[meta-security][walnascar][PATCH 0/7] Assorted fixes

[meta-security][walnascar][PATCH 0/7] Assorted fixes

[Scott Murray]

A variety of fixes for enabling CI against the walnascar branch and fixing
outstanding build issues, plus a bump of scap-security-guide to its latest
version to match master brnach since the changes are minimal.

I intent to merge these to walnascar branch in the next day or so if there
are no objections.

Changes:

Anton Antonov (1):
  parsec-service: update PACKAGECONFIG options as lists of cargo build
    features

Marta Rybczynska (5):
  scap-security-guide: fix fetch
  CI: update build for new CI
  .gitlab-ci.yml: add logging of jobs to files
  gitlab-ci.yml: fix file redirection for qemux86 build logs
  checksecurity: update the debian package

Scott Murray (1):
  scap-security-guide: upgrade 0.1.76 -> 0.1.77

 .gitlab-ci.yml                                | 45 +++++++++++--------
 .../checksecurity/checksecurity_2.0.16.bb     |  7 ++-
 meta-parsec/README.md                         |  4 +-
 .../parsec-service/parsec-service_1.4.1.bb    | 15 +++----
 ....1.76.bb => scap-security-guide_0.1.77.bb} |  4 +-
 5 files changed, 39 insertions(+), 36 deletions(-)
 rename recipes-compliance/scap-security-guide/{scap-security-guide_0.1.76.bb => scap-security-guide_0.1.77.bb} (95%)

-- 
2.39.5

[meta-security][walnascar][PATCH 1/7] scap-security-guide: fix fetch

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

The project does not use release branches; their release model currently
rebases the stable branch each release and relies on the release tags to
keep the commits referenced.  Until their release model changes, just
use the release commit with nobranch.

See upstream issue [1] for details.

[1] https://github.com/ComplianceAsCode/content/issues/13543

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
[tweaked commit message]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .../scap-security-guide/scap-security-guide_0.1.76.bb           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
index 73bd576..8615f97 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
 
 SRCREV = "616d4363527acb61c6494a97f3ceb47ec90f65fd"
-SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=https \
+SRC_URI = "git://github.com/ComplianceAsCode/content.git;nobranch=1;protocol=https \
            file://run_eval.sh \
            file://run-ptest \
            "
-- 
2.39.5

[meta-security][walnascar][PATCH 2/7] CI: update build for new CI

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories

Assume that python3 and pip are installed.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .gitlab-ci.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 46ab4a9..32ce2b9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,10 +1,12 @@
 .before-my-script: &before-my-script
     - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
     - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
+    - echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir
     - export PATH=~/.local/bin:$PATH
-    - wget https://bootstrap.pypa.io/get-pip.py
-    - python3 get-pip.py
+    - python3 -m venv ~/kas_env/
+    - source ~/kas_env/bin/activate
     - python3 -m pip install kas
+    - mkdir -p $CI_PROJECT_DIR/build/tmp/log/error-report/
 
 .after-my-script: &after-my-script
     - cd $CI_PROJECT_DIR/poky
-- 
2.39.5

[meta-security][walnascar][PATCH 3/7] .gitlab-ci.yml: add logging of jobs to files

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

Log kas commands to files and export them as artefacts

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .gitlab-ci.yml | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 32ce2b9..628b0e6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,6 +7,7 @@
     - source ~/kas_env/bin/activate
     - python3 -m pip install kas
     - mkdir -p $CI_PROJECT_DIR/build/tmp/log/error-report/
+    - mkdir -p $CI_PROJECT_DIR/log/
 
 .after-my-script: &after-my-script
     - cd $CI_PROJECT_DIR/poky
@@ -28,6 +29,10 @@ stages:
   stage: base 
   after_script:
     - *after-my-script
+  artifacts:
+    paths:
+      - $CI_PROJECT_DIR/log/*
+    when: always
 
 .parsec:
   before_script:
@@ -53,72 +58,72 @@ stages:
 qemux86:
   extends: .base
   script:
-  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k security-build-image integrity-image-minimal"
-  - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
+  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k security-build-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_security_image.txt
+  - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml 2>&1 | tee CI_PROJECT_DIR/log/qemux86_harden_image.txt
 
 qemux86-musl:
   extends: .musl
   needs: ['qemux86']
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_musl_security_image.txt
 
 qemux86-parsec:
   extends: .parsec
   needs: ['qemux86']
   script:
-  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_parsec_security_image.txt
 
 qemux86-test:
   extends: .test
   needs: ['qemux86']
   allow_failure: true
   script:
-  - kas build --target security-test-image kas/$CI_JOB_NAME.yml
-  - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_test_security_image.txt
+  - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_testimage_security_image.txt
 
 qemux86-64:
   extends: .base
   script:
-  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal"
-  - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
-  - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
+  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_image.txt
+  - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_dm_verify.txt
+  - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_build_image.txt
 
 qemux86-64-parsec:
   extends: .parsec
   needs: ['qemux86-64']
   script:
-  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_parsec_security_image.txt
 
 qemuarm:
   extends: .base
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_security_image.txt
 
 qemuarm-parsec:
   extends: .parsec
   needs: ['qemuarm']
   script:
-  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_parsec_security_image.txt
 
 qemuarm64:
   extends: .base
   script:
-  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal"
-  - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
+  - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt
+  - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_build_security_image.txt
 
 qemuarm64-musl:
   extends: .musl
   needs: ['qemuarm64']
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_musl_security_image.txt
 
 qemuarm64-parsec:
   extends: .parsec
   needs: ['qemuarm64']
   script:
-  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt
 
 qemuriscv64:
   extends: .base
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuriscv64_security_image.txt
-- 
2.39.5

[meta-security][walnascar][PATCH 4/7] gitlab-ci.yml: fix file redirection for qemux86 build logs

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 628b0e6..80b2dfd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -59,7 +59,7 @@ qemux86:
   extends: .base
   script:
   - kas shell kas/$CI_JOB_NAME.yml  -c "bitbake -k security-build-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_security_image.txt
-  - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml 2>&1 | tee CI_PROJECT_DIR/log/qemux86_harden_image.txt
+  - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_harden_image.txt
 
 qemux86-musl:
   extends: .musl
-- 
2.39.5

[meta-security][walnascar][PATCH 5/7] checksecurity: update the debian package

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

The previously used package (nmu1) is not longer available, use the latest current
one (nmu3). The changelog between the two:

checksecurity (2.0.16+nmu3) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix "missing required debian/rules targets build-arch and/or build-
    indep": Add targets to debian/rules.
    (Closes: #999082)
  * Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm":
    Bump to 7 in debian/{compat,control}.
    (Closes: #965448)
  * Fix some grave packaging errors:
    - move debhelper from Build-Depends-Indep to Build-Depends
    - remove temporary files debian/postrm.debhelper and debian/substvars from
      source package

 -- gregor herrmann <gregoa@debian.org>  Sun, 26 Dec 2021 01:56:10 +0100

checksecurity (2.0.16+nmu2) unstable; urgency=medium

  * Non maintainer upload by the Reproducible Builds team.
  * No source change upload to rebuild on buildd with .buildinfo files.

 -- Holger Levsen <holger@debian.org>  Fri, 01 Jan 2021 19:17:53 +0100

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .../recipes-scanners/checksecurity/checksecurity_2.0.16.bb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
index 8006c9f..6a223f8 100644
--- a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
+++ b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
@@ -4,14 +4,13 @@ SECTION = "security"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \
+SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu3.tar.gz \
            file://check-setuid-use-more-portable-find-args.patch \
           "
 
-SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0"
-
-S = "${WORKDIR}/checksecurity-${PV}+nmu1"
+SRC_URI[sha256sum] = "12b043dc7b38512cdf0735c7c147a4f9e60d83a397b5b8ec130c65ceddbe1a0c"
 
+S = "${WORKDIR}/checksecurity-${PV}+nmu3"
 
 # allow for anylocal, no need to patch
 LOGDIR="/etc/checksecurity"
-- 
2.39.5

[meta-security][walnascar][PATCH 6/7] parsec-service: update PACKAGECONFIG options as lists of cargo build features

[Scott Murray]

From: Anton Antonov <anton.antonov@arm.com>

After commit 7a2b9acef2 "cargo: pass PACKAGECONFIG_CONFARGS to cargo build"
we don't need to include Parsec cargo build features into CARGO_BUILD_FLAGS.
Let's update PACKAGECONFIG options as lists of features.

A small fix in readme.md as well.

Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 meta-parsec/README.md                             |  4 ++--
 .../parsec-service/parsec-service_1.4.1.bb        | 15 ++++++---------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/meta-parsec/README.md b/meta-parsec/README.md
index 785c932..90decaf 100644
--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -112,7 +112,7 @@ You might need to change permissions or add the account into `kvm` unix group.
 
 - Add into your `local.conf`:
 ```
-INHERIT += "testimage"
+IMAGE_CLASSES += "testimage"
 TEST_SUITES = "ping ssh parsec"
 ```
 - Build your image
@@ -129,7 +129,7 @@ bitbake <your-image> -c testimage
 - Add into your `local.conf`:
 ```
 DISTRO_FEATURES += " tpm2"
-INHERIT += "testimage"
+IMAGE_CLASSES += "testimage"
 TEST_SUITES = "ping ssh parsec"
 ```
 - Build security-parsec-image image
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
index 49467cd..baa02fb 100644
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
@@ -21,15 +21,12 @@ PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO"
 have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}"
 PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}"
 
-PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"
-PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"
-PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
-PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
-PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
-PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"
-
-PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS').strip().replace(' ', ',')}"
-CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"
+PACKAGECONFIG[ALL] = "-F all-providers -F cryptoki/generate-bindings -F tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"
+PACKAGECONFIG[TPM] = "-F tpm-provider -F tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"
+PACKAGECONFIG[PKCS11] = "-F pkcs11-provider -F cryptoki/generate-bindings,"
+PACKAGECONFIG[MBED-CRYPTO] = "-F mbed-crypto-provider,"
+PACKAGECONFIG[CRYPTOAUTHLIB] = "-F cryptoauthlib-provider,"
+PACKAGECONFIG[TS] = "-F trusted-service-provider,,libts,libts"
 
 export BINDGEN_EXTRA_CLANG_ARGS
 target = "${@d.getVar('TARGET_SYS').replace('-', ' ')}"
-- 
2.39.5

[meta-security][walnascar][PATCH 7/7] scap-security-guide: upgrade 0.1.76 -> 0.1.77

[Scott Murray]

Update to latest version to pick up fixes required for building with
CMake 4.0.

ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.77

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 ...p-security-guide_0.1.76.bb => scap-security-guide_0.1.77.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-compliance/scap-security-guide/{scap-security-guide_0.1.76.bb => scap-security-guide_0.1.77.bb} (98%)

diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb
similarity index 98%
rename from recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
rename to recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb
index 8615f97..4da6c66 100644
--- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.76.bb
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.77.bb
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
 
-SRCREV = "616d4363527acb61c6494a97f3ceb47ec90f65fd"
+SRCREV = "c1e1ba121d32b3c319b0e25ee2993b62386e5857"
 SRC_URI = "git://github.com/ComplianceAsCode/content.git;nobranch=1;protocol=https \
            file://run_eval.sh \
            file://run-ptest \
-- 
2.39.5

Re: [meta-security][walnascar][PATCH 0/7] Assorted fixes

[Scott Murray]

On Mon, 18 Aug 2025, Marta Rybczynska (Ygreky) wrote:

>
> On 17/08/2025 11:07 PM, Scott Murray wrote:
> > A variety of fixes for enabling CI against the walnascar branch and fixing
> > outstanding build issues, plus a bump of scap-security-guide to its latest
> > version to match master brnach since the changes are minimal.
> >
> > I intent to merge these to walnascar branch in the next day or so if there
> > are no objections.
> >
> > Changes:
> >
> > Anton Antonov (1):
> >    parsec-service: update PACKAGECONFIG options as lists of cargo build
> >      features
> >
> > Marta Rybczynska (5):
> >    scap-security-guide: fix fetch
> >    CI: update build for new CI
> >    .gitlab-ci.yml: add logging of jobs to files
> >    gitlab-ci.yml: fix file redirection for qemux86 build logs
> >    checksecurity: update the debian package
> >
> > Scott Murray (1):
> >    scap-security-guide: upgrade 0.1.76 -> 0.1.77
> >
> >   .gitlab-ci.yml                                | 45 +++++++++++--------
> >   .../checksecurity/checksecurity_2.0.16.bb     |  7 ++-
> >   meta-parsec/README.md                         |  4 +-
> >   .../parsec-service/parsec-service_1.4.1.bb    | 15 +++----
> >   ....1.76.bb => scap-security-guide_0.1.77.bb} |  4 +-
> >   5 files changed, 39 insertions(+), 36 deletions(-)
> >   rename
> >   recipes-compliance/scap-security-guide/{scap-security-guide_0.1.76.bb =>
> >   scap-security-guide_0.1.77.bb} (95%)
> >
>
> Good idea to backport those. I'll run a walnascar branch CI to make sure, but
> I expect no surprises.

I've gone ahead and merged these to the walnascar branch to unblock
anyone needing checksecurity or scap-security-guide.  There's still a
branch-specific patch to the CI configuration outstanding to make running
it against walnascar straightforward, but I have smoke tested most of
the build configurations locally with gitlab-ci-local.

Scott