From patchwork Fri Aug 21 09:55:54 2020
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 11728719
From: "Quirin Gylstorff"
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Quirin Gylstorff
Subject: [cip-dev][isar-cip-core][PATCH v4 1/6] linux-cip: Update revision of kernel config
Date: Fri, 21 Aug 2020 11:55:54 +0200
Message-Id: <20200821095559.28467-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>
References: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

Update the kernel configuration to the latest version to avoid a qemu runtime error.

Signed-off-by: Quirin Gylstorff
---
 recipes-kernel/linux/linux-cip-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index d45a3b0..0c76835 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -26,4 +26,4 @@ SRC_URI += " \ SRC_URI_append = " ${@conditional("USE_CIP_KERNEL_CONFIG", "1", \ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;destsuffix=cip-kernel-config;name=cip-kernel-config", \ "file://${KERNEL_DEFCONFIG}",d)}" -SRCREV_cip-kernel-config ?= "db2085219b5f28ed7c3e0fbdf93b7867947958a8" +SRCREV_cip-kernel-config ?= "ca24d965adf77730caf1cd32bdfcffd69e369502"

From patchwork Fri Aug 21 09:55:55 2020
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 11728723
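Review bot: the commit message of patch 1/6 gives no way to verify this SRCREV_cip-kernel-config move (db2085219b5f28ed7c3e0fbdf93b7867947958a8 to ca24d965adf77730caf1cd32bdfcffd69e369502): say which qemu runtime error it avoids and which cip-kernel-config commit or config option fixes it, so the bump can be audited without checking out both revisions. Note also that the assignment is `?=`, so a layer or local.conf that already sets SRCREV_cip-kernel-config keeps the old revision together with the error; either mention that in the message or use `=` if the new revision is required.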
From: "Quirin Gylstorff"
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Quirin Gylstorff
Subject: [cip-dev][isar-cip-core][PATCH v4 2/6] isar-patch: Add initramfs-config patch
Date: Fri, 21 Aug 2020 11:55:55 +0200
Message-Id: <20200821095559.28467-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>
References: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

Adapt the initramfs generation to set, for example, the root device in the initramfs.

Signed-off-by: Quirin Gylstorff
---
 .../0001-u-boot-add-libubootenv.patch | 161 +++++++-------
 ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++
 kas-cip.yml | 3 +
 3 files changed, 290 insertions(+), 81 deletions(-)
 create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch

diff --git a/isar-patches/0001-u-boot-add-libubootenv.patch b/isar-patches/0001-u-boot-add-libubootenv.patch
index 10a5b4a..6002cf1 100644
--- a/isar-patches/0001-u-boot-add-libubootenv.patch
+++ b/isar-patches/0001-u-boot-add-libubootenv.patch @@ -1,4 +1,4 @@ -From 76897e89977f895495e21e37cb76f90392d55ef9 Mon Sep 17 00:00:00 2001 +From dda00e6addc7c51862b8175d473a1ea42dcd5c9e Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Fri, 19 Jun 2020 17:00:36 +0200 Subject: [PATCH v2] u-boot: add libubootenv @@ -16,20 +16,25 @@ as both try to install fw_printenv and fw_sentenv. This conflict is not part of the control file as it breaks the installation of custom u-boot-tools from the u-boot-sources. +This patch uses dpkg-gdb to build the package from salsa.debian.org and adds +a fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967487. + 
Signed-off-by: Quirin Gylstorff --- + +Changes V2: +- use dpkg-gbd instead dpkg +- use salsa.debian.org as source +- add fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967487 + meta-isar/conf/machine/de0-nano-soc.conf | 2 +- - .../libubootenv/files/debian/compat | 1 + - .../libubootenv/files/debian/control.tmpl | 15 +++++++++ - .../libubootenv/files/debian/rules.tmpl | 24 ++++++++++++++ - .../libubootenv/libubootenv_0.2.bb | 32 +++++++++++++++++++ + .../0002-Add-support-GNUInstallDirs.patch | 48 +++++++++++++++++++ + .../libubootenv/libubootenv_0.2.bb | 30 ++++++++++++ .../files/debian/u-boot-tools.conffiles | 1 - - .../u-boot/files/debian/u-boot-tools.install | 2 -- + .../u-boot/files/debian/u-boot-tools.install | 2 - .../u-boot/files/debian/u-boot-tools.links | 1 - - 8 files changed, 73 insertions(+), 5 deletions(-) - create mode 100644 meta/recipes-bsp/libubootenv/files/debian/compat - create mode 100644 meta/recipes-bsp/libubootenv/files/debian/control.tmpl - create mode 100644 meta/recipes-bsp/libubootenv/files/debian/rules.tmpl + 6 files changed, 79 insertions(+), 5 deletions(-) + create mode 100644 meta/recipes-bsp/libubootenv/files/0002-Add-support-GNUInstallDirs.patch create mode 100644 meta/recipes-bsp/libubootenv/libubootenv_0.2.bb delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links 
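Review bot: the class name is spelled three different ways in this hunk of the nested libubootenv patch: the added description says "dpkg-gdb", the V2 changelog says "dpkg-gbd", and the recipe further down inherits dpkg-gbp. Both prose mentions should read dpkg-gbp, otherwise anyone grepping for the class will not find this patch. While the description is being edited, the pre-existing context line "fw_sentenv" should become fw_setenv.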
@@ -44,70 +49,66 @@ index 3a2c009..6558d90 100644 -IMAGE_INSTALL += "u-boot-tools u-boot-script" +IMAGE_INSTALL += "u-boot-tools libubootenv u-boot-script" -diff --git a/meta/recipes-bsp/libubootenv/files/debian/compat b/meta/recipes-bsp/libubootenv/files/debian/compat -new file mode 100644 -index 0000000..b4de394 ---- /dev/null -+++ b/meta/recipes-bsp/libubootenv/files/debian/compat -@@ -0,0 +1 @@ -+11 -diff --git a/meta/recipes-bsp/libubootenv/files/debian/control.tmpl b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl +diff --git a/meta/recipes-bsp/libubootenv/files/0002-Add-support-GNUInstallDirs.patch b/meta/recipes-bsp/libubootenv/files/0002-Add-support-GNUInstallDirs.patch new file mode 100644 -index 0000000..fade69a +index 0000000..f8c3038 
--- /dev/null -+++ b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl -@@ -0,0 +1,15 @@ -+Source: libubootenv -+Section: embedded -+Priority: optional -+Maintainer: Stefano Babic -+Build-Depends: ${BUILD_DEB_DEPENDS} -+Standards-Version: 4.2.1 -+Homepage: https://sbabic.github.io/libubootenv -+ -+Package: libubootenv -+Architecture: any -+Depends: ${DEBIAN_DEPENDS} -+Description: libubootenv is a library that provides a hardware independent -+ way to access to U-Boot environment. U-Boot has its default environment -+ compiled board-dependently and this means that tools to access the environment -+ are also board specific, too. -diff --git a/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl -new file mode 100644 -index 0000000..56ccd19 ---- /dev/null -+++ b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl -@@ -0,0 +1,24 @@ -+#!/usr/bin/make -f -+ -+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) -+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- -+export CC=$(DEB_HOST_GNU_TYPE)-gcc -+export LD=$(DEB_HOST_GNU_TYPE)-gcc -+endif -+ -+export DH_VERBOSE = 1 ++++ b/meta/recipes-bsp/libubootenv/files/0002-Add-support-GNUInstallDirs.patch +@@ -0,0 +1,48 @@ ++From b17d194bd8285a19382a902a0bec9e5e042df064 Mon Sep 17 00:00:00 2001 ++From: Nobuhiro Iwamatsu ++Date: Tue, 16 Apr 2019 08:52:01 +0900 ++Subject: [PATCH 2/4] Add support GNUInstallDirs ++ ++This adds the functionality of the module "GNUInstallDirs" to make the ++installation compatible with GNU. 
++ ++https://cmake.org/cmake/help/v3.14/module/GNUInstallDirs.html ++ ++Signed-off-by: Nobuhiro Iwamatsu ++--- ++ CMakeLists.txt | 2 ++ ++ src/CMakeLists.txt | 8 ++++---- ++ 2 files changed, 6 insertions(+), 4 deletions(-) ++ ++diff --git a/CMakeLists.txt b/CMakeLists.txt ++index 104969e..57477fc 100644 ++--- a/CMakeLists.txt +++++ b/CMakeLists.txt ++@@ -10,6 +10,8 @@ add_definitions(-DVERSION="${VERSION}") ++ ++ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99") ++ +++include("GNUInstallDirs") +++ ++ #set(CMAKE_C_FLAGS_DEBUG "-g") ++ include_directories ("${PROJECT_SOURCE_DIR}/src") ++ add_subdirectory (src) ++diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt ++index ea5979c..d97f221 100644 ++--- a/src/CMakeLists.txt +++++ b/src/CMakeLists.txt ++@@ -19,7 +19,7 @@ add_executable(fw_setenv fw_setenv.c) ++ target_link_libraries(fw_printenv ubootenv z) ++ target_link_libraries(fw_setenv ubootenv z) ++ ++-install (TARGETS ubootenv DESTINATION lib) ++-install (FILES libuboot.h DESTINATION include) ++-install (TARGETS fw_printenv DESTINATION bin) ++-install (TARGETS fw_setenv DESTINATION bin) +++install (TARGETS ubootenv DESTINATION "${CMAKE_INSTALL_LIBDIR}") +++install (FILES libuboot.h DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}") +++install (TARGETS fw_printenv DESTINATION "${CMAKE_INSTALL_BINDIR}") +++install (TARGETS fw_setenv DESTINATION "${CMAKE_INSTALL_BINDIR}") ++-- ++2.20.1 + -+export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow -+ -+override_dh_auto_configure: -+ dh_auto_configure -- -+ -+%: -+ echo $@ -+ dh $@ -+ -+override_dh_installchangelogs: -+ true -+ -+override_dh_installdocs: -+ true diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb new file mode 100644 -index 0000000..1be058c +index 0000000..995e581 --- /dev/null +++ b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb -@@ -0,0 +1,32 @@ +@@ -0,0 +1,30 @@ +# libubootenv +# +# This software is a part of ISAR. 
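Review bot: dropping debian/rules.tmpl removes the only hardening setting visible for this package (`export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow`) together with the CROSS_COMPILE/CC/LD exports used for cross builds; after this hunk those come from the salsa.debian.org debian/rules, which the patch does not show. The description should state that the Debian packaging was checked to build fw_printenv and fw_setenv with equivalent hardening and cross settings, since these binaries end up on the target image and write the U-Boot environment. It would also help to record where 0002-Add-support-GNUInstallDirs.patch comes from (its header carries commit b17d194bd8285a19382a902a0bec9e5e042df064, "[PATCH 2/4]" by Nobuhiro Iwamatsu), so the patch can be dropped once the packaging carries it.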
@@ -119,26 +120,24 @@ index 0000000..1be058c +HOMEPAGE= "https://github.com/sbabic/swupdate" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" -+SRC_URI = "gitsm://github.com/sbabic/libubootenv.git;branch=master;protocol=https" -+ -+SRCREV = "bf6ff631c0e38cede67268ceb8bf1383b5f8848e" + -+BUILD_DEB_DEPENDS = "cmake, zlib1g-dev" ++inherit dpkg-gbp + -+SRC_URI += "file://debian" -+TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl" -+TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS" -+ -+ -+inherit dpkg ++SRC_URI = "git://salsa.debian.org/debian/libubootenv.git;protocol=https \ ++ file://0002-Add-support-GNUInstallDirs.patch;apply=no " ++SRCREV = "2c7cb6d941d906dcc1d2e447cc17e418485dff12" + +S = "${WORKDIR}/git" + +do_prepare_build() { -+ DEBDIR=${S}/debian -+ install -d ${DEBDIR} -+ cp -R ${WORKDIR}/debian ${S} -+ deb_add_changelog ++ cd ${S} ++ export QUILT_PATCHES=debian/patches ++ quilt import -f ${WORKDIR}/*.patch ++ quilt push -a ++} ++ ++dpkg_runbuild_prepend() { ++ export DEB_BUILD_OPTIONS="nocheck" +} diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles deleted file mode 100644 diff --git a/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch new file mode 100644 index 0000000..f8fb28e --- /dev/null +++ b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch 
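Review bot: in the libubootenv_0.2.bb hunk, `quilt import -f ${WORKDIR}/*.patch` imports every .patch file present in WORKDIR, and `-f` overwrites a debian/patches entry of the same name without complaint; import the one file by name (`quilt import -f ${WORKDIR}/0002-Add-support-GNUInstallDirs.patch`) so that a later `file://*.patch` added to SRC_URI cannot slip into the Debian source unreviewed, and add a comment explaining why the patch is listed with `apply=no` and routed through quilt instead. `export DEB_BUILD_OPTIONS="nocheck"` in dpkg_runbuild_prepend switches off the package's own test suite; if that is required for cross builds, say so in a comment rather than leaving it unexplained. The unchanged context line `HOMEPAGE= "https://github.com/sbabic/swupdate"` still names swupdate rather than libubootenv and could be corrected in the same hunk.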
@@ -0,0 +1,207 @@ +From 7c85e2e363fd39e60bf5041d02e14e8bd62c1a68 Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff +Date: Tue, 24 Mar 2020 17:58:08 +0100 +Subject: [PATCH v7 1/3] meta/support: Generate a custom initramfs + +This package sets the Parameters for mkinitramfs/update-intramfs +before it regenerates the initrd.img of debian with a modified version. + +Use cases are the remove unnecessary kernel modules to reduce the +size of the initrd by using the parameters: +``` +INITRAMFS_MODULES = "list" +INITRAMFS_MODULE_LIST += "ext4" +``` + +Set the boot root during the initrd generation by setting `INITRAMFS_ROOT`. + +see also man pages of mkinitramfs and initramfs.conf. + +Signed-off-by: Quirin Gylstorff +--- + .../initramfs-config/initramfs-config_0.1.bb | 6 +++ + .../initramfs-config/files/control.tmpl | 12 +++++ + .../initramfs-config/files/postinst.tmpl | 50 +++++++++++++++++++ + .../initramfs-config/files/postrm.tmpl | 41 +++++++++++++++ + .../initramfs-config/initramfs-config.inc | 32 ++++++++++++ + 5 files changed, 141 insertions(+) + create mode 100644 meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb + create mode 100644 meta/recipes-support/initramfs-config/files/control.tmpl + create mode 100644 meta/recipes-support/initramfs-config/files/postinst.tmpl + create mode 100644 meta/recipes-support/initramfs-config/files/postrm.tmpl + create mode 100644 meta/recipes-support/initramfs-config/initramfs-config.inc + +diff --git a/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb +new file mode 100644 +index 0000000..c951e8a +--- /dev/null ++++ b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb +@@ -0,0 +1,6 @@ ++# ++# Copyright (C) Siemens AG, 2020 ++# ++# SPDX-License-Identifier: MIT ++ ++require recipes-support/initramfs-config/initramfs-config.inc +diff --git a/meta/recipes-support/initramfs-config/files/control.tmpl 
b/meta/recipes-support/initramfs-config/files/control.tmpl +new file mode 100644 +index 0000000..66984eb +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/control.tmpl +@@ -0,0 +1,12 @@ ++Source: ${PN} ++Section: misc ++Priority: optional ++Standards-Version: 3.9.6 ++Maintainer: isar-users ++Build-Depends: debhelper (>= 9) ++ ++ ++Package: ${PN} ++Architecture: any ++Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools-core, ${DEBIAN_DEPENDS} ++Description: Configuration files for a custom initramfs +diff --git a/meta/recipes-support/initramfs-config/files/postinst.tmpl b/meta/recipes-support/initramfs-config/files/postinst.tmpl +new file mode 100644 +index 0000000..e523906 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/postinst.tmpl +@@ -0,0 +1,50 @@ ++#!/bin/sh ++# postinst script for initramfs-config ++# ++# see: dh_installdeb(1) ++ ++set -e ++ ++case "$1" in ++ configure) ++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf ++ if [ -f ${INITRAMFS_CONF} ]; then ++ sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} ++ if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then ++ sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} ++ else ++ sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} ++ fi ++ fi ++ ++ MODULES_LIST_FILE=/etc/initramfs-tools/modules ++ if [ -f ${MODULES_LIST_FILE} ]; then ++ for modname in ${INITRAMFS_MODULE_LIST}; do ++ if ! 
grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then ++ echo "$modname" >> "${MODULES_LIST_FILE}" ++ fi ++ done ++ fi ++ ++ update-initramfs -v -u ++ ++ ;; ++ abort-upgrade|abort-remove|abort-deconfigure) ++ ;; ++ ++ *) ++ echo "postinst called with unknown argument \`$1'" >&2 ++ exit 1 ++ ;; ++esac ++# dh_installdeb will replace this with shell code automatically ++# generated by other debhelper scripts. ++#DEBHELPER# ++ ++exit 0 +diff --git a/meta/recipes-support/initramfs-config/files/postrm.tmpl b/meta/recipes-support/initramfs-config/files/postrm.tmpl +new file mode 100644 +index 0000000..115d9b6 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/files/postrm.tmpl +@@ -0,0 +1,41 @@ ++#!/bin/sh ++# postrm script for initramfs-config ++# ++# see: dh_installdeb(1) ++ ++set -e ++ ++case "$1" in ++ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ++ # back to the debian defaults ++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf ++ sed -i -E 's/(^MODULES=).*/\1most/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^BUSYBOX=).*/\1auto/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^COMPRESS=).*/\1gzip/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^KEYMAP=).*/\1n/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^DEVICE=).*/\1/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^NFSROOT=).*/\1auto/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^RUNSIZE=).*/\110%/' ${INITRAMFS_CONF} ++ sed -i -E 's/(^ROOT=).*//' ${INITRAMFS_CONF} ++ ++ # remove the added modules ++ MODULES_LIST_FILE=/etc/initramfs-tools/modules ++ for modname in ${INITRAMFS_MODULE_LIST}; do ++ sed -i -E 's/$modname//' ++ done ++ ++ update-initramfs -v -u ++ ;; ++ ++ *) ++ echo "postrm called with unknown argument \`$1'" >&2 ++ exit 1 ++ ;; ++esac ++ ++# dh_installdeb will replace this with shell code automatically ++# generated by other debhelper scripts. 
++ ++#DEBHELPER# ++ ++exit 0 +diff --git a/meta/recipes-support/initramfs-config/initramfs-config.inc b/meta/recipes-support/initramfs-config/initramfs-config.inc +new file mode 100644 +index 0000000..16049a9 +--- /dev/null ++++ b/meta/recipes-support/initramfs-config/initramfs-config.inc +@@ -0,0 +1,32 @@ ++# This software is a part of ISAR. ++# Copyright (C) 2020 Siemens AG ++# ++# SPDX-License-Identifier: MIT ++inherit dpkg-raw ++inherit template ++DESCRIPTION = "Recipe to set the initramfs configuration and generate a new ramfs" ++ ++FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:" ++ ++SRC_URI = "file://postinst.tmpl \ ++ file://postrm.tmpl \ ++ file://control.tmpl \ ++ " ++ ++INITRAMFS_MODULES ?= "most" ++INITRAMFS_BUSYBOX ?= "auto" ++INITRAMFS_COMPRESS ?= "gzip" ++INITRAMFS_KEYMAP ?= "n" ++INITRAMFS_NET_DEVICE ?= "" ++INITRAMFS_NFSROOT ?= "auto" ++INITRAMFS_RUNSIZE ?= "10%" ++INITRAMFS_ROOT ?= "" ++INITRAMFS_MODULE_LIST ?= "" ++CREATE_NEW_INITRAMFS ?= "n" ++KERNEL_PACKAGE = "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}" ++DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}" ++TEMPLATE_FILES = "postinst.tmpl control.tmpl postrm.tmpl" ++TEMPLATE_VARS += "INITRAMFS_MODULES INITRAMFS_BUSYBOX INITRAMFS_COMPRESS \ ++ INITRAMFS_KEYMAP INITRAMFS_NET_DEVICE INITRAMFS_NFSROOT \ ++ INITRAMFS_RUNSIZE INITRAMFS_ROOT INITRAMFS_MODULE_LIST \ ++ CREATE_NEW_INITRAMFS DEBIAN_DEPENDS PN" +-- +2.20.1 + diff --git a/kas-cip.yml b/kas-cip.yml index f4edd0f..66a58f1 100644 --- a/kas-cip.yml +++ b/kas-cip.yml 
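Review bot: the sed substitutions in the nested postinst.tmpl hunk use `/` as the s/// delimiter, but the values substituted at template time will often contain `/`: INITRAMFS_ROOT is a device path such as /dev/mmcblk0p2 and INITRAMFS_NFSROOT is normally host:/path, so `sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/'` becomes `s/(^ROOT=).*/\1/dev/mmcblk0p2/` and sed aborts with "unknown option to s", which under `set -e` fails the package configuration. Use a delimiter that cannot appear in a path, e.g. `s|(^ROOT=).*|\1${INITRAMFS_ROOT}|`, for all of these. In the same hunk, `grep -Fxq "ROOT="` only matches a line that is exactly "ROOT=", so once ROOT has a value the else branch appends a second ROOT= line on every reconfigure; `grep -q '^ROOT='` is what is meant.

Review bot: the module removal loop in the postrm.tmpl hunk, `sed -i -E 's/$modname//'`, is broken twice over: the single quotes keep `$modname` from expanding, and no input file is given, so sed with -i fails with "no input files" and `set -e` aborts removal of the package as soon as INITRAMFS_MODULE_LIST is non-empty. Intended is something like `sed -i -E "/^${modname}\$/d" "${MODULES_LIST_FILE}"`, guarded by the same `-f` test the postinst uses. The neighbouring `sed -i -E 's/(^ROOT=).*//'` leaves an empty line behind; `/^ROOT=/d` deletes it.

Review bot: in the initramfs-config.inc hunk, `DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}"` expands to a trailing ", " when KERNEL_NAME is unset (KERNEL_PACKAGE is then empty), which yields a Depends line ending in a comma in control.tmpl; guard the append the same way KERNEL_PACKAGE itself is guarded. CREATE_NEW_INITRAMFS is declared and passed through TEMPLATE_VARS, but none of the three templates reads it; either use it to make the `update-initramfs -v -u` call conditional or drop it. The nested commit message also has "update-intramfs" for update-initramfs and "Use cases are the remove unnecessary kernel modules" for "One use case is removing unnecessary kernel modules".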
@@ -27,6 +27,9 @@ repos: 01-libubootenv: path: isar-patches/0001-u-boot-add-libubootenv.patch repo: cip-core + 02-initramfs: + path: isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch + repo: cip-core bblayers_conf_header: standard: |

From patchwork Fri Aug 21 09:55:56 2020
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 11728721
From: "Quirin Gylstorff"
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Quirin Gylstorff
Subject: [cip-dev][isar-cip-core][PATCH v4 3/6] secure-boot: select boot partition in initramfs
Date: Fri, 21 Aug 2020 11:55:56 +0200
Message-Id: <20200821095559.28467-4-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>
References: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

As the usage of a unified kernel image freezes the kernel command line during build time, the rootfs selection for swupdate can no longer be done with the kernel command line and must be done later in the boot process.

Read the root filesystem's /etc/os-release and check if it contains the same UUID as stored in the initramfs. If the UUIDs are the same, boot the root file system.
Signed-off-by: Quirin Gylstorff
---
 classes/image_uuid.bbclass | 33 ++++++++
 .../files/initramfs.image_uuid.hook | 33 ++++++++
 .../files/initramfs.lsblk.hook | 29 +++++++
 .../initramfs-config/files/postinst.ext | 3 +
 .../initramfs-config/files/postinst.tmpl | 31 ++++++++
 .../files/secure-boot-debian-local-patch | 79 +++++++++++++++++++
 .../initramfs-abrootfs-secureboot_0.1.bb | 38 +++++++++
 7 files changed, 246 insertions(+)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
new file mode 100644
index 0000000..d5337b8
--- /dev/null
+++ b/classes/image_uuid.bbclass
@@ -0,0 +1,33 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +def generate_image_uuid(d): + import uuid + + base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True) + if base_hash is None: + return None + return str(uuid.UUID(base_hash[:32], version=4)) + +IMAGE_UUID ?= "${@generate_image_uuid(d)}" + +do_generate_image_uuid[vardeps] += "IMAGE_UUID" +do_generate_image_uuid[depends] = "buildchroot-target:do_build" +do_generate_image_uuid() { + sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' + echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ + sudo tee -a '${IMAGE_ROOTFS}/etc/os-release' + image_do_mounts + + # update initramfs to add uuid + sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u +} +addtask generate_image_uuid before do_copy_boot_files after do_rootfs_install diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook new file mode 100644 index 0000000..910ce84 --- /dev/null +++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook @@ -0,0 +1,33 @@ +# This software is a part of ISAR. +# Copyright (C) Siemens AG, 2020 +# +# SPDX-License-Identifier: MIT + +#!/bin/sh +set -x +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/scripts/functions +. /usr/share/initramfs-tools/hook-functions + +if [ ! -e /etc/os-release ]; then + echo "Warning: couldn't find /etc/os-release!" + exit 0 +fi + +IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release) +echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid" + +exit 0 \ No newline at end of file diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-support/initramfs-config/files/initramfs.lsblk.hook new file mode 100644 index 0000000..cf32404 --- /dev/null 
+++ b/recipes-support/initramfs-config/files/initramfs.lsblk.hook @@ -0,0 +1,29 @@ +# This software is a part of ISAR. +# Copyright (C) Siemens AG, 2020 +# +# SPDX-License-Identifier: MIT + +#!/bin/sh +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/scripts/functions +. /usr/share/initramfs-tools/hook-functions + +if [ ! -x /usr/bin/lsblk ]; then + echo "Warning: couldn't find /usr/bin/lsblk!" + exit 0 +fi + +copy_exec /usr/bin/lsblk diff --git a/recipes-support/initramfs-config/files/postinst.ext b/recipes-support/initramfs-config/files/postinst.ext new file mode 100644 index 0000000..cdafa74 --- /dev/null +++ b/recipes-support/initramfs-config/files/postinst.ext @@ -0,0 +1,3 @@ +if [ -d /usr/share/secureboot ]; then + patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch +fi diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl new file mode 100644 index 0000000..008f68d --- /dev/null +++ b/recipes-support/initramfs-config/files/postinst.tmpl 
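Review bot: in classes/image_uuid.bbclass earlier in this patch, generate_image_uuid() returns None when BB_BASEHASH_task-do_rootfs_install is unset, and `${@generate_image_uuid(d)}` turns that into the literal string "None", which do_generate_image_uuid then writes as IMAGE_UUID="None" into /etc/os-release and the hook copies into /conf/image_uuid. Every image built that way carries the same value and would match every other one in the root selection loop, so fail the build (bb.fatal) instead of returning None. It is also worth a comment that uuid.UUID(base_hash[:32], version=4) only relabels the version and variant bits of the task hash: the value is deterministic per build, which is what A/B selection needs, but it must not be mistaken for a random per-device identifier.

Review bot: initramfs.image_uuid.hook has its `#!/bin/sh` on line 6, after the licence comment, where it is just another comment; it must be line 1 for the hook to run as a script on its own. `set -x` should not ship in a production hook (every command is echoed into the update-initramfs output), and the file lacks a trailing newline ("\ No newline at end of file"). initramfs.lsblk.hook has the same shebang placement.

Review bot: nothing in this series calls lsblk: the replacement local_mount_root in secure-boot-debian-local-patch enumerates devices with `blkid -o device` and probes them with `blkid -p`. Either drop initramfs.lsblk.hook or turn it into a hook that copy_exec's the blkid binary the boot path actually depends on. postinst.ext duplicates the `patch -s -p0 ...` block that this recipe's postinst.tmpl already opens with, so one of the two copies is redundant.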
@@ -0,0 +1,31 @@ +#!/bin/sh +if [ -d /usr/share/secureboot ]; then + patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch +fi + +INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf +if [ -f ${INITRAMFS_CONF} ]; then + sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} + sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} + sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} + sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} + sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} + sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} + sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} + if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then + sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} + else + sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} + fi +fi + +MODULES_LIST_FILE=/etc/initramfs-tools/modules +if [ -f ${MODULES_LIST_FILE} ]; then + for modname in ${INITRAMFS_MODULE_LIST}; do + if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then + echo "$modname" >> "${MODULES_LIST_FILE}" + fi + done +fi + +update-initramfs -v -u diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch new file mode 100644 index 0000000..219578c --- /dev/null +++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch 
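Review bot: `patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch` in postinst.tmpl rewrites a file owned by initramfs-tools-core in place and runs on every postinst invocation (there is no `case "$1" in configure)` and no `set -e`), so the second run on reconfigure or upgrade finds the patch already applied, fails or prompts, and leaves a scripts/local.rej behind while update-initramfs still runs. The next initramfs-tools-core upgrade then silently restores the stock script, which panics without a root= parameter on the frozen command line. Prefer shipping the modified local script as its own file selected by a boot script or a dpkg-divert of scripts/local; at minimum guard the call with a marker or `patch --dry-run -R`, run it only under `configure)`, and revert it in postrm.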
@@ -0,0 +1,79 @@ +--- local 2020-07-02 14:59:15.461895194 +0200 ++++ ../../../../../../../../../../../recipes-support/initramfs-config/files/local 2020-07-02 14:58:58.405730914 +0200 +@@ -1,5 +1,4 @@ + # Local filesystem mounting -*- shell-script -*- +- + local_top() + { + if [ "${local_top_used}" != "yes" ]; then +@@ -155,34 +154,47 @@ + local_mount_root() + { + local_top +- if [ -z "${ROOT}" ]; then +- panic "No root device specified. Boot arguments must include a root= parameter." +- fi +- local_device_setup "${ROOT}" "root file system" +- ROOT="${DEV}" +- +- # Get the root filesystem type if not set +- if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then +- FSTYPE=$(get_fstype "${ROOT}") +- else +- FSTYPE=${ROOTFSTYPE} ++ if [ ! -e /conf/image_uuid ]; then ++ panic "could not find image_uuid to select correct root file system" + fi ++ local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid) ++ local partitions=$(blkid -o device) ++ for part in $partitions; do ++ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then ++ local_device_setup "${part}" "root file system" ++ ROOT="${DEV}" ++ ++ # Get the root filesystem type if not set ++ if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then ++ FSTYPE=$(get_fstype "${ROOT}") ++ else ++ FSTYPE=${ROOTFSTYPE} ++ fi + +- local_premount ++ local_premount + +- if [ "${readonly?}" = "y" ]; then +- roflag=-r +- else +- roflag=-w +- fi ++ if [ "${readonly?}" = "y" ]; then ++ roflag=-r ++ else ++ roflag=-w ++ fi ++ checkfs "${ROOT}" root "${FSTYPE}" + +- checkfs "${ROOT}" root "${FSTYPE}" ++ # Mount root ++ # shellcheck disable=SC2086 ++ if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then ++ if [ -e "${rootmnt?}"/etc/os-release ]; then ++ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' ) ++ if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then ++ return ++ fi ++ fi ++ umount "${rootmnt?}" ++ fi ++ fi ++ done ++ 
panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID" + +- # Mount root +- # shellcheck disable=SC2086 +- if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then +- panic "Failed to mount ${ROOT} as root file system." +- fi + } + + local_mount_fs() diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb new file mode 100644 index 0000000..0be9871 --- /dev/null +++ b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb 
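Review bot: The rewritten local_mount_root selects the root filesystem by string comparison only: it mounts every non-vfat filesystem partition that `blkid -o device` reports and returns on the first whose /etc/os-release IMAGE_UUID equals /conf/image_uuid, but nothing in this hunk checks the integrity or origin of that partition, so the match only picks among candidates and does not extend the secure-boot trust chain to the rootfs; the commit message should state that limitation (a verified rootfs, e.g. dm-verity, would be the follow-up). Two smaller points in the same hunk: `checkfs "${ROOT}" root "${FSTYPE}"` now runs against every candidate before the UUID is compared, including the inactive copy, and the `root=` kernel parameter is now ignored silently where the removed code panicked when it was missing; log a line when `${ROOT}` is set but unused.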
@@ -0,0 +1,38 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +require recipes-support/initramfs-config/initramfs-config.inc + +FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:" + +DEBIAN_DEPENDS += ", busybox, patch" + +SRC_URI += "file://postinst.ext \ + file://initramfs.lsblk.hook \ + file://initramfs.image_uuid.hook \ + file://secure-boot-debian-local-patch" + +INITRAMFS_BUSYBOX = "y" + +do_install() { + # add patch for local to /usr/share/secure boot + TARGET=${D}/usr/share/secureboot + install -m 0755 -d ${TARGET} + install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch + # patch postinst + sed -i -e '/configure)/r ${WORKDIR}/postinst.ext' ${WORKDIR}/postinst + + # add hooks for secure boot + HOOKS=${D}/etc/initramfs-tools/hooks +install -m 0755 -d ${HOOKS} + install -m 0740 ${WORKDIR}/initramfs.lsblk.hook ${HOOKS}/lsblk.hook + install -m 0740 ${WORKDIR}/initramfs.image_uuid.hook ${HOOKS}/image_uuid.hook +} +addtask do_install after do_transform_template
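Review bot: `FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:"` in initramfs-abrootfs-secureboot_0.1.bb names a layer variable that nothing else in this series uses; cip-core-image.bb in patch 4/6 refers to this layer as `${LAYERDIR_cip-core}`, so the line looks like a leftover from another layer and, with the variable undefined, prepends a path under / that matches nothing. Use `${LAYERDIR_cip-core}` or `${THISDIR}/files`. Also `install -m 0755 -d ${HOOKS}` inside do_install lacks the indentation of the lines around it.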
From: "Quirin Gylstorff"
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Quirin Gylstorff
Subject: [cip-dev][isar-cip-core][PATCH v4 4/6] secure-boot: Add secure boot with unified kernel image
Date: Fri, 21 Aug 2020 11:55:57 +0200
Message-Id: <20200821095559.28467-5-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>
References: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

A unified kernel image contains the os-release, kernel, kernel command line, initramfs and efi-stub in one binary. This binary can be booted by systemd-boot and efibootguard. It also allows signing the kernel and initramfs as one package.
Signed-off-by: Quirin Gylstorff
---
 kas/opt/ebg-secure-boot-base.yml | 18 ++++
 kas/opt/ebg-swu.yml | 4 +-
 recipes-core/images/cip-core-image.bb | 12 +--
 .../files/secure-boot/sw-description.tmpl | 29 +++++++
 recipes-core/images/files/sw-description.tmpl | 19 ++--
 recipes-core/images/secureboot.inc | 21 +++++
 recipes-core/images/swupdate.inc | 21 +++++
 .../ebg-secure-boot-secrets_0.1.bb | 51 +++++++++++
 .../ebg-secure-boot-secrets/files/README.md | 1 +
 .../files/control.tmpl | 12 +++
 .../files/sign_secure_image.sh.tmpl | 22 +++++
 .../initramfs-config/files/postinst.tmpl | 31 -------
 ...enerate-sb-db-from-existing-certificate.sh | 16 ++++
 scripts/generate_secure_boot_keys.sh | 51 +++++++++++
 .../wic/plugins/source/efibootguard-boot.py | 87 +++++++++++++++++--
 .../wic/plugins/source/efibootguard-efi.py | 40 ++++++++-
 scripts/start-efishell.sh | 12 +++
 start-qemu.sh | 59 +++++++++----
 wic/ebg-signed-bootloader.inc | 2 +
 wic/qemu-amd64-efibootguard-secureboot.wks | 9 ++
 wic/qemu-amd64-efibootguard.wks | 1 -
 21 files changed, 440 insertions(+), 78 deletions(-)
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
 create mode 100644 recipes-core/images/secureboot.inc
 create mode 100644 recipes-core/images/swupdate.inc
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 delete mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc
 create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml new file mode 100644 index 0000000..c1d98b1 --- /dev/null +++ b/kas/opt/ebg-secure-boot-base.yml @@ -0,0 +1,18 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +local_conf_header: + initramfs: | + IMAGE_INSTALL += "initramfs-abrootfs-secureboot" + SWU_DESCRIPTION = "secureboot" diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml index 5b39730..304fa4d 100644 --- a/kas/opt/ebg-swu.yml +++ b/kas/opt/ebg-swu.yml @@ -22,5 +22,5 @@ local_conf_header: WICVARS += "WDOG_TIMEOUT" wic: | - IMAGE_TYPE = "wic-img" - WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks" + IMAGE_TYPE = "wic-swu-img" + WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks" diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index fd2fd83..2cecde3 100644 --- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb @@ -10,18 +10,12 @@ # inherit image - +inherit image_uuid ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'" DESCRIPTION = "CIP Core image" IMAGE_INSTALL += "customizations" # for swupdate -EXTRACT_PARTITIONS = "img4" -ROOTFS_PARTITION_NAME="img4.gz" - -SRC_URI += "file://sw-description.tmpl" -TEMPLATE_FILES += "sw-description.tmpl" -TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME" - -SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}" +SWU_DESCRIPTION ??= "swupdate" +include ${SWU_DESCRIPTION}.inc diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl new file mode 100644 index 0000000..bce97d0 --- /dev/null +++ b/recipes-core/images/files/secure-boot/sw-description.tmpl 
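Review bot: `include ${SWU_DESCRIPTION}.inc` in cip-core-image.bb does not fail the build when the named file is missing (BitBake's `include` only logs a missing file, `require` raises a parse error), so a typo in SWU_DESCRIPTION yields an image whose SWU has neither a sw-description nor the kernel/rootfs files, and nobody notices until the update is applied; use `require ${SWU_DESCRIPTION}.inc`.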
@@ -0,0 +1,29 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# +software = +{ + version = "0.2"; + name = "secure boot update" + images: ({ + filename = "${ROOTFS_PARTITION_NAME}"; + device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; + type = "roundrobin"; + compressed = "true"; + filesystem = "ext4"; + }); + files: ({ + filename = "linux.signed.efi"; + path = "linux.signed.efi"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }) +} diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl index bef1984..bb34088 100644 --- a/recipes-core/images/files/sw-description.tmpl +++ b/recipes-core/images/files/sw-description.tmpl @@ -11,19 +11,26 @@ software = { version = "0.2"; - name = "ebsy secure boot update" + name = "cip software update" images: ({ - filename = "${EXTRACTED_PARTITION_NAME}"; + filename = "${ROOTFS_PARTITION_NAME}"; device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; type = "roundrobin"; - compressed = true; + compressed = "true"; filesystem = "ext4"; }); files: ({ - filename = "linux.signed.efi"; - path = "linux.signed.efi"; + filename = "${KERNEL_IMAGE}"; + path = "vmlinuz"; type = "kernelfile"; device = "sda2,sda3"; filesystem = "vfat"; - }) + }, + { + filename = "${INITRD_IMAGE}"; + path = "initrd.img"; + type = "kernelfile"; + device = "sda2,sda3"; + filesystem = "vfat"; + }); } diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc new file mode 100644 index 0000000..3e284e0 --- /dev/null +++ b/recipes-core/images/secureboot.inc 
@@ -0,0 +1,21 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +EXTRACT_PARTITIONS = "img4" +ROOTFS_PARTITION_NAME="img4.gz" + +SRC_URI += "file://sw-description.tmpl" +TEMPLATE_FILES += "sw-description.tmpl" + +TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME" + +SWU_DESCRIPTION_FILE = "sw-description" +SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc new file mode 100644 index 0000000..a88ed14 --- /dev/null +++ b/recipes-core/images/swupdate.inc @@ -0,0 +1,21 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:" + +EXTRACT_PARTITIONS = "img4" +ROOTFS_PARTITION_NAME="img4.gz" + +SRC_URI += "file://sw-description.tmpl" +TEMPLATE_FILES += "sw-description.tmpl" +TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE" + +SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb new file mode 100644 index 0000000..37b35c9 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb 
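Review bot: The `FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:"` line is in swupdate.inc, but secureboot.inc is the file that needs it: as written, secureboot.inc fetches the default files/sw-description.tmpl, which references ${KERNEL_IMAGE} and ${INITRD_IMAGE} although neither is in its TEMPLATE_VARS, while swupdate.inc picks up files/secure-boot/sw-description.tmpl, which lists linux.signed.efi instead of the ${KERNEL_IMAGE} and ${INITRD_IMAGE} it adds to SWU_ADDITIONAL_FILES. Move the prepend into secureboot.inc. Also only secureboot.inc sets `SWU_DESCRIPTION_FILE = "sw-description"`; if swupdate.inc relies on a default, a comment saying so would help.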
@@ -0,0 +1,51 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \ + sign an image with the given keys" + +# variables +SB_CERT_PATH = "/usr/share/ebg-secure-boot" +SB_CERTDB ??= "" +SB_VERIFY_CERT ??= "" +SB_KEY_NAME ??= "demoDB" + +# used to sign the image +DEBIAN_DEPENDS = "pesign, sbsigntool" + +# this package cannot be install together with: +DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil" + +SRC_URI = " \ + file://sign_secure_image.sh.tmpl \ + file://control.tmpl" +SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }" +SRC_URI_append = " ${@ d.getVar(SB_VERIFY_CERT) or "" }" +TEMPLATE_FILES = "sign_secure_image.sh.tmpl" +TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME" + +TEMPLATE_FILES += "control.tmpl" +TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS" + +do_install() { + TARGET=${D}${SB_CERT_PATH} + install -m 0700 -d ${TARGET} + cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB} + chmod 700 ${TARGET}/${SB_CERTDB} + install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT} + TARGET=${D}/usr/bin + install -d ${TARGET} + install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh +} + +addtask do_install after do_transform_template diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md new file mode 100644 index 0000000..c739c51 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/README.md @@ -0,0 +1 @@ +For a secure boot image this directory needs to contain the certdb directory and the db.crt file. diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl new file mode 100644 index 0000000..8361a49 
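Review bot: `SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }"` (and the SB_VERIFY_CERT line below it) passes SB_CERTDB as a bare Python name rather than a string, so the inline expression raises NameError on expansion; it needs `d.getVar('SB_CERTDB')`, a `file://` prefix for the fetcher, and single quotes inside the double-quoted value, e.g. `${@ 'file://' + d.getVar('SB_CERTDB') if d.getVar('SB_CERTDB') else ''}`. do_install also does not cope with the `??= ""` defaults: with SB_CERTDB empty, `cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}` copies the whole WORKDIR into the package before the following `install` fails; fail early with a clear message when either variable is unset. Minor: "certifcates" in DESCRIPTION.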
--- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl @@ -0,0 +1,12 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9) + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} +Conflicts: ${DEBIAN_CONFLICTS} diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl new file mode 100644 index 0000000..e84fd4c --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl @@ -0,0 +1,22 @@ +#!/bin/sh +set -e +set -x +signee=$1 +signed=$2 + +usage(){ + echo "sign with debian snakeoil" + echo "$0 signee signed" + echo "signee: path to the image to be signed" + echo "signed: path to store the signed image" +} + + +if [ -z "$signee" ] || [ -z "$signed" ]; then + usage + exit 1 +fi + +pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed +sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed +exit 0 diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl deleted file mode 100644 index 008f68d..0000000 --- a/recipes-support/initramfs-config/files/postinst.tmpl +++ /dev/null 
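Review bot: The usage() text in sign_secure_image.sh.tmpl says "sign with debian snakeoil", but this package signs with the user-supplied certdb and even conflicts with ebg-secure-boot-snakeoil; describe the configured key instead (${SB_KEY_NAME} from ${SB_CERT_PATH}). `set -x` also traces every command, including the pesign invocation with the certdb path, into the build log of every image; keep it out of the shipped script or make it opt-in, and quote `$signee` and `$signed` in the pesign and sbverify calls.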
@@ -1,31 +0,0 @@ -#!/bin/sh -if [ -d /usr/share/secureboot ]; then - patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch -fi - -INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf -if [ -f ${INITRAMFS_CONF} ]; then - sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF} - sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF} - sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF} - sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF} - sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF} - sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF} - sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF} - if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then - sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF} - else - sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF} - fi -fi - -MODULES_LIST_FILE=/etc/initramfs-tools/modules -if [ -f ${MODULES_LIST_FILE} ]; then - for modname in ${INITRAMFS_MODULE_LIST}; do - if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then - echo "$modname" >> "${MODULES_LIST_FILE}" - fi - done -fi - -update-initramfs -v -u diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh new file mode 100755 index 0000000..035f189 --- /dev/null +++ b/scripts/generate-sb-db-from-existing-certificate.sh 
@@ -0,0 +1,16 @@ +#!/bin/sh +name=${SB_NAME:-snakeoil} +keydir=${SB_KEYDIR:-./keys} +if [ ! -d ${keydir} ]; then + mkdir -p ${keydir} +fi +inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key} +incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem} +nick_name=${IN_NICK:-snakeoil} +TMP=$(mktemp -d) +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb +openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name +pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb +cp $incert ${keydir}/$(basename $incert) +rm -rf $TMP diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh new file mode 100755 index 0000000..8d3f8c0 --- /dev/null +++ b/scripts/generate_secure_boot_keys.sh 
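Review bot: `openssl pkcs12 -export` is called without `-passout` and `pk12util -i` without `-W`, so both prompt interactively for the export password, unlike generate_secure_boot_keys.sh in this same patch, which passes `-passout pass:` and `-W ""`; use the same non-interactive form here so the script can run unattended. The `.p12` in ${TMP} holds the private key, so `rm -rf $TMP` at the end should be quoted and run on every exit path (a `trap`), not only on success.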
@@ -0,0 +1,51 @@ +#!/bin/sh +name=${SB_NAME:-demo} +keydir=${SB_KEYDIR:-./keys} +if [ ! -d ${keydir} ]; then + mkdir -p ${keydir} +fi +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \ + -keyout ${keydir}/${name}PK.key -out ${keydir}/${name}PK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \ + -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \ + -keyout ${keydir}/${name}DB.key -out ${keydir}/${name}DB.crt -days 3650 -nodes -sha256 +openssl x509 -in ${keydir}/${name}PK.crt -out ${keydir}/${name}PK.cer -outform DER +openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER +openssl x509 -in ${keydir}/${name}DB.crt -out ${keydir}/${name}DB.cer -outform DER + +openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \ + -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass: + +GUID=$(uuidgen --random) +echo $GUID > ${keydir}/${name}GUID + +cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt ${keydir}/${name}PK.esl +cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl +cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt ${keydir}/${name}DB.esl +rm -f ${keydir}/${name}noPK.esl +touch ${keydir}/${name}noPK.esl + +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + PK ${keydir}/${name}PK.esl ${keydir}/${name}PK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth +sign-efi-sig-list -g $GUID \ + -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ + DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth + +chmod 0600 
${keydir}/${name}*.key +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb + +certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt +pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12 +certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u + +certutil -d ${keydir}/${name}certdb -K +certutil -d ${keydir}/${name}certdb -L diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py index 38d2b2e..d291f75 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py @@ -80,17 +80,29 @@ class EfibootguardBootPlugin(SourcePlugin): boot_files = source_params.get("files", "").split(' ') + uefi_kernel = source_params.get("unified-kernel") cmdline = bootloader.append - root_dev = source_params.get("root", None) - if not root_dev: - msger.error("Specify root in source params") - exit(1) + if uefi_kernel: + boot_image = cls._create_unified_kernel_image(rootfs_dir, + cr_workdir, + cmdline, + uefi_kernel, + deploy_dir, + kernel_image, + initrd_image, + source_params) + boot_files.append(boot_image) + else: + root_dev = source_params.get("root", None) + if not root_dev: + msger.error("Specify root in source params") + exit(1) root_dev = root_dev.replace(":", "=") - cmdline += " root=%s rw" % root_dev - boot_files.append(kernel_image) - boot_files.append(initrd_image) - cmdline += "initrd=%s" % initrd_image if initrd_image else "" + cmdline += " root=%s rw" % root_dev + boot_files.append(kernel_image) + boot_files.append(initrd_image) + cmdline += "initrd=%s" % initrd_image if initrd_image else "" part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir, part.label, part.lineno) 
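Review bot: generate_secure_boot_keys.sh writes the PK, KEK and DB private keys unencrypted (`-nodes`) into one directory, and the DB key is then exported into the certdb that ebg-secure-boot-secrets copies into the buildchroot; the PK and KEK keys never need to be near a build, so state in a header comment that this script is for demo and CI use and that for production the PK/KEK should be generated and kept offline, with only the DB certdb and db.crt handed to the build. Also `certutil -A -i ${keydir}/${name}DB.crt -n "" -t u` imports the DB certificate with an empty nickname while sign_secure_image.sh looks the key up as `${SB_KEY_NAME}` (default demoDB); check that pk12util assigned that nickname or pass `-n "${name}DB"` explicitly.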
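Review bot: In the first efibootguard-boot.py hunk the context line `root_dev = root_dev.replace(":", "=")` keeps its old indentation, i.e. it sits outside the new `else:` block, so with `unified-kernel=y` it executes with `root_dev` never assigned and the plugin dies with UnboundLocalError; indent it into the else branch together with the lines around it. While re-indenting, note that `cmdline += "initrd=%s" % initrd_image` is appended directly after `" root=%s rw"` with no separating space, producing `rwinitrd=...`; prefix it with a space.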
@@ -160,3 +172,62 @@ class EfibootguardBootPlugin(SourcePlugin): part.size = bootimg_size part.source_file = bootimg + + @classmethod + def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline, + uefi_kernel, deploy_dir, kernel_image, + initrd_image, source_params): + rootfs_path = rootfs_dir.get('ROOTFS_DIR') + os_release_file = "{root}/etc/os-release".format(root=rootfs_path) + efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\ + .format(rootfs_path=rootfs_path) + msger.debug("osrelease path: %s", os_release_file) + kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\ + .format(cr_workdir=cr_workdir) + with open(kernel_cmdline_file, "w") as cmd_fd: + cmd_fd.write(cmdline) + uefi_kernel_name = "linux.efi" + uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\ + .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name) + kernel = "{deploy_dir}/{kernel_image}"\ + .format(deploy_dir=deploy_dir, kernel_image=kernel_image) + initrd = "{deploy_dir}/{initrd_image}"\ + .format(deploy_dir=deploy_dir, initrd_image=initrd_image) + objcopy_cmd = 'objcopy \ + --add-section .osrel={os_release_file} \ + --change-section-vma .osrel=0x20000 \ + --add-section .cmdline={kernel_cmdline_file} \ + --change-section-vma .cmdline=0x30000 \ + --add-section .linux={kernel} \ + --change-section-vma .linux=0x2000000 \ + --add-section .initrd={initrd} \ + --change-section-vma .initrd=0x3000000 \ + {efistub} {uefi_kernel_file}'.format( + os_release_file=os_release_file, + kernel_cmdline_file=kernel_cmdline_file, + kernel=kernel, + initrd=initrd, + efistub=efistub, + uefi_kernel_file=uefi_kernel_file) + exec_cmd(objcopy_cmd) + + return cls._sign_file(name=uefi_kernel_name, + signee=uefi_kernel_file, + deploy_dir=deploy_dir, + source_params=source_params) + + @classmethod + def _sign_file(cls, name, signee, deploy_dir, source_params): + sign_script = source_params.get("signwith") + if sign_script and os.path.exists(sign_script): + 
msger.info("sign with script %s", sign_script) + name = name.replace(".efi", ".signed.efi") + sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\ + .format(sign_script=sign_script, signee=signee, + deploy_dir=deploy_dir, name=name) + exec_cmd(sign_cmd) + elif sign_script and not os.path.exists(sign_script): + msger.error("Could not find script %s", sign_script) + exit(1) + + return name diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py index 5ee451f..6647212 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-efi.py +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py @@ -64,10 +64,17 @@ class EfibootguardEFIPlugin(SourcePlugin): exec_cmd(create_dir_cmd) for bootloader in bootloader_files: - cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir, - bootloader, - part_rootfs_dir, - bootloader) + signed_bootloader = cls._sign_file(bootloader, + "{}/{}".format(deploy_dir, + bootloader + ), + cr_workdir, + source_params) + # important the bootloader in deploy_dir is no longer signed + cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir, + signed_bootloader, + part_rootfs_dir, + bootloader) exec_cmd(cp_cmd, True) du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir blocks = int(exec_cmd(du_cmd).split()[0]) 
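Review bot: The objcopy call in _create_unified_kernel_image places `.linux` at VMA 0x2000000 and `.initrd` at 0x3000000, which leaves exactly 16 MiB for the kernel image; a larger vmlinuz makes the two sections overlap and the stub's behaviour is undefined. Either derive the `.initrd` VMA from `os.path.getsize(kernel)` or assert that the kernel is smaller than 0x1000000 before running objcopy. _sign_file here and in efibootguard-efi.py are near-copies that differ only in the output directory (deploy_dir vs cr_workdir); factor them into one helper, and let the no-`signwith` path log that an unsigned linux.efi is being shipped so the situation is visible in the build log.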
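Review bot: The comment `# important the bootloader in deploy_dir is no longer signed` in efibootguard-efi.py reads as if the deploy copy lost its signature; what the code does is leave deploy_dir untouched, write the signed copy to cr_workdir and install it under the original name. Say that instead, e.g. "the signed copy lives in cr_workdir; deploy_dir keeps the unsigned binary", and drop the stray line break inside the `"{}/{}".format(deploy_dir, bootloader)` argument.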
@@ -100,3 +107,28 @@ class EfibootguardEFIPlugin(SourcePlugin): part.size = efi_part_image_size part.source_file = efi_part_image + + + @classmethod + def _sign_file(cls, name, signee, cr_workdir, source_params): + sign_script = source_params.get("signwith") + if sign_script and os.path.exists(sign_script): + work_name = name.replace(".efi", ".signed.efi") + sign_cmd = "{sign_script} {signee} \ + {cr_workdir}/{work_name}".format(sign_script=sign_script, + signee=signee, + cr_workdir=cr_workdir, + work_name=work_name) + exec_cmd(sign_cmd) + elif sign_script and not os.path.exists(sign_script): + msger.error("Could not find script %s", sign_script) + exit(1) + else: + # if we do nothing copy the signee to the work directory + work_name = name + cp_cmd = "cp {signee} {cr_workdir}/{work_name}".format( + signee=signee, + cr_workdir=cr_workdir, + work_name=work_name) + exec_cmd(cp_cmd) + return work_name diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh new file mode 100755 index 0000000..d451f43 --- /dev/null +++ b/scripts/start-efishell.sh @@ -0,0 +1,12 @@ +#!/bin/sh +ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} +ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} +DISK=$1 +qemu-system-x86_64 -enable-kvm -M q35 \ + -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \ + -global ICH9-LPC.disable_s3=1 \ + -global isa-fdc.driveA= \ + -boot menu=on \ + -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ + -drive if=pflash,format=raw,file=${ovmf_vars} \ + -drive file=fat:rw:$DISK diff --git a/start-qemu.sh b/start-qemu.sh index 5c17d74..c10a34d 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -15,6 +15,8 @@ usage() echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]" echo -e "\nSet QEMU_PATH environment variable to use a locally " \ "built QEMU version" + echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \ + "This environment also needs the variables OVMF_VARS and OVMF_CODE set" exit 1 } 
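Review bot: In the `else` branch of efibootguard-efi.py's _sign_file the unsigned bootloader is copied to the work directory without any message, so an image built for secure boot but lacking the `signwith` sourceparam silently ships a bootloader that the firmware will refuse; emit `msger.warning` naming the file, and treat an explicitly empty `signwith=` as an error rather than as "not set".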
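Review bot: The added usage() lines in start-qemu.sh run two sentences together ("...secure boot environment This environment also needs...") and claim that OVMF_VARS and OVMF_CODE must be set, while the SECURE_BOOT branch later in this patch supplies defaults for both; add the missing punctuation and say the variables are optional overrides of the defaults.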
@@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then QEMU_PATH="${QEMU_PATH}/" fi +if [ -z "${DISTRO_RELEASE}" ]; then + DISTRO_RELEASE="buster" +fi +if [ -z "${TARGET_IMAGE}" ];then + TARGET_IMAGE="cip-core-image" +fi + case "$1" in x86|x86_64|amd64) DISTRO_ARCH=amd64 QEMU=qemu-system-x86_64 QEMU_EXTRA_ARGS=" \ - -cpu host -smp 4 \ - -enable-kvm -machine q35 \ + -cpu qemu64 \ + -smp 4 \ + -machine q35,accel=kvm:tcg \ -device ide-hd,drive=disk \ -device virtio-net-pci,netdev=net" KERNEL_CMDLINE=" \ - root=/dev/sda vga=0x305 console=ttyS0" + root=/dev/sda" ;; arm64|aarch64) DISTRO_ARCH=arm64 
@@ -71,25 +81,40 @@ case "$1" in ;; esac -if [ -z "${DISTRO_RELEASE}" ]; then - DISTRO_RELEASE="buster" -fi - -if [ -z "${TARGET_IMAGE}" ]; then - TARGET_IMAGE="cip-core-image" -fi - IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}" -IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) if [ -z "${DISPLAY}" ]; then QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic" + case "$1" in + x86|x86_64|amd64) + KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0" + esac fi shift 1 -${QEMU_PATH}${QEMU} \ - -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ - -m 1G -serial mon:stdio -netdev user,id=net \ - -kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \ - -initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@" +if [ -n "${SECURE_BOOT}" ]; then + ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} + ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} + QEMU_EXTRA_ARGS=" ${QEMU_EXTRA_ARGS} \ + -global ICH9-LPC.disable_s3=1 \ + -global isa-fdc.driveA= " + + BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ + -drive if=pflash,format=raw,file=${ovmf_vars} \ + -drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw" + ${QEMU_PATH}${QEMU} \ + -m 1G -serial mon:stdio -netdev user,id=net \ + ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@" +else + IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img) + + KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1) + INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1) + + ${QEMU_PATH}${QEMU} \ + -m 1G -serial mon:stdio -netdev user,id=net \ + -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ + -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ + -initrd ${INITRD_FILE} ${QEMU_EXTRA_ARGS} "$@" +fi diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc new file mode 100644 index 0000000..667e014 --- /dev/null +++ b/wic/ebg-signed-bootloader.inc 
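Review bot: In the SECURE_BOOT branch `-drive if=pflash,format=raw,file=${ovmf_vars}` opens ./OVMF_VARS.fd read-write, so anything the firmware or guest persists (enrolled PK/KEK/db, boot entries) carries over into the next run and test runs stop being reproducible; copy the pristine vars file to a per-run scratch file first, or document that OVMF_VARS is expected to be a throwaway copy. Also `KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)` selects the lexically last match, which is not necessarily the newest kernel once several versions are deployed.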
@@ -0,0 +1,2 @@ +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks new file mode 100644 index 0000000..9ccf501 --- /dev/null +++ b/wic/qemu-amd64-efibootguard-secureboot.wks @@ -0,0 +1,9 @@ +# short-description: Qemu-amd64 with Efibootguard and SWUpdate +# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate +include ebg-signed-bootloader.inc + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" + +include swupdate-partition.inc diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks index 3cd7360..a9a8446 100644 --- a/wic/qemu-amd64-efibootguard.wks +++ b/wic/qemu-amd64-efibootguard.wks 
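Review bot: qemu-amd64-efibootguard-secureboot.wks copies the short-description and long-description of qemu-amd64-efibootguard.wks verbatim, so the two images are indistinguishable in the wks listing; mention the signed bootloader and unified kernel there. `signwith=/usr/bin/sign_secure_image.sh` is the buildchroot path installed by ebg-secure-boot-secrets (or the snakeoil variant); a comment in ebg-signed-bootloader.inc naming that dependency would save the next reader a search when the plugin reports "Could not find script".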
@@ -1,5 +1,4 @@ # short-description: Qemu-amd64 with Efibootguard and SWUpdate # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate - include ebg-sysparts.inc include swupdate-partition.inc
From: "Quirin Gylstorff"
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Quirin Gylstorff
Subject: [cip-dev][isar-cip-core][PATCH v4 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use
Date: Fri, 21 Aug 2020 11:55:58 +0200
Message-Id: <20200821095559.28467-6-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>
References: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

Use the Debian snakeoil keys to have a demo case available without the OVMF setup. Copy the used keys from the build to the deploy directory to allow usage in non-Debian distributions.
Signed-off-by: Quirin Gylstorff --- conf/distro/debian-buster-backports.list | 1 + conf/distro/preferences.ovmf-snakeoil.conf | 3 ++ kas/opt/ebg-secure-boot-snakeoil.yml | 28 +++++++++++++++ .../ebg-secure-boot-snakeoil_0.1.bb | 34 ++++++++++++++++++ .../files/control.tmpl | 12 +++++++ .../files/sign_secure_image.sh | 36 +++++++++++++++++++ .../ovmf-binaries/files/control.tmpl | 11 ++++++ .../ovmf-binaries/ovmf-binaries_0.1.bb | 30 ++++++++++++++++ start-qemu.sh | 4 +-- 9 files changed, 157 insertions(+), 2 deletions(-) create mode 100644 conf/distro/debian-buster-backports.list create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb diff --git a/conf/distro/debian-buster-backports.list b/conf/distro/debian-buster-backports.list new file mode 100644 index 0000000..f2dd104 --- /dev/null +++ b/conf/distro/debian-buster-backports.list @@ -0,0 +1 @@ +deb http://ftp.us.debian.org/debian buster-backports main contrib non-free diff --git a/conf/distro/preferences.ovmf-snakeoil.conf b/conf/distro/preferences.ovmf-snakeoil.conf new file mode 100644 index 0000000..b51d1d4 --- /dev/null +++ b/conf/distro/preferences.ovmf-snakeoil.conf @@ -0,0 +1,3 @@ +Package: ovmf +Pin: release n=buster-backports +Pin-Priority: 801 diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml new file mode 100644 index 0000000..cda8177 --- /dev/null +++ b/kas/opt/ebg-secure-boot-snakeoil.yml 
@@ -0,0 +1,28 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + includes: + - ebg-secure-boot-base.yml + + +local_conf_header: + secure-boot: | + # Add snakeoil and ovmf binaries for qemu + IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries" + IMAGER_INSTALL += "ebg-secure-boot-snakeoil" + WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks" + + ovmf: | + # snakeoil certs are only part of backports + DISTRO_APT_SOURCES_append = " conf/distro/debian-buster-backports.list" + DISTRO_APT_PREFERENCES_append = " conf/distro/preferences.ovmf-snakeoil.conf" diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb new file mode 100644 index 0000000..4975d92 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb @@ -0,0 +1,34 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys" +# used to sign the image +DEBIAN_DEPENDS = "pesign, sbsigntool, ovmf, openssl, libnss3-tools" + + +# this package cannot be install together with: +DEBIAN_CONFLICTS = "ebg-secure-boot-secrets" + +SRC_URI = "file://sign_secure_image.sh \ + file://control.tmpl" + +TEMPLATE_FILES = "control.tmpl" +TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS" + +do_install() { + TARGET=${D}/usr/bin + install -d ${TARGET} + install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh +} + +addtask do_install after do_transform_template 
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl new file mode 100644 index 0000000..8361a49 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl @@ -0,0 +1,12 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9) + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} +Conflicts: ${DEBIAN_CONFLICTS} diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh new file mode 100644 index 0000000..081dbe9 --- /dev/null +++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh @@ -0,0 +1,36 @@ +#!/bin/sh +set -e +set -x +signee=$1 +signed=$2 + +usage(){ + echo "sign with debian snakeoil" + echo "$0 signee signed" + echo "signee: path to the image to be signed" + echo "signed: path to store the signed image" +} + + +if [ -z "$signee" ] || [ -z "$signed" ]; then + usage + exit 1 +fi + +name=snakeoil +keydir=$(mktemp -d) +inkey=/usr/share/ovmf/PkKek-1-snakeoil.key +incert=/usr/share/ovmf/PkKek-1-snakeoil.pem +nick_name=snakeoil +TMP=$(mktemp -d) +mkdir -p ${keydir}/${name}certdb +certutil -N --empty-password -d ${keydir}/${name}certdb +openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name +pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb +cp $incert ${keydir}/$(basename $incert) +rm -rf $TMP + +pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed +sbverify --cert $incert $signed +rm -rf $keydir +exit 0 diff --git a/recipes-devtools/ovmf-binaries/files/control.tmpl b/recipes-devtools/ovmf-binaries/files/control.tmpl new file mode 100644 index 0000000..54641d6 --- /dev/null 
+++ b/recipes-devtools/ovmf-binaries/files/control.tmpl @@ -0,0 +1,11 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: ${MAINTAINER} +Build-Depends: debhelper (>= 9), ${DEBIAN_BUILD_DEPENDS} + +Package: ${PN} +Architecture: ${DPKG_ARCH} +Depends: ${DEBIAN_DEPENDS} +Description: ${DESCRIPTION} diff --git a/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb new file mode 100644 index 0000000..025b970 --- /dev/null +++ b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb @@ -0,0 +1,30 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "Copy the OVMF biniaries from the build changeroot to the deploy dir" + +# this is a empty debian package +SRC_URI = "file://control.tmpl" + +DEBIAN_BUILD_DEPENDS = "ovmf" +TEMPLATE_FILES = "control.tmpl" +TEMPLATE_VARS += "PN DEBIAN_DEPENDS MAINTAINER DESCRIPTION DPKG_ARCH DEBIAN_BUILD_DEPENDS" + + +do_extract_ovmf() { + install -m 0755 -d ${DEPLOY_DIR_IMAGE} + cp -r ${BUILDCHROOT_DIR}/usr/share/OVMF ${DEPLOY_DIR_IMAGE} + chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF +} + +addtask do_extract_ovmf after do_install_builddeps before do_dpkg_build diff --git a/start-qemu.sh b/start-qemu.sh index c10a34d..e53cd99 100755 --- a/start-qemu.sh +++ b/start-qemu.sh 
@@ -94,8 +94,8 @@ fi shift 1 if [ -n "${SECURE_BOOT}" ]; then - ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} - ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} + ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd} + ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS.snakeoil.fd} QEMU_EXTRA_ARGS=" ${QEMU_EXTRA_ARGS} \ -global ICH9-LPC.disable_s3=1 \ -global isa-fdc.driveA= " From patchwork Fri Aug 21 09:55:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 11728729 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5725F722 for ; Fri, 21 Aug 2020 09:56:07 +0000 (UTC) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3278D20732 for ; Fri, 21 Aug 2020 09:56:07 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=lists.cip-project.org header.i=@lists.cip-project.org header.b="AtgZBaD/" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3278D20732 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=siemens.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=bounce+64572+5175+4520428+8129116@lists.cip-project.org X-Received: by 127.0.0.2 with SMTP id oN1LYY4521763xog1bLJkUSq; Fri, 21 Aug 2020 02:56:07 -0700 X-Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by mx.groups.io with SMTP id smtpd.web10.131308.1598003765596000008 for ; Fri, 21 Aug 2020 02:56:06 -0700 X-Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id 07L9u3hA003068 (version=TLSv1.2 
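Review bot: conf/distro/debian-buster-backports.list enables `main contrib non-free` from buster-backports on a hardcoded US mirror although the only package wanted from there is ovmf (`# snakeoil certs are only part of backports`), which lives in main; restricting the line to `main` keeps non-free components out of the build and a mirror-neutral host avoids tying every build to ftp.us.debian.org. The pin in preferences.ovmf-snakeoil.conf is correctly limited to `Package: ovmf`, so no other backports packages are pulled in.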
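Review bot: in sign_secure_image.sh the two temporary directories `keydir=$(mktemp -d)` and `TMP=$(mktemp -d)` are left on disk whenever certutil, openssl, pk12util, pesign or sbverify fails, because `set -e` aborts before the `rm -rf` lines are reached; a `trap 'rm -rf "$keydir" "$TMP"' EXIT` placed right after creating them covers every exit path and makes the trailing `rm -rf $keydir` and `exit 0` unnecessary. `set -x` also writes the complete openssl command line, including `-passin pass:"snakeoil"`, into the build log; that is harmless only because the snakeoil key is public, and a comment saying exactly that would stop the script from being copied unchanged for real keys. Minor: the copy made by `cp $incert ${keydir}/$(basename $incert)` is never read (sbverify uses $incert directly), and `name` and `nick_name` hold the same value.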
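Review bot: `cp -r ${BUILDCHROOT_DIR}/usr/share/OVMF ${DEPLOY_DIR_IMAGE}` in do_extract_ovmf is not idempotent: once ${DEPLOY_DIR_IMAGE}/OVMF exists from a previous run, cp -r places a second copy at ${DEPLOY_DIR_IMAGE}/OVMF/OVMF; creating the target with `install -d` and copying `${BUILDCHROOT_DIR}/usr/share/OVMF/.` into `${DEPLOY_DIR_IMAGE}/OVMF/` gives the same result on every rebuild. The `chown $(id -u):$(id -g)` that follows is not recursive, so the .fd files inside keep their chroot ownership; `chown -R` is what the comment in the commit message (copy to the deploy directory for use outside the build) needs. Typos: "biniaries" and "changeroot" in DESCRIPTION, "a empty debian package" in the comment above SRC_URI.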
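Review bot: the new defaults in start-qemu.sh hardwire `./build/tmp/deploy/images/qemu-amd64/OVMF/...`, which only holds for the default build directory and the qemu-amd64 machine, and they switch the default variable store to `OVMF_VARS.snakeoil.fd`, the store that goes with the publicly distributed snakeoil key the series signs with. A comment above the two lines marking them as the demo configuration, with OVMF_CODE and OVMF_VARS as the override for a store carrying one's own enrolled keys, would make that explicit to anyone running the script with `SECURE_BOOT` set.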
cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 21 Aug 2020 11:56:03 +0200 X-Received: from md2dvrtc.fritz.box ([167.87.58.237]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 07L9u0Qv003248; Fri, 21 Aug 2020 11:56:03 +0200 From: "Quirin Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Quirin Gylstorff Subject: [cip-dev][isar-cip-core][PATCH v4 6/6] doc: Add README for secureboot Date: Fri, 21 Aug 2020 11:55:59 +0200 Message-Id: <20200821095559.28467-7-Quirin.Gylstorff@siemens.com> In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com> References: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-MIME-Autoconverted: from 8bit to quoted-printable by david.siemens.de id 07L9u3hA003068 Precedence: Bulk List-Unsubscribe: Sender: cip-dev@lists.cip-project.org List-Id: Mailing-List: list cip-dev@lists.cip-project.org; contact cip-dev+owner@lists.cip-project.org Delivered-To: mailing list cip-dev@lists.cip-project.org Reply-To: cip-dev@lists.cip-project.org X-Gm-Message-State: BR1YmISsHMSc7Kbj98WOneOMx4520428AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.cip-project.org; q=dns/txt; s=20140610; t=1598003767; bh=j7nMolXNnZcMOyG4d5tgmNx7dRJuBiQlvCRJBJseZz8=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=AtgZBaD/oKFbwXouVZTOlHjzEPcZy28/w2SQ+nPRruFTBBMgf9M1UsLXricKjltGHxs AKG/GwW82pl3f39iqI5zKrEb1JhXv8pk1U9/W7x+zIsuKnI7LstWHiGF2JPiR3qwP7Xrp /IajyyRpWbxo1g47qe0ZjhUecIPRaIW0ZS8= From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- doc/README.secureboot.md | 229 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 doc/README.secureboot.md diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md new file mode 100644 index 0000000..d79248b --- /dev/null +++ b/doc/README.secureboot.md 
@@ -0,0 +1,229 @@ +# Efibootguard Secure boot + +This document describes how to generate a secure boot capable image with +[efibootguard](https://github.com/siemens/efibootguard). + +## Description + +The image build signs the efibootguard bootloader (bootx64.efi) and generates +a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/). +A unified kernel image packs the kernel, initramfs and the kernel command-line +in one binary object. As the kernel command-line is immutable after the build +process, the previous selection of the root file system with a command-line parameter is no longer +possible. Therefore the selection of the root file-system occurs now in the initramfs. + +The image uses an A/B partition layout to update the root file system. The sample implementation to +select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs. +During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs. +If a match is found the rootfs is used for the boot. + +## Adaptation for Images + +### WIC +The following elements must be present in a wks file to create a secure boot capable image. + +``` +part --source efibootguard-efi --sourceparams "signwith=
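Review bot: the README explains the signing and A/B mechanism but not which key signs the image by default; with the kas option from patch 5/6 that is the publicly distributed Debian snakeoil key, and a reader following this document should be told that such an image demonstrates the boot flow and is not a trust anchor, and where the real-key variant plugs in (`signwith=` in the wks file). Style: the Description section uses "root file system", "root file-system" and "rootfs" interchangeably, "Efibootguard Secure boot" in the title should be "Secure Boot", and the opening fence of the WIC block carries no language tag.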