
[1/2] base-passwd: Add the sgx group

Message ID 20230728093950.12046-1-alex.kiernan@gmail.com
State Accepted, archived
Commit a1c81ac4a869cc57394071ace2ca086eb8ac47a4
Series [1/2] base-passwd: Add the sgx group

Commit Message

Alex Kiernan July 28, 2023, 9:39 a.m. UTC
To avoid errors from eudev/udev we need an sgx group, but if we add it
via groupadd that causes shadow login to be brought into an image, which
causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
Function not implemented` as shadow's login doesn't implement the
heuristics which busybox has to handle this kernel configuration.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
---

 .../0001-base-passwd-Add-the-sgx-group.patch  | 30 +++++++++++++++++++
 .../base-passwd/base-passwd_3.6.1.bb          |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
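The failure mode described in the commit message (a kernel built with CONFIG_MULTIUSER unset has no setgid()/setuid(), so they fail with ENOSYS and a login program that does not expect that aborts) is illustrated by the following added C example. It is not part of the original post and is not busybox's or shadow's code: it is a privilege-drop helper that accepts ENOSYS only when the process already holds the requested identity and otherwise fails closed, which is the safe form of the heuristic the commit message attributes to busybox. The function names and verdict values are this example's own.

```c
/* Added example (not busybox's or shadow's code): a privilege-drop helper
 * that tolerates a kernel built with CONFIG_MULTIUSER=n, where setgid()
 * and setuid() are not implemented and fail with ENOSYS, while still
 * failing closed whenever the process is not already the requested identity. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum setid_verdict {
    SETID_OK = 0,          /* identity change succeeded, or was a no-op on a
                              single-user kernel */
    SETID_FAIL_OTHER = 1,  /* real failure (EPERM, EINVAL, ...) */
    SETID_FAIL_UNSAFE = 2  /* kernel has no set*id support and we are NOT the
                              requested identity: refuse to continue */
};

/* Pure decision function: given the errno from a failed set*id() call, the
 * requested id and the id we currently hold, decide whether it is safe to
 * carry on. ENOSYS is only acceptable when the process already is the
 * target identity; any other errno, or ENOSYS with a mismatch, is a failure. */
enum setid_verdict classify_setid_failure(int err, uid_t wanted, uid_t have)
{
    if (err == ENOSYS)
        return wanted == have ? SETID_OK : SETID_FAIL_UNSAFE;
    return SETID_FAIL_OTHER;
}

/* Drop to gid/uid in the conventional order (group first, then user).
 * Returns SETID_OK on success; otherwise the verdict, with a message on stderr
 * in the same "setgid: Function not implemented" shape the commit message quotes. */
enum setid_verdict change_identity(uid_t uid, gid_t gid)
{
    enum setid_verdict v;

    if (setgid(gid) != 0) {
        v = classify_setid_failure(errno, (uid_t)gid, (uid_t)getgid());
        if (v != SETID_OK) {
            fprintf(stderr, "setgid: %s\n", strerror(errno));
            return v;
        }
    }
    if (setuid(uid) != 0) {
        v = classify_setid_failure(errno, uid, getuid());
        if (v != SETID_OK) {
            fprintf(stderr, "setuid: %s\n", strerror(errno));
            return v;
        }
    }
    /* Belt and braces: never report success while holding the wrong ids. */
    if (getuid() != uid || getgid() != gid)
        return SETID_FAIL_UNSAFE;
    return SETID_OK;
}

int main(void)
{
    /* Changing to the identity we already hold succeeds on any kernel, which
     * is exactly the case a CONFIG_MULTIUSER=n system relies on. */
    enum setid_verdict v = change_identity(getuid(), getgid());
    printf("change_identity to current ids: %s\n",
           v == SETID_OK ? "ok" : "failed");
    return v == SETID_OK ? 0 : 1;
}
```

The important design choice is the `SETID_FAIL_UNSAFE` branch: a login program that merely ignored ENOSYS would carry on as whatever identity it happened to have, so the check against `getuid()`/`getgid()` is what keeps the shortcut from becoming a privilege problem on single-user kernels.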

Comments

Jon Mason July 28, 2023, 12:51 p.m. UTC | #1
On Fri, Jul 28, 2023 at 5:40 AM Alex Kiernan <alex.kiernan@gmail.com> wrote:
>
> To avoid errors from eudev/udev we need an sgx group, but if we add it
> via groupadd that causes shadow login to be brought into an image, which
> causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
> Function not implemented` as shadow's login doesn't implement the
> heuristics which busybox has to handle this kernel configuration.

Firstly, thank you very much for fixing this.  I was having lots of
trouble with it.

I just wanted to point out that the underlying sgx issue is unique to
Intel/x86.  So, it might make sense to only apply this patch in this
case.

Thanks,
Jon

> Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
> ---
>
>  .../0001-base-passwd-Add-the-sgx-group.patch  | 30 +++++++++++++++++++
>  .../base-passwd/base-passwd_3.6.1.bb          |  1 +
>  2 files changed, 31 insertions(+)
>  create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
>
> diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
> new file mode 100644
> index 000000000000..e1340e1b70cf
> --- /dev/null
> +++ b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
> @@ -0,0 +1,30 @@
> +From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001
> +From: Alex Kiernan <alexk@zuma.ai>
> +Date: Fri, 28 Jul 2023 10:28:57 +0100
> +Subject: [PATCH] base-passwd: Add the sgx group
> +
> +To avoid errors from eudev/udev we need an sgx group, but if we add it
> +via groupadd that causes shadow login to be brought into an image, which
> +causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
> +Function not implemented` as shadow's login doesn't implement the
> +heuristics which busybox has to handle this kernel configuration.
> +
> +Upstream-Status: Inappropriate [oe-specific]
> +
> +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
> +---
> + group.master | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/group.master b/group.master
> +index d34d2b832d43..e54fd1d2c6dc 100644
> +--- a/group.master
> ++++ b/group.master
> +@@ -34,6 +34,7 @@ video:*:44:
> + sasl:*:45:
> + plugdev:*:46:
> + kvm:*:47:
> ++sgx:*:48:
> + staff:*:50:
> + games:*:60:
> + shutdown:*:70:
> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
> index 204016b3e72e..44bcfb019930 100644
> --- a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
> +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
> @@ -13,6 +13,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>             file://0005-Add-kvm-group.patch \
>             file://0006-Make-it-possible-to-configure-whether-to-use-SELinux.patch \
>             file://0007-Add-wheel-group.patch \
> +           file://0001-base-passwd-Add-the-sgx-group.patch \
>             "
>
>  SRC_URI[sha256sum] = "6ff369be59d586ba63c0c5fcb00f75f9953fe49db88bc6c6428f2c92866f79af"
> --
> 2.39.0
Alex Kiernan July 28, 2023, 2:01 p.m. UTC | #2
On Fri, Jul 28, 2023 at 1:52 PM Jon Mason <jdmason@kudzu.us> wrote:
>
> On Fri, Jul 28, 2023 at 5:40 AM Alex Kiernan <alex.kiernan@gmail.com> wrote:
> >
> > To avoid errors from eudev/udev we need an sgx group, but if we add it
> > via groupadd that causes shadow login to be brought into an image, which
> > causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
> > Function not implemented` as shadow's login doesn't implement the
> > heuristics which busybox has to handle this kernel configuration.
>
> Firstly, thank you very much for fixing this.  I was having lots of
> trouble with it.
>
> I just wanted to point out that the underlying sgx issue is unique to
> Intel/x86.  So, it might make sense to only apply this patch in this
> case.
>

You get the noise from eudev on everything (I'm deploying onto
aarch64), I guess because it fails at parse time and everyone gets the
same rules. Obviously we could try for an sgx only rule on x86, but
tbh that feels like way too much effort!

I think we want something like this on poky-tiny so this doesn't regress:

diff --git a/meta-poky/conf/distro/poky-tiny.conf
b/meta-poky/conf/distro/poky-tiny.conf
index f65d2dabf3af..728d161d59af 100644
--- a/meta-poky/conf/distro/poky-tiny.conf
+++ b/meta-poky/conf/distro/poky-tiny.conf
@@ -122,3 +122,7 @@ SKIP_RECIPE[core-image-weston] = "not buildable
with poky-tiny"

 # Disable python usage in opkg-utils since it won't build with tiny config
 PACKAGECONFIG:remove:pn-opkg-utils = "python"
+
+# If shadow-base is brought into the image, logins will fail because it
+# doesn't have the heuristics to work when CONFIG_MULTIUSER is unset.
+PACKAGE_EXCLUDE:poky-tiny = "shadow-base"
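Review bot: `PACKAGE_EXCLUDE:poky-tiny = "shadow-base"` is a plain assignment with an override, so it replaces any `PACKAGE_EXCLUDE` a user has set in local.conf instead of adding to it, and inside the distro's own conf file the `:poky-tiny` suffix adds nothing since the file is only read for that distro; `PACKAGE_EXCLUDE += "shadow-base"` (or `:append = " shadow-base"`) would keep user settings. The comment should also spell out the mechanism: PACKAGE_EXCLUDE makes the image build fail when a dependency pulls the package in, and that build-time error is what turns the runtime `setgid: Function not implemented` login failure into something that cannot regress silently. Finally, the mail client has line-wrapped the `diff --git` and `@@` lines, so this will need to be sent with git send-email rather than pasted to apply cleanly.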

> Thanks,
> Jon
>
> > Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
> > ---
> >
> >  .../0001-base-passwd-Add-the-sgx-group.patch  | 30 +++++++++++++++++++
> >  .../base-passwd/base-passwd_3.6.1.bb          |  1 +
> >  2 files changed, 31 insertions(+)
> >  create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
> >
> > diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
> > new file mode 100644
> > index 000000000000..e1340e1b70cf
> > --- /dev/null
> > +++ b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
> > @@ -0,0 +1,30 @@
> > +From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001
> > +From: Alex Kiernan <alexk@zuma.ai>
> > +Date: Fri, 28 Jul 2023 10:28:57 +0100
> > +Subject: [PATCH] base-passwd: Add the sgx group
> > +
> > +To avoid errors from eudev/udev we need an sgx group, but if we add it
> > +via groupadd that causes shadow login to be brought into an image, which
> > +causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
> > +Function not implemented` as shadow's login doesn't implement the
> > +heuristics which busybox has to handle this kernel configuration.
> > +
> > +Upstream-Status: Inappropriate [oe-specific]
> > +
> > +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
> > +---
> > + group.master | 1 +
> > + 1 file changed, 1 insertion(+)
> > +
> > +diff --git a/group.master b/group.master
> > +index d34d2b832d43..e54fd1d2c6dc 100644
> > +--- a/group.master
> > ++++ b/group.master
> > +@@ -34,6 +34,7 @@ video:*:44:
> > + sasl:*:45:
> > + plugdev:*:46:
> > + kvm:*:47:
> > ++sgx:*:48:
> > + staff:*:50:
> > + games:*:60:
> > + shutdown:*:70:
> > diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
> > index 204016b3e72e..44bcfb019930 100644
> > --- a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
> > +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
> > @@ -13,6 +13,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
> >             file://0005-Add-kvm-group.patch \
> >             file://0006-Make-it-possible-to-configure-whether-to-use-SELinux.patch \
> >             file://0007-Add-wheel-group.patch \
> > +           file://0001-base-passwd-Add-the-sgx-group.patch \
> >             "
> >
> >  SRC_URI[sha256sum] = "6ff369be59d586ba63c0c5fcb00f75f9953fe49db88bc6c6428f2c92866f79af"
> > --
> > 2.39.0
Richard Purdie July 29, 2023, 8:24 a.m. UTC | #3
On Fri, 2023-07-28 at 15:01 +0100, Alex Kiernan wrote:
> On Fri, Jul 28, 2023 at 1:52 PM Jon Mason <jdmason@kudzu.us> wrote:
> > 
> > On Fri, Jul 28, 2023 at 5:40 AM Alex Kiernan <alex.kiernan@gmail.com> wrote:
> > > 
> > > To avoid errors from eudev/udev we need an sgx group, but if we add it
> > > via groupadd that causes shadow login to be brought into an image, which
> > > causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
> > > Function not implemented` as shadow's login doesn't implement the
> > > heuristics which busybox has to handle this kernel configuration.
> > 
> > Firstly, thank you very much for fixing this.  I was having lots of
> > trouble with it.
> > 
> > I just wanted to point out that the underlying sgx issue is unique to
> > Intel/x86.  So, it might make sense to only apply this patch in this
> > case.
> > 
> 
> You get the noise from eudev on everything (I'm deploying onto
> aarch64), I guess because it fails at parse time and everyone gets the
> same rules. Obviously we could try for an sgx only rule on x86, but
> tbh that feels like way too much effort!

FWIW I agree and merged this as the best of the bad options.

> 
> I think we want something like this on poky-tiny so this doesn't regress:
> 
> diff --git a/meta-poky/conf/distro/poky-tiny.conf
> b/meta-poky/conf/distro/poky-tiny.conf
> index f65d2dabf3af..728d161d59af 100644
> --- a/meta-poky/conf/distro/poky-tiny.conf
> +++ b/meta-poky/conf/distro/poky-tiny.conf
> @@ -122,3 +122,7 @@ SKIP_RECIPE[core-image-weston] = "not buildable
> with poky-tiny"
> 
>  # Disable python usage in opkg-utils since it won't build with tiny config
>  PACKAGECONFIG:remove:pn-opkg-utils = "python"
> +
> +# If shadow-base is brought into the image, logins will fail because it
> +# doesn't have the heuristics to work when CONFIG_MULTIUSER is unset.
> +PACKAGE_EXCLUDE:poky-tiny = "shadow-base"

A patch would be welcome for that please!

Cheers,

Richard

Patch

diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
new file mode 100644
index 000000000000..e1340e1b70cf
--- /dev/null
+++ b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
@@ -0,0 +1,30 @@ 
+From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Fri, 28 Jul 2023 10:28:57 +0100
+Subject: [PATCH] base-passwd: Add the sgx group
+
+To avoid errors from eudev/udev we need an sgx group, but if we add it
+via groupadd that causes shadow login to be brought into an image, which
+causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
+Function not implemented` as shadow's login doesn't implement the
+heuristics which busybox has to handle this kernel configuration.
+
+Upstream-Status: Inappropriate [oe-specific]
+
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+---
+ group.master | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/group.master b/group.master
+index d34d2b832d43..e54fd1d2c6dc 100644
+--- a/group.master
++++ b/group.master
+@@ -34,6 +34,7 @@ video:*:44:
+ sasl:*:45:
+ plugdev:*:46:
+ kvm:*:47:
++sgx:*:48:
+ staff:*:50:
+ games:*:60:
+ shutdown:*:70:
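Review bot: the new patch file carries two different identities for the same author, `From: Alex Kiernan <alexk@zuma.ai>` in the header and `Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>` in the trailer; that is permitted but trips tooling that checks the sign-off against the author, so one address in both would be cleaner. The GID choice is also undocumented: 48 is free between the `kvm:*:47:` and `staff:*:50:` context lines, but the description should state that a fixed static GID is being reserved and that no other recipe still creates `sgx` via groupadd (the approach the description says was abandoned), otherwise a second definition of the group with a different, dynamically assigned GID could coexist with this one.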
diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
index 204016b3e72e..44bcfb019930 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb
@@ -13,6 +13,7 @@  SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
            file://0005-Add-kvm-group.patch \
            file://0006-Make-it-possible-to-configure-whether-to-use-SELinux.patch \
            file://0007-Add-wheel-group.patch \
+           file://0001-base-passwd-Add-the-sgx-group.patch \
            "
 
 SRC_URI[sha256sum] = "6ff369be59d586ba63c0c5fcb00f75f9953fe49db88bc6c6428f2c92866f79af"
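Review bot: the new patch's file name breaks the numbering this recipe uses: the neighbouring entries are `file://0005-Add-kvm-group.patch`, `file://0006-...` and `file://0007-Add-wheel-group.patch`, so `file://0001-base-passwd-Add-the-sgx-group.patch` sorts first in the directory while being applied last, and the `base-passwd-` prefix repeats the recipe name. Renaming it `0008-Add-sgx-group.patch` (with the matching `Subject:` inside the file) keeps the series readable. The position in SRC_URI is correct as it stands: the `kvm:*:47:` context line the patch relies on comes from `0005-Add-kvm-group.patch`, so it must stay after that entry, and appending at the end achieves that.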