From patchwork Fri Feb 14 12:23:28 2025
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 13977077
From: Felix Moessbauer
To: cip-dev@lists.cip-project.org
Cc: quirin.gylstorff@siemens.com, jan.kiszka@siemens.com, Felix Moessbauer
Subject: [isar-cip-core][RFC 1/2] wic(ebg): add support to add verity env to cmdline
Date: Fri, 14 Feb 2025 13:23:28 +0100
Message-ID: <20250214122329.2766449-1-felix.moessbauer@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17848

Passing the verity data via the initrd has proven problematic, as this requires rebuilding the initrd on each (bitwise) change of the verity container. For use cases with a not bit-by-bit reproducible rootfs this can lead to verity hash inconsistencies, as the bitbake state diverges from the file state in case some task artifacts are taken from the SState cache. Further, the build time is prolonged, as on every rootfs change the initramfs also needs to be rebuilt (also polluting the SState cache with non-reusable entries).

We now change this by adding the verity data to the kernel cmdline (similar to how systemd envisions this). The ebg-boot wic plugin already adds information about the imaged partitions to the kernel cmdline of the UKI (or config). We now add support to add the verity environment by setting the source parameter "verity_root=y". The environment is read from the image's *.verity.env file, converted into the systemd-veritysetup-generator syntax and added to the command line.

As we currently do not use the systemd integration, we use the parameter "cip.verity_root_options" instead. Later on this can be replaced by "systemd.verity_root_options".

Signed-off-by: Felix Moessbauer
---
 .../wic/plugins/source/efibootguard-boot.py | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py index 8b1097f..aa093e2 100644 --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py @@ -87,6 +87,10 @@ class EfibootguardBootPlugin(SourcePlugin): boot_files = source_params.get("files", "").split(' ') unified_kernel = source_params.get("unified-kernel") or 'y' cmdline = bootloader.append or '' + # the verity cmdline format is identical to systemd.verity_root_options + if source_params.get("verity_root") == 'y': + cmdline += " cip.verity_root_options=panic-on-corruption,%s" \ + % cls._get_verity_opts() if unified_kernel == 'y': boot_image = cls._create_unified_kernel_image(rootfs_dir, cr_workdir, 
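Review bot: the new `verity_root` source parameter is undocumented in this change (per the diffstat only the plugin file is touched), and the `panic-on-corruption` policy is hard-coded into the emitted `cip.verity_root_options=panic-on-corruption,%s` string rather than taken from the source params; add a short description of `verity_root=y` and of the resulting `cip.verity_root_options=` key next to the other documented source params, and consider making the policy configurable (a `verity_root_flags` source param would be one possible name, not something this series defines) so that a board preferring `restart-on-corruption` does not need to patch the plugin. Since the cmdline now becomes the sole carrier of the root hash, it is worth stating in the commit message that the integrity of this value rests on the UKI (or config) carrying it being signed, as the `signwith=` source param does for these partitions.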
@@ -143,6 +147,31 @@ class EfibootguardBootPlugin(SourcePlugin): cls._create_img(part_rootfs_dir, part, cr_workdir, native_sysroot, oe_builddir) + @classmethod + def _get_verity_opts(cls): + verity_sd_keys = ["data-block-size", "hash-block-size", "data-blocks", + "hash-offset", "salt", "uuid", "hash"] + opts = {} + deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE") + verityenv = None + for file in os.listdir(deploy_dir): + if fnmatch.fnmatch(file, '*.verity.env'): + verityenv = os.path.join(deploy_dir, file) + break + if not verityenv: + msger.error("No verity env file found in directory %s", deploy_dir) + exit(1) + with open(verityenv, "r") as venv: + for line in venv: + k, v = line.strip().split("=") + if k == "ROOT_HASH": + sd_key = "hash" + else: + sd_key = k.replace("_", "-").lower() + opts[sd_key] = v + sd_opts = {k: v for k, v in opts.items() if k in verity_sd_keys} + return ",".join(["%s=%s" % (k, v) for k, v in sd_opts.items()]) + @classmethod def _create_img(cls, part_rootfs_dir, part, cr_workdir, native_sysroot, oe_builddir):
From patchwork Fri Feb 14 12:23:29 2025
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 13977170
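Review bot: in the `_get_verity_opts` hunk of patch 1/2, the file is chosen as the first `*.verity.env` that `os.listdir(deploy_dir)` happens to return, so with more than one image in `DEPLOY_DIR_IMAGE` the choice is order-dependent and the root hash of a different (or stale) rootfs can end up in the signed cmdline, which at best fails at boot; select the file from the name of the image being built instead of a glob, or at least error out when more than one file matches. The parser is also brittle: `k, v = line.strip().split("=")` raises `ValueError` on a blank line and on any value containing `=`; use `split("=", 1)` and skip empty lines. Minor: `exit(1)` is the interactive builtin, prefer `sys.exit(1)` if `msger.error` does not already terminate the run.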
From: Felix Moessbauer
To: cip-dev@lists.cip-project.org
Cc: quirin.gylstorff@siemens.com, jan.kiszka@siemens.com, Felix Moessbauer
Subject: [isar-cip-core][RFC 2/2] port verity env handling to new kernel cmdline infrastructure
Date: Fri, 14 Feb 2025 13:23:29 +0100
Message-ID: <20250214122329.2766449-2-felix.moessbauer@siemens.com>
In-Reply-To: <20250214122329.2766449-1-felix.moessbauer@siemens.com>
References: <20250214122329.2766449-1-felix.moessbauer@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17850

Previously the verity env was injected as a file into the initrd and then sourced at runtime. As we now have infrastructure in place to add the verity env to the kernel cmdline, we replace the hard-coded values with logic to extract it from the kernel cmdline. By that, we also remove the dependency between the initramfs build and the verity creation, which reduces the set of dependencies (good for caching), as well as increases the parallelism of the build.

Once widely supported, the initrd scripts can be completely replaced by the systemd-veritysetup-generator (identical syntax).

Signed-off-by: Felix Moessbauer
---
 kas/opt/security.yml | 1 -
 .../initramfs-verity-hook/files/hook | 1 -
 .../files/local-top-complete.tmpl | 41 ++++++++++++++++++-
 .../initramfs-verity-hook_0.2.bb | 24 +----------
 wic/ebg-signed-sysparts.inc | 4 +-
 5 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/kas/opt/security.yml b/kas/opt/security.yml index 4aa40e0..317af85 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml
@@ -23,6 +23,5 @@ local_conf_header: USER_root[flags] = "clear-text-password" adjust-swupdate: | ABROOTFS_IMAGE_RECIPE = "cip-core-image-security" - VERITY_IMAGE_RECIPE = "cip-core-image-security" security-override: | OVERRIDES .= ":security" diff --git a/recipes-initramfs/initramfs-verity-hook/files/hook b/recipes-initramfs/initramfs-verity-hook/files/hook index 1550daf..557e4f3 100644 --- a/recipes-initramfs/initramfs-verity-hook/files/hook +++ b/recipes-initramfs/initramfs-verity-hook/files/hook @@ -2,4 +2,3 @@ # Copyright (c) Siemens AG, 2021-2024 copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions -copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env diff --git a/recipes-initramfs/initramfs-verity-hook/files/local-top-complete.tmpl b/recipes-initramfs/initramfs-verity-hook/files/local-top-complete.tmpl index 8865b0f..991178c 100644 --- a/recipes-initramfs/initramfs-verity-hook/files/local-top-complete.tmpl +++ b/recipes-initramfs/initramfs-verity-hook/files/local-top-complete.tmpl @@ -32,7 +32,44 @@ esac . /scripts/functions . /lib/cryptsetup/functions -. /usr/share/verity-env/verity.env + +load_verity_env_from_cmdline() +{ + local verity_opts + local key + local val + local opt + verity_opts=$(cat /proc/cmdline | sed -n 's/.*cip.verity_root_options=\([^ ]*\).*/\1/p' | sed 's/,/ /g') + for opt in $verity_opts; do + key=$(echo $opt | sed 's/=.*//') + val=$(echo $opt | sed 's/^[^=]*=//') + case "$key" in + uuid) + UUID="$val" + ;; + salt) + SALT="$val" + ;; + data-blocks) + DATA_BLOCKS="$val" + ;; + data-block-size) + DATA_BLOCK_SIZE="$val" + ;; + hash-block-size) + HASH_BLOCK_SIZE="$val" + ;; + hash-offset) + HASH_OFFSET="$val" + ;; + hash) + ROOT_HASH="$val" + ;; + *) + ;; + esac + done +} find_root_via_image_uuid() { 
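Review bot: `load_verity_env_from_cmdline` in the `local-top-complete.tmpl` hunk sets nothing when `cip.verity_root_options=` is absent or malformed and silently discards `panic-on-corruption` (it carries no `=`, so it falls into the `*)` branch), so the rest of the script, which previously got `ROOT_HASH`, `DATA_BLOCKS` and friends from the sourced verity.env, now continues with them unset; add a check after the loop that `ROOT_HASH` and the block geometry are all non-empty and fail loudly (panic) otherwise, and either honour the policy flag or say in a comment that it is intentionally ignored here. Smaller points in the same function: the greedy leading `.*` in the `sed` expression means that a repeated parameter on the cmdline is resolved to the last occurrence, `echo $opt` should be `echo "$opt"`, and `cat /proc/cmdline | sed -n ...` can simply be `sed -n ... /proc/cmdline`.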
@@ -63,6 +100,8 @@ find_root_via_image_uuid() echo "ROOT=/dev/null" >/conf/param.conf wait_for_udev 10 +load_verity_env_from_cmdline + case "$ROOT" in PART*) # Root was given as PARTUUID= or PARTLABEL=. diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb index a6c4666..668419e 100644 --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.2.bb @@ -25,26 +25,4 @@ DEBIAN_DEPENDS .= ", cryptsetup" DEBIAN_CONFLICTS = "initramfs-abrootfs-hook" HOOK_ADD_MODULES = "dm_mod dm_verity" -HOOK_COPY_EXECS = "veritysetup dmsetup" - -VERITY_IMAGE_RECIPE ?= "cip-core-image" - -# This is defined in image.bbclass which cannot be used in a package recipe. -# However, we need to use IMAGE_FULLNAME to pick up any extensions of it. -IMAGE_FULLNAME ??= "${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}" - -VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env" - -do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity" -do_install[cleandirs] += "${D}/usr/share/verity-env" - -do_install:append() { - # Insert the veritysetup commandline into the script - if [ -f "${VERITY_ENV_FILE}" ]; then - install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env" - else - bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!" - fi -} - -addtask install after do_transform_template +HOOK_COPY_EXECS = "veritysetup dmsetup sed" diff --git a/wic/ebg-signed-sysparts.inc b/wic/ebg-signed-sysparts.inc index 9292eee..b888239 100644 --- a/wic/ebg-signed-sysparts.inc +++ b/wic/ebg-signed-sysparts.inc 
@@ -4,5 +4,5 @@ part --source efibootguard-efi --size 16M --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" --fsuuid 0x4321dcba --uuid d1360f76-b09a-4bcc-b923-8195088cbe02 # EFI Boot Guard environment/config partitions plus Kernel files -part --source efibootguard-boot --fixed-size 64M --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh" --fsuuid 0x4321dcbb --uuid f870258b-706f-4a66-8d58-b5a75ce61b8b -part --source efibootguard-boot --fixed-size 64M --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh" --fsuuid 0x4321dcbc --uuid 6e41f2a7-e3eb-403f-8637-b111e4482ee9 +part --source efibootguard-boot --fixed-size 64M --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh,verity_root=y" --fsuuid 0x4321dcbb --uuid f870258b-706f-4a66-8d58-b5a75ce61b8b +part --source efibootguard-boot --fixed-size 64M --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh,verity_root=y" --fsuuid 0x4321dcbc --uuid 6e41f2a7-e3eb-403f-8637-b111e4482ee9
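Review bot: the `initramfs-verity-hook_0.2.bb` hunk drops `do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity"`, which was the only dependency visible in this series guaranteeing that `${IMAGE_FULLNAME}.verity.env` exists before it is consumed; the wic plugin from patch 1/2 now reads that file instead, but no equivalent dependency on the wic image creation task is added anywhere in the series, so depending on task ordering `_get_verity_opts` may either fail with "No verity env file found" or pick up a `*.verity.env` left over from a previous build. Add that task dependency (or state in the commit message where it is already enforced) so the hash embedded into BOOT0/BOOT1 always matches the rootfs produced in the same run.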