olani has quit [Remote host closed the connection]
hnez has joined #yocto
ptsneves has joined #yocto
ablu has quit [Ping timeout: 265 seconds]
ablu has joined #yocto
dvergatal has joined #yocto
<dvergatal>
hi all what can be the cause that when running oe_runmake in do_compile nothing happens but when i run make -j $(nproc) it compiles?
<rburton>
dvergatal: you're in the wrong directory probably
<rburton>
(oe_runmake is just a wrapper around make)
<dvergatal>
rburton: hmmm im doing it with source coude in devtool
<dvergatal>
rburton: so maybe this is the issue?
<rburton>
you're not giving enough information, but check that your task is in the directory you think it is. do_compile() normally executes in ${B}.
<dvergatal>
rburton: hmmm i dunno what additional information would be enough :/ i'm just running one command in do_compile which is oe_runmake and i see in logfile that it is make with additional parameters and it looks like this make -j 16 CC=x86_64-welotec-linux-gcc -m64 -march=core2 -mtune=core2 -msse3 -mfpmath=sse
<dvergatal>
--sysroot=/work/build/tmp/default-glibc/work/eg500-welotec-linux/communication/1.0+git+bb36e9b9e8/recipe-sysroot CXXFLAGS=-DMACHINE MACHINE=eg500 and nothing more in my logfile but if i change this oe_runmake to make -j $(nproc) it compiles
<bjdooks>
is there anyone who could do a big-endian riscv qemu machine? I can supply kernel repo, but i'm not very good at yocto and I've got a pile of other things currently ongoing wiht big-endian riscv
mckoan is now known as mckoan|away
Deepesh has joined #yocto
sunil has joined #yocto
Vonter has quit [Ping timeout: 252 seconds]
Vonter has joined #yocto
Vonter has quit [Ping timeout: 248 seconds]
Tyaku has joined #yocto
Deepesh has quit [Quit: Client closed]
Vonter has joined #yocto
<Tyaku>
Hello, I am reading a lot about security in embedded devices. Currently this is what I see:
<Tyaku>
1. Use secure boot to make sure the bootloaders, kernel, DTB, rootfs, files are correct (on startup, not at runtime)
<Tyaku>
2. To have some secure storage we can use TA (OP-TEE)
<Tyaku>
3. We can limit which app have access to /dev/tee0 using AppArmor
<Tyaku>
4. Run application with non root user (to prevent any vulnerability in an app that permits to execute code/commands as root)
<Tyaku>
5. In my opinion: IMA and EVM doesn't seems to be necessary, because if no applications have root privilege, then if an attacker arrive to execute commands from the application he will not be able to replace a file or a configuration owned by root.
<Tyaku>
-> What do you think about IMA / EVM is it really needed ?
<Tyaku>
-> Is there some document with good practices or like tutorial to setup all of this with yocto ?
Vonter has quit [Ping timeout: 252 seconds]
Vonter has joined #yocto
PeterM has quit [Quit: Client closed]
<rburton>
5 is a bad assumption: root escalation exploits exist
<rburton>
and you can't have _no_ services running as root
berton has joined #yocto
<neverpanic>
Tyaku: Instead of IMA/EVM, dm-verify might be an option if you don't need a writable rootfs.
PeterM has joined #yocto
<neverpanic>
Also, files can be modified offline, which is something IMA/EVM or dm-verity protect against. You don't need root *on your device* to modify the storage, somebody could unplug your disk or solder a connector to your eMMC lines.
<neverpanic>
And, you've left out the most important point in securing your embedded device, and that's: 0. Patch CVEs and actually update your devices.
<neverpanic>
Nobody will even bother attempting to modify your boot sequence if they can just send a malicous packet to your kernel and get code execution that way.
sunil has quit [Ping timeout: 240 seconds]
<Tyaku>
neverpanic: Yes and for this point, it's miraculous, we are using the RZG2UL Security package from renesas, still in Hardknott
<Tyaku>
But They plan to make another one available with most recent yocto version :D
olani has joined #yocto
PeterM79 has joined #yocto
PeterM has quit [Quit: Client closed]
PeterM79 has quit [Client Quit]
Chaser has joined #yocto
<RP>
bjdooks: it would be nice to have something like that. Might be worth asking khem or the mailing list
<bjdooks>
I tried to find people at riscv-summit, but their yocto senses must have been tingling
frieder has quit [Remote host closed the connection]
goliath has quit [Quit: SIGSEGV]
florian_kc has quit [Ping timeout: 252 seconds]
kpo has quit [Ping timeout: 248 seconds]
florian has quit [Quit: Ex-Chat]
<mcfrisk>
Tyaku: secureboot to bind firmware to kernel, kernel cmdline and initrd (if any), then dm-verity for rest of read-only rootfs. For secure writable storage use TPM (fTPM with OP-TEE). The TPM can be used in many ways, e.g. remote attestation.
<RP>
bjdooks: perhaps a bug in bugzilla might attract the right attention?
<RP>
(feature request/enhancement)
<Tyaku>
Thanks I will check it
Tyaku has quit [Quit: leaving]
tepperson has joined #yocto
<tepperson>
I have built an image that installs an image onto a hard drive. It is intended to boot from usb. I am booting that image with runqemu (runqemu qemuparams="-drive file=./xjrad.img,format=raw -boot menu=on"), I install grub with grub-install /dev/sda, but when rebooting into grub on the extra disc, grub says no known filesystem found and doesn't even
<tepperson>
to see the 4 partitions I had created
alessio has quit [Quit: alessio]
alessio has joined #yocto
alessio has quit [Client Quit]
philipl_ has quit [Ping timeout: 276 seconds]
alessio has joined #yocto
alessio has quit [Client Quit]
Articulus has quit [Quit: Leaving]
jmd has joined #yocto
paulg has quit [Ping timeout: 252 seconds]
tepperson has quit [Quit: Client closed]
vvn has joined #yocto
leon-anavi has quit [Quit: Leaving]
Chaser has quit [Ping timeout: 244 seconds]
tepperson has joined #yocto
rfuentess has quit [Remote host closed the connection]
<tepperson>
Im trying to make a virtual package to put a configuration file on an image. I added PROVIDES += "virtual/bootconf" to my recipe, added an appropriate "PREFERRED_PROVIDER_virtual/bootconf" to my configuration. How do I get virtual/bootconf into an image recipe?
<bjdooks>
Hmm. Is it really a bug? I really need to sit down and work on this more but I've had twenty distractions
tepperson has quit [Quit: Client closed]
tangofoxtrot has quit [Ping timeout: 272 seconds]
tangofoxtrot has joined #yocto
tepperson has joined #yocto
bst has joined #yocto
druppy has joined #yocto
Chaser has joined #yocto
<bst>
Hey, I'm running into errors on scarthgap such as "do_rootfs: Cannot find any SPDX file for document http://spdx.org/spdxdocs/recipe-ptx-rauc-dev-keys-native-95474123-1287-5255-b429-f255fd8220c6" after renaming the recipe ptx-rauc-dev-keys-native -> ptx-dev-keys-rauc-rsa2048-native. Looks like the previous recipe name is part of my sstate and it's probably used due to the matching hash? Does anybody have an
<bst>
idea (other than dropping parts of my sstate)? /cc JPEW
Chaser has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
Chaser has joined #yocto
florian_kc has joined #yocto
tepperson has quit [Quit: Client closed]
<JPEW>
bst: Hmm
<JPEW>
That bugs been kicking around a while and I've not been able to reproduce it. Probably delete some sstate, but that will hopefully be a helpful reproducer
<khem>
bjdooks:with yocto hat on, I Think having a BE configuration will help testing, so I can help out, although not with forks, we need to ensure that its something thats on upstream path for various components that distro will need
tepperson has joined #yocto
Chaser_ has joined #yocto
druppy has quit [Ping timeout: 252 seconds]
Chaser has quit [Ping timeout: 252 seconds]
Chaser_ has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
Chaser has joined #yocto
Chaser has quit [Client Quit]
berton has quit [Quit: Connection closed for inactivity]
Chaser has joined #yocto
<bst>
JPEW: ok
LegsFullyCasted has joined #yocto
LegsFullyCasted has quit [Quit: Client closed]
tepperson has quit [Quit: Client closed]
Kubu_work has quit [Quit: Leaving.]
jmd has quit [Remote host closed the connection]
tepperson has joined #yocto
florian_kc has quit [Quit: Ex-Chat]
Kubu_work has joined #yocto
florian has joined #yocto
Chaser has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
CWiz has quit [Quit: WeeChat 4.6.0]
zeemate has quit [Ping timeout: 268 seconds]
Guest48 has joined #yocto
<Guest48>
Hi. I'm trying to build a Go app on scarthgap, but it requires a newer version of Go. I tried updating to the latest version, using devtool upgrade, but I still get the same error in do_compile: (go: go.mod requires go >= 1.23.6 (running go 1.22.12)). I'm absolutely clueless at this point.