lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20260119064731.23879-11-luis.augenstein@tngtech.com>
Date: Mon, 19 Jan 2026 07:47:27 +0100
From: Luis Augenstein <luis.augenstein@...tech.com>
To: nathan@...nel.org,
	nsc@...nel.org
Cc: linux-kbuild@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	akpm@...ux-foundation.org,
	gregkh@...uxfoundation.org,
	maximilian.huber@...tech.com,
	Luis Augenstein <luis.augenstein@...tech.com>
Subject: [PATCH 10/14] tools/sbom: add SPDX output graph

Implement the SPDX output graph which contains the distributable
build outputs and high level metadata about the build.

Co-developed-by: Maximilian Huber <maximilian.huber@...tech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@...tech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@...tech.com>
---
 tools/sbom/Makefile                           |   4 +-
 tools/sbom/sbom/config.py                     |  64 ++++++
 tools/sbom/sbom/environment.py                | 150 ++++++++++++++
 .../sbom/sbom/spdx_graph/build_spdx_graphs.py |  18 +-
 .../sbom/sbom/spdx_graph/spdx_output_graph.py | 188 ++++++++++++++++++
 5 files changed, 422 insertions(+), 2 deletions(-)
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_output_graph.py

diff --git a/tools/sbom/Makefile b/tools/sbom/Makefile
index 1d1388851..9ed6067e9 100644
--- a/tools/sbom/Makefile
+++ b/tools/sbom/Makefile
@@ -30,7 +30,9 @@ $(SBOM_TARGETS) &:
       --obj-tree $(objtree) \
       --roots-file $(SBOM_ROOTS_FILE) \
       --output-directory $(objtree) \
-      --generate-spdx
+      --generate-spdx \
+      --package-license "GPL-2.0 WITH Linux-syscall-note" \
+      --package-version "$(KERNELVERSION)"
 
 	@rm $(SBOM_ROOTS_FILE)
 
diff --git a/tools/sbom/sbom/config.py b/tools/sbom/sbom/config.py
index 9278e2be7..de57d9d94 100644
--- a/tools/sbom/sbom/config.py
+++ b/tools/sbom/sbom/config.py
@@ -59,6 +59,21 @@ class KernelSbomConfig:
     spdxId_prefix: str
     """Prefix to use for all SPDX element IDs."""
 
+    build_type: str
+    """SPDX buildType property to use for all Build elements."""
+
+    build_id: str | None
+    """SPDX buildId property to use for all Build elements."""
+
+    package_license: str
+    """License expression applied to all SPDX Packages."""
+
+    package_version: str | None
+    """Version string applied to all SPDX Packages."""
+
+    package_copyright_text: str | None
+    """Copyright text applied to all SPDX Packages."""
+
     prettify_json: bool
     """Whether to pretty-print generated SPDX JSON documents."""
 
@@ -169,6 +184,40 @@ def _parse_cli_arguments() -> dict[str, Any]:
         default="urn:spdx.dev:",
         help="The prefix to use for all spdxId properties. (default: urn:spdx.dev:)",
     )
+    spdx_group.add_argument(
+        "--build-type",
+        default="urn:spdx.dev:Kbuild",
+        help="The SPDX buildType property to use for all Build elements. (default: urn:spdx.dev:Kbuild)",
+    )
+    spdx_group.add_argument(
+        "--build-id",
+        default=None,
+        help="The SPDX buildId property to use for all Build elements.\n"
+        "If not provided the spdxId of the high level Build element is used as the buildId. (default: None)",
+    )
+    spdx_group.add_argument(
+        "--package-license",
+        default="NOASSERTION",
+        help=(
+            "The SPDX licenseExpression property to use for the LicenseExpression "
+            "linked to all SPDX Package elements. (default: NOASSERTION)"
+        ),
+    )
+    spdx_group.add_argument(
+        "--package-version",
+        default=None,
+        help="The SPDX packageVersion property to use for all SPDX Package elements. (default: None)",
+    )
+    spdx_group.add_argument(
+        "--package-copyright-text",
+        default=None,
+        help=(
+            "The SPDX copyrightText property to use for all SPDX Package elements.\n"
+            "If not specified, and if a COPYING file exists in the source tree,\n"
+            "the package-copyright-text is set to the content of this file. "
+            "(default: None)"
+        ),
+    )
     spdx_group.add_argument(
         "--prettify-json",
         action="store_true",
@@ -220,6 +269,16 @@ def get_config() -> KernelSbomConfig:
                 "Expected ISO format (YYYY-MM-DD [HH:MM:SS])."
             )
     spdxId_prefix = args["spdxId_prefix"]
+    build_type = args["build_type"]
+    build_id = args["build_id"]
+    package_license = args["package_license"]
+    package_version = args["package_version"] if args["package_version"] is not None else None
+    package_copyright_text: str | None = None
+    if args["package_copyright_text"] is not None:
+        package_copyright_text = args["package_copyright_text"]
+    elif os.path.isfile(copying_path := os.path.join(src_tree, "COPYING")):
+        with open(copying_path, "r") as f:
+            package_copyright_text = f.read()
     prettify_json = args["prettify_json"]
 
     # Hardcoded config
@@ -244,6 +303,11 @@ def get_config() -> KernelSbomConfig:
         write_output_on_error=write_output_on_error,
         created=created,
         spdxId_prefix=spdxId_prefix,
+        build_type=build_type,
+        build_id=build_id,
+        package_license=package_license,
+        package_version=package_version,
+        package_copyright_text=package_copyright_text,
         prettify_json=prettify_json,
     )
 
diff --git a/tools/sbom/sbom/environment.py b/tools/sbom/sbom/environment.py
index b3fb2f0ba..f3a54bd61 100644
--- a/tools/sbom/sbom/environment.py
+++ b/tools/sbom/sbom/environment.py
@@ -3,12 +3,162 @@
 
 import os
 
+KERNEL_BUILD_VARIABLES_ALLOWLIST = [
+    "AFLAGS_KERNEL",
+    "AFLAGS_MODULE",
+    "AR",
+    "ARCH",
+    "ARCH_CORE",
+    "ARCH_DRIVERS",
+    "ARCH_LIB",
+    "AWK",
+    "BASH",
+    "BINDGEN",
+    "BITS",
+    "CC",
+    "CC_FLAGS_FPU",
+    "CC_FLAGS_NO_FPU",
+    "CFLAGS_GCOV",
+    "CFLAGS_KERNEL",
+    "CFLAGS_MODULE",
+    "CHECK",
+    "CHECKFLAGS",
+    "CLIPPY_CONF_DIR",
+    "CONFIG_SHELL",
+    "CPP",
+    "CROSS_COMPILE",
+    "CURDIR",
+    "GNUMAKEFLAGS",
+    "HOSTCC",
+    "HOSTCXX",
+    "HOSTPKG_CONFIG",
+    "HOSTRUSTC",
+    "INSTALLKERNEL",
+    "INSTALL_DTBS_PATH",
+    "INSTALL_HDR_PATH",
+    "INSTALL_PATH",
+    "KBUILD_AFLAGS",
+    "KBUILD_AFLAGS_KERNEL",
+    "KBUILD_AFLAGS_MODULE",
+    "KBUILD_BUILTIN",
+    "KBUILD_CFLAGS",
+    "KBUILD_CFLAGS_KERNEL",
+    "KBUILD_CFLAGS_MODULE",
+    "KBUILD_CHECKSRC",
+    "KBUILD_CLIPPY",
+    "KBUILD_CPPFLAGS",
+    "KBUILD_EXTMOD",
+    "KBUILD_EXTRA_WARN",
+    "KBUILD_HOSTCFLAGS",
+    "KBUILD_HOSTCXXFLAGS",
+    "KBUILD_HOSTLDFLAGS",
+    "KBUILD_HOSTLDLIBS",
+    "KBUILD_HOSTRUSTFLAGS",
+    "KBUILD_IMAGE",
+    "KBUILD_LDFLAGS",
+    "KBUILD_LDFLAGS_MODULE",
+    "KBUILD_LDS",
+    "KBUILD_MODULES",
+    "KBUILD_PROCMACROLDFLAGS",
+    "KBUILD_RUSTFLAGS",
+    "KBUILD_RUSTFLAGS_KERNEL",
+    "KBUILD_RUSTFLAGS_MODULE",
+    "KBUILD_USERCFLAGS",
+    "KBUILD_USERLDFLAGS",
+    "KBUILD_VERBOSE",
+    "KBUILD_VMLINUX_LIBS",
+    "KBZIP2",
+    "KCONFIG_CONFIG",
+    "KERNELDOC",
+    "KERNELRELEASE",
+    "KERNELVERSION",
+    "KGZIP",
+    "KLZOP",
+    "LC_COLLATE",
+    "LC_NUMERIC",
+    "LD",
+    "LDFLAGS_MODULE",
+    "LEX",
+    "LINUXINCLUDE",
+    "LZ4",
+    "LZMA",
+    "MAKE",
+    "MAKEFILES",
+    "MAKEFILE_LIST",
+    "MAKEFLAGS",
+    "MAKELEVEL",
+    "MAKEOVERRIDES",
+    "MAKE_COMMAND",
+    "MAKE_HOST",
+    "MAKE_TERMERR",
+    "MAKE_TERMOUT",
+    "MAKE_VERSION",
+    "MFLAGS",
+    "MODLIB",
+    "NM",
+    "NOSTDINC_FLAGS",
+    "O",
+    "OBJCOPY",
+    "OBJCOPYFLAGS",
+    "OBJDUMP",
+    "PAHOLE",
+    "PATCHLEVEL",
+    "PERL",
+    "PYTHON3",
+    "Q",
+    "RCS_FIND_IGNORE",
+    "READELF",
+    "REALMODE_CFLAGS",
+    "RESOLVE_BTFIDS",
+    "RETHUNK_CFLAGS",
+    "RETHUNK_RUSTFLAGS",
+    "RETPOLINE_CFLAGS",
+    "RETPOLINE_RUSTFLAGS",
+    "RETPOLINE_VDSO_CFLAGS",
+    "RUSTC",
+    "RUSTC_BOOTSTRAP",
+    "RUSTC_OR_CLIPPY",
+    "RUSTC_OR_CLIPPY_QUIET",
+    "RUSTDOC",
+    "RUSTFLAGS_KERNEL",
+    "RUSTFLAGS_MODULE",
+    "RUSTFMT",
+    "SRCARCH",
+    "STRIP",
+    "SUBLEVEL",
+    "SUFFIXES",
+    "TAR",
+    "UTS_MACHINE",
+    "VERSION",
+    "VPATH",
+    "XZ",
+    "YACC",
+    "ZSTD",
+    "building_out_of_srctree",
+    "cross_compiling",
+    "objtree",
+    "quiet",
+    "rust_common_flags",
+    "srcroot",
+    "srctree",
+    "sub_make_done",
+    "subdir",
+]
+
 
 class Environment:
     """
     Read-only accessor for kernel build environment variables.
     """
 
+    @classmethod
+    def KERNEL_BUILD_VARIABLES(cls) -> dict[str, str | None]:
+        return {name: os.getenv(name) for name in KERNEL_BUILD_VARIABLES_ALLOWLIST}
+
+    @classmethod
+    def ARCH(cls) -> str | None:
+        return os.getenv("ARCH")
+
     @classmethod
     def SRCARCH(cls) -> str | None:
         return os.getenv("SRCARCH")
diff --git a/tools/sbom/sbom/spdx_graph/build_spdx_graphs.py b/tools/sbom/sbom/spdx_graph/build_spdx_graphs.py
index 0f95f99d5..2af0fbe6c 100644
--- a/tools/sbom/sbom/spdx_graph/build_spdx_graphs.py
+++ b/tools/sbom/sbom/spdx_graph/build_spdx_graphs.py
@@ -10,12 +10,18 @@ from sbom.path_utils import PathStr
 from sbom.spdx_graph.kernel_file import KernelFileCollection
 from sbom.spdx_graph.spdx_graph_model import SpdxGraph, SpdxIdGeneratorCollection
 from sbom.spdx_graph.shared_spdx_elements import SharedSpdxElements
+from sbom.spdx_graph.spdx_output_graph import SpdxOutputGraph
 
 
 class SpdxGraphConfig(Protocol):
     obj_tree: PathStr
     src_tree: PathStr
     created: datetime
+    build_type: str
+    build_id: str | None
+    package_license: str
+    package_version: str | None
+    package_copyright_text: str | None
 
 
 def build_spdx_graphs(
@@ -38,4 +44,14 @@ def build_spdx_graphs(
     """
     shared_elements = SharedSpdxElements.create(spdx_id_generators.base, config.created)
     kernel_files = KernelFileCollection.create(cmd_graph, config.obj_tree, config.src_tree, spdx_id_generators)
-    return {}
+    output_graph = SpdxOutputGraph.create(
+        root_files=list(kernel_files.output.values()),
+        shared_elements=shared_elements,
+        spdx_id_generators=spdx_id_generators,
+        config=config,
+    )
+    spdx_graphs: dict[KernelSpdxDocumentKind, SpdxGraph] = {
+        KernelSpdxDocumentKind.OUTPUT: output_graph,
+    }
+
+    return spdx_graphs
diff --git a/tools/sbom/sbom/spdx_graph/spdx_output_graph.py b/tools/sbom/sbom/spdx_graph/spdx_output_graph.py
new file mode 100644
index 000000000..1ae0f935e
--- /dev/null
+++ b/tools/sbom/sbom/spdx_graph/spdx_output_graph.py
@@ -0,0 +1,188 @@
+# SPDX-License-Identifier: GPL-2.0-only OR MIT
+# Copyright (C) 2025 TNG Technology Consulting GmbH
+
+from dataclasses import dataclass
+import os
+from typing import Protocol
+from sbom.environment import Environment
+from sbom.path_utils import PathStr
+from sbom.spdx.build import Build
+from sbom.spdx.core import DictionaryEntry, NamespaceMap, Relationship, SpdxDocument
+from sbom.spdx.simplelicensing import LicenseExpression
+from sbom.spdx.software import File, Package, Sbom
+from sbom.spdx.spdxId import SpdxIdGenerator
+from sbom.spdx_graph.kernel_file import KernelFile
+from sbom.spdx_graph.shared_spdx_elements import SharedSpdxElements
+from sbom.spdx_graph.spdx_graph_model import SpdxGraph, SpdxIdGeneratorCollection
+
+
+class SpdxOutputGraphConfig(Protocol):
+    obj_tree: PathStr
+    src_tree: PathStr
+    build_type: str
+    build_id: str | None
+    package_license: str
+    package_version: str | None
+    package_copyright_text: str | None
+
+
+@...aclass
+class SpdxOutputGraph(SpdxGraph):
+    """SPDX graph representing distributable output files"""
+
+    high_level_build_element: Build
+
+    @classmethod
+    def create(
+        cls,
+        root_files: list[KernelFile],
+        shared_elements: SharedSpdxElements,
+        spdx_id_generators: SpdxIdGeneratorCollection,
+        config: SpdxOutputGraphConfig,
+    ) -> "SpdxOutputGraph":
+        """
+        Args:
+            root_files: List of distributable output files which act as roots
+                of the dependency graph.
+            shared_elements: Shared SPDX elements used across multiple documents.
+            spdx_id_generators: Collection of SPDX ID generators.
+            config: Configuration options.
+
+        Returns:
+            SpdxOutputGraph: The SPDX output graph.
+        """
+        # SpdxDocument
+        spdx_document = SpdxDocument(
+            spdxId=spdx_id_generators.output.generate(),
+            profileConformance=["core", "software", "build", "simpleLicensing"],
+            namespaceMap=[
+                NamespaceMap(prefix=generator.prefix, namespace=generator.namespace)
+                for generator in [spdx_id_generators.output, spdx_id_generators.base]
+                if generator.prefix is not None
+            ],
+        )
+
+        # Sbom
+        sbom = Sbom(
+            spdxId=spdx_id_generators.output.generate(),
+            software_sbomType=["build"],
+        )
+
+        # High-level Build elements
+        config_source_element = KernelFile.create(
+            absolute_path=os.path.join(config.obj_tree, ".config"),
+            obj_tree=config.obj_tree,
+            src_tree=config.src_tree,
+            spdx_id_generators=spdx_id_generators,
+            is_output=True,
+        ).spdx_file_element
+        high_level_build_element, high_level_build_element_hasOutput_relationship = _high_level_build_elements(
+            config.build_type,
+            config.build_id,
+            config_source_element,
+            spdx_id_generators.output,
+        )
+
+        # Root file elements
+        root_file_elements: list[File] = [file.spdx_file_element for file in root_files]
+
+        # Package elements
+        package_elements = [
+            Package(
+                spdxId=spdx_id_generators.output.generate(),
+                name=_get_package_name(file.name),
+                software_packageVersion=config.package_version,
+                software_copyrightText=config.package_copyright_text,
+                originatedBy=[shared_elements.agent],
+                comment=f"Architecture={arch}" if (arch := Environment.ARCH() or Environment.SRCARCH()) else None,
+                software_primaryPurpose=file.software_primaryPurpose,
+            )
+            for file in root_file_elements
+        ]
+        package_hasDistributionArtifact_file_relationships = [
+            Relationship(
+                spdxId=spdx_id_generators.output.generate(),
+                relationshipType="hasDistributionArtifact",
+                from_=package,
+                to=[file],
+            )
+            for package, file in zip(package_elements, root_file_elements)
+        ]
+        package_license_expression = LicenseExpression(
+            spdxId=spdx_id_generators.output.generate(),
+            simplelicensing_licenseExpression=config.package_license,
+        )
+        package_hasDeclaredLicense_relationships = [
+            Relationship(
+                spdxId=spdx_id_generators.output.generate(),
+                relationshipType="hasDeclaredLicense",
+                from_=package,
+                to=[package_license_expression],
+            )
+            for package in package_elements
+        ]
+
+        # Update relationships
+        spdx_document.rootElement = [sbom]
+
+        sbom.rootElement = [*package_elements]
+        sbom.element = [
+            config_source_element,
+            high_level_build_element,
+            high_level_build_element_hasOutput_relationship,
+            *root_file_elements,
+            *package_elements,
+            *package_hasDistributionArtifact_file_relationships,
+            package_license_expression,
+            *package_hasDeclaredLicense_relationships,
+        ]
+
+        high_level_build_element_hasOutput_relationship.to = [*root_file_elements]
+
+        output_graph = SpdxOutputGraph(
+            spdx_document,
+            shared_elements.agent,
+            shared_elements.creation_info,
+            sbom,
+            high_level_build_element,
+        )
+        return output_graph
+
+
+def _get_package_name(filename: str) -> str:
+    """
+    Generates a SPDX package name from a filename.
+    Kernel images (bzImage, Image) get a descriptive name, others use the basename of the file.
+    """
+    KERNEL_FILENAMES = ["bzImage", "Image"]
+    basename = os.path.basename(filename)
+    return f"Linux Kernel ({basename})" if basename in KERNEL_FILENAMES else basename
+
+
+def _high_level_build_elements(
+    build_type: str,
+    build_id: str | None,
+    config_source_element: File,
+    spdx_id_generator: SpdxIdGenerator,
+) -> tuple[Build, Relationship]:
+    build_spdxId = spdx_id_generator.generate()
+    high_level_build_element = Build(
+        spdxId=build_spdxId,
+        build_buildType=build_type,
+        build_buildId=build_id if build_id is not None else build_spdxId,
+        build_environment=[
+            DictionaryEntry(key=key, value=value)
+            for key, value in Environment.KERNEL_BUILD_VARIABLES().items()
+            if value
+        ],
+        build_configSourceUri=[config_source_element.spdxId],
+        build_configSourceDigest=config_source_element.verifiedUsing,
+    )
+
+    high_level_build_element_hasOutput_relationship = Relationship(
+        spdxId=spdx_id_generator.generate(),
+        relationshipType="hasOutput",
+        from_=high_level_build_element,
+        to=[],
+    )
+    return high_level_build_element, high_level_build_element_hasOutput_relationship
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ