
[isar-cip-core][RFC v3 5/9] Create an read-only rootfs with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

The mount point for /tmp is created during the systemd target
local-fs according to [1].

Until systemd's `Remount Root and Kernel File Systems` step has run, the /tmp
of the initrd is still in use.

[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-base.yml | 2 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++++++++++++++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
11 files changed, 120 insertions(+), 30 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT

endif
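Review bot: With this single default, a secure-boot build with IMAGE_SWUPDATE disabled still gets SWUpdate: `kas/opt/ebg-secure-boot-snakeoil.yml` itself appends `swupdate` to IMAGE_INSTALL and sets `IMAGE_TYPE = "secure-swupdate-img"`, so the IMAGE_SWUPDATE choice is silently ignored whenever IMAGE_SECURE_BOOT is set. If that coupling is intended, say so in the help text of IMAGE_SECURE_BOOT (outside this hunk); otherwise keep a second default so a secure-boot image without the update agent remains buildable. The only secure-boot include is also the snakeoil one, i.e. test keys; a comment next to the default such as `# snakeoil = test keys only, not for shipping images` would keep that from being overlooked.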
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
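Review bot: The class has no comment describing the pipeline it wires up, although the four `addtask` lines are the whole point of the file. I would add above them: `# fs image -> verity hash tree appended (do_verity_image) -> initrd embeds the root hash -> wic disk image -> extracted rootfs partition -> .swu`. Also, `do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"` only orders the initramfs before wic; whether the initramfs is rebuilt whenever `do_verity_image` yields a new root hash depends on the initramfs recipe's own dependencies, which are not visible here, and a stale root hash inside the signed unified kernel would make the image unbootable. Stating that expectation in the comment would help anyone changing the task graph later.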
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..acb4de0 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -19,3 +19,5 @@ local_conf_header:
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ kernel: |
+ SECURE_BOOT_KERNEL = "1"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..4a9185c 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,24 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml

+target: cip-core-image-read-only

local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_BOOT_KERNEL = "1"
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
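Review bot: `SECURE_BOOT_KERNEL = "1"` in the new `verity-img` section duplicates the setting added to `kas/opt/ebg-secure-boot-base.yml`, which this file includes (line 111), so the two copies can drift; drop it here and keep the single definition in the base file. `IMAGE_INSTALL_append = " swupdate"` is now unconditional in a file that Kconfig selects purely on IMAGE_SECURE_BOOT; if that is intended, a one-line comment `# secure boot implies SWUpdate + read-only dm-verity rootfs` above the `swupdate:` section would make the coupling visible.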
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
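Review bot: `/var` is the only writable filesystem in this image but is mounted with plain `defaults`, so anything that can write there can drop setuid binaries or device nodes that the read-only, verity-protected root itself cannot hold. Mount it as `LABEL=var /var auto defaults,nosuid,nodev 0 0`, matching the flags `/run` already has; `noexec` is a further option if nothing in /var needs to execute. `IMAGE_INSTALL_remove += "..."` is unusual — `_remove` already accumulates, so `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"` is the expected form. `/home` is excluded from the squashfs but has no fstab entry here; presumably a later patch in the series adds a mount unit, which a short comment on the `SQUASHFS_EXCLUDE_DIRS` line could say.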
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
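Review bot: `|| true` hides a failure to enable `tmp.mount`, yet the commit message states that a writable /tmp is required for an error-free boot; the unit is installed by this same package into /lib/systemd/system, so enabling it should not fail and a failure is worth aborting on: `deb-systemd-helper enable tmp.mount`. If the tolerance is deliberate, a comment saying why (`# tolerate missing systemd helper on non-systemd targets`) is needed so it is not "fixed" later.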
diff --git a/recipes-core/tmp-fs/files/tmp.mount.tmpl b/recipes-core/tmp-fs/files/tmp.mount.tmpl
new file mode 100644
index 0000000..fcb2f3e
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount.tmpl
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=${TMP_OPTIONS}
+
+[Install]
+WantedBy=local-fs.target
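Review bot: `Options=${TMP_OPTIONS}` does not match the variable the recipe exports for substitution — `tmp-fs_0.1.bb` defines `TMP_FS_OPTIONS` and lists only that in `TEMPLATE_VARS`, so `${TMP_OPTIONS}` is left unsubstituted (or empty, depending on the template step) and the tmpfs loses `nosuid,nodev` and its size limit. Change it to `Options=${TMP_FS_OPTIONS}`. A comment at the top of the unit, `# Options are filled in at build time from TMP_FS_SIZE / TMP_FS_MODE`, would tell the next reader where the values come from.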
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..3ec20c7
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount.tmpl"
+
+TMP_FS_SIZE ?= "500M"
+TMP_FS_MODE ?= "755"
+TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_SIZE},mode=${TMP_MODE}"
+
+TEMPLATE_FILES = "tmp.mount.tmpl"
+TEMPLATE_VARS += "TMP_FS_OPTIONS"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
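Review bot: `TMP_FS_OPTIONS` refers to `${TMP_SIZE}` and `${TMP_MODE}`, but the variables defined two lines above are `TMP_FS_SIZE` and `TMP_FS_MODE`, so the generated options are `size=,mode=`, which mount(8) rejects and the tmpfs never appears. Beyond the typo, `mode=755` makes /tmp writable only by root; the conventional mode for a tmpfs /tmp is `1777` (world-writable with the sticky bit so users cannot remove each other's files). I would write `TMP_FS_MODE ?= "1777"` and `TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_FS_SIZE},mode=${TMP_FS_MODE}"`; `noexec` is worth considering as well if nothing on the target executes from /tmp.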
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
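Review bot: The kernel command line ends in `rootwait rw`, while the image's fstab mounts `/` `ro` and the root is a dm-verity device backed by a squashfs image; squashfs is always read-only and a verity target is read-only too, so `rw` at best does nothing and at worst yields a mount error the initramfs has to cope with. Use `ro`: `bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait ro earlyprintk"`. A comment above the two `rawcopy` lines — that they are the A/B verity root slots, presumably located by the initramfs via the fixed partition UUIDs, and that `--fixed-size 1G` must stay at least data image plus appended hash tree — would also help.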
--
2.30.2


[isar-cip-core][RFC v3 2/9] Add verity-img.bbclass for dm-verity based rootfs

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The output of `veritysetup` is needed to generate the initrd, therefore
do_verity_image must run before wic generates the final disk image.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 classes/verity-img.bbclass

diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass
new file mode 100644
index 0000000..3c94643
--- /dev/null
+++ b/classes/verity-img.bbclass
@@ -0,0 +1,73 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+IMAGER_INSTALL += "cryptsetup"
+
+VERITY_IMAGE_TYPE ?= "squashfs"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
+VERITY_HASH_BLOCK_SIZE ?= "1024"
+VERITY_DATA_BLOCK_SIZE ?= "1024"
+
+create_verity_env_file() {
+
+ local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
+ rm -f $ENV
+
+ local input="${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ # remove header from verity meta data
+ sed -i '/VERITY header information for/d' $input
+ IFS=":"
+ while read KEY VAL; do
+ printf '%s=%s\n' \
+ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+ "$(echo "$VAL" | tr -d ' \t')" >> $ENV
+ done < $input
+}
+
+verity_setup() {
+ rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+ rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}
+
+ cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+
+ image_do_mounts
+ sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
+ --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
+ --data-blocks "${VERITY_DATA_BLOCKS}" \
+ --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ >"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+
+ echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
+ >>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+}
+
+do_verity_image[cleandirs] = "${WORKDIR}/verity"
+python do_verity_image() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+
+ bb.build.exec_func('verity_setup', d)
+ bb.build.exec_func('create_verity_env_file', d)
+}
+addtask verity_image before do_image after do_image_tools
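Review bot: The size check in `do_verity_image` uses `assert`, which yields a Python traceback instead of a bitbake error and carries an f-string with no placeholders; replace it with `if size % data_block_size != 0: bb.fatal(f"{image_file}: size {size} is not a multiple of VERITY_DATA_BLOCK_SIZE={data_block_size}")`. In `verity_setup`, `veritysetup format` is invoked without `--hash`, so the digest algorithm — and hence the root hash the initramfs must verify — follows whatever default the cryptsetup in the build chroot has; pinning `--hash sha256` keeps the format stable across tool versions. The generated `.verity.env` holds the root hash; it is only trustworthy once embedded in the signed unified kernel, so a comment in `create_verity_env_file` that this file is build-time input for the initramfs and must never be read from an unsigned partition on the device would document the trust boundary.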
--
2.30.2


[isar-cip-core][RFC v3 3/9] linux-cip-common: Add options necessary for dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The CIP kernel config does not enable dm-verity or squashfs support.
OverlayFS support is added for the /etc overlay.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-kernel/linux/files/verity.cfg | 5 +++++
recipes-kernel/linux/linux-cip-common.inc | 4 ++++
2 files changed, 9 insertions(+)
create mode 100644 recipes-kernel/linux/files/verity.cfg

diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
new file mode 100644
index 0000000..35d8208
--- /dev/null
+++ b/recipes-kernel/linux/files/verity.cfg
@@ -0,0 +1,5 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
+CONFIG_OVERLAY_FS=y
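Review bot: `CONFIG_DM_CRYPT=y` is enabled although nothing in this series or the commit message uses dm-crypt (the description names only dm-verity, squashfs and OverlayFS); either drop it or state why it is needed, since every extra built-in is attack surface in a kernel meant for a hardened image. A comment per option is cheap here: `# dm-verity protected rootfs`, `# squashfs rootfs image`, `# overlay for writable /etc`.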
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..bbbf812 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -28,3 +28,7 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"

S = "${WORKDIR}/linux-cip-v${PV}"
+
+SECURE_BOOT_KERNEL ?= "0"
+
+SRC_URI += "${@'file://verity.cfg' if d.getVar('SECURE_BOOT_KERNEL') == '1' else ''}"
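Review bot: `SECURE_BOOT_KERNEL` gates `verity.cfg`, which adds dm-verity/squashfs/overlayfs — nothing in it is specific to UEFI secure boot, and a signed kernel can be built without verity, so the name misleads. Either rename the switch after what it does (`VERITY_KERNEL` or similar, keeping the old name as an alias for the kas files that set it) or document it: `# SECURE_BOOT_KERNEL: add the dm-verity/squashfs/overlayfs options needed by the read-only rootfs`.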
--
2.30.2


[isar-cip-core][RFC v3 1/9] Add new class to create a squashfs based root file system

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This file system is read-only and has a reduced image size.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/squashfs-img.bbclass | 41 ++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 classes/squashfs-img.bbclass

diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
new file mode 100644
index 0000000..0fcfca5
--- /dev/null
+++ b/classes/squashfs-img.bbclass
@@ -0,0 +1,41 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
+
+IMAGER_INSTALL += "squashfs-tools"
+
+SQUASHFS_EXCLUDE_DIRS ?= ""
+SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
+SQUASHFS_CREATION_ARGS ?= " "
+# Generate squashfs filesystem image
+python __anonymous() {
+ exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
+ if len(exclude_directories) == 0:
+ return
+ # use wildcard to exclude only content of the the directory
+ # this allows to use the directory as a mount point
+ args = " -wildcards"
+ for dir in exclude_directories:
+ args += " -e {dir}/* ".format(dir=dir)
+ d.appendVar('SQUASHFS_CREATION_ARGS', args)
+}
+
+do_squashfs_image() {
+ rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
+
+ image_do_mounts
+
+ sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
+ "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SQUASHFS_CREATION_ARGS}
+}
+addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
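Review bot: `${SQUASHFS_CREATION_ARGS}` is expanded unquoted, so the `-e home/* var/*` arguments built by the anonymous function pass through host-shell globbing before they reach mksquashfs inside the chroot: a matching path in the task's cwd rewrites them, and a `nullglob`-style shell setting drops them entirely. Disable globbing around that command (`set -f` before the `sudo chroot` line, `set +f` after) or pass the excludes via an exclude file. Whether `*` under `-wildcards` also matches dot-entries directly below `home`/`var` is worth checking against mksquashfs(1) for the version in use, as a dot-directory there would still be baked into the read-only image; a short comment on the `-wildcards` line recording the answer would save the next reader the same check.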
--
2.30.2


[isar-cip-core][RFC v3 0/9] Read-only root file system with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patch series adds support for a read-only squashfs based root filesystem
with SWUpdate support and secure boot.

The build is somewhat complex as we need the output of dm-verity to generate
the initramfs. The build is split in the following steps
1. Build the root file system
2. Generate a squashfs image - this can also be replace by another image format(e.g. ext4)
3. Build from the image the dm-verity partition and add it to the end of the image
4. Add the resulting verity environment to the initrd
5. Build the signed efi tool chain.

This series needs SWUpdate 2021.11. The necessary changes are currently backported.

Changes in V2:
- rebase onto orgin/next
- adapt Kconfig to new ebg-secure-boot-snakeoil.yml by deleting unnecessary options
- Cleanup to support different file-systems for verity-img
- tested with ext4 and squashfs
- simplified kernel patching
- prepend not necessary
- added flag to enable/disable
- whitespaces for readability
- integrated into ebg-secure-boot-snakeoil
- make behavior on corruption configurable during build time.
- default is restart on corruption
- add ISAR patch for correct permissions

Changes in V3:
- Configurable size of /tmp
- remove unnecessary overlay-parse-etc.service
- convert etc-sysusers to drop in configuration of systemd-sysusers.service
- extend commit messages


Quirin Gylstorff (9):
Add new class to create a squashfs based root file system
Add verity-img.bbclass for dm-verity based rootfs
linux-cip-common: Add options necessary for dm-verity
Create a initrd with support for dm-verity
Create an read-only rootfs with dm-verity
Create systemd mount units for a etc overlay
Mount writable home partition
kas: Patch isar for correct permissions in var and home
swupdate: Backport patches from SWUpdate Master

Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++
classes/squashfs-img.bbclass | 41 ++++
classes/verity-img.bbclass | 73 +++++++
kas-cip.yml | 4 +
kas/opt/ebg-secure-boot-base.yml | 2 +
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +-
...when-splitting-rootfs-folders-across.patch | 35 ++++
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++
.../files/etc-sshd-regen-keys.conf | 7 +
.../etc-overlay-fs/files/etc-sysusers.conf | 4 +
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++
recipes-core/etc-overlay-fs/files/postinst | 4 +
recipes-core/home-fs/files/home.mount | 12 ++
recipes-core/home-fs/files/postinst | 3 +
recipes-core/home-fs/home-fs_0.1.bb | 20 ++
.../images/cip-core-image-read-only.bb | 22 ++
...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
recipes-core/tmp-fs/files/postinst | 3 +
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++
.../cip-core-initramfs/cip-core-initramfs.bb | 10 +-
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++
.../files/verity.script.tmpl | 68 +++++++
.../initramfs-verity-hook_0.1.bb | 51 +++++
recipes-kernel/linux/files/verity.cfg | 5 +
recipes-kernel/linux/linux-cip-common.inc | 4 +
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -
wic/qemu-amd64-efibootguard-secureboot.wks.in | 15 ++
32 files changed, 739 insertions(+), 19 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
create mode 100644 classes/squashfs-img.bbclass
create mode 100644 classes/verity-img.bbclass
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100755 recipes-core/etc-overlay-fs/files/postinst
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
rename kas/opt/ebg-snakeoil-swu.yml => recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb (61%)
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
create mode 100644 recipes-kernel/linux/files/verity.cfg
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

--
2.30.2


Re: [isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity

Quirin Gylstorff
 

On 11/19/21 2:29 PM, Christian Storm via lists.cip-project.org wrote:
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..c4f3dc4
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
Hm, so you explicitly enumerate all scripts except for cryptroot so that
you run (hopefully right?) thereafter.
Isn't it sufficient to make cryptroot dependent on this?
Looks too verbose and complicated...
It is the same scripting as cryptroot uses in Debian 11 which inspired this
script. See [1].
[1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot
Anyway, this doesn't answer the questions?
Kind regards,
Christian

The `verity.script` should be executed as the last script in the local-top init phase. If the cryptroot script exists, `verity.script` is the second to last script.

If the package `cryptsetup-initramfs` is always installed an entry in the cryptroot script would be enough. We have currently no dependency to
`cryptsetup-initramfs`.

If we want to change the cryptroot dependency we need to patch the necessary scripts/packages. Patching other packages is something I like to avoid for this feature.


Quirin

--


Re: [isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi testing

Lad Prabhakar
 

Hi Jan,

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: 23 November 2021 06:29
To: Prabhakar Mahadev Lad <prabhakar.mahadev-lad.rj@bp.renesas.com>; cip-dev@lists.cip-project.org;
Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>; Pavel Machek <pavel@denx.de>
Subject: Re: [cip-dev][isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi
testing

On 22.11.21 18:37, Prabhakar Mahadev Lad wrote:
Hi Jan,

Thank you for the quick response.

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: 22 November 2021 11:28
To: Prabhakar Mahadev Lad <prabhakar.mahadev-lad.rj@bp.renesas.com>;
cip-dev@lists.cip-project.org; Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp>; Pavel Machek <pavel@denx.de>
Subject: Re: [cip-dev][isar-cip-core][RFC PATCH] customizations: Add
FW and tools required for wifi testing

On 22.11.21 12:19, Lad Prabhakar wrote:
Add firmware and tools required for testing wifin on hihope-rzg2m.

Signed-off-by: Lad Prabhakar
<prabhakar.mahadev-lad.rj@bp.renesas.com>
---
Hi All,

Sending an RFC as I am not sure if this is the right place to add
this. I wanted to add the debian package depends in machine.conf
file but didnt find any variables.
IMAGE_INSTALL_append would work there, see eg.
https://github.com/siemens/jailhouse-images/blob/master/conf/machine/rpi4.conf
Adding IMAGE_INSTALL/IMAGE_PREINSTALL machine.conf didn’t help for me, I was seeing below issues:

| ERROR: Nothing PROVIDES 'wireless-regdb' (but
| /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise
| requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image',
| 'wireless-regdb']

| ERROR: Nothing PROVIDES 'wireless-tools' (but
| /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise
| requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image',
| 'wireless-tools']

| ERROR: Nothing PROVIDES 'firmware-ti-connectivity' (but
| /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise
| requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image',
| 'firmware-ti-connectivity']

| ERROR: Nothing PROVIDES 'iw' (but
| /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise
| requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image',
| 'iw']

As above didn’t work and customizations.bb is the only place were I was able to grep for
DEBIAN_DEPENDS variable I went this approach 😉.
(Note also adding DEBIAN_DEPENDS in machine.conf didn’t work.)

Is there something which I am missing that would make it work with IMAGE_INSTALL_append variable?
DEBIAN_DEPENDS is the wrong variable to touch at global configuration level. As in the references
example, you need to extend the IMAGE_PREINSTALL (for Debian packages; IMAGE_INSTALL would be for
self-built ones):
Aha I missed that, thanks for the pointer.

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf index a2ae03d..4c611ae
100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -17,3 +17,5 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig"
USE_CIP_KERNEL_CONFIG = "1"
DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
+
+IMAGE_PREINSTALL_append = " firmware-ti-connectivity"


Whether we want to "hard-code" the installation wireless firmware in
the machine conf here is a different question. Maybe customizations is not that a bad place.
If adding IMAGE_INSTALL_append works in machine.conf, will go with this approach, as that would not
disturb other platform builds.
You would still have to add/request the generic wireless tools somewhere. For that, you either need to
touch the customization package
(DEBIAN_DEPENDS) or directly expand the IMAGE_PREINSTALL list in cip-core-image.bb. How about this
pattern?
+1

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf index a2ae03d..4f4ee81
100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -17,3 +17,6 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig"
USE_CIP_KERNEL_CONFIG = "1"
DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
+
+WIRELESS_FIRMWARE_PACKAGE = "firmware-ti-connectivity"
+INSTALL_WIRELESS_TOOLS ?= "1"
diff --git a/recipes-core/customizations/customizations.bb b/recipes-
core/customizations/customizations.bb
index 932b11c..1c2a125 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -18,10 +18,15 @@ SRC_URI = " \
file://ethernet \
file://99-silent-printk.conf"

+WIRELESS_FIRMWARE_PACKAGE ?= ""
+INSTALL_WIRELESS_TOOLS ??= "0"
+
DEPENDS += "sshd-regen-keys"

DEBIAN_DEPENDS = " \
- ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys"
+ ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys, \
+ ${@('iw, wireless-regdb, wireless-tools, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \
+ if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}"

do_install() {
install -v -d ${D}/etc/network/interfaces.d
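Review bot: `'iw, wireless-regdb, wireless-tools, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')` leaves a dangling `, ` in DEBIAN_DEPENDS when `WIRELESS_FIRMWARE_PACKAGE` is the default empty string, and raises a TypeError if a downstream layer unsets the variable (getVar then returns None). Building a list and joining it avoids both: `${@', '.join(['iw', 'wireless-regdb', 'wireless-tools'] + (d.getVar('WIRELESS_FIRMWARE_PACKAGE') or '').split()) if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}`. The `sshd-regen-keys, \` line likewise ends in a comma when the tools are disabled; dpkg is lenient about trailing commas in Depends, but it is worth confirming with the debian tooling used here rather than relying on it.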

Avoids enforcing wireless installation when using the machine conf, only when using our customization
package, something that downstream layers usually don't do.
Agreed, will follow the same.

Cheers,
Prabhakar

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi testing

Jan Kiszka
 

On 22.11.21 18:37, Prabhakar Mahadev Lad wrote:
Hi Jan,

Thank you for the quick response.

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: 22 November 2021 11:28
To: Prabhakar Mahadev Lad <prabhakar.mahadev-lad.rj@bp.renesas.com>; cip-dev@lists.cip-project.org;
Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>; Pavel Machek <pavel@denx.de>
Subject: Re: [cip-dev][isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi
testing

On 22.11.21 12:19, Lad Prabhakar wrote:
Add firmware and tools required for testing wifin on hihope-rzg2m.

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
Hi All,

Sending an RFC as I am not sure if this is the right place to add
this. I wanted to add the debian package depends in machine.conf file
but didnt find any variables.
IMAGE_INSTALL_append would work there, see eg.
https://github.com/siemens/jailhouse-images/blob/master/conf/machine/rpi4.conf
Adding IMAGE_INSTALL/IMAGE_PREINSTALL machine.conf didn’t help for me, I was seeing below issues:

| ERROR: Nothing PROVIDES 'wireless-regdb' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'wireless-regdb']

| ERROR: Nothing PROVIDES 'wireless-tools' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'wireless-tools']

| ERROR: Nothing PROVIDES 'firmware-ti-connectivity' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'firmware-ti-connectivity']

| ERROR: Nothing PROVIDES 'iw' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'iw']

As above didn’t work and customizations.bb is the only place were I was able to grep for DEBIAN_DEPENDS variable I went this approach 😉.
(Note also adding DEBIAN_DEPENDS in machine.conf didn’t work.)

Is there something which I am missing that would make it work with IMAGE_INSTALL_append variable?
DEBIAN_DEPENDS is the wrong variable to touch at global configuration
level. As in the references example, you need to extend the
IMAGE_PREINSTALL (for Debian packages; IMAGE_INSTALL would be for
self-built ones):

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf
index a2ae03d..4c611ae 100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -17,3 +17,5 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig"
USE_CIP_KERNEL_CONFIG = "1"
DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
+
+IMAGE_PREINSTALL_append = " firmware-ti-connectivity"


Whether we want to "hard-code" the installation wireless firmware in the machine conf here is a
different question. Maybe customizations is not that a bad place.
If adding IMAGE_INSTALL_append works in machine.conf, will go with this approach, as that would not disturb other platform builds.
You would still have to add/request the generic wireless tools
somewhere. For that, you either need to touch the customization package
(DEBIAN_DEPENDS) or directly expand the IMAGE_PREINSTALL list in
cip-core-image.bb. How about this pattern?

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf
index a2ae03d..4f4ee81 100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -17,3 +17,6 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig"
USE_CIP_KERNEL_CONFIG = "1"
DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
+
+WIRELESS_FIRMWARE_PACKAGE = "firmware-ti-connectivity"
+INSTALL_WIRELESS_TOOLS ?= "1"
diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 932b11c..1c2a125 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -18,10 +18,15 @@ SRC_URI = " \
file://ethernet \
file://99-silent-printk.conf"

+WIRELESS_FIRMWARE_PACKAGE ?= ""
+INSTALL_WIRELESS_TOOLS ??= "0"
+
DEPENDS += "sshd-regen-keys"

DEBIAN_DEPENDS = " \
- ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys"
+ ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys, \
+ ${@('iw, wireless-regdb, wireless-tools, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \
+ if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}"

do_install() {
install -v -d ${D}/etc/network/interfaces.d
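Review bot: The `sshd-regen-keys, \` line keeps its trailing comma even when the inline Python expands to the empty string, which is the default given `INSTALL_WIRELESS_TOOLS ??= "0"`, so the generated Depends field ends in a dangling `, ` that dpkg may reject; the same happens after `wireless-tools, ` when `WIRELESS_FIRMWARE_PACKAGE` is left at its empty default. Moving the separators into the conditional avoids both cases: `ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys \` / `${@(', iw, wireless-regdb, wireless-tools' + (', ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE') if d.getVar('WIRELESS_FIRMWARE_PACKAGE') else '')) \` / `if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}"`. The do_install function at the end of the hunk continues outside it.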

Avoids enforcing wireless installation when using the machine conf, only
when using our customization package, something that downstream layers
usually don't do.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi testing

Lad Prabhakar
 

Hi Jan,

Thank you for the quick response.

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: 22 November 2021 11:28
To: Prabhakar Mahadev Lad <prabhakar.mahadev-lad.rj@bp.renesas.com>; cip-dev@lists.cip-project.org;
Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>; Pavel Machek <pavel@denx.de>
Subject: Re: [cip-dev][isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi
testing

On 22.11.21 12:19, Lad Prabhakar wrote:
Add firmware and tools required for testing wifi on hihope-rzg2m.

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
Hi All,

Sending an RFC as I am not sure if this is the right place to add
this. I wanted to add the debian package depends in machine.conf file
but didnt find any variables.
IMAGE_INSTALL_append would work there, see eg.
https://github.com/siemens/jailhouse-images/blob/master/conf/machine/rpi4.conf.
Adding IMAGE_INSTALL/IMAGE_PREINSTALL machine.conf didn’t help for me, I was seeing below issues:

| ERROR: Nothing PROVIDES 'wireless-regdb' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'wireless-regdb']

| ERROR: Nothing PROVIDES 'wireless-tools' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'wireless-tools']

| ERROR: Nothing PROVIDES 'firmware-ti-connectivity' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'firmware-ti-connectivity']

| ERROR: Nothing PROVIDES 'iw' (but /repo/recipes-core/images/cip-core-image.bb DEPENDS on or otherwise requires it)
| ERROR: Required build target 'cip-core-image' has no buildable providers.
| Missing or unbuildable dependency chain was: ['cip-core-image', 'iw']

As the above didn't work and customizations.bb is the only place where I was able to grep for the DEBIAN_DEPENDS variable, I went with this approach 😉.
(Note also adding DEBIAN_DEPENDS in machine.conf didn’t work.)

Is there something which I am missing that would make it work with IMAGE_INSTALL_append variable?


Whether we want to "hard-code" the installation wireless firmware in the machine conf here is a
different question. Maybe customizations is not that a bad place.
If adding IMAGE_INSTALL_append works in machine.conf, will go with this approach, as that would not disturb other platform builds.


Is this the right place for adding this, if not could you please point
me to the right direction.

** Do not merge this patch **

Cheers,
Prabhakar
---
recipes-core/customizations/customizations.bb | 3 +++
1 file changed, 3 insertions(+)

diff --git a/recipes-core/customizations/customizations.bb
b/recipes-core/customizations/customizations.bb
index 932b11c..c508fd4 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -23,6 +23,9 @@ DEPENDS += "sshd-regen-keys"
DEBIAN_DEPENDS = " \
ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys"

+DEBIAN_DEPENDS_hihope-rzg2m += " \
+ ,firmware-ti-connectivity, iw, wireless-regdb, wireless-tools"
+
Let's already prepare for other targets requesting the generic wireless tools as well: Put them into a
reusable variable and then add that variable here.
So just appending DEBIAN_DEPENDS above here in this file should be OK for all the platforms?

Cheers,
Prabhakar

Jan

do_install() {
install -v -d ${D}/etc/network/interfaces.d
install -v -m 644 ${WORKDIR}/ethernet ${D}/etc/network/interfaces.d/
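Review bot: `DEBIAN_DEPENDS_hihope-rzg2m += " \` does not extend the base list: no `DEBIAN_DEPENDS_hihope-rzg2m` value exists yet, so `+=` creates one holding only the wireless packages, and when the machine override is applied it replaces `DEBIAN_DEPENDS` outright, dropping ifupdown, ssh and the rest on that machine; the leading `,firmware-ti-connectivity` then also yields a Depends field that begins with a comma. The append form keeps the base list intact: `DEBIAN_DEPENDS_append_hihope-rzg2m = ", firmware-ti-connectivity, iw, wireless-regdb, wireless-tools"`. The same hunk is quoted twice more further down this thread, and the do_install function it ends in continues outside the hunk.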
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi testing

Jan Kiszka
 

On 22.11.21 12:19, Lad Prabhakar wrote:
Add firmware and tools required for testing wifi on hihope-rzg2m.

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
Hi All,

Sending an RFC as I am not sure if this is the right place to add
this. I wanted to add the debian package depends in machine.conf
file but didnt find any variables.
IMAGE_INSTALL_append would work there, see eg.
https://github.com/siemens/jailhouse-images/blob/master/conf/machine/rpi4.conf.

Whether we want to "hard-code" the installation wireless firmware in the
machine conf here is a different question. Maybe customizations is not
that a bad place.


Is this the right place for adding this, if not could you please point
me to the right direction.

** Do not merge this patch **

Cheers,
Prabhakar
---
recipes-core/customizations/customizations.bb | 3 +++
1 file changed, 3 insertions(+)

diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 932b11c..c508fd4 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -23,6 +23,9 @@ DEPENDS += "sshd-regen-keys"
DEBIAN_DEPENDS = " \
ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys"

+DEBIAN_DEPENDS_hihope-rzg2m += " \
+ ,firmware-ti-connectivity, iw, wireless-regdb, wireless-tools"
+
Let's already prepare for other targets requesting the generic wireless
tools as well: Put them into a reusable variable and then add that
variable here.

Jan

do_install() {
install -v -d ${D}/etc/network/interfaces.d
install -v -m 644 ${WORKDIR}/ethernet ${D}/etc/network/interfaces.d/
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


[isar-cip-core][RFC PATCH] customizations: Add FW and tools required for wifi testing

Lad Prabhakar
 

Add firmware and tools required for testing wifi on hihope-rzg2m.

Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
Hi All,

Sending an RFC as I am not sure if this is the right place to add
this. I wanted to add the Debian package dependencies in the machine.conf
file but didn't find any variables for it.

Is this the right place for adding this, if not could you please point
me to the right direction.

** Do not merge this patch **

Cheers,
Prabhakar
---
recipes-core/customizations/customizations.bb | 3 +++
1 file changed, 3 insertions(+)

diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 932b11c..c508fd4 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -23,6 +23,9 @@ DEPENDS += "sshd-regen-keys"
DEBIAN_DEPENDS = " \
ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys"

+DEBIAN_DEPENDS_hihope-rzg2m += " \
+ ,firmware-ti-connectivity, iw, wireless-regdb, wireless-tools"
+
do_install() {
install -v -d ${D}/etc/network/interfaces.d
install -v -m 644 ${WORKDIR}/ethernet ${D}/etc/network/interfaces.d/
--
2.17.1


Re: [isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master

Christian Storm
 

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices
Why not upgrade to a newer version of SWUpdate instead of backporting
stuff? There's no real advantage to stay on a "release" as SWUpdate
follows rolling releases -- granted, you have to do the qualification
but that applies to "releases" as well...
The build of SWUpdate uses dpkg-gbp to follow the Debian build of
SWUpdate with sources from [1].

As Debian only follows fixed releases, currently 2021.04, I patched the
version.
This patchset is no longer necessary after Debian uses the next Release
SWUpdate version.
I agree that a single backport is better in this case. But as 2021.11 is
to appear soon, it may resolve this automatically for v3 already.
The old version doesn't give you any advantage as there's nothing that
qualifies a "release" that other shas don't give you, except that it's
tagged at some point in time as "release". But sticking to Debian's
recipes is of course beneficial from a maintenance perspective as long
as the patch queue to be put on top is not too large....


Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany


Re: [isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity

Christian Storm
 

diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..c4f3dc4
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
Hm, so you explicitly enumerate all scripts except for cryptroot so that
you run (hopefully right?) thereafter.
Isn't it sufficient to make cryptroot dependent on this?
Looks too verbose and complicated...
It is the same scripting as cryptroot uses in Debian 11 which inspired this
script. See [1].
[1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot
Anyway, this doesn't answer the questions?



Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany


Planned maintenance for lab-cip-renesas: 4-5th Dec

Chris Paterson
 

Hello all,

Just a heads up, on the weekend of the 4/5th December the Renesas UK office will be undergoing maintenance on its power infrastructure.
As such I will be taking lab-cip-renesas offline for the weekend starting from Friday evening (UK time).

Apologies for any inconvenience.

Kind regards, Chris


Re: [isar-cip-core v2 0/3] Security extensions for bullseye image

Jan Kiszka
 

On 17.11.21 11:54, venkata.pyla@toshiba-tsip.com wrote:
From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This patch series enables the security extensions for the bullseye image.

It fixes the below two problems
- package not found due to dependency package names are changed in
bullseye version, so remove the dependency packages and allowed
package manager to install correct package names.
- package not found due to main package name is changed in bullseye
version, so install the packages based on DISTRO version selected.

venkata pyla (3):
cip-core-image-security: remove unnecessary dependency package names
cip-core-image-security: Install packages based on DISTRO version
Kconfig: Enable Security extensions for bullseye image

Kconfig | 1 -
recipes-core/images/cip-core-image-security.bb | 15 ++++++++++-----
2 files changed, 10 insertions(+), 6 deletions(-)
thanks, applied

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master

Jan Kiszka
 

On 17.11.21 12:36, Gylstorff Quirin wrote:


On 11/17/21 11:40 AM, Christian Storm via lists.cip-project.org wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices
Why not upgrade to a newer version of SWUpdate instead of backporting
stuff? There's no real advantage to stay on a "release" as SWUpdate
follows rolling releases -- granted, you have to do the qualification
but that applies to "releases" as well...
The build of SWUpdate uses dpkg-gbp to follow the Debian build of
SWUpdate with sources from [1].

As Debian only follows fixed releases, currently 2021.04, I patched the
version.
This patchset is no longer necessary after Debian uses the next Release
SWUpdate version.
I agree that a single backport is better in this case. But as 2021.11 is
to appear soon, it may resolve this automatically for v3 already.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity

Jan Kiszka
 

On 18.11.21 19:10, Gylstorff Quirin wrote:


On 11/17/21 1:18 PM, Christian Storm via lists.cip-project.org wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  Kconfig                                       |  3 +-
  classes/secure-swupdate-img.bbclass           | 32 +++++++++++++++++++
  kas/opt/ebg-secure-boot-base.yml              |  2 ++
  kas/opt/ebg-secure-boot-snakeoil.yml          | 13 +++++++-
  kas/opt/ebg-snakeoil-swu.yml                  | 16 ----------
  .../images/cip-core-image-read-only.bb        | 20 ++++++++++++
  recipes-core/tmp-fs/files/postinst            |  3 ++
  recipes-core/tmp-fs/files/tmp.mount           | 11 +++++++
  recipes-core/tmp-fs/tmp-fs_0.1.bb             |  9 ++++++
  wic/qemu-amd64-efibootguard-secureboot.wks    | 11 -------
  wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
  11 files changed, 103 insertions(+), 30 deletions(-)
  create mode 100644 classes/secure-swupdate-img.bbclass
  delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
  create mode 100644 recipes-core/images/cip-core-image-read-only.bb
  create mode 100755 recipes-core/tmp-fs/files/postinst
  create mode 100644 recipes-core/tmp-fs/files/tmp.mount
  create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
  delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
  create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
  config KAS_INCLUDE_SWUPDATE_SECBOOT
      string
      default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE &&
!IMAGE_SECURE_BOOT
-    default "kas/opt/ebg-secure-boot-snakeoil.yml" if
!IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
-    default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE &&
IMAGE_SECURE_BOOT
+    default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
    endif
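Review bot: The new `default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT` no longer distinguishes `IMAGE_SWUPDATE`, and since the snakeoil file in this same series now appends `swupdate` and `swupdate-handler-roundrobin` to IMAGE_INSTALL, a configuration with IMAGE_SECURE_BOOT set and IMAGE_SWUPDATE unset presumably ends up with SWUpdate installed anyway. If secure boot is meant to imply SWUpdate from now on, the Kconfig help text or a comment on this default should say so; otherwise the `!IMAGE_SWUPDATE` variant still needs its own include.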
diff --git a/classes/secure-swupdate-img.bbclass
b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
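Review bot: `INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"` encodes the initramfs deploy file name by convention without saying so, and `do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"` is what makes that file exist, yet nothing tells a reader who changes `INITRAMFS_RECIPE` that the two must stay in step. A comment above the pair, e.g. `# INITRAMFS_RECIPE builds the initrd; INITRD_IMAGE must match its deploy name`, would make the coupling explicit. The class header would also benefit from one line stating what the task chain produces — a ${SECURE_IMAGE_FSTYPE} rootfs with dm-verity metadata, wrapped into a wic image and then, presumably via swupdate-img, an update package.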
diff --git a/kas/opt/ebg-secure-boot-base.yml
b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..acb4de0 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -19,3 +19,5 @@ local_conf_header:
      IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
      SWU_DESCRIPTION = "secureboot"
      SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG =
"secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+  kernel: |
+    SECURE_BOOT_KERNEL = "1"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml
b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..4a9185c 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,24 @@ header:
    includes:
     - kas/opt/ebg-secure-boot-base.yml
  +target: cip-core-image-read-only
    local_conf_header:
+  swupdate: |
+    IMAGE_INSTALL_append = " swupdate"
+    IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+  verity-img: |
+    SECURE_BOOT_KERNEL = "1"
+    SECURE_IMAGE_FSTYPE = "squashfs"
+    VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+    IMAGE_TYPE = "secure-swupdate-img"
+    WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
    secure-boot: |
      # Add snakeoil and ovmf binaries for qemu
      IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
      IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
-    WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
      ovmf: |
      # snakeoil certs are only part of backports
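Review bot: `SECURE_BOOT_KERNEL = "1"` under `verity-img:` duplicates the assignment this series adds to kas/opt/ebg-secure-boot-base.yml, which this file already pulls in through `includes:`, so one copy is redundant and the two will drift apart. Keeping it only in the base file is the smaller change.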
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
-  version: 10
-  includes:
-   - kas/opt/ebg-secure-boot-snakeoil.yml
-   - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb
b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+    sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root    /        auto        defaults,ro            0    0
+LABEL=var    /var        auto        defaults            0    0
+proc        /proc        proc        nosuid,noexec,nodev        0    0
+sysfs        /sys        sysfs        nosuid,noexec,nodev        0    0
+devpts        /dev/pts    devpts        gid=5,mode=620           
0    0
+tmpfs        /run        tmpfs       
nodev,nosuid,size=500M,mode=755    0    0
+devtmpfs    /dev        devtmpfs    mode=0755,nosuid        0    0
+# End /etc/fstab
+EOF
+}
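Review bot: `LABEL=var    /var        auto        defaults            0    0` mounts the only writable filesystem of this image with plain `defaults`, while /proc, /sys and /run all get `nosuid,nodev`; with the root protected by dm-verity, /var is the one place where persistent changes are not integrity-checked, so it deserves at least the same restrictions: `LABEL=var    /var        auto        defaults,nosuid,nodev    0    0`. Separately, `IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"` works but the usual form is `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"`.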
diff --git a/recipes-core/tmp-fs/files/postinst
b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount  || true
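Review bot: `deb-systemd-helper enable tmp.mount  || true` swallows a failed enable, so a package with a broken or missing unit still configures successfully and the system silently boots without the /tmp mount; the message `|| true` hides is exactly the one a maintainer would need. Drop the `|| true` (and add `set -e` after the shebang) so the failure surfaces at package configure time, or, if it is there to tolerate an environment without deb-systemd-helper, say so in a comment. Maintainer scripts run for every action, so `if [ "$1" = "configure" ]; then … fi` around the call keeps it from running on e.g. abort-remove.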
diff --git a/recipes-core/tmp-fs/files/tmp.mount
b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
Hm, shouldn't size be configurable?
I will make it configurable in the next version.


+
+[Install]
+WantedBy=local-fs.target
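Review bot: `Options=nodev,nosuid,size=500M,mode=755` leaves /tmp writable by root only; unprivileged users and services cannot create files there, which is why /tmp is conventionally mounted `mode=1777` (sticky bit, world-writable), as systemd's own tmp.mount does. Suggest `Options=mode=1777,strictatime,nosuid,nodev,size=500M`. The `mode=755` used for /run in the fstab of cip-core-image-read-only.bb is correct for that directory, so only this unit needs the change.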
Is this the right point in time? Isn't /tmp needed before this?

According to my testing and [1], if /tmp is mounted via /etc/fstab, systemd
mounts it before local-fs.target.

In the cip-core-image /tmp is not need before this as the /tmp of the
initrd is used.

The systemd log looks like this
```
[  OK  ] Started Remount Root and Kernel File Systems.
         Starting Create Static Device Nodes in /dev...
[  OK  ] Started Create Static Device Nodes in /dev.
         Starting udev Kernel Device Manager...
[  OK  ] Reached target Local File Systems (Pre).
         Mounting Create /tmp...
[  OK  ] Mounted Create /tmp.
[  OK  ] Started Journal Service.

```

[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html
Reason should also be recorded then, e.g. in the commit message.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity

Quirin Gylstorff
 

On 11/17/21 1:33 PM, Christian Storm via lists.cip-project.org wrote:

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initrd to open a dm-verity partition with a fixed
root hash.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++++++
.../files/verity.script.tmpl | 68 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
5 files changed, 159 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
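Review bot: `copy_file library /lib/cryptsetup/functions …` and the `verity.env` copy are the non-obvious lines of this hook: the first is, as far as the local-top script shows, there for `dm_blkdevname`, the second carries the root hash and verity geometry the script sources. A short comment above each, e.g. `# provides dm_blkdevname for scripts/local-top/verity` and `# root hash, salt and block geometry generated by the rootfs recipe (VERITY_ENV_FILE)`, would spare the next reader a grep. Since nothing here copies a util-linux blkid, it is also worth confirming that the blkid available in the initramfs supports the `-p … -s USAGE -o value` invocation the script relies on.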
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..c4f3dc4
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
Hm, so you explicitly enumerate all scripts except for cryptroot so that
you run (hopefully right?) thereafter.
Isn't it sufficient to make cryptroot dependent on this?
Looks too verbose and complicated...
It is the same scripting as cryptroot uses in Debian 11 which inspired this script. See [1].
[1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot

+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
Why this hard timeout? Shouldn't this be configurable so to match to
different setups of hardware?
I will add that; currently the default is taken from [1] and is used in the Debian-provided initrd scripts.



+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ ${VERITY_BEHAVIOR_ON_CORRUPTION} \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs!"
The above comment's gist may also help here in case you run into this
output on a machine.

+fi
+
+wait_for_udev 10
Same as above.
Quirin

+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..a7fbf5a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script.tmpl \
+ "
+
+VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
+
+TEMPLATE_FILES = "verity.script.tmpl"
+TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
+
+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ else
+ bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
+ fi
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
+
+addtask do_install after do_transform_template
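Review bot: `bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"` only logs, so do_install continues, the package is produced without verity.env and the boot script fails at runtime instead of the build failing here. `bbfatal` is the right call in that branch: `bbfatal "Did not find ${VERITY_ENV_FILE}; initramfs would not be built correctly"`. Given the `do_install[depends]` on `do_verity_image`, a missing file means a broken dependency, which is exactly what a fatal error should signal.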
--
2.30.2
Kind regards,
Christian


Re: [isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay

Quirin Gylstorff
 

On 11/17/21 1:11 PM, Christian Storm via lists.cip-project.org wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As /etc is read-only and needs to be accessed by the initrd,
move the user-defined settings to an overlay in /var/local/etc.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++++++++++++++++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++++++++
.../etc-overlay-fs/files/etc-sysusers.service | 14 ++++++++++++++
recipes-core/etc-overlay-fs/files/etc.mount | 13 +++++++++++++
.../files/overlay-parse-etc.service | 12 ++++++++++++
recipes-core/etc-overlay-fs/files/postinst | 6 ++++++
recipes-core/images/cip-core-image-read-only.bb | 1 +
7 files changed, 76 insertions(+)
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
create mode 100755 recipes-core/etc-overlay-fs/files/postinst

diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..f1c8349
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,16 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://etc.mount \
+ file://overlay-parse-etc.service \
+ file://etc-hostname.service \
+ file://etc-sysusers.service"
+
+do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic"
+do_install() {
+ TARGET=${D}/lib/systemd/system
+ install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+ install -m 0644 ${WORKDIR}/overlay-parse-etc.service ${TARGET}/overlay-parse-etc.service
+ install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+ install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service
+}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
new file mode 100644
index 0000000..6caf6b0
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=make systemd-sysusers /etc overlay aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/systemd-sysusers
+
+[Install]
+WantedBy=basic.target
Hm, why do you replace/create those services instead of augmenting the
current default ones via conf.d'lets?
Why is this one here dependent on network?
Why does this differ that much from upstream service files, see, e.g.,
https://github.com/systemd/systemd/blob/main/units/systemd-sysusers.service
You're right, that's the better solution. I will test it and add it in v3.



diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
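Review bot: `noauto` and `x-systemd.automount` in `Options=` are options that systemd-fstab-generator interprets for `/etc/fstab` entries; in a native `.mount` unit they do not, as far as I can tell, produce an `etc.automount` unit, and the mount is in any case pulled in directly by `WantedBy=local-fs.target` and by the `Requires=etc.mount` in the accompanying services, so they are at best no-ops. `Options=lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic` states the intent plainly. A comment in the unit noting that a file once written to the upper layer permanently shadows the verity-protected lower `/etc`, so changes shipped to that file by a later update are not seen until the upper copy is removed, would help whoever maintains the update path.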
diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
new file mode 100644
index 0000000..062bb40
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Reload Configuration from the etc overlay
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=!/bin/systemctl daemon-reload
+ExecStart=!/bin/systemctl --no-block isolate multi-user.target
Wow, this is a big cannon, why do you need this? Isn't there another way?
After testing in the current cip-core-image, I don't need it.

Quirin

+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..35641af
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount || true
+deb-systemd-helper enable overlay-parse-etc.service || true
+deb-systemd-helper enable etc-hostname.service || true
+deb-systemd-helper enable etc-sysusers.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 7ef2dc2..ceb6ac4 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -2,6 +2,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"
+IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
--
2.30.2
Kind regards,
Christian


Re: [isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity

Quirin Gylstorff
 

On 11/17/21 1:18 PM, Christian Storm via lists.cip-project.org wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-base.yml | 2 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
11 files changed, 103 insertions(+), 30 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
endif
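Review bot: With the two `default` lines collapsed into one, `KAS_INCLUDE_SWUPDATE_SECBOOT` no longer depends on `IMAGE_SWUPDATE`, while the included `kas/opt/ebg-secure-boot-snakeoil.yml` (hunk below in this patch) now appends `swupdate` and `swupdate-handler-roundrobin` to `IMAGE_INSTALL` unconditionally, so selecting `IMAGE_SECURE_BOOT` without `IMAGE_SWUPDATE` silently yields a SWUpdate-enabled image. If that coupling is intended, the help text of `IMAGE_SECURE_BOOT` (outside this hunk) should say so; otherwise keep a separate default for `!IMAGE_SWUPDATE && IMAGE_SECURE_BOOT` that includes a file without the `swupdate:` block.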
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
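Review bot: The class has a license banner but no description of what it builds or what it expects, which matters for a chain that produces the verity-protected root. A header comment should state the pipeline (`do_<SECURE_IMAGE_FSTYPE>_image -> do_verity_image -> do_wic_image -> do_extract_partition -> do_swupdate_image`), the knobs `SECURE_IMAGE_FSTYPE` (default `squashfs`) and `INITRAMFS_RECIPE` (default `cip-core-initramfs`), and that `INITRD_IMAGE` is assumed to be produced by that recipe under the name `${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img`. The class itself does not show where the verity root hash ends up being checked (presumably in the initramfs built from `INITRAMFS_RECIPE`); a sentence on that, or a pointer to the relevant recipe, would let a reader verify the integrity chain without reading the whole layer.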
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..acb4de0 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -19,3 +19,5 @@ local_conf_header:
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ kernel: |
+ SECURE_BOOT_KERNEL = "1"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..4a9185c 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,24 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml
+target: cip-core-image-read-only
local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_BOOT_KERNEL = "1"
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
ovmf: |
# snakeoil certs are only part of backports
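Review bot: `SECURE_BOOT_KERNEL = "1"` under the new `verity-img:` header duplicates the assignment this same patch adds to `kas/opt/ebg-secure-boot-base.yml`, which this file includes, so one of the two should go. The `swupdate:` header inlines `IMAGE_INSTALL_append = " swupdate"` and `IMAGE_INSTALL_append = " swupdate-handler-roundrobin"`, whereas the deleted `kas/opt/ebg-snakeoil-swu.yml` obtained SWUpdate by including `kas/opt/swupdate.yml`; if that file still carries the canonical package list, including it here instead avoids the two drifting apart. The hunk ends before the rest of the `ovmf:` block.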
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
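Review bot: `LABEL=var /var auto defaults 0 0` mounts the only persistent writable filesystem of an otherwise verity-protected system with set-uid and device-node support enabled, which is exactly what an attacker with write access to `/var` would need to persist a privileged binary. Unless something under `/var` legitimately needs it, `LABEL=var /var auto defaults,nosuid,nodev 0 0` closes that off, in line with the `nosuid,nodev` the same fstab already applies to `/run`, `/proc` and `/sys`. A comment above `image_configure_fstab()` saying that it replaces the base image's fstab (the `sudo tee` heredoc overwrites the file rather than appending) would also help, since nothing here states that.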
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
Hm, shouldn't size be configurable?
I will make it configurable in the next version.

+
+[Install]
+WantedBy=local-fs.target
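Review bot: `mode=755` in `Options=` makes `/tmp` writable by root only, so any unprivileged service or user that creates temporary files there fails, and it drops the sticky bit that stops users removing each other's files; `/tmp` is conventionally `1777`, which is also what the systemd-shipped `tmp.mount` uses. `Options=nodev,nosuid,size=500M,mode=1777` fixes both. A `Description=` such as `Temporary Directory /tmp` would also read better than `Create /tmp` in the boot log.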
Is this the right point in time? Isn't /tmp needed before this?

According to my testing and [1], if /tmp is mounted via /etc/fstab, systemd mounts it before local-fs.target.

In the cip-core-image, /tmp is not needed before this, as the /tmp of the initrd is used.

The systemd log looks like this
```
[ OK ] Started Remount Root and Kernel File Systems.
Starting Create Static Device Nodes in /dev...
[ OK ] Started Create Static Device Nodes in /dev.
Starting udev Kernel Device Manager...
[ OK ] Reached target Local File Systems (Pre).
Mounting Create /tmp...
[ OK ] Mounted Create /tmp.
[ OK ] Started Journal Service.

```

[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html

diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
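Review bot: The kernel command line now carries `rw`, which asks for the root filesystem to be mounted read-write, while the image's fstab mounts `/dev/root` with `ro` and the root partitions here are `rawcopy`s of the dm-verity image, which cannot be written; depending on how the initramfs honours `rw`, this is either ignored or produces a failed mount or remount at boot. `--append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"` matches the read-only intent. The replaced `.wks` also had `panic=0` on the command line, and its removal is not mentioned in the commit message; a comment above the `bootloader` line stating the intended failure behaviour would settle that.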
--
2.30.2
Kind regards,
Christian
