Date   

Re: [isar-cip-core][PATCH 0/3] start-qemu.sh: Add some ease of use functionality

Jan Kiszka
 

On 24.11.21 12:12, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Fix booting of secure-boot image
Parse .config.yaml for ease of use and reduced commandline clutter

Quirin Gylstorff (3):
start-qemu.sh: set bootindex for SECURE_BOOT
start-qemu.sh: parse .config.yaml for ease of use
start-qemu.sh: Simplify qemu call

start-qemu.sh | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
Definitely an improvement! But the fact that secure boot comes with a
different target image is not reflected yet.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC v3 5/9] Create an read-only rootfs with dm-verity

Jan Kiszka
 

On 23.11.21 15:57, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

The mount point for /tmp is created during the systemd target
local-fs according to [1].

Before `Remount Root and Kernel File Systems.` the tmp of the initrd
is used.

[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-base.yml | 2 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++++++++++++++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
11 files changed, 120 insertions(+), 30 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
The user can still configure IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE. If
the former implies the latter, it should also select it.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


[isar-cip-core][PATCH 2/3] start-qemu.sh: parse .config.yaml for ease of use

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Suggested-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
start-qemu.sh | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index 2c0a751..21b303a 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -20,13 +20,24 @@ usage()
exit 1
}

+if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
+ SECURE_BOOT="true"
+fi
+
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
fi

if [ -z "${DISTRO_RELEASE}" ]; then
- DISTRO_RELEASE="buster"
+ if grep -s -q "DEBIAN_BULLSEYE: true" .config.yaml; then
+ DISTRO_RELEASE="bullseye"
+ elif grep -s -q "DEBIAN_STRETCH: true" .config.yaml; then
+ DISTRO_RELEASE="stretch"
+ else
+ DISTRO_RELEASE="buster"
+ fi
fi
+
if [ -z "${TARGET_IMAGE}" ];then
TARGET_IMAGE="cip-core-image"
fi
--
2.30.2


[isar-cip-core][PATCH 1/3] start-qemu.sh: set bootindex for SECURE_BOOT

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Set the bootindex to avoid booting into the default uefi shell.

An if-clause is used to avoid the following error message for non-secure-boot images:
```
qemu-system-x86_64: -device ide-hd,drive=disk,bootindex=0: The bootindex 0 has already been used
```

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
start-qemu.sh | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index 3f62257..2c0a751 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -39,8 +39,14 @@ case "$1" in
-cpu qemu64 \
-smp 4 \
-machine q35,accel=kvm:tcg \
- -device ide-hd,drive=disk \
-device virtio-net-pci,netdev=net"
+ if [ -n "${SECURE_BOOT}" ]; then
+ QEMU_EXTRA_ARGS=" \
+ ${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk,bootindex=0"
+ else
+ QEMU_EXTRA_ARGS=" \
+ ${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk"
+ fi
KERNEL_CMDLINE=" \
root=/dev/sda"
;;
--
2.30.2


[isar-cip-core][PATCH 3/3] start-qemu.sh: Simplify qemu call

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Move qemu call out of if clause to avoid code duplications and
use the same behavior for secure boot and non secure boot images.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
start-qemu.sh | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index 21b303a..4817790 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -120,18 +120,16 @@ if [ -n "${SECURE_BOOT}" ]; then
BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw"
- ${QEMU_PATH}${QEMU} \
- -m 1G -serial mon:stdio -netdev user,id=net \
- ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
else
IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)

KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinu* | tail -1)
INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)

- ${QEMU_PATH}${QEMU} \
- -m 1G -serial mon:stdio -netdev user,id=net \
- -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
+ BOOT_FILES="-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
- -initrd ${INITRD_FILE} ${QEMU_EXTRA_ARGS} "$@"
+ -initrd ${INITRD_FILE}"
fi
+${QEMU_PATH}${QEMU} \
+ -m 1G -serial mon:stdio -netdev user,id=net \
+ ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
--
2.30.2


[isar-cip-core][PATCH 0/3] start-qemu.sh: Add some ease of use functionality

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Fix booting of secure-boot image
Parse .config.yaml for ease of use and reduced commandline clutter

Quirin Gylstorff (3):
start-qemu.sh: set bootindex for SECURE_BOOT
start-qemu.sh: parse .config.yaml for ease of use
start-qemu.sh: Simplify qemu call

start-qemu.sh | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)

--
2.30.2


Re: [cip-kernel-config][PATCH 0/2] Add options for read-only rootfs

Nobuhiro Iwamatsu
 

Hi,

Add the necessary kernel options for a read-only rootfs with
dm-verity, secure-boot and swupdate + overlay of /etc.

Quirin Gylstorff (2):
x86/cip_qemu_defconfig: Add options for read-only rootfs
x86/siemens_ipc227e_defconfig: Add options for read-only rootfs

4.19.y-cip/x86/cip_qemu_defconfig | 4 ++++
4.19.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
5.10.y-cip/x86/cip_qemu_defconfig | 4 ++++
5.10.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
4 files changed, 16 insertions(+), 2 deletions(-)
Ping. Are merge requests preferred for this?
Sorry, reply was too late.
I reviewed this patch, applied.

Best regards,
Nobuhiro
________________________________________
差出人: Jan Kiszka <jan.kiszka@siemens.com>
送信日時: 2021年11月24日 16:36
宛先: Q. Gylstorff; cip-dev@lists.cip-project.org; iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT)
件名: Re: [cip-dev][cip-kernel-config][PATCH 0/2] Add options for read-only rootfs

On 12.11.21 17:38, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the necessary kernel options for a read-only rootfs with
dm-verity, secure-boot and swupdate + overlay of /etc.

Quirin Gylstorff (2):
x86/cip_qemu_defconfig: Add options for read-only rootfs
x86/siemens_ipc227e_defconfig: Add options for read-only rootfs

4.19.y-cip/x86/cip_qemu_defconfig | 4 ++++
4.19.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
5.10.y-cip/x86/cip_qemu_defconfig | 4 ++++
5.10.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
4 files changed, 16 insertions(+), 2 deletions(-)
Ping. Are merge requests preferred for this?

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [cip-kernel-config][PATCH 0/2] Add options for read-only rootfs

Jan Kiszka
 

On 12.11.21 17:38, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the necessary kernel options for a read-only rootfs with
dm-verity, secure-boot and swupdate + overlay of /etc.

Quirin Gylstorff (2):
x86/cip_qemu_defconfig: Add options for read-only rootfs
x86/siemens_ipc227e_defconfig: Add options for read-only rootfs

4.19.y-cip/x86/cip_qemu_defconfig | 4 ++++
4.19.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
5.10.y-cip/x86/cip_qemu_defconfig | 4 ++++
5.10.y-cip/x86/siemens_ipc227e_defconfig | 5 ++++-
4 files changed, 16 insertions(+), 2 deletions(-)
Ping. Are merge requests preferred for this?

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RESEND PATCH 0/2] Add support to test WiFi on RZ/G2M

Jan Kiszka
 

On 23.11.21 19:23, Lad Prabhakar wrote:
Hi All,

This patch series adds support to install required tools and firmware
for testing WiFi on HiHope RZ/G2M platform.

Cheers,
Prabhakar

Lad Prabhakar (2):
customizations: Add support to include tools and Firmware required for
WiFi testing
conf: hihope-rzg2m: Enable tools and firmware for testing WiFi

conf/machine/hihope-rzg2m.conf | 3 +++
recipes-core/customizations/customizations.bb | 7 ++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
thanks, applied.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


[isar-cip-core][RESEND PATCH 2/2] conf: hihope-rzg2m: Enable tools and firmware for testing WiFi

Lad Prabhakar
 

HiHope RZ/G2M platform has WiFi module (WL1837) which requires additional
firmware (provided by firmware-ti-connectivity) for the chip to work.

This patch enables tools and firmware required for testing WiFi on
HiHope RZ/G2M platform.

Suggested-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
conf/machine/hihope-rzg2m.conf | 3 +++
1 file changed, 3 insertions(+)

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf
index a2ae03d..4f4ee81 100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -17,3 +17,6 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig"
USE_CIP_KERNEL_CONFIG = "1"
DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
+
+WIRELESS_FIRMWARE_PACKAGE = "firmware-ti-connectivity"
+INSTALL_WIRELESS_TOOLS ?= "1"
--
2.17.1


[isar-cip-core][RESEND PATCH 0/2] Add support to test WiFi on RZ/G2M

Lad Prabhakar
 

Hi All,

This patch series adds support to install required tools and firmware
for testing WiFi on HiHope RZ/G2M platform.

Cheers,
Prabhakar

Lad Prabhakar (2):
customizations: Add support to include tools and Firmware required for
WiFi testing
conf: hihope-rzg2m: Enable tools and firmware for testing WiFi

conf/machine/hihope-rzg2m.conf | 3 +++
recipes-core/customizations/customizations.bb | 7 ++++++-
2 files changed, 9 insertions(+), 1 deletion(-)

--
2.17.1


[isar-cip-core][RESEND PATCH 1/2] customizations: Add support to include tools and Firmware required for WiFi testing

Lad Prabhakar
 

Include iw tools, wireless-regdb (to include regulatory database) and any
additional firmware pointed by WIRELESS_FIRMWARE_PACKAGE variable only if
INSTALL_WIRELESS_TOOLS is set to "1".

Suggested-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
recipes-core/customizations/customizations.bb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 932b11c..d302b4a 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -18,10 +18,15 @@ SRC_URI = " \
file://ethernet \
file://99-silent-printk.conf"

+WIRELESS_FIRMWARE_PACKAGE ?= ""
+INSTALL_WIRELESS_TOOLS ??= "0"
+
DEPENDS += "sshd-regen-keys"

DEBIAN_DEPENDS = " \
- ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys"
+ ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys \
+ ${@(', iw, wireless-regdb, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \
+ if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}"

do_install() {
install -v -d ${D}/etc/network/interfaces.d
--
2.17.1


Re: [PATCH 2/2] conf: hihope-rzg2m: Enable tools and firmware for testing WiFi

Lad Prabhakar
 

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Lad Prabhakar via
lists.cip-project.org
Sent: 23 November 2021 18:17
To: cip-dev@lists.cip-project.org; Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>; Pavel Machek
<pavel@denx.de>; Jan Kiszka <jan.kiszka@siemens.com>
Subject: [cip-dev] [PATCH 2/2] conf: hihope-rzg2m: Enable tools and firmware for testing WiFi
Sorry for the missing subject line. I will resend "[isar-cip-core]" in subject line.

Cheers,
Prabhakar

HiHope RZ/G2M platform has WiFi module (WL1837) which requires additional firmware (provided by
firmware-ti-connectivity) for the chip to work.

This patch enables tools and firmware required for testing WiFi on HiHope RZ/G2M platform.

Suggested-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
conf/machine/hihope-rzg2m.conf | 3 +++
1 file changed, 3 insertions(+)

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf index a2ae03d..4f4ee81
100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -17,3 +17,6 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig"
USE_CIP_KERNEL_CONFIG = "1"
DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
+
+WIRELESS_FIRMWARE_PACKAGE = "firmware-ti-connectivity"
+INSTALL_WIRELESS_TOOLS ?= "1"
--
2.17.1


[PATCH 1/2] customizations: Add support to include tools and Firmware required for WiFi testing

Lad Prabhakar
 

Include iw tools, wireless-regdb (to include regulatory database) and any
additional firmware pointed by WIRELESS_FIRMWARE_PACKAGE variable only if
INSTALL_WIRELESS_TOOLS is set to "1".

Suggested-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
recipes-core/customizations/customizations.bb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 932b11c..d302b4a 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -18,10 +18,15 @@ SRC_URI = " \
file://ethernet \
file://99-silent-printk.conf"

+WIRELESS_FIRMWARE_PACKAGE ?= ""
+INSTALL_WIRELESS_TOOLS ??= "0"
+
DEPENDS += "sshd-regen-keys"

DEBIAN_DEPENDS = " \
- ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys"
+ ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys \
+ ${@(', iw, wireless-regdb, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \
+ if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}"

do_install() {
install -v -d ${D}/etc/network/interfaces.d
--
2.17.1


[PATCH 2/2] conf: hihope-rzg2m: Enable tools and firmware for testing WiFi

Lad Prabhakar
 

HiHope RZ/G2M platform has WiFi module (WL1837) which requires additional
firmware (provided by firmware-ti-connectivity) for the chip to work.

This patch enables tools and firmware required for testing WiFi on
HiHope RZ/G2M platform.

Suggested-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
---
conf/machine/hihope-rzg2m.conf | 3 +++
1 file changed, 3 insertions(+)

diff --git a/conf/machine/hihope-rzg2m.conf b/conf/machine/hihope-rzg2m.conf
index a2ae03d..4f4ee81 100644
--- a/conf/machine/hihope-rzg2m.conf
+++ b/conf/machine/hihope-rzg2m.conf
@@ -17,3 +17,6 @@ KERNEL_DEFCONFIG = "cip-kernel-config/4.19.y-cip/arm64/renesas_defconfig"
USE_CIP_KERNEL_CONFIG = "1"
DTB_FILES = "r8a774a1-hihope-rzg2m-ex.dtb"
IMAGE_BOOT_FILES = "${KERNEL_IMAGE} ${DTB_FILES}"
+
+WIRELESS_FIRMWARE_PACKAGE = "firmware-ti-connectivity"
+INSTALL_WIRELESS_TOOLS ?= "1"
--
2.17.1


[isar-cip-core][RFC v3 9/9] swupdate: Backport patches from SWUpdate Master

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 196 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch

diff --git a/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..a4c8856
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
@@ -0,0 +1,191 @@
+From 9904222a872e1707d8e1205009962fd68c3e5c7d Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] debian/patches: add patches for dm-verity
+
+Backport the following patches to detect the correct partition to
+update.
+388f1777 util: Add get_root source /proc/self/mountinfo
+3914d2b7 util: Extend get_root to find LUKS devices
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 67 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 82 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 151 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..2b25a19
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,67 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@siemens.com>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@siemens.com>
++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..039bfb8
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,82 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@denx.de>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@denx.de>
++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..a4d67fe 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"

+# Patch for dm-verity based images - can be removed with next SWUpdate release
+SRC_URI += "file://0001-debian-patches-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

--
2.30.2


[isar-cip-core][RFC v3 8/9] kas: Patch isar for correct permissions in var and home

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Get patch from isar mailing list[1].

[1]: https://groups.google.com/g/isar-users/c/wlanc7f7UnQ

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas-cip.yml | 4 +++
...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch

diff --git a/kas-cip.yml b/kas-cip.yml
index dc56729..8226954 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -25,6 +25,10 @@ repos:
refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
layers:
meta:
+ patches:
+ fix-pseudo:
+ repo: cip-core
+ path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch

bblayers_conf_header:
standard: |
diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
new file mode 100644
index 0000000..34704f0
--- /dev/null
+++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
@@ -0,0 +1,35 @@
+From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+Date: Wed, 3 Nov 2021 13:53:00 +0100
+Subject: [PATCH] Fix permissions when splitting rootfs folders across
+ partitions.
+
+This patches ensures that the file database containing the file and
+folder usernames and permissions is always located relative to the
+source and not to the appended rootfs-dir.
+
+Prior to this patch, the database was not found when using
+-rootfs-dir in the WIC script, leading to erronous file
+permissions and ownership.
+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+---
+ scripts/lib/wic/plugins/source/rootfs.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
+index 96d940a9..5ab771e5 100644
+--- a/scripts/lib/wic/plugins/source/rootfs.py
++++ b/scripts/lib/wic/plugins/source/rootfs.py
+@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
+
+ part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+ part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
+- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
+ if not os.path.lexists(pseudo_dir):
+ logger.warn("%s folder does not exist. "
+ "Usernames and permissions will be invalid " % pseudo_dir)
+--
+2.30.2
+
--
2.30.2


[isar-cip-core][RFC v3 6/9] Create systemd mount units for a etc overlay

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As /etc is read-only and needs to be accessed by the initrd
move the user defined settings to a overlay in /var/local/etc.

As systemd sets the hostname directly on start reread the /etc/hostname
after mounting the overlay.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++++++++++++++++++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++
.../files/etc-sshd-regen-keys.conf | 7 ++++
.../etc-overlay-fs/files/etc-sysusers.conf | 4 +++
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++++++++
recipes-core/etc-overlay-fs/files/postinst | 4 +++
.../images/cip-core-image-read-only.bb | 1 +
7 files changed, 75 insertions(+)
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100755 recipes-core/etc-overlay-fs/files/postinst

diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..4e2b80b
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://etc.mount \
+ file://etc-hostname.service \
+ file://etc-sshd-regen-keys.conf \
+ file://etc-sysusers.conf"
+
+do_install[cleandirs]+="${D}/usr/lib/systemd/system \
+ ${D}/usr/lib/systemd/system/local-fs.target.wants \
+ ${D}/usr/lib/systemd/system/systemd-sysusers.service.d \
+ ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d \
+ ${D}/var/local/etc \
+ ${D}/var/local/.atomic \
+ "
+do_install() {
+ TARGET=${D}/usr/lib/systemd/system
+ install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+ install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+ install -m 0644 ${WORKDIR}/etc-sshd-regen-keys.conf ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d/etc-sshd-regen-keys.conf
+ install -m 0644 ${WORKDIR}/etc-sysusers.conf ${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.service
+}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
new file mode 100644
index 0000000..014b5a6
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
@@ -0,0 +1,7 @@
+[Unit]
+# set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.conf b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
new file mode 100644
index 0000000..ad45d7f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
@@ -0,0 +1,4 @@
+[Unit]
+# make systemd-sysusers /etc overlay aware
+Requires=etc.mount
+After=etc.mount
diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..e436b53
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount || true
+deb-systemd-helper enable etc-hostname.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 7ef2dc2..ceb6ac4 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -2,6 +2,7 @@ require cip-core-image.bb

SQUASHFS_EXCLUDE_DIRS += "home var"

+IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

--
2.30.2


[isar-cip-core][RFC v3 7/9] Mount writable home partition

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add an example how to add an writable home partition

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/home-fs/files/home.mount | 12 +++++++++++
recipes-core/home-fs/files/postinst | 3 +++
recipes-core/home-fs/home-fs_0.1.bb | 20 +++++++++++++++++++
.../images/cip-core-image-read-only.bb | 1 +
wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++
5 files changed, 38 insertions(+)
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb

diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount
new file mode 100644
index 0000000..062517a
--- /dev/null
+++ b/recipes-core/home-fs/files/home.mount
@@ -0,0 +1,12 @@
+[Unit]
+Description=Mount /home partition
+Before=local-fs.target
+
+[Mount]
+What=/dev/disk/by-partlabel/home
+Where=/home
+Type=auto
+Options=defaults
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst
new file mode 100755
index 0000000..f6184d6
--- /dev/null
+++ b/recipes-core/home-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable home.mount || true
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb
new file mode 100644
index 0000000..93e08e6
--- /dev/null
+++ b/recipes-core/home-fs/home-fs_0.1.bb
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://home.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount
+
+}
\ No newline at end of file
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index ceb6ac4..79cd6bf 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -3,6 +3,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"

IMAGE_INSTALL += "etc-overlay-fs"
+IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index c4ea0c8..81fd4fe 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G
part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G

bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2


[isar-cip-core][RFC v3 4/9] Create a initrd with support for dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initrd to open a dm-verity partition with a fixed
root hash.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++++++
.../files/verity.script.tmpl | 68 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
5 files changed, 159 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..c4f3dc4
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ ${VERITY_BEHAVIOR_ON_CORRUPTION} \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs!"
+fi
+
+wait_for_udev 10
+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..a7fbf5a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script.tmpl \
+ "
+
+VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
+
+TEMPLATE_FILES = "verity.script.tmpl"
+TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
+
+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ else
+ bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
+ fi
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
+
+addtask do_install after do_transform_template
--
2.30.2

1381 - 1400 of 8370