Date   

Re: Cip-kernel-sec Updates for Week of 2021-05-05

Pavel Machek
 

Hi!

Two new CVEs this week:

- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.
Could you push your changes to cip-kernel-sec?

These are queued for 5.10.35 and 4.19, I believe they may be related.

v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Cip-kernel-sec Updates for Week of 2021-05-05

Chen-Yu Tsai (Moxa) <wens@...>
 

Hi everyone,

Two new CVEs this week:

- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.

- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.

Additionally, one old CVE is now fixed:

- CVE-2020-26541


Regards
ChenYu


Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Jan Kiszka
 

On 03.05.21 17:45, Gylstorff Quirin wrote:


On 5/3/21 1:44 PM, Jan Kiszka wrote:
On 03.05.21 13:28, Gylstorff Quirin wrote:


On 4/30/21 4:50 PM, Jan Kiszka wrote:
On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
Changes in V2:
   - fix typo in commit message
   - use variable in kas/opt/*.yml

   classes/swupdate-config.bbclass      | 10 +++++-----
   kas/opt/ebg-secure-boot-snakeoil.yml |  2 +-
   kas/opt/ebg-swu.yml                  |  4 ++--
   kas/opt/qemu-swupdate.yml            |  2 +-
   4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass
b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] =
"libubootenv-dev"
   KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1,
u-boot-${MACHINE}-config' \
                                             if
d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
                                             else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?

Jan
SWUPDATE_U_BOOT should be the name of the u-boot package.

In case the layer (e.g. isar-cip-core) supplies the u-boot binary,
`SWUPDATE_U_BOOT` should be defined as `u-boot-${MACHINE}`.


Debian provides some as package, e.g. [1].


I could add `u-boot-${MACHINE}` as default and a README section.


[1]: https://packages.debian.org/buster/u-boot-imx
But does SWUpdate really depends on the U-Boot binary that is going to
be put on the device - or rather on u-boot-config? This looks fishy.

Jan
SWUpdate does not depends on the u-boot-binary. SWUpdate needs
'fw_env.config'(u-boot-config) to interact with the u-boot environment.
And for that, it needs u-boot-config as package, not u-boot-<machine>.

As libubootenv does not request or provide 'fw_env.config' the code
above is necessary. SWUPDATE_U_BOOT is only used for creating a build
order.
Build order is meaningless if you are not consuming the output - which I
assume is the case via fw_env.config from u-boot-config /
u-boot-<machine>-config.


Another way would be add u-boot-config as dependency to libubootenv in
isar upstream. This would also mean that we maintain that package build
instead of using the one provided by Debian bullseye and later.
Is libubootenv useless without some u-boot-config package? If so, it
would also be Debian upstream bug, and both sides needed fixing.

But I still don't get the full picture: With self-built U-Boot, we
generate u-boot-<machine>-config, providing fw_env.config. That file is
required during runtime or build time by SWUpdate?

But who is providing that file if we wanted to use an upstream Debian
U-Boot? It's not packaged with any of those. So, depending on a Debian
U-Boot package seems totally pointless. In fact, using a Debian U-Boot
seems impossible with our SWUpdate requirements, no?

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Quirin Gylstorff
 

On 5/3/21 1:44 PM, Jan Kiszka wrote:
On 03.05.21 13:28, Gylstorff Quirin wrote:


On 4/30/21 4:50 PM, Jan Kiszka wrote:
On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
Changes in V2:
  - fix typo in commit message
  - use variable in kas/opt/*.yml

  classes/swupdate-config.bbclass      | 10 +++++-----
  kas/opt/ebg-secure-boot-snakeoil.yml |  2 +-
  kas/opt/ebg-swu.yml                  |  4 ++--
  kas/opt/qemu-swupdate.yml            |  2 +-
  4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass
b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] =
"libubootenv-dev"
  KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1,
u-boot-${MACHINE}-config' \
                                            if
d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
                                            else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?

Jan
SWUPDATE_U_BOOT should be the name of the u-boot package.

In case the layer (e.g. isar-cip-core) supplies the u-boot binary,
`SWUPDATE_U_BOOT` should be defined as `u-boot-${MACHINE}`.


Debian provides some as package, e.g. [1].


I could add `u-boot-${MACHINE}` as default and a README section.


[1]: https://packages.debian.org/buster/u-boot-imx
But does SWUpdate really depends on the U-Boot binary that is going to
be put on the device - or rather on u-boot-config? This looks fishy.
Jan
SWUpdate does not depends on the u-boot-binary. SWUpdate needs 'fw_env.config'(u-boot-config) to interact with the u-boot environment.
As libubootenv does not request or provide 'fw_env.config' the code above is necessary. SWUPDATE_U_BOOT is only used for creating a build
order.

Another way would be add u-boot-config as dependency to libubootenv in
isar upstream. This would also mean that we maintain that package build
instead of using the one provided by Debian bullseye and later.

Quirin


Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Jan Kiszka
 

On 03.05.21 13:28, Gylstorff Quirin wrote:


On 4/30/21 4:50 PM, Jan Kiszka wrote:
On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
Changes in V2:
  - fix typo in commit message
  - use variable in kas/opt/*.yml

  classes/swupdate-config.bbclass      | 10 +++++-----
  kas/opt/ebg-secure-boot-snakeoil.yml |  2 +-
  kas/opt/ebg-swu.yml                  |  4 ++--
  kas/opt/qemu-swupdate.yml            |  2 +-
  4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass
b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] =
"libubootenv-dev"
  KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1,
u-boot-${MACHINE}-config' \
                                            if
d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
                                            else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?

Jan
SWUPDATE_U_BOOT should be the name of the u-boot package.

In case the layer (e.g. isar-cip-core) supplies the u-boot binary,
`SWUPDATE_U_BOOT` should be defined as `u-boot-${MACHINE}`.


Debian provides some as package, e.g. [1].


I could add `u-boot-${MACHINE}` as default and a README section.


[1]: https://packages.debian.org/buster/u-boot-imx
But does SWUpdate really depends on the U-Boot binary that is going to
be put on the device - or rather on u-boot-config? This looks fishy.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Quirin Gylstorff
 

On 4/30/21 4:50 PM, Jan Kiszka wrote:
On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

classes/swupdate-config.bbclass | 10 +++++-----
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?
Jan
SWUPDATE_U_BOOT should be the name of the u-boot package.

In case the layer (e.g. isar-cip-core) supplies the u-boot binary, `SWUPDATE_U_BOOT` should be defined as `u-boot-${MACHINE}`.


Debian provides some as package, e.g. [1].


I could add `u-boot-${MACHINE}` as default and a README section.


[1]: https://packages.debian.org/buster/u-boot-imx

Quirin

KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"
SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
@@ -68,11 +68,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"
-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 8a72084..c0ed1a2 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -20,7 +20,7 @@ local_conf_header:
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index aa3aed1..63dda09 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -15,7 +15,7 @@ header:
local_conf_header:
swupdate: |
IMAGE_INSTALL_append = " swupdate efibootguard"
- BOOTLOADER = "efibootguard"
+ SWUPDATE_BOOTLOADER = "efibootguard"
efibootguard: |
WDOG_TIMEOUT = "0"
@@ -23,4 +23,4 @@ local_conf_header:
wic: |
IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
index 3f5fedf..daebd2c 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/qemu-swupdate.yml
@@ -16,4 +16,4 @@ header:
local_conf_header:
qemu-wic: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
+ WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Jan Kiszka
 

On 30.04.21 15:15, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```

### Start the image

Thanks, applied.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Jan Kiszka
 

On 30.04.21 15:01, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

classes/swupdate-config.bbclass | 10 +++++-----
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
Still leaves me and probably other users clueless what SWUPDATE_U_BOOT
should be. Simply "u-boot-${MACHINE}"?

Jan

KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
@@ -68,11 +68,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 8a72084..c0ed1a2 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -20,7 +20,7 @@ local_conf_header:
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index aa3aed1..63dda09 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -15,7 +15,7 @@ header:
local_conf_header:
swupdate: |
IMAGE_INSTALL_append = " swupdate efibootguard"
- BOOTLOADER = "efibootguard"
+ SWUPDATE_BOOTLOADER = "efibootguard"

efibootguard: |
WDOG_TIMEOUT = "0"
@@ -23,4 +23,4 @@ local_conf_header:

wic: |
IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
index 3f5fedf..daebd2c 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/qemu-swupdate.yml
@@ -16,4 +16,4 @@ header:
local_conf_header:
qemu-wic: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
+ WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][RFC] Add option to use swupdate-handler-roundrobin

Jan Kiszka
 

On 30.04.21 15:33, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The new swupdate round robin handler is available under[1].
Add the Option `SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO` to
use the handler directly from the repository.

The handler currently doesn't support secureboot.
...but the in-tree handler does. How much effort is needed to port that
feature into the new handler?

Jan


[1]:https://gitlab.com/cip-playground/swupdate-handler-roundrobin/

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/swupdate-config.bbclass | 12 ++++++---
kas/opt/ebg-secure-boot-base.yml | 3 +++
.../files/secure-boot/sw-description.tmpl | 2 +-
recipes-core/images/files/sw-description.tmpl | 21 ++++++++++-----
.../files/swupdate.handler.efibootguard.ini | 26 +++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 9 ++++++-
6 files changed, 62 insertions(+), 11 deletions(-)
create mode 100644 recipes-core/swupdate/files/swupdate.handler.efibootguard.ini

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 8ec1104..e425aa2 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -21,9 +21,17 @@ KFEATURE_lua = ""
KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"

+SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO ?= "1"
+
+SRC_URI_append = " ${@ 'git://gitlab.com/cip-playground/swupdate-handler-roundrobin.git;protocol=https;destsuffix=swupdate-handler-roundrobin;name=swupdate-handler-roundrobin' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '1' else '' \
+ }"
+SRCREV_swupdate-handler-roundrobin ?= "6ac9e49eaa4e866a3eda12eee3a223820ba8e0bf"
+SWUPDATE_LUASCRIPT ?= "swupdate-handler-roundrobin/swupdate_handlers_roundrobin.lua"
KFEATURE_luahandler = ""
KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
-KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+KFEATURE_luahandler[SRC_URI] = "${@ 'file://${SWUPDATE_LUASCRIPT}' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '0' else '' }"

KFEATURE_DEPS = ""
KFEATURE_DEPS[luahandler] = "lua"
@@ -58,8 +66,6 @@ KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config
KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

-SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
-
def get_bootloader_featureset(d):
bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 30ca35a..484d0e5 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -16,3 +16,6 @@ local_conf_header:
initramfs: |
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
+ swupdate-secureboot: |
+ SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO = "0"
+ SWUPDATE_LUASCRIPT = "swupdate_handler.efibootguard.secureboot.lua"
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
index bce97d0..897d819 100644
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -16,7 +16,7 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
});
files: ({
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index bb34088..3309271 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,21 +16,30 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
+ properties: {
+ subtype = "image";
+ };
});
files: ({
filename = "${KERNEL_IMAGE}";
path = "vmlinuz";
- type = "kernelfile";
- device = "sda2,sda3";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "kernel";
+ };
},
{
filename = "${INITRD_IMAGE}";
- path = "initrd.img";
- type = "kernelfile";
- device = "sda2,sda3";
+ path = "${INITRD_IMAGE}";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "initrd";
+ };
});
}
diff --git a/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
new file mode 100644
index 0000000..3aee76c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
@@ -0,0 +1,26 @@
+[image]
+chainhandler=raw
+
+[image.selector]
+method=cmdline_rr
+key=root
+
+[image.bootenv]
+kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
+
+[kernel]
+chainhandler=rawfile
+
+[kernel.selector]
+method=cmdline_rrmap
+key=root
+
+[kernel.bootenv]
+kernelfile=C:BOOT${rrindex}:vmlinuz
+
+[initrd]
+chainhandler=rawfile
+
+[initrd.selector]
+method=cmdline_rrmap
+key=root
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
index 526c72f..c03c70b 100644
--- a/recipes-core/swupdate/swupdate.bb
+++ b/recipes-core/swupdate/swupdate.bb
@@ -29,6 +29,7 @@ DEBIAN_DEPENDS = "${shlibs:Depends}, ${misc:Depends}"
inherit dpkg
inherit swupdate-config

+SRC_URI += "file://swupdate.handler.${BOOTLOADER}.ini"
KFEATURES += "luahandler"

S = "${WORKDIR}/git"
@@ -46,5 +47,11 @@ do_prepare_build() {
echo "configs/${DEFCONFIG}" >> ${S}/.gitignore
fi
# luahandler
- install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}
+ if [ -e ${WORKDIR}/${SWUPDATE_LUASCRIPT} ]; then
+ install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}/swupdate_handlers.lua
+ fi
+ if [ -e "${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini" ]; then
+ install -m 0644 ${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini ${S}/swupdate.handler.ini
+ echo "swupdate.handler.ini etc/" >> ${S}/debian/swupdate.install
+ fi
}
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Dinesh Kumar
 

On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or higher as default Debian buster has older version of qemu and this step fails with older version.
Also these steps can't be executed remotely as it launches UI window for QEMU, so it should be done locally.
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```

### Start the image
Where are you taking care of my below point? I don't see it yet
Keys and certs generated by scripts/generate_secure_boot_keys.sh are not available to build command, so I have to move them in recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work

--
2.20.1


[isar-cip-core][RFC] Add option to use swupdate-handler-roundrobin

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

The new swupdate round robin handler is available under[1].
Add the Option `SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO` to
use the handler directly from the repository.

The handler currently doesn't support secureboot.

[1]:https://gitlab.com/cip-playground/swupdate-handler-roundrobin/

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/swupdate-config.bbclass | 12 ++++++---
kas/opt/ebg-secure-boot-base.yml | 3 +++
.../files/secure-boot/sw-description.tmpl | 2 +-
recipes-core/images/files/sw-description.tmpl | 21 ++++++++++-----
.../files/swupdate.handler.efibootguard.ini | 26 +++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 9 ++++++-
6 files changed, 62 insertions(+), 11 deletions(-)
create mode 100644 recipes-core/swupdate/files/swupdate.handler.efibootguard.ini

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 8ec1104..e425aa2 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -21,9 +21,17 @@ KFEATURE_lua = ""
KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"

+SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO ?= "1"
+
+SRC_URI_append = " ${@ 'git://gitlab.com/cip-playground/swupdate-handler-roundrobin.git;protocol=https;destsuffix=swupdate-handler-roundrobin;name=swupdate-handler-roundrobin' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '1' else '' \
+ }"
+SRCREV_swupdate-handler-roundrobin ?= "6ac9e49eaa4e866a3eda12eee3a223820ba8e0bf"
+SWUPDATE_LUASCRIPT ?= "swupdate-handler-roundrobin/swupdate_handlers_roundrobin.lua"
KFEATURE_luahandler = ""
KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
-KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+KFEATURE_luahandler[SRC_URI] = "${@ 'file://${SWUPDATE_LUASCRIPT}' \
+ if d.getVar('SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO') == '0' else '' }"

KFEATURE_DEPS = ""
KFEATURE_DEPS[luahandler] = "lua"
@@ -58,8 +66,6 @@ KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config
KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

-SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
-
def get_bootloader_featureset(d):
bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 30ca35a..484d0e5 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -16,3 +16,6 @@ local_conf_header:
initramfs: |
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
+ swupdate-secureboot: |
+ SWUPDATE_USE_ROUND_ROBIN_HANDLER_REPO = "0"
+ SWUPDATE_LUASCRIPT = "swupdate_handler.efibootguard.secureboot.lua"
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
index bce97d0..897d819 100644
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -16,7 +16,7 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
});
files: ({
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index bb34088..3309271 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,21 +16,30 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "true";
+ compressed = "zlib";
filesystem = "ext4";
+ properties: {
+ subtype = "image";
+ };
});
files: ({
filename = "${KERNEL_IMAGE}";
path = "vmlinuz";
- type = "kernelfile";
- device = "sda2,sda3";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "kernel";
+ };
},
{
filename = "${INITRD_IMAGE}";
- path = "initrd.img";
- type = "kernelfile";
- device = "sda2,sda3";
+ path = "${INITRD_IMAGE}";
+ type = "roundrobin";
+ device = "fedcba98-7654-3210-cafe-5e0710000001->sda2,fedcba98-7654-3210-cafe-5e0710000002->sda3";
filesystem = "vfat";
+ properties: {
+ subtype = "initrd";
+ };
});
}
diff --git a/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
new file mode 100644
index 0000000..3aee76c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.handler.efibootguard.ini
@@ -0,0 +1,26 @@
+[image]
+chainhandler=raw
+
+[image.selector]
+method=cmdline_rr
+key=root
+
+[image.bootenv]
+kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
+
+[kernel]
+chainhandler=rawfile
+
+[kernel.selector]
+method=cmdline_rrmap
+key=root
+
+[kernel.bootenv]
+kernelfile=C:BOOT${rrindex}:vmlinuz
+
+[initrd]
+chainhandler=rawfile
+
+[initrd.selector]
+method=cmdline_rrmap
+key=root
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
index 526c72f..c03c70b 100644
--- a/recipes-core/swupdate/swupdate.bb
+++ b/recipes-core/swupdate/swupdate.bb
@@ -29,6 +29,7 @@ DEBIAN_DEPENDS = "${shlibs:Depends}, ${misc:Depends}"
inherit dpkg
inherit swupdate-config

+SRC_URI += "file://swupdate.handler.${BOOTLOADER}.ini"
KFEATURES += "luahandler"

S = "${WORKDIR}/git"
@@ -46,5 +47,11 @@ do_prepare_build() {
echo "configs/${DEFCONFIG}" >> ${S}/.gitignore
fi
# luahandler
- install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}
+ if [ -e ${WORKDIR}/${SWUPDATE_LUASCRIPT} ]; then
+ install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}/swupdate_handlers.lua
+ fi
+ if [ -e "${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini" ]; then
+ install -m 0644 ${WORKDIR}/swupdate.handler.${BOOTLOADER}.ini ${S}/swupdate.handler.ini
+ echo "swupdate.handler.ini etc/" >> ${S}/debian/swupdate.install
+ fi
}
--
2.20.1


[isar-cip-core][PATCH v2] README.secureboot: Corrections

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```

### Start the image

--
2.20.1


[isar-cip-core][PATCH v2] swupdate-config: add prefix to variables

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

classes/swupdate-config.bbclass | 10 +++++-----
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..0c1067a 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -51,13 +51,13 @@ KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
@@ -68,11 +68,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 8a72084..c0ed1a2 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -20,7 +20,7 @@ local_conf_header:
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index aa3aed1..63dda09 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -15,7 +15,7 @@ header:
local_conf_header:
swupdate: |
IMAGE_INSTALL_append = " swupdate efibootguard"
- BOOTLOADER = "efibootguard"
+ SWUPDATE_BOOTLOADER = "efibootguard"

efibootguard: |
WDOG_TIMEOUT = "0"
@@ -23,4 +23,4 @@ local_conf_header:

wic: |
IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
index 3f5fedf..daebd2c 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/qemu-swupdate.yml
@@ -16,4 +16,4 @@ header:
local_conf_header:
qemu-wic: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
+ WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
--
2.20.1


Re: [isar-cip-core][PATCH] swupdate-config: add prefix to variables

Jan Kiszka
 

On 30.04.21 14:20, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate
mark add the prefix SWUPDATE to indicate the intended usage.
Does not fully parse to me. Do you mean

"The variables U_BOOT and BOOTLOADER are only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage."

?


Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/swupdate-config.bbclass | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..8ec1104 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -45,19 +45,23 @@ KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"

KFEATURE_DEPS[ubi] = "mtd"

+
+SWUPDATE_BOOTLOADER ?= "${BOOTLOADER}"
This doesn't make sense. There is no generic variable "BOOTLOADER" in Isar.

+SWUPDATE_U_BOOT ?= "${U_BOOT}"
That one as well. What is "U_BOOT"?

USE_U_BOOT_CONFIG ?= "true"
+
KFEATURE_u-boot = ""
KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
@@ -68,11 +72,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
Please also clean up kas/opt/ebg-swu.yml, switching to the SWUPDATE
prefixed var name.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH] README.secureboot: Corrections

Jan Kiszka
 

On 30.04.21 14:19, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
doc/README.secureboot.md | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..12787cf 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

+
+
These two look spurious.

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```
+
Unneded new-line?


### Start the image

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


[isar-cip-core][PATCH] README.secureboot: Corrections

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
doc/README.secureboot.md | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..12787cf 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

+
+
Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```
+

### Start the image

--
2.20.1


[isar-cip-core][PATCH] swupdate-config: add prefix to variables

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

The variables U_BOOT and BOOTLOADER are only used for swupdate
mark add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/swupdate-config.bbclass | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 9909113..8ec1104 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -45,19 +45,23 @@ KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"

KFEATURE_DEPS[ubi] = "mtd"

+
+SWUPDATE_BOOTLOADER ?= "${BOOTLOADER}"
+SWUPDATE_U_BOOT ?= "${U_BOOT}"
USE_U_BOOT_CONFIG ?= "true"
+
KFEATURE_u-boot = ""
KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "libubootenv-dev"
KFEATURE_u-boot[DEBIAN_DEPENDS] = "${@ 'libubootenv0.1, u-boot-${MACHINE}-config' \
if d.getVar("USE_U_BOOT_CONFIG", True) == "true" \
else 'libubootenv0.1'}"
-KFEATURE_u-boot[DEPENDS] = "${U_BOOT} libubootenv"
+KFEATURE_u-boot[DEPENDS] = "${SWUPDATE_U_BOOT} libubootenv"
KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"

SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
@@ -68,11 +72,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
--
2.20.1


Re: [PATCH 2/2] [isar-cip-core] Add support qemu-arm

Jan Kiszka
 

On 08.04.21 04:32, Nobuhiro Iwamatsu wrote:
This adds configuration files to support QEMU/arm.
This is intended to be used for a test image of LAVA of CIP.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
.gitlab-ci.yml | 19 +++++++++++++++++++
conf/machine/qemu-arm.conf | 14 ++++++++++++++
kas/board/qemu-arm.yml | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 conf/machine/qemu-arm.conf
create mode 100644 kas/board/qemu-arm.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 01d9609..b53d9cc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -84,6 +84,16 @@ build:qemu-arm64-base:
wic_targz: disable
targz: enable

+build:qemu-arm-base:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-arm
+ extention: security
+ use_rt: disable
+ wic_targz: disable
+ targz: enable
+
# test
build:simatic-ipc227e-test:
extends:
@@ -124,3 +134,12 @@ build:qemu-arm64-test:
extention: test
wic_targz: disable
targz: enable
+
+build:qemu-arm-test:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-arm
+ extention: test
+ wic_targz: disable
+ targz: enable
diff --git a/conf/machine/qemu-arm.conf b/conf/machine/qemu-arm.conf
new file mode 100644
index 0000000..81a22c1
--- /dev/null
+++ b/conf/machine/qemu-arm.conf
@@ -0,0 +1,14 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2019
+# Copyright (c) TOSHIBA CORPORATION, 2021
+#
+# SPDX-License-Identifier: MIT
+#
+
+DISTRO_ARCH = "armhf"
+
+IMAGE_TYPE ?= "ext4-img"
+USE_CIP_KERNEL_CONFIG = "1"
+KERNEL_DEFCONFIG ?= "cip-kernel-config/4.19.y-cip/arm/qemu_arm_defconfig"
diff --git a/kas/board/qemu-arm.yml b/kas/board/qemu-arm.yml
new file mode 100644
index 0000000..9bf9728
--- /dev/null
+++ b/kas/board/qemu-arm.yml
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2019
+# Copyright (c) TOSHIBA CORPORATION, 2021
+#
+# Authors:
+# Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 10
+
+machine: qemu-arm
It looks to me we have some regressions in master (which does
deployment), caused by these commits. Could you have a look at

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/pipelines/294203272

TIA,
Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Cip-kernel-sec Updates for Week of 2021-04-29

Chen-Yu Tsai (Moxa) <wens@...>
 

Hi everyone,

This was a quiet week. Only one new issue:

- CVE-2021-3501 [x86: KVM: VMX: data race condition] - fixed

Nothing else to report on.


Regards
ChenYu


NO IRC meeting today

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, All,

As was discussed last week, there is no IRC meeting today.
See you next week.

Best regards,
--
M. Kudo

3741 - 3760 of 10158