From patchwork Mon Dec 15 15:54:22 2025
X-Patchwork-Submitter: Kamel Bouhara
X-Patchwork-Id: 76547
X-Patchwork-Delegate: steve@sakoman.com
From: Kamel Bouhara
To: openembedded-core@lists.openembedded.org
Cc: JPEWhacker@gmail.com, thomas.petazzoni@bootlin.com, Miquel Raynal , mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com, Pascal Eberhard , "Kamel Bouhara (Schneider Electric)" , Richard Purdie
Subject: [scarthgap 1/3] kernel.bbclass: Add task to export kernel configuration to SPDX
Date: Mon, 15 Dec 2025 16:54:22 +0100
Message-ID: <20251215155424.237662-2-kamel.bouhara@bootlin.com>
In-Reply-To: <20251215155424.237662-1-kamel.bouhara@bootlin.com>
References: <20251215155424.237662-1-kamel.bouhara@bootlin.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227744

From: "Kamel Bouhara (Schneider Electric)"

Introduce a new bitbake task do_create_kernel_config_spdx that extracts the kernel configuration from ${B}/.config and exports it into the recipe's SPDX document as a separate build_Build object.

The kernel config parameters are stored as SPDX DictionaryEntry objects and linked to the main kernel build using an ancestorOf relationship.

This enables the kernel build's configuration to be explicitly captured in the SPDX document for compliance, auditing, and reproducibility.

The task is gated by SPDX_INCLUDE_KERNEL_CONFIG (default = "0").

Reviewed-by: Joshua Watt
Signed-off-by: Kamel Bouhara (Schneider Electric)
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 228a968e7c47d811c06143279bdb0f9c5f374bef)
---
 meta/classes-recipe/kernel.bbclass   | 64 ++++++++++++++++++++++++++++
 meta/classes/create-spdx-3.0.bbclass |  6 +++
 2 files changed, 70 insertions(+)
diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index 4c1cb89a46..d557e98d65 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass 
@@ -873,5 +873,69 @@ addtask deploy after do_populate_sysroot do_packagedata EXPORT_FUNCTIONS do_deploy +python __anonymous() { + inherits = (d.getVar("INHERIT") or "") + if "create-spdx" in inherits: + bb.build.addtask('do_create_kernel_config_spdx', 'do_populate_lic do_deploy', 'do_create_spdx', d) +} + +python do_create_kernel_config_spdx() { + if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) == "1": + import oe.spdx30 + import oe.spdx30_tasks + from pathlib import Path + from datetime import datetime, timezone + + pkg_arch = d.getVar("SSTATE_PKGARCH") + deploydir = Path(d.getVar("SPDXDEPLOY")) + pn = d.getVar("PN") + + config_path = d.expand("${B}/.config") + kernel_params = [] + if not os.path.exists(config_path): + bb.warn(f"SPDX: Kernel config file not found at: {config_path}") + return + + try: + with open(config_path, 'r') as f: + for line in f: + line = line.strip() + if not line or line.startswith("#"): + continue + if "=" in line: + key, value = line.split("=", 1) + kernel_params.append(oe.spdx30.DictionaryEntry( + key=key, + value=value.strip('"') + )) + bb.note(f"Parsed {len(kernel_params)} kernel config entries from {config_path}") + except Exception as e: + bb.error(f"Failed to parse kernel config file: {e}") + + build, build_objset = oe.sbom30.find_root_obj_in_jsonld( + d, "recipes", f"recipe-{pn}", oe.spdx30.build_Build + ) + + kernel_build = build_objset.add_root( + oe.spdx30.build_Build( + _id=build_objset.new_spdxid("kernel-config"), + creationInfo=build_objset.doc.creationInfo, + build_buildType="https://openembedded.org/kernel-configuration", + build_parameter=kernel_params + ) + ) + + oe.spdx30_tasks.set_timestamp_now(d, kernel_build, "build_buildStartTime") + + build_objset.new_relationship( + [build], + oe.spdx30.RelationshipType.ancestorOf, + [kernel_build] + ) + + oe.sbom30.write_jsonld_doc(d, build_objset, deploydir / pkg_arch / "recipes" / f"recipe-{pn}.spdx.json") +} +do_create_kernel_config_spdx[depends] = 
"virtual/kernel:do_configure" + # Add using Device Tree support inherit kernel-devicetree diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index c0a5436ad6..15c31ba9a3 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass 
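Review bot: the final write in do_create_kernel_config_spdx goes to ${SPDXDEPLOY}/${SSTATE_PKGARCH}/recipes/recipe-${PN}.spdx.json, the document do_create_spdx already produced, yet the new task declares no sstate inputs or outputs of its own, so please confirm how the amended document reaches DEPLOY_DIR_SPDX and the sstate cache: when do_create_spdx is later restored from sstate, the kernel-configuration build_Build object will not be in it. Folding the parsing into create_spdx(), the way the PACKAGECONFIG patch in this series does, avoids having a second writer of the same file. Also in this hunk: bb.build.addtask takes (task, before, after, d), so the call schedules the task before do_populate_lic and do_deploy and after do_create_spdx; holding do_populate_lic back until after the SPDX step looks unintended. The parser skips every line beginning with "#" and therefore drops the "# CONFIG_FOO is not set" form, so a consumer of the SBOM cannot tell an option that was explicitly disabled from one that does not exist in that kernel at all; record those with value "n", or state the omission in the SPDX_INCLUDE_KERNEL_CONFIG documentation. Minor: `"create-spdx" in inherits` is a substring test that also matches create-spdx-2.2, `d.getVar(..., True)` can drop the positional argument, and after bb.error in the except branch the task carries on and writes a document built from a partial parameter list.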
@@ -50,6 +50,12 @@ SPDX_INCLUDE_TIMESTAMPS[doc] = "Include time stamps in SPDX output. This is \ useful if you want to know when artifacts were produced and when builds \ occurred, but will result in non-reproducible SPDX output" +SPDX_INCLUDE_KERNEL_CONFIG ??= "0" +SPDX_INCLUDE_KERNEL_CONFIG[doc] = "If set to '1', the .config file for the kernel will be parsed \ +and each CONFIG_* value will be included in the Build.build_parameter list as DictionaryEntry \ +items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \ +SPDX document size." + SPDX_IMPORTS ??= "" SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \ reference external SPDX ids. Each import is defined as a key in this \

From patchwork Mon Dec 15 15:54:23 2025
X-Patchwork-Submitter: Kamel Bouhara
X-Patchwork-Id: 76548
X-Patchwork-Delegate: steve@sakoman.com
From: Kamel Bouhara
To: openembedded-core@lists.openembedded.org
Cc: JPEWhacker@gmail.com, thomas.petazzoni@bootlin.com, Miquel Raynal , mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com, Pascal Eberhard , "Kamel Bouhara (Schneider Electric)" , Richard Purdie
Subject: [scarthgap 2/3] spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX
Date: Mon, 15 Dec 2025 16:54:23 +0100
Message-ID: <20251215155424.237662-3-kamel.bouhara@bootlin.com>
In-Reply-To: <20251215155424.237662-1-kamel.bouhara@bootlin.com>
References: <20251215155424.237662-1-kamel.bouhara@bootlin.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227745
From: "Kamel Bouhara (Schneider Electric)"

Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes PACKAGECONFIG features to be recorded in the SPDX document as build parameters.

Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG: and value enabled or disabled, depending on whether the feature is active in the current build.

This makes the build-time configuration more transparent in SPDX output and improves reproducibility tracking. In particular, it allows consumers of the SBOM to identify enabled/disabled features that may affect security posture or feature set.

Reviewed-by: Joshua Watt
Signed-off-by: Kamel Bouhara (Schneider Electric)
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
---
 meta/classes/create-spdx-3.0.bbclass |  5 +++++
 meta/lib/oe/spdx30_tasks.py          | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 15c31ba9a3..6125e8b547 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -56,6 +56,11 @@ and each CONFIG_* value will be included in the Build.build_parameter list as Di items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \ SPDX document size." +SPDX_INCLUDE_PACKAGECONFIG ??= "0" +SPDX_INCLUDE_PACKAGECONFIG[doc] = "If set to '1', each PACKAGECONFIG feature is recorded in the \ +build_Build object's build_parameter list as a DictionaryEntry with key \ +'PACKAGECONFIG:' and value 'enabled' or 'disabled'" + SPDX_IMPORTS ??= "" SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \ reference external SPDX ids. Each import is defined as a key in this \
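Review bot: the doc string says the export happens "If set to '1'", but the implementation hunk in meta/lib/oe/spdx30_tasks.py tests `d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0"`, so any value other than "0" (an empty string included) turns it on, while the kernel-config task in patch 1/3 requires exactly "1". Pick one convention for both variables and make the documentation match it: either `== "1"` here, or document "any value other than '0'".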
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index e425958991..a3d848ceb1 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py 
@@ -809,6 +809,26 @@ def create_spdx(d): sorted(list(build_inputs)) + sorted(list(debug_source_ids)), ) + if d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0": + packageconfig = (d.getVar("PACKAGECONFIG") or "").split() + all_features = (d.getVarFlags("PACKAGECONFIG") or {}).keys() + + if all_features: + enabled = set(packageconfig) + all_features_set = set(all_features) + disabled = all_features_set - enabled + + for feature in sorted(all_features): + status = "enabled" if feature in enabled else "disabled" + build.build_parameter.append( + oe.spdx30.DictionaryEntry( + key=f"PACKAGECONFIG:{feature}", + value=status + ) + ) + + bb.note(f"Added PACKAGECONFIG entries: {len(enabled)} enabled, {len(disabled)} disabled") + oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", deploydir)

From patchwork Mon Dec 15 15:54:24 2025
X-Patchwork-Submitter: Kamel Bouhara
X-Patchwork-Id: 76546
X-Patchwork-Delegate: steve@sakoman.com
From: Kamel Bouhara
To: openembedded-core@lists.openembedded.org
Cc: JPEWhacker@gmail.com, thomas.petazzoni@bootlin.com, Miquel Raynal , mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com, Pascal Eberhard , "Kamel Bouhara (Schneider Electric)" , Richard Purdie
Subject: [scarthgap 3/3] oeqa/selftest: oe-selftest: Add SPDX tests for kernel config and PACKAGECONFIG
Date: Mon, 15 Dec 2025 16:54:24 +0100
Message-ID: <20251215155424.237662-4-kamel.bouhara@bootlin.com>
In-Reply-To: <20251215155424.237662-1-kamel.bouhara@bootlin.com>
References: <20251215155424.237662-1-kamel.bouhara@bootlin.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227746
From: "Kamel Bouhara (Schneider Electric)"

Add test_kernel_config_spdx and test_packageconfig_spdx to verify SPDX document generation includes kernel configuration and package feature metadata when enabled.

Signed-off-by: Kamel Bouhara (Schneider Electric)
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 2f0ab110d7521510c60e0493ef3cb021130758cd)
Signed-off-by: Kamel Bouhara
---
 meta/lib/oeqa/selftest/cases/spdx.py | 57 ++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/meta/lib/oeqa/selftest/cases/spdx.py b/meta/lib/oeqa/selftest/cases/spdx.py index 8cd4e83ca2..035f3fe336 100644 --- a/meta/lib/oeqa/selftest/cases/spdx.py +++ b/meta/lib/oeqa/selftest/cases/spdx.py
@@ -286,3 +286,60 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase): break else: self.assertTrue(False, "Unable to find imported Host SpdxID") + + def test_kernel_config_spdx(self): + kernel_recipe = get_bb_var("PREFERRED_PROVIDER_virtual/kernel") + spdx_file = f"recipe-{kernel_recipe}.spdx.json" + spdx_path = f"{{DEPLOY_DIR_SPDX}}/{{SSTATE_PKGARCH}}/recipes/{spdx_file}" + + # Make sure kernel is configured first + bitbake(f"-c configure {kernel_recipe}") + + objset = self.check_recipe_spdx( + kernel_recipe, + spdx_path, + task="do_create_kernel_config_spdx", + extraconf="""\ + INHERIT += "create-spdx" + SPDX_INCLUDE_KERNEL_CONFIG = "1" + """, + ) + + # Check that at least one CONFIG_* entry exists + found_kernel_config = False + for build_obj in objset.foreach_type(oe.spdx30.build_Build): + if getattr(build_obj, "build_buildType", "") == "https://openembedded.org/kernel-configuration": + found_kernel_config = True + self.assertTrue( + len(getattr(build_obj, "build_parameter", [])) > 0, + "Kernel configuration build_Build has no CONFIG_* entries" + ) + break + + self.assertTrue(found_kernel_config, "Kernel configuration build_Build not found in SPDX output") + + def test_packageconfig_spdx(self): + objset = self.check_recipe_spdx( + "tar", + "{DEPLOY_DIR_SPDX}/{SSTATE_PKGARCH}/recipes/recipe-tar.spdx.json", + extraconf="""\ + SPDX_INCLUDE_PACKAGECONFIG = "1" + """, + ) + + found_entries = [] + for build_obj in objset.foreach_type(oe.spdx30.build_Build): + for param in getattr(build_obj, "build_parameter", []): + if param.key.startswith("PACKAGECONFIG:"): + found_entries.append((param.key, param.value)) + + self.assertTrue( + found_entries, + "No PACKAGECONFIG entries found in SPDX output for 'tar'" + ) + + for key, value in found_entries: + self.assertIn( + value, ["enabled", "disabled"], + f"Unexpected PACKAGECONFIG value '{value}' for {key}" + )
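Review bot: both new tests check that entries exist and, for tar, that the values are "enabled" or "disabled", but neither checks the keys. The failure message in test_kernel_config_spdx speaks of CONFIG_* entries while the assertion only requires len(build_parameter) > 0; add something like `self.assertTrue(all(p.key.startswith("CONFIG_") for p in build_obj.build_parameter))`. test_packageconfig_spdx would be stronger if it compared the set of reported features with the PACKAGECONFIG flags of tar (get_bb_var or bitbake -e can supply them), because the implementation in patch 2/3 builds its feature list from d.getVarFlags("PACKAGECONFIG") and would report any non-feature flag on that variable as a disabled feature; the current assertions would not notice that.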
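Closing the series with an added example of my own, not code from these patches or from OE-Core: a small consumer for the documents the series produces. It parses a kernel .config the way an auditor wants it, keeping `# CONFIG_FOO is not set` lines as value "n", reads the kernel-configuration build_Build and the PACKAGECONFIG entries back out of a recipe SPDX document, and checks the result against a hardening policy. The JSON-LD shape (an "@graph" list of objects carrying "type", "build_buildType" and "build_parameter" key/value entries) is my assumption about what oe.spdx30 serialises; the sample .config, the sample document and the policy are constructed, and the buildType given for the recipe build object is a placeholder.

```python
# Added example, not part of the patch series or OE-Core. Assumed: the JSON-LD
# written by create-spdx-3.0 is a dict whose "@graph" lists objects with "type",
# "build_buildType" and "build_parameter" [{"key": ..., "value": ...}].
import re

KERNEL_CONFIG_TYPE = "https://openembedded.org/kernel-configuration"

# Kconfig writes explicitly disabled options as "# CONFIG_FOO is not set".
_NOT_SET = re.compile(r"^#\s*(CONFIG_\w+) is not set$")


def parse_kernel_config(text):
    """Return {CONFIG_NAME: value} for a kernel .config.

    Disabled options are kept with value "n" rather than skipped with the
    other '#' lines, so "disabled" and "absent from this kernel" differ."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _NOT_SET.match(line)
        if m:
            params[m.group(1)] = "n"
            continue
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip().strip('"')
    return params


def _build_objects(doc):
    for obj in doc.get("@graph", []):
        if obj.get("type") == "build_Build":
            yield obj


def kernel_config_from_spdx(doc):
    """{CONFIG_NAME: value} from the kernel-configuration build_Build object(s)."""
    params = {}
    for obj in _build_objects(doc):
        if obj.get("build_buildType") != KERNEL_CONFIG_TYPE:
            continue
        for entry in obj.get("build_parameter", []):
            params[entry["key"]] = entry.get("value", "")
    return params


def packageconfig_from_spdx(doc):
    """{feature: "enabled"|"disabled"} from PACKAGECONFIG:<feature> entries."""
    prefix = "PACKAGECONFIG:"
    features = {}
    for obj in _build_objects(doc):
        for entry in obj.get("build_parameter", []):
            if entry["key"].startswith(prefix):
                features[entry["key"][len(prefix):]] = entry.get("value", "")
    return features


def audit_kernel_config(params, policy):
    """Sorted (name, expected, actual) for every policy option that does not
    match; an option missing from params shows up with actual None."""
    return [(name, expected, params.get(name))
            for name, expected in sorted(policy.items())
            if params.get(name) != expected]


# Constructed sample inputs.
SAMPLE_DOT_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_LOCALVERSION=""
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_DEVMEM is not set
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
"""

# What an exporter that skips every '#' line would emit for the same .config:
# CONFIG_DEVMEM does not appear at all.
SAMPLE_SPDX = {
    "@graph": [
        {"type": "build_Build", "spdxId": "urn:example:recipe-linux",
         "build_buildType": "urn:example:recipe-build",  # placeholder value
         "build_parameter": [
             {"type": "DictionaryEntry", "key": "PACKAGECONFIG:selinux", "value": "disabled"}]},
        {"type": "build_Build", "spdxId": "urn:example:kernel-config",
         "build_buildType": KERNEL_CONFIG_TYPE,
         "build_parameter": [
             {"type": "DictionaryEntry", "key": "CONFIG_STACKPROTECTOR_STRONG", "value": "y"},
             {"type": "DictionaryEntry", "key": "CONFIG_MODULE_SIG", "value": "y"}]},
    ]
}

# Constructed hardening policy an auditor might enforce.
HARDENING_POLICY = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_MODULE_SIG": "y",
    "CONFIG_DEVMEM": "n",
}

if __name__ == "__main__":
    print(audit_kernel_config(parse_kernel_config(SAMPLE_DOT_CONFIG), HARDENING_POLICY))
    print(audit_kernel_config(kernel_config_from_spdx(SAMPLE_SPDX), HARDENING_POLICY))
    print(packageconfig_from_spdx(SAMPLE_SPDX))
```

Running it on the constructed inputs shows the point about disabled options: the audit of the .config passes, while the audit of the SPDX document built from the same .config reports CONFIG_DEVMEM as missing, because the "is not set" line was never recorded and the consumer cannot tell disabled from absent.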