From 6846321a29c9ab27caf0d43c1dce320ae5135284 Mon Sep 17 00:00:00 2001
From: Mikhail Malyshev
Date: Sat, 28 Oct 2023 23:38:55 +0000
Subject: [PATCH 1/4] Override ACS capability even if it is supported by device
Revert ACS override logic to its original form. Trusting ACS capabilities on root ports breaks IOMMU groups on Siemens IPC127.
Signed-off-by: Mikhail Malyshev
---
 drivers/pci/quirks.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index 911125181c559..d402e82e8430b 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -267,9 +267,8 @@ static int pcie_acs_overrides(struct pci_dev *dev, u16 acs_flags)
 {
 int i;
- /* Never override ACS for legacy devices or devices with ACS caps */
- if (!pci_is_pcie(dev) ||
- pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS))
+ /* Never override ACS for legacy devices */
+ if (!pci_is_pcie(dev))
 return -ENOTTY;
 for (i = 0; i < max_acs_id; i++)
@@ -277,18 +276,18 @@ static int pcie_acs_overrides(struct pci_dev *dev, u16 acs_flags)
 acs_on_ids[i].device == dev->device)
 return 1;
-switch (pci_pcie_type(dev)) {
- case PCI_EXP_TYPE_DOWNSTREAM:
- case PCI_EXP_TYPE_ROOT_PORT:
- if (acs_on_downstream)
- return 1;
- break;
- case PCI_EXP_TYPE_ENDPOINT:
- case PCI_EXP_TYPE_UPSTREAM:
- case PCI_EXP_TYPE_LEG_END:
- case PCI_EXP_TYPE_RC_END:
- if (acs_on_multifunction && dev->multifunction)
- return 1;
+ switch (pci_pcie_type(dev)) {
+ case PCI_EXP_TYPE_DOWNSTREAM:
+ case PCI_EXP_TYPE_ROOT_PORT:
+ if (acs_on_downstream)
+ return 1;
+ break;
+ case PCI_EXP_TYPE_ENDPOINT:
+ case PCI_EXP_TYPE_UPSTREAM:
+ case PCI_EXP_TYPE_LEG_END:
+ case PCI_EXP_TYPE_RC_END:
+ if (acs_on_multifunction && dev->multifunction)
+ return 1;
 }
 return -ENOTTY;
From e0f492255a5a6cde8bf7d237aba4f9d071a38823 Mon Sep 17 00:00:00 2001
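Review bot: Removing the `pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS)` test in the first hunk lets the blanket `acs_on_downstream` and `acs_on_multifunction` modes claim ACS isolation for devices that expose a real ACS capability, so the kernel will treat such a root port as isolated (presumably splitting its IOMMU group, which is what the commit message wants for the IPC127) regardless of what the device's own ACS control bits actually enable. A narrower fix that still serves that board would keep the check but move it below the `acs_on_ids` loop, so only an explicit per-device `id:` override can bypass real ACS: `if (pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS)) return -ENOTTY;` placed after the loop's `return 1;`. Whichever is chosen, the surviving comment should record the trade-off, e.g. `/* Never override ACS for legacy devices; an ACS-capable device is overridden too, so its hardware ACS state is ignored for isolation */`. The second hunk is a pure re-indentation of the switch; the function's signature line precedes the first hunk.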
From: Mikhail Malyshev
Date: Sat, 28 Oct 2023 23:56:31 +0000
Subject: [PATCH 2/4] Set a number of commit hash digits for kernel version
Different git versions may produce different number of digits for short commit hash. We should set a number of digits explicitly to have predictable results For Linux kernel 12 is a recommended number
Signed-off-by: Mikhail Malyshev
---
 Makefile.eve | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.eve b/Makefile.eve
index 652b9ff1af243..2eeee4acde969 100644
--- a/Makefile.eve
+++ b/Makefile.eve
@@ -1,5 +1,5 @@
 # Title: Dockerfile for building the EVE kernel
-VERSION=$(shell git rev-parse --short HEAD)
+VERSION=$(shell git rev-parse --short=12 HEAD)
 DIRTY=$(shell git diff --quiet || echo '-dirty')
 EVE_FLAVOR=generic
 ARCHITECTURE=amd64
From 81f0b6d46693c5d569777512420eced89134ba12 Mon Sep 17 00:00:00 2001
From: Mikhail Malyshev
Date: Sun, 29 Oct 2023 00:16:03 +0000
Subject: [PATCH 3/4] Set LOCALVERSION variable to display commit hash in kernel version
Signed-off-by: Mikhail Malyshev
---
 Dockerfile.gcc | 16 +++++++++-------
 Makefile.eve | 1 +
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/Dockerfile.gcc b/Dockerfile.gcc
index e0c9338721f71..e1360a20f23f4 100644
--- a/Dockerfile.gcc
+++ b/Dockerfile.gcc
@@ -5,6 +5,7 @@ ARG KERNEL_BIN=arch/x86/boot/bzImage
 # set from a Makefile.eve
 ARG SOURCE_DATE_EPOCH
 ARG KBUILD_BUILD_TIMESTAMP
+ARG LOCALVERSION
 FROM --platform=${BUILDPLATFORM} alpine:${ALPINE_VERSION} as builder-native-base
 RUN apk add make flex bison elfutils-dev openssl-dev findutils diffutils perl ccache gcc libgcc musl-dev \
@@ -75,6 +76,7 @@ ARG SOURCE_DATE_EPOCH
 ARG KBUILD_BUILD_TIMESTAMP
 ARG KERNEL_CONFIG
 ARG KERNEL_BIN
+ARG LOCALVERSION
 # ARCH and CROSS_COMPILE are inherited from builder-${TARGETARCH}-${BUILDARCH}
 # ARCH is always set to the target arch
 # CROSS_COMPILE is set to empty string for native builds
@@ -95,12 +97,12 @@ RUN --mount=type=cache,target=/root/.cache/ccache,id=kernel-ccache-${TARGETARCH}
 echo "Building kernel for ${TARGETARCH} with ARCH=${ARCH} and CROSS_COMPILE=${CROSS_COMPILE}" && \
 make -j$(nproc) mrproper \
 && make O=/kernel-out ${KERNEL_CONFIG} \
- && make O=/kernel-out -j$(nproc) prepare \
- && make O=/kernel-out -j$(nproc) \
- && make O=/kernel-out -j$(nproc) modules \
- && make O=/kernel-out -j$(nproc) modules_install INSTALL_MOD_STRIP=1 \
- INSTALL_MOD_PATH=/tmp/kernel-modules && \
- ccache -s
+ && make O=/kernel-out LOCALVERSION="-${LOCALVERSION}" -j$(nproc) prepare \
+ && make O=/kernel-out LOCALVERSION="-${LOCALVERSION}" -j$(nproc) \
+ && make O=/kernel-out LOCALVERSION="-${LOCALVERSION}" -j$(nproc) modules \
+ && make O=/kernel-out LOCALVERSION="-${LOCALVERSION}" -j$(nproc) modules_install INSTALL_MOD_STRIP=1 \
+ INSTALL_MOD_PATH=/tmp/kernel-modules \
+ && ccache -s
 ADD https://github.com/mikem-zed/zfs.git#eve-zfs-2.1.12 /tmp/zfs
 WORKDIR /tmp/zfs
@@ -171,4 +173,4 @@ FROM scratch
 ENTRYPOINT []
 CMD []
 WORKDIR /
-COPY --from=artifacts /out/* /
\ No newline at end of file
+COPY --from=artifacts /out/* /
diff --git a/Makefile.eve b/Makefile.eve
index 2eeee4acde969..d194330180c0c 100644
--- a/Makefile.eve
+++ b/Makefile.eve
@@ -35,6 +35,7 @@ kernel-%: Dockerfile.%
 docker buildx build \
 --build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
 --build-arg="KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP)" \
+ --build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \
 --platform $(PLATFORM) -t lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$* --load -f Dockerfile.$* .
 docker-tag-%:
From c37a7dc3f0d66276db09135a0a495927a8cb0716 Mon Sep 17 00:00:00 2001
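Review bot: `LOCALVERSION="-${LOCALVERSION}"` on the four added make lines prepends the dash unconditionally, so a build that does not pass the LOCALVERSION build-arg (the `ARG LOCALVERSION` declarations added in the two earlier hunks carry no default) produces a kernel release string ending in a bare `-`. Making the suffix conditional fixes that and removes the four-fold repetition: compute it once at the top of the script with `LV="${LOCALVERSION:+-${LOCALVERSION}}" && \` and pass `LOCALVERSION="$LV"` to each make invocation. The `RUN --mount=...` line that opens this shell script sits just before the hunk.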
From: Mikhail Malyshev
Date: Mon, 30 Oct 2023 23:32:44 +0000
Subject: [PATCH 4/4] Add SBOM generation
Two *.spdx.json files are produced: one for Dockerfile.* that covers external dependencies e.g. ZFS and one for current source tree These files then copied into root folder of a docker image and will be picked up by syft automatically during rootfs extraction
Signed-off-by: Mikhail Malyshev
---
 Dockerfile.gcc | 4 ++++
 Makefile.eve | 48 +++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.gcc b/Dockerfile.gcc
index e1360a20f23f4..1841ad9f3e71f 100644
--- a/Dockerfile.gcc
+++ b/Dockerfile.gcc
@@ -169,6 +169,10 @@ RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdept
 tar cf - -T - | (cd $dir; tar xf -) && \
 ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
+# copy SBOM files
+RUN cp /kernel-src/kernel-sbom-docker.spdx.json /out/ && \
+ cp /kernel-src/kernel-sbom-gh.spdx.json /out/
+
 FROM scratch
 ENTRYPOINT []
 CMD []
diff --git a/Makefile.eve b/Makefile.eve
index d194330180c0c..13fda2ea9a402 100644
--- a/Makefile.eve
+++ b/Makefile.eve
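Review bot: The added `RUN cp /kernel-src/...spdx.json /out/` step takes both SBOMs from `/kernel-src` (presumably the copied source tree) as-is, so nothing in the image build ties them to the sources actually compiled; as far as the Makefile.eve hunk of this patch shows they are produced on the host by the new `sbom` target before `docker buildx build` runs, and a plain `docker build` of this file without them fails at the cp. A comment stating that contract would help the next reader, e.g. `# kernel-sbom-*.spdx.json are generated on the host by the 'sbom' target in Makefile.eve before this build; they are not produced here`. The two cp calls can also be one: `RUN cp /kernel-src/kernel-sbom-docker.spdx.json /kernel-src/kernel-sbom-gh.spdx.json /out/`. The preceding `RUN DVER=...` block ends just above the added lines and starts outside the hunk.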
@@ -28,9 +28,37 @@ help: Makefile
 @echo " kernel-clang: build kernel with clang"
 @echo " docker-tag-gcc: print docker tag for gcc kernel"
 @echo " docker-tag-clang: print docker tag for clang kernel"
+ @echo " push-gcc: push gcc kernel to docker.io"
+ @echo " push-clang: push clang kernel to docker.io"
+ @echo " clean: remove generated files"
 @echo
-kernel-%: Dockerfile.%
+pull-eve-build-tools:
+ docker pull lfedge/eve-build-tools:main
+.PHONY: pull-eve-build-tools
+
+# do not build sbom target directly, it depends on DOCKERFILE varuable set by kernel-gcc or kernel-clang
+SBOM_TARGETS=kernel-sbom-gh.spdx.json kernel-sbom-docker.spdx.json
+sbom: $(SBOM_TARGETS)
+
+kernel-sbom-gh.spdx.json: pull-eve-build-tools
+ docker run -v $(PWD):/in lfedge/eve-build-tools:main github-sbom-generator \
+ generate --format spdx-json /in/ | jq . > ./kernel-sbom-gh.spdx.json
+
+#if DOCKERFILE is not set, this target will fail
+kernel-sbom-docker.spdx.json: pull-eve-build-tools $(DOCKERFILE)
+ @if [ -z "$(DOCKERFILE)" ]; then \
+ echo "DOCKERFILE not set. Do not build 'sbom' target directly"; \
+ exit 1; \
+ fi
+ @echo "Generating SBOM for $(DOCKERFILE)"
+ docker run -v $(PWD):/in lfedge/eve-build-tools:main dockerfile-add-scanner scan /in/$(DOCKERFILE) \
+ --format spdx-json | jq . > ./kernel-sbom-docker.spdx.json
+
+kernel-gcc: DOCKERFILE:=Dockerfile.gcc
+kernel-clang: DOCKERFILE:=Dockerfile.clang
+
+kernel-build-%: sbom Makefile.eve
 @echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*"
 docker buildx build \
 --build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
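Review bot: Both SBOM recipes run `lfedge/eve-build-tools:main`, a mutable tag that `pull-eve-build-tools` re-pulls on every invocation, with the whole checkout bind-mounted read-write at `/in`; whoever can move that tag controls a tool that reads and can write the source tree right before the kernel build, and two runs of `make sbom` need not agree. Pin the image by digest and mount the tree read-only, e.g. `docker run -v $(PWD):/in:ro lfedge/eve-build-tools@sha256:<digest-placeholder> github-sbom-generator \` (same for the dockerfile-add-scanner line); both tools only emit to stdout here, but `:ro` is worth confirming against the generators. Two smaller points: the comment has a typo, `# do not build sbom target directly, it depends on DOCKERFILE variable set by kernel-gcc or kernel-clang`, and the `$(DOCKERFILE)` prerequisite of `kernel-sbom-docker.spdx.json` is expanded when the makefile is read, where the target-specific `DOCKERFILE:=` is not yet in effect, so it is most likely empty (the phony `pull-eve-build-tools` prerequisite makes the target rebuild every time anyway).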
@@ -38,9 +66,23 @@ kernel-%: Dockerfile.%
 --build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \
 --platform $(PLATFORM) -t lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$* --load -f Dockerfile.$* .
-docker-tag-%:
+# we need these intermediate targets to make .PHONY work for pattern rules
+kernel-gcc: kernel-build-gcc
+kernel-clang: kernel-build-clang
+docker-tag-gcc: docker-tag-generate-gcc
+docker-tag-clang: docker-tag-generate-clang
+push-gcc: push-image-gcc
+push-clang: push-image-clang
+
+.PHONY: kernel-gcc kernel-clang docker-tag-gcc docker-tag-clang push-gcc push-clang
+
+docker-tag-generate-%:
 @echo "docker.io/lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$*"
-push-%: kernel-%
+push-image-%: kernel-%
 $(if $(DIRTY), $(error "Not pushing since the repo is dirty"))
 docker push lfedge/eve-kernel:$(BRANCH)-$(VERSION)-$*
+
+.PHONY: clean
+clean:
+ rm -f $(SBOM_TARGETS)
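Review bot: `push-image-%` pushes by a mutable tag and drops the digest that the push produces, so a consumer of the image has nothing immutable to pin; ending the recipe with `docker inspect --format '{{index .RepoDigests 0}}' lfedge/eve-kernel:$(BRANCH)-$(VERSION)-$*` would put the pushed digest into the build log. The renamed pattern rules `docker-tag-generate-%` and `push-image-%` stay directly invocable with any stem, which the new `.PHONY` wrapper targets do not prevent; presumably acceptable, but the comment above the wrappers could say so. The `kernel-build-%` recipe that the first two context lines belong to starts in the previous hunk.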