
Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Jan Kiszka
 

On 03.05.21 13:28, Gylstorff Quirin wrote:


On 4/30/21 4:50 PM, Jan Kiszka wrote:
On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes in V2:
  - fix typo in commit message
  - use variable in kas/opt/*.yml

  classes/swupdate-config.bbclass      | 10 +++++-----
  kas/opt/ebg-secure-boot-snakeoil.yml |  2 +-
  kas/opt/ebg-swu.yml                  |  4 ++--
  kas/opt/qemu-swupdate.yml            |  2 +-
  4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass
b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] =
"libubootenv-dev"
  KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1,
u-boot-${MACHINE}-config' \
                                            if
d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
                                            else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?

Jan
SWUPDATE_U_BOOT should be the name of the u-boot package.

In case the layer (e.g. isar-cip-core) supplies the u-boot binary,
`SWUPDATE_U_BOOT` should be defined as `u-boot-${MACHINE}`.


Debian provides some as packages, e.g. [1].


I could add `u-boot-${MACHINE}` as default and a README section.


[1]: https://packages.debian.org/buster/u-boot-imx
But does SWUpdate really depend on the U-Boot binary that is going to
be put on the device - or rather on u-boot-config? This looks fishy.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Quirin Gylstorff
 

On 4/30/21 4:50 PM, Jan Kiszka wrote:
On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

classes/swupdate-config.bbclass | 10 +++++-----
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?
Jan
SWUPDATE_U_BOOT should be the name of the u-boot package.

In case the layer (e.g. isar-cip-core) supplies the u-boot binary, `SWUPDATE_U_BOOT` should be defined as `u-boot-${MACHINE}`.


Debian provides some as packages, e.g. [1].


I could add `u-boot-${MACHINE}` as default and a README section.


[1]: https://packages.debian.org/buster/u-boot-imx

Quirin

KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"
SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
@@ -68,11 +68,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"
-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 8a72084..c0ed1a2 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -20,7 +20,7 @@ local_conf_header:
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index aa3aed1..63dda09 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -15,7 +15,7 @@ header:
local_conf_header:
swupdate: |
IMAGE_INSTALL_append = " swupdate efibootguard"
- BOOTLOADER = "efibootguard"
+ SWUPDATE_BOOTLOADER = "efibootguard"
efibootguard: |
WDOG_TIMEOUT = "0"
@@ -23,4 +23,4 @@ local_conf_header:
wic: |
IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
index 3f5fedf..daebd2c 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/qemu-swupdate.yml
@@ -16,4 +16,4 @@ header:
local_conf_header:
qemu-wic: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
+ WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Jan Kiszka
 

On 30.04.21 15:15, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```

### Start the image

Thanks, applied.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Jan Kiszka
 

On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

classes/swupdate-config.bbclass | 10 +++++-----
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?

Jan

KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
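Review bot: The rename in `KFEATURE_u-boot[DEPENDS]` and in `get_bootloader_featureset()` drops `U_BOOT` and `BOOTLOADER` without any fallback, so a downstream layer that still sets only the old names ends up with `d.getVar("SWUPDATE_BOOTLOADER", True) or ""` evaluating to the empty string and matching neither branch shown here. Consider reading the old variable when the new one is unset for a transition period, and give `SWUPDATE_U_BOOT` a `?=` default or a documented expected value in the same patch.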
@@ -68,11 +68,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
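Review bot: In `do_check_bootloader`, a configuration that still sets only the old `BOOTLOADER` now gets "SWUPDATE_BOOTLOADER set to incompatible value: None", which does not point at the rename, and `bb.warn` lets the build continue. Suggest checking `d.getVar("BOOTLOADER")` here and naming the new variable in the message. The unchanged test `if not bootloader in [...]` would also read better as `if bootloader not in [...]`.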
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 8a72084..c0ed1a2 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -20,7 +20,7 @@ local_conf_header:
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
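Review bot: `WKS_FILE` in this hunk replaces `${BOOTLOADER}` with the literal `efibootguard`, while kas/opt/ebg-swu.yml and kas/opt/qemu-swupdate.yml switch to `${SWUPDATE_BOOTLOADER}` and the V2 changelog says "use variable in kas/opt/*.yml". If the hardcoding is intended because this option file is efibootguard-only, say so in the commit message; otherwise use `${SWUPDATE_BOOTLOADER}` here as well.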
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index aa3aed1..63dda09 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -15,7 +15,7 @@ header:
local_conf_header:
swupdate: |
IMAGE_INSTALL_append = " swupdate efibootguard"
- BOOTLOADER = "efibootguard"
+ SWUPDATE_BOOTLOADER = "efibootguard"

efibootguard: |
WDOG_TIMEOUT = "0"
@@ -23,4 +23,4 @@ local_conf_header:

wic: |
IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
index 3f5fedf..daebd2c 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/qemu-swupdate.yml
@@ -16,4 +16,4 @@ header:
local_conf_header:
qemu-wic: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
+ WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
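Review bot: `WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"` depends on a variable that nothing in the visible part of this file sets, so the option only works when combined with a file such as kas/opt/ebg-swu.yml that defines `SWUPDATE_BOOTLOADER`. A short comment stating that dependency, or a `?=` default, would keep a stand-alone use from resolving to a .wks name that does not exist.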
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC] Add option to use swupdate-handler-roundrobin

Jan Kiszka
 

On 30.04.21 15:33, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The new swupdate round robin handler is available under [1].
Add the Option `SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO` to
use the handler directly from the repository.

The handler currently doesn't support secureboot.
...but the in-tree handler does. How much effort is needed to port that
feature into the new handler?

Jan


[1]:https://gitlab.com/cip-playground/swupdate-handler-roundrobin/

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/swupdate-config.bbclass | 12 ++++++---
kas/opt/ebg-secure-boot-base.yml | 3 +++
.../files/secure-boot/sw-description.tmpl | 2 +-
recipes-core/images/files/sw-description.tmpl | 21 ++++++++++-----
.../files/swupdate.handler.efibootguard.ini | 26 +++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 9 ++++++-
6 files changed, 62 insertions(+), 11 deletions(-)
create mode 100644 recipes-core/swupdate/files/swupdate.handler.efibootguard.ini

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 8ec1104..e425aa2 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -21,9 +21,17 @@ KFEATURE_lua = ""
KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"

+SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO ?= "1"
+
+SRC_URI_append = " ${@ 'git://gitlab.com/cip-playground/swupdate-handler-roundrobin.git;protocol=https;destsuffix=swupdate-handler-roundrobin;name=swupdate-handler-roundrobin' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '1' else '' \
+ }"
+SRCREV_swupdate-handler-roundrobin ?= "6ac9e49eaa4e866a3eda12eee3a223820ba8e0bf"
+SWUPDATE_LUASCRIPT ?= "swupdate-handler-roundrobin/swupdate_handlers_roundrobin.lua"
KFEATURE_luahandler = ""
KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
-KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+KFEATURE_luahandler[SRC_URI] = "${@ 'file://${SWUPDATE_LUASCRIPT}' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '0' else '' }"

KFEATURE_DEPS = ""
KFEATURE_DEPS[luahandler] = "lua"
@@ -58,8 +66,6 @@ KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config
KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

-SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
-
def get_bootloader_featureset(d):
bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 30ca35a..484d0e5 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -16,3 +16,6 @@ local_conf_header:
initramfs: |
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
+ swupdate-secureboot: |
+ SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO = "0"
+ SWUPDATE_LUASCRIPT = "swupdate_handler.efibootguard.secureboot.lua"
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
index bce97d0..897d819 100644
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -16,7 +16,7 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
});
files: ({
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index bb34088..3309271 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,21 +16,30 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
+ properties: {
+ subtype = "image";
+ };
});
files: ({
filename = "${KERNEL_IMAGE}";
path = "vmlinuz";
- type = "kernelfile";
- device = "sda2,sda3";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "kernel";
+ };
},
{
filename = "${INITRD_IMAGE}";
- path = "initrd.img";
- type = "kernelfile";
- device = "sda2,sda3";
+ path = "${INITRD_IMAGE}";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "initrd";
+ };
});
}
diff --git a/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
new file mode 100644
index 0000000..3aee76c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
@@ -0,0 +1,26 @@
+[image]
+chainhandler=raw
+
+[image.selector]
+method=cmdline_rr
+key=root
+
+[image.bootenv]
+kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
+
+[kernel]
+chainhandler=rawfile
+
+[kernel.selector]
+method=cmdline_rrmap
+key=root
+
+[kernel.bootenv]
+kernelfile=C:BOOT${rrindex}:vmlinuz
+
+[initrd]
+chainhandler=rawfile
+
+[initrd.selector]
+method=cmdline_rrmap
+key=root
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
index 526c72f..c03c70b 100644
--- a/recipes-core/swupdate/swupdate.bb
+++ b/recipes-core/swupdate/swupdate.bb
@@ -29,6 +29,7 @@ DEBIAN_DEPENDS = "${shlibs:Depends}, ${misc:Depends}"
inherit dpkg
inherit swupdate-config

+SRC_URI += "file://swupdate.handler.${BOOTLOADER}.ini"
KFEATURES += "luahandler"

S = "${WORKDIR}/git"
@@ -46,5 +47,11 @@ do_prepare_build() {
echo "configs/${DEFCONFIG}" >> ${S}/.gitignore
fi
# luahandler
- install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}
+ if [ -e ${WORKDIR}/${SWUPDATE_LUASCRIPT} ]; then
+ install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}/swupdate_handlers.lua
+ fi
+ if [ -e "${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini" ]; then
+ install -m 0644 ${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini ${S}/swupdate.handler.ini
+ echo "swupdate.handler.ini etc/" >> ${S}/debian/swupdate.install
+ fi
}
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Dinesh Kumar
 

On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
Do you want to mention that qemu-system-x86_64 --version should be 5.2.0 or higher, as default Debian buster has an older version of QEMU and this step fails with older versions?
Also, these steps can't be executed remotely as it launches a UI window for QEMU, so it should be done locally.
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```

### Start the image
Where are you taking care of my point below? I don't see it yet.
Keys and certs generated by scripts/generate_secure_boot_keys.sh are not available to the build command, so I have to move them into the recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work.

--
2.20.1


[isar-cip-core][RFC] Add option to use swupdate-handler-roundrobin

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The new swupdate round robin handler is available under [1].
Add the Option `SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO` to
use the handler directly from the repository.

The handler currently doesn't support secureboot.

[1]:https://gitlab.com/cip-playground/swupdate-handler-roundrobin/

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/swupdate-config.bbclass | 12 ++++++---
kas/opt/ebg-secure-boot-base.yml | 3 +++
.../files/secure-boot/sw-description.tmpl | 2 +-
recipes-core/images/files/sw-description.tmpl | 21 ++++++++++-----
.../files/swupdate.handler.efibootguard.ini | 26 +++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 9 ++++++-
6 files changed, 62 insertions(+), 11 deletions(-)
create mode 100644 recipes-core/swupdate/files/swupdate.handler.efibootguard.ini

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 8ec1104..e425aa2 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -21,9 +21,17 @@ KFEATURE_lua = ""
KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"

+SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO ?= "1"
+
+SRC_URI_append = " ${@ 'git://gitlab.com/cip-playground/swupdate-handler-roundrobin.git;protocol=https;destsuffix=swupdate-handler-roundrobin;name=swupdate-handler-roundrobin' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '1' else '' \
+ }"
+SRCREV_swupdate-handler-roundrobin ?= "6ac9e49eaa4e866a3eda12eee3a223820ba8e0bf"
+SWUPDATE_LUASCRIPT ?= "swupdate-handler-roundrobin/swupdate_handlers_roundrobin.lua"
KFEATURE_luahandler = ""
KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
-KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+KFEATURE_luahandler[SRC_URI] = "${@ 'file://${SWUPDATE_LUASCRIPT}' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '0' else '' }"

KFEATURE_DEPS = ""
KFEATURE_DEPS[luahandler] = "lua"
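Review bot: The two inline conditions on `SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO` test `== '1'` for the git `SRC_URI_append` and `== '0'` for `KFEATURE_luahandler[SRC_URI]`, so any other value selects neither handler source; derive the second from the negation of the first, or reject unknown values. The new `SWUPDATE_LUASCRIPT ?=` default points into the git checkout, so setting the option to "0" without also overriding `SWUPDATE_LUASCRIPT` yields a `file://` URI for a path that was never fetched. The `?= "1"` default also makes existing builds fetch from gitlab.com although the commit message says this handler does not support secureboot; an opt-in default of "0" would be the more conservative choice for an RFC.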
@@ -58,8 +66,6 @@ KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config
KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

-SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
-
def get_bootloader_featureset(d):
bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 30ca35a..484d0e5 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -16,3 +16,6 @@ local_conf_header:
initramfs: |
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
+ swupdate-secureboot: |
+ SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO = "0"
+ SWUPDATE_LUASCRIPT = "swupdate_handler.efibootguard.secureboot.lua"
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
index bce97d0..897d819 100644
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -16,7 +16,7 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
});
files: ({
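Review bot: `compressed = "true"` becomes `compressed = "zlib"` in the secure-boot template, which keeps using the local handler (`SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO = "0"` in kas/opt/ebg-secure-boot-base.yml), and the commit message does not mention the change. Please explain it and state which swupdate version it requires, or split it into its own patch.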
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index bb34088..3309271 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,21 +16,30 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
+ properties: {
+ subtype = "image";
+ };
});
files: ({
filename = "${KERNEL_IMAGE}";
path = "vmlinuz";
- type = "kernelfile";
- device = "sda2,sda3";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "kernel";
+ };
},
{
filename = "${INITRD_IMAGE}";
- path = "initrd.img";
- type = "kernelfile";
- device = "sda2,sda3";
+ path = "${INITRD_IMAGE}";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "initrd";
+ };
});
}
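Review bot: This template is changed for every build, but the handler that is meant to consume `type = "roundrobin"` on files, the `uuid->sdaN` device mapping and `properties.subtype` is only fetched when `SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO` is "1". With the option set to "0", whatever handler `SWUPDATE_LUASCRIPT` names receives entries that previously used `type = "kernelfile"`. Either select the template by the same option or state that the local handler accepts the new entries. The initrd `path` change from `initrd.img` to `${INITRD_IMAGE}` also deserves a line in the commit message.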
diff --git a/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
new file mode 100644
index 0000000..3aee76c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
@@ -0,0 +1,26 @@
+[image]
+chainhandler=raw
+
+[image.selector]
+method=cmdline_rr
+key=root
+
+[image.bootenv]
+kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
+
+[kernel]
+chainhandler=rawfile
+
+[kernel.selector]
+method=cmdline_rrmap
+key=root
+
+[kernel.bootenv]
+kernelfile=C:BOOT${rrindex}:vmlinuz
+
+[initrd]
+chainhandler=rawfile
+
+[initrd.selector]
+method=cmdline_rrmap
+key=root
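Review bot: The new .ini file is added without any explanation, so the difference between `method=cmdline_rr` and `method=cmdline_rrmap`, the meaning of `${rrtarget}`, `${rrindex}` and `${cmdline_root}`, and the reason `[initrd]` has no `bootenv` section while `[image]` and `[kernel]` do are left to the reader. A README section or a pointer to the handler's documentation would help. `kernelfile=C:BOOT${rrindex}:vmlinuz` also ties the file to a partition label scheme that this patch does not describe.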
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
index 526c72f..c03c70b 100644
--- a/recipes-core/swupdate/swupdate.bb
+++ b/recipes-core/swupdate/swupdate.bb
@@ -29,6 +29,7 @@ DEBIAN_DEPENDS = "${shlibs:Depends}, ${misc:Depends}"
inherit dpkg
inherit swupdate-config

+SRC_URI += "file://swupdate.handler.${BOOTLOADER}.ini"
KFEATURES += "luahandler"

S = "${WORKDIR}/git"
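Review bot: `SRC_URI += "file://swupdate.handler.${BOOTLOADER}.ini"` uses `${BOOTLOADER}`, but the class in this same patch reads `d.getVar("SWUPDATE_BOOTLOADER", True)`, so the file name is built from a variable the renamed configuration no longer sets. Use `${SWUPDATE_BOOTLOADER}`. The entry is also added unconditionally while only `swupdate.handler.efibootguard.ini` is created, so a u-boot configuration would reference a file this patch does not provide.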
@@ -46,5 +47,11 @@ do_prepare_build() {
echo "configs/${DEFCONFIG}" >> ${S}/.gitignore
fi
# luahandler
- install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}
+ if [ -e ${WORKDIR}/${SWUPDATE_LUASCRIPT} ]; then
+ install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}/swupdate_handlers.lua
+ fi
+ if [ -e "${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini" ]; then
+ install -m 0644 ${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini ${S}/swupdate.handler.ini
+ echo "swupdate.handler.ini etc/" >> ${S}/debian/swupdate.install
+ fi
}
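Review bot: Both `[ -e ... ]` guards in `do_prepare_build` skip silently, so a missing or misnamed Lua handler now passes this step without `swupdate_handlers.lua` being installed, where the removed `install` line would have failed. Fail the task when the selected handler is absent, and quote `${WORKDIR}/${SWUPDATE_LUASCRIPT}` in the first test as the second test already does. `${BOOTLOADER}` in the second guard should follow the rename to `${SWUPDATE_BOOTLOADER}` that the class uses.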
--
2.20.1


[isar-cip-core][PATCH v2] README.secureboot: Corrections

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```

### Start the image
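Review bot: The added paragraph tells users to place their own secure boot key material under `recipes-devtools/ebg-secure-boot-secrets/files` inside the repository, but says nothing about keeping the private key out of version control; add a sentence on that, for example an ignore rule for that folder or keeping the key outside the tree and copying it in for the build. The same sentence reads "need to stored" and is missing "be". The new build command also lists `kas/opt/ebg-swu.yml` although the example option file already includes it.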

--
2.20.1


[isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

classes/swupdate-config.bbclass | 10 +++++-----
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
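Review bot: `KFEATURE_u-boot[DEPENDS]` now expands `${SWUPDATE_U_BOOT}`, but nothing in this hunk assigns a default or documents which package name is expected there. Add a weak default next to `USE_U_BOOT_CONFIG` (the thread proposes `u-boot-${MACHINE}`) or a README entry, so that a u-boot configuration that sets nothing does not end up with an unexpanded reference in its dependency list.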
@@ -68,11 +68,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
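Review bot: In `do_check_bootloader`, a configuration that still sets only the old `BOOTLOADER` now reaches `bb.warn` with the value "None", which gives no hint that the variable was renamed. Consider checking `d.getVar("BOOTLOADER")` in this task and naming `SWUPDATE_BOOTLOADER` as its replacement in the message, so downstream layers notice the rename instead of silently building without a bootloader feature set.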
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 8a72084..c0ed1a2 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -20,7 +20,7 @@ local_conf_header:
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
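Review bot: `WKS_FILE` here replaces `${BOOTLOADER}` with the literal `efibootguard`, whereas the other two kas files in this patch switch to `${SWUPDATE_BOOTLOADER}`. If the hard-coded name is intentional because this option only makes sense with efibootguard, say so in the commit message; otherwise use `${SWUPDATE_BOOTLOADER}` for consistency.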
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index aa3aed1..63dda09 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -15,7 +15,7 @@ header:
local_conf_header:
swupdate: |
IMAGE_INSTALL_append = " swupdate efibootguard"
- BOOTLOADER = "efibootguard"
+ SWUPDATE_BOOTLOADER = "efibootguard"

efibootguard: |
WDOG_TIMEOUT = "0"
@@ -23,4 +23,4 @@ local_conf_header:

wic: |
IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
index 3f5fedf..daebd2c 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/qemu-swupdate.yml
@@ -16,4 +16,4 @@ header:
local_conf_header:
qemu-wic: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
+ WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
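Review bot: `WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"` depends on a variable that the visible part of this file does not set, so the option only resolves to a real .wks name when it is combined with a file such as kas/opt/ebg-swu.yml that assigns it. Unless the header already includes such a file (the hunk does not show it), add a comment stating the dependency or assign a weak default here.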
--
2.20.1


Re: [isar-cip-core][PATCH] swupdate-config: add prefix to variables

Jan Kiszka
 

On 30.04.21 14:20, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The variables U_BOOT and BOOTLOADER are only used for swupdate
mark add the prefix SWUPDATE to indicate the intended usage.
Does not fully parse to me. Do you mean

"The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage."

?


Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/swupdate-config.bbclass | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..8ec1104 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -45,19 +45,23 @@ KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"

KFEATURE_DEPS[ubi] = "mtd"

+
+SWUPDATE_BOOTLOADER ?= "${BOOTLOADER}"
This doesn't make sense. There is no generic variable "BOOTLOADER" in Isar.

+SWUPDATE_U_BOOT ?= "${U_BOOT}"
That one as well. What is "U_BOOT"?

USE_U_BOOT_CONFIG ?= "true"
+
KFEATURE_u-boot = ""
KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
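Review bot: The two added empty lines, one before `SWUPDATE_BOOTLOADER ?=` and one after `USE_U_BOOT_CONFIG ?= "true"`, are whitespace-only changes unrelated to the rename, and the first one follows an already empty context line, producing a double blank line. Drop them, or keep a single separator if the grouping is wanted.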
@@ -68,11 +72,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
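Review bot: Since every other line of `do_check_bootloader` is touched, the unchanged test `if not bootloader in ["efibootguard", "u-boot"]:` could be switched to the idiomatic `if bootloader not in [...]` in the same patch. It would also help to keep the list of accepted values in one place, as `get_bootloader_featureset` compares against the same two strings.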
Please also clean up kas/opt/ebg-swu.yml, switching to the SWUPDATE
prefixed var name.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH] README.secureboot: Corrections

Jan Kiszka
 

On 30.04.21 14:19, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
doc/README.secureboot.md | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..12787cf 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
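Review bot: The context line for step 4 reads "execute the the following steps"; as this patch is titled "Corrections" and already edits the lines directly below, remove the duplicated "the" in the same change.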
@@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

+
+
These two look spurious.

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```
+
Unneeded new-line?


### Start the image
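Review bot: The `includes` entries in the template change from `opt/ebg-secure-boot-initramfs.yml` to `kas/opt/ebg-secure-boot-base.yml`, which is both a different path prefix and a different file, but the commit message only says "Correct the template for user-generated keys". Mention the file rename in the message, and state in the README where in the repository the new option file has to live for the `kas/opt/...` include paths to resolve.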

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


[isar-cip-core][PATCH] README.secureboot: Corrections

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
doc/README.secureboot.md | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..12787cf 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
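Review bot: The opening fence is added directly under list item 4 and the closing fence directly above "5. quit QEMU". If the fence is not indented to the list item's content, Markdown renderers end the list at the fence and restart numbering afterwards, so check the rendered output and indent the block under item 4 if step 5 no longer shows as "5.".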
@@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

+
+
Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```
+

### Start the image
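Review bot: The added sentence "need to stored in the folder" is missing a word; it should read "need to be stored". In addition, the new build command lists `kas/opt/ebg-swu.yml` explicitly although the template option file above already pulls it in via `includes`, so one of the two is redundant; dropping it from the command line keeps the example shorter and avoids suggesting that both are required.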

--
2.20.1


[isar-cip-core][PATCH] swupdate-config: add prefix to variables

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The variables U_BOOT and BOOTLOADER are only used for swupdate
mark add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/swupdate-config.bbclass | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..8ec1104 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -45,19 +45,23 @@ KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"

KFEATURE_DEPS[ubi] = "mtd"

+
+SWUPDATE_BOOTLOADER ?= "${BOOTLOADER}"
+SWUPDATE_U_BOOT ?= "${U_BOOT}"
USE_U_BOOT_CONFIG ?= "true"
+
KFEATURE_u-boot = ""
KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
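Review bot: The new defaults `SWUPDATE_BOOTLOADER ?= "${BOOTLOADER}"` and `SWUPDATE_U_BOOT ?= "${U_BOOT}"` chain to variables that this class never defines. When a configuration sets neither name, BitBake leaves the reference unexpanded, so `KFEATURE_u-boot[DEPENDS]` would carry the literal text `${U_BOOT}`. Either drop the fallbacks and require the prefixed names, or give both variables real default values.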
@@ -68,11 +72,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
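Review bot: With the `?= "${BOOTLOADER}"` default from the first hunk, `d.getVar("SWUPDATE_BOOTLOADER", True)` in `do_check_bootloader` is never empty, so the `or "None"` fallback no longer applies and the warning would print the unexpanded reference instead of "None". If the fallback default stays, adjust the check so that an unset bootloader is still reported in a readable way.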
--
2.20.1


Re: [PATCH 2/2] [isar-cip-core] Add support qemu-arm

Jan Kiszka
 

On 08.04.21 04:32, Nobuhiro Iwamatsu wrote:
This adds configuration files to support QEMU/arm.
This is intended to be used for a test image of LAVA of CIP.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
---
.gitlab-ci.yml | 19 +++++++++++++++++++
conf/machine/qemu-arm.conf | 14 ++++++++++++++
kas/board/qemu-arm.yml | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 conf/machine/qemu-arm.conf
create mode 100644 kas/board/qemu-arm.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 01d9609..b53d9cc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -84,6 +84,16 @@ build:qemu-arm64-base:
wic_targz: disable
targz: enable

+build:qemu-arm-base:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-arm
+ extention: security
+ use_rt: disable
+ wic_targz: disable
+ targz: enable
+
# test
build:simatic-ipc227e-test:
extends:
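Review bot: The commit message says the configuration is intended for a LAVA test image, yet this hunk also adds a `build:qemu-arm-base` job with `extention: security`. Mention the additional security build in the commit message, or split it into its own patch if it is not needed for the LAVA use case.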
@@ -124,3 +134,12 @@ build:qemu-arm64-test:
extention: test
wic_targz: disable
targz: enable
+
+build:qemu-arm-test:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-arm
+ extention: test
+ wic_targz: disable
+ targz: enable
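Review bot: `build:qemu-arm-test` does not set `use_rt`, while `build:qemu-arm-base` in the previous hunk sets `use_rt: disable`. If `.build_base` defaults to an RT kernel, the test job would build a different kernel flavour than the base job; set the variable explicitly here or confirm that the default is the intended one.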
diff --git a/conf/machine/qemu-arm.conf b/conf/machine/qemu-arm.conf
new file mode 100644
index 0000000..81a22c1
--- /dev/null
+++ b/conf/machine/qemu-arm.conf
@@ -0,0 +1,14 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2019
+# Copyright (c) TOSHIBA CORPORATION, 2021
+#
+# SPDX-License-Identifier: MIT
+#
+
+DISTRO_ARCH = "armhf"
+
+IMAGE_TYPE ?= "ext4-img"
+USE_CIP_KERNEL_CONFIG = "1"
+KERNEL_DEFCONFIG ?= "cip-kernel-config/4.19.y-cip/arm/qemu_arm_defconfig"
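Review bot: `KERNEL_DEFCONFIG` points at `cip-kernel-config/4.19.y-cip/arm/qemu_arm_defconfig`, which ties the machine to the 4.19 kernel branch. The `?=` allows an override, but a build that selects another kernel version would still pick up the 4.19 defconfig unless it sets the variable; add a comment to that effect or derive the branch part of the path from the selected kernel version.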
diff --git a/kas/board/qemu-arm.yml b/kas/board/qemu-arm.yml
new file mode 100644
index 0000000..9bf9728
--- /dev/null
+++ b/kas/board/qemu-arm.yml
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2019
+# Copyright (c) TOSHIBA CORPORATION, 2021
+#
+# Authors:
+# Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 10
+
+machine: qemu-arm
It looks to me we have some regressions in master (which does
deployment), caused by these commits. Could you have a look at

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/pipelines/294203272

TIA,
Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Cip-kernel-sec Updates for Week of 2021-04-29

Chen-Yu Tsai (Moxa) <wens@...>
 

Hi everyone,

This was a quiet week. Only one new issue:

- CVE-2021-3501 [x86: KVM: VMX: data race condition] - fixed

Nothing else to report on.


Regards
ChenYu


NO IRC meeting today

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, All,

As was discussed last week, there is no IRC meeting today.
See you next week.

Best regards,
--
M. Kudo


Re: [Inquiry for CVE-2021-23133] -- necessity of the backporting

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, Jan-san,

Thanks for your feedback.

Iwamatsu-san,

Thanks for sharing the latest status.
So, let me drop this request.

Best regards,
--
M. Kudo

-----Original Message-----
From: nobuhiro1.iwamatsu@toshiba.co.jp <nobuhiro1.iwamatsu@toshiba.co.jp>
Sent: Tuesday, April 27, 2021 9:32 AM
To: cip-dev@lists.cip-project.org; Masashi Kudo (CTJ OSS/IoT Business Division, IoT Technology
Headquarters) <masashi.kudo@cybertrust.co.jp>; minmin@plathome.co.jp
Subject: RE: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the
backporting

Hi,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On
Behalf Of Jan Kiszka
Sent: Monday, April 26, 2021 10:09 PM
To: masashi.kudo@cybertrust.co.jp; minmin@plathome.co.jp;
cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the
backporting

On 26.04.21 07:49, masashi.kudo@cybertrust.co.jp wrote:
Hi, Jan-san, Minda-san,

https://lists.cip-project.org/g/cip-dev/message/6382
As was reported by Chen-Yu san last week, the following CVE security patch
is not yet backported to kernels before
5.4.
CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]

At this moment, sctp is enabled on PlatHome boards and Siemens boards.
We wonder whether sctp is really used or not. If not used, we would
recommend to disable sctp for those boards, and
we won't work on backporting this patch..

We are looking forward to hearing back from you.
I can try to listen around, but I see way more users (based on configs) than us:

https://gitlab.com/search?utf8=%E2%9C%93&search=CONFIG_IP_SCTP&group
_id=2748814&project_id=6052798&scope=&search_
code=true&snippets=false&repository_ref=master&nav_source=navbar

In that light, a backport might be required.
This CVE patch has already been backported and will be included if there are no
issues.

4.19.189-rc1:
https://lore.kernel.org/stable/20210426072820.621580223@linuxfoundation.org
/
4.4.268-rc1:
https://lore.kernel.org/stable/20210426072816.631201988@linuxfoundation.org
/

And 5.10.y has been fixed in 5.10.32.


Jan
Best regards,
Nobuhiro


Re: [Inquiry for CVE-2021-23133] -- necessity of the backporting

Nobuhiro Iwamatsu
 

Hi,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Jan Kiszka
Sent: Monday, April 26, 2021 10:09 PM
To: masashi.kudo@cybertrust.co.jp; minmin@plathome.co.jp; cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the backporting

On 26.04.21 07:49, masashi.kudo@cybertrust.co.jp wrote:
Hi, Jan-san, Minda-san,

https://lists.cip-project.org/g/cip-dev/message/6382
As was reported by Chen-Yu san last week, the following CVE security patch is not yet backported to kernels before
5.4.
CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]

At this moment, sctp is enabled on PlatHome boards and Siemens boards.
We wonder whether sctp is really used or not. If not used, we would recommend to disable sctp for those boards, and
we won't work on backporting this patch..

We are looking forward to hearing back from you.
I can try to listen around, but I see way more users (based on configs) than us:

https://gitlab.com/search?utf8=%E2%9C%93&search=CONFIG_IP_SCTP&group_id=2748814&project_id=6052798&scope=&search_
code=true&snippets=false&repository_ref=master&nav_source=navbar

In that light, a backport might be required.
This CVE patch has already been backported and will be included if there are no issues.

4.19.189-rc1: https://lore.kernel.org/stable/20210426072820.621580223@linuxfoundation.org/
4.4.268-rc1: https://lore.kernel.org/stable/20210426072816.631201988@linuxfoundation.org/

And 5.10.y has been fixed in 5.10.32.


Jan
Best regards,
Nobuhiro


Re: [Inquiry for CVE-2021-23133] -- necessity of the backporting

Jan Kiszka
 

On 26.04.21 07:49, masashi.kudo@cybertrust.co.jp wrote:
Hi, Jan-san, Minda-san,

https://lists.cip-project.org/g/cip-dev/message/6382
As was reported by Chen-Yu san last week, the following CVE security patch is not yet backported to kernels before 5.4.
CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]

At this moment, sctp is enabled on PlatHome boards and Siemens boards.
We wonder whether sctp is really used or not. If not used, we would recommend to disable sctp for those boards, and we won't work on backporting this patch..

We are looking forward to hearing back from you.
I can try to listen around, but I see way more users (based on configs) than us:

https://gitlab.com/search?utf8=%E2%9C%93&search=CONFIG_IP_SCTP&group_id=2748814&project_id=6052798&scope=&search_code=true&snippets=false&repository_ref=master&nav_source=navbar

In that light, a backport might be required.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Failing -stable-rc testing

Pavel Machek
 

Hi!

This happened several times now:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/1211168409

Waiting for pod gitlab/runner-z9bugs8s-project-14394223-concurrent-9kltbz to be running, status is Pending
Running on runner-z9bugs8s-project-14394223-concurrent-9kltbz via cip-project-v4-small-gitlab-runner-65458d45f8-nsqq6...
Skipping Git repository setup
00:02
Skipping Git checkout
Skipping Git submodules setup
Downloading artifacts for build:arm64_defconfig (1211168356)...
02:05
Downloading artifacts from coordinator... ok id=1211168356 responseStatus=200 OK token=U-WPxTXQ
$ /opt/submit_tests.sh
34:12
-----------------
Creating test job
-----------------
Version: Image_defconfig_5.10.33-rc1_f52b4f86d
Arch: arm64
Config: defconfig
Device: r8a774a1-hihope-rzg2m-ex
Kernel: Image
DTB: r8a774a1-hihope-rzg2m-ex.dtb
Modules: N/A
Test: boot
------------------
Uploading binaries
------------------
upload: output/Image_defconfig_5.10.33-rc1_f52b4f86d/arm64/defconfig/modules/modules.tar.gz to s3://download.cip-project.org/ciptesting/ci/Image_defconfig_5.10.33-rc1_f52b4f86d/arm64/defconfig/modules/modules.tar.gz
ERROR: Job failed: execution took longer than 2h0m0s seconds

Leading to -stable-rc test failure. It may have something to do with
4.19 and 5.10 -stable-rc's arriving closely together. I suspect
rerunning the job will solve it.

(I don't want to do that now to preserve the debug info; but if you
could re-run it when you are done debugging, that would be nice.)

Best regards, Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
