Jose Quaresma via lists.yoctoproject.org <quaresma.jose= gmail....@lists.yoctoproject.org> escreveu no dia quarta, 10/05/2023 à(s) 15:33:
> > > akuster808 <akuster...@gmail.com> escreveu no dia quarta, 10/05/2023 à(s) > 15:25: > >> >> >> On 5/10/23 9:15 AM, Mikko Rapeli wrote: >> > Hi, >> > >> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote: >> >> >> >> On 5/10/23 07:44, Armin Kuster wrote: >> >>> >> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote: >> >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f. >> >>>> >> >>>> The full patchset are overriding the do_configure task and also >> added a kernel patch >> >>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file >> is included >> >>>> in every recipe that follows the pattern pattern starting by linux- >> (recipes-kernel/linux/linux-%.bbappend). >> >>>> So the patch fails in some recipes and also do_configure task >> doesn't make sense. >> >>>> This breaks many recipes like linux-firmware and maybe others. >> >>> I fail to see how this package update is part of the issue above. I >> am still trying to sort out the store here to figure out how we move >> forward. >> >> My suggestion would be that I post a v2 of my fix patches containing: >> >> >> >> 1) removal of the Linux kernel patch >> >> 2) removal of the squashfs option (less important) >> >> 3) the suggestion outlined here: >> https://lists.yoctoproject.org/g/yocto/message/59955 >> >> but modified to look like this with '&& [ -f .config ]' appended: >> >> >> >> do_configure:append() { >> >> if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', >> d)}" = "yes" ] && [ -f .config ] ; then >> >> sed -i >> "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" >> .config >> >> fi >> >> } >> >> >> >> I don't want to hold things up but maybe it's worth discussing the >> suggested changes. >> >> >> >> From what I can see 'bitbake linux-firmware' builds under OpenBMC now >> with these suggested changes >> >> and it did NOT build before. My suggestion would be to discuss the >> proposal under that thread there. >> >> The problems seem to be that the file >> meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend >> >> matches the pattern linux-firmware as well and therefore its contents >> get included when building >> >> linux-firmware. When building linux-firmware while having also >> DISTRO_FEATURES ima set in local.conf then the >> >> ima.scc is added to SRC_URI and the do_configure is also appended. The >> latter will not have side-effects but >> >> I don't know about the former nor how to create a better filter (other >> than DISTRO_FEATURES) for not having >> >> these included for linux-firmware. >> > Why is the bbappend applying changes to all recipes where name starts >> with >> > "linux-"? >> > >> > It is aiming at Linux kernel recipes which by default in yocto are >> > called "linux-yocto", so the bbappend could simply be >> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend to catch the rt >> > and other variants too). >> >> Well that one is on me. That change came in when I ported over the >> meta-intel-iot-security layer. >> > > Renaming the bbappend to linux-yocto%.bbappend will break all other linux > kernels around > that follow the pattern linux-%.bbappend. > > A better solution is needed here like the one pointed by Bruce > https://lists.yoctoproject.org/g/yocto/message/59954 > > I send the revert because currently the master is broken and the cause is > IMA patchset. > Maybe this patch can be dropped because it only bumps a version but the > others should be dropped. > typo: this patch can be dropped but the others should be merged. Jose > > Jose > > >> >> 6680225 meta-integrity: port over from meta-intel-iot-security >> >> I will send a patch correcting that. >> >> Thanks for the reminder and pointing this out. >> >> BR, >> Armin >> >> > >> > I think it's a bad idea to try to apply this change automatically to all >> > possible BSP layer kernels which may or may not have names starting with >> > "linux-" and it's well known that there are a lot of recipe names which >> > start with "linux-" which are not Linux kernels (linux-firmware, >> > linux-libc-headers, linux-dummy etc). >> > >> > Cheers, >> > >> > -Mikko >> >> > > -- > Best regards, > > José Quaresma > > > > -- Best regards, José Quaresma
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#59966): https://lists.yoctoproject.org/g/yocto/message/59966 Mute This Topic: https://lists.yoctoproject.org/mt/98790790/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
