From patchwork Wed Apr 13 07:16:18 2022
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 12812183
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff, Christian Storm
Subject: [isar-cip-core][PATCH 01/19] start-qemu.sh: Add ssh access to guest from localhost
Date: Wed, 13 Apr 2022 09:16:18 +0200
Message-Id: <0ab69754d5edbdb0ce740b460e3a4d80dc016da2.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8057

From: Jan Kiszka

Permit ssh logins to the guest from the host using port 22222 forwarding, but only from the local machine. This is useful, e.g., to send an swu file into the VM for testing swupdate.

Signed-off-by: Jan Kiszka
---
 start-qemu.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index e986791..c5cd9fa 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -117,7 +117,7 @@ shift 1 QEMU_COMMON_OPTIONS=" \ -m 1G \ -serial mon:stdio \ - -netdev user,id=net \ + -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ ${QEMU_EXTRA_ARGS}" if [ -n "${SECURE_BOOT}" ]; then
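Review bot: the hostfwd rule in the QEMU_COMMON_OPTIONS hunk binds to 127.0.0.1, which keeps the guest's sshd off the network, but loopback is reachable by every local user and process on the host, not only the person who started the VM; a one-line comment above `-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \` saying that the guest's ssh is exposed to anything running on the host would make that explicit. The port is also hard-coded, so a second start-qemu.sh instance on the same host cannot set up the forwarding rule and QEMU fails to start; consider taking the port from an environment variable with 22222 as the default, in the same way the command line is already parameterised through ${QEMU_EXTRA_ARGS}.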
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff, Christian Storm
Subject: [isar-cip-core][PATCH 02/19] swupdate: Simplify secure-swupdate-img class
Date: Wed, 13 Apr 2022 09:16:19 +0200
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8051

From: Jan Kiszka

Directly include wic-swu-img, avoiding code duplication this way.

Signed-off-by: Jan Kiszka
---
 classes/secure-swupdate-img.bbclass | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
index 330f619..c2b2402 100644
--- a/classes/secure-swupdate-img.bbclass
+++ b/classes/secure-swupdate-img.bbclass
@@ -20,11 +20,7 @@ do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" inherit verity-img -inherit wic-img -inherit swupdate-img - -SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}" +inherit wic-swu-img addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image addtask do_wic_image after do_verity_image -addtask do_swupdate_image after do_wic_image
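Review bot: the hunk drops `-addtask do_swupdate_image after do_wic_image` together with the two inherits, and nothing in this patch shows where that task ordering now comes from; the commit message should say that wic-swu-img carries the same addtask (it appears as context in the next patch of the series) so a reader does not conclude the SWU build step was lost. Since verity-img is still inherited before wic-swu-img and `addtask do_wic_image after do_verity_image` is kept, the verity ordering itself is unaffected.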
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff, Christian Storm
Subject: [isar-cip-core][PATCH 03/19] swupdate: Drop no longer used SOURCE_IMAGE_FILE
Date: Wed, 13 Apr 2022 09:16:20 +0200
Message-Id: <5420dbbd4bd6ef2bb59a8feaa4a9e2523eaddd3d.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8062

From: Jan Kiszka

Obsoleted by aed961de08e1.

Signed-off-by: Jan Kiszka
---
 classes/wic-swu-img.bbclass | 2 --
 1 file changed, 2 deletions(-)

diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
index 5e6de40..f03befa 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/wic-swu-img.bbclass
@@ -12,6 +12,4 @@ inherit wic-img inherit swupdate-img -SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}" - addtask do_swupdate_image after do_wic_image
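Review bot: the commit message justifies removing `SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"` only with the bare commit id aed961de08e1; one phrase on what that commit changed (which class stopped consuming SOURCE_IMAGE_FILE) would let a reviewer confirm that no remaining class or recipe still reads the variable without digging through git history. An undefined variable in a bitbake class expands silently to nothing, so a grep over the layer for SOURCE_IMAGE_FILE before merging is cheap insurance.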
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff, Christian Storm
Subject: [isar-cip-core][PATCH 04/19] swupdate: Rename secure-swupdate-img class
Date: Wed, 13 Apr 2022 09:16:21 +0200
Message-Id: <97436664b76f3439a4f05e34cae2a9f399f44e63.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8056

From: Jan Kiszka

Align the name to the non-secure counterpart wic-swu-img.

Signed-off-by: Jan Kiszka
---
 ...{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} | 0
 kas/opt/ebg-secure-boot-snakeoil.yml                           | 3 +--
 2 files changed, 1 insertion(+), 2 deletions(-)
 rename classes/{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} (100%)

diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-wic-swu-img.bbclass
similarity index 100%
rename from classes/secure-swupdate-img.bbclass
rename to classes/secure-wic-swu-img.bbclass
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index a7d644b..10414fb 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,7 +14,6 @@ header: includes: - kas/opt/ebg-secure-boot-base.yml - local_conf_header: image-options: | CIP_IMAGE_OPTIONS_append = " read-only.inc"
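Review bot: the blank-line removal in the `@@ -14,7 +14,6 @@` hunk of ebg-secure-boot-snakeoil.yml is unrelated to the class rename and is not mentioned in the commit message; either drop it so the patch stays a pure rename, or mention it as a whitespace cleanup.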
@@ -24,7 +23,7 @@ local_conf_header: verity-img: | SECURE_IMAGE_FSTYPE = "squashfs" - IMAGE_FSTYPES = "secure-swupdate-img" + IMAGE_FSTYPES = "secure-wic-swu-img" WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" secure-boot: |
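Review bot: `IMAGE_FSTYPES = "secure-wic-swu-img"` is a user-visible setting, so any local.conf or out-of-tree kas file that still names secure-swupdate-img will break once the old class is gone; the commit message should flag the rename as a breaking change, and a thin compatibility class (a secure-swupdate-img.bbclass that only inherits secure-wic-swu-img and emits a deprecation warning) would give downstream configurations a migration window.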
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff, Christian Storm
Subject: [isar-cip-core][PATCH 05/19] Drop initramfs-abrootfs-secureboot references
Date: Wed, 13 Apr 2022 09:16:22 +0200
Message-Id: <6d0bd2b8f9a8f3ba4364934d3de70495df5c07cb.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8052

From: Jan Kiszka

As secure boot implies for isar-cip-core dm-verity with read-only rootfs, we only added initramfs-abrootfs-secureboot to remove it again. So don't reference it at all. It will be used differently soon, therefore keep the recipe.

Signed-off-by: Jan Kiszka
---
 kas/opt/ebg-secure-boot-base.yml  | 3 +--
 recipes-core/images/read-only.inc | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..299b663 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -15,7 +15,6 @@ header: - kas/opt/efibootguard.yml local_conf_header: - initramfs: | - IMAGE_INSTALL += "initramfs-abrootfs-secureboot" + secure_swu: | SWU_DESCRIPTION = "secureboot" SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
diff --git a/recipes-core/images/read-only.inc b/recipes-core/images/read-only.inc
index 604caa0..c031e39 100644
--- a/recipes-core/images/read-only.inc
+++ b/recipes-core/images/read-only.inc
@@ -14,7 +14,6 @@ SQUASHFS_EXCLUDE_DIRS += "home var" IMAGE_INSTALL += "etc-overlay-fs" IMAGE_INSTALL += "home-fs" IMAGE_INSTALL += "tmp-fs" -IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" image_configure_fstab() { sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
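Review bot: in the ebg-secure-boot-base.yml hunk the local_conf_header key changes from `initramfs:` to `secure_swu:` while only the IMAGE_INSTALL line is removed; kas merges local_conf_header entries by key across included files, so the rename also changes which file's `initramfs` section ends up in local.conf, and the commit message should state that this is intended. Dropping `IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"` from read-only.inc is consistent with that, but note that any configuration which still lists the recipe in IMAGE_INSTALL now gets it installed, since read-only.inc no longer strips it.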
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff, Christian Storm
Subject: [isar-cip-core][PATCH 06/19] Rename initramfs-abrootfs-secureboot to initramfs-abrootfs-hook
Date: Wed, 13 Apr 2022 09:16:23 +0200
Message-Id: <97078215b7c27cc404046015b84da6422ecd5a35.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8053

From: Jan Kiszka

It had nothing to do with secure boot at all, only with selecting the rootfs from the initramfs via a uuid match. Relocate to recipes-initramfs as well at this chance as this is more logical, even if initramfs-abrootfs-hook is not using the initramfs image class yet.

Signed-off-by: Jan Kiszka
---
 .../initramfs-abrootfs-hook/files/debian-local-patch    | 0
 .../files/initramfs.image_uuid.hook                     | 0
 .../initramfs-abrootfs-hook}/files/initramfs.lsblk.hook | 0
 .../initramfs-abrootfs-hook}/files/postinst             | 2 +-
 .../initramfs-abrootfs-hook_0.1.bb                      | 8 ++++----
 5 files changed, 5 insertions(+), 5 deletions(-)
 rename recipes-support/initramfs-config/files/secure-boot-debian-local-patch => recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch (100%)
 rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.image_uuid.hook (100%)
 rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.lsblk.hook (100%)
 rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/postinst (73%)
 rename recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb => recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb (74%)
diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch similarity index 100% rename from recipes-support/initramfs-config/files/secure-boot-debian-local-patch rename to recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook similarity index 100% rename from recipes-support/initramfs-config/files/initramfs.image_uuid.hook rename to recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook similarity index 100% rename from recipes-support/initramfs-config/files/initramfs.lsblk.hook rename to recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook diff --git a/recipes-support/initramfs-config/files/postinst b/recipes-initramfs/initramfs-abrootfs-hook/files/postinst similarity index 73% rename from recipes-support/initramfs-config/files/postinst rename to recipes-initramfs/initramfs-abrootfs-hook/files/postinst index 2d4256d..e065524 100644 --- a/recipes-support/initramfs-config/files/postinst +++ b/recipes-initramfs/initramfs-abrootfs-hook/files/postinst @@ -1,6 +1,6 @@ #!/bin/sh # patch local script -patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch +patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/initramfs-abrootfs-hook/debian-local.patch update-initramfs -v -u 
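Review bot: the postinst still runs `patch -s -p0 /usr/share/initramfs-tools/scripts/local ...` unconditionally, so a second invocation (package reconfigure or reinstall) tries to apply the same patch again; that predates this rename, but since the line is being edited anyway, passing `-N` (skip patches that are already applied) or checking with `patch -R --dry-run` first would make the hook idempotent. The new installed path /usr/share/initramfs-abrootfs-hook/debian-local.patch matches the do_install change in the recipe, so the two sides stay consistent.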
diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb similarity index 74% rename from recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb rename to recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb index 4b257fa..9c1776a 100644 --- a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb +++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb 
@@ -16,13 +16,13 @@ DEBIAN_DEPENDS += ", busybox, patch" SRC_URI += "file://postinst \ file://initramfs.lsblk.hook \ file://initramfs.image_uuid.hook \ - file://secure-boot-debian-local-patch" + file://debian-local-patch" do_install() { - # add patch for local to /usr/share/secure boot - TARGET=${D}/usr/share/secureboot + # add patch for local to /usr/share/initramfs-abrootfs-hook + TARGET=${D}/usr/share/initramfs-abrootfs-hook install -m 0755 -d ${TARGET} - install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch + install -m 0644 ${WORKDIR}/debian-local-patch ${TARGET}/debian-local.patch # add hooks for secure boot HOOKS=${D}/etc/initramfs-tools/hooks
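Review bot: the context line `# add hooks for secure boot` just before `HOOKS=${D}/etc/initramfs-tools/hooks` keeps exactly the secure-boot wording that the commit message calls misleading; reword it to say what the hooks do (select the rootfs by UUID from the initramfs) in the same patch, since the comment a few lines above is already being rewritten for the new path.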
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff, Christian Storm
Subject: [isar-cip-core][PATCH 07/19] swupdate: Switch to unified kernel image by default
Date: Wed, 13 Apr 2022 09:16:24 +0200
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8055

From: Jan Kiszka

This will help to move non-secure and secure boot closer. It will also be required when booting non-x86 kernels with device trees that shall be replaceable via updates, thus shall be embedded into the unified kernel image.

The change obsoletes the need to specify "unified-kernel=y" as efibootguard-boot plugin parameter. Users can still select the classic boot method by providing "unified-kernel=n".

Signed-off-by: Jan Kiszka
---
 kas/opt/ebg-swu.yml                           |  4 ++++
 recipes-core/images/files/sw-description.tmpl | 20 +++++--------------
 recipes-core/images/swupdate.inc              |  4 ++--
 .../files/swupdate.handler.efibootguard.ini   | 16 +++------------
 .../wic/plugins/source/efibootguard-boot.py   | 10 ++++------
 wic/ebg-sysparts.inc                          |  4 ++--
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 ++--
 7 files changed, 22 insertions(+), 40 deletions(-)

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index e708d0a..a58f0ed 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -14,3 +14,7 @@ header: includes: - kas/opt/efibootguard.yml - kas/opt/swupdate.yml + +local_conf_header: + initramfs: | + IMAGE_INSTALL += "initramfs-abrootfs-hook" diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl index c44c2a8..7dd67f9 100644 --- a/recipes-core/images/files/sw-description.tmpl +++ b/recipes-core/images/files/sw-description.tmpl @@ -11,10 +11,10 @@ software = { version = "0.2"; - name = "cip software update" + name = "cip software update"; images: ({ filename = "${ROOTFS_PARTITION_NAME}"; - device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002"; + device = "sda4,sda5"; type = "roundrobin"; compressed = "zlib"; filesystem = "ext4"; @@ -23,23 +23,13 @@ software = }; }); files: ({ - filename = "${KERNEL_IMAGE}"; - path = "vmlinuz"; + filename = "linux.efi"; + path = "linux.efi"; type = "roundrobin"; - device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1"; + device = "sda4->BOOT0,sda5->BOOT1"; filesystem = "vfat"; properties: { subtype = "kernel"; }; - }, - { - filename = "${INITRD_IMAGE}"; - path = "${INITRD_IMAGE}"; - type = "roundrobin"; - device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1"; - filesystem = "vfat"; - properties: { - subtype = "initrd"; - }; }); } diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index c23c103..2c3ad65 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz" SRC_URI += "file://sw-description.tmpl" TEMPLATE_FILES += "sw-description.tmpl" -TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE" +TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME" -SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}" +SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}" 
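Review bot: in the sw-description.tmpl hunk the roundrobin device lists change from PARTUUIDs to `device = "sda4,sda5";` and `device = "sda4->BOOT0,sda5->BOOT1";`, which ties the update description to a kernel device name; the commit message does not explain the switch, and sda numbering is not stable across disk controllers or virtio (vda), whereas the PARTUUIDs fedcba98-7654-3210-cafe-5e0710000001/2 are still assigned to the rootfs partitions in the wks file. If the new getroot_rr selector matches on the running root device path, say so and note that the template is now qemu-amd64 specific. The added semicolon in `name = "cip software update";` is an unrelated bug fix that deserves a sentence of its own. Dropping KERNEL_IMAGE and INITRD_IMAGE from TEMPLATE_VARS is consistent with the template no longer referencing them.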
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini index 3aee76c..b5e8070 100644 --- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini +++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini @@ -2,25 +2,15 @@ chainhandler=raw [image.selector] -method=cmdline_rr +method=getroot_rr key=root -[image.bootenv] -kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root} - [kernel] chainhandler=rawfile [kernel.selector] -method=cmdline_rrmap +method=getroot_rrmap key=root [kernel.bootenv] -kernelfile=C:BOOT${rrindex}:vmlinuz - -[initrd] -chainhandler=rawfile - -[initrd.selector] -method=cmdline_rrmap -key=root +kernelfile=C:BOOT${rrindex}:linux.efi diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py index 98a327c..4291dc2 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py @@ -78,15 +78,13 @@ class EfibootguardBootPlugin(SourcePlugin): efibootguard in local.conf with WDOG_TIMEOUT=") exit(1) - boot_files = source_params.get("files", "").split(' ') - uefi_kernel = source_params.get("unified-kernel") + unified_kernel = source_params.get("unified-kernel") or 'y' cmdline = bootloader.append - if uefi_kernel: + if unified_kernel == 'y': boot_image = cls._create_unified_kernel_image(rootfs_dir, cr_workdir, cmdline, - uefi_kernel, deploy_dir, kernel_image, initrd_image, @@ -174,8 +172,8 @@ class EfibootguardBootPlugin(SourcePlugin): @classmethod def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline, - uefi_kernel, deploy_dir, kernel_image, - initrd_image, source_params): + deploy_dir, kernel_image, initrd_image, + source_params): # we need to map the distro_arch to uefi values distro_to_efi_arch = { "amd64": "x64", 
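Review bot: `unified_kernel = source_params.get("unified-kernel") or 'y'` followed by `if unified_kernel == 'y':` means any value other than the exact string y (for example yes, Y or 1) silently falls through to the classic kernel-plus-initrd layout, whereas the old `if uefi_kernel:` accepted any non-empty value; normalise the parameter (lower-case, accept y/yes/1 and n/no/0) and fail with a clear message on anything else, otherwise a typo in a wks file yields a bootable but unintended image. In swupdate.handler.efibootguard.ini the selector method changes from cmdline_rr to getroot_rr and the `[image.bootenv]` section with `kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}` goes away; the commit message should state that the root device is now discovered from the running system rather than from the kernel command line, because that is what turns the initramfs-abrootfs-hook addition in ebg-swu.yml from optional into mandatory.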
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc index dea99e8..18c879a 100644 --- a/wic/ebg-sysparts.inc +++ b/wic/ebg-sysparts.inc @@ -4,5 +4,5 @@ part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active # EFI Boot Guard environment/config partitions plus Kernel files -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001" -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index 72a6f8c..c47257b 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in 
@@ -2,8 +2,8 @@ include ebg-signed-bootloader.inc # EFI Boot Guard environment/config partitions plus Kernel files -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh" part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
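Review bot: removing `root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001` (and its BOOT1 twin) from the efibootguard-boot sourceparams in ebg-sysparts.inc means the kernel command line no longer names the root partition at all, so every image built from that include now depends on initramfs-abrootfs-hook being installed to pick the rootfs by UUID; in this patch the hook is only added through kas/opt/ebg-swu.yml, so a configuration that pulls in ebg-sysparts.inc without ebg-swu.yml builds cleanly and has neither a root= parameter nor a hook to find the rootfs at boot. Either add the IMAGE_INSTALL next to wherever the wks include is selected, or document the requirement in a comment above the two part lines. The secureboot wks only drops unified-kernel=y and keeps signwith, which matches the new plugin default.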
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff , Christian Storm
Subject: [isar-cip-core][PATCH 08/19] swupdate: Drop PN from TEMPLATE_VARS
Date: Wed, 13 Apr 2022 09:16:25 +0200
Message-Id: <35bdc4f05109e40da19644cf312d0f98634dffc9.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8054

From: Jan Kiszka

Was never used in any of the template files.

Signed-off-by: Jan Kiszka
---
 recipes-core/images/secureboot.inc | 2 +-
 recipes-core/images/swupdate.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc index 3e6eef8..e01c834 100644 --- a/recipes-core/images/secureboot.inc
+++ b/recipes-core/images/secureboot.inc @@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz" SRC_URI += "file://sw-description.tmpl" TEMPLATE_FILES += "sw-description.tmpl" -TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME" +TEMPLATE_VARS += "ROOTFS_PARTITION_NAME" SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 2c3ad65..64887df 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc 
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz" SRC_URI += "file://sw-description.tmpl" TEMPLATE_FILES += "sw-description.tmpl" -TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME" +TEMPLATE_VARS += "ROOTFS_PARTITION_NAME" SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"

From patchwork Wed Apr 13 07:16:26 2022
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 12812180
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff , Christian Storm
Subject: [isar-cip-core][PATCH 09/19] efibootguard: Avoid rename linux.efi when signing it
Date: Wed, 13 Apr 2022 09:16:26 +0200
Message-Id: <49780064267568514aa991e83602edc83ca2dbeb.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8058

From: Jan Kiszka

This will simplify handling of secure vs. non-secure configurations.

Signed-off-by: Jan Kiszka
---
 .../files/secure-boot/sw-description.tmpl | 4 ++--
 recipes-core/images/secureboot.inc | 2 +-
 .../swupdate.handler.efibootguard.ini | 2 +-
 .../wic/plugins/source/efibootguard-boot.py | 20 +++++++++----------
 4 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl index f8e5375..7dc070a 100644 --- a/recipes-core/images/files/secure-boot/sw-description.tmpl +++ b/recipes-core/images/files/secure-boot/sw-description.tmpl @@ -23,8 +23,8 @@ software = }; }); files: ({ - filename = "linux.signed.efi"; - path = "linux.signed.efi"; + filename = "linux.efi"; + path = "linux.efi"; type = "roundrobin"; device = "sda4->BOOT0,sda5->BOOT1"; filesystem = "vfat"; diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc index e01c834..6182080 100644 --- a/recipes-core/images/secureboot.inc +++ b/recipes-core/images/secureboot.inc
@@ -18,4 +18,4 @@ TEMPLATE_FILES += "sw-description.tmpl" TEMPLATE_VARS += "ROOTFS_PARTITION_NAME" -SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}" +SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini index 4a109b7..b5e8070 100644 --- a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini +++ b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini @@ -13,4 +13,4 @@ method=getroot_rrmap key=root [kernel.bootenv] -kernelfile=C:BOOT${rrindex}:linux.signed.efi +kernelfile=C:BOOT${rrindex}:linux.efi diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py index 4291dc2..909e629 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py 
@@ -215,23 +215,21 @@ class EfibootguardBootPlugin(SourcePlugin): uefi_kernel_file=uefi_kernel_file) exec_cmd(objcopy_cmd) - return cls._sign_file(name=uefi_kernel_name, - signee=uefi_kernel_file, - deploy_dir=deploy_dir, - source_params=source_params) + cls._sign_file(signee=uefi_kernel_file, source_params=source_params) + + return uefi_kernel_name @classmethod - def _sign_file(cls, name, signee, deploy_dir, source_params): + def _sign_file(cls, signee, source_params): sign_script = source_params.get("signwith") if sign_script and os.path.exists(sign_script): msger.info("sign with script %s", sign_script) - name = name.replace(".efi", ".signed.efi") - sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\ - .format(sign_script=sign_script, signee=signee, - deploy_dir=deploy_dir, name=name) + orig_signee = signee + ".unsigned" + os.rename(signee, orig_signee) + sign_cmd = "{sign_script} {orig_signee} {signee}"\ + .format(sign_script=sign_script, orig_signee=orig_signee, + signee=signee) exec_cmd(sign_cmd) elif sign_script and not os.path.exists(sign_script): msger.error("Could not find script %s", sign_script) exit(1) - - return name

From patchwork Wed Apr 13 07:16:27 2022
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 12812176
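Review bot: for the scripts/lib/wic/plugins/source/efibootguard-boot.py hunk above, `_sign_file` renames the freshly built image to `<signee>.unsigned`, lets the script write the signed result to the original path, and then leaves the `.unsigned` copy where it is. If `uefi_kernel_file` sits in the directory that is packed into the BOOT0/BOOT1 partition or copied to the deploy directory, the unsigned kernel ships next to the signed one and eats part of the 32M partition; add `os.remove(orig_signee)` after `exec_cmd(sign_cmd)`, or sign into a temporary file instead of renaming. Also, nothing verifies that the script actually wrote `signee`: a signing script that exits 0 without producing output leaves the partition without a kernel instead of failing the task, so an `os.path.exists(signee)` check after the call is worth the two lines. The command is still assembled as `"{sign_script} {orig_signee} {signee}"` without quoting, which was true before the patch as well but now involves two unquoted paths, so any path containing a space breaks it.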
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff , Christian Storm
Subject: [isar-cip-core][PATCH 10/19] Unify configuration of secure vs. non-secure SWUpdate
Date: Wed, 13 Apr 2022 09:16:27 +0200
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8061

From: Jan Kiszka

The sw-descriptions are practically identical; the roundrobin-handler ini files are absolutely the same. So drop them and use unified configs. That allows dropping kas/opt/ebg-secure-boot-base.yml as well.
Signed-off-by: Jan Kiszka --- kas/opt/ebg-secure-boot-base.yml | 20 ----------- kas/opt/ebg-secure-boot-snakeoil.yml | 2 +- .../files/secure-boot/sw-description.tmpl | 35 ------------------- recipes-core/images/secureboot.inc | 21 ----------- .../swupdate.handler.efibootguard.ini | 16 --------- 5 files changed, 1 insertion(+), 93 deletions(-) delete mode 100644 kas/opt/ebg-secure-boot-base.yml delete mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl delete mode 100644 recipes-core/images/secureboot.inc delete mode 100644 recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml deleted file mode 100644 index 299b663..0000000 --- a/kas/opt/ebg-secure-boot-base.yml +++ /dev/null @@ -1,20 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2020 -# -# Authors: -# Quirin Gylstorff -# -# SPDX-License-Identifier: MIT -# - -header: - version: 10 - includes: - - kas/opt/efibootguard.yml - -local_conf_header: - secure_swu: | - SWU_DESCRIPTION = "secureboot" - SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini" diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index 10414fb..28b3545 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -12,7 +12,7 @@ header: version: 10 includes: - - kas/opt/ebg-secure-boot-base.yml + - kas/opt/efibootguard.yml local_conf_header: image-options: | diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl deleted file mode 100644 index 7dc070a..0000000 --- a/recipes-core/images/files/secure-boot/sw-description.tmpl +++ /dev/null 
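Review bot: in the kas/opt/ebg-secure-boot-snakeoil.yml hunk above, swapping the include to kas/opt/efibootguard.yml drops the only settings of `SWU_DESCRIPTION` and `SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG` that the deleted kas/opt/ebg-secure-boot-base.yml carried, so the secure-boot build now rests on the defaults of those two variables, which this diff does not show. Name them in the commit message (they have to resolve to the generic sw-description.tmpl and swupdate.handler.efibootguard.ini that survive this patch), because a default that still says `secureboot` would now point at files this patch deletes.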
@@ -1,35 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2020 -# -# Authors: -# Quirin Gylstorff -# -# SPDX-License-Identifier: MIT -# -software = -{ - version = "0.2"; - name = "secure boot update" - images: ({ - filename = "${ROOTFS_PARTITION_NAME}"; - device = "sda4,sda5"; - type = "roundrobin"; - compressed = "zlib"; - filesystem = "ext4"; - properties: { - subtype = "image"; - }; - }); - files: ({ - filename = "linux.efi"; - path = "linux.efi"; - type = "roundrobin"; - device = "sda4->BOOT0,sda5->BOOT1"; - filesystem = "vfat"; - properties: { - subtype = "kernel"; - }; - }) -} diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc deleted file mode 100644 index 6182080..0000000 --- a/recipes-core/images/secureboot.inc +++ /dev/null @@ -1,21 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2020 -# -# Authors: -# Quirin Gylstorff -# -# SPDX-License-Identifier: MIT -# - -FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:" - -ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz" - -SRC_URI += "file://sw-description.tmpl" -TEMPLATE_FILES += "sw-description.tmpl" - -TEMPLATE_VARS += "ROOTFS_PARTITION_NAME" - -SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}" diff --git a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini deleted file mode 100644 index b5e8070..0000000 --- a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini +++ /dev/null 
@@ -1,16 +0,0 @@ -[image] -chainhandler=raw - -[image.selector] -method=getroot_rr -key=root - -[kernel] -chainhandler=rawfile - -[kernel.selector] -method=getroot_rrmap -key=root - -[kernel.bootenv] -kernelfile=C:BOOT${rrindex}:linux.efi

From patchwork Wed Apr 13 07:16:28 2022
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 12812175
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff , Christian Storm
Subject: [isar-cip-core][PATCH 11/19] cip-core-image: Do not include swupdate.inc unless it is used
Date: Wed, 13 Apr 2022 09:16:28 +0200
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8059

From: Jan Kiszka

Was harmless to do so for non-swupdate images, but also unneeded.

Signed-off-by: Jan Kiszka
---
 kas/opt/ebg-secure-boot-snakeoil.yml | 5 +++--
 kas/opt/swupdate.yml | 3 +++
 recipes-core/images/cip-core-image.bb | 5 ++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index 28b3545..be58b15 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -15,8 +15,9 @@ header: - kas/opt/efibootguard.yml local_conf_header: - image-options: | - CIP_IMAGE_OPTIONS_append = " read-only.inc" + image-options-swupdate-ro: | + CIP_IMAGE_OPTIONS_append = " swupdate.inc read-only.inc" + swupdate: | IMAGE_INSTALL_append = " swupdate" IMAGE_INSTALL_append = " swupdate-handler-roundrobin" diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index a8b903f..1b2aff4 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml @@ -19,6 +19,9 @@ local_conf_header: IMAGE_INSTALL_append = " swupdate" IMAGE_INSTALL_append = " swupdate-handler-roundrobin" + image-option-swupdate: | + CIP_IMAGE_OPTIONS_append = " swupdate.inc" + wic-swu: | IMAGE_FSTYPES = "wic-swu-img" WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks" diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index 9bf21ff..ecba06d 100644
--- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb 
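Review bot: in the kas/opt/ebg-secure-boot-snakeoil.yml and kas/opt/swupdate.yml hunks above, the snakeoil config gains a `swupdate:` section with the same two `IMAGE_INSTALL_append` lines as kas/opt/swupdate.yml instead of including that file, and each config now appends `swupdate.inc` to `CIP_IMAGE_OPTIONS` on its own. If the two are ever combined in one kas invocation, `swupdate.inc` is listed twice, and BitBake's `include` parses a file every time it is named, so the `SRC_URI +=` and `SWU_ADDITIONAL_FILES +=` lines in swupdate.inc are applied twice. Either let the snakeoil config include kas/opt/swupdate.yml, or note in the commit message that the two configs are mutually exclusive.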
@@ -11,12 +11,11 @@ inherit image inherit image_uuid + ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'" DESCRIPTION = "CIP Core image" IMAGE_INSTALL += "customizations" -# for swupdate -SWU_DESCRIPTION ??= "swupdate" -CIP_IMAGE_OPTIONS ?= "${SWU_DESCRIPTION}.inc" +CIP_IMAGE_OPTIONS ?= "" include ${CIP_IMAGE_OPTIONS}

From patchwork Wed Apr 13 07:16:29 2022
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 12812170
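Review bot: on the recipes-core/images/cip-core-image.bb hunk above, `SWU_DESCRIPTION ??= "swupdate"` goes away together with the old `CIP_IMAGE_OPTIONS` default, yet `SWU_DESCRIPTION` is consumed elsewhere (the deleted kas/opt/ebg-secure-boot-base.yml set it to `"secureboot"` to select the sw-description template), so whatever still reads it must now carry its own default; please confirm it does, or keep the `??=` line here. `CIP_IMAGE_OPTIONS ?= ""` followed by `include ${CIP_IMAGE_OPTIONS}` is fine on its own, since `include` accepts zero or more space-separated file names.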
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff , Christian Storm
Subject: [isar-cip-core][PATCH 12/19] cip-core-image: Make image-uuid an image option
Date: Wed, 13 Apr 2022 09:16:29 +0200
Message-Id: <51a923c07081a08eff871979a91aae7926df5e3c.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8060

From: Jan Kiszka

This allows us to avoid running this needless task for the secure image, where we use the dm-verity hash as image identification.

Signed-off-by: Jan Kiszka
---
 kas/opt/ebg-swu.yml | 3 +++
 recipes-core/images/cip-core-image.bb | 1 -
 recipes-core/images/image-uuid.inc | 12 ++++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 recipes-core/images/image-uuid.inc

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml index a58f0ed..d811929 100644 --- a/kas/opt/ebg-swu.yml +++ b/kas/opt/ebg-swu.yml @@ -18,3 +18,6 @@ header: local_conf_header: initramfs: | IMAGE_INSTALL += "initramfs-abrootfs-hook" + + image-option-uuid: | + CIP_IMAGE_OPTIONS_append = " image-uuid.inc" diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb index ecba06d..3f8c320 100644 --- a/recipes-core/images/cip-core-image.bb +++ b/recipes-core/images/cip-core-image.bb @@ -10,7 +10,6 @@ # inherit image -inherit image_uuid ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'" DESCRIPTION = "CIP Core image" diff --git a/recipes-core/images/image-uuid.inc b/recipes-core/images/image-uuid.inc new file mode 100644 index 0000000..5e5a727 --- /dev/null +++ b/recipes-core/images/image-uuid.inc
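Review bot: in the kas/opt/ebg-swu.yml and recipes-core/images/cip-core-image.bb hunks above, `inherit image_uuid` leaves the image recipe, but only ebg-swu.yml adds the replacement `image-uuid.inc` option; kas/opt/swupdate.yml, which got its own `CIP_IMAGE_OPTIONS_append` in the previous patch, does not. An SWUpdate build that does not go through ebg-swu.yml therefore loses the image UUID it had before this patch. If that is intended (the commit message only motivates the secure, dm-verity image), say so; otherwise add `image-uuid.inc` to kas/opt/swupdate.yml as well.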
@@ -0,0 +1,12 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +inherit image_uuid

From patchwork Wed Apr 13 07:16:30 2022
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 12812181
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff , Christian Storm
Subject: [isar-cip-core][PATCH 13/19] swupdate: Add patch to fix EBG bootloader_env_get
Date: Wed, 13 Apr 2022 09:16:30 +0200
Message-Id: <958c2c379e58a62919aecf825c431dbac2882d96.1649834193.git.jan.kiszka@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8068

From: Jan Kiszka

Will be required for using bootenv_rrmap with the roundrobin handler.

Signed-off-by: Jan Kiszka
---
 ...onfig-Make-image-encryption-optional.patch | 8 +--
 .../0002-debian-rules-Add-CONFIG_MTD.patch | 6 +-
 ...es-Add-option-to-disable-fs-creation.patch | 8 +--
 ...ules-Add-option-to-disable-webserver.patch | 8 +--
 ...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 8 +--
 ...ules-Add-Embedded-Lua-handler-option.patch | 6 +-
 ...-SWUpdate-USB-service-and-Udev-rules.patch | 10 +--
 ...option-to-disable-CONFIG_HASH_VERIFY.patch | 6 +-
 ...ch-to-fix-bootloader_env_get-for-EBG.patch | 66 +++++++++++++++++++
 ...repare-build-for-isar-debian-buster.patch} | 10 +--
 .../swupdate/swupdate_2021.11-1+debian-gbp.bb | 5 +-
 11 files changed, 104 insertions(+), 37 deletions(-)
 create mode 100644 recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
 rename recipes-core/swupdate/files/{0009-debian-prepare-build-for-isar-debian-buster.patch => 0010-debian-prepare-build-for-isar-debian-buster.patch} (92%)

diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch index c501e42..aa20ab6 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch +++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch @@ -1,7 +1,7 @@ -From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001 +From 5d78de76eab1218494c714e9816152e4d821fa86 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Wed, 29 Sep 2021 15:28:21 +0200 -Subject: [PATCH 1/9] debian/config: Make image encryption optional +Subject: [PATCH 01/10] debian/config: Make image encryption optional This can be use to ease the setup with SWUpdate. @@ -12,7 +12,7 @@ Signed-off-by: Quirin Gylstorff 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/configs/defconfig b/debian/configs/defconfig -index 02681e53..b34168e3 100644 +index 02681e5..b34168e 100644 --- a/debian/configs/defconfig +++ b/debian/configs/defconfig @@ -3,7 +3,6 @@ CONFIG_HW_COMPATIBILITY=y @@ -24,7 +24,7 @@ index 02681e53..b34168e3 100644 CONFIG_SURICATTA_SSL=y CONFIG_UPDATE_STATE_CHOICE_BOOTLOADER=y diff --git a/debian/rules b/debian/rules -index 864add23..08b74a1d 100755 +index 864add2..08b74a1 100755 --- a/debian/rules +++ b/debian/rules @@ -41,6 +41,9 @@ endif diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch index 50cf805..e62a4fc 100644 --- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch +++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch @@ -1,7 +1,7 @@ -From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001 +From c3adc5d2be41e151c811c96f2bed245778fec82c Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Wed, 29 Sep 2021 11:29:57 +0200 -Subject: [PATCH 2/9] debian/rules: Add CONFIG_MTD +Subject: [PATCH 02/10] debian/rules: Add CONFIG_MTD if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled. @@ -11,7 +11,7 @@ Signed-off-by: Quirin Gylstorff 1 file changed, 1 insertion(+) 
diff --git a/debian/rules b/debian/rules -index 08b74a1d..6705140b 100755 +index 08b74a1..6705140 100755 --- a/debian/rules +++ b/debian/rules @@ -20,6 +20,7 @@ endif diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch index c5815cb..08ba9b9 100644 --- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch +++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch @@ -1,7 +1,7 @@ -From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001 +From 17d962a9b43f5debaed85affc6dccb2c471bffe9 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Mon, 4 Oct 2021 17:15:56 +0200 -Subject: [PATCH 3/9] debian/rules: Add option to disable fs creation +Subject: [PATCH 03/10] debian/rules: Add option to disable fs creation Signed-off-by: Quirin Gylstorff --- @@ -10,7 +10,7 @@ Signed-off-by: Quirin Gylstorff 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/debian/configs/defconfig b/debian/configs/defconfig -index b34168e3..d011deb1 100644 +index b34168e..d011deb 100644 --- a/debian/configs/defconfig +++ b/debian/configs/defconfig @@ -9,12 +9,6 @@ CONFIG_UPDATE_STATE_CHOICE_BOOTLOADER=y @@ -27,7 +27,7 @@ index b34168e3..d011deb1 100644 CONFIG_RAW=y CONFIG_RDIFFHANDLER=y diff --git a/debian/rules b/debian/rules -index 6705140b..983e122f 100755 +index 6705140..983e122 100755 --- a/debian/rules +++ b/debian/rules @@ -45,6 +45,15 @@ endif diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch index 4a9076d..eaa6fcf 100644 --- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch +++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch 
@@ -1,7 +1,7 @@ -From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001 +From a02a6d4385f314601ef5c7094ecb26f5b5c3f134 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Mon, 4 Oct 2021 17:27:11 +0200 -Subject: [PATCH 4/9] debian/rules: Add option to disable webserver +Subject: [PATCH 04/10] debian/rules: Add option to disable webserver Signed-off-by: Quirin Gylstorff --- @@ -10,7 +10,7 @@ Signed-off-by: Quirin Gylstorff 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/configs/defconfig b/debian/configs/defconfig -index d011deb1..337fcce0 100644 +index d011deb..337fcce 100644 --- a/debian/configs/defconfig +++ b/debian/configs/defconfig @@ -6,8 +6,6 @@ CONFIG_SIGALG_CMS=y @@ -23,7 +23,7 @@ index d011deb1..337fcce0 100644 CONFIG_UNIQUEUUID=y CONFIG_RAW=y diff --git a/debian/rules b/debian/rules -index 983e122f..6078ed89 100755 +index 983e122..6078ed8 100755 --- a/debian/rules +++ b/debian/rules @@ -39,6 +39,10 @@ else ifneq (,$(filter pkg.swupdate.efibootguard,$(DEB_BUILD_PROFILES))) diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch index 87eba2c..eb19e5f 100644 --- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch +++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch @@ -1,7 +1,7 @@ -From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001 +From 8315d5ff8168fca1bd3752764e71f98e8b55f2ad Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Tue, 5 Oct 2021 10:56:25 +0200 -Subject: [PATCH 5/9] debian: Make CONFIG_HW_COMPATIBILTY optional +Subject: [PATCH 05/10] debian: Make CONFIG_HW_COMPATIBILTY optional Add option for qemu. @@ -12,7 +12,7 @@ Signed-off-by: Quirin Gylstorff 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/debian/configs/defconfig b/debian/configs/defconfig -index 337fcce0..6fc1137f 100644 +index 337fcce..6fc1137 100644 --- a/debian/configs/defconfig +++ b/debian/configs/defconfig @@ -1,5 +1,4 @@ @@ -22,7 +22,7 @@ index 337fcce0..6fc1137f 100644 CONFIG_DOWNLOAD_SSL=y CONFIG_SIGALG_CMS=y diff --git a/debian/rules b/debian/rules -index 6078ed89..19870e98 100755 +index 6078ed8..19870e9 100755 --- a/debian/rules +++ b/debian/rules @@ -39,6 +39,9 @@ else ifneq (,$(filter pkg.swupdate.efibootguard,$(DEB_BUILD_PROFILES))) diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch index 5d7543b..1d6a247 100644 --- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch +++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch @@ -1,7 +1,7 @@ -From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001 +From 19969a388e414db84e54a706e9227c301b0408a2 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Wed, 29 Sep 2021 11:32:41 +0200 -Subject: [PATCH 6/9] debian/rules: Add Embedded Lua handler option +Subject: [PATCH 06/10] debian/rules: Add Embedded Lua handler option Signed-off-by: Quirin Gylstorff --- @@ -9,7 +9,7 @@ Signed-off-by: Quirin Gylstorff 1 file changed, 5 insertions(+) diff --git a/debian/rules b/debian/rules -index 19870e98..12eb0ba5 100755 +index 19870e9..12eb0ba 100755 --- a/debian/rules +++ b/debian/rules @@ -68,7 +68,12 @@ ifneq (,$(LUA_VERSION)) diff --git a/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch index 2779d8b..90c8d98 100644 --- a/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch +++ b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch 
@@ -1,7 +1,7 @@ -From 625db939a1dec7d1aa6fbcb01c2c4cbd699bfe7b Mon Sep 17 00:00:00 2001 +From db391d1dd34806ae6694205b08b4661318bef37b Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff Date: Mon, 7 Feb 2022 09:28:39 +0100 -Subject: [PATCH 7/9] debian: Remove SWUpdate USB service and Udev rules +Subject: [PATCH 07/10] debian: Remove SWUpdate USB service and Udev rules The current implementation will install an abitrary SWUpdate binary from a plug-in USB stick. This is a major security risk for devices @@ -19,7 +19,7 @@ Signed-off-by: Quirin Gylstorff delete mode 100644 debian/swupdate.udev diff --git a/debian/rules b/debian/rules -index 12eb0ba5..76fce010 100755 +index 12eb0ba..76fce01 100755 --- a/debian/rules +++ b/debian/rules @@ -101,7 +101,6 @@ override_dh_auto_install: @@ -32,7 +32,7 @@ index 12eb0ba5..76fce010 100755 override_dh_gencontrol: diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service deleted file mode 100644 -index eda9d153..00000000 +index eda9d15..0000000 --- a/debian/swupdate.swupdate-usb@.service +++ /dev/null @@ -1,8 +0,0 @@ @@ -46,7 +46,7 @@ index eda9d153..00000000 -ExecStopPost=/bin/umount /mnt diff --git a/debian/swupdate.udev b/debian/swupdate.udev deleted file mode 100644 -index b4efd0b7..00000000 +index b4efd0b..0000000 --- a/debian/swupdate.udev +++ /dev/null @@ -1,2 +0,0 @@ diff --git a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch index a7c5ee7..a5207ee 100644 --- a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch +++ b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch @@ -1,7 +1,7 @@ -From cddd3472aad2d8e48d557705b82ffcc0c7d14a02 Mon Sep 17 00:00:00 2001 +From 2776a4817eb91be3df001e04d548a702e9f5291a Mon Sep 17 00:00:00 2001 
From: Quirin Gylstorff Date: Mon, 14 Feb 2022 12:27:43 +0100 -Subject: [PATCH 8/9] Add Profile option to disable CONFIG_HASH_VERIFY +Subject: [PATCH 08/10] Add Profile option to disable CONFIG_HASH_VERIFY This change also enables CONFIG_HASH_VERIFY by default. @@ -11,7 +11,7 @@ Signed-off-by: Quirin Gylstorff 1 file changed, 3 insertions(+) diff --git a/debian/rules b/debian/rules -index 76fce010..4dc9e170 100755 +index 76fce01..4dc9e17 100755 --- a/debian/rules +++ b/debian/rules @@ -42,6 +42,9 @@ endif diff --git a/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch b/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch new file mode 100644 index 0000000..fd263ee --- /dev/null +++ b/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch 
@@ -0,0 +1,66 @@ +From 09a736a651ae05378d9ef8018589c9f834b729a6 Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Tue, 12 Apr 2022 08:01:21 +0200 +Subject: [PATCH 09/10] debian: Add patch to fix bootloader_env_get for EBG + +Signed-off-by: Jan Kiszka +--- + ...ix-do_env_get-for-anything-but-globa.patch | 38 +++++++++++++++++++ + debian/patches/series | 1 + + 2 files changed, 39 insertions(+) + create mode 100644 debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch + +diff --git a/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch b/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch +new file mode 100644 +index 0000000..f99f7ee +--- /dev/null ++++ b/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch +@@ -0,0 +1,38 @@ ++From 62cd7c93dc31e5ad8dccdd1db791892864fbbccf Mon Sep 17 00:00:00 2001 ++From: Jan Kiszka ++Date: Tue, 12 Apr 2022 07:49:14 +0200 ++Subject: [PATCH] bootloader: EBG: fix do_env_get for anything but global state ++ ++The return value conversion must only be applied on STATE_KEY. This ++fixes strangely broken strings for all other keys. 
++ ++Signed-off-by: Jan Kiszka ++--- ++ bootloader/ebg.c | 4 ++-- ++ 1 file changed, 2 insertions(+), 2 deletions(-) ++ ++diff --git a/bootloader/ebg.c b/bootloader/ebg.c ++index 2aa9010..a0b45dc 100644 ++--- a/bootloader/ebg.c +++++ b/bootloader/ebg.c ++@@ -115,6 +115,8 @@ char *bootloader_env_get(const char *name) ++ if (strncmp(name, (char *)STATE_KEY, strlen((char *)STATE_KEY) + 1) == 0) { ++ value = (char *)malloc(sizeof(char)); ++ *value = ebg_env_getglobalstate(&ebgenv); +++ /* Map EFI Boot Guard's int return to update_state_t's char value */ +++ *value = *value + '0'; ++ } else { ++ if ((size = ebg_env_get(&ebgenv, (char *)name, NULL)) != 0) { ++ value = malloc(size); ++@@ -133,8 +135,6 @@ char *bootloader_env_get(const char *name) ++ name, strerror(errno)); ++ } ++ ++- /* Map EFI Boot Guard's int return to update_state_t's char value */ ++- *value = *value + '0'; ++ return value; ++ } ++ ++-- ++2.34.1 ++ +diff --git a/debian/patches/series b/debian/patches/series +index 8c5564a..98628a7 100644 +--- a/debian/patches/series ++++ b/debian/patches/series +@@ -1 +1,2 @@ + use-gcc-compiler.diff ++0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch +-- +2.34.1 + diff --git a/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch similarity index 92% rename from recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch rename to recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch index 8afef74..1d476e9 100644 --- a/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch +++ b/recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch @@ -1,7 +1,7 @@ -From 5dda7f815dafdfbd1b187ccc912eca38e9aee7bb Mon Sep 17 00:00:00 2001 +From c9661853aea11f090b5936363b0bae10fe6ebed6 Mon Sep 17 00:00:00 2001 
From: Quirin Gylstorff Date: Wed, 29 Sep 2021 16:17:03 +0200 -Subject: [PATCH 9/9] debian: prepare build for isar debian buster +Subject: [PATCH 10/10] debian: prepare build for isar debian buster Signed-off-by: Quirin Gylstorff --- @@ -13,13 +13,13 @@ Signed-off-by: Quirin Gylstorff diff --git a/debian/compat b/debian/compat new file mode 100644 -index 00000000..f599e28b +index 0000000..f599e28 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +10 diff --git a/debian/control b/debian/control -index 192c4a2a..9318fa12 100644 +index 192c4a2..9318fa1 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional @@ -47,7 +47,7 @@ index 192c4a2a..9318fa12 100644 libebgenv-dev | efibootguard-dev , libcmocka-dev, diff --git a/debian/rules b/debian/rules -index 4dc9e170..370ca3d8 100755 +index 4dc9e17..370ca3d 100755 --- a/debian/rules +++ b/debian/rules @@ -19,13 +19,15 @@ endif diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb index bf060b4..7edefe7 100644 --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb @@ -23,7 +23,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \ file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \ file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \ file://0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch \ - file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch" + file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch \ + file://0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch" # end patching for dm-verity based images 
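Review bot: moving the `*value = *value + '0'` conversion into the STATE_KEY branch (hunks `@@ -115,6 +115,8 @@` and `@@ -133,8 +135,6 @@` of the embedded bootloader/ebg.c patch) is the right fix, because the unconditional conversion rewrote the first byte of every value returned via `ebg_env_get`, which is exactly the "strangely broken strings" the patch description mentions. Two pre-existing points in the visible context lines deserve a follow-up, not a blocker: the STATE_KEY branch does `value = (char *)malloc(sizeof(char));` and dereferences the result without a NULL check, and it stores a single character with no terminating NUL, so any caller that treats the returned buffer as a C string would read past the one-byte allocation. Since the fix is shipped as a Debian quilt patch added to `debian/patches/series`, please also record the upstream SWUpdate commit in the patch header once it lands upstream, so the patch can be dropped on the next version bump.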
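Review bot: in the `swupdate_2021.11-1+debian-gbp.bb` hunk the new `0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch` is appended to the unconditional `SRC_URI`, while the renamed `0010-debian-prepare-build-for-isar-debian-buster.patch` stays in `SRC_URI_append_buster`; that matches the renumbered `[PATCH 09/10]` / `[PATCH 10/10]` subjects inside the patch files, so the series order is consistent. The index-line shortening (`337fcce0..6fc1137f` to `337fcce..6fc1137`, and likewise in every other embedded patch) is regeneration noise from a different abbrev setting; it is harmless, but it roughly doubles the size of this diff, so regenerating the series with the same setting next time would keep reviews focused on the functional change.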
@@ -39,7 +40,7 @@ DEB_BUILD_PROFILES += "cross nocheck" # DEB_BUILD_PROFILES += "pkg.swupdate.embeddedlua" # modify for debian buster build -SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch" +SRC_URI_append_buster = " file://0010-debian-prepare-build-for-isar-debian-buster.patch" # disable create filesystem due to missing symbols in debian buster # disable webserver due to missing symbols in debian buster From patchwork Wed Apr 13 07:16:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12812174 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 08927C352B6 for ; Wed, 13 Apr 2022 15:48:07 +0000 (UTC) Received: from mta-64-227.flowmailer.net (mta-64-227.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web12.3486.1649834200902452012 for ; Wed, 13 Apr 2022 00:16:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=g3mBjTh2; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-294854-2022041307164201b1df86640b4d8324-pixonj@rts-flowmailer.siemens.com) Received: by mta-64-227.flowmailer.net with ESMTPSA id 2022041307164201b1df86640b4d8324 for ; Wed, 13 Apr 2022 09:16:42 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=cv9NeKNXiaWE1LNXo2zWOhF9f96vfPGiUI528SMfhps=; b=g3mBjTh2d2hECDcFpLnx9kvdgYlk2jmfmisbG7ib7R2EF/QQJuqU8mfcXtvro3x0LoAiEr vkAqIoHVyW87X1irEyLB8mVBYzv2h7+vWbumoFYT2ziSi8nosc+qMCtkhvaKZQXpDoXS5EhK nyuNgsAg8gP7RYGDigrkZ/iKs52/s=; 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 14/19] swupdate: Switch to bootenv_rrmap+kernelfile for device selection Date: Wed, 13 Apr 2022 09:16:31 +0200 Message-Id: <8c6b9776be2e54190b101bd63f12cc22e5d5feaf.1649834193.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Apr 2022 15:48:07 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8067 From: Jan Kiszka This allows for a medium-independent sw-description. Not required so far for QEMU, but it may become useful in the future or for downstream layers, at least as reference. Signed-off-by: Jan Kiszka --- recipes-core/images/files/sw-description.tmpl | 4 ++-- .../files/swupdate.handler.efibootguard.ini | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl index 7dd67f9..f5cafeb 100644 --- a/recipes-core/images/files/sw-description.tmpl +++ b/recipes-core/images/files/sw-description.tmpl @@ -14,7 +14,7 @@ software = name = "cip software update"; images: ({ filename = "${ROOTFS_PARTITION_NAME}"; - device = "sda4,sda5"; + device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002"; type = "roundrobin"; compressed = "zlib"; filesystem = "ext4"; @@ -26,7 +26,7 @@ software = filename = "linux.efi"; path = "linux.efi"; type = "roundrobin"; - device = "sda4->BOOT0,sda5->BOOT1"; + device = "C:BOOT0:linux.efi->BOOT0,C:BOOT1:linux.efi->BOOT1"; filesystem = "vfat"; properties: { subtype = "kernel"; 
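Review bot: the `device` strings in sw-description.tmpl now key on the EFI Boot Guard kernel path (`C:BOOT0:linux.efi->...`) instead of `sda4,sda5`, mapping the rootfs entry to the PARTUUIDs and the kernel entry to `BOOT0`/`BOOT1`. This only works if the selector lookup returns exactly the string `C:BOOT${rrindex}:linux.efi`, which the `swupdate.handler.efibootguard.ini` hunk in this patch ensures by switching both `[image.selector]` and `[kernel.selector]` to `method=bootenv_rrmap` / `key=kernelfile` and keeping `kernelfile=C:BOOT${rrindex}:linux.efi` in `[kernel.bootenv]`. Because the strings have to match byte for byte, a short comment in the template pointing at that ini key would spare the next reader the cross-reference. Note also that the PARTUUIDs `fedcba98-7654-3210-cafe-5e0710000001` and `...0002` are now hard-coded in the template, as the `sda4`/`sda5` names were before, so a board with a different partition layout still has to override the template, now together with the handler ini.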
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini index b5e8070..58271da 100644 --- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini +++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini 
@@ -2,15 +2,15 @@ chainhandler=raw [image.selector] -method=getroot_rr -key=root +method=bootenv_rrmap +key=kernelfile [kernel] chainhandler=rawfile [kernel.selector] -method=getroot_rrmap -key=root +method=bootenv_rrmap +key=kernelfile [kernel.bootenv] kernelfile=C:BOOT${rrindex}:linux.efi From patchwork Wed Apr 13 07:16:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12812173 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBD43C352A1 for ; Wed, 13 Apr 2022 15:48:06 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.3440.1649834201790323295 for ; Wed, 13 Apr 2022 00:16:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=Ji3D4ild; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-294854-2022041307164288fcf5a39b400db915-hwbedz@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2022041307164288fcf5a39b400db915 for ; Wed, 13 Apr 2022 09:16:42 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=6goxvXHlyZzvrSb4uGCMup++ZyGQ5feD37PjerDN3Bs=; b=Ji3D4ildxd4FgP0rMnU9SpF7u8FJVBSye/hO5kQ9AAql+s8Dkrw75kq+2idt3hiR7DmWZc hpngVIM0C2lXpHCcvEb4B7rMtwU5SFc+u7h0N0Cw5EPLCalNrMc75XfxYfFTz8+YP/F2YkAF UCEeBK+WGpQZ4QUglyNc/2FUV6mXs=; 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 15/19] customizations: Enable systemd watchdog Date: Wed, 13 Apr 2022 09:16:32 +0200 Message-Id: <89ec2cb2d8709419c8adffdc071242c69e50266a.1649834193.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Apr 2022 15:48:06 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8063 From: Jan Kiszka This is needed for proper SWUpdate processing and does not harm in other cases, even if the platform has no watchdog. Signed-off-by: Jan Kiszka --- recipes-core/customizations/common.inc | 6 +++++- recipes-core/customizations/files/99-watchdog.conf | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 recipes-core/customizations/files/99-watchdog.conf diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc index d3eb7b8..1124ff2 100644 --- a/recipes-core/customizations/common.inc +++ b/recipes-core/customizations/common.inc @@ -16,7 +16,8 @@ FILESPATH_append := ":${FILE_DIRNAME}/files" SRC_URI = " \ file://postinst \ file://ethernet \ - file://99-silent-printk.conf" + file://99-silent-printk.conf \ + file://99-watchdog.conf" WIRELESS_FIRMWARE_PACKAGE ?= "" INSTALL_WIRELESS_TOOLS ??= "0" @@ -34,4 +35,7 @@ do_install() { install -v -d ${D}/etc/sysctl.d install -v -m 644 ${WORKDIR}/99-silent-printk.conf ${D}/etc/sysctl.d/ + + install -v -d ${D}/etc/systemd/system.conf.d + install -v -m 644 ${WORKDIR}/99-watchdog.conf ${D}/etc/systemd/system.conf.d/ } diff --git a/recipes-core/customizations/files/99-watchdog.conf b/recipes-core/customizations/files/99-watchdog.conf new file mode 100644 index 0000000..c02756d --- /dev/null 
+++ b/recipes-core/customizations/files/99-watchdog.conf @@ -0,0 +1,3 @@ +[Manager] +RuntimeWatchdogSec=60s +ShutdownWatchdogSec=60s From patchwork Wed Apr 13 07:16:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12812182 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C4BAC47088 for ; Wed, 13 Apr 2022 15:48:07 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web12.3487.1649834202065311179 for ; Wed, 13 Apr 2022 00:16:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=HSTR/Lbv; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-294854-20220413071642b026afa83f16388c10-o5kdo_@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20220413071642b026afa83f16388c10 for ; Wed, 13 Apr 2022 09:16:43 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=//SYPF7y8mH3m8VXx6pZfoDzeZRri59cQ02vgNv7K5Q=; b=HSTR/LbvHQ6pVbmesSCNBSFz1VQL5E4Td+u2Cm9g66M3bEOODH5Ak0FsId7NW7EbC5axkn m9uU1ruaHfaMrEWuZB3InnoUqs7Tle9MiuqVi0duiLUH1y8pyn3vNFX0dcYKO3ZYG8blyG83 ECUPcHdIgMpD9WjCUMvdXYz17Z41o=; 
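Review bot: for the new `99-watchdog.conf` drop-in with `RuntimeWatchdogSec=60s` / `ShutdownWatchdogSec=60s`, the commit message should say why SWUpdate needs it: the `bg_printenv` output shown in the README patch of this series reports `watchdog timeout: 60 seconds`, i.e. EFI Boot Guard arms a hardware watchdog before booting, and from then on something in userspace has to keep feeding it, otherwise the reset (which the `noreboot=off` QEMU change in this series makes effective) fires even on a healthy boot. On platforms without a watchdog device systemd only logs that it cannot open the device and continues, which backs the "does not harm" statement. One forward-looking point: `ShutdownWatchdogSec=` was renamed `RebootWatchdogSec=` in newer systemd releases (the old name is kept as an alias), so the file works on buster and bullseye as written but may warrant a rename later; a comment in the file would help.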
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 16/19] linux-cip: Update cip-kernel-config Date: Wed, 13 Apr 2022 09:16:33 +0200 Message-Id: <77f74bd470100773cd9813916718d2b247d49eb7.1649834193.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Apr 2022 15:48:07 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8069 From: Jan Kiszka This specifically brings iTCO support for QEMU which will be needed to run SWUpdate full-featured. --- recipes-kernel/linux/linux-cip-common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 84515c2..238e5b0 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc 
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}" -SRCREV_cip-kernel-config ?= "3f527304fdadd163e20b7a5a9cfabaca7506c716" +SRCREV_cip-kernel-config ?= "0150b63d0e74d64cc0d5baa9b9440cc148abad8b" S = "${WORKDIR}/linux-cip-v${PV}" From patchwork Wed Apr 13 07:16:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12812179 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFD17C352A8 for ; Wed, 13 Apr 2022 15:48:06 +0000 (UTC) Received: from mta-64-227.flowmailer.net (mta-64-227.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web08.3507.1649834201494836727 for ; Wed, 13 Apr 2022 00:16:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=VsTQYrMv; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-294854-202204130716439b756e8fe6add4f6f2-__ufpy@rts-flowmailer.siemens.com) Received: by mta-64-227.flowmailer.net with ESMTPSA id 202204130716439b756e8fe6add4f6f2 for ; Wed, 13 Apr 2022 09:16:43 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=zM6/ldiNw4HrtwyAHQUyCoJBTCPpCioGsttEv70Cxdo=; b=VsTQYrMvCJ/T230DKCEi6/AMhIzYC67V4duaSbcP83/fbNpQtTwupXSEiTZbecKrXTB57y 8ENwnT+vvm7i9ID68quM6jniChuOM3z3GEH3B+qehpQLfUKZks15Y2at6H6c/hO6tsx/R2jN J3Bz58AhML6x6vPj330koPGDX2mzo=; 
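Review bot: this commit has no Signed-off-by line, unlike every other patch in the series; please add it. The `SRCREV_cip-kernel-config` bump is described only as "brings iTCO support for QEMU"; naming the config symbol the new revision turns on (presumably `CONFIG_ITCO_WDT`) or the cip-kernel-config commit range would let a reviewer verify that nothing else changed in the QEMU defconfig between the two revisions.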
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 17/19] start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset Date: Wed, 13 Apr 2022 09:16:34 +0200 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Apr 2022 15:48:06 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8064 From: Jan Kiszka Allows full testing of the SWUpdate feature. Signed-off-by: Jan Kiszka --- start-qemu.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/start-qemu.sh b/start-qemu.sh index c5cd9fa..fe08ebd 100755 --- a/start-qemu.sh +++ b/start-qemu.sh 
@@ -53,6 +53,7 @@ case "$1" in -cpu qemu64 \ -smp 4 \ -machine q35,accel=kvm:tcg \ + -global ICH9-LPC.noreboot=off \ -device virtio-net-pci,netdev=net" if [ -n "${SECURE_BOOT}" ]; then # set bootindex=0 to boot disk instead of EFI-shell From patchwork Wed Apr 13 07:16:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13005257 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mta-64-227.flowmailer.net (mta-64-227.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.3438.1649834200604021533 for ; Wed, 13 Apr 2022 00:16:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=AyODwE+a; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-294854-202204130716431385b12f32016f4265-1lusyr@rts-flowmailer.siemens.com) Received: by mta-64-227.flowmailer.net with ESMTPSA id 202204130716431385b12f32016f4265 for ; Wed, 13 Apr 2022 09:16:43 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=le2mND6VwDa7A+MTMyLG91h9BqQ8xoQ28ymoQVEaaco=; b=AyODwE+aVl+ozARE0eW3C4k/ulzEjZL0JXo8dWG4N4NCgi+riTnblcKFtNDY/+qtfxsvXc jVEZMSIrbbYtMKztuqYX9lLTVieoFgWyb5/qyfWDcsoRD0JjPQemXcBkxoRGn1VDMkyquYBQ jfFKlIoA+g9NUh8du9fIj4gl2+oDA=; From: "Jan Kiszka" To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 18/19] doc: Update README.swupdate Date: Wed, 13 Apr 2022 09:16:35 +0200 Message-Id: <09173a76dd97f3b97ec34a10531eb4354f6d3b03.1649834193.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: 
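Review bot: `-global ICH9-LPC.noreboot=off` is what allows an expired TCO (iTCO) watchdog to actually reset the q35 machine; with QEMU's default the NO_REBOOT strap stays set and the timeout is ignored, so the rollback walkthrough in README.swupdate would never trigger. A one-line comment above it in start-qemu.sh explaining this, and that it pairs with the iTCO kernel config pulled in by the cip-kernel-config update, would stop someone from removing it as unexplained. It is only added in the branch of the `case` that uses `-machine q35`, which is correct, because the property only exists on the ICH9 LPC device.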
From: Jan Kiszka Reflect the changes on the non-secure SWUpdate procedure in the documentation and streamline it a bit. Also switch to host-originated scp to transfer the swu image to avoid the need for sshd on the host. Signed-off-by: Jan Kiszka --- doc/README.swupdate.md | 166 ++++++++++++++++++++++------------------- 1 file changed, 90 insertions(+), 76 deletions(-) diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md index 05768da..e28db24 100644 --- a/doc/README.swupdate.md +++ b/doc/README.swupdate.md 
@@ -1,31 +1,38 @@ +# SWUpdate support for the CIP core image -Clone the isar-cip-core repository +This document describes how to build and test the SWUpdate pre-integration for +isar-cip-core, targeting a QEMU x86 virtual machine. + +Start with cloning the isar-cip-core repository: ``` host$ git clone https://gitlab.com/cip-project/cip-core/isar-cip-core.git ``` -Build the CIP Core image +# Building and testing the CIP Core image Set up `kas-container` as described in the [top-level README](../README.md). -Then build the image: +Then build the image which will later serve as update package: ``` host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml ``` -- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp) -- modify the image for example add a new version to the image by adding PV=2.0.0 to cip-core-image.bb -- rebuild the image using above command and start the new target +Save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` into a separate folder (ex: /tmp). + +Next, rebuild the image, switching to the RT kernel as modification: ``` -host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64 +host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/rt.yml ``` -Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system +Now start the image which will contain the RT kernel: +``` +host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64 +``` +Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder into the running system: ``` -root@demo:~# scp @10.0.2.2:/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu . +host$ scp -P 22222 /tmp/cip-core-image-cip-core-buster-qemu-amd64.swu root@localhost: ``` Check which partition is booted, e.g. with lsblk: - ``` root@demo:~# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT 
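Review bot: the new text says to save the swu "into a separate folder (ex: /tmp)" but a few lines later still says "Copy ... file from `tmp` folder", while the scp command reads from `/tmp`; please make the three agree (use `/tmp` throughout). The replacement line `host$ scp -P 22222 /tmp/... root@localhost:` fixes the old, username-less `scp @10.0.2.2:...` form and relies on the localhost-only port forward added to start-qemu.sh earlier in this series; a sentence saying so, and that it assumes root ssh login is accepted by the test image, would make the step self-explanatory for readers who start at this document.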
@@ -37,11 +44,22 @@ sda 8:0 0 2G 0 disk └─sda5 8:5 0 1000M 0 part ``` -Apply swupdate and reboot +Also check that you are running the RT kernel: +``` +root@demo:~# uname -a +Linux demo 4.19.233-cip69-rt24 #1 SMP PREEMPT RT Tue Apr 12 09:23:51 UTC 2022 x86_64 GNU/Linux +root@demo:~# ls /lib/modules +4.19.233-cip69-rt24 +root@demo:~# cat /sys/kernel/realtime +1 +``` + +Now apply swupdate and reboot ``` root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu root@demo:~# reboot ``` + Check which partition is booted, e.g. with lsblk and the rootfs should have changed ``` root@demo:~# lsblk 
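Review bot: "Now apply swupdate and reboot" lost the trailing colon the other step headings have; minor. More useful: the new "check that you are running the RT kernel" block shows `cat /sys/kernel/realtime` returning `1`, a file that exists only on PREEMPT_RT kernels, so the later "Check the active kernel" block after the update could include the same command (expecting the file to be absent) to make the before/after comparison symmetric.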
@@ -54,150 +72,146 @@ sda 8:0 0 2G 0 disk └─sda5 8:5 0 1000M 0 part / ``` +Check the active kernel: +``` +root@demo:~# uname -a +Linux demo 4.19.235-cip70 #1 SMP Tue Apr 12 09:08:39 UTC 2022 x86_64 GNU/Linux +root@demo:~# ls /lib/modules +4.19.235-cip70 +``` + Check bootloader ustate after swupdate ``` root@demo:~# bg_printenv + ---------------------------- -Config Partition #0 Values: + Config Partition #0 Values: in_progress: no revision: 2 -kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz -kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img +kernel: C:BOOT0:linux.efi +kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog timeout: 60 seconds ustate: 0 (OK) user variables: + + ---------------------------- Config Partition #1 Values: in_progress: no revision: 3 -kernel: C:BOOT1:vmlinuz -kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img +kernel: C:BOOT1:linux.efi +kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog timeout: 60 seconds ustate: 2 (TESTING) + +user variables: + + ``` -if Partition #1 usate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK" +If Partition #1 ustate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK". ``` root@demo:~# bg_setenv -c ``` -# swupdate rollback example +## SWUpdate rollback example -Build the image for swupdate with service which causes kernel panic during system boot using below command. 
+Build the image for swupdate with a service which causes kernel panic during system boot using below command: ``` host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/kernel-panic.yml ``` -- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp) -- build the image again without `kernel-panic.yml` recipe using below command +Save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` in a separate folder. +Then build the image without `kernel-panic.yml` recipe using below command: ``` host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml ``` -Start the target on QEMU +Start the target on QEMU: ``` host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64 ``` -Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system - +Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder into the running system: ``` -root@demo:~# scp @10.0.2.2:/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu . +host$ scp -P 22222 /tmp/cip-core-image-cip-core-buster-qemu-amd64.swu root@localhost: ``` -Check which partition is booted, e.g. with lsblk: - +Apply swupdate as below: ``` -root@demo:~# lsblk -NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT -sda 8:0 0 2G 0 disk -├─sda1 8:1 0 16.4M 0 part -├─sda2 8:2 0 32M 0 part -├─sda3 8:3 0 32M 0 part -├─sda4 8:4 0 1000M 0 part / -└─sda5 8:5 0 1000M 0 part +root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu ``` -Check bootloader ustate before swupdate and should be as below +Check bootloader ustate after swupdate. If the swupdate is successful then **revision number** should be **3** and status should be changed to **INSTALLED** for Partition #1. 
``` root@demo:~# bg_printenv + ---------------------------- -Config Partition #0 Values: + Config Partition #0 Values: in_progress: no revision: 2 -kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz -kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img +kernel: C:BOOT0:linux.efi +kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog timeout: 60 seconds ustate: 0 (OK) user variables: ----------------------------- -Config Partition #1 Values: -in_progress: no -revision: 1 -kernel: C:BOOT1:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz -kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img -watchdog timeout: 60 seconds -ustate: 0 (OK) -``` -Apply swupdate as below -``` -root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu -``` -check bootloader ustate after swupdate. if the swupdate is successful then **revision number** should increase to **3** and status should be changed to **INSTALLED** for Partition #1. 
-``` -root@demo:~# bg_printenv ----------------------------- -Config Partition #0 Values: -in_progress: no -revision: 2 -kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz -kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img -watchdog timeout: 60 seconds -ustate: 0 (OK) -user variables: ---------------------------- -Config Partition #1 Values: + Config Partition #1 Values: in_progress: no revision: 3 -kernel: C:BOOT1:vmlinuz -kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img +kernel: C:BOOT1:linux.efi +kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog timeout: 60 seconds ustate: 1 (INSTALLED) + +user variables: + + ``` -Execute reboot command -- reboot command should cause kernel panic error. -- watchdog timer should expire and restart the qemu. bootloader should select previous partition to boot. +Execute the reboot command. ``` root@demo:~# reboot ``` -Once the system is restarted, check the bootloader ustate -- if update is failed then **revision number** should reduce to **0** and status should change to **FAILED** for Partition #1. +The new kernel should cause a kernel panic error. +The watchdog timer should expire and restart the VM (it will take 2 minutes due to an issue in. +The bootloader will then select the previous, working partition and boot from it. + +Once the system is restarted, check the bootloader ustate. +If update is failed then **revision number** should be reduced to **0** and status should have changed to **FAILED** for Partition #1. 
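Review bot: the sentence "The watchdog timer should expire and restart the VM (it will take 2 minutes due to an issue in." is cut off and the parenthesis is never closed; please finish it (what the issue is and where it lives) or drop the parenthetical. "If update is failed" should read "If the update failed". Also, this hunk removes the "Check which partition is booted" and "ustate before swupdate" blocks, which is fine for brevity, but the removed lines were the only place showing that Partition #1 starts at `revision: 1` / `ustate: 0 (OK)`; a sentence stating that starting point would let the reader follow the revision going 1 to 3 to 0 across the walkthrough.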
``` root@demo:~# bg_printenv + ---------------------------- Config Partition #0 Values: in_progress: no revision: 2 -kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz -kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-corg +kernel: C:BOOT0:linux.efi +kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog timeout: 60 seconds ustate: 0 (OK) user variables: + + + ---------------------------- Config Partition #1 Values: in_progress: no revision: 0 -kernel: C:BOOT1:vmlinuz -kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-corg +kernel: C:BOOT1:linux.efi +kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog timeout: 60 seconds ustate: 3 (FAILED) + +user variables: + + ``` From patchwork Wed Apr 13 07:16:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12812184 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0272BC352AA for ; Wed, 13 Apr 2022 15:48:07 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.3440.1649834201790323295 for ; Wed, 13 Apr 2022 00:16:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=khttu8KY; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-294854-202204130716430c0da5d3fa0b062d83-ucxtq0@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 
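Review bot: the added line `+The watchdog timer should expire and restart the VM (it will take 2 minutes due to an issue in.` stops mid-sentence and the parenthesis is never closed; finish the reference to the issue or drop the parenthetical. That missing explanation matters, because the `bg_printenv` output in the same hunk shows `watchdog timeout: 60 seconds` while the reader is told to expect a 2-minute wait, and nothing else reconciles the two. Two smaller points: `+If update is failed then **revision number** should be reduced to **0** and status should have changed to **FAILED** for Partition #1.` reads better as "If the update failed, the **revision number** is reduced to **0** and the status changes to **FAILED** for Partition #1.", and the added `+ ----------------------------` and `+ Config Partition #0 Values:` lines appear to carry a leading space that the unchanged `Config Partition #1 Values:` line in the post-failure output does not, so the sample output blocks will no longer line up.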
202204130716430c0da5d3fa0b062d83 for ; Wed, 13 Apr 2022 09:16:44 +0200
From: Jan Kiszka
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff , Christian Storm
Subject: [isar-cip-core][PATCH 19/19] doc: README.secureboot polishing
Date: Wed, 13 Apr 2022 09:16:36 +0200
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8066

From: Jan Kiszka

There has never been a uefikernel parameter for efibootguard-boot, so drop this. Furthermore, spell out "EFI Boot Guard" and adjust some section levels and titles.

Signed-off-by: Jan Kiszka
---
 doc/README.secureboot.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 3c2d524..b2d7be9 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -1,11 +1,11 @@ -# Efibootguard Secure boot +# EFI Boot Guard secure boot This document describes how to generate a secure boot capable image with [efibootguard](https://github.com/siemens/efibootguard). ## Description -The image build signs the efibootguard bootloader (bootx64.efi) and generates +The image build signs the EFI Boot Guard bootloader (bootx64.efi) and generates a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/). A unified kernel image packs the kernel, initramfs and the kernel command-line in one binary object. As the kernel command-line is immutable after the build @@ -19,12 +19,12 @@ If a match is found the rootfs is used for the boot. ## Adaptation for Images -### WIC +### WIC The following elements must be present in a wks file to create a secure boot capable image. ``` part --source efibootguard-efi --sourceparams "signwith=
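Review bot: in the `@@ -1,11 +1,11 @@` hunk the title and description now spell out "EFI Boot Guard", which leaves the link text in the unchanged first sentence, `[efibootguard](https://github.com/siemens/efibootguard)`, as the one lowercase spelling in the section; either keep it deliberately as the repository name or change it to `[EFI Boot Guard](https://github.com/siemens/efibootguard)` so the document uses one form. The new title `# EFI Boot Guard secure boot` is also sentence case while the other heading touched by this patch, `## Adaptation for Images`, is title case; pick one convention for both.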
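Review bot: in the `@@ -19,12 +19,12 @@` hunk the `-### WIC` / `+### WIC` pair reads identically as shown, so this is a whitespace-only change (most likely a trailing space removed from the heading); that is fine as cleanup, but the commit message only lists the uefikernel parameter, the spelling and the section levels, so a short mention there would save the next reader from wondering what changed on that line.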