Re: [isar-cip-core][PATCH 0/3] start-qemu.sh: Add some ease of use functionality
Jan Kiszka
On 24.11.21 12:12, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Definitely an improvement! But the fact that secure boot comes with a different target image is not reflected yet.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
Re: [isar-cip-core][RFC v3 5/9] Create an read-only rootfs with dm-verity
Jan Kiszka
On 23.11.21 15:57, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The user can still configure IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE. If the former implies the latter, it should also select it.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
[isar-cip-core][PATCH 2/3] start-qemu.sh: parse .config.yaml for ease of use
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Suggested-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- start-qemu.sh | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/start-qemu.sh b/start-qemu.sh index 2c0a751..21b303a 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -20,13 +20,24 @@ usage() exit 1 } +if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then + SECURE_BOOT="true" +fi + if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" fi if [ -z "${DISTRO_RELEASE}" ]; then - DISTRO_RELEASE="buster" + if grep -s -q "DEBIAN_BULLSEYE: true" .config.yaml; then + DISTRO_RELEASE="bullseye" + elif grep -s -q "DEBIAN_STRETCH: true" .config.yaml; then + DISTRO_RELEASE="stretch" + else + DISTRO_RELEASE="buster" + fi fi + if [ -z "${TARGET_IMAGE}" ];then TARGET_IMAGE="cip-core-image" fi -- 2.30.2
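Review bot: the three `grep -s -q "...: true" .config.yaml` tests match the key anywhere on a line, so a commented-out `# IMAGE_SECURE_BOOT: true` (or any other line that merely contains the string) switches SECURE_BOOT on as well; anchor the pattern to the start of the line, allowing leading indentation, or read the file with a YAML-aware tool. Separately, once SECURE_BOOT is detected the following block still defaults TARGET_IMAGE to cip-core-image, so the secure-boot image name has to be passed by hand; deriving it from the same .config.yaml lookup would complete the ease-of-use goal of this patch.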
[isar-cip-core][PATCH 1/3] start-qemu.sh: set bootindex for SECURE_BOOT
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Set the bootindex to avoid booting into the default uefi shell. An if-clause is used to avoid the following error message for non-secure-boot images: ``` qemu-system-x86_64: -device ide-hd,drive=disk,bootindex=0: The bootindex 0 has already been used ``` Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- start-qemu.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/start-qemu.sh b/start-qemu.sh index 3f62257..2c0a751 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -39,8 +39,14 @@ case "$1" in -cpu qemu64 \ -smp 4 \ -machine q35,accel=kvm:tcg \ - -device ide-hd,drive=disk \ -device virtio-net-pci,netdev=net" + if [ -n "${SECURE_BOOT}" ]; then + QEMU_EXTRA_ARGS=" \ + ${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk,bootindex=0" + else + QEMU_EXTRA_ARGS=" \ + ${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk" + fi KERNEL_CMDLINE=" \ root=/dev/sda" ;; -- 2.30.2
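Review bot: the if/else duplicates the whole `-device ide-hd,drive=disk` argument and its quoting just to toggle `,bootindex=0`; computing the suffix once (for example `[ -n "${SECURE_BOOT}" ] && BOOTINDEX=",bootindex=0"`) and appending a single `-device ide-hd,drive=disk${BOOTINDEX}` to QEMU_EXTRA_ARGS leaves one line to maintain when further device options are added to this branch.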
[isar-cip-core][PATCH 3/3] start-qemu.sh: Simplify qemu call
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Move qemu call out of if clause to avoid code duplications and use the same behavior for secure boot and non secure boot images. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- start-qemu.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/start-qemu.sh b/start-qemu.sh index 21b303a..4817790 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -120,18 +120,16 @@ if [ -n "${SECURE_BOOT}" ]; then BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ -drive if=pflash,format=raw,file=${ovmf_vars} \ -drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw" - ${QEMU_PATH}${QEMU} \ - -m 1G -serial mon:stdio -netdev user,id=net \ - ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@" else IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinu* | tail -1) INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1) - ${QEMU_PATH}${QEMU} \ - -m 1G -serial mon:stdio -netdev user,id=net \ - -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ + BOOT_FILES="-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ - -initrd ${INITRD_FILE} ${QEMU_EXTRA_ARGS} "$@" + -initrd ${INITRD_FILE}" fi +${QEMU_PATH}${QEMU} \ + -m 1G -serial mon:stdio -netdev user,id=net \ + ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@" -- 2.30.2
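Review bot: in the else branch `-append "${KERNEL_CMDLINE}"` is now embedded inside the double-quoted BOOT_FILES string, and BOOT_FILES is later expanded unquoted on the qemu command line, so the inner quotes no longer protect the value: a KERNEL_CMDLINE holding more than one parameter is word-split, only the first parameter reaches `-append`, and the remaining ones are handed to qemu as stray arguments. Before this patch the argument was quoted directly on the command line. Keeping the kernel-specific part out of BOOT_FILES and passing `-kernel "${KERNEL_FILE}" -append "${KERNEL_CMDLINE}" -initrd "${INITRD_FILE}"` as its own quoted group in the shared qemu call preserves the deduplication without the splitting.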
[isar-cip-core][PATCH 0/3] start-qemu.sh: Add some ease of use functionality
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Fix booting of secure-boot image
Parse .config.yaml for ease of use and reduced commandline clutter

Quirin Gylstorff (3):
  start-qemu.sh: set bootindex for SECURE_BOOT
  start-qemu.sh: parse .config.yaml for ease of use
  start-qemu.sh: Simplify qemu call

 start-qemu.sh | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

--
2.30.2
Re: [cip-kernel-config][PATCH 0/2] Add options for read-only rootfs
Nobuhiro Iwamatsu
Hi,
Sorry, my reply was too late.

>> Add the necessary kernel options for a read-only rootfs with
> Ping. Are merge requests preferred for this?

I reviewed this patch, applied.

Best regards,
Nobuhiro

________________________________________
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: 24 November 2021 16:36
To: Q. Gylstorff; cip-dev@lists.cip-project.org; iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT)
Subject: Re: [cip-dev][cip-kernel-config][PATCH 0/2] Add options for read-only rootfs

On 12.11.21 17:38, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Ping. Are merge requests preferred for this?

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
Re: [cip-kernel-config][PATCH 0/2] Add options for read-only rootfs
Jan Kiszka
On 12.11.21 17:38, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Ping. Are merge requests preferred for this?

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
Re: [isar-cip-core][RESEND PATCH 0/2] Add support to test WiFi on RZ/G2M
Jan Kiszka
On 23.11.21 19:23, Lad Prabhakar wrote:
> Hi All,

thanks, applied.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
[isar-cip-core][RESEND PATCH 2/2] conf: hihope-rzg2m: Enable tools and firmware for testing WiFi
Lad Prabhakar
HiHope RZ/G2M platform has WiFi module (WL1837) which requires additional
firmware (provided by firmware-ti-connectivity) for the chip to work. This patch enables tools and firmware required for testing WiFi on HiHope RZ/G2M platform. Suggested-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> --- conf/machine/hihope-rzg2m.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf index a2ae03d..4f4ee81 100644 --- a/conf/machine/hihope-rzg2m.conf +++ b/conf/machine/hihope-rzg2m.conf @@ -17,3 +17,6 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig" USE_CIP_KERNEL_CONFIG = "1" DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb" IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}" + +WIRELESS_FIRMWARE_PACKAGE = "firmware-ti-connectivity" +INSTALL_WIRELESS_TOOLS ?= "1" -- 2.17.1
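Review bot: firmware-ti-connectivity is shipped in Debian's non-free section, so this dependency only resolves when the apt sources used for the build include non-free; stating that in the commit message (or checking it where the wireless tools are enabled) avoids a late, unresolvable-dependency failure at image-install time. `INSTALL_WIRELESS_TOOLS ?= "1"` as a weak default pairs correctly with the recipe's `??=`, but WIRELESS_FIRMWARE_PACKAGE is a hard assignment here; using `?=` for it as well lets a local.conf or kas override select a different firmware package for the same machine.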
[isar-cip-core][RESEND PATCH 0/2] Add support to test WiFi on RZ/G2M
Lad Prabhakar
Hi All,
This patch series adds support to install required tools and firmware for testing WiFi on HiHope RZ/G2M platform.

Cheers,
Prabhakar

Lad Prabhakar (2):
  customizations: Add support to include tools and Firmware required for WiFi testing
  conf: hihope-rzg2m: Enable tools and firmware for testing WiFi

 conf/machine/hihope-rzg2m.conf                | 3 +++
 recipes-core/customizations/customizations.bb | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--
2.17.1
[isar-cip-core][RESEND PATCH 1/2] customizations: Add support to include tools and Firmware required for WiFi testing
Lad Prabhakar
Include iw tools, wireless-regdb (to include regulatory database) and any
additional firmware pointed by WIRELESS_FIRMWARE_PACKAGE variable only if INSTALL_WIRELESS_TOOLS is set to "1". Suggested-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> --- recipes-core/customizations/customizations.bb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb index 932b11c..d302b4a 100644 --- a/recipes-core/customizations/customizations.bb +++ b/recipes-core/customizations/customizations.bb @@ -18,10 +18,15 @@ SRC_URI = " \ file://ethernet \ file://99-silent-printk.conf" +WIRELESS_FIRMWARE_PACKAGE ?= "" +INSTALL_WIRELESS_TOOLS ??= "0" + DEPENDS += "sshd-regen-keys" DEBIAN_DEPENDS = " \ - ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys" + ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys \ + ${@(', iw, wireless-regdb, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \ + if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}" do_install() { install -v -d ${D}/etc/network/interfaces.d -- 2.17.1
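Review bot: when INSTALL_WIRELESS_TOOLS is "1" but WIRELESS_FIRMWARE_PACKAGE is left at its `?= ""` default, the inline Python yields `, iw, wireless-regdb, ` and DEBIAN_DEPENDS ends with a dangling comma that is carried into the Depends field of the generated control file; build the firmware part separately (append `', ' + pkg` only when the variable is non-empty) so the tools can be enabled on a machine that needs no extra firmware package. Keep the `WIRELESS_FIRMWARE_PACKAGE ?= ""` default next to the expression: without it `d.getVar()` returns None and the string concatenation raises a TypeError during parsing.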
Re: [PATCH 2/2] conf: hihope-rzg2m: Enable tools and firmware for testing WiFi
Lad Prabhakar
Sorry for the missing subject line. I will resend with "[isar-cip-core]" in the subject line.

Cheers,
Prabhakar

> -----Original Message-----
> HiHope RZ/G2M platform has WiFi module (WL1837) which requires additional firmware (provided by
[PATCH 1/2] customizations: Add support to include tools and Firmware required for WiFi testing
Lad Prabhakar
Include iw tools, wireless-regdb (to include regulatory database) and any
additional firmware pointed by WIRELESS_FIRMWARE_PACKAGE variable only if INSTALL_WIRELESS_TOOLS is set to "1". Suggested-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> --- recipes-core/customizations/customizations.bb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb index 932b11c..d302b4a 100644 --- a/recipes-core/customizations/customizations.bb +++ b/recipes-core/customizations/customizations.bb @@ -18,10 +18,15 @@ SRC_URI = " \ file://ethernet \ file://99-silent-printk.conf" +WIRELESS_FIRMWARE_PACKAGE ?= "" +INSTALL_WIRELESS_TOOLS ??= "0" + DEPENDS += "sshd-regen-keys" DEBIAN_DEPENDS = " \ - ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys" + ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys \ + ${@(', iw, wireless-regdb, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \ + if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}" do_install() { install -v -d ${D}/etc/network/interfaces.d -- 2.17.1
[PATCH 2/2] conf: hihope-rzg2m: Enable tools and firmware for testing WiFi
Lad Prabhakar
HiHope RZ/G2M platform has WiFi module (WL1837) which requires additional
firmware (provided by firmware-ti-connectivity) for the chip to work. This patch enables tools and firmware required for testing WiFi on HiHope RZ/G2M platform. Suggested-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> --- conf/machine/hihope-rzg2m.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf index a2ae03d..4f4ee81 100644 --- a/conf/machine/hihope-rzg2m.conf +++ b/conf/machine/hihope-rzg2m.conf @@ -17,3 +17,6 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig" USE_CIP_KERNEL_CONFIG = "1" DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb" IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}" + +WIRELESS_FIRMWARE_PACKAGE = "firmware-ti-connectivity" +INSTALL_WIRELESS_TOOLS ?= "1" -- 2.17.1
[isar-cip-core][RFC v3 9/9] swupdate: Backport patches from SWUpdate Master
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Backport the following patches to detect the correct partition to update. 388f1777 util: Add get_root source /proc/self/mountinfo 3914d2b7 util: Extend get_root to find LUKS devices Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- ...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++ .../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 + 2 files changed, 196 insertions(+) create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch diff --git a/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch new file mode 100644 index 0000000..a4c8856 --- /dev/null +++ b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch 
@@ -0,0 +1,191 @@ +From 9904222a872e1707d8e1205009962fd68c3e5c7d Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff <quirin.gylstorff@siemens.com> +Date: Mon, 25 Oct 2021 14:43:07 +0200 +Subject: [PATCH] debian/patches: add patches for dm-verity + +Backport the following patches to detect the correct partition to +update. +388f1777 util: Add get_root source /proc/self/mountinfo +3914d2b7 util: Extend get_root to find LUKS devices + +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> +--- + ...d-get_root-source-proc-self-mountinfo.diff | 67 +++++++++++++++ + ...-Extend-get_root-to-find-LUKS-devices.diff | 82 +++++++++++++++++++ + debian/patches/series | 2 + + 3 files changed, 151 insertions(+) + create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff + create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff + +diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff +new file mode 100644 +index 0000000..2b25a19 +--- /dev/null ++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff +@@ -0,0 +1,67 @@ ++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001 ++From: Christian Storm <christian.storm@siemens.com> ++Date: Thu, 10 Jun 2021 00:30:24 +0200 ++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo ++ ++Filesystems such as BTRFS report synthetic device major:minor ++numbers in stat(2)'s st_dev value. Hence, such a root filesystem ++won't be found by get_root_from_partitions(). ++ ++As /proc/self/mountinfo's information is subject to mount- ++namespacing, it complements get_root_from_partitions() rather ++than replacing it. 
++ ++Signed-off-by: Christian Storm <christian.storm@siemens.com> ++--- ++ core/util.c | 28 ++++++++++++++++++++++++++++ ++ 1 file changed, 28 insertions(+) ++ ++diff --git a/core/util.c b/core/util.c ++index 7d7673a..51a16b6 100644 ++--- a/core/util.c +++++ b/core/util.c ++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void) ++ return NULL; ++ } ++ +++/* +++ * Return the rootfs's device name from /proc/self/mountinfo. +++ * Needed for filesystems having synthetic stat(2) st_dev +++ * values such as BTRFS. +++ */ +++static char *get_root_from_mountinfo(void) +++{ +++ char *mnt_point, *device = NULL; +++ FILE *fp = fopen("/proc/self/mountinfo", "r"); +++ while (fp && !feof(fp)){ +++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */ +++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s", +++ &mnt_point, &device) == 2) { +++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) { +++ free(mnt_point); +++ break; +++ } +++ free(mnt_point); +++ free(device); +++ } +++ device = NULL; +++ } +++ (void)fclose(fp); +++ return device; +++} +++ ++ #define MAX_CMDLINE_LENGTH 4096 ++ static char *get_root_from_cmdline(void) ++ { ++@@ -936,6 +962,8 @@ char *get_root_device(void) ++ root = get_root_from_partitions(); ++ if (!root) ++ root = get_root_from_cmdline(); +++ if (!root) +++ root = get_root_from_mountinfo(); ++ ++ return root; ++ } ++-- ++2.30.2 ++ +diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff +new file mode 100644 +index 0000000..039bfb8 +--- /dev/null ++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff +@@ -0,0 +1,82 @@ ++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001 ++From: Stefano Babic <sbabic@denx.de> ++Date: Thu, 10 Jun 2021 16:14:44 +0200 ++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices ++ ++This helps in case of encrypted filesystem or device 
mapper. ++The returned device read from partitions is usually a dm-X device and ++this does not show which is the block device that contains it. Look in ++sysfs and check if the device has "slaves" entries, indicating the ++presence of an underlying device. If found, return this instead of the ++device returned parsing /proc/partitions. ++ ++Signed-off-by: Stefano Babic <sbabic@denx.de> ++--- ++ core/util.c | 26 ++++++++++++++++++++++++-- ++ 1 file changed, 24 insertions(+), 2 deletions(-) ++ ++diff --git a/core/util.c b/core/util.c ++index 51a16b6..3b81c09 100644 ++--- a/core/util.c +++++ b/core/util.c ++@@ -24,6 +24,7 @@ ++ #include <libgen.h> ++ #include <regex.h> ++ #include <string.h> +++#include <dirent.h> ++ ++ #if defined(__linux__) ++ #include <sys/statvfs.h> ++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src) ++ /* ++ * This returns the device name where rootfs is mounted ++ */ +++ +++static int filter_slave(const struct dirent *ent) { +++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, "..")); +++} ++ static char *get_root_from_partitions(void) ++ { ++ struct stat info; ++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void) ++ char *devname = NULL; ++ unsigned long major, minor, nblocks; ++ char buf[256]; ++- int ret; +++ int ret, dev_major, dev_minor, n; +++ struct dirent **devlist = NULL; ++ ++ if (stat("/", &info) < 0) ++ return NULL; ++ +++ dev_major = info.st_dev / 256; +++ dev_minor = info.st_dev % 256; +++ +++ /* +++ * Check if this is just a container, for example in case of LUKS +++ * Search if the device has slaves pointing to another device +++ */ +++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor); +++ n = scandir(buf, &devlist, filter_slave, NULL); +++ if (n == 1) { +++ devname = strdup(devlist[0]->d_name); +++ free(devlist); +++ return devname; +++ } +++ free(devlist); +++ ++ fp = fopen("/proc/partitions", "r"); ++ if (!fp) ++ return NULL; ++@@ -872,7 +894,7 
@@ static char *get_root_from_partitions(void) ++ &major, &minor, &nblocks, &devname); ++ if (ret != 4) ++ continue; ++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) { +++ if ((major == dev_major) && (minor == dev_minor)) { ++ fclose(fp); ++ return devname; ++ } ++-- ++2.30.2 ++ +diff --git a/debian/patches/series b/debian/patches/series +index 8c5564a..f3bd00e 100644 +--- a/debian/patches/series ++++ b/debian/patches/series +@@ -1 +1,3 @@ + use-gcc-compiler.diff ++0002-util-Extend-get_root-to-find-LUKS-devices.diff ++0001-util-Add-get_root-source-proc-self-mountinfo.diff +-- +2.30.2 + diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb index 7a0fb9b..a4d67fe 100644 --- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb +++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb @@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \ file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \ file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch" +# Patch for dm-verity based images - can be removed with next SWUpdate release +SRC_URI += "file://0001-debian-patches-add-patches-for-dm-verity.patch" + +# end patching for dm-verity based images + # deactivate signing and encryption for simple a/b rootfs update SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption" -- 2.30.2
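Review bot: debian/patches/series queues 0002-util-Extend-get_root-to-find-LUKS-devices.diff before 0001-util-Add-get_root-source-proc-self-mountinfo.diff, yet 0002's `index 51a16b6..3b81c09` is the core/util.c blob that 0001 produces (`index 7d7673a..51a16b6`), so the two are applied in the reverse of the order they were generated in; that only works while their hunks stay line-independent, so swap the two series lines to match the numbering and the upstream commit order (388f1777 then 3914d2b7). A caveat for this series on the LUKS hunk: the slaves lookup returns the underlying device only when `/sys/dev/block/<major>:<minor>/slaves` has exactly one entry (`n == 1`); a dm-verity mapping whose hash tree lives on a separate device has two slaves and falls back to the dm-X name from /proc/partitions. With the hash appended to the same partition via `--hash-offset`, as the initrd script in this series does, there is a single slave and the lookup resolves the real partition.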
[isar-cip-core][RFC v3 8/9] kas: Patch isar for correct permissions in var and home
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Get patch from isar mailing list[1]. [1]: https://groups.google.com/g/isar-users/c/wlanc7f7UnQ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- kas-cip.yml | 4 +++ ...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch diff --git a/kas-cip.yml b/kas-cip.yml index dc56729..8226954 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -25,6 +25,10 @@ repos: refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3 layers: meta: + patches: + fix-pseudo: + repo: cip-core + path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch bblayers_conf_header: standard: | diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch new file mode 100644 index 0000000..34704f0 --- /dev/null +++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch 
@@ -0,0 +1,35 @@ +From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001 +From: Felix Moessbauer <felix.moessbauer@siemens.com> +Date: Wed, 3 Nov 2021 13:53:00 +0100 +Subject: [PATCH] Fix permissions when splitting rootfs folders across + partitions. + +This patches ensures that the file database containing the file and +folder usernames and permissions is always located relative to the +source and not to the appended rootfs-dir. + +Prior to this patch, the database was not found when using +-rootfs-dir in the WIC script, leading to erronous file +permissions and ownership. + +Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com> +--- + scripts/lib/wic/plugins/source/rootfs.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py +index 96d940a9..5ab771e5 100644 +--- a/scripts/lib/wic/plugins/source/rootfs.py ++++ b/scripts/lib/wic/plugins/source/rootfs.py +@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin): + + part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir) + part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab")) +- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo") ++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo") + if not os.path.lexists(pseudo_dir): + logger.warn("%s folder does not exist. " + "Usernames and permissions will be invalid " % pseudo_dir) +-- +2.30.2 + -- 2.30.2
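Review bot: kas-cip.yml now carries a local patch against the pinned isar refspec ceb7e21154fc4862f704bb5c7739e87a26db6eb3 with no marker for when it can go; add a comment beside the `fix-pseudo:` entry naming the upstream thread from the commit message (https://groups.google.com/g/isar-users/c/wlanc7f7UnQ) and the isar revision that contains the fix, so the next refspec bump drops the patch instead of failing to apply it. On the fix itself: the pseudo database is what gives the split /var and /home partitions their uid/gid and mode bits, and the surrounding context only `logger.warn`s when the directory is missing before producing a partition with invalid ownership; for a read-only, verity-protected image a silently mis-owned /var or /home is an integrity defect, so it is worth proposing upstream that this path fail the build rather than warn.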
[isar-cip-core][RFC v3 6/9] Create systemd mount units for a etc overlay
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
As /etc is read-only and needs to be accessed by the initrd move the user defined settings to a overlay in /var/local/etc. As systemd sets the hostname directly on start reread the /etc/hostname after mounting the overlay. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- .../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++++++++++++++++++ .../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++ .../files/etc-sshd-regen-keys.conf | 7 ++++ .../etc-overlay-fs/files/etc-sysusers.conf | 4 +++ recipes-core/etc-overlay-fs/files/etc.mount | 13 ++++++++ recipes-core/etc-overlay-fs/files/postinst | 4 +++ .../images/cip-core-image-read-only.bb | 1 + 7 files changed, 75 insertions(+) create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount create mode 100755 recipes-core/etc-overlay-fs/files/postinst diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb new file mode 100644 index 0000000..4e2b80b --- /dev/null +++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb 
@@ -0,0 +1,32 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://etc.mount \ + file://etc-hostname.service \ + file://etc-sshd-regen-keys.conf \ + file://etc-sysusers.conf" + +do_install[cleandirs]+="${D}/usr/lib/systemd/system \ + ${D}/usr/lib/systemd/system/local-fs.target.wants \ + ${D}/usr/lib/systemd/system/systemd-sysusers.service.d \ + ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d \ + ${D}/var/local/etc \ + ${D}/var/local/.atomic \ + " +do_install() { + TARGET=${D}/usr/lib/systemd/system + install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount + install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service + install -m 0644 ${WORKDIR}/etc-sshd-regen-keys.conf ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d/etc-sshd-regen-keys.conf + install -m 0644 ${WORKDIR}/etc-sysusers.conf ${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.service +} diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service new file mode 100644 index 0000000..2306b9f --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service @@ -0,0 +1,14 @@ +[Unit] +Description=set hostname /etc overlay-aware +Before=network-pre.target +Wants=network-pre.target +Requires=etc.mount +After=etc.mount + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/hostname --boot --file /etc/hostname + +[Install] +WantedBy=basic.target diff --git a/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf new file mode 100644 index 0000000..014b5a6 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf 
@@ -0,0 +1,7 @@ +[Unit] +# set hostname /etc overlay-aware +Before=network-pre.target +Wants=network-pre.target +Requires=etc.mount +After=etc.mount + diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.conf b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf new file mode 100644 index 0000000..ad45d7f --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf @@ -0,0 +1,4 @@ +[Unit] +# make systemd-sysusers /etc overlay aware +Requires=etc.mount +After=etc.mount diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount new file mode 100644 index 0000000..f0ae3c5 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc.mount @@ -0,0 +1,13 @@ +[Unit] +Description=Overlay-mount /etc +Requires=var.mount +After=var.mount + +[Mount] +What=overlay +Where=/etc +Type=overlay +Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst new file mode 100755 index 0000000..e436b53 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/postinst @@ -0,0 +1,4 @@ +#!/bin/sh + +deb-systemd-helper enable etc.mount || true +deb-systemd-helper enable etc-hostname.service || true diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb index 7ef2dc2..ceb6ac4 100644 --- a/recipes-core/images/cip-core-image-read-only.bb +++ b/recipes-core/images/cip-core-image-read-only.bb @@ -2,6 +2,7 @@ require cip-core-image.bb SQUASHFS_EXCLUDE_DIRS += "home var" +IMAGE_INSTALL += "etc-overlay-fs" IMAGE_INSTALL += "tmp-fs" IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" -- 2.30.2
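Review bot: in etc-overlay-fs_0.1.bb, do_install copies etc-sysusers.conf to `${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.service`; systemd only reads `*.conf` files from a `.service.d/` drop-in directory, so this override is silently ignored and systemd-sysusers can still run before the /etc overlay is mounted, writing its users into the lower, read-only /etc view. Rename the target to `etc-sysusers.conf`, as the sshd-regen-keys drop-in line already does. Two smaller points: `noauto,x-systemd.automount` in etc.mount's Options= are interpreted by the fstab generator, not by a .mount unit, so on-demand mounting would need a separate etc.automount unit (with the unit enabled via WantedBy=local-fs.target the mount happens at boot anyway), and etc-sshd-regen-keys.conf still carries the `# set hostname /etc overlay-aware` comment copied from the hostname unit.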
[isar-cip-core][RFC v3 7/9] Mount writable home partition
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add an example how to add an writable home partition Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- recipes-core/home-fs/files/home.mount | 12 +++++++++++ recipes-core/home-fs/files/postinst | 3 +++ recipes-core/home-fs/home-fs_0.1.bb | 20 +++++++++++++++++++ .../images/cip-core-image-read-only.bb | 1 + wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++ 5 files changed, 38 insertions(+) create mode 100644 recipes-core/home-fs/files/home.mount create mode 100755 recipes-core/home-fs/files/postinst create mode 100644 recipes-core/home-fs/home-fs_0.1.bb diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount new file mode 100644 index 0000000..062517a --- /dev/null +++ b/recipes-core/home-fs/files/home.mount @@ -0,0 +1,12 @@ +[Unit] +Description=Mount /home partition +Before=local-fs.target + +[Mount] +What=/dev/disk/by-partlabel/home +Where=/home +Type=auto +Options=defaults + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst new file mode 100755 index 0000000..f6184d6 --- /dev/null +++ b/recipes-core/home-fs/files/postinst @@ -0,0 +1,3 @@ +#!/bin/sh + +deb-systemd-helper enable home.mount || true diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb new file mode 100644 index 0000000..93e08e6 --- /dev/null +++ b/recipes-core/home-fs/home-fs_0.1.bb @@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://home.mount" + +do_install[cleandirs]+="${D}/lib/systemd/system" +do_install() { + install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount + +} \ No newline at end of file 
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb index ceb6ac4..79cd6bf 100644 --- a/recipes-core/images/cip-core-image-read-only.bb +++ b/recipes-core/images/cip-core-image-read-only.bb @@ -3,6 +3,7 @@ require cip-core-image.bb SQUASHFS_EXCLUDE_DIRS += "home var" IMAGE_INSTALL += "etc-overlay-fs" +IMAGE_INSTALL += "home-fs" IMAGE_INSTALL += "tmp-fs" IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index c4ea0c8..81fd4fe 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in @@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +# home and var are extra partitions +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" -- 2.30.2
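Review bot: home.mount mounts the writable /home partition with `Options=defaults`; on an otherwise read-only, dm-verity protected root this partition is the one place where files persist across boots outside the integrity-protected tree, so `nosuid,nodev` (plus `noexec` where the use case allows it) is the safer default for the example, with the rationale in the unit. Two consistency points: home-fs installs its unit to `${D}/lib/systemd/system` while etc-overlay-fs in the same series uses `${D}/usr/lib/systemd/system` (systemd searches both, but one convention should be picked), and home-fs_0.1.bb ends without a trailing newline.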
[isar-cip-core][RFC v3 4/9] Create a initrd with support for dm-verity
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Adapt the initrd to open a dm-verity partition with a fixed root hash. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- .../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++ .../files/verity.conf-hook | 1 + .../initramfs-verity-hook/files/verity.hook | 23 +++++++ .../files/verity.script.tmpl | 68 +++++++++++++++++++ .../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++ 5 files changed, 159 insertions(+) create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb new file mode 100644 index 0000000..825fb9f --- /dev/null +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb @@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +inherit initramfs + +INITRAMFS_INSTALL += " \ + initramfs-verity-hook \ + " diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook new file mode 100644 index 0000000..9b61fb8 --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook @@ -0,0 +1 @@ +BUSYBOX=y diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook new file mode 100644 index 0000000..5eada8a --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook 
@@ -0,0 +1,23 @@ +#!/bin/sh +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +# Begin real processing below this line + +manual_add_modules dm_mod +manual_add_modules dm_verity + +copy_exec /sbin/veritysetup +copy_exec /sbin/dmsetup +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl new file mode 100644 index 0000000..c4f3dc4 --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl 
@@ -0,0 +1,68 @@ +#!/bin/sh +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions +. /lib/cryptsetup/functions +. /usr/share/verity-env/verity.env +# Even if this script fails horribly, make sure there won't be a chance the +# current $ROOT will be attempted. As this device most likely contains a +# perfectly valid filesystem, it would be mounted successfully, leading to a +# broken trust chain. +echo "ROOT=/dev/null" >/conf/param.conf +wait_for_udev 10 +case "$ROOT" in + PART*) + # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching + # partition + ROOT=$(blkid --list-one --output device --match-token "$ROOT") + ;; + "") + # No Root device was given. Use veritysetup verify to search matching roots + partitions=$(blkid -o device) + for part in $partitions; do + if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then + if veritysetup verify \ + "$part" "$part" "${ROOT_HASH}" \ + --hash-offset "${HASH_OFFSET}";then + ROOT="$part" + break + fi + fi + done + ;; +esac +set -- "$ROOT" verityroot +if ! veritysetup open \ + ${VERITY_BEHAVIOR_ON_CORRUPTION} \ + --data-block-size "${DATA_BLOCK_SIZE}" \ + --hash-block-size "${HASH_BLOCK_SIZE}" \ + --data-blocks "${DATA_BLOCKS}" \ + --hash-offset "${HASH_OFFSET}" \ + --salt "${SALT}" \ + "$1" "$2" "$1" "${ROOT_HASH}"; then + panic "Can't open verity rootfs!" +fi + +wait_for_udev 10 + +if ! ROOT="$(dm_blkdevname verityroot)"; then + panic "Can't find the verity root device!" +fi + +echo "ROOT=${ROOT}" >/conf/param.conf diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb new file mode 100644 index 0000000..a7fbf5a 
--- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb @@ -0,0 +1,51 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@siemens.com> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://verity.conf-hook \ + file://verity.hook \ + file://verity.script.tmpl \ + " + +VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption" + +TEMPLATE_FILES = "verity.script.tmpl" +TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION" + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup" + +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only" + +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env" + +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image" +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/verity-env \ + ${D}/usr/share/initramfs-tools/scripts/local-top \ + ${D}/usr/share/initramfs-tools/conf-hooks.d" + +do_install() { + # Insert the veritysetup commandline into the script + if [ -f "${VERITY_ENV_FILE}" ]; then + install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env" + else + bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!" + fi + install -m 0755 "${WORKDIR}/verity.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-top/verity" + install -m 0755 "${WORKDIR}/verity.hook" \ + "${D}/usr/share/initramfs-tools/hooks/verity" +} + +addtask do_install after do_transform_template -- 2.30.2
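Review bot: In the verity.hook hunk, everything the local-top script trusts (ROOT_HASH, SALT, the offsets) is copied into the initramfs from /usr/share/verity-env/verity.env, so the "fixed root hash" only anchors the chain if the initramfs itself is covered by the secure boot signature; the commit message should state that assumption, and the cover text for the series should say which artefact (kernel plus initramfs image) carries the signature, since the script's own comment already warns about a broken trust chain.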
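Review bot: In the verity.script.tmpl hunk, the `case "$ROOT"` only handles `PART*` and the empty string, so a `UUID=` or `LABEL=` root as accepted elsewhere by initramfs-tools is passed verbatim to `veritysetup open` and ends in the generic "Can't open verity rootfs!" panic; resolving those through the same blkid call (`PART*|UUID=*|LABEL=*)`) would fix that. Two smaller points in the same hunk: when the search loop finds no partition that verifies, ROOT stays empty and the failure is again reported as an open error, so a dedicated `[ -z "$ROOT" ] && panic "No verity root device found"` after the `esac` would make the cause visible; and `veritysetup verify` is called with only `--hash-offset` while `open` passes salt, block sizes and data-blocks, which only works when the hash area carries a superblock, so either pass the same parameters to both or note the superblock assumption in a comment.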
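Review bot: In the initramfs-verity-hook_0.1.bb hunk, `bberror "Did not find ${VERITY_ENV_FILE}..."` does not abort do_install, so a missing env file still yields a package whose local-top script sources /usr/share/verity-env/verity.env and then runs `veritysetup open` with empty parameters; use `bbfatal` here so the build stops instead ("built correctly" rather than "build correctly" in the message). Given `do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"`, the file should always exist, so a hard failure is the right reaction when it does not.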