* [cip-dev][isar-cip-core][RFC 0/8] Read-only root file system with dm-verity
@ 2021-11-12 11:50 Q. Gylstorff
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 1/8] Add new class to create a squashfs based root file system Q. Gylstorff
                   ` (8 more replies)
  0 siblings, 9 replies; 17+ messages in thread
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patch series adds support for a read-only squashfs based root filesystem
with SWUpdate support and secure boot.

The build is somewhat complex as we need the output of dm-verity to generate
the initramfs. The build is split into the following steps:
1. We build the root file system
2. We generate a squashfs image - this can also be replaced by another image format (e.g. ext4)
3. We build the dm-verity partition from the image and add it to the end of the image
4. We add the resulting verity environment to the initrd

We build the signed efi tool chain.

This series needs SWUpdate 2021.11. The necessary changes are currently backported.

Quirin Gylstorff (8):
  Add new class to create a squashfs based root file system
  Add classes for dm-verity based rootfs
  linux-cip-common: Add options necessary for dm-verity
  Create an initrd with support for dm-verity
  Create a read-only rootfs with dm-verity
  Create systemd mount units for an etc overlay
  Mount writable home partition
  swupdate: Backport patches from SWUpdate Master

 classes/squashfs-img.bbclass                  |  42 ++++
 classes/verity-img.bbclass                    |  73 +++++++
 classes/wic-verity-img.bbclass                |  23 +++
 kas/opt/verity.yml                            |  34 ++++
 .../etc-overlay-fs/etc-overlay-fs_0.1.bb      |  16 ++
 .../etc-overlay-fs/files/etc-hostname.service |  14 ++
 .../etc-overlay-fs/files/etc-sysusers.service |  14 ++
 recipes-core/etc-overlay-fs/files/etc.mount   |  13 ++
 .../files/overlay-parse-etc.service           |  12 ++
 recipes-core/etc-overlay-fs/files/postinst    |   6 +
 recipes-core/home-fs/files/home.mount         |  11 +
 recipes-core/home-fs/files/postinst           |   3 +
 recipes-core/home-fs/home-fs_0.1.bb           |  10 +
 .../images/cip-core-image-read-only.bb        |  26 +++
 .../0001-add-patches-for-dm-verity.patch      | 188 ++++++++++++++++++
 .../swupdate/swupdate_2021.04-1+debian-gbp.bb |   5 +
 recipes-core/tmp-fs/files/postinst            |   3 +
 recipes-core/tmp-fs/files/tmp.mount           |  11 +
 recipes-core/tmp-fs/tmp-fs_0.1.bb             |   9 +
 .../cip-core-initramfs/cip-core-initramfs.bb  |  16 ++
 .../files/verity.conf-hook                    |   1 +
 .../initramfs-verity-hook/files/verity.hook   |  23 +++
 .../initramfs-verity-hook/files/verity.script |  68 +++++++
 .../initramfs-verity-hook_0.1.bb              |  39 ++++
 recipes-kernel/linux/files/verity.cfg         |   5 +
 recipes-kernel/linux/linux-cip-common.inc     |   6 +
 wic/qemu-amd64-read-only.wks.in               |  15 ++
 27 files changed, 686 insertions(+)
 create mode 100644 classes/squashfs-img.bbclass
 create mode 100644 classes/verity-img.bbclass
 create mode 100644 classes/wic-verity-img.bbclass
 create mode 100644 kas/opt/verity.yml
 create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
 create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
 create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
 create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
 create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
 create mode 100755 recipes-core/etc-overlay-fs/files/postinst
 create mode 100644 recipes-core/home-fs/files/home.mount
 create mode 100755 recipes-core/home-fs/files/postinst
 create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
 create mode 100644 recipes-core/images/cip-core-image-read-only.bb
 create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
 create mode 100755 recipes-core/tmp-fs/files/postinst
 create mode 100644 recipes-core/tmp-fs/files/tmp.mount
 create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
 create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script
 create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
 create mode 100644 recipes-kernel/linux/files/verity.cfg
 create mode 100644 wic/qemu-amd64-read-only.wks.in

-- 
2.30.2
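Added illustration, not part of the series: the Python below models the hand-off between build steps 3 and 4 above, i.e. how the `veritysetup format` output that verity-img.bbclass captures becomes the `verity.env` file the initrd's `verity.script` sources, plus the block-alignment check that `do_verity_image` performs and the `veritysetup open` argument list the script assembles from those variables. The sample `veritysetup` output is constructed (UUID, salt and root hash are made-up values), the helper names are mine, and the key/value mapping (header line dropped, key upper-cased with spaces replaced by underscores, whitespace stripped from the value, `HASH_OFFSET` appended because veritysetup does not print it) follows the shell in `create_verity_env_file`.

```python
"""Model of the verity-img.bbclass -> verity.env -> verity.script data flow."""
import re

# Constructed sample of `veritysetup format` output; the field names are the
# ones the real tool prints, the values are made up for this illustration.
SAMPLE_VERITYSETUP_OUTPUT = """\
VERITY header information for /deploy/cip-core-image-read-only.squashfs.verity.img
UUID:            0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
Hash type:       1
Data blocks:     65536
Data block size: 1024
Hash block size: 1024
Hash algorithm:  sha256
Salt:            00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Root hash:       ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""

# Variables verity.script dereferences after sourcing verity.env.
SCRIPT_REQUIRED_VARS = ("ROOT_HASH", "HASH_OFFSET", "DATA_BLOCK_SIZE",
                        "HASH_BLOCK_SIZE", "DATA_BLOCKS", "SALT")


def is_block_aligned(image_size, data_block_size):
    """The precondition do_verity_image asserts before calling veritysetup."""
    return image_size % data_block_size == 0


def data_blocks(image_size, data_block_size):
    """Mirror do_verity_image: VERITY_DATA_BLOCKS = size // block size.

    The hash tree is appended at offset `image_size`, so a partial trailing
    block would leave bytes that are neither covered by the tree nor part of it.
    """
    if not is_block_aligned(image_size, data_block_size):
        raise ValueError(
            f"image size {image_size} is not a multiple of {data_block_size}")
    return image_size // data_block_size


def metadata_to_env(text, hash_offset):
    """Mirror create_verity_env_file: header line dropped, 'Root hash' becomes
    ROOT_HASH, spaces/tabs stripped from the value, HASH_OFFSET appended."""
    env = {}
    for line in text.splitlines():
        if line.startswith("VERITY header information for") or ":" not in line:
            continue
        key, val = line.split(":", 1)
        env[key.strip().upper().replace(" ", "_")] = re.sub(r"[ \t]", "", val)
    env["HASH_OFFSET"] = str(hash_offset)
    return env


def env_file_text(env):
    """Render the KEY=VALUE lines that the initrd hook copies into the image."""
    return "".join(f"{key}={value}\n" for key, value in env.items())


def missing_script_vars(env):
    """Names verity.script needs that the env file does not provide."""
    return [name for name in SCRIPT_REQUIRED_VARS if name not in env]


def verity_open_args(env, root_dev, name="verityroot"):
    """The argv that verity.script hands to `veritysetup open`: the data
    device doubles as the hash device, located via HASH_OFFSET, and ROOT_HASH
    is the trust anchor that must come from the (signed) initramfs."""
    return ["veritysetup", "open", "--restart-on-corruption",
            "--data-block-size", env["DATA_BLOCK_SIZE"],
            "--hash-block-size", env["HASH_BLOCK_SIZE"],
            "--data-blocks", env["DATA_BLOCKS"],
            "--hash-offset", env["HASH_OFFSET"],
            "--salt", env["SALT"],
            root_dev, name, root_dev, env["ROOT_HASH"]]


if __name__ == "__main__":
    size = 64 * 1024 * 1024          # constructed squashfs image size
    env = metadata_to_env(SAMPLE_VERITYSETUP_OUTPUT, size)
    print(env_file_text(env))
    print(" ".join(verity_open_args(env, "/dev/sda4")))
```

Everything in the resulting env file is public except for its role: the root hash is not a secret, but it is the value the whole rootfs is verified against, so its integrity depends entirely on the integrity of the initramfs that carries it (in this series, the signed unified kernel image built from the wks file).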




* [cip-dev][isar-cip-core][RFC 1/8] Add new class to create a squashfs based root file system
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This file system is read-only and uses a reduced image size.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/squashfs-img.bbclass | 42 ++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 classes/squashfs-img.bbclass

diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
new file mode 100644
index 0000000..f827e8c
--- /dev/null
+++ b/classes/squashfs-img.bbclass
@@ -0,0 +1,42 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
+
+IMAGER_INSTALL += "squashfs-tools"
+
+SQUASHFS_EXCLUDE_DIRS ?= ""
+SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
+SQUASHFS_CREATION_ARGS ?= " "
+# Generate squashfs filesystem image
+python __anonymous() {
+    exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
+    if len(exclude_directories) == 0:
+        return
+    args=d.getVar('SQUASHFS_CREATION_ARGS')
+    args+=" -wildcards"
+    # use wildcard to exclude only content of the the directory
+    # this allows to use the directory as a mount point
+    for dir in exclude_directories:
+        args+=" -e {dir}/* ".format(dir=dir)
+    d.setVar('SQUASHFS_CREATION_ARGS', args)
+}
+
+do_squashfs_image() {
+    rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
+
+    image_do_mounts
+
+    sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs  \
+        "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+        ${SQUASHFS_CREATION_ARGS}
+}
+addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
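Review bot: the final `addtask` orders `do_squashfs_image` after `do_excl_directories`, a task that no class or recipe in this series defines; either that task is missing from the series or the dependency is stale and should be dropped, because a dangling task name in an `addtask after` is easy to overlook and leaves the exclusion intent undocumented. The `rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'` runs outside the chroot while `mksquashfs` writes to `${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}` inside it; a one-line comment that both paths name the same deploy directory would save the next reader a lookup. Smaller points: the comment "only content of the the directory" has a doubled word, and `dir` as a loop variable shadows the Python builtin (`subdir` reads better).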
-- 
2.30.2




* [PATCH] recipes-core/swupdate: Update the SRC_URI and SWUPDATE_BUILD_PROFILES append for buster
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Srinuvasan A <srinuvasan_a@mentor.com>

When we build the swupdate Debian package for buster, some build
dependency packages are not available in the stable buster repo, hence we created a
patch in cip-core upstream for the buster build. There we hardcoded the distro
for the buster build, hence it builds fine in cip-core but not in the downstream layer.
Add the OVERRIDES for BASE_DISTRO_CODENAME to select the particular base distro.

Signed-off-by: Srinuvasan A <srinuvasan_a@mentor.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/swupdate/swupdate.inc                     | 2 ++
 recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/recipes-core/swupdate/swupdate.inc b/recipes-core/swupdate/swupdate.inc
index a469587..191aa2b 100644
--- a/recipes-core/swupdate/swupdate.inc
+++ b/recipes-core/swupdate/swupdate.inc
@@ -13,6 +13,8 @@ HOMEPAGE= "https://github.com/sbabic/swupdate"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
 
+OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
+
 def get_bootloader_build_profile(d):
     bootloader = d.getVar("SWUPDATE_BOOTLOADER") or ""
     if bootloader == "efibootguard":
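Review bot: `OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"` needs a one-line comment explaining why this recipe adds its own override instead of relying on the distro override already in OVERRIDES; right now the only explanation lives in the commit message. Also, if `BASE_DISTRO_CODENAME` is unset the expansion leaves a trailing `:` in OVERRIDES, which BitBake tolerates but which makes the `_buster` appends in the .bb silently inactive; a `BASE_DISTRO_CODENAME ?=` default or a parse-time `bb.fatal` when it is empty would turn that silent no-op into a visible error.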
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index a451b55..e62230f 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -35,14 +35,14 @@ SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
 # SWUPDATE_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
 
 # modify for debian buster build
-SRC_URI_append_cip-core-buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
+SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
 
 # disable documentation due to missing packages in debian buster
 # disable create filesystem due to missing symbols in debian buster
 # disable webserver due to missing symbols in debian buster
-SWUPDATE_BUILD_PROFILES_append_cip-core-buster = " nodoc \
-                                                   pkg.swupdate.nocreatefs \
-                                                   pkg.swupdate.nowebserver "
+SWUPDATE_BUILD_PROFILES_append_buster = " nodoc \
+                                          pkg.swupdate.nocreatefs \
+                                          pkg.swupdate.nowebserver "
 # In debian buster the git-compression defaults to gz and does not detect other
 # compression formats.
 GBP_EXTRA_OPTIONS += "--git-compression=xz"
-- 
2.30.2




* [cip-dev][isar-cip-core][RFC 2/8] Add classes for dm-verity based rootfs
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add a bbclass to add dm-verity to an existing root file system
partition. As we need the output of `veritysetup` to generate
the initrd, do_verity_image must be called before wic
generates the final disk image.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/verity-img.bbclass     | 73 ++++++++++++++++++++++++++++++++++
 classes/wic-verity-img.bbclass | 17 ++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 classes/verity-img.bbclass
 create mode 100644 classes/wic-verity-img.bbclass

diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass
new file mode 100644
index 0000000..82159b3
--- /dev/null
+++ b/classes/verity-img.bbclass
@@ -0,0 +1,73 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+IMAGER_INSTALL += "cryptsetup"
+
+VERITY_IMAGE_TYPE ?= "squashfs"
+VERITY_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
+VERITY_HASH_BLOCK_SIZE ?= "1024"
+VERITY_DATA_BLOCK_SIZE ?= "1024"
+
+create_verity_env_file() {
+
+    local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.${VERITY_IMAGE_TYPE}.env"
+    rm -f $ENV
+
+    local input="${WORKDIR}/${VERITY_IMAGE_METADATA}"
+    # remove header from verity meta data
+    sed -i '/VERITY header information for/d' $input
+    IFS=":"
+    while read KEY VAL; do
+        printf '%s=%s\n' \
+            "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+            "$(echo "$VAL" | tr -d ' \t')" >> $ENV
+    done < $input
+}
+
+verity_setup() {
+    rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+    rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}
+
+    cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+
+    image_do_mounts
+    sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+        --hash-block-size "${VERITY_HASH_BLOCK_SIZE}"  \
+        --data-block-size "${VERITY_DATA_BLOCK_SIZE}"  \
+        --data-blocks "${VERITY_DATA_BLOCKS}" \
+        --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \
+        "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+        "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+        >"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+
+    echo "Hash offset:    	${VERITY_INPUT_IMAGE_SIZE}" \
+        >>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+}
+
+do_verity_image[cleandirs] = "${WORKDIR}/verity"
+python do_verity_image() {
+    import os
+
+    image_file = os.path.join(
+        d.getVar("DEPLOY_DIR_IMAGE"),
+        d.getVar("VERITY_IMAGE")
+    )
+    data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+    size = os.stat(image_file).st_size
+    assert size % data_block_size == 0, f"image is not well-sized!"
+    d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+    d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+
+    bb.build.exec_func('verity_setup', d)
+    bb.build.exec_func('create_verity_env_file', d)
+}
+addtask verity_image before do_image after do_image_tools
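Review bot: `do_verity_image[cleandirs] = "${WORKDIR}/verity"` names a directory that nothing in this class uses: the metadata is written to `${WORKDIR}/${VERITY_IMAGE_METADATA}` and the env file to `${DEPLOY_DIR_IMAGE}`, so either put the intermediates under `${WORKDIR}/verity` or drop the flag. In `create_verity_env_file`, `IFS=":"` is set for the remainder of the function without being restored and the `sed -i` edits the metadata file in place; `while IFS=: read -r KEY VAL` scopes the separator to the read and keeps backslashes literal, and a `grep -v` into the loop avoids mutating the input. The `assert size % data_block_size == 0, f"image is not well-sized!"` uses an f-string with no placeholders and surfaces as a bare traceback; `bb.fatal("image size %d is not a multiple of VERITY_DATA_BLOCK_SIZE %d" % (size, data_block_size))` reports it as a build error with the numbers that matter. Finally, this file says `addtask verity_image` while wic-verity-img.bbclass says `addtask do_verity_image`; both spellings work, but one should be used consistently. On the security side the structure is right: the root hash that lands in the `.env` file is the trust anchor for the entire rootfs, so it must only be consumed from an initramfs whose own integrity is protected, which the signed unified kernel image in the wks file of 5/8 provides.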
diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass
new file mode 100644
index 0000000..e185cf8
--- /dev/null
+++ b/classes/wic-verity-img.bbclass
@@ -0,0 +1,17 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit squashfs-img
+inherit verity-img
+inherit wic-img
+
+addtask verity_image after do_squashfs_image
+addtask do_wic_image after do_verity_image
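Review bot: the mixed task spellings (`verity_image` on one line, `do_wic_image` and `do_verity_image` on the next) are corrected in 5/8; squash that correction into this patch so every step of the series leaves the tree consistent. A short comment stating the intended chain (squashfs image, then verity hash tree, then wic disk image) would also help, since the `before do_image after do_image_tools` half of the ordering lives in verity-img.bbclass and is not visible here.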
-- 
2.30.2




* [cip-dev][isar-cip-core][RFC 3/8] linux-cip-common: Add options necessary for dm-verity
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

The CIP kernel config does not contain support for dm-verity and
squashfs. OverlayFS support is added for the etc overlay.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-kernel/linux/files/verity.cfg     | 5 +++++
 recipes-kernel/linux/linux-cip-common.inc | 6 ++++++
 2 files changed, 11 insertions(+)
 create mode 100644 recipes-kernel/linux/files/verity.cfg

diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
new file mode 100644
index 0000000..35d8208
--- /dev/null
+++ b/recipes-kernel/linux/files/verity.cfg
@@ -0,0 +1,5 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
+CONFIG_OVERLAY_FS=y
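Review bot: `CONFIG_DM_CRYPT=y` is not needed for any of dm-verity, squashfs or overlayfs, which are the three features the commit message names; if it is meant for a later encrypted data-partition use case, say so in the commit message, otherwise drop it so the fragment stays minimal and every enabled option has a stated consumer. A comment per line noting that consumer (dm-verity for the rootfs, squashfs for the image format, overlayfs for /etc) would keep the fragment self-explanatory.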
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..0792371 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
 SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
 
 S = "${WORKDIR}/linux-cip-v${PV}"
+
+SRC_URI += "file://verity.cfg"
+
+do_prepare_build_prepend() {
+    cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}
+}
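Review bot: the fragment is appended to `${WORKDIR}/${KERNEL_DEFCONFIG}` for every machine, not only for the read-only/verity image, and relies on a later defconfig entry winning over an earlier one, so any `# CONFIG_X is not set` line above is overridden without the conflict report a real merge would give. Consider gating the append on the verity image being built and performing the merge with the kernel's own `scripts/kconfig/merge_config.sh`, which warns when a requested value does not survive. It also assumes the defconfig was fetched into WORKDIR, as the `bbb` line above does; worth checking that every machine this `.inc` serves takes that path rather than an in-tree defconfig name.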
-- 
2.30.2




* [cip-dev][isar-cip-core][RFC 4/8] Create an initrd with support for dm-verity
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initrd to open a dm-verity partition with a fixed
root hash.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../cip-core-initramfs/cip-core-initramfs.bb  | 16 +++++
 .../files/verity.conf-hook                    |  1 +
 .../initramfs-verity-hook/files/verity.hook   | 23 +++++++
 .../initramfs-verity-hook/files/verity.script | 68 +++++++++++++++++++
 .../initramfs-verity-hook_0.1.bb              | 39 +++++++++++
 5 files changed, 147 insertions(+)
 create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
 create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script
 create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+    initramfs-verity-hook \
+    "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
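Review bot: the companion `verity.script` calls `blkid` with `--list-one`, `--match-token` and `-p`, options of the util-linux binary that the busybox applet does not provide, yet this hook copies `veritysetup` and `dmsetup` but not `blkid`; add `copy_exec /sbin/blkid` so the initramfs does not depend on some other hook having pulled it in. `copy_file library` for `verity.env` is only a label used in messages, but `config` describes the file better than `library`. The `manual_add_modules dm_mod`/`dm_verity` calls are no-ops with the `=y` fragment from 3/8 and only matter if those drivers are ever built as modules; fine to keep, but a comment saying so avoids the question in review.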
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script b/recipes-initramfs/initramfs-verity-hook/files/verity.script
new file mode 100644
index 0000000..a66b557
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+    # Make sure that this script is run last in local-top
+    local req
+    for req in "${0%/*}"/*; do
+        script="${req##*/}"
+        if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
+            printf '%s\n' "$script"
+        fi
+    done
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted.  As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+    PART*)
+        # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+        # partition
+        ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+        ;;
+    "")
+        # No Root device was given. Use veritysetup verify to search matching roots
+        partitions=$(blkid -o device)
+        for part in $partitions; do
+            if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+                if veritysetup verify \
+                   "$part" "$part" "${ROOT_HASH}" \
+                   --hash-offset "${HASH_OFFSET}";then
+                    ROOT="$part"
+                    break
+                fi
+            fi
+        done
+        ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+     --restart-on-corruption \
+     --data-block-size "${DATA_BLOCK_SIZE}" \
+     --hash-block-size "${HASH_BLOCK_SIZE}" \
+     --data-blocks "${DATA_BLOCKS}" \
+     --hash-offset "${HASH_OFFSET}" \
+     --salt "${SALT}" \
+     "$1" "$2" "$1" "${ROOT_HASH}"; then
+    panic "Can't open verity rootfs!"
+fi
+
+wait_for_udev 10
+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+    panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
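Review bot: `veritysetup format` in verity-img.bbclass is run without `--no-superblock`, so a superblock holding block sizes, data block count, hash algorithm and salt sits at `HASH_OFFSET`, and `veritysetup open` reads those values from it; the explicit `--data-block-size`, `--hash-block-size`, `--data-blocks` and `--salt` arguments passed here are therefore redundant at best and confusing if they ever disagree with the superblock. Either keep only `--hash-offset` and the root hash (the root hash is the one value that has to come from the trusted initramfs) or use `--no-superblock` on both format and open so the values in `verity.env` are authoritative. When `$ROOT` is empty and the scan loop finds no partition whose hash tree verifies, `set -- "$ROOT" verityroot` leaves `$1` empty and the failure surfaces as an opaque `veritysetup open` error; a `[ -n "$ROOT" ] || panic "No partition verified against the verity root hash"` before the open names the real cause. Writing `ROOT=/dev/null` to param.conf first and using `--restart-on-corruption` are the right defensive defaults; the scan loop also probes writable partitions such as `/var`, which is harmless because they cannot verify against the root hash.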
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..e067a22
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,39 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+    file://verity.conf-hook \
+    file://verity.hook \
+    file://verity.script \
+    "
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.${VERITY_IMAGE_TYPE}.env"
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/verity-env \
+    ${D}/usr/share/initramfs-tools/scripts/local-top \
+    ${D}/usr/share/initramfs-tools/conf-hooks.d"
+do_install() {
+    # Insert the veritysetup commandline into the script
+    if [ -f "${VERITY_ENV_FILE}" ]; then
+        install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+        install -m 0755 "${WORKDIR}/verity.script" \
+            "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+    fi
+    install -m 0755 "${WORKDIR}/verity.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/verity"
+}
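Review bot: `do_install` silently skips installing `verity.script` and `verity.env` when `${VERITY_ENV_FILE}` is absent, yet `verity.hook` is still installed, so the build would succeed and produce an initramfs that never sets up dm-verity and boots whatever is at `$ROOT` unverified. Since `do_install[depends]` already guarantees `do_verity_image` has run, the env file is expected to exist; add an `else` branch with `bbfatal "verity env file ${VERITY_ENV_FILE} not found"` so a misconfiguration fails the build instead of weakening the boot. `VERITY_ENV_FILE` also hard-codes `${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}` as the image name, duplicating what `IMAGE_FULLNAME` yields in verity-img.bbclass; deriving one from the other keeps the two from drifting apart.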
-- 
2.30.2




* [cip-dev][isar-cip-core][RFC 5/8] Create a read-only rootfs with dm-verity
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/wic-verity-img.bbclass                |  8 ++++-
 kas/opt/verity.yml                            | 34 +++++++++++++++++++
 .../images/cip-core-image-read-only.bb        | 24 +++++++++++++
 recipes-core/tmp-fs/files/postinst            |  3 ++
 recipes-core/tmp-fs/files/tmp.mount           | 11 ++++++
 recipes-core/tmp-fs/tmp-fs_0.1.bb             |  9 +++++
 wic/qemu-amd64-read-only.wks.in               | 13 +++++++
 7 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 kas/opt/verity.yml
 create mode 100644 recipes-core/images/cip-core-image-read-only.bb
 create mode 100755 recipes-core/tmp-fs/files/postinst
 create mode 100644 recipes-core/tmp-fs/files/tmp.mount
 create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
 create mode 100644 wic/qemu-amd64-read-only.wks.in

diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass
index e185cf8..9b8a79e 100644
--- a/classes/wic-verity-img.bbclass
+++ b/classes/wic-verity-img.bbclass
@@ -12,6 +12,12 @@
 inherit squashfs-img
 inherit verity-img
 inherit wic-img
+inherit extract-partition
+inherit swupdate-img
 
-addtask verity_image after do_squashfs_image
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_squashfs_image
 addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
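Review bot: the `addtask verity_image` to `addtask do_verity_image` rename fixes a spelling introduced in 2/8 and belongs in that patch, so the series stays consistent at every step. `SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"` is consumed by the newly inherited `extract-partition` class, which a short comment should state, since the variable name alone does not show which class reads it.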
diff --git a/kas/opt/verity.yml b/kas/opt/verity.yml
new file mode 100644
index 0000000..088f44a
--- /dev/null
+++ b/kas/opt/verity.yml
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file creates a image with a read-only rootfs
+# and secure-boot
+
+header:
+  version: 10
+  includes:
+   - efibootguard.yml
+
+target: cip-core-image-read-only
+
+local_conf_header:
+  verity-img: |
+    IMAGE_TYPE = "wic-verity-img"
+    WKS_FILE = "${MACHINE}-read-only.wks.in"
+    VERITY_IMAGE_TYPE = "squashfs"
+  swupdate: |
+    IMAGE_INSTALL_append = " swupdate"
+    IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+    SWU_DESCRIPTION = "secureboot"
+    SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+  secure-boot: |
+    # Add snakeoil and ovmf binaries for qemu
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
+    IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
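Review bot: the copyright header says 2020 while every other new file in the series says 2021. In the `swupdate` block `IMAGE_INSTALL_append` is assigned twice; the two packages can go in a single append. The `secure-boot` block only adds the snakeoil keys and OVMF binaries for QEMU, which the comment says, but it is worth spelling out in the file header that these test keys must be replaced for a production image, since the kas file is otherwise the complete recipe for a "secure" build.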
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..24ace3c
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,24 @@
+require cip-core-image.bb
+
+INITRAMFS_RECIPE = "cip-core-initramfs"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+    sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root	/		auto		defaults,ro			0	0
+LABEL=var	/var		auto		defaults			0	0
+proc		/proc		proc		nosuid,noexec,nodev		0	0
+sysfs		/sys		sysfs		nosuid,noexec,nodev		0	0
+devpts		/dev/pts	devpts		gid=5,mode=620			0	0
+tmpfs		/run		tmpfs		nodev,nosuid,size=500M,mode=755	0	0
+devtmpfs	/dev		devtmpfs	mode=0755,nosuid		0	0
+# End /etc/fstab
+EOF
+}
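Review bot: `/var` is the one persistent, writable partition that sits outside the dm-verity tree, yet its fstab entry mounts it with `defaults`; `nosuid,nodev` (already applied to `/run`, `/proc` and `/sys` in the same table) would keep a setuid binary or device node written into the unverified partition from being usable, at no cost for a data partition. `IMAGE_INSTALL_remove += "..."` works, but `_remove` is conventionally assigned with `=`. The dependency shape is sound and deserves a comment on the `do_wic_image[depends]` line: the initramfs recipe depends on this image's `do_verity_image`, and this image's `do_wic_image` depends on the initramfs, which is not a cycle because verity runs before wic.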
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount  || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
+
+[Install]
+WantedBy=local-fs.target
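Review bot: `mode=755` on `/tmp` makes it writable by root only, so unprivileged users and services that expect the conventional `1777` (world-writable with the sticky bit) will fail, and the sticky bit is what stops one user from removing another's files. `Options=nodev,nosuid,size=500M,mode=1777` matches the `/run` hardening in the fstab while keeping /tmp usable; `noexec` can be added if nothing on the image runs scripts from /tmp.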
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+           file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+    install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-read-only.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024  --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
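Review bot: `rw` in `--append` contradicts the read-only root: the rootfs is a squashfs on a dm-verity device, so `rw` only makes the initramfs attempt a writable mount that can succeed only read-only, and the fstab in cip-core-image-read-only.bb already says `ro`; use `ro` on the command line. The two rawcopy rootfs partitions are `--fixed-size 1G` with nothing stating that the verity image (squashfs data plus the appended hash tree) must fit; a comment with that constraint helps anyone who later changes `VERITY_HASH_BLOCK_SIZE` or the image content. `earlyprintk` is debug output that is fine for an RFC but should not ship in a production command line.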
-- 
2.30.2




* [cip-dev][isar-cip-core][RFC 6/8] Create systemd mount units for an etc overlay
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As /etc is read-only and needs to be accessed by the initrd,
move the user-defined settings to an overlay in /var/local/etc.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../etc-overlay-fs/etc-overlay-fs_0.1.bb         | 16 ++++++++++++++++
 .../etc-overlay-fs/files/etc-hostname.service    | 14 ++++++++++++++
 .../etc-overlay-fs/files/etc-sysusers.service    | 14 ++++++++++++++
 recipes-core/etc-overlay-fs/files/etc.mount      | 13 +++++++++++++
 .../files/overlay-parse-etc.service              | 12 ++++++++++++
 recipes-core/etc-overlay-fs/files/postinst       |  6 ++++++
 recipes-core/images/cip-core-image-read-only.bb  |  1 +
 7 files changed, 76 insertions(+)
 create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
 create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
 create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
 create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
 create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
 create mode 100755 recipes-core/etc-overlay-fs/files/postinst

diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..f1c8349
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,16 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+           file://etc.mount \
+           file://overlay-parse-etc.service \
+           file://etc-hostname.service \
+           file://etc-sysusers.service"
+
+do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic"
+do_install() {
+    TARGET=${D}/lib/systemd/system
+    install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+    install -m 0644 ${WORKDIR}/overlay-parse-etc.service  ${TARGET}/overlay-parse-etc.service
+    install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+    install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service
+}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
new file mode 100644
index 0000000..6caf6b0
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=make systemd-sysusers /etc overlay aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/systemd-sysusers
+
+[Install]
+WantedBy=basic.target
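Review bot: `Before=network-pre.target` and `Wants=network-pre.target` look copied from etc-hostname.service; systemd-sysusers has nothing to do with network setup, so drop the pair. Also state how this interacts with the stock systemd-sysusers.service, which (if enabled) runs early against the still read-only lower /etc: either mask it or document that the second run is intentional, since accounts created here exist only in the /var overlay.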
diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
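Review bot: `upperdir=/var/local/etc` lives on the writable, unverified /var partition, so any file under /etc (shadow, sudoers, sshd host keys, fstab) can be replaced by writing to /var/local/etc; dm-verity then only vouches for the lower layer. That should be stated in the threat model, /var should be mounted at least `nosuid,nodev`, and /var/local/etc should stay root-only. Separately, `noauto` and `x-systemd.automount` are fstab keywords; in a mount unit's Options= they are just passed to mount(8), which ignores unknown `x-*` options, so either add an etc.automount unit or drop them. `Requires=var.mount` also presumes a var.mount unit exists; nothing visible in this series ships one (home-fs does for /home), and since the root is written with rawcopy wic cannot inject an fstab entry into it, so make sure one is provided.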
diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
new file mode 100644
index 0000000..062bb40
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Reload Configuration from the etc overlay
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=!/bin/systemctl daemon-reload
+ExecStart=!/bin/systemctl --no-block isolate multi-user.target
+[Install]
+WantedBy=local-fs.target
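Review bot: the `!` prefix only changes anything when User= or DynamicUser= is set, which this unit does not do, so it is a no-op here. More importantly, `systemctl isolate multi-user.target` from a unit wanted by local-fs.target stops every unit outside multi-user.target's transaction while the boot transaction is still in flight, and a `daemon-reload` mid-boot re-queues jobs; both are fragile. Units that must see the overlaid /etc should order `After=etc.mount`, as etc-hostname.service and etc-sysusers.service already do. A blank line before `[Install]` would match the other units.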
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..35641af
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount  || true
+deb-systemd-helper enable overlay-parse-etc.service || true
+deb-systemd-helper enable etc-hostname.service || true
+deb-systemd-helper enable etc-sysusers.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 24ace3c..6e2a40a 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -6,6 +6,7 @@ do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
 
 SQUASHFS_EXCLUDE_DIRS += "home var"
 
+IMAGE_INSTALL += "etc-overlay-fs"
 IMAGE_INSTALL += "tmp-fs"
 IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
 
-- 
2.30.2



^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [cip-dev][isar-cip-core][RFC 7/8] Mount writable home partition
  2021-11-12 11:50 [cip-dev][isar-cip-core][RFC 0/8] Read-only root file system with dm-verity Q. Gylstorff
                   ` (6 preceding siblings ...)
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 6/8] Create systemd mount units for a etc overlay Q. Gylstorff
@ 2021-11-12 11:50 ` Q. Gylstorff
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 8/8] swupdate: Backport patches from SWUpdate Master Q. Gylstorff
  8 siblings, 0 replies; 17+ messages in thread
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add an example of how to add a writable home partition.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/home-fs/files/home.mount           | 11 +++++++++++
 recipes-core/home-fs/files/postinst             |  3 +++
 recipes-core/home-fs/home-fs_0.1.bb             | 10 ++++++++++
 recipes-core/images/cip-core-image-read-only.bb |  1 +
 wic/qemu-amd64-read-only.wks.in                 |  2 ++
 5 files changed, 27 insertions(+)
 create mode 100644 recipes-core/home-fs/files/home.mount
 create mode 100755 recipes-core/home-fs/files/postinst
 create mode 100644 recipes-core/home-fs/home-fs_0.1.bb

diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount
new file mode 100644
index 0000000..31272a0
--- /dev/null
+++ b/recipes-core/home-fs/files/home.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Mount /home partition
+
+[Mount]
+What=/dev/disk/by-partlabel/home
+Where=/home
+Type=auto
+Options=defaults
+
+[Install]
+WantedBy=local-fs.target
\ No newline at end of file
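Review bot: /home is the one partition users write to, so mount it `nosuid,nodev` (and `noexec` where the product allows) rather than `defaults`; with a verity-protected root this is the obvious place to drop a setuid binary. The file also lacks its trailing newline.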
diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst
new file mode 100755
index 0000000..f6184d6
--- /dev/null
+++ b/recipes-core/home-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable home.mount  || true
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb
new file mode 100644
index 0000000..c2b31c1
--- /dev/null
+++ b/recipes-core/home-fs/home-fs_0.1.bb
@@ -0,0 +1,10 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+           file://home.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+    install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount
+
+}
\ No newline at end of file
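Review bot: missing trailing newline and a stray blank line inside do_install(); otherwise this mirrors tmp-fs and etc-overlay-fs.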
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 6e2a40a..4853571 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -7,6 +7,7 @@ do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
 SQUASHFS_EXCLUDE_DIRS += "home var"
 
 IMAGE_INSTALL += "etc-overlay-fs"
+IMAGE_INSTALL += "home-fs"
 IMAGE_INSTALL += "tmp-fs"
 IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
 
diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in
index c4ea0c8..81fd4fe 100644
--- a/wic/qemu-amd64-read-only.wks.in
+++ b/wic/qemu-amd64-read-only.wks.in
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
 part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
 part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
 
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024  --size 1G
 part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024  --size 2G
 
 bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
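Review bot: giving the partition a mount point (`part /home`) lets wic emit an fstab entry for it when fstab updating is enabled, and the resulting generator-created home.mount would take precedence over the packaged one; pick one mechanism for both /home and /var (either wic's fstab handling or the shipped units with no mount point on the `part` line). Also note in a comment that `--label home` is what makes `/dev/disk/by-partlabel/home` in home.mount resolve: wic uses the label as the GPT partition name when `--part-name` is not given, but readers will expect `--label` to be the filesystem label.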
-- 
2.30.2



^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [cip-dev][isar-cip-core][RFC 8/8] swupdate: Backport patches from SWUpdate Master
  2021-11-12 11:50 [cip-dev][isar-cip-core][RFC 0/8] Read-only root file system with dm-verity Q. Gylstorff
                   ` (7 preceding siblings ...)
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 7/8] Mount writable home partition Q. Gylstorff
@ 2021-11-12 11:50 ` Q. Gylstorff
  8 siblings, 0 replies; 17+ messages in thread
From: Q. Gylstorff @ 2021-11-12 11:50 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../0001-add-patches-for-dm-verity.patch      | 188 ++++++++++++++++++
 .../swupdate/swupdate_2021.04-1+debian-gbp.bb |   5 +
 2 files changed, 193 insertions(+)
 create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch

diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..f143207
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
@@ -0,0 +1,188 @@
+From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] add patches for dm-verity
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
+ debian/patches/series                         |  2 +
+ 3 files changed, 153 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..5db0e61
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,68 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@siemens.com>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@siemens.com>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ 	return NULL;
++ }
++ 
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++	char *mnt_point, *device = NULL;
+++	FILE *fp = fopen("/proc/self/mountinfo", "r");
+++	while (fp && !feof(fp)){
+++		/* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++		if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++			   &mnt_point, &device) == 2) {
+++			if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++				free(mnt_point);
+++				break;
+++			}
+++			free(mnt_point);
+++			free(device);
+++		}
+++		device = NULL;
+++	}
+++	(void)fclose(fp);
+++	return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
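Review bot: the fscanf() format assumes there are no optional fields between the mount options and the `-` separator, but mountinfo lines on a systemd system normally carry e.g. `shared:1` there; on such a line `%*[-]` fails, fscanf() returns 1, `mnt_point` is leaked (only the `== 2` branch frees it) and the stream is left mid-line, so later iterations parse from the wrong offset. Read with getline() and split each line at the `-` token instead, and free `mnt_point` on every path. Also `(void)fclose(fp)` runs even when fopen() failed and `fp` is NULL, which is undefined behaviour; return NULL early in that case.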
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ 	root = get_root_from_partitions();
++ 	if (!root)
++ 		root = get_root_from_cmdline();
+++	if (!root)
+++		root = get_root_from_mountinfo();
++ 
++ 	return root;
++ }
++-- 
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..a62d59c
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,83 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@denx.de>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@denx.de>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++ 
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++  * This returns the device name where rootfs is mounted
++  */
+++
+++static int filter_slave(const struct dirent *ent) {
+++	return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ 	struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ 	char *devname = NULL;
++ 	unsigned long major, minor, nblocks;
++ 	char buf[256];
++-	int ret;
+++	int ret, dev_major, dev_minor, n;
+++	struct dirent **devlist = NULL;
++ 
++ 	if (stat("/", &info) < 0)
++ 		return NULL;
++ 
+++	dev_major = info.st_dev / 256;
+++	dev_minor = info.st_dev % 256;
+++
+++	/*
+++	 * Check if this is just a container, for example in case of LUKS
+++	 * Search if the device has slaves pointing to another device
+++	 */
+++	snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++	n = scandir(buf, &devlist, filter_slave, NULL);
+++	if (n == 1) {
+++		devname = strdup(devlist[0]->d_name);
+++		free(devlist);
+++		return devname;
+++	}
+++	free(devlist);
+++
++ 	fp = fopen("/proc/partitions", "r");
++ 	if (!fp)
++ 		return NULL;
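Review bot: scandir() allocates each returned dirent, but only the array is freed, so the entries leak on both the `n == 1` path and the fall-through; free every `devlist[i]` first. The lookup also stops after a single layer and silently falls back to /proc/partitions when a device has more than one slave, which is a normal shape for LVM or stacked dm, so that case deserves at least a debug message. Finally `st_dev / 256` and `% 256` are only right while major and minor both fit in 8 bits; use major() and minor() from <sys/sysmacros.h>, which also fixes the comparison below that now reuses dev_major/dev_minor.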
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ 			     &major, &minor, &nblocks, &devname);
++ 		if (ret != 4)
++ 			continue;
++-		if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++		if ((major == dev_major) && (minor == dev_minor)) {
++ 			fclose(fp);
++ 			return devname;
++ 		}
++-- 
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
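Review bot: the series applies 0002 before 0001, although 0002's index line (`51a16b6..3b81c09`) is the tree 0001 produces, so 0001 is now applied at an offset; list the two in numeric order so both apply exactly.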
+-- 
+2.30.2
+
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..90854a4 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
             file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
             file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"
 
+# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
+SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
 # deactivate signing and encryption for simple a/b rootfs update
 SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
 
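Review bot: the comment says the patch can go away with SWUpdate 2021.10, but the release following 2021.04 is 2021.11, which is where these June 2021 commits land; fix the version so the removal reminder is actionable. The `# end patching for dm-verity based images` line adds nothing for a single SRC_URI append and can go.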
-- 
2.30.2



^ permalink raw reply related	[flat|nested] 17+ messages in thread
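
An added example, not SWUpdate code and not part of this series, for the mountinfo parsing the first backported patch above does with a single fscanf(): a line-oriented parser that splits each mountinfo line at the `-` separator instead of assuming a fixed field count, decodes the `\040`-style escapes the kernel uses in paths, and frees the mount point on every path. The `mi_*` names, the 4096-byte line limit and the sample mountinfo text are constructed for this example.

```c
/* Added example, not SWUpdate code: a line-oriented parser for the
 * /proc/self/mountinfo format that get_root_from_mountinfo() reads with one
 * fscanf(). All mi_* names and the sample text below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MI_LINE_MAX 4096                 /* real mountinfo lines are far shorter */
#define MI_MAX_FIELDS 32
#define MI_OCT(c) ((c) >= '0' && (c) <= '7')

static char *mi_dup(const char *s) { size_t n = strlen(s) + 1; char *d = malloc(n); return d ? memcpy(d, s, n) : NULL; }

/* Decode the \ooo escapes (\040 = space, \011 = tab, \134 = backslash) in place. */
static void mi_unescape(char *s)
{
    char *w = s;
    for (const char *r = s; *r; ) {
        if (r[0] == '\\' && MI_OCT(r[1]) && MI_OCT(r[2]) && MI_OCT(r[3])) {
            *w++ = (char)(((r[1] - '0') << 6) | ((r[2] - '0') << 3) | (r[3] - '0'));
            r += 4;
        } else
            *w++ = *r++;
    }
    *w = '\0';
}

/* Line: id parent maj:min root mount_point options [optional...] - fstype source super_opts
 * Returns 1 with malloc'd, unescaped *mnt_point and *source (caller frees), 0 if malformed. */
static int mi_parse_line(const char *line, char **mnt_point, char **source)
{
    char *copy = mi_dup(line), *fields[MI_MAX_FIELDS];
    int n = 0, sep = -1;
    if (!copy)
        return 0;
    for (char *tok = strtok(copy, " \t\n"); tok && n < MI_MAX_FIELDS; tok = strtok(NULL, " \t\n"))
        fields[n++] = tok;
    for (int i = 6; i < n && sep < 0; i++)      /* "-" follows zero or more optional fields */
        if (strcmp(fields[i], "-") == 0)
            sep = i;
    if (n < 6 || sep < 0 || sep + 2 >= n) { free(copy); return 0; }
    *mnt_point = mi_dup(fields[4]);
    *source = mi_dup(fields[sep + 2]);
    free(copy);
    if (!*mnt_point || !*source) { free(*mnt_point); free(*source); return 0; }
    mi_unescape(*mnt_point);
    mi_unescape(*source);
    return 1;
}

/* If line is the "/" mount with a real backing source, hand that source to *out. */
static void mi_take_root(const char *line, char **out)
{
    char *mnt = NULL, *src = NULL;
    if (!mi_parse_line(line, &mnt, &src))
        return;
    if (strcmp(mnt, "/") == 0 && strcmp(src, "none") != 0)
        *out = src, src = NULL;
    free(mnt);
    free(src);
}

/* Root source from mountinfo-formatted text; NULL if no "/" entry qualifies. */
static char *mi_root_source_from_text(const char *text)
{
    char buf[MI_LINE_MAX], *result = NULL;
    for (const char *p = text; *p && !result; ) {
        size_t len = strcspn(p, "\n");
        if (len < sizeof buf) {
            memcpy(buf, p, len);
            buf[len] = '\0';
            mi_take_root(buf, &result);
        }
        p += len + (p[len] == '\n');
    }
    return result;
}

/* Constructed sample: a "none"-backed pseudo root (skipped), a systemd-style root
 * with a shared:N optional field, and an escaped space in a mount point. */
static const char mi_sample[] =
    "20 1 0:20 / / rw - rootfs none rw\n"
    "26 1 0:22 / / ro,relatime shared:1 - squashfs /dev/mapper/verityroot ro\n"
    "41 26 0:35 / /mnt/usb\\040stick rw,relatime shared:12 master:1 - vfat /dev/sdb1 rw\n";

int main(void)
{
    char *dev = mi_root_source_from_text(mi_sample);
    printf("root source: %s\n", dev ? dev : "(none)");
    free(dev);
    return 0;
}
```

To read the real file, run `mi_take_root()` over `fgets()` lines from `/proc/self/mountinfo`, checking the `fopen()` result before the loop so that `fclose()` is never reached with a NULL stream; `mi_root_source_from_text()` is the same loop over an in-memory buffer so the example runs without the proc file.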

* Re: [cip-dev] [PATCH] recipes-core/swupdate: Update the SRC_URI and SWUPDATE_BUILD_PROFILES append for buster
  2021-11-12 11:50 ` [PATCH] recipes-core/swupdate: Update the SRC_URI and SWUPDATE_BUILD_PROFILES append for buster Q. Gylstorff
@ 2021-11-12 11:58   ` Gylstorff Quirin
  0 siblings, 0 replies; 17+ messages in thread
From: Gylstorff Quirin @ 2021-11-12 11:58 UTC (permalink / raw)
  To: cip-dev, jan.kiszka

This should not have been sent.

Drop.

On 11/12/21 12:50 PM, Quirin Gylstorff via lists.cip-project.org wrote:
> From: Srinuvasan A <srinuvasan_a@mentor.com>
> 
> When we build the swupdate Debian package for buster, some build
> dependency packages are not available in the stable buster repo, hence we created a
> patch in cip-core upstream for the buster build. There we hardcoded the distro
> for the buster build, hence it builds fine in cip-core but not in the downstream layer;
> added the OVERRIDES for BASE_DISTRO_CODENAME to select the particular base distro.
> 
> Signed-off-by: Srinuvasan A <srinuvasan_a@mentor.com>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>   recipes-core/swupdate/swupdate.inc                     | 2 ++
>   recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb | 8 ++++----
>   2 files changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/recipes-core/swupdate/swupdate.inc b/recipes-core/swupdate/swupdate.inc
> index a469587..191aa2b 100644
> --- a/recipes-core/swupdate/swupdate.inc
> +++ b/recipes-core/swupdate/swupdate.inc
> @@ -13,6 +13,8 @@ HOMEPAGE= "https://github.com/sbabic/swupdate"
>   LICENSE = "GPL-2.0"
>   LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
>   
> +OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
> +
>   def get_bootloader_build_profile(d):
>       bootloader = d.getVar("SWUPDATE_BOOTLOADER") or ""
>       if bootloader == "efibootguard":
> diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
> index a451b55..e62230f 100644
> --- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
> +++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
> @@ -35,14 +35,14 @@ SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
>   # SWUPDATE_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
>   
>   # modify for debian buster build
> -SRC_URI_append_cip-core-buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
> +SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
>   
>   # disable documentation due to missing packages in debian buster
>   # disable create filesystem due to missing symbols in debian buster
>   # disable webserver due to missing symbols in debian buster
> -SWUPDATE_BUILD_PROFILES_append_cip-core-buster = " nodoc \
> -                                                   pkg.swupdate.nocreatefs \
> -                                                   pkg.swupdate.nowebserver "
> +SWUPDATE_BUILD_PROFILES_append_buster = " nodoc \
> +                                          pkg.swupdate.nocreatefs \
> +                                          pkg.swupdate.nowebserver "
>   # In debian buster the git-compression defaults to gz and does not detect other
>   # compression formats.
>   GBP_EXTRA_OPTIONS += "--git-compression=xz"
> 
> 
> 

-- 
With best regards,
Quirin Gylstorff

Siemens AG
Technology
Research in Digitalization and Automation
Smart Embedded Systems
T RDA IOT SES-DE
Otto-Hahn-Ring 6
81739 Muenchen, Germany
quirin.gylstorff@siemens.com





^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [cip-dev][isar-cip-core][RFC 1/8] Add new class to create a squashfs based root file system
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 1/8] Add new class to create a squashfs based root file system Q. Gylstorff
@ 2021-11-12 12:41   ` Jan Kiszka
  0 siblings, 0 replies; 17+ messages in thread
From: Jan Kiszka @ 2021-11-12 12:41 UTC (permalink / raw)
  To: Q. Gylstorff, cip-dev

On 12.11.21 12:50, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This file system is read-only and uses a reduced image size.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  classes/squashfs-img.bbclass | 42 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 42 insertions(+)
>  create mode 100644 classes/squashfs-img.bbclass
> 
> diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
> new file mode 100644
> index 0000000..f827e8c
> --- /dev/null
> +++ b/classes/squashfs-img.bbclass
> @@ -0,0 +1,42 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2021
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
> +
> +IMAGER_INSTALL += "squashfs-tools"
> +
> +SQUASHFS_EXCLUDE_DIRS ?= ""
> +SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
> +SQUASHFS_CREATION_ARGS ?= " "

Blank line after this.

> +# Generate squashfs filesystem image

I don't think the anonymous function does that...

> +python __anonymous() {
> +    exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
> +    if len(exclude_directories) == 0:
> +        return
> +    args=d.getVar('SQUASHFS_CREATION_ARGS')
> +    args+=" -wildcards"
> +    # use wildcard to exclude only content of the the directory
> +    # this allows to use the directory as a mount point
> +    for dir in exclude_directories:
> +        args+=" -e {dir}/* ".format(dir=dir)
> +    d.setVar('SQUASHFS_CREATION_ARGS', args)

How about d.appendVar?

And Python style for python functions, please.

> +}
> +
> +do_squashfs_image() {
> +    rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
> +
> +    image_do_mounts
> +
> +    sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs  \
> +        "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
> +        ${SQUASHFS_CREATION_ARGS}
> +}
> +addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
> 
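Review bot: the `addtask` line orders do_squashfs_image after a `do_excl_directories` task that this class does not define; if it comes from another class, name that dependency in a comment (or make the ordering conditional on the task existing), otherwise the reference silently points at nothing. Also `SQUASHFS_CREATION_ARGS ?= " "` followed by manual string concatenation in the anonymous function is what `d.appendVar()` is for, as noted above.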

This should also qualify as a generic Isar class. It can start here, though.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [cip-dev][isar-cip-core][RFC 3/8] linux-cip-common: Add options necessary for dm-verity
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 3/8] linux-cip-common: Add options necessary for dm-verity Q. Gylstorff
@ 2021-11-12 12:46   ` Jan Kiszka
  2021-11-16 10:43     ` Gylstorff Quirin
  0 siblings, 1 reply; 17+ messages in thread
From: Jan Kiszka @ 2021-11-12 12:46 UTC (permalink / raw)
  To: Q. Gylstorff, cip-dev

On 12.11.21 12:50, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> The CIP kernel config does not contain support for dm-verity and
> squashfs. OverlayFS support is added for the etc overlay.
> 

This should be quickly addressed by expanding the configs of all boards
we want to enable this way. Start with QEMU and the IPCs. Otherwise, we
risk ignoring this subsystem w.r.t. CVEs.

> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  recipes-kernel/linux/files/verity.cfg     | 5 +++++
>  recipes-kernel/linux/linux-cip-common.inc | 6 ++++++
>  2 files changed, 11 insertions(+)
>  create mode 100644 recipes-kernel/linux/files/verity.cfg
> 
> diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
> new file mode 100644
> index 0000000..35d8208
> --- /dev/null
> +++ b/recipes-kernel/linux/files/verity.cfg
> @@ -0,0 +1,5 @@
> +CONFIG_BLK_DEV_DM=y
> +CONFIG_DM_VERITY=y
> +CONFIG_DM_CRYPT=y
> +CONFIG_SQUASHFS=y
> +CONFIG_OVERLAY_FS=y
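Review bot: CONFIG_DM_CRYPT=y is not used anywhere in this series (the initramfs only opens a dm-verity target), so either drop it or say in the commit message what it is for. With everything built in rather than modular, the `manual_add_modules dm_mod`/`dm_verity` calls in the initramfs hook become no-ops; that is fine but worth a comment there.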
> diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
> index 1afec88..0792371 100644
> --- a/recipes-kernel/linux/linux-cip-common.inc
> +++ b/recipes-kernel/linux/linux-cip-common.inc
> @@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
>  SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
>  
>  S = "${WORKDIR}/linux-cip-v${PV}"
> +
> +SRC_URI += "file://verity.cfg"
> +
> +do_prepare_build_prepend() {
> +    cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}
> +}
> 
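Review bot: appending verity.cfg unconditionally changes the kernel of every board and every image, not just the verity ones, and because it runs in a do_prepare_build prepend the append can accumulate on reruns; gate it on the option that selects the verity rootfs and, where the Isar version in use supports it, prefer KERNEL_CONFIG_FRAGMENTS over `cat >>` so conflicting symbols are merged by merge_config.sh rather than by last-assignment-wins.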

This should be appended conditionally, when building a secure image, I
would say.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [cip-dev][isar-cip-core][RFC 4/8] Create a initrd with support for dm-verity
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 4/8] Create a initrd with support " Q. Gylstorff
@ 2021-11-12 12:47   ` Jan Kiszka
       [not found]   ` <39f049c6-510a-5ac4-6e73-8a865e95405e@siemens.com>
  1 sibling, 0 replies; 17+ messages in thread
From: Jan Kiszka @ 2021-11-12 12:47 UTC (permalink / raw)
  To: Q. Gylstorff, cip-dev

On 12.11.21 12:50, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Adapt the initrd to open a dm-verity partition with a fixed
> root hash.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../cip-core-initramfs/cip-core-initramfs.bb  | 16 +++++
>  .../files/verity.conf-hook                    |  1 +
>  .../initramfs-verity-hook/files/verity.hook   | 23 +++++++
>  .../initramfs-verity-hook/files/verity.script | 68 +++++++++++++++++++
>  .../initramfs-verity-hook_0.1.bb              | 39 +++++++++++
>  5 files changed, 147 insertions(+)
>  create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
>  create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
>  create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
>  create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script
>  create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
> 
> diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
> new file mode 100644
> index 0000000..825fb9f
> --- /dev/null
> +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
> @@ -0,0 +1,16 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2021
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit initramfs
> +
> +INITRAMFS_INSTALL += " \
> +    initramfs-verity-hook \
> +    "
> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
> new file mode 100644
> index 0000000..9b61fb8
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
> @@ -0,0 +1 @@
> +BUSYBOX=y
> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
> new file mode 100644
> index 0000000..5eada8a
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
> @@ -0,0 +1,23 @@
> +#!/bin/sh
> +PREREQ=""
> +prereqs()
> +{
> +    echo "$PREREQ"
> +}
> +case $1 in
> +prereqs)
> +    prereqs
> +    exit 0
> +    ;;
> +esac
> +
> +. /usr/share/initramfs-tools/hook-functions
> +# Begin real processing below this line
> +
> +manual_add_modules dm_mod
> +manual_add_modules dm_verity
> +
> +copy_exec /sbin/veritysetup
> +copy_exec /sbin/dmsetup
> +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
> +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
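Review bot: verity.env, and with it ROOT_HASH, is copied into the initramfs, so the initramfs is the trust anchor for the root filesystem; that only holds because the initrd is part of the signed unified kernel image (`unified-kernel=y,signwith=...` in the wks). Spell that out in the recipe so nobody later ships the initrd unsigned or regenerates it on the target. `copy_file library` for a plain data file is also misleading; the type argument is free text used only in verbose output, so `copy_file config` reads better.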
> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script b/recipes-initramfs/initramfs-verity-hook/files/verity.script
> new file mode 100644
> index 0000000..a66b557
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script
> @@ -0,0 +1,68 @@
> +#!/bin/sh
> +prereqs()
> +{
> +    # Make sure that this script is run last in local-top
> +    local req
> +    for req in "${0%/*}"/*; do
> +        script="${req##*/}"
> +        if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
> +            printf '%s\n' "$script"
> +        fi
> +    done
> +}
> +case $1 in
> +prereqs)
> +    prereqs
> +    exit 0
> +    ;;
> +esac
> +
> +. /scripts/functions
> +. /lib/cryptsetup/functions
> +. /usr/share/verity-env/verity.env
> +# Even if this script fails horribly, make sure there won't be a chance the
> +# current $ROOT will be attempted.  As this device most likely contains a
> +# perfectly valid filesystem, it would be mounted successfully, leading to a
> +# broken trust chain.
> +echo "ROOT=/dev/null" >/conf/param.conf
> +wait_for_udev 10
> +case "$ROOT" in
> +    PART*)
> +        # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
> +        # partition
> +        ROOT=$(blkid --list-one --output device --match-token "$ROOT")
> +        ;;
> +    "")
> +        # No Root device was given. Use veritysetup verify to search matching roots
> +        partitions=$(blkid -o device)
> +        for part in $partitions; do
> +            if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
> +                if veritysetup verify \
> +                   "$part" "$part" "${ROOT_HASH}" \
> +                   --hash-offset "${HASH_OFFSET}";then
> +                    ROOT="$part"
> +                    break
> +                fi
> +            fi
> +        done
> +        ;;
> +esac
> +set -- "$ROOT" verityroot
> +if ! veritysetup open \
> +     --restart-on-corruption \
> +     --data-block-size "${DATA_BLOCK_SIZE}" \
> +     --hash-block-size "${HASH_BLOCK_SIZE}" \
> +     --data-blocks "${DATA_BLOCKS}" \
> +     --hash-offset "${HASH_OFFSET}" \
> +     --salt "${SALT}" \
> +     "$1" "$2" "$1" "${ROOT_HASH}"; then
> +    panic "Can't open verity rootfs!"
> +fi
> +
> +wait_for_udev 10
> +
> +if ! ROOT="$(dm_blkdevname verityroot)"; then
> +    panic "Can't find the verity root device!"
> +fi
> +
> +echo "ROOT=${ROOT}" >/conf/param.conf
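Review bot: the auto-detect branch (the `""` case) calls `veritysetup verify` with only `--hash-offset`, while the `veritysetup open` below also passes `--data-block-size`, `--hash-block-size`, `--data-blocks` and `--salt`; if the verity image was created without a superblock, verify cannot read those parameters from the device, fails on every candidate partition, and leaves `$ROOT` empty, so the open call then panics without a useful message. Pass the same parameter set to both calls (or rely on the superblock in both). Minor: quote `${part}` in the `blkid -p` call, as `$part` is quoted everywhere else.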
> diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
> new file mode 100644
> index 0000000..e067a22
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
> @@ -0,0 +1,39 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2021
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg-raw
> +
> +SRC_URI += " \
> +    file://verity.conf-hook \
> +    file://verity.hook \
> +    file://verity.script \
> +    "
> +
> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
> +
> +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
> +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.${VERITY_IMAGE_TYPE}.env"

Blank line.

> +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
> +do_install[cleandirs] += " \
> +    ${D}/usr/share/initramfs-tools/hooks \
> +    ${D}/usr/share/verity-env \
> +    ${D}/usr/share/initramfs-tools/scripts/local-top \
> +    ${D}/usr/share/initramfs-tools/conf-hooks.d"

Blank line, to be more readable.

> +do_install() {
> +    # Insert the veritysetup commandline into the script
> +    if [ -f "${VERITY_ENV_FILE}" ]; then
> +        install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
> +        install -m 0755 "${WORKDIR}/verity.script" \
> +            "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
> +    fi
> +    install -m 0755 "${WORKDIR}/verity.hook" \
> +        "${D}/usr/share/initramfs-tools/hooks/verity"
> +}
> 
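Review bot: `if [ -f "${VERITY_ENV_FILE}" ]` in do_install silently skips installing both verity.env and the local-top script when the env file is absent, so the resulting initramfs would boot the rootfs with no verity check and the build would still succeed. Since do_install already depends on `${VERITY_IMAGE_RECIPE}:do_verity_image`, a missing env file is a build bug; fail with `bbfatal` in the else branch rather than degrade quietly.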

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux



* Re: [cip-dev][isar-cip-core][RFC 5/8] Create an read-only rootfs with dm-verity
  2021-11-12 11:50 ` [cip-dev][isar-cip-core][RFC 5/8] Create an read-only rootfs with dm-verity Q. Gylstorff
@ 2021-11-12 12:53   ` Jan Kiszka
From: Jan Kiszka @ 2021-11-12 12:53 UTC (permalink / raw)
  To: Q. Gylstorff, cip-dev

On 12.11.21 12:50, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This root file system supports SWUpdate and secure boot.
> We need a writable /tmp and /var for a boot without error messages.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  classes/wic-verity-img.bbclass                |  8 ++++-
>  kas/opt/verity.yml                            | 34 +++++++++++++++++++
>  .../images/cip-core-image-read-only.bb        | 24 +++++++++++++
>  recipes-core/tmp-fs/files/postinst            |  3 ++
>  recipes-core/tmp-fs/files/tmp.mount           | 11 ++++++
>  recipes-core/tmp-fs/tmp-fs_0.1.bb             |  9 +++++
>  wic/qemu-amd64-read-only.wks.in               | 13 +++++++
>  7 files changed, 101 insertions(+), 1 deletion(-)
>  create mode 100644 kas/opt/verity.yml
>  create mode 100644 recipes-core/images/cip-core-image-read-only.bb
>  create mode 100755 recipes-core/tmp-fs/files/postinst
>  create mode 100644 recipes-core/tmp-fs/files/tmp.mount
>  create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
>  create mode 100644 wic/qemu-amd64-read-only.wks.in
> 
> diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass
> index e185cf8..9b8a79e 100644
> --- a/classes/wic-verity-img.bbclass
> +++ b/classes/wic-verity-img.bbclass
> @@ -12,6 +12,12 @@
>  inherit squashfs-img
>  inherit verity-img
>  inherit wic-img
> +inherit extract-partition
> +inherit swupdate-img
>  

Is that still a "wic-verity-img" class then? Or rather a
secure-swupdate-img class, now with persistency?

> -addtask verity_image after do_squashfs_image
> +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
> +
> +addtask do_verity_image after do_squashfs_image
>  addtask do_wic_image after do_verity_image
> +addtask do_extract_partition after do_wic_image
> +addtask do_swupdate_image after do_extract_partition
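Review bot: the `-addtask verity_image` / `+addtask do_verity_image` change is a consistency fix for the class introduced in 2/8 and is unrelated to the read-only image; fold it into that patch so each commit stands on its own and bisecting the series stays meaningful.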
> diff --git a/kas/opt/verity.yml b/kas/opt/verity.yml
> new file mode 100644
> index 0000000..088f44a
> --- /dev/null
> +++ b/kas/opt/verity.yml
> @@ -0,0 +1,34 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2020
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +# This kas file creates a image with a read-only rootfs
> +# and secure-boot
> +
> +header:
> +  version: 10
> +  includes:
> +   - efibootguard.yml
> +
> +target: cip-core-image-read-only
> +
> +local_conf_header:
> +  verity-img: |
> +    IMAGE_TYPE = "wic-verity-img"
> +    WKS_FILE = "${MACHINE}-read-only.wks.in"
> +    VERITY_IMAGE_TYPE = "squashfs"
> +  swupdate: |
> +    IMAGE_INSTALL_append = " swupdate"
> +    IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
> +    SWU_DESCRIPTION = "secureboot"
> +    SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
> +  secure-boot: |
> +    # Add snakeoil and ovmf binaries for qemu
> +    IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
> +    IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
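Review bot: the copyright header says 2020 while the other new files in this series say 2021, and `# This kas file creates a image` should read `an image`. Both are cosmetic, but the header is copied into every new file, so fix it before the template spreads.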
> diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
> new file mode 100644
> index 0000000..24ace3c
> --- /dev/null
> +++ b/recipes-core/images/cip-core-image-read-only.bb
> @@ -0,0 +1,24 @@
> +require cip-core-image.bb
> +
> +INITRAMFS_RECIPE = "cip-core-initramfs"
> +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
> +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
> +
> +SQUASHFS_EXCLUDE_DIRS += "home var"
> +
> +IMAGE_INSTALL += "tmp-fs"
> +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
> +
> +image_configure_fstab() {
> +    sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
> +# Begin /etc/fstab
> +/dev/root	/		auto		defaults,ro			0	0
> +LABEL=var	/var		auto		defaults			0	0
> +proc		/proc		proc		nosuid,noexec,nodev		0	0
> +sysfs		/sys		sysfs		nosuid,noexec,nodev		0	0
> +devpts		/dev/pts	devpts		gid=5,mode=620			0	0
> +tmpfs		/run		tmpfs		nodev,nosuid,size=500M,mode=755	0	0
> +devtmpfs	/dev		devtmpfs	mode=0755,nosuid		0	0
> +# End /etc/fstab
> +EOF
> +}
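Review bot: `/var` is the only persistent writable filesystem on this image yet is mounted with plain `defaults`, whereas `/run` and `/dev/pts` get `nosuid,nodev`; on a dm-verity root the writable partition is the one place where tampering is still possible, so mount it `nosuid,nodev` (and `noexec` if nothing under /var needs to execute) to keep the read-only-root guarantee meaningful. Also `IMAGE_INSTALL_remove += ...` is unusual; the conventional form for a removal is `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"`.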
> diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
> new file mode 100755
> index 0000000..07017fd
> --- /dev/null
> +++ b/recipes-core/tmp-fs/files/postinst
> @@ -0,0 +1,3 @@
> +#!/bin/sh
> +
> +deb-systemd-helper enable tmp.mount  || true
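Review bot: `|| true` masks a failed `deb-systemd-helper enable`; if tmp.mount is not enabled, /tmp stays on the read-only squashfs and every write there fails at runtime, which is much harder to diagnose than a package configure error. Let the exit status propagate (the script runs without `set -e`, so either add it or drop the `|| true`).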
> diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
> new file mode 100644
> index 0000000..7a31ed6
> --- /dev/null
> +++ b/recipes-core/tmp-fs/files/tmp.mount
> @@ -0,0 +1,11 @@
> +[Unit]
> +Description=Create /tmp
> +
> +[Mount]
> +What=tmpfs
> +Where=/tmp
> +Type=tmpfs
> +Options=nodev,nosuid,size=500M,mode=755
> +
> +[Install]
> +WantedBy=local-fs.target
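Review bot: `Options=nodev,nosuid,size=500M,mode=755` makes /tmp writable only by root; /tmp is expected to be world-writable with the sticky bit (`mode=1777`) so that unprivileged services and users can create temporary files but cannot remove each other's. Debian's systemd package already ships a tmp.mount under /usr/share/systemd/ with `mode=1777,strictatime`; enabling that unit may replace this recipe altogether.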
> diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
> new file mode 100644
> index 0000000..4e0c467
> --- /dev/null
> +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
> @@ -0,0 +1,9 @@
> +inherit dpkg-raw
> +
> +SRC_URI = "file://postinst \
> +           file://tmp.mount"
> +
> +do_install[cleandirs]+="${D}/lib/systemd/system"
> +do_install() {
> +    install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
> +}
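Review bot: style only, `do_install[cleandirs]+=` is missing the spaces around `+=` used in every other recipe of the series, and the `${WORKDIR}`/`${D}` paths in do_install are unquoted while initramfs-verity-hook_0.1.bb quotes them; align the two recipes.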
> diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in
> new file mode 100644
> index 0000000..c4ea0c8
> --- /dev/null
> +++ b/wic/qemu-amd64-read-only.wks.in
> @@ -0,0 +1,13 @@
> +# EFI partition containing efibootguard bootloader binary
> +part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
> +
> +# EFI Boot Guard environment/config partitions plus Kernel files
> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> +
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
> +
> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024  --size 2G
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
> 
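Review bot: `bootloader --append="... rootwait rw ..."` requests a read-write root while the image's fstab mounts / with `defaults,ro` and the root is a verity-mapped squashfs; use `ro` here so the kernel command line, the initramfs and fstab agree, with writes confined to the separately mounted /var, /tmp and /run. `earlyprintk` is a debugging aid as well and does not belong in a secure-boot production command line.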

Rather than adding yet another wks file, maybe better extend the
existing qemu-amd64-efibootguard-secureboot.wks. I would see dm-verity
as an extension of the secure-swupdate configuration, not as a variant
or something completely separate.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux



* Re: [cip-dev][isar-cip-core][RFC 4/8] Create a initrd with support for dm-verity
       [not found]   ` <39f049c6-510a-5ac4-6e73-8a865e95405e@siemens.com>
@ 2021-11-15 18:43     ` Gylstorff Quirin
From: Gylstorff Quirin @ 2021-11-15 18:43 UTC (permalink / raw)
  To: Raphael Lisicki, cip-dev, jan.kiszka

Hi,

On 11/15/21 5:58 PM, Raphael Lisicki wrote:
> 
> 
> On 12.11.21 12:50, Q. Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Adapt the initrd to open a dm-verity partition with a fixed
>> root hash.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../cip-core-initramfs/cip-core-initramfs.bb  | 16 +++++
>>   .../files/verity.conf-hook                    |  1 +
>>   .../initramfs-verity-hook/files/verity.hook   | 23 +++++++
>>   .../initramfs-verity-hook/files/verity.script | 68 +++++++++++++++++++
>>   .../initramfs-verity-hook_0.1.bb              | 39 +++++++++++
>>   5 files changed, 147 insertions(+)
>>   create mode 100644 
>> recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
>>   create mode 100644 
>> recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
>>   create mode 100644 
>> recipes-initramfs/initramfs-verity-hook/files/verity.hook
>>   create mode 100644 
>> recipes-initramfs/initramfs-verity-hook/files/verity.script
>>   create mode 100644 
>> recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
>>
>> diff --git 
>> a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb 
>> b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
>> new file mode 100644
>> index 0000000..825fb9f
>> --- /dev/null
>> +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
>> @@ -0,0 +1,16 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2021
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit initramfs
>> +
>> +INITRAMFS_INSTALL += " \
>> +    initramfs-verity-hook \
>> +    "
>> diff --git 
>> a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook 
>> b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
>> new file mode 100644
>> index 0000000..9b61fb8
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
>> @@ -0,0 +1 @@
>> +BUSYBOX=y
>> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook 
>> b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
>> new file mode 100644
>> index 0000000..5eada8a
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
>> @@ -0,0 +1,23 @@
>> +#!/bin/sh
>> +PREREQ=""
>> +prereqs()
>> +{
>> +    echo "$PREREQ"
>> +}
>> +case $1 in
>> +prereqs)
>> +    prereqs
>> +    exit 0
>> +    ;;
>> +esac
>> +
>> +. /usr/share/initramfs-tools/hook-functions
>> +# Begin real processing below this line
>> +
>> +manual_add_modules dm_mod
>> +manual_add_modules dm_verity
>> +
>> +copy_exec /sbin/veritysetup
>> +copy_exec /sbin/dmsetup
>> +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
>> +copy_file library /usr/share/verity-env/verity.env 
>> /usr/share/verity-env/verity.env
>> diff --git 
>> a/recipes-initramfs/initramfs-verity-hook/files/verity.script 
>> b/recipes-initramfs/initramfs-verity-hook/files/verity.script
>> new file mode 100644
>> index 0000000..a66b557
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script
>> @@ -0,0 +1,68 @@
>> +#!/bin/sh
>> +prereqs()
>> +{
>> +    # Make sure that this script is run last in local-top
>> +    local req
>> +    for req in "${0%/*}"/*; do
>> +        script="${req##*/}"
>> +        if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" 
>> ]; then
>> +            printf '%s\n' "$script"
>> +        fi
>> +    done
>> +}
>> +case $1 in
>> +prereqs)
>> +    prereqs
>> +    exit 0
>> +    ;;
>> +esac
>> +
>> +. /scripts/functions
>> +. /lib/cryptsetup/functions
>> +. /usr/share/verity-env/verity.env
>> +# Even if this script fails horribly, make sure there won't be a 
>> chance the
>> +# current $ROOT will be attempted.  As this device most likely 
>> contains a
>> +# perfectly valid filesystem, it would be mounted successfully, 
>> leading to a
>> +# broken trust chain.
>> +echo "ROOT=/dev/null" >/conf/param.conf
>> +wait_for_udev 10
>> +case "$ROOT" in
>> +    PART*)
>> +        # root was given as PARTUUID= or PARTLABEL=. Use blkid to 
>> find the matching
>> +        # partition
>> +        ROOT=$(blkid --list-one --output device --match-token "$ROOT")
>> +        ;;
>> +    "")
>> +        # No Root device was given. Use veritysetup verify to search 
>> matching roots
>> +        partitions=$(blkid -o device)
>> +        for part in $partitions; do
>> +            if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o 
>> value)" = "filesystem" ]; then
>> +                if veritysetup verify \
>> +                   "$part" "$part" "${ROOT_HASH}" \
>> +                   --hash-offset "${HASH_OFFSET}";then
>> +                    ROOT="$part"
>> +                    break
>> +                fi
>> +            fi
>> +        done
>> +        ;;
>> +esac
>> +set -- "$ROOT" verityroot
>> +if ! veritysetup open \
>> +     --restart-on-corruption \
> 
> Would be great if this was configurable for test-builds, which might 
> need to be modified.
> 

No problem - I will make this configurable during build time in v2.

Quirin
> 
>> +     --data-block-size "${DATA_BLOCK_SIZE}" \
>> +     --hash-block-size "${HASH_BLOCK_SIZE}" \
>> +     --data-blocks "${DATA_BLOCKS}" \
>> +     --hash-offset "${HASH_OFFSET}" \
>> +     --salt "${SALT}" \
>> +     "$1" "$2" "$1" "${ROOT_HASH}"; then
>> +    panic "Can't open verity rootfs!"
>> +fi
>> +
>> +wait_for_udev 10
>> +
>> +if ! ROOT="$(dm_blkdevname verityroot)"; then
>> +    panic "Can't find the verity root device!"
>> +fi
>> +
>> +echo "ROOT=${ROOT}" >/conf/param.conf
>> diff --git 
>> a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb 
>> b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
>> new file mode 100644
>> index 0000000..e067a22
>> --- /dev/null
>> +++ 
>> b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
>> @@ -0,0 +1,39 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2021
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit dpkg-raw
>> +
>> +SRC_URI += " \
>> +    file://verity.conf-hook \
>> +    file://verity.hook \
>> +    file://verity.script \
>> +    "
>> +
>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
>> +
>> +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
>> +VERITY_ENV_FILE = 
>> "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.${VERITY_IMAGE_TYPE}.env" 
>>
>> +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
>> +do_install[cleandirs] += " \
>> +    ${D}/usr/share/initramfs-tools/hooks \
>> +    ${D}/usr/share/verity-env \
>> +    ${D}/usr/share/initramfs-tools/scripts/local-top \
>> +    ${D}/usr/share/initramfs-tools/conf-hooks.d"
>> +do_install() {
>> +    # Insert the veritysetup commandline into the script
>> +    if [ -f "${VERITY_ENV_FILE}" ]; then
>> +        install -m 0600 "${VERITY_ENV_FILE}" 
>> "${D}/usr/share/verity-env/verity.env"
>> +        install -m 0755 "${WORKDIR}/verity.script" \
>> +            "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
>> +    fi
>> +    install -m 0755 "${WORKDIR}/verity.hook" \
>> +        "${D}/usr/share/initramfs-tools/hooks/verity"
>> +}
>>








* Re: [cip-dev][isar-cip-core][RFC 3/8] linux-cip-common: Add options necessary for dm-verity
  2021-11-12 12:46   ` Jan Kiszka
@ 2021-11-16 10:43     ` Gylstorff Quirin
From: Gylstorff Quirin @ 2021-11-16 10:43 UTC (permalink / raw)
  To: Jan Kiszka, cip-dev



On 11/12/21 1:46 PM, Jan Kiszka wrote:
> On 12.11.21 12:50, Q. Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> CIP Kernel Config does not contain support for dm-verity
>> squashfs. Overlay_FS support is added for etc-overlay.
>>
> 
> This should be quickly addressed by expanding the configs of all boards
> we want to enable this way. Start with QEMU and the IPCs. Otherwise, we
> risk ignoring this subsystem wrt CVEs.

I sent a patch series for qemu and ipc to the mailing list.

Quirin
> 
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   recipes-kernel/linux/files/verity.cfg     | 5 +++++
>>   recipes-kernel/linux/linux-cip-common.inc | 6 ++++++
>>   2 files changed, 11 insertions(+)
>>   create mode 100644 recipes-kernel/linux/files/verity.cfg
>>
>> diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
>> new file mode 100644
>> index 0000000..35d8208
>> --- /dev/null
>> +++ b/recipes-kernel/linux/files/verity.cfg
>> @@ -0,0 +1,5 @@
>> +CONFIG_BLK_DEV_DM=y
>> +CONFIG_DM_VERITY=y
>> +CONFIG_DM_CRYPT=y
>> +CONFIG_SQUASHFS=y
>> +CONFIG_OVERLAY_FS=y
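Review bot: `CONFIG_DM_CRYPT=y` is enabled although nothing in this series sets up a dm-crypt mapping (the initramfs hook only loads dm_mod and dm_verity and calls veritysetup); either drop it or say in the commit message why it is needed, since every built-in option here widens the kernel attack surface on all CIP boards.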
>> diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
>> index 1afec88..0792371 100644
>> --- a/recipes-kernel/linux/linux-cip-common.inc
>> +++ b/recipes-kernel/linux/linux-cip-common.inc
>> @@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
>>   SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
>>   
>>   S = "${WORKDIR}/linux-cip-v${PV}"
>> +
>> +SRC_URI += "file://verity.cfg"
>> +
>> +do_prepare_build_prepend() {
>> +    cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}
>> +}
>>
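Review bot: `cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}` appends duplicate CONFIG_ lines and gives no feedback when an option is later dropped for unmet dependencies; where the build flow allows it, the kernel's own `scripts/kconfig/merge_config.sh` applies a fragment the same way but warns when a requested value does not survive in the final .config, which is the check you want for a security-relevant option like CONFIG_DM_VERITY.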
> 
> This should be appended conditionally, when building a secure image, I
> would say.
> 
> Jan
> 



