From patchwork Fri Aug 12 09:51:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12942070
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 1/3] initramfs-*-hook: Add DEBIAN_CONFLICTS Date: Fri, 12 Aug 2022 11:51:10 +0200 Message-Id: <20220812095112.632930-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20220812095112.632930-1-Quirin.Gylstorff@siemens.com> References: <20220812095112.632930-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Aug 2022 09:51:25 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9168 From: Quirin Gylstorff If both initramfs-abrootfs-hook and initramfs-verity-hook are installed the system will enter a reboot loop. Signed-off-by: Quirin Gylstorff --- .../initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb | 1 + .../initramfs-verity-hook/initramfs-verity-hook_0.1.bb | 1 + 2 files changed, 2 insertions(+) diff --git a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb index 1693e85..8b1536f 100644 --- a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb +++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb @@ -13,6 +13,7 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools" +DEBIAN_CONFLICTS = "initramfs-verity-hook" SRC_URI += "file://abrootfs.hook \ file://abrootfs.script" diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb index 60ee8da..5998908 100644 --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb 
@@ -23,6 +23,7 @@ TEMPLATE_FILES = "verity.script.tmpl" TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION" DEBIAN_DEPENDS = "initramfs-tools, cryptsetup" +DEBIAN_CONFLICTS = "initramfs-abrootfs-hook" VERITY_IMAGE_RECIPE ?= "cip-core-image"
From patchwork Fri Aug 12 09:51:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12942072
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 2/3] kas/opt/swupdate: Move the package installation to swupdate.inc Date: Fri, 12 Aug 2022 11:51:11 +0200 Message-Id: <20220812095112.632930-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20220812095112.632930-1-Quirin.Gylstorff@siemens.com> References: <20220812095112.632930-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Aug 2022 09:51:25 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9169 From: Quirin Gylstorff Signed-off-by: Quirin Gylstorff --- kas/opt/ebg-secure-boot-snakeoil.yml | 4 ---- kas/opt/swupdate.yml | 4 ---- recipes-core/images/swupdate.inc | 3 +++ 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index 2822cef..3202076 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -18,10 +18,6 @@ local_conf_header: image-options-swupdate: | CIP_IMAGE_OPTIONS_append = " swupdate.inc" - swupdate: | - IMAGE_INSTALL_append = " swupdate" - IMAGE_INSTALL_append = " swupdate-handler-roundrobin" - secure-boot-image: | IMAGE_CLASSES += "verity" IMAGE_FSTYPES = "wic" diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index c2bd15c..8ba03c9 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml @@ -15,10 +15,6 @@ header: version: 10 local_conf_header: - swupdate: | - IMAGE_INSTALL_append = " swupdate" - IMAGE_INSTALL_append = " swupdate-handler-roundrobin" - image-option-swupdate: | CIP_IMAGE_OPTIONS_append = " swupdate.inc" diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index e0252df..edc41a0 100644 
--- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc @@ -12,6 +12,9 @@ inherit swupdate inherit read-only-rootfs +IMAGE_INSTALL += " swupdate" +IMAGE_INSTALL += " swupdate-handler-roundrobin" + ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4.gz" FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
From patchwork Fri Aug 12 09:51:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12942071
From: Quirin Gylstorff To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][PATCH v5 3/3] kas: Remove efibootguard.yml Date: Fri, 12 Aug 2022 11:51:12 +0200 Message-Id: <20220812095112.632930-4-Quirin.Gylstorff@siemens.com> In-Reply-To: <20220812095112.632930-1-Quirin.Gylstorff@siemens.com> References: <20220812095112.632930-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Aug 2022 09:51:25 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9171 From: Quirin Gylstorff A build with only the option `kas/efibootguard.yml` will not succeed. Move the content to an include in the image directory and adapt the kas files. Signed-off-by: Quirin Gylstorff --- kas/opt/ebg-secure-boot-snakeoil.yml | 7 +++-- kas/opt/ebg-swu.yml | 18 ++++++++++--- kas/opt/efibootguard.yml | 39 ---------------------------- recipes-core/images/efibootguard.inc | 18 +++++++++++++ 4 files changed, 36 insertions(+), 46 deletions(-) delete mode 100644 kas/opt/efibootguard.yml create mode 100644 recipes-core/images/efibootguard.inc diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index 3202076..ff65e99 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml 
@@ -12,17 +12,16 @@ header: version: 10 includes: - - kas/opt/efibootguard.yml + - kas/opt/ebg-swu.yml local_conf_header: - image-options-swupdate: | - CIP_IMAGE_OPTIONS_append = " swupdate.inc" - secure-boot-image: | IMAGE_CLASSES += "verity" IMAGE_FSTYPES = "wic" WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" INITRAMFS_INSTALL_append = " initramfs-verity-hook" + # abrootfs cannot be installed together with verity + INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook" secure-boot: | IMAGER_BUILD_DEPS += "ebg-secure-boot-signer" diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml index 5e4e771..e0bbe2e 100644 --- a/kas/opt/ebg-swu.yml +++ b/kas/opt/ebg-swu.yml @@ -12,12 +12,24 @@ header: version: 10 includes: - - kas/opt/efibootguard.yml - kas/opt/swupdate.yml local_conf_header: + ebg_swu_bootloader: | + WKS_FILE ?= "${MACHINE}-efibootguard.wks.in" + SWUPDATE_BOOTLOADER = "efibootguard" + ebg_swu_image_options: | + CIP_IMAGE_OPTIONS_append = " efibootguard.inc image-uuid.inc" initramfs: | INITRAMFS_INSTALL_append = " initramfs-abrootfs-hook" + firmware-binaries: | + # Add ovmf binaries for qemu + IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries" + # not needed for Debian 11 and later + OVERRIDES_append_qemu-amd64 = ":${BASE_DISTRO_CODENAME}" + DISTRO_APT_SOURCES_append_qemu-amd64_buster = " conf/distro/debian-buster-backports.list" + DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf" + # Add U-Boot for qemu + IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64" + IMAGER_BUILD_DEPS_append_qemu-arm += "u-boot-qemu-arm" - image-option-uuid: | - CIP_IMAGE_OPTIONS_append = " image-uuid.inc" diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml deleted file mode 100644 index cee9c78..0000000 --- a/kas/opt/efibootguard.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2020 -# -# Authors: -# Quirin Gylstorff -# -# SPDX-License-Identifier: MIT -# -# This kas file adds efibootguard as the bootloader to the image - -header: - version: 10 - -local_conf_header: - efibootguard: | - IMAGE_INSTALL_append = " efibootguard" - - efibootguard-swupdate: | - SWUPDATE_BOOTLOADER = "efibootguard" - - efibootguard-wic: | - WIC_IMAGER_INSTALL_append = " efibootguard" - WDOG_TIMEOUT ?= "60" - WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE DTB_FILES" - IMAGE_FSTYPES ?= "wic" - WKS_FILE ?= "${MACHINE}-efibootguard.wks.in" - - firmware-binaries: | - # Add ovmf binaries for qemu - IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries" - # not needed for Debian 11 and later - OVERRIDES_append_qemu-amd64 = ":${BASE_DISTRO_CODENAME}" - DISTRO_APT_SOURCES_append_qemu-amd64_buster = " conf/distro/debian-buster-backports.list" - DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf" - # Add U-Boot for qemu - IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64" - IMAGER_BUILD_DEPS_append_qemu-arm += "u-boot-qemu-arm" diff --git a/recipes-core/images/efibootguard.inc b/recipes-core/images/efibootguard.inc new file mode 100644 index 0000000..eace4fd --- /dev/null +++ b/recipes-core/images/efibootguard.inc @@ -0,0 +1,18 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +IMAGE_INSTALL_append = " efibootguard" + +WIC_IMAGER_INSTALL_append = " efibootguard" +WDOG_TIMEOUT ?= "60" +WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE DTB_FILES" +IMAGE_FSTYPES += "wic" +
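Review bot: The two `DEBIAN_CONFLICTS` lines added in patch 1/3 (initramfs-abrootfs-hook_0.1.bb and initramfs-verity-hook_0.1.bb) carry no in-file comment, so the reboot-loop reason is recorded only in the commit message. A one-line comment above each declaration would keep a later cleanup from dropping it. Declaring the conflict in both recipes is the right shape: it turns the bad combination into a package installation failure at image build time instead of a reboot loop on the device.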
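Review bot: `IMAGE_INSTALL += " swupdate"` in the recipes-core/images/swupdate.inc hunk of patch 2/3 is not equivalent to the `IMAGE_INSTALL_append` lines removed from the two kas files. `+=` is applied immediately at parse time, so a later plain `=` assignment to IMAGE_INSTALL discards it, while `_append` is applied after all assignments. Unless the immediate form is intended, keep `IMAGE_INSTALL_append = " swupdate"` here, matching what efibootguard.inc does in patch 3/3; if `+=` stays, the leading space inside the quotes is redundant because `+=` already inserts one. The commit message has no body, so the reason for the move is not recorded either.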
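Review bot: The `INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook"` line in the kas/opt/ebg-secure-boot-snakeoil.yml hunk of patch 3/3 exists only to undo the `INITRAMFS_INSTALL_append` that the newly included kas/opt/ebg-swu.yml contributes, so the secure-boot image's choice of initramfs hook now depends on the exact wording of another file. Consider having the verity configuration select its hook directly, for example by moving the abrootfs append out of the shared include or behind a variable with an overridable default. If the two strings ever diverge, the DEBIAN_CONFLICTS from patch 1/3 will stop the build, which is the right failure mode but should not be the primary mechanism.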
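Review bot: The `firmware-binaries` block added in the kas/opt/ebg-swu.yml hunk of patch 3/3 carries over `IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries"` and the two U-Boot lines, which combine `_append` with `+=`. Since the lines are being moved anyway, use one operator, e.g. `IMAGER_BUILD_DEPS_append_qemu-amd64 = " ovmf-binaries"` with the leading space. The new section keys use underscores (`ebg_swu_bootloader`, `ebg_swu_image_options`) while the neighbouring keys use hyphens; pick one style. The commit message says the content moves to an include in the image directory, but `SWUPDATE_BOOTLOADER`, `WKS_FILE` and the firmware settings land in this kas file, which is worth stating.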
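Review bot: Deleting kas/opt/efibootguard.yml in patch 3/3 breaks any remaining reference to that path, and the diffstat shows only ebg-secure-boot-snakeoil.yml and ebg-swu.yml being adjusted. Grep the README, CI configuration and the other kas files for `kas/opt/efibootguard.yml` and update them in the same patch. The commit message names the option as `kas/efibootguard.yml`, without `opt/`, which does not match the deleted path.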
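Review bot: `IMAGE_FSTYPES += "wic"` in the new recipes-core/images/efibootguard.inc (patch 3/3) changes the semantics of the deleted `IMAGE_FSTYPES ?= "wic"`. The old form only supplied a default; the new one always appends, so with `IMAGE_FSTYPES = "wic"` from kas/opt/ebg-secure-boot-snakeoil.yml the value becomes "wic wic", and a configuration that selected a different type now gets wic in addition to it. If forcing wic is intended, say so in the commit message; otherwise keep `?=`. Minor: the new file ends with an added empty line, and its header keeps the 2020 copyright year.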