[Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches
@ 2022-01-28 14:51 Andreas Ehmanns
  2022-01-28 16:25 ` Robert Hancock via buildroot
  2022-04-25 15:40 ` [Buildroot] Enable missing security options for ISC dhcp server Andreas Ehmanns
  0 siblings, 2 replies; 5+ messages in thread
From: Andreas Ehmanns @ 2022-01-28 14:51 UTC (permalink / raw)
  To: buildroot; +Cc: Andreas Ehmanns

Many embedded board manufacturer provide their BSP as patches to
linux kernel and u-boot. They can simply be applied by setting the
corresponding buildroot config (custom patches).
Nowadays patches for the arm trusted firmware (ATF) are also part of
BSP deliveries but there is no config option in buildroot for ATF
to apply custom patches.
This patch adds (similar to linux kernel and u-boot) an option to
apply custom patches to ATF.

Signed-off-by: Andreas Ehmanns <universeiii@gmx.de>
---
 boot/arm-trusted-firmware/Config.in           |  8 +++++++
 .../arm-trusted-firmware.mk                   | 21 +++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index b1fc03e10b..786a3083a2 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -63,6 +63,14 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION

 endif

+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH
+	string "Custom ATF patches"
+	help
+	  A space-separated list of patches to apply to ATF.
+	  Each patch can be described as an URL, a local file path,
+	  or a directory. In the case of a directory, all files
+	  matching *.patch in the directory will be applied.
+
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM
 	string "ATF platform"
 	help
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 03fa83b7b5..d329bdbfc3 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -29,6 +29,27 @@ ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST
 BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)
 endif

+# Analogous code exists in linux/linux.mk. Basically, the generic
+# package infrastructure handles downloading and applying remote
+# patches. Local patches are handled depending on whether they are
+# directories or files.
+ARM_TRUSTED_FIRMWARE_PATCHES = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH))
+ARM_TRUSTED_FIRMWARE_PATCH = $(filter ftp://% http://% https://%,$(ARM_TRUSTED_FIRMWARE_PATCHES))
+
+define ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
+	for p in $(filter-out ftp://% http://% https://%,$(ARM_TRUSTED_FIRMWARE_PATCHES)) ; do \
+		if test -d $$p ; then \
+			$(APPLY_PATCHES) $(@D) $$p \*.patch || exit 1 ; \
+		else \
+			$(APPLY_PATCHES) $(@D) `dirname $$p` `basename $$p` || exit 1; \
+		fi \
+	done
+endef
+ARM_TRUSTED_FIRMWARE_POST_PATCH_HOOKS += ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
+
+# We have no way to know the hashes for user-supplied patches.
+BR_NO_CHECK_HASH_FOR += $(notdir $(ARM_TRUSTED_FIRMWARE_PATCHES))
+
 ARM_TRUSTED_FIRMWARE_INSTALL_IMAGES = YES

 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_DTC),y)
--
2.26.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches
  2022-01-28 14:51 [Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches Andreas Ehmanns
@ 2022-01-28 16:25 ` Robert Hancock via buildroot
  2022-01-28 17:16   ` Yann E. MORIN
  2022-01-28 20:27   ` Andreas Ehmanns
  2022-04-25 15:40 ` [Buildroot] Enable missing security options for ISC dhcp server Andreas Ehmanns
  1 sibling, 2 replies; 5+ messages in thread
From: Robert Hancock via buildroot @ 2022-01-28 16:25 UTC (permalink / raw)
  To: buildroot@buildroot.org, universeiii@gmx.de

On Fri, 2022-01-28 at 15:51 +0100, Andreas Ehmanns wrote:
> Many embedded board manufacturer provide their BSP as patches to
> linux kernel and u-boot. They can simply be applied by setting the
> corresponding buildroot config (custom patches).
> Nowadays patches for the arm trusted firmware (ATF) are also part of
> BSP deliveries but there is no config option in buildroot for ATF
> to apply custom patches.
> This patch adds (similar to linux kernel and u-boot) an option to
> apply custom patches to ATF.

Hi Andreas,

You shouldn't need a custom option to add patches for each package. If you add
patches to $(BR2_EXTERNAL)/patches/arm-trusted-firmware then they will get
applied automatically, we are using this mechanism already.

I think the specific patch options for the kernel and U-Boot may predate that
mechanism but don't need to be used anymore either.

> 
> Signed-off-by: Andreas Ehmanns <universeiii@gmx.de>
> ---
>  boot/arm-trusted-firmware/Config.in           |  8 +++++++
>  .../arm-trusted-firmware.mk                   | 21 +++++++++++++++++++
>  2 files changed, 29 insertions(+)
> 
> diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-
> firmware/Config.in
> index b1fc03e10b..786a3083a2 100644
> --- a/boot/arm-trusted-firmware/Config.in
> +++ b/boot/arm-trusted-firmware/Config.in
> @@ -63,6 +63,14 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION
> 
>  endif
> 
> +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH
> +	string "Custom ATF patches"
> +	help
> +	  A space-separated list of patches to apply to ATF.
> +	  Each patch can be described as an URL, a local file path,
> +	  or a directory. In the case of a directory, all files
> +	  matching *.patch in the directory will be applied.
> +
>  config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM
>  	string "ATF platform"
>  	help
> diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-
> trusted-firmware/arm-trusted-firmware.mk
> index 03fa83b7b5..d329bdbfc3 100644
> --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> @@ -29,6 +29,27 @@ ifeq
> ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST
>  BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)
>  endif
> 
> +# Analogous code exists in linux/linux.mk. Basically, the generic
> +# package infrastructure handles downloading and applying remote
> +# patches. Local patches are handled depending on whether they are
> +# directories or files.
> +ARM_TRUSTED_FIRMWARE_PATCHES = $(call
> qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH))
> +ARM_TRUSTED_FIRMWARE_PATCH = $(filter 
> https://urldefense.com/v3/__ftp://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78mYZP6cg$
>   https://urldefense.com/v3/__http://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128
> fh66I9s3_Ij-
> rcq9bSBMIxBB8jTXDxe6jH78b3MIP3A$  https://urldefense.com/v3/__https://*,$(ARM
> _TRUSTED_FIRMWARE_PATCHES)__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-
> rcq9bSBMIxBB8jTXDxe6jH78N2PO7_g$ )
> +
> +define ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
> +	for p in $(filter-out 
> https://urldefense.com/v3/__ftp://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78mYZP6cg$
>   https://urldefense.com/v3/__http://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128
> fh66I9s3_Ij-
> rcq9bSBMIxBB8jTXDxe6jH78b3MIP3A$  https://urldefense.com/v3/__https://*,$(ARM
> _TRUSTED_FIRMWARE_PATCHES)__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-
> rcq9bSBMIxBB8jTXDxe6jH78N2PO7_g$ ) ; do \
> +		if test -d $$p ; then \
> +			$(APPLY_PATCHES) $(@D) $$p \*.patch || exit 1 ; \
> +		else \
> +			$(APPLY_PATCHES) $(@D) `dirname $$p` `basename $$p` ||
> exit 1; \
> +		fi \
> +	done
> +endef
> +ARM_TRUSTED_FIRMWARE_POST_PATCH_HOOKS +=
> ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
> +
> +# We have no way to know the hashes for user-supplied patches.
> +BR_NO_CHECK_HASH_FOR += $(notdir $(ARM_TRUSTED_FIRMWARE_PATCHES))
> +
>  ARM_TRUSTED_FIRMWARE_INSTALL_IMAGES = YES
> 
>  ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_DTC),y)
> --
> 2.26.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://urldefense.com/v3/__https://lists.buildroot.org/mailman/listinfo/buildroot__;!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78CXtWZJI$ 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches
  2022-01-28 16:25 ` Robert Hancock via buildroot
@ 2022-01-28 17:16   ` Yann E. MORIN
  2022-01-28 20:27   ` Andreas Ehmanns
  1 sibling, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2022-01-28 17:16 UTC (permalink / raw)
  To: Robert Hancock; +Cc: Andreas Ehmanns, buildroot@buildroot.org

Robert, Andreas, All,

On 2022-01-28 16:25 +0000, Robert Hancock via buildroot spake thusly:
> On Fri, 2022-01-28 at 15:51 +0100, Andreas Ehmanns wrote:
> > Many embedded board manufacturer provide their BSP as patches to
> > linux kernel and u-boot. They can simply be applied by setting the
> > corresponding buildroot config (custom patches).
> > Nowadays patches for the arm trusted firmware (ATF) are also part of
> > BSP deliveries but there is no config option in buildroot for ATF
> > to apply custom patches.
> > This patch adds (similar to linux kernel and u-boot) an option to
> > apply custom patches to ATF.
> You shouldn't need a custom option to add patches for each package. If you add
> patches to $(BR2_EXTERNAL)/patches/arm-trusted-firmware then they will get
> applied automatically, we are using this mechanism already.

I think you forgot a part to this:

    ... as long as you set BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL)/patches"
    in your Buildroot configuration.

BR2_GLOBAL_PATCH_DIR is the generic solution to apply custom patches to
any package in Buildroot. BR2_GLOBAL_PATCH_DIR can even be a
space-separated list of directories. And it can also use a 'series' file
rather than just globing *.patch.

> I think the specific patch options for the kernel and U-Boot may predate that
> mechanism but don't need to be used anymore either.

Indeed. We're keeping them just because of inertia...

Regards,
Yann E. MORIN.

> > Signed-off-by: Andreas Ehmanns <universeiii@gmx.de>
> > ---
> >  boot/arm-trusted-firmware/Config.in           |  8 +++++++
> >  .../arm-trusted-firmware.mk                   | 21 +++++++++++++++++++
> >  2 files changed, 29 insertions(+)
> > 
> > diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-
> > firmware/Config.in
> > index b1fc03e10b..786a3083a2 100644
> > --- a/boot/arm-trusted-firmware/Config.in
> > +++ b/boot/arm-trusted-firmware/Config.in
> > @@ -63,6 +63,14 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION
> > 
> >  endif
> > 
> > +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH
> > +	string "Custom ATF patches"
> > +	help
> > +	  A space-separated list of patches to apply to ATF.
> > +	  Each patch can be described as an URL, a local file path,
> > +	  or a directory. In the case of a directory, all files
> > +	  matching *.patch in the directory will be applied.
> > +
> >  config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM
> >  	string "ATF platform"
> >  	help
> > diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-
> > trusted-firmware/arm-trusted-firmware.mk
> > index 03fa83b7b5..d329bdbfc3 100644
> > --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> > +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> > @@ -29,6 +29,27 @@ ifeq
> > ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST
> >  BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)
> >  endif
> > 
> > +# Analogous code exists in linux/linux.mk. Basically, the generic
> > +# package infrastructure handles downloading and applying remote
> > +# patches. Local patches are handled depending on whether they are
> > +# directories or files.
> > +ARM_TRUSTED_FIRMWARE_PATCHES = $(call
> > qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH))
> > +ARM_TRUSTED_FIRMWARE_PATCH = $(filter 
> > https://urldefense.com/v3/__ftp://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78mYZP6cg$
> >   https://urldefense.com/v3/__http://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128
> > fh66I9s3_Ij-
> > rcq9bSBMIxBB8jTXDxe6jH78b3MIP3A$  https://urldefense.com/v3/__https://*,$(ARM
> > _TRUSTED_FIRMWARE_PATCHES)__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-
> > rcq9bSBMIxBB8jTXDxe6jH78N2PO7_g$ )
> > +
> > +define ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
> > +	for p in $(filter-out 
> > https://urldefense.com/v3/__ftp://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78mYZP6cg$
> >   https://urldefense.com/v3/__http://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128
> > fh66I9s3_Ij-
> > rcq9bSBMIxBB8jTXDxe6jH78b3MIP3A$  https://urldefense.com/v3/__https://*,$(ARM
> > _TRUSTED_FIRMWARE_PATCHES)__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-
> > rcq9bSBMIxBB8jTXDxe6jH78N2PO7_g$ ) ; do \
> > +		if test -d $$p ; then \
> > +			$(APPLY_PATCHES) $(@D) $$p \*.patch || exit 1 ; \
> > +		else \
> > +			$(APPLY_PATCHES) $(@D) `dirname $$p` `basename $$p` ||
> > exit 1; \
> > +		fi \
> > +	done
> > +endef
> > +ARM_TRUSTED_FIRMWARE_POST_PATCH_HOOKS +=
> > ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
> > +
> > +# We have no way to know the hashes for user-supplied patches.
> > +BR_NO_CHECK_HASH_FOR += $(notdir $(ARM_TRUSTED_FIRMWARE_PATCHES))
> > +
> >  ARM_TRUSTED_FIRMWARE_INSTALL_IMAGES = YES
> > 
> >  ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_DTC),y)
> > --
> > 2.26.2
> > 
> > _______________________________________________
> > buildroot mailing list
> > buildroot@buildroot.org
> > https://urldefense.com/v3/__https://lists.buildroot.org/mailman/listinfo/buildroot__;!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78CXtWZJI$ 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches
  2022-01-28 16:25 ` Robert Hancock via buildroot
  2022-01-28 17:16   ` Yann E. MORIN
@ 2022-01-28 20:27   ` Andreas Ehmanns
  1 sibling, 0 replies; 5+ messages in thread
From: Andreas Ehmanns @ 2022-01-28 20:27 UTC (permalink / raw)
  To: Robert Hancock, buildroot, Yann E. MORIN

On 1/28/22 17:25, Robert Hancock via buildroot wrote:
> On Fri, 2022-01-28 at 15:51 +0100, Andreas Ehmanns wrote:
>> Many embedded board manufacturer provide their BSP as patches to
>> linux kernel and u-boot. They can simply be applied by setting the
>> corresponding buildroot config (custom patches).
>> Nowadays patches for the arm trusted firmware (ATF) are also part of
>> BSP deliveries but there is no config option in buildroot for ATF
>> to apply custom patches.
>> This patch adds (similar to linux kernel and u-boot) an option to
>> apply custom patches to ATF.
> Hi Andreas,
>
> You shouldn't need a custom option to add patches for each package. If you add
> patches to $(BR2_EXTERNAL)/patches/arm-trusted-firmware then they will get
> applied automatically, we are using this mechanism already.
>
> I think the specific patch options for the kernel and U-Boot may predate that
> mechanism but don't need to be used anymore either.


Hi Robert, Hi Yann,
I typically store BSP Patches under board/<manufacturer>/<board
name>/patches/<linux,uboot,atf>/<version number> ...
This is necessary for me since I have to manage a lot of different
embedded boards with buildroot. Every manufacturer has its own patches,
often different patches for different boards and also for different
releases. A global patch directory
does not help because I have to configure in each defconfig which
patches from which manufacturer/board/version combination should be applied.
For that I use the custom patch option of linux and uboot since a lot of
years and it works perfectly for me. So I transferred this mechanism to
ATF too. This patch helps me managing all the different combination of
BSP versions, therefore I thought it may be helpful for others too.

Regards,
Andreas

>> Signed-off-by: Andreas Ehmanns <universeiii@gmx.de>
>> ---
>>   boot/arm-trusted-firmware/Config.in           |  8 +++++++
>>   .../arm-trusted-firmware.mk                   | 21 +++++++++++++++++++
>>   2 files changed, 29 insertions(+)
>>
>> diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-
>> firmware/Config.in
>> index b1fc03e10b..786a3083a2 100644
>> --- a/boot/arm-trusted-firmware/Config.in
>> +++ b/boot/arm-trusted-firmware/Config.in
>> @@ -63,6 +63,14 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION
>>
>>   endif
>>
>> +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH
>> +	string "Custom ATF patches"
>> +	help
>> +	  A space-separated list of patches to apply to ATF.
>> +	  Each patch can be described as an URL, a local file path,
>> +	  or a directory. In the case of a directory, all files
>> +	  matching *.patch in the directory will be applied.
>> +
>>   config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM
>>   	string "ATF platform"
>>   	help
>> diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-
>> trusted-firmware/arm-trusted-firmware.mk
>> index 03fa83b7b5..d329bdbfc3 100644
>> --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
>> +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
>> @@ -29,6 +29,27 @@ ifeq
>> ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST
>>   BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)
>>   endif
>>
>> +# Analogous code exists in linux/linux.mk. Basically, the generic
>> +# package infrastructure handles downloading and applying remote
>> +# patches. Local patches are handled depending on whether they are
>> +# directories or files.
>> +ARM_TRUSTED_FIRMWARE_PATCHES = $(call
>> qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PATCH))
>> +ARM_TRUSTED_FIRMWARE_PATCH = $(filter
>> https://urldefense.com/v3/__ftp://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78mYZP6cg$
>>    https://urldefense.com/v3/__http://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128
>> fh66I9s3_Ij-
>> rcq9bSBMIxBB8jTXDxe6jH78b3MIP3A$  https://urldefense.com/v3/__https://*,$(ARM
>> _TRUSTED_FIRMWARE_PATCHES)__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-
>> rcq9bSBMIxBB8jTXDxe6jH78N2PO7_g$ )
>> +
>> +define ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
>> +	for p in $(filter-out
>> https://urldefense.com/v3/__ftp://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78mYZP6cg$
>>    https://urldefense.com/v3/__http://*__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128
>> fh66I9s3_Ij-
>> rcq9bSBMIxBB8jTXDxe6jH78b3MIP3A$  https://urldefense.com/v3/__https://*,$(ARM
>> _TRUSTED_FIRMWARE_PATCHES)__;JQ!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-
>> rcq9bSBMIxBB8jTXDxe6jH78N2PO7_g$ ) ; do \
>> +		if test -d $$p ; then \
>> +			$(APPLY_PATCHES) $(@D) $$p \*.patch || exit 1 ; \
>> +		else \
>> +			$(APPLY_PATCHES) $(@D) `dirname $$p` `basename $$p` ||
>> exit 1; \
>> +		fi \
>> +	done
>> +endef
>> +ARM_TRUSTED_FIRMWARE_POST_PATCH_HOOKS +=
>> ARM_TRUSTED_FIRMWARE_APPLY_LOCAL_PATCHES
>> +
>> +# We have no way to know the hashes for user-supplied patches.
>> +BR_NO_CHECK_HASH_FOR += $(notdir $(ARM_TRUSTED_FIRMWARE_PATCHES))
>> +
>>   ARM_TRUSTED_FIRMWARE_INSTALL_IMAGES = YES
>>
>>   ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_DTC),y)
>> --
>> 2.26.2
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot@buildroot.org
>> https://urldefense.com/v3/__https://lists.buildroot.org/mailman/listinfo/buildroot__;!!IOGos0k!zefK7OglGeltoASai_ZVP128fh66I9s3_Ij-rcq9bSBMIxBB8jTXDxe6jH78CXtWZJI$


_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Buildroot] Enable missing security options for ISC dhcp server
  2022-01-28 14:51 [Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches Andreas Ehmanns
  2022-01-28 16:25 ` Robert Hancock via buildroot
@ 2022-04-25 15:40 ` Andreas Ehmanns
  1 sibling, 0 replies; 5+ messages in thread
From: Andreas Ehmanns @ 2022-04-25 15:40 UTC (permalink / raw)
  To: buildroot

[-- Attachment #1.1: Type: text/plain, Size: 1256 bytes --]

Dear all,
I was trying to make the ISC dhcp daemon more secure by using the -user
and -group option to let dhcp server run as non-root user.
Unfortunately these options are not available when building ISC dhcp
server with buildroot.
The reason is, that the configure script must be called with the
additional option --enable-paranoia to activate these options.
But this option is not set in the dhcp.mk file.

To be backward compatible I added a new option to the dhcp's Config.in
to enable this feature when desired.

If you are interested in this feature and can create a patch and send it
this list to make the change available to all buildroot users.
Let me know what you think. Below are some details.

Regards,
Andreas

1) Add this to Config.in:
config BR2_PACKAGE_DHCP_SERVER_ENABLE_PARANOIA
         bool "Enable paranoia options"
         depends on BR2_PACKAGE_DHCP_SERVER
         help
           Add option --enable-paranoia to configure script. This activates
           additional server options (-user, -group and -chroot) to make
dhcp server more secure.

2) And to dhcp.mk:
ifeq ($(BR2_PACKAGE_DHCP_SERVER_ENABLE_PARANOIA),y)
DHCP_CONF_OPTS += --enable-paranoia
endif

[-- Attachment #1.2: Type: text/html, Size: 2338 bytes --]

[-- Attachment #2: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-04-25 15:41 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-01-28 14:51 [Buildroot] [PATCH] boot/arm-trusted-firmware: add config option for custom patches Andreas Ehmanns
2022-01-28 16:25 ` Robert Hancock via buildroot
2022-01-28 17:16   ` Yann E. MORIN
2022-01-28 20:27   ` Andreas Ehmanns
2022-04-25 15:40 ` [Buildroot] Enable missing security options for ISC dhcp server Andreas Ehmanns

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox