[meta-security,6/7] meta-integrity: add sanity check

Submitted by Armin Kuster on June 5, 2021, 10:02 p.m. | Patch ID: 179863

Details

Message ID 20210605220258.414233-7-akuster808@gmail.com
State New

Commit Message

Armin Kuster June 5, 2021, 10:02 p.m.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-integrity/README.md                       | 18 +++++++++++++++++-
 .../classes/sanity-meta-integrity.bbclass      | 10 ++++++++++
 meta-integrity/conf/layer.conf                 |  4 ++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 meta-integrity/classes/sanity-meta-integrity.bbclass

Patch

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 5048fba..8254b0d 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -1,8 +1,24 @@ 
 This README file contains information on the contents of the
 integrity layer.
 
-Please see the corresponding sections below for details.
 
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'integrity' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+  DISTRO_FEATURES_append = " integrity"
+
+If meta-integrity is included, but integrity is not enabled as a
+distro feature a warning is printed at parse time:
+
+    You have included the meta-integritry layer, but
+    'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+    and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+  SKIP_META_INTEGRITY_SANITY_CHECK = 1
 
 Dependencies
 ============
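Review bot: the README example `SKIP_META_INTEGRITY_SANITY_CHECK = 1` is not valid BitBake configuration syntax as written, since assignment values must be quoted. It should read `SKIP_META_INTEGRITY_SANITY_CHECK = "1"`, which also matches the `== "1"` comparison in the new class. In the same hunk, the quoted warning spells the layer "meta-integritry" and omits the final "See the meta-integrity README ..." sentence, so it does not match what the class prints. "add in configuration file" would also be clearer if it named the file, for example local.conf or the distro configuration.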
diff --git a/meta-integrity/classes/sanity-meta-integrity.bbclass b/meta-integrity/classes/sanity-meta-integrity.bbclass
new file mode 100644
index 0000000..6ba7e3f
--- /dev/null
+++ b/meta-integrity/classes/sanity-meta-integrity.bbclass
@@ -0,0 +1,10 @@ 
+addhandler integrity_bbappend_distrocheck
+integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python integrity_bbappend_distrocheck() {
+    skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1"
+    if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+        bb.warn("You have included the meta-integrity layer, but \
+'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-integrity README \
+for details on enabling integrity support.")
+}
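Review bot: `e.data.getVar('DISTRO_FEATURES').split()` in integrity_bbappend_distrocheck raises AttributeError when DISTRO_FEATURES is unset, because getVar returns None in that case, so the handler fails during the sanity check instead of printing the warning. Guard the lookup with `(e.data.getVar('DISTRO_FEATURES') or "").split()`, or use `bb.utils.contains('DISTRO_FEATURES', 'integrity', True, False, e.data)`. The new class also has no header comment saying what it checks or that SKIP_META_INTEGRITY_SANITY_CHECK silences it; a two-line comment at the top would help.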
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index ba028da..37776f8 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -26,6 +26,10 @@  LAYERDEPENDS_integrity = "core openembedded-layer"
 
 BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
 
+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-integrity"
+
 BBFILES_DYNAMIC += " \
 networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
 "