From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: Armin Kuster <akuster808@gmail.com>,
	Jose Quaresma <quaresma.jose@gmail.com>,
	yocto@lists.yoctoproject.org,
	Jose Quaresma <jose.quaresma@foundries.io>
Subject: Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
Date: Wed, 10 May 2023 17:34:03 +0300
Message-ID: <ZFurW5Pr+3Ler/K7@nuoska>
In-Reply-To: <b978da27-925a-3c09-2b26-53eda9cadb77@linux.ibm.com>

Hi,

On Wed, May 10, 2023 at 10:20:22AM -0400, Stefan Berger wrote:
> 
> 
> On 5/10/23 09:15, Mikko Rapeli wrote:
> > Hi,
> > 
> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> > > 
> > > 
> > > On 5/10/23 07:44, Armin Kuster wrote:
> > > > 
> > > > 
> > > > On 5/9/23 2:56 PM, Jose Quaresma wrote:
> > > > > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> > > > > 
> > > > > The full patchset is overriding the do_configure task and also adds a kernel patch
> > > > > in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> > > > > in every recipe whose name follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
> > > > > So the patch fails in some recipes, and also the do_configure task doesn't make sense.
> > > > > This breaks many recipes like linux-firmware and maybe others.
> > > > 
> > > > I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> > > 
> > > My suggestion would be that I post a v2 of my fix patches containing:
> > > 
> > > 1) removal of the Linux kernel patch
> > > 2) removal of the squashfs option (less important)
> > > 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
> > >     but modified to look like this with '&& [ -f .config ]' appended:
> > > 
> > >   do_configure:append() {
> > >       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
> > >           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> > >       fi
> > >   }
> > > 
> > > I don't want to hold things up but maybe it's worth discussing the suggested changes.
> > > 
> > > From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> > > and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> > > The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> > > matches the pattern linux-firmware as well and therefore its contents get included when building
> > > linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> > > ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> > > I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> > > these included for linux-firmware.
> > 
> > Why is the bbappend applying changes to all recipes where name starts with
> > "linux-"?
> > 
> > It is aiming at Linux kernel recipes which by default in yocto are
> > called "linux-yocto", so the bbappend could simply be
> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> > and other variants too).
> 
> Thanks.
> 
> I am trying to enable IMA & EVM under OpenBMC. When I rename linux-%.bbappend to linux-yocto_%.bbappend
> then none of the IMA support becomes active under OpenBMC, so it doesn't help much for OpenBMC. If I rename it to
> linux-aspeed_%.bbappend then it works for OpenBMC but that's probably not the filename you would want to have in
> meta-security.
> 
> So I guess the solution is to rename the file to linux-yocto%.bbappend anyway (I won't test it in this env) but
> then require that OpenBMC include the linux_ima.inc using a statement like this
> 
> require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', '../../../../meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc', '', d)}
> 
> in its own linux-aspeed_%.bbappend.
> 
> Does this sound correct?

Yes, this sounds better. You can also document this in the layer for
users with different BSP layers and Linux kernel recipe names. Linking
to the OpenBMC example is a good idea too.

Cheers,

-Mikko
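The naming discussion above turns on how BitBake decides which recipes a `%` bbappend applies to. The following is an added example, not code from the thread or from meta-security: it reproduces the matching rule BitBake uses (a bbappend name without `%` must equal the recipe filename; with `%`, any recipe whose filename starts with the text before the `%` is matched, which is why `linux-%.bbappend` also lands on linux-firmware). The recipe filenames and versions in `SAMPLE_RECIPES` are constructed for illustration and are not taken from any particular layer.

```python
"""Added example: reproduce BitBake's .bbappend-to-recipe matching rule.

BitBake rewrites "foo_%.bbappend" to the pattern "foo_%.bb" and applies it to
every recipe whose filename starts with the text before the '%'; a bbappend
without '%' is applied only on an exact filename match. This mirrors the
logic in bitbake/lib/bb/cooker.py (collect_bbfiles / get_file_appends).
"""
import os
from typing import Dict, Iterable, List


def bbappend_matches(bbappend: str, recipe: str) -> bool:
    """Return True if BitBake would apply `bbappend` to `recipe`."""
    pattern = os.path.basename(bbappend).replace(".bbappend", ".bb")
    name = os.path.basename(recipe)
    if pattern == name:
        return True
    if "%" in pattern:
        # Everything from the first '%' on is ignored; only the prefix matters.
        return name.startswith(pattern[: pattern.index("%")])
    return False


def recipes_hit_by(bbappend: str, recipes: Iterable[str]) -> List[str]:
    """All recipe filenames that `bbappend` would be applied to."""
    return sorted(r for r in recipes if bbappend_matches(bbappend, r))


# Constructed sample of recipe filenames; versions are illustrative only.
SAMPLE_RECIPES = [
    "linux-yocto_6.1.bb",
    "linux-yocto-rt_6.1.bb",
    "linux-yocto-tiny_6.1.bb",
    "linux-firmware_20230404.bb",   # not a kernel, but starts with "linux-"
    "linux-libc-headers_6.1.bb",    # not a kernel either
    "linux-aspeed_git.bb",          # OpenBMC kernel recipe name, as in the thread
    "busybox_1.36.0.bb",
]


def compare_append_names(recipes: Iterable[str] = SAMPLE_RECIPES) -> Dict[str, List[str]]:
    """Map each candidate bbappend filename to the recipes it would hit."""
    candidates = [
        "linux-%.bbappend",          # name currently used by meta-integrity
        "linux-yocto_%.bbappend",    # linux-yocto only
        "linux-yocto%.bbappend",     # linux-yocto plus the -rt/-tiny variants
        "linux-aspeed_%.bbappend",   # what an OpenBMC layer would carry itself
    ]
    return {c: recipes_hit_by(c, recipes) for c in candidates}


if __name__ == "__main__":
    for append, hits in compare_append_names().items():
        print(f"{append:26s} -> {', '.join(hits) or '(nothing)'}")
```

Running the script shows that `linux-%.bbappend` hits every sampled recipe except busybox, including linux-firmware and linux-libc-headers; `linux-yocto_%.bbappend` hits only linux-yocto; `linux-yocto%.bbappend` also picks up the -rt and -tiny variants; and `linux-aspeed_%.bbappend` is the only name that reaches the OpenBMC kernel, which is why the thread settles on the BSP layer pulling in linux_ima.inc from its own bbappend.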


Thread overview:
2023-05-09 18:56 [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 3/8] Revert "integrity: Update the README for IMA support" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 4/8] Revert "ima: Sign all executables and the ima-policy in the root filesystem" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 6/8] Revert "ima: Fix the IMA kernel feature" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 7/8] Revert "ima: Fix the ima_policy_appraise_all to appraise executables & libraries" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 8/8] Revert "ima: Document and replace keys and adapt scripts for EC keys" Jose Quaresma
2023-05-10 11:44 ` [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" akuster808
2023-05-10 12:23   ` Stefan Berger
2023-05-10 13:15     ` Mikko Rapeli
2023-05-10 14:20       ` Stefan Berger
2023-05-10 14:34         ` Mikko Rapeli [this message]
2023-05-10 14:25       ` akuster808
2023-05-10 14:33         ` Jose Quaresma
     [not found]         ` <175DCECAC59B5A82.14362@lists.yoctoproject.org>
2023-05-10 14:35           ` Jose Quaresma