[ANNOUNCE] Release v4.19.226-cip66 and v4.4.302-cip68

Nobuhiro Iwamatsu
 

Hi,

The CIP kernel team has released Linux kernel v4.19.226-cip66 and v4.4.302-cip68.
The base version of the linux-4.19.y-cip tree has been updated from v4.19.226 to v4.19.229, and the base version of the linux-4.4.y-cip tree has been updated from
v4.4.296 to v4.4.302.

The 4.4.y tree is EOL[0], and the release from the LTS ends.

You can get this release via the git tree at:
v4.19.229-cip67:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.19.y-cip
commit hash:
c390d35f51edb249e63aab6fb5086ac4e0bf90d4
Fixed CVEs:
- CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store
- CVE-2022-22942: drm/vmwgfx: Fix stale file descriptors on failed usercopy
- CVE-2022-24448: NFSv4: Handle case where the lookup of a directory fails
added commits:
CIP: Bump version suffix to -cip67 after merge from stable

v4.4.302-cip68:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.4.y-cip
commit hash:
ea2b25643aed790866a050f9605bbe7b845b8f31
Fixed CVEs:
- CVE-2021-45095: phonet: refcount leak in pep_sock_accep
- CVE-2021-4155: xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate
- CVE-2021-43976: mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
- CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store
added commits:
CIP: Bump version suffix to -cip68 after merge from stable

[0]: https://lore.kernel.org/stable/1643877137240249@kroah.com/

Best regards,
Nobuhiro


CIP IRC weekly meeting today on libera.chat

Jan Kiszka
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today. Our channel is the following:

irc:irc.libera.chat:6667/cip

The IRC meeting is scheduled for UTC (GMT) 13:00:

https://www.timeanddate.com/worldclock/meetingdetails.html?year=2022&month=2&day=10&hour=13&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
06:00 09:00 13:00 14:00 21:00 22:00

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2022/02/cip.2022-02-03-13.08.log.html

* Action items
1. Request private KernelCI branches for CIP maintainers - patersonc
2. Make TSC motion regarding linux-4.4.y branch by CIP - jan
3. Draft press announcement about 5.10 release and 4.4 self-maintenance - jan
* Kernel maintenance updates
* Kernel testing
* AOB

Jan


New CVE entries this week

Masami Ichikawa
 

Hi!

This is this week's CVE report.

5 new CVEs were reported this week.

* New CVEs

CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG()

CVSS v3 score is not provided

A local unprivileged user can cause a local DoS via the sctp subsystem.
The commit a2d859e3fc97 ("sctp: account stream padding length for
reconf chunk") may fix this issue.

Fixed status

Not fixed yet.

CVE-2022-0487: Use after free in moxart_remove

CVSS v3 score is not provided

A UAF bug was found in moxart_remove() in drivers/mmc/host/moxart-mmc.c.
The mainline was fixed. Stable kernels are being reviewed.

Applying patch bd2db32 ("moxart: fix potential use-after-free on remove
path") to 4.4 requires modifying the code a bit. However, it seems no CIP
member enables CONFIG_MMC_MOXART.

Fixed status

mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546]

CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

CVSS v3 score is not provided

There was a bug in the cgroups v1 release_agent feature that allows
escalating privileges and bypassing namespace isolation.
The mainline and 5.X series were fixed, but the fix failed to apply
to all 4.X series. This issue affects 2.6.24-rc1 and later
versions.

Applying the commit 24f6008 ("cgroup-v1: Require capabilities to set
release_agent") depends on the following commits.

- a3ff937 ("prefix-handling analogues of errorf() and friends").
This commit was introduced in 5.6-rc1. It added the invalfc macro to
include/linux/fs_context.h. 5.4 uses the cg_invalf macro, which calls
invalfc in it.

- 8d2451f ("https://github.com/torvalds/linux/commit/8d2451f4994fa60a57617282bab91b98266a00b1").
This commit was introduced in 5.1-rc1. It added cgroup1_parse_param().

So the 4.X series fix this issue in another way (e.g.
https://lore.kernel.org/stable/20220209191248.652388187@linuxfoundation.org/).
4.9, 4.14, and 4.19 are being reviewed.

The 4.X series use struct cgroup_namespace, which was introduced in
4.6-rc1, to get the namespace object. So fixing 4.4 needs another way to
get the namespace object instead of struct cgroup_namespace.

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.15: [4b1c32bfaa02255a5df602b41587174004996477]
stable/5.16: [9c9dbb954e618e3d9110f13cc02c5db1fb73ea5d]
stable/5.4: [0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8]

CVE-2022-24448: NFSv4: Handle case where the lookup of a directory fails

CVSS v3 score is not provided

Server returns uninitialized data in the file descriptor in nfs_atomic_open().
The mainline and stable kernels are fixed.

I attached 0001-NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch
for 4.4.y.

Fixed status

mainline: [ac795161c93699d600db16c1a8cc23a65a1eceaf]
stable/4.14: [516f348b759f6a92819820a3f56d678458e22cc8]
stable/4.19: [b00b4c6faad0f21e443fb1584f7a8ea222beb0de]
stable/4.9: [8788981e120694a82a3672e062fe4ea99446634a]
stable/5.10: [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2]
stable/5.15: [4c36ca387af4a9b5d775e46a6cb9dc2d151bf057]
stable/5.16: [f0583af88e7dd413229ea5e670a0db36fdf34ba2]
stable/5.4: [0dfacee40021dcc0a9aa991edd965addc04b9370]

CVE-2022-0480: memcg: enable accounting for file lock caches

CVSS v3 score is not provided

A user can cause host memory exhaustion because memcg doesn't limit
the number of POSIX file locks.
This issue was fixed in 5.15-rc1.

The patch cannot be applied to 4.4 because this fix uses the SLAB_ACCOUNT
flag, which was introduced by commit 230e9fc ("slab: add SLAB_ACCOUNT
flag") in 4.5-rc1 and is not backported to 4.4.

Fixed status

mainline: [0f12156dff2862ac54235fc72703f18770769042]

* Updated CVEs

CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions

This issue was fixed in 4.17-rc7. 4.14 was fixed this week.

Fixed status

mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]
stable/4.14: [6824208b59a4727b8a8653f83d8e685584d04606]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@...
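
The "Fixed status" blocks in the report above follow a regular layout (a "CVE-…: title" line, then "branch: [commit]" lines), so they can be parsed into a per-branch view. The following is an added example, not part of the original mail or of any CIP tool; the function names are hypothetical and the sample text is constructed from entries in the report.

```python
import re

# Constructed sample in the report's layout. The CVE ids, titles and commit
# hashes are the ones listed in the report above; the entries are shortened.
SAMPLE_REPORT = """\
CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG()

Fixed status

Not fixed yet.

CVE-2022-0487: Use after free in moxart_remove

Fixed status

mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546]

CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.4: [0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8]

CVE-2022-24448: NFSv4: Handle case where the lookup of a directory fails

Fixed status

mainline: [ac795161c93699d600db16c1a8cc23a65a1eceaf]
stable/4.19: [b00b4c6faad0f21e443fb1584f7a8ea222beb0de]
stable/5.10: [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2]
"""

CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.+)$")
# "mainline: [hash]" or "stable/5.10: [hash]"; several comma-separated
# hashes inside the brackets are accepted as well (assumption).
FIX_LINE = re.compile(r"^(mainline|stable/[\w.]+):\s*\[([0-9a-f,\s]+)\]\s*$")


def parse_report(text):
    """Return {cve_id: {"title": str, "fixes": {branch: [commit, ...]}}}."""
    entries = {}
    current = None
    in_status = False
    for raw in text.splitlines():
        line = raw.strip()
        header = CVE_HEADER.match(line)
        if header:
            # A CVE listed twice (new and updated) keeps its first title.
            current = entries.setdefault(
                header.group(1), {"title": header.group(2), "fixes": {}})
            in_status = False
            continue
        if line == "Fixed status":
            in_status = True
            continue
        fix = FIX_LINE.match(line)
        # Only trust "branch: [hash]" lines inside a "Fixed status" block.
        if fix and current is not None and in_status:
            commits = [c for c in re.split(r"[,\s]+", fix.group(2)) if c]
            current["fixes"].setdefault(fix.group(1), []).extend(commits)
    return entries


def backport_candidates(entries, branch):
    """CVEs fixed in mainline with no fix recorded for `branch`."""
    return [cve for cve, entry in entries.items()
            if "mainline" in entry["fixes"] and branch not in entry["fixes"]]


def unfixed_upstream(entries):
    """CVEs for which the report records no mainline fix at all."""
    return [cve for cve, entry in entries.items()
            if "mainline" not in entry["fixes"]]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for cve in backport_candidates(report, "stable/4.19"):
        print("needs review for stable/4.19:", cve, "-", report[cve]["title"])
    for cve in unfixed_upstream(report):
        print("no mainline fix recorded:", cve)
```

A CVE listed as a candidate only means the report records no fix for that branch; whether the branch is affected (for example, whether the relevant config option is enabled) still has to be judged per entry.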


Re: 4.4.302 is going to be last 4.4 release

Chris Paterson
 

From: Pavel Machek <pavel@...>
Sent: 08 February 2022 15:36

Hi!

BTW, do you have any future information about the RT kernel team?
We may also need to check the RT patch.
If you don't have the information, I'll ask the RT team about this.
Why should 4.4-rt continue if its former upstream retired?
Didn't CIP commit to maintaining a real-time version of each SLTS for the 10
years?

We did commit to maintaining 4.4-cip-rt, but upstream 4.4.X is going
to be discontinued, and so is 4.4.X-stable.
So does CIP need to maintain the stable version of RT as well as the non-RT stable kernel?
Is this achievable?

Regards, Chris


Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [isar-cip-core] swupdate: use latest swupdate handler code

Jan Kiszka
 

On 08.02.22 12:41, Shivanand.Kunijadar@... wrote:
From: Shivanand Kunijadar <Shivanand.Kunijadar@...>

Latest swupdate handler supports to update the files with dashes.

This fixes issue [20]:

[20]: https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/20

Signed-off-by: Shivanand Kunijadar <Shivanand.Kunijadar@...>
---
.../swupdate-handler-roundrobin_0.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb b/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
index 3a5a51e..90803a3 100644
--- a/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
+++ b/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
@@ -13,7 +13,7 @@ inherit dpkg-raw
PROVIDES = "swupdate-handlers"

SRC_URI += "git://gitlab.com/cip-project/cip-sw-updates/swupdate-handler-roundrobin.git;protocol=https;destsuffix=swupdate-handler-roundrobin;name=swupdate-handler-roundrobin;nobranch=1"
-SRCREV_swupdate-handler-roundrobin ?= "ba4c5ae8e664a9624335753cb152e6e264b3f518"
+SRCREV_swupdate-handler-roundrobin ?= "bf73f04b1eec0b8714d3a1b56bfcd1431c58ba10"

SWUPDATE_LUASCRIPT = "swupdate-handler-roundrobin/swupdate_handlers_roundrobin.lua"
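Review bot: The new SRCREV_swupdate-handler-roundrobin value on the + line is a bare hash, and the commit message only calls it the "latest" handler code. Because SRC_URI carries nobranch=1, nothing in the recipe ties the pinned revision to a branch or tag, so please name the upstream commit (subject or tag) that the new hash corresponds to in the commit message. That lets the bump be checked against the swupdate-handler-roundrobin repository and against issue 20.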
Thanks, applied.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Re: [isar-cip-core v3] README.swupdate.md: add readme file with steps to verify swupdate

Jan Kiszka
 

On 08.02.22 12:32, Shivanand.Kunijadar@... wrote:
From: Shivanand Kunijadar <Shivanand.Kunijadar@...>

Prepare readme file with necessary steps to verify swupdate feature
with rollback functionality.

Signed-off-by: Shivanand Kunijadar <Shivanand.Kunijadar@...>
---
doc/README.swupdate.md | 203 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 203 insertions(+)
create mode 100644 doc/README.swupdate.md

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
new file mode 100644
index 0000000..05768da
--- /dev/null
+++ b/doc/README.swupdate.md
@@ -0,0 +1,203 @@
+
+Clone the isar-cip-core repository
+```
+host$ git clone https://gitlab.com/cip-project/cip-core/isar-cip-core.git
+```
+
+Build the CIP Core image
+
+Set up `kas-container` as described in the [top-level README](../README.md).
+Then build the image:
+```
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
+```
+- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
+- modify the image for example add a new version to the image by adding PV=2.0.0 to cip-core-image.bb
+- rebuild the image using above command and start the new target
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```
+
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
+
+```
+root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+```
+
+Check which partition is booted, e.g. with lsblk:
+
+```
+root@demo:~# lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 2G 0 disk
+├─sda1 8:1 0 16.4M 0 part
+├─sda2 8:2 0 32M 0 part
+├─sda3 8:3 0 32M 0 part
+├─sda4 8:4 0 1000M 0 part /
+└─sda5 8:5 0 1000M 0 part
+```
+
+Apply swupdate and reboot
+```
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
+root@demo:~# reboot
+```
+Check which partition is booted, e.g. with lsblk and the rootfs should have changed
+```
+root@demo:~# lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 2G 0 disk
+├─sda1 8:1 0 16.4M 0 part
+├─sda2 8:2 0 32M 0 part
+├─sda3 8:3 0 32M 0 part
+├─sda4 8:4 0 1000M 0 part
+└─sda5 8:5 0 1000M 0 part /
+```
+
+Check bootloader ustate after swupdate
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+
+----------------------------
+ Config Partition #1 Values:
+in_progress: no
+revision: 3
+kernel: C:BOOT1:vmlinuz
+kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 2 (TESTING)
+```
+
+if Partition #1 usate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK"
+```
+root@demo:~# bg_setenv -c
+```
+
+# swupdate rollback example
+
+Build the image for swupdate with service which causes kernel panic during system boot using below command.
+
+```
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/kernel-panic.yml
+```
+- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
+- build the image again without `kernel-panic.yml` recipe using below command
+```
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
+```
+
+Start the target on QEMU
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```
+
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
+
+```
+root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+```
+
+Check which partition is booted, e.g. with lsblk:
+
+```
+root@demo:~# lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 2G 0 disk
+├─sda1 8:1 0 16.4M 0 part
+├─sda2 8:2 0 32M 0 part
+├─sda3 8:3 0 32M 0 part
+├─sda4 8:4 0 1000M 0 part /
+└─sda5 8:5 0 1000M 0 part
+```
+
+Check bootloader ustate before swupdate and should be as below
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+----------------------------
+Config Partition #1 Values:
+in_progress: no
+revision: 1
+kernel: C:BOOT1:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+```
+
+Apply swupdate as below
+```
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
+```
+
+check bootloader ustate after swupdate. if the swupdate is successful then **revision number** should increase to **3** and status should be changed to **INSTALLED** for Partition #1.
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+----------------------------
+Config Partition #1 Values:
+in_progress: no
+revision: 3
+kernel: C:BOOT1:vmlinuz
+kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 1 (INSTALLED)
+```
+
+Execute reboot command
+- reboot command should cause kernel panic error.
+- watchdog timer should expire and restart the qemu. bootloader should select previous partition to boot.
+```
+root@demo:~# reboot
+```
+
+Once the system is restarted, check the bootloader ustate
+- if update is failed then **revision number** should reduce to **0** and status should change to **FAILED** for Partition #1.
+```
+root@demo:~# bg_printenv
+----------------------------
+ Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-corg
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+----------------------------
+ Config Partition #1 Values:
+in_progress: no
+revision: 0
+kernel: C:BOOT1:vmlinuz
+kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-corg
+watchdog timeout: 60 seconds
+ustate: 3 (FAILED)
+```
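Review bot: In the last bg_printenv block (after "Once the system is restarted"), both kernelargs lines are cut off at "initrd=cip-core-image-cip-corg", while the earlier blocks end in "-qemu-amd64-initrd.img"; please paste the full lines or mark the elision explicitly. In the same pass, "usate" in "if Partition #1 usate is 2 (TESTING)" should read "ustate", and the file opens with an empty line and no title although the second half is introduced by the "# swupdate rollback example" heading, so the first walkthrough should get a matching heading. It would also help to say, before the `bg_setenv -c` step, what the reader should verify on the TESTING boot before confirming the update.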
Thanks, applied.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


cip/linux-5.10.y-cip-rt build: 180 builds: 3 failed, 177 passed, 4 errors, 10 warnings (v5.10.83-cip1-rt1) #kernelci

kernelci.org bot <bot@...>
 

cip/linux-5.10.y-cip-rt build: 180 builds: 3 failed, 177 passed, 4 errors, 10 warnings (v5.10.83-cip1-rt1)

Full Build Summary: https://kernelci.org/build/cip/branch/linux-5.10.y-cip-rt/kernel/v5.10.83-cip1-rt1/

Tree: cip
Branch: linux-5.10.y-cip-rt
Git Describe: v5.10.83-cip1-rt1
Git Commit: f3ca5cf9143e715b12eabc9d7dd1f9de7747dec9
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
Built: 7 unique architectures

Build Failures Detected:

arm:
rpc_defconfig: (gcc-10) FAIL

mips:
ip27_defconfig: (gcc-10) FAIL
ip28_defconfig: (gcc-10) FAIL

Errors and Warnings Detected:

arc:

arm64:

arm:
rpc_defconfig (gcc-10): 4 errors

i386:

mips:
32r2el_defconfig (gcc-10): 1 warning
decstation_64_defconfig (gcc-10): 1 warning
decstation_defconfig (gcc-10): 1 warning
decstation_r4k_defconfig (gcc-10): 1 warning
lemote2f_defconfig (gcc-10): 1 warning
rm200_defconfig (gcc-10): 1 warning

riscv:
rv32_defconfig (gcc-10): 4 warnings

x86_64:

Errors summary:

2 arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3m
2 arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’

Warnings summary:

3 kernel/rcu/tasks.h:707:13: warning: ‘show_rcu_tasks_rude_gp_kthread’ defined but not used [-Wunused-function]
2 <stdin>:830:2: warning: #warning syscall fstat64 not implemented [-Wcpp]
2 <stdin>:1127:2: warning: #warning syscall fstatat64 not implemented [-Wcpp]
1 net/mac80211/mlme.c:4328:1: warning: the frame size of 1040 bytes is larger than 1024 bytes [-Wframe-larger-than=]
1 drivers/block/paride/bpck.c:32: warning: "PC" redefined
1 WARNING: modpost: Symbol info of vmlinux is missing. Unresolved symbol check will be entirely skipped.

================================================================================

Detailed per-defconfig build reports:

--------------------------------------------------------------------------------
32r2el_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
WARNING: modpost: Symbol info of vmlinux is missing. Unresolved symbol check will be entirely skipped.

--------------------------------------------------------------------------------
allnoconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
allnoconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
allnoconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
am200epdkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ar7_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
aspeed_g4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
aspeed_g5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
at91_dt_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ath25_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ath79_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
axm55xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
axs103_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
axs103_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
badge4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bcm2835_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bcm47xx_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bcm63xx_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bigsur_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bmips_be_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
bmips_stb_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
capcella_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cavium_octeon_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cerfcube_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ci20_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cm_x300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cobalt_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
colibri_pxa270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
colibri_pxa300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
collie_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
corgi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cu1000-neo_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
cu1830-neo_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
davinci_all_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
db1xxx_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
decstation_64_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
kernel/rcu/tasks.h:707:13: warning: ‘show_rcu_tasks_rude_gp_kthread’ defined but not used [-Wunused-function]

--------------------------------------------------------------------------------
decstation_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
kernel/rcu/tasks.h:707:13: warning: ‘show_rcu_tasks_rude_gp_kthread’ defined but not used [-Wunused-function]

--------------------------------------------------------------------------------
decstation_r4k_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
kernel/rcu/tasks.h:707:13: warning: ‘show_rcu_tasks_rude_gp_kthread’ defined but not used [-Wunused-function]

--------------------------------------------------------------------------------
defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
defconfig (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
defconfig+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
defconfig+arm64-chromebook+kselftest (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
defconfig+kselftest (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
dove_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
e55_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ebsa110_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
efm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ep93xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
eseries_pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
exynos_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ezx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
footbridge_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
fuloong2e_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
gcw0_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
gemini_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
gpr_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
h3600_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
h5000_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
hackkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
haps_hs_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
haps_hs_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
hisi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
hsdk_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
i386_defconfig (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imote2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imx_v4_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
iop32x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ip22_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ip27_defconfig (mips, gcc-10) — FAIL, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ip28_defconfig (mips, gcc-10) — FAIL, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ip32_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
ixp4xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
jazz_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
jmr3927_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
jornada720_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
keystone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lart_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lemote2f_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
net/mac80211/mlme.c:4328:1: warning: the frame size of 1040 bytes is larger than 1024 bytes [-Wframe-larger-than=]

--------------------------------------------------------------------------------
loongson1b_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
loongson1c_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
loongson3_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpc18xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpc32xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lpd270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
lubbock_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mainstone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
malta_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
malta_kvm_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
malta_kvm_guest_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
malta_qemu_32r6_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
maltasmvp_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
maltasmvp_eva_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
maltaup_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
maltaup_xpa_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
milbeaut_m10v_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mini2440_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
moxart_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mpc30x_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mps2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mtx1_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v4t_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
multi_v7_defconfig+kselftest (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mvebu_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mvebu_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
mxs_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
neponset_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
netwinder_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nhk8815_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nlm_xlp_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nlm_xlr_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nommu_k210_defconfig (riscv, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nsimosci_hs_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
nsimosci_hs_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
omap1_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
omega2p_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
orion5x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
oxnas_v6_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
palmz72_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pcm027_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pic32mzda_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pistachio_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pleb_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
prima2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa168_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa255-idp_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa910_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
qcom_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
qi_lb60_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
rb532_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
rbtx49xx_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
realview_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
rm200_defconfig (mips, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
drivers/block/paride/bpck.c:32: warning: "PC" redefined

--------------------------------------------------------------------------------
rpc_defconfig (arm, gcc-10) — FAIL, 4 errors, 0 warnings, 0 section mismatches

Errors:
arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3m
arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’
arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3m
arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’

--------------------------------------------------------------------------------
rs90_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
rt305x_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
rv32_defconfig (riscv, gcc-10) — PASS, 0 errors, 4 warnings, 0 section mismatches

Warnings:
<stdin>:830:2: warning: #warning syscall fstat64 not implemented [-Wcpp]
<stdin>:1127:2: warning: #warning syscall fstatat64 not implemented [-Wcpp]
<stdin>:830:2: warning: #warning syscall fstat64 not implemented [-Wcpp]
<stdin>:1127:2: warning: #warning syscall fstatat64 not implemented [-Wcpp]

--------------------------------------------------------------------------------
s3c2410_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
s3c6400_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
s5pv210_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
sama5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
sb1250_swarm_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
shannon_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
shmobile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
simpad_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
socfpga_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spear6xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
spitz_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
stm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
sunxi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tango4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tb0219_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tb0226_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tb0287_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tct_hammer_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tegra_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tinyconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
tinyconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
trizeps4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
u300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
u8500_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vdk_hs38_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vdk_hs38_smp_defconfig (arc, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
versatile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vocore2_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
vt8500_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
workpad_defconfig (mips, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
x86_64_defconfig (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
x86_64_defconfig+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
x86_64_defconfig+x86-chromebook (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
x86_64_defconfig+x86-chromebook+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
zeus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

--------------------------------------------------------------------------------
zx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

---
For more info write to <info@...>


Re: 4.4.302 is going to be last 4.4 release

Pavel Machek
 

Hi!

BTW, do you have any future information about the RT kernel team?
We may also need to check the RT patch.
If you don't have the information, I'll ask the RT team about this.
Why should 4.4-rt continue if its former upstream retired?
Didn't CIP commit to maintaining a real-time version of each SLTS for the 10 years?
We did commit to maintaining 4.4-cip-rt, but upstream 4.4.X is going
to be discontinued, and so is 4.4.X-stable.

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


[isar-cip-core] swupdate: use latest swupdate handler code

Kunijadar Shivanand
 

From: Shivanand Kunijadar <Shivanand.Kunijadar@...>

The latest swupdate handler supports updating files with dashes.

This fixes issue [20]:

[20]: https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/20

Signed-off-by: Shivanand Kunijadar <Shivanand.Kunijadar@...>
---
.../swupdate-handler-roundrobin_0.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb b/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
index 3a5a51e..90803a3 100644
--- a/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
+++ b/recipes-core/swupdate-handler-roundrobin/swupdate-handler-roundrobin_0.1.bb
@@ -13,7 +13,7 @@ inherit dpkg-raw
PROVIDES = "swupdate-handlers"

SRC_URI += "git://gitlab.com/cip-project/cip-sw-updates/swupdate-handler-roundrobin.git;protocol=https;destsuffix=swupdate-handler-roundrobin;name=swupdate-handler-roundrobin;nobranch=1"
-SRCREV_swupdate-handler-roundrobin ?= "ba4c5ae8e664a9624335753cb152e6e264b3f518"
+SRCREV_swupdate-handler-roundrobin ?= "bf73f04b1eec0b8714d3a1b56bfcd1431c58ba10"

SWUPDATE_LUASCRIPT = "swupdate-handler-roundrobin/swupdate_handlers_roundrobin.lua"

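Review bot: The replacement hash on the `+SRCREV_swupdate-handler-roundrobin` line cannot be checked against the commit message, which only says the latest handler supports files with dashes and links issue [20]. Name the upstream swupdate-handler-roundrobin commit (its subject, or the short log between ba4c5ae8 and bf73f04b) that carries the fix, so a reviewer can confirm the pin points at the intended revision and see what else the bump pulls in. Because the recipe fetches with `nobranch=1` and assigns the revision with `?=`, the hash is the only thing tying the build to reviewed handler code, so it is also worth stating whether a downstream layer is expected to override it.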
--
2.20.1


[isar-cip-core v3] README.swupdate.md: add readme file with steps to verify swupdate

Kunijadar Shivanand
 

From: Shivanand Kunijadar <Shivanand.Kunijadar@...>

Prepare readme file with necessary steps to verify swupdate feature
with rollback functionality.

Signed-off-by: Shivanand Kunijadar <Shivanand.Kunijadar@...>
---
doc/README.swupdate.md | 203 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 203 insertions(+)
create mode 100644 doc/README.swupdate.md

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
new file mode 100644
index 0000000..05768da
--- /dev/null
+++ b/doc/README.swupdate.md
@@ -0,0 +1,203 @@
+
+Clone the isar-cip-core repository
+```
+host$ git clone https://gitlab.com/cip-project/cip-core/isar-cip-core.git
+```
+
+Build the CIP Core image
+
+Set up `kas-container` as described in the [top-level README](../README.md).
+Then build the image:
+```
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
+```
+- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
+- modify the image for example add a new version to the image by adding PV=2.0.0 to cip-core-image.bb
+- rebuild the image using above command and start the new target
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```
+
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
+
+```
+root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+```
+
+Check which partition is booted, e.g. with lsblk:
+
+```
+root@demo:~# lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 2G 0 disk
+├─sda1 8:1 0 16.4M 0 part
+├─sda2 8:2 0 32M 0 part
+├─sda3 8:3 0 32M 0 part
+├─sda4 8:4 0 1000M 0 part /
+└─sda5 8:5 0 1000M 0 part
+```
+
+Apply swupdate and reboot
+```
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
+root@demo:~# reboot
+```
+Check which partition is booted, e.g. with lsblk and the rootfs should have changed
+```
+root@demo:~# lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 2G 0 disk
+├─sda1 8:1 0 16.4M 0 part
+├─sda2 8:2 0 32M 0 part
+├─sda3 8:3 0 32M 0 part
+├─sda4 8:4 0 1000M 0 part
+└─sda5 8:5 0 1000M 0 part /
+```
+
+Check bootloader ustate after swupdate
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+
+----------------------------
+ Config Partition #1 Values:
+in_progress: no
+revision: 3
+kernel: C:BOOT1:vmlinuz
+kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 2 (TESTING)
+```
+
+if Partition #1 usate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK"
+```
+root@demo:~# bg_setenv -c
+```
+
+# swupdate rollback example
+
+Build the image for swupdate with service which causes kernel panic during system boot using below command.
+
+```
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/kernel-panic.yml
+```
+- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
+- build the image again without `kernel-panic.yml` recipe using below command
+```
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
+```
+
+Start the target on QEMU
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```
+
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
+
+```
+root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+```
+
+Check which partition is booted, e.g. with lsblk:
+
+```
+root@demo:~# lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+sda 8:0 0 2G 0 disk
+├─sda1 8:1 0 16.4M 0 part
+├─sda2 8:2 0 32M 0 part
+├─sda3 8:3 0 32M 0 part
+├─sda4 8:4 0 1000M 0 part /
+└─sda5 8:5 0 1000M 0 part
+```
+
+Check bootloader ustate before swupdate and should be as below
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+----------------------------
+Config Partition #1 Values:
+in_progress: no
+revision: 1
+kernel: C:BOOT1:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+```
+
+Apply swupdate as below
+```
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
+```
+
+check bootloader ustate after swupdate. if the swupdate is successful then **revision number** should increase to **3** and status should be changed to **INSTALLED** for Partition #1.
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+----------------------------
+Config Partition #1 Values:
+in_progress: no
+revision: 3
+kernel: C:BOOT1:vmlinuz
+kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate: 1 (INSTALLED)
+```
+
+Execute reboot command
+- reboot command should cause kernel panic error.
+- watchdog timer should expire and restart the qemu. bootloader should select previous partition to boot.
+```
+root@demo:~# reboot
+```
+
+Once the system is restarted, check the bootloader ustate
+- if update is failed then **revision number** should reduce to **0** and status should change to **FAILED** for Partition #1.
+```
+root@demo:~# bg_printenv
+----------------------------
+ Config Partition #0 Values:
+in_progress: no
+revision: 2
+kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-corg
+watchdog timeout: 60 seconds
+ustate: 0 (OK)
+
+user variables:
+----------------------------
+ Config Partition #1 Values:
+in_progress: no
+revision: 0
+kernel: C:BOOT1:vmlinuz
+kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-corg
+watchdog timeout: 60 seconds
+ustate: 3 (FAILED)
+```
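Review bot: Both `kernelargs:` lines in the last `bg_printenv` sample (the FAILED state at the end of the rollback section) are cut off at `initrd=cip-core-image-cip-corg`, where every earlier sample ends in `-qemu-amd64-initrd.img`; paste the untruncated console output so readers comparing against their own target are not misled. In the same pass, fix `usate` in the sentence before `bg_setenv -c`, and give the first procedure a heading to match `# swupdate rollback example`, since the file currently opens with a blank line and no title. The confirm step could also state what happens on the next reboot if `bg_setenv -c` is never run while Partition #1 is in `2 (TESTING)`, which the text leaves open.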
--
2.20.1


Re: 4.4.302 is going to be last 4.4 release

Chris Paterson
 

Hello,

From: cip-dev@... <cip-dev@...> On
Behalf Of Jan Kiszka via lists.cip-project.org
Sent: 06 February 2022 18:48
[...]


BTW, do you have any future information about the RT kernel team?
We may also need to check the RT patch.
If you don't have the information, I'll ask the RT team about this.
Why should 4.4-rt continue if its former upstream retired?
Didn't CIP commit to maintaining a real-time version of each SLTS for the 10 years?

Kind regards, Chris


Re: [isar-cip-core][PATCH] swupdate: Remove usb.service

Quirin Gylstorff
 

On 2/7/22 10:22, Jan Kiszka wrote:
On 07.02.22 10:17, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

Upstream adds udev rules and a systemd service to install a swu from
a plug-in USB stick.

If the signing of the SWUpdate binary is deactivated
(current default in isar-cip-core), this service allows the installation
of an arbitrary SWUpdate binary from a plug-in USB stick.

Remove the installation and the files from the debian folder to
deactivate the possibility to install from USB.

Reported-by: Lisicki, Raphael <raphael.lisicki@...>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
...onfig-Make-image-encryption-optional.patch | 2 +-
.../0002-debian-rules-Add-CONFIG_MTD.patch | 2 +-
...es-Add-option-to-disable-fs-creation.patch | 2 +-
...ules-Add-option-to-disable-webserver.patch | 2 +-
...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 2 +-
...ules-Add-Embedded-Lua-handler-option.patch | 2 +-
...prepare-build-for-isar-debian-buster.patch | 2 +-
...-SWUpdate-USB-service-and-Udev-rules.patch | 57 +++++++++++++++++++
.../swupdate/swupdate_2021.11-1+debian-gbp.bb | 3 +-
9 files changed, 66 insertions(+), 8 deletions(-)
create mode 100644 recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch

diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
index c07b103..8b186e0 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
+++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
@@ -1,7 +1,7 @@
From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 15:28:21 +0200
-Subject: [PATCH 1/7] debian/config: Make image encryption optional
+Subject: [PATCH 1/8] debian/config: Make image encryption optional
This can be use to ease the setup with SWUpdate.
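Review bot: The only change in this hunk is `[PATCH 1/7]` becoming `[PATCH 1/8]` in the Subject line of a carried patch, and the hunks for 0002 through 0006 repeat it, so adding one patch rewrites every other file in the series. Generating the carried patches with `git format-patch --no-numbered` would keep the Subject as plain `[PATCH]` and confine future additions to the new patch file and the recipe, which makes the security-relevant change (the new 0008 patch) easier to pick out in review.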
diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
index 8ebd09e..eb5067d 100644
--- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
+++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
@@ -1,7 +1,7 @@
From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:29:57 +0200
-Subject: [PATCH 2/7] debian/rules: Add CONFIG_MTD
+Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD
if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.
diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
index 876e164..3671709 100644
--- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
+++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
@@ -1,7 +1,7 @@
From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:15:56 +0200
-Subject: [PATCH 3/7] debian/rules: Add option to disable fs creation
+Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
index 66e48e6..8fbb722 100644
--- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
+++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
@@ -1,7 +1,7 @@
From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:27:11 +0200
-Subject: [PATCH 4/7] debian/rules: Add option to disable webserver
+Subject: [PATCH 4/8] debian/rules: Add option to disable webserver
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
index 4cca3bf..96443f2 100644
--- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
+++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
@@ -1,7 +1,7 @@
From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Tue, 5 Oct 2021 10:56:25 +0200
-Subject: [PATCH 5/7] debian: Make CONFIG_HW_COMPATIBILTY optional
+Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional
Add option for qemu.
diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
index 447f6ad..324f079 100644
--- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
@@ -1,7 +1,7 @@
From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 6/7] debian/rules: Add Embedded Lua handler option
+Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
index 3ff4ca9..0b08f25 100644
--- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
+++ b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
@@ -1,7 +1,7 @@
From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 16:17:03 +0200
-Subject: [PATCH 7/7] debian: prepare build for isar debian buster
+Subject: [PATCH 7/8] debian: prepare build for isar debian buster
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
new file mode 100644
index 0000000..3cce24b
--- /dev/null
+++ b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
@@ -0,0 +1,57 @@
+From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@...>
+Date: Mon, 7 Feb 2022 09:28:39 +0100
+Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules
+
+The current implementation will install an abitrary SWUpdate binary
+from a plug-in USB stick. This is a major security risk for devices
+using the SWUpdate package from Debian.
+
+Remove the installation and the files from the debian folder.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
+---
+ debian/rules | 1 -
+ debian/swupdate.swupdate-usb@.service | 8 --------
+ debian/swupdate.udev | 2 --
+ 3 files changed, 11 deletions(-)
+ delete mode 100644 debian/swupdate.swupdate-usb@.service
+ delete mode 100644 debian/swupdate.udev
+
+diff --git a/debian/rules b/debian/rules
+index e1c4a921..84ed55d4 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -103,7 +103,6 @@ override_dh_auto_install:
+ override_dh_installsystemd:
+ dh_installsystemd --no-start
+ dh_installsystemd --name=swupdate-progress
+- dh_installsystemd --no-start --name=swupdate-usb@
+
+ ifeq (,$(filter pkg.swupdate.bpo,$(DEB_BUILD_PROFILES)))
+ override_dh_gencontrol:
+diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service
+deleted file mode 100644
+index eda9d153..00000000
+--- a/debian/swupdate.swupdate-usb@.service
++++ /dev/null
+@@ -1,8 +0,0 @@
+-[Unit]
+-Description=usb media swupdate service
+-Requires=swupdate-progress.service
+-
+-[Service]
+-ExecStartPre=/bin/mount /dev/%I /mnt
+-ExecStart=/bin/sh -c "swupdate-client -v /mnt/*.swu"
+-ExecStopPost=/bin/umount /mnt
+diff --git a/debian/swupdate.udev b/debian/swupdate.udev
+deleted file mode 100644
+index b4efd0b7..00000000
+--- a/debian/swupdate.udev
++++ /dev/null
+@@ -1,2 +0,0 @@
+-ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service"
+-
+--
+2.34.1
+
diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
index 48a6cc1..2995d71 100644
--- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
@@ -21,7 +21,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
file://0003-debian-rules-Add-option-to-disable-fs-creation.patch \
file://0004-debian-rules-Add-option-to-disable-webserver.patch \
file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
- file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch"
+ file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
+ file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch"
# end patching for dm-verity based images
Thanks, applied to next as quick-fix.
Wouldn't it be more useful to make this configurable (opt-in via
/etc/something on the device), possibly also in Debian?
Jan
I am currently looking into making it configurable upstream.
I will also try to add a warning to the upstream build.


Quirin


Re: [isar-cip-core][PATCH] swupdate: Remove usb.service

Jan Kiszka
 

On 07.02.22 10:17, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

Upstream adds a udev rule and a systemd service to install a swu from
a plug-in USB stick.

If the signing of the SWUpdate binary is deactivated
(current default in isar-cip-core) this service allows the installation
of an arbitrary SWUpdate binary from a plug-in USB stick.

Remove the installation and the files from the debian folder to
deactivate the possibility to install from USB.

Reported-by: Lisicki, Raphael <raphael.lisicki@...>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
...onfig-Make-image-encryption-optional.patch | 2 +-
.../0002-debian-rules-Add-CONFIG_MTD.patch | 2 +-
...es-Add-option-to-disable-fs-creation.patch | 2 +-
...ules-Add-option-to-disable-webserver.patch | 2 +-
...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 2 +-
...ules-Add-Embedded-Lua-handler-option.patch | 2 +-
...prepare-build-for-isar-debian-buster.patch | 2 +-
...-SWUpdate-USB-service-and-Udev-rules.patch | 57 +++++++++++++++++++
.../swupdate/swupdate_2021.11-1+debian-gbp.bb | 3 +-
9 files changed, 66 insertions(+), 8 deletions(-)
create mode 100644 recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch

diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
index c07b103..8b186e0 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
+++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
@@ -1,7 +1,7 @@
From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 15:28:21 +0200
-Subject: [PATCH 1/7] debian/config: Make image encryption optional
+Subject: [PATCH 1/8] debian/config: Make image encryption optional

This can be use to ease the setup with SWUpdate.

diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
index 8ebd09e..eb5067d 100644
--- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
+++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
@@ -1,7 +1,7 @@
From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:29:57 +0200
-Subject: [PATCH 2/7] debian/rules: Add CONFIG_MTD
+Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD

if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.

diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
index 876e164..3671709 100644
--- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
+++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
@@ -1,7 +1,7 @@
From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:15:56 +0200
-Subject: [PATCH 3/7] debian/rules: Add option to disable fs creation
+Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
index 66e48e6..8fbb722 100644
--- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
+++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
@@ -1,7 +1,7 @@
From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:27:11 +0200
-Subject: [PATCH 4/7] debian/rules: Add option to disable webserver
+Subject: [PATCH 4/8] debian/rules: Add option to disable webserver

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
index 4cca3bf..96443f2 100644
--- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
+++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
@@ -1,7 +1,7 @@
From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Tue, 5 Oct 2021 10:56:25 +0200
-Subject: [PATCH 5/7] debian: Make CONFIG_HW_COMPATIBILTY optional
+Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional

Add option for qemu.

diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
index 447f6ad..324f079 100644
--- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
@@ -1,7 +1,7 @@
From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 6/7] debian/rules: Add Embedded Lua handler option
+Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
index 3ff4ca9..0b08f25 100644
--- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
+++ b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
@@ -1,7 +1,7 @@
From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 16:17:03 +0200
-Subject: [PATCH 7/7] debian: prepare build for isar debian buster
+Subject: [PATCH 7/8] debian: prepare build for isar debian buster

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
new file mode 100644
index 0000000..3cce24b
--- /dev/null
+++ b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
@@ -0,0 +1,57 @@
+From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@...>
+Date: Mon, 7 Feb 2022 09:28:39 +0100
+Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules
+
+The current implementation will install an abitrary SWUpdate binary
+from a plug-in USB stick. This is a major security risk for devices
+using the SWUpdate package from Debian.
+
+Remove the installation and the files from the debian folder.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
+---
+ debian/rules | 1 -
+ debian/swupdate.swupdate-usb@.service | 8 --------
+ debian/swupdate.udev | 2 --
+ 3 files changed, 11 deletions(-)
+ delete mode 100644 debian/swupdate.swupdate-usb@.service
+ delete mode 100644 debian/swupdate.udev
+
+diff --git a/debian/rules b/debian/rules
+index e1c4a921..84ed55d4 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -103,7 +103,6 @@ override_dh_auto_install:
+ override_dh_installsystemd:
+ dh_installsystemd --no-start
+ dh_installsystemd --name=swupdate-progress
+- dh_installsystemd --no-start --name=swupdate-usb@
+
+ ifeq (,$(filter pkg.swupdate.bpo,$(DEB_BUILD_PROFILES)))
+ override_dh_gencontrol:
+diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service
+deleted file mode 100644
+index eda9d153..00000000
+--- a/debian/swupdate.swupdate-usb@.service
++++ /dev/null
+@@ -1,8 +0,0 @@
+-[Unit]
+-Description=usb media swupdate service
+-Requires=swupdate-progress.service
+-
+-[Service]
+-ExecStartPre=/bin/mount /dev/%I /mnt
+-ExecStart=/bin/sh -c "swupdate-client -v /mnt/*.swu"
+-ExecStopPost=/bin/umount /mnt
+diff --git a/debian/swupdate.udev b/debian/swupdate.udev
+deleted file mode 100644
+index b4efd0b7..00000000
+--- a/debian/swupdate.udev
++++ /dev/null
+@@ -1,2 +0,0 @@
+-ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service"
+-
+--
+2.34.1
+
diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
index 48a6cc1..2995d71 100644
--- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
@@ -21,7 +21,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
file://0003-debian-rules-Add-option-to-disable-fs-creation.patch \
file://0004-debian-rules-Add-option-to-disable-webserver.patch \
file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
- file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch"
+ file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
+ file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch"

# end patching for dm-verity based images
Thanks, applied to next as quick-fix.

Wouldn't it be more useful to make this configurable (opt-in via
/etc/something on the device), possibly also in Debian?

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


[isar-cip-core][PATCH] swupdate: Remove usb.service

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

Upstream adds a udev rule and a systemd service to install a swu from
a plug-in USB stick.

If the signing of the SWUpdate binary is deactivated
(current default in isar-cip-core) this service allows the installation
of an arbitrary SWUpdate binary from a plug-in USB stick.

Remove the installation and the files from the debian folder to
deactivate the possibility to install from USB.

Reported-by: Lisicki, Raphael <raphael.lisicki@...>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
...onfig-Make-image-encryption-optional.patch | 2 +-
.../0002-debian-rules-Add-CONFIG_MTD.patch | 2 +-
...es-Add-option-to-disable-fs-creation.patch | 2 +-
...ules-Add-option-to-disable-webserver.patch | 2 +-
...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 2 +-
...ules-Add-Embedded-Lua-handler-option.patch | 2 +-
...prepare-build-for-isar-debian-buster.patch | 2 +-
...-SWUpdate-USB-service-and-Udev-rules.patch | 57 +++++++++++++++++++
.../swupdate/swupdate_2021.11-1+debian-gbp.bb | 3 +-
9 files changed, 66 insertions(+), 8 deletions(-)
create mode 100644 recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch

diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
index c07b103..8b186e0 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
+++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
@@ -1,7 +1,7 @@
From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 15:28:21 +0200
-Subject: [PATCH 1/7] debian/config: Make image encryption optional
+Subject: [PATCH 1/8] debian/config: Make image encryption optional

This can be use to ease the setup with SWUpdate.

diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
index 8ebd09e..eb5067d 100644
--- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
+++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
@@ -1,7 +1,7 @@
From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:29:57 +0200
-Subject: [PATCH 2/7] debian/rules: Add CONFIG_MTD
+Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD

if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.

diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
index 876e164..3671709 100644
--- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
+++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
@@ -1,7 +1,7 @@
From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:15:56 +0200
-Subject: [PATCH 3/7] debian/rules: Add option to disable fs creation
+Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
index 66e48e6..8fbb722 100644
--- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
+++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
@@ -1,7 +1,7 @@
From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:27:11 +0200
-Subject: [PATCH 4/7] debian/rules: Add option to disable webserver
+Subject: [PATCH 4/8] debian/rules: Add option to disable webserver

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
index 4cca3bf..96443f2 100644
--- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
+++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
@@ -1,7 +1,7 @@
From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Tue, 5 Oct 2021 10:56:25 +0200
-Subject: [PATCH 5/7] debian: Make CONFIG_HW_COMPATIBILTY optional
+Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional

Add option for qemu.

diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
index 447f6ad..324f079 100644
--- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
@@ -1,7 +1,7 @@
From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 6/7] debian/rules: Add Embedded Lua handler option
+Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
index 3ff4ca9..0b08f25 100644
--- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
+++ b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
@@ -1,7 +1,7 @@
From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 16:17:03 +0200
-Subject: [PATCH 7/7] debian: prepare build for isar debian buster
+Subject: [PATCH 7/8] debian: prepare build for isar debian buster

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
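Review bot: The [PATCH n/7] to [PATCH n/8] renumbering in the Subject line here, and in the six hunks before it, is churn that will recur with every patch added to recipes-core/swupdate/files. Exporting the stored patches with git format-patch --no-numbered would leave the existing files untouched when a patch is added.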
diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
new file mode 100644
index 0000000..3cce24b
--- /dev/null
+++ b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
@@ -0,0 +1,57 @@
+From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@...>
+Date: Mon, 7 Feb 2022 09:28:39 +0100
+Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules
+
+The current implementation will install an abitrary SWUpdate binary
+from a plug-in USB stick. This is a major security risk for devices
+using the SWUpdate package from Debian.
+
+Remove the installation and the files from the debian folder.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
+---
+ debian/rules | 1 -
+ debian/swupdate.swupdate-usb@.service | 8 --------
+ debian/swupdate.udev | 2 --
+ 3 files changed, 11 deletions(-)
+ delete mode 100644 debian/swupdate.swupdate-usb@.service
+ delete mode 100644 debian/swupdate.udev
+
+diff --git a/debian/rules b/debian/rules
+index e1c4a921..84ed55d4 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -103,7 +103,6 @@ override_dh_auto_install:
+ override_dh_installsystemd:
+ dh_installsystemd --no-start
+ dh_installsystemd --name=swupdate-progress
+- dh_installsystemd --no-start --name=swupdate-usb@
+
+ ifeq (,$(filter pkg.swupdate.bpo,$(DEB_BUILD_PROFILES)))
+ override_dh_gencontrol:
+diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service
+deleted file mode 100644
+index eda9d153..00000000
+--- a/debian/swupdate.swupdate-usb@.service
++++ /dev/null
+@@ -1,8 +0,0 @@
+-[Unit]
+-Description=usb media swupdate service
+-Requires=swupdate-progress.service
+-
+-[Service]
+-ExecStartPre=/bin/mount /dev/%I /mnt
+-ExecStart=/bin/sh -c "swupdate-client -v /mnt/*.swu"
+-ExecStopPost=/bin/umount /mnt
+diff --git a/debian/swupdate.udev b/debian/swupdate.udev
+deleted file mode 100644
+index b4efd0b7..00000000
+--- a/debian/swupdate.udev
++++ /dev/null
+@@ -1,2 +0,0 @@
+-ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service"
+-
+--
+2.34.1
+
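Review bot: The commit message of the embedded 0008 patch states the risk unconditionally ("will install an abitrary SWUpdate binary"), while the cover message limits it to builds where signing of the SWUpdate binary is deactivated; state the same condition in both and fix "abitrary" to "arbitrary". The message should also record that the deleted udev rule matched every USB block device with a filesystem (KERNEL=="sd*", ENV{ID_BUS}=="usb") and that the unit passed /mnt/*.swu directly to swupdate-client, since that is what any later opt-in variant has to gate.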
diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
index 48a6cc1..2995d71 100644
--- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
@@ -21,7 +21,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
file://0003-debian-rules-Add-option-to-disable-fs-creation.patch \
file://0004-debian-rules-Add-option-to-disable-webserver.patch \
file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
- file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch"
+ file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
+ file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch"

# end patching for dm-verity based images
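Review bot: In this SRC_URI list the new entry follows 0006 directly, so 0008 is applied here without 0007-debian-prepare-build-for-isar-debian-buster.patch, although it was exported as 8/8 on top of it. Please confirm that the debian/rules hunk of 0008 (context around line 103) applies both with and without 0007, or say in the commit message where 0007 is added.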

--
2.34.1
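
The commit message above describes a udev rule that starts swupdate-usb@<device>.service for any USB block device carrying a filesystem. As an added example (not part of the patch or of SWUpdate), the shell function below checks a root filesystem for that unit and rule, for instance to confirm that a rebuilt image no longer ships them. The Debian directory layout, the sample file names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the patch or from SWUpdate): audit a root
# filesystem for the USB auto-install path that the 0008 patch removes.

# Print one line per finding; return 1 if anything was found, 0 if clean.
# $1 = root to inspect ("/" on a running target, or an unpacked image).
# The directory layout is the usual Debian one (assumption of this example).
find_usb_autoinstall() {
    fa_root=${1:-/}
    fa_found=0

    # On merged-/usr systems /lib is a symlink to /usr/lib; skip it there
    # so the same file is not reported twice.
    fa_bases="etc usr/lib"
    [ -L "$fa_root/lib" ] || fa_bases="$fa_bases lib"

    for fa_base in $fa_bases; do
        # 1. The template unit that mounts /dev/%I and hands *.swu files
        #    to swupdate-client.
        fa_unit="$fa_root/$fa_base/systemd/system/swupdate-usb@.service"
        if [ -e "$fa_unit" ]; then
            echo "unit: $fa_unit"
            fa_found=1
        fi

        # 2. Any udev rule that pulls that unit in through SYSTEMD_WANTS
        #    (comment lines are ignored).
        for fa_rules in "$fa_root/$fa_base"/udev/rules.d/*.rules; do
            [ -f "$fa_rules" ] || continue
            if grep -v '^[[:space:]]*#' "$fa_rules" |
               grep -q 'SYSTEMD_WANTS.*swupdate-usb@'; then
                echo "udev: $fa_rules"
                fa_found=1
            fi
        done
    done
    return "$fa_found"
}

# Build a constructed sample rootfs under $1. With $2 = "with" it carries
# the unit and rule contents shown as deleted in the patch; otherwise only
# an unrelated rule. File names are constructed for this example.
make_sample_rootfs() {
    mkdir -p "$1/lib/systemd/system" "$1/lib/udev/rules.d"
    printf '%s\n' 'KERNEL=="ttyUSB*", MODE="0660"' \
        > "$1/lib/udev/rules.d/50-sample.rules"
    [ "$2" = with ] || return 0
    printf '%s\n' '[Service]' \
        'ExecStartPre=/bin/mount /dev/%I /mnt' \
        'ExecStart=/bin/sh -c "swupdate-client -v /mnt/*.swu"' \
        'ExecStopPost=/bin/umount /mnt' \
        > "$1/lib/systemd/system/swupdate-usb@.service"
    printf '%s\n' 'ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service"' \
        > "$1/lib/udev/rules.d/60-swupdate.rules"
}

# Run the audit over a "before" and an "after" sample tree.
demo() {
    demo_dir=$(mktemp -d) || return 1
    make_sample_rootfs "$demo_dir/before" with
    make_sample_rootfs "$demo_dir/after" without
    for demo_tree in before after; do
        if find_usb_autoinstall "$demo_dir/$demo_tree"; then
            echo "$demo_tree: clean"
        else
            echo "$demo_tree: USB auto-install path present"
        fi
    done
    rm -rf "$demo_dir"
}

demo
```

On a target or an unpacked image, call `find_usb_autoinstall /path/to/rootfs` and treat a non-zero return as a failed check.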


Re: 4.4.302 is going to be last 4.4 release

Jan Kiszka
 

On 03.02.22 08:13, nobuhiro1.iwamatsu@... wrote:
Hi Pavel,
-----Original Message-----
From: cip-dev@... <cip-dev@...> On
Behalf Of Pavel Machek
Sent: Wednesday, February 2, 2022 6:33 AM
To: jan.kiszka@...; cip-dev@...
Subject: [cip-dev] 4.4.302 is going to be last 4.4 release

Hi!

Greg says:

# Message-Id: <20220201180822.148370751@...>
# Subject: [PATCH 4.4 00/25] 4.4.302-rc1 review
# ...
# NOTE! This is the proposed LAST 4.4.y kernel release to happen under
# the rules of the normal stable kernel releases. After this one, it will
# be marked End-Of-Life as it has been 6 years and you really should know
# better by now and have moved to a newer kernel tree. After this one, no
# more security fixes will be backported and you will end up with an
# insecure system over time.
# ...
# Responses should be made by Thu, 03 Feb 2022 18:08:10 +0000.
# Anything received after that time might be too late.

(He sometimes releases kernels before the deadline).

We may want to make any announcements now or just after 4.4.302 is
released... so I guess we should start working on suitable wording.

Something like:

The CIP project is committed to maintaining the 4.4.x kernel till January of 2027 [1]. We are
maintaining the -cip branch [2], which is the stable kernel with about
1000 patches to support our reference hardware [3], and the -cip-rt branch, which
is a merge of the -rt and -cip trees.

If you for some reason need 4.4.x with bug and security fixes, and are running
similar hardware to our reference hardware (x86-64 and armv7), the -cip tree may
be a good base for that work. Testing of the -cip tree is welcome, as is joining the
CIP project.

[1] https://wiki.linuxfoundation.org/civilinfrastructureplatform/start
[2] https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/log/?h=linux-4.4.y-cip-rt
[3] https://wiki.linuxfoundation.org/civilinfrastructureplatform/ciptesting/cipreferencehardware
Thank you for taking up the issue. I think the content is fine.
Looks good to me as well.

Given that 4.4 is now history and Greg even mentioned CIP in his
discontinuation message [1] but said that we would only "consider" to
continue: Let's follow up on his post, only referring to the regular
linux-4.4.y-cip for now. Who of you two could do that?

BTW, do you have any future information about the RT kernel team?
We may also need to check the RT patch.
If you don't have the information, I'll ask the RT team about this.
Why should 4.4-rt continue if its former upstream retired?

Jan

[1] https://lkml.org/lkml/2022/2/3/91

--
Siemens AG, Technology
Competence Center Embedded Linux


Re: [isar-cip-dev][PATCH] Uprevision the cip-kernel-config to latest one

Jan Kiszka
 

On 04.02.22 06:40, Srinuvasan A wrote:
From: Srinuvasan A <srinuvasan_a@...>

Uprevision the cip-kernel-config to latest one.

Signed-off-by: Srinuvasan A <srinuvasan_a@...>
---
recipes-kernel/linux/linux-cip-common.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 8fa8988..84515c2 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2022
#
# Authors:
# Jan Kiszka <jan.kiszka@...>
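Review bot: Replacing 2019 with 2022 in the copyright line drops the original year; if the header is touched at all, a range (2019-2022) keeps it. The change is also unrelated to the SRCREV bump and is not mentioned in the commit message, so it would be better left out or listed there.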
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi

SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"

-SRCREV_cip-kernel-config ?= "4f80764b80a81f9590e927fb202f358465b322a6"
+SRCREV_cip-kernel-config ?= "3f527304fdadd163e20b7a5a9cfabaca7506c716"

S = "${WORKDIR}/linux-cip-v${PV}"
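Review bot: The commit message says only "to latest one", so the history will not show what the new SRCREV_cip-kernel-config value brings in. Name the config changes or the reason for the bump in the message, so that a later bisect over this recipe can tell what changed.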
Thanks, applied.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Re: [isar-cip-core v2 1/2] Add recipe to cause kernel panic during system boot

Jan Kiszka
 

On 01.02.22 16:35, Shivanand.Kunijadar@... wrote:
From: Shivanand Kunijadar <Shivanand.Kunijadar@...>

This recipe adds systemd service to cause kernel panic during system
boot.
It helps to check the swupdate-rollback feature.

Signed-off-by: Shivanand Kunijadar <Shivanand.Kunijadar@...>
---
kas/opt/kernel-panic.yml | 18 ++++++++++++++
.../kernel-panic/files/sysrq-panic.service | 10 ++++++++
recipes-core/kernel-panic/kernel-panic.bb | 24 +++++++++++++++++++
3 files changed, 52 insertions(+)
create mode 100644 kas/opt/kernel-panic.yml
create mode 100644 recipes-core/kernel-panic/files/sysrq-panic.service
create mode 100644 recipes-core/kernel-panic/kernel-panic.bb

diff --git a/kas/opt/kernel-panic.yml b/kas/opt/kernel-panic.yml
new file mode 100644
index 0000000..47df7b1
--- /dev/null
+++ b/kas/opt/kernel-panic.yml
@@ -0,0 +1,18 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Toshiba Corporation, 2022
+#
+# Authors:
+# Shivanand Kunijadar <Shivanand.Kunijadar@...>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file adds systemd service file to cause kernel panic during system boot.
+
+header:
+ version: 10
+
+local_conf_header:
+ kernel-panic: |
+ IMAGE_INSTALL_append = " kernel-panic"
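Review bot: The header comment should say that this option is for testing only. With kernel-panic in IMAGE_INSTALL_append the resulting image panics on every boot, and nothing in the file ties it to the swupdate rollback check named in the commit message.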
diff --git a/recipes-core/kernel-panic/files/sysrq-panic.service b/recipes-core/kernel-panic/files/sysrq-panic.service
new file mode 100644
index 0000000..169a97c
--- /dev/null
+++ b/recipes-core/kernel-panic/files/sysrq-panic.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=sysrq panic
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "echo c > /proc/sysrq-trigger"
+
+[Install]
+WantedBy=default.target
+
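Review bot: ExecStart writes to /proc/sysrq-trigger without checking that the file exists; on a kernel built without magic SysRq support the write fails, the unit just ends up failed and boot continues, so the rollback test would wrongly look like a successful boot. Document the kernel config requirement in the unit or the recipe, and drop the empty line added after WantedBy=default.target at the end of the file.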
diff --git a/recipes-core/kernel-panic/kernel-panic.bb b/recipes-core/kernel-panic/kernel-panic.bb
new file mode 100644
index 0000000..511febb
--- /dev/null
+++ b/recipes-core/kernel-panic/kernel-panic.bb
@@ -0,0 +1,24 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Toshiba Corporation, 2022
+#
+# Authors:
+# Shivanand Kunijadar <Shivanand.Kunijadar@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Systemd service file to cause kernel panic"
+
+SRC_URI = " \
+ file://sysrq-panic.service"
+
+do_install() {
+ install -v -d ${D}/lib/systemd/system
+ install -v -m 0644 ${WORKDIR}/sysrq-panic.service ${D}/lib/systemd/system/
+ install -v -d ${D}/etc/systemd/system/default.target.wants
+ ln -s /lib/systemd/system/sysrq-panic.service ${D}/etc/systemd/system/default.target.wants/
+}
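Review bot: do_install creates the default.target.wants symlink by hand while sysrq-panic.service also carries [Install] WantedBy=default.target, so the enablement is expressed in two places that can drift apart. Keep one of them: either drop the [Install] section from the unit, or let the packaging enable the unit and remove the ln -s line.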
Applied already to next, dropping the extra new-line in sysrq-panic.service.

Thanks,
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Re: [isar-cip-core v2 2/2] README.swupdate.md: add readme file with steps to verify swupdate

Jan Kiszka
 

On 03.02.22 12:57, Gylstorff Quirin wrote:
Hi,

On 2/1/22 16:35, Shivanand.Kunijadar@... wrote:
From: Shivanand Kunijadar <Shivanand.Kunijadar@...>

Prepare readme file with necessary steps to verify swupdate feature
with rollback functionality.

Signed-off-by: Shivanand Kunijadar <Shivanand.Kunijadar@...>
---
  doc/README.swupdate.md | 208 +++++++++++++++++++++++++++++++++++++++++
  1 file changed, 208 insertions(+)
  create mode 100644 doc/README.swupdate.md

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
new file mode 100644
index 0000000..56bc77c
--- /dev/null
+++ b/doc/README.swupdate.md
@@ -0,0 +1,208 @@
+
+Clone the isar-cip-core repository
+```
+host$ git clone
https://gitlab.com/cip-project/cip-core/isar-cip-core.git
+```
+
+Install `kas-container` from the [kas
project](https://github.com/siemens/kas):
+
+```
+host$ wget
https://raw.githubusercontent.com/siemens/kas/2.6.2/kas-container
+host$ chmod a+x kas-container
+```
+
Please refer to the existing instructions, rather than duplicating them.
Otherwise, we have to patch the kas-container version information in yet
another place.

+Build the image for swupdate
+
+```
+host$ ./kas-container --isar build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
Would it be better to use ./kas-container menu?
Technically the same, but the above is probably easier to describe here.
But drop the obsolete "--isar".


+```
+- save the generated swu
build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu
in a separate folder (ex: tmp)
+- modify the image for example add a new version to the image by
adding PV=2.0.0 to cip-core-image.bb
+- rebuild the image using above command and start the new target
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```
OK, here that explicit building above, not using kas-container menu,
requires this explicit "SWUPDATE_BOOT=y". But not a major issue, also
given that we will add the panic option below, something that is likely
not helpful to expose in the kconfig menu.

+
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp`
folder to the running system
+
+```
+root@demo:~# scp
<host-user>@<host-ip>:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu
.
+```
According to https://wiki.qemu.org/Documentation/Networking the default
host ip should be 10.0.2.2.
Indeed, would be one variable less.

+
+Check which partition is booted, e.g. with lsblk:
+
+```
+root@demo:~# lsblk
+NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
+sda      8:0    0    2G  0 disk
+├─sda1   8:1    0 16.4M  0 part
+├─sda2   8:2    0   32M  0 part
+├─sda3   8:3    0   32M  0 part
+├─sda4   8:4    0 1000M  0 part /
+└─sda5   8:5    0 1000M  0 part
+```
+
+Apply swupdate and reboot
+```
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
+root@demo:~# reboot
+```
+Check which partition is booted, e.g. with lsblk and the rootfs
should have changed
+```
+root@demo:~# lsblk
+NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
+sda      8:0    0    2G  0 disk
+├─sda1   8:1    0 16.4M  0 part
+├─sda2   8:2    0   32M  0 part
+├─sda3   8:3    0   32M  0 part
+├─sda4   8:4    0 1000M  0 part
+└─sda5   8:5    0 1000M  0 part /
+```
+
+Check bootloader ustate after swupdate
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress:      no
+revision:         2
+kernel:          
C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs:       console=tty0 console=ttyS0,115200 rootwait
earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw
initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate:           0 (OK)
+
+user variables:
+
+----------------------------
+ Config Partition #1 Values:
+in_progress:      no
+revision:         3
+kernel:           C:BOOT1:vmlinuz
+kernelargs:       root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002
console=tty0 console=ttyS0,115200 rootwait earlyprintk rw
initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate:           2 (TESTING)
+```
+
+if Partition #1 usate is 2 (TESTING) then execute below command to
confirm swupdate and the command will set ustate to "OK"
+```
+root@demo:~# bg_setenv -c
+```
+
+# swupdate rollback example
+
+Build the image for swupdate with service which causes kernel panic
during system boot using below command.
+
+```
+host$ ./kas-container --isar build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/kernel-panic.yml
Again, no more "--isar".


+```
+- save the generated swu
build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu
in a separate folder (ex: tmp)
+- build the image again without `kernel-panic.yml` recipe using below
command
+```
+host$ ./kas-container --isar build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
Also here.

+```
+
+Start the target on QEMU
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```
+
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp`
folder to the running system
+
+```
+root@demo:~# scp
<host-user>@<host-ip>:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu
.
+```
+
+Check which partition is booted, e.g. with lsblk:
+
+```
+root@demo:~# lsblk
+NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
+sda      8:0    0    2G  0 disk
+├─sda1   8:1    0 16.4M  0 part
+├─sda2   8:2    0   32M  0 part
+├─sda3   8:3    0   32M  0 part
+├─sda4   8:4    0 1000M  0 part /
+└─sda5   8:5    0 1000M  0 part
+```
+
+Check bootloader ustate before swupdate and should be as below
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress:      no
+revision:         2
+kernel:          
C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs:       console=tty0 console=ttyS0,115200 rootwait
earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw
initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate:           0 (OK)
+
+user variables:
+----------------------------
+Config Partition #1 Values:
+in_progress:      no
+revision:         1
+kernel:          
C:BOOT1:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs:       console=tty0 console=ttyS0,115200 rootwait
earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 rw
initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate:           0 (OK > +```
+
+Apply swupdate as below
+```
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
+```
+
+check bootloader ustate after swupdate. if the swupdate is successful
then **revision number** should increase to **3** and status should be
changed to **INSTALLED** for Partition #1.
+```
+root@demo:~# bg_printenv
+----------------------------
+Config Partition #0 Values:
+in_progress:      no
+revision:         2
+kernel:          
C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs:       console=tty0 console=ttyS0,115200 rootwait
earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw
initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate:           0 (OK)
+
+user variables:
+----------------------------
+Config Partition #1 Values:
+in_progress:      no
+revision:         3
+kernel:           C:BOOT1:vmlinuz
+kernelargs:       root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002
console=tty0 console=ttyS0,115200 rootwait earlyprintk rw
initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+watchdog timeout: 60 seconds
+ustate:           1 (INSTALLED)
+```
+
+Execute reboot command
+- reboot command should cause kernel panic error.
+- watchdog timer should expire and restart the qemu. bootloader
should select previous partition to boot.
+```
+root@demo:~# reboot
+```
+
+Once the system is restarted, check the bootloader ustate
+- if update is failed then **revision number** should reduce to **0**
and status should change to **FAILED** for Partition #1.
+```
+root@demo:~# bg_printenv
+----------------------------
+ Config Partition #0 Values:
+in_progress:      no
+revision:         2
+kernel:          
C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
+kernelargs:       console=tty0 console=ttyS0,115200 rootwait
earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw
initrd=cip-core-image-cip-corg
+watchdog timeout: 60 seconds
+ustate:           0 (OK)
+
+user variables:
+----------------------------
+ Config Partition #1 Values:
+in_progress:      no
+revision:         0
+kernel:           C:BOOT1:vmlinuz
+kernelargs:       root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002
console=tty0 console=ttyS0,115200 rootwait earlyprintk rw
initrd=cip-core-image-cip-corg
+watchdog timeout: 60 seconds
+ustate:           3 (FAILED)
+```
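Review bot: the sample bg_printenv output in the final block of the rollback section shows both initrd values cut off as "initrd=cip-core-image-cip-corg", while every earlier block shows "initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img"; a reader comparing their own output against the README will see a mismatch that has nothing to do with the rollback. Suggest pasting the complete lines. In the same file, "if Partition #1 usate is 2 (TESTING)" should read "ustate", and the first procedure has no heading while the second has "# swupdate rollback example", so a matching heading for the plain update case would make the two procedures easier to tell apart.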
Quirin
Thanks,
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


[isar-cip-dev][PATCH] Uprevision the cip-kernel-config to latest one

Srinuvasan A
 

From: Srinuvasan A <srinuvasan_a@...>

Uprevision the cip-kernel-config to latest one.

Signed-off-by: Srinuvasan A <srinuvasan_a@...>
---
recipes-kernel/linux/linux-cip-common.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 8fa8988..84515c2 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2022
#
# Authors:
# Jan Kiszka <jan.kiszka@...>
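Review bot: the copyright line replaces 2019 with 2022 instead of extending it, which drops the year of first publication from the header. Suggest "Copyright (c) Siemens AG, 2019-2022" so the original year is kept.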
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi

SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"

-SRCREV_cip-kernel-config ?= "4f80764b80a81f9590e927fb202f358465b322a6"
+SRCREV_cip-kernel-config ?= "3f527304fdadd163e20b7a5a9cfabaca7506c716"

S = "${WORKDIR}/linux-cip-v${PV}"
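Review bot: the SRCREV_cip-kernel-config change moves between two opaque commit hashes and the commit message only says "latest one", so a reader cannot tell which configuration changes the new revision brings in or why they are wanted. Suggest naming in the commit message what the new cip-kernel-config revision provides, so the pin can be audited later.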
--
2.25.1


Re: CIP IRC weekly meeting today on libera.chat

Pavel Machek
 

Hi!

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today. Our channel is the
following:
I'm sorry I missed the meeting.

I was mostly reviewing 5.10.96.

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2022/01/cip.2022-01-27-13.00.log.html
Aha, and useful trick, directory listings are enabled, so going to
https://irclogs.baserock.org/meetings/cip/2022/02/ allows me to access
the logs.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
