Re: [yocto] General Question: Device specific value store

2019-06-26 Thread Morné Lamprecht

On Tue, Jun 25, 2019 at 09:25:13AM -0400, Larry Brown wrote:
> I wonder, if there are best practices, how to protect the data from getting
> corrupted (intentionally by an attacker or by accident through ... flash
> corruption or whatever).


Ideally your hardware should have some sort of hw-based secure key storage, and 
use that to support some sort of secure boot scheme. You can then implement a 
chain of trust, allowing you to securely verify a hash signature of the data 
during bootup, to ensure that it hadn't been tampered with or gotten corrupted.


Atmel / Microchip, for example, offers a range of Crypto Authentication ICs that 
could be added to your hardware to support this, if your hardware didn't have 
built-in support for something like this. Their offering also included tools to 
securely inject the data into the secure ICs during manufacturing, or 
alternatively, you could write your own tool to interface with their API.


- Morné
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
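Morné's verify-at-boot step, as an added example that is not part of the original post: a device value store that is sealed once at provisioning and checked before anything in it is parsed at boot. Python's standard library has no asymmetric signature primitive, so a keyed SHA-256 tag (HMAC) stands in here for the signature; a production design verifies a public-key signature whose private key never reaches the device, with the public key anchored in the secure-boot chain of trust. The format marker, the key, the field names and the A/B fallback over two stored copies are all constructed for this example; the fallback goes slightly beyond the post to cover the accidental-corruption case Larry asked about (one bad copy is rejected, the other is used).

```python
"""Integrity-protected device value store: seal at provisioning, verify at boot.
Constructed example; key, format marker and payload are made up."""
import hashlib
import hmac
import json

MAGIC = b"DVS1"                           # format/version marker (constructed)
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes

# Constructed stand-in for a key that on real hardware stays inside the
# secure element / hardware key storage and is never written to the host.
PROVISIONING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


class IntegrityError(Exception):
    """The stored blob does not verify: tampered with, corrupted or truncated."""


def seal(key: bytes, values: dict) -> bytes:
    """Provisioning step: serialize the device-specific values and append a
    keyed SHA-256 tag over MAGIC + payload so neither can be changed silently."""
    payload = json.dumps(values, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, MAGIC + payload, hashlib.sha256).digest()
    return MAGIC + payload + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Boot-time step: check the tag first, parse only afterwards. Every
    failure raises the same exception so a caller cannot skip the check."""
    if len(blob) < len(MAGIC) + TAG_LEN or not blob.startswith(MAGIC):
        raise IntegrityError("bad header or truncated blob")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        raise IntegrityError("tag mismatch: tampered with or corrupted")
    return json.loads(body[len(MAGIC):].decode())


def load_store(key: bytes, copies: list) -> tuple:
    """Try redundant copies (e.g. two flash regions) in order; return
    (values, index of the copy that verified) or raise if none does."""
    for index, blob in enumerate(copies):
        try:
            return unseal(key, blob), index
        except IntegrityError:
            continue
    raise IntegrityError("no copy of the device value store verifies")


def flip_bit(blob: bytes, byte_index: int) -> bytes:
    """Simulate a single-bit flash error (or a crude edit) at byte_index."""
    data = bytearray(blob)
    data[byte_index] ^= 0x01
    return bytes(data)


def rejects(key: bytes, blob: bytes) -> bool:
    """True if unseal() refuses the blob."""
    try:
        unseal(key, blob)
    except IntegrityError:
        return True
    return False


def demo() -> dict:
    """Exercise the store against the failure modes raised in the thread."""
    values = {"serial": "SN-000123", "mac": "02:00:00:00:00:01", "region": "EU"}
    good = seal(PROVISIONING_KEY, values)
    corrupted = flip_bit(good, len(MAGIC) + 3)                 # flip inside payload
    forged = good.replace(b'"region":"EU"', b'"region":"US"')  # edit, old tag kept
    wrong_key = bytes(32)
    return {
        "good_verifies": unseal(PROVISIONING_KEY, good) == values,
        "corrupted_rejected": rejects(PROVISIONING_KEY, corrupted),
        "forged_rejected": rejects(PROVISIONING_KEY, forged),
        "truncated_rejected": rejects(PROVISIONING_KEY, good[:-1]),
        "wrong_key_rejected": rejects(wrong_key, good),
        "fallback_copy_used": load_store(PROVISIONING_KEY, [corrupted, good]) == (values, 1),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20s} {'PASS' if ok else 'FAIL'}")
```

The tag covers the format marker as well as the payload, and the parser never runs on unverified bytes; with a hardware-backed key the same verify-then-parse order holds, the only difference being that the tag (or signature) check happens in or against the secure element.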


Re: [yocto] General Question: Device specific value store

2019-06-26 Thread Andrea Adami
On Wed, Jun 26, 2019 at 12:03 PM Morné Lamprecht  wrote:
>
> On Tue, Jun 25, 2019 at 09:25:13AM -0400, Larry Brown wrote:
> >>> I wonder, if there are best practices, how to protect the data from 
> >>> getting
> >>> corrupted (intentionally by an attacker or by accident through ... flash
> >>> corruption or whatever).
>
> Ideally your hardware should have some sort of hw-based secure key storage, 
> and
> use that to support some sort of secure boot scheme. You can then implement a
> chain of trust, allowing you to securely verify a hash signature of the data
> during bootup, to ensure that it hadn't been tampered with or gotten 
> corrupted.
>
> Atmel / Microchip, for example, offers a range of Crypto Authentication ICs 
> that
> could be added to your hardware to support this, if you hardware didn't have
> built in support for something like this. Their offering also included tools 
> to
> securely inject the data into the secure ICs during manufacturing, or
> alternatively, you could write your own tool to interface with their API.
>
> - Morné


Hi,
almost all flash has a non-volatile storage area for this.
It was OTP on old NOR; now there are more flavors: your board appears
to have eMMC, so OTP/MTP should be supported by the mmc stack.
Check out this link:
https://www.synopsys.com/designware-ip/technical-bulletin/memory-options.html

Regards
Andrea


[yocto] [meta-security][PATCH] kernel: Add conditional inclusion of fragments for linux-yocto-dev

2019-06-26 Thread zhe.he
From: He Zhe 

Signed-off-by: He Zhe 
---
 recipes-kernel/linux/linux-yocto-dev.bbappend | 11 +++
 1 file changed, 11 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-yocto-dev.bbappend

diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend 
b/recipes-kernel/linux/linux-yocto-dev.bbappend
new file mode 100644
index 000..68b2b8b
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto-5.0:"
+
+SRC_URI += "\
+${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' 
file://apparmor.cfg', '', d)} \
+${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' 
file://apparmor_on_boot.cfg', '', d)} \
+"
+
+SRC_URI += "\
+${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', 
'', d)} \
+${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' 
file://smack-default-lsm.cfg', '', d)} \
+"
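Review bot: the commit message has no body, so nothing records why linux-yocto-dev should pick up fragments from a directory named for the 5.0 kernel (`FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto-5.0:"`); please state that the fragments are expected to apply unchanged to the dev kernel, or give linux-yocto-dev its own fragment directory. Minor: the two `SRC_URI +=` blocks can be one assignment, with the apparmor and smack lines kept together.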
-- 
2.7.4



Re: [yocto] [ptest-runner][PATCH v2 4/4] utils: ensure child can be session leader

2019-06-26 Thread Randy MacLeod

On 6/25/19 9:51 PM, Anibal Limon wrote:



On Wed, 19 Jun 2019 at 12:50, Randy MacLeod wrote:


On 6/14/19 10:48 AM, Randy MacLeod wrote:
> When running the run-execscript bash ptest as a user rather than root, a warning:
>    bash: cannot set terminal process group (16036): Inappropriate ioctl for device
>    bash: no job control in this shell
> contaminates the bash log files causing the test to fail. This happens only
> when run under ptest-runner and not when interactively testing!
>
> The changes made to fix this include:
> 1. Get the process group id (pgid) before forking,
> 2. Set the pgid in both the parent and child to avoid a race,
> 3. Find, open and set permission on the child tty, and
> 4. Allow the child to attach to controlling tty.
>
> Also add '-lutil' to Makefile. This lib is from libc and provides openpty.


Hmmm, I was making the code compile cleanly under clang using
    -Weverything
when I noticed:

1. the 'make check' tests. They still work fine.
2. The './ptest-runner -d tests/data -t 1' tests
     which now generate loads of errors like:
      ERROR: Unable to detach from controlling tty, Inappropriate ioctl for device

so while this change fixed the bash ptest, it did something wrong to the
ptest-runner self-test. Ah, I'm calling:
     ioctl(0, TIOCNOTTY) == -1)
repeatedly in the parent so that's what's generating the extra logs.
Fixed locally and I'll send a patch but it's not urgent. Phew! :)

Anibal,

If you could reply to explain your plans for Richard's patches
that would help me figure out when to send the clang warning clean-ups
commits and what commit to base my work on.


Hi,

I plan to take Richard's patches; he added them to the recipe to have real
testing and it looks like there aren't problems related to them. Richard, can
you confirm?

Regarding the openpty include, I see some linkage problem when running
make check; proposed fix:


Yes, I had noticed that and fixed it as well.

I'll send my latest patch series once you have merged
Richard's changes into master. Hopefully that will be today... :)

I decided to compile with:
  clang -Weverything
to see if there were any problems and there
were quite a few things to fix. Now, for the most part,
neither clang nor gcc complain about the code.

../Randy



...
--- a/Makefile
+++ b/Makefile
@@ -22,19 +22,20 @@ TEST_SOURCES=tests/main.c tests/ptest_list.c 
tests/utils.c $(BASE_SOURCES)

  TEST_OBJECTS=$(TEST_SOURCES:.c=.o)
  TEST_EXECUTABLE=ptest-runner-test
  TEST_LDFLAGS=-lm -lrt -lpthread
-TEST_LIBSTATIC=-lcheck -lsubunit
+TEST_LIBSTATIC=-lutil
+TEST_LIBSTATIC_TEST=$(TEST_LIBSTATIC) -lcheck -lsubunit

  TEST_DATA=$(shell echo `pwd`/tests/data)

  all: $(SOURCES) $(EXECUTABLE)

  $(EXECUTABLE): $(OBJECTS)
-       $(CC) $(LDFLAGS) $(OBJECTS) -lutil -o $@
+       $(CC) $(LDFLAGS) $(OBJECTS) -o $@ $(TEST_LIBSTATIC)

  tests: $(TEST_SOURCES) $(TEST_EXECUTABLE)

  $(TEST_EXECUTABLE): $(TEST_OBJECTS)
-       $(CC) $(LDFLAGS) $(TEST_LDFLAGS) $(TEST_OBJECTS) -o $@ 
$(TEST_LIBSTATIC)
+       $(CC) $(LDFLAGS) $(TEST_LDFLAGS) $(TEST_OBJECTS) -o $@ 
$(TEST_LIBSTATIC_TEST)


  check: $(TEST_EXECUTABLE)
         ./$(TEST_EXECUTABLE) -d $(TEST_DATA)
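Review bot: naming: after this hunk `TEST_LIBSTATIC` (now just `-lutil`) is used by the non-test `$(EXECUTABLE)` rule as well, so a name without the `TEST_` prefix (e.g. a plain libs variable) would be clearer than `TEST_LIBSTATIC` plus `TEST_LIBSTATIC_TEST`. The placement is right, though: `$(CC) $(LDFLAGS) $(OBJECTS) -o $@ $(TEST_LIBSTATIC)` puts `-lutil` after the objects that reference openpty, which is the order the linker needs, and the test link now gets the same library, which is what `make check` was missing.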
...

Best regards,
Anibal



../Randy

 >
 > Signed-off-by: Sakib Sajal <sakib.sa...@windriver.com>
 > Signed-off-by: Randy MacLeod <randy.macl...@windriver.com>
 > ---
 >   Makefile |   2 +-
 >   utils.c  | 102
+--
 >   2 files changed, 92 insertions(+), 12 deletions(-)
 >
 > diff --git a/Makefile b/Makefile
 > index 1bde7be..439eb79 100644
 > --- a/Makefile
 > +++ b/Makefile
 > @@ -29,7 +29,7 @@ TEST_DATA=$(shell echo `pwd`/tests/data)
 >   all: $(SOURCES) $(EXECUTABLE)
 >
 >   $(EXECUTABLE): $(OBJECTS)
 > -     $(CC) $(LDFLAGS) $(OBJECTS) -o $@
 > +     $(CC) $(LDFLAGS) $(OBJECTS) -lutil -o $@
 >
 >   tests: $(TEST_SOURCES) $(TEST_EXECUTABLE)
 >
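Review bot: `-lutil` is added only to the `$(EXECUTABLE)` link; the `$(TEST_EXECUTABLE): $(TEST_OBJECTS)` rule links the same utils.c object (TEST_SOURCES includes $(BASE_SOURCES)) but is not touched, so `make check` cannot resolve openpty on toolchains where it lives in libutil. That is the linkage problem Anibal reports above; the fix is to add `-lutil` to the test link as well, after the object files.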
 > diff --git a/utils.c b/utils.c
 > index ad737c2..f11ce39 100644
 > --- a/utils.c
 > +++ b/utils.c
 > @@ -1,5 +1,6 @@
 >   /**
 >    * Copyright (c) 2016 Intel Corporation
 > + * Copyright (C) 2019 Wind River Systems, Inc.
 >    *
 >    * This program is free software; you can redistribute it and/or
 >    * modify it under the terms of the GNU General Public License
 > @@ -22,23 +23,27 @@
 >    */
 >
 >   #define _GNU_SOURCE
 > +
 >   #include 
 >
 > +#include 
 > +#include 
 > +#include 
 > +#include 
 >   #include 
 > -#include 
 >   #include 
 > -#include 
 > +#include 
 > +#include 
 > +#include 
 > +#include 
 >   #include 
 > -#include 
 > +#include 
 > +
 > +#incl
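The tty handling discussed in this thread, as an added example that is neither ptest-runner's code nor Randy's patch: the child gets its own pty, becomes a session leader and acquires the slave as its controlling terminal, while the parent never issues a tty ioctl on its own stdin (the blind `TIOCNOTTY` in the parent that produced the repeated "Inappropriate ioctl for device" errors). It is written in Python so the whole call sequence fits on one screen; ptest-runner itself is C. It uses setsid() in the child in place of steps 1 and 2 of the quoted commit message: setsid() makes the child both session leader and group leader in one call, and it fails with EPERM if the child has already been made a group leader with setpgid(), so the two approaches must not be combined. The shell command and the devnull helper are constructed for the demonstration.

```python
"""Give a child its own pty and make it the session leader that owns it, so a
job-control shell under it sees a real controlling terminal. Constructed
example in Python; ptest-runner itself is C and is not reproduced here."""
import errno
import fcntl
import os
import sys
import termios


def detach_controlling_tty(fd: int) -> bool:
    """Release fd as the caller's controlling tty. Only valid when fd really
    is that tty; issued blindly (e.g. on fd 0 of a parent whose stdin is a
    pipe) the ioctl fails with ENOTTY, the repeated error seen in the thread.
    Returns False instead of logging in that case."""
    if not os.isatty(fd):
        return False
    try:
        fcntl.ioctl(fd, termios.TIOCNOTTY)
    except OSError as exc:
        if exc.errno == errno.ENOTTY:       # a tty, but not our controlling one
            return False
        raise
    return True


def open_devnull() -> int:
    """A descriptor that is never a tty (used to exercise the guard above)."""
    return os.open(os.devnull, os.O_RDWR)


def spawn_on_pty(argv: list) -> tuple:
    """Fork argv onto a fresh pty. Returns (pid, master_fd) to the parent.
    Only the child touches session and tty state; the parent just records the
    pid, so no tty ioctl is ever issued against the parent's own stdin."""
    master, slave = os.openpty()                       # the child's tty
    pid = os.fork()
    if pid == 0:
        try:
            os.close(master)
            os.setsid()                                # new session, no ctty yet
            fcntl.ioctl(slave, termios.TIOCSCTTY, 0)   # acquire slave as ctty
            os.tcsetpgrp(slave, os.getpgrp())          # child's group in foreground
            for fd in (0, 1, 2):
                os.dup2(slave, fd)
            if slave > 2:
                os.close(slave)
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)                              # reached only on failure
    os.close(slave)                                    # parent keeps master only
    return pid, master


def run_and_capture(argv: list) -> bytes:
    """Run argv on its own pty, collect what it writes, reap it."""
    pid, master = spawn_on_pty(argv)
    chunks = []
    while True:
        try:
            data = os.read(master, 4096)
        except OSError as exc:
            if exc.errno == errno.EIO:                 # Linux: slave side closed
                break
            raise
        if not data:
            break
        chunks.append(data)
    os.close(master)
    os.waitpid(pid, 0)
    return b"".join(chunks)


if __name__ == "__main__":
    # 'tty' names the pty; 'test -t 0' shows stdin is a terminal for the child.
    sys.stdout.write(run_and_capture(
        ["sh", "-c", "tty; test -t 0 && echo stdin-is-a-tty"]).decode())
```

Run as a script it prints the pty path and `stdin-is-a-tty`, which is exactly the condition bash checks before enabling job control; the parent's own stdin is never touched, so the ENOTTY noise cannot occur there.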

Re: [yocto] Are native packages dependencies listed in license.manifest?

2019-06-26 Thread Pierre-Luc Buhler
Thanks for the response.

Have a nice day.

PLB

On Mon, 24 Jun 2019 at 17:49, Burton, Ross wrote:

> The image manifest lists what is being *distributed* so doesn't
> include native dependencies.
>
> Ross
>
> On Mon, 24 Jun 2019 at 19:50,  wrote:
> >
> > Hi,
> > I’m currently working to remove all GPLv3 packages included in my image.
> > I was using the license manifest file to list the remaining GPLv3
> packages to remove.
> > While I was trying to remove gdbm, I encountered some native dependencies.
> > When I looked at the license.manifest file, gdbm was still listed.
> > So I was asking myself if I still had packages that depend on/include
> > gdbm hidden somewhere or if it's because the license.manifest also lists
> > packages used on the build host even if they are not included in the image.
> > For example, if curl-native is used in a recipe, will curl be listed in
> > license.manifest even if curl is not in the image?
> >
> > So in other words, does license.manifest also include native packages,
> > or does it only list the packages that make up the image (included in the
> > image)?
> >
> > Thanks for the support,
> >
> > PLB
> >
>


[yocto] [meta-cgl][PATCH 1/3] packagegroup-cgl-middleware: remove ipsec-tools and umip

2019-06-26 Thread Yi Zhao
The ipsec-tools and umip had been removed from meta-openembedded. We
should remove them from the packagegroup.

Signed-off-by: Yi Zhao 
---
 meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb 
b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
index 6ec68c4..4fa7d48 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
@@ -23,7 +23,6 @@ MULTIPATH_TOOLS = " \
 "
 
 RDEPENDS_packagegroup-cgl-middleware = "\
-ipsec-tools \
 net-snmp-server \
 net-snmp-client \
 net-snmp-libs \
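Review bot: the commit message says ipsec-tools and umip were removed from meta-openembedded but does not name the removing commits; referencing them (as patch 3/3 of this series does for meta-perl) would let a reviewer confirm there is no replacement package to add here.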
@@ -51,7 +50,6 @@ RDEPENDS_packagegroup-cgl-middleware = "\
 ifenslave \
 drbd-utils \
 openl2tp \
-umip \
 dmidecode \
 "
 
-- 
2.7.4



[yocto] [meta-cgl][PATCH 2/3] packagegroup-cgl-applications: only install libpam and pam-passwdqc if pam distro flag set

2019-06-26 Thread Yi Zhao
Fix build error when pam distro flag is not set:

$ bitbake packagegroup-cgl-applications
ERROR: Nothing RPROVIDES 'pam-passwdqc' (but
/buildarea/poky/meta-cgl/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
RDEPENDS on or otherwise requires it)
ERROR: Nothing RPROVIDES 'libpam' (but
/buildarea/poky/meta-cgl/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
RDEPENDS on or otherwise requires it)

Signed-off-by: Yi Zhao 
---
 meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb 
b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
index 5e7170d..6b7a630 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
@@ -46,9 +46,8 @@ RDEPENDS_${PN} = " \
 samhain-server \
 audit \
 crash \
-pam-passwdqc \
-libpam \
 makedumpfile \
+${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-passwdqc libpam', '', 
d)} \
 "
 
 LTTNG ?= "\
-- 
2.7.4



[yocto] [meta-cgl][PATCH 3/3] libhtml-tagset-perl: remove recipe

2019-06-26 Thread Yi Zhao
The libhtml-tagset-perl recipe was added to meta-perl layer with commit:
4058e65f3c4e17ad04423f4c9edf8607fe6fdb4f
We can drop this duplicate recipe.

Signed-off-by: Yi Zhao 
---
 .../recipes-perl/perl/libhtml-tagset-perl_3.20.bb   | 17 -
 1 file changed, 17 deletions(-)
 delete mode 100644 
meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb

diff --git a/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb 
b/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb
deleted file mode 100644
index 2765cd2..000
--- a/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-DESCRIPTION = "HTML Tagset bits."
-HOMEPAGE = "http://search.cpan.org/dist/HTML-Tagset/";
-SECTION = "libs"
-LICENSE = "Artistic-1.0 | GPL-1.0+"
-LIC_FILES_CHKSUM = 
"file://README;beginline=60;md5=16ddda2d845a5546f615e6b122d1dbad"
-PR = "r4"
-
-SRC_URI = 
"http://search.cpan.org/CPAN/authors/id/P/PE/PETDANCE/HTML-Tagset-${PV}.tar.gz";
-
-S = "${WORKDIR}/HTML-Tagset-${PV}"
-
-inherit cpan
-
-BBCLASSEXTEND="native"
-
-SRC_URI[md5sum] = "d2bfa18fe1904df7f683e96611e87437"
-SRC_URI[sha256sum] = 
"adb17dac9e36cd011f5243881c9739417fd102fce760f8de4e9be4c7131108e2"
-- 
2.7.4



[yocto] bitbak command: No recipe available for

2019-06-26 Thread danwe
while using the command:
daniel@daniel-VirtualBox:~/bbb$ MACHINE=beaglebone bitbake core-immage-full
cmdline I get the following output:


Loading cache: 100% || Time:
0:00:03

Loaded 1358 entries from dependency cache.

Parsing recipes: 100% |##| Time:
0:00:12

Parsing of 832 .bb files complete (829 cached, 3 parsed). 1361 targets, 65
skipped, 0 masked, 0 errors.

ERROR: No recipes available for:

  /home/daniel/meta-bbb/recipes-connectivity/openssh/openssh_7.%.bbappend

  /home/daniel/meta-bbb/recipes-qt/qt5/qtbase_git.bbappend

  /home/daniel/meta-bbb/recipes-support/ntp/ntp_4.2.%.bbappend



Summary: There was 1 ERROR message shown, returning a non-zero exit code.


How can I solve this?

Thanks.

Daniel