Re: [isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity


Jan Kiszka
 

On 18.11.21 19:10, Gylstorff Quirin wrote:


On 11/17/21 1:18 PM, Christian Storm via lists.cip-project.org wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  Kconfig                                       |  3 +-
  classes/secure-swupdate-img.bbclass           | 32 +++++++++++++++++++
  kas/opt/ebg-secure-boot-base.yml              |  2 ++
  kas/opt/ebg-secure-boot-snakeoil.yml          | 13 +++++++-
  kas/opt/ebg-snakeoil-swu.yml                  | 16 ----------
  .../images/cip-core-image-read-only.bb        | 20 ++++++++++++
  recipes-core/tmp-fs/files/postinst            |  3 ++
  recipes-core/tmp-fs/files/tmp.mount           | 11 +++++++
  recipes-core/tmp-fs/tmp-fs_0.1.bb             |  9 ++++++
  wic/qemu-amd64-efibootguard-secureboot.wks    | 11 -------
  wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
  11 files changed, 103 insertions(+), 30 deletions(-)
  create mode 100644 classes/secure-swupdate-img.bbclass
  delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
  create mode 100644 recipes-core/images/cip-core-image-read-only.bb
  create mode 100755 recipes-core/tmp-fs/files/postinst
  create mode 100644 recipes-core/tmp-fs/files/tmp.mount
  create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
  delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
  create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
  config KAS_INCLUDE_SWUPDATE_SECBOOT
      string
      default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE &&
!IMAGE_SECURE_BOOT
-    default "kas/opt/ebg-secure-boot-snakeoil.yml" if
!IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
-    default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE &&
IMAGE_SECURE_BOOT
+    default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
    endif
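Review bot: Collapsing both secure-boot defaults onto `kas/opt/ebg-secure-boot-snakeoil.yml` means a configuration with IMAGE_SECURE_BOOT and without IMAGE_SWUPDATE now also resolves to a kas file that, in this same patch, appends `swupdate` and `swupdate-handler-roundrobin` to IMAGE_INSTALL unconditionally, so the secure-boot-without-SWUpdate variant is silently folded into the SWUpdate one. If that is the intended direction, a comment next to the new default, e.g. `# secure boot always builds the read-only verity rootfs, which requires SWUpdate`, would record the decision in Kconfig; if not, the `IMAGE_SWUPDATE` condition on the removed lines should survive. The first default line above is only wrapped by the mail client and is not part of the change.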
diff --git a/classes/secure-swupdate-img.bbclass
b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
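Review bot: The class documents neither what a user is expected to set nor the task chain it builds, so a short header comment after the license block would help, e.g. `# Builds a read-only ${SECURE_IMAGE_FSTYPE} rootfs, wraps it with dm-verity, assembles the wic image with the initramfs from INITRAMFS_RECIPE, extracts a partition from it and packs the result into an SWUpdate image.` As a point of style, `SECURE_IMAGE_FSTYPE` and `INITRAMFS_RECIPE` use `?=` while `VERITY_IMAGE_TYPE` and `INITRD_IMAGE` are hard-assigned with `=`; if the latter two are meant to be derived values that a kas file must not override, a one-line comment saying so would avoid surprises for anyone who tries. The `addtask` ordering at the end is the actual contract of the class and deserves a comment of its own, e.g. `# fs image -> verity -> wic -> partition extraction -> swupdate image`.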
diff --git a/kas/opt/ebg-secure-boot-base.yml
b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..acb4de0 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -19,3 +19,5 @@ local_conf_header:
      IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
      SWU_DESCRIPTION = "secureboot"
      SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG =
"secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+  kernel: |
+    SECURE_BOOT_KERNEL = "1"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml
b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..4a9185c 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,24 @@ header:
    includes:
     - kas/opt/ebg-secure-boot-base.yml
  +target: cip-core-image-read-only
    local_conf_header:
+  swupdate: |
+    IMAGE_INSTALL_append = " swupdate"
+    IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+  verity-img: |
+    SECURE_BOOT_KERNEL = "1"
+    SECURE_IMAGE_FSTYPE = "squashfs"
+    VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+    IMAGE_TYPE = "secure-swupdate-img"
+    WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
    secure-boot: |
      # Add snakeoil and ovmf binaries for qemu
      IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
      IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
-    WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
      ovmf: |
      # snakeoil certs are only part of backports
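Review bot: `SECURE_BOOT_KERNEL = "1"` under `verity-img:` duplicates the value this series adds to `kas/opt/ebg-secure-boot-base.yml`, which is already pulled in through the `includes:` list a few lines above, so dropping the line here keeps the setting in one place. The new `swupdate:` block appends the two packages by hand where the deleted `ebg-snakeoil-swu.yml` included `kas/opt/swupdate.yml`; if that file sets anything beyond IMAGE_INSTALL, it is now lost for secure-boot builds, which is worth a sentence in the commit message either way. The `+target:` line carries an extra leading space in the mail, which looks like a quoting artifact rather than a patch problem, and the hunk header announces more context lines than are shown, so the end of this hunk is presumably trimmed.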
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
-  version: 10
-  includes:
-   - kas/opt/ebg-secure-boot-snakeoil.yml
-   - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb
b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+    sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root    /        auto        defaults,ro            0    0
+LABEL=var    /var        auto        defaults            0    0
+proc        /proc        proc        nosuid,noexec,nodev        0    0
+sysfs        /sys        sysfs        nosuid,noexec,nodev        0    0
+devpts        /dev/pts    devpts        gid=5,mode=620           
0    0
+tmpfs        /run        tmpfs       
nodev,nosuid,size=500M,mode=755    0    0
+devtmpfs    /dev        devtmpfs    mode=0755,nosuid        0    0
+# End /etc/fstab
+EOF
+}
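Review bot: The `LABEL=var /var auto defaults 0 0` entry mounts the only writable persistent partition, which sits outside the dm-verity-protected rootfs, with `defaults` only, i.e. with device nodes and setuid binaries permitted; since this is the one place where data survives a reboot unverified, `defaults,nodev,nosuid` (as /run already uses) would be the safer baseline, and it is worth noting in a comment that the partition is chosen purely by filesystem label. `SQUASHFS_EXCLUDE_DIRS += "home var"` also drops /home, but the fstab has no entry for it; if the exclusion removes the directory itself, there is no mount point left, so either an entry like the /var one or an empty /home kept in the image seems needed. As a point of style, `IMAGE_INSTALL_remove += ...` works because remove lists accumulate, but the usual spelling is `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"`. The devpts and tmpfs lines appear wrapped by the mail client, not by the patch.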
diff --git a/recipes-core/tmp-fs/files/postinst
b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount  || true
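Review bot: The `|| true` on the `deb-systemd-helper enable tmp.mount` line turns a failed enable into a silent success, and because the read-only rootfs relies on this unit for a writable /tmp, the package would install cleanly and the system would presumably come up with /tmp on the read-only root. Unless there is a known case where enabling legitimately fails, `deb-systemd-helper enable tmp.mount` without the fallback, plus `set -e` after the shebang, lets the image build catch the problem. The recipe that installs the unit (`tmp-fs_0.1.bb`) is listed in the diffstat but not part of this excerpt, so where tmp.mount ends up cannot be checked here.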
diff --git a/recipes-core/tmp-fs/files/tmp.mount
b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
Hm, shouldn't size be configurable?
I will make it configurable in the next version.


+
+[Install]
+WantedBy=local-fs.target
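Review bot: `mode=755` on the /tmp tmpfs leaves the directory writable by root only, so any unprivileged user or service cannot create files there, which defeats the purpose of /tmp; the conventional setting, and the one systemd's own tmp.mount ships, is `Options=mode=1777,strictatime,nosuid,nodev`, where the sticky bit keeps users from removing each other's files. Whether `noexec` should be added on top is a policy question, since it breaks software that executes from /tmp. `Description=Create /tmp` reads like a task rather than a mount point; `Description=Temporary Directory /tmp` matches the unit's role.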
Is this the right point in time? Isn't /tmp needed before this?

According to my testing and [1], if /tmp is mounted via /etc/fstab, systemd
mounts it before local-fs.target.

In the cip-core-image, /tmp is not needed before this because the /tmp of the
initrd is used.

The systemd log looks like this
```
[  OK  ] Started Remount Root and Kernel File Systems.
         Starting Create Static Device Nodes in /dev...
[  OK  ] Started Create Static Device Nodes in /dev.
         Starting udev Kernel Device Manager...
[  OK  ] Reached target Local File Systems (Pre).
         Mounting Create /tmp...
[  OK  ] Mounted Create /tmp.
[  OK  ] Started Journal Service.

```

[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html
Reason should also be recorded then, e.g. in the commit message.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
