11-21-2019 04:14 PM
I am using Petalinux 2018.3. I want to start using Petalinux to build images with buildhistory turned on as part of an effort to make my builds more secure and easier to audit.
The default local.conf placed in build/conf/local.conf contains this line:
INHERIT_remove = "buildhistory icecc"
I am not supposed to edit this file, but rather project-spec/meta-user/conf/petalinuxbsp.conf which is included at the end of local.conf.
One would think that I could simply turn on build history again by adding this text to petalinuxbsp.conf:
INHERIT += "buildhistory"
BUILDHISTORY_COMMIT = "1"
BUILDHISTORY_FEATURES = "image package"
However, this is ineffective, because Yocto doesn't allow overriding a "_remove" statement:
NOTE: the _remove operation is final - you cannot "undo" it with other operations elsewhere, thus you should really only make use of it in your distro / local configuration and not in layers that you expect others to re-use for different purposes (and therefore they may need to undo your changes).
What seems most frustrating to me is that in the base Yocto source in petalinux, buildhistory is enabled in meta-petalinux/conf/distro/petalinux.conf. I can see from screen dumps in this forum that users who build directly with bitbake do get build history written. So the Xilinx product of Petalinux has disabled a feature that the Xilinx contribution to Yocto turned on. I see that icecc is also disabled for unspecified reasons, but as I'm not building on a cluster that is less relevant.
Anyway, what is the best way to enable this feature? Right now I'm going against the advice in the file comments and directly modifying build/conf/local.conf to remove buildhistory from the INHERIT_remove statement. Is the only other alternative to abandon the petalinux tool and do everything in straight Yocto? That also seems to be a requirement if I want to use SELinux.
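The local.conf workaround described in the post above, as an added example that is not part of the original post and not Xilinx code: a re-runnable shell function that drops only the buildhistory token from an INHERIT_remove line, leaves icecc in place, and keeps a backup. The function name and the .orig backup suffix are assumptions; the INHERIT and BUILDHISTORY_* lines from the post still have to be present in petalinuxbsp.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Edits a BitBake conf file such as
# build/conf/local.conf so that INHERIT_remove no longer names buildhistory.

# strip_buildhistory_remove FILE
# Returns 0 if FILE was changed, 1 if no change was needed, 2 on error.
strip_buildhistory_remove() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    tmp=$(mktemp) || return 2
    awk '
        /^[ \t]*INHERIT_remove[ \t]*=/ {
            # Split the quoted value on whitespace and drop the exact token.
            if (match($0, /"[^"]*"/)) {
                val = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(val, tok, /[ \t]+/)
                out = ""
                for (i = 1; i <= n; i++)
                    if (tok[i] != "" && tok[i] != "buildhistory")
                        out = out (out == "" ? "" : " ") tok[i]
                $0 = substr($0, 1, RSTART) out substr($0, RSTART + RLENGTH - 1)
            }
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Identical output means buildhistory was not listed: leave FILE alone.
    if cmp -s "$conf" "$tmp"; then rm -f "$tmp"; return 1; fi
    # Keep the original for audit, then overwrite in place (same inode/mode).
    cp "$conf" "$conf.orig" && cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    return 0
}

# Demo on constructed input: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '%s\n' 'INHERIT_remove = "buildhistory icecc"' > "$demo"
    strip_buildhistory_remove "$demo" && cat "$demo"   # INHERIT_remove = "icecc"
    rm -f "$demo" "$demo.orig"
fi
```

Running `bitbake -e` afterwards and looking at the final INHERIT value confirms whether buildhistory is actually inherited.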
11-21-2019 04:32 PM
Apparently this forum is also how we report bugs, so I'd like this to be considered one. An easy fix is to move the INHERIT_remove statement into the boilerplate text that is installed in conf/distro/petalinuxbsp.conf when it is generated. It keeps buildhistory disabled by default, but the user can turn it on if they wish.
Furthermore, I think that the purpose of conf/distro/petalinuxbsp.conf should be more expressly described in UG1144. There are several points in the document where the user is told to modify the file, but zero discussion of why the file exists at all.
11-26-2019 09:40 PM
One possibility is to modify this in your petalinux install. I like to have the source and build artifacts remain in my build. But local.conf always has rm-work enabled, so I just modified the petalinux source so any petalinux project I do automatically gets the change.