|
[ANNOUNCE] Release v4.19.134-cip31
Nobuhiro Iwamatsu
Hi,
CIP kernel team has released Linux kernel v4.19.134-cip31. The linux-4.19.y-cip tree has been updated base version from v4.19.132 to v4.19.134, In addition, the rcar-du and display features have been backported for the RZ/G2. You can get this release via the git tree at: v4.19.134-cip31: repository: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git branch: linux-4.19.y-cip commit hash: ed5f9765186cc342cfc250e6b101cea95a921666 added commits: CIP: Bump version suffix to -cip31 after merge from stable arm64: dts: renesas: Add EK874 board with idk-2121wr display support dt-bindings: display: Add idk-2121wr binding arm64: dts: renesas: rzg2: Add reset control properties for display arm64: dts: renesas: r8a774c0: Point LVDS0 to its companion LVDS1 drm: rcar-du: lvds: Allow for even and odd pixels swap drm: rcar-du: lvds: Get dual link configuration from DT drm: of: Add drm_of_lvds_get_dual_link_pixel_order drm: rcar-du: lvds: Improve identification of panels drm: rcar-du: lvds: Get mode from state drm: Add atomic variants for bridge enable/disable drm: Add drm_atomic_get_(old|new)_connector_for_encoder() helpers drm: rcar_lvds: Fix dual link mode operations drm: rcar-du: Skip LVDS1 output on Gen3 when using dual-link LVDS mode drm: rcar-du: lvds: Add support for dual-link mode dt-bindings: display: renesas: lvds: Add renesas,companion property drm: bridge: Add dual_link field to the drm_bridge_timings structure drm: rcar-du: lvds: Remove LVDS double-enable checks arm64: defconfig: Enable additional support for Renesas platforms ASoC: rsnd: fixup SSI clock during suspend/resume modes Best regards, Nobuhiro
|
|
|
|
[ANNOUNCE] v4.4.231-cip47-rt30
Pavel Machek
Hi!
v4.4.231-cip47-rt30 should be available at kernel.org. Trees are available at https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/log/?h=linux-4.4.y-cip-rt https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/log/?h=linux-4.4.y-cip-rt-rebase And their content should be identical. There is known issue in upsream -rt: sigwaittest with hackbench as workload is able to trigger a crash on x86_64, the same as reported for the v4.4.220-rt196 release. As it turns out it was not triggered by BPF. https://paste.opensuse.org/view/raw/58939248 Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
|
|
Re: [PATCH 4.9 18/22] x86/fpu: Disable bottom halves while loading FPU registers
Sasha Levin <sashal@...>
On Fri, Jul 24, 2020 at 07:44:37PM +0200, Greg Kroah-Hartman wrote:
On Fri, Jul 24, 2020 at 07:07:06PM +0200, Jan Kiszka wrote:The conflict was due to a missing rename back in 4.4: e4a81bfcaae1On 28.12.18 12:52, Greg Kroah-Hartman wrote:You are asking about something we did back in 2018. I can't remember4.9-stable review patch. If anyone has any objections, please let me know.Any reason why the backport stopped back than at 4.9? I just debugged this ("x86/fpu: Rename fpu::fpstate_active to fpu::initialized"). I've fixed up the patch and queued it for 4.4, thanks for pointing it out Jan! -- Thanks, Sasha
|
|
|
|
Re: [PATCH 4.9 18/22] x86/fpu: Disable bottom halves while loading FPU registers
Greg Kroah-Hartman <gregkh@...>
On Fri, Jul 24, 2020 at 07:07:06PM +0200, Jan Kiszka wrote:
On 28.12.18 12:52, Greg Kroah-Hartman wrote:You are asking about something we did back in 2018. I can't remember4.9-stable review patch. If anyone has any objections, please let me know.Any reason why the backport stopped back than at 4.9? I just debugged this what I did last week :) If you provide a backport that works, I'll be glad to take it. The current patch does not apply cleanly there at all. thanks, greg k-h
|
|
|
|
Re: [PATCH 4.9 18/22] x86/fpu: Disable bottom halves while loading FPU registers
Jan Kiszka
On 28.12.18 12:52, Greg Kroah-Hartman wrote:
4.9-stable review patch. If anyone has any objections, please let me know.Any reason why the backport stopped back than at 4.9? I just debugged this out of a 4.4 kernel, and it is needed there as well. I'm happy to propose a backport, would just appreciate a hint if the BH protection is needed also there (my case was without BH). Thanks, Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux
|
|
|
|
[isar-cip-core PATCH v3 6/6] doc: Add README for secureboot
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- doc/README.secureboot.md | 229 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 doc/README.secureboot.md diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md new file mode 100644 index 0000000..d79248b --- /dev/null +++ b/doc/README.secureboot.md @@ -0,0 +1,229 @@ +# Efibootguard Secure boot + +This document describes how to generate a secure boot capable image with +[efibootguard](https://github.com/siemens/efibootguard). + +## Description + +The image build signs the efibootguard bootloader (bootx64.efi) and generates +a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/). +A unified kernel image packs the kernel, initramfs and the kernel command-line +in one binary object. As the kernel command-line is immutable after the build +process, the previous selection of the root file system with a command-line parameter is no longer +possible. Therefore the selection of the root file-system occurs now in the initramfs. + +The image uses an A/B partition layout to update the root file system. The sample implementation to +select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs. +During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs. +If a match is found the rootfs is used for the boot. + +## Adaptation for Images + +### WIC +The following elements must be present in a wks file to create a secure boot capable image. + +``` +part --source efibootguard-efi --sourceparams "signwith=<script or executable to sign the image>" +part --source efibootguard-boot --sourceparams "uefikernel=<name of the unified kernel>,signwith=<script or executable to sign the image>" +``` + +#### Script or executable to sign the image + +The wic plugins for the [bootloader](./scripts/lib/wic/plugins/source/efibootguard-efi.py) +and [boot partition](./scripts/lib/wic/plugins/source/efibootguard-boot.py) require an +executable or script with the following interface: +``` +<script_name> <inputfile> <outputfile> +``` +- script name: name and path of the script added with +`--sourceparams "signwith=/usr/bin/sign_secure_image.sh"` to the wic image +- inputfile: path and name of the file to be signed +- outputfile: path and name of the signed input + +Supply the script name and path to wic by adding +`signwith=<path and name of the script to sign>"` to sourceparams of the partition. + + +### Existing packages to sign an image + +#### ebg-secure-boot-snakeoil + +This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2) +backported from Debian bullseye and signs the image. + +#### ebg-secure-boot-secrets +This package takes a user-generated certificate and adds it to the build system. +The following variable and steps are necessary to build a secure boot capable image: +- Set certification information to sign and verify the image with: + - SB_CERTDB: The directory containing the certificate database create with certutil + - SB_VERIFY_CERT: The certificate to verify the signing process + - SB_KEY_NAME: Name of the key in the certificate database +- if necessary change the script to select the boot partition after an update + - recipes-support/initramfs-config/files/initramfs.selectrootfs.script + +The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in `recipes-devtools/ebg-secure-boot-secrets/files/` + +## QEMU + +Set up a secure boot test environment with [QEMU](https://www.qemu.org/) + +### Prerequisites + +- OVMF from edk2 release edk2-stable201911 or newer + - This documentation was tested under Debian 10 with OVMF (0.0~20200229-2) backported from Debian + bullseye +- efitools for KeyTool.efi + - This documentation was tested under Debian 10 with efitools (1.9.2-1) backported from Debian bullseye +- libnss3-tools + +### Debian Snakeoil keys + +The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. Y +u can use them as described in section [Start Image](### Start the image). + +### Generate Keys + +#### Reuse exiting keys + +It is possible to use exiting keys like /usr/share/ovmf/PkKek-1-snakeoil.pem' from Debian +by executing the script `scripts/generate-sb-db-from-existing-certificate.sh`, e.g.: +``` +export SB_NAME=<name for the secureboot config> +export SB_KEYDIR=<location to store the database> +export INKEY=<secret key of the certificate> +export INCERT=<certificate> +export INNICK=<name of the certificate in the database> +scripts/generate-sb-db-from-existing-certificate.sh +``` +This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name. + +Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/` + +#### Generate keys + +To generate the necessary keys and information to test secure-boot with QEMU +execute the script `scripts/generate_secure_boot_keys.sh` + +##### Add Keys to OVMF +1. Create a folder and copy the generated keys and KeyTool.efi +(in Debian the file can be found at: /lib/efitools/x86_64-linux-gnu/KeyTool.efi) to the folder +``` +mkdir secureboot-tools +cp -r keys secureboot-tools +cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools +``` +2. Copy the file OVMF_VARS.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS.fd) +to the current directory. OVMF_VARS.fd contains no keys can be instrumented for secureboot. +3. Start QEMU with the script scripts/start-efishell.sh +``` +scripts/start-efishell.sh secureboot-tools +``` +4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: + -> "Edit Keys" + -> "The Allowed Signatures Database (db)" + -> "Add New Key" + -> Change/Confirm device + -> Select "DB.esl" file + -> "The Key Exchange Key Database (KEK)" + -> "Add New Key" + -> Change/Confirm device + -> Select "KEK.esl" file + -> "The Platform Key (PK) + -> "Replace Key(s)" + -> Change/Confirm device + -> Select "PK.auth" file +5. quit QEMU + +### Build image + +Build the image with a signed efibootguard and unified kernel image +with the snakeoil keys by executing: +``` +kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml +``` + +For user-generated keys, create a new option file. This option file could look like this: +``` +header: + version: 8 + includes: + - opt/ebg-swu.yml + - opt/ebg-secure-boot-initramfs.yml + +local_conf_header: + secure-boot: | + IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" + IMAGER_INSTALL += "ebg-secure-boot-secrets" + user-keys: + SB_CERTDB = "democertdb" + SB_VERIFY_CERT = "demo.crt" + SB_KEY_NAME = "demo" +``` + +Replace `demo` with the name of the user-generated certificates. + +### Start the image + +#### Debian snakeoil + +Start the image with the following command: +``` +SECURE_BOOT=y \ +./start-qemu.sh amd64 +``` + +The default `OVMF_VARS.snakeoil.fd` boot to the EFI shell. To boot Linux enter the following command: +``` +FS0:\EFI\BOOT\bootx64.efi +``` +To change the boot behavior, enter `exit` in the shell to enter the bios and change the boot order. + +#### User-generated keys +Start the image with the following command: +``` +SECURE_BOOT=y \ +OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd \ +OVMF_VARS=<path to the modified OVMF_VARS.fd> \ +./start-qemu.sh amd64 +``` +# Example: Update the image + +For updating the image, the following steps are necessary: +- [Build the image with snakeoil keys](### Build image) +- save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` to /tmp +- modify the image for example add a new version to the image by adding `PV=2.0.0` to + [cip-core-image.bb](recipes-core/images/cip-core-image.bb) +- start the new target and copy the swu `cip-core-image-cip-core-buster-qemu-amd64.swu` + to the running system, e.g.: +``` +SECURE=y ./start-qemu.sh amd64 -virtfs local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0 +``` +- mount `host0` on target with: +``` +mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt +``` +- check which partition is booted, e.g. with `lsblk`: +``` +root@demo:/mnt# lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT +sda 8:0 0 2G 0 disk +├─sda1 8:1 0 16.4M 0 part +├─sda2 8:2 0 32M 0 part +├─sda3 8:3 0 32M 0 part +├─sda4 8:4 0 1000M 0 part / +└─sda5 8:5 0 1000M 0 part +``` + +- install with `swupdate -i /mnt/cip-core-image-cip-core-buster-qemu-amd64.swu` +- reboot +- check which partition is booted, e.g. with `lsblk`. The rootfs should have changed: +``` +root@demo:~# lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT +sda 8:0 0 2G 0 disk +├─sda1 8:1 0 16.4M 0 part +├─sda2 8:2 0 32M 0 part +├─sda3 8:3 0 32M 0 part +├─sda4 8:4 0 1000M 0 part +└─sda5 8:5 0 1000M 0 part / +``` -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Use the Debian snakeoil keys to have a demo case available without the OVMF setup. Copy the used keys from the build to the deploy directory to allow usage in non-Debian distributions. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- conf/distro/debian-buster-backports.list | 1 + conf/distro/preferences.ovmf-snakeoil.conf | 3 ++ kas/opt/ebg-secure-boot-snakeoil.yml | 28 +++++++++++++++ .../ebg-secure-boot-snakeoil_0.1.bb | 35 ++++++++++++++++++ .../files/control.tmpl | 12 +++++++ .../files/sign_secure_image.sh | 36 +++++++++++++++++++ .../ovmf-binaries/files/control.tmpl | 11 ++++++ .../ovmf-binaries/ovmf-binaries_0.1.bb | 30 ++++++++++++++++ start-qemu.sh | 4 +-- 9 files changed, 158 insertions(+), 2 deletions(-) create mode 100644 conf/distro/debian-buster-backports.list create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb diff --git a/conf/distro/debian-buster-backports.list b/conf/distro/debian-buster-backports.list new file mode 100644 index 0000000..f2dd104 --- /dev/null +++ b/conf/distro/debian-buster-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian buster-backports main contrib non-free diff --git a/conf/distro/preferences.ovmf-snakeoil.conf b/conf/distro/preferences.ovmf-snakeoil.conf new file mode 100644 index 0000000..b51d1d4 --- /dev/null +++ b/conf/distro/preferences.ovmf-snakeoil.conf @@ -0,0 +1,3 @@ +Package: ovmf +Pin: release n=buster-backports +Pin-Priority: 801 diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml new file mode 100644 index 0000000..cda8177 --- /dev/null +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -0,0 +1,28 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + includes: + - ebg-secure-boot-base.yml + + +local_conf_header: + secure-boot: | + # Add snakeoil and ovmf binaries for qemu + IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries" + IMAGER_INSTALL += "ebg-secure-boot-snakeoil" + WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks" + + ovmf: | + # snakeoil certs are only part of backports + DISTRO_APT_SOURCES_append = " conf/distro/debian-buster-backports.list" + DISTRO_APT_PREFERENCES_append = " conf/distro/preferences.ovmf-snakeoil.conf" diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb new file mode 100644 index 0000000..89abbcf --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb @@ -0,0 +1,35 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys" +# used to sign the image +DEBIAN_DEPENDS = "pesign, sbsigntool, ovmf, openssl, libnss3-tools" + + +# this package cannot be install together with: +DEBIAN_CONFLICTS = "ebg-secure-boot-secrets" + +SRC_URI = "file://sign_secure_image.sh \ + file://control.tmpl" + +TEMPLATE_FILES = "control.tmpl" +TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS" + +do_install() { + TARGET=${D}/usr/bin + install -d ${TARGET} + install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh +} + +addtask do_install after do_transform_template + diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl new file mode 100644 index 0000000..8361a49 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl @@ -0,0 +1,12 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9) + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} +Conflicts: ${DEBIAN_CONFLICTS} diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh new file mode 100644 index 0000000..081dbe9 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh @@ -0,0 +1,36 @@ +#!/bin/sh +set -e +set -x +signee=$1 +signed=$2 + +usage(){ + echo "sign with debian snakeoil" + echo "$0 signee signed" + echo "signee: path to the image to be signed" + echo "signed: path to store the signed image" +} + + +if [ -z "$signee" ] || [ -z "$signed" ]; then + usage + exit 1 +fi + +name=snakeoil +keydir=$(mktemp -d) +inkey=/usr/share/ovmf/PkKek-1-snakeoil.key +incert=/usr/share/ovmf/PkKek-1-snakeoil.pem +nick_name=snakeoil +TMP=$(mktemp -d) +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb +openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name +pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb +cp $incert ${keydir}/$(basename $incert) +rm -rf $TMP + +pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed +sbverify --cert $incert $signed +rm -rf $keydir +exit 0 diff --git a/recipes-devtools/ovmf-binaries/files/control.tmpl b/recipes-devtools/ovmf-binaries/files/control.tmpl new file mode 100644 index 0000000..54641d6 --- /dev/null +++ b/recipes-devtools/ovmf-binaries/files/control.tmpl @@ -0,0 +1,11 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9), ${DEBIAN_BUILD_DEPENDS} + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} diff --git a/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb new file mode 100644 index 0000000..025b970 --- /dev/null +++ b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb @@ -0,0 +1,30 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Copy the OVMF biniaries from the build changeroot to the deploy dir" + +# this is a empty debian package +SRC_URI = "file://control.tmpl" + +DEBIAN_BUILD_DEPENDS = "ovmf" +TEMPLATE_FILES = "control.tmpl" +TEMPLATE_VARS += "PN DEBIAN_DEPENDS MAINTAINER DESCRIPTION DPKG_ARCH DEBIAN_BUILD_DEPENDS" + + +do_extract_ovmf() { + install -m 0755 -d ${DEPLOY_DIR_IMAGE} + cp -r ${BUILDCHROOT_DIR}/usr/share/OVMF ${DEPLOY_DIR_IMAGE} + chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF +} + +addtask do_extract_ovmf after do_install_builddeps before do_dpkg_build diff --git a/start-qemu.sh b/start-qemu.sh index 74d1b54..3a3b2f7 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -94,8 +94,8 @@ fi if [ -n "SECURE_BOOT" ]; then - ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} - ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} + ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd} + ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS.snakeoil.fd} QEMU_EXTRA_ARGS=" \ ${QEMU_EXTRA_ARGS} \ -global ICH9-LPC.disable_s3=1 \ -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
A unified kernel image contains the os-release, kernel, kernel commandline, initramfs and efi-stub in one binary. This binary can be boot by systemd-boot and efibootguard. It also allows to sign kernel and initramfs as one packages. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- classes/image_uuid.bbclass | 2 +- kas/opt/ebg-secure-boot-base.yml | 18 ++++ recipes-core/images/cip-core-image.bb | 11 +-- .../files/secure-boot/sw-description.tmpl | 29 +++++++ recipes-core/images/files/sw-description.tmpl | 2 +- recipes-core/images/secureboot.inc | 21 +++++ recipes-core/images/swupdate.inc | 19 ++++ .../ebg-secure-boot-secrets_0.1.bb | 51 +++++++++++ .../ebg-secure-boot-secrets/files/README.md | 1 + .../files/control.tmpl | 12 +++ .../files/sign_secure_image.sh.tmpl | 22 +++++ .../initramfs-config/files/postinst.tmpl | 31 ------- ...enerate-sb-db-from-existing-certificate.sh | 16 ++++ scripts/generate_secure_boot_keys.sh | 51 +++++++++++ .../wic/plugins/source/efibootguard-boot.py | 87 +++++++++++++++++-- .../wic/plugins/source/efibootguard-efi.py | 40 ++++++++- scripts/start-efishell.sh | 12 +++ start-qemu.sh | 54 +++++++++--- wic/ebg-signed-bootloader.inc | 2 + wic/qemu-amd64-efibootguard-secureboot.wks | 9 ++ wic/qemu-amd64-efibootguard.wks | 6 +- 21 files changed, 430 insertions(+), 66 deletions(-) create mode 100644 kas/opt/ebg-secure-boot-base.yml create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl create mode 100644 recipes-core/images/secureboot.inc create mode 100644 recipes-core/images/swupdate.inc create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl delete mode 100644 recipes-support/initramfs-config/files/postinst.tmpl create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh create mode 100755 scripts/generate_secure_boot_keys.sh create mode 100755 scripts/start-efishell.sh create mode 100644 wic/ebg-signed-bootloader.inc create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass index 9098411..d5337b8 100644 --- a/classes/image_uuid.bbclass +++ b/classes/image_uuid.bbclass @@ -17,7 +17,7 @@ def generate_image_uuid(d): return None return str(uuid.UUID(base_hash[:32], version=4)) -IMAGE_UUID ?= "${@generate_image_uuid()}" +IMAGE_UUID ?= "${@generate_image_uuid(d)}" do_generate_image_uuid[vardeps] += "IMAGE_UUID" do_generate_image_uuid[depends] = "buildchroot-target:do_build" diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml new file mode 100644 index 0000000..c1d98b1 --- /dev/null +++ b/kas/opt/ebg-secure-boot-base.yml @@ -0,0 +1,18 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +local_conf_header: + initramfs: | + IMAGE_INSTALL += "initramfs-abrootfs-secureboot" + SWU_DESCRIPTION = "secureboot" diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index b1ed491..f7e22b8 100644 --- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb @@ -10,7 +10,7 @@ # inherit image - +inherit image_uuid ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'" DESCRIPTION = "CIP Core image" @@ -19,11 +19,6 @@ IMAGE_INSTALL += "customizations" IMAGE_INSTALL += "ltp-full" # for swupdate -EXTRACT_PARTITIONS = "img4" -ROOTFS_PARTITION_NAME="img4.gz" - -SRC_URI += "file://sw-description.tmpl" -TEMPLATE_FILES += "sw-description.tmpl" -TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE" +SWU_DESCRIPTION ??= "swupdate" +include ${SWU_DESCRIPTION}.inc -SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl new file mode 100644 index 0000000..bce97d0 --- /dev/null +++ b/recipes-core/images/files/secure-boot/sw-description.tmpl @@ -0,0 +1,29 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# +software = +{ + version = "0.2"; + name = "secure boot update" + images: ({ + filename = "${ROOTFS_PARTITION_NAME}"; + device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; + type = "roundrobin"; + compressed = "true"; + filesystem = "ext4"; + }); + files: ({ + filename = "linux.signed.efi"; + path = "linux.signed.efi"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }) +} diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl index 4d32f6f..f01b500 100644 --- a/recipes-core/images/files/sw-description.tmpl +++ b/recipes-core/images/files/sw-description.tmpl @@ -16,7 +16,7 @@ software = filename = "${ROOTFS_PARTITION_NAME}"; device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; type = "roundrobin"; - compressed = true; + compressed = "true"; filesystem = "ext4"; }); files: ({ diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc new file mode 100644 index 0000000..8d9f381 --- /dev/null +++ b/recipes-core/images/secureboot.inc @@ -0,0 +1,21 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +EXTRACT_PARTITIONS = "img4" +ROOTFS_PARTITION_NAME="img4.gz" + +SRC_URI += "file://secure-boot/sw-description.tmpl" +TEMPLATE_FILES += "secure-boot/sw-description.tmpl" + +TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME" + +SWU_DESCRIPTION_FILE = "secure-boot/sw-description" +SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc new file mode 100644 index 0000000..6708a7e --- /dev/null +++ b/recipes-core/images/swupdate.inc @@ -0,0 +1,19 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +EXTRACT_PARTITIONS = "img4" +ROOTFS_PARTITION_NAME="img4.gz" + +SRC_URI += "file://sw-description.tmpl" +TEMPLATE_FILES += "sw-description.tmpl" +TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE" + +SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb new file mode 100644 index 0000000..37b35c9 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb @@ -0,0 +1,51 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \ + sign an image with the given keys" + +# variables +SB_CERT_PATH = "/usr/share/ebg-secure-boot" +SB_CERTDB ??= "" +SB_VERIFY_CERT ??= "" +SB_KEY_NAME ??= "demoDB" + +# used to sign the image +DEBIAN_DEPENDS = "pesign, sbsigntool" + +# this package cannot be install together with: +DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil" + +SRC_URI = " \ + file://sign_secure_image.sh.tmpl \ + file://control.tmpl" +SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }" +SRC_URI_append = " ${@ d.getVar(SB_VERIFY_CERT) or "" }" +TEMPLATE_FILES = "sign_secure_image.sh.tmpl" +TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME" + +TEMPLATE_FILES += "control.tmpl" +TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS" + +do_install() { + TARGET=${D}${SB_CERT_PATH} + install -m 0700 -d ${TARGET} + cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB} + chmod 700 ${TARGET}/${SB_CERTDB} + install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT} + TARGET=${D}/usr/bin + install -d ${TARGET} + install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh +} + +addtask do_install after do_transform_template diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md new file mode 100644 index 0000000..c739c51 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/README.md @@ -0,0 +1 @@ +For a secure boot image this directory needs to contain the certdb directory and the db.crt file. diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl new file mode 100644 index 0000000..8361a49 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl @@ -0,0 +1,12 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9) + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} +Conflicts: ${DEBIAN_CONFLICTS} diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl new file mode 100644 index 0000000..e84fd4c --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl @@ -0,0 +1,22 @@ +#!/bin/sh +set -e +set -x +signee=$1 +signed=$2 + +usage(){ + echo "sign with debian snakeoil" + echo "$0 signee signed" + echo "signee: path to the image to be signed" + echo "signed: path to store the signed image" +} + + +if [ -z "$signee" ] || [ -z "$signed" ]; then + usage + exit 1 +fi + +pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed +sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed +exit 0 diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl deleted file mode 100644 index 008f68d..0000000 --- a/recipes-support/initramfs-config/files/postinst.tmpl +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh -if [ -d /usr/share/secureboot ]; then - patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch -fi - -INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf -if [ -f ${INITRAMFS_CONF} ]; then - sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} - sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} - sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} - sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} - sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} - sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} - sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} - if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then - sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} - else - sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} - fi -fi - -MODULES_LIST_FILE=/etc/initramfs-tools/modules -if [ -f ${MODULES_LIST_FILE} ]; then - for modname in ${INITRAMFS_MODULE_LIST}; do - if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then - echo "$modname" >> "${MODULES_LIST_FILE}" - fi - done -fi - -update-initramfs -v -u diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh new file mode 100755 index 0000000..035f189 --- /dev/null +++ b/scripts/generate-sb-db-from-existing-certificate.sh @@ -0,0 +1,16 @@ +#!/bin/sh +name=${SB_NAME:-snakeoil} +keydir=${SB_KEYDIR:-./keys} +if [ ! -d ${keydir} ]; then + mkdir -p ${keydir} +fi +inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key} +incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem} +nick_name=${IN_NICK:-snakeoil} +TMP=$(mktemp -d) +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb +openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name +pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb +cp $incert ${keydir}/$(basename $incert) +rm -rf $TMP diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh new file mode 100755 index 0000000..8d3f8c0 --- /dev/null +++ b/scripts/generate_secure_boot_keys.sh @@ -0,0 +1,51 @@ +#!/bin/sh +name=${SB_NAME:-demo} +keydir=${SB_KEYDIR:-./keys} +if [ ! -d ${keydir} ]; then + mkdir -p ${keydir} +fi +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \ + -keyout ${keydir}/${name}PK.key -out ${keydir}/${name}PK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \ + -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \ + -keyout ${keydir}/${name}DB.key -out ${keydir}/${name}DB.crt -days 3650 -nodes -sha256 +openssl x509 -in ${keydir}/${name}PK.crt -out ${keydir}/${name}PK.cer -outform DER +openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER +openssl x509 -in ${keydir}/${name}DB.crt -out ${keydir}/${name}DB.cer -outform DER + +openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \ + -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass: + +GUID=$(uuidgen --random) +echo $GUID > ${keydir}/${name}GUID + +cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt ${keydir}/${name}PK.esl +cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl +cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt ${keydir}/${name}DB.esl +rm -f ${keydir}/${name}noPK.esl +touch ${keydir}/${name}noPK.esl + +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + PK ${keydir}/${name}PK.esl ${keydir}/${name}PK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth + +chmod 0600 ${keydir}/${name}*.key +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb + +certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt +pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12 +certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u + +certutil -d ${keydir}/${name}certdb -K +certutil -d ${keydir}/${name}certdb -L diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py index 38d2b2e..d291f75 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py @@ -80,17 +80,29 @@ class EfibootguardBootPlugin(SourcePlugin): boot_files = source_params.get("files", "").split(' ') + uefi_kernel = source_params.get("unified-kernel") cmdline = bootloader.append - root_dev = source_params.get("root", None) - if not root_dev: - msger.error("Specify root in source params") - exit(1) + if uefi_kernel: + boot_image = cls._create_unified_kernel_image(rootfs_dir, + cr_workdir, + cmdline, + uefi_kernel, + deploy_dir, + kernel_image, + initrd_image, + source_params) + boot_files.append(boot_image) + else: + root_dev = source_params.get("root", None) + if not root_dev: + msger.error("Specify root in source params") + exit(1) root_dev = root_dev.replace(":", "=") - cmdline += " root=%s rw" % root_dev - boot_files.append(kernel_image) - boot_files.append(initrd_image) - cmdline += "initrd=%s" % initrd_image if initrd_image else "" + cmdline += " root=%s rw" % root_dev + boot_files.append(kernel_image) + boot_files.append(initrd_image) + cmdline += "initrd=%s" % initrd_image if initrd_image else "" part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir, part.label, part.lineno) @@ -160,3 +172,62 @@ class EfibootguardBootPlugin(SourcePlugin): part.size = bootimg_size part.source_file = bootimg + + @classmethod + def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline, + uefi_kernel, deploy_dir, kernel_image, + initrd_image, source_params): + rootfs_path = rootfs_dir.get('ROOTFS_DIR') + os_release_file = "{root}/etc/os-release".format(root=rootfs_path) + efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\ + .format(rootfs_path=rootfs_path) + msger.debug("osrelease path: %s", os_release_file) + kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\ + .format(cr_workdir=cr_workdir) + with open(kernel_cmdline_file, "w") as cmd_fd: + cmd_fd.write(cmdline) + uefi_kernel_name = "linux.efi" + uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\ + .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name) + kernel = "{deploy_dir}/{kernel_image}"\ + .format(deploy_dir=deploy_dir, kernel_image=kernel_image) + initrd = "{deploy_dir}/{initrd_image}"\ + .format(deploy_dir=deploy_dir, initrd_image=initrd_image) + objcopy_cmd = 'objcopy \ + --add-section .osrel={os_release_file} \ + --change-section-vma .osrel=0x20000 \ + --add-section .cmdline={kernel_cmdline_file} \ + --change-section-vma .cmdline=0x30000 \ + --add-section .linux={kernel} \ + --change-section-vma .linux=0x2000000 \ + --add-section .initrd={initrd} \ + --change-section-vma .initrd=0x3000000 \ + {efistub} {uefi_kernel_file}'.format( + os_release_file=os_release_file, + kernel_cmdline_file=kernel_cmdline_file, + kernel=kernel, + initrd=initrd, + efistub=efistub, + uefi_kernel_file=uefi_kernel_file) + exec_cmd(objcopy_cmd) + + return cls._sign_file(name=uefi_kernel_name, + signee=uefi_kernel_file, + deploy_dir=deploy_dir, + source_params=source_params) + + @classmethod + def _sign_file(cls, name, signee, deploy_dir, source_params): + sign_script = source_params.get("signwith") + if sign_script and os.path.exists(sign_script): + msger.info("sign with script %s", sign_script) + name = name.replace(".efi", ".signed.efi") + sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\ + .format(sign_script=sign_script, signee=signee, + deploy_dir=deploy_dir, name=name) + exec_cmd(sign_cmd) + elif sign_script and not os.path.exists(sign_script): + msger.error("Could not find script %s", sign_script) + exit(1) + + return name diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py index 5ee451f..6647212 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-efi.py +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py @@ -64,10 +64,17 @@ class EfibootguardEFIPlugin(SourcePlugin): exec_cmd(create_dir_cmd) for bootloader in bootloader_files: - cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir, - bootloader, - part_rootfs_dir, - bootloader) + signed_bootloader = cls._sign_file(bootloader, + "{}/{}".format(deploy_dir, + bootloader + ), + cr_workdir, + source_params) + # important the bootloader in deploy_dir is no longer signed + cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir, + signed_bootloader, + part_rootfs_dir, + bootloader) exec_cmd(cp_cmd, True) du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir blocks = int(exec_cmd(du_cmd).split()[0]) @@ -100,3 +107,28 @@ class EfibootguardEFIPlugin(SourcePlugin): part.size = efi_part_image_size part.source_file = efi_part_image + + + @classmethod + def _sign_file(cls, name, signee, cr_workdir, source_params): + sign_script = source_params.get("signwith") + if sign_script and os.path.exists(sign_script): + work_name = name.replace(".efi", ".signed.efi") + sign_cmd = "{sign_script} {signee} \ + {cr_workdir}/{work_name}".format(sign_script=sign_script, + signee=signee, + cr_workdir=cr_workdir, + work_name=work_name) + exec_cmd(sign_cmd) + elif sign_script and not os.path.exists(sign_script): + msger.error("Could not find script %s", sign_script) + exit(1) + else: + # if we do nothing copy the signee to the work directory + work_name = name + cp_cmd = "cp {signee} {cr_workdir}/{work_name}".format( + signee=signee, + cr_workdir=cr_workdir, + work_name=work_name) + exec_cmd(cp_cmd) + return work_name diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh new file mode 100755 index 0000000..3c56ebc --- /dev/null +++ b/scripts/start-efishell.sh @@ -0,0 +1,12 @@ +#!/bin/sh +ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} +ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} +DISK=$1 +qemu-system-x86_64 -enable-kvm -M q35 \ + -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \ + -global ICH9-LPC.disable_s3=1 \ + -global isa-fdc.driveA= \ + -boot menu=on \ + -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ + -drive if=pflash,format=raw,file=${ovmf_vars} \ + -drive file=fat:rw:$DISK diff --git a/start-qemu.sh b/start-qemu.sh index 49f0266..74d1b54 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -15,6 +15,8 @@ usage() echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]" echo -e "\nSet QEMU_PATH environment variable to use a locally " \ "built QEMU version" + echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \ + "This environment also needs the variables OVMF_VARS and OVMF_CODE set" exit 1 } @@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" fi +if [ -z "${DISTRO_RELEASE}" ]; then + DISTRO_RELEASE="buster" +fi +if [ -z "${TARGET_IMAGE}" ];then + TARGET_IMAGE="cip-core-image" +fi + case "$1" in x86|x86_64|amd64) DISTRO_ARCH=amd64 QEMU=qemu-system-x86_64 QEMU_EXTRA_ARGS=" \ - -cpu host -smp 4 \ - -enable-kvm -machine q35 \ + -cpu qemu64 \ + -smp 4 \ + -machine q35,accel=kvm:tcg \ -device ide-hd,drive=disk \ -device virtio-net-pci,netdev=net" KERNEL_CMDLINE=" \ - root=/dev/sda vga=0x305 console=ttyS0" + root=/dev/sda vga=0x305" ;; arm64|aarch64) DISTRO_ARCH=arm64 @@ -71,21 +81,41 @@ case "$1" in ;; esac -if [ -z "${DISTRO_RELEASE}" ]; then - DISTRO_RELEASE="buster" -fi - -IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}" -IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) +IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}" if [ -z "${DISPLAY}" ]; then QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic" + case "$1" in + x86|x86_64|amd64) + KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0" + esac +fi + + + +if [ -n "SECURE_BOOT" ]; then + ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} + ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} + QEMU_EXTRA_ARGS=" \ + ${QEMU_EXTRA_ARGS} \ + -global ICH9-LPC.disable_s3=1 \ + -global isa-fdc.driveA= \ + " + BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ + -drive if=pflash,format=raw,file=${ovmf_vars} \ + -drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw" +else + IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) + + KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1) + INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1) + + BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ + -initrd ${INITRD_FILE} fi shift 1 ${QEMU_PATH}${QEMU} \ - -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -m 1G -serial mon:stdio -netdev user,id=net \ - -kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \ - -initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@" + ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@" diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc new file mode 100644 index 0000000..667e014 --- /dev/null +++ b/wic/ebg-signed-bootloader.inc @@ -0,0 +1,2 @@ +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks new file mode 100644 index 0000000..9ccf501 --- /dev/null +++ b/wic/qemu-amd64-efibootguard-secureboot.wks @@ -0,0 +1,9 @@ +# short-description: Qemu-amd64 with Efibootguard and SWUpdate +# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate +include ebg-signed-bootloader.inc + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" + +include swupdate-partition.inc diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks index 3cd7360..9ccf501 100644 --- a/wic/qemu-amd64-efibootguard.wks +++ b/wic/qemu-amd64-efibootguard.wks @@ -1,5 +1,9 @@ # short-description: Qemu-amd64 with Efibootguard and SWUpdate # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate +include ebg-signed-bootloader.inc + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" -include ebg-sysparts.inc include swupdate-partition.inc -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 3/6] secure-boot: select boot partition in initramfs
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
As the usage of a unified kernel image freeze the kernel commmandline during build time the rootfs selection for swupdate can no longer be done with the kernel commandline and must be done later in the boot process. Read the root filesystem /etc/os-release and check if it contains the same uuid as stored in the initramfs . If the uuids are the same boot the root file system. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- classes/image_uuid.bbclass | 33 ++++++++ .../files/initramfs.image_uuid.hook | 33 ++++++++ .../files/initramfs.lsblk.hook | 29 +++++++ .../initramfs-config/files/postinst.ext | 3 + .../initramfs-config/files/postinst.tmpl | 31 ++++++++ .../files/secure-boot-debian-local-patch | 79 +++++++++++++++++++ .../initramfs-abrootfs-secureboot_0.1.bb | 38 +++++++++ 7 files changed, 246 insertions(+) create mode 100644 classes/image_uuid.bbclass create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook create mode 100644 recipes-support/initramfs-config/files/postinst.ext create mode 100644 recipes-support/initramfs-config/files/postinst.tmpl create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass new file mode 100644 index 0000000..9098411 --- /dev/null +++ b/classes/image_uuid.bbclass @@ -0,0 +1,33 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +def generate_image_uuid(d): + import uuid + + base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True) + if base_hash is None: + return None + return str(uuid.UUID(base_hash[:32], version=4)) + +IMAGE_UUID ?= "${@generate_image_uuid()}" + +do_generate_image_uuid[vardeps] += "IMAGE_UUID" +do_generate_image_uuid[depends] = "buildchroot-target:do_build" +do_generate_image_uuid() { + sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' + echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ + sudo tee -a '${IMAGE_ROOTFS}/etc/os-release' + image_do_mounts + + # update initramfs to add uuid + sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u +} +addtask generate_image_uuid before do_copy_boot_files after do_rootfs_install diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook new file mode 100644 index 0000000..910ce84 --- /dev/null +++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook @@ -0,0 +1,33 @@ +# This software is a part of ISAR. +# Copyright (C) Siemens AG, 2020 +# +# SPDX-License-Identifier: MIT + +#!/bin/sh +set -x +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/scripts/functions +. /usr/share/initramfs-tools/hook-functions + +if [ ! -e /etc/os-release ]; then + echo "Warning: couldn't find /etc/os-release!" + exit 0 +fi + +IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release) +echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid" + +exit 0 \ No newline at end of file diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-support/initramfs-config/files/initramfs.lsblk.hook new file mode 100644 index 0000000..cf32404 --- /dev/null +++ b/recipes-support/initramfs-config/files/initramfs.lsblk.hook @@ -0,0 +1,29 @@ +# This software is a part of ISAR. +# Copyright (C) Siemens AG, 2020 +# +# SPDX-License-Identifier: MIT + +#!/bin/sh +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/scripts/functions +. /usr/share/initramfs-tools/hook-functions + +if [ ! -x /usr/bin/lsblk ]; then + echo "Warning: couldn't find /usr/bin/lsblk!" + exit 0 +fi + +copy_exec /usr/bin/lsblk diff --git a/recipes-support/initramfs-config/files/postinst.ext b/recipes-support/initramfs-config/files/postinst.ext new file mode 100644 index 0000000..cdafa74 --- /dev/null +++ b/recipes-support/initramfs-config/files/postinst.ext @@ -0,0 +1,3 @@ +if [ -d /usr/share/secureboot ]; then + patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch +fi diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl new file mode 100644 index 0000000..008f68d --- /dev/null +++ b/recipes-support/initramfs-config/files/postinst.tmpl @@ -0,0 +1,31 @@ +#!/bin/sh +if [ -d /usr/share/secureboot ]; then + patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch +fi + +INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf +if [ -f ${INITRAMFS_CONF} ]; then + sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} + sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} + sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} + sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} + sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} + sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} + sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} + if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then + sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} + else + sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} + fi +fi + +MODULES_LIST_FILE=/etc/initramfs-tools/modules +if [ -f ${MODULES_LIST_FILE} ]; then + for modname in ${INITRAMFS_MODULE_LIST}; do + if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then + echo "$modname" >> "${MODULES_LIST_FILE}" + fi + done +fi + +update-initramfs -v -u diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch new file mode 100644 index 0000000..219578c --- /dev/null +++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch @@ -0,0 +1,79 @@ +--- local 2020-07-02 14:59:15.461895194 +0200 ++++ ../../../../../../../../../../../recipes-support/initramfs-config/files/local 2020-07-02 14:58:58.405730914 +0200 +@@ -1,5 +1,4 @@ + # Local filesystem mounting -*- shell-script -*- +- + local_top() + { + if [ "${local_top_used}" != "yes" ]; then +@@ -155,34 +154,47 @@ + local_mount_root() + { + local_top +- if [ -z "${ROOT}" ]; then +- panic "No root device specified. Boot arguments must include a root= parameter." +- fi +- local_device_setup "${ROOT}" "root file system" +- ROOT="${DEV}" +- +- # Get the root filesystem type if not set +- if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then +- FSTYPE=$(get_fstype "${ROOT}") +- else +- FSTYPE=${ROOTFSTYPE} ++ if [ ! -e /conf/image_uuid ]; then ++ panic "could not find image_uuid to select correct root file system" + fi ++ local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid) ++ local partitions=$(blkid -o device) ++ for part in $partitions; do ++ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then ++ local_device_setup "${part}" "root file system" ++ ROOT="${DEV}" ++ ++ # Get the root filesystem type if not set ++ if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then ++ FSTYPE=$(get_fstype "${ROOT}") ++ else ++ FSTYPE=${ROOTFSTYPE} ++ fi + +- local_premount ++ local_premount + +- if [ "${readonly?}" = "y" ]; then +- roflag=-r +- else +- roflag=-w +- fi ++ if [ "${readonly?}" = "y" ]; then ++ roflag=-r ++ else ++ roflag=-w ++ fi ++ checkfs "${ROOT}" root "${FSTYPE}" + +- checkfs "${ROOT}" root "${FSTYPE}" ++ # Mount root ++ # shellcheck disable=SC2086 ++ if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then ++ if [ -e "${rootmnt?}"/etc/os-release ]; then ++ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' ) ++ if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then ++ return ++ fi ++ fi ++ umount "${rootmnt?}" ++ fi ++ fi ++ done ++ panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID" + +- # Mount root +- # shellcheck disable=SC2086 +- if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then +- panic "Failed to mount ${ROOT} as root file system." +- fi + } + + local_mount_fs() diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb new file mode 100644 index 0000000..0be9871 --- /dev/null +++ b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb @@ -0,0 +1,38 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT + +require recipes-support/initramfs-config/initramfs-config.inc + +FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:" + +DEBIAN_DEPENDS += ", busybox, patch" + +SRC_URI += "file://postinst.ext \ + file://initramfs.lsblk.hook \ + file://initramfs.image_uuid.hook \ + file://secure-boot-debian-local-patch" + +INITRAMFS_BUSYBOX = "y" + +do_install() { + # add patch for local to /usr/share/secure boot + TARGET=${D}/usr/share/secureboot + install -m 0755 -d ${TARGET} + install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch + # patch postinst + sed -i -e '/configure)/r ${WORKDIR}/postinst.ext' ${WORKDIR}/postinst + + # add hooks for secure boot + HOOKS=${D}/etc/initramfs-tools/hooks +install -m 0755 -d ${HOOKS} + install -m 0740 ${WORKDIR}/initramfs.lsblk.hook ${HOOKS}/lsblk.hook + install -m 0740 ${WORKDIR}/initramfs.image_uuid.hook ${HOOKS}/image_uuid.hook +} +addtask do_install after do_transform_template -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 0/6] secureboot with efibootguard
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This patchset adds secureboot with efibootguard to cip-core. The image build signs the efibootguard bootloader (bootx64.efi) and generates a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/). A unified kernel image packs the kernel, initramfs and the kernel command-line in one binary object. As the kernel command-line is immutable after the build process, the previous selection of the root file system with a command-line parameter is no longer possible. Therefore the selection of the root file-system occurs now in the initramfs. The image uses an A/B partition layout to update the root file system. The sample implementation to select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs. During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs. If a match is found the rootfs is used for the boot. Changes V2: - rebase to [1] - removed luahandler patch as it now part of [1] - add handling for sw-description Changes V3: - rewrite the image id creation to ensure a new uuid is generated if a new package is added or another change of the rootfs - add readme section how to execute/test the software update mechnism - adapt to version v3 of [1] - update the patch - add wks file for efibootguard and swupdate [1]: a/b rootfsupdate with software update Quirin Gylstorff (6): kernel: add fat for qemu-amd64 isar-patch: Add initramfs-config patch secure-boot: select boot partition in initramfs secure-boot: Add secure boot with unified kernel image secure-boot: Add Debian snakeoil keys for ease-of-use doc: Add README for secureboot classes/image_uuid.bbclass | 33 +++ conf/distro/debian-buster-backports.list | 1 + conf/distro/preferences.ovmf-snakeoil.conf | 3 + doc/README.secureboot.md | 229 ++++++++++++++++++ ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++ kas-cip.yml | 3 + kas/opt/ebg-secure-boot-base.yml | 18 ++ kas/opt/ebg-secure-boot-snakeoil.yml | 28 +++ recipes-core/images/cip-core-image.bb | 11 +- .../files/secure-boot/sw-description.tmpl | 29 +++ recipes-core/images/files/sw-description.tmpl | 2 +- recipes-core/images/secureboot.inc | 21 ++ recipes-core/images/swupdate.inc | 19 ++ .../ebg-secure-boot-secrets_0.1.bb | 51 ++++ .../ebg-secure-boot-secrets/files/README.md | 1 + .../files/control.tmpl | 12 + .../files/sign_secure_image.sh.tmpl | 22 ++ .../ebg-secure-boot-snakeoil_0.1.bb | 35 +++ .../files/control.tmpl | 12 + .../files/sign_secure_image.sh | 36 +++ .../ovmf-binaries/files/control.tmpl | 11 + .../ovmf-binaries/ovmf-binaries_0.1.bb | 30 +++ .../linux/files/qemu-amd64_defconfig | 6 + .../files/initramfs.image_uuid.hook | 33 +++ .../files/initramfs.lsblk.hook | 29 +++ .../initramfs-config/files/postinst.ext | 3 + .../files/secure-boot-debian-local-patch | 79 ++++++ .../initramfs-abrootfs-secureboot_0.1.bb | 38 +++ ...enerate-sb-db-from-existing-certificate.sh | 16 ++ scripts/generate_secure_boot_keys.sh | 51 ++++ .../wic/plugins/source/efibootguard-boot.py | 87 ++++++- .../wic/plugins/source/efibootguard-efi.py | 40 ++- scripts/start-efishell.sh | 12 + start-qemu.sh | 54 ++++- wic/ebg-signed-bootloader.inc | 2 + wic/qemu-amd64-efibootguard-secureboot.wks | 9 + wic/qemu-amd64-efibootguard.wks | 6 +- 37 files changed, 1245 insertions(+), 34 deletions(-) create mode 100644 classes/image_uuid.bbclass create mode 100644 conf/distro/debian-buster-backports.list create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf create mode 100644 doc/README.secureboot.md create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch create mode 100644 kas/opt/ebg-secure-boot-base.yml create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl create mode 100644 recipes-core/images/secureboot.inc create mode 100644 recipes-core/images/swupdate.inc create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook create mode 100644 recipes-support/initramfs-config/files/postinst.ext create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh create mode 100755 scripts/generate_secure_boot_keys.sh create mode 100755 scripts/start-efishell.sh create mode 100644 wic/ebg-signed-bootloader.inc create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 2/6] isar-patch: Add initramfs-config patch
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Adapt the initramfs generation to set for example the root device in the initramfs Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++ kas-cip.yml | 3 + 2 files changed, 210 insertions(+) create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch diff --git a/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch new file mode 100644 index 0000000..f8fb28e --- /dev/null +++ b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch @@ -0,0 +1,207 @@ +From 7c85e2e363fd39e60bf5041d02e14e8bd62c1a68 Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff <quirin.gylstorff@siemens.com> +Date: Tue, 24 Mar 2020 17:58:08 +0100 +Subject: [PATCH v7 1/3] meta/support: Generate a custom initramfs + +This package sets the Parameters for mkinitramfs/update-intramfs +before it regenerates the initrd.img of debian with a modified version. + +Use cases are the remove unnecessary kernel modules to reduce the +size of the initrd by using the parameters: +``` +INITRAMFS_MODULES = "list" +INITRAMFS_MODULE_LIST += "ext4" +``` + +Set the boot root during the initrd generation by setting `INITRAMFS_ROOT`. + +see also man pages of mkinitramfs and initramfs.conf. + +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> +--- + .../initramfs-config/initramfs-config_0.1.bb | 6 +++ + .../initramfs-config/files/control.tmpl | 12 +++++ + .../initramfs-config/files/postinst.tmpl | 50 +++++++++++++++++++ + .../initramfs-config/files/postrm.tmpl | 41 +++++++++++++++ + .../initramfs-config/initramfs-config.inc | 32 ++++++++++++ + 5 files changed, 141 insertions(+) + create mode 100644 meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb + create mode 100644 meta/recipes-support/initramfs-config/files/control.tmpl + create mode 100644 meta/recipes-support/initramfs-config/files/postinst.tmpl + create mode 100644 meta/recipes-support/initramfs-config/files/postrm.tmpl + create mode 100644 meta/recipes-support/initramfs-config/initramfs-config.inc + +diff --git a/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb +new file mode 100644 +index 0000000..c951e8a +--- /dev/null ++++ b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb +@@ -0,0 +1,6 @@ ++# ++# Copyright (C) Siemens AG, 2020 ++# ++# SPDX-License-Identifier: MIT ++ ++require recipes-support/initramfs-config/initramfs-config.inc +diff --git a/meta/recipes-support/initramfs-config/files/control.tmpl b/meta/recipes-support/initramfs-config/files/control.tmpl +new file mode 100644 +index 0000000..66984eb +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/control.tmpl +@@ -0,0 +1,12 @@ ++Source: ${PN} ++Section: misc ++Priority: optional ++Standards-Version: 3.9.6 ++Maintainer: isar-users <isar-users@googlegroups.com> ++Build-Depends: debhelper (>= 9) ++ ++ ++Package: ${PN} ++Architecture: any ++Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools-core, ${DEBIAN_DEPENDS} ++Description: Configuration files for a custom initramfs +diff --git a/meta/recipes-support/initramfs-config/files/postinst.tmpl b/meta/recipes-support/initramfs-config/files/postinst.tmpl +new file mode 100644 +index 0000000..e523906 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/postinst.tmpl +@@ -0,0 +1,50 @@ ++#!/bin/sh ++# postinst script for initramfs-config ++# ++# see: dh_installdeb(1) ++ ++set -e ++ ++case "$1" in ++ configure) ++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf ++ if [ -f ${INITRAMFS_CONF} ]; then ++ sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} ++ if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then ++ sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} ++ else ++ sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} ++ fi ++ fi ++ ++ MODULES_LIST_FILE=/etc/initramfs-tools/modules ++ if [ -f ${MODULES_LIST_FILE} ]; then ++ for modname in ${INITRAMFS_MODULE_LIST}; do ++ if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then ++ echo "$modname" >> "${MODULES_LIST_FILE}" ++ fi ++ done ++ fi ++ ++ update-initramfs -v -u ++ ++ ;; ++ abort-upgrade|abort-remove|abort-deconfigure) ++ ;; ++ ++ *) ++ echo "postinst called with unknown argument \`$1'" >&2 ++ exit 1 ++ ;; ++esac ++# dh_installdeb will replace this with shell code automatically ++# generated by other debhelper scripts. ++#DEBHELPER# ++ ++exit 0 +diff --git a/meta/recipes-support/initramfs-config/files/postrm.tmpl b/meta/recipes-support/initramfs-config/files/postrm.tmpl +new file mode 100644 +index 0000000..115d9b6 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/postrm.tmpl +@@ -0,0 +1,41 @@ ++#!/bin/sh ++# postrm script for initramfs-config ++# ++# see: dh_installdeb(1) ++ ++set -e ++ ++case "$1" in ++ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ++ # back to the debian defaults ++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf ++ sed -i -E 's/(^MODULES=).*/\1most/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^BUSYBOX=).*/\1auto/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^COMPRESS=).*/\1gzip/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^KEYMAP=).*/\1n/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^DEVICE=).*/\1/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^NFSROOT=).*/\1auto/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^RUNSIZE=).*/\110%/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^ROOT=).*//' ${INITRAMFS_CONF} ++ ++ # remove the added modules ++ MODULES_LIST_FILE=/etc/initramfs-tools/modules ++ for modname in ${INITRAMFS_MODULE_LIST}; do ++ sed -i -E 's/$modname//' ++ done ++ ++ update-initramfs -v -u ++ ;; ++ ++ *) ++ echo "postrm called with unknown argument \`$1'" >&2 ++ exit 1 ++ ;; ++esac ++ ++# dh_installdeb will replace this with shell code automatically ++# generated by other debhelper scripts. ++ ++#DEBHELPER# ++ ++exit 0 +diff --git a/meta/recipes-support/initramfs-config/initramfs-config.inc b/meta/recipes-support/initramfs-config/initramfs-config.inc +new file mode 100644 +index 0000000..16049a9 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/initramfs-config.inc +@@ -0,0 +1,32 @@ ++# This software is a part of ISAR. ++# Copyright (C) 2020 Siemens AG ++# ++# SPDX-License-Identifier: MIT ++inherit dpkg-raw ++inherit template ++DESCRIPTION = "Recipe to set the initramfs configuration and generate a new ramfs" ++ ++FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:" ++ ++SRC_URI = "file://postinst.tmpl \ ++ file://postrm.tmpl \ ++ file://control.tmpl \ ++ " ++ ++INITRAMFS_MODULES ?= "most" ++INITRAMFS_BUSYBOX ?= "auto" ++INITRAMFS_COMPRESS ?= "gzip" ++INITRAMFS_KEYMAP ?= "n" ++INITRAMFS_NET_DEVICE ?= "" ++INITRAMFS_NFSROOT ?= "auto" ++INITRAMFS_RUNSIZE ?= "10%" ++INITRAMFS_ROOT ?= "" ++INITRAMFS_MODULE_LIST ?= "" ++CREATE_NEW_INITRAMFS ?= "n" ++KERNEL_PACKAGE = "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}" ++DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}" ++TEMPLATE_FILES = "postinst.tmpl control.tmpl postrm.tmpl" ++TEMPLATE_VARS += "INITRAMFS_MODULES INITRAMFS_BUSYBOX INITRAMFS_COMPRESS \ ++ INITRAMFS_KEYMAP INITRAMFS_NET_DEVICE INITRAMFS_NFSROOT \ ++ INITRAMFS_RUNSIZE INITRAMFS_ROOT INITRAMFS_MODULE_LIST \ ++ CREATE_NEW_INITRAMFS DEBIAN_DEPENDS PN" +-- +2.20.1 + diff --git a/kas-cip.yml b/kas-cip.yml index 0da07db..da99d51 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -26,6 +26,9 @@ repos: 01-libubootenv: path: isar-patches/0001-u-boot-add-libubootenv.patch repo: cip-core + 02-initramfs: + path: isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch + repo: cip-core bblayers_conf_header: standard: | -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add a fat configuration to access FAT Partitions on the qemu-amd64 target. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig b/recipes-kernel/linux/files/qemu-amd64_defconfig index 7487152..5449317 100644 --- a/recipes-kernel/linux/files/qemu-amd64_defconfig +++ b/recipes-kernel/linux/files/qemu-amd64_defconfig @@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y # CONFIG_XZ_DEC_ARM is not set # CONFIG_XZ_DEC_ARMTHUMB is not set # CONFIG_XZ_DEC_SPARC is not set +CONFIG_MSDOS_FS=y +CONFIG_VFAT_FS=y +CONFIG_NLS_ASCII=y +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_ISO8859_1=y +CONFIG_NLS_UTF8=y -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 3/5] recipes-core: add swupdate
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add swupdate for A/B software updates. Currently the Round Robin handler in lua supports efibootguard as bootloader. The u-boot implementation is outstanding. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- classes/kconfig-snippets.bbclass | 90 ++++ classes/swupdate-config.bbclass | 76 +++ classes/swupdate-img.bbclass | 75 +++ .../swupdate/files/debian/changelog.tmpl | 6 + recipes-core/swupdate/files/debian/compat | 1 + .../swupdate/files/debian/control.tmpl | 15 + recipes-core/swupdate/files/debian/copyright | 36 ++ recipes-core/swupdate/files/debian/rules.tmpl | 30 ++ .../swupdate/files/debian/swupdate.examples | 2 + .../swupdate/files/debian/swupdate.install | 2 + .../swupdate/files/debian/swupdate.manpages | 5 + .../swupdate/files/debian/swupdate.tmpfile | 2 + recipes-core/swupdate/files/debian/watch | 12 + recipes-core/swupdate/files/postinst | 2 + recipes-core/swupdate/files/swupdate.cfg | 6 + .../swupdate/files/swupdate.service.example | 11 + .../swupdate/files/swupdate.socket.example | 11 + .../swupdate/files/swupdate.socket.tmpl | 13 + .../swupdate/files/swupdate_defconfig | 83 ++++ .../swupdate_defconfig_efibootguard.snippet | 3 + .../files/swupdate_defconfig_lua.snippet | 2 + .../swupdate_defconfig_luahandler.snippet | 4 + .../files/swupdate_defconfig_mtd.snippet | 1 + .../files/swupdate_defconfig_u-boot.snippet | 3 + .../files/swupdate_defconfig_ubi.snippet | 6 + .../swupdate/files/swupdate_handlers.lua | 453 ++++++++++++++++++ recipes-core/swupdate/swupdate.bb | 54 +++ 27 files changed, 1004 insertions(+) create mode 100644 classes/kconfig-snippets.bbclass create mode 100644 classes/swupdate-config.bbclass create mode 100644 classes/swupdate-img.bbclass create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl create mode 100644 recipes-core/swupdate/files/debian/compat create mode 100644 recipes-core/swupdate/files/debian/control.tmpl create mode 100644 recipes-core/swupdate/files/debian/copyright create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples create mode 100644 recipes-core/swupdate/files/debian/swupdate.install create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile create mode 100644 recipes-core/swupdate/files/debian/watch create mode 100644 recipes-core/swupdate/files/postinst create mode 100644 recipes-core/swupdate/files/swupdate.cfg create mode 100644 recipes-core/swupdate/files/swupdate.service.example create mode 100644 recipes-core/swupdate/files/swupdate.socket.example create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl create mode 100644 recipes-core/swupdate/files/swupdate_defconfig create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua create mode 100644 recipes-core/swupdate/swupdate.bb diff --git a/classes/kconfig-snippets.bbclass b/classes/kconfig-snippets.bbclass new file mode 100644 index 0000000..d754654 --- /dev/null +++ b/classes/kconfig-snippets.bbclass @@ -0,0 +1,90 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Christian Storm <christian.storm@siemens.com> +# +# SPDX-License-Identifier: MIT + +KCONFIG_SNIPPETS = "" + +# The following function defines the kconfig snippet system +# with automatich debian dependency injection +# +# To define a feature set, the user has to define the following +# variable to an empty string: +# +# KFEATURE_featurename = "" +# +# Then, required additions to the variables can be defined: +# +# KFEATURE_featurename[KCONFIG_SNIPPETS] = "file://snippet-file-name.snippet" +# KFEATURE_featurename[SRC_URI] = "file://required-file.txt" +# KFEATURE_featurename[DEPENDS] = "deb-pkg1 deb-pkg2 deb-pkg3" +# KFEATURE_featurename[DEBIAN_DEPENDS] = "deb-pkg1" +# KFEATURE_featurename[BUILD_DEB_DEPENDS] = "deb-pkg1,deb-pkg2,deb-pkg3" + +# The 'KCONFIG_SNIPPETS' flag gives a list of URI entries, where only +# file:// is supported. These snippets are appended to the DEFCONFIG file. +# +# Features can depend on other features via the following mechanism: +# +# KFEATURE_DEPS[feature1] = "feature2" + +python () { + requested_features = d.getVar("KFEATURES", True) or "" + + features = set(requested_features.split()) + old_features = set() + feature_deps = d.getVarFlags("KFEATURE_DEPS") or {} + while old_features != features: + diff_features = old_features.symmetric_difference(features) + old_features = features.copy() + for i in diff_features: + features.update(feature_deps.get(i, "").split()) + + for f in sorted(features): + bb.debug(2, "Feature: " + f) + varname = "KFEATURE_" + f + dummyvar = d.getVar(varname, False) + if dummyvar == None: + bb.error("Feature var " + f + " must be defined with needed flags.") + else: + feature_flags = d.getVarFlags(varname) + for feature_varname in sorted(feature_flags): + if feature_flags.get(feature_varname, "") != "": + sep = " " + + # Required to add KCONFIG_SNIPPETS to SRC_URI here, + # because 'SRC_URI += "${KCONFIG_SNIPPETS}"' would + # conflict with SRC_APT feature. + if feature_varname == "KCONFIG_SNIPPETS": + d.appendVar('SRC_URI', + " " + feature_flags[feature_varname].strip()) + + # BUILD_DEP_DEPENDS and DEBIAN_DEPENDS is ',' separated + # Only add ',' if there is already something there + if feature_varname in ["BUILD_DEB_DEPENDS", + "DEBIAN_DEPENDS"]: + sep = "," if d.getVar(feature_varname) else "" + + d.appendVar(feature_varname, + sep + feature_flags[feature_varname].strip()) +} + +# DEFCONFIG must be a predefined bitbake variable and the corresponding file +# must exist in the WORKDIR. +# The resulting generated config is the same file suffixed with ".gen" + +do_prepare_build_prepend() { + sh -x + GENCONFIG="${WORKDIR}/${DEFCONFIG}".gen + rm -f "$GENCONFIG" + cp "${WORKDIR}/${DEFCONFIG}" "$GENCONFIG" + for CONFIG_SNIPPET in $(echo "${KCONFIG_SNIPPETS}" | sed 's#file://##g') + do + cat ${WORKDIR}/$CONFIG_SNIPPET >> "$GENCONFIG" + done +} diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass new file mode 100644 index 0000000..7ce51c5 --- /dev/null +++ b/classes/swupdate-config.bbclass @@ -0,0 +1,76 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Christian Storm <christian.storm@siemens.com> +# +# SPDX-License-Identifier: MIT + +# This class manages the config snippets together with their dependencies +# to build SWUpdate + +inherit kconfig-snippets + +BUILD_DEB_DEPENDS = " \ + zlib1g-dev, debhelper, libconfig-dev, libarchive-dev, \ + python-sphinx:native, dh-systemd, libsystemd-dev" + +KFEATURE_lua = "" +KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev" +KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet" + +KFEATURE_luahandler = "" +KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet" +KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}" + +KFEATURE_DEPS = "" +KFEATURE_DEPS[luahandler] = "lua" + +KFEATURE_efibootguard = "" +KFEATURE_efibootguard[BUILD_DEB_DEPENDS] = "efibootguard-dev" +KFEATURE_efibootguard[DEBIAN_DEPENDS] = "efibootguard-dev" +KFEATURE_efibootguard[DEPENDS] = "efibootguard-dev" +KFEATURE_efibootguard[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_efibootguard.snippet" + +KFEATURE_mtd = "" +KFEATURE_mtd[BUILD_DEB_DEPENDS] = "libmtd-dev" +KFEATURE_mtd[DEPENDS] = "mtd-utils" +KFEATURE_mtd[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_mtd.snippet" + +KFEATURE_ubi = "" +KFEATURE_ubi[BUILD_DEB_DEPENDS] = "libubi-dev" +KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet" + +KFEATURE_DEPS[ubi] = "mtd" + +KFEATURE_u-boot = "" +KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "u-boot-${MACHINE}-dev" +KFEATURE_u-boot[DEBIAN_DEPENDS] = "u-boot-tools" +KFEATURE_u-boot[DEPENDS] = "${U_BOOT}" +KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet" + +SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua" + +def get_bootloader_featureset(d): + bootloader = d.getVar("BOOTLOADER", True) or "" + if bootloader == "efibootguard": + return "efibootguard" + if bootloader == "u-boot": + return "u-boot" + return "" + +SWUPDATE_KFEATURES ??= "" +KFEATURES = "${SWUPDATE_KFEATURES}" +KFEATURES += "${@get_bootloader_featureset(d)}" + +# Astonishingly, as an anonymous python function, BOOTLOADER is always None +# one time before it gets set. So the following must be a task. +python do_check_bootloader () { + bootloader = d.getVar("BOOTLOADER", True) or "None" + if not bootloader in ["efibootguard", "u-boot"]: + bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader) +} +addtask check_bootloader before do_fetch + diff --git a/classes/swupdate-img.bbclass b/classes/swupdate-img.bbclass new file mode 100644 index 0000000..a21d6ec --- /dev/null +++ b/classes/swupdate-img.bbclass @@ -0,0 +1,75 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Christian Storm <christian.storm@siemens.com> +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT + +SWU_IMAGE_FILE ?= "${PN}-${DISTRO}-${MACHINE}.swu" +SWU_DESCRIPTION_FILE ?= "sw-description" +SWU_ADDITIONAL_FILES ?= "" +SWU_SIGNED ?= "" +SWU_SIGNATURE_EXT ?= "sig" +SWU_SIGNATURE_TYPE ?= "rsa" + +IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" + +do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}" +do_swupdate_image[cleandirs] += "${WORKDIR}/swu" +do_swupdate_image() { + rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}' + cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' + + # Create symlinks for files used in the update image + for file in ${SWU_ADDITIONAL_FILES}; do + if [ -e "${WORKDIR}/$file" ]; then + ln -s "${WORKDIR}/$file" "${WORKDIR}/swu/$file" + else + ln -s "${DEPLOY_DIR_IMAGE}/$file" "${WORKDIR}/swu/$file" + fi + done + + # Prepare for signing + sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}' + if [ -n "$sign" ]; then + image_do_mounts + cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key' + test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt' + + # Fill in file check sums + for file in ${SWU_ADDITIONAL_FILES}; do + sed -i "s:$file-sha256:$(sha256sum '${WORKDIR}/swu/'$file | cut -f 1 -d ' '):g" \ + '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' + done + fi + + cd "${WORKDIR}/swu" + for file in '${SWU_DESCRIPTION_FILE}' ${SWU_ADDITIONAL_FILES}; do + echo "$file" + if [ -n "$sign" -a \ + '${SWU_DESCRIPTION_FILE}' = "$file" ]; then + if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then + sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl dgst \ + -sha256 -sign '${PP_WORK}/dev.key' \ + '${PP_WORK}/swu/'"$file" \ + > '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}' + elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then + sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl cms \ + -sign -in '${PP_WORK}/swu/'"$file" \ + -out '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}' \ + -signer '${PP_WORK}/dev.crt' \ + -inkey '${PP_WORK}/dev.key' \ + -outform DER -nosmimecap -binary + fi + echo "$file".'${SWU_SIGNATURE_EXT}' + fi + done | cpio -ovL -H crc \ + > '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}' + cd - +} + +addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template diff --git a/recipes-core/swupdate/files/debian/changelog.tmpl b/recipes-core/swupdate/files/debian/changelog.tmpl new file mode 100644 index 0000000..81087d3 --- /dev/null +++ b/recipes-core/swupdate/files/debian/changelog.tmpl @@ -0,0 +1,6 @@ +swupdate (${PV}) unstable; urgency=medium + + * SWUpdate + + -- Christian Storm <christian.storm@siemens.com> Thu, 31 Jan 2019 15:23:56 +0100 + diff --git a/recipes-core/swupdate/files/debian/compat b/recipes-core/swupdate/files/debian/compat new file mode 100644 index 0000000..b4de394 --- /dev/null +++ b/recipes-core/swupdate/files/debian/compat @@ -0,0 +1 @@ +11 diff --git a/recipes-core/swupdate/files/debian/control.tmpl b/recipes-core/swupdate/files/debian/control.tmpl new file mode 100644 index 0000000..2b92850 --- /dev/null +++ b/recipes-core/swupdate/files/debian/control.tmpl @@ -0,0 +1,15 @@ +Source: swupdate +Section: embedded +Priority: optional +Maintainer: Stefano Babic <sbabic@denx.de> +Build-Depends: ${BUILD_DEB_DEPENDS} +Standards-Version: 4.2.1 +Homepage: http://sbabic.github.io/swupdate + +Package: swupdate +Architecture: any +Depends: ${DEBIAN_DEPENDS} +Description: reliable way to update an embedded system + This project is thought to help to update an embedded system from a storage media or from network. + However, it should be mainly considered as a framework, where further protocols or installers + (in SWUpdate they are called handlers) can be easily added to the application. diff --git a/recipes-core/swupdate/files/debian/copyright b/recipes-core/swupdate/files/debian/copyright new file mode 100644 index 0000000..f920942 --- /dev/null +++ b/recipes-core/swupdate/files/debian/copyright @@ -0,0 +1,36 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: swupdate +Maintainer: Stefano Babic <sbabic@denx.de> +Source: http://github.com/sbabic/swupdate + +Files: * +Copyright: 2014-2017 Stefano Babic <sbabic@denx.de> + +License: GPL-2 with OpenSSL exception + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + In addition, as a special exception, the author of this + program gives permission to link the code of its + release with the OpenSSL project's "OpenSSL" library (or + with modified versions of it that use the same license as + the "OpenSSL" library), and distribute the linked + executables. You must obey the GNU General Public + License in all respects for all of the code used other + than "OpenSSL". If you modify this file, you may extend + this exception to your version of the file, but you are + not obligated to do so. If you do not wish to do so, + delete this exception statement from your version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/> + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". diff --git a/recipes-core/swupdate/files/debian/rules.tmpl b/recipes-core/swupdate/files/debian/rules.tmpl new file mode 100755 index 0000000..54cca57 --- /dev/null +++ b/recipes-core/swupdate/files/debian/rules.tmpl @@ -0,0 +1,30 @@ +#!/usr/bin/make -f + +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- +export CC=$(DEB_HOST_GNU_TYPE)-gcc +export LD=$(DEB_HOST_GNU_TYPE)-gcc +endif + +export DH_VERBOSE = 1 + +export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow + +documentation: configure + make man + +configure: + make ${DEFCONFIG} + +build: documentation configure + dh $@ + +%: + echo $@ + dh $@ + +override_dh_installchangelogs: + true + +override_dh_installdocs: + true diff --git a/recipes-core/swupdate/files/debian/swupdate.examples b/recipes-core/swupdate/files/debian/swupdate.examples new file mode 100644 index 0000000..c257b75 --- /dev/null +++ b/recipes-core/swupdate/files/debian/swupdate.examples @@ -0,0 +1,2 @@ +examples/configuration +examples/description diff --git a/recipes-core/swupdate/files/debian/swupdate.install b/recipes-core/swupdate/files/debian/swupdate.install new file mode 100644 index 0000000..8957cc6 --- /dev/null +++ b/recipes-core/swupdate/files/debian/swupdate.install @@ -0,0 +1,2 @@ +swupdate usr/bin +swupdate.cfg /etc diff --git a/recipes-core/swupdate/files/debian/swupdate.manpages b/recipes-core/swupdate/files/debian/swupdate.manpages new file mode 100644 index 0000000..c3438e0 --- /dev/null +++ b/recipes-core/swupdate/files/debian/swupdate.manpages @@ -0,0 +1,5 @@ +doc/build/man/swupdate.1 +doc/build/man/client.1 +doc/build/man/sendtohawkbit.1 +doc/build/man/hawkbitcfg.1 +doc/build/man/progress.1 diff --git a/recipes-core/swupdate/files/debian/swupdate.tmpfile b/recipes-core/swupdate/files/debian/swupdate.tmpfile new file mode 100644 index 0000000..4743672 --- /dev/null +++ b/recipes-core/swupdate/files/debian/swupdate.tmpfile @@ -0,0 +1,2 @@ +X /tmp/datadst +X /tmp/scripts diff --git a/recipes-core/swupdate/files/debian/watch b/recipes-core/swupdate/files/debian/watch new file mode 100644 index 0000000..bc4c53e --- /dev/null +++ b/recipes-core/swupdate/files/debian/watch @@ -0,0 +1,12 @@ +# Example watch control file for uscan +# Rename this file to "watch" and then you can run the "uscan" command +# to check for upstream updates and more. +# See uscan(1) for format + +# Compulsory line, this is a version 4 file +version=4 + +# GitHub hosted projects +opts="filenamemangle="s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%<project>-$1.tar.gz%" \ + https://github.com/<user>/swupdate/tags \ + (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate diff --git a/recipes-core/swupdate/files/postinst b/recipes-core/swupdate/files/postinst new file mode 100644 index 0000000..f15ac10 --- /dev/null +++ b/recipes-core/swupdate/files/postinst @@ -0,0 +1,2 @@ +#!/bin/sh +deb-systemd-helper enable swupdate.socket || true diff --git a/recipes-core/swupdate/files/swupdate.cfg b/recipes-core/swupdate/files/swupdate.cfg new file mode 100644 index 0000000..e0222f1 --- /dev/null +++ b/recipes-core/swupdate/files/swupdate.cfg @@ -0,0 +1,6 @@ +globals : +{ + verbose = true; + loglevel = 10; + syslog = false; +}; diff --git a/recipes-core/swupdate/files/swupdate.service.example b/recipes-core/swupdate/files/swupdate.service.example new file mode 100644 index 0000000..d0b821e --- /dev/null +++ b/recipes-core/swupdate/files/swupdate.service.example @@ -0,0 +1,11 @@ +[Unit] +Description=SWUpdate daemon +Documentation=https://github.com/sbabic/swupdate + +[Service] +Type=simple +ExecStart=/usr/bin/swupdate -f /etc/swupdate.cfg +KillMode=mixed + +[Install] +WantedBy=multi-user.target diff --git a/recipes-core/swupdate/files/swupdate.socket.example b/recipes-core/swupdate/files/swupdate.socket.example new file mode 100644 index 0000000..2b75671 --- /dev/null +++ b/recipes-core/swupdate/files/swupdate.socket.example @@ -0,0 +1,11 @@ +[Unit] +Description=SWUpdate socket listener +Documentation=https://github.com/sbabic/swupdate +Documentation=https://sbabic.github.io/swupdate + +[Socket] +ListenStream=/tmp/sockinstctrl +ListenStream=/tmp/swupdateprog + +[Install] +WantedBy=sockets.target diff --git a/recipes-core/swupdate/files/swupdate.socket.tmpl b/recipes-core/swupdate/files/swupdate.socket.tmpl new file mode 100644 index 0000000..8e7fc1d --- /dev/null +++ b/recipes-core/swupdate/files/swupdate.socket.tmpl @@ -0,0 +1,13 @@ +[Unit] +Description=SWUpdate socket listener +Documentation=https://github.com/sbabic/swupdate +Documentation=https://sbabic.github.io/swupdate + +[Socket] +SocketUser=${SWUPDATE_SOCKET_OWNER} +SocketGroup=root +ListenStream=/tmp/sockinstctrl +ListenStream=/tmp/swupdateprog + +[Install] +WantedBy=sockets.target diff --git a/recipes-core/swupdate/files/swupdate_defconfig b/recipes-core/swupdate/files/swupdate_defconfig new file mode 100644 index 0000000..9ae7cb5 --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_defconfig @@ -0,0 +1,83 @@ +# +# Automatically generated file; DO NOT EDIT. +# Swupdate Configuration +# +CONFIG_HAVE_DOT_CONFIG=y + +# +# Swupdate Settings +# + +# +# General Configuration +# +# CONFIG_CURL is not set +# CONFIG_CURL_SSL is not set +CONFIG_SYSTEMD=y +CONFIG_SCRIPTS=y +# CONFIG_HW_COMPATIBILITY is not set +CONFIG_SW_VERSIONS_FILE="/etc/sw-versions" + +# +# Socket Paths +# +CONFIG_SOCKET_CTRL_PATH="/tmp/sockinstctrl" +CONFIG_SOCKET_PROGRESS_PATH="/tmp/swupdateprog" +CONFIG_SOCKET_REMOTE_HANDLER_DIRECTORY="/tmp/" +# CONFIG_MTD is not set +# CONFIG_LUA is not set +# CONFIG_LUAPKG is not set +# CONFIG_FEATURE_SYSLOG is not set + +# +# Build Options +# +CONFIG_CROSS_COMPILE="" +CONFIG_SYSROOT="" +CONFIG_EXTRA_CFLAGS="" +CONFIG_EXTRA_LDFLAGS="" +CONFIG_EXTRA_LDLIBS="" + +# +# Debugging Options +# +# CONFIG_DEBUG is not set +# CONFIG_WERROR is not set +# CONFIG_NOCLEANUP is not set +# CONFIG_BOOTLOADER_EBG is not set +# CONFIG_UBOOT is not set +# CONFIG_BOOTLOADER_NONE is not set +# CONFIG_BOOTLOADER_GRUB is not set +# CONFIG_DOWNLOAD is not set +# CONFIG_DOWNLOAD_SSL is not set +# CONFIG_CHANNEL_CURL is not set +# CONFIG_HASH_VERIFY=y +# CONFIG_SIGNED_IMAGES is not set +# CONFIG_ENCRYPTED_IMAGES is not set +# CONFIG_SURICATTA is not set +# CONFIG_WEBSERVER is not set +CONFIG_GUNZIP=y + +# +# Parser Features +# +CONFIG_LIBCONFIG=y +CONFIG_PARSERROOT="" +# CONFIG_JSON is not set +# CONFIG_LUAEXTERNAL is not set +# CONFIG_SETEXTPARSERNAME is not set +# CONFIG_SETSWDESCRIPTION is not set + +# +# Image Handlers +# +CONFIG_RAW=y +# CONFIG_LUASCRIPTHANDLER is not set +# CONFIG_SHELLSCRIPTHANDLER is not set +# CONFIG_HANDLER_IN_LUA is not set +# CONFIG_EMBEDDED_LUA_HANDLER is not set +# CONFIG_EMBEDDED_LUA_HANDLER_SOURCE is not set +CONFIG_ARCHIVE=y +# CONFIG_REMOTE_HANDLER is not set +# CONFIG_SWUFORWARDER_HANDLER is not set +# CONFIG_BOOTLOADERHANDLER is not set diff --git a/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet new file mode 100644 index 0000000..8e3688c --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet @@ -0,0 +1,3 @@ +CONFIG_BOOTLOADER_NONE=n +CONFIG_BOOTLOADER_EBG=y +CONFIG_BOOTLOADERHANDLER=y diff --git a/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet new file mode 100644 index 0000000..b39f9df --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet @@ -0,0 +1,2 @@ +CONFIG_LUA=y +CONFIG_LUAPKG="lua53" diff --git a/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet new file mode 100644 index 0000000..b4a2de8 --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet @@ -0,0 +1,4 @@ +CONFIG_LUASCRIPTHANDLER=y +CONFIG_HANDLER_IN_LUA=y +CONFIG_EMBEDDED_LUA_HANDLER=y +CONFIG_EMBEDDED_LUA_HANDLER_SOURCE="swupdate_handlers.lua" diff --git a/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet new file mode 100644 index 0000000..eab98dd --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet @@ -0,0 +1 @@ +CONFIG_MTD=y diff --git a/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet new file mode 100644 index 0000000..6b5832a --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet @@ -0,0 +1,3 @@ +CONFIG_UBOOT=y +CONFIG_UBOOT_FWENV="/etc/fw_env.config" +CONFIG_BOOTLOADERHANDLER=y diff --git a/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet new file mode 100644 index 0000000..d1c7732 --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet @@ -0,0 +1,6 @@ +CONFIG_UBIVOL=y +CONFIG_UBIATTACH=y +CONFIG_UBIBLACKLIST="" +CONFIG_UBIWHITELIST="" +CONFIG_UBIVIDOFFSET=0 +CONFIG_CFI=y diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua new file mode 100644 index 0000000..f2ecc54 --- /dev/null +++ b/recipes-core/swupdate/files/swupdate_handlers.lua @@ -0,0 +1,453 @@ +--[[ + + Round-robin Image and File Handler. + + Copyright (C) 2019, Siemens AG + + Author: Christian Storm <christian.storm@siemens.com> + + SPDX-License-Identifier: GPL-2.0-or-later + + An `sw-description` file using these handlers may look like: + software = + { + version = "0.1.0"; + images: ({ + filename = "rootfs.ext4"; + device = "sda4,sda5"; + type = "roundrobin"; + compressed = false; + }); + files: ({ + filename = "vmlinuz"; + path = "vmlinuz"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }, + { + filename = "initrd.img"; + path = "initrd.img"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }); + } + + The semantics is as follows: Instead of having a fixed target device, + the 'roundrobin' image handler calculates the target device by parsing + /proc/cmdline, matching the root=<device> kernel parameter against its + 'device' attribute's list of devices, and sets the actual target + device to the next 'device' attribute list entry in a round-robin + manner. The actual flashing is done via chain-calling another handler, + defaulting to the "raw" handler. + + The 'kernelfile' file handler reuses the 'roundrobin' handler's target + device calculation by reading the actual target device from the same + index into its 'device' attribute's list of devices. The actual placing + of files into this partition is done via chain-calling another handler, + defaulting to the "rawfile" handler. + + In the above example, if /dev/sda4 is currently booted according to + /proc/cmdline, /dev/sda5 will be flashed and the vmlinuz and initrd.img + files will be placed on /dev/sda3. If /dev/sda5 is booted, /dev/sda4 + will be flashed and the vmlinuz and initrd.img files are placed on + /dev/sda2. + In addition to "classical" device nodes as in this example, partition + UUIDs as reported, e.g., by `blkid -s PARTUUID` are also supported. + UBI volumes are supported as well by specifying a CSV list of + ubi<number>:<label> items. + + Configuration is done via an INI-style configuration file located at + /etc/swupdate.handler.ini or via compiled-in configuration (by + embedding the Lua handler script into the SWUpdate binary via using + CONFIG_EMBEDDED_LUA_HANDLER), the latter having precedence over the + former. See the example configuration below. + If uncommenting this example block, it will take precedence over any + /etc/swupdate.handler.ini configuration file. + + The chain-called handlers can either be specified in the configuration, + i.e., a static run-time setting, or via the 'chainhandler' property of + an 'image' or 'file' section in the sw-description, with the latter + taking precedence over the former, e.g., + ... + images: ({ + filename = "rootfs.ext4"; + device = "sda4,sda5"; + type = "roundrobin"; + properties: { + chainhandler = "myraw"; + }; + }); + ... + Such a sw-description fragment will chain-call the imaginary "myraw" + handler regardless of what's been configured in the compiled-in or the + configuration file. + When chain-calling the "rdiff_image" handler, its 'rdiffbase' property + is subject to round-robin as well, i.e., the 'rdiffbase' property is + expected to be a CSV list as for the 'device' property, and the actual + 'rdiffbase' property value is calculated following the same round-robin + calculation mechanism stated above prior to chain-calling the actual + "rdiff_image" handler, e.g., + images: ({ + filename = "rootfs.ext4"; + type = "roundrobin"; + device = "sda4,sda5"; + properties: { + chainhandler = "rdiff_image"; + rdiffbase="sda1,sda2"; + }; + }); + will set the 'rdiffbase' property to /dev/sda2 (/dev/sda1) if /dev/sda4 + (/dev/sda5) is the currently booted root file system according to + /proc/cmdline parsing. + +]] + + +local configuration = [[ +[bootloader] +# Required: bootloader name, uboot and ebg currently supported. +name=ebg +# Required: bootloader-specific key-value pairs, e.g., for ebg: +kernelname=linux.signed.efi +# For relying on FAT labels, prefix bootlabels with 'L:', e.g., L:BOOT0. +# For using custom labels, i.e., relying on the contents of an EFILABEL +# file within the partition, prefix it with 'C:', e.g., C:BOOT0. +bootlabel={ "C:BOOT0:", "C:BOOT1:" } + +# Optional: handler to chain-call for the 'roundrobin' handler, +# defaulting to 'raw' +[roundrobin] +chainhandler=raw + +# Optional: handler to chain-call for the 'kernelfile' handler, +# defaulting to 'rawfile' +[kernelfile] +chainhandler=rawfile +]] + +-- Default configuration file, tried if no compiled-in config is available. +local cfgfile = "/etc/swupdate.handler.ini" + +-- Table holding the configuration. +local config = {} + +-- Mandatory configuration [section] and keys +local BOOTLOADERCFG = { + ebg = { + bootloader = {"name", "bootlabel", "kernelname"} + }, + -- TODO fill with mandatory U-Boot configuration + uboot = { + bootloader = {"name"} + } +} + +-- enum-alikes to make code more readable +local BOOTLOADER = { EBG = "ebg", UBOOT = "uboot" } +local PARTTYPE = { UUID = 1, PLAIN = 2, UBI = 3 } + +-- Target table describing the target device the image is to be/has been flashed to. +local rrtarget = { + size = function(self) + local _size = 0 + for index in pairs(self) do _size = _size + 1 end + return _size - 1 + end +} + +-- Helper function parsing CSV fields of a struct img_type such as +-- the "device" fields or the "rdiffbase" property. +local get_device_list = function(device_node_csv_list) + local device_list = {} + for item in device_node_csv_list:gmatch("([^,]+)") do + local device_node = item:gsub("/dev/", "") + device_list[#device_list+1] = device_node + device_list[device_node] = #device_list + end + return device_list +end + +-- Helper function to determine device node location. +local get_device_path = function(device_node) + if device_node:match("ubi%d+:%S+") then + return 0, device_node, PARTTYPE.UBI + end + local device_path = string.format("/dev/disk/by-partuuid/%s", device_node) + local file = io.open(device_path, "rb" ) + if file then + file:close() + return 0, device_path, PARTTYPE.UUID + end + device_path = string.format("/dev/%s", device_node) + file = io.open(device_path, "rb" ) + if file then + file:close() + return 0, device_path, PARTTYPE.PLAIN + end + swupdate.error(string.format("Cannot access target device node /dev/{,disk/by-partuuid}/%s", device_node)) + return 1, nil, nil +end + +-- Helper function parsing the INI-style configuration. +local get_config = function() + -- Return configuration right away if it's already parsed. + if config ~= nil and #config > 0 then + return config + end + + -- Get configuration INI-style string. + if not configuration then + swupdate.trace(string.format("No compiled-in config found, trying %s", cfgfile)) + local file = io.open(cfgfile, "r" ) + if not file then + swupdate.error(string.format("Cannot open config file %s", cfgfile)) + return nil + end + configuration = file:read("*a") + file:close() + end + if configuration:sub(-1) ~= "\n" then + configuration=configuration.."\n" + end + + -- Parse INI-style contents into config table. + local sec, key, value + for line in configuration:gmatch("(.-)\n") do + if line:match("^%[([%w%p]+)%][%s]*") then + sec = line:match("^%[([%w%p]+)%][%s]*") + config[sec] = {} + elseif sec then + key, value = line:match("^([%w%p]-)=(.*)$") + if key and value then + if tonumber(value) then value = tonumber(value) end + if value == "true" then value = true end + if value == "false" then value = false end + if value:sub(1,1) == "{" then + local _value = {} + for _key, _ in value:gmatch("\"(%S+)\"") do + table.insert(_value, _key) + end + value = _value + end + config[sec][key] = value + else + if not line:match("^$") and not line:match("^#") then + swupdate.warn(string.format("Syntax error, skipping '%s'", line)) + end + end + else + swupdate.error(string.format("Syntax error. no [section] encountered.")) + return nil + end + end + + -- Check config table for mandatory key existence. + if config["bootloader"] == nil or config["bootloader"]["name"] == nil then + swupdate.error(string.format("Syntax error. no [bootloader] encountered or name= missing therein.")) + return nil + end + local bcfg = BOOTLOADERCFG[config.bootloader.name] + if not bcfg then + swupdate.error(string.format("Bootloader unsupported, name=uboot|ebg missing in [bootloader]?.")) + return nil + end + for sec, _ in pairs(bcfg) do + for _, key in pairs(bcfg[sec]) do + if config[sec] == nil or config[sec][key] == nil then + swupdate.error(string.format("Mandatory config key %s= in [%s] not found.", key, sec)) + end + end + end + + return config +end + +-- Round-robin image handler for updating the root partition. +function handler_roundrobin(image) + -- Read configuration. + if not get_config() then + swupdate.error("Cannot read configuration.") + return 1 + end + + -- Check if we can chain-call the handler. + local chained_handler = "raw" + if image.properties ~= nil and image.properties["chainhandler"] ~= nil then + chained_handler = image.properties["chainhandler"] + elseif config["roundrobin"] ~= nil and config["roundrobin"]["chainhandler"] ~= nil then + chained_handler = config["roundrobin"]["chainhandler"] + end + if not swupdate.handler[chained_handler] then + swupdate.error(string.format("'%s' handler not available in SWUpdate distribution.", chained_handler)) + return 1 + end + + -- Get device list for round-robin. + local devices = get_device_list(image.device) + if #devices < 2 then + swupdate.error("Specify at least 2 devices in the device= property for 'roundrobin'.") + return 1 + end + + -- Check that rrtarget is unset, else a reboot may be pending. + if rrtarget:size() > 0 then + swupdate.warn("The 'roundrobin' handler has been run. Is a reboot pending?") + end + + -- Determine current root device. + local file = io.open("/proc/cmdline", "r") + if not file then + swupdate.error("Cannot open /proc/cmdline.") + return 1 + end + local cmdline = file:read("*l") + file:close() + + local rootparam, rootdevice + for item in cmdline:gmatch("%S+") do + rootparam, rootdevice = item:match("(root=[%u=]*[/dev/]*(%S+))") + if rootparam and rootdevice then break end + end + if not rootdevice then + -- Use findmnt to get the rootdev + rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l") + if not rootdevice then + swupdate.error("Cannot determine current root device.") + return 1 + end + end + swupdate.info(string.format("Current root device is: %s", rootdevice)) + + if not devices[rootdevice] then + swupdate.error(string.format("Current root device '%s' is not in round-robin root devices list: %s", rootdevice, image.device:gsub("/dev/", ""))) + return 1 + end + + -- Perform round-robin calculation for target. + local err + rrtarget.index = devices[rootdevice] % #devices + 1 + rrtarget.device_node = devices[rrtarget.index] + err, rrtarget.device_path, rrtarget.parttype = get_device_path(devices[rrtarget.index]) + if err ~= 0 then + return 1 + end + swupdate.info(string.format("Using '%s' as 'roundrobin' target via '%s' handler.", rrtarget.device_path, chained_handler)) + + -- If the chain-called handler is rdiff_image, adapt the rdiffbase property + if chained_handler == "rdiff_image" then + if image.properties ~= nil and image.properties["rdiffbase"] ~= nil then + local rdiffbase_devices = get_device_list(image.properties["rdiffbase"]) + if #rdiffbase_devices < 2 then + swupdate.error("Specify at least 2 devices in the rdiffbase= property for 'roundrobin'.") + return 1 + end + err, image.propierties["rdiffbase"], _ = get_device_path(rdiffbase_devices[rrtarget.index]) + if err ~= 0 then + return 1 + end + swupdate.info(string.format("Using device %s as rdiffbase.", image.properties["rdiffbase"])) + else + swupdate.error("Property 'rdiffbase' is missing in sw-description.") + return 1 + end + end + + -- Actually flash the partition. + local msg + image.type = chained_handler + image.device = rrtarget.device_path + err, msg = swupdate.call_handler(chained_handler, image) + if err ~= 0 then + swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or ""))) + return 1 + end + + if config.bootloader.name == BOOTLOADER.EBG then + if rootparam then + local value = cmdline:gsub( + rootparam:gsub("%-", "%%-"), + string.format("root=%s%s", + (rrtarget.parttype == PARTTYPE.PLAIN and "") or (rrtarget.parttype == PARTTYPE.UBI and "") or "PARTUUID=", + rrtarget.parttype == PARTTYPE.PLAIN and rrtarget.device_path or devices[rrtarget.index] + ) + ) + swupdate.info(string.format("Setting EFI Bootguard environment: kernelparams=%s", value)) + swupdate.set_bootenv("kernelparams", value) + end + elseif config.bootloader.name == BOOTLOADER.UBOOT then + -- Update U-Boot environment. + swupdate.info(string.format("Setting U-Boot environment")) + local value = rrtarget.index + swupdate.set_bootenv("swupdpart", value); + end + + return 0 +end + +-- File handler for updating kernel files. +function handler_kernelfile(image) + -- Check if we can chain-call the handler. + local chained_handler = "rawfile" + if image.properties ~= nil and image.properties["chainhandler"] ~= nil then + chained_handler = image.properties["chainhandler"] + elseif config["kernelfile"] ~= nil and config["kernelfile"]["chainhandler"] ~= nil then + chained_handler = config["kernelfile"]["chainhandler"] + end + if not swupdate.handler[chained_handler] then + swupdate.error(string.format("'%s' handler not available in SWUpdate distribution."), chained_handler) + return 1 + end + + -- Check that rrtarget is set, else the 'roundrobin' handler hasn't been run. + if rrtarget:size() == 0 then + swupdate.error("The 'roundrobin' handler hasn't been run.") + swupdate.info("Place 'roundrobin' above 'kernelfile' in sw-description.") + return 1 + end + + -- Get device list for round-robin. + local devices = get_device_list(image.device) + if #devices < 2 then + swupdate.error("Specify at least 2 devices in the device= property for 'kernelfile'.") + return 1 + end + if rrtarget.index > #devices then + swupdate.error("Cannot map kernel partition to root partition.") + return 1 + end + + -- Perform round-robin indexing for target. + local err + err, image.device, _ = get_device_path(devices[rrtarget.index]) + if err ~= 0 then + return 1 + end + swupdate.info(string.format("Using '%s' as 'kernelfile' target via '%s' handler.", image.device, chained_handler)) + + -- Actually copy the 'kernelfile' files. + local msg + image.type = chained_handler + err, msg = swupdate.call_handler(chained_handler, image) + if err ~= 0 then + swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or ""))) + return 1 + end + + if config.bootloader.name == BOOTLOADER.EBG then + -- Update EFI Boot Guard environment: kernelfile + local value = string.format("%s%s", config.bootloader.bootlabel[rrtarget.index], config.bootloader.kernelname) + swupdate.info(string.format("Setting EFI Bootguard environment: kernelfile=%s", value)) + swupdate.set_bootenv("kernelfile", value) + elseif config.bootloader.name == BOOTLOADER.UBOOT then + -- Update U-Boot environment. + swupdate.info(string.format("Setting U-Boot environment")) + -- TODO + end + + return 0 +end + +swupdate.register_handler("roundrobin", handler_roundrobin, swupdate.HANDLER_MASK.IMAGE_HANDLER) +swupdate.register_handler("kernelfile", handler_kernelfile, swupdate.HANDLER_MASK.FILE_HANDLER) diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb new file mode 100644 index 0000000..95cf73a --- /dev/null +++ b/recipes-core/swupdate/swupdate.bb @@ -0,0 +1,54 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT + +hDESCRIPTION = "swupdate utility for software updates" +HOMEPAGE= "https://github.com/sbabic/swupdate" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" + +SRC_URI = "git://github.com/sbabic/swupdate.git;branch=master;protocol=https" + +SRCREV = "1a6dfbb5a0be978ac1a159758e278ab4d44167e2" +PV = "2020.4-git+isar" + +DEFCONFIG := "swupdate_defconfig" + +SRC_URI += "file://debian \ + file://${DEFCONFIG} \ + file://${PN}.cfg" + +DEPENDS += "libubootenv" + +DEBIAN_DEPENDS = "${shlibs:Depends}, ${misc:Depends}" + +inherit dpkg +inherit swupdate-config + +KFEATURES += "luahandler" + +S = "${WORKDIR}/git" + +TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl debian/rules.tmpl" +TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS" + +do_prepare_build() { + DEBDIR=${S}/debian + cp -R ${WORKDIR}/debian ${S} + + install -m 0644 ${WORKDIR}/${PN}.cfg ${S}/swupdate.cfg + install -m 0644 ${WORKDIR}/${DEFCONFIG}.gen ${S}/configs/${DEFCONFIG} + + if ! grep -q "configs/${DEFCONFIG}" ${S}/.gitignore + then + echo "configs/${DEFCONFIG}" >> ${S}/.gitignore + fi + # luahandler + install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S} +} -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 5/5] swupdate: create swu file from wic image
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Create a swu file for swupdate to update devices in the field. This is done in the same step as the complete image build to avoid diverging images. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- classes/extract-partition.bbclass | 26 +++++++++++++ classes/wic-swu-img.bbclass | 20 ++++++++++ kas/opt/ebg-swu.yml | 4 +- recipes-core/images/cip-core-image.bb | 10 +++++ recipes-core/images/files/sw-description.tmpl | 37 +++++++++++++++++++ 5 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 classes/extract-partition.bbclass create mode 100644 classes/wic-swu-img.bbclass create mode 100644 recipes-core/images/files/sw-description.tmpl diff --git a/classes/extract-partition.bbclass b/classes/extract-partition.bbclass new file mode 100644 index 0000000..e9de8fc --- /dev/null +++ b/classes/extract-partition.bbclass @@ -0,0 +1,26 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +SOURCE_IMAGE_FILE ?= "${WIC_IMAGE_FILE}" +EXTRACT_PARTITIONS ?= "img4" + +do_extract_partition () { + for PARTITION in ${EXTRACT_PARTITIONS}; do + rm -f ${DEPLOY_DIR_IMAGE}/${PARTITION}.gz + PART_START=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $2 }' ) + PART_END=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $3 }' ) + PART_COUNT=$(expr ${PART_END} - ${PART_START} + 1 ) + + dd if=${SOURCE_IMAGE_FILE} of=${DEPLOY_DIR_IMAGE}/${PARTITION} bs=512 skip=${PART_START} count=${PART_COUNT} + + gzip ${DEPLOY_DIR_IMAGE}/${PARTITION} + done +} diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass new file mode 100644 index 0000000..c8532ba --- /dev/null +++ b/classes/wic-swu-img.bbclass @@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + + +inherit wic-img +inherit extract-partition +inherit swupdate-img + +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}" + +addtask do_extract_partition after do_wic_image +addtask do_swupdate_image after do_extract_partition diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml index 5b39730..304fa4d 100644 --- a/kas/opt/ebg-swu.yml +++ b/kas/opt/ebg-swu.yml @@ -22,5 +22,5 @@ local_conf_header: WICVARS += "WDOG_TIMEOUT" wic: | - IMAGE_TYPE = "wic-img" - WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks" + IMAGE_TYPE = "wic-swu-img" + WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks" diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index 9ee4b25..b1ed491 100644 --- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb @@ -17,3 +17,13 @@ DESCRIPTION = "CIP Core image" IMAGE_INSTALL += "customizations" # for cip-testing IMAGE_INSTALL += "ltp-full" + +# for swupdate +EXTRACT_PARTITIONS = "img4" +ROOTFS_PARTITION_NAME="img4.gz" + +SRC_URI += "file://sw-description.tmpl" +TEMPLATE_FILES += "sw-description.tmpl" +TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE" + +SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl new file mode 100644 index 0000000..4d32f6f --- /dev/null +++ b/recipes-core/images/files/sw-description.tmpl @@ -0,0 +1,37 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# +software = +{ + version = "0.2"; + name = "cip software update" + images: ({ + filename = "${ROOTFS_PARTITION_NAME}"; + device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; + type = "roundrobin"; + compressed = true; + filesystem = "ext4"; + }); + files: ({ + filename = "${KERNEL_IMAGE}"; + path = "vmlinuz"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }, + { + filename = "${INITRD_IMAGE}"; + path = "initrd.img"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }); +} + -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 4/5] wic: Add wks files for A/B Partition update
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add wks for: - simatic-ipc227e - qemu-amd64 Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- kas/opt/ebg-swu.yml | 26 ++++++++++++++++++++++++++ wic/ebg-sysparts.inc | 8 ++++++++ wic/qemu-amd64-efibootguard.wks | 5 +++++ wic/simatic-ipc227e-efibootguard.wks | 5 +++++ wic/swupdate-partition.inc | 4 ++++ 5 files changed, 48 insertions(+) create mode 100644 kas/opt/ebg-swu.yml create mode 100644 wic/ebg-sysparts.inc create mode 100644 wic/qemu-amd64-efibootguard.wks create mode 100644 wic/simatic-ipc227e-efibootguard.wks create mode 100644 wic/swupdate-partition.inc diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml new file mode 100644 index 0000000..5b39730 --- /dev/null +++ b/kas/opt/ebg-swu.yml @@ -0,0 +1,26 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +local_conf_header: + swupdate: | + IMAGE_INSTALL_append = " swupdate efibootguard" + BOOTLOADER = "efibootguard" + + efibootguard: | + WDOG_TIMEOUT = "0" + WICVARS += "WDOG_TIMEOUT" + + wic: | + IMAGE_TYPE = "wic-img" + WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks" diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc new file mode 100644 index 0000000..dea99e8 --- /dev/null +++ b/wic/ebg-sysparts.inc @@ -0,0 +1,8 @@ +# default partition layout EFI Boot Guard usage + +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002" diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks new file mode 100644 index 0000000..3cd7360 --- /dev/null +++ b/wic/qemu-amd64-efibootguard.wks @@ -0,0 +1,5 @@ +# short-description: Qemu-amd64 with Efibootguard and SWUpdate +# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate + +include ebg-sysparts.inc +include swupdate-partition.inc diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks new file mode 100644 index 0000000..74446d3 --- /dev/null +++ b/wic/simatic-ipc227e-efibootguard.wks @@ -0,0 +1,5 @@ +# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate +# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate + +include ebg-sysparts.inc +include swupdate-partition.inc diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc new file mode 100644 index 0000000..15fbe80 --- /dev/null +++ b/wic/swupdate-partition.inc @@ -0,0 +1,4 @@ +part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4 +part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4 + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 1/5] recipes-bsp: Add efibootguard
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add the bootloader efibootguard for A/B partition update on x86 with EFI. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- .../efibootguard/efibootguard_0.7-git+isar.bb | 46 +++++ recipes-bsp/efibootguard/files/debian/compat | 1 + .../efibootguard/files/debian/control.tmpl | 20 +++ .../files/debian/efibootguard-dev.install | 3 + .../files/debian/efibootguard.install | 2 + recipes-bsp/efibootguard/files/debian/rules | 21 +++ .../wic/plugins/source/efibootguard-boot.py | 162 ++++++++++++++++++ .../wic/plugins/source/efibootguard-efi.py | 102 +++++++++++ 8 files changed, 357 insertions(+) create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb create mode 100644 recipes-bsp/efibootguard/files/debian/compat create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install create mode 100755 recipes-bsp/efibootguard/files/debian/rules create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py diff --git a/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb new file mode 100644 index 0000000..4bdf76a --- /dev/null +++ b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb @@ -0,0 +1,46 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "efibootguard boot loader" +DESCRIPTION_DEV = "efibootguard development library" +HOMEPAGE = "https://github.com/siemens/efibootguard" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" +MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>" + +SRC_URI = "git://github.com/siemens/efibootguard.git;branch=master;protocol=https \ + file://debian \ + " + +S = "${WORKDIR}/git" + +SRCREV = "442e87bafb480ada2b9074f02350a30408d4cf9c" + +PROVIDES = "${PN}" +PROVIDES += "${PN}-dev" + +BUILD_DEB_DEPENDS = "gnu-efi,libpci-dev,check,pkg-config,libc6-dev-i386" + +inherit dpkg + +TEMPLATE_FILES = "debian/control.tmpl" +TEMPLATE_VARS += "DESCRIPTION_DEV BUILD_DEB_DEPENDS" + +do_prepare_build() { + cp -R ${WORKDIR}/debian ${S} + deb_add_changelog +} + +dpkg_runbuild_append() { + install -m 0755 -d ${DEPLOY_DIR_IMAGE} + install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi + install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv +} diff --git a/recipes-bsp/efibootguard/files/debian/compat b/recipes-bsp/efibootguard/files/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/compat @@ -0,0 +1 @@ +9 diff --git a/recipes-bsp/efibootguard/files/debian/control.tmpl b/recipes-bsp/efibootguard/files/debian/control.tmpl new file mode 100644 index 0000000..54b1994 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/control.tmpl @@ -0,0 +1,20 @@ +Source: ${PN} +Section: base +Priority: optional +Standards-Version: 3.9.6 +Build-Depends: ${BUILD_DEB_DEPENDS} +Homepage: ${HOMEPAGE} +Maintainer: ${MAINTAINER} + +Package: ${PN} +Depends: ${shlibs:Depends} +Section: base +Architecture: ${DISTRO_ARCH} +Priority: required +Description: ${DESCRIPTION} + +Package: ${PN}-dev +Section: base +Architecture: ${DISTRO_ARCH} +Priority: optional +Description: ${DESCRIPTION_DEV} diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install new file mode 100644 index 0000000..7b45bd8 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install @@ -0,0 +1,3 @@ +include/ebgenv.h usr/include/efibootguard +libebgenv.a usr/lib/x86_64-linux-gnu + diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install new file mode 100644 index 0000000..8a8d9d3 --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install @@ -0,0 +1,2 @@ +bg_setenv usr/bin +bg_printenv usr/bin diff --git a/recipes-bsp/efibootguard/files/debian/rules b/recipes-bsp/efibootguard/files/debian/rules new file mode 100755 index 0000000..82e9e0e --- /dev/null +++ b/recipes-bsp/efibootguard/files/debian/rules @@ -0,0 +1,21 @@ +#!/usr/bin/make -f +export DH_VERBOSE=1 +export DEB_BUILD_OPTIONS=hardening=-stackprotector +export DPKG_EXPORT_BUILDFLAGS=1 +include /usr/share/dpkg/default.mk + +override_dh_auto_test: + # we do not run the tests; that avoids having to pull the fff submodule + +override_dh_auto_install: + # install using Debian's .install files rather than + # make install in order to have a proper package split. + +override_dh_installchangelogs: + # we're not interested in changelogs + +override_dh_installdocs: + # we're not interested in docs + +%: + dh $@ --with autoreconf diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py new file mode 100644 index 0000000..38d2b2e --- /dev/null +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py @@ -0,0 +1,162 @@ +# ex:ts=4:sw=4:sts=4:et +# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*- +# +# Copyright (c) 2014, Intel Corporation. +# Copyright (c) 2018, Siemens AG. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# DESCRIPTION +# This implements the 'efibootguard-boot' source plugin class for 'wic' +# +# AUTHORS +# Tom Zanussi <tom.zanussi (at] linux.intel.com> +# Claudius Heine <ch (at] denx.de> +# Andreas Reichel <andreas.reichel.ext (at] siemens.com> +# Christian Storm <christian.storm (at] siemens.com> + +import os +import fnmatch +import sys +import logging + +msger = logging.getLogger('wic') + +from wic.pluginbase import SourcePlugin +from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE + +class EfibootguardBootPlugin(SourcePlugin): + """ + Create EFI Boot Guard partition hosting the + environment file plus Kernel files. + """ + + name = 'efibootguard-boot' + + @classmethod + def do_prepare_partition(cls, part, source_params, creator, cr_workdir, + oe_builddir, deploy_dir, kernel_dir, + rootfs_dir, native_sysroot): + """ + Called to do the actual content population for a partition, i.e., + populate an EFI Boot Guard environment partition plus Kernel files. + """ + + kernel_image = get_bitbake_var("KERNEL_IMAGE") + if not kernel_image: + msger.warning("KERNEL_IMAGE not set. Use default:") + kernel_image = "vmlinuz" + boot_image = kernel_image + + initrd_image = get_bitbake_var("INITRD_IMAGE") + if not initrd_image: + msger.warning("INITRD_IMAGE not set\n") + initrd_image = "initrd.img" + bootloader = creator.ks.bootloader + + deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE") + if not deploy_dir: + msger.error("DEPLOY_DIR_IMAGE not set, exiting\n") + sys.exit(1) + creator.deploy_dir = deploy_dir + + wdog_timeout = get_bitbake_var("WDOG_TIMEOUT") + if not wdog_timeout: + msger.error("Specify watchdog timeout for \ + efibootguard in local.conf with WDOG_TIMEOUT=") + exit(1) + + + boot_files = source_params.get("files", "").split(' ') + cmdline = bootloader.append + root_dev = source_params.get("root", None) + if not root_dev: + msger.error("Specify root in source params") + exit(1) + root_dev = root_dev.replace(":", "=") + + cmdline += " root=%s rw" % root_dev + boot_files.append(kernel_image) + boot_files.append(initrd_image) + cmdline += "initrd=%s" % initrd_image if initrd_image else "" + + part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir, + part.label, part.lineno) + create_dir_cmd = "install -d %s" % part_rootfs_dir + exec_cmd(create_dir_cmd) + + cwd = os.getcwd() + os.chdir(part_rootfs_dir) + config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \ + % ( + deploy_dir, + part.label.upper(), + boot_image, + '-a "%s"' % cmdline if cmdline else "", + source_params.get("revision", 1), + wdog_timeout + ) + exec_cmd(config_cmd, True) + os.chdir(cwd) + + boot_files = list(filter(None, boot_files)) + for boot_file in boot_files: + if os.path.isfile("%s/%s" % (kernel_dir, kernel_image)): + install_cmd = "install -m 0644 %s/%s %s/%s" % \ + (kernel_dir, boot_file, part_rootfs_dir, boot_file) + exec_cmd(install_cmd) + else: + msger.error("file %s not found in directory %s", + boot_file, kernel_dir) + exit(1) + cls._create_img(part_rootfs_dir, part, cr_workdir) + + @classmethod + def _create_img(cls, part_rootfs_dir, part, cr_workdir): + # Write label as utf-16le to EFILABEL file + with open("%s/EFILABEL" % part_rootfs_dir, 'wb') as filedescriptor: + filedescriptor.write(part.label.upper().encode("utf-16le")) + + du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir + blocks = int(exec_cmd(du_cmd).split()[0]) + + extra_blocks = part.get_extra_block_count(blocks) + if extra_blocks < BOOTDD_EXTRA_SPACE: + extra_blocks = BOOTDD_EXTRA_SPACE + + blocks += extra_blocks + blocks = blocks + (16 - (blocks % 16)) + + msger.debug("Added %d extra blocks to %s to get to %d total blocks", + extra_blocks, part.mountpoint, blocks) + + # dosfs image, created by mkdosfs + bootimg = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno) + + dosfs_cmd = "mkdosfs -F 16 -S 512 -n %s -C %s %d" % \ + (part.label.upper(), bootimg, blocks) + exec_cmd(dosfs_cmd) + + mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % (bootimg, part_rootfs_dir) + exec_cmd(mcopy_cmd, True) + + chmod_cmd = "chmod 644 %s" % bootimg + exec_cmd(chmod_cmd) + + du_cmd = "du -Lbks %s" % bootimg + bootimg_size = int(exec_cmd(du_cmd).split()[0]) + + part.size = bootimg_size + part.source_file = bootimg diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py new file mode 100644 index 0000000..5ee451f --- /dev/null +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py @@ -0,0 +1,102 @@ +# ex:ts=4:sw=4:sts=4:et +# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*- +# +# Copyright (c) 2014, Intel Corporation. +# Copyright (c) 2018, Siemens AG. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# DESCRIPTION +# This implements the 'efibootguard-efi' source plugin class for 'wic' +# +# AUTHORS +# Tom Zanussi <tom.zanussi (at] linux.intel.com> +# Claudius Heine <ch (at] denx.de> +# Andreas Reichel <andreas.reichel.ext (at] siemens.com> +# Christian Storm <christian.storm (at] siemens.com> + +import logging +import os + +msger = logging.getLogger('wic') + +from wic.pluginbase import SourcePlugin +from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE + +class EfibootguardEFIPlugin(SourcePlugin): + """ + Create EFI bootloader partition containing the EFI Boot Guard Bootloader. + """ + + name = 'efibootguard-efi' + + @classmethod + def do_prepare_partition(cls, part, source_params, creator, cr_workdir, + oe_builddir, deploy_dir, kernel_dir, + rootfs_dir, native_sysroot): + """ + Called to do the actual content population for a partition, i.e., + populate an EFI boot partition containing the EFI Boot Guard + bootloader binary. + """ + deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE") + creator.deploy_dir = deploy_dir + bootloader_files = source_params.get("bootloader") + if not bootloader_files: + bootloader_files = "bootx64.efi" + bootloader_files = bootloader_files.split(' ') + part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir, + part.label, + part.lineno) + create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir + exec_cmd(create_dir_cmd) + + for bootloader in bootloader_files: + cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir, + bootloader, + part_rootfs_dir, + bootloader) + exec_cmd(cp_cmd, True) + du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir + blocks = int(exec_cmd(du_cmd).split()[0]) + + extra_blocks = part.get_extra_block_count(blocks) + if extra_blocks < BOOTDD_EXTRA_SPACE: + extra_blocks = BOOTDD_EXTRA_SPACE + blocks += extra_blocks + blocks = blocks + (16 - (blocks % 16)) + + msger.debug("Added %d extra blocks to %s to get to %d total blocks", + extra_blocks, part.mountpoint, blocks) + + # dosfs image, created by mkdosfs + efi_part_image = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno) + + dosfs_cmd = "mkdosfs -S 512 -n %s -C %s %d" % \ + (part.label.upper(), efi_part_image, blocks) + exec_cmd(dosfs_cmd) + + mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % \ + (efi_part_image, part_rootfs_dir) + exec_cmd(mcopy_cmd, True) + + chmod_cmd = "chmod 644 %s" % efi_part_image + exec_cmd(chmod_cmd) + + du_cmd = "du -Lbks %s" % efi_part_image + efi_part_image_size = int(exec_cmd(du_cmd).split()[0]) + + part.size = efi_part_image_size + part.source_file = efi_part_image -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 2/5] patches: add libubootenv
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
swupdate 2020.04 requires libubootenv as build dependency. libubootenv is a library that provides a hardware independent way to access to U-Boot environment. U-Boot has its default environment compiled board-dependently and this means that tools to access the environment are also board specific, too. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- .../0001-u-boot-add-libubootenv.patch | 169 ++++++++++++++++++ kas-cip.yml | 4 + 2 files changed, 173 insertions(+) create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch diff --git a/isar-patches/0001-u-boot-add-libubootenv.patch b/isar-patches/0001-u-boot-add-libubootenv.patch new file mode 100644 index 0000000..10a5b4a --- /dev/null +++ b/isar-patches/0001-u-boot-add-libubootenv.patch @@ -0,0 +1,169 @@ +From 76897e89977f895495e21e37cb76f90392d55ef9 Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff <quirin.gylstorff@siemens.com> +Date: Fri, 19 Jun 2020 17:00:36 +0200 +Subject: [PATCH v2] u-boot: add libubootenv + +Add the new library libubootenv and remove fw_printenv and fw_setenv +form u-boot-tools as the are now part of the new library. + +libubootenv is a library that provides a hardware independent +way to access to U-Boot environment. U-Boot has its default environment +compiled board-dependently and this means that tools to access the environment +are also board specific, too. + +libubootenv conflicts with u-boot-tools from Debian 10 +as both try to install fw_printenv and fw_sentenv. This conflict is not +part of the control file as it breaks the installation of custom u-boot-tools +from the u-boot-sources. + +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> +--- + meta-isar/conf/machine/de0-nano-soc.conf | 2 +- + .../libubootenv/files/debian/compat | 1 + + .../libubootenv/files/debian/control.tmpl | 15 +++++++++ + .../libubootenv/files/debian/rules.tmpl | 24 ++++++++++++++ + .../libubootenv/libubootenv_0.2.bb | 32 +++++++++++++++++++ + .../files/debian/u-boot-tools.conffiles | 1 - + .../u-boot/files/debian/u-boot-tools.install | 2 -- + .../u-boot/files/debian/u-boot-tools.links | 1 - + 8 files changed, 73 insertions(+), 5 deletions(-) + create mode 100644 meta/recipes-bsp/libubootenv/files/debian/compat + create mode 100644 meta/recipes-bsp/libubootenv/files/debian/control.tmpl + create mode 100644 meta/recipes-bsp/libubootenv/files/debian/rules.tmpl + create mode 100644 meta/recipes-bsp/libubootenv/libubootenv_0.2.bb + delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles + delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links + +diff --git a/meta-isar/conf/machine/de0-nano-soc.conf b/meta-isar/conf/machine/de0-nano-soc.conf +index 3a2c009..6558d90 100644 +--- a/meta-isar/conf/machine/de0-nano-soc.conf ++++ b/meta-isar/conf/machine/de0-nano-soc.conf +@@ -15,4 +15,4 @@ WKS_FILE ?= "de0-nano-soc.wks.in" + IMAGER_INSTALL += "u-boot-de0-nano-soc" + IMAGER_BUILD_DEPS += "u-boot-de0-nano-soc" + +-IMAGE_INSTALL += "u-boot-tools u-boot-script" ++IMAGE_INSTALL += "u-boot-tools libubootenv u-boot-script" +diff --git a/meta/recipes-bsp/libubootenv/files/debian/compat b/meta/recipes-bsp/libubootenv/files/debian/compat +new file mode 100644 +index 0000000..b4de394 +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/files/debian/compat +@@ -0,0 +1 @@ ++11 +diff --git a/meta/recipes-bsp/libubootenv/files/debian/control.tmpl b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl +new file mode 100644 +index 0000000..fade69a +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl +@@ -0,0 +1,15 @@ ++Source: libubootenv ++Section: embedded ++Priority: optional ++Maintainer: Stefano Babic <sbabic@denx.de> ++Build-Depends: ${BUILD_DEB_DEPENDS} ++Standards-Version: 4.2.1 ++Homepage: https://sbabic.github.io/libubootenv ++ ++Package: libubootenv ++Architecture: any ++Depends: ${DEBIAN_DEPENDS} ++Description: libubootenv is a library that provides a hardware independent ++ way to access to U-Boot environment. U-Boot has its default environment ++ compiled board-dependently and this means that tools to access the environment ++ are also board specific, too. +diff --git a/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl +new file mode 100644 +index 0000000..56ccd19 +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl +@@ -0,0 +1,24 @@ ++#!/usr/bin/make -f ++ ++ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) ++export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- ++export CC=$(DEB_HOST_GNU_TYPE)-gcc ++export LD=$(DEB_HOST_GNU_TYPE)-gcc ++endif ++ ++export DH_VERBOSE = 1 ++ ++export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow ++ ++override_dh_auto_configure: ++ dh_auto_configure -- ++ ++%: ++ echo $@ ++ dh $@ ++ ++override_dh_installchangelogs: ++ true ++ ++override_dh_installdocs: ++ true +diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb +new file mode 100644 +index 0000000..1be058c +--- /dev/null ++++ b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb +@@ -0,0 +1,32 @@ ++# libubootenv ++# ++# This software is a part of ISAR. ++# Copyright (c) Siemens AG, 2020 ++# ++# SPDX-License-Identifier: MIT ++ ++DESCRIPTION = "swupdate utility for software updates" ++HOMEPAGE= "https://github.com/sbabic/swupdate" ++LICENSE = "GPL-2.0" ++LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" ++SRC_URI = "gitsm://github.com/sbabic/libubootenv.git;branch=master;protocol=https" ++ ++SRCREV = "bf6ff631c0e38cede67268ceb8bf1383b5f8848e" ++ ++BUILD_DEB_DEPENDS = "cmake, zlib1g-dev" ++ ++SRC_URI += "file://debian" ++TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl" ++TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS" ++ ++ ++inherit dpkg ++ ++S = "${WORKDIR}/git" ++ ++do_prepare_build() { ++ DEBDIR=${S}/debian ++ install -d ${DEBDIR} ++ cp -R ${WORKDIR}/debian ${S} ++ deb_add_changelog ++} +diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles +deleted file mode 100644 +index d49a8fb..0000000 +--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles ++++ /dev/null +@@ -1 +0,0 @@ +-/etc/fw_env.config +diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install +index d1ae3e0..2893b9a 100644 +--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install ++++ b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install +@@ -1,5 +1,3 @@ + tools/dumpimage /usr/bin/ +-tools/env/fw_printenv /usr/bin/ + tools/mkenvimage /usr/bin/ + tools/mkimage /usr/bin/ +-tools/env/fw_env.config /etc +diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links +deleted file mode 100644 +index 92f5a6c..0000000 +--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links ++++ /dev/null +@@ -1 +0,0 @@ +-/usr/bin/fw_printenv /usr/bin/fw_setenv +-- +2.20.1 + diff --git a/kas-cip.yml b/kas-cip.yml index 019b31e..0da07db 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -22,6 +22,10 @@ repos: refspec: 351af175bc54a201c6f44307d4e998bd6c0afdb8 layers: meta: + patches: + 01-libubootenv: + path: isar-patches/0001-u-boot-add-libubootenv.patch + repo: cip-core bblayers_conf_header: standard: | -- 2.20.1
|
|
|
|
[isar-cip-core PATCH v3 0/5] A/B Rootfs update with software update
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This patchset adds efibootguard, swupdate to allow A/B updates in cip-core. The update mechanism is currently only implemented for x86_64. Changes V2: - update efibootguard to v0.7 - add swdescription and kas option to build qemu-amd64 test image - swupdate set to upstream mirror and no longer use gitsm Changes V3: - change image type for ebg-swu to generate a swu image during build - remove qemu-swupdate as it is no longer needed - add swdescription file for updating without secureboot Quirin Gylstorff (5): recipes-bsp: Add efibootguard patches: add libubootenv recipes-core: add swupdate wic: Add wks files for A/B Partition update swupdate: create swu file from wic image classes/extract-partition.bbclass | 26 + classes/kconfig-snippets.bbclass | 90 ++++ classes/swupdate-config.bbclass | 76 +++ classes/swupdate-img.bbclass | 75 +++ classes/wic-swu-img.bbclass | 20 + .../0001-u-boot-add-libubootenv.patch | 169 +++++++ kas-cip.yml | 4 + kas/opt/ebg-swu.yml | 26 + .../efibootguard/efibootguard_0.7-git+isar.bb | 46 ++ recipes-bsp/efibootguard/files/debian/compat | 1 + .../efibootguard/files/debian/control.tmpl | 20 + .../files/debian/efibootguard-dev.install | 3 + .../files/debian/efibootguard.install | 2 + recipes-bsp/efibootguard/files/debian/rules | 21 + recipes-core/images/cip-core-image.bb | 10 + recipes-core/images/files/sw-description.tmpl | 37 ++ .../swupdate/files/debian/changelog.tmpl | 6 + recipes-core/swupdate/files/debian/compat | 1 + .../swupdate/files/debian/control.tmpl | 15 + recipes-core/swupdate/files/debian/copyright | 36 ++ recipes-core/swupdate/files/debian/rules.tmpl | 30 ++ .../swupdate/files/debian/swupdate.examples | 2 + .../swupdate/files/debian/swupdate.install | 2 + .../swupdate/files/debian/swupdate.manpages | 5 + .../swupdate/files/debian/swupdate.tmpfile | 2 + recipes-core/swupdate/files/debian/watch | 12 + recipes-core/swupdate/files/postinst | 2 + recipes-core/swupdate/files/swupdate.cfg | 6 + .../swupdate/files/swupdate.service.example | 11 + .../swupdate/files/swupdate.socket.example | 11 + .../swupdate/files/swupdate.socket.tmpl | 13 + .../swupdate/files/swupdate_defconfig | 83 ++++ .../swupdate_defconfig_efibootguard.snippet | 3 + .../files/swupdate_defconfig_lua.snippet | 2 + .../swupdate_defconfig_luahandler.snippet | 4 + .../files/swupdate_defconfig_mtd.snippet | 1 + .../files/swupdate_defconfig_u-boot.snippet | 3 + .../files/swupdate_defconfig_ubi.snippet | 6 + .../swupdate/files/swupdate_handlers.lua | 453 ++++++++++++++++++ recipes-core/swupdate/swupdate.bb | 54 +++ .../wic/plugins/source/efibootguard-boot.py | 162 +++++++ .../wic/plugins/source/efibootguard-efi.py | 102 ++++ wic/ebg-sysparts.inc | 8 + wic/qemu-amd64-efibootguard.wks | 5 + wic/simatic-ipc227e-efibootguard.wks | 5 + wic/swupdate-partition.inc | 4 + 46 files changed, 1675 insertions(+) create mode 100644 classes/extract-partition.bbclass create mode 100644 classes/kconfig-snippets.bbclass create mode 100644 classes/swupdate-config.bbclass create mode 100644 classes/swupdate-img.bbclass create mode 100644 classes/wic-swu-img.bbclass create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch create mode 100644 kas/opt/ebg-swu.yml create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb create mode 100644 recipes-bsp/efibootguard/files/debian/compat create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install create mode 100755 recipes-bsp/efibootguard/files/debian/rules create mode 100644 recipes-core/images/files/sw-description.tmpl create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl create mode 100644 recipes-core/swupdate/files/debian/compat create mode 100644 recipes-core/swupdate/files/debian/control.tmpl create mode 100644 recipes-core/swupdate/files/debian/copyright create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples create mode 100644 recipes-core/swupdate/files/debian/swupdate.install create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile create mode 100644 recipes-core/swupdate/files/debian/watch create mode 100644 recipes-core/swupdate/files/postinst create mode 100644 recipes-core/swupdate/files/swupdate.cfg create mode 100644 recipes-core/swupdate/files/swupdate.service.example create mode 100644 recipes-core/swupdate/files/swupdate.socket.example create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl create mode 100644 recipes-core/swupdate/files/swupdate_defconfig create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua create mode 100644 recipes-core/swupdate/swupdate.bb create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py create mode 100644 wic/ebg-sysparts.inc create mode 100644 wic/qemu-amd64-efibootguard.wks create mode 100644 wic/simatic-ipc227e-efibootguard.wks create mode 100644 wic/swupdate-partition.inc -- 2.20.1
|
|
|
|
Re: Resource describing the Deby workflow?
Mohammed Billoo <mab@...>
Is tlsdate a better alternative?
-- Mohammed Billoo MAB Labs, LLC www.mab-labs.com
|
|
|
|
Re: Resource describing the Deby workflow?
Pavel Machek
Hi!
I'm almost done getting SSL working between the BBB and hawkbit. The lastNotice that in this case SSL is not adding as much security as you think it does. SSL attempts to protect against active attackers, and those can manipulate NTP easily. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
|