
[isar-cip-core][PATCH 02/11] Rename initrd with the gz suffix

Alice Ferrazzi
 

The generated initrd is actually gz compressed, and KernelCI needs
the initrd image filename to carry the gz suffix in order to work.

Signed-off-by: Alice Ferrazzi <alice.ferrazzi@...>
---
scripts/deploy-kernelci.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/deploy-kernelci.py b/scripts/deploy-kernelci.py
index 931504c..c2341a6 100755
--- a/scripts/deploy-kernelci.py
+++ b/scripts/deploy-kernelci.py
@@ -18,6 +18,10 @@ extension=sys.argv[3]

rootfs_filename="cip-core-image-"+extension+"-cip-core-"+release+"-"+target+".tar.gz"
initrd_filename="cip-core-image-"+extension+"-cip-core-"+release+"-"+target+"-initrd.img"
+
+# initrd is actually gz compressed
+initrd_gz_filename="cip-core-image-"+extension+"-cip-core-"+release+"-"+target+"-initrd.img.gz"
+
input_dir="build/tmp/deploy/images/"+target
upload_path="/images/rootfs/cip/"+cdate+"/"+target+"/"
rootfs=input_dir+"/"+rootfs_filename
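Review bot: `initrd_gz_filename` repeats the entire filename expression of `initrd_filename` on the line above it with only the suffix changed, so the two can silently drift apart on the next rename; derive it instead: `initrd_gz_filename=initrd_filename+".gz"`. The local path `initrd` keeps the uncompressed name while only the uploaded name gains `.gz`, so a one-line comment such as `# on disk the file is still named -initrd.img; the .gz suffix is applied only at upload time` would spare the next reader a search for a file that does not exist.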
@@ -44,5 +48,5 @@ if os.path.exists(rootfs) and os.path.exists(initrd):
print("uploading rootfs to KernelCI")
upload_file(api, token, upload_path, rootfs, rootfs_filename)
print("uploading initrd to KernelCI")
- upload_file(api, token, upload_path, initrd, initrd_filename)
+ upload_file(api, token, upload_path, initrd, initrd_gz_filename)
print("uploaded to: https://storage.staging.kernelci.org"+upload_path)
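Review bot: the upload now labels the artifact `.gz` purely on the assumption recorded in the comment, without checking the bytes; if the image recipe ever stops gzipping the initrd, KernelCI receives a mislabelled file and the failure only shows up downstream. A cheap guard before the `upload_file` call catches that at deploy time: `with open(initrd, 'rb') as fh:` / `    if fh.read(2) != b'\x1f\x8b': sys.exit("initrd is not gzip-compressed")`. The enclosing `if os.path.exists(...)` block begins outside the hunk.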
--
2.33.1


[isar-cip-core][PATCH 01/11] Deploy tarballs and initrd to kernelci

Alice Ferrazzi
 

Create a script to deploy images to the KernelCI file server using
the KernelCI API.

Signed-off-by: Alice Ferrazzi <alice.ferrazzi@...>
---
.gitlab-ci.yml | 4 +++-
scripts/deploy-kernelci.py | 48 ++++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 1 deletion(-)
create mode 100755 scripts/deploy-kernelci.py

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5becd37..dd7d9cc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,6 +9,7 @@ variables:
targz: disable
dtb: none
deploy: enable
+ deploy_kernelci: enable

stages:
- build
@@ -37,7 +38,8 @@ default:
- if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi;
- echo "Building ${base_yaml}"
- kas build ${base_yaml}
- - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extention} ${dtb}; fi
+ - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extention} ${dtb}; fi;
+ - if [ "${deploy_kernelci}" = "enable" ]; then scripts/deploy-kernelci.py ${release} ${target} ${extention} ${dtb}; fi

# base image
build:simatic-ipc227e-base:
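Review bot: the new step passes four arguments (`${release} ${target} ${extention} ${dtb}`) but `scripts/deploy-kernelci.py` in this same series only reads `sys.argv[1]` through `sys.argv[3]`, so `${dtb}` is silently ignored; either drop it or add a comment stating that the script deliberately takes the same argument list as `deploy-cip-core.sh` for symmetry. The variable is spelled `${extention}` on both lines — that spelling is pre-existing in the file and presumably matches the job definitions, but the script names its own argument `extension`, so a short comment noting the mismatch would prevent a well-meant "fix" from breaking the pipeline. Both steps live under `default:`, whose definition begins outside the hunk.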
diff --git a/scripts/deploy-kernelci.py b/scripts/deploy-kernelci.py
new file mode 100755
index 0000000..931504c
--- /dev/null
+++ b/scripts/deploy-kernelci.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import subprocess
+import requests
+import os
+import sys
+import time
+from urllib.parse import urljoin
+
+cdate=time.strftime("%Y%m%d")
+api="https://api.staging.kernelci.org/upload"
+token=os.getenv("KERNELCI_TOKEN")
+
+release=sys.argv[1]
+target=sys.argv[2]
+extension=sys.argv[3]
+
+rootfs_filename="cip-core-image-"+extension+"-cip-core-"+release+"-"+target+".tar.gz"
+initrd_filename="cip-core-image-"+extension+"-cip-core-"+release+"-"+target+"-initrd.img"
+input_dir="build/tmp/deploy/images/"+target
+upload_path="/images/rootfs/cip/"+cdate+"/"+target+"/"
+rootfs=input_dir+"/"+rootfs_filename
+initrd=input_dir+"/"+initrd_filename
+
+print("build directory contents:")
+print(os.listdir(input_dir))
+
+def upload_file(api, token, path, input_file, input_filename):
+ headers = {
+ 'Authorization': token,
+ }
+ data = {
+ 'path': path,
+ }
+ files = {
+ 'file': (input_filename, open(input_file, 'rb').read()),
+ }
+ url = urljoin(api, 'upload')
+ resp = requests.post(url, headers=headers, data=data, files=files)
+ resp.raise_for_status()
+
+if os.path.exists(rootfs) and os.path.exists(initrd):
+ print("uploading rootfs to KernelCI")
+ upload_file(api, token, upload_path, rootfs, rootfs_filename)
+ print("uploading initrd to KernelCI")
+ upload_file(api, token, upload_path, initrd, initrd_filename)
+ print("uploaded to: https://storage.staging.kernelci.org"+upload_path)
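Review bot: `upload_file` reads the whole image through a file handle it never closes (`open(input_file, 'rb').read()`), and an unset `KERNELCI_TOKEN` is only noticed after that read, when `raise_for_status()` fails — requests drops a header whose value is `None`, so the request goes out with no Authorization at all. Fail fast when the token is missing, and open the file in a `with` block and hand the handle to requests so it is released (requests still assembles the multipart body in memory, so this fixes the leak rather than the footprint). `urljoin(api, 'upload')` resolves to the same `https://api.staging.kernelci.org/upload` that `api` already holds, because the relative segment replaces the trailing `upload`, so `api` can be posted to directly; `subprocess` is imported but never used. The `if os.path.exists(...)` guard has no `else`, so a build that produced neither artifact exits 0 and the CI step cannot tell that nothing was deployed — print what was missing and exit non-zero.
```python
token=os.getenv("KERNELCI_TOKEN")
if not token:
    sys.exit("KERNELCI_TOKEN is not set; refusing to upload")

# … unchanged: argv parsing, filename construction, directory listing …

def upload_file(api, token, path, input_file, input_filename):
    headers = {'Authorization': token}
    data = {'path': path}
    # Hand requests the open handle; the with-block closes it after the POST.
    with open(input_file, 'rb') as fh:
        files = {'file': (input_filename, fh)}
        resp = requests.post(api, headers=headers, data=data, files=files)
    resp.raise_for_status()

if os.path.exists(rootfs) and os.path.exists(initrd):
    # … unchanged: the two upload calls and the final print …
else:
    sys.exit("nothing to deploy: missing " + rootfs + " or " + initrd)
```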
--
2.33.1


[isar-cip-core][PATCH 00/11] cip-core-image-kernelci

Alice Ferrazzi
 

This patch series adds a new image with settings for
KernelCI.

This new image is called cip-core-image-kernelci and is
based on isar-cip-core general image.
The cip-core-image-kernelci images are built by GitlabCI
and uploaded to KernelCI production fileserver.
https://storage.kernelci.org/images/rootfs/cip/

These patches are already integrated in the
isar-cip-core:alicef/kernelci_image repository branch and
are generating the images that are currently
used by KernelCI.

cip-core-image-kernelci has been tested and is
already used in KernelCI production with good results.
https://linux.kernelci.org/test/job/stable-rc/branch/queue%2F5.14/kernel/v5.14.17-9-g9f7eecaa70b3/plan/baseline-cip-nfs/

Alice Ferrazzi (11):
Deploy tarballs and initrd to kernelci
Rename initrd with the gz suffix
Add latest folder to the storage fileserver
Create kernelci build step
Ignore extension argument when not set
Enable KernelCI build step also for arm and arm64
Create cip-core-image-kernelci
Remove root password
Set the profile for KernelCI
dmesg.sh is needed for KernelCI
Upload to KernelCI production

.gitlab-ci.yml | 40 +++++++++-
kas/opt/kernelci.yml | 16 ++++
.../images/cip-core-image-kernelci.bb | 16 ++++
.../files/99-silent-printk.conf | 1 +
.../kernelci-customizations/files/dmesg.sh | 23 ++++++
.../kernelci-customizations/files/ethernet | 23 ++++++
.../kernelci-customizations/files/postinst | 34 +++++++++
.../kernelci-customizations.bb | 38 ++++++++++
scripts/deploy-kernelci.py | 76 +++++++++++++++++++
9 files changed, 266 insertions(+), 1 deletion(-)
create mode 100644 kas/opt/kernelci.yml
create mode 100644 recipes-core/images/cip-core-image-kernelci.bb
create mode 100644 recipes-core/kernelci-customizations/files/99-silent-printk.conf
create mode 100644 recipes-core/kernelci-customizations/files/dmesg.sh
create mode 100644 recipes-core/kernelci-customizations/files/ethernet
create mode 100644 recipes-core/kernelci-customizations/files/postinst
create mode 100644 recipes-core/kernelci-customizations/kernelci-customizations.bb
create mode 100755 scripts/deploy-kernelci.py

--
2.33.1


[PATCH] cip-core-image-security: remove unnecessary dependency package names

Venkata Pyla
 

From: venkata pyla <venkata.pyla@...>

It is not necessary to mention dependency package names when the parent
package is present; the dependency packages will be installed automatically
by the isar framework.

So remove the dependency packages that are not necessary.

Signed-off-by: venkata pyla <venkata.pyla@...>
---
recipes-core/images/cip-core-image-security.bb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..6c41b00 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features
IMAGE_PREINSTALL += " \
- openssl libssl1.1 \
+ openssl \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
syslog-ng-core syslog-ng-mod-journal \
- aide aide-common \
- libnftables0 nftables \
+ aide \
+ nftables \
libpam-pkcs11 \
chrony \
tpm2-tools \
@@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
libtss2-esys0 libtss2-udev \
libpam-cracklib \
acl \
- libauparse0 audispd-plugins auditd \
+ audispd-plugins auditd \
uuid-runtime \
sudo \
"
--
2.20.1


cip/linux-4.19.y-cip build: 125 builds: 1 failed, 124 passed, 2 errors, 31 warnings (v4.19.216-cip61) #kernelci

kernelci.org bot <bot@...>
 

cip/linux-4.19.y-cip build: 125 builds: 1 failed, 124 passed, 2 errors, 31 warnings (v4.19.216-cip61)

Full Build Summary: https://kernelci.org/build/cip/branch/linux-4.19.y-cip/kernel/v4.19.216-cip61/

Tree: cip
Branch: linux-4.19.y-cip
Git Describe: v4.19.216-cip61
Git Commit: 6ecdd66903013bb4aaaacbf91a7ebfda140b3c9c
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
Built: 3 unique architectures

Build Failure Detected:

arm:
rpc_defconfig: (gcc-10) FAIL

Errors and Warnings Detected:

arm64:
cip://4.19.y-cip/arm64/qemu_arm64_defconfig (gcc-10): 3 warnings
defconfig (gcc-10): 3 warnings
defconfig+crypto (gcc-10): 3 warnings
defconfig+ima (gcc-10): 3 warnings

arm:
omap1_defconfig (gcc-10): 1 warning
rpc_defconfig (gcc-10): 2 errors

x86_64:
cip://4.19.y-cip/x86/cip_qemu_defconfig (gcc-10): 3 warnings
x86_64_defconfig (gcc-10): 3 warnings
x86_64_defconfig+crypto (gcc-10): 3 warnings
x86_64_defconfig+ima (gcc-10): 3 warnings
x86_64_defconfig+x86-chromebook (gcc-10): 3 warnings
x86_64_defconfig+x86_kvm_guest (gcc-10): 3 warnings

Errors summary:

1 arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3
1 arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’

Warnings summary:

12 aarch64-linux-gnu-ld: warning: -z norelro ignored
6 ld: warning: creating DT_TEXTREL in a PIE
6 ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
6 arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
1 drivers/gpio/gpio-omap.c:1233:34: warning: array ‘omap_gpio_match’ assumed to have one element

================================================================================

Detailed per-defconfig build reports:

--------------------------------------------------------------------------------
acs5k_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
acs5k_tiny_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
am200epdkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
aspeed_g4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
aspeed_g5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
assabet_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
at91_dt_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
axm55xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
badge4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bcm2835_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cerfcube_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cip://4.19.y-cip/arm/qemu_arm_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cip://4.19.y-cip/arm64/qemu_arm64_defconfig (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored

--------------------------------------------------------------------------------
cip://4.19.y-cip/x86/cip_qemu_defconfig (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
cm_x2xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cm_x300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
colibri_pxa270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
colibri_pxa300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
collie_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
corgi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
davinci_all_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
defconfig (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored

--------------------------------------------------------------------------------
defconfig+crypto (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored

--------------------------------------------------------------------------------
defconfig+ima (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored
aarch64-linux-gnu-ld: warning: -z norelro ignored

--------------------------------------------------------------------------------
dove_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ebsa110_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
efm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
em_x270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ep93xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
eseries_pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
exynos_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ezx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
footbridge_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
gemini_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
h3600_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
h5000_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
hackkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
hisi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imote2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imx_v4_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
integrator_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
iop13xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
iop32x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
iop33x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ixp4xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
jornada720_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
keystone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ks8695_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lart_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpc18xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpc32xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpd270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lubbock_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
magician_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mainstone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mini2440_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mmp2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
moxart_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mps2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v4t_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+crypto (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+ima (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mvebu_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mvebu_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mxs_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
neponset_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
netwinder_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
netx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nhk8815_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nuc910_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nuc950_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nuc960_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
omap1_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
drivers/gpio/gpio-omap.c:1233:34: warning: array ‘omap_gpio_match’ assumed to have one element

--------------------------------------------------------------------------------
omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
orion5x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
oxnas_v6_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
palmz72_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pcm027_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pleb_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
prima2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa168_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa255-idp_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa910_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
qcom_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
raumfeld_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
realview_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
rpc_defconfig (arm, gcc-10) — FAIL, 2 errors, 0 warnings, 0 section mismatches

Errors:
arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3
arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’

--------------------------------------------------------------------------------
s3c2410_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
s3c6400_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
s5pv210_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
sama5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
shannon_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
shmobile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
simpad_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
socfpga_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear13xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear6xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spitz_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
stm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
sunxi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tango4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tct_hammer_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tegra_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
trizeps4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
u300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
u8500_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
versatile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vf610m4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
viper_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vt8500_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
x86_64_defconfig (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
x86_64_defconfig+crypto (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
x86_64_defconfig+ima (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
x86_64_defconfig+x86-chromebook (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
x86_64_defconfig+x86_kvm_guest (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
xcep_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
zeus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
zx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

---
For more info write to <info@...>


cip/linux-4.4.y-cip build: 122 builds: 2 failed, 120 passed, 2 errors, 52 warnings (v4.4.291-cip65) #kernelci

kernelci.org bot <bot@...>
 

cip/linux-4.4.y-cip build: 122 builds: 2 failed, 120 passed, 2 errors, 52 warnings (v4.4.291-cip65)

Full Build Summary: https://kernelci.org/build/cip/branch/linux-4.4.y-cip/kernel/v4.4.291-cip65/

Tree: cip
Branch: linux-4.4.y-cip
Git Describe: v4.4.291-cip65
Git Commit: 65ed894ba1119b9887f389d31fca58f662162de0
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
Built: 3 unique architectures

Build Failures Detected:

arm:
multi_v7_defconfig+CONFIG_THUMB2_KERNEL=y: (gcc-10) FAIL
rpc_defconfig: (gcc-10) FAIL

Errors and Warnings Detected:

arm:
allmodconfig (gcc-10): 11 warnings
clps711x_defconfig (gcc-10): 1 warning
davinci_all_defconfig (gcc-10): 1 warning
lpc32xx_defconfig (gcc-10): 1 warning
mini2440_defconfig (gcc-10): 1 warning
multi_v7_defconfig+CONFIG_SMP=n (gcc-10): 1 warning
mxs_defconfig (gcc-10): 1 warning
omap1_defconfig (gcc-10): 1 warning
omap2plus_defconfig (gcc-10): 1 warning
rpc_defconfig (gcc-10): 2 errors
s3c2410_defconfig (gcc-10): 1 warning
s3c6400_defconfig (gcc-10): 2 warnings

i386:
i386_defconfig (gcc-10): 2 warnings

x86_64:
allnoconfig (gcc-10): 4 warnings
x86_64_defconfig (gcc-10): 6 warnings
x86_64_defconfig+crypto (gcc-10): 6 warnings
x86_64_defconfig+ima (gcc-10): 6 warnings
x86_64_defconfig+x86-chromebook (gcc-10): 6 warnings

Errors summary:

1 arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3
1 arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’

Warnings summary:

10 arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
5 ld: warning: creating DT_TEXTREL in a PIE
5 arch/x86/entry/entry_64.S:487: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
5 arch/x86/entry/entry_64.S:1642: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
4 ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
3 drivers/tty/serial/samsung.c:1780:34: warning: array ‘s3c24xx_uart_dt_match’ assumed to have one element
2 sound/pci/echoaudio/echoaudio_dsp.c:647:9: warning: iteration 1073741824 invokes undefined behavior [-Waggressive-loop-optimizations]
2 drivers/cpufreq/ti-cpufreq.c:250:24: warning: passing argument 1 of ‘PTR_ERR_OR_ZERO’ makes pointer from integer without a cast [-Wint-conversion]
1 sound/pci/echoaudio/echoaudio_dsp.c:658:9: warning: iteration 1073741824 invokes undefined behavior [-Waggressive-loop-optimizations]
1 ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text'
1 include/linux/cpumask.h:565:26: warning: passing argument 2 of ‘dev_pm_opp_set_sharing_cpus’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
1 drivers/scsi/qla2xxx/qla_bsg.c:2270:25: warning: overflow in conversion from ‘uint32_t’ {aka ‘unsigned int’} to ‘int’ changes value from ‘bsg_job->reply->result = 4294967290’ to ‘-6’ [-Woverflow]
1 drivers/scsi/qla2xxx/qla_bsg.c:2254:7: warning: overflow in conversion from ‘uint32_t’ {aka ‘unsigned int’} to ‘int’ changes value from ‘bsg_job->reply->result = 4294967291’ to ‘-5’ [-Woverflow]
1 drivers/scsi/nsp32.c:609:57: warning: bitwise comparison always evaluates to false [-Wtautological-compare]
1 drivers/scsi/nsp32.c:609:27: warning: bitwise comparison always evaluates to false [-Wtautological-compare]
1 drivers/net/ethernet/apm/xgene/xgene_enet_main.c:32:36: warning: array ‘xgene_enet_acpi_match’ assumed to have one element
1 drivers/mmc/host/sdhci-s3c.c:429:34: warning: array ‘sdhci_s3c_dt_match’ assumed to have one element
1 drivers/gpio/gpio-omap.c:1161:34: warning: array ‘omap_gpio_match’ assumed to have one element
1 arch/arm/mach-mxs/mach-mxs.c:285:26: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]
1 arch/arm/mach-lpc32xx/phy3250.c:215:36: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]
1 arch/arm/mach-davinci/da8xx-dt.c:23:34: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]
1 arch/arm/mach-clps711x/board-autcpu12.c:163:26: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]
1 /tmp/ccU6K0IW.s:18225: Warning: using r15 results in unpredictable behaviour
1 /tmp/ccU6K0IW.s:18153: Warning: using r15 results in unpredictable behaviour

================================================================================

Detailed per-defconfig build reports:

--------------------------------------------------------------------------------
acs5k_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
acs5k_tiny_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
allmodconfig (arm, gcc-10) — PASS, 0 errors, 11 warnings, 0 section mismatches

Warnings:
drivers/cpufreq/ti-cpufreq.c:250:24: warning: passing argument 1 of ‘PTR_ERR_OR_ZERO’ makes pointer from integer without a cast [-Wint-conversion]
/tmp/ccU6K0IW.s:18153: Warning: using r15 results in unpredictable behaviour
/tmp/ccU6K0IW.s:18225: Warning: using r15 results in unpredictable behaviour
sound/pci/echoaudio/echoaudio_dsp.c:647:9: warning: iteration 1073741824 invokes undefined behavior [-Waggressive-loop-optimizations]
sound/pci/echoaudio/echoaudio_dsp.c:658:9: warning: iteration 1073741824 invokes undefined behavior [-Waggressive-loop-optimizations]
sound/pci/echoaudio/echoaudio_dsp.c:647:9: warning: iteration 1073741824 invokes undefined behavior [-Waggressive-loop-optimizations]
drivers/net/ethernet/apm/xgene/xgene_enet_main.c:32:36: warning: array ‘xgene_enet_acpi_match’ assumed to have one element
drivers/scsi/qla2xxx/qla_bsg.c:2254:7: warning: overflow in conversion from ‘uint32_t’ {aka ‘unsigned int’} to ‘int’ changes value from ‘bsg_job->reply->result = 4294967291’ to ‘-5’ [-Woverflow]
drivers/scsi/qla2xxx/qla_bsg.c:2270:25: warning: overflow in conversion from ‘uint32_t’ {aka ‘unsigned int’} to ‘int’ changes value from ‘bsg_job->reply->result = 4294967290’ to ‘-6’ [-Woverflow]
drivers/scsi/nsp32.c:609:27: warning: bitwise comparison always evaluates to false [-Wtautological-compare]
drivers/scsi/nsp32.c:609:57: warning: bitwise comparison always evaluates to false [-Wtautological-compare]

--------------------------------------------------------------------------------
allnoconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
allnoconfig (x86_64, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:487: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/entry/entry_64.S:1642: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'

--------------------------------------------------------------------------------
allnoconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
am200epdkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
assabet_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
at91_dt_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
axm55xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
badge4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bcm2835_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bcm_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cerfcube_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
clps711x_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
arch/arm/mach-clps711x/board-autcpu12.c:163:26: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]

--------------------------------------------------------------------------------
cm_x2xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cm_x300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
colibri_pxa270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
colibri_pxa300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
collie_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
corgi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
davinci_all_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
arch/arm/mach-davinci/da8xx-dt.c:23:34: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]

--------------------------------------------------------------------------------
dove_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ebsa110_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
efm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
em_x270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ep93xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
eseries_pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
exynos_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ezx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
footbridge_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
h3600_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
h5000_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
hackkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
hisi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
i386_defconfig (i386, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches

Warnings:
ld: arch/x86/boot/compressed/head_32.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
imote2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imx_v4_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
integrator_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
iop13xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
iop32x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
iop33x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ixp4xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
jornada720_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
keystone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ks8695_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lart_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpc18xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpc32xx_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
arch/arm/mach-lpc32xx/phy3250.c:215:36: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]

--------------------------------------------------------------------------------
lpd270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lubbock_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
magician_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mainstone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mini2440_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
drivers/tty/serial/samsung.c:1780:34: warning: array ‘s3c24xx_uart_dt_match’ assumed to have one element

--------------------------------------------------------------------------------
mmp2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+CONFIG_CPU_BIG_ENDIAN=y (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+CONFIG_EFI=y+CONFIG_ARM_LPAE=y (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+CONFIG_SMP=n (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
include/linux/cpumask.h:565:26: warning: passing argument 2 of ‘dev_pm_opp_set_sharing_cpus’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]

--------------------------------------------------------------------------------
multi_v7_defconfig+CONFIG_THUMB2_KERNEL=y (arm, gcc-10) — FAIL, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+crypto (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+ima (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mv78xx0_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mvebu_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mvebu_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mxs_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
arch/arm/mach-mxs/mach-mxs.c:285:26: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]

--------------------------------------------------------------------------------
neponset_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
netwinder_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
netx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nhk8815_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nuc910_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nuc950_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nuc960_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
omap1_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
drivers/gpio/gpio-omap.c:1161:34: warning: array ‘omap_gpio_match’ assumed to have one element

--------------------------------------------------------------------------------
omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
drivers/cpufreq/ti-cpufreq.c:250:24: warning: passing argument 1 of ‘PTR_ERR_OR_ZERO’ makes pointer from integer without a cast [-Wint-conversion]

--------------------------------------------------------------------------------
orion5x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
palmz72_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pcm027_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pleb_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
prima2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa168_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa255-idp_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa910_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
qcom_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
raumfeld_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
realview-smp_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
realview_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
rpc_defconfig (arm, gcc-10) — FAIL, 2 errors, 0 warnings, 0 section mismatches

Errors:
arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3
arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’

--------------------------------------------------------------------------------
s3c2410_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
drivers/tty/serial/samsung.c:1780:34: warning: array ‘s3c24xx_uart_dt_match’ assumed to have one element

--------------------------------------------------------------------------------
s3c6400_defconfig (arm, gcc-10) — PASS, 0 errors, 2 warnings, 0 section mismatches

Warnings:
drivers/mmc/host/sdhci-s3c.c:429:34: warning: array ‘sdhci_s3c_dt_match’ assumed to have one element
drivers/tty/serial/samsung.c:1780:34: warning: array ‘s3c24xx_uart_dt_match’ assumed to have one element

--------------------------------------------------------------------------------
s5pv210_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
sama5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
shannon_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
shmobile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
simpad_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
socfpga_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear13xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear6xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spitz_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
stm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
sunxi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tct_hammer_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tegra_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
trizeps4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
u300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
u8500_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
versatile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vf610m4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
viper_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vt8500_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
x86_64_defconfig (x86_64, gcc-10) — PASS, 0 errors, 6 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:487: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/entry/entry_64.S:1642: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
x86_64_defconfig+crypto (x86_64, gcc-10) — PASS, 0 errors, 6 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:487: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/entry/entry_64.S:1642: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
x86_64_defconfig+ima (x86_64, gcc-10) — PASS, 0 errors, 6 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:487: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/entry/entry_64.S:1642: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
x86_64_defconfig+x86-chromebook (x86_64, gcc-10) — PASS, 0 errors, 6 warnings, 0 section mismatches

Warnings:
arch/x86/entry/entry_64.S:487: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/entry/entry_64.S:1642: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
arch/x86/kernel/process.c:456: Warning: no instruction mnemonic suffix given and no register operands; using default for `btr'
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
ld: warning: creating DT_TEXTREL in a PIE

--------------------------------------------------------------------------------
xcep_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
zeus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
zx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

---
For more info write to <info@...>


[ANNOUNCE] Release v4.19.216-cip61 and v4.4.291-cip65

Nobuhiro Iwamatsu
 

Hi all,

The CIP kernel team has released Linux kernel v4.19.216-cip61 and v4.4.291-cip65.
The linux-4.19.y-cip tree has been updated from LTS version v4.19.213 to v4.19.216,
and the linux-4.4.y-cip tree has been updated from LTS version v4.4.287 to v4.4.291.

The information for this release is as follows.
v4.19.216-cip61:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.19.y-cip
commit hash:
6ecdd66903013bb4aaaacbf91a7ebfda140b3c9c
Fixed CVEs:
- CVE-2021-3896: isdn: cpai: check ctr->cnr to avoid array index out of bound
- CVE-2021-43389: isdn: cpai: check ctr->cnr to avoid array index out of bound
- CVE-2021-3760: nfc: nci: fix the UAF of rf_conn_info object
- CVE-2021-20322: ipv6: make exception cache less predictible
- CVE-2021-3772: sctp: use init_tag from inithdr for ABORT chunk
- CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
added commits:
CIP: Bump version suffix to -cip61 after merge from stable

v4.4.291-cip65:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.4.y-cip
commit hash:
65ed894ba1119b9887f389d31fca58f662162de0
Fixed CVEs:
- CVE-2020-29374: gup: document and work around "COW can break either way" issue
- CVE-2021-3896: isdn: cpai: check ctr->cnr to avoid array index out of bound
- CVE-2021-20321: ovl: fix missing negative dentry check in ovl_rename()
- CVE-2021-3760: nfc: nci: fix the UAF of rf_conn_info object
- CVE-2021-43389: isdn: cpai: check ctr->cnr to avoid array index out of bound
- CVE-2021-3772: sctp: use init_tag from inithdr for ABORT chunk
added commits:
CIP: Bump version suffix to -cip65 after merge from stable

Best regards,
Nobuhiro


[cip-kernel-config][PATCH 1/2] x86/cip_qemu_defconfig: Add options for read-only rootfs

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Add the kernel options necessary to support a read-only rootfs
with dm-verity and overlay.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
4.19.y-cip/x86/cip_qemu_defconfig | 4 ++++
5.10.y-cip/x86/cip_qemu_defconfig | 4 ++++
2 files changed, 8 insertions(+)

diff --git a/4.19.y-cip/x86/cip_qemu_defconfig b/4.19.y-cip/x86/cip_qemu_defconfig
index 4d29397..521fa52 100644
--- a/4.19.y-cip/x86/cip_qemu_defconfig
+++ b/4.19.y-cip/x86/cip_qemu_defconfig
@@ -302,3 +302,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
CONFIG_EARLY_PRINTK_DBGP=y
CONFIG_DEBUG_BOOT_PARAMS=y
CONFIG_OPTIMIZE_INLINING=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
+CONFIG_OVERLAY_FS=y
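Review bot: CONFIG_DM_VERITY=y is added without CONFIG_BLK_DEV_DM=y, which it depends on; whether the base defconfig already enables device-mapper cannot be seen from this hunk, and if it does not, a later olddefconfig/savedefconfig pass silently drops the verity option (the verity.cfg fragment posted in the isar-cip-core RFC 3/8 does carry `CONFIG_BLK_DEV_DM=y`). Either add `CONFIG_BLK_DEV_DM=y` ahead of the verity line or confirm it in the base file. CONFIG_DM_CRYPT=y is also enabled although the commit message names only dm-verity and overlay; if a later LUKS step needs it the message should say so, otherwise it only widens the enabled kernel surface. The same applies to the 5.10.y-cip hunk of this patch.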
diff --git a/5.10.y-cip/x86/cip_qemu_defconfig b/5.10.y-cip/x86/cip_qemu_defconfig
index 899eab4..42199ca 100644
--- a/5.10.y-cip/x86/cip_qemu_defconfig
+++ b/5.10.y-cip/x86/cip_qemu_defconfig
@@ -286,3 +286,7 @@ CONFIG_BLK_DEV_IO_TRACE=y
CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
CONFIG_EARLY_PRINTK_DBGP=y
CONFIG_DEBUG_BOOT_PARAMS=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
+CONFIG_OVERLAY_FS=y
--
2.30.2


[cip-kernel-config][PATCH 0/2] Add options for read-only rootfs

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Add the necessary kernel options for a read-only rootfs with
dm-verity, secure-boot and swupdate + overlay of /etc.

Quirin Gylstorff (2):
x86/cip_qemu_defconfig: Add options for read-only rootfs
x86/siemens_ipc227e_defconfig: Add options for read-only rootfs

4.19.y-cip/x86/cip_qemu_defconfig | 4 ++++
4.19.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
5.10.y-cip/x86/cip_qemu_defconfig | 4 ++++
5.10.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
4 files changed, 16 insertions(+), 2 deletions(-)

--
2.30.2


[cip-kernel-config][PATCH 2/2] x86/siemens_ipc227e_defconfig: Add options for read-only rootfs

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Add the necessary kernel option to support a read only rootfs
with dm-verity and overlay.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
4.19.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
5.10.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/4.19.y-cip/x86/siemens_ipc227e_defconfig b/4.19.y-cip/x86/siemens_ipc227e_defconfig
index 3e1d305..0ad5b7a 100644
--- a/4.19.y-cip/x86/siemens_ipc227e_defconfig
+++ b/4.19.y-cip/x86/siemens_ipc227e_defconfig
@@ -378,7 +378,7 @@ CONFIG_QUOTA=y
CONFIG_QUOTA_NETLINK_INTERFACE=y
CONFIG_AUTOFS4_FS=m
CONFIG_FUSE_FS=m
-CONFIG_OVERLAY_FS=m
+CONFIG_OVERLAY_FS=y
CONFIG_MSDOS_FS=m
CONFIG_VFAT_FS=m
CONFIG_PROC_KCORE=y
@@ -449,3 +449,6 @@ CONFIG_MEMTEST=y
# CONFIG_X86_VERBOSE_BOOTUP is not set
CONFIG_EARLY_PRINTK_EFI=y
CONFIG_OPTIMIZE_INLINING=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
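Review bot: As in the cip_qemu_defconfig changes of patch 1/2, CONFIG_DM_VERITY=y and CONFIG_DM_CRYPT=y are added here without CONFIG_BLK_DEV_DM=y, so the verity option survives only if the base defconfig already enables device-mapper; add `CONFIG_BLK_DEV_DM=y` or confirm it is present. Switching CONFIG_OVERLAY_FS from m to y in the first hunk is consistent with an overlay that must exist before any module can be loaded, but the commit message gives no reason for the change and should. The same applies to both hunks of the 5.10.y-cip file below.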
diff --git a/5.10.y-cip/x86/siemens_ipc227e_defconfig b/5.10.y-cip/x86/siemens_ipc227e_defconfig
index 2ddf145..7f98e4b 100644
--- a/5.10.y-cip/x86/siemens_ipc227e_defconfig
+++ b/5.10.y-cip/x86/siemens_ipc227e_defconfig
@@ -362,7 +362,7 @@ CONFIG_QUOTA=y
CONFIG_QUOTA_NETLINK_INTERFACE=y
CONFIG_AUTOFS4_FS=m
CONFIG_FUSE_FS=m
-CONFIG_OVERLAY_FS=m
+CONFIG_OVERLAY_FS=y
CONFIG_MSDOS_FS=m
CONFIG_VFAT_FS=m
CONFIG_PROC_KCORE=y
@@ -428,3 +428,6 @@ CONFIG_BLK_DEV_IO_TRACE=y
# CONFIG_X86_VERBOSE_BOOTUP is not set
CONFIG_TEST_USER_COPY=m
CONFIG_MEMTEST=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
--
2.30.2


[isar-cip-core][PATCH] start-qemu: Account for different kernel image names

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

This was changed in Isar a while ago, making arm64 images "vmlinux".

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
start-qemu.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index 6592ac6..3f62257 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -109,7 +109,7 @@ if [ -n "${SECURE_BOOT}" ]; then
else
IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)

- KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)
+ KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinu* | tail -1)
INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)

${QEMU_PATH}${QEMU} \
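Review bot: Widening the glob from `vmlinuz*` to `vmlinu*` makes `ls ... | tail -1` pick the alphabetically last of anything starting with `-vmlinu` in the image directory, not just the kernel; if more than one such artifact is deployed, the choice follows sort order rather than the build. Restricting the pattern to the two known names, `KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinu[xz]* | tail -1)`, keeps the arm64 `vmlinux` case working without admitting unrelated files. The `if`/`else` this line belongs to starts before the hunk.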
--
2.31.1


Re: [isar-cip-core][RFC 5/8] Create an read-only rootfs with dm-verity

Jan Kiszka
 

On 12.11.21 12:50, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/wic-verity-img.bbclass | 8 ++++-
kas/opt/verity.yml | 34 +++++++++++++++++++
.../images/cip-core-image-read-only.bb | 24 +++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount | 11 ++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 +++++
wic/qemu-amd64-read-only.wks.in | 13 +++++++
7 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 kas/opt/verity.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
create mode 100644 wic/qemu-amd64-read-only.wks.in

diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass
index e185cf8..9b8a79e 100644
--- a/classes/wic-verity-img.bbclass
+++ b/classes/wic-verity-img.bbclass
@@ -12,6 +12,12 @@
inherit squashfs-img
inherit verity-img
inherit wic-img
+inherit extract-partition
+inherit swupdate-img
Is that still a "wic-verity-img" class then? Or rather a
secure-swupdate-img class, now with persistency?

-addtask verity_image after do_squashfs_image
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_squashfs_image
addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/verity.yml b/kas/opt/verity.yml
new file mode 100644
index 0000000..088f44a
--- /dev/null
+++ b/kas/opt/verity.yml
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file creates a image with a read-only rootfs
+# and secure-boot
+
+header:
+ version: 10
+ includes:
+ - efibootguard.yml
+
+target: cip-core-image-read-only
+
+local_conf_header:
+ verity-img: |
+ IMAGE_TYPE = "wic-verity-img"
+ WKS_FILE = "${MACHINE}-read-only.wks.in"
+ VERITY_IMAGE_TYPE = "squashfs"
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+ SWU_DESCRIPTION = "secureboot"
+ SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ secure-boot: |
+ # Add snakeoil and ovmf binaries for qemu
+ IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
+ IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
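Review bot: The header comment presents this profile as a read-only rootfs with secure boot, but the only signing material it pulls in is `ebg-secure-boot-snakeoil`, i.e. demo keys; a reader of the header alone would assume a production-grade chain. Extend the header with `# Secure boot here uses the snakeoil demo keys for qemu; real deployments must replace them with their own signing keys.` The copyright year 2020 also differs from the 2021 used by the other new files of this series.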
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..24ace3c
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,24 @@
+require cip-core-image.bb
+
+INITRAMFS_RECIPE = "cip-core-initramfs"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
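Review bot: `LABEL=var /var auto defaults 0 0` mounts the one persistent, writable partition of an otherwise dm-verity protected system without `nosuid,nodev`, while the tmpfs entries in the same table do carry those flags; a setuid binary or device node written to /var would be honoured at the next boot even though the root itself is integrity-checked. Changing the line to `LABEL=var /var auto defaults,nosuid,nodev 0 0` closes that gap (add `noexec` as well if nothing under /var needs to execute, which cannot be judged from here). `IMAGE_INSTALL_remove += ...` also reads oddly; the customary bitbake form is `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"`.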
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
+
+[Install]
+WantedBy=local-fs.target
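Review bot: `mode=755` on the /tmp tmpfs makes the directory writable by root only; the conventional value is `mode=1777` so unprivileged users and services can create files while the sticky bit stops them from removing each other's entries (systemd's stock tmp.mount uses `mode=1777` together with `nosuid,nodev`). Unless every writer of /tmp on this image is root, the line should read `Options=nodev,nosuid,strictatime,mode=1777,size=500M`. The `mode=755` on the `/run` entry in the image's fstab is correct and should stay as it is.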
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-read-only.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
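Review bot: The kernel command line ends in `rw` although the root this image boots is a dm-verity device, which is read-only by construction, and the image's fstab mounts `/` with `ro`; at best the mount silently falls back to read-only, so `ro` is the value that matches the design. Suggest `bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait ro"` and dropping `earlyprintk` unless it is still needed for bring-up, since it is a debugging aid. No `root=` is passed, so root discovery relies entirely on the initramfs scan in the verity script; that is worth a comment on this line so nobody later adds a `root=` that the script does not expect.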
Rather than adding yet another wks file, maybe better extend the
existing qemu-amd64-efibootguard-secureboot.wks. I would see dm-verity
as an extension of the secure-swupdate configuration, not as a variant
or something completely separate.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC 4/8] Create a initrd with support for dm-verity

Jan Kiszka
 

On 12.11.21 12:50, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

Adapt the initrd to open a dm-verity partition with a fixed
root hash.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++++++
.../initramfs-verity-hook/files/verity.script | 68 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 39 +++++++++++
5 files changed, 147 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
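Review bot: The hook copies /usr/share/verity-env/verity.env, i.e. the root hash and salt that anchor the whole trust chain, into the initramfs without a comment on why that is acceptable; the protection rests on the initramfs being embedded in the signed unified kernel image, not on the file itself. Add above the copy_file line: `# verity.env carries ROOT_HASH/SALT; it is trustworthy only because the initramfs is part of the signed unified kernel image — never ship it in an unsigned initrd.` With a kernel built from the series' verity.cfg the two manual_add_modules calls find builtin modules and are harmless, which a one-line comment could state as well.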
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script b/recipes-initramfs/initramfs-verity-hook/files/verity.script
new file mode 100644
index 0000000..a66b557
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ --restart-on-corruption \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs!"
+fi
+
+wait_for_udev 10
+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
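Review bot: In the `""` branch the root becomes the first partition for which `veritysetup verify` succeeds against ROOT_HASH, so with the A/B layout of the accompanying wks file, where both slots initially carry the same image, the slot is picked by blkid's enumeration order rather than by the bootloader's choice. Integrity-wise that is sound, because nothing failing the hash can ever be selected, but the intent should be stated, e.g. `# ROOT_HASH, not the partition, is the trust anchor: any partition that verifies is acceptable; pass root=PARTUUID=... from the bootloader when the active slot must be deterministic.` In the `PART*` branch blkid may return nothing and `$ROOT` is then empty; the later `veritysetup open` fails and panics, which is the right outcome, but `${part}` on the blkid -p line should be quoted like every other expansion in the script. `--restart-on-corruption` turns persistent corruption into a reboot loop unless the bootloader's revision handling falls back to the other slot; confirm efibootguard is set up for that, or consider `--panic-on-corruption` with a documented recovery path.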
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..e067a22
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,39 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script \
+ "
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.${VERITY_IMAGE_TYPE}.env"
Blank line.

+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
Blank line, to be more readable.

+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ fi
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
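Review bot: do_install installs verity.script and the env file it needs only when `${VERITY_ENV_FILE}` exists, while the hook is installed unconditionally; a build in which the verity image task did not deploy the env file therefore yields an initramfs that boots the rootfs with no verity check and no error, the opposite of fail-closed. Since `do_install[depends]` already requires `${VERITY_IMAGE_RECIPE}:do_verity_image`, treat the file as mandatory: replace the `if` with `[ -f "${VERITY_ENV_FILE}" ] || bbfatal "verity env file ${VERITY_ENV_FILE} missing"` and install both files unconditionally. `VERITY_IMAGE_TYPE` is used in VERITY_ENV_FILE but not defaulted in this recipe, so an unset value produces a path with an empty component; a `?=` default or a comment naming where it must be set would help.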
Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC 3/8] linux-cip-common: Add options necessary for dm-verity

Jan Kiszka
 

On 12.11.21 12:50, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

CIP Kernel Config does not contain support for dm-verity
squashfs. Overlay_FS support is added for etc-overlay.
This should be quickly addressed by expanding the configs of all boards
we want to enable this way. Start with QEMU and the IPCs. Otherwise, we
risk to ignore this subsystem /wrt CVEs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-kernel/linux/files/verity.cfg | 5 +++++
recipes-kernel/linux/linux-cip-common.inc | 6 ++++++
2 files changed, 11 insertions(+)
create mode 100644 recipes-kernel/linux/files/verity.cfg

diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
new file mode 100644
index 0000000..35d8208
--- /dev/null
+++ b/recipes-kernel/linux/files/verity.cfg
@@ -0,0 +1,5 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
+CONFIG_OVERLAY_FS=y
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..0792371 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"

S = "${WORKDIR}/linux-cip-v${PV}"
+
+SRC_URI += "file://verity.cfg"
+
+do_prepare_build_prepend() {
+ cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}
+}
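Review bot: Appending verity.cfg with `cat >>` leaves the defconfig with two assignments whenever the base file already sets one of these symbols, e.g. `CONFIG_OVERLAY_FS=m` as the ipc227e defconfigs did before this series, and the outcome then depends on kconfig's last-assignment-wins handling rather than on an explicit merge. The kernel's scripts/kconfig/merge_config.sh applied to `${WORKDIR}/${KERNEL_DEFCONFIG}` and `${WORKDIR}/verity.cfg` makes the override explicit and reports every redefinition. If the plain append stays, add a comment above it stating that fragment values are meant to override the defconfig and that the fragment must stay free of conflicting entries.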
This should be appended conditionally, when building a secure image, I
would say.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC 1/8] Add new class to create a squashfs based root file system

Jan Kiszka
 

On 12.11.21 12:50, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This file system is read-only and uses a reduced image size.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/squashfs-img.bbclass | 42 ++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 classes/squashfs-img.bbclass

diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
new file mode 100644
index 0000000..f827e8c
--- /dev/null
+++ b/classes/squashfs-img.bbclass
@@ -0,0 +1,42 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
+
+IMAGER_INSTALL += "squashfs-tools"
+
+SQUASHFS_EXCLUDE_DIRS ?= ""
+SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
+SQUASHFS_CREATION_ARGS ?= " "
Blank line after this.

+# Generate squashfs filesystem image
I don't think the anonymous function does that...

+python __anonymous() {
+ exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
+ if len(exclude_directories) == 0:
+ return
+ args=d.getVar('SQUASHFS_CREATION_ARGS')
+ args+=" -wildcards"
+ # use wildcard to exclude only content of the the directory
+ # this allows to use the directory as a mount point
+ for dir in exclude_directories:
+ args+=" -e {dir}/* ".format(dir=dir)
+ d.setVar('SQUASHFS_CREATION_ARGS', args)
How about d.appendVar?

And Python style for python functions, please.

+}
+
+do_squashfs_image() {
+ rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
+
+ image_do_mounts
+
+ sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
+ "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SQUASHFS_CREATION_ARGS}
+}
+addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
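Review bot: The exclude arguments built in the anonymous function, `-e home/* -e var/*`, reach the `sudo chroot ... mksquashfs` call through the unquoted `${SQUASHFS_CREATION_ARGS}` expansion, so the shell globs `home/*` relative to the task's working directory before mksquashfs ever sees the `-wildcards` pattern; whether that expansion fires depends on what happens to exist in the cwd, which makes the exclusion fragile rather than guaranteed. Disable pathname expansion for the call, e.g. `set -f` on the line before `sudo chroot`, or write the patterns to an exclude file and pass it with `-ef`. The `rm -f` of the deployed image also runs without the `sudo` the rest of the task uses; if the deploy directory is root-owned that removal fails silently because of `-f`.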
This should also qualify as generic Isar class. It can start here, though.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [PATCH] recipes-core/swupdate: Update the SRC_URI and SWUPDATE_BUILD_PROFILES append for buster

Quirin Gylstorff
 

This should not have been sent.

Drop.

On 11/12/21 12:50 PM, Quirin Gylstorff via lists.cip-project.org wrote:
From: Srinuvasan A <srinuvasan_a@...>
When we build the swupdate debian package for buster some build
dependency packages are not available in stable buster repo, hence we created a
patch in cip-core upstream for buster build, here we hardcoded the distro
for buster build hence it is building fine in cip-core not the downstream layer,
added the OVERRIDES for BASE_DISTRO_CODENAME to select the particular base distro.
Signed-off-by: Srinuvasan A <srinuvasan_a@...>
Signed-off-by: Jan Kiszka <jan.kiszka@...>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-core/swupdate/swupdate.inc | 2 ++
recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb | 8 ++++----
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/recipes-core/swupdate/swupdate.inc b/recipes-core/swupdate/swupdate.inc
index a469587..191aa2b 100644
--- a/recipes-core/swupdate/swupdate.inc
+++ b/recipes-core/swupdate/swupdate.inc
@@ -13,6 +13,8 @@ HOMEPAGE= "https://github.com/sbabic/swupdate"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
+
def get_bootloader_build_profile(d):
bootloader = d.getVar("SWUPDATE_BOOTLOADER") or ""
if bootloader == "efibootguard":
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index a451b55..e62230f 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -35,14 +35,14 @@ SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
# SWUPDATE_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
# modify for debian buster build
-SRC_URI_append_cip-core-buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
+SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
# disable documentation due to missing packages in debian buster
# disable create filesystem due to missing symbols in debian buster
# disable webserver due to missing symbols in debian buster
-SWUPDATE_BUILD_PROFILES_append_cip-core-buster = " nodoc \
- pkg.swupdate.nocreatefs \
- pkg.swupdate.nowebserver "
+SWUPDATE_BUILD_PROFILES_append_buster = " nodoc \
+ pkg.swupdate.nocreatefs \
+ pkg.swupdate.nowebserver "
# In debian buster the git-compression defaults to gz and does not detect other
# compression formats.
GBP_EXTRA_OPTIONS += "--git-compression=xz"
--




With best regards,
Quirin Gylstorff

Siemens AG
Technology
Research in Digitalization and Automation
Smart Embedded Systems
T RDA IOT SES-DE
Otto-Hahn-Ring 6
81739 Muenchen, Germany
Mobile: +49 173 3746683
mailto:quirin.gylstorff@... <mailto:quirin.gylstorff@...>
www.siemens.com <https://siemens.com>

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim
Hagemann Snabe; Managing Board: Roland Busch, Chairman, President and
Chief Executive Officer; Cedrik Neike, Matthias Rebellius, Ralf P.
Thomas, Judith Wiese; Registered offices: Berlin and Munich, Germany;
Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB
6684; WEEE-Reg.-No. DE 23691322

Important notice: This e-mail and any attachment thereof contain
corporate proprietary information. If you have received it by mistake,
please notify us immediately by reply e-mail and delete this e-mail and
its attachments from your system. Thank you.


[isar-cip-core][RFC 8/8] swupdate: Backport patches from SWUpdate Master

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 193 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch

diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..f143207
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
@@ -0,0 +1,188 @@
+From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@...>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] add patches for dm-verity
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 153 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..5db0e61
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,68 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@...>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@...>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..a62d59c
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,83 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@...>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@...>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
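Review bot: In the backported get_root_from_mountinfo, `fp` is tested in the loop condition but `(void)fclose(fp)` runs unconditionally, so a failed fopen of /proc/self/mountinfo (a container or mount namespace without procfs, for instance) passes NULL to fclose, which is undefined behaviour and crashes on glibc; guard it with `if (fp) fclose(fp);`. A partially matched fscanf (return value 1) also leaks `mnt_point`, and the LUKS patch derives the device numbers with `/ 256` and `% 256`, which is wrong for minors of 256 and above where `major()`/`minor()` from <sys/sysmacros.h> are needed; both are pre-existing upstream issues carried along by this backport and worth a note in the commit message. The series file lists 0002 before 0001 although 0002's index line (`51a16b6..3b81c09`) is the state produced by 0001; the hunks probably still apply with offsets, but the order should match the chain they were generated from.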
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..90854a4 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"

+# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
+SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

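Review bot: The comment `# Patch for dm-verity based images - can be removed with SWUpdate 2021.10` disagrees with the cover letter of this series, which states that SWUpdate 2021.11 is needed; one of the two should be corrected so the condition for dropping the backport is unambiguous. The trailing `# end patching for dm-verity based images` line adds nothing for a single SRC_URI line and could be dropped.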
--
2.30.2


[isar-cip-core][RFC 0/8] Read-only root file system with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This patch series adds support for a read-only squashfs based root filesystem
with SWUpdate support and secure boot.

The build is somewhat complex as we need the output of dm-verity to generate
the initramfs. The build is split into the following steps:
1. We build the root file system
2. We generate a squashfs image - this can also be replaced by another image format (e.g. ext4)
3. We build the dm-verity partition from the image and add it to the end of the image
4. We add the resulting verity environment to the initrd

We build the signed efi tool chain.

This series needs SWUpdate 2021.11. The necessary changes are currently backported.

Quirin Gylstorff (8):
Add new class to create a squashfs based root file system
Add classes for dm-verity based rootfs
linux-cip-common: Add options necessary for dm-verity
Create a initrd with support for dm-verity
Create an read-only rootfs with dm-verity
Create systemd mount units for a etc overlay
Mount writable home partition
swupdate: Backport patches from SWUpdate Master

classes/squashfs-img.bbclass | 42 ++++
classes/verity-img.bbclass | 73 +++++++
classes/wic-verity-img.bbclass | 23 +++
kas/opt/verity.yml | 34 ++++
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++
.../etc-overlay-fs/files/etc-sysusers.service | 14 ++
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++
.../files/overlay-parse-etc.service | 12 ++
recipes-core/etc-overlay-fs/files/postinst | 6 +
recipes-core/home-fs/files/home.mount | 11 +
recipes-core/home-fs/files/postinst | 3 +
recipes-core/home-fs/home-fs_0.1.bb | 10 +
.../images/cip-core-image-read-only.bb | 26 +++
.../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
recipes-core/tmp-fs/files/postinst | 3 +
recipes-core/tmp-fs/files/tmp.mount | 11 +
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 +
.../cip-core-initramfs/cip-core-initramfs.bb | 16 ++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++
.../initramfs-verity-hook/files/verity.script | 68 +++++++
.../initramfs-verity-hook_0.1.bb | 39 ++++
recipes-kernel/linux/files/verity.cfg | 5 +
recipes-kernel/linux/linux-cip-common.inc | 6 +
wic/qemu-amd64-read-only.wks.in | 15 ++
27 files changed, 686 insertions(+)
create mode 100644 classes/squashfs-img.bbclass
create mode 100644 classes/verity-img.bbclass
create mode 100644 classes/wic-verity-img.bbclass
create mode 100644 kas/opt/verity.yml
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
create mode 100755 recipes-core/etc-overlay-fs/files/postinst
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
create mode 100644 recipes-kernel/linux/files/verity.cfg
create mode 100644 wic/qemu-amd64-read-only.wks.in

--
2.30.2


[isar-cip-core][RFC 6/8] Create systemd mount units for a etc overlay

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

As /etc is read-only and needs to be accessed by the initrd,
move the user-defined settings to an overlay in /var/local/etc.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++++++++++++++++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++++++++
.../etc-overlay-fs/files/etc-sysusers.service | 14 ++++++++++++++
recipes-core/etc-overlay-fs/files/etc.mount | 13 +++++++++++++
.../files/overlay-parse-etc.service | 12 ++++++++++++
recipes-core/etc-overlay-fs/files/postinst | 6 ++++++
recipes-core/images/cip-core-image-read-only.bb | 1 +
7 files changed, 76 insertions(+)
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
create mode 100755 recipes-core/etc-overlay-fs/files/postinst

diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..f1c8349
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,16 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://etc.mount \
+ file://overlay-parse-etc.service \
+ file://etc-hostname.service \
+ file://etc-sysusers.service"
+
+do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic"
+do_install() {
+ TARGET=${D}/lib/systemd/system
+ install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+ install -m 0644 ${WORKDIR}/overlay-parse-etc.service ${TARGET}/overlay-parse-etc.service
+ install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+ install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service
+}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
new file mode 100644
index 0000000..6caf6b0
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=make systemd-sysusers /etc overlay aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/systemd-sysusers
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
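Review bot: The overlay's upper layer `/var/local/etc` lives on the writable `var` partition, which is outside the dm-verity protected image, so the effective contents of /etc — including what etc-sysusers.service and etc-hostname.service consume after this mount — are not covered by the integrity guarantee; that should be stated in the unit, e.g. `# NOTE: upperdir/workdir are on the unverified /var partition; the merged /etc is not covered by dm-verity`. Also, `noauto` and `x-systemd.automount` are /etc/fstab options handled by the fstab generator; in a .mount unit's `Options=` they are, as far as I can tell, simply passed to mount(8) and ignored, so if on-demand mounting is intended a matching etc.automount unit is needed, otherwise the two options should be dropped to avoid suggesting behaviour that does not occur.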
diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
new file mode 100644
index 0000000..062bb40
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Reload Configuration from the etc overlay
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=!/bin/systemctl daemon-reload
+ExecStart=!/bin/systemctl --no-block isolate multi-user.target
+[Install]
+WantedBy=local-fs.target
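Review bot: `ExecStart=!/bin/systemctl --no-block isolate multi-user.target` stops every unit that is not a dependency of multi-user.target, which is a broad side effect for a unit pulled in by local-fs.target — anything started by the default target but not by multi-user.target would be torn down. A comment stating why a full isolate (rather than a `daemon-reload` plus restarting the units that read /etc) is required would make the intent reviewable. The `!` prefix only matters when `User=` is set, which this unit does not do, so it has no effect here. A blank line before `[Install]` would match the other units in this series.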
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..35641af
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount || true
+deb-systemd-helper enable overlay-parse-etc.service || true
+deb-systemd-helper enable etc-hostname.service || true
+deb-systemd-helper enable etc-sysusers.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 24ace3c..6e2a40a 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -6,6 +6,7 @@ do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"

SQUASHFS_EXCLUDE_DIRS += "home var"

+IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

--
2.30.2


[isar-cip-core][RFC 5/8] Create an read-only rootfs with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/wic-verity-img.bbclass | 8 ++++-
kas/opt/verity.yml | 34 +++++++++++++++++++
.../images/cip-core-image-read-only.bb | 24 +++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount | 11 ++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 +++++
wic/qemu-amd64-read-only.wks.in | 13 +++++++
7 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 kas/opt/verity.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
create mode 100644 wic/qemu-amd64-read-only.wks.in

diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass
index e185cf8..9b8a79e 100644
--- a/classes/wic-verity-img.bbclass
+++ b/classes/wic-verity-img.bbclass
@@ -12,6 +12,12 @@
inherit squashfs-img
inherit verity-img
inherit wic-img
+inherit extract-partition
+inherit swupdate-img

-addtask verity_image after do_squashfs_image
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_squashfs_image
addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/verity.yml b/kas/opt/verity.yml
new file mode 100644
index 0000000..088f44a
--- /dev/null
+++ b/kas/opt/verity.yml
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file creates a image with a read-only rootfs
+# and secure-boot
+
+header:
+ version: 10
+ includes:
+ - efibootguard.yml
+
+target: cip-core-image-read-only
+
+local_conf_header:
+ verity-img: |
+ IMAGE_TYPE = "wic-verity-img"
+ WKS_FILE = "${MACHINE}-read-only.wks.in"
+ VERITY_IMAGE_TYPE = "squashfs"
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+ SWU_DESCRIPTION = "secureboot"
+ SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ secure-boot: |
+ # Add snakeoil and ovmf binaries for qemu
+ IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
+ IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
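Review bot: The file header describes this kas option as producing an image with secure boot, but the `secure-boot` section installs `ebg-secure-boot-snakeoil`, i.e. the publicly available snakeoil test keys, so images built from this file carry no real signing assurance. The section comment mentions qemu, but the header should say so as well, e.g. `# Signing uses the snakeoil test keys (qemu/CI only) - not a production signing setup`.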
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..24ace3c
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,24 @@
+require cip-core-image.bb
+
+INITRAMFS_RECIPE = "cip-core-initramfs"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
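Review bot: `LABEL=var /var auto defaults 0 0` mounts the only writable persistent partition of a dm-verity protected system with `defaults`, i.e. suid, dev and exec allowed; since /var is outside the verity guarantee it is the obvious place for tampered files to persist, so `nosuid,nodev` should be added (`noexec` too if nothing in /var needs to execute, which is not verifiable from this hunk), e.g. `LABEL=var /var auto defaults,nosuid,nodev 0 0`. Mounting by label also means any attached block device carrying a `var` label can be selected; whether wic lets this image pin a PARTUUID instead is not visible here. Separately, `IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"` applies `+=` to a `_remove` override, which is unusual; the conventional form is `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"`.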
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
+
+[Install]
+WantedBy=local-fs.target
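Review bot: `Options=nodev,nosuid,size=500M,mode=755` creates /tmp without the sticky bit and without world write permission, so non-root services and users cannot create files there; /tmp must be mode `1777`. The stock systemd tmp.mount uses `mode=1777,strictatime,nosuid,nodev`, so the line should read `Options=mode=1777,strictatime,nosuid,nodev,size=500M`.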
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-read-only.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
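Review bot: `--append="... rootwait rw earlyprintk"` requests a read-write root while the fstab added in this series mounts `/` with `ro` and the root device is a dm-verity target, which is read-only by construction; whether the `rw` flag reaches the root mount depends on the initramfs verity script, which is not in this hunk, but `ro` is the consistent choice and avoids a read-write attempt on a verity device. The two rawcopy partitions carry the same verity image and hard-coded UUIDs, presumably the A/B root slots; a one-line comment such as `# A/B root slots, both populated from the verity image at build time` would help readers of the .wks.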
--
2.30.2
