
[PATCH linux-4.4.y-cip-rt 2/2] arm: dts: moxa: am335x-moxa-uc-8100-me: Add new MOXA model

Jimmy Chen (陳永達) <jimmy.chen@...>
 

Fix the Makefile to support the new MOXA model (non -t version).

Signed-off-by: Jimmy Chen <jimmy.chen@...>
---
diff --git a/arch/arm/boot/dts/am335x-moxa-uc-8100-me.dts b/arch/arm/boot/dts/am335x-moxa-uc-8100-me.dts
new file mode 100644
index 000000000000..f4df56341bcb
--- /dev/null
+++ b/arch/arm/boot/dts/am335x-moxa-uc-8100-me.dts
@@ -0,0 +1,595 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2015 MOXA Inc. - https://www.moxa.com/
+ *
+ * Authors: Wes Huang (暺殿瘝? <wes.huang@...>
+ * Ken CJ Chou <KenCJ.Chou@...>
+ */
+
+/dts-v1/;
+
+#include "am33xx.dtsi"
+
+/ {
+ model = "Moxa UC-8100-ME";
+ compatible = "ti,moxa-uc8100-me", "ti,am33xx";
+
+ cpus {
+ cpu@0 {
+ cpu0-supply = <&vdd1_reg>;
+ };
+ };
+
+ cpu0_opp_table: opp_table0 {
+
+ opp50@300000000 {
+ status = "okay";
+ };
+
+ opp100@275000000 {
+ status = "disabled";
+ };
+
+ opp100@300000000 {
+ status = "disabled";
+ };
+
+ opp100@500000000 {
+ status = "disabled";
+ };
+
+ opp100@600000000 {
+ status = "okay";
+ };
+
+ opp120@600000000 {
+ status = "disabled";
+ };
+
+ opp120@720000000 {
+ status = "okay";
+ };
+
+ oppturbo@720000000 {
+ status = "disabled";
+ };
+
+ oppturbo@800000000 {
+ status = "disabled";
+ };
+
+ oppnitro@1000000000 {
+ status = "okay";
+ };
+
+ };
+
+ aliases {
+ serial0 = &uart0; /* assign uart0 to /dev/ttyS0 */
+ serial1 = &uart1; /* assign uart1 to /dev/ttyS1 */
+ serial2 = &uart5; /* assign uart5 to /dev/ttyS2 */
+ };
+
+ memory {
+ device_type = "memory";
+ reg = <0x80000000 0x20000000>; /* 512 MB */
+ };
+
+ vbat: fixedregulator@0 {
+ compatible = "regulator-fixed";
+ //regulator-boot-on;
+ };
+
+ /* Power supply provides a fixed 3.3V @3A */
+ vmmcsd_fixed: fixedregulator@1 {
+ compatible = "regulator-fixed";
+ regulator-name = "vmmcsd_fixed";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+ regulator-boot-on;
+ };
+
+ leds {
+ compatible = "gpio-leds";
+ led@1 {
+ label = "UC8100ME:RED:CEL1";
+ gpios = <&gpio_xten 8 0>;
+ default-state = "off";
+ };
+
+ led@2 {
+ label = "UC8100ME:YELLOW:CEL2";
+ gpios = <&gpio_xten 9 0>;
+ default-state = "off";
+ };
+
+ led@3 {
+ label = "UC8100ME:GREEN:CEL3";
+ gpios = <&gpio_xten 10 0>;
+ default-state = "off";
+ };
+
+ led@4 {
+ label = "UC8100ME:RED:DIA1";
+ gpios = <&gpio_xten 11 0>;
+ default-state = "off";
+ };
+ led@5 {
+ label = "UC8100ME:YELLOW:DIA2";
+ gpios = <&gpio_xten 12 0>;
+ default-state = "off";
+ };
+ led@6 {
+ label = "UC8100ME:GREEN:DIA3";
+ gpios = <&gpio_xten 13 0>;
+ default-state = "off";
+ };
+ led@7 {
+ label = "UC8100ME:GREEN:SD";
+ gpios = <&gpio_xten 14 0>;
+ default-state = "off";
+ };
+ led@8 {
+ label = "UC8100ME:GREEN:USB";
+ gpios = <&gpio_xten 15 0>;
+ default-state = "off";
+ };
+ led@9 {
+ label = "UC8100ME:GREEN:USER";
+ gpios = <&gpio0 20 0>;
+ default-state = "off";
+ };
+ };
+
+ buttons: push_button {
+ compatible = "gpio-keys";
+ };
+
+};
+
+&am33xx_pinmux {
+ pinctrl-names = "default";
+ pinctrl-0 = <&minipcie_pins>;
+
+ minipcie_pins: pinmux_minipcie {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x8e8 ,PIN_INPUT_PULLDOWN | MUX_MODE7) /* lcd_pclk.gpio2_24 */
+ AM33XX_IOPAD(0x8ec ,PIN_INPUT_PULLDOWN | MUX_MODE7) /* lcd_ac_bias_en.gpio2_25 */
+ AM33XX_IOPAD(0x8e0 ,PIN_INPUT_PULLDOWN | MUX_MODE7) /* lcd_vsync.gpio2_22 Power off PIN*/
+ >;
+ };
+
+ push_button_pins: pinmux_push_button {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x9ac ,PIN_INPUT_PULLDOWN | MUX_MODE7) /* mcasp0_ahcklx.gpio3_21 */
+ >;
+ };
+
+ i2c0_pins: pinmux_i2c0_pins {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x988 ,PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */
+ AM33XX_IOPAD(0x98c ,PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */
+ >;
+ };
+
+
+ i2c1_pins: pinmux_i2c1_pins {
+ pinctrl-single,pins = <
+ 0x168 (PIN_INPUT_PULLUP | MUX_MODE3) /* uart0_ctsn.i2c1_sda */
+ 0x16c (PIN_INPUT_PULLUP | MUX_MODE3) /* uart0_rtsn.i2c1_scl */
+ >;
+ };
+
+ uart0_pins: pinmux_uart0_pins {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x970 ,PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */
+ AM33XX_IOPAD(0x974 ,PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */
+ >;
+ };
+
+ uart1_pins: pinmux_uart1_pins {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x978 ,PIN_INPUT | MUX_MODE0) /* uart1_ctsn.uart1_ctsn */
+ AM33XX_IOPAD(0x97C ,PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart1_rtsn.uart1_rtsn */
+ AM33XX_IOPAD(0x980 ,PIN_INPUT_PULLUP | MUX_MODE0) /* uart1_rxd.uart1_rxd */
+ AM33XX_IOPAD(0x984 ,PIN_OUTPUT | MUX_MODE0) /* uart1_txd.uart1_txd */
+ >;
+ };
+
+ uart2_pins: pinmux_uart2_pins {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x8d8 ,PIN_INPUT | MUX_MODE6) /* lcd_data14.uart5_ctsn */
+ AM33XX_IOPAD(0x8dc ,PIN_OUTPUT_PULLDOWN | MUX_MODE6) /* lcd_data15.uart5_rtsn */
+ AM33XX_IOPAD(0x8c4 ,PIN_INPUT_PULLUP | MUX_MODE4) /* lcd_data9.uart5_rxd */
+ AM33XX_IOPAD(0x8c0 ,PIN_OUTPUT | MUX_MODE4) /* lcd_data8.uart5_txd */
+ >;
+ };
+
+ cpsw_default: cpsw_default {
+ pinctrl-single,pins = <
+ /* Slave 1 */
+ AM33XX_IOPAD(0x90c ,PIN_INPUT_PULLDOWN | MUX_MODE1) /* mii1_crs.rmii1_crs_dv */
+ AM33XX_IOPAD(0x910 ,PIN_INPUT_PULLUP | MUX_MODE1) /* mii1_rxerr.rmii1_rxerr */
+ AM33XX_IOPAD(0x914 ,PIN_OUTPUT_PULLDOWN | MUX_MODE1) /* mii1_txen.rmii1_txen */
+ AM33XX_IOPAD(0x924 ,PIN_OUTPUT_PULLDOWN | MUX_MODE1) /* mii1_txd1.rmii1_txd1 */
+ AM33XX_IOPAD(0x928 ,PIN_OUTPUT_PULLDOWN | MUX_MODE1) /* mii1_txd0.rmii1_txd0 */
+ AM33XX_IOPAD(0x93c ,PIN_INPUT_PULLUP | MUX_MODE1) /* mii1_rxd1.rmii1_rxd1 */
+ AM33XX_IOPAD(0x940 ,PIN_INPUT_PULLUP | MUX_MODE1) /* mii1_rxd0.rmii1_rxd0 */
+ AM33XX_IOPAD(0x944 ,PIN_INPUT_PULLDOWN | MUX_MODE0) /* mii1_refclk.rmii1_refclk */
+
+ /* Slave 2 */
+ AM33XX_IOPAD(0x870 ,PIN_INPUT_PULLDOWN | MUX_MODE3) /* rmii2_crs_dv */
+ AM33XX_IOPAD(0x874 ,PIN_INPUT_PULLDOWN | MUX_MODE3) /* rmii2_rxer */
+ AM33XX_IOPAD(0x840 ,PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* rmii2_txen */
+ AM33XX_IOPAD(0x850 ,PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* rmii2_td1 */
+ AM33XX_IOPAD(0x854 ,PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* rmii2_td0 */
+ AM33XX_IOPAD(0x868 ,PIN_INPUT_PULLDOWN | MUX_MODE3) /* rmii2_rd1 */
+ AM33XX_IOPAD(0x86c ,PIN_INPUT_PULLDOWN | MUX_MODE3) /* rmii2_rd0 */
+ AM33XX_IOPAD(0x908 ,PIN_INPUT_PULLDOWN | MUX_MODE1) /* rmii2_refclk */
+
+ >;
+ };
+
+ davinci_mdio_default: davinci_mdio_default {
+ pinctrl-single,pins = <
+ /* MDIO */
+ AM33XX_IOPAD(0x948 ,PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */
+ AM33XX_IOPAD(0x94c ,PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */
+ >;
+ };
+
+ mmc0_pins_default: pinmux_mmc0_pins {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x8f0 ,PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat3 */
+ AM33XX_IOPAD(0x8f4 ,PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat2 */
+ AM33XX_IOPAD(0x8f8 ,PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat1 */
+ AM33XX_IOPAD(0x8fc ,PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat0 */
+ AM33XX_IOPAD(0x900 ,PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_clk */
+ AM33XX_IOPAD(0x904 ,PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_cmd */
+ AM33XX_IOPAD(0x990 ,PIN_INPUT_PULLUP | MUX_MODE7) /* mcasp0_aclkx.gpio3_14 */
+ AM33XX_IOPAD(0x9a0 ,PIN_INPUT_PULLUP | MUX_MODE7) /* mcasp0_aclkx.gpio3_18 */
+ >;
+ };
+
+
+ mmc2_pins_default: pinmux_mmc2_pins {
+ pinctrl-single,pins = <
+ /* eMMC */
+ AM33XX_IOPAD(0x830 ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad12.mmc2_dat0 */
+ AM33XX_IOPAD(0x834 ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad13.mmc2_dat1 */
+ AM33XX_IOPAD(0x838 ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad14.mmc2_dat2 */
+ AM33XX_IOPAD(0x83c ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad15.mmc2_dat3 */
+ AM33XX_IOPAD(0x820 ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad8.mmc2_dat4 */
+ AM33XX_IOPAD(0x824 ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad9.mmc2_dat5 */
+ AM33XX_IOPAD(0x828 ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad10.mmc2_dat6 */
+ AM33XX_IOPAD(0x82c ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_ad11.mmc2_dat7 */
+ AM33XX_IOPAD(0x888 ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_csn3.mmc2_cmd */
+ AM33XX_IOPAD(0x88c ,PIN_INPUT_PULLUP | MUX_MODE3) /* gpmc_clk.mmc2_clk */
+ >;
+ };
+
+ spi0_pins: pinmux_spi0 {
+ pinctrl-single,pins = <
+ AM33XX_IOPAD(0x950 ,PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_sclk.spi0_sclk */
+ AM33XX_IOPAD(0x95C ,PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_cs0.spi0_cs0 */
+ AM33XX_IOPAD(0x954 ,PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_d0.spi0_d0 */
+ AM33XX_IOPAD(0x958 ,PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_d1.spi0_d1 */
+ AM33XX_IOPAD(0x960 ,PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_cs1.spi0_cs1 */
+ >;
+ };
+
+};
+
+&uart0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart0_pins>;
+ status = "okay";
+};
+
+&uart1 {
+ /* UART 1 setting */
+ status = "okay";
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart1_pins>;
+};
+
+&uart5 {
+ /* UART 2 setting */
+ status = "okay";
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart2_pins>;
+};
+
+&i2c0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&i2c0_pins>;
+
+ status = "okay";
+ clock-frequency = <400000>;
+
+ tpm: tpm@20 {
+ compatible = "infineon,slb9645tt";
+ reg = <0x20>;
+ };
+
+ tps: tps@2d {
+ compatible = "ti,tps65910";
+ reg = <0x2d>;
+ };
+
+ eeprom: eeprom@50 {
+ compatible = "at,24c16";
+ pagesize = <16>;
+ reg = <0x50>;
+ };
+
+ rtc_wdt: rtc_wdt@68 {
+ compatible = "dallas,ds1374";
+ reg = <0x68>;
+ };
+};
+
+&i2c1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&i2c1_pins>;
+
+ status = "okay";
+ clock-frequency = <400000>;
+ gpio_xten: gpio_xten@27 {
+ compatible = "nxp,pca9535";
+ gpio-controller;
+ #gpio-cells = <2>;
+ reg = <0x27>;
+ };
+};
+
+&usb {
+ status = "okay";
+};
+
+&usb_ctrl_mod {
+ status = "okay";
+};
+
+&usb0_phy {
+ status = "okay";
+};
+
+&usb1_phy {
+ status = "okay";
+};
+
+&usb0 {
+ status = "okay";
+ dr_mode = "host";
+};
+
+
+&usb1 {
+ status = "okay";
+ dr_mode = "host";
+};
+
+&cppi41dma {
+ status = "okay";
+};
+
+
+#include "tps65910.dtsi"
+
+&tps {
+ vcc1-supply = <&vbat>;
+ vcc2-supply = <&vbat>;
+ vcc3-supply = <&vbat>;
+ vcc4-supply = <&vbat>;
+ vcc5-supply = <&vbat>;
+ vcc6-supply = <&vbat>;
+ vcc7-supply = <&vbat>;
+ vccio-supply = <&vbat>;
+
+ regulators {
+ vrtc_reg: regulator@0 {
+ regulator-always-on;
+ };
+
+ vio_reg: regulator@1 {
+ regulator-always-on;
+ };
+
+ vdd1_reg: regulator@2 {
+ /* VDD_MPU voltage limits 0.95V - 1.26V with +/-4% tolerance */
+ regulator-name = "vdd_mpu";
+ regulator-min-microvolt = <600000>;
+ regulator-max-microvolt = <1500000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+
+ vdd2_reg: regulator@3 {
+ /* VDD_CORE voltage limits 0.95V - 1.1V with +/-4% tolerance */
+ regulator-name = "vdd_core";
+ regulator-min-microvolt = <600000>;
+ regulator-max-microvolt = <1500000>;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+
+ vdd3_reg: regulator@4 {
+ regulator-always-on;
+ };
+
+ vdig1_reg: regulator@5 {
+ regulator-always-on;
+ };
+
+ vdig2_reg: regulator@6 {
+ regulator-always-on;
+ };
+
+ vpll_reg: regulator@7 {
+ regulator-always-on;
+ };
+
+ vdac_reg: regulator@8 {
+ regulator-always-on;
+ };
+
+ vaux1_reg: regulator@9 {
+ regulator-always-on;
+ };
+
+ vaux2_reg: regulator@10 {
+ regulator-always-on;
+ };
+
+ vaux33_reg: regulator@11 {
+ regulator-always-on;
+ };
+
+ vmmc_reg: regulator@12 {
+ compatible = "regulator-fixed";
+ regulator-name = "vmmc_reg";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+ regulator-always-on;
+ };
+ };
+};
+
+/* Power */
+&vbat {
+ regulator-name = "vbat";
+ regulator-min-microvolt = <5000000>;
+ regulator-max-microvolt = <5000000>;
+};
+
+&mac {
+ pinctrl-names = "default";
+ pinctrl-0 = <&cpsw_default>;
+ dual_emac = <1>;
+ status = "okay";
+};
+
+&davinci_mdio {
+ pinctrl-names = "default";
+ pinctrl-0 = <&davinci_mdio_default>;
+ status = "okay";
+};
+
+&cpsw_emac0 {
+ status = "okay";
+ phy_id = <&davinci_mdio>, <4>;
+ phy-mode = "rmii";
+ dual_emac_res_vlan = <1>;
+};
+
+&cpsw_emac1 {
+ status = "okay";
+ phy_id = <&davinci_mdio>, <5>;
+ phy-mode = "rmii";
+ dual_emac_res_vlan = <2>;
+};
+
+&phy_sel {
+ reg= <0x44e10650 0xf5>;
+ rmii-clock-ext;
+};
+
+&sham {
+ status = "okay";
+};
+
+&aes {
+ status = "okay";
+};
+
+&gpio0 {
+ ti,no-reset-on-init;
+};
+
+&mmc1 {
+ pinctrl-names = "default";
+ vmmc-supply = <&vmmcsd_fixed>;
+ bus-width = <4>;
+ pinctrl-0 = <&mmc0_pins_default>;
+ cd-gpios = <&gpio3 14 GPIO_ACTIVE_HIGH>;
+ wp-gpios = <&gpio3 18 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+};
+
+&mmc3 {
+ /* these are on the crossbar and are outlined in the
+ xbar-event-map element */
+ dmas = <&edma_xbar 12 0 1
+ &edma_xbar 13 0 2>;
+ dma-names = "tx", "rx";
+ pinctrl-names = "default";
+ vmmc-supply = <&vmmcsd_fixed>;
+ bus-width = <8>;
+ pinctrl-0 = <&mmc2_pins_default>;
+ ti,non-removable;
+ status = "okay";
+};
+
+&buttons {
+ pinctrl-names = "default";
+ pinctrl-0 = <&push_button_pins>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ button@0 {
+ label = "push_button";
+ linux,code = <0x100>;
+ gpios = <&gpio3 21 GPIO_ACTIVE_LOW>;
+ };
+};
+
+/* SPI Busses */
+&spi0 {
+ status = "okay";
+ pinctrl-names = "default";
+ pinctrl-0 = <&spi0_pins>;
+
+ m25p80@0 {
+ compatible = "mx25l6405d";
+ spi-max-frequency = <40000000>;
+
+ reg = <0>;
+ spi-cpol;
+ spi-cpha;
+
+ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ /* reg : The partition's offset and size within the mtd bank. */
+ partitions@0 {
+ label = "MLO";
+ reg = <0x0 0x80000>;
+ };
+
+ partitions@1 {
+ label = "U-Boot";
+ reg = <0x80000 0x100000>;
+ };
+
+ partitions@2 {
+ label = "U-Boot Env";
+ reg = <0x180000 0x20000>;
+ };
+ };
+
+
+ };
+
+ tpm_spi_tis@1{
+ compatible = "tcg,tpm_tis-spi";
+ reg = <1>; /* CE1 */
+ spi-max-frequency = <500000>;
+ };
+};
+
+&wdt2 {
+ status = "disabled";
+};
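Review bot: The constraints on `vdd1_reg` and `vdd2_reg` are wider than the limits their own comments state: both set `regulator-min-microvolt = <600000>` and `regulator-max-microvolt = <1500000>`, while the comments give 0.95V - 1.26V (VDD_MPU) and 0.95V - 1.1V (VDD_CORE) with +/-4% tolerance, so a consumer such as the CPU (`cpu0-supply = <&vdd1_reg>`) could request a voltage outside the documented range and the regulator core would allow it. Narrowing them to the commented limits, e.g. `regulator-min-microvolt = <912500>;` and `regulator-max-microvolt = <1312500>;` for vdd_mpu and a maximum of `<1150000>` for vdd_core, keeps the device tree as the enforcement point; these figures are derived from the comments' stated tolerance and should be confirmed against the board's datasheet. Separately, the `MLO` and `U-Boot` partitions under `m25p80@0` have no `read-only;` property, so both bootloader stages are writable from the running system through MTD; unless in-field bootloader updates are required, marking both `read-only;` protects the boot chain from accidental or unauthorized overwrite.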
--
2.20.1


[PATCH linux-4.4.y-cip-rt 1/2] arm: dts: moxa: am335x-moxa-uc-8100-me: Add new MOXA model

Jimmy Chen (陳永達) <jimmy.chen@...>
 

Add a DTS file to support the new MOXA model (non -t version).

Signed-off-by: Jimmy Chen <jimmy.chen@...>
---
diff --git a/arch/arm/boot/dts/Makefile b/arch/arm/boot/dts/Makefile
index 0bc7ae92cdf7..b706d47413ff 100644
--- a/arch/arm/boot/dts/Makefile
+++ b/arch/arm/boot/dts/Makefile
@@ -464,6 +464,7 @@ dtb-$(CONFIG_SOC_AM33XX) += \
am335x-evm.dtb \
am335x-evmsk.dtb \
am335x-moxa-uc-8100-me-t.dtb \
+ am335x-moxa-uc-8100-me.dtb \
am335x-nano.dtb \
am335x-pepper.dtb \
am335x-lxm.dtb \


[isar-cip-core][PATCH 16/19] linux-cip: Update cip-kernel-config

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

This specifically brings iTCO support for QEMU which will be needed to
run SWUpdate full-featured.
---
recipes-kernel/linux/linux-cip-common.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 84515c2..238e5b0 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi

SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"

-SRCREV_cip-kernel-config ?= "3f527304fdadd163e20b7a5a9cfabaca7506c716"
+SRCREV_cip-kernel-config ?= "0150b63d0e74d64cc0d5baa9b9440cc148abad8b"

S = "${WORKDIR}/linux-cip-v${PV}"
--
2.34.1


[isar-cip-core][PATCH 13/19] swupdate: Add patch to fix EBG bootloader_env_get

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Will be required for using bootenv_rrmap with the roundrobin handler.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
...onfig-Make-image-encryption-optional.patch | 8 +--
.../0002-debian-rules-Add-CONFIG_MTD.patch | 6 +-
...es-Add-option-to-disable-fs-creation.patch | 8 +--
...ules-Add-option-to-disable-webserver.patch | 8 +--
...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 8 +--
...ules-Add-Embedded-Lua-handler-option.patch | 6 +-
...-SWUpdate-USB-service-and-Udev-rules.patch | 10 +--
...option-to-disable-CONFIG_HASH_VERIFY.patch | 6 +-
...ch-to-fix-bootloader_env_get-for-EBG.patch | 66 +++++++++++++++++++
...repare-build-for-isar-debian-buster.patch} | 10 +--
.../swupdate/swupdate_2021.11-1+debian-gbp.bb | 5 +-
11 files changed, 104 insertions(+), 37 deletions(-)
create mode 100644 recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
rename recipes-core/swupdate/files/{0009-debian-prepare-build-for-isar-debian-buster.patch => 0010-debian-prepare-build-for-isar-debian-buster.patch} (92%)

diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
index c501e42..aa20ab6 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
+++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
@@ -1,7 +1,7 @@
-From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
+From 5d78de76eab1218494c714e9816152e4d821fa86 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 15:28:21 +0200
-Subject: [PATCH 1/9] debian/config: Make image encryption optional
+Subject: [PATCH 01/10] debian/config: Make image encryption optional

This can be use to ease the setup with SWUpdate.

@@ -12,7 +12,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index 02681e53..b34168e3 100644
+index 02681e5..b34168e 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -3,7 +3,6 @@ CONFIG_HW_COMPATIBILITY=y
@@ -24,7 +24,7 @@ index 02681e53..b34168e3 100644
CONFIG_SURICATTA_SSL=y
CONFIG_UPDATE_STATE_CHOICE_BOOTLOADER=y
diff --git a/debian/rules b/debian/rules
-index 864add23..08b74a1d 100755
+index 864add2..08b74a1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -41,6 +41,9 @@ endif
diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
index 50cf805..e62a4fc 100644
--- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
+++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
@@ -1,7 +1,7 @@
-From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
+From c3adc5d2be41e151c811c96f2bed245778fec82c Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:29:57 +0200
-Subject: [PATCH 2/9] debian/rules: Add CONFIG_MTD
+Subject: [PATCH 02/10] debian/rules: Add CONFIG_MTD

if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.

@@ -11,7 +11,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
1 file changed, 1 insertion(+)

diff --git a/debian/rules b/debian/rules
-index 08b74a1d..6705140b 100755
+index 08b74a1..6705140 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,6 +20,7 @@ endif
diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
index c5815cb..08ba9b9 100644
--- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
+++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
@@ -1,7 +1,7 @@
-From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
+From 17d962a9b43f5debaed85affc6dccb2c471bffe9 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:15:56 +0200
-Subject: [PATCH 3/9] debian/rules: Add option to disable fs creation
+Subject: [PATCH 03/10] debian/rules: Add option to disable fs creation

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
@@ -10,7 +10,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index b34168e3..d011deb1 100644
+index b34168e..d011deb 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -9,12 +9,6 @@ CONFIG_UPDATE_STATE_CHOICE_BOOTLOADER=y
@@ -27,7 +27,7 @@ index b34168e3..d011deb1 100644
CONFIG_RAW=y
CONFIG_RDIFFHANDLER=y
diff --git a/debian/rules b/debian/rules
-index 6705140b..983e122f 100755
+index 6705140..983e122 100755
--- a/debian/rules
+++ b/debian/rules
@@ -45,6 +45,15 @@ endif
diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
index 4a9076d..eaa6fcf 100644
--- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
+++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
@@ -1,7 +1,7 @@
-From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
+From a02a6d4385f314601ef5c7094ecb26f5b5c3f134 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 4 Oct 2021 17:27:11 +0200
-Subject: [PATCH 4/9] debian/rules: Add option to disable webserver
+Subject: [PATCH 04/10] debian/rules: Add option to disable webserver

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
@@ -10,7 +10,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index d011deb1..337fcce0 100644
+index d011deb..337fcce 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -6,8 +6,6 @@ CONFIG_SIGALG_CMS=y
@@ -23,7 +23,7 @@ index d011deb1..337fcce0 100644
CONFIG_UNIQUEUUID=y
CONFIG_RAW=y
diff --git a/debian/rules b/debian/rules
-index 983e122f..6078ed89 100755
+index 983e122..6078ed8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -39,6 +39,10 @@ else ifneq (,$(filter pkg.swupdate.efibootguard,$(DEB_BUILD_PROFILES)))
diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
index 87eba2c..eb19e5f 100644
--- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
+++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
@@ -1,7 +1,7 @@
-From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
+From 8315d5ff8168fca1bd3752764e71f98e8b55f2ad Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Tue, 5 Oct 2021 10:56:25 +0200
-Subject: [PATCH 5/9] debian: Make CONFIG_HW_COMPATIBILTY optional
+Subject: [PATCH 05/10] debian: Make CONFIG_HW_COMPATIBILTY optional

Add option for qemu.

@@ -12,7 +12,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index 337fcce0..6fc1137f 100644
+index 337fcce..6fc1137 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -1,5 +1,4 @@
@@ -22,7 +22,7 @@ index 337fcce0..6fc1137f 100644
CONFIG_DOWNLOAD_SSL=y
CONFIG_SIGALG_CMS=y
diff --git a/debian/rules b/debian/rules
-index 6078ed89..19870e98 100755
+index 6078ed8..19870e9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -39,6 +39,9 @@ else ifneq (,$(filter pkg.swupdate.efibootguard,$(DEB_BUILD_PROFILES)))
diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
index 5d7543b..1d6a247 100644
--- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
@@ -1,7 +1,7 @@
-From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
+From 19969a388e414db84e54a706e9227c301b0408a2 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 6/9] debian/rules: Add Embedded Lua handler option
+Subject: [PATCH 06/10] debian/rules: Add Embedded Lua handler option

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
@@ -9,7 +9,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
1 file changed, 5 insertions(+)

diff --git a/debian/rules b/debian/rules
-index 19870e98..12eb0ba5 100755
+index 19870e9..12eb0ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -68,7 +68,12 @@ ifneq (,$(LUA_VERSION))
diff --git a/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
index 2779d8b..90c8d98 100644
--- a/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
+++ b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
@@ -1,7 +1,7 @@
-From 625db939a1dec7d1aa6fbcb01c2c4cbd699bfe7b Mon Sep 17 00:00:00 2001
+From db391d1dd34806ae6694205b08b4661318bef37b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 7 Feb 2022 09:28:39 +0100
-Subject: [PATCH 7/9] debian: Remove SWUpdate USB service and Udev rules
+Subject: [PATCH 07/10] debian: Remove SWUpdate USB service and Udev rules

The current implementation will install an abitrary SWUpdate binary
from a plug-in USB stick. This is a major security risk for devices
@@ -19,7 +19,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
delete mode 100644 debian/swupdate.udev

diff --git a/debian/rules b/debian/rules
-index 12eb0ba5..76fce010 100755
+index 12eb0ba..76fce01 100755
--- a/debian/rules
+++ b/debian/rules
@@ -101,7 +101,6 @@ override_dh_auto_install:
@@ -32,7 +32,7 @@ index 12eb0ba5..76fce010 100755
override_dh_gencontrol:
diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service
deleted file mode 100644
-index eda9d153..00000000
+index eda9d15..0000000
--- a/debian/swupdate.swupdate-usb@.service
+++ /dev/null
@@ -1,8 +0,0 @@
@@ -46,7 +46,7 @@ index eda9d153..00000000
-ExecStopPost=/bin/umount /mnt
diff --git a/debian/swupdate.udev b/debian/swupdate.udev
deleted file mode 100644
-index b4efd0b7..00000000
+index b4efd0b..0000000
--- a/debian/swupdate.udev
+++ /dev/null
@@ -1,2 +0,0 @@
diff --git a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
index a7c5ee7..a5207ee 100644
--- a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
+++ b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
@@ -1,7 +1,7 @@
-From cddd3472aad2d8e48d557705b82ffcc0c7d14a02 Mon Sep 17 00:00:00 2001
+From 2776a4817eb91be3df001e04d548a702e9f5291a Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Mon, 14 Feb 2022 12:27:43 +0100
-Subject: [PATCH 8/9] Add Profile option to disable CONFIG_HASH_VERIFY
+Subject: [PATCH 08/10] Add Profile option to disable CONFIG_HASH_VERIFY

This change also enables CONFIG_HASH_VERIFY by default.

@@ -11,7 +11,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
1 file changed, 3 insertions(+)

diff --git a/debian/rules b/debian/rules
-index 76fce010..4dc9e170 100755
+index 76fce01..4dc9e17 100755
--- a/debian/rules
+++ b/debian/rules
@@ -42,6 +42,9 @@ endif
diff --git a/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch b/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
new file mode 100644
index 0000000..fd263ee
--- /dev/null
+++ b/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
@@ -0,0 +1,66 @@
+From 09a736a651ae05378d9ef8018589c9f834b729a6 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@...>
+Date: Tue, 12 Apr 2022 08:01:21 +0200
+Subject: [PATCH 09/10] debian: Add patch to fix bootloader_env_get for EBG
+
+Signed-off-by: Jan Kiszka <jan.kiszka@...>
+---
+ ...ix-do_env_get-for-anything-but-globa.patch | 38 +++++++++++++++++++
+ debian/patches/series | 1 +
+ 2 files changed, 39 insertions(+)
+ create mode 100644 debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+
+diff --git a/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch b/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+new file mode 100644
+index 0000000..f99f7ee
+--- /dev/null
++++ b/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+@@ -0,0 +1,38 @@
++From 62cd7c93dc31e5ad8dccdd1db791892864fbbccf Mon Sep 17 00:00:00 2001
++From: Jan Kiszka <jan.kiszka@...>
++Date: Tue, 12 Apr 2022 07:49:14 +0200
++Subject: [PATCH] bootloader: EBG: fix do_env_get for anything but global state
++
++The return value conversion must only be applied on STATE_KEY. This
++fixes strangely broken strings for all other keys.
++
++Signed-off-by: Jan Kiszka <jan.kiszka@...>
++---
++ bootloader/ebg.c | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/bootloader/ebg.c b/bootloader/ebg.c
++index 2aa9010..a0b45dc 100644
++--- a/bootloader/ebg.c
+++++ b/bootloader/ebg.c
++@@ -115,6 +115,8 @@ char *bootloader_env_get(const char *name)
++ if (strncmp(name, (char *)STATE_KEY, strlen((char *)STATE_KEY) + 1) == 0) {
++ value = (char *)malloc(sizeof(char));
++ *value = ebg_env_getglobalstate(&ebgenv);
+++ /* Map EFI Boot Guard's int return to update_state_t's char value */
+++ *value = *value + '0';
++ } else {
++ if ((size = ebg_env_get(&ebgenv, (char *)name, NULL)) != 0) {
++ value = malloc(size);
++@@ -133,8 +135,6 @@ char *bootloader_env_get(const char *name)
++ name, strerror(errno));
++ }
++
++- /* Map EFI Boot Guard's int return to update_state_t's char value */
++- *value = *value + '0';
++ return value;
++ }
++
++--
++2.34.1
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..98628a7 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,2 @@
+ use-gcc-compiler.diff
++0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+--
+2.34.1
+
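Review bot: In the `STATE_KEY` branch of the embedded `bootloader/ebg.c` patch, the result of `malloc(sizeof(char))` is dereferenced without a NULL check, and the one-byte buffer that now receives `*value + '0'` has no terminator even though `bootloader_env_get()` returns `char *`. Any caller that treats the returned state as a C string would read past the allocation; the commit message names bootenv_rrmap as a new consumer of this function, but its code is not visible here, so this needs confirming. Allocating two bytes and terminating would remove both problems: `value = malloc(2);` followed by `if (value) { value[0] = ebg_env_getglobalstate(&ebgenv) + '0'; value[1] = '\0'; }`. The function body starts and ends outside the inner hunk, so the error path after the `else` branch should be checked to confirm it tolerates `value == NULL`.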
diff --git a/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch
similarity index 92%
rename from recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
rename to recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch
index 8afef74..1d476e9 100644
--- a/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
+++ b/recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch
@@ -1,7 +1,7 @@
-From 5dda7f815dafdfbd1b187ccc912eca38e9aee7bb Mon Sep 17 00:00:00 2001
+From c9661853aea11f090b5936363b0bae10fe6ebed6 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@...>
Date: Wed, 29 Sep 2021 16:17:03 +0200
-Subject: [PATCH 9/9] debian: prepare build for isar debian buster
+Subject: [PATCH 10/10] debian: prepare build for isar debian buster

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
@@ -13,13 +13,13 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>

diff --git a/debian/compat b/debian/compat
new file mode 100644
-index 00000000..f599e28b
+index 0000000..f599e28
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/debian/control b/debian/control
-index 192c4a2a..9318fa12 100644
+index 192c4a2..9318fa1 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
@@ -47,7 +47,7 @@ index 192c4a2a..9318fa12 100644
libebgenv-dev <pkg.swupdate.efibootguard> | efibootguard-dev <pkg.swupdate.efibootguard>,
libcmocka-dev,
diff --git a/debian/rules b/debian/rules
-index 4dc9e170..370ca3d8 100755
+index 4dc9e17..370ca3d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -19,13 +19,15 @@ endif
diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
index bf060b4..7edefe7 100644
--- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
@@ -23,7 +23,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
file://0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch \
- file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch"
+ file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch \
+ file://0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch"

# end patching for dm-verity based images

@@ -39,7 +40,7 @@ DEB_BUILD_PROFILES += "cross nocheck"
# DEB_BUILD_PROFILES += "pkg.swupdate.embeddedlua"

# modify for debian buster build
-SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
+SRC_URI_append_buster = " file://0010-debian-prepare-build-for-isar-debian-buster.patch"

# disable create filesystem due to missing symbols in debian buster
# disable webserver due to missing symbols in debian buster
--
2.34.1


[isar-cip-core][PATCH 14/19] swupdate: Switch to bootenv_rrmap+kernelfile for device selection

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

This allows for a medium-independent sw-description. Not required so far
for QEMU, but it may become useful in the future or for downstream
layers, at least as reference.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
recipes-core/images/files/sw-description.tmpl | 4 ++--
.../files/swupdate.handler.efibootguard.ini | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index 7dd67f9..f5cafeb 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -14,7 +14,7 @@ software =
name = "cip software update";
images: ({
filename = "${ROOTFS_PARTITION_NAME}";
- device = "sda4,sda5";
+ device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
compressed = "zlib";
filesystem = "ext4";
@@ -26,7 +26,7 @@ software =
filename = "linux.efi";
path = "linux.efi";
type = "roundrobin";
- device = "sda4->BOOT0,sda5->BOOT1";
+ device = "C:BOOT0:linux.efi->BOOT0,C:BOOT1:linux.efi->BOOT1";
filesystem = "vfat";
properties: {
subtype = "kernel";
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
index b5e8070..58271da 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
@@ -2,15 +2,15 @@
chainhandler=raw

[image.selector]
-method=getroot_rr
-key=root
+method=bootenv_rrmap
+key=kernelfile

[kernel]
chainhandler=rawfile

[kernel.selector]
-method=getroot_rrmap
-key=root
+method=bootenv_rrmap
+key=kernelfile

[kernel.bootenv]
kernelfile=C:BOOT${rrindex}:linux.efi
--
2.34.1


[isar-cip-core][PATCH 19/19] doc: README.secureboot polishing

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

There has never been a uefikernel parameter for efibootguard-boot, so
drop this.

Furthermore, spell out "EFI Boot Guard" and adjust some section levels
and titles.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
doc/README.secureboot.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 3c2d524..b2d7be9 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -1,11 +1,11 @@
-# Efibootguard Secure boot
+# EFI Boot Guard secure boot

This document describes how to generate a secure boot capable image with
[efibootguard](https://github.com/siemens/efibootguard).

## Description

-The image build signs the efibootguard bootloader (bootx64.efi) and generates
+The image build signs the EFI Boot Guard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
@@ -19,12 +19,12 @@ If a match is found the rootfs is used for the boot.

## Adaptation for Images

-### WIC
+### WIC
The following elements must be present in a wks file to create a secure boot capable image.

```
part --source efibootguard-efi --sourceparams "signwith=<script or executable to sign the image>"
-part --source efibootguard-boot --sourceparams "uefikernel=<name of the unified kernel>,signwith=<script or executable to sign the image>"
+part --source efibootguard-boot --sourceparams "signwith=<script or executable to sign the image>"
```

#### Script or executable to sign the image
@@ -43,7 +43,6 @@ executable or script with the following interface:
Supply the script name and path to wic by adding
`signwith=<path and name of the script to sign>"` to sourceparams of the partition.

-
### Existing packages to sign an image

#### ebg-secure-boot-snakeoil
@@ -63,7 +62,7 @@ The following variable and steps are necessary to build a secure boot capable im

The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in `recipes-devtools/ebg-secure-boot-secrets/files/`

-## QEMU
+## Running in QEMU

Set up a secure boot test environment with [QEMU](https://www.qemu.org/)

@@ -138,7 +137,7 @@ scripts/start-efishell.sh secureboot-tools

### Build image

-Build the image with a signed efibootguard and unified kernel image
+Build the image with a signed EFI Boot Guard and unified kernel image
with the snakeoil keys by executing:

```
@@ -202,7 +201,8 @@ OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd \
OVMF_VARS=<path to the modified OVMF_VARS.fd> \
./start-qemu.sh amd64
```
-# Example: Update the image
+
+## Example: Update the image

For updating the image, the following steps are necessary:
- [Build the image with snakeoil keys](### Build image)
--
2.34.1


[isar-cip-core][PATCH 18/19] doc: Update README.swupdate

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Reflect the changes on the non-secure SWUpdate procedure in the
documentation and streamline it a bit. Also switch to host-originated
scp to transfer the swu image to avoid the need for sshd on the host.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
doc/README.swupdate.md | 166 ++++++++++++++++++++++-------------------
1 file changed, 90 insertions(+), 76 deletions(-)

diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index 05768da..e28db24 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -1,31 +1,38 @@
+# SWUpdate support for the CIP core image

-Clone the isar-cip-core repository
+This document describes how to build and test the SWUpdate pre-integration for
+isar-cip-core, targeting a QEMU x86 virtual machine.
+
+Start with cloning the isar-cip-core repository:
```
host$ git clone https://gitlab.com/cip-project/cip-core/isar-cip-core.git
```

-Build the CIP Core image
+# Building and testing the CIP Core image

Set up `kas-container` as described in the [top-level README](../README.md).
-Then build the image:
+Then build the image which will later serve as update package:
```
host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
```
-- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
-- modify the image for example add a new version to the image by adding PV=2.0.0 to cip-core-image.bb
-- rebuild the image using above command and start the new target
+Save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` into a separate folder (ex: /tmp).
+
+Next, rebuild the image, switching to the RT kernel as modification:
```
-host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/rt.yml
```

-Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
+Now start the image which will contain the RT kernel:
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```

+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder into the running system:
```
-root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+host$ scp -P 22222 /tmp/cip-core-image-cip-core-buster-qemu-amd64.swu root@localhost:
```

Check which partition is booted, e.g. with lsblk:
-
```
root@demo:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
@@ -37,11 +44,22 @@ sda 8:0 0 2G 0 disk
└─sda5 8:5 0 1000M 0 part
```

-Apply swupdate and reboot
+Also check that you are running the RT kernel:
+```
+root@demo:~# uname -a
+Linux demo 4.19.233-cip69-rt24 #1 SMP PREEMPT RT Tue Apr 12 09:23:51 UTC 2022 x86_64 GNU/Linux
+root@demo:~# ls /lib/modules
+4.19.233-cip69-rt24
+root@demo:~# cat /sys/kernel/realtime
+1
+```
+
+Now apply swupdate and reboot
```
root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
root@demo:~# reboot
```
+
Check which partition is booted, e.g. with lsblk and the rootfs should have changed
```
root@demo:~# lsblk
@@ -54,150 +72,146 @@ sda 8:0 0 2G 0 disk
└─sda5 8:5 0 1000M 0 part /
```

+Check the active kernel:
+```
+root@demo:~# uname -a
+Linux demo 4.19.235-cip70 #1 SMP Tue Apr 12 09:08:39 UTC 2022 x86_64 GNU/Linux
+root@demo:~# ls /lib/modules
+4.19.235-cip70
+```
+
Check bootloader ustate after swupdate
```
root@demo:~# bg_printenv
+
----------------------------
-Config Partition #0 Values:
+ Config Partition #0 Values:
in_progress: no
revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT0:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 0 (OK)

user variables:

+
+
----------------------------
Config Partition #1 Values:
in_progress: no
revision: 3
-kernel: C:BOOT1:vmlinuz
-kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT1:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 2 (TESTING)
+
+user variables:
+
+
```

-if Partition #1 usate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK"
+If Partition #1 ustate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK".
```
root@demo:~# bg_setenv -c
```

-# swupdate rollback example
+## SWUpdate rollback example

-Build the image for swupdate with service which causes kernel panic during system boot using below command.
+Build the image for swupdate with a service which causes kernel panic during system boot using below command:

```
host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/kernel-panic.yml
```
-- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
-- build the image again without `kernel-panic.yml` recipe using below command
+Save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` in a separate folder.
+Then build the image without `kernel-panic.yml` recipe using below command:
```
host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
```

-Start the target on QEMU
+Start the target on QEMU:
```
host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
```

-Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
-
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder into the running system:
```
-root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+host$ scp -P 22222 /tmp/cip-core-image-cip-core-buster-qemu-amd64.swu root@localhost:
```

-Check which partition is booted, e.g. with lsblk:
-
+Apply swupdate as below:
```
-root@demo:~# lsblk
-NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
-sda 8:0 0 2G 0 disk
-├─sda1 8:1 0 16.4M 0 part
-├─sda2 8:2 0 32M 0 part
-├─sda3 8:3 0 32M 0 part
-├─sda4 8:4 0 1000M 0 part /
-└─sda5 8:5 0 1000M 0 part
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
```

-Check bootloader ustate before swupdate and should be as below
+Check bootloader ustate after swupdate. If the swupdate is successful then **revision number** should be **3** and status should be changed to **INSTALLED** for Partition #1.
```
root@demo:~# bg_printenv
+
----------------------------
-Config Partition #0 Values:
+ Config Partition #0 Values:
in_progress: no
revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT0:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 0 (OK)

user variables:
-----------------------------
-Config Partition #1 Values:
-in_progress: no
-revision: 1
-kernel: C:BOOT1:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
-watchdog timeout: 60 seconds
-ustate: 0 (OK)
-```

-Apply swupdate as below
-```
-root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
-```

-check bootloader ustate after swupdate. if the swupdate is successful then **revision number** should increase to **3** and status should be changed to **INSTALLED** for Partition #1.
-```
-root@demo:~# bg_printenv
-----------------------------
-Config Partition #0 Values:
-in_progress: no
-revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
-watchdog timeout: 60 seconds
-ustate: 0 (OK)

-user variables:
----------------------------
-Config Partition #1 Values:
+ Config Partition #1 Values:
in_progress: no
revision: 3
-kernel: C:BOOT1:vmlinuz
-kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT1:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 1 (INSTALLED)
+
+user variables:
+
+
```

-Execute reboot command
-- reboot command should cause kernel panic error.
-- watchdog timer should expire and restart the qemu. bootloader should select previous partition to boot.
+Execute the reboot command.
```
root@demo:~# reboot
```

-Once the system is restarted, check the bootloader ustate
-- if update is failed then **revision number** should reduce to **0** and status should change to **FAILED** for Partition #1.
+The new kernel should cause a kernel panic error.
+The watchdog timer should expire and restart the VM (it will take 2 minutes due to an issue in.
+The bootloader will then select the previous, working partition and boot from it.
+
+Once the system is restarted, check the bootloader ustate.
+If update is failed then **revision number** should be reduced to **0** and status should have changed to **FAILED** for Partition #1.
```
root@demo:~# bg_printenv
+
----------------------------
Config Partition #0 Values:
in_progress: no
revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-corg
+kernel: C:BOOT0:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 0 (OK)

user variables:
+
+
+
----------------------------
Config Partition #1 Values:
in_progress: no
revision: 0
-kernel: C:BOOT1:vmlinuz
-kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-corg
+kernel: C:BOOT1:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 3 (FAILED)
+
+user variables:
+
+
```
--
2.34.1


[isar-cip-core][PATCH 17/19] start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Allows full testing of the SWUpdate feature.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
start-qemu.sh | 1 +
1 file changed, 1 insertion(+)

diff --git a/start-qemu.sh b/start-qemu.sh
index c5cd9fa..fe08ebd 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -53,6 +53,7 @@ case "$1" in
-cpu qemu64 \
-smp 4 \
-machine q35,accel=kvm:tcg \
+ -global ICH9-LPC.noreboot=off \
-device virtio-net-pci,netdev=net"
if [ -n "${SECURE_BOOT}" ]; then
# set bootindex=0 to boot disk instead of EFI-shell
--
2.34.1


[isar-cip-core][PATCH 15/19] customizations: Enable systemd watchdog

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

This is needed for proper SWUpdate processing and does no harm in other
cases, even if the platform has no watchdog.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
recipes-core/customizations/common.inc | 6 +++++-
recipes-core/customizations/files/99-watchdog.conf | 3 +++
2 files changed, 8 insertions(+), 1 deletion(-)
create mode 100644 recipes-core/customizations/files/99-watchdog.conf

diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc
index d3eb7b8..1124ff2 100644
--- a/recipes-core/customizations/common.inc
+++ b/recipes-core/customizations/common.inc
@@ -16,7 +16,8 @@ FILESPATH_append := ":${FILE_DIRNAME}/files"
SRC_URI = " \
file://postinst \
file://ethernet \
- file://99-silent-printk.conf"
+ file://99-silent-printk.conf \
+ file://99-watchdog.conf"

WIRELESS_FIRMWARE_PACKAGE ?= ""
INSTALL_WIRELESS_TOOLS ??= "0"
@@ -34,4 +35,7 @@ do_install() {

install -v -d ${D}/etc/sysctl.d
install -v -m 644 ${WORKDIR}/99-silent-printk.conf ${D}/etc/sysctl.d/
+
+ install -v -d ${D}/etc/systemd/system.conf.d
+ install -v -m 644 ${WORKDIR}/99-watchdog.conf ${D}/etc/systemd/system.conf.d/
}
diff --git a/recipes-core/customizations/files/99-watchdog.conf b/recipes-core/customizations/files/99-watchdog.conf
new file mode 100644
index 0000000..c02756d
--- /dev/null
+++ b/recipes-core/customizations/files/99-watchdog.conf
@@ -0,0 +1,3 @@
+[Manager]
+RuntimeWatchdogSec=60s
+ShutdownWatchdogSec=60s
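Review bot: The new 99-watchdog.conf has no comment explaining why the manager watchdog is armed or why the value is 60s, so a later reader cannot tell that the update rollback path depends on it. A two-line header would do, for example `# Arm the hardware watchdog so that a hung system is reset and the` / `# bootloader can fall back to the previous slot after a failed update.` Separately, systemd 243 and later document the second setting as `RebootWatchdogSec=`. The old `ShutdownWatchdogSec=` spelling is, as far as I know, still accepted, but it is worth noting in the file which releases this targets.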
--
2.34.1


[isar-cip-core][PATCH 03/19] swupdate: Drop no longer used SOURCE_IMAGE_FILE

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Obsoleted by aed961de08e1.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
classes/wic-swu-img.bbclass | 2 --
1 file changed, 2 deletions(-)

diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
index 5e6de40..f03befa 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/wic-swu-img.bbclass
@@ -12,6 +12,4 @@
inherit wic-img
inherit swupdate-img

-SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
-
addtask do_swupdate_image after do_wic_image
--
2.34.1


[isar-cip-core][PATCH 10/19] Unify configuration of secure vs. non-secure SWUpdate

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

The sw-descriptions are practically identical, the roundrobin-handler
ini files are absolutely the same. So drop them and use unified configs.
That allows dropping kas/opt/ebg-secure-boot-base.yml as well.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
kas/opt/ebg-secure-boot-base.yml | 20 -----------
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
.../files/secure-boot/sw-description.tmpl | 35 -------------------
recipes-core/images/secureboot.inc | 21 -----------
.../swupdate.handler.efibootguard.ini | 16 ---------
5 files changed, 1 insertion(+), 93 deletions(-)
delete mode 100644 kas/opt/ebg-secure-boot-base.yml
delete mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
delete mode 100644 recipes-core/images/secureboot.inc
delete mode 100644 recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini

diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
deleted file mode 100644
index 299b663..0000000
--- a/kas/opt/ebg-secure-boot-base.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/efibootguard.yml
-
-local_conf_header:
- secure_swu: |
- SWU_DESCRIPTION = "secureboot"
- SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 10414fb..28b3545 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -12,7 +12,7 @@
header:
version: 10
includes:
- - kas/opt/ebg-secure-boot-base.yml
+ - kas/opt/efibootguard.yml

local_conf_header:
image-options: |
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
deleted file mode 100644
index 7dc070a..0000000
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-software =
-{
- version = "0.2";
- name = "secure boot update"
- images: ({
- filename = "${ROOTFS_PARTITION_NAME}";
- device = "sda4,sda5";
- type = "roundrobin";
- compressed = "zlib";
- filesystem = "ext4";
- properties: {
- subtype = "image";
- };
- });
- files: ({
- filename = "linux.efi";
- path = "linux.efi";
- type = "roundrobin";
- device = "sda4->BOOT0,sda5->BOOT1";
- filesystem = "vfat";
- properties: {
- subtype = "kernel";
- };
- })
-}
diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
deleted file mode 100644
index 6182080..0000000
--- a/recipes-core/images/secureboot.inc
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:"
-
-ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
-
-SRC_URI += "file://sw-description.tmpl"
-TEMPLATE_FILES += "sw-description.tmpl"
-
-TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"
-
-SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
deleted file mode 100644
index b5e8070..0000000
--- a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
+++ /dev/null
@@ -1,16 +0,0 @@
-[image]
-chainhandler=raw
-
-[image.selector]
-method=getroot_rr
-key=root
-
-[kernel]
-chainhandler=rawfile
-
-[kernel.selector]
-method=getroot_rrmap
-key=root
-
-[kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:linux.efi
--
2.34.1


[isar-cip-core][PATCH 12/19] cip-core-image: Make image-uuid an image option

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

This allows to avoid running this needless task for the secure image
where we use the dm-verity hash as image identification.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
kas/opt/ebg-swu.yml | 3 +++
recipes-core/images/cip-core-image.bb | 1 -
recipes-core/images/image-uuid.inc | 12 ++++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 recipes-core/images/image-uuid.inc

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index a58f0ed..d811929 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -18,3 +18,6 @@ header:
local_conf_header:
initramfs: |
IMAGE_INSTALL += "initramfs-abrootfs-hook"
+
+ image-option-uuid: |
+ CIP_IMAGE_OPTIONS_append = " image-uuid.inc"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index ecba06d..3f8c320 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -10,7 +10,6 @@
#

inherit image
-inherit image_uuid

ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
DESCRIPTION = "CIP Core image"
diff --git a/recipes-core/images/image-uuid.inc b/recipes-core/images/image-uuid.inc
new file mode 100644
index 0000000..5e5a727
--- /dev/null
+++ b/recipes-core/images/image-uuid.inc
@@ -0,0 +1,12 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image_uuid
--
2.34.1


[isar-cip-core][PATCH 11/19] cip-core-image: Do not include swupdate.inc unless it is used

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Was harmless to do so for non-swupdate images, but also unneeded.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
kas/opt/ebg-secure-boot-snakeoil.yml | 5 +++--
kas/opt/swupdate.yml | 3 +++
recipes-core/images/cip-core-image.bb | 5 ++---
3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 28b3545..be58b15 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -15,8 +15,9 @@ header:
- kas/opt/efibootguard.yml

local_conf_header:
- image-options: |
- CIP_IMAGE_OPTIONS_append = " read-only.inc"
+ image-options-swupdate-ro: |
+ CIP_IMAGE_OPTIONS_append = " swupdate.inc read-only.inc"
+
swupdate: |
IMAGE_INSTALL_append = " swupdate"
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index a8b903f..1b2aff4 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -19,6 +19,9 @@ local_conf_header:
IMAGE_INSTALL_append = " swupdate"
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"

+ image-option-swupdate: |
+ CIP_IMAGE_OPTIONS_append = " swupdate.inc"
+
wic-swu: |
IMAGE_FSTYPES = "wic-swu-img"
WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 9bf21ff..ecba06d 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -11,12 +11,11 @@

inherit image
inherit image_uuid
+
ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
DESCRIPTION = "CIP Core image"

IMAGE_INSTALL += "customizations"

-# for swupdate
-SWU_DESCRIPTION ??= "swupdate"
-CIP_IMAGE_OPTIONS ?= "${SWU_DESCRIPTION}.inc"
+CIP_IMAGE_OPTIONS ?= ""
include ${CIP_IMAGE_OPTIONS}
--
2.34.1


[isar-cip-core][PATCH 09/19] efibootguard: Avoid rename linux.efi when signing it

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

This will simplify handling of secure vs. non-secure configurations.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
.../files/secure-boot/sw-description.tmpl | 4 ++--
recipes-core/images/secureboot.inc | 2 +-
.../swupdate.handler.efibootguard.ini | 2 +-
.../wic/plugins/source/efibootguard-boot.py | 20 +++++++++----------
4 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
index f8e5375..7dc070a 100644
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -23,8 +23,8 @@ software =
};
});
files: ({
- filename = "linux.signed.efi";
- path = "linux.signed.efi";
+ filename = "linux.efi";
+ path = "linux.efi";
type = "roundrobin";
device = "sda4->BOOT0,sda5->BOOT1";
filesystem = "vfat";
diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
index e01c834..6182080 100644
--- a/recipes-core/images/secureboot.inc
+++ b/recipes-core/images/secureboot.inc
@@ -18,4 +18,4 @@ TEMPLATE_FILES += "sw-description.tmpl"

TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"

-SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}"
+SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
index 4a109b7..b5e8070 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
@@ -13,4 +13,4 @@ method=getroot_rrmap
key=root

[kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:linux.signed.efi
+kernelfile=C:BOOT${rrindex}:linux.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 4291dc2..909e629 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -215,23 +215,21 @@ class EfibootguardBootPlugin(SourcePlugin):
uefi_kernel_file=uefi_kernel_file)
exec_cmd(objcopy_cmd)

- return cls._sign_file(name=uefi_kernel_name,
- signee=uefi_kernel_file,
- deploy_dir=deploy_dir,
- source_params=source_params)
+ cls._sign_file(signee=uefi_kernel_file, source_params=source_params)
+
+ return uefi_kernel_name

@classmethod
- def _sign_file(cls, name, signee, deploy_dir, source_params):
+ def _sign_file(cls, signee, source_params):
sign_script = source_params.get("signwith")
if sign_script and os.path.exists(sign_script):
msger.info("sign with script %s", sign_script)
- name = name.replace(".efi", ".signed.efi")
- sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\
- .format(sign_script=sign_script, signee=signee,
- deploy_dir=deploy_dir, name=name)
+ orig_signee = signee + ".unsigned"
+ os.rename(signee, orig_signee)
+ sign_cmd = "{sign_script} {orig_signee} {signee}"\
+ .format(sign_script=sign_script, orig_signee=orig_signee,
+ signee=signee)
exec_cmd(sign_cmd)
elif sign_script and not os.path.exists(sign_script):
msger.error("Could not find script %s", sign_script)
exit(1)
-
- return name
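Review bot: `_sign_file` now moves the kernel to `<signee>.unsigned` and relies entirely on the external `signwith` script to recreate `signee`. Nothing checks afterwards that the signed file exists, and the unsigned copy is left beside it. Whether `exec_cmd` raises on a non-zero exit is not visible here. If it does not, or if the script exits 0 without writing its output, the caller still returns `uefi_kernel_name`, and the boot partition could be assembled without the kernel or with the `.unsigned` file in it. I would verify the output and then drop the unsigned input, provided nothing downstream still needs it. The two paths are also interpolated unquoted into `sign_cmd`, so a path with spaces would break the command. The function that returns `uefi_kernel_name` starts above this hunk.

```python
            exec_cmd(sign_cmd)
            # The signing script is external: confirm it really produced the
            # signed image before the unsigned input is discarded.
            if not os.path.exists(signee):
                msger.error("Signing script %s did not produce %s",
                            sign_script, signee)
                exit(1)
            os.remove(orig_signee)
        # … unchanged: elif branch reporting a missing sign script …
```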
--
2.34.1


[isar-cip-core][PATCH 01/19] start-qemu.sh: Add ssh access to guest from localhost

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Permit ssh logins to the guest from the host using port 22222
forwarding, but only from the local machine. This is useful, e.g., to
send an swu file into the VM for testing swupdate.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
start-qemu.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index e986791..c5cd9fa 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -117,7 +117,7 @@ shift 1
QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
- -netdev user,id=net \
+ -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
${QEMU_EXTRA_ARGS}"

if [ -n "${SECURE_BOOT}" ]; then
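Review bot: The `hostfwd` rule on the `-netdev user` line now applies to every run with a fixed port, so a second instance on the same host will likely fail to bind 22222, and any local account on a shared host can reach the guest's sshd. Binding to 127.0.0.1 keeps the forward off the network, which is the right default. Making the port overridable, e.g. `-netdev user,id=net,hostfwd=tcp:127.0.0.1:${SSH_PORT:-22222}-:22 \` (the variable name is only a suggestion), and adding a comment above `QEMU_COMMON_OPTIONS` such as `# guest sshd is reachable from any local account via 127.0.0.1:22222` would cover both points. The `if` block that follows continues outside the hunk.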
--
2.34.1


[isar-cip-core][PATCH 04/19] swupdate: Rename secure-swupdate-img class

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Align the name to the non-secure counterpart wic-swu-img.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
...{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} | 0
kas/opt/ebg-secure-boot-snakeoil.yml | 3 +--
2 files changed, 1 insertion(+), 2 deletions(-)
rename classes/{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} (100%)

diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-wic-swu-img.bbclass
similarity index 100%
rename from classes/secure-swupdate-img.bbclass
rename to classes/secure-wic-swu-img.bbclass
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index a7d644b..10414fb 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,7 +14,6 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml

-
local_conf_header:
image-options: |
CIP_IMAGE_OPTIONS_append = " read-only.inc"
@@ -24,7 +23,7 @@ local_conf_header:

verity-img: |
SECURE_IMAGE_FSTYPE = "squashfs"
- IMAGE_FSTYPES = "secure-swupdate-img"
+ IMAGE_FSTYPES = "secure-wic-swu-img"
WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"

secure-boot: |
--
2.34.1


[isar-cip-core][PATCH 07/19] swupdate: Switch to unified kernel image by default

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

This will help to move non-secure and secure boot closer. It will also
be required when booting non-x86 kernels with device trees that shall be
replaceable via updates, thus shall be embedded into the unified kernel
image.

The change obsoletes the need to specify "unified-kernel=y" as
efibootguard-boot plugin parameter. Users can still select the classic
boot method by providing "unified-kernel=n".

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
kas/opt/ebg-swu.yml | 4 ++++
recipes-core/images/files/sw-description.tmpl | 20 +++++--------------
recipes-core/images/swupdate.inc | 4 ++--
.../files/swupdate.handler.efibootguard.ini | 16 +++------------
.../wic/plugins/source/efibootguard-boot.py | 10 ++++------
wic/ebg-sysparts.inc | 4 ++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
7 files changed, 22 insertions(+), 40 deletions(-)

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index e708d0a..a58f0ed 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -14,3 +14,7 @@ header:
includes:
- kas/opt/efibootguard.yml
- kas/opt/swupdate.yml
+
+local_conf_header:
+ initramfs: |
+ IMAGE_INSTALL += "initramfs-abrootfs-hook"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index c44c2a8..7dd67f9 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -11,10 +11,10 @@
software =
{
version = "0.2";
- name = "cip software update"
+ name = "cip software update";
images: ({
filename = "${ROOTFS_PARTITION_NAME}";
- device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
+ device = "sda4,sda5";
type = "roundrobin";
compressed = "zlib";
filesystem = "ext4";
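Review bot: The `device` value `sda4,sda5` (and `sda4->BOOT0,sda5->BOOT1` in the `files` entry of the next hunk) replaces partition UUIDs with kernel device names, which depend on enumeration order. On a target where another disk or removable medium is probed first, or where the storage is not exposed as an `sd*` device, these names could refer to a different partition than intended, and the update would then be written there. If the new `getroot_rr` selector requires device names, a comment in the template such as `/* assumes the system disk enumerates as sda; see --ondisk in the wks files */` would record the assumption; otherwise a stable identifier would be the safer choice.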
@@ -23,23 +23,13 @@ software =
};
});
files: ({
- filename = "${KERNEL_IMAGE}";
- path = "vmlinuz";
+ filename = "linux.efi";
+ path = "linux.efi";
type = "roundrobin";
- device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
+ device = "sda4->BOOT0,sda5->BOOT1";
filesystem = "vfat";
properties: {
subtype = "kernel";
};
- },
- {
- filename = "${INITRD_IMAGE}";
- path = "${INITRD_IMAGE}";
- type = "roundrobin";
- device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
- filesystem = "vfat";
- properties: {
- subtype = "initrd";
- };
});
}
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index c23c103..2c3ad65 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"

-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE"
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"

-SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}"
+SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
index 3aee76c..b5e8070 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
@@ -2,25 +2,15 @@
chainhandler=raw

[image.selector]
-method=cmdline_rr
+method=getroot_rr
key=root

-[image.bootenv]
-kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
-
[kernel]
chainhandler=rawfile

[kernel.selector]
-method=cmdline_rrmap
+method=getroot_rrmap
key=root

[kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:vmlinuz
-
-[initrd]
-chainhandler=rawfile
-
-[initrd.selector]
-method=cmdline_rrmap
-key=root
+kernelfile=C:BOOT${rrindex}:linux.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 98a327c..4291dc2 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -78,15 +78,13 @@ class EfibootguardBootPlugin(SourcePlugin):
efibootguard in local.conf with WDOG_TIMEOUT=")
exit(1)

-
boot_files = source_params.get("files", "").split(' ')
- uefi_kernel = source_params.get("unified-kernel")
+ unified_kernel = source_params.get("unified-kernel") or 'y'
cmdline = bootloader.append
- if uefi_kernel:
+ if unified_kernel == 'y':
boot_image = cls._create_unified_kernel_image(rootfs_dir,
cr_workdir,
cmdline,
- uefi_kernel,
deploy_dir,
kernel_image,
initrd_image,
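Review bot: With `if unified_kernel == 'y':`, any value other than the exact string `y` (`Y`, `yes`, `1`, a typo) silently selects the classic boot path. Since the `_sign_file` call visible elsewhere in this plugin appears to sit on the unified-image path, a mistyped parameter in a secure-boot wks file could yield an image built without that signing step and without any message. Rejecting unknown values fits the file's existing error style: `if unified_kernel not in ('y', 'n'): msger.error("Invalid unified-kernel value: %s", unified_kernel); exit(1)`. The enclosing method starts and ends outside this hunk.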
@@ -174,8 +172,8 @@ class EfibootguardBootPlugin(SourcePlugin):

@classmethod
def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
- uefi_kernel, deploy_dir, kernel_image,
- initrd_image, source_params):
+ deploy_dir, kernel_image, initrd_image,
+ source_params):
# we need to map the distro_arch to uefi values
distro_to_efi_arch = {
"amd64": "x64",
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
index dea99e8..18c879a 100644
--- a/wic/ebg-sysparts.inc
+++ b/wic/ebg-sysparts.inc
@@ -4,5 +4,5 @@
part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active

# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 72a6f8c..c47257b 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -2,8 +2,8 @@
include ebg-signed-bootloader.inc

# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"

part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
--
2.34.1


[isar-cip-core][PATCH 08/19] swupdate: Drop PN from TEMPLATE_VARS

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

Was never used in any of the template files.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
recipes-core/images/secureboot.inc | 2 +-
recipes-core/images/swupdate.inc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
index 3e6eef8..e01c834 100644
--- a/recipes-core/images/secureboot.inc
+++ b/recipes-core/images/secureboot.inc
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"

-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
+TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"

SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 2c3ad65..64887df 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"

-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
+TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"

SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
--
2.34.1


[isar-cip-core][PATCH 06/19] Rename initramfs-abrootfs-secureboot to initramfs-abrootfs-hook

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

It had nothing to do with secure boot at all, only with selecting the
rootfs from the initramfs via a uuid match.

Take this opportunity to relocate it to recipes-initramfs as well, as this is
more logical, even if initramfs-abrootfs-hook is not using the initramfs
image class yet.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
.../initramfs-abrootfs-hook/files/debian-local-patch | 0
.../files/initramfs.image_uuid.hook | 0
.../initramfs-abrootfs-hook}/files/initramfs.lsblk.hook | 0
.../initramfs-abrootfs-hook}/files/postinst | 2 +-
.../initramfs-abrootfs-hook_0.1.bb | 8 ++++----
5 files changed, 5 insertions(+), 5 deletions(-)
rename recipes-support/initramfs-config/files/secure-boot-debian-local-patch => recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch (100%)
rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.image_uuid.hook (100%)
rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.lsblk.hook (100%)
rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/postinst (73%)
rename recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb => recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb (74%)

diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
similarity index 100%
rename from recipes-support/initramfs-config/files/secure-boot-debian-local-patch
rename to recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
similarity index 100%
rename from recipes-support/initramfs-config/files/initramfs.image_uuid.hook
rename to recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook
similarity index 100%
rename from recipes-support/initramfs-config/files/initramfs.lsblk.hook
rename to recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook
diff --git a/recipes-support/initramfs-config/files/postinst b/recipes-initramfs/initramfs-abrootfs-hook/files/postinst
similarity index 73%
rename from recipes-support/initramfs-config/files/postinst
rename to recipes-initramfs/initramfs-abrootfs-hook/files/postinst
index 2d4256d..e065524 100644
--- a/recipes-support/initramfs-config/files/postinst
+++ b/recipes-initramfs/initramfs-abrootfs-hook/files/postinst
@@ -1,6 +1,6 @@
#!/bin/sh

# patch local script
-patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/initramfs-abrootfs-hook/debian-local.patch

update-initramfs -v -u
diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
similarity index 74%
rename from recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
rename to recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
index 4b257fa..9c1776a 100644
--- a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
+++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
@@ -16,13 +16,13 @@ DEBIAN_DEPENDS += ", busybox, patch"
SRC_URI += "file://postinst \
file://initramfs.lsblk.hook \
file://initramfs.image_uuid.hook \
- file://secure-boot-debian-local-patch"
+ file://debian-local-patch"

do_install() {
- # add patch for local to /usr/share/secure boot
- TARGET=${D}/usr/share/secureboot
+ # add patch for local to /usr/share/initramfs-abrootfs-hook
+ TARGET=${D}/usr/share/initramfs-abrootfs-hook
install -m 0755 -d ${TARGET}
- install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch
+ install -m 0644 ${WORKDIR}/debian-local-patch ${TARGET}/debian-local.patch

# add hooks for secure boot
HOOKS=${D}/etc/initramfs-tools/hooks
--
2.34.1


[isar-cip-core][PATCH 05/19] Drop initramfs-abrootfs-secureboot references

Jan Kiszka
 

From: Jan Kiszka <jan.kiszka@...>

As secure boot implies for isar-cip-core dm-verity with read-only
rootfs, we only added initramfs-abrootfs-secureboot to remove it again.
So don't reference it at all. It will be used differently soon,
therefore keep the recipe.

Signed-off-by: Jan Kiszka <jan.kiszka@...>
---
kas/opt/ebg-secure-boot-base.yml | 3 +--
recipes-core/images/read-only.inc | 1 -
2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..299b663 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -15,7 +15,6 @@ header:
- kas/opt/efibootguard.yml

local_conf_header:
- initramfs: |
- IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
+ secure_swu: |
SWU_DESCRIPTION = "secureboot"
SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
diff --git a/recipes-core/images/read-only.inc b/recipes-core/images/read-only.inc
index 604caa0..c031e39 100644
--- a/recipes-core/images/read-only.inc
+++ b/recipes-core/images/read-only.inc
@@ -14,7 +14,6 @@ SQUASHFS_EXCLUDE_DIRS += "home var"
IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
-IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"

image_configure_fstab() {
sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
--
2.34.1
