
[meta-security,1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"

Message ID 20230509185631.3182570-1-jose.quaresma@foundries.io
State New
Series [meta-security,1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"

Commit Message

Jose Quaresma May 9, 2023, 6:56 p.m. UTC
This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.

The full patchset is overriding the do_configure task and also adds a kernel patch
in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
 ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
 2 files changed, 2 insertions(+), 42 deletions(-)
 delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)

Comments

akuster808 May 10, 2023, 11:44 a.m. UTC | #1
On 5/9/23 2:56 PM, Jose Quaresma wrote:
> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>
> The full patchset is overriding the do_configure task and also adds a kernel patch
> in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
> So the patch fails in some recipes, and the do_configure task doesn't make sense.
> This breaks many recipes like linux-firmware and maybe others.

I fail to see how this package update is part of the issue above. I am
still trying to sort out the store here to figure out how we move forward.

- armin
>
> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> ---
>   ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
>   ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
>   2 files changed, 2 insertions(+), 42 deletions(-)
>   delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)
>
> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
> deleted file mode 100644
> index 3624576..0000000
> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
> +++ /dev/null
> @@ -1,35 +0,0 @@
> -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
> -From: Stefan Berger <stefanb@linux.ibm.com>
> -Date: Tue, 18 Apr 2023 11:43:55 -0400
> -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
> -
> -If a signatures is detected as being portable do not attempt to read the
> -generation with the ioctl since in some cases this may not be supported
> -by the filesystem and is also not needed for computing a portable
> -signature.
> -
> -This avoids the current work-around of passing --generation 0 when the
> -ioctl is not supported by the filesystem.
> -
> -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ----
> - src/evmctl.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/evmctl.c b/src/evmctl.c
> -index 6d2bb67..c35a28c 100644
> ---- a/src/evmctl.c
> -+++ b/src/evmctl.c
> -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> - 	if (mode_str)
> - 		st.st_mode = strtoul(mode_str, NULL, 10);
> -
> --	if (!evm_immutable) {
> -+	if (!evm_immutable && !evm_portable) {
> - 		if (S_ISREG(st.st_mode) && !generation_str) {
> - 			int fd = open(file, 0);
> -
> ----
> -2.39.2
> -
> -
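Review bot: the commit message gives no reason for reverting the ima-evm-utils 1.5 update itself; this hunk only deletes the backported evmctl fix (skip the generation ioctl when evm_portable is set), which has nothing to do with the linux-%.bbappend and linux_ima.inc problem the message describes. If the breakage is confined to the kernel-side commits, keep the 1.5 recipe and this patch and revert only those; if the revert stays, state in the message that users lose this fix and are back to the `--generation 0` workaround the patch description mentions.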
> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> similarity index 71%
> rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
> rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> index 8ac080c..873aeeb 100644
> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
> +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils"
>   
>   DEPENDS:class-native += "openssl-native keyutils-native"
>   
> -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
> -
> -SRC_URI = " \
> -    https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
> -    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
> -"
> -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
> +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
> +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
>   
>   inherit pkgconfig autotools features_check
>   
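Review bot: the rename hunk changes more than the version: SRC_URI moves from the GitHub release tarball back to the SourceForge linux-ima download and SRC_URI[sha256sum] changes with it, yet the commit message mentions neither. Say so in the message, and since a revert should be mechanical, confirm the 1.4 checksum is the one from the recipe before 9de8077 rather than a freshly fetched value. Dropping FILESEXTRAPATHS:append together with the file:// entry is consistent, as no local patch remains.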
>
Stefan Berger May 10, 2023, 12:23 p.m. UTC | #2
On 5/10/23 07:44, Armin Kuster wrote:
> 
> 
> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>
>> The full patchset is overriding the do_configure task and also adds a kernel patch
>> in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
>> in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
>> So the patch fails in some recipes, and the do_configure task doesn't make sense.
>> This breaks many recipes like linux-firmware and maybe others.
> 
> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.

My suggestion would be that I post a v2 of my fix patches containing:

1) removal of the Linux kernel patch
2) removal of the squashfs option (less important)
3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
    but modified to look like this with '&& [ -f .config ]' appended:

  do_configure:append() {
      if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
          sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
      fi
  }

I don't want to hold things up but maybe it's worth discussing the suggested changes.

From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
matches the pattern linux-firmware as well and therefore its contents get included when building
linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
these included for linux-firmware.

   Stefan

> 
> - armin
>>
>> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
>> ---
>>   ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
>>   ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
>>   2 files changed, 2 insertions(+), 42 deletions(-)
>>   delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)
>>
>> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>> deleted file mode 100644
>> index 3624576..0000000
>> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>> +++ /dev/null
>> @@ -1,35 +0,0 @@
>> -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
>> -From: Stefan Berger <stefanb@linux.ibm.com>
>> -Date: Tue, 18 Apr 2023 11:43:55 -0400
>> -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
>> -
>> -If a signatures is detected as being portable do not attempt to read the
>> -generation with the ioctl since in some cases this may not be supported
>> -by the filesystem and is also not needed for computing a portable
>> -signature.
>> -
>> -This avoids the current work-around of passing --generation 0 when the
>> -ioctl is not supported by the filesystem.
>> -
>> -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ----
>> - src/evmctl.c | 2 +-
>> - 1 file changed, 1 insertion(+), 1 deletion(-)
>> -
>> -diff --git a/src/evmctl.c b/src/evmctl.c
>> -index 6d2bb67..c35a28c 100644
>> ---- a/src/evmctl.c
>> -+++ b/src/evmctl.c
>> -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
>> -     if (mode_str)
>> -         st.st_mode = strtoul(mode_str, NULL, 10);
>> -
>> --    if (!evm_immutable) {
>> -+    if (!evm_immutable && !evm_portable) {
>> -         if (S_ISREG(st.st_mode) && !generation_str) {
>> -             int fd = open(file, 0);
>> -
>> ----
>> -2.39.2
>> -
>> -
>> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
>> similarity index 71%
>> rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
>> rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
>> index 8ac080c..873aeeb 100644
>> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
>> +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
>> @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils"
>>   DEPENDS:class-native += "openssl-native keyutils-native"
>> -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
>> -
>> -SRC_URI = " \
>> -    https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
>> -    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
>> -"
>> -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
>> +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
>> +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
>>   inherit pkgconfig autotools features_check
>>
>>
>>
> 
> 
> 
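The guarded do_configure:append Stefan proposes above, as an added shell example (not meta-security's code and not from this thread): it emulates the three conditions in that append (the 'ima' DISTRO_FEATURE is set, a .config exists, and only then is CONFIG_SYSTEM_TRUSTED_KEYS rewritten) against two constructed build trees, one with a kernel-style .config and one without, to show why '[ -f .config ]' keeps the append harmless for a recipe such as linux-firmware. The directory layout, feature strings, .config fragment and CA path are all constructed for the example.

```shell
#!/bin/sh
# Emulation of the guarded do_configure:append from the thread (example code, not
# meta-security's). The bbappend relies on three checks, reproduced here:
#   1. 'ima' is in DISTRO_FEATURES (bb.utils.contains matches whole words)
#   2. a kernel .config exists in the build directory (linux-firmware has none)
#   3. only then is CONFIG_SYSTEM_TRUSTED_KEYS pointed at the IMA/EVM root CA
#
# set_trusted_keys <DISTRO_FEATURES string> <build dir> <root CA path>
# Prints what it did; returns 1 only if rewriting .config fails.
set_trusted_keys() {
    features="$1"
    builddir="$2"
    ca="$3"

    # word-level test, like bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)
    case " $features " in
        *" ima "*) ;;
        *) echo "skip: ima not in DISTRO_FEATURES"; return 0 ;;
    esac

    # the '[ -f .config ]' guard: recipes matched by linux-%.bbappend that are not
    # kernels have no .config, so there is nothing to rewrite
    if [ ! -f "$builddir/.config" ]; then
        echo "skip: no .config in $builddir"
        return 0
    fi

    # same sed expression as the bbappend; written via a temp file instead of sed -i
    # so it behaves the same on GNU and BSD sed
    sed "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${ca}\"|" \
        "$builddir/.config" > "$builddir/.config.new" \
        && mv "$builddir/.config.new" "$builddir/.config" || return 1
    echo "patched: $builddir/.config"
}

# trusted_keys_value <build dir>: prints the current CONFIG_SYSTEM_TRUSTED_KEYS value
# (empty if unset or if there is no .config)
trusted_keys_value() {
    sed -n 's/^CONFIG_SYSTEM_TRUSTED_KEYS="\(.*\)"$/\1/p' "$1/.config" 2>/dev/null
}

# demo: constructed build trees, one kernel-like (with .config) and one firmware-like (without)
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/kernel" "$tmp/firmware"
    # constructed fragment of a kernel .config
    printf '%s\n' 'CONFIG_IMA=y' 'CONFIG_SYSTEM_TRUSTED_KEYS=""' 'CONFIG_EVM=y' > "$tmp/kernel/.config"
    set_trusted_keys "ima systemd" "$tmp/kernel" "/build/keys/ima-root-ca.pem"
    set_trusted_keys "ima systemd" "$tmp/firmware" "/build/keys/ima-root-ca.pem"
    set_trusted_keys "systemd" "$tmp/kernel" "/build/keys/other.pem"
    echo "kernel .config now trusts: $(trusted_keys_value "$tmp/kernel")"
    rm -rf "$tmp"
}

demo
```

Running it shows the kernel tree being patched once, the firmware tree being skipped because no .config exists, and the third call being skipped because 'ima' is not a feature; the CA value from the first call survives the later calls.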
Mikko Rapeli May 10, 2023, 1:15 p.m. UTC | #3
Hi,

On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> 
> 
> On 5/10/23 07:44, Armin Kuster wrote:
> > 
> > 
> > On 5/9/23 2:56 PM, Jose Quaresma wrote:
> > > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> > > 
> > > The full patchset is overriding the do_configure task and also adds a kernel patch
> > > in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> > > in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
> > > So the patch fails in some recipes, and the do_configure task doesn't make sense.
> > > This breaks many recipes like linux-firmware and maybe others.
> > 
> > I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> 
> My suggestion would be that I post a v2 of my fix patches containing:
> 
> 1) removal of the Linux kernel patch
> 2) removal of the squashfs option (less important)
> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>    but modified to look like this with '&& [ -f .config ]' appended:
> 
>  do_configure:append() {
>      if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>          sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>      fi
>  }
> 
> I don't want to hold things up but maybe it's worth discussing the suggested changes.
> 
> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> matches the pattern linux-firmware as well and therefore its contents get included when building
> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> these included for linux-firmware.

Why is the bbappend applying changes to all recipes where name starts with
"linux-"?

It is aiming at Linux kernel recipes which by default in yocto are
called "linux-yocto", so the bbappend could simply be
"linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
and other variants too).

I think it's a bad idea to try to apply this change automatically to all
possible BSP layer kernels which may or may not have names starting with
"linux-" and it's well known that there are a lot of recipe names which
start with "linux-" which are not Linux kernels (linux-firmware,
linux-libc-headers, linux-dummy etc).

Cheers,

-Mikko
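The naming rule Mikko describes, as an added shell example (not BitBake's code and not from this thread): it emulates how BitBake's cooker pairs a bbappend with recipe files, namely that the text before the first '%' in the bbappend name is matched as a prefix of the recipe file name (a name without '%' must match exactly), and runs the three names under discussion over a constructed list of "linux-" recipes. The sample recipe names and versions are constructed for the example.

```shell
#!/bin/sh
# Emulation of BitBake's bbappend-to-recipe matching (example code, not BitBake's own).
# Rule: strip .bbappend/.bb, then the part of the bbappend name before the first '%'
# must be a prefix of the recipe name; with no '%' the names must be identical.
#
# matches_bbappend <name.bbappend> <recipe.bb>: returns 0 on a match, 1 otherwise
matches_bbappend() {
    pat="${1%.bbappend}"
    recipe="${2%.bb}"
    case "$pat" in
        *%*)
            prefix=$(printf '%s' "$pat" | cut -d'%' -f1)   # text before the first '%'
            case "$recipe" in
                "$prefix"*) return 0 ;;
                *) return 1 ;;
            esac
            ;;
        *)
            [ "$recipe" = "$pat" ]
            ;;
    esac
}

# constructed sample of recipe file names that all start with "linux-";
# only the first three are Linux kernels
SAMPLE_RECIPES="linux-yocto_6.1.bb linux-yocto-rt_6.1.bb linux-aspeed_6.1.bb linux-firmware_20230404.bb linux-libc-headers_6.1.bb linux-dummy.bb"

# list_matches <name.bbappend>: prints the sample recipes the bbappend would apply to
list_matches() {
    for r in $SAMPLE_RECIPES; do
        matches_bbappend "$1" "$r" && echo "$r"
    done
    return 0
}

# count_matches <name.bbappend>: number of sample recipes the bbappend would apply to
count_matches() {
    n=0
    for r in $SAMPLE_RECIPES; do
        if matches_bbappend "$1" "$r"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# demo: the current name in meta-integrity and the two alternatives proposed in the thread
for name in linux-%.bbappend linux-yocto_%.bbappend linux-yocto%.bbappend; do
    echo "$name applies to $(count_matches "$name") of the sample recipes:"
    list_matches "$name" | sed 's/^/  /'
done
```

The output makes both sides of the discussion visible: linux-%.bbappend applies to all six names, including linux-firmware, linux-libc-headers and linux-dummy; linux-yocto_%.bbappend applies only to linux-yocto; linux-yocto%.bbappend also picks up linux-yocto-rt but, as Stefan notes for OpenBMC, not a BSP kernel such as linux-aspeed.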
Stefan Berger May 10, 2023, 2:20 p.m. UTC | #4
On 5/10/23 09:15, Mikko Rapeli wrote:
> Hi,
> 
> On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>>
>>
>> On 5/10/23 07:44, Armin Kuster wrote:
>>>
>>>
>>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>>>
>>>> The full patchset is overriding the do_configure task and also adds a kernel patch
>>>> in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
>>>> in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
>>>> So the patch fails in some recipes, and the do_configure task doesn't make sense.
>>>> This breaks many recipes like linux-firmware and maybe others.
>>>
>>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>>
>> My suggestion would be that I post a v2 of my fix patches containing:
>>
>> 1) removal of the Linux kernel patch
>> 2) removal of the squashfs option (less important)
>> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>>     but modified to look like this with '&& [ -f .config ]' appended:
>>
>>   do_configure:append() {
>>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>>       fi
>>   }
>>
>> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>>
>> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> matches the pattern linux-firmware as well and therefore its contents get included when building
>> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> these included for linux-firmware.
> 
> Why is the bbappend applying changes to all recipes where name starts with
> "linux-"?
> 
> It is aiming at Linux kernel recipes which by default in yocto are
> called "linux-yocto", so the bbappend could simply be
> "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> and other variants too).

Thanks.

I am trying to enable IMA & EVM under OpenBMC. When I rename linux-%.bbappend to linux-yocto_%.bbappend
then none of the IMA support becomes active under OpenBMC, so it doesn't help much for OpenBMC. If I rename it to
linux-aspeed_%.bbappend then it works for OpenBMC but that's probably not the filename you would want to have in
meta-security.

So I guess the solution is to rename the file to linux-yocto%.bbappend anyway (I won't test it in this env) but
then require that OpenBMC include the linux_ima.inc using a statement like this

require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', '../../../../meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc', '', d)}

in its own linux-aspeed_%.bbappend.

Does this sound correct?

     Stefan

> 
> I think it's a bad idea to try to apply this change automatically to all
> possible BSP layer kernels which may or may not have names starting with
> "linux-" and it's well known that there are a lot of recipe names which
> start with "linux-" which are not Linux kernels (linux-firmware,
> linux-libc-headers, linux-dummy etc).


> 
> Cheers,
> 
> -Mikko
akuster808 May 10, 2023, 2:25 p.m. UTC | #5
On 5/10/23 9:15 AM, Mikko Rapeli wrote:
> Hi,
>
> On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>>
>> On 5/10/23 07:44, Armin Kuster wrote:
>>>
>>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>>>
>>>> The full patchset is overriding the do_configure task and also adds a kernel patch
>>>> in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
>>>> in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
>>>> So the patch fails in some recipes, and the do_configure task doesn't make sense.
>>>> This breaks many recipes like linux-firmware and maybe others.
>>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>> My suggestion would be that I post a v2 of my fix patches containing:
>>
>> 1) removal of the Linux kernel patch
>> 2) removal of the squashfs option (less important)
>> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>>     but modified to look like this with '&& [ -f .config ]' appended:
>>
>>   do_configure:append() {
>>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>>       fi
>>   }
>>
>> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>>
>> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> matches the pattern linux-firmware as well and therefore its contents get included when building
>> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> these included for linux-firmware.
> Why is the bbappend applying changes to all recipes where name starts with
> "linux-"?
>
> It is aiming at Linux kernel recipes which by default in yocto are
> called "linux-yocto", so the bbappend could simply be
> "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> and other variants too).

Well that one is on me. That change came in when I ported over the 
meta-intel-iot-security layer.

6680225 meta-integrity: port over from meta-intel-iot-security

I will send a patch correcting that.

Thanks for the reminder and pointing this out.

BR,
Armin

>
> I think it's a bad idea to try to apply this change automatically to all
> possible BSP layer kernels which may or may not have names starting with
> "linux-" and it's well known that there are a lot of recipe names which
> start with "linux-" which are not Linux kernels (linux-firmware,
> linux-libc-headers, linux-dummy etc).
>
> Cheers,
>
> -Mikko
Jose Quaresma May 10, 2023, 2:33 p.m. UTC | #6
akuster808 <akuster808@gmail.com> wrote on Wednesday, 10/05/2023 at 15:25:

>
>
> On 5/10/23 9:15 AM, Mikko Rapeli wrote:
> > Hi,
> >
> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> >>
> >> On 5/10/23 07:44, Armin Kuster wrote:
> >>>
> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
> >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> >>>>
> >>>> The full patchset is overriding the do_configure task and also adds a kernel patch
> >>>> in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> >>>> in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
> >>>> So the patch fails in some recipes, and the do_configure task doesn't make sense.
> >>>> This breaks many recipes like linux-firmware and maybe others.
> >>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> >> My suggestion would be that I post a v2 of my fix patches containing:
> >>
> >> 1) removal of the Linux kernel patch
> >> 2) removal of the squashfs option (less important)
> >> 3) the suggestion outlined here:
> https://lists.yoctoproject.org/g/yocto/message/59955
> >>     but modified to look like this with '&& [ -f .config ]' appended:
> >>
> >>   do_configure:append() {
> >>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '',
> d)}" = "yes" ] && [ -f .config ] ; then
> >>           sed -i
> "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|"
> .config
> >>       fi
> >>   }
> >>
> >> I don't want to hold things up but maybe it's worth discussing the
> suggested changes.
> >>
> >>  From what I can see 'bitbake linux-firmware' builds under OpenBMC now
> with these suggested changes
> >> and it did NOT build before. My suggestion would be to discuss the
> proposal under that thread there.
> >> The problems seem to be that the file
> meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> >> matches the pattern linux-firmware as well and therefore its contents
> get included when building
> >> linux-firmware. When building linux-firmware while having also
> DISTRO_FEATURES ima set in local.conf then the
> >> ima.scc is added to SRC_URI and the do_configure is also appended. The
> latter will not have side-effects but
> >> I don't know about the former nor how to create a better filter (other
> than DISTRO_FEATURES) for not having
> >> these included for linux-firmware.
> > Why is the bbappend applying changes to all recipes where name starts
> with
> > "linux-"?
> >
> > It is aiming at Linux kernel recipes which by default in yocto are
> > called "linux-yocto", so the bbappend could simply be
> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> > and other variants too).
>
> Well that one is on me. That change came in when I ported over the
> meta-intel-iot-security layer.
>

Renaming the bbappend to linux-yocto%.bbappend will break all other Linux kernels
around that follow the pattern linux-%.bbappend.

A better solution is needed here like the one pointed by Bruce
https://lists.yoctoproject.org/g/yocto/message/59954

I sent the revert because master is currently broken and the cause is the
IMA patchset.
Maybe this patch can be dropped because it only bumps a version but the
others should be dropped.

Jose


>
> 6680225 meta-integrity: port over from meta-intel-iot-security
>
> I will send a patch correcting that.
>
> Thanks for the reminder and pointing this out.
>
> BR,
> Armin
>
> >
> > I think it's a bad idea to try to apply this change automatically to all
> > possible BSP layer kernels which may or may not have names starting with
> > "linux-" and it's well known that there are a lot of recipe names which
> > start with "linux-" which are not Linux kernels (linux-firmware,
> > linux-libc-headers, linux-dummy etc).
> >
> > Cheers,
> >
> > -Mikko
>
>
Mikko Rapeli May 10, 2023, 2:34 p.m. UTC | #7
Hi,

On Wed, May 10, 2023 at 10:20:22AM -0400, Stefan Berger wrote:
> 
> 
> On 5/10/23 09:15, Mikko Rapeli wrote:
> > Hi,
> > 
> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> > > 
> > > 
> > > On 5/10/23 07:44, Armin Kuster wrote:
> > > > 
> > > > 
> > > > On 5/9/23 2:56 PM, Jose Quaresma wrote:
> > > > > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> > > > > 
> > > > > The full patchset is overriding the do_configure task and also adds a kernel patch
> > > > > in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> > > > > in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
> > > > > So the patch fails in some recipes, and the do_configure task doesn't make sense.
> > > > > This breaks many recipes like linux-firmware and maybe others.
> > > > 
> > > > I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> > > 
> > > My suggestion would be that I post a v2 of my fix patches containing:
> > > 
> > > 1) removal of the Linux kernel patch
> > > 2) removal of the squashfs option (less important)
> > > 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
> > >     but modified to look like this with '&& [ -f .config ]' appended:
> > > 
> > >   do_configure:append() {
> > >       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
> > >           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> > >       fi
> > >   }
> > > 
> > > I don't want to hold things up but maybe it's worth discussing the suggested changes.
> > > 
> > > From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> > > and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> > > The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> > > matches the pattern linux-firmware as well and therefore its contents get included when building
> > > linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> > > ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> > > I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> > > these included for linux-firmware.
> > 
> > Why is the bbappend applying changes to all recipes where name starts with
> > "linux-"?
> > 
> > It is aiming at Linux kernel recipes which by default in yocto are
> > called "linux-yocto", so the bbappend could simply be
> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> > and other variants too).
> 
> Thanks.
> 
> I am trying to enable IMA & EVM under OpenBMC. When I rename linux-%.bbappend to linux-yocto_%.bbappend
> then none of the IMA support becomes active under OpenBMC, so it doesn't help much for OpenBMC. If I rename it to
> linux-aspeed_%.bbappend then it works for OpenBMC but that's probably not the filename you would want to have in
> meta-security.
> 
> So I guess the solution is to rename the file to linux-yocto%.bbappend anyway (I won't test it in this env) but
> then require that OpenBMC include the linux_ima.inc using a statement like this
> 
> require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', '../../../../meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc', '', d)}
> 
> in its own linux-aspeed_%.bbappend.
> 
> Does this sound correct?

Yes, this sounds better. You can also document this in the layer for
users with different BSP layers and Linux kernel recipe names. Linking
to the OpenBMC example is a good idea too.

Cheers,

-Mikko
Jose Quaresma May 10, 2023, 2:35 p.m. UTC | #8
Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Wednesday, 10/05/2023 at 15:33:

>
>
> akuster808 <akuster808@gmail.com> wrote on Wednesday, 10/05/2023 at 15:25:
>
>>
>>
>> On 5/10/23 9:15 AM, Mikko Rapeli wrote:
>> > Hi,
>> >
>> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>> >>
>> >> On 5/10/23 07:44, Armin Kuster wrote:
>> >>>
>> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>> >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>> >>>>
>> >>>> The full patchset is overriding the do_configure task and also adds a kernel patch
>> >>>> in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
>> >>>> in every recipe whose name starts with linux- (recipes-kernel/linux/linux-%.bbappend).
>> >>>> So the patch fails in some recipes, and the do_configure task doesn't make sense.
>> >>>> This breaks many recipes like linux-firmware and maybe others.
>> >>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>> >> My suggestion would be that I post a v2 of my fix patches containing:
>> >>
>> >> 1) removal of the Linux kernel patch
>> >> 2) removal of the squashfs option (less important)
>> >> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>> >>     but modified to look like this with '&& [ -f .config ]' appended:
>> >>
>> >>   do_configure:append() {
>> >>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>> >>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>> >>       fi
>> >>   }
>> >>
>> >> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>> >>
>> >>  From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> >> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> >> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> >> matches the pattern linux-firmware as well and therefore its contents get included when building
>> >> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> >> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> >> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> >> these included for linux-firmware.
>> > Why is the bbappend applying changes to all recipes where name starts with
>> > "linux-"?
>> >
>> > It is aiming at Linux kernel recipes which by default in yocto are
>> > called "linux-yocto", so the bbappend could simply be
>> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend to catch the rt
>> > and other variants too).
>>
>> Well that one is on me. That change came in when I ported over the
>> meta-intel-iot-security layer.
>>
>
> Renaming the bbappend to linux-yocto%.bbappend will break all other linux
> kernels around
> that follow the pattern linux-%.bbappend.
>
> A better solution is needed here like the one pointed by Bruce
> https://lists.yoctoproject.org/g/yocto/message/59954
>
> I send the revert because currently the master is broken and the cause is
> IMA patchset.
> Maybe this patch can be dropped because it only bumps a version but the
> others should be dropped.
>

typo: this patch can be dropped but the others should be merged.

Jose


>
> Jose
>
>
>>
>> 6680225 meta-integrity: port over from meta-intel-iot-security
>>
>> I will send a patch correcting that.
>>
>> Thanks for the reminder and pointing this out.
>>
>> BR,
>> Armin
>>
>> >
>> > I think it's a bad idea to try to apply this change automatically to all
>> > possible BSP layer kernels which may or may not have names starting with
>> > "linux-" and it's well known that there are a lot of recipe names which
>> > start with "linux-" which are not Linux kernels (linux-firmware,
>> > linux-libc-headers, linux-dummy etc).
>> >
>> > Cheers,
>> >
>> > -Mikko
>>
>>
>
> --
> Best regards,
>
> José Quaresma
>
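The guarded do_configure:append() that Stefan quotes above and the linux-% recipe match that Mikko questions, reworked as an added shell example that is not part of this thread or of the meta-security layer. It assumes GNU sed (for `sed -i`), and every work directory, key path and DISTRO_FEATURES value below is constructed for the demo; only the variable names DISTRO_FEATURES and IMA_EVM_ROOT_CA come from the thread.

```shell
#!/bin/sh
# Added example, not code from the meta-security thread or layer: a
# stand-alone re-implementation of the guarded do_configure:append()
# discussed above, plus the recipe-name match that linux-%.bbappend
# performs. Variable names DISTRO_FEATURES and IMA_EVM_ROOT_CA follow the
# thread; every path and value below is constructed for the demo.

# bitbake's linux-%.bbappend applies to any recipe whose name starts with
# "linux-", which is why linux-firmware picks it up. Returns 0 on a match.
matches_linux_wildcard() {
    case "$1" in
        linux-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Mirror of the do_configure:append() body: rewrite CONFIG_SYSTEM_TRUSTED_KEYS
# only when "ima" is in DISTRO_FEATURES and a .config exists in the work
# directory. Prints one of: applied, skipped-no-ima, skipped-no-config.
ima_configure_append() {
    workdir="$1"
    distro_features="$2"
    root_ca="$3"

    has_ima=no
    for feature in $distro_features; do
        if [ "$feature" = "ima" ]; then has_ima=yes; fi
    done
    if [ "$has_ima" != "yes" ]; then
        echo "skipped-no-ima"
        return 0
    fi
    # The '&& [ -f .config ]' guard: a recipe like linux-firmware has no
    # kernel .config, so there is nothing to edit and sed must not run.
    if [ ! -f "$workdir/.config" ]; then
        echo "skipped-no-config"
        return 0
    fi
    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$root_ca\"|" "$workdir/.config"
    echo "applied"
}

# Read the value back so the result can be checked independently of sed.
trusted_keys_value() {
    sed -n 's/^CONFIG_SYSTEM_TRUSTED_KEYS=//p' "$1/.config"
}

# Demo on a constructed kernel .config and an empty linux-firmware work dir.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/linux-yocto" "$demo_dir/linux-firmware"
printf 'CONFIG_IMA=y\nCONFIG_SYSTEM_TRUSTED_KEYS=""\n' > "$demo_dir/linux-yocto/.config"
for recipe in linux-yocto linux-firmware busybox; do
    if matches_linux_wildcard "$recipe"; then
        echo "$recipe: matched by linux-%.bbappend ->" \
             "$(ima_configure_append "$demo_dir/$recipe" "ima systemd" "/etc/keys/ima_root_ca.x509")"
    else
        echo "$recipe: not matched by linux-%.bbappend"
    fi
done
echo "linux-yocto now has CONFIG_SYSTEM_TRUSTED_KEYS=$(trusted_keys_value "$demo_dir/linux-yocto")"
rm -rf "$demo_dir"
```

The demo shows the two halves of the problem side by side: the wildcard match pulls linux-firmware in, and the `[ -f .config ]` guard is what keeps the appended task from failing there, while the real fix under discussion is to stop the bbappend from matching non-kernel recipes at all.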
Patch

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
deleted file mode 100644
index 3624576..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
+++ /dev/null
@@ -1,35 +0,0 @@ 
-From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.ibm.com>
-Date: Tue, 18 Apr 2023 11:43:55 -0400
-Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
-
-If a signatures is detected as being portable do not attempt to read the
-generation with the ioctl since in some cases this may not be supported
-by the filesystem and is also not needed for computing a portable
-signature.
-
-This avoids the current work-around of passing --generation 0 when the
-ioctl is not supported by the filesystem.
-
-Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
----
- src/evmctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 6d2bb67..c35a28c 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
- 	if (mode_str)
- 		st.st_mode = strtoul(mode_str, NULL, 10);
- 
--	if (!evm_immutable) {
-+	if (!evm_immutable && !evm_portable) {
- 		if (S_ISREG(st.st_mode) && !generation_str) {
- 			int fd = open(file, 0);
- 
----
-2.39.2
-
-
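Review bot: deleting this file drops a functional evmctl fix that has nothing to do with the breakage the commit message describes (the kernel patch in linux_ima.inc and the do_configure override reaching linux-firmware through linux-%.bbappend); the removed patch header states that it avoids the `--generation 0` workaround on filesystems without the generation ioctl, so reverting it reintroduces that workaround for portable signatures. As noted further up the thread, the ima-evm-utils bump could be kept while the kernel-side changes are reverted; if the deletion is deliberate, the commit message should say that the userspace fix is being regressed and why.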
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
similarity index 71%
rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
index 8ac080c..873aeeb 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
@@ -6,13 +6,8 @@  DEPENDS += "openssl attr keyutils"
 
 DEPENDS:class-native += "openssl-native keyutils-native"
 
-FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
-
-SRC_URI = " \
-    https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
-    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
-"
-SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
+SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
+SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
 
 inherit pkgconfig autotools features_check
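Review bot: the downgrade from 1.5 to 1.4 in this hunk is not required by the stated cause of the build failure, which is in recipes-kernel, and it also silently switches the SRC_URI host from the GitHub release tarball back to sourceforge.net with a different checksum. Removing `FILESEXTRAPATHS:append` and the `file://0001-...patch` entry is consistent with deleting the patch file, but if the recipe bump is kept (as suggested upthread) these lines must stay; otherwise the commit message should state that ima-evm-utils is intentionally being pinned back to 1.4 and its source location changed.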