From patchwork Mon Jul 28 13:30:43 2025
X-Patchwork-Submitter: Kamel Bouhara
X-Patchwork-Id: 67557
From: Kamel Bouhara
To: openembedded-core@lists.openembedded.org
Cc: JPEWhacker@gmail.com, thomas.petazzoni@bootlin.com, Miquel Raynal, mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com, Kamel Bouhara
Subject: [PATCH v2 1/2] kernel.bbclass: Add task to export kernel configuration to SPDX
Date: Mon, 28 Jul 2025 15:30:43 +0200
Message-ID: <20250728133044.39757-2-kamel.bouhara@bootlin.com>
X-Mailer: git-send-email 2.47.2
In-Reply-To: <20250728133044.39757-1-kamel.bouhara@bootlin.com>
References: <20250728133044.39757-1-kamel.bouhara@bootlin.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221004

Introduce a new bitbake task do_create_kernel_config_spdx that extracts the kernel configuration from ${B}/.config and exports it into the recipe's SPDX document as a separate build_Build object.

The kernel config parameters are stored as SPDX DictionaryEntry objects and linked to the main kernel build using an ancestorOf relationship. This enables the kernel build's configuration to be explicitly captured in the SPDX document for compliance, auditing, and reproducibility.

The task is gated by SPDX_INCLUDE_KERNEL_CONFIG (default = "0").

Signed-off-by: Kamel Bouhara
---
v2:
- Disable exporting kernel config metadata by default
- Move kernel config SPDX logic from spdx30_tasks to kernel.bbclass
- Generate a separate build_Build for kernel config and relate via ancestorOf

 meta/classes-recipe/kernel.bbclass   | 62 ++++++++++++++++++++++++++++
 meta/classes/create-spdx-3.0.bbclass |  6 +++
 2 files changed, 68 insertions(+)

-- 
2.43.0

diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index eb03424dfc..2ba8903ace 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass
@@ -863,5 +863,67 @@ addtask deploy after do_populate_sysroot do_packagedata EXPORT_FUNCTIONS do_deploy +python __anonymous() { + if bb.data.inherits_class("create-spdx", d): + bb.build.addtask('do_create_kernel_config_spdx', 'do_populate_lic do_deploy', 'do_create_spdx', d) +} + +python do_create_kernel_config_spdx() { + if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) == "1": + import oe.spdx30 + import oe.spdx30_tasks + from pathlib import Path + from datetime import datetime, timezone + + pkg_arch = d.getVar("SSTATE_PKGARCH") + deploydir = Path(d.getVar("SPDXDEPLOY")) + pn = d.getVar("PN") + + config_path = d.expand("${B}/.config") + kernel_params = [] + if not os.path.exists(config_path): + bb.warn(f"SPDX: Kernel config file not found at: {config_path}") + return + + try: + with open(config_path, 'r') as f: + for line in f: + line = line.strip() + if not line or line.startswith("#"): + continue + if "=" in line: + key, value = line.split("=", 1) + kernel_params.append(oe.spdx30.DictionaryEntry( + key=key, + value=value.strip('"') + )) + bb.note(f"Parsed {len(kernel_params)} kernel config entries from {config_path}") + except Exception as e: + bb.error(f"Failed to parse kernel config file: {e}") + + build, build_objset = oe.sbom30.find_root_obj_in_jsonld( + d, "recipes", f"recipe-{pn}", oe.spdx30.build_Build + ) + + kernel_build = build_objset.add_root( + oe.spdx30.build_Build( + _id=build_objset.new_spdxid("kernel-config"), + creationInfo=build_objset.doc.creationInfo, + build_buildType="https://openembedded.org/kernel-configuration", + build_parameter=kernel_params + ) + ) + + oe.spdx30_tasks.set_timestamp_now(d, kernel_build, "build_buildStartTime") + + build_objset.new_relationship( + [build], + oe.spdx30.RelationshipType.ancestorOf, + [kernel_build] + ) + + oe.sbom30.write_jsonld_doc(d, build_objset, deploydir / pkg_arch / "recipes" / f"recipe-{pn}.spdx.json") +} + # Add using Device Tree support inherit kernel-devicetree 
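Review bot: In do_create_kernel_config_spdx the except branch logs with bb.error but does not return, so a parse failure still creates the kernel-config build_Build (with an empty or partial build_parameter list) and rewrites the recipe SPDX document; either return after the bb.error or let the exception propagate so the task fails visibly. Related: lines starting with "#" are skipped, so "# CONFIG_FOO is not set" entries are never recorded, while the SPDX_INCLUDE_KERNEL_CONFIG[doc] text added in this patch says each CONFIG_* value is included; either record those options as disabled or narrow the doc wording. Smaller points: the datetime/timezone import is unused, the positional True in d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) is unnecessary since expansion is the default, and this gate tests == "1" while 2/2 tests != "0" for SPDX_INCLUDE_PACKAGECONFIG; one convention for both would avoid surprises.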
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index c0a5436ad6..15c31ba9a3 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass 
@@ -50,6 +50,12 @@ SPDX_INCLUDE_TIMESTAMPS[doc] = "Include time stamps in SPDX output. This is \ useful if you want to know when artifacts were produced and when builds \ occurred, but will result in non-reproducible SPDX output" +SPDX_INCLUDE_KERNEL_CONFIG ??= "0" +SPDX_INCLUDE_KERNEL_CONFIG[doc] = "If set to '1', the .config file for the kernel will be parsed \ +and each CONFIG_* value will be included in the Build.build_parameter list as DictionaryEntry \ +items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \ +SPDX document size." + SPDX_IMPORTS ??= "" SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \ reference external SPDX ids. Each import is defined as a key in this \

From patchwork Mon Jul 28 13:30:44 2025
X-Patchwork-Submitter: Kamel Bouhara
X-Patchwork-Id: 67558
From: Kamel Bouhara
To: openembedded-core@lists.openembedded.org
Cc: JPEWhacker@gmail.com, thomas.petazzoni@bootlin.com, Miquel Raynal, mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com, Kamel Bouhara
Subject: [PATCH v2 2/2] spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX
Date: Mon, 28 Jul 2025 15:30:44 +0200
Message-ID: <20250728133044.39757-3-kamel.bouhara@bootlin.com>
X-Mailer: git-send-email 2.47.2
In-Reply-To: <20250728133044.39757-1-kamel.bouhara@bootlin.com>
References: <20250728133044.39757-1-kamel.bouhara@bootlin.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221005

Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes PACKAGECONFIG features to be recorded in the SPDX document as build parameters. Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG: and value enabled or disabled, depending on whether the feature is active in the current build.

This makes the build-time configuration more transparent in SPDX output and improves reproducibility tracking. In particular, it allows consumers of the SBOM to identify enabled/disabled features that may affect security posture or feature set.

Signed-off-by: Kamel Bouhara
---
 meta/classes/create-spdx-3.0.bbclass |  5 +++++
 meta/lib/oe/spdx30_tasks.py          | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 15c31ba9a3..6125e8b547 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -56,6 +56,11 @@ and each CONFIG_* value will be included in the Build.build_parameter list as Di items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \ SPDX document size." +SPDX_INCLUDE_PACKAGECONFIG ??= "0" +SPDX_INCLUDE_PACKAGECONFIG[doc] = "If set to '1', each PACKAGECONFIG feature is recorded in the \ +build_Build object's build_parameter list as a DictionaryEntry with key \ +'PACKAGECONFIG:' and value 'enabled' or 'disabled'" + SPDX_IMPORTS ??= "" SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \ reference external SPDX ids. Each import is defined as a key in this \ diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index c352dab152..d708715981 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -815,6 +815,26 @@ def create_spdx(d): sorted(list(build_inputs)) + sorted(list(debug_source_ids)), ) + if d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0": + packageconfig = (d.getVar("PACKAGECONFIG") or "").split() + all_features = (d.getVarFlags("PACKAGECONFIG") or {}).keys() + + if all_features: + enabled = set(packageconfig) + all_features_set = set(all_features) + disabled = all_features_set - enabled + + for feature in sorted(all_features): + status = "enabled" if feature in enabled else "disabled" + build.build_parameter.append( + oe.spdx30.DictionaryEntry( + key=f"PACKAGECONFIG:{feature}", + value=status + ) + ) + + bb.note(f"Added PACKAGECONFIG entries: {len(enabled)} enabled, {len(disabled)} disabled") + oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", deploydir)
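Review bot: d.getVarFlags("PACKAGECONFIG") returns every flag set on the variable, not only feature definitions, so any non-feature flag (for example a [doc] flag) would be emitted as 'PACKAGECONFIG:doc' = 'disabled'; the keys need filtering to real features before the loop. In the same block, a feature present in PACKAGECONFIG but without a flag definition is never recorded because the loop iterates all_features only, and when all_features is empty nothing is recorded even if PACKAGECONFIG lists enabled features; iterating the union of enabled and defined features would cover both. Minor: all_features_set and disabled exist only to feed the bb.note and could be dropped, the positional True in d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) is unnecessary, and the != "0" gate here differs from the == "1" gate used in 1/2 for SPDX_INCLUDE_KERNEL_CONFIG.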