[isar-cip-core][PATCH 1/2] swupdate: Secure-boot fix paths
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- recipes-core/images/secureboot.inc | 2 ++ recipes-core/images/swupdate.inc | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc index 3e284e0..f048497 100644 --- a/recipes-core/images/secureboot.inc +++ b/recipes-core/images/secureboot.inc @@ -9,6 +9,8 @@ # SPDX-License-Identifier: MIT # +FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:" + EXTRACT_PARTITIONS = "img4" ROOTFS_PARTITION_NAME="img4.gz" diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index a88ed14..6708a7e 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -9,8 +9,6 @@ # SPDX-License-Identifier: MIT # -FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:" - EXTRACT_PARTITIONS = "img4" ROOTFS_PARTITION_NAME="img4.gz" -- 2.20.1
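Review bot: the commit message carries nothing but the Signed-off-by, so the reason for moving `FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:"` from swupdate.inc to secureboot.inc (the cover letter says the wrong swu-description.tmpl was being picked up) is lost once the series is applied; please state it in the message itself. It is also worth saying that any recipe which relied on swupdate.inc alone to find files under files/secure-boot will now fall back to the default file search path, since only secureboot.inc prepends it after this change.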
[isar-cip-core][PATCH 2/2] secure-boot: Move image-uuid to own file
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
/etc/os-release is controlled by the Debian Package base-files and will be silently overwritten if the package updates the file. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- classes/image_uuid.bbclass | 4 +--- .../initramfs-config/files/initramfs.image_uuid.hook | 6 +++--- .../initramfs-config/files/secure-boot-debian-local-patch | 4 ++-- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass index 2813ed9..a0ab202 100644 --- a/classes/image_uuid.bbclass +++ b/classes/image_uuid.bbclass @@ -22,9 +22,7 @@ IMAGE_UUID ?= "${@generate_image_uuid(d)}" do_generate_image_uuid[vardeps] += "IMAGE_UUID" do_generate_image_uuid[depends] = "buildchroot-target:do_build" do_generate_image_uuid() { - sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' - echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ - sudo tee -a '${IMAGE_ROOTFS}/etc/os-release' + sudo sh -c 'echo "IMAGE_UUID=\"${IMAGE_UUID}\"" > "${IMAGE_ROOTFS}/etc/secureboot-image-uuid"' image_do_mounts # update initramfs to add uuid diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook index 910ce84..bf39abb 100644 --- a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook +++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook @@ -22,12 +22,12 @@ esac . /usr/share/initramfs-tools/scripts/functions . /usr/share/initramfs-tools/hook-functions -if [ ! -e /etc/os-release ]; then - echo "Warning: couldn't find /etc/os-release!" +if [ ! -e /etc/secureboot-image-uuid ]; then + echo "Warning: couldn't find /etc/secureboot-image-uuid!" exit 0 fi -IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release) +IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/secureboot-image-uuid) echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid" exit 0 \ No newline at end of file 
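Review bot: in initramfs.image_uuid.hook the missing-file branch still prints `Warning: couldn't find /etc/secureboot-image-uuid!` and then `exit 0`, so an image that lacks the file gets an initramfs without conf/image_uuid and the root binding check can never succeed; now that this file is written only by do_generate_image_uuid, its absence is a build error and the hook should `exit 1` rather than warn. The hook also ends without a trailing newline, as the `\ No newline at end of file` marker shows. In image_uuid.bbclass the new `sudo sh -c '...'` line works only because BitBake expands `${IMAGE_UUID}` and `${IMAGE_ROOTFS}` before the single-quoted string reaches the shell; a short comment saying so would save the next reader from "fixing" the quoting.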
diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch index cd2d271..82d325a 100644 --- a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch +++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch @@ -58,8 +58,8 @@ + # Mount root + # shellcheck disable=SC2086 + if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then -+ if [ -e "${rootmnt?}"/etc/os-release ]; then -+ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' ) ++ if [ -e "${rootmnt?}"/etc/secureboot-image-uuid ]; then ++ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/secureboot-image-uuid | tr -d '"' ) + if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then + return 0 + fi -- 2.20.1
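Review bot: the two readers of the same file disagree: the hook extracts with `sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p'` while this local-top script uses `sed -n 's/^IMAGE_UUID=//p' ... | tr -d '"'`, so a malformed or tampered line is parsed one way at build time and another at boot time; use one strict pattern in both places. Also `[ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]` succeeds when both sides are empty, so an initramfs built without a UUID would accept a root whose file contains `IMAGE_UUID=""`; reject an empty `INITRAMFS_IMAGE_UUID` before comparing.

A stricter version of the UUID extraction and comparison that the hook and the local-top script above share, as an added example that is not code from isar-cip-core: the file name `/etc/secureboot-image-uuid` and the `IMAGE_UUID="..."` line format come from the patch, while the function names, the 36-character hex-and-dash value check and the sample roots built under a temporary directory are assumptions made for this illustration.

```shell
# Added example (not code from isar-cip-core): strict reader for the
# /etc/secureboot-image-uuid file introduced by the patch above, plus the
# boot-time comparison it feeds.  Function names and sample data are
# assumptions for this illustration.

# read_image_uuid FILE
# Print the UUID stored as IMAGE_UUID="<uuid>" in FILE.  Unlike the
# `.*` / `tr -d '"'` extractions in the hook and local-top script, this
# accepts exactly one well-formed line: key anchored at line start,
# value quoted, 36 hex-or-dash characters, nothing after the closing quote.
# Returns 1 (and prints nothing) for a missing file, missing key, empty
# or malformed value, or more than one IMAGE_UUID line.
read_image_uuid() {
    file=$1
    [ -r "$file" ] || return 1
    uuid=$(sed -n 's/^IMAGE_UUID="\([0-9a-fA-F-]\{36\}\)"$/\1/p' "$file")
    [ -n "$uuid" ] || return 1
    # More than one matching line means the file is ambiguous: refuse it.
    [ "$(printf '%s\n' "$uuid" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$uuid"
}

# check_root_uuid EXPECTED ROOTMNT
# Boot-time side: compare the UUID baked into the initramfs (EXPECTED)
# with the one found in the mounted root at ROOTMNT.  Succeeds only when
# both are present, non-empty and identical, so an initramfs built with an
# empty UUID can never "match" a root that also lacks one.
check_root_uuid() {
    expected=$1
    rootmnt=$2
    [ -n "$expected" ] || return 1
    actual=$(read_image_uuid "$rootmnt/etc/secureboot-image-uuid") || return 1
    [ "$expected" = "$actual" ]
}

# make_sample_root DIR CONTENT
# Constructed sample data: write CONTENT as DIR/etc/secureboot-image-uuid.
make_sample_root() {
    mkdir -p "$1/etc"
    printf '%s\n' "$2" > "$1/etc/secureboot-image-uuid"
}

# Stand-alone demo over constructed roots (the UUID values are made up).
demo() {
    tmp=$(mktemp -d) || return 1
    good_uuid=3f2504e0-4f89-11d3-9a0c-0305e82c3301
    make_sample_root "$tmp/good"  "IMAGE_UUID=\"$good_uuid\""
    make_sample_root "$tmp/other" 'IMAGE_UUID="00000000-0000-0000-0000-000000000000"'
    make_sample_root "$tmp/empty" 'IMAGE_UUID=""'
    make_sample_root "$tmp/junk"  'IMAGE_UUID="x" # trailing text'
    for r in good other empty junk; do
        if check_root_uuid "$good_uuid" "$tmp/$r"; then
            echo "$r: root matches initramfs UUID"
        else
            echo "$r: mismatch or unreadable UUID, would not boot from it"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Only the `good` root passes; `other` carries a different UUID, `empty` has a quoted empty value, and `junk` has trailing text after the closing quote, which the anchored pattern rejects where the `.*` pattern would still return something. Running the same function at initramfs build time (in the hook) and at boot (in local-top) removes the parser mismatch between the two scripts.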
[isar-cip-core][PATCH 0/2] Secureboot fixes
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Use correct swu-description.tmpl and use own file for image-uuid to avoid overwrite by Debian package `base-files`.

Quirin Gylstorff (2):
  swupdate: Secure-boot fix paths
  secure-boot: Move image-uuid to own file

 classes/image_uuid.bbclass                                | 4 +---
 recipes-core/images/secureboot.inc                        | 2 ++
 recipes-core/images/swupdate.inc                          | 2 --
 .../initramfs-config/files/initramfs.image_uuid.hook      | 6 +++---
 .../initramfs-config/files/secure-boot-debian-local-patch | 4 ++--
 5 files changed, 8 insertions(+), 10 deletions(-)

-- 
2.20.1
Re: [isar-cip-core][PATCH] Use u-boot-config instead of tools
Jan Kiszka
On 01.02.21 13:33, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@...>

Applied, thanks.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
[isar-cip-core][PATCH] Use u-boot-config instead of tools
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Swupdate requires libubootenv0.1 and u-boot-config to access the u-boot environment. u-boot-config adds the configuration files. Add the flag `USE_U_BOOT_CONFIG` to deactivate the addition of 'u-boot-${MACHINE}-config.' If the image uses an upstream u-boot binary (e.g. [1]) remove the package by setting `USE_U_BOOT_CONFIG` to `false`. [1]: https://packages.debian.org/buster/u-boot-omap Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- classes/swupdate-config.bbclass | 8 +++++--- recipes-core/swupdate/swupdate.bb | 2 -- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass index dd0317f..9909113 100644 --- a/classes/swupdate-config.bbclass +++ b/classes/swupdate-config.bbclass @@ -45,10 +45,13 @@ KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet" KFEATURE_DEPS[ubi] = "mtd" +USE_U_BOOT_CONFIG ?= "true" KFEATURE_u-boot = "" KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev" -KFEATURE_u-boot[DEBIAN_DEPENDS] = "libubootenv-tool, u-boot-tools" -KFEATURE_u-boot[DEPENDS] = "${U_BOOT}" +KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \ + if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \ + else 'libubootenv0.1'}" +KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv" KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet" SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua" @@ -73,4 +76,3 @@ python do_check_bootloader () { bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader) } addtask check_bootloader before do_fetch - diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb index b4d64fe..526c72f 100644 --- a/recipes-core/swupdate/swupdate.bb +++ b/recipes-core/swupdate/swupdate.bb @@ -24,8 +24,6 @@ SRC_URI += "file://debian \ file://${DEFCONFIG} \ file://${PN}.cfg" -DEPENDS += "libubootenv" - DEBIAN_DEPENDS = "${shlibs:Depends}, ${misc:Depends}" inherit dpkg -- 2.20.1
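Review bot: `d.getVar("USE_U_BOOT_CONFIG", True) == "true"` is an exact string comparison, so a layer that sets the flag to `True`, `1` or `yes` silently takes the `else 'libubootenv0.1'` branch and drops `u-boot-${MACHINE}-config` from DEBIAN_DEPENDS without any warning; either document that only the literal strings `true` and `false` are accepted or normalise the value (for example `(d.getVar("USE_U_BOOT_CONFIG") or "").lower()`) and `bb.warn` on anything else, as do_check_bootloader already does for BOOTLOADER. The new flag is described only in this commit message; a line in the layer documentation next to the other swupdate options would help users of upstream u-boot packages find it. Moving `DEPENDS += "libubootenv"` out of swupdate.bb into `KFEATURE_u-boot[DEPENDS]` is the right scoping: the build dependency now applies only when the u-boot feature is enabled.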
Re: [isar-cip-core][PATCH] linux: Fix warning if USE_CIP_KERNEL_CONFIG is not defined
Quirin Gylstorff
On 1/29/21 3:18 PM, Jan Kiszka wrote:
> On 29.01.21 13:22, Gylstorff Quirin wrote:
> Means you are fine with Florian's patch? If there are no downsides, I

I'm fine with Florian's patch.

Quirin
Re: [isar-cip-core][PATCH] linux: Fix warning if USE_CIP_KERNEL_CONFIG is not defined
Jan Kiszka
On 29.01.21 13:22, Gylstorff Quirin wrote:
Means you are fine with Florian's patch? If there are no downsides, I would prefer that pattern as well.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
Re: [isar-cip-core][PATCH] linux: Fix warning if USE_CIP_KERNEL_CONFIG is not defined
Quirin Gylstorff
On 1/28/21 3:13 PM, Jan Kiszka wrote:
> On 25.01.21 19:23, Gylstorff Quirin wrote:
> I'm not yet sure which string should be empty and would break with the
> +SRC_URI_append = "${@

I will skip the URL. You could have written

SRC_URI_append = "${@conditional("USE_CIP_KERNEL_CONFIG", "1", "git://...", "", d)}"

instead of

SRC_URI_append = "${@ "git://..." if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else ''}"

The result is the same. The second method saves some code in the form of a function.

Quirin
Re: [isar-cip-core][PATCH] linux: Fix warning if USE_CIP_KERNEL_CONFIG is not defined
Jan Kiszka
On 25.01.21 19:23, Gylstorff Quirin wrote:
> +SRC_URI_append = " ${@
> Quirin

I'm not yet sure which string should be empty and would break with the new version. Can you elaborate?

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
Re: Siemens board failed to boot testing 5.10
Chris Paterson
Hello,
> From: Pavel Machek <pavel@...>

It seems a bit random as to which tests fail. We have three boards and most of the time they pass the 5.10 tests, but sometimes they fail.

With all three of our IPC227E boards we randomly have issues getting the serial connection to work, or sometimes another issue prevents booting. Even our healthchecks randomly fail. So obviously there is still some work to do to get testing on these boards to be reliable.

You can see the status of the latest tests on these devices here:
https://lava.ciplatform.org/scheduler/device_type/x86-simatic-ipc227e?dt_length=100

So in short
- There isn't an issue caused by a specific Kernel version
- We need to work out why the IPC227E boards aren't "stable" in our LAVA environment

Kind regards,
Chris
Re: Cip-kernel-sec Updates for Week of 2021-01-28
Chen-Yu Tsai (Moxa) <wens@...>
Hi,
On Thu, Jan 28, 2021 at 4:52 PM Pavel Machek <pavel@...> wrote:
> Many of our configs enable it as a module:

Debian maintainers speculate it might be related to 4c59406ed003 ("xfrm: policy: Fix doulbe free in xfrm_policy_timer"). Of course we won't really know until Google discloses the facts.

ChenYu
Re: Cip-kernel-sec Updates for Week of 2021-01-28
Chen-Yu Tsai (Moxa) <wens@...>
On Thu, Jan 28, 2021 at 10:47 AM Chen-Yu Tsai <wens@...> wrote:
> Regards

Looks like there's an update:
https://lore.kernel.org/stable/20210125142126.70d6a33c@gandalf.local.home/

I will update the tracker.

ChenYu
Cip-kernel-sec Updates for Week of 2021-01-28
Chen-Yu Tsai <wens213@...>
Hi everyone,
One new issue this week:

- CVE-2020-35513 [nfsd: incorrect umask] - fixed in all branches

In addition, the fix for CVE-2021-3178 was backported to all stable kernels. The security concerns for this issue are being disputed though.

Also, information for CVE-2020-27066 still hasn't been disclosed, and the affected commit is still unclear.

Last, for CVE-2020-27825 the Fixes tag was incorrect; it is actually a Depends-On [1]. The issue is known to affect at least 4.14, 4.19 and 5.4. A sample backport for 4.4+ [2] was posted, but a proper backport is still pending [3].

Regards
ChenYu

[1] https://lore.kernel.org/linux-arm-msm/20200915141304.41fa7c30@gandalf.local.home/
[2] https://lore.kernel.org/stable/021b1b38-47ce-bc8b-3867-99160cc85523@linux.com/
[3] https://lore.kernel.org/stable/YA1GU+xjL+zUDIjN@kroah.com/

* All from the same mail thread
CIP IRC weekly meeting today
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi all,
Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*

https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=1&day=28&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK    DE    TW    JP
01:00  04:00  9:00  10:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2021/01/cip.2021-01-21-09.00.log.html

* Action item
  1. Combine root filesystem with kselftest binary - iwamatsu
  2. Do some experiment to lower burdens on CI - patersonc
  3. Check hitachi_omap defconfigs wrt CVE-2020-27820 [drm/nouveau UAF] - Hitachi-team
* Kernel maintenance updates
* Kernel testing
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
-- 
M. Kudo
Cybertrust Japan Co., Ltd.
Re: Siemens board failed to boot testing 5.10
Pavel Machek
Hi!
I don't believe it is dead hw.

> Do you mean the board does not come up with any job, or just with 5.10?
>> Something went wrong on siemens board... I'll try to resubmit the job.
>> It still fails. https://lava.ciplatform.org/scheduler/job/148674. I'll
> And where is this one located? We have IPC227E at Mentor and at Denx now.

I'm sorry, I don't know much about test infrastructure.

5.10.11-rc2 tests passed okay, but I'm not sure if it has any implications.
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-5.10.y

Best regards,
Pavel

-- 
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Re: Siemens board failed to boot testing 5.10
Jan Kiszka
On 25.01.21 21:44, Pavel Machek wrote:
> On Mon 2021-01-25 21:17:34, Pavel Machek wrote:
>> Do you mean the board does not come up with any job, or just with 5.10?
> Hi!
> It still fails. https://lava.ciplatform.org/scheduler/job/148674. I'll

Doesn't it react at all (dead hw)? And where is this one located? We have IPC227E at Mentor and at Denx now.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
Re: Siemens board failed to boot testing 5.10
Pavel Machek
On Mon 2021-01-25 21:17:34, Pavel Machek wrote:
Hi!

It still fails. https://lava.ciplatform.org/scheduler/job/148674. I'll retry one more time, but this looks like a permanent problem.

Best regards,
Pavel

-- 
http://www.livejournal.com/~pavelmachek
Siemens board failed to boot testing 5.10
Pavel Machek
Hi!
Something went wrong on siemens board... I'll try to resubmit the job.

https://lava.ciplatform.org/scheduler/job/148648#L266

Best regards,
Pavel

InfrastructureError: The Infrastructure is not working correctly. Please report this error to LAVA admins.
case: job
case_id: 3494716
definition: lava
error_msg: bootloader-commands timed out after 96 seconds
error_type: Infrastructure

-- 
http://www.livejournal.com/~pavelmachek
Re: [isar-cip-core][PATCH] linux: Fix warning if USE_CIP_KERNEL_CONFIG is not defined
Quirin Gylstorff
On 1/25/21 6:28 PM, Bezdeka, Florian (T RDA IOT SES-DE) wrote:
> USE_CIP_KERNEL_CONFIG may not be defined in all layers using the

The easier way would have been to delete file://${KERNEL_DEFCONFIG} instead of creating the logic anew. The conditional function should allow an empty string.

> +SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;destsuffix=cip-kernel-config;name=cip-kernel-config" \

Quirin
[isar-cip-core][PATCH] linux: Fix warning if USE_CIP_KERNEL_CONFIG is not defined
Florian Bezdeka
USE_CIP_KERNEL_CONFIG may not be defined in all layers using the
isar-cip-core layer, so we end up with the following warnings: WARNING: /work/cip-core/recipes-kernel/linux/linux-cip_4.19.140-cip33.bb: Unable to get checksum for linux-cip SRC_URI entry ${MACHINE}_defconfig: file could not be found WARNING: /work/cip-core/recipes-kernel/linux/linux-cip-rt_4.4.231-cip47-rt30.bb: Unable to get checksum for linux-cip-rt SRC_URI entry ${MACHINE}_defconfig: file could not be found WARNING: /work/cip-core/recipes-kernel/linux/linux-cip_4.4.230-cip47.bb: Unable to get checksum for linux-cip SRC_URI entry ${MACHINE}_defconfig: file could not be found WARNING: /work/cip-core/recipes-kernel/linux/linux-cip-rt_4.19.135-cip31-rt13.bb: Unable to get checksum for linux-cip-rt SRC_URI entry ${MACHINE}_defconfig: file could not be found ${MACHINE}_defconfig needs to be added to SRC_URI only if USE_CIP_KERNEL_CONFIG is set to "1". There is one in-tree machine definition (the bbb) that does not set USE_CIP_KERNEL_CONFIG to "1" but still needs the defconfig added. A machine specific SRC_URI was set to take care of that. Closes #7. Signed-off-by: Florian Bezdeka <florian.bezdeka@...> --- Some additional notes: - That's my first contribution, so review carefully ;-) - Both branches (master, next) are affected - The gitlab MR: [1] - The gitlab issue: [2] [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/10 [2] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/7 recipes-kernel/linux/linux-cip-common.inc | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 6db1d1d..9aca9af 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc 
@@ -11,21 +11,18 @@ KERNEL_DEFCONFIG ?= "${MACHINE}_defconfig" -def conditional(variable, checkvalue, truevalue, falsevalue, d): - if d.getVar(variable) == checkvalue: - return truevalue - else: - return falsevalue - require recipes-kernel/linux/linux-custom.inc SRC_URI += " \ https://gitlab.com/cip-project/cip-kernel/linux-cip/-/archive/v${PV}/linux-cip-v${PV}.tar.gz \ " -SRC_URI_append = " ${@conditional("USE_CIP_KERNEL_CONFIG", "1", \ - "git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;destsuffix=cip-kernel-config;name=cip-kernel-config", \ - "file://${KERNEL_DEFCONFIG}",d)}" +SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;destsuffix=cip-kernel-config;name=cip-kernel-config" \ + if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \ + }" + +SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}" + SRCREV_cip-kernel-config ?= "7f2930b9667372f94f2edb42ca9cf6fc6c0aed50" S = "${WORKDIR}/linux-cip-v${PV}" -- 2.29.2
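Review bot: `SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"` has no leading space. `_append` concatenates without a separator, so on a bbb build that also sets USE_CIP_KERNEL_CONFIG to "1" the new entry would be glued onto the preceding `...;name=cip-kernel-config` item and neither fetch would be parsed correctly; write it as `SRC_URI_append_bbb = " file://${KERNEL_DEFCONFIG}"`, matching the other appends in this file. The inline expression itself is fine: `d.getVar('USE_CIP_KERNEL_CONFIG')` returns None when the variable is unset, which is exactly the case the quoted warnings came from, and the else branch now yields an empty string instead of a `${MACHINE}_defconfig` entry that cannot be found.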