@jiaxli-QC jiaxli-QC commented Sep 22, 2025

  • Minkipc is designed to facilitate secure communication between different domains.
    Add the minkipc component to dynamic-layer because it depends on the qcbor library from the meta-openembedded dynamic layer.
  • The Mink-idl-compiler (minkidlc) is used by security components to convert .idl files into header files. Since minkipc depends on this tool and is part of dynamic-layer, add minkidlc to dynamic-layer.

@ricardosalveti

Also please drop 'meta-qcom: security:' from the commit subjects, use 'Add recipe <>' with short meaning to the recipe.

@ricardosalveti

And split the commits that are including the packages in the packagegroup.

@lumag

lumag commented Sep 23, 2025

And split the commits that are including the packages in the packagegroup.

I don't think we need packagegroup at all. In the end, we only need the qtee_supplicant to be installed into the rootfs. The rest seems to be test programs (which don't belong to the production environment) and libraries (which should be pulled via dependencies).


@lumag lumag left a comment

Please go through all review comments and implement all of them or at least provide some response to the comments that you think are not correct or not applicable.

@jiaxli-QC

#1094 (comment)

Hi @lumag . Currently, minkidlc has only released an x86 version binary for users, and all use cases are based on x86 hosts. More validation is needed on different hosts before expanding minkidlc support.
Since minkidlc is compiled with Rust, further testing is required to ensure Rust compilation works on other platforms.
For now, we provide minkidlc via file downloads to meet the integration needs of security components. I will coordinate with the minkidlc owner and continue to work on optimizations.

@lumag

lumag commented Oct 24, 2025

More validation is needed on different hosts before expanding minkidlc support. Since minkidlc is compiled with Rust, further testing is required to ensure Rust compilation works on other platforms. For now, we provide minkidlc via file downloads to meet the integration needs of security components. I will coordinate with the minkidlc owner and continue to work on optimizations.

OE provides support for building Rust binaries. minkidlc is provided in the source form. It has 0 tests to check for regressions, but that's a different topic. So, no. I don't think we should accept downloading a binary to be executed on the build host.

@jiaxli-QC jiaxli-QC force-pushed the master branch 2 times, most recently from 2f341ae to 4893e2c October 24, 2025 10:40

@jiaxli-QC

More validation is needed on different hosts before expanding minkidlc support. Since minkidlc is compiled with Rust, further testing is required to ensure Rust compilation works on other platforms. For now, we provide minkidlc via file downloads to meet the integration needs of security components. I will coordinate with the minkidlc owner and continue to work on optimizations.

OE provides support for building Rust binaries. minkidlc is provided in the source form. It has 0 tests to check for regressions, but that's a different topic. So, no. I don't think we should accept downloading a binary to be executed on the build host.

Hi @lumag , do you mean we should raise the minkidlc compilation change in OE-core repo? I tried to compile the minkidlc in meta-qcom, but encountered some issues.

ERROR: minkidlc-native-git-r0 do_compile: Execution of '/local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/temp/run.do_compile.2240678' failed with exit code 101
ERROR: Logfile of failure stored in: /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/temp/log.do_compile.2240678
Log data follows:
| DEBUG: Executing shell function do_compile
| NOTE: Using rust targets from /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/rust-targets/
| NOTE: cargo = /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/recipe-sysroot-native/usr/bin/cargo
| NOTE: cargo build -v --frozen --target x86_64-unknown-linux-gnu --release --manifest-path=/local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/sources/minkidlc-git//Cargo.toml
| error: no matching package named `clap` found
| location searched: directory source `/local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/sources/cargo_home/bitbake` (which is replacing registry `crates-io`)
| required by package `idlc v0.2.1 (/local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/sources/minkidlc-git/idlc)`
| As a reminder, you're using offline mode (--frozen) which can sometimes cause surprising resolution failures, if this error is too confusing you may wish to retry without `--frozen`.
| WARNING: /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/temp/run.do_compile.2240678:186 exit 101 from '"cargo" build -v --frozen --target x86_64-unknown-linux-gnu --release --manifest-path=/local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/sources/minkidlc-git//Cargo.toml "$@"'
| WARNING: Backtrace (BB generated script):
|       #1: oe_cargo_build, /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/temp/run.do_compile.2240678, line 186
|       #2: cargo_do_compile, /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/temp/run.do_compile.2240678, line 158
|       #3: do_compile, /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/temp/run.do_compile.2240678, line 153
|       #4: main, /local/mnt2/workspace/K2L/upstream/build/tmp/work/x86_64-linux/minkidlc-native/git/temp/run.do_compile.2240678, line 199
ERROR: Task (/local/mnt2/workspace/K2L/upstream/build/../meta-qcom/recipes-devtools/minkidlc/minkidlc-native_git.bb:do_compile) failed with exit code '1'

@lumag

lumag commented Oct 28, 2025

Hi @lumag , do you mean we should raise the minkidlc compilation change in OE-core repo? I tried to compile the minkidlc in meta-qcom, but encountered some issues.

Please add the source code for the recipe that you are trying to build. I can't comment on the failure without looking at your recipe.

@jiaxli-QC

Hi @lumag , do you mean we should raise the minkidlc compilation change in OE-core repo? I tried to compile the minkidlc in meta-qcom, but encountered some issues.

Please add the source code for the recipe that you are trying to build. I can't comment on the failure without looking at your recipe.

Here is the bb file that has been created for minkidlc compilation.

SUMMARY = "Mink IDL compiler (prebuilt binary)"
DESCRIPTION = " \
Mink IDL is used to describe programming interfaces that can be used to communicate across security domain boundaries. \
Once an interface is described in an IDL source file, the Mink IDL compiler can generate target language header files. \
"

LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=acff25b0ff46523fa016b260dbf64945"

SRC_URI = "git://github.com/quic/mink-idl-compiler.git;branch=main;protocol=https"
SRCREV = "1a52cd017ae21750c23e01851fdffd143f9c85d0"

inherit cargo native

DEPENDS += "rust-native cargo-native"

do_install() {
    install -d ${D}${bindir}
    install -m 0755 ${S}/target/debug/idlc ${D}${bindir}/minkidlc
}

FILES:${PN} += "${bindir}/minkidlc"

@lumag

lumag commented Oct 28, 2025

Use cargo-update-recipe-crates class, BBCLASSEXTEND += "native", drop the defaults.
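
An added example, not part of the thread or of the meta-qcom recipe, illustrating why the `--frozen` build in this discussion cannot find `clap`: the build resolves crates only from the local directory source populated from `crate://` entries in SRC_URI, which is what the cargo-update-recipe-crates class generates from Cargo.lock. The lock contents, the clap version and the checksums below are constructed, and `locked_crates` and `audit_recipe` are hypothetical helper names.

```python
import re

PKG_FIELD = re.compile(r'^(name|version|source|checksum) = "([^"]*)"$', re.M)
CRATE_URI = re.compile(r'crate://crates\.io/([^/\s]+)/([^\s\\;"]+)')
CRATE_SUM = re.compile(r'SRC_URI\[(\S+?)\.sha256sum\]\s*=\s*"([0-9a-f]+)"')

def locked_crates(lock_text):
    """Registry crates pinned in Cargo.lock as {(name, version): checksum}."""
    crates = {}
    for block in lock_text.split("[[package]]")[1:]:
        pkg = dict(PKG_FIELD.findall(block))
        # Workspace members (the tool itself) carry no registry source.
        if pkg.get("source", "").startswith("registry+"):
            crates[(pkg["name"], pkg["version"])] = pkg.get("checksum", "")
    return crates

def audit_recipe(lock_text, recipe_text):
    """Return (missing, mismatched) crates relative to the recipe's SRC_URI."""
    listed = set(CRATE_URI.findall(recipe_text))
    sums = dict(CRATE_SUM.findall(recipe_text))
    locked = locked_crates(lock_text)
    # Missing: pinned by Cargo.lock but never fetched, so an offline build fails.
    missing = sorted(k for k in locked if k not in listed)
    # Mismatched: fetched, but the recipe checksum differs from the lock file.
    mismatched = sorted(k for k, digest in locked.items()
                        if k in listed and sums.get("%s-%s" % k) != digest)
    return missing, mismatched

# Constructed sample data: the crate version and checksums are made up.
LOCK = '''
[[package]]
name = "clap"
version = "4.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa11"

[[package]]
name = "idlc"
version = "0.2.1"
dependencies = ["clap"]
'''
GIT_ONLY = 'SRC_URI = "git://github.com/quic/mink-idl-compiler.git;branch=main;protocol=https"'
WITH_CRATES = GIT_ONLY + '''
SRC_URI += "crate://crates.io/clap/4.5.4"
SRC_URI[clap-4.5.4.sha256sum] = "aa11"
'''

if __name__ == "__main__":
    print(audit_recipe(LOCK, GIT_ONLY))
    print(audit_recipe(LOCK, WITH_CRATES))
```

A recipe that lists only the git URL reports every locked registry crate as missing; once the generated crate entries are included, both lists are empty.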

@jiaxli-QC

Use cargo-update-recipe-crates class, BBCLASSEXTEND += "native", drop the defaults.

I updated the bb file based on the comments, but the same issue occurred during compilation. error: no matching package named clap found

DEBUG: Executing shell function do_compile
NOTE: Using rust targets from /local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/rust-targets/
NOTE: cargo = /local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/recipe-sysroot-native/usr/bin/cargo
NOTE: cargo build -v --frozen --target aarch64-poky-linux-gnu --release --manifest-path=/local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/sources/minkidlc-git//Cargo.toml
error: no matching package named `clap` found
location searched: directory source `/local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/sources/cargo_home/ bitbake` (which is replacing registry `crates-io`)
required by package `idlc v0.2.1 (/local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/sources/minkidlc-git/idlc)`
As a reminder, you're using offline mode (--frozen) which can sometimes cause surprising resolution failures, if this error is too confusing you may wish to retry without `--frozen`.
WARNING: /local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/temp/run.do_compile.3351729:185 exit 101 from '"cargo" build -v --frozen --target aarch64-poky-linux-gnu --release --manifest-path=/local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/sources/minkidlc-git//Cargo.toml "$@"'
WARNING: Backtrace (BB generated script):
    #1: oe_cargo_build, /local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/temp/run.do_compile.3351729, line 185
    #2: cargo_do_compile, /local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/temp/run.do_compile.3351729, line 157
    #3: do_compile, /local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/temp/run.do_compile.3351729, line 152
    #4: main, /local/mnt2/workspace/K2L/upstream/build/tmp/work/armv8-2a-poky-linux/minkidlc/git/temp/run.do_compile.3351729, line 198

Here is the patch

@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=acff25b0ff46523fa016b260dbf64945"
 SRC_URI = "git://github.com/quic/mink-idl-compiler.git;branch=main;protocol=https"
 SRCREV = "1a52cd017ae21750c23e01851fdffd143f9c85d0"

-inherit cargo native
+cargo rust cargo-update-recipe-crates
+BBCLASSEXTEND += "native"
-DEPENDS += "rust-native cargo-native"
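
Review bot: the added line `cargo rust cargo-update-recipe-crates` has lost its `inherit` keyword, so as posted it is not a class inheritance statement at all; it needs to start with `inherit`. Separately, the SRC_URI context line still lists only the git repository. Inheriting cargo-update-recipe-crates does not fetch anything by itself: the class provides an update_crates task that writes a `${BPN}-crates.inc` file of `crate://` entries with their checksums, and the recipe has to `require` that file. Until it is generated and included, the `--frozen` build will keep reporting `no matching package named clap found`.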

@jiaxli-QC

The update masks arm32 builds by using COMPATIBLE_MACHINE.

+# The module is only promised to support ARMv8 machines
+COMPATIBLE_MACHINE = "^$"
+COMPATIBLE_MACHINE:aarch64 = "(.*)"
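
Review bot: the comment on the first added line promises "ARMv8 machines", but the `:aarch64` override on the last line only re-enables the recipe for 64-bit builds, so an ARMv8 machine built with a 32-bit userspace stays masked by `COMPATIBLE_MACHINE = "^$"`. The comment should say aarch64 and give the reason the component cannot work elsewhere, so the mask can be revisited later. As a style point, the capture group in `"(.*)"` is not needed; `".*"` matches the same machines.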

57a216e

@jiaxli-QC jiaxli-QC requested a review from lumag December 11, 2025 05:54
@github-actions

Test run workflow

Test jobs for commit 57a216e

@test-reporting-app

test-reporting-app bot commented Dec 11, 2025

Test Results

 12 files  + 1   24 suites  +2   34m 41s ⏱️ + 3m 55s
 45 tests ± 0   45 ✅ ± 0  0 💤 ±0  0 ❌ ±0 
264 runs  +26  264 ✅ +26  0 💤 ±0  0 ❌ ±0 

Results for commit 869fcee. ± Comparison against base commit e5217aa.

♻️ This comment has been updated with latest results.

Minkipc is designed to facilitate secure communication between
different domains.
Add the minkipc component to dynamic-layer because it depends on the
qcbor library from the meta-openembedded dynamic layer.

Signed-off-by: Jiaxing Li <jiaxing.li@oss.qualcomm.com>
@jiaxli-QC

Updated the comment at minkipc_git.bb, line 36 for 869fcee

@jiaxli-QC

jiaxli-QC commented Dec 13, 2025

The failing job 57914060847 failed during the compile step for libvirt (libvirt-v11.8.0+git). The error is:

error: '__xmlIndentTreeOutput' is deprecated: See https://gnome.pages.gitlab.gnome.org/libxml2/html/deprecated.html [-Werror=deprecated-declarations]

The log shows it's caused by code like this in src/util/virxml.c:

int oldIndentTreeOutput = xmlIndentTreeOutput;
/* ... */
xmlIndentTreeOutput = 1;
/* ... */
xmlIndentTreeOutput = oldIndentTreeOutput;

All these use the deprecated libxml2 internal variable (and function).

Solution

You need to patch libvirt to stop using xmlIndentTreeOutput. Since libxml2 >= 2.12, this symbol is deprecated and triggers -Werror=deprecated-declarations errors.

Suggested patch

If you do not need pretty-printed XML output:
Remove or comment out all assignments and uses of xmlIndentTreeOutput in src/util/virxml.c.

If you want pretty-printed XML output:
The new libxml2 uses formatting flags via the API, not a global variable.
Replace use of xmlIndentTreeOutput with calls to set formatting through xmlSaveOptions.

For example, update code like:

int oldIndentTreeOutput = xmlIndentTreeOutput;
xmlIndentTreeOutput = 1;
/* ... */
xmlIndentTreeOutput = oldIndentTreeOutput;

To something like (pseudocode):

int saveOptions = XML_SAVE_FORMAT;
/* use xmlNodeDump, xmlSaveTo* etc with saveOptions */

Minimal fix for compilation (removing usage):

-    int oldIndentTreeOutput = xmlIndentTreeOutput;
-    xmlIndentTreeOutput = 1;
+    // xmlIndentTreeOutput is deprecated in libxml2 >= 2.12
     /* your print/save logic here */
-    xmlIndentTreeOutput = oldIndentTreeOutput;
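
Review bot: nothing replaces the removed `xmlIndentTreeOutput = 1;` assignment, so the hunk leaves open whether the XML written by the following code stays indented, and the only context line is the placeholder `/* your print/save logic here */`, which means this cannot be applied to src/util/virxml.c as posted. The replacement formatting option should be shown at the actual save call. The added `//` comment should also use `/* */` to match the surrounding code.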

Steps

  1. Open src/util/virxml.c in the libvirt source.
  2. Remove or refactor all use of xmlIndentTreeOutput.
  3. If compatible with your project, update to use xmlSaveToBuffer() or xmlSaveToFd() with appropriate flags.
  4. Rebuild.

Reference:

If you need a working patch, let me know which code style to apply and I can generate one for you.

Hi @lumag , @ricardosalveti , @vkraleti , this was generated by GitHub Copilot. Could you review it to help address the gating issue? It appears that the merge process is currently blocked. Many thanks.

@ricardosalveti

Hi @lumag , @ricardosalveti , @vkraleti , this was generated by GitHub Copilot. Could you review it to help address the gating issue? It appears that the merge process is currently blocked. Many thanks.

Should be fixed with qualcomm-linux/meta-qcom-distro#115

@lumag

lumag commented Dec 13, 2025

@jiaxli-QC please stop randomly requesting reviews. The PR could have been merged if you didn't retrigger (unnecessarily) review requests.

@lumag

lumag commented Dec 13, 2025

Also please don't post useless blobs from Copilot, the posted "solution" is pretty useless here.

@github-actions

Test run workflow

Test jobs for commit 869fcee

@ricardosalveti ricardosalveti merged commit 45379e3 into qualcomm-linux:master Dec 13, 2025
70 of 101 checks passed
lumag added a commit to qualcomm-linux/meta-qcom-distro that referenced this pull request Jan 14, 2026
- Define packagegroup-qcom-security to include minkipc-qteesupplicant,
enabling communication between QTEE (QCOM Trusted Execution Environment)
and REE (Rich Execution Environment).
This package is compatible only with aarch64 (ARMv8).
- Add packagegroup-qcom-security to qcom-console-image.bb file.

Reference: qualcomm-linux/meta-qcom#1094