* [PATCH] ref-manual: add SPDX_INCLUDE_KERNEL_CONFIG and SPDX_INCLUDE_PACKAGECONFIG
@ 2026-02-25 11:08 Kamel Bouhara
2026-02-25 14:10 ` [docs] " Antonin Godard
2026-03-02 9:53 ` Antonin Godard
0 siblings, 2 replies; 4+ messages in thread
From: Kamel Bouhara @ 2026-02-25 11:08 UTC
To: docs; +Cc: Kamel Bouhara (Schneider Electric)
From: "Kamel Bouhara (Schneider Electric)" <kamel.bouhara@bootlin.com>
Adding documentation for the new variables to export the Linux kernel
configuration and recipe PACKAGECONFIG features into the SPDX document.
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
---
documentation/dev-manual/sbom.rst | 6 +++
.../migration-guides/release-notes-6.0.rst | 6 +++
documentation/ref-manual/variables.rst | 43 +++++++++++++++++++
3 files changed, 55 insertions(+)
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
index 8452fb12b..95303ed70 100644
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@@ -56,6 +56,12 @@ more information in the output :term:`SPDX` data:
- Add a description of the **compiled** source files used to generate host tools
and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`)
+- Export the Linux kernel configuration (``CONFIG_*`` parameters) into the
+ SPDX document (:term:`SPDX_INCLUDE_KERNEL_CONFIG`).
+
+- Export the recipe's ``PACKAGECONFIG`` features (enabled/disabled) into the
+ SPDX document (:term:`SPDX_INCLUDE_PACKAGECONFIG`).
+
- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
Though the toplevel :term:`SPDX` output is available in
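Review bot: The two added bullets for SPDX_INCLUDE_KERNEL_CONFIG and SPDX_INCLUDE_PACKAGECONFIG do not say that these variables only take effect with the SPDX 3.0 output format, although the variables.rst entries in this same patch carry a note stating exactly that. A reader of this list would assume they behave like the neighbouring options, so a short "(SPDX 3.0 output only)" in each bullet would avoid a silent no-op. The new bullets also end with a period while the preceding SPDX_INCLUDE_COMPILED_SOURCES item does not; one form should be used throughout the list.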
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index c6e5b5a1f..af72d1e93 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -31,6 +31,12 @@ New Features / Enhancements in |yocto-ver|
directory where OpenSSH host keys are stored. The default value is
``/etc/ssh``.
+ - :term:`SPDX_INCLUDE_KERNEL_CONFIG`: export the Linux kernel
+ configuration (``CONFIG_*`` parameters) into the SPDX document.
+
+ - :term:`SPDX_INCLUDE_PACKAGECONFIG`: export a recipe's
+ :term:`PACKAGECONFIG` features (enabled/disabled) into the SPDX document.
+
- Kernel-related changes:
- New core recipes:
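Review bot: In the second added bullet, PACKAGECONFIG is written as a :term: cross-reference, while the sbom.rst hunk of this patch writes the same name as a plain ``PACKAGECONFIG`` literal. Using :term:`PACKAGECONFIG` in both places would keep the glossary link consistent across the manual.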
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index fb4581bae..2e812d02d 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -9121,6 +9121,49 @@ system and gives an overview of their function and contents.
increases the SBOM size (potentially by several gigabytes for typical
images).
+ :term:`SPDX_INCLUDE_KERNEL_CONFIG`
+ This option allows exporting the Linux kernel configuration
+ (the contents of the ``.config`` file) into the recipe's SPDX
+ document as a separate ``build_Build`` object. Each kernel
+ configuration parameter (``CONFIG_*``) is recorded and linked to
+ the main kernel object using an ``ancestorOf`` relationship.
+
+ .. note::
+
+ This variable only has effect when using the SPDX 3.0 output
+ format (see :ref:`ref-classes-create-spdx`).
+
+ Enable this option as follows::
+
+ SPDX_INCLUDE_KERNEL_CONFIG = "1"
+
+ When enabled, a separate SPDX object is created for the kernel
+ configuration, improving reproducibility, compliance tracking,
+ and auditing of build-time kernel features.
+
+ :term:`SPDX_INCLUDE_PACKAGECONFIG`
+ This option allows exporting a recipe's :term:`PACKAGECONFIG`
+ features into the recipe's SPDX document. Each feature is
+ recorded as a ``DictionaryEntry`` with key
+ ``PACKAGECONFIG:<feature>`` and value ``enabled`` or
+ ``disabled``, depending on whether the feature is active in
+ the current build.
+
+ .. note::
+
+ This variable only has effect when using the SPDX 3.0 output
+ format (see :ref:`ref-classes-create-spdx`).
+
+ Enable this option as follows::
+
+ SPDX_INCLUDE_PACKAGECONFIG = "1"
+
+ When enabled, the build-time configuration of each recipe is
+ captured in the SPDX document, improving transparency,
+ reproducibility, and security auditing. It allows consumers of
+ the SPDX SBOM to determine which optional features were
+ enabled or disabled in a given build.
+
:term:`SPDX_LICENSES`
Path to the JSON file containing SPDX license identifier mappings.
This file maps common license names to official SPDX license
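Review bot: Neither new entry states its default value or its effect on SBOM size, even though the context lines at the top of this hunk show the preceding entry documenting size growth; one sentence on each would match the surrounding entries. In the SPDX_INCLUDE_KERNEL_CONFIG text it is also unclear what is linked by the ``ancestorOf`` relationship: the sentence reads as if each ``CONFIG_*`` parameter is linked to the kernel object, while the previous sentence says the configuration is a single ``build_Build`` object, so the entry should say which element is the source and which is the target. Because the exported data describes which kernel features and optional recipe features a given build has, a remark that the resulting SBOM should be reviewed before being shared outside the organisation would be useful to consumers.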
--
2.51.0
* Re: [docs] [PATCH] ref-manual: add SPDX_INCLUDE_KERNEL_CONFIG and SPDX_INCLUDE_PACKAGECONFIG
From: Antonin Godard @ 2026-02-25 14:10 UTC
To: kamel.bouhara, docs
Hi,
Thanks! This looks good to me.
I've just fixed the alphabetical order in variables.rst locally:
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 2e812d02d..45073d8a0 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -9096,31 +9096,6 @@ system and gives an overview of their function and contents.
``qemux86-64``, the uncompressed SBOM file can grow from hundreds
of megabytes to several gigabytes.
- :term:`SPDX_INCLUDE_SOURCES`
- This option allows to add a description of the source files used to build
- the host tools and the target packages, to the ``spdx.json`` files in
- ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
- As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
- ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
- modified to include references to such source file descriptions.
-
- Enable this option as follows::
-
- SPDX_INCLUDE_SOURCES = "1"
-
- For SPDX 2.2 format (release 4.1 "langdale"), building
- ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
- this option multiplied the total size of the ``tmp/deploy/spdx``
- directory by a factor of 3 (+291 MiB for this image),
- and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
- ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
- image), compared to just using the :ref:`ref-classes-create-spdx` class
- with no option.
-
- With SPDX 3.0.1 JSON format, including source files significantly
- increases the SBOM size (potentially by several gigabytes for typical
- images).
-
:term:`SPDX_INCLUDE_KERNEL_CONFIG`
This option allows exporting the Linux kernel configuration
(the contents of the ``.config`` file) into the recipe's SPDX
@@ -9164,6 +9139,31 @@ system and gives an overview of their function and contents.
the SPDX SBOM to determine which optional features were
enabled or disabled in a given build.
+ :term:`SPDX_INCLUDE_SOURCES`
+ This option allows to add a description of the source files used to build
+ the host tools and the target packages, to the ``spdx.json`` files in
+ ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
+ As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
+ ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
+ modified to include references to such source file descriptions.
+
+ Enable this option as follows::
+
+ SPDX_INCLUDE_SOURCES = "1"
+
+ For SPDX 2.2 format (release 4.1 "langdale"), building
+ ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
+ this option multiplied the total size of the ``tmp/deploy/spdx``
+ directory by a factor of 3 (+291 MiB for this image),
+ and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
+ ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
+ image), compared to just using the :ref:`ref-classes-create-spdx` class
+ with no option.
+
+ With SPDX 3.0.1 JSON format, including source files significantly
+ increases the SBOM size (potentially by several gigabytes for typical
+ images).
+
:term:`SPDX_LICENSES`
Path to the JSON file containing SPDX license identifier mappings.
This file maps common license names to official SPDX license
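Review bot: The re-added SPDX_INCLUDE_SOURCES entry keeps the wording "This option allows to add a description" in its first line, which differs from the "This option allows exporting" form used by the two new entries directly above it. If the move is meant to be a pure reorder, the wording fix ("allows adding a description") can go in a follow-up patch; otherwise it could be corrected here while the text is being touched.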
Antonin
* Re: [docs] [PATCH] ref-manual: add SPDX_INCLUDE_KERNEL_CONFIG and SPDX_INCLUDE_PACKAGECONFIG
From: Kamel Bouhara @ 2026-02-25 15:54 UTC
To: Antonin Godard; +Cc: docs
On Wed, Feb 25, 2026 at 03:10:23PM +0100, Antonin Godard wrote:
> Hi,
>
> Thanks! This looks good to me.
>
> I've just fixed the alphabetical order in variables.rst locally:
>
Sorry for that and thanks!
> diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
> index 2e812d02d..45073d8a0 100644
> --- a/documentation/ref-manual/variables.rst
> +++ b/documentation/ref-manual/variables.rst
> @@ -9096,31 +9096,6 @@ system and gives an overview of their function and contents.
> ``qemux86-64``, the uncompressed SBOM file can grow from hundreds
> of megabytes to several gigabytes.
>
> - :term:`SPDX_INCLUDE_SOURCES`
> - This option allows to add a description of the source files used to build
> - the host tools and the target packages, to the ``spdx.json`` files in
> - ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
> - As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
> - ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
> - modified to include references to such source file descriptions.
> -
> - Enable this option as follows::
> -
> - SPDX_INCLUDE_SOURCES = "1"
> -
> - For SPDX 2.2 format (release 4.1 "langdale"), building
> - ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
> - this option multiplied the total size of the ``tmp/deploy/spdx``
> - directory by a factor of 3 (+291 MiB for this image),
> - and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
> - ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
> - image), compared to just using the :ref:`ref-classes-create-spdx` class
> - with no option.
> -
> - With SPDX 3.0.1 JSON format, including source files significantly
> - increases the SBOM size (potentially by several gigabytes for typical
> - images).
> -
> :term:`SPDX_INCLUDE_KERNEL_CONFIG`
> This option allows exporting the Linux kernel configuration
> (the contents of the ``.config`` file) into the recipe's SPDX
> @@ -9164,6 +9139,31 @@ system and gives an overview of their function and contents.
> the SPDX SBOM to determine which optional features were
> enabled or disabled in a given build.
>
> + :term:`SPDX_INCLUDE_SOURCES`
> + This option allows to add a description of the source files used to build
> + the host tools and the target packages, to the ``spdx.json`` files in
> + ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
> + As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
> + ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
> + modified to include references to such source file descriptions.
> +
> + Enable this option as follows::
> +
> + SPDX_INCLUDE_SOURCES = "1"
> +
> + For SPDX 2.2 format (release 4.1 "langdale"), building
> + ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
> + this option multiplied the total size of the ``tmp/deploy/spdx``
> + directory by a factor of 3 (+291 MiB for this image),
> + and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
> + ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
> + image), compared to just using the :ref:`ref-classes-create-spdx` class
> + with no option.
> +
> + With SPDX 3.0.1 JSON format, including source files significantly
> + increases the SBOM size (potentially by several gigabytes for typical
> + images).
> +
> :term:`SPDX_LICENSES`
> Path to the JSON file containing SPDX license identifier mappings.
> This file maps common license names to official SPDX license
>
> Antonin
--
Kamel Bouhara, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
* Re: [PATCH] ref-manual: add SPDX_INCLUDE_KERNEL_CONFIG and SPDX_INCLUDE_PACKAGECONFIG
From: Antonin Godard @ 2026-03-02 9:53 UTC
To: docs, Kamel Bouhara; +Cc: Antonin Godard
Applied, thanks!
[1/1] ref-manual: add SPDX_INCLUDE_KERNEL_CONFIG and SPDX_INCLUDE_PACKAGECONFIG
commit: ff3cfb0ed3515fe42ef25f055e039ebdfe66dac0