From: Gylstorff Quirin <quirin.gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity
Date: Thu, 18 Nov 2021 19:10:30 +0100 [thread overview]
Message-ID: <18128c5f-d4ea-7f8f-e1a3-77390afa6a86@siemens.com> (raw)
In-Reply-To: <20211117121815.efuw3n7pyehisw75@MD1ZFJVC.ad001.siemens.net>
On 11/17/21 1:18 PM, Christian Storm via lists.cip-project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This root file system supports SWUpdate and secure boot.
>> We need a writable /tmp and /var for a boot without error messages.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> Kconfig | 3 +-
>> classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
>> kas/opt/ebg-secure-boot-base.yml | 2 ++
>> kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
>> kas/opt/ebg-snakeoil-swu.yml | 16 ----------
>> .../images/cip-core-image-read-only.bb | 20 ++++++++++++
>> recipes-core/tmp-fs/files/postinst | 3 ++
>> recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
>> recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
>> wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
>> wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
>> 11 files changed, 103 insertions(+), 30 deletions(-)
>> create mode 100644 classes/secure-swupdate-img.bbclass
>> delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
>> create mode 100644 recipes-core/images/cip-core-image-read-only.bb
>> create mode 100755 recipes-core/tmp-fs/files/postinst
>> create mode 100644 recipes-core/tmp-fs/files/tmp.mount
>> create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
>> delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
>> create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
>>
>> diff --git a/Kconfig b/Kconfig
>> index 8421f1b..e97cb03 100644
>> --- a/Kconfig
>> +++ b/Kconfig
>> @@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
>> config KAS_INCLUDE_SWUPDATE_SECBOOT
>> string
>> default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
>> - default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
>> - default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
>> + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>>
>> endif
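Review bot: the merged default silently drops the secure-boot-without-SWUpdate configuration: with this hunk `IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE` still selects kas/opt/ebg-secure-boot-snakeoil.yml, which in this same patch now appends swupdate and swupdate-handler-roundrobin unconditionally, so that combination becomes a SWUpdate image without anyone asking for it. Either keep the swupdate section of the snakeoil file conditional on IMAGE_SWUPDATE, or state in the commit message that secure boot now implies SWUpdate.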
>> diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
>> new file mode 100644
>> index 0000000..431939b
>> --- /dev/null
>> +++ b/classes/secure-swupdate-img.bbclass
>> @@ -0,0 +1,32 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2021
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +SECURE_IMAGE_FSTYPE ?= "squashfs"
>> +
>> +inherit ${SECURE_IMAGE_FSTYPE}-img
>> +
>> +VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
>> +
>> +INITRAMFS_RECIPE ?= "cip-core-initramfs"
>> +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
>> +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
>> +
>> +inherit verity-img
>> +inherit wic-img
>> +inherit extract-partition
>> +inherit swupdate-img
>> +
>> +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
>> +
>> +addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
>> +addtask do_wic_image after do_verity_image
>> +addtask do_extract_partition after do_wic_image
>> +addtask do_swupdate_image after do_extract_partition
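Review bot: both the inherited class (`inherit ${SECURE_IMAGE_FSTYPE}-img`) and the task chained after (`addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image`) are derived from SECURE_IMAGE_FSTYPE, so any value other than the squashfs default needs a matching `<fstype>-img` class that provides a `do_<fstype>_image` task, and that contract is documented nowhere. A comment above `SECURE_IMAGE_FSTYPE ?= "squashfs"` stating it, plus one on the fixed `INITRD_IMAGE` file name pattern, would save the next user a parse error.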
>> diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
>> index 8f769b6..acb4de0 100644
>> --- a/kas/opt/ebg-secure-boot-base.yml
>> +++ b/kas/opt/ebg-secure-boot-base.yml
>> @@ -19,3 +19,5 @@ local_conf_header:
>> IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
>> SWU_DESCRIPTION = "secureboot"
>> SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
>> + kernel: |
>> + SECURE_BOOT_KERNEL = "1"
>> diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
>> index 2f45bde..4a9185c 100644
>> --- a/kas/opt/ebg-secure-boot-snakeoil.yml
>> +++ b/kas/opt/ebg-secure-boot-snakeoil.yml
>> @@ -14,13 +14,24 @@ header:
>> includes:
>> - kas/opt/ebg-secure-boot-base.yml
>>
>> +target: cip-core-image-read-only
>>
>> local_conf_header:
>> + swupdate: |
>> + IMAGE_INSTALL_append = " swupdate"
>> + IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
>> +
>> + verity-img: |
>> + SECURE_BOOT_KERNEL = "1"
>> + SECURE_IMAGE_FSTYPE = "squashfs"
>> + VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
>> + IMAGE_TYPE = "secure-swupdate-img"
>> + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
>> +
>> secure-boot: |
>> # Add snakeoil and ovmf binaries for qemu
>> IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
>> IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
>> - WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
>>
>> ovmf: |
>> # snakeoil certs are only part of backports
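Review bot: `SECURE_BOOT_KERNEL = "1"` in the new verity-img section repeats what kas/opt/ebg-secure-boot-base.yml, included a few lines above, already sets in this same patch; keep it in one place. `VERITY_IMAGE_RECIPE = "cip-core-image-read-only"` likewise duplicates the `target:` line; if both are really needed, a short comment on why would help.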
>> diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
>> deleted file mode 100644
>> index 2f15c0e..0000000
>> --- a/kas/opt/ebg-snakeoil-swu.yml
>> +++ /dev/null
>> @@ -1,16 +0,0 @@
>> -#
>> -# CIP Core, generic profile
>> -#
>> -# Copyright (c) Siemens AG, 2021
>> -#
>> -# Authors:
>> -# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> -#
>> -# SPDX-License-Identifier: MIT
>> -#
>> -
>> -header:
>> - version: 10
>> - includes:
>> - - kas/opt/ebg-secure-boot-snakeoil.yml
>> - - kas/opt/swupdate.yml
>> diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
>> new file mode 100644
>> index 0000000..7ef2dc2
>> --- /dev/null
>> +++ b/recipes-core/images/cip-core-image-read-only.bb
>> @@ -0,0 +1,20 @@
>> +require cip-core-image.bb
>> +
>> +SQUASHFS_EXCLUDE_DIRS += "home var"
>> +
>> +IMAGE_INSTALL += "tmp-fs"
>> +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
>> +
>> +image_configure_fstab() {
>> + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
>> +# Begin /etc/fstab
>> +/dev/root / auto defaults,ro 0 0
>> +LABEL=var /var auto defaults 0 0
>> +proc /proc proc nosuid,noexec,nodev 0 0
>> +sysfs /sys sysfs nosuid,noexec,nodev 0 0
>> +devpts /dev/pts devpts gid=5,mode=620 0 0
>> +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
>> +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
>> +# End /etc/fstab
>> +EOF
>> +}
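Review bot: `IMAGE_INSTALL_remove += "..."` mixes the `_remove` override with `+=`; the usual form is `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"`. Also, `SQUASHFS_EXCLUDE_DIRS += "home var"` strips /home from the squashfs while the generated fstab only mounts /var, so in this patch /home is an empty, read-only directory; either add its mount here or say in the commit message that it arrives later in the series. For the persistent, writable /var next to a verity-protected root, consider `nosuid,nodev` instead of bare `defaults`, as /run, /proc and /sys already get.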
>> diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
>> new file mode 100755
>> index 0000000..07017fd
>> --- /dev/null
>> +++ b/recipes-core/tmp-fs/files/postinst
>> @@ -0,0 +1,3 @@
>> +#!/bin/sh
>> +
>> +deb-systemd-helper enable tmp.mount || true
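Review bot: `|| true` hides a failing `deb-systemd-helper enable tmp.mount`. On a read-only root an unmounted /tmp produces exactly the boot errors the commit message wants to avoid, so let the postinst fail loudly instead of masking the error.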
>> diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
>> new file mode 100644
>> index 0000000..7a31ed6
>> --- /dev/null
>> +++ b/recipes-core/tmp-fs/files/tmp.mount
>> @@ -0,0 +1,11 @@
>> +[Unit]
>> +Description=Create /tmp
>> +
>> +[Mount]
>> +What=tmpfs
>> +Where=/tmp
>> +Type=tmpfs
>> +Options=nodev,nosuid,size=500M,mode=755
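Review bot: `mode=755` makes /tmp writable by root only; /tmp needs the sticky bit and world write access (`mode=1777`, which is what systemd's own tmp.mount uses), otherwise every unprivileged service that touches /tmp fails on this read-only image. Since /tmp is world-writable, `noexec` is also worth considering here, as the fstab already does for /proc and /sys.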
>
> Hm, shouldn't size be configurable?
I will make it configurable in the next version.
>
>
>> +
>> +[Install]
>> +WantedBy=local-fs.target
>
> Is this the right point in time? Isn't /tmp needed before this?
According to my testing and [1], if /tmp is mounted in /etc/fstab, systemd
mounts it before local-fs.target.
In cip-core-image, /tmp is not needed before this, as the /tmp of the
initrd is used.
The systemd log looks like this:
```
[ OK ] Started Remount Root and Kernel File Systems.
Starting Create Static Device Nodes in /dev...
[ OK ] Started Create Static Device Nodes in /dev.
Starting udev Kernel Device Manager...
[ OK ] Reached target Local File Systems (Pre).
Mounting Create /tmp...
[ OK ] Mounted Create /tmp.
[ OK ] Started Journal Service.
```
[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html
>
>
>> diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
>> new file mode 100644
>> index 0000000..4e0c467
>> --- /dev/null
>> +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
>> @@ -0,0 +1,9 @@
>> +inherit dpkg-raw
>> +
>> +SRC_URI = "file://postinst \
>> + file://tmp.mount"
>> +
>> +do_install[cleandirs]+="${D}/lib/systemd/system"
>> +do_install() {
>> + install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
>> +}
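Review bot: `do_install[cleandirs]+="..."` is missing the spaces around `+=`; write `do_install[cleandirs] += "${D}/lib/systemd/system"` like the rest of the layer. The `postinst` listed in SRC_URI is never touched by do_install, so its pick-up relies on dpkg-raw handling ${WORKDIR}/postinst implicitly; a one-line comment saying so would make the recipe self-explanatory.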
>> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
>> deleted file mode 100644
>> index ff351db..0000000
>> --- a/wic/qemu-amd64-efibootguard-secureboot.wks
>> +++ /dev/null
>> @@ -1,11 +0,0 @@
>> -# short-description: Qemu-amd64 with Efibootguard and SWUpdate
>> -# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
>> -include ebg-signed-bootloader.inc
>> -
>> -# EFI Boot Guard environment/config partitions plus Kernel files
>> -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> -
>> -include swupdate-partition.inc
>> -
>> -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
>> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
>> new file mode 100644
>> index 0000000..c4ea0c8
>> --- /dev/null
>> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
>> @@ -0,0 +1,13 @@
>> +# EFI partition containing efibootguard bootloader binary
>> +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
>> +
>> +# EFI Boot Guard environment/config partitions plus Kernel files
>> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> +
>> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
>> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
>> +
>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
>> +
>> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
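Review bot: the `--append` line adds `rw` while the new image's fstab mounts / with `defaults,ro` and the root is a dm-verity mapping of a squashfs, which cannot be written; drop `rw` (or use `ro`) so the kernel command line and fstab agree. The rewrite also silently drops `panic=0` from the deleted qemu-amd64-efibootguard-secureboot.wks and its short-description/long-description header comments; both deserve a sentence in the commit message.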
>> --
>> 2.30.2
>>
>
>
>
> Kind regards,
> Christian
>
>
>
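An added check for the configuration discussed in this message, not code from the patch or from isar-cip-core: it lints an fstab, the systemd .mount units and the kernel command line for the invariants a dm-verity root needs (/ mounted ro, no `rw` on the command line, a hardened tmpfs on every path that has to stay writable). The fstab, tmp.mount and --append line are copied from the patch above as constructed sample input; the function names, the check list and the expectation that /tmp is mode 1777 are this example's own assumptions.

```python
import configparser

# Constructed sample input: the fstab, tmp.mount and bootloader --append
# line copied from the patch under review.
FSTAB = """\
/dev/root / auto defaults,ro 0 0
LABEL=var /var auto defaults 0 0
proc /proc proc nosuid,noexec,nodev 0 0
sysfs /sys sysfs nosuid,noexec,nodev 0 0
tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
"""

TMP_MOUNT = """\
[Unit]
Description=Create /tmp

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=nodev,nosuid,size=500M,mode=755

[Install]
WantedBy=local-fs.target
"""

CMDLINE = "console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"

# Paths that must stay writable when / is a verity-protected squashfs (assumption).
WRITABLE_PATHS = ("/tmp", "/var", "/run")


def parse_fstab(text):
    """Map mountpoint -> {source, fstype, options} for each fstab entry."""
    mounts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        source, target, fstype, opts = line.split()[:4]
        mounts[target] = {"source": source, "fstype": fstype,
                          "options": set(opts.split(","))}
    return mounts


def parse_mount_unit(text):
    """Return (Where, entry) for a systemd .mount unit in fstab-entry shape."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # systemd keys are case sensitive
    cp.read_string(text)
    sec = cp["Mount"]
    options = {o for o in sec.get("Options", "").split(",") if o}
    return sec["Where"], {"source": sec.get("What", ""),
                          "fstype": sec.get("Type", "auto"),
                          "options": options}


def tmpfs_mode(options):
    """Permission bits of a tmpfs mount; the kernel default is 1777."""
    for opt in options:
        if opt.startswith("mode="):
            return int(opt[5:], 8)
    return 0o1777


def lint(fstab, units, cmdline):
    """Return findings for a read-only root; an empty list means consistent."""
    findings = []
    mounts = dict(fstab)
    for text in units:
        where, entry = parse_mount_unit(text)
        mounts[where] = entry     # a unit wins over an fstab line for that path
    root = mounts.get("/")
    if root is None:
        findings.append("/: no root entry, cannot verify read-only mount")
    elif "ro" not in root["options"]:
        findings.append("/: verity root must be mounted ro")
    if "rw" in cmdline.split():
        findings.append("cmdline: 'rw' asks the kernel to mount the verity root writable")
    for path in WRITABLE_PATHS:
        entry = mounts.get(path)
        if entry is None:
            findings.append(f"{path}: no writable mount on a read-only root")
            continue
        if entry["fstype"] != "tmpfs":
            continue              # persistent partition, e.g. LABEL=var
        for opt in ("nodev", "nosuid"):
            if opt not in entry["options"]:
                findings.append(f"{path}: tmpfs lacks {opt}")
        mode = tmpfs_mode(entry["options"])
        if path == "/tmp" and (mode & 0o1002) != 0o1002:
            findings.append(f"/tmp: mode={mode:o} lacks sticky bit or world write (want 1777)")
    return findings


def check_patch_config():
    """Lint the configuration exactly as posted in the patch."""
    return lint(parse_fstab(FSTAB), [TMP_MOUNT], CMDLINE)
```

Run over the patch as posted, check_patch_config() reports the `rw` on the command line and the `mode=755` on /tmp; with `mode=1777` and `ro` it reports nothing. The same lint can be pointed at ${IMAGE_ROOTFS}/etc/fstab and the units under /lib/systemd/system of a built image as a CI step.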
Thread overview (25+ messages):
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 1/9] Add new class to create a squashfs based root file system Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 2/9] Add verity-img.bbclass for dm-verity based rootfs Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 3/9] linux-cip-common: Add options necessary for dm-verity Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support " Q. Gylstorff
2021-11-17 12:33 ` Christian Storm
2021-11-18 18:19 ` Gylstorff Quirin
2021-11-19 13:29 ` Christian Storm
2021-11-23 13:31 ` Gylstorff Quirin
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity Q. Gylstorff
2021-11-17 12:18 ` Christian Storm
2021-11-18 18:10 ` Gylstorff Quirin [this message]
2021-11-19 6:41 ` Jan Kiszka
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay Q. Gylstorff
2021-11-17 12:11 ` Christian Storm
2021-11-18 18:12 ` Gylstorff Quirin
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 7/9] Mount writable home partition Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home Q. Gylstorff
2021-11-17 10:27 ` Christian Storm
2021-11-17 11:41 ` Gylstorff Quirin
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master Q. Gylstorff
2021-11-17 10:40 ` Christian Storm
2021-11-17 11:36 ` Gylstorff Quirin
2021-11-19 6:42 ` Jan Kiszka
2021-11-19 13:34 ` Christian Storm