It appears that rngd is not needed as of linux-5.6 and later[1]
and should not be installed by default since the purpose of rngd
is to provide additional trusted sources of entropy.
We did some testing on real hardware, the result seems to support that
we no longer need rngd by default on kernel v5.6 and later.
Testing result as below:
1. observing the crng init stage.
the "random: crng init done" always available before fs being mounted.
2. generating random number without rngd.
testing command: dd if=/dev/random of=/dev/null status=progress
on Marvell CN96xx RDB board, speed almost 20.4 MB/s without block
on NXP i.mx6q board, speed almost 31.9 MB/s without block
on qemu x86-64, speed almost 2.6MB/s without block
3. using rngtest command without rngd
testing command: rngtest -c 1000 </dev/random
on Marvell CN96xx RDB board:
rngtest: input channel speed: (min=4.340; avg=135.364; max=146.719)Mibits/s
rngtest: FIPS tests speed: (min=8.197; avg=69.020; max=72.800)Mibits/s
rngtest: Program run time: 418771 microseconds
on NXP i.mx6q board:
rngtest: input channel speed: (min=96.820; avg=326.769; max=340.598)Mibits/s
rngtest: FIPS tests speed: (min=15.090; avg=37.543; max=40.324)Mibits/s
rngtest: Program run time: 570229 microseconds
on qemu x86-64:
rngtest: input channel speed: (min=37.769; avg=101.136; max=136.239)Mibits/s
rngtest: FIPS tests speed: (min=10.288; avg=30.682; max=40.155)Mibits/s
rngtest: Program run time: 836800 microseconds
4. observing sshd service.
using "systemctl disable rng-tools" disable service and reboot system.
system boot up normal, sshd service also start in normal time without
block.
Reference:
[1] 30c08efec8
(From OE-Core rev: 868dfb46d96a27ec9041cb902fb769330277257d)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
texrels are generated while compiling on x86/clang because pic/pie flags
that are passed via bitbake do not make it everywhere evenly.
--enable-pie is default way of getting it enabled in bluez5
PIE is enabled by default which ensures that textrels are not generated
(From OE-Core rev: 804aa082e4c4fdd4881ff668f52790bea818eabb)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
Fix a crash that could happen when you change
a dnssec-policy zone with NSEC3 to start using
inline-signing. [GL #3591]
Don't trust a placeholder KEYDATA from the managed-keys
zone by adding it into secroots. [GL #2895]
Fixed a race condition that could cause a crash
in dns_zone_synckeyzone(). [GL #3617]
Don't enforce the jemalloc use on NetBSD. [GL #3634]
Fix an inheritance bug when setting the port on
remote servers in configuration. [GL #3627]
Fix a resolver prefetch bug when the record's TTL value
is equal to the configured prefetch eligibility value,
but the record was erroneously not treated as eligible
for prefetching. [GL #3603]
Always call dns_adb_endudpfetch() after calling
dns_adb_beginudpfetch() for UDP queries in resolver.c,
in order to adjust back the quota. [GL #3598]
Fix a startup issue on Solaris systems with many
(reportedly > 510) CPUs. Thanks to Stacey Marshall from
Oracle for deep investigation of the problem. [GL #3563]
rpz-ip rules could be ineffective in some scenarios
with CD=1 queries. [GL #3247]
The RecursClients statistics counter could overflow
in certain resolution scenarios. [GL #3584]
Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR()
reporting macros. [GL !6914]
Fix a couple of bugs in cfg_print_duration(), which
could result in generating incomplete duration values
when printing the configuration using named-checkconf.
[GL !6880]
Refactor the isc_httpd implementation used in the
statistics channel. [GL !6879]
(From OE-Core rev: e57fe26b3f85ebfabdc8b574caa5c97602e4d771)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently, dhcpcd does not work well with systemd. When using dhcpcd
to configure network, the /etc/resolv.conf contents are not correct.
This issue could easily be reproduced by using 'qemu + slirp' to
start a systemd based image and using dhcpcd to configure network.
The expected 'nameserver 10.0.2.3' is not in /etc/resolv.conf.
The root cause of this problem is that dhcpcd assumes the resolvconf
should recognize .protocol suffix[1]. But systemd's resolvconf (which
is a symlink to resolvectl) has a limited support for traditional
resolvconf interface[2], and "may not work with all clients"[3]. This
of cource includes the clients that use the .protocol suffix.
The current situation is:
1. systemd is not going to support the .protocol suffix in the foreseeable
near future[4].
2. dhcpcd does not want to merge systemd specific patch and insists
systemd needs to consider the .protocol suffix[5][6].
It's a normal thing that people have different opinions. As a build system
that supports such combination, however, we do need to come up with a
solution to fix this typical integration problem, making dhcpcd and systemd
work together.
This patch solves this integration problem by relying on dhcpcd's ability
to manage its own resolv.conf contents. But instead of letting it to write
to /etc/resolv.conf directly, we supply the generated contents to resolvconf.
In this way, the resolvconf still stands in the central place and dhcpcd remains
a supplier to it. And the /etc/resolv.conf can get the correct contents.
With this patch, dhcpcd could work with both sysvinit and systemd.
[1] https://man.archlinux.org/man/resolvconf.8.en
[2] https://man.archlinux.org/man/resolvectl.1#COMPATIBILITY_WITH_RESOLVCONF(8)
[3] https://wiki.archlinux.org/title/systemd-resolved
[4] https://github.com/systemd/systemd/issues/25032
[5] https://github.com/NetworkConfiguration/dhcpcd/pull/152
[6] https://github.com/NetworkConfiguration/dhcpcd/issues/146
(From OE-Core rev: 935ae419f51d911c73f5dc7b4a2e5e9a7b206985)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current resolvconf does not work. Make it work with the
following changes.
1. Install normalize-resolvconf, which is used by resolvconf.
2. Add dependencies: sed, util-linux-flock.
util-linux-flock is needed by our busybox does not support '-w'
by default. sed is needed because we want to avoid package
QA issue complaining sed is needed by no one provides it.
3. Add a patch to replace 'readlink -m' with 'readlink -l'.
This could avoid the runtime dependency on coreutils. The replacement
is safe as /etc always exits in OE's system.
4. Remove allarch inheritage. This is because the above RDEPENDS
change does not allow this any more. test_sstate_allarch_samesigs
would fail if we don't do this.
(From OE-Core rev: 1b0581fd241cc9de2feda896aefbf055dc0099dc)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add the trailing '.git' to git repo uri in SRC_URI then it could share
source code repo on premirror with grpc which uses libuv as a git
submodule with fixed revision.
(From OE-Core rev: cecdf616e7cf192cdc723a446be1d14c197c980d)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch
removed since it's included in 1.7.4.4
(From OE-Core rev: c00e9d66f0b8449ff1bf24546f232345eb6feebd)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently the hciattach bcm43xx firmware loader looks up the firmware
blob in /etc/firmware . Change this to /lib/firmware instead, so that
the path is consistent with Linux kernel which also looks up firmware
for the WiFi part in /lib/firmware .
(From OE-Core rev: 72b3b79ad8b980e8dd9470d16b72c2c70072bbc0)
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In OE-Core d6b15d1e70b99185cf245d829ada5b6fb99ec1af,
"openssl: export necessary env vars in SDK", the value added for
SSL_CERT_FILE was in conflict with the value used elsewhere, such as
in buildtools. This makes them match and fixes buildtools testsdk
failures.
(From OE-Core rev: 7d383a7fc6da666c80f2fc037af5f49a3388eb2b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In current SDK, when running the following command in python
shell, we get an error.
$ python3
>>> from cryptography.hazmat.backends import openssl
The error message is as below:
cryptography.exceptions.InternalError: Unknown OpenSSL error.
We could set OPENSSL_MODULES explicitly in nativesdk-openssl package
so that when SDK is set up, it's in environment and we can
get rid of the above error.
Also, there are other env vars that need to be exported. And we export
all of them to keep sync with openssl-native.bbclass.
(From OE-Core rev: d6b15d1e70b99185cf245d829ada5b6fb99ec1af)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Unless we're using systemd, dbus is not pulled into the system
automatically. Bluez5 will not work without dbus so add it to RDEPENDS
explicitly.
(From OE-Core rev: 377ef7009a8638efe688b6b61f67ae399eb1f23d)
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Possible options would be wpa-supplicant or iwd.
iwd is a wireless daemon written by intel and supported by all major network managers.
It can be run in standalone mode and configured with 'iwctl' from the terminal, and
with 'iwgtk' or 'iwdgui' from the gui. It can also work as a wpa_supplicant drop-in
replacement for network-manager, connman or systemd-networkd.
iwd makes heavy use of the kernel api, so it is not portable but does not need
additional external libraries like openssl.
The PACKAGECONFIG name for wpa-supplicant in the connman recipe is changed accordingly,
so that it also works there when WIRELESS_DAEMON is set globally.
(From OE-Core rev: c54f3847349173ed3a8e77a5c2732e1bbcddd540)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This makes it simpler to set specific ssh/sshd config options by adding
snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
instead of modifying a copy of the full configuration file. As new
snippets can be added from separate recipes, targeted changes can be
done in multiple layers.
These specific directories are also used in Debian's default
configuration.
(From OE-Core rev: 70447c1680672bb4741a9e1c98aadc274e1ed5a0)
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Check would fail with compilers using -Werror since _GNU_SOURCE is
needed for this function.
(From OE-Core rev: f820e177f9d1d1f1c3c9411003e44d04961e1ba4)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Python support was dropped upstream and removed in 8a9a5885995c ("bind:
update 9.16.26 -> 9.18.1"), clean up the remaining pieces of python3 in
the recipe.
(From OE-Core rev: ee4e4eb16a3729dcafad075c42aec1695b8ea15f)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes a fix for CVE-2022-2068.
(From OE-Core rev: f034faebd45e63385849078e6ee4b51257763e99)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is a pattern that several recipes need to break the dependency of ${PN}-dev
on ${PN}, most often as ${PN} may be be empty. Add a new variable to parameterise
this and allow it to be changed more easily.
(From OE-Core rev: a5b381c0f45c590a762647a9956a8f41e2e2315e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
[func] Don't try to process DNSSEC-related and ZONEMD records
in catz. [GL #3380]
[func] Add some more dnssec-policy checks to detect weird
policies. [GL #1611]
[test] Add new set of unit test macros and move the unit
tests under single namespace in /tests/. [GL !6243]
[func] Key timing options for 'dnssec-settime' and related
utilities now accept "UNSET" times as printed by
'dnssec-settime -p'. [GL #3361]
[bug] When the fetches-per-server quota was adjusted
because of an authoritative server timing out more
or less frequently, it was incorrectly set to 1
rather than the intended value. This has been
fixed. [GL #3327]
[bug] Only write key files if the dnssec-policy keymgr has
changed the metadata. [GL #3302]
[func] Key timing options for 'dnssec-keygen' and
'dnssec-settime' now accept times as printed by
'dnssec-settime -p'. [GL !2947]
(From OE-Core rev: d5a12d549209f01324d03963db96449ee43452eb)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptests in in openssl have started failing as one of the test certificates has
expired. Backport a fix for this from upstream, replacing the test
certificate to allow the ptests to pass again.
(From OE-Core rev: f26f0b34f12bbca2beed153da402a3594d127374)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
