From: Jan Kiszka <jan.kiszka@siemens.com>
To: "Q. Gylstorff" <Quirin.Gylstorff@siemens.com>,
cip-dev@lists.cip-project.org
Subject: Re: [cip-dev][isar-cip-core][RFC 5/8] Create an read-only rootfs with dm-verity
Date: Fri, 12 Nov 2021 13:53:02 +0100
Message-ID: <1cb84d4a-6b72-0a1b-312e-6db3a86de90e@siemens.com>
In-Reply-To: <20211112115017.401779-7-Quirin.Gylstorff@siemens.com>
On 12.11.21 12:50, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This root file system supports SWUpdate and secure boot.
> We need a writable /tmp and /var for a boot without error messages.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> classes/wic-verity-img.bbclass | 8 ++++-
> kas/opt/verity.yml | 34 +++++++++++++++++++
> .../images/cip-core-image-read-only.bb | 24 +++++++++++++
> recipes-core/tmp-fs/files/postinst | 3 ++
> recipes-core/tmp-fs/files/tmp.mount | 11 ++++++
> recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 +++++
> wic/qemu-amd64-read-only.wks.in | 13 +++++++
> 7 files changed, 101 insertions(+), 1 deletion(-)
> create mode 100644 kas/opt/verity.yml
> create mode 100644 recipes-core/images/cip-core-image-read-only.bb
> create mode 100755 recipes-core/tmp-fs/files/postinst
> create mode 100644 recipes-core/tmp-fs/files/tmp.mount
> create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
> create mode 100644 wic/qemu-amd64-read-only.wks.in
>
> diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass
> index e185cf8..9b8a79e 100644
> --- a/classes/wic-verity-img.bbclass
> +++ b/classes/wic-verity-img.bbclass
> @@ -12,6 +12,12 @@
> inherit squashfs-img
> inherit verity-img
> inherit wic-img
> +inherit extract-partition
> +inherit swupdate-img
>
Is that still a "wic-verity-img" class then? Or rather a
secure-swupdate-img class, now with persistency?
> -addtask verity_image after do_squashfs_image
> +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
> +
> +addtask do_verity_image after do_squashfs_image
> addtask do_wic_image after do_verity_image
> +addtask do_extract_partition after do_wic_image
> +addtask do_swupdate_image after do_extract_partition
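Review bot: the change from `addtask verity_image` to `addtask do_verity_image` corrects the existing task name, but the commit message does not mention it and it is unrelated to adding the writable /tmp and /var; it would be clearer as a separate preparatory commit, or at least as a sentence in the message. The new `SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"` line is not read anywhere in this class, so a short comment naming the class that consumes it (`extract-partition` or `swupdate-img`) would help the next reader understand why it sits here.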
> diff --git a/kas/opt/verity.yml b/kas/opt/verity.yml
> new file mode 100644
> index 0000000..088f44a
> --- /dev/null
> +++ b/kas/opt/verity.yml
> @@ -0,0 +1,34 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2020
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +# This kas file creates a image with a read-only rootfs
> +# and secure-boot
> +
> +header:
> + version: 10
> + includes:
> + - efibootguard.yml
> +
> +target: cip-core-image-read-only
> +
> +local_conf_header:
> + verity-img: |
> + IMAGE_TYPE = "wic-verity-img"
> + WKS_FILE = "${MACHINE}-read-only.wks.in"
> + VERITY_IMAGE_TYPE = "squashfs"
> + swupdate: |
> + IMAGE_INSTALL_append = " swupdate"
> + IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
> + SWU_DESCRIPTION = "secureboot"
> + SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
> + secure-boot: |
> + # Add snakeoil and ovmf binaries for qemu
> + IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
> + IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
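Review bot: the `secure-boot:` block installs `ebg-secure-boot-snakeoil` unconditionally, although its own comment says the snakeoil and OVMF binaries are for qemu. An opt file named `verity.yml` will also be included for non-qemu targets, and signing there with the snakeoil test keys silently yields an image that only boots with the test certificates enrolled. Consider keeping the snakeoil lines in the qemu-specific secure-boot kas file (or guarding them on `MACHINE`) and leaving `verity.yml` with just the `verity-img` and `swupdate` sections. Minor: the header says `Copyright (c) Siemens AG, 2020` on a file added in November 2021, and `creates a image` should read `creates an image`.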
> diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
> new file mode 100644
> index 0000000..24ace3c
> --- /dev/null
> +++ b/recipes-core/images/cip-core-image-read-only.bb
> @@ -0,0 +1,24 @@
> +require cip-core-image.bb
> +
> +INITRAMFS_RECIPE = "cip-core-initramfs"
> +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
> +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
> +
> +SQUASHFS_EXCLUDE_DIRS += "home var"
> +
> +IMAGE_INSTALL += "tmp-fs"
> +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
> +
> +image_configure_fstab() {
> + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
> +# Begin /etc/fstab
> +/dev/root / auto defaults,ro 0 0
> +LABEL=var /var auto defaults 0 0
> +proc /proc proc nosuid,noexec,nodev 0 0
> +sysfs /sys sysfs nosuid,noexec,nodev 0 0
> +devpts /dev/pts devpts gid=5,mode=620 0 0
> +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
> +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
> +# End /etc/fstab
> +EOF
> +}
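Review bot: the `/var` entry in `image_configure_fstab`, `LABEL=var /var auto defaults 0 0`, disables fsck (pass 0) for the only writable ext4 partition in this layout and leaves `dev` and `suid` enabled on it, while `/run` right below already uses `nodev,nosuid`; `LABEL=var /var auto defaults,nosuid,nodev 0 2` would be consistent with the rest of the table and with the read-only, integrity-protected intent of the image. Style: `IMAGE_INSTALL_remove += "..."` works but is unusual; plain `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"` is the documented form.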
> diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
> new file mode 100755
> index 0000000..07017fd
> --- /dev/null
> +++ b/recipes-core/tmp-fs/files/postinst
> @@ -0,0 +1,3 @@
> +#!/bin/sh
> +
> +deb-systemd-helper enable tmp.mount || true
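Review bot: `deb-systemd-helper enable tmp.mount || true` masks every failure of the enable step, so a package that installed cleanly but never got its mount unit enabled would go unnoticed until /tmp turns out to be on the read-only root. Drop the `|| true` (or log before returning success) and run the enable only on the `configure` action, e.g. `if [ "$1" = "configure" ]; then deb-systemd-helper enable tmp.mount; fi`, which is the pattern the Debian maintainer-script helpers expect.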
> diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
> new file mode 100644
> index 0000000..7a31ed6
> --- /dev/null
> +++ b/recipes-core/tmp-fs/files/tmp.mount
> @@ -0,0 +1,11 @@
> +[Unit]
> +Description=Create /tmp
> +
> +[Mount]
> +What=tmpfs
> +Where=/tmp
> +Type=tmpfs
> +Options=nodev,nosuid,size=500M,mode=755
> +
> +[Install]
> +WantedBy=local-fs.target
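Review bot: `Options=nodev,nosuid,size=500M,mode=755` makes /tmp writable by root only; any non-root service or user writing to /tmp will fail. /tmp needs the sticky world-writable mode, `mode=1777`, which is also what the upstream systemd `tmp.mount` uses (together with `strictatime`). It is also worth mirroring the other upstream unit settings, `DefaultDependencies=no`, `Conflicts=umount.target` and `Before=local-fs.target umount.target`, so the mount is ordered correctly at boot and shutdown rather than only pulled in by `WantedBy=local-fs.target`. `Description=Create /tmp` could follow the upstream wording, `Temporary Directory /tmp`.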
> diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
> new file mode 100644
> index 0000000..4e0c467
> --- /dev/null
> +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
> @@ -0,0 +1,9 @@
> +inherit dpkg-raw
> +
> +SRC_URI = "file://postinst \
> + file://tmp.mount"
> +
> +do_install[cleandirs]+="${D}/lib/systemd/system"
> +do_install() {
> + install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
> +}
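Review bot: the recipe has no `DESCRIPTION` or `MAINTAINER`, which `dpkg-raw` packages usually carry so the resulting .deb is self-describing; a one-line description such as "systemd mount unit providing a tmpfs on /tmp for the read-only rootfs" would do. Style nit: `do_install[cleandirs]+=` should have spaces around `+=` like the rest of the tree. If `postinst` is picked up from `${WORKDIR}` by `dpkg-raw` automatically, a short comment saying so would explain why it is listed in `SRC_URI` but not touched in `do_install`.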
> diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in
> new file mode 100644
> index 0000000..c4ea0c8
> --- /dev/null
> +++ b/wic/qemu-amd64-read-only.wks.in
> @@ -0,0 +1,13 @@
> +# EFI partition containing efibootguard bootloader binary
> +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
> +
> +# EFI Boot Guard environment/config partitions plus Kernel files
> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> +
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
> +
> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
>
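Review bot: the bootloader line passes `rw` on the kernel command line, while the fstab in this same series mounts `/dev/root` with `ro` and the whole point of the dm-verity rootfs is that it is read-only; `ro` would be consistent and avoids a misleading command line if the initramfs ever falls back to mounting the partition directly. Both rootfs slots are fixed at `1G` and the A/B UUIDs are hard-coded; a comment stating that the initramfs or efibootguard configuration selects the slot by these UUIDs would tie the wks file to the rest of the series.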
Rather than adding yet another wks file, maybe better extend the
existing qemu-amd64-efibootguard-secureboot.wks. I would see dm-verity
as an extension of the secure-swupdate configuration, not as a variant
or something completely separate.
Jan
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux