[meta-security] buck-security not found in STAGING_BINDIR_NATIVE

[meta-security] buck-security not found in STAGING_BINDIR_NATIVE

[Jon Szymaniak]

I'm working with the rocko branch of the meta-security layer [1], with the
latest poky rocko branch HEAD on an Ubuntu 17.10 machine (technically an
"untested" distro but otherwise fine with Rocko the past).

From my understanding, all that should be required to run the buck-security
after an image build is adding INHERIT += "check_security" to local.conf. I see
that check_security.bbclass [2] already takes care of appending itself to
EXTRA_IMAGEDEPENDS.

However, when building an image (e.g. core-image-minimal),
check_security.bbclass is failing to find buck-security in
${STAGING_BINDIR_NATIVE}, as indicated by the following error message:

${TMPDIR}/work/raspberrypi0_wifi-poky-linux-gnueabi/core-image-minimal/1.0-r0/temp/run.check_security.24976:
  112: ${TMPDIR}/work/raspberrypi0_wifi-poky-linux-gnueabi/core-image-minimal/1.0-r0/temp/run.check_security.24976:
     ${TMPDIR}/work/raspberrypi0_wifi-poky-linux-gnueabi/core-image-minimal/1.0-r0/recipe-sysroot-native/usr/bin/buck-security:
not found

The above makes it clear what ${STAGING_BINDIR_NATIVE} expands to;
buck-security is indeed not present in this location.

My logs indicate that when buck-security-native recipe's do_install() is
executed [3], ${D} and ${bindir} are defined as follows:

D: ${TMPDIR}/work/x86_64-linux/buck-security-native/0.7-r0/image
bindir: ${TMPDIR}/work/x86_64-linux/buck-security-native/0.7-r0/recipe-sysroot-native/usr/bin

buck-security also appears to be present in the  following location:
${TMPDIR}/sysroots-components/x86_64/buck-security-native/usr/bin/buck-security


After going through the manuals, I'm still a little unclear about when exactly
buck-security-native's files should be copied or linked into the image's
respective sysroot (presumably, during do_populate_sysroot?), and where the
breakdown is happening here.

If anyone else is able to reproduce this or provide some assistance in
resolving or just debugging it, I'd greatly appreciate it.

Thank you,
Jon Szymaniak

Links:
[1] https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/
[2] https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/classes/check_security.bbclass
[3] https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-security/buck-security/buck-security_0.7.bb#n51

Re: [meta-security] buck-security not found in STAGING_BINDIR_NATIVE

[Jon Szymaniak]

On Fri, Jun 1, 2018 at 11:34 AM, Jon Szymaniak
<jon.szymaniak.foss@gmail.com> wrote:
> From my understanding, all that should be required to run the buck-security
> after an image build is adding INHERIT += "check_security" to local.conf. I see
> that check_security.bbclass [2] already takes care of appending itself to
> EXTRA_IMAGEDEPENDS.

To get this working I ended up instead inheriting check_security in
the image recipe,
and explicitly add buck-security-native to the image recipe's DEPENDS.
The latter
seems to be required -- otherwise I run into the same failure mode.

Nonetheless, I'm still digging through the do_prepare_recipe_sysroot and
do_populate_sysroot implementations to try to understand why
check_security.bbclass's assignment to EXTRA_IMAGEDEPENDS does not seem
sufficient to get buck-security installed into the image receipe's sysroot.

Is there some caveat or subtlety with respect when a recipe's sysroot-related
tasks run and aggregate dependencies, versus when the contents of
EXTRA_IMAGEDEPENDS are appended to a recipe's set of dependencies?

[meta-security] buck-security not found in STAGING_BINDIR_NATIVE

[Jon Szymaniak]

[-- Attachment #1: Type: text/plain, Size: 2336 bytes --]

I'm working with the rocko branch of the meta-security layer [1], with the
latest poky rocko branch HEAD on an Ubuntu 17.04 machine (technically an
"untested" distro but otherwise fine in the past).

From my understanding, all that should be required to run the buck-security
after an image build is adding INHERIT += "check_security" to local.conf. I
see that check_security.bbclass [2] already takes care of appending itself
to EXTRA_IMAGEDEPENDS.

However, when building an image (e.g. core-image-minimal),
check_security.bbclass is failing to find buck-security in
${STAGING_BINDIR_NATIVE}, as indicated by the following error message:

${TMPDIR}/work/raspberrypi0_wifi-poky-linux-gnueabi/core-ima
ge-minimal/1.0-r0/temp/run.check_security.24976:
  112: ${TMPDIR}/work/raspberrypi0_wifi-poky-linux-gnueabi/core-ima
ge-minimal/1.0-r0/temp/run.check_security.24976:
     ${TMPDIR}/work/raspberrypi0_wifi-poky-linux-gnueabi/core-im
age-minimal/1.0-r0/recipe-sysroot-native/usr/bin/buck-security: not found

The above makes it clear what ${STAGING_BINDIR_NATIVE} expands to;
buck-security is indeed not present in this location.

My logs indicate that when buck-security-native recipe's do_install() is
executed [3], ${D} and ${bindir} are defined as follows:

D: ${TMPDIR}/work/x86_64-linux/buck-security-native/0.7-r0/image
bindir: ${TMPDIR}/work/x86_64-linux/buck-security-native/0.7-r0/recipe-sysroot-native/usr/bin

buck-security also appears to be present in the  following location:
${TMPDIR}/sysroots-components/x86_64/buck-security-native/usr/bin/buck-security


After going through the manuals, I'm still a little unclear about when
exactly buck-security-native's files should be copied or linked into the
image's respective sysroot (presumably, during do_populate_sysroot?), and
where the breakdown is happening here.

If anyone else is able to reproduce this or provide some assistance in
resolving or just debugging it, I'd greatly appreciate it.

Thank you,
Jon Szymaniak



References:
[1] https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/
[2] https://git.yoctoproject.org/cgit/cgit.cgi/meta-security
/tree/classes/check_security.bbclass
[3] https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-
security/buck-security/buck-security_0.7.bb#n51

[-- Attachment #2: Type: text/html, Size: 3929 bytes --]