Changelog:
=========
** libgnutls: In FIPS140 mode, RSA signature verification is an approved
operation if the key has modulus with known sizes (1024, 1280,
1536, and 1792 bits), in addition to any modulus sizes larger than
2048 bits, according to SP800-131A rev2.
** libgnutls: gnutls_session_channel_binding performs additional checks when
GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the
"tls-exporter" channel binding is only usable when the handshake is
bound to a unique master secret (i.e., either TLS 1.3 or extended
master secret extension is negotiated). Otherwise the function now
returns error.
** libgnutls: usage of the following functions, which are designed to
loosen restrictions imposed by allowlisting mode of configuration,
has been additionally restricted. Invoking them is now only allowed
if system-wide TLS priority string has not been initialized yet:
gnutls_digest_set_secure
gnutls_sign_set_secure
gnutls_sign_set_secure_for_certs
gnutls_protocol_set_enabled
(From OE-Core rev: a583ac20cc82ede59e1a4e30708cf5434b49ce37)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 858886aa07d0c2c2ef2489996cc8eca5fbe931fa)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When machine configuration defines a mount point, which is not used in
any recipe, allow to fall through and only report a note in the logs.
This can be expected behavior, when a mount point is defined for several
machines, but not used in all of them
(From OE-Core rev: c7c6b273656a3e2b8b959004b996e56d4086ce5e)
Signed-off-by: Vyacheslav Yurkov <Vyacheslav.Yurkov@bruker.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit a9c604b5e0d943b5b5f7c8bdd5be730c2abcf866)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The code to parse arguments was inadvertently skipping all arguments in
the elif block after gl-es if it was specified on the command line.
(From OE-Core rev: dd1dcfada1fa46ecb8227c2852769b35026875d3)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 718bb8d56f6a24c86e67830a7d13af54df2ebb4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Instead of changing the script environment to affect the child
processes, make a copy of the environment with modifications and pass
that to subprocess.
Specifically, when dri rendering is enabled, LD_PRELOAD was being passed
to all processes created by the script which resulted in other commands
(e.g. stty) exiting with a failure like:
/bin/sh: symbol lookup error: sysroots-uninative/x86_64-linux/lib/librt.so.1: undefined symbol: __libc_unwind_link_get, version GLIBC_PRIVATE
Making a copy of the environment fixes this because the LD_PRELOAD is
now only passed to qemu itself.
(From OE-Core rev: 91c2449d4e873b2cec8777d71e218a12f899669d)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2232599d330bd5f2a9e206b490196569ad855de8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With libjack-devel or jack-audio-connection-kit-devel, qemu-native
detects the library/header and tries to build with it. Since its
missing from the sysroot, it fails to build.
-O2 -fPIE -D_REENTRANT -Wno-undef -MD -MQ libcommon.fa.p/audio_jackaudio.c.o
-MF libcommon.fa.p/audio_jackaudio.c.o.d -o libcommon.fa.p/audio_jackaudio.c.o
-c ../qemu-6.2.0/audio/jackaudio.c
| ../qemu-6.2.0/audio/jackaudio.c:34:10: fatal error: jack/jack.h: No such file
or directory
| 34 | #include <jack/jack.h>
| | ^~~~~~~~~~~~~
| compilation terminated.
(From OE-Core rev: 7c8f23aa594175f2169df0d62051bf42d491a1bb)
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 27260be388f7f9f324ff405e7d8e254925b4ae90)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The custom path of the ca-certificates.crt within the buildtools-tarball requires more
environment variables to be exported. Namely REQUESTS_CA_BUNDLE for the python requests library
and CURL_CA_BUNDLE for curl.
(From OE-Core rev: facafa0f76af9cbf80f862497b66c18b3fbfa60b)
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 5c249db9de8ad8cfe0996ff4fee4c575a5ff1e34)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-nir-nir_opt_move-fix-ALWAYS_INLINE-compiler-error.patch is not
needed by target mesa any more. But it still fails to compile
mesa-native without this patch when DEBUG_BUILD is enabled on Ubuntu
18.04 with gcc 7.5.0:
| ../mesa-22.1.6/src/compiler/nir/nir_inline_helpers.h: In function ‘nir_opt_move_block’:
| ../mesa-22.1.6/src/compiler/nir/nir_opt_move.c:55:1: error: inlining failed in call to
always_inline ‘src_is_ssa’: indirect function call with a yet undetermined callee
| src_is_ssa(nir_src *src, void *state)
| ^~~~~~~~~~
So only apply it for mesa-native.
(From OE-Core rev: f6fb2da56ef1f35b536ebf62a03e10bba59d8276)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit c6a6d0c2680799683d58968c2558a224f27caaa2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
disable-hardcoded-configs.patch
refreshed for new version
Changelo:
=========
- Made it possible again to have FAT32 filesystems with less
than 0xfff5 clusters
- Make FAT32 entries 0 and 1 match what windows 10 does
- Misc source code and configure script cleanup
(From OE-Core rev: 9ac0de44f11123876a92f7d7819d5ff2c20475b7)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit b19127f0cd0e10c7180c138284b38c97fa9db7af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Overview of changes in 1.50.10, 16-09-2022
=========================================
- Avoid some unnecessary strdups
- Fix line height computations with a non-trivial CTM
(From OE-Core rev: 78dc0bf6384349c23a54f59d89988ad242125581)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 884ce27b9cee231e093fe53192d04133c437404e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The meson-wrapper adds setup options to facilitate cross-compilation.
The current options are exclusive to the setup sub-command and might
cause issues with other sub-commands.
Update the wrapper to make options sub-command specific.
(From OE-Core rev: 4475250ee0d83cc90322f2fcd9ec8df7c05b6903)
Signed-off-by: Liam Beguin <liambeguin@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7bcda141f2019862b4fb5d8dec7956cd8344b420)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE number in the patch is a typo. CVE-2022-2053 is not related to
libtiff. So fix it.
(From OE-Core rev: 3ef84008bf729f74f1244e8b57451cdeb3a9e262)
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c9f76ef859b0b4edb83ac098816b625f52c78173)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2022-39253 in git meant file:// urls within submodules were disabled. Add
a parameter to the commands in the tests to allow this to continue to work.
(Bitbake rev: 209f7ba352b60722830157054e3fc56cb9c693eb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a test for special characters in user and password to qualify
decodeurl() inspired by a bug report describing that '=' signs in a
password was problematic.
Add a second test to qualify decodeurl() as related to the change in
commit 628c4bf6c89b [fetch2/__init__: handle @ in package names].
Relates to [YOCTO #14476]
(Bitbake rev: ee04cf09c7022168c035affa654773652a49793e)
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In the case where hashlib is not available, the try would fail and fall
through resulting in a backtrace on the usage of the 'sig'. The backtrace
itself was confusing and made it difficult to determine what went wrong.
Update the import to be in it's own try block with an appropriate
message to indicate what went wrong.
Note, the current version of ply all of this code has been restructured
so this is not applicable upstream.
Additionally, some versions of hashlib don't appear to implement the
second FIPS related argument. Detect this and support both versions.
(Bitbake rev: 484ab42f440070c0369b81f5c69da860fa47a798)
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In OE-Core d6b15d1e70b99185cf245d829ada5b6fb99ec1af,
"openssl: export necessary env vars in SDK", the value added for
SSL_CERT_FILE was in conflict with the value used elsewhere, such as
in buildtools. This makes them match and fixes buildtools testsdk
failures.
(From OE-Core rev: d40f7ddcfbdd5cb1d9f96271fefddf67e9044bb9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the fix from upstream to fix this CVE.
(From OE-Core rev: 59f69125fb00dc8fd335f32fe6898e7a480141e4)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
create-spdx can't detect the license properly if the case doesn't
match, so fix it.
(From OE-Core rev: 9c87828493784d996910d742006268a626ef0130)
Signed-off-by: Keiya Nobuta <nobuta.keiya@fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The urlopen() call can block indefinitely under some circumstances.
This can result in the bitbake process to run endlessly because of
the 'do_fetch' task of cve-update-bb-native to remain active.
This adds a default timeout of 60 seconds to avoid this hang, while
being large enough to minimize the risk of unwanted timeouts.
(From OE-Core rev: e5f6652854f544106b40d860de2946954de642f3)
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If a access or creation timestamp has 0 microseconds, then the test
fails as it doesn't expect this to be a valid value. Expand a previous
fix for modification times to cover these timestamps too.
[ YOCTO #14373 ]
(From OE-Core rev: 15715e6ad81c97cd50e288f3745615eb19be90d1)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In current SDK, when running the following command in python
shell, we get an error.
$ python3
>>> from cryptography.hazmat.backends import openssl
The error message is as below:
cryptography.exceptions.InternalError: Unknown OpenSSL error.
We could set OPENSSL_MODULES explicitly in nativesdk-openssl package
so that when SDK is set up, it's in environment and we can
get rid of the above error.
Also, there are other env vars that need to be exported. And we export
all of them to keep sync with openssl-native.bbclass.
(From OE-Core rev: d6b15d1e70b99185cf245d829ada5b6fb99ec1af)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Unless we're using systemd, dbus is not pulled into the system
automatically. Bluez5 will not work without dbus so add it to RDEPENDS
explicitly.
(From OE-Core rev: 377ef7009a8638efe688b6b61f67ae399eb1f23d)
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When a new zlib release is made, the top-level URL is no longer available
and it is only available as a .gz under the /fossils/ directory.
When this happens the source fetch fails and bitbake noisily warns that
it is using the mirrors. Avoid this by using the .gz tarball and add
the /fossils/ directory to PREMIRRORS so fetches will check there too.
(From OE-Core rev: c67f71abc61afec701c50e4e7941128eb701fb0a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The change in commit e903b29f (gcc-cross: pass
-Werror=poison-system-directories to compiler stages) made it impossible
to disable the error using -Wno-error=poison-system-directories.
(From OE-Core rev: 1cb0245539f7d5277fae4e9abc7f2a0130d0caa8)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
perf has need for python setuptools when scripting is enabled
from 6.0.0 onwards it seems to throw an explicit error
(From OE-Core rev: da3d00178809bbf7cc453401e0c5937796ebc2c1)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add savedefconfig task which U-Boot supports (unfortunately not all
consumers of cml1 support this).
(From OE-Core rev: efc54f1f836651c8ef27a683a9e5d583c8ce87a6)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Splitting u-boot-configure.inc out of the base left duplicate
cml1.bbclass in the base include.
Fixes: fc9a17ad38 ("u-boot: Split do_configure logic into separate file")
(From OE-Core rev: 286f91f7659307bcdf0ba541b8d6b56db5604ceb)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some versions of hashlib don't appear to implement the second FIPS
related argument. Detect this and support both versions.
(From OE-Core rev: 2bbabed51e3aca138486d3feef640f5d3249be40)
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
opkg-utils fetches using a cgit snapshot of a tag, which is not
reproducible as the tag could move, not reliable as a future dynamic
snapshot could have a different checksum, and a waste of CPU load as
these tarballs are built on demand.
Switch opkg-utils to use a proper git clone of the relevant SHA.
(From OE-Core rev: dafd2631a20ffd94e6f21c46938a010e92b57da4)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Otherwise when the installation of recommended packages is prevented
(NO_RECOMMENDATIONS = "1"), then splash screen will not be cast.
(From OE-Core rev: 2a0928532b8303858980d6df6271669dbb69e224)
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
EFI has kernel features when need to be enabled for it to boot. Add the
existing kernel config fragment to the kernel config if this machine
feature is enabled.
(From OE-Core rev: 439f23eed94438494569f286b52e4f6c70ebac2f)
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The externalsrc class was moved to classes-recipe as part of oe-core
f5c1280, but it can be used in both recipe and global contexts so move
it back to classes/.
(From OE-Core rev: 7a2edcd4b7cb5a2d829289a11eff62663268fbf3)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since the commit "populate_sdk_base/images: Drop use of 'meta' class and
hence do_build dependencies"[1], builds of images or SDKs don't
recursively depend on the top-level do_build target. This is typically
a good thing: images just depend on the packages themselves and those
dependencies already exist, but they don't need each recipes sysroot to
be populated.
However, eSDK generation is partly done via the script oe-check-sstate,
which does a 'dry-run' build of the target and collates all of the
sstate that is used. With this commit the sstate that is used is a
fraction of what would be needed in the SDK, specifically there are no
sysroots populated during the build, so there are no sysroots in the
SDK.
This is obviously a problem, as the entire point of an eSDK is to
contain a sysroot. Resolve this problem by forcing bitbake to run the
build task for all targets, so that all potentially needed sstate is
collated.
[YOCTO #14626]
[1] 41d7f1aa2c
Tested-by: Andrej Valek <andrej.valek@siemens.com>
(From OE-Core rev: 1b62344f919b5122f048b6409d09386d7d6dd3cd)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The scriptutils import isn't used, there's no need to run bitbake
in a shell environment, and invoke bitbake as a list instead of a
string.
(From OE-Core rev: 663aa284adf312eb5c8a471e5dbff2634e87897d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
