<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-oe/classes, branch styhead-next</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=styhead-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=styhead-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2024-04-23T22:18:30+00:00</updated>
<entry>
<title>Add class for appending dm-verity hash data to block device images</title>
<updated>2024-04-23T22:18:30+00:00</updated>
<author>
<name>Jan Luebbe</name>
<email>jlu@pengutronix.de</email>
</author>
<published>2024-04-23T10:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=6f4501734f28f3133ad9ac70b8d320cca8b40c4e'/>
<id>urn:sha1:6f4501734f28f3133ad9ac70b8d320cca8b40c4e</id>
<content type='text'>
Add support to generate a dm-verity image and the parameters required to
assemble the corresponding table for the device-mapper driver. The latter will
be stored in the file ${DEPLOY_DIR_IMAGE}/&lt;IMAGE_LINK_NAME&gt;.verity-params.
Note that in the resulting image the hash tree data is appended to the contents
of the original image without an explicit superblock to keep things simple and
compact.

The above mentioned parameter file can be sourced by a shell to finally create
the desired blockdevice via "dmsetup" (found in meta-oe's recipe
"libdevmapper"), e.g.

  . &lt;IMAGE_LINK_NAME&gt;.verity-params
  dmsetup create &lt;dm_dev_name&gt; --readonly --table "0 $VERITY_DATA_SECTORS verity \
      1 &lt;dev&gt; &lt;hash_dev&gt; \
      $VERITY_DATA_BLOCK_SIZE  $VERITY_HASH_BLOCK_SIZE \
      $VERITY_DATA_BLOCKS  $VERITY_DATA_BLOCKS \
      $VERITY_HASH_ALGORITHM  $VERITY_ROOT_HASH  $VERITY_SALT \
      1 ignore_zero_blocks"

As the hash tree data is found at the end of the image, &lt;dev&gt; and &lt;hash_dev&gt;
should be the same blockdevice in the command shown above while &lt;dm_dev_name&gt; is
the name of the to be created dm-verity-device.

The root hash is calculated using a salt to make attacks more difficult. Thus,
please grant each image recipe its own salt which could be generated e.g. via

  dd if=/dev/random bs=1k count=1 | sha256sum

and assign it to the parameter VERITY_SALT.

Signed-off-by: Jan Luebbe &lt;jlu@pengutronix.de&gt;
Signed-off-by: Rouven Czerwinski &lt;r.czerwinski@pengutronix.de&gt;
Signed-off-by: Marco Felsch &lt;m.felsch@pengutronix.de&gt;
Signed-off-by: Ulrich Ölmann &lt;u.oelmann@pengutronix.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>signing.bbclass: fix typos</title>
<updated>2024-03-05T23:09:24+00:00</updated>
<author>
<name>Ulrich Ölmann</name>
<email>u.oelmann@pengutronix.de</email>
</author>
<published>2024-03-05T20:07:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=123c58693ac786c3cef8a74b03c1557a66dc0142'/>
<id>urn:sha1:123c58693ac786c3cef8a74b03c1557a66dc0142</id>
<content type='text'>
Signed-off-by: Ulrich Ölmann &lt;u.oelmann@pengutronix.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>signing.bbclass: fix wrong function name</title>
<updated>2024-02-23T17:17:42+00:00</updated>
<author>
<name>Sascha Hauer</name>
<email>sha@pengutronix.de</email>
</author>
<published>2024-02-23T08:45:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=30d1eb08b42e9eeb76037fdc8613610878ba1092'/>
<id>urn:sha1:30d1eb08b42e9eeb76037fdc8613610878ba1092</id>
<content type='text'>
The function signing_import_pubkey_from_pem is defined twice, one of
them should really be named signing_import_pubkey_from_der. Fix this and
while at it fix some argument names in the comments above the functions
as well.

Reported-by: Miklos Toth &lt;Miklos.Toth@knorr-bremse.com&gt;
Fixes: 4a6ac691f ("add signing.bbclass as infrastructure for build artifact signing")
Signed-off-by: Sascha Hauer &lt;sha@pengutronix.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>signing.bbclass: make it work with eliptic curve keys</title>
<updated>2024-02-13T20:41:23+00:00</updated>
<author>
<name>Sascha Hauer</name>
<email>s.hauer@pengutronix.de</email>
</author>
<published>2024-02-13T09:18:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c9ddb71d35c68ba58f5318a5bcc504a2ee1026a9'/>
<id>urn:sha1:c9ddb71d35c68ba58f5318a5bcc504a2ee1026a9</id>
<content type='text'>
"openssl rsa" works with RSA keys only. Use "openssl pkey" instead which
is a frontend that picks the right operation automatically and works
with RSA keys, eliptic curve keys and also DSA keys.

Signed-off-by: Sascha Hauer &lt;s.hauer@pengutronix.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>gitpkgv.bbclass: adjust the example in comment a bit</title>
<updated>2024-02-09T17:52:12+00:00</updated>
<author>
<name>Martin Jansa</name>
<email>martin.jansa@gmail.com</email>
</author>
<published>2024-02-06T13:18:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=3482f8973ec493337dd0f0a7d459c1861f951b4f'/>
<id>urn:sha1:3482f8973ec493337dd0f0a7d459c1861f951b4f</id>
<content type='text'>
* the first example isn't very useful anymore since:
  SRCPV is deferred now from PV to PKGV since:
  https://git.openembedded.org/openembedded-core/commit/?h=nanbield&amp;id=a8e7b0f932b9ea69b3a218fca18041676c65aba0

* but keep it in the bbclass in case someone is still using it
  for whatever reason (the version with tag still makes some sense)

Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>signing.bbclass: don't export OPENSSL environment variables globally</title>
<updated>2023-10-09T16:38:49+00:00</updated>
<author>
<name>Ahmad Fatoum</name>
<email>a.fatoum@pengutronix.de</email>
</author>
<published>2023-09-20T14:33:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=4ad790c7334b02d6d150285a952d84a02645773f'/>
<id>urn:sha1:4ad790c7334b02d6d150285a952d84a02645773f</id>
<content type='text'>
OPENSSL_{MODULES,ENGINES,CONF} and SSL_CERT_{DIR,FILE} are currently
exported globally for any recipe that inherits signing. This not only
affects the tasks that use the signing infrastructure, but also unrelated
tasks like e.g. do_fetch. Avoid this by exporting the variables only
for these tasks that actually call signing_prepare.

This resolves a breakage I observed on Ubuntu 18.04, where the host
tool wget is called with the environment variables set and then fails
with a SSL error (exit code 5).

Signed-off-by: Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>image_types_sparse: Fix syntax error</title>
<updated>2023-08-01T17:26:51+00:00</updated>
<author>
<name>Chris Dimich</name>
<email>chris.dimich@boundarydevices.com</email>
</author>
<published>2023-08-01T16:40:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=dff205f5a3b15cbe1d63c5e351dae7a659042213'/>
<id>urn:sha1:dff205f5a3b15cbe1d63c5e351dae7a659042213</id>
<content type='text'>
When using the image type:

	IMAGE_FSTYPES += " wic.sparse"
	IMAGE_CLASSES += " image_types_sparse"

The following error arises:

	Syntax error: Bad function name

So need to remove function in favor of variable.

Also remove IMAGE_NAME_SUFFIX as per:

https://git.openembedded.org/openembedded-core/commit/?id=26d97acc71379ab6702fa54a23b6542a3f51779c

Signed-off-by: Chris Dimich &lt;chris.dimich@boundarydevices.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>gitpkgv: Fix python deprecation warning</title>
<updated>2023-05-03T23:26:17+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2023-05-03T15:29:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=5d33d2c530c85b3dbbac135234855be10f58351b'/>
<id>urn:sha1:5d33d2c530c85b3dbbac135234855be10f58351b</id>
<content type='text'>
Fixes
DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13

pipes is an alias for shlex therefore switch to using shlex

Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>add signing.bbclass as infrastructure for build artifact signing</title>
<updated>2023-02-15T16:23:49+00:00</updated>
<author>
<name>Jan Luebbe</name>
<email>jlu@pengutronix.de</email>
</author>
<published>2023-02-13T11:20:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=4a6ac691f209204434da38fd271a91455391e728'/>
<id>urn:sha1:4a6ac691f209204434da38fd271a91455391e728</id>
<content type='text'>
This adds common infrastructure to access and used asymmetric keys to
sign build artifacts. The approach and implementation was presented at
the recent OpenEmbedded Workshop:
https://pretalx.com/openembedded-workshop-2023/talk/3C8MFF/

A working demo setup for verified boot based on qemu is available at
https://github.com/jluebbe/meta-code-signing.

Signed-off-by: Jan Luebbe &lt;jlu@pengutronix.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>image_types_sparse: Generate "don't care" chunks</title>
<updated>2022-08-13T14:05:31+00:00</updated>
<author>
<name>Sean Anderson</name>
<email>sean.anderson@seco.com</email>
</author>
<published>2022-08-12T19:44:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=9862a017fa7f88424f0670ba89af58e5051550b0'/>
<id>urn:sha1:9862a017fa7f88424f0670ba89af58e5051550b0</id>
<content type='text'>
By default, img2simg will only generate raw and fill chunks. This adds
support for "don't care" chunks, based on file holes. This is similar to
how bmaptool works. "don't care" chunks do not need to be written,
speeding up flashing time.

Signed-off-by: Sean Anderson &lt;sean.anderson@seco.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
</feed>
