Message ID | 20230509175457.1038298-1-stefanb@linux.ibm.com
---|---
Series | Drop a kernel patch and a kernel config option
Hi Stefan,

Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 18:55:

> This PR removes a kernel patch related to overlayfs and IMA appraisal file change
> notifications and a squashfs xattr kernel config option.
>
> Stefan
>
> Stefan Berger (2):
>   linux: overlayfs: Drop kernel patch resolving a file change notification issue
>   ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
>
>  ...Increment-iversion-upon-file-changes.patch | 42 -------------------
>  .../recipes-kernel/linux/linux/ima.cfg        |  1 -
>  .../recipes-kernel/linux/linux_ima.inc        |  1 -

Unfortunately this is not enough because in the full patchset you are overriding the do_configure task on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included in every recipe that follows the pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).

This breaks many recipes like linux-firmware and maybe others.
The root cause of the issue is now on f4f7624d2e but because this patch is too evasive, maybe everything has to be reversed.

I am now building with the full patchset revert and so far the build is looking good.

Jose

>  3 files changed, 44 deletions(-)
>  delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>
> --
> 2.34.1
On 5/9/23 14:11, Jose Quaresma wrote:
> Hi Stefan,
>
> Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 18:55:
>
>> This PR removes a kernel patch related to overlayfs and IMA appraisal file change
>> notifications and a squashfs xattr kernel config option.
>>
>> Stefan
>>
>> Stefan Berger (2):
>>   linux: overlayfs: Drop kernel patch resolving a file change notification issue
>>   ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
>>
>>  ...Increment-iversion-upon-file-changes.patch | 42 -------------------
>>  .../recipes-kernel/linux/linux/ima.cfg        |  1 -
>>  .../recipes-kernel/linux/linux_ima.inc        |  1 -
>
> Unfortunately this is not enough because in the full patchset you are overriding the do_configure task
> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included in every recipe that follows the
> pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).

You are referring to this here?

do_configure() {
    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
}

You are saying that this deactivates some other do_configure's? If this is the case, what would be the right syntax to fix it?

It's a no-op on a .config that does not contain the CONFIG_SYSTEM_TRUSTED_KEYS= option already.

Stefan

> This breaks many recipes like linux-firmware and maybe others.
> The root cause of the issue is now on f4f7624d2e but because this patch is too evasive, maybe everything has to be reversed.
> I am now building with the full patchset revert and so far the build is looking good.
>
> Jose
>
>>  3 files changed, 44 deletions(-)
>>  delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>
>> --
>> 2.34.1
>
> --
> Best regards,
>
> José Quaresma
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59940): https://lists.yoctoproject.org/g/yocto/message/59940
> Mute This Topic: https://lists.yoctoproject.org/mt/98789504/1792208
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [stefanb@linux.ibm.com]
> -=-=-=-=-=-=-=-=-=-=-=-
On 5/9/23 14:19, Stefan Berger wrote:
>
> On 5/9/23 14:11, Jose Quaresma wrote:
>> Unfortunately this is not enough because in the full patchset you are overriding the do_configure task
>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included in every recipe that follows the
>> pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
>
> You are referring to this here?
>
> do_configure() {
>     sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> }
>
> You are saying that this deactivates some other do_configure's? If this is the case, what would be the right syntax to fix it?

Jose, is the correct syntax to use do_configure:append () ? Can you try with this syntax?

Stefan

> It's a no-op on a .config that does not contain the CONFIG_SYSTEM_TRUSTED_KEYS= option already.
>
> Stefan
>
>> This breaks many recipes like linux-firmware and maybe others.
>> The root cause of the issue is now on f4f7624d2e but because this patch is too evasive, maybe everything has to be reversed.
>> I am now building with the full patchset revert and so far the build is looking good.
>>
>> Jose
>>
>> --
>> Best regards,
>>
>> José Quaresma
Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 19:19:

> On 5/9/23 14:11, Jose Quaresma wrote:
>> Hi Stefan,
>>
>> Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 18:55:
>>
>>> This PR removes a kernel patch related to overlayfs and IMA appraisal file change
>>> notifications and a squashfs xattr kernel config option.
>>>
>>> Stefan
>>>
>>> Stefan Berger (2):
>>>   linux: overlayfs: Drop kernel patch resolving a file change notification issue
>>>   ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
>>>
>>>  ...Increment-iversion-upon-file-changes.patch | 42 -------------------
>>>  .../recipes-kernel/linux/linux/ima.cfg        |  1 -
>>>  .../recipes-kernel/linux/linux_ima.inc        |  1 -
>>
>> Unfortunately this is not enough because in the full patchset you are overriding the do_configure task
>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included in every recipe that follows the
>> pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
>
> You are referring to this here?
>
> do_configure() {
>     sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> }
>
> You are saying that this deactivates some other do_configure's? If this is the case, what would be the right syntax to fix it?

Yes, this is the problem.

The right fix IMHO is reverting because we can't assume that the .config is always there on the bitbake build directory and this only happens when building the kernel.

Another no less significant side effect is that this change is also applied to a wide range of recipes, any one starting with the name linux-*.bb.

So the full patch set should be reverted in my opinion and be tested more locally, building for example some recipe that respects the pattern linux-*.bb and also other kernels, and re-submitted again.

Jose

> It's a no-op on a .config that does not contain the CONFIG_SYSTEM_TRUSTED_KEYS= option already.
>
> Stefan
>
>> This breaks many recipes like linux-firmware and maybe others.
>> The root cause of the issue is now on f4f7624d2e but because this patch is too evasive, maybe everything has to be reversed.
>> I am now building with the full patchset revert and so far the build is looking good.
>>
>> Jose
>>
>>>  3 files changed, 44 deletions(-)
>>>  delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>>
>>> --
>>> 2.34.1
>>
>> --
>> Best regards,
>>
>> José Quaresma
On Tue, May 9, 2023 at 2:43 PM Jose Quaresma <quaresma.jose@gmail.com> wrote:
>
> Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 19:19:
>>
>> On 5/9/23 14:11, Jose Quaresma wrote:
>>> Hi Stefan,
>>>
>>> Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 18:55:
>>>
>>>> This PR removes a kernel patch related to overlayfs and IMA appraisal file change
>>>> notifications and a squashfs xattr kernel config option.
>>>>
>>>> Stefan
>>>>
>>>> Stefan Berger (2):
>>>>   linux: overlayfs: Drop kernel patch resolving a file change notification issue
>>>>   ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
>>>>
>>>>  ...Increment-iversion-upon-file-changes.patch | 42 -------------------
>>>>  .../recipes-kernel/linux/linux/ima.cfg        |  1 -
>>>>  .../recipes-kernel/linux/linux_ima.inc        |  1 -
>>>
>>> Unfortunately this is not enough because in the full patchset you are overriding the do_configure task
>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included in every recipe that follows the
>>> pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
>>
>> You are referring to this here?
>>
>> do_configure() {
>>     sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>> }
>>
>> You are saying that this deactivates some other do_configure's? If this is the case, what would be the right syntax to fix it?
>
> Yes, this is the problem.
>
> The right fix IMHO is reverting because we can't assume that the .config is always there
> on the bitbake build directory and this only happens when building the kernel.
>
> Another no less significant side effect is that this change is also applied to a wide range of recipes,
> any one starting with the name linux-*.bb.
>
> So the full patch set should be reverted in my opinion and be tested more locally, building for example
> some recipe that respects the pattern linux-*.bb and also other kernels, and re-submitted again.

I had to deal with the need for a similarly broad bbappend, and both distro / kernel version conditions in meta-virtualization.

This isn't exactly what Stefan is looking for, but it is a starting point:

https://git.yoctoproject.org/meta-virtualization/tree/recipes-kernel/linux/linux-%25.bbappend

Bruce

> Jose
>
>> It's a no-op on a .config that does not contain the CONFIG_SYSTEM_TRUSTED_KEYS= option already.
>>
>> Stefan
>>
>>> This breaks many recipes like linux-firmware and maybe others.
>>> The root cause of the issue is now on f4f7624d2e but because this patch is too evasive, maybe everything has to be reversed.
>>> I am now building with the full patchset revert and so far the build is looking good.
>>>
>>> Jose
>>>
>>>>  3 files changed, 44 deletions(-)
>>>>  delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>>>
>>>> --
>>>> 2.34.1
>>>
>>> --
>>> Best regards,
>>>
>>> José Quaresma
>
> --
> Best regards,
>
> José Quaresma
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59945): https://lists.yoctoproject.org/g/yocto/message/59945
> Mute This Topic: https://lists.yoctoproject.org/mt/98789504/1050810
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
On 5/9/23 14:43, Jose Quaresma wrote:
>> You are referring to this here?
>>
>> do_configure() {
>>     sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>> }
>>
>> You are saying that this deactivates some other do_configure's? If this is the case, what would be the right syntax to fix it?
>
> Yes, this is the problem. The right fix IMHO is reverting because we can't assume that the .config is always there
> on the bitbake build directory and this only happens when building the kernel.
>
> Another no less significant side effect is that this change is also applied to a wide range of recipes,
> any one starting with the name linux-*.bb.

I suppose it only included linux_ima.inc since 'integrity' was set in DISTRO_FEATURES.

$ cat meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}

I modified the linux_ima.inc to look like this here now:

$ cat meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
FILESEXTRAPATHS:append := "${THISDIR}/linux:"

SRC_URI += " \
    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
"

do_configure:append() {
    if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ]; then
        sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
    fi
}

KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"

inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
----------------------------------------------------------------------------------------

This now filters the inclusion of ima.scc and the configure only runs under that same condition.

Stefan
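The thread raises two ways the sed line can misbehave when a linux-%.bbappend pulls it into every linux-* recipe: the .config may not exist at all (Jose's point about non-kernel recipes such as linux-firmware), and when it does exist but has no CONFIG_SYSTEM_TRUSTED_KEYS line the substitution is a silent no-op (Stefan's point). The shell helper below is an added example written for this page; it is not code from meta-integrity or from anyone in the thread. It takes the .config path and the CA path as explicit arguments instead of reading ${IMA_EVM_ROOT_CA} from bitbake (my assumption for a stand-alone demo), reports each of those two conditions with a distinct exit status so a build log shows them, and then performs the same substitution as the recipe. The sample .config it edits is constructed inline.

```shell
#!/bin/sh
# Added example, not meta-integrity code: a guarded version of the
# CONFIG_SYSTEM_TRUSTED_KEYS rewrite that is safe to call from a broadly
# matched bbappend. Uses GNU sed -i (assumption: a Linux build host).

# set_trusted_keys CONFIG_PATH CA_PATH
#   0 : option found and rewritten to point at CA_PATH
#   1 : CONFIG_PATH does not exist (not a kernel build, e.g. linux-firmware)
#   2 : CONFIG_PATH exists but has no CONFIG_SYSTEM_TRUSTED_KEYS line,
#       so the recipe's plain sed would have done nothing silently
set_trusted_keys() {
    config="$1"
    ca="$2"
    if [ ! -f "$config" ]; then
        echo "set_trusted_keys: no $config, nothing to do" >&2
        return 1
    fi
    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS=' "$config"; then
        echo "set_trusted_keys: $config has no CONFIG_SYSTEM_TRUSTED_KEYS line" >&2
        return 2
    fi
    # Same substitution as the recipe; '|' is the sed delimiter, so a CA
    # path containing '|' is not supported here.
    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${ca}\"|" "$config"
}

# trusted_keys_value CONFIG_PATH: print the configured value without quotes.
trusted_keys_value() {
    sed -n 's|^CONFIG_SYSTEM_TRUSTED_KEYS="\(.*\)"$|\1|p' "$1"
}

# Stand-alone demo on a constructed .config fragment.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'CONFIG_MODULE_SIG=y' 'CONFIG_SYSTEM_TRUSTED_KEYS=""' 'CONFIG_IMA=y' > "$tmp/.config"
    # Placeholder CA path, not a real file.
    set_trusted_keys "$tmp/.config" "/path/to/ima-evm-root-ca.pem"
    trusted_keys_value "$tmp/.config"
    rm -rf "$tmp"
}
```

Run `demo` after sourcing the file; it prints the rewritten CA path. In a recipe context the non-zero returns are what distinguish "this recipe has no kernel .config" from "the kernel config is missing the option the IMA setup depends on", which the original unconditional sed collapses into the same silent success.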