Re: [yocto] CVE Scanners and Package Version

2024-01-01 Thread Mikko Rapeli
Hi,

On Sat, Dec 23, 2023 at 02:47:36AM -0800, fabian.hanke via lists.yoctoproject.org wrote:
> Hello Yocto community,
> 
> we must provide a SBOM for our Yocto based product which will then be used 
> for (internal) CVE scanning by the security department. Generating the base 
> document in cycloneDX format is fairly easy (thanks to the nature of Yocto).

Note that SBOM is mostly used for documenting SW components and their licenses.
Obvious but needs to be made clear.

> But we do not know how to include information about CVE patches for each 
> package in the document. Not providing these, will cause a lot of “false” 
> feedback on CVEs for specific versions which are already patched (but version 
> number did not change). This problem was also mentioned a few days ago in the 
> presentation from David Reyna: https://youtu.be/PegU1G1bA80?t=1127. I like 
> the proposed solution of adding a vendor specific string to the package 
> version. But I'm still wondering: How would the CVE scanner vendor know which 
> CVEs are included in a yocto specific version and which are not?

If the intention is to know CVE patching and analysis status of a product, then
I'd use the yocto upstream tooling for this, cve-check.bbclass. SBOM and SPDX are
tempting but not actually useful for CVE patching and analysis work, except when
they show that a lot of old open source SW components are embedded into various
binaries.

The work needed to push CVE data into SPDX and SBOM is not worth it and it's
better to put the saved effort into fixing the actual CVEs. If management wants
reports, generate them from cve-check.bbclass output, but note that CVE database
is a moving target too.

AFAIK, and I'd be happy to be proven wrong, SPDX and SBOM don't help matching
SW component names and version strings so that comparison against CVE database
information works. Only license names are standardized.

Cheers,

-Mikko

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#62063): https://lists.yoctoproject.org/g/yocto/message/62063
Mute This Topic: https://lists.yoctoproject.org/mt/103332846/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
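
One way to produce the kind of report suggested in the message above from cve-check.bbclass output, as an added example that is not part of the original thread. It assumes the JSON summary layout with package[].issue[] entries carrying id, status and scorev3; the sample data and CVE ids are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the assumed layout of a cve-check JSON summary.
# CVE ids and versions are placeholders, not real records.
SAMPLE = json.loads("""
{"version": "1", "package": [
  {"name": "openssl", "layer": "meta", "version": "3.0.12",
   "issue": [
     {"id": "CVE-0000-0001", "status": "Patched",   "scorev3": "7.5"},
     {"id": "CVE-0000-0002", "status": "Unpatched", "scorev3": "9.8"},
     {"id": "CVE-0000-0003", "status": "Ignored",   "scorev3": "5.3"}]},
  {"name": "busybox", "layer": "meta", "version": "1.36.1",
   "issue": [
     {"id": "CVE-0000-0004", "status": "Unpatched", "scorev3": "0.0"},
     {"id": "CVE-0000-0005", "status": "Patched",   "scorev3": "6.1"}]}
]}
""")


def _score(issue):
    """CVSS v3 score as a float; missing or malformed scores count as 0.0."""
    try:
        return float(issue.get("scorev3", 0.0))
    except (TypeError, ValueError):
        return 0.0


def open_issues(summary):
    """(score, cve_id, package, version) for every Unpatched issue, worst first."""
    rows = []
    for pkg in summary.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") == "Unpatched":
                rows.append((_score(issue), issue["id"], pkg["name"], pkg["version"]))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def status_counts(summary):
    """Issues per status, so already-backported fixes are visible in the report."""
    return Counter(i.get("status", "Unknown")
                   for p in summary.get("package", []) for i in p.get("issue", []))


if __name__ == "__main__":
    print(dict(status_counts(SAMPLE)))
    for score, cve, name, version in open_issues(SAMPLE):
        print(f"{score:4.1f}  {cve}  {name} {version}")
```

Entries with status "Patched" are the ones a version-only scanner would report as false positives, because the package version did not change when the fix was backported.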



[linux-yocto] [yocto-kernel-cache]: nxp-s32g: enable optee related kernel configs

2024-01-01 Thread Meng Li via lists.yoctoproject.org
From: Limeng 

Hi Bruce,

This patch is used to enable optee related kernel configs.
Could you please help to merge this patch into yocto-kernel-cache, branch is 
yocto-6.1?

diffstat info as below:

 nxp-s32g.cfg |4 
 1 file changed, 4 insertions(+)


thanks,
Limeng




[linux-yocto] [PATCH] nxp-s32g: enable optee related kernel configs

2024-01-01 Thread Meng Li via lists.yoctoproject.org
Signed-off-by: Meng Li 
---
 bsp/nxp-s32g/nxp-s32g.cfg | 4 
 1 file changed, 4 insertions(+)

diff --git a/bsp/nxp-s32g/nxp-s32g.cfg b/bsp/nxp-s32g/nxp-s32g.cfg
index df6458b8..fd95c31a 100644
--- a/bsp/nxp-s32g/nxp-s32g.cfg
+++ b/bsp/nxp-s32g/nxp-s32g.cfg
@@ -181,3 +181,7 @@ CONFIG_CRYPTO_DEV_NXP_HSE_MU1=y
 
 #RANDOM
 CONFIG_HW_RANDOM=y
+
+#OPTEE
+CONFIG_TEE=y
+CONFIG_OPTEE=y
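Review bot: the commit message is empty apart from the Signed-off-by, so nothing records why CONFIG_TEE and CONFIG_OPTEE are built in (=y) in the BSP-wide nxp-s32g.cfg rather than being modular or living in an optional fragment. Please add a short body saying what on this BSP depends on OP-TEE and whether =y is needed for boot-time users, since these two lines enable the TEE driver for every nxp-s32g build.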
-- 
2.34.1





[linux-yocto] Trial merge of v6.1.70 for linux-yocto

2024-01-01 Thread Kevin Hao
Hi Bruce,

This is a trial merge of the stable kernel v6.1.70 for the following branches in linux-yocto:
  bd81c876a182  v6.1/standard/sdkv5.10/axxia
  852fcab9cd9d  v6.1/standard/preempt-rt/sdkv5.10/axxia
  e1400265cf9c  v6.1/standard/base
  46ab880eedc0  v6.1/standard/preempt-rt/base
  d74c7e9aad9e  v6.1/standard/ti-sdk-6.1/ti-j7xxx
  7082e4289668  v6.1/standard/preempt-rt/ti-sdk-6.1/ti-j7xxx
  5d78b9b4b1d8  v6.1/standard/nxp-sdk-6.1/nxp-soc
  e616b4097edc  v6.1/standard/preempt-rt/nxp-sdk-6.1/nxp-soc
  43b7aeca3e7e  v6.1/standard/cn-sdkv5.15/octeon  #Have textual and semantic conflicts
  8be05b73edbf  v6.1/standard/preempt-rt/cn-sdkv5.15/octeon  #Have textual and semantic conflicts
  fad05181dd51  v6.1/standard/microchip-polarfire-soc
  5810cd8ba757  v6.1/standard/preempt-rt/microchip-polarfire-soc
  95974b727541  v6.1/standard/bcm-2xxx-rpi
  577aba9e4592  v6.1/standard/preempt-rt/bcm-2xxx-rpi
  0291479d32f8  v6.1/standard/nxp-sdk-5.15/nxp-s32g
  23021b93fc17  v6.1/standard/preempt-rt/nxp-sdk-5.15/nxp-s32g
  c73a3eb80c49  v6.1/standard/intel-sdk-6.1/intel-socfpga
  43565be6aa19  v6.1/standard/preempt-rt/intel-sdk-6.1/intel-socfpga
  2cbd2f44f6e5  v6.1/standard/x86
  4de728052797  v6.1/standard/preempt-rt/x86
  0c1a8de00115  v6.1/standard/sdkv6.1/xlnx-soc
  145723779747  v6.1/standard/preempt-rt/sdkv6.1/xlnx-soc

There are a few merge conflicts only in the octeon branches. While these
conflicts are not huge, they involve semantic conflicts with the SDK patches,
so we need to be more cautious. All the branches have passed my build test.
I have pushed all these branches to:
https://github.com/haokexin/linux

You can use this as a reference for the linux-yocto stable kernel bump.

Thanks,
Kevin




[yocto] [PATCH] poky/poky-tiny: make 6.6 the default kernel

2024-01-01 Thread Bruce Ashfield
From: Bruce Ashfield 

Bumping the reference distros to the latest -stable/lts
kernel.

Signed-off-by: Bruce Ashfield 
---
 meta-poky/conf/distro/poky-tiny.conf | 2 +-
 meta-poky/conf/distro/poky.conf  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-poky/conf/distro/poky-tiny.conf 
b/meta-poky/conf/distro/poky-tiny.conf
index 24bcbee9bb..f3dfa8107a 100644
--- a/meta-poky/conf/distro/poky-tiny.conf
+++ b/meta-poky/conf/distro/poky-tiny.conf
@@ -44,7 +44,7 @@ FULL_OPTIMIZATION="-Os -pipe ${DEBUG_FLAGS}"
 # Distro config is evaluated after the machine config, so we have to explicitly
 # set the kernel provider to override a machine config.
 PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-tiny"
-PREFERRED_VERSION_linux-yocto-tiny ?= "6.5%"
+PREFERRED_VERSION_linux-yocto-tiny ?= "6.6%"
 
 # We can use packagegroup-core-boot, but in the future we may need a new 
packagegroup-core-tiny
 #POKY_DEFAULT_EXTRA_RDEPENDS += "packagegroup-core-boot"
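Review bot: the commit message says "latest -stable/lts" without naming the versions; state in the body that the default moves from 6.5 to 6.6. In this hunk the assignment stays weak (?=), and the context comment notes that distro config is evaluated after machine config, so a machine config that already sets PREFERRED_VERSION_linux-yocto-tiny keeps its own value. Worth one sentence in the commit message so BSP maintainers know the bump only applies where nothing else pins a version.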
diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
index f4d55a41c1..3b7bc66780 100644
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -19,8 +19,8 @@ POKY_DEFAULT_EXTRA_RRECOMMENDS = "kernel-module-af-packet"
 
 DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT} ${POKY_DEFAULT_DISTRO_FEATURES}"
 
-PREFERRED_VERSION_linux-yocto ?= "6.5%"
-PREFERRED_VERSION_linux-yocto-rt ?= "6.5%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
+PREFERRED_VERSION_linux-yocto-rt ?= "6.6%"
 
 SDK_NAME = 
"${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
 SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
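Review bot: linux-yocto and linux-yocto-rt are bumped together here, and linux-yocto-tiny in the other file, but the commit message does not list them. Please name the three affected variables in the body and confirm that a 6.6 recipe exists for each, -rt included, so the "6.6%" preference actually matches a recipe for every provider.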
-- 
2.39.2





[yocto] [yocto-autobuilder-helper][PATCH] config.json: use INIT_MANAGER

2024-01-01 Thread Chen Qi via lists.yoctoproject.org
From: Chen Qi 

The default INIT_MANAGER is 'sysvinit', to use systemd as the init
manager, we use INIT_MANAGER = 'systemd' because we can make use
of the settings in conf/distro/include/init-manager-systemd.inc.

Signed-off-by: Chen Qi 
---
 config.json | 13 +
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/config.json b/config.json
index d504d07..6024161 100644
--- a/config.json
+++ b/config.json
@@ -1107,9 +1107,8 @@
 "shortname" : "Systemd weston",
 "extravars" : [
  "TEST_SUITES:append = ' systemd'",
- "DISTRO_FEATURES:append = ' pam systemd usrmerge'",
- "VIRTUAL-RUNTIME_init_manager = 'systemd'",
- "DISTRO_FEATURES_BACKFILL_CONSIDERED = 'sysvinit'"
+ "INIT_MANAGER = 'systemd'",
+ "DISTRO_FEATURES:append = ' pam'",
 ]
 }
 },
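Review bot: the new last element of this extravars array, "DISTRO_FEATURES:append = ' pam'", ends with a comma directly before the closing ], which a strict JSON parser rejects; the removed last element had no trailing comma. Drop the comma after ' pam'".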
@@ -1422,8 +1421,8 @@
 "BBTARGETS" : "core-image-sato",
 "SANITYTARGETS" : "core-image-sato:do_testimage",
 "extravars" : [
-"DISTRO_FEATURES:append = ' systemd usrmerge'",
-"VIRTUAL-RUNTIME_init_manager = 'systemd'",
+"INIT_MANAGER = 'systemd'",
+"DISTRO_FEATURES_BACKFILL_CONSIDERED:remove = 'sysvinit'",
 "TEST_SUITES:append = ' systemd'"
 ]
 },
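Review bot: "DISTRO_FEATURES_BACKFILL_CONSIDERED:remove = 'sysvinit'" is new in this step and the commit message does not explain it. The removed lines here, unlike the other two steps touched by this patch, never set DISTRO_FEATURES_BACKFILL_CONSIDERED, so this step apparently wants sysvinit to stay backfilled alongside systemd. Say so in the commit message, because a :remove that undoes part of what INIT_MANAGER = 'systemd' sets up is easy to mistake for a leftover.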
@@ -1442,9 +1441,7 @@
 "SANITYTARGETS" : "core-image-sato:do_testimage",
 "extravars" : [
 "TEST_SUITES:append = ' systemd'",
-"DISTRO_FEATURES:append = ' systemd usrmerge'",
-"VIRTUAL-RUNTIME_init_manager = 'systemd'",
-"DISTRO_FEATURES_BACKFILL_CONSIDERED = 'sysvinit'"
+"INIT_MANAGER = 'systemd'",
 ]
 },
 "step7" : {
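Review bot: "INIT_MANAGER = 'systemd'", is now the last element of this extravars array and keeps its trailing comma before the closing ], which is not valid JSON for a strict parser. Remove the comma, or move the entry above "TEST_SUITES:append = ' systemd'", and leave that one last without a comma.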
-- 
2.34.1

