* [PATCH] classes/kernel: add QA to check required or forbidden kernel configs
@ 2025-03-06 15:03 Louis Rannou
  2025-03-06 15:36 ` [OE-core] " Bruce Ashfield
  0 siblings, 1 reply; 6+ messages in thread
From: Louis Rannou @ 2025-03-06 15:03 UTC (permalink / raw)
  To: openembedded-core; +Cc: pascal.eberhard, bruce.ashfield, Louis Rannou

From: Louis Rannou <louis.rannou@non.se.com>

Add a QARECIPETEST kernel-config to the kernel to check the kernel config has
set (or unset) config listed in variables QA_KERNEL_CONFIGS_REQUIRED (or
QA_KERNEL_CONFIGS_FORBIDDEN).

Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
---
 meta/classes-recipe/kernel.bbclass | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass
index 64a685a964dab942db05b8d9e08cc22a3bbb152e..4a82b84d479667bf4a6e64ad3e99d934c6868b98 100644
--- a/meta/classes-recipe/kernel.bbclass
+++ b/meta/classes-recipe/kernel.bbclass
@@ -867,3 +867,41 @@ EXPORT_FUNCTIONS do_deploy
 
 # Add using Device Tree support
 inherit kernel-devicetree
+
+
+# Add QA test to check some required/forbidden kernel configs are set or not.
+QA_KERNEL_CONFIGS_REQUIRED ??= ""
+QA_KERNEL_CONFIGS_FORBIDDEN ??= ""
+
+WARN_QA:append = " kernel-config"
+
+QARECIPETEST[kernel-config] = "package_qa_check_kernel_config"
+def package_qa_check_kernel_config(pn, d):
+    from pathlib import Path
+    import re
+
+    config_path = Path(d.getVar("B"), ".config")
+    if not config_path.exists():
+        oe.qa.handle_error("kernel-config",
+                           "Kernel configs have not been checked "\
+                           "as the kernel .config is not found: "\
+                           "%s." % config_path)
+        return
+
+    config_list = {}
+    with config_path.open('r') as f_config:
+        for line in f_config.read().splitlines():
+            configset = re.match(r'# (\w+) is not set|(\w+)=([ymn])', line)
+            if configset is not None:
+                if configset.group(1) is not None:
+                    config_list[configset.group(1)] = "n"
+                else:
+                    config_list[configset.group(2)] = configset.group(3)
+
+    for conf in d.getVar("QA_KERNEL_CONFIGS_REQUIRED").split():
+        if conf not in config_list or config_list[conf] == "n":
+            oe.qa.handle_error("kernel-config", "Kernel config is required: %s" % conf, d)
+
+    for conf in d.getVar("QA_KERNEL_CONFIGS_FORBIDDEN").split():
+        if conf in config_list and config_list[conf] in "ym":
+            oe.qa.handle_error("kernel-config", "Kernel config is forbidden: %s" % conf, d)
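Review bot: In the branch that handles a missing .config, the `oe.qa.handle_error("kernel-config", ...)` call passes only the error class and the message, while the two calls at the end of the function also pass `d`. The datastore should be passed here as well, otherwise this path fails on the call itself instead of reporting the QA issue. Separately, the comment above `QA_KERNEL_CONFIGS_REQUIRED` and `QA_KERNEL_CONFIGS_FORBIDDEN` should say that entries must be spelled exactly as they appear in .config (the parser stores the full `\w+` name, `CONFIG_` prefix included), and the `(\w+)=([ymn])` alternative could end with `$` so that only tristate values are recorded.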

---
base-commit: b72823fc09674f78ad452250f453f6e47d9444de
change-id: 20250306-qa_kernel-061a37e316c4

Best regards,
-- 
Louis Rannou <louis.rannou@syslinbit.com>




* Re: [OE-core] [PATCH] classes/kernel: add QA to check required or forbidden kernel configs
  2025-03-06 15:03 [PATCH] classes/kernel: add QA to check required or forbidden kernel configs Louis Rannou
@ 2025-03-06 15:36 ` Bruce Ashfield
  2025-03-07  7:45   ` Louis Rannou
  0 siblings, 1 reply; 6+ messages in thread
From: Bruce Ashfield @ 2025-03-06 15:36 UTC (permalink / raw)
  To: louis.rannou; +Cc: openembedded-core, pascal.eberhard, Louis Rannou


On Thu, Mar 6, 2025 at 10:04 AM Louis Rannou via lists.openembedded.org
<louis.rannou=syslinbit.com@lists.openembedded.org> wrote:

> From: Louis Rannou <louis.rannou@non.se.com>
>
> Add a QARECIPETEST kernel-config to the kernel to check the kernel config
> has
> set (or unset) config listed in variables QA_KERNEL_CONFIGS_REQUIRED (or
> QA_KERNEL_CONFIGS_FORBIDDEN).
>
>
We already have audit tools that can do this, the approach of opening
the .config, iterating and then hard binding ourselves to the very specific
kernel configuration names has been considered and rejected many
times.

What exactly isn't working with the already supported mechanism ?

Bruce



> Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
> ---
>  meta/classes-recipe/kernel.bbclass | 38
> ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 38 insertions(+)
>
> diff --git a/meta/classes-recipe/kernel.bbclass
> b/meta/classes-recipe/kernel.bbclass
> index
> 64a685a964dab942db05b8d9e08cc22a3bbb152e..4a82b84d479667bf4a6e64ad3e99d934c6868b98
> 100644
> --- a/meta/classes-recipe/kernel.bbclass
> +++ b/meta/classes-recipe/kernel.bbclass
> @@ -867,3 +867,41 @@ EXPORT_FUNCTIONS do_deploy
>
>  # Add using Device Tree support
>  inherit kernel-devicetree
> +
> +
> +# Add QA test to check some required/forbidden kernel configs are set or
> not.
> +QA_KERNEL_CONFIGS_REQUIRED ??= ""
> +QA_KERNEL_CONFIGS_FORBIDDEN ??= ""
> +
> +WARN_QA:append = " kernel-config"
> +
> +QARECIPETEST[kernel-config] = "package_qa_check_kernel_config"
> +def package_qa_check_kernel_config(pn, d):
> +    from pathlib import Path
> +    import re
> +
> +    config_path = Path(d.getVar("B"), ".config")
> +    if not config_path.exists():
> +        oe.qa.handle_error("kernel-config",
> +                           "Kernel configs have not been checked "\
> +                           "as the kernel .config is not found: "\
> +                           "%s." % config_path)
> +        return
> +
> +    config_list = {}
> +    with config_path.open('r') as f_config:
> +        for line in f_config.read().splitlines():
> +            configset = re.match(r'# (\w+) is not set|(\w+)=([ymn])',
> line)
> +            if configset is not None:
> +                if configset.group(1) is not None:
> +                    config_list[configset.group(1)] = "n"
> +                else:
> +                    config_list[configset.group(2)] = configset.group(3)
> +
> +    for conf in d.getVar("QA_KERNEL_CONFIGS_REQUIRED").split():
> +        if conf not in config_list or config_list[conf] == "n":
> +            oe.qa.handle_error("kernel-config", "Kernel config is
> required: %s" % conf, d)
> +
> +    for conf in d.getVar("QA_KERNEL_CONFIGS_FORBIDDEN").split():
> +        if conf in config_list and config_list[conf] in "ym":
> +            oe.qa.handle_error("kernel-config", "Kernel config is
> forbidden: %s" % conf, d)
>
> ---
> base-commit: b72823fc09674f78ad452250f453f6e47d9444de
> change-id: 20250306-qa_kernel-061a37e316c4
>
> Best regards,
> --
> Louis Rannou <louis.rannou@syslinbit.com>
>
>
>
>

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II


* Re: [OE-core] [PATCH] classes/kernel: add QA to check required or forbidden kernel configs
  2025-03-06 15:36 ` [OE-core] " Bruce Ashfield
@ 2025-03-07  7:45   ` Louis Rannou
  2025-03-07 13:54     ` Bruce Ashfield
  0 siblings, 1 reply; 6+ messages in thread
From: Louis Rannou @ 2025-03-07  7:45 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: openembedded-core, pascal.eberhard, Louis Rannou



On 06/03/2025 16:36, Bruce Ashfield wrote:
> 
> 
> On Thu, Mar 6, 2025 at 10:04 AM Louis Rannou via lists.openembedded.org 
> <http://lists.openembedded.org> 
> <louis.rannou=syslinbit.com@lists.openembedded.org 
> <mailto:syslinbit.com@lists.openembedded.org>> wrote:
> 
>     From: Louis Rannou <louis.rannou@non.se.com
>     <mailto:louis.rannou@non.se.com>>
> 
>     Add a QARECIPETEST kernel-config to the kernel to check the kernel
>     config has
>     set (or unset) config listed in variables QA_KERNEL_CONFIGS_REQUIRED (or
>     QA_KERNEL_CONFIGS_FORBIDDEN).
> 
> 
> We already have audit tools that can do this, the approach of opening
> the .config, iterating and then hard binding ourselves to the very specific
> kernel configuration names has been considered and rejected many
> times.
> 
> What exactly isn't working with the already supported mechanism ?

My ignorance I suppose. I didn't know about the audit phase and 
kernel-cache. I guess I have to read the doc...

Louis

> 
> Bruce
> 
> 
> -- 
> - Thou shalt not follow the NULL pointer, for chaos and madness await 
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
> 




* Re: [OE-core] [PATCH] classes/kernel: add QA to check required or forbidden kernel configs
  2025-03-07  7:45   ` Louis Rannou
@ 2025-03-07 13:54     ` Bruce Ashfield
  2025-03-10 16:38       ` Louis Rannou
  0 siblings, 1 reply; 6+ messages in thread
From: Bruce Ashfield @ 2025-03-07 13:54 UTC (permalink / raw)
  To: Louis Rannou; +Cc: openembedded-core, pascal.eberhard, Louis Rannou


On Fri, Mar 7, 2025 at 2:45 AM Louis Rannou <louis.rannou@syslinbit.com>
wrote:

>
>
> On 06/03/2025 16:36, Bruce Ashfield wrote:
> >
> >
> > On Thu, Mar 6, 2025 at 10:04 AM Louis Rannou via lists.openembedded.org
> > <http://lists.openembedded.org>
> > <louis.rannou=syslinbit.com@lists.openembedded.org
> > <mailto:syslinbit.com@lists.openembedded.org>> wrote:
> >
> >     From: Louis Rannou <louis.rannou@non.se.com
> >     <mailto:louis.rannou@non.se.com>>
> >
> >     Add a QARECIPETEST kernel-config to the kernel to check the kernel
> >     config has
> >     set (or unset) config listed in variables QA_KERNEL_CONFIGS_REQUIRED
> (or
> >     QA_KERNEL_CONFIGS_FORBIDDEN).
> >
> >
> > We already have audit tools that can do this, the approach of opening
> > the .config, iterating and then hard binding ourselves to the very
> specific
> > kernel configuration names has been considered and rejected many
> > times.
> >
> > What exactly isn't working with the already supported mechanism ?
>
> My ignorance I suppose. I didn't know about the audit phase and
> kernel-cache. I guess I have to read the doc...
>

If it doesn't work for your use case, or is otherwise causing issues, let
me know and I'll make changes as required.

I've taken a note to pull together a short presentation on this, as more
documentation/examples can only be a good thing.

Cheers,

Bruce



>
> Louis
>
> >
> > Bruce
> >
>
>

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II


* Re: [OE-core] [PATCH] classes/kernel: add QA to check required or forbidden kernel configs
  2025-03-07 13:54     ` Bruce Ashfield
@ 2025-03-10 16:38       ` Louis Rannou
  2025-03-10 18:09         ` Bruce Ashfield
  0 siblings, 1 reply; 6+ messages in thread
From: Louis Rannou @ 2025-03-10 16:38 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: openembedded-core, pascal.eberhard, Louis Rannou



On 07/03/2025 14:54, Bruce Ashfield wrote:
> 
> 
> On Fri, Mar 7, 2025 at 2:45 AM Louis Rannou <louis.rannou@syslinbit.com 
> <mailto:louis.rannou@syslinbit.com>> wrote:
> 
> 
> 
>     On 06/03/2025 16:36, Bruce Ashfield wrote:
>      >
>      >
>      > On Thu, Mar 6, 2025 at 10:04 AM Louis Rannou via
>     lists.openembedded.org <http://lists.openembedded.org>
>      > <http://lists.openembedded.org <http://lists.openembedded.org>>
>      > <louis.rannou=syslinbit.com@lists.openembedded.org
>     <mailto:syslinbit.com@lists.openembedded.org>
>      > <mailto:syslinbit.com@lists.openembedded.org
>     <mailto:syslinbit.com@lists.openembedded.org>>> wrote:
>      >
>      >     From: Louis Rannou <louis.rannou@non.se.com
>     <mailto:louis.rannou@non.se.com>
>      >     <mailto:louis.rannou@non.se.com
>     <mailto:louis.rannou@non.se.com>>>
>      >
>      >     Add a QARECIPETEST kernel-config to the kernel to check the
>     kernel
>      >     config has
>      >     set (or unset) config listed in variables
>     QA_KERNEL_CONFIGS_REQUIRED (or
>      >     QA_KERNEL_CONFIGS_FORBIDDEN).
>      >
>      >
>      > We already have audit tools that can do this, the approach of opening
>      > the .config, iterating and then hard binding ourselves to the
>     very specific
>      > kernel configuration names has been considered and rejected many
>      > times.
>      >
>      > What exactly isn't working with the already supported mechanism ?
> 
>     My ignorance I suppose. I didn't know about the audit phase and
>     kernel-cache. I guess I have to read the doc...
> 
> 
> If it doesn't work for your use case, or is otherwise causing issues, let
> me know and I'll make changes as required.

Thanks, the main issue for us is that it does not handle in-tree kernel 
configs such as hardening.config

https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/configs/hardening.config

Louis

> 
> I've taken a note to pull together a short presentation on this, as more
> documentation/examples can only be a good thing.
> 
> Cheers,
> 
> Bruce
> 
> 
>     Louis
> 
>      >
>      > Bruce
>      >
> 
> 
> 
> -- 
> - Thou shalt not follow the NULL pointer, for chaos and madness await 
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
> 




* Re: [OE-core] [PATCH] classes/kernel: add QA to check required or forbidden kernel configs
  2025-03-10 16:38       ` Louis Rannou
@ 2025-03-10 18:09         ` Bruce Ashfield
  0 siblings, 0 replies; 6+ messages in thread
From: Bruce Ashfield @ 2025-03-10 18:09 UTC (permalink / raw)
  To: Louis Rannou; +Cc: openembedded-core, pascal.eberhard, Louis Rannou


On Mon, Mar 10, 2025 at 12:38 PM Louis Rannou <louis.rannou@syslinbit.com>
wrote:

>
>
> On 07/03/2025 14:54, Bruce Ashfield wrote:
> >
> >
> > On Fri, Mar 7, 2025 at 2:45 AM Louis Rannou <louis.rannou@syslinbit.com
> > <mailto:louis.rannou@syslinbit.com>> wrote:
> >
> >
> >
> >     On 06/03/2025 16:36, Bruce Ashfield wrote:
> >      >
> >      >
> >      > On Thu, Mar 6, 2025 at 10:04 AM Louis Rannou via
> >     lists.openembedded.org <http://lists.openembedded.org>
> >      > <http://lists.openembedded.org <http://lists.openembedded.org>>
> >      > <louis.rannou=syslinbit.com@lists.openembedded.org
> >     <mailto:syslinbit.com@lists.openembedded.org>
> >      > <mailto:syslinbit.com@lists.openembedded.org
> >     <mailto:syslinbit.com@lists.openembedded.org>>> wrote:
> >      >
> >      >     From: Louis Rannou <louis.rannou@non.se.com
> >     <mailto:louis.rannou@non.se.com>
> >      >     <mailto:louis.rannou@non.se.com
> >     <mailto:louis.rannou@non.se.com>>>
> >      >
> >      >     Add a QARECIPETEST kernel-config to the kernel to check the
> >     kernel
> >      >     config has
> >      >     set (or unset) config listed in variables
> >     QA_KERNEL_CONFIGS_REQUIRED (or
> >      >     QA_KERNEL_CONFIGS_FORBIDDEN).
> >      >
> >      >
> >      > We already have audit tools that can do this, the approach of
> opening
> >      > the .config, iterating and then hard binding ourselves to the
> >     very specific
> >      > kernel configuration names has been considered and rejected many
> >      > times.
> >      >
> >      > What exactly isn't working with the already supported mechanism ?
> >
> >     My ignorance I suppose. I didn't know about the audit phase and
> >     kernel-cache. I guess I have to read the doc...
> >
> >
> > If it doesn't work for your use case, or is otherwise causing issues, let
> > me know and I'll make changes as required.
>
> Thanks, the main issue for us is that it does not handle in-tree kernel
> configs such as hardening.config
>
>
> https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/configs/hardening.config
>
>
In which sense ? The meta-data handling can now apply them (I did a change about
three months ago to support it).

For them to be part of the audit, you then either need to increase the verbosity level
of the audit or promote them to "hardware" or "required" configuration values.

If you have a public layer showing an issue, I'll definitely have a look.

Bruce



> Louis
>
> >
> > I've taken a note to pull together a short presentation on this, as more
> > documentation/examples can only be a good thing.
> >
> > Cheers,
> >
> > Bruce
> >
> >
> >     Louis
> >
> >      >
> >      > Bruce
> >      >
>
>

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II
