Stefan Berger <stef...@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 19:19:

>
>
> On 5/9/23 14:11, Jose Quaresma wrote:
> > Hi Stefan,
> >
> > Stefan Berger <stef...@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 18:55:
> >
> >     This PR removes a kernel patch related to overlayfs and IMA appraisal file change
> >     notifications and a squashfs xattr kernel config option.
> >
> >         Stefan
> >
> >     Stefan Berger (2):
> >        linux: overlayfs: Drop kernel patch resolving a file change
> >          notification issue
> >        ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from
> ima.cfg
> >
> >       ...Increment-iversion-upon-file-changes.patch | 42
> -------------------
> >       .../recipes-kernel/linux/linux/ima.cfg        |  1 -
> >       .../recipes-kernel/linux/linux_ima.inc        |  1 -
> >
> > CONFIG_SYSTEM_TRUSTED_KEYS=
> > Unfortunately this is not enough because in the full patchset you are overriding the do_configure task
> > in meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included in every recipe that follows the
> > pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
>
> You are referring to this here?
>
> do_configure() {
>      sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> }
>
> You are saying that this deactivates some other do_configure's? If this
> is the case, what would be the right syntax to fix it?
>

Yes, this is the problem. The right fix IMHO is reverting, because we can't
assume that the .config is always there in the bitbake build directory; this
only happens when building the kernel.

Another no less significant side effect is that this change is also applied
to a wide range of recipes: any one whose name matches linux-*.bb.

So, in my opinion, the full patch set should be reverted, tested more
locally (for example by building some recipe that matches the pattern
linux-*.bb, and also other kernels), and then re-submitted.

Jose


>
> It's a no-op on a .config that does not contain the
> CONFIG_SYSTEM_TRUSTED_KEYS= option already.
>
>     Stefan
>
> >
> > This breaks many recipes like linux-firmware and maybe others.
> > The root cause of the issue is now on f4f7624d2e but because this patch is too invasive, maybe everything has to be reversed.
> > I am now building with the full patchset revert and so far the build is looking good.
>
>
> >
> > Jose
> >
> >       3 files changed, 44 deletions(-)
> >       delete mode 100644
> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >
> >     --
> >     2.34.1
> >
> >
> >
> > --
> > Best regards,
> >
> > José Quaresma
> >
> >
> > 
> >
>


-- 
Best regards,

José Quaresma
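
The following is an added example, not code from either poster or from meta-integrity: it wraps the sed substitution quoted in the thread in a guard that distinguishes the three cases discussed (option present, option absent, no .config at all) and reads the value back afterwards. The function names, return codes and sample paths are assumptions; in a BitBake layer such logic would normally be appended to the existing task (for instance with `do_configure:append`) rather than redefining `do_configure`.

```shell
#!/bin/sh
# Added illustration: function names and sample paths are hypothetical.

# set_trusted_keys CONFIG CA_PATH
#   0 = option rewritten
#   1 = file present but option absent (file left untouched)
#   2 = no config file (e.g. a non-kernel recipe such as linux-firmware)
set_trusted_keys() {
    cfg=$1
    ca=$2
    [ -f "$cfg" ] || return 2
    grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS=' "$cfg" || return 1
    # Same substitution as the sed quoted in the thread, with the file passed explicitly.
    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$ca\"|" "$cfg"
}

# trusted_keys_value CONFIG: print the configured value without its quotes,
# so a build step can confirm the CA path really landed in the config.
trusted_keys_value() {
    sed -n 's|^CONFIG_SYSTEM_TRUSTED_KEYS="\(.*\)"$|\1|p' "$1"
}

# Constructed sample inputs: a kernel-like config, one without the option,
# and a path that does not exist.
demo_dir=$(mktemp -d)
printf 'CONFIG_IMA=y\nCONFIG_SYSTEM_TRUSTED_KEYS=""\n' > "$demo_dir/kernel.config"
printf 'CONFIG_IMA=y\n' > "$demo_dir/no-option.config"

demo() {
    for f in kernel.config no-option.config missing.config; do
        rc=0
        set_trusted_keys "$demo_dir/$f" "/constructed/ima-local-ca.pem" || rc=$?
        val=$(trusted_keys_value "$demo_dir/$f" 2>/dev/null) || val=""
        echo "$f: rc=$rc value=$val"
    done
}
demo
```

A caller can treat return code 2 as "not a kernel build, skip" and return code 1 as a configuration error worth failing on, since a kernel built without the expected CA in `CONFIG_SYSTEM_TRUSTED_KEYS` will not trust the IMA signing keys.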