Mirror of git.yoctoproject.org/meta-security.git https://git.enea.com/cgit/linux/meta-security.git/atom?h=master-next 2026-05-17T14:45:41+00:00 2026-05-17T14:45:41+00:00 Li Zhou li.zhou@windriver.com 2026-04-27T02:48:32+00:00 urn:sha1:b4c43ad77ad7eedab05d48dcbd32e4ef96b21c83 Fix the typo "aida" to "aide" in STAGING_AIDE_DIR. Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com> 2026-01-16T21:25:02+00:00 Stephan Wurm stephan.wurm@a-eberle.de 2026-01-07T13:37:34+00:00 urn:sha1:9e6d962250aab6e5319215f15b0201ef233c46cd This is necessary for cryptsetup starting from v2.8.0 which introduced "[units]" in its output breaking the parsing of veritysetup output. VERITY header information for image-poky-20250701085433.squashfs-zst.verity. UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98 Hash type: 1 Data blocks: 40091 Data block size: 4096 [bytes] Hash blocks: 318 Hash block size: 4096 [bytes] Hash algorithm: sha256 Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693 This extends the value filter to remove the "[units]" from the .env file, while retaining compatibility to older cryptsetup releases. Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de> Signed-off-by: Scott Murray <scott.murray@konsulko.com> 2025-03-12T19:31:15+00:00 Lorenzo Arena arena.lor@gmail.com 2025-02-17T14:54:20+00:00 urn:sha1:674f1e3367c7cfb606047b2050338c725ba2eca2 This is needed when a verity image is used in conjunction with tools like a WIC and a bmap file, as avoiding writing "sparse" sectors can result in errors in the signature verification. Signed-off-by: Lorenzo Arena <arena.lor@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2024-12-16T17:49:13+00:00 Louis Rannou louis.rannou@non.se.com 2024-05-20T19:33:47+00:00 urn:sha1:8c9cdd60e429025ad75827eca08d37ef2725b832 Fix the verity class when the IMAGE_BASENAME has changed. Prefer DM_VERITY_IMAGE for staging env and wic fragment so it matchs what is used in the dm-verity-image-initramfs and the base wks systemd-bootdisk-dmverity.wks.in. Signed-off-by: Louis Rannou <louis.rannou@non.se.com> Signed-off-by: Louis Rannou <louis.rannou@syslinbit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2024-12-16T17:49:04+00:00 gr embeter grembeter=gmail.com@lists.yoctoproject.org 2024-11-09T11:31:45+00:00 urn:sha1:29d46054c2a3c71ae1ad164a6f32bd6ecbe1b07b Useful to pass additional arguments to veritysetup, for example '--no-superblock' to make system less vulnerable to certain types of attacks and data maniputaion on the disk. Signed-off-by: Grygorii Tertychnyi <grembeter@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2024-03-27T16:36:58+00:00 Kevin Hao kexin.hao@windriver.com 2024-02-22T01:21:54+00:00 urn:sha1:d80cd2ba6a3ef850cef12578671a5b17d86d3e7c After the using inherit_defer for the image classes in oe-core commit 451363438d38 ("classes/recipes: Switch to use inherit_defer"), the using of anonymous python function in dm-verity-img.bbclass to set the IMAGE_FSTYPES doesn't work anymore. The reason is that image.bbclass also use anonymous python function to add the do_image_xxx task for the corresponding filesystem type. The anonymous function in dm-verity-img.bbclass is evaluated much later than the one in image.bbclass. Then the task such as do_image_vhash will not be added as we expect. So we choose to use "+=" to set the IMAGE_FSTYPES. The populate_sdk_ext.bbclass may generate a dependency list like below: core-image-minimal.do_sdk_depends -> lib32-core-image-minimal.do_image_vhash So we also need to make sure the do_image_vhash task for the multilib filesystem is added. Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2024-03-27T16:36:58+00:00 Kevin Hao kexin.hao@windriver.com 2024-02-22T01:21:53+00:00 urn:sha1:7b951e3900943b5f4a05a0c06cdff6bd29b4fa00 After the oe-core commit 26d97acc7137 ("image-artifact-names: include ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}"), the image names have changed from core-image-minimal-qemux86-64-20230307181808.rootfs.ext4 core-image-minimal-qemux86-64.ext4 to core-image-minimal-qemux86-64.rootfs-20230307181456.ext4 core-image-minimal-qemux86-64.rootfs.ext4 Adjust the images name used by dm-verity according to this change. Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2023-12-29T14:09:30+00:00 Mikko Rapeli mikko.rapeli@linaro.org 2023-12-21T07:57:30+00:00 urn:sha1:73e03651ef78d42577e052d7abfc13a9a36b3cbd If image recipe A wants to embed another image B which used dm-verity-img.bbclass and generated the .wks file, then recipe B must deploy everything to IMGDEPLOYDIR but recipe A finds the output from DM_VERITY_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}". Now both A and B images can use dm-verity-img.bbclass. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Reviewed-by: Erik Schilling <erik.schilling@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2023-12-29T14:09:30+00:00 Erik Schilling erik.schilling@linaro.org 2023-12-21T07:57:29+00:00 urn:sha1:fd295b2c28219a0cd53087e7ff96edecd9b23d9d It is embedded into IMAGE_NAME since poky master branch commit 6f6c79029bc2020907295858449c725952d560a1 Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Erik Schilling <erik.schilling@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2023-12-29T14:09:30+00:00 Erik Schilling erik.schilling@linaro.org 2023-12-21T07:57:28+00:00 urn:sha1:57723ce65ebf4c8647fcf94e139c56cc4634913f Build host may not have bc. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Erik Schilling <erik.schilling@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>