[yocto] [meta-openssl102-fips][PATCH 1/3] fix typo: openssl-fips -> openssl-fips-dev
The working fips package is openssl-fips-dev rather than openssl-fips.
Signed-off-by: Hongxu Jia
---
 README.build | 2 +-
 templates/feature/openssl-fips/image.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.build b/README.build
index 50bd9a5..b4e8f2e 100644
--- a/README.build
+++ b/README.build
@@ -132,7 +132,7 @@ Building Steps (based on section 4 of the UsersGuide-2.0.pdf):
 prebuilt tar archive.
 For Yocto, in your build directory, edit conf/local.conf, add:
- IMAGE_INSTALL_append = " openssl-fips"
+ IMAGE_INSTALL_append = " openssl-fips-dev"
 OPENSSL_FIPS_ENABLED = "1"
 OPENSSL_FIPS_PREBUILT = ""
diff --git a/templates/feature/openssl-fips/image.inc b/templates/feature/openssl-fips/image.inc
index 0d62e44..3616432 100644
--- a/templates/feature/openssl-fips/image.inc
+++ b/templates/feature/openssl-fips/image.inc
@@ -1 +1 @@
-IMAGE_INSTALL += "openssl-fips"
+IMAGE_INSTALL += "openssl-fips-dev"
-- 
2.7.4
-- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 2/3] openssh_fips.inc: remove rng-tools from sshd RRECOMMENDS
While kernel enable fips, the rng-tools takes a high cpu performance which Operation not permitted ... Oct 12 06:08:23 qemux86-64 rngd[122]: RNDADDENTROPY failed: Operation not permitted ...
Signed-off-by: Hongxu Jia
---
 recipes-connectivity/openssh/openssh_fips.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 38db03b..0eafb98 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -3,6 +3,8 @@ DEPENDS += " \
 openssl-fips \
 fipscheck \
 "
+RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
+
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
 file://0001-conditional-enable-fips-mode.patch \
-- 
2.7.4
-- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
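Review bot: The added `RRECOMMENDS_${PN}-sshd_remove = "rng-tools"` carries no explanation in the file, and the only record of why it exists is the rngd failure quoted in the commit message (`RNDADDENTROPY failed: Operation not permitted`). Put that reason next to the line so the recommendation is not quietly re-added later: `# rngd cannot feed the kernel pool when the kernel runs in fips mode (RNDADDENTROPY -> EPERM) and spins at high CPU; do not pull rng-tools in with sshd`. The `_remove` override is unconditional, which is presumably acceptable only because openssh_fips.inc is itself included just for FIPS builds — that is inferred from the file name, not visible in the hunk. Dropping rngd also drops whatever seeding it provided before the failure, so confirm that first-boot host-key generation on the affected kernels still has an entropy source.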
[yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips
Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same macro limitaition to fips enable test, currently we are not ready to support nss fips ... $ certutil -N -d sql:. --empty-password |certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot. $rpm -h |error: Failed to initialize NSS library ... Signed-off-by: Hongxu Jia --- .../nss/nss/0001-conditionally-enable-fips.patch | 93 ++ recipes-support/nss/nss_3.%.bbappend | 4 + recipes-support/nss/nss_fips.inc | 4 + 3 files changed, 101 insertions(+) create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch create mode 100644 recipes-support/nss/nss_3.%.bbappend create mode 100644 recipes-support/nss/nss_fips.inc diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch new file mode 100644 index 000..d11db91 --- /dev/null +++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch 
@@ -0,0 +1,93 @@ +From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Sat, 12 Oct 2019 10:49:28 +0800 +Subject: [PATCH] conditionally enable fips + +Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same +macro limitaition to fips enable test, currently we are not ready +to support nss fips + +... +$ certutil -N -d sql:. --empty-password +|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11 +module returned CKR_DEVICE_ERROR, indicating that a problem has occurred +with the token or slot. + +$rpm -h +|error: Failed to initialize NSS library +... + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia +--- + nss/coreconf/config.mk | 2 ++ + nss/lib/freebl/nsslowhash.c | 2 +- + nss/lib/pk11wrap/pk11util.c | 2 +- + nss/lib/sysinit/nsssysinit.c | 4 + 4 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk +index 60a0841..dcca87f 100644 +--- a/nss/coreconf/config.mk b/nss/coreconf/config.mk +@@ -179,6 +179,8 @@ endif + # executing the startup tests at library load time. 
+ ifndef NSS_FORCE_FIPS + DEFINES += -DNSS_NO_INIT_SUPPORT ++else ++DEFINES += -DNSS_FORCE_FIPS + endif + + ifdef NSS_SEED_ONLY_DEV_URANDOM +diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c +index 22f9781..baf71c3 100644 +--- a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c +@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr { + static int + nsslow_GetFIPSEnabled(void) + { +-#ifdef LINUX ++#if defined LINUX && defined NSS_FORCE_FIPS + FILE *f; + char d; + size_t size; +diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c +index 502c4d0..cd86270 100644 +--- a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c +@@ -98,7 +98,7 @@ SECMOD_Shutdown() + int + secmod_GetSystemFIPSEnabled(void) + { +-#ifdef LINUX ++#if defined LINUX && defined NSS_FORCE_FIPS + FILE *f; + char d; + size_t size; +diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c +index bd0fac2..5c09e8d 100644 +--- a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c +@@ -168,6 +168,7 @@ getFIPSEnv(void) + static PRBool + getFIPSMode(void) + { ++#ifdef NSS_FORCE_FIPS + FILE *f; + char d; + size_t size; +@@ -186,6 +187,9 @@ getFIPSMode(void) + if (d != '1') + return PR_FALSE; + return PR_TRUE; ++#else ++return PR_FALSE; ++#endif + } + + #define NSS_DEFAULT_FLAGS "flags=readonly" +-- +2.7.4 + diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend new file mode 100644 index 000..9608ca3 --- /dev/null +++ b/recipes-support/nss/nss_3.%.bbappend @@ -0,0 +1,4 @@ +FIPSINC = "" +FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}" + +require ${FIPSINC} diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc new file mode 100644 index 000..b183f55 --- /dev/null +++ b/recipes-support/nss/nss_fips.inc 
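Review bot: With `#ifdef NSS_FORCE_FIPS` wrapped around the body of `getFIPSMode()` and `defined NSS_FORCE_FIPS` added to the guards of `nsslow_GetFIPSEnabled()` and `secmod_GetSystemFIPSEnabled()`, NSS only consults the system FIPS flag those functions read when the macro is defined at build time, and the macro is only defined by the `config.mk` change when `NSS_FORCE_FIPS` is set in the build environment — yet neither the new `nss_3.%.bbappend` nor `nss_fips.inc` exports it. On an image built with `OPENSSL_FIPS_ENABLED = "1"` NSS will therefore report non-FIPS mode even when the kernel is booted with fips=1, while OpenSSL is in FIPS mode; if that split is the intended stopgap, record it where the recipe author will see it, e.g. in nss_fips.inc: `# NSS_FORCE_FIPS is deliberately not exported: NSS FIPS mode stays off even when the kernel boots with fips=1 (see 0001-conditionally-enable-fips.patch)`. The `#else` branch of getFIPSMode returns `PR_FALSE` flush with the preprocessor lines; `    return PR_FALSE;` would match the indentation of the `return PR_TRUE;` above it. The embedded patch header also spells `limitaition` for `limitation`.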
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
+SRC_URI += " \
+file://0001-conditionally-enable-fips.patch \
+"
-- 
2.7.4
-- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] Pyro, imx-gpu-viv and libGL.so
Hi all. I'm working with kivy and SDL2. My problem is that the recipe imx-gpu-viv installs libGL.so.1.2 in /usr/lib, while SDL2 is compiled against libGLESv2. So when I start the SDL application, libGL is unexpectedly loaded, which needs libXdamage. But the BSP is built without X, so SDL2 fails. If I remove libGL.so.1.2 and symlink libGLESv2.so to libGL.so.1.2, would this solve my problem? Is there a recipe which solves this problem? Mauro -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips
The original goal of this work was to enable a FIPS-140-2 OpenSSL module. Why is NSS part of this? Is something inside of the OpenSSL patches requesting NSS support, or is this a different -- but related request? --Mark On 10/12/19 3:17 AM, Hongxu Jia wrote: > Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same > macro limitaition to fips enable test, currently we are not ready > to support nss fips > > ... > $ certutil -N -d sql:. --empty-password > |certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11 > module returned CKR_DEVICE_ERROR, indicating that a problem has occurred > with the token or slot. > > $rpm -h > |error: Failed to initialize NSS library > ... > > Signed-off-by: Hongxu Jia > --- > .../nss/nss/0001-conditionally-enable-fips.patch | 93 > ++ > recipes-support/nss/nss_3.%.bbappend | 4 + > recipes-support/nss/nss_fips.inc | 4 + > 3 files changed, 101 insertions(+) > create mode 100644 > recipes-support/nss/nss/0001-conditionally-enable-fips.patch > create mode 100644 recipes-support/nss/nss_3.%.bbappend > create mode 100644 recipes-support/nss/nss_fips.inc > > diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch > b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch > new file mode 100644 > index 000..d11db91 > --- /dev/null > +++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch 
> @@ -0,0 +1,93 @@ > +From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001 > +From: Hongxu Jia > +Date: Sat, 12 Oct 2019 10:49:28 +0800 > +Subject: [PATCH] conditionally enable fips > + > +Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same > +macro limitaition to fips enable test, currently we are not ready > +to support nss fips > + > +... > +$ certutil -N -d sql:. --empty-password > +|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11 > +module returned CKR_DEVICE_ERROR, indicating that a problem has occurred > +with the token or slot. > + > +$rpm -h > +|error: Failed to initialize NSS library > +... > + > +Upstream-Status: Inappropriate [oe specific] > + > +Signed-off-by: Hongxu Jia > +--- > + nss/coreconf/config.mk | 2 ++ > + nss/lib/freebl/nsslowhash.c | 2 +- > + nss/lib/pk11wrap/pk11util.c | 2 +- > + nss/lib/sysinit/nsssysinit.c | 4 > + 4 files changed, 8 insertions(+), 2 deletions(-) > + > +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk > +index 60a0841..dcca87f 100644 > +--- a/nss/coreconf/config.mk > b/nss/coreconf/config.mk > +@@ -179,6 +179,8 @@ endif > + # executing the startup tests at library load time. 
> + ifndef NSS_FORCE_FIPS > + DEFINES += -DNSS_NO_INIT_SUPPORT > ++else > ++DEFINES += -DNSS_FORCE_FIPS > + endif > + > + ifdef NSS_SEED_ONLY_DEV_URANDOM > +diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c > +index 22f9781..baf71c3 100644 > +--- a/nss/lib/freebl/nsslowhash.c > b/nss/lib/freebl/nsslowhash.c > +@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr { > + static int > + nsslow_GetFIPSEnabled(void) > + { > +-#ifdef LINUX > ++#if defined LINUX && defined NSS_FORCE_FIPS > + FILE *f; > + char d; > + size_t size; > +diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c > +index 502c4d0..cd86270 100644 > +--- a/nss/lib/pk11wrap/pk11util.c > b/nss/lib/pk11wrap/pk11util.c > +@@ -98,7 +98,7 @@ SECMOD_Shutdown() > + int > + secmod_GetSystemFIPSEnabled(void) > + { > +-#ifdef LINUX > ++#if defined LINUX && defined NSS_FORCE_FIPS > + FILE *f; > + char d; > + size_t size; > +diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c > +index bd0fac2..5c09e8d 100644 > +--- a/nss/lib/sysinit/nsssysinit.c > b/nss/lib/sysinit/nsssysinit.c > +@@ -168,6 +168,7 @@ getFIPSEnv(void) > + static PRBool > + getFIPSMode(void) > + { > ++#ifdef NSS_FORCE_FIPS > + FILE *f; > + char d; > + size_t size; > +@@ -186,6 +187,9 @@ getFIPSMode(void) > + if (d != '1') > + return PR_FALSE; > + return PR_TRUE; > ++#else > ++return PR_FALSE; > ++#endif > + } > + > + #define NSS_DEFAULT_FLAGS "flags=readonly" > +-- > +2.7.4 > + > diff --git a/recipes-support/nss/nss_3.%.bbappend > b/recipes-support/nss/nss_3.%.bbappend > new file mode 100644 > index 000..9608ca3 > --- /dev/null > +++ b/recipes-support/nss/nss_3.%.bbappend > @@ -0,0 +1,4 @@ > +FIPSINC = "" > +FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != > '1' else 'nss_fips.inc'}" > + > +require ${FIPSINC} > diff --git a/recipes-support/nss/nss_fips.inc > b/recipes-support/nss/nss_fips.inc > new file mode 100644 > index 000..b183f55 > --- /dev/null 
> +++ b/recipes-support/nss/nss_fips.inc > @@ -0,0 +1,4 @@ > +FILESEXTRAPATHS_prepend := "${THISDIR}/nss:" > +SRC_URI += " \ > +file://0001-conditionally-enable-fips.patch \ > +" > -- ___ yocto mail
[yocto] [layerindex-web] [PATCH 0/3] Some misc changes/fixes..
A few misc changes/fixes. The first two are well tested. However, I suspect the 3/3 may be incorrect and I've labeled it an RFC due to this. 1/3 - '.' wasn't allowed in branch names w/o an error. This turned out to be a fairly simple fix. 2/3 - For people who want to use 'poky' repository and not bitbake + openembedded-core. I've tested this locally in both configurations. 3/3 - When I was testing, my local git mirror is broken up with directories that are called 'git.openembedded.org' and 'git.yoctoproject.org' due to this, the system was matching and locking out the edit layer vcs_web_url submissions... so I tried to make it better.. but I'm not sure it's right. Mark Hatle (3): layerindex/urls.py: Allow branches with a '.' in the name update.py: Allow bitbake to live in a subdirectory of a repository editlayer: Be more specific on the searches docker/settings.py | 3 +++ layerindex/bulkchange.py | 8 +++- layerindex/layerconfparse.py | 8 +++- layerindex/tools/import_layer.py | 8 layerindex/tools/import_wiki_layers.py | 13 ++--- layerindex/update.py | 14 +++--- layerindex/update_layer.py | 6 +- layerindex/urls.py | 12 ++-- settings.py| 3 +++ templates/layerindex/editlayer.html| 8 10 files changed, 60 insertions(+), 23 deletions(-) -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [layerindex-web] [PATCH 1/3] layerindex/urls.py: Allow branches with a '.' in the name
Without this change the system will fail parsing various URL components Signed-off-by: Mark Hatle --- layerindex/urls.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/layerindex/urls.py b/layerindex/urls.py index 7f4e545..89e70a2 100644 --- a/layerindex/urls.py +++ b/layerindex/urls.py @@ -107,7 +107,7 @@ urlpatterns = [ BulkChangeDeleteView.as_view( template_name='layerindex/deleteconfirm.html'), name="bulk_change_delete"), -url(r'^branch/(?P[-\w]+)/', +url(r'^branch/(?P[-.\w]+)/', include('layerindex.urls_branch')), url(r'^updates/$', UpdateListView.as_view( @@ -146,17 +146,17 @@ urlpatterns = [ ClassicRecipeDetailView.as_view( template_name='layerindex/classicrecipedetail.html'), name='classic_recipe'), -url(r'^comparison/recipes/(?P[-\w]+)/$', +url(r'^comparison/recipes/(?P[-.\w]+)/$', ClassicRecipeSearchView.as_view( template_name='layerindex/classicrecipes.html'), name='comparison_recipe_search'), -url(r'^comparison/search-csv/(?P[-\w]+)/$', +url(r'^comparison/search-csv/(?P[-.\w]+)/$', ClassicRecipeSearchView.as_view( template_name='layerindex/classicrecipes_csv.txt', paginate_by=0, content_type='text/csv'), name='comparison_recipe_search_csv'), -url(r'^comparison/stats/(?P[-\w]+)/$', +url(r'^comparison/stats/(?P[-.\w]+)/$', ClassicRecipeStatsView.as_view( template_name='layerindex/classicstats.html'), name='comparison_recipe_stats'), @@ -185,11 +185,11 @@ urlpatterns = [ url(r'^stoptask/(?P[-\w]+)/$', task_stop_view, name='task_stop'), -url(r'^ajax/layerchecklist/(?P[-\w]+)/$', +url(r'^ajax/layerchecklist/(?P[-.\w]+)/$', LayerCheckListView.as_view( template_name='layerindex/layerchecklist.html'), name='layer_checklist'), -url(r'^ajax/classchecklist/(?P[-\w]+)/$', +url(r'^ajax/classchecklist/(?P[-.\w]+)/$', BBClassCheckListView.as_view( template_name='layerindex/classchecklist.html'), name='class_checklist'), -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
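Review bot: Widening the branch slug to `[-.\w]+` in every hunk also admits values such as `.` and `..`, which git rejects as ref names; if the captured branch is later handed to git or joined into a filesystem path in the views behind these routes (not visible here), validate it there with the ref-name rules rather than relying on the URL pattern. The `stoptask` pattern at `@@ -185,11 +185,11 @@` keeps `[-\w]+`, which reads as intentional because it captures a task id rather than a branch, but a one-line comment above the first widened pattern (`# branch names may contain '.', e.g. release branches`) would stop the next reader from "fixing" the inconsistency either way. The `(?P…)` group names have been lost in this rendering, so it cannot be checked from the page which captures name the same parameter.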
[yocto] [layerindex-web] [PATCH 2/3] update.py: Allow bitbake to live in a subdirectory of a repository
Add a new BITBAKE_PATH to the settings file to specify the path within the BITBAKE_REPO_URL where bitbake lives. This is useful when using a combined repository, such as poky, that contains bitbake, openembedded-core and other layers. This change also changes the default path, in the fetch directory, for the bitbake checkout. It no longer uses the path 'bitbake', but instead uses the same URL processing as the layer fetching. There is a side effect that, when using a shared fetch, the branch of the layer will be used instead of the specified bitbake branch. Generally this is a reasonable compromise, since in a combined repository bitbake and openembedded-core component should already match. Signed-off-by: Mark Hatle --- docker/settings.py | 3 +++ layerindex/bulkchange.py | 8 +++- layerindex/layerconfparse.py | 8 +++- layerindex/update.py | 14 +++--- layerindex/update_layer.py | 6 +- settings.py | 3 +++ 6 files changed, 36 insertions(+), 6 deletions(-) diff --git a/docker/settings.py b/docker/settings.py index 616b67b..2821d82 100644 --- a/docker/settings.py +++ b/docker/settings.py @@ -244,6 +244,9 @@ TEMP_BASE_DIR = "/tmp" # Fetch URL of the BitBake repository for the update script BITBAKE_REPO_URL = "git://git.openembedded.org/bitbake" +# Path within the BITBAKE_REPO_URL, usually empty +BITBAKE_PATH = "" + # Core layer to be used by the update script for basic BitBake configuration CORE_LAYER_NAME = "openembedded-core" diff --git a/layerindex/bulkchange.py b/layerindex/bulkchange.py index f6506ef..ea1f85c 100644 --- a/layerindex/bulkchange.py +++ b/layerindex/bulkchange.py 
@@ -98,7 +98,13 @@ def main(): branch = utils.get_branch('master') fetchdir = settings.LAYER_FETCH_DIR -bitbakepath = os.path.join(fetchdir, 'bitbake') + +import layerindex.models import LayerItem +bitbakeitem = LayerItem() +bitbakeitem.vcs_url = settings.BITBAKE_REPO_URL +bitbakepath = os.path.join(fetchdir, bitbakeitem.get_fetch_dir()) +if settings.BITBAKE_PATH: +bitbakepath = os.path.join(bitbakepath, settings.BITBAKE_PATH) if not os.path.exists(bitbakepath): sys.stderr.write("Unable to find bitbake checkout at %s" % bitbakepath) diff --git a/layerindex/layerconfparse.py b/layerindex/layerconfparse.py index 526d2c2..a0b7e1c 100644 --- a/layerindex/layerconfparse.py +++ b/layerindex/layerconfparse.py @@ -20,7 +20,13 @@ class LayerConfParse: if not bitbakepath: fetchdir = settings.LAYER_FETCH_DIR -bitbakepath = os.path.join(fetchdir, 'bitbake') + +from layerindex.models import LayerItem +bitbakeitem = LayerItem() +bitbakeitem.vcs_url = settings.BITBAKE_REPO_URL +bitbakepath = os.path.join(fetchdir, bitbakeitem.get_fetch_dir()) +if settings.BITBAKE_PATH: +bitbakepath = os.path.join(bitbakepath, settings.BITBAKE_PATH) self.bbpath = bitbakepath # Set up BBPATH. diff --git a/layerindex/update.py b/layerindex/update.py index 7faf6b5..57dd830 100755 --- a/layerindex/update.py +++ b/layerindex/update.py @@ -268,8 +268,6 @@ def main(): logger.error("Layer index lock timeout expired") sys.exit(1) try: -bitbakepath = os.path.join(fetchdir, 'bitbake') - if not options.nofetch: # Make sure oe-core is fetched since recipe parsing requires it layerquery_core = LayerItem.objects.filter(comparison=False).filter(name=settings.CORE_LAYER_NAME) 
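Review bot: `import layerindex.models import LayerItem` in the bulkchange.py hunk is not valid Python (`import X import Y` is a syntax error); the layerconfparse.py hunk just below has the intended form, `from layerindex.models import LayerItem`. The same four-line sequence — construct a `LayerItem`, set `vcs_url` to `settings.BITBAKE_REPO_URL`, join `fetchdir` with `get_fetch_dir()`, then append `settings.BITBAKE_PATH` — is now duplicated in bulkchange.py, layerconfparse.py and update.py; a single helper next to `utils.get_branch` would keep the three copies from drifting. In the update.py hunk at `@@ -285,7 +283,17 @@` the new `bitbakepath` assignment sits inside a block that the removed top-level assignment was not in; if that block is the `if not options.nofetch:` branch shown in the previous hunk, `bitbakepath` is unbound on the --nofetch path, which should be checked since indentation is not recoverable here. `main()` in each of these files continues outside the hunk.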
@@ -285,7 +283,17 @@ def main(): if layer.vcs_url not in allrepos: allrepos[layer.vcs_url] = (repodir, urldir, fetchdir, layer.name) # Add bitbake -allrepos[settings.BITBAKE_REPO_URL] = (bitbakepath, "bitbake", fetchdir, "bitbake") +if settings.BITBAKE_REPO_URL not in allrepos: +bitbakeitem = LayerItem() +bitbakeitem.vcs_url = settings.BITBAKE_REPO_URL +bitbakeurldir = bitbakeitem.get_fetch_dir() +bitbakepath = os.path.join(fetchdir, bitbakeurldir) +allrepos[settings.BITBAKE_REPO_URL] = (bitbakepath, bitbakeurldir, fetchdir, "bitbake") + +(bitbakepath, _, _, _) = allrepos[settings.BITBAKE_REPO_URL] +if settings.BITBAKE_PATH: +bitbakepath = os.path.join(bitbakepath, settings.BITBAKE_PATH) + # Parallel fetching pool = multiprocessing.Pool(int(settings.PARALLEL_JOBS)) for url in allrepos: diff --git a/layerindex/update_layer.py b/layerindex/update_layer.py index 7131d70..f4111bd 100644 --- a/layerindex/update_layer.py +++ b/layerindex/update_layer.py @@ -300,7 +300,11 @@ def main(): logger.error("Please set LAYER_FETCH_DIR in settings.py")
[yocto] [layerindex-web] [PATCH 3/3] RFC: editlayer: Be more specific on the searches
Just because git.yoctoproject.org is in the URL, doesn't mean we can or should force the vcs_web_url to be a specific value. If it starts with git://git.yoctoproject.org then we can do this. git.openembedded.org already did this. This also changes github, gitlab and bitbucket references. Signed-off-by: Mark Hatle --- layerindex/tools/import_layer.py | 8 layerindex/tools/import_wiki_layers.py | 13 ++--- templates/layerindex/editlayer.html| 8 3 files changed, 18 insertions(+), 11 deletions(-) diff --git a/layerindex/tools/import_layer.py b/layerindex/tools/import_layer.py index 8fcbc15..ace58e5 100755 --- a/layerindex/tools/import_layer.py +++ b/layerindex/tools/import_layer.py 
@@ -36,27 +36,27 @@ def set_vcs_fields(layer, repoval): layer.vcs_web_tree_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_file_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_commit_url = 'http://cgit.openembedded.org/' + reponame + '/commit/?id=%hash%' -elif 'git.yoctoproject.org/' in repoval: +elif repoval.startswith('git://git.yoctoproject.org/'): reponame = re.sub('^.*/', '', repoval) layer.vcs_web_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame layer.vcs_web_tree_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_file_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_commit_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/commit/?id=%hash%' -elif 'github.com/' in repoval: +elif repoval.startswith('git://github.com/') or repoval.startswith('http://github.com/') or repoval.startswith('https://github.com/'): reponame = re.sub('^.*github.com/', '', repoval) reponame = re.sub('.git$', '', reponame) layer.vcs_web_url = 'http://github.com/' + reponame layer.vcs_web_tree_base_url = 'http://github.com/' + reponame + '/tree/%branch%/' layer.vcs_web_file_base_url = 'http://github.com/' + reponame + '/blob/%branch%/' layer.vcs_web_commit_url = 'http://github.com/' + reponame + '/commit/%hash%' -elif 'gitlab.com/' in repoval: +elif repoval.startswith('git://gitlab.com/') or repoval.startswith('http://gitlab.com/') or repoval.startswith('https://gitlab.com/'): reponame = re.sub('^.*gitlab.com/', '', repoval) reponame = re.sub('.git$', '', reponame) layer.vcs_web_url = 'http://gitlab.com/' + reponame layer.vcs_web_tree_base_url = 'http://gitlab.com/' + reponame + '/tree/%branch%/' layer.vcs_web_file_base_url = 'http://gitlab.com/' + reponame + '/blob/%branch%/' layer.vcs_web_commit_url = 'http://gitlab.com/' + reponame + 
'/commit/%hash%' -elif 'bitbucket.org/' in repoval: +elif repoval.startswith('git://bitbucket.org/') or repoval.startswith('http://bitbucket.org/') or repoval.startswith('https://bitbucket.org/'): reponame = re.sub('^.*bitbucket.org/', '', repoval) reponame = re.sub('.git$', '', reponame) layer.vcs_web_url = 'http://bitbucket.org/' + reponame diff --git a/layerindex/tools/import_wiki_layers.py b/layerindex/tools/import_wiki_layers.py index baf0c71..71f26ea 100755 --- a/layerindex/tools/import_wiki_layers.py +++ b/layerindex/tools/import_wiki_layers.py @@ -100,20 +100,27 @@ def main(): layer.vcs_web_tree_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_file_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_commit_url = 'http://cgit.openembedded.org/' + reponame + '/commit/?id=%hash%' -elif 'git.yoctoproject.org/' in repoval: +elif repoval.startswith('git://git.yoctoproject.org/'): reponame = re.sub('^.*/', '', repoval) layer.vcs_web_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame layer.vcs_web_tree_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_file_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%' layer.vcs_web_commit_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/commit/?id=%hash%' -elif 'github.com/' in repoval: +elif repoval.startswith('git://github.com/') or repoval.startswith('http://github.com/') or repoval.startswith('https://github.com/'): reponame = re.sub('^.*github.com/', '', repoval)
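Review bot: The new prefix checks are written out three times per host (`git://`, `http://`, `https://`) in import_layer.py and again in import_wiki_layers.py; a helper such as `def _is_host(repoval, host): return any(repoval.startswith(s + host) for s in ('git://', 'http://', 'https://'))` makes each `elif` one line and keeps both files in step. Moving from substring to prefix matching is the right direction — `'github.com/' in repoval` also matched any URL that merely contained that string — but it now rejects forms the old test accepted, such as `ssh://` URLs for these hosts; if any exist in the index that is a behaviour change worth stating in the commit message. The yoctoproject branch accepts only `git://git.yoctoproject.org/` while the github/gitlab/bitbucket branches also accept http(s); the commit message says this is deliberate, so a short comment on that `elif` would save the next reader from guessing. Unchanged in this hunk but on the new side, `re.sub('.git$', '', reponame)` uses an unescaped `.` and so strips any character before a trailing `git`; `r'\.git$'` is what is meant. `set_vcs_fields` continues outside the hunk.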
Re: [yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips
On 10/13/19 5:22 AM, Mark Hatle wrote: The original goal of this work was to enable a FIPS-140-2 OpenSSL module. Why is NSS part of this? Is something inside of the OpenSSL patches requesting NSS support, or is this a different -- but related request? No, there is no relation between openssl and nss, but while kernel enable fips "pass boot params `fips=1"', nss fips is enabled and trigger the issue, It seems all of them are part of fips system, fips includes kernel and userspace, and fips 140-2 is also part of it //Hongxu --Mark On 10/12/19 3:17 AM, Hongxu Jia wrote: Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same macro limitaition to fips enable test, currently we are not ready to support nss fips ... $ certutil -N -d sql:. --empty-password |certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot. $rpm -h |error: Failed to initialize NSS library ... Signed-off-by: Hongxu Jia --- .../nss/nss/0001-conditionally-enable-fips.patch | 93 ++ recipes-support/nss/nss_3.%.bbappend | 4 + recipes-support/nss/nss_fips.inc | 4 + 3 files changed, 101 insertions(+) create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch create mode 100644 recipes-support/nss/nss_3.%.bbappend create mode 100644 recipes-support/nss/nss_fips.inc diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch new file mode 100644 index 000..d11db91 --- /dev/null +++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch 
@@ -0,0 +1,93 @@ +From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Sat, 12 Oct 2019 10:49:28 +0800 +Subject: [PATCH] conditionally enable fips + +Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same +macro limitaition to fips enable test, currently we are not ready +to support nss fips + +... +$ certutil -N -d sql:. --empty-password +|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11 +module returned CKR_DEVICE_ERROR, indicating that a problem has occurred +with the token or slot. + +$rpm -h +|error: Failed to initialize NSS library +... + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia +--- + nss/coreconf/config.mk | 2 ++ + nss/lib/freebl/nsslowhash.c | 2 +- + nss/lib/pk11wrap/pk11util.c | 2 +- + nss/lib/sysinit/nsssysinit.c | 4 + 4 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk +index 60a0841..dcca87f 100644 +--- a/nss/coreconf/config.mk b/nss/coreconf/config.mk +@@ -179,6 +179,8 @@ endif + # executing the startup tests at library load time. 
+ ifndef NSS_FORCE_FIPS + DEFINES += -DNSS_NO_INIT_SUPPORT ++else ++DEFINES += -DNSS_FORCE_FIPS + endif + + ifdef NSS_SEED_ONLY_DEV_URANDOM +diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c +index 22f9781..baf71c3 100644 +--- a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c +@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr { + static int + nsslow_GetFIPSEnabled(void) + { +-#ifdef LINUX ++#if defined LINUX && defined NSS_FORCE_FIPS + FILE *f; + char d; + size_t size; +diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c +index 502c4d0..cd86270 100644 +--- a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c +@@ -98,7 +98,7 @@ SECMOD_Shutdown() + int + secmod_GetSystemFIPSEnabled(void) + { +-#ifdef LINUX ++#if defined LINUX && defined NSS_FORCE_FIPS + FILE *f; + char d; + size_t size; +diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c +index bd0fac2..5c09e8d 100644 +--- a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c +@@ -168,6 +168,7 @@ getFIPSEnv(void) + static PRBool + getFIPSMode(void) + { ++#ifdef NSS_FORCE_FIPS + FILE *f; + char d; + size_t size; +@@ -186,6 +187,9 @@ getFIPSMode(void) + if (d != '1') + return PR_FALSE; + return PR_TRUE; ++#else ++return PR_FALSE; ++#endif + } + + #define NSS_DEFAULT_FLAGS "flags=readonly" +-- +2.7.4 + diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend new file mode 100644 index 000..9608ca3 --- /dev/null +++ b/recipes-support/nss/nss_3.%.bbappend @@ -0,0 +1,4 @@ +FIPSINC = "" +FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}" + +require ${FIPSINC} diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc new file mode 100644 index 000..b183f55 --- /dev/null +++ b/recipes-support/nss/nss_fips.inc @@ -0,0 +1,4 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/nss:" +SRC_URI += " \ +file://0001-conditionally-enable-fips.patch \ +" --