build-appliance-image: Update to dunfell head revision

(From OE-Core rev: b885888df67eb5cdb3b82f4f0a07369a449e223b)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml

@@ -1124,6 +1124,67 @@
             </glossdef>
         </glossentry>
 
+        <glossentry id='var-BBFILES_DYNAMIC'><glossterm>BBFILES_DYNAMIC</glossterm>
+            <info>
+                BBFILES_DYNAMIC[doc] = "Activates content depending on presence of identified layers."
+            </info>
+            <glossdef>
+                <para role="glossdeffirst">
+                    Activates content depending on presence of identified layers.
+                    You identify the layers by the collections that the layers
+                    define.
+                </para>
+
+                <para>
+                    Use the <filename>BBFILES_DYNAMIC</filename> variable to
+                    avoid <filename>.bbappend</filename> files whose
+                    corresponding <filename>.bb</filename> file is in a layer
+                    that attempts to modify other layers through
+                    <filename>.bbappend</filename> but does not want to
+                    introduce a hard dependency on those other layers.
+                </para>
+
+                <para>
+                    Additionally you can prefix the rule with "!" to add 
+                    <filename>.bbappend</filename> and <filename>.bb</filename> files
+                    in case a layer is not present.
+                    Use this avoid hard dependency on those other layers.
+                </para>
+
+                <para>
+                    Use the following form for
+                    <filename>BBFILES_DYNAMIC</filename>:
+                    <literallayout class='monospaced'>
+                        <replaceable>collection_name</replaceable>:<replaceable>filename_pattern</replaceable>
+                    </literallayout>
+                    The following example identifies two collection names and
+                    two filename patterns:
+                    <literallayout class='monospaced'>
+                        BBFILES_DYNAMIC += "\
+                            clang-layer:${LAYERDIR}/bbappends/meta-clang/*/*/*.bbappend \
+                            core:${LAYERDIR}/bbappends/openembedded-core/meta/*/*/*.bbappend \
+                        "
+                    </literallayout>
+                    When the collection name is prefixed with "!" it will add the file pattern in case
+                    the layer is absent:
+                    <literallayout class='monospaced'>
+                        BBFILES_DYNAMIC += "\
+                            !clang-layer:${LAYERDIR}/backfill/meta-clang/*/*/*.bb \
+                        "
+                    </literallayout>
+                    
+                    This next example shows an error message that occurs
+                    because invalid entries are found, which cause parsing to
+                    abort:
+                    <literallayout class='monospaced'>
+                    ERROR: BBFILES_DYNAMIC entries must be of the form {!}&lt;collection name&gt;:&lt;filename pattern&gt;, not:
+                        /work/my-layer/bbappends/meta-security-isafw/*/*/*.bbappend
+                        /work/my-layer/bbappends/openembedded-core/meta/*/*/*.bbappend
+                    </literallayout>
+                </para>
+            </glossdef>
+        </glossentry>
+
         <glossentry id='var-bb-BBINCLUDED'><glossterm>BBINCLUDED</glossterm>
             <glossdef>
                 <para>

bitbake/lib/bb/fetch2/git.py

@@ -236,7 +236,7 @@ class Git(FetchMethod):
                     ud.unresolvedrev[name] = ud.revisions[name]
                 ud.revisions[name] = self.latest_revision(ud, d, name)
 
-        gitsrcname = '%s%s' % (ud.host.replace(':', '.'), ud.path.replace('/', '.').replace('*', '.'))
+        gitsrcname = '%s%s' % (ud.host.replace(':', '.'), ud.path.replace('/', '.').replace('*', '.').replace(' ','_'))
         if gitsrcname.startswith('.'):
             gitsrcname = gitsrcname[1:]
 
@@ -342,7 +342,7 @@ class Git(FetchMethod):
             # We do this since git will use a "-l" option automatically for local urls where possible
             if repourl.startswith("file://"):
                 repourl = repourl[7:]
-            clone_cmd = "LANG=C %s clone --bare --mirror %s %s --progress" % (ud.basecmd, repourl, ud.clonedir)
+            clone_cmd = "LANG=C %s clone --bare --mirror \"%s\" %s --progress" % (ud.basecmd, repourl, ud.clonedir)
             if ud.proto.lower() != 'file':
                 bb.fetch2.check_network_access(d, clone_cmd, ud.url)
             progresshandler = GitProgressHandler(d)
@@ -354,8 +354,8 @@ class Git(FetchMethod):
             if "origin" in output:
               runfetchcmd("%s remote rm origin" % ud.basecmd, d, workdir=ud.clonedir)
 
-            runfetchcmd("%s remote add --mirror=fetch origin %s" % (ud.basecmd, repourl), d, workdir=ud.clonedir)
-            fetch_cmd = "LANG=C %s fetch -f --progress %s refs/*:refs/*" % (ud.basecmd, repourl)
+            runfetchcmd("%s remote add --mirror=fetch origin \"%s\"" % (ud.basecmd, repourl), d, workdir=ud.clonedir)
+            fetch_cmd = "LANG=C %s fetch -f --progress \"%s\" refs/*:refs/*" % (ud.basecmd, repourl)
             if ud.proto.lower() != 'file':
                 bb.fetch2.check_network_access(d, fetch_cmd, ud.url)
             progresshandler = GitProgressHandler(d)
@@ -501,7 +501,7 @@ class Git(FetchMethod):
             raise bb.fetch2.UnpackError("No up to date source found: " + "; ".join(source_error), ud.url)
 
         repourl = self._get_repo_url(ud)
-        runfetchcmd("%s remote set-url origin %s" % (ud.basecmd, repourl), d, workdir=destdir)
+        runfetchcmd("%s remote set-url origin \"%s\"" % (ud.basecmd, repourl), d, workdir=destdir)
 
         if self._contains_lfs(ud, d, destdir):
             if need_lfs and not self._find_git_lfs(d):
@@ -613,7 +613,7 @@ class Git(FetchMethod):
         d.setVar('_BB_GIT_IN_LSREMOTE', '1')
         try:
             repourl = self._get_repo_url(ud)
-            cmd = "%s ls-remote %s %s" % \
+            cmd = "%s ls-remote \"%s\" %s" % \
                 (ud.basecmd, repourl, search)
             if ud.proto.lower() != 'file':
                 bb.fetch2.check_network_access(d, cmd, repourl)

bitbake/lib/bb/tests/fetch.py

@@ -223,6 +223,21 @@ class URITest(unittest.TestCase):
             'query': {},
             'relative': False
         },
+        "git://tfs-example.org:22/tfs/example%20path/example.git": {
+            'uri': 'git://tfs-example.org:22/tfs/example%20path/example.git',
+            'scheme': 'git',
+            'hostname': 'tfs-example.org',
+            'port': 22,
+            'hostport': 'tfs-example.org:22',
+            'path': '/tfs/example path/example.git',
+            'userinfo': '',
+            'userinfo': '',
+            'username': '',
+            'password': '',
+            'params': {},
+            'query': {},
+            'relative': False
+        },
         "http://somesite.net;someparam=1": {
             'uri': 'http://somesite.net;someparam=1',
             'scheme': 'http',
@@ -903,7 +918,7 @@ class FetcherNetworkTest(FetcherTest):
     def test_git_submodule_dbus_broker(self):
         # The following external repositories have show failures in fetch and unpack operations
         # We want to avoid regressions!
-        url = "gitsm://github.com/bus1/dbus-broker;protocol=git;rev=fc874afa0992d0c75ec25acb43d344679f0ee7d2"
+        url = "gitsm://github.com/bus1/dbus-broker;protocol=git;rev=fc874afa0992d0c75ec25acb43d344679f0ee7d2;branch=main"
         fetcher = bb.fetch.Fetch([url], self.d)
         fetcher.download()
         # Previous cwd has been deleted
@@ -2080,6 +2095,38 @@ class GitLfsTest(FetcherTest):
         shutil.rmtree(self.gitdir, ignore_errors=True)
         fetcher.unpack(self.d.getVar('WORKDIR'))
 
+class GitURLWithSpacesTest(FetcherTest):
+    test_git_urls = {
+        "git://tfs-example.org:22/tfs/example%20path/example.git" : {
+            'url': 'git://tfs-example.org:22/tfs/example%20path/example.git',
+            'gitsrcname': 'tfs-example.org.22.tfs.example_path.example.git',
+            'path': '/tfs/example path/example.git'
+        },
+        "git://tfs-example.org:22/tfs/example%20path/example%20repo.git" : {
+            'url': 'git://tfs-example.org:22/tfs/example%20path/example%20repo.git',
+            'gitsrcname': 'tfs-example.org.22.tfs.example_path.example_repo.git',
+            'path': '/tfs/example path/example repo.git'
+        }
+    }
+
+    def test_urls(self):
+
+        # Set fake SRCREV to stop git fetcher from trying to contact non-existent git repo
+        self.d.setVar('SRCREV', '82ea737a0b42a8b53e11c9cde141e9e9c0bd8c40')
+
+        for test_git_url, ref in self.test_git_urls.items():
+
+            fetcher = bb.fetch.Fetch([test_git_url], self.d)
+            ud = fetcher.ud[fetcher.urls[0]]
+
+            self.assertEqual(ud.url, ref['url'])
+            self.assertEqual(ud.path, ref['path'])
+            self.assertEqual(ud.localfile, os.path.join(self.dldir, "git2", ref['gitsrcname']))
+            self.assertEqual(ud.localpath, os.path.join(self.dldir, "git2", ref['gitsrcname']))
+            self.assertEqual(ud.lockfile, os.path.join(self.dldir, "git2", ref['gitsrcname'] + '.lock'))
+            self.assertEqual(ud.clonedir, os.path.join(self.dldir, "git2", ref['gitsrcname']))
+            self.assertEqual(ud.fullmirror, os.path.join(self.dldir, "git2_" + ref['gitsrcname'] + '.tar.gz'))
+
 class NPMTest(FetcherTest):
     def skipIfNoNpm():
         import shutil

documentation/bsp-guide/bsp-guide.xml

@@ -142,9 +142,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/dev-manual/dev-manual.xml

@@ -132,9 +132,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/kernel-dev/kernel-dev.xml

@@ -117,9 +117,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/mega-manual/mega-manual.xml

@@ -108,9 +108,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>

documentation/overview-manual/overview-manual.xml

@@ -67,9 +67,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/poky.ent

@@ -1,17 +1,17 @@
-<!ENTITY DISTRO "3.1.3">
-<!ENTITY DISTRO_COMPRESSED "313">
+<!ENTITY DISTRO "3.1.4">
+<!ENTITY DISTRO_COMPRESSED "314">
 <!ENTITY DISTRO_NAME_NO_CAP "dunfell">
 <!ENTITY DISTRO_NAME "Dunfell">
 <!ENTITY DISTRO_NAME_NO_CAP_MINUS_ONE "zeus">
 <!ENTITY DISTRO_NAME_MINUS_ONE "Zeus">
-<!ENTITY YOCTO_DOC_VERSION "3.1.3">
+<!ENTITY YOCTO_DOC_VERSION "3.1.4">
 <!ENTITY YOCTO_DOC_VERSION_MINUS_ONE "3.0.2">
-<!ENTITY DISTRO_REL_TAG "yocto-3.1.3">
+<!ENTITY DISTRO_REL_TAG "yocto-3.1.4">
 <!ENTITY METAINTELVERSION "12.0">
-<!ENTITY REL_MONTH_YEAR "September 2020">
+<!ENTITY REL_MONTH_YEAR "November 2020">
 <!ENTITY META_INTEL_REL_TAG "&METAINTELVERSION;-&DISTRO_NAME_NO_CAP;-&YOCTO_DOC_VERSION;">
-<!ENTITY POKYVERSION "23.0.3">
-<!ENTITY POKYVERSION_COMPRESSED "2303">
+<!ENTITY POKYVERSION "23.0.4">
+<!ENTITY POKYVERSION_COMPRESSED "2304">
 <!ENTITY YOCTO_POKY "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;">
 <!ENTITY COPYRIGHT_YEAR "2010-2020">
 <!ENTITY ORGNAME "The Yocto Project">

documentation/profile-manual/profile-manual.xml

@@ -117,9 +117,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/ref-manual/ref-manual.xml

@@ -143,9 +143,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>

documentation/sdk-manual/sdk-manual.xml

@@ -87,9 +87,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>

documentation/toaster-manual/toaster-manual.xml

@@ -97,9 +97,14 @@
             </revision>
             <revision>
                 <revnumber>3.1.3</revnumber>
-                <date>&REL_MONTH_YEAR;</date>
+                <date>October 2020</date>
                 <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>3.1.4</revnumber>
+                <date>&REL_MONTH_YEAR;</date>
+                <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>

documentation/tools/mega-manual.sed

@@ -1,36 +1,36 @@
 # Processes bitbake-user-manual (<word>-<word>-<word> style).
 # This style is for manual three-word folders, which currently is only the BitBake User Manual.
 # We used to have the "yocto-project-qs" and "poky-ref-manual" folders but no longer do.
-# s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/[a-z]*-[a-z]*-[a-z]*/[a-z]*-[a-z]*-[a-z]*.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/bitbake-user-manual/bitbake-user-manual.html#@"link" href="#@g
+# s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/[a-z]*-[a-z]*-[a-z]*/[a-z]*-[a-z]*-[a-z]*.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/bitbake-user-manual/bitbake-user-manual.html#@"link" href="#@g
 
 # Processes all other manuals (<word>-<word> style).
 # This style is for manual folders that use two word, which is the standard now (e.g. "ref-manual").
 # Here is the one-liner:
-# s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/[a-z]*-[a-z]*/[a-z]*-[a-z]*.html#@"link" href="#@g
+# s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/[a-z]*-[a-z]*/[a-z]*-[a-z]*.html#@"link" href="#@g
 
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/sdk-manual/sdk-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/bsp-guide/bsp-guide.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/dev-manual/dev-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/overview-manual/overview-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/brief-yoctoprojectqs/brief-yoctoprojectqs.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/kernel-dev/kernel-dev.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/profile-manual/profile-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/ref-manual/ref-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.3/toaster-manual/toaster-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/sdk-manual/sdk-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/bsp-guide/bsp-guide.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/dev-manual/dev-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/overview-manual/overview-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/brief-yoctoprojectqs/brief-yoctoprojectqs.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/kernel-dev/kernel-dev.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/profile-manual/profile-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/ref-manual/ref-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/toaster-manual/toaster-manual.html#@"link" href="#@g
 
 # Process cases where just an external manual is referenced without an id anchor
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/brief-yoctoprojectqs/brief-yoctoprojectqs.html" target="_top">Yocto Project Quick Build</a>@Yocto Project Quick Build@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/bitbake-user-manual/bitbake-user-manual.html" target="_top">BitBake User Manual</a>@BitBake User Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/dev-manual/dev-manual.html" target="_top">Yocto Project Development Tasks Manual</a>@Yocto Project Development Tasks Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/overview-manual/overview-manual.html" target="_top">Yocto Project Overview and Concepts Manual</a>@Yocto project Overview and Concepts Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/sdk-manual/sdk-manual.html" target="_top">Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</a>@Yocto Project Application Development and the Extensible Software Development Kit (eSDK)@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/bsp-guide/bsp-guide.html" target="_top">Yocto Project Board Support Package (BSP) Developer's Guide</a>@Yocto Project Board Support Package (BSP) Developer's Guide@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/profile-manual/profile-manual.html" target="_top">Yocto Project Profiling and Tracing Manual</a>@Yocto Project Profiling and Tracing Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/kernel-dev/kernel-dev.html" target="_top">Yocto Project Linux Kernel Development Manual</a>@Yocto Project Linux Kernel Development Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/ref-manual/ref-manual.html" target="_top">Yocto Project Reference Manual</a>@Yocto Project Reference Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/toaster-manual/toaster-manual.html" target="_top">Toaster User Manual</a>@Toaster User Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/brief-yoctoprojectqs/brief-yoctoprojectqs.html" target="_top">Yocto Project Quick Build</a>@Yocto Project Quick Build@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/bitbake-user-manual/bitbake-user-manual.html" target="_top">BitBake User Manual</a>@BitBake User Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/dev-manual/dev-manual.html" target="_top">Yocto Project Development Tasks Manual</a>@Yocto Project Development Tasks Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/overview-manual/overview-manual.html" target="_top">Yocto Project Overview and Concepts Manual</a>@Yocto project Overview and Concepts Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/sdk-manual/sdk-manual.html" target="_top">Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</a>@Yocto Project Application Development and the Extensible Software Development Kit (eSDK)@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/bsp-guide/bsp-guide.html" target="_top">Yocto Project Board Support Package (BSP) Developer's Guide</a>@Yocto Project Board Support Package (BSP) Developer's Guide@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/profile-manual/profile-manual.html" target="_top">Yocto Project Profiling and Tracing Manual</a>@Yocto Project Profiling and Tracing Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/kernel-dev/kernel-dev.html" target="_top">Yocto Project Linux Kernel Development Manual</a>@Yocto Project Linux Kernel Development Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/ref-manual/ref-manual.html" target="_top">Yocto Project Reference Manual</a>@Yocto Project Reference Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/toaster-manual/toaster-manual.html" target="_top">Toaster User Manual</a>@Toaster User Manual@g
 
 # Process a single, rouge occurrence of a linked reference to the Mega-Manual.
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.3/mega-manual/mega-manual.html" target="_top">Yocto Project Mega-Manual</a>@Yocto Project Mega-Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/mega-manual/mega-manual.html" target="_top">Yocto Project Mega-Manual</a>@Yocto Project Mega-Manual@g
 

meta-poky/conf/distro/poky.conf

@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "3.1.3"
+DISTRO_VERSION = "3.1.4"
 DISTRO_CODENAME = "dunfell"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}"

meta-selftest/lib/oeqa/runtime/cases/virgl.py

@@ -13,6 +13,6 @@ class VirglTest(OERuntimeTestCase):
 
     @OETestDepends(['virgl.VirglTest.test_kernel_driver'])
     def test_kmscube(self):
-        status, output = self.target.run('kmscube', timeout=30)
+        status, output = self.target.run('kmscube')
         self.assertEqual(status, 0, "kmscube exited with non-zero status %d and output:\n%s" %(status, output))
         self.assertIn('renderer: "virgl"', output, "kmscube does not seem to use virgl:\n%s" %(output))

meta/classes/insane.bbclass

@@ -28,7 +28,8 @@ WARN_QA ?= "ldflags useless-rpaths rpaths staticdev libdir xorg-driver-abi \
             pn-overrides infodir build-deps src-uri-bad \
             unknown-configure-option symlink-to-sysroot multilib \
             invalid-packageconfig host-user-contaminated uppercase-pn patch-fuzz \
-            mime mime-xdg unlisted-pkg-lics \
+            mime mime-xdg unlisted-pkg-lics unhandled-features-check \
+            missing-update-alternatives \
             "
 ERROR_QA ?= "dev-so debug-deps dev-deps debug-files arch pkgconfig la \
             perms dep-cmp pkgvarcheck perm-config perm-line perm-link \
@@ -974,9 +975,27 @@ def package_qa_check_src_uri(pn, d, messages):
         package_qa_handle_error("src-uri-bad", "%s: SRC_URI uses PN not BPN" % pn, d)
 
     for url in d.getVar("SRC_URI").split():
-        if re.search(r"github\.com/.+/.+/archive/.+", url):
-            package_qa_handle_error("src-uri-bad", "%s: SRC_URI uses unstable GitHub archives" % pn, d)
+        if re.search(r"git(hu|la)b\.com/.+/.+/archive/.+", url):
+            package_qa_handle_error("src-uri-bad", "%s: SRC_URI uses unstable GitHub/GitLab archives, convert recipe to use git protocol" % pn, d)
 
+QARECIPETEST[unhandled-features-check] = "package_qa_check_unhandled_features_check"
+def package_qa_check_unhandled_features_check(pn, d, messages):
+    if not bb.data.inherits_class('features_check', d):
+        var_set = False
+        for kind in ['DISTRO', 'MACHINE', 'COMBINED']:
+            for var in ['ANY_OF_' + kind + '_FEATURES', 'REQUIRED_' + kind + '_FEATURES', 'CONFLICT_' + kind + '_FEATURES']:
+                if d.getVar(var) is not None or d.overridedata.get(var) is not None:
+                    var_set = True
+        if var_set:
+            package_qa_handle_error("unhandled-features-check", "%s: recipe doesn't inherit features_check" % pn, d)
+
+QARECIPETEST[missing-update-alternatives] = "package_qa_check_missing_update_alternatives"
+def package_qa_check_missing_update_alternatives(pn, d, messages):
+    # Look at all packages and find out if any of those sets ALTERNATIVE variable
+    # without inheriting update-alternatives class
+    for pkg in (d.getVar('PACKAGES') or '').split():
+        if d.getVar('ALTERNATIVE_%s' % pkg) and not bb.data.inherits_class('update-alternatives', d):
+            package_qa_handle_error("missing-update-alternatives", "%s: recipe defines ALTERNATIVE_%s but doesn't inherit update-alternatives. This might fail during do_rootfs later!" % (pn, pkg), d)
 
 # The PACKAGE FUNC to scan each package
 python do_package_qa () {

meta/classes/kernel-module-split.bbclass

@@ -120,6 +120,7 @@ python split_kernel_module_packages () {
         files = d.getVar('FILES_%s' % pkg)
         files = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (files, basename, basename)
         d.setVar('FILES_%s' % pkg, files)
+        d.setVar('CONFFILES_%s' % pkg, files)
 
         if "description" in vals:
             old_desc = d.getVar('DESCRIPTION_' + pkg) or ""

meta/classes/kernel-yocto.bbclass

@@ -148,7 +148,7 @@ do_kernel_metadata() {
 			fi
 			in_tree_defconfig="${WORKDIR}/defconfig"
 		else
-			bbfatal "A KBUILD_DEFCONFIG '${KBUILD_DEFCONFIG}' was specified, but not present in the source tree"
+			bbfatal "A KBUILD_DEFCONFIG '${KBUILD_DEFCONFIG}' was specified, but not present in the source tree (${S}/arch/${ARCH}/configs/)"
 		fi
 	fi
 

meta/classes/qemuboot.bbclass

@@ -40,7 +40,7 @@
 #                          QB_NETWORK_DEVICE_prepend might be used, since Qemu enumerates the eth*
 #                          devices in reverse order to -device arguments.
 #
-# QB_TAP_OPT: netowrk option for 'tap' mode, e.g.,
+# QB_TAP_OPT: network option for 'tap' mode, e.g.,
 #             "-netdev tap,id=net0,ifname=@TAP@,script=no,downscript=no"
 #              Note, runqemu will replace "@TAP@" with the one which is used, such as tap0, tap1 ...
 #

meta/classes/reproducible_build.bbclass

@@ -70,100 +70,16 @@ do_deploy_source_date_epoch[sstate-plaindirs] = "${SDE_DEPLOYDIR}"
 addtask do_deploy_source_date_epoch_setscene
 addtask do_deploy_source_date_epoch before do_configure after do_patch
 
-def get_source_date_epoch_from_known_files(d, sourcedir):
-    source_date_epoch = None
-    newest_file = None
-    known_files = set(["NEWS", "ChangeLog", "Changelog", "CHANGES"])
-    for file in known_files:
-        filepath = os.path.join(sourcedir, file)
-        if os.path.isfile(filepath):
-            mtime = int(os.lstat(filepath).st_mtime)
-            # There may be more than one "known_file" present, if so, use the youngest one
-            if not source_date_epoch or mtime > source_date_epoch:
-                source_date_epoch = mtime
-                newest_file = filepath
-    if newest_file:
-        bb.debug(1, "SOURCE_DATE_EPOCH taken from: %s" % newest_file)
-    return source_date_epoch
-
-def find_git_folder(d, sourcedir):
-    # First guess: WORKDIR/git
-    # This is the default git fetcher unpack path
-    workdir = d.getVar('WORKDIR')
-    gitpath = os.path.join(workdir, "git/.git")
-    if os.path.isdir(gitpath):
-        return gitpath
-
-    # Second guess: ${S}
-    gitpath = os.path.join(sourcedir, ".git")
-    if os.path.isdir(gitpath):
-        return gitpath
-
-    # Perhaps there was a subpath or destsuffix specified.
-    # Go looking in the WORKDIR
-    exclude = set(["build", "image", "license-destdir", "patches", "pseudo",
-                   "recipe-sysroot", "recipe-sysroot-native", "sysroot-destdir", "temp"])
-    for root, dirs, files in os.walk(workdir, topdown=True):
-        dirs[:] = [d for d in dirs if d not in exclude]
-        if '.git' in dirs:
-            return root
-
-    bb.warn("Failed to find a git repository in WORKDIR: %s" % workdir)
-    return None
-
-def get_source_date_epoch_from_git(d, sourcedir):
-    source_date_epoch = None
-    if "git://" in d.getVar('SRC_URI'):
-        gitpath = find_git_folder(d, sourcedir)
-        if gitpath:
-            import subprocess
-            source_date_epoch = int(subprocess.check_output(['git','log','-1','--pretty=%ct'], cwd=gitpath))
-            bb.debug(1, "git repository: %s" % gitpath)
-    return source_date_epoch
-
-def get_source_date_epoch_from_youngest_file(d, sourcedir):
-    if sourcedir == d.getVar('WORKDIR'):
-       # These sources are almost certainly not from a tarball
-       return None
-
-    # Do it the hard way: check all files and find the youngest one...
-    source_date_epoch = None
-    newest_file = None
-    for root, dirs, files in os.walk(sourcedir, topdown=True):
-        files = [f for f in files if not f[0] == '.']
-
-        for fname in files:
-            filename = os.path.join(root, fname)
-            try:
-                mtime = int(os.lstat(filename).st_mtime)
-            except ValueError:
-                mtime = 0
-            if not source_date_epoch or mtime > source_date_epoch:
-                source_date_epoch = mtime
-                newest_file = filename
-
-    if newest_file:
-        bb.debug(1, "Newest file found: %s" % newest_file)
-    return source_date_epoch
-
-def fixed_source_date_epoch():
-    bb.debug(1, "No tarball or git repo found to determine SOURCE_DATE_EPOCH")
-    return 0
-
 python create_source_date_epoch_stamp() {
+    import oe.reproducible
+
     epochfile = d.getVar('SDE_FILE')
     # If it exists we need to regenerate as the sources may have changed
     if os.path.isfile(epochfile):
         bb.debug(1, "Deleting existing SOURCE_DATE_EPOCH from: %s" % epochfile)
         os.remove(epochfile)
 
-    sourcedir = d.getVar('S')
-    source_date_epoch = (
-        get_source_date_epoch_from_git(d, sourcedir) or
-        get_source_date_epoch_from_known_files(d, sourcedir) or
-        get_source_date_epoch_from_youngest_file(d, sourcedir) or
-        fixed_source_date_epoch()       # Last resort
-    )
+    source_date_epoch = oe.reproducible.get_source_date_epoch(d, d.getVar('S'))
 
     bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
     bb.utils.mkdirhier(d.getVar('SDE_DIR'))

meta/classes/sanity.bbclass

@@ -769,8 +769,8 @@ def check_sanity_everybuild(status, d):
 
     # Check the Python version, we now have a minimum of Python 3.4
     import sys
-    if sys.hexversion < 0x03040000:
-        status.addresult('The system requires at least Python 3.4 to run. Please update your Python interpreter.\n')
+    if sys.hexversion < 0x030500F0:
+        status.addresult('The system requires at least Python 3.5 to run. Please update your Python interpreter.\n')
 
     # Check the bitbake version meets minimum requirements
     from distutils.version import LooseVersion

meta/classes/siteinfo.bbclass

@@ -45,6 +45,7 @@ def siteinfo_data_for_machine(arch, os, d):
         "mipsisa32r6": "endian-big bit-32 mips-common",
         "mipsisa32r6el": "endian-little bit-32 mips-common",
         "powerpc": "endian-big bit-32 powerpc-common",
+        "powerpcle": "endian-little bit-32 powerpc-common",
         "nios2": "endian-little bit-32 nios2-common",
         "powerpc64": "endian-big bit-64 powerpc-common",
         "powerpc64le": "endian-little bit-64 powerpc-common",
@@ -54,7 +55,9 @@ def siteinfo_data_for_machine(arch, os, d):
         "riscv32": "endian-little bit-32 riscv-common",
         "riscv64": "endian-little bit-64 riscv-common",
         "sh3": "endian-little bit-32 sh-common",
+        "sh3eb": "endian-big bit-32 sh-common",
         "sh4": "endian-little bit-32 sh-common",
+        "sh4eb": "endian-big bit-32 sh-common",
         "sparc": "endian-big bit-32",
         "viac3": "endian-little bit-32 ix86-common",
         "x86_64": "endian-little", # bitinfo specified in targetinfo
@@ -100,6 +103,8 @@ def siteinfo_data_for_machine(arch, os, d):
         "mipsisa64r6el-linux-gnun32": "mipsisa32r6el-linux bit-32",
         "powerpc-linux": "powerpc32-linux",
         "powerpc-linux-musl": "powerpc-linux powerpc32-linux",
+        "powerpcle-linux": "powerpc32-linux",
+        "powerpcle-linux-musl": "powerpc-linux powerpc32-linux",
         "powerpc-linux-gnuspe": "powerpc-linux powerpc32-linux",
         "powerpc-linux-muslspe": "powerpc-linux powerpc32-linux",
         "powerpc64-linux-gnuspe": "powerpc-linux powerpc64-linux",

meta/classes/sstate.bbclass

@@ -847,7 +847,7 @@ python sstate_report_unihash() {
 sstate_unpack_package () {
 	tar -xvzf ${SSTATE_PKG}
 	# update .siginfo atime on local/NFS mirror
-	[ -w ${SSTATE_PKG}.siginfo ] && [ -h ${SSTATE_PKG}.siginfo ] && touch -a ${SSTATE_PKG}.siginfo
+	[ -O ${SSTATE_PKG}.siginfo ] && [ -w ${SSTATE_PKG}.siginfo ] && [ -h ${SSTATE_PKG}.siginfo ] && touch -a ${SSTATE_PKG}.siginfo
 	# Use "! -w ||" to return true for read only files
 	[ ! -w ${SSTATE_PKG} ] || touch --no-dereference ${SSTATE_PKG}
 	[ ! -w ${SSTATE_PKG}.sig ] || [ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig

meta/classes/testexport.bbclass

@@ -137,7 +137,7 @@ def copy_needed_files(d, tc):
                 shutil.rmtree(os.path.join(subdir, dir))
 
     # Create tar file for common parts of testexport
-    create_tarball(d, "testexport.tar.gz", d.getVar("TEST_EXPORT_DIR"))
+    testexport_create_tarball(d, "testexport.tar.gz", d.getVar("TEST_EXPORT_DIR"))
 
     # Copy packages needed for runtime testing
     package_extraction(d, tc.suites)
@@ -146,7 +146,7 @@ def copy_needed_files(d, tc):
         export_pkg_dir = os.path.join(d.getVar("TEST_EXPORT_DIR"), "packages")
         oe.path.copytree(test_pkg_dir, export_pkg_dir)
         # Create tar file for packages needed by the DUT
-        create_tarball(d, "testexport_packages_%s.tar.gz" % d.getVar("MACHINE"), export_pkg_dir)
+        testexport_create_tarball(d, "testexport_packages_%s.tar.gz" % d.getVar("MACHINE"), export_pkg_dir)
 
     # Copy SDK
     if d.getVar("TEST_EXPORT_SDK_ENABLED") == "1":
@@ -159,11 +159,11 @@ def copy_needed_files(d, tc):
         shutil.copy2(tarball_path, export_sdk_dir)
 
         # Create tar file for the sdk
-        create_tarball(d, "testexport_sdk_%s.tar.gz" % d.getVar("SDK_ARCH"), export_sdk_dir)
+        testexport_create_tarball(d, "testexport_sdk_%s.tar.gz" % d.getVar("SDK_ARCH"), export_sdk_dir)
 
     bb.plain("Exported tests to: %s" % export_path)
 
-def create_tarball(d, tar_name, src_dir):
+def testexport_create_tarball(d, tar_name, src_dir):
 
     import tarfile
 

meta/classes/testimage.bbclass

@@ -364,6 +364,7 @@ def testimage_main(d):
     package_extraction(d, tc.suites)
 
     results = None
+    complete = False
     orig_sigterm_handler = signal.signal(signal.SIGTERM, sigterm_exception)
     try:
         # We need to check if runqemu ends unexpectedly
@@ -375,6 +376,7 @@ def testimage_main(d):
         except ValueError:
             pass
         results = tc.runTests()
+        complete = True
     except (KeyboardInterrupt, BlockingIOError) as err:
         if isinstance(err, KeyboardInterrupt):
             bb.error('testimage interrupted, shutting down...')
@@ -382,20 +384,21 @@ def testimage_main(d):
             bb.error('runqemu failed, shutting down...')
         if results:
             results.stop()
-            results = None
+        results = tc.results
     finally:
         signal.signal(signal.SIGTERM, orig_sigterm_handler)
         tc.target.stop()
 
     # Show results (if we have them)
-    if not results:
+    if results:
+        configuration = get_testimage_configuration(d, 'runtime', machine)
+        results.logDetails(get_testimage_json_result_dir(d),
+                        configuration,
+                        get_testimage_result_id(configuration),
+                        dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
+        results.logSummary(pn)
+    if not results or not complete:
         bb.fatal('%s - FAILED - tests were interrupted during execution' % pn, forcelog=True)
-    configuration = get_testimage_configuration(d, 'runtime', machine)
-    results.logDetails(get_testimage_json_result_dir(d),
-                       configuration,
-                       get_testimage_result_id(configuration),
-                       dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
-    results.logSummary(pn)
     if not results.wasSuccessful():
         bb.fatal('%s - FAILED - check the task log and the ssh log' % pn, forcelog=True)
 

meta/classes/uninative.bbclass

@@ -89,7 +89,7 @@ python uninative_event_fetchloader() {
         # ldd output is "ldd (Ubuntu GLIBC 2.23-0ubuntu10) 2.23", extract last option from first line
         glibcver = subprocess.check_output(["ldd", "--version"]).decode('utf-8').split('\n')[0].split()[-1]
         if bb.utils.vercmp_string(d.getVar("UNINATIVE_MAXGLIBCVERSION"), glibcver) < 0:
-            raise RuntimeError("Your host glibc verson (%s) is newer than that in uninative (%s). Disabling uninative so that sstate is not corrupted." % (glibcver, d.getVar("UNINATIVE_MAXGLIBCVERSION")))
+            raise RuntimeError("Your host glibc version (%s) is newer than that in uninative (%s). Disabling uninative so that sstate is not corrupted." % (glibcver, d.getVar("UNINATIVE_MAXGLIBCVERSION")))
 
         cmd = d.expand("\
 mkdir -p ${UNINATIVE_STAGING_DIR}-uninative; \

meta/conf/distro/include/maintainers.inc

@@ -582,9 +582,11 @@ RECIPE_MAINTAINER_pn-python3-extras = "Oleksandr Kravchuk <open.source@oleksandr
 RECIPE_MAINTAINER_pn-python3-git = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
 RECIPE_MAINTAINER_pn-python3-gitdb = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
 RECIPE_MAINTAINER_pn-python3-iniparse = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
+RECIPE_MAINTAINER_pn-python3-jinja2 = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-python3-libarchive-c = "Joshua Watt <JPEWhacker@gmail.com>"
 RECIPE_MAINTAINER_pn-python3-magic = "Joshua Watt <JPEWhacker@gmail.com>"
 RECIPE_MAINTAINER_pn-python3-mako = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
+RECIPE_MAINTAINER_pn-python3-markupsafe = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-python3-nose = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
 RECIPE_MAINTAINER_pn-python3-numpy = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
 RECIPE_MAINTAINER_pn-python3-pbr = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
@@ -640,6 +642,7 @@ RECIPE_MAINTAINER_pn-speex = "Tanu Kaskinen <tanuk@iki.fi>"
 RECIPE_MAINTAINER_pn-speexdsp = "Tanu Kaskinen <tanuk@iki.fi>"
 RECIPE_MAINTAINER_pn-sqlite3 = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER_pn-squashfs-tools = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER_pn-ssh-pregen-hostkeys = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-startup-notification = "Alexander Kanavin <alex.kanavin@gmail.com>"
 RECIPE_MAINTAINER_pn-strace = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER_pn-stress-ng = "Anuj Mittal <anuj.mittal@intel.com>"

meta/conf/licenses.conf

@@ -45,9 +45,11 @@ SPDXLICENSEMAP[MIT-style] = "MIT"
 #Openssl variations
 SPDXLICENSEMAP[openssl] = "OpenSSL"
 
+#PSF variations
+SPDXLICENSEMAP[PSF] = "PSF-2.0"
+SPDXLICENSEMAP[PSFv2] = "PSF-2.0"
+
 #Python variations
-SPDXLICENSEMAP[PSF] = "Python-2.0"
-SPDXLICENSEMAP[PSFv2] = "Python-2.0"
 SPDXLICENSEMAP[Python-2] = "Python-2.0"
 
 #Apache variations

meta/conf/machine/include/arm/arch-armv7a.inc

@@ -120,7 +120,7 @@ PACKAGE_EXTRA_ARCHS_tune-armv7atb-vfpv3d16   = "${PACKAGE_EXTRA_ARCHS_tune-armv7
 PACKAGE_EXTRA_ARCHS_tune-armv7ab-vfpv3       = "${PACKAGE_EXTRA_ARCHS_tune-armv7ab-vfpv3d16} armv7ab-vfpv3"
 PACKAGE_EXTRA_ARCHS_tune-armv7atb-vfpv3      = "${PACKAGE_EXTRA_ARCHS_tune-armv7atb-vfpv3d16} armv7ab-vfpv3 armv7at2b-vfpv3"
 PACKAGE_EXTRA_ARCHS_tune-armv7ab-vfpv4d16    = "${PACKAGE_EXTRA_ARCHS_tune-armv7ab} armv7ab-vfpv4d16"
-PACKAGE_EXTRA_ARCHS_tune-armv7atb-vfp43d16   = "${PACKAGE_EXTRA_ARCHS_tune-armv7atb} armv7ab-vfpv4d16 armv7at2b-vfpv4d16"
+PACKAGE_EXTRA_ARCHS_tune-armv7atb-vfpv4d16   = "${PACKAGE_EXTRA_ARCHS_tune-armv7atb} armv7ab-vfpv4d16 armv7at2b-vfpv4d16"
 PACKAGE_EXTRA_ARCHS_tune-armv7ab-neon        = "${PACKAGE_EXTRA_ARCHS_tune-armv7ab} armv7ab-neon"
 PACKAGE_EXTRA_ARCHS_tune-armv7atb-neon       = "${PACKAGE_EXTRA_ARCHS_tune-armv7atb} armv7ab-neon armv7at2b-neon"
 PACKAGE_EXTRA_ARCHS_tune-armv7ab-neon-vfpv4  = "${PACKAGE_EXTRA_ARCHS_tune-armv7ab-neon} armv7ab-neon-vfpv4"

meta/conf/machine/include/mips/arch-mips.inc

@@ -135,7 +135,7 @@ PACKAGE_EXTRA_ARCHS_tune-mips64-o32 = "mips mips64-o32"
 TUNE_FEATURES_tune-mips64el-o32 = "o32 fpu-hard"
 BASE_LIB_tune-mips64el-o32 = "lib"
 MIPSPKGSFX_VARIANT_tune-mips64el-o32 = "${TUNE_ARCH}"
-PACKAGE_EXTRA_ARCHS_tune-mips64el-o32 = "mipsel mips64el-o32 mips64el-o32"
+PACKAGE_EXTRA_ARCHS_tune-mips64el-o32 = "mipsel mips64el-o32"
 
 # MIPS 64 o32 and Soft Float
 AVAILTUNES += "mips64-nf-o32 mips64el-nf-o32"

meta/conf/machine/include/riscv/tune-riscv.inc

@@ -24,10 +24,10 @@ PACKAGE_EXTRA_ARCHS_tune-riscv32 = "riscv32"
 # No float
 TUNE_FEATURES_tune-riscv64nf = "${TUNE_FEATURES_tune-riscv64} riscv64nf"
 TUNE_ARCH_tune-riscv64nf = "riscv64"
-TUNE_PKGARCH_tune-riscv64nf = "riscv64"
+TUNE_PKGARCH_tune-riscv64nf = "riscv64nf"
 PACKAGE_EXTRA_ARCHS_tune-riscv64nf = "riscv64nf"
 
 TUNE_FEATURES_tune-riscv32nf = "${TUNE_FEATURES_tune-riscv32} riscv32nf"
 TUNE_ARCH_tune-riscv32nf = "riscv32"
-TUNE_PKGARCH_tune-riscv32nf = "riscv32"
+TUNE_PKGARCH_tune-riscv32nf = "riscv32nf"
 PACKAGE_EXTRA_ARCHS_tune-riscv32nf = "riscv32nf"

meta/conf/machine/include/tune-ep9312.inc

@@ -8,6 +8,5 @@ MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'ep9312', 'armv4:', '
 
 AVAILTUNES += "ep9312"
 ARMPKGARCH_tune-ep9312 = "ep9312"
-# this tune does not include TUNE_FEATURES_tune-armv4t, so there is no armv4 TUNE_FEATURES => no 't' in ARMPKGSFX_THUMB
 TUNE_FEATURES_tune-ep9312 = "thumb ep9312"
-PACKAGE_EXTRA_ARCHS_tune-ep9312 = "${PACKAGE_EXTRA_ARCHS_tune-armv4t} ep9312"
+PACKAGE_EXTRA_ARCHS_tune-ep9312 = "${PACKAGE_EXTRA_ARCHS_tune-armv4t} ep9312t"

meta/conf/machine/include/tune-mips64r6.inc

@@ -24,7 +24,7 @@ AVAILTUNES += "mipsisa64r6-nf mipsisa64r6el-nf"
 TUNE_FEATURES_tune-mipsisa64r6-nf = "bigendian r6 n64 mipsisa64r6"
 MIPSPKGSFX_VARIANT_tune-mipsisa64r6-nf = "${TUNE_ARCH}"
 BASE_LIB_tune-mipsisa64r6-nf = "lib64"
-PACKAGE_EXTRA_ARCHS_tune-mipsisa64r6-nf = "mipsisa64r6"
+PACKAGE_EXTRA_ARCHS_tune-mipsisa64r6-nf = "mipsisa64r6-nf"
 
 TUNE_FEATURES_tune-mipsisa64r6el-nf = "r6 n64 mipsisa64r6"
 MIPSPKGSFX_VARIANT_tune-mipsisa64r6el-nf = "${TUNE_ARCH}"

meta/files/common-licenses/PSF-2.0

@@ -0,0 +1,49 @@
+
+PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
+--------------------------------------------
+
+1. This LICENSE AGREEMENT is between the Python Software Foundation
+("PSF"), and the Individual or Organization ("Licensee") accessing and
+otherwise using this software ("Python") in source or binary form and
+its associated documentation.
+
+2. Subject to the terms and conditions of this License Agreement, PSF
+hereby grants Licensee a nonexclusive, royalty-free, world-wide
+license to reproduce, analyze, test, perform and/or display publicly,
+prepare derivative works, distribute, and otherwise use Python
+alone or in any derivative version, provided, however, that PSF's
+License Agreement and PSF's notice of copyright, i.e., "Copyright (c)
+2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights
+Reserved" are retained in Python alone or in any derivative version
+prepared by Licensee.
+
+3. In the event Licensee prepares a derivative work that is based on
+or incorporates Python or any part thereof, and wants to make
+the derivative work available to others as provided herein, then
+Licensee hereby agrees to include in any such work a brief summary of
+the changes made to Python.
+
+4. PSF is making Python available to Licensee on an "AS IS"
+basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
+IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND
+DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS
+FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT
+INFRINGE ANY THIRD PARTY RIGHTS.
+
+5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON
+FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS
+A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON,
+OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
+
+6. This License Agreement will automatically terminate upon a material
+breach of its terms and conditions.
+
+7. Nothing in this License Agreement shall be deemed to create any
+relationship of agency, partnership, or joint venture between PSF and
+Licensee. This License Agreement does not grant permission to use PSF
+trademarks or trade name in a trademark sense to endorse or promote
+products or services of Licensee, or any third party.
+
+8. By copying, installing or otherwise using Python, Licensee
+agrees to be bound by the terms and conditions of this License
+Agreement.

meta/files/common-licenses/bzip2-1.0.4

@@ -0,0 +1,43 @@
+
+--------------------------------------------------------------------------
+
+This program, "bzip2", the associated library "libbzip2", and all
+documentation, are copyright (C) 1996-2006 Julian R Seward.  All
+rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. The origin of this software must not be misrepresented; you must 
+   not claim that you wrote the original software.  If you use this 
+   software in a product, an acknowledgment in the product 
+   documentation would be appreciated but is not required.
+
+3. Altered source versions must be plainly marked as such, and must
+   not be misrepresented as being the original software.
+
+4. The name of the author may not be used to endorse or promote 
+   products derived from this software without specific prior written 
+   permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Julian Seward, Cambridge, UK.
+jseward@bzip.org
+bzip2/libbzip2 version 1.0.4 of 20 December 2006
+
+--------------------------------------------------------------------------

meta/files/toolchain-shar-extract.sh

@@ -26,7 +26,7 @@ tweakpath /sbin
 INST_ARCH=$(uname -m | sed -e "s/i[3-6]86/ix86/" -e "s/x86[-_]64/x86_64/")
 SDK_ARCH=$(echo @SDK_ARCH@ | sed -e "s/i[3-6]86/ix86/" -e "s/x86[-_]64/x86_64/")
 
-INST_GCC_VER=$(gcc --version | sed -ne 's/.* \([0-9]\+\.[0-9]\+\)\.[0-9]\+.*/\1/p')
+INST_GCC_VER=$(gcc --version 2>/dev/null | sed -ne 's/.* \([0-9]\+\.[0-9]\+\)\.[0-9]\+.*/\1/p')
 SDK_GCC_VER='@SDK_GCC_VER@'
 
 verlte () {

meta/lib/bblayers/templates/example.bb

@@ -2,10 +2,12 @@ SUMMARY = "bitbake-layers recipe"
 DESCRIPTION = "Recipe created by bitbake-layers"
 LICENSE = "MIT"
 
-python do_build() {
+python do_display_banner() {
     bb.plain("***********************************************");
     bb.plain("*                                             *");
     bb.plain("*  Example recipe created by bitbake-layers   *");
     bb.plain("*                                             *");
     bb.plain("***********************************************");
 }
+
+addtask display_banner before do_build

meta/lib/oe/patch.py

@@ -416,7 +416,7 @@ class GitApplyTree(PatchTree):
                     date = newdate
                 if not subject:
                     subject = newsubject
-        if subject and outlines and not outlines[0].strip() == subject:
+        if subject and not (outlines and outlines[0].strip() == subject):
             outlines.insert(0, '%s\n\n' % subject.strip())
 
         # Write out commit message to a file
@@ -439,7 +439,6 @@ class GitApplyTree(PatchTree):
     def extractPatches(tree, startcommit, outdir, paths=None):
         import tempfile
         import shutil
-        import re
         tempdir = tempfile.mkdtemp(prefix='oepatch')
         try:
             shellcmd = ["git", "format-patch", "--no-signature", "--no-numbered", startcommit, "-o", tempdir]
@@ -455,13 +454,10 @@ class GitApplyTree(PatchTree):
                         try:
                             with open(srcfile, 'r', encoding=encoding) as f:
                                 for line in f:
-                                    checkline = line
-                                    if checkline.startswith('Subject: '):
-                                        checkline = re.sub(r'\[.+?\]\s*', '', checkline[9:])
-                                    if checkline.startswith(GitApplyTree.patch_line_prefix):
+                                    if line.startswith(GitApplyTree.patch_line_prefix):
                                         outfile = line.split()[-1].strip()
                                         continue
-                                    if checkline.startswith(GitApplyTree.ignore_commit_prefix):
+                                    if line.startswith(GitApplyTree.ignore_commit_prefix):
                                         continue
                                     patchlines.append(line)
                         except UnicodeDecodeError:
@@ -508,8 +504,7 @@ class GitApplyTree(PatchTree):
         with open(commithook, 'w') as f:
             # NOTE: the formatting here is significant; if you change it you'll also need to
             # change other places which read it back
-            f.write('echo >> $1\n')
-            f.write('echo "%s: $PATCHFILE" >> $1\n' % GitApplyTree.patch_line_prefix)
+            f.write('echo "\n%s: $PATCHFILE" >> $1' % GitApplyTree.patch_line_prefix)
         os.chmod(commithook, 0o755)
         shutil.copy2(commithook, applyhook)
         try:

meta/lib/oe/reproducible.py

@@ -0,0 +1,104 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+import os
+import subprocess
+import bb
+
+def get_source_date_epoch_from_known_files(d, sourcedir):
+    source_date_epoch = None
+    newest_file = None
+    known_files = set(["NEWS", "ChangeLog", "Changelog", "CHANGES"])
+    for file in known_files:
+        filepath = os.path.join(sourcedir, file)
+        if os.path.isfile(filepath):
+            mtime = int(os.lstat(filepath).st_mtime)
+            # There may be more than one "known_file" present, if so, use the youngest one
+            if not source_date_epoch or mtime > source_date_epoch:
+                source_date_epoch = mtime
+                newest_file = filepath
+    if newest_file:
+        bb.debug(1, "SOURCE_DATE_EPOCH taken from: %s" % newest_file)
+    return source_date_epoch
+
+def find_git_folder(d, sourcedir):
+    # First guess: WORKDIR/git
+    # This is the default git fetcher unpack path
+    workdir = d.getVar('WORKDIR')
+    gitpath = os.path.join(workdir, "git/.git")
+    if os.path.isdir(gitpath):
+        return gitpath
+
+    # Second guess: ${S}
+    gitpath = os.path.join(sourcedir, ".git")
+    if os.path.isdir(gitpath):
+        return gitpath
+
+    # Perhaps there was a subpath or destsuffix specified.
+    # Go looking in the WORKDIR
+    exclude = set(["build", "image", "license-destdir", "patches", "pseudo",
+                   "recipe-sysroot", "recipe-sysroot-native", "sysroot-destdir", "temp"])
+    for root, dirs, files in os.walk(workdir, topdown=True):
+        dirs[:] = [d for d in dirs if d not in exclude]
+        if '.git' in dirs:
+            return root
+
+    bb.warn("Failed to find a git repository in WORKDIR: %s" % workdir)
+    return None
+
+def get_source_date_epoch_from_git(d, sourcedir):
+    if not "git://" in d.getVar('SRC_URI'):
+        return None
+
+    gitpath = find_git_folder(d, sourcedir)
+    if not gitpath:
+        return None
+
+    # Check that the repository has a valid HEAD; it may not if subdir is used
+    # in SRC_URI
+    p = subprocess.run(['git', '--git-dir', gitpath, 'rev-parse', 'HEAD'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+    if p.returncode != 0:
+        bb.debug(1, "%s does not have a valid HEAD: %s" % (gitpath, p.stdout.decode('utf-8')))
+        return None
+
+    bb.debug(1, "git repository: %s" % gitpath)
+    p = subprocess.run(['git', '--git-dir', gitpath, 'log', '-1', '--pretty=%ct'], check=True, stdout=subprocess.PIPE)
+    return int(p.stdout.decode('utf-8'))
+
+def get_source_date_epoch_from_youngest_file(d, sourcedir):
+    if sourcedir == d.getVar('WORKDIR'):
+       # These sources are almost certainly not from a tarball
+       return None
+
+    # Do it the hard way: check all files and find the youngest one...
+    source_date_epoch = None
+    newest_file = None
+    for root, dirs, files in os.walk(sourcedir, topdown=True):
+        files = [f for f in files if not f[0] == '.']
+
+        for fname in files:
+            filename = os.path.join(root, fname)
+            try:
+                mtime = int(os.lstat(filename).st_mtime)
+            except ValueError:
+                mtime = 0
+            if not source_date_epoch or mtime > source_date_epoch:
+                source_date_epoch = mtime
+                newest_file = filename
+
+    if newest_file:
+        bb.debug(1, "Newest file found: %s" % newest_file)
+    return source_date_epoch
+
+def fixed_source_date_epoch():
+    bb.debug(1, "No tarball or git repo found to determine SOURCE_DATE_EPOCH")
+    return 0
+
+def get_source_date_epoch(d, sourcedir):
+    return (
+        get_source_date_epoch_from_git(d, sourcedir) or
+        get_source_date_epoch_from_known_files(d, sourcedir) or
+        get_source_date_epoch_from_youngest_file(d, sourcedir) or
+        fixed_source_date_epoch()       # Last resort
+    )
+

meta/lib/oe/sstatesig.py

@@ -477,6 +477,9 @@ def OEOuthashBasic(path, sigfile, task, d):
     h = hashlib.sha256()
     prev_dir = os.getcwd()
     include_owners = os.environ.get('PSEUDO_DISABLED') == '0'
+    include_timestamps = False
+    if task == "package":
+        include_timestamps = d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1'
     extra_content = d.getVar('HASHEQUIV_HASH_VERSION')
 
     try:
@@ -551,6 +554,9 @@ def OEOuthashBasic(path, sigfile, task, d):
                         bb.warn("KeyError in %s" % path)
                         raise
 
+                if include_timestamps:
+                    update_hash(" %10d" % s.st_mtime)
+
                 update_hash(" ")
                 if stat.S_ISBLK(s.st_mode) or stat.S_ISCHR(s.st_mode):
                     update_hash("%9s" % ("%d.%d" % (os.major(s.st_rdev), os.minor(s.st_rdev))))

meta/lib/oeqa/core/context.py

@@ -31,6 +31,9 @@ class OETestContext(object):
         self._registry = {}
         self._registry['cases'] = collections.OrderedDict()
 
+        self.results = unittest.TestResult()
+        unittest.registerResult(self.results)
+
     def _read_modules_from_manifest(self, manifest):
         if not os.path.exists(manifest):
             raise OEQAMissingManifest("Manifest does not exist on %s" % manifest)
@@ -82,6 +85,7 @@ class OETestContext(object):
         self.skipTests(skips)
 
         self._run_start_time = time.time()
+        self._run_end_time = self._run_start_time
         if not processes:
             self.runner.buffer = True
         result = self.runner.run(self.prepareSuite(self.suites, processes))

meta/lib/oeqa/selftest/cases/containerimage.py

@@ -42,6 +42,9 @@ IMAGE_FSTYPES = "container"
 PACKAGE_CLASSES = "package_ipk"
 IMAGE_FEATURES = ""
 IMAGE_BUILDINFO_FILE = ""
+INIT_MANAGER = "sysvinit"
+IMAGE_INSTALL_remove = "ssh-pregen-hostkeys"
+
 """)
 
         bbvars = get_bb_vars(['bindir', 'sysconfdir', 'localstatedir',

meta/lib/oeqa/selftest/cases/devtool.py

@@ -56,7 +56,8 @@ def setUpModule():
                     if pth.startswith(canonical_layerpath):
                         if relpth.endswith('/'):
                             destdir = os.path.join(corecopydir, relpth)
-                            shutil.copytree(pth, destdir)
+                            # avoid race condition by not copying .pyc files YPBZ#13421,13803
+                            shutil.copytree(pth, destdir, ignore=ignore_patterns('*.pyc', '__pycache__'))
                         else:
                             destdir = os.path.join(corecopydir, os.path.dirname(relpth))
                             bb.utils.mkdirhier(destdir)

meta/lib/oeqa/selftest/cases/incompatible_lic.py

@@ -85,7 +85,7 @@ class IncompatibleLicenseTests(OESelftestTestCase):
 class IncompatibleLicensePerImageTests(OESelftestTestCase):
     def default_config(self):
         return """
-IMAGE_INSTALL_append = "bash"
+IMAGE_INSTALL_append = " bash"
 INCOMPATIBLE_LICENSE_pn-core-image-minimal = "GPL-3.0 LGPL-3.0"
 """
 

meta/lib/oeqa/selftest/cases/runcmd.py

@@ -64,12 +64,12 @@ class RunCmdTests(OESelftestTestCase):
                                 runCmd, "echo foobar >&2; false", shell=True, assert_error=False)
 
     def test_output(self):
-        result = runCmd("echo stdout; echo stderr >&2", shell=True)
+        result = runCmd("echo stdout; echo stderr >&2", shell=True, sync=False)
         self.assertEqual("stdout\nstderr", result.output)
         self.assertEqual("", result.error)
 
     def test_output_split(self):
-        result = runCmd("echo stdout; echo stderr >&2", shell=True, stderr=subprocess.PIPE)
+        result = runCmd("echo stdout; echo stderr >&2", shell=True, stderr=subprocess.PIPE, sync=False)
         self.assertEqual("stdout", result.output)
         self.assertEqual("stderr", result.error)
 
@@ -77,7 +77,7 @@ class RunCmdTests(OESelftestTestCase):
         numthreads = threading.active_count()
         start = time.time()
         # Killing a hanging process only works when not using a shell?!
-        result = runCmd(['sleep', '60'], timeout=self.TIMEOUT, ignore_status=True)
+        result = runCmd(['sleep', '60'], timeout=self.TIMEOUT, ignore_status=True, sync=False)
         self.assertEqual(result.status, -signal.SIGTERM)
         end = time.time()
         self.assertLess(end - start, self.TIMEOUT + self.DELTA)
@@ -87,7 +87,7 @@ class RunCmdTests(OESelftestTestCase):
         numthreads = threading.active_count()
         start = time.time()
         # Killing a hanging process only works when not using a shell?!
-        result = runCmd(['sleep', '60'], timeout=self.TIMEOUT, ignore_status=True, stderr=subprocess.PIPE)
+        result = runCmd(['sleep', '60'], timeout=self.TIMEOUT, ignore_status=True, stderr=subprocess.PIPE, sync=False)
         self.assertEqual(result.status, -signal.SIGTERM)
         end = time.time()
         self.assertLess(end - start, self.TIMEOUT + self.DELTA)
@@ -95,7 +95,7 @@ class RunCmdTests(OESelftestTestCase):
 
     def test_stdin(self):
         numthreads = threading.active_count()
-        result = runCmd("cat", data=b"hello world", timeout=self.TIMEOUT)
+        result = runCmd("cat", data=b"hello world", timeout=self.TIMEOUT, sync=False)
         self.assertEqual("hello world", result.output)
         self.assertEqual(numthreads, threading.active_count(), msg="Thread counts were not equal before (%s) and after (%s), active threads: %s" % (numthreads, threading.active_count(), threading.enumerate()))
         self.assertEqual(numthreads, 1)
@@ -103,7 +103,7 @@ class RunCmdTests(OESelftestTestCase):
     def test_stdin_timeout(self):
         numthreads = threading.active_count()
         start = time.time()
-        result = runCmd(['sleep', '60'], data=b"hello world", timeout=self.TIMEOUT, ignore_status=True)
+        result = runCmd(['sleep', '60'], data=b"hello world", timeout=self.TIMEOUT, ignore_status=True, sync=False)
         self.assertEqual(result.status, -signal.SIGTERM)
         end = time.time()
         self.assertLess(end - start, self.TIMEOUT + self.DELTA)
@@ -111,12 +111,12 @@ class RunCmdTests(OESelftestTestCase):
 
     def test_log(self):
         log = MemLogger()
-        result = runCmd("echo stdout; echo stderr >&2", shell=True, output_log=log)
+        result = runCmd("echo stdout; echo stderr >&2", shell=True, output_log=log, sync=False)
         self.assertEqual(["Running: echo stdout; echo stderr >&2", "stdout", "stderr"], log.info_msgs)
         self.assertEqual([], log.error_msgs)
 
     def test_log_split(self):
         log = MemLogger()
-        result = runCmd("echo stdout; echo stderr >&2", shell=True, output_log=log, stderr=subprocess.PIPE)
+        result = runCmd("echo stdout; echo stderr >&2", shell=True, output_log=log, stderr=subprocess.PIPE, sync=False)
         self.assertEqual(["Running: echo stdout; echo stderr >&2", "stdout"], log.info_msgs)
         self.assertEqual(["stderr"], log.error_msgs)

meta/lib/oeqa/selftest/cases/wic.py

@@ -639,41 +639,50 @@ class Wic2(WicTestCase):
             tempf.write("part " \
                      "--source rootfs --ondisk hda --align 4 --fixed-size %d "
                      "--fstype=ext4\n" % size)
+
+        return wkspath
+
+    def _get_wic_partitions(self, wkspath, native_sysroot=None, ignore_status=False):
+        p = runCmd("wic create %s -e core-image-minimal -o %s" % (wkspath, self.resultdir),
+                   ignore_status=ignore_status)
+
+        if p.status:
+            return (p, None)
+
         wksname = os.path.splitext(os.path.basename(wkspath))[0]
 
-        return wkspath, wksname
-
-    def test_fixed_size(self):
-        """
-        Test creation of a simple image with partition size controlled through
-        --fixed-size flag
-        """
-        wkspath, wksname = Wic2._make_fixed_size_wks(200)
-
-        runCmd("wic create %s -e core-image-minimal -o %s" \
-                                   % (wkspath, self.resultdir))
-        os.remove(wkspath)
         wicout = glob(self.resultdir + "%s-*direct" % wksname)
-        self.assertEqual(1, len(wicout))
+
+        if not wicout:
+            return (p, None)
 
         wicimg = wicout[0]
 
-        native_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "wic-tools")
+        if not native_sysroot:
+            native_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "wic-tools")
 
         # verify partition size with wic
-        res = runCmd("parted -m %s unit mib p 2>/dev/null" % wicimg,
+        res = runCmd("parted -m %s unit kib p 2>/dev/null" % wicimg,
                      native_sysroot=native_sysroot)
 
         # parse parted output which looks like this:
         # BYT;\n
         # /var/tmp/wic/build/tmpfwvjjkf_-201611101222-hda.direct:200MiB:file:512:512:msdos::;\n
         # 1:0.00MiB:200MiB:200MiB:ext4::;\n
-        partlns = res.output.splitlines()[2:]
+        return (p, res.output.splitlines()[2:])
 
-        self.assertEqual(1, len(partlns),
-                         msg="Partition list '%s'" % res.output)
-        self.assertEqual("1:0.00MiB:200MiB:200MiB:ext4::;", partlns[0],
-                         msg="Partition list '%s'" % res.output)
+    def test_fixed_size(self):
+        """
+        Test creation of a simple image with partition size controlled through
+        --fixed-size flag
+        """
+        wkspath = Wic2._make_fixed_size_wks(200)
+        _, partlns = self._get_wic_partitions(wkspath)
+        os.remove(wkspath)
+
+        self.assertEqual(partlns, [
+                        "1:4.00kiB:204804kiB:204800kiB:ext4::;",
+                        ])
 
     def test_fixed_size_error(self):
         """
@@ -681,13 +690,111 @@ class Wic2(WicTestCase):
         --fixed-size flag. The size of partition is intentionally set to 1MiB
         in order to trigger an error in wic.
         """
-        wkspath, wksname = Wic2._make_fixed_size_wks(1)
-
-        self.assertEqual(1, runCmd("wic create %s -e core-image-minimal -o %s" \
-                                   % (wkspath, self.resultdir), ignore_status=True).status)
+        wkspath = Wic2._make_fixed_size_wks(1)
+        p, _ = self._get_wic_partitions(wkspath, ignore_status=True)
         os.remove(wkspath)
-        wicout = glob(self.resultdir + "%s-*direct" % wksname)
-        self.assertEqual(0, len(wicout))
+
+        self.assertNotEqual(p.status, 0, "wic exited successfully when an error was expected:\n%s" % p.output)
+
+    def test_offset(self):
+        native_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "wic-tools")
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            # Test that partitions are placed at the correct offsets, default KB
+            tempf.write("bootloader --ptable gpt\n" \
+                        "part /    --source rootfs --ondisk hda --offset 32     --fixed-size 100M --fstype=ext4\n" \
+                        "part /bar                 --ondisk hda --offset 102432 --fixed-size 100M --fstype=ext4\n")
+            tempf.flush()
+
+            _, partlns = self._get_wic_partitions(tempf.name, native_sysroot)
+            self.assertEqual(partlns, [
+                "1:32.0kiB:102432kiB:102400kiB:ext4:primary:;",
+                "2:102432kiB:204832kiB:102400kiB:ext4:primary:;",
+                ])
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            # Test that partitions are placed at the correct offsets, same with explicit KB
+            tempf.write("bootloader --ptable gpt\n" \
+                        "part /    --source rootfs --ondisk hda --offset 32K     --fixed-size 100M --fstype=ext4\n" \
+                        "part /bar                 --ondisk hda --offset 102432K --fixed-size 100M --fstype=ext4\n")
+            tempf.flush()
+
+            _, partlns = self._get_wic_partitions(tempf.name, native_sysroot)
+            self.assertEqual(partlns, [
+                "1:32.0kiB:102432kiB:102400kiB:ext4:primary:;",
+                "2:102432kiB:204832kiB:102400kiB:ext4:primary:;",
+                ])
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            # Test that partitions are placed at the correct offsets using MB
+            tempf.write("bootloader --ptable gpt\n" \
+                        "part /    --source rootfs --ondisk hda --offset 32K  --fixed-size 100M --fstype=ext4\n" \
+                        "part /bar                 --ondisk hda --offset 101M --fixed-size 100M --fstype=ext4\n")
+            tempf.flush()
+
+            _, partlns = self._get_wic_partitions(tempf.name, native_sysroot)
+            self.assertEqual(partlns, [
+                "1:32.0kiB:102432kiB:102400kiB:ext4:primary:;",
+                "2:103424kiB:205824kiB:102400kiB:ext4:primary:;",
+                ])
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            # Test that partitions can be placed on a 512 byte sector boundary
+            tempf.write("bootloader --ptable gpt\n" \
+                        "part /    --source rootfs --ondisk hda --offset 65s --fixed-size 99M --fstype=ext4\n" \
+                        "part /bar                 --ondisk hda --offset 102432 --fixed-size 100M --fstype=ext4\n")
+            tempf.flush()
+
+            _, partlns = self._get_wic_partitions(tempf.name, native_sysroot)
+            self.assertEqual(partlns, [
+                "1:32.5kiB:101408kiB:101376kiB:ext4:primary:;",
+                "2:102432kiB:204832kiB:102400kiB:ext4:primary:;",
+                ])
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            # Test that a partition can be placed immediately after a MSDOS partition table
+            tempf.write("bootloader --ptable msdos\n" \
+                        "part /    --source rootfs --ondisk hda --offset 1s --fixed-size 100M --fstype=ext4\n")
+            tempf.flush()
+
+            _, partlns = self._get_wic_partitions(tempf.name, native_sysroot)
+            self.assertEqual(partlns, [
+                "1:0.50kiB:102400kiB:102400kiB:ext4::;",
+                ])
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            # Test that image creation fails if the partitions would overlap
+            tempf.write("bootloader --ptable gpt\n" \
+                        "part /    --source rootfs --ondisk hda --offset 32     --fixed-size 100M --fstype=ext4\n" \
+                        "part /bar                 --ondisk hda --offset 102431 --fixed-size 100M --fstype=ext4\n")
+            tempf.flush()
+
+            p, _ = self._get_wic_partitions(tempf.name, ignore_status=True)
+            self.assertNotEqual(p.status, 0, "wic exited successfully when an error was expected:\n%s" % p.output)
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            # Test that partitions are not allowed to overlap with the booloader
+            tempf.write("bootloader --ptable gpt\n" \
+                        "part /    --source rootfs --ondisk hda --offset 8 --fixed-size 100M --fstype=ext4\n")
+            tempf.flush()
+
+            p, _ = self._get_wic_partitions(tempf.name, ignore_status=True)
+            self.assertNotEqual(p.status, 0, "wic exited successfully when an error was expected:\n%s" % p.output)
+
+    def test_extra_space(self):
+        native_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "wic-tools")
+
+        with NamedTemporaryFile("w", suffix=".wks") as tempf:
+            tempf.write("bootloader --ptable gpt\n" \
+                        "part /     --source rootfs --ondisk hda --extra-space 200M --fstype=ext4\n")
+            tempf.flush()
+
+            _, partlns = self._get_wic_partitions(tempf.name, native_sysroot)
+            self.assertEqual(len(partlns), 1)
+            size = partlns[0].split(':')[3]
+            self.assertRegex(size, r'^[0-9]+kiB$')
+            size = int(size[:-3])
+            self.assertGreaterEqual(size, 204800)
 
     @only_for_arch(['i586', 'i686', 'x86_64'])
     def test_rawcopy_plugin_qemu(self):

meta/lib/oeqa/utils/commands.py

@@ -167,7 +167,7 @@ class Result(object):
     pass
 
 
-def runCmd(command, ignore_status=False, timeout=None, assert_error=True,
+def runCmd(command, ignore_status=False, timeout=None, assert_error=True, sync=True,
           native_sysroot=None, limit_exc_output=0, output_log=None, **options):
     result = Result()
 
@@ -184,6 +184,12 @@ def runCmd(command, ignore_status=False, timeout=None, assert_error=True,
     cmd = Command(command, timeout=timeout, output_log=output_log, **options)
     cmd.run()
 
+    # tests can be heavy on IO and if bitbake can't write out its caches, we see timeouts.
+    # call sync around the tests to ensure the IO queue doesn't get too large, taking any IO
+    # hit here rather than in bitbake shutdown.
+    if sync:
+        os.system("sync")
+
     result.command = command
     result.status = cmd.status
     result.output = cmd.output

meta/lib/oeqa/utils/qemurunner.py

@@ -393,7 +393,7 @@ class QemuRunner:
 
         # If we are not able to login the tests can continue
         try:
-            (status, output) = self.run_serial(self.boot_patterns['send_login_user'], raw=True)
+            (status, output) = self.run_serial(self.boot_patterns['send_login_user'], raw=True, timeout=120)
             if re.search(self.boot_patterns['search_login_succeeded'], output):
                 self.logged = True
                 self.logger.debug("Logged as root in serial console")

meta/recipes-bsp/grub/files/CVE-2020-10713.patch

@@ -0,0 +1,73 @@
+From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 15 Apr 2020 15:45:02 -0400
+Subject: yylex: Make lexer fatal errors actually be fatal
+
+When presented with a command that can't be tokenized to anything
+smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
+expecting that will stop further processing, as such:
+
+  #define YY_DO_BEFORE_ACTION \
+        yyg->yytext_ptr = yy_bp; \
+        yyleng = (int) (yy_cp - yy_bp); \
+        yyg->yy_hold_char = *yy_cp; \
+        *yy_cp = '\0'; \
+        if ( yyleng >= YYLMAX ) \
+                YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
+        yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
+        yyg->yy_c_buf_p = yy_cp;
+
+The code flex generates expects that YY_FATAL_ERROR() will either return
+for it or do some form of longjmp(), or handle the error in some way at
+least, and so the strncpy() call isn't in an "else" clause, and thus if
+YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
+questionable limit, and predictable results ensue.
+
+Unfortunately, our implementation of YY_FATAL_ERROR() is:
+
+   #define YY_FATAL_ERROR(msg)                     \
+     do {                                          \
+       grub_printf (_("fatal error: %s\n"), _(msg));     \
+     } while (0)
+
+The same pattern exists in yyless(), and similar problems exist in users
+of YY_INPUT(), several places in the main parsing loop,
+yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
+yy_scan_buffer(), etc.
+
+All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
+the things they do if it returns after calling it are wildly unsafe.
+
+Fixes: CVE-2020-10713
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
+CVE: CVE-2020-10713
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ grub-core/script/yylex.l | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
+index 7b44c37b7..b7203c823 100644
+--- a/grub-core/script/yylex.l
++++ b/grub-core/script/yylex.l
+@@ -37,11 +37,11 @@
+ 
+ /* 
+  * As we don't have access to yyscanner, we cannot do much except to
+- * print the fatal error.
++ * print the fatal error and exit.
+  */
+ #define YY_FATAL_ERROR(msg)                     \
+   do {                                          \
+-    grub_printf (_("fatal error: %s\n"), _(msg));     \
++    grub_fatal (_("fatal error: %s\n"), _(msg));\
+   } while (0)
+ 
+ #define COPY(str, hint)                         \
+-- 
+cgit v1.2.1
+

meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch

@@ -0,0 +1,117 @@
+From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 10 Jul 2020 14:41:45 +0100
+Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function
+ during execution
+
+Defining a new function with the same name as a previously defined
+function causes the grub_script and associated resources for the
+previous function to be freed. If the previous function is currently
+executing when a function with the same name is defined, this results
+in use-after-frees when processing subsequent commands in the original
+function.
+
+Instead, reject a new function definition if it has the same name as
+a previously defined function, and that function is currently being
+executed. Although a behavioural change, this should be backwards
+compatible with existing configurations because they can't be
+dependent on the current behaviour without being broken.
+
+Fixes: CVE-2020-15706
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-15706
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=426f57383d647406ae9c628c472059c27cd6e040
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/script/execute.c  |  2 ++
+ grub-core/script/function.c | 16 +++++++++++++---
+ grub-core/script/parser.y   |  3 ++-
+ include/grub/script_sh.h    |  2 ++
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index c8d6806..7e028e1 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
+   old_scope = scope;
+   scope = &new_scope;
+ 
++  func->executing++;
+   ret = grub_script_execute (func->func);
++  func->executing--;
+ 
+   function_return = 0;
+   active_loops = loops;
+diff --git a/grub-core/script/function.c b/grub-core/script/function.c
+index d36655e..3aad04b 100644
+--- a/grub-core/script/function.c
++++ b/grub-core/script/function.c
+@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+   func = (grub_script_function_t) grub_malloc (sizeof (*func));
+   if (! func)
+     return 0;
++  func->executing = 0;
+ 
+   func->name = grub_strdup (functionname_arg->str);
+   if (! func->name)
+@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+       grub_script_function_t q;
+ 
+       q = *p;
+-      grub_script_free (q->func);
+-      q->func = cmd;
+       grub_free (func);
+-      func = q;
++      if (q->executing > 0)
++        {
++          grub_error (GRUB_ERR_BAD_ARGUMENT,
++		      N_("attempt to redefine a function being executed"));
++          func = NULL;
++        }
++      else
++        {
++          grub_script_free (q->func);
++          q->func = cmd;
++          func = q;
++        }
+     }
+   else
+     {
+diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
+index 4f0ab83..f80b86b 100644
+--- a/grub-core/script/parser.y
++++ b/grub-core/script/parser.y
+@@ -289,7 +289,8 @@ function: "function" "name"
+ 	      grub_script_mem_free (state->func_mem);
+ 	    else {
+ 	      script->children = state->scripts;
+-	      grub_script_function_create ($2, script);
++	      if (!grub_script_function_create ($2, script))
++		grub_script_free (script);
+ 	    }
+ 
+ 	    state->scripts = $<scripts>3;
+diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
+index b382bcf..6c48e07 100644
+--- a/include/grub/script_sh.h
++++ b/include/grub/script_sh.h
+@@ -361,6 +361,8 @@ struct grub_script_function
+ 
+   /* The next element.  */
+   struct grub_script_function *next;
++
++  unsigned executing;
+ };
+ typedef struct grub_script_function *grub_script_function_t;
+ 
+-- 
+2.14.4
+

meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch

@@ -0,0 +1,177 @@
+From 68a09a74f6d726d79709847f3671c0a08e4fb5a0 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sat, 25 Jul 2020 12:15:37 +0100
+Subject: [PATCH 9/9] linux: Fix integer overflows in initrd size handling
+
+These could be triggered by a crafted filesystem with very large files.
+
+Fixes: CVE-2020-15707
+
+Signed-off-by: Colin Watson <cjwatson@debian.org>
+Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-15707
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e7b8856f8be3292afdb38d2e8c70ad8d62a61e10
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 54 insertions(+), 20 deletions(-)
+
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index 471b214..8c8565a 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -4,6 +4,7 @@
+ #include <grub/misc.h>
+ #include <grub/file.h>
+ #include <grub/mm.h>
++#include <grub/safemath.h>
+ 
+ struct newc_head
+ {
+@@ -98,13 +99,13 @@ free_dir (struct dir *root)
+   grub_free (root);
+ }
+ 
+-static grub_size_t
++static grub_err_t
+ insert_dir (const char *name, struct dir **root,
+-	    grub_uint8_t *ptr)
++	    grub_uint8_t *ptr, grub_size_t *size)
+ {
+   struct dir *cur, **head = root;
+   const char *cb, *ce = name;
+-  grub_size_t size = 0;
++  *size = 0;
+   while (1)
+     {
+       for (cb = ce; *cb == '/'; cb++);
+@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
+ 	      ptr = make_header (ptr, name, ce - name,
+ 				 040777, 0);
+ 	    }
+-	  size += ALIGN_UP ((ce - (char *) name)
+-			    + sizeof (struct newc_head), 4);
++	  if (grub_add (*size,
++		        ALIGN_UP ((ce - (char *) name)
++				  + sizeof (struct newc_head), 4),
++			size))
++	    {
++	      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++	      grub_free (n->name);
++	      grub_free (n);
++	      return grub_errno;
++	    }
+ 	  *head = n;
+ 	  cur = n;
+ 	}
+       root = &cur->next;
+     }
+-  return size;
++  return GRUB_ERR_NONE;
+ }
+ 
+ grub_err_t
+@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
+ 	  eptr = grub_strchr (ptr, ':');
+ 	  if (eptr)
+ 	    {
++	      grub_size_t dir_size, name_len;
++
+ 	      initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
+-	      if (!initrd_ctx->components[i].newc_name)
++	      if (!initrd_ctx->components[i].newc_name ||
++		  insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
++			      &dir_size))
+ 		{
+ 		  grub_initrd_close (initrd_ctx);
+ 		  return grub_errno;
+ 		}
+-	      initrd_ctx->size
+-		+= ALIGN_UP (sizeof (struct newc_head)
+-			    + grub_strlen (initrd_ctx->components[i].newc_name),
+-			     4);
+-	      initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
+-					      &root, 0);
++	      name_len = grub_strlen (initrd_ctx->components[i].newc_name);
++	      if (grub_add (initrd_ctx->size,
++			    ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
++			    &initrd_ctx->size) ||
++		  grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
++		goto overflow;
+ 	      newc = 1;
+ 	      fname = eptr + 1;
+ 	    }
+ 	}
+       else if (newc)
+ 	{
+-	  initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
+-					+ sizeof ("TRAILER!!!") - 1, 4);
++	  if (grub_add (initrd_ctx->size,
++			ALIGN_UP (sizeof (struct newc_head)
++				  + sizeof ("TRAILER!!!") - 1, 4),
++			&initrd_ctx->size))
++	    goto overflow;
+ 	  free_dir (root);
+ 	  root = 0;
+ 	  newc = 0;
+@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
+       initrd_ctx->nfiles++;
+       initrd_ctx->components[i].size
+ 	= grub_file_size (initrd_ctx->components[i].file);
+-      initrd_ctx->size += initrd_ctx->components[i].size;
++      if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
++		    &initrd_ctx->size))
++	goto overflow;
+     }
+ 
+   if (newc)
+     {
+       initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
+-      initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
+-				    + sizeof ("TRAILER!!!") - 1, 4);
++      if (grub_add (initrd_ctx->size,
++		    ALIGN_UP (sizeof (struct newc_head)
++			      + sizeof ("TRAILER!!!") - 1, 4),
++		    &initrd_ctx->size))
++	goto overflow;
+       free_dir (root);
+       root = 0;
+     }
+   
+   return GRUB_ERR_NONE;
++
++ overflow:
++  free_dir (root);
++  grub_initrd_close (initrd_ctx);
++  return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ }
+ 
+ grub_size_t
+@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+ 
+       if (initrd_ctx->components[i].newc_name)
+ 	{
+-	  ptr += insert_dir (initrd_ctx->components[i].newc_name,
+-			     &root, ptr);
++	  grub_size_t dir_size;
++
++	  if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
++			  &dir_size))
++	    {
++	      free_dir (root);
++	      grub_initrd_close (initrd_ctx);
++	      return grub_errno;
++	    }
++	  ptr += dir_size;
+ 	  ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
+ 			     grub_strlen (initrd_ctx->components[i].newc_name),
+ 			     0100777,
+-- 
+2.14.4
+

meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch

@@ -0,0 +1,246 @@
+From c005f62f5c4b26a77b916c8f76a852324439ecb3 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:15:29 -0400
+Subject: [PATCH 2/9] calloc: Make sure we always have an overflow-checking
+ calloc() available
+
+This tries to make sure that everywhere in this source tree, we always have
+an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
+available, and that they all safely check for overflow and return NULL when
+it would occur.
+
+Upstream-Status: Backport [commit 64e26162ebfe68317c143ca5ec996c892019f8f8
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/kern/emu/misc.c          | 12 ++++++++++++
+ grub-core/kern/emu/mm.c            | 10 ++++++++++
+ grub-core/kern/mm.c                | 40 ++++++++++++++++++++++++++++++++++++++
+ grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
+ grub-core/lib/posix_wrap/stdlib.h  |  8 +++++++-
+ include/grub/emu/misc.h            |  1 +
+ include/grub/mm.h                  |  6 ++++++
+ 7 files changed, 85 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
+index 65db79b..dfd8a8e 100644
+--- a/grub-core/kern/emu/misc.c
++++ b/grub-core/kern/emu/misc.c
+@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...)
+   exit (1);
+ }
+ 
++void *
++xcalloc (grub_size_t nmemb, grub_size_t size)
++{
++  void *p;
++
++  p = calloc (nmemb, size);
++  if (!p)
++    grub_util_error ("%s", _("out of memory"));
++
++  return p;
++}
++
+ void *
+ xmalloc (grub_size_t size)
+ {
+diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
+index f262e95..145b01d 100644
+--- a/grub-core/kern/emu/mm.c
++++ b/grub-core/kern/emu/mm.c
+@@ -25,6 +25,16 @@
+ #include <string.h>
+ #include <grub/i18n.h>
+ 
++void *
++grub_calloc (grub_size_t nmemb, grub_size_t size)
++{
++  void *ret;
++  ret = calloc (nmemb, size);
++  if (!ret)
++    grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
++  return ret;
++}
++
+ void *
+ grub_malloc (grub_size_t size)
+ {
+diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
+index ee88ff6..f2822a8 100644
+--- a/grub-core/kern/mm.c
++++ b/grub-core/kern/mm.c
+@@ -67,8 +67,10 @@
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+ #include <grub/mm_private.h>
++#include <grub/safemath.h>
+ 
+ #ifdef MM_DEBUG
++# undef grub_calloc
+ # undef grub_malloc
+ # undef grub_zalloc
+ # undef grub_realloc
+@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
+   return 0;
+ }
+ 
++/*
++ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
++ * integer overflow.
++ */
++void *
++grub_calloc (grub_size_t nmemb, grub_size_t size)
++{
++  void *ret;
++  grub_size_t sz = 0;
++
++  if (grub_mul (nmemb, size, &sz))
++    {
++      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++      return NULL;
++    }
++
++  ret = grub_memalign (0, sz);
++  if (!ret)
++    return NULL;
++
++  grub_memset (ret, 0, sz);
++  return ret;
++}
++
+ /* Allocate SIZE bytes and return the pointer.  */
+ void *
+ grub_malloc (grub_size_t size)
+@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno)
+   grub_printf ("\n");
+ }
+ 
++void *
++grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
++{
++  void *ptr;
++
++  if (grub_mm_debug)
++    grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
++		 file, line, size);
++  ptr = grub_calloc (nmemb, size);
++  if (grub_mm_debug)
++    grub_printf ("%p\n", ptr);
++  return ptr;
++}
++
+ void *
+ grub_debug_malloc (const char *file, int line, grub_size_t size)
+ {
+diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
+index beeb661..74c6eaf 100644
+--- a/grub-core/lib/libgcrypt_wrap/mem.c
++++ b/grub-core/lib/libgcrypt_wrap/mem.c
+@@ -4,6 +4,7 @@
+ #include <grub/crypto.h>
+ #include <grub/dl.h>
+ #include <grub/env.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -36,7 +37,10 @@ void *
+ gcry_xcalloc (size_t n, size_t m)
+ {
+   void *ret;
+-  ret = grub_zalloc (n * m);
++  size_t sz;
++  if (grub_mul (n, m, &sz))
++    grub_fatal ("gcry_xcalloc would overflow");
++  ret = grub_zalloc (sz);
+   if (!ret)
+     grub_fatal ("gcry_xcalloc failed");
+   return ret;
+@@ -56,7 +60,10 @@ void *
+ gcry_xcalloc_secure (size_t n, size_t m)
+ {
+   void *ret;
+-  ret = grub_zalloc (n * m);
++  size_t sz;
++  if (grub_mul (n, m, &sz))
++    grub_fatal ("gcry_xcalloc would overflow");
++  ret = grub_zalloc (sz);
+   if (!ret)
+     grub_fatal ("gcry_xcalloc failed");
+   return ret;
+diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
+index 3b46f47..7a8d385 100644
+--- a/grub-core/lib/posix_wrap/stdlib.h
++++ b/grub-core/lib/posix_wrap/stdlib.h
+@@ -21,6 +21,7 @@
+ 
+ #include <grub/mm.h>
+ #include <grub/misc.h>
++#include <grub/safemath.h>
+ 
+ static inline void 
+ free (void *ptr)
+@@ -37,7 +38,12 @@ malloc (grub_size_t size)
+ static inline void *
+ calloc (grub_size_t size, grub_size_t nelem)
+ {
+-  return grub_zalloc (size * nelem);
++  grub_size_t sz;
++
++  if (grub_mul (size, nelem, &sz))
++    return NULL;
++
++  return grub_zalloc (sz);
+ }
+ 
+ static inline void *
+diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
+index ce464cf..ff9c48a 100644
+--- a/include/grub/emu/misc.h
++++ b/include/grub/emu/misc.h
+@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
+ #define GRUB_HOST_PRIuLONG_LONG "llu"
+ #define GRUB_HOST_PRIxLONG_LONG "llx"
+ 
++void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
+ void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
+ void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
+ char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
+diff --git a/include/grub/mm.h b/include/grub/mm.h
+index 28e2e53..9c38dd3 100644
+--- a/include/grub/mm.h
++++ b/include/grub/mm.h
+@@ -29,6 +29,7 @@
+ #endif
+ 
+ void grub_mm_init_region (void *addr, grub_size_t size);
++void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
+ void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
+ void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
+ void EXPORT_FUNC(grub_free) (void *ptr);
+@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
+ void grub_mm_dump_free (void);
+ void grub_mm_dump (unsigned lineno);
+ 
++#define grub_calloc(nmemb, size)	\
++  grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
++
+ #define grub_malloc(size)	\
+   grub_debug_malloc (GRUB_FILE, __LINE__, size)
+ 
+@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
+ #define grub_free(ptr)	\
+   grub_debug_free (GRUB_FILE, __LINE__, ptr)
+ 
++void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
++				      grub_size_t nmemb, grub_size_t size);
+ void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
+ 				      grub_size_t size);
+ void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
+-- 
+2.14.4
+

meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch

@@ -0,0 +1,287 @@
+From 8eb02bcb5897b238b29ff762402bb0c3028f0eab Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Thu, 19 Mar 2020 13:56:13 +0800
+Subject: [PATCH 3/9] lvm: Add LVM cache logical volume handling
+
+The LVM cache logical volume is the logical volume consisting of the original
+and the cache pool logical volume. The original is usually on a larger and
+slower storage device while the cache pool is on a smaller and faster one. The
+performance of the original volume can be improved by storing the frequently
+used data on the cache pool to utilize the greater performance of faster
+device.
+
+The default cache mode "writethrough" ensures that any data written will be
+stored both in the cache and on the origin LV, therefore grub can be straight
+to read the original lv as no data loss is guarenteed.
+
+The second cache mode is "writeback", which delays writing from the cache pool
+back to the origin LV to have increased performance. The drawback is potential
+data loss if losing the associated cache device.
+
+During the boot time grub reads the LVM offline i.e. LVM volumes are not
+activated and mounted, hence it should be fine to read directly from original
+lv since all cached data should have been flushed back in the process of taking
+it offline.
+
+It is also not much helpful to the situation by adding fsync calls to the
+install code. The fsync did not force to write back dirty cache to the original
+device and rather it would update associated cache metadata to complete the
+write transaction with the cache device. IOW the writes to cached blocks still
+go only to the cache device.
+
+To write back dirty cache, as LVM cache did not support dirty cache flush per
+block range, there'no way to do it for file. On the other hand the "cleaner"
+policy is implemented and can be used to write back "all" dirty blocks in a
+cache, which effectively drain all dirty cache gradually to attain and last in
+the "clean" state, which can be useful for shrinking or decommissioning a
+cache. The result and effect is not what we are looking for here.
+
+In conclusion, as it seems no way to enforce file writes to the original
+device, grub may suffer from power failure as it cannot assemble the cache
+device and read the dirty data from it. However since the case is only
+applicable to writeback mode which is sensitive to data lost in nature, I'd
+still like to propose my (relatively simple) patch and treat reading dirty
+cache as improvement.
+
+Upstream-Status: Backport [commit 0454b0445393aafc5600e92ef0c39494e333b135
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/disk/lvm.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 190 insertions(+)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 7b265c7..dc6b83b 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -33,6 +33,14 @@
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
++struct cache_lv
++{
++  struct grub_diskfilter_lv *lv;
++  char *cache_pool;
++  char *origin;
++  struct cache_lv *next;
++};
++
+ 
+ /* Go the string STR and return the number after STR.  *P will point
+    at the number.  In case STR is not found, *P will be NULL and the
+@@ -95,6 +103,34 @@ grub_lvm_check_flag (char *p, const char *str, const char *flag)
+     }
+ }
+ 
++static void
++grub_lvm_free_cache_lvs (struct cache_lv *cache_lvs)
++{
++  struct cache_lv *cache;
++
++  while ((cache = cache_lvs))
++    {
++      cache_lvs = cache_lvs->next;
++
++      if (cache->lv)
++	{
++	  unsigned int i;
++
++	  for (i = 0; i < cache->lv->segment_count; ++i)
++	    if (cache->lv->segments)
++	      grub_free (cache->lv->segments[i].nodes);
++	  grub_free (cache->lv->segments);
++	  grub_free (cache->lv->fullname);
++	  grub_free (cache->lv->idname);
++	  grub_free (cache->lv->name);
++	}
++      grub_free (cache->lv);
++      grub_free (cache->origin);
++      grub_free (cache->cache_pool);
++      grub_free (cache);
++    }
++}
++
+ static struct grub_diskfilter_vg * 
+ grub_lvm_detect (grub_disk_t disk,
+ 		 struct grub_diskfilter_pv_id *id,
+@@ -242,6 +278,8 @@ grub_lvm_detect (grub_disk_t disk,
+ 
+   if (! vg)
+     {
++      struct cache_lv *cache_lvs = NULL;
++
+       /* First time we see this volume group. We've to create the
+ 	 whole volume group structure. */
+       vg = grub_malloc (sizeof (*vg));
+@@ -671,6 +709,106 @@ grub_lvm_detect (grub_disk_t disk,
+ 			  seg->nodes[seg->node_count - 1].name = tmp;
+ 			}
+ 		    }
++		  else if (grub_memcmp (p, "cache\"",
++				   sizeof ("cache\"") - 1) == 0)
++		    {
++		      struct cache_lv *cache = NULL;
++
++		      char *p2, *p3;
++		      grub_size_t sz;
++
++		      cache = grub_zalloc (sizeof (*cache));
++		      if (!cache)
++			goto cache_lv_fail;
++		      cache->lv = grub_zalloc (sizeof (*cache->lv));
++		      if (!cache->lv)
++			goto cache_lv_fail;
++		      grub_memcpy (cache->lv, lv, sizeof (*cache->lv));
++
++		      if (lv->fullname)
++			{
++			  cache->lv->fullname = grub_strdup (lv->fullname);
++			  if (!cache->lv->fullname)
++			    goto cache_lv_fail;
++			}
++		      if (lv->idname)
++			{
++			  cache->lv->idname = grub_strdup (lv->idname);
++			  if (!cache->lv->idname)
++			    goto cache_lv_fail;
++			}
++		      if (lv->name)
++			{
++			  cache->lv->name = grub_strdup (lv->name);
++			  if (!cache->lv->name)
++			    goto cache_lv_fail;
++			}
++
++		      skip_lv = 1;
++
++		      p2 = grub_strstr (p, "cache_pool = \"");
++		      if (!p2)
++			goto cache_lv_fail;
++
++		      p2 = grub_strchr (p2, '"');
++		      if (!p2)
++			goto cache_lv_fail;
++
++		      p3 = ++p2;
++		      p3 = grub_strchr (p3, '"');
++		      if (!p3)
++			goto cache_lv_fail;
++
++		      sz = p3 - p2;
++
++		      cache->cache_pool = grub_malloc (sz + 1);
++		      if (!cache->cache_pool)
++			goto cache_lv_fail;
++		      grub_memcpy (cache->cache_pool, p2, sz);
++		      cache->cache_pool[sz] = '\0';
++
++		      p2 = grub_strstr (p, "origin = \"");
++		      if (!p2)
++			goto cache_lv_fail;
++
++		      p2 = grub_strchr (p2, '"');
++		      if (!p2)
++			goto cache_lv_fail;
++
++		      p3 = ++p2;
++		      p3 = grub_strchr (p3, '"');
++		      if (!p3)
++			goto cache_lv_fail;
++
++		      sz = p3 - p2;
++
++		      cache->origin = grub_malloc (sz + 1);
++		      if (!cache->origin)
++			goto cache_lv_fail;
++		      grub_memcpy (cache->origin, p2, sz);
++		      cache->origin[sz] = '\0';
++
++		      cache->next = cache_lvs;
++		      cache_lvs = cache;
++		      break;
++
++		    cache_lv_fail:
++		      if (cache)
++			{
++			  grub_free (cache->origin);
++			  grub_free (cache->cache_pool);
++			  if (cache->lv)
++			    {
++			      grub_free (cache->lv->fullname);
++			      grub_free (cache->lv->idname);
++			      grub_free (cache->lv->name);
++			    }
++			  grub_free (cache->lv);
++			  grub_free (cache);
++			}
++		      grub_lvm_free_cache_lvs (cache_lvs);
++		      goto fail4;
++		    }
+ 		  else
+ 		    {
+ #ifdef GRUB_UTIL
+@@ -747,6 +885,58 @@ grub_lvm_detect (grub_disk_t disk,
+ 	      }
+ 	
+       }
++
++      {
++	struct cache_lv *cache;
++
++	for (cache = cache_lvs; cache; cache = cache->next)
++	  {
++	    struct grub_diskfilter_lv *lv;
++
++	    for (lv = vg->lvs; lv; lv = lv->next)
++	      if (grub_strcmp (lv->name, cache->origin) == 0)
++		break;
++	    if (lv)
++	      {
++		cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
++		if (!cache->lv->segments)
++		  {
++		    grub_lvm_free_cache_lvs (cache_lvs);
++		    goto fail4;
++		  }
++		grub_memcpy (cache->lv->segments, lv->segments, lv->segment_count * sizeof (*lv->segments));
++
++		for (i = 0; i < lv->segment_count; ++i)
++		  {
++		    struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
++		    grub_size_t node_count = lv->segments[i].node_count;
++
++		    cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
++		    if (!cache->lv->segments[i].nodes)
++		      {
++			for (j = 0; j < i; ++j)
++			  grub_free (cache->lv->segments[j].nodes);
++			grub_free (cache->lv->segments);
++			cache->lv->segments = NULL;
++			grub_lvm_free_cache_lvs (cache_lvs);
++			goto fail4;
++		      }
++		    grub_memcpy (cache->lv->segments[i].nodes, nodes, node_count * sizeof (*nodes));
++		  }
++
++		if (cache->lv->segments)
++		  {
++		    cache->lv->segment_count = lv->segment_count;
++		    cache->lv->vg = vg;
++		    cache->lv->next = vg->lvs;
++		    vg->lvs = cache->lv;
++		    cache->lv = NULL;
++		  }
++	      }
++	  }
++      }
++
++      grub_lvm_free_cache_lvs (cache_lvs);
+       if (grub_diskfilter_vg_register (vg))
+ 	goto fail4;
+     }
+-- 
+2.14.4
+

meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch

@@ -0,0 +1,94 @@
+From 06c361a71c4998635493610e5d76d0d223925251 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 10:58:42 -0400
+Subject: [PATCH 5/9] safemath: Add some arithmetic primitives that check for
+ overflow
+
+This adds a new header, include/grub/safemath.h, that includes easy to
+use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
+
+  bool OP(a, b, res)
+
+where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
+case where the operation would overflow and res is not modified.
+Otherwise, false is returned and the operation is executed.
+
+These arithmetic primitives require newer compiler versions. So, bump
+these requirements in the INSTALL file too.
+
+Upstream-Status: Backport [commit 68708c4503018d61dbcce7ac11cbb511d6425f4d
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[YL: omit the change to INSTALL from original patch]
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ include/grub/compiler.h |  8 ++++++++
+ include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 45 insertions(+)
+ create mode 100644 include/grub/safemath.h
+
+diff --git a/include/grub/compiler.h b/include/grub/compiler.h
+index c9e1d7a..8f3be3a 100644
+--- a/include/grub/compiler.h
++++ b/include/grub/compiler.h
+@@ -48,4 +48,12 @@
+ #  define WARN_UNUSED_RESULT
+ #endif
+ 
++#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
++#  define CLANG_PREREQ(maj,min) \
++          ((__clang_major__ > (maj)) || \
++	   (__clang_major__ == (maj) && __clang_minor__ >= (min)))
++#else
++#  define CLANG_PREREQ(maj,min) 0
++#endif
++
+ #endif /* ! GRUB_COMPILER_HEADER */
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+new file mode 100644
+index 0000000..c17b89b
+--- /dev/null
++++ b/include/grub/safemath.h
+@@ -0,0 +1,37 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2020  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ *  Arithmetic operations that protect against overflow.
++ */
++
++#ifndef GRUB_SAFEMATH_H
++#define GRUB_SAFEMATH_H 1
++
++#include <grub/compiler.h>
++
++/* These appear in gcc 5.1 and clang 3.8. */
++#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
++
++#define grub_add(a, b, res)	__builtin_add_overflow(a, b, res)
++#define grub_sub(a, b, res)	__builtin_sub_overflow(a, b, res)
++#define grub_mul(a, b, res)	__builtin_mul_overflow(a, b, res)
++
++#else
++#error gcc 5.1 or newer or clang 3.8 or newer is required
++#endif
++
++#endif /* GRUB_SAFEMATH_H */
+-- 
+2.14.4
+

meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch

@@ -0,0 +1,37 @@
+From e219bad8cee67b2bb21712df8f055706f8da25d2 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 10 Jul 2020 11:21:14 +0100
+Subject: [PATCH 7/9] script: Remove unused fields from grub_script_function
+ struct
+
+Upstream-Status: Backport [commit 1a8d9c9b4ab6df7669b5aa36a56477f297825b96
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ include/grub/script_sh.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
+index 360c2be..b382bcf 100644
+--- a/include/grub/script_sh.h
++++ b/include/grub/script_sh.h
+@@ -359,13 +359,8 @@ struct grub_script_function
+   /* The script function.  */
+   struct grub_script *func;
+ 
+-  /* The flags.  */
+-  unsigned flags;
+-
+   /* The next element.  */
+   struct grub_script_function *next;
+-
+-  int references;
+ };
+ typedef struct grub_script_function *grub_script_function_t;
+ 
+-- 
+2.14.4
+

meta/recipes-bsp/grub/grub2.inc

@@ -18,6 +18,15 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://autogen.sh-exclude-pc.patch \
            file://grub-module-explicitly-keeps-symbole-.module_license.patch \
            file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
+           file://CVE-2020-10713.patch \
+           file://calloc-Make-sure-we-always-have-an-overflow-checking.patch \
+           file://lvm-Add-LVM-cache-logical-volume-handling.patch \
+           file://CVE-2020-14308-calloc-Use-calloc-at-most-places.patch \
+           file://safemath-Add-some-arithmetic-primitives-that-check-f.patch \
+           file://CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch \
+           file://script-Remove-unused-fields-from-grub_script_functio.patch \
+           file://CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
+           file://CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
 "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"

meta/recipes-bsp/v86d/v86d_0.1.10.bb

@@ -1,5 +1,5 @@
 SUMMARY = "User support binary for the uvesafb kernel module"
-HOMEPAGE = "http://dev.gentoo.org/~spock/projects/uvesafb/"
+HOMEPAGE = "https://tracker.debian.org/pkg/v86d"
 
 # the copyright info is at the bottom of README, expect break
 LICENSE = "GPLv2"

meta/recipes-connectivity/bind/bind_9.11.22.bb

@@ -1,5 +1,5 @@
 SUMMARY = "ISC Internet Domain Name Server"
-HOMEPAGE = "http://www.isc.org/sw/bind/"
+HOMEPAGE = "https://www.isc.org/bind/"
 SECTION = "console/network"
 
 LICENSE = "ISC & BSD"

meta/recipes-connectivity/bluez5/bluez5_5.55.bb

@@ -1,7 +1,7 @@
 require bluez5.inc
 
-SRC_URI[md5sum] = "e637feb2dbb7582bbbff1708367a847c"
-SRC_URI[sha256sum] = "68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc"
+SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
+SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support

meta/recipes-connectivity/iw/iw_5.4.bb

@@ -2,7 +2,7 @@ SUMMARY = "nl80211 based CLI configuration utility for wireless devices"
 DESCRIPTION = "iw is a new nl80211 based CLI configuration utility for \
 wireless devices. It supports almost all new drivers that have been added \
 to the kernel recently. "
-HOMEPAGE = "http://wireless.kernel.org/en/users/Documentation/iw"
+HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw"
 SECTION = "base"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"

meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service

@@ -6,3 +6,4 @@ RequiresMountsFor=/var /run
 ExecStart=@LIBEXECDIR@/sshd_check_keys
 Type=oneshot
 RemainAfterExit=yes
+Nice=10

meta/recipes-connectivity/openssh/openssh_8.2p1.bb

@@ -28,6 +28,10 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
 
+# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
+# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
+CVE_CHECK_WHITELIST += "CVE-2014-9278"
+
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd
@@ -43,12 +47,15 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
 
 inherit autotools-brokensep ptest
 
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "rng-tools"
 PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
 PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
 PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
 
+# Add RRECOMMENDS to rng-tools for sshd package
+PACKAGECONFIG[rng-tools] = ""
+
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
 # login path is hardcoded in sshd
@@ -150,7 +157,10 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
 
 RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
 RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
-RRECOMMENDS_${PN}-sshd_append_class-target = " rng-tools"
+RRECOMMENDS_${PN}-sshd_append_class-target = "\
+    ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
+"
+
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
 RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
 

meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key

@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF
+rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHAAAAqAoE27MKBN
+uzAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElHqJnGv81OpA30
+07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E
+cAAAAgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sAAAANcm9vdEBxZW11bWlw
+cwECAw==
+-----END OPENSSH PRIVATE KEY-----

meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElHqJnGv81OpA3007BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2Ec= root@qemupregen

meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbwAAAJChFtV0oRbV
+dAAAAAtzc2gtZWQyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbw
+AAAEA8UiUsygsTbP0HkDi5leXpQaVXihDyCHeitkBCItJGhcdIVMBsnc5N3WvUTwbkmV4K
+awkSlAeZ1Ma0xxirBZtvAAAADXJvb3RAcWVtdW1pcHM=
+-----END OPENSSH PRIVATE KEY-----

meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdIVMBsnc5N3WvUTwbkmV4KawkSlAeZ1Ma0xxirBZtv root@qemupregen

meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA2Q6dzF1xziCQCFq+e+Fv6w0607gNlyKnkhuoRq8G7/HEqXU2eEtC
+i3AMUrAP8k7s9kP5vI5CyfSgFuC9MxDV2YL2bsmvRxBSKgg6KbNxkoTaFBqyqHopuWQca8
+KRahvzt5dh9fsmeqamIwgMWKTSwtDHcsbyt84nmO2Z2ZrNXobgueMIj+HiJVgmWn86FQFL
+EoONAA+qb4SciPsxvmTlaQ/DMAh3llVo/IMLD9oyAyAI2kbHNnZttlYv5TmY7ICd3yCW8z
+PXrxNcEF3Qs1d68gVJxLjLKTlYGzJW2J+RwY+1DJZ0w4lozeQiZXTXVtzcJB0tm2DcvQMz
+kqyARmncSUwcPbEClEW6Y2xQnLeSHjexzlCCndiUbBTeG5iRl4OL6DN40iI9Lw2VROtj2Y
+59n9PCfaoUs08dsgJLaNrDbRHrCRLSdZJ6OQFiC/nAx/t4e4+wdUgNOqLyJqomdNdaLXPq
+tzr9ssrcY5j1DmmwKtzfTI5VM9LRQo+REIiUCNTFAAAFiFh232tYdt9rAAAAB3NzaC1yc2
+EAAAGBANkOncxdcc4gkAhavnvhb+sNOtO4DZcip5IbqEavBu/xxKl1NnhLQotwDFKwD/JO
+7PZD+byOQsn0oBbgvTMQ1dmC9m7Jr0cQUioIOimzcZKE2hQasqh6KblkHGvCkWob87eXYf
+X7JnqmpiMIDFik0sLQx3LG8rfOJ5jtmdmazV6G4LnjCI/h4iVYJlp/OhUBSxKDjQAPqm+E
+nIj7Mb5k5WkPwzAId5ZVaPyDCw/aMgMgCNpGxzZ2bbZWL+U5mOyAnd8glvMz168TXBBd0L
+NXevIFScS4yyk5WBsyVtifkcGPtQyWdMOJaM3kImV011bc3CQdLZtg3L0DM5KsgEZp3ElM
+HD2xApRFumNsUJy3kh43sc5Qgp3YlGwU3huYkZeDi+gzeNIiPS8NlUTrY9mOfZ/Twn2qFL
+NPHbICS2jaw20R6wkS0nWSejkBYgv5wMf7eHuPsHVIDTqi8iaqJnTXWi1z6rc6/bLK3GOY
+9Q5psCrc30yOVTPS0UKPkRCIlAjUxQAAAAMBAAEAAAGAGIj+bUtiwdoMbeVUAszIydkE/U
+mgv6S7LFjT/KlsL1M017LYJWDcdMaFnhMouksRngSxBg9OnWV5cxyURmFwytVy5bMGjRHb
+N8UWTgBqphU+UWdzKngkn0AhtkyYA1aFhgsml5d8EgEkZnFSc/KtoDfZU7AJX519/FtfOK
+m27Shx3pE7Nohh97avHyuidR1gTwdvuMIMke57g0BhrxPYmredaKCMZAHjjCeD6JbRcGj+
+ly3I9u8MF8BGSbLpBlLDUFCwP8G5CdmMua8bPJYhPSRqMLQhclI7hc6FaYk+gZV9B74Iv/
+SAxcCwI97dNbE0IAsbbWoUdoKGpAYQ5gOdhu5ioqZwKWjNjB3Xx48mq8xtmIR9HEnYzEnk
+b/tDWNRWrGkvNK7vpLvnbsSSKBqOAbMzmQdJxogTgjE5doSmu2/krIMR6KUcUox2ZrR8Ot
+JM6bXyNFBviiXmYvw/SZTDrVJu8BPMu5EMS5pBl8jPFBGI/ePk4qg7lWAJeQ89ThtBAAAA
+wQDEU4HjomWwJsn9UWdoodXTV5aPY9B1OPkmYnRPtsjSAcXgtBzUXMEOsmXODOK3aQjsE0
+jQKpWDAUcUf6KKZKRehxUN4MlwujCG9czn65S6B8BsP1YUfZQjpNyub8vDBfeKzlxKBEEM
+lb4iBT+LEGkihK13H5CbqRg1GDAThZzwrV4pj3S40zgyHhn8JjK4x4djEY6NwkWH8E2DgD
+8vYG/FKh5E/VIZtCgtAHa4QNAgGB4VMRn1VpSJzxjCxb1wancAAADBAPT7F34WYEI3Vc52
+p1U5rPa6dZtg5QM14V0+KtMlb3frd0/F+JVj4t6COQ8J9pkOuD0YjOYJuFXIWAAYIjCdWt
+cbTi/sSERawOWxrgSwJo2vjt5izrBQtr3N8tiB6KDGa5sdgJl5XzJ0SsdStfBbyhcJO4RV
+p9lc+X8OsUfFsClmyIs45vlxBRH06DP6/zmYCAmqvlrfZJKqlpKAEWDDObRy/3+mSNhZ0J
+BdmncASiASRlPPIoIHznyA1COUn6+TnwAAAMEA4tH89Dez2JauyPVeCyHAC680vrBKjmMx
+WYdpq2Xzd/LNl2L9oc0IEZzerLTuaCh6qsbbk2wWj1nrYXvefz/xUtDR427tvRXckcsWhP
+2HYohdYBkwTpp9QuscIV76GdwbTImuNEzvABH1hpTG6DSzqeyf/EVmSq07nptJIs5lpU49
+tW2aWraSvswHR9xfts1U79w9f4BNDy1rTmfuLERTRNF/T9CIFsk9tArLUNT64mhHtoEs8F
+9AyGuq6v49bN0bAAAADXJvb3RAcWVtdW1pcHMBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----

meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZDp3MXXHOIJAIWr574W/rDTrTuA2XIqeSG6hGrwbv8cSpdTZ4S0KLcAxSsA/yTuz2Q/m8jkLJ9KAW4L0zENXZgvZuya9HEFIqCDops3GShNoUGrKoeim5ZBxrwpFqG/O3l2H1+yZ6pqYjCAxYpNLC0MdyxvK3zieY7ZnZms1ehuC54wiP4eIlWCZafzoVAUsSg40AD6pvhJyI+zG+ZOVpD8MwCHeWVWj8gwsP2jIDIAjaRsc2dm22Vi/lOZjsgJ3fIJbzM9evE1wQXdCzV3ryBUnEuMspOVgbMlbYn5HBj7UMlnTDiWjN5CJldNdW3NwkHS2bYNy9AzOSrIBGadxJTBw9sQKURbpjbFCct5IeN7HOUIKd2JRsFN4bmJGXg4voM3jSIj0vDZVE62PZjn2f08J9qhSzTx2yAkto2sNtEesJEtJ1kno5AWIL+cDH+3h7j7B1SA06ovImqiZ011otc+q3Ov2yytxjmPUOabAq3N9MjlUz0tFCj5EQiJQI1MU= root@qemupregen

meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb

@@ -0,0 +1,19 @@
+SUMMARY = "Pre generated host keys mainly for speeding up our qemu tests"
+
+SRC_URI = "file://dropbear_rsa_host_key \
+           file://openssh"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+do_install () {
+	install -d ${D}${sysconfdir}/dropbear
+	install ${WORKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
+
+	install -d ${D}${sysconfdir}/ssh
+	install ${WORKDIR}/openssh/* ${D}${sysconfdir}/ssh/
+	chmod 0600 ${D}${sysconfdir}/ssh/*
+	chmod 0644 ${D}${sysconfdir}/ssh/*.pub
+}

meta/recipes-core/busybox/busybox.inc

@@ -5,10 +5,11 @@ BUGTRACKER = "https://bugs.busybox.net/"
 
 DEPENDS += "kern-tools-native virtual/crypt"
 
-# bzip2 applet in busybox is based on lightly-modified bzip2 source
+# bzip2 applet in busybox is based on lightly-modified bzip2-1.0.4 source
 # the GPL is version 2 only
-LICENSE = "GPLv2 & bzip2-1.0.6"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=de10de48642ab74318e893a61105afbb"
+LICENSE = "GPLv2 & bzip2-1.0.4"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=de10de48642ab74318e893a61105afbb \
+                    file://archival/libarchive/bz/LICENSE;md5=28e3301eae987e8cfe19988e98383dae"
 
 SECTION = "base"
 

meta/recipes-core/dropbear/dropbear/dropbearkey.service

@@ -11,3 +11,4 @@ Type=oneshot
 ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}
 ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key
 RemainAfterExit=yes
+Nice=10

meta/recipes-core/glib-2.0/glib-2.0/meson.cross.d/common-linux

@@ -2,4 +2,4 @@
 have_proc_self_cmdline = true
 
 [binaries]
-env = "/usr/bin/env"
+env = '/usr/bin/env'

meta/recipes-core/glib-2.0/glib-2.0/tzdata-update.patch

@@ -0,0 +1,458 @@
+Backport a number of patches from upstream to fix reading of the new 'slim'
+encoding for tzdata files.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+commit 18cbd5e5a4812e9bd0b06a058322d2b44ed2ad92
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Thu Jul 16 12:41:49 2020 -0700
+
+    Clarify memset in set_tz_name
+
+    * glib/gtimezone.c (set_tz_name): Use size, not NAME_SIZE,
+    to clear the buffer.  Suggested by Philip Withnall in:
+    https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1533#note_867859
+
+commit 1ab3f927d6d09a8cf3349a3545f5351446f43d47
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Thu Jul 16 12:41:49 2020 -0700
+
+    gtimezone: support footers in TZif files
+
+    Since tzcode95f (1995), TZif files have had a trailing
+    TZ string, used for timestamps after the last transition.
+    This string is specified in Internet RFC 8536 section 3.3.
+    init_zone_from_iana_info has ignored this string, causing it
+    to mishandle timestamps past the year 2038.  With zic's new -b
+    slim flag, init_zone_from_iana_info would even mishandle current
+    timestamps.  Fix this by parsing the trailing TZ string and adding
+    its transitions.
+
+    Closes #2129
+
+commit e8b763e35235a2c6b4bdd48a5099c00f72741059
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Thu Jul 16 12:41:49 2020 -0700
+
+    gtimezone: add support for RFC 8536 time zone transitions
+
+    Time zone transition times can range from -167:59:59 through
+    +167:59:59, according to Internet RFC 8536 section 3.3.1;
+    this is an extension to POSIX.  It is needed for proper
+    support of TZif version 3 files.
+
+commit 1c65dd48b8ebd31af8bc9b2263f83c0c411f7519
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Thu Jul 16 12:41:49 2020 -0700
+
+    gtimezone: allow hh to be 24, as per POSIX
+
+    POSIX allows hh to be 24; see
+    https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
+
+commit 368b65cb4cb17e29a4f55654149f554a14f48bc6
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Thu Jul 16 12:41:49 2020 -0700
+
+    gtimezone: support POSIX 1003.1-2001 quoted TZ abbreviations
+
+    TZ strings like '<-03>3' were introduced in POSIX 1003.1-2001 and
+    are currently specified in:
+    https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
+
+commit fd528aaab6bb077c6d217e62f2228ec9fe3ed760
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Thu Jul 16 12:41:49 2020 -0700
+
+    gtimezone: get 64-bit data from version-3 TZif files
+
+    Version 3 was introduced in tzdb 2013e (2013).
+    See Internet RFC 8536 section 3.1 under "ver(sion)".
+
+diff --git a/glib/gtimezone.c b/glib/gtimezone.c
+index 5a835dea9..f9eee1967 100644
+--- a/glib/gtimezone.c
++++ b/glib/gtimezone.c
+@@ -142,9 +142,7 @@ typedef struct
+   gint     mday;
+   gint     wday;
+   gint     week;
+-  gint     hour;
+-  gint     min;
+-  gint     sec;
++  gint32   offset;  /* hour*3600 + min*60 + sec; can be negative.  */
+ } TimeZoneDate;
+ 
+ /* POSIX Timezone abbreviations are typically 3 or 4 characters, but
+@@ -205,6 +203,10 @@ static GTimeZone *tz_local = NULL;
+                            there's no point in getting carried
+                            away. */
+ 
++#ifdef G_OS_UNIX
++static GTimeZone *parse_footertz (const gchar *, size_t);
++#endif
++
+ /**
+  * g_time_zone_unref:
+  * @tz: a #GTimeZone
+@@ -286,13 +288,20 @@ g_time_zone_ref (GTimeZone *tz)
+ /* fake zoneinfo creation (for RFC3339/ISO 8601 timezones) {{{1 */
+ /*
+  * parses strings of the form h or hh[[:]mm[[[:]ss]]] where:
+- *  - h[h] is 0 to 23
++ *  - h[h] is 0 to 24
+  *  - mm is 00 to 59
+  *  - ss is 00 to 59
++ * If RFC8536, TIME_ is a transition time sans sign,
++ * so colons are required before mm and ss, and hh can be up to 167.
++ * See Internet RFC 8536 section 3.3.1:
++ * https://tools.ietf.org/html/rfc8536#section-3.3.1
++ * and POSIX Base Definitions 8.3 TZ rule time:
++ * https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
+  */
+ static gboolean
+ parse_time (const gchar *time_,
+-            gint32      *offset)
++            gint32      *offset,
++            gboolean    rfc8536)
+ {
+   if (*time_ < '0' || '9' < *time_)
+     return FALSE;
+@@ -310,7 +319,20 @@ parse_time (const gchar *time_,
+       *offset *= 10;
+       *offset += 60 * 60 * (*time_++ - '0');
+ 
+-      if (*offset > 23 * 60 * 60)
++      if (rfc8536)
++        {
++          /* Internet RFC 8536 section 3.3.1 and POSIX 8.3 TZ together say
++             that a transition time must be of the form [+-]hh[:mm[:ss]] where
++             the hours part can range from -167 to 167.  */
++          if ('0' <= *time_ && *time_ <= '9')
++            {
++              *offset *= 10;
++              *offset += 60 * 60 * (*time_++ - '0');
++            }
++          if (*offset > 167 * 60 * 60)
++            return FALSE;
++        }
++      else if (*offset > 24 * 60 * 60)
+         return FALSE;
+ 
+       if (*time_ == '\0')
+@@ -319,6 +341,8 @@ parse_time (const gchar *time_,
+ 
+   if (*time_ == ':')
+     time_++;
++  else if (rfc8536)
++    return FALSE;
+ 
+   if (*time_ < '0' || '5' < *time_)
+     return FALSE;
+@@ -335,6 +359,8 @@ parse_time (const gchar *time_,
+ 
+   if (*time_ == ':')
+     time_++;
++  else if (rfc8536)
++    return FALSE;
+ 
+   if (*time_ < '0' || '5' < *time_)
+     return FALSE;
+@@ -351,28 +377,32 @@ parse_time (const gchar *time_,
+ 
+ static gboolean
+ parse_constant_offset (const gchar *name,
+-                       gint32      *offset)
++                       gint32      *offset,
++                       gboolean    rfc8536)
+ {
+-  if (g_strcmp0 (name, "UTC") == 0)
++  /* Internet RFC 8536 section 3.3.1 and POSIX 8.3 TZ together say
++     that a transition time must be numeric.  */
++  if (!rfc8536 && g_strcmp0 (name, "UTC") == 0)
+     {
+       *offset = 0;
+       return TRUE;
+     }
+ 
+   if (*name >= '0' && '9' >= *name)
+-    return parse_time (name, offset);
++    return parse_time (name, offset, rfc8536);
+ 
+   switch (*name++)
+     {
+     case 'Z':
+       *offset = 0;
+-      return !*name;
++      /* Internet RFC 8536 section 3.3.1 requires a numeric zone.  */
++      return !rfc8536 && !*name;
+ 
+     case '+':
+-      return parse_time (name, offset);
++      return parse_time (name, offset, rfc8536);
+ 
+     case '-':
+-      if (parse_time (name, offset))
++      if (parse_time (name, offset, rfc8536))
+         {
+           *offset = -*offset;
+           return TRUE;
+@@ -391,7 +421,7 @@ zone_for_constant_offset (GTimeZone *gtz, const gchar *name)
+   gint32 offset;
+   TransitionInfo info;
+ 
+-  if (name == NULL || !parse_constant_offset (name, &offset))
++  if (name == NULL || !parse_constant_offset (name, &offset, FALSE))
+     return;
+ 
+   info.gmt_offset = offset;
+@@ -529,12 +559,17 @@ init_zone_from_iana_info (GTimeZone *gtz,
+   guint8 *tz_transitions, *tz_type_index, *tz_ttinfo;
+   guint8 *tz_abbrs;
+   gsize timesize = sizeof (gint32);
+-  const struct tzhead *header = g_bytes_get_data (zoneinfo, &size);
++  gconstpointer header_data = g_bytes_get_data (zoneinfo, &size);
++  const gchar *data = header_data;
++  const struct tzhead *header = header_data;
++  GTimeZone *footertz = NULL;
++  guint extra_time_count = 0, extra_type_count = 0;
++  gint64 last_explicit_transition_time;
+ 
+   g_return_if_fail (size >= sizeof (struct tzhead) &&
+                     memcmp (header, "TZif", 4) == 0);
+ 
+-  if (header->tzh_version == '2')
++  if (header->tzh_version >= '2')
+       {
+         /* Skip ahead to the newer 64-bit data if it's available. */
+         header = (const struct tzhead *)
+@@ -550,6 +585,30 @@ init_zone_from_iana_info (GTimeZone *gtz,
+   time_count = guint32_from_be(header->tzh_timecnt);
+   type_count = guint32_from_be(header->tzh_typecnt);
+ 
++  if (header->tzh_version >= '2')
++    {
++      const gchar *footer = (((const gchar *) (header + 1))
++                             + guint32_from_be(header->tzh_ttisgmtcnt)
++                             + guint32_from_be(header->tzh_ttisstdcnt)
++                             + 12 * guint32_from_be(header->tzh_leapcnt)
++                             + 9 * time_count
++                             + 6 * type_count
++                             + guint32_from_be(header->tzh_charcnt));
++      const gchar *footerlast;
++      size_t footerlen;
++      g_return_if_fail (footer <= data + size - 2 && footer[0] == '\n');
++      footerlast = memchr (footer + 1, '\n', data + size - (footer + 1));
++      g_return_if_fail (footerlast);
++      footerlen = footerlast + 1 - footer;
++      if (footerlen != 2)
++        {
++          footertz = parse_footertz (footer, footerlen);
++          g_return_if_fail (footertz);
++          extra_type_count = footertz->t_info->len;
++          extra_time_count = footertz->transitions->len;
++        }
++    }
++
+   tz_transitions = ((guint8 *) (header) + sizeof (*header));
+   tz_type_index = tz_transitions + timesize * time_count;
+   tz_ttinfo = tz_type_index + time_count;
+@@ -557,9 +616,9 @@ init_zone_from_iana_info (GTimeZone *gtz,
+ 
+   gtz->name = g_steal_pointer (&identifier);
+   gtz->t_info = g_array_sized_new (FALSE, TRUE, sizeof (TransitionInfo),
+-                                   type_count);
++                                   type_count + extra_type_count);
+   gtz->transitions = g_array_sized_new (FALSE, TRUE, sizeof (Transition),
+-                                        time_count);
++                                        time_count + extra_time_count);
+ 
+   for (index = 0; index < type_count; index++)
+     {
+@@ -574,15 +633,50 @@ init_zone_from_iana_info (GTimeZone *gtz,
+   for (index = 0; index < time_count; index++)
+     {
+       Transition trans;
+-      if (header->tzh_version == '2')
++      if (header->tzh_version >= '2')
+         trans.time = gint64_from_be (((gint64_be*)tz_transitions)[index]);
+       else
+         trans.time = gint32_from_be (((gint32_be*)tz_transitions)[index]);
++      last_explicit_transition_time = trans.time;
+       trans.info_index = tz_type_index[index];
+       g_assert (trans.info_index >= 0);
+       g_assert ((guint) trans.info_index < gtz->t_info->len);
+       g_array_append_val (gtz->transitions, trans);
+     }
++
++  if (footertz)
++    {
++      /* Append footer time types.  Don't bother to coalesce
++         duplicates with existing time types.  */
++      for (index = 0; index < extra_type_count; index++)
++        {
++          TransitionInfo t_info;
++          TransitionInfo *footer_t_info
++            = &g_array_index (footertz->t_info, TransitionInfo, index);
++          t_info.gmt_offset = footer_t_info->gmt_offset;
++          t_info.is_dst = footer_t_info->is_dst;
++          t_info.abbrev = g_steal_pointer (&footer_t_info->abbrev);
++          g_array_append_val (gtz->t_info, t_info);
++        }
++
++      /* Append footer transitions that follow the last explicit
++         transition.  */
++      for (index = 0; index < extra_time_count; index++)
++        {
++          Transition *footer_transition
++            = &g_array_index (footertz->transitions, Transition, index);
++          if (time_count <= 0
++              || last_explicit_transition_time < footer_transition->time)
++            {
++              Transition trans;
++              trans.time = footer_transition->time;
++              trans.info_index = type_count + footer_transition->info_index;
++              g_array_append_val (gtz->transitions, trans);
++            }
++        }
++
++      g_time_zone_unref (footertz);
++    }
+ }
+ 
+ #elif defined (G_OS_WIN32)
+@@ -590,9 +684,8 @@ init_zone_from_iana_info (GTimeZone *gtz,
+ static void
+ copy_windows_systemtime (SYSTEMTIME *s_time, TimeZoneDate *tzdate)
+ {
+-  tzdate->sec = s_time->wSecond;
+-  tzdate->min = s_time->wMinute;
+-  tzdate->hour = s_time->wHour;
++  tzdate->offset
++    = s_time->wHour * 3600 + s_time->wMinute * 60 + s_time->wSecond;
+   tzdate->mon = s_time->wMonth;
+   tzdate->year = s_time->wYear;
+   tzdate->wday = s_time->wDayOfWeek ? s_time->wDayOfWeek : 7;
+@@ -979,7 +1072,7 @@ boundary_for_year (TimeZoneDate *boundary,
+   g_date_clear (&date, 1);
+   g_date_set_dmy (&date, buffer.mday, buffer.mon, buffer.year);
+   return ((g_date_get_julian (&date) - unix_epoch_start) * seconds_per_day +
+-          buffer.hour * 3600 + buffer.min * 60 + buffer.sec - offset);
++          buffer.offset - offset);
+ }
+ 
+ static void
+@@ -1156,7 +1249,7 @@ init_zone_from_rules (GTimeZone    *gtz,
+  * - N is 0 to 365
+  *
+  * time is either h or hh[[:]mm[[[:]ss]]]
+- *  - h[h] is 0 to 23
++ *  - h[h] is 0 to 24
+  *  - mm is 00 to 59
+  *  - ss is 00 to 59
+  */
+@@ -1289,25 +1382,10 @@ parse_tz_boundary (const gchar  *identifier,
+   /* Time */
+ 
+   if (*pos == '/')
+-    {
+-      gint32 offset;
+-
+-      if (!parse_time (++pos, &offset))
+-        return FALSE;
+-
+-      boundary->hour = offset / 3600;
+-      boundary->min = (offset / 60) % 60;
+-      boundary->sec = offset % 3600;
+-
+-      return TRUE;
+-    }
+-
++    return parse_constant_offset (pos + 1, &boundary->offset, TRUE);
+   else
+     {
+-      boundary->hour = 2;
+-      boundary->min = 0;
+-      boundary->sec = 0;
+-
++      boundary->offset = 2 * 60 * 60;
+       return *pos == '\0';
+     }
+ }
+@@ -1341,7 +1419,7 @@ parse_offset (gchar **pos, gint32 *target)
+     ++(*pos);
+ 
+   buffer = g_strndup (target_pos, *pos - target_pos);
+-  ret = parse_constant_offset (buffer, target);
++  ret = parse_constant_offset (buffer, target, FALSE);
+   g_free (buffer);
+ 
+   return ret;
+@@ -1366,21 +1444,32 @@ parse_identifier_boundary (gchar **pos, TimeZoneDate *target)
+ static gboolean
+ set_tz_name (gchar **pos, gchar *buffer, guint size)
+ {
++  gboolean quoted = **pos == '<';
+   gchar *name_pos = *pos;
+   guint len;
+ 
+-  /* Name is ASCII alpha (Is this necessarily true?) */
+-  while (g_ascii_isalpha (**pos))
+-    ++(*pos);
++  if (quoted)
++    {
++      name_pos++;
++      do
++        ++(*pos);
++      while (g_ascii_isalnum (**pos) || **pos == '-' || **pos == '+');
++      if (**pos != '>')
++        return FALSE;
++    }
++  else
++    while (g_ascii_isalpha (**pos))
++      ++(*pos);
+ 
+-  /* Name should be three or more alphabetic characters */
++  /* Name should be three or more characters */
+   if (*pos - name_pos < 3)
+     return FALSE;
+ 
+-  memset (buffer, 0, NAME_SIZE);
++  memset (buffer, 0, size);
+   /* name_pos isn't 0-terminated, so we have to limit the length expressly */
+   len = *pos - name_pos > size - 1 ? size - 1 : *pos - name_pos;
+   strncpy (buffer, name_pos, len);
++  *pos += quoted;
+   return TRUE;
+ }
+ 
+@@ -1483,6 +1572,28 @@ rules_from_identifier (const gchar   *identifier,
+   return create_ruleset_from_rule (rules, &tzr);
+ }
+ 
++#ifdef G_OS_UNIX
++static GTimeZone *
++parse_footertz (const gchar *footer, size_t footerlen)
++{
++  gchar *tzstring = g_strndup (footer + 1, footerlen - 2);
++  GTimeZone *footertz = NULL;
++  gchar *ident;
++  TimeZoneRule *rules;
++  guint rules_num = rules_from_identifier (tzstring, &ident, &rules);
++  g_free (ident);
++  g_free (tzstring);
++  if (rules_num > 1)
++    {
++      footertz = g_slice_new0 (GTimeZone);
++      init_zone_from_rules (footertz, rules, rules_num, NULL);
++      footertz->ref_count++;
++    }
++  g_free (rules);
++  return footertz;
++}
++#endif
++
+ /* Construction {{{1 */
+ /**
+  * g_time_zone_new:

meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb

@@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
            file://0001-meson-Run-atomics-test-on-clang-as-well.patch \
            file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
+           file://tzdata-update.patch \
            "
 
 SRC_URI_append_class-native = " file://relocate-modules.patch"

meta/recipes-core/glibc/glibc-package.inc

@@ -192,7 +192,6 @@ do_stash_locale () {
 	fi
 
 	cp -fpPR ${D}${datadir}/* $dest${datadir}
-	rm -rf ${D}${datadir}/locale/
 	cp -fpPR ${WORKDIR}/SUPPORTED $dest
 
 	target=$dest/scripts

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk"
 
 inherit core-image module-base setuptools3
 
-SRCREV ?= "5ad59495782e8dbcb2b9d18e27ca4bde131465b4"
+SRCREV ?= "235dff82276a8a2ff4d0ee1cf93243925537551c"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=dunfell \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/meta/buildtools-tarball.bb

@@ -10,6 +10,7 @@ TOOLCHAIN_HOST_TASK ?= "\
     nativesdk-python3-modules \
     nativesdk-python3-misc \
     nativesdk-python3-git \
+    nativesdk-python3-jinja2 \
     nativesdk-python3-testtools \
     nativesdk-python3-subunit \
     nativesdk-ncurses-terminfo-base \
@@ -66,16 +67,22 @@ create_sdk_files_append () {
 	script=${1:-${SDK_OUTPUT}/${SDKPATH}/environment-setup-${SDK_SYS}}
 	touch $script
 	echo 'export PATH=${SDKPATHNATIVE}${bindir_nativesdk}:$PATH' >> $script
-	# In order for the self-extraction script to correctly extract and set up things,
-	# we need a 'OECORE_NATIVE_SYSROOT=xxx' line in environment setup script.
-	# However, buildtools-tarball is inherently a tool set instead of a fully functional SDK,
-	# so instead of exporting the variable, we use a comment here.
-	echo '#OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script
-	toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
-
+	echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script
 	echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
 	echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
-	echo 'export OPENSSL_CONF="${SDKPATHNATIVE}${sysconfdir}/ssl/openssl.cnf"' >>$script
+
+	toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
+
+	cat >> $script <<EOF
+if [ -d "\$OECORE_NATIVE_SYSROOT/environment-setup.d" ]; then
+	for envfile in \$OECORE_NATIVE_SYSROOT/environment-setup.d/*.sh; do
+		. \$envfile
+	done
+fi
+# We have to unset this else it can confuse oe-selftest and other tools
+# which may also use the overlapping namespace.
+unset OECORE_NATIVE_SYSROOT
+EOF
 
 	mkdir -p ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/
 	echo '${SDKPATHNATIVE}${libdir}

meta/recipes-core/meta/cve-update-db-native.bb

@@ -13,15 +13,8 @@ deltask do_install
 deltask do_populate_sysroot
 
 python () {
-    cve_check_db_file = d.getVar("CVE_CHECK_DB_FILE")
-    if not cve_check_db_file:
+    if not bb.data.inherits_class("cve-check", d):
         raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
-
-    if os.path.exists("%s-journal" % cve_check_db_file ):
-        os.remove("%s-journal" % cve_check_db_file)
-
-        if os.path.exists(cve_check_db_file):
-            os.remove(cve_check_db_file)
 }
 
 python do_populate_cve_db() {
@@ -40,7 +33,14 @@ python do_populate_cve_db() {
 
     db_file = d.getVar("CVE_CHECK_DB_FILE")
     db_dir = os.path.dirname(db_file)
-    json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
+
+    if os.path.exists("{0}-journal".format(db_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_file))
+
+        if os.path.exists(db_file):
+            os.remove(db_file)
 
     # Don't refresh the database more than once an hour
     try:

meta/recipes-core/netbase/netbase_6.1.bb

@@ -4,12 +4,13 @@ HOMEPAGE = "http://packages.debian.org/netbase"
 SECTION = "base"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://debian/copyright;md5=3dd6192d306f582dee7687da3d8748ab"
-PE = "1"
+PE = "2"
 
-SRC_URI = "${DEBIAN_MIRROR}/main/n/${BPN}/${BPN}_${PV}.tar.xz"
+SRC_URI = "${DEBIAN_MIRROR}/main/n/${BPN}/${BPN}_${PV}~bpo10+1.tar.xz"
+S = "${WORKDIR}/${BPN}-${PV}~bpo10+1"
 
-SRC_URI[md5sum] = "e5871a3a5c8390557b8033cf19316a55"
-SRC_URI[sha256sum] = "084d743bd84d4d9380bac4c71c51e57406dce44f5a69289bb823c903e9b035d8"
+SRC_URI[md5sum] = "4fa7517285b4045ac0dc8dbf6730dd7a"
+SRC_URI[sha256sum] = "4e9c3082dff8896cb6b6bea9bb2200d82fb0d7c8d8c8fc9b18704fe553316237"
 
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netbase/"
 do_install () {

meta/recipes-core/packagegroups/packagegroup-core-tools-debug.bb

@@ -13,9 +13,12 @@ PR = "r3"
 MTRACE = ""
 MTRACE_libc-glibc = "libc-mtrace"
 
+STRACE = "strace"
+STRACE_riscv32 = ""
+
 RDEPENDS_${PN} = "\
     gdb \
     gdbserver \
-    strace \
     ${MTRACE} \
+    ${STRACE} \
     "

meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb

@@ -28,6 +28,7 @@ PROFILETOOLS = "\
     "
 PERF = "perf"
 PERF_libc-musl = ""
+PERF_libc-musl_arm = "perf"
 
 # systemtap needs elfutils which is not fully buildable on some arches/libcs
 SYSTEMTAP = "systemtap"
@@ -41,6 +42,7 @@ LTTNGUST_arc = ""
 
 LTTNGTOOLS = "lttng-tools"
 LTTNGTOOLS_arc = ""
+LTTNGTOOLS_riscv32_libc-musl = ""
 
 LTTNGMODULES = "lttng-modules"
 LTTNGMODULES_arc = ""

meta/recipes-core/readline/readline.inc

@@ -4,7 +4,7 @@ command lines as they are typed in. Both Emacs and vi editing modes are availabl
 additional functions to maintain a list of previously-entered command lines, to recall and perhaps reedit those   \
 lines, and perform csh-like history expansion on previous commands."
 SECTION = "libs"
-HOMEPAGE = "https://cnswww.cns.cwru.edu/php/chet/readline/rltop.html"
+HOMEPAGE = "https://tiswww.case.edu/php/chet/readline/rltop.html"
 
 # GPLv2+ (< 6.0), GPLv3+ (>= 6.0)
 LICENSE = "GPLv3+"

meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch

@@ -0,0 +1,30 @@
+From 0335d110afc08baf47d76b7011ce02510dfdd524 Mon Sep 17 00:00:00 2001
+From: Valery0xff <valery.chernous@gmail.com>
+Date: Wed, 11 Mar 2020 02:20:36 +0200
+Subject: [PATCH] udev: fix SECLABEL{selinux} issue (#15064)
+
+Add SECLABEL{selinux}="some value" cause udevadm crash
+systemd-udevd[x]: Worker [x] terminated by signal 11 (SEGV)
+ 
+It happens since 25de7aa7b90 (Yu Watanabe 2019-04-25 01:21:11 +0200)
+when udev rules processing changed to token model. Yu forgot store
+attr to SECLABEL token so fix it.
+---
+ src/udev/udev-rules.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/0335d110afc08baf47d76b7011ce02510dfdd524.patch]
+---
+diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
+index b9b350d1ef..b990f68e93 100644
+--- a/src/udev/udev-rules.c
++++ b/src/udev/udev-rules.c
+@@ -921,7 +921,7 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp
+                         op = OP_ASSIGN;
+                 }
+ 
+-                r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, NULL);
++                r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, attr);
+         } else if (streq(key, "RUN")) {
+                 if (is_match || op == OP_REMOVE)
+                         return log_token_invalid_op(rules, key);

meta/recipes-core/systemd/systemd_244.3.bb

@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
            file://CVE-2020-13776.patch \
+           file://systemd-udev-seclabel-options-crash-fix.patch \
            "
 
 # patches needed by musl

meta/recipes-core/sysvinit/sysvinit/rc

@@ -26,11 +26,8 @@ startup_progress() {
         progress=$progress_size
     fi
     #echo "PROGRESS is $progress $runlevel $first_step + ($step of $num_steps) $step_change $progress_size"
-    #if type psplash-write >/dev/null 2>&1; then
-    #    TMPDIR=/mnt/.psplash psplash-write "PROGRESS $progress" || true
-    #fi
-    if [ -e /mnt/.psplash/psplash_fifo ]; then
-        echo "PROGRESS $progress" > /mnt/.psplash/psplash_fifo
+    if type psplash-write >/dev/null 2>&1; then
+        PSPLASH_FIFO_DIR=/mnt/.psplash psplash-write "PROGRESS $progress" || true
     fi
 }
 
@@ -176,7 +173,7 @@ startup() {
 #Uncomment to cause psplash to exit manually, otherwise it exits when it sees a VC switch
 if [ "x$runlevel" != "xS" ] && [ ! -x /etc/rc${runlevel}.d/S??xserver-nodm ]; then
     if type psplash-write >/dev/null 2>&1; then
-        TMPDIR=/mnt/.psplash psplash-write "QUIT" || true
+        PSPLASH_FIFO_DIR=/mnt/.psplash psplash-write "QUIT" || true
     	umount -l /mnt/.psplash
     fi
 fi

meta/recipes-core/util-linux/util-linux.inc

@@ -1,5 +1,5 @@
 SUMMARY = "A suite of basic system administration utilities"
-HOMEPAGE = "http://userweb.kernel.org/~kzak/util-linux/"
+HOMEPAGE = "https://en.wikipedia.org/wiki/Util-linux"
 DESCRIPTION = "Util-linux includes a suite of basic system administration utilities \
 commonly found on most Linux systems.  Some of the more important utilities include \
 disk partitioning, kernel message management, filesystem creation, and system login."
@@ -113,7 +113,7 @@ EXTRA_OECONF_append = " --disable-hwclock-gplv3"
 #
 PACKAGECONFIG ?= "pcre2"
 PACKAGECONFIG_class-target ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
-# inherit manpages requires this to be present, however util-linux does not have 
+# inherit manpages requires this to be present, however util-linux does not have
 # configuration options, and installs manpages always
 PACKAGECONFIG[manpages] = ""
 PACKAGECONFIG[pam] = "--enable-su --enable-runuser,--disable-su --disable-runuser, libpam,"

meta/recipes-devtools/binutils/binutils-2.34.inc

@@ -43,5 +43,6 @@ SRC_URI = "\
      file://0016-Check-for-clang-before-checking-gcc-version.patch \
      file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
      file://CVE-2020-0551.patch \
+     file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
 "
 S  = "${WORKDIR}/git"

meta/recipes-devtools/binutils/binutils/0001-gas-improve-reproducibility-for-stabs-debugging-data.patch

@@ -0,0 +1,32 @@
+From 96882eb9263b6b1c953e33a6764a83f4a87a9a41 Mon Sep 17 00:00:00 2001
+From: Denys Zagorui <dzagorui@cisco.com>
+Date: Mon, 9 Nov 2020 15:39:10 +0000
+Subject: [PATCH] gas: improve reproducibility for stabs debugging data format
+
+	* config/obj-elf (obj_elf_init_stab_section): Improve
+	reproducibility for stabs debugging data format
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0541201782c006c09d029d18a45c6e743cfea906]
+---
+ gas/config/obj-elf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gas/config/obj-elf.c b/gas/config/obj-elf.c
+index 7cf921c051..92b55e06c2 100644
+--- a/gas/config/obj-elf.c
++++ b/gas/config/obj-elf.c
+@@ -2186,12 +2186,13 @@ obj_elf_init_stab_section (segT seg)
+   p = frag_more (12);
+   /* Zero it out.  */
+   memset (p, 0, 12);
+-  file = as_where (NULL);
++  file = remap_debug_filename (as_where (NULL));
+   stabstr_name = concat (segment_name (seg), "str", (char *) NULL);
+   stroff = get_stab_string_offset (file, stabstr_name, TRUE);
+   know (stroff == 1 || (stroff == 0 && file[0] == '\0'));
+   md_number_to_chars (p, stroff, 4);
+   seg_info (seg)->stabu.p = p;
++  xfree ((char *) file);
+ }
+ 
+ #endif

meta/recipes-devtools/bison/bison_3.5.4.bb

@@ -14,7 +14,7 @@ SRC_URI = "${GNU_MIRROR}/bison/bison-${PV}.tar.xz \
            file://add-with-bisonlocaledir.patch \
            file://0001-bison-fix-the-parallel-build.patch \
 "
-SRC_URI[sha256sum] = "2bf85b5f88a5f2fa8069aed2a2dfc3a9f8d15a97e59c713e3906e5fdd982a7c4"
+SRC_URI[sha256sum] = "4c17e99881978fa32c05933c5262457fa5b2b611668454f8dc2a695cd6b3720c"
 
 # No point in hardcoding path to m4, just use PATH
 EXTRA_OECONF += "M4=m4"

meta/recipes-devtools/chrpath/chrpath_0.16.bb

@@ -2,8 +2,7 @@ SUMMARY = "Tool to edit rpath in ELF binaries"
 DESCRIPTION = "chrpath allows you to change the rpath (where the \
 application looks for libraries) in an application. It does not \
 (yet) allow you to add an rpath if there isn't one already."
-HOMEPAGE = "http://alioth.debian.org/projects/chrpath/"
-BUGTRACKER = "http://alioth.debian.org/tracker/?atid=412807&group_id=31052"
+HOMEPAGE = "https://tracker.debian.org/pkg/chrpath"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"
 

meta/recipes-devtools/diffstat/diffstat_1.63.bb

@@ -27,3 +27,5 @@ LDFLAGS += "${TOOLCHAIN_OPTIONS}"
 do_install_ptest() {
 	cp -r ${S}/testing ${D}${PTEST_PATH}
 }
+
+BBCLASSEXTEND = "nativesdk"

meta/recipes-devtools/dosfstools/dosfstools_4.1.bb

@@ -16,7 +16,7 @@ SRC_URI[sha256sum] = "e6b2aca70ccc3fe3687365009dd94a2e18e82b688ed4e260e04b741247
 
 UPSTREAM_CHECK_URI = "https://github.com/dosfstools/dosfstools/releases"
 
-inherit autotools pkgconfig
+inherit autotools pkgconfig update-alternatives
 
 EXTRA_OECONF = "--without-udev --enable-compat-symlinks"
 
@@ -26,3 +26,7 @@ BBCLASSEXTEND = "native"
 
 # Add codepage437 to avoid error from `dosfsck -l`
 RRECOMMENDS_${PN}_append_libc-glibc = " glibc-gconv-ibm437"
+
+ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_${PN} = "mkfs.vfat"
+ALTERNATIVE_LINK_NAME[mkfs.vfat] = "${sbindir}/mkfs.vfat"

meta/recipes-devtools/gcc/gcc-9.3.inc

@@ -69,6 +69,9 @@ SRC_URI = "\
            file://0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch \
            file://0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch \
            file://0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch \
+           file://0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch \
+           file://0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch \
+           file://0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch \
 "
 S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
 SRC_URI[sha256sum] = "71e197867611f6054aa1119b13a0c0abac12834765fe2d81f35ac57f84f742d1"

meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch

@@ -0,0 +1,204 @@
+CVE: CVE-2020-13844
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 20da13e395bde597d8337167c712039c8f923c3b Mon Sep 17 00:00:00 2001
+From: Matthew Malcomson <matthew.malcomson@arm.com>
+Date: Thu, 9 Jul 2020 09:11:58 +0100
+Subject: [PATCH 1/3] aarch64: New Straight Line Speculation (SLS) mitigation
+ flags
+
+Here we introduce the flags that will be used for straight line speculation.
+
+The new flag introduced is `-mharden-sls=`.
+This flag can take arguments of `none`, `all`, or a comma seperated list
+of one or more of `retbr` or `blr`.
+`none` indicates no special mitigation of the straight line speculation
+vulnerability.
+`all` requests all mitigations currently implemented.
+`retbr` requests that the RET and BR instructions have a speculation
+barrier inserted after them.
+`blr` requests that BLR instructions are replaced by a BL to a function
+stub using a BR with a speculation barrier after it.
+
+Setting this on a per-function basis using attributes or the like is not
+enabled, but may be in the future.
+
+(cherry picked from commit a9ba2a9b77bec7eacaf066801f22d1c366a2bc86)
+
+gcc/ChangeLog:
+
+2020-06-02  Matthew Malcomson  <matthew.malcomson@arm.com>
+
+	* config/aarch64/aarch64-protos.h (aarch64_harden_sls_retbr_p):
+	New.
+	(aarch64_harden_sls_blr_p): New.
+	* config/aarch64/aarch64.c (enum aarch64_sls_hardening_type):
+	New.
+	(aarch64_harden_sls_retbr_p): New.
+	(aarch64_harden_sls_blr_p): New.
+	(aarch64_validate_sls_mitigation): New.
+	(aarch64_override_options): Parse options for SLS mitigation.
+	* config/aarch64/aarch64.opt (-mharden-sls): New option.
+	* doc/invoke.texi: Document new option.
+---
+ gcc/config/aarch64/aarch64-protos.h |  3 ++
+ gcc/config/aarch64/aarch64.c        | 76 +++++++++++++++++++++++++++++
+ gcc/config/aarch64/aarch64.opt      |  4 ++
+ gcc/doc/invoke.texi                 | 12 +++++
+ 4 files changed, 95 insertions(+)
+
+diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
+index c083cad53..31493f412 100644
+--- a/gcc/config/aarch64/aarch64-protos.h
++++ b/gcc/config/aarch64/aarch64-protos.h
+@@ -644,4 +644,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
+ 
+ bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
+ 
++extern bool aarch64_harden_sls_retbr_p (void);
++extern bool aarch64_harden_sls_blr_p (void);
++
+ #endif /* GCC_AARCH64_PROTOS_H */
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index b452a53af..269ff6c92 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -11734,6 +11734,79 @@ aarch64_validate_mcpu (const char *str, const struct processor **res,
+   return false;
+ }
+ 
++/* Straight line speculation indicators.  */
++enum aarch64_sls_hardening_type
++{
++  SLS_NONE = 0,
++  SLS_RETBR = 1,
++  SLS_BLR = 2,
++  SLS_ALL = 3,
++};
++static enum aarch64_sls_hardening_type aarch64_sls_hardening;
++
++/* Return whether we should mitigatate Straight Line Speculation for the RET
++   and BR instructions.  */
++bool
++aarch64_harden_sls_retbr_p (void)
++{
++  return aarch64_sls_hardening & SLS_RETBR;
++}
++
++/* Return whether we should mitigatate Straight Line Speculation for the BLR
++   instruction.  */
++bool
++aarch64_harden_sls_blr_p (void)
++{
++  return aarch64_sls_hardening & SLS_BLR;
++}
++
++/* As of yet we only allow setting these options globally, in the future we may
++   allow setting them per function.  */
++static void
++aarch64_validate_sls_mitigation (const char *const_str)
++{
++  char *token_save = NULL;
++  char *str = NULL;
++
++  if (strcmp (const_str, "none") == 0)
++    {
++      aarch64_sls_hardening = SLS_NONE;
++      return;
++    }
++  if (strcmp (const_str, "all") == 0)
++    {
++      aarch64_sls_hardening = SLS_ALL;
++      return;
++    }
++
++  char *str_root = xstrdup (const_str);
++  str = strtok_r (str_root, ",", &token_save);
++  if (!str)
++    error ("invalid argument given to %<-mharden-sls=%>");
++
++  int temp = SLS_NONE;
++  while (str)
++    {
++      if (strcmp (str, "blr") == 0)
++	temp |= SLS_BLR;
++      else if (strcmp (str, "retbr") == 0)
++	temp |= SLS_RETBR;
++      else if (strcmp (str, "none") == 0 || strcmp (str, "all") == 0)
++	{
++	  error ("%<%s%> must be by itself for %<-mharden-sls=%>", str);
++	  break;
++	}
++      else
++	{
++	  error ("invalid argument %<%s%> for %<-mharden-sls=%>", str);
++	  break;
++	}
++      str = strtok_r (NULL, ",", &token_save);
++    }
++  aarch64_sls_hardening = (aarch64_sls_hardening_type) temp;
++  free (str_root);
++}
++
+ /* Parses CONST_STR for branch protection features specified in
+    aarch64_branch_protect_types, and set any global variables required.  Returns
+    the parsing result and assigns LAST_STR to the last processed token from
+@@ -11972,6 +12045,9 @@ aarch64_override_options (void)
+   selected_arch = NULL;
+   selected_tune = NULL;
+ 
++  if (aarch64_harden_sls_string)
++    aarch64_validate_sls_mitigation (aarch64_harden_sls_string);
++
+   if (aarch64_branch_protection_string)
+     aarch64_validate_mbranch_protection (aarch64_branch_protection_string);
+ 
+diff --git a/gcc/config/aarch64/aarch64.opt b/gcc/config/aarch64/aarch64.opt
+index 3c6d1cc90..d27ab6df8 100644
+--- a/gcc/config/aarch64/aarch64.opt
++++ b/gcc/config/aarch64/aarch64.opt
+@@ -71,6 +71,10 @@ mgeneral-regs-only
+ Target Report RejectNegative Mask(GENERAL_REGS_ONLY) Save
+ Generate code which uses only the general registers.
+ 
++mharden-sls=
++Target RejectNegative Joined Var(aarch64_harden_sls_string)
++Generate code to mitigate against straight line speculation.
++
+ mfix-cortex-a53-835769
+ Target Report Var(aarch64_fix_a53_err835769) Init(2) Save
+ Workaround for ARM Cortex-A53 Erratum number 835769.
+diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
+index 2f7ffe456..5f04a7d2b 100644
+--- a/gcc/doc/invoke.texi
++++ b/gcc/doc/invoke.texi
+@@ -638,6 +638,7 @@ Objective-C and Objective-C++ Dialects}.
+ -mpc-relative-literal-loads @gol
+ -msign-return-address=@var{scope} @gol
+ -mbranch-protection=@var{none}|@var{standard}|@var{pac-ret}[+@var{leaf}]|@var{bti} @gol
++-mharden-sls=@var{opts} @gol
+ -march=@var{name}  -mcpu=@var{name}  -mtune=@var{name}  @gol
+ -moverride=@var{string}  -mverbose-cost-dump @gol
+ -mstack-protector-guard=@var{guard} -mstack-protector-guard-reg=@var{sysreg} @gol
+@@ -15955,6 +15956,17 @@ argument @samp{leaf} can be used to extend the signing to include leaf
+ functions.
+ @samp{bti} turns on branch target identification mechanism.
+ 
++@item -mharden-sls=@var{opts}
++@opindex mharden-sls
++Enable compiler hardening against straight line speculation (SLS).
++@var{opts} is a comma-separated list of the following options:
++@table @samp
++@item retbr
++@item blr
++@end table
++In addition, @samp{-mharden-sls=all} enables all SLS hardening while
++@samp{-mharden-sls=none} disables all SLS hardening.
++
+ @item -msve-vector-bits=@var{bits}
+ @opindex msve-vector-bits
+ Specify the number of bits in an SVE vector register.  This option only has
+-- 
+2.25.1
+

meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch

@@ -0,0 +1,600 @@
+CVE: CVE-2020-13844
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From dc586a749228ecfb71f72ec2ca10e6f7b6874af3 Mon Sep 17 00:00:00 2001
+From: Matthew Malcomson <matthew.malcomson@arm.com>
+Date: Thu, 9 Jul 2020 09:11:59 +0100
+Subject: [PATCH 2/3] aarch64: Introduce SLS mitigation for RET and BR
+ instructions
+
+Instructions following RET or BR are not necessarily executed.  In order
+to avoid speculation past RET and BR we can simply append a speculation
+barrier.
+
+Since these speculation barriers will not be architecturally executed,
+they are not expected to add a high performance penalty.
+
+The speculation barrier is to be SB when targeting architectures which
+have this enabled, and DSB SY + ISB otherwise.
+
+We add tests for each of the cases where such an instruction was seen.
+
+This is implemented by modifying each machine description pattern that
+emits either a RET or a BR instruction.  We choose not to use something
+like `TARGET_ASM_FUNCTION_EPILOGUE` since it does not affect the
+`indirect_jump`, `jump`, `sibcall_insn` and `sibcall_value_insn`
+patterns and we find it preferable to implement the functionality in the
+same way for every pattern.
+
+There is one particular case which is slightly tricky.  The
+implementation of TARGET_ASM_TRAMPOLINE_TEMPLATE uses a BR which needs
+to be mitigated against.  The trampoline template is used *once* per
+compilation unit, and the TRAMPOLINE_SIZE is exposed to the user via the
+builtin macro __LIBGCC_TRAMPOLINE_SIZE__.
+In the future we may implement function specific attributes to turn on
+and off hardening on a per-function basis.
+The fixed nature of the trampoline described above implies it will be
+safer to ensure this speculation barrier is always used.
+
+Testing:
+  Bootstrap and regtest done on aarch64-none-linux
+  Used a temporary hack(1) to use these options on every test in the
+  testsuite and a script to check that the output never emitted an
+  unmitigated RET or BR.
+
+1) Temporary hack was a change to the testsuite to always use
+`-save-temps` and run a script on the assembly output of those
+compilations which produced one to ensure every RET or BR is immediately
+followed by a speculation barrier.
+
+(cherry picked from be178ecd5ac1fe1510d960ff95c66d0ff831afe1)
+
+gcc/ChangeLog:
+
+	* config/aarch64/aarch64-protos.h (aarch64_sls_barrier): New.
+	* config/aarch64/aarch64.c (aarch64_output_casesi): Emit
+	speculation barrier after BR instruction if needs be.
+	(aarch64_trampoline_init): Handle ptr_mode value & adjust size
+	of code copied.
+	(aarch64_sls_barrier): New.
+	(aarch64_asm_trampoline_template): Add needed barriers.
+	* config/aarch64/aarch64.h (AARCH64_ISA_SB): New.
+	(TARGET_SB): New.
+	(TRAMPOLINE_SIZE): Account for barrier.
+	* config/aarch64/aarch64.md (indirect_jump, *casesi_dispatch,
+	simple_return, *do_return, *sibcall_insn, *sibcall_value_insn):
+	Emit barrier if needs be, also account for possible barrier using
+	"sls_length" attribute.
+	(sls_length): New attribute.
+	(length): Determine default using any non-default sls_length
+	value.
+
+gcc/testsuite/ChangeLog:
+
+	* gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c: New test.
+	* gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c:
+	New test.
+	* gcc.target/aarch64/sls-mitigation/sls-mitigation.exp: New file.
+	* lib/target-supports.exp (check_effective_target_aarch64_asm_sb_ok):
+	New proc.
+---
+ gcc/config/aarch64/aarch64-protos.h           |   1 +
+ gcc/config/aarch64/aarch64.c                  |  41 +++++-
+ gcc/config/aarch64/aarch64.h                  |  10 +-
+ gcc/config/aarch64/aarch64.md                 |  75 ++++++++---
+ .../sls-mitigation/sls-miti-retbr-pacret.c    |  15 +++
+ .../aarch64/sls-mitigation/sls-miti-retbr.c   | 119 ++++++++++++++++++
+ .../aarch64/sls-mitigation/sls-mitigation.exp |  73 +++++++++++
+ gcc/testsuite/lib/target-supports.exp         |   3 +-
+ 8 files changed, 312 insertions(+), 25 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
+
+diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
+index 31493f412..885eae893 100644
+--- a/gcc/config/aarch64/aarch64-protos.h
++++ b/gcc/config/aarch64/aarch64-protos.h
+@@ -644,6 +644,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
+ 
+ bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
+ 
++const char *aarch64_sls_barrier (int);
+ extern bool aarch64_harden_sls_retbr_p (void);
+ extern bool aarch64_harden_sls_blr_p (void);
+ 
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index 269ff6c92..dff61105c 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -8412,8 +8412,8 @@ aarch64_return_addr (int count, rtx frame ATTRIBUTE_UNUSED)
+ static void
+ aarch64_asm_trampoline_template (FILE *f)
+ {
+-  int offset1 = 16;
+-  int offset2 = 20;
++  int offset1 = 24;
++  int offset2 = 28;
+ 
+   if (aarch64_bti_enabled ())
+     {
+@@ -8436,6 +8436,17 @@ aarch64_asm_trampoline_template (FILE *f)
+     }
+   asm_fprintf (f, "\tbr\t%s\n", reg_names [IP1_REGNUM]);
+ 
++  /* We always emit a speculation barrier.
++     This is because the same trampoline template is used for every nested
++     function.  Since nested functions are not particularly common or
++     performant we don't worry too much about the extra instructions to copy
++     around.
++     This is not yet a problem, since we have not yet implemented function
++     specific attributes to choose between hardening against straight line
++     speculation or not, but such function specific attributes are likely to
++     happen in the future.  */
++  asm_fprintf (f, "\tdsb\tsy\n\tisb\n");
++
+   /* The trampoline needs an extra padding instruction.  In case if BTI is
+      enabled the padding instruction is replaced by the BTI instruction at
+      the beginning.  */
+@@ -8450,10 +8461,14 @@ static void
+ aarch64_trampoline_init (rtx m_tramp, tree fndecl, rtx chain_value)
+ {
+   rtx fnaddr, mem, a_tramp;
+-  const int tramp_code_sz = 16;
++  const int tramp_code_sz = 24;
+ 
+   /* Don't need to copy the trailing D-words, we fill those in below.  */
+-  emit_block_move (m_tramp, assemble_trampoline_template (),
++  /* We create our own memory address in Pmode so that `emit_block_move` can
++     use parts of the backend which expect Pmode addresses.  */
++  rtx temp = convert_memory_address (Pmode, XEXP (m_tramp, 0));
++  emit_block_move (gen_rtx_MEM (BLKmode, temp),
++		   assemble_trampoline_template (),
+ 		   GEN_INT (tramp_code_sz), BLOCK_OP_NORMAL);
+   mem = adjust_address (m_tramp, ptr_mode, tramp_code_sz);
+   fnaddr = XEXP (DECL_RTL (fndecl), 0);
+@@ -8640,6 +8655,8 @@ aarch64_output_casesi (rtx *operands)
+   output_asm_insn (buf, operands);
+   output_asm_insn (patterns[index][1], operands);
+   output_asm_insn ("br\t%3", operands);
++  output_asm_insn (aarch64_sls_barrier (aarch64_harden_sls_retbr_p ()),
++		   operands);
+   assemble_label (asm_out_file, label);
+   return "";
+ }
+@@ -18976,6 +18993,22 @@ aarch64_file_end_indicate_exec_stack ()
+ #undef GNU_PROPERTY_AARCH64_FEATURE_1_BTI
+ #undef GNU_PROPERTY_AARCH64_FEATURE_1_AND
+ 
++/* Helper function for straight line speculation.
++   Return what barrier should be emitted for straight line speculation
++   mitigation.
++   When not mitigating against straight line speculation this function returns
++   an empty string.
++   When mitigating against straight line speculation, use:
++   * SB when the v8.5-A SB extension is enabled.
++   * DSB+ISB otherwise.  */
++const char *
++aarch64_sls_barrier (int mitigation_required)
++{
++  return mitigation_required
++    ? (TARGET_SB ? "sb" : "dsb\tsy\n\tisb")
++    : "";
++}
++
+ /* Target-specific selftests.  */
+ 
+ #if CHECKING_P
+diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
+index 772a97296..72ddc6fd9 100644
+--- a/gcc/config/aarch64/aarch64.h
++++ b/gcc/config/aarch64/aarch64.h
+@@ -235,6 +235,7 @@ extern unsigned aarch64_architecture_version;
+ #define AARCH64_ISA_F16FML	   (aarch64_isa_flags & AARCH64_FL_F16FML)
+ #define AARCH64_ISA_RCPC8_4	   (aarch64_isa_flags & AARCH64_FL_RCPC8_4)
+ #define AARCH64_ISA_V8_5	   (aarch64_isa_flags & AARCH64_FL_V8_5)
++#define AARCH64_ISA_SB		   (aarch64_isa_flags & AARCH64_FL_SB)
+ 
+ /* Crypto is an optional extension to AdvSIMD.  */
+ #define TARGET_CRYPTO (TARGET_SIMD && AARCH64_ISA_CRYPTO)
+@@ -285,6 +286,9 @@ extern unsigned aarch64_architecture_version;
+ #define TARGET_FIX_ERR_A53_835769_DEFAULT 1
+ #endif
+ 
++/* SB instruction is enabled through +sb.  */
++#define TARGET_SB (AARCH64_ISA_SB)
++
+ /* Apply the workaround for Cortex-A53 erratum 835769.  */
+ #define TARGET_FIX_ERR_A53_835769	\
+   ((aarch64_fix_a53_err835769 == 2)	\
+@@ -931,8 +935,10 @@ typedef struct
+ 
+ #define RETURN_ADDR_RTX aarch64_return_addr
+ 
+-/* BTI c + 3 insns + 2 pointer-sized entries.  */
+-#define TRAMPOLINE_SIZE	(TARGET_ILP32 ? 24 : 32)
++/* BTI c + 3 insns
++   + sls barrier of DSB + ISB.
++   + 2 pointer-sized entries.  */
++#define TRAMPOLINE_SIZE	(24 + (TARGET_ILP32 ? 8 : 16))
+ 
+ /* Trampolines contain dwords, so must be dword aligned.  */
+ #define TRAMPOLINE_ALIGNMENT 64
+diff --git a/gcc/config/aarch64/aarch64.md b/gcc/config/aarch64/aarch64.md
+index cc5a887d4..494aee964 100644
+--- a/gcc/config/aarch64/aarch64.md
++++ b/gcc/config/aarch64/aarch64.md
+@@ -331,10 +331,25 @@
+ ;; Attribute that specifies whether the alternative uses MOVPRFX.
+ (define_attr "movprfx" "no,yes" (const_string "no"))
+ 
++;; Attribute to specify that an alternative has the length of a single
++;; instruction plus a speculation barrier.
++(define_attr "sls_length" "none,retbr,casesi" (const_string "none"))
++
+ (define_attr "length" ""
+   (cond [(eq_attr "movprfx" "yes")
+            (const_int 8)
+-        ] (const_int 4)))
++
++	 (eq_attr "sls_length" "retbr")
++	   (cond [(match_test "!aarch64_harden_sls_retbr_p ()") (const_int 4)
++		  (match_test "TARGET_SB") (const_int 8)]
++		 (const_int 12))
++
++	 (eq_attr "sls_length" "casesi")
++	   (cond [(match_test "!aarch64_harden_sls_retbr_p ()") (const_int 16)
++		  (match_test "TARGET_SB") (const_int 20)]
++		 (const_int 24))
++	]
++	  (const_int 4)))
+ 
+ ;; Strictly for compatibility with AArch32 in pipeline models, since AArch64 has
+ ;; no predicated insns.
+@@ -370,8 +385,12 @@
+ (define_insn "indirect_jump"
+   [(set (pc) (match_operand:DI 0 "register_operand" "r"))]
+   ""
+-  "br\\t%0"
+-  [(set_attr "type" "branch")]
++  {
++    output_asm_insn ("br\\t%0", operands);
++    return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
++  }
++  [(set_attr "type" "branch")
++   (set_attr "sls_length" "retbr")]
+ )
+ 
+ (define_insn "jump"
+@@ -657,7 +676,7 @@
+   "*
+   return aarch64_output_casesi (operands);
+   "
+-  [(set_attr "length" "16")
++  [(set_attr "sls_length" "casesi")
+    (set_attr "type" "branch")]
+ )
+ 
+@@ -736,14 +755,18 @@
+   [(return)]
+   ""
+   {
++    const char *ret = NULL;
+     if (aarch64_return_address_signing_enabled ()
+ 	&& TARGET_ARMV8_3
+ 	&& !crtl->calls_eh_return)
+-      return "retaa";
+-
+-    return "ret";
++      ret = "retaa";
++    else
++      ret = "ret";
++    output_asm_insn (ret, operands);
++    return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
+   }
+-  [(set_attr "type" "branch")]
++  [(set_attr "type" "branch")
++   (set_attr "sls_length" "retbr")]
+ )
+ 
+ (define_expand "return"
+@@ -755,8 +778,12 @@
+ (define_insn "simple_return"
+   [(simple_return)]
+   "aarch64_use_simple_return_insn_p ()"
+-  "ret"
+-  [(set_attr "type" "branch")]
++  {
++    output_asm_insn ("ret", operands);
++    return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
++  }
++  [(set_attr "type" "branch")
++   (set_attr "sls_length" "retbr")]
+ )
+ 
+ (define_insn "*cb<optab><mode>1"
+@@ -947,10 +974,16 @@
+ 	 (match_operand 1 "" ""))
+    (return)]
+   "SIBLING_CALL_P (insn)"
+-  "@
+-   br\\t%0
+-   b\\t%c0"
+-  [(set_attr "type" "branch, branch")]
++  {
++    if (which_alternative == 0)
++      {
++	output_asm_insn ("br\\t%0", operands);
++	return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
++      }
++    return "b\\t%c0";
++  }
++  [(set_attr "type" "branch, branch")
++   (set_attr "sls_length" "retbr,none")]
+ )
+ 
+ (define_insn "*sibcall_value_insn"
+@@ -960,10 +993,16 @@
+ 	      (match_operand 2 "" "")))
+    (return)]
+   "SIBLING_CALL_P (insn)"
+-  "@
+-   br\\t%1
+-   b\\t%c1"
+-  [(set_attr "type" "branch, branch")]
++  {
++    if (which_alternative == 0)
++      {
++	output_asm_insn ("br\\t%1", operands);
++	return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
++      }
++    return "b\\t%c1";
++  }
++  [(set_attr "type" "branch, branch")
++   (set_attr "sls_length" "retbr,none")]
+ )
+ 
+ ;; Call subroutine returning any type.
+diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
+new file mode 100644
+index 000000000..7656123ee
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
+@@ -0,0 +1,15 @@
++/* Avoid ILP32 since pacret is only available for LP64 */
++/* { dg-do compile { target { ! ilp32 } } } */
++/* { dg-additional-options "-mharden-sls=retbr -mbranch-protection=pac-ret -march=armv8.3-a" } */
++
++/* Testing the do_return pattern for retaa.  */
++long retbr_subcall(void);
++long retbr_do_return_retaa(void)
++{
++    return retbr_subcall()+1;
++}
++
++/* Ensure there are no BR or RET instructions which are not directly followed
++   by a speculation barrier.  */
++/* { dg-final { scan-assembler-not {\t(br|ret|retaa)\tx[0-9][0-9]?\n\t(?!dsb\tsy\n\tisb)} } } */
++/* { dg-final { scan-assembler-not {ret\t} } } */
+diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
+new file mode 100644
+index 000000000..573b30cdc
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
+@@ -0,0 +1,119 @@
++/* We ensure that -Wpedantic is off since it complains about the trampolines
++   we explicitly want to test.  */
++/* { dg-additional-options "-mharden-sls=retbr -Wno-pedantic " } */
++/*
++   Ensure that the SLS hardening of RET and BR leaves no unprotected RET/BR
++   instructions.
++  */
++typedef int (foo) (int, int);
++typedef void (bar) (int, int);
++struct sls_testclass {
++    foo *x;
++    bar *y;
++    int left;
++    int right;
++};
++
++int
++retbr_sibcall_value_insn (struct sls_testclass x)
++{
++  return x.x(x.left, x.right);
++}
++
++void
++retbr_sibcall_insn (struct sls_testclass x)
++{
++  x.y(x.left, x.right);
++}
++
++/* Aim to test two different returns.
++   One that introduces a tail call in the middle of the function, and one that
++   has a normal return.  */
++int
++retbr_multiple_returns (struct sls_testclass x)
++{
++  int temp;
++  if (x.left % 10)
++    return x.x(x.left, 100);
++  else if (x.right % 20)
++    {
++      return x.x(x.left * x.right, 100);
++    }
++  temp = x.left % x.right;
++  temp *= 100;
++  temp /= 2;
++  return temp % 3;
++}
++
++void
++retbr_multiple_returns_void (struct sls_testclass x)
++{
++  if (x.left % 10)
++    {
++      x.y(x.left, 100);
++    }
++  else if (x.right % 20)
++    {
++      x.y(x.left * x.right, 100);
++    }
++  return;
++}
++
++/* Testing the casesi jump via register.  */
++__attribute__ ((optimize ("Os")))
++int
++retbr_casesi_dispatch (struct sls_testclass x)
++{
++  switch (x.left)
++    {
++    case -5:
++      return -2;
++    case -3:
++      return -1;
++    case 0:
++      return 0;
++    case 3:
++      return 1;
++    case 5:
++      break;
++    default:
++      __builtin_unreachable ();
++    }
++  return x.right;
++}
++
++/* Testing the BR in trampolines is mitigated against.  */
++void f1 (void *);
++void f3 (void *, void (*)(void *));
++void f2 (void *);
++
++int
++retbr_trampolines (void *a, int b)
++{
++  if (!b)
++    {
++      f1 (a);
++      return 1;
++    }
++  if (b)
++    {
++      void retbr_tramp_internal (void *c)
++      {
++	if (c == a)
++	  f2 (c);
++      }
++      f3 (a, retbr_tramp_internal);
++    }
++  return 0;
++}
++
++/* Testing the indirect_jump pattern.  */
++void
++retbr_indirect_jump (int *buf)
++{
++  __builtin_longjmp(buf, 1);
++}
++
++/* Ensure there are no BR or RET instructions which are not directly followed
++   by a speculation barrier.  */
++/* { dg-final { scan-assembler-not {\t(br|ret|retaa)\tx[0-9][0-9]?\n\t(?!dsb\tsy\n\tisb|sb)} } } */
+diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
+new file mode 100644
+index 000000000..812250379
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
+@@ -0,0 +1,73 @@
++#  Regression driver for SLS mitigation on AArch64.
++#  Copyright (C) 2020 Free Software Foundation, Inc.
++#  Contributed by ARM Ltd.
++#
++#  This file is part of GCC.
++#
++#  GCC is free software; you can redistribute it and/or modify it
++#  under the terms of the GNU General Public License as published by
++#  the Free Software Foundation; either version 3, or (at your option)
++#  any later version.
++#
++#  GCC is distributed in the hope that it will be useful, but
++#  WITHOUT ANY WARRANTY; without even the implied warranty of
++#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++#  General Public License for more details.
++#
++#  You should have received a copy of the GNU General Public License
++#  along with GCC; see the file COPYING3.  If not see
++#  <http://www.gnu.org/licenses/>.  */
++
++# Exit immediately if this isn't an AArch64 target.
++if {![istarget aarch64*-*-*] } then {
++  return
++}
++
++# Load support procs.
++load_lib gcc-dg.exp
++load_lib torture-options.exp
++
++# If a testcase doesn't have special options, use these.
++global DEFAULT_CFLAGS
++if ![info exists DEFAULT_CFLAGS] then {
++    set DEFAULT_CFLAGS " "
++}
++
++# Initialize `dg'.
++dg-init
++torture-init
++
++# Use different architectures as well as the normal optimisation options.
++# (i.e. use both SB and DSB+ISB barriers).
++
++set save-dg-do-what-default ${dg-do-what-default}
++# Main loop.
++# Run with torture tests (i.e. a bunch of different optimisation levels) just
++# to increase test coverage.
++set dg-do-what-default assemble
++gcc-dg-runtest [lsort [glob -nocomplain $srcdir/$subdir/*.\[cCS\]]] \
++	"-save-temps" $DEFAULT_CFLAGS
++
++# Run the same tests but this time with SB extension.
++# Since not all supported assemblers will support that extension we decide
++# whether to assemble or just compile based on whether the extension is
++# supported for the available assembler.
++
++set templist {}
++foreach x $DG_TORTURE_OPTIONS {
++  lappend templist "$x -march=armv8.3-a+sb "
++  lappend templist "$x -march=armv8-a+sb "
++}
++set-torture-options $templist
++if { [check_effective_target_aarch64_asm_sb_ok] } {
++    set dg-do-what-default assemble
++} else {
++    set dg-do-what-default compile
++}
++gcc-dg-runtest [lsort [glob -nocomplain $srcdir/$subdir/*.\[cCS\]]] \
++	"-save-temps" $DEFAULT_CFLAGS
++set dg-do-what-default ${save-dg-do-what-default}
++
++# All done.
++torture-finish
++dg-finish
+diff --git a/gcc/testsuite/lib/target-supports.exp b/gcc/testsuite/lib/target-supports.exp
+index ea9a50ccb..79482f9b6 100644
+--- a/gcc/testsuite/lib/target-supports.exp
++++ b/gcc/testsuite/lib/target-supports.exp
+@@ -8579,7 +8579,8 @@ proc check_effective_target_aarch64_tiny { } {
+ # Create functions to check that the AArch64 assembler supports the
+ # various architecture extensions via the .arch_extension pseudo-op.
+ 
+-foreach { aarch64_ext } { "fp" "simd" "crypto" "crc" "lse" "dotprod" "sve"} {
++foreach { aarch64_ext } { "fp" "simd" "crypto" "crc" "lse" "dotprod" "sve"
++			  "sb"} {
+     eval [string map [list FUNC $aarch64_ext] {
+ 	proc check_effective_target_aarch64_asm_FUNC_ok { } {
+ 	  if { [istarget aarch64*-*-*] } {
+-- 
+2.25.1
+

meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch

@@ -0,0 +1,659 @@
+CVE: CVE-2020-13844
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 2155170525f93093b90a1a065e7ed71a925566e9 Mon Sep 17 00:00:00 2001
+From: Matthew Malcomson <matthew.malcomson@arm.com>
+Date: Thu, 9 Jul 2020 09:11:59 +0100
+Subject: [PATCH 3/3] aarch64: Mitigate SLS for BLR instruction
+
+This patch introduces the mitigation for Straight Line Speculation past
+the BLR instruction.
+
+This mitigation replaces BLR instructions with a BL to a stub which uses
+a BR to jump to the original value.  These function stubs are then
+appended with a speculation barrier to ensure no straight line
+speculation happens after these jumps.
+
+When optimising for speed we use a set of stubs for each function since
+this should help the branch predictor make more accurate predictions
+about where a stub should branch.
+
+When optimising for size we use one set of stubs for all functions.
+This set of stubs can have human readable names, and we are using
+`__call_indirect_x<N>` for register x<N>.
+
+When BTI branch protection is enabled the BLR instruction can jump to a
+`BTI c` instruction using any register, while the BR instruction can
+only jump to a `BTI c` instruction using the x16 or x17 registers.
+Hence, in order to ensure this transformation is safe we mov the value
+of the original register into x16 and use x16 for the BR.
+
+As an example when optimising for size:
+a
+    BLR x0
+instruction would get transformed to something like
+    BL __call_indirect_x0
+where __call_indirect_x0 labels a thunk that contains
+__call_indirect_x0:
+    MOV X16, X0
+    BR X16
+    <speculation barrier>
+
+The first version of this patch used local symbols specific to a
+compilation unit to try and avoid relocations.
+This was mistaken since functions coming from the same compilation unit
+can still be in different sections, and the assembler will insert
+relocations at jumps between sections.
+
+On any relocation the linker is permitted to emit a veneer to handle
+jumps between symbols that are very far apart.  The registers x16 and
+x17 may be clobbered by these veneers.
+Hence the function stubs cannot rely on the values of x16 and x17 being
+the same as just before the function stub is called.
+
+Similar can be said for the hot/cold partitioning of single functions,
+so function-local stubs have the same restriction.
+
+This updated version of the patch never emits function stubs for x16 and
+x17, and instead forces other registers to be used.
+
+Given the above, there is now no benefit to local symbols (since they
+are not enough to avoid dealing with linker intricacies).  This patch
+now uses global symbols with hidden visibility each stored in their own
+COMDAT section.  This means stubs can be shared between compilation
+units while still avoiding the PLT indirection.
+
+This patch also removes the `__call_indirect_x30` stub (and
+function-local equivalent) which would simply jump back to the original
+location.
+
+The function-local stubs are emitted to the assembly output file in one
+chunk, which means we need not add the speculation barrier directly
+after each one.
+This is because we know for certain that the instructions directly after
+the BR in all but the last function stub will be from another one of
+these stubs and hence will not contain a speculation gadget.
+Instead we add a speculation barrier at the end of the sequence of
+stubs.
+
+The global stubs are emitted in COMDAT/.linkonce sections by
+themselves so that the linker can remove duplicates from multiple object
+files.  This means they are not emitted in one chunk, and each one must
+include the speculation barrier.
+
+Another difference is that since the global stubs are shared across
+compilation units we do not know that all functions will be targeting an
+architecture supporting the SB instruction.
+Rather than provide multiple stubs for each architecture, we provide a
+stub that will work for all architectures -- using the DSB+ISB barrier.
+
+This mitigation does not apply for BLR instructions in the following
+places:
+- Some accesses to thread-local variables use a code sequence with a BLR
+  instruction.  This code sequence is part of the binary interface between
+  compiler and linker. If this BLR instruction needs to be mitigated, it'd
+  probably be best to do so in the linker. It seems that the code sequence
+  for thread-local variable access is unlikely to lead to a Spectre Revalation
+  Gadget.
+- PLT stubs are produced by the linker and each contain a BLR instruction.
+  It seems that at most only after the last PLT stub a Spectre Revalation
+  Gadget might appear.
+
+Testing:
+  Bootstrap and regtest on AArch64
+    (with BOOT_CFLAGS="-mharden-sls=retbr,blr")
+  Used a temporary hack(1) in gcc-dg.exp to use these options on every
+  test in the testsuite, a slight modification to emit the speculation
+  barrier after every function stub, and a script to check that the
+  output never emitted a BLR, or unmitigated BR or RET instruction.
+  Similar on an aarch64-none-elf cross-compiler.
+
+1) Temporary hack emitted a speculation barrier at the end of every stub
+function, and used a script to ensure that:
+  a) Every RET or BR is immediately followed by a speculation barrier.
+  b) No BLR instruction is emitted by compiler.
+
+(cherry picked from 96b7f495f9269d5448822e4fc28882edb35a58d7)
+
+gcc/ChangeLog:
+
+	* config/aarch64/aarch64-protos.h (aarch64_indirect_call_asm):
+	New declaration.
+	* config/aarch64/aarch64.c (aarch64_regno_regclass): Handle new
+	stub registers class.
+	(aarch64_class_max_nregs): Likewise.
+	(aarch64_register_move_cost): Likewise.
+	(aarch64_sls_shared_thunks): Global array to store stub labels.
+	(aarch64_sls_emit_function_stub): New.
+	(aarch64_create_blr_label): New.
+	(aarch64_sls_emit_blr_function_thunks): New.
+	(aarch64_sls_emit_shared_blr_thunks): New.
+	(aarch64_asm_file_end): New.
+	(aarch64_indirect_call_asm): New.
+	(TARGET_ASM_FILE_END): Use aarch64_asm_file_end.
+	(TARGET_ASM_FUNCTION_EPILOGUE): Use
+	aarch64_sls_emit_blr_function_thunks.
+	* config/aarch64/aarch64.h (STB_REGNUM_P): New.
+	(enum reg_class): Add STUB_REGS class.
+	(machine_function): Introduce `call_via` array for
+	function-local stub labels.
+	* config/aarch64/aarch64.md (*call_insn, *call_value_insn): Use
+	aarch64_indirect_call_asm to emit code when hardening BLR
+	instructions.
+	* config/aarch64/constraints.md (Ucr): New constraint
+	representing registers for indirect calls.  Is GENERAL_REGS
+	usually, and STUB_REGS when hardening BLR instruction against
+	SLS.
+	* config/aarch64/predicates.md (aarch64_general_reg): STUB_REGS class
+	is also a general register.
+
+gcc/testsuite/ChangeLog:
+
+	* gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c: New test.
+	* gcc.target/aarch64/sls-mitigation/sls-miti-blr.c: New test.
+---
+ gcc/config/aarch64/aarch64-protos.h           |   1 +
+ gcc/config/aarch64/aarch64.c                  | 225 +++++++++++++++++-
+ gcc/config/aarch64/aarch64.h                  |  15 ++
+ gcc/config/aarch64/aarch64.md                 |  11 +-
+ gcc/config/aarch64/constraints.md             |   9 +
+ gcc/config/aarch64/predicates.md              |   3 +-
+ .../aarch64/sls-mitigation/sls-miti-blr-bti.c |  40 ++++
+ .../aarch64/sls-mitigation/sls-miti-blr.c     |  33 +++
+ 8 files changed, 328 insertions(+), 9 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
+
+diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
+index 885eae893..2676e43ae 100644
+--- a/gcc/config/aarch64/aarch64-protos.h
++++ b/gcc/config/aarch64/aarch64-protos.h
+@@ -645,6 +645,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
+ bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
+ 
+ const char *aarch64_sls_barrier (int);
++const char *aarch64_indirect_call_asm (rtx);
+ extern bool aarch64_harden_sls_retbr_p (void);
+ extern bool aarch64_harden_sls_blr_p (void);
+ 
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index dff61105c..bc6c02c3a 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -8190,6 +8190,9 @@ aarch64_label_mentioned_p (rtx x)
+ enum reg_class
+ aarch64_regno_regclass (unsigned regno)
+ {
++  if (STUB_REGNUM_P (regno))
++    return STUB_REGS;
++
+   if (GP_REGNUM_P (regno))
+     return GENERAL_REGS;
+ 
+@@ -8499,6 +8502,7 @@ aarch64_class_max_nregs (reg_class_t regclass, machine_mode mode)
+   unsigned int nregs;
+   switch (regclass)
+     {
++    case STUB_REGS:
+     case TAILCALL_ADDR_REGS:
+     case POINTER_REGS:
+     case GENERAL_REGS:
+@@ -10693,10 +10697,12 @@ aarch64_register_move_cost (machine_mode mode,
+     = aarch64_tune_params.regmove_cost;
+ 
+   /* Caller save and pointer regs are equivalent to GENERAL_REGS.  */
+-  if (to == TAILCALL_ADDR_REGS || to == POINTER_REGS)
++  if (to == TAILCALL_ADDR_REGS || to == POINTER_REGS
++      || to == STUB_REGS)
+     to = GENERAL_REGS;
+ 
+-  if (from == TAILCALL_ADDR_REGS || from == POINTER_REGS)
++  if (from == TAILCALL_ADDR_REGS || from == POINTER_REGS
++      || from == STUB_REGS)
+     from = GENERAL_REGS;
+ 
+   /* Moving between GPR and stack cost is the same as GP2GP.  */
+@@ -19009,6 +19015,215 @@ aarch64_sls_barrier (int mitigation_required)
+     : "";
+ }
+ 
++static GTY (()) tree aarch64_sls_shared_thunks[30];
++static GTY (()) bool aarch64_sls_shared_thunks_needed = false;
++const char *indirect_symbol_names[30] = {
++    "__call_indirect_x0",
++    "__call_indirect_x1",
++    "__call_indirect_x2",
++    "__call_indirect_x3",
++    "__call_indirect_x4",
++    "__call_indirect_x5",
++    "__call_indirect_x6",
++    "__call_indirect_x7",
++    "__call_indirect_x8",
++    "__call_indirect_x9",
++    "__call_indirect_x10",
++    "__call_indirect_x11",
++    "__call_indirect_x12",
++    "__call_indirect_x13",
++    "__call_indirect_x14",
++    "__call_indirect_x15",
++    "", /* "__call_indirect_x16",  */
++    "", /* "__call_indirect_x17",  */
++    "__call_indirect_x18",
++    "__call_indirect_x19",
++    "__call_indirect_x20",
++    "__call_indirect_x21",
++    "__call_indirect_x22",
++    "__call_indirect_x23",
++    "__call_indirect_x24",
++    "__call_indirect_x25",
++    "__call_indirect_x26",
++    "__call_indirect_x27",
++    "__call_indirect_x28",
++    "__call_indirect_x29",
++};
++
++/* Function to create a BLR thunk.  This thunk is used to mitigate straight
++   line speculation.  Instead of a simple BLR that can be speculated past,
++   we emit a BL to this thunk, and this thunk contains a BR to the relevant
++   register.  These thunks have the relevant speculation barries put after
++   their indirect branch so that speculation is blocked.
++
++   We use such a thunk so the speculation barriers are kept off the
++   architecturally executed path in order to reduce the performance overhead.
++
++   When optimizing for size we use stubs shared by the linked object.
++   When optimizing for performance we emit stubs for each function in the hope
++   that the branch predictor can better train on jumps specific for a given
++   function.  */
++rtx
++aarch64_sls_create_blr_label (int regnum)
++{
++  gcc_assert (STUB_REGNUM_P (regnum));
++  if (optimize_function_for_size_p (cfun))
++    {
++      /* For the thunks shared between different functions in this compilation
++	 unit we use a named symbol -- this is just for users to more easily
++	 understand the generated assembly.  */
++      aarch64_sls_shared_thunks_needed = true;
++      const char *thunk_name = indirect_symbol_names[regnum];
++      if (aarch64_sls_shared_thunks[regnum] == NULL)
++	{
++	  /* Build a decl representing this function stub and record it for
++	     later.  We build a decl here so we can use the GCC machinery for
++	     handling sections automatically (through `get_named_section` and
++	     `make_decl_one_only`).  That saves us a lot of trouble handling
++	     the specifics of different output file formats.  */
++	  tree decl = build_decl (BUILTINS_LOCATION, FUNCTION_DECL,
++				  get_identifier (thunk_name),
++				  build_function_type_list (void_type_node,
++							    NULL_TREE));
++	  DECL_RESULT (decl) = build_decl (BUILTINS_LOCATION, RESULT_DECL,
++					   NULL_TREE, void_type_node);
++	  TREE_PUBLIC (decl) = 1;
++	  TREE_STATIC (decl) = 1;
++	  DECL_IGNORED_P (decl) = 1;
++	  DECL_ARTIFICIAL (decl) = 1;
++	  make_decl_one_only (decl, DECL_ASSEMBLER_NAME (decl));
++	  resolve_unique_section (decl, 0, false);
++	  aarch64_sls_shared_thunks[regnum] = decl;
++	}
++
++      return gen_rtx_SYMBOL_REF (Pmode, thunk_name);
++    }
++
++  if (cfun->machine->call_via[regnum] == NULL)
++    cfun->machine->call_via[regnum]
++      = gen_rtx_LABEL_REF (Pmode, gen_label_rtx ());
++  return cfun->machine->call_via[regnum];
++}
++
++/* Helper function for aarch64_sls_emit_blr_function_thunks and
++   aarch64_sls_emit_shared_blr_thunks below.  */
++static void
++aarch64_sls_emit_function_stub (FILE *out_file, int regnum)
++{
++  /* Save in x16 and branch to that function so this transformation does
++     not prevent jumping to `BTI c` instructions.  */
++  asm_fprintf (out_file, "\tmov\tx16, x%d\n", regnum);
++  asm_fprintf (out_file, "\tbr\tx16\n");
++}
++
++/* Emit all BLR stubs for this particular function.
++   Here we emit all the BLR stubs needed for the current function.  Since we
++   emit these stubs in a consecutive block we know there will be no speculation
++   gadgets between each stub, and hence we only emit a speculation barrier at
++   the end of the stub sequences.
++
++   This is called in the TARGET_ASM_FUNCTION_EPILOGUE hook.  */
++void
++aarch64_sls_emit_blr_function_thunks (FILE *out_file)
++{
++  if (! aarch64_harden_sls_blr_p ())
++    return;
++
++  bool any_functions_emitted = false;
++  /* We must save and restore the current function section since this assembly
++     is emitted at the end of the function.  This means it can be emitted *just
++     after* the cold section of a function.  That cold part would be emitted in
++     a different section.  That switch would trigger a `.cfi_endproc` directive
++     to be emitted in the original section and a `.cfi_startproc` directive to
++     be emitted in the new section.  Switching to the original section without
++     restoring would mean that the `.cfi_endproc` emitted as a function ends
++     would happen in a different section -- leaving an unmatched
++     `.cfi_startproc` in the cold text section and an unmatched `.cfi_endproc`
++     in the standard text section.  */
++  section *save_text_section = in_section;
++  switch_to_section (function_section (current_function_decl));
++  for (int regnum = 0; regnum < 30; ++regnum)
++    {
++      rtx specu_label = cfun->machine->call_via[regnum];
++      if (specu_label == NULL)
++	continue;
++
++      targetm.asm_out.print_operand (out_file, specu_label, 0);
++      asm_fprintf (out_file, ":\n");
++      aarch64_sls_emit_function_stub (out_file, regnum);
++      any_functions_emitted = true;
++    }
++  if (any_functions_emitted)
++    /* Can use the SB if needs be here, since this stub will only be used
++      by the current function, and hence for the current target.  */
++    asm_fprintf (out_file, "\t%s\n", aarch64_sls_barrier (true));
++  switch_to_section (save_text_section);
++}
++
++/* Emit shared BLR stubs for the current compilation unit.
++   Over the course of compiling this unit we may have converted some BLR
++   instructions to a BL to a shared stub function.  This is where we emit those
++   stub functions.
++   This function is for the stubs shared between different functions in this
++   compilation unit.  We share when optimizing for size instead of speed.
++
++   This function is called through the TARGET_ASM_FILE_END hook.  */
++void
++aarch64_sls_emit_shared_blr_thunks (FILE *out_file)
++{
++  if (! aarch64_sls_shared_thunks_needed)
++    return;
++
++  for (int regnum = 0; regnum < 30; ++regnum)
++    {
++      tree decl = aarch64_sls_shared_thunks[regnum];
++      if (!decl)
++	continue;
++
++      const char *name = indirect_symbol_names[regnum];
++      switch_to_section (get_named_section (decl, NULL, 0));
++      ASM_OUTPUT_ALIGN (out_file, 2);
++      targetm.asm_out.globalize_label (out_file, name);
++      /* Only emits if the compiler is configured for an assembler that can
++	 handle visibility directives.  */
++      targetm.asm_out.assemble_visibility (decl, VISIBILITY_HIDDEN);
++      ASM_OUTPUT_TYPE_DIRECTIVE (out_file, name, "function");
++      ASM_OUTPUT_LABEL (out_file, name);
++      aarch64_sls_emit_function_stub (out_file, regnum);
++      /* Use the most conservative target to ensure it can always be used by any
++	 function in the translation unit.  */
++      asm_fprintf (out_file, "\tdsb\tsy\n\tisb\n");
++      ASM_DECLARE_FUNCTION_SIZE (out_file, name, decl);
++    }
++}
++
++/* Implement TARGET_ASM_FILE_END.  */
++void
++aarch64_asm_file_end ()
++{
++  aarch64_sls_emit_shared_blr_thunks (asm_out_file);
++  /* Since this function will be called for the ASM_FILE_END hook, we ensure
++     that what would be called otherwise (e.g. `file_end_indicate_exec_stack`
++     for FreeBSD) still gets called.  */
++#ifdef TARGET_ASM_FILE_END
++  TARGET_ASM_FILE_END ();
++#endif
++}
++
++const char *
++aarch64_indirect_call_asm (rtx addr)
++{
++  gcc_assert (REG_P (addr));
++  if (aarch64_harden_sls_blr_p ())
++    {
++      rtx stub_label = aarch64_sls_create_blr_label (REGNO (addr));
++      output_asm_insn ("bl\t%0", &stub_label);
++    }
++  else
++   output_asm_insn ("blr\t%0", &addr);
++  return "";
++}
++
+ /* Target-specific selftests.  */
+ 
+ #if CHECKING_P
+@@ -19529,6 +19744,12 @@ aarch64_libgcc_floating_mode_supported_p
+ #define TARGET_RUN_TARGET_SELFTESTS selftest::aarch64_run_selftests
+ #endif /* #if CHECKING_P */
+ 
++#undef TARGET_ASM_FILE_END
++#define TARGET_ASM_FILE_END aarch64_asm_file_end
++
++#undef TARGET_ASM_FUNCTION_EPILOGUE
++#define TARGET_ASM_FUNCTION_EPILOGUE aarch64_sls_emit_blr_function_thunks
++
+ struct gcc_target targetm = TARGET_INITIALIZER;
+ 
+ #include "gt-aarch64.h"
+diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
+index 72ddc6fd9..60682a100 100644
+--- a/gcc/config/aarch64/aarch64.h
++++ b/gcc/config/aarch64/aarch64.h
+@@ -540,6 +540,16 @@ extern unsigned aarch64_architecture_version;
+ #define GP_REGNUM_P(REGNO)						\
+   (((unsigned) (REGNO - R0_REGNUM)) <= (R30_REGNUM - R0_REGNUM))
+ 
++/* Registers known to be preserved over a BL instruction.  This consists of the
++   GENERAL_REGS without x16, x17, and x30.  The x30 register is changed by the
++   BL instruction itself, while the x16 and x17 registers may be used by
++   veneers which can be inserted by the linker.  */
++#define STUB_REGNUM_P(REGNO) \
++  (GP_REGNUM_P (REGNO) \
++   && (REGNO) != R16_REGNUM \
++   && (REGNO) != R17_REGNUM \
++   && (REGNO) != R30_REGNUM) \
++
+ #define FP_REGNUM_P(REGNO)			\
+   (((unsigned) (REGNO - V0_REGNUM)) <= (V31_REGNUM - V0_REGNUM))
+ 
+@@ -561,6 +571,7 @@ enum reg_class
+ {
+   NO_REGS,
+   TAILCALL_ADDR_REGS,
++  STUB_REGS,
+   GENERAL_REGS,
+   STACK_REG,
+   POINTER_REGS,
+@@ -580,6 +591,7 @@ enum reg_class
+ {						\
+   "NO_REGS",					\
+   "TAILCALL_ADDR_REGS",				\
++  "STUB_REGS",					\
+   "GENERAL_REGS",				\
+   "STACK_REG",					\
+   "POINTER_REGS",				\
+@@ -596,6 +608,7 @@ enum reg_class
+ {									\
+   { 0x00000000, 0x00000000, 0x00000000 },	/* NO_REGS */		\
+   { 0x00030000, 0x00000000, 0x00000000 },	/* TAILCALL_ADDR_REGS */\
++  { 0x3ffcffff, 0x00000000, 0x00000000 },	/* STUB_REGS */		\
+   { 0x7fffffff, 0x00000000, 0x00000003 },	/* GENERAL_REGS */	\
+   { 0x80000000, 0x00000000, 0x00000000 },	/* STACK_REG */		\
+   { 0xffffffff, 0x00000000, 0x00000003 },	/* POINTER_REGS */	\
+@@ -735,6 +748,8 @@ typedef struct GTY (()) machine_function
+   struct aarch64_frame frame;
+   /* One entry for each hard register.  */
+   bool reg_is_wrapped_separately[LAST_SAVED_REGNUM];
++  /* One entry for each general purpose register.  */
++  rtx call_via[SP_REGNUM];
+   bool label_is_assembled;
+ } machine_function;
+ #endif
+diff --git a/gcc/config/aarch64/aarch64.md b/gcc/config/aarch64/aarch64.md
+index 494aee964..ed8cf8ece 100644
+--- a/gcc/config/aarch64/aarch64.md
++++ b/gcc/config/aarch64/aarch64.md
+@@ -908,15 +908,14 @@
+ )
+ 
+ (define_insn "*call_insn"
+-  [(call (mem:DI (match_operand:DI 0 "aarch64_call_insn_operand" "r, Usf"))
++  [(call (mem:DI (match_operand:DI 0 "aarch64_call_insn_operand" "Ucr, Usf"))
+ 	 (match_operand 1 "" ""))
+    (clobber (reg:DI LR_REGNUM))]
+   ""
+   "@
+-  blr\\t%0
++  * return aarch64_indirect_call_asm (operands[0]);
+   bl\\t%c0"
+-  [(set_attr "type" "call, call")]
+-)
++  [(set_attr "type" "call, call")])
+ 
+ (define_expand "call_value"
+   [(parallel [(set (match_operand 0 "" "")
+@@ -934,12 +933,12 @@
+ 
+ (define_insn "*call_value_insn"
+   [(set (match_operand 0 "" "")
+-	(call (mem:DI (match_operand:DI 1 "aarch64_call_insn_operand" "r, Usf"))
++	(call (mem:DI (match_operand:DI 1 "aarch64_call_insn_operand" "Ucr, Usf"))
+ 		      (match_operand 2 "" "")))
+    (clobber (reg:DI LR_REGNUM))]
+   ""
+   "@
+-  blr\\t%1
++  * return aarch64_indirect_call_asm (operands[1]);
+   bl\\t%c1"
+   [(set_attr "type" "call, call")]
+ )
+diff --git a/gcc/config/aarch64/constraints.md b/gcc/config/aarch64/constraints.md
+index 21f9549e6..7756dbe83 100644
+--- a/gcc/config/aarch64/constraints.md
++++ b/gcc/config/aarch64/constraints.md
+@@ -24,6 +24,15 @@
+ (define_register_constraint "Ucs" "TAILCALL_ADDR_REGS"
+   "@internal Registers suitable for an indirect tail call")
+ 
++(define_register_constraint "Ucr"
++    "aarch64_harden_sls_blr_p () ? STUB_REGS : GENERAL_REGS"
++  "@internal Registers to be used for an indirect call.
++   This is usually the general registers, but when we are hardening against
++   Straight Line Speculation we disallow x16, x17, and x30 so we can use
++   indirection stubs.  These indirection stubs cannot use the above registers
++   since they will be reached by a BL that may have to go through a linker
++   veneer.")
++
+ (define_register_constraint "w" "FP_REGS"
+   "Floating point and SIMD vector registers.")
+ 
+diff --git a/gcc/config/aarch64/predicates.md b/gcc/config/aarch64/predicates.md
+index 8e1b78421..4250aecb3 100644
+--- a/gcc/config/aarch64/predicates.md
++++ b/gcc/config/aarch64/predicates.md
+@@ -32,7 +32,8 @@
+ 
+ (define_predicate "aarch64_general_reg"
+   (and (match_operand 0 "register_operand")
+-       (match_test "REGNO_REG_CLASS (REGNO (op)) == GENERAL_REGS")))
++       (match_test "REGNO_REG_CLASS (REGNO (op)) == STUB_REGS
++		    || REGNO_REG_CLASS (REGNO (op)) == GENERAL_REGS")))
+ 
+ ;; Return true if OP a (const_int 0) operand.
+ (define_predicate "const0_operand"
+diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
+new file mode 100644
+index 000000000..b1fb754c7
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
+@@ -0,0 +1,40 @@
++/* { dg-do compile } */
++/* { dg-additional-options "-mharden-sls=blr -mbranch-protection=bti" } */
++/*
++   Ensure that the SLS hardening of BLR leaves no BLR instructions.
++   Here we also check that there are no BR instructions with anything except an
++   x16 or x17 register.  This is because a `BTI c` instruction can be branched
++   to using a BLR instruction using any register, but can only be branched to
++   with a BR using an x16 or x17 register.
++  */
++typedef int (foo) (int, int);
++typedef void (bar) (int, int);
++struct sls_testclass {
++    foo *x;
++    bar *y;
++    int left;
++    int right;
++};
++
++/* We test both RTL patterns for a call which returns a value and a call which
++   does not.  */
++int blr_call_value (struct sls_testclass x)
++{
++  int retval = x.x(x.left, x.right);
++  if (retval % 10)
++    return 100;
++  return 9;
++}
++
++int blr_call (struct sls_testclass x)
++{
++  x.y(x.left, x.right);
++  if (x.left % 10)
++    return 100;
++  return 9;
++}
++
++/* { dg-final { scan-assembler-not {\tblr\t} } } */
++/* { dg-final { scan-assembler-not {\tbr\tx(?!16|17)} } } */
++/* { dg-final { scan-assembler {\tbr\tx(16|17)} } } */
++
+diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
+new file mode 100644
+index 000000000..88baffffe
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
+@@ -0,0 +1,33 @@
++/* { dg-additional-options "-mharden-sls=blr -save-temps" } */
++/* Ensure that the SLS hardening of BLR leaves no BLR instructions.
++   We only test that all BLR instructions have been removed, not that the
++   resulting code makes sense.  */
++typedef int (foo) (int, int);
++typedef void (bar) (int, int);
++struct sls_testclass {
++    foo *x;
++    bar *y;
++    int left;
++    int right;
++};
++
++/* We test both RTL patterns for a call which returns a value and a call which
++   does not.  */
++int blr_call_value (struct sls_testclass x)
++{
++  int retval = x.x(x.left, x.right);
++  if (retval % 10)
++    return 100;
++  return 9;
++}
++
++int blr_call (struct sls_testclass x)
++{
++  x.y(x.left, x.right);
++  if (x.left % 10)
++    return 100;
++  return 9;
++}
++
++/* { dg-final { scan-assembler-not {\tblr\t} } } */
++/* { dg-final { scan-assembler {\tbr\tx[0-9][0-9]?} } } */
+-- 
+2.25.1
+