Re: [yocto] Error: when reparsing
Hi

Can you paste your image recipe? I remember a similar issue here but I don't remember how I solved it.
The recipe can help a lot to understand.

Fabien

On Fri, 2017-05-19 at 08:30 +0200, Yuvarajesh Valleru wrote:
> Ok. So according to you I can only build one image per day successfully?
>
>
> On 18.05.2017 at 18:00, Khem Raj wrote:
> > On Thu, May 18, 2017 at 8:14 AM, Yuvarajesh Valleru wrote:
> > > Hi,
> > >
> > > I was building a custom-linux-image. I successfully built the image with
> > > the help of the bitbake tool.
> > >
> > > When rebuilding the same image again, I was experiencing an error.
> > >
> > > ERROR: When reparsing .do_install, the basehash value changed from
> > > 3c2401cc61fce5eb899de19dbf78862f to 558516a74162944aff656a7d01321b12. The
> > > metadata is not deterministic and this needs to be fixed.
> > >
> > > Then I deleted build/tmp and build/sstate, and again tried to rebuild.
> > > But now I encountered another error.
> > >
> > > Error:
> > >
> > > packagegroup-sdk-host_1.0-r11_all.ipk
> > > Matched in b manifest-i686-nativesdk-packagegroup-sdk-host.deploy-ipk
> > > Please verify which package should provide the above files.
> > > NOTE: Tasks Summary: Attempted 3172 tasks of which 2449 didn't need to be
> > > rerun and all succeeded.
> > >
> > > I deleted all the files in /deploy/ipk, build/sstate, build/tmp-glibc and
> > > also deploy/sdk/ for building a new image.
> > >
> > > Is there any alternative for rebuilding the image without the above errors
> > > and without deleting the files every time?
> >
> > If you are using DATE, TIME or a combination of these
> > variables in metadata then this could cause
> > such issues.
> >
> > > Best Regards,
> > > Rajesh

--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
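Khem Raj's point about DATE and TIME in the thread above, as an added example that is not part of the original messages and is not BitBake's own code: a simplified model of a task hash built from the unexpanded task body and the variables it reaches, showing how a clock-derived variable changes the hash on every parse and how to trace which input did it. The variable IMAGE_STAMP, the task body and the sample values are constructed; the `exclude` argument plays the role that a task's `vardepsexclude` flag plays in BitBake.

```python
import hashlib
import re

REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def transitive_deps(text, variables, exclude=frozenset()):
    """Every variable reachable through ${...} references, skipping excluded names."""
    seen, stack = set(), REF.findall(text)
    while stack:
        name = stack.pop()
        if name in seen or name in exclude or name not in variables:
            continue
        seen.add(name)
        stack.extend(REF.findall(variables[name]))
    return seen


def basehash(task_body, variables, exclude=frozenset()):
    """Hash the unexpanded task body plus the unexpanded value of each dependency."""
    digest = hashlib.sha256(task_body.encode())
    for name in sorted(transitive_deps(task_body, variables, exclude)):
        digest.update(f"\0{name}={variables[name]}".encode())
    return digest.hexdigest()


def unstable_inputs(task_body, first_parse, second_parse):
    """Dependencies whose value differs between two parses of the same metadata."""
    deps = transitive_deps(task_body, first_parse) | transitive_deps(task_body, second_parse)
    return sorted(n for n in deps if first_parse.get(n) != second_parse.get(n))


def parse(clock):
    """Constructed metadata; `clock` stands in for the wall clock at parse time."""
    return {
        "DATETIME": clock,                   # set from the clock on every parse
        "IMAGE_STAMP": "build-${DATETIME}",  # hypothetical variable, indirect use of the timestamp
        "D": "/work/image",
        "PN": "custom-linux-image",
    }


# Constructed task body; it never mentions DATETIME directly.
DO_INSTALL = 'echo "${IMAGE_STAMP}" > ${D}/etc/build-id  # ${PN}'

if __name__ == "__main__":
    first, second = parse("20170518151400"), parse("20170518151401")
    # The two parses are one second apart, which is enough to change the hash.
    print("changed:", basehash(DO_INSTALL, first) != basehash(DO_INSTALL, second))
    # Trace the unstable input even though the task only names IMAGE_STAMP.
    print("culprits:", unstable_inputs(DO_INSTALL, first, second))
    # Leaving the clock-derived variable out of the signature makes it stable again.
    excl = {"DATETIME"}
    print("stable when excluded:",
          basehash(DO_INSTALL, first, excl) == basehash(DO_INSTALL, second, excl))
```

The hash is stable once the timestamp is kept out of the signature, which is why deleting tmp and sstate does not help: the input that changes is the metadata itself, not the build output.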
Re: [yocto] What can I share between projects?
On Thu, 2017-05-18 at 18:43 -0700, Paul D. DeRocco wrote:
> If I'm doing multiple unrelated Yocto based projects, and they use the
> same version of Yocto, and the same metadata (except for my own layers),
> am I right in assuming that I can share everything in poky, downloads, and
> sstate-cache, and I only need separate build directories? (I normally put
> downloads and sstate-cache next to my build directory, rather than inside
> it.)
>

I do it successfully with poky and downloads.
I think the sstate-cache question is more complex and I cannot ensure it works fine in all cases. For example, what happens if you modify a software with different CFLAGS or build options?

> --
>
> Ciao, Paul D. DeRocco
> Paul mailto:pdero...@ix.netcom.com
>
Re: [yocto] Install Torch7
On Thu, 2017-05-18 at 13:34 +, Abayiz wrote:
> Dear Fabien and Jussi,
>
> Thank you very much for your time and concern.
> After your suggestion I tried to find out all those packages installed by "bash install-deps".
> However I found that these deps are required to build JIT version of Lua, as mentioned on the
> official Torch website.

good

> So instead I used Lua 5.2 instead of JIT, which does not require to run "bash install-deps" first.
> And this time after I generated Torch recipe using devtool and tried to build it, the compilation
> proceeded to nearly 96%, then throws an error saying:
>
> Could NOT find Wget (missing: WGET_EXECUTABLE)
> | -- Could NOT find MD5 (missing: MD5_EXECUTABLE)
> | -- curl found instead of wget
> :/home/abayiz/trunk/poky/build-hello/tmp/work/i586-poky-linux/torch/2.1devel+git999-r0/recipe-sysroot-native/usr/bin/curl
> | CMake Error at exe/luajit-rocks/luarocks/CMakeLists.txt:77 (MESSAGE):
> | MD5 checker not found
>
> However in the 'devtool' generated recipe file, I found this line:
>
> # NOTE: unable to map the following CMake package dependencies: CUDA CUDNN BLAS ARM Torch SSE MD5 MAGMA LAPACK Readline
>
> Seems like wget is already set as build-time dependency but the system doesn't see it, as well as
> MD5. Do you have any suggestion for that?

Maybe wget is needed for host and not target. As they expect "EXECUTABLE", I think it is more a RDEPENDS needed.
Maybe your soft is not cross compilable as is and should be patched.
You need to understand why tools are necessary and fix accordingly.

> Thank you again.
> Best.
>
>
> On Thursday, May 18, 2017 4:17 PM, Fabien Lahoudere wrote:
>
>
> On Thu, 2017-05-18 at 12:02 +, Abayiz wrote:
> > Dear Fabien,
> >
> > Thank you very much for your reply.
> > No, I didn't try 'devtool edit-recipe torch' to add dependencies. Actually I didn't know how to
> > add them. Is there any way to directly call that .sh file there??
> > Could you give me a minimal example to illustrate it?
>
> Usually we add build dependencies with DEPENDS = "..." and runtime dependencies with RDEPENDS =
> "..."
>
> So you need to check dependencies installed by "bash install-deps".
> Can you list them? Maybe recipes exist, in which case you have to add them to the variable
> described above.
>
> > Thank you.
> >
> >
> > On Thursday, May 18, 2017 10:17 AM, Fabien Lahoudere wrote:
> >
> >
> > On Wed, 2017-05-17 at 08:37 +, Abayiz wrote:
> > > Dear all,
> > >
> > > I'm quite new to Yocto, I've successfully built qemu and ran helloworld example on it. Now I'm
> > > trying to install Torch 7 (https://github.com/torch/torch7) library. What I did is:
> > >
> > > devtool add torch https://github.com/torch/torch7.git
> > > devtool build torch
> > >
> > > But the build exits with error, in the attachment I share the log file with you.
> > > My host machine runs Ubuntu 16.04 LTS, and Torch7 is successfully running on it. The installation
> > > of Torch first requires to run the 'bash install-deps' command on Ubuntu. My rough estimation is
> > > that Yocto seems like cannot build those dependencies automatically.
> > >
> > > Could someone give any help on it? Installing Torch7 is very important to my project now, thank
> > > you in advance.
> > >
> >
> > Did you try "devtool edit-recipe torch" to add dependencies to the recipe and configure "cache
> > variables" appropriately?
> >
> > > Best,
> > > Abayiz
Re: [yocto] [poky/classes] [PATCH] new alternatesrc.bbclass
On 05/18/2017 09:11 PM, Koehler, Yannick (HPN Aruba) wrote: +# alternatesrc.bbclass enables use of an optionally existing source tree, usually external +# to the build system to build a piece of software rather than the usual fetch/unpack +# process. +# +# To use, add alternatesrc to the global inherit and set ALTERNATESRC to point at the +# directory you want to use containing the sources e.g. from local.conf for a recipe +# called "myrecipe" you would do: +# +# INHERIT += "alternatesrc" +# ALTERNATESRC_pn-myrecipe = "/path/to/my/source/tree" Seems to me that this use case is already handled by 'devtool modify'. Alex -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
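Review bot: the header comment of alternatesrc.bbclass calls the source tree "optionally existing" but never says what the class does when the path in ALTERNATESRC_pn-myrecipe is missing. State next to the local.conf example whether the recipe then falls back to the usual fetch/unpack or fails the build, because a silent fallback changes which sources end up in the image. The comment should also say whether the recipe's checksums and SRCREV are still checked for a tree taken from ALTERNATESRC, since the class replaces the fetch step where that checking normally happens.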
Re: [yocto] [PATCHv2][meta-gplv2] gnutls: add older gnutls compatible with nettle
ping This is needed in both pyro and master branches. And possibly in morty branch, but I haven't seen any replies about it in my RFC. On Mon, Apr 24, 2017 at 4:29 PM, Martin Jansa wrote: > * gnutls depends on nettle-3.1* since 3.4.0: > The requirement for nettle was bumped from 3.0 to 3.1 in gnutls_3_4_0 > https://gitlab.com/gnutls/gnutls/commit/c84129af91b21d33ffe086e5076327 > 71b0e76498 > and from 2.7 to 3.0 a bit earlier also in gnutls_3_4_0 > https://gitlab.com/gnutls/gnutls/commit/3fa80cf68919f07b3351b2722278ba > 463d6e731c > * add recipe for last release in 3.3 branch which is compatible > with nettle 2.7.1 used in meta-gplv2 > > Signed-off-by: Martin Jansa > --- > .../gnutls/configure.ac-fix-sed-command.patch | 31 > ++ > recipes-support/gnutls/gnutls_3.3.27.bb| 23 > 2 files changed, 54 insertions(+) > create mode 100644 recipes-support/gnutls/gnutls/ > configure.ac-fix-sed-command.patch > create mode 100644 recipes-support/gnutls/gnutls_3.3.27.bb > > diff --git a/recipes-support/gnutls/gnutls/configure.ac-fix-sed-command.patch > b/recipes-support/gnutls/gnutls/configure.ac-fix-sed-command.patch > new file mode 100644 > index 000..44a9934 > --- /dev/null > +++ b/recipes-support/gnutls/gnutls/configure.ac-fix-sed-command.patch 
> @@ -0,0 +1,31 @@ > +From eb93aa7b986c84da60a3db40afb29d1a70c50223 Mon Sep 17 00:00:00 2001 > +From: Robert Yang > +Date: Sat, 17 Jan 2015 17:02:15 + > +Subject: [PATCH] configure.ac: fix sed command > + > +The "sed 's/.bak//g'" matchs "bitbake", which would cause strange errors > +when the S contains "bitbake", fix to "sed 's/\.bak$//'`" > + > +Upstream-Status: Pending > + > +Signed-off-by: Robert Yang > +--- > + configure.ac | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/configure.ac b/configure.ac > +index c6818a0..1c4582d 100644 > +--- a/configure.ac > b/configure.ac > +@@ -466,7 +466,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";then > + dnl replace libopts-generated files with distributed backups, if > present > + missing_baks= > + for i in ${srcdir}/src/*-args.c.bak ${srcdir}/src/*-args.h.bak; do > +- nam=`echo $i|sed 's/.bak//g'` > ++ nam=`echo $i|sed 's/\.bak$//'` > + if test -f $i;then > + cp -f $i $nam > + else > +-- > +2.0.1 > + > diff --git a/recipes-support/gnutls/gnutls_3.3.27.bb > b/recipes-support/gnutls/gnutls_3.3.27.bb > new file mode 100644 > index 000..c98da34 > --- /dev/null > +++ b/recipes-support/gnutls/gnutls_3.3.27.bb 
> @@ -0,0 +1,23 @@ > +require recipes-support/gnutls/gnutls.inc > + > +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ > +file://COPYING.LESSER;md5= > a6f89e2100d9b6cdffcea4f398e37343" > + > +FILESEXTRAPATHS_prepend = "${COREBASE}/meta/recipes- > support/${BPN}/${BPN}:" > + > +SRC_URI += " \ > +file://correct_rpl_gettimeofday_signature.patch \ > +file://configure.ac-fix-sed-command.patch \ > +file://use-pkg-config-to-locate-zlib.patch \ > +" > +SRC_URI[md5sum] = "8ee8cebd7f7575b11f232766a21c31d3" > +SRC_URI[sha256sum] = "8dfda16c158ef5c134010d51d1a91d > 02aa5d43b8cb711b1572650a7ffb56b17f" > + > +# This version doesn't support this option added in newer gnutls > +# ERROR: gnutls-3.3.27-r0 do_configure: QA Issue: gnutls: configure was > passed unrecognised options: --with-idn [unknown-configure-option] > +PACKAGECONFIG[libidn] = "" > +# but it still has the libidn dependency, without this option > +EXTRA_OECONF += "--disable-crywrap" > + > +# This version doesn't support this option added in newer gnutls > +EXTRA_OECONF_remove = "--without-libunistring-prefix" > -- > 2.12.2 > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
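Review bot: in gnutls_3.3.27.bb the comment "but it still has the libidn dependency, without this option" sits directly above EXTRA_OECONF += "--disable-crywrap", and the line before it sets PACKAGECONFIG[libidn] = "", which empties any configure arguments and dependencies gnutls.inc attached to that flag. Nothing visible in the hunk puts libidn back into DEPENDS, so either add the dependency explicitly or reword the comment so it explains why --disable-crywrap follows from the missing --with-idn option. Since the commit message describes this as the last release in the 3.3 branch, a line in the recipe saying why it is pinned there (nettle 2.7.1 in meta-gplv2) would also help whoever has to track security fixes for it.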
Re: [yocto] QtWebEngine cannot show google sites due to certificate errors
On 10-05-17 12:52, Andrea Picaro wrote:
> Hello,
> I compiled Yocto Morty for an mx6 machine. QtWebEngine works fine for all sites (included https by ignoring certificate errors) apart from google sites.
> I've found other info about this issue googling around but it seemed to be solved in latest chromium builds and none of the solutions tested gave results.
> All google sites give ERR_INSECURE_RESPONSE and I see this error in console:
>
> ERROR:cert_verify_proc_openssl.cc(238)] X509 Verification error certificate has expired : 10 : 3 : 2

Sounds like a clock mismatch. Set the time and date of your machine to something close to the real world, and usually this solves it.

Kind regards,

Mike Looijmans
System Expert

TOPIC Products
Materiaalweg 4, NL-5681 RJ Best
Postbus 440, NL-5680 AK Best
Telefoon: +31 (0) 499 33 69 79
E-mail: mike.looijm...@topicproducts.com
Website: www.topicproducts.com

Please consider the environment before printing this e-mail

Join our presentation at Electronics & Applications 2017:
FPGA for real-time data processing, subject “Hardware platform for industrial ultrasound steel plate Inspection”
Topic Embedded Systems - Herman Kuster, 1st June 10 AM
Visit http://eabeurs.nl/author/612884/ for more information
Re: [yocto] What can I share between projects?
On 19-05-17 03:43, Paul D. DeRocco wrote:
> If I'm doing multiple unrelated Yocto based projects, and they use the
> same version of Yocto, and the same metadata (except for my own layers),
> am I right in assuming that I can share everything in poky, downloads, and
> sstate-cache, and I only need separate build directories? (I normally put
> downloads and sstate-cache next to my build directory, rather than inside
> it.)

You can share BOTH the downloads and sstate-cache.

You can safely share sstate-cache between various versions of Yocto (OE) and distros, machines, etc., it was designed just for that.

Our build server keeps a single sstate-cache for about 30 projects, with 4 versions of OE, 3 distros, and a dozen MACHINE configs. No problems encountered.

Kind regards,

Mike Looijmans
Re: [yocto] [meta-security][PATCH] packagegroup-security-tpm-i2c: fix syntax
On 05/18/2017 09:29 PM, Peter Lei wrote: Fix "ERROR: ExpansionError during parsing" when building with multilib. merged. thanks Signed-off-by: Peter Lei --- meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb index d3d9ebc..2d93aca 100644 --- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb +++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb @@ -10,7 +10,7 @@ PACKAGES = "packagegroup-security-tpm-i2c" SUMMARY_packagegroup-security-tpm-i2c = "Security TPM i2c support" RDEPENDS_packagegroup-security-tpm-i2c = " \ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \ -${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2, '', d)} \ +${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \ kernel-module-tpm-i2c-atmel \ kernel-module-tpm-i2c-infineon \ kernel-module-tpm-i2c-nuvoton \ -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
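Review bot: the commit message names only the symptom ("ExpansionError during parsing" with multilib), while the changed RDEPENDS line shows the cause, a missing closing quote after 'packagegroup-security-tpm2' inside the bb.utils.contains() call. Say that in the message so the fix can be found by someone searching for the expression rather than the error text, and note whether the unterminated string was only evaluated in multilib builds, which would explain why it parsed elsewhere.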
Re: [yocto] [meta-security][morty][PATCH] tpm2.0-tss: Fix build issue with tpm2-abrmd recipe
On 05/12/2017 05:54 AM, Jagadeesh Krishnanjanappa wrote: It solves tpm2-abrmd recipe build failure (as mentioned below) as none of the tpm2.0-tss header files define MAX_LOADED_OBJECTS1 macro. The macro name should be MAX_LOADED_OBJECTS. -- snip -- | from ../tpm2-abrmd/src/include/tabrmd.h:31, | from ../tpm2-abrmd/src/access-broker.c:31: | ../tpm2-abrmd/src/access-broker.c: In function 'access_broker_get_trans_object_count': | ../tpm2-abrmd/src/access-broker.c:549:34: error: 'MAX_LOADED_OBJECTS1' undeclared (first use in this function) -- snip -- merged. Armin Signed-off-by: Jagadeesh Krishnanjanappa --- ...2_types.h-Fix-broken-TRANSIENT_LAST-macro.patch | 29 ++ recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb | 3 ++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 recipes-tpm/tpm2.0-tss/tpm2.0-tss/0001-tss2_tpm2_types.h-Fix-broken-TRANSIENT_LAST-macro.patch diff --git a/recipes-tpm/tpm2.0-tss/tpm2.0-tss/0001-tss2_tpm2_types.h-Fix-broken-TRANSIENT_LAST-macro.patch b/recipes-tpm/tpm2.0-tss/tpm2.0-tss/0001-tss2_tpm2_types.h-Fix-broken-TRANSIENT_LAST-macro.patch new file mode 100644 index 000..74f82be --- /dev/null +++ b/recipes-tpm/tpm2.0-tss/tpm2.0-tss/0001-tss2_tpm2_types.h-Fix-broken-TRANSIENT_LAST-macro.patch 
@@ -0,0 +1,29 @@ +From 92a0830306c2eb3081b5ac3329f7504cd58d670b Mon Sep 17 00:00:00 2001 +From: Philip Tricca +Date: Thu, 12 Jan 2017 11:55:52 -0800 +Subject: [PATCH] tss2_tpm2_types.h: Fix broken TRANSIENT_LAST macro. + +Upstream-Status: Backport + +Signed-off-by: Philip Tricca +Signed-off-by: Jagadeesh Krishnanjanappa +--- + include/sapi/tss2_tpm2_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/sapi/tss2_tpm2_types.h b/include/sapi/tss2_tpm2_types.h +index 48cc1dc..aa41c06 100644 +--- a/include/sapi/tss2_tpm2_types.h b/include/sapi/tss2_tpm2_types.h +@@ -452,7 +452,7 @@ typedefTPM_HANDLE TPM_HC; + #define TRANSIENT_FIRST (HR_TRANSIENT + 0 ) /* first transient object */ + #define ACTIVE_SESSION_FIRST(POLICY_SESSION_FIRST ) /* used in GetCapability */ + #define ACTIVE_SESSION_LAST (POLICY_SESSION_LAST ) /* used in GetCapability */ +-#define TRANSIENT_LAST (TRANSIENT_FIRST+MAX_LOADED_OBJECTS1 ) /* last transient object */ ++#define TRANSIENT_LAST (TRANSIENT_FIRST + MAX_LOADED_OBJECTS - 1 ) /* last transient object */ + #define PERSISTENT_FIRST(HR_PERSISTENT + 0 ) /* first persistent object */ + #define PERSISTENT_LAST (PERSISTENT_FIRST + 0x00FF ) /* last persistent object */ + #define PLATFORM_PERSISTENT (PERSISTENT_FIRST + 0x0080 ) /* first platform persistent object */ +-- +2.6.4 + diff --git a/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb b/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb index c4b5c8c..2910741 100644 --- a/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb +++ b/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb 
@@ -7,7 +7,8 @@ SECTION = "tpm" SRCREV = "8e25d0cbb287d30c93b2b77e99bc761dc67e31a9" SRC_URI = " \ git://github.com/01org/TPM2.0-TSS.git;protocol=git;branch=master;name=TPM2.0-TSS;destsuffix=TPM2.0-TSS \ -file://ax_pthread.m4" +file://ax_pthread.m4 \ +file://0001-tss2_tpm2_types.h-Fix-broken-TRANSIENT_LAST-macro.patch" inherit autotools pkgconfig -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
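Review bot: the added 0001-tss2_tpm2_types.h-Fix-broken-TRANSIENT_LAST-macro.patch is marked "Upstream-Status: Backport" but its header does not say which upstream branch or release carries the commit named in its From line, while tpm2.0-tss_git.bb stays pinned at the same SRCREV. Add that reference to the patch header so the file can be dropped from SRC_URI as soon as SRCREV moves past the upstream fix, instead of failing to apply or being carried indefinitely.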
Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe
On 05/17/2017 12:56 AM, jackie.hu...@windriver.com wrote: From: Jackie Huang eCryptfs is a stacked cryptographic filesystem that ships in Linux kernel versions 2.6.19 and above. This package provides the mount helper and supporting libraries to perform key management and mount functions. Signed-off-by: Jackie Huang This has the following warning: WARNING: libpam-1.3.0-r5 do_pam_sanity: Building libpam but 'pam' isn't in DISTRO_FEATURES, PAM won't work correctly I noticed this package has the ability to disable-pam so maybe PACKAGECONFIG with the DISTRO_FEATURES check for PAM would be applicable in this case? please investigate. everything else looks fine for inclusion to meta-security. regards, Armin --- .../ecryptfs-utils/ecryptfs-utils_111.bb | 52 + .../files/ecryptfs-utils-CVE-2016-6224.patch | 65 ++ 2 files changed, 117 insertions(+) create mode 100644 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb create mode 100644 recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb new file mode 100644 index 000..49c2605 --- /dev/null +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb 
@@ -0,0 +1,52 @@ +SUMMARY = "The eCryptfs mount helper and support libraries" +DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \ +that ships in Linux kernel versions 2.6.19 and above. This \ +package provides the mount helper and supporting libraries \ +to perform key management and mount functions." +HOMEPAGE = "https://launchpad.net/ecryptfs"; +SECTION = "base" + +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" + +DEPENDS = "keyutils libgcrypt libpam nss intltool-native glib-2.0-native" + +inherit autotools pkgconfig + +SRC_URI = "\ + https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \ +file://ecryptfs-utils-CVE-2016-6224.patch \ +" + +SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" +SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f" + +PARALLEL_MAKEINST="" + +EXTRA_OECONF = "\ +--libdir=${base_libdir} \ +--disable-pywrap \ +--disable-nls \ +--enable-openssl=no \ +" + +do_configure_prepend() { +export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" +export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3" +export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" +export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" +} + +do_install_append() { +chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private +mkdir -p ${D}/${libdir} +mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} +sed -i -e 's:-I${STAGING_INCDIR}::' \ + -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc +sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap +} + +FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" + +RDEPENDS_${PN} += "cryptsetup" +RRECOMMENDS_${PN} = "gettext-runtime" 
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch new file mode 100644 index 000..4252f97 --- /dev/null +++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch @@ -0,0 +1,65 @@ +From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001 +From: Li Zhou +Date: Mon, 5 Sep 2016 10:28:08 +0800 +Subject: [PATCH] ecryptfs-utils: CVE-2016-6224 + +src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from +being automatically enabled by systemd. This bug affected GPT partitioned +NVMe/MMC drives and resulted in the swap partition being used without +encryption. It also resulted in a usability issue in that users were +erroneously prompted to enter a pass-phrase to unlock their swap partition +at boot. (LP: #1597154) + +the patch comes from: +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 +https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 + +Upstream-Status: backport + +Signed-off-by: Li Zhou +--- + ChangeLog | 9 + + src/utils/ecryptfs-setup-swap | 10 -- + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index d255a94..2c9c73e 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,12 @@ ++ecryptfs-utils-112 ++ [ Jason Gerard DeRose ] ++ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from ++being automatically enabled by systemd. This bug affected GPT partitioned ++NVMe/MMC drives and resulted in the swap partition being used without ++encryption. It also resulted in a usability issue in that users were ++erroneously pro
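Review bot: do_install_append in ecryptfs-utils_111.bb runs chmod 4755 on ${D}${base_sbindir}/mount.ecryptfs_private without a comment, so every image that pulls in this recipe ships a setuid-root mount helper. Add a comment stating why the setuid bit is required, and consider splitting the helper into its own package so images that only need the libraries do not carry it. In the same series, the CVE patch header uses "Upstream-Status: backport" in lower case where the other patches on this list use "Backport".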
Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe
> -Original Message- > From: akuster808 [mailto:akuster...@gmail.com] > Sent: Friday, May 19, 2017 22:50 > To: Huang, Jie (Jackie); yocto@yoctoproject.org > Subject: Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe > > > > On 05/17/2017 12:56 AM, jackie.hu...@windriver.com wrote: > > From: Jackie Huang > > > > eCryptfs is a stacked cryptographic filesystem that ships > > in Linux kernel versions 2.6.19 and above. This package > > provides the mount helper and supporting libraries to > > perform key management and mount functions. > > > > Signed-off-by: Jackie Huang > > This has the following warning: > WARNING: libpam-1.3.0-r5 do_pam_sanity: Building libpam but 'pam' isn't > in DISTRO_FEATURES, PAM won't work correctly > > I noticed this package has the ability to disable-pam so maybe > PACKAGECONFIG with the DISTRO_FEATURES check for PAM would be > applicable > in this case? > > please investigate. I will investigate and fix the warning. Thanks, Jackie > > everything else looks fine for inclusion to meta-security. > > regards, > Armin > > > --- > > .../ecryptfs-utils/ecryptfs-utils_111.bb | 52 + > > .../files/ecryptfs-utils-CVE-2016-6224.patch | 65 > ++ > > 2 files changed, 117 insertions(+) > > create mode 100644 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb > > create mode 100644 > > recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE- > 2016-6224.patch > > > > diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb > > b/recipes- > security/ecryptfs-utils/ecryptfs-utils_111.bb > > new file mode 100644 > > index 000..49c2605 > > --- /dev/null > > +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb 
> > @@ -0,0 +1,52 @@ > > +SUMMARY = "The eCryptfs mount helper and support libraries" > > +DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \ > > +that ships in Linux kernel versions 2.6.19 and above. This \ > > +package provides the mount helper and supporting libraries \ > > +to perform key management and mount functions." > > +HOMEPAGE = "https://launchpad.net/ecryptfs"; > > +SECTION = "base" > > + > > +LICENSE = "GPL-2.0" > > +LIC_FILES_CHKSUM = > "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" > > + > > +DEPENDS = "keyutils libgcrypt libpam nss intltool-native glib-2.0-native" > > + > > +inherit autotools pkgconfig > > + > > +SRC_URI = "\ > > + > https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar. > gz \ > > +file://ecryptfs-utils-CVE-2016-6224.patch \ > > +" > > + > > +SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" > > +SRC_URI[sha256sum] = > "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f" > > + > > +PARALLEL_MAKEINST="" > > + > > +EXTRA_OECONF = "\ > > +--libdir=${base_libdir} \ > > +--disable-pywrap \ > > +--disable-nls \ > > +--enable-openssl=no \ > > +" > > + > > +do_configure_prepend() { > > +export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 - > I${STAGING_INCDIR}/nss3" > > +export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 - > lsoftokn3 -lnssutil3" > > +export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" > > +export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" > > +} > > + > > +do_install_append() { > > +chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private > > +mkdir -p ${D}/${libdir} > > +mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} > > +sed -i -e 's:-I${STAGING_INCDIR}::' \ > > + -e 's:-L${STAGING_LIBDIR}::' > > ${D}/${libdir}/pkgconfig/libecryptfs.pc > > +sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" > ${D}${bindir}/ecryptfs-setup-swap > > +} > > + > > +FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" > > + > > +RDEPENDS_${PN} += 
"cryptsetup" > > +RRECOMMENDS_${PN} = "gettext-runtime" > > diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016- > 6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016- > 6224.patch > > new file mode 100644 > > index 000..4252f97 > > --- /dev/null > > +++ > > b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch > > @@ -0,0 +1,65 @@ > > +From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 > 2001 > > +From: Li Zhou > > +Date: Mon, 5 Sep 2016 10:28:08 +0800 > > +Subject: [PATCH] ecryptfs-utils: CVE-2016-6224 > > + > > +src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from > > +being automatically enabled by systemd. This bug affected GPT partitioned > > +NVMe/MMC drives and resulted in the swap partition being used without > > +encryption. It also resulted in a usability issue in that users were > > +erroneously prompted to enter a pass-phrase to unlock their swap partition > > +at boot. (LP: #1597154) > > + > > +the patch comes from: > > +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 > > +https://bazaar.launchp
Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe
How does this one relate to: http://git.yoctoproject.org/cgit/cgit.cgi/meta-ivi/tree/meta-ivi/recipes-support-ivi/ecryptfs-utils/ecryptfs-utils_106.bb?h=master the later has also support for systemd, not sure if it has the issue with pam or not. On Fri, May 19, 2017 at 4:56 PM, Huang, Jie (Jackie) < jackie.hu...@windriver.com> wrote: > > > > -Original Message- > > From: akuster808 [mailto:akuster...@gmail.com] > > Sent: Friday, May 19, 2017 22:50 > > To: Huang, Jie (Jackie); yocto@yoctoproject.org > > Subject: Re: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new > recipe > > > > > > > > On 05/17/2017 12:56 AM, jackie.hu...@windriver.com wrote: > > > From: Jackie Huang > > > > > > eCryptfs is a stacked cryptographic filesystem that ships > > > in Linux kernel versions 2.6.19 and above. This package > > > provides the mount helper and supporting libraries to > > > perform key management and mount functions. > > > > > > Signed-off-by: Jackie Huang > > > > This has the following warning: > > WARNING: libpam-1.3.0-r5 do_pam_sanity: Building libpam but 'pam' isn't > > in DISTRO_FEATURES, PAM won't work correctly > > > > I noticed this package has the ability to disable-pam so maybe > > PACKAGECONFIG with the DISTRO_FEATURES check for PAM would be > > applicable > > in this case? > > > > please investigate. > > I will investigate and fix the warning. > > Thanks, > Jackie > > > > > everything else looks fine for inclusion to meta-security. > > > > regards, > > Armin > > > > > --- > > > .../ecryptfs-utils/ecryptfs-utils_111.bb | 52 > + > > > .../files/ecryptfs-utils-CVE-2016-6224.patch | 65 > > ++ > > > 2 files changed, 117 insertions(+) > > > create mode 100644 recipes-security/ecryptfs-utils/ > ecryptfs-utils_111.bb > > > create mode 100644 recipes-security/ecryptfs- > utils/files/ecryptfs-utils-CVE- > > 2016-6224.patch 
> > > > > > diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb > b/recipes- > > security/ecryptfs-utils/ecryptfs-utils_111.bb > > > new file mode 100644 > > > index 000..49c2605 > > > --- /dev/null > > > +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb 
> > > @@ -0,0 +1,52 @@ > > > +SUMMARY = "The eCryptfs mount helper and support libraries" > > > +DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \ > > > +that ships in Linux kernel versions 2.6.19 and above. This \ > > > +package provides the mount helper and supporting libraries \ > > > +to perform key management and mount functions." > > > +HOMEPAGE = "https://launchpad.net/ecryptfs"; > > > +SECTION = "base" > > > + > > > +LICENSE = "GPL-2.0" > > > +LIC_FILES_CHKSUM = > > "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" > > > + > > > +DEPENDS = "keyutils libgcrypt libpam nss intltool-native > glib-2.0-native" > > > + > > > +inherit autotools pkgconfig > > > + > > > +SRC_URI = "\ > > > + > > https://launchpad.net/ecryptfs/trunk/${PV}/+ > download/${BPN}_${PV}.orig.tar. > > gz \ > > > +file://ecryptfs-utils-CVE-2016-6224.patch \ > > > +" > > > + > > > +SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" > > > +SRC_URI[sha256sum] = > > "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f" > > > + > > > +PARALLEL_MAKEINST="" > > > + > > > +EXTRA_OECONF = "\ > > > +--libdir=${base_libdir} \ > > > +--disable-pywrap \ > > > +--disable-nls \ > > > +--enable-openssl=no \ > > > +" > > > + > > > +do_configure_prepend() { > > > +export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 - > > I${STAGING_INCDIR}/nss3" > > > +export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 - > > lsoftokn3 -lnssutil3" > > > +export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" > > > +export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" > > > +} > > > + > > > +do_install_append() { > > > +chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private > > > +mkdir -p ${D}/${libdir} > > > +mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} > > > +sed -i -e 's:-I${STAGING_INCDIR}::' \ > > > + -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/ > libecryptfs.pc > > > +sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" > > ${D}${bindir}/ecryptfs-setup-swap > > > +} > 
> > + > > > +FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" > > > + > > > +RDEPENDS_${PN} += "cryptsetup" > > > +RRECOMMENDS_${PN} = "gettext-runtime" > > > diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils- > CVE-2016- > > 6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils- > CVE-2016- > > 6224.patch > > > new file mode 100644 > > > index 000..4252f97 > > > --- /dev/null > > > +++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils- > CVE-2016-6224.patch > > > @@ -0,0 +1,65 @@ > > > +From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 > > 2001 > > > +From: Li Zhou > > > +Date: Mon, 5 Sep 2016 10:28:08 +0800 > > > +S