612f5c1b938144dbe9be811"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
-S = "${WORKDIR}/git"
-
inherit autotools pkgconfig
EFIDIR ?= "/EFI/BOOT"
diff --git a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
index d324e33..9c9f4c5 100644
--- a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
@@ -13,5 +13,3 @@ SRCREV = "96a1448753a48974149003bc90ea3990ae8e8d0b"
SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=master;protocol=https"
inherit autotools-brokensep pkgconfig
-
-S = "${WORKDIR}/git"
diff --git a/recipes-compliance/openscap/openscap_1.4.1.bb b/recipes-compliance/openscap/openscap_1.4.1.bb
index 47034ad..3e5f00a 100644
--- a/recipes-compliance/openscap/openscap_1.4.1.bb
+++ b/recipes-compliance/openscap/openscap_1.4.1.bb
@@ -15,8 +15,6 @@ SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=main;protocol=https \
SRCREV = "23a8ea3de3c4fd6017db4067675a81287177166e"
-S = "${UNPACKDIR}/git"
-
inherit cmake pkgconfig python3native python3targetconfig perlnative systemd
PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
index 25309c7..d5a9406 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
@@ -15,7 +15,6 @@ SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=
DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native"
-S = "${UNPACKDIR}/git"
B = "${S}/build"
inherit cmake pkgconfig python3native python3targetconfig ptest
diff --git a/recipes-ids/crowdsec/crowdsec_1.1.1.bb b/recipes-ids/crowdsec/crowdsec_1.1.1.bb
index deccecf..fa13e9d 100644
--- a/recipes-ids/crowdsec/crowdsec_1.1.1.bb
+++ b/recipes-ids/crowdsec/crowdsec_1.1.1.bb
@@ -12,8 +12,6 @@ GO_IMPORT = "import"
inherit go
-S = "${UNPACKDIR}/git"
-
do_compile() {
export GOARCH="${TARGET_GOARCH}"
export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
diff --git a/recipes-ids/ossec/ossec-hids_3.7.0.bb b/recipes-ids/ossec/ossec-hids_3.7.0.bb
index d9f5121..f8ee993 100644
--- a/recipes-ids/ossec/ossec-hids_3.7.0.bb
+++ b/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -15,9 +15,6 @@ UPSTREAM_CHECK_COMMITS = "1"
inherit autotools-brokensep useradd
-S = "${UNPACKDIR}/git"
-
-
OSSEC_DIR = "/var/ossec"
OSSEC_UID ?= "ossec"
OSSEC_RUID ?= "ossecr"
diff --git a/recipes-ids/suricata/libhtp_0.5.50.bb b/recipes-ids/suricata/libhtp_0.5.50.bb
index 3a795ae..7695539 100644
--- a/recipes-ids/suricata/libhtp_0.5.50.bb
+++ b/recipes-ids/suricata/libhtp_0.5.50.bb
@@ -13,10 +13,6 @@ inherit autotools-brokensep pkgconfig
CFLAGS += "-D_DEFAULT_SOURCE"
-#S = "${UNPACKDIR}/suricata-${VER}/${BPN}"
-
-S = "${UNPACKDIR}/git"
-
do_configure () {
cd ${S}
./autogen.sh
diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 3c85027..e2968e4 100644
--- a/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -19,8 +19,6 @@ SRC_URI = "\
file://run-ptest \
"
-S = "${UNPACKDIR}/git"
-
inherit autotools-brokensep update-rc.d ptest
INITSCRIPT_NAME = "tripwire"
diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.7.bb b/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
index 20982a8..85a9644 100644
--- a/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
+++ b/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
@@ -13,8 +13,6 @@ SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main"
SRCREV = "5dc5cfea1f4dc8febdd5274d99e277c17df06acc"
-S = "${UNPACKDIR}/git"
-
inherit module kernel-module-split
MAKE_TARGETS = "modules"
diff --git a/recipes-mac/AppArmor/apparmor_4.0.3.bb b/recipes-mac/AppArmor/apparmor_4.0.3.bb
index 06a5010..9983157 100644
--- a/recipes-mac/AppArmor/apparmor_4.0.3.bb
+++ b/recipes-mac/AppArmor/apparmor_4.0.3.bb
@@ -23,7 +23,6 @@ SRC_URI = " \
"
SRCREV = "b4dfdf50f50ed1d64161424d036a2453645f0cfe"
-S = "${UNPACKDIR}/git"
PARALLEL_MAKE = ""
diff --git a/recipes-mac/smack/mmap-smack-test_1.0.bb b/recipes-mac/smack/mmap-smack-test_1.0.bb
index b11fbf3..df2896c 100644
--- a/recipes-mac/smack/mmap-smack-test_1.0.bb
+++ b/recipes-mac/smack/mmap-smack-test_1.0.bb
@@ -5,8 +5,7 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda
SRC_URI = "file://mmap.c"
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
do_compile() {
${CC} mmap.c ${LDFLAGS} -o mmap_test
diff --git a/recipes-mac/smack/smack-test_1.0.bb b/recipes-mac/smack/smack-test_1.0.bb
index 0949cd5..4a581ee 100644
--- a/recipes-mac/smack/smack-test_1.0.bb
+++ b/recipes-mac/smack/smack-test_1.0.bb
@@ -10,8 +10,7 @@ SRC_URI = " \
file://test_smack_onlycap.sh \
"
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
inherit features_check
diff --git a/recipes-mac/smack/smack_1.3.1.bb b/recipes-mac/smack/smack_1.3.1.bb
index 7b20e6b..99f79b7 100644
--- a/recipes-mac/smack/smack_1.3.1.bb
+++ b/recipes-mac/smack/smack_1.3.1.bb
@@ -23,9 +23,6 @@ inherit features_check
REQUIRED_DISTRO_FEATURES = "smack"
-
-S = "${WORKDIR}/git"
-
PACKAGECONFIG ??= ""
PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
diff --git a/recipes-mac/smack/tcp-smack-test_1.0.bb b/recipes-mac/smack/tcp-smack-test_1.0.bb
index 370905d..8b7704f 100644
--- a/recipes-mac/smack/tcp-smack-test_1.0.bb
+++ b/recipes-mac/smack/tcp-smack-test_1.0.bb
@@ -8,8 +8,7 @@ SRC_URI = "file://tcp_server.c \
file://test_smack_tcp_sockets.sh \
"
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
do_compile() {
${CC} tcp_client.c ${LDFLAGS} -o tcp_client
diff --git a/recipes-mac/smack/udp-smack-test_1.0.bb b/recipes-mac/smack/udp-smack-test_1.0.bb
index 861138d..1a2e011 100644
--- a/recipes-mac/smack/udp-smack-test_1.0.bb
+++ b/recipes-mac/smack/udp-smack-test_1.0.bb
@@ -8,8 +8,7 @@ SRC_URI = "file://udp_server.c \
file://test_smack_udp_sockets.sh \
"
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
do_compile() {
${CC} udp_client.c ${LDFLAGS} -o udp_client
diff --git a/recipes-scanners/checksec/checksec_2.6.0.bb b/recipes-scanners/checksec/checksec_2.6.0.bb
index 4767239..192e249 100644
--- a/recipes-scanners/checksec/checksec_2.6.0.bb
+++ b/recipes-scanners/checksec/checksec_2.6.0.bb
@@ -9,8 +9,6 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836"
SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2"
SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https"
-S = "${UNPACKDIR}/git"
-
do_install() {
install -d ${D}${bindir}
install -m 0755 ${S}/checksec ${D}${bindir}
diff --git a/recipes-scanners/clamav/clamav_0.104.4.bb b/recipes-scanners/clamav/clamav_0.104.4.bb
index 48cc75c..7b81fd0 100644
--- a/recipes-scanners/clamav/clamav_0.104.4.bb
+++ b/recipes-scanners/clamav/clamav_0.104.4.bb
@@ -21,7 +21,6 @@ SRC_URI = "git://github.com/Cisco-Talos/clamav;branch=rel/0.104;protocol=https \
file://headers_fixup.patch \
file://oe_cmake_fixup.patch \
"
-S = "${UNPACKDIR}/git"
LEAD_SONAME = "libclamav.so"
SO_VER = "9.6.0"
diff --git a/recipes-security/Firejail/firejail_0.9.72.bb b/recipes-security/Firejail/firejail_0.9.72.bb
index 10023c1..cf0190d 100644
--- a/recipes-security/Firejail/firejail_0.9.72.bb
+++ b/recipes-security/Firejail/firejail_0.9.72.bb
@@ -16,8 +16,6 @@ SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master
DEPENDS = "libseccomp"
-S = "${UNPACKDIR}/git"
-
inherit autotools-brokensep pkgconfig bash-completion features_check
REQUIRED_DISTRO_FEATURES = "seccomp"
diff --git a/recipes-security/chipsec/chipsec_1.9.1.bb b/recipes-security/chipsec/chipsec_1.9.1.bb
index 213b047..ef293bc 100644
--- a/recipes-security/chipsec/chipsec_1.9.1.bb
+++ b/recipes-security/chipsec/chipsec_1.9.1.bb
@@ -12,8 +12,6 @@ DEPENDS = "virtual/kernel nasm-native"
SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc"
-S = "${UNPACKDIR}/git"
-
inherit module setuptools3
EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
diff --git a/recipes-security/fscrypt/fscrypt_1.1.0.bb b/recipes-security/fscrypt/fscrypt_1.1.0.bb
index c620c6e..6ccb8fe 100644
--- a/recipes-security/fscrypt/fscrypt_1.1.0.bb
+++ b/recipes-security/fscrypt/fscrypt_1.1.0.bb
@@ -20,8 +20,6 @@ inherit go goarch features_check
REQUIRED_DISTRO_FEATURES = "pam"
-S = "${UNPACKDIR}/git"
-
do_compile() {
export GOARCH=${TARGET_GOARCH}
export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
diff --git a/recipes-security/fscryptctl/fscryptctl_1.1.0.bb b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index cf03a18..edd6943 100644
--- a/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
+++ b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -12,8 +12,6 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
-S = "${UNPACKDIR}/git"
-
do_compile:prepend() {
sed -i 's/fscryptctl\.1//g' ${S}/Makefile
sed -i 's/install-man//g' ${S}/Makefile
diff --git a/recipes-security/glome/glome_git.bb b/recipes-security/glome/glome_git.bb
index b99239e..5a0300f 100644
--- a/recipes-security/glome/glome_git.bb
+++ b/recipes-security/glome/glome_git.bb
@@ -10,7 +10,6 @@ inherit meson pkgconfig
DEPENDS += "openssl"
-S = "${UNPACKDIR}/git"
SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https"
SRCREV = "48d28f82bd51ae4bccc84fbbee93c375b026596b"
diff --git a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
index ba0531c..60f2c9e 100644
--- a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
+++ b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
@@ -8,8 +8,6 @@ SRCREV = "962f353aac6cfc7b804547319db40f8b804f0b6c"
DEPENDS = "libpam"
-S = "${UNPACKDIR}/git"
-
inherit autotools features_check
REQUIRED_DISTRO_FEATURES = "pam"
diff --git a/recipes-security/krill/krill_0.12.3.bb b/recipes-security/krill/krill_0.12.3.bb
index d5917a1..472bac9 100644
--- a/recipes-security/krill/krill_0.12.3.bb
+++ b/recipes-security/krill/krill_0.12.3.bb
@@ -15,7 +15,6 @@ include krill-crates.inc
UPSTREAM_CHECK_URI = "https://github.com/NLnetLabs/${BPN}/releases"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
-S = "${UNPACKDIR}/git"
CARGO_SRC_DIR = ""
inherit pkgconfig useradd systemd cargo cargo-update-recipe-crates
diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb
index 04bfcee..e6af2c6 100644
--- a/recipes-security/libest/libest_3.2.0.bb
+++ b/recipes-security/libest/libest_3.2.0.bb
@@ -20,8 +20,6 @@ EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
CFLAGS += "-fcommon"
LDFLAGS:append:libc-musl = " -lexecinfo"
-S = "${UNPACKDIR}/git"
-
PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
diff --git a/recipes-security/libgssglue/libgssglue_0.9.bb b/recipes-security/libgssglue/libgssglue_0.9.bb
index 73e6dec..532227a 100644
--- a/recipes-security/libgssglue/libgssglue_0.9.bb
+++ b/recipes-security/libgssglue/libgssglue_0.9.bb
@@ -26,8 +26,6 @@ SRC_URI = "git://gitlab.com/gsasl/libgssglue.git;protocol=https;branch=master \
"
SRCREV = "ada76bdaec665f70505f0b3aefe871b873e7c4b6"
-S = "${WORKDIR}/git"
-
inherit autotools-brokensep ptest
do_configure:prepend() {
diff --git a/recipes-security/libmspack/libmspack_1.11.bb b/recipes-security/libmspack/libmspack_1.11.bb
index 338701e..7203dee 100644
--- a/recipes-security/libmspack/libmspack_1.11.bb
+++ b/recipes-security/libmspack/libmspack_1.11.bb
@@ -11,6 +11,6 @@ SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
inherit autotools
-S = "${UNPACKDIR}/git/${BPN}"
+S = "${UNPACKDIR}/${BP}/${BPN}"
inherit autotools
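Review bot: the context of this hunk shows `inherit autotools` both directly before and directly after the `S` assignment, so the recipe inherits the class twice; since these lines are being touched anyway, drop one of them. Unlike the other git-fetched recipes in the visible part of this patch, `S` is kept here (as `${UNPACKDIR}/${BP}/${BPN}`) rather than removed, so a one-line comment saying the sources sit in a subdirectory of the checkout would explain why.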
diff --git a/recipes-security/ncrack/ncrack_0.7.bb b/recipes-security/ncrack/ncrack_0.7.bb
index 881ee38..f389e3c 100644
--- a/recipes-security/ncrack/ncrack_0.7.bb
+++ b/recipes-security/ncrack/ncrack_0.7.bb
@@ -13,6 +13,4 @@ DEPENDS = "openssl zlib"
inherit autotools-brokensep
-S = "${UNPACKDIR}/git"
-
INSANE_SKIP:${PN} = "already-stripped"
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb
index 1f0ba6c..edd34f7 100644
--- a/recipes-security/redhat-security/redhat-security_1.0.bb
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -18,8 +18,7 @@ SRC_URI = "file://find-chroot-py.sh \
file://selinux-check-devices.sh \
file://selinux-ls-unconfined.sh"
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
do_install() {
install -d ${D}${bindir}
--
2.50.0
* [meta-security][PATCH 05/12] parsec-service: update PACKAGECONFIG options as lists of cargo build features
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (3 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 04/12] Adapt to S/UNPACKDIR changes Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 06/12] scap-security-guide: fix fetch Scott Murray
` (7 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Anton Antonov, Anton Antonov, Scott Murray
From: Anton Antonov <anton.antonov@arm.com>
After commit 7a2b9acef2 "cargo: pass PACKAGECONFIG_CONFARGS to cargo build"
we don't need to include Parsec cargo build features into CARGO_BUILD_FLAGS.
Let's update PACKAGECONFIG options as lists of features.
A small fix in readme.md as well.
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
meta-parsec/README.md | 4 ++--
.../parsec-service/parsec-service_1.4.1.bb | 15 ++++++---------
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/meta-parsec/README.md b/meta-parsec/README.md
index 9dea718..a5472ae 100644
--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -112,7 +112,7 @@ You might need to change permissions or add the account into `kvm` unix group.
- Add into your `local.conf`:
```
-INHERIT += "testimage"
+IMAGE_CLASSES += "testimage"
TEST_SUITES = "ping ssh parsec"
```
- Build your image
@@ -129,7 +129,7 @@ bitbake <your-image> -c testimage
- Add into your `local.conf`:
```
DISTRO_FEATURES += " tpm2"
-INHERIT += "testimage"
+IMAGE_CLASSES += "testimage"
TEST_SUITES = "ping ssh parsec"
```
- Build security-parsec-image image
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
index 49467cd..baa02fb 100644
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
@@ -21,15 +21,12 @@ PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO"
have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}"
PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}"
-PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"
-PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"
-PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
-PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
-PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
-PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"
-
-PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS').strip().replace(' ', ',')}"
-CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"
+PACKAGECONFIG[ALL] = "-F all-providers -F cryptoki/generate-bindings -F tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"
+PACKAGECONFIG[TPM] = "-F tpm-provider -F tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"
+PACKAGECONFIG[PKCS11] = "-F pkcs11-provider -F cryptoki/generate-bindings,"
+PACKAGECONFIG[MBED-CRYPTO] = "-F mbed-crypto-provider,"
+PACKAGECONFIG[CRYPTOAUTHLIB] = "-F cryptoauthlib-provider,"
+PACKAGECONFIG[TS] = "-F trusted-service-provider,,libts,libts"
export BINDGEN_EXTRA_CLANG_ARGS
target = "${@d.getVar('TARGET_SYS').replace('-', ' ')}"
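Review bot: with `PARSEC_FEATURES` and the `CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"` line removed, the `-F` arguments reach cargo only if the cargo class forwards PACKAGECONFIG_CONFARGS, which the commit message attributes to commit 7a2b9acef2. Against a core layer without that commit the recipe would be built without the selected provider features and nothing in the recipe would flag it, so state the dependency in a comment next to the PACKAGECONFIG block. Also, `-F cryptoki/generate-bindings` and `-F tss-esapi/generate-bindings` end up repeated on the command line when ALL is combined with PKCS11 or TPM; a test build of that combination would confirm cargo accepts the duplicates.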
--
2.50.0
* [meta-security][PATCH 06/12] scap-security-guide: fix fetch
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (4 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 05/12] parsec-service: update PACKAGECONFIG options as lists of cargo build features Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 07/12] sshguard: Update to 2.5.1 Scott Murray
` (6 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska, Scott Murray
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
The project does not use release branches; their release model currently
rebases the stable branch each release and relies on the release tags to
keep the commits referenced. Until their release model changes, just
use the release commit with nobranch.
See upstream issue [1] for details.
[1] https://github.com/ComplianceAsCode/content/issues/13543
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
[tweaked commit message]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../scap-security-guide/scap-security-guide_0.1.76.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
index d5a9406..b9f7a70 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
LICENSE = "BSD-3-Clause"
SRCREV = "616d4363527acb61c6494a97f3ceb47ec90f65fd"
-SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=https \
+SRC_URI = "git://github.com/ComplianceAsCode/content.git;nobranch=1;protocol=https \
file://run_eval.sh \
file://run-ptest \
"
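Review bot: `nobranch=1` in SRC_URI turns off the fetcher's check that SRCREV is contained in a named branch, and the recipe itself carries no hint of why. Add a comment above SRC_URI that names the release tag the SRCREV corresponds to and points at the upstream issue cited in the commit message, so the option is revisited when upstream's release model changes and the next version bump does not silently pin an arbitrary commit.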
--
2.50.0
* [meta-security][PATCH 07/12] sshguard: Update to 2.5.1
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (5 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 06/12] scap-security-guide: fix fetch Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 08/12] libhoth: update to latest Scott Murray
` (5 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Scott Murray
This picks up required gcc 15 fixes.
Changelog: https://bitbucket.org/sshguard/sshguard/src/master/CHANGELOG.rst
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../sshguard/{sshguard_2.4.3.bb => sshguard_2.5.1.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-security/sshguard/{sshguard_2.4.3.bb => sshguard_2.5.1.bb} (79%)
diff --git a/recipes-security/sshguard/sshguard_2.4.3.bb b/recipes-security/sshguard/sshguard_2.5.1.bb
similarity index 79%
rename from recipes-security/sshguard/sshguard_2.4.3.bb
rename to recipes-security/sshguard/sshguard_2.5.1.bb
index de3d856..db5bad8 100644
--- a/recipes-security/sshguard/sshguard_2.4.3.bb
+++ b/recipes-security/sshguard/sshguard_2.5.1.bb
@@ -6,6 +6,6 @@ LICENSE = "BSD-1-Clause"
SRC_URI = "https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
-SRC_URI[sha256sum] = "64029deff6de90fdeefb1f497d414f0e4045076693a91da1a70eb7595e97efeb"
+SRC_URI[sha256sum] = "997a1e0ec2b2165b4757c42f8948162eb534183946af52efc406885d97cb89fc"
inherit autotools-brokensep
--
2.50.0
* [meta-security][PATCH 08/12] libhoth: update to latest
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (6 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 07/12] sshguard: Update to 2.5.1 Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 09/12] chkrootkit: use Debian mirror Scott Murray
` (4 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Scott Murray
Update libhoth SRCREV to its latest commit, and add patches to fix
gcc 15 and build dependency issues. Since the last update was
so long ago, the changelog is longer than seems reasonable to
include here, please refer to:
https://github.com/google/libhoth/commits/main/?since=2024-01-16&until=2025-07-03
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../0001-Fix-building-with-gcc-15.patch | 151 ++++++++++++++++++
...02-Fix-building-without-dbus-backend.patch | 36 +++++
meta-tpm/recipes-tpm1/hoth/libhoth_git.bb | 11 +-
3 files changed, 196 insertions(+), 2 deletions(-)
create mode 100644 meta-tpm/recipes-tpm1/hoth/libhoth/0001-Fix-building-with-gcc-15.patch
create mode 100644 meta-tpm/recipes-tpm1/hoth/libhoth/0002-Fix-building-without-dbus-backend.patch
diff --git a/meta-tpm/recipes-tpm1/hoth/libhoth/0001-Fix-building-with-gcc-15.patch b/meta-tpm/recipes-tpm1/hoth/libhoth/0001-Fix-building-with-gcc-15.patch
new file mode 100644
index 0000000..5004c66
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/hoth/libhoth/0001-Fix-building-with-gcc-15.patch
@@ -0,0 +1,151 @@
+From 59dfffdb03654e004d848e8f6639ba066f7786a1 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Thu, 3 Jul 2025 17:41:16 -0400
+Subject: [PATCH 1/2] Fix building with gcc 15
+
+Correct function signatures of a few of the htool command functions
+to fix gcc 15 errors from incompatible function pointer types.
+
+Upstream-Status: Pending
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ examples/htool_key_rotation.c | 6 +++---
+ examples/htool_key_rotation.h | 6 +++---
+ examples/htool_payload.c | 2 +-
+ examples/htool_payload.h | 2 +-
+ examples/htool_payload_update.c | 2 +-
+ examples/htool_payload_update.h | 2 +-
+ examples/htool_statistics.c | 2 +-
+ examples/htool_statistics.h | 3 ++-
+ 8 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/examples/htool_key_rotation.c b/examples/htool_key_rotation.c
+index af7ef59..3b938cd 100644
+--- a/examples/htool_key_rotation.c
++++ b/examples/htool_key_rotation.c
+@@ -43,7 +43,7 @@ static const char *get_validation_method_string(uint32_t validation_method) {
+ }
+ }
+
+-int htool_key_rotation_get_status(void) {
++int htool_key_rotation_get_status(const struct htool_invocation* inv) {
+ struct libhoth_device *dev = htool_libhoth_device();
+ if (!dev) {
+ return -1;
+@@ -65,7 +65,7 @@ int htool_key_rotation_get_status(void) {
+ return 0;
+ }
+
+-int htool_key_rotation_get_version(void) {
++int htool_key_rotation_get_version(const struct htool_invocation* inv) {
+ struct libhoth_device *dev = htool_libhoth_device();
+ if (!dev) {
+ return -1;
+@@ -161,7 +161,7 @@ int htool_key_rotation_update(const struct htool_invocation *inv) {
+ return result;
+ }
+
+-int htool_key_rotation_payload_status() {
++int htool_key_rotation_payload_status(const struct htool_invocation* inv) {
+ struct libhoth_device *dev = htool_libhoth_device();
+ if (!dev) {
+ return -1;
+diff --git a/examples/htool_key_rotation.h b/examples/htool_key_rotation.h
+index 1dbfc02..cbcde98 100644
+--- a/examples/htool_key_rotation.h
++++ b/examples/htool_key_rotation.h
+@@ -23,9 +23,9 @@ extern "C" {
+ #endif
+
+ struct htool_invocation;
+-int htool_key_rotation_get_status();
+-int htool_key_rotation_get_version();
+-int htool_key_rotation_payload_status();
++int htool_key_rotation_get_status(const struct htool_invocation* inv);
++int htool_key_rotation_get_version(const struct htool_invocation* inv);
++int htool_key_rotation_payload_status(const struct htool_invocation* inv);
+ int htool_key_rotation_read(const struct htool_invocation* inv);
+ int htool_key_rotation_read_chunk_type(const struct htool_invocation* inv);
+ int htool_key_rotation_update(const struct htool_invocation* inv);
+diff --git a/examples/htool_payload.c b/examples/htool_payload.c
+index cada560..5a87660 100644
+--- a/examples/htool_payload.c
++++ b/examples/htool_payload.c
+@@ -29,7 +29,7 @@
+ #include "protocol/payload_info.h"
+ #include "protocol/payload_status.h"
+
+-int htool_payload_status() {
++int htool_payload_status(const struct htool_invocation* inv) {
+ struct libhoth_device* dev = htool_libhoth_device();
+ if (!dev) {
+ return -1;
+diff --git a/examples/htool_payload.h b/examples/htool_payload.h
+index f218034..82c77ac 100644
+--- a/examples/htool_payload.h
++++ b/examples/htool_payload.h
+@@ -24,7 +24,7 @@
+ extern "C" {
+ #endif
+
+-int htool_payload_status();
++int htool_payload_status(const struct htool_invocation* inv);
+ int htool_payload_info(const struct htool_invocation* inv);
+
+ #ifdef __cplusplus
+diff --git a/examples/htool_payload_update.c b/examples/htool_payload_update.c
+index 8e3beb3..6cf44f1 100644
+--- a/examples/htool_payload_update.c
++++ b/examples/htool_payload_update.c
+@@ -125,7 +125,7 @@ const char *payload_update_getstatus_half_string(uint8_t h) {
+ }
+ }
+
+-int htool_payload_update_getstatus() {
++int htool_payload_update_getstatus(const struct htool_invocation* inv) {
+ struct libhoth_device *dev = htool_libhoth_device();
+ if (!dev) {
+ return -1;
+diff --git a/examples/htool_payload_update.h b/examples/htool_payload_update.h
+index f87c5e7..55c6b44 100644
+--- a/examples/htool_payload_update.h
++++ b/examples/htool_payload_update.h
+@@ -24,7 +24,7 @@ extern "C" {
+
+ struct htool_invocation;
+ int htool_payload_update(const struct htool_invocation* inv);
+-int htool_payload_update_getstatus();
++int htool_payload_update_getstatus(const struct htool_invocation* inv);
+
+ #ifdef __cplusplus
+ }
+diff --git a/examples/htool_statistics.c b/examples/htool_statistics.c
+index 4c5b536..6bca31a 100644
+--- a/examples/htool_statistics.c
++++ b/examples/htool_statistics.c
+@@ -178,7 +178,7 @@ const char* PayloadUpdateErrorToString(uint16_t reason) {
+ }
+ }
+
+-int htool_statistics() {
++int htool_statistics(const struct htool_invocation* inv) {
+ struct libhoth_device* dev = htool_libhoth_device();
+ if (!dev) {
+ return -1;
+diff --git a/examples/htool_statistics.h b/examples/htool_statistics.h
+index 2dd59b6..fe54eda 100644
+--- a/examples/htool_statistics.h
++++ b/examples/htool_statistics.h
+@@ -19,7 +19,8 @@
+ extern "C" {
+ #endif
+
+-int htool_statistics();
++struct htool_invocation;
++int htool_statistics(const struct htool_invocation* inv);
+
+ #ifdef __cplusplus
+ }
+--
+2.50.0
+
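Review bot: in examples/htool_key_rotation.c the new parameters are written `const struct htool_invocation* inv`, while the unchanged `htool_key_rotation_update(const struct htool_invocation *inv)` in the same file and the `struct libhoth_device *dev` locals put the asterisk on the name; matching the file's existing style will make the patch easier to upstream. None of the changed functions use `inv`, so if the upstream build enables unused-parameter warnings a `(void)inv;` will be needed in each. The patch is marked `Upstream-Status: Pending`; once it has been sent upstream, update the tag to Submitted with the link.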
diff --git a/meta-tpm/recipes-tpm1/hoth/libhoth/0002-Fix-building-without-dbus-backend.patch b/meta-tpm/recipes-tpm1/hoth/libhoth/0002-Fix-building-without-dbus-backend.patch
new file mode 100644
index 0000000..ca98609
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/hoth/libhoth/0002-Fix-building-without-dbus-backend.patch
@@ -0,0 +1,36 @@
+From ee75dcb0ea9818a10a6f7f85a3b5ee37572a3b08 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Thu, 3 Jul 2025 17:41:50 -0400
+Subject: [PATCH 2/2] Fix building without dbus backend
+
+Move libsystemd and libcap dependencies into conditional logic for
+dbus_backend option so that building without the backend works when
+libsystemd and libcap are not available in the build environment.
+This situation occurs when building with OpenEmbedded.
+
+Upstream-Status: Pending
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ transports/meson.build | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/transports/meson.build b/transports/meson.build
+index e9f30d4..5abd103 100644
+--- a/transports/meson.build
++++ b/transports/meson.build
+@@ -9,10 +9,10 @@ transport_srcs = [
+
+ incdir = include_directories('..')
+ libusb = dependency('libusb-1.0')
+-libsystemd = dependency('libsystemd')
+-libcap = dependency('libcap')
+
+ if get_option('dbus_backend')
++ libsystemd = dependency('libsystemd')
++ libcap = dependency('libcap')
+ libhoth_dbus = static_library(
+ 'hoth_dbus',
+ 'libhoth_dbus.c',
+--
+2.50.0
+
diff --git a/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
index 9d29f78..2608acf 100644
--- a/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
+++ b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
@@ -6,10 +6,17 @@ HOMEPAGE = "https://github.com/google/libhoth"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRC_URI = "git://github.com/google/libhoth;protocol=https;branch=main"
-SRCREV = "e4827163741e0804f12ac96c81b8e97649be6795"
+SRC_URI = "git://github.com/google/libhoth;protocol=https;branch=main \
+ file://0001-Fix-building-with-gcc-15.patch \
+ file://0002-Fix-building-without-dbus-backend.patch \
+"
+SRCREV = "69661d3ea542604353c48a00beee9a6247b27686"
DEPENDS += "libusb1"
inherit pkgconfig meson
+PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'dbus', '', d)}"
+
+PACKAGECONFIG[dbus] = "-Ddbus_backend=true,-Ddbus_backend=false,systemd libcap"
+
--
2.50.0
* [meta-security][PATCH 09/12] chkrootkit: use Debian mirror
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (7 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 08/12] libhoth: update to latest Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 10/12] chkrootkit: fix building with gcc 15 Scott Murray
` (3 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska, Scott Murray
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
Use the Debian mirror as the Ubuntu one is failing frequently.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-scanners/rootkits/chkrootkit_0.58b.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-scanners/rootkits/chkrootkit_0.58b.bb b/recipes-scanners/rootkits/chkrootkit_0.58b.bb
index a6c4090..0fcc55d 100644
--- a/recipes-scanners/rootkits/chkrootkit_0.58b.bb
+++ b/recipes-scanners/rootkits/chkrootkit_0.58b.bb
@@ -5,7 +5,7 @@ SECTION = "security"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=6db4d77fb8f0cc84d175e7a1211e4c13"
-SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
+SRC_URI = "${DEBIAN_MIRROR}/main/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
file://musl_fix.patch"
SRC_URI[sha256sum] = "75ed2ace81f0fa3e9c3fb64dab0e8857ed59247ea755f5898416feb2c66807b9"
--
2.50.0
* [meta-security][PATCH 10/12] chkrootkit: fix building with gcc 15
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (8 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 09/12] chkrootkit: use Debian mirror Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 11/12] CI: update build for new CI Scott Murray
` (2 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Scott Murray
Add a patch to fix building chkrootkit with gcc 15.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-scanners/rootkits/chkrootkit_0.58b.bb | 5 ++-
.../files/0001-Fix-building-with-gcc-15.patch | 39 +++++++++++++++++++
2 files changed, 42 insertions(+), 2 deletions(-)
create mode 100644 recipes-scanners/rootkits/files/0001-Fix-building-with-gcc-15.patch
diff --git a/recipes-scanners/rootkits/chkrootkit_0.58b.bb b/recipes-scanners/rootkits/chkrootkit_0.58b.bb
index 0fcc55d..e5912fe 100644
--- a/recipes-scanners/rootkits/chkrootkit_0.58b.bb
+++ b/recipes-scanners/rootkits/chkrootkit_0.58b.bb
@@ -6,8 +6,9 @@ LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=6db4d77fb8f0cc84d175e7a1211e4c13"
SRC_URI = "${DEBIAN_MIRROR}/main/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
- file://musl_fix.patch"
-
+ file://musl_fix.patch \
+ file://0001-Fix-building-with-gcc-15.patch \
+"
SRC_URI[sha256sum] = "75ed2ace81f0fa3e9c3fb64dab0e8857ed59247ea755f5898416feb2c66807b9"
inherit autotools-brokensep
diff --git a/recipes-scanners/rootkits/files/0001-Fix-building-with-gcc-15.patch b/recipes-scanners/rootkits/files/0001-Fix-building-with-gcc-15.patch
new file mode 100644
index 0000000..8c2a111
--- /dev/null
+++ b/recipes-scanners/rootkits/files/0001-Fix-building-with-gcc-15.patch
@@ -0,0 +1,39 @@
+From 9834ad9f0b8a10de22512772222a9c51014c750d Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Thu, 3 Jul 2025 18:11:24 -0400
+Subject: [PATCH] Fix building with gcc 15
+
+Fix read_status signature to avoid incompatible function pointer
+error with gcc 15.
+
+Upstream-Status: Inactive-Upstream [lastrelease: July 5, 2024]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ chklastlog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/chklastlog.c b/chklastlog.c
+index 2fffd9e..1566c76 100644
+--- a/chklastlog.c
++++ b/chklastlog.c
+@@ -78,7 +78,7 @@ int main () { return 0; }
+ long total_wtmp_bytes_read=0;
+ size_t wtmp_file_size;
+ uid_t *uid;
+-void read_status();
++void read_status(int signum);
+
+ struct s_localpwd {
+ int numentries;
+@@ -214,7 +214,7 @@ int nonuser(struct utmp utmp_ent)
+ }
+ #endif
+
+-void read_status() {
++void read_status(int signum) {
+ double remaining_time;
+ static long last_total_bytes_read=0;
+ int diff;
+--
+2.50.0
+
--
2.50.0
* [meta-security][PATCH 11/12] CI: update build for new CI
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (9 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 10/12] chkrootkit: fix building with gcc 15 Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-07-04 17:11 ` [meta-security][PATCH 12/12] .gitlab-ci.yml: add logging of jobs to files Scott Murray
2025-11-07 16:35 ` [yocto-patches] [meta-security][PATCH 00/12] Initial fixes for master branch Gyorgy Sarvari
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska, Scott Murray
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
Assume that python3 and pip are installed.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.gitlab-ci.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 46ab4a9..32ce2b9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,10 +1,12 @@
.before-my-script: &before-my-script
- echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
- echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
+ - echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir
- export PATH=~/.local/bin:$PATH
- - wget https://bootstrap.pypa.io/get-pip.py
- - python3 get-pip.py
+ - python3 -m venv ~/kas_env/
+ - source ~/kas_env/bin/activate
- python3 -m pip install kas
+ - mkdir -p $CI_PROJECT_DIR/build/tmp/log/error-report/
.after-my-script: &after-my-script
- cd $CI_PROJECT_DIR/poky
--
2.50.0
* [meta-security][PATCH 12/12] .gitlab-ci.yml: add logging of jobs to files
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (10 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 11/12] CI: update build for new CI Scott Murray
@ 2025-07-04 17:11 ` Scott Murray
2025-11-07 16:35 ` [yocto-patches] [meta-security][PATCH 00/12] Initial fixes for master branch Gyorgy Sarvari
12 siblings, 0 replies; 15+ messages in thread
From: Scott Murray @ 2025-07-04 17:11 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska, Scott Murray
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
Log kas commands to files and export them as artefacts
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.gitlab-ci.yml | 39 ++++++++++++++++++++++-----------------
1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 32ce2b9..628b0e6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,6 +7,7 @@
- source ~/kas_env/bin/activate
- python3 -m pip install kas
- mkdir -p $CI_PROJECT_DIR/build/tmp/log/error-report/
+ - mkdir -p $CI_PROJECT_DIR/log/
.after-my-script: &after-my-script
- cd $CI_PROJECT_DIR/poky
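Review bot: `mkdir -p $CI_PROJECT_DIR/log/` leaves the variable unquoted, as does the `error-report` line above it. Quoting both as `"$CI_PROJECT_DIR/..."` keeps the step correct if the checkout path ever contains whitespace, and the two directories could be created by a single `mkdir -p` call.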
@@ -28,6 +29,10 @@ stages:
stage: base
after_script:
- *after-my-script
+ artifacts:
+ paths:
+ - $CI_PROJECT_DIR/log/*
+ when: always
.parsec:
before_script:
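Review bot: the `artifacts:` block is added only to the template that carries `stage: base`, but later in this patch the jobs extending `.parsec`, `.musl` and `.test` also write to `$CI_PROJECT_DIR/log/`. If those templates do not inherit from this one, their logs are written but never uploaded, so please confirm that or add the same block to them. Since `when: always` uploads on every run, an explicit `expire_in` would also make the retention of these build logs a deliberate choice.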
@@ -53,72 +58,72 @@ stages:
qemux86:
extends: .base
script:
- - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal"
- - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_security_image.txt
+ - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml 2>&1 | tee CI_PROJECT_DIR/log/qemux86_harden_image.txt
qemux86-musl:
extends: .musl
needs: ['qemux86']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_musl_security_image.txt
qemux86-parsec:
extends: .parsec
needs: ['qemux86']
script:
- - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_parsec_security_image.txt
qemux86-test:
extends: .test
needs: ['qemux86']
allow_failure: true
script:
- - kas build --target security-test-image kas/$CI_JOB_NAME.yml
- - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_test_security_image.txt
+ - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_testimage_security_image.txt
qemux86-64:
extends: .base
script:
- - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal"
- - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_image.txt
+ - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_dm_verify.txt
+ - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_build_image.txt
qemux86-64-parsec:
extends: .parsec
needs: ['qemux86-64']
script:
- - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_parsec_security_image.txt
qemuarm:
extends: .base
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_security_image.txt
qemuarm-parsec:
extends: .parsec
needs: ['qemuarm']
script:
- - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_parsec_security_image.txt
qemuarm64:
extends: .base
script:
- - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal"
- - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt
+ - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_build_security_image.txt
qemuarm64-musl:
extends: .musl
needs: ['qemuarm64']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_musl_security_image.txt
qemuarm64-parsec:
extends: .parsec
needs: ['qemuarm64']
script:
- - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt
qemuriscv64:
extends: .base
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuriscv64_security_image.txt
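Review bot: the second `qemux86` script line is missing the `$`: `tee CI_PROJECT_DIR/log/qemux86_harden_image.txt` points at a relative directory that is never created, so tee cannot open the file and the harden log never reaches the artifacts. It should read `tee $CI_PROJECT_DIR/log/qemux86_harden_image.txt`. The `qemuarm64` `kas shell` line logs to `qemuarm64_parsec_security_image.txt`, the same name the `qemuarm64-parsec` job uses, which looks like a copy-paste slip given that the other `kas shell` lines use a plain `_security_image.txt` suffix. Because every command is now piped into `tee`, a step reports the exit status of kas only when `pipefail` is in effect in the job shell; please confirm that for the runners in use, otherwise a failed build can show as passed.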
--
2.50.0
* Re: [yocto-patches] [meta-security][PATCH 00/12] Initial fixes for master branch
2025-07-04 17:11 [meta-security][PATCH 00/12] Initial fixes for master branch Scott Murray
` (11 preceding siblings ...)
2025-07-04 17:11 ` [meta-security][PATCH 12/12] .gitlab-ci.yml: add logging of jobs to files Scott Murray
@ 2025-11-07 16:35 ` Gyorgy Sarvari
2025-11-08 7:17 ` Marta Rybczynska
12 siblings, 1 reply; 15+ messages in thread
From: Gyorgy Sarvari @ 2025-11-07 16:35 UTC (permalink / raw)
To: yocto-patches; +Cc: Scott Murray, marta.rybczynska
On 7/4/25 19:11, Scott Murray via lists.yoctoproject.org wrote:
> There is still
> quite a bit of work to recreate a working CI setup, as well as ensuring
> walnascar and scarthgap branches are in a testable state.
Is the Scarthgap branch still planned to be resurrected?
* Re: [yocto-patches] [meta-security][PATCH 00/12] Initial fixes for master branch
2025-11-07 16:35 ` [yocto-patches] [meta-security][PATCH 00/12] Initial fixes for master branch Gyorgy Sarvari
@ 2025-11-08 7:17 ` Marta Rybczynska
0 siblings, 0 replies; 15+ messages in thread
From: Marta Rybczynska @ 2025-11-08 7:17 UTC (permalink / raw)
To: yocto-patches; +Cc: Scott Murray, marta.rybczynska
Hello Gyorgy,
Positively yes, it is on my list just after the poky split. On the news
side, we have the CI working now.
Kind regards,
Marta
On Fri, Nov 7, 2025 at 5:35 PM Gyorgy Sarvari via lists.yoctoproject.org
<skandigraun=gmail.com@lists.yoctoproject.org> wrote:
> On 7/4/25 19:11, Scott Murray via lists.yoctoproject.org wrote:
> > There is still
> > quite a bit of work to recreate a working CI setup, as well as ensuring
> > walnascar and scarthgap branches are in a testable state.
>
> Is the Scarthgap branch still planned to be resurrected?