Message ID | 20230428122316.521800-8-stefanb@linux.ibm.com
---|---
State | New
Series | Fix IMA and EVM support
Hi,

On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> Add a temporary patch that resolves a file change notification issue
> with overlayfs where IMA did not become aware of the file changes
> since the 'lower' inode's i_version had not changed. The issue will be
> resolved in later kernels with the following patch that builds on
> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Would be nice to have Upstream-Status for each patch. I guess status
would be Backport here.

Cheers,

-Mikko

> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>  .../recipes-kernel/linux/linux_ima.inc        |  1 +
>  2 files changed, 43 insertions(+)
>  create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>
> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> new file mode 100644
> index 0000000..d2b5c28
> --- /dev/null
> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> @@ -0,0 +1,42 @@
> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
> +From: Stefan Berger <stefanb@linux.ibm.com>
> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> +Subject: [PATCH] ovl: Increment iversion upon file changes
> +
> +This is a temporary patch for kernels that do not implement
> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
> +
> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> +
> +Increment the lower inode's iversion for IMA to be able to recognize
> +changes to the file.
> +
> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> +---
> + fs/overlayfs/file.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> +index 6011f955436b..1dfe5e7bfe1c 100644
> +--- a/fs/overlayfs/file.c
> ++++ b/fs/overlayfs/file.c
> +@@ -13,6 +13,7 @@
> + #include <linux/security.h>
> + #include <linux/mm.h>
> + #include <linux/fs.h>
> ++#include <linux/iversion.h>
> + #include "overlayfs.h"
> + 
> + struct ovl_aio_req {
> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
> + 		if (ret != -EIOCBQUEUED)
> + 			ovl_aio_cleanup_handler(aio_req);
> + 	}
> ++	if (ret > 0)
> ++		inode_maybe_inc_iversion(inode, false);
> + out:
> + 	revert_creds(old_cred);
> + out_fdput:
> +-- 
> +2.34.1
> +
> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> index 0b6f530..9d48e5c 100644
> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>  
>  SRC_URI += " \
>      ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>  "
>  
>  do_configure() {
> -- 
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59800): https://lists.yoctoproject.org/g/yocto/message/59800
> Mute This Topic: https://lists.yoctoproject.org/mt/98557297/7159507
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [mikko.rapeli@linaro.org]
> -=-=-=-=-=-=-=-=-=-=-=-
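Review bot: in the embedded kernel patch, the added `if (ret > 0) inode_maybe_inc_iversion(inode, false);` in ovl_write_iter sits after the `if (ret != -EIOCBQUEUED) ovl_aio_cleanup_handler(aio_req);` block, so a write that was queued asynchronously (ret == -EIOCBQUEUED) never bumps the version even though it will modify the file once it completes; either bump it on the completion path as well or state in the description that async writes are not covered, since IMA would otherwise keep a stale measurement for exactly those writes. Two smaller points on the same hunk: the description says the 'lower' inode's iversion is incremented, but the code bumps `inode` inside ovl_write_iter and the visible context does not show where that variable comes from, so the commit message should say explicitly which inode (overlay or lower) is the one IMA re-measures; and the patch file carries no Upstream-Status line, which the Yocto patch policy expects. Given that the description itself calls the change temporary and names a different upstream successor, "Backport" does not fit; "Inappropriate [temporary workaround until STATX_CHANGE_COOKIE is available]" or "Pending" would describe it accurately.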
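Review bot: in the linux_ima.inc hunk, the new entry `file://0001-ovl-Increment-iversion-upon-file-changes.patch \` is added unconditionally, while the `ima.scc` line directly above it is gated with `${@bb.utils.contains('DISTRO_FEATURES', 'ima', ..., '', d)}`. The patch only makes sense for kernels without STATX_CHANGE_COOKIE (<= 6.2 by its own description) and it edits fs/overlayfs/file.c, so it will fail to apply on newer or differently patched kernel trees and on any non-kernel recipe that pulls in this .inc; gate it on the same 'ima' feature and on the kernel version (or restrict it to the recipes known to need it), and add a comment in the .inc saying why the patch exists and when it can be dropped.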
On 4/28/23 08:48, Mikko Rapeli wrote:
> Hi,
>
> On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>> Add a temporary patch that resolves a file change notification issue
>> with overlayfs where IMA did not become aware of the file changes
>> since the 'lower' inode's i_version had not changed. The issue will be
>> resolved in later kernels with the following patch that builds on
>> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>>
>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>
> Would be nice to have Upstream-Status for each patch. I guess status
> would be Backport here.

It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
(alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
and have that referenced patch applied which isn't upstreamed so far, either.

For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...

Stefan

>
> Cheers,
>
> -Mikko
>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>> [...]
Hi Stefan,

Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
I suggest reverting this one if no other solutions come up.

Jose

Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>
>
> On 4/28/23 08:48, Mikko Rapeli wrote:
> > Hi,
> >
> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> >> Add a temporary patch that resolves a file change notification issue
> >> with overlayfs where IMA did not become aware of the file changes
> >> since the 'lower' inode's i_version had not changed. The issue will be
> >> resolved in later kernels with the following patch that builds on
> >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
> >>
> >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >
> > Would be nice to have Upstream-Status for each patch. I guess status
> > would be Backport here.
>
> It's quite possible that this series here
> https://lkml.org/lkml/2022/10/21/624
> (alone?) would provide the
> infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
> and have that referenced patch applied which isn't upstreamed so far,
> either.
>
> For now this two-liner seemed simpler and resolves the issue. I understand
> the concern, though...
>
> Stefan
>
> >
> > Cheers,
> >
> > -Mikko
> >
> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >> ---
> >> [...]
And it fails in other recipes like linux-firmware.
Because bitbake also tries to apply the patch to linux-firmware because it uses the recipes-kernel/linux/linux-%.bbappend to check when the integrity is enabled.

Jose

Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 15:53:
> Hi Stefan,
>
> Having this patch applied unconditionally to all kernels doesn't work and
> the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.
>
> Jose
>
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>
>> On 4/28/23 08:48, Mikko Rapeli wrote:
>> > Hi,
>> >
>> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>> >> [...]
>> >
>> > Would be nice to have Upstream-Status for each patch. I guess status
>> > would be Backport here.
>>
>> It's quite possible that this series here
>> https://lkml.org/lkml/2022/10/21/624
>> (alone?) would provide the
>> infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>> and have that referenced patch applied which isn't upstreamed so far,
>> either.
>>
>> For now this two-liner seemed simpler and resolves the issue. I
>> understand the concern, though...
>>
>> Stefan
>>
>> > [...]
>
> --
> Best regards,
>
> José Quaresma
On 5/9/23 10:53, Jose Quaresma wrote:
> Hi Stefan,
>
> Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.

Then let me drop this one. I just posted v2 of this series and can repost in v3 with this patch dropped and possibly only have it applied in the OpenBMC project.

I suppose my conclusion from OpenBMC, which currently works with a 6.1.15 kernel, that all other Yocto projects also now use a >= 6.1.15 kernel, was wrong?

Stefan

>
> Jose
>
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>
>     On 4/28/23 08:48, Mikko Rapeli wrote:
>     > Hi,
>     >
>     > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>     >> [...]
>     >
>     > Would be nice to have Upstream-Status for each patch. I guess status
>     > would be Backport here.
>
>     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>     and have that referenced patch applied which isn't upstreamed so far, either.
>
>     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
>
>     Stefan
>
>     > [...]
>
> --
> Best regards,
>
> José Quaresma
Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 16:06:
> And it fails in other recipes like linux-firmware.
> Because bitbake also tries to apply the patch to linux-firmware because it
> uses the recipes-kernel/linux/linux-%.bbappend to check when the
> integrity is enabled.
>

I believe that the full patchset needs to be reverted because it also breaks linux-firmware even reverting this patch.

Jose

>
> Jose
>
> Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 15:53:
>
>> Hi Stefan,
>>
>> Having this patch applied unconditionally to all kernels doesn't work and
>> the patch fails in many downstream kernels.
>> I suggest reverting this one if no other solutions come up.
>>
>> Jose
>>
>> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>>
>>> [...]
>>
>> --
>> Best regards,
>>
>> José Quaresma
>
> --
> Best regards,
>
> José Quaresma
On 5/9/23 10:53, Jose Quaresma wrote:
> Hi Stefan,
>
> Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.

Oh, I just saw the patches were applied to meta-security already. Alright, I will send a separate patch to drop this patch.

Stefan

>
> Jose
>
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>
>     On 4/28/23 08:48, Mikko Rapeli wrote:
>     > Hi,
>     >
>     > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>     >> [...]
>     >
>     > Would be nice to have Upstream-Status for each patch. I guess status
>     > would be Backport here.
>
>     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>     and have that referenced patch applied which isn't upstreamed so far, either.
>
>     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
>
>     Stefan
>
>     > [...]
>
> --
> Best regards,
>
> José Quaresma
Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:

> On 5/9/23 10:53, Jose Quaresma wrote:
> > Hi Stefan,
> >
> > Having this patch applied unconditionally to all kernels doesn't work
> > and the patch fails in many downstream kernels.
> > I suggest reverting this one if no other solutions come up.
>
> Then let me drop this one. I just posted v2 of this series and can repost
> in v3 with this patch dropped and possibly only have it applied in the
> OpenBMC project. I suppose my conclusion from OpenBMC, which currently
> works with a 6.1.15 kernel, that all other Yocto projects also now use
> a >= 6.1.15 kernel, was wrong?

Yup! That is also my opinion.
But after reverting this patch some other new issues come up because of the
IMA side-effect changes, so linux-firmware doesn't build any more.

Jose

> Stefan
>
> > Jose
> >
> > Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:

--
Best regards,

José Quaresma
On 5/9/23 13:05, Jose Quaresma wrote:
> Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:
>
> > On 5/9/23 10:53, Jose Quaresma wrote:
> > > Hi Stefan,
> > >
> > > Having this patch applied unconditionally to all kernels doesn't work
> > > and the patch fails in many downstream kernels.
> > > I suggest reverting this one if no other solutions come up.
> >
> > Then let me drop this one. I just posted v2 of this series and can repost
> > in v3 with this patch dropped and possibly only have it applied in the
> > OpenBMC project. I suppose my conclusion from OpenBMC, which currently
> > works with a 6.1.15 kernel, that all other Yocto projects also now use
> > a >= 6.1.15 kernel, was wrong?
>
> Yup! That is also my opinion.
> But after reverting this patch some other new issues come up because of the
> IMA side-effect changes, so linux-firmware doesn't build any more.

Can you either point me to the changes or tell me how you build linux-firmware so that I can recreate the issue locally?

Stefan

> Jose
>
> > Stefan
>
> --
> Best regards,
>
> José Quaresma
Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 19:05:

> On 5/9/23 13:05, Jose Quaresma wrote:
> > Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:
> >
> > > On 5/9/23 10:53, Jose Quaresma wrote:
> > > > Hi Stefan,
> > > >
> > > > Having this patch applied unconditionally to all kernels doesn't work
> > > > and the patch fails in many downstream kernels.
> > > > I suggest reverting this one if no other solutions come up.
> > >
> > > Then let me drop this one. I just posted v2 of this series and can
> > > repost in v3 with this patch dropped and possibly only have it applied
> > > in the OpenBMC project. I suppose my conclusion from OpenBMC, which
> > > currently works with a 6.1.15 kernel, that all other Yocto projects
> > > also now use a >= 6.1.15 kernel, was wrong?
> >
> > Yup! That is also my opinion.
> > But after reverting this patch some other new issues come up because of
> > the IMA side-effect changes, so linux-firmware doesn't build any more.
>
> Can you either point me to the changes or tell me how you build
> linux-firmware so that I can recreate the issue locally?

It's easy, just call the following:

bitbake linux-firmware

> Stefan
>
> > Jose

--
Best regards,

José Quaresma
On 5/9/23 14:13, Jose Quaresma wrote:
>
> It's easy, just call the following:
>
> bitbake linux-firmware
>

How do you initialize this environment? If I were to do this from meta-security I get this here:

$ bitbake linux-firmware
ERROR: The BBPATH variable is not set and bitbake did not find a conf/bblayers.conf file in the expected location.
Maybe you accidentally invoked bitbake from the wrong directory?

Stefan
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch new file mode 100644 index 0000000..d2b5c28 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch @@ -0,0 +1,42 @@ +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.ibm.com> +Date: Thu, 6 Apr 2023 11:27:29 -0400 +Subject: [PATCH] ovl: Increment iversion upon file changes + +This is a temporary patch for kernels that do not implement +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one: + +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 + +Increment the lower inode's iversion for IMA to be able to recognize +changes to the file. + +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> +--- + fs/overlayfs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c +index 6011f955436b..1dfe5e7bfe1c 100644 +--- a/fs/overlayfs/file.c ++++ b/fs/overlayfs/file.c +@@ -13,6 +13,7 @@ + #include <linux/security.h> + #include <linux/mm.h> + #include <linux/fs.h> ++#include <linux/iversion.h> + #include "overlayfs.h" + + struct ovl_aio_req { +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter) + if (ret != -EIOCBQUEUED) + ovl_aio_cleanup_handler(aio_req); + } ++ if (ret > 0) ++ inode_maybe_inc_iversion(inode, false); + out: + revert_creds(old_cred); + out_fdput: +-- +2.34.1 + diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 0b6f530..9d48e5c 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc 
@@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:" SRC_URI += " \ ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ + file://0001-ovl-Increment-iversion-upon-file-changes.patch \ " do_configure() {
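Review bot: in the inner `ovl_write_iter` hunk, `if (ret > 0) inode_maybe_inc_iversion(inode, false);` only fires for synchronous writes: the aio branch just above it (see the `if (ret != -EIOCBQUEUED)` context line) returns `-EIOCBQUEUED` for a queued request, so a write that completes asynchronously never bumps i_version and IMA will still miss that change; the increment is also needed on the aio completion path. The commit message says "the lower inode's iversion" while the code increments `inode`, whose identity (overlay or lower) the hunk does not show, so spell out which inode is meant. The patch header also lacks the `Upstream-Status:` line Mikko asked for, and since the header itself says the upstream fix is a different patch, a status such as `Pending` or `Inappropriate` with a reason describes it better than `Backport`.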
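Review bot: the `linux_ima.inc` hunk adds `file://0001-ovl-Increment-iversion-upon-file-changes.patch` to SRC_URI unconditionally, while the line above it only pulls in `ima.scc` when `DISTRO_FEATURES` contains 'ima'. The patch is kernel-version specific (its own header says it targets kernels <= 6.2 without STATX_CHANGE_COOKIE) and the thread reports it failing to apply on downstream kernels, so gate it on the same `bb.utils.contains('DISTRO_FEATURES', 'ima', ...)` check and on the kernel version, or carry it only in the layer that needs it.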
Add a temporary patch that resolves a file change notification issue
with overlayfs where IMA did not become aware of the file changes
since the 'lower' inode's i_version had not changed. The issue will be
resolved in later kernels with the following patch that builds on
newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:

https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
 .../recipes-kernel/linux/linux_ima.inc        |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
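As an added example (not code from this thread or from meta-integrity), a POSIX shell check for the symptom the cover letter describes: it compares the last hash IMA logged for a path against the file's current content, so a write that never bumped i_version shows up as a stale measurement. It assumes the ima-ng template in the measurement list and paths without spaces; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from meta-integrity: spot files
# whose IMA measurement is stale. The failure mode discussed above is a write
# through overlayfs that did not bump i_version, so IMA kept its cached
# measurement and never recorded the new content hash. Comparing the last
# hash IMA logged for a path against the file's current sha256 exposes that.
# Assumed (constructed for this example): the measurement list uses the
# ima-ng template, i.e. "PCR template-digest ima-ng sha256:<hash> <path>",
# and paths contain no spaces.

IMA_LOG=${IMA_LOG:-/sys/kernel/security/ima/ascii_runtime_measurements}

# Print the most recent sha256 IMA recorded for a path, or nothing if the
# path never appeared in the measurement list.
ima_last_hash() {
    awk -v p="$1" '
        $3 == "ima-ng" && $5 == p && index($4, "sha256:") == 1 {
            h = substr($4, 8)      # drop the "sha256:" prefix
        }
        END { if (h != "") print h }
    ' "$IMA_LOG"
}

# sha256 of the file content as it is on disk right now.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Verdict for one path:
#   fresh      - the last IMA entry matches the current content
#   stale      - IMA measured the file but with a different hash; this is
#                what a missed i_version bump looks like once the file has
#                been re-opened under a measuring policy
#   unmeasured - the file never reached the measurement list
ima_check() {
    last=$(ima_last_hash "$1")
    if [ -z "$last" ]; then
        echo unmeasured
    elif [ "$last" = "$(file_hash "$1")" ]; then
        echo fresh
    else
        echo stale
    fi
}

# Walk a list of paths and report only the ones that need attention.
# Usage: ima_report /usr/bin/foo /etc/bar ...   (exit 1 if any is not fresh)
ima_report() {
    rc=0
    for f in "$@"; do
        v=$(ima_check "$f")
        [ "$v" = fresh ] || { echo "$v $f"; rc=1; }
    done
    return $rc
}
```

IMA only re-measures on the next open that matches its policy, so re-open the file (for example by reading it) before trusting a stale verdict as evidence of the i_version problem.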