[isar-cip-core][PATCH 3/9] linux-cip-common: Increase revision kernel config
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Add support for verity and overlay fs. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- recipes-kernel/linux/linux-cip-common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 1afec88..8fa8988 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc @@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}" -SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e" +SRCREV_cip-kernel-config ?= "4f80764b80a81f9590e927fb202f358465b322a6" S = "${WORKDIR}/linux-cip-v${PV}" -- 2.30.2
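Review bot: the commit message promises verity and overlay fs support, but the only change is moving SRCREV_cip-kernel-config from cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e to 4f80764b80a81f9590e927fb202f358465b322a6; a reader of the log cannot tell which kernel config options that revision turns on. Name them in the message (the dm-verity and overlayfs entries this series relies on, and whether dm_mod/dm_verity are built in or as modules, since the initramfs hook in patch 4 calls manual_add_modules for both) so the dependency between the config bump and the read-only rootfs is recorded.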
[isar-cip-core][PATCH 7/9] Mount writable home partition
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Add an example of how to add a writable home partition Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- recipes-core/home-fs/files/home.mount | 12 +++++++++++ recipes-core/home-fs/files/postinst | 3 +++ recipes-core/home-fs/home-fs_0.1.bb | 20 +++++++++++++++++++ .../images/cip-core-image-read-only.bb | 1 + wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++ 5 files changed, 38 insertions(+) create mode 100644 recipes-core/home-fs/files/home.mount create mode 100755 recipes-core/home-fs/files/postinst create mode 100644 recipes-core/home-fs/home-fs_0.1.bb diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount new file mode 100644 index 0000000..062517a --- /dev/null +++ b/recipes-core/home-fs/files/home.mount @@ -0,0 +1,12 @@ +[Unit] +Description=Mount /home partition +Before=local-fs.target + +[Mount] +What=/dev/disk/by-partlabel/home +Where=/home +Type=auto +Options=defaults + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst new file mode 100755 index 0000000..f6184d6 --- /dev/null +++ b/recipes-core/home-fs/files/postinst @@ -0,0 +1,3 @@ +#!/bin/sh + +deb-systemd-helper enable home.mount || true diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb new file mode 100644 index 0000000..93e08e6 --- /dev/null +++ b/recipes-core/home-fs/home-fs_0.1.bb @@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://home.mount" + +do_install[cleandirs]+="${D}/lib/systemd/system" +do_install() { + install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount + +} \ No newline at end of file diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb index ceb6ac4..79cd6bf 100644 
--- a/recipes-core/images/cip-core-image-read-only.bb +++ b/recipes-core/images/cip-core-image-read-only.bb @@ -3,6 +3,7 @@ require cip-core-image.bb SQUASHFS_EXCLUDE_DIRS += "home var" IMAGE_INSTALL += "etc-overlay-fs" +IMAGE_INSTALL += "home-fs" IMAGE_INSTALL += "tmp-fs" IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index c4ea0c8..81fd4fe 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in @@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +# home and var are extra partitions +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" -- 2.30.2
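Review bot: home.mount mounts a user-writable partition with `Type=auto` and `Options=defaults`, which is weaker than the rest of the series: the wks creates the partition as ext4, so pin `Type=ext4`, and since the verity root exists so that only signed content is executed from the rootfs, give /home `Options=nosuid,nodev` (the tmp-fs unit in this series already uses `nodev,nosuid` for /tmp) so a setuid binary or device node dropped on the writable partition cannot undercut that. Also, home-fs_0.1.bb has a stray blank line inside do_install() and ends without a trailing newline (`\ No newline at end of file`).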
[isar-cip-core][PATCH 5/9] Create an read-only rootfs with dm-verity
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
This root file system supports SWUpdate and secure boot. We need a writable /tmp and /var for a boot without error messages. The mount point for /tmp is created during the systemd target local-fs according to [1]. Before `Remount Root and Kernel File Systems.` the tmp of the initrd is used. [1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- .gitlab-ci.yml | 11 ------- Kconfig | 4 +-- classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++ kas/opt/ebg-secure-boot-snakeoil.yml | 12 ++++++- kas/opt/ebg-snakeoil-swu.yml | 16 ---------- .../images/cip-core-image-read-only.bb | 20 ++++++++++++ recipes-core/tmp-fs/files/postinst | 3 ++ recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +++++++ recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++++++++++++++ start-qemu.sh | 4 +++ wic/qemu-amd64-efibootguard-secureboot.wks | 11 ------- wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++ 12 files changed, 122 insertions(+), 41 deletions(-) create mode 100644 classes/secure-swupdate-img.bbclass delete mode 100644 kas/opt/ebg-snakeoil-swu.yml create mode 100644 recipes-core/images/cip-core-image-read-only.bb create mode 100755 recipes-core/tmp-fs/files/postinst create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5becd37..d407f0f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -179,17 +179,6 @@ build:qemu-amd64-swupdate: targz: disable deploy: disable -build:qemu-amd64-secure-boot-swu: - extends: - - .build_base - variables: - target: qemu-amd64 - extention: ebg-snakeoil-swu - use_rt: disable - wic_targz: disable - targz: disable - deploy: disable - # bullseye images build:simatic-ipc227e-bullseye: extends: 
diff --git a/Kconfig b/Kconfig index 3b882d6..e5ce257 100644 --- a/Kconfig +++ b/Kconfig @@ -136,11 +136,11 @@ config IMAGE_SWUPDATE config IMAGE_SECURE_BOOT bool "Secure boot support" depends on TARGET_QEMU_AMD64 + select IMAGE_SWUPDATE config KAS_INCLUDE_SWUPDATE_SECBOOT string default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT - default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT - default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT endif diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass new file mode 100644 index 0000000..431939b --- /dev/null +++ b/classes/secure-swupdate-img.bbclass @@ -0,0 +1,32 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +SECURE_IMAGE_FSTYPE ?= "squashfs" + +inherit ${SECURE_IMAGE_FSTYPE}-img + +VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}" + +INITRAMFS_RECIPE ?= "cip-core-initramfs" +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" + +inherit verity-img +inherit wic-img +inherit extract-partition +inherit swupdate-img + +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}" + +addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image +addtask do_wic_image after do_verity_image +addtask do_extract_partition after do_wic_image +addtask do_swupdate_image after do_extract_partition diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index 2f45bde..1cfbacc 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml 
@@ -14,13 +14,23 @@ header: includes: - kas/opt/ebg-secure-boot-base.yml +target: cip-core-image-read-only local_conf_header: + swupdate: | + IMAGE_INSTALL_append = " swupdate" + IMAGE_INSTALL_append = " swupdate-handler-roundrobin" + + verity-img: | + SECURE_IMAGE_FSTYPE = "squashfs" + VERITY_IMAGE_RECIPE = "cip-core-image-read-only" + IMAGE_TYPE = "secure-swupdate-img" + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" + secure-boot: | # Add snakeoil and ovmf binaries for qemu IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries" IMAGER_INSTALL += "ebg-secure-boot-snakeoil" - WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks" ovmf: | # snakeoil certs are only part of backports diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml deleted file mode 100644 index 2f15c0e..0000000 --- a/kas/opt/ebg-snakeoil-swu.yml +++ /dev/null @@ -1,16 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2021 -# -# Authors: -# Quirin Gylstorff <quirin.gylstorff@...> -# -# SPDX-License-Identifier: MIT -# - -header: - version: 10 - includes: - - kas/opt/ebg-secure-boot-snakeoil.yml - - kas/opt/swupdate.yml diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb new file mode 100644 index 0000000..7ef2dc2 --- /dev/null +++ b/recipes-core/images/cip-core-image-read-only.bb @@ -0,0 +1,20 @@ +require cip-core-image.bb + +SQUASHFS_EXCLUDE_DIRS += "home var" + +IMAGE_INSTALL += "tmp-fs" +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" + +image_configure_fstab() { + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF +# Begin /etc/fstab +/dev/root / auto defaults,ro 0 0 +LABEL=var /var auto defaults 0 0 +proc /proc proc nosuid,noexec,nodev 0 0 +sysfs /sys sysfs nosuid,noexec,nodev 0 0 +devpts /dev/pts devpts gid=5,mode=620 0 0 +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0 +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 +# End /etc/fstab +EOF +} 
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst new file mode 100755 index 0000000..07017fd --- /dev/null +++ b/recipes-core/tmp-fs/files/postinst @@ -0,0 +1,3 @@ +#!/bin/sh + +deb-systemd-helper enable tmp.mount || true diff --git a/recipes-core/tmp-fs/files/tmp.mount.tmpl b/recipes-core/tmp-fs/files/tmp.mount.tmpl new file mode 100644 index 0000000..fcb2f3e --- /dev/null +++ b/recipes-core/tmp-fs/files/tmp.mount.tmpl @@ -0,0 +1,11 @@ +[Unit] +Description=Create /tmp + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +Options=${TMP_OPTIONS} + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb new file mode 100644 index 0000000..3ec20c7 --- /dev/null +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb @@ -0,0 +1,26 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://tmp.mount.tmpl" + +TMP_FS_SIZE ?= "500M" +TMP_FS_MODE ?= "755" +TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_SIZE},mode=${TMP_MODE}" + +TEMPLATE_FILES = "tmp.mount.tmpl" +TEMPLATE_VARS += "TMP_FS_OPTIONS" + +do_install[cleandirs]+="${D}/lib/systemd/system" +do_install() { + install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount +} diff --git a/start-qemu.sh b/start-qemu.sh index a92e9f4..c700974 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -42,6 +42,9 @@ if [ -z "${TARGET_IMAGE}" ];then TARGET_IMAGE="cip-core-image" if grep -s -q "IMAGE_SECURITY: true" .config.yaml; then TARGET_IMAGE="cip-core-image-security" + fi + if [ -n "${SECURE_BOOT}" ]; then + TARGET_IMAGE="cip-core-image-read-only" fi fi 
@@ -55,6 +58,7 @@ case "$1" in -machine q35,accel=kvm:tcg \ -device virtio-net-pci,netdev=net" if [ -n "${SECURE_BOOT}" ]; then + # set bootindex=0 to boot disk instead of EFI-shell QEMU_EXTRA_ARGS=" \ ${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk,bootindex=0" else diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks deleted file mode 100644 index ff351db..0000000 --- a/wic/qemu-amd64-efibootguard-secureboot.wks +++ /dev/null @@ -1,11 +0,0 @@ -# short-description: Qemu-amd64 with Efibootguard and SWUpdate -# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate -include ebg-signed-bootloader.inc - -# EFI Boot Guard environment/config partitions plus Kernel files -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" - -include swupdate-partition.inc - -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in new file mode 100644 index 0000000..c4ea0c8 --- /dev/null +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in 
@@ -0,0 +1,13 @@ +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" + +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" + +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" -- 2.30.2
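Review bot: the tmp-fs recipe never delivers the configured mount options. In tmp-fs_0.1.bb the defaults are TMP_FS_SIZE and TMP_FS_MODE, but TMP_FS_OPTIONS is built from `${TMP_SIZE}` and `${TMP_MODE}`, which are undefined, so the string expands to `nodev,nosuid,size=,mode=`; and tmp.mount.tmpl uses the placeholder `${TMP_OPTIONS}` while TEMPLATE_VARS only exports TMP_FS_OPTIONS, so the template substitution leaves the placeholder untouched. Make the three names agree, e.g. `TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_FS_SIZE},mode=${TMP_FS_MODE}"` in the recipe and `Options=${TMP_FS_OPTIONS}` in the template; otherwise the "Configurable size of /tmp" item from the cover letter does not work.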
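Review bot: the new qemu-amd64-efibootguard-secureboot.wks.in drops `panic=0` from the bootloader `--append` line that the deleted .wks carried (and adds `rw`). The verity local-top script in this series calls panic() when the root device cannot be opened; without a `panic=` kernel parameter initramfs-tools' panic() drops to its rescue shell rather than rebooting, so a device whose rootfs fails verification ends up in an interactive shell started from the signed initrd instead of restarting. Keep a `panic=` value on the command line, or state in the commit message why the reboot-on-failure behaviour was given up.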
[isar-cip-core][PATCH 1/9] Add new class to create a squashfs based root file system
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
This file system is read only and uses a reduced image size. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- classes/squashfs-img.bbclass | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 classes/squashfs-img.bbclass diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass new file mode 100644 index 0000000..0fcfca5 --- /dev/null +++ b/classes/squashfs-img.bbclass @@ -0,0 +1,41 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img" + +IMAGER_INSTALL += "squashfs-tools" + +SQUASHFS_EXCLUDE_DIRS ?= "" +SQUASHFS_CONTENT ?= "${PP_ROOTFS}" +SQUASHFS_CREATION_ARGS ?= " " +# Generate squashfs filesystem image +python __anonymous() { + exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split() + if len(exclude_directories) == 0: + return + # use wildcard to exclude only content of the the directory + # this allows to use the directory as a mount point + args = " -wildcards" + for dir in exclude_directories: + args += " -e {dir}/* ".format(dir=dir) + d.appendVar('SQUASHFS_CREATION_ARGS', args) +} + +do_squashfs_image() { + rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}' + + image_do_mounts + + sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \ + "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \ + ${SQUASHFS_CREATION_ARGS} +} +addtask do_squashfs_image before do_image after do_image_tools do_excl_directories -- 2.30.2
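Review bot: in the anonymous Python of squashfs-img.bbclass the loop variable `dir` shadows the builtin and the comment above it reads "the the directory"; rename the variable (e.g. `excl`) and fix the typo. The `-wildcards` plus `-e {dir}/*` approach, which drops a directory's contents but keeps the empty directory as a mount point, is what the read-only image needs for `home var`, so say so in the class comment and note that an entry without a matching partition or mount unit will simply be an empty, unwritable directory on the squashfs.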
[isar-cip-core][PATCH 2/9] Add verity-img.bbclass for dm-verity based rootfs
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
As we need the output of `veritysetup` to generate the initrd, do_verity_image must be called before wic generates the final disk image. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 classes/verity-img.bbclass diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass new file mode 100644 index 0000000..3c94643 --- /dev/null +++ b/classes/verity-img.bbclass 
@@ -0,0 +1,73 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# +IMAGER_INSTALL += "cryptsetup" + +VERITY_IMAGE_TYPE ?= "squashfs" +VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img" +VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" +VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata" +VERITY_HASH_BLOCK_SIZE ?= "1024" +VERITY_DATA_BLOCK_SIZE ?= "1024" + +create_verity_env_file() { + + local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env" + rm -f $ENV + + local input="${WORKDIR}/${VERITY_IMAGE_METADATA}" + # remove header from verity meta data + sed -i '/VERITY header information for/d' $input + IFS=":" + while read KEY VAL; do + printf '%s=%s\n' \ + "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ + "$(echo "$VAL" | tr -d ' \t')" >> $ENV + done < $input +} + +verity_setup() { + rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} + rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} + + cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} + + image_do_mounts + sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \ + --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \ + --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \ + --data-blocks "${VERITY_DATA_BLOCKS}" \ + --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \ + "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \ + "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \ + >"${WORKDIR}/${VERITY_IMAGE_METADATA}" + + echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \ + >>"${WORKDIR}/${VERITY_IMAGE_METADATA}" +} + +do_verity_image[cleandirs] = "${WORKDIR}/verity" +python do_verity_image() { + import os + + image_file = os.path.join( + d.getVar("DEPLOY_DIR_IMAGE"), + d.getVar("VERITY_INPUT_IMAGE") + ) + data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) + size = os.stat(image_file).st_size + assert size % data_block_size == 0, f"image is 
not well-sized!" + d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) + d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) + + bb.build.exec_func('verity_setup', d) + bb.build.exec_func('create_verity_env_file', d) +} +addtask verity_image before do_image after do_image_tools -- 2.30.2
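Review bot: verity_setup does not pass `--hash` to `veritysetup format`, so the hash algorithm is whatever cryptsetup's default is (sha256 today). The `Hash algorithm:` line of the metadata does land in the .verity.env as HASH_ALGORITHM via create_verity_env_file, but nothing consumes it, and the boot-time `veritysetup open` in the initramfs script also relies on the default; a default change on either the build host or the target then breaks the open silently. Pin `--hash sha256` here and feed HASH_ALGORITHM into the open call. Minor: `sed -i` rewrites the metadata file under WORKDIR in place, so the raw veritysetup output is gone after the task; writing the cleaned copy to a second file keeps it for debugging.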
From b1699e5e1fd0d9617e0d6850c157809c42e2cb99 Mon Sep 17 00:00:00 2001
Quirin Gylstorff
This patch series adds support for a read-only squashfs based root filesystem
with SWUpdate support and secureboot. The build is somewhat complex as we need
the output of dm-verity to generate the initramfs. The build is split in the
following steps:

1. Build the root file system
2. Generate a squashfs image - this can also be replaced by another image format (e.g. ext4)
3. Build from the image the dm-verity partition and add it to the end of the image
4. Add the resulting verity environment to the initrd
5. Build the signed efi tool chain.

This series needs SWUpdate 2021.11. The necessary changes are currently backported.

Changes in RFC V2:
- rebase onto origin/next
- adapt Kconfig to new ebg-secure-boot-snakeoil.yml by deleting unnecessary options
- Cleanup to support different file-systems for verity-img
  - tested with ext4 and squashfs
- simplified kernel patching
  - prepend not necessary
  - added flag to enable/disable
  - whitespaces for readability
- integrated into ebg-secure-boot-snakeoil
- make behavior on corruption configurable during build time.
  - default is restart on corruption
- add ISAR patch for correct permissions

Changes in RFC V3:
- Configurable size of /tmp
- remove unnecessary overlay-parse-etc.service
- convert etc-sysusers to drop in configuration of systemd-sysusers.service
- extend commit messages

Changes in Patch:
- rebased onto origin/next 2550c34a03ae3c035a1593585f2d8e545c83140d
- initrd verity warning message
- Kconfig: secure-boot element selects also swupdate as the secureboot kas option contains swupdate
- fixed ci build

Quirin Gylstorff (9):
  Add new class to create a squashfs based root file system
  Add verity-img.bbclass for dm-verity based rootfs
  linux-cip-common: Increase revision kernel config
  Create a initrd with support for dm-verity
  Create an read-only rootfs with dm-verity
  Create systemd mount units for a etc overlay
  Mount writable home partition
  kas: Patch isar for correct permissions in var and home
  swupdate: Backport patches from SWUpdate Master

 .gitlab-ci.yml                                |  11 -
 Kconfig                                       |   4 +-
 classes/secure-swupdate-img.bbclass           |  32 +++
 classes/squashfs-img.bbclass                  |  41 ++++
 classes/verity-img.bbclass                    |  73 +++++++
 kas-cip.yml                                   |   4 +
 kas/opt/ebg-secure-boot-snakeoil.yml          |  12 +-
 ...when-splitting-rootfs-folders-across.patch |  35 ++++
 .../etc-overlay-fs/etc-overlay-fs_0.1.bb      |  32 +++
 .../etc-overlay-fs/files/etc-hostname.service |  14 ++
 .../files/etc-sshd-regen-keys.conf            |   7 +
 .../etc-overlay-fs/files/etc-sysusers.conf    |   4 +
 recipes-core/etc-overlay-fs/files/etc.mount   |  13 ++
 recipes-core/etc-overlay-fs/files/postinst    |   4 +
 recipes-core/home-fs/files/home.mount         |  12 ++
 recipes-core/home-fs/files/postinst           |   3 +
 recipes-core/home-fs/home-fs_0.1.bb           |  20 ++
 .../images/cip-core-image-read-only.bb        |  22 ++
 ...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
 .../swupdate/swupdate_2021.04-1+debian-gbp.bb |   5 +
 recipes-core/tmp-fs/files/postinst            |   3 +
 recipes-core/tmp-fs/files/tmp.mount.tmpl      |  11 +
 recipes-core/tmp-fs/tmp-fs_0.1.bb             |  26 +++
 .../cip-core-initramfs/cip-core-initramfs.bb  |  10 +-
 .../files/verity.conf-hook                    |   1 +
 .../initramfs-verity-hook/files/verity.hook   |  23 +++
 .../files/verity.script.tmpl                  |  70 +++++++
 .../initramfs-verity-hook_0.1.bb              |  51 +++++
 recipes-kernel/linux/linux-cip-common.inc     |   2 +-
 start-qemu.sh                                 |   4 +
 wic/qemu-amd64-efibootguard-secureboot.wks    |  11 -
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  15 ++
 32 files changed, 735 insertions(+), 31 deletions(-)
 create mode 100644 classes/secure-swupdate-img.bbclass
 create mode 100644 classes/squashfs-img.bbclass
 create mode 100644 classes/verity-img.bbclass
 create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
 create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
 create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
 create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
 create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
 create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
 create mode 100755 recipes-core/etc-overlay-fs/files/postinst
 create mode 100644 recipes-core/home-fs/files/home.mount
 create mode 100755 recipes-core/home-fs/files/postinst
 create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
 create mode 100644 recipes-core/images/cip-core-image-read-only.bb
 create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
 create mode 100755 recipes-core/tmp-fs/files/postinst
 create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
 create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
 rename kas/opt/ebg-snakeoil-swu.yml => recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb (61%)
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
 create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
 delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
 create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in

-- 
2.30.2
[isar-cip-core][PATCH 4/9] Create a initrd with support for dm-verity
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Adapt the initrd to open a dm-verity partition with a fixed root hash. The initramfs script is based on [1]. [1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- .../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++ .../files/verity.conf-hook | 1 + .../initramfs-verity-hook/files/verity.hook | 23 ++++++ .../files/verity.script.tmpl | 70 +++++++++++++++++++ .../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++ 5 files changed, 161 insertions(+) create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb new file mode 100644 index 0000000..825fb9f --- /dev/null +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb @@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +inherit initramfs + +INITRAMFS_INSTALL += " \ + initramfs-verity-hook \ + " diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook new file mode 100644 index 0000000..9b61fb8 --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook @@ -0,0 +1 @@ +BUSYBOX=y diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook new file mode 100644 index 0000000..5eada8a --- /dev/null 
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook @@ -0,0 +1,23 @@ +#!/bin/sh +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +# Begin real processing below this line + +manual_add_modules dm_mod +manual_add_modules dm_verity + +copy_exec /sbin/veritysetup +copy_exec /sbin/dmsetup +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl new file mode 100644 index 0000000..7c75b5b --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl 
@@ -0,0 +1,70 @@ +#!/bin/sh +prereqs() +{ + # Make sure that this script is run last in local-top + # If the script cryptroot is installed this script + # should be second to last + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions +. /lib/cryptsetup/functions +. /usr/share/verity-env/verity.env +# Even if this script fails horribly, make sure there won't be a chance the +# current $ROOT will be attempted. As this device most likely contains a +# perfectly valid filesystem, it would be mounted successfully, leading to a +# broken trust chain. +echo "ROOT=/dev/null" >/conf/param.conf +wait_for_udev 10 +case "$ROOT" in + PART*) + # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching + # partition + ROOT=$(blkid --list-one --output device --match-token "$ROOT") + ;; + "") + # No Root device was given. Use veritysetup verify to search matching roots + partitions=$(blkid -o device) + for part in $partitions; do + if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then + if veritysetup verify \ + "$part" "$part" "${ROOT_HASH}" \ + --hash-offset "${HASH_OFFSET}";then + ROOT="$part" + break + fi + fi + done + ;; +esac +set -- "$ROOT" verityroot +if ! veritysetup open \ + ${VERITY_BEHAVIOR_ON_CORRUPTION} \ + --data-block-size "${DATA_BLOCK_SIZE}" \ + --hash-block-size "${HASH_BLOCK_SIZE}" \ + --data-blocks "${DATA_BLOCKS}" \ + --hash-offset "${HASH_OFFSET}" \ + --salt "${SALT}" \ + "$1" "$2" "$1" "${ROOT_HASH}"; then + panic "Can't open verity rootfs - continuing will lead to a broken trust chain!" +fi + +wait_for_udev 10 + +if ! ROOT="$(dm_blkdevname verityroot)"; then + panic "Can't find the verity root device!" +fi + +echo "ROOT=${ROOT}" >/conf/param.conf 
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb new file mode 100644 index 0000000..a7fbf5a --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb @@ -0,0 +1,51 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://verity.conf-hook \ + file://verity.hook \ + file://verity.script.tmpl \ + " + +VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption" + +TEMPLATE_FILES = "verity.script.tmpl" +TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION" + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup" + +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only" + +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env" + +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image" +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/verity-env \ + ${D}/usr/share/initramfs-tools/scripts/local-top \ + ${D}/usr/share/initramfs-tools/conf-hooks.d" + +do_install() { + # Insert the veritysetup commandline into the script + if [ -f "${VERITY_ENV_FILE}" ]; then + install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env" + else + bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!" + fi + install -m 0755 "${WORKDIR}/verity.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-top/verity" + install -m 0755 "${WORKDIR}/verity.hook" \ + "${D}/usr/share/initramfs-tools/hooks/verity" +} + +addtask do_install after do_transform_template -- 2.30.2
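Review bot: in initramfs-verity-hook_0.1.bb, do_install only calls `bberror` when "${VERITY_ENV_FILE}" is missing and then carries on, so the build completes and ships an initrd whose local-top/verity script has no ROOT_HASH, SALT or block parameters to check the root against; use `bbfatal` there so a missing env file stops the build instead of producing an image that cannot establish the trust chain. Separately, the empty-`$ROOT` branch of verity.script.tmpl runs `veritysetup verify` against every partition blkid reports as a filesystem, which reads and hashes the whole data area of each candidate before the real open; that is acceptable on the qemu image, but a comment that real targets should pass ROOT=PARTUUID=... (the `PART*)` branch) to skip the scan would save the next reader a surprise.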
Re: cip/linux-4.19.y-cip baseline: 121 runs, 1 regressions (v4.19.217-cip62)
#kernelci
Pavel Machek
Hi!
> platform | arch | lab | compiler | defconfig | regressions

So this has enough information to tell me that we have a kernel problem there, good:

02:08:17.792502 <6>[ 18.847320] omap-mailbox 4a0f4000.mailbox: omap mailbox rev 0x400
02:08:17.800596 <0>[ 18.857543] BUG: spinlock bad magic on CPU#0, udevd/110
02:08:17.808843 <6>[ 18.857788] emif 4c000000.emif: emif_probe: device configured with addr = (ptrval) and IRQ26
02:08:17.818753 <0>[ 18.863311] lock: emif_lock+0x0/0xffffecfc [emif], .magic: dead4ead, .owner: <none>/-1, .owner_cpu: -1
02:08:17.825277 <4>[ 18.877502] CPU: 0 PID: 110 Comm: udevd Not tainted 4.19.217-cip62 #1
02:08:17.831655 <4>[ 18.888275] Hardware name: Generic OMAP4 (Flattened Device Tree)
02:08:17.839660 <4>[ 18.894195] [<c01123bc>] (unwind_backtrace) from [<c010cc28>] (show_stack+0x10/0x14)
02:08:17.847570 <4>[ 18.900482] [<c010cc28>] (show_stack) from [<c0949dd4>] (dump_stack+0xe0/0x114)
02:08:17.855211 <4>[ 18.905761] [<c0949dd4>] (dump_stack) from [<c01a9168>] (do_raw_spin_lock+0xbc/0x124)

Unfortunately, not enough information to debug the problem, I'm afraid. Questions to start debugging this would be:

a) is the problem deterministic?
b) is the problem present in v4.19.217 ?
c) what were the last -stable and -cip kernels that worked?
d) what device/module is causing the BUG?

Best regards,
Pavel

-- 
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Re: cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62)
#kernelci
Pavel Machek
Hi!
So... I tried to understand this report, and still could not.

First problem is actually in the From: line. By placing bot there, it is not clear who is responsible for this, and if someone reads replies to the bot address. I feel posts to mailing lists should be signed by human responsible for them.

Then we have:

> cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62)

Ok, so we may have a regression. That means it worked before and it does not work now. I'd expect two versions "worked in v4.19.123-cip12, now broken in v4.19.217-cip62", but we only have one.

> Regressions Summary
> URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git

Still no note when it worked last.

> HTML log: https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm64/defconfig/gcc-10/lab-collabora/baseline-nfs-rk3399-gru-kevin.html

Ok, so we have bootlog from a machine, that's quite unhappy. Part of it are kernel problems, but we see missing firmware, too. In the end, it looks like it has no usable network card, so it can not do NFS boot... and panics.

It is hard to tell config problem vs. kernel bug without knowing more about machine configuration. Best seeing previous successful runs...

Is there a human here who believes this is a problem in -cip kernel that is worth solving, and is willing to answer questions and test patches?

Best regards,
Pavel

02:27:34.443815 <4>[ 1.401574] cacheinfo: Unable to detect cache hierarchy for CPU 0
02:27:34.452441 <6>[ 1.413496] loop: module loaded
02:27:34.464113 <4>[ 1.421343] rockchip-spi ff1d0000.spi: Failed to request TX DMA channel
02:27:34.471531 <4>[ 1.429063] rockchip-spi ff1d0000.spi: Failed to request RX DMA channel
02:27:34.487460 <6>[ 1.446867] m25p80 spi0.0: gd25lq64c (8192 Kbytes)
02:27:34.501792 <4>[ 1.459399] rockchip-spi ff1e0000.spi: Failed to request TX DMA channel
...
02:27:48.313465 <6>[ 15.264576] atmel_mxt_ts 3-004b: Family: 164 Variant: 14 Firmware V2.3.AA Objects: 40
02:27:48.362782 <4>[ 15.318381] atmel_mxt_ts 3-004b: Direct firmware load for maxtouch.cfg failed with error -2
02:27:48.535527 <4>[ 15.377455] atmel_mxt_ts 5-004a: Direct firmware load for maxtouch.cfg failed with error -2
02:27:48.827088 ipconfig: no devices to configure
02:27:48.831012 ipconfig: no devices to configure
02:27:48.926132 <4>[ 15.866511] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
02:27:48.931359 <6>[ 15.879008] pci 0000:00:00.0: PCI bridge to [bus 01]
02:27:48.938653 <6>[ 15.879016] pci 0000:00:00.0: bridge window [mem 0xfa000000-0xfa1fffff]

-- 
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
cip/linux-4.19.y-cip baseline: 121 runs, 1 regressions (v4.19.217-cip62)
#kernelci
kernelci.org bot <bot@...>
cip/linux-4.19.y-cip baseline: 121 runs, 1 regressions (v4.19.217-cip62)
Regressions Summary
-------------------

platform | arch | lab           | compiler | defconfig           | regressions
---------+------+---------------+----------+---------------------+------------
panda    | arm  | lab-collabora | gcc-10   | omap2plus_defconfig | 1

Details: https://kernelci.org/test/job/cip/branch/linux-4.19.y-cip/kernel/v4.19.217-cip62/plan/baseline/

  Test:     baseline
  Tree:     cip
  Branch:   linux-4.19.y-cip
  Describe: v4.19.217-cip62
  URL:      https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
  SHA:      dc62e26e3be875a7324b85b8274c13a335e610dd

Test Regressions
----------------

platform | arch | lab           | compiler | defconfig           | regressions
---------+------+---------------+----------+---------------------+------------
panda    | arm  | lab-collabora | gcc-10   | omap2plus_defconfig | 1

Details: https://kernelci.org/test/plan/id/61a587a0ab3b0079bd18f6d7

  Results:     5 PASS, 1 FAIL, 0 SKIP
  Full config: omap2plus_defconfig
  Compiler:    gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110)
  Plain log:   https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm/omap2plus_defconfig/gcc-10/lab-collabora/baseline-panda.txt
  HTML log:    https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm/omap2plus_defconfig/gcc-10/lab-collabora/baseline-panda.html
  Rootfs:      http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-6-g8983f3b738df/armel/baseline/rootfs.cpio.gz

  * baseline.dmesg.emerg: https://kernelci.org/test/case/id/61a587a0ab3b0079bd18f6dd
    new failure (last pass: v4.19.216-cip61)
    2 lines

    2021-11-30T02:08:20.120053 kern :emerg : BUG: spinlock bad magic on CPU#0, udevd/110
    2021-11-30T02:08:20.129545 kern :emerg : lock: emif_lock+0x0/0xffffecfc [emif], .magic: dead4ead, .owner: <none>/-1, .owner_cpu: -1
    2021-11-30T02:08:20.143995 <8>[ 21.198120] <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=emerg RESULT=fail UNITS=lines MEASUREMENT=2>
cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62)
#kernelci
kernelci.org bot <bot@...>
cip/linux-4.19.y-cip baseline-nfs: 12 runs, 1 regressions (v4.19.217-cip62)
Regressions Summary
-------------------

platform         | arch  | lab           | compiler | defconfig | regressions
-----------------+-------+---------------+----------+-----------+------------
rk3399-gru-kevin | arm64 | lab-collabora | gcc-10   | defconfig | 1

Details: https://kernelci.org/test/job/cip/branch/linux-4.19.y-cip/kernel/v4.19.217-cip62/plan/baseline-nfs/

  Test:     baseline-nfs
  Tree:     cip
  Branch:   linux-4.19.y-cip
  Describe: v4.19.217-cip62
  URL:      https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
  SHA:      dc62e26e3be875a7324b85b8274c13a335e610dd

Test Regressions
----------------

platform         | arch  | lab           | compiler | defconfig | regressions
-----------------+-------+---------------+----------+-----------+------------
rk3399-gru-kevin | arm64 | lab-collabora | gcc-10   | defconfig | 1

Details: https://kernelci.org/test/plan/id/61a58c2989f6953bd118f6e4

  Results:     0 PASS, 1 FAIL, 0 SKIP
  Full config: defconfig
  Compiler:    gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110)
  Plain log:   https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm64/defconfig/gcc-10/lab-collabora/baseline-nfs-rk3399-gru-kevin.txt
  HTML log:    https://storage.kernelci.org//cip/linux-4.19.y-cip/v4.19.217-cip62/arm64/defconfig/gcc-10/lab-collabora/baseline-nfs-rk3399-gru-kevin.html
  Rootfs:      http://storage.kernelci.org/images/rootfs/debian/bullseye/20211126.0/arm64/initrd.cpio.gz

  * baseline-nfs.login: https://kernelci.org/test/case/id/61a58c2989f6953bd118f6e5
    new failure (last pass: v4.19.216-cip61)
cip/linux-4.19.y-cip build: 118 builds: 1 failed, 117 passed, 2 errors, 13 warnings (v4.19.217-cip62)
#kernelci
kernelci.org bot <bot@...>
cip/linux-4.19.y-cip build: 118 builds: 1 failed, 117 passed, 2 errors, 13 warnings (v4.19.217-cip62)
Full Build Summary: https://kernelci.org/build/cip/branch/linux-4.19.y-cip/kernel/v4.19.217-cip62/

Tree: cip
Branch: linux-4.19.y-cip
Git Describe: v4.19.217-cip62
Git Commit: dc62e26e3be875a7324b85b8274c13a335e610dd
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
Built: 3 unique architectures

Build Failure Detected:

arm:
    rpc_defconfig: (gcc-10) FAIL

Errors and Warnings Detected:

arm64:
    cip://4.19.y-cip/arm64/qemu_arm64_defconfig (gcc-10): 3 warnings
    defconfig (gcc-10): 3 warnings

arm:
    omap1_defconfig (gcc-10): 1 warning
    rpc_defconfig (gcc-10): 2 errors

x86_64:
    cip://4.19.y-cip/x86/cip_qemu_defconfig (gcc-10): 3 warnings
    defconfig (gcc-10): 3 warnings

Errors summary:
    1    arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3
    1    arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’

Warnings summary:
    6    aarch64-linux-gnu-ld: warning: -z norelro ignored
    2    ld: warning: creating DT_TEXTREL in a PIE
    2    ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
    2    arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
    1    drivers/gpio/gpio-omap.c:1233:34: warning: array ‘omap_gpio_match’ assumed to have one element

================================================================================
Detailed per-defconfig build reports:

--------------------------------------------------------------------------------
acs5k_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
acs5k_tiny_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
am200epdkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
aspeed_g4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
aspeed_g5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
assabet_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
at91_dt_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
axm55xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
badge4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
bcm2835_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
cerfcube_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
cip://4.19.y-cip/arm/qemu_arm_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
cip://4.19.y-cip/arm64/qemu_arm64_defconfig (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
    aarch64-linux-gnu-ld: warning: -z norelro ignored
    aarch64-linux-gnu-ld: warning: -z norelro ignored
    aarch64-linux-gnu-ld: warning: -z norelro ignored
--------------------------------------------------------------------------------
cip://4.19.y-cip/x86/cip_qemu_defconfig (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
    arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
    ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
    ld: warning: creating DT_TEXTREL in a PIE
--------------------------------------------------------------------------------
cm_x2xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
cm_x300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
colibri_pxa270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
colibri_pxa300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
collie_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
corgi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
davinci_all_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
defconfig (x86_64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
    arch/x86/entry/entry_64.S:1738: Warning: no instruction mnemonic suffix given and no register operands; using default for `sysret'
    ld: arch/x86/boot/compressed/head_64.o: warning: relocation in read-only section `.head.text'
    ld: warning: creating DT_TEXTREL in a PIE
--------------------------------------------------------------------------------
defconfig (arm64, gcc-10) — PASS, 0 errors, 3 warnings, 0 section mismatches

Warnings:
    aarch64-linux-gnu-ld: warning: -z norelro ignored
    aarch64-linux-gnu-ld: warning: -z norelro ignored
    aarch64-linux-gnu-ld: warning: -z norelro ignored
--------------------------------------------------------------------------------
defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
dove_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
ebsa110_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
efm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
em_x270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
ep93xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
eseries_pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
exynos_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
ezx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
footbridge_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
gemini_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
h3600_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
h5000_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
hackkit_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
hisi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
imote2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
imx_v4_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
imx_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
integrator_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
iop13xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
iop32x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
iop33x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
ixp4xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
jornada720_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
keystone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
ks8695_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
lart_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
lpc18xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
lpc32xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
lpd270_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
lubbock_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
magician_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
mainstone_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
mini2440_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
mmp2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
moxart_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
mps2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
multi_v4t_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
multi_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
multi_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
mvebu_v5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
mvebu_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
mxs_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
neponset_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
netwinder_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
netx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
nhk8815_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
nuc910_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
nuc950_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
nuc960_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
omap1_defconfig (arm, gcc-10) — PASS, 0 errors, 1 warning, 0 section mismatches

Warnings:
    drivers/gpio/gpio-omap.c:1233:34: warning: array ‘omap_gpio_match’ assumed to have one element
--------------------------------------------------------------------------------
omap2plus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
orion5x_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
oxnas_v6_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
palmz72_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
pcm027_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
pleb_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
prima2_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
pxa168_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
pxa255-idp_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
pxa3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
pxa910_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
pxa_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
qcom_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
raumfeld_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
realview_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
rpc_defconfig (arm, gcc-10) — FAIL, 2 errors, 0 warnings, 0 section mismatches

Errors:
    arm-linux-gnueabihf-gcc: error: unrecognized -march target: armv3
    arm-linux-gnueabihf-gcc: error: missing argument to ‘-march=’
--------------------------------------------------------------------------------
s3c2410_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
s3c6400_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
s5pv210_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
sama5_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
shannon_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
shmobile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
simpad_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
socfpga_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
spear13xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
spear3xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
spear6xx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
spitz_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
stm32_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
sunxi_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
tango4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
tct_hammer_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
tegra_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
trizeps4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
u300_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
u8500_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
versatile_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
vexpress_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
vf610m4_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
viper_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
vt8500_v6_v7_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
xcep_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
zeus_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches
--------------------------------------------------------------------------------
zx_defconfig (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches

---
For more info write to <info@...>
Re: CVE-2021-3640: UAF in sco_send_frame function was Re: [cip-dev] New CVE entries in this week
Masami Ichikawa
Hi !
On Fri, Nov 26, 2021 at 7:03 PM Pavel Machek <pavel@...> wrote:

Thank you for the patch !

Yes, applying code and it working properly are different questions. However, your patch is LGTM.

> Best regards,

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email : masami.ichikawa@...
Re: CVE-2021-3640: UAF in sco_send_frame function was Re: [cip-dev] New CVE entries in this week
Pavel Machek
Hi!
> > As far as I can tell, logic is quite simple there and the patch would
>
> Thank you for your analysis result ! I applied it.

Interesting.

Aha, but we have required information in

> > look like this.

Whether the final result works and closes the security hole is a different question.

Best regards,
Pavel

commit e077740ddfa22385d53700898ea325068ca4cc6b
Author: Pavel Machek <pavel@...>
Date:   Thu Nov 25 14:14:04 2021 +0100

    Cherry pick 27c24fda62b6 ("Bluetooth: switch to lock_sock in SCO") to close CVE-2021-3640.

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 2f2b8ddc4dd5..cf165b0d15f2 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -93,10 +93,10 @@ static void sco_sock_timeout(struct work_struct *work) BT_DBG("sock %p state %d", sk, sk->sk_state); - bh_lock_sock(sk); + lock_sock(sk); sk->sk_err = ETIMEDOUT; sk->sk_state_change(sk); - bh_unlock_sock(sk); + release_sock(sk); sock_put(sk); } @@ -193,10 +193,10 @@ static void sco_conn_del(struct hci_conn *hcon, int err) if (sk) { sock_hold(sk); - bh_lock_sock(sk); + lock_sock(sk); sco_sock_clear_timer(sk); sco_chan_del(sk, err); - bh_unlock_sock(sk); + release_sock(sk); sock_put(sk); } @@ -1108,10 +1108,10 @@ static void sco_conn_ready(struct sco_conn *conn) if (sk) { sco_sock_clear_timer(sk); - bh_lock_sock(sk); + lock_sock(sk); sk->sk_state = BT_CONNECTED; sk->sk_state_change(sk); - bh_unlock_sock(sk); + release_sock(sk); } else { sco_conn_lock(conn); @@ -1126,12 +1126,12 @@ static void sco_conn_ready(struct sco_conn *conn) return; } - bh_lock_sock(parent); + lock_sock(parent); sk = sco_sock_alloc(sock_net(parent), NULL, BTPROTO_SCO, GFP_ATOMIC, 0); if (!sk) { - bh_unlock_sock(parent); + release_sock(parent); sco_conn_unlock(conn); return; }
@@ -1152,7 +1152,7 @@ static void sco_conn_ready(struct sco_conn *conn) /* Wake up parent */ parent->sk_data_ready(parent); - bh_unlock_sock(parent); + release_sock(parent); sco_conn_unlock(conn); } -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
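Review bot: the hunks swap the non-sleeping bh_lock_sock()/bh_unlock_sock() pair for lock_sock()/release_sock(), which can sleep, so every path into sco_sock_timeout(), sco_conn_del() and sco_conn_ready() must be process context. The @@ header shows sco_sock_timeout() already takes a struct work_struct in this tree, which is fine, but the commit message should record that the 4.19-cip callers of sco_conn_del() and sco_conn_ready() were checked too, because taking a sleeping lock from softirq context would trade the use-after-free for a sleeping-in-atomic bug. The commit message should also carry the full upstream hash in the usual stable form ("commit 27c24fda62b601d6f9ca5e992502578c4310876f upstream.") and the CVE id on its own line so the backport can be tracked.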
example cip/linux-4.19.y-cip and stable/linux-4.19.y results
Alice Ferrazzi
hello everyone,
following on yesterday's topic about the difference between cip-cip+1 and lts-lts+1, I just made a diff of what was requested yesterday, v4.19.216-cip61 vs v4.19.216. The diff can be viewed at the link here under:
https://www.diffchecker.com/W4dpv6ep

The results are taken from:
https://groups.io/g/kernelci-results/message/19033 [v4.19.216-cip61]
https://groups.io/g/kernelci-results/message/18808 [v4.19.216]

thanks,
Alicef
-- 
======================================
Cybertrust Japan Co.,Ltd.
Alice Ferrazzi
alice.ferrazzi@...
======================================
|
|
Re: CVE-2021-3640: UAF in sco_send_frame function was Re: [cip-dev] New CVE entries in this week
Masami Ichikawa
Hi !
On Thu, Nov 25, 2021 at 6:53 PM Pavel Machek <pavel@...> wrote:

Thank you for your analysis result! I applied it.

I checked whether 27c24fda62b601d6f9ca5e992502578c4310876f is able to apply cleanly to the stable/5.10 tree or not. Unfortunately it needs conflicts fixed. git-am shows the following two errors.

Applying: Bluetooth: switch to lock_sock in SCO
Checking patch net/bluetooth/sco.c...
error: while searching for:
	BT_DBG("sock %p state %d", sk, sk->sk_state);

	bh_lock_sock(sk);
	sk->sk_err = ETIMEDOUT;
	sk->sk_state_change(sk);
	bh_unlock_sock(sk);

	sco_sock_kill(sk);
	sock_put(sk);

error: patch failed: net/bluetooth/sco.c:93
error: while searching for:
	if (sk) {
		sock_hold(sk);
		bh_lock_sock(sk);
		sco_sock_clear_timer(sk);
		sco_chan_del(sk, err);
		bh_unlock_sock(sk);

		sco_sock_kill(sk);
		sock_put(sk);

error: patch failed: net/bluetooth/sco.c:193

Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email: masami.ichikawa@...
|
|
Re: New CVE entries in this week
Masami Ichikawa
Hi !
On Thu, Nov 25, 2021 at 6:09 PM Pavel Machek <pavel@...> wrote:

Thank you for the review! I sent the patch to the stable list.

Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email: masami.ichikawa@...
|
|
Re: New CVE entries in this week
Masami Ichikawa
Hi !
On Thu, Nov 25, 2021 at 5:00 PM Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...> wrote:

Thank you! I added a comment and sent the patch to the stable list.

Best regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email: masami.ichikawa@...
|
|
Re: Replacing BBB kernel config: Status and AIs
Quirin Gylstorff
Hi Kazu,
On 11/24/21 2:02 PM, Kazuhiro Hayashi via lists.cip-project.org wrote:

[1] contains the current state of the integration of [2] into isar-cip-core. It can be tested for booting, but for the SWUpdate test the u-boot environment is not correct.

[1]: https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/bbb/cip-kernel-defconfig
[2]: https://gitlab.com/Quirin.Gy/cip-kernel-config/-/tree/feature/bbb-isar-config

Best regards
Quirin

[...]
|
|
CVE-2021-3640: UAF in sco_send_frame function was Re: [cip-dev] New CVE entries in this week
Pavel Machek
Hi!
> CVE-2021-3640: UAF in sco_send_frame function

Interesting. Aha, but we have the required information in cip-kernel-sec/issues/CVE-2021-3640.yml. It lists patches that should be fixing this. Some searching in the trees reveals that one of those patches is buggy itself, and additionally 49d8a5606428ca0962d09050a5af81461ff90fbb is needed.

The patches fixing this are:

~ stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de, f2f856b65ac4b77049c76c0e89ecd3a177e9fcd1, 98d44b7be6f1bcfd4f824c5f8bc2b742f890879f, c20d8c197454068da758a83e09d93683f520d681, a1073aad497d0d071a71f61b721966a176d50c08]

But we still miss the backport of 27c24fda62b6 ("Bluetooth: switch to lock_sock in SCO") to 5.10, which has its own prerequisites according to the changelog. AFAICT those prerequisites are 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab and ba316be1b6a00db7126ed9a39f9bee434a508043, and both are in 5.10.

I'm not sure how to express this in yml cleanly. I came up with this:

diff --git a/issues/CVE-2021-3640.yml b/issues/CVE-2021-3640.yml index fb52d5a..d386093 100644 --- a/issues/CVE-2021-3640.yml +++ b/issues/CVE-2021-3640.yml 
@@ -23,9 +23,23 @@ comments: there is no fixed information as of 2021/07/26. Fixed in bluetooth-next tree. commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951. ubuntu/sbeattie: Possibly addressed by Desmond Cheong Zhi Xi's patchset. + pavel: We are one patch away from fixing this 5.10, 27c24fda62b6 is needed. fixed-by: - mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951] - stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de] + mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951, + e04480920d1eec9c061841399aa6f35b6f987d8b, + 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab, + 49d8a5606428ca0962d09050a5af81461ff90fbb, + ba316be1b6a00db7126ed9a39f9bee434a508043, + 27c24fda62b601d6f9ca5e992502578c4310876f, + 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab, + ba316be1b6a00db7126ed9a39f9bee434a508043] + stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de, + f2f856b65ac4b77049c76c0e89ecd3a177e9fcd1, + 98d44b7be6f1bcfd4f824c5f8bc2b742f890879f, + c20d8c197454068da758a83e09d93683f520d681, + a1073aad497d0d071a71f61b721966a176d50c08, + 98d44b7be6f1bcfd4f824c5f8bc2b742f890879f, + a1073aad497d0d071a71f61b721966a176d50c08] stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896] stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697] stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab] Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
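Review bot: the fixed-by lists in this hunk contain duplicates that should be dropped before merging: under `mainline:`, 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab and ba316be1b6a00db7126ed9a39f9bee434a508043 each appear twice, and under `stable/5.10:`, 98d44b7be6f1bcfd4f824c5f8bc2b742f890879f and a1073aad497d0d071a71f61b721966a176d50c08 each appear twice. The added comment line reads "fixing this 5.10" where "fixing this in 5.10" is meant. Since the mail says 27c24fda62b6 is still missing from 5.10, the stable/5.10 list is right not to contain it, but the comment should name that commit as the outstanding one so the issue is not read as closed for 5.10.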
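Pavel's question about how to express the per-branch fix sets in the yml, and the repeated hashes in the proposed diff, are the kind of thing a small check catches before the file is committed. What follows is an added example, not code from cip-kernel-sec or from anyone in this thread: it parses a constructed `fixed-by:` fragment shaped like the one in the diff above (the hashes are copied from that diff, duplicates included), reports hashes listed twice, returns the deduplicated list per branch, and, when pointed at a real checkout, looks for backports of an upstream commit by grepping the branch history for the upstream hash. That last step assumes the backports carry the usual "commit <sha> upstream" reference in their message; the `backports_of` helper and the `SAMPLE_FIXED_BY` text are mine.

```python
"""Sanity-check a cip-kernel-sec style `fixed-by:` mapping.

Added example, not part of cip-kernel-sec.  The parser handles only the
flow-style lists ("branch: [sha, sha,\n sha]") seen in the thread's diff.
"""
import re
import subprocess
from collections import OrderedDict

# Constructed sample mirroring the proposed diff, duplicates included.
SAMPLE_FIXED_BY = """\
fixed-by:
  mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951,
             e04480920d1eec9c061841399aa6f35b6f987d8b,
             734bc5ff783115aa3164f4e9dd5967ae78e0a8ab,
             49d8a5606428ca0962d09050a5af81461ff90fbb,
             ba316be1b6a00db7126ed9a39f9bee434a508043,
             27c24fda62b601d6f9ca5e992502578c4310876f,
             734bc5ff783115aa3164f4e9dd5967ae78e0a8ab,
             ba316be1b6a00db7126ed9a39f9bee434a508043]
  stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de,
                f2f856b65ac4b77049c76c0e89ecd3a177e9fcd1,
                98d44b7be6f1bcfd4f824c5f8bc2b742f890879f,
                c20d8c197454068da758a83e09d93683f520d681,
                a1073aad497d0d071a71f61b721966a176d50c08,
                98d44b7be6f1bcfd4f824c5f8bc2b742f890879f,
                a1073aad497d0d071a71f61b721966a176d50c08]
  stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
"""

BRANCH_LINE = re.compile(r"^\s+([\w./-]+):\s*\[(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{12,40}$")


def parse_fixed_by(text):
    """Map branch -> list of hashes in file order, duplicates preserved."""
    branches = OrderedDict()
    current = None
    for line in text.splitlines():
        m = BRANCH_LINE.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
            branches[current] = []
        elif current is None:
            continue                      # 'fixed-by:' header or unrelated key
        else:
            rest = line                   # continuation of an open list
        for tok in rest.replace("]", "").split(","):
            tok = tok.strip()
            if tok:
                if not SHA_RE.match(tok):
                    raise ValueError("not a commit hash: %r" % tok)
                branches[current].append(tok)
        if "]" in line:
            current = None                # list closed on this line
    return branches


def duplicates(hashes):
    """Hashes that occur more than once, in first-repeat order."""
    seen, dups = set(), []
    for h in hashes:
        if h in seen and h not in dups:
            dups.append(h)
        seen.add(h)
    return dups


def dedupe(hashes):
    """Same list with repeats removed, order kept."""
    return list(OrderedDict.fromkeys(hashes))


def report(text):
    """Per-branch duplicates and deduplicated lists for a fixed-by fragment."""
    return {b: {"duplicates": duplicates(h), "unique": dedupe(h)}
            for b, h in parse_fixed_by(text).items()}


def backports_of(repo, branch_ref, upstream_sha):
    """Hashes on branch_ref whose commit message mentions upstream_sha.

    Stable backports normally carry the upstream hash in their message
    ('commit <sha> upstream' / '[ Upstream commit <sha> ]'), so a fixed-string
    grep over the branch history finds them.  Needs a real checkout; not
    exercised by the offline sample above."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H", "--fixed-strings",
         "--grep=" + upstream_sha, branch_ref],
        capture_output=True, text=True, check=True)
    return out.stdout.split()


if __name__ == "__main__":
    for branch, info in report(SAMPLE_FIXED_BY).items():
        print(branch, "unique:", len(info["unique"]),
              "duplicates:", [d[:12] for d in info["duplicates"]])
```

Run it as is to see the two duplicated pairs from the diff flagged per branch; with a kernel checkout, `backports_of("/path/to/linux", "linux-5.10.y", "27c24fda62b601d6f9ca5e992502578c4310876f")` returning an empty list is the "still missing from 5.10" condition the mail describes, and a non-empty list gives the hash to put in the stable/5.10 entry.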
|
|