|
[isar-cip-core PATCH v3 5/5] swupdate: create swu file from wic image
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Create a swu file for swupdate to update devices in the field. This is done in the same step as the complete image build to avoid diverging images. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- classes/extract-partition.bbclass | 26 +++++++++++++ classes/wic-swu-img.bbclass | 20 ++++++++++ kas/opt/ebg-swu.yml | 4 +- recipes-core/images/cip-core-image.bb | 10 +++++ recipes-core/images/files/sw-description.tmpl | 37 +++++++++++++++++++ 5 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 classes/extract-partition.bbclass create mode 100644 classes/wic-swu-img.bbclass create mode 100644 recipes-core/images/files/sw-description.tmpl diff --git a/classes/extract-partition.bbclass b/classes/extract-partition.bbclass new file mode 100644 index 0000000..e9de8fc --- /dev/null +++ b/classes/extract-partition.bbclass @@ -0,0 +1,26 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +SOURCE_IMAGE_FILE ?= "${WIC_IMAGE_FILE}" +EXTRACT_PARTITIONS ?= "img4" + +do_extract_partition () { + for PARTITION in ${EXTRACT_PARTITIONS}; do + rm -f ${DEPLOY_DIR_IMAGE}/${PARTITION}.gz + PART_START=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $2 }' ) + PART_END=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $3 }' ) + PART_COUNT=$(expr ${PART_END} - ${PART_START} + 1 ) + + dd if=${SOURCE_IMAGE_FILE} of=${DEPLOY_DIR_IMAGE}/${PARTITION} bs=512 skip=${PART_START} count=${PART_COUNT} + + gzip ${DEPLOY_DIR_IMAGE}/${PARTITION} + done +} diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass new file mode 100644 index 0000000..c8532ba --- /dev/null +++ b/classes/wic-swu-img.bbclass @@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + + +inherit wic-img +inherit extract-partition +inherit swupdate-img + +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}" + +addtask do_extract_partition after do_wic_image +addtask do_swupdate_image after do_extract_partition diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml index 5b39730..304fa4d 100644 --- a/kas/opt/ebg-swu.yml +++ b/kas/opt/ebg-swu.yml @@ -22,5 +22,5 @@ local_conf_header: WICVARS += "WDOG_TIMEOUT" wic: | - IMAGE_TYPE = "wic-img" - WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks" + IMAGE_TYPE = "wic-swu-img" + WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks" diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index 9ee4b25..b1ed491 100644 --- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb @@ -17,3 +17,13 @@ DESCRIPTION = "CIP Core image" IMAGE_INSTALL += "customizations" # for cip-testing IMAGE_INSTALL += "ltp-full" + +# for swupdate +EXTRACT_PARTITIONS = "img4" +ROOTFS_PARTITION_NAME="img4.gz" + +SRC_URI += "file://sw-description.tmpl" +TEMPLATE_FILES += "sw-description.tmpl" +TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE" + +SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl new file mode 100644 index 0000000..4d32f6f --- /dev/null +++ b/recipes-core/images/files/sw-description.tmpl @@ -0,0 +1,37 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# +software = +{ + version = "0.2"; + name = "cip software update" + images: ({ + filename = "${ROOTFS_PARTITION_NAME}"; + device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; + type = "roundrobin"; + compressed = true; + filesystem = "ext4"; + }); + files: ({ + filename = "${KERNEL_IMAGE}"; + path = "vmlinuz"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }, + { + filename = "${INITRD_IMAGE}"; + path = "initrd.img"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }); +} + -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 4/5] wic: Add wks files for A/B Partition update
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Add wks for: - simatic-ipc227e - qemu-amd64 Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- kas/opt/ebg-swu.yml | 26 ++++++++++++++++++++++++++ wic/ebg-sysparts.inc | 8 ++++++++ wic/qemu-amd64-efibootguard.wks | 5 +++++ wic/simatic-ipc227e-efibootguard.wks | 5 +++++ wic/swupdate-partition.inc | 4 ++++ 5 files changed, 48 insertions(+) create mode 100644 kas/opt/ebg-swu.yml create mode 100644 wic/ebg-sysparts.inc create mode 100644 wic/qemu-amd64-efibootguard.wks create mode 100644 wic/simatic-ipc227e-efibootguard.wks create mode 100644 wic/swupdate-partition.inc diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml new file mode 100644 index 0000000..5b39730 --- /dev/null +++ b/kas/opt/ebg-swu.yml @@ -0,0 +1,26 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +local_conf_header: + swupdate: | + IMAGE_INSTALL_append = " swupdate efibootguard" + BOOTLOADER = "efibootguard" + + efibootguard: | + WDOG_TIMEOUT = "0" + WICVARS += "WDOG_TIMEOUT" + + wic: | + IMAGE_TYPE = "wic-img" + WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks" diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc new file mode 100644 index 0000000..dea99e8 --- /dev/null +++ b/wic/ebg-sysparts.inc @@ -0,0 +1,8 @@ +# default partition layout EFI Boot Guard usage + +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002" diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks new file mode 100644 index 0000000..3cd7360 --- /dev/null +++ b/wic/qemu-amd64-efibootguard.wks @@ -0,0 +1,5 @@ +# short-description: Qemu-amd64 with Efibootguard and SWUpdate +# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate + +include ebg-sysparts.inc +include swupdate-partition.inc diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks new file mode 100644 index 0000000..74446d3 --- /dev/null +++ b/wic/simatic-ipc227e-efibootguard.wks @@ -0,0 +1,5 @@ +# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate +# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate + +include ebg-sysparts.inc +include swupdate-partition.inc diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc new file mode 100644 index 0000000..15fbe80 --- /dev/null +++ b/wic/swupdate-partition.inc @@ -0,0 +1,4 @@ +part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4 +part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4 + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 1/5] recipes-bsp: Add efibootguard
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Add the bootloader efibootguard for A/B partition update on x86 with EFI. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- .../efibootguard/efibootguard_0.7-git+isar.bb | 46 +++++ recipes-bsp/efibootguard/files/debian/compat | 1 + .../efibootguard/files/debian/control.tmpl | 20 +++ .../files/debian/efibootguard-dev.install | 3 + .../files/debian/efibootguard.install | 2 + recipes-bsp/efibootguard/files/debian/rules | 21 +++ .../wic/plugins/source/efibootguard-boot.py | 162 ++++++++++++++++++ .../wic/plugins/source/efibootguard-efi.py | 102 +++++++++++ 8 files changed, 357 insertions(+) create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb create mode 100644 recipes-bsp/efibootguard/files/debian/compat create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install create mode 100755 recipes-bsp/efibootguard/files/debian/rules create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py diff --git a/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb new file mode 100644 index 0000000..4bdf76a --- /dev/null +++ b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb @@ -0,0 +1,46 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "efibootguard boot loader" +DESCRIPTION_DEV = "efibootguard development library" +HOMEPAGE = "https://github.com/siemens/efibootguard" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" +MAINTAINER = "Jan Kiszka <jan.kiszka@...>" + +SRC_URI = "git://github.com/siemens/efibootguard.git;branch=master;protocol=https \ + file://debian \ + " + +S = "${WORKDIR}/git" + +SRCREV = "442e87bafb480ada2b9074f02350a30408d4cf9c" + +PROVIDES = "${PN}" +PROVIDES += "${PN}-dev" + +BUILD_DEB_DEPENDS = "gnu-efi,libpci-dev,check,pkg-config,libc6-dev-i386" + +inherit dpkg + +TEMPLATE_FILES = "debian/control.tmpl" +TEMPLATE_VARS += "DESCRIPTION_DEV BUILD_DEB_DEPENDS" + +do_prepare_build() { + cp -R ${WORKDIR}/debian ${S} + deb_add_changelog +} + +dpkg_runbuild_append() { + install -m 0755 -d ${DEPLOY_DIR_IMAGE} + install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi + install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv +} diff --git a/recipes-bsp/efibootguard/files/debian/compat b/recipes-bsp/efibootguard/files/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/compat @@ -0,0 +1 @@ +9 diff --git a/recipes-bsp/efibootguard/files/debian/control.tmpl b/recipes-bsp/efibootguard/files/debian/control.tmpl new file mode 100644 index 0000000..54b1994 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/control.tmpl @@ -0,0 +1,20 @@ +Source: ${PN} +Section: base +Priority: optional +Standards-Version: 3.9.6 +Build-Depends: ${BUILD_DEB_DEPENDS} +Homepage: ${HOMEPAGE} +Maintainer: ${MAINTAINER} + +Package: ${PN} +Depends: ${shlibs:Depends} +Section: base +Architecture: ${DISTRO_ARCH} +Priority: required +Description: ${DESCRIPTION} + +Package: ${PN}-dev +Section: base +Architecture: ${DISTRO_ARCH} +Priority: optional +Description: ${DESCRIPTION_DEV} diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install new file mode 100644 index 0000000..7b45bd8 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install @@ -0,0 +1,3 @@ +include/ebgenv.h usr/include/efibootguard +libebgenv.a usr/lib/x86_64-linux-gnu + diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install new file mode 100644 index 0000000..8a8d9d3 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install @@ -0,0 +1,2 @@ +bg_setenv usr/bin +bg_printenv usr/bin diff --git a/recipes-bsp/efibootguard/files/debian/rules b/recipes-bsp/efibootguard/files/debian/rules new file mode 100755 index 0000000..82e9e0e --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/rules @@ -0,0 +1,21 @@ +#!/usr/bin/make -f +export DH_VERBOSE=1 +export DEB_BUILD_OPTIONS=hardening=-stackprotector +export DPKG_EXPORT_BUILDFLAGS=1 +include /usr/share/dpkg/default.mk + +override_dh_auto_test: + # we do not run the tests; that avoids having to pull the fff submodule + +override_dh_auto_install: + # install using Debian's .install files rather than + # make install in order to have a proper package split. + +override_dh_installchangelogs: + # we're not interested in changelogs + +override_dh_installdocs: + # we're not interested in docs + +%: + dh $@ --with autoreconf diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py new file mode 100644 index 0000000..38d2b2e --- /dev/null +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py @@ -0,0 +1,162 @@ +# ex:ts=4:sw=4:sts=4:et +# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*- +# +# Copyright (c) 2014, Intel Corporation. +# Copyright (c) 2018, Siemens AG. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# DESCRIPTION +# This implements the 'efibootguard-boot' source plugin class for 'wic' +# +# AUTHORS +# Tom Zanussi <tom.zanussi (at] linux.intel.com> +# Claudius Heine <ch (at] denx.de> +# Andreas Reichel <andreas.reichel.ext (at] siemens.com> +# Christian Storm <christian.storm (at] siemens.com> + +import os +import fnmatch +import sys +import logging + +msger = logging.getLogger('wic') + +from wic.pluginbase import SourcePlugin +from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE + +class EfibootguardBootPlugin(SourcePlugin): + """ + Create EFI Boot Guard partition hosting the + environment file plus Kernel files. + """ + + name = 'efibootguard-boot' + + @classmethod + def do_prepare_partition(cls, part, source_params, creator, cr_workdir, + oe_builddir, deploy_dir, kernel_dir, + rootfs_dir, native_sysroot): + """ + Called to do the actual content population for a partition, i.e., + populate an EFI Boot Guard environment partition plus Kernel files. + """ + + kernel_image = get_bitbake_var("KERNEL_IMAGE") + if not kernel_image: + msger.warning("KERNEL_IMAGE not set. Use default:") + kernel_image = "vmlinuz" + boot_image = kernel_image + + initrd_image = get_bitbake_var("INITRD_IMAGE") + if not initrd_image: + msger.warning("INITRD_IMAGE not set\n") + initrd_image = "initrd.img" + bootloader = creator.ks.bootloader + + deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE") + if not deploy_dir: + msger.error("DEPLOY_DIR_IMAGE not set, exiting\n") + sys.exit(1) + creator.deploy_dir = deploy_dir + + wdog_timeout = get_bitbake_var("WDOG_TIMEOUT") + if not wdog_timeout: + msger.error("Specify watchdog timeout for \ + efibootguard in local.conf with WDOG_TIMEOUT=") + exit(1) + + + boot_files = source_params.get("files", "").split(' ') + cmdline = bootloader.append + root_dev = source_params.get("root", None) + if not root_dev: + msger.error("Specify root in source params") + exit(1) + root_dev = root_dev.replace(":", "=") + + cmdline += " root=%s rw" % root_dev + boot_files.append(kernel_image) + boot_files.append(initrd_image) + cmdline += "initrd=%s" % initrd_image if initrd_image else "" + + part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir, + part.label, part.lineno) + create_dir_cmd = "install -d %s" % part_rootfs_dir + exec_cmd(create_dir_cmd) + + cwd = os.getcwd() + os.chdir(part_rootfs_dir) + config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \ + % ( + deploy_dir, + part.label.upper(), + boot_image, + '-a "%s"' % cmdline if cmdline else "", + source_params.get("revision", 1), + wdog_timeout + ) + exec_cmd(config_cmd, True) + os.chdir(cwd) + + boot_files = list(filter(None, boot_files)) + for boot_file in boot_files: + if os.path.isfile("%s/%s" % (kernel_dir, kernel_image)): + install_cmd = "install -m 0644 %s/%s %s/%s" % \ + (kernel_dir, boot_file, part_rootfs_dir, boot_file) + exec_cmd(install_cmd) + else: + msger.error("file %s not found in directory %s", + boot_file, kernel_dir) + exit(1) + cls._create_img(part_rootfs_dir, part, cr_workdir) + + @classmethod + def _create_img(cls, part_rootfs_dir, part, cr_workdir): + # Write label as utf-16le to EFILABEL file + with open("%s/EFILABEL" % part_rootfs_dir, 'wb') as filedescriptor: + filedescriptor.write(part.label.upper().encode("utf-16le")) + + du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir + blocks = int(exec_cmd(du_cmd).split()[0]) + + extra_blocks = part.get_extra_block_count(blocks) + if extra_blocks < BOOTDD_EXTRA_SPACE: + extra_blocks = BOOTDD_EXTRA_SPACE + + blocks += extra_blocks + blocks = blocks + (16 - (blocks % 16)) + + msger.debug("Added %d extra blocks to %s to get to %d total blocks", + extra_blocks, part.mountpoint, blocks) + + # dosfs image, created by mkdosfs + bootimg = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno) + + dosfs_cmd = "mkdosfs -F 16 -S 512 -n %s -C %s %d" % \ + (part.label.upper(), bootimg, blocks) + exec_cmd(dosfs_cmd) + + mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % (bootimg, part_rootfs_dir) + exec_cmd(mcopy_cmd, True) + + chmod_cmd = "chmod 644 %s" % bootimg + exec_cmd(chmod_cmd) + + du_cmd = "du -Lbks %s" % bootimg + bootimg_size = int(exec_cmd(du_cmd).split()[0]) + + part.size = bootimg_size + part.source_file = bootimg diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py new file mode 100644 index 0000000..5ee451f --- /dev/null +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py @@ -0,0 +1,102 @@ +# ex:ts=4:sw=4:sts=4:et +# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*- +# +# Copyright (c) 2014, Intel Corporation. +# Copyright (c) 2018, Siemens AG. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# DESCRIPTION +# This implements the 'efibootguard-efi' source plugin class for 'wic' +# +# AUTHORS +# Tom Zanussi <tom.zanussi (at] linux.intel.com> +# Claudius Heine <ch (at] denx.de> +# Andreas Reichel <andreas.reichel.ext (at] siemens.com> +# Christian Storm <christian.storm (at] siemens.com> + +import logging +import os + +msger = logging.getLogger('wic') + +from wic.pluginbase import SourcePlugin +from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE + +class EfibootguardEFIPlugin(SourcePlugin): + """ + Create EFI bootloader partition containing the EFI Boot Guard Bootloader. + """ + + name = 'efibootguard-efi' + + @classmethod + def do_prepare_partition(cls, part, source_params, creator, cr_workdir, + oe_builddir, deploy_dir, kernel_dir, + rootfs_dir, native_sysroot): + """ + Called to do the actual content population for a partition, i.e., + populate an EFI boot partition containing the EFI Boot Guard + bootloader binary. + """ + deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE") + creator.deploy_dir = deploy_dir + bootloader_files = source_params.get("bootloader") + if not bootloader_files: + bootloader_files = "bootx64.efi" + bootloader_files = bootloader_files.split(' ') + part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir, + part.label, + part.lineno) + create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir + exec_cmd(create_dir_cmd) + + for bootloader in bootloader_files: + cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir, + bootloader, + part_rootfs_dir, + bootloader) + exec_cmd(cp_cmd, True) + du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir + blocks = int(exec_cmd(du_cmd).split()[0]) + + extra_blocks = part.get_extra_block_count(blocks) + if extra_blocks < BOOTDD_EXTRA_SPACE: + extra_blocks = BOOTDD_EXTRA_SPACE + blocks += extra_blocks + blocks = blocks + (16 - (blocks % 16)) + + msger.debug("Added %d extra blocks to %s to get to %d total blocks", + extra_blocks, part.mountpoint, blocks) + + # dosfs image, created by mkdosfs + efi_part_image = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno) + + dosfs_cmd = "mkdosfs -S 512 -n %s -C %s %d" % \ + (part.label.upper(), efi_part_image, blocks) + exec_cmd(dosfs_cmd) + + mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % \ + (efi_part_image, part_rootfs_dir) + exec_cmd(mcopy_cmd, True) + + chmod_cmd = "chmod 644 %s" % efi_part_image + exec_cmd(chmod_cmd) + + du_cmd = "du -Lbks %s" % efi_part_image + efi_part_image_size = int(exec_cmd(du_cmd).split()[0]) + + part.size = efi_part_image_size + part.source_file = efi_part_image -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 2/5] patches: add libubootenv
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
swupdate 2020.04 requires libubootenv as build dependency. libubootenv is a library that provides a hardware independent way to access to U-Boot environment. U-Boot has its default environment compiled board-dependently and this means that tools to access the environment are also board specific, too. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- .../0001-u-boot-add-libubootenv.patch | 169 ++++++++++++++++++ kas-cip.yml | 4 + 2 files changed, 173 insertions(+) create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch diff --git a/isar-patches/0001-u-boot-add-libubootenv.patch b/isar-patches/0001-u-boot-add-libubootenv.patch new file mode 100644 index 0000000..10a5b4a --- /dev/null +++ b/isar-patches/0001-u-boot-add-libubootenv.patch @@ -0,0 +1,169 @@ +From 76897e89977f895495e21e37cb76f90392d55ef9 Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff <quirin.gylstorff@...> +Date: Fri, 19 Jun 2020 17:00:36 +0200 +Subject: [PATCH v2] u-boot: add libubootenv + +Add the new library libubootenv and remove fw_printenv and fw_setenv +form u-boot-tools as the are now part of the new library. + +libubootenv is a library that provides a hardware independent +way to access to U-Boot environment. U-Boot has its default environment +compiled board-dependently and this means that tools to access the environment +are also board specific, too. + +libubootenv conflicts with u-boot-tools from Debian 10 +as both try to install fw_printenv and fw_sentenv. This conflict is not +part of the control file as it breaks the installation of custom u-boot-tools +from the u-boot-sources. + +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> +--- + meta-isar/conf/machine/de0-nano-soc.conf | 2 +- + .../libubootenv/files/debian/compat | 1 + + .../libubootenv/files/debian/control.tmpl | 15 +++++++++ + .../libubootenv/files/debian/rules.tmpl | 24 ++++++++++++++ + .../libubootenv/libubootenv_0.2.bb | 32 +++++++++++++++++++ + .../files/debian/u-boot-tools.conffiles | 1 - + .../u-boot/files/debian/u-boot-tools.install | 2 -- + .../u-boot/files/debian/u-boot-tools.links | 1 - + 8 files changed, 73 insertions(+), 5 deletions(-) + create mode 100644 meta/recipes-bsp/libubootenv/files/debian/compat + create mode 100644 meta/recipes-bsp/libubootenv/files/debian/control.tmpl + create mode 100644 meta/recipes-bsp/libubootenv/files/debian/rules.tmpl + create mode 100644 meta/recipes-bsp/libubootenv/libubootenv_0.2.bb + delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles + delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links + +diff --git a/meta-isar/conf/machine/de0-nano-soc.conf b/meta-isar/conf/machine/de0-nano-soc.conf +index 3a2c009..6558d90 100644 +--- a/meta-isar/conf/machine/de0-nano-soc.conf ++++ b/meta-isar/conf/machine/de0-nano-soc.conf +@@ -15,4 +15,4 @@ WKS_FILE ?= "de0-nano-soc.wks.in" + IMAGER_INSTALL += "u-boot-de0-nano-soc" + IMAGER_BUILD_DEPS += "u-boot-de0-nano-soc" + +-IMAGE_INSTALL += "u-boot-tools u-boot-script" ++IMAGE_INSTALL += "u-boot-tools libubootenv u-boot-script" +diff --git a/meta/recipes-bsp/libubootenv/files/debian/compat b/meta/recipes-bsp/libubootenv/files/debian/compat +new file mode 100644 +index 0000000..b4de394 +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/files/debian/compat +@@ -0,0 +1 @@ ++11 +diff --git a/meta/recipes-bsp/libubootenv/files/debian/control.tmpl b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl +new file mode 100644 +index 0000000..fade69a +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl +@@ -0,0 +1,15 @@ ++Source: libubootenv ++Section: embedded ++Priority: optional ++Maintainer: Stefano Babic <sbabic@...> ++Build-Depends: ${BUILD_DEB_DEPENDS} ++Standards-Version: 4.2.1 ++Homepage: https://sbabic.github.io/libubootenv ++ ++Package: libubootenv ++Architecture: any ++Depends: ${DEBIAN_DEPENDS} ++Description: libubootenv is a library that provides a hardware independent ++ way to access to U-Boot environment. U-Boot has its default environment ++ compiled board-dependently and this means that tools to access the environment ++ are also board specific, too. +diff --git a/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl +new file mode 100644 +index 0000000..56ccd19 +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl +@@ -0,0 +1,24 @@ ++#!/usr/bin/make -f ++ ++ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) ++export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- ++export CC=$(DEB_HOST_GNU_TYPE)-gcc ++export LD=$(DEB_HOST_GNU_TYPE)-gcc ++endif ++ ++export DH_VERBOSE = 1 ++ ++export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow ++ ++override_dh_auto_configure: ++ dh_auto_configure -- ++ ++%: ++ echo $@ ++ dh $@ ++ ++override_dh_installchangelogs: ++ true ++ ++override_dh_installdocs: ++ true +diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb +new file mode 100644 +index 0000000..1be058c +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb +@@ -0,0 +1,32 @@ ++# libubootenv ++# ++# This software is a part of ISAR. ++# Copyright (c) Siemens AG, 2020 ++# ++# SPDX-License-Identifier: MIT ++ ++DESCRIPTION = "swupdate utility for software updates" ++HOMEPAGE= "https://github.com/sbabic/swupdate" ++LICENSE = "GPL-2.0" ++LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" ++SRC_URI = "gitsm://github.com/sbabic/libubootenv.git;branch=master;protocol=https" ++ ++SRCREV = "bf6ff631c0e38cede67268ceb8bf1383b5f8848e" ++ ++BUILD_DEB_DEPENDS = "cmake, zlib1g-dev" ++ ++SRC_URI += "file://debian" ++TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl" ++TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS" ++ ++ ++inherit dpkg ++ ++S = "${WORKDIR}/git" ++ ++do_prepare_build() { ++ DEBDIR=${S}/debian ++ install -d ${DEBDIR} ++ cp -R ${WORKDIR}/debian ${S} ++ deb_add_changelog ++} +diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles +deleted file mode 100644 +index d49a8fb..0000000 +--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles ++++ /dev/null +@@ -1 +0,0 @@ +-/etc/fw_env.config +diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install +index d1ae3e0..2893b9a 100644 +--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install ++++ b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install +@@ -1,5 +1,3 @@ + tools/dumpimage /usr/bin/ +-tools/env/fw_printenv /usr/bin/ + tools/mkenvimage /usr/bin/ + tools/mkimage /usr/bin/ +-tools/env/fw_env.config /etc +diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links +deleted file mode 100644 +index 92f5a6c..0000000 +--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links ++++ /dev/null +@@ -1 +0,0 @@ +-/usr/bin/fw_printenv /usr/bin/fw_setenv +-- +2.20.1 + diff --git a/kas-cip.yml b/kas-cip.yml index 019b31e..0da07db 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -22,6 +22,10 @@ repos: refspec: 351af175bc54a201c6f44307d4e998bd6c0afdb8 layers: meta: + patches: + 01-libubootenv: + path: isar-patches/0001-u-boot-add-libubootenv.patch + repo: cip-core bblayers_conf_header: standard: | -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 0/5] A/B Rootfs update with software update
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
This patchset adds efibootguard, swupdate to allow A/B updates in cip-core. The update mechanism is currently only implemented for x86_64. Changes V2: - update efibootguard to v0.7 - add swdescription and kas option to build qemu-amd64 test image - swupdate set to upstream mirror and no longer use gitsm Changes V3: - change image type for ebg-swu to generate a swu image during build - remove qemu-swupdate as it is no longer needed - add swdescription file for updating without secureboot Quirin Gylstorff (5): recipes-bsp: Add efibootguard patches: add libubootenv recipes-core: add swupdate wic: Add wks files for A/B Partition update swupdate: create swu file from wic image classes/extract-partition.bbclass | 26 + classes/kconfig-snippets.bbclass | 90 ++++ classes/swupdate-config.bbclass | 76 +++ classes/swupdate-img.bbclass | 75 +++ classes/wic-swu-img.bbclass | 20 + .../0001-u-boot-add-libubootenv.patch | 169 +++++++ kas-cip.yml | 4 + kas/opt/ebg-swu.yml | 26 + .../efibootguard/efibootguard_0.7-git+isar.bb | 46 ++ recipes-bsp/efibootguard/files/debian/compat | 1 + .../efibootguard/files/debian/control.tmpl | 20 + .../files/debian/efibootguard-dev.install | 3 + .../files/debian/efibootguard.install | 2 + recipes-bsp/efibootguard/files/debian/rules | 21 + recipes-core/images/cip-core-image.bb | 10 + recipes-core/images/files/sw-description.tmpl | 37 ++ .../swupdate/files/debian/changelog.tmpl | 6 + recipes-core/swupdate/files/debian/compat | 1 + .../swupdate/files/debian/control.tmpl | 15 + recipes-core/swupdate/files/debian/copyright | 36 ++ recipes-core/swupdate/files/debian/rules.tmpl | 30 ++ .../swupdate/files/debian/swupdate.examples | 2 + .../swupdate/files/debian/swupdate.install | 2 + .../swupdate/files/debian/swupdate.manpages | 5 + .../swupdate/files/debian/swupdate.tmpfile | 2 + recipes-core/swupdate/files/debian/watch | 12 + recipes-core/swupdate/files/postinst | 2 + recipes-core/swupdate/files/swupdate.cfg | 6 + .../swupdate/files/swupdate.service.example | 11 + .../swupdate/files/swupdate.socket.example | 11 + .../swupdate/files/swupdate.socket.tmpl | 13 + .../swupdate/files/swupdate_defconfig | 83 ++++ .../swupdate_defconfig_efibootguard.snippet | 3 + .../files/swupdate_defconfig_lua.snippet | 2 + .../swupdate_defconfig_luahandler.snippet | 4 + .../files/swupdate_defconfig_mtd.snippet | 1 + .../files/swupdate_defconfig_u-boot.snippet | 3 + .../files/swupdate_defconfig_ubi.snippet | 6 + .../swupdate/files/swupdate_handlers.lua | 453 ++++++++++++++++++ recipes-core/swupdate/swupdate.bb | 54 +++ .../wic/plugins/source/efibootguard-boot.py | 162 +++++++ .../wic/plugins/source/efibootguard-efi.py | 102 ++++ wic/ebg-sysparts.inc | 8 + wic/qemu-amd64-efibootguard.wks | 5 + wic/simatic-ipc227e-efibootguard.wks | 5 + wic/swupdate-partition.inc | 4 + 46 files changed, 1675 insertions(+) create mode 100644 classes/extract-partition.bbclass create mode 100644 classes/kconfig-snippets.bbclass create mode 100644 classes/swupdate-config.bbclass create mode 100644 classes/swupdate-img.bbclass create mode 100644 classes/wic-swu-img.bbclass create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch create mode 100644 kas/opt/ebg-swu.yml create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb create mode 100644 recipes-bsp/efibootguard/files/debian/compat create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install create mode 100755 recipes-bsp/efibootguard/files/debian/rules create mode 100644 recipes-core/images/files/sw-description.tmpl create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl create mode 100644 recipes-core/swupdate/files/debian/compat create mode 100644 recipes-core/swupdate/files/debian/control.tmpl create mode 100644 recipes-core/swupdate/files/debian/copyright create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples create mode 100644 recipes-core/swupdate/files/debian/swupdate.install create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile create mode 100644 recipes-core/swupdate/files/debian/watch create mode 100644 recipes-core/swupdate/files/postinst create mode 100644 recipes-core/swupdate/files/swupdate.cfg create mode 100644 recipes-core/swupdate/files/swupdate.service.example create mode 100644 recipes-core/swupdate/files/swupdate.socket.example create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl create mode 100644 recipes-core/swupdate/files/swupdate_defconfig create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua create mode 100644 recipes-core/swupdate/swupdate.bb create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py create mode 100644 wic/ebg-sysparts.inc create mode 100644 wic/qemu-amd64-efibootguard.wks create mode 100644 wic/simatic-ipc227e-efibootguard.wks create mode 100644 wic/swupdate-partition.inc -- 2.20.1
|
|
|
|
Re: Resource describing the Deby workflow?
Mohammed Billoo <mab@...>
Is tlsdate a better alternative?
-- Mohammed Billoo MAB Labs, LLC www.mab-labs.com
|
|
|
|
Re: Resource describing the Deby workflow?
Pavel Machek
Hi!
I'm almost done getting SSL working between the BBB and hawkbit. The lastNotice that in this case SSL is not adding as much security as you think it does. SSL attempts to protect against active attackers, and those can manipulate NTP easily. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
|
|
Re: CIP IRC weekly meeting today
Chris Paterson
Hello all,
toggle quoted messageShow quoted text
The IRC logger was down yesterday, so please see a dirty copy/paste from the meeting below. Kind regards, Chris /start log patersonc Hello wens hi szlin hi suzuki hi paveltest hi patersonc I'm in charge today - sorry in advance! #startmeeting CIP IRC weekly meeting bwh joined the room. bwh hi patersonc #topic rollcall Say hi etc. (Doesn't look like the logger is working for me?) dineshk Hi patersonc I guess everyone has said hi already ;) bwh patersonc: It's not in the channel patersonc Ah szlin patersonc: it seems like the bot is not around paveltest Umm, I guess we can just pretend it works and create the logs manually or something. patersonc Sure #topic AI review Combine root filesystem with kselftest binary - iwamatsu Any updates iwamatsu? szlin patersonc: Today is the national holiday in Japan paveltest I don't think he is around... did not say hi. patersonc Ah is it? I didn't realise :( Moving on... Post LTP results to KernelCI - patersonc No updates from me Issues to be fixed for swupdate "copyright correction and salsa CI testing" - iwamatsu szlin Done patersonc Huzzah. Thanks szlin szlin I uploaded the new version of swupdate few weeks ago. patersonc Thanks. It could be that the action list I'm using is out of date... Moving on... #topic Kernel maintenance updates wens 3 new CVEs, all fixed and backported (if needed); 3 old CVEs fixed. paveltest I have reviewed patches for 4.19.134. bwh I have reviewed kernel-sec updates by wens patersonc I have a question for the mainainers Is anyone maintaining the CIP patchwork? (or using) paveltest Hmm... We used it some time ago. ...but then I somehow forgot it exists. patersonc #link https://patchwork.kernel.org/project/cip-dev/list/ I wonder if someone should take ownership of it? paveltest Ammount of patches on the list is quite low, so patchwork is not really useful. I believe we cna can simply declare it dead. It is currently not useful. patersonc Would it become more useful when LTS support ends? paveltest I don't think so. It would become useful if we got a lot of patches from participating companies. patersonc Any thoughts from anyone else? paveltest Currently we are just getting patches from Biju and ammount is quite low. patersonc Okay. Thanks paveltest bwh I don't have experience using patchwork, so I don't have a feel for when it's more or less useful wens I guess it really depends on the maintainers? It's less common for patch submitters to go on patchwork to update status for their own patches (hence the unmaintained mess for lakml patchwork) paveltest I see patchwork as a service for patch submitters. If they are okay without it, it is easier for maintainer. patersonc I know that it's useful for those who want a nice URL to their submitted patch before it gets merged wens paveltest: I always thought it was the other way around. patersonc: I believe lore takes care of that now patersonc I'll send an email to the wider maintainer/cip-dev group to see if everyone agrees that we should kill it, or leave it running (un)maintained #action patersonc: Email Kernel team/cip-dev about patchwork usage paveltest Wens: well, if there are so many patches maintainer loses track, it is useful for maintainer too. But that is not currently the case. patersonc Any other topics/comments for/from the Kernel team? 5 4 3 2 1 #topic Kernel testing KernelCI have agreed to add the CIP trees to kernelci.org I've submitted a PR accordingly: https://github.com/kernelci/kernelci-core/pull/448 Fix renesas-soc repository and add CIP branches. We also plan to have our own instance, initially running on KCI's servers at cip.kernelci.org. Any testing related topics/questions from anyone else? wens are the instances completely separate, or sharing data / control? patersonc Separate. If we add any useful features on our fork we'd aim to upstream them back to kernelci Initially we'd be using KCI's build infrastructure, with the aim of integrating it into our own If anyone is interested in helping out with this effort please let me know. Anyone for anymore before the next topic? 5 4 3 2 1 #topic Software update suzuki Hello. I had found some problems with the current software update mechanism uploaded to cip-sw-updates-demo repository. paveltest left the room. suzuki The problems had been that some needed files and settings didn't exist in the root file system. I created gitlab issues about them: https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/15, https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/16 And I'm working on them. One of them has been already done. Apart from that, Mohammed is working on the task which is to support HTTPS connection between SWUpdate and hawkBit: https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/8 That's all from me. patersonc Thank you suzuki-san Any queries from anyone? 5 4 3 2 1 #topic CIP Security dineshk hello I guess Kent is not around so I will update patersonc Thank you dineshk Completed verification of single node security requirements on CIP LAVA Working with Chris to verify multi-node security requirements on LAVA SOW signed with exida for CIP gap assessment for IEC-62443-4-2 & IEC-62443-4-1 Kick-off meeting with exida held for Gap assessment yesterday That's all from security WG patersonc Thank you dineshk Any comments/queries? 5 4 3 2 1 #topic AOB Any other topics from anyone today? If not, then I guess we'll close for today. Thank you all for your time! #endmeeting /end log
From: cip-dev@... <cip-dev@...> On
|
|
|
|
Re: [PATCH 4.19.y-cip 00/17] Add RZ/G2E Dual LVDS display
Pavel Machek
Hi!
Applied, thanks for patches.Add RZ/G2E Dual LVDS display support. All patches in this series areI could not find any issues besides double of_node_put in 11/. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
|
|
Re: [PATCH 3/3] README: Add steps to build cip-security image
Venkata Pyla
Hi Jan,
On Thu, Jul 23, 2020 at 04:10 PM, Jan Kiszka wrote: Adding cip security image to CI, i need some suggestions to use the current format present in .gitlab-ci.yml Currently i have the below problem for using script deploy-cip-core.sh: 1. image name formation in the script should have another variable .../$IMG_PREFIX-cip-core-$RELEASE-$TARGET where $IMG_PREFIX is default to "cip-core-image" if not specified for security image it will be passed as 4th argument "cip-core-image-security" 2. currently scrit is expecting the image format in *.wic.img so, for qemu i think we should have wks file to generate image with format .wic.img or for this security image do we need to deploy it seperatley? please guide me Thanks Jan
|
|
|
|
Re: [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
Jan Kiszka
On 23.07.20 15:13, Venkata Pyla wrote:
Hi Jan,Don't worry. The submission looked fairly good otherwise, not like first-time! BTW, I'm still ambivalent whether to do UI (MRs) or cip-dev based patch reviews for isar-cip-core. As contributions increase, you contributors need to express your preference. I'm used to both by now, I have troubles with both by now. However, we just need to consolidate over one system because we can't couple them reasonably. And then we should document the current state of affairs, I know. There is a CONTRIBUTING guild missing for this repo. Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux
|
|
|
|
Re: Resource describing the Deby workflow?
Akihiro Suzuki
Hi Mohammed,
Are you using isar-cip-core, not Deby, to create the rootfs for BBB, right? If you use isar-cip-core and its cip-sw-updates/swupdate branch, you can add Debian packages by adding package names to DEBIAN_DEPENDS used at isar-cip-core/recipes-core/customizations/customizations.bb
e.g.) add ntp package to the rootfs DEBIAN_DEPENDS = " \ ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys, \ - rt-tests, stress-ng" + rt-tests, stress-ng, ntp"
Then, you can customize the rootfs at isar-cip-core/recipes-core/images/cip-core-image.bb. Keep in mind to change from do_rootfs_append() to ROOTFS_FEATURES, ROOTFS_POSTPROCESS_COMMAND and some function name like the following: The above function (rootfs_put_swupdate_setting()) adds setting to mount the rootfs as RO. Actually this function was not executed until recently. This was resolved by https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/15, but it hasn’t been merged to the master yet.
BTW, if you want to use NTP client, please consider using systemd-timesyncd instead. systemd-timesyncd is a simple NTP client. It has been already installed in the rootfs but when I tried to use it, the following error occurred. So dbus package or something might need to be installed in the rootfs by adding the package name to DEBIAN_DEPENDS.
# timedatectl status Failed to create bus connection: No such file or directory
Thanks, Suzuki
From: cip-dev@... <cip-dev@...>
On Behalf Of Mohammed Billoo
Sent: Thursday, July 23, 2020 9:08 AM To: cip-dev@... Subject: [cip-dev] Resource describing the Deby workflow?
Hi,
I'm almost done getting SSL working between the BBB and hawkbit. The last piece of the puzzle is to get NTP working on the BBB (since I need valid time to ensure that the server certificate is valid). Unfortunately, I'm having a hard time understanding the proper way to add utilities or modify configurations in Deby. It's similar enough to Yocto where I tried creating bbappend recipes and failed miserably. I stumbled upon successfully adding openssl to the rfs, but don't know why it worked. Can anybody point me to a good resource that can describe the proper Deby workflow?
As an example, I want to install NTP and then modify its configuration so that it points to the hawkbit server.
Thanks --
|
|
|
|
Re: [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
Venkata Pyla
Hi Jan,
sorry i am resending this mail On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote: sure, i didn't notice, it was missed in my git config Understood, i will modify and resend this patch series---b/recipes-core/images/cip-core-image-security.bb I have rebased the branch and sent the patches over mail,+IMAGE_INSTALL += "customizations"Can you close I think i should close this MR in gitlab, i will do that. BTW, a cover letter would help structuring the patches together. AndGot it, i was sending the patches to the community for the first time so i was missing some basic stuff. next time i will do care of it, thanks for showing patience on me Jan
|
|
|
|
Re: [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
Venkata Pyla
Hi Jan,
On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:
|
|
|
|
Resource on Debt workflow?
Mohammed Billoo <mab@...>
Hi,
I'm almost done getting SSL working between the BBB and hawkbit. The last piece of the puzzle is to get NTP working on the BBB (since I need valid time to ensure that the server certificate is valid). Unfortunately, I'm having a hard time understanding the proper way to add utilities or modify configurations in Deby. It's similar enough to Yocto where I tried creating bbappend recipes and failed miserably. I stumbled upon successfully adding openssl to the rfs, but don't know why it worked. Can anybody point me to a good resource that can describe the proper Deby workflow?
As an example, I want to install NTP and then modify its configuration so that it points to the hawkbit server.
Thanks
-- Mohammed Billoo MAB Labs, LLC www.mab-labs.com
|
|
|
|
Re: [PATCH 4.19.y-cip 11/17] drm: of: Add drm_of_lvds_get_dual_link_pixel_order
Biju Das <biju.das.jz@...>
Hi Pavel,
Thanks for the feedback. Subject: Re: [PATCH 4.19.y-cip 11/17] drm: of: AddYes I agree with you, there is double-free bug in error path. As you suggested, We should send a patch in mainline to fix this and backport here. Cheers, Biju Renesas Electronics Europe GmbH, Geschaeftsfuehrer/President: Carsten Jauch, Sitz der Gesellschaft/Registered office: Duesseldorf, Arcadiastrasse 10, 40472 Duesseldorf, Germany, Handelsregister/Commercial Register: Duesseldorf, HRB 3708 USt-IDNr./Tax identification no.: DE 119353406 WEEE-Reg.-Nr./WEEE reg. no.: DE 14978647
|
|
|
|
Re: [PATCH 3/3] README: Add steps to build cip-security image
Jan Kiszka
On 21.07.20 10:16, Venkata Pyla wrote:
From: venkata <venkata.pyla@...>This patch is fine, but I'm missing 4/4: Add this image to CI (same comment as I had on the MR on gitlab). Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux
|
|
|
|
Re: [PATCH 1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.
Jan Kiszka
On 21.07.20 10:16, Venkata Pyla wrote:
From: Kazuhiro Hayashi <kazuhiro3.hayashi@...>^^^^^^^^^ Can you configure your git to add you written name here as well? It's in the email, yes, but it would be nicer to have it displayed as well. ---That comment is not needed. It just creates the risk of becoming outdated if cip-core-image decides to do something else. +IMAGE_INSTALL += "customizations"Can you close https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 if this series obsoletes it? BTW, a cover letter would help structuring the patches together. And please add a tag like "[isar-cip-core]" in order to clarify the series target. That is all configurable in git format-patch/send-email. Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux
|
|
|
|
CIP Patchwork
Chris Paterson
Hello all,
CIP has a Patchwork instance [0] that monitors the cip-dev mainline list for patches. It doesn't look like it's particularly maintained, with most patches in the "new" state. As a project, do we want to start maintaining Patchwork? Should we kill it off? Or just stick with the status-quo? We briefly discussed this in the IRC meeting today, but I thought we should check with a wider audience before making a decision. So, any thoughts? [0] https://patchwork.kernel.org/project/cip-dev/list/ Kind regards, Chris
|
|
|
|
Re: CIP IRC weekly meeting today
Pavel Machek
Hi!
Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.I should be able to attend the meeting, but in case reality interferes: I have reviewed patches for 4.19.134. Best regards, Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
|
|
|