Re: Kindly review for kernel config changes


Daniel Sangorrin <daniel.sangorrin@...>
 

I see. Thank you, Daniel.
But, I'm wondering why conf/machine/qemu-amd64.conf doesn't define USE_CIP_KERNEL_CONFIG = "1".
It does now.
More accurately, it is in the next branch of isar-cip-core.


Do you have any information for this, Dinesh or Venkata?
I think we should reconfirm to add these configs to
https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/master/4.19.y-cip/x86/cip_qemu_defconfig.
Or, have you already confirmed to build the image using this?
I would prefer if cip-kernel-config had base configurations that are later extended with fragments (board-dependencies, security layer dependencies, etc.). However, that would be a whole new task that might take long.

For now the more realistic approach is to add the security-related kernel configs to either cip_qemu_defconfig or to a fragment in isar-cip-core and deby.

Thanks,
Daniel




-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org>
On Behalf Of Daniel Sangorrin via lists.cip-project.org
Sent: Tuesday, July 21, 2020 4:57 PM
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] Kindly review for kernel config changes

Hi Kent,

The configuration should go to
https://gitlab.com/cip-project/cip-kernel/cip-kernel-config not isar-cip-core.

isar-cip-core and deby share cip-kernel-config configuration files.
*isar-cip-core still has the configuration files there but
conf/machine files with USE_CIP_KERNEL_CONFIG = "1" do not use them anymore.

Actually that is another AI.

Thanks,
Daniel

________________________________________
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org>
on behalf of Kento Yoshida <kento.yoshida.wz@renesas.com>
Sent: Tuesday, July 21, 2020 4:12 PM
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] Kindly review for kernel config changes

Hi,

The security working group needs to use "nftables", and it requires
adding the below kernel configs to work.
Before merging to the master branch of "isar-cip-core", would you
kindly review adding the below configs by this Friday, everyone?

--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
@@ -351,3 +351,34 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM is
not set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is
not set
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_EXTHDR=y
+CONFIG_NFT_META=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_RBTREE=y
+CONFIG_NFT_HASH=y
+CONFIG_NFT_COUNTER=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_QUEUE=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NFT_CHAIN_ROUTE_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+CONFIG_NFT_CHAIN_NAT_IPV4=y
+CONFIG_NFT_MASQ_IPV4=y
+# CONFIG_NFT_REDIR_IPV4 is not set
+CONFIG_NFT_CHAIN_ROUTE_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+CONFIG_NFT_CHAIN_NAT_IPV6=y
+CONFIG_NFT_MASQ_IPV6=y
+# CONFIG_NFT_REDIR_IPV6 is not set
+CONFIG_NFT_BRIDGE_META=y
+CONFIG_NFT_BRIDGE_REJECT=y
+CONFIG_NF_LOG_BRIDGE=y
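
Review bot: CONFIG_NFT_REDIR=y is enabled, but the two lines "# CONFIG_NFT_REDIR_IPV4 is not set" and "# CONFIG_NFT_REDIR_IPV6 is not set" leave the per-family redirect support off, unlike masquerade, where CONFIG_NFT_MASQ_IPV4 and CONFIG_NFT_MASQ_IPV6 are both =y. Either enable the two REDIR_IPV* options or drop CONFIG_NFT_REDIR, and state the reason in the commit message. The per-family chain options (CONFIG_NFT_CHAIN_ROUTE_IPV4, CONFIG_NFT_CHAIN_NAT_IPV6 and the like) and the bridge options at the end of the hunk are added without CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_IPV6 or CONFIG_NF_TABLES_BRIDGE among the new lines; if those parents are not already set earlier in the file, Kconfig will drop the children without an error, so compare the generated .config against this list before merging. Every option is built in (=y) with none as a module, which is worth a sentence of justification since it enlarges the kernel image for every user of this defconfig. As the replies point out, machines with USE_CIP_KERNEL_CONFIG = "1" no longer read this file, so the same options must also land in cip-kernel-config to take effect there.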

BR, Kent
