...@@ -8,11 +8,13 @@ stages: ...@@ -8,11 +8,13 @@ stages:
- deploy - deploy
include: include:
- project: eclipse/oniro-core/oniro - project: eclipse/oniro-core/oniro
ref: kirkstone ref: kirkstone
file: file:
- .oniro-ci/dco.yaml - .oniro-ci/dco.yaml
- .oniro-ci/reuse.yaml - .oniro-ci/reuse.yaml
- project: 'eclipsefdn/it/releng/gitlab-ci-templates'
file: '/jobs/eca.gitlab-ci.yml'
dco: dco:
extends: .dco extends: .dco
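Review bot: the new `include` of `project: 'eclipsefdn/it/releng/gitlab-ci-templates'` / `file: '/jobs/eca.gitlab-ci.yml'` carries no `ref:`, whereas the `eclipse/oniro-core/oniro` include just above is pinned to `ref: kirkstone`. Without a ref, GitLab resolves the include against the template project's default branch on every pipeline run, so any change (or compromise) of that branch silently changes what runs in this project's CI; pin a tag or commit SHA with a `ref:` line under the `project:` entry and bump it deliberately.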
...@@ -25,7 +27,9 @@ reuse: ...@@ -25,7 +27,9 @@ reuse:
rules: rules:
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"' - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
eca:
extends: .eca
# Naming scheme for variables is defined as follows: # Naming scheme for variables is defined as follows:
# #
# CI_ONIRO_*: # CI_ONIRO_*:
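Review bot: the new `eca` job only `extends: .eca` and declares no `rules:`, while the neighbouring `reuse` job is restricted with `- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'`. Unless the `.eca` template scopes itself, the ECA check will run on every branch and tag pipeline instead of only on merge requests; either add the same `rules:` block here or leave a comment stating that the template already restricts the job.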
...@@ -14,6 +14,7 @@ SPDX-License-Identifier: CC-BY-4.0 ...@@ -14,6 +14,7 @@ SPDX-License-Identifier: CC-BY-4.0
- <a href="#reuse-compliance" id="toc-reuse-compliance">REUSE Compliance</a> - <a href="#reuse-compliance" id="toc-reuse-compliance">REUSE Compliance</a>
- <a href="#spdx-information-and-reuse-standard" id="toc-spdx-information-and-reuse-standard">SPDX Information and REUSE Standard</a> - <a href="#spdx-information-and-reuse-standard" id="toc-spdx-information-and-reuse-standard">SPDX Information and REUSE Standard</a>
- <a href="#spdx-header-example" id="toc-spdx-header-example">SPDX Header Example</a> - <a href="#spdx-header-example" id="toc-spdx-header-example">SPDX Header Example</a>
- <a href="#dep5-files-paragraph-examples" id="toc-dep5-files-paragraph-examples">DEP5 "Files" Paragraph Examples</a>
- <a href="#substantial-contributions" id="toc-substantial-contributions">Substantial Contributions</a> - <a href="#substantial-contributions" id="toc-substantial-contributions">Substantial Contributions</a>
- <a href="#dco-sign-off" id="toc-dco-sign-off">DCO sign-off</a> - <a href="#dco-sign-off" id="toc-dco-sign-off">DCO sign-off</a>
- <a href="#overview-1" id="toc-overview-1">Overview</a> - <a href="#overview-1" id="toc-overview-1">Overview</a>
...@@ -134,17 +135,21 @@ Once your changes have been pushed to your fork, you are ready to prepare a merg ...@@ -134,17 +135,21 @@ Once your changes have been pushed to your fork, you are ready to prepare a merg
All projects and files for an hosted project **MUST** be [REUSE](https://reuse.software/) compliant. REUSE requires SPDX information for each file, rules for which are as follows: All projects and files for an hosted project **MUST** be [REUSE](https://reuse.software/) compliant. REUSE requires SPDX information for each file, rules for which are as follows:
- Any new file must have a SPDX header (copyright and license). - for files copyrighted by projects contributors (**"First Party Files"**):
- For files that don't support headers (for example binaries, patches etc.) an associated `.license` file must be included with the relevant SPDX information. - any new file MUST have a SPDX header (copyright and license);
- Do not add Copyright Year as part of the SPDX header information. - for files that don't support headers (for example binaries, patches etc.) an associated `.license` file MUST be included with the relevant SPDX information;
- The general rule of thumb for the license of a patch file is to use the license of the component for which the patch applies. - do not add Copyright Year as part of the SPDX header information;
- When modifying a file through this contribution process, you may (but don't have to) claim copyright by adding a copyright line. - the general rule for patch files is to use the MIT license and *not* the license of the component for which the patch applies - the latter solution would be error-prone and hard to manage and maintain in the long run, and there may be difficult-to-handle cases (what if the patches modifies multiple files in the same component - eg. gcc - which are subject to different licenses?);
- Never alter copyright statements made by others, but only add your own. - when modifying a file through this contribution process, you may (but don't have to) claim copyright by adding a copyright line;
- you MUST NOT alter copyright statements made by others, but only add your own;
Some files will make an exception to the above rules as described below: - for files copyrighted by third parties and just added to the project by contributors, eg. files copied from other projects or back-ported patches (**"Third Party Files"**):
- if upstream files already have SPDX headers, they MUST be left unchanged;
- Files for which copyright is not claimed and for which this information was not trivial to fetch (for example backporting patches, importing build recipes etc. when upstream doesn't provide the SPDX information in the first place) - if upstream files do *not* have SPDX headers:
- license files (for example `common-licenses` in bitbake layers) - the exact upstream provenance (repo, revision, path) MUST be identified;
- you MUST NOT add SPDX headers to Third Party Files;
- copyright and license information, as well as upstream provenance information (in the "Comment" section), MUST be stored in <span class="title-ref">.reuse/dep5</span> following [Debian dep5 specification](https://dep-team.pages.debian.net/deps/dep5/) (see examples below);
- you MUST NOT use wildcards (\*) in dep5 "Files" paragraphs even if Debian specs allow it: it may lead to unnoticed errors or inconsistencies in case of future file additions that may be covered by wildcard expressions even if they have a different license;
- in case of doubts or problems in finding the correct license and copyright information for Third Party Files, contributors may ask the project's Legal Team in the project mailing list <oniro-dev@eclipse.org>;
### SPDX Header Example ### SPDX Header Example
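Review bot: the rewritten rules drop the former exception for license text files (`common-licenses` in bitbake layers) without saying how such files are now handled; if they are meant to be recorded as Third Party Files in `.reuse/dep5`, say so, otherwise the exception should stay. Two smaller points in the same hunk: `<span class="title-ref">.reuse/dep5</span>` is a pandoc artifact of the rst `.reuse/dep5` role and should be plain backticks in Markdown, and "what if the patches modifies" should read "what if the patch modifies".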
...@@ -158,6 +163,26 @@ Make sure all of your submitted new files have a licensing statement in the head ...@@ -158,6 +163,26 @@ Make sure all of your submitted new files have a licensing statement in the head
*/ */
``` ```
### DEP5 "Files" Paragraph Examples
``` text
Files: meta-oniro-staging/recipes-containers/buildah/buildah_git.bb
Copyright: OpenEmbedded Contributors
License: MIT
Comment: Recipe file for buildah copied from meta-virtualization project at
https://git.yoctoproject.org/meta-virtualization,
recipes-containers/buildah.
README file of meta-virtualization project states:
"All metadata is MIT licensed unless otherwise stated."
Files: meta-oniro-staging/recipes-devtools/ninja/ninja/0001-feat-support-cpu-limit-by-cgroups-on-linux.patch
Copyright: Google Inc.
License: Apache-2.0
Comment: Patch for ninja backported from Ninja project at
https://github.com/ninja-build/ninja, commit 540be33
Copyright text left as found in the header of the patched file.
```
### Substantial Contributions ### Substantial Contributions
Therefore, if your contribution is only a patch directly applied to an existing file, then you are not required to do anything. If your contribution is an entire new project, or a substantial, copyrighted contribution, you **MUST** make sure that you do that following the [IP Policy](https://git.ostc-eu.org/oss-compliance/ip-policy/) and that you comply with REUSE standard to include the licensing information where they are required. Therefore, if your contribution is only a patch directly applied to an existing file, then you are not required to do anything. If your contribution is an entire new project, or a substantial, copyrighted contribution, you **MUST** make sure that you do that following the [IP Policy](https://git.ostc-eu.org/oss-compliance/ip-policy/) and that you comply with REUSE standard to include the licensing information where they are required.
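Review bot: the second DEP5 example identifies the upstream revision as `commit 540be33`, an abbreviated hash; since the rule above requires the exact upstream provenance (repo, revision, path), record the full commit SHA, which is the only form that stays unambiguous as the upstream repository grows. It would also help to state in the `Comment:` field that this patch is a back-ported Third Party File, so readers do not take `License: Apache-2.0` as contradicting the "patch files use MIT" rule that applies to First Party Files.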
...@@ -25,7 +25,7 @@ project = 'Oniro Project' ...@@ -25,7 +25,7 @@ project = 'Oniro Project'
copyright = '2022' copyright = '2022'
author = 'Oniro Project' author = 'Oniro Project'
version = '2.0.0-alpha' version = '2.0.0'
release = version release = version
# -- General configuration --------------------------------------------------- # -- General configuration ---------------------------------------------------
...@@ -17,17 +17,26 @@ All projects and files for an hosted project **MUST** be `REUSE <https://reuse.s ...@@ -17,17 +17,26 @@ All projects and files for an hosted project **MUST** be `REUSE <https://reuse.s
compliant. REUSE requires SPDX information for each file, rules for which are compliant. REUSE requires SPDX information for each file, rules for which are
as follows: as follows:
* Any new file must have a SPDX header (copyright and license). * for files copyrighted by projects contributors (**"First Party Files"**):
* For files that don't support headers (for example binaries, patches etc.) an associated ``.license`` file must be included with the relevant SPDX information.
* Do not add Copyright Year as part of the SPDX header information.
* The general rule of thumb for the license of a patch file is to use the license of the component for which the patch applies.
* When modifying a file through this contribution process, you may (but don't have to) claim copyright by adding a copyright line.
* Never alter copyright statements made by others, but only add your own.
Some files will make an exception to the above rules as described below: * any new file MUST have a SPDX header (copyright and license);
* for files that don't support headers (for example binaries, patches etc.) an associated ``.license`` file MUST be included with the relevant SPDX information;
* do not add Copyright Year as part of the SPDX header information;
* the general rule for patch files is to use the MIT license and *not* the license of the component for which the patch applies - the latter solution would be error-prone and hard to manage and maintain in the long run, and there may be difficult-to-handle cases (what if the patches modifies multiple files in the same component - eg. gcc - which are subject to different licenses);
* when modifying a file through this contribution process, you may (but don't have to) claim copyright by adding a copyright line;
* you MUST NOT alter copyright statements made by others, but only add your own;
* for files copyrighted by third parties and just added to the project by contributors, eg. files copied from other projects or back-ported patches (**"Third Party Files"**):
* if upstream files already have SPDX headers, they MUST be left unchanged;
* if upstream files do *not* have SPDX headers:
* the exact upstream provenance (repo, revision, path) MUST be identified;
* you MUST NOT add SPDX headers to Third Party Files;
* copyright and license information, as well as upstream provenance information (in the "Comment" section), MUST be stored in `.reuse/dep5` following `Debian dep5 specification <https://dep-team.pages.debian.net/deps/dep5/>`_ (see examples below);
* you MUST NOT use wildcards (\*) in dep5 "Files" paragraphs even if Debian specs allow it: it may lead to unnoticed errors or inconsistencies in case of future file additions that may be covered by wildcard expressions even if they have a different license;
* in case of doubts or problems in finding the correct license and copyright information for Third Party Files, contributors may ask the project's Legal Team in the project mailing list oniro-dev@eclipse.org;
* Files for which copyright is not claimed and for which this information was not trivial to fetch (for example backporting patches, importing build recipes etc. when upstream doesn't provide the SPDX information in the first place)
* license files (for example ``common-licenses`` in bitbake layers)
SPDX Header Example SPDX Header Example
------------------- -------------------
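Review bot: this rst copy of the rules already diverges from the Markdown copy in the same change: the gcc example here ends "which are subject to different licenses);" while CONTRIBUTING.md has "different licenses?);", and the "patches modifies" typo is repeated in both. Since the Markdown file appears to be pandoc-generated (the `title-ref` span), regenerate it from this rst source rather than hand-editing both, or at least re-read the two side by side before merging.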
...@@ -42,6 +51,29 @@ Make sure all of your submitted new files have a licensing statement in the head ...@@ -42,6 +51,29 @@ Make sure all of your submitted new files have a licensing statement in the head
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
DEP5 "Files" Paragraph Examples
-------------------------------
.. code-block:: text
Files: meta-oniro-staging/recipes-containers/buildah/buildah_git.bb
Copyright: OpenEmbedded Contributors
License: MIT
Comment: Recipe file for buildah copied from meta-virtualization project at
https://git.yoctoproject.org/meta-virtualization,
recipes-containers/buildah.
README file of meta-virtualization project states:
"All metadata is MIT licensed unless otherwise stated."
Files: meta-oniro-staging/recipes-devtools/ninja/ninja/0001-feat-support-cpu-limit-by-cgroups-on-linux.patch
Copyright: Google Inc.
License: Apache-2.0
Comment: Patch for ninja backported from Ninja project at
https://github.com/ninja-build/ninja, commit 540be33
Copyright text left as found in the header of the patched file.
Substantial Contributions Substantial Contributions
------------------------- -------------------------
.. SPDX-FileCopyrightText: Huawei Inc.
..
.. SPDX-License-Identifier: CC-BY-4.0
.. include:: ../../../definitions.rst
2.0.0
#####
**Release timeframe**: 2022-03-07 .. 2022-11-30
**Release Artefacts Download Area**: https://download.eclipse.org/oniro-core/releases/2.0.0/
**Release Tags GPG Public Key**: https://download.eclipse.org/oniro-core/releases/2.0.0/oniro-2.0.0_gpg_key.asc [*]_
.. toctree::
:maxdepth: 1
release_notes
requirements
test_report
ip_compliance_note
security_report
.. [*] All repositories released part of 2.0.0 have associated 2.0.0 `git
tags` that have been signed during the Eclipse Foundation release process.
You can use this GPG public key to verify all these signatures.
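Review bot: the GPG public key offered for verifying the 2.0.0 tag signatures is served from the same download area as the artefacts it is meant to authenticate, so a reader who cannot already trust that host gains nothing from the signatures. Publish the key's fingerprint on this page (and ideally on the project's Eclipse page or a keyserver) so it can be checked through an independent channel, and spell out the `git verify-tag` step the footnote alludes to.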
.. SPDX-FileCopyrightText: Alberto Pianon <pianon@array.eu> and Carlo Piana <piana@array.eu>
..
.. SPDX-License-Identifier: CC-BY-4.0
.. _2_0_0_IPComplianceNote:
IP Compliance Note
==================
Since the very beginning, a Continuous Compliance `toolchain`_ and `process`_
have been developed and integrated into the Oniro project development so that
source components used to generate Oniro binary images are continuously scanned
by open-source tools like `Fossology`_ and `Scancode`_, and reviewed by
Software Audit Experts and IP Lawyers [*]_.
For detailed information about the why and the how of such a process, please
refer to the Oniro Compliance Toolchain’s `official documentation`_. Sources
and documentation for custom components of the toolchain (`tinfoilhat`_,
`aliens4friends`_, `dashboard`_, `pipelines`_) can be found in their respective
repositories.
*TL;DR*: we put ourselves in your shoes, a device maker willing to use Oniro to
develop its products. We simulated the IP compliance work you would have to do
(on third-party components fetched by Yocto recipes) to build your firmware
image(-s) and spot possible legal risks and issues. In the true open-source
spirit, every time we found an issue with a particular upstream component, we
raised that issue upstream, and most of the time we got it solved for you by
upstream developers.
As of Oniro’s 2.0.0 GA Release, there are just a few issues left that we cannot
address. These relate to proprietary firmware/drivers for hardware support and
some patent-covered technologies. The issues require your attention and
possible action, e.g. getting a patent license. We will briefly explain these
here.
The overall status of audit activities can be monitored through a `dedicated
dashboard`_, which gets updated after every commit to Oniro's main repository.
In the dashboard, also CVE information (collected at the time of the commit) is
shown and can be filtered based on target machines, images, and single
components.
All repositories included in the Oniro 2.0.0 Release are `REUSE compliant
<https://reuse.software/spec/>`_. It means that copyright and license metadata
for every source file are made available within each repository in a standard
machine-readable format, and that at any time one can generate an SPDX SBoM
[*]_ for such repositories with `REUSE tool
<https://github.com/fsfe/reuse-tool>`_ by just running ``reuse spdx`` command.
REUSE-generated SPDX files for all released repositories are available as part
of the `release artefacts download area
<https://download.eclipse.org/oniro-core/releases/oniro-v2.0.0_spdx_sbom.tar.gz>`_.
Last but not least, we provide reference SPDX SBoM of source packages used to
build oniro-image-base and zephyr-philosophers images for a selection of
supported target machines (qemu, raspberrypi4, arduino-nano-33ble), generated
by continuous compliance pipelines. They are provided as a convenience only,
with no express or implied warranty about the accuracy and completeness of the
information contained therein (see the disclaimers below):
============================= ====== ============ =================== ===================
SBoM kernel toolchain(s) machine(s) image
============================= ====== ============ =================== ===================
`linux-qemu`_ linux gcc,clang qemu\* oniro-image-base
`linux-raspberrypi4`_ linux gcc,clang raspberrypi4-64 oniro-image-base
`zephyr-qemu`_ zephyr gcc qemu\* zephyr-philosophers
`zephyr-arduino-nano-33-ble`_ zephyr gcc arduino-nano-33-ble zephyr-philosophers
============================= ====== ============ =================== ===================
.. _linux-qemu: https://download.eclipse.org/oniro-core/releases/2.0.0/oniro-v2.0.0_linux-qemu_images_spdx_sbom.zip
.. _linux-raspberrypi4: https://download.eclipse.org/oniro-core/releases/2.0.0/oniro-v2.0.0_linux-raspberrypi4_images_spdx_sbom.zip
.. _zephyr-qemu: https://download.eclipse.org/oniro-core/releases/2.0.0/oniro-v2.0.0_zephyr-qemu_images_spdx_sbom.zip
.. _zephyr-arduino-nano-33-ble: https://download.eclipse.org/oniro-core/releases/2.0.0/oniro-v2.0.0_zephyr-arduino-nano-33-ble_images_spdx_sbom.zip
*Disclaimer#1*: This is not legal advice. This note is provided just as a
convenience for you, to suggest some critical areas in which you should seek
legal advice if you want to develop real-world products based on Oniro. It is
not meant to be complete nor to substitute internal due-diligence activities
you need to perform before marketing your products.
*Disclaimer#2*: This note covers only source components used to generate
supported Oniro images (oniro-image-base and zephyr-philosophers) for supported
target machines (qemux86-64, qemux86, qemuarm-efi, qemuarm64-efi,
raspberrypi4-64, seco-intel-b68, seco-px30-d23, seco-imx8mm-c61-2gb,
seco-imx8mm-c61-4gb, qemu-cortex-m3, nrf52840dk-nrf52840, arduino-nano-33-ble).
*Disclaimer#3*: “supported” *referred to a board* means that a board is
officially targeted as a potential platform where an Oniro image can be
installed for any purposes; when *referred to an image*, means that the image
targeting a supported board receives thorough testing and specific attention
during the development. It does NOT mean that both will receive support
services nor that any member of the Oniro Working Group or of the Eclipse
Foundation will provide any warranty whatsoever.
Solved Issues
-------------
- There was a proprietary software font accidentally included in
zephyr-philosophers; we opened the issue upstream
(https://github.com/zephyrproject-rtos/zephyr/issues/48111), which was
solved (https://github.com/zephyrproject-rtos/zephyr/pull/49103), and the
fix was backported to Oniro.
(https://gitlab.eclipse.org/eclipse/oniro-core/meta-zephyr/-/commit/0f36ae849d59da08e445af83f711a1c0108dd3bf);
- A similar issue was found also in Harfbuzz component, raised upstream
(https://github.com/harfbuzz/harfbuzz/issues/3845), fixed
(https://github.com/harfbuzz/harfbuzz/pull/3846), and the fix was backported
to Oniro
(https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/commit/fbb4bc229b287fa293439ee0adbb0d830764b2d8).
- There were a lot of binary files found in zephyr-philosophers, without
corresponding sources and no clear license information; we opened the issue
upstream
(https://gitlab.eclipse.org/eclipse/oniro-core/meta-zephyr/-/commit/0f36ae849d59da08e445af83f711a1c0108dd3bf),
which was then fixed
(https://github.com/zephyrproject-rtos/zephyr/pull/47181), and the fix was
backported to Oniro.
(https://gitlab.eclipse.org/eclipse/oniro-core/meta-zephyr/-/commit/a00d1c4f1aad8b0ea5b9f904966c0bd8a48d8d80)
- Some proprietary license headers, not granting redistribution nor any other
rights without written permission by Intel, were found in some source files
in the Intel-Media-SDK component; we opened the issue upstream
(https://github.com/Intel-Media-SDK/MediaSDK/issues/2937) and it turned out
it was an oversight occurred when open sourcing the component; it was then
fixed (https://github.com/Intel-Media-SDK/MediaSDK/pull/2939) and the fix was
backported to Oniro.
(https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/commit/d5ee837d90903d91a1ff358ebfe985d28925484e);
- A similar issue was found also in the Intel-Media-Driver component, it was
raised upstream (https://github.com/intel/media-driver/issues/1460), fixed
(https://github.com/intel/media-driver/pull/1465), and the fix was backported
to Oniro
(https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/commit/b56de944568c8e348cb8265c59d7cfd52a0831b9)
Warnings for Downstream Users: Hardware Support
-----------------------------------------------
Linux
~~~~~
IMX Firmware
^^^^^^^^^^^^
A couple of supported target boards (seco-imx8mm-c61-2gb and
seco-imx8mm-c61-4gb) require Freescale i.MX firmware for VPU and SDMA as well
as firmware for 8M Mini family to train memory interface on SoC and DRAM during
initialization. These firmware require acceptance of a `EULA`_ by the user
(you). Such acceptance may be provided by flagging a specific environment
variable (``ACCEPT_FSL_EULA = "1"``) in your configuration file (please refer
to Oniro’s technical documentation). You should carefully read that `EULA`_ to
check whether you are actually in a position to accept it and whether you can
fulfill all of its conditions. If needed, seek legal advice for that.
Linux-firmware
^^^^^^^^^^^^^^
The third-party components ``linux-firmware`` and ``linux-firmware-rpidistro``
contain many sub-components (mainly firmware BLOBs) for specific hardware
support, coming from different hardware vendors.
Almost all firmware vendor licenses restrict firmware usage to the specific
device(s) of their own.
Some of them (apparently) contain further restrictions, stating that the binary
file is licensed *“for use with [vendor] devices, but not as a part of the
Linux kernel or in any other form which would require these files themselves to
be covered by the terms of the GNU General Public License”*. Our understanding
is that such restriction is either redundant or useless. Apart from some
debatable and contested corner cases, there is no way in which a firmware blob
may become part of the Linux kernel and therefore be covered by the GNU General
Public License - so the above provision seems redundant. But even if someone
claimed that a proprietary firmware requires such a low-level interaction with
the kernel that such firmware must be deemed as a derivative work of the kernel
itself, such (alleged) non-compliance with GPL could not be avoided or excluded
by a vendor license clause - so the above provision would be useless. You
should seek legal advice to use the affected firmware files in either case.
================================= ================================================== ======================== ============================
Source Device/driver File(s) License found in
================================= ================================================== ======================== ============================
`linux-firmware-20220913.tar.xz`_ Conexant Cx23100/101/102 USB broadcast A/V decoder v4l-cx231xx-avcore-01.fw WHENCE
`linux-firmware-20220913.tar.xz`_ meson-vdec - Amlogic video decoder meson/vdec/\* LICENSE.amlogic_vdec, WHENCE
`linux-firmware-20220913.tar.xz`_ lt9611uxc - Lontium DSI to HDMI bridge lt9611uxc_fw.bin LICENSE.Lontium, WHENCE
================================= ================================================== ======================== ============================
Some other firmware files are covered by proprietary licenses that contain
termination clauses providing that either party may terminate the license at
any time without cause, which may work as killswitches (i.e. vendor may
terminate your license at any time without any reason, so your devices -
including already distributed ones - may lose, say, Bluetooth or Wifi support).
You should seek legal advice (and possibly negotiate a different license with
the vendor) if you need to use the affected firmware files:
========================================================== ====================== ======== ================
Source Device/driver File(s) License found in
========================================================== ====================== ======== ================
[git://github.com/murata-wireless/cyw-fmac-fw@ba140e42] Murata Wi-Fi/Bluetooth cyfmac\* LICENCE, README
[git://github.com/murata-wireless/cyw-fmac-nvram@8710e74e] Murata Wi-Fi/Bluetooth cyfmac\* LICENCE.cypress
[git://github.com/murata-wireless/cyw-bt-patch@9d040c25] Broadcom BCM43455 Wifi \*.hcd LICENCE.cypress
========================================================== ====================== ======== ================
Some other firmware files (for NVIDIA hardware, that is not included in any of
Oniro’s supported boards) have been expressly excluded from installation
because they come with a proprietary license with an unclear “open source
exception”. See `issue #834`_ in Oniro main repo for further details.
Some other firmware files are covered by a limited patent license. If you need
to use them, you should check whether you fulfill the conditions of such a
license.
================================= ========================= ============================= ======================
Source Device/driver File(s) License found in
================================= ========================= ============================= ======================
`linux-firmware-20220913.tar.xz`_ WiLink4 chips WLAN driver ti-connectivity/wl1251-fw.bin LICENCE.wl1251, WHENCE
================================= ========================= ============================= ======================
Finally, some licenses have unclear license wording about use and
redistribution. If you need to use firmware covered by such files, you should
check and possibly seek legal advice.
================================= ===================================================== ================================== =======================
Source Device/driver File(s) License found in
================================= ===================================================== ================================== =======================
`linux-firmware-20220913.tar.xz`_ WiLink4 chips WLAN driver ti-connectivity/wl1251-fw.bin LICENCE.wl1251, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell Libertas 802.11b/g cards libertas/\*.bin, mrvk/\*.bin LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell mac80211 driver for 80211ac cards mwlwifi/\*.bin LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell CPT driver mrvl/cpt01/\* LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell driver for Prestera family ASIC devices mrvl/prestera/\*.img LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ wave5 - Chips&Media, Inc. video codec driver cnm/wave521c_j721s2_codec_fw.bin LICENCE.cnm, WHENCE
`linux-firmware-20220913.tar.xz`_ Broadcom 802.11n fullmac wireless LAN driver brcm/brcmfmac/\*, cypress/cyfmac\* LICENCE.cypress, WHENCE
`linux-firmware-20220913.tar.xz`_ BCM-0bb4-0306 Cypress Bluetooth firmware for HTC Vive brcm/BCM-0bb4-0306.hcd LICENCE.cypress, WHENCE
================================= ===================================================== ================================== =======================
Zephyr
~~~~~~
The third-party repository ‘`zephyr-philosophers`_’ fetched by
zephyr-philosophers recipe contains many sub-components for specific hardware
support, coming from different hardware vendors. Some of them have specific
proprietary license conditions (eg. software components to support Atmel SAM
L21, Altera Nios II, Cypress/Infineon PSoC6) but are not used to generate Oniro
images, so they are not covered here. Should you need to add support for such
hardware boards, not officially supported by Oniro, you should carefully check
hardware vendor's license conditions.
Warnings for Downstream Users: Patents
--------------------------------------
“Dropbear” component documentation contains a patent and trademark notice:
The author (Tom St Denis) is not a patent lawyer so this section is not to
be treated as legal advice. To the best of the author’s knowledge, the only
patent-related issues within the library are the RC5 and RC6 symmetric block
cyphers. They can be removed from a build by simply commenting out the two
appropriate lines in `\textit{tomcrypt\_custom.h}`. The rest of the cyphers
and hashes are patent-free or under patents that have since expired.
The RC2 and RC4 symmetric cyphers are not under patents but are under
trademark regulations. This means you can use the cyphers you just can’t
advertise that you are doing so.
To our best knowledge, also patents on RC5 and RC6 symmetric block cyphers have
expired, but you should seek legal advice to check whether there still are
active patents covering such technologies.
.. [*]
Carlo Piana and Alberto Pianon from Array (Legal); Rahul Mohan G. and
Vaishali Avhad from NOI Techpark (Audit)
.. [*] SBOM is short for Software Bill Of Material, the full and detailed list
of upstream components. SPDX is short for Software Package Data Exchange, an
`ISO standard <https://spdx.github.io/spdx-spec>`_ to communicate
information about software in a machine-readable form.
.. _toolchain: https://projects.eclipse.org/projects/oniro.oniro-compliancetoolchain
.. _process: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/docs/-/tree/main/audit_workflow
.. _Fossology: https://www.fossology.org
.. _Scancode: https://nexb.com/scancode
.. _official documentation: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/docs
.. _tinfoilhat: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/tinfoilhat
.. _aliens4friends: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/aliens4friends
.. _dashboard: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/dashboard
.. _pipelines: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/pipelines
.. _EULA: https://git.yoctoproject.org/meta-freescale/tree/EULA
.. _linux-firmware-20220913.tar.xz: https://cdn.kernel.org/pub/linux/kernel/firmware/linux-firmware-20220913.tar.xz
.. _issue #834: https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/issues/834
.. _zephyr-philosophers: https://github.com/zephyrproject-rtos/zephyr
.. _dedicated dashboard: https://sca.software.bz.it/?json=https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/mirrors/oniro-goofy/-/jobs/artifacts/kirkstone/raw/report.harvest.json?job=harvest
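Review bot: in the third "Solved Issues" bullet the link given for "we opened the issue upstream" is `https://gitlab.eclipse.org/eclipse/oniro-core/meta-zephyr/-/commit/0f36ae849d59da08e445af83f711a1c0108dd3bf`, the same Oniro backport commit cited in the first bullet, not a Zephyr upstream issue; this looks like a copy-paste slip and the upstream issue URL should be restored. Also, the REUSE SBoM tarball link `https://download.eclipse.org/oniro-core/releases/oniro-v2.0.0_spdx_sbom.tar.gz` lacks the `2.0.0/` path segment that every other artefact link in this note uses; please confirm the URL resolves before release.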
.. SPDX-FileCopyrightText: Huawei Inc.
..
.. SPDX-License-Identifier: CC-BY-4.0
.. include:: ../../../definitions.rst
Release Notes
#############
About
*****
The objective of this document is to provide basic introductory information
about the included functionality, known issues and usage guidance for the
2.0.0 release of the |main_project_name| project.
The |main_project_name| project serves as a solid foundation for products.
It is not a standalone product itself but rather a platform that aims at
accelerating the development and maintenance of other projects and products.
During this release, the project's code and most of its infrastructure moved to
Eclipse Foundation as one of the top-level projects. This follows the fact that
|main_project_name| became an Eclipse Foundation project during a preview
release iteration.
Scope
*****
The Objectives of the Release
-----------------------------
The objective of the *2.0.0* release is to consolidate the features previously
released, add new features and meet the requirements defined by the
Eclipse Foundation Development Process. That includes, but is not limited to:
- Migration of code to the Eclipse Foundation
- Work towards migration of the project's infrastructure to the Eclipse
Foundation (e.g. CI, pipelines, etc.)
- Hardware & Software roadmap expansion
- Deployment of the IP compliance toolchain and related policies
- Security and maintenance, featuring CVE fixes, LEDGE support, etc.
The List of Software Features Included
--------------------------------------
- Linux Kernel LTS version supported for all ARM and X86 targets
- Zephyr kernel 3.1 supported for all ARM and X86 targets
- Over-the-Air system update, including integration with hawkbit and SysOTA
backends
- Toolchain package upgrades including LLVM, GCC, musl, etc.
- Matter 1.0 and Thread 1.2 support
- Modbus support with RTU (over RS485) and TCP modes
- New hardware supported: Raspberry Pi 3, SECO (SBC-C61, SBC-B68, SBC-D23),
QEMU ARM 32/64bit, Arduino Nano 33 BLE
- Development and integration of functional testing suites
- Integration of standard test toolkits (e.g. LTP)
- More LAVA support development including new LAVA nodes
- Security OS features targeting runtime and build-time (:ref:`SecurityGuide`)
- Development for security-oriented features for Oniro upgrades and CVE fixes
- Upstream contributions in terms of fixes, backports and CVE issues
- Repackaging of |main_project_name| from monolithic to modular, leveraging the
Yocto Project layer architecture, as well as the Eclipse Foundation
sub-project structure
- Split of the Blueprints, SysOTA, and OpenHarmony components into their own
sub-projects
For more details, the full list of requirements can be seen
:ref:`here<2_0_0_Requirements>`.
Supported Hardware Platforms
----------------------------
+---------------------------------+-------------------+---------------------------------------+
| Board (chipset) | Supported kernels | Board documentation |
+=================================+===================+=======================================+
| QEMU X86 | Linux & Zephyr | :ref:`SupportedVBoardQemuX86` |
+---------------------------------+-------------------+---------------------------------------+
| QEMU X86-64 | Linux | :ref:`SupportedVBoardQemuX86-64` |
+---------------------------------+-------------------+---------------------------------------+
| QEMU ARM (EFI) | Linux | :ref:`SupportedVBoardQemuARM` |
+---------------------------------+-------------------+---------------------------------------+
| QEMU ARM64 (EFI) | Linux | :ref:`SupportedVBoardQemuARM64` |
+---------------------------------+-------------------+---------------------------------------+
| QEMU Cortex M3 | Zephyr | :ref:`Zephyr_Kernel` |
+---------------------------------+-------------------+---------------------------------------+
| SECO SBC-B68 | Linux | :ref:`SupportedBoardSecoB68` |
+---------------------------------+-------------------+---------------------------------------+
| SECO SBC-C61 | Linux | :ref:`SupportedBoardSecoC61` |
+---------------------------------+-------------------+---------------------------------------+
| SECO SBC-D23 | Linux | :ref:`SupportedBoardSecoD23` |
+---------------------------------+-------------------+---------------------------------------+
| Raspberry Pi 4 B (BCM2711) | Linux | :ref:`raspberrypi` |
+---------------------------------+-------------------+---------------------------------------+
| Raspberry Pi 3 B+ (BCM2837B0) | Linux | :ref:`raspberrypi` |
+---------------------------------+-------------------+---------------------------------------+
| Arduino Nano 33 BLE | Zephyr | :ref:`SupportedBoardArduinoNano33BLE` |
+---------------------------------+-------------------+---------------------------------------+
Installation
************
:ref:`Quick Build <OniroQuickBuild>` provides an example of how to build the
|main_project_name| project for an example target. Visit the :ref:`Hardware
Support <HardwareSupport>` section for instructions on how to build for other
supported targets.
Visit :ref:`setting up a repo workspace <RepoWorkspace>` for instructions on
how to prepare the workspace for development. Since |main_project_name| uses
the `repo` tool for its development, you can pass the release tag to
`repo init` as follows:
.. code-block:: console
repo init -u https://gitlab.eclipse.org/eclipse/oniro-core/oniro.git -b v2.0.0
Known Issues
------------
Visit `this link
<https://gitlab.eclipse.org/groups/eclipse/oniro-core/-/issues/?sort=label_priority_desc&state=all&label_name%5B%5D=KnownIssue%3A%3ARelease2.0.0&first_page_size=20>`__
to see known issues for this release.
Source Code
-----------
For more details on our repo structure, see `OniroProject's GitLab
<https://gitlab.eclipse.org/eclipse/oniro-core>`__ project group.
DevOps Infrastructure
*********************
To learn more about the CI (Continuous Integration) strategy used for this
release, please see the :doc:`/ci/index` document.
Testing
-------
Details can be found in:
:doc:`/ci/device-testing` document.
This release comes with a detailed `Test Report` accessible
:ref:`here<2_0_0_TestReport>`.
IP Compliance
-------------
This release comes with a detailed `IP Compliance note` accessible
:ref:`here<2_0_0_IPComplianceNote>`.
Security Status
---------------
This release comes with a detailed `Security report` with a list of known CVEs
accessible :ref:`here<2_0_0_SecurityReport>`.
As part of the Oniro continuous compliance process, all relevant compliance and
security metadata are collected at build time for every commit to the Oniro
project repository and can be inspected through a `dedicated dashboard`_. To
inspect the open CVEs of a single component, filter components by status ("has
unpatched CVEs") and open the component details: open CVEs are listed first,
marked in red and ordered by score, while closed CVEs are marked in green. The
dashboard is updated after every commit, and each entry is a snapshot of the
CVE status at the time of that commit; when previously open CVEs have since
been fixed, this can be seen by inspecting the component's previous variants
in the dashboard.
.. _dedicated dashboard: https://sca.software.bz.it/?json=https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/mirrors/oniro-goofy/-/jobs/artifacts/kirkstone/raw/report.harvest.json?job=harvest
Out of Scope
************
|main_project_name| bundles components from multiple upstream sources. These
upstream sources come with features that the project might not explicitly
mention as part of its supportability policy. Similarly, |main_project_name|
includes supported features that are explicitly marked as 'experimental'. All
these cases, mainly driven by the community, receive only basic support from
the project.
|main_project_name| exercises an upstream-first support policy, so even for
cases that are not strictly in the supportability scope of the project,
|main_project_name| will provide guidance and traceability while facilitating
the upstream effort.
Contributions
*************
If you are a developer eager to know more about |main_project_name|, or just
an enthusiast with a patch proposal, you are welcome to participate in the
|main_project_name| ecosystem development. To do so, please sign up following
the process described in the :doc:`/contributing/index` document.
License
*******
Project manifest, project-specific meta-layers, recipes, and software packages
are published under the MIT license unless specified otherwise. The whole
operating system built by users from the project manifest is an aggregate
comprised of many third-party components or component groups, each subject to
its license conditions.
Official project release includes only the project manifest, project-specific
meta-layers, and recipes. Any reference binary image, build cache, and other
build artefacts are distributed only as a convenience and are not part of the
release itself.
.. note::
"supported" `referred to a board` means that the board is officially targeted
as a platform on which an Oniro image can be installed for any purpose; when
`referred to an image`, it means that the image targeting a supported board
receives thorough testing and specific attention during development. It does
NOT mean that either will receive support services, nor that any member of
the Oniro Working Group or of the Eclipse Foundation will provide any warranty
whatsoever.
.. SPDX-FileCopyrightText: Linaro Ltd
.. SPDX-License-Identifier: CC-BY-4.0
.. _2_0_0_SecurityReport:
Security Test Report (as of Nov 25, 2022)
=========================================
The CVEs have been checked against the NVD database as of Nov 25th, 2022.
qemu x86-64 CVE report (root filesystem only)
---------------------------------------------
Total number of known issues: 378
Out of this, high severity (CVSSv3 >= 7.0): 122
Complete results:
.. code-block:: console
Issues for package curl (version 7.82.0):
CVE-2022-42915 CVE-2022-42916
Count: 2
Issues for package expat (version 2.4.9):
CVE-2022-43680
Count: 1
Issues for package podman (version 4.0.1+gitAUTOINC+717edd7b84):
CVE-2022-2989
Count: 1
Issues for package dropbear (version 2020.81):
CVE-2021-36369
Count: 1
Issues for package openssl (version 3.0.5):
CVE-2022-3358 CVE-2022-3602 CVE-2022-3786
Count: 3
Issues for package systemd (version 1_250.5):
CVE-2022-3821
Count: 1
Issues for package linux-oniro (version 5.10.152+gitAUTOINC+dd90d836c0_b2303e799c):
CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544
CVE-2008-4609 CVE-2010-0298 CVE-2010-4563 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774
CVE-2016-3695 CVE-2016-3699 CVE-2017-1000255 CVE-2017-1000377 CVE-2017-6264
CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902
CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559 CVE-2019-14899
CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887 CVE-2020-10732
CVE-2020-10742 CVE-2020-16119 CVE-2020-16120 CVE-2020-1749 CVE-2020-25639 CVE-2020-25672
CVE-2020-26558 CVE-2020-27170 CVE-2020-27171 CVE-2020-27784 CVE-2020-27820 CVE-2020-35499
CVE-2020-35501 CVE-2020-35508 CVE-2020-8834 CVE-2021-20194 CVE-2021-20226 CVE-2021-20265
CVE-2021-20320 CVE-2021-20321 CVE-2021-20322 CVE-2021-23133 CVE-2021-23134 CVE-2021-27363
CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28039 CVE-2021-28375 CVE-2021-28660
CVE-2021-28691 CVE-2021-28714 CVE-2021-28715 CVE-2021-28950 CVE-2021-28951 CVE-2021-28952
CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29154 CVE-2021-29155 CVE-2021-29264
CVE-2021-29265 CVE-2021-29266 CVE-2021-29646 CVE-2021-29647 CVE-2021-29648 CVE-2021-29649
CVE-2021-29650 CVE-2021-29657 CVE-2021-30002 CVE-2021-30178 CVE-2021-31829 CVE-2021-31916
CVE-2021-32078 CVE-2021-32399 CVE-2021-33033 CVE-2021-33034 CVE-2021-33200 CVE-2021-33624
CVE-2021-33655 CVE-2021-33909 CVE-2021-34556 CVE-2021-34693 CVE-2021-3483 CVE-2021-3501
CVE-2021-35039 CVE-2021-3506 CVE-2021-35477 CVE-2021-3564 CVE-2021-3573 CVE-2021-3609
CVE-2021-3640 CVE-2021-3653 CVE-2021-3655 CVE-2021-3656 CVE-2021-3659 CVE-2021-3669
CVE-2021-3679 CVE-2021-3714 CVE-2021-37159 CVE-2021-3732 CVE-2021-3736 CVE-2021-3739
CVE-2021-3744 CVE-2021-3752 CVE-2021-3753 CVE-2021-37576 CVE-2021-3759 CVE-2021-3764
CVE-2021-3772 CVE-2021-3773 CVE-2021-38160 CVE-2021-38166 CVE-2021-38198 CVE-2021-38199
CVE-2021-38200 CVE-2021-38201 CVE-2021-38202 CVE-2021-38203 CVE-2021-38204 CVE-2021-38205
CVE-2021-38206 CVE-2021-38207 CVE-2021-38208 CVE-2021-38209 CVE-2021-38300 CVE-2021-3847
CVE-2021-3864 CVE-2021-4001 CVE-2021-4002 CVE-2021-4023 CVE-2021-4032 CVE-2021-4037
CVE-2021-40490 CVE-2021-4083 CVE-2021-4090 CVE-2021-4093 CVE-2021-4095 CVE-2021-41073
CVE-2021-4135 CVE-2021-4148 CVE-2021-4149 CVE-2021-4150 CVE-2021-4154 CVE-2021-4155
CVE-2021-4157 CVE-2021-41864 CVE-2021-4197 CVE-2021-42008 CVE-2021-4202 CVE-2021-4203
CVE-2021-4218 CVE-2021-42252 CVE-2021-42327 CVE-2021-42739 CVE-2021-43057 CVE-2021-43389
CVE-2021-43975 CVE-2021-43976 CVE-2021-44733 CVE-2021-44879 CVE-2021-45095 CVE-2021-45402
CVE-2021-45469 CVE-2021-45480 CVE-2021-45485 CVE-2021-45486 CVE-2021-45868 CVE-2021-46283
CVE-2022-0168 CVE-2022-0171 CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0322
CVE-2022-0330 CVE-2022-0382 CVE-2022-0400 CVE-2022-0433 CVE-2022-0435 CVE-2022-0480
CVE-2022-0487 CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617
CVE-2022-0850 CVE-2022-0854 CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1012
CVE-2022-1015 CVE-2022-1016 CVE-2022-1043 CVE-2022-1048 CVE-2022-1055 CVE-2022-1158
CVE-2022-1184 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199 CVE-2022-1204 CVE-2022-1205
CVE-2022-1247 CVE-2022-1263 CVE-2022-1353 CVE-2022-1462 CVE-2022-1508 CVE-2022-1651
CVE-2022-1652 CVE-2022-1671 CVE-2022-1734 CVE-2022-1786 CVE-2022-1852 CVE-2022-1882
CVE-2022-1973 CVE-2022-1976 CVE-2022-1998 CVE-2022-2078 CVE-2022-2153 CVE-2022-2308
CVE-2022-2318 CVE-2022-23222 CVE-2022-2327 CVE-2022-2380 CVE-2022-24448 CVE-2022-24958
CVE-2022-24959 CVE-2022-2503 CVE-2022-25258 CVE-2022-25265 CVE-2022-25375 CVE-2022-26365
CVE-2022-26490 CVE-2022-2663 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666
CVE-2022-2785 CVE-2022-27950 CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390
CVE-2022-2873 CVE-2022-28796 CVE-2022-28893 CVE-2022-2905 CVE-2022-29156 CVE-2022-2938
CVE-2022-29581 CVE-2022-29582 CVE-2022-2959 CVE-2022-2961 CVE-2022-2977 CVE-2022-2991
CVE-2022-29968 CVE-2022-3028 CVE-2022-3077 CVE-2022-3078 CVE-2022-3170 CVE-2022-3176
CVE-2022-3202 CVE-2022-32250 CVE-2022-32296 CVE-2022-32981 CVE-2022-3303 CVE-2022-3344
CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 CVE-2022-33743 CVE-2022-33744 CVE-2022-33981
CVE-2022-3435 CVE-2022-34494 CVE-2022-34495 CVE-2022-34918 CVE-2022-3521 CVE-2022-3522
CVE-2022-3523 CVE-2022-3526 CVE-2022-3531 CVE-2022-3532 CVE-2022-3533 CVE-2022-3534
CVE-2022-3535 CVE-2022-3541 CVE-2022-3542 CVE-2022-3543 CVE-2022-3544 CVE-2022-3545
CVE-2022-3563 CVE-2022-3564 CVE-2022-3565 CVE-2022-3566 CVE-2022-3567 CVE-2022-3586
CVE-2022-3594 CVE-2022-3595 CVE-2022-3606 CVE-2022-36123 CVE-2022-3619 CVE-2022-3621
CVE-2022-3623 CVE-2022-3624 CVE-2022-3625 CVE-2022-36280 CVE-2022-3629 CVE-2022-3630
CVE-2022-3633 CVE-2022-3635 CVE-2022-3636 CVE-2022-3637 CVE-2022-3640 CVE-2022-36402
CVE-2022-3646 CVE-2022-3649 CVE-2022-36879 CVE-2022-36946 CVE-2022-38096 CVE-2022-38457
CVE-2022-39188 CVE-2022-39189 CVE-2022-39190 CVE-2022-39842 CVE-2022-40133 CVE-2022-40307
CVE-2022-40476 CVE-2022-40768 CVE-2022-41218 CVE-2022-41222 CVE-2022-41674 CVE-2022-41848
CVE-2022-41849 CVE-2022-41850 CVE-2022-42703 CVE-2022-42719 CVE-2022-42720 CVE-2022-42721
CVE-2022-42722 CVE-2022-43750 CVE-2022-43945 CVE-2022-44032 CVE-2022-44033 CVE-2022-44034
Count: 365
Issues for package sudo (version 1.9.10):
CVE-2022-43995
Count: 1
Issues for package python3 (version 3.10.7):
CVE-2022-42919 CVE-2022-45061
Count: 2
Issues for package libpam (version 1.5.2):
CVE-2022-28321
Count: 1
raspberrypi4 CVE report (rootfs only)
-------------------------------------
Total number of known issues: 249
Out of this, high severity (CVSSv3 >= 7.0): 118
Complete results:
.. code-block:: console
Issues for package systemd (version 1_250.5):
CVE-2022-3821
Count: 1
Issues for package openssl (version 3.0.5):
CVE-2022-3358 CVE-2022-3602 CVE-2022-3786
Count: 3
Issues for package libpam (version 1.5.2):
CVE-2022-28321
Count: 1
Issues for package linux-raspberrypi (version 1_5.15.34+gitAUTOINC+e1b976ee4f_0086da6acd):
CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764
CVE-2007-4998 CVE-2008-2544 CVE-2008-4609 CVE-2010-0298 CVE-2010-4563
CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699
CVE-2017-1000255 CVE-2017-1000377 CVE-2017-6264 CVE-2018-1000026
CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901
CVE-2018-10902 CVE-2018-14625 CVE-2018-16880 CVE-2018-16884
CVE-2018-5873 CVE-2018-6559 CVE-2019-14899 CVE-2019-18910
CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887 CVE-2020-10732
CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672
CVE-2020-27784 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834
CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-33655
CVE-2021-3564 CVE-2021-3669 CVE-2021-3714 CVE-2021-3743 CVE-2021-3759
CVE-2021-3847 CVE-2021-3864 CVE-2021-4002 CVE-2021-4090 CVE-2021-4095
CVE-2021-4135 CVE-2021-4155 CVE-2021-4197 CVE-2021-4202 CVE-2021-4218
CVE-2021-44879 CVE-2021-45402 CVE-2022-0168 CVE-2022-0171
CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382
CVE-2022-0400 CVE-2022-0433 CVE-2022-0435 CVE-2022-0480 CVE-2022-0492
CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742
CVE-2022-0854 CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1012
CVE-2022-1015 CVE-2022-1016 CVE-2022-1048 CVE-2022-1055 CVE-2022-1158
CVE-2022-1184 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199 CVE-2022-1204
CVE-2022-1205 CVE-2022-1247 CVE-2022-1263 CVE-2022-1353 CVE-2022-1462
CVE-2022-1651 CVE-2022-1652 CVE-2022-1671 CVE-2022-1734 CVE-2022-1852
CVE-2022-1882 CVE-2022-1973 CVE-2022-1976 CVE-2022-1998 CVE-2022-2078
CVE-2022-2153 CVE-2022-2308 CVE-2022-2318 CVE-2022-2327 CVE-2022-2380
CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959
CVE-2022-2503 CVE-2022-25258 CVE-2022-25265 CVE-2022-25375
CVE-2022-26365 CVE-2022-26490 CVE-2022-2663 CVE-2022-26878
CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-2785
CVE-2022-27950 CVE-2022-28356 CVE-2022-28388 CVE-2022-28389
CVE-2022-28390 CVE-2022-2873 CVE-2022-28796 CVE-2022-28893
CVE-2022-2905 CVE-2022-29156 CVE-2022-2938 CVE-2022-29581
CVE-2022-29582 CVE-2022-2959 CVE-2022-2961 CVE-2022-2977
CVE-2022-29968 CVE-2022-3028 CVE-2022-3077 CVE-2022-3078 CVE-2022-3170
CVE-2022-3176 CVE-2022-3202 CVE-2022-32250 CVE-2022-32296
CVE-2022-32981 CVE-2022-3303 CVE-2022-3344 CVE-2022-33740
CVE-2022-33741 CVE-2022-33742 CVE-2022-33743 CVE-2022-33744
CVE-2022-33981 CVE-2022-3435 CVE-2022-34494 CVE-2022-34495
CVE-2022-34918 CVE-2022-3521 CVE-2022-3522 CVE-2022-3523 CVE-2022-3526
CVE-2022-3531 CVE-2022-3532 CVE-2022-3533 CVE-2022-3534 CVE-2022-3535
CVE-2022-3541 CVE-2022-3542 CVE-2022-3543 CVE-2022-3544 CVE-2022-3545
CVE-2022-3563 CVE-2022-3564 CVE-2022-3565 CVE-2022-3566 CVE-2022-3567
CVE-2022-3586 CVE-2022-3594 CVE-2022-3595 CVE-2022-3606 CVE-2022-36123
CVE-2022-3619 CVE-2022-3621 CVE-2022-3623 CVE-2022-3624 CVE-2022-3625
CVE-2022-3629 CVE-2022-3630 CVE-2022-3633 CVE-2022-3635 CVE-2022-3636
CVE-2022-3637 CVE-2022-3640 CVE-2022-36402 CVE-2022-3646 CVE-2022-3649
CVE-2022-36879 CVE-2022-36946 CVE-2022-38096 CVE-2022-38457
CVE-2022-39188 CVE-2022-39189 CVE-2022-39190 CVE-2022-39842
CVE-2022-40133 CVE-2022-40307 CVE-2022-40476 CVE-2022-40768
CVE-2022-41218 CVE-2022-41674 CVE-2022-41848 CVE-2022-41849
CVE-2022-41850 CVE-2022-42703 CVE-2022-42719 CVE-2022-42720
CVE-2022-42721 CVE-2022-42722 CVE-2022-43750 CVE-2022-43945
CVE-2022-44032 CVE-2022-44033 CVE-2022-44034
Count: 236
Issues for package curl (version 7.82.0):
CVE-2022-42915 CVE-2022-42916
Count: 2
Issues for package python3 (version 3.10.7):
CVE-2022-42919 CVE-2022-45061
Count: 2
Issues for package expat (version 2.4.9):
CVE-2022-43680
Count: 1
Issues for package dropbear (version 2020.81):
CVE-2021-36369
Count: 1
Issues for package sudo (version 1.9.10):
CVE-2022-43995
Count: 1
Issues for package podman (version 4.0.1+gitAUTOINC+717edd7b84):
CVE-2022-2989
Count: 1
.. SPDX-FileCopyrightText: Luca Favaretto <luca.favaretto@kalpa.it> and Luca zizolfi <luca.zizolfi@kalpa.it>
..
.. SPDX-License-Identifier: CC-BY-4.0
.. _2_0_0_TestReport:
Test Report
==================
Results by test suite
-----------------------
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| TESTS               | Manual/Automated  | TEST  | NO RUN  | PASSED  | FAILED  | BLOCKED  | N/A  | SKIPPED   |
+=====================+===================+=======+=========+=========+=========+==========+======+===========+
| Kernel Build | Both | 32 | 0 | 24 | 6 | | 2 | |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| OTA | Automated | 6 | 0 | 6 | | | | |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| Networking | Manual | 2 | 0 | | | 1 | | 1 |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| Reference Hardware | Manual | 48 | 0 | 10 | | 29 | 5 | 4 |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| Security | Manual | 170 | 0 | 157 | | | 13 | |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| Podman | Automated | 1300 | 0 | 234 | 960 | | 106 | |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| LTP | Automated | 15030 | 0 | 12381 | 520 | | 2129 | |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| Kernel self test | Automated | 56 | 0 | 8 | 24 | | 24 | |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
| Libc | Automated | 2185 | 0 | 1464 | 721 | | | |
+---------------------+-------------------+-------+---------+---------+---------+----------+------+-----------+
Overall Results
-----------------
+--------------------+------------+
| **Total** | **23442** |
+--------------------+------------+
| | |
+--------------------+------------+
| *Passed* | *17994* |
+--------------------+------------+
| *Failed* | *2324* |
+--------------------+------------+
| *Blocked* | *30* |
+--------------------+------------+
| *Skipped* | *5* |
+--------------------+------------+
| *Out of scope* | *3089* |
+--------------------+------------+
| *No Run* | *0* |
+--------------------+------------+
| | |
+--------------------+------------+
| **TEST PASS RATE** | **89.94%** |
+--------------------+------------+
| % Blocked          | 0.13%      |
+--------------------+------------+
| % Failed           | 9.91%      |
+--------------------+------------+
| % Skipped          | 0.02%      |
+--------------------+------------+
...@@ -14,3 +14,4 @@ This section contains information related to releases of |main_project_name|. ...@@ -14,3 +14,4 @@ This section contains information related to releases of |main_project_name|.
aladeen/0.1.0/release_notes aladeen/0.1.0/release_notes
jasmine/1.0.0/release_notes jasmine/1.0.0/release_notes
2.0/2.0.0/index
...@@ -4,6 +4,8 @@ ...@@ -4,6 +4,8 @@
.. include:: ../definitions.rst .. include:: ../definitions.rst
.. _SecurityGuide:
Security Practices Security Practices
################## ##################
...@@ -25,7 +27,7 @@ thus increasing software quality in general. ...@@ -25,7 +27,7 @@ thus increasing software quality in general.
Hardening and security options `may` have performance costs (e.g. due to Hardening and security options `may` have performance costs (e.g. due to
additional checks in the code path). Oniro attempts to assure that security additional checks in the code path). Oniro attempts to assure that security
hardening features do not increase overhead more than %5, in general. hardening features do not increase overhead more than 5 percent, in general.
On the other hand, additional tests come with an additional computing costs On the other hand, additional tests come with an additional computing costs
and may reduce performance. The hardening options suggested are checked against and may reduce performance. The hardening options suggested are checked against
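Review bot: the unchanged context line right after the changed one, "additional tests come with an additional computing costs", pairs a singular article with a plural noun; since this hunk already rewrites the paragraph, drop the "an" in the same change ("come with additional computing costs").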
...@@ -51,17 +53,23 @@ leaking data freed from memory, and accessing wrong memory zones. ...@@ -51,17 +53,23 @@ leaking data freed from memory, and accessing wrong memory zones.
Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator.cfg`` Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator.cfg``
and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg``. and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg``.
+---------------------------------+-------------+ +-------------------------------------+-------------+
| Config option | Oniro state | | Config option | Oniro state |
+=================================+=============+ +=====================================+=============+
| CONFIG_SLAB_FREELIST_RANDOM | On | | ``CONFIG_SLAB_FREELIST_RANDOM`` | On |
| CONFIG_SLAB_FREELIST_HARDENED | On | +-------------------------------------+-------------+
| CONFIG_SHUFFLE_PAGE_ALLOCATOR | On | | ``CONFIG_SLAB_FREELIST_HARDENED`` | On |
| CONFIG_PAGE_POISONING | On | +-------------------------------------+-------------+
| CONFIG_PAGE_POISONING_NO_SANITY | On | | ``CONFIG_SHUFFLE_PAGE_ALLOCATOR`` | On |
| CONFIG_PAGE_POISONING_ZERO | On | +-------------------------------------+-------------+
| CONFIG_INIT_ON_ALLOC_DEFAULT_ON | On | | ``CONFIG_PAGE_POISONING`` | On |
+---------------------------------+-------------+ +-------------------------------------+-------------+
| ``CONFIG_PAGE_POISONING_NO_SANITY`` | On |
+-------------------------------------+-------------+
| ``CONFIG_PAGE_POISONING_ZERO`` | On |
+-------------------------------------+-------------+
| ``CONFIG_INIT_ON_ALLOC_DEFAULT_ON`` | On |
+-------------------------------------+-------------+
**CONFIG_SLAB_FREELIST_RANDOM=y** **CONFIG_SLAB_FREELIST_RANDOM=y**
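Review bot: the rebuilt table in this hunk lists ``CONFIG_PAGE_POISONING_NO_SANITY`` and ``CONFIG_PAGE_POISONING_ZERO`` as On, but both options were removed upstream in Linux 5.11 (the poison check is now unconditional and zeroing is covered by ``init_on_free``), so the two config fragments only take effect on the 5.10 linux-oniro kernel and are silently dropped on the 5.15 linux-raspberrypi kernel that the security report covers. State the kernel version the table applies to, or add a sentence pointing to ``CONFIG_INIT_ON_FREE_DEFAULT_ON`` as the equivalent on newer kernels, so readers do not assume the Raspberry Pi build carries these protections.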
...@@ -148,13 +156,15 @@ Reducing Attack Surface ...@@ -148,13 +156,15 @@ Reducing Attack Surface
The following options remove some obsolete or un-needed features, which could The following options remove some obsolete or un-needed features, which could
make attacks easier: make attacks easier:
+---------------------------------+-------------+ +-------------------------------------+-------------+
| Config option | Oniro state | | Config option | Oniro state |
+=================================+=============+ +=====================================+=============+
| CONFIG_COMPAT_BRK | Off | | ``CONFIG_COMPAT_BRK`` | Off |
| CONFIG_PROC_KCORE | Off | +-------------------------------------+-------------+
| CONFIG_BINFMT_MISC | Off | | ``CONFIG_PROC_KCORE`` | Off |
+---------------------------------+-------------+ +-------------------------------------+-------------+
| ``CONFIG_BINFMT_MISC`` | Off |
+-------------------------------------+-------------+
**Option: CONFIG_COMPAT_BRK is not set** **Option: CONFIG_COMPAT_BRK is not set**
...@@ -194,13 +204,13 @@ automatically feed it to the correct interpreter. ...@@ -194,13 +204,13 @@ automatically feed it to the correct interpreter.
Dmesg Options Dmesg Options
^^^^^^^^^^^^^ ^^^^^^^^^^^^^
Those options are related to the kernel log in dmesg: Those options are related to the kernel log in ``dmesg``:
+---------------------------------+-------------+ +-------------------------------------+-------------+
| Config option | Oniro state | | Config option | Oniro state |
+=================================+=============+ +=====================================+=============+
| CONFIG_SECURITY_DMESG_RESTRICT | On | | ``CONFIG_SECURITY_DMESG_RESTRICT`` | On |
+---------------------------------+-------------+ +-------------------------------------+-------------+
Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_dmesg.cfg`` Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_dmesg.cfg``
...@@ -219,11 +229,11 @@ Compiler-level Hardening ...@@ -219,11 +229,11 @@ Compiler-level Hardening
Those options enable checks done by the compiler: Those options enable checks done by the compiler:
+---------------------------------+-------------+ +-------------------------------------+-------------+
| Config option | Oniro state | | Config option | Oniro state |
+=================================+=============+ +=====================================+=============+
| CONFIG_FORTIFY_SOURCE | On | | ``CONFIG_FORTIFY_SOURCE`` | On |
+---------------------------------+-------------+ +-------------------------------------+-------------+
Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg``. Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg``.
...@@ -241,12 +251,13 @@ Memory Accesses ...@@ -241,12 +251,13 @@ Memory Accesses
With those options we disable the complete physical memory access and detect With those options we disable the complete physical memory access and detect
unsafe memory permissions: unsafe memory permissions:
+-------------------------------+-------------+ +----------------------------------+-------------+
| Config option | Oniro state | | Config option | Oniro state |
+===============================+=============+ +==================================+=============+
| CONFIG_DEBUG_WX | On | | ``CONFIG_DEBUG_WX`` | On |
| CONFIG_DEVMEM | Off | +----------------------------------+-------------+
+-------------------------------+-------------+ | ``CONFIG_DEVMEM`` | Off |
+----------------------------------+-------------+
Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_memory.cfg``. Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_memory.cfg``.
...@@ -286,12 +297,13 @@ Copying from Userspace ...@@ -286,12 +297,13 @@ Copying from Userspace
Those options add verification when copying potentially malicious data from Those options add verification when copying potentially malicious data from
the user space: the user space:
+-----------------------------------+-------------+ +---------------------------------------+-------------+
| Config option | Oniro state | | Config option | Oniro state |
+===================================+=============+ +=======================================+=============+
| CONFIG_HARDENED_USERCOPY | On | | ``CONFIG_HARDENED_USERCOPY`` | On |
| CONFIG_HARDENED_USERCOPY_FALLBACK | Off | +---------------------------------------+-------------+
+-----------------------------------+-------------+ | ``CONFIG_HARDENED_USERCOPY_FALLBACK`` | Off |
+---------------------------------------+-------------+
File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_usercopy.cfg``. File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_usercopy.cfg``.
...@@ -333,15 +345,19 @@ Data Validation ...@@ -333,15 +345,19 @@ Data Validation
With those options we add verification of the internal kernel data structures: With those options we add verification of the internal kernel data structures:
+---------------------------------+-------------+ +-------------------------------------+-------------+
| Config option | Oniro state | | Config option | Oniro state |
+=================================+=============+ +=====================================+=============+
| CONFIG_DEBUG_NOTIFIERS | On | | ``CONFIG_DEBUG_NOTIFIERS`` | On |
| CONFIG_DEBUG_LIST | On | +-------------------------------------+-------------+
| CONFIG_DEBUG_SG | On | | ``CONFIG_DEBUG_LIST`` | On |
| CONFIG_BUG_ON_DATA_CORRUPTION | On | +-------------------------------------+-------------+
| CONFIG_SCHED_STACK_END_CHECK | On | | ``CONFIG_DEBUG_SG`` | On |
+---------------------------------+-------------+ +-------------------------------------+-------------+
| ``CONFIG_BUG_ON_DATA_CORRUPTION`` | On |
+-------------------------------------+-------------+
| ``CONFIG_SCHED_STACK_END_CHECK`` | On |
+-------------------------------------+-------------+
File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg``. File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg``.
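Review bot: the lead sentence "With those options we add verification of the internal kernel data structures" does not describe ``CONFIG_BUG_ON_DATA_CORRUPTION``, which adds no check of its own; it selects ``CONFIG_DEBUG_LIST`` and turns the corruption reports raised by those checks into a BUG() instead of a WARN(). That is the setting that decides whether detected corruption halts the device or only logs, which matters for an embedded product, so it deserves a sentence of its own here. ``CONFIG_DEBUG_SG`` is likewise a debug option with a cost on every scatterlist operation; if it is meant to stay in production images, state that explicitly rather than letting readers assume it is a development leftover.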
...@@ -426,10 +442,11 @@ IOMMU is not enabled yet. ...@@ -426,10 +442,11 @@ IOMMU is not enabled yet.
*File:* Source file: ``hardening_fortify_source.cfg`` *File:* Source file: ``hardening_fortify_source.cfg``
KSPP [2]_ recomends setting up the following: KSPP [2]_ recomends setting up the following:
```
CONFIG_PANIC_ON_OOPS=y .. code-block:: console
CONFIG_PANIC_TIMEOUT=-1
``` CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
They cause the kernel to reboot on serious error (Oops, see They cause the kernel to reboot on serious error (Oops, see
``the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>`` ``the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>``
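Review bot: ``.. code-block:: console`` is the wrong lexer for a Kconfig fragment; Pygments ships a ``kconfig`` lexer (``text`` also works), whereas ``console`` will try to highlight these two lines as shell prompts. Since this block is being touched anyway: "recomends" on the line above it is misspelled, and the reference on the line after it is written with double backticks, which renders ``the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>`` as literal text rather than a link; RST wants the single-backtick hyperlink form `` `the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>`_ ``.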
...@@ -442,11 +459,62 @@ file to the kernel configuration if it is safe in your product. ...@@ -442,11 +459,62 @@ file to the kernel configuration if it is safe in your product.
Module Signing Module Signing
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^
Module signing is not enabled yet, we need the key infrastructure set up. Module signing is not enabled yet, we do include the needed tools.
Sysctls
*******
`sysctl` is used to modify kernel parameters at runtime. |main_project_name|
to set up a number of hardening options.
*Recommendation source:* KSPP [2]_
General options
^^^^^^^^^^^^^^^
|main_project_name| limits the visibility in kernel addresses in ``/proc``
files, disabled profiling for non-root users and disabled ``kexec``.
User namespaces are enabled only in case of ``podman`` configured in ``rootless``
mode.
Options affected: ``kernel.kptr_restrict``, ``kernel.perf_event_paranoid``,
``kernel.kexec_load_disabled``, ``kernel.yama.ptrace_scope``, and
``user.max_user_namespaces``.
BPF
^^^
|main_project_name| DISABLES unprivileged BPF and enabled JIT hardening,
if put in place.
Options affected: ``kernel.unprivileged_bpf_disabled`` and ``net.core.bpf_jit_harden``.
Networking
^^^^^^^^^^
|main_project_name| disabled ICMP redirects, rejects packets with the
source route option (SRR) and logs impossible addresses.
Options affected: ``net.ipv4.conf.all.rp_filter``,
``net.ipv4.conf.default.accept_redirects``,
``net.ipv4.conf.all.send_redirects``,
``net.ipv4.conf.default.accept_source_route``,
``net.ipv4.conf.default.log_martians``,
``net.ipv6.conf.all.accept_redirects``, and
``net.ipv6.conf.default.accept_redirects``.
Yocto Project/OpenEmbedded Configuration
****************************************
The current version of |main_project_name| disables `debug-tweaks` by default
in production images. It means, among other things, that the `root` login
is disabled. Instead, a log in with `oniro` user is available. See the
:ref:`Debug mode documentation <DebugMode>` for more details.
Known Issues Known Issues
^^^^^^^^^^^^ ************
None. None.
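Review bot: the IPv4 networking list is asymmetric in a way that weakens it: ``accept_redirects``, ``accept_source_route`` and ``log_martians`` are set only under ``net.ipv4.conf.default``, which seeds interfaces created after the sysctl file is applied, while ``net.ipv4.conf.all`` keeps its kernel defaults. For ``accept_redirects`` on a non-forwarding host the kernel accepts redirects if either the ``all`` or the per-interface value is true, and ``all.accept_redirects`` defaults to 1, so setting only ``default.accept_redirects=0`` leaves redirects accepted; set both ``all`` and ``default`` for IPv4 as the IPv6 entries already do, or say why the gap is intentional. Other points in this hunk: "|main_project_name| to set up a number of hardening options" has lost its verb (uses ``sysctl`` to set); ``kernel.yama.ptrace_scope`` and ``net.ipv4.conf.all.rp_filter`` appear in the option lists but the prose never says what they are set to, and for ``kernel.unprivileged_bpf_disabled`` the value matters (1 cannot be reverted at runtime, 2 can), so state the values; "DISABLES unprivileged BPF and enabled JIT hardening, if put in place" mixes tenses and "if put in place" is unclear (enabled only when the JIT is compiled in?); "Module signing is not enabled yet, we do include the needed tools" is a comma splice and should name the tools; and `sysctl`, `debug-tweaks`, `root` and `oniro` use single backticks, which RST renders as interpreted (emphasised) text rather than literals, unlike the double-backtick style used everywhere else in this file.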