Message ID | cover.1649834193.git.jan.kiszka@siemens.com (mailing list archive) |
---|---|
Series | SWUpdate & EFI Boot Guard refactorings |

On 4/13/22 09:16, Jan Kiszka wrote:
> Several refactorings, simplifications and fixes of the SWUpdate and EFI
> Boot Guard integration. This primarily aims at the unification of both
> variants.
>
> For that, this switches to unified kernel images also in the non-secure
> mode. This allows to share configuration files between both as well.
>
> Furthermore, the device selection in sw-description is abstracted from
> the concrete medium, making it easier for downstream to place images on
> either internal or external media without adjusting device paths.
>
> Finally, the watchdog support in QEMU is fixed and enabled so that we
> can run update and failure sequences completely.
>
> Jan

I tested it once and it looks good to me.

Quirin

>
> Jan Kiszka (19):
>   start-qemu.sh: Add ssh access to guest from localhost
>   swupdate: Simplify secure-swupdate-img class
>   swupdate: Drop no longer used SOURCE_IMAGE_FILE
>   swupdate: Rename secure-swupdate-img class
>   Drop initramfs-abrootfs-secureboot references
>   Rename initramfs-abrootfs-secureboot to initramfs-abrootfs-hook
>   swupdate: Switch to unified kernel image by default
>   swupdate: Drop PN from TEMPLATE_VARS
>   efibootguard: Avoid rename linux.efi when signing it
>   Unify configuration of secure vs. non-secure SWUpdate
>   cip-core-image: Do not include swupdate.inc unless it is used
>   cip-core-image: Make image-uuid an image option
>   swupdate: Add patch to fix EBG bootloader_env_get
>   swupdate: Switch to bootenv_rrmap+kernelfile for device selection
>   customizations: Enable systemd watchdog
>   linux-cip: Update cip-kernel-config
>   start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset
>   doc: Update README.swupdate
>   doc: README.secureboot polishing
>
>  ...img.bbclass => secure-wic-swu-img.bbclass} | 6 +-
>  classes/wic-swu-img.bbclass | 2 -
>  doc/README.secureboot.md | 16 +-
>  doc/README.swupdate.md | 166 ++++++++++--------
>  kas/opt/ebg-secure-boot-base.yml | 21 ---
>  kas/opt/ebg-secure-boot-snakeoil.yml | 10 +-
>  kas/opt/ebg-swu.yml | 7 +
>  kas/opt/swupdate.yml | 3 +
>  recipes-core/customizations/common.inc | 6 +-
>  .../customizations/files/99-watchdog.conf | 3 +
>  recipes-core/images/cip-core-image.bb | 6 +-
>  .../files/secure-boot/sw-description.tmpl | 35 ----
>  recipes-core/images/files/sw-description.tmpl | 20 +--
>  recipes-core/images/image-uuid.inc | 12 ++
>  recipes-core/images/read-only.inc | 1 -
>  recipes-core/images/secureboot.inc | 21 ---
>  recipes-core/images/swupdate.inc | 4 +-
>  .../swupdate.handler.efibootguard.ini | 16 --
>  .../files/swupdate.handler.efibootguard.ini | 20 +--
>  ...onfig-Make-image-encryption-optional.patch | 8 +-
>  .../0002-debian-rules-Add-CONFIG_MTD.patch | 6 +-
>  ...es-Add-option-to-disable-fs-creation.patch | 8 +-
>  ...ules-Add-option-to-disable-webserver.patch | 8 +-
>  ...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 8 +-
>  ...ules-Add-Embedded-Lua-handler-option.patch | 6 +-
>  ...-SWUpdate-USB-service-and-Udev-rules.patch | 10 +-
>  ...option-to-disable-CONFIG_HASH_VERIFY.patch | 6 +-
>  ...ch-to-fix-bootloader_env_get-for-EBG.patch | 66 +++++++
>  ...repare-build-for-isar-debian-buster.patch} | 10 +-
>  .../swupdate/swupdate_2021.11-1+debian-gbp.bb | 5 +-
>  .../files/debian-local-patch | 0
>  .../files/initramfs.image_uuid.hook | 0
>  .../files/initramfs.lsblk.hook | 0
>  .../initramfs-abrootfs-hook}/files/postinst | 2 +-
>  .../initramfs-abrootfs-hook_0.1.bb | 8 +-
>  recipes-kernel/linux/linux-cip-common.inc | 2 +-
>  .../wic/plugins/source/efibootguard-boot.py | 30 ++--
>  start-qemu.sh | 3 +-
>  wic/ebg-sysparts.inc | 4 +-
>  wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
>  40 files changed, 277 insertions(+), 292 deletions(-)
>  rename classes/{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} (82%)
>  delete mode 100644 kas/opt/ebg-secure-boot-base.yml
>  create mode 100644 recipes-core/customizations/files/99-watchdog.conf
>  delete mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
>  create mode 100644 recipes-core/images/image-uuid.inc
>  delete mode 100644 recipes-core/images/secureboot.inc
>  delete mode 100644 recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
>  create mode 100644 recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
>  rename recipes-core/swupdate/files/{0009-debian-prepare-build-for-isar-debian-buster.patch => 0010-debian-prepare-build-for-isar-debian-buster.patch} (92%)
>  rename recipes-support/initramfs-config/files/secure-boot-debian-local-patch => recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch (100%)
>  rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.image_uuid.hook (100%)
>  rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.lsblk.hook (100%)
>  rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/postinst (73%)
>  rename recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb => recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb (74%)
>