From: michael.opdenacker@rootcommit.com
To: openembedded-devel@lists.openembedded.org
Cc: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Subject: [meta-oe][scarthgap][PATCH] kernel-hardening-checker: backport recipe
Date: Tue, 19 Aug 2025 20:39:46 +0000 (UTC)	[thread overview]
Message-ID: <20250819203929.1272607-1-michael.opdenacker@rootcommit.com> (raw)

From: Michael Opdenacker <michael.opdenacker@rootcommit.com>

This recipe is a Scarthgap backport of kernel-hardening-checker_0.6.10.2.bb
in the master branch as of August 19, 2025.

Tested on qemux86-64 and on beaglebone-yocto

Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
---
 ...ject.toml-fix-up-license-information.patch | 31 ++++++++++++++
 ...-relax-setuptool-version-requirement.patch | 29 +++++++++++++
 .../kernel-hardening-checker_0.6.10.2.bb      | 41 +++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0001-pyproject.toml-fix-up-license-information.patch
 create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0002-pyproject.toml-relax-setuptool-version-requirement.patch
 create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.2.bb

diff --git a/meta-oe/recipes-security/kernel-hardening-checker/files/0001-pyproject.toml-fix-up-license-information.patch b/meta-oe/recipes-security/kernel-hardening-checker/files/0001-pyproject.toml-fix-up-license-information.patch
new file mode 100644
index 0000000000..4460146722
--- /dev/null
+++ b/meta-oe/recipes-security/kernel-hardening-checker/files/0001-pyproject.toml-fix-up-license-information.patch
@@ -0,0 +1,31 @@
+From e94c486c6c3473979ce5be627f030cc95ce165e6 Mon Sep 17 00:00:00 2001
+From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
+Date: Sun, 17 Aug 2025 17:27:21 +0200
+Subject: [PATCH 1/2] pyproject.toml: fix up license information
+
+Without this change, the Python tooling complains that you
+can't have both "license" and "license-files" settings in pyproject.toml.
+
+This issue doesn't happen any more with the Python tooling
+in master (as of August 2025), so it's irrelevant for upstream.
+
+Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
+Upstream-Status: Inappropriate [oe specific]
+---
+ pyproject.toml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index a0b75c3..79e710b 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -20,8 +20,7 @@ authors = [
+ maintainers = [
+   {name = "Alexander Popov", email = "alex.popov@linux.com"}
+ ]
+-license = "GPL-3.0-only"
+-license-files = ["LICENSE.txt"]
++license = { text = "GPL-3.0-only" }
+ classifiers = [
+     "Development Status :: 5 - Production/Stable",
+     "Topic :: Security",
diff --git a/meta-oe/recipes-security/kernel-hardening-checker/files/0002-pyproject.toml-relax-setuptool-version-requirement.patch b/meta-oe/recipes-security/kernel-hardening-checker/files/0002-pyproject.toml-relax-setuptool-version-requirement.patch
new file mode 100644
index 0000000000..05a8126c4e
--- /dev/null
+++ b/meta-oe/recipes-security/kernel-hardening-checker/files/0002-pyproject.toml-relax-setuptool-version-requirement.patch
@@ -0,0 +1,29 @@
+From 7c64511d2dcb58bc4d83dd41667c1f9295ca9712 Mon Sep 17 00:00:00 2001
+From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
+Date: Tue, 19 Aug 2025 21:47:05 +0200
+Subject: [PATCH 2/2] pyproject.toml: relax setuptool version requirement
+
+To match with what's available in Scarthgap
+It turns out that setuptools 69 is sufficient for building this tool.
+The developer may have aligned the version with his testing environment.
+
+This patch is not needed on meta-openembedded master which has a recent enough
+version.
+
+Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
+Upstream-Status: Inappropriate [oe specific]
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index 79e710b..a8b59d8 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -1,5 +1,5 @@
+ [build-system]
+-requires = ["setuptools >= 77.0.3"]
++requires = ["setuptools >= 69"]
+ build-backend = "setuptools.build_meta"
+ 
+ [tool.setuptools.packages.find]
diff --git a/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.2.bb b/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.2.bb
new file mode 100644
index 0000000000..c0ae0f0d3c
--- /dev/null
+++ b/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.2.bb
@@ -0,0 +1,41 @@
+SUMMARY = "A tool for checking the security hardening options of the Linux kernel"
+DESCRIPTION = "\
+    There are plenty of security hardening options for the Linux kernel; Kconfig \
+    options (compile-time); Kernel cmdline arguments (boot-time); Sysctl \
+    parameters (runtime). A lot of them have to be enabled manually to make the \
+    system more secure which is difficult to track. This tool helps with this \
+    task by checking and reporting about the settings compared to a list of \
+    recommendation. \
+"
+HOMEPAGE = "https://github.com/a13xp0p0v/kernel-hardening-checker"
+BUGTRACKER = "https://github.com/a13xp0p0v/kernel-hardening-checker/issues"
+LICENSE = "GPL-3.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=d32239bcb673463ab874e80d47fae504"
+
+SRC_URI = "git://github.com/a13xp0p0v/kernel-hardening-checker;protocol=https;branch=master \
+	   file://0001-pyproject.toml-fix-up-license-information.patch \
+	   file://0002-pyproject.toml-relax-setuptool-version-requirement.patch"
+
+SRCREV = "0ebece346f187e7d3589883cc1d194fcd1c3cda8"
+
+S = "${WORKDIR}/git"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+RDEPENDS:${PN} = "\
+    python3-json \
+    python3-misc \
+    python3-compression \
+    bash \
+"
+
+# /boot/config is required for the analysis
+RRECOMMENDS:${PN}:class-target = "\
+    kernel-dev \
+"
+
+inherit python_setuptools_build_meta
+
+# allow to run on build host, if you don't want it in the image
+# oe-run-native kernel-hardening-checker-native kernel-hardening-checker ...
+BBCLASSEXTEND = "native"
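Review bot: The comment above `RRECOMMENDS:${PN}:class-target` names only /boot/config, but the recommendation installs the whole `kernel-dev` package into any target image that includes this tool. In OE-core that package normally also carries System.map and Module.symvers (worth confirming against kernel.bbclass on scarthgap), which many hardened images deliberately leave out. I would extend the comment to say so, e.g. `# kernel-dev provides /boot/config-*; it also installs System.map, so production images may prefer BAD_RECOMMENDATIONS or the -native variant`. Separately, a one-line comment next to `SRCREV` naming the upstream tag it corresponds to would let a reviewer check the pinned hash against the 0.6.10.2 release.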

