diff mbox series

Kindly review for kernel config changes

Message ID OSYPR01MB53662AC2C72A42E9C766B989DF780@OSYPR01MB5366.jpnprd01.prod.outlook.com
State Accepted

Commit Message

Kento Yoshida July 21, 2020, 7:12 a.m. UTC
Hi,

The security working group needs to use "nftables", and it requires adding the kernel configs below to work.
Before merging to the master branch of "isar-cip-core", would you kindly review adding the configs below by this Friday, everyone?


BR, Kent
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4943): https://lists.cip-project.org/g/cip-dev/message/4943
Mute This Topic: https://lists.cip-project.org/mt/75699231/4520428
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129116/1171672734/xyzzy  [patchwork-cip-dev@patchwork.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Comments

Daniel Sangorrin July 21, 2020, 7:56 a.m. UTC | #1
Hi Kent,

The configuration should go to https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core.

isar-cip-core and deby share cip-kernel-config configuration files.
*isar-cip-core still has the configuration files there but conf/machine files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore.

Actually that is another AI.

Thanks,
Daniel
Kento Yoshida July 21, 2020, 8:40 a.m. UTC | #2
>isar-cip-core and deby share cip-kernel-config configuration files.
>*isar-cip-core still has the configuration files there but conf/machine files with
>USE_CIP_KERNEL_CONFIG = "1" do not use them anymore.

I see. Thank you, Daniel.
But, I'm wondering why conf/machine/qemu-amd64.conf doesn't define USE_CIP_KERNEL_CONFIG = "1".

Do you have any information for this, Dinesh or Venkata?
I think we should reconfirm to add these configs to https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/master/4.19.y-cip/x86/cip_qemu_defconfig.
Or, have you already confirmed to build the image using this?

BR, Kent

>-----Original Message-----
>From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
>Daniel Sangorrin via lists.cip-project.org
>Sent: Tuesday, July 21, 2020 4:57 PM
>To: cip-dev@lists.cip-project.org
>Subject: Re: [cip-dev] Kindly review for kernel config changes
>
>Hi Kent,
>
>The configuration should go to
>https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core.
>
>isar-cip-core and deby share cip-kernel-config configuration files.
>*isar-cip-core still has the configuration files there but conf/machine files with
>USE_CIP_KERNEL_CONFIG = "1" do not use them anymore.
>
>Actually that is another AI.
>
>Thanks,
>Daniel
>
>________________________________________
>From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of
>Kento Yoshida <kento.yoshida.wz@renesas.com>
>Sent: Tuesday, July 21, 2020 4:12 PM
>To: cip-dev@lists.cip-project.org
>Subject: [cip-dev] Kindly review for kernel config changes
>
>Hi,
>
>The security working group need to use "nftables", and it requires to add the
>below kernel configs to work.
>Before merging to the master branch of "isar-cip-core", would you kindly review to
>add the below configs by this Friday, everyone?
>
>--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
>+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
>@@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM
>is not set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is
>not set
>+CONFIG_NF_TABLES=y
>+CONFIG_NF_TABLES_INET=y
>+CONFIG_NF_TABLES_NETDEV=y
>+CONFIG_NFT_EXTHDR=y
>+CONFIG_NFT_META=y
>+CONFIG_NFT_CT=y
>+CONFIG_NFT_RBTREE=y
>+CONFIG_NFT_HASH=y
>+CONFIG_NFT_COUNTER=y
>+CONFIG_NFT_LOG=y
>+CONFIG_NFT_LIMIT=y
>+CONFIG_NFT_MASQ=y
>+CONFIG_NFT_REDIR=y
>+CONFIG_NFT_NAT=y
>+CONFIG_NFT_QUEUE=y
>+CONFIG_NFT_REJECT=y
>+CONFIG_NFT_REJECT_INET=y
>+CONFIG_NFT_COMPAT=y
>+CONFIG_NFT_CHAIN_ROUTE_IPV4=y
>+CONFIG_NFT_REJECT_IPV4=y
>+CONFIG_NFT_CHAIN_NAT_IPV4=y
>+CONFIG_NFT_MASQ_IPV4=y
>+# CONFIG_NFT_REDIR_IPV4 is not set
>+CONFIG_NFT_CHAIN_ROUTE_IPV6=y
>+CONFIG_NFT_REJECT_IPV6=y
>+CONFIG_NFT_CHAIN_NAT_IPV6=y
>+CONFIG_NFT_MASQ_IPV6=y
>+# CONFIG_NFT_REDIR_IPV6 is not set
>+CONFIG_NFT_BRIDGE_META=y
>+CONFIG_NFT_BRIDGE_REJECT=y
>+CONFIG_NF_LOG_BRIDGE=y
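
Review bot: the target file is the main concern: the hunk appends to recipes-kernel/linux/files/qemu-amd64_defconfig inside isar-cip-core, and per the reply quoted above, conf/machine files that set USE_CIP_KERNEL_CONFIG = "1" no longer use the configuration files kept there, so on those machines the added lines would have no effect. Carry the nftables symbols in cip-kernel-config's cip_qemu_defconfig or in a dedicated fragment instead, and avoid appending them after the unrelated XZ_DEC options at the end of the file.
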
>
>BR, Kent
Daniel Sangorrin July 22, 2020, 2:02 a.m. UTC | #3
Hi Kent,

Let me check if we can use the cip-kernel-config version on ISAR and remove the one in isar-cip-core.

I will also add nftables as a fragment to isar-cip-core until you tell me that it needs long-term support. If it needs long-term support we will have to move it to cip-kernel-config.

Thanks,
Daniel
Daniel Sangorrin Aug. 4, 2020, 4:12 a.m. UTC | #4
Hi Kent,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Kento Yoshida
> Sent: Tuesday, July 21, 2020 5:40 PM
> To: cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] Kindly review for kernel config changes
> 
> >isar-cip-core and deby share cip-kernel-config configuration files.
> >*isar-cip-core still has the configuration files there but conf/machine
> >files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore.
> 
> I see. Thank you, Daniel.
> But, I'm wondering why conf/machine/qemu-amd64.conf doesn't define USE_CIP_KERNEL_CONFIG = "1".

It does now.

> Do you have any information for this, Dinesh or Venkata?
> I think we should reconfirm to add these configs to https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/master/4.19.y-
> cip/x86/cip_qemu_defconfig.
> Or, have you already confirmed to build the image using this?

I would prefer if cip-kernel-config had base configurations that are later extended with fragments (board dependencies, security layer dependencies, etc.). However, that would be a whole new task that might take long.

For now the more realistic approach is to add the security-related kernel configs to either cip_qemu_defconfig or to a fragment in isar-cip-core and deby.

Thanks,
Daniel




> >-----Original Message-----
> >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On
> >Behalf Of Daniel Sangorrin via lists.cip-project.org
> >Sent: Tuesday, July 21, 2020 4:57 PM
> >To: cip-dev@lists.cip-project.org
> >Subject: Re: [cip-dev] Kindly review for kernel config changes
> >
> >Hi Kent,
> >
> >The configuration should go to
> >https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core.
> >
> >isar-cip-core and deby share cip-kernel-config configuration files.
> >*isar-cip-core still has the configuration files there but conf/machine
> >files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore.
> >
> >Actually that is another AI.
> >
> >Thanks,
> >Daniel
> >
> >________________________________________
> >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on
> >behalf of Kento Yoshida <kento.yoshida.wz@renesas.com>
> >Sent: Tuesday, July 21, 2020 4:12 PM
> >To: cip-dev@lists.cip-project.org
> >Subject: [cip-dev] Kindly review for kernel config changes
> >
> >Hi,
> >
> >The security working group need to use "nftables", and it requires to
> >add the below kernel configs to work.
> >Before merging to the master branch of "isar-cip-core", would you
> >kindly review to add the below configs by this Friday, everyone?
> >
> >--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
> >+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
> >@@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM is not
> >set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is not
> >set
> >+CONFIG_NF_TABLES=y
> >+CONFIG_NF_TABLES_INET=y
> >+CONFIG_NF_TABLES_NETDEV=y
> >+CONFIG_NFT_EXTHDR=y
> >+CONFIG_NFT_META=y
> >+CONFIG_NFT_CT=y
> >+CONFIG_NFT_RBTREE=y
> >+CONFIG_NFT_HASH=y
> >+CONFIG_NFT_COUNTER=y
> >+CONFIG_NFT_LOG=y
> >+CONFIG_NFT_LIMIT=y
> >+CONFIG_NFT_MASQ=y
> >+CONFIG_NFT_REDIR=y
> >+CONFIG_NFT_NAT=y
> >+CONFIG_NFT_QUEUE=y
> >+CONFIG_NFT_REJECT=y
> >+CONFIG_NFT_REJECT_INET=y
> >+CONFIG_NFT_COMPAT=y
> >+CONFIG_NFT_CHAIN_ROUTE_IPV4=y
> >+CONFIG_NFT_REJECT_IPV4=y
> >+CONFIG_NFT_CHAIN_NAT_IPV4=y
> >+CONFIG_NFT_MASQ_IPV4=y
> >+# CONFIG_NFT_REDIR_IPV4 is not set
> >+CONFIG_NFT_CHAIN_ROUTE_IPV6=y
> >+CONFIG_NFT_REJECT_IPV6=y
> >+CONFIG_NFT_CHAIN_NAT_IPV6=y
> >+CONFIG_NFT_MASQ_IPV6=y
> >+# CONFIG_NFT_REDIR_IPV6 is not set
> >+CONFIG_NFT_BRIDGE_META=y
> >+CONFIG_NFT_BRIDGE_REJECT=y
> >+CONFIG_NF_LOG_BRIDGE=y
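
Review bot: the family symbols do not match the per-family options being added: the hunk sets CONFIG_NF_TABLES_INET and CONFIG_NF_TABLES_NETDEV but no NF_TABLES_IPV4, NF_TABLES_IPV6 or NF_TABLES_BRIDGE, while it adds IPv4, IPv6 and bridge options (NFT_CHAIN_ROUTE_IPV4, NFT_CHAIN_ROUTE_IPV6, NFT_BRIDGE_META and so on). The same goes for conntrack and NAT, which NFT_CT, NFT_NAT and NFT_MASQ need and which the three context lines do not show. Kconfig drops symbols with unmet dependencies without failing the build, so confirm those prerequisites are already in the defconfig or add them here, and compare the generated .config against this list after building.
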
> >
> >BR, Kent
Daniel Sangorrin Aug. 4, 2020, 4:12 a.m. UTC | #5
> > I see. Thank you, Daniel.
> > But, I'm wondering why conf/machine/qemu-amd64.conf doesn't define USE_CIP_KERNEL_CONFIG = "1".
> 
> It does now.

More accurately, it is in the next branch of isar-cip-core.

> 
> > Do you have any information for this, Dinesh or Venkata?
> > I think we should reconfirm to add these configs to
> > https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/mas
> > ter/4.19.y-
> > cip/x86/cip_qemu_defconfig.
> > Or, have you already confirmed to build the image using this?
> 
> I would prefer if cip-kernel-config had base configurations that are later extended with fragments (board dependencies, security layer
> dependencies, etc.). However, that would be a whole new task that might take long.
> 
> For now the more realistic approach is to add the security-related kernel configs to either cip_qemu_defconfig or to a fragment in isar-cip-
> core and deby.
> 
> Thanks,
> Daniel
> 
> 
> 
> 
> > >-----Original Message-----
> > >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org>
> > >On Behalf Of Daniel Sangorrin via lists.cip-project.org
> > >Sent: Tuesday, July 21, 2020 4:57 PM
> > >To: cip-dev@lists.cip-project.org
> > >Subject: Re: [cip-dev] Kindly review for kernel config changes
> > >
> > >Hi Kent,
> > >
> > >The configuration should go to
> > >https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core.
> > >
> > >isar-cip-core and deby share cip-kernel-config configuration files.
> > >*isar-cip-core still has the configuration files there but
> > >conf/machine files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore.
> > >
> > >Actually that is another AI.
> > >
> > >Thanks,
> > >Daniel
> > >
> > >________________________________________
> > >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org>
> > >on behalf of Kento Yoshida <kento.yoshida.wz@renesas.com>
> > >Sent: Tuesday, July 21, 2020 4:12 PM
> > >To: cip-dev@lists.cip-project.org
> > >Subject: [cip-dev] Kindly review for kernel config changes
> > >
> > >Hi,
> > >
> > >The security working group need to use "nftables", and it requires to
> > >add the below kernel configs to work.
> > >Before merging to the master branch of "isar-cip-core", would you
> > >kindly review to add the below configs by this Friday, everyone?
> > >
> > >--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
> > >+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
> > >@@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM is
> > >not set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is
> > >not set
> > >+CONFIG_NF_TABLES=y
> > >+CONFIG_NF_TABLES_INET=y
> > >+CONFIG_NF_TABLES_NETDEV=y
> > >+CONFIG_NFT_EXTHDR=y
> > >+CONFIG_NFT_META=y
> > >+CONFIG_NFT_CT=y
> > >+CONFIG_NFT_RBTREE=y
> > >+CONFIG_NFT_HASH=y
> > >+CONFIG_NFT_COUNTER=y
> > >+CONFIG_NFT_LOG=y
> > >+CONFIG_NFT_LIMIT=y
> > >+CONFIG_NFT_MASQ=y
> > >+CONFIG_NFT_REDIR=y
> > >+CONFIG_NFT_NAT=y
> > >+CONFIG_NFT_QUEUE=y
> > >+CONFIG_NFT_REJECT=y
> > >+CONFIG_NFT_REJECT_INET=y
> > >+CONFIG_NFT_COMPAT=y
> > >+CONFIG_NFT_CHAIN_ROUTE_IPV4=y
> > >+CONFIG_NFT_REJECT_IPV4=y
> > >+CONFIG_NFT_CHAIN_NAT_IPV4=y
> > >+CONFIG_NFT_MASQ_IPV4=y
> > >+# CONFIG_NFT_REDIR_IPV4 is not set
> > >+CONFIG_NFT_CHAIN_ROUTE_IPV6=y
> > >+CONFIG_NFT_REJECT_IPV6=y
> > >+CONFIG_NFT_CHAIN_NAT_IPV6=y
> > >+CONFIG_NFT_MASQ_IPV6=y
> > >+# CONFIG_NFT_REDIR_IPV6 is not set
> > >+CONFIG_NFT_BRIDGE_META=y
> > >+CONFIG_NFT_BRIDGE_REJECT=y
> > >+CONFIG_NF_LOG_BRIDGE=y
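
Review bot: every enabled symbol in this hunk is built in (=y), including CONFIG_NFT_COMPAT, CONFIG_NFT_QUEUE, CONFIG_NF_TABLES_NETDEV and the three bridge options, which is a wider netfilter surface than a basic nftables ruleset needs. Since the request comes from the security working group, list which families and expressions the intended ruleset actually uses and drop the rest, or state in the change description why each one is required.
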
> > >
> > >BR, Kent

Patch

--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
@@ -351,3 +351,34 @@  CONFIG_CRYPTO_DEV_CCP=y
# CONFIG_XZ_DEC_ARM is not set
# CONFIG_XZ_DEC_ARMTHUMB is not set
# CONFIG_XZ_DEC_SPARC is not set
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_EXTHDR=y
+CONFIG_NFT_META=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_RBTREE=y
+CONFIG_NFT_HASH=y
+CONFIG_NFT_COUNTER=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_QUEUE=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NFT_CHAIN_ROUTE_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+CONFIG_NFT_CHAIN_NAT_IPV4=y
+CONFIG_NFT_MASQ_IPV4=y
+# CONFIG_NFT_REDIR_IPV4 is not set
+CONFIG_NFT_CHAIN_ROUTE_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+CONFIG_NFT_CHAIN_NAT_IPV6=y
+CONFIG_NFT_MASQ_IPV6=y
+# CONFIG_NFT_REDIR_IPV6 is not set
+CONFIG_NFT_BRIDGE_META=y
+CONFIG_NFT_BRIDGE_REJECT=y
+CONFIG_NF_LOG_BRIDGE=y
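
Review bot: CONFIG_NFT_REDIR=y is set while both of its family options are explicitly disabled (# CONFIG_NFT_REDIR_IPV4 is not set, # CONFIG_NFT_REDIR_IPV6 is not set), unlike NFT_MASQ, whose IPV4 and IPV6 options are both enabled a few lines away. Either enable the two REDIR family options so that redirect rules can be used, or drop CONFIG_NFT_REDIR=y; as written the combination looks unintended.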