Despite the name, autotools_aclocals() doesn't actually do anything with
aclocal. Instead it reads all of the available autoconf site default
files[1] and sets CONFIG_SITE appropriately. Rename the function to
autotools_sitefiles to make this clear.
Also there's no need to do this before do_configure or do_install, as
the variable is only checked when configure runs.
[1] https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Site-Defaults.html
(From OE-Core rev: 05080b48a9607e19a251c7396c1b06f08d98ed3b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need aclocal to look in two different $datadir/aclocal/ directories:
the native (eg, for pkg.m4 from pkgconfig) and the target (eg, for
alsa.m4 from alsa-lib).
aclocal doesn't directly support this pattern; currently we use
--system-acdir to specify the target directory and then add the native
directory to the user include list.
However, since automake 1.17 there is also an --aclocal-path option to
augment the search list. As the relocated aclocal from automake-native
already knows the correct path for the native aclocal directory we can
use --aclocal-path to add the correct target aclocal directory.
For simplicity I don't bother only doing this in non-native builds as
this just adds the same path to the search twice.
This removes ACLOCALDIR and ACLOCALEXTRAPATH. Recipes using these to
add search paths should instead use EXTRA_AUTORECONF += "-I path".
(From OE-Core rev: 878e1517d4890b31332a506ce903d57e1d7dff87)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The complexity of overriding files from the bbclass made the behavior at
times hard to follow and predict. This change replaces the default file with a
heredoc equivalent that creates a default file if the user does not provide their
own version of run-ptest in the SRC_URI.
(From OE-Core rev: be3db5f4f1b857b93d08211019d9ff796ec389b6)
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The per-tune qemu options variable is QEMU_EXTRAOPTIONS_${TUNE_PKGARCH},
but this doesn't follow the pattern of all of the other tune-specific
variables in the machine configuration which is VARIABLE:tune-[name].
Rename QEMU_EXTRAOPTIONS_${TUNE_PKGARCH} to
QEMU_EXTRAOPTIONS:tune-${TUNE_PKGARCH} for consistency.
Note that this will mean that BSPs need to update any assignments of
this variable.
(From OE-Core rev: 7f981d074442b901f7e64dbdb9db851ff31c3733)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Every other architecture has the QEMU_EXTRAOPTIONS assignments in the
tune files, so move the PPC ones too.
(From OE-Core rev: ba05251c89d8cc243e861886124573c83197e949)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Using the package architecture to select the right qemu options to pass
to qemu-user is incorrect, and fails for recipes that set PACKAGE_ARCH
to MACHINE_ARCH (as the qemuppc workarounds suggest) because there are
not typically any options set for the machine name.
Solve this by using TUNE_PKGARCH instead: for the majority of recipes
this is the same value, but for machine-specific recipes it remains the
same instead of changing to the machine name.
This means we can remove the qemuppc workarounds, as they're obsolete.
Also update the gcc-testsuite recipe which uses the same pattern to use
TUNE_PKGARCH, and generalise the else codepath to avoid needing to
update the list of architectures.
[ YOCTO #15647 ]
(From OE-Core rev: 414b754a6cbb9cc354b1180efd5c3329568a2537)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The nativesdk class overrides PACKAGE_ARCH and unsets TUNE_FEATURES, but
as recipes might want to look at TUNE_PKGARCH too (for example, when
setting QEMU_EXTRAOPTIONS) we should also override that variable.
Otherwise, a nativesdk recipe will have the TUNE_PKGARCH of the target,
which leads to errors (eg passing mips arguments to an arm qemu).
(From OE-Core rev: 05322beb290e1db30bef49b4364f8a8e6e9f7408)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If a recipe has something like:
    RPROVIDES:${PN}-xxx = "yyy"
then the current code will turn this into:
    RPROVIDES:${BPN}-native-xxx = "yyy-native"
which can lead to errors. Add in some handling for this special case in the class
extension code.
The corresponding entry in PACKAGES is correctly remapped, the variables aren't
remapped to match though.
Note that merging this does trigger new dependencies to be exposed, some of which
can't be met or are incorrect. These need to be fixed on a case by case basis.
There was also a problem in the existing code when handling anonymous python in
PACKAGES since it would pass bizarre package names like "d)}" to the remapping code.
This patch changes it to ignore anonymous python since in the native case, this likely
isn't wanted anyway. This also then avoids ${PN}-ptest in the native case which was a
common dependency problem.
(From OE-Core rev: e2fd81e221c25fc21d532e020ddd8aaac0c22ede)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A relocated aclocal in the native sysroot has the right paths already:
    $ cat /work/ross/build/tmp/work/cortexa57-poky-linux/expect/5.45.4/recipe-sysroot-native/usr/bin/aclocal
    my @automake_includes = ('/work/ross/build/tmp/work/cortexa57-poky-linux/expect/5.45.4/recipe-sysroot-native/usr/share/aclocal-' . $APIVERSION);
Thus there is no need to tell aclocal the path explicitly.
(From OE-Core rev: 002e03132b8ba1f1b254c8a63ff70db2a5d16518)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some mysterious autotools errors are because upstream has a custom
aclocal.m4 that we're deleting unless we know we're not even running
aclocal. There's a case to be made for removing this deletion logic
on the grounds that aclocal should know what it is doing, but for now
make it clear that we're deleting a file by saying so in the task log.
(From OE-Core rev: d6efd938af8a8260ae464edf4388afea73293ec7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Also known as FDTO, DTO or Device Tree Overlay.
This adds a new property per label in extlinux.conf for which device
tree overlays to apply on top of the base device tree (the one specified
in FDT or guessed by the bootloader if only FDTDIR is set). It is a
space-separated list of paths to the .dtbo file(s).
Note that the base FDT needs to have symbols enabled (DTC_FLAGS needs to
have -@ in it) for an overlay to be applicable.
This is only applicable for non-FIT setups.
(From OE-Core rev: 3ac21b32b5f5616cc7c0641fb3132eec9b27e5b7)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A large number of python packages leverage the pytest unit test
framework for their ptest functionality. Currently, many of the tests
have duplicate code for:
1. Installing pytest files
2. Declaring ptest dependencies
3. Script for executing tests (run-ptest)
To simplify adding common pytest based ptests, added a new class
enabling base functionality. Users can also override the location of
the pytest files in addition to using their own version of run-ptest.
[RP: Minor whitespace tweaks to shell function and missing prepend space]
(From OE-Core rev: d66009e608256d42b2d6573d4614a99eb13fd3f1)
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop patches:
parallel.patch
(obsolete as no .a files are installed)
0001-intl-Fix-build-failure-with-make-j.patch
(backport)
Gettext no longer installs anything into $libdir/gettext by default
but still creates the directory and so it should be packaged.
(From OE-Core rev: a414f47009811fa6886e43fd2b4c928a906a65f3)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
SDKs which aren't built from an image recipe should also come with
drop-in symlinks for `/bin`, `/lib` and `/sbin`. Support this by moving
the common functionality into `populate_sdk_base` and enabling the
symlink creation when the `usrmerge` DISTRO_FEATURE is on.
(From OE-Core rev: 8e1e86cc9d5d4e866ff0ab62c8954db0e65c19e6)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If no destsuffix parameter is supplied and the file fetcher is used,
the folder name (i.e. basepath) is added to the kernel-meta search
directories.
(From OE-Core rev: e46cc8159136ce96489e10f126405781abfbd52e)
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add shutil import to resolve error:
Exception: NameError: name 'shutil' is not defined, Did you forget to import 'shutil'
(From OE-Core rev: b64263a43b4d82f1ebba13815bccb8a8cd3127f9)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update the UPSTREAM_CHECK_URI to leverage the simple repo API. The
project URLs require javascript which breaks the version checking fetch
and subsequent logic. The simple repo API provides similar
functionality with a well defined spec which is used by tools such as
pip. Also update the UPSTREAM_CHECK_REGEX to be compatible with the
information retrieved via the API.
(From OE-Core rev: 10febb0e8193d15aec8bbf80b849ae6732da3c22)
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Starting a systemd service “Also” does not mean that both services
must be in the same package. However, the systemd.bbclass enforces
this.
Example:
  a.service:
    [Install]
    Also=b.service
If a.service is packed in package A, b.service is automatically packed
into package A as well. This happens even if b.service is explicitly
added to package B using FILES and SYSTEMD_SERVICE variables.
The automatic packing of socket files with the corresponding service
files is probably a widely used feature of systemd.bbclass. This behavior
does not change.
Adding regular service files to a package just because it is another
service in the same package that "Also" uses the service is a bug that
this commit fixes.
(From OE-Core rev: f836d80eb48a2a2f9b1e66980021755cf0ca2a26)
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The keys variable was intended as an array of keys. But it looks like
this has not been used for more than 10 years now. Adding files
automatically to packages needs probably anyway very specific code
rather than a generic loop. Let's simplify this a bit.
Using python code should also not be slower for these usually small
files.
(From OE-Core rev: 0eda7131bf743719d6586ccd36d99cbe11c88262)
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rpm2cpio has been deprecated upstream, so this prepares for its
eventual removal.
rpm2archive produces a tar archive which can be uncompressed
with tar executable from the host.
(From OE-Core rev: ed824d3fb23f0c89d8dfdacb2c4ef0b7c21a5144)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit 0d14e99aa18ee38293df63d585fafc270a4538be.
The patch removed logic required for correct handling of
UBOOT_SUFFIX=img or UBOOT_SUFFIX=rom. We need to find a better way to
handle the fix for [YOCTO #15649].
(From OE-Core rev: 5e82d33451b5662df1e7fe2518a50644d18aa70d)
Signed-off-by: Ryan Eatmon <reatmon@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
'cargo install' only installs executables and examples into the system,
and we should follow that. Libraries are vendored into
build trees from the crate registry and then baked directly into executables.
Nevertheless, there's now a condition variable, so individual recipes can
opt into installing libraries if there's a use case for it.
(From OE-Core rev: 68990af9630da16fc75362ca09046ceab71a1106)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nativesdk builds are cross-builds like target ones, and
so meson expectations regarding ability to run binaries are the same:
either provide the wrapper, or disable the build time options that
need executing target binaries during build time (if such options
are made available by upstream).
(From OE-Core rev: f210fc1d3db2e71f484bddc0b23ab252c36f4062)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A few variable dependencies were incorrect from the SPDX tasks, which
prevented rebuilds from occurring, or caused them to occur when they
should not.
(From OE-Core rev: 38a5dd136b3a3713e63d23598011efe1c4b0f459)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These two files are the only ones that are left in meta/lib.
They logically belong to meta/lib/oe, so move them there.
(From OE-Core rev: c65dd0e3e463d6072b9364ac74e1fef0d998068f)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The Linux kernel supports compressing its output binary with the lzma algorithm and
U-Boot supports decompressing an lzma compressed image.
Both xz and lzma algorithms are identical and users can use the xz utility with
the format parameter to compress an Image which supports the lzma algorithm.
Add the following command to support lzma. This command refers to the Linux
kernel, https://github.com/torvalds/linux/blob/master/arch/powerpc/boot/wrapper
"xz --format=lzma -f -6 linux.bin"
(From OE-Core rev: 211178065bdca293c84c41a9a1e79c10df95b6ad)
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The SPDX code makes heavy use of python classes. While this works very
well, the bitbake dependency parser is unable to understand how to deal
with them, and thus changes to the class code do not cause rebuilds to
occur. To correct this, add the library files that include SPDX code as
file checksums for the SPDX tasks. If this method works well for SPDX,
we will look at implementing something similar in the bitbake dependency
parser that should allow correct checksums without having to explicitly
add them to each class.
(From OE-Core rev: 6ac3033b77a0d1f7ab15801c5c65931adede3923)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When /var/log is volatile, capturing just the symlink isn't useful. Fix this.
(From OE-Core rev: 06bb8069b023c6b71f3c7dd87a6c2bebc5820083)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bb.fatal() exits right away while bb.error() does some cleanup
before exiting. Fixes running tests during image build with TESTIMAGE_AUTO
multiple times in a row when some of the tests fail:
    $ killall -9 Cooker ; bitbake -c clean core-image-base ; \
        bitbake core-image-base ; \
        bitbake core-image-base
With bb.fatal() something in cleanup is not done and second
image build builds an empty rootfs into .wic image.
Workaround is to kill Cooker processes between bitbake calls,
or to switch testimage.bbclass from bb.fatal() to bb.error()
logging which is done here.
(From OE-Core rev: 077bdd26e6c5bd161f082524ceee9e90d56315b5)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream has solved the absolute path problem differently by taking
paths relative to the top of the module. This appears to solve the
problem, at least I've not found any cases where it breaks.
Drop my patch, and backport the relevant commit from upstream.
(From OE-Core rev: 47f7808dd93e50fb3ecddbf980e40e51dd7376cb)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This didn't seem to be possible considering the entire point of Cython
is to generate C bindings, but some Python build systems remove the
build tree once the wheel has been generated, so we never get to see the
sources. As xargs will call the specified command even without any files
this results in sed failing.
Pass --no-run-if-empty so that this case doesn't result in an error.
(From OE-Core rev: f1c1bdb05ea8f79a14a4b53e110889b70881f4d7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These INSANE_SKIPs are specific to cython and unrelated to mesonpy, so
remove them. The new cython.bbclass should resolve the cause.
(From OE-Core rev: abe08a3238d162a1bdbc68172307eb3eb127bbb1)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recipes that use Cython typically also do some bespoke fixup. Add a
class to centralise the logic:
- Set CYTHON_PREFIX_MAP to stop build paths appearing in generated
objects
- Strip "Cython Metadata" blocks from generated code that ends up in the
-src package
(From OE-Core rev: 9752da112b618362d2fe1b61c8939b8410e98553)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove the 'debug-tweaks' IMAGE_FEATURE. It sounds friendly and kind to
developers, but it results primarily in an image where root can log in
remotely without a password. This is incredibly useful for local
development and testing purposes, but we really want to be explicit that
this is what is happening instead of hiding it behind a vague "debug
tweaks" statement.
To preserve the existing behaviour, debug-tweaks should be replaced with
these features:
    allow-empty-password empty-root-password allow-root-login post-install-logging
(From OE-Core rev: 2c229f9542c6ba608912e14c9c3f783c3fa89349)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
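Added example, not part of the commit above or of OE-Core: a Python check that reads BitBake configuration text, reports any remaining use of debug-tweaks and flags the explicit features that weaken login. The assignment matcher is a simplified assumption (no override evaluation, no include handling), the "login-weakening" grouping and all function names are this example's own, and the sample configuration is constructed.

```python
import re

# Replacement list exactly as given in the commit message.
DEBUG_TWEAKS_REPLACEMENT = [
    "allow-empty-password", "empty-root-password",
    "allow-root-login", "post-install-logging",
]
# Assumption of this example: the subset that weakens authentication.
LOGIN_WEAKENING = {"allow-empty-password", "empty-root-password", "allow-root-login"}

# Simplified matcher for assignments to the two image feature variables.
ASSIGN_RE = re.compile(r'''
    ^\s*(?P<var>(?:EXTRA_)?IMAGE_FEATURES)
    (?P<override>(?::[A-Za-z0-9_${}-]+)*)\s*
    (?P<op>\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*
    (?P<q>["'])(?P<value>.*?)(?P=q)\s*$''', re.VERBOSE)


def iter_assignments(text):
    """Yield (first_line, override, features) per assignment, joining '\\' continuations."""
    logical, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            logical += stripped[:-1] + " "
            continue
        line, first = logical + stripped, start
        logical, start = "", None
        if line.lstrip().startswith("#"):
            continue  # commented-out assignment has no effect
        m = ASSIGN_RE.match(line)
        if m:
            yield first, m.group("override"), m.group("value").split()


def audit(text):
    """Return [(line, feature, kind)] for features that need attention."""
    findings = []
    for lineno, override, features in iter_assignments(text):
        if "remove" in override.split(":"):
            continue  # VAR:remove takes the feature away, nothing to flag
        for feature in features:
            if feature == "debug-tweaks":
                findings.append((lineno, feature, "removed"))
            elif feature in LOGIN_WEAKENING:
                findings.append((lineno, feature, "login-weakening"))
    return findings


def expand_debug_tweaks(features):
    """Replace debug-tweaks with the explicit features, keeping order, no duplicates."""
    out = []
    for feature in features:
        items = DEBUG_TWEAKS_REPLACEMENT if feature == "debug-tweaks" else [feature]
        for item in items:
            if item not in out:
                out.append(item)
    return out


# Constructed sample configuration, not taken from any real layer.
SAMPLE_CONF = '''\
# local.conf style fragment
EXTRA_IMAGE_FEATURES ?= "debug-tweaks ssh-server-openssh"
IMAGE_FEATURES:append = " allow-root-login \\
    empty-root-password"
IMAGE_FEATURES:remove = "allow-empty-password"
#IMAGE_FEATURES += "debug-tweaks"
IMAGE_FEATURES += "read-only-rootfs"
'''

if __name__ == "__main__":
    for lineno, feature, kind in audit(SAMPLE_CONF):
        print(f"line {lineno}: {feature} ({kind})")
    print(" ".join(expand_debug_tweaks(["debug-tweaks", "ssh-server-openssh"])))
```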
With the ability to tag raw configuration fragments as "hardware",
there is a chance that badly behaved fragments throw warnings or
cause other issues that are not applicable during development (or
you understand the risk).
Allow kernel configuration audit to be skipped if KMETA_AUDIT is
not set (by default it is), to provide a flag for control over
auditing.
(From OE-Core rev: a39a1f7cf78ad1ca07438bce634a47e970f25047)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When .scc files are used, a configuration fragment can be declared
as "hardware" (required) or "non-hardware" (optional).
By default the configuration audit only warns about hardware
options. We can extend that default level of auditing to configuration
fragments that are on the SRC_URI or in KERNEL_FEATURES by
adding the ability to put a specifier after the fragment.
i.e. KERNEL_FEATURES:append = 'hardening.config:required'
This is particularly useful for fragments that are outside of
the kernel-cache (in a layer, in a kernel tree, etc).
(From OE-Core rev: 0a84a3dd00543adffdef4fcf5381faab2984541e)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[This is currently an RFC as it depends on a separate patch to add
support for config fragments with .config file extensions in
yocto-kernel-tools:
https://lists.yoctoproject.org/g/linux-yocto/message/14431]
In Linux 6.8, the in-tree rv32_defconfig file for 32-bit RISC-V support
was dropped in favour of a Makefile target which combines the RISC-V
defconfig with a config fragment '32-bit.config'. So to build for 32-bit
RISC-V using the in-tree configuration from an upstream kernel, we need
to be able to enable this 32-bit config fragment.
We can support this via KERNEL_FEATURES if we add the in-tree arch
config directory (arch/${ARCH}/configs) to the search path.
While we're here, let's also add the generic config directory
(kernel/configs) to the search path so in-tree config fragments such as
'hardening.config' can be used.
(From OE-Core rev: e4e50a9a93d606ba5fef8f10f1ec20deaed7ab9c)
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
zst is much faster than the default xz, test result on my Precision
5680 machine:
Installing a tar.xz SDK takes 37 seconds while tar.zst only takes 17
seconds.
Let's introduce support for tar.zst.
Also add a sanity check for supported archive types.
(From OE-Core rev: 1d22562a89e91f19b818b8f9bc214be941303980)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Moves several of the functions in license.bbclass to be library code.
New function dependencies were manually verified using bitbake-dumpsigs
to ensure that bitbake identified the same dependencies even though they
are now in library code (although the new function names mean that the
task hashes still change)
(From OE-Core rev: 0333e04e353991260c5f67a72f80f3ab9dcf526a)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove custom wic plugin implementation and use systemd ukify reference
implementation when generating UKI images. Fail if users still have
create-unified-kernel-image in wic image config. uki.bbclass use is
detected from IMAGE_CLASSES variable ("inherit uki" in image
recipe) so export that to wic plugins.
If UKI is used, then only generate a minimal loader config for
systemd-boot which basically just sets a timeout. Also set 5 second
timeout by default instead of failing if wic bootloader config is
missing. Boot menu is generated at runtime based on UKI binaries
found from ESP partition.
(From OE-Core rev: 725fed6ea40c7443b5e0e69dc1dd9c38ac814c56)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This class calls systemd ukify tool, which will combine
kernel/initrd/stub components to build the UKI. To sign the UKI
(i.e. SecureBoot), the keys/cert files can be specified
in a configuration file or UEFI binary signing can be done
via separate steps, see qemuarm64-secureboot in meta-arm.
UKIs are loaded by UEFI firmware on target which can improve
security by loading only correctly signed kernel, initrd and kernel
command line.
Using systemd-measure to pre-calculate TPM PCR values and sign them is
not supported since that requires a TPM device on the build host. Thus
"ConditionSecurity=measured-uki" default from systemd 256 does not work
but "ConditionSecurity=tpm2" in combination with secure boot will.
These can be used to boot securely into systemd-boot, kernel, kernel
command line and initrd which then securely mounts a read-only dm-verity
/usr partition and creates a TPM encrypted read-write / rootfs.
Tested via qemuarm64-secureboot in meta-arm with
https://lists.yoctoproject.org/g/meta-arm/topic/patch_v3_02_13/108031399
and a few more changes needed, will be posted separately.
(From OE-Core rev: da69a73491a72b46e299f874ce90d81135cd9656)
Signed-off-by: Michelle Lin <michelle.linto91@gmail.com>
Acked-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-update: copyright years
Update 0001-Makefile.pre-use-qemu-wrapper-when-gathering-profile.patch
to only include tests that do not fail under qemu (following upstream
change that also no longer obscures failures).
Drop
0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch
(backport)
0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch
(fixed upstream)
0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch
(code completely rewritten upstream)
cgi_py.patch
(cgi and cgitb modules removed upstream)
Add fix-armv5.patch
(address armv5 crashes)
Modules removed in 3.13 (look for 'important removals'):
https://docs.python.org/3/whatsnew/3.13.html
Manifest updated accordingly.
Add an explicit dependency on libatomic (needed on mips
and ppc), as upstream has explicitly switched it off
in cross builds. It's a no-op on other targets.
Fcntl relocated to python3-core by the manifest script.
(From OE-Core rev: 0b49c9aa31279ecda565cc66b63d1d61723b37b8)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>