[yocto] dynamic layer dependencies in meta-security

Patrick Ohly patrick.ohly at intel.com
Thu Jul 20 21:37:49 PDT 2017 

On Thu, 2017-07-20 at 14:39 -0700, akuster808 wrote:
> > I would certainly caution against dynamic layerdepends/layerrecommends and
> > instead focus on listing everything between what is required and what you want
> > to add in addition -- then using the meta-freescale approach of only extending
> > (the recommends) when present.

FWIW, the meta-freescale approach has been superseeded by
BBFILES_DYNAMIC.

> This appears to be more beneficial in a  bbappends than a recipe needing 
> a package from another layer.

BBFILES_DYNAMIC can be used for both .bb and .bbappend files.

In refkit, I ended up just using it for .bbappend files:
https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/conf/layer.conf#L7

        # All our .bbappends for other layers are in a separate
        # "bbappends/<layer>" hierarchy. We activate only those
        # bbappends for which the layer they apply to is actually
        # present.
        #
        # Sorted by layer path to keep related layers together.
        BBFILES_DYNAMIC += " \
        clang-layer:${LAYERDIR}/bbappends/meta-clang/*/*/*.bbappend \
        flatpak:${LAYERDIR}/bbappends/meta-flatpak/*/*/*.bbappend \
        
For recipes, I wanted to have a bit more flexibility:
- let developers decide from where they get the dependency - the
  well-known layer or a copy elsewhere
- let recipes decide which features they enable based on which
  dependencies are available
        
Also, "bitbake foo" should result in an error about "dependency bar
required for foo not found", not a blunt "nothing provides foo". With
BBFILES_DYNAMIC for .bb files one only gets the latter.

Here's how it is defined what's available:
https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/conf/layer.conf#L51
        
                # There are multiple different ways for providing some of the
                # dependencies. Here we assume that the dependencies are available if
                # the layers that the refkit distro takes them from are present.
                HAVE_META_OE = "${@ bb.utils.contains('BBFILE_COLLECTIONS', 'openembedded-layer', 'True', 'False', d) }"
                HAVE_ATOP ??= "${HAVE_META_OE}"
            HAVE_CRYPTSETUP ??= "${HAVE_META_OE}"
            ...

And here's how it is used:
https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/recipes-images/images/initramfs-framework-refkit-dm-verity.bb#L22

        python () {
            if not oe.types.boolean(d.getVar('HAVE_CRYPTSETUP') or '0'):
                raise bb.parse.SkipRecipe('cryptsetup dependency not available')
        }


-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

More information about the yocto mailing list