Date   

Re: New kernel patches review management

Nobuhiro Iwamatsu
 

Hi Pavel,

It can be created using the API on the project wiki[0]. Since
namespaces are available, we can also create hierarchies such as
5.10.y/v5.10.77 [1].
The wiki page is first filled with the commit ID, then the CIP kernel
developer writes the name after the commit they plan to review.
I believe this is too simple. We should include patch titles, so that
it is easier to review whole series. I also believe we should include
related patches from 4.19/4.4, so that they are reviewed together with
corresponding 5.10 change.
Agree. I have a question.
What are the triggers for creating pages for management?
Perhaps I think each LTS version and RC release will be the trigger. And a page will be created for each trigger.
And we will mainly review the list created on 5.10.y. We will also review patches that are only included in 4.4.y and 4.19.y.
Is this understanding correct?


I'm currently using this format, and scripts to generate it are
already in the repository. Could we use that for review management,
too?
                            v-- patch title
                      v-- stable tree version
                   v-- "o" means we are building it in some
                       configuration, " " means likely not relevant to us
            v-- stable commit id, not quite reliable
  v-- upstream commit id
 |50d50ca00 88c42f  : 5.10| perf bpf: Add missing free to bpf_event__print_bpf_prog_info()
 |51444729b 8ac9df o: 5.10| llc: fix out-of-bound array index in llc_sk_dev_hash()
 |df8fa74a0 8ac9df o: 4.19| llc: fix out-of-bound array index in llc_sk_dev_hash()
 |bf70e4f7d 8ac9df o: 4.4| llc: fix out-of-bound array index in llc_sk_dev_hash()
 |3dd3e81ad 9fec40 .: 5.10| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
 |b5cb963e8 9fec40 .: 4.19| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
 |21e4958e2 9fec40 .: 4.4| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
 |2a126e22e c7c386 o: 5.10| arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
 |f9ee3718b c7c386 o: 4.19| arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
 |78570c445 b8b831 .: 5.10| bpf, sockmap: Remove unhash handler for BPF sockmap usage
 |dbe525054 e0dc3b o: 5.10| bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
 |c45dfa514 1c360c .: 5.10| gve: Fix off by one in gve_tx_timeout()
 |3737feeca 10a6de o: 5.10| seq_file: fix passing wrong private data
 |614a5f5c0 6dc254 .: 5.10| net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any
 |25381c855 e140c7 .: 5.10| net: hns3: fix kernel crash when unload VF while it is being reset
 |14ec321cf 688db0 .: 5.10| net: hns3: allow configure ETS bandwidth of all TCs
 |379d4165f f64ab8 o: 5.10| net: stmmac: allow a tc-taprio base-time of zero
 |3772974cc c7cd82 o: 5.10| vsock: prevent unnecessary refcnt inc for nonblocking connect
 |69eb06075 c7cd82 o: 4.19| vsock: prevent unnecessary refcnt inc for nonblocking connect
 |5a54ee129 c7cd82 o: 4.4| vsock: prevent unnecessary refcnt inc for nonblocking connect
 |6ecbca5bf e5d5aa .: 5.10| net/smc: fix sk_refcnt underflow on linkdown and fallback
 |38bf1ce3e 4ca110 o: 5.10| cxgb4: fix eeprom len when diagnostics not implemented
 |41a958b00 4ca110 o: 4.19| cxgb4: fix eeprom len when diagnostics not implemented
Yes, I had that idea too.

Best regards,
Nobuhiro
________________________________________
差出人: Pavel Machek
送信: 2021 11 月 18 日 (木曜日) 3:09
宛先: iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT)
Cc: pavel@denx.de; cip-dev@lists.cip-project.org; uli@fpond.eu; jan.kiszka@siemens.com; masami.ichikawa@cybertrust.co.jp
件名: Re: New kernel patches review management


Hi!

I considered using the gitlab wiki to switch the current patch review
management to another.

The gitlab wiki can be used as a regular git repository and can be
viewed from his browser by writing its contents in markdown.

   e.g. git clone git@gitlab.com:cip-project/cip-kernel/linux-cip.wiki.git
This looks good.

It can be created using the API on the project wiki[0]. Since
namespaces are available, we can also create hierarchies such as
5.10.y/v5.10.77 [1].
The wiki page is first filled with the commit ID, then the CIP kernel
developer writes the name after the commit they plan to review.
I believe this is too simple. We should include patch titles, so that
it is easier to review whole series. I also believe we should include
related patches from 4.19/4.4, so that they are reviewed together with
corresponding 5.10 change.

I'm currently using this format, and scripts to generate it are
already in the repository. Could we use that for review management,
too?
                            v-- patch title
                      v-- stable tree version
                   v-- "o" means we are building it in some
                       configuration, " " means likely not relevant to us
            v-- stable commit id, not quite reliable
  v-- upstream commit id
 |50d50ca00 88c42f  : 5.10| perf bpf: Add missing free to bpf_event__print_bpf_prog_info()
 |51444729b 8ac9df o: 5.10| llc: fix out-of-bound array index in llc_sk_dev_hash()
 |df8fa74a0 8ac9df o: 4.19| llc: fix out-of-bound array index in llc_sk_dev_hash()
 |bf70e4f7d 8ac9df o: 4.4| llc: fix out-of-bound array index in llc_sk_dev_hash()
 |3dd3e81ad 9fec40 .: 5.10| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
 |b5cb963e8 9fec40 .: 4.19| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
 |21e4958e2 9fec40 .: 4.4| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
 |2a126e22e c7c386 o: 5.10| arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
 |f9ee3718b c7c386 o: 4.19| arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
 |78570c445 b8b831 .: 5.10| bpf, sockmap: Remove unhash handler for BPF sockmap usage
 |dbe525054 e0dc3b o: 5.10| bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
 |c45dfa514 1c360c .: 5.10| gve: Fix off by one in gve_tx_timeout()
 |3737feeca 10a6de o: 5.10| seq_file: fix passing wrong private data
 |614a5f5c0 6dc254 .: 5.10| net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any
 |25381c855 e140c7 .: 5.10| net: hns3: fix kernel crash when unload VF while it is being reset
 |14ec321cf 688db0 .: 5.10| net: hns3: allow configure ETS bandwidth of all TCs
 |379d4165f f64ab8 o: 5.10| net: stmmac: allow a tc-taprio base-time of zero
 |3772974cc c7cd82 o: 5.10| vsock: prevent unnecessary refcnt inc for nonblocking connect
 |69eb06075 c7cd82 o: 4.19| vsock: prevent unnecessary refcnt inc for nonblocking connect
 |5a54ee129 c7cd82 o: 4.4| vsock: prevent unnecessary refcnt inc for nonblocking connect
 |6ecbca5bf e5d5aa .: 5.10| net/smc: fix sk_refcnt underflow on linkdown and fallback
 |38bf1ce3e 4ca110 o: 5.10| cxgb4: fix eeprom len when diagnostics not implemented
 |41a958b00 4ca110 o: 4.19| cxgb4: fix eeprom len when diagnostics not implemented

Best regards,
                                                                Pavel
--
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: New kernel patches review management

Nobuhiro Iwamatsu
 

Hi Ulrich,

The commit content of [1] is an example, so please let me know if you
have any opinions about the format and others.
It would be helpful if each line would also contain the commit title.
I agree.

Other than that it looks good to me.
Thanks!

Best regards,
Nobuhiro

________________________________________
差出人: Ulrich Hecht <uli@fpond.eu>
送信日時: 2021年11月11日 18:04
宛先: cip-dev@lists.cip-project.org; iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT); pavel@denx.de
CC: jan.kiszka@siemens.com; masami.ichikawa@cybertrust.co.jp
件名: Re: [cip-dev] New kernel patches review management


On 11/11/2021 7:29 AM Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
I considered using the gitlab wiki to switch the current patch review
management to another.

The gitlab wiki can be used as a regular git repository and can be
viewed from his browser by writing its contents in markdown.

e.g. git clone git@gitlab.com:cip-project/cip-kernel/linux-cip.wiki.git

It can be created using the API on the project wiki[0]. Since
namespaces are available, we can also create hierarchies such as
5.10.y/v5.10.77 [1].
The wiki page is first filled with the commit ID, then the CIP kernel
developer writes the name after the commit they plan to review.

The commit content of [1] is an example, so please let me know if you
have any opinions about the format and others.
It would be helpful if each line would also contain the commit title.
Other than that it looks good to me.

CU
Uli


CIP IRC weekly meeting today on libera.chat

Jan Kiszka
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today.

Please note that we moved from Freenode to libera.chat. Our channel is
the following:

irc:irc.libera.chat:6667/cip

Furthermore note that the IRC meeting is now scheduled to UTC (GMT) 13:00:

https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=11&day=11&hour=13&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
06:00 09:00 13:00 14:00 21:00 22:00

Last meeting minutes:

https://irclogs.baserock.org/meetings/cip/2021/11/cip.2021-11-11-13.01.log.html

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu & alicef
2. Look into S3 artifact upload issues - patersonc
* Kernel maintenance updates
* Kernel testing
* AOB

Jan


FYI: meta-spdxscanner with meta-debian/deby

Masami Ichikawa
 

Hello !

I modified meta-spdxscanner warrior branch[1] to work with meta-debian.
I tested meta-debian and deby(cip-core/deby). I could build without
errors building core-image-minimal with do_spdx task on both
deby-tiny(DISTRO=deby-tine) and deby(DISTRO=deby) distributions. The
do_spdx task seems working.

From output of spdx files, I can see following lines.

openssl

##File

FileName: spdx_temp/openssl-1.1.1d/include/openssl/x509_vfy.h
SPDXID: SPDXRef-item195247
FileChecksum: SHA1: 5dca1c0a935f3f075642539d399e7c6969ff1214
FileChecksum: MD5: 99fd343f8b3970195c79684291fb6fc9
LicenseConcluded: NOASSERTION
LicenseInfoInFile: LicenseRef-UnclassifiedLicense
FileCopyrightText: <text> Copyright 1995-2019 The OpenSSL Project
Authors. All Rights Reserved. </text>

coreutils

##File

FileName: spdx_temp/coreutils-8.30/src/expand-common.c
SPDXID: SPDXRef-item396438
FileChecksum: SHA1: a11068900b49e7c1732f096ca21ccd1343375eeb
FileChecksum: MD5: 4a6529ea8806170c9be8169a29360fd8
LicenseConcluded: NOASSERTION
LicenseInfoInFile: GPL-3.0+
FileCopyrightText: <text> Copyright (C) 1989-2018 Free Software
Foundation, Inc. </text>


I use following tools and version/revision for fossology related tools.

* fossology

Docker image tag 3.3.0[2].

* fossdriver

master branch commit 18410187b0a90654510f34dd783b456c53e681dd [3].

unfortunately, I'm not sure how to add fossdriver to kas docker
container, so I didn't use docker to build image.

1: https://github.com/masami256/meta-spdxscanner/tree/warrior-metadebian
2: https://hub.docker.com/layers/fossology/fossology/3.3.0/images/sha256-b596124b47a29d24d2fdd63f7ba19b9fc27ce67f090e7ee527b02c07c66b54ee?context=explore
3: https://github.com/fossology/fossdriver/tree/18410187b0a90654510f34dd783b456c53e681dd

Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com


New CVE entries in this week

Masami Ichikawa
 

Hi !

It's this week's CVE report.

This week reported two new CVEs. They have not been fixed in the mainline yet.

* New CVEs

CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

CVSS v3 score is not provided.

OOB read/write bug in aQuantia device driver code. Patch was merged
into the netdev tree on Nov 15.

Fixed status

Not fixed in the mainline yet.

CVE-2021-43976: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv

CVSS v3 score is not provided.

Bug is in the Marvell WiFi-Ex driver code. Patch is being in reviewed
on the linux-wireless list
(https://patchwork.kernel.org/project/linux-wireless/patch/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home/).

Fixed status

Not yet.

* Updated CVEs

CVE-2021-37159: net: hso: do not call unregister if not registered

4.4 and 4.9 have been fixed. All stable kernels are fixed.

Fixed status

mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/4.14: [4c0db9c4b3701c29f47bac0721e2f7d2b15d8edb]
stable/4.19: [f6cf22a1ef49f8e131f99c3f5fd80ab6b23a2d21]
stable/4.4: [cbefdf724282e6a948885f379dc92ab841c2fee0]
stable/4.9: [88b912e02d75bacbb957d817db70e6a54ea3a21c]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]
stable/5.4: [fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa]


CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

stable/4.14 has been fixed.

Fixed status

stable/4.14: [8d6c05da808f8351db844b69a9d6ce7f295214bb]
stable/4.19: [53ec9dab4eb0a8140fc85760fb50effb526fe219]
stable/5.10: [d7fc85f6104259541ec136199d3bf7c8a736613d]
stable/5.14: [02a476ca886dc8155025fe99cbbad4121d029fa7]
stable/5.15: [cb667140875a3b1db92e4c50b4617a7cbf84659b]
stable/5.4: [2461f38384d50dd966e1db44fe165b1896f5df5a]

CVE-2020-27820: use-after-free in nouveau kernel module

Fixed status

Patches were merged in 5.16-rc1.

mainline: [aff2299e0d81b26304ccc6a1ec0170e437f38efc,
abae9164a421bc4a41a3769f01ebcd1f9d955e0e,
f55aaf63bde0d0336c3823bb3713bd4a464abbcf]

CVE-2021-3640: UAF in sco_send_frame function

Patch was merged in 5.16-rc1. Patch for 4.4, 4.9, 4.14, 4.19, and 5.10
are in the stable-rc tree.

Fixed status

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com


Re: New kernel patches review management

Pavel Machek
 

Hi!

I considered using the gitlab wiki to switch the current patch review
management to another.

The gitlab wiki can be used as a regular git repository and can be
viewed from his browser by writing its contents in markdown.

e.g. git clone git@gitlab.com:cip-project/cip-kernel/linux-cip.wiki.git
This looks good.

It can be created using the API on the project wiki[0]. Since
namespaces are available, we can also create hierarchies such as
5.10.y/v5.10.77 [1].
The wiki page is first filled with the commit ID, then the CIP kernel
developer writes the name after the commit they plan to review.
I believe this is too simple. We should include patch titles, so that
it is easier to review whole series. I also believe we should include
related patches from 4.19/4.4, so that they are reviewed together with
corresponding 5.10 change.

I'm currently using this format, and scripts to generate it are
already in the repository. Could we use that for review management,
too?
v-- patch title
v-- stable tree version
v-- "o" means we are building it in some
configuration, " " means likely not relevant to us
v-- stable commit id, not quite reliable
v-- upstream commit id
|50d50ca00 88c42f : 5.10| perf bpf: Add missing free to bpf_event__print_bpf_prog_info()
|51444729b 8ac9df o: 5.10| llc: fix out-of-bound array index in llc_sk_dev_hash()
|df8fa74a0 8ac9df o: 4.19| llc: fix out-of-bound array index in llc_sk_dev_hash()
|bf70e4f7d 8ac9df o: 4.4| llc: fix out-of-bound array index in llc_sk_dev_hash()
|3dd3e81ad 9fec40 .: 5.10| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
|b5cb963e8 9fec40 .: 4.19| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
|21e4958e2 9fec40 .: 4.4| nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
|2a126e22e c7c386 o: 5.10| arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
|f9ee3718b c7c386 o: 4.19| arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
|78570c445 b8b831 .: 5.10| bpf, sockmap: Remove unhash handler for BPF sockmap usage
|dbe525054 e0dc3b o: 5.10| bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
|c45dfa514 1c360c .: 5.10| gve: Fix off by one in gve_tx_timeout()
|3737feeca 10a6de o: 5.10| seq_file: fix passing wrong private data
|614a5f5c0 6dc254 .: 5.10| net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any
|25381c855 e140c7 .: 5.10| net: hns3: fix kernel crash when unload VF while it is being reset
|14ec321cf 688db0 .: 5.10| net: hns3: allow configure ETS bandwidth of all TCs
|379d4165f f64ab8 o: 5.10| net: stmmac: allow a tc-taprio base-time of zero
|3772974cc c7cd82 o: 5.10| vsock: prevent unnecessary refcnt inc for nonblocking connect
|69eb06075 c7cd82 o: 4.19| vsock: prevent unnecessary refcnt inc for nonblocking connect
|5a54ee129 c7cd82 o: 4.4| vsock: prevent unnecessary refcnt inc for nonblocking connect
|6ecbca5bf e5d5aa .: 5.10| net/smc: fix sk_refcnt underflow on linkdown and fallback
|38bf1ce3e 4ca110 o: 5.10| cxgb4: fix eeprom len when diagnostics not implemented
|41a958b00 4ca110 o: 4.19| cxgb4: fix eeprom len when diagnostics not implemented

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity

Christian Storm
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initrd to open a dm-verity partition with a fixed
root hash.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++++++
.../files/verity.script.tmpl | 68 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
5 files changed, 159 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..c4f3dc4
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
Hm, so you explicitly enumerate all scripts except for cryptroot so that
you run (hopefully right?) thereafter.
Isn't it sufficient to make cryptroot dependent on this?
Looks too verbose and complicated...


+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
Why this hard timeout? Shouldn't this be configurable so to match to
different setups of hardware?


+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ ${VERITY_BEHAVIOR_ON_CORRUPTION} \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs!"
The above comment's gist may also help here in case you run into this
output on a machine.


+fi
+
+wait_for_udev 10
Same as above.


+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..a7fbf5a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script.tmpl \
+ "
+
+VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
+
+TEMPLATE_FILES = "verity.script.tmpl"
+TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
+
+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ else
+ bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
+ fi
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
+
+addtask do_install after do_transform_template
--
2.30.2


Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany


Re: [isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity

Christian Storm
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-base.yml | 2 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
11 files changed, 103 insertions(+), 30 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT

endif
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..acb4de0 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -19,3 +19,5 @@ local_conf_header:
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ kernel: |
+ SECURE_BOOT_KERNEL = "1"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..4a9185c 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,24 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml

+target: cip-core-image-read-only

local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_BOOT_KERNEL = "1"
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
Hm, shouldn't size be configurable?


+
+[Install]
+WantedBy=local-fs.target
Is this the right point in time? Isn't /tmp needed before this?


diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2


Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany


Re: [isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay

Christian Storm
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As /etc is read-only and needs to be accessed by the initrd
move the user defined settings to a overlay in /var/local/etc.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++++++++++++++++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++++++++
.../etc-overlay-fs/files/etc-sysusers.service | 14 ++++++++++++++
recipes-core/etc-overlay-fs/files/etc.mount | 13 +++++++++++++
.../files/overlay-parse-etc.service | 12 ++++++++++++
recipes-core/etc-overlay-fs/files/postinst | 6 ++++++
recipes-core/images/cip-core-image-read-only.bb | 1 +
7 files changed, 76 insertions(+)
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
create mode 100755 recipes-core/etc-overlay-fs/files/postinst

diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..f1c8349
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,16 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://etc.mount \
+ file://overlay-parse-etc.service \
+ file://etc-hostname.service \
+ file://etc-sysusers.service"
+
+do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic"
+do_install() {
+ TARGET=${D}/lib/systemd/system
+ install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+ install -m 0644 ${WORKDIR}/overlay-parse-etc.service ${TARGET}/overlay-parse-etc.service
+ install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+ install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service
+}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
new file mode 100644
index 0000000..6caf6b0
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=make systemd-sysusers /etc overlay aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/systemd-sysusers
+
+[Install]
+WantedBy=basic.target
Hm, why do you replace/create those services instead of augmenting the
current default ones via conf.d'lets?
Why is this one here dependent on network?
Why does this differ that much from upstream service files, see, e.g.,
https://github.com/systemd/systemd/blob/main/units/systemd-sysusers.service


diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
new file mode 100644
index 0000000..062bb40
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Reload Configuration from the etc overlay
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=!/bin/systemctl daemon-reload
+ExecStart=!/bin/systemctl --no-block isolate multi-user.target
Wow, this is a big cannon, why do you need this? Isn't there another way?


+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..35641af
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount || true
+deb-systemd-helper enable overlay-parse-etc.service || true
+deb-systemd-helper enable etc-hostname.service || true
+deb-systemd-helper enable etc-sysusers.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 7ef2dc2..ceb6ac4 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -2,6 +2,7 @@ require cip-core-image.bb

SQUASHFS_EXCLUDE_DIRS += "home var"

+IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

--
2.30.2


Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany


Re: [isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home

Quirin Gylstorff
 

On 11/17/21 11:27 AM, Christian Storm via lists.cip-project.org wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
A note where this comes from, where it's supposed to go in oder to get
rid of this patch here eventually would be helpful.
I will add a link to the discussion of the Patch on the ISAR mailing list[1] in the next version.

[1]: https://groups.google.com/g/isar-users/c/wlanc7f7UnQ

Kind regards
Quirin


Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas-cip.yml | 4 +++
...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch

diff --git a/kas-cip.yml b/kas-cip.yml
index dc56729..8226954 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -25,6 +25,10 @@ repos:
refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
layers:
meta:
+ patches:
+ fix-pseudo:
+ repo: cip-core
+ path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
bblayers_conf_header:
standard: |
diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
new file mode 100644
index 0000000..34704f0
--- /dev/null
+++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
@@ -0,0 +1,35 @@
+From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+Date: Wed, 3 Nov 2021 13:53:00 +0100
+Subject: [PATCH] Fix permissions when splitting rootfs folders across
+ partitions.
+
+This patches ensures that the file database containing the file and
+folder usernames and permissions is always located relative to the
+source and not to the appended rootfs-dir.
+
+Prior to this patch, the database was not found when using
+-rootfs-dir in the WIC script, leading to erronous file
+permissions and ownership.
+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+---
+ scripts/lib/wic/plugins/source/rootfs.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
+index 96d940a9..5ab771e5 100644
+--- a/scripts/lib/wic/plugins/source/rootfs.py
++++ b/scripts/lib/wic/plugins/source/rootfs.py
+@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
+
+ part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+ part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
+- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
+ if not os.path.lexists(pseudo_dir):
+ logger.warn("%s folder does not exist. "
+ "Usernames and permissions will be invalid " % pseudo_dir)
+--
+2.30.2
+
--
2.30.2
Kind regards,
Christian


Re: [isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master

Quirin Gylstorff
 

On 11/17/21 11:40 AM, Christian Storm via lists.cip-project.org wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices
Why not upgrade to a newer version of SWUpdate instead of backporting
stuff? There's no real advantage to stay on a "release" as SWUpdate
follows rolling releases -- granted, you have to do the qualification
but that applies to "releases" as well...
The build of SWUpdate uses dpkg-gbp to follow the Debian build of SWUpdate with sources from [1].

As Debian only follows fixed release , currently 2021.04, I patched the version.
This patchset is no longer necessary after Debian uses the next Release
SWUpdate version.

[1]: https://salsa.debian.org/debian/swupdate.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 193 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch

diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..f143207
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
@@ -0,0 +1,188 @@
+From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] add patches for dm-verity
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 153 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..5db0e61
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,68 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@siemens.com>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@siemens.com>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Hm, why is your sign-off needed here as you've grabbed that directly
from SWUpdate's repo?
I will fix it in a new version.

++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..a62d59c
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,83 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@denx.de>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@denx.de>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Same question as above applies here.
New version is in work

++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..90854a4 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"
+# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
+SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
--
2.30.2
Kind regards,
Christian
Quirin


[isar-cip-core v2 1/3] cip-core-image-security: remove unnecessary dependency package names

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

It is not necessary to mention the dependency package names in the recipe
because their names are changed when different distribution version
is used, and anyway the package manager will install the correct version
of dependencies when installing the main package, so it is safer to remove
the dependency packages here.

e.g:
For the Package: nftables
Dependecy package name in buster: libnftables0
Dependecy package name in bullseye: libnftables1

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
recipes-core/images/cip-core-image-security.bb | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..c613dc9 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,20 +17,20 @@ IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features
IMAGE_PREINSTALL += " \
- openssl libssl1.1 \
+ openssl \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
syslog-ng-core syslog-ng-mod-journal \
- aide aide-common \
- libnftables0 nftables \
+ aide \
+ nftables \
libpam-pkcs11 \
chrony \
tpm2-tools \
tpm2-abrmd \
- libtss2-esys0 libtss2-udev \
+ libtss2-esys0 \
libpam-cracklib \
acl \
- libauparse0 audispd-plugins auditd \
+ audispd-plugins auditd \
uuid-runtime \
sudo \
"
--
2.20.1


[isar-cip-core v2 3/3] Kconfig: Enable Security extensions for bullseye image

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
Kconfig | 1 -
1 file changed, 1 deletion(-)

diff --git a/Kconfig b/Kconfig
index 8421f1b..3b882d6 100644
--- a/Kconfig
+++ b/Kconfig
@@ -115,7 +115,6 @@ config KAS_INCLUDE_IMAGE_FORMAT

config IMAGE_SECURITY
bool "Security extensions"
- depends on DEBIAN_BUSTER

config KAS_INCLUDE_SECURITY
string
--
2.20.1


[isar-cip-core v2 2/3] cip-core-image-security: Install packages based on DISTRO version

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

Package names like below have different names in different DISTRO versions
and those packages should be installed based on the Distro version is
selected.

Package name in Buster: libtss2-esys0
Package name in Bullseye: libtss2-esys-3.0.2-0

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
recipes-core/images/cip-core-image-security.bb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index c613dc9..3ea544a 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -27,10 +27,15 @@ IMAGE_PREINSTALL += " \
chrony \
tpm2-tools \
tpm2-abrmd \
- libtss2-esys0 \
libpam-cracklib \
acl \
audispd-plugins auditd \
uuid-runtime \
sudo \
"
+
+OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
+
+# Package names based on the distro version
+IMAGE_PREINSTALL_append_buster = " libtss2-esys0"
+IMAGE_PREINSTALL_append_bullseye = " libtss2-esys-3.0.2-0"
--
2.20.1


[isar-cip-core v2 0/3] Security extensions for bullseye image

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This patch series enable security extension for bullseye image.

It fixes the below two problems
- package not found due to dependency package names are changed in
bullseye version, so remove the dependency packages and allowed
package manager to install correct package names.
- package not found due to main package name is changed in bullseye
version, so install the packages based on DISTRO version selected.

venkata pyla (3):
cip-core-image-security: remove unnecessary dependency package names
cip-core-image-security: Install packages based on DISTRO version
Kconfig: Enable Security extensions for bullseye image

Kconfig | 1 -
recipes-core/images/cip-core-image-security.bb | 15 ++++++++++-----
2 files changed, 10 insertions(+), 6 deletions(-)

--
2.20.1


Re: [isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master

Christian Storm
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices
Why not upgrade to a newer version of SWUpdate instead of backporting
stuff? There's no real advantage to stay on a "release" as SWUpdate
follows rolling releases -- granted, you have to do the qualification
but that applies to "releases" as well...


Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 193 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch

diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..f143207
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
@@ -0,0 +1,188 @@
+From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] add patches for dm-verity
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 153 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..5db0e61
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,68 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@siemens.com>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@siemens.com>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Hm, why is your sign-off needed here as you've grabbed that directly
from SWUpdate's repo?

++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..a62d59c
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,83 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@denx.de>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@denx.de>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Same question as above applies here.

++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..90854a4 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"

+# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
+SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

--
2.30.2

Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany


Re: [isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home

Christian Storm
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

A note where this comes from, where it's supposed to go in oder to get
rid of this patch here eventually would be helpful.


Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas-cip.yml | 4 +++
...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch

diff --git a/kas-cip.yml b/kas-cip.yml
index dc56729..8226954 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -25,6 +25,10 @@ repos:
refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
layers:
meta:
+ patches:
+ fix-pseudo:
+ repo: cip-core
+ path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch

bblayers_conf_header:
standard: |
diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
new file mode 100644
index 0000000..34704f0
--- /dev/null
+++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
@@ -0,0 +1,35 @@
+From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+Date: Wed, 3 Nov 2021 13:53:00 +0100
+Subject: [PATCH] Fix permissions when splitting rootfs folders across
+ partitions.
+
+This patches ensures that the file database containing the file and
+folder usernames and permissions is always located relative to the
+source and not to the appended rootfs-dir.
+
+Prior to this patch, the database was not found when using
+-rootfs-dir in the WIC script, leading to erronous file
+permissions and ownership.
+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+---
+ scripts/lib/wic/plugins/source/rootfs.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
+index 96d940a9..5ab771e5 100644
+--- a/scripts/lib/wic/plugins/source/rootfs.py
++++ b/scripts/lib/wic/plugins/source/rootfs.py
+@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
+
+ part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+ part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
+- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
+ if not os.path.lexists(pseudo_dir):
+ logger.warn("%s folder does not exist. "
+ "Usernames and permissions will be invalid " % pseudo_dir)
+--
+2.30.2
+
--
2.30.2


Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany


[isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 193 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch

diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..f143207
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
@@ -0,0 +1,188 @@
+From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] add patches for dm-verity
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 153 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..5db0e61
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,68 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@siemens.com>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@siemens.com>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..a62d59c
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,83 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@denx.de>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@denx.de>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..90854a4 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"

+# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
+SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

--
2.30.2


[isar-cip-core]RFC v2 7/9] Mount writable home partition

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add an example how to add an writable home partition

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/home-fs/files/home.mount | 11 +++++++++++
recipes-core/home-fs/files/postinst | 3 +++
recipes-core/home-fs/home-fs_0.1.bb | 10 ++++++++++
recipes-core/images/cip-core-image-read-only.bb | 1 +
wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++
5 files changed, 27 insertions(+)
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb

diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount
new file mode 100644
index 0000000..31272a0
--- /dev/null
+++ b/recipes-core/home-fs/files/home.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Mount /home partition
+
+[Mount]
+What=/dev/disk/by-partlabel/home
+Where=/home
+Type=auto
+Options=defaults
+
+[Install]
+WantedBy=local-fs.target
\ No newline at end of file
diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst
new file mode 100755
index 0000000..f6184d6
--- /dev/null
+++ b/recipes-core/home-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable home.mount || true
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb
new file mode 100644
index 0000000..c2b31c1
--- /dev/null
+++ b/recipes-core/home-fs/home-fs_0.1.bb
@@ -0,0 +1,10 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://home.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount
+
+}
\ No newline at end of file
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index ceb6ac4..79cd6bf 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -3,6 +3,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"

IMAGE_INSTALL += "etc-overlay-fs"
+IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index c4ea0c8..81fd4fe 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G
part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G

bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2


[isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-base.yml | 2 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
11 files changed, 103 insertions(+), 30 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT

endif
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..acb4de0 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -19,3 +19,5 @@ local_conf_header:
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ kernel: |
+ SECURE_BOOT_KERNEL = "1"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..4a9185c 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,24 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml

+target: cip-core-image-read-only

local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_BOOT_KERNEL = "1"
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2

1421 - 1440 of 8370