aboutsummaryrefslogtreecommitdiffstats
path: root/meta-app-framework/recipes-kernel
diff options
context:
space:
mode:
authorScott Murray <scott.murray@konsulko.com>2021-06-27 14:36:00 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2021-06-29 21:31:01 +0000
commit74a7b60c94e21caa47334aeb975bb1af8fcb4efd (patch)
tree07355e73b63fc33afc5c43cb88f28862e9c93a55 /meta-app-framework/recipes-kernel
parent820d8ac3e5c2ff3e110932e1ed08ea24ffad156c (diff)
Refactor kernel configuration fragment handling
Refactor the kernel configuration fragment handling to shift all AGL applied configuration fragments into a new AGL_KCONFIG_FRAGMENTS variable that is used to generate SRC_URI and KERNEL_CONFIG_FRAGMENTS additions for the various BSPs. The intent is to make it simple to disable AGL provided configuration in downstream builds as the IC EG has expressed as a requirement. Additionally, the rework has allowed for some clean up of accumulated cruft. In practice, clearing AGL_KCONFIG_FRAGMENTS drops all non-BSP provided kernel configuration with the exception of some qemu BSP related additions required for AGL CI and some explicitly configurable things like netboot support. Notable changes: - Instead of always using AGL's own fragment merging logic on top of the BSP kernel recipe, an effort is now made to leverage the BSP recipes' own merging schemes, so there are now separate include files for kernel-yocto.bbclass and plain kernel.bbclass based kernel recipes, as well as a common include file that defines the AGL_KCONFIG_FRAGMENTS variable and its derivations. That file can be included directly in bbappends for BSP kernel recipes that use the KERNEL_CONFIG_FRAGMENTS scheme (e.g. meta-ti, meta-qcom). - The SMACK enabling configuration in meta-app-framework has been updated to supply different fragments for enabling SMACK by default for 4.x and 5.x kernels. This removes a warning from always supplying the old configuration, and allows providing a CONFIG_LSM definition to ensure over-riding any BSP modifications. This allows removing the previous hack to handle CONFIG_LSM being set in the defconfigs in linux-raspberrypi. - By request, the linux-yocto support from meta-agl-bsp/meta-core has been rationalized into meta-agl-core to improve the experience when using meta-agl-core standalone for testing. - All demo supporting kernel configuration has been removed, a subsequent change to meta-agl-demo will add it there by leveraging AGL_KCONFIG_FRAGMENTS. - The hardware device support has been split out of the can-bus.cfg fragment, in favor of shifting it to meta-agl-demo. A few other stray non-CAN configuration options have also been removed from can-bus.cfg, as they do not seem to be required. Bug-AGL: SPEC-3983 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: If6662fd36e26cec767b1d53b1188a74d01ef9dcf Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26460 Reviewed-by: Hiroyuki Ishii <ishii.hiroyuki002@jp.panasonic.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account
Diffstat (limited to 'meta-app-framework/recipes-kernel')
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux-%.bbappend3
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux-appfw.inc36
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm-old.cfg2
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg2
4 files changed, 23 insertions, 20 deletions
diff --git a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
index acce6cc1b..807da11f1 100644
--- a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
@@ -1,2 +1 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'linux-appfw.inc', '', d)}
-
+require ${@bb.utils.contains('APPFW_ENABLED', '1', 'linux-appfw.inc', '', d) if bb.data.inherits_class('kernel', d) else ''}
diff --git a/meta-app-framework/recipes-kernel/linux/linux-appfw.inc b/meta-app-framework/recipes-kernel/linux/linux-appfw.inc
index cbf6567e0..1b6d1b6a8 100644
--- a/meta-app-framework/recipes-kernel/linux/linux-appfw.inc
+++ b/meta-app-framework/recipes-kernel/linux/linux-appfw.inc
@@ -1,21 +1,23 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
-IS_KERNEL_RECIPE := "${@bb.data.inherits_class('kernel', d) and 'yes' or 'no'}"
-SMACK_KERNEL_SRC_URI_no = ""
-SMACK_KERNEL_SRC_URI_yes = ""
+# Enable SMACK support without making it the default explicitly.
+AGL_KCONFIG_FRAGMENTS += "smack.cfg"
-# Kernel config fragment enabling Smack, without making it the default explicitly.
-SMACK_KERNEL_SRC_URI_yes += "file://smack.cfg"
-
-# When added, set Smack as the default LSM.
-SMACK_DEFAULT_SECURITY_CFG = "file://smack-default-lsm.cfg"
-# Add it by default, can be overridden by changing this variable here.
-SMACK_DEFAULT_SECURITY ??= "${SMACK_DEFAULT_SECURITY_CFG}"
-SMACK_KERNEL_SRC_URI_yes += " ${SMACK_DEFAULT_SECURITY}"
-
-# add audit.cfg
-SMACK_KERNEL_SRC_URI_yes += " file://audit.cfg"
-
-
-SRC_URI_append_with-lsm-smack = "${SMACK_KERNEL_SRC_URI_${IS_KERNEL_RECIPE}}"
+# Enable SMACK as default LSM, can be overridden by changing this
+# variable to e.g. "".
+#
+# NOTE:
+# We use a different fragment for kernels older than 5.x that predate
+# the switch to using CONFIG_LSM instead of CONFIG_DEFAULT_SECURITY.
+# For simplicity, logic to handle the change being made in 5.1 instead
+# of 5.0 has been omitted; in practice this should not be a problem
+# since no current BSPs have been seen that use 5.0.x. If a BSP
+# kernel recipe does not set LINUX_VERSION, the kernel being 5.x or
+# newer is assumed as the default behavior.
+LINUX_VERSION_MAJOR = "${@(d.getVar('LINUX_VERSION') or "5.x").split('.')[0]}"
+SMACK_DEFAULT_SUFFIX = "${@'' if int(d.getVar('LINUX_VERSION_MAJOR') or 0) >= 5 else '-old'}"
+SMACK_DEFAULT_SECURITY ??= "smack-default-lsm${SMACK_DEFAULT_SUFFIX}.cfg"
+AGL_KCONFIG_FRAGMENTS += "${SMACK_DEFAULT_SECURITY}"
+# Enable audit support
+AGL_KCONFIG_FRAGMENTS += "audit.cfg"
diff --git a/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm-old.cfg b/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm-old.cfg
new file mode 100644
index 000000000..b5c48454e
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm-old.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg b/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg
index b5c48454e..4791ebab3 100644
--- a/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg
+++ b/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg
@@ -1,2 +1,2 @@
-CONFIG_DEFAULT_SECURITY="smack"
CONFIG_DEFAULT_SECURITY_SMACK=y
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor"