From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Create a swu file for swupdate to update devices in the field.
This is done in the same step as the complete image build
to avoid diverging images.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/extract-partition.bbclass | 26 +++++++++++++
classes/wic-swu-img.bbclass | 20 ++++++++++
kas/opt/ebg-swu.yml | 4 +-
recipes-core/images/cip-core-image.bb | 10 +++++
recipes-core/images/files/sw-description.tmpl | 37 +++++++++++++++++++
5 files changed, 95 insertions(+), 2 deletions(-)
create mode 100644 classes/extract-partition.bbclass
create mode 100644 classes/wic-swu-img.bbclass
create mode 100644 recipes-core/images/files/sw-description.tmpl

diff --git a/classes/extract-partition.bbclass b/classes/extract-partition.bbclass
new file mode 100644
index 0000000..e9de8fc
--- /dev/null
+++ b/classes/extract-partition.bbclass
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SOURCE_IMAGE_FILE ?= "${WIC_IMAGE_FILE}"
+EXTRACT_PARTITIONS ?= "img4"
+
+do_extract_partition () {
+ for PARTITION in ${EXTRACT_PARTITIONS}; do
+ rm -f ${DEPLOY_DIR_IMAGE}/${PARTITION}.gz
+ PART_START=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $2 }' )
+ PART_END=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $3 }' )
+ PART_COUNT=$(expr ${PART_END} - ${PART_START} + 1 )
+
+ dd if=${SOURCE_IMAGE_FILE} of=${DEPLOY_DIR_IMAGE}/${PARTITION} bs=512 skip=${PART_START} count=${PART_COUNT}
+
+ gzip ${DEPLOY_DIR_IMAGE}/${PARTITION}
+ done
+}
diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
new file mode 100644
index 0000000..c8532ba
--- /dev/null
+++ b/classes/wic-swu-img.bbclass
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index 5b39730..304fa4d 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -22,5 +22,5 @@ local_conf_header:
WICVARS += "WDOG_TIMEOUT"

wic: |
- IMAGE_TYPE = "wic-img"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks"
+ IMAGE_TYPE = "wic-swu-img"
+ WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 9ee4b25..b1ed491 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -17,3 +17,13 @@ DESCRIPTION = "CIP Core image"
IMAGE_INSTALL += "customizations"
# for cip-testing
IMAGE_INSTALL += "ltp-full"
+
+# for swupdate
+EXTRACT_PARTITIONS = "img4"
+ROOTFS_PARTITION_NAME="img4.gz"
+
+SRC_URI += "file://sw-description.tmpl"
+TEMPLATE_FILES += "sw-description.tmpl"
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE"
+
+SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
new file mode 100644
index 0000000..4d32f6f
--- /dev/null
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -0,0 +1,37 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+software =
+{
+ version = "0.2";
+ name = "cip software update"
+ images: ({
+ filename = "${ROOTFS_PARTITION_NAME}";
+ device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
+ type = "roundrobin";
+ compressed = true;
+ filesystem = "ext4";
+ });
+ files: ({
+ filename = "${KERNEL_IMAGE}";
+ path = "vmlinuz";
+ type = "kernelfile";
+ device = "sda2,sda3";
+ filesystem = "vfat";
+ },
+ {
+ filename = "${INITRD_IMAGE}";
+ path = "initrd.img";
+ type = "kernelfile";
+ device = "sda2,sda3";
+ filesystem = "vfat";
+ });
+}
+
--
2.20.1

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add wks for:
- simatic-ipc227e
- qemu-amd64

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas/opt/ebg-swu.yml | 26 ++++++++++++++++++++++++++
wic/ebg-sysparts.inc | 8 ++++++++
wic/qemu-amd64-efibootguard.wks | 5 +++++
wic/simatic-ipc227e-efibootguard.wks | 5 +++++
wic/swupdate-partition.inc | 4 ++++
5 files changed, 48 insertions(+)
create mode 100644 kas/opt/ebg-swu.yml
create mode 100644 wic/ebg-sysparts.inc
create mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 100644 wic/swupdate-partition.inc

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
new file mode 100644
index 0000000..5b39730
--- /dev/null
+++ b/kas/opt/ebg-swu.yml
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate efibootguard"
+ BOOTLOADER = "efibootguard"
+
+ efibootguard: |
+ WDOG_TIMEOUT = "0"
+ WICVARS += "WDOG_TIMEOUT"
+
+ wic: |
+ IMAGE_TYPE = "wic-img"
+ WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks"
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
new file mode 100644
index 0000000..dea99e8
--- /dev/null
+++ b/wic/ebg-sysparts.inc
@@ -0,0 +1,8 @@
+# default partition layout EFI Boot Guard usage
+
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002"
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
new file mode 100644
index 0000000..3cd7360
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -0,0 +1,5 @@
+# short-description: Qemu-amd64 with Efibootguard and SWUpdate
+# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+include swupdate-partition.inc
diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks
new file mode 100644
index 0000000..74446d3
--- /dev/null
+++ b/wic/simatic-ipc227e-efibootguard.wks
@@ -0,0 +1,5 @@
+# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate
+# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+include swupdate-partition.inc
diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc
new file mode 100644
index 0000000..15fbe80
--- /dev/null
+++ b/wic/swupdate-partition.inc
@@ -0,0 +1,4 @@
+part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4
+part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
--
2.20.1

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the bootloader efibootguard for A/B partition update
on x86 with EFI.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../efibootguard/efibootguard_0.7-git+isar.bb | 46 +++++
recipes-bsp/efibootguard/files/debian/compat | 1 +
.../efibootguard/files/debian/control.tmpl | 20 +++
.../files/debian/efibootguard-dev.install | 3 +
.../files/debian/efibootguard.install | 2 +
recipes-bsp/efibootguard/files/debian/rules | 21 +++
.../wic/plugins/source/efibootguard-boot.py | 162 ++++++++++++++++++
.../wic/plugins/source/efibootguard-efi.py | 102 +++++++++++
8 files changed, 357 insertions(+)
create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
create mode 100644 recipes-bsp/efibootguard/files/debian/compat
create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install
create mode 100755 recipes-bsp/efibootguard/files/debian/rules
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py

diff --git a/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
new file mode 100644
index 0000000..4bdf76a
--- /dev/null
+++ b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
@@ -0,0 +1,46 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "efibootguard boot loader"
+DESCRIPTION_DEV = "efibootguard development library"
+HOMEPAGE = "https://github.com/siemens/efibootguard"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>"
+
+SRC_URI = "git://github.com/siemens/efibootguard.git;branch=master;protocol=https \
+ file://debian \
+ "
+
+S = "${WORKDIR}/git"
+
+SRCREV = "442e87bafb480ada2b9074f02350a30408d4cf9c"
+
+PROVIDES = "${PN}"
+PROVIDES += "${PN}-dev"
+
+BUILD_DEB_DEPENDS = "gnu-efi,libpci-dev,check,pkg-config,libc6-dev-i386"
+
+inherit dpkg
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "DESCRIPTION_DEV BUILD_DEB_DEPENDS"
+
+do_prepare_build() {
+ cp -R ${WORKDIR}/debian ${S}
+ deb_add_changelog
+}
+
+dpkg_runbuild_append() {
+ install -m 0755 -d ${DEPLOY_DIR_IMAGE}
+ install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
+ install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
+}
diff --git a/recipes-bsp/efibootguard/files/debian/compat b/recipes-bsp/efibootguard/files/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/recipes-bsp/efibootguard/files/debian/control.tmpl b/recipes-bsp/efibootguard/files/debian/control.tmpl
new file mode 100644
index 0000000..54b1994
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/control.tmpl
@@ -0,0 +1,20 @@
+Source: ${PN}
+Section: base
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${BUILD_DEB_DEPENDS}
+Homepage: ${HOMEPAGE}
+Maintainer: ${MAINTAINER}
+
+Package: ${PN}
+Depends: ${shlibs:Depends}
+Section: base
+Architecture: ${DISTRO_ARCH}
+Priority: required
+Description: ${DESCRIPTION}
+
+Package: ${PN}-dev
+Section: base
+Architecture: ${DISTRO_ARCH}
+Priority: optional
+Description: ${DESCRIPTION_DEV}
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
new file mode 100644
index 0000000..7b45bd8
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
@@ -0,0 +1,3 @@
+include/ebgenv.h usr/include/efibootguard
+libebgenv.a usr/lib/x86_64-linux-gnu
+
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
new file mode 100644
index 0000000..8a8d9d3
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
@@ -0,0 +1,2 @@
+bg_setenv usr/bin
+bg_printenv usr/bin
diff --git a/recipes-bsp/efibootguard/files/debian/rules b/recipes-bsp/efibootguard/files/debian/rules
new file mode 100755
index 0000000..82e9e0e
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/rules
@@ -0,0 +1,21 @@
+#!/usr/bin/make -f
+export DH_VERBOSE=1
+export DEB_BUILD_OPTIONS=hardening=-stackprotector
+export DPKG_EXPORT_BUILDFLAGS=1
+include /usr/share/dpkg/default.mk
+
+override_dh_auto_test:
+ # we do not run the tests; that avoids having to pull the fff submodule
+
+override_dh_auto_install:
+ # install using Debian's .install files rather than
+ # make install in order to have a proper package split.
+
+override_dh_installchangelogs:
+ # we're not interested in changelogs
+
+override_dh_installdocs:
+ # we're not interested in docs
+
+%:
+ dh $@ --with autoreconf
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
new file mode 100644
index 0000000..38d2b2e
--- /dev/null
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -0,0 +1,162 @@
+# ex:ts=4:sw=4:sts=4:et
+# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
+#
+# Copyright (c) 2014, Intel Corporation.
+# Copyright (c) 2018, Siemens AG.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# DESCRIPTION
+# This implements the 'efibootguard-boot' source plugin class for 'wic'
+#
+# AUTHORS
+# Tom Zanussi <tom.zanussi (at] linux.intel.com>
+# Claudius Heine <ch (at] denx.de>
+# Andreas Reichel <andreas.reichel.ext (at] siemens.com>
+# Christian Storm <christian.storm (at] siemens.com>
+
+import os
+import fnmatch
+import sys
+import logging
+
+msger = logging.getLogger('wic')
+
+from wic.pluginbase import SourcePlugin
+from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE
+
+class EfibootguardBootPlugin(SourcePlugin):
+ """
+ Create EFI Boot Guard partition hosting the
+ environment file plus Kernel files.
+ """
+
+ name = 'efibootguard-boot'
+
+ @classmethod
+ def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
+ oe_builddir, deploy_dir, kernel_dir,
+ rootfs_dir, native_sysroot):
+ """
+ Called to do the actual content population for a partition, i.e.,
+ populate an EFI Boot Guard environment partition plus Kernel files.
+ """
+
+ kernel_image = get_bitbake_var("KERNEL_IMAGE")
+ if not kernel_image:
+ msger.warning("KERNEL_IMAGE not set. Use default:")
+ kernel_image = "vmlinuz"
+ boot_image = kernel_image
+
+ initrd_image = get_bitbake_var("INITRD_IMAGE")
+ if not initrd_image:
+ msger.warning("INITRD_IMAGE not set\n")
+ initrd_image = "initrd.img"
+ bootloader = creator.ks.bootloader
+
+ deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
+ if not deploy_dir:
+ msger.error("DEPLOY_DIR_IMAGE not set, exiting\n")
+ sys.exit(1)
+ creator.deploy_dir = deploy_dir
+
+ wdog_timeout = get_bitbake_var("WDOG_TIMEOUT")
+ if not wdog_timeout:
+ msger.error("Specify watchdog timeout for \
+ efibootguard in local.conf with WDOG_TIMEOUT=")
+ exit(1)
+
+
+ boot_files = source_params.get("files", "").split(' ')
+ cmdline = bootloader.append
+ root_dev = source_params.get("root", None)
+ if not root_dev:
+ msger.error("Specify root in source params")
+ exit(1)
+ root_dev = root_dev.replace(":", "=")
+
+ cmdline += " root=%s rw" % root_dev
+ boot_files.append(kernel_image)
+ boot_files.append(initrd_image)
+ cmdline += "initrd=%s" % initrd_image if initrd_image else ""
+
+ part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
+ part.label, part.lineno)
+ create_dir_cmd = "install -d %s" % part_rootfs_dir
+ exec_cmd(create_dir_cmd)
+
+ cwd = os.getcwd()
+ os.chdir(part_rootfs_dir)
+ config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
+ % (
+ deploy_dir,
+ part.label.upper(),
+ boot_image,
+ '-a "%s"' % cmdline if cmdline else "",
+ source_params.get("revision", 1),
+ wdog_timeout
+ )
+ exec_cmd(config_cmd, True)
+ os.chdir(cwd)
+
+ boot_files = list(filter(None, boot_files))
+ for boot_file in boot_files:
+ if os.path.isfile("%s/%s" % (kernel_dir, kernel_image)):
+ install_cmd = "install -m 0644 %s/%s %s/%s" % \
+ (kernel_dir, boot_file, part_rootfs_dir, boot_file)
+ exec_cmd(install_cmd)
+ else:
+ msger.error("file %s not found in directory %s",
+ boot_file, kernel_dir)
+ exit(1)
+ cls._create_img(part_rootfs_dir, part, cr_workdir)
+
+ @classmethod
+ def _create_img(cls, part_rootfs_dir, part, cr_workdir):
+ # Write label as utf-16le to EFILABEL file
+ with open("%s/EFILABEL" % part_rootfs_dir, 'wb') as filedescriptor:
+ filedescriptor.write(part.label.upper().encode("utf-16le"))
+
+ du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
+ blocks = int(exec_cmd(du_cmd).split()[0])
+
+ extra_blocks = part.get_extra_block_count(blocks)
+ if extra_blocks < BOOTDD_EXTRA_SPACE:
+ extra_blocks = BOOTDD_EXTRA_SPACE
+
+ blocks += extra_blocks
+ blocks = blocks + (16 - (blocks % 16))
+
+ msger.debug("Added %d extra blocks to %s to get to %d total blocks",
+ extra_blocks, part.mountpoint, blocks)
+
+ # dosfs image, created by mkdosfs
+ bootimg = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno)
+
+ dosfs_cmd = "mkdosfs -F 16 -S 512 -n %s -C %s %d" % \
+ (part.label.upper(), bootimg, blocks)
+ exec_cmd(dosfs_cmd)
+
+ mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % (bootimg, part_rootfs_dir)
+ exec_cmd(mcopy_cmd, True)
+
+ chmod_cmd = "chmod 644 %s" % bootimg
+ exec_cmd(chmod_cmd)
+
+ du_cmd = "du -Lbks %s" % bootimg
+ bootimg_size = int(exec_cmd(du_cmd).split()[0])
+
+ part.size = bootimg_size
+ part.source_file = bootimg
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
new file mode 100644
index 0000000..5ee451f
--- /dev/null
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -0,0 +1,102 @@
+# ex:ts=4:sw=4:sts=4:et
+# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
+#
+# Copyright (c) 2014, Intel Corporation.
+# Copyright (c) 2018, Siemens AG.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# DESCRIPTION
+# This implements the 'efibootguard-efi' source plugin class for 'wic'
+#
+# AUTHORS
+# Tom Zanussi <tom.zanussi (at] linux.intel.com>
+# Claudius Heine <ch (at] denx.de>
+# Andreas Reichel <andreas.reichel.ext (at] siemens.com>
+# Christian Storm <christian.storm (at] siemens.com>
+
+import logging
+import os
+
+msger = logging.getLogger('wic')
+
+from wic.pluginbase import SourcePlugin
+from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE
+
+class EfibootguardEFIPlugin(SourcePlugin):
+ """
+ Create EFI bootloader partition containing the EFI Boot Guard Bootloader.
+ """
+
+ name = 'efibootguard-efi'
+
+ @classmethod
+ def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
+ oe_builddir, deploy_dir, kernel_dir,
+ rootfs_dir, native_sysroot):
+ """
+ Called to do the actual content population for a partition, i.e.,
+ populate an EFI boot partition containing the EFI Boot Guard
+ bootloader binary.
+ """
+ deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
+ creator.deploy_dir = deploy_dir
+ bootloader_files = source_params.get("bootloader")
+ if not bootloader_files:
+ bootloader_files = "bootx64.efi"
+ bootloader_files = bootloader_files.split(' ')
+ part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
+ part.label,
+ part.lineno)
+ create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
+ exec_cmd(create_dir_cmd)
+
+ for bootloader in bootloader_files:
+ cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir,
+ bootloader,
+ part_rootfs_dir,
+ bootloader)
+ exec_cmd(cp_cmd, True)
+ du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
+ blocks = int(exec_cmd(du_cmd).split()[0])
+
+ extra_blocks = part.get_extra_block_count(blocks)
+ if extra_blocks < BOOTDD_EXTRA_SPACE:
+ extra_blocks = BOOTDD_EXTRA_SPACE
+ blocks += extra_blocks
+ blocks = blocks + (16 - (blocks % 16))
+
+ msger.debug("Added %d extra blocks to %s to get to %d total blocks",
+ extra_blocks, part.mountpoint, blocks)
+
+ # dosfs image, created by mkdosfs
+ efi_part_image = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno)
+
+ dosfs_cmd = "mkdosfs -S 512 -n %s -C %s %d" % \
+ (part.label.upper(), efi_part_image, blocks)
+ exec_cmd(dosfs_cmd)
+
+ mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % \
+ (efi_part_image, part_rootfs_dir)
+ exec_cmd(mcopy_cmd, True)
+
+ chmod_cmd = "chmod 644 %s" % efi_part_image
+ exec_cmd(chmod_cmd)
+
+ du_cmd = "du -Lbks %s" % efi_part_image
+ efi_part_image_size = int(exec_cmd(du_cmd).split()[0])
+
+ part.size = efi_part_image_size
+ part.source_file = efi_part_image
--
2.20.1

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

swupdate 2020.04 requires libubootenv as build dependency.

libubootenv is a library that provides a hardware independent
way to access to U-Boot environment. U-Boot has its default environment
compiled board-dependently and this means that tools to access the environment
are also board specific, too.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../0001-u-boot-add-libubootenv.patch | 169 ++++++++++++++++++
kas-cip.yml | 4 +
2 files changed, 173 insertions(+)
create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch

diff --git a/isar-patches/0001-u-boot-add-libubootenv.patch b/isar-patches/0001-u-boot-add-libubootenv.patch
new file mode 100644
index 0000000..10a5b4a
--- /dev/null
+++ b/isar-patches/0001-u-boot-add-libubootenv.patch
@@ -0,0 +1,169 @@
+From 76897e89977f895495e21e37cb76f90392d55ef9 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Fri, 19 Jun 2020 17:00:36 +0200
+Subject: [PATCH v2] u-boot: add libubootenv
+
+Add the new library libubootenv and remove fw_printenv and fw_setenv
+form u-boot-tools as the are now part of the new library.
+
+libubootenv is a library that provides a hardware independent
+way to access to U-Boot environment. U-Boot has its default environment
+compiled board-dependently and this means that tools to access the environment
+are also board specific, too.
+
+libubootenv conflicts with u-boot-tools from Debian 10
+as both try to install fw_printenv and fw_sentenv. This conflict is not
+part of the control file as it breaks the installation of custom u-boot-tools
+from the u-boot-sources.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ meta-isar/conf/machine/de0-nano-soc.conf | 2 +-
+ .../libubootenv/files/debian/compat | 1 +
+ .../libubootenv/files/debian/control.tmpl | 15 +++++++++
+ .../libubootenv/files/debian/rules.tmpl | 24 ++++++++++++++
+ .../libubootenv/libubootenv_0.2.bb | 32 +++++++++++++++++++
+ .../files/debian/u-boot-tools.conffiles | 1 -
+ .../u-boot/files/debian/u-boot-tools.install | 2 --
+ .../u-boot/files/debian/u-boot-tools.links | 1 -
+ 8 files changed, 73 insertions(+), 5 deletions(-)
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/compat
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+ create mode 100644 meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+ delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
+ delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
+
+diff --git a/meta-isar/conf/machine/de0-nano-soc.conf b/meta-isar/conf/machine/de0-nano-soc.conf
+index 3a2c009..6558d90 100644
+--- a/meta-isar/conf/machine/de0-nano-soc.conf
++++ b/meta-isar/conf/machine/de0-nano-soc.conf
+@@ -15,4 +15,4 @@ WKS_FILE ?= "de0-nano-soc.wks.in"
+ IMAGER_INSTALL += "u-boot-de0-nano-soc"
+ IMAGER_BUILD_DEPS += "u-boot-de0-nano-soc"
+
+-IMAGE_INSTALL += "u-boot-tools u-boot-script"
++IMAGE_INSTALL += "u-boot-tools libubootenv u-boot-script"
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/compat b/meta/recipes-bsp/libubootenv/files/debian/compat
+new file mode 100644
+index 0000000..b4de394
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/compat
+@@ -0,0 +1 @@
++11
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/control.tmpl b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+new file mode 100644
+index 0000000..fade69a
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+@@ -0,0 +1,15 @@
++Source: libubootenv
++Section: embedded
++Priority: optional
++Maintainer: Stefano Babic <sbabic@denx.de>
++Build-Depends: ${BUILD_DEB_DEPENDS}
++Standards-Version: 4.2.1
++Homepage: https://sbabic.github.io/libubootenv
++
++Package: libubootenv
++Architecture: any
++Depends: ${DEBIAN_DEPENDS}
++Description: libubootenv is a library that provides a hardware independent
++ way to access to U-Boot environment. U-Boot has its default environment
++ compiled board-dependently and this means that tools to access the environment
++ are also board specific, too.
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+new file mode 100644
+index 0000000..56ccd19
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+@@ -0,0 +1,24 @@
++#!/usr/bin/make -f
++
++ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
++export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
++export CC=$(DEB_HOST_GNU_TYPE)-gcc
++export LD=$(DEB_HOST_GNU_TYPE)-gcc
++endif
++
++export DH_VERBOSE = 1
++
++export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
++
++override_dh_auto_configure:
++ dh_auto_configure --
++
++%:
++ echo $@
++ dh $@
++
++override_dh_installchangelogs:
++ true
++
++override_dh_installdocs:
++ true
+diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+new file mode 100644
+index 0000000..1be058c
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+@@ -0,0 +1,32 @@
++# libubootenv
++#
++# This software is a part of ISAR.
++# Copyright (c) Siemens AG, 2020
++#
++# SPDX-License-Identifier: MIT
++
++DESCRIPTION = "swupdate utility for software updates"
++HOMEPAGE= "https://github.com/sbabic/swupdate"
++LICENSE = "GPL-2.0"
++LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
++SRC_URI = "gitsm://github.com/sbabic/libubootenv.git;branch=master;protocol=https"
++
++SRCREV = "bf6ff631c0e38cede67268ceb8bf1383b5f8848e"
++
++BUILD_DEB_DEPENDS = "cmake, zlib1g-dev"
++
++SRC_URI += "file://debian"
++TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
++TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS"
++
++
++inherit dpkg
++
++S = "${WORKDIR}/git"
++
++do_prepare_build() {
++ DEBDIR=${S}/debian
++ install -d ${DEBDIR}
++ cp -R ${WORKDIR}/debian ${S}
++ deb_add_changelog
++}
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
+deleted file mode 100644
+index d49a8fb..0000000
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
++++ /dev/null
+@@ -1 +0,0 @@
+-/etc/fw_env.config
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
+index d1ae3e0..2893b9a 100644
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
++++ b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
+@@ -1,5 +1,3 @@
+ tools/dumpimage /usr/bin/
+-tools/env/fw_printenv /usr/bin/
+ tools/mkenvimage /usr/bin/
+ tools/mkimage /usr/bin/
+-tools/env/fw_env.config /etc
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
+deleted file mode 100644
+index 92f5a6c..0000000
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
++++ /dev/null
+@@ -1 +0,0 @@
+-/usr/bin/fw_printenv /usr/bin/fw_setenv
+--
+2.20.1
+
diff --git a/kas-cip.yml b/kas-cip.yml
index 019b31e..0da07db 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -22,6 +22,10 @@ repos:
refspec: 351af175bc54a201c6f44307d4e998bd6c0afdb8
layers:
meta:
+ patches:
+ 01-libubootenv:
+ path: isar-patches/0001-u-boot-add-libubootenv.patch
+ repo: cip-core

bblayers_conf_header:
standard: |
--
2.20.1

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds efibootguard, swupdate to allow A/B updates in
cip-core. The update mechanism is currently only implemented for x86_64.

Changes V2:
- update efibootguard to v0.7
- add swdescription and kas option to build qemu-amd64 test image
- swupdate set to upstream mirror and no longer use gitsm

Changes V3:

- change image type for ebg-swu to generate a swu image during build
- remove qemu-swupdate as it is no longer needed
- add swdescription file for updating without secureboot


Quirin Gylstorff (5):
recipes-bsp: Add efibootguard
patches: add libubootenv
recipes-core: add swupdate
wic: Add wks files for A/B Partition update
swupdate: create swu file from wic image

classes/extract-partition.bbclass | 26 +
classes/kconfig-snippets.bbclass | 90 ++++
classes/swupdate-config.bbclass | 76 +++
classes/swupdate-img.bbclass | 75 +++
classes/wic-swu-img.bbclass | 20 +
.../0001-u-boot-add-libubootenv.patch | 169 +++++++
kas-cip.yml | 4 +
kas/opt/ebg-swu.yml | 26 +
.../efibootguard/efibootguard_0.7-git+isar.bb | 46 ++
recipes-bsp/efibootguard/files/debian/compat | 1 +
.../efibootguard/files/debian/control.tmpl | 20 +
.../files/debian/efibootguard-dev.install | 3 +
.../files/debian/efibootguard.install | 2 +
recipes-bsp/efibootguard/files/debian/rules | 21 +
recipes-core/images/cip-core-image.bb | 10 +
recipes-core/images/files/sw-description.tmpl | 37 ++
.../swupdate/files/debian/changelog.tmpl | 6 +
recipes-core/swupdate/files/debian/compat | 1 +
.../swupdate/files/debian/control.tmpl | 15 +
recipes-core/swupdate/files/debian/copyright | 36 ++
recipes-core/swupdate/files/debian/rules.tmpl | 30 ++
.../swupdate/files/debian/swupdate.examples | 2 +
.../swupdate/files/debian/swupdate.install | 2 +
.../swupdate/files/debian/swupdate.manpages | 5 +
.../swupdate/files/debian/swupdate.tmpfile | 2 +
recipes-core/swupdate/files/debian/watch | 12 +
recipes-core/swupdate/files/postinst | 2 +
recipes-core/swupdate/files/swupdate.cfg | 6 +
.../swupdate/files/swupdate.service.example | 11 +
.../swupdate/files/swupdate.socket.example | 11 +
.../swupdate/files/swupdate.socket.tmpl | 13 +
.../swupdate/files/swupdate_defconfig | 83 ++++
.../swupdate_defconfig_efibootguard.snippet | 3 +
.../files/swupdate_defconfig_lua.snippet | 2 +
.../swupdate_defconfig_luahandler.snippet | 4 +
.../files/swupdate_defconfig_mtd.snippet | 1 +
.../files/swupdate_defconfig_u-boot.snippet | 3 +
.../files/swupdate_defconfig_ubi.snippet | 6 +
.../swupdate/files/swupdate_handlers.lua | 453 ++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 54 +++
.../wic/plugins/source/efibootguard-boot.py | 162 +++++++
.../wic/plugins/source/efibootguard-efi.py | 102 ++++
wic/ebg-sysparts.inc | 8 +
wic/qemu-amd64-efibootguard.wks | 5 +
wic/simatic-ipc227e-efibootguard.wks | 5 +
wic/swupdate-partition.inc | 4 +
46 files changed, 1675 insertions(+)
create mode 100644 classes/extract-partition.bbclass
create mode 100644 classes/kconfig-snippets.bbclass
create mode 100644 classes/swupdate-config.bbclass
create mode 100644 classes/swupdate-img.bbclass
create mode 100644 classes/wic-swu-img.bbclass
create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch
create mode 100644 kas/opt/ebg-swu.yml
create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
create mode 100644 recipes-bsp/efibootguard/files/debian/compat
create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install
create mode 100755 recipes-bsp/efibootguard/files/debian/rules
create mode 100644 recipes-core/images/files/sw-description.tmpl
create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl
create mode 100644 recipes-core/swupdate/files/debian/compat
create mode 100644 recipes-core/swupdate/files/debian/control.tmpl
create mode 100644 recipes-core/swupdate/files/debian/copyright
create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl
create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples
create mode 100644 recipes-core/swupdate/files/debian/swupdate.install
create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages
create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile
create mode 100644 recipes-core/swupdate/files/debian/watch
create mode 100644 recipes-core/swupdate/files/postinst
create mode 100644 recipes-core/swupdate/files/swupdate.cfg
create mode 100644 recipes-core/swupdate/files/swupdate.service.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua
create mode 100644 recipes-core/swupdate/swupdate.bb
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py
create mode 100644 wic/ebg-sysparts.inc
create mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 100644 wic/swupdate-partition.inc

--
2.20.1

Is tlsdate a better alternative?

--
Mohammed Billoo
MAB Labs, LLC
www.mab-labs.com

Hi!

I'm almost done getting SSL working between the BBB and hawkbit. The last
piece of the puzzle is to get NTP working on the BBB (since I need valid
time to ensure that the server certificate is valid). Unfortunately,
I'm

Notice that in this case SSL is not adding as much security as you
think it does.

SSL attempts to protect against active attackers, and those can
manipulate NTP easily.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Hello all,

The IRC logger was down yesterday, so please see a dirty copy/paste from the meeting below.

Kind regards, Chris

/start log

patersonc
Hello
wens
hi
szlin
hi
suzuki
hi
paveltest
hi
patersonc
I'm in charge today - sorry in advance!
#startmeeting CIP IRC weekly meeting
bwh joined the room.
bwh
hi
patersonc
#topic rollcall
Say hi etc.
(Doesn't look like the logger is working for me?)
dineshk
Hi
patersonc
I guess everyone has said hi already ;)
bwh
patersonc: It's not in the channel
patersonc
Ah
szlin
patersonc: it seems like the bot is not around
paveltest
Umm, I guess we can just pretend it works and create the logs manually or something.
patersonc
Sure
#topic AI review
Combine root filesystem with kselftest binary - iwamatsu
Any updates iwamatsu?
szlin
patersonc: Today is the national holiday in Japan
paveltest
I don't think he is around... did not say hi.
patersonc
Ah is it? I didn't realise :(
Moving on...
Post LTP results to KernelCI - patersonc
No updates from me
Issues to be fixed for swupdate "copyright correction and salsa CI testing" - iwamatsu
szlin
Done
patersonc
Huzzah. Thanks szlin
szlin
I uploaded the new version of swupdate few weeks ago.
patersonc
Thanks. It could be that the action list I'm using is out of date...
Moving on...
#topic Kernel maintenance updates
wens
3 new CVEs, all fixed and backported (if needed); 3 old CVEs fixed.
paveltest
I have reviewed patches for 4.19.134.
bwh
I have reviewed kernel-sec updates by wens
patersonc
I have a question for the mainainers
Is anyone maintaining the CIP patchwork?
(or using)
paveltest
Hmm... We used it some time ago.
...but then I somehow forgot it exists.
patersonc
#link https://patchwork.kernel.org/project/cip-dev/list/
I wonder if someone should take ownership of it?
paveltest
Ammount of patches on the list is quite low, so patchwork is not really useful.
I believe we cna
can simply declare it dead.
It is currently not useful.
patersonc
Would it become more useful when LTS support ends?
paveltest
I don't think so.
It would become useful if we got a lot of patches
from participating companies.
patersonc
Any thoughts from anyone else?
paveltest
Currently we are just getting patches from Biju and ammount is quite low.
patersonc
Okay. Thanks
paveltest
bwh
I don't have experience using patchwork, so I don't have a feel for when it's more or less useful
wens
I guess it really depends on the maintainers? It's less common for patch submitters to go on patchwork to update status for their own patches
(hence the unmaintained mess for lakml patchwork)
paveltest
I see patchwork as a service for patch submitters. If they are okay without it, it is easier for maintainer.
patersonc
I know that it's useful for those who want a nice URL to their submitted patch before it gets merged
wens
paveltest: I always thought it was the other way around.
patersonc: I believe lore takes care of that now
patersonc
I'll send an email to the wider maintainer/cip-dev group to see if everyone agrees that we should kill it, or leave it running (un)maintained
#action patersonc: Email Kernel team/cip-dev about patchwork usage
paveltest
Wens: well, if there are so many patches maintainer loses track, it is useful for maintainer too. But that is not currently the case.
patersonc
Any other topics/comments for/from the Kernel team?
5
4
3
2
1
#topic Kernel testing
KernelCI have agreed to add the CIP trees to kernelci.org
I've submitted a PR accordingly: https://github.com/kernelci/kernelci-core/pull/448
Fix renesas-soc repository and add CIP branches.
We also plan to have our own instance, initially running on KCI's servers at cip.kernelci.org.
Any testing related topics/questions from anyone else?
wens
are the instances completely separate, or sharing data / control?
patersonc
Separate. If we add any useful features on our fork we'd aim to upstream them back to kernelci
Initially we'd be using KCI's build infrastructure, with the aim of integrating it into our own
If anyone is interested in helping out with this effort please let me know.
Anyone for anymore before the next topic?
5
4
3
2
1
#topic Software update
suzuki
Hello.
I had found some problems with the current software update mechanism uploaded to cip-sw-updates-demo repository.
paveltest left the room.
suzuki
The problems had been that some needed files and settings didn't exist in the root file system.
I created gitlab issues about them: https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/15, https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/16
And I'm working on them. One of them has been already done.
Apart from that, Mohammed is working on the task which is to support HTTPS connection between SWUpdate and hawkBit: https://gitlab.com/cip-project/cip-sw-updates/cip-sw-updates-tasks/-/issues/8
That's all from me.
patersonc
Thank you suzuki-san
Any queries from anyone?
5
4
3
2
1
#topic CIP Security
dineshk
hello
I guess Kent is not around so I will update
patersonc
Thank you
dineshk
Completed verification of single node security requirements on CIP LAVA
Working with Chris to verify multi-node security requirements on LAVA
SOW signed with exida for CIP gap assessment for IEC-62443-4-2 & IEC-62443-4-1
Kick-off meeting with exida held for Gap assessment yesterday
That's all from security WG
patersonc
Thank you dineshk
Any comments/queries?
5
4
3
2
1
#topic AOB
Any other topics from anyone today?
If not, then I guess we'll close for today.
Thank you all for your time!
#endmeeting

/end log

Hi!

Add RZ/G2E Dual LVDS display support. All patches in this series are
cherry-picked from upstream kernel.

I could not find any issues besides double of_node_put in 11/.

It is currently being tested:

https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/169687006

If noone objects (and tests pass), I can apply/push the series.

Applied, thanks for patches.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Hi Jan,

On Thu, Jul 23, 2020 at 04:10 PM, Jan Kiszka wrote:

On 21.07.20 10:16, Venkata Pyla wrote:

From: venkata <venkata.pyla@toshiba-tsip.com>

Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
---
README.md | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index bbad1a0..b2c4166 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,16 @@ card, run
dd

if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img \

of=/dev/<medium-device> bs=1M status=progress

+## Building Security target images
+Building images for QEMU x86-64bit machine
+
+ ./kas-docker --isar build --target cip-core-image-security

kas.yml:board-qemu-amd64.yml

+
+Run the generated securiy images on QEMU (x86-64bit)
+
+ TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
+
+
## Community Resources

TBD

This patch is fine, but I'm missing 4/4: Add this image to CI (same
comment as I had on the MR on gitlab).

Adding cip security image to CI,
i need some suggestions to use the current format present in .gitlab-ci.yml

Currently i have the below problem for using script deploy-cip-core.sh:
1. image name formation in the script should have another variable
.../$IMG_PREFIX-cip-core-$RELEASE-$TARGET
where $IMG_PREFIX is default to "cip-core-image" if not specified
for security image it will be passed as 4th argument "cip-core-image-security"
2. currently scrit is expecting the image format in *.wic.img so,
for qemu i think we should have wks file to generate image with format .wic.img

or for this security image do we need to deploy it seperatley?
please guide me

Thanks

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

On 23.07.20 15:13, Venkata Pyla wrote:

Hi Jan,
sorry i am resending this mail
On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:

On 21.07.20 10:16, Venkata Pyla wrote:

From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>

Identified security packages are added to the target image
and that will be used for IEC-62443-4-2 evaluation

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>

^^^^^^^^^
Can you configure your git to add you written name here as well? It's in
the email, yes, but it would be nicer to have it displayed as well.

sure, i didn't notice, it was missed in my git config

---
.../images/cip-core-image-security.bb | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 recipes-core/images/cip-core-image-security.bb

diff --git a/recipes-core/images/cip-core-image-security.bb

b/recipes-core/images/cip-core-image-security.bb

new file mode 100644
index 0000000..8253952
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,37 @@
+#
+# A reference image which includes security packages
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+# Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image
+
+DESCRIPTION = "CIP Core image including security packages"
+
+# Use the same customizations as cip-core-image

That comment is not needed. It just creates the risk of becoming
outdated if cip-core-image decides to do something else.

Understood, i will modify and resend this patch series

+IMAGE_INSTALL += "customizations"
+
+# Debian packages that provide security features
+IMAGE_PREINSTALL += " \
+ openssl libssl1.1 \
+ fail2ban \
+ openssh-server openssh-sftp-server openssh-client \
+ syslog-ng-core syslog-ng-mod-journal \
+ aide aide-common \
+ libnftables0 nftables \
+ libpam-pkcs11 \
+ chrony \
+ tpm2-tools \
+ tpm2-abrmd \
+ libtss2-esys0 libtss2-udev \
+ libpam-cracklib \
+ acl \
+ libauparse0 audispd-plugins auditd \
+ uuid-runtime \
+ sudo \
+"

Can you close
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8
if this series obsoletes it?

I have rebased the branch and sent the patches over mail,
I think i should close this MR in gitlab, i will do that.

BTW, a cover letter would help structuring the patches together. And
please add a tag like "[isar-cip-core]" in order to clarify the series
target. That is all configurable in git format-patch/send-email.

Got it,
i was sending the patches to the community for the first time so i was missing some basic stuff.
next time i will do care of it,
thanks for showing patience on me

Don't worry. The submission looked fairly good otherwise, not like first-time!

BTW, I'm still ambivalent whether to do UI (MRs) or cip-dev based patch reviews for isar-cip-core. As contributions increase, you contributors need to express your preference. I'm used to both by now, I have troubles with both by now. However, we just need to consolidate over one system because we can't couple them reasonably.

And then we should document the current state of affairs, I know. There is a CONTRIBUTING guild missing for this repo.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Hi Jan,

sorry i am resending this mail

On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:

On 21.07.20 10:16, Venkata Pyla wrote:

From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>

Identified security packages are added to the target image
and that will be used for IEC-62443-4-2 evaluation

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>

^^^^^^^^^
Can you configure your git to add you written name here as well? It's in
the email, yes, but it would be nicer to have it displayed as well.

sure, i didn't notice, it was missed in my git config

---
.../images/cip-core-image-security.bb | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 recipes-core/images/cip-core-image-security.bb

diff --git a/recipes-core/images/cip-core-image-security.bb

b/recipes-core/images/cip-core-image-security.bb

new file mode 100644
index 0000000..8253952
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,37 @@
+#
+# A reference image which includes security packages
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+# Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image
+
+DESCRIPTION = "CIP Core image including security packages"
+
+# Use the same customizations as cip-core-image

That comment is not needed. It just creates the risk of becoming
outdated if cip-core-image decides to do something else.

Understood, i will modify and resend this patch series

+IMAGE_INSTALL += "customizations"
+
+# Debian packages that provide security features
+IMAGE_PREINSTALL += " \
+ openssl libssl1.1 \
+ fail2ban \
+ openssh-server openssh-sftp-server openssh-client \
+ syslog-ng-core syslog-ng-mod-journal \
+ aide aide-common \
+ libnftables0 nftables \
+ libpam-pkcs11 \
+ chrony \
+ tpm2-tools \
+ tpm2-abrmd \
+ libtss2-esys0 libtss2-udev \
+ libpam-cracklib \
+ acl \
+ libauparse0 audispd-plugins auditd \
+ uuid-runtime \
+ sudo \
+"

Can you close
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8
if this series obsoletes it?

I have rebased the branch and sent the patches over mail,
I think i should close this MR in gitlab, i will do that.

BTW, a cover letter would help structuring the patches together. And
please add a tag like "[isar-cip-core]" in order to clarify the series
target. That is all configurable in git format-patch/send-email.

Got it,
i was sending the patches to the community for the first time so i was missing some basic stuff.
next time i will do care of it,
thanks for showing patience on me

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Hi Jan,

--
Mohammed Billoo
MAB Labs, LLC
www.mab-labs.com

Hi Pavel,

Thanks for the feedback.

Subject: Re: [PATCH 4.19.y-cip 11/17] drm: of: Add
drm_of_lvds_get_dual_link_pixel_order

Hi!

commit 6529007522ded00b8912c079250620fa7a732166 upstream.

An LVDS dual-link connection is made of two links, with even pixels
transitting on one link, and odd pixels on the other link. The device
tree can be used to fully describe dual-link LVDS connections between
encoders and bridges/panels.
The sink of an LVDS dual-link connection is made of two ports, the
corresponding OF graph port nodes can be marked with either
dual-lvds-even-pixels or dual-lvds-odd-pixels, and that fully
describes an LVDS dual-link connection, including pixel order.

There is double-free bug here, AFAICT:

+for_each_child_of_node(port_node, endpoint) {
+struct device_node *remote_port;
+int current_pt;
+
+if (!of_node_name_eq(endpoint, "endpoint"))
+continue;
+
+remote_port = of_graph_get_remote_port(endpoint);
+if (!remote_port) {
+of_node_put(remote_port);
+return -EPIPE;
+}
+
+current_pt =

drm_of_lvds_get_port_pixels_type(remote_port);

+of_node_put(remote_port);

You have put remote_port here.

+if (pixels_type < 0)
+pixels_type = current_pt;
+
+/*
+ * Sanity check, ensure that all remote endpoints have the

same

+ * pixel type. We may lift this restriction later if we need to
+ * support multiple sinks with different dual-link
+ * configurations by passing the endpoints explicitly to
+ * drm_of_lvds_get_dual_link_pixel_order().
+ */
+if (!current_pt || pixels_type != current_pt) {
+of_node_put(remote_port);
+return -EINVAL;

And again here.

Now... it is only a problem in error path, so maybe easiest way is to fix it in
the mainline and then backport the fix here...

Yes I agree with you, there is double-free bug in error path. As you suggested, We should send a patch in mainline to fix this and backport here.

Cheers,
Biju


Renesas Electronics Europe GmbH, Geschaeftsfuehrer/President: Carsten Jauch, Sitz der Gesellschaft/Registered office: Duesseldorf, Arcadiastrasse 10, 40472 Duesseldorf, Germany, Handelsregister/Commercial Register: Duesseldorf, HRB 3708 USt-IDNr./Tax identification no.: DE 119353406 WEEE-Reg.-Nr./WEEE reg. no.: DE 14978647

On 21.07.20 10:16, Venkata Pyla wrote:

From: venkata <venkata.pyla@toshiba-tsip.com>
Signed-off-by: venkata <venkata.pyla@toshiba-tsip.com>
---
README.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/README.md b/README.md
index bbad1a0..b2c4166 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,16 @@ card, run
dd if=build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img \
of=/dev/<medium-device> bs=1M status=progress
+## Building Security target images
+Building images for QEMU x86-64bit machine
+
+ ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml
+
+Run the generated securiy images on QEMU (x86-64bit)
+
+ TARGET_IMAGE=cip-core-image-security ./start-qemu.sh amd64
+
+
## Community Resources
TBD

This patch is fine, but I'm missing 4/4: Add this image to CI (same comment as I had on the MR on gitlab).

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

On 21.07.20 10:16, Venkata Pyla wrote:

From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Identified security packages are added to the target image
and that will be used for IEC-62443-4-2 evaluation
Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>

^^^^^^^^^
Can you configure your git to add you written name here as well? It's in the email, yes, but it would be nicer to have it displayed as well.

---
.../images/cip-core-image-security.bb | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 recipes-core/images/cip-core-image-security.bb
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
new file mode 100644
index 0000000..8253952
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,37 @@
+#
+# A reference image which includes security packages
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+# Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image
+
+DESCRIPTION = "CIP Core image including security packages"
+
+# Use the same customizations as cip-core-image

That comment is not needed. It just creates the risk of becoming outdated if cip-core-image decides to do something else.

+IMAGE_INSTALL += "customizations"
+
+# Debian packages that provide security features
+IMAGE_PREINSTALL += " \
+ openssl libssl1.1 \
+ fail2ban \
+ openssh-server openssh-sftp-server openssh-client \
+ syslog-ng-core syslog-ng-mod-journal \
+ aide aide-common \
+ libnftables0 nftables \
+ libpam-pkcs11 \
+ chrony \
+ tpm2-tools \
+ tpm2-abrmd \
+ libtss2-esys0 libtss2-udev \
+ libpam-cracklib \
+ acl \
+ libauparse0 audispd-plugins auditd \
+ uuid-runtime \
+ sudo \
+"

Can you close https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 if this series obsoletes it?

BTW, a cover letter would help structuring the patches together. And please add a tag like "[isar-cip-core]" in order to clarify the series target. That is all configurable in git format-patch/send-email.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Hello all,

CIP has a Patchwork instance [0] that monitors the cip-dev mainline list for patches.

It doesn't look like it's particularly maintained, with most patches in the "new" state.
As a project, do we want to start maintaining Patchwork? Should we kill it off? Or just stick with the status-quo?

We briefly discussed this in the IRC meeting today, but I thought we should check with a wider audience before making a decision.

So, any thoughts?

[0] https://patchwork.kernel.org/project/cip-dev/list/

Kind regards, Chris

Hi!

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.
I cannot attend the meeting today. Chris-san will host the meeting instead.

I should be able to attend the meeting, but in case reality
interferes:

I have reviewed patches for 4.19.134.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html