[meta-security][PATCH 0/7] Assorted updates 03/07

[meta-security][PATCH 0/7] Assorted updates 03/07

[Scott Murray]

This patch series rolls up the contributed patches from the past few
weeks, plus a nikto fix from myself.  These changes are queued on the
master-next branch if you would like to check them out to test yourself.
I intend to merge these to master branch at end of day Monday (Eastern
Time, March 9) unless there are objections.

Scott


Changes:

Clayton Casciato (1):
  suricata: improve PACKAGECONFIG[unittests] control

Peter Kjellerstedt (3):
  fscrypt: Correct the spelling of DESCRIPTION
  fscryptctl: Use ${prefix} rather than /usr
  fscryptctl: Correct the spelling of DESCRIPTION

Peter Marko (1):
  python3-tpm2-pytss: BBCLASSEXTEND native and nativesdk

Scott Murray (2):
  nikto: fix branch
  A couple of small CI fixes

 .gitlab-ci.yml                                                | 2 +-
 .../meta-perl/recipes-security/nikto/nikto_2.1.6.bb           | 2 +-
 kas/kas-security-base.yml                                     | 2 +-
 meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb  | 2 ++
 recipes-ids/suricata/suricata_7.0.13.bb                       | 2 +-
 recipes-security/fscrypt/fscrypt_1.1.0.bb                     | 2 +-
 recipes-security/fscryptctl/fscryptctl_1.1.0.bb               | 4 ++--
 7 files changed, 9 insertions(+), 7 deletions(-)

-- 
2.51.0

[meta-security][PATCH 1/7] suricata: improve PACKAGECONFIG[unittests] control

[Scott Murray]

From: Clayton Casciato <majortomtosourcecontrol@gmail.com>

Allow downstream users to explicitly select desired PACKAGECONFIG
options (e.g. via "=").

Users are currently forced to use ":remove" (with "ptest").

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-ids/suricata/suricata_7.0.13.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-ids/suricata/suricata_7.0.13.bb b/recipes-ids/suricata/suricata_7.0.13.bb
index b0d2c82..936c057 100644
--- a/recipes-ids/suricata/suricata_7.0.13.bb
+++ b/recipes-ids/suricata/suricata_7.0.13.bb
@@ -46,8 +46,8 @@ PACKAGECONFIG ??= "file \
                    cap-ng \
                    net \
                    ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
+                   ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)} \
                    "
-PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
 
 PACKAGECONFIG[pcre2] = "--with-libpcre2-includes=${STAGING_INCDIR} --with-libpcre2-libraries=${STAGING_LIBDIR}, ,libpcre2 ,"
 PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-- 
2.51.0

[meta-security][PATCH 2/7] python3-tpm2-pytss: BBCLASSEXTEND native and nativesdk

[Scott Murray]

From: Peter Marko <peter.marko@siemens.com>

Commit cd729862f68152bc76db02cd4a93ca12a9424f88 added native/nativesdk
possibility to tpm2-pkcs11.
After 784ca4b6584101e971b2d5d76ec7b716ad1301b5 which added rdepends on
python3-tpm2-pytss, there are errors like:

Missing or unbuildable dependency chain was:
['<image>', 'swtpm-native', 'tpm2-pkcs11-tools-native', 'python3-tpm2-pytss-native']

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb b/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb
index 4ddf287..63ed8cf 100644
--- a/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb
@@ -19,3 +19,5 @@ DEPENDS = " \
 "
 
 RDEPENDS:${PN} = "libtss2 python3-asn1crypto"
+
+BBCLASSEXTEND = "native nativesdk"
-- 
2.51.0

[meta-security][PATCH 3/7] fscrypt: Correct the spelling of DESCRIPTION

[Scott Murray]

From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-security/fscrypt/fscrypt_1.1.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/fscrypt/fscrypt_1.1.0.bb b/recipes-security/fscrypt/fscrypt_1.1.0.bb
index 6ccb8fe..665648c 100644
--- a/recipes-security/fscrypt/fscrypt_1.1.0.bb
+++ b/recipes-security/fscrypt/fscrypt_1.1.0.bb
@@ -1,5 +1,5 @@
 SUMMARY = "fscrypt is a high-level tool for the management of Linux filesystem encryption"
-DESCIPTION = "fscrypt manages metadata, key generation, key wrapping, PAM integration, \
+DESCRIPTION = "fscrypt manages metadata, key generation, key wrapping, PAM integration, \
 and provides a uniform interface for creating and modifying encrypted directories. For \
 a small, low-level tool that directly sets policies, see fscryptctl \
 (https://github.com/google/fscryptcl)."
-- 
2.51.0

[meta-security][PATCH 4/7] fscryptctl: Use ${prefix} rather than /usr

[Scott Murray]

From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-security/fscryptctl/fscryptctl_1.1.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/fscryptctl/fscryptctl_1.1.0.bb b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index edd6943..81cc1ea 100644
--- a/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
+++ b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -18,7 +18,7 @@ do_compile:prepend() {
 }
 
 do_install() {
-    oe_runmake DESTDIR=${D} PREFIX=/usr install
+    oe_runmake DESTDIR=${D} PREFIX=${prefix} install
 }
 
 RRECOMMENDS:${PN} += "\
-- 
2.51.0

[meta-security][PATCH 5/7] fscryptctl: Correct the spelling of DESCRIPTION

[Scott Murray]

From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-security/fscryptctl/fscryptctl_1.1.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/fscryptctl/fscryptctl_1.1.0.bb b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index 81cc1ea..4c9b99a 100644
--- a/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
+++ b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -1,5 +1,5 @@
 SUMMARY = "low-level tool handling Linux filesystem encryption"
-DESCIPTION = "fscryptctl is a low-level tool written in C that handles raw keys and manages \
+DESCRIPTION = "fscryptctl is a low-level tool written in C that handles raw keys and manages \
 policies for Linux filesystem encryption (https://lwn.net/Articles/639427). \
 For a tool that presents a higher level interface and manages metadata, key \
 generation, key wrapping, PAM integration, and passphrase hashing, see \
-- 
2.51.0

[meta-security][PATCH 6/7] nikto: fix branch

[Scott Murray]

Upstream has renamed their master branch to main, adjust SRC_URI to
match.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb b/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
index 6d83265..5668f87 100644
--- a/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
+++ b/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
@@ -7,7 +7,7 @@ LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
 SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
-SRC_URI = "git://github.com/sullo/nikto.git;branch=master;protocol=https \
+SRC_URI = "git://github.com/sullo/nikto.git;branch=main;protocol=https \
            file://location.patch"
 
 S = "${UNPACKDIR}/${BP}/program"
-- 
2.51.0

[meta-security][PATCH 7/7] A couple of small CI fixes

[Scott Murray]

Change the "poky" layer configuration name to "meta-yocto" in the
KAS configuration so the cloned repo name is less confusing in logs,
and fix a spot where "poky" -> "openembedded-core" had been missed
in the gitlab configuration.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .gitlab-ci.yml            | 2 +-
 kas/kas-security-base.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 80b2dfd..701a65a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@
     - mkdir -p $CI_PROJECT_DIR/log/
 
 .after-my-script: &after-my-script
-    - cd $CI_PROJECT_DIR/poky
+    - cd $CI_PROJECT_DIR/openembedded-core
     - . ./oe-init-build-env $CI_PROJECT_DIR/build
     - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
     - send-error-report -y tmp/log/error-report/$x
diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
index 2ab81aa..38043f5 100644
--- a/kas/kas-security-base.yml
+++ b/kas/kas-security-base.yml
@@ -23,7 +23,7 @@ repos:
     layers:
       meta:
 
-  poky:
+  meta-yocto:
     url: "https://git.yoctoproject.org/git/meta-yocto"
     branch: master
     layers:
-- 
2.51.0