Message ID | 20211112115017.401779-5-Quirin.Gylstorff@siemens.com
---|---
State | Handled Elsewhere
Series | Read-only root file system with dm-verity
On 12.11.21 12:50, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> CIP Kernel Config does not contain support for dm-verity
> squashfs. Overlay_FS support is added for etc-overlay.
>

This should be quickly addressed by expanding the configs of all boards
we want to enable this way. Start with QEMU and the IPCs. Otherwise, we
risk to ignore this subsystem /wrt CVEs.

> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  recipes-kernel/linux/files/verity.cfg     | 5 +++++
>  recipes-kernel/linux/linux-cip-common.inc | 6 ++++++
>  2 files changed, 11 insertions(+)
>  create mode 100644 recipes-kernel/linux/files/verity.cfg
>
> diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
> new file mode 100644
> index 0000000..35d8208
> --- /dev/null
> +++ b/recipes-kernel/linux/files/verity.cfg
> @@ -0,0 +1,5 @@
> +CONFIG_BLK_DEV_DM=y
> +CONFIG_DM_VERITY=y
> +CONFIG_DM_CRYPT=y
> +CONFIG_SQUASHFS=y
> +CONFIG_OVERLAY_FS=y
> diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
> index 1afec88..0792371 100644
> --- a/recipes-kernel/linux/linux-cip-common.inc
> +++ b/recipes-kernel/linux/linux-cip-common.inc
> @@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
>  SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
>
>  S = "${WORKDIR}/linux-cip-v${PV}"
> +
> +SRC_URI += "file://verity.cfg"
> +
> +do_prepare_build_prepend() {
> +    cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}
> +}
>

This should be appended conditionally, when building a secure image, I
would say.

Jan
On 11/12/21 1:46 PM, Jan Kiszka wrote:
> On 12.11.21 12:50, Q. Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> CIP Kernel Config does not contain support for dm-verity
>> squashfs. Overlay_FS support is added for etc-overlay.
>>
>
> This should be quickly addressed by expanding the configs of all boards
> we want to enable this way. Start with QEMU and the IPCs. Otherwise, we
> risk to ignore this subsystem /wrt CVEs.

I send a patch series for qemu and ipc to the mailing list.

Quirin

>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>  recipes-kernel/linux/files/verity.cfg     | 5 +++++
>>  recipes-kernel/linux/linux-cip-common.inc | 6 ++++++
>>  2 files changed, 11 insertions(+)
>>  create mode 100644 recipes-kernel/linux/files/verity.cfg
>>
>> diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
>> new file mode 100644
>> index 0000000..35d8208
>> --- /dev/null
>> +++ b/recipes-kernel/linux/files/verity.cfg
>> @@ -0,0 +1,5 @@
>> +CONFIG_BLK_DEV_DM=y
>> +CONFIG_DM_VERITY=y
>> +CONFIG_DM_CRYPT=y
>> +CONFIG_SQUASHFS=y
>> +CONFIG_OVERLAY_FS=y
>> diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
>> index 1afec88..0792371 100644
>> --- a/recipes-kernel/linux/linux-cip-common.inc
>> +++ b/recipes-kernel/linux/linux-cip-common.inc
>> @@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
>>  SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
>>
>>  S = "${WORKDIR}/linux-cip-v${PV}"
>> +
>> +SRC_URI += "file://verity.cfg"
>> +
>> +do_prepare_build_prepend() {
>> +    cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}
>> +}
>>
>
> This should be appended conditionally, when building a secure image, I
> would say.
>
> Jan
>
diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg new file mode 100644 index 0000000..35d8208 --- /dev/null +++ b/recipes-kernel/linux/files/verity.cfg @@ -0,0 +1,5 @@ +CONFIG_BLK_DEV_DM=y +CONFIG_DM_VERITY=y +CONFIG_DM_CRYPT=y +CONFIG_SQUASHFS=y +CONFIG_OVERLAY_FS=y diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 1afec88..0792371 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc @@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}" SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e" S = "${WORKDIR}/linux-cip-v${PV}" + +SRC_URI += "file://verity.cfg" + +do_prepare_build_prepend() { + cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG} +}
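Review bot: In the verity.cfg hunk, CONFIG_BLK_DEV_DM (and with it CONFIG_DM_VERITY and CONFIG_DM_CRYPT) sits under `menuconfig MD` in drivers/md/Kconfig, so on any board whose defconfig does not already set CONFIG_MD=y these three options will be silently dropped when the appended defconfig is resolved, and the image will boot without dm-verity rather than fail the build; add `CONFIG_MD=y` to the fragment and have the build check the resulting .config for the options it relies on. Separately, CONFIG_DM_CRYPT=y is not explained by the commit message, which only names dm-verity, squashfs and overlayfs; either say why it is part of a read-only verified rootfs or drop it.

Review bot: In the linux-cip-common.inc hunk, `SRC_URI += "file://verity.cfg"` and the `do_prepare_build_prepend()` append are unconditional, so every image built from this include gets the verity fragment whether or not it uses a verified rootfs; as Jan notes, gate both on the secure-image configuration so that the kernel config only grows where the feature is actually enabled. Also, the surrounding context line `SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"` suggests only some boards fetch their defconfig into ${WORKDIR}; confirm that `${WORKDIR}/${KERNEL_DEFCONFIG}` exists for every board, since `cat ... >>` will otherwise create a new, unused file instead of reporting an error, and quote both paths.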