Switch to mainline TF-A that provides basic support for H5 and A64.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bump U-Boot version in TestATFAllwinner. Updating U-Boot version to
2021.04 requires the following two changes.
First, after switching to binman, u-boot.itb is no more generated for
64-bit sunxi boards. Combined u-boot-sunxi-with-spl.bin image should
be used instead. This image contains SPL, U-Boot, and FIT image,
where FIT image contains other binaries such as BL31 and SCP.
Second, new U-Boot enables support for System Control Processor (SCP)
firmware. SCP firmware is included by default into FIT image in the
combined u-boot-sunxi-with-spl.bin binary. When SCP is not available
or not needed, it should be explicitly disabled by pointing to an
empty file. Support for Allwinner SCP firmware is not yet available
neither in Buildroot nor in mainline kernel. So disable it for now
using custom U-Boot build options.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Switch to mainline TF-A that provides basic support for H5 and A64.
Note that Allwinner platform layer in TF-A does not provide support
for GCC stack protection, so make sure to disable this TF-A feature.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Buildroot sets appropriate ENABLE_STACK_PROTECTOR build flag value based
on the toolchain global BR2_SSP_* options, and all packages are built
with that setting.
However it might not be always convenient to automatically infer TF-A
stack protection from the toolchain features. For instance, secure
memory constraints may become an issue and all the extra TF-A features
need to be tuned or disabled in order to shrink TF-A firmware image.
Besides, for any value other than "none", TF-A platform specific hook
'plat_get_stack_protector_canary' must be implemented. However this hook
is not implemented by all the platforms supported by TF-A. For instance,
Allwinner currently does not provide such a hook.
Add an new option that a user can toggle to enable or disable SSP in
their ATF build. If enabled, the SSP level is automatically inherited
from the global setting.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
[yann.morin.1998@free.fr: simplify logic with a single boolean]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
As this version brings support for kernel up to 5.12, we update the
test cases to use the 5.12 kernel.
Signed-off-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Michael Fischer <mf@go-sys.de>
Reviewed-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Michael Fischer <mf@go-sys.de>
Reviewed-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Building with libgcrypt fails since the addition of the package in
commit fbff7d7289:
checking for sparc64-buildroot-linux-gnu-libgcrypt-config... no
checking for libgcrypt-config... no
checking for LIBGCRYPT - version >= 1.5.0... no
configure: error: The selected crypto backend library is not available.
Fix this build failure by helping usbguard to find libgcrypt-config
Fixes:
- http://autobuild.buildroot.org/results/4c19e50a2a5308cb31a62f1b4b538a30353022bb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Don't pass --disable-seccomp and --disable-systemd unconditionally
While at it, also add a space and a new line when needed, and split
the initial CONF_OPTS assignment to have one option per line.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The build of gesftserver in an environment without Python fails with:
checking for Python 2.4 or better... configure: error: cannot find Python 2.4 or better
However, it turns out that Python is only needed for tests, which we
don't run/use in Buildroot, so we can safely build gesftpserver
without Python.
Signed-off-by: Andreas Naumann <anaumann@ultratronik.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
resiprocate security backend assumes that if openssl is enabled that
it provides DES support. However DES support in openssl has become
optional since commit a83d418 ("package/libopenssl: add option to
enable some features").
Select openssl DES support in wpa_supplicant Kconfig to avoid build
failures.
Fixes:
http://autobuild.buildroot.net/results/f7def0d5706f9e6ab97accc4eaa5f512a11bcb4c
Signed-off-by: Ryan Barnett <ryan.barnett@collins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: check the two files are identical]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This patch implements a simple test in which a dummy file system image
is created, then `bmaptool create` and `bmaptool copy` are used to copy
it to another file.
Signed-off-by: Nicolas Carrier <nicolas.carrier@orolia.com>
[Thomas: several reworks, add myself to DEVELOPERS]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: check the two files are identical]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The pre-built vexpress kernel used by the testing infrastructure is a
4.0.0 kernel, which is getting old to be used with reasonably recent
toolchains.
This commit updates the pre-built kernels for both the versatile and
vexpress machines to 5.10.7 (they have already been put online).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
bmaptool allows to drastically reduce the amount of data to transfer
when writing to an SD card. Example with a 544 MiB sdcard.img:
$ bmaptool create sdcard.img > sdcard.bmap
$ gzip sdcard.img
$ bmaptool copy sdcard.img.gz /dev/sdc
bmaptool: info: discovered bmap file 'sdcard.bmap'
bmaptool: info: block map format version 2.0
bmaptool: info: 139265 blocks of size 4096 (544.0 MiB), mapped 23918 blocks (93.4 MiB or 17.2%)
bmaptool: info: copying image 'sdcard.img.gz' to block device '/dev/sdc' using bmap file 'sdcard.bmap'
bmaptool: info: 100% copied
bmaptool: info: synchronizing '/dev/sdc'
bmaptool: info: copying time: 7.7s, copying speed 12.1 MiB/sec
So it means that instead of writing 544 MiB, only 93.4 MiB had to be
written.
In terms of implementation details, compared to the target bmap-tools
package, there are fewer "selects" that are needed because:
- The dependency on setuptools is not needed, because the package
uses the setuptools SETUP_TYPE, so host-python-setuptools is
already a build dependency.
- host-python and host-python3 are always built with Expat XML
support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Nicolas Carrier <nicolas.carrier@orolia.com>
[Thomas: numerous reworks, add myself in DEVELOPERS]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The br-arm-internal-glibc.config is generally used as a configuration
to test the bleeding edge versions of components. However, it has been
lagging behind somewhat, so let's bring it up-to-date:
- Binutils 2.36.x
- GCC 11.x
Let the fun begin in the autobuilders!
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
We backport an upstream patch that fixes the loading of the native
library by the FFI logic. Without this, "import augeas" doesn't work
as it goes into the ctypes.utils.find_library() logic that tries to
use a compiler on the target to find the augeas native library.
Based on initial work from Nicolas Carrier <nicolas.carrier@orolia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This is to make sure that host packages that depend on `host-gawk` and that use
`awk` end up using `gawk`, instead of the `awk` symlink installed on the host
system.
On recent Debian-based distributions, `awk` is still symlinked to `mawk` [1].
[1] https://bugs.launchpad.net/ubuntu/+source/mawk/+bug/1841654
Signed-off-by: Hubert Lacote <hubert.lacote@youview.com>
Co-authored-by: Hubert Lacote <hubert.lacote@youview.com>
Co-authored-by: Vicente Olivert Riera <vincent.olivert.riera@youview.com>
[yann.morin.1998@free.fr: move after the target symlink hook]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Release note:
https://forums.openvpn.net/viewtopic.php?f=20&t=32497
CVE-2021-3606 fixed by this release is only relevant for Windows.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 04a0094f0e (configs/stm32f469_disco: fix kernel bootup) changed
the defconfig to build a vfat image, but forgot to add dosfstools/mtools
host utilities needed for this.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
================================================================================
Redis 6.2.4 Released Tue July 1 12:00:00 IST 2021
================================================================================
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. MODERATE otherwise.
Fix integer overflow in STRALGO LCS (CVE-2021-32625)
Read the whole release note on:
https://github.com/redis/redis/blob/6.2.4/00-RELEASENOTES
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Versions 2.0.11 and 1.6.15 of Mosquitto has been released.
These are a security and bugfix releases.
Read the full announcement on the blog:
https://mosquitto.org/blog/2021/06/version-2-0-11-released/
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
- CVE-2021-33203: Potential directory traversal via ``admindocs``
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
https://github.com/django/django/blob/3.2.4/docs/releases/3.2.4.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-22222: Infinite loop in DVB-S2-BB dissector in Wireshark
3.4.0 to 3.4.5 allows denial of service via packet injection or crafted
capture file
https://www.wireshark.org/security/wnpa-sec-2021-05.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libressl defaults to $prefix/etc/ssl for its "openssldir" setting, E.G.
the location where configuration files and certificates are searched:
openssl version -d
OPENSSLDIR: "/usr/etc/ssl"
Change it to /etc/ssl so it matches openssl and the expectations of packages
dealing with certificates (ca-certificates, libcurl, p11-kit)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also, since tinyproxy no longer uses a2x, remove its explicit disabling.
Signed-off-by: Alexander Mukhin <alexander.i.mukhin@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Even if gcc 9.x is still maintained for some time (gcc 9.5 will be the
last), switch to gcc 10.x since it has been released since 2020-05-07
and gcc 11.x is available since 2021-04-27.
We have been having toolchains in the autobuilders with gcc 10.x since
mid-January 2021, so the vast majority of the problems should have
already been solved.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This patch allows to use an external toolchain based on gcc 11.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This new symbol will be used by architectures introduced with gcc 11.
[1] https://gcc.gnu.org/gcc-11/changes.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
In order to add gcc 11 support for internal and external toolchain in
follow-up commits, introduce BR2_TOOLCHAIN_GCC_AT_LEAST_11 symbol.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
gcc-11 warns about what appears to be an out-of-range array access but
stop the build due to -Werror added to cflags:
arch/sparc/kernel/mdesc.c: In function 'mdesc_node_by_name':
arch/sparc/kernel/mdesc.c:647:22: error: 'strcmp' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
647 | if (!strcmp(names + ep[ret].name_offset, name))
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
arch/sparc/kernel/mdesc.c:77:33: note: at offset 16 into source object 'mdesc' of size 16
77 | struct mdesc_hdr mdesc;
| ^~~~~
arch/sparc/kernel/mdesc.c: In function 'mdesc_get_property':
arch/sparc/kernel/mdesc.c:692:22: error: 'strcmp' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
692 | if (!strcmp(names + ep->name_offset, name)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
arch/sparc/kernel/mdesc.c:77:33: note: at offset 16 into source object 'mdesc' of size 16
77 | struct mdesc_hdr mdesc;
| ^~~~~
arch/sparc/kernel/mdesc.c: In function 'mdesc_next_arc':
arch/sparc/kernel/mdesc.c:719:21: error: 'strcmp' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
719 | if (strcmp(names + ep->name_offset, arc_type))
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
arch/sparc/kernel/mdesc.c:77:33: note: at offset 16 into source object 'mdesc' of size 16
77 | struct mdesc_hdr mdesc;
| ^~~~~
cc1: all warnings being treated as errors
The issue was initially reported to gcc [1] where it was analized.
As suggested, change the struct mdesc_elem * accesses from the end
of mdesc to those from the beginning of the data array.
Update the prototype of node_block(), name_block() and data_block()
since the code really seems to want to do is to compute the address
somewhere into the chunk pointed to by hp.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100262
Upstream status: Pending
https://www.spinics.net/lists/sparclinux/msg26385.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This version change does not include functional changes over 1.9.92, but
it is slated as stable (hence the even second version number). Release
notes:
https://wpewebkit.org/release/wpebackend-fdo-1.10.0.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This minor release fixes a build issue when Meson is running under
a version of Python older than 3.6; release notes:
https://wpewebkit.org/release/libwpe-1.10.1.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Always disable tls_check to avoid the following build failure since bump to
version 2.72.0 in commit 8e5f7f1cfc:
../output-1/build/libsoup-2.72.0/meson.build:184:4: ERROR: Can not run test applications in this cross environment.
Indeed, tls_check will run code since
5c45253243
That is the only thing that this option does: it runs code to check that
libgio is built with TLS support.
While at it, also drop glib-networking build-time dependency
Also mark gnutls as a runtime dependency (it already was used as such).
Fixes:
- http://autobuild.buildroot.org/results/9e539dc7185cfb81f18438dd36357cb49ef23a5a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>