[isar-cip-core][RFC 3/4] Adapt swupdate and verity to use new IMAGE_CMD_*


Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

The image types wic-swu-img and secure-wic-swu-img were removed.
Rename `squashfs-img` to `squashfs` according to the new naming scheme.

To use squashfs include:

IMAGE_CLASSES += "squashfs"
IMAGE_TYPEDEP_wic += "squashfs"

The modifications for a read-only root file system are now part
of a bbclass which can be included directly in the image
recipe.

The modifications to generate a SWUpdate update package are
also no longer part of the image build process and are in a separate
bbclass. This class needs to be included in the image recipe.

To create a verity-based image, the following line needs to be added
to the local.conf or similar configuration:

IMAGE_CLASSES += "verity"

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
...u-img.bbclass => read-only-rootfs.bbclass} | 11 +---
classes/secure-wic-swu-img.bbclass | 15 ------
...{squashfs-img.bbclass => squashfs.bbclass} | 15 ++----
...{swupdate-img.bbclass => swupdate.bbclass} | 8 +--
.../{verity-img.bbclass => verity.bbclass} | 51 +++++++++----------
kas/opt/ebg-secure-boot-snakeoil.yml | 3 +-
kas/opt/swupdate.yml | 2 +
recipes-core/images/files/sw-description.tmpl | 1 -
recipes-core/images/swupdate.inc | 6 ++-
.../initramfs-verity-hook_0.1.bb | 2 +-
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
wic/x86-efibootguard.wks.in | 4 +-
13 files changed, 50 insertions(+), 76 deletions(-)
rename classes/{wic-swu-img.bbclass => read-only-rootfs.bbclass} (75%)
delete mode 100644 classes/secure-wic-swu-img.bbclass
rename classes/{squashfs-img.bbclass => squashfs.bbclass} (66%)
rename classes/{swupdate-img.bbclass => swupdate.bbclass} (92%)
rename classes/{verity-img.bbclass => verity.bbclass} (78%)

diff --git a/classes/wic-swu-img.bbclass b/classes/read-only-rootfs.bbclass
similarity index 75%
rename from classes/wic-swu-img.bbclass
rename to classes/read-only-rootfs.bbclass
index 41b2164..6f91f66 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/read-only-rootfs.bbclass
@@ -9,16 +9,10 @@
# SPDX-License-Identifier: MIT
#

-SQUASHFS_EXCLUDE_DIRS += "home var"
-
-inherit squashfs-img
-inherit wic-img
-inherit swupdate-img
-
INITRAMFS_RECIPE ?= "cip-core-initramfs"
INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"

-do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"

IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
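Review bot: After this hunk nothing visible in the patch sets `SQUASHFS_EXCLUDE_DIRS += "home var"` any more: it is dropped here, squashfs.bbclass keeps only the empty default `SQUASHFS_EXCLUDE_DIRS ?= ""`, and the kas snippets add only `IMAGE_CLASSES` and `IMAGE_TYPEDEP_wic`. Unless another patch of the series restores it, the read-only squashfs (and the verity image derived from it) would presumably also carry the contents of /home and /var, which the .wks files still create as separate writable partitions. Keeping `SQUASHFS_EXCLUDE_DIRS += "home var"` in this class or in swupdate.inc would preserve the previous image contents. The class also no longer inherits squashfs, wic or swupdate, so a short header comment stating that the image recipe must provide those image types would help users who include it directly.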
@@ -37,6 +31,3 @@ devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
EOF
}

-addtask do_wic_image after do_squashfs_image
-
-addtask do_swupdate_image after do_wic_image
diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass
deleted file mode 100644
index 5e8e48a..0000000
--- a/classes/secure-wic-swu-img.bbclass
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021-2022
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit verity-img
-inherit wic-swu-img
-
-addtask do_wic_image after do_verity_image
diff --git a/classes/squashfs-img.bbclass b/classes/squashfs.bbclass
similarity index 66%
rename from classes/squashfs-img.bbclass
rename to classes/squashfs.bbclass
index c22d7d6..376ddfe 100644
--- a/classes/squashfs-img.bbclass
+++ b/classes/squashfs.bbclass
@@ -9,9 +9,7 @@
# SPDX-License-Identifier: MIT
#

-SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
-
-IMAGER_INSTALL += "squashfs-tools"
+IMAGER_INSTALL_squashfs += "squashfs-tools"

SQUASHFS_EXCLUDE_DIRS ?= ""
SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
@@ -29,14 +27,11 @@ python __anonymous() {
d.appendVar('SQUASHFS_CREATION_ARGS', args)
}

-do_squashfs_image[dirs] = "${DEPLOY_DIR_IMAGE}"
-do_squashfs_image() {
+IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template"
+IMAGE_CMD_squashfs() {
rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'

- image_do_mounts
-
- sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
- "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SUDO_CHROOT} /bin/mksquashfs \
+ '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \
${SQUASHFS_CREATION_ARGS}
}
-addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
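Review bot: The cleanup line `rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'` in `IMAGE_CMD_squashfs` still refers to `SQUASHFS_IMAGE_FILE`, whose only visible definition is removed by the first hunk of this file, while the output is now written to `${IMAGE_FILE_CHROOT}`. If the variable is not defined elsewhere, the previous image is no longer deleted before the rebuild, and mksquashfs appends to an existing destination by default, so a stale file could end up merged into the new root filesystem unless `SQUASHFS_CREATION_ARGS` already passes `-noappend` (not visible here). Removing the host-side counterpart of the output path instead, e.g. `rm -f '${IMAGE_FILE_HOST}'` if that variable is available in the Isar version in use, keeps the delete and the write pointing at the same file.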
diff --git a/classes/swupdate-img.bbclass b/classes/swupdate.bbclass
similarity index 92%
rename from classes/swupdate-img.bbclass
rename to classes/swupdate.bbclass
index 1437c07..c3fc303 100644
--- a/classes/swupdate-img.bbclass
+++ b/classes/swupdate.bbclass
@@ -18,9 +18,9 @@ SWU_SIGNATURE_TYPE ?= "rsa"

IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"

-do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
-do_swupdate_image[cleandirs] += "${WORKDIR}/swu"
-do_swupdate_image() {
+do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}"
+do_swupdate_binary[cleandirs] += "${WORKDIR}/swu"
+do_swupdate_binary() {
rm -f '${SWU_IMAGE_FILE}'
cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'

@@ -91,4 +91,4 @@ do_swupdate_image() {
cd -
}

-addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template
+addtask swupdate_binary before do_build after do_deploy do_copy_boot_files do_install_imager_deps do_transform_template
diff --git a/classes/verity-img.bbclass b/classes/verity.bbclass
similarity index 78%
rename from classes/verity-img.bbclass
rename to classes/verity.bbclass
index b7d7f08..bbc57b0 100644
--- a/classes/verity-img.bbclass
+++ b/classes/verity.bbclass
@@ -8,13 +8,16 @@
#
# SPDX-License-Identifier: MIT
#
-
VERITY_IMAGE_TYPE ?= "squashfs"

-inherit ${VERITY_IMAGE_TYPE}-img
+inherit ${VERITY_IMAGE_TYPE}
+
+IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}"
+IMAGE_TYPEDEP_wic += "verity"
+IMAGER_INSTALL_verity += "cryptsetup"

-VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
-VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity"
VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
VERITY_HASH_BLOCK_SIZE ?= "1024"
VERITY_DATA_BLOCK_SIZE ?= "1024"
@@ -37,14 +40,28 @@ create_verity_env_file() {
done < $input
}

-verity_setup() {
+python calculate_verity_data_blocks() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+}
+do_image_verity[cleandirs] = "${WORKDIR}/verity"
+do_image_verity[prefuncs] = "calculate_verity_data_blocks"
+IMAGE_CMD_verity() {
rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}

cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}

- image_do_mounts
- sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ ${SUDO_CHROOT} /sbin/veritysetup format \
--hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
--data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
--data-blocks "${VERITY_DATA_BLOCKS}" \
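Review bot: The alignment check in `calculate_verity_data_blocks` is an `assert` with an f-string that has no placeholders, so a failure reports neither the file nor the sizes, and the check disappears entirely if Python runs with assertions disabled. The check matters because `VERITY_DATA_BLOCKS` is computed with floor division: a trailing partial block would not be covered by the hash tree while the hash offset is still set to the full file size. An explicit failure is safer and easier to diagnose, e.g. `if size % data_block_size: bb.fatal(f"{image_file}: size {size} is not a multiple of VERITY_DATA_BLOCK_SIZE ({data_block_size})")`. The `rm -f` and `cp -a` lines in `IMAGE_CMD_verity` also leave their paths unquoted, unlike the squashfs class; the body of `IMAGE_CMD_verity` continues outside this hunk.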
@@ -55,23 +72,5 @@ verity_setup() {

echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
>>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ create_verity_env_file
}
-
-do_verity_image[cleandirs] = "${WORKDIR}/verity"
-python do_verity_image() {
- import os
-
- image_file = os.path.join(
- d.getVar("DEPLOY_DIR_IMAGE"),
- d.getVar("VERITY_INPUT_IMAGE")
- )
- data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
- size = os.stat(image_file).st_size
- assert size % data_block_size == 0, f"image is not well-sized!"
- d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
- d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
-
- bb.build.exec_func('verity_setup', d)
- bb.build.exec_func('create_verity_env_file', d)
-}
-addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 3f2a794..2822cef 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -23,7 +23,8 @@ local_conf_header:
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"

secure-boot-image: |
- IMAGE_FSTYPES = "secure-wic-swu-img"
+ IMAGE_CLASSES += "verity"
+ IMAGE_FSTYPES = "wic"
WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
INITRAMFS_INSTALL_append = " initramfs-verity-hook"

diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index 72429c6..c2bd15c 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -23,5 +23,7 @@ local_conf_header:
CIP_IMAGE_OPTIONS_append = " swupdate.inc"

wic-swu: |
+ IMAGE_CLASSES += "squashfs"
+ IMAGE_TYPEDEP_wic += "squashfs"
IMAGE_FSTYPES = "wic"
WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index f5cafeb..1eb7758 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,7 +16,6 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "zlib";
filesystem = "ext4";
properties: {
subtype = "image";
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 64887df..2ec767f 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -8,10 +8,12 @@
#
# SPDX-License-Identifier: MIT
#
+inherit swupdate
+inherit read-only-rootfs

-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4"

-ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
index f0d2d68..60ee8da 100644
--- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -28,7 +28,7 @@ VERITY_IMAGE_RECIPE ?= "cip-core-image"

VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"

-do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
${D}/usr/share/verity-env \
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index e097eac..0e298bc 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc

-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index b3bbed4..3b8dadd 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc

-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index f60ebcf..c71253d 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@

include ebg-sysparts.inc

-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
--
2.35.1


Jan Kiszka
 

On 03.06.22 13:56, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The image types wic-swu-img and secure-wic-swu-img were removed.
Rename `squashfs-img` to squashfs according new naming scheme.

To use squashfs include:

IMAGE_CLASSES += "squashfs"
IMAGE_TYPEDEP_wic += "squashfs"
Now that squashfs is converted, that class should be pushed to Isar
soon. Will "just" need a test case there.


The modifications for a read-only root file system are now part
of a bbclass which can be include directly into the image
recipe.

The modifications to generate a SWUpdate update package are
also no longer part of the image build process and in a seperate
bbclass. This class needs to be included in the image recipe.

To create a verity based image to following line need to be added
to the local.conf or similar configuration:

IMAGE_CLASSES += "verity"
Maybe verity could go upstream as well, though it is more specific and
may not make too much sense without the full image integration. Still,
worth to think about it.


Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
...u-img.bbclass => read-only-rootfs.bbclass} | 11 +---
classes/secure-wic-swu-img.bbclass | 15 ------
...{squashfs-img.bbclass => squashfs.bbclass} | 15 ++----
...{swupdate-img.bbclass => swupdate.bbclass} | 8 +--
.../{verity-img.bbclass => verity.bbclass} | 51 +++++++++----------
kas/opt/ebg-secure-boot-snakeoil.yml | 3 +-
kas/opt/swupdate.yml | 2 +
recipes-core/images/files/sw-description.tmpl | 1 -
recipes-core/images/swupdate.inc | 6 ++-
.../initramfs-verity-hook_0.1.bb | 2 +-
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
wic/x86-efibootguard.wks.in | 4 +-
13 files changed, 50 insertions(+), 76 deletions(-)
rename classes/{wic-swu-img.bbclass => read-only-rootfs.bbclass} (75%)
delete mode 100644 classes/secure-wic-swu-img.bbclass
rename classes/{squashfs-img.bbclass => squashfs.bbclass} (66%)
rename classes/{swupdate-img.bbclass => swupdate.bbclass} (92%)
rename classes/{verity-img.bbclass => verity.bbclass} (78%)

diff --git a/classes/wic-swu-img.bbclass b/classes/read-only-rootfs.bbclass
similarity index 75%
rename from classes/wic-swu-img.bbclass
rename to classes/read-only-rootfs.bbclass
index 41b2164..6f91f66 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/read-only-rootfs.bbclass
There is still a "wic" relationship in this class, no?

@@ -9,16 +9,10 @@
# SPDX-License-Identifier: MIT
#

-SQUASHFS_EXCLUDE_DIRS += "home var"
-
-inherit squashfs-img
-inherit wic-img
-inherit swupdate-img
-
INITRAMFS_RECIPE ?= "cip-core-initramfs"
INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"

-do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"

IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
@@ -37,6 +31,3 @@ devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
EOF
}

-addtask do_wic_image after do_squashfs_image
-
-addtask do_swupdate_image after do_wic_image
diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass
deleted file mode 100644
index 5e8e48a..0000000
--- a/classes/secure-wic-swu-img.bbclass
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021-2022
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit verity-img
-inherit wic-swu-img
-
-addtask do_wic_image after do_verity_image
diff --git a/classes/squashfs-img.bbclass b/classes/squashfs.bbclass
similarity index 66%
rename from classes/squashfs-img.bbclass
rename to classes/squashfs.bbclass
index c22d7d6..376ddfe 100644
--- a/classes/squashfs-img.bbclass
+++ b/classes/squashfs.bbclass
@@ -9,9 +9,7 @@
# SPDX-License-Identifier: MIT
#

-SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
-
-IMAGER_INSTALL += "squashfs-tools"
+IMAGER_INSTALL_squashfs += "squashfs-tools"

SQUASHFS_EXCLUDE_DIRS ?= ""
SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
@@ -29,14 +27,11 @@ python __anonymous() {
d.appendVar('SQUASHFS_CREATION_ARGS', args)
}

-do_squashfs_image[dirs] = "${DEPLOY_DIR_IMAGE}"
-do_squashfs_image() {
+IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template"
+IMAGE_CMD_squashfs() {
rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'

- image_do_mounts
-
- sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
- "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SUDO_CHROOT} /bin/mksquashfs \
+ '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \
${SQUASHFS_CREATION_ARGS}
}
-addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
diff --git a/classes/swupdate-img.bbclass b/classes/swupdate.bbclass
similarity index 92%
rename from classes/swupdate-img.bbclass
rename to classes/swupdate.bbclass
index 1437c07..c3fc303 100644
--- a/classes/swupdate-img.bbclass
+++ b/classes/swupdate.bbclass
@@ -18,9 +18,9 @@ SWU_SIGNATURE_TYPE ?= "rsa"

IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"

-do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
-do_swupdate_image[cleandirs] += "${WORKDIR}/swu"
-do_swupdate_image() {
+do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}"
+do_swupdate_binary[cleandirs] += "${WORKDIR}/swu"
+do_swupdate_binary() {
rm -f '${SWU_IMAGE_FILE}'
cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'

@@ -91,4 +91,4 @@ do_swupdate_image() {
cd -
}

-addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template
+addtask swupdate_binary before do_build after do_deploy do_copy_boot_files do_install_imager_deps do_transform_template
diff --git a/classes/verity-img.bbclass b/classes/verity.bbclass
similarity index 78%
rename from classes/verity-img.bbclass
rename to classes/verity.bbclass
index b7d7f08..bbc57b0 100644
--- a/classes/verity-img.bbclass
+++ b/classes/verity.bbclass
@@ -8,13 +8,16 @@
#
# SPDX-License-Identifier: MIT
#
-
Unrelated whitespace change.

VERITY_IMAGE_TYPE ?= "squashfs"

-inherit ${VERITY_IMAGE_TYPE}-img
+inherit ${VERITY_IMAGE_TYPE}
+
+IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}"
+IMAGE_TYPEDEP_wic += "verity"
+IMAGER_INSTALL_verity += "cryptsetup"

-VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
-VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity"
VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
VERITY_HASH_BLOCK_SIZE ?= "1024"
VERITY_DATA_BLOCK_SIZE ?= "1024"
@@ -37,14 +40,28 @@ create_verity_env_file() {
done < $input
}

-verity_setup() {
+python calculate_verity_data_blocks() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+}
+do_image_verity[cleandirs] = "${WORKDIR}/verity"
+do_image_verity[prefuncs] = "calculate_verity_data_blocks"
+IMAGE_CMD_verity() {
rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}

cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}

- image_do_mounts
- sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ ${SUDO_CHROOT} /sbin/veritysetup format \
--hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
--data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
--data-blocks "${VERITY_DATA_BLOCKS}" \
@@ -55,23 +72,5 @@ verity_setup() {

echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
>>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ create_verity_env_file
}
-
-do_verity_image[cleandirs] = "${WORKDIR}/verity"
-python do_verity_image() {
- import os
-
- image_file = os.path.join(
- d.getVar("DEPLOY_DIR_IMAGE"),
- d.getVar("VERITY_INPUT_IMAGE")
- )
- data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
- size = os.stat(image_file).st_size
- assert size % data_block_size == 0, f"image is not well-sized!"
- d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
- d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
-
- bb.build.exec_func('verity_setup', d)
- bb.build.exec_func('create_verity_env_file', d)
-}
-addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 3f2a794..2822cef 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -23,7 +23,8 @@ local_conf_header:
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"

secure-boot-image: |
- IMAGE_FSTYPES = "secure-wic-swu-img"
+ IMAGE_CLASSES += "verity"
+ IMAGE_FSTYPES = "wic"
WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
INITRAMFS_INSTALL_append = " initramfs-verity-hook"

diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index 72429c6..c2bd15c 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -23,5 +23,7 @@ local_conf_header:
CIP_IMAGE_OPTIONS_append = " swupdate.inc"

wic-swu: |
+ IMAGE_CLASSES += "squashfs"
+ IMAGE_TYPEDEP_wic += "squashfs"
IMAGE_FSTYPES = "wic"
WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index f5cafeb..1eb7758 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,7 +16,6 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "zlib";
Why that? Looks at least unrelated.

filesystem = "ext4";
properties: {
subtype = "image";
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 64887df..2ec767f 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -8,10 +8,12 @@
#
# SPDX-License-Identifier: MIT
#
Please add a blank line here.

+inherit swupdate
+inherit read-only-rootfs

-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4"

-ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
index f0d2d68..60ee8da 100644
--- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -28,7 +28,7 @@ VERITY_IMAGE_RECIPE ?= "cip-core-image"

VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"

-do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
${D}/usr/share/verity-env \
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index e097eac..0e298bc 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc

-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index b3bbed4..3b8dadd 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc

-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index f60ebcf..c71253d 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@

include ebg-sysparts.inc

-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"

# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Quirin Gylstorff
 

On 6/7/22 09:32, Jan Kiszka wrote:
On 03.06.22 13:56, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

The image types wic-swu-img and secure-wic-swu-img were removed.
Rename `squashfs-img` to squashfs according new naming scheme.

To use squashfs include:

IMAGE_CLASSES += "squashfs"
IMAGE_TYPEDEP_wic += "squashfs"
Now that squashfs is converted, that class should be pushed to Isar
soon. Will "just" need a test case there.
The test case can also be a separate rootfs for qemu.


The modifications for a read-only root file system are now part
of a bbclass which can be include directly into the image
recipe.

The modifications to generate a SWUpdate update package are
also no longer part of the image build process and in a seperate
bbclass. This class needs to be included in the image recipe.

To create a verity based image to following line need to be added
to the local.conf or similar configuration:

IMAGE_CLASSES += "verity"
Maybe verity could go upstream as well, though it is more specific and
may not make too much sense without the full image integration. Still,
worth to think about it.


Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
...u-img.bbclass => read-only-rootfs.bbclass} | 11 +---
classes/secure-wic-swu-img.bbclass | 15 ------
...{squashfs-img.bbclass => squashfs.bbclass} | 15 ++----
...{swupdate-img.bbclass => swupdate.bbclass} | 8 +--
.../{verity-img.bbclass => verity.bbclass} | 51 +++++++++----------
kas/opt/ebg-secure-boot-snakeoil.yml | 3 +-
kas/opt/swupdate.yml | 2 +
recipes-core/images/files/sw-description.tmpl | 1 -
recipes-core/images/swupdate.inc | 6 ++-
.../initramfs-verity-hook_0.1.bb | 2 +-
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +-
wic/x86-efibootguard.wks.in | 4 +-
13 files changed, 50 insertions(+), 76 deletions(-)
rename classes/{wic-swu-img.bbclass => read-only-rootfs.bbclass} (75%)
delete mode 100644 classes/secure-wic-swu-img.bbclass
rename classes/{squashfs-img.bbclass => squashfs.bbclass} (66%)
rename classes/{swupdate-img.bbclass => swupdate.bbclass} (92%)
rename classes/{verity-img.bbclass => verity.bbclass} (78%)

diff --git a/classes/wic-swu-img.bbclass b/classes/read-only-rootfs.bbclass
similarity index 75%
rename from classes/wic-swu-img.bbclass
rename to classes/read-only-rootfs.bbclass
index 41b2164..6f91f66 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/read-only-rootfs.bbclass
There is still a "wic" relationship in this class, no?
I can rename it to wic-read-only-rootfs. Only the following
line is wic-specific:

```
do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
```



@@ -9,16 +9,10 @@
# SPDX-License-Identifier: MIT
#
-SQUASHFS_EXCLUDE_DIRS += "home var"
-
-inherit squashfs-img
-inherit wic-img
-inherit swupdate-img
-
INITRAMFS_RECIPE ?= "cip-core-initramfs"
INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
-do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
@@ -37,6 +31,3 @@ devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
EOF
}
-addtask do_wic_image after do_squashfs_image
-
-addtask do_swupdate_image after do_wic_image
diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass
deleted file mode 100644
index 5e8e48a..0000000
--- a/classes/secure-wic-swu-img.bbclass
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021-2022
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@...>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit verity-img
-inherit wic-swu-img
-
-addtask do_wic_image after do_verity_image
diff --git a/classes/squashfs-img.bbclass b/classes/squashfs.bbclass
similarity index 66%
rename from classes/squashfs-img.bbclass
rename to classes/squashfs.bbclass
index c22d7d6..376ddfe 100644
--- a/classes/squashfs-img.bbclass
+++ b/classes/squashfs.bbclass
@@ -9,9 +9,7 @@
# SPDX-License-Identifier: MIT
#
-SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
-
-IMAGER_INSTALL += "squashfs-tools"
+IMAGER_INSTALL_squashfs += "squashfs-tools"
SQUASHFS_EXCLUDE_DIRS ?= ""
SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
@@ -29,14 +27,11 @@ python __anonymous() {
d.appendVar('SQUASHFS_CREATION_ARGS', args)
}
-do_squashfs_image[dirs] = "${DEPLOY_DIR_IMAGE}"
-do_squashfs_image() {
+IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template"
+IMAGE_CMD_squashfs() {
rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
- image_do_mounts
-
- sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
- "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SUDO_CHROOT} /bin/mksquashfs \
+ '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \
${SQUASHFS_CREATION_ARGS}
}
-addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
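Review bot: `SQUASHFS_IMAGE_FILE` is still referenced by the unchanged `rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'` line at the top of `IMAGE_CMD_squashfs`, but its only visible definition is deleted in the previous hunk of this file. Unless it is defined somewhere outside this patch, the reference stays unexpanded inside the single quotes and the cleanup removes nothing, so an image left by an earlier build is still in place when mksquashfs runs. mksquashfs appends to an existing destination by default, and `SQUASHFS_CREATION_ARGS` is not fully visible here, so stale content could end up in the root file system that verity later hashes. I would name the file the way the wks files now do, `rm -f '${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.squashfs'`, and confirm that the creation args include `-noappend`.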
diff --git a/classes/swupdate-img.bbclass b/classes/swupdate.bbclass
similarity index 92%
rename from classes/swupdate-img.bbclass
rename to classes/swupdate.bbclass
index 1437c07..c3fc303 100644
--- a/classes/swupdate-img.bbclass
+++ b/classes/swupdate.bbclass
@@ -18,9 +18,9 @@ SWU_SIGNATURE_TYPE ?= "rsa"
IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
-do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
-do_swupdate_image[cleandirs] += "${WORKDIR}/swu"
-do_swupdate_image() {
+do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}"
+do_swupdate_binary[cleandirs] += "${WORKDIR}/swu"
+do_swupdate_binary() {
rm -f '${SWU_IMAGE_FILE}'
cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
@@ -91,4 +91,4 @@ do_swupdate_image() {
cd -
}
-addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template
+addtask swupdate_binary before do_build after do_deploy do_copy_boot_files do_install_imager_deps do_transform_template
diff --git a/classes/verity-img.bbclass b/classes/verity.bbclass
similarity index 78%
rename from classes/verity-img.bbclass
rename to classes/verity.bbclass
index b7d7f08..bbc57b0 100644
--- a/classes/verity-img.bbclass
+++ b/classes/verity.bbclass
@@ -8,13 +8,16 @@
#
# SPDX-License-Identifier: MIT
#
-
Unrelated whitespace change.
Will remove in v2

VERITY_IMAGE_TYPE ?= "squashfs"
-inherit ${VERITY_IMAGE_TYPE}-img
+inherit ${VERITY_IMAGE_TYPE}
+
+IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}"
+IMAGE_TYPEDEP_wic += "verity"
+IMAGER_INSTALL_verity += "cryptsetup"
-VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
-VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity"
VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
VERITY_HASH_BLOCK_SIZE ?= "1024"
VERITY_DATA_BLOCK_SIZE ?= "1024"
@@ -37,14 +40,28 @@ create_verity_env_file() {
done < $input
}
-verity_setup() {
+python calculate_verity_data_blocks() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+}
+do_image_verity[cleandirs] = "${WORKDIR}/verity"
+do_image_verity[prefuncs] = "calculate_verity_data_blocks"
+IMAGE_CMD_verity() {
rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}
cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
- image_do_mounts
- sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ ${SUDO_CHROOT} /sbin/veritysetup format \
--hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
--data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
--data-blocks "${VERITY_DATA_BLOCKS}" \
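Review bot: The size check in `calculate_verity_data_blocks` is an `assert` whose f-string has no placeholders, so a mis-sized input stops the build with only "image is not well-sized!" and names neither the file nor the two sizes. The same `size` feeds `--data-blocks` and is written out as the hash offset, so I would make this an explicit build error: `if size % data_block_size: bb.fatal(f"{image_file}: size {size} is not a multiple of VERITY_DATA_BLOCK_SIZE ({data_block_size})")`. A short comment above the function would also help, saying that it runs as a prefunc of `do_image_verity` so that `VERITY_DATA_BLOCKS` and `VERITY_INPUT_IMAGE_SIZE` are set before `IMAGE_CMD_verity` is expanded. The body of `IMAGE_CMD_verity` continues outside this hunk.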
@@ -55,23 +72,5 @@ verity_setup() {
echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
>>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ create_verity_env_file
}
-
-do_verity_image[cleandirs] = "${WORKDIR}/verity"
-python do_verity_image() {
- import os
-
- image_file = os.path.join(
- d.getVar("DEPLOY_DIR_IMAGE"),
- d.getVar("VERITY_INPUT_IMAGE")
- )
- data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
- size = os.stat(image_file).st_size
- assert size % data_block_size == 0, f"image is not well-sized!"
- d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
- d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
-
- bb.build.exec_func('verity_setup', d)
- bb.build.exec_func('create_verity_env_file', d)
-}
-addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 3f2a794..2822cef 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -23,7 +23,8 @@ local_conf_header:
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
secure-boot-image: |
- IMAGE_FSTYPES = "secure-wic-swu-img"
+ IMAGE_CLASSES += "verity"
+ IMAGE_FSTYPES = "wic"
WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
INITRAMFS_INSTALL_append = " initramfs-verity-hook"
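Review bot: In `secure-boot-image` the verity step is pulled in only indirectly, through the `IMAGE_TYPEDEP_wic += "verity"` line inside verity.bbclass, while kas/opt/swupdate.yml spells out `IMAGE_TYPEDEP_wic += "squashfs"` next to its `IMAGE_CLASSES` line. The two options should follow the same convention, and this block should say what it depends on, for example `# verity.bbclass adds "verity" to IMAGE_TYPEDEP_wic; the secureboot wks files copy ${IMAGE_FULLNAME}.verity`. If that class line is dropped or overridden, wic would presumably pick up whatever `.verity` file is already in the deploy directory, which is worth ruling out. The `local_conf_header` block starts outside this hunk.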
diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index 72429c6..c2bd15c 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -23,5 +23,7 @@ local_conf_header:
CIP_IMAGE_OPTIONS_append = " swupdate.inc"
wic-swu: |
+ IMAGE_CLASSES += "squashfs"
+ IMAGE_TYPEDEP_wic += "squashfs"
IMAGE_FSTYPES = "wic"
WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index f5cafeb..1eb7758 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,7 +16,6 @@ software =
filename = "${ROOTFS_PARTITION_NAME}";
device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = "zlib";
Why that? Looks at least unrelated.
This was a workaround during development and should have been removed.
It will be reverted to the original in v2.

filesystem = "ext4";
properties: {
subtype = "image";
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 64887df..2ec767f 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -8,10 +8,12 @@
#
# SPDX-License-Identifier: MIT
#
Please add a blank line here.
Done

+inherit swupdate
+inherit read-only-rootfs
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4"
-ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
index f0d2d68..60ee8da 100644
--- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -28,7 +28,7 @@ VERITY_IMAGE_RECIPE ?= "cip-core-image"
VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
-do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity"
do_install[cleandirs] += " \
${D}/usr/share/initramfs-tools/hooks \
${D}/usr/share/verity-env \
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index e097eac..0e298bc 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
index b3bbed4..3b8dadd 100644
--- a/wic/qemu-arm64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -1,7 +1,7 @@
include ebg-signed-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index f60ebcf..c71253d 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -3,8 +3,8 @@
include ebg-sysparts.inc
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
# home and var are extra partitions
part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
Jan

Quirin