From 1f23756ed3d8dcab6e1315273fa0e4ac2e41edbb Mon Sep 17 00:00:00 2001
From: lefosg <47362786+lefosg@users.noreply.github.com>
Date: Thu, 5 Jun 2025 15:40:00 +0300
Subject: [PATCH 1/2] sign sbom

---
 .github/workflows/auto-release.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 3477f6591..3274b565f 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -94,6 +94,18 @@ jobs:
 repo_path: ./local_kernel
 source_path: ./
 
+ # 1. Install cosign tool
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.8.1
+
+ # 2. Sign the sbom.spdx file using cosign. Two files are produced: sbom.sig and sbom.crt, stored in the same directory as sbom.spdx
+ - name: Attest SBOM
+ working-directory: ./local_kernel
+ run: |
+ cosign sign-blob sbom.spdx --output-certificate='sbom.crt' --output-signature='sbom.sig' -y
+ # The following is a sanity check. After signing, we verify the image to check that everything is OK
+ cosign verify-blob --signature='sbom.sig' --certificate='sbom.crt' --certificate-identity-regexp=.* --certificate-oidc-issuer-regexp='https://github.com' ./sbom.spdx
+
 - name: commit SBOM file
 env:
 VERSION_NUMBER: ${{ github.event.inputs.version_number }}

From 32e581636f66504daa1a76afcc766be2a4b8a9de Mon Sep 17 00:00:00 2001
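Review bot: The verification command at the end of the `Attest SBOM` step passes `--certificate-identity-regexp=.*`, which accepts a certificate issued to any identity, so the check shows only that the signature and certificate fit together, not that this workflow produced them. The issuer pattern `'https://github.com'` is also an unanchored regular expression; for keyless signing from GitHub Actions the issuer is normally `https://token.actions.githubusercontent.com`, so it is worth confirming which issuer actually ends up in `sbom.crt`. I would pin both values exactly, for example `--certificate-identity-regexp='^https://github\.com/<OWNER>/<REPO>/\.github/workflows/auto-release\.yml@'` and `--certificate-oidc-issuer='https://token.actions.githubusercontent.com'`, because consumers tend to copy the verify command they see in the release workflow. The job's `permissions` block lies outside the hunk; keyless signing needs `id-token: write` there.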
From: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
Date: Thu, 24 Jul 2025 11:07:27 +0530
Subject: [PATCH 2/2] Delete thread key on process exit (#1297)

Previously, the shared thread key was deleted in xPortStartScheduler after scheduler was ended. This created a race condition where prvThreadKeyDestructor (responsible for freeing thread-specific heap memory) would not be called if xPortStartScheduler deleted the key before the last task deletion, as destructors are not invoked after key deletion (see https://github.com/walac/glibc/blob/master/nptl/pthread_create.c#L145-L150). Move thread key deletion to process exit to ensure all thread-specific memory is properly freed.

Signed-off-by: Gaurav Aggarwal
---
 portable/ThirdParty/GCC/Posix/port.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/portable/ThirdParty/GCC/Posix/port.c b/portable/ThirdParty/GCC/Posix/port.c
index d0b81dc1e..2342f6034 100644
--- a/portable/ThirdParty/GCC/Posix/port.c
+++ b/portable/ThirdParty/GCC/Posix/port.c
@@ -140,6 +140,8 @@ static void prvThreadKeyDestructor( void * pvData )
 static void prvInitThreadKey( void )
 {
 pthread_key_create( &xThreadKey, prvThreadKeyDestructor );
+ /* Destroy xThreadKey when the process exits. */
+ atexit( prvDestroyThreadKey );
 }
 /*-----------------------------------------------------------*/
 
@@ -315,8 +317,6 @@ BaseType_t xPortStartScheduler( void )
 /* Restore original signal mask. */
 ( void ) pthread_sigmask( SIG_SETMASK, &xSchedulerOriginalSignalMask, NULL );
 
- prvDestroyThreadKey();
-
 return 0;
 }
 /*-----------------------------------------------------------*/
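Review bot: The new `atexit( prvDestroyThreadKey );` in prvInitThreadKey is registered even when the preceding `pthread_key_create` fails, and both return values are dropped without the `( void )` cast that xPortStartScheduler uses on `pthread_sigmask`. Registering only on success keeps the exit handler from deleting a key that was never created: `if( pthread_key_create( &xThreadKey, prvThreadKeyDestructor ) == 0 ) { ( void ) atexit( prvDestroyThreadKey ); }`. With the delete removed from xPortStartScheduler in the second hunk, the key now lives until process exit; how prvInitThreadKey is invoked is outside the hunk, so it is worth confirming it runs only once per process, otherwise a scheduler restart would create a second key and register the handler again. The declaration of prvDestroyThreadKey and the `<stdlib.h>` include needed for `atexit` are also not visible here.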