Avoid inheriting qemu.bbclass and use oe.qemu.xxx instead.
Also, the 'qemu-native' dep is replaced by 'qemuwrapper-cross' for
PACKAGE_WRITE_DEPS. qemuwrapper-cross is the one that is actually
used by postinsts and it has 'qemu-native' in DEPENDS.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Files under it are source files. And if go/src is located under
/usr/lib, this will result in very long LD_LIBRARY_PATH causing
failure.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Using qemu to run non-elf executables such as shell scripts directly
is destined to fail. In such a case, we check its interpreter and try
our best to run it accordingly.
We'll also need to skip the "/etc" directory as files under it are
configuration files and init scripts. And the init script will
send SIGTERM and SIGKILL to all processes, giving users annoying
behavior.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We need to ensure sysroot is available for this version check task,
otherwise, running binaries might fail because of lack of libraries
from sysroot.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If users set CHECK_VERSION_PN for a recipe and its value is a single
'%', then it matches anything. So there's no point doing any further
check.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Avoid a single '(' in version. For example, we want to extract the
'2.30.31' instead of '2.30.31(2' for lvm2.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If the kernel build type uses compression, the bootloader needs to take
care of decompression. This must be configured in the FIT image via
FITIMAGE_IMAGE_myimage[comp]. So warn if the FIT image kernel compression
is not specified in such a case.
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Similar to e152f01d, this fixes another occurrence of the config section
name to contain the 'conf_prefix'.
Luckily, this one is only debug output.
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
A given image type should be valid. Thus fail early here instead of
randomly failing later during mkimage call.
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
When no type is set, we simply pick 'kernel' as the default since it
is still the most common to be used for FIT images.
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
The 'image' name should be printed rather than the (unset) 'recipe'.
Also use f-strings for better readability.
Since a missing recipe configuration is fatal to a proper generation,
abort the parsing with bb.fatal instead of continuing with a broken
configuration.
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Add a mechanism to check mismatch between runtime version and build time version.
To use, add the following line to local.conf:
include conf/version-check.conf
Ideally, layers will have their own conf/version-check.conf to establish
some baseline, so that any future warning indicates some error. In such
case, users can use include_all:
include_all conf/version-check.conf
The basic idea is to use qemu to run executables at build time, extract
possible versions, and check if there's a mismatch found.
Python meta data and .pc files are also checked for quick match. This
is because such info are also easy to be checked by users.
check-version-mismatch.bbclass is the class that does the actual work.
A new variable, CHECK_VERSION_PV, is introduced. It defaults to ${PKGV},
but also allows override. This allows us to handle special cases in each
layer.
version-check.conf is the configuration file that makes this functionality
easier to use and draws some baseline. It contains some override settings
for some recipes. With these overrides, all recipes in oe-core are handled
well. All warnings are valid warnings.
Note that 'ps' is added to HOSTTOOLS in version-check.conf. This is because
we need 'ps' to find stale processes and then clean them.
The warnings are like below:
WARNING: time-1.9-r0 do_package_check_version_mismatch: Possible runtime versions ['UNKNOWN'] do not match recipe version 1.9
WARNING: python3-unittest-automake-output-0.2-r0 do_package_check_version_mismatch: Possible runtime versions ['0.1'] do not match recipe version 0.2
WARNING: pinentry-1.3.1-r0 do_package_check_version_mismatch: Possible runtime versions ['1.3.1-unknown'] do not match recipe version 1.3.1
...
There will be a data directory containing all details: tmp/check-version-mismatch.
This directory contains detailed data for each recipe that is built.
If users don't want it, they can set DEBUG_VERSION_MISMATCH_CHECK to 0.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
On some setups, the verity partition and the corresponding hash data are
handled separately. To account for this, a HASHDEV_SUFFIX is introduced
to divert the hash data to a separate image artifact. By default, this
suffix is equal to the image suffix, meaning that the hash data is
appended to the verity image, like before.
When the hash data is written to a separate file, the verity image is
padded with zeroes until its size is a multiple of block_size.
Signed-off-by: Erik Schumacher <erik.schumacher@iris-sensing.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The bitbake fetcher dropped support for multiple revisions on a single
url. Update the gitpkgver code to match.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The functions related to signing the fitimage had missing quotations and
newlines. Without this punctuation, the signing class would fail to
generate a signed fitimage.
To test this change just create a fitImage using this class and set
FITIMAGE_SIGN to 1. The resulting fitImage its file should have one
property per line with quotes around the property values.
Signed-off-by: John Ripple <john.ripple@keysight.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When linking to capnproto from another project, cmake fails to
find this package with the following error:
| CMake Error at ${RECIPE_SYSROOT}/usr/lib/cmake/CapnProto/CapnProtoTargets.cmake:176 (message):
| The imported target "CapnProto::capnp_tool" references the file
|
| "${RECIPE_SYSROOT}/usr/bin/capnp"
|
| but this file does not exist. Possible reasons include:
To solve this, this change includes the following:
1. Add a patch that removes the files installed (and exported) in
${bindir} from the target build. The CMake file originally verified
that these files exist when another recipe tried to use it, however
the ${RECIPE_SYSROOT} does not contain the binaries in ${bindir},
so it failed quick in the do_configure step. (This alone is enough
to link against the cross-compiled libraries of capnproto successfully,
but code-generation from capnproto definition fails)
2. Add a new bbclass for capnproto. To cross-compile an application
that uses capnproto, the application needs to be linked against the
cross-compiled version of the libraries, however the native version
of the binaries need to be used to generate C++ code from the
capnproto definitions. This class sets the correct CMake arguments, to
use the capnproto binaries from the native package, instead of looking
for the non-existent cross-compiled binaries. (These variables can
be found in ${libdir}/cmake/CapnProto/CapnProtoConfig.cmake file)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
xserver-common was the last recipe to use this, so remove it.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The `panel-mipi-dbi.bbclass` can be used to build a firmware file for use
with the `panel-mipi-dbi` Linux driver.
The class uses the `mipi-dbi-cmd` from `panel-mipi-dbi-native` to
assemble a human readable list of init commands into a firmware file
for use with the `panel-mipi-dbi` Linux driver.
Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a (more helpful) error message in case the Package-Name exceeds a
certain length which would have the softhsm tools error out.
The $PN is used as 'label' in the softhsm, which is a
"CK_UTF8CHAR paddedLabel[32]" in softhsm2-util.cpp,
so it must not be longer.
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add handling of ca-chains which can consist of more than one
certificate in a .pem file, which need to be split off, processed and
stored separately in the softhsm - as the tool-chain
signing.bbclass::signing_import_cert* -> softhsm -> 'extract-cert'
only supports one-per-file, due to using/expecting "plain" x509
in-/output.
The added signing_import_cert_chain_from_pem function takes a <role>
basename, and iterates through the input .pem file, creating numbered
<role>_1, _2, ... roles as needed.
Afterwards the certificates can be used or extracted one-by-one from
the softhsm, using the numbered roles; the only precondition - or
limitation - is that the PKI structure has to be known beforehand;
e.g. how many certificates are between leaf and root.
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
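The chain splitting described in the commit message above, as an added example that is not the signing.bbclass code: it writes one certificate per numbered file and reports how many it found, so the caller can compare that against the expected chain length. The names split_cert_chain and make_sample_chain and the <role>_<n>.pem file naming are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration, not the signing.bbclass code. split_cert_chain and the
# <role>_<n>.pem file naming are assumptions made for this example.

# split_cert_chain <chain.pem> <role> <outdir>
# Writes one certificate per file and prints how many were found.
split_cert_chain() {
    pem=$1 role=$2 outdir=$3
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    count=$(awk -v prefix="$outdir/$role" '
        /^-----BEGIN CERTIFICATE-----/ {
            if (out != "") { bad = 1; exit }   # BEGIN inside an open block
            n++; out = prefix "_" n ".pem"
        }
        out != "" { print > out }              # text between blocks is dropped
        /^-----END CERTIFICATE-----/ {
            if (out == "") { bad = 1; exit }   # END without BEGIN
            close(out); out = ""
        }
        END { if (bad || out != "") exit 1; print n + 0 }
    ' "$pem") || { echo "malformed PEM in $pem" >&2; return 1; }
    [ "$count" -gt 0 ] || { echo "no certificate in $pem" >&2; return 1; }
    echo "$count"
}

# Constructed sample: two dummy blocks (not real certificates) with the
# "subject=" text lines that tools often emit between chain entries.
make_sample_chain() {
    cat > "$1" <<'EOF'
subject=CN = constructed leaf
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
subject=CN = constructed intermediate
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
make_sample_chain "$tmp/chain.pem"
echo "certificates: $(split_cert_chain "$tmp/chain.pem" ca "$tmp/out")"
```

A truncated or unbalanced block makes the function fail instead of importing a partial certificate.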
The FIT image support in OE is quite limited:
1) No support to build an arbitrary number of FIT images since the FIT
image generation is tightly coupled to the kernel image.
2) A lot of U_BOOT-specific variables which may not be necessary for
other bootloaders.
3) No usage of the meta-oe signing.bbclass for signed FIT images.
This alternative class is added to solve the above-mentioned problems:
1) The class can be inherited by an arbitrary number of
<fit-image-name>.bb recipes to generate FIT images
2) No U_BOOT-specific variables are used
3) <fit-image-name>.bb recipes can prepend the do_fitimage() to
provide the key using the signing.bbclass e.g.:
    do_fitimage:prepend() {
        signing_prepare
        signing_use_role "${FITIMAGE_SIGNING_KEY_ROLE}"
    }
Then enable and configure signing as follows:
    FITIMAGE_SIGN = "1"
    FITIMAGE_MKIMAGE_EXTRA_ARGS = "--engine pkcs11"
    FITIMAGE_SIGN_KEYDIR = "${PKCS11_URI}"
This class is inspired by the meta-phytec fitimage.bbclass [1].
[1] https://git.phytec.de/meta-phytec/tree/classes/fitimage.bbclass
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add support to generate a dm-verity image and the parameters required to
assemble the corresponding table for the device-mapper driver. The latter will
be stored in the file ${DEPLOY_DIR_IMAGE}/<IMAGE_LINK_NAME>.verity-params.
Note that in the resulting image the hash tree data is appended to the contents
of the original image without an explicit superblock to keep things simple and
compact.
The above mentioned parameter file can be sourced by a shell to finally create
the desired blockdevice via "dmsetup" (found in meta-oe's recipe
"libdevmapper"), e.g.
. <IMAGE_LINK_NAME>.verity-params
dmsetup create <dm_dev_name> --readonly --table "0 $VERITY_DATA_SECTORS verity \
1 <dev> <hash_dev> \
$VERITY_DATA_BLOCK_SIZE $VERITY_HASH_BLOCK_SIZE \
$VERITY_DATA_BLOCKS $VERITY_DATA_BLOCKS \
$VERITY_HASH_ALGORITHM $VERITY_ROOT_HASH $VERITY_SALT \
1 ignore_zero_blocks"
As the hash tree data is found at the end of the image, <dev> and <hash_dev>
should be the same blockdevice in the command shown above while <dm_dev_name> is
the name of the to be created dm-verity-device.
The root hash is calculated using a salt to make attacks more difficult. Thus,
please grant each image recipe its own salt which could be generated e.g. via
dd if=/dev/random bs=1k count=1 | sha256sum
and assign it to the parameter VERITY_SALT.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
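An added example, not part of the class: one way to turn the .verity-params file described above into the dm-verity table while checking every field first. It assumes the file holds plain NAME=value lines and that the hash tree is appended to the image; verity_table, make_sample_params and all sample values are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration, not part of the class. Assumes the params file holds
# plain NAME=value lines and that the hash tree is appended to the image,
# so <dev> and <hash_dev> are the same block device.

# verity_table <params-file> <dev>: print the table without calling dmsetup.
# The file is parsed rather than sourced so its content is never executed.
verity_table() {
    dev=$2
    sectors= blocks= dbs= hbs= alg= root= salt=
    while IFS='=' read -r key val; do
        val=${val#\"}; val=${val%\"}          # tolerate optional quotes
        case $key in
            VERITY_DATA_SECTORS)     sectors=$val ;;
            VERITY_DATA_BLOCKS)      blocks=$val ;;
            VERITY_DATA_BLOCK_SIZE)  dbs=$val ;;
            VERITY_HASH_BLOCK_SIZE)  hbs=$val ;;
            VERITY_HASH_ALGORITHM)   alg=$val ;;
            VERITY_ROOT_HASH)        root=$val ;;
            VERITY_SALT)             salt=$val ;;
        esac
    done < "$1" || return 1
    for v in "$sectors" "$blocks" "$dbs" "$hbs"; do
        case $v in ''|*[!0-9]*) echo "bad number: '$v'" >&2; return 1 ;; esac
    done
    for v in "$root" "$salt"; do
        case $v in ''|*[!0-9a-fA-F]*) echo "bad hex: '$v'" >&2; return 1 ;; esac
    done
    case $alg in ''|*[!a-z0-9-]*) echo "bad algorithm: '$alg'" >&2; return 1 ;; esac
    # The mapped length must fit inside the declared number of data blocks.
    [ "$sectors" -le $((blocks * dbs / 512)) ] ||
        { echo "mapped area larger than data blocks" >&2; return 1; }
    echo "0 $sectors verity 1 $dev $dev $dbs $hbs $blocks $blocks" \
         "$alg $root $salt 1 ignore_zero_blocks"
}

# Constructed sample values; a real file comes from the image build.
make_sample_params() {
    cat > "$1" <<'EOF'
VERITY_DATA_SECTORS=16384
VERITY_DATA_BLOCKS=2048
VERITY_DATA_BLOCK_SIZE=4096
VERITY_HASH_BLOCK_SIZE=4096
VERITY_HASH_ALGORITHM=sha256
VERITY_ROOT_HASH=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
VERITY_SALT=ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
EOF
}

tmp=$(mktemp -d)
make_sample_params "$tmp/sample.verity-params"
verity_table "$tmp/sample.verity-params" /dev/vda2
```

The printed line is what would be passed to `dmsetup create <dm_dev_name> --readonly --table`.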
The function signing_import_pubkey_from_pem is defined twice, one of
them should really be named signing_import_pubkey_from_der. Fix this and
while at it fix some argument names in the comments above the functions
as well.
Reported-by: Miklos Toth <Miklos.Toth@knorr-bremse.com>
Fixes: 4a6ac691f ("add signing.bbclass as infrastructure for build artifact signing")
Signed-off-by: Sascha Hauer <sha@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
"openssl rsa" works with RSA keys only. Use "openssl pkey" instead which
is a frontend that picks the right operation automatically and works
with RSA keys, elliptic curve keys and also DSA keys.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
OPENSSL_{MODULES,ENGINES,CONF} and SSL_CERT_{DIR,FILE} are currently
exported globally for any recipe that inherits signing. This not only
affects the tasks that use the signing infrastructure, but also unrelated
tasks like e.g. do_fetch. Avoid this by exporting the variables only
for these tasks that actually call signing_prepare.
This resolves a breakage I observed on Ubuntu 18.04, where the host
tool wget is called with the environment variables set and then fails
with a SSL error (exit code 5).
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When using the image type:
IMAGE_FSTYPES += " wic.sparse"
IMAGE_CLASSES += " image_types_sparse"
The following error arises:
Syntax error: Bad function name
So need to remove function in favor of variable.
Also remove IMAGE_NAME_SUFFIX as per:
https://git.openembedded.org/openembedded-core/commit/?id=26d97acc71379ab6702fa54a23b6542a3f51779c
Signed-off-by: Chris Dimich <chris.dimich@boundarydevices.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes
DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13
pipes is an alias for shlex therefore switch to using shlex
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This adds common infrastructure to access and use asymmetric keys to
sign build artifacts. The approach and implementation was presented at
the recent OpenEmbedded Workshop:
https://pretalx.com/openembedded-workshop-2023/talk/3C8MFF/
A working demo setup for verified boot based on qemu is available at
https://github.com/jluebbe/meta-code-signing.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
By default, img2simg will only generate raw and fill chunks. This adds
support for "don't care" chunks, based on file holes. This is similar to
how bmaptool works. "don't care" chunks do not need to be written,
speeding up flashing time.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If the source image's size is not aligned to the sparse image's block
size, then conversion will fail with
img2simg: libsparse/sparse.cpp:133: int write_all_blocks(sparse_file*, output_file*): Assertion `pad >= 0' failed.
This is a bug in img2simg, but an easy way to work around it is to pad
the source image ourselves. The default block size of 4096 matches
img2simg's default block size.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Under some conditions ext2simg can corrupt the file system (see
https://lore.kernel.org/linux-ext4/CAP71WjwVdqmLEq1NGWK36JkEd-i05YcAu4jeY6GFjsk6TS=Mtg@mail.gmail.com/).
This has been reproduced with the ext2simg currently found in meta-oe's
android-tools-native. Stop using ext2simg and always use img2simg. This
results in bigger images, but without the risk of image corruption.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
After changing image_types_sparse to follow new override syntax, using
this class generates the syntax error, because CONVERSION_CMD:sparse()
function is added to the generated shell file, but a colon can not be a
part of the function name. Rewrite it to be the variable rather than the
function, so that it does not end up in the run.do_image_FOO file.
DEBUG: Executing shell function do_image_ext4
[.......]/temp/run.do_image_ext4.1247938: line 184: `CONVERSION_CMD:sparse': not a valid identifier
WARNING: [.......]/temp/run.do_image_ext4.1247938:151 exit 2 from 'export systemd_user_unitdir="/usr/lib/systemd/user"'
WARNING: Backtrace (BB generated script):
#1: main, [.......]/temp/run.do_image_ext4.1247938, line 151
ERROR: Execution of '[.......]/temp/run.do_image_ext4.1247938' failed with exit code 2:
[.......]/temp/run.do_image_ext4.1247938: line 184: `CONVERSION_CMD:sparse': not a valid identifier
WARNING: [.......]/temp/run.do_image_ext4.1247938:151 exit 2 from 'export systemd_user_unitdir="/usr/lib/systemd/user"'
WARNING: Backtrace (BB generated script):
#1: main, [.......]/temp/run.do_image_ext4.1247938, line 151
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Adds a class to create sparse image files using the Android tools
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Introduce GITPKGV_TAG_REGEXP (which defaults to "v(\d.*)") to support
dropping other unwanted parts of the found tags than just a leading
"v". Any matching groups in the regexp will be concatenated to yield
the final version.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When checking for commit specific tags during GITPKGVTAG resolution, use
additional '--tags' and '--exact-match' options for 'git describe'
command.
This changes the behaviour so that in case an annotated tag does not
exist for the particular commit, then the latest lightweight
(non-annotated) tag is used instead, in case that commit has at least
one such tag.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Avoid redundant shell working directory change by resorting to
'--git-dir' option for git command instead.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
A couple have still been missed in the past despite multiple
attempts at doing so (or simply have re-appeared?).
Search & replace made using the following command:
sed -e 's|\(d\.getVar \?\)( \?\([^,()]*\), \?True)|\1(\2)|g' \
-i $(git grep -E 'getVar ?\( ?([^,()]*), ?True\)' \
| cut -d':' -f1 \
| sort -u)
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Google breakpad requires a very specific folder structure which is only known after dump_syms has been executed.
Therefore the .sym file's first line has to be parsed in order to move the file where breakpad wants it.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is adding the functionality to run scancode utility on code.
You need to set the following variables to use it. You can override
these from local.conf or auto.conf.
1) SCANCODE_GIT_LOCATION: Git Path for scancode-toolkit cloning, default is set.
2) SCANCODE_TAG: Select tag, if you want.
3) SCANCODE_FORMAT: Output file format json or html-app.
4) SCANCODE_SRC_LOCATION: Location to store scancode-toolkit.
This belongs to OI-2.
Signed-off-by: H M Irfan Sadiq <irfan_sadiq@mentor.com>
Signed-off-by: Noor Ahsan <noor_ahsan@mentor.com>