Re: Setting up SWUpdate
Akihiro Suzuki
Hi Mohammed,

If you work on this issue, you will be able to learn about our software update mechanism well, I think. Can I assign you to work on this issue?

Thanks,
Suzuki
From: Mohammed Billoo <mab@...>
Sent: Wednesday, July 1, 2020 8:57 PM
To: suzuki akihiro(鈴木 章浩 □SWC◯ACT) <akihiro27.suzuki@...>
Cc: cip-dev@...
Subject: Re: [cip-dev] Setting up SWUpdate

Suzuki,

I can look into this issue as well (when my BBB comes in). It's focused enough that I can learn enough about SWUpdate and how it fits into CIP.

Let me know what you think.

Mohammed

On Wed, Jul 1, 2020 at 5:40 AM <akihiro27.suzuki@...> wrote:
CIP IRC weekly meeting today
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi all,
Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=7&day=2&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest  USEast  UK     DE     TW     JP
02:00   05:00   10:00  11:00  17:00  18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/06/cip.2020-06-25-09.00.log.html

Agenda:
* Action item
  1. Combine root filesystem with kselftest binary - iwamatsu
  2. Post LTP results to KernelCI - patersonc
  3. Issues to be fixed for swupdate "copyright correction and salsa CI testing" - iwamatsu
* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.
Building generic initramfs for the various testing
Zoran
Hello list,
Long time no see... ;-)

Just for the sake of Reality: the generic initramfs building from
https://wiki.linuxfoundation.org/civilinfrastructureplatform/cipsystembuildhowto
does not work (for me, at least) anymore.

Here is the new minimalistic script, since I needed it (and reworked it, to be much more efficient):
https://github.com/ZoranStojsavljevic/BBB_Workshop_Examples/blob/master/Generic_Initrd_Porting_Guide/initramfs/create_initramfs.sh

Enjoy!
Zoran Stojsavljevic
Re: Setting up SWUpdate
Mohammed Billoo <mab@...>
Suzuki,

I can look into this issue as well (when my BBB comes in). It's focused enough that I can learn enough about SWUpdate and how it fits into CIP.

Let me know what you think.

Mohammed
On Wed, Jul 1, 2020 at 5:40 AM <akihiro27.suzuki@...> wrote:
--
Mohammed Billoo
MAB Labs, LLC
www.mab-labs.com
Re: Setting up SWUpdate
Akihiro Suzuki
Hi Mohammed,

> NOTE: Now I have a problem with the demo. I'll make the issue about it in cip-sw-updates-tasks repository later.

I've made the issue about it:
https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/14

It might be better to wait for trying cip-sw-updates-demo until the issue is resolved.

Thanks,
From: suzuki akihiro(鈴木 章浩 □SWC◯ACT)
Sent: Wednesday, July 1, 2020 2:09 PM
To: Mohammed Billoo <mab@...>
Cc: cip-dev@...
Subject: RE: [cip-dev] Setting up SWUpdate

Hi Mohammed,

> Should I be using the instructions outlined in https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-demo to run a basic update of the CIP image on a BBB from hawkBit? Can the update process be verified using hawkbit and/or the BBB?

Yes, you can verify a basic update process via README.md in the cip-sw-updates-demo repository. It uses BBB and hawkBit. Please let me know if you have a problem with the instructions written in the README.md.

NOTE: Now I have a problem with the demo. I'll make the issue about it in cip-sw-updates-tasks repository later.

> Also, there looks to be a patchset to bring in swupdate to cip-core (https://patchwork.kernel.org/project/cip-dev/list/?series=309741). Should I wait for this patchset to be approved?

The patchset is for x86 with UEFI to provide updatable secure boot for UEFI. It uses EFI Boot Guard (https://github.com/siemens/efibootguard) instead of u-boot. It will be able to cover the main use cases for software update on devices. Although the cip-sw-updates-demo repository doesn't include the demo for x86 with UEFI at the moment, you can try basic update features using BBB.

Thanks,
Suzuki

From: cip-dev@... <cip-dev@...> On Behalf Of Mohammed Billoo

Hello,

Should I be using the instructions outlined in https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-demo to run a basic update of the CIP image on a BBB from hawkBit? Can the update process be verified using hawkbit and/or the BBB?

Also, there looks to be a patchset to bring in swupdate to cip-core (https://patchwork.kernel.org/project/cip-dev/list/?series=309741). Should I wait for this patchset to be approved?

--
Re: Setting up SWUpdate
Akihiro Suzuki
Hi Mohammed,

> Should I be using the instructions outlined in https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-demo to run a basic update of the CIP image on a BBB from hawkBit? Can the update process be verified using hawkbit and/or the BBB?

Yes, you can verify a basic update process via README.md in the cip-sw-updates-demo repository. It uses BBB and hawkBit. Please let me know if you have a problem with the instructions written in the README.md.

NOTE: Now I have a problem with the demo. I'll make the issue about it in cip-sw-updates-tasks repository later.

> Also, there looks to be a patchset to bring in swupdate to cip-core (https://patchwork.kernel.org/project/cip-dev/list/?series=309741). Should I wait for this patchset to be approved?

The patchset is for x86 with UEFI to provide updatable secure boot for UEFI. It uses EFI Boot Guard (https://github.com/siemens/efibootguard) instead of u-boot. It will be able to cover the main use cases for software update on devices. Although the cip-sw-updates-demo repository doesn't include the demo for x86 with UEFI at the moment, you can try basic update features using BBB.

Thanks,
Suzuki
From: cip-dev@... <cip-dev@...> On Behalf Of Mohammed Billoo
Sent: Wednesday, July 1, 2020 7:49 AM
To: cip-dev@...
Subject: [cip-dev] Setting up SWUpdate

Hello,

Should I be using the instructions outlined in https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-demo to run a basic update of the CIP image on a BBB from hawkBit? Can the update process be verified using hawkbit and/or the BBB?

Also, there looks to be a patchset to bring in swupdate to cip-core (https://patchwork.kernel.org/project/cip-dev/list/?series=309741). Should I wait for this patchset to be approved?

--
Setting up SWUpdate
Mohammed Billoo <mab@...>
Hello,

Should I be using the instructions outlined in https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-demo to run a basic update of the CIP image on a BBB from hawkBit? Can the update process be verified using hawkbit and/or the BBB?

Also, there looks to be a patchset to bring in swupdate to cip-core (https://patchwork.kernel.org/project/cip-dev/list/?series=309741). Should I wait for this patchset to be approved?

--
Mohammed Billoo
MAB Labs, LLC
www.mab-labs.com
Re: Working on HTTPS connection
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Mohammed-san,

No worries. Meeting minutes will be produced at every meeting. So, you can check them out to see what is going on afterwards.

FYI, the last meeting minutes are the following:
https://irclogs.baserock.org/meetings/cip/2020/06/cip.2020-06-25-09.00.log.html

Best regards,
--
M. Kudo
From: cip-dev@... <cip-dev@...> On Behalf Of Mohammed Billoo
Sent: Tuesday, June 30, 2020 8:16 PM
To: akihiro27.suzuki@...
Cc: cip-dev@...
Subject: Re: [cip-dev] Working on HTTPS connection

Suzuki, M. Kudo:

Thank you for getting back to me. I'll order the BBB, and start navigating the codebase until it arrives. I will try my best to make the meetings on Thursday, but it may be difficult since I'm in NYC and it will be 5AM. Is it OK if I post updates to the IRC channel when I'm up in the morning (in case I can't make it to the meeting)?

Best,
Mohammed

On Tue, Jun 30, 2020 at 3:40 AM <akihiro27.suzuki@...> wrote:
Re: Working on HTTPS connection
Mohammed Billoo <mab@...>
Suzuki, M. Kudo:

Thank you for getting back to me. I'll order the BBB, and start navigating the codebase until it arrives. I will try my best to make the meetings on Thursday, but it may be difficult since I'm in NYC and it will be 5AM. Is it OK if I post updates to the IRC channel when I'm up in the morning (in case I can't make it to the meeting)?

Best,
Mohammed
On Tue, Jun 30, 2020 at 3:40 AM <akihiro27.suzuki@...> wrote:
--
Mohammed Billoo
MAB Labs, LLC
www.mab-labs.com
Re: [isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security
Venkata Pyla
On Mon, Jun 29, 2020 at 05:26 PM, Daniel Sangorrin wrote:
I understood now, I will rebase the patches with the master branch and I will resend the patches for review, sorry for the confusion.

-----Original Message-----
> It seems that opt-security.yaml was already removed in the security branch:
>
> Also, as we have talked in the meetings, it looks like the security layer at the moment is just adding some packages but don't you need to add configuration files to harden the final file system? For example, you may want to change the configuration of the ssh server so that passwords are not accepted (only ssh keys). And the same for the rest of packages. In that case, you probably want to create a new kas-security.yaml.

Currently we don't have such configuration changes, but most probably in the future, maybe after discussion with the Certification Body, we may need to include configurations to fulfill the security requirement. We will keep this point in security WG discussions and get some consensus.

Thanks,
Re: Working on HTTPS connection
Akihiro Suzuki
Hi Mohammed,

Thank you very much for your offer! I'm Akihiro Suzuki, a chair of SW Updates WG.

Currently, we are using BeagleBone Black (BBB) for developing our initial software update mechanism. Of course we plan to port it to other reference hardware, but it is not done at the moment. So, could you prepare BBB for the development?

Even if you can't prepare it, you may work on the task you are interested in because it is not hardware-specific. The task aims to connect between client (SWUpdate) and server (hawkBit) via HTTPS.

Best regards,
Suzuki
From: cip-dev@... <cip-dev@...> On Behalf Of masashi.kudo@...
Sent: Tuesday, June 30, 2020 7:32 AM
To: cip-dev@...
Subject: Re: [cip-dev] Working on HTTPS connection

Hi, Mohammed-san,

Thanks very much for watching the talk, and welcome to cip-dev!

Regarding SW Update WG, the following are their wiki pages.
https://wiki.linuxfoundation.org/civilinfrastructureplatform/start#cip_software_updates
https://wiki.linuxfoundation.org/civilinfrastructureplatform/cip-sw-updates

Also, SW Update WG reports the latest status at IRC meetings which start at UTC (GMT) 09:00 every Thursday. Notifications of the meetings are sent 6-9 hours before the meetings.

Hope it helps.

Best regards,
--
M. Kudo

From: cip-dev@... <cip-dev@...> On Behalf Of Mohammed Billoo

Hello!

I joined the mailing list from the recommendation on the IRC channel (after viewing the CIP talk at ELC). I'd like to work on the following issue:
https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/8

I've written applications + drivers for u-boot, have worked on SSL (albeit for Amazon FreeRTOS), and have HW handy to hit the ground running (I have a DE1-SoC).

Is there any update on this task that I should be aware of?

Looking forward to contributing to this project!
Re: [isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security
Daniel Sangorrin <daniel.sangorrin@...>
It seems that opt-security.yaml was already removed in the security branch:
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/security/iec-evaluation

Venkata-san: could you rebase your patches for the master branch? For example, instead of sending one patch where you add opt-security.yaml and then another patch where you remove it (which may have happened in your branch, but we don't care), just send the patch that uses core-image-security. That will make things easier to review.

Also, as we have talked in the meetings, it looks like the security layer at the moment is just adding some packages, but don't you need to add configuration files to harden the final file system? For example, you may want to change the configuration of the ssh server so that passwords are not accepted (only ssh keys). And the same for the rest of packages. In that case, you probably want to create a new kas-security.yaml.

Thanks,
Daniel
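As an added example (not code from the isar-cip-core layer or from Daniel), here is what the sshd hardening he suggests looks like as configuration next to the weak defaults, together with a small POSIX sh check that can be run over an image's /etc/ssh/sshd_config after the build to confirm that password and root logins are refused. The option names are real OpenSSH keywords; the two file contents, the function names and the "all three must be no" policy are constructed for this example. How the fragment is installed into the rootfs (for instance from a dpkg-raw recipe referenced by a kas-security.yml, the way the patches in this thread install other files) is left out.

```shell
#!/bin/sh
# Added example: weak vs. hardened sshd settings and a post-build check.
# Not part of isar-cip-core; file contents and function names are constructed.

# Constructed: what an image looks like when passwords are still accepted.
WEAK_SSHD_CONFIG='# constructed sample sshd_config (weak)
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
'

# Constructed: the hardening Daniel describes, keys only and no root login.
HARDENED_SSHD_CONFIG='# constructed sample sshd_config (hardened)
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
'

# sshd_default LOWERCASE_KEY: value sshd applies when the keyword is absent
# (OpenSSH 7.0 and later); only the three keys this check cares about.
sshd_default() {
    case $1 in
        permitrootlogin) echo prohibit-password ;;
        passwordauthentication|challengeresponseauthentication) echo yes ;;
        *) echo unknown ;;
    esac
}

# sshd_get_option FILE KEY: effective global value of KEY in FILE, lower-cased.
# sshd takes the first occurrence of a keyword, accepts "Key value" as well as
# "Key=value" and ignores comments. Keywords after a "Match" line only apply
# conditionally, so the scan stops there and treats them as not set globally.
sshd_get_option() {
    lk=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    value=$(awk -v k="$lk" '
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            n = split(line, f, "[ \t=]+")
            if (n < 1 || f[1] == "" || substr(f[1], 1, 1) == "#") next
            key = tolower(f[1])
            if (key == "match") exit
            if (key == k) { print tolower(f[2]); exit }
        }' "$1")
    [ -n "$value" ] || value=$(sshd_default "$lk")
    printf '%s\n' "$value"
}

# sshd_check_hardening FILE: returns 0 if password and root logins are both
# refused globally, otherwise prints each offending option and returns 1.
sshd_check_hardening() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
        got=$(sshd_get_option "$1" "$key")
        if [ "$got" != "no" ]; then
            echo "WEAK: $key is '$got' in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo: write both constructed fragments to files and check them.
sshd_demo() {
    weak=$(mktemp) && hard=$(mktemp) || return 1
    printf '%s' "$WEAK_SSHD_CONFIG" > "$weak"
    printf '%s' "$HARDENED_SSHD_CONFIG" > "$hard"
    if sshd_check_hardening "$weak"; then
        echo "unexpected: weak config passed"
    else
        echo "weak config rejected (expected)"
    fi
    sshd_check_hardening "$hard" && echo "hardened config accepted"
    rm -f "$weak" "$hard"
}

sshd_demo
```

Run as `sshd_check_hardening build/tmp/.../rootfs/etc/ssh/sshd_config` (path constructed) from a post-build hook to make a build fail loudly when someone re-enables password logins; the Match handling matters because a `PasswordAuthentication no` placed under a `Match` block does not protect the rest of the users.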
Re: Working on HTTPS connection
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Mohammed-san,

Thanks very much for watching the talk, and welcome to cip-dev!

Regarding SW Update WG, the following are their wiki pages.
https://wiki.linuxfoundation.org/civilinfrastructureplatform/start#cip_software_updates
https://wiki.linuxfoundation.org/civilinfrastructureplatform/cip-sw-updates

Also, SW Update WG reports the latest status at IRC meetings which start at UTC (GMT) 09:00 every Thursday. Notifications of the meetings are sent 6-9 hours before the meetings.

Hope it helps.

Best regards,
--
M. Kudo
From: cip-dev@... <cip-dev@...> On Behalf Of Mohammed Billoo
Sent: Tuesday, June 30, 2020 1:57 AM
To: cip-dev@...
Subject: [cip-dev] Working on HTTPS connection

Hello!

I joined the mailing list from the recommendation on the IRC channel (after viewing the CIP talk at ELC). I'd like to work on the following issue:
https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/8

I've written applications + drivers for u-boot, have worked on SSL (albeit for Amazon FreeRTOS), and have HW handy to hit the ground running (I have a DE1-SoC).

Is there any update on this task that I should be aware of?

Looking forward to contributing to this project!
VulnerableCode
Jan Kiszka
Hi all,
just a note after watching https://sched.co/c46p, https://github.com/nexB/vulnerablecode: Still early, but might be worth looking at if we can benefit from it for vulnerability management.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
Working on HTTPS connection
mab@...
Hello!

I joined the mailing list from the recommendation on the IRC channel (after viewing the CIP talk at ELC). I'd like to work on the following issue:
https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/8

I've written applications + drivers for u-boot, have worked on SSL (albeit for Amazon FreeRTOS), and have HW handy to hit the ground running (I have a DE1-SoC).

Is there any update on this task that I should be aware of?

Looking forward to contributing to this project!

--
Mohammed Billoo
MAB Labs, LLC
www.mab-labs.com
Re: [isar-cip-core PATCH v2 6/6] doc: Add README for secureboot
Jan Kiszka
On 29.06.20 14:54, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@...>
> ...
> diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml

You are trying to sneak in more than a README ;)

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
[isar-cip-core PATCH v2 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Use the Debian snakeoil keys to have a demo case available without the OVMF setup. Copy the used keys from the build to the deploy directory to allow usage in non-Debian distributions. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- conf/distro/debian-buster-backports.list | 1 + conf/distro/preferences.ovmf-snakeoil.conf | 3 ++ kas/opt/ebg-secure-boot-snakeoil.yml | 27 ++++++++++++++ .../ebg-secure-boot-snakeoil_0.1.bb | 35 ++++++++++++++++++ .../files/control.tmpl | 12 +++++++ .../files/sign_secure_image.sh | 36 +++++++++++++++++++ .../ovmf-binaries/files/control.tmpl | 11 ++++++ .../ovmf-binaries/ovmf-binaries_0.1.bb | 30 ++++++++++++++++ start-qemu.sh | 4 +-- 9 files changed, 157 insertions(+), 2 deletions(-) create mode 100644 conf/distro/debian-buster-backports.list create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb diff --git a/conf/distro/debian-buster-backports.list b/conf/distro/debian-buster-backports.list new file mode 100644 index 0000000..f2dd104 --- /dev/null +++ b/conf/distro/debian-buster-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian buster-backports main contrib non-free diff --git a/conf/distro/preferences.ovmf-snakeoil.conf b/conf/distro/preferences.ovmf-snakeoil.conf new file mode 100644 index 0000000..b51d1d4 --- /dev/null +++ b/conf/distro/preferences.ovmf-snakeoil.conf @@ -0,0 +1,3 @@ +Package: ovmf +Pin: release n=buster-backports +Pin-Priority: 801 
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml new file mode 100644 index 0000000..a43ddb5 --- /dev/null +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -0,0 +1,27 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + includes: + - ebg-secure-boot-base.yml + + +local_conf_header: + secure-boot: | + # Add snakeoil and ovmf binaries for qemu + IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries" + IMAGER_INSTALL += "ebg-secure-boot-snakeoil" + + ovmf: | + # snakeoil certs are only part of backports + DISTRO_APT_SOURCES_append = " conf/distro/debian-buster-backports.list" + DISTRO_APT_PREFERENCES_append = " conf/distro/preferences.ovmf-snakeoil.conf" diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb new file mode 100644 index 0000000..89abbcf --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb 
@@ -0,0 +1,35 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys" +# used to sign the image +DEBIAN_DEPENDS = "pesign, sbsigntool, ovmf, openssl, libnss3-tools" + + +# this package cannot be install together with: +DEBIAN_CONFLICTS = "ebg-secure-boot-secrets" + +SRC_URI = "file://sign_secure_image.sh \ + file://control.tmpl" + +TEMPLATE_FILES = "control.tmpl" +TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS" + +do_install() { + TARGET=${D}/usr/bin + install -d ${TARGET} + install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh +} + +addtask do_install after do_transform_template + diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl new file mode 100644 index 0000000..8361a49 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl @@ -0,0 +1,12 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9) + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} +Conflicts: ${DEBIAN_CONFLICTS} diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh new file mode 100644 index 0000000..081dbe9 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh 
@@ -0,0 +1,36 @@ +#!/bin/sh +set -e +set -x +signee=$1 +signed=$2 + +usage(){ + echo "sign with debian snakeoil" + echo "$0 signee signed" + echo "signee: path to the image to be signed" + echo "signed: path to store the signed image" +} + + +if [ -z "$signee" ] || [ -z "$signed" ]; then + usage + exit 1 +fi + +name=snakeoil +keydir=$(mktemp -d) +inkey=/usr/share/ovmf/PkKek-1-snakeoil.key +incert=/usr/share/ovmf/PkKek-1-snakeoil.pem +nick_name=snakeoil +TMP=$(mktemp -d) +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb +openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name +pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb +cp $incert ${keydir}/$(basename $incert) +rm -rf $TMP + +pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed +sbverify --cert $incert $signed +rm -rf $keydir +exit 0 diff --git a/recipes-devtools/ovmf-binaries/files/control.tmpl b/recipes-devtools/ovmf-binaries/files/control.tmpl new file mode 100644 index 0000000..54641d6 --- /dev/null +++ b/recipes-devtools/ovmf-binaries/files/control.tmpl @@ -0,0 +1,11 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9), ${DEBIAN_BUILD_DEPENDS} + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} diff --git a/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb new file mode 100644 index 0000000..025b970 --- /dev/null +++ b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb 
@@ -0,0 +1,30 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Copy the OVMF biniaries from the build changeroot to the deploy dir" + +# this is a empty debian package +SRC_URI = "file://control.tmpl" + +DEBIAN_BUILD_DEPENDS = "ovmf" +TEMPLATE_FILES = "control.tmpl" +TEMPLATE_VARS += "PN DEBIAN_DEPENDS MAINTAINER DESCRIPTION DPKG_ARCH DEBIAN_BUILD_DEPENDS" + + +do_extract_ovmf() { + install -m 0755 -d ${DEPLOY_DIR_IMAGE} + cp -r ${BUILDCHROOT_DIR}/usr/share/OVMF ${DEPLOY_DIR_IMAGE} + chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF +} + +addtask do_extract_ovmf after do_install_builddeps before do_dpkg_build diff --git a/start-qemu.sh b/start-qemu.sh index 74d1b54..3a3b2f7 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -94,8 +94,8 @@ fi if [ -n "SECURE_BOOT" ]; then - ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} - ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} + ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd} + ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS.snakeoil.fd} QEMU_EXTRA_ARGS=" \ ${QEMU_EXTRA_ARGS} \ -global ICH9-LPC.disable_s3=1 \ -- 2.20.1
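Review bot: In sign_secure_image.sh, `set -x` traces the `openssl pkcs12 -export -passin pass:"snakeoil" -passout pass:` line, so the key passphrase is echoed into the build log; it is a public demo key here, but this script is the shape the ebg-secure-boot-secrets variant follows for real keys, so drop `set -x` or bracket the openssl call with `set +x` / `set -x`. With `set -e`, a failing `pesign` or `sbverify` also exits before `rm -rf $keydir`, leaving the temporary NSS database with the imported key on disk; a `trap 'rm -rf "$TMP" "$keydir"' EXIT` right after the two `mktemp -d` calls covers every exit path, and `$signee`, `$signed`, `$TMP` and `$keydir` should be double-quoted. `name` and `nick_name` both hold `snakeoil`; one variable is enough.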
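Review bot: The new conf/distro/debian-buster-backports.list enables `main contrib non-free` from buster-backports for the whole build, while preferences.ovmf-snakeoil.conf only pins `ovmf`, which is in main; restrict the line to `main` so no contrib or non-free backport can be pulled into an image unnoticed, and prefer `http://deb.debian.org/debian` over a single country mirror. The comment `# snakeoil certs are only part of backports` in kas/opt/ebg-secure-boot-snakeoil.yml would be more useful if it named the ovmf version that carries them.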
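Review bot: In ovmf-binaries_0.1.bb, `chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF` changes only the directory itself, not the files that `cp -r` placed inside it; use `chown -R`. DESCRIPTION has two typos (`biniaries`, `changeroot`) and the comment should read `an empty debian package`.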
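Review bot: The context line `if [ -n "SECURE_BOOT" ]; then` in start-qemu.sh tests the literal string `SECURE_BOOT`, which is never empty, so the secure-boot branch and the new OVMF defaults apply even when the variable is unset; it should read `"$SECURE_BOOT"`, and since this hunk rewrites the two lines directly below it, fixing it here is cheap. The new defaults also hard-code `qemu-amd64` in a script that takes the architecture as an argument (`./start-qemu.sh amd64` in the README of patch 6/6); derive the deploy path from that argument, or fall back to the previous `/usr/share/OVMF` location when the deploy directory does not exist.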
[isar-cip-core PATCH v2 6/6] doc: Add README for secureboot
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- doc/README.secureboot.md | 188 +++++++++++++++++++++++++++++++++++++++ kas/opt/ebg-swu.yml | 2 +- 2 files changed, 189 insertions(+), 1 deletion(-) create mode 100644 doc/README.secureboot.md diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md new file mode 100644 index 0000000..5cbbc23 --- /dev/null +++ b/doc/README.secureboot.md 
@@ -0,0 +1,188 @@ +# Efibootguard Secure boot + +This document describes how to generate a secure boot capable image with +[efibootguard](https://github.com/siemens/efibootguard). + +## Description + +The image build signs the efibootguard bootloader (bootx64.efi) and generates +a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/). +A unified kernel image packs the kernel, initramfs and the kernel command-line +in one binary object. As the kernel command-line is immutable after the build +process, the previous selection of the root file system with a command-line parameter is no longer +possible. Therefore the selection of the root file-system occurs now in the initramfs. + +The image uses an A/B partition layout to update the root file system. The sample implementation to +select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs. +During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs. +If a match is found the rootfs is used for the boot. + +## Adaptation for Images + +### WIC +The following elements must be present in a wks file to create a secure boot capable image. 
+ +``` +part --source efibootguard-efi --sourceparams "signwith=<script or executable to sign the image>" +part --source efibootguard-boot --sourceparams "uefikernel=<name of the unified kernel>,signwith=<script or executable to sign the image>" +``` + +#### Script or executable to sign the image + +The wic plugins for the [bootloader](./scripts/lib/wic/plugins/source/efibootguard-efi.py) +and [boot partition](./scripts/lib/wic/plugins/source/efibootguard-boot.py) require an +executable or script with the following interface: +``` +<script_name> <inputfile> <outputfile> +``` +- script name: name and path of the script added with +`--sourceparams "signwith=/usr/bin/sign_secure_image.sh"` to the wic image +- inputfile: path and name of the file to be signed +- outputfile: path and name of the signed input + +Supply the script name and path to wic by adding +`signwith=<path and name of the script to sign>"` to sourceparams of the partition. + + +### Existing packages to sign an image + +#### ebg-secure-boot-snakeoil + +This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2) +backported from Debian bullseye and signs the image. + +#### ebg-secure-boot-secrets +This package takes a user-generated certificate and adds it to the build system. 
+The following variable and steps are necessary to build a secure boot capable image: +- Set certification information to sign and verify the image with: + - SB_CERTDB: The directory containing the certificate database create with certutil + - SB_VERIFY_CERT: The certificate to verify the signing process + - SB_KEY_NAME: Name of the key in the certificate database +- if necessary change the script to select the boot partition after an update + - recipes-support/initramfs-config/files/initramfs.selectrootfs.script + +The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in `recipes-devtools/ebg-secure-boot-secrets/files/` + +## QEMU + +Set up a secure boot test environment with [QEMU](https://www.qemu.org/) + +### Prerequisites + +- OVMF from edk2 release edk2-stable201911 or newer + - This documentation was tested under Debian 10 with OVMF (0.0~20200229-2) backported from Debian + bullseye +- efitools for KeyTool.efi + - This documentation was tested under Debian 10 with efitools (1.9.2-1) backported from Debian bullseye +- libnss3-tools + +### Debian Snakeoil keys + +The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. Y +u can use them as described in section [Start Image](### Start the image). + +### Generate Keys + +#### Reuse exiting keys + +It is possible to use exiting keys like /usr/share/ovmf/PkKek-1-snakeoil.pem' from Debian +by executing the script `scripts/generate-sb-db-from-existing-certificate.sh`, e.g.: +``` +export SB_NAME=<name for the secureboot config> +export SB_KEYDIR=<location to store the database> +export INKEY=<secret key of the certificate> +export INCERT=<certificate> +export INNICK=<name of the certificate in the database> +scripts/generate-sb-db-from-existing-certificate.sh +``` +This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name. 
+ +Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/` + +#### Generate keys + +To generate the necessary keys and information to test secure-boot with QEMU +execute the script `scripts/generate_secure_boot_keys.sh` + +##### Add Keys to OVMF +1. Create a folder and copy the generated keys and KeyTool.efi +(in Debian the file can be found at: /lib/efitools/x86_64-linux-gnu/KeyTool.efi) to the folder +``` +mkdir secureboot-tools +cp -r keys secureboot-tools +cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools +``` +2. Copy the file OVMF_VARS.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS.fd) +to the current directory. OVMF_VARS.fd contains no keys can be instrumented for secureboot. +3. Start QEMU with the script scripts/start-efishell.sh +``` +scripts/start-efishell.sh secureboot-tools +``` +4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: + -> "Edit Keys" + -> "The Allowed Signatures Database (db)" + -> "Add New Key" + -> Change/Confirm device + -> Select "DB.esl" file + -> "The Key Exchange Key Database (KEK)" + -> "Add New Key" + -> Change/Confirm device + -> Select "KEK.esl" file + -> "The Platform Key (PK) + -> "Replace Key(s)" + -> Change/Confirm device + -> Select "PK.auth" file +5. quit QEMU + +### Build image + +Build the image with a signed efibootguard and unified kernel image +with the snakeoil keys by executing: +``` +kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml +``` + +For user-generated keys, create a new option file. 
This option file could look like this: +``` +header: + version: 8 + includes: + - opt/ebg-swu.yml + - opt/ebg-secure-boot-initramfs.yml + +local_conf_header: + secure-boot: | + IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" + IMAGER_INSTALL += "ebg-secure-boot-secrets" + user-keys: + SB_CERTDB = "democertdb" + SB_VERIFY_CERT = "demo.crt" + SB_KEY_NAME = "demo" +``` + +Replace `demo` with the name of the user-generated certificates. + +### Start the image + +#### Debian snakeoil + +Start the image with the following command: +``` +SECURE_BOOT=y \ +./start-qemu.sh amd64 +``` + +The default `OVMF_VARS.snakeoil.fd` boot to the EFI shell. To boot Linux enter the following command: +``` +FS0:\EFI\BOOT\bootx64.efi +``` +To change the boot behavior, enter `exit` in the shell to enter the bios and change the boot order. + +#### User-generated keys +Start the image with the following command: +``` +SECURE_BOOT=y \ +OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd \ +OVMF_VARS=<path to the modified OVMF_VARS.fd> \ +./start-qemu.sh amd64 +``` diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml index 5b39730..81d90ad 100644 --- a/kas/opt/ebg-swu.yml +++ b/kas/opt/ebg-swu.yml @@ -22,5 +22,5 @@ local_conf_header: WICVARS += "WDOG_TIMEOUT" wic: | - IMAGE_TYPE = "wic-img" + IMAGE_TYPE = "wic-swu-img" WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks" -- 2.20.1
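Review bot: The README never states that the snakeoil material is a publicly distributed demo key: its private half ships in the ovmf package (`/usr/share/ovmf/PkKek-1-snakeoil.key`, with its passphrase on the command line in sign_secure_image.sh from patch 5/6) and is what `OVMF_VARS.snakeoil.fd` trusts, so an image signed with it verifies on any machine that enrolled that certificate and gives no boot protection. Add a sentence under `ebg-secure-boot-snakeoil` and `Debian Snakeoil keys` that this path is for the QEMU demo only and that a product must use `ebg-secure-boot-secrets` with its own PK/KEK/db. The `ebg-secure-boot-secrets` section also directs the certificate database holding the private signing key into `recipes-devtools/ebg-secure-boot-secrets/files/` inside the layer checkout; say that this directory must stay out of version control. Smaller points in the same hunk: `[Start Image](### Start the image)` is not a valid anchor (use `#start-the-image`); the line break inside `Y` / `u can use` splits the word; `Reuse exiting keys` and `use exiting keys` should read `existing`; `signwith=<path and name of the script to sign>"` has a stray closing quote; `create with certutil` should be `created`, `must be store` should be `stored`, and `OVMF_VARS.fd contains no keys can be instrumented` is missing an `and`.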
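Review bot: The `IMAGE_TYPE = "wic-swu-img"` change in kas/opt/ebg-swu.yml is unrelated to adding a README and is not mentioned in the commit message (the message consists of the Signed-off-by line only); move it to its own patch with a one-line rationale, as Jan's reply in this thread also asks.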
[isar-cip-core PATCH v2 4/6] secure-boot: Add secure boot with unified kernel image
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
A unified kernel image contains the os-release, kernel, kernel commandline, initramfs and efi-stub in one binary. This binary can be boot by systemd-boot and efibootguard. It also allows to sign kernel and initramfs as one packages. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- kas/opt/ebg-secure-boot-base.yml | 17 ++++ recipes-core/images/cip-core-image.bb | 2 +- recipes-core/images/files/sw-description.tmpl | 6 +- .../ebg-secure-boot-secrets_0.1.bb | 51 +++++++++++ .../ebg-secure-boot-secrets/files/README.md | 1 + .../files/control.tmpl | 12 +++ .../files/sign_secure_image.sh.tmpl | 22 +++++ .../initramfs-config/files/postinst.tmpl | 31 ------- ...enerate-sb-db-from-existing-certificate.sh | 16 ++++ scripts/generate_secure_boot_keys.sh | 51 +++++++++++ .../wic/plugins/source/efibootguard-boot.py | 87 +++++++++++++++++-- .../wic/plugins/source/efibootguard-efi.py | 40 ++++++++- scripts/start-efishell.sh | 12 +++ start-qemu.sh | 54 +++++++++--- wic/ebg-signed-bootloader.inc | 2 + wic/qemu-amd64-efibootguard.wks | 6 +- 16 files changed, 350 insertions(+), 60 deletions(-) create mode 100644 kas/opt/ebg-secure-boot-base.yml create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl delete mode 100644 recipes-support/initramfs-config/files/postinst.tmpl create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh create mode 100755 scripts/generate_secure_boot_keys.sh create mode 100755 scripts/start-efishell.sh create mode 100644 wic/ebg-signed-bootloader.inc diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml new file mode 100644 index 0000000..0f9133c --- /dev/null +++ b/kas/opt/ebg-secure-boot-base.yml 
@@ -0,0 +1,17 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +local_conf_header: + initramfs: | + IMAGE_INSTALL += "initramfs-abrootfs-secureboot" diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index 4dfc983..c781623 100644 --- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb @@ -10,7 +10,7 @@ # inherit image - +inherit image_uuid ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'" DESCRIPTION = "CIP Core image" diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl index bef1984..bce97d0 100644 --- a/recipes-core/images/files/sw-description.tmpl +++ b/recipes-core/images/files/sw-description.tmpl @@ -11,12 +11,12 @@ software = { version = "0.2"; - name = "ebsy secure boot update" + name = "secure boot update" images: ({ - filename = "${EXTRACTED_PARTITION_NAME}"; + filename = "${ROOTFS_PARTITION_NAME}"; device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; type = "roundrobin"; - compressed = true; + compressed = "true"; filesystem = "ext4"; }); files: ({ diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb new file mode 100644 index 0000000..37b35c9 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb 
@@ -0,0 +1,51 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \ + sign an image with the given keys" + +# variables +SB_CERT_PATH = "/usr/share/ebg-secure-boot" +SB_CERTDB ??= "" +SB_VERIFY_CERT ??= "" +SB_KEY_NAME ??= "demoDB" + +# used to sign the image +DEBIAN_DEPENDS = "pesign, sbsigntool" + +# this package cannot be install together with: +DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil" + +SRC_URI = " \ + file://sign_secure_image.sh.tmpl \ + file://control.tmpl" +SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }" +SRC_URI_append = " ${@ d.getVar(SB_VERIFY_CERT) or "" }" +TEMPLATE_FILES = "sign_secure_image.sh.tmpl" +TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME" + +TEMPLATE_FILES += "control.tmpl" +TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS" + +do_install() { + TARGET=${D}${SB_CERT_PATH} + install -m 0700 -d ${TARGET} + cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB} + chmod 700 ${TARGET}/${SB_CERTDB} + install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT} + TARGET=${D}/usr/bin + install -d ${TARGET} + install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh +} + +addtask do_install after do_transform_template diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md new file mode 100644 index 0000000..c739c51 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/README.md @@ -0,0 +1 @@ +For a secure boot image this directory needs to contain the certdb directory and the db.crt file. 
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl new file mode 100644 index 0000000..8361a49 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl @@ -0,0 +1,12 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9) + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} +Conflicts: ${DEBIAN_CONFLICTS} diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl new file mode 100644 index 0000000..e84fd4c --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl @@ -0,0 +1,22 @@ +#!/bin/sh +set -e +set -x +signee=$1 +signed=$2 + +usage(){ + echo "sign with debian snakeoil" + echo "$0 signee signed" + echo "signee: path to the image to be signed" + echo "signed: path to store the signed image" +} + + +if [ -z "$signee" ] || [ -z "$signed" ]; then + usage + exit 1 +fi + +pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed +sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed +exit 0 diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl deleted file mode 100644 index 008f68d..0000000 --- a/recipes-support/initramfs-config/files/postinst.tmpl +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/sh -if [ -d /usr/share/secureboot ]; then - patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch -fi - -INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf -if [ -f ${INITRAMFS_CONF} ]; then - sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} - sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} - sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} - sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} - sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} - sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} - sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} - if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then - sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} - else - sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} - fi -fi - -MODULES_LIST_FILE=/etc/initramfs-tools/modules -if [ -f ${MODULES_LIST_FILE} ]; then - for modname in ${INITRAMFS_MODULE_LIST}; do - if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then - echo "$modname" >> "${MODULES_LIST_FILE}" - fi - done -fi - -update-initramfs -v -u diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh new file mode 100755 index 0000000..035f189 --- /dev/null +++ b/scripts/generate-sb-db-from-existing-certificate.sh 
@@ -0,0 +1,16 @@ +#!/bin/sh +name=${SB_NAME:-snakeoil} +keydir=${SB_KEYDIR:-./keys} +if [ ! -d ${keydir} ]; then + mkdir -p ${keydir} +fi +inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key} +incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem} +nick_name=${IN_NICK:-snakeoil} +TMP=$(mktemp -d) +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb +openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name +pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb +cp $incert ${keydir}/$(basename $incert) +rm -rf $TMP diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh new file mode 100755 index 0000000..8d3f8c0 --- /dev/null +++ b/scripts/generate_secure_boot_keys.sh 
@@ -0,0 +1,51 @@ +#!/bin/sh +name=${SB_NAME:-demo} +keydir=${SB_KEYDIR:-./keys} +if [ ! -d ${keydir} ]; then + mkdir -p ${keydir} +fi +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \ + -keyout ${keydir}/${name}PK.key -out ${keydir}/${name}PK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \ + -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \ + -keyout ${keydir}/${name}DB.key -out ${keydir}/${name}DB.crt -days 3650 -nodes -sha256 +openssl x509 -in ${keydir}/${name}PK.crt -out ${keydir}/${name}PK.cer -outform DER +openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER +openssl x509 -in ${keydir}/${name}DB.crt -out ${keydir}/${name}DB.cer -outform DER + +openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \ + -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass: + +GUID=$(uuidgen --random) +echo $GUID > ${keydir}/${name}GUID + +cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt ${keydir}/${name}PK.esl +cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl +cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt ${keydir}/${name}DB.esl +rm -f ${keydir}/${name}noPK.esl +touch ${keydir}/${name}noPK.esl + +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + PK ${keydir}/${name}PK.esl ${keydir}/${name}PK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth + +chmod 0600 
${keydir}/${name}*.key +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb + +certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt +pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12 +certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u + +certutil -d ${keydir}/${name}certdb -K +certutil -d ${keydir}/${name}certdb -L diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py index 38d2b2e..d291f75 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py @@ -80,17 +80,29 @@ class EfibootguardBootPlugin(SourcePlugin): boot_files = source_params.get("files", "").split(' ') + uefi_kernel = source_params.get("unified-kernel") cmdline = bootloader.append - root_dev = source_params.get("root", None) - if not root_dev: - msger.error("Specify root in source params") - exit(1) + if uefi_kernel: + boot_image = cls._create_unified_kernel_image(rootfs_dir, + cr_workdir, + cmdline, + uefi_kernel, + deploy_dir, + kernel_image, + initrd_image, + source_params) + boot_files.append(boot_image) + else: + root_dev = source_params.get("root", None) + if not root_dev: + msger.error("Specify root in source params") + exit(1) root_dev = root_dev.replace(":", "=") - cmdline += " root=%s rw" % root_dev - boot_files.append(kernel_image) - boot_files.append(initrd_image) - cmdline += "initrd=%s" % initrd_image if initrd_image else "" + cmdline += " root=%s rw" % root_dev + boot_files.append(kernel_image) + boot_files.append(initrd_image) + cmdline += "initrd=%s" % initrd_image if initrd_image else "" part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir, part.label, part.lineno) 
@@ -160,3 +172,62 @@ class EfibootguardBootPlugin(SourcePlugin): part.size = bootimg_size part.source_file = bootimg + + @classmethod + def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline, + uefi_kernel, deploy_dir, kernel_image, + initrd_image, source_params): + rootfs_path = rootfs_dir.get('ROOTFS_DIR') + os_release_file = "{root}/etc/os-release".format(root=rootfs_path) + efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\ + .format(rootfs_path=rootfs_path) + msger.debug("osrelease path: %s", os_release_file) + kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\ + .format(cr_workdir=cr_workdir) + with open(kernel_cmdline_file, "w") as cmd_fd: + cmd_fd.write(cmdline) + uefi_kernel_name = "linux.efi" + uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\ + .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name) + kernel = "{deploy_dir}/{kernel_image}"\ + .format(deploy_dir=deploy_dir, kernel_image=kernel_image) + initrd = "{deploy_dir}/{initrd_image}"\ + .format(deploy_dir=deploy_dir, initrd_image=initrd_image) + objcopy_cmd = 'objcopy \ + --add-section .osrel={os_release_file} \ + --change-section-vma .osrel=0x20000 \ + --add-section .cmdline={kernel_cmdline_file} \ + --change-section-vma .cmdline=0x30000 \ + --add-section .linux={kernel} \ + --change-section-vma .linux=0x2000000 \ + --add-section .initrd={initrd} \ + --change-section-vma .initrd=0x3000000 \ + {efistub} {uefi_kernel_file}'.format( + os_release_file=os_release_file, + kernel_cmdline_file=kernel_cmdline_file, + kernel=kernel, + initrd=initrd, + efistub=efistub, + uefi_kernel_file=uefi_kernel_file) + exec_cmd(objcopy_cmd) + + return cls._sign_file(name=uefi_kernel_name, + signee=uefi_kernel_file, + deploy_dir=deploy_dir, + source_params=source_params) + + @classmethod + def _sign_file(cls, name, signee, deploy_dir, source_params): + sign_script = source_params.get("signwith") + if sign_script and os.path.exists(sign_script): + 
msger.info("sign with script %s", sign_script) + name = name.replace(".efi", ".signed.efi") + sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\ + .format(sign_script=sign_script, signee=signee, + deploy_dir=deploy_dir, name=name) + exec_cmd(sign_cmd) + elif sign_script and not os.path.exists(sign_script): + msger.error("Could not find script %s", sign_script) + exit(1) + + return name diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py index 5ee451f..6647212 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-efi.py +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py @@ -64,10 +64,17 @@ class EfibootguardEFIPlugin(SourcePlugin): exec_cmd(create_dir_cmd) for bootloader in bootloader_files: - cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir, - bootloader, - part_rootfs_dir, - bootloader) + signed_bootloader = cls._sign_file(bootloader, + "{}/{}".format(deploy_dir, + bootloader + ), + cr_workdir, + source_params) + # important the bootloader in deploy_dir is no longer signed + cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir, + signed_bootloader, + part_rootfs_dir, + bootloader) exec_cmd(cp_cmd, True) du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir blocks = int(exec_cmd(du_cmd).split()[0]) 
@@ -100,3 +107,28 @@ class EfibootguardEFIPlugin(SourcePlugin): part.size = efi_part_image_size part.source_file = efi_part_image + + + @classmethod + def _sign_file(cls, name, signee, cr_workdir, source_params): + sign_script = source_params.get("signwith") + if sign_script and os.path.exists(sign_script): + work_name = name.replace(".efi", ".signed.efi") + sign_cmd = "{sign_script} {signee} \ + {cr_workdir}/{work_name}".format(sign_script=sign_script, + signee=signee, + cr_workdir=cr_workdir, + work_name=work_name) + exec_cmd(sign_cmd) + elif sign_script and not os.path.exists(sign_script): + msger.error("Could not find script %s", sign_script) + exit(1) + else: + # if we do nothing copy the signee to the work directory + work_name = name + cp_cmd = "cp {signee} {cr_workdir}/{work_name}".format( + signee=signee, + cr_workdir=cr_workdir, + work_name=work_name) + exec_cmd(cp_cmd) + return work_name diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh new file mode 100755 index 0000000..3c56ebc --- /dev/null +++ b/scripts/start-efishell.sh @@ -0,0 +1,12 @@ +#!/bin/sh +ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} +ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} +DISK=$1 +qemu-system-x86_64 -enable-kvm -M q35 \ + -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \ + -global ICH9-LPC.disable_s3=1 \ + -global isa-fdc.driveA= \ + -boot menu=on \ + -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ + -drive if=pflash,format=raw,file=${ovmf_vars} \ + -drive file=fat:rw:$DISK diff --git a/start-qemu.sh b/start-qemu.sh index 49f0266..74d1b54 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -15,6 +15,8 @@ usage() echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]" echo -e "\nSet QEMU_PATH environment variable to use a locally " \ "built QEMU version" + echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \ + "This environment also needs the variables OVMF_VARS and OVMF_CODE set" exit 1 } 
@@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" fi +if [ -z "${DISTRO_RELEASE}" ]; then + DISTRO_RELEASE="buster" +fi +if [ -z "${TARGET_IMAGE}" ];then + TARGET_IMAGE="cip-core-image" +fi + case "$1" in x86|x86_64|amd64) DISTRO_ARCH=amd64 QEMU=qemu-system-x86_64 QEMU_EXTRA_ARGS=" \ - -cpu host -smp 4 \ - -enable-kvm -machine q35 \ + -cpu qemu64 \ + -smp 4 \ + -machine q35,accel=kvm:tcg \ -device ide-hd,drive=disk \ -device virtio-net-pci,netdev=net" KERNEL_CMDLINE=" \ - root=/dev/sda vga=0x305 console=ttyS0" + root=/dev/sda vga=0x305" ;; arm64|aarch64) DISTRO_ARCH=arm64 
@@ -71,21 +81,41 @@ case "$1" in ;; esac -if [ -z "${DISTRO_RELEASE}" ]; then - DISTRO_RELEASE="buster" -fi - -IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}" -IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) +IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}" if [ -z "${DISPLAY}" ]; then QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic" + case "$1" in + x86|x86_64|amd64) + KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0" + esac +fi + + + +if [ -n "SECURE_BOOT" ]; then + ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} + ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} + QEMU_EXTRA_ARGS=" \ + ${QEMU_EXTRA_ARGS} \ + -global ICH9-LPC.disable_s3=1 \ + -global isa-fdc.driveA= \ + " + BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ + -drive if=pflash,format=raw,file=${ovmf_vars} \ + -drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw" +else + IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) + + KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1) + INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1) + + BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ + -initrd ${INITRD_FILE} fi shift 1 ${QEMU_PATH}${QEMU} \ - -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -m 1G -serial mon:stdio -netdev user,id=net \ - -kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \ - -initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@" + ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@" diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc new file mode 100644 index 0000000..667e014 --- /dev/null +++ b/wic/ebg-signed-bootloader.inc 
@@ -0,0 +1,2 @@ +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks index 3cd7360..9ccf501 100644 --- a/wic/qemu-amd64-efibootguard.wks +++ b/wic/qemu-amd64-efibootguard.wks @@ -1,5 +1,9 @@ # short-description: Qemu-amd64 with Efibootguard and SWUpdate # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate +include ebg-signed-bootloader.inc + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" -include ebg-sysparts.inc include swupdate-partition.inc -- 2.20.1
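Review bot: `inherit image_uuid` in recipes-core/images/cip-core-image.bb references a class that is not part of this patch, so the patch only builds when the rest of the series is applied first; the commit message should say which patch provides the class, or the inherit should move to that patch.

Review bot: `compressed = true` becomes the string `"true"` in recipes-core/images/files/sw-description.tmpl without any mention in the commit message, which only describes the unified kernel image; state why the type changes (SWUpdate version requirement) so the next reader does not revert it as a typo.

Review bot: `SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }"` in ebg-secure-boot-secrets_0.1.bb passes `SB_CERTDB` as a bare Python name, so the inline expression raises NameError at parse time; it has to be `d.getVar("SB_CERTDB")` (same for `SB_VERIFY_CERT`), and the result needs a `file://` prefix to be a valid SRC_URI entry. In `do_install`, `cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}` with the default `SB_CERTDB ??= ""` copies the whole WORKDIR into the package; fail early with a clear message when `SB_CERTDB` or `SB_VERIFY_CERT` is empty.

Review bot: the `usage()` text in sign_secure_image.sh.tmpl says "sign with debian snakeoil", but this script is shipped by ebg-secure-boot-secrets, which declares `DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"` and signs with user-supplied keys; update the help text. `$signee` and `$signed` should also be quoted in the `pesign` and `sbverify` calls.

Review bot: `openssl pkcs12 -export` and `pk12util -i` in scripts/generate-sb-db-from-existing-certificate.sh run without `-passout pass:` / `-W ""`, so the script blocks on interactive password prompts, unlike scripts/generate_secure_boot_keys.sh which passes both; neither script sets `set -e`, so a failed `certutil -N` or `pk12util` step is ignored and the remaining commands run against an incomplete certdb.

Review bot: in scripts/generate_secure_boot_keys.sh, `certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u` imports the DB certificate under an empty nickname, while the recipe signs with `-c "${SB_KEY_NAME}"` defaulting to `demoDB`; either pass `-n "${name}DB"` so the default `SB_KEY_NAME` works unchanged, or document in README.md that the nickname in the certdb must match `SB_KEY_NAME`. The private keys are also world-readable between `openssl req` and the final `chmod 0600 ${keydir}/${name}*.key`; a `umask 077` at the top of the script closes that window.

Review bot: `_create_unified_kernel_image` in scripts/lib/wic/plugins/source/efibootguard-boot.py places `.linux` at `0x2000000` and `.initrd` at `0x3000000`, which leaves exactly 16 MiB for the kernel image and no bound at all for the initrd; a kernel larger than that overlaps the initrd section and produces a broken PE, so either check `os.path.getsize(kernel)` against the gap or compute the `.initrd` VMA from the kernel size. The unified path also uses `cmdline = bootloader.append` without the `root=` handling of the non-unified branch, so the root device must come from the initramfs (this is what the initramfs-config patch in the series provides); say so in the commit message. While the non-unified branch is re-indented, fix the missing space in `cmdline += "initrd=%s"`, which currently yields `... rwinitrd=...` after `cmdline += " root=%s rw"`.

Review bot: `_sign_file` is duplicated in efibootguard-boot.py and efibootguard-efi.py with diverging behaviour: the EFI plugin copies the unsigned file into `cr_workdir` when no `signwith` script is given, the boot plugin returns the original name in `deploy_dir`; move it into one shared helper so both partitions behave the same. In both copies `elif sign_script and not os.path.exists(sign_script)` is just `elif sign_script:` after the first branch. The comment `# important the bootloader in deploy_dir is no longer signed` in efibootguard-efi.py reads as if the file had been unsigned; say instead that `deploy_dir` keeps the unsigned binary and the signed copy lives in `cr_workdir`.

Review bot: `if [ -n "SECURE_BOOT" ]; then` in start-qemu.sh tests the literal string, not `${SECURE_BOOT}`, so the secure boot branch is always taken and the usage text about setting SECURE_BOOT is wrong in practice. That also hides a bug in the `else` branch: `BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" -initrd ${INITRD_FILE}` is an unquoted assignment, so the shell sets `BOOT_FILES=-kernel` and tries to execute `${KERNEL_FILE}` as a command. Quote the assignment, and note that `${BOOT_FILES}` is expanded unquoted on the qemu line, so a multi-word `-append "${KERNEL_CMDLINE}"` cannot travel inside it; keep `-append` on the qemu command line or build the argument list with `set --`.

Review bot: scripts/start-efishell.sh uses `$DISK` from `$1` without checking it is set and without quotes in `-drive file=fat:rw:$DISK`; add a usage check like the one in start-qemu.sh. It also hard-codes `-enable-kvm` while start-qemu.sh in the same patch switches to `-machine q35,accel=kvm:tcg` so that it still runs without KVM; use the same fallback here.

Review bot: `signwith=/usr/bin/sign_secure_image.sh` is hard-coded three times across wic/ebg-signed-bootloader.inc and wic/qemu-amd64-efibootguard.wks; given that `DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"` implies an alternative signing package, a single variable for the script path would avoid editing all three partitions when switching. The commit message should also state what replaces the removed `include ebg-sysparts.inc` if other .wks files still include it.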
[isar-cip-core PATCH v2 2/6] isar-patch: Add initramfs-config patch
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Adapt the initramfs generation to set, for example, the root device in the initramfs. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++ kas-cip.yml | 3 + 2 files changed, 210 insertions(+) create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch diff --git a/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch new file mode 100644 index 0000000..f8fb28e --- /dev/null +++ b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch 
@@ -0,0 +1,207 @@ +From 7c85e2e363fd39e60bf5041d02e14e8bd62c1a68 Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff <quirin.gylstorff@...> +Date: Tue, 24 Mar 2020 17:58:08 +0100 +Subject: [PATCH v7 1/3] meta/support: Generate a custom initramfs + +This package sets the Parameters for mkinitramfs/update-intramfs +before it regenerates the initrd.img of debian with a modified version. + +Use cases are the remove unnecessary kernel modules to reduce the +size of the initrd by using the parameters: +``` +INITRAMFS_MODULES = "list" +INITRAMFS_MODULE_LIST += "ext4" +``` + +Set the boot root during the initrd generation by setting `INITRAMFS_ROOT`. + +see also man pages of mkinitramfs and initramfs.conf. + +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> +--- + .../initramfs-config/initramfs-config_0.1.bb | 6 +++ + .../initramfs-config/files/control.tmpl | 12 +++++ + .../initramfs-config/files/postinst.tmpl | 50 +++++++++++++++++++ + .../initramfs-config/files/postrm.tmpl | 41 +++++++++++++++ + .../initramfs-config/initramfs-config.inc | 32 ++++++++++++ + 5 files changed, 141 insertions(+) + create mode 100644 meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb + create mode 100644 meta/recipes-support/initramfs-config/files/control.tmpl + create mode 100644 meta/recipes-support/initramfs-config/files/postinst.tmpl + create mode 100644 meta/recipes-support/initramfs-config/files/postrm.tmpl + create mode 100644 meta/recipes-support/initramfs-config/initramfs-config.inc + +diff --git a/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb +new file mode 100644 +index 0000000..c951e8a +--- /dev/null ++++ b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb +@@ -0,0 +1,6 @@ ++# ++# Copyright (C) Siemens AG, 2020 ++# ++# SPDX-License-Identifier: MIT ++ ++require recipes-support/initramfs-config/initramfs-config.inc +diff --git 
a/meta/recipes-support/initramfs-config/files/control.tmpl b/meta/recipes-support/initramfs-config/files/control.tmpl +new file mode 100644 +index 0000000..66984eb +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/control.tmpl +@@ -0,0 +1,12 @@ ++Source: ${PN} ++Section: misc ++Priority: optional ++Standards-Version: 3.9.6 ++Maintainer: isar-users <isar-users@...> ++Build-Depends: debhelper (>= 9) ++ ++ ++Package: ${PN} ++Architecture: any ++Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools-core, ${DEBIAN_DEPENDS} ++Description: Configuration files for a custom initramfs +diff --git a/meta/recipes-support/initramfs-config/files/postinst.tmpl b/meta/recipes-support/initramfs-config/files/postinst.tmpl +new file mode 100644 +index 0000000..e523906 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/postinst.tmpl +@@ -0,0 +1,50 @@ ++#!/bin/sh ++# postinst script for initramfs-config ++# ++# see: dh_installdeb(1) ++ ++set -e ++ ++case "$1" in ++ configure) ++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf ++ if [ -f ${INITRAMFS_CONF} ]; then ++ sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} ++ if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then ++ sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} ++ else ++ sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} ++ fi ++ fi ++ ++ MODULES_LIST_FILE=/etc/initramfs-tools/modules ++ if [ -f ${MODULES_LIST_FILE} ]; then ++ for modname in ${INITRAMFS_MODULE_LIST}; do ++ if ! 
grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then ++ echo "$modname" >> "${MODULES_LIST_FILE}" ++ fi ++ done ++ fi ++ ++ update-initramfs -v -u ++ ++ ;; ++ abort-upgrade|abort-remove|abort-deconfigure) ++ ;; ++ ++ *) ++ echo "postinst called with unknown argument \`$1'" >&2 ++ exit 1 ++ ;; ++esac ++# dh_installdeb will replace this with shell code automatically ++# generated by other debhelper scripts. ++#DEBHELPER# ++ ++exit 0 +diff --git a/meta/recipes-support/initramfs-config/files/postrm.tmpl b/meta/recipes-support/initramfs-config/files/postrm.tmpl +new file mode 100644 +index 0000000..115d9b6 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/postrm.tmpl +@@ -0,0 +1,41 @@ ++#!/bin/sh ++# postrm script for initramfs-config ++# ++# see: dh_installdeb(1) ++ ++set -e ++ ++case "$1" in ++ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ++ # back to the debian defaults ++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf ++ sed -i -E 's/(^MODULES=).*/\1most/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^BUSYBOX=).*/\1auto/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^COMPRESS=).*/\1gzip/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^KEYMAP=).*/\1n/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^DEVICE=).*/\1/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^NFSROOT=).*/\1auto/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^RUNSIZE=).*/\110%/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^ROOT=).*//' ${INITRAMFS_CONF} ++ ++ # remove the added modules ++ MODULES_LIST_FILE=/etc/initramfs-tools/modules ++ for modname in ${INITRAMFS_MODULE_LIST}; do ++ sed -i -E 's/$modname//' ++ done ++ ++ update-initramfs -v -u ++ ;; ++ ++ *) ++ echo "postrm called with unknown argument \`$1'" >&2 ++ exit 1 ++ ;; ++esac ++ ++# dh_installdeb will replace this with shell code automatically ++# generated by other debhelper scripts. 
++ ++#DEBHELPER# ++ ++exit 0 +diff --git a/meta/recipes-support/initramfs-config/initramfs-config.inc b/meta/recipes-support/initramfs-config/initramfs-config.inc +new file mode 100644 +index 0000000..16049a9 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/initramfs-config.inc +@@ -0,0 +1,32 @@ ++# This software is a part of ISAR. ++# Copyright (C) 2020 Siemens AG ++# ++# SPDX-License-Identifier: MIT ++inherit dpkg-raw ++inherit template ++DESCRIPTION = "Recipe to set the initramfs configuration and generate a new ramfs" ++ ++FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:" ++ ++SRC_URI = "file://postinst.tmpl \ ++ file://postrm.tmpl \ ++ file://control.tmpl \ ++ " ++ ++INITRAMFS_MODULES ?= "most" ++INITRAMFS_BUSYBOX ?= "auto" ++INITRAMFS_COMPRESS ?= "gzip" ++INITRAMFS_KEYMAP ?= "n" ++INITRAMFS_NET_DEVICE ?= "" ++INITRAMFS_NFSROOT ?= "auto" ++INITRAMFS_RUNSIZE ?= "10%" ++INITRAMFS_ROOT ?= "" ++INITRAMFS_MODULE_LIST ?= "" ++CREATE_NEW_INITRAMFS ?= "n" ++KERNEL_PACKAGE = "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}" ++DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}" ++TEMPLATE_FILES = "postinst.tmpl control.tmpl postrm.tmpl" ++TEMPLATE_VARS += "INITRAMFS_MODULES INITRAMFS_BUSYBOX INITRAMFS_COMPRESS \ ++ INITRAMFS_KEYMAP INITRAMFS_NET_DEVICE INITRAMFS_NFSROOT \ ++ INITRAMFS_RUNSIZE INITRAMFS_ROOT INITRAMFS_MODULE_LIST \ ++ CREATE_NEW_INITRAMFS DEBIAN_DEPENDS PN" +-- +2.20.1 + diff --git a/kas-cip.yml b/kas-cip.yml index 0da07db..da99d51 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -26,6 +26,9 @@ repos: 01-libubootenv: path: isar-patches/0001-u-boot-add-libubootenv.patch repo: cip-core + 02-initramfs: + path: isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch + repo: cip-core bblayers_conf_header: standard: | -- 2.20.1
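Review bot: `grep -Fxq "ROOT=" "${INITRAMFS_CONF}"` in the embedded postinst.tmpl only matches a line that is exactly `ROOT=`, so an existing `ROOT=/dev/...` entry is not detected and a second `ROOT=` line is appended on every configure; use `grep -q '^ROOT='`. The `sed` substitutions use `/` as delimiter, so an `INITRAMFS_ROOT` such as `/dev/sda` (or an `INITRAMFS_NFSROOT` containing a path) breaks the expression with "unknown option to s"; use another delimiter, e.g. `sed -i -E 's|(^ROOT=).*|\1${INITRAMFS_ROOT}|'`.

Review bot: `sed -i -E 's/$modname//'` in the embedded postrm.tmpl has no file argument, so it waits on stdin, and `$modname` sits inside single quotes and is never expanded; to undo what postinst appended, delete the whole line with something like `sed -i "/^${modname}\$/d" "${MODULES_LIST_FILE}"`. The neighbouring `sed -i -E 's/(^ROOT=).*//'` leaves an empty line behind where `/^ROOT=/d` would remove it.

Review bot: `DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}"` in the embedded initramfs-config.inc appends `, ` even when `KERNEL_NAME` is unset and `KERNEL_PACKAGE` expands to the empty string, which yields a `Depends:` field with an empty element that dpkg rejects; fold the comma into the same inline-Python expression so nothing is appended without a kernel package. `CREATE_NEW_INITRAMFS` is exported through `TEMPLATE_VARS` but not used by postinst.tmpl or postrm.tmpl; either drop it or wire it up.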