| Message ID | OSYPR01MB53662AC2C72A42E9C766B989DF780@OSYPR01MB5366.jpnprd01.prod.outlook.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | Kindly review for kernel config changes | expand |
Hi Kent, The configuration should go to https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core. isar-cip-core and deby share cip-kernel-config configuration files. *isar-cip-core still has the configuration files there but conf/machine files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore. Actually that is a nother AI. Thanks, Daniel
>isar-cip-core and deby share cip-kernel-config configuration files. >*isar-cip-core still has the configuration files there but conf/machine files with >USE_CIP_KERNEL_CONFIG = "1" do not use them anymore. I see. Thank you, Daniel. But, I'm wondering why conf/machine/qemu-amd64.conf doesn't define USE_CIP_KERNEL_CONFIG = "1". Do you have any information for this, Dinesh or Venkata? I think we should reconfirm to add these configs to https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/master/4.19.y-cip/x86/cip_qemu_defconfig. Or, have you already confirmed to build the image using this? BR, Kent >-----Original Message----- >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of >Daniel Sangorrin via lists.cip-project.org >Sent: Tuesday, July 21, 2020 4:57 PM >To: cip-dev@lists.cip-project.org >Subject: Re: [cip-dev] Kindly review for kernel config changes > >Hi Kent, > >The configuration should go to >https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core. > >isar-cip-core and deby share cip-kernel-config configuration files. >*isar-cip-core still has the configuration files there but conf/machine files with >USE_CIP_KERNEL_CONFIG = "1" do not use them anymore. > >Actually that is a nother AI. > >Thanks, >Daniel > >________________________________________ >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of >Kento Yoshida <kento.yoshida.wz@renesas.com> >Sent: Tuesday, July 21, 2020 4:12 PM >To: cip-dev@lists.cip-project.org >Subject: [cip-dev] Kindly review for kernel config changes > >Hi, > >The security working group need to use "nftables", and it requires to add the >below kernel configs to work. >Before merging to the master branch of "isar-cip-core", would you kindly review to >add the below configs by this Friday, everyone? > >--- a/recipes-kernel/linux/files/qemu-amd64_defconfig >+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig >@@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM >is not set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is >not set >+CONFIG_NF_TABLES=y >+CONFIG_NF_TABLES_INET=y >+CONFIG_NF_TABLES_NETDEV=y >+CONFIG_NFT_EXTHDR=y >+CONFIG_NFT_META=y >+CONFIG_NFT_CT=y >+CONFIG_NFT_RBTREE=y >+CONFIG_NFT_HASH=y >+CONFIG_NFT_COUNTER=y >+CONFIG_NFT_LOG=y >+CONFIG_NFT_LIMIT=y >+CONFIG_NFT_MASQ=y >+CONFIG_NFT_REDIR=y >+CONFIG_NFT_NAT=y >+CONFIG_NFT_QUEUE=y >+CONFIG_NFT_REJECT=y >+CONFIG_NFT_REJECT_INET=y >+CONFIG_NFT_COMPAT=y >+CONFIG_NFT_CHAIN_ROUTE_IPV4=y >+CONFIG_NFT_REJECT_IPV4=y >+CONFIG_NFT_CHAIN_NAT_IPV4=y >+CONFIG_NFT_MASQ_IPV4=y >+# CONFIG_NFT_REDIR_IPV4 is not set >+CONFIG_NFT_CHAIN_ROUTE_IPV6=y >+CONFIG_NFT_REJECT_IPV6=y >+CONFIG_NFT_CHAIN_NAT_IPV6=y >+CONFIG_NFT_MASQ_IPV6=y >+# CONFIG_NFT_REDIR_IPV6 is not set >+CONFIG_NFT_BRIDGE_META=y >+CONFIG_NFT_BRIDGE_REJECT=y >+CONFIG_NF_LOG_BRIDGE=y > >BR, Kent -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#4949): https://lists.cip-project.org/g/cip-dev/message/4949 Mute This Topic: https://lists.cip-project.org/mt/75699231/4520428 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129116/1171672734/xyzzy [patchwork-cip-dev@patchwork.kernel.org] -=-=-=-=-=-=-=-=-=-=-=-
Hi Kent, Let me check if we can use the cip-kernel-config version on ISAR and remove the one in isar-cip-core. I will also add nftables as a fragment to isar-cip-core until you tell me that it needs long-term support. If it needs long-term support we will have to move it to cip-kernel-config. Thanks, Daniel
Hi kent > -----Original Message----- > From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Kento Yoshida > Sent: Tuesday, July 21, 2020 5:40 PM > To: cip-dev@lists.cip-project.org > Subject: Re: [cip-dev] Kindly review for kernel config changes > > >isar-cip-core and deby share cip-kernel-config configuration files. > >*isar-cip-core still has the configuration files there but conf/machine > >files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore. > > I see. Thank you, Daniel. > But, I'm wondering why conf/machine/qemu-amd64.conf doesn't define USE_CIP_KERNEL_CONFIG = "1". It does now. > Do you have any information for this, Dinesh or Venkata? > I think we should reconfirm to add these configs to https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/master/4.19.y- > cip/x86/cip_qemu_defconfig. > Or, have you already confirmed to build the image using this? I would prefer if cip-kernel-config had base configurations that are later extended with fragments (board-dependendencies, security layer dependencies, etc.). However, that would be a whole new task that might take long. For now the more realistic approach is to add the security-related kernel configs to either cip_qemu_defconfig or to a fragment in isar-cip-core and deby. Thanks, Daniel > >-----Original Message----- > >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On > >Behalf Of Daniel Sangorrin via lists.cip-project.org > >Sent: Tuesday, July 21, 2020 4:57 PM > >To: cip-dev@lists.cip-project.org > >Subject: Re: [cip-dev] Kindly review for kernel config changes > > > >Hi Kent, > > > >The configuration should go to > >https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core. > > > >isar-cip-core and deby share cip-kernel-config configuration files. > >*isar-cip-core still has the configuration files there but conf/machine > >files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore. > > > >Actually that is a nother AI. > > > >Thanks, > >Daniel > > > >________________________________________ > >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on > >behalf of Kento Yoshida <kento.yoshida.wz@renesas.com> > >Sent: Tuesday, July 21, 2020 4:12 PM > >To: cip-dev@lists.cip-project.org > >Subject: [cip-dev] Kindly review for kernel config changes > > > >Hi, > > > >The security working group need to use "nftables", and it requires to > >add the below kernel configs to work. > >Before merging to the master branch of "isar-cip-core", would you > >kindly review to add the below configs by this Friday, everyone? > > > >--- a/recipes-kernel/linux/files/qemu-amd64_defconfig > >+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig > >@@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM is not > >set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is not > >set > >+CONFIG_NF_TABLES=y > >+CONFIG_NF_TABLES_INET=y > >+CONFIG_NF_TABLES_NETDEV=y > >+CONFIG_NFT_EXTHDR=y > >+CONFIG_NFT_META=y > >+CONFIG_NFT_CT=y > >+CONFIG_NFT_RBTREE=y > >+CONFIG_NFT_HASH=y > >+CONFIG_NFT_COUNTER=y > >+CONFIG_NFT_LOG=y > >+CONFIG_NFT_LIMIT=y > >+CONFIG_NFT_MASQ=y > >+CONFIG_NFT_REDIR=y > >+CONFIG_NFT_NAT=y > >+CONFIG_NFT_QUEUE=y > >+CONFIG_NFT_REJECT=y > >+CONFIG_NFT_REJECT_INET=y > >+CONFIG_NFT_COMPAT=y > >+CONFIG_NFT_CHAIN_ROUTE_IPV4=y > >+CONFIG_NFT_REJECT_IPV4=y > >+CONFIG_NFT_CHAIN_NAT_IPV4=y > >+CONFIG_NFT_MASQ_IPV4=y > >+# CONFIG_NFT_REDIR_IPV4 is not set > >+CONFIG_NFT_CHAIN_ROUTE_IPV6=y > >+CONFIG_NFT_REJECT_IPV6=y > >+CONFIG_NFT_CHAIN_NAT_IPV6=y > >+CONFIG_NFT_MASQ_IPV6=y > >+# CONFIG_NFT_REDIR_IPV6 is not set > >+CONFIG_NFT_BRIDGE_META=y > >+CONFIG_NFT_BRIDGE_REJECT=y > >+CONFIG_NF_LOG_BRIDGE=y > > > >BR, Kent -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5085): https://lists.cip-project.org/g/cip-dev/message/5085 Mute This Topic: https://lists.cip-project.org/mt/75699231/4520428 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129116/1171672734/xyzzy [patchwork-cip-dev@patchwork.kernel.org] -=-=-=-=-=-=-=-=-=-=-=-
> > I see. Thank you, Daniel. > > But, I'm wondering why conf/machine/qemu-amd64.conf doesn't define USE_CIP_KERNEL_CONFIG = "1". > > It does now. more accurately, it is in the next branch of isar-cip-core > > > Do you have any information for this, Dinesh or Venkata? > > I think we should reconfirm to add these configs to > > https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/mas > > ter/4.19.y- > > cip/x86/cip_qemu_defconfig. > > Or, have you already confirmed to build the image using this? > > I would prefer if cip-kernel-config had base configurations that are later extended with fragments (board-dependendencies, security layer > dependencies, etc.). However, that would be a whole new task that might take long. > > For now the more realistic approach is to add the security-related kernel configs to either cip_qemu_defconfig or to a fragment in isar-cip- > core and deby. > > Thanks, > Daniel > > > > > > >-----Original Message----- > > >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> > > >On Behalf Of Daniel Sangorrin via lists.cip-project.org > > >Sent: Tuesday, July 21, 2020 4:57 PM > > >To: cip-dev@lists.cip-project.org > > >Subject: Re: [cip-dev] Kindly review for kernel config changes > > > > > >Hi Kent, > > > > > >The configuration should go to > > >https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core. > > > > > >isar-cip-core and deby share cip-kernel-config configuration files. > > >*isar-cip-core still has the configuration files there but > > >conf/machine files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore. > > > > > >Actually that is a nother AI. > > > > > >Thanks, > > >Daniel > > > > > >________________________________________ > > >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> > > >on behalf of Kento Yoshida <kento.yoshida.wz@renesas.com> > > >Sent: Tuesday, July 21, 2020 4:12 PM > > >To: cip-dev@lists.cip-project.org > > >Subject: [cip-dev] Kindly review for kernel config changes > > > > > >Hi, > > > > > >The security working group need to use "nftables", and it requires to > > >add the below kernel configs to work. > > >Before merging to the master branch of "isar-cip-core", would you > > >kindly review to add the below configs by this Friday, everyone? > > > > > >--- a/recipes-kernel/linux/files/qemu-amd64_defconfig > > >+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig > > >@@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM is > > >not set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is > > >not set > > >+CONFIG_NF_TABLES=y > > >+CONFIG_NF_TABLES_INET=y > > >+CONFIG_NF_TABLES_NETDEV=y > > >+CONFIG_NFT_EXTHDR=y > > >+CONFIG_NFT_META=y > > >+CONFIG_NFT_CT=y > > >+CONFIG_NFT_RBTREE=y > > >+CONFIG_NFT_HASH=y > > >+CONFIG_NFT_COUNTER=y > > >+CONFIG_NFT_LOG=y > > >+CONFIG_NFT_LIMIT=y > > >+CONFIG_NFT_MASQ=y > > >+CONFIG_NFT_REDIR=y > > >+CONFIG_NFT_NAT=y > > >+CONFIG_NFT_QUEUE=y > > >+CONFIG_NFT_REJECT=y > > >+CONFIG_NFT_REJECT_INET=y > > >+CONFIG_NFT_COMPAT=y > > >+CONFIG_NFT_CHAIN_ROUTE_IPV4=y > > >+CONFIG_NFT_REJECT_IPV4=y > > >+CONFIG_NFT_CHAIN_NAT_IPV4=y > > >+CONFIG_NFT_MASQ_IPV4=y > > >+# CONFIG_NFT_REDIR_IPV4 is not set > > >+CONFIG_NFT_CHAIN_ROUTE_IPV6=y > > >+CONFIG_NFT_REJECT_IPV6=y > > >+CONFIG_NFT_CHAIN_NAT_IPV6=y > > >+CONFIG_NFT_MASQ_IPV6=y > > >+# CONFIG_NFT_REDIR_IPV6 is not set > > >+CONFIG_NFT_BRIDGE_META=y > > >+CONFIG_NFT_BRIDGE_REJECT=y > > >+CONFIG_NF_LOG_BRIDGE=y > > > > > >BR, Kent -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5086): https://lists.cip-project.org/g/cip-dev/message/5086 Mute This Topic: https://lists.cip-project.org/mt/75699231/4520428 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129116/1171672734/xyzzy [patchwork-cip-dev@patchwork.kernel.org] -=-=-=-=-=-=-=-=-=-=-=-
--- a/recipes-kernel/linux/files/qemu-amd64_defconfig +++ b/recipes-kernel/linux/files/qemu-amd64_defconfig @@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM is not set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is not set +CONFIG_NF_TABLES=y +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y +CONFIG_NFT_EXTHDR=y +CONFIG_NFT_META=y +CONFIG_NFT_CT=y +CONFIG_NFT_RBTREE=y +CONFIG_NFT_HASH=y +CONFIG_NFT_COUNTER=y +CONFIG_NFT_LOG=y +CONFIG_NFT_LIMIT=y +CONFIG_NFT_MASQ=y +CONFIG_NFT_REDIR=y +CONFIG_NFT_NAT=y +CONFIG_NFT_QUEUE=y +CONFIG_NFT_REJECT=y +CONFIG_NFT_REJECT_INET=y +CONFIG_NFT_COMPAT=y +CONFIG_NFT_CHAIN_ROUTE_IPV4=y +CONFIG_NFT_REJECT_IPV4=y +CONFIG_NFT_CHAIN_NAT_IPV4=y +CONFIG_NFT_MASQ_IPV4=y +# CONFIG_NFT_REDIR_IPV4 is not set +CONFIG_NFT_CHAIN_ROUTE_IPV6=y +CONFIG_NFT_REJECT_IPV6=y +CONFIG_NFT_CHAIN_NAT_IPV6=y +CONFIG_NFT_MASQ_IPV6=y +# CONFIG_NFT_REDIR_IPV6 is not set +CONFIG_NFT_BRIDGE_META=y +CONFIG_NFT_BRIDGE_REJECT=y +CONFIG_NF_LOG_BRIDGE=y