-rw-r--r--.gitlab-ci.yml41
-rw-r--r--README.md (renamed from README)35
-rw-r--r--classes/aide-base.bbclass11
-rw-r--r--classes/aide-db-init.bbclass52
-rw-r--r--classes/dm-verity-img.bbclass148
-rw-r--r--classes/sanity-meta-security.bbclass2
-rw-r--r--conf/distro/include/maintainers-meta-security.inc57
-rw-r--r--conf/distro/include/maintainers.inc57
-rw-r--r--conf/layer.conf19
-rw-r--r--docs/dm-verity-beaglebone.txt37
-rw-r--r--docs/dm-verity-systemd-hash-x86-64.txt43
-rw-r--r--docs/dm-verity-systemd-x86-64.txt77
-rw-r--r--docs/dm-verity.txt123
-rw-r--r--dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend18
-rw-r--r--dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb (renamed from recipes-scanners/checksecurity/checksecurity_2.0.15.bb)22
-rw-r--r--dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch (renamed from recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch)17
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb (renamed from recipes-security/bastille/bastille_3.2.1.bb)25
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm (renamed from recipes-security/bastille/files/API.pm)0
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm (renamed from recipes-security/bastille/files/AccountPermission.pm)16
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm (renamed from recipes-security/bastille/files/FileContent.pm)16
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm (renamed from recipes-security/bastille/files/HPSpecific.pm)0
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm (renamed from recipes-security/bastille/files/Miscellaneous.pm)0
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm (renamed from recipes-security/bastille/files/ServiceAdmin.pm)0
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch (renamed from recipes-security/bastille/files/accept_os_flag_in_backend.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch (renamed from recipes-security/bastille/files/allow_os_with_assess.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch (renamed from recipes-security/bastille/files/call_output_config.patch)2
-rwxr-xr-xdynamic-layers/meta-perl/recipes-security/bastille/files/config (renamed from recipes-security/bastille/files/config)0
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch (renamed from recipes-security/bastille/files/do_not_apply_config.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch (renamed from recipes-security/bastille/files/edit_usage_message.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch (renamed from recipes-security/bastille/files/find_existing_config.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch (renamed from recipes-security/bastille/files/fix_missing_use_directives.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch (renamed from recipes-security/bastille/files/fix_number_of_modules.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch (renamed from recipes-security/bastille/files/fix_version_parse.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch (renamed from recipes-security/bastille/files/fixed_defined_warnings.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch (renamed from recipes-security/bastille/files/organize_distro_discovery.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch (renamed from recipes-security/bastille/files/remove_questions_text_file_references.patch)2
-rwxr-xr-xdynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py (renamed from recipes-security/bastille/files/set_required_questions.py)0
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch (renamed from recipes-security/bastille/files/simplify_B_place.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch (renamed from recipes-security/bastille/files/upgrade_options_processing.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch (renamed from recipes-security/nikto/files/location.patch)2
-rw-r--r--dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb (renamed from recipes-security/nikto/nikto_2.1.6.bb)6
-rw-r--r--dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend10
-rw-r--r--dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb14
-rw-r--r--dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb9
-rw-r--r--dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch92
-rw-r--r--dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb22
-rw-r--r--dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb9
-rw-r--r--dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb9
-rw-r--r--dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb9
-rw-r--r--dynamic-layers/meta-python/recipes-security/fail2ban/files/initd (renamed from recipes-security/fail2ban/files/initd)0
-rw-r--r--dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest (renamed from recipes-security/fail2ban/files/run-ptest)0
-rw-r--r--dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb74
-rw-r--r--dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb37
-rw-r--r--dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb (renamed from recipes-python/python/python3-oauth2client_4.1.3.bb)2
-rw-r--r--dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest3
-rw-r--r--dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service20
-rw-r--r--dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml1326
-rw-r--r--dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata2
-rw-r--r--dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata2
-rw-r--r--dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc8
-rw-r--r--dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb193
-rw-r--r--dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend4
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch318
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch (renamed from recipes-security/sssd/files/drop_ntpdate_chk.patch)0
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch25
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch (renamed from recipes-security/sssd/files/fix_gid.patch)8
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch53
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch (renamed from recipes-security/sssd/files/no_gen.patch)8
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf15
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd (renamed from recipes-security/sssd/files/volatiles.99_sssd)0
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb (renamed from recipes-security/sssd/sssd_2.5.0.bb)80
-rw-r--r--kas/kas-security-alt.yml2
-rw-r--r--kas/kas-security-base.yml24
-rw-r--r--kas/kas-security-dm.yml1
-rw-r--r--kas/kas-security-parsec.yml6
-rw-r--r--kas/qemuarm64-multi.yml12
-rw-r--r--kas/qemumips64-multi.yml4
-rw-r--r--kas/qemuppc-parsec.yml6
-rw-r--r--kas/qemuppc.yml6
-rw-r--r--kas/qemux86-64-multi.yml12
-rw-r--r--kas/qemux86-comp.yml11
-rw-r--r--lib/oeqa/runtime/cases/aide.py26
-rw-r--r--lib/oeqa/runtime/cases/checksec.py2
-rw-r--r--lib/oeqa/runtime/cases/clamav.py21
-rw-r--r--lib/oeqa/runtime/cases/firejail.py18
-rw-r--r--lib/oeqa/runtime/cases/smack.py142
-rw-r--r--lib/oeqa/runtime/cases/sssd.py4
-rw-r--r--meta-hardening/README.md (renamed from meta-hardening/README)6
-rw-r--r--meta-hardening/conf/distro/harden.conf2
-rw-r--r--meta-hardening/conf/layer.conf6
-rw-r--r--meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend2
-rw-r--r--meta-hardening/recipes-core/base-files/base-files_%.bbappend2
-rw-r--r--meta-hardening/recipes-core/images/harden-image-minimal.bb13
-rw-r--r--meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend6
-rw-r--r--meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb2
-rw-r--r--meta-hardening/recipes-extended/shadow/shadow_%.bbappend2
-rw-r--r--meta-hardening/recipes-extended/sudo/sudo_%.bbappend4
-rw-r--r--meta-integrity/README.md34
-rw-r--r--meta-integrity/classes/ima-evm-rootfs.bbclass48
-rw-r--r--meta-integrity/classes/kernel-modsign.bbclass8
-rw-r--r--meta-integrity/conf/layer.conf6
-rw-r--r--meta-integrity/data/debug-keys/README.md17
-rw-r--r--meta-integrity/data/debug-keys/ima-local-ca.pem15
-rw-r--r--meta-integrity/data/debug-keys/ima-local-ca.priv7
-rw-r--r--meta-integrity/data/debug-keys/privkey_ima.pem17
-rw-r--r--meta-integrity/data/debug-keys/x509_ima.derbin707 -> 620 bytes
-rw-r--r--meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc61
-rw-r--r--meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend1
-rw-r--r--meta-integrity/lib/oeqa/runtime/cases/ima.py10
-rw-r--r--meta-integrity/recipes-core/base-files/base-files-ima.inc2
-rw-r--r--meta-integrity/recipes-core/images/integrity-image-minimal.bb12
-rw-r--r--meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb6
-rw-r--r--meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb2
-rw-r--r--meta-integrity/recipes-core/systemd/systemd_%.bbappend4
-rw-r--r--meta-integrity/recipes-kernel/linux/linux-%.bbappend5
-rw-r--r--meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend3
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch51
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch138
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch60
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/audit.cfg2
-rw-r--r--meta-integrity/recipes-kernel/linux/linux_ima.inc11
-rw-r--r--meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb4
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch39
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch68
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch50
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch47
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb30
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb38
-rw-r--r--meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all9
-rw-r--r--meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb4
-rw-r--r--meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb4
-rw-r--r--meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb4
-rwxr-xr-xmeta-integrity/scripts/ima-gen-CA-signed.sh9
-rwxr-xr-xmeta-integrity/scripts/ima-gen-local-ca.sh6
-rwxr-xr-xmeta-integrity/scripts/ima-gen-self-signed.sh41
-rw-r--r--meta-parsec/README.md138
-rw-r--r--meta-parsec/conf/layer.conf8
-rw-r--r--meta-parsec/lib/oeqa/runtime/cases/parsec.py232
-rw-r--r--meta-parsec/recipes-core/images/security-parsec-image.bb18
-rw-r--r--meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb16
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch18
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf1
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/files/systemd.patch21
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc474
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb67
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc147
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb96
-rw-r--r--meta-parsec/recipes-parsec/parsec-tool/files/0001-parsec-cli-tests.sh-adapt-to-new-serialNumber-output.patch33
-rw-r--r--meta-parsec/recipes-parsec/parsec-tool/parsec-tool-crates.inc366
-rw-r--r--meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb17
-rw-r--r--meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.inc127
-rw-r--r--meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.7.0.bb29
-rw-r--r--meta-security-compliance/README41
-rw-r--r--meta-security-compliance/conf/layer.conf15
-rw-r--r--meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb32
-rw-r--r--meta-security-compliance/recipes-core/os-release/os-release.bbappend1
-rw-r--r--meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml14
-rw-r--r--meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml83
-rw-r--r--meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt72
-rw-r--r--meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh7
-rw-r--r--meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh5
-rw-r--r--meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb33
-rw-r--r--meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch130
-rw-r--r--meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb23
-rw-r--r--meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb9
-rw-r--r--meta-security-compliance/recipes-openscap/openscap/openscap_git.bb12
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch39
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch46
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-fix-deprecated-instance-of-element.getchildren.patch43
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fix-missing-openembedded-from-ssg-constants.py.patch34
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch35
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-fix-deprecated-getiterator-function.patch58
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/files/0003-fix-remaining-getchildren-and-getiterator-functions.patch57
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc35
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb8
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb17
-rw-r--r--meta-security-isafw/.gitignore2
-rw-r--r--meta-security-isafw/COPYING.MIT17
-rw-r--r--meta-security-isafw/README.md92
-rw-r--r--meta-security-isafw/classes/isafw.bbclass318
-rw-r--r--meta-security-isafw/conf/layer.conf17
-rw-r--r--meta-security-isafw/lib/isafw/__init__.py40
-rw-r--r--meta-security-isafw/lib/isafw/isafw.py158
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py392
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py217
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py185
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py323
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py273
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/__init__.py42
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py0
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py0
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py24
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py242
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py38
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi43
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions0
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses105
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/violations7
-rw-r--r--meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb25
-rw-r--r--meta-tpm/README.md (renamed from meta-tpm/README)8
-rw-r--r--meta-tpm/classes/sanity-meta-tpm.bbclass4
-rw-r--r--meta-tpm/conf/distro/include/maintainers-meta-tpm.inc38
-rw-r--r--meta-tpm/conf/distro/include/maintainers.inc38
-rw-r--r--meta-tpm/conf/layer.conf8
-rw-r--r--meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch38
-rw-r--r--meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc12
-rw-r--r--meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend1
-rw-r--r--meta-tpm/lib/oeqa/runtime/cases/swtpm.py26
-rw-r--r--meta-tpm/lib/oeqa/runtime/cases/tpm2.py54
-rw-r--r--meta-tpm/recipes-core/images/security-tpm2-image.bb1
-rw-r--r--meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb4
-rw-r--r--meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb10
-rw-r--r--meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb13
-rw-r--r--meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb4
-rw-r--r--meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend1
-rw-r--r--meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg4
-rw-r--r--meta-tpm/recipes-kernel/linux/linux-yocto_%.bbappend1
-rw-r--r--meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend1
-rw-r--r--meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc13
-rw-r--r--meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch26
-rw-r--r--meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch33
-rw-r--r--meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch48
-rw-r--r--meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb (renamed from meta-tpm/recipes-tpm/libtpm/libtpm_0.8.2.bb)4
-rw-r--r--meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch31
-rw-r--r--meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch66
-rw-r--r--meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch22
-rw-r--r--meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch65
-rw-r--r--meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb12
-rw-r--r--meta-tpm/recipes-tpm/swtpm/swtpm_0.8.1.bb (renamed from meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb)37
-rw-r--r--meta-tpm/recipes-tpm1/hoth/libhoth_git.bb17
-rw-r--r--meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch (renamed from meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch)2
-rw-r--r--meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch (renamed from meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch)2
-rw-r--r--meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch (renamed from meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch)2
-rw-r--r--meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch (renamed from meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch)2
-rw-r--r--meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch (renamed from meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch)0
-rw-r--r--meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb (renamed from meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb)34
-rw-r--r--meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch (renamed from meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch)0
-rw-r--r--meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb (renamed from meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb)4
-rw-r--r--meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb (renamed from meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb)7
-rw-r--r--meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch (renamed from meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch)0
-rw-r--r--meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch (renamed from meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch)0
-rw-r--r--meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch (renamed from meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch)2
-rw-r--r--meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb (renamed from meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb)16
-rw-r--r--meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch (renamed from meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch)0
-rw-r--r--meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch (renamed from meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch)0
-rw-r--r--meta-tpm/recipes-tpm1/trousers/files/tcsd.service (renamed from meta-tpm/recipes-tpm/trousers/files/tcsd.service)0
-rw-r--r--meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules (renamed from meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules)0
-rw-r--r--meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh (renamed from meta-tpm/recipes-tpm/trousers/files/trousers.init.sh)0
-rw-r--r--meta-tpm/recipes-tpm1/trousers/trousers_git.bb (renamed from meta-tpm/recipes-tpm/trousers/trousers_git.bb)36
-rw-r--r--meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch7
-rw-r--r--meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_164-2020-192.1.bb (renamed from meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb)12
-rw-r--r--meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1661.bb (renamed from meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb)6
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_3.0.0.bb (renamed from meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb)20
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.1.bb21
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch77
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch295
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch12
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb55
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb47
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb15
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch2
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch2
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch2
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb20
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb13
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb15
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb2
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb23
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-configure.ac-fix-compatibility-with-autoconf-2.70.patch48
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4332
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch31
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch29
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb78
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb97
-rw-r--r--recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch51
-rw-r--r--recipes-compliance/lynis/lynis_3.0.9.bb (renamed from meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb)16
-rw-r--r--recipes-compliance/openscap/openscap_1.3.9.bb (renamed from meta-security-compliance/recipes-openscap/openscap/openscap.inc)43
-rw-r--r--recipes-compliance/scap-security-guide/files/run-ptest7
-rw-r--r--recipes-compliance/scap-security-guide/files/run_eval.sh3
-rw-r--r--recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb92
-rw-r--r--recipes-core/images/dm-verity-image-initramfs.bb11
-rw-r--r--recipes-core/images/security-build-image.bb6
-rw-r--r--recipes-core/images/security-test-image.bb11
-rw-r--r--recipes-core/initrdscripts/initramfs-framework-dm/dmverity (renamed from recipes-core/initrdscripts/initramfs-framework/dmverity)46
-rw-r--r--recipes-core/initrdscripts/initramfs-framework.inc14
-rw-r--r--recipes-core/initrdscripts/initramfs-framework_1.0.bbappend2
-rw-r--r--recipes-core/packagegroup/packagegroup-core-security.bb87
-rw-r--r--recipes-ids/aide/aide/aide.conf11
-rw-r--r--recipes-ids/aide/aide_0.17.3.bb41
-rw-r--r--recipes-ids/aide/aide_0.17.4.bb74
-rw-r--r--recipes-ids/crowdsec/crowdsec_1.1.1.bb42
-rw-r--r--recipes-ids/ossec/ossec-hids_3.6.0.bb165
-rw-r--r--recipes-ids/ossec/ossec-hids_3.7.0.bb170
-rw-r--r--recipes-ids/samhain/files/0001-Don-t-expose-configure-args.patch44
-rw-r--r--recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch2
-rw-r--r--recipes-ids/samhain/files/samhain-pid-path.patch12
-rw-r--r--recipes-ids/samhain/samhain-client.bb7
-rw-r--r--recipes-ids/samhain/samhain-server.bb9
-rw-r--r--recipes-ids/samhain/samhain-standalone.bb12
-rw-r--r--recipes-ids/samhain/samhain.inc38
-rw-r--r--recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch26
-rw-r--r--recipes-ids/suricata/files/fixup.patch (renamed from dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch)28
-rw-r--r--recipes-ids/suricata/files/no_libhtp_build.patch38
-rw-r--r--recipes-ids/suricata/libhtp_0.5.36.bb15
-rw-r--r--recipes-ids/suricata/libhtp_0.5.45.bb (renamed from dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb)4
-rw-r--r--recipes-ids/suricata/python3-suricata-update_1.2.1.bb17
-rw-r--r--recipes-ids/suricata/suricata-crates.inc1150
-rw-r--r--recipes-ids/suricata/suricata.inc7
-rw-r--r--recipes-ids/suricata/suricata_7.0.0.bb (renamed from recipes-ids/suricata/suricata_4.1.10.bb)77
-rw-r--r--recipes-ids/tripwire/files/add_armeb_arch.patch18
-rw-r--r--recipes-ids/tripwire/tripwire_2.4.3.7.bb20
-rw-r--r--recipes-kernel/linux/files/lkrg.cfg4
-rw-r--r--recipes-kernel/linux/files/lkrg.scc5
-rw-r--r--recipes-kernel/linux/linux-yocto-rt_%.bbappend1
-rw-r--r--recipes-kernel/linux/linux-yocto_%.bbappend (renamed from recipes-kernel/linux/linux-yocto_5.%.bbappend)0
-rw-r--r--recipes-kernel/linux/linux-yocto_security.inc9
-rw-r--r--recipes-kernel/lkrg/files/makefile_cleanup.patch73
-rw-r--r--recipes-kernel/lkrg/lkrg-module_0.9.7.bb (renamed from recipes-kernel/lkrg/lkrg-module_0.9.1.bb)21
-rw-r--r--recipes-mac/AppArmor/apparmor_3.1.3.bb (renamed from recipes-mac/AppArmor/apparmor_3.0.bb)82
-rw-r--r--recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch51
-rw-r--r--recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch91
-rw-r--r--recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch31
-rw-r--r--recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch43
-rw-r--r--recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch36
-rw-r--r--recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch37
-rw-r--r--recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch37
-rw-r--r--recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch34
-rw-r--r--recipes-mac/AppArmor/files/apparmor226
-rw-r--r--recipes-mac/AppArmor/files/apparmor.rc98
-rw-r--r--recipes-mac/AppArmor/files/apparmor.service22
-rw-r--r--recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch2
-rw-r--r--recipes-mac/AppArmor/files/disable_pdf.patch33
-rw-r--r--recipes-mac/AppArmor/files/disable_perl_h_check.patch19
-rw-r--r--recipes-mac/AppArmor/files/functions271
-rw-r--r--recipes-mac/ccs-tools/README2
-rw-r--r--recipes-mac/ccs-tools/ccs-tools_1.8.9.bb (renamed from recipes-mac/ccs-tools/ccs-tools_1.8.4.bb)15
-rw-r--r--recipes-mac/smack/smack-test/notroot.py12
-rw-r--r--recipes-mac/smack/smack-test/smack_test_file_access.sh10
-rw-r--r--recipes-mac/smack/smack-test_1.0.bb2
-rw-r--r--recipes-mac/smack/smack_1.3.1.bb23
-rw-r--r--recipes-mac/smack/tcp-smack-test/tcp_client.c222
-rw-r--r--recipes-mac/smack/tcp-smack-test/tcp_server.c236
-rw-r--r--recipes-mac/smack/udp-smack-test/udp_client.c150
-rw-r--r--recipes-mac/smack/udp-smack-test/udp_server.c186
-rw-r--r--recipes-perl/perl/files/libwhisker2.patch2
-rw-r--r--recipes-perl/perl/lib-perl_0.63.bb9
-rw-r--r--recipes-perl/perl/libwhisker2-perl_2.5.bb11
-rw-r--r--recipes-scanners/arpwatch/arpwatch_3.3.bb (renamed from recipes-scanners/arpwatch/arpwatch_3.1.bb)33
-rw-r--r--recipes-scanners/arpwatch/files/host_contam_fix.patch8
-rw-r--r--recipes-scanners/arpwatch/files/postfix_workaround.patch91
-rw-r--r--recipes-scanners/buck-security/buck-security_0.7.bb9
-rw-r--r--recipes-scanners/checksec/checksec_2.6.0.bb (renamed from recipes-scanners/checksec/checksec_2.4.0.bb)12
-rw-r--r--recipes-scanners/checksecurity/files/setuid-log-folder.patch52
-rw-r--r--recipes-scanners/clamav/clamav_0.104.4.bb (renamed from recipes-scanners/clamav/clamav_0.104.0.bb)64
-rw-r--r--recipes-scanners/clamav/files/fix_systemd_socket.patch25
-rw-r--r--recipes-scanners/clamav/files/headers_fixup.patch8
-rw-r--r--recipes-scanners/clamav/files/oe_cmake_fixup.patch2
-rw-r--r--recipes-scanners/rootkits/chkrootkit_0.57.bb (renamed from recipes-scanners/rootkits/chkrootkit_0.53.bb)6
-rw-r--r--recipes-scanners/rootkits/files/musl_fix.patch58
-rw-r--r--recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch45
-rw-r--r--recipes-security/Firejail/firejail_0.9.72.bb65
-rw-r--r--recipes-security/aircrack-ng/aircrack-ng_1.6.bb (renamed from recipes-security/aircrack-ng/aircrack-ng_1.3.bb)12
-rw-r--r--recipes-security/chipsec/chipsec_1.9.1.bb34
-rw-r--r--recipes-security/cryptmount/cryptmount_6.2.0.bb36
-rw-r--r--recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb16
-rw-r--r--recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch2
-rw-r--r--recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch2
-rw-r--r--recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch28
-rwxr-xr-xrecipes-security/fail2ban/files/fail2ban_setup.py174
-rw-r--r--recipes-security/fail2ban/python3-fail2ban_0.11.2.bb53
-rw-r--r--recipes-security/fscrypt/fscrypt_1.1.0.bb51
-rw-r--r--recipes-security/fscryptctl/fscryptctl_1.1.0.bb (renamed from recipes-security/fscryptctl/fscryptctl_1.0.0.bb)11
-rw-r--r--recipes-security/glome/glome_git.bb24
-rw-r--r--recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb (renamed from recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb)6
-rw-r--r--recipes-security/isic/files/configure_fix.patch3
-rw-r--r--recipes-security/isic/files/isic-0.07-make.patch2
-rw-r--r--recipes-security/isic/files/isic-0.07-netinet.patch2
-rw-r--r--recipes-security/isic/isic_0.07.bb2
-rw-r--r--recipes-security/krill/files/panic_workaround.patch16
-rw-r--r--recipes-security/krill/krill-crates.inc550
-rw-r--r--recipes-security/krill/krill_0.12.3.bb42
-rw-r--r--recipes-security/libdhash/ding-libs_0.6.1.bb2
-rw-r--r--recipes-security/libest/libest_3.2.0.bb11
-rw-r--r--recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch43
-rw-r--r--recipes-security/libgssglue/files/libgssglue-g-initialize.patch21
-rw-r--r--recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch27
-rw-r--r--recipes-security/libgssglue/files/libgssglue-mglueP.patch21
-rw-r--r--recipes-security/libgssglue/libgssglue_0.8.bb (renamed from recipes-security/libgssglue/libgssglue_0.4.bb)28
-rw-r--r--recipes-security/libmhash/libmhash_0.9.9.9.bb10
-rw-r--r--recipes-security/libmspack/libmspack_1.11.bb (renamed from recipes-security/libmspack/libmspack_1.9.1.bb)6
-rw-r--r--recipes-security/mfa/python3-privacyidea_3.5.2.bb40
-rw-r--r--recipes-security/ncrack/ncrack_0.7.bb6
-rw-r--r--recipes-security/opendnssec/files/libdns_conf_fix.patch2
-rw-r--r--recipes-security/opendnssec/files/libxml2_conf.patch2
-rw-r--r--recipes-security/opendnssec/opendnssec_2.1.10.bb (renamed from recipes-security/opendnssec/opendnssec_2.1.9.bb)10
-rw-r--r--recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch26
-rw-r--r--recipes-security/paxctl/paxctl_0.9.bb10
-rw-r--r--recipes-security/redhat-security/redhat-security_1.0.bb4
-rw-r--r--recipes-security/sshguard/sshguard_2.4.3.bb11
-rw-r--r--recipes-security/sssd/files/sssd.conf8
-rw-r--r--wic/beaglebone-yocto-verity.wks.in5
-rw-r--r--wic/systemd-bootdisk-dmverity-hash.wks.in18
-rw-r--r--wic/systemd-bootdisk-dmverity.wks.in4
403 files changed, 7312 insertions, 10713 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 206d724..1e82a87 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -17,7 +17,6 @@
stages:
- base
- parsec
- - multi
- musl
- test
@@ -35,14 +34,6 @@ stages:
after_script:
- *after-my-script
-
-.multi:
- before_script:
- - *before-my-script
- stage: multi
- after_script:
- - *after-my-script
-
.musl:
before_script:
- *before-my-script
@@ -61,12 +52,11 @@ qemux86:
extends: .base
script:
- kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal"
- - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
- kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
qemux86-musl:
extends: .musl
- needs: ['qemux86-parsec']
+ needs: ['qemux86']
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
@@ -97,12 +87,6 @@ qemux86-64-parsec:
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
-qemux86-64-multi:
- extends: .multi
- needs: ['qemux86-64']
- script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-
qemuarm:
extends: .base
script:
@@ -120,12 +104,6 @@ qemuarm64:
- kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal"
- kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
-qemuarm64-multi:
- extends: .multi
- needs: ['qemuarm64']
- script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-
qemuarm64-musl:
extends: .musl
needs: ['qemuarm64']
@@ -138,28 +116,11 @@ qemuarm64-parsec:
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
-qemuppc:
- extends: .base
- script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-
-qemuppc-parsec:
- extends: .parsec
- needs: ['qemuppc']
- script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-
qemumips64:
extends: .base
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
-qemumips64-multi:
- extends: .multi
- needs: ['qemumips64']
- script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-
qemuriscv64:
extends: .base
script:
diff --git a/README b/README.md
index 4047b86..2d1996b 100644
--- a/README
+++ b/README.md
@@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need
to have 'security' in DISTRO_FEATURES to have effect.
To enable them, add in configuration file the following line.
- DISTRO_FEATURES_append = " security"
+ DISTRO_FEATURES:append = " security"
If meta-security is included, but security is not enabled as a
distro feature a warning is printed at parse time:
@@ -28,20 +28,10 @@ Dependencies
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
- branch: master
+ branch: [same one as checked out for this layer]
URI: git://git.openembedded.org/meta-openembedded/meta-oe
- branch: master
-
- URI: git://git.openembedded.org/meta-openembedded/meta-perl
- branch: master
-
- URI: git://git.openembedded.org/meta-openembedded/meta-python
- branch: master
-
- URI: git://git.openembedded.org/meta-openembedded/meta-networking
- branch: master
-
+ branch: [same one as checked out for this layer]
Adding the security layer to your build
========================================
@@ -57,21 +47,22 @@ other layers needed. e.g.:
BBLAYERS ?= " \
/path/to/oe-core/meta \
/path/to/meta-openembedded/meta-oe \
- /path/to/meta-openembedded/meta-perl \
- /path/to/meta-openembedded/meta-python \
- /path/to/meta-openembedded/meta-networking \
/path/to/layer/meta-security "
-Optional Rust dependancy
+Optional Dynamic layer dependancy
======================================
-If you want to use the latest Suricata that needs rust, you will need to clone
- URI: https://github.com/meta-rust/meta-rust.git
- branch: master
+ URI: git://git.openembedded.org/meta-openembedded/meta-oe
+
+ URI: git://git.openembedded.org/meta-openembedded/meta-perl
+
+ URI: git://git.openembedded.org/meta-openembedded/meta-python
- BBLAYERS += "/path/to/layer/meta-rust"
+ BBLAYERS += "/path/to/layer/meta-openembedded/meta-oe"
+ BBLAYERS += "/path/to/layer/meta-openembedded/meta-perl"
+ BBLAYERS += "/path/to/layer/meta-openembedded/meta-python"
-This will activate the dynamic-layer mechanism and pull in the newer suricata
+This will activate the dynamic-layer mechanism.
diff --git a/classes/aide-base.bbclass b/classes/aide-base.bbclass
new file mode 100644
index 0000000..36cc454
--- /dev/null
+++ b/classes/aide-base.bbclass
@@ -0,0 +1,11 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+
+STAGING_AIDE_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/aida"
+AIDE_INCLUDE_DIRS ?= "/lib"
+AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+
+AIDE_SCAN_POSTINIT ?= "0"
+AIDE_RESCAN_POSTINIT ?= "0"
+
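Review bot: `AIDE_SKIP_DIRS ?= "/lib/modules/.\*"` only produces the intended `.*` regex because the value is later word-split unquoted in a shell `for` loop (the `for dir in ${AIDE_SKIP_DIRS}` loop in aide-db-init.bbclass), where `\*` is an escaped asterisk that is not globbed against the host filesystem; nothing says so, and the backslash looks like a typo waiting to be "fixed". Add above it `# aide.conf regexes; the backslash stops the shell globbing '*' when aide_init_db word-splits this list`. The `aida` directory component in `STAGING_AIDE_DIR` also reads like a typo for `aide`; if the aide-native recipe stages into exactly that path, a one-line comment stating that would keep the two from drifting apart.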
diff --git a/classes/aide-db-init.bbclass b/classes/aide-db-init.bbclass
new file mode 100644
index 0000000..800006f
--- /dev/null
+++ b/classes/aide-db-init.bbclass
@@ -0,0 +1,52 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+# This class creates the initial aide database durning
+# the build cycle allowing for that set being skipped during boot
+# It has an additional benefit of having not being tamper with
+# after build.
+#
+# To have the aide db created during build
+# 1. Extend local.conf:
+# INHERIT += "adie-init-db"
+#
+# These are the defaults as defined in aide-base.bbclass
+# They can be overriden in your local.conf or other distro include
+#
+# To define where the share directory should be.
+# STAGING_AIDE_DIR = "${TMPDIR}/work-shared/${MACHINE}/aida"
+#
+# To define which directories should be inclued in a scan
+# AIDE_INCLUDE_DIRS ?= "/lib"
+#
+# To exclude directories and files from being scanned
+# AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+#
+# To controll if a db init should happen at postint
+# AIDE_SCAN_POSTINIT ?= "0"
+#
+# To cotroll if a db recan should be run at postinit
+# AIDE_RESCAN_POSTINIT ?= "0"
+
+inherit aide-base
+
+aide_init_db() {
+ for dir in ${AIDE_INCLUDE_DIRS}; do
+ echo "${IMAGE_ROOTFS}${dir} NORMAL" >> ${STAGING_AIDE_DIR}/aide.conf
+ done
+ for dir in ${AIDE_SKIP_DIRS}; do
+ echo "!${IMAGE_ROOTFS}${dir}" >> ${STAGING_AIDE_DIR}/aide.conf
+ done
+
+
+ ${STAGING_AIDE_DIR}/bin/aide -c ${STAGING_AIDE_DIR}/aide.conf --init
+ gunzip ${STAGING_AIDE_DIR}/lib/aide.db.gz
+ # strip out native path
+ sed -i -e 's:${IMAGE_ROOTFS}::' ${STAGING_AIDE_DIR}/lib/aide.db
+ gzip -9 ${STAGING_AIDE_DIR}/lib/aide.db
+ cp -f ${STAGING_AIDE_DIR}/lib/aide.db.gz ${IMAGE_ROOTFS}${libdir}/aide
+}
+
+EXTRA_IMAGEDEPENDS:append = " aide-native"
+
+ROOTFS_POSTPROCESS_COMMAND:append = " aide_init_db;"
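Review bot: The usage comment `INHERIT += "adie-init-db"` names a class that does not exist; this file is aide-db-init.bbclass, so it should read `INHERIT += "aide-db-init"` (the header also has `durning`, `inclued`, `controll`, `cotroll` and `recan`). `aide_init_db` appends with `>>` to `${STAGING_AIDE_DIR}/aide.conf`, and that directory defaults to `${TMPDIR}/work-shared/${MACHINE}/aida`, which persists across images and rebuilds, so each rootfs postprocess run adds another copy of the include and skip rules and the database is initialised from an ever-growing, partly stale rule set; writing the generated rules into a per-image copy (for example `${STAGING_AIDE_DIR}/${IMAGE_BASENAME}.aide.conf`, seeded from the base aide.conf, and passing that to `-c`) avoids the accumulation. The header's claim that the build-time database "cannot be tampered with after build" holds only if the rootfs, or at least `${libdir}/aide/aide.db.gz`, is delivered on read-only, integrity-protected storage, since the file is copied into the image itself at the end of `aide_init_db`; the comment should say so.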
diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 16d395b..7f79548 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -10,11 +10,22 @@
# assure data integrity, the root hash must be stored in a trusted location
# or cryptographically signed and verified.
#
+# Optionally, we can store the hash data on a separate device or partition
+# for improved compartmentalization and ease of use/deployment.
+#
# Usage:
# DM_VERITY_IMAGE = "core-image-full-cmdline" # or other image
# DM_VERITY_IMAGE_TYPE = "ext4" # or ext2, ext3 & btrfs
+# DM_VERITY_SEPARATE_HASH = "1" # optional; store hash on separate dev
# IMAGE_CLASSES += "dm-verity-img"
#
+# Using the GPT UUIDs specified in the standard can also be useful in that
+# they are displayed and translated in cfdisk output.
+#
+# DM_VERITY_ROOT_GUID = <UUID for your architecture and root-fs>
+# DM_VERITY_RHASH_GUID = <UUID for your architecture and verity-hash>
+# https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
# The resulting image can then be used to implement the device mapper block
# integrity checking on the target device.
@@ -22,13 +33,35 @@
# is stored where it can be installed into associated initramfs rootfs.
STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
+# location of images, default current image recipe. Set to DEPLOY_DIR_IMAGE
+# if non-verity images want to embed the .wks and verity image.
+DM_VERITY_DEPLOY_DIR ?= "${IMGDEPLOYDIR}"
+
+# Define the data block size to use in veritysetup.
+DM_VERITY_IMAGE_DATA_BLOCK_SIZE ?= "1024"
+
+# Define the hash block size to use in veritysetup.
+DM_VERITY_IMAGE_HASH_BLOCK_SIZE ?= "4096"
+
+# Should we store the hash data on a separate device/partition?
+DM_VERITY_SEPARATE_HASH ?= "0"
+
+# These are arch specific. We could probably intelligently auto-assign these?
+# Take x86-64 values as defaults. No impact on functionality currently.
+# See SD_GPT_ROOT_X86_64 and SD_GPT_ROOT_X86_64_VERITY in the spec.
+# Note - these are passed directly to sgdisk so hyphens needed.
+DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
+DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
+
+DEPENDS += "bc-native"
+
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
# any useful info) and feed the rest to a script.
process_verity() {
local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env"
- install -d ${STAGING_VERITY_DIR}
+ local WKS_INC="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.wks.in"
rm -f $ENV
# Each line contains a key and a value string delimited by ':'. Read the
@@ -45,30 +78,127 @@ process_verity() {
# Add partition size
echo "DATA_SIZE=$SIZE" >> $ENV
+
+ # Add whether we are storing the hash data separately
+ echo "SEPARATE_HASH=${DM_VERITY_SEPARATE_HASH}" >> $ENV
+
+ # Configured for single partition use of veritysetup? OK, we are done.
+ if [ ${DM_VERITY_SEPARATE_HASH} -eq 0 ]; then
+ return
+ fi
+
+ # Craft up the UUIDs that are part of the verity standard for root & hash
+ # while we are here and in shell. Re-read our output to get ROOT_HASH
+ # and then cut it in 1/2 ; HI for data UUID and LO for hash-data UUID.
+ # https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
+ ROOT_HASH=$(cat $ENV | grep ^ROOT_HASH | sed 's/ROOT_HASH=//' | tr a-f A-F)
+ ROOT_HI=$(echo "obase=16;ibase=16;$ROOT_HASH/2^80" | bc)
+ ROOT_LO=$(echo "obase=16;ibase=16;$ROOT_HASH%2^80" | bc)
+
+ # Hyphenate as per UUID spec and as expected by wic+sgdisk parameters.
+ # Prefix with leading zeros, in case hash chunks weren't using highest bits
+ # "bc" needs upper case, /dev/disk/by-partuuid/ is lower case. <sigh>
+ ROOT_UUID=$(echo 00000000$ROOT_HI | sed 's/.*\(.\{32\}\)$/\1/' | \
+ sed 's/./-&/9;s/./-&/14;s/./-&/19;s/./-&/24' | tr A-F a-f )
+ RHASH_UUID=$(echo 00000000$ROOT_LO | sed 's/.*\(.\{32\}\)$/\1/' | \
+ sed 's/./-&/9;s/./-&/14;s/./-&/19;s/./-&/24' | tr A-F a-f )
+
+ # Emit the values needed for a veritysetup run in the initramfs
+ echo "ROOT_UUID=$ROOT_UUID" >> $ENV
+ echo "RHASH_UUID=$RHASH_UUID" >> $ENV
+
+ # Create wks.in fragment with build specific UUIDs for partitions.
+ # Unfortunately the wks.in does not support line continuations...
+ # First, the unappended filesystem data partition.
+ echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
+
+ # note: no default mount point for hash data partition
+ echo 'part --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
}
verity_setup() {
local TYPE=$1
- local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE
+ local INPUT=${IMAGE_NAME}.$TYPE
local SIZE=$(stat --printf="%s" $INPUT)
local OUTPUT=$INPUT.verity
+ local OUTPUT_HASH=$INPUT.verity
+ local HASH_OFFSET=""
+ local SETUP_ARGS=""
+ local SAVED_ARGS="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.args"
+
+ install -d ${STAGING_VERITY_DIR}
+
+ if [ ${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} -ge ${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} ]; then
+ align=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE}
+ else
+ align=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE}
+ fi
+ SIZE=$(expr \( $SIZE + $align - 1 \) / $align \* $align)
+
+ # Assume some users may want separate hash vs. appended hash
+ if [ ${DM_VERITY_SEPARATE_HASH} -eq 1 ]; then
+ OUTPUT_HASH=$INPUT.vhash
+ else
+ HASH_OFFSET="--hash-offset="$SIZE
+ fi
cp -a $INPUT $OUTPUT
+ SETUP_ARGS=" \
+ --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} \
+ --hash-block-size=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} \
+ $HASH_OFFSET format $OUTPUT $OUTPUT_HASH \
+ "
+
+ echo "veritysetup $SETUP_ARGS" > $SAVED_ARGS
+
# Let's drop the first line of output (doesn't contain any useful info)
# and feed the rest to another function.
- veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
+ veritysetup $SETUP_ARGS | tail -n +2 | process_verity
+}
+
+# make "dateless" symlink for the hash so the wks can find it.
+verity_hash() {
+ cd ${IMGDEPLOYDIR}
+ ln -sf ${IMAGE_NAME}.${DM_VERITY_IMAGE_TYPE}.vhash \
+ ${IMAGE_BASENAME}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash
}
-VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity"
+VERITY_TYPES = " \
+ ext2.verity ext3.verity ext4.verity \
+ btrfs.verity \
+ erofs.verity erofs-lz4.verity erofs-lz4hc.verity \
+ squashfs.verity squashfs-xz.verity squashfs-lzo.verity squashfs-lz4.verity squashfs-zst.verity \
+"
IMAGE_TYPES += "${VERITY_TYPES}"
CONVERSIONTYPES += "verity"
-CONVERSION_CMD_verity = "verity_setup ${type}"
+CONVERSION_CMD:verity = "verity_setup ${type}"
CONVERSION_DEPENDS_verity = "cryptsetup-native"
+IMAGE_CMD:vhash = "verity_hash"
+
+def get_verity_fstypes(d):
+ verity_image = d.getVar('DM_VERITY_IMAGE')
+ verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+ verity_hash = d.getVar('DM_VERITY_SEPARATE_HASH')
+ pn = d.getVar('PN')
+
+ fstypes = ""
+ if not pn.endswith(verity_image):
+ return fstypes # This doesn't concern this image
+
+ fstypes = verity_type + ".verity"
+ if verity_hash == "1":
+ fstypes += " vhash"
+
+ return fstypes
+
+IMAGE_FSTYPES += "${@get_verity_fstypes(d)}"
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+ verity_hash = d.getVar('DM_VERITY_SEPARATE_HASH')
image_fstypes = d.getVar('IMAGE_FSTYPES')
pn = d.getVar('PN')
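Review bot: `get_verity_fstypes` calls `pn.endswith(verity_image)` on the raw result of `d.getVar('DM_VERITY_IMAGE')`, which is `None` when the class is inherited but the variable is unset, so expanding `IMAGE_FSTYPES` raises a TypeError before the anonymous function's "inherited but not used" warning in the next hunk gets a chance to run; add `if not verity_image or not verity_type:` / `return fstypes` ahead of the `endswith` test. The shell tests `[ ${DM_VERITY_SEPARATE_HASH} -eq 0 ]` and `-eq 1` treat the flag numerically while the Python side compares `verity_hash == "1"`, so an empty or padded value behaves differently in the two places (and an empty value is a syntax error in `[`); `[ "${DM_VERITY_SEPARATE_HASH}" = "1" ]` keeps them consistent. In `veritysetup $SETUP_ARGS | tail -n +2 | process_verity` the pipeline's exit status is that of `process_verity`, so a failing `veritysetup` can leave a `.verity.env` without `ROOT_HASH` while the task still succeeds; capturing veritysetup's output to a file first, checking its status, and then feeding the file to `process_verity` would make the failure visible. process_verity's opening lines are in the previous hunk.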
@@ -76,17 +206,15 @@ python __anonymous() {
bb.warn('dm-verity-img class inherited but not used')
return
- if verity_image != pn:
+ if not pn.endswith(verity_image):
return # This doesn't concern this image
- if len(verity_type.split()) is not 1:
+ if len(verity_type.split()) != 1:
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
- d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
-
# If we're using wic: we'll have to use partition images and not the rootfs
# source plugin so add the appropriate dependency.
if 'wic' in image_fstypes:
- dep = ' %s:do_image_%s' % (pn, verity_type)
+ dep = ' %s:do_image_%s' % (pn, verity_type.replace("-", "_"))
d.appendVarFlag('do_image_wic', 'depends', dep)
}
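Review bot: `verity_hash` is read at the top of the anonymous function (previous hunk) but nothing in the visible body uses it, while the wic dependency added here names only `do_image_<type>`; when `DM_VERITY_SEPARATE_HASH` is 1 the generated `.wks.in` fragment also consumes the `.vhash` symlink produced by `IMAGE_CMD:vhash`, so presumably `do_image_vhash` needs the same dependency, e.g. `if verity_hash == "1":` / `d.appendVarFlag('do_image_wic', 'depends', ' %s:do_image_vhash' % pn)`. If that ordering is guaranteed elsewhere, drop the unused variable instead of leaving it to suggest otherwise. The `if` guarding the warn/return at the top of this hunk starts outside it.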
diff --git a/classes/sanity-meta-security.bbclass b/classes/sanity-meta-security.bbclass
index b6c6b9c..f9e2698 100644
--- a/classes/sanity-meta-security.bbclass
+++ b/classes/sanity-meta-security.bbclass
@@ -1,7 +1,7 @@
addhandler security_bbappend_distrocheck
security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
python security_bbappend_distrocheck() {
- skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+ skip_check = e.data.getVar('SKIP_META_SECURITY_SANITY_CHECK') == "1"
if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
bb.warn("You have included the meta-security layer, but \
'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
diff --git a/conf/distro/include/maintainers-meta-security.inc b/conf/distro/include/maintainers-meta-security.inc
new file mode 100644
index 0000000..f623d70
--- /dev/null
+++ b/conf/distro/include/maintainers-meta-security.inc
@@ -0,0 +1,57 @@
+# meta-security Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+# - look in the Yocto Project Bugzilla
+# (http://bugzilla.yoctoproject.org/) to see if a problem has
+# already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+# RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-apparmor = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-bastille = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-buck-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-checksec = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-checksecurity = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-clamav = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-ding-libs = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-hash-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-isic = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-keyutils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libgssglue = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libhtp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libmhash = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libmspack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-lib-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libseccomp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-ncrack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-nikto = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-paxctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-python-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-redhat-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-samhain = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-smack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-sssd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-suricata = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tripwire = "Armin Kuster <akuster808@gmail.com>"
diff --git a/conf/distro/include/maintainers.inc b/conf/distro/include/maintainers.inc
deleted file mode 100644
index e02b903..0000000
--- a/conf/distro/include/maintainers.inc
+++ /dev/null
@@ -1,57 +0,0 @@
-# meta-security Maintainers File
-#
-# This file contains a list of recipe maintainers.
-#
-# Please submit any patches against recipes in meta to the
-# Yocto mail list (yocto@yoctoproject.org)
-#
-# If you have problems with or questions about a particular recipe, feel
-# free to contact the maintainer directly (cc:ing the appropriate mailing list
-# puts it in the archive and helps other people who might have the same
-# questions in the future), but please try to do the following first:
-#
-# - look in the Yocto Project Bugzilla
-# (http://bugzilla.yoctoproject.org/) to see if a problem has
-# already been reported
-#
-# The format is as a bitbake variable override for each recipe
-#
-# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
-#
-# Please keep this list in alphabetical order.
-RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-apparmor = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-bastille = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-buck-security = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-checksec = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-checksecurity = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-clamav = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-ding-libs = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-isic = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libmspack = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-lib-perl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libseccomp = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-ncrack = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-nikto = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-paxctl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-python-scapy = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-redhat-security = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-samhain = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-smack = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-sssd = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-suricata = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tripwire = "Armin Kuster <akuster808@gmail.com>"
diff --git a/conf/layer.conf b/conf/layer.conf
index 7853d6e..471674c 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -9,14 +9,23 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "hardknott"
+LAYERSERIES_COMPAT_security = "nanbield scarthgap"
-LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
+LAYERDEPENDS_security = "core openembedded-layer"
+
+BBFILES_DYNAMIC += " \
+ perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bb \
+ perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \
+ meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \
+ meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \
+ networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bb \
+ networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bbappend \
+"
# Sanity check for meta-security layer.
# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
INHERIT += "sanity-meta-security"
-BBFILES_DYNAMIC += " \
-rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \
-"
+addpylib ${LAYERDIR}/lib oeqa
+
+WARN_QA:append:security = " patch-status missing-metadata"
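Review bot: `WARN_QA:append:security` uses `security` as an override, but a DISTRO_FEATURES entry is not an override and nothing visible adds `security` to OVERRIDES, so this append most likely never takes effect; other layers scope such QA settings with the per-layer override that exists for the releases named in `LAYERSERIES_COMPAT_security`, i.e. `WARN_QA:append:layer-security = " patch-status missing-metadata"`. If `security` is meant to be injected into OVERRIDES elsewhere, a comment naming where would prevent the next reader from making the same assumption. The README rewrite in this commit lists meta-oe, meta-perl and meta-python under the dynamic-layer section but not meta-networking, even though `networking-layer` is one of the three collections added to `BBFILES_DYNAMIC` here and was dropped from `LAYERDEPENDS_security`.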
diff --git a/docs/dm-verity-beaglebone.txt b/docs/dm-verity-beaglebone.txt
new file mode 100644
index 0000000..5f0caa4
--- /dev/null
+++ b/docs/dm-verity-beaglebone.txt
@@ -0,0 +1,37 @@
+dm-verity and beaglebone-black
+------------------------------
+Set/uncomment the MACHINE line for "beaglebone-yocto" if you haven't yet.
+
+In addition to the basic dm-verity settings, you'll also want in local.conf:
+
+IMAGE_BOOT_FILES:remove = "zImage"
+IMAGE_BOOT_FILES:append = " zImage-initramfs-${MACHINE}.bin;zImage"
+WKS_FILES = "${MACHINE}-verity.wks.in"
+
+Read-only issues: The beaglebone BSP by default declares the following:
+
+ SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0 115200;ttyAMA0"
+ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
+
+...which are variables used by sysV init, in order to determine the
+appropriate /etc/inittab entries. The problem that arises is that by
+default, an on-target runtime check of /proc/consoles is used to finalize
+the /etc/inittab -- and of course that fails a build with read-only-rootfs
+[see the pkg_postinst_ontarget rule in the sysvinit rule for details.]
+
+If you don't need a serial console, the quick fix is to add in local.conf
+
+SERIAL_CONSOLES = ""
+
+If you do need/want a serial console, then probably a local bbappend to
+manually set the /etc/inittab as desired is easiest.
+
+After running "wic create -e core-image-minimal beaglebone-yocto-verity"
+you should have a "direct" image ready to write to a u-SD card. Remember
+that the "direct" image contains the bootloader and partition table
+already, so you'll be writing it to a device such as /dev/sdb and not
+just a partition -- like /dev/sdb1
+
+Also recall that booting from u-SD requires pressing and holding the S2
+(SYSBOOT) button during power-on in order to divert the boot from the normal
+soldered on storage and to the removable u-SD card.
diff --git a/docs/dm-verity-systemd-hash-x86-64.txt b/docs/dm-verity-systemd-hash-x86-64.txt
new file mode 100644
index 0000000..673b810
--- /dev/null
+++ b/docs/dm-verity-systemd-hash-x86-64.txt
@@ -0,0 +1,43 @@
+dm-verity and x86-64 and systemd - separate hash device
+-------------------------------------------------------
+
+Everything said in "dm-verity-systemd-x86-64.txt" applies here.
+However booting under QEMU is not tested - only on real hardware.
+So for your MACHINE you need to choose "genericx86-64".
+
+Also, you'll need to point at the hash specific WKS file:
+
+WKS_FILES += " systemd-bootdisk-dmverity-hash.wks.in"
+
+The fundamental difference is to use a separate device/partition for
+storage of the hash data -- instead of "hiding" it beyond the filesystem
+in what is essentially a 5-10% oversized partition. This takes any manual
+math calculations of size/offset out of the picture, and uses the kernel's
+natural behaviour of compartmentalizing devices to ensure they are separate.
+
+The example hash.wks file added here essentially adds a hash-only partition
+directly after the filesystem partition. So the filesystem partition is
+no longer "oversized" and no offsets are needed/used.
+
+Since we are now using multiple partitions, we make a better effort to use
+accepted GPT partition types and UUIDs based on the roothash. This means
+easier sysadmin level use/debugging based on cfdisk output etc.
+
+Generating the separate root hash image is driven off enabling this:
+ DM_VERITY_SEPARATE_HASH = "1"
+
+Two other variables control the GPT UUIDs - set to x86-64 defaults:
+
+ DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
+ DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
+
+See: https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
+Finally, the UUIDs (not the "partition types" above) are based off of
+the root node hash value as per the systemd "autodetect" proposed standard.
+These will obviously change with every update/rebuild of the root image.
+
+While not strictly coupled to any functionality at this point in time, it
+does aid in easier debugging, and puts us in alignment with using systemd
+inside the initramfs to replace manual veritysetup like configuration we
+currently do in the initramfs today, should we decide to do so later on.
diff --git a/docs/dm-verity-systemd-x86-64.txt b/docs/dm-verity-systemd-x86-64.txt
new file mode 100644
index 0000000..a47b02c
--- /dev/null
+++ b/docs/dm-verity-systemd-x86-64.txt
@@ -0,0 +1,77 @@
+dm-verity and x86-64 and systemd
+--------------------------------
+In this example, we'll target combining qemux86-64 with dm-verity and
+also systemd - systemd has dm-verity bindings and is more likely to be
+used on x86.
+
+While dm-verity in a qemu environment doesn't make practial sense as a
+deployment - it can be a useful stepping stone for testing and getting to
+a final physical deployment.
+
+Set/uncomment the MACHINE line for "qemux86-64" if you haven't yet. It
+should be the default if unspecified, but check to be sure. As of this
+writing (kernel v6.1) the resulting qemux86-64 build can also be booted
+successfully on physical hardware, but if you don't intend to use qemu,
+you might instead want to choose "genericx86-64"
+
+This will make use of wic/systemd-bootdisk-dmverity.wks.in -- note that it
+contains a dependency on the meta-intel layer for microcode, so you'll need
+to fetch and add that layer in addition to the meta-security related layers.
+
+In addition to the basic dm-verity settings, choose systemd in local.conf:
+
+DISTRO_FEATURES:append = " security systemd"
+VIRTUAL-RUNTIME_init_manager = "systemd"
+EFI_PROVIDER = "systemd-boot"
+PACKAGECONFIG:append:pn-systemd = " cryptsetup"
+
+Note the last line - you won't typically see that in on-line instructions
+for enabling systemd. It is important for dm-verity, since it triggers
+the build and installation of components like this onto the rootfs:
+
+ /lib/systemd/system-generators/systemd-veritysetup-generator
+ /lib/systemd/systemd-veritysetup
+
+Now build the components for the wic image:
+
+ bitbake intel-microcode
+ bitbake core-image-minimal
+
+Assemble the image:
+
+ ------------------------------
+build-qemu-x86_64$wic create systemd-bootdisk-dmverity -e core-image-minimal
+INFO: Building wic-tools...
+
+[...]
+
+INFO: Creating image(s)...
+
+INFO: The new image(s) can be found here:
+ ./systemd-bootdisk-dmverity.wks-202304181413-sda.direct
+
+The following build artifacts were used to create the image(s):
+ BOOTIMG_DIR: /home/paul/poky/build-qemu-x86_64/tmp/work/qemux86_64-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+ KERNEL_DIR: /home/paul/poky/build-qemu-x86_64/tmp/deploy/images/qemux86-64
+ NATIVE_SYSROOT: /home/paul/poky/build-qemu-x86_64/tmp/work/core2-64-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native
+
+INFO: The image(s) were created using OE kickstart file:
+ /home/paul/poky/meta-security/wic/systemd-bootdisk-dmverity.wks.in
+build-qemu-x86_64$
+ ------------------------------
+
+The "runqemu" script defaults were acceptable for testing with only the
+verity image needing to be specified, i.e.
+
+ runqemu \
+ nographic \
+ qemux86-64 \
+ tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity
+
+You will see the above "direct" image file and also similarly named
+individual partition images. To boot on UEFI enabled physical hardware,
+you need to simply write the "direct" image file to a USB stick with dd
+and the partition images can largely be ignored.
+
+Further information on interacting with the systemd UEFI loader is here:
+https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/
diff --git a/docs/dm-verity.txt b/docs/dm-verity.txt
new file mode 100644
index 0000000..a538fa2
--- /dev/null
+++ b/docs/dm-verity.txt
@@ -0,0 +1,123 @@
+dm-verity and Yocto/OE
+----------------------
+The dm-verity feature provides a level of data integrity and resistance to
+data tampering. It does this by creating a hash for each data block of
+the underlying device as the base of a hash tree. There are many
+documents out there to further explain the implementation, such as the
+in-kernel one itself:
+
+https://docs.kernel.org/admin-guide/device-mapper/verity.html
+
+The goal of this document is not to reproduce that content, but instead to
+capture the Yocto/OE specifics of the dm-verity infrastructure used here.
+
+Ideally this should enable a person to build and deploy an image on one of
+the supported reference platforms, and then further adapt to their own
+platform and specific storage requirements.
+
+Basic Settings
+--------------
+Largely everything is driven off of a dm-verity image class; a typical
+block of non MACHINE specific settings are shown below:
+
+INITRAMFS_IMAGE = "dm-verity-image-initramfs"
+DM_VERITY_IMAGE = "core-image-minimal"
+DM_VERITY_IMAGE_TYPE = "ext4"
+IMAGE_CLASSES += "dm-verity-img"
+INITRAMFS_IMAGE_BUNDLE = "1"
+
+Kernel Configuration
+--------------------
+Kernel configuration for dm-verity happens automatically via IMAGE_CLASSES
+which will source features/device-mapper/dm-verity.scc when dm-verity-img
+is used. [See commit d9feafe991c]
+IMPORTANT: As per the top level README, you *must* put security in the
+DISTRO_FEATURES, or else you won't get the dm-verity kernel settings.
+
+Supported Platforms
+-------------------
+In theory, you can use dm-verity anywhere - there is nothing arch/BSP
+specific in the core kernel support. However, at the BSP level, one
+eventually has to decide what device(s) are to be hashed, and where the
+hash tables are stored.
+
+To that end, the BSP storage specifics live in meta-security/wic dir and
+represent the current set of example configurations that have been tested
+and submitted at some point.
+
+Getting Started
+---------------
+This document assumes you are starting from the basic auto-created
+conf/local.conf and conf/bblayers.conf from the oe-init-build-env
+
+Firstly, you need the meta-security layer to conf/bblayers.conf along with
+the dependencies it has -- see the top level meta-security README for that.
+
+Note that if you are using dm-verity for your rootfs, then it enforces a
+read-only mount right at the kernel level, so be prepared for issues such
+as failed creation of temporary files and similar.
+
+Yocto does support additional checks and changes via setting:
+
+EXTRA_IMAGE_FEATURES = "read-only-rootfs"
+
+...but since read-only is enforced at the kernel level already, using
+this feature isn't a hard requirement. It may be best to delay/defer
+making use of this until after you've established basic booting.
+
+For more details, see the associated documentation:
+
+https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html
+
+Also add the basic block of dm-verity settings shown above, and select
+your MACHINE from one of the supported platforms.
+
+If there is a dm-verity-<MACHINE>.txt file for your BSP, check that for
+any additional platform specific recommended settings, such as the
+WKS_FILES which can specify board specific storage layout discussed below.
+
+Then you should be able to do a "bitbake core-image-minimal" just like any
+other normal build. What you will notice, is the content in
+tmp/deploy/images/<MACHINE>/ now have suffixes like "rootfs.ext4.verity"
+
+While you can manually work with these images just like any other build,
+this is where the BSP specific recipes in meta-security/wic can simplify
+things and remove a bunch of manual steps that might be error prone.
+
+Consider for example, the beaglebone black WIC file, which contains:
+
+part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat
+--label boot --active --align 4 --fixed-size 32 --sourceparams="loader=u-boot" --use-uuid
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+bootloader --append="console=ttyS0,115200"
+
+As can be seen, it maps out the partitions, including the bootloader, and
+saves doing a whole bunch of manual partitioning and dd steps.
+
+This file is copied into tmp/deploy/images/<MACHINE>/ with bitbake
+variables expanded with their corresponding values for wic to make use of.
+
+Continuing with the beaglebone example, we'll see output similar to:
+
+ ----------------------
+$ wic create -e core-image-minimal beaglebone-yocto-verity
+
+[...]
+
+INFO: Creating image(s)...
+
+INFO: The new image(s) can be found here:
+ ./beaglebone-yocto-verity.wks-202303070223-mmcblk0.direct
+
+The following build artifacts were used to create the image(s):
+ BOOTIMG_DIR: /home/paul/poky/build-bbb-verity/tmp/work/beaglebone_yocto-poky-linux-gnueabi/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+ KERNEL_DIR: /home/paul/poky/build-bbb-verity/tmp/deploy/images/beaglebone-yocto
+ NATIVE_SYSROOT: /home/paul/poky/build-bbb-verity/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/wic-tools/1.0-r0/recipe-sysroot-native
+
+INFO: The image(s) were created using OE kickstart file:
+ /home/paul/poky/meta-security/wic/beaglebone-yocto-verity.wks.in
+ ----------------------
+
+The "direct" image contains the partition table, bootloader, and dm-verity
+enabled ext4 image all in one -- ready to write to a raw device, such as a
+u-SD card in the case of the beaglebone.
diff --git a/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend b/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..475a24d
--- /dev/null
+++ b/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,18 @@
+
+
+PACKAGES += "\
+ packagegroup-security-hardening \
+ "
+RDEPENDS:packagegroup-core-security += "\
+ packagegroup-security-hardening \
+ "
+
+SUMMARY:packagegroup-security-hardening = "Security Hardening tools"
+RDEPENDS:packagegroup-security-hardening = " \
+ bastille \
+ "
+
+RDEPENDS:packagegroup-security-scanners += "\
+ nikto \
+ checksecurity \
+ "
diff --git a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
index 0161b4c..8006c9f 100644
--- a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
+++ b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
@@ -1,21 +1,29 @@
SUMMARY = "basic system security checks"
DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
- file://setuid-log-folder.patch \
- file://check-setuid-use-more-portable-find-args.patch"
+SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \
+ file://check-setuid-use-more-portable-find-args.patch \
+ "
-SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
-SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
+SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0"
+
+S = "${WORKDIR}/checksecurity-${PV}+nmu1"
+
+
+# allow for anylocal, no need to patch
+LOGDIR="/etc/checksecurity"
do_compile() {
+ sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/etc/check-setuid.conf
+ sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/plugins/check-setuid
+ sed -i -e "s;LOGDIR:=/var/log/setuid;LOGDIR:=${LOGDIR};g" ${B}/plugins/check-setuid
}
do_install() {
oe_runmake PREFIX=${D}
}
-RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils"
+RDEPENDS:${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils"
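Review bot: The three `sed -i` lines added to do_compile succeed silently when the `LOGDIR=/var/log/setuid` pattern is absent, so a future upstream change to that default would leave the log directory unrelocated without any build failure, whereas the dropped setuid-log-folder.patch would have rejected loudly. A one-line guard per file keeps that failure visible, e.g. `grep -q 'LOGDIR=/var/log/setuid' ${B}/etc/check-setuid.conf || bbfatal "check-setuid.conf: LOGDIR default not found, update the sed in do_compile"`. The comment `# allow for anylocal, no need to patch` above the LOGDIR assignment does not explain the intent; something like `# Relocate the directory check-setuid writes to; done with sed so no version-specific patch is needed` would. Moving that directory from /var/log to /etc presumably keeps it alongside the configuration, but on the read-only dm-verity images documented in this same commit it is worth confirming the plugin can still write there at runtime.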
diff --git a/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
index f1fe8ed..1754e1e 100644
--- a/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
+++ b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
@@ -3,21 +3,22 @@ From: Christopher Larson <chris_larson@mentor.com>
Date: Wed, 5 Sep 2018 23:21:43 +0500
Subject: [PATCH] check-setuid: use more portable find args
+Upstream-Status: Pending
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
plugins/check-setuid | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
-Index: checksecurity-2.0.15/plugins/check-setuid
+Index: checksecurity-2.0.16+nmu1/plugins/check-setuid
===================================================================
---- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500
-+++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500
-@@ -99,7 +99,7 @@
- ionice -t -c3 \
+--- checksecurity-2.0.16+nmu1.orig/plugins/check-setuid
++++ checksecurity-2.0.16+nmu1/plugins/check-setuid
+@@ -100,7 +100,7 @@ ionice -t -c3 \
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
+ -ignore_readdir_race \
-xdev $PATHCHK \
-- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \
-+ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
+- \( -type f -perm /06000 -o \( \( -type b -o -type c \) \
++ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
$DEVCHK \) \) \
- -ignore_readdir_race \
-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
+ sort -k 12 >$TMPSETUID
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
index 0290cae..f2ef335 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
@@ -2,12 +2,12 @@
#consult the README file for the meta-security layer for additional information.
SUMMARY = "Linux hardening tool"
DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
# Bash is needed for set +o privileged (check busybox), might also need ncurses
DEPENDS = "virtual/kernel"
-RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
-FILES_${PN} += "/run/lock/subsys/bastille"
+RDEPENDS:${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
+FILES:${PN} += "/run/lock/subsys/bastille"
SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
file://AccountPermission.pm \
@@ -48,7 +48,6 @@ do_install () {
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
- install -d ${D}${localstatedir}/log/Bastille
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
install -m 0755 BastilleBackEnd ${D}${sbindir}
@@ -139,7 +138,7 @@ do_install () {
install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
- install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
+ install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
for file in `cat Modules.txt` ; do
install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
@@ -148,6 +147,20 @@ do_install () {
${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
ln -s RevertBastille ${D}${sbindir}/UndoBastille
+
+ # Create /var/log/Bastille in runtime.
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
+ install -d ${D}${nonarch_libdir}/tmpfiles.d
+ echo "d ${localstatedir}/log/Bastille - - - -" > ${D}${nonarch_libdir}/tmpfiles.d/Bastille.conf
+ fi
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d root root 0755 ${localstatedir}/log/Bastille none" > ${D}${sysconfdir}/default/volatiles/99_Bastille
+ fi
}
-FILES_${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
+FILES:${PN} += "${datadir}/Bastille \
+ ${libdir}/Bastille \
+ ${libdir}/perl* \
+ ${sysconfdir}/* \
+ ${nonarch_libdir}/tmpfiles.d"
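Review bot: With the unconditional `install -d ${D}${localstatedir}/log/Bastille` removed earlier in do_install, a DISTRO_FEATURES set that contains neither systemd nor sysvinit now ships no log directory at all, since both new blocks are guarded on those features; a fallback such as `if ! [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd sysvinit', d)}" ]; then install -d ${D}${localstatedir}/log/Bastille; fi` closes that gap. As a point of style, `bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)` is the usual idiom for these shell tests and reads more directly than testing whether the filtered string is non-empty. The tmpfiles entry `d ${localstatedir}/log/Bastille - - - -` relies on the tmpfiles defaults for mode and owner, while the volatiles entry spells out `root root 0755`; stating the mode explicitly in both keeps the two init paths verifiably identical. do_install begins outside this hunk.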
diff --git a/recipes-security/bastille/files/API.pm b/dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm
index 5060f52..5060f52 100644
--- a/recipes-security/bastille/files/API.pm
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm
diff --git a/recipes-security/bastille/files/AccountPermission.pm b/dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm
index cfbaab1..132b30c 100644
--- a/recipes-security/bastille/files/AccountPermission.pm
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm
@@ -16,7 +16,7 @@ B_chgrp
B_chgrp_link
B_userdel
B_groupdel
-B_remove_user_from_group
+B:remove_user_from_group
B_check_owner_group
B_is_unowned_file
B_is_ungrouped_file
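Review bot: The added export-list entry `B:remove_user_from_group` is not a valid Perl identifier (a single colon is not a package separator), and the same substitution also produced `sub B:remove_user_from_group($$)` and `sub B:remove_suid($)` further down this file, so AccountPermission.pm will fail to compile and Bastille will break at runtime. This looks like the BitBake override-syntax conversion (`_remove`/`_append`/`_prepend` → `:remove`/`:append`/`:prepend`) having been run over Perl sources that were moved in this commit; it has also hit `$add:remove = $2;` in the B_chmod hunk here, and `B:append_line`, `B:prepend_line` and `$line_to:prepend` in the FileContent.pm hunks below. All of these should be reverted to their original underscore form, e.g. `B_remove_user_from_group` on this line; the only change these two .pm files need is the path move.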
@@ -28,7 +28,7 @@ B_is_suid
B_is_sgid
B_get_user_list
B_get_group_list
-B_remove_suid
+B:remove_suid
);
our @EXPORT = @EXPORT_OK;
@@ -74,7 +74,7 @@ sub B_chmod($$) {
if ($new_perm =~ /([ugo]+)([+-]{1})([rwxst]+)/) {
$symbolic = 1;
$chmod_noun = $1;
- $add_remove = $2;
+ $add:remove = $2;
$capability = $3;
}
@@ -466,7 +466,7 @@ sub B_chgrp_link($$) {
#
# In the future, we may also choose to make a B_lock_account routine.
#
-# This routine depends on B_remove_user_from_group.
+# This routine depends on B:remove_user_from_group.
###########################################################################
sub B_userdel($) {
@@ -506,7 +506,7 @@ sub B_userdel($) {
#
# Next find out what groups the user is in, so we can call
- # B_remove_user_from_group($user,$group)
+ # B:remove_user_from_group($user,$group)
#
# TODO: add this to the helper functions for the test suite.
#
@@ -586,7 +586,7 @@ sub B_groupdel($) {
###########################################################################
-# B_remove_user_from_group($user,$group) removes $user from $group,
+# B:remove_user_from_group($user,$group) removes $user from $group,
# by modifying $group's /etc/group line, pulling the user out. This
# uses B_chunk_replace thrice to replace these patterns:
#
@@ -595,7 +595,7 @@ sub B_groupdel($) {
#
###########################################################################
-sub B_remove_user_from_group($$) {
+sub B:remove_user_from_group($$) {
my ($user_to_remove,$group) = @_;
@@ -1022,7 +1022,7 @@ sub B_get_group_list()
#
###########################################################################
-sub B_remove_suid($) {
+sub B:remove_suid($) {
my $file_expr = $_[0];
&B_log("ACTION","Removing SUID bit from \"$file_expr\".");
diff --git a/recipes-security/bastille/files/FileContent.pm b/dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm
index 0a5d609..1ef89dd 100644
--- a/recipes-security/bastille/files/FileContent.pm
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm
@@ -10,8 +10,8 @@ B_blank_file
B_insert_line_after
B_insert_line_before
B_insert_line
-B_append_line
-B_prepend_line
+B:append_line
+B:prepend_line
B_replace_line
B_replace_lines
B_replace_pattern
@@ -262,7 +262,7 @@ sub B_insert_line($$$$) {
#
# Additionally, if $pattern is set equal to "", the line is always appended.
#
-# B_append_line uses B_open_plus and B_close_plus, so that the file
+# B:append_line uses B_open_plus and B_close_plus, so that the file
# modified is backed up...
#
# Here's examples of where you might use this:
@@ -273,7 +273,7 @@ sub B_insert_line($$$$) {
#
###########################################################################
-sub B_append_line($$$) {
+sub B:append_line($$$) {
my ($filename,$pattern,$line_to_append) = @_;
@@ -308,11 +308,11 @@ sub B_append_line($$$) {
###########################################################################
# &B_prepend_line ($filename,$pattern,$line_to_prepend) modifies $filename,
-# pre-pending $line_to_prepend unless one or more lines in the file matches
+# pre-pending $line_to:prepend unless one or more lines in the file matches
# $pattern. This is an enhancement to the prepend_line_if_no_such_line_exists
# idea.
#
-# B_prepend_line uses B_open_plus and B_close_plus, so that the file
+# B:prepend_line uses B_open_plus and B_close_plus, so that the file
# modified is backed up...
#
# Here's examples of where you might use this:
@@ -322,7 +322,7 @@ sub B_append_line($$$) {
#
###########################################################################
-sub B_prepend_line($$$) {
+sub B:prepend_line($$$) {
my ($filename,$pattern,$line_to_prepend) = @_;
@@ -348,7 +348,7 @@ sub B_prepend_line($$$) {
# Log the action
&B_log("ACTION","Pre-pended the following line to $filename:\n");
- &B_log("ACTION","$line_to_prepend");
+ &B_log("ACTION","$line_to:prepend");
}
else {
$retval=0;
diff --git a/recipes-security/bastille/files/HPSpecific.pm b/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm
index 7e7d709..7e7d709 100644
--- a/recipes-security/bastille/files/HPSpecific.pm
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm
diff --git a/recipes-security/bastille/files/Miscellaneous.pm b/dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm
index b3bdf10..b3bdf10 100644
--- a/recipes-security/bastille/files/Miscellaneous.pm
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm
diff --git a/recipes-security/bastille/files/ServiceAdmin.pm b/dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm
index 879223a..879223a 100644
--- a/recipes-security/bastille/files/ServiceAdmin.pm
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm
diff --git a/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
index 4a438e4..907d86b 100644
--- a/recipes-security/bastille/files/accept_os_flag_in_backend.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/allow_os_with_assess.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
index e112f90..4edb1f3 100644
--- a/recipes-security/bastille/files/allow_os_with_assess.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/call_output_config.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
index 1e898b1..f01cc47 100644
--- a/recipes-security/bastille/files/call_output_config.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/config b/dynamic-layers/meta-perl/recipes-security/bastille/files/config
index 9e5e206..9e5e206 100755
--- a/recipes-security/bastille/files/config
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/config
diff --git a/recipes-security/bastille/files/do_not_apply_config.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
index 574aa98..640d5ff 100644
--- a/recipes-security/bastille/files/do_not_apply_config.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/edit_usage_message.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
index 72cdc2f..4ca9c63 100644
--- a/recipes-security/bastille/files/edit_usage_message.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/find_existing_config.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
index c075875..7f6aea0 100644
--- a/recipes-security/bastille/files/find_existing_config.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/fix_missing_use_directives.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
index 05f145a..d909f10 100644
--- a/recipes-security/bastille/files/fix_missing_use_directives.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/fix_number_of_modules.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
index 743e549..4f46924 100644
--- a/recipes-security/bastille/files/fix_number_of_modules.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/fix_version_parse.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
index 5923c04..c38f45e 100644
--- a/recipes-security/bastille/files/fix_version_parse.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/fixed_defined_warnings.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
index e7996e3..5a6476b 100644
--- a/recipes-security/bastille/files/fixed_defined_warnings.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
@@ -11,7 +11,7 @@ in Bastille.
Fixed also some warnings regarding defined statements
in API.pm.
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
diff --git a/recipes-security/bastille/files/organize_distro_discovery.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
index d64d1e2..5a5be6f 100644
--- a/recipes-security/bastille/files/organize_distro_discovery.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/remove_questions_text_file_references.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
index bd094ee..f95579d 100644
--- a/recipes-security/bastille/files/remove_questions_text_file_references.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/set_required_questions.py b/dynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py
index f306109..f306109 100755
--- a/recipes-security/bastille/files/set_required_questions.py
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py
diff --git a/recipes-security/bastille/files/simplify_B_place.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
index 307fdca..afbd4e0 100644
--- a/recipes-security/bastille/files/simplify_B_place.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/bastille/files/upgrade_options_processing.patch b/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
index 4093867..5052bd8 100644
--- a/recipes-security/bastille/files/upgrade_options_processing.patch
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/recipes-security/nikto/files/location.patch b/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
index edaa204..0715f31 100644
--- a/recipes-security/nikto/files/location.patch
+++ b/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
@@ -3,7 +3,7 @@ From: Scott Ellis <scott@jumpnowtek.com>
Date: Fri, 28 Dec 2018 11:08:25 -0500
Subject: [PATCH] Set custom paths
-Upstream Status: Inappropriate
+Upstream-Status: Inappropriate
Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
---
diff --git a/recipes-security/nikto/nikto_2.1.6.bb b/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
index 615cc30..8c21b30 100644
--- a/recipes-security/nikto/nikto_2.1.6.bb
+++ b/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "Nikto is an Open Source web server scanner which performs compreh
SECTION = "security"
HOMEPAGE = "https://cirt.net/Nikto2"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
-SRC_URI = "git://github.com/sullo/nikto.git \
+SRC_URI = "git://github.com/sullo/nikto.git;branch=master;protocol=https \
file://location.patch"
S = "${WORKDIR}/git/program"
@@ -111,7 +111,7 @@ do_install() {
install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
}
-RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
+RDEPENDS:${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
perl-module-getopt-long perl-module-time-local \
perl-module-io-socket perl-module-overloading \
perl-module-base perl-module-b perl-module-bytes"
diff --git a/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend b/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..828931d
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,10 @@
+
+
+RDEPENDS:packagegroup-security-utils += "\
+ python3-privacyidea \
+ python3-fail2ban \
+ "
+
+RDEPENDS:packagegroup-meta-security-ptest-packages += "\
+ python3-fail2ban-ptest \
+ "
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
new file mode 100644
index 0000000..ba0f974
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
@@ -0,0 +1,14 @@
+DESCRIPTION = "Scripting support for flask"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e686048adb69341fc8a08caeda528b41"
+
+SRC_URI[md5sum] = "3fbd91fe13cebedfb2431331f6eabb68"
+SRC_URI[sha256sum] = "6425963d91054cfcc185807141c7314a9c5ad46325911bd24dcb489bd0161c65"
+
+PYPI_PACKAGE = "Flask-Script"
+
+inherit pypi setuptools3
+
+RDEPENDS:${PN} += "\
+ python3-flask \
+ "
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
new file mode 100644
index 0000000..638c56f
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
@@ -0,0 +1,9 @@
+DESCRIPTION="Python wrapper to convert JSON into a human readable HTML Table representation."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8065590663ea0c10aa131841ea806767"
+
+SRC_URI[sha256sum] = "8951a53662ae9cfd812685facdba693fc950ffc1c1fd1a8a2d3cf4c34600689c"
+
+PYPI_PACKAGE = "json2html"
+
+inherit pypi setuptools3
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch b/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch
new file mode 100644
index 0000000..075a035
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch
@@ -0,0 +1,92 @@
+From 478d595a7d086423733e9f5da5edfe9f1df48682 Mon Sep 17 00:00:00 2001
+From: Troy Curtis Jr <troy@troycurtisjr.com>
+Date: Thu, 10 Aug 2023 21:51:15 -0400
+Subject: [PATCH] Make asyncore support optional for Python 3.
+
+Fixes #204.
+
+Upstream-Status: Submitted [https://github.com/seb-m/pyinotify/pull/205]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+
+---
+ python3/pyinotify.py | 50 +++++++++++++++++++++++++-------------------
+ 1 file changed, 28 insertions(+), 22 deletions(-)
+
+diff --git a/python3/pyinotify.py b/python3/pyinotify.py
+index bc24313..f4a5a90 100755
+--- a/python3/pyinotify.py
++++ b/python3/pyinotify.py
+@@ -68,7 +68,6 @@ from collections import deque
+ from datetime import datetime, timedelta
+ import time
+ import re
+-import asyncore
+ import glob
+ import locale
+ import subprocess
+@@ -1494,33 +1493,40 @@ class ThreadedNotifier(threading.Thread, Notifier):
+ self.loop()
+
+
+-class AsyncNotifier(asyncore.file_dispatcher, Notifier):
+- """
+- This notifier inherits from asyncore.file_dispatcher in order to be able to
+- use pyinotify along with the asyncore framework.
++try:
++ import asyncore
+
+- """
+- def __init__(self, watch_manager, default_proc_fun=None, read_freq=0,
+- threshold=0, timeout=None, channel_map=None):
++ class AsyncNotifier(asyncore.file_dispatcher, Notifier):
+ """
+- Initializes the async notifier. The only additional parameter is
+- 'channel_map' which is the optional asyncore private map. See
+- Notifier class for the meaning of the others parameters.
++ This notifier inherits from asyncore.file_dispatcher in order to be able to
++ use pyinotify along with the asyncore framework.
+
+ """
+- Notifier.__init__(self, watch_manager, default_proc_fun, read_freq,
+- threshold, timeout)
+- asyncore.file_dispatcher.__init__(self, self._fd, channel_map)
++ def __init__(self, watch_manager, default_proc_fun=None, read_freq=0,
++ threshold=0, timeout=None, channel_map=None):
++ """
++ Initializes the async notifier. The only additional parameter is
++ 'channel_map' which is the optional asyncore private map. See
++ Notifier class for the meaning of the others parameters.
+
+- def handle_read(self):
+- """
+- When asyncore tells us we can read from the fd, we proceed processing
+- events. This method can be overridden for handling a notification
+- differently.
++ """
++ Notifier.__init__(self, watch_manager, default_proc_fun, read_freq,
++ threshold, timeout)
++ asyncore.file_dispatcher.__init__(self, self._fd, channel_map)
+
+- """
+- self.read_events()
+- self.process_events()
++ def handle_read(self):
++ """
++ When asyncore tells us we can read from the fd, we proceed processing
++ events. This method can be overridden for handling a notification
++ differently.
++
++ """
++ self.read_events()
++ self.process_events()
++except ImportError:
++ # asyncore was removed in Python 3.12, but try the import instead of a
++ # version check in case the compatibility package is installed.
++ pass
+
+
+ class TornadoAsyncNotifier(Notifier):
+--
+2.25.1
+
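Review bot: The `except ImportError: pass` branch at the end of the patch makes `AsyncNotifier` silently absent on interpreters without asyncore (Python 3.12+ per the patch's own comment), so a consumer that references `pyinotify.AsyncNotifier` fails with an AttributeError at first use rather than at import time, with no hint why. If fail2ban only uses the threaded notifier, as I would guess but cannot confirm from this diff, that is harmless, but the patch header should say so, e.g. add after the "Fixes #204." line: `With asyncore unavailable, AsyncNotifier is not defined; fail2ban does not use it.` That records the assumption the recipe relies on and tells the next maintainer what to re-check when the patch is refreshed or dropped.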
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
new file mode 100644
index 0000000..ff1b611
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
@@ -0,0 +1,22 @@
+DESCRIPTION = "Python pyinotify: Linux filesystem events monitoring"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ab173cade7965b411528464589a08382"
+
+RDEPENDS:${PN} += "\
+ python3-ctypes \
+ python3-fcntl \
+ python3-io \
+ python3-logging \
+ python3-misc \
+ python3-shell \
+ python3-threading \
+"
+
+SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406"
+SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4"
+
+SRC_URI += " \
+ file://0001-Make-asyncore-support-optional-for-Python-3.patch \
+"
+
+inherit pypi setuptools3
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb
new file mode 100644
index 0000000..f8a6552
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "QR Code and Micro QR Code generator for Python 2 and Python 3"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8e8db3765a57bcb968140e0a353c1a35"
+
+SRC_URI[sha256sum] = "983424b296e62189d70fc73460cd946cf56dcbe82b9bda18c066fc1b24371cdc"
+
+#PYPI_PACKAGE = "Flask-Script"
+
+inherit pypi setuptools3
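Review bot: Line 1935 is copy-paste residue from the flask-script recipe: a commented-out `#PYPI_PACKAGE = "Flask-Script"` in a segno recipe misleads anyone reading it and suggests the PyPI name was never reviewed. The pypi class derives the package name from `PN` when `PYPI_PACKAGE` is unset, which is presumably why the fetch works, but it is clearer to make it explicit: replace the line with `PYPI_PACKAGE = "segno"` (or delete it outright).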
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb
new file mode 100644
index 0000000..517ed87
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb
@@ -0,0 +1,9 @@
+DESCRIPTION="Creates diffs of XML files"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=0d0e9e3949e163c3edd1e097b8b0ed62"
+
+SRC_URI[sha256sum] = "19b030b3fa37d1f0b5c5ad9ada9059884c3bf2c751c5dd8f1eb4ed49cfe3fc60"
+
+PYPI_PACKAGE = "xmldiff"
+
+inherit pypi setuptools3
diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb b/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb
new file mode 100644
index 0000000..5d88951
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb
@@ -0,0 +1,9 @@
+DESCRIPTION="YAML Path and Command-Line Tools"
+LICENSE = "ISC"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5abda174c5040dd12ed2b225e3a096f0"
+
+SRC_URI[sha256sum] = "81d5b8baba60c255b519ccd31a691f9bc064223ff196709d41119bde81bba49e"
+
+PYPI_PACKAGE = "yamlpath"
+
+inherit pypi setuptools3
diff --git a/recipes-security/fail2ban/files/initd b/dynamic-layers/meta-python/recipes-security/fail2ban/files/initd
index 586b3da..586b3da 100644
--- a/recipes-security/fail2ban/files/initd
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/initd
diff --git a/recipes-security/fail2ban/files/run-ptest b/dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest
index 64d07d5..64d07d5 100644
--- a/recipes-security/fail2ban/files/run-ptest
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
new file mode 100644
index 0000000..bf5f87d
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
@@ -0,0 +1,74 @@
+SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
+DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
+many failed login attempts. It does this by updating system firewall rules to reject new \
+connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
+out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
+and is easy to configure to read any log file you choose, for any error you choose."
+HOMEPAGE = "http://www.fail2ban.org"
+
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
+
+DEPENDS = "python3-native"
+
+SRCREV = "e1d3006b0330e9777705a7baafe3989d442ed120"
+SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \
+ file://initd \
+ file://run-ptest \
+ "
+
+UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
+
+inherit update-rc.d ptest setuptools3_legacy
+inherit systemd
+
+SYSTEMD_SERVICE:${PN} = "fail2ban.service"
+
+S = "${WORKDIR}/git"
+
+do_compile () {
+ cd ${S}
+
+ #remove symlink to python3
+ # otherwise 2to3 is run against it
+ rm -f bin/fail2ban-python
+
+ ./fail2ban-2to3
+}
+
+do_install:append () {
+ rm -f ${D}/${bindir}/fail2ban-python
+ install -d ${D}/${sysconfdir}/fail2ban
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${B}/fail2ban.service ${D}${systemd_system_unitdir}
+ fi
+
+ chown -R root:root ${D}/${bindir}
+ rm -rf ${D}/run
+}
+
+do_install_ptest:append () {
+ install -d ${D}${PTEST_PATH}
+ install -d ${D}${PTEST_PATH}/bin
+ sed -i -e 's/##PYTHON##/python3/g' ${D}${PTEST_PATH}/run-ptest
+ install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
+ rm -f ${D}${PTEST_PATH}/bin/fail2ban-python
+}
+
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "fail2ban-server"
+INITSCRIPT_PARAMS = "defaults 25"
+
+INSANE_SKIP:${PN}:append = "already-stripped"
+
+RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables python3-core python3-pyinotify"
+RDEPENDS:${PN} += "python3-sqlite3"
+RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json"
+RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
+
+RRECOMMENDS:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'python3-systemd', '', d)}"
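Review bot: `INSANE_SKIP:${PN}:append = "already-stripped"` on line 2048 appends without a leading space, so if `INSANE_SKIP:${PN}` already holds a value (from a bbappend or distro config) the result is a single mangled token and neither check is skipped; use `INSANE_SKIP:${PN} += "already-stripped"` (or `:append = " already-stripped"`). Separately, the git SRC_URI pins `branch=master` with a bare SRCREV while `UPSTREAM_CHECK_GITTAGREGEX` shows upstream tags releases; a short comment mapping the SRCREV to the 1.0.2 tag, or fetching via `tag=`, would make the pinned revision auditable against the version in the recipe name. The runtime dependency on `iptables` assumes the default banaction; if a distro moves fail2ban to nftables that dependency will be wrong, which is worth a comment.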
diff --git a/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb b/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb
new file mode 100644
index 0000000..8268345
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb
@@ -0,0 +1,37 @@
+SUMMARY = "identity, multifactor authentication (OTP), authorization, audit"
+DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications."
+
+HOMEPAGE = "http://www.privacyidea.org/"
+LICENSE = "AGPL-3.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55"
+
+PYPI_PACKAGE = "privacyIDEA"
+SRC_URI[sha256sum] = "7c70feb44980a3fd7501457777a1ec30e73541e54d3b31f2b9b5ab6cd73cff4f"
+
+inherit pypi setuptools3
+
+do_install:append () {
+ rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests
+}
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system privacyidea"
+USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \
+ --shell /bin/false privacyidea"
+
+FILES:${PN} += " ${prefix}/etc/privacyidea/* ${prefix}/lib/privacyidea/*"
+
+RDEPENDS:${PN} = " bash perl freeradius-mysql freeradius-utils"
+RDEPENDS:${PN} += "python3 python3-alembic python3-babel python3-bcrypt"
+RDEPENDS:${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet"
+RDEPENDS:${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml"
+RDEPENDS:${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate"
+RDEPENDS:${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned"
+RDEPENDS:${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress"
+RDEPENDS:${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako"
+RDEPENDS:${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow"
+RDEPENDS:${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql"
+RDEPENDS:${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg"
+RDEPENDS:${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa"
+RDEPENDS:${PN} += "python3-smpplib python3-soupsieve python3-segno python3-importlib-metadata"
+RDEPENDS:${PN} += "python3-sqlalchemy python3-urllib3 python3-werkzeug"
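Review bot: The `USERADD_PACKAGES`, `GROUPADD_PARAM` and `USERADD_PARAM` settings on lines 2078-2081 have no effect because the recipe only does `inherit pypi setuptools3` (line 2072); without `inherit useradd` the `privacyidea` user and group are never created, and anything that later expects to drop privileges to that account will fail or run as root. Change line 2072 to `inherit pypi setuptools3 useradd`. In the same block, `-o` (allow non-unique UID) and the duplicated `--system -r` in USERADD_PARAM should go: `-o` serves no purpose without an explicit `-u` and would silently permit a UID collision if one is added later, so `USERADD_PARAM:${PN} = "--system -g privacyidea -d /opt/${BPN} --shell /bin/false privacyidea"` is the safer form.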
diff --git a/recipes-python/python/python3-oauth2client_4.1.3.bb b/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
index ca25d14..3a07461 100644
--- a/recipes-python/python/python3-oauth2client_4.1.3.bb
+++ b/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
@@ -8,4 +8,4 @@ SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b420989
inherit pypi setuptools3
-RDEPENDS_${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules"
+RDEPENDS:${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules"
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
deleted file mode 100644
index 666ba9c..0000000
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-suricata -u
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
deleted file mode 100644
index a99a76e..0000000
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Suricata IDS/IDP daemon
-After=network.target
-Requires=network.target
-Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
-RestrictAddressFamilies=
-ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
-ExecReload=/bin/kill -HUP $MAINPID
-PrivateTmp=yes
-ProtectHome=yes
-ProtectSystem=yes
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
deleted file mode 100644
index 8d06a27..0000000
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
+++ /dev/null
@@ -1,1326 +0,0 @@
-%YAML 1.1
----
-
-# Suricata configuration file. In addition to the comments describing all
-# options in this file, full documentation can be found at:
-# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
-
-
-# Number of packets allowed to be processed simultaneously. Default is a
-# conservative 1024. A higher number will make sure CPU's/CPU cores will be
-# more easily kept busy, but may negatively impact caching.
-#
-# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
-# apply. In that case try something like 60000 or more. This is because the CUDA
-# pattern matcher buffers and scans as many packets as possible in parallel.
-#max-pending-packets: 1024
-
-# Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
-# load balancing).
-#runmode: autofp
-
-# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
-#
-# Supported schedulers are:
-#
-# round-robin - Flows assigned to threads in a round robin fashion.
-# active-packets - Flows assigned to threads that have the lowest number of
-# unprocessed packets (default).
-# hash - Flow alloted usihng the address hash. More of a random
-# technique. Was the default in Suricata 1.2.1 and older.
-#
-#autofp-scheduler: active-packets
-
-# If suricata box is a router for the sniffed networks, set it to 'router'. If
-# it is a pure sniffing setup, set it to 'sniffer-only'.
-# If set to auto, the variable is internally switch to 'router' in IPS mode
-# and 'sniffer-only' in IDS mode.
-# This feature is currently only used by the reject* keywords.
-host-mode: auto
-
-# Run suricata as user and group.
-#run-as:
-# user: suri
-# group: suri
-
-# Default pid file.
-# Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
-
-# Daemon working directory
-# Suricata will change directory to this one if provided
-# Default: "/"
-#daemon-directory: "/"
-
-# Preallocated size for packet. Default is 1514 which is the classical
-# size for pcap on ethernet. You should adjust this value to the highest
-# packet size (MTU + hardware header) on your system.
-#default-packet-size: 1514
-
-# The default logging directory. Any log or output file will be
-# placed here if its not specified with a full path name. This can be
-# overridden with the -l command line parameter.
-default-log-dir: /var/log/suricata/
-
-# Unix command socket can be used to pass commands to suricata.
-# An external tool can then connect to get information from suricata
-# or trigger some modifications of the engine. Set enabled to yes
-# to activate the feature. You can use the filename variable to set
-# the file name of the socket.
-unix-command:
- enabled: no
- #filename: custom.socket
-
-# Configure the type of alert (and other) logging you would like.
-outputs:
-
- # a line based alerts log similar to Snort's fast.log
- - fast:
- enabled: yes
- filename: fast.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # Extensible Event Format (nicknamed EVE) event log in JSON format
- - eve-log:
- enabled: yes
- type: file #file|syslog|unix_dgram|unix_stream
- filename: eve.json
- # the following are valid when type: syslog above
- #identity: "suricata"
- #facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
- types:
- - alert
- - http:
- extended: yes # enable this for extended logging information
- # custom allows additional http fields to be included in eve-log
- # the example below adds three additional fields when uncommented
- #custom: [Accept-Encoding, Accept-Language, Authorization]
- - dns
- - tls:
- extended: yes # enable this for extended logging information
- - files:
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
- #- drop
- - ssh
-
- # alert output for use with Barnyard2
- - unified2-alert:
- enabled: yes
- filename: unified2.alert
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- #limit: 32mb
-
- # Sensor ID field of unified2 alerts.
- #sensor-id: 0
-
- # HTTP X-Forwarded-For support by adding the unified2 extra header that
- # will contain the actual client IP address or by overwriting the source
- # IP address (helpful when inspecting traffic that is being reversed
- # proxied).
- xff:
- enabled: no
- # Two operation modes are available, "extra-data" and "overwrite". Note
- # that in the "overwrite" mode, if the reported IP address in the HTTP
- # X-Forwarded-For header is of a different version of the packet
- # received, it will fall-back to "extra-data" mode.
- mode: extra-data
- # Header name were the actual IP address will be reported, if more than
- # one IP address is present, the last IP address will be the one taken
- # into consideration.
- header: X-Forwarded-For
-
- # a line based log of HTTP requests (no alerts)
- - http-log:
- enabled: yes
- filename: http.log
- append: yes
- #extended: yes # enable this for extended logging information
- #custom: yes # enabled the custom logging format (defined by customformat)
- #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log of TLS handshake parameters (no alerts)
- - tls-log:
- enabled: no # Log TLS connections.
- filename: tls.log # File to store TLS logs.
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- #extended: yes # Log extended information like fingerprint
- certs-log-dir: certs # directory to store the certificates files
-
- # a line based log of DNS requests and/or replies (no alerts)
- - dns-log:
- enabled: no
- filename: dns.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log to used with pcap file study.
- # this module is dedicated to offline pcap parsing (empty output
- # if used with another kind of input). It can interoperate with
- # pcap parser like wireshark via the suriwire plugin.
- - pcap-info:
- enabled: no
-
- # Packet log... log packets in pcap format. 2 modes of operation: "normal"
- # and "sguil".
- #
- # In normal mode a pcap file "filename" is created in the default-log-dir,
- # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
- # In this base dir the pcaps are created in th directory structure Sguil expects:
- #
- # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
- #
- # By default all packets are logged except:
- # - TCP streams beyond stream.reassembly.depth
- # - encrypted streams after the key exchange
- #
- - pcap-log:
- enabled: no
- filename: log.pcap
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- limit: 1000mb
-
- # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
- max-files: 2000
-
- mode: normal # normal or sguil.
- #sguil-base-dir: /nsm_data/
- #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
- use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
-
- # a full alerts log containing much information for signature writers
- # or for investigating suspected false positives.
- - alert-debug:
- enabled: no
- filename: alert-debug.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # alert output to prelude (http://www.prelude-technologies.com/) only
- # available if Suricata has been compiled with --enable-prelude
- - alert-prelude:
- enabled: no
- profile: suricata
- log-packet-content: no
- log-packet-header: yes
-
- # Stats.log contains data from various counters of the suricata engine.
- # The interval field (in seconds) tells after how long output will be written
- # on the log file.
- - stats:
- enabled: yes
- filename: stats.log
- interval: 8
-
- # a line based alerts log similar to fast.log into syslog
- - syslog:
- enabled: no
- # reported identity to syslog. If ommited the program name (usually
- # suricata) will be used.
- #identity: "suricata"
- facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
-
- # a line based information for dropped packets in IPS mode
- - drop:
- enabled: no
- filename: drop.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # output module to store extracted files to disk
- #
- # The files are stored to the log-dir in a format "file.<id>" where <id> is
- # an incrementing number starting at 1. For each file "file.<id>" a meta
- # file "file.<id>.meta" is created.
- #
- # File extraction depends on a lot of things to be fully done:
- # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
- # - http request / response body sizes. Again set to 0 for optimal results.
- # - rules that contain the "filestore" keyword.
- - file-store:
- enabled: no # set to yes to enable
- log-dir: files # directory to store the files
- force-magic: no # force logging magic on all stored files
- force-md5: no # force logging of md5 checksums
- #waldo: file.waldo # waldo file to store the file_id across runs
-
- # output module to log files tracked in a easily parsable json format
- - file-log:
- enabled: no
- filename: files-json.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
-
-# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-magic-file: /usr/share/misc/magic.mgc
-
-# When running in NFQ inline mode, it is possible to use a simulated
-# non-terminal NFQUEUE verdict.
-# This permit to do send all needed packet to suricata via this a rule:
-# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
-# And below, you can have your standard filtering ruleset. To activate
-# this mode, you need to set mode to 'repeat'
-# If you want packet to be sent to another queue after an ACCEPT decision
-# set mode to 'route' and set next-queue value.
-# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
-# by processing several packets before sending a verdict (worker runmode only).
-# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
-# accept the packet if suricata is not able to keep pace.
-nfq:
-# mode: accept
-# repeat-mark: 1
-# repeat-mask: 1
-# route-queue: 2
-# batchcount: 20
-# fail-open: yes
-
-#nflog support
-nflog:
- # netlink multicast group
- # (the same as the iptables --nflog-group param)
- # Group 0 is used by the kernel, so you can't use it
- - group: 2
- # netlink buffer size
- buffer-size: 18432
- # put default value here
- - group: default
- # set number of packet to queue inside kernel
- qthreshold: 1
- # set the delay before flushing packet in the queue inside kernel
- qtimeout: 100
- # netlink max buffer size
- max-size: 20000
-
-# af-packet support
-# Set threads to > 1 to use PACKET_FANOUT support
-af-packet:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
- # Default clusterid. AF_PACKET will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
- # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
- # This is only supported for Linux kernel > 3.1
- # possible value are:
- # * cluster_round_robin: round robin load balancing
- # * cluster_flow: all packets of a given flow are send to the same socket
- # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
- cluster-type: cluster_flow
- # In some fragmentation case, the hash can not be computed. If "defrag" is set
- # to yes, the kernel will do the needed defragmentation before sending the packets.
- defrag: yes
- # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
- use-mmap: yes
- # Ring size will be computed with respect to max_pending_packets and number
- # of threads. You can set manually the ring size in number of packets by setting
- # the following value. If you are using flow cluster-type and have really network
- # intensive single-flow you could want to set the ring-size independantly of the number
- # of threads:
- #ring-size: 2048
- # On busy system, this could help to set it to yes to recover from a packet drop
- # phase. This will result in some packets (at max a ring flush) being non treated.
- #use-emergency-flush: yes
- # recv buffer size, increase value could improve performance
- # buffer-size: 32768
- # Set to yes to disable promiscuous mode
- # disable-promisc: no
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - kernel: use indication sent by kernel for each packet (default)
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used.
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: kernel
- # BPF filter to apply to this interface. The pcap filter syntax apply here.
- #bpf-filter: port 80 or udp
- # You can use the following variables to activate AF_PACKET tap od IPS mode.
- # If copy-mode is set to ips or tap, the traffic coming to the current
- # interface will be copied to the copy-iface interface. If 'tap' is set, the
- # copy is complete. If 'ips' is set, the packet matching a 'drop' action
- # will not be copied.
- #copy-mode: ips
- #copy-iface: eth1
- - interface: eth1
- threads: 1
- cluster-id: 98
- cluster-type: cluster_flow
- defrag: yes
- # buffer-size: 32768
- # disable-promisc: no
- # Put default values here
- - interface: default
- #threads: 2
- #use-mmap: yes
-
-legacy:
- uricontent: enabled
-
-# You can specify a threshold config file by setting "threshold-file"
-# to the path of the threshold config file:
-# threshold-file: /etc/suricata/threshold.config
-
-# The detection engine builds internal groups of signatures. The engine
-# allow us to specify the profile to use for them, to manage memory on an
-# efficient way keeping a good performance. For the profile keyword you
-# can use the words "low", "medium", "high" or "custom". If you use custom
-# make sure to define the values at "- custom-values" as your convenience.
-# Usually you would prefer medium/high/low.
-#
-# "sgh mpm-context", indicates how the staging should allot mpm contexts for
-# the signature groups. "single" indicates the use of a single context for
-# all the signature group heads. "full" indicates a mpm-context for each
-# group head. "auto" lets the engine decide the distribution of contexts
-# based on the information the engine gathers on the patterns from each
-# group head.
-#
-# The option inspection-recursion-limit is used to limit the recursive calls
-# in the content inspection code. For certain payload-sig combinations, we
-# might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit. On not specifying a value, we use no limits on the recursion.
-detect-engine:
- - profile: medium
- - custom-values:
- toclient-src-groups: 2
- toclient-dst-groups: 2
- toclient-sp-groups: 2
- toclient-dp-groups: 3
- toserver-src-groups: 2
- toserver-dst-groups: 4
- toserver-sp-groups: 2
- toserver-dp-groups: 25
- - sgh-mpm-context: auto
- - inspection-recursion-limit: 3000
- # When rule-reload is enabled, sending a USR2 signal to the Suricata process
- # will trigger a live rule reload. Experimental feature, use with care.
- #- rule-reload: true
- # If set to yes, the loading of signatures will be made after the capture
- # is started. This will limit the downtime in IPS mode.
- #- delayed-detect: yes
-
-# Suricata is multi-threaded. Here the threading can be influenced.
-threading:
- # On some cpu's/architectures it is beneficial to tie individual threads
- # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
- # and each extra CPU/core has one "detect" thread.
- #
- # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
- #
- set-cpu-affinity: no
- # Tune cpu affinity of suricata threads. Each family of threads can be bound
- # on specific CPUs.
- cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - decode-cpu-set:
- cpu: [ 0, 1 ]
- mode: "balanced"
- - stream-cpu-set:
- cpu: [ "0-1" ]
- - detect-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive" # run detect threads in these cpus
- # Use explicitely 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- - verdict-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "high"
- - reject-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "low"
- - output-cpu-set:
- cpu: [ "all" ]
- prio:
- default: "medium"
- #
- # By default Suricata creates one "detect" thread per available CPU/CPU core.
- # This setting allows controlling this behaviour. A ratio setting of 2 will
- # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
- # will result in 4 detect threads. If values below 1 are used, less threads
- # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
- # thread being created. Regardless of the setting at a minimum 1 detect
- # thread will always be created.
- #
- detect-thread-ratio: 1.5
-
-# Cuda configuration.
-cuda:
- # The "mpm" profile. On not specifying any of these parameters, the engine's
- # internal default values are used, which are same as the ones specified in
- # in the default conf file.
- mpm:
- # The minimum length required to buffer data to the gpu.
- # Anything below this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- # A value of 0 indicates there's no limit.
- data-buffer-size-min-limit: 0
- # The maximum length for data that we would buffer to the gpu.
- # Anything over this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- data-buffer-size-max-limit: 1500
- # The ring buffer size used by the CudaBuffer API to buffer data.
- cudabuffer-buffer-size: 500mb
- # The max chunk size that can be sent to the gpu in a single go.
- gpu-transfer-size: 50mb
- # The timeout limit for batching of packets in microseconds.
- batching-timeout: 2000
- # The device to use for the mpm. Currently we don't support load balancing
- # on multiple gpus. In case you have multiple devices on your system, you
- # can specify the device to use, using this conf. By default we hold 0, to
- # specify the first device cuda sees. To find out device-id associated with
- # the card(s) on the system run "suricata --list-cuda-cards".
- device-id: 0
- # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
- # For this option you need a device with Compute Capability > 1.0.
- cuda-streams: 2
-
-# Select the multi pattern algorithm you want to run for scan/search the
-# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
-# ac and ac-gfbs.
-#
-# The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
-# to be set to "single", because of ac's memory requirements, unless the
-# ruleset is small enough to fit in one's memory, in which case one can
-# use "full" with "ac". Rest of the mpms can be run in "full" mode.
-#
-# There is also a CUDA pattern matcher (only available if Suricata was
-# compiled with --enable-cuda: b2g_cuda. Make sure to update your
-# max-pending-packets setting above as well if you use b2g_cuda.
-
-mpm-algo: ac
-
-# The memory settings for hash size of these algorithms can vary from lowest
-# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
-# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
-# medium (1024) - high (2048).
-#
-# For B2g/B3g algorithms, there is a support for two different scan/search
-# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
-# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
-# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
-# B3gSearchBNDMq.
-#
-# For B2g the different scan/search algorithms and, hash and bloom
-# filter size settings. For B3g the different scan/search algorithms and, hash
-# and bloom filter size settings. For wumanber the hash and bloom filter size
-# settings.
-
-pattern-matcher:
- - b2gc:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2gm:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2g:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b3g:
- search-algo: B3gSearchBNDMq
- hash-size: low
- bf-size: medium
- - wumanber:
- hash-size: low
- bf-size: medium
-
-# Defrag settings:
-
-defrag:
- memcap: 32mb
- hash-size: 65536
- trackers: 65535 # number of defragmented flows to follow
- max-frags: 65535 # number of fragments to keep (higher than trackers)
- prealloc: yes
- timeout: 60
-
-# Enable defrag per host settings
-# host-config:
-#
-# - dmz:
-# timeout: 30
-# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-# - lan:
-# timeout: 45
-# address:
-# - 192.168.0.0/24
-# - 192.168.10.0/24
-# - 172.16.14.0/24
-
-# Flow settings:
-# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
-# for flow allocation inside the engine. You can change this value to allow
-# more memory usage for flows.
-# The hash-size determine the size of the hash used to identify flows inside
-# the engine, and by default the value is 65536.
-# At the startup, the engine can preallocate a number of flows, to get a better
-# performance. The number of flows preallocated is 10000 by default.
-# emergency-recovery is the percentage of flows that the engine need to
-# prune before unsetting the emergency state. The emergency state is activated
-# when the memcap limit is reached, allowing to create new flows, but
-# prunning them with the emergency timeouts (they are defined below).
-# If the memcap is reached, the engine will try to prune flows
-# with the default timeouts. If it doens't find a flow to prune, it will set
-# the emergency bit and it will try again with more agressive timeouts.
-# If that doesn't work, then it will try to kill the last time seen flows
-# not in use.
-# The memcap can be specified in kb, mb, gb. Just a number indicates it's
-# in bytes.
-
-flow:
- memcap: 64mb
- hash-size: 65536
- prealloc: 10000
- emergency-recovery: 30
-
-# This option controls the use of vlan ids in the flow (and defrag)
-# hashing. Normally this should be enabled, but in some (broken)
-# setups where both sides of a flow are not tagged with the same vlan
-# tag, we can ignore the vlan id's in the flow hashing.
-vlan:
- use-for-tracking: true
-
-# Specific timeouts for flows. Here you can specify the timeouts that the
-# active flows will wait to transit from the current state to another, on each
-# protocol. The value of "new" determine the seconds to wait after a hanshake or
-# stream startup before the engine free the data of that flow it doesn't
-# change the state to established (usually if we don't receive more packets
-# of that flow). The value of "established" is the amount of
-# seconds that the engine will wait to free the flow if it spend that amount
-# without receiving new packets or closing the connection. "closed" is the
-# amount of time to wait after a flow is closed (usually zero).
-#
-# There's an emergency mode that will become active under attack circumstances,
-# making the engine to check flow status faster. This configuration variables
-# use the prefix "emergency-" and work similar as the normal ones.
-# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
-# icmp.
-
-flow-timeouts:
-
- default:
- new: 30
- established: 300
- closed: 0
- emergency-new: 10
- emergency-established: 100
- emergency-closed: 0
- tcp:
- new: 60
- established: 3600
- closed: 120
- emergency-new: 10
- emergency-established: 300
- emergency-closed: 20
- udp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
- icmp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
-
-# Stream engine settings. Here the TCP stream tracking and reassembly
-# engine is configured.
-#
-# stream:
-# memcap: 32mb # Can be specified in kb, mb, gb. Just a
-# # number indicates it's in bytes.
-# checksum-validation: yes # To validate the checksum of received
-# # packet. If csum validation is specified as
-# # "yes", then packet with invalid csum will not
-# # be processed by the engine stream/app layer.
-# # Warning: locally generated trafic can be
-# # generated without checksum due to hardware offload
-# # of checksum. You can control the handling of checksum
-# # on a per-interface basis via the 'checksum-checks'
-# # option
-# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
-# midstream: false # don't allow midstream session pickups
-# async-oneside: false # don't enable async stream handling
-# inline: no # stream inline mode
-# max-synack-queued: 5 # Max different SYN/ACKs to queue
-#
-# reassembly:
-# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
-# # This lower the risk of some evasion technics but could lead
-# # detection change between runs. It is set to 'yes' by default.
-# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
-# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
-# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
-# # of randomize-chunk-range is 10.
-#
-# raw: yes # 'Raw' reassembly enabled or disabled.
-# # raw is for content inspection by detection
-# # engine.
-#
-# chunk-prealloc: 250 # Number of preallocated stream chunks. These
-# # are used during stream inspection (raw).
-# segments: # Settings for reassembly segment pool.
-# - size: 4 # Size of the (data)segment for a pool
-# prealloc: 256 # Number of segments to prealloc and keep
-# # in the pool.
-#
-stream:
- memcap: 32mb
- checksum-validation: yes # reject wrong csums
- inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
- reassembly:
- memcap: 128mb
- depth: 1mb # reassemble 1mb into a stream
- toserver-chunk-size: 2560
- toclient-chunk-size: 2560
- randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #chunk-prealloc: 250
- #segments:
- # - size: 4
- # prealloc: 256
- # - size: 16
- # prealloc: 512
- # - size: 112
- # prealloc: 512
- # - size: 248
- # prealloc: 512
- # - size: 512
- # prealloc: 512
- # - size: 768
- # prealloc: 1024
- # - size: 1448
- # prealloc: 1024
- # - size: 65535
- # prealloc: 128
-
-# Host table:
-#
-# Host table is used by tagging and per host thresholding subsystems.
-#
-host:
- hash-size: 4096
- prealloc: 1000
- memcap: 16777216
-
-# Logging configuration. This is not about logging IDS alerts, but
-# IDS output about what its doing, errors, etc.
-logging:
-
- # The default log level, can be overridden in an output section.
- # Note that debug level logging will only be emitted if Suricata was
- # compiled with the --enable-debug configure option.
- #
- # This value is overriden by the SC_LOG_LEVEL env var.
- default-log-level: notice
-
- # The default output format. Optional parameter, should default to
- # something reasonable if not provided. Can be overriden in an
- # output section. You can leave this out to get the default.
- #
- # This value is overriden by the SC_LOG_FORMAT env var.
- #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
-
- # A regex to filter output. Can be overridden in an output section.
- # Defaults to empty (no filter).
- #
- # This value is overriden by the SC_LOG_OP_FILTER env var.
- default-output-filter:
-
- # Define your logging outputs. If none are defined, or they are all
- # disabled you will get the default - console output.
- outputs:
- - console:
- enabled: yes
- - file:
- enabled: no
- filename: /var/log/suricata.log
- - syslog:
- enabled: yes
- facility: local5
- format: "[%i] <%d> -- "
-
-# Tilera mpipe configuration. for use on Tilera TILE-Gx.
-mpipe:
-
- # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
- load-balance: dynamic
-
- # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
- iqueue-packets: 2048
-
- # List of interfaces we will listen on.
- inputs:
- - interface: xgbe2
- - interface: xgbe3
- - interface: xgbe4
-
-
- # Relative weight of memory for packets of each mPipe buffer size.
- stack:
- size128: 0
- size256: 9
- size512: 0
- size1024: 0
- size1664: 7
- size4096: 0
- size10386: 0
- size16384: 0
-
-# PF_RING configuration. for use with native PF_RING support
-# for more info see http://www.ntop.org/PF_RING.html
-pfring:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
-
- # Default clusterid. PF_RING will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
-
- # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
- # This is only supported in versions of PF_RING > 4.1.1.
- cluster-type: cluster_flow
- # bpf filter for this interface
- #bpf-filter: tcp
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - rxonly: only compute checksum for packets received by network card.
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # Second interface
- #- interface: eth1
- # threads: 3
- # cluster-id: 93
- # cluster-type: cluster_flow
- # Put default values here
- - interface: default
- #threads: 2
-
-pcap:
- - interface: eth0
- # On Linux, pcap will try to use mmaped capture and will use buffer-size
- # as total of memory used by the ring. So set this to something bigger
- # than 1% of your bandwidth.
- #buffer-size: 16777216
- #bpf-filter: "tcp and port 25"
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # With some accelerator cards using a modified libpcap (like myricom), you
- # may want to have the same number of capture threads as the number of capture
- # rings. In this case, set up the threads variable to N to start N threads
- # listening on the same interface.
- #threads: 16
- # set to no to disable promiscuous mode:
- #promisc: no
- # set snaplen, if not set it defaults to MTU if MTU can be known
- # via ioctl call and to full capture if not.
- #snaplen: 1518
- # Put default values here
- - interface: default
- #checksum-checks: auto
-
-pcap-file:
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have checksum tested
- checksum-checks: auto
-
-# For FreeBSD ipfw(8) divert(4) support.
-# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
-# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
-# Additionally, you need to have an ipfw rule for the engine to see
-# the packets from ipfw. For Example:
-#
-# ipfw add 100 divert 8000 ip from any to any
-#
-# The 8000 above should be the same number you passed on the command
-# line, i.e. -d 8000
-#
-ipfw:
-
- # Reinject packets at the specified ipfw rule number. This config
- # option is the ipfw rule number AT WHICH rule processing continues
- # in the ipfw processing system after the engine has finished
- # inspecting the packet for acceptance. If no rule number is specified,
- # accepted packets are reinjected at the divert rule which they entered
- # and IPFW rule processing continues. No check is done to verify
- # this will rule makes sense so care must be taken to avoid loops in ipfw.
- #
- ## The following example tells the engine to reinject packets
- # back into the ipfw firewall AT rule number 5500:
- #
- # ipfw-reinjection-rule-number: 5500
-
-# Set the default rule path here to search for the files.
-# if not set, it will look at the current working dir
-default-rule-path: /etc/suricata/rules
-rule-files:
- - botcc.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-activex.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-ftp.rules
- - emerging-games.rules
- - emerging-icmp_info.rules
-# - emerging-icmp.rules
- - emerging-imap.rules
- - emerging-inappropriate.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-shellcode.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
- - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-web_specific_apps.rules
- - emerging-worm.rules
- - tor.rules
- - decoder-events.rules # available in suricata sources under rules dir
- - stream-events.rules # available in suricata sources under rules dir
- - http-events.rules # available in suricata sources under rules dir
- - smtp-events.rules # available in suricata sources under rules dir
- - dns-events.rules # available in suricata sources under rules dir
- - tls-events.rules # available in suricata sources under rules dir
-
-classification-file: /etc/suricata/classification.config
-reference-config-file: /etc/suricata/reference.config
-
-# Holds variables that would be used by the engine.
-vars:
-
- # Holds the address group vars that would be passed in a Signature.
- # These would be retrieved during the Signature address parsing stage.
- address-groups:
-
- HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
-
- EXTERNAL_NET: "!$HOME_NET"
-
- HTTP_SERVERS: "$HOME_NET"
-
- SMTP_SERVERS: "$HOME_NET"
-
- SQL_SERVERS: "$HOME_NET"
-
- DNS_SERVERS: "$HOME_NET"
-
- TELNET_SERVERS: "$HOME_NET"
-
- AIM_SERVERS: "$EXTERNAL_NET"
-
- DNP3_SERVER: "$HOME_NET"
-
- DNP3_CLIENT: "$HOME_NET"
-
- MODBUS_CLIENT: "$HOME_NET"
-
- MODBUS_SERVER: "$HOME_NET"
-
- ENIP_CLIENT: "$HOME_NET"
-
- ENIP_SERVER: "$HOME_NET"
-
- # Holds the port group vars that would be passed in a Signature.
- # These would be retrieved during the Signature port parsing stage.
- port-groups:
-
- HTTP_PORTS: "80"
-
- SHELLCODE_PORTS: "!80"
-
- ORACLE_PORTS: 1521
-
- SSH_PORTS: 22
-
- DNP3_PORTS: 20000
-
-# Set the order of alerts bassed on actions
-# The default order is pass, drop, reject, alert
-action-order:
- - pass
- - drop
- - reject
- - alert
-
-# IP Reputation
-#reputation-categories-file: /etc/suricata/iprep/categories.txt
-#default-reputation-path: /etc/suricata/iprep
-#reputation-files:
-# - reputation.list
-
-# Host specific policies for defragmentation and TCP stream
-# reassembly. The host OS lookup is done using a radix tree, just
-# like a routing table so the most specific entry matches.
-host-os-policy:
- # Make the default policy windows.
- windows: [0.0.0.0/0]
- bsd: []
- bsd-right: []
- old-linux: []
- linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
- old-solaris: []
- solaris: ["::1"]
- hpux10: []
- hpux11: []
- irix: []
- macos: []
- vista: []
- windows2k3: []
-
-
-# Limit for the maximum number of asn1 frames to decode (default 256)
-asn1-max-frames: 256
-
-# When run with the option --engine-analysis, the engine will read each of
-# the parameters below, and print reports for each of the enabled sections
-# and exit. The reports are printed to a file in the default log dir
-# given by the parameter "default-log-dir", with engine reporting
-# subsection below printing reports in its own report file.
-engine-analysis:
- # enables printing reports for fast-pattern for every rule.
- rules-fast-pattern: yes
- # enables printing reports for each rule
- rules: yes
-
-#recursion and match limits for PCRE where supported
-pcre:
- match-limit: 3500
- match-limit-recursion: 1500
-
-# Holds details on the app-layer. The protocols section details each protocol.
-# Under each protocol, the default value for detection-enabled and "
-# parsed-enabled is yes, unless specified otherwise.
-# Each protocol covers enabling/disabling parsers for all ipprotos
-# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
-# version of the protocol as well as the udp version of the protocol.
-# The option "enabled" takes 3 values - "yes", "no", "detection-only".
-# "yes" enables both detection and the parser, "no" disables both, and
-# "detection-only" enables detection only(parser disabled).
-app-layer:
- protocols:
- tls:
- enabled: yes
- detection-ports:
- dp: 443
-
- #no-reassemble: yes
- dcerpc:
- enabled: yes
- ftp:
- enabled: yes
- ssh:
- enabled: yes
- smtp:
- enabled: yes
- imap:
- enabled: detection-only
- msn:
- enabled: detection-only
- smb:
- enabled: yes
- detection-ports:
- dp: 139
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
- dns:
- # memcaps. Globally and per flow/state.
- #global-memcap: 16mb
- #state-memcap: 512kb
-
- # How many unreplied DNS requests are considered a flood.
- # If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 500
-
- tcp:
- enabled: yes
- detection-ports:
- dp: 53
- udp:
- enabled: yes
- detection-ports:
- dp: 53
- http:
- enabled: yes
- # memcap: 64mb
-
- ###########################################################################
- # Configure libhtp.
- #
- #
- # default-config: Used when no server-config matches
- # personality: List of personalities used by default
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
- # Currently Available Personalities:
- # Minimal
- # Generic
- # IDS (default)
- # IIS_4_0
- # IIS_5_0
- # IIS_5_1
- # IIS_6_0
- # IIS_7_0
- # IIS_7_5
- # Apache_2
- ###########################################################################
- libhtp:
-
- default-config:
- personality: IDS
-
- # Can be specified in kb, mb, gb. Just a number indicates
- # it's in bytes.
- request-body-limit: 3072
- response-body-limit: 3072
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 32kb
- response-body-inspect-window: 4kb
- # Take a random value for inspection sizes around the specified value.
- # This lower the risk of some evasion technics but could lead
- # detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
- # If randomize-inspection-sizes is active, the value of various
- # inspection size will be choosen in the [1 - range%, 1 + range%]
- # range
- # Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
-
- # decoding
- double-decode-path: no
- double-decode-query: no
-
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
-# Profiling settings. Only effective if Suricata has been built with the
-# the --enable-profiling configure flag.
-#
-profiling:
- # Run profiling for every xth packet. The default is 1, which means we
- # profile every packet. If set to 1000, one packet is profiled for every
- # 1000 received.
- #sample-rate: 1000
-
- # rule profiling
- rules:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: rule_perf.log
- append: yes
-
- # Sort options: ticks, avgticks, checks, matches, maxticks
- sort: avgticks
-
- # Limit the number of items printed at exit.
- limit: 100
-
- # per keyword profiling
- keywords:
- enabled: yes
- filename: keyword_perf.log
- append: yes
-
- # packet profiling
- packets:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: packet_stats.log
- append: yes
-
- # per packet csv output
- csv:
-
- # Output can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: no
- filename: packet_stats.csv
-
- # profiling of locking. Only available when Suricata was built with
- # --enable-profiling-locks.
- locks:
- enabled: no
- filename: lock_stats.log
- append: yes
-
-# Suricata core dump configuration. Limits the size of the core dump file to
-# approximately max-dump. The actual core dump size will be a multiple of the
-# page size. Core dumps that would be larger than max-dump are truncated. On
-# Linux, the actual core dump size may be a few pages larger than max-dump.
-# Setting max-dump to 0 disables core dumping.
-# Setting max-dump to 'unlimited' will give the full core dump file.
-# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
-# to be 'unlimited'.
-
-coredump:
- max-dump: unlimited
-
-napatech:
- # The Host Buffer Allowance for all streams
- # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
- hba: -1
-
- # use_all_streams set to "yes" will query the Napatech service for all configured
- # streams and listen on all of them. When set to "no" the streams config array
- # will be used.
- use-all-streams: yes
-
- # The streams to listen on
- streams: [1, 2, 3]
-
-# Includes. Files included here will be handled as if they were
-# inlined in this configuration file.
-#include: include1.yaml
-#include: include2.yaml
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
deleted file mode 100644
index fbf3784..0000000
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /var/log/suricata 0755 root root
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
deleted file mode 100644
index 4627bd3..0000000
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d root root 0755 /var/log/suricata none
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
deleted file mode 100644
index 85f419e..0000000
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-VER = "6.0.2"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[sha256sum] = "5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52"
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
deleted file mode 100644
index a4255d2..0000000
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
+++ /dev/null
@@ -1,193 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-DEPENDS = "lz4 libhtp"
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += " \
- file://volatiles.03_suricata \
- file://tmpfiles.suricata \
- file://suricata.yaml \
- file://suricata.service \
- file://run-ptest \
- file://fixup.patch \
- "
-
-SRC_URI += " \
- crate://crates.io/autocfg/1.0.1 \
- crate://crates.io/semver-parser/0.7.0 \
- crate://crates.io/arrayvec/0.4.12 \
- crate://crates.io/ryu/1.0.5 \
- crate://crates.io/libc/0.2.86 \
- crate://crates.io/bitflags/1.2.1 \
- crate://crates.io/version_check/0.9.2 \
- crate://crates.io/memchr/2.3.4 \
- crate://crates.io/nodrop/0.1.14 \
- crate://crates.io/cfg-if/0.1.9 \
- crate://crates.io/static_assertions/0.3.4 \
- crate://crates.io/getrandom/0.1.16 \
- crate://crates.io/cfg-if/1.0.0 \
- crate://crates.io/siphasher/0.3.3 \
- crate://crates.io/ppv-lite86/0.2.10 \
- crate://crates.io/proc-macro-hack/0.5.19 \
- crate://crates.io/proc-macro2/0.4.30 \
- crate://crates.io/unicode-xid/0.1.0 \
- crate://crates.io/syn/0.15.44 \
- crate://crates.io/build_const/0.2.1 \
- crate://crates.io/num-derive/0.2.5 \
- crate://crates.io/base64/0.11.0 \
- crate://crates.io/widestring/0.4.3 \
- crate://crates.io/md5/0.7.0 \
- crate://crates.io/uuid/0.8.2 \
- crate://crates.io/byteorder/1.4.2 \
- crate://crates.io/semver/0.9.0 \
- crate://crates.io/nom/5.1.1 \
- crate://crates.io/num-traits/0.2.14 \
- crate://crates.io/num-integer/0.1.44 \
- crate://crates.io/num-bigint/0.2.6 \
- crate://crates.io/num-bigint/0.3.1 \
- crate://crates.io/num-rational/0.2.4 \
- crate://crates.io/num-complex/0.2.4 \
- crate://crates.io/num-iter/0.1.42 \
- crate://crates.io/phf_shared/0.8.0 \
- crate://crates.io/crc/1.8.1 \
- crate://crates.io/rustc_version/0.2.3 \
- crate://crates.io/phf/0.8.0 \
- crate://crates.io/lexical-core/0.6.7 \
- crate://crates.io/time/0.1.44 \
- crate://crates.io/quote/0.6.13 \
- crate://crates.io/rand_core/0.5.1 \
- crate://crates.io/rand_chacha/0.2.2 \
- crate://crates.io/rand_pcg/0.2.1 \
- crate://crates.io/num-traits/0.1.43 \
- crate://crates.io/rand/0.7.3 \
- crate://crates.io/enum_primitive/0.1.1 \
- crate://crates.io/phf_generator/0.8.0 \
- crate://crates.io/phf_codegen/0.8.0 \
- crate://crates.io/tls-parser/0.9.4 \
- crate://crates.io/num/0.2.1 \
- crate://crates.io/rusticata-macros/2.1.0 \
- crate://crates.io/ntp-parser/0.4.0 \
- crate://crates.io/der-oid-macro/0.2.0 \
- crate://crates.io/der-parser/3.0.4 \
- crate://crates.io/ipsec-parser/0.5.0 \
- crate://crates.io/x509-parser/0.6.5 \
- crate://crates.io/der-parser/4.1.0 \
- crate://crates.io/snmp-parser/0.6.0 \
- crate://crates.io/kerberos-parser/0.5.0 \
- crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \
- crate://crates.io/winapi/0.3.9 \
- crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
- crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
- crate://crates.io/log/0.4.0 \
- crate://crates.io/rand_hc/0.2.0 \
- crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \
- "
-
-# test case support
-SRC_URI += " \
- crate://crates.io/test-case/1.0.1 \
- crate://crates.io/proc-macro2/1.0.1 \
- crate://crates.io/quote/1.0.1 \
- crate://crates.io/syn/1.0.1 \
- crate://crates.io/unicode-xid/0.2.0 \
- "
-
-inherit autotools pkgconfig python3native systemd ptest cargo
-
-EXTRA_OECONF += " --disable-debug \
- --disable-gccmarch-native \
- --enable-non-bundled-htp \
- --disable-suricata-update \
- --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \
- "
-
-CARGO_SRC_DIR = "rust"
-
-B = "${S}"
-
-PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr "
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
-
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap"
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core"
-PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
-
-export logdir = "${localstatedir}/log"
-
-CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes"
-
-do_configure_prepend () {
- oe_runconf
-}
-
-do_compile () {
- # we do this to bypass the make provided by this pkg
- # patches Makefile to skip the subdir
- cargo_do_compile
-
- # Finish building
- cd ${S}
- make
-}
-
-do_install () {
- install -d ${D}${sysconfdir}/suricata
-
- oe_runmake install DESTDIR=${D}
-
- install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata
-
- install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
- install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
-
- install -d ${D}${systemd_unitdir}/system
- sed -e s:/etc:${sysconfdir}:g \
- -e s:/var/run:/run:g \
- -e s:/var:${localstatedir}:g \
- -e s:/usr/bin:${bindir}:g \
- -e s:/bin/kill:${base_bindir}/kill:g \
- -e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
- fi
-
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
-
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl
-}
-
-pkg_postinst_ontarget_${PN} () {
-if command -v systemd-tmpfiles >/dev/null; then
- systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
-elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
-}
-
-SYSTEMD_PACKAGES = "${PN}"
-
-PACKAGES =+ "${PN}-python"
-FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
-FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
diff --git a/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend b/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..6bafd9f
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,4 @@
+
+RDEPENDS:packagegroup-security-utils += "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+"
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
new file mode 100644
index 0000000..6880405
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
@@ -0,0 +1,318 @@
+Backport patch to fix interpreter of sss_analyze.
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001
+From: roy214 <abroy@redhat.com>
+Date: Tue, 25 Apr 2023 20:01:24 +0530
+Subject: [PATCH] sssctl: add error analyzer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Also removing unused variable and import.
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/tools/analyzer/Makefile.am | 2 +
+ src/tools/analyzer/modules/error.py | 61 +++++++++++++++++++++++++++
+ src/tools/analyzer/modules/request.py | 54 +++++-------------------
+ src/tools/analyzer/sss_analyze | 2 +-
+ src/tools/analyzer/sss_analyze.py | 3 ++
+ src/tools/analyzer/util.py | 44 +++++++++++++++++++
+ 6 files changed, 121 insertions(+), 45 deletions(-)
+ create mode 100644 src/tools/analyzer/modules/error.py
+ create mode 100644 src/tools/analyzer/util.py
+
+diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
+index b40043d043..7692af8528 100644
+--- a/src/tools/analyzer/Makefile.am
++++ b/src/tools/analyzer/Makefile.am
+@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \
+ source_reader.py \
+ parser.py \
+ sss_analyze.py \
++ util.py \
+ $(NULL)
+
+ modulesdir = $(pkgpythondir)/modules
+ dist_modules_DATA = \
+ modules/__init__.py \
+ modules/request.py \
++ modules/error.py \
+ $(NULL)
+diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py
+new file mode 100644
+index 0000000000..71173670c5
+--- /dev/null
++++ b/src/tools/analyzer/modules/error.py
+@@ -0,0 +1,61 @@
++from sssd import util
++from sssd.parser import SubparsersAction
++from sssd import sss_analyze
++
++class ErrorAnalyzer:
++ """
++ An error analyzer module, list if there is any error reported by sssd_be
++ """
++ module_parser = None
++ print_opts = []
++
++ def print_module_help(self, args):
++ """
++ Print the module parser help output
++
++ Args:
++ args (Namespace): argparse parsed arguments
++ """
++ self.module_parser.print_help()
++
++ def setup_args(self, parser_grp, cli):
++ """
++ Setup module parser, subcommands, and options
++
++ Args:
++ parser_grp (argparse.Action): Parser group to nest
++ module and subcommands under
++ """
++ desc = "Analyze error check module"
++ self.module_parser = parser_grp.add_parser('error',
++ description=desc,
++ help='Error checker')
++
++ subparser = self.module_parser.add_subparsers(title=None,
++ dest='subparser',
++ action=SubparsersAction,
++ metavar='COMMANDS')
++
++ subcmd_grp = subparser.add_parser_group('Operation Modes')
++ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend',
++ self.print_error, self.print_opts)
++
++ self.module_parser.set_defaults(func=self.print_module_help)
++
++ return self.module_parser
++
++ def print_error(self, args):
++ err = 0
++ utl = util.Utils()
++ source = utl.load(args)
++ component = source.Component.BE
++ source.set_component(component, False)
++ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG',
++ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline',
++ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed']
++ for line in utl.matched_line(source, patterns):
++ err +=1
++ print(line)
++ if err > 0:
++ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html")
++ return
+diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
+index d661dddb84..e4d5f060c7 100644
+--- a/src/tools/analyzer/modules/request.py
++++ b/src/tools/analyzer/modules/request.py
+@@ -1,6 +1,6 @@
+ import re
+ import logging
+-
++from sssd import util
+ from sssd.parser import SubparsersAction
+ from sssd.parser import Option
+
+@@ -38,7 +38,6 @@ def print_module_help(self, args):
+ def setup_args(self, parser_grp, cli):
+ """
+ Setup module parser, subcommands, and options
+-
+ Args:
+ parser_grp (argparse.Action): Parser group to nest
+ module and subcommands under
+@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli):
+
+ return self.module_parser
+
+- def load(self, args):
+- """
+- Load the appropriate source reader.
+-
+- Args:
+- args (Namespace): argparse parsed arguments
+-
+- Returns:
+- Instantiated source object
+- """
+- if args.source == "journald":
+- from sssd.source_journald import Journald
+- source = Journald()
+- else:
+- from sssd.source_files import Files
+- source = Files(args.logdir)
+- return source
+-
+- def matched_line(self, source, patterns):
+- """
+- Yield lines which match any number of patterns (OR) in
+- provided patterns list.
+-
+- Args:
+- source (Reader): source Reader object
+- Yields:
+- lines matching the provided pattern(s)
+- """
+- for line in source:
+- for pattern in patterns:
+- re_obj = re.compile(pattern)
+- if re_obj.search(line):
+- if line.startswith(' * '):
+- continue
+- yield line
+-
+ def get_linked_ids(self, source, pattern, regex):
+ """
+ Retrieve list of associated REQ_TRACE ids. Filter
+@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex):
+ Returns:
+ List of linked ids discovered
+ """
++ utl = util.Utils()
+ linked_ids = []
+- for match in self.matched_line(source, pattern):
++ for match in utl.matched_line(source, pattern):
+ id_re = re.compile(regex)
+ match = id_re.search(match)
+ if match:
+@@ -250,7 +214,8 @@ def list_requests(self, args):
+ Args:
+ args (Namespace): populated argparse namespace
+ """
+- source = self.load(args)
++ utl = util.Utils()
++ source = utl.load(args)
+ component = source.Component.NSS
+ resp = "nss"
+ # Log messages matching the following regex patterns contain
+@@ -266,7 +231,7 @@ def list_requests(self, args):
+ if args.verbose:
+ self.print_formatted_verbose(source)
+ else:
+- for line in self.matched_line(source, patterns):
++ for line in utl.matched_line(source, patterns):
+ if type(source).__name__ == 'Journald':
+ print(line)
+ else:
+@@ -279,7 +244,8 @@ def track_request(self, args):
+ Args:
+ args (Namespace): populated argparse namespace
+ """
+- source = self.load(args)
++ utl = util.Utils()
++ source = utl.load(args)
+ cid = args.cid
+ resp_results = False
+ be_results = False
+@@ -294,7 +260,7 @@ def track_request(self, args):
+ logger.info(f"******** Checking {resp} responder for Client ID"
+ f" {cid} *******")
+ source.set_component(component, args.child)
+- for match in self.matched_line(source, pattern):
++ for match in utl.matched_line(source, pattern):
+ resp_results = self.consume_line(match, source, args.merge)
+
+ logger.info(f"********* Checking Backend for Client ID {cid} ********")
+@@ -307,7 +273,7 @@ def track_request(self, args):
+ pattern.clear()
+ [pattern.append(f'\\{id}') for id in be_ids]
+
+- for match in self.matched_line(source, pattern):
++ for match in utl.matched_line(source, pattern):
+ be_results = self.consume_line(match, source, args.merge)
+
+ if args.merge:
+diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
+index 3f1beaf38b..6d4b5b30c6 100755
+--- a/src/tools/analyzer/sss_analyze
++++ b/src/tools/analyzer/sss_analyze
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+
+ from sssd import sss_analyze
+
+diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py
+index 18b998f380..dafc84fc03 100644
+--- a/src/tools/analyzer/sss_analyze.py
++++ b/src/tools/analyzer/sss_analyze.py
+@@ -1,6 +1,7 @@
+ import argparse
+
+ from sssd.modules import request
++from sssd.modules import error
+ from sssd.parser import SubparsersAction
+
+
+@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp):
+ """
+ # Currently only the 'request' module exists
+ req = request.RequestAnalyzer()
++ err = error.ErrorAnalyzer()
+ cli = Analyzer()
+
+ req.setup_args(parser_grp, cli)
++ err.setup_args(parser_grp, cli)
+
+ def setup_args(self):
+ """
+diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py
+new file mode 100644
+index 0000000000..2a8d153a71
+--- /dev/null
++++ b/src/tools/analyzer/util.py
+@@ -0,0 +1,44 @@
++import re
++import logging
++
++from sssd.source_files import Files
++from sssd.source_journald import Journald
++
++logger = logging.getLogger()
++
++
++class Utils:
++
++ def load(self, args):
++ """
++ Load the appropriate source reader.
++
++ Args:
++ args (Namespace): argparse parsed arguments
++
++ Returns:
++ Instantiated source object
++ """
++ if args.source == "journald":
++ source = Journald()
++ else:
++ source = Files(args.logdir)
++ return source
++
++ def matched_line(self, source, patterns):
++ """
++ Yield lines which match any number of patterns (OR) in
++ provided patterns list.
++
++ Args:
++ source (Reader): source Reader object
++ Yields:
++ lines matching the provided pattern(s)
++ """
++ for line in source:
++ for pattern in patterns:
++ re_obj = re.compile(pattern)
++ if re_obj.search(line):
++ if line.startswith(' * '):
++ continue
++ yield line
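Review bot: The first header line says this backport "fix[es] interpreter of sss_analyze", but only the one-line shebang hunk for sss_analyze does that; the bulk of the patch adds a new `error` analyzer module (modules/error.py, util.py, the Makefile.am additions and the request.py refactor onto util.Utils), so the header should state the full scope, e.g. `Backport upstream commit ed3726c (sssctl: add error analyzer); it also switches the sss_analyze interpreter to python3.` Worth knowing, though not something to change in a verbatim backport, is that util.py's `matched_line()` re-runs `re.compile(pattern)` for every input line and pattern, so the analyzer does more work than necessary on large logs. Keeping the patch byte-identical to upstream is the right call; the header is the only thing I would touch.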
diff --git a/recipes-security/sssd/files/drop_ntpdate_chk.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
index 338af5d..338af5d 100644
--- a/recipes-security/sssd/files/drop_ntpdate_chk.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
new file mode 100644
index 0000000..e350baf
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -0,0 +1,25 @@
+When calculate value of ldblibdir, it checks whether the directory of
+$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
+suitable for cross compile. Fix it that only re-assign ldblibdir when its value
+is empty.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/external/libldb.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
+index c400add..5e5f06d 100644
+--- a/src/external/libldb.m4
++++ b/src/external/libldb.m4
+@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+ ldblibdir=$with_ldb_lib_dir
+ else
+ ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+- if ! test -d $ldblibdir; then
++ if test -z $ldblibdir; then
+ ldblibdir="${libdir}/ldb"
+ fi
+ fi
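Review bot: `if test -z $ldblibdir; then` leaves the variable unquoted, so when `$PKG_CONFIG --variable=modulesdir ldb` prints nothing the shell runs `test -z` with no operand and only succeeds by accident (a one-argument `test` is true for any non-empty string), and a value containing whitespace would break the test outright. Quote it: `if test -z "$ldblibdir"; then`. The original `! test -d $ldblibdir` had the same quoting gap, so this replacement is the natural place to close it.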
diff --git a/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
index 9b481cc..419b83f 100644
--- a/recipes-security/sssd/files/fix_gid.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -12,10 +12,10 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: sssd-2.5.0/src/util/debug.h
+Index: sssd-2.7.1/src/util/debug.h
===================================================================
---- sssd-2.5.0.orig/src/util/debug.h
-+++ sssd-2.5.0/src/util/debug.h
+--- sssd-2.7.1.orig/src/util/debug.h
++++ sssd-2.7.1/src/util/debug.h
@@ -24,6 +24,8 @@
#include "config.h"
@@ -23,5 +23,5 @@ Index: sssd-2.5.0/src/util/debug.h
+#include <unistd.h>
+#include <sys/types.h>
#include <stdbool.h>
+ #include <sys/types.h>
- #include "util/util_errors.h"
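Review bot: The refreshed trailing context shows that sssd 2.7.1's debug.h already has `#include <sys/types.h>` directly after `<stdbool.h>`, so the `+#include <sys/types.h>` this patch still adds is now a duplicate include; the patch could be reduced to adding `<unistd.h>` alone. The `Index:` and `---`/`+++` lines name sssd-2.7.1 while the recipe this patch belongs to is sssd_2.9.2.bb, which is harmless to `patch` but misleading to whoever next refreshes it, so updating the version in the headers when the hunk is refreshed against 2.9.2 would be worthwhile.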
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
new file mode 100644
index 0000000..68f267c
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
@@ -0,0 +1,53 @@
+fix musl build failures
+
+Missing _PATH_HOSTS and some NETDB defines when musl is enabled.
+
+These are work arounds for now while we figure out where the real fix should reside (musl, gcompact, sssd):
+
+./sssd-2.5.1/src/providers/fail_over.c:1199:19: error: '_PATH_HOSTS' undeclared (first use in this function)
+| 1199 | _PATH_HOSTS);
+| | ^~~~~~~~~~~
+
+and
+
+i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function)
+| 415 | *h_errnop = NETDB_INTERNAL;
+
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: sssd-2.5.1/src/providers/fail_over.c
+===================================================================
+--- sssd-2.5.1.orig/src/providers/fail_over.c
++++ sssd-2.5.1/src/providers/fail_over.c
+@@ -31,6 +31,10 @@
+ #include <talloc.h>
+ #include <netdb.h>
+
++#if !defined(_PATH_HOSTS)
++#define _PATH_HOSTS "/etc/hosts"
++#endif
++
+ #include "util/dlinklist.h"
+ #include "util/refcount.h"
+ #include "util/util.h"
+Index: sssd-2.5.1/src/sss_client/sss_cli.h
+===================================================================
+--- sssd-2.5.1.orig/src/sss_client/sss_cli.h
++++ sssd-2.5.1/src/sss_client/sss_cli.h
+@@ -44,6 +44,14 @@ typedef int errno_t;
+ #define EOK 0
+ #endif
+
++#ifndef NETDB_INTERNAL
++# define NETDB_INTERNAL (-1)
++#endif
++
++#ifndef NETDB_SUCCESS
++# define NETDB_SUCCESS (0)
++#endif
++
+ #define SSS_NSS_PROTOCOL_VERSION 1
+ #define SSS_PAM_PROTOCOL_VERSION 3
+ #define SSS_SUDO_PROTOCOL_VERSION 1
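Review bot: The `Index:` and `---`/`+++` headers name sssd-2.5.1 while the recipe this patch is added to is sssd_2.9.2.bb; refreshing the headers and hunk offsets against 2.9.2 would make it evident that the workaround was re-verified against the version actually built. The fallback values match glibc's `<netdb.h>` (NETDB_INTERNAL is -1, NETDB_SUCCESS is 0) and the `#ifndef`/`#if !defined` guards keep glibc builds unchanged, so the change is safe as written. "gcompact" in the description presumably means the gcompat shim; worth correcting when the header is refreshed.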
diff --git a/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
index 5c83777..7d8e80b 100644
--- a/recipes-security/sssd/files/no_gen.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [OE Specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: sssd-2.5.0/Makefile.am
+Index: sssd-2.7.1/Makefile.am
===================================================================
---- sssd-2.5.0.orig/Makefile.am
-+++ sssd-2.5.0/Makefile.am
-@@ -1033,8 +1033,6 @@ generate-sbus-code:
+--- sssd-2.7.1.orig/Makefile.am
++++ sssd-2.7.1/Makefile.am
+@@ -1023,8 +1023,6 @@ generate-sbus-code:
.PHONY: generate-sbus-code
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
new file mode 100644
index 0000000..1e8b537
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -0,0 +1,15 @@
+[sssd]
+services = nss, pam
+domains = shadowutils
+
+[nss]
+
+[pam]
+
+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
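Review bot: The shipped config authenticates through `auth_provider = proxy` with `proxy_pam_target = sssd-shadowutils`, so a PAM stack named sssd-shadowutils must exist under the target's pam.d directory; nothing in the visible recipe hunks installs one, so please confirm that upstream's `make install` provides it, otherwise PAM authentication routed through sssd fails closed. A short comment at the top of the file would make that coupling visible, e.g. `# Local-files domain: identities from /etc/passwd, authentication delegated to the sssd-shadowutils PAM stack`. To my knowledge the `files` id_provider is deprecated upstream around the 2.9 series, so it is worth checking that the 2.9.2 build used here still enables it, since the EXTRA_OECONF lines visible in this commit do not request it explicitly.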
diff --git a/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
index 2a82413..2a82413 100644
--- a/recipes-security/sssd/files/volatiles.99_sssd
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
diff --git a/recipes-security/sssd/sssd_2.5.0.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
index 4c92519..d61471c 100644
--- a/recipes-security/sssd/sssd_2.5.0.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
@@ -2,27 +2,33 @@ SUMMARY = "system security services daemon"
DESCRIPTION = "SSSD is a system security services daemon"
HOMEPAGE = "https://pagure.io/SSSD/sssd/"
SECTION = "base"
-LICENSE = "GPLv3+"
+LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
+DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"
-DEPENDS_append_libc-musl = " musl-nscd"
+DEPENDS:append:libc-musl = " musl-nscd"
# If no crypto has been selected, default to DEPEND on nss, since that's what
# sssd will pick if no active choice is made during configure
DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
-SRC_URI = "https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz \
+SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://sssd.conf \
file://volatiles.99_sssd \
file://no_gen.patch \
file://fix_gid.patch \
file://drop_ntpdate_chk.patch \
+ file://fix-ldblibdir.patch \
+ file://musl_fixup.patch \
+ file://0001-sssctl-add-error-analyzer.patch \
"
-SRC_URI[sha256sum] = "afa62d7d8d23fca3aba093abe4ec0d14e7d9346c5b28ceb7c2c624bed98caa06"
+SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba"
+
+UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
inherit autotools pkgconfig gettext python3-dir features_check systemd
@@ -35,7 +41,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
"
-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG ?="nss autofs sudo infopipe"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
@@ -45,14 +51,14 @@ PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
-PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv,,python3-systemd"
EXTRA_OECONF += " \
--disable-cifs-idmap-plugin \
@@ -61,51 +67,67 @@ EXTRA_OECONF += " \
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--without-python2-bindings \
- --without-secrets \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
+ --with-pid-path=/run \
"
-do_configure_prepend() {
+do_configure:prepend() {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+ # additional_libdir defaults to /usr/lib so replace with staging_libdir globally
+ sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
}
-do_compile_prepend () {
+do_compile:prepend () {
+ sed -i -e "s/__useconds_t/useconds_t/g" ${S}/src/tools/tools_mc_util.c
echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
}
do_install () {
oe_runmake install DESTDIR="${D}"
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+
install -d ${D}/${sysconfdir}/${BPN}
+ install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+ mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR}
+
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
- install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ # /var/log/sssd needs to be created in runtime. Use rmdir to catch if
+ # upstream stops creating /var/log/sssd, or adds something else in
+ # /var/log.
+ rmdir ${D}${localstatedir}/log/${BPN} ${D}${localstatedir}/log
+ rmdir --ignore-fail-on-non-empty ${D}${localstatedir}
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
fi
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
+ fi
+
+ # Remove /run as it is created on startup
+ rm -rf ${D}/run
+# rm -fr ${D}/sssd
rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
}
-pkg_postinst_ontarget_${PN} () {
+pkg_postinst_ontarget:${PN} () {
if [ -e /etc/init.d/populate-volatile.sh ] ; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
-CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
+CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
INITSCRIPT_NAME = "sssd"
INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = " \
+SYSTEMD_SERVICE:${PN} = " \
${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
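Review bot: The sysvinit volatiles entry written in do_install, `echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none"`, does not follow the volatiles format `<type> <owner> <group> <mode> <path> <linksource>` (the format shown in the deleted volatiles.03_suricata above): owner and group are fused into one colon-separated field, so populate-volatile.sh will read `0755` as the group and the path as the mode and the log directory will not be created as intended. It should be `echo "d ${SSSD_UID} ${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none"`. The systemd tmpfiles line in the same function creates the directory as root with mode 0750 while this sysvinit path gives it to the sssd user with 0755; the two init paths should agree on owner and mode. The commented-out `# rm -fr ${D}/sssd` line just below is dead code and should be dropped.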
@@ -120,10 +142,18 @@ SYSTEMD_SERVICE_${PN} = " \
"
SYSTEMD_AUTO_ENABLE = "disable"
-FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so"
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+PACKAGES =+ "libsss-sudo"
+ALLOW_EMPTY:libsss-sudo = "1"
+
+FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
+ ${nonarch_libdir}/tmpfiles.d \
+ ${datadir}/dbus-1/system.d/*.conf \
+ ${datadir}/dbus-1/system-services/*.service \
+ ${libdir}/krb5/* \
+ ${libdir}/ldb/* \
+ ${PYTHON_SITEPACKAGES_DIR}/sssd \
+ "
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
+FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
-RDEPENDS_${PN} = "bind bind-utils dbus libldb libpam"
+RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"
diff --git a/kas/kas-security-alt.yml b/kas/kas-security-alt.yml
index 1514524..3ee9808 100644
--- a/kas/kas-security-alt.yml
+++ b/kas/kas-security-alt.yml
@@ -5,4 +5,4 @@ header:
local_conf_header:
alt: |
- DISTRO_FEATURES_append = " systemd"
+ DISTRO_FEATURES:append = " systemd"
diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
index c6cc4fc..fa7915c 100644
--- a/kas/kas-security-base.yml
+++ b/kas/kas-security-base.yml
@@ -1,5 +1,5 @@
header:
- version: 8
+ version: 9
distro: poky
@@ -9,7 +9,6 @@ repos:
../meta-security:
meta-tpm:
meta-integrity:
- meta-security-compliance:
meta-hardening:
poky:
@@ -32,15 +31,11 @@ repos:
local_conf_header:
base: |
- CONF_VERSION = "1"
+ CONF_VERSION = "2"
SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
- SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
- BB_HASHSERVE = "auto"
- BB_SIGNATURE_HANDLER = "OEEquivHash"
INHERIT += "buildstats buildstats-summary buildhistory"
INHERIT += "report-error"
- INHERIT += "testimage"
- INHERIT += "rm_work"
+ IMAGE_CLASSES += "testimage"
BB_NUMBER_THREADS="24"
BB_NUMBER_PARSE_THREADS="12"
BB_TASK_NICE_LEVEL = '5'
@@ -51,8 +46,8 @@ local_conf_header:
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
PACKAGE_CLASSES = "package_ipk"
- DISTRO_FEATURES_append = " pam apparmor smack ima"
- MACHINE_FEATURES_append = " tpm tpm2"
+ DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2"
+ MACHINE_FEATURES:append = " tpm tpm2"
diskmon: |
BB_DISKMON_DIRS = "\
@@ -60,14 +55,13 @@ local_conf_header:
STOPTASKS,${DL_DIR},1G,100K \
STOPTASKS,${SSTATE_DIR},1G,100K \
STOPTASKS,/tmp,100M,100K \
- ABORT,${TMPDIR},100M,1K \
- ABORT,${DL_DIR},100M,1K \
- ABORT,${SSTATE_DIR},100M,1K \
- ABORT,/tmp,10M,1K"
+ HALT,${TMPDIR},100M,1K \
+ HALT,${DL_DIR},100M,1K \
+ HALT,${SSTATE_DIR},100M,1K \
+ HALT,/tmp,10M,1K"
bblayers_conf_header:
base: |
- POKY_BBLAYERS_CONF_VERSION = "2"
BBPATH = "${TOPDIR}"
BBFILES ?= ""
diff --git a/kas/kas-security-dm.yml b/kas/kas-security-dm.yml
index 7ce0e9d..c03b336 100644
--- a/kas/kas-security-dm.yml
+++ b/kas/kas-security-dm.yml
@@ -5,6 +5,7 @@ header:
local_conf_header:
dm-verify: |
+ DISTRO_FEATURES:append = " integrity"
DM_VERITY_IMAGE = "core-image-minimal"
DM_VERITY_IMAGE_TYPE = "ext4"
IMAGE_CLASSES += "dm-verity-img"
diff --git a/kas/kas-security-parsec.yml b/kas/kas-security-parsec.yml
index 6152f0c..9a009be 100644
--- a/kas/kas-security-parsec.yml
+++ b/kas/kas-security-parsec.yml
@@ -8,14 +8,10 @@ repos:
layers:
meta-parsec:
- meta-rust:
- url: https://github.com/meta-rust/meta-rust.git
- refspec: master
-
meta-clang:
url: https://github.com/kraj/meta-clang.git
refspec: master
local_conf_header:
meta-parsec: |
- IMAGE_INSTALL_append = " parsec-service parsec-tool"
+ IMAGE_INSTALL:append = " parsec-service parsec-tool"
diff --git a/kas/qemuarm64-multi.yml b/kas/qemuarm64-multi.yml
deleted file mode 100644
index d79142c..0000000
--- a/kas/qemuarm64-multi.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- multi: |
- require conf/multilib.conf
- MULTILIBS = "multilib:lib32"
- DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon"
-
-machine: qemuarm64
diff --git a/kas/qemumips64-multi.yml b/kas/qemumips64-multi.yml
index c8cf94b..6ef8b39 100644
--- a/kas/qemumips64-multi.yml
+++ b/kas/qemumips64-multi.yml
@@ -8,7 +8,7 @@ local_conf_header:
require conf/multilib.conf
MULTILIBS = "multilib:lib64 multilib:lib32"
DEFAULTTUNE = "mips64-n32"
- DEFAULTTUNE_virtclass-multilib-lib64 = "mips64"
- DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2"
+ DEFAULTTUNE:virtclass-multilib-lib64 = "mips64"
+ DEFAULTTUNE:virtclass-multilib-lib32 = "mips32r2"
machine: qemumips64
diff --git a/kas/qemuppc-parsec.yml b/kas/qemuppc-parsec.yml
deleted file mode 100644
index 1176d13..0000000
--- a/kas/qemuppc-parsec.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-parsec.yml
-
-machine: qemuppc
diff --git a/kas/qemuppc.yml b/kas/qemuppc.yml
deleted file mode 100644
index 3dad81c..0000000
--- a/kas/qemuppc.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-machine: qemuppc
diff --git a/kas/qemux86-64-multi.yml b/kas/qemux86-64-multi.yml
deleted file mode 100644
index 711ce28..0000000
--- a/kas/qemux86-64-multi.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- multi: |
- require conf/multilib.conf
- MULTILIBS = "multilib:lib32"
- DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
-
-machine: qemux86-64
diff --git a/kas/qemux86-comp.yml b/kas/qemux86-comp.yml
deleted file mode 100644
index 14c5dca..0000000
--- a/kas/qemux86-comp.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-compliance: |
- IMAGE_INSTALL_append = " lynis"
- IMAGE_INSTALL_append = " openscap openscap-daemon scap-security-guide"
-
-machine: qemux86
diff --git a/lib/oeqa/runtime/cases/aide.py b/lib/oeqa/runtime/cases/aide.py
new file mode 100644
index 0000000..4c7633c
--- /dev/null
+++ b/lib/oeqa/runtime/cases/aide.py
@@ -0,0 +1,26 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class AideTest(OERuntimeTestCase):
+
+ @OEHasPackage(['aide'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_aide_help(self):
+ status, output = self.target.run('aide --help')
+ msg = ('Aide help command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['aide.AideTest.test_aide_help'])
+ def test_aide_dbinit(self):
+ status, output = self.target.run('aide --init')
+ match = re.search('Number of entries:', output)
+ if not match:
+ msg = ('Aide db init failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
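Review bot: `msg` is only assigned inside the `if not match:` branch of test_aide_dbinit, so the `self.assertEqual(status, 0, msg = msg)` on the last line raises UnboundLocalError on the success path (when 'Number of entries:' is found), and the regex result itself is never asserted. Assign the message unconditionally and check both: `msg = ('Aide db init failed: output is:\n%s' % output)` / `self.assertEqual(status, 0, msg = msg)` / `self.assertTrue(match, msg = msg)`. The mirror-image problem is in the sssd.py hunk (test_sssd_sssctl_deamon), where `msg` is set only when the fatal-error string matches and is unbound on the success path.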
diff --git a/lib/oeqa/runtime/cases/checksec.py b/lib/oeqa/runtime/cases/checksec.py
index e46744c..53e6c1d 100644
--- a/lib/oeqa/runtime/cases/checksec.py
+++ b/lib/oeqa/runtime/cases/checksec.py
@@ -19,7 +19,7 @@ class CheckSecTest(OERuntimeTestCase):
@OETestDepends(['checksec.CheckSecTest.test_checksec_help'])
def test_checksec_xml(self):
- status, output = self.target.run('checksec --format xml --proc-all')
+ status, output = self.target.run('checksec --format=xml --proc=1')
msg = ('checksec xml failed. Output: %s' % output)
self.assertEqual(status, 0, msg = msg)
diff --git a/lib/oeqa/runtime/cases/clamav.py b/lib/oeqa/runtime/cases/clamav.py
index cf83937..e0cad8f 100644
--- a/lib/oeqa/runtime/cases/clamav.py
+++ b/lib/oeqa/runtime/cases/clamav.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
#
import re
from tempfile import mkstemp
@@ -48,21 +48,8 @@ class ClamavTest(OERuntimeTestCase):
self.assertEqual(status, 0, msg = msg)
@OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
- def test_freshclam_check_mirrors(self):
- status, output = self.target.run('freshclam --list-mirrors')
- match = re.search('Failures: 0', output)
- if not match:
- msg = ('freshclam --list-mirrors: failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
- @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors'])
def test_freshclam_download(self):
status, output = self.target.run('freshclam --show-progress')
- match = re.search('Database updated', output)
- #match = re.search('main.cvd is up to date', output)
- if not match:
- msg = ('freshclam : DB dowbload failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
+ msg = ('freshclam : DB dowbload failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
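Review bot: The new `msg = (...)` line keeps the typo `dowbload`; since the message is now built on every run, change it to `'freshclam : DB download failed. '`. The rewrite also drops the only content check (`Database updated`), so the test now passes whenever freshclam exits 0 regardless of whether a database was fetched — if the exit status is the intended contract, say so in a one-line comment, otherwise keep an `assertIn` on the output. If no other use of `re` remains in the file, the import at the top is now dead.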
diff --git a/lib/oeqa/runtime/cases/firejail.py b/lib/oeqa/runtime/cases/firejail.py
new file mode 100644
index 0000000..88a8dda
--- /dev/null
+++ b/lib/oeqa/runtime/cases/firejail.py
@@ -0,0 +1,18 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+class FirejailTest(OERuntimeTestCase):
+
+ @OEHasPackage(['firejail'])
+ @OEHasPackage(['libseccomp'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_firejail_basic(self):
+ status, output = self.target.run('firejail --help')
+ msg = ('Firejail --help command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
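Review bot: `import re` in the new file is unused; drop it. The test also declares `@OEHasPackage(['libseccomp'])` but only runs `firejail --help`, so nothing exercised depends on that package — either remove the decorator or add a comment stating why it is required.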
diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py
index 35e87ef..6b87574 100644
--- a/lib/oeqa/runtime/cases/smack.py
+++ b/lib/oeqa/runtime/cases/smack.py
@@ -15,22 +15,19 @@ class SmackBasicTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
- cls.smack_path = ""
cls.current_label = ""
cls.uid = 1000
+ status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ cls.smack_path = output
@skipIfNotFeature('smack',
'Test requires smack to be in DISTRO_FEATURES')
@OEHasPackage(['smack-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_smack_basic(self):
- status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
- self.smack_path = output
status,output = self.target.run("cat /proc/self/attr/current")
self.current_label = output.strip()
-class SmackAccessLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_access_label(self):
''' Test if chsmack can correctly set a SMACK label '''
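Review bot: setUpClass ignores `status` and stores the raw grep/awk output as `cls.smack_path`; when smackfs is not mounted `output` is empty and every later `'%s/load' % self.smack_path` write goes to `/load` instead of failing clearly. Since the `skipIfNotFeature('smack')` guard now covers only test_smack_basic, setUpClass runs on images without smack at all. Strip and validate the path, e.g. `cls.smack_path = output.strip()` followed by `if status != 0 or not cls.smack_path: raise unittest.SkipTest('smackfs not mounted')` (assuming unittest is still imported in this file).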
@@ -43,19 +40,17 @@ class SmackAccessLabel(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=access=")\S+(?=")', output)
+ m = re.search('(access=")\S+(?=")', output)
if m is None:
self.fail("Did not find access attribute")
else:
- label_retrieved = m .group(0)
+ label_retrieved = re.split("access=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: "
"%s %s" %(LABEL,label_retrieved))
-class SmackExecLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_exec_label(self):
'''Test if chsmack can correctly set a SMACK Exec label'''
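Review bot: `label_retrieved = re.split("access=\"", output)[1][:-1]` discards the match object computed just above it and assumes the closing quote is the last character of `output`; if chsmack prints anything after the attribute (another attribute, or a trailing newline the transport did not strip) the label is wrong. The original fixed-width lookbehind was valid Python, but a capture group is the plainest form: `m = re.search(r'access="(\S+)"', output)` / `label_retrieved = m.group(1)` (the raw string also avoids the invalid-escape warning on `\S`). The same rewrite applies to the execute, mmap and transmute hunks that follow.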
@@ -68,19 +63,17 @@ class SmackExecLabel(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m= re.search('(?<=execute=")\S+(?=")', output)
+ m= re.search('(execute=")\S+(?=")', output)
if m is None:
self.fail("Did not find execute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("execute=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
"%s %s" %(LABEL,label_retrieved))
-class SmackMmapLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_mmap_label(self):
'''Test if chsmack can correctly set a SMACK mmap label'''
@@ -93,19 +86,17 @@ class SmackMmapLabel(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=mmap=")\S+(?=")', output)
+ m = re.search('(mmap=")\S+(?=")', output)
if m is None:
self.fail("Did not find mmap attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("mmap=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
"%s %s" %(LABEL,label_retrieved))
-class SmackTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_transmutable(self):
'''Test if chsmack can correctly set a SMACK transmutable mode'''
@@ -117,19 +108,17 @@ class SmackTransmutable(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %directory)
self.target.run("rmdir %s" %directory)
- m = re.search('(?<=transmute=")\S+(?=")', output)
+ m = re.search('(transmute=")\S+(?=")', output)
if m is None:
self.fail("Did not find transmute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("transmute=\"", output)[1][:-1]
self.assertEqual(
"TRUE", label_retrieved,
"label not set correctly. expected and gotten: " +
"%s %s" %(LABEL,label_retrieved))
-class SmackChangeSelfLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_privileged_change_self_label(self):
'''Test if privileged process (with CAP_MAC_ADMIN privilege)
@@ -137,16 +126,14 @@ class SmackChangeSelfLabelPrivilege(SmackBasicTest):
'''
labelf = "/proc/self/attr/current"
- command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+ command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
status, output = self.target.run(
- "notroot.py 0 %s %s" %(self.current_label, command))
+ "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
self.assertIn("PRIVILEGED", output,
"Privilege process did not change label.Output: %s" %output)
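Review bot: Changing the command to `/bin/sh -c 'echo PRIVILEGED >%s'; cat %s` moves `cat` outside the single-quoted `sh -c` string, so after the shell on the target splits on `;` the relabel happens in the child started by notroot.py while `cat` runs afterwards in the caller's shell and reads that shell's label, not the relabelled process's (inferred from the quoting; confirm against notroot.py's argument handling). If the intent is to read back the label of the process that wrote it, keep both commands inside the quoted string as before; if the outer shell really is the relabelled process here, add a comment explaining why.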
-class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_self_label(self):
'''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
@@ -154,7 +141,7 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
status, output = self.target.run(
- "notroot.py %d %s %s"
+ "/usr/sbin/notroot.py %d %s %s"
%(self.uid, self.current_label, command) +
" 2>&1 | grep 'Operation not permitted'" )
@@ -163,8 +150,6 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
"Unprivileged process should not be able to change its label")
-class SmackChangeFileLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_file_label(self):
'''Test if unprivileged process cannot change file labels'''
@@ -174,17 +159,15 @@ class SmackChangeFileLabelPrivilege(SmackBasicTest):
filename = "/tmp/test_unprivileged_change_file_label"
self.target.run("touch %s" % filename)
- self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
status, output = self.target.run(
- "notroot.py " +
+ "/usr/sbin/notroot.py " +
"%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
"| grep 'Operation not permitted'" )
self.target.run("rm %s" % filename)
self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)
-class SmackLoadRule(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_load_smack_rule(self):
'''Test if new smack access rules can be loaded'''
@@ -211,8 +194,6 @@ class SmackLoadRule(SmackBasicTest):
self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
-class SmackOnlycap(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_onlycap(self):
'''Test if smack onlycap label can be set
@@ -223,7 +204,6 @@ class SmackOnlycap(SmackBasicTest):
status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
self.assertEqual(status, 0, output)
-class SmackNetlabel(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_netlabel(self):
@@ -246,7 +226,6 @@ class SmackNetlabel(SmackBasicTest):
test_label, output,
"Did not find expected label in output: %s" %output)
-class SmackCipso(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_cipso(self):
@@ -287,7 +266,6 @@ class SmackCipso(SmackBasicTest):
self.assertEqual(status, 0, "Cipso rule C was not set")
self.assertIn("/17,33", output, "Rule C was not set correctly")
-class SmackDirect(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_direct(self):
@@ -308,8 +286,6 @@ class SmackDirect(SmackBasicTest):
"Smack direct label does not match.")
-class SmackAmbient(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_ambient(self):
test_ambient = "test_ambient"
@@ -330,8 +306,6 @@ class SmackAmbient(SmackBasicTest):
"Ambient label does not match")
-class SmackloadBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackload(self):
'''Test if smackload command works'''
@@ -345,8 +319,6 @@ class SmackloadBinary(SmackBasicTest):
self.assertEqual(status, 0, "Smackload rule was loaded correctly")
-class SmackcipsoBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackcipso(self):
'''Test if smackcipso command works'''
@@ -362,8 +334,6 @@ class SmackcipsoBinary(SmackBasicTest):
self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)
-class SmackEnforceFileAccess(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_enforce_file_access(self):
'''Test if smack file access is enforced (rwx)
@@ -375,82 +345,6 @@ class SmackEnforceFileAccess(SmackBasicTest):
self.assertEqual(status, 0, output)
-class SmackEnforceMmap(SmackBasicTest):
-
- @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
- def test_smack_mmap_enforced(self):
- '''Test if smack mmap access is enforced'''
- raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
- # 12345678901234567890123456789012345678901234567890123456
- delr1="mmap_label mmap_test_label1 -----"
- delr2="mmap_label mmap_test_label2 -----"
- delr3="mmap_file_label mmap_test_label1 -----"
- delr4="mmap_file_label mmap_test_label2 -----"
-
- RuleA="mmap_label mmap_test_label1 rw---"
- RuleB="mmap_label mmap_test_label2 r--at"
- RuleC="mmap_file_label mmap_test_label1 rw---"
- RuleD="mmap_file_label mmap_test_label2 rwxat"
-
- mmap_label="mmap_label"
- file_label="mmap_file_label"
- test_file = "/usr/sbin/smack_test_mmap"
- mmap_exe = "/tmp/mmap_test"
- status, echo = self.target.run("which echo")
- status, output = self.target.run(
- "notroot.py %d %s %s 'test' > %s" \
- %(self.uid, self.current_label, echo, test_file))
- status, output = self.target.run("ls %s" %test_file)
- self.assertEqual(status, 0, "Could not create mmap test file")
- self.target.run("chsmack -m %s %s" %(file_label, test_file))
- self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
- # test with no rules with mmap label or exec label as subject
- # access should be granted
- self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access without rules. Output: %s" %output)
-
- # add rules that do not match access required
- self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with unmatching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with unmatching rules")
-
- # add rule to match only partially (one way)
- self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with partial matching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with partial matching rules")
-
- # add rule to match fully
- self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access with full matching rules." +
- "Output: %s" %output)
-
-
-class SmackEnforceTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_transmute_dir(self):
'''Test if smack transmute attribute works
@@ -473,8 +367,6 @@ class SmackEnforceTransmutable(SmackBasicTest):
"Did not get expected label. Output: %s" % output)
-class SmackTcpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_tcp_sockets(self):
'''Test if smack is enforced on tcp sockets
@@ -485,8 +377,6 @@ class SmackTcpSockets(SmackBasicTest):
self.assertEqual(status, 0, output)
-class SmackUdpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_udp_sockets(self):
'''Test if smack is enforced on udp sockets
@@ -497,8 +387,6 @@ class SmackUdpSockets(SmackBasicTest):
self.assertEqual(status, 0, output)
-class SmackFileLabels(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_labels(self):
'''Check for correct Smack labels.'''
diff --git a/lib/oeqa/runtime/cases/sssd.py b/lib/oeqa/runtime/cases/sssd.py
index 4644836..1dfdb94 100644
--- a/lib/oeqa/runtime/cases/sssd.py
+++ b/lib/oeqa/runtime/cases/sssd.py
@@ -28,10 +28,10 @@ class SSSDTest(OERuntimeTestCase):
@OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
def test_sssd_sssctl_deamon(self):
- status, output = self.target.run('sssctl domain-status')
+ status, output = self.target.run('sssctl domain-list')
match = re.search('No domains configured, fatal error!', output)
if match:
- msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+ msg = ('sssctl domain-list failed, sssd.conf not setup correctly. '
'Status and output:%s and %s' % (status, output))
self.assertEqual(status, 0, msg = msg)
diff --git a/meta-hardening/README b/meta-hardening/README.md
index 37a0b7e..191253c 100644
--- a/meta-hardening/README
+++ b/meta-hardening/README.md
@@ -64,14 +64,14 @@ layers: meta-oe
Maintenance
-----------
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-hardening][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-hardening][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf
index 66db9b7..1a5eb3d 100644
--- a/meta-hardening/conf/distro/harden.conf
+++ b/meta-hardening/conf/distro/harden.conf
@@ -6,6 +6,6 @@ DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
IMAGE_ROOTFS_EXTRA_SPACE = "524288"
-EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+EXTRA_IMAGE_FEATURES:remove = "debug-tweaks"
DISABLE_ROOT ?= "True"
diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
index 085ea45..8da050b 100644
--- a/meta-hardening/conf/layer.conf
+++ b/meta-hardening/conf/layer.conf
@@ -6,8 +6,10 @@ BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
BBFILE_COLLECTIONS += "harden-layer"
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_harden-layer = "10"
+BBFILE_PRIORITY_harden-layer = "6"
-LAYERSERIES_COMPAT_harden-layer = "hardknott"
+LAYERSERIES_COMPAT_harden-layer = "nanbield scarthgap"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
+
+WARN_QA:append:harden-layer = " patch-status missing-metadata"
diff --git a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
index 67be3f3..e192d3d 100644
--- a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
+++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -1,4 +1,4 @@
-do_install_append_harden () {
+do_install:append:harden () {
# to hardend
sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
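Review bot: The `sed -i` substitutions in do_install:append:harden apply silently — if the stock sshd_config no longer contains the exact `#AllowTcpForwarding yes` or `ClientAliveCountMax 4` text, the hardening is skipped with no error and the image still builds. Verify the result, e.g. `grep -q '^AllowTcpForwarding no' ${D}${sysconfdir}/ssh/sshd_config || bbfatal "sshd hardening not applied"`. The function body continues past the hunk. The same unchecked-sed pattern is in the base-files (`umask`), shadow (`UMASK`, `PASS_MAX_DAYS`) and sudo (`root ALL=(ALL) ALL`) hunks.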
diff --git a/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
index 3956304..4710b49 100644
--- a/meta-hardening/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -1,4 +1,4 @@
-do_install_append_harden () {
+do_install:append:harden () {
sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
}
diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb
index daed3fb..38771cd 100644
--- a/meta-hardening/recipes-core/images/harden-image-minimal.bb
+++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -1,7 +1,7 @@
SUMMARY = "A small image for an example hardening OE."
IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
-IMAGE_INSTALL_append = " os-release"
+IMAGE_INSTALL:append = " os-release"
IMAGE_FEATURES = ""
IMAGE_LINGUAS = " "
@@ -10,7 +10,8 @@ LICENSE = "MIT"
IMAGE_ROOTFS_SIZE ?= "8192"
-inherit core-image extrausers
+inherit core-image
+IMAGE_CLASSES:append = " extrausers"
ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
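Review bot: `IMAGE_CLASSES:append = " extrausers"` is placed after `inherit core-image`; whether it takes effect depends on image.bbclass pulling IMAGE_CLASSES in with a deferred inherit rather than a plain `inherit` evaluated at that point of parsing — confirm on the oldest release in the new LAYERSERIES_COMPAT. If extrausers is not inherited, the EXTRA_USERS_PARAMS settings below (including the `usermod -L root` lock driven by DISABLE_ROOT) are silently ignored and the image ships with an unlocked root account. Either keep the former `inherit core-image extrausers` or add a comment stating why the IMAGE_CLASSES route is relied on.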
@@ -19,7 +20,7 @@ DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
-EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};"
-EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};"
-EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
-EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
index f943cb3..92e364c 100644
--- a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
+++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -1,8 +1,8 @@
-FILESEXTRAPATHS_prepend_harden := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend:harden := "${THISDIR}/files:"
-SRC_URI_append_harden = " file://mountall.sh"
+SRC_URI:append:harden = " file://mountall.sh"
-do_install_append_harden() {
+do_install:append:harden() {
install -d ${D}${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
}
diff --git a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
index 1dcd5fc..51676b2 100644
--- a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
+++ b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -11,7 +11,7 @@ PACKAGES = "${PN} \
packagegroup-${PN} \
"
-RDEPENDS_${PN} = "\
+RDEPENDS:${PN} = "\
init-ifupdown \
${VIRTUAL-RUNTIME_base-utils-syslog} \
sudo \
diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
index 3f363f0..793a075 100644
--- a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
+++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -1,4 +1,4 @@
-do_install_append_harden () {
+do_install:append:harden () {
# to hardend
sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
index a31c081..2860e8a 100644
--- a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
+++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -1,6 +1,6 @@
-PACKAGECONFIG_append_harden = " pam-wheel"
-do_install_append_harden () {
+PACKAGECONFIG:append:harden = " pam-wheel"
+do_install:append:harden () {
if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
fi
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 8254b0d..2f30e78 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -6,7 +6,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need
to have 'integrity' in DISTRO_FEATURES to have effect.
To enable them, add in configuration file the following line.
- DISTRO_FEATURES_append = " integrity"
+ DISTRO_FEATURES:append = " integrity"
If meta-integrity is included, but integrity is not enabled as a
distro feature a warning is printed at parse time:
@@ -76,7 +76,7 @@ other layers needed. e.g.:
It has some dependencies on a suitable BSP; in particular the kernel
must have a recent enough IMA/EVM subsystem. The layer was tested with
-Linux 3.19 and uses some features (like loading X509 certificates
+Linux 6.1 and uses some features (like loading X509 certificates
directly from the kernel) which were added in that release. Your
mileage may vary with older kernels.
@@ -89,10 +89,17 @@ Adding the layer only enables IMA (see below regarding EVM) during
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
+ DISTRO_FEATURES:append = " integrity ima"
+
IMAGE_CLASSES += "ima-evm-rootfs"
+
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
+ IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+
+ # The following policy enforces IMA & EVM signatures
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
@@ -113,10 +120,7 @@ for that are included in the layer. This is also how the
cd $IMA_EVM_KEY_DIR
# In that shell, create the keys. Several options exist:
- # 1. Self-signed keys.
- $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
-
- # 2. Keys signed by a new CA.
+ # 1. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
# Signing images then will not require entering that passphrase,
# only creating new certificates does. Most likely the default
@@ -125,13 +129,11 @@ for that are included in the layer. This is also how the
# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
- # 3. Keys signed by an existing CA.
+ # 2. Keys signed by an existing CA.
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
-When using ``ima-self-signed.sh`` as described above, self-signed keys
-are created. Alternatively, one can also use keys signed by a CA. The
-``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
supports adding tha CA's public key to the kernel's system keyring by
compiling it directly into the kernel. Because it is unknown whether
@@ -187,7 +189,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
- IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
@@ -217,12 +219,16 @@ executing the file is no longer allowed:
-sh: /usr/bin/rpm: Permission denied
Enabling the audit kernel subsystem may help to debug appraisal
-issues. Enable it by adding the meta-security-framework layer and
+issues. Enable it by adding a kernel configuration fragment and
changing your local.conf:
- SRC_URI_append_pn-linux-yocto = " file://audit.cfg"
+ SRC_URI:append:pn-linux-yocto = " file://audit.cfg"
CORE_IMAGE_EXTRA_INSTALL += "auditd"
-Then boot with "ima_appraise=log ima_appraise_tcb".
+Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1".
+For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND
+in your local.conf:
+ QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix"
+ QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1"
Adding auditd is not strictly necessary but helps to capture a
more complete set of events in /var/log/audit/ and search in
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 0acd6e7..7b73373 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
# with a .x509 suffix. See linux-%.bbappend for details.
#
# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= ""
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
# Sign all regular files by default.
IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
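Review bot: The comment directly above the new default is now stale: it still says `ima-local-ca.x509 is what ima-gen-local-ca.sh creates` and points readers at `linux-%.bbappend`, while the default now names `ima-local-ca.pem` and this same commit deletes `linux-%.bbappend` in favour of `linux-yocto%.bbappend` and `linux_ima.inc`. Suggested wording: `# ima-local-ca.pem is the CA certificate (presumably what ima-gen-local-ca.sh now produces); linux_ima.inc compiles it into the kernel via CONFIG_SYSTEM_TRUSTED_KEYS.` Because this value is the CA the kernel will trust for IMA signatures, it is worth one more line here stating that the default is only meaningful once `IMA_EVM_KEY_DIR` points at a privately generated key directory; if it resolves to the shipped debug-keys directory, whose CA private key is committed in this commit with a documented password, a build that never overrides it trusts a CA anyone can sign with.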
@@ -29,7 +29,10 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
IMA_EVM_ROOTFS_IVERSION ?= ""
# Avoid re-generating fstab when ima is enabled.
-WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
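Review bot: The comment `# Add necessary tools (e.g., keyctl) to image` names keyctl, but the package actually appended is `ima-evm-utils`; keyctl ships with keyutils, which this layer's conf describes as a dependency of ima-evm-utils, so the tool arrives only indirectly. `# Install evmctl (ima-evm-utils; pulls in keyutils for keyctl) whenever the ima distro feature is enabled` describes what the line does. A short note on whether every image inheriting this class should carry the signing tools, or only images that need on-target key loading, would also help, since the append is unconditional apart from the distro feature.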
@@ -59,17 +62,44 @@ ima_evm_sign_rootfs () {
perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
fi
- # Sign file with private IMA key. EVM not supported at the moment.
- bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
- find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
- bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
- find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+ # Detect 32bit target to pass --m32 to evmctl by looking at libc
+ tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')"
+ if [ "${tmp}" = "ELF 32-bit" ]; then
+ evmctl_param="--m32"
+ elif [ "${tmp}" = "ELF 64-bit" ]; then
+ evmctl_param=""
+ else
+ bberror "Unknown target architecture bitness: '${tmp}'" >&2
+ exit 1
+ fi
+
+ bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+
+ # check signing key and signature verification key
+ evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+ evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
# Optionally install custom policy for loading by systemd.
- if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+ if [ "${IMA_EVM_POLICY}" ]; then
install -d ./${sysconfdir}/ima
rm -f ./${sysconfdir}/ima/ima-policy
- install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+
+ bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
+ fi
+
+ # Optionally write the file names and ima and evm signatures into files
+ if [ "${IMA_FILE_SIGNATURES_FILE}" ]; then
+ getfattr -R -m security.ima --e hex --dump ./ 2>/dev/null | \
+ sed -n -e 's|# file: |/|p' -e 's|security.ima=|ima:|p' | \
+ sed '$!N;s/\n/ /' > ./${IMA_FILE_SIGNATURES_FILE}
+ fi
+ if [ "${EVM_FILE_SIGNATURES_FILE}" ]; then
+ getfattr -R -m security.evm --e hex --dump ./ 2>/dev/null | \
+ sed -n -e 's|# file: |/|p' -e 's|security.evm=|evm:|p' | \
+ sed '$!N;s/\n/ /' > ./${EVM_FILE_SIGNATURES_FILE}
fi
}
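Review bot: The bitness probe and both verification checks hard-code `${IMAGE_ROOTFS}/lib/libc.so.6`; on a usrmerge image, a lib64/multilib layout or a musl rootfs that path does not exist, so the probe yields nothing and the build aborts (in the `Unknown target architecture bitness` branch, or earlier under set -e) even though the rootfs is fine. `${SITEINFO_BITS}` (if siteinfo is inherited) is the usual source for deciding on `--m32`, and the file to verify should be derived from `${base_libdir}`/`${libdir}` rather than a literal `lib/`. With `evmctl sign -r "${IMAGE_ROOTFS}"` the `IMA_EVM_ROOTFS_SIGNED` and `IMA_EVM_ROOTFS_HASHED` find expressions still declared at the top of this class are no longer read anywhere, so either remove them or document that they are now ignored. Two smaller points: the policy is installed under `./${sysconfdir}/ima` but signed at the literal `${IMAGE_ROOTFS}/etc/ima/ima-policy`, and `bberror ... >&2` is redundant because bberror already writes to stderr. The `getfattr ... 2>/dev/null` pipelines will silently produce an empty signature list if getfattr is missing or fails, so drop the redirect or check the pipeline status before trusting the output file.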
diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass
index 09025ba..d3aa7fb 100644
--- a/meta-integrity/classes/kernel-modsign.bbclass
+++ b/meta-integrity/classes/kernel-modsign.bbclass
@@ -2,7 +2,7 @@
# set explicitly in a local.conf before activating kernel-modsign.
# To use the insecure (because public) example keys, use
# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
-MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET"
# Private key for modules signing. The default is okay when
# using the example key directory.
@@ -13,9 +13,11 @@ MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
# If this class is enabled, disable stripping signatures from modules
+# as well disable the debug symbols split
INHIBIT_PACKAGE_STRIP = "1"
+INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
-kernel_do_configure_prepend() {
+kernel_do_configure:prepend() {
if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
> "${B}/modsign_key.pem"
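Review bot: The added comment reads `# as well disable the debug symbols split`; `# as well as disable the debug-symbol split` is the intended wording, and it should say why (presumably because the split would otherwise alter the signed module files after signing — inferred from the pairing with INHIBIT_PACKAGE_STRIP, so confirm). Separately, the renamed `kernel_do_configure:prepend` concatenates the private signing key and the certificate into `${B}/modsign_key.pem`, and the next hunk copies that file into the shared kernel work directory; with a real `MODSIGN_KEY_DIR` this leaves private key material in build-tree locations other recipes can read, which deserves a comment so operators keep production signing keys out of shared build caches. The function body continues past the hunk.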
@@ -24,6 +26,6 @@ kernel_do_configure_prepend() {
fi
}
-do_shared_workdir_append() {
+do_shared_workdir:append() {
cp modsign_key.pem $kerneldir/
}
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index 37776f8..aab9652 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "hardknott"
+LAYERSERIES_COMPAT_integrity = "nanbield scarthgap"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
@@ -33,3 +33,7 @@ INHERIT += "sanity-meta-integrity"
BBFILES_DYNAMIC += " \
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
"
+
+addpylib ${LAYERDIR}/lib oeqa
+
+WARN_QA:append:integrity = " patch-status missing-metadata"
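Review bot: `WARN_QA:append:integrity` only takes effect if `integrity` is present in OVERRIDES; the override BitBake derives for a layer is `layer-<collection>` (from FILE_LAYERNAME), so for this collection the form other layers use would be `WARN_QA:append:layer-integrity = " patch-status missing-metadata"`. Worth confirming with `bitbake -e` that the current spelling actually reaches WARN_QA; if it does not, the Upstream-Status checks this commit otherwise relies on are silently off. `addpylib` requires a BitBake release that understands the keyword, which the nanbield/scarthgap compat bump in the earlier hunk of this file is consistent with.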
diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md
new file mode 100644
index 0000000..e613968
--- /dev/null
+++ b/meta-integrity/data/debug-keys/README.md
@@ -0,0 +1,17 @@
+# EVM & IMA keys
+
+The following IMA & EVM debug/test keys are in this directory
+
+- ima-local-ca.priv: The CA's private key (password: 1234)
+- ima-local-ca.pem: The CA's self-signed certificate
+- privkey_ima.pem: IMA & EVM private key used for signing files
+- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
+
+The CA's (self-signed) certificate can be used to verify the validity of
+the x509_ima.der certificate. Since the CA certificate will be built into
+the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
+pass this test:
+
+```
+ openssl verify -CAfile ima-local-ca.pem x509_ima.der
+````
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem
new file mode 100644
index 0000000..4b48be4
--- /dev/null
+++ b/meta-integrity/data/debug-keys/ima-local-ca.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv
new file mode 100644
index 0000000..e13de23
--- /dev/null
+++ b/meta-integrity/data/debug-keys/ima-local-ca.priv
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw
+DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK
+x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems
+lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY
+LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem
index 502a0b6..8362cfe 100644
--- a/meta-integrity/data/debug-keys/privkey_ima.pem
+++ b/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -1,16 +1,5 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
-Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
-IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
-OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
-lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
-HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
-aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
-TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
-WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
-SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
-xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
-CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
-1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
-3vVaxg2EfqB1
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm
+SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj
+cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv
-----END PRIVATE KEY-----
diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der
index 087ca6b..3f6f24e 100644
--- a/meta-integrity/data/debug-keys/x509_ima.der
+++ b/meta-integrity/data/debug-keys/x509_ima.der
Binary files differ
diff --git a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc b/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc
deleted file mode 100644
index a45182e..0000000
--- a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc
+++ /dev/null
@@ -1,61 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-DEPENDS = "libtspi"
-
-SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
-
-PACKAGECONFIG += " \
- aikgen \
- tpm \
-"
-
-PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
-PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
-
-PACKAGECONFIG_ima += "\
- imc-test \
- imv-test \
- imc-scanner \
- imv-scanner \
- imc-os \
- imv-os \
- imc-attestation \
- imv-attestation \
- tnc-ifmap \
- tnc-imc \
- tnc-imv \
- tnc-pdp \
- tnccs-11 \
- tnccs-20 \
- tnccs-dynamic \
- "
-
-EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
-
-PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,,"
-PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,,"
-PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,,"
-PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,,"
-PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima,,"
-PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,,"
-PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,,"
-
-PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,,"
-PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,,"
-PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,,"
-PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,,"
-PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima,,"
-PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,,"
-PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,,"
-
-PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap,libxml2,"
-PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,,"
-
-PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2,"
-PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,,"
-PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,"
-
-#FILES_${PN} += "${libdir}/ipsec/imcvs/*.so ${datadir}/regid.2004-03.org.strongswan"
-#FILES_${PN}-dbg += "${libdir}/ipsec/imcvs/.debug"
-#FILES_${PN}-dev += "${libdir}/ipsec/imcvs/*.la"
-#FILES_${PN}-staticdev += "${libdir}/ipsec/imcvs/*.a"
diff --git a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
deleted file mode 100644
index 4669fd2..0000000
--- a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'imp', 'strongswan-ima.inc', '', d)}
diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py
index 0c8617a..6b361ca 100644
--- a/meta-integrity/lib/oeqa/runtime/cases/ima.py
+++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -58,21 +58,19 @@ class IMACheck(OERuntimeTestCase):
@OETestDepends(['ima.IMACheck.test_ima_enabled'])
def test_ima_hash(self):
''' Test if IMA stores correct file hash '''
- filename = "/etc/filetest"
+ filename = "/etc/ld.so.cache"
ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
- status, output = self.target.run("echo test > %s" % filename)
- self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
# wait for the IMA system to update the entry
- maximum_tries = 30
+ maximum_tries = 3
tries = 0
- status, output = self.target.run("sha1sum %s" %filename)
+ status, output = self.target.run("sha256sum %s" %filename)
sleep(2)
current_hash = output.split()[0]
ima_hash = ""
while tries < maximum_tries:
- status, output = self.target.run("cat %s | grep %s" \
+ status, output = self.target.run("cat %s | grep -e '%s'" \
% (ima_measure_file, filename))
# get last entry, 4th field
if status == 0:
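Review bot: `grep -e '%s'` treats the file name as a basic regular expression, so the `.` characters in `/etc/ld.so.cache` match any byte and the loop can pick up a measurement entry for a differently named file; `grep -F -e '%s'` keeps it a literal match, and `cat %s | grep` can simply become `grep -F -e '%s' %s`. The switch from a freshly written file to `/etc/ld.so.cache` also assumes that file is measured at boot under the image's policy and that the ascii_runtime_measurements entry is a sha256 hash — a short comment stating both assumptions would explain why `maximum_tries` dropped from 30 to 3. The loop body and the hash comparison continue past the hunk.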
diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-integrity/recipes-core/base-files/base-files-ima.inc
index 7e9e210..cfa65a2 100644
--- a/meta-integrity/recipes-core/base-files/base-files-ima.inc
+++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -1,5 +1,5 @@
# Append iversion option for auto types
-do_install_append() {
+do_install:append() {
sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
}
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 1a3a30a..856249f 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -2,20 +2,18 @@ DESCRIPTION = "An image as an exmaple for Ima support"
IMAGE_FEATURES += "ssh-server-openssh"
+LICENSE = "MIT"
+
+inherit core-image
-IMAGE_INSTALL = "\
+IMAGE_INSTALL += "\
packagegroup-base \
packagegroup-core-boot \
packagegroup-ima-evm-utils \
os-release"
-
-LICENSE = "MIT"
-
-inherit core-image
-
export IMAGE_BASENAME = "integrity-image-minimal"
INHERIT += "ima-evm-rootfs"
-QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
+QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix"
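Review bot: The new default command line `ima_policy=tcb ima_appraise=fix` drops the `ima_policy=appraise_tcb` the old line carried; `tcb` is a measure-only built-in policy, so with no appraise rules loaded `ima_appraise=fix` has nothing to act on unless a custom policy arrives via IMA_EVM_POLICY, and files in this image are not appraised at all. If the intent is the fix-mode demo, `ima_policy=tcb ima_policy=appraise_tcb ima_appraise=fix` restores it; if the intent is measurement only, the `ima_appraise=fix` token is dead and a comment should say so. Either way a one-line comment above `QB_KERNEL_CMDLINE_APPEND:append` naming the expected mode would help, since `fix` is a non-enforcing setting that rewrites security.ima on access and is not meant for a deployed image.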
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 6471c53..58cbe6e 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -30,7 +30,7 @@ do_install () {
sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
}
-FILES_${PN} = "/init.d ${sysconfdir}"
+FILES:${PN} = "/init.d ${sysconfdir}"
-RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
-RDEPENDS_${PN} += "initramfs-framework-base"
+RDEPENDS:${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
+RDEPENDS:${PN} += "initramfs-framework-base"
diff --git a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
index 8196edb..484859f 100644
--- a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
+++ b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
@@ -6,6 +6,6 @@ inherit packagegroup features_check
REQUIRED_DISTRO_FEATURES = "ima"
# Only one at the moment, but perhaps more will come in the future.
-RDEPENDS_${PN} = " \
+RDEPENDS:${PN} = " \
ima-evm-utils \
"
diff --git a/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
index 3b45541..57b3684 100644
--- a/meta-integrity/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
@@ -1,11 +1,11 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += " \
file://machine-id-commit-sync.conf \
file://random-seed-sync.conf \
"
-do_install_append () {
+do_install:append () {
for i in machine-id-commit random-seed; do
install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d
install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
deleted file mode 100644
index f9a48cd..0000000
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
-
-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
-
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
new file mode 100644
index 0000000..9c599aa
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux:"
+
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}
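Review bot: The `require` is keyed on a single distro feature, `'integrity '` (with a stray trailing space), while the rest of this commit switches the kernel features and the CA injection on `ima` and `modsign` (see linux_ima.inc further down); a configuration that enables `ima`/`modsign` without `integrity` never pulls in linux_ima.inc and silently builds a kernel without the IMA features or the trusted CA. Unless `integrity` is the documented umbrella feature, `require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ima modsign', 'linux_ima.inc', '', d)}` keys the include on the same features the included file uses; a one-line comment stating which feature is the switch would help either way.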
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
deleted file mode 100644
index 64016dd..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Tue, 8 Mar 2016 16:43:55 -0500
-Subject: [PATCH] ima: fix ima_inode_post_setattr
-
-Changing file metadata (eg. uid, guid) could result in having to
-re-appraise a file's integrity, but does not change the "new file"
-status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
-IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
-only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
-
-With this patch, changing the file timestamp will not remove the
-file signature on new files.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
-
-Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- security/integrity/ima/ima_appraise.c | 2 +-
- security/integrity/integrity.h | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..a384ba1 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
- if (iint) {
- iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
- IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-- IMA_ACTION_FLAGS);
-+ IMA_ACTION_RULE_FLAGS);
- if (must_appraise)
- iint->flags |= IMA_APPRAISE;
- }
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 0fc9519..f9decae 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -28,6 +28,7 @@
-
- /* iint cache flags */
- #define IMA_ACTION_FLAGS 0xff000000
-+#define IMA_ACTION_RULE_FLAGS 0x06000000
- #define IMA_DIGSIG 0x01000000
- #define IMA_DIGSIG_REQUIRED 0x02000000
- #define IMA_PERMIT_DIRECTIO 0x04000000
---
-2.5.0
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
deleted file mode 100644
index 6ab7ce2..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Thu, 10 Mar 2016 18:19:20 +0200
-Subject: [PATCH] ima: add support for creating files using the mknodat
- syscall
-
-Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
-stopped identifying empty files as new files. However new empty files
-can be created using the mknodat syscall. On systems with IMA-appraisal
-enabled, these empty files are not labeled with security.ima extended
-attributes properly, preventing them from subsequently being opened in
-order to write the file data contents. This patch marks these empty
-files, created using mknodat, as new in order to allow the file data
-contents to be written.
-
-Files with security.ima xattrs containing a file signature are considered
-"immutable" and can not be modified. The file contents need to be
-written, before signing the file. This patch relaxes this requirement
-for new files, allowing the file signature to be written before the file
-contents.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
-
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- fs/namei.c | 2 ++
- include/linux/ima.h | 7 ++++++-
- security/integrity/ima/ima_appraise.c | 3 +++
- security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++-
- 4 files changed, 42 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index ccd7f98..19502da 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -3526,6 +3526,8 @@ retry:
- switch (mode & S_IFMT) {
- case 0: case S_IFREG:
- error = vfs_create(path.dentry->d_inode,dentry,mode,true);
-+ if (!error)
-+ ima_post_path_mknod(dentry);
- break;
- case S_IFCHR: case S_IFBLK:
- error = vfs_mknod(path.dentry->d_inode,dentry,mode,
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 120ccc5..7f51971 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
- extern int ima_module_check(struct file *file);
- extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
--
-+extern void ima_post_path_mknod(struct dentry *dentry);
- #else
- static inline int ima_bprm_check(struct linux_binprm *bprm)
- {
-@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
- return 0;
- }
-
-+static inline void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ return;
-+}
-+
- #endif /* CONFIG_IMA */
-
- #ifdef CONFIG_IMA_APPRAISE
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..20806ea 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -274,6 +274,11 @@ out:
- xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
- if (!ima_fix_xattr(dentry, iint))
- status = INTEGRITY_PASS;
-+ } else if ((inode->i_size == 0) &&
-+ (iint->flags & IMA_NEW_FILE) &&
-+ (xattr_value &&
-+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
-+ status = INTEGRITY_PASS;
- }
- integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
- op, cause, rc, 0);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index eeee00dc..705bf78 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
- ima_audit_measurement(iint, pathname);
-
- out_digsig:
-- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
-+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
-+ !(iint->flags & IMA_NEW_FILE))
- rc = -EACCES;
- kfree(xattr_value);
- out_free:
-@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
- EXPORT_SYMBOL_GPL(ima_file_check);
-
- /**
-+ * ima_post_path_mknod - mark as a new inode
-+ * @dentry: newly created dentry
-+ *
-+ * Mark files created via the mknodat syscall as new, so that the
-+ * file data can be written later.
-+ */
-+void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ struct integrity_iint_cache *iint;
-+ struct inode *inode;
-+ int must_appraise;
-+
-+ if (!dentry || !dentry->d_inode)
-+ return;
-+
-+ inode = dentry->d_inode;
-+ if (inode->i_size != 0)
-+ return;
-+
-+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
-+ if (!must_appraise)
-+ return;
-+
-+ iint = integrity_inode_get(inode);
-+ if (iint)
-+ iint->flags |= IMA_NEW_FILE;
-+}
-+
-+/**
- * ima_module_check - based on policy, collect/store/appraise measurement.
- * @file: pointer to the file to be measured/appraised
- *
---
-2.5.0
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
deleted file mode 100644
index 157c007..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Tue, 15 Nov 2016 10:10:23 +0100
-Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
- modes"
-
-This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
-
-The original motivation was security hardening ("File hashes are
-automatically set and updated and should not be manually set.")
-
-However, that hardening ignores and breaks some valid use cases:
-- File hashes might not be set because the file is currently
- outside of the policy and therefore have to be set by the
- creator. Examples:
- - Booting into an initramfs with an IMA-enabled kernel but
- without setting an IMA policy, then installing
- the OS onto the target partition by unpacking a rootfs archive
- which has the file hashes pre-computed.
- - Unpacking a file into a staging area with meta data (like owner)
- that leaves the file outside of the current policy, then changing
- the meta data such that it becomes part of the current policy.
-- "should not be set manually" implies that the creator is aware
- of IMA semantic, the current system's configuration, and then
- skips setting file hashes in security.ima if (and only if) the
- kernel would prevent it. That's not the case for standard, unmodified
- tools. Example: unpacking an archive with security.ima xattrs with
- bsdtar or GNU tar.
-
-Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- security/integrity/ima/ima_appraise.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4b9b4a4..b8b2dd9 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
- result = ima_protect_xattr(dentry, xattr_name, xattr_value,
- xattr_value_len);
- if (result == 1) {
-- bool digsig;
--
- if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
- return -EINVAL;
-- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
-- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
-- return -EPERM;
-- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
-+ ima_reset_appraise_flags(d_backing_inode(dentry),
-+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
- result = 0;
- }
- return result;
---
-2.1.4
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/audit.cfg b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 0000000..214dbe3
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
new file mode 100644
index 0000000..415476a
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -0,0 +1,11 @@
+
+do_configure:append() {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
+ sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
+ fi
+}
+
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' features/ima/ima.scc', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
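Review bot: The `sed` in `do_configure:append` substitutes `CONFIG_SYSTEM_TRUSTED_KEYS` only when a matching line already exists in `.config`; if the symbol is absent the command still succeeds, nothing changes, and the kernel is built without the CA while the build reports success. Since this line decides which certificate the kernel trusts for IMA signatures, fail loudly instead: `[ -f "${IMA_EVM_ROOT_CA}" ] || bbfatal "IMA_EVM_ROOT_CA '${IMA_EVM_ROOT_CA}' not found"` before the sed, and `grep -q "^CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"$" .config || bbfatal "CONFIG_SYSTEM_TRUSTED_KEYS not set"` after it. The sed also uses `|` as its delimiter and passes the unescaped path as the replacement, so a key directory containing `|` or `&` corrupts the line; a comment noting that constraint is the minimum. The file opens with a blank line where a header comment would help, e.g. `# Pulled in by linux-yocto%.bbappend; builds the IMA root CA into the kernel and enables the ima/modsign kernel features.`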
diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
index 7708aef..230c859 100644
--- a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -5,13 +5,13 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
-ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY:${PN} = "1"
do_install () {
if [ -e "${IMA_EVM_X509}" ]; then
install -d ${D}/${sysconfdir}/keys
install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der
- lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der
+ ln -rs ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der
fi
}
do_install[file-checksums] += "${@'${IMA_EVM_X509}:%s' % os.path.exists('${IMA_EVM_X509}')}"
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
new file mode 100644
index 0000000..f0d8975
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
@@ -0,0 +1,39 @@
+From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 18 Apr 2023 11:43:55 -0400
+Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
+
+If a signatures is detected as being portable do not attempt to read the
+generation with the ioctl since in some cases this may not be supported
+by the filesystem and is also not needed for computing a portable
+signature.
+
+This avoids the current work-around of passing --generation 0 when the
+ioctl is not supported by the filesystem.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+Upstream-Status: Pending
+
+ src/evmctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 6d2bb67..c35a28c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ if (mode_str)
+ st.st_mode = strtoul(mode_str, NULL, 10);
+
+- if (!evm_immutable) {
++ if (!evm_immutable && !evm_portable) {
+ if (S_ISREG(st.st_mode) && !generation_str) {
+ int fd = open(file, 0);
+
+---
+Upstream-Status: Pending
+
+2.39.2
+
+
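Review bot: `Upstream-Status: Pending` appears twice in the new patch file, once inside the commit message before the diffstat and again after the closing `---`/`2.39.2` trailer; a single entry in the header is what the patch-status QA check enabled elsewhere in this commit looks for, and the copy after `---` is discarded by `git am`, so keep the first and drop the second along with the two trailing blank lines. If the change has since been accepted upstream, the status should say so with the upstream commit reference rather than `Pending`.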
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
deleted file mode 100644
index 35c3162..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Fri, 30 Sep 2016 10:22:16 +0200
-Subject: [PATCH] command line: apply operation to all paths
-
-Previously, invocations like "evmctl ima_hash foo bar" silently
-ignored all parameters after the first path name ("foo" in this
-example).
-
-Now evmctl iterates over all specified paths. It aborts with an
-error as soon as the selected operation fails for a path.
-
-Supporting more than one parameter is useful in combination with
-"find" and "xargs" because it is noticably faster than invoking
-evmutil separately for each file, in particular when run under pseudo
-(a fakeroot environment used by the OpenEmbedded build system).
-
-This complements the recursive mode and can be used when more control
-over file selection is needed.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- src/evmctl.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 23cf54c..2072034 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type)
- static int do_cmd(struct command *cmd, find_cb_t func)
- {
- char *path = g_argv[optind++];
-- int err, dts = REG_MASK; /* only regular files by default */
-+ int err = 0, dts = REG_MASK; /* only regular files by default */
-
- if (!path) {
- log_err("Parameters missing\n");
-@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func)
- return -1;
- }
-
-- if (recursive) {
-- if (search_type) {
-- dts = get_file_type(path, search_type);
-- if (dts < 0)
-- return dts;
-+ while (path && !err) {
-+ if (recursive) {
-+ if (search_type) {
-+ dts = get_file_type(path, search_type);
-+ if (dts < 0)
-+ return dts;
-+ }
-+ err = find(path, dts, func);
-+ } else {
-+ err = func(path);
- }
-- err = find(path, dts, func);
-- } else {
-- err = func(path);
-+ path = g_argv[optind++];
- }
-
- return err;
---
-2.1.4
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
deleted file mode 100644
index 75076f5..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Wed, 13 May 2015 03:41:02 -0700
-Subject: [PATCH] Makefile.am: disable man page creation
-
-Depends on asciidoc, which is not available.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- Makefile.am | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 06ebf59..4ddd52c 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1,5 +1,5 @@
- SUBDIRS = src
--dist_man_MANS = evmctl.1
-+# dist_man_MANS = evmctl.1
-
- doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
- EXTRA_DIST = autogen.sh $(doc_DATA)
-@@ -39,4 +39,21 @@ rmman:
-
- doc: evmctl.1.html rmman evmctl.1
-
-+# requires asciidoc, xslproc, docbook-xsl
-+# FIXME Disabled until docbook-xsl is unavaliable on tizen.org
-+#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
-+#
-+#evmctl.1.html: README
-+# @asciidoc -o $@ $<
-+#
-+#evmctl.1:
-+# asciidoc -d manpage -b docbook -o evmctl.1.xsl README
-+# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
-+# rm -f evmctl.1.xsl
-+#
-+#rmman:
-+# rm -f evmctl.1
-+#
-+#doc: evmctl.1.html rmman evmctl.1
-+
- .PHONY: $(tarname)
---
-1.8.4.5
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
deleted file mode 100644
index ffa65df..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Wed, 17 Jun 2015 14:28:18 +0200
-Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines
-
-Compilation on older Linux distros (like Ubuntu 12.04) fails
-because linux/xattr.h does not yet have the IMA defines. Compiling
-there makes sense when only the tools are needed, for example when
-signing an image in cross-compile mode.
-
-To support this, add fallbacks for the two defines which are needed.
-Their value is part of the Linux ABI and thus fixed.
-
-Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- src/evmctl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index c54efbb..23cf54c 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -57,6 +57,18 @@
- #include <termios.h>
- #include <assert.h>
-
-+/*
-+ * linux/xattr.h might be old to have this. Allow compilation on older
-+ * Linux distros (like Ubuntu 12.04) by falling back to our own
-+ * definition.
-+ */
-+#ifndef XATTR_IMA_SUFFIX
-+# define XATTR_IMA_SUFFIX "ima"
-+#endif
-+#ifndef XATTR_NAME_IMA
-+# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
-+#endif
-+
- #include <openssl/sha.h>
- #include <openssl/pem.h>
- #include <openssl/hmac.h>
---
-2.1.4
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
new file mode 100644
index 0000000..8ac080c
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
@@ -0,0 +1,30 @@
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS += "openssl attr keyutils"
+
+DEPENDS:class-native += "openssl-native keyutils-native"
+
+FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
+
+SRC_URI = " \
+ https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
+ file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
+"
+SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
+
+inherit pkgconfig autotools features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"
+REQUIRED_DISTRO_FEATURES:class-native = ""
+
+EXTRA_OECONF += "MANPAGE_DOCBOOK_XSL=0"
+EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+
+BBCLASSEXTEND = "native nativesdk"
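Review bot: `FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"` is the unusual form: the layer convention is `FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:"`, because `${PN}` expands to `ima-evm-utils-native` for the native variant (a directory that does not exist) and `:append` places the directory last in the search order. For this recipe the line appears redundant altogether, since the default FILESPATH already contains `${FILE_DIRNAME}/${BPN}`, which is exactly where the new patch lives; dropping the line, or switching to the `:prepend`/`${BPN}` form, would avoid confusion for anyone adding files for the native build later.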
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
deleted file mode 100644
index bd85583..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ /dev/null
@@ -1,38 +0,0 @@
-DESCRIPTION = "IMA/EVM control utility"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS += "openssl attr keyutils"
-
-DEPENDS_class-native += "openssl-native keyutils-native"
-
-PV = "1.2.1+git${SRCPV}"
-SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
-SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y"
-
-# Documentation depends on asciidoc, which we do not have, so
-# do not build documentation.
-SRC_URI += "file://disable-doc-creation.patch"
-
-# Workaround for upstream incompatibility with older Linux distros.
-# Relevant for us when compiling ima-evm-utils-native.
-SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
-
-# Required for xargs with more than one path as argument (better for performance).
-SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
-
-S = "${WORKDIR}/git"
-
-inherit pkgconfig autotools features_check
-
-REQUIRED_DISTRO_FEATURES = "ima"
-REQUIRED_DISTRO_FEATURES_class-native = ""
-
-EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
-
-# blkid is called by evmctl when creating evm checksums.
-# This is less useful when signing files on the build host,
-# so disable it when compiling on the host.
-RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 36e71a7..3498025 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -25,5 +25,12 @@ dont_appraise fsmagic=0xf97cff8c
dont_appraise fsmagic=0x6e736673
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
+# Cgroup
+dont_appraise fsmagic=0x27e0eb
+# Cgroup2
+dont_appraise fsmagic=0x63677270
-appraise
+# Appraise libraries
+appraise func=MMAP_CHECK mask=MAY_EXEC
+# Appraise executables
+appraise func=BPRM_CHECK
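Review bot: Replacing the unconditional `appraise` rule with `appraise func=MMAP_CHECK mask=MAY_EXEC` and `appraise func=BPRM_CHECK` narrows appraisal to executed binaries and executably-mapped libraries; files merely opened for reading (scripts run through an interpreter, configuration and data files), kernel modules and firmware are no longer appraised by this policy, while the recipe and file are still named "appraise all". If that narrowing is intended, the policy should say so in a header comment, e.g. `# Appraise only executed binaries and executably mapped libraries; plain file reads are not appraised`, and any documentation describing this policy as appraising all files presumably needs the same update. If it is not intended, rules such as `appraise func=MODULE_CHECK` and `appraise func=FIRMWARE_CHECK` should be added back so that those load paths stay covered.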
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index 84ea161..5f2244e 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -12,5 +12,5 @@ do_install () {
install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
}
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index ff7169e..57c0640 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -14,5 +14,5 @@ do_install () {
install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
}
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index 0e56aec..8fed410 100644
--- a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -12,5 +12,5 @@ do_install () {
install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
}
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh
index 5f3a728..b10b1ba 100755
--- a/meta-integrity/scripts/ima-gen-CA-signed.sh
+++ b/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -20,7 +20,6 @@ CAKEY=${2:-ima-local-ca.priv}
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -36,13 +35,15 @@ basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
- -out csr_ima.pem -keyout privkey_ima.pem
-openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \
-CA $CA -CAkey $CAKEY -CAcreateserial \
-outform DER -out x509_ima.der
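Review bot: Both certificates are now issued for 36500 days (here and in the matching hunk of `ima-gen-local-ca.sh`), so the signing key and the local CA never expire and nothing forces rotation; since the script already takes its inputs from positional parameters, making this tunable, e.g. `DAYS=${DAYS:-36500}` with `-days $DAYS` on both openssl lines, and stating in a comment that these are development/test keys would make the choice explicit. Switching to `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` also presumes that the target kernel verifies ECDSA IMA signatures, which not every kernel configuration does, and with `default_bits` removed RSA is no longer selectable here; a comment naming that kernel requirement would help users who have to keep RSA keys. The `-days 36500` on the `openssl req -new` line has no effect without `-x509` and can be dropped.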
diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh
index b600761..339d3e3 100755
--- a/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,7 +18,6 @@ GENKEY=ima-local-ca.genkey
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -33,10 +32,11 @@ emailAddress = john.doe@example.com
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh
deleted file mode 100755
index 5ee876c..0000000
--- a/meta-integrity/scripts/ima-gen-self-signed.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# Copied from ima-evm-utils.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# version 2 as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-GENKEY=ima.genkey
-
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 1024
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-O = example.com
-CN = meta-intel-iot-security example signing key
-emailAddress = john.doe@example.com
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-__EOF__
-
-openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
- -x509 -config $GENKEY \
- -outform DER -out x509_ima.der -keyout privkey_ima.pem
diff --git a/meta-parsec/README.md b/meta-parsec/README.md
index a2736b6..9b231f6 100644
--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -1,8 +1,7 @@
meta-parsec layer
==============
-This layer contains recipes for the Parsec service with Mbed-Crypto,
-Pkcs11 and TPM providers and parsec tools.
+This layer contains recipes for the Parsec service and parsec tools.
Dependencies
============
@@ -11,23 +10,12 @@ This layer depends on:
URI: git://git.openembedded.org/meta-openembedded
branch: master
- revision: HEAD
- prio: default
URI git://git.yoctoproject.org/meta-security
branch: master
- revision: HEAD
- prio: default
-
- URI https://github.com/meta-rust/meta-rust.git
- branch: master
- revision: HEAD
- prio: default
URI https://github.com/kraj/meta-clang.git
branch: master
- revision: HEAD
- prio: default
Adding the meta-parsec layer to your build
==========================================
@@ -44,7 +32,6 @@ other layers needed. e.g.:
/path/to/yocto/meta-yocto-bsp \
/path/to/meta-openembedded/meta-oe \
/path/to/meta-openembedded/meta-python \
- /path/to/meta-rust \
/path/to/meta-clang \
/path/to/meta-security/meta-tpm \
/path/to/meta-security/meta-parsec \
@@ -53,16 +40,38 @@ other layers needed. e.g.:
To include the Parsec service into your image add following into the
local.conf:
- IMAGE_INSTALL_append = " parsec-service"
+ IMAGE_INSTALL:append = " parsec-service"
+
+ By default the Parsec service will be deployed into the image with
+PKCS11 and MBED-CRYPTO providers build-in.
+ The TPM provider will also be built by default if:
+- DISTRO_FEATURES contains "tmp2" and
+- "tpm-layer" (meta-tpm) is included in BBLAYERS
+
+The trusted service provider depends on libts recipe from meta-arm layer.
+
+You can use PACKAGECONFIG for Parsec servic recipe to define
+what providers should be built in. For example:
- The Parsec service will be deployed into the image built with all the supported
-providers and with the default config file from the Parsec repository:
+ PACKAGECONFIG:pn-parsec-service = "TS"
+
+
+The default Parsec service config file is taken from the Parsec repository:
https://github.com/parallaxsecond/parsec/blob/main/config.toml
- The default Parsec service config file contains the MbedCrypto provider
-enabled. The config file needs to be updated to use the Parsec service
-with other providers like TPM or PKCS11. The required procedures are
-covered in Parsec documentation.
-https://parallaxsecond.github.io/parsec-book/
+This config file contains the MbedCrypto provider enabled.
+The config needs to be updated to use the Parsec service
+with other providers like TPM or PKCS11. The required changes are
+covered in Parsec documentation https://parallaxsecond.github.io/parsec-book/
+
+ PARSEC_CONFIG can be used in a bbappend file to replace the default config.
+For example:
+
+```
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://config-TS.toml \
+ "
+PARSEC_CONFIG = "${WORKDIR}/config-TS.toml"
+```
Updating recipes
================
@@ -80,30 +89,103 @@ https://github.com/meta-rust/cargo-bitbake
2. Run cargo-bitbake inside the repository. It will produce a BB file.
3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file.
+Automated Parsec testing with runqemu
+=====================================
+
+ The Yocto build system has the ability to run a series of automated tests for qemu images.
+All the tests are actually commands run on the target system over ssh.
+
+ Meta-parsec includes automated unittests which run end to end Parsec tests.
+The tests are run against:
+- all providers pre-configured in the Parsec config file included in the image.
+- PKCS11 and TPM providers with software backends if softhsm and
+ swtpm packages included in the image.
+- TS Provider if Parsec is built with it included.
+
+Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec,
+softhsm and swtpm included.
+
+ Please notice that the account you use to run bitbake should have access to `/dev/kvm`.
+You might need to change permissions or add the account into `kvm` unix group.
+
+1. Testing Parsec with your own image where `parsec-service` and `parsec-tool` are already included.
+
+- Add into your `local.conf`:
+```
+INHERIT += "testimage"
+TEST_SUITES = "ping ssh parsec"
+```
+- Build your image
+```bash
+bitbake <your-image>
+```
+- Run tests
+```bash
+bitbake <your-image> -c testimage
+```
+
+2. Testing Parsec with pre-defined `security-parsec-image` image.
+
+- Add into your `local.conf`:
+```
+DISTRO_FEATURES += " tpm2"
+INHERIT += "testimage"
+TEST_SUITES = "ping ssh parsec"
+```
+- Build security-parsec-image image
+```bash
+bitbake security-parsec-image
+```
+- Run tests
+```bash
+bitbake security-parsec-image -c testimage
+```
+
+Output of a successfull tests run should look similar to:
+```
+RESULTS:
+RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
+RESULTS - ssh.SSHTest.test_ssh: PASSED (0.25s)
+RESULTS - parsec.ParsecTest.test_all_providers: PASSED (1.84s)
+RESULTS - parsec.ParsecTest.test_pkcs11_provider: PASSED (2.91s)
+RESULTS - parsec.ParsecTest.test_tpm_provider: PASSED (3.33s)
+SUMMARY:
+security-parsec-image () - Ran 5 tests in 8.386s
+security-parsec-image - OK - All required tests passed (successes=5, skipped=0, failures=0, errors=0)
+```
+
+
Manual testing with runqemu
===========================
This layer also contains a recipe for pasec-tool which can be used for
manual testing of the Parsec service:
- IMAGE_INSTALL_append += " parsec-tools"
+ IMAGE_INSTALL:append = " parsec-tool"
There are a series of Parsec Demo videos showing how to use parsec-tool
to test the Parsec service base functionality:
https://www.youtube.com/watch?v=ido0CyUdMHM&list=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg&index=4
+ The parsec-tool recipe also includes `parsec-cli-tests.sh` script
+which runs e2e tests against all providers enabled and configured
+in Parsec service.
+
You can use runqemu to start a VM with a built image file and run
manual tests with parsec-tool.
+Enabling Parsec providers for manual testing
+============================================
+
1. MbedCrypto provider
The default Parsec service config file contains the MbedCrypto provider
-enabled. No changes required for manual testing.
+enabled. No changes required.
2. PKCS11 provider
The Software HSM can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL_append += " softhsm"
+ IMAGE_INSTALL:append = " softhsm"
Inside the running VM:
- Stop Parsec
@@ -134,7 +216,7 @@ systemctl start parsec
The IBM Software TPM service can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL_append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
+ IMAGE_INSTALL:append = " swtpm tpm2-tools libtss2 libtss2-tcti-mssim"
Inside the running VM:
- Stop Parsec
@@ -165,11 +247,11 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-parsec][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-parsec][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-parsec][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-parsec/conf/layer.conf b/meta-parsec/conf/layer.conf
index 2d4aa12..e9d0230 100644
--- a/meta-parsec/conf/layer.conf
+++ b/meta-parsec/conf/layer.conf
@@ -8,7 +8,11 @@ BBFILE_COLLECTIONS += "parsec-layer"
BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_parsec-layer = "5"
-LAYERSERIES_COMPAT_parsec-layer = "hardknott gatesgarth"
+LAYERSERIES_COMPAT_parsec-layer = "nanbield scarthgap"
-LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer"
+LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
+
+addpylib ${LAYERDIR}/lib oeqa
+
+WARN_QA:append:parsec-layer = " patch-status missing-metadata"
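Review bot: `LAYERDEPENDS_parsec-layer` drops `tpm-layer`, yet the new `security-parsec-image.bb` in this same change lists `packagegroup-security-tpm2` in IMAGE_INSTALL, and that packagegroup appears to be provided by meta-tpm; with meta-tpm absent the layer still parses but the image recipe cannot be built. Since the README now presents the TPM provider as optional on `tpm-layer`, the soft dependency should be declared, e.g. `LAYERRECOMMENDS_parsec-layer = "tpm-layer"`, and the image recipe either moved under a `dynamic-layers/tpm-layer/` directory (with a matching `BBFILES_DYNAMIC` entry) or changed to not install the TPM packagegroup by default.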
diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
new file mode 100644
index 0000000..004717d
--- /dev/null
+++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -0,0 +1,232 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2022 Anton Antonov <Anton.Antonov@arm.com>
+#
+import re
+from tempfile import mkstemp
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class ParsecTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.toml_file = '/etc/parsec/config.toml'
+ cls.tc.target.run('cp -p %s %s-original' % (cls.toml_file, cls.toml_file))
+
+ def setUp(self):
+ super(ParsecTest, self).setUp()
+ if 'systemd' in self.tc.td['DISTRO_FEATURES']:
+ self.parsec_status='systemctl status -l parsec'
+ self.parsec_reload='systemctl restart parsec'
+ else:
+ self.parsec_status='pgrep -l parsec'
+ self.parsec_reload='/etc/init.d/parsec reload'
+
+ def tearDown(self):
+ self.target.run('sync')
+ super(ParsecTest, self).tearDown()
+
+ def copy_subconfig(self, cfg, provider):
+ """ Copy a provider configuration to target and append it to Parsec config """
+
+ tmp_fd, tmp_path = mkstemp()
+ with os.fdopen(tmp_fd, 'w') as f:
+ f.write('\n'.join(cfg))
+
+ (status, output) = self.target.copyTo(tmp_path, "%s-%s" % (self.toml_file, provider))
+ self.assertEqual(status, 0, msg='File could not be copied.\n%s' % output)
+ status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file))
+ os.remove(tmp_path)
+
+ def restore_parsec_config(self):
+ """ Restore original Parsec config """
+ self.target.run('cp -p %s-original %s' % (self.toml_file, self.toml_file))
+ self.target.run(self.parsec_reload)
+
+ def check_parsec_providers(self, provider=None, prov_id=None):
+ """ Get Parsec providers list and check for one if defined """
+
+ status, output = self.target.run(self.parsec_status)
+ self.assertEqual(status, 0, msg='Parsec service is not running.\n%s' % output)
+
+ status, output = self.target.run('parsec-tool list-providers')
+ self.assertEqual(status, 0, msg='Cannot get a list of Parsec providers.\n%s' % output)
+ if provider and prov_id:
+ self.assertIn("ID: 0x0%d (%s provider)" % (prov_id, provider),
+ output, msg='%s provider is not configured.' % provider)
+
+ def run_cli_tests(self, prov_id=None, extra_params=""):
+ """ Run Parsec CLI end-to-end tests against one or all providers """
+
+ status, output = self.target.run('parsec-cli-tests.sh %s %s' % ("-%d" % prov_id if prov_id else "", extra_params))
+ self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output)
+
+ def check_packageconfig(self, prov):
+ """ Check that the require provider is included in Parsec """
+
+ if 'PACKAGECONFIG:pn-parsec-service' in self.tc.td.keys():
+ providers = self.tc.td['PACKAGECONFIG:pn-parsec-service']
+ else:
+ # PACKAGECONFIG is not defined in local.conf
+ # Let's use the default value
+ providers = "PKCS11 MBED-CRYPTO"
+ if 'tpm2' in self.tc.td['DISTRO_FEATURES']:
+ providers += " TPM"
+ if prov not in providers:
+ self.skipTest('%s provider is not included in Parsec. Parsec PACKAGECONFIG: "%s"' % \
+ (prov, providers))
+
+ def check_packages(self, prov, packages):
+ """ Check for the required packages for Parsec providers software backends """
+ if isinstance(packages, str):
+ need_pkgs = set([packages,])
+ else:
+ need_pkgs = set(packages)
+
+ if not self.tc.image_packages.issuperset(need_pkgs):
+ self.skipTest('%s provider is not configured and packages "%s" are not included into the image' % \
+ (prov, need_pkgs))
+
+ @OEHasPackage(['parsec-service'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_all_providers(self):
+ """ Test Parsec service with all pre-defined providers """
+
+ self.check_parsec_providers()
+ self.run_cli_tests()
+
+ def configure_tpm_provider(self):
+ """ Create Parsec TPM provider configuration """
+
+ cfg = [
+ '',
+ '[[provider]]',
+ 'name = "tpm-provider"',
+ 'provider_type = "Tpm"',
+ 'key_info_manager = "sqlite-manager"',
+ 'tcti = "swtpm:port=2321"',
+ 'owner_hierarchy_auth = ""',
+ ]
+ self.copy_subconfig(cfg, "TPM")
+
+ cmds = [
+ 'mkdir /tmp/myvtpm',
+ 'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
+ 'tpm2_startup -c -T "swtpm:port=2321"',
+ 'chown -R parsec /tmp/myvtpm',
+ self.parsec_reload,
+ 'sleep 5',
+ ]
+
+ for cmd in cmds:
+ status, output = self.target.run(cmd)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+ @OEHasPackage(['parsec-service'])
+ @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_tpm_provider(self):
+ """ Configure and test Parsec TPM provider with swtpm as a backend """
+
+ self.check_packageconfig("TPM")
+
+ reconfigure = False
+ prov_id = 3
+ try:
+ # Chech if the provider is already configured
+ self.check_parsec_providers("TPM", prov_id)
+ except:
+ # Try to test the provider with a software backend
+ self.check_packages("TPM", ['swtpm', 'tpm2-tools'])
+ reconfigure = True
+ self.configure_tpm_provider()
+ self.check_parsec_providers("TPM", prov_id)
+
+ self.run_cli_tests(prov_id)
+ self.restore_parsec_config()
+
+ if reconfigure:
+ self.target.run('swtpm_ioctl -s --tcp :2322')
+
+ def configure_pkcs11_provider(self):
+ """ Create Parsec PKCS11 provider configuration """
+
+ status, output = self.target.run('softhsm2-util --init-token --free --label "Parsec Service" --pin 123456 --so-pin 123456')
+ self.assertEqual(status, 0, msg='Failed to init PKCS11 token.\n%s' % output)
+
+ slot = re.search('The token has been initialized and is reassigned to slot (\d*)', output)
+ if slot is None:
+ self.fail('Failed to get PKCS11 slot serial number.\n%s' % output)
+ self.assertNotEqual(slot.group(1), None, msg='Failed to get PKCS11 slot serial number.\n%s' % output)
+
+ cfg = [
+ '',
+ '[[provider]]',
+ 'name = "pkcs11-provider"',
+ 'provider_type = "Pkcs11"',
+ 'key_info_manager = "sqlite-manager"',
+ 'library_path = "/usr/lib/softhsm/libsofthsm2.so"',
+ 'slot_number = %s' % slot.group(1),
+ 'user_pin = "123456"',
+ 'allow_export = true',
+ ]
+ self.copy_subconfig(cfg, "PKCS11")
+
+ status, output = self.target.run('for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done')
+ status, output = self.target.run(self.parsec_reload)
+ self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
+
+ @OEHasPackage(['parsec-service'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_pkcs11_provider(self):
+ """ Configure and test Parsec PKCS11 provider with softhsm as a backend """
+
+ self.check_packageconfig("PKCS11")
+ prov_id = 2
+ try:
+ # Chech if the provider is already configured
+ self.check_parsec_providers("PKCS #11", prov_id)
+ except:
+ # Try to test the provider with a software backend
+ self.check_packages("PKCS11", 'softhsm')
+ self.configure_pkcs11_provider()
+ self.check_parsec_providers("PKCS #11", prov_id)
+
+ # Software PKCS11 we use for OE QA testing
+ # doesn't support RSA-OAEP(SHA256) encryption/decryption operations
+ self.run_cli_tests(prov_id, "--no-oaep")
+ self.restore_parsec_config()
+
+ def configure_TS_provider(self):
+ """ Create Trusted Services provider configuration """
+
+ cfg = [
+ '',
+ '[[provider]]',
+ 'name = "trusted-service-provider"',
+ 'provider_type = "TrustedService"',
+ 'key_info_manager = "sqlite-manager"',
+ ]
+ self.copy_subconfig(cfg, "TS")
+
+ status, output = self.target.run(self.parsec_reload)
+ self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
+
+ @OEHasPackage(['parsec-service'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_TS_provider(self):
+ """ Configure and test Parsec PKCS11 provider with softhsm as a backend """
+
+ self.check_packageconfig("TS")
+ prov_id = 4
+ try:
+ # Chech if the provider is already configured
+ self.check_parsec_providers("Trusted Service", prov_id)
+ except:
+ self.configure_TS_provider()
+ self.check_parsec_providers("Trusted Service", prov_id)
+
+ self.run_cli_tests(prov_id)
+ self.restore_parsec_config()
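Review bot: `copy_subconfig` calls `os.fdopen` and `os.remove` but `os` is never imported (the import block has `re`, `mkstemp` and the oeqa modules), so every provider test that needs to reconfigure Parsec will fail with NameError; add `import os` to the import block. The three bare `except:` clauses wrapping `check_parsec_providers` should be `except AssertionError:` so that they only catch the "provider not configured" assertion and not KeyboardInterrupt or a genuine failure in the status or `parsec-tool` commands. `restore_parsec_config()` (and the `swtpm_ioctl -s --tcp :2322` teardown) run only when `run_cli_tests` passes, so a failing test leaves the appended provider section in `/etc/parsec/config.toml` and a running swtpm for the tests that follow; wrapping the body in try/finally, or registering the restore with `self.addCleanup`, would fix that. Also, the regex on the softhsm output should be a raw string, `r'The token has been initialized and is reassigned to slot (\d*)'`, to avoid the invalid-escape warning, and the docstring of `test_TS_provider` is copied from the PKCS11 test and should describe the Trusted Services provider.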
diff --git a/meta-parsec/recipes-core/images/security-parsec-image.bb b/meta-parsec/recipes-core/images/security-parsec-image.bb
new file mode 100644
index 0000000..7add74b
--- /dev/null
+++ b/meta-parsec/recipes-core/images/security-parsec-image.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "A small image for testing Parsec service with MbedCrypto, TPM and PKCS11 providers"
+
+inherit core-image
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-security-tpm2 \
+ packagegroup-security-parsec \
+ swtpm \
+ softhsm \
+ os-release"
+
+export IMAGE_BASENAME = "security-parsec-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
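Review bot: Nothing in the recipe marks this as a test-only image, although it installs `swtpm` and `softhsm` (software emulations of a TPM and of a PKCS#11 token) next to an SSH server, so someone could reasonably fork it as a product base. A header comment above `inherit core-image` would make that explicit, e.g. `# QA/test image only: swtpm and softhsm are software emulations and offer no hardware-rooted key protection; not a template for product images.` The DESCRIPTION also names only MbedCrypto, TPM and PKCS11 providers, while the test code in this series appears to exercise a Trusted Services provider as well; if that provider is meant to be covered by this image, the description should say so.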
diff --git a/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb b/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
new file mode 100644
index 0000000..0af9c3d
--- /dev/null
+++ b/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
@@ -0,0 +1,16 @@
+DESCRIPTION = "Parsec Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "\
+ packagegroup-security-parsec \
+ "
+
+SUMMARY:packagegroup-security-parsec = "Security Parsec"
+RDEPENDS:packagegroup-security-parsec = "\
+ parsec-tool \
+ parsec-service \
+ "
diff --git a/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch b/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch
deleted file mode 100644
index c234479..0000000
--- a/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-
-Use cryptoki v0.1.1 which supports the "generate-bindings" feature
-required for building Parsec service 0.7.0 in Yocto.
-
-Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
-Upstream-Status: Submitted
-
---- a/Cargo.toml 2021-04-01 10:29:50.333687763 +0100
-+++ b/Cargo.toml 2021-04-01 10:27:13.051860002 +0100
-@@ -37,7 +37,7 @@
- version = "1.3.1"
-
- [dependencies.cryptoki]
--version = "0.1.0"
-+version = "0.1.1"
- features = ["psa-crypto-conversions"]
- optional = true
-
diff --git a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
index fe576a2..954bfa3 100644
--- a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
+++ b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
@@ -1,2 +1,3 @@
#Type Path Mode User Group Age Argument
d /run/parsec 755 parsec parsec - -
+d /var/lib/parsec 700 parsec parsec - -
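Review bot: The new `/var/lib/parsec` entry tightens the mode to 0700 but, like the `/run/parsec` line above it, carries no comment saying what lives there or why it must not be readable by other users; since this path is also the service's working directory and presumably holds the key-info manager's database, a one-line comment such as `# Persistent state (key info manager database): 0700 so only the parsec user can read key mappings` would make the restrictive mode deliberate rather than incidental. Be aware that a `d` entry also adjusts ownership and mode of a directory that already exists at boot, so any content left there by an earlier image is silently re-owned to parsec — acceptable here, but worth stating.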
diff --git a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch
index c01ff06..2525898 100644
--- a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch
+++ b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch
@@ -4,16 +4,25 @@ Run the Parsec service as parsec user in /var/lib/parsec/ working directory.
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Upstream-Status: Inappropriate [deployment configuration]
---- a/systemd-daemon/parsec.service 2021-03-28 18:34:18.703196235 +0100
-+++ b/systemd-daemon/parsec.service 2021-03-28 18:35:14.279830299 +0100
-@@ -3,7 +3,9 @@
+diff --git a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service
+index c07c3b9..a6fe6a3 100644
+--- a/systemd-daemon/parsec.service
++++ b/systemd-daemon/parsec.service
+@@ -3,13 +3,15 @@ Description=Parsec Service
Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
-
+
[Service]
-WorkingDirectory=/home/parsec/
+User=parsec
+Group=parsec
+WorkingDirectory=/var/lib/parsec/
ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
-
- [Install]
+ # Systemd hardening
+ ProtectSystem=full
+ ProtectHome=true
+ ProtectHostname=true
+-ProtectKernelTunables=true
++#ProtectKernelTunables=true
+ ProtectKernelModules=true
+ ProtectKernelLogs=true
+ ProtectControlGroups=true
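Review bot: Commenting out `ProtectKernelTunables=true` (the `++#ProtectKernelTunables=true` line) weakens the upstream hardening, yet neither the patch description above the hunk nor a comment in the unit records why; a reader cannot tell whether a TPM or PKCS#11 backend actually needs a writable `/sys` or `/proc/sys` path or whether this is left over from debugging. Record the reason in both places, e.g. `# ProtectKernelTunables disabled: <reason>; re-enable once <condition>`, and if only one path must be writable, `ReadWritePaths=<path>` is a narrower exception than dropping the directive. Separately, with `User=parsec` and `WorkingDirectory=/var/lib/parsec/` now set, `StateDirectory=parsec` would let systemd create and own the state directory itself instead of depending on a tmpfiles entry having run first. The unit file continues beyond this hunk.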
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc b/meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc
new file mode 100644
index 0000000..bf2c7d4
--- /dev/null
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service-crates.inc
@@ -0,0 +1,474 @@
+# Autogenerated with 'bitbake -c update_crates parsec-service'
+
+# from Cargo.lock
+SRC_URI += " \
+ crate://crates.io/ahash/0.8.3 \
+ crate://crates.io/aho-corasick/1.1.2 \
+ crate://crates.io/allocator-api2/0.2.16 \
+ crate://crates.io/anyhow/1.0.75 \
+ crate://crates.io/asn1-rs/0.3.1 \
+ crate://crates.io/asn1-rs-derive/0.1.0 \
+ crate://crates.io/asn1-rs-impl/0.1.0 \
+ crate://crates.io/autocfg/1.1.0 \
+ crate://crates.io/base64/0.13.1 \
+ crate://crates.io/base64/0.21.4 \
+ crate://crates.io/bincode/1.3.3 \
+ crate://crates.io/bindgen/0.57.0 \
+ crate://crates.io/bindgen/0.66.1 \
+ crate://crates.io/bitfield/0.14.0 \
+ crate://crates.io/bitflags/1.3.2 \
+ crate://crates.io/bitflags/2.4.0 \
+ crate://crates.io/bumpalo/3.14.0 \
+ crate://crates.io/bytes/1.5.0 \
+ crate://crates.io/cc/1.0.83 \
+ crate://crates.io/cexpr/0.4.0 \
+ crate://crates.io/cexpr/0.6.0 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/clang-sys/1.6.1 \
+ crate://crates.io/clap/2.34.0 \
+ crate://crates.io/cmake/0.1.45 \
+ crate://crates.io/const-oid/0.7.1 \
+ crate://crates.io/cryptoauthlib-sys/0.2.2 \
+ crate://crates.io/cryptoki/0.6.0 \
+ crate://crates.io/cryptoki-sys/0.1.7 \
+ crate://crates.io/data-encoding/2.4.0 \
+ crate://crates.io/der/0.5.1 \
+ crate://crates.io/der-parser/7.0.0 \
+ crate://crates.io/deranged/0.3.8 \
+ crate://crates.io/derivative/2.2.0 \
+ crate://crates.io/displaydoc/0.2.4 \
+ crate://crates.io/either/1.9.0 \
+ crate://crates.io/enumflags2/0.7.8 \
+ crate://crates.io/enumflags2_derive/0.7.8 \
+ crate://crates.io/env_logger/0.10.0 \
+ crate://crates.io/equivalent/1.0.1 \
+ crate://crates.io/errno/0.3.5 \
+ crate://crates.io/fallible-iterator/0.2.0 \
+ crate://crates.io/fallible-streaming-iterator/0.1.9 \
+ crate://crates.io/fastrand/2.0.1 \
+ crate://crates.io/fixedbitset/0.4.2 \
+ crate://crates.io/form_urlencoded/1.2.0 \
+ crate://crates.io/futures/0.3.28 \
+ crate://crates.io/futures-channel/0.3.28 \
+ crate://crates.io/futures-core/0.3.28 \
+ crate://crates.io/futures-executor/0.3.28 \
+ crate://crates.io/futures-io/0.3.28 \
+ crate://crates.io/futures-macro/0.3.28 \
+ crate://crates.io/futures-sink/0.3.28 \
+ crate://crates.io/futures-task/0.3.28 \
+ crate://crates.io/futures-util/0.3.28 \
+ crate://crates.io/generic-array/0.14.7 \
+ crate://crates.io/getrandom/0.2.10 \
+ crate://crates.io/glob/0.3.1 \
+ crate://crates.io/grpcio/0.9.1 \
+ crate://crates.io/grpcio-sys/0.9.1+1.38.0 \
+ crate://crates.io/hashbrown/0.14.1 \
+ crate://crates.io/hashlink/0.8.4 \
+ crate://crates.io/heck/0.3.3 \
+ crate://crates.io/hermit-abi/0.3.3 \
+ crate://crates.io/hex/0.4.3 \
+ crate://crates.io/home/0.5.5 \
+ crate://crates.io/hostname-validator/1.1.1 \
+ crate://crates.io/humantime/2.1.0 \
+ crate://crates.io/idna/0.4.0 \
+ crate://crates.io/indexmap/2.0.2 \
+ crate://crates.io/instant/0.1.12 \
+ crate://crates.io/is-terminal/0.4.9 \
+ crate://crates.io/itertools/0.10.5 \
+ crate://crates.io/itoa/1.0.9 \
+ crate://crates.io/js-sys/0.3.64 \
+ crate://crates.io/jsonwebkey/0.3.5 \
+ crate://crates.io/jsonwebtoken/8.3.0 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/lazycell/1.3.0 \
+ crate://crates.io/libc/0.2.149 \
+ crate://crates.io/libloading/0.7.4 \
+ crate://crates.io/libsqlite3-sys/0.26.0 \
+ crate://crates.io/libz-sys/1.1.12 \
+ crate://crates.io/linux-raw-sys/0.4.10 \
+ crate://crates.io/lock_api/0.4.10 \
+ crate://crates.io/log/0.4.20 \
+ crate://crates.io/mbox/0.6.0 \
+ crate://crates.io/memchr/2.6.4 \
+ crate://crates.io/minimal-lexical/0.2.1 \
+ crate://crates.io/multimap/0.8.3 \
+ crate://crates.io/nom/5.1.3 \
+ crate://crates.io/nom/7.1.3 \
+ crate://crates.io/num/0.4.1 \
+ crate://crates.io/num-bigint/0.4.4 \
+ crate://crates.io/num-complex/0.4.4 \
+ crate://crates.io/num-derive/0.4.1 \
+ crate://crates.io/num-integer/0.1.45 \
+ crate://crates.io/num-iter/0.1.43 \
+ crate://crates.io/num-rational/0.4.1 \
+ crate://crates.io/num-traits/0.2.17 \
+ crate://crates.io/num_cpus/1.16.0 \
+ crate://crates.io/oid/0.2.1 \
+ crate://crates.io/oid-registry/0.4.0 \
+ crate://crates.io/once_cell/1.18.0 \
+ crate://crates.io/parking_lot/0.11.2 \
+ crate://crates.io/parking_lot_core/0.8.6 \
+ crate://crates.io/parsec-interface/0.29.1 \
+ crate://crates.io/paste/1.0.14 \
+ crate://crates.io/peeking_take_while/0.1.2 \
+ crate://crates.io/pem/1.1.1 \
+ crate://crates.io/percent-encoding/2.3.0 \
+ crate://crates.io/pest/2.7.4 \
+ crate://crates.io/petgraph/0.6.4 \
+ crate://crates.io/picky-asn1/0.8.0 \
+ crate://crates.io/picky-asn1-der/0.4.1 \
+ crate://crates.io/picky-asn1-x509/0.12.0 \
+ crate://crates.io/pin-project-lite/0.2.13 \
+ crate://crates.io/pin-utils/0.1.0 \
+ crate://crates.io/pkcs8/0.8.0 \
+ crate://crates.io/pkg-config/0.3.27 \
+ crate://crates.io/ppv-lite86/0.2.17 \
+ crate://crates.io/prettyplease/0.2.15 \
+ crate://crates.io/proc-macro-error/1.0.4 \
+ crate://crates.io/proc-macro-error-attr/1.0.4 \
+ crate://crates.io/proc-macro2/1.0.69 \
+ crate://crates.io/prost/0.9.0 \
+ crate://crates.io/prost-build/0.9.0 \
+ crate://crates.io/prost-derive/0.9.0 \
+ crate://crates.io/prost-types/0.9.0 \
+ crate://crates.io/protobuf/2.28.0 \
+ crate://crates.io/psa-crypto/0.12.0 \
+ crate://crates.io/psa-crypto-sys/0.12.0 \
+ crate://crates.io/quote/1.0.33 \
+ crate://crates.io/rand/0.8.5 \
+ crate://crates.io/rand_chacha/0.3.1 \
+ crate://crates.io/rand_core/0.6.4 \
+ crate://crates.io/redox_syscall/0.2.16 \
+ crate://crates.io/redox_syscall/0.3.5 \
+ crate://crates.io/regex/1.9.6 \
+ crate://crates.io/regex-automata/0.3.9 \
+ crate://crates.io/regex-syntax/0.7.5 \
+ crate://crates.io/ring/0.16.20 \
+ crate://crates.io/rusqlite/0.29.0 \
+ crate://crates.io/rust-cryptoauthlib/0.4.5 \
+ crate://crates.io/rustc-hash/1.1.0 \
+ crate://crates.io/rustc_version/0.3.3 \
+ crate://crates.io/rusticata-macros/4.1.0 \
+ crate://crates.io/rustix/0.38.18 \
+ crate://crates.io/ryu/1.0.15 \
+ crate://crates.io/same-file/1.0.6 \
+ crate://crates.io/scopeguard/1.2.0 \
+ crate://crates.io/sd-notify/0.4.1 \
+ crate://crates.io/secrecy/0.8.0 \
+ crate://crates.io/semver/0.11.0 \
+ crate://crates.io/semver-parser/0.10.2 \
+ crate://crates.io/serde/1.0.188 \
+ crate://crates.io/serde_bytes/0.11.12 \
+ crate://crates.io/serde_derive/1.0.188 \
+ crate://crates.io/serde_json/1.0.107 \
+ crate://crates.io/serde_spanned/0.6.3 \
+ crate://crates.io/shlex/0.1.1 \
+ crate://crates.io/shlex/1.2.0 \
+ crate://crates.io/signal-hook/0.3.17 \
+ crate://crates.io/signal-hook-registry/1.4.1 \
+ crate://crates.io/simple_asn1/0.6.2 \
+ crate://crates.io/slab/0.4.9 \
+ crate://crates.io/smallvec/1.11.1 \
+ crate://crates.io/spiffe/0.2.1 \
+ crate://crates.io/spin/0.5.2 \
+ crate://crates.io/spki/0.5.4 \
+ crate://crates.io/stable_deref_trait/1.2.0 \
+ crate://crates.io/structopt/0.3.26 \
+ crate://crates.io/structopt-derive/0.4.18 \
+ crate://crates.io/strum_macros/0.21.1 \
+ crate://crates.io/syn/1.0.109 \
+ crate://crates.io/syn/2.0.38 \
+ crate://crates.io/synstructure/0.12.6 \
+ crate://crates.io/target-lexicon/0.12.11 \
+ crate://crates.io/tempfile/3.8.0 \
+ crate://crates.io/termcolor/1.3.0 \
+ crate://crates.io/textwrap/0.11.0 \
+ crate://crates.io/thiserror/1.0.49 \
+ crate://crates.io/thiserror-impl/1.0.49 \
+ crate://crates.io/threadpool/1.8.1 \
+ crate://crates.io/time/0.3.29 \
+ crate://crates.io/time-core/0.1.2 \
+ crate://crates.io/time-macros/0.2.15 \
+ crate://crates.io/tinyvec/1.6.0 \
+ crate://crates.io/tinyvec_macros/0.1.1 \
+ crate://crates.io/toml/0.8.2 \
+ crate://crates.io/toml_datetime/0.6.3 \
+ crate://crates.io/toml_edit/0.20.2 \
+ crate://crates.io/tss-esapi/7.4.0 \
+ crate://crates.io/tss-esapi-sys/0.5.0 \
+ crate://crates.io/typenum/1.17.0 \
+ crate://crates.io/ucd-trie/0.1.6 \
+ crate://crates.io/unicode-bidi/0.3.13 \
+ crate://crates.io/unicode-ident/1.0.12 \
+ crate://crates.io/unicode-normalization/0.1.22 \
+ crate://crates.io/unicode-segmentation/1.10.1 \
+ crate://crates.io/unicode-width/0.1.11 \
+ crate://crates.io/unicode-xid/0.2.4 \
+ crate://crates.io/untrusted/0.7.1 \
+ crate://crates.io/url/2.4.1 \
+ crate://crates.io/uuid/0.8.2 \
+ crate://crates.io/vcpkg/0.2.15 \
+ crate://crates.io/version_check/0.9.4 \
+ crate://crates.io/walkdir/2.4.0 \
+ crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1 \
+ crate://crates.io/wasm-bindgen/0.2.87 \
+ crate://crates.io/wasm-bindgen-backend/0.2.87 \
+ crate://crates.io/wasm-bindgen-macro/0.2.87 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.87 \
+ crate://crates.io/wasm-bindgen-shared/0.2.87 \
+ crate://crates.io/web-sys/0.3.64 \
+ crate://crates.io/which/4.4.2 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-util/0.1.6 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+ crate://crates.io/windows-sys/0.48.0 \
+ crate://crates.io/windows-targets/0.48.5 \
+ crate://crates.io/windows_aarch64_gnullvm/0.48.5 \
+ crate://crates.io/windows_aarch64_msvc/0.48.5 \
+ crate://crates.io/windows_i686_gnu/0.48.5 \
+ crate://crates.io/windows_i686_msvc/0.48.5 \
+ crate://crates.io/windows_x86_64_gnu/0.48.5 \
+ crate://crates.io/windows_x86_64_gnullvm/0.48.5 \
+ crate://crates.io/windows_x86_64_msvc/0.48.5 \
+ crate://crates.io/winnow/0.5.16 \
+ crate://crates.io/x509-parser/0.13.2 \
+ crate://crates.io/yasna/0.4.0 \
+ crate://crates.io/zeroize/1.6.0 \
+ crate://crates.io/zeroize_derive/1.4.2 \
+"
+
+SRC_URI[ahash-0.8.3.sha256sum] = "2c99f64d1e06488f620f932677e24bc6e2897582980441ae90a671415bd7ec2f"
+SRC_URI[aho-corasick-1.1.2.sha256sum] = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0"
+SRC_URI[allocator-api2-0.2.16.sha256sum] = "0942ffc6dcaadf03badf6e6a2d0228460359d5e34b57ccdc720b7382dfbd5ec5"
+SRC_URI[anyhow-1.0.75.sha256sum] = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6"
+SRC_URI[asn1-rs-0.3.1.sha256sum] = "30ff05a702273012438132f449575dbc804e27b2f3cbe3069aa237d26c98fa33"
+SRC_URI[asn1-rs-derive-0.1.0.sha256sum] = "db8b7511298d5b7784b40b092d9e9dcd3a627a5707e4b5e507931ab0d44eeebf"
+SRC_URI[asn1-rs-impl-0.1.0.sha256sum] = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[base64-0.13.1.sha256sum] = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+SRC_URI[base64-0.21.4.sha256sum] = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2"
+SRC_URI[bincode-1.3.3.sha256sum] = "b1f45e9417d87227c7a56d22e471c6206462cba514c7590c09aff4cf6d1ddcad"
+SRC_URI[bindgen-0.57.0.sha256sum] = "fd4865004a46a0aafb2a0a5eb19d3c9fc46ee5f063a6cfc605c69ac9ecf5263d"
+SRC_URI[bindgen-0.66.1.sha256sum] = "f2b84e06fc203107bfbad243f4aba2af864eb7db3b1cf46ea0a023b0b433d2a7"
+SRC_URI[bitfield-0.14.0.sha256sum] = "2d7e60934ceec538daadb9d8432424ed043a904d8e0243f3c6446bce549a46ac"
+SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+SRC_URI[bitflags-2.4.0.sha256sum] = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635"
+SRC_URI[bumpalo-3.14.0.sha256sum] = "7f30e7476521f6f8af1a1c4c0b8cc94f0bee37d91763d0ca2665f299b6cd8aec"
+SRC_URI[bytes-1.5.0.sha256sum] = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223"
+SRC_URI[cc-1.0.83.sha256sum] = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0"
+SRC_URI[cexpr-0.4.0.sha256sum] = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27"
+SRC_URI[cexpr-0.6.0.sha256sum] = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[clang-sys-1.6.1.sha256sum] = "c688fc74432808e3eb684cae8830a86be1d66a2bd58e1f248ed0960a590baf6f"
+SRC_URI[clap-2.34.0.sha256sum] = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
+SRC_URI[cmake-0.1.45.sha256sum] = "eb6210b637171dfba4cda12e579ac6dc73f5165ad56133e5d72ef3131f320855"
+SRC_URI[const-oid-0.7.1.sha256sum] = "e4c78c047431fee22c1a7bb92e00ad095a02a983affe4d8a72e2a2c62c1b94f3"
+SRC_URI[cryptoauthlib-sys-0.2.2.sha256sum] = "da232dd4f06ee4600b33a455bb17fcc6c2c3a54ee7fd60496d3a73668a6cb6e4"
+SRC_URI[cryptoki-0.6.0.sha256sum] = "e08651cefd925cd83d8d1b4f96276c18fe5ee148ab8c8a47f462316d36bc01af"
+SRC_URI[cryptoki-sys-0.1.7.sha256sum] = "7a978e5e226446ac68eded4f92796947130f0d21de1e21bf80298f9f50d917d5"
+SRC_URI[data-encoding-2.4.0.sha256sum] = "c2e66c9d817f1720209181c316d28635c050fa304f9c79e47a520882661b7308"
+SRC_URI[der-0.5.1.sha256sum] = "6919815d73839e7ad218de758883aae3a257ba6759ce7a9992501efbb53d705c"
+SRC_URI[der-parser-7.0.0.sha256sum] = "fe398ac75057914d7d07307bf67dc7f3f574a26783b4fc7805a20ffa9f506e82"
+SRC_URI[deranged-0.3.8.sha256sum] = "f2696e8a945f658fd14dc3b87242e6b80cd0f36ff04ea560fa39082368847946"
+SRC_URI[derivative-2.2.0.sha256sum] = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+SRC_URI[displaydoc-0.2.4.sha256sum] = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d"
+SRC_URI[either-1.9.0.sha256sum] = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07"
+SRC_URI[enumflags2-0.7.8.sha256sum] = "5998b4f30320c9d93aed72f63af821bfdac50465b75428fce77b48ec482c3939"
+SRC_URI[enumflags2_derive-0.7.8.sha256sum] = "f95e2801cd355d4a1a3e3953ce6ee5ae9603a5c833455343a8bfe3f44d418246"
+SRC_URI[env_logger-0.10.0.sha256sum] = "85cdab6a89accf66733ad5a1693a4dcced6aeff64602b634530dd73c1f3ee9f0"
+SRC_URI[equivalent-1.0.1.sha256sum] = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
+SRC_URI[errno-0.3.5.sha256sum] = "ac3e13f66a2f95e32a39eaa81f6b95d42878ca0e1db0c7543723dfe12557e860"
+SRC_URI[fallible-iterator-0.2.0.sha256sum] = "4443176a9f2c162692bd3d352d745ef9413eec5782a80d8fd6f8a1ac692a07f7"
+SRC_URI[fallible-streaming-iterator-0.1.9.sha256sum] = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a"
+SRC_URI[fastrand-2.0.1.sha256sum] = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5"
+SRC_URI[fixedbitset-0.4.2.sha256sum] = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80"
+SRC_URI[form_urlencoded-1.2.0.sha256sum] = "a62bc1cf6f830c2ec14a513a9fb124d0a213a629668a4186f329db21fe045652"
+SRC_URI[futures-0.3.28.sha256sum] = "23342abe12aba583913b2e62f22225ff9c950774065e4bfb61a19cd9770fec40"
+SRC_URI[futures-channel-0.3.28.sha256sum] = "955518d47e09b25bbebc7a18df10b81f0c766eaf4c4f1cccef2fca5f2a4fb5f2"
+SRC_URI[futures-core-0.3.28.sha256sum] = "4bca583b7e26f571124fe5b7561d49cb2868d79116cfa0eefce955557c6fee8c"
+SRC_URI[futures-executor-0.3.28.sha256sum] = "ccecee823288125bd88b4d7f565c9e58e41858e47ab72e8ea2d64e93624386e0"
+SRC_URI[futures-io-0.3.28.sha256sum] = "4fff74096e71ed47f8e023204cfd0aa1289cd54ae5430a9523be060cdb849964"
+SRC_URI[futures-macro-0.3.28.sha256sum] = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72"
+SRC_URI[futures-sink-0.3.28.sha256sum] = "f43be4fe21a13b9781a69afa4985b0f6ee0e1afab2c6f454a8cf30e2b2237b6e"
+SRC_URI[futures-task-0.3.28.sha256sum] = "76d3d132be6c0e6aa1534069c705a74a5997a356c0dc2f86a47765e5617c5b65"
+SRC_URI[futures-util-0.3.28.sha256sum] = "26b01e40b772d54cf6c6d721c1d1abd0647a0106a12ecaa1c186273392a69533"
+SRC_URI[generic-array-0.14.7.sha256sum] = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+SRC_URI[getrandom-0.2.10.sha256sum] = "be4136b2a15dd319360be1c07d9933517ccf0be8f16bf62a3bee4f0d618df427"
+SRC_URI[glob-0.3.1.sha256sum] = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+SRC_URI[grpcio-0.9.1.sha256sum] = "24d99e00eed7e0a04ee2705112e7cfdbe1a3cc771147f22f016a8cd2d002187b"
+SRC_URI[grpcio-sys-0.9.1+1.38.0.sha256sum] = "9447d1a926beeef466606cc45717f80897998b548e7dc622873d453e1ecb4be4"
+SRC_URI[hashbrown-0.14.1.sha256sum] = "7dfda62a12f55daeae5015f81b0baea145391cb4520f86c248fc615d72640d12"
+SRC_URI[hashlink-0.8.4.sha256sum] = "e8094feaf31ff591f651a2664fb9cfd92bba7a60ce3197265e9482ebe753c8f7"
+SRC_URI[heck-0.3.3.sha256sum] = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
+SRC_URI[hermit-abi-0.3.3.sha256sum] = "d77f7ec81a6d05a3abb01ab6eb7590f6083d08449fe5a1c8b1e620283546ccb7"
+SRC_URI[hex-0.4.3.sha256sum] = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+SRC_URI[home-0.5.5.sha256sum] = "5444c27eef6923071f7ebcc33e3444508466a76f7a2b93da00ed6e19f30c1ddb"
+SRC_URI[hostname-validator-1.1.1.sha256sum] = "f558a64ac9af88b5ba400d99b579451af0d39c6d360980045b91aac966d705e2"
+SRC_URI[humantime-2.1.0.sha256sum] = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
+SRC_URI[idna-0.4.0.sha256sum] = "7d20d6b07bfbc108882d88ed8e37d39636dcc260e15e30c45e6ba089610b917c"
+SRC_URI[indexmap-2.0.2.sha256sum] = "8adf3ddd720272c6ea8bf59463c04e0f93d0bbf7c5439b691bca2987e0270897"
+SRC_URI[instant-0.1.12.sha256sum] = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
+SRC_URI[is-terminal-0.4.9.sha256sum] = "cb0889898416213fab133e1d33a0e5858a48177452750691bde3666d0fdbaf8b"
+SRC_URI[itertools-0.10.5.sha256sum] = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+SRC_URI[itoa-1.0.9.sha256sum] = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38"
+SRC_URI[js-sys-0.3.64.sha256sum] = "c5f195fe497f702db0f318b07fdd68edb16955aed830df8363d837542f8f935a"
+SRC_URI[jsonwebkey-0.3.5.sha256sum] = "c57c852b14147e2bd58c14fde40398864453403ef632b1101db130282ee6e2cc"
+SRC_URI[jsonwebtoken-8.3.0.sha256sum] = "6971da4d9c3aa03c3d8f3ff0f4155b534aad021292003895a469716b2a230378"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[lazycell-1.3.0.sha256sum] = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
+SRC_URI[libc-0.2.149.sha256sum] = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b"
+SRC_URI[libloading-0.7.4.sha256sum] = "b67380fd3b2fbe7527a606e18729d21c6f3951633d0500574c4dc22d2d638b9f"
+SRC_URI[libsqlite3-sys-0.26.0.sha256sum] = "afc22eff61b133b115c6e8c74e818c628d6d5e7a502afea6f64dee076dd94326"
+SRC_URI[libz-sys-1.1.12.sha256sum] = "d97137b25e321a73eef1418d1d5d2eda4d77e12813f8e6dead84bc52c5870a7b"
+SRC_URI[linux-raw-sys-0.4.10.sha256sum] = "da2479e8c062e40bf0066ffa0bc823de0a9368974af99c9f6df941d2c231e03f"
+SRC_URI[lock_api-0.4.10.sha256sum] = "c1cc9717a20b1bb222f333e6a92fd32f7d8a18ddc5a3191a11af45dcbf4dcd16"
+SRC_URI[log-0.4.20.sha256sum] = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f"
+SRC_URI[mbox-0.6.0.sha256sum] = "0f88d5c34d63aad11aa4321ef55ccb064af58b3ad8091079ae22bf83e5eb75d6"
+SRC_URI[memchr-2.6.4.sha256sum] = "f665ee40bc4a3c5590afb1e9677db74a508659dfd71e126420da8274909a0167"
+SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+SRC_URI[multimap-0.8.3.sha256sum] = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a"
+SRC_URI[nom-5.1.3.sha256sum] = "08959a387a676302eebf4ddbcbc611da04285579f76f88ee0506c63b1a61dd4b"
+SRC_URI[nom-7.1.3.sha256sum] = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+SRC_URI[num-0.4.1.sha256sum] = "b05180d69e3da0e530ba2a1dae5110317e49e3b7f3d41be227dc5f92e49ee7af"
+SRC_URI[num-bigint-0.4.4.sha256sum] = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0"
+SRC_URI[num-complex-0.4.4.sha256sum] = "1ba157ca0885411de85d6ca030ba7e2a83a28636056c7c699b07c8b6f7383214"
+SRC_URI[num-derive-0.4.1.sha256sum] = "cfb77679af88f8b125209d354a202862602672222e7f2313fdd6dc349bad4712"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-iter-0.1.43.sha256sum] = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252"
+SRC_URI[num-rational-0.4.1.sha256sum] = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0"
+SRC_URI[num-traits-0.2.17.sha256sum] = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c"
+SRC_URI[num_cpus-1.16.0.sha256sum] = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
+SRC_URI[oid-0.2.1.sha256sum] = "9c19903c598813dba001b53beeae59bb77ad4892c5c1b9b3500ce4293a0d06c2"
+SRC_URI[oid-registry-0.4.0.sha256sum] = "38e20717fa0541f39bd146692035c37bedfa532b3e5071b35761082407546b2a"
+SRC_URI[once_cell-1.18.0.sha256sum] = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"
+SRC_URI[parking_lot-0.11.2.sha256sum] = "7d17b78036a60663b797adeaee46f5c9dfebb86948d1255007a1d6be0271ff99"
+SRC_URI[parking_lot_core-0.8.6.sha256sum] = "60a2cfe6f0ad2bfc16aefa463b497d5c7a5ecd44a23efa72aa342d90177356dc"
+SRC_URI[parsec-interface-0.29.1.sha256sum] = "cc706e09209b30f10baa35709d41b9cc01d4931b21c00679f59db96cd1650add"
+SRC_URI[paste-1.0.14.sha256sum] = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c"
+SRC_URI[peeking_take_while-0.1.2.sha256sum] = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
+SRC_URI[pem-1.1.1.sha256sum] = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8"
+SRC_URI[percent-encoding-2.3.0.sha256sum] = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94"
+SRC_URI[pest-2.7.4.sha256sum] = "c022f1e7b65d6a24c0dbbd5fb344c66881bc01f3e5ae74a1c8100f2f985d98a4"
+SRC_URI[petgraph-0.6.4.sha256sum] = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9"
+SRC_URI[picky-asn1-0.8.0.sha256sum] = "295eea0f33c16be21e2a98b908fdd4d73c04dd48c8480991b76dbcf0cb58b212"
+SRC_URI[picky-asn1-der-0.4.1.sha256sum] = "5df7873a9e36d42dadb393bea5e211fe83d793c172afad5fb4ec846ec582793f"
+SRC_URI[picky-asn1-x509-0.12.0.sha256sum] = "2c5f20f71a68499ff32310f418a6fad8816eac1a2859ed3f0c5c741389dd6208"
+SRC_URI[pin-project-lite-0.2.13.sha256sum] = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58"
+SRC_URI[pin-utils-0.1.0.sha256sum] = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+SRC_URI[pkcs8-0.8.0.sha256sum] = "7cabda3fb821068a9a4fab19a683eac3af12edf0f34b94a8be53c4972b8149d0"
+SRC_URI[pkg-config-0.3.27.sha256sum] = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
+SRC_URI[ppv-lite86-0.2.17.sha256sum] = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
+SRC_URI[prettyplease-0.2.15.sha256sum] = "ae005bd773ab59b4725093fd7df83fd7892f7d8eafb48dbd7de6e024e4215f9d"
+SRC_URI[proc-macro-error-1.0.4.sha256sum] = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+SRC_URI[proc-macro-error-attr-1.0.4.sha256sum] = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+SRC_URI[proc-macro2-1.0.69.sha256sum] = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da"
+SRC_URI[prost-0.9.0.sha256sum] = "444879275cb4fd84958b1a1d5420d15e6fcf7c235fe47f053c9c2a80aceb6001"
+SRC_URI[prost-build-0.9.0.sha256sum] = "62941722fb675d463659e49c4f3fe1fe792ff24fe5bbaa9c08cd3b98a1c354f5"
+SRC_URI[prost-derive-0.9.0.sha256sum] = "f9cc1a3263e07e0bf68e96268f37665207b49560d98739662cdfaae215c720fe"
+SRC_URI[prost-types-0.9.0.sha256sum] = "534b7a0e836e3c482d2693070f982e39e7611da9695d4d1f5a4b186b51faef0a"
+SRC_URI[protobuf-2.28.0.sha256sum] = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
+SRC_URI[psa-crypto-0.12.0.sha256sum] = "89c2256e525b9a45ec3bbb3382a43dd8809240279e0aab8ea7ee220e9295445b"
+SRC_URI[psa-crypto-sys-0.12.0.sha256sum] = "f170cac3a328e1678916b276067ec170a5a51db1b9b8b4c00b44c2839819a963"
+SRC_URI[quote-1.0.33.sha256sum] = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.4.sha256sum] = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+SRC_URI[redox_syscall-0.2.16.sha256sum] = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
+SRC_URI[redox_syscall-0.3.5.sha256sum] = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
+SRC_URI[regex-1.9.6.sha256sum] = "ebee201405406dbf528b8b672104ae6d6d63e6d118cb10e4d51abbc7b58044ff"
+SRC_URI[regex-automata-0.3.9.sha256sum] = "59b23e92ee4318893fa3fe3e6fb365258efbfe6ac6ab30f090cdcbb7aa37efa9"
+SRC_URI[regex-syntax-0.7.5.sha256sum] = "dbb5fb1acd8a1a18b3dd5be62d25485eb770e05afb408a9627d14d451bae12da"
+SRC_URI[ring-0.16.20.sha256sum] = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+SRC_URI[rusqlite-0.29.0.sha256sum] = "549b9d036d571d42e6e85d1c1425e2ac83491075078ca9a15be021c56b1641f2"
+SRC_URI[rust-cryptoauthlib-0.4.5.sha256sum] = "adab07508c090715a5cd3d072f2b8ab60d7e9e04c5af19e1d3d819651b5b25a2"
+SRC_URI[rustc-hash-1.1.0.sha256sum] = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+SRC_URI[rustc_version-0.3.3.sha256sum] = "f0dfe2087c51c460008730de8b57e6a320782fbfb312e1f4d520e6c6fae155ee"
+SRC_URI[rusticata-macros-4.1.0.sha256sum] = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+SRC_URI[rustix-0.38.18.sha256sum] = "5a74ee2d7c2581cd139b42447d7d9389b889bdaad3a73f1ebb16f2a3237bb19c"
+SRC_URI[ryu-1.0.15.sha256sum] = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741"
+SRC_URI[same-file-1.0.6.sha256sum] = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+SRC_URI[scopeguard-1.2.0.sha256sum] = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+SRC_URI[sd-notify-0.4.1.sha256sum] = "621e3680f3e07db4c9c2c3fb07c6223ab2fab2e54bd3c04c3ae037990f428c32"
+SRC_URI[secrecy-0.8.0.sha256sum] = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e"
+SRC_URI[semver-0.11.0.sha256sum] = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
+SRC_URI[semver-parser-0.10.2.sha256sum] = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
+SRC_URI[serde-1.0.188.sha256sum] = "cf9e0fcba69a370eed61bcf2b728575f726b50b55cba78064753d708ddc7549e"
+SRC_URI[serde_bytes-0.11.12.sha256sum] = "ab33ec92f677585af6d88c65593ae2375adde54efdbf16d597f2cbc7a6d368ff"
+SRC_URI[serde_derive-1.0.188.sha256sum] = "4eca7ac642d82aa35b60049a6eccb4be6be75e599bd2e9adb5f875a737654af2"
+SRC_URI[serde_json-1.0.107.sha256sum] = "6b420ce6e3d8bd882e9b243c6eed35dbc9a6110c9769e74b584e0d68d1f20c65"
+SRC_URI[serde_spanned-0.6.3.sha256sum] = "96426c9936fd7a0124915f9185ea1d20aa9445cc9821142f0a73bc9207a2e186"
+SRC_URI[shlex-0.1.1.sha256sum] = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
+SRC_URI[shlex-1.2.0.sha256sum] = "a7cee0529a6d40f580e7a5e6c495c8fbfe21b7b52795ed4bb5e62cdf92bc6380"
+SRC_URI[signal-hook-0.3.17.sha256sum] = "8621587d4798caf8eb44879d42e56b9a93ea5dcd315a6487c357130095b62801"
+SRC_URI[signal-hook-registry-1.4.1.sha256sum] = "d8229b473baa5980ac72ef434c4415e70c4b5e71b423043adb4ba059f89c99a1"
+SRC_URI[simple_asn1-0.6.2.sha256sum] = "adc4e5204eb1910f40f9cfa375f6f05b68c3abac4b6fd879c8ff5e7ae8a0a085"
+SRC_URI[slab-0.4.9.sha256sum] = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
+SRC_URI[smallvec-1.11.1.sha256sum] = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a"
+SRC_URI[spiffe-0.2.1.sha256sum] = "f30161ecb25b9acc06eb61d750aaf1c4b3a536e22ff19fc2d250976537e93a11"
+SRC_URI[spin-0.5.2.sha256sum] = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+SRC_URI[spki-0.5.4.sha256sum] = "44d01ac02a6ccf3e07db148d2be087da624fea0221a16152ed01f0496a6b0a27"
+SRC_URI[stable_deref_trait-1.2.0.sha256sum] = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+SRC_URI[structopt-0.3.26.sha256sum] = "0c6b5c64445ba8094a6ab0c3cd2ad323e07171012d9c98b0b15651daf1787a10"
+SRC_URI[structopt-derive-0.4.18.sha256sum] = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0"
+SRC_URI[strum_macros-0.21.1.sha256sum] = "d06aaeeee809dbc59eb4556183dd927df67db1540de5be8d3ec0b6636358a5ec"
+SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+SRC_URI[syn-2.0.38.sha256sum] = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b"
+SRC_URI[synstructure-0.12.6.sha256sum] = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+SRC_URI[target-lexicon-0.12.11.sha256sum] = "9d0e916b1148c8e263850e1ebcbd046f333e0683c724876bb0da63ea4373dc8a"
+SRC_URI[tempfile-3.8.0.sha256sum] = "cb94d2f3cc536af71caac6b6fcebf65860b347e7ce0cc9ebe8f70d3e521054ef"
+SRC_URI[termcolor-1.3.0.sha256sum] = "6093bad37da69aab9d123a8091e4be0aa4a03e4d601ec641c327398315f62b64"
+SRC_URI[textwrap-0.11.0.sha256sum] = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+SRC_URI[thiserror-1.0.49.sha256sum] = "1177e8c6d7ede7afde3585fd2513e611227efd6481bd78d2e82ba1ce16557ed4"
+SRC_URI[thiserror-impl-1.0.49.sha256sum] = "10712f02019e9288794769fba95cd6847df9874d49d871d062172f9dd41bc4cc"
+SRC_URI[threadpool-1.8.1.sha256sum] = "d050e60b33d41c19108b32cea32164033a9013fe3b46cbd4457559bfbf77afaa"
+SRC_URI[time-0.3.29.sha256sum] = "426f806f4089c493dcac0d24c29c01e2c38baf8e30f1b716ee37e83d200b18fe"
+SRC_URI[time-core-0.1.2.sha256sum] = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
+SRC_URI[time-macros-0.2.15.sha256sum] = "4ad70d68dba9e1f8aceda7aa6711965dfec1cac869f311a51bd08b3a2ccbce20"
+SRC_URI[tinyvec-1.6.0.sha256sum] = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+SRC_URI[tinyvec_macros-0.1.1.sha256sum] = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+SRC_URI[toml-0.8.2.sha256sum] = "185d8ab0dfbb35cf1399a6344d8484209c088f75f8f68230da55d48d95d43e3d"
+SRC_URI[toml_datetime-0.6.3.sha256sum] = "7cda73e2f1397b1262d6dfdcef8aafae14d1de7748d66822d3bfeeb6d03e5e4b"
+SRC_URI[toml_edit-0.20.2.sha256sum] = "396e4d48bbb2b7554c944bde63101b5ae446cff6ec4a24227428f15eb72ef338"
+SRC_URI[tss-esapi-7.4.0.sha256sum] = "de234df360c349f78ecd33f0816ab3842db635732212b5cfad67f2638336864e"
+SRC_URI[tss-esapi-sys-0.5.0.sha256sum] = "535cd192581c2ec4d5f82e670b1d3fbba6a23ccce8c85de387642051d7cad5b5"
+SRC_URI[typenum-1.17.0.sha256sum] = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+SRC_URI[ucd-trie-0.1.6.sha256sum] = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9"
+SRC_URI[unicode-bidi-0.3.13.sha256sum] = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
+SRC_URI[unicode-ident-1.0.12.sha256sum] = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+SRC_URI[unicode-normalization-0.1.22.sha256sum] = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
+SRC_URI[unicode-segmentation-1.10.1.sha256sum] = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36"
+SRC_URI[unicode-width-0.1.11.sha256sum] = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85"
+SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+SRC_URI[untrusted-0.7.1.sha256sum] = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+SRC_URI[url-2.4.1.sha256sum] = "143b538f18257fac9cad154828a57c6bf5157e1aa604d4816b5995bf6de87ae5"
+SRC_URI[uuid-0.8.2.sha256sum] = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
+SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[walkdir-2.4.0.sha256sum] = "d71d857dc86794ca4c280d616f7da00d2dbfd8cd788846559a6813e6aa4b54ee"
+SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+SRC_URI[wasm-bindgen-0.2.87.sha256sum] = "7706a72ab36d8cb1f80ffbf0e071533974a60d0a308d01a5d0375bf60499a342"
+SRC_URI[wasm-bindgen-backend-0.2.87.sha256sum] = "5ef2b6d3c510e9625e5fe6f509ab07d66a760f0885d858736483c32ed7809abd"
+SRC_URI[wasm-bindgen-macro-0.2.87.sha256sum] = "dee495e55982a3bd48105a7b947fd2a9b4a8ae3010041b9e0faab3f9cd028f1d"
+SRC_URI[wasm-bindgen-macro-support-0.2.87.sha256sum] = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b"
+SRC_URI[wasm-bindgen-shared-0.2.87.sha256sum] = "ca6ad05a4870b2bf5fe995117d3728437bd27d7cd5f06f13c17443ef369775a1"
+SRC_URI[web-sys-0.3.64.sha256sum] = "9b85cbef8c220a6abc02aefd892dfc0fc23afb1c6a426316ec33253a3877249b"
+SRC_URI[which-4.4.2.sha256sum] = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.6.sha256sum] = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+SRC_URI[windows-sys-0.48.0.sha256sum] = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+SRC_URI[windows-targets-0.48.5.sha256sum] = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+SRC_URI[windows_aarch64_gnullvm-0.48.5.sha256sum] = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+SRC_URI[windows_aarch64_msvc-0.48.5.sha256sum] = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+SRC_URI[windows_i686_gnu-0.48.5.sha256sum] = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+SRC_URI[windows_i686_msvc-0.48.5.sha256sum] = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+SRC_URI[windows_x86_64_gnu-0.48.5.sha256sum] = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+SRC_URI[windows_x86_64_gnullvm-0.48.5.sha256sum] = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+SRC_URI[windows_x86_64_msvc-0.48.5.sha256sum] = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+SRC_URI[winnow-0.5.16.sha256sum] = "037711d82167854aff2018dfd193aa0fef5370f456732f0d5a0c59b0f1b4b907"
+SRC_URI[x509-parser-0.13.2.sha256sum] = "9fb9bace5b5589ffead1afb76e43e34cff39cd0f3ce7e170ae0c29e53b88eb1c"
+SRC_URI[yasna-0.4.0.sha256sum] = "e262a29d0e61ccf2b6190d7050d4b237535fc76ce4c1210d9caa316f71dffa75"
+SRC_URI[zeroize-1.6.0.sha256sum] = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9"
+SRC_URI[zeroize_derive-1.4.2.sha256sum] = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
deleted file mode 100644
index 0e14955..0000000
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
+++ /dev/null
@@ -1,67 +0,0 @@
-SUMMARY = "Platform AbstRaction for SECurity Daemon"
-HOMEPAGE = "https://github.com/parallaxsecond/parsec"
-LICENSE = "Apache-2.0"
-
-inherit cargo
-
-SRC_URI += "crate://crates.io/parsec-service/${PV} \
- file://parsec_init \
- file://systemd.patch \
- file://parsec-tmpfiles.conf \
-"
-
-DEPENDS = "tpm2-tss"
-TOOLCHAIN = "clang"
-
-CARGO_BUILD_FLAGS += " --features all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings"
-
-inherit systemd
-SYSTEMD_SERVICE_${PN} = "parsec.service"
-
-inherit update-rc.d
-INITSCRIPT_NAME = "parsec"
-
-# A local file can be defined in build/local.conf
-# The file should also be included into SRC_URI then
-PARSEC_CONFIG ?= "${S}/config.toml"
-
-do_install_append () {
- # Binaries
- install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec"
- install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec
-
- # Config file
- install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec"
- install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml
-
- # Data dir
- install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${systemd_unitdir}/system
- install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system
-
- install -d ${D}${libdir}/tmpfiles.d
- install -m 644 ${WORKDIR}/parsec-tmpfiles.conf ${D}${libdir}/tmpfiles.d
- fi
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/init.d
- install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec
- fi
-}
-
-inherit useradd
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
-GROUPADD_PARAM_${PN} = "-r parsec"
-
-FILES_${PN} += " \
- ${sysconfdir}/parsec/config.toml \
- ${libexecdir}/parsec/parsec \
- ${systemd_unitdir}/system/parsec.service \
- ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \
- ${sysconfdir}/init.d/parsec \
-"
-
-require parsec-service_${PV}.inc
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc
deleted file mode 100644
index 59a47f9..0000000
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.inc
+++ /dev/null
@@ -1,147 +0,0 @@
-# This file is created from parsec-service repository Cargo.lock using cargo-bitbake tool
-
-SRC_URI += " \
- crate://crates.io/aho-corasick/0.7.15 \
- crate://crates.io/ansi_term/0.11.0 \
- crate://crates.io/anyhow/1.0.38 \
- crate://crates.io/atty/0.2.14 \
- crate://crates.io/autocfg/1.0.1 \
- crate://crates.io/base64/0.12.3 \
- crate://crates.io/base64/0.13.0 \
- crate://crates.io/bincode/1.3.2 \
- crate://crates.io/bindgen/0.56.0 \
- crate://crates.io/bindgen/0.57.0 \
- crate://crates.io/bitfield/0.13.2 \
- crate://crates.io/bitflags/1.2.1 \
- crate://crates.io/byteorder/1.3.4 \
- crate://crates.io/bytes/0.5.6 \
- crate://crates.io/bytes/1.0.1 \
- crate://crates.io/cc/1.0.67 \
- crate://crates.io/cexpr/0.4.0 \
- crate://crates.io/cfg-if/1.0.0 \
- crate://crates.io/clang-sys/1.1.1 \
- crate://crates.io/clap/2.33.3 \
- crate://crates.io/cmake/0.1.45 \
- crate://crates.io/cryptoauthlib-sys/0.1.0 \
- crate://crates.io/cryptoki-sys/0.1.1 \
- crate://crates.io/cryptoki/0.1.1 \
- crate://crates.io/derivative/2.2.0 \
- crate://crates.io/either/1.6.1 \
- crate://crates.io/enumflags2/0.6.4 \
- crate://crates.io/enumflags2_derive/0.6.4 \
- crate://crates.io/env_logger/0.8.3 \
- crate://crates.io/fixedbitset/0.2.0 \
- crate://crates.io/getrandom/0.2.2 \
- crate://crates.io/glob/0.3.0 \
- crate://crates.io/hashbrown/0.9.1 \
- crate://crates.io/heck/0.3.2 \
- crate://crates.io/hermit-abi/0.1.18 \
- crate://crates.io/hex/0.4.3 \
- crate://crates.io/hostname-validator/1.0.0 \
- crate://crates.io/humantime/2.1.0 \
- crate://crates.io/indexmap/1.6.2 \
- crate://crates.io/itertools/0.8.2 \
- crate://crates.io/itertools/0.9.0 \
- crate://crates.io/lazy_static/1.4.0 \
- crate://crates.io/lazycell/1.3.0 \
- crate://crates.io/libc/0.2.89 \
- crate://crates.io/libloading/0.7.0 \
- crate://crates.io/log/0.4.14 \
- crate://crates.io/mbox/0.5.0 \
- crate://crates.io/memchr/2.3.4 \
- crate://crates.io/multimap/0.8.3 \
- crate://crates.io/nom/5.1.2 \
- crate://crates.io/num-bigint/0.3.2 \
- crate://crates.io/num-complex/0.3.1 \
- crate://crates.io/num-derive/0.3.3 \
- crate://crates.io/num-integer/0.1.44 \
- crate://crates.io/num-iter/0.1.42 \
- crate://crates.io/num-rational/0.3.2 \
- crate://crates.io/num-traits/0.2.14 \
- crate://crates.io/num/0.3.1 \
- crate://crates.io/num_cpus/1.13.0 \
- crate://crates.io/oid/0.1.1 \
- crate://crates.io/parsec-interface/0.24.0 \
- crate://crates.io/peeking_take_while/0.1.2 \
- crate://crates.io/petgraph/0.5.1 \
- crate://crates.io/picky-asn1-der/0.2.4 \
- crate://crates.io/picky-asn1-x509/0.4.0 \
- crate://crates.io/picky-asn1/0.3.1 \
- crate://crates.io/pkg-config/0.3.19 \
- crate://crates.io/ppv-lite86/0.2.10 \
- crate://crates.io/proc-macro-error-attr/1.0.4 \
- crate://crates.io/proc-macro-error/1.0.4 \
- crate://crates.io/proc-macro2/1.0.24 \
- crate://crates.io/prost-build/0.6.1 \
- crate://crates.io/prost-build/0.7.0 \
- crate://crates.io/prost-derive/0.6.1 \
- crate://crates.io/prost-derive/0.7.0 \
- crate://crates.io/prost-types/0.6.1 \
- crate://crates.io/prost-types/0.7.0 \
- crate://crates.io/prost/0.6.1 \
- crate://crates.io/prost/0.7.0 \
- crate://crates.io/psa-crypto-sys/0.8.0 \
- crate://crates.io/psa-crypto/0.8.0 \
- crate://crates.io/quote/1.0.9 \
- crate://crates.io/rand/0.8.3 \
- crate://crates.io/rand_chacha/0.3.0 \
- crate://crates.io/rand_core/0.6.2 \
- crate://crates.io/rand_hc/0.3.0 \
- crate://crates.io/redox_syscall/0.2.5 \
- crate://crates.io/regex-syntax/0.6.23 \
- crate://crates.io/regex/1.4.5 \
- crate://crates.io/remove_dir_all/0.5.3 \
- crate://crates.io/rust-cryptoauthlib/0.1.0 \
- crate://crates.io/rustc-hash/1.1.0 \
- crate://crates.io/rustc_version/0.2.3 \
- crate://crates.io/same-file/1.0.6 \
- crate://crates.io/sd-notify/0.2.0 \
- crate://crates.io/secrecy/0.7.0 \
- crate://crates.io/semver-parser/0.7.0 \
- crate://crates.io/semver/0.9.0 \
- crate://crates.io/serde/1.0.124 \
- crate://crates.io/serde_bytes/0.11.5 \
- crate://crates.io/serde_derive/1.0.124 \
- crate://crates.io/shlex/0.1.1 \
- crate://crates.io/signal-hook-registry/1.3.0 \
- crate://crates.io/signal-hook/0.3.7 \
- crate://crates.io/stable_deref_trait/1.2.0 \
- crate://crates.io/strsim/0.8.0 \
- crate://crates.io/structopt-derive/0.4.14 \
- crate://crates.io/structopt/0.3.21 \
- crate://crates.io/strum_macros/0.19.4 \
- crate://crates.io/syn/1.0.64 \
- crate://crates.io/synstructure/0.12.4 \
- crate://crates.io/tempfile/3.2.0 \
- crate://crates.io/termcolor/1.1.2 \
- crate://crates.io/textwrap/0.11.0 \
- crate://crates.io/thiserror-impl/1.0.24 \
- crate://crates.io/thiserror/1.0.24 \
- crate://crates.io/threadpool/1.8.1 \
- crate://crates.io/toml/0.5.8 \
- crate://crates.io/tss-esapi-sys/0.1.0 \
- crate://crates.io/tss-esapi/5.0.0 \
- crate://crates.io/unicode-segmentation/1.7.1 \
- crate://crates.io/unicode-width/0.1.8 \
- crate://crates.io/unicode-xid/0.2.1 \
- crate://crates.io/users/0.11.0 \
- crate://crates.io/uuid/0.8.2 \
- crate://crates.io/vec_map/0.8.2 \
- crate://crates.io/version/3.0.0 \
- crate://crates.io/version_check/0.9.3 \
- crate://crates.io/walkdir/2.3.1 \
- crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \
- crate://crates.io/which/3.1.1 \
- crate://crates.io/which/4.0.2 \
- crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
- crate://crates.io/winapi-util/0.1.5 \
- crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
- crate://crates.io/winapi/0.3.9 \
- crate://crates.io/zeroize/1.2.0 \
- crate://crates.io/zeroize_derive/1.0.1 \
- file://cryptoki.patch \
-"
-
-LIC_FILES_CHKSUM = " \
- file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \
-"
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb
new file mode 100644
index 0000000..477988e
--- /dev/null
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb
@@ -0,0 +1,96 @@
+SUMMARY = "Platform AbstRaction for SECurity Daemon"
+HOMEPAGE = "https://github.com/parallaxsecond/parsec"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+inherit cargo pkgconfig cargo-update-recipe-crates
+
+DEPENDS += "clang-native"
+
+SRC_URI += "crate://crates.io/parsec-service/${PV} \
+ file://parsec_init \
+ file://systemd.patch \
+ file://parsec-tmpfiles.conf \
+"
+SRC_URI[parsec-service-1.3.0.sha256sum] = "6e171f6394f900e0356947fb7ee42f825fba7ad8cada44b520b4bec5f1c853c8"
+
+B = "${CARGO_VENDORING_DIRECTORY}/${BP}"
+
+PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO"
+have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}"
+PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}"
+
+PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"
+PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"
+PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
+PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
+PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
+PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"
+
+PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}"
+CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"
+
+export BINDGEN_EXTRA_CLANG_ARGS
+target = "${@d.getVar('TARGET_SYS',True).replace('-', ' ')}"
+BINDGEN_EXTRA_CLANG_ARGS = "${@bb.utils.contains('target', 'arm', \
+ '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include -mfloat-abi=hard', \
+ '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include', \
+ d)}"
+
+inherit systemd
+SYSTEMD_SERVICE:${PN} = "parsec.service"
+
+inherit update-rc.d
+INITSCRIPT_NAME = "parsec"
+
+# A local file can be defined in build/local.conf
+# The file should also be included into SRC_URI then
+PARSEC_CONFIG ?= "${S}/config.toml"
+
+do_install () {
+ # Binaries
+ install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec"
+ install -m 700 -o parsec -g parsec "${B}/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec
+
+ # Config file
+ install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec"
+ install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system
+
+ install -d ${D}${libdir}/tmpfiles.d
+ install -m 644 ${WORKDIR}/parsec-tmpfiles.conf ${D}${libdir}/tmpfiles.d
+ fi
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/init.d
+ install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec
+ # Data dir
+ install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"
+ fi
+}
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "-r parsec"
+USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
+GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss ;', '', d)}"
+GROUPMEMS_PARAM:${PN} += "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'trusted-service-provider', '-a parsec -g teeclnt', '', d)}"
+
+FILES:${PN} += " \
+ ${sysconfdir}/parsec/config.toml \
+ ${libexecdir}/parsec/parsec \
+ ${systemd_unitdir}/system/parsec.service \
+ ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \
+ ${sysconfdir}/init.d/parsec \
+"
+
+require parsec-service-crates.inc
+
+# The QA check has been temporarily disabled. An issue has been created
+# upstream to fix this.
+# https://github.com/parallaxsecond/parsec/issues/645
+INSANE_SKIP:${PN}-dbg += "buildpaths"
+
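Review bot: The data directory `${localstatedir}/lib/parsec` is now only created inside the sysvinit branch of do_install (L7677-L7678), yet the parsec user's home is set to that path unconditionally in USERADD_PARAM:${PN}, and the 0.7.0 recipe created it regardless of init system. Presumably parsec-tmpfiles.conf provides it under systemd, but that is not visible here, and a build with neither feature gets no directory at all, so the mode-700/owner-parsec protection applied here would not exist until something else creates it. If the tmpfiles path is the intent, make it explicit with a comment above the sysvinit block such as `# Data dir: created by parsec-tmpfiles.conf on systemd, so only needed here for sysvinit`; otherwise move the `install -d -m 700 -o parsec -g parsec` back out of the conditional. As a style point, `d.getVar('PACKAGECONFIG_CONFARGS',True)` and `d.getVar('TARGET_SYS',True)` use the deprecated positional expand argument; plain `d.getVar('PACKAGECONFIG_CONFARGS')` matches the `:append`/`:${PN}` syntax the recipe otherwise adopts.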
diff --git a/meta-parsec/recipes-parsec/parsec-tool/files/0001-parsec-cli-tests.sh-adapt-to-new-serialNumber-output.patch b/meta-parsec/recipes-parsec/parsec-tool/files/0001-parsec-cli-tests.sh-adapt-to-new-serialNumber-output.patch
new file mode 100644
index 0000000..6c5a94f
--- /dev/null
+++ b/meta-parsec/recipes-parsec/parsec-tool/files/0001-parsec-cli-tests.sh-adapt-to-new-serialNumber-output.patch
@@ -0,0 +1,33 @@
+From b5cbf8635483e2c1254d15af7427696a378dadf7 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Wed, 3 Jan 2024 12:30:38 +0000
+Subject: [PATCH] parsec-cli-tests.sh: adapt to new serialNumber output
+
+openssl 3.2.0 from yocto prints serialNumber to output
+without spaces so support both that and the old with
+spaces output to pass the test. Not using regular
+expressions to work on simpler grep implementations.
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ tests/parsec-cli-tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Upstream-Status: Submitted [https://github.com/parallaxsecond/parsec-tool/pull/120]
+
+diff --git a/tests/parsec-cli-tests.sh b/tests/parsec-cli-tests.sh
+index 7693072..4dad2bb 100755
+--- a/tests/parsec-cli-tests.sh
++++ b/tests/parsec-cli-tests.sh
+@@ -225,7 +225,7 @@ test_csr() {
+ run_cmd $OPENSSL req -text -noout -verify -in ${MY_TMP}/${KEY}.csr >${MY_TMP}/${KEY}.txt
+ debug cat ${MY_TMP}/${KEY}.txt
+
+- if ! cat ${MY_TMP}/${KEY}.txt | grep "Subject:" | grep "serialNumber = ${TEST_SERIAL}"; then
++ if ! cat ${MY_TMP}/${KEY}.txt | grep "Subject:" | grep -e "serialNumber = ${TEST_SERIAL}" -e "serialNumber=${TEST_SERIAL}"; then
+ echo "Error: The CSR does not contain the serialNumber field of the Distinguished Name"
+ EXIT_CODE=$(($EXIT_CODE+1))
+ fi
+--
+2.34.1
+
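Review bot: The `Upstream-Status: Submitted [...]` trailer is placed after the `---` separator, in the diffstat area, rather than with the other headers before it. Tools that read the patch description (e.g. `git am`) drop everything after `---`, so the submission reference is lost when the patch is applied as a commit, and the layer's own convention puts it alongside `Signed-off-by:`. Moving the line up to directly follow `Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>` keeps the metadata with the commit message.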
diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool-crates.inc b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool-crates.inc
new file mode 100644
index 0000000..6cfd123
--- /dev/null
+++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool-crates.inc
@@ -0,0 +1,366 @@
+# Autogenerated with 'bitbake -c update_crates parsec-tool'
+
+# from Cargo.lock
+SRC_URI += " \
+ crate://crates.io/aho-corasick/1.1.2 \
+ crate://crates.io/anyhow/1.0.75 \
+ crate://crates.io/asn1-rs/0.3.1 \
+ crate://crates.io/asn1-rs-derive/0.1.0 \
+ crate://crates.io/asn1-rs-impl/0.1.0 \
+ crate://crates.io/autocfg/1.1.0 \
+ crate://crates.io/base64/0.13.1 \
+ crate://crates.io/base64/0.21.4 \
+ crate://crates.io/bincode/1.3.3 \
+ crate://crates.io/bindgen/0.57.0 \
+ crate://crates.io/bitflags/1.3.2 \
+ crate://crates.io/bitflags/2.4.1 \
+ crate://crates.io/block-buffer/0.9.0 \
+ crate://crates.io/bumpalo/3.14.0 \
+ crate://crates.io/bytes/1.5.0 \
+ crate://crates.io/cc/1.0.83 \
+ crate://crates.io/cexpr/0.4.0 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/clang-sys/1.6.1 \
+ crate://crates.io/clap/2.34.0 \
+ crate://crates.io/cmake/0.1.50 \
+ crate://crates.io/const-oid/0.7.1 \
+ crate://crates.io/cpufeatures/0.2.9 \
+ crate://crates.io/data-encoding/2.4.0 \
+ crate://crates.io/der/0.5.1 \
+ crate://crates.io/der-parser/7.0.0 \
+ crate://crates.io/derivative/2.2.0 \
+ crate://crates.io/digest/0.9.0 \
+ crate://crates.io/displaydoc/0.2.4 \
+ crate://crates.io/either/1.9.0 \
+ crate://crates.io/env_logger/0.10.0 \
+ crate://crates.io/errno/0.3.5 \
+ crate://crates.io/form_urlencoded/1.2.0 \
+ crate://crates.io/futures/0.3.28 \
+ crate://crates.io/futures-channel/0.3.28 \
+ crate://crates.io/futures-core/0.3.28 \
+ crate://crates.io/futures-executor/0.3.28 \
+ crate://crates.io/futures-io/0.3.28 \
+ crate://crates.io/futures-macro/0.3.28 \
+ crate://crates.io/futures-sink/0.3.28 \
+ crate://crates.io/futures-task/0.3.28 \
+ crate://crates.io/futures-util/0.3.28 \
+ crate://crates.io/generic-array/0.14.7 \
+ crate://crates.io/glob/0.3.1 \
+ crate://crates.io/grpcio/0.9.1 \
+ crate://crates.io/grpcio-sys/0.9.1+1.38.0 \
+ crate://crates.io/heck/0.3.3 \
+ crate://crates.io/hermit-abi/0.3.3 \
+ crate://crates.io/humantime/2.1.0 \
+ crate://crates.io/idna/0.4.0 \
+ crate://crates.io/instant/0.1.12 \
+ crate://crates.io/is-terminal/0.4.9 \
+ crate://crates.io/itertools/0.10.5 \
+ crate://crates.io/itoa/1.0.9 \
+ crate://crates.io/js-sys/0.3.64 \
+ crate://crates.io/jsonwebkey/0.3.5 \
+ crate://crates.io/jsonwebtoken/8.3.0 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/lazycell/1.3.0 \
+ crate://crates.io/libc/0.2.149 \
+ crate://crates.io/libloading/0.7.4 \
+ crate://crates.io/libz-sys/1.1.12 \
+ crate://crates.io/linux-raw-sys/0.4.10 \
+ crate://crates.io/lock_api/0.4.10 \
+ crate://crates.io/log/0.4.20 \
+ crate://crates.io/memchr/2.6.4 \
+ crate://crates.io/minimal-lexical/0.2.1 \
+ crate://crates.io/nom/5.1.3 \
+ crate://crates.io/nom/7.1.3 \
+ crate://crates.io/num/0.4.1 \
+ crate://crates.io/num-bigint/0.4.4 \
+ crate://crates.io/num-complex/0.4.4 \
+ crate://crates.io/num-derive/0.4.1 \
+ crate://crates.io/num-integer/0.1.45 \
+ crate://crates.io/num-iter/0.1.43 \
+ crate://crates.io/num-rational/0.4.1 \
+ crate://crates.io/num-traits/0.2.17 \
+ crate://crates.io/oid/0.2.1 \
+ crate://crates.io/oid-registry/0.4.0 \
+ crate://crates.io/once_cell/1.18.0 \
+ crate://crates.io/opaque-debug/0.3.0 \
+ crate://crates.io/parking_lot/0.11.2 \
+ crate://crates.io/parking_lot_core/0.8.6 \
+ crate://crates.io/parsec-client/0.16.0 \
+ crate://crates.io/parsec-interface/0.29.1 \
+ crate://crates.io/peeking_take_while/0.1.2 \
+ crate://crates.io/pem/1.1.1 \
+ crate://crates.io/percent-encoding/2.3.0 \
+ crate://crates.io/picky-asn1/0.8.0 \
+ crate://crates.io/picky-asn1-der/0.4.1 \
+ crate://crates.io/picky-asn1-x509/0.12.0 \
+ crate://crates.io/pin-project-lite/0.2.13 \
+ crate://crates.io/pin-utils/0.1.0 \
+ crate://crates.io/pkcs8/0.8.0 \
+ crate://crates.io/pkg-config/0.3.27 \
+ crate://crates.io/proc-macro-error/1.0.4 \
+ crate://crates.io/proc-macro-error-attr/1.0.4 \
+ crate://crates.io/proc-macro2/1.0.69 \
+ crate://crates.io/prost/0.9.0 \
+ crate://crates.io/prost-derive/0.9.0 \
+ crate://crates.io/protobuf/2.28.0 \
+ crate://crates.io/psa-crypto/0.12.0 \
+ crate://crates.io/psa-crypto-sys/0.12.0 \
+ crate://crates.io/quote/1.0.33 \
+ crate://crates.io/rcgen/0.9.3 \
+ crate://crates.io/redox_syscall/0.2.16 \
+ crate://crates.io/regex/1.10.0 \
+ crate://crates.io/regex-automata/0.4.1 \
+ crate://crates.io/regex-syntax/0.8.0 \
+ crate://crates.io/ring/0.16.20 \
+ crate://crates.io/rustc-hash/1.1.0 \
+ crate://crates.io/rusticata-macros/4.1.0 \
+ crate://crates.io/rustix/0.38.19 \
+ crate://crates.io/ryu/1.0.15 \
+ crate://crates.io/same-file/1.0.6 \
+ crate://crates.io/scopeguard/1.2.0 \
+ crate://crates.io/secrecy/0.8.0 \
+ crate://crates.io/serde/1.0.188 \
+ crate://crates.io/serde_bytes/0.11.12 \
+ crate://crates.io/serde_derive/1.0.188 \
+ crate://crates.io/serde_json/1.0.107 \
+ crate://crates.io/sha2/0.9.9 \
+ crate://crates.io/shlex/0.1.1 \
+ crate://crates.io/simple_asn1/0.6.2 \
+ crate://crates.io/slab/0.4.9 \
+ crate://crates.io/smallvec/1.11.1 \
+ crate://crates.io/spiffe/0.2.1 \
+ crate://crates.io/spin/0.5.2 \
+ crate://crates.io/spki/0.5.4 \
+ crate://crates.io/structopt/0.3.26 \
+ crate://crates.io/structopt-derive/0.4.18 \
+ crate://crates.io/syn/1.0.109 \
+ crate://crates.io/syn/2.0.38 \
+ crate://crates.io/synstructure/0.12.6 \
+ crate://crates.io/termcolor/1.3.0 \
+ crate://crates.io/textwrap/0.11.0 \
+ crate://crates.io/thiserror/1.0.49 \
+ crate://crates.io/thiserror-impl/1.0.49 \
+ crate://crates.io/time/0.3.23 \
+ crate://crates.io/time-core/0.1.1 \
+ crate://crates.io/time-macros/0.2.10 \
+ crate://crates.io/tinyvec/1.6.0 \
+ crate://crates.io/tinyvec_macros/0.1.1 \
+ crate://crates.io/typenum/1.17.0 \
+ crate://crates.io/unicode-bidi/0.3.13 \
+ crate://crates.io/unicode-ident/1.0.12 \
+ crate://crates.io/unicode-normalization/0.1.22 \
+ crate://crates.io/unicode-segmentation/1.10.1 \
+ crate://crates.io/unicode-width/0.1.11 \
+ crate://crates.io/unicode-xid/0.2.4 \
+ crate://crates.io/untrusted/0.7.1 \
+ crate://crates.io/url/2.4.1 \
+ crate://crates.io/uuid/0.8.2 \
+ crate://crates.io/vcpkg/0.2.15 \
+ crate://crates.io/version_check/0.9.4 \
+ crate://crates.io/walkdir/2.4.0 \
+ crate://crates.io/wasm-bindgen/0.2.87 \
+ crate://crates.io/wasm-bindgen-backend/0.2.87 \
+ crate://crates.io/wasm-bindgen-macro/0.2.87 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.87 \
+ crate://crates.io/wasm-bindgen-shared/0.2.87 \
+ crate://crates.io/web-sys/0.3.64 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-util/0.1.6 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+ crate://crates.io/windows-sys/0.48.0 \
+ crate://crates.io/windows-targets/0.48.5 \
+ crate://crates.io/windows_aarch64_gnullvm/0.48.5 \
+ crate://crates.io/windows_aarch64_msvc/0.48.5 \
+ crate://crates.io/windows_i686_gnu/0.48.5 \
+ crate://crates.io/windows_i686_msvc/0.48.5 \
+ crate://crates.io/windows_x86_64_gnu/0.48.5 \
+ crate://crates.io/windows_x86_64_gnullvm/0.48.5 \
+ crate://crates.io/windows_x86_64_msvc/0.48.5 \
+ crate://crates.io/x509-parser/0.13.2 \
+ crate://crates.io/yasna/0.4.0 \
+ crate://crates.io/yasna/0.5.2 \
+ crate://crates.io/zeroize/1.6.0 \
+ crate://crates.io/zeroize_derive/1.4.2 \
+"
+
+SRC_URI[aho-corasick-1.1.2.sha256sum] = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0"
+SRC_URI[anyhow-1.0.75.sha256sum] = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6"
+SRC_URI[asn1-rs-0.3.1.sha256sum] = "30ff05a702273012438132f449575dbc804e27b2f3cbe3069aa237d26c98fa33"
+SRC_URI[asn1-rs-derive-0.1.0.sha256sum] = "db8b7511298d5b7784b40b092d9e9dcd3a627a5707e4b5e507931ab0d44eeebf"
+SRC_URI[asn1-rs-impl-0.1.0.sha256sum] = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[base64-0.13.1.sha256sum] = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+SRC_URI[base64-0.21.4.sha256sum] = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2"
+SRC_URI[bincode-1.3.3.sha256sum] = "b1f45e9417d87227c7a56d22e471c6206462cba514c7590c09aff4cf6d1ddcad"
+SRC_URI[bindgen-0.57.0.sha256sum] = "fd4865004a46a0aafb2a0a5eb19d3c9fc46ee5f063a6cfc605c69ac9ecf5263d"
+SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+SRC_URI[bitflags-2.4.1.sha256sum] = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07"
+SRC_URI[block-buffer-0.9.0.sha256sum] = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+SRC_URI[bumpalo-3.14.0.sha256sum] = "7f30e7476521f6f8af1a1c4c0b8cc94f0bee37d91763d0ca2665f299b6cd8aec"
+SRC_URI[bytes-1.5.0.sha256sum] = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223"
+SRC_URI[cc-1.0.83.sha256sum] = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0"
+SRC_URI[cexpr-0.4.0.sha256sum] = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[clang-sys-1.6.1.sha256sum] = "c688fc74432808e3eb684cae8830a86be1d66a2bd58e1f248ed0960a590baf6f"
+SRC_URI[clap-2.34.0.sha256sum] = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
+SRC_URI[cmake-0.1.50.sha256sum] = "a31c789563b815f77f4250caee12365734369f942439b7defd71e18a48197130"
+SRC_URI[const-oid-0.7.1.sha256sum] = "e4c78c047431fee22c1a7bb92e00ad095a02a983affe4d8a72e2a2c62c1b94f3"
+SRC_URI[cpufeatures-0.2.9.sha256sum] = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1"
+SRC_URI[data-encoding-2.4.0.sha256sum] = "c2e66c9d817f1720209181c316d28635c050fa304f9c79e47a520882661b7308"
+SRC_URI[der-0.5.1.sha256sum] = "6919815d73839e7ad218de758883aae3a257ba6759ce7a9992501efbb53d705c"
+SRC_URI[der-parser-7.0.0.sha256sum] = "fe398ac75057914d7d07307bf67dc7f3f574a26783b4fc7805a20ffa9f506e82"
+SRC_URI[derivative-2.2.0.sha256sum] = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+SRC_URI[digest-0.9.0.sha256sum] = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+SRC_URI[displaydoc-0.2.4.sha256sum] = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d"
+SRC_URI[either-1.9.0.sha256sum] = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07"
+SRC_URI[env_logger-0.10.0.sha256sum] = "85cdab6a89accf66733ad5a1693a4dcced6aeff64602b634530dd73c1f3ee9f0"
+SRC_URI[errno-0.3.5.sha256sum] = "ac3e13f66a2f95e32a39eaa81f6b95d42878ca0e1db0c7543723dfe12557e860"
+SRC_URI[form_urlencoded-1.2.0.sha256sum] = "a62bc1cf6f830c2ec14a513a9fb124d0a213a629668a4186f329db21fe045652"
+SRC_URI[futures-0.3.28.sha256sum] = "23342abe12aba583913b2e62f22225ff9c950774065e4bfb61a19cd9770fec40"
+SRC_URI[futures-channel-0.3.28.sha256sum] = "955518d47e09b25bbebc7a18df10b81f0c766eaf4c4f1cccef2fca5f2a4fb5f2"
+SRC_URI[futures-core-0.3.28.sha256sum] = "4bca583b7e26f571124fe5b7561d49cb2868d79116cfa0eefce955557c6fee8c"
+SRC_URI[futures-executor-0.3.28.sha256sum] = "ccecee823288125bd88b4d7f565c9e58e41858e47ab72e8ea2d64e93624386e0"
+SRC_URI[futures-io-0.3.28.sha256sum] = "4fff74096e71ed47f8e023204cfd0aa1289cd54ae5430a9523be060cdb849964"
+SRC_URI[futures-macro-0.3.28.sha256sum] = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72"
+SRC_URI[futures-sink-0.3.28.sha256sum] = "f43be4fe21a13b9781a69afa4985b0f6ee0e1afab2c6f454a8cf30e2b2237b6e"
+SRC_URI[futures-task-0.3.28.sha256sum] = "76d3d132be6c0e6aa1534069c705a74a5997a356c0dc2f86a47765e5617c5b65"
+SRC_URI[futures-util-0.3.28.sha256sum] = "26b01e40b772d54cf6c6d721c1d1abd0647a0106a12ecaa1c186273392a69533"
+SRC_URI[generic-array-0.14.7.sha256sum] = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+SRC_URI[glob-0.3.1.sha256sum] = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+SRC_URI[grpcio-0.9.1.sha256sum] = "24d99e00eed7e0a04ee2705112e7cfdbe1a3cc771147f22f016a8cd2d002187b"
+SRC_URI[grpcio-sys-0.9.1+1.38.0.sha256sum] = "9447d1a926beeef466606cc45717f80897998b548e7dc622873d453e1ecb4be4"
+SRC_URI[heck-0.3.3.sha256sum] = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
+SRC_URI[hermit-abi-0.3.3.sha256sum] = "d77f7ec81a6d05a3abb01ab6eb7590f6083d08449fe5a1c8b1e620283546ccb7"
+SRC_URI[humantime-2.1.0.sha256sum] = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
+SRC_URI[idna-0.4.0.sha256sum] = "7d20d6b07bfbc108882d88ed8e37d39636dcc260e15e30c45e6ba089610b917c"
+SRC_URI[instant-0.1.12.sha256sum] = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
+SRC_URI[is-terminal-0.4.9.sha256sum] = "cb0889898416213fab133e1d33a0e5858a48177452750691bde3666d0fdbaf8b"
+SRC_URI[itertools-0.10.5.sha256sum] = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+SRC_URI[itoa-1.0.9.sha256sum] = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38"
+SRC_URI[js-sys-0.3.64.sha256sum] = "c5f195fe497f702db0f318b07fdd68edb16955aed830df8363d837542f8f935a"
+SRC_URI[jsonwebkey-0.3.5.sha256sum] = "c57c852b14147e2bd58c14fde40398864453403ef632b1101db130282ee6e2cc"
+SRC_URI[jsonwebtoken-8.3.0.sha256sum] = "6971da4d9c3aa03c3d8f3ff0f4155b534aad021292003895a469716b2a230378"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[lazycell-1.3.0.sha256sum] = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
+SRC_URI[libc-0.2.149.sha256sum] = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b"
+SRC_URI[libloading-0.7.4.sha256sum] = "b67380fd3b2fbe7527a606e18729d21c6f3951633d0500574c4dc22d2d638b9f"
+SRC_URI[libz-sys-1.1.12.sha256sum] = "d97137b25e321a73eef1418d1d5d2eda4d77e12813f8e6dead84bc52c5870a7b"
+SRC_URI[linux-raw-sys-0.4.10.sha256sum] = "da2479e8c062e40bf0066ffa0bc823de0a9368974af99c9f6df941d2c231e03f"
+SRC_URI[lock_api-0.4.10.sha256sum] = "c1cc9717a20b1bb222f333e6a92fd32f7d8a18ddc5a3191a11af45dcbf4dcd16"
+SRC_URI[log-0.4.20.sha256sum] = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f"
+SRC_URI[memchr-2.6.4.sha256sum] = "f665ee40bc4a3c5590afb1e9677db74a508659dfd71e126420da8274909a0167"
+SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+SRC_URI[nom-5.1.3.sha256sum] = "08959a387a676302eebf4ddbcbc611da04285579f76f88ee0506c63b1a61dd4b"
+SRC_URI[nom-7.1.3.sha256sum] = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+SRC_URI[num-0.4.1.sha256sum] = "b05180d69e3da0e530ba2a1dae5110317e49e3b7f3d41be227dc5f92e49ee7af"
+SRC_URI[num-bigint-0.4.4.sha256sum] = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0"
+SRC_URI[num-complex-0.4.4.sha256sum] = "1ba157ca0885411de85d6ca030ba7e2a83a28636056c7c699b07c8b6f7383214"
+SRC_URI[num-derive-0.4.1.sha256sum] = "cfb77679af88f8b125209d354a202862602672222e7f2313fdd6dc349bad4712"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-iter-0.1.43.sha256sum] = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252"
+SRC_URI[num-rational-0.4.1.sha256sum] = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0"
+SRC_URI[num-traits-0.2.17.sha256sum] = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c"
+SRC_URI[oid-0.2.1.sha256sum] = "9c19903c598813dba001b53beeae59bb77ad4892c5c1b9b3500ce4293a0d06c2"
+SRC_URI[oid-registry-0.4.0.sha256sum] = "38e20717fa0541f39bd146692035c37bedfa532b3e5071b35761082407546b2a"
+SRC_URI[once_cell-1.18.0.sha256sum] = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"
+SRC_URI[opaque-debug-0.3.0.sha256sum] = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+SRC_URI[parking_lot-0.11.2.sha256sum] = "7d17b78036a60663b797adeaee46f5c9dfebb86948d1255007a1d6be0271ff99"
+SRC_URI[parking_lot_core-0.8.6.sha256sum] = "60a2cfe6f0ad2bfc16aefa463b497d5c7a5ecd44a23efa72aa342d90177356dc"
+SRC_URI[parsec-client-0.16.0.sha256sum] = "a36f9d8e27166cf0586913812454174286e094d594cc8b28d8a8d02d64406bbc"
+SRC_URI[parsec-interface-0.29.1.sha256sum] = "cc706e09209b30f10baa35709d41b9cc01d4931b21c00679f59db96cd1650add"
+SRC_URI[peeking_take_while-0.1.2.sha256sum] = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
+SRC_URI[pem-1.1.1.sha256sum] = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8"
+SRC_URI[percent-encoding-2.3.0.sha256sum] = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94"
+SRC_URI[picky-asn1-0.8.0.sha256sum] = "295eea0f33c16be21e2a98b908fdd4d73c04dd48c8480991b76dbcf0cb58b212"
+SRC_URI[picky-asn1-der-0.4.1.sha256sum] = "5df7873a9e36d42dadb393bea5e211fe83d793c172afad5fb4ec846ec582793f"
+SRC_URI[picky-asn1-x509-0.12.0.sha256sum] = "2c5f20f71a68499ff32310f418a6fad8816eac1a2859ed3f0c5c741389dd6208"
+SRC_URI[pin-project-lite-0.2.13.sha256sum] = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58"
+SRC_URI[pin-utils-0.1.0.sha256sum] = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+SRC_URI[pkcs8-0.8.0.sha256sum] = "7cabda3fb821068a9a4fab19a683eac3af12edf0f34b94a8be53c4972b8149d0"
+SRC_URI[pkg-config-0.3.27.sha256sum] = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
+SRC_URI[proc-macro-error-1.0.4.sha256sum] = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+SRC_URI[proc-macro-error-attr-1.0.4.sha256sum] = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+SRC_URI[proc-macro2-1.0.69.sha256sum] = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da"
+SRC_URI[prost-0.9.0.sha256sum] = "444879275cb4fd84958b1a1d5420d15e6fcf7c235fe47f053c9c2a80aceb6001"
+SRC_URI[prost-derive-0.9.0.sha256sum] = "f9cc1a3263e07e0bf68e96268f37665207b49560d98739662cdfaae215c720fe"
+SRC_URI[protobuf-2.28.0.sha256sum] = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
+SRC_URI[psa-crypto-0.12.0.sha256sum] = "89c2256e525b9a45ec3bbb3382a43dd8809240279e0aab8ea7ee220e9295445b"
+SRC_URI[psa-crypto-sys-0.12.0.sha256sum] = "f170cac3a328e1678916b276067ec170a5a51db1b9b8b4c00b44c2839819a963"
+SRC_URI[quote-1.0.33.sha256sum] = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae"
+SRC_URI[rcgen-0.9.3.sha256sum] = "6413f3de1edee53342e6138e75b56d32e7bc6e332b3bd62d497b1929d4cfbcdd"
+SRC_URI[redox_syscall-0.2.16.sha256sum] = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
+SRC_URI[regex-1.10.0.sha256sum] = "d119d7c7ca818f8a53c300863d4f87566aac09943aef5b355bb83969dae75d87"
+SRC_URI[regex-automata-0.4.1.sha256sum] = "465c6fc0621e4abc4187a2bda0937bfd4f722c2730b29562e19689ea796c9a4b"
+SRC_URI[regex-syntax-0.8.0.sha256sum] = "c3cbb081b9784b07cceb8824c8583f86db4814d172ab043f3c23f7dc600bf83d"
+SRC_URI[ring-0.16.20.sha256sum] = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+SRC_URI[rustc-hash-1.1.0.sha256sum] = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+SRC_URI[rusticata-macros-4.1.0.sha256sum] = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+SRC_URI[rustix-0.38.19.sha256sum] = "745ecfa778e66b2b63c88a61cb36e0eea109e803b0b86bf9879fbc77c70e86ed"
+SRC_URI[ryu-1.0.15.sha256sum] = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741"
+SRC_URI[same-file-1.0.6.sha256sum] = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+SRC_URI[scopeguard-1.2.0.sha256sum] = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+SRC_URI[secrecy-0.8.0.sha256sum] = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e"
+SRC_URI[serde-1.0.188.sha256sum] = "cf9e0fcba69a370eed61bcf2b728575f726b50b55cba78064753d708ddc7549e"
+SRC_URI[serde_bytes-0.11.12.sha256sum] = "ab33ec92f677585af6d88c65593ae2375adde54efdbf16d597f2cbc7a6d368ff"
+SRC_URI[serde_derive-1.0.188.sha256sum] = "4eca7ac642d82aa35b60049a6eccb4be6be75e599bd2e9adb5f875a737654af2"
+SRC_URI[serde_json-1.0.107.sha256sum] = "6b420ce6e3d8bd882e9b243c6eed35dbc9a6110c9769e74b584e0d68d1f20c65"
+SRC_URI[sha2-0.9.9.sha256sum] = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+SRC_URI[shlex-0.1.1.sha256sum] = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
+SRC_URI[simple_asn1-0.6.2.sha256sum] = "adc4e5204eb1910f40f9cfa375f6f05b68c3abac4b6fd879c8ff5e7ae8a0a085"
+SRC_URI[slab-0.4.9.sha256sum] = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
+SRC_URI[smallvec-1.11.1.sha256sum] = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a"
+SRC_URI[spiffe-0.2.1.sha256sum] = "f30161ecb25b9acc06eb61d750aaf1c4b3a536e22ff19fc2d250976537e93a11"
+SRC_URI[spin-0.5.2.sha256sum] = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+SRC_URI[spki-0.5.4.sha256sum] = "44d01ac02a6ccf3e07db148d2be087da624fea0221a16152ed01f0496a6b0a27"
+SRC_URI[structopt-0.3.26.sha256sum] = "0c6b5c64445ba8094a6ab0c3cd2ad323e07171012d9c98b0b15651daf1787a10"
+SRC_URI[structopt-derive-0.4.18.sha256sum] = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0"
+SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+SRC_URI[syn-2.0.38.sha256sum] = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b"
+SRC_URI[synstructure-0.12.6.sha256sum] = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+SRC_URI[termcolor-1.3.0.sha256sum] = "6093bad37da69aab9d123a8091e4be0aa4a03e4d601ec641c327398315f62b64"
+SRC_URI[textwrap-0.11.0.sha256sum] = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+SRC_URI[thiserror-1.0.49.sha256sum] = "1177e8c6d7ede7afde3585fd2513e611227efd6481bd78d2e82ba1ce16557ed4"
+SRC_URI[thiserror-impl-1.0.49.sha256sum] = "10712f02019e9288794769fba95cd6847df9874d49d871d062172f9dd41bc4cc"
+SRC_URI[time-0.3.23.sha256sum] = "59e399c068f43a5d116fedaf73b203fa4f9c519f17e2b34f63221d3792f81446"
+SRC_URI[time-core-0.1.1.sha256sum] = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb"
+SRC_URI[time-macros-0.2.10.sha256sum] = "96ba15a897f3c86766b757e5ac7221554c6750054d74d5b28844fce5fb36a6c4"
+SRC_URI[tinyvec-1.6.0.sha256sum] = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+SRC_URI[tinyvec_macros-0.1.1.sha256sum] = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+SRC_URI[typenum-1.17.0.sha256sum] = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+SRC_URI[unicode-bidi-0.3.13.sha256sum] = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
+SRC_URI[unicode-ident-1.0.12.sha256sum] = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+SRC_URI[unicode-normalization-0.1.22.sha256sum] = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
+SRC_URI[unicode-segmentation-1.10.1.sha256sum] = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36"
+SRC_URI[unicode-width-0.1.11.sha256sum] = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85"
+SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+SRC_URI[untrusted-0.7.1.sha256sum] = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+SRC_URI[url-2.4.1.sha256sum] = "143b538f18257fac9cad154828a57c6bf5157e1aa604d4816b5995bf6de87ae5"
+SRC_URI[uuid-0.8.2.sha256sum] = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
+SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[walkdir-2.4.0.sha256sum] = "d71d857dc86794ca4c280d616f7da00d2dbfd8cd788846559a6813e6aa4b54ee"
+SRC_URI[wasm-bindgen-0.2.87.sha256sum] = "7706a72ab36d8cb1f80ffbf0e071533974a60d0a308d01a5d0375bf60499a342"
+SRC_URI[wasm-bindgen-backend-0.2.87.sha256sum] = "5ef2b6d3c510e9625e5fe6f509ab07d66a760f0885d858736483c32ed7809abd"
+SRC_URI[wasm-bindgen-macro-0.2.87.sha256sum] = "dee495e55982a3bd48105a7b947fd2a9b4a8ae3010041b9e0faab3f9cd028f1d"
+SRC_URI[wasm-bindgen-macro-support-0.2.87.sha256sum] = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b"
+SRC_URI[wasm-bindgen-shared-0.2.87.sha256sum] = "ca6ad05a4870b2bf5fe995117d3728437bd27d7cd5f06f13c17443ef369775a1"
+SRC_URI[web-sys-0.3.64.sha256sum] = "9b85cbef8c220a6abc02aefd892dfc0fc23afb1c6a426316ec33253a3877249b"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.6.sha256sum] = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+SRC_URI[windows-sys-0.48.0.sha256sum] = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+SRC_URI[windows-targets-0.48.5.sha256sum] = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+SRC_URI[windows_aarch64_gnullvm-0.48.5.sha256sum] = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+SRC_URI[windows_aarch64_msvc-0.48.5.sha256sum] = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+SRC_URI[windows_i686_gnu-0.48.5.sha256sum] = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+SRC_URI[windows_i686_msvc-0.48.5.sha256sum] = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+SRC_URI[windows_x86_64_gnu-0.48.5.sha256sum] = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+SRC_URI[windows_x86_64_gnullvm-0.48.5.sha256sum] = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+SRC_URI[windows_x86_64_msvc-0.48.5.sha256sum] = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+SRC_URI[x509-parser-0.13.2.sha256sum] = "9fb9bace5b5589ffead1afb76e43e34cff39cd0f3ce7e170ae0c29e53b88eb1c"
+SRC_URI[yasna-0.4.0.sha256sum] = "e262a29d0e61ccf2b6190d7050d4b237535fc76ce4c1210d9caa316f71dffa75"
+SRC_URI[yasna-0.5.2.sha256sum] = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
+SRC_URI[zeroize-1.6.0.sha256sum] = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9"
+SRC_URI[zeroize_derive-1.4.2.sha256sum] = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
deleted file mode 100644
index 35c65c0..0000000
--- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "Parsec Command Line Interface"
-HOMEPAGE = "https://github.com/parallaxsecond/parsec-tool"
-LICENSE = "Apache-2.0"
-
-inherit cargo
-
-SRC_URI += "crate://crates.io/parsec-tool/${PV} \
-"
-
-TOOLCHAIN = "clang"
-
-do_install() {
- install -d ${D}/${bindir}
- install -m 755 "${B}/target/${TARGET_SYS}/release/parsec-tool" "${D}${bindir}/parsec-tool"
-}
-
-require parsec-tool_${PV}.inc
diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.inc b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.inc
deleted file mode 100644
index 9560dcf..0000000
--- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.inc
+++ /dev/null
@@ -1,127 +0,0 @@
-# This file is created from parsec-tool repository Cargo.lock using cargo-bitbake tool
-
-SRC_URI += " \
- crate://crates.io/aho-corasick/0.7.15 \
- crate://crates.io/ansi_term/0.11.0 \
- crate://crates.io/ansi_term/0.12.1 \
- crate://crates.io/anyhow/1.0.38 \
- crate://crates.io/atty/0.2.14 \
- crate://crates.io/autocfg/1.0.1 \
- crate://crates.io/base64/0.13.0 \
- crate://crates.io/bincode/1.3.1 \
- crate://crates.io/bitflags/1.2.1 \
- crate://crates.io/block-buffer/0.9.0 \
- crate://crates.io/byteorder/1.4.2 \
- crate://crates.io/bytes/0.5.6 \
- crate://crates.io/cc/1.0.66 \
- crate://crates.io/cfg-if/1.0.0 \
- crate://crates.io/clap/2.33.3 \
- crate://crates.io/clap/3.0.0-beta.2 \
- crate://crates.io/clap_derive/3.0.0-beta.2 \
- crate://crates.io/cmake/0.1.45 \
- crate://crates.io/cpuid-bool/0.1.2 \
- crate://crates.io/derivative/2.2.0 \
- crate://crates.io/digest/0.9.0 \
- crate://crates.io/either/1.6.1 \
- crate://crates.io/env_logger/0.8.3 \
- crate://crates.io/fixedbitset/0.2.0 \
- crate://crates.io/form_urlencoded/1.0.0 \
- crate://crates.io/generic-array/0.14.4 \
- crate://crates.io/getrandom/0.2.2 \
- crate://crates.io/hashbrown/0.9.1 \
- crate://crates.io/heck/0.3.2 \
- crate://crates.io/hermit-abi/0.1.18 \
- crate://crates.io/humantime/2.1.0 \
- crate://crates.io/idna/0.2.1 \
- crate://crates.io/indexmap/1.6.1 \
- crate://crates.io/itertools/0.8.2 \
- crate://crates.io/lazy_static/1.4.0 \
- crate://crates.io/libc/0.2.86 \
- crate://crates.io/log/0.4.14 \
- crate://crates.io/matches/0.1.8 \
- crate://crates.io/memchr/2.3.4 \
- crate://crates.io/multimap/0.8.2 \
- crate://crates.io/num-bigint/0.3.1 \
- crate://crates.io/num-complex/0.3.1 \
- crate://crates.io/num-derive/0.3.3 \
- crate://crates.io/num-integer/0.1.44 \
- crate://crates.io/num-iter/0.1.42 \
- crate://crates.io/num-rational/0.3.2 \
- crate://crates.io/num-traits/0.2.14 \
- crate://crates.io/num/0.3.1 \
- crate://crates.io/oid/0.1.1 \
- crate://crates.io/once_cell/1.5.2 \
- crate://crates.io/opaque-debug/0.3.0 \
- crate://crates.io/os_str_bytes/2.4.0 \
- crate://crates.io/parsec-client/0.12.0 \
- crate://crates.io/parsec-interface/0.24.0 \
- crate://crates.io/pem/0.8.3 \
- crate://crates.io/percent-encoding/2.1.0 \
- crate://crates.io/petgraph/0.5.1 \
- crate://crates.io/picky-asn1-der/0.2.4 \
- crate://crates.io/picky-asn1/0.3.1 \
- crate://crates.io/ppv-lite86/0.2.10 \
- crate://crates.io/proc-macro-error-attr/1.0.4 \
- crate://crates.io/proc-macro-error/1.0.4 \
- crate://crates.io/proc-macro2/1.0.24 \
- crate://crates.io/prost-build/0.6.1 \
- crate://crates.io/prost-derive/0.6.1 \
- crate://crates.io/prost-types/0.6.1 \
- crate://crates.io/prost/0.6.1 \
- crate://crates.io/psa-crypto-sys/0.8.0 \
- crate://crates.io/psa-crypto/0.8.0 \
- crate://crates.io/quote/1.0.9 \
- crate://crates.io/rand/0.8.3 \
- crate://crates.io/rand_chacha/0.3.0 \
- crate://crates.io/rand_core/0.6.2 \
- crate://crates.io/rand_hc/0.3.0 \
- crate://crates.io/redox_syscall/0.2.5 \
- crate://crates.io/regex-syntax/0.6.22 \
- crate://crates.io/regex/1.4.3 \
- crate://crates.io/remove_dir_all/0.5.3 \
- crate://crates.io/same-file/1.0.6 \
- crate://crates.io/secrecy/0.7.0 \
- crate://crates.io/serde/1.0.123 \
- crate://crates.io/serde_bytes/0.11.5 \
- crate://crates.io/serde_derive/1.0.123 \
- crate://crates.io/sha2/0.9.3 \
- crate://crates.io/strsim/0.10.0 \
- crate://crates.io/strsim/0.8.0 \
- crate://crates.io/structopt-derive/0.4.14 \
- crate://crates.io/structopt/0.3.21 \
- crate://crates.io/syn/1.0.60 \
- crate://crates.io/synstructure/0.12.4 \
- crate://crates.io/tempfile/3.2.0 \
- crate://crates.io/termcolor/1.1.2 \
- crate://crates.io/textwrap/0.11.0 \
- crate://crates.io/textwrap/0.12.1 \
- crate://crates.io/thiserror-impl/1.0.23 \
- crate://crates.io/thiserror/1.0.23 \
- crate://crates.io/thread_local/1.1.3 \
- crate://crates.io/tinyvec/1.1.1 \
- crate://crates.io/tinyvec_macros/0.1.0 \
- crate://crates.io/typenum/1.12.0 \
- crate://crates.io/unicode-bidi/0.3.4 \
- crate://crates.io/unicode-normalization/0.1.17 \
- crate://crates.io/unicode-segmentation/1.7.1 \
- crate://crates.io/unicode-width/0.1.8 \
- crate://crates.io/unicode-xid/0.2.1 \
- crate://crates.io/url/2.2.0 \
- crate://crates.io/users/0.10.0 \
- crate://crates.io/uuid/0.8.2 \
- crate://crates.io/vec_map/0.8.2 \
- crate://crates.io/version_check/0.9.2 \
- crate://crates.io/walkdir/2.3.1 \
- crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \
- crate://crates.io/which/3.1.1 \
- crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
- crate://crates.io/winapi-util/0.1.5 \
- crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
- crate://crates.io/winapi/0.3.9 \
- crate://crates.io/zeroize/1.2.0 \
- crate://crates.io/zeroize_derive/1.0.1 \
-"
-
-LIC_FILES_CHKSUM = " \
- file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \
-"
diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.7.0.bb b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.7.0.bb
new file mode 100644
index 0000000..af0d362
--- /dev/null
+++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.7.0.bb
@@ -0,0 +1,29 @@
+SUMMARY = "Parsec Command Line Interface"
+HOMEPAGE = "https://github.com/parallaxsecond/parsec-tool"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+inherit cargo cargo-update-recipe-crates
+
+SRC_URI += "\
+ crate://crates.io/parsec-tool/${PV} \
+ file://0001-parsec-cli-tests.sh-adapt-to-new-serialNumber-output.patch \
+"
+SRC_URI[parsec-tool-0.7.0.sha256sum] = "76afb4416d04c5af9f81285dfff390b09c6926aabd6b4ee20dc07470a9698732"
+
+B = "${CARGO_VENDORING_DIRECTORY}/${BP}"
+
+do_install() {
+ install -d ${D}/${bindir}
+ install -m 755 "${B}/target/${CARGO_TARGET_SUBDIR}/parsec-tool" "${D}${bindir}/parsec-tool"
+ install -m 755 "${S}/tests/parsec-cli-tests.sh" "${D}${bindir}/parsec-cli-tests.sh"
+}
+
+require parsec-tool-crates.inc
+
+RDEPENDS:${PN} = "openssl-bin"
+
+# The QA check has been temporarily disabled. An issue has been created
+# upstream to fix this.
+# https://github.com/parallaxsecond/parsec-tool/issues/94
+INSANE_SKIP:${PN}-dbg += "buildpaths"
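Review bot: The third line of do_install installs the test harness `parsec-cli-tests.sh` into `${bindir}` of the main package, so every image that pulls in parsec-tool also ships the test script, and `RDEPENDS:${PN} = "openssl-bin"` — presumably needed only by that script — pulls the OpenSSL CLI into production images as well. Consider packaging it separately so the runtime package stays minimal: `PACKAGES =+ "${PN}-tests"`, `FILES:${PN}-tests = "${bindir}/parsec-cli-tests.sh"`, `RDEPENDS:${PN}-tests = "openssl-bin"`. Minor: `install -d ${D}/${bindir}` on the first do_install line has a redundant slash compared with the `${D}${bindir}` form used on the two lines that follow.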
diff --git a/meta-security-compliance/README b/meta-security-compliance/README
deleted file mode 100644
index 320f856..0000000
--- a/meta-security-compliance/README
+++ /dev/null
@@ -1,41 +0,0 @@
-# Meta-security-compliance
-
-This layer is meant to contain programs to help in security compliance and auditing
-
-
-Dependencies
-============
-
-This layer depends on:
-
- URI: git://git.openembedded.org/bitbake
- branch: master
-
- URI: git://git.openembedded.org/openembedded-core
- layers: meta
- branch: master
-
-or
-
- URI: git://git.yoctoproject.org/poky
- branch: master
-
-
-
-Maintenance
------------
-
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
-
-When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
-
-Layer Maintainer: Armin Kuster <akuster808@gmail.com>
-
-
-License
-=======
-
-All metadata is MIT licensed unless otherwise stated. Source code included
-in tree for individual recipes is under the LICENSE stated in each recipe
-(.bb file) unless otherwise stated.
diff --git a/meta-security-compliance/conf/layer.conf b/meta-security-compliance/conf/layer.conf
deleted file mode 100644
index 2024d4a..0000000
--- a/meta-security-compliance/conf/layer.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# We have a conf and classes directory, add to BBPATH
-BBPATH .= ":${LAYERDIR}"
-
-# We have a recipes directory, add to BBFILES
-BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
-
-BBFILE_COLLECTIONS += "scanners-layer"
-BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_scanners-layer = "10"
-
-LAYERSERIES_COMPAT_scanners-layer = "hardknott"
-
-LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
-
-BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
diff --git a/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb b/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb
deleted file mode 100644
index 0ad427d..0000000
--- a/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-inherit allarch
-
-SUMMARY = "Operating release identification"
-DESCRIPTION = "The /etc/openembedded-release file contains operating system identification data."
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-INHIBIT_DEFAULT_DEPS = "1"
-
-do_fetch[noexec] = "1"
-do_unpack[noexec] = "1"
-do_patch[noexec] = "1"
-do_configure[noexec] = "1"
-
-VERSION = "0"
-RELEASE_NAME = "${DISTRO_NAME} ${DISTRO} ${VERSION}"
-
-def sanitise_version(ver):
- ret = ver.replace('+', '-').replace(' ','_')
- return ret.lower()
-
-python do_compile () {
- import shutil
- release_name = d.getVar('RELEASE_NAME')
- with open(d.expand('${B}/openemebedded-release'), 'w') as f:
- f.write('%s\n' % release_name)
-}
-do_compile[vardeps] += "${RELEASE_NAME}"
-
-do_install () {
- install -d ${D}${sysconfdir}
- install -m 0644 openemebedded-release ${D}${sysconfdir}/
-}
diff --git a/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/meta-security-compliance/recipes-core/os-release/os-release.bbappend
deleted file mode 100644
index 604bacb..0000000
--- a/meta-security-compliance/recipes-core/os-release/os-release.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-CPE_NAME="cpe:/o:openembedded:nodistro:0"
diff --git a/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml b/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml
deleted file mode 100644
index d3b2c9a..0000000
--- a/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" id="generated-xccdf" resolved="1">
- <xccdf:status>incomplete</xccdf:status>
- <xccdf:title>Automatically generated XCCDF from OVAL file: OpenEmbedded_nodistro_0.xml</xccdf:title>
- <xccdf:description>This file has been generated automatically from oval definitions file.</xccdf:description>
- <xccdf:version time="2017-06-07T04:05:05">None, generated from OVAL file.</xccdf:version>
- <xccdf:Rule selected="true" id="oval-com.redhat.rhsa-def-20171365">
- <xccdf:title>CPE-2017:1365: nss security and bug fix update (Important)</xccdf:title>
- <xccdf:ident system="http://cve.mitre.org">CVE-2017-7502</xccdf:ident>
- <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref href="OpenEmbedded_nodistro_0.xml" name="oval:com.redhat.rhsa:def:20171365"/>
- </xccdf:check>
- </xccdf:Rule>
-</xccdf:Benchmark>
diff --git a/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml b/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml
deleted file mode 100644
index a9bf2a0..0000000
--- a/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml
+++ /dev/null
@@ -1,83 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
- <generator>
- <oval:product_name>OpenEmbedded Errata Test System</oval:product_name>
- <oval:schema_version>5.10.1</oval:schema_version>
- <oval:timestamp>2017-06-07T04:05:05</oval:timestamp>
- </generator>
-
- <definitions>
- <definition class="patch" id="oval:com.redhat.rhsa:def:20171365" version="604">
- <metadata>
- <title>CPE-2017:1365: nss security and bug fix update (Important)</title>
- <affected family="unix">
- <platform>OpenEmbedded Nodistro</platform>
- </affected>
- <reference ref_id="RHSA-2017:1365-03" ref_url="https://access.redhat.com/errata/RHSA-2017:1365" source="RHSA"/>
- <reference ref_id="CVE-2017-7502" ref_url="https://access.redhat.com/security/cve/CVE-2017-7502" source="CVE"/>
- <description>Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
-
-Security Fix(es):
-
-* A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502)
-
-Bug Fix(es):
-
-* The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1451421)</description>
-
-<!-- ~~~~~~~~~~~~~~~~~~~~ advisory details ~~~~~~~~~~~~~~~~~~~ -->
-
-<advisory from="example.com">
- <severity>Important</severity>
- <rights>NA</rights>
- <issued date="2017-05-30"/>
- <updated date="2017-05-30"/>
- <cve cvss3="7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" cwe="CWE-476" href="https://access.redhat.com/security/cve/CVE-2017-7502">CVE-2017-7502</cve>
- <bugzilla href="https://bugzilla.redhat.com/1446631" id="1446631">CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages</bugzilla>
- <affected_cpe_list>
- <cpe>cpe:/o:openembedded:nodistro:0</cpe>
- </affected_cpe_list>
-</advisory>
- </metadata>
-
-<criteria operator="AND">
- <criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20171365001"/>
- <criterion comment="nss is earlier than 0:3.28.4-r0" test_ref="oval:com.redhat.rhsa:tst:20171365007"/>
-</criteria>
-
- </definition>
- </definitions>
- <tests>
- <!-- ~~~~~~~~~~~~~~~~~~~~~ rpminfo tests ~~~~~~~~~~~~~~~~~~~~~ -->
- <rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 7 Client is installed" id="oval:com.redhat.rhsa:tst:20171365001" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <object object_ref="oval:com.redhat.rhsa:obj:20171365001"/>
- <state state_ref="oval:com.redhat.rhsa:ste:20171365002"/>
-</rpminfo_test>
-<rpminfo_test check="at least one" comment="nss is earlier than 0:3.31.4-r0" id="oval:com.redhat.rhsa:tst:20171365007" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <object object_ref="oval:com.redhat.rhsa:obj:20171365006"/>
- <state state_ref="oval:com.redhat.rhsa:ste:20171365003"/>
-</rpminfo_test>
-
- </tests>
-
- <objects>
- <!-- ~~~~~~~~~~~~~~~~~~~~ rpminfo objects ~~~~~~~~~~~~~~~~~~~~ -->
- <rpminfo_object id="oval:com.redhat.rhsa:obj:20171365006" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <name>nss</name>
-</rpminfo_object>
-<rpminfo_object id="oval:com.redhat.rhsa:obj:20171365001" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <name>openembedded-release</name>
-</rpminfo_object>
-
- </objects>
- <states>
- <!-- ~~~~~~~~~~~~~~~~~~~~ rpminfo states ~~~~~~~~~~~~~~~~~~~~~ -->
-<rpminfo_state id="oval:com.redhat.rhsa:ste:20171365002" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <version operation="pattern match">^1[^\d]</version>
-</rpminfo_state>
-<rpminfo_state id="oval:com.redhat.rhsa:ste:20171365003" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <evr datatype="evr_string" operation="less than">0:3.31.4-r0</evr>
-</rpminfo_state>
-
- </states>
-</oval_definitions>
diff --git a/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt b/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt
deleted file mode 100644
index 2243ac4..0000000
--- a/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt
+++ /dev/null
@@ -1,72 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright 2012 Red Hat Inc., Durham, North Carolina. All Rights Reserved.
-
-This transformation is free software; you can redistribute it and/or modify
-it under the terms of the GNU Lesser General Public License as published by
-the Free Software Foundation; either version 2.1 of the License.
-
-This transformation is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
-for more details.
-
-You should have received a copy of the GNU Lesser General Public License along
-with this library; if not, write to the Free Software Foundation, Inc., 59
-Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-Authors:
- Šimon Lukašík <slukasik@redhat.com>
--->
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
- xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1"
- xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
- xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xsl:output method="xml" encoding="UTF-8"/>
-
- <xsl:template match="/">
- <xccdf:Benchmark id="generated-xccdf" resolved="1">
- <xccdf:status>incomplete</xccdf:status>
- <xccdf:title>
- <xsl:text>Automatically generated XCCDF from OVAL file: </xsl:text>
- <xsl:value-of select="$ovalfile"/>
- </xccdf:title>
- <xccdf:description>This file has been generated automatically from oval definitions file.</xccdf:description>
- <xccdf:version>
- <xsl:attribute name="time">
- <xsl:value-of select="normalize-space(oval-def:oval_definitions/oval-def:generator/oval:timestamp[1]/text())"/>
- </xsl:attribute>
- <xsl:text>None, generated from OVAL file.</xsl:text>
- </xccdf:version>
- <xsl:apply-templates select="oval-def:oval_definitions/oval-def:definitions/oval-def:definition"/>
- </xccdf:Benchmark>
- </xsl:template>
-
- <xsl:template match="oval-def:definition">
- <xccdf:Rule selected="true">
- <xsl:attribute name="id">
- <xsl:value-of select="translate(@id,':','-')"/>
- </xsl:attribute>
- <xccdf:title>
- <xsl:copy-of select="oval-def:metadata/oval-def:title/text()"/>
- </xccdf:title>
- <xsl:apply-templates select="oval-def:metadata/oval-def:advisory/oval-def:cve"/>
- <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref href="file">
- <xsl:attribute name="name">
- <xsl:value-of select="@id"/>
- </xsl:attribute>
- <xsl:attribute name="href">
- <xsl:value-of select="$ovalfile"/>
- </xsl:attribute>
- </xccdf:check-content-ref>
- </xccdf:check>
- </xccdf:Rule>
- </xsl:template>
-
- <xsl:template match="oval-def:cve">
- <xccdf:ident system="http://cve.mitre.org">
- <xsl:copy-of select="text()"/>
- </xccdf:ident>
- </xsl:template>
-</xsl:stylesheet>
-
diff --git a/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh b/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh
deleted file mode 100644
index 48a7485..0000000
--- a/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-oscap oval eval \
---report oval.html \
---verbose-log-file filedevel.log \
---verbose DEVEL \
-/usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml
diff --git a/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh b/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh
deleted file mode 100644
index 70cd82c..0000000
--- a/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-#oscap oval eval --result-file ./myresults.xml ./OpenEmbedded_nodistro_0.xml
-
-oscap xccdf eval --results results.xml --report report.html OpenEmbedded_nodistro_0.xccdf.xml
diff --git a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
deleted file mode 100644
index fd53fcb..0000000
--- a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "OE SCAP files"
-LIC_FILES_CHKSUM = "file://README.md;md5=46dec9f167b6e05986cb4023df6d92f4"
-LICENSE = "MIT"
-
-SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
-SRC_URI = "git://github.com/akuster/oe-scap.git"
-SRC_URI += " \
- file://run_cve.sh \
- file://run_test.sh \
- file://OpenEmbedded_nodistro_0.xml \
- file://OpenEmbedded_nodistro_0.xccdf.xml \
- "
-
-S = "${WORKDIR}/git"
-
-do_configure[noexec] = "1"
-do_compile[noexec] = "1"
-
-do_install () {
- install -d ${D}/${datadir}/oe-scap
- install ${WORKDIR}/run_cve.sh ${D}/${datadir}/oe-scap/.
- install ${WORKDIR}/run_test.sh ${D}/${datadir}/oe-scap/.
- install ${WORKDIR}/OpenEmbedded_nodistro_0.xml ${D}/${datadir}/oe-scap/.
- install ${WORKDIR}/OpenEmbedded_nodistro_0.xccdf.xml ${D}/${datadir}/oe-scap/.
- cp ${S}/* ${D}/${datadir}/oe-scap/.
-}
-
-FILES_${PN} += "${datadir}/oe-scap"
-
-RDEPENDS_${PN} = "openscap bash"
diff --git a/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch b/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
deleted file mode 100644
index 2a518bf..0000000
--- a/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Mon, 2 Jul 2018 11:21:19 +0200
-Subject: [PATCH] Renamed module and variables to get rid of async.
-
-async is a reserved word in Python 3.7.
-
-Upstream-Status: Backport
-[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- openscap_daemon/{async.py => async_tools.py} | 0
- openscap_daemon/dbus_daemon.py | 2 +-
- openscap_daemon/system.py | 16 ++++++++--------
- tests/unit/test_basic_update.py | 3 ++-
- 4 files changed, 11 insertions(+), 10 deletions(-)
- rename openscap_daemon/{async.py => async_tools.py} (100%)
-
-diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py
-similarity index 100%
-rename from openscap_daemon/async.py
-rename to openscap_daemon/async_tools.py
-diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py
-index e6eadf9..cb6a8b6 100644
---- a/openscap_daemon/dbus_daemon.py
-+++ b/openscap_daemon/dbus_daemon.py
-@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object):
- @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
- in_signature="", out_signature="a(xsi)")
- def GetAsyncActionsStatus(self):
-- return self.system.async.get_status()
-+ return self.system.async_manager.get_status()
-
- @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
- in_signature="s", out_signature="(sssn)")
-diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py
-index 2012f6e..85c2680 100644
---- a/openscap_daemon/system.py
-+++ b/openscap_daemon/system.py
-@@ -26,7 +26,7 @@ import logging
- from openscap_daemon.task import Task
- from openscap_daemon.config import Configuration
- from openscap_daemon import oscap_helpers
--from openscap_daemon import async
-+from openscap_daemon import async_tools
-
-
- class ResultsNotAvailable(Exception):
-@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10
-
- class System(object):
- def __init__(self, config_file):
-- self.async = async.AsyncManager()
-+ self.async_manager = async_tools.AsyncManager()
-
- logging.info("Loading configuration from '%s'.", config_file)
- self.config = Configuration()
-@@ -90,7 +90,7 @@ class System(object):
- input_file, tailoring_file, None
- )
-
-- class AsyncEvaluateSpecAction(async.AsyncAction):
-+ class AsyncEvaluateSpecAction(async_tools.AsyncAction):
- def __init__(self, system, spec):
- super(System.AsyncEvaluateSpecAction, self).__init__()
-
-@@ -113,7 +113,7 @@ class System(object):
- return "Evaluate Spec '%s'" % (self.spec)
-
- def evaluate_spec_async(self, spec):
-- return self.async.enqueue(
-+ return self.async_manager.enqueue(
- System.AsyncEvaluateSpecAction(
- self,
- spec
-@@ -488,7 +488,7 @@ class System(object):
-
- return ret
-
-- class AsyncUpdateTaskAction(async.AsyncAction):
-+ class AsyncUpdateTaskAction(async_tools.AsyncAction):
- def __init__(self, system, task_id, reference_datetime):
- super(System.AsyncUpdateTaskAction, self).__init__()
-
-@@ -536,7 +536,7 @@ class System(object):
-
- if task.should_be_updated(reference_datetime):
- self.tasks_scheduled.add(task.id_)
-- self.async.enqueue(
-+ self.async_manager.enqueue(
- System.AsyncUpdateTaskAction(
- self,
- task.id_,
-@@ -662,7 +662,7 @@ class System(object):
- fix_type
- )
-
-- class AsyncEvaluateCVEScannerWorkerAction(async.AsyncAction):
-+ class AsyncEvaluateCVEScannerWorkerAction(async_tools.AsyncAction):
- def __init__(self, system, worker):
- super(System.AsyncEvaluateCVEScannerWorkerAction, self).__init__()
-
-@@ -680,7 +680,7 @@ class System(object):
- return "Evaluate CVE Scanner Worker '%s'" % (self.worker)
-
- def evaluate_cve_scanner_worker_async(self, worker):
-- return self.async.enqueue(
-+ return self.async_manager.enqueue(
- System.AsyncEvaluateCVEScannerWorkerAction(
- self,
- worker
-diff --git a/tests/unit/test_basic_update.py b/tests/unit/test_basic_update.py
-index 6f683e6..7f953f7 100755
---- a/tests/unit/test_basic_update.py
-+++ b/tests/unit/test_basic_update.py
-@@ -37,8 +37,9 @@ class BasicUpdateTest(unit_test_harness.APITest):
- print(self.system.tasks)
- self.system.schedule_tasks()
-
-- while len(self.system.async.actions) > 0:
-+ while len(self.system.async_manager.actions) > 0:
- time.sleep(1)
-
-+
- if __name__ == "__main__":
- BasicUpdateTest.run()
---
-2.7.4
-
diff --git a/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
deleted file mode 100644
index a775021..0000000
--- a/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "The OpenSCAP Daemon is a service that runs in the background."
-HOME_URL = "https://www.open-scap.org/tools/openscap-daemon/"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=40d2542b8c43a3ec2b7f5da31a697b88"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "python3-dbus"
-
-SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
-SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git \
- file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
- "
-
-inherit setuptools3
-
-S = "${WORKDIR}/git"
-
-RDEPENDS_${PN} = "openscap scap-security-guide \
- python3-core python3-dbus \
- python3-pygobject \
- "
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb
deleted file mode 100644
index 51fa9ee..0000000
--- a/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-SUMARRY = "NIST Certified SCAP 1.2 toolkit"
-
-require openscap.inc
-
-SRCREV = "0cb55c55af6be9934d6fd0caf4563b206f289732"
-SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \
-"
-
-DEFAULT_PREFERENCE = "-1"
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
deleted file mode 100644
index 73a4729..0000000
--- a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes"
-
-include openscap.inc
-
-SRCREV = "a85943eee400fdbe59234d1c4a02d8cf710c4625"
-SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \
-"
-
-PV = "1.3.3+git${SRCPV}"
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch b/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
deleted file mode 100644
index c0b93e4..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 174293162e5840684d967e36840fc1f9f57c90be Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Thu, 5 Dec 2019 15:02:05 +0100
-Subject: [PATCH] Fix XML "parsing" of the remediation functions file.
-
-A proper fix is not worth the effort, as we aim to kill shared Bash remediation
-with Jinja2 macros.
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/174293162e5840684d967e36840fc1f9f57c90be]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_remediations.py | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 7da807bd6..13e90f732 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -56,11 +56,11 @@ def get_available_functions(build_dir):
- remediation_functions = []
- with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
- filestring = xmlfile.read()
-- # This regex looks implementation dependent but we can rely on
-- # ElementTree sorting XML attrs alphabetically. Hidden is guaranteed
-- # to be the first attr and ID is guaranteed to be second.
-+ # This regex looks implementation dependent but we can rely on the element attributes
-+ # being present on one line.
-+ # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
- remediation_functions = re.findall(
-- r'<Value hidden=\"true\" id=\"function_(\S+)\"',
-+ r'<Value.*id=\"function_(\S+)\"',
- filestring, re.DOTALL
- )
-
---
-2.17.1
-
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch b/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch
deleted file mode 100644
index 60664a3..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 2beb4bc83a157b21edb1a3fef295cd4cced467df Mon Sep 17 00:00:00 2001
-From: Jate Sujjavanich <jatedev@gmail.com>
-Date: Thu, 7 Jan 2021 18:10:01 -0500
-Subject: [PATCH 1/3] Fix platform spec, file check, tests in installed OS
- detect for openembedded
-
-Change platform to multi in openembedded installed check matching others
-and allowing compile of xml into oval
----
- shared/checks/oval/installed_OS_is_openembedded.xml | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
-index 763d17bcb..01df16b43 100644
---- a/shared/checks/oval/installed_OS_is_openembedded.xml
-+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
-@@ -1,11 +1,9 @@
--</def-group>
--
- <def-group>
- <definition class="inventory" id="installed_OS_is_openembedded" version="2">
- <metadata>
- <title>OpenEmbedded</title>
- <affected family="unix">
-- <platform>OPENEMBEDDED</platform>
-+ <platform>multi_platform_all</platform>
- </affected>
- <reference ref_id="cpe:/o:openembedded:openembedded:0"
- source="CPE" />
-@@ -20,8 +18,11 @@
- </criteria>
- </definition>
-
-- <ind:textfilecontent54_object id="test_openembedded" version="1" comment="Check OPenEmbedded version">
-- <ind:filepath>/etc/os-release/ind:filepath>
-+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded version" id="test_openembedded" version="1">
-+ <ind:object object_ref="obj_openembedded" />
-+ </ind:textfilecontent54_test>
-+ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded version">
-+ <ind:filepath>/etc/os-release</ind:filepath>
- <ind:pattern operation="pattern match">^VERSION_ID=\"nodistro\.[0-9].$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
---
-2.24.3 (Apple Git-128)
-
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-fix-deprecated-instance-of-element.getchildren.patch b/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-fix-deprecated-instance-of-element.getchildren.patch
deleted file mode 100644
index 01e3dd6..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-fix-deprecated-instance-of-element.getchildren.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From e435bf2dc59d652710104a1c59332e410b12bb64 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 8 Jun 2020 12:33:48 +0200
-Subject: [PATCH] fix deprecated instance of element.getchildren
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/e435bf2dc59d652710104a1c59332e410b12bb64]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_remediations.py | 2 +-
- ssg/build_stig.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index fdde0f268..c18d6bd54 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -735,7 +735,7 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
- # First concat output form of modified fix text (including text appended
- # to all children of the fix)
- modfix = [fix.text]
-- for child in fix.getchildren():
-+ for child in list(fix):
- if child is not None and child.text is not None:
- modfix.append(child.text)
- modfixtext = "".join(modfix)
-diff --git a/ssg/build_stig.py b/ssg/build_stig.py
-index 528285f3d..6122981fc 100644
---- a/ssg/build_stig.py
-+++ b/ssg/build_stig.py
-@@ -38,7 +38,7 @@ def add_references(reference, destination):
- for ref in refs:
- if (ref.get('href').startswith(stig_refs) and
- ref.text in dictionary):
-- index = rule.getchildren().index(ref)
-+ index = list(rule).index(ref)
- new_ref = ET.Element(
- '{%s}reference' % XCCDF11_NS, {'href': stig_ns})
- new_ref.text = dictionary[ref.text]
---
-2.17.1
-
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fix-missing-openembedded-from-ssg-constants.py.patch b/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fix-missing-openembedded-from-ssg-constants.py.patch
deleted file mode 100644
index 1e712f6..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fix-missing-openembedded-from-ssg-constants.py.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 037a12301968a56f0c7e492ea4a05d2eecbd4cc6 Mon Sep 17 00:00:00 2001
-From: Jate Sujjavanich <jatedev@gmail.com>
-Date: Fri, 8 Jan 2021 20:18:00 -0500
-Subject: [PATCH 2/3] Fix missing openembedded from ssg/constants.py
-
----
- ssg/constants.py | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ssg/constants.py b/ssg/constants.py
-index fab7cda5d..2ca289f84 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -234,7 +234,8 @@ PRODUCT_TO_CPE_MAPPING = {
- }
-
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
-- "wrlinux", "opensuse", "sle", "ol", "ocp", "example"]
-+ "wrlinux", "opensuse", "sle", "ol", "ocp", "example",
-+ "openembedded"]
-
- MULTI_PLATFORM_MAPPING = {
- "multi_platform_debian": ["debian8"],
-@@ -249,6 +250,7 @@ MULTI_PLATFORM_MAPPING = {
- "multi_platform_sle": ["sle11", "sle12"],
- "multi_platform_ubuntu": ["ubuntu1404", "ubuntu1604", "ubuntu1804"],
- "multi_platform_wrlinux": ["wrlinux"],
-+ "multi_platform_openembedded": ["openembedded"],
- }
-
- RHEL_CENTOS_CPE_MAPPING = {
---
-2.24.3 (Apple Git-128)
-
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch b/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
deleted file mode 100644
index f0c9909..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 28a35d63a0cc6b7beb51c77d93bb30778e6960cd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Mon, 9 Dec 2019 13:41:47 +0100
-Subject: [PATCH] Fixed the broken fix, when greedy regex ate the whole file.
-
-We want to match attributes in an XML element, not in the whole file.
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/28a35d63a0cc6b7beb51c77d93bb30778e6960cd]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_remediations.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 13e90f732..edf31c0cf 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -57,10 +57,10 @@ def get_available_functions(build_dir):
- with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
- filestring = xmlfile.read()
- # This regex looks implementation dependent but we can rely on the element attributes
-- # being present on one line.
-+ # being present. Beware, DOTALL means we go through the whole file at once.
- # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
- remediation_functions = re.findall(
-- r'<Value.*id=\"function_(\S+)\"',
-+ r'<Value[^>]+id=\"function_(\S+)\"',
- filestring, re.DOTALL
- )
-
---
-2.17.1
-
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-fix-deprecated-getiterator-function.patch b/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-fix-deprecated-getiterator-function.patch
deleted file mode 100644
index 84271c4..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-fix-deprecated-getiterator-function.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b0adc1d53780def4a95e310b6d26bb91ee97177e Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 8 Jun 2020 13:27:41 +0200
-Subject: [PATCH] fix deprecated getiterator function
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/b0adc1d53780def4a95e310b6d26bb91ee97177e]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_cpe.py | 6 +++---
- ssg/id_translate.py | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ssg/build_cpe.py b/ssg/build_cpe.py
-index 2e5d24a5d..8c046777a 100644
---- a/ssg/build_cpe.py
-+++ b/ssg/build_cpe.py
-@@ -17,7 +17,7 @@ def extract_subelement(objects, sub_elem_type):
- """
-
- for obj in objects:
-- for subelement in obj.getiterator():
-+ for subelement in obj.iter():
- if subelement.get(sub_elem_type):
- sub_element = subelement.get(sub_elem_type)
- return sub_element
-@@ -44,12 +44,12 @@ def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
- reflist = []
- elementlist = []
-
-- for element in tree_with_refs.getiterator():
-+ for element in tree_with_refs.iter():
- value = element.get(attrname)
- if value is not None:
- reflist.append(value)
-
-- for element in tree_with_ids.getiterator():
-+ for element in tree_with_ids.iter():
- if element.get("id") in reflist:
- elementlist.append(element)
-
-diff --git a/ssg/id_translate.py b/ssg/id_translate.py
-index 72b07be18..ba9225904 100644
---- a/ssg/id_translate.py
-+++ b/ssg/id_translate.py
-@@ -64,7 +64,7 @@ class IDTranslator(object):
- )
-
- def translate(self, tree, store_defname=False):
-- for element in tree.getiterator():
-+ for element in tree.iter():
- idname = element.get("id")
- if idname:
- # store the old name if requested (for OVAL definitions)
---
-2.17.1
-
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0003-fix-remaining-getchildren-and-getiterator-functions.patch b/meta-security-compliance/recipes-openscap/scap-security-guide/files/0003-fix-remaining-getchildren-and-getiterator-functions.patch
deleted file mode 100644
index 8162292..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/files/0003-fix-remaining-getchildren-and-getiterator-functions.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From a0da16c5eeb9a7414f7f2a37a6b270c8d04b2ddf Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 8 Jun 2020 14:01:55 +0200
-Subject: [PATCH] fix remaining getchildren and getiterator functions
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/a0da16c5eeb9a7414f7f2a37a6b270c8d04b2ddf]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- build-scripts/sds_move_ocil_to_checks.py | 2 +-
- build-scripts/verify_references.py | 2 +-
- shared/transforms/pcidss/transform_benchmark_to_pcidss.py | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/build-scripts/sds_move_ocil_to_checks.py b/build-scripts/sds_move_ocil_to_checks.py
-index 5f5139659..64dc19084 100755
---- a/build-scripts/sds_move_ocil_to_checks.py
-+++ b/build-scripts/sds_move_ocil_to_checks.py
-@@ -106,7 +106,7 @@ def move_ocil_content_from_ds_extended_component_to_ds_component(datastreamtree,
- timestamp = extendedcomp.get('timestamp')
-
- # Get children elements of <ds:extended-component> containing OCIL content
-- extchildren = extendedcomp.getchildren()
-+ extchildren = list(extendedcomp)
- # There should be just one OCIL subcomponent in <ds:extended-component>
- if len(extchildren) != 1:
- sys.stderr.write("ds:extended-component contains more than one element!"
-diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py
-index 69b3e2d1f..95d387f46 100755
---- a/build-scripts/verify_references.py
-+++ b/build-scripts/verify_references.py
-@@ -179,7 +179,7 @@ def main():
- check_content_refs = xccdftree.findall(".//{%s}check-content-ref"
- % xccdf_ns)
-
-- xccdf_parent_map = dict((c, p) for p in xccdftree.getiterator() for c in p)
-+ xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
- # now we can actually do the verification work here
- if options.rules_with_invalid_checks or options.all_checks:
- for check_content_ref in check_content_refs:
-diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
-index 0ceaf727d..c94b12c45 100755
---- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
-+++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
-@@ -111,7 +111,7 @@ def main():
- benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
- values.append(value)
-
-- parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
-+ parent_map = dict((c, p) for p in benchmark.iter() for c in p)
- for rule in \
- benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
- parent_map[rule].remove(rule)
---
-2.17.1
-
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
deleted file mode 100644
index d1a9511..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "SCAP content for various platforms"
-HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native"
-
-S = "${WORKDIR}/git"
-
-inherit cmake pkgconfig python3native python3targetconfig
-
-STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
-export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
-export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
-
-OECMAKE_GENERATOR = "Unix Makefiles"
-
-EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF"
-
-B = "${S}/build"
-
-do_configure[depends] += "openscap-native:do_install"
-
-do_configure_prepend () {
- sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
- sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
-}
-
-FILES_${PN} += "${datadir}/xml"
-
-RDEPENDS_${PN} = "openscap"
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
deleted file mode 100644
index d80ecd7..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-SUMARRY = "SCAP content for various platforms, upstream version"
-
-SRCREV = "8cb2d0f351faff5440742258782281164953b0a6"
-SRC_URI = "git://github.com/ComplianceAsCode/content.git"
-
-DEFAULT_PREFERENCE = "-1"
-
-require scap-security-guide.inc
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
deleted file mode 100644
index 0617c56..0000000
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMARRY = "SCAP content for various platforms, OE changes"
-
-SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
-SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44; \
- file://0001-Fix-XML-parsing-of-the-remediation-functions-file.patch \
- file://0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch \
- file://0001-fix-deprecated-instance-of-element.getchildren.patch \
- file://0002-fix-deprecated-getiterator-function.patch \
- file://0003-fix-remaining-getchildren-and-getiterator-functions.patch \
- file://0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch \
- file://0002-Fix-missing-openembedded-from-ssg-constants.py.patch \
- "
-PV = "0.1.44+git${SRCPV}"
-
-require scap-security-guide.inc
-
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON"
diff --git a/meta-security-isafw/.gitignore b/meta-security-isafw/.gitignore
deleted file mode 100644
index 2f836aa..0000000
--- a/meta-security-isafw/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*~
-*.pyc
diff --git a/meta-security-isafw/COPYING.MIT b/meta-security-isafw/COPYING.MIT
deleted file mode 100644
index fb950dc..0000000
--- a/meta-security-isafw/COPYING.MIT
+++ /dev/null
@@ -1,17 +0,0 @@
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/meta-security-isafw/README.md b/meta-security-isafw/README.md
deleted file mode 100644
index 16041cb..0000000
--- a/meta-security-isafw/README.md
+++ /dev/null
@@ -1,92 +0,0 @@
-**meta-security-isafw** is an OE layer that allows enabling the Image
-Security Analysis Framework (isafw) for your image builds.
-
-The primary purpose of isafw is to provide an extensible
-framework for analysing different security aspects of images
-during the build process.
-
-The isafw project itself can be found at
- https://github.com/01org/isafw
-
-The framework supports a number of callbacks (such as
-process_package(), process_filesystem(), and etc.) that are invoked
-by the bitbake during different stages of package and image build.
-These callbacks are then forwarded for processing to the avaliable
-ISA FW plugins that have registered for these callbacks.
-Plugins can do their own processing on each stage of the build
-process and produce security reports.
-
-Dependencies
-------------
-
-The **meta-security-isafw** layer depends on the Open Embeeded
-core layer:
-
- git://git.openembedded.org/openembedded-core
-
-
-Usage
------
-
-In order to enable the isafw during the image build, please add
-the following line to your build/conf/local.conf file:
-
-```python
-INHERIT += "isafw"
-```
-
-Next you need to update your build/conf/bblayers.conf file with the
-location of meta-security-isafw layer on your filesystem along with
-any other layers needed. e.g.:
-
-```python
-BBLAYERS ?= " \
- /OE/oe-core/meta \
- /OE/meta-security/meta-security-isafw \
- "
-```
-
-Also, some isafw plugins require network connection, so in case of a
-proxy setup please make sure to export http_proxy variable into your
-environment.
-
-In order to produce image reports, you can execute image build
-normally. For example:
-
-```shell
-bitbake core-image-minimal
-```
-
-If you are only interested to produce a report based on packages
-and without building an image, please use:
-
-```shell
-bitbake -c analyse_sources_all core-image-minimal
-```
-
-
-Logs
-----
-
-All isafw plugins by default create their logs under the
-${LOG_DIR}/isafw-report/ directory, where ${LOG_DIR} is a bitbake
-default location for log files. If you wish to change this location,
-please define ISAFW_REPORTDIR variable in your local.conf file.
-
-Patches
--------
-end pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
-
-When sending single patches, please using something like:
-'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][PATCH'
-
-These values can be set as defaults for this repository:
-
-$ git config sendemail.to yocto@lists.yoctoproject.org
-$ git config format.subjectPrefix meta-security-isafw][PATCH
-
-Now you can just do 'git send-email origin/master' to send all local patches.
-
-For pull requests, please use create-pull-request and send-pull-request.
-
-Maintainers: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security-isafw/classes/isafw.bbclass b/meta-security-isafw/classes/isafw.bbclass
deleted file mode 100644
index 146acdf..0000000
--- a/meta-security-isafw/classes/isafw.bbclass
+++ /dev/null
@@ -1,318 +0,0 @@
-# Security scanning class
-#
-# Based in part on buildhistory.bbclass which was in turn based on
-# testlab.bbclass and packagehistory.bbclass
-#
-# Copyright (C) 2011-2015 Intel Corporation
-# Copyright (C) 2007-2011 Koen Kooi <koen@openembedded.org>
-#
-
-LICENSE = "MIT"
-
-require conf/distro/include/distro_alias.inc
-
-ISAFW_WORKDIR = "${WORKDIR}/isafw"
-ISAFW_REPORTDIR ?= "${LOG_DIR}/isafw-report"
-ISAFW_LOGDIR ?= "${LOG_DIR}/isafw-logs"
-
-ISAFW_PLUGINS_WHITELIST ?= ""
-ISAFW_PLUGINS_BLACKLIST ?= ""
-
-ISAFW_LA_PLUGIN_IMAGE_WHITELIST ?= ""
-ISAFW_LA_PLUGIN_IMAGE_BLACKLIST ?= ""
-
-# First, code to handle scanning each recipe that goes into the build
-
-do_analysesource[nostamp] = "1"
-do_analysesource[cleandirs] = "${ISAFW_WORKDIR}"
-
-python do_analysesource() {
- from isafw import isafw
-
- imageSecurityAnalyser = isafw_init(isafw, d)
-
- if not d.getVar('SRC_URI', True):
- # Recipe didn't fetch any sources, nothing to do here I assume?
- return
-
- recipe = isafw.ISA_package()
- recipe.name = d.getVar('BPN', True)
- recipe.version = d.getVar('PV', True)
- recipe.version = recipe.version.split('+git', 1)[0]
-
- for p in d.getVar('PACKAGES', True).split():
- license = str(d.getVar('LICENSE_' + p, True))
- if license == "None":
- license = d.getVar('LICENSE', True)
- license = license.replace("(", "")
- license = license.replace(")", "")
- licenses = license.split()
- while '|' in licenses:
- licenses.remove('|')
- while '&' in licenses:
- licenses.remove('&')
- for l in licenses:
- recipe.licenses.append(p + ":" + canonical_license(d, l))
-
- aliases = d.getVar('DISTRO_PN_ALIAS', True)
- if aliases:
- recipe.aliases = aliases.split()
- faliases = []
- for a in recipe.aliases:
- if (a != "OSPDT") and (not (a.startswith("upstream="))):
- faliases.append(a.split('=', 1)[-1])
- # remove possible duplicates in pkg names
- faliases = list(set(faliases))
- recipe.aliases = faliases
-
- for patch in src_patches(d):
- _,_,local,_,_,_=bb.fetch.decodeurl(patch)
- recipe.patch_files.append(os.path.basename(local))
- if (not recipe.patch_files) :
- recipe.patch_files.append("None")
-
- # Pass the recipe object to the security framework
- bb.debug(1, '%s: analyse sources' % (d.getVar('PN', True)))
- imageSecurityAnalyser.process_package(recipe)
-
- return
-}
-
-addtask do_analysesource before do_build
-
-# This task intended to be called after default task to process reports
-
-PR_ORIG_TASK := "${BB_DEFAULT_TASK}"
-addhandler process_reports_handler
-process_reports_handler[eventmask] = "bb.event.BuildCompleted"
-
-python process_reports_handler() {
- from isafw import isafw
-
- dd = d.createCopy()
- target_sysroot = dd.expand("${STAGING_DIR}/${MACHINE}")
- native_sysroot = dd.expand("${STAGING_DIR}/${BUILD_ARCH}")
- staging_populate_sysroot_dir(target_sysroot, native_sysroot, True, dd)
-
- dd.setVar("STAGING_DIR_NATIVE", native_sysroot)
- savedenv = os.environ.copy()
- os.environ["PATH"] = dd.getVar("PATH", True)
-
- imageSecurityAnalyser = isafw_init(isafw, dd)
- bb.debug(1, 'isafw: process reports')
- imageSecurityAnalyser.process_report()
-
- os.environ["PATH"] = savedenv["PATH"]
-}
-
-do_build[depends] += "cve-update-db-native:do_populate_cve_db ca-certificates-native:do_populate_sysroot"
-do_build[depends] += "python3-lxml-native:do_populate_sysroot"
-
-# These tasks are intended to be called directly by the user (e.g. bitbake -c)
-
-addtask do_analyse_sources after do_analysesource
-do_analyse_sources[doc] = "Produce ISAFW reports based on given package without building it"
-do_analyse_sources[nostamp] = "1"
-do_analyse_sources() {
- :
-}
-
-addtask do_analyse_sources_all after do_analysesource
-do_analyse_sources_all[doc] = "Produce ISAFW reports for all packages in given target without building them"
-do_analyse_sources_all[recrdeptask] = "do_analyse_sources_all do_analysesource"
-do_analyse_sources_all[recideptask] = "do_${PR_ORIG_TASK}"
-do_analyse_sources_all[nostamp] = "1"
-do_analyse_sources_all() {
- :
-}
-
-python() {
- # We probably don't need to scan these
- if bb.data.inherits_class('native', d) or \
- bb.data.inherits_class('nativesdk', d) or \
- bb.data.inherits_class('cross', d) or \
- bb.data.inherits_class('crosssdk', d) or \
- bb.data.inherits_class('cross-canadian', d) or \
- bb.data.inherits_class('packagegroup', d) or \
- bb.data.inherits_class('image', d):
- bb.build.deltask('do_analysesource', d)
-}
-
-fakeroot python do_analyse_image() {
-
- from isafw import isafw
-
- imageSecurityAnalyser = isafw_init(isafw, d)
-
- # Directory where the image's entire contents can be examined
- rootfsdir = d.getVar('IMAGE_ROOTFS', True)
-
- imagebasename = d.getVar('IMAGE_BASENAME', True)
-
- kernelconf = d.getVar('STAGING_KERNEL_BUILDDIR', True) + "/.config"
- if os.path.exists(kernelconf):
- kernel = isafw.ISA_kernel()
- kernel.img_name = imagebasename
- kernel.path_to_config = kernelconf
- bb.debug(1, 'do kernel conf analysis on %s' % kernelconf)
- imageSecurityAnalyser.process_kernel(kernel)
- else:
- bb.debug(1, 'Kernel configuration file is missing. Not performing analysis on %s' % kernelconf)
-
- pkglist = manifest2pkglist(d)
-
- imagebasename = d.getVar('IMAGE_BASENAME', True)
-
- if (pkglist):
- pkg_list = isafw.ISA_pkg_list()
- pkg_list.img_name = imagebasename
- pkg_list.path_to_list = pkglist
- bb.debug(1, 'do pkg list analysis on %s' % pkglist)
- imageSecurityAnalyser.process_pkg_list(pkg_list)
-
- fs = isafw.ISA_filesystem()
- fs.img_name = imagebasename
- fs.path_to_fs = rootfsdir
-
- bb.debug(1, 'do image analysis on %s' % rootfsdir)
- imageSecurityAnalyser.process_filesystem(fs)
-}
-
-do_rootfs[depends] += "checksec-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
-do_rootfs[depends] += "prelink-native:do_populate_sysroot"
-do_rootfs[depends] += "python3-lxml-native:do_populate_sysroot"
-
-isafw_init[vardepsexclude] = "DATETIME"
-def isafw_init(isafw, d):
- import re, errno
-
- isafw_config = isafw.ISA_config()
- # Override the builtin default in curl-native (used by cve-update-db-nativ)
- # because that default is a path that may not be valid: when curl-native gets
- # installed from sstate, we end up with the sysroot path as it was on the
- # original build host, which is not necessarily the same path used now
- # (see https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883).
- #
- # Can't use ${sysconfdir} here, it already includes ${STAGING_DIR_NATIVE}
- # when the current recipe is native.
- isafw_config.cacert = d.expand('${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt')
-
- bb.utils.export_proxies(d)
-
- isafw_config.machine = d.getVar('MACHINE', True)
- isafw_config.timestamp = d.getVar('DATETIME', True)
- isafw_config.reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + isafw_config.timestamp
- if not os.path.exists(os.path.dirname(isafw_config.reportdir + "/test")):
- try:
- os.makedirs(os.path.dirname(isafw_config.reportdir + "/test"))
- except OSError as exc:
- if exc.errno == errno.EEXIST and os.path.isdir(isafw_config.reportdir):
- pass
- else: raise
- isafw_config.logdir = d.getVar('ISAFW_LOGDIR', True)
- # Adding support for arm
- # TODO: Add support for other platforms
- isafw_config.arch = d.getVar('TARGET_ARCH', True)
- if ( isafw_config.arch != "arm" ):
- isafw_config.arch = "x86"
-
- whitelist = d.getVar('ISAFW_PLUGINS_WHITELIST', True)
- blacklist = d.getVar('ISAFW_PLUGINS_BLACKLIST', True)
- if whitelist:
- isafw_config.plugin_whitelist = re.split(r'[,\s]*', whitelist)
- if blacklist:
- isafw_config.plugin_blacklist = re.split(r'[,\s]*', blacklist)
-
- la_image_whitelist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_WHITELIST', True)
- la_image_blacklist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_BLACKLIST', True)
- if la_image_whitelist:
- isafw_config.la_plugin_image_whitelist = re.split(r'[,\s]*', la_image_whitelist)
- if la_image_blacklist:
- isafw_config.la_plugin_image_blacklist = re.split(r'[,\s]*', la_image_blacklist)
-
- return isafw.ISA(isafw_config)
-
-# based on toaster.bbclass _toaster_load_pkgdatafile function
-def binary2source(dirpath, filepath):
- import re
- originPkg = ""
- with open(os.path.join(dirpath, filepath), "r") as fin:
- for line in fin:
- try:
- kn, kv = line.strip().split(": ", 1)
- m = re.match(r"^PKG_([^A-Z:]*)", kn)
- if m:
- originPkg = str(m.group(1))
- except ValueError:
- pass # ignore lines without valid key: value pairs:
- if not originPkg:
- originPkg = "UNKNOWN"
- return originPkg
-
-manifest2pkglist[vardepsexclude] = "DATETIME"
-def manifest2pkglist(d):
- import glob
-
- manifest_file = d.getVar('IMAGE_MANIFEST', True)
- imagebasename = d.getVar('IMAGE_BASENAME', True)
- reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + d.getVar('DATETIME', True)
- pkgdata_dir = d.getVar("PKGDATA_DIR", True)
- rr_dir = "%s/runtime-reverse/" % pkgdata_dir
- pkglist = reportdir + "/pkglist"
-
- with open(pkglist, 'a') as foutput:
- foutput.write("Packages for image " + imagebasename + "\n")
- try:
- with open(manifest_file, 'r') as finput:
- for line in finput:
- items = line.split()
- if items and (len(items) >= 3):
- pkgnames = map(os.path.basename, glob.glob(os.path.join(rr_dir, items[0])))
- for pkgname in pkgnames:
- originPkg = binary2source(rr_dir, pkgname)
- version = items[2]
- if not version:
- version = "undetermined"
- foutput.write(pkgname + " " + version + " " + originPkg + "\n")
- except IOError:
- bb.debug(1, 'isafw: manifest file not found. Skip pkg list analysis')
- return "";
-
-
- return pkglist
-
-# NOTE: by the time IMAGE_POSTPROCESS_COMMAND items are called, the image
-# has been stripped of the package manager database (if runtime package management
-# is not enabled, i.e. 'package-management' is not in IMAGE_FEATURES). If you
-# do want to be using the package manager to operate on the image contents, you'll
-# need to call your function from ROOTFS_POSTINSTALL_COMMAND or
-# ROOTFS_POSTUNINSTALL_COMMAND instead - however if you do that you should then be
-# aware that what you'll be looking at isn't exactly what you will see in the image
-# at runtime (there will be other postprocessing functions called after yours).
-#
-# do_analyse_image does not need the package manager database. Making it
-# a separate task instead of a IMAGE_POSTPROCESS_COMMAND has several
-# advantages:
-# - all other image commands are guaranteed to have completed
-# - it can run in parallel to other tasks which depend on the complete
-# image, instead of blocking those other tasks
-# - meta-swupd helper images do not need to be analysed and won't be
-# because nothing depends on their "do_build" task, only on
-# do_image_complete
-python () {
- if bb.data.inherits_class('image', d):
- bb.build.addtask('do_analyse_image', 'do_build', 'do_image_complete', d)
-}
-
-python isafwreport_handler () {
-
- import shutil
-
- logdir = e.data.getVar('ISAFW_LOGDIR', True)
- if os.path.exists(os.path.dirname(logdir+"/test")):
- shutil.rmtree(logdir)
- os.makedirs(os.path.dirname(logdir+"/test"))
-
-}
-addhandler isafwreport_handler
-isafwreport_handler[eventmask] = "bb.event.BuildStarted"
diff --git a/meta-security-isafw/conf/layer.conf b/meta-security-isafw/conf/layer.conf
deleted file mode 100644
index 1f1095f..0000000
--- a/meta-security-isafw/conf/layer.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# We have a conf and classes directory, add to BBPATH
-BBPATH .= ":${LAYERDIR}"
-
-# We have recipes-* directories, add to BBFILES
-BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
-
-BBFILE_COLLECTIONS += "security-isafw"
-BBFILE_PATTERN_security-isafw = "^${LAYERDIR}/"
-BBFILE_PRIORITY_security-isafw = "6"
-
-# This should only be incremented on significant changes that will
-# cause compatibility issues with other layers
-LAYERVERSION_security-isafw = "1"
-
-LAYERDEPENDS_security-isafw = "core"
-
-LAYERSERIES_COMPAT_security-isafw = "hardknott"
diff --git a/meta-security-isafw/lib/isafw/__init__.py b/meta-security-isafw/lib/isafw/__init__.py
deleted file mode 100644
index 50527fb..0000000
--- a/meta-security-isafw/lib/isafw/__init__.py
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# __init__.py - part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-"""isafw
-
-Current Contents:
-
-* isafw.py - main class
-* plugins - ISA plugins
-* plugins/configs - configuration data for the plugins
-"""
-
-__all__ = [
- 'isafw',
-]
diff --git a/meta-security-isafw/lib/isafw/isafw.py b/meta-security-isafw/lib/isafw/isafw.py
deleted file mode 100644
index a1a76b8..0000000
--- a/meta-security-isafw/lib/isafw/isafw.py
+++ /dev/null
@@ -1,158 +0,0 @@
-#
-# isafw.py - Main classes for ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-from __future__ import absolute_import, print_function
-
-import sys
-import traceback
-try:
- # absolute import
- import isafw.isaplugins as isaplugins
-except ImportError:
- # relative import when installing as separate modules
- import isaplugins
-try:
- from bb import error
-except ImportError:
- error = print
-
-__all__ = [
- 'ISA_package',
- 'ISA_pkg_list',
- 'ISA_kernel',
- 'ISA_filesystem',
- 'ISA_config',
- 'ISA',
-]
-
-# classes for representing objects for ISA plugins
-
-# source package
-
-
-class ISA_package:
- # pkg name (mandatory argument)
- name = ""
- # full version (mandatory argument)
- version = ""
- licenses = [] # list of licences for all subpackages
- aliases = [] # list of alias names for packages if exist
- source_files = [] # list of strings of source files
- patch_files = [] # list of patch files to be applied
- path_to_sources = "" # path to the source files
-
-# package list
-
-
-class ISA_pkg_list:
- # image name (mandatory argument)
- img_name = ""
- # path to the pkg list file (mandatory argument)
- path_to_list = ""
-
-# kernel
-
-
-class ISA_kernel:
- # image name (mandatory argument)
- img_name = ""
- # path to the kernel config file (mandatory argument)
- path_to_config = ""
-
-# filesystem
-
-
-class ISA_filesystem:
- # image name (mandatory argument)
- img_name = ""
- type = "" # filesystem type
- # path to the fs location (mandatory argument)
- path_to_fs = ""
-
-# configuration of ISAFW
-# if both whitelist and blacklist is empty, all avaliable plugins will be used
-# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins
-# if blacklist has entries, then the specified plugins won't be used even
-# if avaliable and even if specified in whitelist
-
-
-class ISA_config:
- plugin_whitelist = "" # comma separated list of plugins to whitelist
- plugin_blacklist = "" # comma separated list of plugins to blacklist
- cacert = None # If set, a CA certificate file that replaces the system default one
- reportdir = "" # location of produced reports
- logdir = "" # location of produced logs
- timestamp = "" # timestamp of the build provided by build system
- full_reports = False # produce full reports for plugins, False by default
- machine = "" # name of machine build is produced for
- la_plugin_image_whitelist = ""# whitelist of images for violating license checks
- la_plugin_image_blacklist = ""# blacklist of images for violating license checks
- arch = "" # target architecture
-
-class ISA:
- def call_plugins(self, methodname, *parameters, **keywords):
- for name in isaplugins.__all__:
- plugin = getattr(isaplugins, name)
- method = getattr(plugin, methodname, None)
- if not method:
- # Not having init() is an error, everything else is optional.
- if methodname == "init":
- error("No init() defined for plugin %s.\n"
- "Skipping this plugin." %
- (methodname, plugin.getPluginName()))
- continue
- if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist:
- continue
- if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist:
- continue
- try:
- method(*parameters, **keywords)
- except:
- error("Exception in plugin %s %s():\n%s" %
- (plugin.getPluginName(),
- methodname,
- traceback.format_exc()))
-
- def __init__(self, ISA_config):
- self.ISA_config = ISA_config
- self.call_plugins("init", ISA_config)
-
- def process_package(self, ISA_package):
- self.call_plugins("process_package", ISA_package)
-
- def process_pkg_list(self, ISA_pkg_list):
- self.call_plugins("process_pkg_list", ISA_pkg_list)
-
- def process_kernel(self, ISA_kernel):
- self.call_plugins("process_kernel", ISA_kernel)
-
- def process_filesystem(self, ISA_filesystem):
- self.call_plugins("process_filesystem", ISA_filesystem)
-
- def process_report(self):
- self.call_plugins("process_report")
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
deleted file mode 100644
index daecba1..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
+++ /dev/null
@@ -1,392 +0,0 @@
-#
-# ISA_cfa_plugin.py - Compile flag analyzer plugin, part of ISA FW
-# Main functionality is based on build_comp script from Clear linux project
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import subprocess
-import os
-import sys
-import re
-import copy
-try:
- from lxml import etree
-except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
-
-
-CFChecker = None
-
-
-class ISA_CFChecker():
- initialized = False
- no_relro = []
- partial_relro = []
- no_canary = []
- no_pie = []
- execstack = []
- execstack_not_defined = []
- nodrop_groups = []
- no_mpx = []
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_cfalog"
- self.full_report_name = ISA_config.reportdir + "/cfa_full_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.problems_report_name = ISA_config.reportdir + \
- "/cfa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
- self.full_reports = ISA_config.full_reports
- self.ISA_filesystem = ""
- # check that checksec and other tools are installed
- tools_errors = _check_tools()
- if tools_errors:
- with open(self.logfile, 'w') as flog:
- flog.write(tools_errors)
- return
- self.initialized = True
- with open(self.logfile, 'w') as flog:
- flog.write("\nPlugin ISA_CFChecker initialized!\n")
- return
-
- def process_filesystem(self, ISA_filesystem):
- self.ISA_filesystem = ISA_filesystem
- fs_path = self.ISA_filesystem.path_to_fs
- img_name = self.ISA_filesystem.img_name
- if (self.initialized):
- if (img_name and fs_path):
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nFilesystem path is: " + fs_path)
- if self.full_reports:
- with open(self.full_report_name + "_" + img_name, 'w') as ffull_report:
- ffull_report.write(
- "Security-relevant flags for executables for image: " + img_name + '\n')
- ffull_report.write("With rootfs location at " + fs_path + "\n\n")
- files = self.find_files(fs_path)
- import multiprocessing
- pool = multiprocessing.Pool()
- results = pool.imap(process_file_wrapper, files)
- pool.close()
- pool.join()
- self.process_results(results)
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write("Plugin hasn't initialized! Not performing the call.\n")
-
- def process_results(self, results):
- fs_path = self.ISA_filesystem.path_to_fs
- for result in results:
- if not result:
- with open(self.logfile, 'a') as flog:
- flog.write("\nError in returned result")
- continue
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nFor file: " + str(result[0]) + "\nlog is: " + str(result[5]))
- if result[1]:
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nsec_field: " + str(result[1]))
- if "No RELRO" in result[1]:
- self.no_relro.append(result[0].replace(fs_path, ""))
- elif "Partial RELRO" in result[1]:
- self.partial_relro.append(result[0].replace(fs_path, ""))
- if "No canary found" in result[1]:
- self.no_canary.append(result[0].replace(fs_path, ""))
- if "No PIE" in result[1]:
- self.no_pie.append(result[0].replace(fs_path, ""))
- if result[2]:
- if result[2] == "execstack":
- self.execstack.append(result[0].replace(fs_path, ""))
- elif result[2] == "not_defined":
- self.execstack_not_defined.append(result[0].replace(fs_path, ""))
- if result[3] and (result[3] == True):
- self.nodrop_groups.append(result[0].replace(fs_path, ""))
- if result[4] and (result[4] == True):
- self.no_mpx.append(result[0].replace(fs_path, ""))
- self.write_full_report(result)
- self.write_report()
- self.write_report_xml()
-
- def write_full_report(self, result):
- if not self.full_reports:
- return
- fs_path = self.ISA_filesystem.path_to_fs
- img_name = self.ISA_filesystem.img_name
- with open(self.full_report_name + "_" + img_name, 'a') as ffull_report:
- ffull_report.write('\nFile: ' + result[0].replace(fs_path, ""))
- ffull_report.write('\nsecurity flags: ' + str(result[1]))
- ffull_report.write('\nexecstack: ' + str(result[2]))
- ffull_report.write('\nnodrop_groups: ' + str(result[3]))
- ffull_report.write('\nno mpx: ' + str(result[4]))
- ffull_report.write('\n')
-
- def write_report(self):
- fs_path = self.ISA_filesystem.path_to_fs
- img_name = self.ISA_filesystem.img_name
- with open(self.problems_report_name + "_" + img_name, 'w') as fproblems_report:
- fproblems_report.write("Report for image: " + img_name + '\n')
- fproblems_report.write("With rootfs location at " + fs_path + "\n\n")
- fproblems_report.write("Relocation Read-Only\n")
- fproblems_report.write("More information about RELRO and how to enable it:")
- fproblems_report.write(
- " http://tk-blog.blogspot.de/2009/02/relro-not-so-well-known-memory.html\n")
- fproblems_report.write("Files with no RELRO:\n")
- for item in self.no_relro:
- fproblems_report.write(item + '\n')
- fproblems_report.write("Files with partial RELRO:\n")
- for item in self.partial_relro:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nStack protection\n")
- fproblems_report.write(
- "More information about canary stack protection and how to enable it:")
- fproblems_report.write("https://lwn.net/Articles/584225/ \n")
- fproblems_report.write("Files with no canary:\n")
- for item in self.no_canary:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nPosition Independent Executable\n")
- fproblems_report.write("More information about PIE protection and how to enable it:")
- fproblems_report.write(
- "https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie/\n")
- fproblems_report.write("Files with no PIE:\n")
- for item in self.no_pie:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nNon-executable stack\n")
- fproblems_report.write("Files with executable stack enabled:\n")
- for item in self.execstack:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nFiles with no ability to fetch executable stack status:\n")
- for item in self.execstack_not_defined:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nGrop initialization:\n")
- fproblems_report.write(
- "If using setuid/setgid calls in code, one must call initgroups or setgroups\n")
- fproblems_report.write(
- "Files that don't initialize groups while using setuid/setgid:\n")
- for item in self.nodrop_groups:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nMemory Protection Extensions\n")
- fproblems_report.write("More information about MPX protection and how to enable it:")
- fproblems_report.write(
- "https://software.intel.com/sites/default/files/managed/9d/f6/Intel_MPX_EnablingGuide.pdf\n")
- fproblems_report.write("Files that don't have MPX protection enabled:\n")
- for item in self.no_mpx:
- fproblems_report.write(item + '\n')
-
- def write_report_xml(self):
- numTests = len(self.no_relro) + len(self.partial_relro) + len(self.no_canary) + len(self.no_pie) + \
- len(self.execstack) + len(self.execstack_not_defined) + \
- len(self.nodrop_groups) + len(self.no_mpx)
- root = etree.Element('testsuite', name='ISA_CFChecker', tests=str(numTests))
- if self.no_relro:
- for item in self.no_relro:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='files_with_no_RELRO', name=item)
- etree.SubElement(tcase1, 'failure', message=item, type='violation')
- if self.partial_relro:
- for item in self.partial_relro:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='files_with_partial_RELRO', name=item)
- etree.SubElement(tcase1, 'failure', message=item, type='violation')
- if self.no_canary:
- for item in self.no_canary:
- tcase2 = etree.SubElement(
- root, 'testcase', classname='files_with_no_canary', name=item)
- etree.SubElement(tcase2, 'failure', message=item, type='violation')
- if self.no_pie:
- for item in self.no_pie:
- tcase3 = etree.SubElement(
- root, 'testcase', classname='files_with_no_PIE', name=item)
- etree.SubElement(tcase3, 'failure', message=item, type='violation')
- if self.execstack:
- for item in self.execstack:
- tcase5 = etree.SubElement(
- root, 'testcase', classname='files_with_execstack', name=item)
- etree.SubElement(tcase5, 'failure', message=item, type='violation')
- if self.execstack_not_defined:
- for item in self.execstack_not_defined:
- tcase6 = etree.SubElement(
- root, 'testcase', classname='files_with_execstack_not_defined', name=item)
- etree.SubElement(tcase6, 'failure', message=item, type='violation')
- if self.nodrop_groups:
- for item in self.nodrop_groups:
- tcase7 = etree.SubElement(
- root, 'testcase', classname='files_with_nodrop_groups', name=item)
- etree.SubElement(tcase7, 'failure', message=item, type='violation')
- if self.no_mpx:
- for item in self.no_mpx:
- tcase8 = etree.SubElement(
- root, 'testcase', classname='files_with_no_mpx', name=item)
- etree.SubElement(tcase8, 'failure', message=item, type='violation')
- tree = etree.ElementTree(root)
- output = self.problems_report_name + "_" + self.ISA_filesystem.img_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8', pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def find_files(self, init_path):
- list_of_files = []
- for (dirpath, dirnames, filenames) in os.walk(init_path):
- for f in filenames:
- list_of_files.append(str(dirpath + "/" + f)[:])
- return list_of_files
-
-
-def _check_tools():
-
- def _is_in_path(executable):
- "Check for presence of executable in PATH"
- for path in os.environ["PATH"].split(os.pathsep):
- path = path.strip('"')
- if (os.path.isfile(os.path.join(path, executable)) and
- os.access(os.path.join(path, executable), os.X_OK)):
- return True
- return False
-
- tools = {
- "checksec.sh": "Please install checksec from http://www.trapkit.de/tools/checksec.html\n",
- "execstack": "Please install execstack from prelink package\n",
- "readelf": "Please install binutils\n",
- "objdump": "Please install binutils\n",
- }
- output = ""
- for tool in tools:
- if not _is_in_path(tool):
- output += tools[tool]
- return output
-
-
-def get_info(tool, args, file_name):
- env = copy.deepcopy(os.environ)
- env['PSEUDO_UNLOAD'] = "1"
- cmd = [tool, args, file_name]
- with open(os.devnull, 'wb') as DEVNULL:
- try:
- result = subprocess.check_output(cmd, stderr=DEVNULL, env=env).decode('utf-8')
- except:
- return ""
- else:
- return result
-
-def get_security_flags(file_name):
- env = copy.deepcopy(os.environ)
- env['PSEUDO_UNLOAD'] = "1"
- cmd = ['checksec.sh', '--file', file_name]
- try:
- result = subprocess.check_output(cmd, env=env).decode('utf-8').splitlines()[1]
- except:
- return "Not able to fetch flags"
- else:
- # remove ansi escape color sequences
- result = re.sub(r'\x1b[^m]*m', '', result)
- return re.split(r' {2,}', result)[:-1]
-
-
-def process_file(file):
- log = "File from map " + file
- fun_results = [file, [], "", False, False, log]
- if not os.path.isfile(file):
- return fun_results
- env = copy.deepcopy(os.environ)
- env['PSEUDO_UNLOAD'] = "1"
- # getting file type
- cmd = ['file', '--mime-type', file]
- try:
- result = subprocess.check_output(cmd, env=env).decode('utf-8')
- except:
- fun_results[-1] += "\nNot able to decode mime type"
- return fun_results
- file_type = result.split()[-1]
- # looking for links
- if "symlink" in file_type:
- file = os.path.realpath(file)
- cmd = ['file', '--mime-type', file]
- try:
- result = subprocess.check_output(cmd, env=env).decode('utf-8')
- except:
- fun_results[-1] += "\nNot able to decode mime type"
- return fun_results
- file_type = result.split()[-1]
- # checking security flags if applies
- if "application" not in file_type:
- return fun_results
- fun_results[-1] += "\nFile type: " + file_type
- if (("octet-stream" in file_type) or ("dosexec" in file_type) or
- ("archive" in file_type) or ("xml" in file_type) or
- ("gzip" in file_type) or ("postscript" in file_type) or
- ("pdf" in file_type)):
- return fun_results
- fun_results[1] = get_security_flags(file)
- tmp = get_info("execstack", '-q', file)
- if tmp.startswith("X "):
- fun_results[2] = "execstack"
- elif tmp.startswith("? "):
- fun_results[2] = "not_defined"
- tmp = get_info("readelf", '-s', file)
- if ("setgid@GLIBC" in tmp) or ("setegid@GLIBC" in tmp) or ("setresgid@GLIBC" in tmp):
- if ("setuid@GLIBC" in tmp) or ("seteuid@GLIBC" in tmp) or ("setresuid@GLIBC" in tmp):
- if ("setgroups@GLIBC" not in tmp) and ("initgroups@GLIBC" not in tmp):
- fun_results[3] = True
- tmp = get_info("objdump", '-d', file)
- if ("bndcu" not in tmp) and ("bndcl" not in tmp) and ("bndmov" not in tmp):
- fun_results[4] = True
- return fun_results
-
-def process_file_wrapper(file):
- # Ensures that exceptions get logged with the original backtrace.
- # Without this, they appear with a backtrace rooted in
- # the code which transfers back the result to process_results().
- try:
- return process_file(file)
- except:
- from isafw import isafw
- import traceback
- isafw.error('Internal error:\n%s' % traceback.format_exc())
- raise
-
-# ======== supported callbacks from ISA ============ #
-
-
-def init(ISA_config):
- global CFChecker
- CFChecker = ISA_CFChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_CFChecker"
-
-
-def process_filesystem(ISA_filesystem):
- global CFChecker
- return CFChecker.process_filesystem(ISA_filesystem)
-
-# =================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
deleted file mode 100644
index 268aa45..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
+++ /dev/null
@@ -1,217 +0,0 @@
-#
-# ISA_cve_plugin.py - CVE checker plugin, part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import subprocess
-import os, sys
-import re
-
-CVEChecker = None
-pkglist = "/cve_check_tool_pkglist"
-
-
-class ISA_CVEChecker:
- initialized = False
-
- def __init__(self, ISA_config):
- self.cacert = ISA_config.cacert
- self.reportdir = ISA_config.reportdir
- self.timestamp = ISA_config.timestamp
- self.logfile = ISA_config.logdir + "/isafw_cvelog"
- self.report_name = ISA_config.reportdir + "/cve_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.initialized = True
- with open(self.logfile, 'a') as flog:
- flog.write("\nPlugin ISA_CVEChecker initialized!\n")
- output = ""
- # check that cve-check-tool is installed
-
- def process_package(self, ISA_pkg):
- if (self.initialized):
- if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files):
- alias_pkgs_faux = []
- # need to compose faux format line for cve-check-tool
- cve_patch_info = self.process_patch_list(ISA_pkg.patch_files)
- pkgline_faux = ISA_pkg.name + "," + ISA_pkg.version + "," + cve_patch_info + ",\n"
- if ISA_pkg.aliases:
- for a in ISA_pkg.aliases:
- alias_pkgs_faux.append(
- a + "," + ISA_pkg.version + "," + cve_patch_info + ",\n")
- pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
- with open(self.reportdir + pkglist_faux, 'a') as fauxfile:
- fauxfile.write(pkgline_faux)
- for a in alias_pkgs_faux:
- fauxfile.write(a)
-
- with open(self.logfile, 'a') as flog:
- flog.write("\npkg info: " + pkgline_faux)
- else:
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as pkg name, version and list of patches are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call.\n")
-
- def process_report(self):
- if not os.path.isfile(self.reportdir + pkglist + "_" + self.timestamp + ".faux"):
- return
- if (self.initialized):
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in HTML format.\n")
- result = self.process_report_type("html")
-
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in CSV format.\n")
- result = self.process_report_type("csv")
-
- pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
- os.remove(self.reportdir + pkglist_faux)
-
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in XML format.\n")
- self.write_report_xml(result)
-
- def write_report_xml(self, result):
- try:
- from lxml import etree
- except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
- num_tests = 0
- root = etree.Element('testsuite', name='CVE_Plugin', tests='1')
-
- if result :
- num_tests = 1
- tcase = etree.SubElement(
- root, 'testcase', classname='ISA_CVEChecker', name="Error in cve-check-tool")
- etree.SubElement( tcase, 'failure', message=result, type='violation')
- else:
- with open(self.report_name + ".csv", 'r') as f:
- for line in f:
- num_tests += 1
- line = line.strip()
- line_sp = line.split(',', 2)
- if (len(line_sp) >= 3) and (line_sp[2].startswith('CVE')):
- tcase = etree.SubElement(
- root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
- etree.SubElement(
- tcase, 'failure', message=line, type='violation')
- else:
- tcase = etree.SubElement(
- root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
-
- root.set('tests', str(num_tests))
- tree = etree.ElementTree(root)
- output = self.report_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def process_report_type(self, rtype):
- # now faux file is ready and we can process it
- args = ""
- result = ""
- tool_stderr_value = ""
- args += "cve-check-tool "
- if self.cacert:
- args += "--cacert '%s' " % self.cacert
- if rtype != "html":
- args += "-c "
- rtype = "csv"
- pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
- args += "-a -t faux '" + self.reportdir + pkglist_faux + "'"
- with open(self.logfile, 'a') as flog:
- flog.write("Args: " + args)
- try:
- popen = subprocess.Popen(
- args, shell=True, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- result = popen.communicate()
- except:
- tool_stderr_value = "Error in executing cve-check-tool" + str(sys.exc_info())
- with open(self.logfile, 'a') as flog:
- flog.write("Error in executing cve-check-tool: " +
- str(sys.exc_info()))
- else:
- stdout_value = result[0]
- tool_stderr_value = result[1].decode('utf-8')
- if not tool_stderr_value and popen.returncode == 0:
- report = self.report_name + "." + rtype
- with open(report, 'wb') as freport:
- freport.write(stdout_value)
- else:
- tool_stderr_value = tool_stderr_value + \
- "\ncve-check-tool terminated with exit code " + str(popen.returncode)
- return tool_stderr_value
-
- def process_patch_list(self, patch_files):
- patch_info = ""
- for patch in patch_files:
- patch1 = patch.partition("cve")
- if (patch1[0] == patch):
- # no cve substring, try CVE
- patch1 = patch.partition("CVE")
- if (patch1[0] == patch):
- continue
- patchstripped = patch1[2].split('-')
- try:
- patch_info += " CVE-" + \
- patchstripped[1] + "-" + re.findall('\d+', patchstripped[2])[0]
- except IndexError:
- # string parsing attempt failed, so just skip this patch
- continue
- return patch_info
-
-# ======== supported callbacks from ISA ============= #
-
-
-def init(ISA_config):
- global CVEChecker
- CVEChecker = ISA_CVEChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_CVEChecker"
-
-
-def process_package(ISA_pkg):
- global CVEChecker
- return CVEChecker.process_package(ISA_pkg)
-
-
-def process_report():
- global CVEChecker
- return CVEChecker.process_report()
-
-# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
deleted file mode 100644
index 0909756..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
+++ /dev/null
@@ -1,185 +0,0 @@
-#
-# ISA_fsa_plugin.py - Filesystem analyser plugin, part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-import os
-from stat import *
-try:
- from lxml import etree
-except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
-
-
-FSAnalyzer = None
-
-
-class ISA_FSChecker():
- initialized = False
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_fsalog"
- self.full_report_name = ISA_config.reportdir + "/fsa_full_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.problems_report_name = ISA_config.reportdir + \
- "/fsa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
- self.full_reports = ISA_config.full_reports
- self.initialized = True
- self.setuid_files = []
- self.setgid_files = []
- self.ww_files = []
- self.no_sticky_bit_ww_dirs = []
- with open(self.logfile, 'w') as flog:
- flog.write("\nPlugin ISA_FSChecker initialized!\n")
-
- def process_filesystem(self, ISA_filesystem):
- if (self.initialized):
- if (ISA_filesystem.img_name and ISA_filesystem.path_to_fs):
- with open(self.logfile, 'a') as flog:
- flog.write("Analyzing filesystem at: " + ISA_filesystem.path_to_fs +
- " for the image: " + ISA_filesystem.img_name + "\n")
- self.files = self.find_fsobjects(ISA_filesystem.path_to_fs)
- with open(self.logfile, 'a') as flog:
- flog.write("\nFilelist is: " + str(self.files))
- if self.full_reports:
- with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'w') as ffull_report:
- ffull_report.write(
- "Report for image: " + ISA_filesystem.img_name + '\n')
- ffull_report.write(
- "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
- for f in self.files:
- st = os.lstat(f)
- i = f.replace(ISA_filesystem.path_to_fs, "")
- if self.full_reports:
- with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'a') as ffull_report:
- ffull_report.write("File: " + i + ' mode: ' + str(oct(st.st_mode)) +
- " uid: " + str(st.st_uid) + " gid: " + str(st.st_gid) + '\n')
- if ((st.st_mode & S_ISUID) == S_ISUID):
- self.setuid_files.append(i)
- if ((st.st_mode & S_ISGID) == S_ISGID):
- self.setgid_files.append(i)
- if ((st.st_mode & S_IWOTH) == S_IWOTH):
- if (((st.st_mode & S_IFDIR) == S_IFDIR) and ((st.st_mode & S_ISVTX) != S_ISVTX)):
- self.no_sticky_bit_ww_dirs.append(i)
- if (((st.st_mode & S_IFREG) == S_IFREG) and ((st.st_mode & S_IFLNK) != S_IFLNK)):
- self.ww_files.append(i)
- self.write_problems_report(ISA_filesystem)
- self.write_problems_report_xml(ISA_filesystem)
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call.\n")
-
- def write_problems_report(self, ISA_filesystem):
- with open(self.problems_report_name + "_" + ISA_filesystem.img_name, 'w') as fproblems_report:
- fproblems_report.write(
- "Report for image: " + ISA_filesystem.img_name + '\n')
- fproblems_report.write(
- "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
- fproblems_report.write("Files with SETUID bit set:\n")
- for item in self.setuid_files:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nFiles with SETGID bit set:\n")
- for item in self.setgid_files:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nWorld-writable files:\n")
- for item in self.ww_files:
- fproblems_report.write(item + '\n')
- fproblems_report.write(
- "\n\nWorld-writable dirs with no sticky bit:\n")
- for item in self.no_sticky_bit_ww_dirs:
- fproblems_report.write(item + '\n')
-
- def write_problems_report_xml(self, ISA_filesystem):
- num_tests = len(self.setuid_files) + len(self.setgid_files) + \
- len(self.ww_files) + len(self.no_sticky_bit_ww_dirs)
- root = etree.Element(
- 'testsuite', name='FSA_Plugin', tests=str(num_tests))
- if self.setuid_files:
- for item in self.setuid_files:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='Files_with_SETUID_bit_set', name=item)
- etree.SubElement(
- tcase1, 'failure', message=item, type='violation')
- if self.setgid_files:
- for item in self.setgid_files:
- tcase2 = etree.SubElement(
- root, 'testacase', classname='Files_with_SETGID_bit_set', name=item)
- etree.SubElement(
- tcase2, 'failure', message=item, type='violation')
- if self.ww_files:
- for item in self.ww_files:
- tcase3 = etree.SubElement(
- root, 'testase', classname='World-writable_files', name=item)
- etree.SubElement(
- tcase3, 'failure', message=item, type='violation')
- if self.no_sticky_bit_ww_dirs:
- for item in self.no_sticky_bit_ww_dirs:
- tcase4 = etree.SubElement(
- root, 'testcase', classname='World-writable_dirs_with_no_sticky_bit', name=item)
- etree.SubElement(
- tcase4, 'failure', message=item, type='violation')
- tree = etree.ElementTree(root)
- output = self.problems_report_name + "_" + ISA_filesystem.img_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def find_fsobjects(self, init_path):
- list_of_files = []
- for (dirpath, dirnames, filenames) in os.walk(init_path):
- if (dirpath != init_path):
- list_of_files.append(str(dirpath)[:])
- for f in filenames:
- list_of_files.append(str(dirpath + "/" + f)[:])
- return list_of_files
-
-# ======== supported callbacks from ISA ============= #
-
-
-def init(ISA_config):
- global FSAnalyzer
- FSAnalyzer = ISA_FSChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_FSChecker"
-
-
-def process_filesystem(ISA_filesystem):
- global FSAnalyzer
- return FSAnalyzer.process_filesystem(ISA_filesystem)
-
-# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
deleted file mode 100644
index ba09819..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
+++ /dev/null
@@ -1,323 +0,0 @@
-#
-# ISA_kca_plugin.py - Kernel config options analyzer plugin, part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-try:
- from lxml import etree
-except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
-import importlib
-
-KCAnalyzer = None
-
-
-class ISA_KernelChecker():
- initialized = False
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_kcalog"
- self.full_report_name = ISA_config.reportdir + "/kca_full_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.problems_report_name = ISA_config.reportdir + \
- "/kca_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
- self.full_reports = ISA_config.full_reports
- self.initialized = True
- self.arch = ISA_config.arch
- with open(self.logfile, 'w') as flog:
- flog.write("\nPlugin ISA_KernelChecker initialized!\n")
-
- def append_recommendation(self, report, key, value):
- report.write("Recommended value:\n")
- report.write(key + ' : ' + str(value) + '\n')
- comment = self.comments.get(key, '')
- if comment != '':
- report.write("Comment:\n")
- report.write(comment + '\n')
-
- def process_kernel(self, ISA_kernel):
- if (self.initialized):
- if (ISA_kernel.img_name and ISA_kernel.path_to_config):
- # Merging common and arch configs
- common_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format('common'))
- arch_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format(self.arch))
-
- for c in ["hardening_kco", "keys_kco", "security_kco", "integrity_kco",
- "hardening_kco_ref", "keys_kco_ref", "security_kco_ref", "integrity_kco_ref",
- "comments"]:
- setattr(self, c, merge_config(getattr(arch_config_module, c), getattr(common_config_module, c)))
- with open(self.logfile, 'a') as flog:
- flog.write("Analyzing kernel config file at: " + ISA_kernel.path_to_config +
- " for the image: " + ISA_kernel.img_name + "\n")
- with open(ISA_kernel.path_to_config, 'r') as fkernel_conf:
- for line in fkernel_conf:
- line = line.strip('\n')
- for key in self.hardening_kco:
- if key + '=' in line:
- self.hardening_kco[key] = line.split('=')[1]
- for key in self.keys_kco:
- if key + '=' in line:
- self.keys_kco[key] = line.split('=')[1]
- for key in self.security_kco:
- if key + '=' in line:
- self.security_kco[key] = line.split('=')[1]
- for key in self.integrity_kco:
- if key + '=' in line:
- self.integrity_kco[key] = line.split('=')[1]
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nhardening_kco values: " +
- str(self.hardening_kco))
- flog.write("\n\nkeys_kco values: " + str(self.keys_kco))
- flog.write("\n\nsecurity_kco values: " +
- str(self.security_kco))
- flog.write("\n\nintegrity_kco values: " +
- str(self.integrity_kco))
- self.write_full_report(ISA_kernel)
- self.write_problems_report(ISA_kernel)
-
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as image name and path to config are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call!\n")
-
- def write_full_report(self, ISA_kernel):
- if self.full_reports:
- with open(self.full_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
- freport.write("Report for image: " +
- ISA_kernel.img_name + '\n')
- freport.write("With the kernel conf at: " +
- ISA_kernel.path_to_config + '\n\n')
- freport.write("Hardening options:\n")
- for key in sorted(self.hardening_kco):
- freport.write(
- key + ' : ' + str(self.hardening_kco[key]) + '\n')
- freport.write("\nKey-related options:\n")
- for key in sorted(self.keys_kco):
- freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
- freport.write("\nSecurity options:\n")
- for key in sorted(self.security_kco):
- freport.write(
- key + ' : ' + str(self.security_kco[key]) + '\n')
- freport.write("\nIntegrity options:\n")
- for key in sorted(self.integrity_kco):
- freport.write(
- key + ' : ' + str(self.integrity_kco[key]) + '\n')
-
- def write_problems_report(self, ISA_kernel):
- self.write_text_problems_report(ISA_kernel)
- self.write_xml_problems_report(ISA_kernel)
-
- def write_text_problems_report(self, ISA_kernel):
- with open(self.problems_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
- freport.write("Report for image: " + ISA_kernel.img_name + '\n')
- freport.write("With the kernel conf at: " +
- ISA_kernel.path_to_config + '\n\n')
- freport.write("Hardening options that need improvement:\n")
- for key in sorted(self.hardening_kco):
- if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
- valid = False
- if (key == "CONFIG_CMDLINE"):
- if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
- valid = True
- if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
- if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
- valid = True
- if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
- options = self.hardening_kco_ref[key].split(',')
- for option in options:
- if (option == self.hardening_kco[key]):
- valid = True
- break
- if not valid:
- freport.write("\nActual value:\n")
- freport.write(
- key + ' : ' + str(self.hardening_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.hardening_kco_ref[key])
- freport.write("\nKey-related options that need improvement:\n")
- for key in sorted(self.keys_kco):
- if (self.keys_kco[key] != self.keys_kco_ref[key]):
- freport.write("\nActual value:\n")
- freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.keys_kco_ref[key])
- freport.write("\nSecurity options that need improvement:\n")
- for key in sorted(self.security_kco):
- if (self.security_kco[key] != self.security_kco_ref[key]):
- valid = False
- if (key == "CONFIG_DEFAULT_SECURITY"):
- options = self.security_kco_ref[key].split(',')
- for option in options:
- if (option == self.security_kco[key]):
- valid = True
- break
- if ((key == "CONFIG_SECURITY_SELINUX") or
- (key == "CONFIG_SECURITY_SMACK") or
- (key == "CONFIG_SECURITY_APPARMOR") or
- (key == "CONFIG_SECURITY_TOMOYO")):
- if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
- valid = True
- if not valid:
- freport.write("\nActual value:\n")
- freport.write(
- key + ' : ' + str(self.security_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.security_kco_ref[key])
- freport.write("\nIntegrity options that need improvement:\n")
- for key in sorted(self.integrity_kco):
- if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
- valid = False
- if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
- (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
- if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
- (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
- valid = True
- if not valid:
- freport.write("\nActual value:\n")
- freport.write(
- key + ' : ' + str(self.integrity_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.integrity_kco_ref[key])
-
- def write_xml_problems_report(self, ISA_kernel):
- # write_problems_report_xml
- num_tests = len(self.hardening_kco) + len(self.keys_kco) + \
- len(self.security_kco) + len(self.integrity_kco)
- root = etree.Element(
- 'testsuite', name='KCA_Plugin', tests=str(num_tests))
- for key in sorted(self.hardening_kco):
- tcase1 = etree.SubElement(
- root, 'testcase', classname='Hardening options', name=key)
- if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
- valid = False
- if (key == "CONFIG_CMDLINE"):
- if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
- valid = True
- if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
- if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
- valid = True
- if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
- options = self.hardening_kco_ref[key].split(',')
- for option in options:
- if (option == self.hardening_kco[key]):
- valid = True
- break
- if not valid:
- msg1 = 'current=' + key + ' is ' + \
- str(self.hardening_kco[
- key]) + ', recommended=' + key + ' is ' + str(self.hardening_kco_ref[key])
- etree.SubElement(
- tcase1, 'failure', message=msg1, type='violation')
- for key in sorted(self.keys_kco):
- tcase2 = etree.SubElement(
- root, 'testcase', classname='Key-related options', name=key)
- if (self.keys_kco[key] != self.keys_kco_ref[key]):
- msg2 = 'current=' + key + ' is ' + \
- str(self.keys_kco[key] + ', recommended=' +
- key + ' is ' + str(self.keys_kco_ref[key]))
- etree.SubElement(
- tcase2, 'failure', message=msg2, type='violation')
- for key in sorted(self.security_kco):
- tcase3 = etree.SubElement(
- root, 'testcase', classname='Security options', name=key)
- if (self.security_kco[key] != self.security_kco_ref[key]):
- valid = False
- if (key == "CONFIG_DEFAULT_SECURITY"):
- options = self.security_kco_ref[key].split(',')
- for option in options:
- if (option == self.security_kco[key]):
- valid = True
- break
- if ((key == "CONFIG_SECURITY_SELINUX") or
- (key == "CONFIG_SECURITY_SMACK") or
- (key == "CONFIG_SECURITY_APPARMOR") or
- (key == "CONFIG_SECURITY_TOMOYO")):
- if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
- valid = True
- if not valid:
- msg3 = 'current=' + key + ' is ' + \
- str(self.security_kco[key]) + ', recommended=' + \
- key + ' is ' + str(self.security_kco_ref[key])
- etree.SubElement(
- tcase3, 'failure', message=msg3, type='violation')
- for key in sorted(self.integrity_kco):
- tcase4 = etree.SubElement(
- root, 'testcase', classname='Integrity options', name=key)
- if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
- valid = False
- if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
- (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
- if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
- (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
- valid = True
- if not valid:
- msg4 = 'current=' + key + ' is ' + \
- str(self.integrity_kco[
- key]) + ', recommended=' + key + ' is ' + str(self.integrity_kco_ref[key])
- etree.SubElement(
- tcase4, 'failure', message=msg4, type='violation')
- tree = etree.ElementTree(root)
- output = self.problems_report_name + "_" + ISA_kernel.img_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
-
-def merge_config(arch_kco, common_kco):
- merged = arch_kco.copy()
- merged.update(common_kco)
- return merged
-
-# ======== supported callbacks from ISA ============= #
-def init(ISA_config):
- global KCAnalyzer
- KCAnalyzer = ISA_KernelChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_KernelChecker"
-
-
-def process_kernel(ISA_kernel):
- global KCAnalyzer
- return KCAnalyzer.process_kernel(ISA_kernel)
-# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
deleted file mode 100644
index 20e7e26..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
+++ /dev/null
@@ -1,273 +0,0 @@
-#
-# ISA_la_plugin.py - License analyzer plugin, part of ISA FW
-# Functionality is based on similar scripts from Clear linux project
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import subprocess
-import os, sys
-
-LicenseChecker = None
-
-flicenses = "/configs/la/licenses"
-fapproved_non_osi = "/configs/la/approved-non-osi"
-fexceptions = "/configs/la/exceptions"
-funwanted = "/configs/la/violations"
-
-
-class ISA_LicenseChecker():
- initialized = False
- rpm_present = False
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_lalog"
- self.unwanted = []
- self.report_name = ISA_config.reportdir + "/la_problems_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.image_pkg_list = ISA_config.reportdir + "/pkglist"
- self.image_pkgs = []
- self.la_plugin_image_whitelist = ISA_config.la_plugin_image_whitelist
- self.la_plugin_image_blacklist = ISA_config.la_plugin_image_blacklist
- self.initialized = True
- with open(self.logfile, 'a') as flog:
- flog.write("\nPlugin ISA_LA initialized!\n")
- # check that rpm is installed (supporting only rpm packages for now)
- DEVNULL = open(os.devnull, 'wb')
- rc = subprocess.call(["which", "rpm"], stdout=DEVNULL, stderr=DEVNULL)
- DEVNULL.close()
- if rc == 0:
- self.rpm_present = True
- else:
- with open(self.logfile, 'a') as flog:
- flog.write("rpm tool is missing! Licence info is expected from build system\n")
-
- def process_package(self, ISA_pkg):
- if (self.initialized):
- if ISA_pkg.name:
- if (not ISA_pkg.licenses):
- # need to determine licenses first
- # for this we need rpm tool to be present
- if (not self.rpm_present):
- with open(self.logfile, 'a') as flog:
- flog.write("rpm tool is missing and licence info is not provided. Cannot proceed.\n")
- return;
- if (not ISA_pkg.source_files):
- if (not ISA_pkg.path_to_sources):
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "No path to sources or source file list is provided!")
- flog.write(
- "\nNot able to determine licenses for package: " + ISA_pkg.name)
- return
- # need to build list of source files
- ISA_pkg.source_files = self.find_files(
- ISA_pkg.path_to_sources)
- for i in ISA_pkg.source_files:
- if (i.endswith(".spec")):# supporting rpm only for now
- args = ("rpm", "-q", "--queryformat",
- "%{LICENSE} ", "--specfile", i)
- try:
- popen = subprocess.Popen(
- args, stdout=subprocess.PIPE)
- popen.wait()
- ISA_pkg.licenses = popen.stdout.read().split()
- except:
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Error in executing rpm query: " + str(sys.exc_info()))
- flog.write(
- "\nNot able to process package: " + ISA_pkg.name)
- return
- for l in ISA_pkg.licenses:
- if (not self.check_license(l, flicenses) and
- not self.check_license(l, fapproved_non_osi) and
- not self.check_exceptions(ISA_pkg.name, l, fexceptions)):
- # log the package as not following correct license
- with open(self.report_name, 'a') as freport:
- freport.write(l + "\n")
- if (self.check_license(l, funwanted)):
- # log the package as having license that should not be
- # used
- with open(self.report_name + "_unwanted", 'a') as freport:
- freport.write(l + "\n")
- else:
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory argument package name is not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call.")
-
- def process_report(self):
- if (self.initialized):
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report with violating licenses.\n")
- self.process_pkg_list()
- self.write_report_unwanted()
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in XML format.\n")
- self.write_report_xml()
-
- def process_pkg_list(self):
- if os.path.isfile (self.image_pkg_list):
- img_name = ""
- with open(self.image_pkg_list, 'r') as finput:
- for line in finput:
- line = line.strip()
- if not line:
- continue
- if line.startswith("Packages "):
- img_name = line.split()[3]
- with open(self.logfile, 'a') as flog:
- flog.write("img_name: " + img_name + "\n")
- continue
- package_info = line.split()
- pkg_name = package_info[0]
- orig_pkg_name = package_info[2]
- if (not self.image_pkgs) or ((pkg_name + " from " + img_name) not in self.image_pkgs):
- self.image_pkgs.append(pkg_name + " from " + img_name + " " + orig_pkg_name)
-
- def write_report_xml(self):
- try:
- from lxml import etree
- except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
- num_tests = 0
- root = etree.Element('testsuite', name='LA_Plugin', tests='2')
- if os.path.isfile(self.report_name):
- with open(self.report_name, 'r') as f:
- class_name = "Non-approved-licenses"
- for line in f:
- line = line.strip()
- if line == "":
- continue
- if line.startswith("Packages that "):
- class_name = "Violating-licenses"
- continue
- num_tests += 1
- tcase1 = etree.SubElement(
- root, 'testcase', classname=class_name, name=line.split(':', 1)[0])
- etree.SubElement(
- tcase1, 'failure', message=line, type='violation')
- else:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='ISA_LAChecker', name='none')
- num_tests = 1
- root.set('tests', str(num_tests))
- tree = etree.ElementTree(root)
- output = self.report_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def write_report_unwanted(self):
- if os.path.isfile(self.report_name + "_unwanted"):
- with open(self.logfile, 'a') as flog:
- flog.write("image_pkgs: " + str(self.image_pkgs) + "\n")
- flog.write("self.la_plugin_image_whitelist: " + str(self.la_plugin_image_whitelist) + "\n")
- flog.write("self.la_plugin_image_blacklist: " + str(self.la_plugin_image_blacklist) + "\n")
- with open(self.report_name, 'a') as fout:
- with open(self.report_name + "_unwanted", 'r') as f:
- fout.write(
- "\n\nPackages that violate mandatory license requirements:\n")
- for line in f:
- line = line.strip()
- pkg_name = line.split(':',1)[0]
- if (not self.image_pkgs):
- fout.write(line + " from image name not available \n")
- continue
- for pkg_info in self.image_pkgs:
- image_pkg_name = pkg_info.split()[0]
- image_name = pkg_info.split()[2]
- image_orig_pkg_name = pkg_info.split()[3]
- if ((image_pkg_name == pkg_name) or (image_orig_pkg_name == pkg_name)):
- if self.la_plugin_image_whitelist and (image_name not in self.la_plugin_image_whitelist):
- continue
- if self.la_plugin_image_blacklist and (image_name in self.la_plugin_image_blacklist):
- continue
- fout.write(line + " from image " + image_name)
- if (image_pkg_name != image_orig_pkg_name):
- fout.write(" binary_pkg_name " + image_pkg_name + "\n")
- continue
- fout.write("\n")
- os.remove(self.report_name + "_unwanted")
-
- def find_files(self, init_path):
- list_of_files = []
- for (dirpath, dirnames, filenames) in os.walk(init_path):
- for f in filenames:
- list_of_files.append(str(dirpath + "/" + f)[:])
- return list_of_files
-
- def check_license(self, license, file_path):
- with open(os.path.dirname(__file__) + file_path, 'r') as f:
- for line in f:
- s = line.rstrip()
- curr_license = license.split(':',1)[1]
- if s == curr_license:
- return True
- return False
-
- def check_exceptions(self, pkg_name, license, file_path):
- with open(os.path.dirname(__file__) + file_path, 'r') as f:
- for line in f:
- s = line.rstrip()
- curr_license = license.split(':',1)[1]
- if s == pkg_name + " " + curr_license:
- return True
- return False
-
-# ======== supported callbacks from ISA ============= #
-
-def init(ISA_config):
- global LicenseChecker
- LicenseChecker = ISA_LicenseChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_LicenseChecker"
-
-
-def process_package(ISA_pkg):
- global LicenseChecker
- return LicenseChecker.process_package(ISA_pkg)
-
-
-def process_report():
- global LicenseChecker
- return LicenseChecker.process_report()
-
-# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/__init__.py
deleted file mode 100644
index ad1997d..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/__init__.py
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# __init__.py - part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import glob
-import keyword
-import os
-import sys
-
-basedir = os.path.dirname(__file__)
-
-__all__ = []
-for name in glob.glob(os.path.join(basedir, '*.py')):
- module = os.path.splitext(os.path.split(name)[-1])[0]
- if not module.startswith('_') and not keyword.iskeyword(module):
- __import__(__name__ + '.' + module)
- __all__.append(module)
-__all__.sort()
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
+++ /dev/null
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
+++ /dev/null
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
deleted file mode 100644
index d47ba9f..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
+++ /dev/null
@@ -1,24 +0,0 @@
-############################################################################################
-# Kernel Hardening Configurations
-############################################################################################
-hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',}
-hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '32768',}
-############################################################################################
-# Keys Kernel Configuration
-############################################################################################
-keys_kco = {}
-keys_kco_ref = {}
-############################################################################################
-# Security Kernel Configuration
-############################################################################################
-security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',}
-security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '32768',}
-############################################################################################
-# Integrity Kernel Configuration
-############################################################################################
-integrity_kco = {}
-integrity_kco_ref = {}
-############################################################################################
-# Comments
-############################################################################################
-comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.'}
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
deleted file mode 100644
index faa388c..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
+++ /dev/null
@@ -1,242 +0,0 @@
-############################################################################################
-# Kernel Hardening Configurations
-############################################################################################
-hardening_kco = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
- 'CONFIG_SERIAL_CORE': 'not set',
- 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
- 'CONFIG_CMDLINE_BOOL': 'not set',
- 'CONFIG_CMDLINE': 'not set',
- 'CONFIG_CMDLINE_OVERRIDE': 'not set',
- 'CONFIG_DEBUG_INFO': 'not set',
- 'CONFIG_KGDB': 'not set',
- 'CONFIG_KPROBES': 'not set',
- 'CONFIG_FTRACE': 'not set',
- 'CONFIG_OPROFILE': 'not set',
- 'CONFIG_PROFILING': 'not set',
- 'CONFIG_MAGIC_SYSRQ': 'not set',
- 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
- 'CONFIG_IP_PNP': 'not set',
- 'CONFIG_IKCONFIG': 'not set',
- 'CONFIG_SWAP': 'not set',
- 'CONFIG_NAMESPACES': 'not set',
- 'CONFIG_NFSD': 'not set',
- 'CONFIG_NFS_FS': 'not set',
- 'CONFIG_BINFMT_MISC': 'not set',
- 'CONFIG_KALLSYMS': 'not set',
- 'CONFIG_KALLSYMS_ALL': 'not set',
- 'CONFIG_BUG': 'not set',
- 'CONFIG_SYSCTL_SYSCALL': 'not set',
- 'CONFIG_MODULE_UNLOAD': 'not set',
- 'CONFIG_MODULE_FORCE_LOAD': 'not set',
- 'CONFIG_DEVMEM': 'not set',
- 'CONFIG_COREDUMP': 'not set',
- 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
- 'CONFIG_UNIX_DIAG': 'not set',
- 'CONFIG_CHECKPOINT_RESTORE': 'not set',
- 'CONFIG_PANIC_ON_OOPS': 'not set',
- 'CONFIG_PACKET_DIAG': 'not set',
- 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
- 'CONFIG_BPF_JIT': 'not set',
- 'CONFIG_USELIB': 'not set',
- 'CONFIG_CC_STACKPROTECTOR': 'not set',
- 'CONFIG_KEXEC': 'not set',
- 'CONFIG_PROC_KCORE': 'not set',
- 'CONFIG_SECURITY_DMESG_RESTRICT': 'not set',
- 'CONFIG_DEBUG_STACKOVERFLOW': 'not set',
- 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
- 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
- 'CONFIG_IKCONFIG_PROC': 'not set',
- 'CONFIG_RANDOMIZE_BASE': 'not set',
- 'CONFIG_DEBUG_RODATA': 'not set',
- 'CONFIG_STRICT_DEVMEM': 'not set',
- 'CONFIG_DEVKMEM': 'not set',
- 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'not set',
- 'CONFIG_DEBUG_KERNEL': 'not set',
- 'CONFIG_DEBUG_FS': 'not set',
- 'CONFIG_MODULE_SIG_FORCE': 'not set',
- }
-hardening_kco_ref = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
- 'CONFIG_SERIAL_CORE': 'not set',
- 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
- 'CONFIG_CMDLINE_BOOL': 'y',
- 'CONFIG_CMDLINE': '"cmd_line"',
- 'CONFIG_CMDLINE_OVERRIDE': 'y',
- 'CONFIG_DEBUG_INFO': 'not set',
- 'CONFIG_KGDB': 'not set',
- 'CONFIG_KPROBES': 'not set',
- 'CONFIG_FTRACE': 'not set',
- 'CONFIG_OPROFILE': 'not set',
- 'CONFIG_PROFILING': 'not set',
- 'CONFIG_MAGIC_SYSRQ': 'not set',
- 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
- 'CONFIG_IP_PNP': 'not set',
- 'CONFIG_IKCONFIG': 'not set',
- 'CONFIG_SWAP': 'not set',
- 'CONFIG_NAMESPACES': 'not set',
- 'CONFIG_NFSD': 'not set',
- 'CONFIG_NFS_FS': 'not set',
- 'CONFIG_BINFMT_MISC': 'not set',
- 'CONFIG_KALLSYMS': 'not set',
- 'CONFIG_KALLSYMS_ALL': 'not set',
- 'CONFIG_BUG': 'not set',
- 'CONFIG_SYSCTL_SYSCALL': 'not set',
- 'CONFIG_MODULE_UNLOAD': 'not set',
- 'CONFIG_MODULE_FORCE_LOAD': 'not set',
- 'CONFIG_DEVMEM': 'not set',
- 'CONFIG_COREDUMP': 'not set',
- 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
- 'CONFIG_UNIX_DIAG': 'not set',
- 'CONFIG_CHECKPOINT_RESTORE': 'not set',
- 'CONFIG_PANIC_ON_OOPS': 'y',
- 'CONFIG_PACKET_DIAG': 'not set',
- 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
- 'CONFIG_BPF_JIT': 'not set',
- 'CONFIG_USELIB': 'not set',
- 'CONFIG_CC_STACKPROTECTOR': 'y',
- 'CONFIG_KEXEC': 'not set',
- 'CONFIG_PROC_KCORE': 'not set',
- 'CONFIG_SECURITY_DMESG_RESTRICT': 'y',
- 'CONFIG_DEBUG_STACKOVERFLOW': 'y',
- 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
- 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
- 'CONFIG_IKCONFIG_PROC': 'not set',
- 'CONFIG_RANDOMIZE_BASE': 'y',
- 'CONFIG_DEBUG_RODATA': 'y',
- 'CONFIG_STRICT_DEVMEM': 'y',
- 'CONFIG_DEVKMEM': 'not set',
- 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'y',
- 'CONFIG_DEBUG_KERNEL': 'not set',
- 'CONFIG_DEBUG_FS': 'not set',
- 'CONFIG_MODULE_SIG_FORCE': 'y',
- }
-############################################################################################
-# Keys Kernel Configuration
-############################################################################################
-keys_kco = {'CONFIG_KEYS': 'not set',
- 'CONFIG_TRUSTED_KEYS': 'not set',
- 'CONFIG_ENCRYPTED_KEYS': 'not set',
- 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
- }
-keys_kco_ref = {'CONFIG_KEYS': 'y',
- 'CONFIG_TRUSTED_KEYS': 'y',
- 'CONFIG_ENCRYPTED_KEYS': 'y',
- 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
- }
-############################################################################################
-# Security Kernel Configuration
-############################################################################################
-security_kco = {'CONFIG_SECURITY': 'not set',
- 'CONFIG_SECURITYFS': 'not set',
- 'CONFIG_SECURITY_NETWORKING': 'not set',
- 'CONFIG_DEFAULT_SECURITY': 'not set',
- 'CONFIG_SECURITY_SELINUX': 'not set',
- 'CONFIG_SECURITY_SMACK': 'not set',
- 'CONFIG_SECURITY_TOMOYO': 'not set',
- 'CONFIG_SECURITY_APPARMOR': 'not set',
- 'CONFIG_SECURITY_YAMA': 'not set',
- 'CONFIG_SECURITY_YAMA_STACKED': 'not set'
- }
-security_kco_ref = {'CONFIG_SECURITY': 'y',
- 'CONFIG_SECURITYFS': 'y',
- 'CONFIG_SECURITY_NETWORKING': 'y',
- 'CONFIG_DEFAULT_SECURITY': '"selinux","smack","apparmor","tomoyo"',
- 'CONFIG_SECURITY_SELINUX': 'y',
- 'CONFIG_SECURITY_SMACK': 'y',
- 'CONFIG_SECURITY_TOMOYO': 'y',
- 'CONFIG_SECURITY_APPARMOR': 'y',
- 'CONFIG_SECURITY_YAMA': 'y',
- 'CONFIG_SECURITY_YAMA_STACKED': 'y'
- }
-############################################################################################
-# Integrity Kernel Configuration
-############################################################################################
-integrity_kco = {'CONFIG_INTEGRITY': 'not set',
- 'CONFIG_INTEGRITY_SIGNATURE': 'not set',
- 'CONFIG_INTEGRITY_AUDIT': 'not set',
- 'CONFIG_IMA': 'not set',
- 'CONFIG_IMA_LSM_RULES': 'not set',
- 'CONFIG_IMA_APPRAISE': 'not set',
- 'CONFIG_IMA_TRUSTED_KEYRING': 'not set',
- 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'not set',
- 'CONFIG_EVM': 'not set',
- 'CONFIG_EVM_ATTR_FSUUID': 'not set',
- 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
- }
-integrity_kco_ref = {'CONFIG_INTEGRITY': 'y',
- 'CONFIG_INTEGRITY_SIGNATURE': 'y',
- 'CONFIG_INTEGRITY_AUDIT': 'y',
- 'CONFIG_IMA': 'y',
- 'CONFIG_IMA_LSM_RULES': 'y',
- 'CONFIG_IMA_APPRAISE': 'y',
- 'CONFIG_IMA_TRUSTED_KEYRING': 'y',
- 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'y',
- 'CONFIG_EVM': 'y',
- 'CONFIG_EVM_ATTR_FSUUID': 'y',
- 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'y',
- 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'y',
- 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'y',
- 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
- }
-############################################################################################
-# Comments
-############################################################################################
-comments = { # Kernel Hardening Configurations
- 'CONFIG_SERIAL_8250_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
- 'CONFIG_SERIAL_CORE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
- 'CONFIG_SERIAL_CORE_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
- 'CONFIG_CMDLINE_BOOL': 'Enables the kernel command line to be hardcoded directly into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
- 'CONFIG_CMDLINE': 'Defines the kernel command line to be hardcoded into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
- 'CONFIG_CMDLINE_OVERRIDE': 'Enables the kernel to ignore the boot loader command line and to use only the hardcoded command line. Hardcoding the command line allows tighter control over kernel command line options.',
- 'CONFIG_DEBUG_INFO': 'Enables debug symbols in the kernel. Providing debug symbols would assist an attacker in discovering attack vectors.',
- 'CONFIG_KGDB': 'Enables KGDB over USB and console ports. Providing KGDB would assist an attacker in discovering attack vectors.',
- 'CONFIG_KPROBES': 'Enables Kernel Dynamic Probes. Providing kprobes allows the attacker to collect debug and performance information.',
- 'CONFIG_FTRACE': 'Enables the kernel to trace every function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_OPROFILE': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_PROFILING': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_MAGIC_SYSRQ': 'Enables a console device to interpret special characters as SysRQ system commands. SysRQ commands are an immediate attack vector as they provide the ability to dump information or reboot the device.',
- 'CONFIG_DEBUG_BUGVERBOSE': 'Enables verbose logging for BUG() panics. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_IP_PNP': 'Enables automatic configuration of IP addresses of devices and of the routing table during kernel boot. Providing networking functionality before the system has come up would assist an attacker in discovering attack vectors.',
- 'CONFIG_IKCONFIG': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
- 'CONFIG_SWAP': 'Enables swap files for kernel. The ability to read kernel memory pages in swap files would assist an attacker in discovering attack vectors.',
- 'CONFIG_NAMESPACES': 'Enabling this can result in duplicates of dev nodes, pids and mount points, which can be useful to attackers trying to spoof running environments on devices.',
- 'CONFIG_NFSD': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
- 'CONFIG_NFS_FS': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
- 'CONFIG_BINFMT_MISC': 'Enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.',
- 'CONFIG_KALLSYMS': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_KALLSYMS_ALL': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_BUG': 'Enables display of backtrace and register information for BUGs and WARNs in kernel space. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_SYSCTL_SYSCALL': 'Enables sysctl to read and write kernel parameters. Use of deprecated and unmaintained features is not recommended.',
- 'CONFIG_MODULE_UNLOAD': 'Enables the ability to unload a kernel module. Allowing module unloading enables the attacker to disable security modules.',
- 'CONFIG_MODULE_FORCE_LOAD': 'Enables forced loading of modules without version information. Providing an attacker with the ability to force load a module assists in discovering attack vectors.',
- 'CONFIG_DEVMEM': 'Enables mem device, which provides access to physical memory. Providing a view into physical memory would assist an attacker in discovering attack vectors.',
- 'CONFIG_COREDUMP': 'Enables support for performing core dumps. Providing core dumps would assist an attacker in discovering attack vectors.',
- 'CONFIG_CROSS_MEMORY_ATTACH': 'Enables cross-process virtual memory access. Providing virtual memory access to and from a hostile process would assist an attacker in discovering attack vectors.',
- 'CONFIG_UNIX_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
- 'CONFIG_CHECKPOINT_RESTORE': 'Enables the checkpoint/restore service which can freeze and migrate processes. Providing a method for manipulating process state would assist an attacker in discovering attack vectors.',
- 'CONFIG_PANIC_ON_OOPS': 'Enables conversion of kernel OOPs to PANIC. When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.',
- 'CONFIG_PACKET_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
- 'CONFIG_FW_LOADER_USER_HELPER': 'Enables the invocation of user-helper (e.g. udev) for loading firmware files as a fallback after the direct file loading in kernel fails. Providing firmware auto loader functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_BPF_JIT': 'Enables Berkeley Packet Filter filtering capabilities. The BPF JIT can be used to create kernel-payloads from firewall table rules which assist an attacker in discovering attack vectors.',
- 'CONFIG_USELIB': 'Enables the uselib syscall. The uselib system call has no valid use in any libc6 or uclibc system. Legacy features would assist an attacker in discovering attack vectors.',
- 'CONFIG_CC_STACKPROTECTOR': 'Enables the stack protector GCC feature which defends against stack-based buffer overflows',
- 'CONFIG_KEXEC': 'Enables the ability to shutdown your current kernel, and start another one. If enabled, this can be used as a way to bypass signed kernels.',
- 'CONFIG_PROC_KCORE': 'Enables access to a kernel core dump from userspace. Providing access to core dumps of the kernel would assist an attacker in discovering attack vectors.',
- 'CONFIG_SECURITY_DMESG_RESTRICT': 'Enables restrictions on unprivileged users reading the kernel syslog via dmesg(8). Unrestricted access to kernel syslogs would assist an attacker in discovering attack vectors.',
- 'CONFIG_DEBUG_STACKOVERFLOW': 'Enables messages to be printed if free stack space drops below a certain limit. Leaking information about resources used by the kernel would assist an attacker in discovering attack vectors.',
- 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'Converts a certain set of sanity checks for user copy operations into compile time failures. The copy_from_user() etc checks help test if there are sufficient security checks on the length argument of the copy operation by having gcc prove that the argument is within bounds.',
- 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'Required to enable DEBUG_STRICT_USER_COPY_CHECKS, but alone does not provide security.',
- 'CONFIG_IKCONFIG_PROC': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
- 'CONFIG_RANDOMIZE_BASE': 'Enables Kernel Address Space Layout randomization (kASLR). This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
- 'CONFIG_DEBUG_RODATA': 'Sets kernel text and rodata sections as read-only and write-protected. This guards against malicious attempts to change the kernel\'s executable code.',
- 'CONFIG_STRICT_DEVMEM': 'Enables restriction of userspace access to kernel memory. Failure to enable this option provides an immediate attack vector.',
- 'CONFIG_DEVKMEM': 'Enables kmem device, which direct maps kernel memory. Providing a view into kernel memory would assist an attacker in discovering attack vectors.',
- 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'Enables randomization of PIE load address for ELF binaries. This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
- 'CONFIG_DEBUG_KERNEL': 'Enables sysfs output intended to assist with debugging a kernel. The information output to sysfs would assist an attacker in discovering attack vectors.',
- 'CONFIG_DEBUG_FS': 'Enables the kernel debug filesystem. The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.',
- 'CONFIG_MODULE_SIG_FORCE': 'Enables validation of module signature. Disabling this option enables an attacker to load unsigned modules.',
-}
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
deleted file mode 100644
index cbaddf8..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
+++ /dev/null
@@ -1,38 +0,0 @@
-############################################################################################
-# Kernel Hardening Configurations
-############################################################################################
-hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',
- 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'not set',
- 'CONFIG_X86_INTEL_MPX': 'not set',
- 'CONFIG_X86_MSR': 'not set'
- }
-hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '65536', # x86 specific
- 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': '0x20000000,0x40000000', # x86 specific
- 'CONFIG_X86_INTEL_MPX': 'y', # x86 and certain HW variants specific
- 'CONFIG_X86_MSR': 'not set'
- }
-############################################################################################
-# Keys Kernel Configuration
-############################################################################################
-keys_kco = {}
-keys_kco_ref = {}
-############################################################################################
-# Security Kernel Configuration
-############################################################################################
-security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',
- 'CONFIG_INTEL_TXT': 'not set'}
-security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '65536', # x86 specific
- 'CONFIG_INTEL_TXT': 'y'}
-############################################################################################
-# Integrity Kernel Configuration
-############################################################################################
-integrity_kco = {}
-integrity_kco_ref = {}
-############################################################################################
-# Comments
-############################################################################################
-comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.',
- 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'Defines the maximal offset in bytes that will be applied to the kernel when kernel Address Space Layout Randomization (kASLR) is active.',
- 'CONFIG_X86_INTEL_MPX': 'Enables MPX hardware features that can be used with compiler-instrumented code to check memory references. It is designed to detect buffer overflow or underflow bugs.',
- 'CONFIG_X86_MSR': 'Enables privileged processes access to the x86 Model-Specific Registers (MSRs). MSR accesses are directed to a specific CPU on multi-processor systems. This alone does not provide security.'
- }
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi b/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
deleted file mode 100644
index 5e7a69f..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
+++ /dev/null
@@ -1,43 +0,0 @@
-Artistic-1.0-perl
-BSD-2-Clause-FreeBSD
-BSD-3-Clause-Clear
-BSD-4-Clause
-BSD-4-Clause-UC
-bzip2-1.0.5
-bzip2-1.0.6
-CC0-1.0
-CC-BY-SA-3.0
-ErlPL-1.1
-FTL
-GFDL-1.1
-GFDL-1.1+
-GFDL-1.2
-GFDL-1.2+
-GFDL-1.3
-GFDL-1.3+
-GPL-1.0
-GPL-1.0+
-ICU
-IJG
-Libpng
-libtiff
-MIT-feh
-MIT-Opengroup
-mpich2
-Muddy-MIT
-OFL-1.0
-OLDAP-2.0.1
-OLDAP-2.8
-OpenSSL
-PHP-3.01
-Qhull
-Ruby
-SGI-B-2.0
-TCL
-Vim
-X11
-Zend-2.0
-zlib-acknowledgement
-ZPL-1.1
-ZPL-2.0
-ZPL-2.1
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions b/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
deleted file mode 100644
index e69de29..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
+++ /dev/null
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses b/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
deleted file mode 100644
index 8fff0b1..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
+++ /dev/null
@@ -1,105 +0,0 @@
-AFL-1.1
-AFL-1.2
-AFL-2.0
-AFL-2.1
-AFL-3.0
-APL-1.0
-Apache-1.1
-Apache-2.0
-APSL-1.0
-APSL-1.1
-APSL-1.2
-APSL-2.0
-Artistic-1.0
-Artistic-1.0-Perl
-Artistic-1.0-cl8
-Artistic-2.0
-AAL
-BSL-1.0
-BSD-2-Clause
-BSD-3-Clause
-CNRI-Python
-CDDL-1.0
-CPAL-1.0
-CPL-1.0
-CATOSL-1.1
-CUA-OPL-1.0
-EPL-1.0
-ECL-1.0
-ECL-2.0
-EFL-1.0
-EFL-2.0
-Entessa
-EUDatagrid
-EUPL-1.1
-Fair
-Frameworx-1.0
-AGPL-3.0
-GPL-2.0
-GPL-2.0+
-GPL-2.0-with-autoconf-exception
-GPL-2.0-with-bison-exception
-GPL-2.0-with-classpath-exception
-GPL-2.0-with-font-exception
-GPL-2.0-with-GCC-exception
-GPL-3.0
-GPL-3.0+
-GPL-3.0-with-autoconf-exception
-GPL-3.0-with-GCC-exception
-LGPL-2.1
-LGPL-2.1+
-LGPL-3.0
-LGPL-3.0+
-LGPL-2.0
-LGPL-2.0+
-HPND
-IPL-1.0
-Intel
-IPA
-ISC
-LPPL-1.3c
-LPL-1.02
-LPL-1.0
-MS-PL
-MS-RL
-MirOS
-MIT
-Motosoto
-MPL-1.0
-MPL-1.1
-MPL-2.0
-MPL-2.0-no-copyleft-exception
-Multics
-NASA-1.3
-Naumen
-NGPL
-Nokia
-NPOSL-3.0
-NTP
-OCLC-2.0
-OGTSL
-OSL-1.0
-OSL-2.0
-OSL-2.1
-OSL-3.0
-PHP-3.0
-PostgreSQL
-Python-2.0
-QPL-1.0
-RPSL-1.0
-RPL-1.1
-RPL-1.5
-RSCPL
-OFL-1.1
-SimPL-2.0
-Sleepycat
-SISSL
-SPL-1.0
-Watcom-1.0
-NCSA
-VSL-1.0
-W3C
-WXwindows
-Xnet
-Zlib
-ZPL-2.0
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations b/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
deleted file mode 100644
index 5da203b..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
+++ /dev/null
@@ -1,7 +0,0 @@
-GPL-3.0
-GPL-3.0+
-GPL-3.0-with-autoconf-exception
-GPL-3.0-with-GCC-exception
-LGPL-3.0
-LGPL-3.0+
-
diff --git a/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb b/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
deleted file mode 100644
index 247ec76..0000000
--- a/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
+++ /dev/null
@@ -1,25 +0,0 @@
-SUMMARY = "Checksec tool"
-DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD-3-Clause"
-HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
-
-LIC_FILES_CHKSUM = "file://checksec-${PV}.sh;beginline=3;endline=34;md5=6dab14470bfdf12634b866dbdd7a04b0"
-
-SRC_URI = "http://www.trapkit.de/tools/checksec.sh;downloadfilename=checksec-${PV}.sh"
-
-SRC_URI[md5sum] = "57cc3fbbbe48e8ebd4672c569954374d"
-SRC_URI[sha256sum] = "05822cd8668589038d20650faa0e56f740911d8ad06f7005b3d12a5c76591b90"
-
-
-S = "${WORKDIR}"
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/checksec-${PV}.sh ${D}${bindir}/checksec.sh
- sed -i 's/\r//' ${D}${bindir}/checksec.sh
-}
-
-RDEPENDS_${PN} = "bash binutils"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-tpm/README b/meta-tpm/README.md
index 59d2ee3..5722a92 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README.md
@@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need
to have 'tpm' in DISTRO_FEATURES to have effect.
To enable them, add in configuration file the following line.
- DISTRO_FEATURES_append = " tmp"
+ DISTRO_FEATURES:append = " tpm"
If meta-tpm is included, but tpm is not enabled as a
distro feature a warning is printed at parse time:
@@ -57,14 +57,14 @@ other layers needed. e.g.:
Maintenance
-----------
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-security][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-tpm/classes/sanity-meta-tpm.bbclass
index 2f8b52d..1ab03c8 100644
--- a/meta-tpm/classes/sanity-meta-tpm.bbclass
+++ b/meta-tpm/classes/sanity-meta-tpm.bbclass
@@ -2,7 +2,9 @@ addhandler tpm_machinecheck
tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
python tpm_machinecheck() {
skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
- if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and \
+ 'tpm2' not in e.data.getVar('DISTRO_FEATURES').split() and \
+ not skip_check:
bb.warn("You have included the meta-tpm layer, but \
'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
and preferred version setting may not take effect. See the meta-tpm README \
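Review bot: The new condition on L12027–12029 calls `e.data.getVar('DISTRO_FEATURES').split()` twice and still raises AttributeError when the variable is unset, since `.split()` runs on None; because `not skip_check` is evaluated last, both getVar calls also run even when the check is meant to be skipped. The same commit already uses `bb.utils.contains_any` in the kernel bbappends, which handles both features in one call: `if not skip_check and not bb.utils.contains_any('DISTRO_FEATURES', 'tpm tpm2', True, False, e.data):`. The body of tpm_machinecheck (the bb.warn call) continues past the end of the hunk.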
diff --git a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc
new file mode 100644
index 0000000..e7b216d
--- /dev/null
+++ b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc
@@ -0,0 +1,38 @@
+# meta-tpm Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+# - look in the Yocto Project Bugzilla
+# (http://bugzilla.yoctoproject.org/) to see if a problem has
+# already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+# RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-libtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-trousers = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-swtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
+
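Review bot: The header on L12059 asks for alphabetical order, but the entries on L12060–12075 are not sorted (aircrack-ng, pcr-extend, tpm-quote-tools, libtpm, …), and the header on L12044 still directs contributors to `yocto@yoctoproject.org` while the README hunk in this same commit moves the list to `yocto@lists.yoctoproject.org`. Align the comment with `# Yocto mail list (yocto@lists.yoctoproject.org)` and sort the entries so the file matches its own instructions. `aircrack-ng` also looks out of place in a meta-tpm maintainers file — worth confirming that recipe actually lives in this layer.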
diff --git a/meta-tpm/conf/distro/include/maintainers.inc b/meta-tpm/conf/distro/include/maintainers.inc
deleted file mode 100644
index dcf53d0..0000000
--- a/meta-tpm/conf/distro/include/maintainers.inc
+++ /dev/null
@@ -1,38 +0,0 @@
-# meta-tpm Maintainers File
-#
-# This file contains a list of recipe maintainers.
-#
-# Please submit any patches against recipes in meta to the
-# Yocto mail list (yocto@yoctoproject.org)
-#
-# If you have problems with or questions about a particular recipe, feel
-# free to contact the maintainer directly (cc:ing the appropriate mailing list
-# puts it in the archive and helps other people who might have the same
-# questions in the future), but please try to do the following first:
-#
-# - look in the Yocto Project Bugzilla
-# (http://bugzilla.yoctoproject.org/) to see if a problem has
-# already been reported
-#
-# The format is as a bitbake variable override for each recipe
-#
-# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
-#
-# Please keep this list in alphabetical order.
-RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-libtpm = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-trousers = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-swtpm = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
-
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 0b102c5..58b61d4 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -6,9 +6,9 @@ BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_tpm-layer = "10"
+BBFILE_PRIORITY_tpm-layer = "6"
-LAYERSERIES_COMPAT_tpm-layer = "hardknott"
+LAYERSERIES_COMPAT_tpm-layer = "nanbield scarthgap"
LAYERDEPENDS_tpm-layer = " \
core \
@@ -24,3 +24,7 @@ INHERIT += "sanity-meta-tpm"
BBFILES_DYNAMIC += " \
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
"
+
+addpylib ${LAYERDIR}/lib oeqa
+
+WARN_QA:append:tmp-layer = " patch-status missing-metadata"
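Review bot: `WARN_QA:append:tmp-layer` on L12141 uses the override `tmp-layer`, but this layer's collection is named `tpm-layer` (L12126–12131), so the override never matches and the `patch-status missing-metadata` QA checks are silently not enabled for this layer. Change it to `WARN_QA:append:tpm-layer = " patch-status missing-metadata"`. A typo in an override produces no parse-time diagnostic, which is why this kind of misconfiguration tends to go unnoticed.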
diff --git a/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch b/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
deleted file mode 100644
index 8250282..0000000
--- a/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From db772305c6baa01f6c6750be74733e4bfc1d6106 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Apr 2020 10:44:19 +0200
-Subject: [PATCH] xfrmi: Only build if libcharon is built
-
-The kernel-netlink plugin is only built if libcharon is.
-
-Closes strongswan/strongswan#167.
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- src/Makefile.am | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-Index: strongswan-5.8.4/src/Makefile.am
-===================================================================
---- strongswan-5.8.4.orig/src/Makefile.am
-+++ strongswan-5.8.4/src/Makefile.am
-@@ -42,6 +42,9 @@ endif
-
- if USE_LIBCHARON
- SUBDIRS += libcharon
-+if USE_KERNEL_NETLINK
-+ SUBDIRS += xfrmi
-+endif
- endif
-
- if USE_FILE_CONFIG
-@@ -143,7 +146,3 @@ endif
- if USE_TPM
- SUBDIRS += tpm_extendpcr
- endif
--
--if USE_KERNEL_NETLINK
-- SUBDIRS += xfrmi
--endif
diff --git a/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
deleted file mode 100644
index d8604e1..0000000
--- a/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
+++ /dev/null
@@ -1,12 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-DEPENDS = "libtspi"
-
-SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
-
-PACKAGECONFIG += "aikgen tpm"
-
-PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
-PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
-
-EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
diff --git a/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
deleted file mode 100644
index 34757bb..0000000
--- a/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'tpm', 'strongswan-tpm.inc', '', d)}
diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
new file mode 100644
index 0000000..0be5c59
--- /dev/null
+++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -0,0 +1,26 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class SwTpmTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+ cls.tc.target.run('mkdir /tmp/myvtpm2')
+ cls.tc.target.run('chown tss:root /tmp/myvtpm2')
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+ cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
+ @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['swtpm'])
+ def test_swtpm2_ek_cert(self):
+ cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
+ status, output = self.target.run(cmd)
+ self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
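Review bot: The trailing comma on L12240 makes `cmd` a one-element tuple rather than a string, so `self.target.run(cmd)` receives a tuple and the test errors out (or runs the wrong thing) instead of exercising swtpm_setup; drop it: `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2'`. In setUpClass (L12227–12229) the return status of every command is discarded, so a `mkdir /tmp/myvtpm2` that fails because a directory was left behind by an interrupted run goes unnoticed and the following `chown tss:root` is applied to whatever already sits at that fixed path under the shared /tmp; `mkdir -p` plus a check of the returned status would make the setup deterministic. The `swtpm_ioctl -s --tcp :2322` issued before anything has been started presumably is best-effort cleanup of a stale instance — if so, a one-line comment saying so would spare the next reader the question.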
diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index c6f9d92..8e90dc9 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -1,11 +1,21 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
#
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.runtime.decorator.package import OEHasPackage
-
+from oeqa.core.decorator.data import skipIfNotFeature
class Tpm2Test(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+ cls.tc.target.run('mkdir /tmp/myvtpm2')
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+ cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
def check_endlines(self, results, expected_endlines):
for line in results.splitlines():
for el in expected_endlines:
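Review bot: setUpClass on L12258–12260 discards the status of both commands, so a failed `mkdir /tmp/myvtpm2` (for example a directory left over from an interrupted run) only surfaces later when `swtpm socket` fails with an unrelated message; use `mkdir -p` and assert on the returned status. Unlike the otherwise identical setUpClass in swtpm.py added by this commit, this one does not `chown tss:root` the state directory, and both classes use the same `/tmp/myvtpm2` path and control port 2322, so when run in the same session their setUp/tearDown steps can interfere with each other — a per-class state directory or a shared helper would avoid that. The `swtpm_ioctl -s` shutdown sent before any swtpm has been started looks like best-effort cleanup; a comment would make that explicit.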
@@ -16,28 +26,44 @@ class Tpm2Test(OERuntimeTestCase):
if expected_endlines:
self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines))
- @OEHasPackage(['tpm2-tss'])
- @OEHasPackage(['tpm2-abrmd'])
@OEHasPackage(['tpm2-tools'])
- @OEHasPackage(['ibmswtpm2'])
+ @OEHasPackage(['tpm2-abrmd'])
+ @OEHasPackage(['swtpm'])
+ @skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES')
@OETestDepends(['ssh.SSHTest.test_ssh'])
- def test_tpm2_sim(self):
+ def test_tpm2_startup(self):
cmds = [
- 'tpm_server &',
- 'tpm2-abrmd --allow-root --tcti=mssim &'
+ 'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
+ 'tpm2_startup -c -T "swtpm:port=2321"',
]
for cmd in cmds:
status, output = self.target.run(cmd)
self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
- @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim'])
- def test_tpm2(self):
- (status, output) = self.target.run('tpm2_pcrlist')
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup'])
+ def test_tpm2_pcrread(self):
+ (status, output) = self.target.run('tpm2_pcrread')
expected_endlines = []
- expected_endlines.append('sha1 :')
- expected_endlines.append(' 0 : 0000000000000000000000000000000000000003')
- expected_endlines.append(' 1 : 0000000000000000000000000000000000000000')
+ expected_endlines.append(' sha1:')
+ expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000')
+ expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000')
+ expected_endlines.append(' sha256:')
+ expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000000000000000000000000000')
+ expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000000000000000000000000000')
+
self.check_endlines(output, expected_endlines)
+
+ @OEHasPackage(['p11-kit'])
+ @OEHasPackage(['tpm2-pkcs11'])
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread'])
+ def test_tpm2_pkcs11(self):
+ (status, output) = self.target.run('p11-kit list-modules -v')
+ self.assertEqual(status, 0, msg="Modules missing: %s" % output)
+
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pkcs11'])
+ def test_tpm2_swtpm_reset(self):
+ (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
+ self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
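Review bot: `test_tpm2_pkcs11` on L12315–12316 only checks that `p11-kit list-modules -v` exits 0, which holds even when the tpm2-pkcs11 module is not registered at all; assert on the output as well, e.g. `self.assertIn('tpm2', output, msg="tpm2-pkcs11 module not listed: %s" % output)`, with the exact module name confirmed against a real run. `test_tpm2_swtpm_reset` (L12318) depends on `test_tpm2_pkcs11`, which is itself skipped when p11-kit or tpm2-pkcs11 is absent; if OETestDepends treats a skipped dependency as unmet, the reset test will never run on such images even though it needs only the running swtpm — depending on `tpm2.Tpm2Test.test_tpm2_startup` directly avoids that. `test_tpm2_startup` checks only the launch status of the daemonised `swtpm socket -d` (L12286), so a swtpm that exits after daemonising is reported indirectly by `tpm2_startup`, and tearDownClass's `swtpm_ioctl -s` does not check its result either.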
diff --git a/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-tpm/recipes-core/images/security-tpm2-image.bb
index 7e047d1..941a661 100644
--- a/meta-tpm/recipes-core/images/security-tpm2-image.bb
+++ b/meta-tpm/recipes-core/images/security-tpm2-image.bb
@@ -7,6 +7,7 @@ IMAGE_INSTALL = "\
packagegroup-core-boot \
packagegroup-security-tpm2 \
os-release \
+ swtpm \
"
IMAGE_LINGUAS ?= " "
diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb
index 3b9d271..e3de797 100644
--- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb
+++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb
@@ -7,8 +7,8 @@ inherit packagegroup
PACKAGES = "packagegroup-security-tpm-i2c"
-SUMMARY_packagegroup-security-tpm-i2c = "Security TPM i2c support"
-RDEPENDS_packagegroup-security-tpm-i2c = " \
+SUMMARY:packagegroup-security-tpm-i2c = "Security TPM i2c support"
+RDEPENDS:packagegroup-security-tpm-i2c = " \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
kernel-module-tpm-i2c-atmel \
diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
index 3844c7f..a1d4d44 100644
--- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
+++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
@@ -7,27 +7,27 @@ inherit packagegroup
PACKAGES = "packagegroup-security-tpm"
-SUMMARY_packagegroup-security-tpm = "Security TPM support"
-RDEPENDS_packagegroup-security-tpm = " \
+SUMMARY:packagegroup-security-tpm = "Security TPM support"
+RDEPENDS:packagegroup-security-tpm = " \
tpm-tools \
trousers \
pcr-extend \
tpm-quote-tools \
swtpm \
+ libhoth \
openssl-tpm-engine \
- libtpm \
${X86_TPM_MODULES} \
"
X86_TPM_MODULES ?= ""
-X86_TPM_MODULES_x86 = " \
+X86_TPM_MODULES:x86 = " \
kernel-module-tpm-atmel \
kernel-module-tpm-infineon \
kernel-module-tpm-nsc \
"
-X86_TPM_MODULES_x86-64 = " \
+X86_TPM_MODULES:x86-64 = " \
kernel-module-tpm-atmel \
kernel-module-tpm-infineon \
kernel-module-tpm-nsc \
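Review bot: `X86_TPM_MODULES:x86` / `:x86-64` (L12368–12377) still RDEPENDS on kernel-module-tpm-atmel, -infineon and -nsc, but this commit deletes linux-yocto/tpm_x86.cfg (L12429–12438), the fragment that set CONFIG_TCG_ATMEL/INFINEON/NSC=m; unless tpm.scc still enables those drivers as modules elsewhere, the kernel-module-* packages will not be produced and this packagegroup will fail to resolve on x86. The two override blocks are identical, so a single definition would also remove the duplication. The newly added `libhoth` here, and tpm2-openssl / python3-tpm2-pytss in the packagegroup-security-tpm2 hunk, have no entry in the maintainers-meta-tpm.inc added by this commit; if those recipes live in this layer they need `RECIPE_MAINTAINER:pn-<recipe>` lines.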
diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 8b6f030..b986097 100644
--- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -3,20 +3,25 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+PACKAGE_ARCH = "${TUNE_PKGARCH}"
+
inherit packagegroup
PACKAGES = "${PN}"
-SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
-RDEPENDS_packagegroup-security-tpm2 = " \
+SUMMARY:packagegroup-security-tpm2 = "Security TPM 2.0 support"
+RDEPENDS:packagegroup-security-tpm2 = " \
tpm2-tools \
trousers \
tpm2-tss \
- libtss2 \
libtss2-mu \
libtss2-tcti-device \
libtss2-tcti-mssim \
+ libtss2 \
tpm2-abrmd \
tpm2-pkcs11 \
- ibmswtpm2 \
+ tpm2-openssl \
+ tpm2-tss-engine \
+ tpm2-tss-engine-engines \
+ python3-tpm2-pytss \
"
diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb
index 2e9394f..3a8f2fa 100644
--- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb
+++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb
@@ -7,8 +7,8 @@ inherit packagegroup
PACKAGES = "packagegroup-security-vtpm"
-SUMMARY_packagegroup-security-vtpm = "Security Software vTPM support"
-RDEPENDS_packagegroup-security-vtpm = " \
+SUMMARY:packagegroup-security-vtpm = "Security Software vTPM support"
+RDEPENDS:packagegroup-security-vtpm = " \
libtpm \
swtpm \
"
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend
new file mode 100644
index 0000000..e8027ff
--- /dev/null
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm tpm2', 'linux-yocto_tpm.inc', '', d)}
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
deleted file mode 100644
index 8be331a..0000000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-CONFIG_TCG_NSC=m
-CONFIG_TCG_ATMEL=m
-CONFIG_TCG_INFINEON=m
-CONFIG_TCG_TIS_ST33ZP24=m
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-tpm/recipes-kernel/linux/linux-yocto_%.bbappend
new file mode 100644
index 0000000..e8027ff
--- /dev/null
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm tpm2', 'linux-yocto_tpm.inc', '', d)}
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
deleted file mode 100644
index 2cf1453..0000000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm', 'linux-yocto_tpm.inc', '', d)}
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc b/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
index cea8b1b..7a27683 100644
--- a/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
@@ -1,17 +1,8 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux-yocto:"
-# Enable tpm in kernel
-SRC_URI_append_x86 = " \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
- "
-
-SRC_URI_append_x86-64 = " \
+SRC_URI += " \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
- "
-
-SRC_URI += " \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
"
diff --git a/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch b/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
deleted file mode 100644
index 9e1021a..0000000
--- a/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 09e7dd42e5201d079bad70e9f7cc6033ce1c7cad Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.vnet.ibm.com>
-Date: Fri, 3 Feb 2017 10:58:22 -0500
-Subject: [PATCH] Convert another vdprintf to dprintf
-
-Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/tpm_library.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: git/src/tpm_library.c
-===================================================================
---- git.orig/src/tpm_library.c
-+++ git/src/tpm_library.c
-@@ -427,7 +427,7 @@ void TPMLIB_LogPrintfA(unsigned int inde
- indent = sizeof(spaces) - 1;
- memset(spaces, ' ', indent);
- spaces[indent] = 0;
-- vdprintf(debug_fd, spaces, NULL);
-+ dprintf(debug_fd, "%s", spaces);
- }
-
- va_start(args, format);
diff --git a/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch b/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
deleted file mode 100644
index a71b5c1..0000000
--- a/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6a9b4e5d70f770aa9ca31e3e6d3b1ae72c192070 Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.vnet.ibm.com>
-Date: Tue, 31 Jan 2017 20:10:51 -0500
-Subject: [PATCH] Use format '%s' for call to dprintf
-
-Fix the dprintf call to use a format parameter that otherwise causes
-errors with gcc on certain platforms.
-
-Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-replaces local patch
-Signed-off-by: Armin Kuster <akuster@mvsita.com>
-
----
- src/tpm_library.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/src/tpm_library.c
-===================================================================
---- git.orig/src/tpm_library.c
-+++ git/src/tpm_library.c
-@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format,
- }
-
- if (debug_prefix)
-- dprintf(debug_fd, debug_prefix);
-- dprintf(debug_fd, buffer);
-+ dprintf(debug_fd, "%s", debug_prefix);
-+ dprintf(debug_fd, "%s", buffer);
-
- return i;
- }
diff --git a/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch b/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
deleted file mode 100644
index fc13aa5..0000000
--- a/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Upstream-Status: Pending
-Signed-off-by: Armin kuster <akuster808@gmail.com>
-
-Index: git/src/swtpm/ctrlchannel.c
-===================================================================
---- git.orig/src/swtpm/ctrlchannel.c
-+++ git/src/swtpm/ctrlchannel.c
-@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
- uint32_t tpm_number = 0;
- unsigned char *blob = NULL;
- uint32_t blob_length = be32toh(pss->u.req.length);
-- uint32_t remain = blob_length, offset = 0;
-+ ssize_t remain = (ssize_t) blob_length;
-+ uint32_t offset = 0;
- TPM_RESULT res;
- uint32_t flags = be32toh(pss->u.req.state_flags);
- TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
-Index: git/src/swtpm_ioctl/tpm_ioctl.c
-===================================================================
---- git.orig/src/swtpm_ioctl/tpm_ioctl.c
-+++ git/src/swtpm_ioctl/tpm_ioctl.c
-@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
- numbytes = write(file_fd, pgs.u.resp.data,
- devtoh32(is_chardev, pgs.u.resp.length));
-
-- if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
-+ if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
- fprintf(stderr,
- "Could not write to file '%s': %s\n",
- filename, strerror(errno));
-@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
- had_error = true;
- break;
- }
-- pss.u.req.length = htodev32(is_chardev, numbytes);
-+ pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
-
- /* the returnsize is zero on all intermediate packets */
- returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
-@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
- return EXIT_FAILURE;
- }
- /* no tpm_result here */
-- printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
-+ printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
-
- } else if (!strcmp(command, "-i")) {
- init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.2.bb b/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
index 9784aa1..a860319 100644
--- a/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.2.bb
+++ b/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
@@ -2,8 +2,8 @@ SUMMARY = "LIBPM - Software TPM Library"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
-SRCREV = "f66a719eda0b492ea3ec7852421a9d98db0a0621"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8"
+SRCREV = "f8c2dc7e12a730dcca4220d7ac5ad86d13dfd630"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https"
PE = "1"
diff --git a/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch b/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
deleted file mode 100644
index 3d16431..0000000
--- a/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster@mvista.com>
-Date: Tue, 14 Mar 2017 22:59:36 -0700
-Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
-
- error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
- #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/swtpm/logging.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
-index f16cab6..7da8606 100644
---- a/src/swtpm/logging.c
-+++ b/src/swtpm/logging.c
-@@ -45,7 +45,7 @@
- #include <errno.h>
- #include <string.h>
- #include <sys/types.h>
--#include <sys/fcntl.h>
-+#include <fcntl.h>
- #include <sys/stat.h>
- #include <stdio.h>
- #include <stdlib.h>
---
-2.11.0
-
diff --git a/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
deleted file mode 100644
index 60958f7..0000000
--- a/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Thu, 13 Oct 2016 02:03:56 -0700
-Subject: [PATCH 1/4] swtpm: add new package
-
-Upstream-Status: Inappropriate [OE config]
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Rebased to current tip.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- configure.ac | 34 ++++++++++------------------------
- 1 file changed, 10 insertions(+), 24 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index abf5be1..85ed6ac 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
- dnl We have to make sure libtpms is using the same crypto library
- dnl to avoid problems
- AC_MSG_CHECKING([the crypto library libtpms is using])
--dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
-- sed -n '/SEARCH_DIR/p' | \
-- sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \
-- sed 's|=/|/|g')
--for dir in $dirs $LIBRARY_PATH; do
-- if test -r $dir/libtpms.so; then
-- if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
-- libtpms_cryptolib="openssl"
-- break
-- fi
-- if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
-- libtpms_cryptolib="freebl"
-- break
-- fi
-+dir="$SEARCH_DIR"
-+if test -r $dir/libtpms.so; then
-+ if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
-+ libtpms_cryptolib="openssl"
-+ break
- fi
-- case $host_os in
-- cygwin|openbsd*)
-- if test -r $dir/libtpms.a; then
-- if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
-- libtpms_cryptolib="openssl"
-- fi
-- fi
-- ;;
-- esac
--done
-+ if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
-+ libtpms_cryptolib="freebl"
-+ break
-+ fi
-+fi
-
- if test -z "$libtpms_cryptolib"; then
- AC_MSG_ERROR([Could not determine libtpms crypto library.])
---
-2.11.0
-
diff --git a/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch b/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
deleted file mode 100644
index d736bc6..0000000
--- a/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-tpm_ioctl: fix musl for missing ioctl
-
-tpm_ioctl.c: In function 'ioctl_to_cmd':
-tpm_ioctl.c:86:26: error: '_IOC_NRSHIFT' undeclared (first use in this function)
- return ((ioctlnum >> _IOC_NRSHIFT) & _IOC_NRMASK) + 1;
-
-
-Upstream-status:
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-Index: git/src/swtpm_ioctl/tpm_ioctl.c
-===================================================================
---- git.orig/src/swtpm_ioctl/tpm_ioctl.c
-+++ git/src/swtpm_ioctl/tpm_ioctl.c
-@@ -58,6 +58,7 @@
- #include <fcntl.h>
- #include <unistd.h>
- #include <sys/ioctl.h>
-+#include <asm/ioctl.h>
- #include <getopt.h>
- #include <sys/un.h>
- #include <sys/types.h>
diff --git a/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch b/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch
deleted file mode 100644
index 5aee933..0000000
--- a/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Don't check for tscd deamon on host.
-
-Upstream-Status: OE Specific
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -179,15 +179,6 @@ AC_SUBST([LIBTPMS_LIBS])
- AC_CHECK_LIB(c, clock_gettime, LIBRT_LIBS="", LIBRT_LIBS="-lrt")
- AC_SUBST([LIBRT_LIBS])
-
--AC_PATH_PROG([TCSD], tcsd)
--if test "x$TCSD" = "x"; then
-- have_tcsd=no
-- AC_MSG_WARN([tcsd could not be found; typically need it for tss user account and tests])
--else
-- have_tcsd=yes
--fi
--AM_CONDITIONAL([HAVE_TCSD], test "$have_tcsd" != "no")
--
- dnl We either need netstat (more common across systems) or 'ss' for test cases
- AC_PATH_PROG([NETSTAT], [netstat])
- if test "x$NETSTAT" = "x"; then
-@@ -440,23 +431,6 @@ AC_ARG_WITH([tss-group],
- [TSS_GROUP="tss"]
- )
-
--case $have_tcsd in
--yes)
-- AC_MSG_CHECKING([whether TSS_USER $TSS_USER is available])
-- if ! test $(id -u $TSS_USER); then
-- AC_MSG_ERROR(["$TSS_USER is not available"])
-- else
-- AC_MSG_RESULT([yes])
-- fi
-- AC_MSG_CHECKING([whether TSS_GROUP $TSS_GROUP is available])
-- if ! test $(id -g $TSS_GROUP); then
-- AC_MSG_ERROR(["$TSS_GROUP is not available"])
-- else
-- AC_MSG_RESULT([yes])
-- fi
-- ;;
--esac
--
- AC_SUBST([TSS_USER])
- AC_SUBST([TSS_GROUP])
-
-Index: git/tests/Makefile.am
-===================================================================
---- git.orig/tests/Makefile.am
-+++ git/tests/Makefile.am
-@@ -83,10 +83,6 @@ TESTS += \
- test_tpm2_swtpm_cert \
- test_tpm2_swtpm_cert_ecc \
- test_tpm2_swtpm_setup_create_cert
--if HAVE_TCSD
--TESTS += \
-- test_tpm2_samples_create_tpmca
--endif
- endif
-
- EXTRA_DIST=$(TESTS) \
diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
index 644f3ac..bb93374 100644
--- a/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
+++ b/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
@@ -1,6 +1,6 @@
SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
LICENSE = "MIT"
-DEPENDS = "swtpm-native tpm-tools-native net-tools-native"
+DEPENDS = "swtpm-native"
inherit native
@@ -14,23 +14,19 @@ do_create_wrapper () {
for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
exe=`basename $i`
case $exe in
- swtpm_setup.sh)
+ swtpm_setup)
cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
#! /bin/sh
#
-# Wrapper around swtpm_setup.sh which adds parameters required to
+# Wrapper around swtpm_setup which adds parameters required to
# run the setup as non-root directly from the native sysroot.
PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
export PATH
-# tcsd only allows to be run as root or tss. Pretend to be root...
-exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+exec swtpm_setup --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
EOF
;;
- swtpm_setup)
- true
- ;;
*)
cat >${WORKDIR}/${exe}_oe.sh <<EOF
#! /bin/sh
diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.1.bb
index caf99e8..7a538da 100644
--- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
+++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.1.bb
@@ -3,32 +3,30 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
SECTION = "apps"
-DEPENDS = "libtasn1 coreutils-native expect socat glib-2.0 net-tools-native libtpm libtpm-native"
+# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
+DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"
-# configure checks for the tools already during compilation and
-# then swtpm_setup needs them at runtime
-DEPENDS_append = " tpm-tools-native expect-native socat-native python3-pip-native python3-cryptography-native"
-
-SRCREV = "e59c0c1a7b4c8d652dbb280fd6126895a7057464"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.5 \
- file://ioctl_h.patch \
- file://oe_configure.patch \
- "
+SRCREV = "d2849a9f5ced70438d67036693438344b47b4161"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.8;protocol=https"
PE = "1"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
-inherit autotools pkgconfig python3native
+inherit autotools pkgconfig perlnative
TSS_USER="tss"
TSS_GROUP="tss"
-PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG ?= "openssl gnutls"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
+# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
+# used by swtpm-create-tpmca (the last two is provided by gnutls)
+# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin expect bash tpm2-pkcs11-tools"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
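Review bot: The default PACKAGECONFIG now enables `gnutls`, and the gnutls entry's RDEPENDS (`gnutls-bin expect bash tpm2-pkcs11-tools`) therefore land in every image that installs swtpm, although the comment above says those tools are only used by swtpm-create-tpmca. For a minimal root-of-trust image that is a noticeable amount of extra code (a shell, an interpreter, PKCS#11 tooling) for a helper script most deployments never run; splitting the CA helper deps out, e.g. `PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin"` plus a separate option for the swtpm-create-tpmca tools, would keep the default footprint small. The new comment on the DEPENDS line states that expect-native, socat-native, coreutils-native and net-tools-native are "reportedly only required for the tests" yet still lists them unconditionally; if that is confirmed, a `tests` PACKAGECONFIG would express it. Minor: the comment text `tpmtool and certtool is used` / `the last two is provided` should read `are`.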
@@ -36,19 +34,16 @@ PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
-USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \
+GROUPADD_PARAM:${PN} = "--system ${TSS_USER}"
+USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --home-dir / \
--no-create-home --shell /bin/false ${BPN}"
-PACKAGES =+ "${PN}-python"
-FILES_${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
-
PACKAGE_BEFORE_PN = "${PN}-cuse"
-FILES_${PN}-cuse = "${bindir}/swtpm_cuse"
+FILES:${PN}-cuse = "${bindir}/swtpm_cuse"
-INSANE_SKIP_${PN} += "dev-so"
+INSANE_SKIP:${PN} += "dev-so"
-RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools python3 python3-cryptography python3-twisted"
+RDEPENDS:${PN} = "libtpm"
BBCLASSEXTEND = "native nativesdk"
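Review bot: `USERADD_PARAM:${PN}` now gives the `tss` service account `--home-dir /`, while the other recipes in this series that create the same account use `-d /var/lib/tpm` (trousers and tpm2-abrmd). As far as I recall, useradd.bbclass does not re-create an existing user, so whichever of these packages is installed first decides the account's home directory; aligning on `--home-dir /var/lib/tpm` here keeps the account identical regardless of install order. Separately, `GROUPADD_PARAM:${PN} = "--system ${TSS_USER}"` names the group from TSS_USER while the useradd line uses `-g ${TSS_GROUP}`; both expand to `tss` today, but `--system ${TSS_GROUP}` is what is meant.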
diff --git a/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
new file mode 100644
index 0000000..df1dc04
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Google Hoth USB library"
+DESCRIPTION = "Libraries and example programs for interacting with a \
+ hoth-class root of trust."
+HOMEPAGE = "https://github.com/google/libhoth"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://github.com/google/libhoth;protocol=https;branch=main"
+SRCREV = "e4827163741e0804f12ac96c81b8e97649be6795"
+
+DEPENDS += "libusb1"
+
+S = "${WORKDIR}/git"
+
+inherit pkgconfig meson
+
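Review bot: The new recipe sets no PV, so the version is taken from the filename as the literal `git`, which means later SRCREV bumps do not change the package version and will not be seen as an upgrade by package feeds. The other git recipes in this layer set a base version plus the revision (pcr-extend and trousers use the `<version>+git${SRCPV}` form); something like `PV = "0.1+git${SRCPV}"` (the `0.1` is a placeholder for the project's real version) would match them. A brief comment above SRCREV noting which upstream tag or date the pinned commit corresponds to would also help future reviewers verify the pin.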
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
index bed8b92..e6068af 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
Date: Wed Jun 19 18:57:13 2013 +0800
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
index 2caaaf0..74def4f 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
Date: Wed Jun 19 18:57:13 2013 +0800
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
index cc8772d..732961d 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -17,6 +17,8 @@ export TPM_SRK_ENC_PW=xxxxxxxx
Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
+Upstream-Status: Pending
+
e_tpm.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
e_tpm.h | 4 ++
e_tpm_err.c | 4 ++
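Review bot: In this patch file and in 0004 (L12979-L12980) the new `Upstream-Status: Pending` line is inserted after the `---` separator, i.e. inside the diffstat area rather than in the patch description where 0001 and 0002 put it. Tooling that checks patch headers (and human readers) look for the tag in the description above `---`; moving the line up next to the `Signed-off-by:` line would make the four patches consistent.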
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
index 535472a..3cbfc3c 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
@@ -12,6 +12,8 @@ wrong case.
Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
+Upstream-Status: Pending
+
create_tpm_key.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch
index 2f8eb81..2f8eb81 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
index 0f98b79..e3e643e 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -2,13 +2,13 @@ DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine"
SECTION = "security/tpm"
-LICENSE = "openssl"
+LICENSE = "OpenSSL"
LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
DEPENDS += "openssl trousers"
SRC_URI = "\
- git://github.com/mgerstner/openssl_tpm_engine.git \
+ git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
file://0001-create-tpm-key-support-well-known-key-option.patch \
file://0002-libtpm-support-env-TPM_SRK_PW.patch \
file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
@@ -35,31 +35,31 @@ inherit autotools-brokensep pkgconfig
srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
-CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
# Uncomment below line if using the plain srk password for development
-#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
-do_configure_prepend() {
+do_configure:prepend() {
cd ${B}
cp LICENSE COPYING
touch NEWS AUTHORS ChangeLog README
}
-FILES_${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la"
-FILES_${PN}-dbg += "\
- ${libdir}/ssl/engines-1.1/.debug \
- ${libdir}/engines-1.1/.debug \
- ${prefix}/local/ssl/lib/engines-1.1/.debug \
+FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
+FILES:${PN}-dbg += "\
+ ${libdir}/ssl/engines-3/.debug \
+ ${libdir}/engines-3/.debug \
+ ${prefix}/local/ssl/lib/engines-3/.debug \
"
-FILES_${PN} += "\
- ${libdir}/ssl/engines-1.1/tpm.so* \
- ${libdir}/engines-1.1/tpm.so* \
+FILES:${PN} += "\
+ ${libdir}/ssl/engines-3/tpm.so* \
+ ${libdir}/engines-3/tpm.so* \
${libdir}/libtpm.so* \
- ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \
+ ${prefix}/local/ssl/lib/engines-3/tpm.so* \
"
-RDEPENDS_${PN} += "libcrypto libtspi"
+RDEPENDS:${PN} += "libcrypto libtspi"
-INSANE_SKIP_${PN} = "libdir"
-INSANE_SKIP_${PN}-dbg = "libdir"
+INSANE_SKIP:${PN} = "libdir"
+INSANE_SKIP:${PN}-dbg = "libdir"
diff --git a/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch
index cf2d437..cf2d437 100644
--- a/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
+++ b/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch
diff --git a/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
index f8347b7..45da416 100644
--- a/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ b/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
@@ -1,7 +1,7 @@
SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
HOMEPAGE = "https://github.com/flihp/pcr-extend"
SECTION = "security/tpm"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS = "libtspi"
@@ -9,7 +9,7 @@ DEPENDS = "libtspi"
PV = "0.1+git${SRCPV}"
SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
-SRC_URI = "git://github.com/flihp/pcr-extend.git \
+SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
file://fix_openssl11_build.patch "
inherit autotools
diff --git a/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
index 8486d00..4672bba 100644
--- a/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
+++ b/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -15,9 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f"
DEPENDS = "libtspi tpm-tools"
-SRC_URI = "${SOURCEFORGE_MIRROR}/tpmquotetools/${PV}/${BP}.tar.gz"
-
-SRC_URI[md5sum] = "6e194f5bc534301bbaef53dc6d22c233"
-SRC_URI[sha256sum] = "10dc4eade02635557a9496b388360844cd18e7864e2eb882f5e45ab2fa405ae2"
+SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master"
+SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295"
+S = "${WORKDIR}/git"
inherit autotools
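Review bot: The new git SRC_URI uses the bare `git://` transport without `;protocol=https`, unlike the other conversions in this series (libtpm, swtpm, ibmswtpm2, ibmtpm2tss all add it). The pinned SRCREV still guarantees the integrity of what gets built, but the plain git protocol is unauthenticated and several hosts have dropped it, so `SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master;protocol=https"` is the more robust form. The same omission appears in tpm-tools (L13118) and trousers (L13165). Also, dropping the tarball in favour of git here means the md5/sha256 checksums go away; a short comment saying why the switch was made would help the next person who wonders whether the tarball is gone upstream.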
diff --git a/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch b/meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch
index 5018d45..5018d45 100644
--- a/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
+++ b/meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch
diff --git a/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch
index 9ae3f72..9ae3f72 100644
--- a/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
+++ b/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch
diff --git a/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
index 40150af..d427d67 100644
--- a/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
+++ b/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
Index: git/include/tpm_tspi.h
===================================================================
--- git.orig/include/tpm_tspi.h
diff --git a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
index 8aeb8ac..b47d53a 100644
--- a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -9,22 +9,22 @@ SECTION = "tpm"
LICENSE = "CPL-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
-DEPENDS = "libtspi openssl"
-DEPENDS_class-native = "trousers-native"
+DEPENDS = "libtspi openssl perl-native"
+DEPENDS:class-native = "trousers-native"
SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/tpm-tools \
- file://tpm-tools-extendpcr.patch \
- file://04-fix-FTBFS-clang.patch \
- file://openssl1.1_fix.patch \
- "
+ git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
+ file://tpm-tools-extendpcr.patch \
+ file://04-fix-FTBFS-clang.patch \
+ file://openssl1.1_fix.patch \
+ "
inherit autotools-brokensep gettext
S = "${WORKDIR}/git"
-do_configure_prepend () {
+do_configure:prepend () {
mkdir -p po
mkdir -p m4
cp -R po_/* po/
diff --git a/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
index 7b3cc77..7b3cc77 100644
--- a/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
+++ b/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
diff --git a/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
index 3f5a144..3f5a144 100644
--- a/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
+++ b/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
diff --git a/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/meta-tpm/recipes-tpm1/trousers/files/tcsd.service
index 787d4e9..787d4e9 100644
--- a/meta-tpm/recipes-tpm/trousers/files/tcsd.service
+++ b/meta-tpm/recipes-tpm1/trousers/files/tcsd.service
diff --git a/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules
index 256babd..256babd 100644
--- a/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
+++ b/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules
diff --git a/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh
index d0d6cb3..d0d6cb3 100644
--- a/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
+++ b/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh
diff --git a/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
index 32c9a49..192c66c 100644
--- a/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
@@ -1,5 +1,5 @@
SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
-LICENSE = "BSD"
+LICENSE = "BSD-3-Clause"
HOMEPAGE = "http://sourceforge.net/projects/trousers/"
LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
SECTION = "security/tpm"
@@ -10,7 +10,7 @@ SRCREV = "94144b0a1dcef6e31845d6c319e9bd7357208eb9"
PV = "0.3.15+git${SRCPV}"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/trousers \
+ git://git.code.sf.net/p/trousers/trousers;branch=master \
file://trousers.init.sh \
file://trousers-udev.rules \
file://tcsd.service \
@@ -30,7 +30,7 @@ do_install () {
oe_runmake DESTDIR=${D} install
}
-do_install_append() {
+do_install:append() {
install -d ${D}${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
install -d ${D}${sysconfdir}/udev/rules.d
@@ -43,7 +43,7 @@ do_install_append() {
fi
}
-CONFFILES_${PN} += "${sysconfig}/tcsd.conf"
+CONFFILES:${PN} += "${sysconfig}/tcsd.conf"
PROVIDES = "${PACKAGES}"
PACKAGES = " \
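Review bot: `CONFFILES:${PN} += "${sysconfig}/tcsd.conf"` references `${sysconfig}`, which is not a bitbake/OE variable; the standard name is `${sysconfdir}`, so the expanded path is not the installed `/etc/tcsd.conf` and the file is not marked as a configuration file (package upgrades may then overwrite a locally edited tcsd.conf). The override conversion kept the typo; it should read `CONFFILES:${PN} += "${sysconfdir}/tcsd.conf"`.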
@@ -59,39 +59,39 @@ PACKAGES = " \
# libtspi needs tcsd for most (all?) operations, so suggest to
# install that.
-RRECOMMENDS_libtspi = "${PN}"
+RRECOMMENDS:libtspi = "${PN}"
-FILES_libtspi = " \
+FILES:libtspi = " \
${libdir}/*.so.1 \
${libdir}/*.so.1.2.0 \
"
-FILES_libtspi-dbg = " \
+FILES:libtspi-dbg = " \
${libdir}/.debug \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
"
-FILES_libtspi-dev = " \
+FILES:libtspi-dev = " \
${includedir} \
${libdir}/*.so \
"
-FILES_libtspi-doc = " \
+FILES:libtspi-doc = " \
${mandir}/man3 \
"
-FILES_libtspi-staticdev = " \
+FILES:libtspi-staticdev = " \
${libdir}/*.la \
${libdir}/*.a \
"
-FILES_${PN} = " \
+FILES:${PN} = " \
${sbindir}/tcsd \
${sysconfdir} \
${localstatedir} \
"
-FILES_${PN}-dev += "${libdir}/trousers"
+FILES:${PN}-dev += "${libdir}/trousers"
-FILES_${PN}-dbg = " \
+FILES:${PN}-dbg = " \
${sbindir}/.debug \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
@@ -99,22 +99,22 @@ FILES_${PN}-dbg = " \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
"
-FILES_${PN}-doc = " \
+FILES:${PN}-doc = " \
${mandir}/man5 \
${mandir}/man8 \
"
-FILES_${PN} += "${systemd_unitdir}/*"
+FILES:${PN} += "${systemd_unitdir}/*"
INITSCRIPT_NAME = "trousers"
INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system tss"
-USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+GROUPADD_PARAM:${PN} = "--system tss"
+USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "tcsd.service"
+SYSTEMD_SERVICE:${PN} = "tcsd.service"
SYSTEMD_AUTO_ENABLE = "disable"
BBCLASSEXTEND = "native"
diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
index eebddb9..09aab78 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
@@ -12,7 +12,7 @@ fixes:
ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags]
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Jens Rehsack <sno@NetBSD.org>
@@ -20,7 +20,7 @@ Index: src/makefile
===================================================================
--- src.orig/makefile
+++ src/makefile
-@@ -38,12 +38,10 @@
+@@ -38,13 +38,11 @@
#################################################################################
@@ -29,12 +29,13 @@ Index: src/makefile
CCFLAGS = -Wall \
-Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
-Werror -Wsign-compare \
+ -Wno-deprecated-declarations \
- -c -ggdb -O0 \
+ -c -ggdb -O \
-DTPM_POSIX \
-D_POSIX_ \
-DTPM_NUVOTON
-@@ -79,11 +77,11 @@
+@@ -80,11 +78,11 @@ TcpServerPosix.o : $(HEADERS)
.PRECIOUS: %.o
tpm_server: $(OBJFILES)
diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_164-2020-192.1.bb
index 7ea40a8..7060a64 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_164-2020-192.1.bb
@@ -9,21 +9,21 @@ Advantages of this approach: \
* Application software errors are easily reversed by simply removing the TPM state and starting over. \
* Difficult crypto errors are quickly debugged by looking inside the TPM."
HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
SECTION = "securty/tpm"
LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+LIC_FILES_CHKSUM += "file://LICENSE;md5=c75e465155c42c14154bf6a2acb7347b"
DEPENDS = "openssl"
-SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
+SRC_URI = "git://git.code.sf.net/p/ibmswtpm2/tpm2;protocol=https;branch=master \
file://tune-makefile.patch \
"
+SRCREV = "5452af422edeff70fcae8ea99dd28a0922051d7b"
-SRC_URI[sha256sum] = "55145928ad2b24f34be6a0eacf9fb492e10e0ea919b8428c721fa970e85d6147"
+UPSTREAM_CHECK_URI = "https://git.code.sf.net/p/ibmswtpm2/tpm2"
-UPSTREAM_CHECK_REGEX = "libtpm(?P<pver>).tar.gz"
-
-S = "${WORKDIR}/src"
+S = "${WORKDIR}/git/src"
CFLAGS += "-Wno-error=maybe-uninitialized -DALG_CAMELLIA=ALG_NO"
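Review bot: `UPSTREAM_CHECK_URI` is set to the git repository URL, but as far as I know the upstream version check for a git-fetched SRC_URI is driven by `UPSTREAM_CHECK_GITTAGREGEX` / `UPSTREAM_CHECK_COMMITS`, not by UPSTREAM_CHECK_URI (which the wget fetcher uses), so this line probably has no effect; the same pattern is used in ibmtpm2tss (L13328). If the intent is to track tags, `UPSTREAM_CHECK_GITTAGREGEX` with a `(?P<pver>...)` group matching the upstream tag scheme is the knob to set. Drive-by: the context line `SECTION = "securty/tpm"` is misspelled (should be `security/tpm`), here and in ibmtpm2tss.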
diff --git a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1661.bb
index ae8974b..2daca5a 100644
--- a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
+++ b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1661.bb
@@ -9,7 +9,7 @@ It also comes with a web based TPM interface, suitable for a demo to an \
audience that is unfamiliar with TCG technology. It is also useful for \
basic TPM management."
HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
SECTION = "securty/tpm"
LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
@@ -18,11 +18,13 @@ DEPENDS = "openssl ibmswtpm2"
inherit autotools pkgconfig
SRCREV = "c4e131e34ec0ed09411aa3bc76f76129ef881573"
-SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \
+SRC_URI = "git://git.code.sf.net/p/ibmtpm20tss/tss;protocol=https;branch=master \
file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \
"
UPSTREAM_CHECK_COMMITS = "1"
+UPSTREAM_CHECK_URI = "https://git.code.sf.net/p/ibmswtpm2/tpm2"
+UPSTREAM_CHECK_GITTAGREGEX = "rev.*)"
EXTRA_OECONF = "--disable-tpm-1.2"
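Review bot: The new `UPSTREAM_CHECK_URI` points at `p/ibmswtpm2/tpm2`, which is the ibmswtpm2 repository, whereas this recipe fetches from `p/ibmtpm20tss/tss`; this looks like a copy-paste from the ibmswtpm2 recipe and would make any upstream check report the wrong project. `UPSTREAM_CHECK_GITTAGREGEX = "rev.*)"` also contains an unbalanced `)` (an invalid regular expression) and lacks the named `(?P<pver>...)` group the checker needs to extract a version; something of the shape `UPSTREAM_CHECK_GITTAGREGEX = "rev(?P<pver>\d+)"` is the expected form, with the exact pattern depending on the repository's tag names, which I cannot see here.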
diff --git a/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_3.0.0.bb
index edfcce9..ea2433c 100644
--- a/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_3.0.0.bb
@@ -13,32 +13,32 @@ DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
SRC_URI = "\
- git://github.com/tpm2-software/tpm2-abrmd.git \
+ https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
-SRCREV = "4f332013a02c422e186c4aaf127ab6a40b996028"
+SRC_URI[sha256sum] = "d59aff34164aa705b05155b86607f6b66918a433104f754a3fcf76216dd9f465"
-S = "${WORKDIR}/git"
+UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools pkgconfig systemd update-rc.d useradd
SYSTEMD_PACKAGES += "${PN}"
-SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service"
-SYSTEMD_AUTO_ENABLE_${PN} = "disable"
+SYSTEMD_SERVICE:${PN} = "tpm2-abrmd.service"
+SYSTEMD_AUTO_ENABLE:${PN} = "disable"
INITSCRIPT_NAME = "${PN}"
INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "tss"
-USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+GROUPADD_PARAM:${PN} = "tss"
+USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no"
-do_install_append() {
+do_install:append() {
install -d "${D}${sysconfdir}/init.d"
install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd"
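Review bot: `GROUPADD_PARAM:${PN} = "tss"` creates the `tss` group without `--system`, while the useradd line right below creates a `--system` user in it, and the trousers and swtpm recipes in this series create the same group with `--system tss`. Whether the resulting GID is in the system range therefore depends on which package runs groupadd first; `GROUPADD_PARAM:${PN} = "--system tss"` makes the account consistent across the layer. Unrelated to the rename: the switch from a git SRCREV to a release tarball with `SRC_URI[sha256sum]` is a good change for integrity, and `UPSTREAM_CHECK_URI` is the right knob for that fetcher.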
@@ -46,9 +46,9 @@ do_install_append() {
install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd"
}
-FILES_${PN} += "${libdir}/systemd/system-preset \
+FILES:${PN} += "${libdir}/systemd/system-preset \
${datadir}/dbus-1"
-RDEPENDS_${PN} += "tpm2-tss"
+RDEPENDS:${PN} += "tpm2-tss"
BBCLASSEXTEND = "native"
diff --git a/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.1.bb b/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.1.bb
new file mode 100644
index 0000000..b676871
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.1.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
+
+DEPENDS = "autoconf-archive-native tpm2-tss openssl"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "5a9bb0c6c61d026272b8843cbc291b5dfa9a55c1661a513b1c980807ad2dad01"
+
+UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
+
+inherit autotools pkgconfig
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
+
+FILES:${PN} = "\
+ ${libdir}/ossl-modules/tpm2.so"
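Review bot: The `sed` in `do_configure:prepend` is silent when its pattern is absent, so a future tarball whose configure.ac no longer contains the exact `m4_esyscmd_s([git describe --tags --always --dirty])` text would keep the git-derived version (with no `.git` in a release tarball that presumably yields an empty or bogus version string) without any build-time signal. Guard it before the substitution, e.g. `grep -q 'git describe --tags --always --dirty' ${S}/configure.ac || bbfatal "version stub in configure.ac changed; update the sed in do_configure:prepend"`. The same sed is duplicated in tpm2-tss-engine_1.1.0.bb in this diff, so the guard should be applied in both places to keep them consistent. The recipe also lacks `HOMEPAGE` and `SECTION = "security/tpm"`, which sibling tpm2-pkcs11 sets; adding them keeps the provider discoverable alongside the other TPM recipes.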
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
deleted file mode 100644
index 9d3f073..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 14 Oct 2020 08:55:33 -0700
-Subject: [PATCH] remove local binary checkes
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upsteam-Status: Inappropriate
-These are only needed to run on the tartget so we add an RDPENDS.
-Not needed for building.
-
----
- configure.ac | 48 ------------------------------------------------
- 1 file changed, 48 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 50e7d4b..2b9abcf 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -219,54 +219,6 @@ AX_PROG_JAVAC()
- AX_PROG_JAVA()
- m4_popdef([AC_MSG_ERROR])
-
--AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
-- AS_IF([test "x$tpm2_createprimary" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no])
-- AS_IF([test "x$tpm2_create" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no])
-- AS_IF([test "x$tpm2_evictcontrol" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no])
-- AS_IF([test "x$tpm2_readpublic" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no])
-- AS_IF([test "x$tpm2_load" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no])
-- AS_IF([test "x$tpm2_loadexternal" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no])
-- AS_IF([test "x$tpm2_unseal" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no])
-- AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no])
-- AS_IF([test "x$tpm2_sign" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no])
-- AS_IF([test "x$tpm2_getcap" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no])
-- AS_IF([test "x$tpm2_import" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no])
-- AS_IF([test "x$tpm2_changeauth" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])])
--
- AC_DEFUN([integration_test_checks], [
-
- PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],,
---
-2.17.1
-
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
deleted file mode 100644
index 5c91a5e..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 13:32:05 -0500
-Subject: [PATCH 1/4] test: fix build for gcc11
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes 0 size regions by ignoring them. The test code intentionally does
-bad things.
-
-test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’:
-test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in a region of size 0 [-Werror=stringop-overflow=]
- 327 | actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
-Upstream-Status: Pending
-Fix out for merge to offical repo
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- test/unit/test_twist.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c
-index ec66f69f..58d4530a 100644
---- a/test/unit/test_twist.c
-+++ b/test/unit/test_twist.c
-@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) {
- void test_twistbin_new_overflow_1(void **state) {
- (void) state;
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- twist actual = twistbin_new((void *) 0xDEADBEEF, ~0);
- assert_null(actual);
-+#pragma GCC diagnostic pop
- }
-
- void test_twistbin_new_overflow_2(void **state) {
- (void) state;
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *));
- assert_null(actual);
-+#pragma GCC diagnostic pop
- }
-
- void test_twistbin_new_overflow_3(void **state) {
-@@ -318,8 +326,12 @@ void test_twistbin_aappend_twist_null(void **state) {
- twist actual = twistbin_aappend(expected, NULL, 42);
- assert_ptr_equal((void * )actual, (void * )expected);
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
- assert_ptr_equal((void * )actual, (void * )expected);
-+#pragma GCC diagnostic pop
-
- twist_free(actual);
- }
-
-From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 11:52:23 -0500
-Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy
-
-cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/slot.lo] Error 1
-| make: *** Waiting for unfinished jobs....
-| In file included from src/lib/mutex.h:10,
-| from src/lib/session_ctx.h:6,
-| from src/lib/digest.h:13,
-| from src/lib/tpm.c:28:
-| In function 'str_padded_copy',
-| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5:
-| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread]
-| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len));
-| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-| src/lib/utils.h: In function 'tpm_get_token_info':
-| src/lib/tpm.c:739:19: note: source object declared here
-| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
-| | ^~~~~~~~~~~~~~
-| cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1
-| WARNING: exit code 1 from a shell command.
-
-Fixes #676
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.c | 8 ++++----
- src/lib/general.h | 2 +-
- src/lib/slot.c | 4 ++--
- src/lib/token.c | 4 ++--
- src/lib/tpm.c | 7 +++----
- src/lib/utils.h | 6 ++++--
- 6 files changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/src/lib/general.c b/src/lib/general.c
-index 9b7327c1..eaddaf82 100644
---- a/src/lib/general.c
-+++ b/src/lib/general.c
-@@ -19,8 +19,8 @@
- #define VERSION "UNKNOWN"
- #endif
-
--#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki"
--#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io"
-+static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki";
-+static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io";
-
- #define CRYPTOKI_VERSION { \
- .major = CRYPTOKI_VERSION_MAJOR, \
-@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) {
-
- static CK_INFO *_info = NULL;
- if (!_info) {
-- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID));
-- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription));
-+ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER);
-+ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION);
-
- parse_lib_version(&_info_.libraryVersion.major,
- &_info_.libraryVersion.minor);
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 14a18e46..356c142d 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -10,7 +10,7 @@
- #define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
- #define TPM2_TOKEN_MANUFACTURER "Intel"
- #define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
--#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000"
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
- #define TPM2_TOKEN_HW_VERSION { 0, 0 }
- #define TPM2_TOKEN_FW_VERSION { 0, 0 }
-
-diff --git a/src/lib/slot.c b/src/lib/slot.c
-index 548d22b5..6db5bb93 100644
---- a/src/lib/slot.c
-+++ b/src/lib/slot.c
-@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
- return CKR_GENERAL_ERROR;
- }
-
-- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
-- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
-+ str_padded_copy(info->manufacturerID, token_info.manufacturerID);
-+ str_padded_copy(info->slotDescription, token_info.label);
-
- info->hardwareVersion = token_info.hardwareVersion;
- info->firmwareVersion = token_info.firmwareVersion;
-diff --git a/src/lib/token.c b/src/lib/token.c
-index 6d7ebd27..c7211296 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) {
- }
-
- // Identification
-- str_padded_copy(info->label, t->label, sizeof(info->label));
-- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber));
-+ str_padded_copy(info->label, t->label);
-+ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER);
-
-
- // Memory: TODO not sure what memory values should go here, the platform?
-diff --git a/src/lib/tpm.c b/src/lib/tpm.c
-index 1639df48..7f9f052a 100644
---- a/src/lib/tpm.c
-+++ b/src/lib/tpm.c
-@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
- unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
- UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
- memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
-- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
-+ str_padded_copy(info->manufacturerID, manufacturerID);
-
- // Map human readable Manufacturer String, if available,
- // otherwise 4 byte ID was already padded and will be used.
- for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){
- if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) {
- str_padded_copy(info->manufacturerID,
-- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1],
-- sizeof(info->manufacturerID));
-+ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]);
- }
- }
-
-@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
- vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value);
- vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value);
- vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value);
-- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model));
-+ str_padded_copy(info->model, (unsigned char*) &vendor);
-
- return CKR_OK;
- }
-diff --git a/src/lib/utils.h b/src/lib/utils.h
-index 81c61fae..cf357464 100644
---- a/src/lib/utils.h
-+++ b/src/lib/utils.h
-@@ -39,9 +39,11 @@
-
- int str_to_ul(const char *val, size_t *res);
-
--static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) {
-+#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src)))
-+static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
- memset(dst, ' ', dst_len);
-- memcpy(dst, src, strnlen((char *)(src), dst_len));
-+ memcpy(dst, src, src_len);
-+ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
- }
-
- twist utils_hash_pass(const twist pin, const twist salt);
-
-From afeae8a3846e06152fafb180077fbad4381a124d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:09:27 -0500
-Subject: [PATCH 3/4] general: drop unused macros
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 356c142d..b3089554 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,17 +7,7 @@
-
- #include "pkcs11.h"
-
--#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
--#define TPM2_TOKEN_MANUFACTURER "Intel"
--#define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
- static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--#define TPM2_TOKEN_HW_VERSION { 0, 0 }
--#define TPM2_TOKEN_FW_VERSION { 0, 0 }
--
--#define TPM2_SLOT_DESCRIPTION "Intel TPM2.0 Cryptoki"
--#define TPM2_SLOT_MANUFACTURER TPM2_TOKEN_MANUFACTURER
--#define TPM2_SLOT_HW_VERSION TPM2_TOKEN_HW_VERSION
--#define TPM2_SLOT_FW_VERSION TPM2_TOKEN_FW_VERSION
-
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
-
-From 8b43a99c5ff604d890bdc23fd2fa5f98aa087d83 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:11:04 -0500
-Subject: [PATCH 4/4] token: move TPM2_TOKEN_SERIAL_NUMBER local to use
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 2 --
- src/lib/token.c | 2 ++
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index b3089554..9afd61ec 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,8 +7,6 @@
-
- #include "pkcs11.h"
-
--static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
- CK_RV general_get_info(CK_INFO *info);
-diff --git a/src/lib/token.c b/src/lib/token.c
-index c7211296..63a9a71b 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -20,6 +20,8 @@
- #include "token.h"
- #include "utils.h"
-
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
-+
- void pobject_config_free(pobject_config *c) {
-
- if (c->is_transient) {
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
deleted file mode 100644
index d38e237..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/bootstrap
-===================================================================
---- git.orig/bootstrap
-+++ git/bootstrap
-@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE
- ) > ${VARS_FILE}
-
- mkdir -p m4
--${AUTORECONF} --install --sym $@
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
deleted file mode 100644
index 63ec18d..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
+++ /dev/null
@@ -1,55 +0,0 @@
-SUMMARY = "A PKCS#11 interface for TPM2 hardware"
-DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
-SECTION = "security/tpm"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
-
-DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
-
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master \
- file://bootstrap_fixup.patch \
- file://0001-remove-local-binary-checkes.patch \
- file://677.patch \
- "
-
-SRCREV = "c2d53cc1af6b9df13c832715442853b21048c273"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig python3native
-
-do_configure_prepend () {
- ${S}/bootstrap
-}
-
-do_compile_append() {
- cd ${S}/tools
- python3 setup.py build
-}
-
-do_install_append() {
- install -d ${D}${libdir}/pkcs11
- install -d ${D}${datadir}/p11-kit
- rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
-
- cd ${S}/tools
- export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
- ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
-
- sed -i -e "s:${PYTHON}:${USRBINPATH}/env ${PYTHON_PN}:g" "${D}${bindir}"/tpm2_ptool
-}
-
-PACKAGES =+ "${PN}-tools"
-
-FILES_${PN}-tools = "\
- ${bindir}/tpm2_ptool \
- ${libdir}/${PYTHON_DIR}/* \
- "
-
-FILES_${PN} += "\
- ${libdir}/pkcs11/* \
- ${datadir}/p11-kit/* \
- "
-
-RDEPNDS_${PN} = "tpm2-tools"
-RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb
new file mode 100644
index 0000000..9dea957
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb
@@ -0,0 +1,47 @@
+SUMMARY = "A PKCS#11 interface for TPM2 hardware"
+DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
+
+DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "35bf06c30cfa76fc0eba2c5f503cf7dd0d34a66afb2d292fee896b90362f633b"
+
+UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
+
+inherit autotools-brokensep pkgconfig python3native
+
+EXTRA_OECONF += "--disable-ptool-checks"
+
+do_compile:append() {
+ cd ${S}/tools
+ python3 setup.py build
+}
+
+do_install:append() {
+ cd ${S}/tools
+ export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
+ python3 setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
+
+ sed -i -e "s:${PYTHON}:${USRBINPATH}/env python3:g" "${D}${bindir}"/tpm2_ptool
+}
+
+PACKAGES =+ "${PN}-tools"
+
+FILES:${PN}-tools = "\
+ ${bindir}/tpm2_ptool \
+ ${libdir}/${PYTHON_DIR}/* \
+ "
+
+FILES:${PN} += "\
+ ${libdir}/pkcs11/* \
+ ${datadir}/p11-kit/* \
+ "
+
+INSANE_SKIP:${PN} += "dev-so"
+
+RDEPENDS:${PN} = "p11-kit tpm2-tools "
+RDEPENDS:${PN}-tools = "python3-pyyaml python3-cryptography python3-pyasn1-modules"
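Review bot: `INSANE_SKIP:${PN} += "dev-so"` disables a QA check for the main package with no explanation; the 1.6.0 recipe being deleted instead removed `${libdir}/pkcs11/libtpm2_pkcs11.so` in `do_install`, so the reason for now shipping the unversioned `.so` (presumably because the p11-kit module file under `${datadir}/p11-kit` references it by that name) should be recorded next to the skip, e.g. `# libtpm2_pkcs11.so is the loadable PKCS#11 module named in the p11-kit module file, not a dev symlink`. `DEPENDS` lists a bare `pkgconfig`; `inherit pkgconfig` already provides the native tool, so that entry can be dropped. `RDEPENDS:${PN}` has a trailing space inside the quotes, harmless but worth trimming.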
diff --git a/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb b/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb
new file mode 100644
index 0000000..c98d4ab
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb
@@ -0,0 +1,15 @@
+DESCRIPTION = "TPM2 TSS Python bindings for Enhanced System API (ESYS), Feature API (FAPI), Marshaling (MU), TCTI Loader (TCTILdr), TCTIs, policy, and RC Decoding (rcdecode) libraries"
+HOMEPAGE = "https://github.com/tpm2-software/tpm2-pytss"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+
+SRC_URI[sha256sum] = "5b5b4b1456fdc1aeef3d2c3970beaa078c8f7f2648c97a69bcf60c5a2f95c897"
+
+PYPI_PACKAGE = "tpm2-pytss"
+
+DEPENDS = "python3-pkgconfig-native python3-pycparser-native python3-asn1crypto-native"
+DEPENDS:append = " python3-cryptography-native tpm2-tss"
+
+inherit autotools pkgconfig pypi setuptools3_legacy
+
+RDEPENDS:${PN} = "libtss2"
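Review bot: `inherit autotools` is not needed for a pypi/setuptools package and pulls autoconf, automake and libtool into the build for no benefit; `setuptools3_legacy`, inherited last, already supplies do_configure/do_compile/do_install, so `inherit pkgconfig pypi setuptools3_legacy` should suffice — confirm with a build since the extension is compiled by setup.py rather than configure. The split `DEPENDS = "..."` / `DEPENDS:append = " ..."` with no override condition reads as two halves of one list; merging them into a single assignment is clearer. A `SUMMARY` is also missing (only `DESCRIPTION` is set), unlike the other new recipes in this diff.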
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
index 8a216cd..a238c7f 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
@@ -1,4 +1,4 @@
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/configure.ac
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
index fc730e1..2554282 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
@@ -4,7 +4,7 @@ Error building for i386 target in cross env
ARCH is host arch, not target arch
-Upstream-Status: Submitted
+Upstream-Status: Submitted
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/src/uefi-types.h
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
index b3f2287..fe96b40 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
@@ -6,7 +6,7 @@ Subject: [PATCH] configure.ac: stop inserting host directories into compile
Do not insert /usr/lib and /usr/lib64 into library search path.
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
configure.ac | 2 +-
diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index a67e3c3..9c60e2b 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -4,7 +4,7 @@ LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git;branch=master;protocol=https \
file://configure_oe_fixup.patch \
file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
file://fix_header_file.patch \
@@ -12,34 +12,36 @@ SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
SRCREV = "0241b08f069f0fdb3612f5c1b938144dbe9be811"
+UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
+
S = "${WORKDIR}/git"
inherit autotools pkgconfig
EFIDIR ?= "/EFI/BOOT"
-EFI_ARCH_x86 = "ia32"
-EFI_ARCH_x86-64 = "x86_64"
+EFI_ARCH:x86 = "ia32"
+EFI_ARCH:x86-64 = "x86_64"
-CFLAGS_append = " -I${STAGING_INCDIR}/efi -I${STAGING_INCDIR}/efi/${EFI_ARCH}"
+CFLAGS:append = " -I${STAGING_INCDIR}/efi -I${STAGING_INCDIR}/efi/${EFI_ARCH}"
-EXTRA_OECONF_append = " \
+EXTRA_OECONF:append = " \
--with-efi-includedir=${STAGING_INCDIR} \
--with-efi-crt0=${STAGING_LIBDIR}/crt0-efi-${EFI_ARCH}.o \
--with-efi-lds=${STAGING_LIBDIR}/elf_${EFI_ARCH}_efi.lds \
"
-do_compile_append() {
+do_compile:append() {
oe_runmake example
}
-do_install_append() {
+do_install:append() {
install -d "${D}${EFIDIR}"
install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}"
}
COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
-FILES_${PN} += "${EFIDIR}"
+FILES:${PN} += "${EFIDIR}"
-RDEPENDS_${PN} = "gnu-efi libtss2-mu"
+RDEPENDS:${PN} = "gnu-efi libtss2-mu"
diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
deleted file mode 100644
index dbd324a..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-SUMMARY = "Tools for TPM2."
-DESCRIPTION = "tpm2-tools"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
-SECTION = "tpm"
-
-DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
-
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-
-SRC_URI[sha256sum] = "e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1"
-
-inherit autotools pkgconfig bash-completion
diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb
new file mode 100644
index 0000000..8119bb1
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2-tools"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
+SECTION = "tpm"
+
+DEPENDS = "tpm2-tss openssl curl"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "1fdb49c730537bfdaed088884881a61e3bfd121e957ec0bdceeec0261236c123"
+
+UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
+
+inherit autotools pkgconfig bash-completion
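Review bot: `DEPENDS` drops the `autoconf-archive` that 5.0 carried, while the other autotools recipes in this diff (tpm2-openssl, tpm2-tss-engine) keep `autoconf-archive-native`; if tpm2-tools' configure.ac still uses AX_* macros, autoreconf will leave them unexpanded and configure will fail, so either restore `autoconf-archive-native` or add a comment noting that the tarball ships its own m4 copies. Dropping `tpm2-abrmd` from DEPENDS is reasonable since it was a build-time entry for a runtime daemon, but the recipe now declares no RDEPENDS at all; if the tools load a TCTI module at runtime (something shlib tracking would not see), `RDEPENDS:${PN} += "libtss2-tcti-device"` should be declared rather than assumed present. `HOMEPAGE` is missing as well.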
diff --git a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
index dfebc07..d324e33 100644
--- a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
@@ -10,7 +10,7 @@ DEPENDS = "autoconf-archive libtss2-dev qrencode"
PE = "1"
SRCREV = "96a1448753a48974149003bc90ea3990ae8e8d0b"
-SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=master;protocol=https"
inherit autotools-brokensep pkgconfig
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
index 5395695..89162ee 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
@@ -8,16 +8,25 @@ SECTION = "security/tpm"
DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
-SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x"
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5"
+
+UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools-brokensep pkgconfig systemd
-S = "${WORKDIR}/git"
+# It uses the API deprecated since the OpenSSL 3.0
+CFLAGS:append = ' -Wno-deprecated-declarations -Wno-unused-parameter'
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion"
-FILES_${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"
-FILES_${PN}-engines = "${libdir}/engines-1.1/lib*.so*"
-FILES_${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a"
-FILES_${PN}-bash-completion += "${datadir}/bash-completion/completions"
+FILES:${PN}-dev = "${libdir}/engines-3/tpm2tss.so ${includedir}/*"
+FILES:${PN}-engines = "${libdir}/engines-3/lib*.so*"
+FILES:${PN}-engines-staticdev = "${libdir}/engines-3/libtpm2tss.a"
+FILES:${PN}-bash-completion += "${datadir}/bash-completion/completions"
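Review bot: The comment `# It uses the API deprecated since the OpenSSL 3.0` explains `-Wno-deprecated-declarations` but not the consequence for integrators: the interface this package provides (presumably the ENGINE API, given the `engines-3` paths) is deprecated in OpenSSL 3 and the provider-based `tpm2-openssl` recipe added in this same diff is the supported path; say so, e.g. `# NOTE: the OpenSSL ENGINE interface is deprecated in 3.x; prefer tpm2-openssl (provider) for new deployments`. The `sed` in `do_configure:prepend` does nothing when its pattern is not found, so a tarball whose configure.ac changes would silently keep the `git describe` call; a `grep -q 'git describe' ${S}/configure.ac || bbfatal "version stub in configure.ac changed"` guard before it would catch that. `-Wno-unused-parameter` is unrelated to the OpenSSL deprecation and deserves its own one-line reason, or should be dropped if the build passes without it.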
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-configure.ac-fix-compatibility-with-autoconf-2.70.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-configure.ac-fix-compatibility-with-autoconf-2.70.patch
deleted file mode 100644
index cae2e76..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-configure.ac-fix-compatibility-with-autoconf-2.70.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 03cca78d24d716eec792f86f5b0bc69886fad981 Mon Sep 17 00:00:00 2001
-From: Patrick McCarty <patrick.mccarty@intel.com>
-Date: Fri, 18 Dec 2020 01:54:05 +0000
-Subject: [PATCH] configure.ac: fix compatibility with autoconf 2.70
-
-With autoconf 2.70, not quoting the second argument to one of the AS_IF
-macro expansions leads to generation of invalid shell code affecting the
-first nested ERROR_IF_NO_PROG expansion.
-
-The invalid shell code leads to an error resembling:
-
- ./configure: line 18826: syntax error near unexpected token `newline'
- ./configure: line 18826: ` '''
-
-Fix the issue by quoting the second argument to the affected AS_IF,
-similar to the quoting found elsewhere in configure.ac.
-
-Signed-off-by: Patrick McCarty <patrick.mccarty@intel.com>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- configure.ac | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: tpm2-tss-3.0.3/configure.ac
-===================================================================
---- tpm2-tss-3.0.3.orig/configure.ac
-+++ tpm2-tss-3.0.3/configure.ac
-@@ -279,7 +279,7 @@ AC_ARG_ENABLE([integration],
- [build and execute integration tests])],,
- [enable_integration=no])
- AS_IF([test "x$enable_integration" = "xyes"],
-- AS_IF([test "$HOSTOS" = "Linux"],
-+ [AS_IF([test "$HOSTOS" = "Linux"],
- [ERROR_IF_NO_PROG([ss])],
- [ERROR_IF_NO_PROG([sockstat])])
- ERROR_IF_NO_PROG([echo])
-@@ -328,7 +328,7 @@ AS_IF([test "x$enable_integration" = "xy
- [AC_MSG_ERROR([No simulator executable found in PATH for testing TCTI.])])
- AC_SUBST([INTEGRATION_TCTI], [$integration_tcti])
- AC_SUBST([INTEGRATION_ARGS], [$integration_args])
-- AC_SUBST([ENABLE_INTEGRATION], [$enable_integration]))
-+ AC_SUBST([ENABLE_INTEGRATION], [$enable_integration])])
- AM_CONDITIONAL([ENABLE_INTEGRATION],[test "x$enable_integration" = "xyes"])
- #
- # sanitizer compiler flags
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
deleted file mode 100644
index d383ad5..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
+++ /dev/null
@@ -1,332 +0,0 @@
-# ===========================================================================
-# http://www.gnu.org/software/autoconf-archive/ax_pthread.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
-#
-# DESCRIPTION
-#
-# This macro figures out how to build C programs using POSIX threads. It
-# sets the PTHREAD_LIBS output variable to the threads library and linker
-# flags, and the PTHREAD_CFLAGS output variable to any special C compiler
-# flags that are needed. (The user can also force certain compiler
-# flags/libs to be tested by setting these environment variables.)
-#
-# Also sets PTHREAD_CC to any special C compiler that is needed for
-# multi-threaded programs (defaults to the value of CC otherwise). (This
-# is necessary on AIX to use the special cc_r compiler alias.)
-#
-# NOTE: You are assumed to not only compile your program with these flags,
-# but also link it with them as well. e.g. you should link with
-# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
-#
-# If you are only building threads programs, you may wish to use these
-# variables in your default LIBS, CFLAGS, and CC:
-#
-# LIBS="$PTHREAD_LIBS $LIBS"
-# CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-# CC="$PTHREAD_CC"
-#
-# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
-# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name
-# (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
-#
-# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
-# PTHREAD_PRIO_INHERIT symbol is defined when compiling with
-# PTHREAD_CFLAGS.
-#
-# ACTION-IF-FOUND is a list of shell commands to run if a threads library
-# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
-# is not found. If ACTION-IF-FOUND is not specified, the default action
-# will define HAVE_PTHREAD.
-#
-# Please let the authors know if this macro fails on any platform, or if
-# you have any other suggestions or comments. This macro was based on work
-# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
-# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
-# Alejandro Forero Cuervo to the autoconf macro repository. We are also
-# grateful for the helpful feedback of numerous users.
-#
-# Updated for Autoconf 2.68 by Daniel Richard G.
-#
-# LICENSE
-#
-# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
-# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-# As a special exception, the respective Autoconf Macro's copyright owner
-# gives unlimited permission to copy, distribute and modify the configure
-# scripts that are the output of Autoconf when processing the Macro. You
-# need not follow the terms of the GNU General Public License when using
-# or distributing such scripts, even though portions of the text of the
-# Macro appear in them. The GNU General Public License (GPL) does govern
-# all other use of the material that constitutes the Autoconf Macro.
-#
-# This special exception to the GPL applies to versions of the Autoconf
-# Macro released by the Autoconf Archive. When you make and distribute a
-# modified version of the Autoconf Macro, you may extend this special
-# exception to the GPL to apply to your modified version as well.
-
-#serial 21
-
-AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
-AC_DEFUN([AX_PTHREAD], [
-AC_REQUIRE([AC_CANONICAL_HOST])
-AC_LANG_PUSH([C])
-ax_pthread_ok=no
-
-# We used to check for pthread.h first, but this fails if pthread.h
-# requires special compiler flags (e.g. on True64 or Sequent).
-# It gets checked for in the link test anyway.
-
-# First of all, check if the user has set any of the PTHREAD_LIBS,
-# etcetera environment variables, and if threads linking works using
-# them:
-if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
- save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
- save_LIBS="$LIBS"
- LIBS="$PTHREAD_LIBS $LIBS"
- AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
- AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes])
- AC_MSG_RESULT([$ax_pthread_ok])
- if test x"$ax_pthread_ok" = xno; then
- PTHREAD_LIBS=""
- PTHREAD_CFLAGS=""
- fi
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-fi
-
-# We must check for the threads library under a number of different
-# names; the ordering is very important because some systems
-# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
-# libraries is broken (non-POSIX).
-
-# Create a list of thread flags to try. Items starting with a "-" are
-# C compiler flags, and other items are library names, except for "none"
-# which indicates that we try without any flags at all, and "pthread-config"
-# which is a program returning the flags for the Pth emulation library.
-
-ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
-
-# The ordering *is* (sometimes) important. Some notes on the
-# individual items follow:
-
-# pthreads: AIX (must check this before -lpthread)
-# none: in case threads are in libc; should be tried before -Kthread and
-# other compiler flags to prevent continual compiler warnings
-# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
-# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
-# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
-# -pthreads: Solaris/gcc
-# -mthreads: Mingw32/gcc, Lynx/gcc
-# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
-# doesn't hurt to check since this sometimes defines pthreads too;
-# also defines -D_REENTRANT)
-# ... -mt is also the pthreads flag for HP/aCC
-# pthread: Linux, etcetera
-# --thread-safe: KAI C++
-# pthread-config: use pthread-config program (for GNU Pth library)
-
-case ${host_os} in
- solaris*)
-
- # On Solaris (at least, for some versions), libc contains stubbed
- # (non-functional) versions of the pthreads routines, so link-based
- # tests will erroneously succeed. (We need to link with -pthreads/-mt/
- # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather
- # a function called by this macro, so we could check for that, but
- # who knows whether they'll stub that too in a future libc.) So,
- # we'll just look for -pthreads and -lpthread first:
-
- ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags"
- ;;
-
- darwin*)
- ax_pthread_flags="-pthread $ax_pthread_flags"
- ;;
-esac
-
-# Clang doesn't consider unrecognized options an error unless we specify
-# -Werror. We throw in some extra Clang-specific options to ensure that
-# this doesn't happen for GCC, which also accepts -Werror.
-
-AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags])
-save_CFLAGS="$CFLAGS"
-ax_pthread_extra_flags="-Werror"
-CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])],
- [AC_MSG_RESULT([yes])],
- [ax_pthread_extra_flags=
- AC_MSG_RESULT([no])])
-CFLAGS="$save_CFLAGS"
-
-if test x"$ax_pthread_ok" = xno; then
-for flag in $ax_pthread_flags; do
-
- case $flag in
- none)
- AC_MSG_CHECKING([whether pthreads work without any flags])
- ;;
-
- -*)
- AC_MSG_CHECKING([whether pthreads work with $flag])
- PTHREAD_CFLAGS="$flag"
- ;;
-
- pthread-config)
- AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
- if test x"$ax_pthread_config" = xno; then continue; fi
- PTHREAD_CFLAGS="`pthread-config --cflags`"
- PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
- ;;
-
- *)
- AC_MSG_CHECKING([for the pthreads library -l$flag])
- PTHREAD_LIBS="-l$flag"
- ;;
- esac
-
- save_LIBS="$LIBS"
- save_CFLAGS="$CFLAGS"
- LIBS="$PTHREAD_LIBS $LIBS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
-
- # Check for various functions. We must include pthread.h,
- # since some functions may be macros. (On the Sequent, we
- # need a special flag -Kthread to make this header compile.)
- # We check for pthread_join because it is in -lpthread on IRIX
- # while pthread_create is in libc. We check for pthread_attr_init
- # due to DEC craziness with -lpthreads. We check for
- # pthread_cleanup_push because it is one of the few pthread
- # functions on Solaris that doesn't have a non-functional libc stub.
- # We try pthread_create on general principles.
- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
- static void routine(void *a) { a = 0; }
- static void *start_routine(void *a) { return a; }],
- [pthread_t th; pthread_attr_t attr;
- pthread_create(&th, 0, start_routine, 0);
- pthread_join(th, 0);
- pthread_attr_init(&attr);
- pthread_cleanup_push(routine, 0);
- pthread_cleanup_pop(0) /* ; */])],
- [ax_pthread_ok=yes],
- [])
-
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-
- AC_MSG_RESULT([$ax_pthread_ok])
- if test "x$ax_pthread_ok" = xyes; then
- break;
- fi
-
- PTHREAD_LIBS=""
- PTHREAD_CFLAGS=""
-done
-fi
-
-# Various other checks:
-if test "x$ax_pthread_ok" = xyes; then
- save_LIBS="$LIBS"
- LIBS="$PTHREAD_LIBS $LIBS"
- save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-
- # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
- AC_MSG_CHECKING([for joinable pthread attribute])
- attr_name=unknown
- for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
- [int attr = $attr; return attr /* ; */])],
- [attr_name=$attr; break],
- [])
- done
- AC_MSG_RESULT([$attr_name])
- if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
- AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name],
- [Define to necessary symbol if this constant
- uses a non-standard name on your system.])
- fi
-
- AC_MSG_CHECKING([if more special flags are required for pthreads])
- flag=no
- case ${host_os} in
- aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";;
- osf* | hpux*) flag="-D_REENTRANT";;
- solaris*)
- if test "$GCC" = "yes"; then
- flag="-D_REENTRANT"
- else
- # TODO: What about Clang on Solaris?
- flag="-mt -D_REENTRANT"
- fi
- ;;
- esac
- AC_MSG_RESULT([$flag])
- if test "x$flag" != xno; then
- PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
- fi
-
- AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
- [ax_cv_PTHREAD_PRIO_INHERIT], [
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
- [[int i = PTHREAD_PRIO_INHERIT;]])],
- [ax_cv_PTHREAD_PRIO_INHERIT=yes],
- [ax_cv_PTHREAD_PRIO_INHERIT=no])
- ])
- AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
- [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])])
-
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-
- # More AIX lossage: compile with *_r variant
- if test "x$GCC" != xyes; then
- case $host_os in
- aix*)
- AS_CASE(["x/$CC"],
- [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
- [#handle absolute path differently from PATH based program lookup
- AS_CASE(["x$CC"],
- [x/*],
- [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
- [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
- ;;
- esac
- fi
-fi
-
-test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
-
-AC_SUBST([PTHREAD_LIBS])
-AC_SUBST([PTHREAD_CFLAGS])
-AC_SUBST([PTHREAD_CC])
-
-# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
-if test x"$ax_pthread_ok" = xyes; then
- ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
- :
-else
- ax_pthread_ok=no
- $2
-fi
-AC_LANG_POP
-])dnl AX_PTHREAD
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
deleted file mode 100644
index ecaca6e..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-This fixes musl build issue do to missing FD_* defines.
-Add sys/select.h
-
-Upstream-Status: Pending
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-Index: TPM2.0-TSS/tcti/tcti_socket.cpp
-===================================================================
---- TPM2.0-TSS.orig/tcti/tcti_socket.cpp
-+++ TPM2.0-TSS/tcti/tcti_socket.cpp
-@@ -28,6 +28,7 @@
- #include <stdio.h>
- #include <stdlib.h> // Needed for _wtoi
-
-+#include "sys/select.h"
- #include <sapi/tpm20.h>
- #include <tcti/tcti_socket.h>
- #include "sysapi_util.h"
-Index: TPM2.0-TSS/resourcemgr/resourcemgr.c
-===================================================================
---- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c
-+++ TPM2.0-TSS/resourcemgr/resourcemgr.c
-@@ -28,6 +28,7 @@
- #include <stdio.h>
- #include <stdlib.h> // Needed for _wtoi
-
-+#include "sys/select.h"
- #include <sapi/tpm20.h>
- #include <tcti/tcti_device.h>
- #include <tcti/tcti_socket.h>
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
new file mode 100644
index 0000000..3f680ba
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
@@ -0,0 +1,29 @@
+revert configure: add checks for all tools used by make install
+
+Not appropriate for cross build env.
+
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: tpm2-tss-4.0.1/configure.ac
+===================================================================
+--- tpm2-tss-4.0.1.orig/configure.ac
++++ tpm2-tss-4.0.1/configure.ac
+@@ -554,17 +554,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$systemd_sysusers" = "xyes")
+ AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes)
+ AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes")
+
+-# Check all tools used by make install
+-AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
+- [ AC_CHECK_PROG(useradd, useradd, yes)
+- AC_CHECK_PROG(groupadd, groupadd, yes)
+- AC_CHECK_PROG(adduser, adduser, yes)
+- AC_CHECK_PROG(addgroup, addgroup, yes)
+- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
+- [AC_MSG_ERROR([addgroup or groupadd are needed.])])
+- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
+- [AC_MSG_ERROR([adduser or useradd are needed.])])])
+-
+ AC_SUBST([PATH])
+
+ dnl --------- Doxy Gen -----------------------
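Review bot: The patch header says it reverts "configure: add checks for all tools used by make install" but does not name the upstream commit being reverted, so a future rebase onto a newer tpm2-tss cannot tell whether the check moved, changed or was already dropped. Add the upstream hash to the description, e.g. `Reverts upstream commit <sha> (configure: add checks for all tools used by make install); user/group creation is handled by the OE useradd class.` The removed block only covered the configure-time probe; if the generated Makefile's install hooks still call useradd/groupadd, that is not addressed here — worth confirming in the 4.0.1 Makefile.am.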
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
deleted file mode 100644
index cc4f191..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
+++ /dev/null
@@ -1,78 +0,0 @@
-SUMMARY = "Software stack for TPM2."
-DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
-SECTION = "tpm"
-
-DEPENDS = "autoconf-archive-native libgcrypt openssl"
-
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
- file://0001-configure.ac-fix-compatibility-with-autoconf-2.70.patch \
- "
-SRC_URI[sha256sum] = "78392be7309baf47f51b122f566ac915fd4d1760ea78571cba2e1484f9b5be17"
-
-inherit autotools pkgconfig systemd extrausers
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
-PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c "
-
-EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
-EXTRA_OECONF_remove = " --disable-static"
-
-
-EXTRA_USERS_PARAMS = "\
- useradd -p '' tss; \
- groupadd tss; \
- "
-
-PROVIDES = "${PACKAGES}"
-PACKAGES = " \
- ${PN} \
- ${PN}-dbg \
- ${PN}-doc \
- libtss2-mu \
- libtss2-mu-dev \
- libtss2-mu-staticdev \
- libtss2-tcti-device \
- libtss2-tcti-device-dev \
- libtss2-tcti-device-staticdev \
- libtss2-tcti-mssim \
- libtss2-tcti-mssim-dev \
- libtss2-tcti-mssim-staticdev \
- libtss2 \
- libtss2-dev \
- libtss2-staticdev \
-"
-
-FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*"
-FILES_libtss2-tcti-device-dev = " \
- ${includedir}/tss2/tss2_tcti_device.h \
- ${libdir}/pkgconfig/tss2-tcti-device.pc \
- ${libdir}/libtss2-tcti-device.so"
-FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a"
-
-FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*"
-FILES_libtss2-tcti-mssim-dev = " \
- ${includedir}/tss2/tss2_tcti_mssim.h \
- ${libdir}/pkgconfig/tss2-tcti-mssim.pc \
- ${libdir}/libtss2-tcti-mssim.so"
-FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a"
-
-FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*"
-FILES_libtss2-mu-dev = " \
- ${includedir}/tss2/tss2_mu.h \
- ${libdir}/pkgconfig/tss2-mu.pc \
- ${libdir}/libtss2-mu.so"
-FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
-
-FILES_libtss2 = "${libdir}/libtss2*so.*"
-FILES_libtss2-dev = " \
- ${includedir} \
- ${libdir}/pkgconfig \
- ${libdir}/libtss2*so"
-FILES_libtss2-staticdev = "${libdir}/libtss*a"
-
-FILES_${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev"
-
-RDEPENDS_libtss2 = "libgcrypt"
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
new file mode 100644
index 0000000..dceebc2
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
@@ -0,0 +1,97 @@
+SUMMARY = "Software stack for TPM2."
+DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+SECTION = "tpm"
+
+DEPENDS = "autoconf-archive-native libgcrypt openssl"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
+ file://fixup_hosttools.patch \
+ "
+
+SRC_URI[sha256sum] = "532a70133910b6bd842289915b3f9423c0205c0ea009d65294ca18a74087c950"
+
+UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
+
+CVE_PRODUCT = "tpm2_software_stack"
+
+inherit autotools pkgconfig systemd useradd
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
+PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c util-linux-libuuid "
+PACKAGECONFIG[policy] = "--enable-policy,--disable-policy,json-c util-linux-libuuid "
+
+EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
+EXTRA_OECONF += "--runstatedir=/run"
+EXTRA_OECONF:remove = " --disable-static"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system tss"
+USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+do_install:append() {
+ # Remove /run as it is created on startup
+ rm -rf ${D}/run
+}
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+ ${PN} \
+ ${PN}-dbg \
+ ${PN}-doc \
+ libtss2-mu \
+ libtss2-mu-dev \
+ libtss2-mu-staticdev \
+ libtss2-tcti-device \
+ libtss2-tcti-device-dev \
+ libtss2-tcti-device-staticdev \
+ libtss2-tcti-mssim \
+ libtss2-tcti-mssim-dev \
+ libtss2-tcti-mssim-staticdev \
+ libtss2 \
+ libtss2-dev \
+ libtss2-staticdev \
+"
+
+FILES:libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*"
+FILES:libtss2-tcti-device-dev = " \
+ ${includedir}/tss2/tss2_tcti_device.h \
+ ${libdir}/pkgconfig/tss2-tcti-device.pc \
+ ${libdir}/libtss2-tcti-device.so"
+FILES:libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a"
+
+FILES:libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*"
+FILES:libtss2-tcti-mssim-dev = " \
+ ${includedir}/tss2/tss2_tcti_mssim.h \
+ ${libdir}/pkgconfig/tss2-tcti-mssim.pc \
+ ${libdir}/libtss2-tcti-mssim.so"
+FILES:libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a"
+
+FILES:libtss2-mu = "${libdir}/libtss2-mu.so.*"
+FILES:libtss2-mu-dev = " \
+ ${includedir}/tss2/tss2_mu.h \
+ ${libdir}/pkgconfig/tss2-mu.pc \
+ ${libdir}/libtss2-mu.so"
+FILES:libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
+
+FILES:libtss2 = "${libdir}/libtss2*so.*"
+FILES:libtss2-dev = " \
+ ${includedir} \
+ ${libdir}/pkgconfig \
+ ${libdir}/libtss2*so"
+FILES:libtss2-staticdev = "${libdir}/libtss*a"
+
+FILES:${PN} = "\
+ ${libdir}/udev \
+ /var/lib/tpm2-tss \
+ /var/run \
+ ${nonarch_base_libdir}/udev \
+ ${sysconfdir}/tmpfiles.d \
+ ${sysconfdir}/tpm2-tss \
+ ${sysconfdir}/sysusers.d"
+
+RDEPENDS:libtss2 = "libgcrypt"
+
+BBCLASSEXTEND = "native"
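Review bot: `FILES:${PN}` packages `/var/run` while `do_install:append` deletes `${D}/run` and the build passes `--runstatedir=/run`, so on a systemd target, where `/var/run` is a symlink into `/run`, shipping a real `/var/run` directory can collide with base-files; drop `/var/run` from the list and rely on the `${sysconfdir}/tmpfiles.d` entry that is already packaged. The `tss` account is created with `-d /var/lib/tpm` but the recipe packages `/var/lib/tpm2-tss`; confirm which directory the runtime expects and use the same one in both places. `RDEPENDS:libtss2 = "libgcrypt"` is carried over from 3.0.3 even though the build links against openssl per `DEPENDS`; if the 4.x gcrypt backend is no longer selected here, the runtime dependency is stale and should be confirmed against the configure options.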
diff --git a/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch b/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch
new file mode 100644
index 0000000..d365ec1
--- /dev/null
+++ b/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch
@@ -0,0 +1,51 @@
+From 4b1de197ee0dd259cc05d5faf7fd38b580d841d2 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Tue, 2 May 2023 16:22:13 -0400
+Subject: [PATCH] osdetection: add OpenEmbedded and Poky
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Upstream-Status: Pending
+https://github.com/CISOfy/lynis/pull/1390
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ include/osdetection | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/include/osdetection b/include/osdetection
+index 989b1b3..e5974e5 100644
+--- a/include/osdetection
++++ b/include/osdetection
+@@ -308,6 +308,12 @@
+ OS_REDHAT_OR_CLONE=1
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
++ "nodistro")
++ LINUX_VERSION="openembedded"
++ OS_NAME="OpenEmbedded"
++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++ ;;
+ "opensuse-tumbleweed")
+ LINUX_VERSION="openSUSE Tumbleweed"
+ # It's rolling release but has a snapshot version (the date of the snapshot)
+@@ -330,6 +336,14 @@
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
++ "poky")
++ LINUX_VERSION="Poky"
++ OS_NAME="openembedded"
++ LINUX_VERSION_LIKE="openembedded"
++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++
++ ;;
+ "pop")
+ LINUX_VERSION="Pop!_OS"
+ LINUX_VERSION_LIKE="Ubuntu"
+--
+2.25.1
+
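Review bot: The two new os-release cases disagree on the spelling of `OS_NAME` — `"OpenEmbedded"` for `nodistro` but `"openembedded"` for `poky` — and Lynis tests branch on exact string matches of these variables, so pick one spelling, e.g. `OS_NAME="OpenEmbedded"` in the `poky` case as well. The `poky` case also sets `LINUX_VERSION_LIKE="openembedded"` in lowercase, which would need to match whatever spelling is chosen. The header carries `Upstream-Status: Pending` followed by a pull-request URL and two `Signed-off-by` lines; per the OE patch conventions that should read `Upstream-Status: Submitted [https://github.com/CISOfy/lynis/pull/1390]` with a single sign-off.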
diff --git a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/recipes-compliance/lynis/lynis_3.0.9.bb
index 2d59623..b8b97a5 100644
--- a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
+++ b/recipes-compliance/lynis/lynis_3.0.9.bb
@@ -3,12 +3,16 @@
SUMMARY = "Lynis is a free and open source security and auditing tool."
HOMEDIR = "https://cisofy.com/"
-LICENSE = "GPL-3.0"
+LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
-SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz \
+ file://0001-osdetection-add-OpenEmbedded-and-Poky.patch \
+ "
-SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2"
+SRC_URI[sha256sum] = "f394df7d20391fb76e975ae88f3eba1da05ac9c4945e2c7f709326e185e17025"
+
+#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
S = "${WORKDIR}/${BPN}"
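Review bot: The added `#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"` is a commented-out line using a variable name BitBake does not know, so it documents an intent without doing anything; either enable it as `UPSTREAM_CHECK_URI = "https://downloads.cisofy.com/lynis/"` with `UPSTREAM_CHECK_REGEX = "lynis-(?P<pver>\d+(\.\d+)+)\.tar\.gz"`, or drop the dead line. The unchanged context line `HOMEDIR = "https://cisofy.com/"` looks like a typo for `HOMEPAGE` that predates this commit and could be fixed while the recipe is being moved.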
@@ -34,7 +38,7 @@ do_install () {
cp ${S}/*.prf ${D}/${sysconfdir}/lynis
}
-FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
-FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md"
+FILES:${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
+FILES:${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md"
-RDEPENDS_${PN} += "procps findutils"
+RDEPENDS:${PN} += "procps findutils coreutils iproute2-ip iproute2-ss net-tools"
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/recipes-compliance/openscap/openscap_1.3.9.bb
index 812ea9f..b35ce9f 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/recipes-compliance/openscap/openscap_1.3.9.bb
@@ -1,17 +1,21 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2017 - 2023 Armin Kuster <akuster808@gmail.com>
# Released under the MIT license (see COPYING.MIT for the terms)
SUMARRY = "NIST Certified SCAP 1.2 toolkit"
HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
-LICENSE = "LGPL-2.1"
+LICENSE = "LGPL-2.1-only"
-DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig"
-DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native"
+DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre xmlsec1"
+DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native xmlsec1-native"
+
+#March 18th, 2024
+SRCREV = "0e7f654570971c1acee6dd3f34b17121372d6152"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https "
S = "${WORKDIR}/git"
-inherit cmake pkgconfig python3native python3targetconfig perlnative
+inherit cmake pkgconfig python3native python3targetconfig perlnative systemd
PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
@@ -20,6 +24,7 @@ PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm"
PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
PACKAGECONFIG[selinux] = ", ,libselinux"
+PACKAGECONFIG[remdediate_service] = "-DENABLE_OSCAP_REMEDIATE_SERVICE=ON,-DENABLE_OSCAP_REMEDIATE_SERVICE=NO,"
EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
-DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
@@ -29,27 +34,43 @@ EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
-DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \
-DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \
-DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \
- "
+ -DPREFERRED_PYTHON_PATH=${bindir}/python3 \
+ -DPYTHON3_PATH=${bindir}/python3 \
+ "
STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-do_configure_append_class-native () {
+do_configure:append:class-native () {
sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h
sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h
sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
}
-do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
-do_install_append_class-native () {
+do_install:append () {
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ if ${@bb.utils.contains('PACKAGECONFIG','remdediate_service','true','false',d)}; then
+ install -D -m 0644 ${B}/oscap-remediate.service ${D}${systemd_system_unitdir}/oscap-remediate.service
+ fi
+ fi
+}
+
+do_install:class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
+do_install:append:class-native () {
oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
install -d $oscapdir
cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
}
-FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG','remdediate_service', 'oscap-remediate.service', '',d)}"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+
+FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR}"
-RDEPENDS_${PN} += "libxml2 python3-core libgcc bash"
+RDEPENDS:${PN} = "libxml2 python3-core libgcc bash"
+RDEPENDS:${PN}-class-target = "libxml2 python3-core libgcc bash os-release"
BBCLASSEXTEND = "native"
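Review bot: `RDEPENDS:${PN}-class-target = "... os-release"` uses `-` where the class override separator is `:`, so this sets runtime dependencies for a non-existent package `openscap-class-target` and `os-release` never reaches the target image; the line above it then stands alone without `os-release`. Write it as `RDEPENDS:${PN}:class-target = "libxml2 python3-core libgcc bash os-release"` (keeping the plain `RDEPENDS:${PN}` for the native variant). Separately, `SYSTEMD_AUTO_ENABLE = "disable"` is the right default for a unit that applies remediations at boot, and worth a one-line comment saying so.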
diff --git a/recipes-compliance/scap-security-guide/files/run-ptest b/recipes-compliance/scap-security-guide/files/run-ptest
new file mode 100644
index 0000000..e8d270f
--- /dev/null
+++ b/recipes-compliance/scap-security-guide/files/run-ptest
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+export PYTHONPATH="/usr/lib/scap-security-guide/ptest/git:$PYTHONPATH"
+
+cd git/build
+
+ctest --output-on-failure -E unique-stigids
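Review bot: `cd git/build` is unguarded, so if the directory is missing ctest runs from the ptest root and reports an unrelated failure; use `cd git/build || exit 1`. The script also emits raw ctest output, whereas ptest-runner looks for `PASS:`/`FAIL:` lines per test — if that is expected here, a short comment explaining why the output is not converted would help, otherwise pipe through a small awk to produce the standard format. The `-E unique-stigids` exclusion deserves a comment stating why that test is skipped on the target.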
diff --git a/recipes-compliance/scap-security-guide/files/run_eval.sh b/recipes-compliance/scap-security-guide/files/run_eval.sh
new file mode 100644
index 0000000..cc79bac
--- /dev/null
+++ b/recipes-compliance/scap-security-guide/files/run_eval.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+oscap xccdf eval --results results.xml --report report.html --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml
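Review bot: The evaluation writes `results.xml` and `report.html` into whatever directory the caller happens to be in, and those files describe the system's configuration state; use absolute paths under a dedicated directory and restrict their mode, e.g. `umask 077` before the call and `--results /var/log/openscap/results.xml --report /var/log/openscap/report.html`. Note also that `oscap xccdf eval` exits 2 when any rule fails, which a wrapper treating non-zero as "tool error" will misreport; a comment on that exit-code convention would save the next user a surprise.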
diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb
new file mode 100644
index 0000000..5e45332
--- /dev/null
+++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb
@@ -0,0 +1,92 @@
+# Copyright (C) 2017 - 2024 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "SCAP content for various platforms, upstream version"
+HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
+LICENSE = "BSD-3-Clause"
+
+SRCREV = "459f0abf2ac08d36e5fc4a2619bc75cff7000da9"
+SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=https \
+ file://run_eval.sh \
+ file://run-ptest \
+ "
+
+
+DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native"
+
+S = "${WORKDIR}/git"
+B = "${S}/build"
+
+inherit cmake pkgconfig python3native python3targetconfig ptest
+
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
+export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
+export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
+
+OECMAKE_GENERATOR = "Unix Makefiles"
+
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OPENEMBEDDED=ON"
+
+do_configure[depends] += "openscap-native:do_install"
+
+do_configure:prepend () {
+ sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
+ sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
+}
+
+do_install:append() {
+ install -d ${D}${datadir}/openscap
+ install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/.
+}
+
+do_compile_ptest() {
+ cd ${S}/build
+ cmake ../
+ make
+}
+
+do_install_ptest() {
+
+ # remove host & work dir from tests
+ for x in $(find ${S}/build -type f) ;
+ do
+ sed -e 's#${HOSTTOOLS_DIR}/##g' \
+ -e 's#${RECIPE_SYSROOT_NATIVE}##g' \
+ -e 's#${WORKDIR}#${PTEST_PATH}#g' \
+ -e 's#/.*/xmllint#/usr/bin/xmllint#g' \
+ -e 's#/.*/oscap#/usr/bin/oscap#g' \
+ -e 's#/python3-native##g' \
+ -i ${x}
+ done
+
+ for x in $(find ${S}/build-scripts -type f) ;
+ do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x}
+ done
+
+ for x in $(find ${S}/tests -type f) ;
+ do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x}
+ done
+
+ for x in $(find ${S}/utils -type f) ;
+ do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x}
+ done
+
+ PDIRS="apple_os build controls products shared components applications linux_os ocp-resources tests utils ssg build-scripts"
+ t=${D}/${PTEST_PATH}/git
+ for d in ${PDIRS}; do
+ install -d ${t}/$d
+ cp -fr ${S}/$d/* ${t}/$d/.
+ done
+}
+
+FILES:${PN} += "${datadir}/xml ${datadir}/openscap"
+
+RDEPENDS:${PN} = "openscap"
+RDEPENDS:${PN}-ptest = "cmake grep sed bash git python3 python3-modules python3-mypy python3-pyyaml python3-yamlpath python3-xmldiff python3-json2html python3-pandas python3-openpyxl python3-pytest libxml2-utils libxslt-bin"
+
+COMPATIBLE_HOST:libc-musl = "null"
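Review bot: `do_install_ptest` rewrites the first line of every regular file under `${S}/build-scripts`, `${S}/tests` and `${S}/utils` to `#!/usr/bin/env python3`, including any shell scripts or data files that start with a different shebang, which would then be executed by the Python interpreter and fail. Limit the substitution to Python interpreters, `sed -i -e '1s|^#!.*python.*$|#!/usr/bin/env python3|' ${x}`, or restrict the `find` to `-name '*.py'`. The unquoted `$(find ...)` loops also split on whitespace in paths; `find ... -exec sed -i ... {} +` avoids both the word-splitting and the per-file fork.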
diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index 187aeae..4256e19 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -18,8 +18,17 @@ PACKAGE_INSTALL = " \
IMAGE_FEATURES = ""
IMAGE_LINGUAS = ""
+IMAGE_NAME_SUFFIX ?= ""
+
# Can we somehow inspect reverse dependencies to avoid these variables?
-do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+python __anonymous() {
+ verity_image = d.getVar('DM_VERITY_IMAGE')
+ verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+
+ if verity_image and verity_type:
+ dep = ' %s:do_image_%s' % (verity_image, verity_type.replace('-', '_'))
+ d.appendVarFlag('do_image', 'depends', dep)
+}
# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
do_image[nostamp] = "1"
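Review bot: The new anonymous function silently adds no dependency when DM_VERITY_IMAGE or DM_VERITY_IMAGE_TYPE is unset, whereas the removed `do_image[depends]` line would presumably have failed on an unresolvable task; the result is an initramfs that can be built against a stale or missing dm-verity.env with no diagnostic. Consider making the missed case visible: `else: bb.warn('DM_VERITY_IMAGE or DM_VERITY_IMAGE_TYPE not set; dm-verity.env dependency not added')`. The `replace('-', '_')` mapping of the image type to the task name is worth a one-line comment so the next reader does not "fix" it back.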
diff --git a/recipes-core/images/security-build-image.bb b/recipes-core/images/security-build-image.bb
index a8757f9..9c82049 100644
--- a/recipes-core/images/security-build-image.bb
+++ b/recipes-core/images/security-build-image.bb
@@ -3,6 +3,7 @@ DESCRIPTION = "A small image for building meta-security packages"
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_INSTALL = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "lkrg-module", "",d)} \
packagegroup-base \
packagegroup-core-boot \
packagegroup-core-security \
@@ -17,3 +18,8 @@ inherit core-image
export IMAGE_BASENAME = "security-build-image"
IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+
+QB_KERNEL_CMDLINE_APPEND = " ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor=1 security=apparmor', '', d)}"
+
+# We need more mem to run many apps in this layer
+QB_MEM = "-m 2048"
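Review bot: `QB_KERNEL_CMDLINE_APPEND = " ..."` is a plain assignment, so any value a machine configuration already provides for the qemu kernel command line is replaced rather than extended; if that is not intended, `QB_KERNEL_CMDLINE_APPEND += ...` (or `:append`) preserves it. The same applies to `QB_MEM = "-m 2048"`, which overrides rather than raises whatever the machine sets. This is an inference from the variable names used by the qemuboot machinery; the rest of the file is outside the hunk.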
diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb
index 54d8978..81f69dd 100644
--- a/recipes-core/images/security-test-image.bb
+++ b/recipes-core/images/security-test-image.bb
@@ -4,7 +4,16 @@ require security-build-image.bb
IMAGE_FEATURES += "ssh-server-openssh"
-TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+IMAGE_INSTALL:append = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
+"
+
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
+TEST_SUITES:append = " parsec tpm2 swtpm ima"
INSTALL_CLAMAV_CVD = "1"
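Review bot: `TEST_SUITES:append = " parsec tpm2 swtpm ima"` is unconditional, while the packages those suites exercise are only installed when the matching layer appears in BBFILE_COLLECTIONS a few lines above, so a build without meta-parsec or the tpm/integrity layers will request test suites whose targets are absent. Gating the append the same way keeps the two lists consistent, e.g. `TEST_SUITES:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'parsec-layer', 'parsec', '', d)}"` per suite. The removed `ptest` and `tripwire` entries are not mentioned in the hunk; a short comment saying why they were dropped would help.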
diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
index 888052c..1923490 100644
--- a/recipes-core/initrdscripts/initramfs-framework/dmverity
+++ b/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
@@ -6,14 +6,44 @@ dmverity_enabled() {
dmverity_run() {
DATA_SIZE="__not_set__"
+ DATA_BLOCK_SIZE="__not_set__"
ROOT_HASH="__not_set__"
+ SEPARATE_HASH="__not_set__"
. /usr/share/misc/dm-verity.env
C=0
delay=${bootparam_rootdelay:-1}
timeout=${bootparam_roottimeout:-5}
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+
+ # we know exactly what we are looking for; don't need the wide hunt below
+ if [ "${SEPARATE_HASH}" -eq "1" ]; then
+ while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device (data) resolution failed"
+ exit 1
+ fi
+ debug "Sleeping for $delay second(s) to wait for root data to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+ done
+
+ veritysetup \
+ --data-block-size=${DATA_BLOCK_SIZE} \
+ create rootfs \
+ /dev/disk/by-partuuid/${ROOT_UUID} \
+ /dev/disk/by-partuuid/${RHASH_UUID} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+
+ return
+ fi
+
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
while [ ! -b "${RDEV}" ]; do
if [ $(( $C * $delay )) -gt $timeout ]; then
fatal "Root device resolution failed"
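Review bot: The separate-hash branch waits only for the data partition (`ROOT_UUID`) but then passes `/dev/disk/by-partuuid/${RHASH_UUID}` to veritysetup without checking it exists, so on a slow-settling disk the hash device can race the wait loop; extend the loop condition to `while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ] || [ ! -b "/dev/disk/by-partuuid/${RHASH_UUID}" ]; do`. The veritysetup exit status is also unchecked in this branch, so a root-hash mismatch is only reported indirectly by the later mount failing; `veritysetup ... ${ROOT_HASH} || { fatal "dm-verity setup failed"; exit 1; }` keeps the integrity error explicit, which matters since this is the point where a tampered rootfs is supposed to be refused. `[ "${SEPARATE_HASH}" -eq "1" ]` is an integer comparison against the string sentinel `__not_set__` when an older dm-verity.env lacks the variable, which prints a shell error rather than a clean false, and `ROOT_UUID`/`RHASH_UUID` get no sentinel at all; a string test `[ "${SEPARATE_HASH}" = "1" ]` avoids the noise. The same concern applies to `--data-block-size=${DATA_BLOCK_SIZE}` here and in the later veritysetup hunk, where an env file without DATA_BLOCK_SIZE now yields `--data-block-size=__not_set__` instead of the previous 1024. dmverity_run continues outside the hunk.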
@@ -22,22 +52,22 @@ dmverity_run() {
case "${bootparam_root}" in
ID=*)
- RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=} 2>/dev/null)"
;;
LABEL=*)
- RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=} 2>/dev/null)"
;;
PARTLABEL=*)
- RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=} 2>/dev/null)"
;;
PARTUUID=*)
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
;;
PATH=*)
- RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=} 2>/dev/null)"
;;
UUID=*)
- RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=} 2>/dev/null)"
;;
*)
RDEV="${bootparam_root}"
@@ -49,7 +79,7 @@ dmverity_run() {
done
veritysetup \
- --data-block-size=1024 \
+ --data-block-size=${DATA_BLOCK_SIZE} \
--hash-offset=${DATA_SIZE} \
create rootfs \
${RDEV} \
diff --git a/recipes-core/initrdscripts/initramfs-framework.inc b/recipes-core/initrdscripts/initramfs-framework.inc
index dad9c96..1a724d6 100644
--- a/recipes-core/initrdscripts/initramfs-framework.inc
+++ b/recipes-core/initrdscripts/initramfs-framework.inc
@@ -1,16 +1,16 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/initramfs-framework-dm:"
-SRC_URI_append = "\
+SRC_URI:append = "\
file://dmverity \
"
-do_install_append() {
+do_install:append() {
# dm-verity
install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
}
-PACKAGES_append = " initramfs-module-dmverity"
+PACKAGES:append = " initramfs-module-dmverity"
-SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
-RDEPENDS_initramfs-module-dmverity = "${PN}-base"
-FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
+SUMMARY:initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS:initramfs-module-dmverity = "${PN}-base"
+FILES:initramfs-module-dmverity = "/init.d/80-dmverity"
diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
index dc74e01..f5d476e 100644
--- a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -1 +1 @@
-require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 'initramfs-framework.inc', '', d)}
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}
diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index e7b6d9b..3ef77e5 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -10,85 +10,106 @@ PACKAGES = "\
packagegroup-security-utils \
packagegroup-security-scanners \
packagegroup-security-audit \
- packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
+ packagegroup-security-compliance \
${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
-RDEPENDS_packagegroup-core-security = "\
+RDEPENDS:packagegroup-core-security = "\
packagegroup-security-utils \
packagegroup-security-scanners \
packagegroup-security-audit \
- packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
+ packagegroup-security-compliance \
${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
-SUMMARY_packagegroup-security-utils = "Security utilities"
-RDEPENDS_packagegroup-security-utils = "\
+SUMMARY:packagegroup-security-utils = "Security utilities"
+RDEPENDS:packagegroup-security-utils = "\
+ bubblewrap \
checksec \
+ cryptmount \
ding-libs \
ecryptfs-utils \
fscryptctl \
+ glome \
keyutils \
nmap \
pinentry \
- python3-privacyidea \
- python3-fail2ban \
softhsm \
- libest \
- opendnssec \
+ sshguard \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
"
-SUMMARY_packagegroup-security-scanners = "Security scanners"
-RDEPENDS_packagegroup-security-scanners = "\
+have_krill = "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}"
+RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:x86-64 = " firejail chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:aarch64 = " firejail ${have_krill}"
+RDEPENDS:packagegroup-security-utils:remove:libc-musl = "krill"
+
+SUMMARY:packagegroup-security-scanners = "Security scanners"
+RDEPENDS:packagegroup-security-scanners = "\
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \
+ chkrootkit \
isic \
- nikto \
- checksecurity \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \
"
-RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-daemon clamav-freshclam"
+RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam"
+RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "arpwatch"
-SUMMARY_packagegroup-security-audit = "Security Audit tools "
-RDEPENDS_packagegroup-security-audit = " \
+SUMMARY:packagegroup-security-audit = "Security Audit tools "
+RDEPENDS:packagegroup-security-audit = " \
buck-security \
redhat-security \
"
-SUMMARY_packagegroup-security-hardening = "Security Hardening tools"
-RDEPENDS_packagegroup-security-hardening = " \
- bastille \
- "
-
-SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
-RDEPENDS_packagegroup-security-ids = " \
+SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems"
+RDEPENDS:packagegroup-security-ids = " \
samhain-standalone \
- ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \
+ suricata \
ossec-hids \
aide \
"
-RDEPENDS_packagegroup-security-ids_remove_libc-musl = "ossec-hids"
+RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:libc-musl = "ossec-hids"
-SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
-RDEPENDS_packagegroup-security-mac = " \
+SUMMARY:packagegroup-security-mac = "Security Mandatory Access Control systems"
+RDEPENDS:packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
-RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor"
+RDEPENDS:packagegroup-security-mac:remove:mipsarch = "apparmor"
-RDEPENDS_packagegroup-meta-security-ptest-packages = "\
+SUMMARY:packagegroup-security-compliance = "Security Compliance applications"
+RDEPENDS:packagegroup-security-compliance = " \
+ lynis \
+ openscap \
+ scap-security-guide \
+ os-release \
+ "
+
+RDEPENDS:packagegroup-security-compliance:remove:libc-musl = "openscap scap-security-guide"
+
+RDEPENDS:packagegroup-meta-security-ptest-packages = "\
ptest-runner \
samhain-standalone-ptest \
- libseccomp-ptest \
- suricata-ptest \
- python3-fail2ban-ptest \
+ ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata-ptest","", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
"
+
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64le = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64 = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv32 = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv64 = "suricata-ptest"
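Review bot: `RDEPENDS:packagegroup-security-scanners:remove:libc-musl` is assigned twice in succession, and the second plain `=` replaces the first, so on musl only `arpwatch` is removed and the clamav packages the first line meant to drop stay in; merge them into one line: `RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam arpwatch"`. The five `:remove:` lines at the end target `packagegroup-security-ptest-packages`, but the package defined above is `packagegroup-meta-security-ptest-packages`, so none of the suricata-ptest removals for powerpc/riscv take effect. The `have_krill` helper is keyed on the `pam` DISTRO_FEATURE, which is not obviously related to krill; a comment explaining the coupling, or a different gate, would help.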
diff --git a/recipes-ids/aide/aide/aide.conf b/recipes-ids/aide/aide/aide.conf
index 2c99e07..c4b917e 100644
--- a/recipes-ids/aide/aide/aide.conf
+++ b/recipes-ids/aide/aide/aide.conf
@@ -51,7 +51,7 @@ report_url=stdout
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+FIPSR = p+u+g+s+acl+xattrs+sha256
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
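Review bot: Dropping `i+n+m+c+selinux` from FIPSR means aide will no longer report inode, link-count, mtime, ctime or SELinux-context changes for anything in the NORMAL/LSPP groups, which is a noticeable reduction in what the integrity check detects; the same reduction is made to DIR, PERMS and DATAONLY in the following hunks. If the motivation is that the database is now generated at build time and those attributes differ on the installed target, that rationale belongs in a comment above the line, e.g. `# inode/time/selinux attributes are omitted because the database is built off-target and they change at install`. Without such a note the next maintainer cannot tell whether this was a deliberate trade-off or an accident.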
@@ -70,10 +70,10 @@ EVERYTHING = R+ALLXTRAHASHES
NORMAL = FIPSR+sha512
# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+DIR = p+u+g+acl+xattrs
# Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl
# Logfile are special, in that they often change
LOG = >
@@ -83,12 +83,9 @@ LSPP = FIPSR+sha512
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY = p+u+g+s+acl+xattrs+sha256
# Next decide what directories/files you want in the database.
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
diff --git a/recipes-ids/aide/aide_0.17.3.bb b/recipes-ids/aide/aide_0.17.3.bb
deleted file mode 100644
index 522cd85..0000000
--- a/recipes-ids/aide/aide_0.17.3.bb
+++ /dev/null
@@ -1,41 +0,0 @@
-SUMMARY = "Advanced Intrusion Detection Environment"
-HOMEPAGE = "https://aide.github.io"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-LICENSE = "GPL-2.0"
-
-DEPENDS = "bison-native libpcre"
-
-SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
- file://aide.conf"
-
-SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8"
-
-inherit autotools pkgconfig
-
-PACKAGECONFIG ??=" mhash zlib e2fsattrs \
- ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
- "
-PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, libselinux"
-PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib "
-PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr"
-PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl"
-PACKAGECONFIG[audit] = "--with-audit, --without-audit,"
-PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
-PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
-PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
-
-do_install_append () {
- install -d ${D}${libdir}/${PN}/logs
- install -d ${D}${sysconfdir}
- install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
-}
-
-CONF_FILE = "${sysconfdir}/aide.conf"
-
-FILES_${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf"
-
-pkg_postinst_ontarget_${PN} () {
- /usr/bin/aide -i
-}
-RDPENDS_${PN} = "bison, libpcre"
diff --git a/recipes-ids/aide/aide_0.17.4.bb b/recipes-ids/aide/aide_0.17.4.bb
new file mode 100644
index 0000000..52ddc43
--- /dev/null
+++ b/recipes-ids/aide/aide_0.17.4.bb
@@ -0,0 +1,74 @@
+SUMMARY = "Advanced Intrusion Detection Environment"
+HOMEPAGE = "https://aide.github.io"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0-only"
+
+DEPENDS = "bison-native libpcre"
+
+SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
+ file://aide.conf"
+
+SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846"
+
+UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
+
+inherit autotools pkgconfig aide-base
+
+PACKAGECONFIG ??=" mhash zlib e2fsattrs posix capabilities curl \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
+ "
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, libselinux"
+PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib "
+PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr"
+PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl"
+PACKAGECONFIG[audit] = "--with-audit, --without-audit,audit"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
+PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
+PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
+PACKAGECONFIG[capabilities] = "--with-capabilities, --without-capabilities, libcap, libcap"
+PACKAGECONFIG[posix] = "--with-posix-acl, --without-posix-acl, acl, acl"
+
+
+do_install[nostamp] = "1"
+
+do_install:append () {
+ install -d ${D}${libdir}/${PN}/logs
+ install -d ${D}${sysconfdir}
+ install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
+
+ for dir in ${AIDE_INCLUDE_DIRS}; do
+ echo "${dir} NORMAL" >> ${D}${sysconfdir}/aide.conf
+ done
+ for dir in ${AIDE_SKIP_DIRS}; do
+ echo "!${dir}" >> ${D}${sysconfdir}/aide.conf
+ done
+}
+
+do_install:class-native () {
+ install -d ${STAGING_AIDE_DIR}/bin
+ install -d ${STAGING_AIDE_DIR}/lib/logs
+
+ install ${B}/aide ${STAGING_AIDE_DIR}/bin
+ install ${WORKDIR}/aide.conf ${STAGING_AIDE_DIR}/
+
+ sed -i -s "s:\@\@define DBDIR.*:\@\@define DBDIR ${STAGING_AIDE_DIR}/lib:" ${STAGING_AIDE_DIR}/aide.conf
+ sed -i -e "s:\@\@define LOGDIR.*:\@\@define LOGDIR ${STAGING_AIDE_DIR}/lib/logs:" ${STAGING_AIDE_DIR}/aide.conf
+}
+
+CONF_FILE = "${sysconfdir}/aide.conf"
+
+FILES:${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf"
+
+pkg_postinst_ontarget:${PN} () {
+ if [ ${AIDE_SCAN_POSTINIT} ]; then
+ ${bindir}/aide -i
+ fi
+ if [ ${AIDE_RESCAN_POSTINIT} && -e ${libdir}/aide/aide.db.gz ]; then
+ ${bindir}/aide -C
+ fi
+}
+
+RDEPENDS:${PN} = "bison libpcre"
+
+BBCLASSEXTEND = "native"
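Review bot: `if [ ${AIDE_RESCAN_POSTINIT} && -e ${libdir}/aide/aide.db.gz ]; then` is not valid for `[`: the shell parses `&&` as a list operator, so the first command is `[ <value>` without a closing bracket and the test errors out at the first boot rather than running `aide -C`; write it as `if [ "${AIDE_RESCAN_POSTINIT}" = "1" ] && [ -e ${libdir}/aide/aide.db.gz ]; then`. The preceding `if [ ${AIDE_SCAN_POSTINIT} ]` is true for any non-empty value, including `0`, and expands to an always-false `[ ]` when the variable is unset, so an explicit `= "1"` comparison there too makes the intent clear. In `do_install:class-native`, `sed -i -s "s:..."` uses `-s` (separate files) where the sibling line uses `-e`; it works by accident since the expression is taken as the script, but `-e` is what is meant. `do_install[nostamp] = "1"` forces the install step to re-run every build, presumably so AIDE_INCLUDE_DIRS/AIDE_SKIP_DIRS changes are picked up; adding those two variables to `do_install[vardeps]` instead would give the same effect without defeating the stamp.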
diff --git a/recipes-ids/crowdsec/crowdsec_1.1.1.bb b/recipes-ids/crowdsec/crowdsec_1.1.1.bb
new file mode 100644
index 0000000..81f2b8f
--- /dev/null
+++ b/recipes-ids/crowdsec/crowdsec_1.1.1.bb
@@ -0,0 +1,42 @@
+SUMMARY = "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=105e75b680b2ab82fa5718661b41f3bf"
+
+SRC_URI = "git://github.com/crowdsecurity/crowdsec.git;branch=master;protocol=https"
+SRCREV = "73e0bbaf93070f4a640eb5a22212b5dcf26699de"
+
+DEPENDS = "jq-native"
+
+GO_IMPORT = "import"
+
+inherit go
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+ export GOARCH="${TARGET_GOARCH}"
+ export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
+
+ # Pass the needed cflags/ldflags so that cgo
+ # can find the needed headers files and libraries
+ export CGO_ENABLED="1"
+ export CFLAGS=""
+ export LDFLAGS=""
+ export CGO_CFLAGS="${BUILDSDK_CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+ export CGO_LDFLAGS="${BUILDSDK_LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+
+ cd ${S}/src/import
+ oe_runmake release
+}
+
+do_install_ () {
+ chmod +x -R --silent ${B}/pkg
+}
+
+
+INSANE_SKIP:${PN} = "already-stripped"
+INSANE_SKIP:${PN}-dev = "ldflags"
+
+RDEPENDS:${PN} = "go"
+RDEPENDS:${PN}-dev = "bash"
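Review bot: `do_install_ ()` has a trailing underscore, so it defines a shell function that is not the `do_install` task and never runs; the recipe's install step is whatever the inherited `go` class provides, and the `chmod +x -R --silent ${B}/pkg` here is dead code. Either rename it to `do_install:append ()` (if the intent is to add to the class's install) or to `do_install ()` if it is meant to replace it, and note that `${B}/pkg` is not obviously what `oe_runmake release` produces in `${S}/src/import`. `RDEPENDS:${PN} = "go"` pulls the Go toolchain onto the target, which a built binary normally does not need; if it is required for a runtime feature, a comment saying which one would avoid it being removed later.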
diff --git a/recipes-ids/ossec/ossec-hids_3.6.0.bb b/recipes-ids/ossec/ossec-hids_3.6.0.bb
deleted file mode 100644
index 778278b..0000000
--- a/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ /dev/null
@@ -1,165 +0,0 @@
-SUMMARY = "A full platform to monitor and control your systems"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d625d1520b5e38faefb81cf9772badc9"
-
-
-DEPENDS = "openssl libpcre2 zlib libevent"
-SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \
- file://0001-Makefile-drop-running-scrips-install.patch \
- file://0002-Makefile-don-t-set-uid-gid.patch \
- "
-
-SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2"
-
-UPSTREAM_CHECK_COMMITS = "1"
-
-inherit autotools-brokensep useradd
-
-S = "${WORKDIR}/git"
-
-OSSEC_UID ?= "ossec"
-OSSEC_RUID ?= "ossecr"
-OSSEC_GID ?= "ossec"
-OSSEC_EMAIL ?= "ossecm"
-
-do_configure[noexec] = "1"
-
-do_compile() {
- cd ${S}/src
- make PREFIX=${prefix} TARGET=local USE_SYSTEMD=No build
-}
-
-do_install(){
- install -d ${D}${sysconfdir}
- install -d ${D}/var/ossec/${sysconfdir}
-
- cd ${S}/src
- make TARGET=local PREFIX=${D}/var/ossec install
-
- echo "DIRECTORY=\"/var/ossec\"" > ${D}/${sysconfdir}/ossec-init.conf
- echo "VERSION=\"${PV}\"" >> ${D}/${sysconfdir}/ossec-init.conf
- echo "DATE=\"`date`\"" >> ${D}/${sysconfdir}/ossec-init.conf
- echo "TYPE=\"local\"" >> ${D}/${sysconfdir}/ossec-init.conf
- chmod 600 ${D}/${sysconfdir}/ossec-init.conf
- install -m 640 ${D}/${sysconfdir}/ossec-init.conf ${D}/var/ossec/${sysconfdir}/ossec-init.conf
-}
-
-pkg_postinst_ontarget_${PN} () {
- DIR="/var/ossec"
-
- usermod -g ossec -G ossec -a root
-
- # Default for all directories
- chmod -R 550 ${DIR}
- chown -R root:${OSSEC_GID} ${DIR}
-
- # To the ossec queue (default for agentd to read)
- chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/ossec
- chmod -R 770 ${DIR}/queue/ossec
-
- # For the logging user
- chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs
- chmod -R 750 ${DIR}/logs
- chmod -R 775 ${DIR}/queue/rids
- touch ${DIR}/logs/ossec.log
- chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs/ossec.log
- chmod 664 ${DIR}/logs/ossec.log
-
- chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/diff
- chmod -R 750 ${DIR}/queue/diff
- chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true
-
- # For the etc dir
- chmod 550 ${DIR}/etc
- chown -R root:${OSSEC_GID} ${DIR}/etc
- if [ -f /etc/localtime ]; then
- cp -pL /etc/localtime ${DIR}/etc/;
- chmod 555 ${DIR}/etc/localtime
- chown root:${OSSEC_GID} ${DIR}/etc/localtime
- fi
-
- if [ -f /etc/TIMEZONE ]; then
- cp -p /etc/TIMEZONE ${DIR}/etc/;
- chmod 555 ${DIR}/etc/TIMEZONE
- fi
-
- # More files
- chown root:${OSSEC_GID} ${DIR}/etc/internal_options.conf
- chown root:${OSSEC_GID} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
- chown root:${OSSEC_GID} ${DIR}/etc/client.keys >/dev/null 2>&1 || true
- chown root:${OSSEC_GID} ${DIR}/agentless/*
- chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/.ssh
- chown root:${OSSEC_GID} ${DIR}/etc/shared/*
-
- chmod 550 ${DIR}/etc
- chmod 440 ${DIR}/etc/internal_options.conf
- chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
- chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true
- chmod 550 ${DIR}/agentless/*
- chmod 700 ${DIR}/.ssh
- chmod 770 ${DIR}/etc/shared
- chmod 660 ${DIR}/etc/shared/*
-
- # For the /var/run
- chmod 770 ${DIR}/var/run
- chown root:${OSSEC_GID} ${DIR}/var/run
-
- # For util.sh
- chown root:${OSSEC_GID} ${DIR}/bin/util.sh
- chmod +x ${DIR}/bin/util.sh
-
- # For binaries and active response
- chmod 755 ${DIR}/active-response/bin/*
- chown root:${OSSEC_GID} ${DIR}/active-response/bin/*
- chown root:${OSSEC_GID} ${DIR}/bin/*
- chmod 550 ${DIR}/bin/*
-
- # For ossec.conf
- chown root:${OSSEC_GID} ${DIR}/etc/ossec.conf
- chmod 660 ${DIR}/etc/ossec.conf
-
- # Debconf
- . /usr/share/debconf/confmodule
- db_input high ossec-hids-agent/server-ip || true
- db_go
-
- db_get ossec-hids-agent/server-ip
- SERVER_IP=$RET
-
- sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf
- db_stop
-
- # ossec-init.conf
- if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then
- if [ -e /etc/ossec-init.conf ]; then
- rm -f /etc/ossec-init.conf
- fi
- ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf
- fi
-
- # init.d/ossec file
- if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then
- if [ -e /etc/init.d/ossec ]; then
- rm -f /etc/init.d/ossec
- fi
- ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec
- fi
-
- # Service
- if [ -x /etc/init.d/ossec ]; then
- update-rc.d -f ossec defaults
- fi
-
- # Delete tmp directory
- if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then
- rm -r ${OSSEC_HIDS_TMP_DIR}
- fi
-}
-
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/false ossec"
-GROUPADD_PARAM_${PN} = "--system ossec"
-
-RDEPENDS_${PN} = "openssl bash"
-
-COMPATIBLE_HOST_libc-musl = "null"
diff --git a/recipes-ids/ossec/ossec-hids_3.7.0.bb b/recipes-ids/ossec/ossec-hids_3.7.0.bb
new file mode 100644
index 0000000..829715b
--- /dev/null
+++ b/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -0,0 +1,170 @@
+SUMMARY = "A full platform to monitor and control your systems"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d625d1520b5e38faefb81cf9772badc9"
+
+
+DEPENDS = "openssl libpcre2 zlib libevent"
+SRC_URI = "git://github.com/ossec/ossec-hids;branch=master;protocol=https \
+ file://0001-Makefile-drop-running-scrips-install.patch \
+ file://0002-Makefile-don-t-set-uid-gid.patch \
+ "
+
+SRCREV = "bf797c759994015274f3bc31fe2bed278cce67ee"
+
+UPSTREAM_CHECK_COMMITS = "1"
+
+inherit autotools-brokensep useradd
+
+S = "${WORKDIR}/git"
+
+
+OSSEC_DIR="/var/ossec"
+OSSEC_UID ?= "ossec"
+OSSEC_RUID ?= "ossecr"
+OSSEC_GID ?= "ossec"
+OSSEC_EMAIL ?= "ossecm"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${OSSEC_UID}"
+USERADD_PARAM:${PN} = "--system -g ${OSSEC_GID} --home-dir \
+ ${OSSEC_DIR} --no-create-home \
+ --shell /sbin/nologin ${BPN}"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+ cd ${S}/src
+ make PREFIX=${prefix} TARGET=local USE_SYSTEMD=No build
+}
+
+do_install(){
+ install -d ${D}${sysconfdir}
+ install -d ${D}/var/ossec/${sysconfdir}
+
+ cd ${S}/src
+ make TARGET=local PREFIX=${D}/var/ossec install
+
+ echo "DIRECTORY=\"/var/ossec\"" > ${D}/${sysconfdir}/ossec-init.conf
+ echo "VERSION=\"${PV}\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ echo "DATE=\"`date`\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ echo "TYPE=\"local\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ chmod 600 ${D}/${sysconfdir}/ossec-init.conf
+ install -m 640 ${D}/${sysconfdir}/ossec-init.conf ${D}/var/ossec/${sysconfdir}/ossec-init.conf
+}
+
+pkg_postinst_ontarget:${PN} () {
+
+ # Default for all directories
+ chmod -R 550 ${OSSEC_DIR}
+ chown -R root:${OSSEC_GID} ${OSSEC_DIR}
+
+ # To the ossec queue (default for agentd to read)
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/queue/ossec
+ chmod -R 770 ${OSSEC_DIR}/queue/ossec
+
+ # For the logging user
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/logs
+ chmod -R 750 ${OSSEC_DIR}/logs
+ chmod -R 775 ${OSSEC_DIR}/queue/rids
+ touch ${OSSEC_DIR}/logs/ossec.log
+ chown ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/logs/ossec.log
+ chmod 664 ${OSSEC_DIR}/logs/ossec.log
+
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/queue/diff
+ chmod -R 750 ${OSSEC_DIR}/queue/diff
+ chmod 740 ${OSSEC_DIR}/queue/diff/* > /dev/null 2>&1 || true
+
+ # For the etc dir
+ chmod 550 ${OSSEC_DIR}/etc
+ chown -R root:${OSSEC_GID} ${OSSEC_DIR}/etc
+ if [ -f /etc/localtime ]; then
+ cp -pL /etc/localtime ${OSSEC_DIR}/etc/;
+ chmod 555 ${OSSEC_DIR}/etc/localtime
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/localtime
+ fi
+
+ if [ -f /etc/TIMEZONE ]; then
+ cp -p /etc/TIMEZONE ${OSSEC_DIR}/etc/;
+ chmod 555 ${OSSEC_DIR}/etc/TIMEZONE
+ fi
+
+ # More files
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/internal_options.conf
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/client.keys >/dev/null 2>&1 || true
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/agentless/*
+ chown ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/.ssh
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/shared/*
+
+ chmod 550 ${OSSEC_DIR}/etc
+ chmod 440 ${OSSEC_DIR}/etc/internal_options.conf
+ chmod 660 ${OSSEC_DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+ chmod 440 ${OSSEC_DIR}/etc/client.keys >/dev/null 2>&1 || true
+ chmod 550 ${OSSEC_DIR}/agentless/*
+ chmod 700 ${OSSEC_DIR}/.ssh
+ chmod 770 ${OSSEC_DIR}/etc/shared
+ chmod 660 ${OSSEC_DIR}/etc/shared/*
+
+ # For the /var/run
+ chmod 770 ${OSSEC_DIR}/var/run
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/var/run
+
+ # For util.sh
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/bin/util.sh
+ chmod +x ${OSSEC_DIR}/bin/util.sh
+
+ # For binaries and active response
+ chmod 755 ${OSSEC_DIR}/active-response/bin/*
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/active-response/bin/*
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/bin/*
+ chmod 550 ${OSSEC_DIR}/bin/*
+
+ # For ossec.conf
+ chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/ossec.conf
+ chmod 660 ${OSSEC_DIR}/etc/ossec.conf
+
+ # Debconf
+ . /usr/share/debconf/confmodule
+ db_input high ossec-hids-agent/server-ip || true
+ db_go
+
+ db_get ossec-hids-agent/server-ip
+ SERVER_IP=$RET
+
+ sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${OSSEC_DIR}/etc/ossec.conf
+ db_stop
+
+ # ossec-init.conf
+ if [ -e ${OSSEC_DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then
+ if [ -e /etc/ossec-init.conf ]; then
+ rm -f /etc/ossec-init.conf
+ fi
+ ln -s ${OSSEC_DIR}/etc/ossec-init.conf /etc/ossec-init.conf
+ fi
+
+ # init.d/ossec file
+ if [ -x ${OSSEC_DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then
+ if [ -e /etc/init.d/ossec ]; then
+ rm -f /etc/init.d/ossec
+ fi
+ ln -s ${OSSEC_DIR}/etc/init.d/ossec /etc/init.d/ossec
+ fi
+
+ # Service
+ if [ -x /etc/init.d/ossec ]; then
+ update-rc.d -f ossec defaults
+ fi
+
+ # Delete tmp directory
+ if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then
+ rm -r ${OSSEC_HIDS_TMP_DIR}
+ fi
+}
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/false ossec"
+GROUPADD_PARAM:${PN} = "--system ossec"
+
+RDEPENDS:${PN} = "openssl bash"
+
+COMPATIBLE_HOST:libc-musl = "null"
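Review bot: The postinst uses `${OSSEC_UUID}` in every chown for the queue, logs and .ssh directories, but the variable defined at the top is `OSSEC_UID`; the undefined name is left for the shell, which expands it to empty, so those commands become `chown -R :ossec ...` and the directories the daemon must write stay owned by root, while the 770/750 group modes are then the only thing letting it work. Replace each occurrence with `${OSSEC_UID}`, e.g. `chown -R ${OSSEC_UID}:${OSSEC_GID} ${OSSEC_DIR}/queue/ossec`. USERADD_PARAM and GROUPADD_PARAM are defined twice in this new file; the second block at the bottom (`--shell /bin/false`, no `--no-create-home`) overrides the first, so the `/sbin/nologin` variant built from OSSEC_DIR/OSSEC_GID is dead. `. /usr/share/debconf/confmodule` will abort the whole postinst in POSIX sh when debconf is not on the image, which is presumably the common case here, so the Debconf block should either be guarded with `[ -r /usr/share/debconf/confmodule ] &&` or removed; `OSSEC_HIDS_TMP_DIR` is likewise never defined, so `[ -d ${OSSEC_HIDS_TMP_DIR} ]` is the always-true one-argument test and the final `rm -r` runs with no operand.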
diff --git a/recipes-ids/samhain/files/0001-Don-t-expose-configure-args.patch b/recipes-ids/samhain/files/0001-Don-t-expose-configure-args.patch
new file mode 100644
index 0000000..fedbe5b
--- /dev/null
+++ b/recipes-ids/samhain/files/0001-Don-t-expose-configure-args.patch
@@ -0,0 +1,44 @@
+From 111b1e8f35e989513d8961a45a806767109f6e1e Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Thu, 11 Aug 2022 17:15:30 +0800
+Subject: [PATCH] Don't expose configure args
+
+Don't expost configure args to fix buildpath issue.
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ scripts/samhain.ebuild-light.in | 2 +-
+ scripts/samhain.ebuild.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/samhain.ebuild-light.in b/scripts/samhain.ebuild-light.in
+index 2b09cdb..b7f7062 100644
+--- a/scripts/samhain.ebuild-light.in
++++ b/scripts/samhain.ebuild-light.in
+@@ -55,7 +55,7 @@ src_compile() {
+ # --with-state-dir=/var/lib/${PN} \
+ # --with-log-file=/var/log/${PN}.log \
+
+- ./configure ${myconf} @mydefargs@ || die
++ ./configure ${myconf} mydefargs || die
+ emake || die
+
+ echo '#!/bin/sh' > ./sstrip
+diff --git a/scripts/samhain.ebuild.in b/scripts/samhain.ebuild.in
+index 635a746..b9a42e7 100644
+--- a/scripts/samhain.ebuild.in
++++ b/scripts/samhain.ebuild.in
+@@ -55,7 +55,7 @@ src_compile() {
+ # --with-state-dir=/var/lib/${PN} \
+ # --with-log-file=/var/log/${PN}.log \
+
+- ./configure ${myconf} @mydefargs@ || die
++ ./configure ${myconf} mydefargs || die
+ emake || die
+
+ echo '#!/bin/sh' > ./sstrip
+--
+2.25.1
+
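Review bot: Replacing `@mydefargs@` with the bare word `mydefargs` leaves a stray literal positional argument on both `./configure` invocations rather than removing the build-path-bearing arguments; `./configure ${myconf} || die` expresses the intent without passing an unknown token to configure. The patch description also reads "Don't expost" where "expose" is meant.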
diff --git a/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch b/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
index 5284313..e00fc2a 100644
--- a/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
+++ b/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
@@ -1,6 +1,6 @@
not run test on host, since we are doing cross-compile
-Upstream-status: Inappropriate [cross compile specific]
+Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
diff --git a/recipes-ids/samhain/files/samhain-pid-path.patch b/recipes-ids/samhain/files/samhain-pid-path.patch
index 592bd16..8fdadd1 100644
--- a/recipes-ids/samhain/files/samhain-pid-path.patch
+++ b/recipes-ids/samhain/files/samhain-pid-path.patch
@@ -2,15 +2,15 @@ commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Thu Jan 10 16:29:05 2013 -0500
- Set the PID Lock path for samhain.pid
+Set the PID Lock path for samhain.pid
- The explicit path for samhain.pid inorder
- for samhain to work properly after it initial
- database build.
+The explicit path for samhain.pid inorder
+for samhain to work properly after it initial
+database build.
- Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Inappropriate [configuration]
- Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
diff --git a/samhainrc.linux b/samhainrc.linux
index 10a8176..a7b06e6 100644
diff --git a/recipes-ids/samhain/samhain-client.bb b/recipes-ids/samhain/samhain-client.bb
index 0f53a8c..0de9c34 100644
--- a/recipes-ids/samhain/samhain-client.bb
+++ b/recipes-ids/samhain/samhain-client.bb
@@ -8,5 +8,8 @@ EXTRA_OECONF += " \
--with-port=${SAMHAIN_PORT} \
"
-RDEPENDS_${PN} = "acl zlib attr bash"
-RCONFLICTS_${PN} = "samhain-standalone"
+MODE_NAME = "client"
+SAMHAIN_MODE = "client"
+
+RDEPENDS:${PN} = "acl zlib attr bash"
+RCONFLICTS:${PN} = "samhain-standalone"
diff --git a/recipes-ids/samhain/samhain-server.bb b/recipes-ids/samhain/samhain-server.bb
index e7a3aa6..8bae2d2 100644
--- a/recipes-ids/samhain/samhain-server.bb
+++ b/recipes-ids/samhain/samhain-server.bb
@@ -8,9 +8,12 @@ SRC_URI += "file://samhain-server-volatiles \
file://samhain-server-volatiles.conf \
"
+MODE_NAME = "server"
+SAMHAIN_MODE = "server"
+
TARGET_CC_ARCH += "${LDFLAGS}"
-do_install_append() {
+do_install:append() {
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
install -m 0644 ${WORKDIR}/samhain-server-volatiles.conf \
@@ -25,5 +28,5 @@ do_install_append() {
init/samhain.startLSB ${D}/var/lib/samhain
}
-RDEPENDS_${PN} += "gmp bash perl"
-RCONFLICTS_${PN} = "samhain-standalone"
+RDEPENDS:${PN} += "gmp bash perl"
+RCONFLICTS:${PN} = "samhain-standalone"
diff --git a/recipes-ids/samhain/samhain-standalone.bb b/recipes-ids/samhain/samhain-standalone.bb
index 4fed9e9..ae9ed2b 100644
--- a/recipes-ids/samhain/samhain-standalone.bb
+++ b/recipes-ids/samhain/samhain-standalone.bb
@@ -1,12 +1,16 @@
require samhain.inc
SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
+ file://0001-Don-t-expose-configure-args.patch \
file://run-ptest \
"
PROVIDES += "samhain"
-SYSTEMD_SERVICE_${PN} = "samhain.service"
+MODE_NAME = "standalone"
+SAMHAIN_MODE = "no"
+
+SYSTEMD_SERVICE:${PN} = "samhain.service"
inherit ptest
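Review bot: The new `file://0001-Don-t-expose-configure-args.patch` entry is added only to this recipe, while the two `sed -i -e 's;mydefarg;mydefargholder;g'` lines added to do_configure:prepend in samhain.inc already handle the same placeholder for every recipe that requires the .inc. For samhain-standalone both run, so the sed merely rewrites the patch's literal `mydefargs` to `mydefargholders`; for samhain-client and samhain-server only the sed runs (their hunks do not show the patch). Pick one mechanism: either move the patch into samhain.inc's SRC_URI and drop the sed, or drop the patch and keep the sed, which on the unpatched file leaves `@mydefargholders@` — not a substituted variable — untouched by configure.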
@@ -18,7 +22,7 @@ do_compile() {
oe_runmake "$@"
}
-do_install_append() {
+do_install:append() {
ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
}
@@ -27,5 +31,5 @@ do_install_ptest() {
install ${S}/cutest ${D}${PTEST_PATH}
}
-RPROVIDES_${PN} += "samhain"
-RCONFLICTS_${PN} = "samhain-client samhain-server"
+RPROVIDES:${PN} += "samhain"
+RCONFLICTS:${PN} = "samhain-client samhain-server"
diff --git a/recipes-ids/samhain/samhain.inc b/recipes-ids/samhain/samhain.inc
index 0148e46..f5bea1d 100644
--- a/recipes-ids/samhain/samhain.inc
+++ b/recipes-ids/samhain/samhain.inc
@@ -1,9 +1,9 @@
DESCRIPTION = "Provides file integrity checking and log file monitoring/analysis"
HOMEPAGE = "http://www.la-samhna.de/samhain/"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
-PV = "4.4.3"
+PV = "4.4.10"
SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://${INITSCRIPT_NAME}.init \
@@ -21,7 +21,7 @@ SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain-fix-initializer-element-is-not-constant.patch \
"
-SRC_URI[sha256sum] = "3e57574036d5055e9557ec5095818b419ea6c4365370fc2ccce1e9f87f9fad08"
+SRC_URI[sha256sum] = "ae6ee8eff3cb111b7fc14a57bcc258443dd0bcf1bfacfdf229935ed053c1ce3d"
UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
@@ -37,17 +37,9 @@ INITSCRIPT_NAME = "${BPN}"
INITSCRIPT_PARAMS ?= "defaults"
SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service"
+SYSTEMD_SERVICE:${PN} = "${INITSCRIPT_NAME}.service"
SYSTEMD_AUTO_ENABLE = "disable"
-# mode mapping:
-# BPN MODE_NAME SAMHAIN_MODE
-# samhain-standalone standalone no
-# samhain-client client client
-# samhain-server server server
-MODE_NAME = "${@d.getVar('BPN').split('-')[1]}"
-SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}"
-
# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
PACKAGECONFIG ??= "postgresql ps \
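Review bot: Removing the derived `MODE_NAME`/`SAMHAIN_MODE` defaults makes samhain.inc depend on every including recipe setting both variables (samhain-client.bb, samhain-server.bb and samhain-standalone.bb do so in this commit), but nothing in the .inc records that contract, and an omission would give an empty `SAMHAIN_MODE` wherever the .inc consumes it (do_configure is cut off in this view) rather than an error. Suggest keeping the removed mapping as a comment here, e.g. `# MODE_NAME / SAMHAIN_MODE are set by each recipe: standalone -> no, client -> client, server -> server`, and, if an empty value is never valid, failing early with `python () { if not d.getVar('SAMHAIN_MODE'): bb.fatal('SAMHAIN_MODE must be set by the recipe') }`.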
@@ -67,23 +59,24 @@ PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
-EXTRA_OEMAKE_append_aarch64 = " CPPFLAGS+=-DCONFIG_ARCH_AARCH64=1"
-EXTRA_OEMAKE_append_mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1"
+EXTRA_OECONF += "INSTALL='install -p'"
+EXTRA_OEMAKE:append:aarch64 = " CPPFLAGS+=-DCONFIG_ARCH_AARCH64=1"
+EXTRA_OEMAKE:append:mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1"
do_unpack_samhain() {
cd ${WORKDIR}
tar -xzvf samhain-${PV}.tar.gz
}
-python do_unpack_append() {
+python do_unpack:append() {
bb.build.exec_func('do_unpack_samhain', d)
}
-do_configure_prepend_arm() {
+do_configure:prepend:arm() {
export sh_cv___va_copy=yes
}
-do_configure_prepend_aarch64() {
+do_configure:prepend:aarch64() {
export sh_cv___va_copy=yes
}
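Review bot: `EXTRA_OECONF += "INSTALL='install -p'"` carries no comment on why the install program is overridden at configure time; `-p` preserves source mtimes, which reads as a reproducible-build fix, but that intent should be stated, e.g. `# install -p keeps source timestamps so installed files are reproducible across builds`. Note also that the `oe_runmake install DESTDIR='${D}' INSTALL=install-boot` line in do_install:append (a later hunk) overrides INSTALL on the make command line, so this configure-time value does not apply to that call; confirm the main do_install invocation, which is not visible here, is the one it is meant for.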
@@ -91,12 +84,15 @@ do_configure_prepend_aarch64() {
# use the prefix --oldincludedir=/usr/include which is not
# recognized by Samhain's configure script and would invariably
# throw back the error "unrecognized option: --oldincludedir=/usr/include"
-do_configure_prepend () {
+do_configure:prepend () {
cat << EOF > ${S}/config-site.${BP}
ssp_cv_lib=no
sh_cv_va_copy=yes
EOF
export CONFIG_SITE=${S}/config-site.${BP}
+ # remove the buildpath
+ sed -i -e 's;mydefarg;mydefargholder;g' ${S}/scripts/samhain.ebuild.in
+ sed -i -e 's;mydefarg;mydefargholder;g' ${S}/scripts/samhain.ebuild-light.in
}
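Review bot: `# remove the buildpath` above the two sed lines names neither the placeholder nor why renaming it helps; suggest `# configure substitutes its own argument list (build-host paths) into scripts/samhain.ebuild*.in via @mydefargs@; renaming the placeholder leaves it unsubstituted`. The pattern `mydefarg` is also unanchored, so when 0001-Don-t-expose-configure-args.patch has already turned `@mydefargs@` into the literal `mydefargs` (samhain-standalone) it is rewritten again to `mydefargholders`; `s;@mydefargs@;@mydefargholder@;g` states the intent and is a no-op on an already-patched file. do_configure:prepend starts inside the hunk and ends at this line.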
do_configure () {
@@ -124,13 +120,13 @@ do_configure () {
${EXTRA_OECONF}
}
-do_compile_prepend_libc-musl () {
+do_compile:prepend:libc-musl () {
sed -i 's/^#define HAVE_MALLOC_H.*//' ${B}/config.h
}
# Install the init script, it's default file, and the extraneous
# documentation.
-do_install_append () {
+do_install:append () {
oe_runmake install DESTDIR='${D}' INSTALL=install-boot
install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
@@ -165,4 +161,4 @@ do_install_append () {
rm -rf ${D}${localstatedir}/log
}
-FILES_${PN} += "${systemd_system_unitdir}"
+FILES:${PN} += "${systemd_system_unitdir}"
diff --git a/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch b/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
deleted file mode 100644
index 530568b..0000000
--- a/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001
-From: Eric Leblond <eric@regit.org>
-Date: Wed, 17 Jul 2019 12:35:12 +0200
-Subject: [PATCH] af-packet: fix build on recent Linux kernels
-
-Upstream-Status: Backport
-Signed-off-by: Armin kuster <akuster808@gmail.com>
----
- src/source-af-packet.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-Index: suricata-4.1.5/src/source-af-packet.c
-===================================================================
---- suricata-4.1.5.orig/src/source-af-packet.c
-+++ suricata-4.1.5/src/source-af-packet.c
-@@ -68,6 +68,10 @@
- #include <linux/sockios.h>
- #endif
-
-+#if HAVE_LINUX_SOCKIOS_H
-+#include <linux/sockios.h>
-+#endif
-+
- #ifdef HAVE_PACKET_EBPF
- #include "util-ebpf.h"
- #include <bpf/libbpf.h>
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/recipes-ids/suricata/files/fixup.patch
index fc44ce6..0b2ae7c 100644
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
+++ b/recipes-ids/suricata/files/fixup.patch
@@ -1,30 +1,30 @@
Skip pkg Makefile from using its own rust steps
-Upstream-Status: OE Specific
+Upstream-Status: Inappropriate [OE Specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: suricata-6.0.2/Makefile.am
+Index: suricata-7.0.0/Makefile.in
===================================================================
---- suricata-6.0.2.orig/Makefile.am
-+++ suricata-6.0.2/Makefile.am
-@@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- $(SURICATA_UPDATE_DIR) \
- lua \
- acsite.m4
+--- suricata-7.0.0.orig/Makefile.in
++++ suricata-7.0.0/Makefile.in
+@@ -424,7 +424,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
+ acsite.m4 \
+ scripts/generate-images.sh
+
-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
$(SURICATA_UPDATE_DIR)
CLEANFILES = stamp-h[0-9]*
-Index: suricata-6.0.2/Makefile.in
+Index: suricata-7.0.0/Makefile.am
===================================================================
---- suricata-6.0.2.orig/Makefile.in
-+++ suricata-6.0.2/Makefile.in
-@@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
+--- suricata-7.0.0.orig/Makefile.am
++++ suricata-7.0.0/Makefile.am
+@@ -8,7 +8,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
lua \
- acsite.m4
-
+ acsite.m4 \
+ scripts/generate-images.sh
-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
$(SURICATA_UPDATE_DIR)
diff --git a/recipes-ids/suricata/files/no_libhtp_build.patch b/recipes-ids/suricata/files/no_libhtp_build.patch
deleted file mode 100644
index 2ebf021..0000000
--- a/recipes-ids/suricata/files/no_libhtp_build.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Signed-of_by: Armin Kuster <akuster808@gmail.com>
-
-Index: suricata-2.0.5/Makefile.am
-===================================================================
---- suricata-2.0.5.orig/Makefile.am
-+++ suricata-2.0.5/Makefile.am
-@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4
- EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
- classification.config threshold.config \
- reference.config
--SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
-+SUBDIRS = src qa rules doc contrib scripts
-
- CLEANFILES = stamp-h[0-9]*
-
-Index: suricata-2.0.5/Makefile.in
-===================================================================
---- suricata-2.0.5.orig/Makefile.in
-+++ suricata-2.0.5/Makefile.in
-@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@
- HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@
- HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@
- HAVE_WGET = @HAVE_WGET@
--HTP_DIR = @HTP_DIR@
- HTP_LDADD = @HTP_LDADD@
- INSTALL = @INSTALL@
- INSTALL_DATA = @INSTALL_DATA@
-@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- classification.config threshold.config \
- reference.config
-
--SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
-+SUBDIRS = src qa rules doc contrib scripts
- CLEANFILES = stamp-h[0-9]*
- all: config.h
- $(MAKE) $(AM_MAKEFLAGS) all-recursive
diff --git a/recipes-ids/suricata/libhtp_0.5.36.bb b/recipes-ids/suricata/libhtp_0.5.36.bb
deleted file mode 100644
index 8305f70..0000000
--- a/recipes-ids/suricata/libhtp_0.5.36.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-DEPENDS = "zlib"
-
-inherit autotools pkgconfig
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-S = "${WORKDIR}/suricata-${VER}/${BPN}"
-
-RDEPENDS_${PN} += "zlib"
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb b/recipes-ids/suricata/libhtp_0.5.45.bb
index 34e72e9..cc8285c 100644
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
+++ b/recipes-ids/suricata/libhtp_0.5.45.bb
@@ -5,7 +5,7 @@ require suricata.inc
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1"
+SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af"
DEPENDS = "zlib"
@@ -23,5 +23,5 @@ do_configure () {
oe_runconf
}
-RDEPENDS_${PN} += "zlib"
+RDEPENDS:${PN} += "zlib"
diff --git a/recipes-ids/suricata/python3-suricata-update_1.2.1.bb b/recipes-ids/suricata/python3-suricata-update_1.2.1.bb
deleted file mode 100644
index bbdce69..0000000
--- a/recipes-ids/suricata/python3-suricata-update_1.2.1.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "The tool for updating your Suricata rules. "
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRCREV = "50e857f75e576e239d8306a6ac55946a1ce252a6"
-SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.2.x'"
-
-S = "${WORKDIR}/git"
-
-inherit python3native python3targetconfig setuptools3
-
-RDEPENDS_${PN} = "python3-pyyaml python3-logging python3-compression"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/recipes-ids/suricata/suricata-crates.inc b/recipes-ids/suricata/suricata-crates.inc
new file mode 100644
index 0000000..386d8d1
--- /dev/null
+++ b/recipes-ids/suricata/suricata-crates.inc
@@ -0,0 +1,1150 @@
+# Autogenerated with 'bitbake -c update_crates suricata'
+
+# from rust/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/adler/1.0.2 \
+ crate://crates.io/aead/0.4.3 \
+ crate://crates.io/aes/0.7.5 \
+ crate://crates.io/aes-gcm/0.9.4 \
+ crate://crates.io/aho-corasick/0.7.20 \
+ crate://crates.io/alloc-no-stdlib/2.0.4 \
+ crate://crates.io/alloc-stdlib/0.2.2 \
+ crate://crates.io/asn1-rs/0.5.2 \
+ crate://crates.io/asn1-rs-derive/0.4.0 \
+ crate://crates.io/asn1-rs-impl/0.1.0 \
+ crate://crates.io/autocfg/1.1.0 \
+ crate://crates.io/base64/0.13.1 \
+ crate://crates.io/bendy/0.3.3 \
+ crate://crates.io/bitflags/1.2.1 \
+ crate://crates.io/block-buffer/0.10.4 \
+ crate://crates.io/brotli/3.3.4 \
+ crate://crates.io/brotli-decompressor/2.3.4 \
+ crate://crates.io/build_const/0.2.2 \
+ crate://crates.io/byteorder/1.4.3 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/cipher/0.3.0 \
+ crate://crates.io/cpufeatures/0.2.9 \
+ crate://crates.io/crc/1.8.1 \
+ crate://crates.io/crc32fast/1.3.2 \
+ crate://crates.io/crypto-common/0.1.6 \
+ crate://crates.io/ctr/0.8.0 \
+ crate://crates.io/data-encoding/2.4.0 \
+ crate://crates.io/der-oid-macro/0.5.0 \
+ crate://crates.io/der-parser/6.0.1 \
+ crate://crates.io/der-parser/8.2.0 \
+ crate://crates.io/digest/0.10.7 \
+ crate://crates.io/displaydoc/0.2.4 \
+ crate://crates.io/enum_primitive/0.1.1 \
+ crate://crates.io/failure/0.1.8 \
+ crate://crates.io/failure_derive/0.1.8 \
+ crate://crates.io/flate2/1.0.26 \
+ crate://crates.io/generic-array/0.14.7 \
+ crate://crates.io/getrandom/0.2.10 \
+ crate://crates.io/ghash/0.4.4 \
+ crate://crates.io/hex/0.4.3 \
+ crate://crates.io/hkdf/0.12.3 \
+ crate://crates.io/hmac/0.12.1 \
+ crate://crates.io/ipsec-parser/0.7.0 \
+ crate://crates.io/itoa/1.0.8 \
+ crate://crates.io/kerberos-parser/0.7.1 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.147 \
+ crate://crates.io/lzma-rs/0.2.0 \
+ crate://crates.io/md-5/0.10.5 \
+ crate://crates.io/memchr/2.4.1 \
+ crate://crates.io/minimal-lexical/0.2.1 \
+ crate://crates.io/miniz_oxide/0.7.1 \
+ crate://crates.io/nom/7.1.3 \
+ crate://crates.io/nom-derive/0.10.1 \
+ crate://crates.io/nom-derive-impl/0.10.1 \
+ crate://crates.io/ntp-parser/0.6.0 \
+ crate://crates.io/num/0.2.1 \
+ crate://crates.io/num-bigint/0.2.6 \
+ crate://crates.io/num-bigint/0.4.3 \
+ crate://crates.io/num-complex/0.2.4 \
+ crate://crates.io/num-derive/0.2.5 \
+ crate://crates.io/num-integer/0.1.45 \
+ crate://crates.io/num-iter/0.1.43 \
+ crate://crates.io/num-rational/0.2.4 \
+ crate://crates.io/num-traits/0.1.43 \
+ crate://crates.io/num-traits/0.2.15 \
+ crate://crates.io/num_enum/0.5.11 \
+ crate://crates.io/num_enum_derive/0.5.11 \
+ crate://crates.io/num_threads/0.1.6 \
+ crate://crates.io/oid-registry/0.6.1 \
+ crate://crates.io/opaque-debug/0.3.0 \
+ crate://crates.io/phf/0.10.1 \
+ crate://crates.io/phf_codegen/0.10.0 \
+ crate://crates.io/phf_generator/0.10.0 \
+ crate://crates.io/phf_shared/0.10.0 \
+ crate://crates.io/polyval/0.5.3 \
+ crate://crates.io/ppv-lite86/0.2.17 \
+ crate://crates.io/proc-macro-crate/1.1.0 \
+ crate://crates.io/proc-macro2/0.4.30 \
+ crate://crates.io/proc-macro2/1.0.64 \
+ crate://crates.io/quote/0.6.13 \
+ crate://crates.io/quote/1.0.29 \
+ crate://crates.io/rand/0.8.5 \
+ crate://crates.io/rand_chacha/0.3.1 \
+ crate://crates.io/rand_core/0.6.4 \
+ crate://crates.io/regex/1.5.6 \
+ crate://crates.io/regex-syntax/0.6.29 \
+ crate://crates.io/rusticata-macros/4.1.0 \
+ crate://crates.io/rustversion/1.0.13 \
+ crate://crates.io/sawp/0.12.1 \
+ crate://crates.io/sawp-flags/0.12.1 \
+ crate://crates.io/sawp-flags-derive/0.12.1 \
+ crate://crates.io/sawp-modbus/0.12.1 \
+ crate://crates.io/serde/1.0.171 \
+ crate://crates.io/sha1/0.10.5 \
+ crate://crates.io/sha2/0.10.7 \
+ crate://crates.io/siphasher/0.3.10 \
+ crate://crates.io/snmp-parser/0.9.0 \
+ crate://crates.io/subtle/2.4.1 \
+ crate://crates.io/syn/0.15.44 \
+ crate://crates.io/syn/1.0.109 \
+ crate://crates.io/syn/2.0.25 \
+ crate://crates.io/synstructure/0.12.6 \
+ crate://crates.io/test-case/1.1.0 \
+ crate://crates.io/thiserror/1.0.43 \
+ crate://crates.io/thiserror-impl/1.0.43 \
+ crate://crates.io/time/0.3.13 \
+ crate://crates.io/time-macros/0.2.4 \
+ crate://crates.io/tls-parser/0.11.0 \
+ crate://crates.io/toml/0.5.11 \
+ crate://crates.io/typenum/1.16.0 \
+ crate://crates.io/unicode-ident/1.0.10 \
+ crate://crates.io/unicode-xid/0.1.0 \
+ crate://crates.io/unicode-xid/0.2.4 \
+ crate://crates.io/universal-hash/0.4.1 \
+ crate://crates.io/uuid/0.8.2 \
+ crate://crates.io/version_check/0.9.4 \
+ crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1 \
+ crate://crates.io/widestring/0.4.3 \
+ crate://crates.io/x509-parser/0.15.0 \
+"
+
+SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+SRC_URI[aead-0.4.3.sha256sum] = "0b613b8e1e3cf911a086f53f03bf286f52fd7a7258e4fa606f0ef220d39d8877"
+SRC_URI[aes-0.7.5.sha256sum] = "9e8b47f52ea9bae42228d07ec09eb676433d7c4ed1ebdf0f1d1c29ed446f1ab8"
+SRC_URI[aes-gcm-0.9.4.sha256sum] = "df5f85a83a7d8b0442b6aa7b504b8212c1733da07b98aae43d4bc21b2cb3cdf6"
+SRC_URI[aho-corasick-0.7.20.sha256sum] = "cc936419f96fa211c1b9166887b38e5e40b19958e5b895be7c1f93adec7071ac"
+SRC_URI[alloc-no-stdlib-2.0.4.sha256sum] = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3"
+SRC_URI[alloc-stdlib-0.2.2.sha256sum] = "94fb8275041c72129eb51b7d0322c29b8387a0386127718b096429201a5d6ece"
+SRC_URI[asn1-rs-0.5.2.sha256sum] = "7f6fd5ddaf0351dff5b8da21b2fb4ff8e08ddd02857f0bf69c47639106c0fff0"
+SRC_URI[asn1-rs-derive-0.4.0.sha256sum] = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c"
+SRC_URI[asn1-rs-impl-0.1.0.sha256sum] = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[base64-0.13.1.sha256sum] = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+SRC_URI[bendy-0.3.3.sha256sum] = "8133e404c8bec821e531f347dab1247bf64f60882826e7228f8ffeb33a35a658"
+SRC_URI[bitflags-1.2.1.sha256sum] = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
+SRC_URI[block-buffer-0.10.4.sha256sum] = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+SRC_URI[brotli-3.3.4.sha256sum] = "a1a0b1dbcc8ae29329621f8d4f0d835787c1c38bb1401979b49d13b0b305ff68"
+SRC_URI[brotli-decompressor-2.3.4.sha256sum] = "4b6561fd3f895a11e8f72af2cb7d22e08366bebc2b6b57f7744c4bda27034744"
+SRC_URI[build_const-0.2.2.sha256sum] = "b4ae4235e6dac0694637c763029ecea1a2ec9e4e06ec2729bd21ba4d9c863eb7"
+SRC_URI[byteorder-1.4.3.sha256sum] = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[cipher-0.3.0.sha256sum] = "7ee52072ec15386f770805afd189a01c8841be8696bed250fa2f13c4c0d6dfb7"
+SRC_URI[cpufeatures-0.2.9.sha256sum] = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1"
+SRC_URI[crc-1.8.1.sha256sum] = "d663548de7f5cca343f1e0a48d14dcfb0e9eb4e079ec58883b7251539fa10aeb"
+SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+SRC_URI[crypto-common-0.1.6.sha256sum] = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+SRC_URI[ctr-0.8.0.sha256sum] = "049bb91fb4aaf0e3c7efa6cd5ef877dbbbd15b39dad06d9948de4ec8a75761ea"
+SRC_URI[data-encoding-2.4.0.sha256sum] = "c2e66c9d817f1720209181c316d28635c050fa304f9c79e47a520882661b7308"
+SRC_URI[der-oid-macro-0.5.0.sha256sum] = "c73af209b6a5dc8ca7cbaba720732304792cddc933cfea3d74509c2b1ef2f436"
+SRC_URI[der-parser-6.0.1.sha256sum] = "4cddf120f700b411b2b02ebeb7f04dc0b7c8835909a6c2f52bf72ed0dd3433b2"
+SRC_URI[der-parser-8.2.0.sha256sum] = "dbd676fbbab537128ef0278adb5576cf363cff6aa22a7b24effe97347cfab61e"
+SRC_URI[digest-0.10.7.sha256sum] = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+SRC_URI[displaydoc-0.2.4.sha256sum] = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d"
+SRC_URI[enum_primitive-0.1.1.sha256sum] = "be4551092f4d519593039259a9ed8daedf0da12e5109c5280338073eaeb81180"
+SRC_URI[failure-0.1.8.sha256sum] = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
+SRC_URI[failure_derive-0.1.8.sha256sum] = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
+SRC_URI[flate2-1.0.26.sha256sum] = "3b9429470923de8e8cbd4d2dc513535400b4b3fef0319fb5c4e1f520a7bef743"
+SRC_URI[generic-array-0.14.7.sha256sum] = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+SRC_URI[getrandom-0.2.10.sha256sum] = "be4136b2a15dd319360be1c07d9933517ccf0be8f16bf62a3bee4f0d618df427"
+SRC_URI[ghash-0.4.4.sha256sum] = "1583cc1656d7839fd3732b80cf4f38850336cdb9b8ded1cd399ca62958de3c99"
+SRC_URI[hex-0.4.3.sha256sum] = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+SRC_URI[hkdf-0.12.3.sha256sum] = "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437"
+SRC_URI[hmac-0.12.1.sha256sum] = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+SRC_URI[ipsec-parser-0.7.0.sha256sum] = "2cf8413e5de78bcbc51880ff71f4b64105719abe6efb8b4b877d3c7dc494ddd1"
+SRC_URI[itoa-1.0.8.sha256sum] = "62b02a5381cc465bd3041d84623d0fa3b66738b52b8e2fc3bab8ad63ab032f4a"
+SRC_URI[kerberos-parser-0.7.1.sha256sum] = "c10e7cfd4759cbce37ea65e2f48caebd695c246196a38e97ba4f731da48996da"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.147.sha256sum] = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3"
+SRC_URI[lzma-rs-0.2.0.sha256sum] = "aba8ecb0450dfabce4ad72085eed0a75dffe8f21f7ada05638564ea9db2d7fb1"
+SRC_URI[md-5-0.10.5.sha256sum] = "6365506850d44bff6e2fbcb5176cf63650e48bd45ef2fe2665ae1570e0f4b9ca"
+SRC_URI[memchr-2.4.1.sha256sum] = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
+SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+SRC_URI[miniz_oxide-0.7.1.sha256sum] = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7"
+SRC_URI[nom-7.1.3.sha256sum] = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+SRC_URI[nom-derive-0.10.1.sha256sum] = "1ff943d68b88d0b87a6e0d58615e8fa07f9fd5a1319fa0a72efc1f62275c79a7"
+SRC_URI[nom-derive-impl-0.10.1.sha256sum] = "cd0b9a93a84b0d3ec3e70e02d332dc33ac6dfac9cde63e17fcb77172dededa62"
+SRC_URI[ntp-parser-0.6.0.sha256sum] = "76084be9bf432d487336dd4e39b31ad93f94aecb14b81f08724f4a37b9abb7a5"
+SRC_URI[num-0.2.1.sha256sum] = "b8536030f9fea7127f841b45bb6243b27255787fb4eb83958aa1ef9d2fdc0c36"
+SRC_URI[num-bigint-0.2.6.sha256sum] = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304"
+SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+SRC_URI[num-complex-0.2.4.sha256sum] = "b6b19411a9719e753aff12e5187b74d60d3dc449ec3f4dc21e3989c3f554bc95"
+SRC_URI[num-derive-0.2.5.sha256sum] = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-iter-0.1.43.sha256sum] = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252"
+SRC_URI[num-rational-0.2.4.sha256sum] = "5c000134b5dbf44adc5cb772486d335293351644b801551abe8f75c84cfa4aef"
+SRC_URI[num-traits-0.1.43.sha256sum] = "92e5113e9fd4cc14ded8e499429f396a20f98c772a47cc8622a736e1ec843c31"
+SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+SRC_URI[num_enum-0.5.11.sha256sum] = "1f646caf906c20226733ed5b1374287eb97e3c2a5c227ce668c1f2ce20ae57c9"
+SRC_URI[num_enum_derive-0.5.11.sha256sum] = "dcbff9bc912032c62bf65ef1d5aea88983b420f4f839db1e9b0c281a25c9c799"
+SRC_URI[num_threads-0.1.6.sha256sum] = "2819ce041d2ee131036f4fc9d6ae7ae125a3a40e97ba64d04fe799ad9dabbb44"
+SRC_URI[oid-registry-0.6.1.sha256sum] = "9bedf36ffb6ba96c2eb7144ef6270557b52e54b20c0a8e1eb2ff99a6c6959bff"
+SRC_URI[opaque-debug-0.3.0.sha256sum] = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+SRC_URI[phf-0.10.1.sha256sum] = "fabbf1ead8a5bcbc20f5f8b939ee3f5b0f6f281b6ad3468b84656b658b455259"
+SRC_URI[phf_codegen-0.10.0.sha256sum] = "4fb1c3a8bc4dd4e5cfce29b44ffc14bedd2ee294559a294e2a4d4c9e9a6a13cd"
+SRC_URI[phf_generator-0.10.0.sha256sum] = "5d5285893bb5eb82e6aaf5d59ee909a06a16737a8970984dd7746ba9283498d6"
+SRC_URI[phf_shared-0.10.0.sha256sum] = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+SRC_URI[polyval-0.5.3.sha256sum] = "8419d2b623c7c0896ff2d5d96e2cb4ede590fed28fcc34934f4c33c036e620a1"
+SRC_URI[ppv-lite86-0.2.17.sha256sum] = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
+SRC_URI[proc-macro-crate-1.1.0.sha256sum] = "1ebace6889caf889b4d3f76becee12e90353f2b8c7d875534a71e5742f8f6f83"
+SRC_URI[proc-macro2-0.4.30.sha256sum] = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759"
+SRC_URI[proc-macro2-1.0.64.sha256sum] = "78803b62cbf1f46fde80d7c0e803111524b9877184cfe7c3033659490ac7a7da"
+SRC_URI[quote-0.6.13.sha256sum] = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1"
+SRC_URI[quote-1.0.29.sha256sum] = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.4.sha256sum] = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+SRC_URI[regex-1.5.6.sha256sum] = "d83f127d94bdbcda4c8cc2e50f6f84f4b611f69c902699ca385a39c3a75f9ff1"
+SRC_URI[regex-syntax-0.6.29.sha256sum] = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
+SRC_URI[rusticata-macros-4.1.0.sha256sum] = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+SRC_URI[rustversion-1.0.13.sha256sum] = "dc31bd9b61a32c31f9650d18add92aa83a49ba979c143eefd27fe7177b05bd5f"
+SRC_URI[sawp-0.12.1.sha256sum] = "7e74f84d736420afcba72f689a494d275c97cf4775c3fe248f937e9d3bf83e30"
+SRC_URI[sawp-flags-0.12.1.sha256sum] = "1f2b22023d224b5314d51e53bfb2dbca53dc2cf90a4435aa4feb78172799dad0"
+SRC_URI[sawp-flags-derive-0.12.1.sha256sum] = "49a585d3c22887d23bb06dd602b8ce96c2a716e1fa89beec8bfb49e466f2d643"
+SRC_URI[sawp-modbus-0.12.1.sha256sum] = "2cbad9b003999a0f3016fb3603da113ff86f06279ccf6aacb577058168c0568d"
+SRC_URI[serde-1.0.171.sha256sum] = "30e27d1e4fd7659406c492fd6cfaf2066ba8773de45ca75e855590f856dc34a9"
+SRC_URI[sha1-0.10.5.sha256sum] = "f04293dc80c3993519f2d7f6f511707ee7094fe0c6d3406feb330cdb3540eba3"
+SRC_URI[sha2-0.10.7.sha256sum] = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8"
+SRC_URI[siphasher-0.3.10.sha256sum] = "7bd3e3206899af3f8b12af284fafc038cc1dc2b41d1b89dd17297221c5d225de"
+SRC_URI[snmp-parser-0.9.0.sha256sum] = "773a26ad6742636f4259e7cc32262efb31feabd56bc34f0b2f28de9801aa24b3"
+SRC_URI[subtle-2.4.1.sha256sum] = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
+SRC_URI[syn-0.15.44.sha256sum] = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5"
+SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+SRC_URI[syn-2.0.25.sha256sum] = "15e3fc8c0c74267e2df136e5e5fb656a464158aa57624053375eb9c8c6e25ae2"
+SRC_URI[synstructure-0.12.6.sha256sum] = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+SRC_URI[test-case-1.1.0.sha256sum] = "956044ef122917dde830c19dec5f76d0670329fde4104836d62ebcb14f4865f1"
+SRC_URI[thiserror-1.0.43.sha256sum] = "a35fc5b8971143ca348fa6df4f024d4d55264f3468c71ad1c2f365b0a4d58c42"
+SRC_URI[thiserror-impl-1.0.43.sha256sum] = "463fe12d7993d3b327787537ce8dd4dfa058de32fc2b195ef3cde03dc4771e8f"
+SRC_URI[time-0.3.13.sha256sum] = "db76ff9fa4b1458b3c7f077f3ff9887394058460d21e634355b273aaf11eea45"
+SRC_URI[time-macros-0.2.4.sha256sum] = "42657b1a6f4d817cda8e7a0ace261fe0cc946cf3a80314390b22cc61ae080792"
+SRC_URI[tls-parser-0.11.0.sha256sum] = "409206e2de64edbf7ea99a44ac31680daf9ef1a57895fb3c5bd738a903691be0"
+SRC_URI[toml-0.5.11.sha256sum] = "f4f7f0dd8d50a853a531c426359045b1998f04219d88799810762cd4ad314234"
+SRC_URI[typenum-1.16.0.sha256sum] = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
+SRC_URI[unicode-ident-1.0.10.sha256sum] = "22049a19f4a68748a168c0fc439f9516686aa045927ff767eca0a85101fb6e73"
+SRC_URI[unicode-xid-0.1.0.sha256sum] = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
+SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+SRC_URI[universal-hash-0.4.1.sha256sum] = "9f214e8f697e925001e66ec2c6e37a4ef93f0f78c2eed7814394e10c62025b05"
+SRC_URI[uuid-0.8.2.sha256sum] = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+SRC_URI[widestring-0.4.3.sha256sum] = "c168940144dd21fd8046987c16a46a33d5fc84eec29ef9dcddc2ac9e31526b7c"
+SRC_URI[x509-parser-0.15.0.sha256sum] = "bab0c2f54ae1d92f4fcb99c0b7ccf0b1e3451cbd395e5f115ccbdbcb18d4f634"
+# from rust/vendor/base64/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/ansi_term/0.12.1 \
+ crate://crates.io/atty/0.2.14 \
+ crate://crates.io/autocfg/0.1.8 \
+ crate://crates.io/autocfg/1.1.0 \
+ crate://crates.io/bitflags/1.3.2 \
+ crate://crates.io/bstr/0.2.17 \
+ crate://crates.io/bumpalo/3.11.1 \
+ crate://crates.io/cast/0.2.7 \
+ crate://crates.io/cast/0.3.0 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/clap/2.34.0 \
+ crate://crates.io/cloudabi/0.0.3 \
+ crate://crates.io/criterion/0.3.2 \
+ crate://crates.io/criterion-plot/0.4.5 \
+ crate://crates.io/crossbeam-channel/0.5.6 \
+ crate://crates.io/crossbeam-deque/0.8.2 \
+ crate://crates.io/crossbeam-epoch/0.9.11 \
+ crate://crates.io/crossbeam-utils/0.8.12 \
+ crate://crates.io/csv/1.1.6 \
+ crate://crates.io/csv-core/0.1.10 \
+ crate://crates.io/either/1.8.0 \
+ crate://crates.io/fuchsia-cprng/0.1.1 \
+ crate://crates.io/heck/0.3.3 \
+ crate://crates.io/hermit-abi/0.1.19 \
+ crate://crates.io/itertools/0.9.0 \
+ crate://crates.io/itertools/0.10.5 \
+ crate://crates.io/itoa/0.4.8 \
+ crate://crates.io/itoa/1.0.4 \
+ crate://crates.io/js-sys/0.3.60 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.135 \
+ crate://crates.io/log/0.4.17 \
+ crate://crates.io/memchr/2.5.0 \
+ crate://crates.io/memoffset/0.6.5 \
+ crate://crates.io/num-traits/0.2.15 \
+ crate://crates.io/num_cpus/1.13.1 \
+ crate://crates.io/once_cell/1.15.0 \
+ crate://crates.io/oorandom/11.1.3 \
+ crate://crates.io/plotters/0.2.15 \
+ crate://crates.io/proc-macro-error/1.0.4 \
+ crate://crates.io/proc-macro-error-attr/1.0.4 \
+ crate://crates.io/proc-macro2/1.0.47 \
+ crate://crates.io/quote/1.0.21 \
+ crate://crates.io/rand/0.6.5 \
+ crate://crates.io/rand_chacha/0.1.1 \
+ crate://crates.io/rand_core/0.3.1 \
+ crate://crates.io/rand_core/0.4.2 \
+ crate://crates.io/rand_hc/0.1.0 \
+ crate://crates.io/rand_isaac/0.1.1 \
+ crate://crates.io/rand_jitter/0.1.4 \
+ crate://crates.io/rand_os/0.1.3 \
+ crate://crates.io/rand_pcg/0.1.2 \
+ crate://crates.io/rand_xorshift/0.1.1 \
+ crate://crates.io/rayon/1.5.3 \
+ crate://crates.io/rayon-core/1.9.3 \
+ crate://crates.io/rdrand/0.4.0 \
+ crate://crates.io/regex/1.6.0 \
+ crate://crates.io/regex-automata/0.1.10 \
+ crate://crates.io/regex-syntax/0.6.27 \
+ crate://crates.io/rustc_version/0.4.0 \
+ crate://crates.io/ryu/1.0.11 \
+ crate://crates.io/same-file/1.0.6 \
+ crate://crates.io/scopeguard/1.1.0 \
+ crate://crates.io/semver/1.0.14 \
+ crate://crates.io/serde/1.0.146 \
+ crate://crates.io/serde_derive/1.0.146 \
+ crate://crates.io/serde_json/1.0.87 \
+ crate://crates.io/strsim/0.8.0 \
+ crate://crates.io/structopt/0.3.26 \
+ crate://crates.io/structopt-derive/0.4.18 \
+ crate://crates.io/syn/1.0.103 \
+ crate://crates.io/textwrap/0.11.0 \
+ crate://crates.io/tinytemplate/1.2.1 \
+ crate://crates.io/unicode-ident/1.0.5 \
+ crate://crates.io/unicode-segmentation/1.10.0 \
+ crate://crates.io/unicode-width/0.1.10 \
+ crate://crates.io/vec_map/0.8.2 \
+ crate://crates.io/version_check/0.9.4 \
+ crate://crates.io/walkdir/2.3.2 \
+ crate://crates.io/wasm-bindgen/0.2.83 \
+ crate://crates.io/wasm-bindgen-backend/0.2.83 \
+ crate://crates.io/wasm-bindgen-macro/0.2.83 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.83 \
+ crate://crates.io/wasm-bindgen-shared/0.2.83 \
+ crate://crates.io/web-sys/0.3.60 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-util/0.1.5 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+"
+
+SRC_URI[ansi_term-0.12.1.sha256sum] = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
+SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+SRC_URI[autocfg-0.1.8.sha256sum] = "0dde43e75fd43e8a1bf86103336bc699aa8d17ad1be60c76c0bdfd4828e19b78"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+SRC_URI[bstr-0.2.17.sha256sum] = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223"
+SRC_URI[bumpalo-3.11.1.sha256sum] = "572f695136211188308f16ad2ca5c851a712c464060ae6974944458eb83880ba"
+SRC_URI[cast-0.2.7.sha256sum] = "4c24dab4283a142afa2fdca129b80ad2c6284e073930f964c3a1293c225ee39a"
+SRC_URI[cast-0.3.0.sha256sum] = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[clap-2.34.0.sha256sum] = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
+SRC_URI[cloudabi-0.0.3.sha256sum] = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f"
+SRC_URI[criterion-0.3.2.sha256sum] = "63f696897c88b57f4ffe3c69d8e1a0613c7d0e6c4833363c8560fbde9c47b966"
+SRC_URI[criterion-plot-0.4.5.sha256sum] = "2673cc8207403546f45f5fd319a974b1e6983ad1a3ee7e6041650013be041876"
+SRC_URI[crossbeam-channel-0.5.6.sha256sum] = "c2dd04ddaf88237dc3b8d8f9a3c1004b506b54b3313403944054d23c0870c521"
+SRC_URI[crossbeam-deque-0.8.2.sha256sum] = "715e8152b692bba2d374b53d4875445368fdf21a94751410af607a5ac677d1fc"
+SRC_URI[crossbeam-epoch-0.9.11.sha256sum] = "f916dfc5d356b0ed9dae65f1db9fc9770aa2851d2662b988ccf4fe3516e86348"
+SRC_URI[crossbeam-utils-0.8.12.sha256sum] = "edbafec5fa1f196ca66527c1b12c2ec4745ca14b50f1ad8f9f6f720b55d11fac"
+SRC_URI[csv-1.1.6.sha256sum] = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
+SRC_URI[csv-core-0.1.10.sha256sum] = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90"
+SRC_URI[either-1.8.0.sha256sum] = "90e5c1c8368803113bf0c9584fc495a58b86dc8a29edbf8fe877d21d9507e797"
+SRC_URI[fuchsia-cprng-0.1.1.sha256sum] = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba"
+SRC_URI[heck-0.3.3.sha256sum] = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
+SRC_URI[hermit-abi-0.1.19.sha256sum] = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+SRC_URI[itertools-0.9.0.sha256sum] = "284f18f85651fe11e8a991b2adb42cb078325c996ed026d994719efcfca1d54b"
+SRC_URI[itertools-0.10.5.sha256sum] = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+SRC_URI[itoa-0.4.8.sha256sum] = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
+SRC_URI[itoa-1.0.4.sha256sum] = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc"
+SRC_URI[js-sys-0.3.60.sha256sum] = "49409df3e3bf0856b916e2ceaca09ee28e6871cf7d9ce97a692cacfdb2a25a47"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.135.sha256sum] = "68783febc7782c6c5cb401fbda4de5a9898be1762314da0bb2c10ced61f18b0c"
+SRC_URI[log-0.4.17.sha256sum] = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
+SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+SRC_URI[memoffset-0.6.5.sha256sum] = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
+SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+SRC_URI[num_cpus-1.13.1.sha256sum] = "19e64526ebdee182341572e50e9ad03965aa510cd94427a4549448f285e957a1"
+SRC_URI[once_cell-1.15.0.sha256sum] = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1"
+SRC_URI[oorandom-11.1.3.sha256sum] = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575"
+SRC_URI[plotters-0.2.15.sha256sum] = "0d1685fbe7beba33de0330629da9d955ac75bd54f33d7b79f9a895590124f6bb"
+SRC_URI[proc-macro-error-1.0.4.sha256sum] = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+SRC_URI[proc-macro-error-attr-1.0.4.sha256sum] = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+SRC_URI[proc-macro2-1.0.47.sha256sum] = "5ea3d908b0e36316caf9e9e2c4625cdde190a7e6f440d794667ed17a1855e725"
+SRC_URI[quote-1.0.21.sha256sum] = "bbe448f377a7d6961e30f5955f9b8d106c3f5e449d493ee1b125c1d43c2b5179"
+SRC_URI[rand-0.6.5.sha256sum] = "6d71dacdc3c88c1fde3885a3be3fbab9f35724e6ce99467f7d9c5026132184ca"
+SRC_URI[rand_chacha-0.1.1.sha256sum] = "556d3a1ca6600bfcbab7c7c91ccb085ac7fbbcd70e008a98742e7847f4f7bcef"
+SRC_URI[rand_core-0.3.1.sha256sum] = "7a6fdeb83b075e8266dcc8762c22776f6877a63111121f5f8c7411e5be7eed4b"
+SRC_URI[rand_core-0.4.2.sha256sum] = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc"
+SRC_URI[rand_hc-0.1.0.sha256sum] = "7b40677c7be09ae76218dc623efbf7b18e34bced3f38883af07bb75630a21bc4"
+SRC_URI[rand_isaac-0.1.1.sha256sum] = "ded997c9d5f13925be2a6fd7e66bf1872597f759fd9dd93513dd7e92e5a5ee08"
+SRC_URI[rand_jitter-0.1.4.sha256sum] = "1166d5c91dc97b88d1decc3285bb0a99ed84b05cfd0bc2341bdf2d43fc41e39b"
+SRC_URI[rand_os-0.1.3.sha256sum] = "7b75f676a1e053fc562eafbb47838d67c84801e38fc1ba459e8f180deabd5071"
+SRC_URI[rand_pcg-0.1.2.sha256sum] = "abf9b09b01790cfe0364f52bf32995ea3c39f4d2dd011eac241d2914146d0b44"
+SRC_URI[rand_xorshift-0.1.1.sha256sum] = "cbf7e9e623549b0e21f6e97cf8ecf247c1a8fd2e8a992ae265314300b2455d5c"
+SRC_URI[rayon-1.5.3.sha256sum] = "bd99e5772ead8baa5215278c9b15bf92087709e9c1b2d1f97cdb5a183c933a7d"
+SRC_URI[rayon-core-1.9.3.sha256sum] = "258bcdb5ac6dad48491bb2992db6b7cf74878b0384908af124823d118c99683f"
+SRC_URI[rdrand-0.4.0.sha256sum] = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2"
+SRC_URI[regex-1.6.0.sha256sum] = "4c4eb3267174b8c6c2f654116623910a0fef09c4753f8dd83db29c48a0df988b"
+SRC_URI[regex-automata-0.1.10.sha256sum] = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+SRC_URI[regex-syntax-0.6.27.sha256sum] = "a3f87b73ce11b1619a3c6332f45341e0047173771e8b8b73f87bfeefb7b56244"
+SRC_URI[rustc_version-0.4.0.sha256sum] = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+SRC_URI[ryu-1.0.11.sha256sum] = "4501abdff3ae82a1c1b477a17252eb69cee9e66eb915c1abaa4f44d873df9f09"
+SRC_URI[same-file-1.0.6.sha256sum] = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+SRC_URI[scopeguard-1.1.0.sha256sum] = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
+SRC_URI[semver-1.0.14.sha256sum] = "e25dfac463d778e353db5be2449d1cce89bd6fd23c9f1ea21310ce6e5a1b29c4"
+SRC_URI[serde-1.0.146.sha256sum] = "6df50b7a60a0ad48e1b42eb38373eac8ff785d619fb14db917b4e63d5439361f"
+SRC_URI[serde_derive-1.0.146.sha256sum] = "a714fd32ba1d66047ce7d53dabd809e9922d538f9047de13cc4cffca47b36205"
+SRC_URI[serde_json-1.0.87.sha256sum] = "6ce777b7b150d76b9cf60d28b55f5847135a003f7d7350c6be7a773508ce7d45"
+SRC_URI[strsim-0.8.0.sha256sum] = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
+SRC_URI[structopt-0.3.26.sha256sum] = "0c6b5c64445ba8094a6ab0c3cd2ad323e07171012d9c98b0b15651daf1787a10"
+SRC_URI[structopt-derive-0.4.18.sha256sum] = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0"
+SRC_URI[syn-1.0.103.sha256sum] = "a864042229133ada95abf3b54fdc62ef5ccabe9515b64717bcb9a1919e59445d"
+SRC_URI[textwrap-0.11.0.sha256sum] = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+SRC_URI[tinytemplate-1.2.1.sha256sum] = "be4d6b5f19ff7664e8c98d03e2139cb510db9b0a60b55f8e8709b689d939b6bc"
+SRC_URI[unicode-ident-1.0.5.sha256sum] = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3"
+SRC_URI[unicode-segmentation-1.10.0.sha256sum] = "0fdbf052a0783de01e944a6ce7a8cb939e295b1e7be835a1112c3b9a7f047a5a"
+SRC_URI[unicode-width-0.1.10.sha256sum] = "c0edd1e5b14653f783770bce4a4dabb4a5108a5370a5f5d8cfe8710c361f6c8b"
+SRC_URI[vec_map-0.8.2.sha256sum] = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[walkdir-2.3.2.sha256sum] = "808cf2735cd4b6866113f648b791c6adc5714537bc222d9347bb203386ffda56"
+SRC_URI[wasm-bindgen-0.2.83.sha256sum] = "eaf9f5aceeec8be17c128b2e93e031fb8a4d469bb9c4ae2d7dc1888b26887268"
+SRC_URI[wasm-bindgen-backend-0.2.83.sha256sum] = "4c8ffb332579b0557b52d268b91feab8df3615f265d5270fec2a8c95b17c1142"
+SRC_URI[wasm-bindgen-macro-0.2.83.sha256sum] = "052be0f94026e6cbc75cdefc9bae13fd6052cdcaf532fa6c45e7ae33a1e6c810"
+SRC_URI[wasm-bindgen-macro-support-0.2.83.sha256sum] = "07bc0c051dc5f23e307b13285f9d75df86bfdf816c5721e573dec1f9b8aa193c"
+SRC_URI[wasm-bindgen-shared-0.2.83.sha256sum] = "1c38c045535d93ec4f0b4defec448e4291638ee608530863b1e2ba115d4fff7f"
+SRC_URI[web-sys-0.3.60.sha256sum] = "bcda906d8be16e728fd5adc5b729afad4e444e106ab28cd1c7256e54fa61510f"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+# from rust/vendor/displaydoc/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/ansi_term/0.11.0 \
+ crate://crates.io/basic-toml/0.1.2 \
+ crate://crates.io/ctor/0.1.26 \
+ crate://crates.io/difference/2.0.0 \
+ crate://crates.io/glob/0.3.1 \
+ crate://crates.io/itoa/1.0.6 \
+ crate://crates.io/libc/0.2.142 \
+ crate://crates.io/once_cell/1.17.1 \
+ crate://crates.io/output_vt100/0.1.3 \
+ crate://crates.io/pretty_assertions/0.6.1 \
+ crate://crates.io/proc-macro2/1.0.56 \
+ crate://crates.io/quote/1.0.26 \
+ crate://crates.io/rustversion/1.0.12 \
+ crate://crates.io/ryu/1.0.13 \
+ crate://crates.io/serde/1.0.160 \
+ crate://crates.io/serde_derive/1.0.160 \
+ crate://crates.io/serde_json/1.0.96 \
+ crate://crates.io/static_assertions/1.1.0 \
+ crate://crates.io/syn/1.0.109 \
+ crate://crates.io/syn/2.0.15 \
+ crate://crates.io/termcolor/1.2.0 \
+ crate://crates.io/thiserror/1.0.40 \
+ crate://crates.io/thiserror-impl/1.0.40 \
+ crate://crates.io/trybuild/1.0.80 \
+ crate://crates.io/unicode-ident/1.0.8 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-util/0.1.5 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+"
+
+SRC_URI[ansi_term-0.11.0.sha256sum] = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+SRC_URI[basic-toml-0.1.2.sha256sum] = "5c0de75129aa8d0cceaf750b89013f0e08804d6ec61416da787b35ad0d7cddf1"
+SRC_URI[ctor-0.1.26.sha256sum] = "6d2301688392eb071b0bf1a37be05c469d3cc4dbbd95df672fe28ab021e6a096"
+SRC_URI[difference-2.0.0.sha256sum] = "524cbf6897b527295dff137cec09ecf3a05f4fddffd7dfcd1585403449e74198"
+SRC_URI[glob-0.3.1.sha256sum] = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+SRC_URI[itoa-1.0.6.sha256sum] = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6"
+SRC_URI[libc-0.2.142.sha256sum] = "6a987beff54b60ffa6d51982e1aa1146bc42f19bd26be28b0586f252fccf5317"
+SRC_URI[once_cell-1.17.1.sha256sum] = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3"
+SRC_URI[output_vt100-0.1.3.sha256sum] = "628223faebab4e3e40667ee0b2336d34a5b960ff60ea743ddfdbcf7770bcfb66"
+SRC_URI[pretty_assertions-0.6.1.sha256sum] = "3f81e1644e1b54f5a68959a29aa86cde704219254669da328ecfdf6a1f09d427"
+SRC_URI[proc-macro2-1.0.56.sha256sum] = "2b63bdb0cd06f1f4dedf69b254734f9b45af66e4a031e42a7480257d9898b435"
+SRC_URI[quote-1.0.26.sha256sum] = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc"
+SRC_URI[rustversion-1.0.12.sha256sum] = "4f3208ce4d8448b3f3e7d168a73f5e0c43a61e32930de3bceeccedb388b6bf06"
+SRC_URI[ryu-1.0.13.sha256sum] = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041"
+SRC_URI[serde-1.0.160.sha256sum] = "bb2f3770c8bce3bcda7e149193a069a0f4365bda1fa5cd88e03bca26afc1216c"
+SRC_URI[serde_derive-1.0.160.sha256sum] = "291a097c63d8497e00160b166a967a4a79c64f3facdd01cbd7502231688d77df"
+SRC_URI[serde_json-1.0.96.sha256sum] = "057d394a50403bcac12672b2b18fb387ab6d289d957dab67dd201875391e52f1"
+SRC_URI[static_assertions-1.1.0.sha256sum] = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
+SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+SRC_URI[syn-2.0.15.sha256sum] = "a34fcf3e8b60f57e6a14301a2e916d323af98b0ea63c599441eec8558660c822"
+SRC_URI[termcolor-1.2.0.sha256sum] = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6"
+SRC_URI[thiserror-1.0.40.sha256sum] = "978c9a314bd8dc99be594bc3c175faaa9794be04a5a5e153caba6915336cebac"
+SRC_URI[thiserror-impl-1.0.40.sha256sum] = "f9456a42c5b0d803c8cd86e73dd7cc9edd429499f37a3550d286d5e86720569f"
+SRC_URI[trybuild-1.0.80.sha256sum] = "501dbdbb99861e4ab6b60eb6a7493956a9defb644fd034bc4a5ef27c693c8a3a"
+SRC_URI[unicode-ident-1.0.8.sha256sum] = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+# from rust/vendor/asn1-rs/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/asn1-rs/0.5.1 \
+ crate://crates.io/asn1-rs-derive/0.4.0 \
+ crate://crates.io/asn1-rs-impl/0.1.0 \
+ crate://crates.io/atty/0.2.14 \
+ crate://crates.io/autocfg/1.1.0 \
+ crate://crates.io/base64/0.13.1 \
+ crate://crates.io/basic-toml/0.1.2 \
+ crate://crates.io/bitvec/1.0.1 \
+ crate://crates.io/colored/2.0.0 \
+ crate://crates.io/cookie-factory/0.3.2 \
+ crate://crates.io/displaydoc/0.2.3 \
+ crate://crates.io/funty/2.0.0 \
+ crate://crates.io/glob/0.3.1 \
+ crate://crates.io/hermit-abi/0.1.19 \
+ crate://crates.io/hex-literal/0.3.4 \
+ crate://crates.io/itoa/1.0.6 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.139 \
+ crate://crates.io/memchr/2.5.0 \
+ crate://crates.io/minimal-lexical/0.2.1 \
+ crate://crates.io/nom/7.1.3 \
+ crate://crates.io/num-bigint/0.4.3 \
+ crate://crates.io/num-integer/0.1.45 \
+ crate://crates.io/num-traits/0.2.15 \
+ crate://crates.io/oid-registry/0.6.1 \
+ crate://crates.io/once_cell/1.17.1 \
+ crate://crates.io/pem/1.1.1 \
+ crate://crates.io/proc-macro2/1.0.51 \
+ crate://crates.io/quote/1.0.23 \
+ crate://crates.io/radium/0.7.0 \
+ crate://crates.io/rusticata-macros/4.1.0 \
+ crate://crates.io/ryu/1.0.13 \
+ crate://crates.io/serde/1.0.152 \
+ crate://crates.io/serde_derive/1.0.152 \
+ crate://crates.io/serde_json/1.0.94 \
+ crate://crates.io/syn/1.0.109 \
+ crate://crates.io/synstructure/0.12.6 \
+ crate://crates.io/tap/1.0.1 \
+ crate://crates.io/termcolor/1.2.0 \
+ crate://crates.io/thiserror/1.0.39 \
+ crate://crates.io/thiserror-impl/1.0.39 \
+ crate://crates.io/time/0.3.20 \
+ crate://crates.io/time-core/0.1.0 \
+ crate://crates.io/time-macros/0.2.8 \
+ crate://crates.io/trybuild/1.0.79 \
+ crate://crates.io/unicode-ident/1.0.8 \
+ crate://crates.io/unicode-xid/0.2.4 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-util/0.1.5 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+ crate://crates.io/wyz/0.5.1 \
+"
+
+SRC_URI[asn1-rs-0.5.1.sha256sum] = "cf6690c370453db30743b373a60ba498fc0d6d83b11f4abfd87a84a075db5dd4"
+SRC_URI[asn1-rs-derive-0.4.0.sha256sum] = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c"
+SRC_URI[asn1-rs-impl-0.1.0.sha256sum] = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[base64-0.13.1.sha256sum] = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+SRC_URI[basic-toml-0.1.2.sha256sum] = "5c0de75129aa8d0cceaf750b89013f0e08804d6ec61416da787b35ad0d7cddf1"
+SRC_URI[bitvec-1.0.1.sha256sum] = "1bc2832c24239b0141d5674bb9174f9d68a8b5b3f2753311927c172ca46f7e9c"
+SRC_URI[colored-2.0.0.sha256sum] = "b3616f750b84d8f0de8a58bda93e08e2a81ad3f523089b05f1dffecab48c6cbd"
+SRC_URI[cookie-factory-0.3.2.sha256sum] = "396de984970346b0d9e93d1415082923c679e5ae5c3ee3dcbd104f5610af126b"
+SRC_URI[displaydoc-0.2.3.sha256sum] = "3bf95dc3f046b9da4f2d51833c0d3547d8564ef6910f5c1ed130306a75b92886"
+SRC_URI[funty-2.0.0.sha256sum] = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
+SRC_URI[glob-0.3.1.sha256sum] = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+SRC_URI[hermit-abi-0.1.19.sha256sum] = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+SRC_URI[hex-literal-0.3.4.sha256sum] = "7ebdb29d2ea9ed0083cd8cece49bbd968021bd99b0849edb4a9a7ee0fdf6a4e0"
+SRC_URI[itoa-1.0.6.sha256sum] = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.139.sha256sum] = "201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79"
+SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+SRC_URI[nom-7.1.3.sha256sum] = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+SRC_URI[oid-registry-0.6.1.sha256sum] = "9bedf36ffb6ba96c2eb7144ef6270557b52e54b20c0a8e1eb2ff99a6c6959bff"
+SRC_URI[once_cell-1.17.1.sha256sum] = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3"
+SRC_URI[pem-1.1.1.sha256sum] = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8"
+SRC_URI[proc-macro2-1.0.51.sha256sum] = "5d727cae5b39d21da60fa540906919ad737832fe0b1c165da3a34d6548c849d6"
+SRC_URI[quote-1.0.23.sha256sum] = "8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b"
+SRC_URI[radium-0.7.0.sha256sum] = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
+SRC_URI[rusticata-macros-4.1.0.sha256sum] = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+SRC_URI[ryu-1.0.13.sha256sum] = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041"
+SRC_URI[serde-1.0.152.sha256sum] = "bb7d1f0d3021d347a83e556fc4683dea2ea09d87bccdf88ff5c12545d89d5efb"
+SRC_URI[serde_derive-1.0.152.sha256sum] = "af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e"
+SRC_URI[serde_json-1.0.94.sha256sum] = "1c533a59c9d8a93a09c6ab31f0fd5e5f4dd1b8fc9434804029839884765d04ea"
+SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+SRC_URI[synstructure-0.12.6.sha256sum] = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+SRC_URI[tap-1.0.1.sha256sum] = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
+SRC_URI[termcolor-1.2.0.sha256sum] = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6"
+SRC_URI[thiserror-1.0.39.sha256sum] = "a5ab016db510546d856297882807df8da66a16fb8c4101cb8b30054b0d5b2d9c"
+SRC_URI[thiserror-impl-1.0.39.sha256sum] = "5420d42e90af0c38c3290abcca25b9b3bdf379fc9f55c528f53a269d9c9a267e"
+SRC_URI[time-0.3.20.sha256sum] = "cd0cbfecb4d19b5ea75bb31ad904eb5b9fa13f21079c3b92017ebdf4999a5890"
+SRC_URI[time-core-0.1.0.sha256sum] = "2e153e1f1acaef8acc537e68b44906d2db6436e2b35ac2c6b42640fff91f00fd"
+SRC_URI[time-macros-0.2.8.sha256sum] = "fd80a657e71da814b8e5d60d3374fc6d35045062245d80224748ae522dd76f36"
+SRC_URI[trybuild-1.0.79.sha256sum] = "db3115bddce1b5f52dd4b5e0ec8298a66ce733e4cc6759247dc2d1c11508ec38"
+SRC_URI[unicode-ident-1.0.8.sha256sum] = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4"
+SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+SRC_URI[wyz-0.5.1.sha256sum] = "05f360fc0b24296329c78fda852a1e9ae82de9cf7b27dae4b7f62f118f77b9ed"
+# from rust/vendor/flate2/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/adler/1.0.2 \
+ crate://crates.io/cc/1.0.73 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/cloudflare-zlib-sys/0.3.0 \
+ crate://crates.io/cmake/0.1.48 \
+ crate://crates.io/crc32fast/1.3.2 \
+ crate://crates.io/getrandom/0.2.6 \
+ crate://crates.io/libc/0.2.124 \
+ crate://crates.io/libz-ng-sys/1.1.8 \
+ crate://crates.io/libz-sys/1.1.8 \
+ crate://crates.io/miniz_oxide/0.7.1 \
+ crate://crates.io/pkg-config/0.3.25 \
+ crate://crates.io/ppv-lite86/0.2.16 \
+ crate://crates.io/quickcheck/1.0.3 \
+ crate://crates.io/rand/0.8.5 \
+ crate://crates.io/rand_chacha/0.3.1 \
+ crate://crates.io/rand_core/0.6.3 \
+ crate://crates.io/vcpkg/0.2.15 \
+ crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \
+"
+
+SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+SRC_URI[cc-1.0.73.sha256sum] = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[cloudflare-zlib-sys-0.3.0.sha256sum] = "2040b6d1edfee6d75f172d81e2d2a7807534f3f294ce18184c70e7bb0105cd6f"
+SRC_URI[cmake-0.1.48.sha256sum] = "e8ad8cef104ac57b68b89df3208164d228503abbdce70f6880ffa3d970e7443a"
+SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+SRC_URI[getrandom-0.2.6.sha256sum] = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad"
+SRC_URI[libc-0.2.124.sha256sum] = "21a41fed9d98f27ab1c6d161da622a4fa35e8a54a8adc24bbf3ddd0ef70b0e50"
+SRC_URI[libz-ng-sys-1.1.8.sha256sum] = "4399ae96a9966bf581e726de86969f803a81b7ce795fcd5480e640589457e0f2"
+SRC_URI[libz-sys-1.1.8.sha256sum] = "9702761c3935f8cc2f101793272e202c72b99da8f4224a19ddcf1279a6450bbf"
+SRC_URI[miniz_oxide-0.7.1.sha256sum] = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7"
+SRC_URI[pkg-config-0.3.25.sha256sum] = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae"
+SRC_URI[ppv-lite86-0.2.16.sha256sum] = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872"
+SRC_URI[quickcheck-1.0.3.sha256sum] = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
+SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
+# from rust/vendor/toml/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/autocfg/1.1.0 \
+ crate://crates.io/hashbrown/0.12.3 \
+ crate://crates.io/indexmap/1.9.2 \
+ crate://crates.io/itoa/1.0.5 \
+ crate://crates.io/proc-macro2/1.0.50 \
+ crate://crates.io/quote/1.0.23 \
+ crate://crates.io/ryu/1.0.12 \
+ crate://crates.io/serde/1.0.152 \
+ crate://crates.io/serde_derive/1.0.152 \
+ crate://crates.io/serde_json/1.0.91 \
+ crate://crates.io/syn/1.0.107 \
+ crate://crates.io/unicode-ident/1.0.6 \
+"
+
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[hashbrown-0.12.3.sha256sum] = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+SRC_URI[indexmap-1.9.2.sha256sum] = "1885e79c1fc4b10f0e172c475f458b7f7b93061064d98c3293e98c5ba0c8b399"
+SRC_URI[itoa-1.0.5.sha256sum] = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440"
+SRC_URI[proc-macro2-1.0.50.sha256sum] = "6ef7d57beacfaf2d8aee5937dab7b7f28de3cb8b1828479bb5de2a7106f2bae2"
+SRC_URI[quote-1.0.23.sha256sum] = "8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b"
+SRC_URI[ryu-1.0.12.sha256sum] = "7b4b9743ed687d4b4bcedf9ff5eaa7398495ae14e61cba0a295704edbc7decde"
+SRC_URI[serde-1.0.152.sha256sum] = "bb7d1f0d3021d347a83e556fc4683dea2ea09d87bccdf88ff5c12545d89d5efb"
+SRC_URI[serde_derive-1.0.152.sha256sum] = "af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e"
+SRC_URI[serde_json-1.0.91.sha256sum] = "877c235533714907a8c2464236f5c4b2a17262ef1bd71f38f35ea592c8da6883"
+SRC_URI[syn-1.0.107.sha256sum] = "1f4064b5b16e03ae50984a5a8ed5d4f8803e6bc1fd170a3cda91a1be4b18e3f5"
+SRC_URI[unicode-ident-1.0.6.sha256sum] = "84a22b9f218b40614adcb3f4ff08b703773ad44fa9423e4e0d346d5db86e4ebc"
+# from rust/vendor/nom/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/autocfg/1.0.1 \
+ crate://crates.io/bit-set/0.5.2 \
+ crate://crates.io/bit-vec/0.6.3 \
+ crate://crates.io/bitflags/1.3.2 \
+ crate://crates.io/byteorder/1.4.3 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/doc-comment/0.3.3 \
+ crate://crates.io/fnv/1.0.7 \
+ crate://crates.io/getrandom/0.2.3 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.106 \
+ crate://crates.io/memchr/2.4.1 \
+ crate://crates.io/minimal-lexical/0.2.1 \
+ crate://crates.io/num-traits/0.2.14 \
+ crate://crates.io/ppv-lite86/0.2.15 \
+ crate://crates.io/proptest/1.0.0 \
+ crate://crates.io/quick-error/1.2.3 \
+ crate://crates.io/quick-error/2.0.1 \
+ crate://crates.io/rand/0.8.4 \
+ crate://crates.io/rand_chacha/0.3.1 \
+ crate://crates.io/rand_core/0.6.3 \
+ crate://crates.io/rand_hc/0.3.1 \
+ crate://crates.io/rand_xorshift/0.3.0 \
+ crate://crates.io/redox_syscall/0.2.10 \
+ crate://crates.io/regex-syntax/0.6.25 \
+ crate://crates.io/remove_dir_all/0.5.3 \
+ crate://crates.io/rusty-fork/0.3.0 \
+ crate://crates.io/tempfile/3.2.0 \
+ crate://crates.io/wait-timeout/0.2.0 \
+ crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+"
+
+SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
+SRC_URI[bit-set-0.5.2.sha256sum] = "6e11e16035ea35e4e5997b393eacbf6f63983188f7a2ad25bfb13465f5ad59de"
+SRC_URI[bit-vec-0.6.3.sha256sum] = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
+SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+SRC_URI[byteorder-1.4.3.sha256sum] = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[doc-comment-0.3.3.sha256sum] = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10"
+SRC_URI[fnv-1.0.7.sha256sum] = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+SRC_URI[getrandom-0.2.3.sha256sum] = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.106.sha256sum] = "a60553f9a9e039a333b4e9b20573b9e9b9c0bb3a11e201ccc48ef4283456d673"
+SRC_URI[memchr-2.4.1.sha256sum] = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
+SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+SRC_URI[num-traits-0.2.14.sha256sum] = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
+SRC_URI[ppv-lite86-0.2.15.sha256sum] = "ed0cfbc8191465bed66e1718596ee0b0b35d5ee1f41c5df2189d0fe8bde535ba"
+SRC_URI[proptest-1.0.0.sha256sum] = "1e0d9cc07f18492d879586c92b485def06bc850da3118075cd45d50e9c95b0e5"
+SRC_URI[quick-error-1.2.3.sha256sum] = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
+SRC_URI[quick-error-2.0.1.sha256sum] = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3"
+SRC_URI[rand-0.8.4.sha256sum] = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
+SRC_URI[rand_hc-0.3.1.sha256sum] = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7"
+SRC_URI[rand_xorshift-0.3.0.sha256sum] = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f"
+SRC_URI[redox_syscall-0.2.10.sha256sum] = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff"
+SRC_URI[regex-syntax-0.6.25.sha256sum] = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
+SRC_URI[remove_dir_all-0.5.3.sha256sum] = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
+SRC_URI[rusty-fork-0.3.0.sha256sum] = "cb3dcc6e454c328bb824492db107ab7c0ae8fcffe4ad210136ef014458c1bc4f"
+SRC_URI[tempfile-3.2.0.sha256sum] = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22"
+SRC_URI[wait-timeout-0.2.0.sha256sum] = "9f200f5b12eb75f8c1ed65abd4b2db8a6e1b138a20de009dacee265a2498f3f6"
+SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+# from rust/vendor/brotli/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/alloc-no-stdlib/2.0.3 \
+ crate://crates.io/alloc-stdlib/0.2.1 \
+ crate://crates.io/block-buffer/0.7.3 \
+ crate://crates.io/block-padding/0.1.5 \
+ crate://crates.io/brotli-decompressor/2.3.2 \
+ crate://crates.io/byte-tools/0.3.1 \
+ crate://crates.io/byteorder/1.4.3 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/digest/0.8.1 \
+ crate://crates.io/fake-simd/0.1.2 \
+ crate://crates.io/generic-array/0.12.4 \
+ crate://crates.io/libm/0.1.4 \
+ crate://crates.io/opaque-debug/0.2.3 \
+ crate://crates.io/packed_simd_2/0.3.7 \
+ crate://crates.io/sha2/0.8.2 \
+ crate://crates.io/typenum/1.15.0 \
+"
+
+SRC_URI[alloc-no-stdlib-2.0.3.sha256sum] = "35ef4730490ad1c4eae5c4325b2a95f521d023e5c885853ff7aca0a6a1631db3"
+SRC_URI[alloc-stdlib-0.2.1.sha256sum] = "697ed7edc0f1711de49ce108c541623a0af97c6c60b2f6e2b65229847ac843c2"
+SRC_URI[block-buffer-0.7.3.sha256sum] = "c0940dc441f31689269e10ac70eb1002a3a1d3ad1390e030043662eb7fe4688b"
+SRC_URI[block-padding-0.1.5.sha256sum] = "fa79dedbb091f449f1f39e53edf88d5dbe95f895dae6135a8d7b881fb5af73f5"
+SRC_URI[brotli-decompressor-2.3.2.sha256sum] = "59ad2d4653bf5ca36ae797b1f4bb4dbddb60ce49ca4aed8a2ce4829f60425b80"
+SRC_URI[byte-tools-0.3.1.sha256sum] = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7"
+SRC_URI[byteorder-1.4.3.sha256sum] = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[digest-0.8.1.sha256sum] = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5"
+SRC_URI[fake-simd-0.1.2.sha256sum] = "e88a8acf291dafb59c2d96e8f59828f3838bb1a70398823ade51a84de6a6deed"
+SRC_URI[generic-array-0.12.4.sha256sum] = "ffdf9f34f1447443d37393cc6c2b8313aebddcd96906caf34e54c68d8e57d7bd"
+SRC_URI[libm-0.1.4.sha256sum] = "7fc7aa29613bd6a620df431842069224d8bc9011086b1db4c0e0cd47fa03ec9a"
+SRC_URI[opaque-debug-0.2.3.sha256sum] = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c"
+SRC_URI[packed_simd_2-0.3.7.sha256sum] = "defdcfef86dcc44ad208f71d9ff4ce28df6537a4e0d6b0e8e845cb8ca10059a6"
+SRC_URI[sha2-0.8.2.sha256sum] = "a256f46ea78a0c0d9ff00077504903ac881a1dafdc20da66545699e7776b3e69"
+SRC_URI[typenum-1.15.0.sha256sum] = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987"
+# from rust/vendor/failure/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/backtrace/0.3.46 \
+ crate://crates.io/backtrace-sys/0.1.37 \
+ crate://crates.io/cc/1.0.52 \
+ crate://crates.io/cfg-if/0.1.10 \
+ crate://crates.io/failure_derive/0.1.7 \
+ crate://crates.io/libc/0.2.69 \
+ crate://crates.io/proc-macro2/1.0.12 \
+ crate://crates.io/quote/1.0.4 \
+ crate://crates.io/rustc-demangle/0.1.16 \
+ crate://crates.io/syn/1.0.18 \
+ crate://crates.io/synstructure/0.12.3 \
+ crate://crates.io/unicode-xid/0.2.0 \
+"
+
+SRC_URI[backtrace-0.3.46.sha256sum] = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e"
+SRC_URI[backtrace-sys-0.1.37.sha256sum] = "18fbebbe1c9d1f383a9cc7e8ccdb471b91c8d024ee9c2ca5b5346121fe8b4399"
+SRC_URI[cc-1.0.52.sha256sum] = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
+SRC_URI[cfg-if-0.1.10.sha256sum] = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
+SRC_URI[failure_derive-0.1.7.sha256sum] = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
+SRC_URI[libc-0.2.69.sha256sum] = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
+SRC_URI[proc-macro2-1.0.12.sha256sum] = "8872cf6f48eee44265156c111456a700ab3483686b3f96df4cf5481c89157319"
+SRC_URI[quote-1.0.4.sha256sum] = "4c1f4b0efa5fc5e8ceb705136bfee52cfdb6a4e3509f770b478cd6ed434232a7"
+SRC_URI[rustc-demangle-0.1.16.sha256sum] = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783"
+SRC_URI[syn-1.0.18.sha256sum] = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
+SRC_URI[synstructure-0.12.3.sha256sum] = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
+SRC_URI[unicode-xid-0.2.0.sha256sum] = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
+# from rust/vendor/alloc-stdlib/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/alloc-no-stdlib/2.0.4 \
+"
+
+SRC_URI[alloc-no-stdlib-2.0.4.sha256sum] = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3"
+# from rust/vendor/bendy/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/addr2line/0.14.0 \
+ crate://crates.io/adler/0.2.3 \
+ crate://crates.io/aho-corasick/0.7.15 \
+ crate://crates.io/autocfg/1.0.1 \
+ crate://crates.io/backtrace/0.3.54 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/failure/0.1.8 \
+ crate://crates.io/failure_derive/0.1.8 \
+ crate://crates.io/gimli/0.23.0 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.80 \
+ crate://crates.io/memchr/2.3.4 \
+ crate://crates.io/miniz_oxide/0.4.3 \
+ crate://crates.io/object/0.22.0 \
+ crate://crates.io/proc-macro2/1.0.24 \
+ crate://crates.io/quote/1.0.7 \
+ crate://crates.io/regex/1.4.2 \
+ crate://crates.io/regex-syntax/0.6.21 \
+ crate://crates.io/rustc-demangle/0.1.18 \
+ crate://crates.io/serde/1.0.117 \
+ crate://crates.io/serde_bytes/0.11.5 \
+ crate://crates.io/serde_derive/1.0.117 \
+ crate://crates.io/syn/1.0.48 \
+ crate://crates.io/synstructure/0.12.4 \
+ crate://crates.io/thread_local/1.0.1 \
+ crate://crates.io/unicode-xid/0.2.1 \
+"
+
+SRC_URI[addr2line-0.14.0.sha256sum] = "7c0929d69e78dd9bf5408269919fcbcaeb2e35e5d43e5815517cdc6a8e11a423"
+SRC_URI[adler-0.2.3.sha256sum] = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
+SRC_URI[aho-corasick-0.7.15.sha256sum] = "7404febffaa47dac81aa44dba71523c9d069b1bdc50a77db41195149e17f68e5"
+SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
+SRC_URI[backtrace-0.3.54.sha256sum] = "2baad346b2d4e94a24347adeee9c7a93f412ee94b9cc26e5b59dea23848e9f28"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[failure-0.1.8.sha256sum] = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
+SRC_URI[failure_derive-0.1.8.sha256sum] = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
+SRC_URI[gimli-0.23.0.sha256sum] = "f6503fe142514ca4799d4c26297c4248239fe8838d827db6bd6065c6ed29a6ce"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.80.sha256sum] = "4d58d1b70b004888f764dfbf6a26a3b0342a1632d33968e4a179d8011c760614"
+SRC_URI[memchr-2.3.4.sha256sum] = "0ee1c47aaa256ecabcaea351eae4a9b01ef39ed810004e298d2511ed284b1525"
+SRC_URI[miniz_oxide-0.4.3.sha256sum] = "0f2d26ec3309788e423cfbf68ad1800f061638098d76a83681af979dc4eda19d"
+SRC_URI[object-0.22.0.sha256sum] = "8d3b63360ec3cb337817c2dbd47ab4a0f170d285d8e5a2064600f3def1402397"
+SRC_URI[proc-macro2-1.0.24.sha256sum] = "1e0704ee1a7e00d7bb417d0770ea303c1bccbabf0ef1667dae92b5967f5f8a71"
+SRC_URI[quote-1.0.7.sha256sum] = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
+SRC_URI[regex-1.4.2.sha256sum] = "38cf2c13ed4745de91a5eb834e11c00bcc3709e773173b2ce4c56c9fbde04b9c"
+SRC_URI[regex-syntax-0.6.21.sha256sum] = "3b181ba2dcf07aaccad5448e8ead58db5b742cf85dfe035e2227f137a539a189"
+SRC_URI[rustc-demangle-0.1.18.sha256sum] = "6e3bad0ee36814ca07d7968269dd4b7ec89ec2da10c4bb613928d3077083c232"
+SRC_URI[serde-1.0.117.sha256sum] = "b88fa983de7720629c9387e9f517353ed404164b1e482c970a90c1a4aaf7dc1a"
+SRC_URI[serde_bytes-0.11.5.sha256sum] = "16ae07dd2f88a366f15bd0632ba725227018c69a1c8550a927324f8eb8368bb9"
+SRC_URI[serde_derive-1.0.117.sha256sum] = "cbd1ae72adb44aab48f325a02444a5fc079349a8d804c1fc922aed3f7454c74e"
+SRC_URI[syn-1.0.48.sha256sum] = "cc371affeffc477f42a221a1e4297aedcea33d47d19b61455588bd9d8f6b19ac"
+SRC_URI[synstructure-0.12.4.sha256sum] = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
+SRC_URI[thread_local-1.0.1.sha256sum] = "d40c6d1b69745a6ec6fb1ca717914848da4b44ae29d9b3080cbee91d72a69b14"
+SRC_URI[unicode-xid-0.2.1.sha256sum] = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
+# from rust/vendor/regex/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/aho-corasick/0.7.18 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/getrandom/0.2.6 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.125 \
+ crate://crates.io/memchr/2.5.0 \
+ crate://crates.io/quickcheck/1.0.3 \
+ crate://crates.io/rand/0.8.5 \
+ crate://crates.io/rand_core/0.6.3 \
+ crate://crates.io/regex-syntax/0.6.26 \
+ crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \
+"
+
+SRC_URI[aho-corasick-0.7.18.sha256sum] = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[getrandom-0.2.6.sha256sum] = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.125.sha256sum] = "5916d2ae698f6de9bfb891ad7a8d65c09d232dc58cc4ac433c7da3b2fd84bc2b"
+SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+SRC_URI[quickcheck-1.0.3.sha256sum] = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
+SRC_URI[regex-syntax-0.6.26.sha256sum] = "49b3de9ec5dc0a3417da371aab17d729997c15010e7fd24ff707773a33bddb64"
+SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
+# from rust/vendor/brotli-decompressor/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/alloc-no-stdlib/2.0.4 \
+ crate://crates.io/alloc-stdlib/0.2.2 \
+"
+
+SRC_URI[alloc-no-stdlib-2.0.4.sha256sum] = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3"
+SRC_URI[alloc-stdlib-0.2.2.sha256sum] = "94fb8275041c72129eb51b7d0322c29b8387a0386127718b096429201a5d6ece"
+# from rust/vendor/phf_generator/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/atty/0.2.14 \
+ crate://crates.io/autocfg/1.0.1 \
+ crate://crates.io/bitflags/1.2.1 \
+ crate://crates.io/bstr/0.2.16 \
+ crate://crates.io/bumpalo/3.7.0 \
+ crate://crates.io/cast/0.2.7 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/clap/2.33.3 \
+ crate://crates.io/criterion/0.3.4 \
+ crate://crates.io/criterion-plot/0.4.4 \
+ crate://crates.io/crossbeam-channel/0.5.1 \
+ crate://crates.io/crossbeam-deque/0.8.1 \
+ crate://crates.io/crossbeam-epoch/0.9.5 \
+ crate://crates.io/crossbeam-utils/0.8.5 \
+ crate://crates.io/csv/1.1.6 \
+ crate://crates.io/csv-core/0.1.10 \
+ crate://crates.io/either/1.6.1 \
+ crate://crates.io/getrandom/0.2.3 \
+ crate://crates.io/half/1.7.1 \
+ crate://crates.io/hermit-abi/0.1.19 \
+ crate://crates.io/itertools/0.10.1 \
+ crate://crates.io/itoa/0.4.7 \
+ crate://crates.io/js-sys/0.3.52 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.99 \
+ crate://crates.io/log/0.4.14 \
+ crate://crates.io/memchr/2.4.0 \
+ crate://crates.io/memoffset/0.6.4 \
+ crate://crates.io/num-traits/0.2.14 \
+ crate://crates.io/num_cpus/1.13.0 \
+ crate://crates.io/oorandom/11.1.3 \
+ crate://crates.io/phf_shared/0.10.0 \
+ crate://crates.io/plotters/0.3.1 \
+ crate://crates.io/plotters-backend/0.3.2 \
+ crate://crates.io/plotters-svg/0.3.1 \
+ crate://crates.io/ppv-lite86/0.2.10 \
+ crate://crates.io/proc-macro2/1.0.28 \
+ crate://crates.io/quote/1.0.9 \
+ crate://crates.io/rand/0.8.4 \
+ crate://crates.io/rand_chacha/0.3.1 \
+ crate://crates.io/rand_core/0.6.3 \
+ crate://crates.io/rand_hc/0.3.1 \
+ crate://crates.io/rayon/1.5.1 \
+ crate://crates.io/rayon-core/1.9.1 \
+ crate://crates.io/regex/1.5.4 \
+ crate://crates.io/regex-automata/0.1.10 \
+ crate://crates.io/regex-syntax/0.6.25 \
+ crate://crates.io/rustc_version/0.4.0 \
+ crate://crates.io/ryu/1.0.5 \
+ crate://crates.io/same-file/1.0.6 \
+ crate://crates.io/scopeguard/1.1.0 \
+ crate://crates.io/semver/1.0.4 \
+ crate://crates.io/serde/1.0.127 \
+ crate://crates.io/serde_cbor/0.11.1 \
+ crate://crates.io/serde_derive/1.0.127 \
+ crate://crates.io/serde_json/1.0.66 \
+ crate://crates.io/siphasher/0.3.6 \
+ crate://crates.io/syn/1.0.74 \
+ crate://crates.io/textwrap/0.11.0 \
+ crate://crates.io/tinytemplate/1.2.1 \
+ crate://crates.io/unicode-width/0.1.8 \
+ crate://crates.io/unicode-xid/0.2.2 \
+ crate://crates.io/walkdir/2.3.2 \
+ crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \
+ crate://crates.io/wasm-bindgen/0.2.75 \
+ crate://crates.io/wasm-bindgen-backend/0.2.75 \
+ crate://crates.io/wasm-bindgen-macro/0.2.75 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.75 \
+ crate://crates.io/wasm-bindgen-shared/0.2.75 \
+ crate://crates.io/web-sys/0.3.52 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-util/0.1.5 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+"
+
+SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
+SRC_URI[bitflags-1.2.1.sha256sum] = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
+SRC_URI[bstr-0.2.16.sha256sum] = "90682c8d613ad3373e66de8c6411e0ae2ab2571e879d2efbf73558cc66f21279"
+SRC_URI[bumpalo-3.7.0.sha256sum] = "9c59e7af012c713f529e7a3ee57ce9b31ddd858d4b512923602f74608b009631"
+SRC_URI[cast-0.2.7.sha256sum] = "4c24dab4283a142afa2fdca129b80ad2c6284e073930f964c3a1293c225ee39a"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[clap-2.33.3.sha256sum] = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
+SRC_URI[criterion-0.3.4.sha256sum] = "ab327ed7354547cc2ef43cbe20ef68b988e70b4b593cbd66a2a61733123a3d23"
+SRC_URI[criterion-plot-0.4.4.sha256sum] = "d00996de9f2f7559f7f4dc286073197f83e92256a59ed395f9aac01fe717da57"
+SRC_URI[crossbeam-channel-0.5.1.sha256sum] = "06ed27e177f16d65f0f0c22a213e17c696ace5dd64b14258b52f9417ccb52db4"
+SRC_URI[crossbeam-deque-0.8.1.sha256sum] = "6455c0ca19f0d2fbf751b908d5c55c1f5cbc65e03c4225427254b46890bdde1e"
+SRC_URI[crossbeam-epoch-0.9.5.sha256sum] = "4ec02e091aa634e2c3ada4a392989e7c3116673ef0ac5b72232439094d73b7fd"
+SRC_URI[crossbeam-utils-0.8.5.sha256sum] = "d82cfc11ce7f2c3faef78d8a684447b40d503d9681acebed6cb728d45940c4db"
+SRC_URI[csv-1.1.6.sha256sum] = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
+SRC_URI[csv-core-0.1.10.sha256sum] = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90"
+SRC_URI[either-1.6.1.sha256sum] = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
+SRC_URI[getrandom-0.2.3.sha256sum] = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
+SRC_URI[half-1.7.1.sha256sum] = "62aca2aba2d62b4a7f5b33f3712cb1b0692779a56fb510499d5c0aa594daeaf3"
+SRC_URI[hermit-abi-0.1.19.sha256sum] = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+SRC_URI[itertools-0.10.1.sha256sum] = "69ddb889f9d0d08a67338271fa9b62996bc788c7796a5c18cf057420aaed5eaf"
+SRC_URI[itoa-0.4.7.sha256sum] = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736"
+SRC_URI[js-sys-0.3.52.sha256sum] = "ce791b7ca6638aae45be056e068fc756d871eb3b3b10b8efa62d1c9cec616752"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.99.sha256sum] = "a7f823d141fe0a24df1e23b4af4e3c7ba9e5966ec514ea068c93024aa7deb765"
+SRC_URI[log-0.4.14.sha256sum] = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
+SRC_URI[memchr-2.4.0.sha256sum] = "b16bd47d9e329435e309c58469fe0791c2d0d1ba96ec0954152a5ae2b04387dc"
+SRC_URI[memoffset-0.6.4.sha256sum] = "59accc507f1338036a0477ef61afdae33cde60840f4dfe481319ce3ad116ddf9"
+SRC_URI[num-traits-0.2.14.sha256sum] = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
+SRC_URI[num_cpus-1.13.0.sha256sum] = "05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3"
+SRC_URI[oorandom-11.1.3.sha256sum] = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575"
+SRC_URI[phf_shared-0.10.0.sha256sum] = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+SRC_URI[plotters-0.3.1.sha256sum] = "32a3fd9ec30b9749ce28cd91f255d569591cdf937fe280c312143e3c4bad6f2a"
+SRC_URI[plotters-backend-0.3.2.sha256sum] = "d88417318da0eaf0fdcdb51a0ee6c3bed624333bff8f946733049380be67ac1c"
+SRC_URI[plotters-svg-0.3.1.sha256sum] = "521fa9638fa597e1dc53e9412a4f9cefb01187ee1f7413076f9e6749e2885ba9"
+SRC_URI[ppv-lite86-0.2.10.sha256sum] = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857"
+SRC_URI[proc-macro2-1.0.28.sha256sum] = "5c7ed8b8c7b886ea3ed7dde405212185f423ab44682667c8c6dd14aa1d9f6612"
+SRC_URI[quote-1.0.9.sha256sum] = "c3d0b9745dc2debf507c8422de05d7226cc1f0644216dfdfead988f9b1ab32a7"
+SRC_URI[rand-0.8.4.sha256sum] = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
+SRC_URI[rand_hc-0.3.1.sha256sum] = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7"
+SRC_URI[rayon-1.5.1.sha256sum] = "c06aca804d41dbc8ba42dfd964f0d01334eceb64314b9ecf7c5fad5188a06d90"
+SRC_URI[rayon-core-1.9.1.sha256sum] = "d78120e2c850279833f1dd3582f730c4ab53ed95aeaaaa862a2a5c71b1656d8e"
+SRC_URI[regex-1.5.4.sha256sum] = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
+SRC_URI[regex-automata-0.1.10.sha256sum] = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+SRC_URI[regex-syntax-0.6.25.sha256sum] = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
+SRC_URI[rustc_version-0.4.0.sha256sum] = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+SRC_URI[ryu-1.0.5.sha256sum] = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
+SRC_URI[same-file-1.0.6.sha256sum] = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+SRC_URI[scopeguard-1.1.0.sha256sum] = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
+SRC_URI[semver-1.0.4.sha256sum] = "568a8e6258aa33c13358f81fd834adb854c6f7c9468520910a9b1e8fac068012"
+SRC_URI[serde-1.0.127.sha256sum] = "f03b9878abf6d14e6779d3f24f07b2cfa90352cfec4acc5aab8f1ac7f146fae8"
+SRC_URI[serde_cbor-0.11.1.sha256sum] = "1e18acfa2f90e8b735b2836ab8d538de304cbb6729a7360729ea5a895d15a622"
+SRC_URI[serde_derive-1.0.127.sha256sum] = "a024926d3432516606328597e0f224a51355a493b49fdd67e9209187cbe55ecc"
+SRC_URI[serde_json-1.0.66.sha256sum] = "336b10da19a12ad094b59d870ebde26a45402e5b470add4b5fd03c5048a32127"
+SRC_URI[siphasher-0.3.6.sha256sum] = "729a25c17d72b06c68cb47955d44fda88ad2d3e7d77e025663fdd69b93dd71a1"
+SRC_URI[syn-1.0.74.sha256sum] = "1873d832550d4588c3dbc20f01361ab00bfe741048f71e3fecf145a7cc18b29c"
+SRC_URI[textwrap-0.11.0.sha256sum] = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+SRC_URI[tinytemplate-1.2.1.sha256sum] = "be4d6b5f19ff7664e8c98d03e2139cb510db9b0a60b55f8e8709b689d939b6bc"
+SRC_URI[unicode-width-0.1.8.sha256sum] = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
+SRC_URI[unicode-xid-0.2.2.sha256sum] = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
+SRC_URI[walkdir-2.3.2.sha256sum] = "808cf2735cd4b6866113f648b791c6adc5714537bc222d9347bb203386ffda56"
+SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
+SRC_URI[wasm-bindgen-0.2.75.sha256sum] = "b608ecc8f4198fe8680e2ed18eccab5f0cd4caaf3d83516fa5fb2e927fda2586"
+SRC_URI[wasm-bindgen-backend-0.2.75.sha256sum] = "580aa3a91a63d23aac5b6b267e2d13cb4f363e31dce6c352fca4752ae12e479f"
+SRC_URI[wasm-bindgen-macro-0.2.75.sha256sum] = "171ebf0ed9e1458810dfcb31f2e766ad6b3a89dbda42d8901f2b268277e5f09c"
+SRC_URI[wasm-bindgen-macro-support-0.2.75.sha256sum] = "6c2657dd393f03aa2a659c25c6ae18a13a4048cebd220e147933ea837efc589f"
+SRC_URI[wasm-bindgen-shared-0.2.75.sha256sum] = "2e0c4a743a309662d45f4ede961d7afa4ba4131a59a639f29b0069c3798bbcc2"
+SRC_URI[web-sys-0.3.52.sha256sum] = "01c70a82d842c9979078c772d4a1344685045f1a5628f677c2b2eab4dd7d2696"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+# from rust/vendor/x509-parser/Cargo.lock
+SRC_URI += " \
+ crate://crates.io/asn1-rs/0.5.2 \
+ crate://crates.io/asn1-rs-derive/0.4.0 \
+ crate://crates.io/asn1-rs-impl/0.1.0 \
+ crate://crates.io/autocfg/1.1.0 \
+ crate://crates.io/bumpalo/3.12.0 \
+ crate://crates.io/cc/1.0.79 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/data-encoding/2.3.3 \
+ crate://crates.io/der-parser/8.2.0 \
+ crate://crates.io/displaydoc/0.2.3 \
+ crate://crates.io/itoa/1.0.6 \
+ crate://crates.io/js-sys/0.3.61 \
+ crate://crates.io/lazy_static/1.4.0 \
+ crate://crates.io/libc/0.2.140 \
+ crate://crates.io/log/0.4.17 \
+ crate://crates.io/memchr/2.5.0 \
+ crate://crates.io/minimal-lexical/0.2.1 \
+ crate://crates.io/nom/7.1.3 \
+ crate://crates.io/num-bigint/0.4.3 \
+ crate://crates.io/num-integer/0.1.45 \
+ crate://crates.io/num-traits/0.2.15 \
+ crate://crates.io/oid-registry/0.6.1 \
+ crate://crates.io/once_cell/1.17.1 \
+ crate://crates.io/proc-macro2/1.0.52 \
+ crate://crates.io/quote/1.0.26 \
+ crate://crates.io/ring/0.16.20 \
+ crate://crates.io/rusticata-macros/4.1.0 \
+ crate://crates.io/serde/1.0.156 \
+ crate://crates.io/spin/0.5.2 \
+ crate://crates.io/syn/1.0.109 \
+ crate://crates.io/synstructure/0.12.6 \
+ crate://crates.io/thiserror/1.0.39 \
+ crate://crates.io/thiserror-impl/1.0.39 \
+ crate://crates.io/time/0.3.20 \
+ crate://crates.io/time-core/0.1.0 \
+ crate://crates.io/time-macros/0.2.8 \
+ crate://crates.io/unicode-ident/1.0.8 \
+ crate://crates.io/unicode-xid/0.2.4 \
+ crate://crates.io/untrusted/0.7.1 \
+ crate://crates.io/wasm-bindgen/0.2.84 \
+ crate://crates.io/wasm-bindgen-backend/0.2.84 \
+ crate://crates.io/wasm-bindgen-macro/0.2.84 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.84 \
+ crate://crates.io/wasm-bindgen-shared/0.2.84 \
+ crate://crates.io/web-sys/0.3.61 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+"
+
+SRC_URI[asn1-rs-0.5.2.sha256sum] = "7f6fd5ddaf0351dff5b8da21b2fb4ff8e08ddd02857f0bf69c47639106c0fff0"
+SRC_URI[asn1-rs-derive-0.4.0.sha256sum] = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c"
+SRC_URI[asn1-rs-impl-0.1.0.sha256sum] = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[bumpalo-3.12.0.sha256sum] = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535"
+SRC_URI[cc-1.0.79.sha256sum] = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[data-encoding-2.3.3.sha256sum] = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"
+SRC_URI[der-parser-8.2.0.sha256sum] = "dbd676fbbab537128ef0278adb5576cf363cff6aa22a7b24effe97347cfab61e"
+SRC_URI[displaydoc-0.2.3.sha256sum] = "3bf95dc3f046b9da4f2d51833c0d3547d8564ef6910f5c1ed130306a75b92886"
+SRC_URI[itoa-1.0.6.sha256sum] = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6"
+SRC_URI[js-sys-0.3.61.sha256sum] = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.140.sha256sum] = "99227334921fae1a979cf0bfdfcc6b3e5ce376ef57e16fb6fb3ea2ed6095f80c"
+SRC_URI[log-0.4.17.sha256sum] = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
+SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+SRC_URI[nom-7.1.3.sha256sum] = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+SRC_URI[oid-registry-0.6.1.sha256sum] = "9bedf36ffb6ba96c2eb7144ef6270557b52e54b20c0a8e1eb2ff99a6c6959bff"
+SRC_URI[once_cell-1.17.1.sha256sum] = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3"
+SRC_URI[proc-macro2-1.0.52.sha256sum] = "1d0e1ae9e836cc3beddd63db0df682593d7e2d3d891ae8c9083d2113e1744224"
+SRC_URI[quote-1.0.26.sha256sum] = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc"
+SRC_URI[ring-0.16.20.sha256sum] = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+SRC_URI[rusticata-macros-4.1.0.sha256sum] = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+SRC_URI[serde-1.0.156.sha256sum] = "314b5b092c0ade17c00142951e50ced110ec27cea304b1037c6969246c2469a4"
+SRC_URI[spin-0.5.2.sha256sum] = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+SRC_URI[synstructure-0.12.6.sha256sum] = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+SRC_URI[thiserror-1.0.39.sha256sum] = "a5ab016db510546d856297882807df8da66a16fb8c4101cb8b30054b0d5b2d9c"
+SRC_URI[thiserror-impl-1.0.39.sha256sum] = "5420d42e90af0c38c3290abcca25b9b3bdf379fc9f55c528f53a269d9c9a267e"
+SRC_URI[time-0.3.20.sha256sum] = "cd0cbfecb4d19b5ea75bb31ad904eb5b9fa13f21079c3b92017ebdf4999a5890"
+SRC_URI[time-core-0.1.0.sha256sum] = "2e153e1f1acaef8acc537e68b44906d2db6436e2b35ac2c6b42640fff91f00fd"
+SRC_URI[time-macros-0.2.8.sha256sum] = "fd80a657e71da814b8e5d60d3374fc6d35045062245d80224748ae522dd76f36"
+SRC_URI[unicode-ident-1.0.8.sha256sum] = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4"
+SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+SRC_URI[untrusted-0.7.1.sha256sum] = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+SRC_URI[wasm-bindgen-0.2.84.sha256sum] = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b"
+SRC_URI[wasm-bindgen-backend-0.2.84.sha256sum] = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9"
+SRC_URI[wasm-bindgen-macro-0.2.84.sha256sum] = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5"
+SRC_URI[wasm-bindgen-macro-support-0.2.84.sha256sum] = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6"
+SRC_URI[wasm-bindgen-shared-0.2.84.sha256sum] = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d"
+SRC_URI[web-sys-0.3.61.sha256sum] = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
diff --git a/recipes-ids/suricata/suricata.inc b/recipes-ids/suricata/suricata.inc
index 1ce0d74..906423c 100644
--- a/recipes-ids/suricata/suricata.inc
+++ b/recipes-ids/suricata/suricata.inc
@@ -1,8 +1,5 @@
HOMEPAGE = "http://suricata-ids.org/"
SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
-VER = "4.1.10"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[sha256sum] = "4013cb13a2f3f7854328cf072319bba41896fad86d6b85b1cff4004f82aa7276"
+COMPATIBLE_HOST:powerpc = 'null'
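Review bot: The new `COMPATIBLE_HOST:powerpc = 'null'` on the last line carries no explanation, so a maintainer cannot tell whether powerpc is excluded because of a suricata build failure, a missing Rust target for the new cargo-based build, or something else. A one-line why-comment above it would be enough, e.g. `# powerpc is excluded from this recipe; TODO: record the concrete failure (build error / missing rust target)`. Since this .inc is shared by the versioned .bb, the reason should live here rather than only in the commit message.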
diff --git a/recipes-ids/suricata/suricata_4.1.10.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index bf08843..a01b3d9 100644
--- a/recipes-ids/suricata/suricata_4.1.10.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -4,36 +4,45 @@ require suricata.inc
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz"
+SRC_URI[sha256sum] = "7bcd1313118366451465dc3f8385a3f6aadd084ffe44dd257dda8105863bb769"
+
+DEPENDS = "lz4 libhtp"
+
SRC_URI += " \
file://volatiles.03_suricata \
file://tmpfiles.suricata \
file://suricata.yaml \
file://suricata.service \
file://run-ptest \
+ file://fixup.patch \
"
-UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download"
-
-inherit autotools-brokensep pkgconfig python3-dir systemd ptest
-
-CFLAGS += "-D_DEFAULT_SOURCE -fcommon"
+inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates
-CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
- ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
+require ${BPN}-crates.inc
EXTRA_OECONF += " --disable-debug \
- --enable-non-bundled-htp \
--disable-gccmarch-native \
+ --enable-non-bundled-htp \
--disable-suricata-update \
+ --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \
"
-PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+CARGO_SRC_DIR = "rust"
+
+CARGO_BUILD_FLAGS:remove = "--frozen"
+CARGO_BUILD_FLAGS:append = " --offline"
+
+B = "${S}"
-PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
+# nfnetlink has a dependancy to meta-networking
+PACKAGECONFIG ??= "jansson file pcre2 yaml python pcap cap-ng net nss nspr "
+PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
+PACKAGECONFIG[pcre2] = "--with-libpcre2-includes=${STAGING_INCDIR} --with-libpcre2-libraries=${STAGING_LIBDIR}, ,libpcre2 ,"
PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
+PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap"
PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
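Review bot: `CARGO_BUILD_FLAGS:remove = "--frozen"` followed by `CARGO_BUILD_FLAGS:append = " --offline"` drops the `--locked` half of `--frozen`, so if the vendored crate set and `rust/Cargo.lock` ever disagree, cargo will silently rewrite the lockfile instead of failing the build; the per-crate sha256sums in `${BPN}-crates.inc` still pin what is fetched, but the dependency resolution is no longer pinned. If only the network access was the problem, `CARGO_BUILD_FLAGS:append = " --offline --locked"` keeps the lock enforced; otherwise a comment above the two lines should state why the lock cannot be honoured. Separately, the new `SRC_URI` fetches the release tarball over plain `http://`; the sha256sum protects integrity, but `https://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz` (if the host serves TLS, which it appears to) avoids a cleartext fetch in the first place.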
@@ -43,23 +52,40 @@ PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-li
PACKAGECONFIG[file] = ",,file, file"
PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core"
PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
export logdir = "${localstatedir}/log"
-do_install_append () {
+CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes"
- install -d ${D}${sysconfdir}/suricata
+do_configure:prepend () {
+ # use host for RUST_SURICATA_LIB_XC_DIR
+ sed -i -e 's,\${host_alias},${RUST_HOST_SYS},' ${S}/configure.ac
+ sed -i -e 's,libsuricata_rust.a,libsuricata.a,' ${S}/configure.ac
+ oe_runconf
+}
+
+do_compile () {
+ # we do this to bypass the make provided by this pkg
+ # patches Makefile to skip the subdir
+ cargo_do_compile
- oe_runmake install-conf DESTDIR=${D}
+ # Finish building
+ cd ${S}
+ make
+}
+
+do_install () {
+ install -d ${D}${sysconfdir}/suricata
- oe_runmake install-rules DESTDIR=${D}
+ oe_runmake install DESTDIR=${D}
install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata
install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
+ install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
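Review bot: The new `do_compile` finishes the build with a bare `make` (L17563) instead of `oe_runmake`, so `EXTRA_OEMAKE` and `PARALLEL_MAKE` are bypassed and any make-level setting the distro injects is silently dropped for the C half of the build; `oe_runmake` in place of `make` keeps it under the same settings as the cargo half. The `oe_runconf` at the end of `do_configure:prepend` also looks misplaced: if this recipe inherits autotools (the inherit line is not visible here), autotools_do_configure will regenerate configure from the just-edited configure.ac and call oe_runconf again, so the first call is at best redundant and at worst runs a stale configure. `install -d ${D}${sysconfdir}/suricata` is issued twice (L17567 and L17570); the first can go. do_install continues past the end of this hunk.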
@@ -78,9 +104,12 @@ do_install_append () {
# Remove /var/run as it is created on startup
rm -rf ${D}${localstatedir}/run
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatasc
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatactl
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${libdir}/suricata/python/suricata/sc/suricatasc.py
}
-pkg_postinst_ontarget_${PN} () {
+pkg_postinst_ontarget:${PN} () {
if command -v systemd-tmpfiles >/dev/null; then
systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
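Review bot: The three `sed -i` calls added at the end of do_install run unconditionally, but `suricatasc`, `suricatactl` and the `suricata/sc` module are presumably only installed when `python` is in PACKAGECONFIG, which is a `??=` default a distro may drop; with `--disable-python` the files are absent, `sed -i` exits non-zero and do_install fails. Wrap the three lines in `if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then … fi`, the same pattern the function already uses for systemd. The shebang is rewritten to `env python3`, which resolves the interpreter through PATH at run time; `#!${bindir}/python3` is the conventional target-side form and avoids a PATH lookup for a control tool that is typically run by root. do_install starts outside this hunk.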
@@ -90,10 +119,8 @@ fi
SYSTEMD_PACKAGES = "${PN}"
-PACKAGES =+ "${PN}-socketcontrol"
-FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
-FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
+PACKAGES =+ "${PN}-python"
+FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
+FILES:${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-RDEPENDS_${PN}-python = "python"
+CONFFILES:${PN} = "${sysconfdir}/suricata/suricata.yaml"
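Review bot: The removed `RDEPENDS_${PN}-python = "python"` has no replacement, so the new `${PN}-python` package ships `${bindir}/suricatasc` and the site-packages tree with no runtime dependency on an interpreter; `python3-core` is only pulled in through PACKAGECONFIG[python] on `${PN}`, which does not help someone installing `suricata-python` alone. Add `RDEPENDS:${PN}-python = "python3-core"` (plus whichever python3 modules the scripts import, if known). Also, the previous hunk rewrites `${libdir}/suricata/python/suricata/sc/suricatasc.py`, while `FILES:${PN}-python` only claims `${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}`; if that path lies outside PYTHON_SITEPACKAGES_DIR it ends up in `${PN}` or unpackaged, so the packaged file list is worth checking.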
diff --git a/recipes-ids/tripwire/files/add_armeb_arch.patch b/recipes-ids/tripwire/files/add_armeb_arch.patch
deleted file mode 100644
index 2379d66..0000000
--- a/recipes-ids/tripwire/files/add_armeb_arch.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-tripwire: Add armeb support
-
-Upstream-Status: Submitted to tripwire-dev
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-diff -Naurp tripwire-2.4.2.2-src_org/config.sub tripwire-2.4.2.2-src/config.sub
---- tripwire-2.4.2.2-src_org/config.sub 2015-07-20 15:03:04.161452573 +0530
-+++ tripwire-2.4.2.2-src/config.sub 2015-07-20 15:06:07.077673139 +0530
-@@ -268,7 +268,7 @@ case $basic_machine in
- # FIXME: clean up the formatting here.
- vax-* | tahoe-* | i*86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
- | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | c[123]* | aarch64-* | aarch64be-* \
-- | arm-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
-+ | arm-* | armeb-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
- | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
- | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
- | xmp-* | ymp-* \
diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 36e5d00..9149e89 100644
--- a/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -3,13 +3,13 @@ DESCRIPTION = "Open Source Tripwire® software is a security and data \
integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems"
HOMEPAGE="http://sourceforge.net/projects/tripwire"
SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
SRC_URI = "\
- git://github.com/Tripwire/tripwire-open-source.git \
+ git://github.com/Tripwire/tripwire-open-source.git;branch=master;protocol=https \
file://tripwire.cron \
file://tripwire.sh \
file://tripwire.txt \
@@ -60,18 +60,18 @@ do_install () {
install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN}
}
-do_install_ptest_append () {
+do_install_ptest:append () {
install -d ${D}${PTEST_PATH}/tests
cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
sed -i -e 's@../../../../bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm
}
-FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
-FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug"
-FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
-FILES_${PN}-ptest += "${PTEST_PATH}/tests "
+FILES:${PN} += "${libdir} ${docdir}/${PN}/*"
+FILES:${PN}-dbg += "${sysconfdir}/${PN}/.debug"
+FILES:${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
+FILES:${PN}-ptest += "${PTEST_PATH}/tests "
-RDEPENDS_${PN} += " perl nano msmtp cronie"
-RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
+RDEPENDS:${PN} += " perl nano msmtp cronie"
+RDEPENDS:${PN}-ptest = " perl lib-perl perl-modules "
-PNBLACKLIST[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11"
+SKIP_RECIPE[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11"
diff --git a/recipes-kernel/linux/files/lkrg.cfg b/recipes-kernel/linux/files/lkrg.cfg
new file mode 100644
index 0000000..e02bf76
--- /dev/null
+++ b/recipes-kernel/linux/files/lkrg.cfg
@@ -0,0 +1,4 @@
+CONFIG_DEBUG_KERNEL=y
+CONFIG_KALLSYMS_ALL=y
+CONFIG_JUMP_LABEL=y
+CONFIG_DEBUG_SECTION_MISMATCH=y
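Review bot: The fragment turns on `CONFIG_KALLSYMS_ALL=y` and `CONFIG_DEBUG_KERNEL=y` without saying why, and both widen the attack surface of a production image: KALLSYMS_ALL exposes data symbols through /proc/kallsyms and DEBUG_KERNEL unlocks a family of debug options. LKRG resolves kernel symbols at load time (its tree carries a `ksyms/p_resolve_ksym` module, visible in the patch this commit deletes), which is presumably why KALLSYMS_ALL is needed; state that in the file so nobody "cleans up" the option later, e.g. `# Required by LKRG: it resolves kernel symbols at load time (needs KALLSYMS_ALL)` and `# KALLSYMS_ALL exposes data symbols via /proc/kallsyms; keep kernel.kptr_restrict >= 1 on production images`. JUMP_LABEL and DEBUG_SECTION_MISMATCH get no rationale either; a one-line comment per option, or a note on whether the latter (a build-time diagnostic) can be dropped, would help.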
diff --git a/recipes-kernel/linux/files/lkrg.scc b/recipes-kernel/linux/files/lkrg.scc
new file mode 100644
index 0000000..83397f8
--- /dev/null
+++ b/recipes-kernel/linux/files/lkrg.scc
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MIT
+define KFEATURE_DESCRIPTION "Enable Support for LKRG"
+define KFEATURE_COMPATIBILITY board
+
+kconf hardware lkrg.cfg
diff --git a/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/recipes-kernel/linux/linux-yocto-rt_%.bbappend
new file mode 100644
index 0000000..79dfeac
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto-rt_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'security', 'linux-yocto_security.inc', '', d)}
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_%.bbappend
index 1d9054f..1d9054f 100644
--- a/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_%.bbappend
diff --git a/recipes-kernel/linux/linux-yocto_security.inc b/recipes-kernel/linux/linux-yocto_security.inc
index fa536d0..b79af80 100644
--- a/recipes-kernel/linux/linux-yocto_security.inc
+++ b/recipes-kernel/linux/linux-yocto_security.inc
@@ -1,3 +1,6 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
+SRC_URI += " ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "file://lkrg.scc", "" ,d)}"
diff --git a/recipes-kernel/lkrg/files/makefile_cleanup.patch b/recipes-kernel/lkrg/files/makefile_cleanup.patch
deleted file mode 100644
index 106dc3f..0000000
--- a/recipes-kernel/lkrg/files/makefile_cleanup.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Upstream-Status: Pending
-
-This needs more work. Its my starting point.
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: lkrg-0.9.0/Makefile
-===================================================================
---- lkrg-0.9.0.orig/Makefile
-+++ lkrg-0.9.0/Makefile
-@@ -4,28 +4,10 @@
- # Author:
- # - Adam 'pi3' Zabrocki (http://pi3.com.pl)
- ##
--
--P_OUTPUT = output
- P_PWD ?= $(shell pwd)
--P_KVER ?= $(shell uname -r)
--P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
--TARGET := p_lkrg
--ifneq ($(KERNELRELEASE),)
-- KERNEL := /lib/modules/$(KERNELRELEASE)/build
--else
-- ## KERNELRELEASE not set.
-- KERNEL := /lib/modules/$(P_KVER)/build
--endif
--
--#
--# Uncomment for debug compilation
--#
--# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
--# ccflags-y := ${ccflags-m}
--# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
-
--obj-m += $(TARGET).o
--$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
-+obj-m := p_lkrg.o
-+p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
- src/modules/hashing/p_lkrg_fast_hash.o \
- src/modules/comm_channel/p_comm_channel.o \
- src/modules/integrity_timer/p_integrity_timer.o \
-@@ -91,23 +73,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
- src/p_lkrg_main.o
-
-
--all:
--# $(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
-- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules
-- mkdir -p $(P_OUTPUT)
-- cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
--
--install:
-- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
-- depmod -a
-- $(P_PWD)/$(P_BOOTUP_SCRIPT) install
-
--uninstall:
-- $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
-+modules:
-+ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
-+
-+modules_install:
-+ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
-
- clean:
-- $(MAKE) -C $(KERNEL) M=$(P_PWD) clean
-- $(RM) Module.markers modules.order
-- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
-- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
-- $(RM) -rf $(P_OUTPUT)
-+ rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
-+ rm -f Module.markers Module.symvers modules.order
-+ rm -rf .tmp_versions Modules.symvers
diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.1.bb b/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
index 287b4e8..020c3a1 100644
--- a/recipes-kernel/lkrg/lkrg-module_0.9.1.bb
+++ b/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
@@ -3,24 +3,29 @@ DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
kernel and detection of security vulnerability exploits against the kernel."
SECTION = "security"
HOMEPAGE = "https://www.openwall.com/lkrg/"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=5105ead24b08a32954f34cbaa7112432"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=57534ed9f03a5810945cd9be4a81db41"
DEPENDS = "virtual/kernel elfutils"
-SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \
- file://makefile_cleanup.patch "
+SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main"
-SRC_URI[sha256sum] = "cabbee1addbf3ae23a584203831e4bd1b730d22bfd1b3e44883214f220b3babd"
+SRCREV = "5dc5cfea1f4dc8febdd5274d99e277c17df06acc"
-S = "${WORKDIR}/lkrg-${PV}"
+S = "${WORKDIR}/git"
inherit module kernel-module-split
MAKE_TARGETS = "modules"
-MODULE_NAME = "p_lkrg"
+MODULE_NAME = "lkrg"
+
+do_configure:append () {
+ sed -i -e 's/^all/modules/' ${S}/Makefile
+ sed -i -e 's/^install/modules_install/' ${S}/Makefile
+ sed -i -e 's/KERNEL/KERNEL_SRC/g' ${S}/Makefile
+}
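Review bot: The `sed -i -e 's/KERNEL/KERNEL_SRC/g'` in do_configure:append is unanchored: it rewrites every occurrence of the substring, including `KERNELRELEASE` (which the 0.9.0 Makefile tested in `ifneq ($(KERNELRELEASE),)`, per the patch this commit deletes) and anything in comments or target names, and the other two seds match any line merely starting with `all` or `install`. Whether that is harmless depends on the 0.9.7 Makefile, which is not visible here; anchoring makes the rewrite safe against upstream churn: `s/\$(KERNEL)/$(KERNEL_SRC)/g` (or the `${KERNEL}` form if the Makefile uses braces), `s/^all:/modules:/` and `s/^install:/modules_install:/`. A `grep -q KERNEL_SRC ${S}/Makefile || bbfatal "Makefile rewrite did not match"` after the seds would catch a silent no-op at the next version bump. Replacing the tarball+sha256sum with a git SRCREV keeps the source pinned, which is fine.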
module_do_install() {
install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
@@ -28,6 +33,6 @@ module_do_install() {
${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
}
-RPROVIDES_${PN} += "kernel-module-lkrg"
+RPROVIDES:${PN} += "kernel-module-lkrg"
COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb b/recipes-mac/AppArmor/apparmor_3.1.3.bb
index d9c3e4d..fd649e4 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.bb
+++ b/recipes-mac/AppArmor/apparmor_3.1.3.bb
@@ -5,41 +5,30 @@ DESCRIPTION = "user-space parser utility for AppArmor \
which is required to convert AppArmor text profiles into machine-readable \
policies that are loaded into the kernel for use with the AppArmor Linux \
Security Module."
-HOMEAPAGE = "http://apparmor.net/"
+HOMEPAGE = "http://apparmor.net/"
SECTION = "admin"
-LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LICENSE = "GPL-2.0-only & GPL-2.0-or-later & BSD-3-Clause & LGPL-2.1-or-later"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
SRC_URI = " \
- git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
- file://disable_perl_h_check.patch \
+ git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.1 \
+ file://run-ptest \
file://crosscompile_perl_bindings.patch \
- file://apparmor.rc \
- file://functions \
- file://apparmor \
- file://apparmor.service \
file://0001-Makefile.am-suppress-perllocal.pod.patch \
- file://run-ptest \
- file://0001-apparmor-fix-manpage-order.patch \
- file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
- file://0001-libapparmor-add-missing-include-for-socklen_t.patch \
- file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \
- file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \
- file://0001-aa_status-Fix-build-issue-with-musl.patch \
- file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \
+ file://0001-Makefile-fix-hardcoded-installation-directories.patch \
"
-SRCREV = "5d51483bfecf556183558644dc8958135397a7e2"
+SRCREV = "e69cb5047946818e6a9df326851483bb075a5cfe"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
-COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
-inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion
+inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion setuptools3
REQUIRED_DISTRO_FEATURES = "apparmor"
@@ -85,8 +74,6 @@ do_compile () {
}
do_install () {
- install -d ${D}/${INIT_D_DIR}
- install -d ${D}/lib/apparmor
oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
oe_runmake -C ${B}/binutils DESTDIR="${D}" install
oe_runmake -C ${B}/utils DESTDIR="${D}" install
@@ -102,25 +89,27 @@ do_install () {
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
- install -d ${D}/lib/security
oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
fi
- install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
- install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
+ if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
+ install -d ${D}${sysconfdir}/init.d
+ install -m 755 ${B}/parser/rc.apparmor.functions ${D}${sysconfdir}/init.d/apparmor
+ fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -d ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
fi
+ chown root:root -R ${D}/${sysconfdir}/apparmor.d
+ chown root:root -R ${D}/${datadir}/apparmor
}
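Review bot: The sysvinit branch installs `parser/rc.apparmor.functions` as `${sysconfdir}/init.d/apparmor`, replacing the dedicated `apparmor` init script plus `/lib/apparmor/functions` pair the old recipe shipped. Upstream's `rc.apparmor.functions` is, as the name says, the shared function library that init scripts source; if this revision has no `start|stop|reload` dispatcher of its own (not visible here), `update-rc.d` registers a script that never loads policy and AppArmor confinement is silently absent on sysvinit images, so please confirm against the 3.1.3 tree or keep a small wrapper that sources it and calls `apparmor_start`/`apparmor_stop`. The two `chown root:root -R` lines imply something installs files with the build user's ownership, which under pseudo is normally already root; a one-line comment naming the offending sub-install would help the next reader. Minor: `${D}/${sysconfdir}` yields a double slash, `${D}${sysconfdir}` is the usual form. do_install starts outside this hunk.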
#Building ptest on arm fails.
-do_compile_ptest_aarch64 () {
+do_compile_ptest:aarch64 () {
:
}
-do_compile_ptest_arm () {
+do_compile_ptest:arm () {
:
}
@@ -150,45 +139,36 @@ do_install_ptest () {
}
#Building ptest on arm fails.
-do_install_ptest_aarch64 () {
+do_install_ptest:aarch64 () {
:
}
-do_install_ptest_arm() {
+do_install_ptest:arm() {
:
}
-pkg_postinst_ontarget_${PN} () {
-if [ ! -d /etc/apparmor.d/cache ] ; then
- mkdir /etc/apparmor.d/cache
-fi
-}
-
-# We need the init script so don't rm it
-RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
-
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "apparmor"
INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_SERVICE:${PN} = "apparmor.service"
SYSTEMD_AUTO_ENABLE ?= "enable"
PACKAGES += "mod-${PN}"
-FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
-FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-FILES_${PN}-dbg += "/lib/security/"
+FILES:${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
+FILES:mod-${PN} = "${libdir}/apache2/modules/*"
+FILES:${PN}-dbg += "${base_libdir}/security/.debug"
-DEPENDS_append_libc-musl = " fts "
-RDEPENDS_${PN}_libc-musl += "musl-utils"
-RDEPENDS_${PN}_libc-glibc += "glibc-utils"
+DEPENDS:append:libc-musl = " fts "
+RDEPENDS:${PN}:libc-musl += "musl-utils"
+RDEPENDS:${PN}:libc-glibc += "glibc-utils"
# Add coreutils and findutils only if sysvinit scripts are in use
-RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
-RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
+RDEPENDS:${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
+RDEPENDS:${PN}:remove = "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS:${PN}-ptest += "perl coreutils dbus-lib bash"
-INSANE_SKIP_${PN} = "ldflags"
-PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
+INSANE_SKIP:${PN} = "ldflags"
+PRIVATE_LIBS:${PN}-ptest = "libapparmor.so*"
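Review bot: `INSANE_SKIP:${PN} = "ldflags"` is carried over as-is, and it silences the QA check that verifies binaries were linked with the distro `${LDFLAGS}`; for a layer whose users typically enable `security_flags.inc`, that is exactly where `-Wl,-z,relro,-z,now` comes from, so some apparmor binaries may ship without RELRO/BIND_NOW and nobody is told. Since the new patch already touches parser/Makefile and changehat/pam_apparmor/Makefile, plumbing `$(LDFLAGS)` into their link lines (or into common/Make.rules) and dropping the skip would be the cleaner fix; if the skip must stay, a comment naming the sub-build that ignores LDFLAGS, e.g. `# ldflags QA skipped: <sub-build> links without ${LDFLAGS}`, at least documents the gap. The deleted `pkg_postinst_ontarget` that created /etc/apparmor.d/cache has no replacement; if the 3.1 parser still defaults to a cache directory under /etc/apparmor.d, confirm it is created (or the cache location points at /var/cache/apparmor) so policy caching does not silently fail.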
diff --git a/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
new file mode 100644
index 0000000..f10acb1
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
@@ -0,0 +1,51 @@
+From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 21 Jun 2021 14:18:30 +0800
+Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories
+
+Update the installation directories to fix the do_install error for
+multilib and usrmerge.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ changehat/pam_apparmor/Makefile | 2 +-
+ parser/Makefile | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
+index f6ece2d1..0143ae9f 100644
+--- a/changehat/pam_apparmor/Makefile
++++ b/changehat/pam_apparmor/Makefile
+@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS}
+
+ # need some better way of determining this
+ DESTDIR=/
+-SECDIR ?= ${DESTDIR}/lib/security
++SECDIR ?= ${DESTDIR}/${base_libdir}/security
+
+ .PHONY: install
+ install: $(NAME).so
+diff --git a/parser/Makefile b/parser/Makefile
+index 8250ac45..cf18bc11 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -23,10 +23,10 @@ COMMONDIR=../common/
+ include $(COMMONDIR)/Make.rules
+
+ DESTDIR=/
+-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
+-SBINDIR=${DESTDIR}/sbin
+-USR_SBINDIR=${DESTDIR}/usr/sbin
+-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
++APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor
++SBINDIR=${DESTDIR}/${base_sbindir}
++USR_SBINDIR=${DESTDIR}/${sbindir}
++SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir}
+ CONFDIR=/etc/apparmor
+ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
+ LOCALEDIR=/usr/share/locale
+--
+2.17.1
+
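Review bot: The patch substitutes `${base_libdir}`, `${nonarch_base_libdir}`, `${base_sbindir}`, `${sbindir}` and `${systemd_system_unitdir}` into the Makefiles, but those are BitBake variables and make only sees them if the recipe exports them or passes them on its command line; the `oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd` and pam_apparmor calls visible earlier in this diff pass only DESTDIR. If nothing else supplies them (EXTRA_OEMAKE is not visible here), each expands to empty, the pam module lands in `${DESTDIR}//security` and the parser in `${DESTDIR}//sbin`, which packaging may or may not notice. Giving each a default equal to the old literal, e.g. `base_libdir ?= /lib` and `systemd_system_unitdir ?= /usr/lib/systemd/system`, keeps the patch safe on its own while still honouring whatever the recipe passes. The `[PATCH 1/2]` subject for a single-patch series is cosmetic.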
diff --git a/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
deleted file mode 100644
index 791437d..0000000
--- a/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 5ed21abbef4d4c2983e70bd2868fb817150e883e Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Sat, 3 Oct 2020 11:26:46 -0700
-Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based
- on USE_SYSTEM"
-
-This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e.
-
-Upstream-Statue: OE specific
-These changes cause during packaging with perms changing.
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- profiles/Makefile | 50 ++++++++++-------------------------------------
- 1 file changed, 10 insertions(+), 40 deletions(-)
-
-diff --git a/profiles/Makefile b/profiles/Makefile
-index ba47fc16..5384cb05 100644
---- a/profiles/Makefile
-+++ b/profiles/Makefile
-@@ -35,49 +35,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/
- SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
- TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
-
--ifdef USE_SYSTEM
-- PYTHONPATH=
-- PARSER?=apparmor_parser
-- LOGPROF?=aa-logprof
--else
-- # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
-- PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")
-- LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
-- LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
-- PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)
-- PARSER?=../parser/apparmor_parser
-- # use ../utils logprof
-- LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof
--endif
--
- # $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value
- PWD=$(shell pwd)
-
--.PHONY: test-dependencies
--test-dependencies: __parser __libapparmor
--
--
--.PHONY: __parser __libapparmor
--__parser:
--ifndef USE_SYSTEM
-- @if [ ! -f $(PARSER) ]; then \
-- echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \
-- echo " 1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \
-- echo " 2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \
-- exit 1; \
-- fi
--endif
--
--__libapparmor:
--ifndef USE_SYSTEM
-- @if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \
-- echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \
-- echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
-- echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \
-- exit 1; \
-- fi
--endif
--
- local:
- for profile in ${TOPLEVEL_PROFILES}; do \
- fn=$$(basename $$profile); \
-@@ -109,6 +69,16 @@ else
- Q=
- endif
-
-+ifndef PARSER
-+# use system parser
-+PARSER=../parser/apparmor_parser
-+endif
-+
-+ifndef LOGPROF
-+# use ../utils logprof
-+LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof
-+endif
-+
- .PHONY: docs
- # docs: should we have some here?
- docs:
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
deleted file mode 100644
index 239562a..0000000
--- a/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 7 Oct 2020 08:27:11 -0700
-Subject: [PATCH] aa_status: Fix build issue with musl
-
-add limits.h
-
-aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
-| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char));
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
----
- binutils/aa_status.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/binutils/aa_status.c b/binutils/aa_status.c
-index 78b03409..41f1954e 100644
---- a/binutils/aa_status.c
-+++ b/binutils/aa_status.c
-@@ -10,6 +10,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/wait.h>
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
deleted file mode 100644
index 9f3dce4..0000000
--- a/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Fri, 2 Oct 2020 19:43:44 -0700
-Subject: [PATCH] apparmor: fix manpage order
-
-It trys to create a symlink before the man pages are installed.
-
- ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
- | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-...
-
-install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
----
- binutils/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/binutils/Makefile b/binutils/Makefile
-index 99e54875..3f1d0011 100644
---- a/binutils/Makefile
-+++ b/binutils/Makefile
-@@ -156,12 +156,12 @@ install-arch: arch
- install -m 755 -d ${SBINDIR}
- ln -sf aa-status ${SBINDIR}/apparmor_status
- install -m 755 ${SBINTOOLS} ${SBINDIR}
-- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- .PHONY: install-indep
- install-indep: indep
- $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
- $(MAKE) install_manpages DESTDIR=${DESTDIR}
-+ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- ifndef VERBOSE
- .SILENT: clean
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
deleted file mode 100644
index 2a56d8b..0000000
--- a/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 20:37:55 +0200
-Subject: [PATCH] libapparmor: add missing include for `socklen_t`
-
-While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
-include the `<sys/socket.h>` header to make its declaration available.
-While this works on systems using glibc via transitive includes, it
-breaks compilation on musl libc.
-
-Fix the issue by including the header.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/include/sys/apparmor.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
-index 32892d06..d70eff94 100644
---- a/libraries/libapparmor/include/sys/apparmor.h
-+++ b/libraries/libapparmor/include/sys/apparmor.h
-@@ -21,6 +21,7 @@
- #include <stdbool.h>
- #include <stdint.h>
- #include <unistd.h>
-+#include <sys/socket.h>
- #include <sys/types.h>
-
- #ifdef __cplusplus
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
deleted file mode 100644
index 9f7ad3c..0000000
--- a/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster@mvista.com>
-Date: Wed, 7 Oct 2020 20:50:38 -0700
-Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
-
-In cross build environments, using the hosts cpp gives incorrect
-detection of reallocarray. Change cpp to a variable.
-
-fixes:
-parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
-| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
-| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-Status: Pending
-
----
- parser/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/parser/Makefile b/parser/Makefile
-index acef3d77..8250ac45 100644
---- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -54,7 +54,7 @@ endif
- CPPFLAGS += -D_GNU_SOURCE
-
- STDLIB_INCLUDE:="\#include <stdlib.h>"
--HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
-+HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
-
- WARNINGS = -Wall
- CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
deleted file mode 100644
index 333f40f..0000000
--- a/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 20:58:45 +0200
-Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
- symbols
-
-With AppArmor release 3.0, a new function `aa_features_new_from_file`
-was added, but not added to the list of public symbols. As a result,
-it's not possible to make use of this function when linking against
-libapparmor.so.
-
-Fix the issue by adding it to the symbol map.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index bbff51f5..1579509a 100644
---- a/libraries/libapparmor/src/libapparmor.map
-+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
-
- APPARMOR_3.0 {
- global:
-+ aa_features_new_from_file;
- aa_features_write_to_fd;
- aa_features_value;
- local:
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
deleted file mode 100644
index 543c7a1..0000000
--- a/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 21:04:57 +0200
-Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
-
-While `_aa_asprintf` is supposed to be of private visibility, it's used
-by apparmor_parser and thus required to be visible when linking. This
-commit thus adds it to the list of private symbols to make it available
-for linking in apparmor_parser.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index 1579509a..41e541ac 100644
---- a/libraries/libapparmor/src/libapparmor.map
-+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -127,6 +127,7 @@ APPARMOR_3.0 {
- PRIVATE {
- global:
- _aa_is_blacklisted;
-+ _aa_asprintf;
- _aa_autofree;
- _aa_autoclose;
- _aa_autofclose;
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor
deleted file mode 100644
index 604e48d..0000000
--- a/recipes-mac/AppArmor/files/apparmor
+++ /dev/null
@@ -1,226 +0,0 @@
-#!/bin/sh
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008, 2009 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Steve Beattie <steve.beattie@canonical.com>
-# Kees Cook <kees@ubuntu.com>
-#
-# /etc/init.d/apparmor
-#
-### BEGIN INIT INFO
-# Provides: apparmor
-# Required-Start: $local_fs
-# Required-Stop: umountfs
-# Default-Start: S
-# Default-Stop:
-# Short-Description: AppArmor initialization
-# Description: AppArmor init script. This script loads all AppArmor profiles.
-### END INIT INFO
-
-log_daemon_msg() {
- echo $*
-}
-
-log_end_msg () {
- retval=$1
- if [ $retval -eq 0 ]; then
- echo "."
- else
- echo " failed!"
- fi
- return $retval
-}
-
-. /lib/apparmor/functions
-
-usage() {
- echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
-}
-
-test -x ${PARSER} || exit 0 # by debian policy
-# LSM is built-in, so it is either there or not enabled for this boot
-test -d /sys/module/apparmor || exit 0
-
-securityfs() {
- # Need securityfs for any mode
- if [ ! -d "${AA_SFS}" ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
- log_daemon_msg "AppArmor not available as kernel LSM."
- log_end_msg 1
- exit 1
- else
- log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
- if ! mount -t securityfs none "${SECURITYFS}"; then
- log_end_msg 1
- exit 1
- fi
- fi
- fi
- if [ ! -w "$AA_SFS"/.load ]; then
- log_daemon_msg "Insufficient privileges to change profiles."
- log_end_msg 1
- exit 1
- fi
-}
-
-handle_system_policy_package_updates() {
- apparmor_was_updated=0
-
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-}
-
-# Allow "recache" even when running on the liveCD
-if [ "$1" = "recache" ]; then
- log_daemon_msg "Recaching AppArmor profiles"
- recache_profiles
- rc=$?
- log_end_msg "$rc"
- exit $rc
-fi
-
-# do not perform start/stop/reload actions when running from liveCD
-test -d /rofs/etc/apparmor.d && exit 0
-
-rc=255
-case "$1" in
- start)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not starting AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Starting AppArmor profiles"
- securityfs
- # That is only useful for click, snappy and system images,
- # i.e. not in Debian. And it reads and writes to /var, that
- # can be remote-mounted, so it would prevent us from using
- # Before=sysinit.target without possibly introducing dependency
- # loops.
- handle_system_policy_package_updates
- load_configured_profiles
- rc=$?
- log_end_msg "$rc"
- ;;
- stop)
- log_daemon_msg "Clearing AppArmor profiles cache"
- clear_cache
- rc=$?
- log_end_msg "$rc"
- cat >&2 <<EOM
-All profile caches have been cleared, but no profiles have been unloaded.
-Unloading profiles will leave already running processes permanently
-unconfined, which can lead to unexpected situations.
-
-To set a process to complain mode, use the command line tool
-'aa-complain'. To really tear down all profiles, run the init script
-with the 'teardown' option."
-EOM
- ;;
- teardown)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not tearing down AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Unloading AppArmor profiles"
- securityfs
- running_profile_names | while read profile; do
- if ! unload_profile "$profile" ; then
- log_end_msg 1
- exit 1
- fi
- done
- rc=0
- log_end_msg $rc
- ;;
- restart|reload|force-reload)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not reloading AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Reloading AppArmor profiles"
- securityfs
- clear_cache
- load_configured_profiles
- rc=$?
- unload_obsolete_profiles
-
- log_end_msg "$rc"
- ;;
- status)
- securityfs
- if [ -x /usr/sbin/aa-status ]; then
- aa-status --verbose
- else
- cat "$AA_SFS"/profiles
- fi
- rc=$?
- ;;
- *)
- usage
- rc=1
- ;;
- esac
-exit $rc
diff --git a/recipes-mac/AppArmor/files/apparmor.rc b/recipes-mac/AppArmor/files/apparmor.rc
deleted file mode 100644
index 1507d7b..0000000
--- a/recipes-mac/AppArmor/files/apparmor.rc
+++ /dev/null
@@ -1,98 +0,0 @@
-description "Pre-cache and pre-load apparmor profiles"
-author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
-
-task
-
-start on starting rc-sysinit
-
-script
- [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
- [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
- [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
-
- . /lib/apparmor/functions
-
- systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
-
- # Need securityfs for any mode
- if [ ! -d /sys/kernel/security/apparmor ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
- exit 0
- else
- mount -t securityfs none /sys/kernel/security || exit 0
- fi
- fi
-
- [ -w /sys/kernel/security/apparmor/.load ] || exit 0
-
- apparmor_was_updated=0
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-
- if [ "$ACTION" = "teardown" ]; then
- running_profile_names | while read profile; do
- unload_profile "$profile"
- done
- exit 0
- fi
-
- if [ "$ACTION" = "clear" ]; then
- clear_cache
- exit 0
- fi
-
- if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
- clear_cache
- load_configured_profiles
- unload_obsolete_profiles
- exit 0
- fi
-
- # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
- # aa-clickhook will have already compiled the policy, generated the cache
- # files and loaded them into the kernel by this point, so reloading click
- # policy from cache, while fairly fast (<2 seconds for 250 profiles on
- # armhf), is redundant. Fixing this would complicate the logic quite a bit
- # and it wouldn't improve the (by far) common case (ie, when
- # 'aa-clickhook -f' is not run).
- load_configured_profiles
-end script
diff --git a/recipes-mac/AppArmor/files/apparmor.service b/recipes-mac/AppArmor/files/apparmor.service
deleted file mode 100644
index e66afe4..0000000
--- a/recipes-mac/AppArmor/files/apparmor.service
+++ /dev/null
@@ -1,22 +0,0 @@
-[Unit]
-Description=AppArmor initialization
-After=local-fs.target
-Before=sysinit.target
-AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
-ConditionSecurity=apparmor
-DefaultDependencies=no
-Documentation=man:apparmor(7)
-Documentation=http://wiki.apparmor.net/
-
-# Don't start this unit on the Ubuntu Live CD
-ConditionPathExists=!/rofs/etc/apparmor.d
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/etc/init.d/apparmor start
-ExecStop=/etc/init.d/apparmor stop
-ExecReload=/etc/init.d/apparmor reload
-
-[Install]
-WantedBy=sysinit.target
diff --git a/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
index ef55de7..585f306 100644
--- a/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
+++ b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
@@ -5,7 +5,7 @@ stuck in the generated Makefile with our cross tools. In this case, linking is
done via the compiler rather than the linker directly so pass in CC not LD
here.
-Signed-Off-By: Tom Rini <trini@konsulko.com>
+Signed-off-by: Tom Rini <trini@konsulko.com>
--- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400
+++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400
diff --git a/recipes-mac/AppArmor/files/disable_pdf.patch b/recipes-mac/AppArmor/files/disable_pdf.patch
deleted file mode 100644
index c6b4bdd..0000000
--- a/recipes-mac/AppArmor/files/disable_pdf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: apparmor-2.10.95/parser/Makefile
-===================================================================
---- apparmor-2.10.95.orig/parser/Makefile
-+++ apparmor-2.10.95/parser/Makefile
-@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
- po/${NAME}.pot: ${SRCS} ${HDRS}
- $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
-
--techdoc.pdf: techdoc.tex
-- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
-- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
-- grep -q "Label(s) may have changed" techdoc.log; \
-- do :; done
--
--techdoc/index.html: techdoc.pdf
-- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
--
--techdoc.txt: techdoc/index.html
-- w3m -dump $< > $@
-
- # targets arranged this way so that people who don't want full docs can
- # pick specific targets they want.
-@@ -159,9 +148,7 @@ manpages: $(MANPAGES)
-
- htmlmanpages: $(HTMLMANPAGES)
-
--pdf: techdoc.pdf
--
--docs: manpages htmlmanpages pdf
-+docs: manpages htmlmanpages
-
- indep: docs
- $(Q)$(MAKE) -C po all
diff --git a/recipes-mac/AppArmor/files/disable_perl_h_check.patch b/recipes-mac/AppArmor/files/disable_perl_h_check.patch
deleted file mode 100644
index cf2640f..0000000
--- a/recipes-mac/AppArmor/files/disable_perl_h_check.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on
-cross compilation. Rather than try and get a compile check to work here,
-we know that we have what's required via our metadata so remove only this
-check.
-
-Signed-Off-By: Tom Rini <trini@konsulko.com>
-
---- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400
-+++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400
-@@ -58,7 +58,6 @@
- AC_PATH_PROG(PERL, perl)
- test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
- perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
-- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
- fi
-
-
diff --git a/recipes-mac/AppArmor/files/functions b/recipes-mac/AppArmor/files/functions
deleted file mode 100644
index e9e2bbf..0000000
--- a/recipes-mac/AppArmor/files/functions
+++ /dev/null
@@ -1,271 +0,0 @@
-# /lib/apparmor/functions for Debian -*- shell-script -*-
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008-2010 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Kees Cook <kees@ubuntu.com>
-
-PROFILES="/etc/apparmor.d"
-PROFILES_CACHE="$PROFILES/cache"
-PROFILES_VAR="/var/lib/apparmor/profiles"
-PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
-PROFILES_CACHE_VAR="/var/cache/apparmor"
-PARSER="/sbin/apparmor_parser"
-SECURITYFS="/sys/kernel/security"
-export AA_SFS="$SECURITYFS/apparmor"
-
-# Suppress warnings when booting in quiet mode
-quiet_arg=""
-[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
-[ "${quiet:-n}" = y ] && quiet_arg="-q"
-
-foreach_configured_profile() {
- rc_all="0"
- for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
- if [ ! -d "$pdir" ]; then
- continue
- fi
- num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
- if [ "$num" = "0" ]; then
- continue
- fi
-
- cache_dir="$PROFILES_CACHE"
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_dir="$PROFILES_CACHE_VAR"
- fi
- cache_args="--cache-loc=$cache_dir"
- if [ ! -d "$cache_dir" ]; then
- cache_args=
- fi
-
- # LP: #1383858 - expr tree simplification is too slow for
- # Touch policy on ARM, so disable it for now
- cache_extra_args=
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_extra_args="-O no-expr-simplify"
- fi
-
- # If need to compile everything, then use -n1 with xargs to
- # take advantage of -P. When cache files are in use, omit -n1
- # since it is considerably faster on moderately sized profile
- # sets to give the parser all the profiles to load at once
- n1_args=
- num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
- if [ "$num" = "0" ]; then
- n1_args="-n1"
- fi
-
- (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- # FIXME: when the parser properly handles broken
- # profiles (LP: #1377338), remove this if statement.
- # For now, if the xargs returns with error, just run
- # through everything with -n1. (This could be broken
- # out and refactored, but this is temporary so make it
- # easy to understand and revert)
- if [ "$rc_all" != "0" ]; then
- (ls -1 "$pdir" | \
- egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- }
- fi
- }
- done
- return $rc_all
-}
-
-load_configured_profiles() {
- clear_cache_if_outdated
- foreach_configured_profile $quiet_arg --write-cache --replace
-}
-
-load_configured_profiles_without_caching() {
- foreach_configured_profile $quiet_arg --replace
-}
-
-recache_profiles() {
- clear_cache
- foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
-}
-
-configured_profile_names() {
- foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
-}
-
-running_profile_names() {
- # Output a sorted list of loaded profiles, skipping libvirt's
- # dynamically generated files
- cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
-}
-
-unload_profile() {
- echo -n "$1" > "$AA_SFS"/.remove
-}
-
-clear_cache() {
- clear_cache_system
- clear_cache_var
-}
-
-clear_cache_system() {
- find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-clear_cache_var() {
- find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-read_features_dir()
-{
- for f in `ls -A "$1"` ; do
- if [ -f "$1/$f" ] ; then
- read -r KF < "$1/$f" || true
- echo -n "$f {$KF } "
- elif [ -d "$1/$f" ] ; then
- echo -n "$f {"
- KF=`read_features_dir "$1/$f"` || true
- echo -n "$KF} "
- fi
- done
-}
-
-clear_cache_if_outdated() {
- if [ -r "$PROFILES_CACHE"/.features ]; then
- if [ -d "$AA_SFS"/features ]; then
- KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
- else
- read -r KERN_FEATURES < "$AA_SFS"/features
- fi
- CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
- if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
- clear_cache
- fi
- fi
-}
-
-unload_obsolete_profiles() {
- # Currently we must re-parse all the profiles to get policy names. :(
- aa_configured=$(mktemp -t aa-XXXXXX)
- configured_profile_names > "$aa_configured" || true
- aa_loaded=$(mktemp -t aa-XXXXXX)
- running_profile_names > "$aa_loaded" || true
- LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
- unload_profile "$profile"
- done
- rm -f "$aa_configured" "$aa_loaded"
-}
-
-# If the system debsum differs from the saved debsum, the new system debsum is
-# saved and non-zero is returned. Returns 0 if the two debsums matched or if
-# the system debsum file does not exist. This can be removed when system image
-# flavors all move to snappy.
-compare_and_save_debsums() {
- pkg="$1"
-
- if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
- sums="/var/lib/dpkg/info/${pkg}.md5sums"
- # store saved md5sums in /var/lib/apparmor/profiles since
- # /var/cache/apparmor might be cleared by apparmor
- saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
-
- if [ -f "$sums" ] && \
- ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
- cp -f "$sums" "$saved_sums"
- return 1
- fi
- fi
-
- return 0
-}
-
-compare_previous_version() {
- installed="/usr/share/snappy/security-policy-version"
- previous="/var/lib/snappy/security-policy-version"
-
- # When just $previous doesn't exist, assume this is a new system with
- # no cache and don't do anything special.
- if [ -f "$installed" ] && [ -f "$previous" ]; then
- pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
- iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
- if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
- # snappy updates $previous elsewhere, so just return
- return 1
- fi
- fi
-
- return 0
-}
-
-# Checks to see if the current container is capable of having internal AppArmor
-# profiles that should be loaded. Callers of this function should have already
-# verified that they're running inside of a container environment with
-# something like `systemd-detect-virt --container`.
-#
-# The only known container environments capable of supporting internal policy
-# are LXD and LXC environment.
-#
-# Returns 0 if the container environment is capable of having its own internal
-# policy and non-zero otherwise.
-#
-# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
-# system container technology being nested inside of a LXD/LXC container that
-# utilized an AppArmor namespace and profile stacking. The reason 0 will be
-# returned is because .ns_stacked will be "yes" and .ns_name will still match
-# "lx[dc]-*" since the nested system container technology will not have set up
-# a new AppArmor profile namespace. This will result in the nested system
-# container's boot process to experience failed policy loads but the boot
-# process should continue without any loss of functionality. This is an
-# unsupported configuration that cannot be properly handled by this function.
-is_container_with_internal_policy() {
- local ns_stacked_path="${AA_SFS}/.ns_stacked"
- local ns_name_path="${AA_SFS}/.ns_name"
- local ns_stacked
- local ns_name
-
- if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
- return 1
- fi
-
- read -r ns_stacked < "$ns_stacked_path"
- if [ "$ns_stacked" != "yes" ]; then
- return 1
- fi
-
- # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
- # "lxc-", respectively. Return non-zero for all other namespace
- # identifiers.
- read -r ns_name < "$ns_name_path"
- if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
- [ "${ns_name#lxc-*}" = "$ns_name" ]; then
- return 1
- fi
-
- return 0
-}
diff --git a/recipes-mac/ccs-tools/README b/recipes-mac/ccs-tools/README
index 4a4faa7..0381814 100644
--- a/recipes-mac/ccs-tools/README
+++ b/recipes-mac/ccs-tools/README
@@ -9,4 +9,4 @@ To start via command line add:
To initialize:
/usr/lib/ccs/init_policy
-DISTRO_FEATURES_append = " tomoyo"
+DISTRO_FEATURES:append = " tomoyo"
diff --git a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index 79af6a5..8185e51 100644
--- a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
+++ b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -2,16 +2,15 @@ SUMMARY = "Tomoyo"
DESCRIPTION = "TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. \nTo start via command line add: \nsecurity=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd \nTo initialize: \n/usr/lib/ccs/init_policy"
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING.ccs;md5=751419260aa954499f7abaabaa882bbe"
DEPENDS = "ncurses"
-DS = "20150505"
+DS = "20210910"
SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
-SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44"
-SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4"
+SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620"
S = "${WORKDIR}/${BPN}"
@@ -24,22 +23,22 @@ do_make(){
}
do_install(){
- oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} install
+ oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} SBINDIR=${sbindir} install
}
PACKAGE="${PN} ${PN}-dbg ${PN}-doc"
-FILES_${PN} = "\
+FILES:${PN} = "\
${sbindir}/* \
${base_sbindir}/* \
${libdir}/* \
"
-FILES_${PN}-doc = "\
+FILES:${PN}-doc = "\
${mandir}/man8/* \
"
-FILES_${PN}-dbg = "\
+FILES:${PN}-dbg = "\
${base_sbindir}/.debug/* \
${sbindir}/.debug/* \
${libdir}/.debug/* \
diff --git a/recipes-mac/smack/smack-test/notroot.py b/recipes-mac/smack/smack-test/notroot.py
index f0eb0b5..89f83f4 100644
--- a/recipes-mac/smack/smack-test/notroot.py
+++ b/recipes-mac/smack/smack-test/notroot.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
#
# Script used for running executables with custom labels, as well as custom uid/gid
# Process label is changed by writing to /proc/self/attr/curent
@@ -9,8 +9,8 @@
# """By default, each user in Debian GNU/Linux is given a corresponding group
# with the same name. """
#
-# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
-# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
#
# Author: Alexandru Cornea <alexandru.cornea@intel.com>
import os
@@ -28,6 +28,6 @@ try:
os.setuid(uid)
os.execv(path,sys.argv)
-except Exception,e:
- print e.message
- sys.exit(1)
+except Exception as e:
+ print(e.strerror)
+ sys.exit(-1)
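Review bot: `print(e.strerror)` only works when the caught exception is an OSError; because the handler is `except Exception as e`, any other exception raised inside the try (which begins above this hunk) has no `strerror` attribute, so the handler itself raises AttributeError and the original error is buried under a traceback. Printing the exception object is safe for every type and still shows errno and strerror for OSError: `print(e, file=sys.stderr)`. The move from `sys.exit(1)` to `sys.exit(-1)` also changes the process exit status to 255, which looks unintended for a plain error path; keep `sys.exit(1)` unless a caller depends on the new value.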
diff --git a/recipes-mac/smack/smack-test/smack_test_file_access.sh b/recipes-mac/smack/smack-test/smack_test_file_access.sh
index 5a0ce84..598f1df 100644
--- a/recipes-mac/smack/smack-test/smack_test_file_access.sh
+++ b/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -8,7 +8,7 @@ CAT=`which cat`
ECHO=`which echo`
uid=1000
initial_label=`cat /proc/self/attr/current`
-python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
chsmack -a "TheOther" $test_file
# 12345678901234567890123456789012345678901234567890123456
@@ -17,7 +17,7 @@ rule_ro="TheOne TheOther r----"
# Remove pre-existent rules for "TheOne TheOther <access>"
echo -n "$delrule" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process with different label than the test file and no read access on it can read it"
exit $RC
@@ -25,7 +25,7 @@ fi
# adding read access
echo -n "$rule_ro" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process with different label than the test file but with read access on it cannot read it"
exit $RC
@@ -36,7 +36,7 @@ echo -n "$delrule" > $SMACK_PATH/load
# changing label of test file to *
# according to SMACK documentation, read access on a * object is always permitted
chsmack -a '*' $test_file
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process cannot read file with * label"
exit $RC
@@ -45,7 +45,7 @@ fi
# changing subject label to *
# according to SMACK documentation, every access requested by a star labeled subject is rejected
TOUCH=`which touch`
-python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
if [ $RC -ne 0 ];then
echo "Process with label '*' should not have any access"
diff --git a/recipes-mac/smack/smack-test_1.0.bb b/recipes-mac/smack/smack-test_1.0.bb
index d5de607..3ab57c6 100644
--- a/recipes-mac/smack/smack-test_1.0.bb
+++ b/recipes-mac/smack/smack-test_1.0.bb
@@ -22,4 +22,4 @@ do_install() {
install -m 0755 *.sh ${D}${sbindir}
}
-RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
+RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test"
diff --git a/recipes-mac/smack/smack_1.3.1.bb b/recipes-mac/smack/smack_1.3.1.bb
index b1ea4e9..6c52392 100644
--- a/recipes-mac/smack/smack_1.3.1.bb
+++ b/recipes-mac/smack/smack_1.3.1.bb
@@ -1,18 +1,23 @@
DESCRIPTION = "Selection of tools for developers working with Smack"
HOMEPAGE = "https://github.com/smack-team/smack"
SECTION = "Security/Access Control"
-LICENSE = "LGPL-2.1"
+LICENSE = "LGPL-2.1-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8"
SRC_URI = " \
- git://github.com/smack-team/smack.git \
+ git://github.com/smack-team/smack.git;branch=master;protocol=https \
file://smack_generator_make_fixup.patch \
file://run-ptest"
PV = "1.3.1"
+# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product.
+CVE_CHECK_IGNORE += "CVE-2014-0363"
+CVE_CHECK_IGNORE += "CVE-2014-0364"
+CVE_CHECK_IGNORE += "CVE-2016-10027"
+
inherit autotools update-rc.d pkgconfig ptest
inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
inherit features_check
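Review bot: The comment introduced above the three `CVE_CHECK_IGNORE` lines does not name the product the CVEs actually belong to and contains typos ("valnerble"), so a later maintainer cannot re-verify why these identifiers are silenced without redoing the research. A clearer wording would be `# CVE-2014-0363, CVE-2014-0364 and CVE-2016-10027 are reported against a different product, not this smack; excluded from cve-check.`, ideally followed by that product's name or a link to the advisory that establishes it. Keeping the justification next to each ignored CVE matters because a cve-check exemption permanently suppresses a security signal for every image that builds this recipe.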
@@ -23,15 +28,15 @@ REQUIRED_DISTRO_FEATURES = "smack"
S = "${WORKDIR}/git"
PACKAGECONFIG ??= ""
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd"
-do_compile_append () {
+do_compile:append () {
oe_runmake -C ${S}/tests generator
}
-do_install_append () {
+do_install:append () {
install -d ${D}${sysconfdir}/init.d
install -d ${D}${sysconfdir}/smack
install -d ${D}${sysconfdir}/smack/accesses.d
@@ -50,10 +55,10 @@ INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "smack"
INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
-FILES_${PN} += "${sysconfdir}/init.d/smack"
-FILES_${PN}-ptest += "generator"
+FILES:${PN} += "${sysconfdir}/init.d/smack"
+FILES:${PN}-ptest += "generator"
-RDEPENDS_${PN} += "coreutils python3-core"
-RDEPENDS_${PN}-ptest += "make bash bc"
+RDEPENDS:${PN} += "coreutils python3-core"
+RDEPENDS:${PN}-ptest += "make bash bc"
BBCLASSEXTEND = "native"
diff --git a/recipes-mac/smack/tcp-smack-test/tcp_client.c b/recipes-mac/smack/tcp-smack-test/tcp_client.c
index 185f973..6c0a474 100644
--- a/recipes-mac/smack/tcp-smack-test/tcp_client.c
+++ b/recipes-mac/smack/tcp-smack-test/tcp_client.c
@@ -1,111 +1,111 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/xattr.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- char message[255] = "hello";
- struct sockaddr_in server_addr;
- char* label_in;
- char* label_out;
- char* attr_out = "security.SMACK64IPOUT";
- char* attr_in = "security.SMACK64IPIN";
- char out[256];
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- struct hostent* host = gethostbyname("localhost");
-
- if (argc != 4)
- {
- perror("Client: Arguments missing, please provide socket labels");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- label_out = argv[3];
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPOUT");
- return 2;
- }
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPIN");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Client: Set timeout failed\n");
- return 2;
- }
-
- if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
- {
- perror("Client: Connection failure");
- close(sock);
- return 1;
- }
-
-
- if(write(sock, message, strlen(message)) < 0)
- {
- perror("Client: Error sending data\n");
- close(sock);
- return 1;
- }
- close(sock);
- return 0;
-}
-
-
-
-
-
-
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ char message[255] = "hello";
+ struct sockaddr_in server_addr;
+ char* label_in;
+ char* label_out;
+ char* attr_out = "security.SMACK64IPOUT";
+ char* attr_in = "security.SMACK64IPIN";
+ char out[256];
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ struct hostent* host = gethostbyname("localhost");
+
+ if (argc != 4)
+ {
+ perror("Client: Arguments missing, please provide socket labels");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ label_out = argv[3];
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPOUT");
+ return 2;
+ }
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPIN");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Client: Set timeout failed\n");
+ return 2;
+ }
+
+ if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+ {
+ perror("Client: Connection failure");
+ close(sock);
+ return 1;
+ }
+
+
+ if(write(sock, message, strlen(message)) < 0)
+ {
+ perror("Client: Error sending data\n");
+ close(sock);
+ return 1;
+ }
+ close(sock);
+ return 0;
+}
+
+
+
+
+
+
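Review bot: `host` from `gethostbyname("localhost")` is dereferenced at `bcopy((char*) host->h_addr, ...)` without a NULL check, so a resolver failure on a minimal image (no hosts entry, no resolver) is a segfault instead of a test diagnostic; udp_client.c has the same pattern. The lookup also runs before the argument check, so it is done even on a usage error. A guard such as `if (host == NULL) { fputs("Client: cannot resolve localhost\n", stderr); return 2; }` placed after the lookup (or the lookup moved below the `argc` check) fixes it. Separately, `atoi` is used with no `<stdlib.h>` include and `bcopy`/`bzero` with no `<strings.h>`, which compile only through implicit declarations; `out[256]` is unused. This hunk appears to re-add the file with identical content (probably a whitespace or line-ending change), so these are carried-over defects now on the new side rather than something this commit introduced.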
diff --git a/recipes-mac/smack/tcp-smack-test/tcp_server.c b/recipes-mac/smack/tcp-smack-test/tcp_server.c
index 9285dc6..3c8921f 100644
--- a/recipes-mac/smack/tcp-smack-test/tcp_server.c
+++ b/recipes-mac/smack/tcp-smack-test/tcp_server.c
@@ -1,118 +1,118 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- int clientsock;
- char message[255];
- socklen_t client_length;
- struct sockaddr_in server_addr, client_addr;
- char* label_in;
- char* attr_in = "security.SMACK64IPIN";
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- if (argc != 3)
- {
- perror("Server: Argument missing please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- bzero(message,255);
-
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Server: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
- {
- perror("Server: Unable to set attribute ipin 2");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure ");
- return 2;
- }
-
- listen(sock, 1);
- client_length = sizeof(client_addr);
-
- clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
-
- if (clientsock < 0)
- {
- perror("Server: Connection failed");
- close(sock);
- return 1;
- }
-
-
- if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
- {
- perror(" Server: Unable to set attribute ipin 2");
- close(sock);
- return 2;
- }
-
- if(read(clientsock, message, 254) < 0)
- {
- perror("Server: Error when reading from socket");
- close(clientsock);
- close(sock);
- return 1;
- }
-
-
- close(clientsock);
- close(sock);
-
- return 0;
-}
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ int clientsock;
+ char message[255];
+ socklen_t client_length;
+ struct sockaddr_in server_addr, client_addr;
+ char* label_in;
+ char* attr_in = "security.SMACK64IPIN";
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ if (argc != 3)
+ {
+ perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ bzero(message,255);
+
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Server: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+ {
+ perror("Server: Unable to set attribute ipin 2");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure ");
+ return 2;
+ }
+
+ listen(sock, 1);
+ client_length = sizeof(client_addr);
+
+ clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+ if (clientsock < 0)
+ {
+ perror("Server: Connection failed");
+ close(sock);
+ return 1;
+ }
+
+
+ if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+ {
+ perror(" Server: Unable to set attribute ipin 2");
+ close(sock);
+ return 2;
+ }
+
+ if(read(clientsock, message, 254) < 0)
+ {
+ perror("Server: Error when reading from socket");
+ close(clientsock);
+ close(sock);
+ return 1;
+ }
+
+
+ close(clientsock);
+ close(sock);
+
+ return 0;
+}
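Review bot: `fsetxattr` is called twice in `main` but `<sys/xattr.h>` is not in the include list, so the call relies on an implicit function declaration; recent GCC versions reject that by default, and udp_client.c and udp_server.c have the same gap (udp_server.c also lacks `<unistd.h>` for `close`, and all three lack `<stdlib.h>` for `atoi`). Adding `#include <sys/xattr.h>` next to the existing includes resolves it. The return value of `listen(sock, 1)` is also unchecked, so a failure there surfaces only as an `accept` error later. As with tcp_client.c, this hunk seems to re-add the file unchanged, so these are pre-existing issues on the new side.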
diff --git a/recipes-mac/smack/udp-smack-test/udp_client.c b/recipes-mac/smack/udp-smack-test/udp_client.c
index 4d3afbe..23f3e00 100644
--- a/recipes-mac/smack/udp-smack-test/udp_client.c
+++ b/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -1,75 +1,75 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- char* message = "hello";
- int sock, ret;
- struct sockaddr_in server_addr;
- struct hostent* host = gethostbyname("localhost");
- char* label;
- char* attr = "security.SMACK64IPOUT";
- int port;
- if (argc != 3)
- {
- perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
- sock = socket(AF_INET, SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
- {
- perror("Client: Unable to set attribute ");
- return 2;
- }
-
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
- sizeof(struct sockaddr_in));
-
- close(sock);
- if(ret < 0)
- {
- perror("Client: Error sending message\n");
- return 1;
- }
-
- return 0;
-}
-
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ char* message = "hello";
+ int sock, ret;
+ struct sockaddr_in server_addr;
+ struct hostent* host = gethostbyname("localhost");
+ char* label;
+ char* attr = "security.SMACK64IPOUT";
+ int port;
+ if (argc != 3)
+ {
+ perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+ sock = socket(AF_INET, SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+ {
+ perror("Client: Unable to set attribute ");
+ return 2;
+ }
+
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+ sizeof(struct sockaddr_in));
+
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Client: Error sending message\n");
+ return 1;
+ }
+
+ return 0;
+}
+
diff --git a/recipes-mac/smack/udp-smack-test/udp_server.c b/recipes-mac/smack/udp-smack-test/udp_server.c
index cbab71e..7d2fcf5 100644
--- a/recipes-mac/smack/udp-smack-test/udp_server.c
+++ b/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -1,93 +1,93 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- int sock,ret;
- struct sockaddr_in server_addr, client_addr;
- socklen_t len;
- char message[5];
- char* label;
- char* attr = "security.SMACK64IPIN";
- int port;
-
- if(argc != 3)
- {
- perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- sock = socket(AF_INET,SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Server: Socket error");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
- {
- perror("Server: Unable to set attribute ");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure");
- return 2;
- }
-
- len = sizeof(client_addr);
- ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
- &len);
- close(sock);
- if(ret < 0)
- {
- perror("Server: Error receiving");
- return 1;
-
- }
- return 0;
-}
-
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ int sock,ret;
+ struct sockaddr_in server_addr, client_addr;
+ socklen_t len;
+ char message[5];
+ char* label;
+ char* attr = "security.SMACK64IPIN";
+ int port;
+
+ if(argc != 3)
+ {
+ perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ sock = socket(AF_INET,SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Server: Socket error");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+ {
+ perror("Server: Unable to set attribute ");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure");
+ return 2;
+ }
+
+ len = sizeof(client_addr);
+ ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+ &len);
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Server: Error receiving");
+ return 1;
+
+ }
+ return 0;
+}
+
diff --git a/recipes-perl/perl/files/libwhisker2.patch b/recipes-perl/perl/files/libwhisker2.patch
index c066366..4ea1ee5 100644
--- a/recipes-perl/perl/files/libwhisker2.patch
+++ b/recipes-perl/perl/files/libwhisker2.patch
@@ -7,6 +7,8 @@ Subject: [PATCH] Mandir and perl install dir were overwritten with faulty
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
---
+Upstream-Status: Pending
+
Makefile.pl | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/recipes-perl/perl/lib-perl_0.63.bb b/recipes-perl/perl/lib-perl_0.63.bb
index 7895864..25d0890 100644
--- a/recipes-perl/perl/lib-perl_0.63.bb
+++ b/recipes-perl/perl/lib-perl_0.63.bb
@@ -4,7 +4,7 @@ directories to Perl's search path so that later 'use' or 'require' statements \
will find modules which are not located in the default search path."
SECTION = "libs"
-LICENSE = "Artistic-1.0 | GPL-1.0+"
+LICENSE = "Artistic-1.0 | GPL-1.0-or-later"
PR = "r0"
LIC_FILES_CHKSUM = "file://README;beginline=26;endline=30;md5=94b119f1a7b8d611efc89b5d562a1a50"
@@ -26,3 +26,10 @@ do_compile() {
export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
cpan_do_compile
}
+
+do_install:append() {
+ # Man pages here conflict wtih the main perl documentation
+ for page in ${D}${mandir}/man*/*; do
+ mv $page $(dirname $page)/${BPN}-$(basename $page)
+ done
+}
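Review bot: The new `do_install:append` loop fails when the glob matches nothing: with no man pages installed, `${D}${mandir}/man*/*` stays unexpanded, `mv` errors on the literal pattern, and since BitBake runs shell tasks with `set -e` the whole task fails. `$page` is also unquoted in the `mv`. Suggested body: `for page in "${D}${mandir}"/man*/*; do` / `[ -e "$page" ] || continue` / `mv "$page" "$(dirname "$page")/${BPN}-$(basename "$page")"`. The comment also has a typo: "conflict wtih" should read "conflict with".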
diff --git a/recipes-perl/perl/libwhisker2-perl_2.5.bb b/recipes-perl/perl/libwhisker2-perl_2.5.bb
index 71857ab..c58d883 100644
--- a/recipes-perl/perl/libwhisker2-perl_2.5.bb
+++ b/recipes-perl/perl/libwhisker2-perl_2.5.bb
@@ -1,7 +1,7 @@
DESCRIPTION = "Libwhisker is a Perl module geared specificly for HTTP testing."
SECTION = "libs"
-LICENSE = "Artistic-1.0 | GPL-1.0+"
+LICENSE = "Artistic-1.0 | GPL-1.0-or-later"
LIC_FILES_CHKSUM = "file://LICENSE;md5=254b8e29606fce6d1c1a4c9e32354573"
@@ -19,11 +19,12 @@ PACKAGEGROUP ??=""
PACKAGEGROUP[ssl] = ", , libnet-ssleay-perl, libnet-ssleay-perl"
do_install() {
- install -d 755 ${D}${PERLLIBDIRS}/vendor_perl/${PERLVERSION}
- install -d 755 ${D}${datadir}/perl/${PERLVERSION}
- oe_runmake install DESTDIR=${D} INSTALLDIR=${PERLLIBDIRS}/vendor_perl/${PERLVERSION} MANDIR=${datadir}/perl/${PERLVERSION}
+ perl_version="${@get_perl_version(d)}"
+ install -d 755 ${D}${PERLLIBDIRS}/vendor_perl/${perl_version}
+ install -d 755 ${D}${datadir}/perl/${perl_version}
+ oe_runmake install DESTDIR=${D} INSTALLDIR=${PERLLIBDIRS}/vendor_perl/${perl_version} MANDIR=${datadir}/perl/${perl_version}
}
-FILES_${PN} += "${datadir}/perl"
+FILES:${PN} += "${datadir}/perl"
BBCLASSEXTEND = "native"
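Review bot: `install -d 755 ${D}${PERLLIBDIRS}/vendor_perl/${perl_version}` on the two new `install -d` lines passes `755` as a second directory operand rather than a mode, so a stray directory named `755` is created in the working directory and the intended directories get default permissions; the mode needs `-m`, i.e. `install -d -m 755 ${D}${PERLLIBDIRS}/vendor_perl/${perl_version}` and likewise for the `${datadir}/perl` line. This was already wrong on the removed lines, but the rewrite is the moment to fix it. `get_perl_version` is presumably supplied by a class inherited outside this hunk; the recipe header is not visible here.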
diff --git a/recipes-scanners/arpwatch/arpwatch_3.1.bb b/recipes-scanners/arpwatch/arpwatch_3.3.bb
index 44aeca0..e547938 100644
--- a/recipes-scanners/arpwatch/arpwatch_3.1.bb
+++ b/recipes-scanners/arpwatch/arpwatch_3.3.bb
@@ -1,18 +1,18 @@
SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings"
LICENSE = "BSD-4-Clause"
HOME_PAGE = "http://ee.lbl.gov/"
-LIC_FILES_CHKSUM = "file://configure;md5=74ca964ed34fda7b46c6fe3e50bded9d"
+LIC_FILES_CHKSUM = "file://configure;md5=0f6cca2f69f384a14e2f5803210ca92e"
-DEPENDS += "libpcap postfix"
+DEPENDS += "libpcap"
SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \
file://arpwatch.conf \
file://arpwatch.default \
file://arpwatch_init \
- file://postfix_workaround.patch \
- file://host_contam_fix.patch "
+ file://host_contam_fix.patch \
+ "
-SRC_URI[sha256sum] = "ee1d15d9a07952c0c017908b9dbfd5ac988fed0058c3cc4fa6c13e0be36f3a9f"
+SRC_URI[sha256sum] = "d47fa8b291fc37a25a2d0f3e1b64f451dc0be82d714a10ffa6ef8b0b9e33e166"
inherit autotools-brokensep update-rc.d useradd
@@ -21,7 +21,9 @@ ARPWATCH_GID ?= "arpwatch"
APRWATCH_FROM ?= "root "
ARPWATH_REPLY ?= "${ARPWATCH_UID}"
-EXTRA_OECONF = " --srcdir=${S} --with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}"
+PACKAGECONFIG ??= ""
+
+PACKAGECONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg"
CONFIGUREOPTS = " --build=${BUILD_SYS} \
--host=${HOST_SYS} \
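Review bot: The configure flags in the new `PACKAGECONFIG[email]` entry never reach `configure`, because the third hunk of this file rewrites `do_configure` as `${S}/configure ${CONFIGUREOPTS}` and drops `${EXTRA_OECONF}`; the autotools classes put PACKAGECONFIG flags into `PACKAGECONFIG_CONFARGS`, and nothing visible here appends it. Unless something outside the hunk does, the call should read `${S}/configure ${CONFIGUREOPTS} ${PACKAGECONFIG_CONFARGS}`. Also, `-with-watcher=email=${APRWATCH_FROM}` has a single leading dash while the removed line and the neighbouring `--with-watchee` use two; autoconf scripts generally accept the short form, but spelling it `--with-watcher` keeps it consistent and easier to grep.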
@@ -37,19 +39,20 @@ CONFIGUREOPTS = " --build=${BUILD_SYS} \
--localstatedir=${localstatedir} \
--libdir=${libdir} \
--includedir=${includedir} \
- --oldincludedir=${oldincludedir} \
--infodir=${infodir} \
--mandir=${mandir} \
+ --srcdir=${S} \
+ --with-sendmail=${sbindir}/sendmail \
"
do_configure () {
- ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+ ${S}/configure ${CONFIGUREOPTS}
}
do_install () {
install -d ${D}${bindir}
install -d ${D}${sbindir}
- install -d ${D}${mandir}
+ install -d ${D}${mandir}/man8
install -d ${D}${sysconfdir}
install -d ${D}${sysconfdir}/default
install -d ${D}${sysconfdir}/init.d
@@ -66,14 +69,18 @@ INITSCRIPT_NAME = "arpwatch"
INITSCRIPT_PARAMS = "start 02 2 3 4 5 . stop 20 0 1 6 ."
USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system ${ARPWATCH_UID}"
-USERADD_PARAM_${PN} = "--system -g ${ARPWATCH_GID} --home-dir \
+GROUPADD_PARAM:${PN} = "--system ${ARPWATCH_UID}"
+USERADD_PARAM:${PN} = "--system -g ${ARPWATCH_GID} --home-dir \
${localstatedir}/spool/${BPN} \
--no-create-home --shell /bin/false ${BPN}"
CONFFILE_FILES = "${sysconfdir}/${PN}.conf"
-FILES_${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
+FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
${sysconfdir} /var/lib/arpwatch"
-RDEPENDS_${PN} = "libpcap postfix postfix-cfg"
+COMPATIBLE_HOST:riscv32 = "null"
+COMPATIBLE_HOST:riscv64 = "null"
+COMPATIBLE_HOST:libc-musl = "null"
+
+RDEPENDS:${PN} = "libpcap"
diff --git a/recipes-scanners/arpwatch/files/host_contam_fix.patch b/recipes-scanners/arpwatch/files/host_contam_fix.patch
index 7d7ffac..2e27aa4 100644
--- a/recipes-scanners/arpwatch/files/host_contam_fix.patch
+++ b/recipes-scanners/arpwatch/files/host_contam_fix.patch
@@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: arpwatch-3.0/configure
+Index: arpwatch-3.3/configure
===================================================================
---- arpwatch-3.0.orig/configure
-+++ arpwatch-3.0/configure
-@@ -4349,8 +4349,8 @@ fi
+--- arpwatch-3.3.orig/configure
++++ arpwatch-3.3/configure
+@@ -4353,8 +4353,8 @@ fi
CC=cc
export CC
fi
diff --git a/recipes-scanners/arpwatch/files/postfix_workaround.patch b/recipes-scanners/arpwatch/files/postfix_workaround.patch
deleted file mode 100644
index 95213f2..0000000
--- a/recipes-scanners/arpwatch/files/postfix_workaround.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-Sendmail exists after the system boots. We are using postfix
-so no need to check if it exists.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: arpwatch-3.0/configure
-===================================================================
---- arpwatch-3.0.orig/configure
-+++ arpwatch-3.0/configure
-@@ -636,7 +636,6 @@ LBL_LIBS
- HAVE_FREEBSD_TRUE
- HAVE_FREEBSD_FALSE
- PYTHON
--V_SENDMAIL
- LIBOBJS
- INSTALL_DATA
- INSTALL_SCRIPT
-@@ -5573,53 +5572,6 @@ fi
- done
-
-
--# Extract the first word of "sendmail", so it can be a program name with args.
--set dummy sendmail; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_V_SENDMAIL+:} false; then :
-- $as_echo_n "(cached) " >&6
--else
-- case $V_SENDMAIL in
-- [\\/]* | ?:[\\/]*)
-- ac_cv_path_V_SENDMAIL="$V_SENDMAIL" # Let the user override the test with a path.
-- ;;
-- *)
-- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--as_dummy="$PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc"
--for as_dir in $as_dummy
--do
-- IFS=$as_save_IFS
-- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-- ac_cv_path_V_SENDMAIL="$as_dir/$ac_word$ac_exec_ext"
-- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-- break 2
-- fi
--done
-- done
--IFS=$as_save_IFS
--
-- ;;
--esac
--fi
--V_SENDMAIL=$ac_cv_path_V_SENDMAIL
--if test -n "$V_SENDMAIL"; then
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_SENDMAIL" >&5
--$as_echo "$V_SENDMAIL" >&6; }
--else
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--
--
--if test -z "${V_SENDMAIL}" ; then
-- as_fn_error $? "Can't find sendmail" "$LINENO" 5
--fi
--
--
- python=${PYTHON:-python}
- # Extract the first word of "${python}", so it can be a program name with args.
- set dummy ${python}; ac_word=$2
-Index: arpwatch-3.0/configure.in
-===================================================================
---- arpwatch-3.0.orig/configure.in
-+++ arpwatch-3.0/configure.in
-@@ -76,13 +76,6 @@ AC_LBL_UNION_WAIT
- AC_CHECK_LIB(resolv, res_query)
- AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
-
--AC_PATH_PROG(V_SENDMAIL, sendmail,,
-- $PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc)
--
--if test -z "${V_SENDMAIL}" ; then
-- AC_MSG_ERROR([Can't find sendmail])
--fi
--
- dnl AC_LBL_CHECK_TYPE(int32_t, int)
- dnl AC_LBL_CHECK_TYPE(u_int32_t, u_int)
-
diff --git a/recipes-scanners/buck-security/buck-security_0.7.bb b/recipes-scanners/buck-security/buck-security_0.7.bb
index 20a1fb0..85884a7 100644
--- a/recipes-scanners/buck-security/buck-security_0.7.bb
+++ b/recipes-scanners/buck-security/buck-security_0.7.bb
@@ -2,7 +2,7 @@ SUMMARY = "Linux security scanner"
DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \
system. This enables you to quickly overview the security status of your Linux system."
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz"
@@ -26,16 +26,17 @@ do_install() {
}
-FILES_${PN} = "${bindir}/*"
+FILES:${PN} = "${bindir}/*"
-RDEPENDS_${PN} = "coreutils gnupg net-tools perl perl-module-data-dumper \
+RDEPENDS:${PN} = "coreutils gnupg net-tools perl perl-module-data-dumper \
perl-module-file-basename perl-module-file-spec perl-module-getopt-long \
perl-module-lib perl-module-posix perl-module-term-ansicolor \
perl-module-time-localtime pinentry perl-module-pod-usage \
perl-module-pod-text perl-module-file-glob \
+ perl-module-cwd perl-module-encode perl-module-encode-encoding \
"
-RDEPENDS_${PN}_class-native = "coreutils net-tools perl perl-module-data-dumper \
+RDEPENDS:${PN}:class-native = "coreutils net-tools perl perl-module-data-dumper \
perl-module-file-basename perl-module-file-spec perl-module-getopt-long \
perl-module-lib perl-module-posix perl-module-term-ansicolor \
perl-module-time-localtime perl-module-file-glob\
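Review bot: The three modules added to `RDEPENDS:${PN}` (`perl-module-cwd perl-module-encode perl-module-encode-encoding`) are not mirrored in `RDEPENDS:${PN}:class-native` two lines below, even though both lists otherwise track each other. If the native build runs the same scanner scripts it needs them too; if the omission is deliberate, a one-line comment such as `# native variant does not run the gnupg/encode-based checks` above the native list would stop the next reader from "fixing" it.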
diff --git a/recipes-scanners/checksec/checksec_2.4.0.bb b/recipes-scanners/checksec/checksec_2.6.0.bb
index 52bcf7c..1ba3721 100644
--- a/recipes-scanners/checksec/checksec_2.4.0.bb
+++ b/recipes-scanners/checksec/checksec_2.6.0.bb
@@ -1,13 +1,13 @@
SUMMARY = "Linux system security checks"
DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
SECTION = "security"
-LICENSE = "BSD"
+LICENSE = "BSD-3-Clause"
HOMEPAGE="https://github.com/slimm609/checksec.sh"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8d90285f711cf1f378e2c024457066d8"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836"
-SRCREV = "c3754e45e04f9104db93b2048afd094427102d48"
-SRC_URI = "git://github.com/slimm609/checksec.sh"
+SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2"
+SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https"
S = "${WORKDIR}/git"
@@ -16,4 +16,6 @@ do_install() {
install -m 0755 ${S}/checksec ${D}${bindir}
}
-RDEPENDS_${PN} = "bash openssl-bin binutils"
+RDEPENDS:${PN} = "bash openssl-bin binutils findutils file procps"
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-scanners/checksecurity/files/setuid-log-folder.patch b/recipes-scanners/checksecurity/files/setuid-log-folder.patch
deleted file mode 100644
index 540ea9c..0000000
--- a/recipes-scanners/checksecurity/files/setuid-log-folder.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Thu, 20 Jun 2013 15:14:55 +0300
-Subject: [PATCH] changed log folder for check-setuid
-
-check-setuid was creating logs in /var/log directory,
-which cannot be created persistently. To avoid errors
-the log folder was changed to /etc/checksecurity/.
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
----
- etc/check-setuid.conf | 2 +-
- plugins/check-setuid | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf
-index 621336f..e1532c0 100644
---- a/etc/check-setuid.conf
-+++ b/etc/check-setuid.conf
-@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false"
- #
- # Location of setuid file databases.
- #
--LOGDIR=/var/log/setuid
-+LOGDIR=/etc/checksecurity/
-diff --git a/plugins/check-setuid b/plugins/check-setuid
-index 8d6f90b..bdb21c1 100755
---- a/plugins/check-setuid
-+++ b/plugins/check-setuid
-@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then
- exit 1
- fi
-
--TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
--TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
-+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp
-+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp
-
- #
- # Check for NFS/AFS mounts that are not nosuid/nodev
-@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
- fi
-
- # Guard against undefined vars
--[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
-+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/
- if [ ! -e "$LOGDIR" ] ; then
- echo "ERROR: Log directory $LOGDIR does not exist"
- exit 1
---
-1.7.9.5
-
diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.4.bb
index 4f20309..102f267 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.4.bb
@@ -2,23 +2,24 @@ SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface"
DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats."
HOMEPAGE = "http://www.clamav.net/index.html"
SECTION = "security"
-LICENSE = "LGPL-2.1"
+LICENSE = "LGPL-2.1-only"
DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 bison pcre2 json-c libcheck"
+COMPATIBLE_HOST:libc-musl:class-target = "null"
+
LIC_FILES_CHKSUM = "file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17"
-# May 15th
-SRCREV = "fe96de86bb90c489aa509ee9135f776b7a2a7eb4"
+# July 30th, 2022
+SRCREV = "563ba93052f3b7b46fb8725a65ee6299a9c332cf"
-SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \
+SRC_URI = "git://github.com/Cisco-Talos/clamav;branch=rel/0.104;protocol=https \
file://clamd.conf \
file://freshclam.conf \
file://volatiles.03_clamav \
file://tmpfiles.clamav \
file://headers_fixup.patch \
file://oe_cmake_fixup.patch \
- file://fix_systemd_socket.patch \
"
S = "${WORKDIR}/git"
@@ -52,9 +53,9 @@ PACKAGECONFIG[systemd] = "-DENABLE_SYSTEMD=ON -DSYSTEMD_UNIT_DIR=${systemd_syste
export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_libdir} -L${STAGING_LIBDIR} -lpthread"
-do_install_append () {
+do_install:append () {
install -d ${D}/${sysconfdir}
- install -d ${D}/${localstatedir}/lib/clamav
+ install -d -o ${PN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
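Review bot: `install -d -o ${PN} -g ${CLAMAV_GID}` sets the owner by account name at build time, and the USERADD_PARAM hunk further down switches the created account from `${BPN}` to `${PN}` while its `--home-dir` on the preceding line still uses `${BPN}`; in a multilib build `${PN}` carries the `lib32-`/`lib64-` prefix, so the account name and the directory created here (`${localstatedir}/lib/clamav`) would diverge, and any `User clamav` setting in the shipped clamd.conf/freshclam.conf (not in this diff) would name an account that no longer exists. Using `${BPN}` in both places — `install -d -o ${BPN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav` here and `--no-create-home --shell /sbin/nologin ${BPN}"` in the USERADD hunk — keeps the name stable across variants. Note also that the `chown -R` removed from pkg_postinst in the following hunk re-owned files already in the directory, whereas `install -d` only sets the directory itself; that is fine for a fresh rootfs but leaves previously root-owned database files untouched on an in-place package upgrade.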
@@ -67,7 +68,6 @@ do_install_append () {
fi
rm ${D}/${libdir}/libfreshclam.so
- rm ${D}/${libdir}/libmspack.so
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -d ${D}${sysconfdir}/tmpfiles.d
@@ -76,30 +76,29 @@ do_install_append () {
oe_multilib_header clamav-types.h
}
-pkg_postinst_${PN} () {
+pkg_postinst:${PN} () {
if [ -z "$D" ]; then
if command -v systemd-tmpfiles >/dev/null; then
systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
- chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
fi
}
PACKAGES += "${PN}-daemon ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav"
-FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit ${sbindir}/clamonacc \
+FILES:${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit ${sbindir}/clamonacc \
${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \
${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \
${docdir}/clamav/*"
-FILES_${PN}-clamdscan = " ${bindir}/clamdscan \
+FILES:${PN}-clamdscan = " ${bindir}/clamdscan \
${docdir}/clamdscan/* \
${mandir}/man1/clamdscan* \
"
-FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
+FILES:${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \
${mandir}/man5/clamd* ${mandir}/man8/clamd* \
${sysconfdir}/clamd.conf* \
@@ -111,7 +110,7 @@ FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
${systemd_system_unitdir}/clamav-clamonacc.service \
"
-FILES_${PN}-freshclam = "${bindir}/freshclam \
+FILES:${PN}-freshclam = "${bindir}/freshclam \
${sysconfdir}/freshclam.conf* \
/usr/etc/freshclam.conf* \
${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
@@ -121,33 +120,38 @@ FILES_${PN}-freshclam = "${bindir}/freshclam \
${mandir}/man5/freshclam.conf.* \
${systemd_system_unitdir}/clamav-freshclam.service"
-FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
+FILES:${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
${libdir}/pkgconfig/*.pc \
${mandir}/man1/clamav-config.* \
- ${includedir}/*.h ${docdir}/libclamav* "
+ ${includedir}/*.h ${docdir}/libclamav* \
+ ${libdir}/libmspack.so"
-FILES_${PN}-staticdev = "${libdir}/*.a"
+FILES:${PN}-staticdev = "${libdir}/*.a"
-FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \
+FILES:${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \
${libdir}/libfreshclam.so* ${docdir}/libclamav/* \
${libdir}/libmspack* "
-FILES_${PN}-doc = "${mandir}/man/* \
+FILES:${PN}-doc = "${mandir}/man/* \
${datadir}/man/* \
${docdir}/* "
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"
-USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \
+USERADD_PACKAGES = "${PN}-freshclam "
+GROUPADD_PARAM:${PN}-freshclam = "--system ${CLAMAV_UID}"
+USERADD_PARAM:${PN}-freshclam = "--system -g ${CLAMAV_GID} --home-dir \
${localstatedir}/lib/${BPN} \
- --no-create-home --shell /sbin/nologin ${BPN}"
+ --no-create-home --shell /sbin/nologin ${PN}"
-RPROVIDES_${PN} += "${PN}-systemd"
-RREPLACES_${PN} += "${PN}-systemd"
-RCONFLICTS_${PN} += "${PN}-systemd"
+RPROVIDES:${PN} += "${PN}-systemd"
+RREPLACES:${PN} += "${PN}-systemd"
+RCONFLICTS:${PN} += "${PN}-systemd"
SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam"
-SYSTEMD_SERVICE_${PN}-daemon = "clamav-daemon.service"
-SYSTEMD_SERVICE_${PN}-freshclam = "clamav-freshclam.service"
+SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
+SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
+
+INSANE_SKIP:${PN}-libclamav += "dev-so"
-RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
-RDEPENDS_${PN}-daemon = "clamav"
+RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav"
+RRECOMMENDS:${PN} = "clamav-freshclam"
+RDEPENDS:${PN}-freshclam = "clamav"
+RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"
diff --git a/recipes-scanners/clamav/files/fix_systemd_socket.patch b/recipes-scanners/clamav/files/fix_systemd_socket.patch
deleted file mode 100644
index 3e9abe2..0000000
--- a/recipes-scanners/clamav/files/fix_systemd_socket.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-clamd not installing clamav-daemon.socket
-
-Fixes:
-__main__.SystemdUnitNotFoundError: (PosixPath('../security-build-image/1.0-r0/rootfs'), 'clamav-daemon.socket')
-%post(clamav-daemon-0.104.0-r0.core2_64): waitpid(3587571) rc 3587571 status 100
-warning: %post(clamav-daemon-0.104.0-r0.core2_64) scriptlet failed, exit status 1
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/clamd/CMakeLists.txt
-===================================================================
---- git.orig/clamd/CMakeLists.txt
-+++ git/clamd/CMakeLists.txt
-@@ -54,4 +54,10 @@ if(SYSTEMD_FOUND)
- install(
- FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.service
- DESTINATION ${SYSTEMD_UNIT_DIR})
-+ configure_file(
-+ ${CMAKE_CURRENT_SOURCE_DIR}/clamav-daemon.socket.in
-+ ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket @ONLY)
-+ install(
-+ FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket
-+ DESTINATION ${SYSTEMD_UNIT_DIR})
- endif()
diff --git a/recipes-scanners/clamav/files/headers_fixup.patch b/recipes-scanners/clamav/files/headers_fixup.patch
index 9de0a26..369aa58 100644
--- a/recipes-scanners/clamav/files/headers_fixup.patch
+++ b/recipes-scanners/clamav/files/headers_fixup.patch
@@ -7,7 +7,7 @@ Index: git/CMakeLists.txt
===================================================================
--- git.orig/CMakeLists.txt
+++ git/CMakeLists.txt
-@@ -374,8 +373,6 @@ check_include_file("stdlib.h"
+@@ -443,8 +443,6 @@ check_include_file("stdlib.h"
check_include_file("string.h" HAVE_STRING_H)
check_include_file("strings.h" HAVE_STRINGS_H)
check_include_file("sys/cdefs.h" HAVE_SYS_CDEFS_H)
@@ -16,7 +16,7 @@ Index: git/CMakeLists.txt
check_include_file("sys/mman.h" HAVE_SYS_MMAN_H)
check_include_file("sys/param.h" HAVE_SYS_PARAM_H)
check_include_file("sys/queue.h" HAVE_SYS_QUEUE_H)
-@@ -410,8 +407,6 @@ endif()
+@@ -479,8 +477,6 @@ endif()
# int-types variants
check_include_file("inttypes.h" HAVE_INTTYPES_H)
@@ -25,7 +25,7 @@ Index: git/CMakeLists.txt
check_include_file("stdint.h" HAVE_STDINT_H)
# this hack required to silence warnings on systems with inttypes.h
-@@ -539,17 +528,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
+@@ -608,17 +604,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
# Checks for library functions.
include(CheckSymbolExists)
check_symbol_exists(_Exit "stdlib.h" HAVE__EXIT)
@@ -44,7 +44,7 @@ Index: git/CMakeLists.txt
check_symbol_exists(timegm "time.h" HAVE_TIMEGM)
check_symbol_exists(vsnprintf "stdio.h" HAVE_VSNPRINTF)
-@@ -563,10 +546,9 @@ else()
+@@ -632,10 +622,9 @@ else()
check_symbol_exists(fseeko "stdio.h" HAVE_FSEEKO)
check_symbol_exists(getaddrinfo "netdb.h" HAVE_GETADDRINFO)
check_symbol_exists(getpagesize "unistd.h" HAVE_GETPAGESIZE)
diff --git a/recipes-scanners/clamav/files/oe_cmake_fixup.patch b/recipes-scanners/clamav/files/oe_cmake_fixup.patch
index b284915..c9c88b9 100644
--- a/recipes-scanners/clamav/files/oe_cmake_fixup.patch
+++ b/recipes-scanners/clamav/files/oe_cmake_fixup.patch
@@ -22,7 +22,7 @@ Index: git/CMakeLists.txt
if(C_LINUX)
if(CMAKE_COMPILER_IS_GNUCXX)
# Set _GNU_SOURCE for O_LARGEFILE, O_CLOEXEC, O_DIRECTORY, O_NOFOLLOW, etc flags on older systems
-@@ -512,14 +506,8 @@ include(TestInline)
+@@ -581,14 +575,8 @@ include(TestInline)
include(CheckFileOffsetBits)
# Determine how to pack structs on this platform.
include(CheckStructPacking)
diff --git a/recipes-scanners/rootkits/chkrootkit_0.53.bb b/recipes-scanners/rootkits/chkrootkit_0.57.bb
index 4536be3..d35f5f6 100644
--- a/recipes-scanners/rootkits/chkrootkit_0.53.bb
+++ b/recipes-scanners/rootkits/chkrootkit_0.57.bb
@@ -5,9 +5,9 @@ SECTION = "security"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff"
-SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz"
-SRC_URI[sha256sum] = "7262dae33b338976828b5d156b70d159e0043c0db43ada8dee66c97387cf45b5"
-
+SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
+ file://musl_fix.patch"
+SRC_URI[sha256sum] = "06d1faee151aa3e3c0f91ac807ca92e60b75ed1c18268ccef2c45117156d253c"
inherit autotools-brokensep
diff --git a/recipes-scanners/rootkits/files/musl_fix.patch b/recipes-scanners/rootkits/files/musl_fix.patch
new file mode 100644
index 0000000..a33523b
--- /dev/null
+++ b/recipes-scanners/rootkits/files/musl_fix.patch
@@ -0,0 +1,58 @@
+chkrootkit: Fix missing includes for musl
+
+
+Upstream-Status: Backport
+https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07737b95af2452c0055e1ed0660590c1487befdb
+https://bugs.gentoo.org/715552
+
+Signed-off-by: Armin Kuster <akuster808@gamil.com>
+
+Index: chkrootkit-0.55/chkdirs.c
+===================================================================
+--- chkrootkit-0.55.orig/chkdirs.c
++++ chkrootkit-0.55/chkdirs.c
+@@ -33,7 +33,7 @@
+ #elif defined(__APPLE__) && defined(__MACH__)
+ #include <sys/syslimits.h>
+ #endif
+-
++#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/types.h>
+Index: chkrootkit-0.55/chklastlog.c
+===================================================================
+--- chkrootkit-0.55.orig/chklastlog.c
++++ chkrootkit-0.55/chklastlog.c
+@@ -41,6 +41,7 @@ int main () { return 0; }
+ #include <stdlib.h>
+ #endif
+ #include <sys/stat.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <string.h>
+ #include <signal.h>
+Index: chkrootkit-0.55/chkproc.c
+===================================================================
+--- chkrootkit-0.55.orig/chkproc.c
++++ chkrootkit-0.55/chkproc.c
+@@ -65,6 +65,7 @@ int main (){ return 0; }
+ #include <string.h>
+ #include <errno.h>
+ #include <sys/types.h>
++#include <fcntl.h>
+ #include <dirent.h>
+ #include <ctype.h>
+ #include <stdlib.h>
+Index: chkrootkit-0.55/chkwtmp.c
+===================================================================
+--- chkrootkit-0.55.orig/chkwtmp.c
++++ chkrootkit-0.55/chkwtmp.c
+@@ -25,6 +25,7 @@ int main () { return 0; }
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
++#include <fcntl.h>
+ #include <string.h>
+ #include <utmp.h>
+ #include <time.h>
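Review bot: The Signed-off-by trailer at the top of the new patch reads `akuster808@gamil.com`, which looks like a typo for the `gmail.com` address used on the other new patch in this series (exclude_seccomp_util_compiles.patch) and is worth fixing before it lands. The `Index:` headers also name `chkrootkit-0.55` while the recipe now builds 0.57; that is harmless with the default strip level, but since the header says `Upstream-Status: Backport` a line naming the upstream version or commit the hunks were taken from would make the provenance verifiable without following the two Gentoo links.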
diff --git a/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
new file mode 100644
index 0000000..7e70692
--- /dev/null
+++ b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
@@ -0,0 +1,45 @@
+Exclude all the seccomp files to run during build.
+
+Upstream-Status: Inappropriate [embedded specific]
+There are some files that need to run to generate the appropriate files
+we are currently doing this on the target.
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Makefile
+===================================================================
+--- git.orig/Makefile
++++ git/Makefile
+@@ -18,7 +18,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION
+ MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+ COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+ MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+ ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
+
+ .PHONY: all
+@@ -43,7 +42,7 @@ $(MANPAGES): src/man config.mk
+
+ man: $(MANPAGES)
+
+-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
++filters: $(SBOX_APPS_NON_DUMPABLE)
+ seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ src/fseccomp/fseccomp default seccomp
+ src/fsec-optimize/fsec-optimize seccomp
+@@ -72,7 +71,6 @@ clean:
+ done
+ $(MAKE) -C test clean
+ rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+- rm -f $(SECCOMP_FILTERS)
+ rm -f test/utils/index.html*
+ rm -f test/utils/wget-log
+ rm -f test/utils/firejail-test-file*
+@@ -110,7 +108,7 @@ endif
+ # libraries and plugins
+ install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+- install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
++ install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+ # plugins w/o read permission (non-dumpable)
diff --git a/recipes-security/Firejail/firejail_0.9.72.bb b/recipes-security/Firejail/firejail_0.9.72.bb
new file mode 100644
index 0000000..5713f46
--- /dev/null
+++ b/recipes-security/Firejail/firejail_0.9.72.bb
@@ -0,0 +1,65 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+SUMMARY = "Linux namespaces and seccomp-bpf sandbox"
+DESCRIPTION = "Firejail is a SUID sandbox program that reduces the risk of security breaches \
+by restricting the running environment of untrusted applications using Linux namespaces, \
+seccomp-bpf and Linux capabilities."
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0-only"
+
+SRCREV = "2551bc71f14052344666f3ca2ad67f5b798020b9"
+SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master \
+ file://exclude_seccomp_util_compiles.patch \
+ "
+
+DEPENDS = "libseccomp"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig bash-completion features_check
+
+REQUIRED_DISTRO_FEATURES = "seccomp"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}"
+
+PACKAGECONFIG[apparmor] = "--enable-apparmor, --disable-apparmor, apparmor, apparmor"
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
+PACKAGECONFIG[x11] = " --enable-x11, --disable-x11, "
+PACKAGECONFIG[dbusproxy] = ", --disable-dbusproxy, "
+PACKAGECONFIG[notmpfs] = ", --disable-usertmpfs ,"
+PACKAGECONFIG[nofiretunnel] = ", --disable-firetunnel , "
+PACKAGECONFIG[noprivatehome] = ", --disable-private-home, "
+PACKAGECONFIG[nochroot] = ", --disable-chroot, "
+PACKAGECONFIG[nonetwork] = ", --disable-network, "
+PACKAGECONFIG[nouserns] = ", --disable-userns, "
+PACKAGECONFIG[nofiletransfer] = ", --disable-file-transfer, "
+PACKAGECONFIG[nosuid] = ", --disable-suid, "
+
+EXTRA_OECONF = "--disable-man --enable-busybox-workaround"
+
+PACKAGES:append = " ${PN}-vim ${PN}-zsh"
+
+FILES:${PN}-vim = "${datadir}/vim/"
+FILES:${PN}-zsh = "${datadir}/zsh/"
+FILES:${PN}-dev = "${datadir}/gtksourceview-5/"
+
+pkg_postinst_ontarget:${PN} () {
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp.debug allow-debuggers
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.debug
+ ${libdir}/${BPN}/fseccomp secondary 32 ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fseccomp secondary block ${libdir}/${BPN}/seccomp.block_secondary
+ ${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx
+}
+
+COMPATIBLE_MACHINE:x86_64 = "x86_64"
+COMPATIBLE_MACHINE:arm64 = "arch64"
+
+RDEPENDS:${PN} = "bash"
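Review bot: `pkg_postinst_ontarget:${PN}` regenerates only five of the six filters that the bundled patch drops from `SECCOMP_FILTERS` (`seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32`) — `seccomp.mdwx.32` is never produced, so a profile combining memory-deny-write-execute with 32-bit secondary-arch filtering would find the file missing at runtime; upstream's Makefile builds it with a `memory-deny-write-execute.32` fseccomp command if memory serves, so verify against src/fseccomp before adding the line. The eight generator calls also run with no exit-status handling, so a failing `fseccomp` leaves a partial filter set and nothing surfaces the error; chaining them with `&&` or ending each with `|| exit 1` would make the postinst fail loudly. Separately, `COMPATIBLE_MACHINE:arm64 = "arch64"` looks like a double typo: the 64-bit ARM target-arch override is `aarch64`, and the value presumably was meant to be `aarch64` as well (the `x86_64` line likewise assumes that token appears in MACHINEOVERRIDES for the intended machines, which is worth confirming).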
diff --git a/recipes-security/aircrack-ng/aircrack-ng_1.3.bb b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
index d739227..d3722c0 100644
--- a/recipes-security/aircrack-ng/aircrack-ng_1.3.bb
+++ b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
@@ -1,7 +1,7 @@
SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks"
DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools."
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8"
@@ -9,8 +9,8 @@ DEPENDS = "libnl openssl sqlite3 libpcre libpcap"
SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz"
-SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623"
-SRC_URI[sha256sum] = "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca"
+SRC_URI[md5sum] = "22ddc85549b51ed0da0931d01ef215e5"
+SRC_URI[sha256sum] = "4f0bfd486efc6ea7229f7fbc54340ff8b2094a0d73e9f617e0a39f878999a247"
inherit autotools-brokensep pkgconfig
@@ -29,6 +29,8 @@ do_install () {
make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install
}
-FILES_${PN} += "/usr/local/"
+FILES:${PN} += "${libdir}/*.so"
+FILES_SOLIBSDEV = ""
+INSANE_SKIP:${PN} += "dev-so"
-RDEPENDS_${PN} = "libpcap"
+RDEPENDS:${PN} = "libpcap"
diff --git a/recipes-security/chipsec/chipsec_1.9.1.bb b/recipes-security/chipsec/chipsec_1.9.1.bb
new file mode 100644
index 0000000..9fbdaa7
--- /dev/null
+++ b/recipes-security/chipsec/chipsec_1.9.1.bb
@@ -0,0 +1,34 @@
+SUMMARY = "CHIPSEC: Platform Security Assessment Framework"
+
+DESCRIPTION = "CHIPSEC is a framework for analyzing the security \
+ of PC platforms including hardware, system firmware \
+ (BIOS/UEFI), and platform components."
+
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
+
+DEPENDS = "virtual/kernel nasm-native"
+
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
+SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc"
+
+S = "${WORKDIR}/git"
+
+inherit module setuptools3
+
+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
+do_compile:append() {
+ cd ${S}/drivers/linux
+ oe_runmake KSRC=${STAGING_KERNEL_BUILDDIR}
+}
+
+do_install:append() {
+ install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
+}
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+FILES:${PN} += "${exec_prefix}"
+
+RDEPENDS:${PN} = "python3 python3-modules"
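Review bot: The out-of-tree driver is compiled with the recipe's userspace toolchain settings — `EXTRA_OEMAKE` passes `CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'` to the `oe_runmake KSRC=${STAGING_KERNEL_BUILDDIR}` call in `do_compile:append` — while the inherited `module.bbclass` provides `KERNEL_CC`/`KERNEL_LD` for exactly that purpose; unless chipsec's driver Makefile ignores CC/CFLAGS this deserves a check on a clean build. `FILES:${PN} += "${exec_prefix}"` also packages everything under /usr rather than the one file the append installs; `${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux/chipsec.ko` would be the precise entry. A one-line comment noting what this module grants would help anyone pulling the recipe into an image, e.g. `# chipsec.ko exposes physical memory, MSR and PCI config access to userspace: assessment images only, never production rootfs.`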
diff --git a/recipes-security/cryptmount/cryptmount_6.2.0.bb b/recipes-security/cryptmount/cryptmount_6.2.0.bb
new file mode 100644
index 0000000..d69d88b
--- /dev/null
+++ b/recipes-security/cryptmount/cryptmount_6.2.0.bb
@@ -0,0 +1,36 @@
+SUMMARY = "Linux encrypted filesystem management tool"
+HOMEPAGE = "http://cryptmount.sourceforge.net/"
+LIC_FILES_CHKSUM = "file://COPYING;beginline=1;endline=4;md5=6e69c425bf32ecf9b1e11d29d146d03d"
+LICENSE = "GPL-2.0-only"
+SRC_URI = "https://sourceforge.net/projects/cryptmount/files/${BPN}/${BPN}-6.2/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "90cc49fd598d636929c70479b1305f12b011edadf4a54578ace6c0fca8cb5ed2"
+
+inherit autotools-brokensep gettext pkgconfig systemd
+
+EXTRA_OECONF = " --enable-cswap --enable-fsck --enable-argv0switch"
+
+PACKAGECONFIG ?="intl luks gcrypt nls"
+PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[systemd] = "--with-systemd, --without-systemd, systemd"
+PACKAGECONFIG[intl] = "--with-libintl-prefix, --without-libintl-prefix"
+PACKAGECONFIG[gcrypt] = "--with-libgcrypt, --without-libgcrypt, libgcrypt"
+PACKAGECONFIG[luks] = "--enable-luks, --disable-luks, cryptsetup"
+PACKAGECONFIG[nls] = "--enable-nls, --disable-nls, "
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "cryptmount.service"
+
+do_install:append () {
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -D -m 0644 ${S}/sysinit/cryptmount.service ${D}${systemd_system_unitdir}/cryptmount.service
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','false','true',d)}; then
+ rm -fr ${D}/usr/lib
+ fi
+ fi
+}
+
+FILES:${PN} += "${systemd_system_unitdir}"
+
+RDEPENDS:${PN} = "libdevmapper"
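Review bot: The non-usrmerge branch of `do_install:append` runs `rm -fr ${D}/usr/lib`, which deletes everything cryptmount's own `make install` placed under /usr/lib, not just the duplicate unit file that the preceding `install -D` relocates into `${systemd_system_unitdir}`; anything else upstream installs there would vanish silently. A targeted `rm -f ${D}${nonarch_libdir}/systemd/system/cryptmount.service` followed by removing the now-empty parent directories makes the intent explicit, or at minimum a comment stating that /usr/lib is known to contain only the unit. `SRC_URI` also hard-codes the `${BPN}-6.2` directory next to `${PV}` = 6.2.0, so a later PV bump keeps fetching from the old directory until the checksum fails; a comment flagging that coupling would save a confused bump. Minor style: `PACKAGECONFIG ?="intl luks gcrypt nls"` is missing the space after `?=`.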
diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index 4a99b5a..00e8997 100644
--- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -6,7 +6,7 @@ DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
HOMEPAGE = "https://launchpad.net/ecryptfs"
SECTION = "base"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
@@ -22,10 +22,12 @@ SRC_URI = "\
SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
+UPSTREAM_CHECK_URI = "https://launchpad.net/ecryptfs/+download"
+
inherit autotools pkgconfig systemd
SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "ecryptfs.service"
+SYSTEMD_SERVICE:${PN} = "ecryptfs.service"
EXTRA_OECONF = "\
--libdir=${base_libdir} \
@@ -41,7 +43,7 @@ PACKAGECONFIG ??= "nss \
PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
-do_configure_prepend() {
+do_configure:prepend() {
export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
@@ -49,7 +51,7 @@ do_configure_prepend() {
sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac
}
-do_install_append() {
+do_install:append() {
chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
# ${base_libdir} is identical to ${libdir} when usrmerge enabled
if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
@@ -64,7 +66,7 @@ do_install_append() {
fi
}
-FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
+FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
-RDEPENDS_${PN} += "cryptsetup"
-RRECOMMENDS_${PN} = "gettext-runtime"
+RDEPENDS:${PN} += "cryptsetup"
+RRECOMMENDS:${PN} = "gettext-runtime"
diff --git a/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
index 3b29be0..01b7dd8 100644
--- a/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
+++ b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
index 4252f97..a457d79 100644
--- a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
+++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -14,7 +14,7 @@ the patch comes from:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
-Upstream-Status: backport
+Upstream-Status: Backport
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
diff --git a/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
deleted file mode 100644
index 7f0812c..0000000
--- a/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Thu, 9 May 2019 14:44:51 +0900
-Subject: [PATCH] To fix build error of xrange.
-
-NameError: name 'xrange' is not defined
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- fail2ban/__init__.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py
-index fa6dcf7..61789a4 100644
---- a/fail2ban/__init__.py
-+++ b/fail2ban/__init__.py
-@@ -82,7 +82,7 @@ strptime("2012", "%Y")
-
- # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
- def _init():
-- for i in xrange(50):
-+ for i in range(50):
- if logging.getLevelName(i).startswith('Level'):
- logging.addLevelName(i, '#%02d-Lev.' % i)
- _init()
---
-2.7.4
-
diff --git a/recipes-security/fail2ban/files/fail2ban_setup.py b/recipes-security/fail2ban/files/fail2ban_setup.py
deleted file mode 100755
index e231949..0000000
--- a/recipes-security/fail2ban/files/fail2ban_setup.py
+++ /dev/null
@@ -1,174 +0,0 @@
-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
-# vi: set ft=python sts=4 ts=4 sw=4 noet :
-
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
-__license__ = "GPL"
-
-import platform
-
-try:
- import setuptools
- from setuptools import setup
- from setuptools.command.install import install
- from setuptools.command.install_scripts import install_scripts
-except ImportError:
- setuptools = None
- from distutils.core import setup
-
-# all versions
-from distutils.command.build_py import build_py
-from distutils.command.build_scripts import build_scripts
-if setuptools is None:
- from distutils.command.install import install
- from distutils.command.install_scripts import install_scripts
-try:
- # python 3.x
- from distutils.command.build_py import build_py_2to3
- from distutils.command.build_scripts import build_scripts_2to3
- _2to3 = True
-except ImportError:
- # python 2.x
- _2to3 = False
-
-import os
-from os.path import isfile, join, isdir, realpath
-import sys
-import warnings
-from glob import glob
-
-from fail2ban.setup import updatePyExec
-
-if setuptools and "test" in sys.argv:
- import logging
- logSys = logging.getLogger("fail2ban")
- hdlr = logging.StreamHandler(sys.stdout)
- fmt = logging.Formatter("%(asctime)-15s %(message)s")
- hdlr.setFormatter(fmt)
- logSys.addHandler(hdlr)
- if set(["-q", "--quiet"]) & set(sys.argv):
- logSys.setLevel(logging.CRITICAL)
- warnings.simplefilter("ignore")
- sys.warnoptions.append("ignore")
- elif set(["-v", "--verbose"]) & set(sys.argv):
- logSys.setLevel(logging.DEBUG)
- else:
- logSys.setLevel(logging.INFO)
-elif "test" in sys.argv:
- print("python distribute required to execute fail2ban tests")
- print("")
-
-longdesc = '''
-Fail2Ban scans log files like /var/log/pwdfail or
-/var/log/apache/error_log and bans IP that makes
-too many password failures. It updates firewall rules
-to reject the IP address or executes user defined
-commands.'''
-
-if setuptools:
- setup_extra = {
- 'test_suite': "fail2ban.tests.utils.gatherTests",
- 'use_2to3': True,
- }
-else:
- setup_extra = {}
-
-data_files_extra = []
-
-# Installing documentation files only under Linux or other GNU/ systems
-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
-# installation there (see e.g. #1233)
-platform_system = platform.system().lower()
-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
-if platform_system in ('solaris', 'sunos'):
- doc_files.append('README.Solaris')
-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
- data_files_extra.append(
- ('/usr/share/doc/fail2ban', doc_files)
- )
-
-# Get version number, avoiding importing fail2ban.
-# This is due to tests not functioning for python3 as 2to3 takes place later
-exec(open(join("fail2ban", "version.py")).read())
-
-setup(
- name = "fail2ban",
- version = version,
- description = "Ban IPs that make too many password failures",
- long_description = longdesc,
- author = "Cyril Jaquier & Fail2Ban Contributors",
- author_email = "cyril.jaquier@fail2ban.org",
- url = "http://www.fail2ban.org",
- license = "GPL",
- platforms = "Posix",
- cmdclass = {
- 'build_py': build_py, 'build_scripts': build_scripts,
- },
- scripts = [
- 'bin/fail2ban-client',
- 'bin/fail2ban-server',
- 'bin/fail2ban-regex',
- 'bin/fail2ban-testcases',
- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
- ],
- packages = [
- 'fail2ban',
- 'fail2ban.client',
- 'fail2ban.server',
- 'fail2ban.tests',
- 'fail2ban.tests.action_d',
- ],
- package_data = {
- 'fail2ban.tests':
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/files')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/config')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/action_d')
- for f in w[2]]
- },
- data_files = [
- ('/etc/fail2ban',
- glob("config/*.conf")
- ),
- ('/etc/fail2ban/filter.d',
- glob("config/filter.d/*.conf")
- ),
- ('/etc/fail2ban/filter.d/ignorecommands',
- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
- ),
- ('/etc/fail2ban/action.d',
- glob("config/action.d/*.conf") +
- glob("config/action.d/*.py")
- ),
- ('/etc/fail2ban/fail2ban.d',
- ''
- ),
- ('/etc/fail2ban/jail.d',
- ''
- ),
- ('/var/lib/fail2ban',
- ''
- ),
- ] + data_files_extra,
- **setup_extra
-)
diff --git a/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
deleted file mode 100644
index b480c76..0000000
--- a/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
+++ /dev/null
@@ -1,53 +0,0 @@
-SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
-DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
-many failed login attempts. It does this by updating system firewall rules to reject new \
-connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
-out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
-and is easy to configure to read any log file you choose, for any error you choose."
-HOMEPAGE = "http://www.fail2ban.org"
-
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-
-SRCREV ="eea1881b734b73599a21df2bfbe58b11f78d0a46"
-SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
- file://initd \
- file://fail2ban_setup.py \
- file://run-ptest \
-"
-
-inherit update-rc.d ptest setuptools3
-
-S = "${WORKDIR}/git"
-
-do_compile_prepend () {
- cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
- cd ${S}
- ./fail2ban-2to3
-}
-
-do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
- chown -R root:root ${D}/${bindir}
-}
-
-do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}
- install -d ${D}${PTEST_PATH}/bin
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
- install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
-}
-
-FILES_${PN} += "/run"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "fail2ban-server"
-INITSCRIPT_PARAMS = "defaults 25"
-
-INSANE_SKIP_${PN}_append = "already-stripped"
-
-RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
-RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
-RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/recipes-security/fscrypt/fscrypt_1.1.0.bb b/recipes-security/fscrypt/fscrypt_1.1.0.bb
new file mode 100644
index 0000000..ea9593b
--- /dev/null
+++ b/recipes-security/fscrypt/fscrypt_1.1.0.bb
@@ -0,0 +1,51 @@
+SUMMARY = "fscrypt is a high-level tool for the management of Linux filesystem encryption"
+DESCIPTION = "fscrypt manages metadata, key generation, key wrapping, PAM integration, \
+and provides a uniform interface for creating and modifying encrypted directories. For \
+a small, low-level tool that directly sets policies, see fscryptctl \
+(https://github.com/google/fscryptcl)."
+HOMEPAGE = "https://github.com/google/fscrypt"
+SECTION = "base"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+# fscrypt depends on go and libpam
+DEPENDS += "go-native libpam"
+
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
+SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https"
+
+GO_IMPORT = "import"
+
+inherit go goarch features_check
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+ export GOARCH=${TARGET_GOARCH}
+ export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
+ export GOPATH="${WORKDIR}/git"
+
+ # Pass the needed cflags/ldflags so that cgo
+ # can find the needed headers files and libraries
+ export CGO_ENABLED="1"
+ export CGO_CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+ export CGO_LDFLAGS="${LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+
+ cd ${S}/src/${GO_IMPORT}
+ oe_runmake
+
+ # Golang forces permissions to 0500 on directories and 0400 on files in
+ # the module cache which prevents us from easily cleaning up the build
+ # directory. Let's just fix the permissions here so we don't have to
+ # hack the clean tasks.
+ chmod -R u+w ${S}/pkg/mod
+}
+
+do_install() {
+ install -d ${D}/${bindir}
+ install ${S}/src/${GO_IMPORT}/bin/fscrypt ${D}/${bindir}/fscrypt
+}
+
+BBCLASSEXTEND = "native nativesdk"
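Review bot: `DESCIPTION` on the second line of the new recipe is a misspelling of `DESCRIPTION`, so the text is assigned to an unused variable and the package ships with no description; rename it to `DESCRIPTION = "fscrypt manages metadata, key generation, ...`. The pinned `SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"` is byte-identical to the SRCREV the fscryptctl hunk below pins for a different repository (google/fscryptctl.git), which two unrelated git histories cannot share, so one of the two appears to be a copy-paste error and that recipe's fetch will not resolve; verify each hash against its upstream 1.1.0 tag. The URL in the description also reads `fscryptcl` where the project name is `fscryptctl`. `GO_IMPORT = "import"` is an unusual import path for a go.bbclass recipe and would benefit from a one-line comment saying why the source is laid out under `src/import` — I cannot tell from here whether it is intentional.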
diff --git a/recipes-security/fscryptctl/fscryptctl_1.0.0.bb b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index df76a3d..3de2bfa 100644
--- a/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
+++ b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -9,16 +9,21 @@ SECTION = "base"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRCREV = "56b898c896240328adef7407090215abbe9ee03d"
-SRC_URI = "git://github.com/google/fscryptctl.git"
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
+SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
+do_compile:prepend() {
+ sed -i 's/fscryptctl\.1//g' ${S}/Makefile
+ sed -i 's/install-man//g' ${S}/Makefile
+}
+
do_install() {
oe_runmake DESTDIR=${D} PREFIX=/usr install
}
-RRECOMMENDS_${PN} += "\
+RRECOMMENDS:${PN} += "\
keyutils \
kernel-module-cbc \
kernel-module-cts \
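Review bot: The two `sed -i` lines in the new `do_compile:prepend` rewrite the upstream Makefile with no comment on why the man page target and `install-man` are stripped, and they silently become no-ops if upstream renames either target, leaving the next reader to rediscover the reason. A comment above them such as `# Drop the man page from build and install: its generator is not available in the OE sysroot (TODO confirm which tool)` — hedged until the actual cause is written down — would document the intent. The function is complete within the hunk; the remainder of the recipe after `RRECOMMENDS:${PN}` continues outside it.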
diff --git a/recipes-security/glome/glome_git.bb b/recipes-security/glome/glome_git.bb
new file mode 100644
index 0000000..8787ddc
--- /dev/null
+++ b/recipes-security/glome/glome_git.bb
@@ -0,0 +1,24 @@
+SUMMARY = "GLOME Login Client"
+HOME_PAGE = "https://github.com/google/glome"
+DESCRIPTION = "GLOME is used to authorize serial console access to Linux machines"
+PV = "0.1+git${SRCPV}"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+inherit meson pkgconfig
+
+DEPENDS += "openssl"
+
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https"
+SRCREV = "48d28f82bd51ae4bccc84fbbee93c375b026596b"
+
+FILES:${PN} += "${libdir}/security"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[glome-cli] = "-Dglome-cli=true,-Dglome-cli=false"
+PACKAGECONFIG[pam-glome] = "-Dpam-glome=true,-Dpam-glome=false,libpam"
+
+EXTRA_OEMESON = "-Dtests=false"
+
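Review bot: `HOME_PAGE` on the second line is not a variable BitBake recognises; the metadata name is `HOMEPAGE`, so the project URL is silently dropped — change it to `HOMEPAGE = "https://github.com/google/glome"`. With `PACKAGECONFIG ??= ""` neither `glome-cli` nor `pam-glome` is built by default, so the `FILES:${PN} += "${libdir}/security"` line only has an effect when a distro enables `pam-glome`; a comment such as `# Nothing beyond the library is built unless glome-cli / pam-glome are enabled via PACKAGECONFIG` would make that visible. The file also ends with a trailing blank line.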
diff --git a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
index f9ca092..8a0b1ee 100644
--- a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
+++ b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
@@ -3,8 +3,8 @@ HOME_PAGE = "https://github.com/google/google-authenticator-libpam"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE = "Apache-2.0"
-SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
+SRC_URI = "git://github.com/google/google-authenticator-libpam.git;branch=master;protocol=https"
+SRCREV = "962f353aac6cfc7b804547319db40f8b804f0b6c"
DEPENDS = "libpam"
@@ -18,6 +18,6 @@ REQUIRED_DISTRO_FEATURES = "pam"
EXTRA_OECONF = "--libdir=${base_libdir}"
PACKAGES += "pam-google-authenticator"
-FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
+FILES:pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
RDEPNEDS_pam-google-authenticator = "libpam"
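Review bot: The line right after the converted `FILES:pam-google-authenticator` still reads `RDEPNEDS_pam-google-authenticator = "libpam"`, which is both misspelled and in the old `_` override syntax, so the PAM module package never receives its libpam runtime dependency; while touching this hunk it should become `RDEPENDS:pam-google-authenticator = "libpam"`. The SRCREV bump in the first hunk is not tied to a tag in the recipe, so I cannot confirm from here that the new hash corresponds to the 1.09 release the file is renamed to — worth checking against upstream.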
diff --git a/recipes-security/isic/files/configure_fix.patch b/recipes-security/isic/files/configure_fix.patch
index fc2a774..ed2bf7a 100644
--- a/recipes-security/isic/files/configure_fix.patch
+++ b/recipes-security/isic/files/configure_fix.patch
@@ -1,6 +1,7 @@
isic: add with-libnet remove libnet test
-Inappropriate - builds fine on non-oe systems. We need to exlude
+Upstream-Status: Inappropriate [embedded specific]
+builds fine on non-oe systems. We need to exlude
cross compile libnet test. Pass in the location for libnet.a. Path
did not support mulitlib either.
diff --git a/recipes-security/isic/files/isic-0.07-make.patch b/recipes-security/isic/files/isic-0.07-make.patch
index 9cffa8a..94349ce 100644
--- a/recipes-security/isic/files/isic-0.07-make.patch
+++ b/recipes-security/isic/files/isic-0.07-make.patch
@@ -1,6 +1,6 @@
isic: Fixup makefile to support destination
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-make.patch
Signed-off-by: Armin Kuster <akuser808@gmail.com>
diff --git a/recipes-security/isic/files/isic-0.07-netinet.patch b/recipes-security/isic/files/isic-0.07-netinet.patch
index c4ea74e..448ba68 100644
--- a/recipes-security/isic/files/isic-0.07-netinet.patch
+++ b/recipes-security/isic/files/isic-0.07-netinet.patch
@@ -1,6 +1,6 @@
isic: add missing header file
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-netinet.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-security/isic/isic_0.07.bb b/recipes-security/isic/isic_0.07.bb
index fb6e904..28153e3 100644
--- a/recipes-security/isic/isic_0.07.bb
+++ b/recipes-security/isic/isic_0.07.bb
@@ -2,7 +2,7 @@ SUMMARY = "ISIC -- IP Stack Integrity Checker"
DESCRIPTION = "ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.)"
HOMEPAGE = "http://isic.sourceforge.net/"
SECTION = "security"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d41d8cd98f00b204e9800998ecf8427e"
DEPENDS = "libnet"
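Review bot: `LIC_FILES_CHKSUM` on the line after the changed `LICENSE` pins `d41d8cd98f00b204e9800998ecf8427e`, which is the MD5 of empty input, so the referenced LICENSE file is empty and the checksum verifies no licence text at all; tightening the identifier to `BSD-2-Clause` therefore asserts a licence the checked file does not state. Either point `LIC_FILES_CHKSUM` at a file that carries the licence wording (a source header, if one does) or record the provenance next to it, e.g. `# upstream LICENSE is an empty file; BSD-2-Clause taken from <source, TODO fill in>`.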
diff --git a/recipes-security/krill/files/panic_workaround.patch b/recipes-security/krill/files/panic_workaround.patch
new file mode 100644
index 0000000..f63169f
--- /dev/null
+++ b/recipes-security/krill/files/panic_workaround.patch
@@ -0,0 +1,16 @@
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Cargo.toml
+===================================================================
+--- git.orig/Cargo.toml
++++ git/Cargo.toml
+@@ -91,7 +91,7 @@ hsm-tests-pkcs11 = [ "hsm" ]
+ # Make sure that Krill crashes on panics, rather than losing threads and
+ # limping on in a bad state.
+ [profile.release]
+-panic = "abort"
++#panic = "abort"
+
+ [dev-dependencies]
+ regex = "1.5.5"
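Review bot: The new patch comments out `panic = "abort"` in the release profile with no stated reason, while the two upstream comment lines it keeps in context say the setting exists so that Krill crashes on a panic instead of losing threads and limping on in a bad state; with unwinding restored a panic in one thread no longer terminates the process, which changes the daemon's failure behaviour for every OE build. The header should name the concrete symptom this works around (presumably a build or link failure with the OE Rust toolchain — I cannot tell from here) and when it can be dropped, e.g. a line under `Upstream-Status` reading `Works around <symptom, TODO fill in>; revert once <condition>`. Operators relying on a supervisor restart to recover from a crash should be told in the same place.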
diff --git a/recipes-security/krill/krill-crates.inc b/recipes-security/krill/krill-crates.inc
new file mode 100644
index 0000000..85830ec
--- /dev/null
+++ b/recipes-security/krill/krill-crates.inc
@@ -0,0 +1,550 @@
+# Autogenerated with 'bitbake -c update_crates krill'
+
+# from Cargo.lock
+SRC_URI += " \
+ crate://crates.io/addr2line/0.17.0;name=addr2line-0.17.0 \
+ crate://crates.io/adler/1.0.2;name=adler-1.0.2 \
+ crate://crates.io/adler32/1.2.0;name=adler32-1.2.0 \
+ crate://crates.io/aho-corasick/0.7.18;name=aho-corasick-0.7.18 \
+ crate://crates.io/android_system_properties/0.1.5;name=android_system_properties-0.1.5 \
+ crate://crates.io/ansi_term/0.12.1;name=ansi_term-0.12.1 \
+ crate://crates.io/ascii/1.0.0;name=ascii-1.0.0 \
+ crate://crates.io/ascii-canvas/3.0.0;name=ascii-canvas-3.0.0 \
+ crate://crates.io/atty/0.2.14;name=atty-0.2.14 \
+ crate://crates.io/autocfg/1.1.0;name=autocfg-1.1.0 \
+ crate://crates.io/backoff/0.3.0;name=backoff-0.3.0 \
+ crate://crates.io/backtrace/0.3.66;name=backtrace-0.3.66 \
+ crate://crates.io/base64/0.13.0;name=base64-0.13.0 \
+ crate://crates.io/basic-cookies/0.1.4;name=basic-cookies-0.1.4 \
+ crate://crates.io/bcder/0.7.0;name=bcder-0.7.0 \
+ crate://crates.io/bit-set/0.5.2;name=bit-set-0.5.2 \
+ crate://crates.io/bit-vec/0.6.3;name=bit-vec-0.6.3 \
+ crate://crates.io/bitflags/1.3.2;name=bitflags-1.3.2 \
+ crate://crates.io/block-buffer/0.9.0;name=block-buffer-0.9.0 \
+ crate://crates.io/block-buffer/0.10.2;name=block-buffer-0.10.2 \
+ crate://crates.io/bumpalo/3.10.0;name=bumpalo-3.10.0 \
+ crate://crates.io/bytes/1.1.0;name=bytes-1.1.0 \
+ crate://crates.io/cc/1.0.73;name=cc-1.0.73 \
+ crate://crates.io/cfg-if/1.0.0;name=cfg-if-1.0.0 \
+ crate://crates.io/chrono/0.4.22;name=chrono-0.4.22 \
+ crate://crates.io/chunked_transfer/1.4.0;name=chunked_transfer-1.4.0 \
+ crate://crates.io/cipher/0.2.5;name=cipher-0.2.5 \
+ crate://crates.io/clap/2.34.0;name=clap-2.34.0 \
+ crate://crates.io/codespan-reporting/0.11.1;name=codespan-reporting-0.11.1 \
+ crate://crates.io/core-foundation/0.9.3;name=core-foundation-0.9.3 \
+ crate://crates.io/core-foundation-sys/0.8.3;name=core-foundation-sys-0.8.3 \
+ crate://crates.io/cpufeatures/0.2.2;name=cpufeatures-0.2.2 \
+ crate://crates.io/crc32fast/1.3.2;name=crc32fast-1.3.2 \
+ crate://crates.io/crunchy/0.2.2;name=crunchy-0.2.2 \
+ crate://crates.io/crypto-common/0.1.6;name=crypto-common-0.1.6 \
+ crate://crates.io/crypto-mac/0.10.1;name=crypto-mac-0.10.1 \
+ crate://crates.io/cryptoki/0.3.0;name=cryptoki-0.3.0 \
+ crate://crates.io/cryptoki-sys/0.1.4;name=cryptoki-sys-0.1.4 \
+ crate://crates.io/ctrlc/3.2.2;name=ctrlc-3.2.2 \
+ crate://crates.io/cxx/1.0.79;name=cxx-1.0.79 \
+ crate://crates.io/cxx-build/1.0.79;name=cxx-build-1.0.79 \
+ crate://crates.io/cxxbridge-flags/1.0.79;name=cxxbridge-flags-1.0.79 \
+ crate://crates.io/cxxbridge-macro/1.0.79;name=cxxbridge-macro-1.0.79 \
+ crate://crates.io/derivative/2.2.0;name=derivative-2.2.0 \
+ crate://crates.io/deunicode/0.4.3;name=deunicode-0.4.3 \
+ crate://crates.io/diff/0.1.13;name=diff-0.1.13 \
+ crate://crates.io/digest/0.9.0;name=digest-0.9.0 \
+ crate://crates.io/digest/0.10.3;name=digest-0.10.3 \
+ crate://crates.io/dirs-next/2.0.0;name=dirs-next-2.0.0 \
+ crate://crates.io/dirs-sys-next/0.1.2;name=dirs-sys-next-0.1.2 \
+ crate://crates.io/either/1.7.0;name=either-1.7.0 \
+ crate://crates.io/ena/0.14.0;name=ena-0.14.0 \
+ crate://crates.io/encoding_rs/0.8.31;name=encoding_rs-0.8.31 \
+ crate://crates.io/enum-display-derive/0.1.1;name=enum-display-derive-0.1.1 \
+ crate://crates.io/enum-flags/0.1.8;name=enum-flags-0.1.8 \
+ crate://crates.io/error-chain/0.11.0;name=error-chain-0.11.0 \
+ crate://crates.io/fastrand/1.7.0;name=fastrand-1.7.0 \
+ crate://crates.io/fern/0.5.9;name=fern-0.5.9 \
+ crate://crates.io/fixedbitset/0.4.2;name=fixedbitset-0.4.2 \
+ crate://crates.io/fnv/1.0.7;name=fnv-1.0.7 \
+ crate://crates.io/foreign-types/0.3.2;name=foreign-types-0.3.2 \
+ crate://crates.io/foreign-types-shared/0.1.1;name=foreign-types-shared-0.1.1 \
+ crate://crates.io/form_urlencoded/1.0.1;name=form_urlencoded-1.0.1 \
+ crate://crates.io/fslock/0.2.1;name=fslock-0.2.1 \
+ crate://crates.io/futures/0.3.21;name=futures-0.3.21 \
+ crate://crates.io/futures-channel/0.3.21;name=futures-channel-0.3.21 \
+ crate://crates.io/futures-core/0.3.21;name=futures-core-0.3.21 \
+ crate://crates.io/futures-executor/0.3.21;name=futures-executor-0.3.21 \
+ crate://crates.io/futures-io/0.3.21;name=futures-io-0.3.21 \
+ crate://crates.io/futures-macro/0.3.21;name=futures-macro-0.3.21 \
+ crate://crates.io/futures-sink/0.3.21;name=futures-sink-0.3.21 \
+ crate://crates.io/futures-task/0.3.21;name=futures-task-0.3.21 \
+ crate://crates.io/futures-util/0.3.21;name=futures-util-0.3.21 \
+ crate://crates.io/generic-array/0.14.5;name=generic-array-0.14.5 \
+ crate://crates.io/getrandom/0.2.7;name=getrandom-0.2.7 \
+ crate://crates.io/gimli/0.26.2;name=gimli-0.26.2 \
+ crate://crates.io/h2/0.3.13;name=h2-0.3.13 \
+ crate://crates.io/hashbrown/0.12.3;name=hashbrown-0.12.3 \
+ crate://crates.io/hermit-abi/0.1.19;name=hermit-abi-0.1.19 \
+ crate://crates.io/hex/0.4.3;name=hex-0.4.3 \
+ crate://crates.io/hmac/0.10.1;name=hmac-0.10.1 \
+ crate://crates.io/http/0.2.8;name=http-0.2.8 \
+ crate://crates.io/http-body/0.4.5;name=http-body-0.4.5 \
+ crate://crates.io/httparse/1.7.1;name=httparse-1.7.1 \
+ crate://crates.io/httpdate/1.0.2;name=httpdate-1.0.2 \
+ crate://crates.io/hyper/0.14.20;name=hyper-0.14.20 \
+ crate://crates.io/hyper-tls/0.5.0;name=hyper-tls-0.5.0 \
+ crate://crates.io/iana-time-zone/0.1.51;name=iana-time-zone-0.1.51 \
+ crate://crates.io/iana-time-zone-haiku/0.1.1;name=iana-time-zone-haiku-0.1.1 \
+ crate://crates.io/idna/0.2.3;name=idna-0.2.3 \
+ crate://crates.io/impl-trait-for-tuples/0.2.2;name=impl-trait-for-tuples-0.2.2 \
+ crate://crates.io/indexmap/1.9.1;name=indexmap-1.9.1 \
+ crate://crates.io/instant/0.1.12;name=instant-0.1.12 \
+ crate://crates.io/intervaltree/0.2.7;name=intervaltree-0.2.7 \
+ crate://crates.io/ipnet/2.5.0;name=ipnet-2.5.0 \
+ crate://crates.io/itertools/0.10.3;name=itertools-0.10.3 \
+ crate://crates.io/itoa/1.0.2;name=itoa-1.0.2 \
+ crate://crates.io/jmespatch/0.3.0;name=jmespatch-0.3.0 \
+ crate://crates.io/js-sys/0.3.58;name=js-sys-0.3.58 \
+ crate://crates.io/kmip-protocol/0.4.2;name=kmip-protocol-0.4.2 \
+ crate://crates.io/kmip-ttlv/0.3.3;name=kmip-ttlv-0.3.3 \
+ crate://crates.io/lalrpop/0.19.8;name=lalrpop-0.19.8 \
+ crate://crates.io/lalrpop-util/0.19.8;name=lalrpop-util-0.19.8 \
+ crate://crates.io/lazy_static/1.4.0;name=lazy_static-1.4.0 \
+ crate://crates.io/libc/0.2.126;name=libc-0.2.126 \
+ crate://crates.io/libflate/1.2.0;name=libflate-1.2.0 \
+ crate://crates.io/libflate_lz77/1.1.0;name=libflate_lz77-1.1.0 \
+ crate://crates.io/libloading/0.7.3;name=libloading-0.7.3 \
+ crate://crates.io/link-cplusplus/1.0.7;name=link-cplusplus-1.0.7 \
+ crate://crates.io/lock_api/0.4.7;name=lock_api-0.4.7 \
+ crate://crates.io/log/0.4.17;name=log-0.4.17 \
+ crate://crates.io/maplit/1.0.2;name=maplit-1.0.2 \
+ crate://crates.io/matchers/0.0.1;name=matchers-0.0.1 \
+ crate://crates.io/matches/0.1.9;name=matches-0.1.9 \
+ crate://crates.io/maybe-async/0.2.6;name=maybe-async-0.2.6 \
+ crate://crates.io/memchr/2.5.0;name=memchr-2.5.0 \
+ crate://crates.io/mime/0.3.16;name=mime-0.3.16 \
+ crate://crates.io/miniz_oxide/0.5.3;name=miniz_oxide-0.5.3 \
+ crate://crates.io/mio/0.8.4;name=mio-0.8.4 \
+ crate://crates.io/native-tls/0.2.10;name=native-tls-0.2.10 \
+ crate://crates.io/new_debug_unreachable/1.0.4;name=new_debug_unreachable-1.0.4 \
+ crate://crates.io/nix/0.24.2;name=nix-0.24.2 \
+ crate://crates.io/num-bigint/0.4.3;name=num-bigint-0.4.3 \
+ crate://crates.io/num-integer/0.1.45;name=num-integer-0.1.45 \
+ crate://crates.io/num-traits/0.2.15;name=num-traits-0.2.15 \
+ crate://crates.io/num_cpus/1.13.1;name=num_cpus-1.13.1 \
+ crate://crates.io/oauth2/4.2.3;name=oauth2-4.2.3 \
+ crate://crates.io/object/0.29.0;name=object-0.29.0 \
+ crate://crates.io/once_cell/1.13.0;name=once_cell-1.13.0 \
+ crate://crates.io/opaque-debug/0.3.0;name=opaque-debug-0.3.0 \
+ crate://crates.io/openidconnect/2.3.2;name=openidconnect-2.3.2 \
+ crate://crates.io/openssl/0.10.41;name=openssl-0.10.41 \
+ crate://crates.io/openssl-macros/0.1.0;name=openssl-macros-0.1.0 \
+ crate://crates.io/openssl-probe/0.1.5;name=openssl-probe-0.1.5 \
+ crate://crates.io/openssl-src/111.25.0+1.1.1t;name=openssl-src-111.25.0+1.1.1t \
+ crate://crates.io/openssl-sys/0.9.75;name=openssl-sys-0.9.75 \
+ crate://crates.io/ordered-float/2.10.0;name=ordered-float-2.10.0 \
+ crate://crates.io/oso/0.12.4;name=oso-0.12.4 \
+ crate://crates.io/parking_lot/0.12.1;name=parking_lot-0.12.1 \
+ crate://crates.io/parking_lot_core/0.9.3;name=parking_lot_core-0.9.3 \
+ crate://crates.io/pbkdf2/0.7.5;name=pbkdf2-0.7.5 \
+ crate://crates.io/percent-encoding/2.1.0;name=percent-encoding-2.1.0 \
+ crate://crates.io/petgraph/0.6.2;name=petgraph-0.6.2 \
+ crate://crates.io/phf_shared/0.10.0;name=phf_shared-0.10.0 \
+ crate://crates.io/pico-args/0.4.2;name=pico-args-0.4.2 \
+ crate://crates.io/pin-project-lite/0.2.9;name=pin-project-lite-0.2.9 \
+ crate://crates.io/pin-utils/0.1.0;name=pin-utils-0.1.0 \
+ crate://crates.io/pkg-config/0.3.25;name=pkg-config-0.3.25 \
+ crate://crates.io/polar-core/0.12.4;name=polar-core-0.12.4 \
+ crate://crates.io/ppv-lite86/0.2.16;name=ppv-lite86-0.2.16 \
+ crate://crates.io/precomputed-hash/0.1.1;name=precomputed-hash-0.1.1 \
+ crate://crates.io/priority-queue/1.2.2;name=priority-queue-1.2.2 \
+ crate://crates.io/proc-macro2/1.0.40;name=proc-macro2-1.0.40 \
+ crate://crates.io/quick-xml/0.23.0;name=quick-xml-0.23.0 \
+ crate://crates.io/quote/1.0.20;name=quote-1.0.20 \
+ crate://crates.io/r2d2/0.8.10;name=r2d2-0.8.10 \
+ crate://crates.io/rand/0.8.5;name=rand-0.8.5 \
+ crate://crates.io/rand_chacha/0.3.1;name=rand_chacha-0.3.1 \
+ crate://crates.io/rand_core/0.6.3;name=rand_core-0.6.3 \
+ crate://crates.io/redox_syscall/0.2.13;name=redox_syscall-0.2.13 \
+ crate://crates.io/redox_users/0.4.3;name=redox_users-0.4.3 \
+ crate://crates.io/regex/1.6.0;name=regex-1.6.0 \
+ crate://crates.io/regex-automata/0.1.10;name=regex-automata-0.1.10 \
+ crate://crates.io/regex-syntax/0.6.27;name=regex-syntax-0.6.27 \
+ crate://crates.io/remove_dir_all/0.5.3;name=remove_dir_all-0.5.3 \
+ crate://crates.io/reqwest/0.11.11;name=reqwest-0.11.11 \
+ crate://crates.io/ring/0.16.20;name=ring-0.16.20 \
+ crate://crates.io/rle-decode-fast/1.0.3;name=rle-decode-fast-1.0.3 \
+ crate://crates.io/routecore/0.2.0;name=routecore-0.2.0 \
+ crate://crates.io/rpassword/5.0.1;name=rpassword-5.0.1 \
+ crate://crates.io/rpki/0.15.8;name=rpki-0.15.8 \
+ crate://crates.io/rustc-demangle/0.1.21;name=rustc-demangle-0.1.21 \
+ crate://crates.io/rustc_version/0.4.0;name=rustc_version-0.4.0 \
+ crate://crates.io/rustls/0.19.1;name=rustls-0.19.1 \
+ crate://crates.io/rustversion/1.0.8;name=rustversion-1.0.8 \
+ crate://crates.io/ryu/1.0.10;name=ryu-1.0.10 \
+ crate://crates.io/salsa20/0.7.2;name=salsa20-0.7.2 \
+ crate://crates.io/schannel/0.1.20;name=schannel-0.1.20 \
+ crate://crates.io/scheduled-thread-pool/0.2.6;name=scheduled-thread-pool-0.2.6 \
+ crate://crates.io/scopeguard/1.1.0;name=scopeguard-1.1.0 \
+ crate://crates.io/scratch/1.0.2;name=scratch-1.0.2 \
+ crate://crates.io/scrypt/0.6.5;name=scrypt-0.6.5 \
+ crate://crates.io/sct/0.6.1;name=sct-0.6.1 \
+ crate://crates.io/security-framework/2.6.1;name=security-framework-2.6.1 \
+ crate://crates.io/security-framework-sys/2.6.1;name=security-framework-sys-2.6.1 \
+ crate://crates.io/semver/1.0.12;name=semver-1.0.12 \
+ crate://crates.io/serde/1.0.139;name=serde-1.0.139 \
+ crate://crates.io/serde-value/0.7.0;name=serde-value-0.7.0 \
+ crate://crates.io/serde_bytes/0.11.6;name=serde_bytes-0.11.6 \
+ crate://crates.io/serde_derive/1.0.139;name=serde_derive-1.0.139 \
+ crate://crates.io/serde_json/1.0.82;name=serde_json-1.0.82 \
+ crate://crates.io/serde_path_to_error/0.1.7;name=serde_path_to_error-0.1.7 \
+ crate://crates.io/serde_urlencoded/0.7.1;name=serde_urlencoded-0.7.1 \
+ crate://crates.io/sha2/0.9.9;name=sha2-0.9.9 \
+ crate://crates.io/sha2/0.10.2;name=sha2-0.10.2 \
+ crate://crates.io/sharded-slab/0.1.4;name=sharded-slab-0.1.4 \
+ crate://crates.io/signal-hook-registry/1.4.0;name=signal-hook-registry-1.4.0 \
+ crate://crates.io/siphasher/0.3.10;name=siphasher-0.3.10 \
+ crate://crates.io/slab/0.4.6;name=slab-0.4.6 \
+ crate://crates.io/slug/0.1.4;name=slug-0.1.4 \
+ crate://crates.io/smallvec/1.9.0;name=smallvec-1.9.0 \
+ crate://crates.io/socket2/0.4.4;name=socket2-0.4.4 \
+ crate://crates.io/spin/0.5.2;name=spin-0.5.2 \
+ crate://crates.io/string_cache/0.8.4;name=string_cache-0.8.4 \
+ crate://crates.io/strsim/0.8.0;name=strsim-0.8.0 \
+ crate://crates.io/subtle/2.4.1;name=subtle-2.4.1 \
+ crate://crates.io/syn/1.0.98;name=syn-1.0.98 \
+ crate://crates.io/syslog/4.0.1;name=syslog-4.0.1 \
+ crate://crates.io/target-lexicon/0.12.4;name=target-lexicon-0.12.4 \
+ crate://crates.io/tempfile/3.3.0;name=tempfile-3.3.0 \
+ crate://crates.io/term/0.7.0;name=term-0.7.0 \
+ crate://crates.io/termcolor/1.1.3;name=termcolor-1.1.3 \
+ crate://crates.io/textwrap/0.11.0;name=textwrap-0.11.0 \
+ crate://crates.io/thiserror/1.0.31;name=thiserror-1.0.31 \
+ crate://crates.io/thiserror-impl/1.0.31;name=thiserror-impl-1.0.31 \
+ crate://crates.io/thread_local/1.1.4;name=thread_local-1.1.4 \
+ crate://crates.io/time/0.1.44;name=time-0.1.44 \
+ crate://crates.io/tiny-keccak/2.0.2;name=tiny-keccak-2.0.2 \
+ crate://crates.io/tiny_http/0.8.2;name=tiny_http-0.8.2 \
+ crate://crates.io/tinyvec/1.6.0;name=tinyvec-1.6.0 \
+ crate://crates.io/tinyvec_macros/0.1.0;name=tinyvec_macros-0.1.0 \
+ crate://crates.io/tokio/1.20.4;name=tokio-1.20.4 \
+ crate://crates.io/tokio-macros/1.8.0;name=tokio-macros-1.8.0 \
+ crate://crates.io/tokio-native-tls/0.3.0;name=tokio-native-tls-0.3.0 \
+ crate://crates.io/tokio-rustls/0.22.0;name=tokio-rustls-0.22.0 \
+ crate://crates.io/tokio-util/0.7.3;name=tokio-util-0.7.3 \
+ crate://crates.io/toml/0.5.9;name=toml-0.5.9 \
+ crate://crates.io/tower-service/0.3.2;name=tower-service-0.3.2 \
+ crate://crates.io/tracing/0.1.35;name=tracing-0.1.35 \
+ crate://crates.io/tracing-attributes/0.1.22;name=tracing-attributes-0.1.22 \
+ crate://crates.io/tracing-core/0.1.28;name=tracing-core-0.1.28 \
+ crate://crates.io/tracing-log/0.1.3;name=tracing-log-0.1.3 \
+ crate://crates.io/tracing-serde/0.1.3;name=tracing-serde-0.1.3 \
+ crate://crates.io/tracing-subscriber/0.2.25;name=tracing-subscriber-0.2.25 \
+ crate://crates.io/trait-set/0.2.0;name=trait-set-0.2.0 \
+ crate://crates.io/try-lock/0.2.3;name=try-lock-0.2.3 \
+ crate://crates.io/typenum/1.15.0;name=typenum-1.15.0 \
+ crate://crates.io/unicode-bidi/0.3.8;name=unicode-bidi-0.3.8 \
+ crate://crates.io/unicode-ident/1.0.2;name=unicode-ident-1.0.2 \
+ crate://crates.io/unicode-normalization/0.1.21;name=unicode-normalization-0.1.21 \
+ crate://crates.io/unicode-width/0.1.9;name=unicode-width-0.1.9 \
+ crate://crates.io/unicode-xid/0.2.3;name=unicode-xid-0.2.3 \
+ crate://crates.io/untrusted/0.7.1;name=untrusted-0.7.1 \
+ crate://crates.io/url/2.2.2;name=url-2.2.2 \
+ crate://crates.io/urlparse/0.7.3;name=urlparse-0.7.3 \
+ crate://crates.io/uuid/1.1.2;name=uuid-1.1.2 \
+ crate://crates.io/valuable/0.1.0;name=valuable-0.1.0 \
+ crate://crates.io/vcpkg/0.2.15;name=vcpkg-0.2.15 \
+ crate://crates.io/vec_map/0.8.2;name=vec_map-0.8.2 \
+ crate://crates.io/version_check/0.9.4;name=version_check-0.9.4 \
+ crate://crates.io/want/0.3.0;name=want-0.3.0 \
+ crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1;name=wasi-0.10.0+wasi-snapshot-preview1 \
+ crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1;name=wasi-0.11.0+wasi-snapshot-preview1 \
+ crate://crates.io/wasm-bindgen/0.2.81;name=wasm-bindgen-0.2.81 \
+ crate://crates.io/wasm-bindgen-backend/0.2.81;name=wasm-bindgen-backend-0.2.81 \
+ crate://crates.io/wasm-bindgen-futures/0.4.31;name=wasm-bindgen-futures-0.4.31 \
+ crate://crates.io/wasm-bindgen-macro/0.2.81;name=wasm-bindgen-macro-0.2.81 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.81;name=wasm-bindgen-macro-support-0.2.81 \
+ crate://crates.io/wasm-bindgen-shared/0.2.81;name=wasm-bindgen-shared-0.2.81 \
+ crate://crates.io/web-sys/0.3.58;name=web-sys-0.3.58 \
+ crate://crates.io/webpki/0.21.4;name=webpki-0.21.4 \
+ crate://crates.io/winapi/0.3.9;name=winapi-0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0;name=winapi-i686-pc-windows-gnu-0.4.0 \
+ crate://crates.io/winapi-util/0.1.5;name=winapi-util-0.1.5 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0;name=winapi-x86_64-pc-windows-gnu-0.4.0 \
+ crate://crates.io/windows-sys/0.36.1;name=windows-sys-0.36.1 \
+ crate://crates.io/windows_aarch64_msvc/0.36.1;name=windows_aarch64_msvc-0.36.1 \
+ crate://crates.io/windows_i686_gnu/0.36.1;name=windows_i686_gnu-0.36.1 \
+ crate://crates.io/windows_i686_msvc/0.36.1;name=windows_i686_msvc-0.36.1 \
+ crate://crates.io/windows_x86_64_gnu/0.36.1;name=windows_x86_64_gnu-0.36.1 \
+ crate://crates.io/windows_x86_64_msvc/0.36.1;name=windows_x86_64_msvc-0.36.1 \
+ crate://crates.io/winreg/0.10.1;name=winreg-0.10.1 \
+"
+
+SRC_URI[addr2line-0.17.0.sha256sum] = "b9ecd88a8c8378ca913a680cd98f0f13ac67383d35993f86c90a70e3f137816b"
+SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+SRC_URI[adler32-1.2.0.sha256sum] = "aae1277d39aeec15cb388266ecc24b11c80469deae6067e17a1a7aa9e5c1f234"
+SRC_URI[aho-corasick-0.7.18.sha256sum] = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
+SRC_URI[android_system_properties-0.1.5.sha256sum] = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+SRC_URI[ansi_term-0.12.1.sha256sum] = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
+SRC_URI[ascii-1.0.0.sha256sum] = "bbf56136a5198c7b01a49e3afcbef6cf84597273d298f54432926024107b0109"
+SRC_URI[ascii-canvas-3.0.0.sha256sum] = "8824ecca2e851cec16968d54a01dd372ef8f95b244fb84b84e70128be347c3c6"
+SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[backoff-0.3.0.sha256sum] = "9fe17f59a06fe8b87a6fc8bf53bb70b3aba76d7685f432487a68cd5552853625"
+SRC_URI[backtrace-0.3.66.sha256sum] = "cab84319d616cfb654d03394f38ab7e6f0919e181b1b57e1fd15e7fb4077d9a7"
+SRC_URI[base64-0.13.0.sha256sum] = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd"
+SRC_URI[basic-cookies-0.1.4.sha256sum] = "cb53b6b315f924c7f113b162e53b3901c05fc9966baf84d201dfcc7432a4bb38"
+SRC_URI[bcder-0.7.0.sha256sum] = "f007d8acfb8ef7d219911c7164c025a6d3504735120fc5df59c3c479ab84ea51"
+SRC_URI[bit-set-0.5.2.sha256sum] = "6e11e16035ea35e4e5997b393eacbf6f63983188f7a2ad25bfb13465f5ad59de"
+SRC_URI[bit-vec-0.6.3.sha256sum] = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
+SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+SRC_URI[block-buffer-0.9.0.sha256sum] = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+SRC_URI[block-buffer-0.10.2.sha256sum] = "0bf7fe51849ea569fd452f37822f606a5cabb684dc918707a0193fd4664ff324"
+SRC_URI[bumpalo-3.10.0.sha256sum] = "37ccbd214614c6783386c1af30caf03192f17891059cecc394b4fb119e363de3"
+SRC_URI[bytes-1.1.0.sha256sum] = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
+SRC_URI[cc-1.0.73.sha256sum] = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[chrono-0.4.22.sha256sum] = "bfd4d1b31faaa3a89d7934dbded3111da0d2ef28e3ebccdb4f0179f5929d1ef1"
+SRC_URI[chunked_transfer-1.4.0.sha256sum] = "fff857943da45f546682664a79488be82e69e43c1a7a2307679ab9afb3a66d2e"
+SRC_URI[cipher-0.2.5.sha256sum] = "12f8e7987cbd042a63249497f41aed09f8e65add917ea6566effbc56578d6801"
+SRC_URI[clap-2.34.0.sha256sum] = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
+SRC_URI[codespan-reporting-0.11.1.sha256sum] = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e"
+SRC_URI[core-foundation-0.9.3.sha256sum] = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146"
+SRC_URI[core-foundation-sys-0.8.3.sha256sum] = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
+SRC_URI[cpufeatures-0.2.2.sha256sum] = "59a6001667ab124aebae2a495118e11d30984c3a653e99d86d58971708cf5e4b"
+SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+SRC_URI[crunchy-0.2.2.sha256sum] = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
+SRC_URI[crypto-common-0.1.6.sha256sum] = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+SRC_URI[crypto-mac-0.10.1.sha256sum] = "bff07008ec701e8028e2ceb8f83f0e4274ee62bd2dbdc4fefff2e9a91824081a"
+SRC_URI[cryptoki-0.3.0.sha256sum] = "503aa2bd88796da9bc6baf2c47696da40f135721b3d6680c7c6cee0b7d1f7a59"
+SRC_URI[cryptoki-sys-0.1.4.sha256sum] = "1e4895bb04269df9a14f2692c6499dc2769e9a93caa33ef37c4df134f76956d2"
+SRC_URI[ctrlc-3.2.2.sha256sum] = "b37feaa84e6861e00a1f5e5aa8da3ee56d605c9992d33e082786754828e20865"
+SRC_URI[cxx-1.0.79.sha256sum] = "3f83d0ebf42c6eafb8d7c52f7e5f2d3003b89c7aa4fd2b79229209459a849af8"
+SRC_URI[cxx-build-1.0.79.sha256sum] = "07d050484b55975889284352b0ffc2ecbda25c0c55978017c132b29ba0818a86"
+SRC_URI[cxxbridge-flags-1.0.79.sha256sum] = "99d2199b00553eda8012dfec8d3b1c75fce747cf27c169a270b3b99e3448ab78"
+SRC_URI[cxxbridge-macro-1.0.79.sha256sum] = "dcb67a6de1f602736dd7eaead0080cf3435df806c61b24b13328db128c58868f"
+SRC_URI[derivative-2.2.0.sha256sum] = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+SRC_URI[deunicode-0.4.3.sha256sum] = "850878694b7933ca4c9569d30a34b55031b9b139ee1fc7b94a527c4ef960d690"
+SRC_URI[diff-0.1.13.sha256sum] = "56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8"
+SRC_URI[digest-0.9.0.sha256sum] = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+SRC_URI[digest-0.10.3.sha256sum] = "f2fb860ca6fafa5552fb6d0e816a69c8e49f0908bf524e30a90d97c85892d506"
+SRC_URI[dirs-next-2.0.0.sha256sum] = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
+SRC_URI[dirs-sys-next-0.1.2.sha256sum] = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
+SRC_URI[either-1.7.0.sha256sum] = "3f107b87b6afc2a64fd13cac55fe06d6c8859f12d4b14cbcdd2c67d0976781be"
+SRC_URI[ena-0.14.0.sha256sum] = "d7402b94a93c24e742487327a7cd839dc9d36fec9de9fb25b09f2dae459f36c3"
+SRC_URI[encoding_rs-0.8.31.sha256sum] = "9852635589dc9f9ea1b6fe9f05b50ef208c85c834a562f0c6abb1c475736ec2b"
+SRC_URI[enum-display-derive-0.1.1.sha256sum] = "f16ef37b2a9b242295d61a154ee91ae884afff6b8b933b486b12481cc58310ca"
+SRC_URI[enum-flags-0.1.8.sha256sum] = "3682d2328e61f5529088a02cd20bb0a9aeaeeeb2f26597436dd7d75d1340f8f5"
+SRC_URI[error-chain-0.11.0.sha256sum] = "ff511d5dc435d703f4971bc399647c9bc38e20cb41452e3b9feb4765419ed3f3"
+SRC_URI[fastrand-1.7.0.sha256sum] = "c3fcf0cee53519c866c09b5de1f6c56ff9d647101f81c1964fa632e148896cdf"
+SRC_URI[fern-0.5.9.sha256sum] = "e69ab0d5aca163e388c3a49d284fed6c3d0810700e77c5ae2756a50ec1a4daaa"
+SRC_URI[fixedbitset-0.4.2.sha256sum] = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80"
+SRC_URI[fnv-1.0.7.sha256sum] = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+SRC_URI[foreign-types-0.3.2.sha256sum] = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+SRC_URI[foreign-types-shared-0.1.1.sha256sum] = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+SRC_URI[form_urlencoded-1.0.1.sha256sum] = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191"
+SRC_URI[fslock-0.2.1.sha256sum] = "04412b8935272e3a9bae6f48c7bfff74c2911f60525404edfdd28e49884c3bfb"
+SRC_URI[futures-0.3.21.sha256sum] = "f73fe65f54d1e12b726f517d3e2135ca3125a437b6d998caf1962961f7172d9e"
+SRC_URI[futures-channel-0.3.21.sha256sum] = "c3083ce4b914124575708913bca19bfe887522d6e2e6d0952943f5eac4a74010"
+SRC_URI[futures-core-0.3.21.sha256sum] = "0c09fd04b7e4073ac7156a9539b57a484a8ea920f79c7c675d05d289ab6110d3"
+SRC_URI[futures-executor-0.3.21.sha256sum] = "9420b90cfa29e327d0429f19be13e7ddb68fa1cccb09d65e5706b8c7a749b8a6"
+SRC_URI[futures-io-0.3.21.sha256sum] = "fc4045962a5a5e935ee2fdedaa4e08284547402885ab326734432bed5d12966b"
+SRC_URI[futures-macro-0.3.21.sha256sum] = "33c1e13800337f4d4d7a316bf45a567dbcb6ffe087f16424852d97e97a91f512"
+SRC_URI[futures-sink-0.3.21.sha256sum] = "21163e139fa306126e6eedaf49ecdb4588f939600f0b1e770f4205ee4b7fa868"
+SRC_URI[futures-task-0.3.21.sha256sum] = "57c66a976bf5909d801bbef33416c41372779507e7a6b3a5e25e4749c58f776a"
+SRC_URI[futures-util-0.3.21.sha256sum] = "d8b7abd5d659d9b90c8cba917f6ec750a74e2dc23902ef9cd4cc8c8b22e6036a"
+SRC_URI[generic-array-0.14.5.sha256sum] = "fd48d33ec7f05fbfa152300fdad764757cbded343c1aa1cff2fbaf4134851803"
+SRC_URI[getrandom-0.2.7.sha256sum] = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6"
+SRC_URI[gimli-0.26.2.sha256sum] = "22030e2c5a68ec659fde1e949a745124b48e6fa8b045b7ed5bd1fe4ccc5c4e5d"
+SRC_URI[h2-0.3.13.sha256sum] = "37a82c6d637fc9515a4694bbf1cb2457b79d81ce52b3108bdeea58b07dd34a57"
+SRC_URI[hashbrown-0.12.3.sha256sum] = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+SRC_URI[hermit-abi-0.1.19.sha256sum] = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+SRC_URI[hex-0.4.3.sha256sum] = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+SRC_URI[hmac-0.10.1.sha256sum] = "c1441c6b1e930e2817404b5046f1f989899143a12bf92de603b69f4e0aee1e15"
+SRC_URI[http-0.2.8.sha256sum] = "75f43d41e26995c17e71ee126451dd3941010b0514a81a9d11f3b341debc2399"
+SRC_URI[http-body-0.4.5.sha256sum] = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1"
+SRC_URI[httparse-1.7.1.sha256sum] = "496ce29bb5a52785b44e0f7ca2847ae0bb839c9bd28f69acac9b99d461c0c04c"
+SRC_URI[httpdate-1.0.2.sha256sum] = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"
+SRC_URI[hyper-0.14.20.sha256sum] = "02c929dc5c39e335a03c405292728118860721b10190d98c2a0f0efd5baafbac"
+SRC_URI[hyper-tls-0.5.0.sha256sum] = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
+SRC_URI[iana-time-zone-0.1.51.sha256sum] = "f5a6ef98976b22b3b7f2f3a806f858cb862044cfa66805aa3ad84cb3d3b785ed"
+SRC_URI[iana-time-zone-haiku-0.1.1.sha256sum] = "0703ae284fc167426161c2e3f1da3ea71d94b21bedbcc9494e92b28e334e3dca"
+SRC_URI[idna-0.2.3.sha256sum] = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8"
+SRC_URI[impl-trait-for-tuples-0.2.2.sha256sum] = "11d7a9f6330b71fea57921c9b61c47ee6e84f72d394754eff6163ae67e7395eb"
+SRC_URI[indexmap-1.9.1.sha256sum] = "10a35a97730320ffe8e2d410b5d3b69279b98d2c14bdb8b70ea89ecf7888d41e"
+SRC_URI[instant-0.1.12.sha256sum] = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
+SRC_URI[intervaltree-0.2.7.sha256sum] = "270bc34e57047cab801a8c871c124d9dc7132f6473c6401f645524f4e6edd111"
+SRC_URI[ipnet-2.5.0.sha256sum] = "879d54834c8c76457ef4293a689b2a8c59b076067ad77b15efafbb05f92a592b"
+SRC_URI[itertools-0.10.3.sha256sum] = "a9a9d19fa1e79b6215ff29b9d6880b706147f16e9b1dbb1e4e5947b5b02bc5e3"
+SRC_URI[itoa-1.0.2.sha256sum] = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d"
+SRC_URI[jmespatch-0.3.0.sha256sum] = "7acf91a732ade34d8eda2dee9500a051833f14f0d3d10d77c149845d6ac6a5f0"
+SRC_URI[js-sys-0.3.58.sha256sum] = "c3fac17f7123a73ca62df411b1bf727ccc805daa070338fda671c86dac1bdc27"
+SRC_URI[kmip-protocol-0.4.2.sha256sum] = "396744d490b405f4ff293057bae5625e03dcf8be70fd4ba8c6346a54e78fd837"
+SRC_URI[kmip-ttlv-0.3.3.sha256sum] = "1aa943fd7166db2cc2deaea17bd5c2862ccf68eef9ce15576bcee9e4b494685c"
+SRC_URI[lalrpop-0.19.8.sha256sum] = "b30455341b0e18f276fa64540aff54deafb54c589de6aca68659c63dd2d5d823"
+SRC_URI[lalrpop-util-0.19.8.sha256sum] = "bcf796c978e9b4d983414f4caedc9273aa33ee214c5b887bd55fde84c85d2dc4"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.126.sha256sum] = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"
+SRC_URI[libflate-1.2.0.sha256sum] = "05605ab2bce11bcfc0e9c635ff29ef8b2ea83f29be257ee7d730cac3ee373093"
+SRC_URI[libflate_lz77-1.1.0.sha256sum] = "39a734c0493409afcd49deee13c006a04e3586b9761a03543c6272c9c51f2f5a"
+SRC_URI[libloading-0.7.3.sha256sum] = "efbc0f03f9a775e9f6aed295c6a1ba2253c5757a9e03d55c6caa46a681abcddd"
+SRC_URI[link-cplusplus-1.0.7.sha256sum] = "9272ab7b96c9046fbc5bc56c06c117cb639fe2d509df0c421cad82d2915cf369"
+SRC_URI[lock_api-0.4.7.sha256sum] = "327fa5b6a6940e4699ec49a9beae1ea4845c6bab9314e4f84ac68742139d8c53"
+SRC_URI[log-0.4.17.sha256sum] = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
+SRC_URI[maplit-1.0.2.sha256sum] = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
+SRC_URI[matchers-0.0.1.sha256sum] = "f099785f7595cc4b4553a174ce30dd7589ef93391ff414dbb67f62392b9e0ce1"
+SRC_URI[matches-0.1.9.sha256sum] = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f"
+SRC_URI[maybe-async-0.2.6.sha256sum] = "6007f9dad048e0a224f27ca599d669fca8cfa0dac804725aab542b2eb032bce6"
+SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+SRC_URI[mime-0.3.16.sha256sum] = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d"
+SRC_URI[miniz_oxide-0.5.3.sha256sum] = "6f5c75688da582b8ffc1f1799e9db273f32133c49e048f614d22ec3256773ccc"
+SRC_URI[mio-0.8.4.sha256sum] = "57ee1c23c7c63b0c9250c339ffdc69255f110b298b901b9f6c82547b7b87caaf"
+SRC_URI[native-tls-0.2.10.sha256sum] = "fd7e2f3618557f980e0b17e8856252eee3c97fa12c54dff0ca290fb6266ca4a9"
+SRC_URI[new_debug_unreachable-1.0.4.sha256sum] = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54"
+SRC_URI[nix-0.24.2.sha256sum] = "195cdbc1741b8134346d515b3a56a1c94b0912758009cfd53f99ea0f57b065fc"
+SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+SRC_URI[num_cpus-1.13.1.sha256sum] = "19e64526ebdee182341572e50e9ad03965aa510cd94427a4549448f285e957a1"
+SRC_URI[oauth2-4.2.3.sha256sum] = "6d62c436394991641b970a92e23e8eeb4eb9bca74af4f5badc53bcd568daadbd"
+SRC_URI[object-0.29.0.sha256sum] = "21158b2c33aa6d4561f1c0a6ea283ca92bc54802a93b263e910746d679a7eb53"
+SRC_URI[once_cell-1.13.0.sha256sum] = "18a6dbe30758c9f83eb00cbea4ac95966305f5a7772f3f42ebfc7fc7eddbd8e1"
+SRC_URI[opaque-debug-0.3.0.sha256sum] = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+SRC_URI[openidconnect-2.3.2.sha256sum] = "e26afc60b2bf11b9a039db1f3a3c0d5fe201eebdbe646a8ecb8342c8240e3271"
+SRC_URI[openssl-0.10.41.sha256sum] = "618febf65336490dfcf20b73f885f5651a0c89c64c2d4a8c3662585a70bf5bd0"
+SRC_URI[openssl-macros-0.1.0.sha256sum] = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
+SRC_URI[openssl-probe-0.1.5.sha256sum] = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+SRC_URI[openssl-src-111.25.0+1.1.1t.sha256sum] = "3173cd3626c43e3854b1b727422a276e568d9ec5fe8cec197822cf52cfb743d6"
+SRC_URI[openssl-sys-0.9.75.sha256sum] = "e5f9bd0c2710541a3cda73d6f9ac4f1b240de4ae261065d309dbe73d9dceb42f"
+SRC_URI[ordered-float-2.10.0.sha256sum] = "7940cf2ca942593318d07fcf2596cdca60a85c9e7fab408a5e21a4f9dcd40d87"
+SRC_URI[oso-0.12.4.sha256sum] = "aec41e2da1ce3a82eb807396f802c172f08aa03e1be31e5df49592a04e12c8c7"
+SRC_URI[parking_lot-0.12.1.sha256sum] = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
+SRC_URI[parking_lot_core-0.9.3.sha256sum] = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929"
+SRC_URI[pbkdf2-0.7.5.sha256sum] = "bf916dd32dd26297907890d99dc2740e33f6bd9073965af4ccff2967962f5508"
+SRC_URI[percent-encoding-2.1.0.sha256sum] = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"
+SRC_URI[petgraph-0.6.2.sha256sum] = "e6d5014253a1331579ce62aa67443b4a658c5e7dd03d4bc6d302b94474888143"
+SRC_URI[phf_shared-0.10.0.sha256sum] = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+SRC_URI[pico-args-0.4.2.sha256sum] = "db8bcd96cb740d03149cbad5518db9fd87126a10ab519c011893b1754134c468"
+SRC_URI[pin-project-lite-0.2.9.sha256sum] = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116"
+SRC_URI[pin-utils-0.1.0.sha256sum] = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+SRC_URI[pkg-config-0.3.25.sha256sum] = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae"
+SRC_URI[polar-core-0.12.4.sha256sum] = "53d2b6ee5b5ff6312ca55e2ba75fbd438c72bc041c799055388d815726eca69b"
+SRC_URI[ppv-lite86-0.2.16.sha256sum] = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872"
+SRC_URI[precomputed-hash-0.1.1.sha256sum] = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+SRC_URI[priority-queue-1.2.2.sha256sum] = "de9cde7493f5f5d2d163b174be9f9a72d756b79b0f6ed85654128d238c347c1e"
+SRC_URI[proc-macro2-1.0.40.sha256sum] = "dd96a1e8ed2596c337f8eae5f24924ec83f5ad5ab21ea8e455d3566c69fbcaf7"
+SRC_URI[quick-xml-0.23.0.sha256sum] = "9279fbdacaad3baf559d8cabe0acc3d06e30ea14931af31af79578ac0946decc"
+SRC_URI[quote-1.0.20.sha256sum] = "3bcdf212e9776fbcb2d23ab029360416bb1706b1aea2d1a5ba002727cbcab804"
+SRC_URI[r2d2-0.8.10.sha256sum] = "51de85fb3fb6524929c8a2eb85e6b6d363de4e8c48f9e2c2eac4944abc181c93"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
+SRC_URI[redox_syscall-0.2.13.sha256sum] = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42"
+SRC_URI[redox_users-0.4.3.sha256sum] = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
+SRC_URI[regex-1.6.0.sha256sum] = "4c4eb3267174b8c6c2f654116623910a0fef09c4753f8dd83db29c48a0df988b"
+SRC_URI[regex-automata-0.1.10.sha256sum] = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+SRC_URI[regex-syntax-0.6.27.sha256sum] = "a3f87b73ce11b1619a3c6332f45341e0047173771e8b8b73f87bfeefb7b56244"
+SRC_URI[remove_dir_all-0.5.3.sha256sum] = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
+SRC_URI[reqwest-0.11.11.sha256sum] = "b75aa69a3f06bbcc66ede33af2af253c6f7a86b1ca0033f60c580a27074fbf92"
+SRC_URI[ring-0.16.20.sha256sum] = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+SRC_URI[rle-decode-fast-1.0.3.sha256sum] = "3582f63211428f83597b51b2ddb88e2a91a9d52d12831f9d08f5e624e8977422"
+SRC_URI[routecore-0.2.0.sha256sum] = "9afd872857e85411c0ba7d18dfe650fc4864b292c02cde997e86c511314fdfc3"
+SRC_URI[rpassword-5.0.1.sha256sum] = "ffc936cf8a7ea60c58f030fd36a612a48f440610214dc54bc36431f9ea0c3efb"
+SRC_URI[rpki-0.15.8.sha256sum] = "46970b82ec6bfec47c88addaaef3d345cec2a5cf9cb89039ef904123e65ba41a"
+SRC_URI[rustc-demangle-0.1.21.sha256sum] = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"
+SRC_URI[rustc_version-0.4.0.sha256sum] = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+SRC_URI[rustls-0.19.1.sha256sum] = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7"
+SRC_URI[rustversion-1.0.8.sha256sum] = "24c8ad4f0c00e1eb5bc7614d236a7f1300e3dbd76b68cac8e06fb00b015ad8d8"
+SRC_URI[ryu-1.0.10.sha256sum] = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695"
+SRC_URI[salsa20-0.7.2.sha256sum] = "399f290ffc409596022fce5ea5d4138184be4784f2b28c62c59f0d8389059a15"
+SRC_URI[schannel-0.1.20.sha256sum] = "88d6731146462ea25d9244b2ed5fd1d716d25c52e4d54aa4fb0f3c4e9854dbe2"
+SRC_URI[scheduled-thread-pool-0.2.6.sha256sum] = "977a7519bff143a44f842fd07e80ad1329295bd71686457f18e496736f4bf9bf"
+SRC_URI[scopeguard-1.1.0.sha256sum] = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
+SRC_URI[scratch-1.0.2.sha256sum] = "9c8132065adcfd6e02db789d9285a0deb2f3fcb04002865ab67d5fb103533898"
+SRC_URI[scrypt-0.6.5.sha256sum] = "19230d10daad7f163d8c1fc8edf84fbe52ac71c2ebe5adf3f763aa1557b843e3"
+SRC_URI[sct-0.6.1.sha256sum] = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce"
+SRC_URI[security-framework-2.6.1.sha256sum] = "2dc14f172faf8a0194a3aded622712b0de276821addc574fa54fc0a1167e10dc"
+SRC_URI[security-framework-sys-2.6.1.sha256sum] = "0160a13a177a45bfb43ce71c01580998474f556ad854dcbca936dd2841a5c556"
+SRC_URI[semver-1.0.12.sha256sum] = "a2333e6df6d6598f2b1974829f853c2b4c5f4a6e503c10af918081aa6f8564e1"
+SRC_URI[serde-1.0.139.sha256sum] = "0171ebb889e45aa68b44aee0859b3eede84c6f5f5c228e6f140c0b2a0a46cad6"
+SRC_URI[serde-value-0.7.0.sha256sum] = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
+SRC_URI[serde_bytes-0.11.6.sha256sum] = "212e73464ebcde48d723aa02eb270ba62eff38a9b732df31f33f1b4e145f3a54"
+SRC_URI[serde_derive-1.0.139.sha256sum] = "dc1d3230c1de7932af58ad8ffbe1d784bd55efd5a9d84ac24f69c72d83543dfb"
+SRC_URI[serde_json-1.0.82.sha256sum] = "82c2c1fdcd807d1098552c5b9a36e425e42e9fbd7c6a37a8425f390f781f7fa7"
+SRC_URI[serde_path_to_error-0.1.7.sha256sum] = "d7868ad3b8196a8a0aea99a8220b124278ee5320a55e4fde97794b6f85b1a377"
+SRC_URI[serde_urlencoded-0.7.1.sha256sum] = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+SRC_URI[sha2-0.9.9.sha256sum] = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+SRC_URI[sha2-0.10.2.sha256sum] = "55deaec60f81eefe3cce0dc50bda92d6d8e88f2a27df7c5033b42afeb1ed2676"
+SRC_URI[sharded-slab-0.1.4.sha256sum] = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31"
+SRC_URI[signal-hook-registry-1.4.0.sha256sum] = "e51e73328dc4ac0c7ccbda3a494dfa03df1de2f46018127f60c693f2648455b0"
+SRC_URI[siphasher-0.3.10.sha256sum] = "7bd3e3206899af3f8b12af284fafc038cc1dc2b41d1b89dd17297221c5d225de"
+SRC_URI[slab-0.4.6.sha256sum] = "eb703cfe953bccee95685111adeedb76fabe4e97549a58d16f03ea7b9367bb32"
+SRC_URI[slug-0.1.4.sha256sum] = "b3bc762e6a4b6c6fcaade73e77f9ebc6991b676f88bb2358bddb56560f073373"
+SRC_URI[smallvec-1.9.0.sha256sum] = "2fd0db749597d91ff862fd1d55ea87f7855a744a8425a64695b6fca237d1dad1"
+SRC_URI[socket2-0.4.4.sha256sum] = "66d72b759436ae32898a2af0a14218dbf55efde3feeb170eb623637db85ee1e0"
+SRC_URI[spin-0.5.2.sha256sum] = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+SRC_URI[string_cache-0.8.4.sha256sum] = "213494b7a2b503146286049378ce02b482200519accc31872ee8be91fa820a08"
+SRC_URI[strsim-0.8.0.sha256sum] = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
+SRC_URI[subtle-2.4.1.sha256sum] = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
+SRC_URI[syn-1.0.98.sha256sum] = "c50aef8a904de4c23c788f104b7dddc7d6f79c647c7c8ce4cc8f73eb0ca773dd"
+SRC_URI[syslog-4.0.1.sha256sum] = "a0641142b4081d3d44beffa4eefd7346a228cdf91ed70186db2ca2cef762d327"
+SRC_URI[target-lexicon-0.12.4.sha256sum] = "c02424087780c9b71cc96799eaeddff35af2bc513278cda5c99fc1f5d026d3c1"
+SRC_URI[tempfile-3.3.0.sha256sum] = "5cdb1ef4eaeeaddc8fbd371e5017057064af0911902ef36b39801f67cc6d79e4"
+SRC_URI[term-0.7.0.sha256sum] = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
+SRC_URI[termcolor-1.1.3.sha256sum] = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755"
+SRC_URI[textwrap-0.11.0.sha256sum] = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+SRC_URI[thiserror-1.0.31.sha256sum] = "bd829fe32373d27f76265620b5309d0340cb8550f523c1dda251d6298069069a"
+SRC_URI[thiserror-impl-1.0.31.sha256sum] = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a"
+SRC_URI[thread_local-1.1.4.sha256sum] = "5516c27b78311c50bf42c071425c560ac799b11c30b31f87e3081965fe5e0180"
+SRC_URI[time-0.1.44.sha256sum] = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
+SRC_URI[tiny-keccak-2.0.2.sha256sum] = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237"
+SRC_URI[tiny_http-0.8.2.sha256sum] = "9ce51b50006056f590c9b7c3808c3bd70f0d1101666629713866c227d6e58d39"
+SRC_URI[tinyvec-1.6.0.sha256sum] = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+SRC_URI[tinyvec_macros-0.1.0.sha256sum] = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
+SRC_URI[tokio-1.20.4.sha256sum] = "eb78f30e4b41e98ca4cce5acb51168a033839a7af9e42b380355808e14e98ee0"
+SRC_URI[tokio-macros-1.8.0.sha256sum] = "9724f9a975fb987ef7a3cd9be0350edcbe130698af5b8f7a631e23d42d052484"
+SRC_URI[tokio-native-tls-0.3.0.sha256sum] = "f7d995660bd2b7f8c1568414c1126076c13fbb725c40112dc0120b78eb9b717b"
+SRC_URI[tokio-rustls-0.22.0.sha256sum] = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
+SRC_URI[tokio-util-0.7.3.sha256sum] = "cc463cd8deddc3770d20f9852143d50bf6094e640b485cb2e189a2099085ff45"
+SRC_URI[toml-0.5.9.sha256sum] = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7"
+SRC_URI[tower-service-0.3.2.sha256sum] = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
+SRC_URI[tracing-0.1.35.sha256sum] = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160"
+SRC_URI[tracing-attributes-0.1.22.sha256sum] = "11c75893af559bc8e10716548bdef5cb2b983f8e637db9d0e15126b61b484ee2"
+SRC_URI[tracing-core-0.1.28.sha256sum] = "7b7358be39f2f274f322d2aaed611acc57f382e8eb1e5b48cb9ae30933495ce7"
+SRC_URI[tracing-log-0.1.3.sha256sum] = "78ddad33d2d10b1ed7eb9d1f518a5674713876e97e5bb9b7345a7984fbb4f922"
+SRC_URI[tracing-serde-0.1.3.sha256sum] = "bc6b213177105856957181934e4920de57730fc69bf42c37ee5bb664d406d9e1"
+SRC_URI[tracing-subscriber-0.2.25.sha256sum] = "0e0d2eaa99c3c2e41547cfa109e910a68ea03823cccad4a0525dcbc9b01e8c71"
+SRC_URI[trait-set-0.2.0.sha256sum] = "875c4c873cc824e362fa9a9419ffa59807244824275a44ad06fec9684fff08f2"
+SRC_URI[try-lock-0.2.3.sha256sum] = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642"
+SRC_URI[typenum-1.15.0.sha256sum] = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987"
+SRC_URI[unicode-bidi-0.3.8.sha256sum] = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992"
+SRC_URI[unicode-ident-1.0.2.sha256sum] = "15c61ba63f9235225a22310255a29b806b907c9b8c964bcbd0a2c70f3f2deea7"
+SRC_URI[unicode-normalization-0.1.21.sha256sum] = "854cbdc4f7bc6ae19c820d44abdc3277ac3e1b2b93db20a636825d9322fb60e6"
+SRC_URI[unicode-width-0.1.9.sha256sum] = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973"
+SRC_URI[unicode-xid-0.2.3.sha256sum] = "957e51f3646910546462e67d5f7599b9e4fb8acdd304b087a6494730f9eebf04"
+SRC_URI[untrusted-0.7.1.sha256sum] = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+SRC_URI[url-2.2.2.sha256sum] = "a507c383b2d33b5fc35d1861e77e6b383d158b2da5e14fe51b83dfedf6fd578c"
+SRC_URI[urlparse-0.7.3.sha256sum] = "110352d4e9076c67839003c7788d8604e24dcded13e0b375af3efaa8cf468517"
+SRC_URI[uuid-1.1.2.sha256sum] = "dd6469f4314d5f1ffec476e05f17cc9a78bc7a27a6a857842170bdf8d6f98d2f"
+SRC_URI[valuable-0.1.0.sha256sum] = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+SRC_URI[vec_map-0.8.2.sha256sum] = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[want-0.3.0.sha256sum] = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0"
+SRC_URI[wasi-0.10.0+wasi-snapshot-preview1.sha256sum] = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+SRC_URI[wasm-bindgen-0.2.81.sha256sum] = "7c53b543413a17a202f4be280a7e5c62a1c69345f5de525ee64f8cfdbc954994"
+SRC_URI[wasm-bindgen-backend-0.2.81.sha256sum] = "5491a68ab4500fa6b4d726bd67408630c3dbe9c4fe7bda16d5c82a1fd8c7340a"
+SRC_URI[wasm-bindgen-futures-0.4.31.sha256sum] = "de9a9cec1733468a8c657e57fa2413d2ae2c0129b95e87c5b72b8ace4d13f31f"
+SRC_URI[wasm-bindgen-macro-0.2.81.sha256sum] = "c441e177922bc58f1e12c022624b6216378e5febc2f0533e41ba443d505b80aa"
+SRC_URI[wasm-bindgen-macro-support-0.2.81.sha256sum] = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048"
+SRC_URI[wasm-bindgen-shared-0.2.81.sha256sum] = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be"
+SRC_URI[web-sys-0.3.58.sha256sum] = "2fed94beee57daf8dd7d51f2b15dc2bcde92d7a72304cdf662a4371008b71b90"
+SRC_URI[webpki-0.21.4.sha256sum] = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+SRC_URI[windows-sys-0.36.1.sha256sum] = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
+SRC_URI[windows_aarch64_msvc-0.36.1.sha256sum] = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"
+SRC_URI[windows_i686_gnu-0.36.1.sha256sum] = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"
+SRC_URI[windows_i686_msvc-0.36.1.sha256sum] = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"
+SRC_URI[windows_x86_64_gnu-0.36.1.sha256sum] = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"
+SRC_URI[windows_x86_64_msvc-0.36.1.sha256sum] = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
+SRC_URI[winreg-0.10.1.sha256sum] = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d"
diff --git a/recipes-security/krill/krill_0.12.3.bb b/recipes-security/krill/krill_0.12.3.bb
new file mode 100644
index 0000000..ee959c2
--- /dev/null
+++ b/recipes-security/krill/krill_0.12.3.bb
@@ -0,0 +1,42 @@
+SUMMARY = "Resource Public Key Infrastructure (RPKI) daemon"
+HOMEPAGE = "https://www.nlnetlabs.nl/projects/rpki/krill/"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+
+DEPENDS = "openssl"
+
+# SRC_URI += "crate://crates.io/krill/0.9.1"
+SRC_URI = "git://github.com/NLnetLabs/krill.git;protocol=https;branch=main"
+SRCREV = "e92098419c7ad82939e0483bc76df21eff705b80"
+SRC_URI += "file://panic_workaround.patch"
+
+include krill-crates.inc
+
+UPSTREAM_CHECK_URI = "https://github.com/NLnetLabs/${BPN}/releases"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
+
+S = "${WORKDIR}/git"
+CARGO_SRC_DIR = ""
+
+inherit pkgconfig useradd systemd cargo cargo-update-recipe-crates
+
+do_install:append () {
+ install -d ${D}${sysconfdir}
+ install -d ${D}${datadir}/krill
+
+ install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/.
+ install ${S}/defaults/* ${D}${datadir}/krill/.
+}
+
+KRILL_UID ?= "krill"
+KRILL_GID ?= "krill"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${KRILL_UID}"
+USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \
+ /var/lib/krill/ --no-create-home \
+ --shell /sbin/nologin ${BPN}"
+
+FILES:${PN} += "{sysconfdir}/defaults ${datadir}"
+
+COMPATIBLE_HOST = "(i.86|x86_64|aarch64).*-linux"
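Review bot: The packaging line `FILES:${PN} += "{sysconfdir}/defaults ${datadir}"` is missing the `$` before `{sysconfdir}`, so it adds a literal `{sysconfdir}/defaults` path, and nothing in do_install:append populates `${sysconfdir}/defaults` anyway — krill.conf is installed straight under `${sysconfdir}`; `FILES:${PN} += "${sysconfdir}/krill.conf ${datadir}/krill"` matches what the recipe actually installs. In do_install:append the daemon config is installed with `-m 664`, which leaves it group-writable, and the unqualified `install ${S}/defaults/* ...` gives every defaults file the install default of 0755; `install -m 0644 ${S}/defaults/krill.conf ${D}${sysconfdir}/krill.conf` and `install -m 0644 ${S}/defaults/* ${D}${datadir}/krill/` would be the usual form, with `CONFFILES:${PN} += "${sysconfdir}/krill.conf"` so package upgrades do not overwrite local edits. The useradd block creates the group from `${KRILL_UID}` but attaches the user with `-g ${KRILL_GID}` and names it `${BPN}`, so overriding either variable produces a group/user mismatch at rootfs time; deriving both the group name and the user name from one variable would keep that consistent. The commented-out `# SRC_URI += "crate://crates.io/krill/0.9.1"` line is dead text next to a git-pinned SRC_URI and is better dropped or turned into a comment explaining why the git checkout is used.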
diff --git a/recipes-security/libdhash/ding-libs_0.6.1.bb b/recipes-security/libdhash/ding-libs_0.6.1.bb
index 6046fa0..843850f 100644
--- a/recipes-security/libdhash/ding-libs_0.6.1.bb
+++ b/recipes-security/libdhash/ding-libs_0.6.1.bb
@@ -2,7 +2,7 @@ SUMMARY = "Dynamic hash table implementation"
DESCRIPTION = "Dynamic hash table implementation"
HOMEPAGE = "https://fedorahosted.org/released/ding-libs"
SECTION = "base"
-LICENSE = "GPLv3+"
+LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRC_URI = "https://fedorahosted.org/released/${BPN}/${BP}.tar.gz"
diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb
index 5b6dc99..b4c6165 100644
--- a/recipes-security/libest/libest_3.2.0.bb
+++ b/recipes-security/libest/libest_3.2.0.bb
@@ -6,22 +6,25 @@ LICENSE = "OpenSSL"
LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
-SRC_URI = "git://github.com/cisco/libest;branch=main"
+SRC_URI = "git://github.com/cisco/libest;branch=main;protocol=https"
DEPENDS = "openssl"
#fatal error: execinfo.h: No such file or directory
-DEPENDS_append_libc-musl = " libexecinfo"
+DEPENDS:append:libc-musl = " libexecinfo"
inherit autotools-brokensep
EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
CFLAGS += "-fcommon"
-LDFLAGS_append_libc-musl = " -lexecinfo"
+LDFLAGS:append:libc-musl = " -lexecinfo"
S = "${WORKDIR}/git"
PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
-FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
+FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
+
+# https://github.com/cisco/libest/issues/104
+SKIP_RECIPE[libest] ?= "Needs porting to openssl 3.x"
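Review bot: `FILES:${PN}` on the new side still hardcodes the version into the library name (`${libdir}/libest-3.2.0p.so`), so a future version bump has to remember to touch this line as well; `${libdir}/libest-${PV}p.so` keeps it tied to the recipe version, which is 3.2.0 here. The added `protocol=https` and the `SKIP_RECIPE` entry with its issue link are fine as they stand.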
diff --git a/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch b/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
deleted file mode 100644
index 6aa1a65..0000000
--- a/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Use secure_getenv instead of getenv for setuid programs
-
-(bnc#694598 CVE-2011-2709 bnc#831805)
-
-import from:
-https://build.opensuse.org/package/view_file/openSUSE:Factory/libgssglue/secure-getenv.patch
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
-diff --git a/src/g_initialize.c b/src/g_initialize.c
-index 200f173..935a9fa 100644
---- a/src/g_initialize.c
-+++ b/src/g_initialize.c
-@@ -26,6 +26,7 @@
- * This function will initialize the gssapi mechglue library
- */
-
-+#define _GNU_SOURCE
- #include "mglueP.h"
- #include <stdlib.h>
-
-@@ -197,8 +198,7 @@ static void solaris_initialize ()
- void *dl;
- gss_mechanism (*sym)(void), mech;
-
-- if ((getuid() != geteuid()) ||
-- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
-+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
- filename = MECH_CONF;
-
- if ((conffile = fopen(filename, "r")) == NULL) {
-@@ -274,8 +274,7 @@ static void linux_initialize ()
- void *dl;
- gss_mechanism (*sym)(void), mech;
-
-- if ((getuid() != geteuid()) ||
-- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
-+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
- filename = MECH_CONF;
-
- if ((conffile = fopen(filename, "r")) == NULL) {
diff --git a/recipes-security/libgssglue/files/libgssglue-g-initialize.patch b/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
deleted file mode 100644
index 4a9ba33..0000000
--- a/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Fix the warning for getuid, geteuid
-g_initialize.c: In function 'linux_initialize':
-g_initialize.c:275:5: warning: implicit declaration of function 'getuid' [-Wimplicit-function-declaration]
-g_initialize.c:275:5: warning: implicit declaration of function 'geteuid' [-Wimplicit-function-declaration]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
-diff --git a/src/g_initialize.c b/src1/g_initialize.c
-index 82fcce1..200f173 100644
---- a/src/g_initialize.c
-+++ b/src/g_initialize.c
-@@ -29,6 +29,8 @@
- #include "mglueP.h"
- #include <stdlib.h>
-
-+#include <unistd.h> /*getuid, geteuid */
-+#include <sys/types.h>
- #include <stdio.h>
- #include <string.h>
- #include <ctype.h>
diff --git a/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch b/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
deleted file mode 100644
index 6dce3e7..0000000
--- a/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-1) add free if malloc failed for (*mechanisms)->elements
-2) g_inq_cred.c: In function 'gss_inquire_cred':
-g_inq_cred.c:161:8: warning: passing argument 3 of 'generic_gss_copy_oid' from incompatible pointer type [enabled by default]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
---- a/src/g_inq_cred.c
-+++ b/src/g_inq_cred.c
-@@ -152,13 +152,15 @@ gss_OID_set * mechanisms;
- union_cred->count);
- if ((*mechanisms)->elements == NULL) {
- *minor_status = ENOMEM;
-+ free(*mechanisms);
-+ *mechanisms = GSS_C_NO_OID_SET;
- return (GSS_S_FAILURE);
- }
-
- for (i=0; i < union_cred->count; i++) {
-- status = generic_gss_copy_oid(minor_status,
-+ status = generic_gss_add_oid_set_member(minor_status,
- &union_cred->mechs_array[i],
-- &((*mechanisms)->elements[i]));
-+ mechanisms);
- if (status != GSS_S_COMPLETE)
- break;
- }
diff --git a/recipes-security/libgssglue/files/libgssglue-mglueP.patch b/recipes-security/libgssglue/files/libgssglue-mglueP.patch
deleted file mode 100644
index 6c9ebf0..0000000
--- a/recipes-security/libgssglue/files/libgssglue-mglueP.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-fix the warning:
-warning: implicit declaration of function 'generic_gss_copy_oid_set' [-Wimplicit-function-declaration]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
---- a/src/mglueP.h
-+++ b/src/mglueP.h
-@@ -447,6 +447,12 @@ OM_uint32 generic_gss_copy_oid
- gss_OID * /* new_oid */
- );
-
-+OM_uint32 generic_gss_copy_oid_set
-+ (OM_uint32 *minor_status, /* minor_status */
-+ const gss_OID_set_desc * const oidset, /* oid */
-+ gss_OID_set *new_oidset /* new_oid */
-+ );
-+
- OM_uint32 generic_gss_create_empty_oid_set
- (OM_uint32 *, /* minor_status */
- gss_OID_set * /* oid_set */
diff --git a/recipes-security/libgssglue/libgssglue_0.4.bb b/recipes-security/libgssglue/libgssglue_0.8.bb
index 88c58ed..9d01964 100644
--- a/recipes-security/libgssglue/libgssglue_0.4.bb
+++ b/recipes-security/libgssglue/libgssglue_0.8.bb
@@ -15,29 +15,26 @@ LICENSE = "BSD-3-Clause | HPND"
#Copyright 1995 by the Massachusetts Institute of Technology. HPND without Disclaimer
#Copyright 1993 by OpenVision Technologies, Inc. HPND
LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \
- file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=8a7f4017cb7f4be49f8981cb8c472690 \
+ file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=da8ca7a37bd26e576c23874d453751d2\
file://src/g_ccache_name.c;beginline=1;endline=32;md5=208d4de05d5c8273963a8332f084faa7 \
- file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0 \
- file://src/oid_ops.c;beginline=378;endline=398;md5=e02c165cb8383e950214baca2fbd664b \
+ file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0\
+ file://src/oid_ops.c;beginline=378;endline=398;md5=72457a5cdc0354cb5c25c8b150326364\
"
-SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.bz2 \
+SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.gz \
file://libgssglue-canon-name.patch \
- file://libgssglue-gss-inq-cred.patch \
- file://libgssglue-mglueP.patch \
- file://libgssglue-g-initialize.patch \
- file://libgssglue-fix-CVE-2011-2709.patch \
"
-SRC_URI[md5sum] = "5ce81940965fa68c7635c42dcafcddfe"
-SRC_URI[sha256sum] = "bb47b2de78409f461811d0db8595c66e6631a9879c3621a35e4434b104ee52f5"
+SRC_URI[sha256sum] = "a2bb183e946f6e30562a2a856950a2916c9b6d42c34d67a8400e4efc28917746"
-# gssglue can use krb5, spkm3... as gssapi library, configurable
-RRECOMMENDS_${PN} += "krb5"
+inherit autotools-brokensep
-inherit autotools
+do_configure:prepend() {
+ cd ${S}
+ ./bootstrap
+}
-do_install_append() {
+do_install:append() {
# install some docs
install -d -m 0755 ${D}${docdir}/${BPN}
install -m 0644 ${S}/AUTHORS ${S}/ChangeLog ${S}/NEWS ${S}/README ${D}${docdir}/${BPN}
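Review bot: The SRC_URI rewrite drops `libgssglue-fix-CVE-2011-2709.patch` together with the three build-fix patches, but nothing in the recipe records why the CVE fix is no longer carried; presumably the 0.8 tarball already uses secure_getenv, which cannot be confirmed from this diff. A one-line comment next to SRC_URI, e.g. `# local patches dropped: CVE-2011-2709 and the g_initialize/mglueP fixes are expected to be in the 0.8 release`, would keep that reasoning with the recipe, and if cve-check still reports the CVE against this version the usual answer is a `CVE_CHECK_IGNORE` entry with the same justification. Separately, the four LIC_FILES_CHKSUM entries are now inconsistent about the space before the trailing backslash; it works because the continuation lines are indented, but `md5=da8ca7a37bd26e576c23874d453751d2 \` would match the other entries. `do_install:append()` continues past this hunk.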
@@ -49,3 +46,6 @@ do_install_append() {
# change the libgssapi_krb5.so path and name(it is .so.2)
sed -i -e "s:/usr/lib/libgssapi_krb5.so:libgssapi_krb5.so.2:" ${D}${sysconfdir}/gssapi_mech.conf
}
+
+# gssglue can use krb5, spkm3... as gssapi library, configurable
+RRECOMMENDS:${PN} += "krb5"
diff --git a/recipes-security/libmhash/libmhash_0.9.9.9.bb b/recipes-security/libmhash/libmhash_0.9.9.9.bb
index 9b34cb1..49139d2 100644
--- a/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -7,7 +7,7 @@ DESCRIPTION = "\
"
HOMEPAGE = "http://mhash.sourceforge.net/"
-LICENSE = "LGPLv2.0"
+LICENSE = "LGPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7"
S = "${WORKDIR}/mhash-${PV}"
@@ -23,7 +23,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mhash/mhash-${PV}.tar.bz2 \
SRC_URI[md5sum] = "f91c74f9ccab2b574a98be5bc31eb280"
SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab248dfef0"
-inherit autotools-brokensep ptest
+inherit autotools-brokensep ptest multilib_header
+
+do_install:append() {
+ oe_multilib_header mutils/mhash_config.h
+}
do_compile_ptest() {
if [ ! -d ${S}/demo ]; then mkdir ${S}/demo; fi
@@ -35,3 +39,5 @@ do_compile_ptest() {
do_install_ptest() {
install -m 0755 ${S}/demo/mhash ${D}${PTEST_PATH}
}
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/libmspack/libmspack_1.9.1.bb b/recipes-security/libmspack/libmspack_1.11.bb
index 8c288be..59df84b 100644
--- a/recipes-security/libmspack/libmspack_1.9.1.bb
+++ b/recipes-security/libmspack/libmspack_1.11.bb
@@ -1,13 +1,13 @@
SUMMARY = "A library for Microsoft compression formats"
HOMEPAGE = "http://www.cabextract.org.uk/libmspack/"
SECTION = "lib"
-LICENSE = "LGPL-2.1"
+LICENSE = "LGPL-2.1-only"
DEPENDS = ""
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
-SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
-SRC_URI = "git://github.com/kyz/libmspack.git"
+SRCREV = "305907723a4e7ab2018e58040059ffb5e77db837"
+SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
inherit autotools
diff --git a/recipes-security/mfa/python3-privacyidea_3.5.2.bb b/recipes-security/mfa/python3-privacyidea_3.5.2.bb
deleted file mode 100644
index cd0acf8..0000000
--- a/recipes-security/mfa/python3-privacyidea_3.5.2.bb
+++ /dev/null
@@ -1,40 +0,0 @@
-SUMMARY = "identity, multifactor authentication (OTP), authorization, audit"
-DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications."
-
-HOMEPAGE = "http://www.privacyidea.org/"
-LICENSE = "AGPL-3.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55"
-
-PYPI_PACKAGE = "privacyIDEA"
-SRC_URI[sha256sum] = "26aeb0d353af1f212c4df476202516953c20f7f31566cfe0b67cbb553de04763"
-
-inherit pypi setuptools3
-
-do_install_append () {
- #install ${D}/var/log/privacyidea
-
- rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests
-}
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system privacyidea"
-USERADD_PARAM_${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \
- --shell /bin/false privacyidea"
-
-FILES_${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*"
-
-RDEPENDS_${PN} += " bash perl freeradius-mysql freeradius-utils"
-
-RDEPENDS_${PN} += "python3 python3-alembic python3-babel python3-backports-functools-lru-cache python3-bcrypt"
-RDEPENDS_${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet"
-RDEPENDS_${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml"
-RDEPENDS_${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate"
-RDEPENDS_${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned"
-RDEPENDS_${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress"
-RDEPENDS_${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako"
-RDEPENDS_${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow"
-RDEPENDS_${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql"
-RDEPENDS_${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg"
-RDEPENDS_${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa"
-RDEPENDS_${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve "
-RDEPENDS_${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug"
diff --git a/recipes-security/ncrack/ncrack_0.7.bb b/recipes-security/ncrack/ncrack_0.7.bb
index ba26965..8e6b444 100644
--- a/recipes-security/ncrack/ncrack_0.7.bb
+++ b/recipes-security/ncrack/ncrack_0.7.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network dev
HOMEPAGE = "https://nmap.org/ncrack"
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426"
-SRC_URI = "git://github.com/nmap/ncrack.git"
+SRC_URI = "git://github.com/nmap/ncrack.git;branch=master;protocol=https"
DEPENDS = "openssl zlib"
@@ -15,4 +15,4 @@ inherit autotools-brokensep
S = "${WORKDIR}/git"
-INSANE_SKIP_${PN} = "already-stripped"
+INSANE_SKIP:${PN} = "already-stripped"
diff --git a/recipes-security/opendnssec/files/libdns_conf_fix.patch b/recipes-security/opendnssec/files/libdns_conf_fix.patch
index 31d7252..220a2b8 100644
--- a/recipes-security/opendnssec/files/libdns_conf_fix.patch
+++ b/recipes-security/opendnssec/files/libdns_conf_fix.patch
@@ -1,6 +1,6 @@
Configure does not work with OE pkg-config for the ldns option
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-security/opendnssec/files/libxml2_conf.patch b/recipes-security/opendnssec/files/libxml2_conf.patch
index b4ed430..c20d5d2 100644
--- a/recipes-security/opendnssec/files/libxml2_conf.patch
+++ b/recipes-security/opendnssec/files/libxml2_conf.patch
@@ -1,6 +1,6 @@
configure does not work with OE pkg-config for the libxml2 option
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-security/opendnssec/opendnssec_2.1.9.bb b/recipes-security/opendnssec/opendnssec_2.1.10.bb
index 2b79609..64bacf1 100644
--- a/recipes-security/opendnssec/opendnssec_2.1.9.bb
+++ b/recipes-security/opendnssec/opendnssec_2.1.10.bb
@@ -1,6 +1,6 @@
SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
@@ -10,7 +10,7 @@ SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \
file://libdns_conf_fix.patch \
"
-SRC_URI[sha256sum] = "6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5"
+SRC_URI[sha256sum] = "c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756"
inherit autotools pkgconfig perlnative
@@ -27,8 +27,10 @@ PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb"
PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline"
PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind"
-do_install_append () {
+do_install:append () {
rm -rf ${D}${localstatedir}/run
}
-RDEPENDS_${PN} = "softhsm"
+RDEPENDS:${PN} = "softhsm"
+
+SKIP_RECIPE[opendnssec] ?= "Needs porting to openssl 3.x"
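Review bot: `SKIP_RECIPE[opendnssec]` carries the same "Needs porting to openssl 3.x" message as the libest hunk in this commit, but unlike there no comment points at an upstream report or names the failing step, so a later reader cannot tell when it is safe to drop the skip. A comment such as `# <link to the upstream openssl-3 tracking issue, or the failing configure/compile step>` above the line would give that. Since this hunk is part of a bump to 2.1.10 that keeps the skip, it is also worth stating in that comment that 2.1.10 was verified to still fail, if that is the case.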
diff --git a/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
new file mode 100644
index 0000000..451cb7f
--- /dev/null
+++ b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
@@ -0,0 +1,26 @@
+From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Thu, 31 Aug 2023 08:20:56 +0000
+Subject: [PATCH] To fix package error if DESTDIR is set to /usr.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 0d7bc0c..46fd664 100644
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c
+
+ install: $(PROG)
+ # $(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR)
+- $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG)
++ $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG)
+ $(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1
+
+ clean:
+--
+2.34.1
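Review bot: The `Upstream-Status: Inappropriate` trailer in the new patch has no bracketed reason, while this same commit rewrites the two opendnssec patches to `Upstream-Status: Inappropriate [OE specific]`; the new file should use the same form, `Upstream-Status: Inappropriate [OE specific]`. The subject "To fix package error if DESTDIR is set to /usr" also does not describe what the hunk does, which is to hardcode `/usr/sbin` into the install path regardless of DESTDIR; the description should state which packaging error was seen and why `/usr/sbin` is the right location, since the patch itself does not show it. Note that the recipe's `do_install:class-native` in the next file installs into `${base_sbindir}`, so native and target builds now appear to place the binary in different directories; the target `do_install()` is outside this view, so that may be intentional.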
diff --git a/recipes-security/paxctl/paxctl_0.9.bb b/recipes-security/paxctl/paxctl_0.9.bb
index 3c04141..3d2f2a3 100644
--- a/recipes-security/paxctl/paxctl_0.9.bb
+++ b/recipes-security/paxctl/paxctl_0.9.bb
@@ -3,12 +3,14 @@ DESCRIPTION = "paxctl is a tool that allows PaX flags to be modified on a \
kernel patches and secure distributions, such as \
GrSecurity or Adamantix and Hardened Gen-too, respectively."
HOMEPAGE = "https://pax.grsecurity.net/"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79729e6bedaed2c7 \
file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \
"
-SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz"
+SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \
+ file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \
+"
SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64"
SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e"
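Review bot: `SRC_URI` still fetches the tarball over plain `http://pax.grsecurity.net/` while `HOMEPAGE` a few lines above already uses `https://pax.grsecurity.net/`; the sha256sum pins the download's integrity, but the transport should still be https where the host offers it: `SRC_URI = "https://pax.grsecurity.net/${BP}.tar.gz \`. The added patch line itself is fine.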
@@ -24,7 +26,7 @@ do_install() {
# install: cannot change ownership of '.../sbin/paxctl': \
# Operation not permitted
# Drop '--owner 0 --group 0' to fix the issue.
-do_install_class-native() {
+do_install:class-native() {
local PROG=paxctl
install -d ${D}${base_sbindir}
install -d ${D}${mandir}/man1
@@ -33,6 +35,6 @@ do_install_class-native() {
}
# Avoid QA Issue: No GNU_HASH in the elf binary
-INSANE_SKIP_${PN} = "ldflags"
+INSANE_SKIP:${PN} = "ldflags"
BBCLASSEXTEND = "native"
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb
index 0d70dc6..c47688f 100644
--- a/recipes-security/redhat-security/redhat-security_1.0.bb
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -1,7 +1,7 @@
SUMMARY = "redhat security tools"
DESCRIPTION = "Tools used by redhat linux distribution for security checks"
SECTION = "security"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "file://find-chroot-py.sh \
@@ -37,4 +37,4 @@ do_install() {
install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
}
-RDEPENDS_${PN} = "file libcap-ng procps findutils"
+RDEPENDS:${PN} = "file libcap-ng procps findutils"
diff --git a/recipes-security/sshguard/sshguard_2.4.3.bb b/recipes-security/sshguard/sshguard_2.4.3.bb
new file mode 100644
index 0000000..37b414e
--- /dev/null
+++ b/recipes-security/sshguard/sshguard_2.4.3.bb
@@ -0,0 +1,11 @@
+SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "
+HOMEPAGE = "https://www.sshguard.net/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+LICENSE = "BSD-1-Clause"
+
+
+SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "64029deff6de90fdeefb1f497d414f0e4045076693a91da1a70eb7595e97efeb"
+
+inherit autotools-brokensep
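Review bot: `SUMARRY` on the first line is a typo, so `SUMMARY` is never set for this recipe, and the value carries leading and trailing spaces; it should read `SUMMARY = "Intelligently block brute-force attacks by aggregating system logs"`. The sourceforge download is spelled out as a project-page URL, whereas the libmhash recipe in this same commit uses the layer convention `${SOURCEFORGE_MIRROR}/mhash/mhash-${PV}.tar.bz2`; `SRC_URI = "${SOURCEFORGE_MIRROR}/sshguard/sshguard-${PV}.tar.gz"` would follow that and pick up the mirror handling (verify the mirror resolves that path). The file also mixes `SRC_URI=` with the `NAME = value` spacing used everywhere else in the layer, and sets no `DESCRIPTION` or `SECTION`, which the neighbouring recipes in this tree do.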
diff --git a/recipes-security/sssd/files/sssd.conf b/recipes-security/sssd/files/sssd.conf
deleted file mode 100644
index 1709a7a..0000000
--- a/recipes-security/sssd/files/sssd.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[sssd]
-services = nss, pam
-config_file_version = 2
-
-[nss]
-
-[pam]
-
diff --git a/wic/beaglebone-yocto-verity.wks.in b/wic/beaglebone-yocto-verity.wks.in
index 658018b..2d332d8 100644
--- a/wic/beaglebone-yocto-verity.wks.in
+++ b/wic/beaglebone-yocto-verity.wks.in
@@ -3,6 +3,7 @@
# Copyright (C) 2020 BayLibre SAS
# Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
#
+# short-description: Create a u-SD image for beaglebone-black with dm-verity
# A dm-verity variant of the regular wks for beaglebone black. We need to fetch
# the partition images from the DEPLOY_DIR_IMAGE as the rootfs source plugin will
# not recreate the exact block device corresponding with the hash tree. We must
@@ -10,6 +11,6 @@
#
# This .wks only works with the dm-verity-img class.
-part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --fixed-size 32 --sourceparams="loader=u-boot" --use-uuid
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity"
bootloader --append="console=ttyS0,115200"
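Review bot: The switch from `--size 16` to `--fixed-size 32` on the boot partition changes the failure mode: wic now errors out instead of growing the partition when the boot files exceed 32 MiB, and nothing in the header comment says that this is wanted. If the intent is to keep the rootfs partition at a stable offset so the verity image and its hash tree line up (plausible given the rawcopy on the next line, but the diff does not say), a comment such as `# boot is fixed-size so the verity rootfs partition always starts at the same offset` above the part line would record it. The `${IMAGE_NAME_SUFFIX}` addition matches the systemd wks files in this commit.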
diff --git a/wic/systemd-bootdisk-dmverity-hash.wks.in b/wic/systemd-bootdisk-dmverity-hash.wks.in
new file mode 100644
index 0000000..e400593
--- /dev/null
+++ b/wic/systemd-bootdisk-dmverity-hash.wks.in
@@ -0,0 +1,18 @@
+# short-description: Create an EFI disk image with systemd-boot and separate hash dm-verity
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class and separate hash data. (DM_VERITY_SEPARATE_HASH)
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+# include the root+hash part with the dynamic hash/UUIDs from the build.
+include ${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.${DM_VERITY_IMAGE_TYPE}.wks.in
+
+# add "console=ttyS0,115200" or whatever you need to the --append="..."
+bootloader --ptable gpt --timeout=5 --append="root=/dev/mapper/rootfs"
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
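Review bot: The new file's header omits the note that `initrd=microcode.cpio` pulls in a meta-intel layer dependency, which this same commit adds to the sibling `systemd-bootdisk-dmverity.wks.in`; the same line, `# Also note that the use of microcode.cpio introduces a meta-intel layer dependency.`, belongs here too. The `bootloader --append="root=/dev/mapper/rootfs"` line only names the mapper device, so something else (the included `${STAGING_VERITY_DIR}` fragment or the initrd) must set up the verity mapping with the root hash; a sentence in the header saying where that happens would save the next reader a search, as the diff does not show it.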
diff --git a/wic/systemd-bootdisk-dmverity.wks.in b/wic/systemd-bootdisk-dmverity.wks.in
index ef114ca..0ac9cca 100644
--- a/wic/systemd-bootdisk-dmverity.wks.in
+++ b/wic/systemd-bootdisk-dmverity.wks.in
@@ -1,3 +1,4 @@
+# short-description: Create an EFI disk image with systemd-boot and dm-verity
# A dm-verity variant of the regular wks for IA machines. We need to fetch
# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
# not recreate the exact block device corresponding with the hash tree. We must
@@ -5,10 +6,11 @@
# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
#
# This .wks only works with the dm-verity-img class.
+# Also note that the use of microcode.cpio introduces a meta-intel layer dependency.
part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
-part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid