Date   

[isar-cip-core][RESEND PATCH 2/9] Add verity-img.bbclass for dm-verity based rootfs

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

As we need the output of `veritysetup` to generate
the initrd. Therefore do_verity_image must be called before wic
generates the final disk image.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 classes/verity-img.bbclass

diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass
new file mode 100644
index 0000000..3c94643
--- /dev/null
+++ b/classes/verity-img.bbclass
@@ -0,0 +1,73 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+IMAGER_INSTALL += "cryptsetup"
+
+VERITY_IMAGE_TYPE ?= "squashfs"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
+VERITY_HASH_BLOCK_SIZE ?= "1024"
+VERITY_DATA_BLOCK_SIZE ?= "1024"
+
+create_verity_env_file() {
+
+ local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
+ rm -f $ENV
+
+ local input="${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ # remove header from verity meta data
+ sed -i '/VERITY header information for/d' $input
+ IFS=":"
+ while read KEY VAL; do
+ printf '%s=%s\n' \
+ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+ "$(echo "$VAL" | tr -d ' \t')" >> $ENV
+ done < $input
+}
+
+verity_setup() {
+ rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+ rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}
+
+ cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+
+ image_do_mounts
+ sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
+ --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
+ --data-blocks "${VERITY_DATA_BLOCKS}" \
+ --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ >"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+
+ echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
+ >>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+}
+
+do_verity_image[cleandirs] = "${WORKDIR}/verity"
+python do_verity_image() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+
+ bb.build.exec_func('verity_setup', d)
+ bb.build.exec_func('create_verity_env_file', d)
+}
+addtask verity_image before do_image after do_image_tools
--
2.30.2


[isar-cip-core][RESEND PATCH 3/9] linux-cip-common: Increase revision kernel config

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Add support for verity and overlay fs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-kernel/linux/linux-cip-common.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..8fa8988 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi

SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"

-SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
+SRCREV_cip-kernel-config ?= "4f80764b80a81f9590e927fb202f358465b322a6"

S = "${WORKDIR}/linux-cip-v${PV}"
--
2.30.2


[isar-cip-core][RESEND PATCH 0/9] Read-only root file system with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

*This patch series adds support for a read-only squashfs based root filesystem
wit SWUpdate support and secureboot.

The build is somewhat complex as we need the output of dm-verity to generate
the initramfs. The build is split in the following steps
1. Build the root file system
2. Generate a squashfs image - this can also be replace by another image format(e.g. ext4)
3. Build from the image the dm-verity partition and add it to the end of the image
4. Add the resulting verity environment to the initrd
5. Build the signed efi tool chain.

This series needs SWUpdate 2021.11. The necessary changes are currently backported.

Changes in RFC V2:
- rebase onto orgin/next
- adapt Kconfig to new ebg-secure-boot-snakeoil.yml by deleting unnecessary options
- Cleanup to support different file-systems for verity-img
- tested with ext4 and squashfs
- simplified kernel patching
- prepend not necessary
- added flag to enable/disable
- whitespaces for readability
- integrated into ebg-secure-boot-snakeoil
- make behavior on corruption configurable during build time.
- default is restart on corruption
- add ISAR patch for correct permissions

Changes in RFC V3:
- Configurable size of /tmp
- remove unnecessary overlay-parse-etc.service
- convert etc-sysusers to drop in configuration of systemd-sysusers.service
- extend commit messages

Changes in Patch:
- rebased onto origin/next 2550c34a03ae3c035a1593585f2d8e545c83140d
- initrd verity warning message
- Kconfig: secure-boot element selects also swupdate
as the secureboot kas option contains swupdate
- fixed ci build

Quirin Gylstorff (9):
Add new class to create a squashfs based root file system
Add verity-img.bbclass for dm-verity based rootfs
linux-cip-common: Increase revision kernel config
Create a initrd with support for dm-verity
Create an read-only rootfs with dm-verity
Create systemd mount units for a etc overlay
Mount writable home partition
kas: Patch isar for correct permissions in var and home
swupdate: Backport patches from SWUpdate Master

.gitlab-ci.yml | 11 -
Kconfig | 4 +-
classes/secure-swupdate-img.bbclass | 32 +++
classes/squashfs-img.bbclass | 41 ++++
classes/verity-img.bbclass | 73 +++++++
kas-cip.yml | 4 +
kas/opt/ebg-secure-boot-snakeoil.yml | 12 +-
...when-splitting-rootfs-folders-across.patch | 35 ++++
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++
.../files/etc-sshd-regen-keys.conf | 7 +
.../etc-overlay-fs/files/etc-sysusers.conf | 4 +
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++
recipes-core/etc-overlay-fs/files/postinst | 4 +
recipes-core/home-fs/files/home.mount | 12 ++
recipes-core/home-fs/files/postinst | 3 +
recipes-core/home-fs/home-fs_0.1.bb | 20 ++
.../images/cip-core-image-read-only.bb | 22 ++
...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
recipes-core/tmp-fs/files/postinst | 3 +
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++
.../cip-core-initramfs/cip-core-initramfs.bb | 10 +-
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++
.../files/verity.script.tmpl | 70 +++++++
.../initramfs-verity-hook_0.1.bb | 51 +++++
recipes-kernel/linux/linux-cip-common.inc | 2 +-
start-qemu.sh | 4 +
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -
wic/qemu-amd64-efibootguard-secureboot.wks.in | 15 ++
32 files changed, 735 insertions(+), 31 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
create mode 100644 classes/squashfs-img.bbclass
create mode 100644 classes/verity-img.bbclass
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100755 recipes-core/etc-overlay-fs/files/postinst
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
rename kas/opt/ebg-snakeoil-swu.yml => recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb (61%)
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

--
2.30.2


[isar-cip-core][RESEND PATCH 5/9] Create an read-only rootfs with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

The mount point for /tmp is created during the systemd target
local-fs according to [1].

Before `Remount Root and Kernel File Systems.` the tmp of the initrd
is used.

[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.gitlab-ci.yml | 11 -------
Kconfig | 4 +--
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-snakeoil.yml | 12 ++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++++++++++++++
start-qemu.sh | 4 +++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
12 files changed, 122 insertions(+), 41 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5becd37..d407f0f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -179,17 +179,6 @@ build:qemu-amd64-swupdate:
targz: disable
deploy: disable

-build:qemu-amd64-secure-boot-swu:
- extends:
- - .build_base
- variables:
- target: qemu-amd64
- extention: ebg-snakeoil-swu
- use_rt: disable
- wic_targz: disable
- targz: disable
- deploy: disable
-
# bullseye images
build:simatic-ipc227e-bullseye:
extends:
diff --git a/Kconfig b/Kconfig
index 3b882d6..e5ce257 100644
--- a/Kconfig
+++ b/Kconfig
@@ -136,11 +136,11 @@ config IMAGE_SWUPDATE
config IMAGE_SECURE_BOOT
bool "Secure boot support"
depends on TARGET_QEMU_AMD64
+ select IMAGE_SWUPDATE

config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT

endif
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..1cfbacc 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,23 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml

+target: cip-core-image-read-only

local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount.tmpl b/recipes-core/tmp-fs/files/tmp.mount.tmpl
new file mode 100644
index 0000000..fcb2f3e
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount.tmpl
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=${TMP_OPTIONS}
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..3ec20c7
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount.tmpl"
+
+TMP_FS_SIZE ?= "500M"
+TMP_FS_MODE ?= "755"
+TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_SIZE},mode=${TMP_MODE}"
+
+TEMPLATE_FILES = "tmp.mount.tmpl"
+TEMPLATE_VARS += "TMP_FS_OPTIONS"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/start-qemu.sh b/start-qemu.sh
index a92e9f4..c700974 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -42,6 +42,9 @@ if [ -z "${TARGET_IMAGE}" ];then
TARGET_IMAGE="cip-core-image"
if grep -s -q "IMAGE_SECURITY: true" .config.yaml; then
TARGET_IMAGE="cip-core-image-security"
+ fi
+ if [ -n "${SECURE_BOOT}" ]; then
+ TARGET_IMAGE="cip-core-image-read-only"
fi
fi

@@ -55,6 +58,7 @@ case "$1" in
-machine q35,accel=kvm:tcg \
-device virtio-net-pci,netdev=net"
if [ -n "${SECURE_BOOT}" ]; then
+ # set bootindex=0 to boot disk instead of EFI-shell
QEMU_EXTRA_ARGS=" \
${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk,bootindex=0"
else
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2


[isar-cip-core][RESEND PATCH 4/9] Create a initrd with support for dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Adapt the initrd to open a dm-verity partition with a fixed
root hash.

The initramfs script is based on [1].

[1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 ++++++
.../files/verity.script.tmpl | 70 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
5 files changed, 161 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..7c75b5b
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,70 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ # If the script cryptroot is installed this script
+ # should be second to last
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ ${VERITY_BEHAVIOR_ON_CORRUPTION} \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs - continuing will lead to a broken trust chain!"
+fi
+
+wait_for_udev 10
+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..a7fbf5a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script.tmpl \
+ "
+
+VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
+
+TEMPLATE_FILES = "verity.script.tmpl"
+TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
+
+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ else
+ bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
+ fi
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
+
+addtask do_install after do_transform_template
--
2.30.2


Re: cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62) #kernelci

Chris Paterson
 

+kernelci ML as they will appreciate the feedback.

From: Pavel Machek <pavel@...>
Sent: 30 November 2021 08:33

Hi!

So... I tried to understand this report, and still could not.

First problem is actually in the From: line. By placing bot there, it
is not clear who is responsible for this, and if someone reads replies
to the bot address.

I feel posts to mailing lists should be signed by human responsible
for them.

Then we have:

cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62)
Ok, so we may have an regression. That means it worked before and it
does not work now. I'd expect two versions "worked in v4.19.123-cip12,
now broken in v4.19.217-cip62", but we only have one.

Regressions Summary
-------------------

platform | arch | lab | compiler | defconfig | regressions
-----------------+-------+---------------+----------+-----------+------------
rk3399-gru-kevin | arm64 | lab-collabora | gcc-10 | defconfig | 1
Did you not have a "details" link here? In my copy of the email (attached) it links to
https://linux.kernelci.org/test/job/cip/branch/linux-4.19.y-cip/kernel/v4.19.217-cip62/plan/baseline-nfs/

If you click on the platform in question it says: "New regression, last pass: v4.19.216-cip61", which also links to the relevant build job.
I think it also says this in the email below the failed test case? (baseline-nfs.login)


URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
SHA: dc62e26e3be875a7324b85b8274c13a335e610dd
Still no note when it worked last.

HTML log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-
cip62/arm64/defconfig/gcc-10/lab-collabora/baseline-nfs-rk3399-gru-
kevin.html
Again, there should also be a link to the specific failed test case, in this case:
https://linux.kernelci.org/test/plan/id/61a58c2989f6953bd118f6e4/

This includes a link to the defconfig used, although perhaps you'd like to know more about the platform.

Kind regards, Chris

Ok, so we have bootlog from a machine, that's quite unhappy. Part of
it are kernel problems, but we see missing firmware, too. In the end,
it looks like it has no usable network card, so it can not do NFS
boot... and panics.

It is hard to tell config problem vs. kernel bug without knowing more
about machine configuration. Best seeing previous successful runs...

Is there human here who believes this is a problem in -cip kernel that
is worth solving, and is willing to answer questions and test patches?

Best regards,

Pavel

02:27:34.443815 <4>[ 1.401574] cacheinfo: Unable to detect cache
hierarchy for CPU 0
02:27:34.452441 <6>[ 1.413496] loop: module loaded
02:27:34.464113 <4>[ 1.421343] rockchip-spi ff1d0000.spi: Failed
to request TX DMA channel
02:27:34.471531 <4>[ 1.429063] rockchip-spi ff1d0000.spi: Failed
to request RX DMA channel
02:27:34.487460 <6>[ 1.446867] m25p80 spi0.0: gd25lq64c (8192
Kbytes)
02:27:34.501792 <4>[ 1.459399] rockchip-spi ff1e0000.spi: Failed
to request TX DMA channel
...
02:27:48.313465 <6>[ 15.264576] atmel_mxt_ts 3-004b: Family: 164
Variant: 14 Firmware V2.3.AA Objects: 40
02:27:48.362782 <4>[ 15.318381] atmel_mxt_ts 3-004b: Direct
firmware load for maxtouch.cfg failed with error -2
02:27:48.535527 <4>[ 15.377455] atmel_mxt_ts 5-004a: Direct
firmware load for maxtouch.cfg failed with error -2
02:27:48.827088 ipconfig: no devices to configure
02:27:48.831012 ipconfig: no devices to configure
02:27:48.926132 <4>[ 15.866511] platform regulatory.0: Direct
firmware load for regulatory.db failed with error -2
02:27:48.931359 <6>[ 15.879008] pci 0000:00:00.0: PCI bridge to
[bus 01]
02:27:48.938653 <6>[ 15.879016] pci 0000:00:00.0: bridge window
[mem 0xfa000000-0xfa1fffff]

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


[isar-cip-core][PATCH 8/9] kas: Patch isar for correct permissions in var and home

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Get patch from isar mailing list[1].

[1]: https://groups.google.com/g/isar-users/c/wlanc7f7UnQ

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
kas-cip.yml | 4 +++
...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch

diff --git a/kas-cip.yml b/kas-cip.yml
index dc56729..8226954 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -25,6 +25,10 @@ repos:
refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
layers:
meta:
+ patches:
+ fix-pseudo:
+ repo: cip-core
+ path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch

bblayers_conf_header:
standard: |
diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
new file mode 100644
index 0000000..34704f0
--- /dev/null
+++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
@@ -0,0 +1,35 @@
+From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@...>
+Date: Wed, 3 Nov 2021 13:53:00 +0100
+Subject: [PATCH] Fix permissions when splitting rootfs folders across
+ partitions.
+
+This patches ensures that the file database containing the file and
+folder usernames and permissions is always located relative to the
+source and not to the appended rootfs-dir.
+
+Prior to this patch, the database was not found when using
+-rootfs-dir in the WIC script, leading to erronous file
+permissions and ownership.
+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@...>
+---
+ scripts/lib/wic/plugins/source/rootfs.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
+index 96d940a9..5ab771e5 100644
+--- a/scripts/lib/wic/plugins/source/rootfs.py
++++ b/scripts/lib/wic/plugins/source/rootfs.py
+@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
+
+ part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+ part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
+- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
+ if not os.path.lexists(pseudo_dir):
+ logger.warn("%s folder does not exist. "
+ "Usernames and permissions will be invalid " % pseudo_dir)
+--
+2.30.2
+
--
2.30.2


[isar-cip-core][PATCH 9/9] swupdate: Backport patches from SWUpdate Master

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 196 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch

diff --git a/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..a4c8856
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
@@ -0,0 +1,191 @@
+From 9904222a872e1707d8e1205009962fd68c3e5c7d Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@...>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] debian/patches: add patches for dm-verity
+
+Backport the following patches to detect the correct partition to
+update.
+388f1777 util: Add get_root source /proc/self/mountinfo
+3914d2b7 util: Extend get_root to find LUKS devices
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 67 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 82 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 151 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..2b25a19
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,67 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@...>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@...>
++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..039bfb8
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,82 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@...>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@...>
++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..a4d67fe 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"

+# Patch for dm-verity based images - can be removed with next SWUpdate release
+SRC_URI += "file://0001-debian-patches-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

--
2.30.2


[isar-cip-core][PATCH 6/9] Create systemd mount units for a etc overlay

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

As /etc is read-only and needs to be accessed by the initrd
move the user defined settings to a overlay in /var/local/etc.

As systemd sets the hostname directly on start reread the /etc/hostname
after mounting the overlay.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++++++++++++++++++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++
.../files/etc-sshd-regen-keys.conf | 7 ++++
.../etc-overlay-fs/files/etc-sysusers.conf | 4 +++
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++++++++
recipes-core/etc-overlay-fs/files/postinst | 4 +++
.../images/cip-core-image-read-only.bb | 1 +
7 files changed, 75 insertions(+)
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100755 recipes-core/etc-overlay-fs/files/postinst

diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..4e2b80b
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://etc.mount \
+ file://etc-hostname.service \
+ file://etc-sshd-regen-keys.conf \
+ file://etc-sysusers.conf"
+
+do_install[cleandirs]+="${D}/usr/lib/systemd/system \
+ ${D}/usr/lib/systemd/system/local-fs.target.wants \
+ ${D}/usr/lib/systemd/system/systemd-sysusers.service.d \
+ ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d \
+ ${D}/var/local/etc \
+ ${D}/var/local/.atomic \
+ "
+do_install() {
+ TARGET=${D}/usr/lib/systemd/system
+ install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+ install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+ install -m 0644 ${WORKDIR}/etc-sshd-regen-keys.conf ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d/etc-sshd-regen-keys.conf
+ install -m 0644 ${WORKDIR}/etc-sysusers.conf ${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.service
+}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
new file mode 100644
index 0000000..014b5a6
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
@@ -0,0 +1,7 @@
+[Unit]
+# set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.conf b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
new file mode 100644
index 0000000..ad45d7f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
@@ -0,0 +1,4 @@
+[Unit]
+# make systemd-sysusers /etc overlay aware
+Requires=etc.mount
+After=etc.mount
diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..e436b53
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount || true
+deb-systemd-helper enable etc-hostname.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 7ef2dc2..ceb6ac4 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -2,6 +2,7 @@ require cip-core-image.bb

SQUASHFS_EXCLUDE_DIRS += "home var"

+IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

--
2.30.2


[isar-cip-core][PATCH 3/9] linux-cip-common: Increase revision kernel config

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Add support for verity and overlay fs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-kernel/linux/linux-cip-common.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..8fa8988 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi

SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"

-SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
+SRCREV_cip-kernel-config ?= "4f80764b80a81f9590e927fb202f358465b322a6"

S = "${WORKDIR}/linux-cip-v${PV}"
--
2.30.2


[isar-cip-core][PATCH 7/9] Mount writable home partition

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Add an example how to add an writable home partition

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-core/home-fs/files/home.mount | 12 +++++++++++
recipes-core/home-fs/files/postinst | 3 +++
recipes-core/home-fs/home-fs_0.1.bb | 20 +++++++++++++++++++
.../images/cip-core-image-read-only.bb | 1 +
wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++
5 files changed, 38 insertions(+)
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb

diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount
new file mode 100644
index 0000000..062517a
--- /dev/null
+++ b/recipes-core/home-fs/files/home.mount
@@ -0,0 +1,12 @@
+[Unit]
+Description=Mount /home partition
+Before=local-fs.target
+
+[Mount]
+What=/dev/disk/by-partlabel/home
+Where=/home
+Type=auto
+Options=defaults
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst
new file mode 100755
index 0000000..f6184d6
--- /dev/null
+++ b/recipes-core/home-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable home.mount || true
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb
new file mode 100644
index 0000000..93e08e6
--- /dev/null
+++ b/recipes-core/home-fs/home-fs_0.1.bb
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://home.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount
+
+}
\ No newline at end of file
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index ceb6ac4..79cd6bf 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -3,6 +3,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"

IMAGE_INSTALL += "etc-overlay-fs"
+IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index c4ea0c8..81fd4fe 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G
part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G

bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2


[isar-cip-core][PATCH 5/9] Create an read-only rootfs with dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

The mount point for /tmp is created during the systemd target
local-fs according to [1].

Before `Remount Root and Kernel File Systems.` the tmp of the initrd
is used.

[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.gitlab-ci.yml | 11 -------
Kconfig | 4 +--
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-snakeoil.yml | 12 ++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++++++++++++++
start-qemu.sh | 4 +++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
12 files changed, 122 insertions(+), 41 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5becd37..d407f0f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -179,17 +179,6 @@ build:qemu-amd64-swupdate:
targz: disable
deploy: disable

-build:qemu-amd64-secure-boot-swu:
- extends:
- - .build_base
- variables:
- target: qemu-amd64
- extention: ebg-snakeoil-swu
- use_rt: disable
- wic_targz: disable
- targz: disable
- deploy: disable
-
# bullseye images
build:simatic-ipc227e-bullseye:
extends:
diff --git a/Kconfig b/Kconfig
index 3b882d6..e5ce257 100644
--- a/Kconfig
+++ b/Kconfig
@@ -136,11 +136,11 @@ config IMAGE_SWUPDATE
config IMAGE_SECURE_BOOT
bool "Secure boot support"
depends on TARGET_QEMU_AMD64
+ select IMAGE_SWUPDATE

config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT

endif
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..1cfbacc 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,23 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml

+target: cip-core-image-read-only

local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount.tmpl b/recipes-core/tmp-fs/files/tmp.mount.tmpl
new file mode 100644
index 0000000..fcb2f3e
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount.tmpl
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=${TMP_OPTIONS}
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..3ec20c7
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount.tmpl"
+
+TMP_FS_SIZE ?= "500M"
+TMP_FS_MODE ?= "755"
+TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_SIZE},mode=${TMP_MODE}"
+
+TEMPLATE_FILES = "tmp.mount.tmpl"
+TEMPLATE_VARS += "TMP_FS_OPTIONS"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/start-qemu.sh b/start-qemu.sh
index a92e9f4..c700974 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -42,6 +42,9 @@ if [ -z "${TARGET_IMAGE}" ];then
TARGET_IMAGE="cip-core-image"
if grep -s -q "IMAGE_SECURITY: true" .config.yaml; then
TARGET_IMAGE="cip-core-image-security"
+ fi
+ if [ -n "${SECURE_BOOT}" ]; then
+ TARGET_IMAGE="cip-core-image-read-only"
fi
fi

@@ -55,6 +58,7 @@ case "$1" in
-machine q35,accel=kvm:tcg \
-device virtio-net-pci,netdev=net"
if [ -n "${SECURE_BOOT}" ]; then
+ # set bootindex=0 to boot disk instead of EFI-shell
QEMU_EXTRA_ARGS=" \
${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk,bootindex=0"
else
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2


[isar-cip-core][PATCH 1/9] Add new class to create a squashfs based root file system

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This file system is read only and use a reduced image size.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/squashfs-img.bbclass | 41 ++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 classes/squashfs-img.bbclass

diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
new file mode 100644
index 0000000..0fcfca5
--- /dev/null
+++ b/classes/squashfs-img.bbclass
@@ -0,0 +1,41 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
+
+IMAGER_INSTALL += "squashfs-tools"
+
+SQUASHFS_EXCLUDE_DIRS ?= ""
+SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
+SQUASHFS_CREATION_ARGS ?= " "
+# Generate squashfs filesystem image
+python __anonymous() {
+ exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
+ if len(exclude_directories) == 0:
+ return
+ # use wildcard to exclude only content of the the directory
+ # this allows to use the directory as a mount point
+ args = " -wildcards"
+ for dir in exclude_directories:
+ args += " -e {dir}/* ".format(dir=dir)
+ d.appendVar('SQUASHFS_CREATION_ARGS', args)
+}
+
+do_squashfs_image() {
+ rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
+
+ image_do_mounts
+
+ sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
+ "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SQUASHFS_CREATION_ARGS}
+}
+addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
--
2.30.2


[isar-cip-core][PATCH 2/9] Add verity-img.bbclass for dm-verity based rootfs

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

As we need the output of `veritysetup` to generate
the initrd. Therefore do_verity_image must be called before wic
generates the final disk image.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 classes/verity-img.bbclass

diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass
new file mode 100644
index 0000000..3c94643
--- /dev/null
+++ b/classes/verity-img.bbclass
@@ -0,0 +1,73 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+IMAGER_INSTALL += "cryptsetup"
+
+VERITY_IMAGE_TYPE ?= "squashfs"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
+VERITY_HASH_BLOCK_SIZE ?= "1024"
+VERITY_DATA_BLOCK_SIZE ?= "1024"
+
+create_verity_env_file() {
+
+ local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
+ rm -f $ENV
+
+ local input="${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ # remove header from verity meta data
+ sed -i '/VERITY header information for/d' $input
+ IFS=":"
+ while read KEY VAL; do
+ printf '%s=%s\n' \
+ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+ "$(echo "$VAL" | tr -d ' \t')" >> $ENV
+ done < $input
+}
+
+verity_setup() {
+ rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+ rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}
+
+ cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+
+ image_do_mounts
+ sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
+ --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
+ --data-blocks "${VERITY_DATA_BLOCKS}" \
+ --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ >"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+
+ echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
+ >>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+}
+
+do_verity_image[cleandirs] = "${WORKDIR}/verity"
+python do_verity_image() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+
+ bb.build.exec_func('verity_setup', d)
+ bb.build.exec_func('create_verity_env_file', d)
+}
+addtask verity_image before do_image after do_image_tools
--
2.30.2


From b1699e5e1fd0d9617e0d6850c157809c42e2cb99 Mon Sep 17 00:00:00 2001

Quirin Gylstorff
 

*This patch series adds support for a read-only squashfs based root filesystem
wit SWUpdate support and secureboot.

The build is somewhat complex as we need the output of dm-verity to generate
the initramfs. The build is split in the following steps
1. Build the root file system
2. Generate a squashfs image - this can also be replace by another image format(e.g. ext4)
3. Build from the image the dm-verity partition and add it to the end of the image
4. Add the resulting verity environment to the initrd
5. Build the signed efi tool chain.

This series needs SWUpdate 2021.11. The necessary changes are currently backported.

Changes in RFC V2:
- rebase onto orgin/next
- adapt Kconfig to new ebg-secure-boot-snakeoil.yml by deleting unnecessary options
- Cleanup to support different file-systems for verity-img
- tested with ext4 and squashfs
- simplified kernel patching
- prepend not necessary
- added flag to enable/disable
- whitespaces for readability
- integrated into ebg-secure-boot-snakeoil
- make behavior on corruption configurable during build time.
- default is restart on corruption
- add ISAR patch for correct permissions

Changes in RFC V3:
- Configurable size of /tmp
- remove unnecessary overlay-parse-etc.service
- convert etc-sysusers to drop in configuration of systemd-sysusers.service
- extend commit messages

Changes in Patch:
- rebased onto origin/next 2550c34a03ae3c035a1593585f2d8e545c83140d
- initrd verity warning message
- Kconfig: secure-boot element selects also swupdate
as the secureboot kas option contains swupdate
- fixed ci build

Quirin Gylstorff (9):
Add new class to create a squashfs based root file system
Add verity-img.bbclass for dm-verity based rootfs
linux-cip-common: Increase revision kernel config
Create a initrd with support for dm-verity
Create an read-only rootfs with dm-verity
Create systemd mount units for a etc overlay
Mount writable home partition
kas: Patch isar for correct permissions in var and home
swupdate: Backport patches from SWUpdate Master

.gitlab-ci.yml | 11 -
Kconfig | 4 +-
classes/secure-swupdate-img.bbclass | 32 +++
classes/squashfs-img.bbclass | 41 ++++
classes/verity-img.bbclass | 73 +++++++
kas-cip.yml | 4 +
kas/opt/ebg-secure-boot-snakeoil.yml | 12 +-
...when-splitting-rootfs-folders-across.patch | 35 ++++
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++
.../files/etc-sshd-regen-keys.conf | 7 +
.../etc-overlay-fs/files/etc-sysusers.conf | 4 +
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++
recipes-core/etc-overlay-fs/files/postinst | 4 +
recipes-core/home-fs/files/home.mount | 12 ++
recipes-core/home-fs/files/postinst | 3 +
recipes-core/home-fs/home-fs_0.1.bb | 20 ++
.../images/cip-core-image-read-only.bb | 22 ++
...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
recipes-core/tmp-fs/files/postinst | 3 +
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++
.../cip-core-initramfs/cip-core-initramfs.bb | 10 +-
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++
.../files/verity.script.tmpl | 70 +++++++
.../initramfs-verity-hook_0.1.bb | 51 +++++
recipes-kernel/linux/linux-cip-common.inc | 2 +-
start-qemu.sh | 4 +
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -
wic/qemu-amd64-efibootguard-secureboot.wks.in | 15 ++
32 files changed, 735 insertions(+), 31 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
create mode 100644 classes/squashfs-img.bbclass
create mode 100644 classes/verity-img.bbclass
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100755 recipes-core/etc-overlay-fs/files/postinst
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
rename kas/opt/ebg-snakeoil-swu.yml => recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb (61%)
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

--
2.30.2


[isar-cip-core][PATCH 4/9] Create a initrd with support for dm-verity

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Adapt the initrd to open a dm-verity partition with a fixed
root hash.

The initramfs script is based on [1].

[1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 ++++++
.../files/verity.script.tmpl | 70 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
5 files changed, 161 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..7c75b5b
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,70 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ # If the script cryptroot is installed this script
+ # should be second to last
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ ${VERITY_BEHAVIOR_ON_CORRUPTION} \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs - continuing will lead to a broken trust chain!"
+fi
+
+wait_for_udev 10
+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..a7fbf5a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script.tmpl \
+ "
+
+VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
+
+TEMPLATE_FILES = "verity.script.tmpl"
+TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
+
+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ else
+ bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
+ fi
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
+
+addtask do_install after do_transform_template
--
2.30.2


Re: cip/linux-4.19.y-cip baseline: 121 runs, 1 regressions (v4.19.217-cip62) #kernelci

Pavel Machek
 

Hi!

platform | arch | lab | compiler | defconfig | regressions
---------+------+---------------+----------+---------------------+------------
panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1

Details: https://kernelci.org/test/plan/id/61a587a0ab3b0079bd18f6d7

Results: 5 PASS, 1 FAIL, 0 SKIP
Full config: omap2plus_defconfig
Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110)
Plain log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm/omap2plus_defconfig/gcc-10/lab-collabora/baseline-panda.txt
HTML log:
https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm/omap2plus_defconfig/gcc-10/lab-collabora/baseline-panda.html
So this has enough information to tell me that we have a kernel
problem there, good:

02:08:17.792502 <6>[ 18.847320] omap-mailbox 4a0f4000.mailbox: omap
mailbox rev 0x400
02:08:17.800596 <0>[ 18.857543] BUG: spinlock bad magic on CPU#0,
udevd/110
02:08:17.808843 <6>[ 18.857788] emif 4c000000.emif: emif_probe:
device configured with addr = (ptrval) and IRQ26
02:08:17.818753 <0>[ 18.863311] lock: emif_lock+0x0/0xffffecfc
[emif], .magic: dead4ead, .owner: <none>/-1, .owner_cpu: -1
02:08:17.825277 <4>[ 18.877502] CPU: 0 PID: 110 Comm: udevd Not
tainted 4.19.217-cip62 #1
02:08:17.831655 <4>[ 18.888275] Hardware name: Generic OMAP4
(Flattened Device Tree)
02:08:17.839660 <4>[ 18.894195] [<c01123bc>] (unwind_backtrace)
from [<c010cc28>] (show_stack+0x10/0x14)
02:08:17.847570 <4>[ 18.900482] [<c010cc28>] (show_stack) from
[<c0949dd4>] (dump_stack+0xe0/0x114)
02:08:17.855211 <4>[ 18.905761] [<c0949dd4>] (dump_stack) from
[<c01a9168>] (do_raw_spin_lock+0xbc/0x124)

Unfortunately, not enough information to debug the problem, I'm
afraid. Questions to start debugging this would be:

a) is the problem deterministic?

b) is the problem present in v4.19.217 ?

c) what were the last -stable and -cip kernels that worked?

d) what device/module is causing the BUG?

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62) #kernelci

Pavel Machek
 

Hi!

So... I tried to understand this report, and still could not.

First problem is actually in the From: line. By placing bot there, it
is not clear who is responsible for this, and if someone reads replies
to the bot address.

I feel posts to mailing lists should be signed by human responsible
for them.

Then we have:

cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62)
Ok, so we may have an regression. That means it worked before and it
does not work now. I'd expect two versions "worked in v4.19.123-cip12,
now broken in v4.19.217-cip62", but we only have one.

Regressions Summary
-------------------

platform | arch | lab | compiler | defconfig | regressions
-----------------+-------+---------------+----------+-----------+------------
rk3399-gru-kevin | arm64 | lab-collabora | gcc-10 | defconfig | 1
URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
SHA: dc62e26e3be875a7324b85b8274c13a335e610dd
Still no note when it worked last.

HTML log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm64/defconfig/gcc-10/lab-collabora/baseline-nfs-rk3399-gru-kevin.html
Ok, so we have bootlog from a machine, that's quite unhappy. Part of
it are kernel problems, but we see missing firmware, too. In the end,
it looks like it has no usable network card, so it can not do NFS
boot... and panics.

It is hard to tell config problem vs. kernel bug without knowing more
about machine configuration. Best seeing previous successful runs...

Is there human here who believes this is a problem in -cip kernel that
is worth solving, and is willing to answer questions and test patches?

Best regards,

Pavel

02:27:34.443815 <4>[ 1.401574] cacheinfo: Unable to detect cache
hierarchy for CPU 0
02:27:34.452441 <6>[ 1.413496] loop: module loaded
02:27:34.464113 <4>[ 1.421343] rockchip-spi ff1d0000.spi: Failed
to request TX DMA channel
02:27:34.471531 <4>[ 1.429063] rockchip-spi ff1d0000.spi: Failed
to request RX DMA channel
02:27:34.487460 <6>[ 1.446867] m25p80 spi0.0: gd25lq64c (8192
Kbytes)
02:27:34.501792 <4>[ 1.459399] rockchip-spi ff1e0000.spi: Failed
to request TX DMA channel
...
02:27:48.313465 <6>[ 15.264576] atmel_mxt_ts 3-004b: Family: 164
Variant: 14 Firmware V2.3.AA Objects: 40
02:27:48.362782 <4>[ 15.318381] atmel_mxt_ts 3-004b: Direct
firmware load for maxtouch.cfg failed with error -2
02:27:48.535527 <4>[ 15.377455] atmel_mxt_ts 5-004a: Direct
firmware load for maxtouch.cfg failed with error -2
02:27:48.827088 ipconfig: no devices to configure
02:27:48.831012 ipconfig: no devices to configure
02:27:48.926132 <4>[ 15.866511] platform regulatory.0: Direct
firmware load for regulatory.db failed with error -2
02:27:48.931359 <6>[ 15.879008] pci 0000:00:00.0: PCI bridge to
[bus 01]
02:27:48.938653 <6>[ 15.879016] pci 0000:00:00.0: bridge window
[mem 0xfa000000-0xfa1fffff]

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


cip/linux-4.19.y-cip baseline: 121 runs, 1 regressions (v4.19.217-cip62) #kernelci

kernelci.org bot <bot@...>
 

cip/linux-4.19.y-cip baseline: 121 runs, 1 regressions (v4.19.217-cip62)

Regressions Summary
-------------------

platform | arch | lab | compiler | defconfig | regressions
---------+------+---------------+----------+---------------------+------------
panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1

Details: https://kernelci.org/test/job/cip/branch/linux-4.19.y-cip/kernel/v4.19.217-cip62/plan/baseline/

Test: baseline
Tree: cip
Branch: linux-4.19.y-cip
Describe: v4.19.217-cip62
URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
SHA: dc62e26e3be875a7324b85b8274c13a335e610dd


Test Regressions
----------------


platform | arch | lab | compiler | defconfig | regressions
---------+------+---------------+----------+---------------------+------------
panda | arm | lab-collabora | gcc-10 | omap2plus_defconfig | 1

Details: https://kernelci.org/test/plan/id/61a587a0ab3b0079bd18f6d7

Results: 5 PASS, 1 FAIL, 0 SKIP
Full config: omap2plus_defconfig
Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110)
Plain log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm/omap2plus_defconfig/gcc-10/lab-collabora/baseline-panda.txt
HTML log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm/omap2plus_defconfig/gcc-10/lab-collabora/baseline-panda.html
Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b738df/armel/baseline/rootfs.cpio.gz


* baseline.dmesg.emerg: https://kernelci.org/test/case/id/61a587a0ab3b0079bd18f6dd
new failure (last pass: v4.19.216-cip61)
2 lines

2021-11-30T02:08:20.120053 kern :emerg : BUG: spinlock bad magic on CPU#0, udevd/110
2021-11-30T02:08:20.129545 kern :emerg : lock: emif_lock+0x0/0xffffecfc [emif], .magic: dead4ead, .owner: <none>/-1, .owner_cpu: -1
2021-11-30T02:08:20.143995 <8>[ 21.198120] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=emerg RESULT=fail UNITS=lines MEASUREMENT=2>


cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62) #kernelci

kernelci.org bot <bot@...>
 

cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62)

Regressions Summary
-------------------

platform | arch | lab | compiler | defconfig | regressions
-----------------+-------+---------------+----------+-----------+------------
rk3399-gru-kevin | arm64 | lab-collabora | gcc-10 | defconfig | 1

Details: https://kernelci.org/test/job/cip/branch/linux-4.19.y-cip/kernel/v4.19.217-cip62/plan/baseline-nfs/

Test: baseline-nfs
Tree: cip
Branch: linux-4.19.y-cip
Describe: v4.19.217-cip62
URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
SHA: dc62e26e3be875a7324b85b8274c13a335e610dd


Test Regressions
----------------


platform | arch | lab | compiler | defconfig | regressions
-----------------+-------+---------------+----------+-----------+------------
rk3399-gru-kevin | arm64 | lab-collabora | gcc-10 | defconfig | 1

Details: https://kernelci.org/test/plan/id/61a58c2989f6953bd118f6e4

Results: 0 PASS, 1 FAIL, 0 SKIP
Full config: defconfig
Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110)
Plain log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm64/defconfig/gcc-10/lab-collabora/baseline-nfs-rk3399-gru-kevin.txt
HTML log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm64/defconfig/gcc-10/lab-collabora/baseline-nfs-rk3399-gru-kevin.html
Rootfs: http://storage.kernelci.org/images/rootfs/debian/bullseye/20211126.0/arm64/initrd.cpio.gz


* baseline-nfs.login: https://kernelci.org/test/case/id/61a58c2989f6953bd118f6e5
new failure (last pass: v4.19.216-cip61)

3121 - 3140 of 10161