[isar-cip-core][PATCH v3 2/8] use bullseye backports for systemd-cryptenroll
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Systemd >= 251 is required for systemd-cryptenroll. This version is part of backports. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- conf/distro/debian-bullseye-backports.list | 1 + .../preferences.bullseye-backports.tpm.conf | 40 +++++++++++++++++++ kas/opt/tpm.yml | 20 ++++++++++ 3 files changed, 61 insertions(+) create mode 100644 conf/distro/debian-bullseye-backports.list create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf create mode 100644 kas/opt/tpm.yml diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list new file mode 100644 index 0000000..3a55e4c --- /dev/null +++ b/conf/distro/debian-bullseye-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf new file mode 100644 index 0000000..918745f --- /dev/null +++ b/conf/distro/preferences.bullseye-backports.tpm.conf @@ -0,0 +1,40 @@ +Package: libnss-myhostname +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-mymachines +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-resolve +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libnss-systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libpam-systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libudev* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: libsystemd* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: systemd +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: systemd-* +Pin: release n=bullseye-backports +Pin-Priority: 801 + +Package: udev +Pin: release n=bullseye-backports +Pin-Priority: 801 + diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml new file mode 100644 index 0000000..0e4dc95 --- /dev/null +++ b/kas/opt/tpm.yml 
@@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Quirin Gylstorff <quirin.gylstorff@...> +# +# SPDX-License-Identifier: MIT +# + +header: + version: 12 + +local_conf_header: + systemd-cryptenroll: | + DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list" + DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf" + image-option-tpm: | + INITRAMFS_INSTALL += " initramfs-crypt-hook" -- 2.39.1 |
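Review bot: In conf/distro/debian-bullseye-backports.list the single deb line enables contrib and non-free and points at a regional mirror, although every package pinned in this patch lives in main. Suggest narrowing it to "deb http://deb.debian.org/debian bullseye-backports main" so the image does not accept packages from components it has no use for.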
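Review bot: conf/distro/preferences.bullseye-backports.tpm.conf repeats the same Pin and Pin-Priority lines in ten stanzas and never says why systemd is taken from backports. The Package field accepts a whitespace-separated list, so one stanza can cover all ten entries, and an "Explanation:" line at its top can record that systemd >= 251 is needed for systemd-cryptenroll. That line is also the place to state that priority 801 outranks the default priority of 500, so apt will prefer the backports builds of these packages over what the regular bullseye suites offer at that default.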
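Review bot: In kas/opt/tpm.yml the two apt variables carry the :bullseye override but INITRAMFS_INSTALL += " initramfs-crypt-hook" does not, so the hook is installed for every distro that includes this option while the backports source that supplies systemd >= 251 is only added for bullseye. Either scope the hook the same way or add a comment naming the distros this option supports. The header comment also still reads "CIP Core, generic profile"; a line describing the TPM option would fit better.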
Jan Kiszka
On 24.02.23 17:28, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@...>

You can add multiple packages whitespace-separated to this line. Will make the file more readable.

> +Pin: release n=bullseye-backports

Two-sided sword: On the one hand, we don't need to compile our own systemd. On the other, the question is if the choice of backports for such a central and potentially security-critical package would be a good idea for a production deployment. I don't think so.

At some place, we should leave a comment that this is for demonstration only, not for production. Only bookworm will change that. Or some alternative to systemd-cryptenroll.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux