summaryrefslogtreecommitdiffstats
path: root/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
AgeCommit message (Collapse)AuthorFilesLines
2022-12-16linux: config: add systemd sandboxing fragmentDenys Dmytriyenko1-0/+1
Add a kernel config fragment that enables additional features needed for systemd sandboxing support, using Classic BPF (Berkeley Packet Filter) kernel framework. Eventually this will be extended with more advanced features using eBPF (extended BPF), BTF (BPF Type Format) and LSM (Lunux Security Module) frameworks. Bug-AGL: SPEC-4627 Change-Id: I9ed21c654b2e0298be66073750dab6920e49b0c9 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28297 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-12-16linux: config: move CONFIG_AUDIT* into own fragmentDenys Dmytriyenko1-0/+1
Enabling CONFIG_AUDIT* is needed by auditd and should be safe whether systemd is used or not and is not specific to SELinux. Note that systemd README has this old caveat mentioned | Note that kernel auditing is broken when used with systemd's | container code. When using systemd in conjunction with | containers, please make sure to either turn off auditing at | runtime using the kernel command line option "audit=0", or | turn it off at kernel compile time using: | CONFIG_AUDIT=n | If systemd is compiled with libseccomp support on | architectures which do not use socketcall() and where seccomp | is supported (this effectively means x86-64 and ARM, but | excludes 32-bit x86!), then nspawn will now install a | work-around seccomp filter that makes containers boot even | with audit being enabled. This works correctly only on kernels | 3.14 and newer though. TL;DR: turn audit off, still. But that seems to only apply to nspawn usage in some specific cases and on older kernels, plus there are even runtime workarounds available when needed, so let's enable it by default. Bug-AGL: SPEC-4627 Change-Id: I5fcd58ba41929d2966fadea27b6751e4fa6589c9 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28276 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-12-16linux: config: enable kernel settings that systemd requiresDenys Dmytriyenko1-0/+1
Add kernel config fragment with all settings required by systemd. Some more generic settings need to be explicitly set here as well to satisfy necessary dependencies from systemd settings down the tree, otherwise some BSPs would break. Bug-AGL: SPEC-4627 Change-Id: I7a2796ea65da58a4f1fa0556cd94df67e7df7db9 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28275 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-12-08linux-yocto: Rework virtio-aarch64 kernel configurationScott Murray1-0/+4
Changes: - Appending the virtio kernel metadata to SRC_URI in the linux-yocto bbappend was having the side-effect of overriding a lot of the changes from the other AGL configuration fragments. To avoid this, prepend the addition to AGL_KCONFIG_FRAGMENTS instead. - Add the HDA sound driver config fragment for virtio machines to allow using the QEMU emulation. - Add config fragment for the virtio kernel to ensure that CONFIG_DRM and the fbdev emulation are on. - Add config fragment for the virtio kernel to turn on CONFIG_PCI, as there are some peripherals that we may need to expose to guests with it. This and the DRM changes will be rationalized in the metadata repo once it's clear we do need them. Bug-AGL: SPEC-4618 Change-Id: I453b84d9840498772afd01404dd374f5c1d245da Signed-off-by: Scott Murray <scott.murray@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28191 ci-image-build: Jenkins Job builder account Tested-by: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-12-08linux: config: move BBE-specific fragment from meta-agl-core to meta-agl-bspDenys Dmytriyenko1-1/+0
Commit d009fa0c42042a0b7d069779852953621e46469b as part of SPEC-4156 added a kernel config fragment to disable CONFIG_RELAY. Since this fragment is only applied to BBE, there's no need for it to reside in meta-agl-core and can be moved to meta-agl-bsp/meta-sancloud. Bug-AGL: SPEC-4156 Change-Id: I5da2632d6eb00bbf99ddb48cef861564d2ce868d Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28203 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-12-08linux-agl-config: correct override syntax for virtualmachineDenys Dmytriyenko1-1/+1
Commit dd6fc5dcaa0a027b7651bb365d5dd0f623498f8f as part of SPEC-4052 converted all overrides to the new syntax, but missed the one used for "virtualmachine" Bug-AGL: SPEC-4052 Change-Id: I1905c7e3b70b05c4ef06d8b4f240d0e144587fab Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28204 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-07-27Add SELinux featureScott Murray1-0/+1
Add agl-selinux feature to enable SELinux support. Notes: - SELinux is in permissive mode by default for now, and using the targeted policy by default. - The linux-yocto specific bbappend in meta-selinux is masked out in favor of adding a more universal kernel configuration fragment with AGL's own scheme. - SELinux specific recipes and bbappends are added via a meta-selinux dynamic-layers addition in meta-agl-core to keep using meta-selinux optional. This will avoid issues with the Yocto autobuilder testing of meta-agl-core. - To avoid the effectively hard-coded autorelabel on first boot, a bbappend is added to the selinux-autorelabel recipe to remove the flag creation. In the off chance that a build happens on a filesystem without xattr support, the logic in the selinux-image bbclass will still touch the /.autorelabel flag and trigger relabeling. - A systemd unit and script are added with a new systemd-selinux-relabel recipe to handle relabeling of some systemd generated files that do not get handled during root filesystem construction. Some of these can be addressed by some upstream tweaks, but /etc/machine-id will always need special handling unless there is a shift to using read-only or stateless root by default. With this workaround we still avoid doing a full relabel and reboot on first boot, which helps simplify CI. Bug-AGL: SPEC-4332 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: Ibf469e11eb3a67709074cc6794b3d12cd5071a90 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27790 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-03-05Disable CONFIG_RELAY on BBE boardJan-Simon Moeller1-0/+1
The config option does provoke an Internal error at runtime. Disable it for the BBE. Bug-AGL: SPEC-4156 Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Change-Id: I9c6c8a1279a3c4f40c383e036251f51bb4e9fc8e Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27240 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account
2021-08-23Convert to new override syntaxScott Murray1-9/+9
This is mostly the result of running a slightly customized version of the convert-overrides.py script from poky with additional overrides added. A few minor fixups were done by hand afterwards during a review of the changes. The intent of these changes is to minimize the effort to keep the "next" branch that builds against poky master up to date and tested in preparation for the switch to the next Yocto LTS release in early 2022. Bug-AGL: SPEC-4052 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: Ia3bf63b7cb1aa1d95ada373d1a3ab56def0a125d Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26564 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2021-06-29Refactor kernel configuration fragment handlingScott Murray1-0/+85
Refactor the kernel configuration fragment handling to shift all AGL applied configuration fragments into a new AGL_KCONFIG_FRAGMENTS variable that is used to generate SRC_URI and KERNEL_CONFIG_FRAGMENTS additions for the various BSPs. The intent is to make it simple to disable AGL provided configuration in downstream builds as the IC EG has expressed as a requirement. Additionally, the rework has allowed for some clean up of accumulated cruft. In practice, clearing AGL_KCONFIG_FRAGMENTS drops all non-BSP provided kernel configuration with the exception of some qemu BSP related additions required for AGL CI and some explicitly configurable things like netboot support. Notable changes: - Instead of always using AGL's own fragment merging logic on top of the BSP kernel recipe, an effort is now made to leverage the BSP recipes' own merging schemes, so there are now separate include files for kernel-yocto.bbclass and plain kernel.bbclass based kernel recipes, as well as a common include file that defines the AGL_KCONFIG_FRAGMENTS variable and its derivations. That file can be included directly in bbappends for BSP kernel recipes that use the KERNEL_CONFIG_FRAGMENTS scheme (e.g. meta-ti, meta-qcom). - The SMACK enabling configuration in meta-app-framework has been updated to supply different fragments for enabling SMACK by default for 4.x and 5.x kernels. This removes a warning from always supplying the old configuration, and allows providing a CONFIG_LSM definition to ensure over-riding any BSP modifications. This allows removing the previous hack to handle CONFIG_LSM being set in the defconfigs in linux-raspberrypi. - By request, the linux-yocto support from meta-agl-bsp/meta-core has been rationalized into meta-agl-core to improve the experience when using meta-agl-core standalone for testing. - All demo supporting kernel configuration has been removed, a subsequent change to meta-agl-demo will add it there by leveraging AGL_KCONFIG_FRAGMENTS. - The hardware device support has been split out of the can-bus.cfg fragment, in favor of shifting it to meta-agl-demo. A few other stray non-CAN configuration options have also been removed from can-bus.cfg, as they do not seem to be required. Bug-AGL: SPEC-3983 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: If6662fd36e26cec767b1d53b1188a74d01ef9dcf Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26460 Reviewed-by: Hiroyuki Ishii <ishii.hiroyuki002@jp.panasonic.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account