Missing "features/ima/ima.scc" when trying to integrate "meta-integrity"

Hi Toradex community,

I’m currently trying to enable DISTRO_FEATURES ‘integrity’ and ‘ima’ from meta-security/meta-integrity in our BSPs using the pinned versions from Toradex BSP 5.7.2 and 6.2.0, respectively. As soon as I add the ‘ima’ feature, kernel compilation fails with this error:

NOTE: do_kernel_metadata: for summary/debug, set KCONF_AUDIT_LEVEL > 0
| ERROR: Feature 'features/ima/ima.scc' not found, this will cause configuration failures.

To exclude effects from our own distribution and machine configuration, I tried with the standard Toradex BSP, colibri-imx7-emmc as machine and tdx-reference-minimal-image (where I removed connman-plugin-wifi because it caused an error when enabling the ‘integrity’ feature). The behaviour is exactly the same as for our BSPs.

The missing file is part of the Yocto kernel metadata yocto-kernel-cache. Walking through Toradex’ kernel recipes I understood that ‘linux-toradex-mainline_x.y.bb’ recipes inherit ‘kernel-yocto’, so I would expect the kernel recipes to be “linux-yocto style” recipes already containing metadata. But I don’t find any *.scc file in my build folder, which would fit the error message above. When browsing [ima « features - yocto-kernel-cache - Patches and configuration for the linux-yocto kernel tree] I can see that the files are definitely there, so my question is: Where is my mistake? Is the kernel metadata not pulled? If it is pulled, where is it normally located?

Hope someone can help me out! Thanks in advance!
Cheers, Marc

Colibri iMX7 Dual 1GB
Linux BSP 5.7.2
Linux BSP 6.2.0

features/ima/ima.scc is a file that needs to be placed into the right directory. I had to do this as well due to recent changes in Yocto. You can have a look at my branch here to see how I resolved it: Commits · stefanberger/openbmc · GitHub

The challenge for me was to find the right directory to create features/ima/ima.scc under, but once that was done it just worked (as before the Yocto change).


Hello Stefan,

this is indeed working, but shouldn’t the kernel metadata from ‘yocto-kernel-cache’ be pulled automatically in the right version? So that, for example, if I switched from kernel version 5 to 6, I would get changed config options automatically instead of having to manually maintain scc and cfg files in my recipe together with bbappend files for different kernel versions?

Cheers, Marc

Thanks for the reply, btw :)

Hi @marc.windisch !

Toradex’s BSP doesn’t have the yocto-kernel-cache (Advanced Metadata - https://docs.yoctoproject.org/kernel-dev/advanced.html) in place, so, if you need it, you will have to handle/maintain it yourself.

As an example, our TorizonCore distro makes use of Advanced Metadata and it is kept outside of the basic BSP layers: GitHub - toradex/toradex-kernel-cache: Patches and configuration for the Toradex kernel tree.

Best regards,
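
Added example, not written by any poster in this thread and not Toradex or Yocto code: a small Python check that reports which KERNEL_FEATURES entries resolve to an .scc file under a given set of metadata directories, and whether the kconf/patch fragments each .scc names exist beside it. The function names, the search directories passed in, and the sample ima.scc/ima.cfg contents are assumptions constructed for illustration; it does not model how kernel-yocto builds its own search path.

```python
import os
import tempfile

def resolve_feature(feature, search_dirs):
    """Return the first path where `feature` exists under a search dir, else None."""
    for root in search_dirs:
        candidate = os.path.join(root, feature)
        if os.path.isfile(candidate):
            return candidate
    return None

def missing_fragments(scc_path):
    """List kconf/patch files named in an .scc that are absent beside it."""
    missing = []
    base = os.path.dirname(scc_path)  # assumption: fragments sit next to the .scc
    with open(scc_path) as fh:
        for line in fh:
            words = line.split("#", 1)[0].split()
            if not words:
                continue
            # "kconf <type> <file.cfg>" and "patch <file.patch>": file is the last word
            if words[0] in ("kconf", "patch") and len(words) >= 2:
                if not os.path.isfile(os.path.join(base, words[-1])):
                    missing.append(words[-1])
    return missing

def audit(kernel_features, search_dirs):
    """Map each KERNEL_FEATURES entry to 'not found', 'ok' or its missing fragments."""
    report = {}
    for feature in kernel_features.split():
        scc = resolve_feature(feature, search_dirs)
        if scc is None:
            report[feature] = "not found"
        else:
            gaps = missing_fragments(scc)
            report[feature] = "ok" if not gaps else "missing: " + ", ".join(gaps)
    return report

def demo():
    """Constructed layout: one metadata dir holding ima.scc but not yet ima.cfg."""
    with tempfile.TemporaryDirectory() as kmeta:
        os.makedirs(os.path.join(kmeta, "features/ima"))
        with open(os.path.join(kmeta, "features/ima/ima.scc"), "w") as fh:
            fh.write('define KFEATURE_DESCRIPTION "Enable IMA"\n'
                     "kconf non-hardware ima.cfg\n")
        before = audit("features/ima/ima.scc", [])        # no metadata directory at all
        partial = audit("features/ima/ima.scc", [kmeta])  # .scc present, .cfg absent
        open(os.path.join(kmeta, "features/ima/ima.cfg"), "w").close()
        after = audit("features/ima/ima.scc", [kmeta])
    return before, partial, after

if __name__ == "__main__":
    for step in demo():
        print(step)
```
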