What is meta-timesys
This Yocto layer provides scripts for image manifest generation used for security monitoring and notification, customer support, recipe source mirroring, recipe modifications, demos, etc.
Some of the features are aimed at Timesys customers with active subscriptions. Using these features requires an API Keyfile, which you can learn about setting up from the LinuxLink document here:
The fastest way to try meta-timesys and its security features is to try dropping it into your existing BSP (clone alongside other layers, add to bblayers.conf). These are instructions to try it from scratch with a pretty minimal Yocto environment.
Although a build is not required to create an image manifest or use the CVE script, BitBake does need to run (to make the manifest), so it is easiest if you adhere to the Yocto system requirements as found here:
Clone poky and meta-timesys
git clone git://git.yoctoproject.org/poky.git -b rocko git clone https://github.com/TimesysGit/meta-timesys.git -b rocko
Activate yocto build environment (needed for manifest creation)
Add meta-timesys to conf/bblayers.conf
Follow format of the file, just add meta-timesys after the default poky/meta, etc.
Check an Image for CVEs
When you run the following script without any arguments, you will be prompted to select an image to check (one can also be provided as an argument to skip the GUI).
Create an image manifest (optional)
The checkcves.py script will create a manifest automatically, but you may want to save certain configurations to pass to the script, upload to LinuxLink, or share with teammates or Timesys support. Using a pregenerated image manifest speeds up the script significantly, so doing that is recommended if your configuration is not changing often.
../meta-timesys/scripts/manifest.sh core-image-minimal manifest.json
Kernel Config filter (optional)
You may pass a kernel .config file to the checkcves.py script, which will be uploaded to LinuxLink along with the image manifest. This filter will reduce the number of kernel CVEs reported by removing those related to features which are not being built for your kernel.
NOTE: This must be a full kernel config, not a defconfig!
../meta-timesys/scripts/checkcves.py -k /path/to/kernel/.config
Steve Bedford <email@example.com>