On 5/10/23 07:44, Armin Kuster wrote:


On 5/9/23 2:56 PM, Jose Quaresma wrote:
This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.

The full patchset is overriding the do_configure task and also added a kernel patch
on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux-
(recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task also doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

I fail to see how this package update is part of the issue above. I am still
trying to sort out the store here to figure out how we move forward.

My suggestion would be that I post a v2 of my fix patches containing:

1) removal of the Linux kernel patch
2) removal of the squashfs option (less important)
3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
   but modified to look like this with '&& [ -f .config ]' appended:

 do_configure:append() {
     # Only touch .config when IMA is a distro feature and a kernel .config exists
     if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
         sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
     fi
 }

I don't want to hold things up but maybe it's worth discussing the suggested changes.

From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these
suggested changes, and it did NOT build before. My suggestion would be to discuss
the proposal under that thread there.

The problem seems to be that the file
meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
matches linux-firmware as well, and therefore its contents get included when
building linux-firmware. When building linux-firmware while also having
DISTRO_FEATURES ima set in local.conf, ima.scc is added to SRC_URI and
do_configure is also appended. The latter will not have side-effects, but I
don't know about the former, nor how to create a better filter (other than
DISTRO_FEATURES) for not having these included for linux-firmware.

  Stefan
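One way to filter the bbappend on the recipe type rather than on the file-name wildcard, as an added example that is not meta-security's code and not from anyone in this thread: gate both the SRC_URI addition and the .config edit on the recipe inheriting oe-core's kernel.bbclass, which linux-firmware does not. The names ima.scc and IMA_EVM_ROOT_CA are the ones used in the thread; the function name ima_set_trusted_keys is made up for the example, and it assumes do_configure leaves its .config in ${B} and that FILESEXTRAPATHS already points at the directory holding ima.scc.

```bitbake
# Added example, not meta-security's own code: contents for
# recipes-kernel/linux/linux-%.bbappend that only take effect in recipes
# which inherit kernel.bbclass. The wildcard also matches linux-firmware,
# which does not inherit it, so linux-firmware is left untouched.
# ima_set_trusted_keys is an illustrative name; ima.scc and IMA_EVM_ROOT_CA
# are the names used in the thread. FILESEXTRAPATHS is assumed to already
# cover the directory that holds ima.scc.

python __anonymous() {
    # Not a kernel recipe (e.g. linux-firmware): add nothing at all.
    if not bb.data.inherits_class('kernel', d):
        return
    # IMA not enabled for this distro: add nothing either.
    if not bb.utils.contains('DISTRO_FEATURES', 'ima', True, False, d):
        return
    # Kernel recipe with IMA enabled: pull in the config fragment and hook
    # the trusted-keys fix-up to run right after do_configure.
    d.appendVar('SRC_URI', ' file://ima.scc')
    d.appendVarFlag('do_configure', 'postfuncs', ' ima_set_trusted_keys')
}

ima_set_trusted_keys() {
    # Point CONFIG_SYSTEM_TRUSTED_KEYS at the IMA/EVM root CA. Skip quietly
    # if do_configure did not produce a .config (assumed to live in ${B}).
    [ -f "${B}/.config" ] || return 0
    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" "${B}/.config"
}
```

To check the filter, `bitbake -e linux-firmware | grep '^SRC_URI='` should show no ima.scc even with ima in DISTRO_FEATURES, while the same command on a kernel recipe shows the fragment and a `do_configure[postfuncs]` flag naming ima_set_trusted_keys.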


- armin

Signed-off-by: Jose Quaresma <jose.quare...@foundries.io>
---
  ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
  ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
  2 files changed, 2 insertions(+), 42 deletions(-)
  delete mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
  rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => 
ima-evm-utils_1.4.bb} (71%)

diff --git 
a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
deleted file mode 100644
index 3624576..0000000
--- 
a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stef...@linux.ibm.com>
-Date: Tue, 18 Apr 2023 11:43:55 -0400
-Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
-
-If a signatures is detected as being portable do not attempt to read the
-generation with the ioctl since in some cases this may not be supported
-by the filesystem and is also not needed for computing a portable
-signature.
-
-This avoids the current work-around of passing --generation 0 when the
-ioctl is not supported by the filesystem.
-
-Signed-off-by: Stefan Berger <stef...@linux.ibm.com>
----
- src/evmctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 6d2bb67..c35a28c 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char 
*hash)
-     if (mode_str)
-         st.st_mode = strtoul(mode_str, NULL, 10);
-
--    if (!evm_immutable) {
-+    if (!evm_immutable && !evm_portable) {
-         if (S_ISREG(st.st_mode) && !generation_str) {
-             int fd = open(file, 0);
-
----
-2.39.2
-
-
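Review bot: the revert message above only talks about the do_configure override and the kernel patch in linux_ima.inc, but this hunk also drops the evmctl change that skips the generation ioctl when evm_portable is set. Dropping it brings back the "--generation 0" work-around the deleted patch describes for filesystems that do not support the ioctl, which is unrelated to the linux-firmware breakage. Either justify the ima-evm-utils part in the commit message or split the ima-evm-utils downgrade into its own commit so the kernel-side fix can be reverted on its own.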
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb 
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
similarity index 71%
rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
index 8ac080c..873aeeb 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
@@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils"
  DEPENDS:class-native += "openssl-native keyutils-native"
-FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
-
-SRC_URI = " \
-    
https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz
 \
-    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
-"
-SRC_URI[sha256sum] = 
"45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
+SRC_URI = 
"https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz";
+SRC_URI[sha256sum] = 
"fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
  inherit pkgconfig autotools features_check
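Review bot: the added SRC_URI line ends in `";` after the closing quote; if that semicolon is really in the recipe, BitBake will not accept the assignment, so confirm it is a mail-archive artifact before applying. Separately, this hunk is a version downgrade (the rename from ima-evm-utils_1.5.bb to ima-evm-utils_1.4.bb) that also moves the upstream tarball from the GitHub release URL to the SourceForge linux-ima project and replaces the sha256sum in one step; the commit message should state the downgrade and that the new checksum was taken from the 1.4 tarball at the new location. Removing FILESEXTRAPATHS:append is consistent, since the only file:// entry goes away with it.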







