Message ID | 20220603115618.985568-4-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Series | Adapt isar-cip-core to ISAR IMAGE_CMD_* | expand |
On 03.06.22 13:56, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > The image types wic-swu-img and secure-wic-swu-img were removed. > Rename `squashfs-img` to squashfs according new naming scheme. > > To use squashfs include: > > IMAGE_CLASSES += "squashfs" > IMAGE_TYPEDEP_wic += "squashfs" Now that squashfs is converted, that class should be pushed to Isar soon. Will "just" need a test case there. > > The modifications for a read-only root file system are now part > of a bbclass which can be include directly into the image > recipe. > > The modifications to generate a SWUpdate update package are > also no longer part of the image build process and in a seperate > bbclass. This class needs to be included in the image recipe. > > To create a verity based image to following line need to be added > to the local.conf or similar configuration: > > IMAGE_CLASSES += "verity" Maybe verity could go upstream as well, though it is more specific and may not make too much sense without the full image integration. Still, worth to think about it. 
> > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > ...u-img.bbclass => read-only-rootfs.bbclass} | 11 +--- > classes/secure-wic-swu-img.bbclass | 15 ------ > ...{squashfs-img.bbclass => squashfs.bbclass} | 15 ++---- > ...{swupdate-img.bbclass => swupdate.bbclass} | 8 +-- > .../{verity-img.bbclass => verity.bbclass} | 51 +++++++++---------- > kas/opt/ebg-secure-boot-snakeoil.yml | 3 +- > kas/opt/swupdate.yml | 2 + > recipes-core/images/files/sw-description.tmpl | 1 - > recipes-core/images/swupdate.inc | 6 ++- > .../initramfs-verity-hook_0.1.bb | 2 +- > wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +- > wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +- > wic/x86-efibootguard.wks.in | 4 +- > 13 files changed, 50 insertions(+), 76 deletions(-) > rename classes/{wic-swu-img.bbclass => read-only-rootfs.bbclass} (75%) > delete mode 100644 classes/secure-wic-swu-img.bbclass > rename classes/{squashfs-img.bbclass => squashfs.bbclass} (66%) > rename classes/{swupdate-img.bbclass => swupdate.bbclass} (92%) > rename classes/{verity-img.bbclass => verity.bbclass} (78%) > > diff --git a/classes/wic-swu-img.bbclass b/classes/read-only-rootfs.bbclass > similarity index 75% > rename from classes/wic-swu-img.bbclass > rename to classes/read-only-rootfs.bbclass > index 41b2164..6f91f66 100644 > --- a/classes/wic-swu-img.bbclass > +++ b/classes/read-only-rootfs.bbclass There is still a "wic" relationship in this class, no? > @@ -9,16 +9,10 @@ > # SPDX-License-Identifier: MIT > # > > -SQUASHFS_EXCLUDE_DIRS += "home var" > - > -inherit squashfs-img > -inherit wic-img > -inherit swupdate-img > - > INITRAMFS_RECIPE ?= "cip-core-initramfs" > INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" > > -do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" > +do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" > > IMAGE_INSTALL += "home-fs" > IMAGE_INSTALL += "tmp-fs" 
> @@ -37,6 +31,3 @@ devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 > EOF > } > > -addtask do_wic_image after do_squashfs_image > - > -addtask do_swupdate_image after do_wic_image > diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass > deleted file mode 100644 > index 5e8e48a..0000000 > --- a/classes/secure-wic-swu-img.bbclass > +++ /dev/null > @@ -1,15 +0,0 @@ > -# > -# CIP Core, generic profile > -# > -# Copyright (c) Siemens AG, 2021-2022 > -# > -# Authors: > -# Quirin Gylstorff <quirin.gylstorff@siemens.com> > -# > -# SPDX-License-Identifier: MIT > -# > - > -inherit verity-img > -inherit wic-swu-img > - > -addtask do_wic_image after do_verity_image > diff --git a/classes/squashfs-img.bbclass b/classes/squashfs.bbclass > similarity index 66% > rename from classes/squashfs-img.bbclass > rename to classes/squashfs.bbclass > index c22d7d6..376ddfe 100644 > --- a/classes/squashfs-img.bbclass > +++ b/classes/squashfs.bbclass > @@ -9,9 +9,7 @@ > # SPDX-License-Identifier: MIT > # > > -SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img" > - > -IMAGER_INSTALL += "squashfs-tools" > +IMAGER_INSTALL_squashfs += "squashfs-tools" > > SQUASHFS_EXCLUDE_DIRS ?= "" > SQUASHFS_CONTENT ?= "${PP_ROOTFS}" > @@ -29,14 +27,11 @@ python __anonymous() { > d.appendVar('SQUASHFS_CREATION_ARGS', args) > } > > -do_squashfs_image[dirs] = "${DEPLOY_DIR_IMAGE}" > -do_squashfs_image() { > +IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template" > +IMAGE_CMD_squashfs() { > rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}' > > - image_do_mounts > - > - sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \ > - "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \ > + ${SUDO_CHROOT} /bin/mksquashfs \ > + '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ > ${SQUASHFS_CREATION_ARGS} > } > -addtask do_squashfs_image before do_image after do_image_tools do_excl_directories 
> diff --git a/classes/swupdate-img.bbclass b/classes/swupdate.bbclass > similarity index 92% > rename from classes/swupdate-img.bbclass > rename to classes/swupdate.bbclass > index 1437c07..c3fc303 100644 > --- a/classes/swupdate-img.bbclass > +++ b/classes/swupdate.bbclass > @@ -18,9 +18,9 @@ SWU_SIGNATURE_TYPE ?= "rsa" > > IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" > > -do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}" > -do_swupdate_image[cleandirs] += "${WORKDIR}/swu" > -do_swupdate_image() { > +do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}" > +do_swupdate_binary[cleandirs] += "${WORKDIR}/swu" > +do_swupdate_binary() { > rm -f '${SWU_IMAGE_FILE}' > cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' > > @@ -91,4 +91,4 @@ do_swupdate_image() { > cd - > } > > -addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template > +addtask swupdate_binary before do_build after do_deploy do_copy_boot_files do_install_imager_deps do_transform_template > diff --git a/classes/verity-img.bbclass b/classes/verity.bbclass > similarity index 78% > rename from classes/verity-img.bbclass > rename to classes/verity.bbclass > index b7d7f08..bbc57b0 100644 > --- a/classes/verity-img.bbclass > +++ b/classes/verity.bbclass 
> @@ -8,13 +8,16 @@ > # > # SPDX-License-Identifier: MIT > # > - Unrelated whitespace change. > VERITY_IMAGE_TYPE ?= "squashfs" > > -inherit ${VERITY_IMAGE_TYPE}-img > +inherit ${VERITY_IMAGE_TYPE} > + > +IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}" > +IMAGE_TYPEDEP_wic += "verity" > +IMAGER_INSTALL_verity += "cryptsetup" > > -VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img" > -VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" > +VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}" > +VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity" > VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata" > VERITY_HASH_BLOCK_SIZE ?= "1024" > VERITY_DATA_BLOCK_SIZE ?= "1024" > @@ -37,14 +40,28 @@ create_verity_env_file() { > done < $input > } > > -verity_setup() { > +python calculate_verity_data_blocks() { > + import os > + > + image_file = os.path.join( > + d.getVar("DEPLOY_DIR_IMAGE"), > + d.getVar("VERITY_INPUT_IMAGE") > + ) > + data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) > + size = os.stat(image_file).st_size > + assert size % data_block_size == 0, f"image is not well-sized!" > + d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) > + d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) > +} > +do_image_verity[cleandirs] = "${WORKDIR}/verity" > +do_image_verity[prefuncs] = "calculate_verity_data_blocks" > +IMAGE_CMD_verity() { > rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} > rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} > > cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} > > - image_do_mounts > - sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \ > + ${SUDO_CHROOT} /sbin/veritysetup format \ > --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \ > --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \ > --data-blocks "${VERITY_DATA_BLOCKS}" \ 
> @@ -55,23 +72,5 @@ verity_setup() { > > echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \ > >>"${WORKDIR}/${VERITY_IMAGE_METADATA}" > + create_verity_env_file > } > - > -do_verity_image[cleandirs] = "${WORKDIR}/verity" > -python do_verity_image() { > - import os > - > - image_file = os.path.join( > - d.getVar("DEPLOY_DIR_IMAGE"), > - d.getVar("VERITY_INPUT_IMAGE") > - ) > - data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) > - size = os.stat(image_file).st_size > - assert size % data_block_size == 0, f"image is not well-sized!" > - d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) > - d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) > - > - bb.build.exec_func('verity_setup', d) > - bb.build.exec_func('create_verity_env_file', d) > -} > -addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image > diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml > index 3f2a794..2822cef 100644 > --- a/kas/opt/ebg-secure-boot-snakeoil.yml > +++ b/kas/opt/ebg-secure-boot-snakeoil.yml > @@ -23,7 +23,8 @@ local_conf_header: > IMAGE_INSTALL_append = " swupdate-handler-roundrobin" > > secure-boot-image: | > - IMAGE_FSTYPES = "secure-wic-swu-img" > + IMAGE_CLASSES += "verity" > + IMAGE_FSTYPES = "wic" > WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" > INITRAMFS_INSTALL_append = " initramfs-verity-hook" > > diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml > index 72429c6..c2bd15c 100644 > --- a/kas/opt/swupdate.yml > +++ b/kas/opt/swupdate.yml > @@ -23,5 +23,7 @@ local_conf_header: > CIP_IMAGE_OPTIONS_append = " swupdate.inc" > > wic-swu: | > + IMAGE_CLASSES += "squashfs" > + IMAGE_TYPEDEP_wic += "squashfs" > IMAGE_FSTYPES = "wic" > WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in" > diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl > index f5cafeb..1eb7758 100644 > --- a/recipes-core/images/files/sw-description.tmpl 
> +++ b/recipes-core/images/files/sw-description.tmpl > @@ -16,7 +16,6 @@ software = > filename = "${ROOTFS_PARTITION_NAME}"; > device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002"; > type = "roundrobin"; > - compressed = "zlib"; Why that? Looks at least unrelated. > filesystem = "ext4"; > properties: { > subtype = "image"; > diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc > index 64887df..2ec767f 100644 > --- a/recipes-core/images/swupdate.inc > +++ b/recipes-core/images/swupdate.inc > @@ -8,10 +8,12 @@ > # > # SPDX-License-Identifier: MIT > # Please add a blank line here. > +inherit swupdate > +inherit read-only-rootfs > > -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" > +ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4" > > -ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz" > +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" > > SRC_URI += "file://sw-description.tmpl" > TEMPLATE_FILES += "sw-description.tmpl" > diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb > index f0d2d68..60ee8da 100644 > --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb > +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb > @@ -28,7 +28,7 @@ VERITY_IMAGE_RECIPE ?= "cip-core-image" > > VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env" > > -do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image" > +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity" > do_install[cleandirs] += " \ > ${D}/usr/share/initramfs-tools/hooks \ > ${D}/usr/share/verity-env \ > diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in > index e097eac..0e298bc 100644 > --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in 
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in > @@ -1,7 +1,7 @@ > include ebg-signed-sysparts.inc > > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" > > # home and var are extra partitions > part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G > diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in > index b3bbed4..3b8dadd 100644 > --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in > +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in > @@ -1,7 +1,7 @@ > include ebg-signed-sysparts.inc > > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" > > # home and var are extra partitions > part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G 
> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in > index f60ebcf..c71253d 100644 > --- a/wic/x86-efibootguard.wks.in > +++ b/wic/x86-efibootguard.wks.in > @@ -3,8 +3,8 @@ > > include ebg-sysparts.inc > > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" > -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" > +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" > > # home and var are extra partitions > part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G Jan
On 6/7/22 09:32, Jan Kiszka wrote: > On 03.06.22 13:56, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> The image types wic-swu-img and secure-wic-swu-img were removed. >> Rename `squashfs-img` to squashfs according new naming scheme. >> >> To use squashfs include: >> >> IMAGE_CLASSES += "squashfs" >> IMAGE_TYPEDEP_wic += "squashfs" > > Now that squashfs is converted, that class should be pushed to Isar > soon. Will "just" need a test case there. > The testcase can also be a seperated rootfs for qemu. >> >> The modifications for a read-only root file system are now part >> of a bbclass which can be include directly into the image >> recipe. >> >> The modifications to generate a SWUpdate update package are >> also no longer part of the image build process and in a seperate >> bbclass. This class needs to be included in the image recipe. >> >> To create a verity based image to following line need to be added >> to the local.conf or similar configuration: >> >> IMAGE_CLASSES += "verity" > > Maybe verity could go upstream as well, though it is more specific and > may not make too much sense without the full image integration. Still, > worth to think about it. 
> >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> ...u-img.bbclass => read-only-rootfs.bbclass} | 11 +--- >> classes/secure-wic-swu-img.bbclass | 15 ------ >> ...{squashfs-img.bbclass => squashfs.bbclass} | 15 ++---- >> ...{swupdate-img.bbclass => swupdate.bbclass} | 8 +-- >> .../{verity-img.bbclass => verity.bbclass} | 51 +++++++++---------- >> kas/opt/ebg-secure-boot-snakeoil.yml | 3 +- >> kas/opt/swupdate.yml | 2 + >> recipes-core/images/files/sw-description.tmpl | 1 - >> recipes-core/images/swupdate.inc | 6 ++- >> .../initramfs-verity-hook_0.1.bb | 2 +- >> wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +- >> wic/qemu-arm64-efibootguard-secureboot.wks.in | 4 +- >> wic/x86-efibootguard.wks.in | 4 +- >> 13 files changed, 50 insertions(+), 76 deletions(-) >> rename classes/{wic-swu-img.bbclass => read-only-rootfs.bbclass} (75%) >> delete mode 100644 classes/secure-wic-swu-img.bbclass >> rename classes/{squashfs-img.bbclass => squashfs.bbclass} (66%) >> rename classes/{swupdate-img.bbclass => swupdate.bbclass} (92%) >> rename classes/{verity-img.bbclass => verity.bbclass} (78%) >> >> diff --git a/classes/wic-swu-img.bbclass b/classes/read-only-rootfs.bbclass >> similarity index 75% >> rename from classes/wic-swu-img.bbclass >> rename to classes/read-only-rootfs.bbclass >> index 41b2164..6f91f66 100644 >> --- a/classes/wic-swu-img.bbclass >> +++ b/classes/read-only-rootfs.bbclass > > There is still a "wic" relationship in this class, no? I can rename it to wic-read-only-rootfs. only the following line is wic specific. `` do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" `` 
> >> @@ -9,16 +9,10 @@ >> # SPDX-License-Identifier: MIT >> # >> >> -SQUASHFS_EXCLUDE_DIRS += "home var" >> - >> -inherit squashfs-img >> -inherit wic-img >> -inherit swupdate-img >> - >> INITRAMFS_RECIPE ?= "cip-core-initramfs" >> INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" >> >> -do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" >> +do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" >> >> IMAGE_INSTALL += "home-fs" >> IMAGE_INSTALL += "tmp-fs" >> @@ -37,6 +31,3 @@ devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 >> EOF >> } >> >> -addtask do_wic_image after do_squashfs_image >> - >> -addtask do_swupdate_image after do_wic_image >> diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass >> deleted file mode 100644 >> index 5e8e48a..0000000 >> --- a/classes/secure-wic-swu-img.bbclass >> +++ /dev/null >> @@ -1,15 +0,0 @@ >> -# >> -# CIP Core, generic profile >> -# >> -# Copyright (c) Siemens AG, 2021-2022 >> -# >> -# Authors: >> -# Quirin Gylstorff <quirin.gylstorff@siemens.com> >> -# >> -# SPDX-License-Identifier: MIT >> -# >> - >> -inherit verity-img >> -inherit wic-swu-img >> - >> -addtask do_wic_image after do_verity_image >> diff --git a/classes/squashfs-img.bbclass b/classes/squashfs.bbclass >> similarity index 66% >> rename from classes/squashfs-img.bbclass >> rename to classes/squashfs.bbclass >> index c22d7d6..376ddfe 100644 >> --- a/classes/squashfs-img.bbclass >> +++ b/classes/squashfs.bbclass >> @@ -9,9 +9,7 @@ >> # SPDX-License-Identifier: MIT >> # >> >> -SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img" >> - >> -IMAGER_INSTALL += "squashfs-tools" >> +IMAGER_INSTALL_squashfs += "squashfs-tools" >> >> SQUASHFS_EXCLUDE_DIRS ?= "" >> SQUASHFS_CONTENT ?= "${PP_ROOTFS}" 
>> @@ -29,14 +27,11 @@ python __anonymous() { >> d.appendVar('SQUASHFS_CREATION_ARGS', args) >> } >> >> -do_squashfs_image[dirs] = "${DEPLOY_DIR_IMAGE}" >> -do_squashfs_image() { >> +IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template" >> +IMAGE_CMD_squashfs() { >> rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}' >> >> - image_do_mounts >> - >> - sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \ >> - "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \ >> + ${SUDO_CHROOT} /bin/mksquashfs \ >> + '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ >> ${SQUASHFS_CREATION_ARGS} >> } >> -addtask do_squashfs_image before do_image after do_image_tools do_excl_directories >> diff --git a/classes/swupdate-img.bbclass b/classes/swupdate.bbclass >> similarity index 92% >> rename from classes/swupdate-img.bbclass >> rename to classes/swupdate.bbclass >> index 1437c07..c3fc303 100644 >> --- a/classes/swupdate-img.bbclass >> +++ b/classes/swupdate.bbclass >> @@ -18,9 +18,9 @@ SWU_SIGNATURE_TYPE ?= "rsa" >> >> IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" >> >> -do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}" >> -do_swupdate_image[cleandirs] += "${WORKDIR}/swu" >> -do_swupdate_image() { >> +do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}" >> +do_swupdate_binary[cleandirs] += "${WORKDIR}/swu" >> +do_swupdate_binary() { >> rm -f '${SWU_IMAGE_FILE}' >> cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' >> >> @@ -91,4 +91,4 @@ do_swupdate_image() { >> cd - >> } >> >> -addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template >> +addtask swupdate_binary before do_build after do_deploy do_copy_boot_files do_install_imager_deps do_transform_template 
>> diff --git a/classes/verity-img.bbclass b/classes/verity.bbclass >> similarity index 78% >> rename from classes/verity-img.bbclass >> rename to classes/verity.bbclass >> index b7d7f08..bbc57b0 100644 >> --- a/classes/verity-img.bbclass >> +++ b/classes/verity.bbclass >> @@ -8,13 +8,16 @@ >> # >> # SPDX-License-Identifier: MIT >> # >> - > > Unrelated whitespace change. > Will remove in v2 >> VERITY_IMAGE_TYPE ?= "squashfs" >> >> -inherit ${VERITY_IMAGE_TYPE}-img >> +inherit ${VERITY_IMAGE_TYPE} >> + >> +IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}" >> +IMAGE_TYPEDEP_wic += "verity" >> +IMAGER_INSTALL_verity += "cryptsetup" >> >> -VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img" >> -VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" >> +VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}" >> +VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity" >> VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata" >> VERITY_HASH_BLOCK_SIZE ?= "1024" >> VERITY_DATA_BLOCK_SIZE ?= "1024" 
>> @@ -37,14 +40,28 @@ create_verity_env_file() { >> done < $input >> } >> >> -verity_setup() { >> +python calculate_verity_data_blocks() { >> + import os >> + >> + image_file = os.path.join( >> + d.getVar("DEPLOY_DIR_IMAGE"), >> + d.getVar("VERITY_INPUT_IMAGE") >> + ) >> + data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) >> + size = os.stat(image_file).st_size >> + assert size % data_block_size == 0, f"image is not well-sized!" >> + d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) >> + d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) >> +} >> +do_image_verity[cleandirs] = "${WORKDIR}/verity" >> +do_image_verity[prefuncs] = "calculate_verity_data_blocks" >> +IMAGE_CMD_verity() { >> rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} >> rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} >> >> cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} >> >> - image_do_mounts >> - sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \ >> + ${SUDO_CHROOT} /sbin/veritysetup format \ >> --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \ >> --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \ >> --data-blocks "${VERITY_DATA_BLOCKS}" \ 
>> @@ -55,23 +72,5 @@ verity_setup() { >> >> echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \ >> >>"${WORKDIR}/${VERITY_IMAGE_METADATA}" >> + create_verity_env_file >> } >> - >> -do_verity_image[cleandirs] = "${WORKDIR}/verity" >> -python do_verity_image() { >> - import os >> - >> - image_file = os.path.join( >> - d.getVar("DEPLOY_DIR_IMAGE"), >> - d.getVar("VERITY_INPUT_IMAGE") >> - ) >> - data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) >> - size = os.stat(image_file).st_size >> - assert size % data_block_size == 0, f"image is not well-sized!" >> - d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) >> - d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) >> - >> - bb.build.exec_func('verity_setup', d) >> - bb.build.exec_func('create_verity_env_file', d) >> -} >> -addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image >> diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml >> index 3f2a794..2822cef 100644 >> --- a/kas/opt/ebg-secure-boot-snakeoil.yml >> +++ b/kas/opt/ebg-secure-boot-snakeoil.yml >> @@ -23,7 +23,8 @@ local_conf_header: >> IMAGE_INSTALL_append = " swupdate-handler-roundrobin" >> >> secure-boot-image: | >> - IMAGE_FSTYPES = "secure-wic-swu-img" >> + IMAGE_CLASSES += "verity" >> + IMAGE_FSTYPES = "wic" >> WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" >> INITRAMFS_INSTALL_append = " initramfs-verity-hook" >> >> diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml >> index 72429c6..c2bd15c 100644 >> --- a/kas/opt/swupdate.yml >> +++ b/kas/opt/swupdate.yml >> @@ -23,5 +23,7 @@ local_conf_header: >> CIP_IMAGE_OPTIONS_append = " swupdate.inc" >> >> wic-swu: | >> + IMAGE_CLASSES += "squashfs" >> + IMAGE_TYPEDEP_wic += "squashfs" >> IMAGE_FSTYPES = "wic" >> WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in" >> diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl >> index f5cafeb..1eb7758 100644 
>> --- a/recipes-core/images/files/sw-description.tmpl >> +++ b/recipes-core/images/files/sw-description.tmpl >> @@ -16,7 +16,6 @@ software = >> filename = "${ROOTFS_PARTITION_NAME}"; >> device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002"; >> type = "roundrobin"; >> - compressed = "zlib"; > > Why that? Looks at least unrelated. > This was a workaround during develop and should have been remove. Will be revert to the origin in v2. >> filesystem = "ext4"; >> properties: { >> subtype = "image"; >> diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc >> index 64887df..2ec767f 100644 >> --- a/recipes-core/images/swupdate.inc >> +++ b/recipes-core/images/swupdate.inc >> @@ -8,10 +8,12 @@ >> # >> # SPDX-License-Identifier: MIT >> # > > Please add a blank line here. Done > >> +inherit swupdate >> +inherit read-only-rootfs >> >> -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" >> +ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4" >> >> -ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz" >> +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" >> >> SRC_URI += "file://sw-description.tmpl" >> TEMPLATE_FILES += "sw-description.tmpl" >> diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb >> index f0d2d68..60ee8da 100644 >> --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb >> +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb >> @@ -28,7 +28,7 @@ VERITY_IMAGE_RECIPE ?= "cip-core-image" >> >> VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env" >> >> -do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image" >> +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity" >> do_install[cleandirs] += " \ >> ${D}/usr/share/initramfs-tools/hooks \ >> ${D}/usr/share/verity-env \ 
>> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in >> index e097eac..0e298bc 100644 >> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in >> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in >> @@ -1,7 +1,7 @@ >> include ebg-signed-sysparts.inc >> >> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" >> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" >> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" >> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" >> >> # home and var are extra partitions >> part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G >> diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in >> index b3bbed4..3b8dadd 100644 >> --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in >> +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in 
>> @@ -1,7 +1,7 @@ >> include ebg-signed-sysparts.inc >> >> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" >> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" >> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" >> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" >> >> # home and var are extra partitions >> part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G >> diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in >> index f60ebcf..c71253d 100644 >> --- a/wic/x86-efibootguard.wks.in >> +++ b/wic/x86-efibootguard.wks.in >> @@ -3,8 +3,8 @@ >> >> include ebg-sysparts.inc >> >> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" >> -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" >> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" >> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" >> >> # home and var are extra partitions >> part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G > > Jan > Quirin
diff --git a/classes/wic-swu-img.bbclass b/classes/read-only-rootfs.bbclass similarity index 75% rename from classes/wic-swu-img.bbclass rename to classes/read-only-rootfs.bbclass index 41b2164..6f91f66 100644 --- a/classes/wic-swu-img.bbclass +++ b/classes/read-only-rootfs.bbclass @@ -9,16 +9,10 @@ # SPDX-License-Identifier: MIT # -SQUASHFS_EXCLUDE_DIRS += "home var" - -inherit squashfs-img -inherit wic-img -inherit swupdate-img - INITRAMFS_RECIPE ?= "cip-core-initramfs" INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" -do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" +do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" IMAGE_INSTALL += "home-fs" IMAGE_INSTALL += "tmp-fs" @@ -37,6 +31,3 @@ devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 EOF } -addtask do_wic_image after do_squashfs_image - -addtask do_swupdate_image after do_wic_image diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass deleted file mode 100644 index 5e8e48a..0000000 --- a/classes/secure-wic-swu-img.bbclass +++ /dev/null @@ -1,15 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2021-2022 -# -# Authors: -# Quirin Gylstorff <quirin.gylstorff@siemens.com> -# -# SPDX-License-Identifier: MIT -# - -inherit verity-img -inherit wic-swu-img - -addtask do_wic_image after do_verity_image diff --git a/classes/squashfs-img.bbclass b/classes/squashfs.bbclass similarity index 66% rename from classes/squashfs-img.bbclass rename to classes/squashfs.bbclass index c22d7d6..376ddfe 100644 --- a/classes/squashfs-img.bbclass +++ b/classes/squashfs.bbclass @@ -9,9 +9,7 @@ # SPDX-License-Identifier: MIT # -SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img" - -IMAGER_INSTALL += "squashfs-tools" +IMAGER_INSTALL_squashfs += "squashfs-tools" SQUASHFS_EXCLUDE_DIRS ?= "" SQUASHFS_CONTENT ?= "${PP_ROOTFS}" 
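Review bot: Dropping `SQUASHFS_EXCLUDE_DIRS += "home var"` in the first hunk of read-only-rootfs.bbclass leaves nothing visible in this patch that sets it again, and squashfs.bbclass defaults it to an empty string. If it is not restored elsewhere, the contents of /home and /var would be packed into the read-only root image, even though the wks files create separate partitions for them. Consider keeping `SQUASHFS_EXCLUDE_DIRS += "home var"` in this class, or setting it next to `IMAGE_CLASSES += "squashfs"` in kas/opt/swupdate.yml.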
@@ -29,14 +27,11 @@ python __anonymous() { d.appendVar('SQUASHFS_CREATION_ARGS', args) } -do_squashfs_image[dirs] = "${DEPLOY_DIR_IMAGE}" -do_squashfs_image() { +IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template" +IMAGE_CMD_squashfs() { rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}' - image_do_mounts - - sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \ - "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \ + ${SUDO_CHROOT} /bin/mksquashfs \ + '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ ${SQUASHFS_CREATION_ARGS} } -addtask do_squashfs_image before do_image after do_image_tools do_excl_directories diff --git a/classes/swupdate-img.bbclass b/classes/swupdate.bbclass similarity index 92% rename from classes/swupdate-img.bbclass rename to classes/swupdate.bbclass index 1437c07..c3fc303 100644 --- a/classes/swupdate-img.bbclass +++ b/classes/swupdate.bbclass @@ -18,9 +18,9 @@ SWU_SIGNATURE_TYPE ?= "rsa" IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" -do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}" -do_swupdate_image[cleandirs] += "${WORKDIR}/swu" -do_swupdate_image() { +do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}" +do_swupdate_binary[cleandirs] += "${WORKDIR}/swu" +do_swupdate_binary() { rm -f '${SWU_IMAGE_FILE}' cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' @@ -91,4 +91,4 @@ do_swupdate_image() { cd - } -addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template +addtask swupdate_binary before do_build after do_deploy do_copy_boot_files do_install_imager_deps do_transform_template diff --git a/classes/verity-img.bbclass b/classes/verity.bbclass similarity index 78% rename from classes/verity-img.bbclass rename to classes/verity.bbclass index b7d7f08..bbc57b0 100644 --- a/classes/verity-img.bbclass +++ b/classes/verity.bbclass 
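Review bot: The `rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'` line kept in `IMAGE_CMD_squashfs` refers to a variable whose definition the first hunk of this file removes. Unless `SQUASHFS_IMAGE_FILE` is set somewhere outside the visible lines, the cleanup no longer matches the file that `mksquashfs` writes to `${IMAGE_FILE_CHROOT}`. By default `mksquashfs` appends to an existing destination, so a leftover image from an earlier build could end up in the new root filesystem, and from there in the verity-hashed image, unless `SQUASHFS_CREATION_ARGS` carries `-noappend` or the image class removes the file first. Pointing the cleanup at the new name would close this, e.g. `rm -f '${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.squashfs'`.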
@@ -8,13 +8,16 @@ # # SPDX-License-Identifier: MIT # - VERITY_IMAGE_TYPE ?= "squashfs" -inherit ${VERITY_IMAGE_TYPE}-img +inherit ${VERITY_IMAGE_TYPE} + +IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}" +IMAGE_TYPEDEP_wic += "verity" +IMAGER_INSTALL_verity += "cryptsetup" -VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img" -VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" +VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}" +VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity" VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata" VERITY_HASH_BLOCK_SIZE ?= "1024" VERITY_DATA_BLOCK_SIZE ?= "1024" @@ -37,14 +40,28 @@ create_verity_env_file() { done < $input } -verity_setup() { +python calculate_verity_data_blocks() { + import os + + image_file = os.path.join( + d.getVar("DEPLOY_DIR_IMAGE"), + d.getVar("VERITY_INPUT_IMAGE") + ) + data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) + size = os.stat(image_file).st_size + assert size % data_block_size == 0, f"image is not well-sized!" + d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) + d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) +} +do_image_verity[cleandirs] = "${WORKDIR}/verity" +do_image_verity[prefuncs] = "calculate_verity_data_blocks" +IMAGE_CMD_verity() { rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} - image_do_mounts - sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \ + ${SUDO_CHROOT} /sbin/veritysetup format \ --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \ --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \ --data-blocks "${VERITY_DATA_BLOCKS}" \ 
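Review bot: In `calculate_verity_data_blocks` the size check is an `assert`, which Python drops when it runs with optimisation enabled, and its f-string message has no placeholders. The check matters for integrity: if the input image were not a multiple of `VERITY_DATA_BLOCK_SIZE`, `size // data_block_size` would round down and the tail of the image would fall outside the blocks passed to `veritysetup format --data-blocks`. An explicit failure that names the values is more robust, for example `if size % data_block_size: bb.fatal(f"{image_file}: size {size} is not a multiple of VERITY_DATA_BLOCK_SIZE ({data_block_size})")`.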
@@ -55,23 +72,5 @@ verity_setup() { echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \ >>"${WORKDIR}/${VERITY_IMAGE_METADATA}" + create_verity_env_file } - -do_verity_image[cleandirs] = "${WORKDIR}/verity" -python do_verity_image() { - import os - - image_file = os.path.join( - d.getVar("DEPLOY_DIR_IMAGE"), - d.getVar("VERITY_INPUT_IMAGE") - ) - data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) - size = os.stat(image_file).st_size - assert size % data_block_size == 0, f"image is not well-sized!" - d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) - d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) - - bb.build.exec_func('verity_setup', d) - bb.build.exec_func('create_verity_env_file', d) -} -addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index 3f2a794..2822cef 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -23,7 +23,8 @@ local_conf_header: IMAGE_INSTALL_append = " swupdate-handler-roundrobin" secure-boot-image: | - IMAGE_FSTYPES = "secure-wic-swu-img" + IMAGE_CLASSES += "verity" + IMAGE_FSTYPES = "wic" WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" INITRAMFS_INSTALL_append = " initramfs-verity-hook" diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index 72429c6..c2bd15c 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml @@ -23,5 +23,7 @@ local_conf_header: CIP_IMAGE_OPTIONS_append = " swupdate.inc" wic-swu: | + IMAGE_CLASSES += "squashfs" + IMAGE_TYPEDEP_wic += "squashfs" IMAGE_FSTYPES = "wic" WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in" diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl index f5cafeb..1eb7758 100644 --- a/recipes-core/images/files/sw-description.tmpl +++ b/recipes-core/images/files/sw-description.tmpl 
@@ -16,7 +16,6 @@ software = filename = "${ROOTFS_PARTITION_NAME}"; device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002"; type = "roundrobin"; - compressed = "zlib"; filesystem = "ext4"; properties: { subtype = "image"; diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 64887df..2ec767f 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -8,10 +8,12 @@ # # SPDX-License-Identifier: MIT # +inherit swupdate +inherit read-only-rootfs -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4" -ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz" +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" SRC_URI += "file://sw-description.tmpl" TEMPLATE_FILES += "sw-description.tmpl" diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb index f0d2d68..60ee8da 100644 --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb @@ -28,7 +28,7 @@ VERITY_IMAGE_RECIPE ?= "cip-core-image" VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env" -do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image" +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity" do_install[cleandirs] += " \ ${D}/usr/share/initramfs-tools/hooks \ ${D}/usr/share/verity-env \ diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index e097eac..0e298bc 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in 
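Review bot: `ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4"` in swupdate.inc hard-codes a partition index that only holds for the current wic layouts, and nothing in the file says so. The partitions that come before the two root filesystem entries are defined in the included sysparts files, which are not visible here. If that layout changes, the update package would presumably ship a different partition without any build error. A comment next to the assignment would record the coupling, e.g. `# p4 must be the first rootfs partition of the WKS_FILE layout; update when the partition table changes`.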
@@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" # home and var are extra partitions part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in index b3bbed4..3b8dadd 100644 --- a/wic/qemu-arm64-efibootguard-secureboot.wks.in +++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in @@ -1,7 +1,7 @@ include ebg-signed-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" # home and var are extra partitions part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in index f60ebcf..c71253d 100644 
--- a/wic/x86-efibootguard.wks.in +++ b/wic/x86-efibootguard.wks.in @@ -3,8 +3,8 @@ include ebg-sysparts.inc -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" # home and var are extra partitions part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G