From patchwork Mon Dec 2 14:51:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890852
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch, Quirin Gylstorff Subject: [isar-cip-core][PATCH 01/10] Update isar revision Date: Mon, 2 Dec 2024 15:51:04 +0100 Message-ID: <75593f244100cc726e7e337298f54f2e80b82a6d.1733151072.git.jan.kiszka@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17309 From: Jan Kiszka Brings initramfs helpers and mmdebstrap support. Signed-off-by: Jan Kiszka --- kas-cip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kas-cip.yml b/kas-cip.yml index 6c83a0d3..abdf92af 100644 --- a/kas-cip.yml +++ b/kas-cip.yml 
@@ -22,7 +22,7 @@ repos: isar: url: https://github.com/ilbers/isar.git - commit: b92e9076e27bf22b8296dd3440bf25ebf348e2c6 + commit: a6171856de84da3deca1355da7aa9c09588e7ea2 layers: meta: From patchwork Mon Dec 2 14:51:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890851
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch, Quirin Gylstorff Subject: [isar-cip-core][PATCH 02/10] initramfs-abrootfs-hook: Convert to hook.inc Date: Mon, 2 Dec 2024 15:51:05 +0100 Message-ID: <0c165d4ff9ef33eb580ebbcf6758958e42e2ad38.1733151072.git.jan.kiszka@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17311 From: Jan Kiszka Reduces boilerplate code. Signed-off-by: Jan Kiszka --- .../files/abrootfs.hook | 24 ------------------ .../initramfs-abrootfs-hook/files/hook | 5 ++++ .../{abrootfs.script => local-top-complete} | 0 ..._0.1.bb => initramfs-abrootfs-hook_0.2.bb} | 25 ++++++++----------- 4 files changed, 15 insertions(+), 39 deletions(-) delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook create mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/hook rename recipes-initramfs/initramfs-abrootfs-hook/files/{abrootfs.script => local-top-complete} (100%) rename recipes-initramfs/initramfs-abrootfs-hook/{initramfs-abrootfs-hook_0.1.bb => initramfs-abrootfs-hook_0.2.bb} (61%) diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook deleted file mode 100644 index bacbc2ee..00000000 --- a/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook +++ /dev/null 
@@ -1,24 +0,0 @@ -#!/bin/sh -# Copyright (C) Siemens AG, 2020-2022 -# -# SPDX-License-Identifier: MIT - -PREREQ="" - -prereqs() -{ - echo "$PREREQ" -} - -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/scripts/functions -. /usr/share/initramfs-tools/hook-functions - -copy_exec /usr/bin/lsblk -copy_file library /usr/share/abrootfs/image-uuid.env /usr/share/abrootfs/image-uuid.env diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/hook b/recipes-initramfs/initramfs-abrootfs-hook/files/hook new file mode 100644 index 00000000..6d4a6129 --- /dev/null +++ b/recipes-initramfs/initramfs-abrootfs-hook/files/hook @@ -0,0 +1,5 @@ +# Copyright (C) Siemens AG, 2020-2022 +# +# SPDX-License-Identifier: MIT + +copy_file library /usr/share/abrootfs/image-uuid.env /usr/share/abrootfs/image-uuid.env diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script b/recipes-initramfs/initramfs-abrootfs-hook/files/local-top-complete similarity index 100% rename from recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script rename to recipes-initramfs/initramfs-abrootfs-hook/files/local-top-complete diff --git a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.2.bb similarity index 61% rename from recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb rename to recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.2.bb index 17c60da4..592f305f 100644 --- a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb +++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.2.bb @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2020-2022 +# Copyright (c) Siemens AG, 2020-2024 # # Authors: # Quirin Gylstorff 
@@ -9,17 +9,19 @@ # # SPDX-License-Identifier: MIT +require recipes-initramfs/initramfs-hook/hook.inc -inherit dpkg-raw - -DEBIAN_DEPENDS = "initramfs-tools" +DEBIAN_DEPENDS .= ", util-linux" DEBIAN_CONFLICTS = "initramfs-verity-hook" -SRC_URI += "file://abrootfs.hook \ - file://abrootfs.script" +SRC_URI += " \ + file://hook \ + file://local-top-complete" ABROOTFS_IMAGE_RECIPE ?= "cip-core-image" +HOOK_COPY_EXECS = "lsblk" + # This is defined in image.bbclass which cannot be used in a package recipe. # However, we need to use IMAGE_FULLNAME to pick up any extensions of it. IMAGE_FULLNAME ??= "${ABROOTFS_IMAGE_RECIPE}-${DISTRO}-${MACHINE}" 
@@ -27,19 +29,12 @@ IMAGE_FULLNAME ??= "${ABROOTFS_IMAGE_RECIPE}-${DISTRO}-${MACHINE}" IMAGE_UUID_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.uuid.env" do_install[depends] += "${ABROOTFS_IMAGE_RECIPE}:do_generate_image_uuid" -do_install[cleandirs] += " \ - ${D}/usr/share/initramfs-tools/hooks \ - ${D}/usr/share/abrootfs \ - ${D}/usr/share/initramfs-tools/scripts/local-top" +do_install[cleandirs] += "${D}/usr/share/abrootfs" -do_install() { +do_install:append() { if [ -f "${IMAGE_UUID_ENV_FILE}" ]; then install -m 0600 "${IMAGE_UUID_ENV_FILE}" "${D}/usr/share/abrootfs/image-uuid.env" else bberror "Did not find ${IMAGE_UUID_ENV_FILE}. initramfs will not be build correctly!" fi - install -m 0755 "${WORKDIR}/abrootfs.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-top/abrootfs" - install -m 0755 "${WORKDIR}/abrootfs.hook" \ - "${D}/usr/share/initramfs-tools/hooks/abrootfs" } From patchwork Mon Dec 2 14:51:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890853
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch, Quirin Gylstorff Subject: [isar-cip-core][PATCH 03/10] initramfs-crypt-hook: Convert awk statement into simple variable evaluation Date: Mon, 2 Dec 2024 15:51:06 +0100 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17313 From: Jan Kiszka Use suffix removal to convert "/dev/some-device" into "some-device". It's simpler and avoids sub-processes. Signed-off-by: Jan Kiszka --- .../initramfs-crypt-hook/files/encrypt_partition.script | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index 2cd6798d..28548502 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script 
@@ -62,7 +62,7 @@ service_watchdog() { } reencrypt_existing_partition() { - part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$1" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" + part_size_blocks="$(cat /sys/class/block/"${1##*/}"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header partition_fstype=$(get_fstype "${1}") reduce_device_size=32768 From patchwork Mon Dec 2 14:51:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890858
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch, Quirin Gylstorff Subject: [isar-cip-core][PATCH 04/10] initramfs-crypt-hook: Convert to hook.inc Date: Mon, 2 Dec 2024 15:51:07 +0100 Message-ID: <6675ca7a075d6cf7eae4adcd12958c749b464f87.1733151072.git.jan.kiszka@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17315 From: Jan Kiszka Here, we specifically benefit from the new generator by pulling a lot of the variations into the bitbake domain. Most of the hook bits are now generated, code duplications are avoided. 
Signed-off-by: Jan Kiszka --- ...pt_partition.clevis.bullseye_or_later.hook | 34 ------- .../encrypt_partition.clevis.buster.hook | 29 ------ .../files/encrypt_partition.clevis.hook | 88 ----------------- .../files/encrypt_partition.systemd.hook | 68 ------------- .../initramfs-crypt-hook/files/hook | 11 +++ ...artitions.script => local-bottom-complete} | 0 ...pt_partition.script => local-top-complete} | 0 .../initramfs-crypt-hook_0.4.bb | 96 ------------------ .../initramfs-crypt-hook_0.5.bb | 97 +++++++++++++++++++ 9 files changed, 108 insertions(+), 315 deletions(-) delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook delete mode 100755 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/hook rename recipes-initramfs/initramfs-crypt-hook/files/{mount_crypt_partitions.script => local-bottom-complete} (100%) rename recipes-initramfs/initramfs-crypt-hook/files/{encrypt_partition.script => local-top-complete} (100%) delete mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook deleted file mode 100755 index b244d45f..00000000 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.bullseye_or_later.hook +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/bin/sh -# Copyright (C) Siemens AG, 2020-2023 -# -# SPDX-License-Identifier: MIT - -PREREQ="" - -prereqs() -{ - echo "$PREREQ" -} - -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions - -if [ -f /etc/os-release ]; then - . /etc/os-release -fi -hook_error() { - echo "(ERROR): $1" >&2 - exit 1 -} - -copy_exec /usr/bin/clevis-luks-list || hook_error "/usr/bin/clevis-luks-list not found" -copy_exec /usr/bin/clevis-luks-common-functions || hook_error "/usr/bin/clevis-luks-common-functions not found" -copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" -copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" -copy_exec /usr/bin/tpm2_flushcontext || hook_error "Unable to copy /usr/bin/tpm2_flushcontext" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook deleted file mode 100755 index 617d40f9..00000000 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.buster.hook +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh -# Copyright (C) Siemens AG, 2020-2023 -# -# SPDX-License-Identifier: MIT - -PREREQ="" - -prereqs() -{ - echo "$PREREQ" -} - -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions - -if [ -f /etc/os-release ]; then - . /etc/os-release -fi -hook_error() { - echo "(ERROR): $1" >&2 - exit 1 -} -copy_exec /usr/bin/tpm2_pcrlist || hook_error "Unable to copy /usr/bin/tpm2_pcrlist" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook deleted file mode 100755 index 4e62ef78..00000000 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.hook +++ /dev/null 
@@ -1,88 +0,0 @@ -#!/bin/sh -# Copyright (C) Siemens AG, 2020-2023 -# -# SPDX-License-Identifier: MIT - -PREREQ="" - -prereqs() -{ - echo "$PREREQ" -} - -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions - -if [ -f /etc/os-release ]; then - . /etc/os-release -fi -hook_error() { - echo "(ERROR): $1" >&2 - exit 1 -} - -manual_add_modules tpm -manual_add_modules tpm_tis_core -manual_add_modules tpm_tis -manual_add_modules tpm_crb -manual_add_modules dm_mod -manual_add_modules dm_crypt - -# add required crypto modules in case -# the kernel does not have them as default -manual_add_modules ecb -manual_add_modules aes_generic -manual_add_modules xts - -copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" -copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" -copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" -copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" -copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" -copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" -copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" -copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" -copy_exec /usr/bin/clevis || hook_error "/usr/bin/clevis not found" -copy_exec /usr/bin/clevis-decrypt || hook_error "/usr/bin/clevis-decrypt not found" -copy_exec /usr/bin/clevis-encrypt-tpm2 || hook_error "/usr/bin/clevis-encrypt-tpm2 not found" -copy_exec /usr/bin/clevis-decrypt-tpm2 || hook_error "/usr/bin/clevis-decrypt-tpm2 not found" -copy_exec /usr/bin/clevis-luks-bind || hook_error "/usr/bin/clevis-luks-bind not found" -copy_exec /usr/bin/clevis-luks-unlock || hook_error "/usr/bin/clevis-luks-unlock not found" -copy_exec /usr/bin/tpm2_createprimary || hook_error "Unable to copy /usr/bin/tpm2_createprimary" -copy_exec /usr/bin/tpm2_unseal || hook_error "Unable to copy /usr/bin/tpm2_unseal" -copy_exec 
/usr/bin/tpm2_create || hook_error "Unable to copy /usr/bin/tpm2_create" -copy_exec /usr/bin/tpm2_load || hook_error "Unable to copy /usr/bin/tpm2_load" -copy_exec /usr/bin/tpm2_createpolicy || hook_error "Unable to copy /usr/bin/tpm2_createpolicy" -copy_exec /usr/bin/bash || hook_error "Unable to copy /usr/bin/bash" -copy_exec /usr/bin/luksmeta || hook_error "Unable to copy /usr/bin/luksmeta" -copy_exec /usr/bin/jose || hook_error "Unable to copy /usr/bin/jose" -copy_exec /usr/bin/sed || hook_error "Unable to copy /usr/bin/sed" -copy_exec /usr/bin/tail || hook_error "Unable to copy /usr/bin/tail" -copy_exec /usr/bin/sort || hook_error "Unable to copy /usr/bin/sort" -copy_exec /usr/bin/rm || hook_error "Unable to copy /usr/bin/rm" -copy_exec /usr/bin/mktemp || hook_error "Unable to copy /usr/bin/mktemp" -copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" -copy_exec /usr/bin/seq || hook_error "Unable to copy /usr/bin/seq" -copy_exec /usr/bin/pwmake || hook_error "Unable to copy /usr/bin/pwmake" -copy_exec /usr/bin/file || hook_error "Unable to copy /usr/bin/file " -copy_exec /usr/lib/*/libgcc_s.so.1 || hook_error "Unable to copy /usr/lib/*/libgcc_s.so.1 " -copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse" -copy_exec /usr/bin/mountpoint || hook_error "Unable to copy /usr/bin/mountpoint" - -if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - copy_exec /usr/sbin/cryptsetup-reencrypt -fi - -for _LIBRARY in /usr/lib/*/libtss2*; do - copy_exec "$_LIBRARY" -done - -copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env -copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2 -copy_file pwmake-config /usr/share/encrypt_partition/pwquality.conf /etc/security/pwquality.conf 
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook deleted file mode 100755 index be8c1173..00000000 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/sh -# Copyright (C) Siemens AG, 2020-2024 -# -# SPDX-License-Identifier: MIT - -PREREQ="" - -prereqs() -{ - echo "$PREREQ" -} - -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions - -hook_error() { - echo "(ERROR): $1" >&2 - exit 1 -} - -manual_add_modules tpm -manual_add_modules tpm_tis_core -manual_add_modules tpm_tis -manual_add_modules tpm_crb -manual_add_modules dm_mod -manual_add_modules dm_crypt - -# add required crypto modules in case -# the kernel does not have them as default -manual_add_modules ecb -manual_add_modules aes_generic -manual_add_modules xts - -copy_exec /usr/bin/openssl || hook_error "/usr/bin/openssl not found" -copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" -copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" -copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" -copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" -copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found" -copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" -copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" -copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" -copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" -copy_exec /usr/bin/systemd-cryptenroll || hook_error "/usr/bin/systemd-cryptenroll not found" -copy_exec /usr/lib/systemd/systemd-cryptsetup || hook_error "/usr/lib/systemd/systemd-cryptsetup not found" -copy_exec /usr/bin/tpm2_pcrread || hook_error "Unable to copy /usr/bin/tpm2_pcrread" -copy_exec /usr/bin/tpm2_testparms || hook_error "Unable to copy /usr/bin/tpm2_testparms" -copy_exec /usr/bin/basename || hook_error "Unable to copy /usr/bin/basename" -copy_exec /usr/bin/uuidparse || hook_error "Unable to copy /usr/bin/uuidparse" -copy_exec /usr/bin/mountpoint || hook_error "Unable to copy /usr/bin/mountpoint" - -copy_exec 
/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so || hook_error "/usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so not found" -if [ -x /usr/sbin/cryptsetup-reencrypt ]; then - copy_exec /usr/sbin/cryptsetup-reencrypt -fi - -for _LIBRARY in /usr/lib/*/libtss2* /usr/lib/*/libgcc_s.so.1; do - copy_exec "$_LIBRARY" -done - -copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2 -copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env diff --git a/recipes-initramfs/initramfs-crypt-hook/files/hook b/recipes-initramfs/initramfs-crypt-hook/files/hook new file mode 100644 index 00000000..1e64f624 --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/files/hook @@ -0,0 +1,11 @@ +# Copyright (C) Siemens AG, 2020-2024 +# +# SPDX-License-Identifier: MIT + +for _LIBRARY in /usr/lib/*/libtss2*; do + copy_exec "$_LIBRARY" +done + +copy_file library /usr/share/encrypt_partition/encrypt_partition.env /usr/share/encrypt_partition/encrypt_partition.env +copy_file library /usr/share/encrypt_partition/encrypt_partition_tpm2 /usr/share/encrypt_partition/encrypt_partition_tpm2 +copy_file pwmake-config /usr/share/encrypt_partition/pwquality.conf /etc/security/pwquality.conf diff --git a/recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script b/recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete similarity index 100% rename from recipes-initramfs/initramfs-crypt-hook/files/mount_crypt_partitions.script rename to recipes-initramfs/initramfs-crypt-hook/files/local-bottom-complete diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete similarity index 100% rename from recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script rename to recipes-initramfs/initramfs-crypt-hook/files/local-top-complete 
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb deleted file mode 100644 index 03a2bf44..00000000 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb +++ /dev/null 
@@ -1,96 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2020-2024 -# -# Authors: -# Quirin Gylstorff -# -# SPDX-License-Identifier: MIT - -inherit dpkg-raw -DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ - awk, openssl, e2fsprogs, tpm2-tools, coreutils, uuid-runtime" - -CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" - -DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev, libtss2-esys0" -DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0" -DEBIAN_DEPENDS:append:bookworm = ", libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0" -DEBIAN_DEPENDS:append:trixie = ", systemd-cryptsetup, libtss2-esys-3.0.2-0t64, libtss2-rc0t64, libtss2-mu-4.0.1-0t64" -DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" - -def encryption_dependency(d): - crypt_backend = d.getVar('CRYPT_BACKEND') - if crypt_backend == 'clevis': - clevis_depends= d.getVar('CLEVIS_DEPEND') - return f"{clevis_depends}, clevis-tpm2" - elif crypt_backend == 'systemd': - return ", systemd (>= 251)" - else: - bb.error("unkown cryptbackend defined") - -def add_additional_clevis_hooks(d): - base_distro_code_name = d.getVar('BASE_DISTRO_CODENAME') or "" - crypt_backend = d.getVar('CRYPT_BACKEND') or "" - if crypt_backend != 'clevis': - return "" - if base_distro_code_name == "buster": - return f"encrypt_partition.{crypt_backend}.buster.hook" - else: - return f"encrypt_partition.{crypt_backend}.bullseye_or_later.hook" - -CRYPT_BACKEND:buster = "clevis" -CRYPT_BACKEND:bullseye = "clevis" -CRYPT_BACKEND = "systemd" - -SRC_URI += "file://encrypt_partition.env.tmpl \ - file://encrypt_partition.script \ - file://encrypt_partition.${CRYPT_BACKEND}.script \ - file://mount_crypt_partitions.script \ - file://encrypt_partition.${CRYPT_BACKEND}.hook \ - file://pwquality.conf" -ADDITIONAL_CLEVIS_HOOK = "${@add_additional_clevis_hooks(d)}" -SRC_URI += "${@ 'file://' + d.getVar('ADDITIONAL_CLEVIS_HOOK') if 
d.getVar('ADDITIONAL_CLEVIS_HOOK')else ''}" -# CRYPT_PARTITIONS elements are :: -CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" -# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem -# in a newly formatted LUKS Partition -CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" -# Timeout for creating / re-encrypting partitions on first boot -CRYPT_SETUP_TIMEOUT ??= "600" -# Watchdog to service during the initial setup of the crypto partitions -INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" -# clevis needs tpm hash algorithm type -CRYPT_HASH_TYPE ??= "sha256" -CRYPT_KEY_ALGORITHM ??= "ecc" -CRYPT_ENCRYPTION_OPTIONAL ??= "false" - -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ - CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ - CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" -TEMPLATE_FILES = "encrypt_partition.env.tmpl" - -do_install[cleandirs] += " \ - ${D}/usr/share/initramfs-tools/hooks \ - ${D}/usr/share/encrypt_partition \ - ${D}/usr/share/initramfs-tools/scripts/local-top \ - ${D}/usr/share/initramfs-tools/scripts/local-bottom" - -do_install() { - install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" - install -m 0755 "${WORKDIR}/encrypt_partition.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-top/encrypt_partition" - install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ - "${D}/usr/share/encrypt_partition/encrypt_partition_tpm2" - install -m 0755 "${WORKDIR}/mount_crypt_partitions.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-bottom/mount_decrypted_partition" - install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.hook" \ - "${D}/usr/share/initramfs-tools/hooks/encrypt_partition" - if [ -f "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" ]; then - install -m 0755 "${WORKDIR}"/"${ADDITIONAL_CLEVIS_HOOK}" \ - 
"${D}/usr/share/initramfs-tools/hooks/encrypt_partition.${BASE_DISTRO_CODENAME}" - fi - - install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf" -} diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb new file mode 100644 index 00000000..6ff315ed --- /dev/null +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb 
@@ -0,0 +1,97 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020-2024 +# +# Authors: +# Quirin Gylstorff +# Jan Kiszka +# +# SPDX-License-Identifier: MIT + +require recipes-initramfs/initramfs-hook/hook.inc + +DEBIAN_DEPENDS .= ", \ + cryptsetup, \ + awk, \ + openssl, \ + e2fsprogs, \ + tpm2-tools, \ + coreutils, \ + uuid-runtime" + +CRYPT_BACKEND:buster = "clevis" +CRYPT_BACKEND:bullseye = "clevis" +CRYPT_BACKEND ?= "systemd" + +OVERRIDES .= ":${CRYPT_BACKEND}" + +DEBIAN_DEPENDS:append:buster = ", libgcc-7-dev, libtss2-esys0" +DEBIAN_DEPENDS:append:bullseye = ", libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0" +DEBIAN_DEPENDS:append:bookworm = ", libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0" +DEBIAN_DEPENDS:append:trixie = ", libtss2-esys-3.0.2-0t64, libtss2-rc0t64, libtss2-mu-4.0.1-0t64" + +DEBIAN_DEPENDS:append:clevis = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools, clevis-tpm2" +DEBIAN_DEPENDS:append:systemd:trixie = ", systemd-cryptsetup" +DEBIAN_DEPENDS:append:systemd = ", systemd (>= 251)" + +HOOK_ADD_MODULES = " \ + tpm tpm_tis_core tpm_tis tpm_crb dm_mod dm_crypt \ + ecb aes_generic xts" + +HOOK_COPY_EXECS = " \ + openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ + e2fsck resize2fs cryptsetup \ + tpm2_pcrread tpm2_testparms tpm2_flushcontext \ + /usr/lib/*/libgcc_s.so.1" + +HOOK_COPY_EXECS:append:clevis = " \ + clevis clevis-decrypt clevis-encrypt-tpm2 clevis-decrypt-tpm2 \ + clevis-luks-bind clevis-luks-unlock \ + clevis-luks-list clevis-luks-common-functions \ + tpm2_createprimary tpm2_unseal tpm2_create tpm2_load tpm2_createpolicy \ + bash luksmeta jose sed tail sort rm mktemp pwmake file" +HOOK_COPY_EXECS:append:systemd = " \ + systemd-cryptenroll tpm2_pcrread tpm2_testparms \ + /usr/lib/systemd/systemd-cryptsetup \ + /usr/lib/*/cryptsetup/libcryptsetup-token-systemd-tpm2.so" + +HOOK_COPY_EXECS:append:buster = " cryptsetup-reencrypt tpm2_pcrlist" +HOOK_COPY_EXECS:remove:buster = " \ + 
tpm2_pcrread tpm2_testparms tpm2_flushcontext \ + clevis-luks-list clevis-luks-common-functions" +HOOK_COPY_EXECS:append:bullseye = " cryptsetup-reencrypt" + +SRC_URI += "file://encrypt_partition.env.tmpl \ + file://local-top-complete \ + file://encrypt_partition.${CRYPT_BACKEND}.script \ + file://local-bottom-complete \ + file://hook \ + file://pwquality.conf" + +# CRYPT_PARTITIONS elements are :: +CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" +# CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem +# in a newly formatted LUKS Partition +CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" +# Timeout for creating / re-encrypting partitions on first boot +CRYPT_SETUP_TIMEOUT ??= "600" +# Watchdog to service during the initial setup of the crypto partitions +INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" +# clevis needs tpm hash algorithm type +CRYPT_HASH_TYPE ??= "sha256" +CRYPT_KEY_ALGORITHM ??= "ecc" +CRYPT_ENCRYPTION_OPTIONAL ??= "false" + +TEMPLATE_VARS += "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ + CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE \ + CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" +TEMPLATE_FILES += "encrypt_partition.env.tmpl" + +do_install[cleandirs] += "${D}/usr/share/encrypt_partition" +do_install:prepend() { + install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env" + install -m 0644 "${WORKDIR}/pwquality.conf" "${D}/usr/share/encrypt_partition/pwquality.conf" + install -m 0755 "${WORKDIR}/encrypt_partition.${CRYPT_BACKEND}.script" \ + "${D}/usr/share/encrypt_partition/encrypt_partition_tpm2" +} From patchwork Mon Dec 2 14:51:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890856 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch , Quirin Gylstorff Subject: [isar-cip-core][PATCH 05/10] initramfs-erofs/squashfs-hook: Convert to hook.inc Date: Mon, 2 Dec 2024 15:51:08 +0100 Message-ID: <5ab2ad8433666362cfe30c5c21d70ae2f36117bb.1733151072.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 02 Dec 2024 14:51:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17316 From: Jan Kiszka Simplifies the recipes to their minimum. The Debian dependency on erofs-utils was actually not needed, drop it at this chance. Signed-off-by: Jan Kiszka --- .../initramfs-erofs-hook/files/erofs.hook | 25 ------------------- .../initramfs-erofs-hook_0.1.bb | 24 ------------------ .../initramfs-erofs-hook_0.2.bb | 14 +++++++++++ .../initramfs-squashfs-hook_0.1.bb | 24 ------------------ .../initramfs-squashfs-hook_0.2.bb | 14 +++++++++++ 5 files changed, 28 insertions(+), 73 deletions(-) delete mode 100644 recipes-initramfs/initramfs-erofs-hook/files/erofs.hook delete mode 100644 recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.1.bb create mode 100644 recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb delete mode 100644 recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.1.bb create mode 100644 recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb diff --git a/recipes-initramfs/initramfs-erofs-hook/files/erofs.hook b/recipes-initramfs/initramfs-erofs-hook/files/erofs.hook deleted file mode 100644 index cf43bf10..00000000 --- a/recipes-initramfs/initramfs-erofs-hook/files/erofs.hook +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/sh -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2024 -# -# Authors: -# Jan Kiszka -# - -PREREQ="" -prereqs() -{ - echo "$PREREQ" -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions - -manual_add_modules erofs diff --git a/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.1.bb b/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.1.bb deleted file mode 100644 index ab679c91..00000000 --- a/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.1.bb +++ /dev/null @@ -1,24 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2024 -# -# Authors: -# Jan Kiszka -# -# SPDX-License-Identifier: MIT -# - -inherit dpkg-raw - -SRC_URI += "file://erofs.hook" - -DEBIAN_DEPENDS = "erofs-utils" - -do_install[cleandirs] += " \ - ${D}/usr/share/initramfs-tools/hooks" - -do_install() { - install -m 0755 "${WORKDIR}/erofs.hook" \ - "${D}/usr/share/initramfs-tools/hooks/erofs" -} diff --git a/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb b/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb new file mode 100644 index 00000000..a7dbb673 --- /dev/null +++ b/recipes-initramfs/initramfs-erofs-hook/initramfs-erofs-hook_0.2.bb @@ -0,0 +1,14 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +require recipes-initramfs/initramfs-hook/hook.inc + +HOOK_ADD_MODULES = "erofs" diff --git a/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.1.bb b/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.1.bb deleted file mode 100644 index 332278f5..00000000 --- a/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.1.bb +++ /dev/null 
@@ -1,24 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2022 -# -# Authors: -# Felix Moessbauer -# -# SPDX-License-Identifier: MIT -# - -inherit dpkg-raw - -SRC_URI += "file://squashfs.hook" - -DEBIAN_DEPENDS = "initramfs-tools" - -do_install[cleandirs] += " \ - ${D}/usr/share/initramfs-tools/hooks" - -do_install() { - install -m 0755 "${WORKDIR}/squashfs.hook" \ - "${D}/usr/share/initramfs-tools/hooks/squashfs" -} diff --git a/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb b/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb new file mode 100644 index 00000000..4b199834 --- /dev/null +++ b/recipes-initramfs/initramfs-squashfs-hook/initramfs-squashfs-hook_0.2.bb 
@@ -0,0 +1,14 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +require recipes-initramfs/initramfs-hook/hook.inc + +HOOK_ADD_MODULES = "squashfs" From patchwork Mon Dec 2 14:51:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890857 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C0AF8D78333 for ; Mon, 2 Dec 2024 14:51:39 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.175575.1733151095512780478 for ; Mon, 02 Dec 2024 06:51:36 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm2 header.b=AOvQGjHM; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-294854-202412021451354ebac7d0531a8e9d7c-dqvlfn@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202412021451354ebac7d0531a8e9d7c for ; Mon, 02 Dec 2024 15:51:35 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=+18aKPFg1lFSneqgtVxdUusrgNWRnP5o4ooeMBKw06w=; b=AOvQGjHMywQwQVHpZde5KRD1WxGMQjDxbKGViFLES5Iw/rxCwCFl86dxzxeVwCdGlsxWQK z3+/S4W/eVsQVlqFpUh2btWfxfjI/xHOrt33dexdC6stWPnyKApI4+oMPvI59s/Ni+eKVT7V +7bUtV5OKhMJRl0vba/KW0uLKAjXpqqRRFooRGKs1UN40QzTeHZlt+Lmtpa6Aitf/IZnfzIB d72hxKJP3su3K8uq4PEKRThAgYLKL4xLL39JDEhc7E+2gHwIKWHlHJHBLjOO0wzJzKcwBB/r O8FvQs5XeQW2ShokfCh1KeyJyAEIIAbKliJJ09IS4QzJT4jxluDUN8Yw==; 
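Review bot: the deletion of initramfs-squashfs-hook_0.1.bb in PATCH 05/10 removes the only visible reference to squashfs.hook (SRC_URI += "file://squashfs.hook"), but the diffstat lists no deletion of that file, unlike files/erofs.hook on the erofs side. If squashfs.hook is still in the tree it is now dead and should be deleted in the same patch, so that nobody later edits a hook script that is no longer installed.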
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch , Quirin Gylstorff Subject: [isar-cip-core][PATCH 06/10] initramfs-overlay-hook: Convert to hook.inc Date: Mon, 2 Dec 2024 15:51:09 +0100 Message-ID: <35a226b87671c1a4814ec8b3c2f04f8bb2049b8c.1733151072.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 02 Dec 2024 14:51:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17312 From: Jan Kiszka Simplifies the code. Signed-off-by: Jan Kiszka --- ...{overlay.script.tmpl => local-bottom.tmpl} | 23 ++----------- .../initramfs-overlay-hook/files/overlay.hook | 34 ------------------- ...k_0.1.bb => initramfs-overlay-hook_0.2.bb} | 20 ++++------- 3 files changed, 10 insertions(+), 67 deletions(-) rename recipes-initramfs/initramfs-overlay-hook/files/{overlay.script.tmpl => local-bottom.tmpl} (91%) delete mode 100644 recipes-initramfs/initramfs-overlay-hook/files/overlay.hook rename recipes-initramfs/initramfs-overlay-hook/{initramfs-overlay-hook_0.1.bb => initramfs-overlay-hook_0.2.bb} (71%) diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/local-bottom.tmpl similarity index 91% rename from recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl rename to recipes-initramfs/initramfs-overlay-hook/files/local-bottom.tmpl index 72d13963..f829a9bb 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/local-bottom.tmpl 
@@ -1,32 +1,13 @@ -#!/bin/sh # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2022-2023 +# Copyright (c) Siemens AG, 2022-2024 # # Authors: # Jan Kiszka # Quirin Gylstorff # -PREREQ="" - -prereqs() -{ - echo "$PREREQ" -} - -case $1 in -# get pre-requisites -prereqs) - prereqs - exit 0 - ;; -esac - -. /scripts/functions - - ovl_partition_device="${INITRAMFS_OVERLAY_STORAGE_DEVICE}" ovl_storage_path="${INITRAMFS_OVERLAY_STORAGE_PATH}" ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" @@ -76,3 +57,5 @@ for ovl_lower_dir in ${ovl_lower_dirs}; do panic "Can't mount overlay for '$ovl_lower_dir' !" fi done + +exit 0 diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook b/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook deleted file mode 100644 index 6f634c50..00000000 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.hook +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2022 -# -# Authors: -# Jan Kiszka -# - -PREREQ="" -prereqs() -{ - echo "$PREREQ" -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions - -hook_error() { - echo "(ERROR): $1" >&2 - exit 1 -} - -manual_add_modules overlay -copy_exec /usr/bin/mountpoint || hook_error "/usr/bin/mountpoint not found" -copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" -copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" -copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.2.bb similarity index 71% rename from recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb rename to recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.2.bb index 7097130d..e6ac1e91 100644 --- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb 
+++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.2.bb @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2022 - 2023 +# Copyright (c) Siemens AG, 2022 - 2024 # # Authors: # Jan Kiszka @@ -10,13 +10,12 @@ # SPDX-License-Identifier: MIT # -inherit dpkg-raw +require recipes-initramfs/initramfs-hook/hook.inc INITRAMFS_OVERLAY_RECOVERY_SCRIPT ??= "overlay_recovery_action.script" SRC_URI += " \ - file://overlay.hook \ - file://overlay.script.tmpl \ + file://local-bottom.tmpl \ file://${INITRAMFS_OVERLAY_RECOVERY_SCRIPT} \ " @@ -34,7 +33,7 @@ INITRAMFS_OVERLAY_STORAGE_PATH ??= "/var/local" INITRAMFS_OVERLAY_STORAGE_DEVICE ??= "/dev/disk/by-label/var" INITRAMFS_OVERLAY_MOUNT_OPTION ??= "defaults,nodev,nosuid,noexec" -TEMPLATE_FILES = "overlay.script.tmpl" +TEMPLATE_FILES += "local-bottom.tmpl" TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ INITRAMFS_OVERLAY_PATHS \ INITRAMFS_OVERLAY_STORAGE_DEVICE \ 
@@ -43,15 +42,10 @@ TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils, util-linux" -do_install[cleandirs] += " \ - ${D}/usr/share/initramfs-tools/hooks \ - ${D}/usr/share/initramfs-tools/scripts/local-bottom" +HOOK_ADD_MODULES = "overlay" +HOOK_ADD_EXECS = "mountpoint awk e2fsck mke2fs" -do_install() { - install -m 0755 "${WORKDIR}/overlay.hook" \ - "${D}/usr/share/initramfs-tools/hooks/overlay" - install -m 0755 "${WORKDIR}/overlay.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-bottom/overlay" +do_install:append() { install -m 0755 "${WORKDIR}/${INITRAMFS_OVERLAY_RECOVERY_SCRIPT}" \ "${D}/usr/share/initramfs-tools/scripts" } From patchwork Mon Dec 2 14:51:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890854 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A69D7D7832E for ; Mon, 2 Dec 2024 14:51:39 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.174652.1733151094403796516 for ; Mon, 02 Dec 2024 06:51:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm2 header.b=JDZD/Udc; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-294854-202412021451365c761ba1e9195c24ea-__8mqk@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 202412021451365c761ba1e9195c24ea for ; Mon, 02 Dec 2024 15:51:36 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=jan.kiszka@siemens.com; 
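Review bot: in the @@ -43,15 +42,10 @@ hunk of initramfs-overlay-hook_0.2.bb (PATCH 06/10) the binaries are listed in HOOK_ADD_EXECS, while the crypt and verity recipes in this series use HOOK_COPY_EXECS. If hook.inc only evaluates HOOK_COPY_EXECS, then mountpoint, awk, e2fsck and mke2fs are left out of the initramfs without any message, and the "not found" hook_error checks of the deleted overlay.hook no longer catch that at build time. Rename the variable to HOOK_COPY_EXECS, or confirm that hook.inc accepts both names.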
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=LraoXwwIuW3cEqjJ1FB6LxRBMGSBmp3xI1dspSBNw0M=; b=JDZD/UdcjeeihUVAffR+yrazOOEJNeeZPGQ4fC1ymyTJGXkMMLVzBfxocqXjcXb0eHOtF1 n67Tl3eg4TF3tEdcEcr75Lmscyaz0WgGv1lMhKibQ9FSoN9vfGQfhuT8fXnGolrBC49UIzlo o4Y1x+O0CQkA7zbB12kPfgdlHgJnGxmTwYR2E8u+C6cI6VQNKEFNbd4UT7qXZzjohWB98zQi qAPaw9DK+saIzK6FdAJ8U8RLWDj50SZQ6GYmVdXPzeIuFRaAHWWKrp7VXIfv+BeR/zLnBWY3 iydsSb3TGl9g0TfYNh3Km2Pq+Hq9EXPuDioDpxHeMb3GOXMZ+33q+hpg==; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch , Quirin Gylstorff Subject: [isar-cip-core][PATCH 07/10] initramfs-verity-hook: Drop dead verity.conf-hook artifact Date: Mon, 2 Dec 2024 15:51:10 +0100 Message-ID: <0b2d9912cdf106fb8655c9a8f3c30a9a3c2daf26.1733151072.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 02 Dec 2024 14:51:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17314 From: Jan Kiszka This was never used in fact. Signed-off-by: Jan Kiszka --- .../initramfs-verity-hook/files/verity.conf-hook | 1 - ...tramfs-verity-hook_0.1.bb => initramfs-verity-hook_0.2.bb} | 4 +--- 2 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook rename recipes-initramfs/initramfs-verity-hook/{initramfs-verity-hook_0.1.bb => initramfs-verity-hook_0.2.bb} (92%) diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook deleted file mode 100644 index 9b61fb85..00000000 --- a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook +++ /dev/null @@ -1 +0,0 @@ -BUSYBOX=y 
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb similarity index 92% rename from recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb rename to recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb index a86e47df..6db4efcc 100644 --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb @@ -12,7 +12,6 @@ inherit dpkg-raw SRC_URI += " \ - file://verity.conf-hook \ file://verity.hook \ file://verity.script.tmpl \ " 
@@ -37,8 +36,7 @@ do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity" do_install[cleandirs] += " \ ${D}/usr/share/initramfs-tools/hooks \ ${D}/usr/share/verity-env \ - ${D}/usr/share/initramfs-tools/scripts/local-top \ - ${D}/usr/share/initramfs-tools/conf-hooks.d" + ${D}/usr/share/initramfs-tools/scripts/local-top" do_install() { # Insert the veritysetup commandline into the script From patchwork Mon Dec 2 14:51:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890855 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C00EED78332 for ; Mon, 2 Dec 2024 14:51:39 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.175576.1733151096412742655 for ; Mon, 02 Dec 2024 06:51:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm2 header.b=TqtALidS; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-294854-20241202145137455e0d4afa66591a79-35zzs_@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20241202145137455e0d4afa66591a79 for ; Mon, 02 Dec 2024 15:51:37 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=Z2cCa9wsRbJvoopfPV/uQsEWl+MaSRN0zjUEbkPVZvE=; b=TqtALidSn8b0dC3v8Yhd3KcJ1opQjDnggPJTV2AOAmrFwHfcKTeWOhYEJPU4YMAqK0vhhl +K2Pf/M+0Kg066QDtqH8QI+B7NhM1qya2nWGJUA+AAnwbyrPg+CcrPSoZcInbq5XZr5qxkzy 
DGx5Aw+vAdTPVcA/gcDGELOF77M2MZ5MiuUQLLpk8yZ7JmrUpoWEcjb9aQhUFXgWKyY761f9 3E1dO18Gdjq/8s9RACosN7qvfl3Pbrj2R4LKKWocOxm2DBTiFVhBkQUFCTKBgZP5APtlUuRv uOiLmhtXBt2/k6LmazIlQDUprlvVAob9HcjTvGyWLoGEFE9xiOsyGopw==; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch , Quirin Gylstorff Subject: [isar-cip-core][PATCH 08/10] initramfs-verity-hook: Convert to hook.inc Date: Mon, 2 Dec 2024 15:51:11 +0100 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 02 Dec 2024 14:51:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17317 From: Jan Kiszka Simplifies the code. Signed-off-by: Jan Kiszka --- .../initramfs-verity-hook/files/hook | 5 ++++ ...ty.script.tmpl => local-top-complete.tmpl} | 0 .../initramfs-verity-hook/files/verity.hook | 23 ------------------- .../initramfs-verity-hook_0.2.bb | 22 ++++++++---------- 4 files changed, 14 insertions(+), 36 deletions(-) create mode 100644 recipes-initramfs/initramfs-verity-hook/files/hook rename recipes-initramfs/initramfs-verity-hook/files/{verity.script.tmpl => local-top-complete.tmpl} (100%) delete mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook diff --git a/recipes-initramfs/initramfs-verity-hook/files/hook b/recipes-initramfs/initramfs-verity-hook/files/hook new file mode 100644 index 00000000..1550dafe --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/hook @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: MIT +# Copyright (c) Siemens AG, 2021-2024 + +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env 
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/local-top-complete.tmpl similarity index 100% rename from recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl rename to recipes-initramfs/initramfs-verity-hook/files/local-top-complete.tmpl diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook deleted file mode 100644 index 5eada8a0..00000000 --- a/recipes-initramfs/initramfs-verity-hook/files/verity.hook +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh -PREREQ="" -prereqs() -{ - echo "$PREREQ" -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions -# Begin real processing below this line - -manual_add_modules dm_mod -manual_add_modules dm_verity - -copy_exec /sbin/veritysetup -copy_exec /sbin/dmsetup -copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions -copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb index 6db4efcc..d8f62bb4 100644 --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb 
@@ -9,21 +9,24 @@ # SPDX-License-Identifier: MIT # -inherit dpkg-raw +require recipes-initramfs/initramfs-hook/hook.inc SRC_URI += " \ - file://verity.hook \ - file://verity.script.tmpl \ + file://hook \ + file://local-top-complete.tmpl \ " VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption" -TEMPLATE_FILES = "verity.script.tmpl" +TEMPLATE_FILES += "local-top-complete.tmpl" TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION" DEBIAN_DEPENDS = "initramfs-tools, cryptsetup" DEBIAN_CONFLICTS = "initramfs-abrootfs-hook" +HOOK_ADD_MODULES = "dm_mod dm_verity" +HOOK_COPY_EXECS = "veritysetup dmsetup" + VERITY_IMAGE_RECIPE ?= "cip-core-image" # This is defined in image.bbclass which cannot be used in a package recipe. 
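Review bot: DEBIAN_DEPENDS = "initramfs-tools, cryptsetup" remains a hard assignment after the new require of hook.inc in this @@ -9,21 +9,24 @@ hunk, so whatever hook.inc puts into DEBIAN_DEPENDS is overwritten here. The crypt hook recipe in this series appends with .= instead. Consider DEBIAN_DEPENDS .= ", cryptsetup" so that a later addition to hook.inc is not silently dropped for the verity hook.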
@@ -33,22 +36,15 @@ IMAGE_FULLNAME ??= "${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}" VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env" do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity" -do_install[cleandirs] += " \ - ${D}/usr/share/initramfs-tools/hooks \ - ${D}/usr/share/verity-env \ - ${D}/usr/share/initramfs-tools/scripts/local-top" +do_install[cleandirs] += "${D}/usr/share/verity-env" -do_install() { +do_install:append() { # Insert the veritysetup commandline into the script if [ -f "${VERITY_ENV_FILE}" ]; then install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env" else bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!" fi - install -m 0755 "${WORKDIR}/verity.script" \ - "${D}/usr/share/initramfs-tools/scripts/local-top/verity" - install -m 0755 "${WORKDIR}/verity.hook" \ - "${D}/usr/share/initramfs-tools/hooks/verity" } addtask install after do_transform_template From patchwork Mon Dec 2 14:51:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890861 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8BD8D7832F for ; Mon, 2 Dec 2024 14:51:49 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web11.175576.1733151096412742655 for ; Mon, 02 Dec 2024 06:51:39 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm2 header.b=hZbC4xQb; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-294854-20241202145138e736ffd6baeadbb182-varmvf@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch , Quirin Gylstorff Subject: [isar-cip-core][PATCH 09/10] initramfs-crypt-hook: Add support for expanding encrypted partition Date: Mon, 2 Dec 2024 15:51:12 +0100 Message-ID: <284175c31c74b2f2e70287cca5d2b90c3e7199b2.1733151072.git.jan.kiszka@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17318
From: Jan Kiszka The crypt hook already performs resizing or appropriately sized formatting of partitions it handles during first boot. If we also add the partition expansion logic from isar's expand-on-first-boot, we get feature-complete expansion of encrypted partitions. The feature is controlled by appending ":expand" to the affected partition in CRYPT_PARTITIONS. In contrast to isar's expansion logic, we do not have enough information at that time when it is called in order to identify the target partition automatically. That is another reason to embed this feature into the crypt hook. There is not too much code to be taken from isar for this, so it is easiest to duplicate and adjust that as needed, rather than introducing some reusable upstream. This might be revisited in the future. Signed-off-by: Jan Kiszka --- kas/opt/expand-on-first-boot.yml | 3 + .../files/local-top-complete | 63 +++++++++++++++++++ .../initramfs-crypt-hook_0.5.bb | 6 +- 3 files changed, 71 insertions(+), 1 deletion(-) diff --git a/kas/opt/expand-on-first-boot.yml b/kas/opt/expand-on-first-boot.yml index 03d666b2..f5be6992 100644 --- a/kas/opt/expand-on-first-boot.yml +++ b/kas/opt/expand-on-first-boot.yml @@ -15,3 +15,6 @@ header: local_conf_header: package-expand-on-first-boot: | IMAGE_INSTALL:append = " expand-on-first-boot" + expand-before-encrypt: | + IMAGE_INSTALL:remove:encrypt-partitions = "expand-on-first-boot" + CRYPT_PARTITIONS:append:encrypt-partitions = ":expand" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 28548502..834dea22 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete 
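Review bot: CRYPT_PARTITIONS:append:encrypt-partitions = ":expand" in the kas/opt/expand-on-first-boot.yml hunk appends to the end of the whole space-separated list, so only the last entry receives the flag, and only if that entry already carries all three fields, because the script reads the flag from the fourth colon-separated field. With the recipe default this yields var:/var:reencrypt:expand, but a CRYPT_PARTITIONS value that ends in whitespace, or a last entry with fewer than three fields, puts "expand" in the wrong position and the expansion is skipped without a message. A comment next to the append stating both assumptions would help anyone who overrides CRYPT_PARTITIONS.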
@@ -95,6 +95,64 @@ EOF /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" fi } + +expand_partition() { + boot_device="$(echo "${part_device}" | sed 's/p\?[0-9]*$//')" + last_part="$(sfdisk -d "${boot_device}" 2>/dev/null | \ + tail -1 | cut -d ' ' -f 1)" + if [ "$last_part" != "$1" ]; then + log_warning_msg "To be expanded partition is not last - skipping expansion" + return + fi + + buffer_size=32768 + boot_device_name=${boot_device##*/} + disk_size="$(cat /sys/class/block/"${boot_device_name}"/size)" + all_parts_size=0 + for partition in /sys/class/block/"${boot_device_name}"/"${boot_device_name}"*; do + part_size=$(cat "${partition}"/size) + all_parts_size=$((all_parts_size + part_size)) + done + + minimal_size=$((all_parts_size + buffer_size)) + if [ "$disk_size" -lt "$minimal_size" ]; then + return + fi + + log_begin_msg "Expanding partition $last_part" + + is_gpt="$(sfdisk -d "${boot_device}" 2>/dev/null | grep -q "label: gpt" \ + && echo 1 || echo 0)" + if [ "$is_gpt" = "1" ]; then + dd if="${boot_device}" of=/tmp/__mbr__.bak count=1 >/dev/null 2>&1 + fi + + # Transform the partition table as follows: + # + # - Remove any 'last-lba' header so sfdisk uses the entire available + # space. + # - If this partition table is MBR and an extended partition container + # (EBR) exists, we assume this needs to be expanded as well; remove + # its size field so sfdisk expands it. + # - For the previously fetched last partition, also remove the size + # field so sfdisk expands it. 
+ sfdisk -d "${boot_device}" 2>/dev/null | \ + grep -v last-lba | \ + sed 's|^\(.*, \)size=[^,]*, \(type=[f5]\)$|\1\2|' | \ + sed 's|^\('"${last_part}"' .*, \)size=[^,]*, |\1|' | \ + sfdisk --force "${boot_device}" >/dev/null 2>&1 + + if [ "$is_gpt" = "1" ]; then + dd if=/tmp/__mbr__.bak of="${boot_device}" >/dev/null 2>&1 + rm /tmp/__mbr__.bak + fi + + # Inform the kernel about the partitioning change + partx -u "${last_part}" + + log_end_msg +} + for candidate in /dev/tpm*; do if [ -x /usr/bin/tpm2_pcrread ]; then if ! tpm2_pcrread -T device:"$candidate" "$pcr_bank_hash_type":7 --quiet ; then @@ -129,6 +187,7 @@ for partition_set in $partition_sets; do partition="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" + partition_expand="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[4]}')" case "$partition" in /*) part_device=$(readlink -f "$partition") @@ -153,6 +212,10 @@ for partition_set in $partition_sets; do echo "ROOT=$decrypted_part" >/conf/param.conf fi + if [ "$partition_expand" = "expand" ]; then + expand_partition $part_device + fi + if /usr/sbin/cryptsetup luksDump --batch-mode "$part_device" \ | grep -q "luks2"; then open_tpm2_partition "$part_device" "$crypt_mount_name" "$tpm_device" diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb index 6ff315ed..71ee44db 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb 
@@ -69,7 +69,7 @@ SRC_URI += "file://encrypt_partition.env.tmpl \ file://hook \ file://pwquality.conf" -# CRYPT_PARTITIONS elements are :: +# CRYPT_PARTITIONS elements are ::[:expand] CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem # in a newly formatted LUKS Partition 
@@ -88,6 +88,10 @@ TEMPLATE_VARS += "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ CRYPT_KEY_ALGORITHM CRYPT_ENCRYPTION_OPTIONAL" TEMPLATE_FILES += "encrypt_partition.env.tmpl" +OVERRIDES .= "${@':expand-on-crypt' if ':expand' in d.getVar('CRYPT_PARTITIONS') else ''}" +DEBIAN_DEPENDS:append:expand-on-crypt = ", fdisk, util-linux" +HOOK_COPY_EXECS:append:expand-on-crypt = " sed sfdisk tail cut dd partx rm" + do_install[cleandirs] += "${D}/usr/share/encrypt_partition" do_install:prepend() { install -m 0600 "${WORKDIR}/encrypt_partition.env" "${D}/usr/share/encrypt_partition/encrypt_partition.env"
From patchwork Mon Dec 2 14:51:13 2024 X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13890860 From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Alexander Heinisch , Quirin Gylstorff , Fabian Bläse Subject: [isar-cip-core][PATCH 10/10] initramfs-crypt-hook: invalidate PCR7 after unlocking partitions Date: Mon, 2 Dec 2024 15:51:13 +0100 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17319
From: Jan Kiszka This avoids that the running Linux can still access the partition keys and possibly leak them. In the future, we may better address that by measured boot. Suggested-by: Fabian Bläse Signed-off-by: Jan Kiszka --- .../initramfs-crypt-hook/files/local-top-complete | 3 +++ .../initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete index 834dea22..4bcb4277 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete +++ b/recipes-initramfs/initramfs-crypt-hook/files/local-top-complete 
@@ -258,6 +258,9 @@ for partition_set in $partition_sets; do finalize_tpm2_encryption "$part_device" done +# invalidate PCR7 to lock access to the disk keys +tpm2_pcrextend 7:sha1=1111111111111111111111111111111111111111,sha256=1111111111111111111111111111111111111111111111111111111111111111 + if [ -n "$watchdog_pid" ]; then kill "$watchdog_pid" fi diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb index 71ee44db..2145a6e5 100644 --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.5.bb @@ -42,7 +42,7 @@ HOOK_ADD_MODULES = " \ HOOK_COPY_EXECS = " \ openssl mke2fs grep awk expr seq sleep basename uuidparse mountpoint \ e2fsck resize2fs cryptsetup \ - tpm2_pcrread tpm2_testparms tpm2_flushcontext \ + tpm2_pcrread tpm2_pcrextend tpm2_testparms tpm2_flushcontext \ /usr/lib/*/libgcc_s.so.1" HOOK_COPY_EXECS:append:clevis = " \
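Review bot: In patch 09/10, the expand-before-encrypt block added to kas/opt/expand-on-first-boot.yml depends on `CRYPT_PARTITIONS:append:encrypt-partitions = ":expand"` being glued onto the last element of the list, and nothing documents that. The append carries no leading space, so with the recipe default "home:/home:reencrypt var:/var:reencrypt" only the var entry gets the flag, and expand_partition() then warns and skips unless that entry is also the last partition on the disk. A CRYPT_PARTITIONS value that ends in whitespace would turn ":expand" into a separate, empty-partition element. Please add a comment stating that the last CRYPT_PARTITIONS entry must be the last partition on the device and must not be followed by whitespace.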
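Review bot: In patch 09/10, expand_partition() in local-top-complete never checks the result of the pipeline ending in `sfdisk --force "${boot_device}" >/dev/null 2>&1`, so a failed partition table rewrite still reaches `partx -u "${last_part}"` and `log_end_msg` as if it had worked. This rewrites the table of the disk that holds the encrypted data, so capture the exit status, log the failure and skip the partx step in that case. The function also derives boot_device from the global part_device while comparing last_part against "$1"; using "$1" for both would keep it self-contained. The early return when disk_size is below minimal_size could log why nothing was expanded, as the not-last case already does.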
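Review bot: In patch 09/10, the call `expand_partition $part_device` added to the partition loop passes the device unquoted, while the neighbouring lines consistently use "$part_device"; please quote it. The call also sits ahead of the `cryptsetup luksDump` check, so it is reached on every boot for a flagged partition, whereas the commit message speaks of first boot. A comment saying that the free-space check inside expand_partition() is what makes later boots a no-op would make that intent explicit.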
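Review bot: In patch 09/10, the `HOOK_COPY_EXECS:append:expand-on-crypt` line in initramfs-crypt-hook_0.5.bb lists sed, sfdisk, tail, cut, dd, partx and rm, but expand_partition() also calls cat, which appears neither here nor in the base HOOK_COPY_EXECS lines shown as context in patch 10/10. Please confirm the initramfs already provides it, or add it to the list. The OVERRIDES expression matches the substring ':expand' anywhere in CRYPT_PARTITIONS, so any field that merely begins with "expand" would also switch the override on; testing the fourth field of each element would be stricter.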
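Review bot: In patch 10/10, the tpm2_pcrextend call added after the partition loop in local-top-complete ignores the command's exit status, so if the extend fails the boot carries on with PCR7 unchanged and the running Linux can still access the partition keys, which is the case the commit message sets out to prevent. Check the result and at least log the failure, or stop the boot if that is the intended policy. The call also passes no `-T device:` option, while the tpm2_pcrread probe earlier in the script uses `-T device:"$candidate"`, and it hard-codes the sha1 and sha256 banks although that probe works with "$pcr_bank_hash_type"; using the selected device and bank would keep the two consistent.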