Integrating KernelSbom into linux kernel repo

[augelu-tng]

• Should the sbom.py be placed into linux/tools or linux/scripts ?

  linux/
  └── tools/
      └── sbom/
          ├── lib/
          ├── tests/
          ├── Makefile
          └── sbom.py 
  

  linux/
    └── scripts/
        └── lib/
            ├── sbom/
            │   ├── cmd_graph/
            │   ├── spdx/
            │   └── spdx_graph/
            └── sbom.py 
  

  A: I am leaning towards tools because tools seem to be more commonly invoked within the make build process. We could for example do things similar to how objtool does it.

• How to call the tool via make?
  A: If we put the sbom.py script into tools we can call it manually via make -C tools sbom. For that, a make rule needs to be added to the top level tools/Makefile:

  sbom: FORCE
    $(call descend,sbom)

  This descends into the custom tools/sbom/Makefile which then invokes the python script. However, this would create an entirely new process separate to the kernel build itself. In this process we would not have access to make variables such as ARCH or HOSTCC. Therefore, we need to call the sbom script directly from within the main make process.
  We could do things similar to how objtool does it, i.e., definining a CONFIG_SBOM option (similar to CONFIG_OBJTOOL in linux/lib/Kconfig.debug). Then we can conditionally check if this option is set similar to here:

  ifdef CONFIG_OBJTOOL
  prepare: tools/objtool
  endif

  In our case we would do:

  ifdef CONFIG_SBOM
  all: tools/sbom
  endif

  In theory via a pattern rule the make command would already be delegated to tools/Makefile. However, the tool should only run after the build has finished. This requires an explicit rule that depends on some targets. Probably something like this:

  ifdef CONFIG_SBOM
  all: tools/sbom
  tools/sbom: vmlinux modules 
  	$(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ sbom
  endif

Note: There is a comment that states that for new tools no new tools/* entry should be added but instead the "hostprogs" syntax should be used, see documentation/kbuild/makefiles. This seems to only be relevant for compiled tools.

[gregkh]

I don't have a preference, but perhaps the kbuild maintainer will. Pick which you think would work best for now, worst case you move it after the patches are submitted for review :)

And yes, doing CONFIG_SBOM makes more sense than doing a separate build invocation (like make sbom) as this way the normal build process will pick this up all in one pass.

[augelu-tng]

I setup the augelu-tng/linux fork with the integrated KernelSbom project.
One can now generate spdx documents as follows:

1. Clone the fork (kernelsbom-integration branch is based on linux-6.18.y)

   git clone https://github.com/augelu-tng/linux.git --branch kernelsbom-integration --depth 1
   cd linux

2. Build the kernel as usual. If the CONFIG_SBOM option is enabled the spdx documents are generated in the object tree.
   For example:

   make defconfig O=kernel_build
   scripts/config --file kernel_build/.config --enable SBOM
   make O=kernel_build -j$(nproc)

   This creates sbom-source.spdx.json, sbom-build.spdx.json, and sbom-output.spdx.json in the linux/kernel_build directory.

Open Questions:

• Where should the CONFIG_SBOM option be defined? At the moment I placed it in lib/Kconfig.debug because this is also where the CONFIG_OBJTOOL option is defined. "debug" sounds wrong for the sbom tool but I did not really find a better location.

Solved Questions:

• How to depend on bzImage? Currently I have the make rule tools/sbom: vmlinux modules. However, waiting for vmlinux is not enough. When enabling CONFIG_SBOM and building from scratch the sbom tool is invoked before bzImage is created. Which make target could we depend on to wait until bzImage (or KBUILD_IMAGE in general) has really been created?
  A: It seems that all architecture specific Makefiles define a target that is named exactly like the filename in KBUILD_IMAGE. Therefore we should be able to depend on $(notdir $(KBUILD_IMAGE)).