From: akuster808 <akuster808@gmail.com>
To: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Stefan Berger <stefanb@linux.ibm.com>
Cc: Jose Quaresma <quaresma.jose@gmail.com>,
	yocto@lists.yoctoproject.org,
	Jose Quaresma <jose.quaresma@foundries.io>
Subject: Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
Date: Wed, 10 May 2023 10:25:02 -0400	[thread overview]
Message-ID: <4f9206ad-aa2d-bdb0-dec7-fd40f1fee826@gmail.com> (raw)
In-Reply-To: <ZFuY1UtAFKNI4Oyt@nuoska>

On 5/10/23 9:15 AM, Mikko Rapeli wrote:
> Hi,
>
> On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>>
>> On 5/10/23 07:44, Armin Kuster wrote:
>>>
>>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>>>
>>>> The full patchset is overriding the do_configure task and also added a kernel patch
>>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
>>>> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
>>>> So the patch fails in some recipes, and the do_configure task also doesn't make sense.
>>>> This breaks many recipes like linux-firmware and maybe others.
>>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>> My suggestion would be that I post a v2 of my fix patches containing:
>>
>> 1) removal of the Linux kernel patch
>> 2) removal of the squashfs option (less important)
>> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>>     but modified to look like this with '&& [ -f .config ]' appended:
>>
>>   do_configure:append() {
>>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>>       fi
>>   }
>>
>> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>>
>> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> matches the pattern linux-firmware as well and therefore its contents get included when building
>> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> these included for linux-firmware.
> Why is the bbappend applying changes to all recipes where name starts with
> "linux-"?
>
> It is aiming at Linux kernel recipes which by default in yocto are
> called "linux-yocto", so the bbappend could simply be
> "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> and other variants too).

Well that one is on me. That change came in when I ported over the 
meta-intel-iot-security layer.

6680225 meta-integrity: port over from meta-intel-iot-security

I will send a patch correcting that.

Thanks for the reminder and pointing this out.

BR,
Armin

>
> I think it's a bad idea to try to apply this change automatically to all
> possible BSP layer kernels which may or may not have names starting with
> "linux-" and it's well known that there are a lot of recipe names which
> start with "linux-" which are not Linux kernels (linux-firmware,
> linux-libc-headers, linux-dummy etc).
>
> Cheers,
>
> -Mikko
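To see which recipes a given bbappend name would pull in, here is an added shell emulation of BitBake's matching rule for a trailing `%` (a `<prefix>%.bbappend` applies to every recipe whose `.bb` basename starts with `<prefix>`). This is not code from the thread or from the meta-security layer, and the recipe list is constructed for the illustration.

```shell
#!/bin/sh
# Emulates BitBake's bbappend-to-recipe matching: "<prefix>%.bbappend"
# applies to every recipe whose .bb basename starts with <prefix>; a
# bbappend without '%' must match the recipe basename exactly.
# Added illustration, not code from the meta-security layer.

# Constructed list of recipe basenames as they might appear across layers.
RECIPES="linux-yocto_6.1.bb
linux-yocto-rt_6.1.bb
linux-yocto-tiny_6.1.bb
linux-firmware_20230404.bb
linux-libc-headers_6.1.bb
linux-dummy.bb
linux-intel_6.1.bb"

# bbappend_matches <bbappend basename> <recipe basename>; exit 0 on match.
bbappend_matches() {
    append=$1
    recipe=$2
    case "$append" in
        *%.bbappend)
            prefix=${append%\%.bbappend}      # strip the trailing "%.bbappend"
            case "$recipe" in
                "$prefix"*) return 0 ;;
            esac
            return 1 ;;
        *)
            [ "${append%.bbappend}.bb" = "$recipe" ] ;;
    esac
}

# matching_recipes <bbappend basename>; prints every recipe it would touch.
matching_recipes() {
    echo "$RECIPES" | while IFS= read -r r; do
        if bbappend_matches "$1" "$r"; then
            echo "$r"
        fi
    done
}

# Compare the layer's current pattern with the narrower ones proposed above.
for pat in 'linux-%.bbappend' 'linux-yocto%.bbappend' 'linux-yocto_%.bbappend'; do
    echo "== $pat applies to:"
    matching_recipes "$pat"
done
```

With the constructed list, `linux-%.bbappend` touches all seven recipes, including linux-firmware, linux-libc-headers and linux-dummy, while `linux-yocto%.bbappend` touches only the three linux-yocto variants.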