If start-of-line is not enforced, then bogus tag 'gstreamer-sharp-1.13.0.1' would
match as 13.0.1.
(From OE-Core rev: 094cbd4f6a9f57eb146207355a921eaae44012ab)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This adds a new selftest case `test_sign_uboot_fit_image_without_spl` to verify
that the build can correctly generate and sign a U-Boot FIT image in a scenario
where no SPL is used.
Background:
- Some boards build only the U-Boot proper FIT image and do not require an SPL.
- The signing flow must handle this case gracefully: generate the ITS, sign
the FIT image, and skip signing/injecting a key into the SPL DTB.
What this test does:
1) Enables `UBOOT_FITIMAGE_ENABLE` and `SPL_SIGN_ENABLE` but explicitly sets
`SPL_DTB_BINARY` to an empty string to indicate that no SPL is present.
2) Verifies that the U-Boot ITS and FIT image are built successfully.
3) Confirms that the generated ITS file includes signature metadata as requested.
4) Dumps the FIT image to ensure that the signature nodes exist.
5) Confirms that the log for `do_uboot_assemble_fitimage` shows the expected
mkimage/mkimage_sign invocation.
This ensures that signing works correctly even when only the U-Boot proper is built,
which matches real-world configurations that do not require an SPL.
(From OE-Core rev: cdb4f4249a386113bebc65918a1b088c64e59182)
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit cleans up and modernizes the shell condition expressions in
`uboot-sign.bbclass` to follow best practices for portable and reliable shell usage.
Key changes:
- Replace legacy `[ -a ]` and `[ -o ]` with explicit `[ ] && [ ]` and `[ ] || [ ]`.
Modern POSIX and busybox sh recommend using `&&` and `||` instead of `-a` and `-o`
because `-a` and `-o` are less robust and can cause parsing ambiguities in some shells.
- Simplify `concat_dtb()` by moving the DTB existence check to the top and using
early `return` to avoid deep nesting.
- Remove redundant fallback `else` blocks; use clearer control flow with direct checks.
This improves maintainability, reduces shell syntax pitfalls, and aligns with
current shell scripting best practices.
References:
- POSIX recommends avoiding `-a` and `-o` in `[ ]` and using explicit `&&` and `||`:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
(From OE-Core rev: d2740e39800a044d557b620e38ca0ac1b8c6d030)
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Previously, the signing flow in "uboot-sign.bbclass" assumed that SPL was always
present and that the FIT signing process must inject the public key into the
SPL DTB. This made it inflexible for use cases where only the U-Boot proper
FIT image is built and signed, with no SPL binary at all.
This change introduces the following adjustments:
- The `SPL_DTB_BINARY` variable can be explicitly set to an empty string
to indicate that no SPL is present.
- The signing logic checks `SPL_DTB_BINARY` and skips injecting the
key or verifying the SPL DTB if it is empty.
- The FIT image generation and deployment are always performed if
`UBOOT_FITIMAGE_ENABLE` is enabled, regardless of the SPL settings.
- The deploy helper now uses a single check on `SPL_DTB_BINARY` to decide
whether to deploy the signed SPL DTB.
Now the sign step checks if SPL_DTB_BINARY is empty:
If present, it signs the FIT image and injects the public key into the SPL DTB,
then verifies both.
If empty, it only signs the FIT image and generates the ITS with the signature
node, but does not attempt to verify or add the key to a non-existent SPL DTB.
Key Behavior Explained
If SPL_DTB_BINARY is empty, we assume there is no SPL.
If UBOOT_FITIMAGE_ENABLE=1, we always create the FIT image and ITS.
If SPL_SIGN_ENABLE=1, we always sign the FIT image, but only inject the key into
the SPL DTB if it exists.
Example usage:
UBOOT_FITIMAGE_ENABLE = "1"
SPL_SIGN_ENABLE = "1"
SPL_DTB_BINARY = ""
This means:
- Generate and sign the FIT image.
- Do not attempt to sign or deploy an SPL DTB.
This aligns the implementation with real scenarios where some boards do not
require an SPL.
(From OE-Core rev: 7ad6acd8841752a5b75b8e2666bca5b609347cc1)
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Install libpng test-suite to run it as a ptest.
As the test-suite takes more than 30 seconds to run,
add libpng-ptest to PTESTS_SLOW in ptest-packagelists.inc
(From OE-Core rev: 8dca5305c950e6a06b3f344ffdbbb7386d802095)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adding postprocessing script to process data from linux CNA that includes more accurate metadata and it is updated directly by the source.
Example of enhanced CVE from a report from cve-check:
{
"id": "CVE-2024-26710",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
"summary": "In the Linux kernel, the following vulnerability [...]",
"scorev2": "0.0",
"scorev3": "5.5",
"scorev4": "0.0",
"modified": "2025-03-17T15:36:11.620",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"detail": "not-applicable-config",
"description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},
And same from a report generated with vex:
{
"id": "CVE-2024-26710",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
"detail": "not-applicable-config",
"description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},
For unpatched CVEs, provide more context in the description:
Tested with 6.12.22 kernel
{
"id": "CVE-2025-39728",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
"summary": "In the Linux kernel, the following vulnerability has been [...],
"scorev2": "0.0",
"scorev3": "0.0",
"scorev4": "0.0",
"modified": "2025-04-21T14:23:45.950",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"detail": "version-in-range",
"description": "Needs backporting (fixed from 6.12.23)"
},
CC: Peter Marko <peter.marko@siemens.com>
CC: Marta Rybczynska <rybczynska@gmail.com>
(From OE-Core rev: e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We don't have a recipe for subunit in core (or any layer in the layer
index), and unfortunately a bug in the CMakeLists means that the native
build can detect subunit on the host (so host contamination) and only
half-enable it, so the build fails.
Take a patch from upstream's github to add an option for subunit, and
explicitly disable it.
(From OE-Core rev: 155f0f65fa0f08a4586d3c9a02976f43a10b08aa)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is specific to the autotools build of libcheck, but we use
CMake now.
(From OE-Core rev: 98091331829bd88b57fef5b811a4117b8db16032)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.
It uses debugsource information generated during do_package.
This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.
As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.
Tested with bitbake world on oe-core.
CC: Quentin Schulz <quentin.schulz@cherry.de>
CC: Joshua Watt <JPEWhacker@gmail.com>
CC: Peter Marko <peter.marko@siemens.com>
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Exein is a platinum member and has primary support
(https://www.yoctoproject.org/members).
(From yocto-docs rev: b13bccbf3fb1890ac428a396f8c5081057edf555)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
And mention the new supported features document.
Suggested-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: d852a2d20e876440a48a240ca68d5f440ef2cfbe)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set the contact address for meta-arm.
(From yocto-docs rev: 8ad91366ed89204affef6a72bd403b0d0a4525fa)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As currently written, the PREFERRED_PROVIDER entries don't work with multilib
since they are added after the manipulations by multilib_global at ConfigParsed
time. We therefore need to spell out the configs correctly for multilib.
To avoid variable overwritten warnings from the expansion, we then have to
expand out the nativesdk providers usng class overrides.
(From OE-Core rev: 1f69850b62d1e022055d0f3b93ad270c2980462e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This change implements a toolchain selection mechanism. Selection is
made using a set of variables, primarily PREFERRED_TOOLCHAIN_TARGET which
defaults to gcc.
It uses the familiar name for toolchain e.g. "gcc" which selects GNU
compiler + binutils as default C/C++ toolchain or "clang" which will
use LLVM/Clang Compiler. Layers an add their own toolchain definitions
too.
There are also PREFERRED_TOOLCHAIN_NATIVE and PREFERRED_TOOLCHAIN_SDK
which will ulitmately allow selection of the toolchain used for the
native/cross and nativesdk/crosssdk compilers. This currently isn't
functional but is essential to the patch to ensure things are set
to the existing gcc support in those cases.
Users would most commonly want to set:
PREFERRED_TOOLCHAIN_TARGET ?= "clang"
in local.conf or other distro specific global configuration metadata.
It is also selectable at recipe scope, since not all packages are
buildable with either clang or gcc, a recipe can explicitly require
a given toolchain using the TOOLCAHIN variable, e.g. glibc can not
be built with clang therefore glibc recipe sets:
TOOLCHAIN = "gcc"
The TOOLCHAIN variable is distinct from the user preference so recipes
with specific requirements can be identified. This also allows different
polcies to be be specified for native/SDK cases in the future.
(From OE-Core rev: 45bdedd213aff8df3214b95ef2a8551c0abd93a0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use the new deferred class event to set the class overrides earlier.
This improves interaction of the override with PACKAGECONFIG values
that control conditional inherits (such as python support).
This also allows toolchain configuration in an easier and more user
friendly way.
(From OE-Core rev: d58f94d5684332bd4fac3747688558bb261b9c63)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This brings in the features we need to toolchain selection.
(From OE-Core rev: 78c1061dc3916677bd9c2825820a1bab7e75f28a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update version to 2.15.0 for the development series and features needed for
toolchain selection in OE.
(Bitbake rev: c2f29c9475c4b9cdd12af1f8610f2675f8fdd964)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Calling oe-debuginfod in a build failed:
...
$ oe-debuginfod
|Getting sysroot...
|Error: NOTE: Reconnecting to bitbake server...
|NOTE: Retrying server connection (#1)... (18:55:53.009687)
|path-to-build/tmp/work/x86_64-linux/elfutils-native/0.192/recipe-sysroot-native doesn't exist.
|Have you run 'bitbake elfutils-native -caddto_recipe_sysroot'?
...
The script oe-debuginfod calls bitbake-getvar to get sysroot, the
output of bitbake-getvar was mixed with info output of bitbake
...
NOTE: Reconnecting to bitbake server...
NOTE: Retrying server connection (#1)... (18:55:53.009687)
...
Set logger level to logging.WARNING to skip info output
for quiet
(Bitbake rev: 873c524e1a33846df8f34b7c87b298349277b3d5)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add support for automatically promoting class inherits to deferred inherits
by listing them in the BB_DEFER_BBCLASSES variable.
(Bitbake rev: 8e741b2e885a12d119788d04aa4efcd724dd6bfa)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Now that deferred inherits are extension specific, we can pass this
list to an event, which our metadata can use to set class overrides
earlier (as an example).
There are limitations to this, the list of classes is unexpanded and
recursive classes are not visible. There isn't much that can be done
about this, the ones we are interested in would usually be visible
at the top level (such as class extensions).
(Bitbake rev: 205d461c05fc7b4a7c81039af3bc3fd71cbb982c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently deferred inherits get processed once for all class extensions
as a minor speed optimisation. Unfortunately this limits our options for
being able to report deferred classes to our code.
There are two challenges with using our deferred classes in OE at present.
One is that PACKAGECONFIG values don't work well with class overrides like
class-native if there are deferred classes based on PACKAGECONFIG, such
as python support. The second is that toolchain selection is proving
problematic to implement due to interactions between the toolchain deferred
inherit, the class extensions and class overrides being very late.
By changing deferred inherits to be recipe extension specific, we open
the way to generate events and "peek" at where things will end up,
allowing the class overrides to be set earlier.
The class extension code is updated to use a deferred inherit for the
class extension inheriting so that it is still inherited last.
(Bitbake rev: 29277cf4d88eb4dfa9572851177d009eab5afd0c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update the plugin names to account for the "-" to "_" plugin name change.
(From meta-yocto rev: ff4a8af7917d2e7c862d381577219f2c7beff669)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remap "-" characters in plugin names to "_" so wic plugins
can be extended using standard python class inheritance.
This change means wic files can be incrementally updated over time
to the correct name rather than breaking everything. Actual plugin
module files will need to be renamed as done in previous patches.
Also remove a double call to get_plugins() which isn't needed.
(From OE-Core rev: 6d9c76196ffad39e628aff76d53d6ecbb517cfa1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update the plugin names to account for the "-" to "_" plugin name change.
(From OE-Core rev: afa1b5c9f6ed17c021e37a54d0d6abee50a60bf9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Python not support importing modules with - so change to _.
(From OE-Core rev: 2de444fc3ef450f45f8f93403544e8f7461657b0)
Signed-off-by: Anibal Limon <anibal@limonsoftware.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
To support extensions on wic plugins, the load order needs
to be grauntee matching BBLAYERS variable.
Fix cases when try to import a plugin from another layer,
example of the case to fix,
```
Traceback (most recent call last):
File "/workspaces/ls/linux/layers/openembedded-core/scripts/wic",line
547, in <module>
sys.exit(main(sys.argv[1:]))
^^^^^^^^^^^^^^^^^^
...
File "/workspaces/ls/linux/layers/openembedded-core/scripts/lib/wic/
engine.py", line 137, in list_source_plugins
plugins = PluginMgr.get_plugins('source')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/ls/linux/layers/openembedded-core/scripts/lib/wic/
pluginbase.py", line 73, in get_plugins
spec.loader.exec_module(module)
File "<frozen importlib._bootstrap_external>", line 940, in exec_module
File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
File "/workspaces/ls/linux/limonsoftware/bsp/scripts/lib/wic/plugins/
source/bootimg_rpi_autoboot_partition.py", line 1, in <module>
from wic.plugins.source.bootimg_partition import BootimgPartitionPlugin
ModuleNotFoundError: No module named 'wic.plugins.source.bootimg_partition'
```
(From OE-Core rev: 16c8251e5272510ad96613b8c6623550c5a72a34)
Signed-off-by: Anibal Limon <anibal@limonsoftware.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=============
- Fix duplicated dependencies added to the lock file when the same dependency with extras is requested.
- Stabilize order of the extras and dependency-groups fields in pylock output.
- Fix Windows 11 install pdm error, which is because of msgpack install failure.
- Change the return type of array_of_inline_tables to list[dict] from list[str]
- Ensure uv resolver to include hash for package files.
- Avoid infinite recursion when reading pyproject.toml with circular file dependencies.
- Support pylock as alternative lock format and make it opt-in by config.
- Search for package metadata in lock file first when reuse strategy is used.
(From OE-Core rev: 121c609e91dd7eb72670513eef8c31a5f2271c89)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: Copyright year updated to 2025
(From OE-Core rev: 2ac6a959f32214d958a7a0cf1973a9bc66839a9b)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
- Fix a longstanding ordering issue with extracting type information
from properties which have a reference to another property. 'mac-mode'
is the one in the Linux kernel.
- Fix a false positive warning about missing
unevaluatedProperties/additionalProperties
(From OE-Core rev: e36601ca6454ec62ad2dd0db47724e2ad4c240cd)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bugs fixed
----------
* Attribute lookups failed on the "bool" builtin type.
* Type checks on or-ed union types could incorrectly return false.
* Negative list indexing could accidentally wrap around twice in PyPy and the Limited API.
* Iterating over literal sequences with starred (unpacked) items could infer a wrong
type for the loop variable and fail to assign the values.
* Calls to C functions taking exception types failed to check for a 'None' argument.
* Fused functions had an incorrect "__module__" attribute.
* The type of Cython implemented functions had an incorrect "__module__" attribute.
* Errors while indexing into "bytearray" or "str" in "nogil" sections could crash.
* "bytearray.append()" could silently accept some invalid character numbers.
* The C++11 "<type_traits>" header was included regardless of the C++ version.
* "PyDict_GetItemStringRef()" was accidentally used in older Limited API versions.
* "abort()" was used but not always available in the Limited API.
* Some dependencies were missing from the "depfile".
* Embedded function signatures were not always separated from the existing docstring.
* "numpy.math" was missing from "Cython/Includes/" and could not be cimported.
* Some tests were adapted for NumPy 2.x.
* Some C compiler warnings were fixed.
* "Cython.Build" was not officially exposing the "cythonize" function.
(From OE-Core rev: ad9e2ba3d7c1af3f7084427eb9ddb0822460b108)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
* Fix missing override when CONFIG_COMPAT_OLD_SIGACTION is not defined
* fix: writeback: 'balance_dirty_pages' Respect 'CONFIG_CGROUP_WRITEBACK'
* Fix: scsi: RESERVE and RELEASE renamed in Linux v6.15-rc1
* Fix: del_timer[_sync] deleted in linux v6.15-rc1
* Fix: Use 'nonseekable_open' for proc files
* Fix: trace_balance_dirty_pages in Linux v6.14.2
* fix: version constraint for building lttng-probe-9p
(From OE-Core rev: 8f8b8e72ff4ea562630b428ff8ab7f163d0c7084)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
- selected bug fixes:
* improve transaction ordering by allowing more uninst->uninst
edges
* implement color filtering when adding update targets
- new features:
* support orderwithrequires dependencies in susedata.xml
(From OE-Core rev: 000d105135c6ae871bfa8699d9008a1f4324c7f7)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
- Hardened the libjpeg API against hypothetical calling applications that may
erroneously change the value of the 'data_precision' field in
'jpeg_compress_struct' or 'jpeg_decompress_struct' after calling
'jpeg_start_compress()' or 'jpeg_start_decompress()'.
(From OE-Core rev: 49a69532bc2b4a7d6ae8136123e92b10b5e657f5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: Copyright year updated to 2025
not-win32.patch
refreshed for 3.5.1
(From OE-Core rev: 4c32496a8b89cb1355672d6b7159aff09c69797b)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bugs fixed:
- Wrong behavior of GdkKeymap on macOS
- cups: NULL-terminate array of choices
- Fix the android build
- icontheme: Load the missing image icon from the theme
(From OE-Core rev: 1a31f269130429b7c690340c688c1f503f6473d3)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
