<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/recipes-core, branch scarthgap-next</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=scarthgap-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=scarthgap-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2025-11-24T17:04:14+00:00</updated>
<entry>
<title>packagegroup-core-security: add missing packages</title>
<updated>2025-11-24T17:04:14+00:00</updated>
<author>
<name>Scott Murray</name>
<email>scott.murray@konsulko.com</email>
</author>
<published>2025-10-07T18:32:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=a9fce67cff4977d6366e35a6083e6b6c232792a5'/>
<id>urn:sha1:a9fce67cff4977d6366e35a6083e6b6c232792a5</id>
<content type='text'>
Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
  anyway due to all the machine overrides used in the packagegroup
  definition.  Since this packagegroup is to facilitate testing and
  unlikely to be used by downstreams, it is believed this will have
  minimal impact.

(adapted from 26e745243d6d28768ed4a237d9a48f68210c70a6)
Signed-off-by: Scott Murray &lt;scott.murray@konsulko.com&gt;
</content>
</entry>
<entry>
<title>dm-verity-image-initramfs: Set IMAGE_NAME_SUFFIX to empty</title>
<updated>2024-03-27T16:36:58+00:00</updated>
<author>
<name>Kevin Hao</name>
<email>kexin.hao@windriver.com</email>
</author>
<published>2024-03-05T09:05:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=40ddb9e5ed71cc8787c929d5011f09e244123ef0'/>
<id>urn:sha1:40ddb9e5ed71cc8787c929d5011f09e244123ef0</id>
<content type='text'>
According to the Yocto reference manual [1], the IMAGE_NAME_SUFFIX should
be set to empty for the initramfs image. Otherwise, we may incur a build
error like following due to the initrd check in live-vm-common.bbclass:
  ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed.
  ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None)
  ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965
  ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1'

[1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX

Signed-off-by: Kevin Hao &lt;kexin.hao@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>dm-verity-image-initramfs: Allow compressed image types</title>
<updated>2023-08-06T15:31:18+00:00</updated>
<author>
<name>Wurm, Stephan</name>
<email>Stephan.Wurm@a-eberle.de</email>
</author>
<published>2023-07-21T08:44:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=a94674c5bc380580d9219d2bc470c408c1779de6'/>
<id>urn:sha1:a94674c5bc380580d9219d2bc470c408c1779de6</id>
<content type='text'>
Using &lt;DM_VERITY_IMAGE_TYPE&gt; in the depends variable does not work for
compressed image types like squashfs-zst, as the resulting task
dependency still contains the incompatible dash. Replacing the dash by
an underscore resolves this issue.

Signed-off-by: Stephan Wurm &lt;stephan.wurm@a-eberle.de&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>packagegroup-core-security: only include firejail x86-64 and arch64</title>
<updated>2023-07-31T10:18:52+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2023-06-30T11:15:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=e4318a3c5aa7772f3ed713552b9c82ffeffbd47d'/>
<id>urn:sha1:e4318a3c5aa7772f3ed713552b9c82ffeffbd47d</id>
<content type='text'>
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>qemu: move qemu setting to image and out of layer.conf</title>
<updated>2023-07-31T10:18:52+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2023-06-28T18:13:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=cfe73355683894ad30cc43a51973f55c2fcbf1c6'/>
<id>urn:sha1:cfe73355683894ad30cc43a51973f55c2fcbf1c6</id>
<content type='text'>
I suspect its better form to have these in the image definition.

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>packagegroup-core-security: add os-release</title>
<updated>2023-06-25T19:05:28+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2023-06-22T16:16:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=515dd792bacac1e6c594990c80f4bccf8cd082a0'/>
<id>urn:sha1:515dd792bacac1e6c594990c80f4bccf8cd082a0</id>
<content type='text'>
Exclude openscap and scap-security-guide if musl

Fix RDEPENDS list to include compliance packages.

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>dm-verity: hook separate hash into initramfs framework</title>
<updated>2023-06-25T19:05:28+00:00</updated>
<author>
<name>Paul Gortmaker</name>
<email>paul.gortmaker@windriver.com</email>
</author>
<published>2023-06-21T17:13:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=521e7b040a6011fd66d22be0c98b14ab40eca28b'/>
<id>urn:sha1:521e7b040a6011fd66d22be0c98b14ab40eca28b</id>
<content type='text'>
The prior commits create the separate hash so now it is time to update
the initramfs framework so that veritysetup, which is responsible for
binding the data and hash, is aware of when separate hash is in use,
and can react accordingly.

The added code follows the existing appended hash code style, but is
considerably smaller because it doesn't have the large case statement
that supports all possible identification schemes (label, UUID, ...).

With the root hash split in two to create the respective partition
UUIDs, we know exactly how to identify it, and the UUIDs used.

Signed-off-by: Paul Gortmaker &lt;paul.gortmaker@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>packagegroup-core-security: add compliance pkg group</title>
<updated>2023-06-20T15:07:20+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2023-06-14T13:07:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=6ae25c767337b0659544d0b5a2e46b4e73a5b069'/>
<id>urn:sha1:6ae25c767337b0659544d0b5a2e46b4e73a5b069</id>
<content type='text'>
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;

---
v2]
Missed to include trailing \
</content>
</entry>
<entry>
<title>dmverity: Suppress the realpath errors</title>
<updated>2023-06-11T14:40:33+00:00</updated>
<author>
<name>Kevin Hao</name>
<email>kexin.hao@windriver.com</email>
</author>
<published>2023-06-08T09:59:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=c50757b2f17abb5e26d069b280933451f6190829'/>
<id>urn:sha1:c50757b2f17abb5e26d069b280933451f6190829</id>
<content type='text'>
If we use a non PARTUUID root parameter, we would always get a error
like below:
  realpath: /dev/disk/by-partuuid//dev/mmcblk0p2: No such file or directory

This seems pretty confusion and it also seems no need to emit this kind
of error when we are waiting for the root device. So suppress all the
realpath errors.

Signed-off-by: Kevin Hao &lt;kexin.hao@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>packagegroup-core-security: refactor the inclusion of krill</title>
<updated>2023-03-22T12:02:50+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2023-03-21T12:12:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=4ed311eaf7cc0c8529cb2ec25a5dcfe2631b15ee'/>
<id>urn:sha1:4ed311eaf7cc0c8529cb2ec25a5dcfe2631b15ee</id>
<content type='text'>
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
