These options should only be enabled when using SELinux, so apply them only
when "selinux" is in the DISTRO_FEATURES. The fragment is a copy of the one in
meta-selinux with the addition of DEFAULT_SECURITY_DAC and LSM.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The default policy provided by meta-selinux breaks a lot of the features in
DEY, so adapt it to make most features work. Note that this is simply an
example, end users should create their own policies for their own needs.
Make these changes toggleable so that users can use the reference policy
instead.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This packagegroup includes all of the userspace packages needed to use SELinux.
For now, use the same variant of the packagegroup, which contains all available
packages.
Since the meta-selinux layer isn't available in all platforms, implement this
change via a dynamic layer.
https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This fixes the following CVEs:
* CVE-2021-3711
* CVE-2021-3712
Port the recipe and patches from the dunfell poky branch, since the hardknott
version contains additional changes aside from the revision update.
https://onedigi.atlassian.net/browse/DEL-7647
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Adapt the format_ubi_volume() function to wipe out UBI volumes
instead of formatting MTD partitions.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7614
The function uboot_getenv() is a wrapper over libuboot_get_env() and
requires that the returned strings are freed when no longer in use.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 27ce7a4f20)
- The function is only used internally in this file, so make it static.
- Convert the function from 'int' to 'bool', since no other values are
evaluated.
- Only return true if the variable 'dualboot' is set to 'yes'. Before,
the function returned true if 'dualboot' was different than 'no'.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
(cherry picked from commit 9a519570ba)
The use of this function, which is a wrapper over libuboot_get_env(),
requires checking if the returned string is NULL.
Manipulations of such string without checking whether it's NULL may lead
to segfault errors.
This was seen during firmware update on a device that didn't have the
'dualboot' variable set.
Reported-by: Chandrababu Pigilam <chandrababu.pigilam@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-7645
(cherry picked from commit 8a4484bbd6)
NetworkManager's main library went through a major overhaul in v1.22, changing
the way it interacts with glib among other things. When using a NetworkManager
version equal or newer than v1.22 along with a glib version between 2.63.3 and
2.65, a race condition can happen, randomly causing segmentation faults.
Since Yocto 3.2 uses NetworkManager 1.22.14 and glib 2.64.5, the race condition
is reproducible, but it can be fixed with the patch introduced in this commit.
The patch in question is commit e4a690f5dd959e74b2d6054826f61509892c8aa7 in the
glib git repo.
https://onedigi.atlassian.net/browse/DEL-7523
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit sets the GLIBC version to 2.32. The newest
eIQ packages require a newer glibc, but since said packages
are optional, make sure to use the gatesgarth glibc version
by default.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7625
This commit add a verification into the recovery library to avoid
that it is executed when in dualboot mode.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
https://onedigi.atlassian.net/browse/DEL-7580
(cherry picked from commit 30aa4a7444)
swupdate has the necessary logic to handle compressed images, so take advantage
of this to save space and reduce update package transfer times.
https://onedigi.atlassian.net/browse/DEL-7582
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Since these images are highly compressable, this greatly reduces the amount of
space taken up by build artifacts.
Modify the code used to generate the .sdcard and .installer.zip files so that
they contain the decompressed .ext4 image.
https://onedigi.atlassian.net/browse/DEL-7582
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds the required libraries and packages to exercise the Google
Coral devices with Digi Embedded Yocto.
https://onedigi.atlassian.net/browse/DEL-7547
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
'mdev -s' run on ramfs initialization is able to mount external media already
detected but fails to automatically mount any media detected afterwards.
Running it as a daemon first it will also be able to mount any media detected
after 'mdev -s' is run.
Use argument '-d' to first run mdev as daemon in background.
Move 2 seconds delay to after mdev has been initialized to give external
hardware all the time possible to be successfully detected and mounted.
https://onedigi.atlassian.net/browse/DEL-7285
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Otherwise, Yocto will use the recipes in meta-webkit, which are slightly older.
https://onedigi.atlassian.net/browse/DEL-7578
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
By default, we only support the latest versions of the webkit packages anyway,
so use a wildcard so we don't have to update the recipes every time a new
version is available.
https://onedigi.atlassian.net/browse/DEL-7578
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Igalia has included performance improvements for i.MX platforms in the latest
versions of different packages related to webkit. Even though the recipes for
these versions are not yet available in meta-webkit, we can add our own to
meta-digi to take advantage of these improvements.
Update the cog patches so they apply cleanly over v0.9.90.
https://onedigi.atlassian.net/browse/DEL-7578
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit adds some swupdate parameter to select the sw-description
configuration depending on the used platform.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
Without this call, swupdate will be built with a default configuration which
is incompatible with our package format. Even though this function is already
called in the original recipe, it was done in the package's "git" directory.
Make sure the function is called at least once so that our defconfig is used in
the build.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Commit 28d9e025ea used += to append
a dependency to RDEPENDS but this was not working fine and was removing
previous dependencies.
Use instead _append override.
Reported-by: Francisco Gil Martinez <francisco.gilmartinez@digi.com>
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Otherwise, swupdate will treat the update process like it's an OTA one and it
will try to store the package contents in /tmp, which won't fit.
swupdate commit 8b70ae5796e75c2ff856e8c46b3a3c09cb8fcccd states that all local
SWU packages should include this flag, since the old implementation had this
information implicitly.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Technically, partition unencryption is safe to do in open devices, although it
implies that at least one partition has already been encrypted. If we aren't
going to encrypt any partitions, there's no need to print the warning.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Instead of checking for the existence of /proc/mtd, which might lead to false
positives, check the "root" parameter in /proc/cmdline. Assume eMMC in case of
any error.
https://onedigi.atlassian.net/browse/DEL-7539
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
There are some init packages from the poky layer that remain using only a SysV
init script. Systemd converts these init scripts to systemd service format on
boot and shows an ugly warning for each one. To avoid flooding the console with
this kind of messages, we reduce the verbosity of these messages.
https://onedigi.atlassian.net/browse/DEL-7540
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
In the libubootenv implementation of fw_setenv, multiple variables can be set
in one call. When setting a variable with a space-separated list, the app
interprets the list as new variable/value tuples, for example:
fw_setenv myvar value1 value2 value3
Results in:
myvar=value1
value2=value3
This was causing the encrypted eMMC partition mechanism to break, because the
list of encrypted partitions is stored as a space-separated list in an
environment variable. Avoid this by enclosing the variable argument of
set_uboot_var() with double quotes.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Update version from 2.28.1 to 2.32.0, remove patch that is already included in
the source tarball and stop removing the qtwpe PACKAGECONFIG, since it's no
longer being included by default.
https://onedigi.atlassian.net/browse/DEL-7545
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Update the version from 0.7.1 to 0.8.0 and remove two patches that are already
being applied in meta-webkit.
https://onedigi.atlassian.net/browse/DEL-7545
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Before using the encrypted partition functionality, users have to manually
install the encryption key in the system. Failing to install said key will
result in errors later on.
Even though the installation isn't a difficult operation from a user's point of
view, the recovery script has the necessary logic to detect cases where a
partition is going to be encrypted with no key installed. Automatically
generate a key in these cases to avoid undesired behavior and to improve the
overall user experience.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This version adds new functionality to check if an encryption key is installed
as well as a fix for an issue that happens when encrypting partitions with long
names (over 12 characters).
https://onedigi.atlassian.net/browse/DEL-7535
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Gabriel Valcazar
Hector Palacios
Mike Engel
Gonzalo Ruiz
Arturo Buzarra
Francisco Gil Martinez