Re: [isar-cip-core][RFC 5/8] Create an read-only rootfs with dm-verity


Jan Kiszka
 

On 12.11.21 12:50, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This root file system supports SWUpdate and secure boot.
A writable /tmp and /var are needed so that the system boots without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/wic-verity-img.bbclass | 8 ++++-
kas/opt/verity.yml | 34 +++++++++++++++++++
.../images/cip-core-image-read-only.bb | 24 +++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount | 11 ++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 +++++
wic/qemu-amd64-read-only.wks.in | 13 +++++++
7 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 kas/opt/verity.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
create mode 100644 wic/qemu-amd64-read-only.wks.in

diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass
index e185cf8..9b8a79e 100644
--- a/classes/wic-verity-img.bbclass
+++ b/classes/wic-verity-img.bbclass
@@ -12,6 +12,12 @@
inherit squashfs-img
inherit verity-img
inherit wic-img
+inherit extract-partition
+inherit swupdate-img
Is that still a "wic-verity-img" class then? Or rather a
secure-swupdate-img class, now with persistency?

-addtask verity_image after do_squashfs_image
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_squashfs_image
addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
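Review bot: `SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"` is assigned without any hint of who consumes it, and the new four-step task chain has no comment either; a reader of this class cannot tell that the wic image is first built, then a partition extracted from it, then packaged for SWUpdate. Presumably the variable is the input of the inherited extract-partition class (not visible here) — if so, a one-line comment such as `# extract-partition reads SOURCE_IMAGE_FILE: the rootfs partition is cut out of the finished wic image and fed to swupdate-img` above the assignment would make the pipeline self-explanatory.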
diff --git a/kas/opt/verity.yml b/kas/opt/verity.yml
new file mode 100644
index 0000000..088f44a
--- /dev/null
+++ b/kas/opt/verity.yml
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file creates a image with a read-only rootfs
+# and secure-boot
+
+header:
+ version: 10
+ includes:
+ - efibootguard.yml
+
+target: cip-core-image-read-only
+
+local_conf_header:
+ verity-img: |
+ IMAGE_TYPE = "wic-verity-img"
+ WKS_FILE = "${MACHINE}-read-only.wks.in"
+ VERITY_IMAGE_TYPE = "squashfs"
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+ SWU_DESCRIPTION = "secureboot"
+ SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ secure-boot: |
+ # Add snakeoil and ovmf binaries for qemu
+ IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
+ IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
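Review bot: The `secure-boot` section installs `ebg-secure-boot-snakeoil` unconditionally through `IMAGER_INSTALL`, so the boot chain of every image built from this option file is signed with publicly known test keys, and the comment only says they are "for qemu". Because this file is what a user will select to get a read-only, secure-boot image, the comment should state the consequence explicitly, e.g. `# snakeoil = publicly known test keys, for qemu testing only; provide a project-specific signing package via IMAGER_BUILD_DEPS/IMAGER_INSTALL for real targets`. The copyright year `2020` in the header also looks stale for a file created in this series.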
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..24ace3c
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,24 @@
+require cip-core-image.bb
+
+INITRAMFS_RECIPE = "cip-core-initramfs"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
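Review bot: The `/var` entry in the generated fstab mounts the only persistent writable partition with plain `defaults`, so set-uid binaries and device nodes are honoured there, while `/run`, `/proc` and `/sys` in the same table are hardened with `nosuid,nodev`; on a dm-verity root the writable data partition is exactly where such files would have to be placed to survive a reboot, so `LABEL=var /var auto defaults,nosuid,nodev 0 2` is the consistent choice (the `2` also enables fsck for this ext4 partition, which the current `0 0` disables). Separately, `SQUASHFS_EXCLUDE_DIRS += "home var"` drops `home` from the squashfs, but neither this hunk nor the wks file in this patch mounts anything at `/home`, so `/home` presumably ends up missing or read-only on the running system — worth either removing `home` from the exclude list or documenting where it is meant to come from.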
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
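Review bot: `|| true` masks a failing `deb-systemd-helper enable`, so an image whose `tmp.mount` never gets enabled builds cleanly and only shows the unwritable `/tmp` at runtime — the very boot errors the commit message says this package exists to avoid. If the guard is meant to tolerate non-systemd targets, say so (`# tolerate targets without systemd`); otherwise drop it so the failure surfaces at package-install time. Debian maintainer scripts also conventionally start with `set -e`, which this one lacks.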
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
+
+[Install]
+WantedBy=local-fs.target
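Review bot: `Options=nodev,nosuid,size=500M,mode=755` makes `/tmp` writable by root only; `/tmp` is conventionally mode `1777` (world-writable with the sticky bit) so that unprivileged services and users can create files without being able to remove each other's, and with `755` any non-root process that uses `/tmp` fails with a permission error. Change the line to `Options=nodev,nosuid,size=500M,mode=1777`; `nodev,nosuid` are already right for a tmpfs. `Description=Create /tmp` could be the more descriptive `Description=Temporary Directory (tmpfs)`.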
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
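Review bot: The recipe carries no `DESCRIPTION`, so the resulting Debian package says nothing about why a tmpfs on `/tmp` is installed (the read-only root), and the `inherit dpkg-raw` line has no comment either; add `DESCRIPTION = "Mount a tmpfs on /tmp for the read-only root filesystem"` at the top. The `do_install[cleandirs]+=` flag line would read more consistently with the rest of the tree as `do_install[cleandirs] += "${D}/lib/systemd/system"`.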
diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-read-only.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
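Review bot: `rw` in `bootloader --append` contradicts the read-only root that the image name and the fstab entry `/dev/root / auto defaults,ro` describe; a dm-verity mapping is read-only at the block layer, so the flag is at best ignored by whatever mounts root in the initramfs (not visible in this patch) and at worst yields a failed read-write mount. `ro` matches the design. `earlyprintk` also looks like a debugging leftover rather than something an image intended for secure boot should ship with by default.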
Rather than adding yet another wks file, maybe better extend the
existing qemu-amd64-efibootguard-secureboot.wks. I would see dm-verity
as an extension of the secure-swupdate configuration, not as a variant
or something completely separate.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
