Message ID | 20230509185631.3182570-1-jose.quaresma@foundries.io |
---|---|
State | New |
Series | [meta-security,1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" |
On 5/9/23 2:56 PM, Jose Quaresma wrote: > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f. > > The full patchset are overriding the do_configure task and also added a kernel patch > on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included > in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend). > So the patch fails in some recipes and also do_configure task doesn't make sense. > This breaks many recipes like linux-firmware and maybe others. I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward. - armin > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > ...ation-using-ioctl-when-evm_portable-.patch | 35 ------------------- > ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} | 9 ++--- > 2 files changed, 2 insertions(+), 42 deletions(-) > delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch > rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%) > > diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch > deleted file mode 100644 > index 3624576..0000000 > --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch > +++ /dev/null 
> @@ -1,35 +0,0 @@ > -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001 > -From: Stefan Berger <stefanb@linux.ibm.com> > -Date: Tue, 18 Apr 2023 11:43:55 -0400 > -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true > - > -If a signatures is detected as being portable do not attempt to read the > -generation with the ioctl since in some cases this may not be supported > -by the filesystem and is also not needed for computing a portable > -signature. > - > -This avoids the current work-around of passing --generation 0 when the > -ioctl is not supported by the filesystem. > - > -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > ---- > - src/evmctl.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/src/evmctl.c b/src/evmctl.c > -index 6d2bb67..c35a28c 100644 > ---- a/src/evmctl.c > -+++ b/src/evmctl.c > -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > - if (mode_str) > - st.st_mode = strtoul(mode_str, NULL, 10); > - > -- if (!evm_immutable) { > -+ if (!evm_immutable && !evm_portable) { > - if (S_ISREG(st.st_mode) && !generation_str) { > - int fd = open(file, 0); > - > ---- > -2.39.2 > - > - > diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb > similarity index 71% > rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb > rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb > index 8ac080c..873aeeb 100644 > --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb > +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb 
> @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils" > > DEPENDS:class-native += "openssl-native keyutils-native" > > -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" > - > -SRC_URI = " \ > - https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ > - file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ > -" > -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d" > +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" > +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" > > inherit pkgconfig autotools features_check > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#59946): https://lists.yoctoproject.org/g/yocto/message/59946 > Mute This Topic: https://lists.yoctoproject.org/mt/98790790/3616698 > Group Owner: yocto+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [akuster808@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
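Review bot: the first hunk (deleting 0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch) is not covered by the revert's stated rationale; the commit message complains about the do_configure override and the kernel patch pulled in through meta-integrity/recipes-kernel/linux/linux_ima.inc, neither of which this file touches. Reverting it reinstates the ioctl-based generation read in calc_evm_hash() for portable signatures, i.e. the `if (!evm_immutable) {` form, on filesystems where the deleted patch's own description says the ioctl is unsupported and the --generation 0 work-around was needed. Either state in the commit message why the evmctl fix must go too, or leave this file out of the revert.

Review bot: the `@@ -6,13 +6,8 @@` hunk is a version downgrade rather than a bbappend fix: it moves SRC_URI from the GitHub v${PV} release tarball back to the sourceforge URL and swaps the sha256sum to the 1.4 value, and the rename to ima-evm-utils_1.4.bb also drops `FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"`, which is only safe because the sole file:// entry is removed in the same patch. If the downgrade is intended, the commit message should say that 1.4 is the target and why; otherwise this patch can be dropped from the series, consistent with the later remark in the thread that it only bumps a version.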
On 5/10/23 07:44, Armin Kuster wrote:
>
>
> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>
>> The full patchset are overriding the do_configure task and also added a kernel patch
>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
>> in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
>> So the patch fails in some recipes and also do_configure task doesn't make sense.
>> This breaks many recipes like linux-firmware and maybe others.
>
> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.

My suggestion would be that I post a v2 of my fix patches containing:

1) removal of the Linux kernel patch
2) removal of the squashfs option (less important)
3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
but modified to look like this with '&& [ -f .config ]' appended:

do_configure:append() {
    if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
        sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
    fi
}

I don't want to hold things up but maybe it's worth discussing the suggested changes.

From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
matches the pattern linux-firmware as well and therefore its contents get included when building
linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
ima.scc is added to SRC_URI and the do_configure is also appended.
The latter will not have side-effects but I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having these included for linux-firmware. Stefan > > - armin >> >> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> >> --- >> ...ation-using-ioctl-when-evm_portable-.patch | 35 ------------------- >> ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} | 9 ++--- >> 2 files changed, 2 insertions(+), 42 deletions(-) >> delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch >> rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%) >> >> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch >> deleted file mode 100644 >> index 3624576..0000000 >> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch >> +++ /dev/null 
>> @@ -1,35 +0,0 @@ >> -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001 >> -From: Stefan Berger <stefanb@linux.ibm.com> >> -Date: Tue, 18 Apr 2023 11:43:55 -0400 >> -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true >> - >> -If a signatures is detected as being portable do not attempt to read the >> -generation with the ioctl since in some cases this may not be supported >> -by the filesystem and is also not needed for computing a portable >> -signature. >> - >> -This avoids the current work-around of passing --generation 0 when the >> -ioctl is not supported by the filesystem. >> - >> -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> ---- >> - src/evmctl.c | 2 +- >> - 1 file changed, 1 insertion(+), 1 deletion(-) >> - >> -diff --git a/src/evmctl.c b/src/evmctl.c >> -index 6d2bb67..c35a28c 100644 >> ---- a/src/evmctl.c >> -+++ b/src/evmctl.c >> -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) >> - if (mode_str) >> - st.st_mode = strtoul(mode_str, NULL, 10); >> - >> -- if (!evm_immutable) { >> -+ if (!evm_immutable && !evm_portable) { >> - if (S_ISREG(st.st_mode) && !generation_str) { >> - int fd = open(file, 0); >> - >> ---- >> -2.39.2 >> - >> - >> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb >> similarity index 71% >> rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb >> rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb >> index 8ac080c..873aeeb 100644 >> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb >> +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb 
>> @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils" >> DEPENDS:class-native += "openssl-native keyutils-native" >> -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" >> - >> -SRC_URI = " \ >> - https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ >> - file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ >> -" >> -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d" >> +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" >> +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" >> inherit pkgconfig autotools features_check >> >> >> > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#59959): https://lists.yoctoproject.org/g/yocto/message/59959 > Mute This Topic: https://lists.yoctoproject.org/mt/98790790/1792208 > Group Owner: yocto+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [stefanb@linux.ibm.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi,

On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>
>
> On 5/10/23 07:44, Armin Kuster wrote:
> >
> >
> > On 5/9/23 2:56 PM, Jose Quaresma wrote:
> > > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> > >
> > > The full patchset are overriding the do_configure task and also added a kernel patch
> > > on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
> > > in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
> > > So the patch fails in some recipes and also do_configure task doesn't make sense.
> > > This breaks many recipes like linux-firmware and maybe others.
> >
> > I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>
> My suggestion would be that I post a v2 of my fix patches containing:
>
> 1) removal of the Linux kernel patch
> 2) removal of the squashfs option (less important)
> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
> but modified to look like this with '&& [ -f .config ]' appended:
>
> do_configure:append() {
>     if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>         sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>     fi
> }
>
> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>
> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> matches the pattern linux-firmware as well and therefore its contents get included when building
> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> these included for linux-firmware.

Why is the bbappend applying changes to all recipes where name starts with
"linux-"?

It is aiming at Linux kernel recipes which by default in yocto are
called "linux-yocto", so the bbappend could simply be
"linux-yocto_%.bbappend" (or "linux-yocto%.bbappend to catch the rt
and other variants too).

I think it's a bad idea to try to apply this change automatically to all
possible BSP layer kernels which may or may not have names starting with
"linux-" and it's well known that there are a lot of recipe names which
start with "linux-" which are not Linux kernels (linux-firmware,
linux-libc-headers, linux-dummy etc).

Cheers,

-Mikko
On 5/10/23 09:15, Mikko Rapeli wrote: > Hi, > > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote: >> >> >> On 5/10/23 07:44, Armin Kuster wrote: >>> >>> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote: >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f. >>>> >>>> The full patchset are overriding the do_configure task and also added a kernel patch >>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included >>>> in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend). >>>> So the patch fails in some recipes and also do_configure task doesn't make sense. >>>> This breaks many recipes like linux-firmware and maybe others. >>> >>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward. >> >> My suggestion would be that I post a v2 of my fix patches containing: >> >> 1) removal of the Linux kernel patch >> 2) removal of the squashfs option (less important) >> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955 >> but modified to look like this with '&& [ -f .config ]' appended: >> >> do_configure:append() { >> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then >> sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config >> fi >> } >> >> I don't want to hold things up but maybe it's worth discussing the suggested changes. >> >> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes >> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there. >> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend >> matches the pattern linux-firmware as well and therefore its contents get included when building >> linux-firmware. 
>> When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> these included for linux-firmware.
>
> Why is the bbappend applying changes to all recipes where name starts with
> "linux-"?
>
> It is aiming at Linux kernel recipes which by default in yocto are
> called "linux-yocto", so the bbappend could simply be
> "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend to catch the rt
> and other variants too).

Thanks.

I am trying to enable IMA & EVM under OpenBMC. When I rename linux-%.bbappend to linux-yocto_%.bbappend
then none of the IMA support becomes active under OpenBMC, so it doesn't help much for OpenBMC. If I rename it to
linux-aspeed_%.bbappend then it works for OpenBMC but that's probably not the filename you would want to have in
meta-security.

So I guess the solution is to rename the file to linux-yocto%.bbappend anyway (I won't test it in this env) but
then require that OpenBMC include the linux_ima.inc using a statement like this

require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', '../../../../meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc', '', d)}

in its own linux-aspeed_%.bbappend.

Does this sound correct?

   Stefan

>
> I think it's a bad idea to try to apply this change automatically to all
> possible BSP layer kernels which may or may not have names starting with
> "linux-" and it's well known that there are a lot of recipe names which
> start with "linux-" which are not Linux kernels (linux-firmware,
> linux-libc-headers, linux-dummy etc).
>
> Cheers,
>
> -Mikko
On 5/10/23 9:15 AM, Mikko Rapeli wrote: > Hi, > > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote: >> >> On 5/10/23 07:44, Armin Kuster wrote: >>> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote: >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f. >>>> >>>> The full patchset are overriding the do_configure task and also added a kernel patch >>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included >>>> in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend). >>>> So the patch fails in some recipes and also do_configure task doesn't make sense. >>>> This breaks many recipes like linux-firmware and maybe others. >>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward. >> My suggestion would be that I post a v2 of my fix patches containing: >> >> 1) removal of the Linux kernel patch >> 2) removal of the squashfs option (less important) >> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955 >> but modified to look like this with '&& [ -f .config ]' appended: >> >> do_configure:append() { >> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then >> sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config >> fi >> } >> >> I don't want to hold things up but maybe it's worth discussing the suggested changes. >> >> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes >> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there. >> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend >> matches the pattern linux-firmware as well and therefore its contents get included when building >> linux-firmware. 
>> When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> these included for linux-firmware.
> Why is the bbappend applying changes to all recipes where name starts with
> "linux-"?
>
> It is aiming at Linux kernel recipes which by default in yocto are
> called "linux-yocto", so the bbappend could simply be
> "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend to catch the rt
> and other variants too).

Well that one is on me. That change came in when I ported over the
meta-intel-iot-security layer.

6680225 meta-integrity: port over from meta-intel-iot-security

I will send a patch correcting that.

Thanks for the reminder and pointing this out.

BR,
Armin

>
> I think it's a bad idea to try to apply this change automatically to all
> possible BSP layer kernels which may or may not have names starting with
> "linux-" and it's well known that there are a lot of recipe names which
> start with "linux-" which are not Linux kernels (linux-firmware,
> linux-libc-headers, linux-dummy etc).
>
> Cheers,
>
> -Mikko
akuster808 <akuster808@gmail.com> escreveu no dia quarta, 10/05/2023 à(s) 15:25: > > > On 5/10/23 9:15 AM, Mikko Rapeli wrote: > > Hi, > > > > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote: > >> > >> On 5/10/23 07:44, Armin Kuster wrote: > >>> > >>> On 5/9/23 2:56 PM, Jose Quaresma wrote: > >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f. > >>>> > >>>> The full patchset are overriding the do_configure task and also added > a kernel patch > >>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is > included > >>>> in every recipe that follows the pattern pattern starting by linux- > (recipes-kernel/linux/linux-%.bbappend). > >>>> So the patch fails in some recipes and also do_configure task doesn't > make sense. > >>>> This breaks many recipes like linux-firmware and maybe others. > >>> I fail to see how this package update is part of the issue above. I > am still trying to sort out the store here to figure out how we move > forward. > >> My suggestion would be that I post a v2 of my fix patches containing: > >> > >> 1) removal of the Linux kernel patch > >> 2) removal of the squashfs option (less important) > >> 3) the suggestion outlined here: > https://lists.yoctoproject.org/g/yocto/message/59955 > >> but modified to look like this with '&& [ -f .config ]' appended: > >> > >> do_configure:append() { > >> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', > d)}" = "yes" ] && [ -f .config ] ; then > >> sed -i > "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" > .config > >> fi > >> } > >> > >> I don't want to hold things up but maybe it's worth discussing the > suggested changes. > >> > >> From what I can see 'bitbake linux-firmware' builds under OpenBMC now > with these suggested changes > >> and it did NOT build before. My suggestion would be to discuss the > proposal under that thread there. 
> >> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> >> matches the pattern linux-firmware as well and therefore its contents get included when building
> >> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> >> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> >> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> >> these included for linux-firmware.
> > Why is the bbappend applying changes to all recipes where name starts with
> > "linux-"?
> >
> > It is aiming at Linux kernel recipes which by default in yocto are
> > called "linux-yocto", so the bbappend could simply be
> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend to catch the rt
> > and other variants too).
>
> Well that one is on me. That change came in when I ported over the
> meta-intel-iot-security layer.
>

Renaming the bbappend to linux-yocto%.bbappend will break all other linux kernels around
that follow the pattern linux-%.bbappend.

A better solution is needed here like the one pointed by Bruce
https://lists.yoctoproject.org/g/yocto/message/59954

I send the revert because currently the master is broken and the cause is IMA patchset.
Maybe this patch can be dropped because it only bumps a version but the others should be dropped.

Jose

>
> 6680225 meta-integrity: port over from meta-intel-iot-security
>
> I will send a patch correcting that.
>
> Thanks for the reminder and pointing this out.
>
> BR,
> Armin
>
> >
> > I think it's a bad idea to try to apply this change automatically to all
> > possible BSP layer kernels which may or may not have names starting with
> > "linux-" and it's well known that there are a lot of recipe names which
> > start with "linux-" which are not Linux kernels (linux-firmware,
> > linux-libc-headers, linux-dummy etc).
> >
> > Cheers,
> >
> > -Mikko
>
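As an added example (not BitBake's own code and not posted by anyone in this thread), the Python below restates the rule by which BitBake pairs a .bbappend with recipe files and runs it over a constructed set of recipe names, so the three positions in the thread can be checked side by side: linux-%.bbappend reaches linux-firmware and friends, linux-yocto_%.bbappend reaches only linux-yocto, and linux-yocto%.bbappend misses linux-aspeed. The matching rule (exact name without '%', otherwise "recipe file name starts with the text before the '%'") is my reading of BitBake's get_file_appends() and is reimplemented here rather than imported; the recipe list and the kernel/non-kernel labelling are constructed for the example.

```python
"""Simplified model of BitBake's .bbappend-to-recipe matching (added example,
not BitBake's code).  Assumption: a bbappend without '%' applies only to the
recipe with the identical name and version; a bbappend with '%' applies to
every recipe whose file name starts with the text before the '%'.
"""
import os

# Constructed sample of recipe file names, not taken from any real layer.
RECIPES = [
    "linux-yocto_6.1.bb",
    "linux-yocto-rt_6.1.bb",
    "linux-aspeed_6.1.bb",         # OpenBMC's kernel, as named in the thread
    "linux-firmware_20230404.bb",
    "linux-libc-headers_6.1.bb",
    "linux-dummy.bb",
]

# Constructed labelling of which sample recipes are kernels.  BitBake itself
# has no such notion: a bbappend sees nothing but the file name.
KERNEL_RECIPE_PREFIXES = ("linux-yocto", "linux-aspeed")


def bbappend_matches(bbappend, recipe):
    """Return True if `bbappend` would be applied to `recipe` (file names)."""
    bbappend = os.path.basename(bbappend)
    recipe = os.path.basename(recipe)
    if not bbappend.endswith(".bbappend") or not recipe.endswith(".bb"):
        return False
    stem_append = bbappend[:-len(".bbappend")]
    stem_recipe = recipe[:-len(".bb")]
    if "%" not in stem_append:
        # Exact rule: foo_1.0.bbappend applies to foo_1.0.bb only.
        return stem_append == stem_recipe
    # Wildcard rule: everything before '%' is a prefix the recipe must share.
    prefix = stem_append[:stem_append.index("%")]
    return stem_recipe.startswith(prefix)


def recipes_for(bbappend, recipes=RECIPES):
    """All recipes in `recipes` that `bbappend` would be appended to."""
    return [r for r in recipes if bbappend_matches(bbappend, r)]


def non_kernel_hits(bbappend, recipes=RECIPES):
    """Recipes the bbappend reaches although they are not kernels (overreach)."""
    return [r for r in recipes_for(bbappend, recipes)
            if not r.startswith(KERNEL_RECIPE_PREFIXES)]


def kernels_missed(bbappend, recipes=RECIPES):
    """Kernel recipes the bbappend does not reach (the opposite failure)."""
    hit = set(recipes_for(bbappend, recipes))
    return [r for r in recipes
            if r.startswith(KERNEL_RECIPE_PREFIXES) and r not in hit]


if __name__ == "__main__":
    for name in ("linux-%.bbappend", "linux-yocto_%.bbappend",
                 "linux-yocto%.bbappend", "linux-aspeed_%.bbappend"):
        print(name)
        print("  applies to    :", recipes_for(name))
        print("  non-kernel hits:", non_kernel_hits(name))
        print("  kernels missed :", kernels_missed(name))
```

Running it shows the trade-off the thread is circling: the only name that reaches every kernel in the sample is linux-%.bbappend, and it reaches the three non-kernels as well, which is why the DISTRO_FEATURES-guarded `require` in the BSP's own bbappend is the narrower option.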
Hi,

On Wed, May 10, 2023 at 10:20:22AM -0400, Stefan Berger wrote:
>
>
> On 5/10/23 09:15, Mikko Rapeli wrote:
> > Hi,
> >
> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> > >
> > >
> > > On 5/10/23 07:44, Armin Kuster wrote:
> > > >
> > > >
> > > > On 5/9/23 2:56 PM, Jose Quaresma wrote:
> > > > > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> > > > >
> > > > > The full patchset are overriding the do_configure task and also added a kernel patch
> > > > > on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
> > > > > in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
> > > > > So the patch fails in some recipes and also do_configure task doesn't make sense.
> > > > > This breaks many recipes like linux-firmware and maybe others.
> > > >
> > > > I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> > >
> > > My suggestion would be that I post a v2 of my fix patches containing:
> > >
> > > 1) removal of the Linux kernel patch
> > > 2) removal of the squashfs option (less important)
> > > 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
> > > but modified to look like this with '&& [ -f .config ]' appended:
> > >
> > > do_configure:append() {
> > >     if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
> > >         sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> > >     fi
> > > }
> > >
> > > I don't want to hold things up but maybe it's worth discussing the suggested changes.
> > >
> > > From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> > > and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> > > The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> > > matches the pattern linux-firmware as well and therefore its contents get included when building
> > > linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> > > ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> > > I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> > > these included for linux-firmware.
> >
> > Why is the bbappend applying changes to all recipes where name starts with
> > "linux-"?
> >
> > It is aiming at Linux kernel recipes which by default in yocto are
> > called "linux-yocto", so the bbappend could simply be
> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend to catch the rt
> > and other variants too).
>
> Thanks.
>
> I am trying to enable IMA & EVM under OpenBMC. When I rename linux-%.bbappend to linux-yocto_%.bbappend
> then none of the IMA support becomes active under OpenBMC, so it doesn't help much for OpenBMC. If I rename it to
> linux-aspeed_%.bbappend then it works for OpenBMC but that's probably not the filename you would want to have in
> meta-security.
>
> So I guess the solution is to rename the file to linux-yocto%.bbappend anyway (I won't test it in this env) but
> then require that OpenBMC include the linux_ima.inc using a statement like this
>
> require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', '../../../../meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc', '', d)}
>
> in its own linux-aspeed_%.bbappend.
>
> Does this sound correct?

Yes, this sounds better. You can also document this in the layer for users
with different BSP layers and Linux kernel recipe names. Linking to the
OpenBMC example is a good idea too.

Cheers,

-Mikko
Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Wednesday, 10/05/2023 at 15:33:
>
> akuster808 <akuster808@gmail.com> wrote on Wednesday, 10/05/2023 at 15:25:
>
>> On 5/10/23 9:15 AM, Mikko Rapeli wrote:
>> > Hi,
>> >
>> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>> >>
>> >> On 5/10/23 07:44, Armin Kuster wrote:
>> >>>
>> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>> >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>> >>>>
>> >>>> The full patchset is overriding the do_configure task and also added a kernel patch
>> >>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
>> >>>> in every recipe that follows the pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
>> >>>> So the patch fails in some recipes and also do_configure task doesn't make sense.
>> >>>> This breaks many recipes like linux-firmware and maybe others.
>> >>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>> >>
>> >> My suggestion would be that I post a v2 of my fix patches containing:
>> >>
>> >> 1) removal of the Linux kernel patch
>> >> 2) removal of the squashfs option (less important)
>> >> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>> >>    but modified to look like this with '&& [ -f .config ]' appended:
>> >>
>> >> do_configure:append() {
>> >>     if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>> >>         sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>> >>     fi
>> >> }
>> >>
>> >> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>> >>
>> >> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> >> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> >> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> >> matches the pattern linux-firmware as well and therefore its contents get included when building
>> >> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> >> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> >> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> >> these included for linux-firmware.
>> >
>> > Why is the bbappend applying changes to all recipes where name starts with "linux-"?
>> >
>> > It is aiming at Linux kernel recipes which by default in yocto are
>> > called "linux-yocto", so the bbappend could simply be
>> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
>> > and other variants too).
>>
>> Well that one is on me. That change came in when I ported over the
>> meta-intel-iot-security layer.
>>
>
> Renaming the bbappend to linux-yocto%.bbappend will break all other linux
> kernels around that follow the pattern linux-%.bbappend.
>
> A better solution is needed here like the one pointed by Bruce
> https://lists.yoctoproject.org/g/yocto/message/59954
>
> I send the revert because currently the master is broken and the cause is
> IMA patchset.
> Maybe this patch can be dropped because it only bumps a version but the
> others should be dropped.
>

typo: this patch can be dropped but the others should be merged.

Jose

>
> Jose
>
>
>> 6680225 meta-integrity: port over from meta-intel-iot-security
>>
>> I will send a patch correcting that.
>>
>> Thanks for the reminder and pointing this out.
>>
>> BR,
>> Armin
>>
>> >
>> > I think it's a bad idea to try to apply this change automatically to all
>> > possible BSP layer kernels which may or may not have names starting with
>> > "linux-" and it's well known that there are a lot of recipe names which
>> > start with "linux-" which are not Linux kernels (linux-firmware,
>> > linux-libc-headers, linux-dummy etc).
>> >
>> > Cheers,
>> >
>> > -Mikko
>>
>
> --
> Best regards,
>
> José Quaresma
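The `do_configure:append` proposed in the quoted thread guards the `sed` with `[ -f .config ]` so that recipes matched by `linux-%.bbappend` that are not kernels (linux-firmware has no `.config`) are left untouched. The following is an added example, not code from the thread or from meta-security, that exercises that guard outside BitBake on a constructed tree: `set_trusted_keys`, `trusted_keys_value` and the sample paths are assumptions. It goes beyond the quoted snippet in one respect: when `.config` exists but has no `CONFIG_SYSTEM_TRUSTED_KEYS=` line at all, the plain `sed` substitution would silently do nothing, so the function appends the option instead.

```shell
#!/bin/sh
# Added example (not from the thread or meta-security): the DISTRO_FEATURES
# check is BitBake-side and cannot run here, so only the .config guard and
# the rewrite are modelled. Function names and sample values are assumptions.

# set_trusted_keys <build-dir> <cert-path>
# No .config (the linux-firmware case): return 0 and touch nothing.
# Otherwise set CONFIG_SYSTEM_TRUSTED_KEYS to <cert-path>, appending the
# option when the kernel config does not carry the line at all.
set_trusted_keys() {
    dir=$1
    cert=$2
    # The guard from the thread: non-kernel recipes have no .config.
    [ -f "$dir/.config" ] || return 0
    if grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS=' "$dir/.config"; then
        # Same substitution as the proposed do_configure:append, written
        # without sed -i so it behaves the same on every sed.
        tmp="$dir/.config.tmp"
        sed "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$cert\"|" \
            "$dir/.config" > "$tmp" && mv "$tmp" "$dir/.config"
    else
        printf 'CONFIG_SYSTEM_TRUSTED_KEYS="%s"\n' "$cert" >> "$dir/.config"
    fi
}

# trusted_keys_value <build-dir>: print the configured path, empty if unset.
trusted_keys_value() {
    sed -n 's|^CONFIG_SYSTEM_TRUSTED_KEYS="\(.*\)"$|\1|p' "$1/.config" 2>/dev/null
}

# Constructed sample: a kernel-style tree with a .config, and an empty tree
# standing in for linux-firmware. /path/to/ima-root-ca.pem is a placeholder.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/kernel" "$demo_dir/firmware"
printf '%s\n' 'CONFIG_IMA=y' 'CONFIG_SYSTEM_TRUSTED_KEYS=""' 'CONFIG_EVM=y' \
    > "$demo_dir/kernel/.config"

set_trusted_keys "$demo_dir/kernel" "/path/to/ima-root-ca.pem"
set_trusted_keys "$demo_dir/firmware" "/path/to/ima-root-ca.pem"   # no-op
echo "kernel:   $(trusted_keys_value "$demo_dir/kernel")"
echo "firmware: $(ls -A "$demo_dir/firmware" | wc -l) files"       # still 0
```

Running it shows the kernel tree ending up with `CONFIG_SYSTEM_TRUSTED_KEYS="/path/to/ima-root-ca.pem"` while the firmware directory stays empty, which is exactly what the `[ -f .config ]` guard buys: the bbappend can still be included by the over-broad `linux-%` match without breaking the build, although, as the thread also notes, it does not address `ima.scc` being added to that recipe's SRC_URI.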
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch deleted file mode 100644 index 3624576..0000000 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001 -From: Stefan Berger <stefanb@linux.ibm.com> -Date: Tue, 18 Apr 2023 11:43:55 -0400 -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true - -If a signatures is detected as being portable do not attempt to read the -generation with the ioctl since in some cases this may not be supported -by the filesystem and is also not needed for computing a portable -signature. - -This avoids the current work-around of passing --generation 0 when the -ioctl is not supported by the filesystem. - -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> ---- - src/evmctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/evmctl.c b/src/evmctl.c -index 6d2bb67..c35a28c 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) - if (mode_str) - st.st_mode = strtoul(mode_str, NULL, 10); - -- if (!evm_immutable) { -+ if (!evm_immutable && !evm_portable) { - if (S_ISREG(st.st_mode) && !generation_str) { - int fd = open(file, 0); - ---- -2.39.2 - - diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb similarity index 71% rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb index 8ac080c..873aeeb 100644 
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" - -SRC_URI = " \ - https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ - file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ -" -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d" +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" inherit pkgconfig autotools features_check
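Review bot: deleting 0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch is not covered by the commit message, which only cites the kernel patch in linux_ima.inc, the do_configure override and linux-%.bbappend matching linux-firmware; the deleted patch changes calc_evm_hash() in src/evmctl.c so the generation ioctl is skipped when evm_portable is set, which is what lets portable signatures be computed on filesystems without that ioctl instead of passing --generation 0, and none of that is part of the breakage described. Either state in the commit message why the evmctl fix has to go as well, or limit the revert to the linux_ima.inc and bbappend changes and keep ima-evm-utils 1.5 with this patch, which also matches the sender's own follow-up in the thread that this one patch of the series can be dropped while the others are merged.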
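Review bot: the recipe hunk moves ima-evm-utils_1.5.bb back to ima-evm-utils_1.4.bb, swapping SRC_URI from the github.com/mimizohar v${PV} release tarball to the sourceforge.net linux-ima tarball and replacing the sha256sum; since the message says this reverts 9de807705b27b05bbf84e9f16502fe6cdaa8928f, the restored URL and checksum must be byte-identical to that commit's parent, so please confirm the hunk was produced with git revert rather than retyped, because a checksum mismatch only shows up at do_fetch. Dropping FILESEXTRAPATHS:append is consistent with no file:// entry remaining in SRC_URI, and DEPENDS and the inherit line are untouched, so this is a plain version rollback and the commit message should say so instead of implying it fixes the linux-firmware breakage.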
This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.

The full patchset is overriding the do_configure task and also added a kernel patch
on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
in every recipe that follows the pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes and also do_configure task doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
 ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
 2 files changed, 2 insertions(+), 42 deletions(-)
 delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)