* [cip-dev][isar-cip-core][RESEND PATCH 1/9] Add new class to create a squashfs based root file system
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This file system is read-only and uses a reduced image size.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/squashfs-img.bbclass | 41 ++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 classes/squashfs-img.bbclass
diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
new file mode 100644
index 0000000..0fcfca5
--- /dev/null
+++ b/classes/squashfs-img.bbclass
@@ -0,0 +1,41 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
+
+IMAGER_INSTALL += "squashfs-tools"
+
+SQUASHFS_EXCLUDE_DIRS ?= ""
+SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
+SQUASHFS_CREATION_ARGS ?= " "
+# Generate squashfs filesystem image
+python __anonymous() {
+ exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
+ if len(exclude_directories) == 0:
+ return
+ # use wildcard to exclude only content of the the directory
+ # this allows to use the directory as a mount point
+ args = " -wildcards"
+ for dir in exclude_directories:
+ args += " -e {dir}/* ".format(dir=dir)
+ d.appendVar('SQUASHFS_CREATION_ARGS', args)
+}
+
+do_squashfs_image() {
+ rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
+
+ image_do_mounts
+
+ sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
+ "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SQUASHFS_CREATION_ARGS}
+}
+addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
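Review bot: mksquashfs appends to an existing output file by default, so the `rm -f` at the top of do_squashfs_image is the only thing preventing a stale image from being extended instead of rebuilt, and it removes the file under `${DEPLOY_DIR_IMAGE}` while mksquashfs writes under `${PP_DEPLOY}` inside the chroot; if those two ever resolve to different places the rm is a no-op and the build silently emits a grown image. Passing the flag explicitly makes the overwrite independent of that coupling: `${SQUASHFS_CREATION_ARGS} -noappend`. The addtask line also orders the task after `do_excl_directories`, which is not defined anywhere in this series as far as I can see; depending on the bitbake version a dependency on a non-existent task is either ignored or a hard error, so either define it or drop it.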
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 2/9] Add verity-img.bbclass for dm-verity based rootfs
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
The output of `veritysetup` is needed to generate the initrd, so
do_verity_image must run before wic generates the final disk image.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 classes/verity-img.bbclass
diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass
new file mode 100644
index 0000000..3c94643
--- /dev/null
+++ b/classes/verity-img.bbclass
@@ -0,0 +1,73 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+IMAGER_INSTALL += "cryptsetup"
+
+VERITY_IMAGE_TYPE ?= "squashfs"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
+VERITY_HASH_BLOCK_SIZE ?= "1024"
+VERITY_DATA_BLOCK_SIZE ?= "1024"
+
+create_verity_env_file() {
+
+ local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
+ rm -f $ENV
+
+ local input="${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ # remove header from verity meta data
+ sed -i '/VERITY header information for/d' $input
+ IFS=":"
+ while read KEY VAL; do
+ printf '%s=%s\n' \
+ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+ "$(echo "$VAL" | tr -d ' \t')" >> $ENV
+ done < $input
+}
+
+verity_setup() {
+ rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+ rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}
+
+ cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+
+ image_do_mounts
+ sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
+ --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
+ --data-blocks "${VERITY_DATA_BLOCKS}" \
+ --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ >"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+
+ echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
+ >>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+}
+
+do_verity_image[cleandirs] = "${WORKDIR}/verity"
+python do_verity_image() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+
+ bb.build.exec_func('verity_setup', d)
+ bb.build.exec_func('create_verity_env_file', d)
+}
+addtask verity_image before do_image after do_image_tools
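Review bot: create_verity_env_file turns every `Key: value` line of the veritysetup output into a shell assignment that the initramfs later sources (`. verity.env` in the local-top script), but it never checks that the keys the boot script needs actually ended up in the file, so a changed output format or a localized veritysetup message is only discovered when the device fails to boot. I would add a hard check after the loop, e.g. `for k in ROOT_HASH SALT DATA_BLOCKS HASH_OFFSET DATA_BLOCK_SIZE HASH_BLOCK_SIZE; do grep -q "^${k}=" "$ENV" || bbfatal "verity env: missing ${k}"; done`, and use `read -r` in the loop. In do_verity_image the size check is a bare `assert`; `bb.fatal("image size is not a multiple of VERITY_DATA_BLOCK_SIZE")` gives a readable error and is not stripped under `python -O`. The hash area is placed at `--hash-offset` equal to the image size, which only guarantees data-block alignment; I believe veritysetup also wants that offset aligned to the hash block size, so the check should take VERITY_HASH_BLOCK_SIZE into account if the two sizes are ever configured differently.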
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 3/9] linux-cip-common: Increase revision kernel config
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add support for verity and overlay fs.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-kernel/linux/linux-cip-common.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..8fa8988 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi
SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
-SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
+SRCREV_cip-kernel-config ?= "4f80764b80a81f9590e927fb202f358465b322a6"
S = "${WORKDIR}/linux-cip-v${PV}"
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 4/9] Create a initrd with support for dm-verity
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Adapt the initrd to open a dm-verity partition with a fixed
root hash.
The initramfs script is based on [1].
[1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 ++++++
.../files/verity.script.tmpl | 70 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
5 files changed, 161 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
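Review bot: The hook does not fail when `/usr/share/verity-env/verity.env` is absent; `copy_file` merely returns non-zero for a missing source and hooks do not run under `set -e`, so mkinitramfs happily produces an initramfs whose local-top script will then fail to source the file at boot. Add an explicit guard before the copy, `[ -f /usr/share/verity-env/verity.env ] || { echo "verity.env missing" >&2; exit 1; }`; recent initramfs-tools abort the build when a hook exits non-zero, which is the behaviour wanted here. For the record, the root hash and salt in that file are not secrets for dm-verity (the integrity presumably comes from the initramfs being part of the signed unified kernel image), so the 0600 mode on the rootfs copy is harmless but not load-bearing; a short comment saying so would stop someone from "fixing" it.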
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..7c75b5b
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,70 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ # If the script cryptroot is installed this script
+ # should be second to last
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ ${VERITY_BEHAVIOR_ON_CORRUPTION} \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs - continuing will lead to a broken trust chain!"
+fi
+
+wait_for_udev 10
+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
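Review bot: The `echo "ROOT=/dev/null" >/conf/param.conf` guard runs only after the three `.` lines, so if `/usr/share/verity-env/verity.env` (or the cryptsetup functions file) is missing from the initramfs the shell exits on the failed source before the guard is written, and the comment's "no chance the current $ROOT will be attempted" no longer holds. Move that echo to directly after the `prereqs` case, before anything is sourced, so every failure path leaves ROOT pointed at /dev/null. Two smaller items: `blkid -p ${part}` should be quoted, and ROOT values other than `PART*` or empty (e.g. `UUID=`/`LABEL=`) fall through the case untouched and reach `veritysetup open` unresolved; either resolve them with the same `blkid --match-token` call or reject them with `panic`. The default `--restart-on-corruption` reboots the device on the first bad block; with EFI Boot Guard counting boot attempts that is presumably the intended fallback to the other slot, but it deserves a comment in the template because a non-A/B deployment would loop forever.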
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..a7fbf5a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script.tmpl \
+ "
+
+VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
+
+TEMPLATE_FILES = "verity.script.tmpl"
+TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
+
+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ else
+ bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
+ fi
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
+
+addtask do_install after do_transform_template
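Review bot: `bberror` on the missing-env-file branch of do_install only logs; the task still succeeds and packages an initramfs hook without `verity.env`, so the breakage surfaces at first boot instead of at build time. Use `bbfatal "Did not find ${VERITY_ENV_FILE}. initramfs will not be built correctly!"` so the recipe fails. The path in `VERITY_ENV_FILE` is hand-assembled from `${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}` and has to stay in sync with how verity-img.bbclass derives `${IMAGE_FULLNAME}.verity.env`; a one-line comment stating that coupling would help whoever renames the image next.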
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 5/9] Create an read-only rootfs with dm-verity
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.
The mount point for /tmp is created during the systemd target
local-fs according to [1].
Until `Remount Root and Kernel File Systems` has run, the /tmp of the initrd
is used.
[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.gitlab-ci.yml | 11 -------
Kconfig | 4 +--
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-snakeoil.yml | 12 ++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++++++++++++++
start-qemu.sh | 4 +++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
12 files changed, 122 insertions(+), 41 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5becd37..d407f0f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -179,17 +179,6 @@ build:qemu-amd64-swupdate:
targz: disable
deploy: disable
-build:qemu-amd64-secure-boot-swu:
- extends:
- - .build_base
- variables:
- target: qemu-amd64
- extention: ebg-snakeoil-swu
- use_rt: disable
- wic_targz: disable
- targz: disable
- deploy: disable
-
# bullseye images
build:simatic-ipc227e-bullseye:
extends:
diff --git a/Kconfig b/Kconfig
index 3b882d6..e5ce257 100644
--- a/Kconfig
+++ b/Kconfig
@@ -136,11 +136,11 @@ config IMAGE_SWUPDATE
config IMAGE_SECURE_BOOT
bool "Secure boot support"
depends on TARGET_QEMU_AMD64
+ select IMAGE_SWUPDATE
config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
endif
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..1cfbacc 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,23 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml
+target: cip-core-image-read-only
local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
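Review bot: `/var` is the only persistent writable filesystem in this patch's disk layout (and the following patch puts the /etc overlay upper on it), yet the fstab line mounts it with plain `defaults`, which permits setuid binaries and device nodes on exactly the partition an attacker with write access would target. Since the point of the verity root is that code on it cannot be altered, the writable partition should at least carry `LABEL=var /var auto defaults,nosuid,nodev 0 0`. Minor: `IMAGE_INSTALL_remove += "..."` works, but `_remove` is conventionally written with a plain `=`; the `+=` reads like a list append and is easy to misread.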
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount.tmpl b/recipes-core/tmp-fs/files/tmp.mount.tmpl
new file mode 100644
index 0000000..fcb2f3e
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount.tmpl
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=${TMP_OPTIONS}
+
+[Install]
+WantedBy=local-fs.target
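Review bot: The placeholder in this template is `${TMP_OPTIONS}`, but the recipe in this same patch lists `TMP_FS_OPTIONS` in TEMPLATE_VARS, so the substitution never matches and the shipped unit carries the literal text `Options=${TMP_OPTIONS}`. Rename the placeholder to `Options=${TMP_FS_OPTIONS}` (or change TEMPLATE_VARS) so the two agree. A `Before=local-fs.target` in [Unit] would also make the ordering explicit rather than relying on the default for local-fs.target dependents.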
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..3ec20c7
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount.tmpl"
+
+TMP_FS_SIZE ?= "500M"
+TMP_FS_MODE ?= "755"
+TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_SIZE},mode=${TMP_MODE}"
+
+TEMPLATE_FILES = "tmp.mount.tmpl"
+TEMPLATE_VARS += "TMP_FS_OPTIONS"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
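Review bot: `TMP_FS_OPTIONS` interpolates `${TMP_SIZE}` and `${TMP_MODE}`, but the defaults defined two lines above are `TMP_FS_SIZE` and `TMP_FS_MODE`; bitbake leaves an unknown reference unexpanded, so the generated mount options would contain `size=${TMP_SIZE},mode=${TMP_MODE}` and the /tmp mount fails. The mode default is also wrong for /tmp: `755` makes it writable by root only, whereas a shared /tmp needs the sticky bit so users cannot delete or replace each other's files. I would change the three lines to `TMP_FS_MODE ?= "1777"`, `TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_FS_SIZE},mode=${TMP_FS_MODE}"` and keep `TEMPLATE_VARS += "TMP_FS_OPTIONS"` but then make the template's placeholder `${TMP_FS_OPTIONS}`, since the template in this patch currently uses `${TMP_OPTIONS}` and the substitution never happens.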
diff --git a/start-qemu.sh b/start-qemu.sh
index a92e9f4..c700974 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -42,6 +42,9 @@ if [ -z "${TARGET_IMAGE}" ];then
TARGET_IMAGE="cip-core-image"
if grep -s -q "IMAGE_SECURITY: true" .config.yaml; then
TARGET_IMAGE="cip-core-image-security"
+ fi
+ if [ -n "${SECURE_BOOT}" ]; then
+ TARGET_IMAGE="cip-core-image-read-only"
fi
fi
@@ -55,6 +58,7 @@ case "$1" in
-machine q35,accel=kvm:tcg \
-device virtio-net-pci,netdev=net"
if [ -n "${SECURE_BOOT}" ]; then
+ # set bootindex=0 to boot disk instead of EFI-shell
QEMU_EXTRA_ARGS=" \
${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk,bootindex=0"
else
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
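Review bot: The kernel command line still carries `rw` although the root is a read-only dm-verity mapping over squashfs and the image's own fstab mounts `/` with `ro`; the initramfs will presumably try a writable mount first and depend on the mount fallback, so `ro` is the honest flag: `--append="console=tty0 console=ttyS0,115200 rootwait ro earlyprintk"`. The two rootfs partitions are rawcopies of the same verity image with fixed GUIDs but no `--part-type` or label; since the initramfs script identifies the slot purely by root hash this works, but a comment naming the A/B convention (which GUID belongs to BOOT0 and BOOT1) would help whoever maintains the SWUpdate round-robin handler.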
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 6/9] Create systemd mount units for a etc overlay
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
As /etc is read-only and must be accessible to the initrd, move the
user-defined settings to an overlay in /var/local/etc.
As systemd sets the hostname directly on start reread the /etc/hostname
after mounting the overlay.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++++++++++++++++++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++
.../files/etc-sshd-regen-keys.conf | 7 ++++
.../etc-overlay-fs/files/etc-sysusers.conf | 4 +++
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++++++++
recipes-core/etc-overlay-fs/files/postinst | 4 +++
.../images/cip-core-image-read-only.bb | 1 +
7 files changed, 75 insertions(+)
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100755 recipes-core/etc-overlay-fs/files/postinst
diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..4e2b80b
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://etc.mount \
+ file://etc-hostname.service \
+ file://etc-sshd-regen-keys.conf \
+ file://etc-sysusers.conf"
+
+do_install[cleandirs]+="${D}/usr/lib/systemd/system \
+ ${D}/usr/lib/systemd/system/local-fs.target.wants \
+ ${D}/usr/lib/systemd/system/systemd-sysusers.service.d \
+ ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d \
+ ${D}/var/local/etc \
+ ${D}/var/local/.atomic \
+ "
+do_install() {
+ TARGET=${D}/usr/lib/systemd/system
+ install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+ install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+ install -m 0644 ${WORKDIR}/etc-sshd-regen-keys.conf ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d/etc-sshd-regen-keys.conf
+ install -m 0644 ${WORKDIR}/etc-sysusers.conf ${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.service
+}
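Review bot: The systemd-sysusers drop-in is installed as `systemd-sysusers.service.d/etc-sysusers.service`, but systemd only reads files ending in `.conf` from a `.d` directory, so the `Requires=etc.mount`/`After=etc.mount` ordering never takes effect and sysusers may run against the pristine lower /etc. Install it as `${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.conf`. The recipe also pre-creates `/var/local/etc` and `/var/local/.atomic` inside the package; since `/var` is a separate partition populated from `${IMAGE_ROOTFS}/var` at wic time, that only works as long as the wks keeps `--rootfs-dir=${IMAGE_ROOTFS}/var`, which deserves a comment next to the cleandirs list.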
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
new file mode 100644
index 0000000..014b5a6
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
@@ -0,0 +1,7 @@
+[Unit]
+# set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
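Review bot: The comment `# set hostname /etc overlay-aware` is copied from etc-hostname.service and describes the wrong unit; this drop-in orders sshd-regen-keys.service after the overlay so freshly generated host keys land in the writable upper instead of failing on the read-only lower. I would write `# regenerate SSH host keys only after the /etc overlay is mounted, so they persist in /var/local/etc`. Whether a `sshd-regen-keys.service` actually exists in the image is not visible in this series; if it does not, the drop-in is dead but harmless.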
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.conf b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
new file mode 100644
index 0000000..ad45d7f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
@@ -0,0 +1,4 @@
+[Unit]
+# make systemd-sysusers /etc overlay aware
+Requires=etc.mount
+After=etc.mount
diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
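Review bot: The overlay upper `/var/local/etc` lives on the plain ext4 `var` partition, which is outside the dm-verity mapping, so once this unit is active everything under /etc — `passwd`, `shadow`, `sudoers`, unit files in `/etc/systemd` — is effectively served from unverified, persistently writable storage and the verity root no longer bounds what the system boots with. That is a legitimate trade-off for a read-only rootfs, but it should be written down here (`# NOTE: upperdir is on the unverified /var partition; effective /etc is not covered by dm-verity`) and in the series' documentation so nobody assumes /etc is integrity-protected. Also, `noauto` and `x-systemd.automount` are fstab keywords; in a `.mount` unit's `Options=` they are, as far as I know, passed through to mount(8) rather than interpreted by systemd, so either drop them or add an `etc.automount` unit if lazy mounting was the intent.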
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..e436b53
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount || true
+deb-systemd-helper enable etc-hostname.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 7ef2dc2..ceb6ac4 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -2,6 +2,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"
+IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 7/9] Mount writable home partition
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add an example of how to add a writable home partition.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/home-fs/files/home.mount | 12 +++++++++++
recipes-core/home-fs/files/postinst | 3 +++
recipes-core/home-fs/home-fs_0.1.bb | 20 +++++++++++++++++++
.../images/cip-core-image-read-only.bb | 1 +
wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++
5 files changed, 38 insertions(+)
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount
new file mode 100644
index 0000000..062517a
--- /dev/null
+++ b/recipes-core/home-fs/files/home.mount
@@ -0,0 +1,12 @@
+[Unit]
+Description=Mount /home partition
+Before=local-fs.target
+
+[Mount]
+What=/dev/disk/by-partlabel/home
+Where=/home
+Type=auto
+Options=defaults
+
+[Install]
+WantedBy=local-fs.target
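Review bot: `Type=auto` with `Options=defaults` (L913-914) is weak for the one partition unprivileged users can write to on an otherwise verity-protected image; mount it `Options=nosuid,nodev` (plus `noexec` if nothing in /home needs execution) and pin `Type=ext4` to the fstype the wks declares instead of letting the kernel probe whatever filesystem the partition carries. `What=/dev/disk/by-partlabel/home` (L911) also matches any attached disk whose GPT partition name is "home", so a second device can be selected ahead of the intended one; the PARTUUID keying the wks already uses for the rootfs slots is the more specific choice.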
diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst
new file mode 100755
index 0000000..f6184d6
--- /dev/null
+++ b/recipes-core/home-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable home.mount || true
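Review bot: The enable call runs for every maintainer-script action and `|| true` hides a failure, so a package whose unit could not be enabled installs "successfully" and the system boots with /home unmounted, silently writing user data into the read-only root's /home directory tree. Guard on the action and let the status propagate: `if [ "$1" = "configure" ]; then deb-systemd-helper enable home.mount; fi`.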
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb
new file mode 100644
index 0000000..93e08e6
--- /dev/null
+++ b/recipes-core/home-fs/home-fs_0.1.bb
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://home.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount
+
+}
\ No newline at end of file
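Review bot: Style points on `do_install`: the expansions in `install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount` should be double-quoted, the stray blank line before the closing brace can go, and the file should end with a newline (L953). `postinst` is listed in `SRC_URI` but not installed by `do_install`; presumably the `dpkg-raw` class picks it up from `${WORKDIR}` itself — a one-line comment such as `# postinst is consumed by dpkg-raw from WORKDIR` would save the next reader the lookup.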
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index ceb6ac4..79cd6bf 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -3,6 +3,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"
IMAGE_INSTALL += "etc-overlay-fs"
+IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index c4ea0c8..81fd4fe 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G
part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
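Review bot: `home.mount` in this series selects the device via `/dev/disk/by-partlabel/home`, while the new line sets `--label home`, which in wic is the filesystem label; whether the GPT partition name is also derived from it depends on the wic version in use, so set `--part-name home` explicitly (or key the unit on PARTUUID as the rootfs slots on L969-970 do) to avoid a boot that silently comes up without /home. `--size 1G` is a minimum, not a fixed size: if the staged `${IMAGE_ROOTFS}/home` ever grows, the partition grows with it and shifts the following `/var` partition; `--fixed-size 1G` keeps the on-disk layout stable across image updates.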
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 8/9] kas: Patch isar for correct permissions in var and home
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Get patch from isar mailing list[1].
[1]: https://groups.google.com/g/isar-users/c/wlanc7f7UnQ
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas-cip.yml | 4 +++
...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
diff --git a/kas-cip.yml b/kas-cip.yml
index dc56729..8226954 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -25,6 +25,10 @@ repos:
refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
layers:
meta:
+ patches:
+ fix-pseudo:
+ repo: cip-core
+ path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
bblayers_conf_header:
standard: |
diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
new file mode 100644
index 0000000..34704f0
--- /dev/null
+++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
@@ -0,0 +1,35 @@
+From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+Date: Wed, 3 Nov 2021 13:53:00 +0100
+Subject: [PATCH] Fix permissions when splitting rootfs folders across
+ partitions.
+
+This patches ensures that the file database containing the file and
+folder usernames and permissions is always located relative to the
+source and not to the appended rootfs-dir.
+
+Prior to this patch, the database was not found when using
+-rootfs-dir in the WIC script, leading to erronous file
+permissions and ownership.
+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+---
+ scripts/lib/wic/plugins/source/rootfs.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
+index 96d940a9..5ab771e5 100644
+--- a/scripts/lib/wic/plugins/source/rootfs.py
++++ b/scripts/lib/wic/plugins/source/rootfs.py
+@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
+
+ part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+ part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
+- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
+ if not os.path.lexists(pseudo_dir):
+ logger.warn("%s folder does not exist. "
+ "Usernames and permissions will be invalid " % pseudo_dir)
+--
+2.30.2
+
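Review bot: The new `pseudo_dir` on L1045 is taken from `krootfs_dir['ROOTFS_DIR']`, so every `--rootfs-dir=<path>` partition now shares the pseudo database of the main image rootfs; that is correct for the `/var` and `/home` sub-directory splits in this series but silently wrong if a separately built, named rootfs is ever passed, and it assumes that key is always present — a comment such as `# pseudo db always lives next to the image rootfs, never in a split sub-directory` would record the assumption. More important for a secure image: when the directory is absent the plugin only logs a warning and continues with host-derived ownership, which for /var and /home means wrong uid/gid and mode bits on the shipped partition; I would raise a `WicError` there instead of warning. The enclosing method continues outside the hunk.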
--
2.30.2
* [cip-dev][isar-cip-core][RESEND PATCH 9/9] swupdate: Backport patches from SWUpdate Master
From: Q. Gylstorff @ 2021-11-30 11:47 UTC (permalink / raw)
To: jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 196 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
diff --git a/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..a4c8856
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
@@ -0,0 +1,191 @@
+From 9904222a872e1707d8e1205009962fd68c3e5c7d Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] debian/patches: add patches for dm-verity
+
+Backport the following patches to detect the correct partition to
+update.
+388f1777 util: Add get_root source /proc/self/mountinfo
+3914d2b7 util: Extend get_root to find LUKS devices
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 67 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 82 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 151 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..2b25a19
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,67 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@siemens.com>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@siemens.com>
++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..039bfb8
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,82 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@denx.de>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@denx.de>
++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
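Review bot: In the backported `get_root_from_mountinfo()` (L1137-1156) `fp` may be NULL — the loop guards on it, but the unconditional `(void)fclose(fp);` then closes a NULL stream, which is undefined behaviour; make it `if (fp) (void)fclose(fp);`. The `fscanf` format also assumes no optional fields between the mount options and the `-` separator, yet /proc/self/mountinfo routinely carries `shared:N`/`master:N` there, in which case the match stops after `mnt_point` (return value 1, so the `%ms` buffer leaks and the rest of the line is re-parsed out of alignment); reading whole lines and locating the " - " separator is the robust form. In 0002, `info.st_dev / 256` and `% 256` decode only 8-bit major/minor numbers and break for minors >= 256, which device-mapper nodes can have, so `major()`/`minor()` from <sys/sysmacros.h> are the correct decode, and the `n == 1` slaves check only yields the partition when the verity hash tree shares the data partition (as this series appends it, per the cover letter) — a separate hash device gives two slaves and falls back to the dm name. Finally `debian/patches/series` (L1267-1268) lists 0002 before 0001, the reverse of their authoring order and of their `index` pre-images; the hunks do not overlap so it likely still applies, but the series order should match.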
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..a4d67fe 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"
+# Patch for dm-verity based images - can be removed with next SWUpdate release
+SRC_URI += "file://0001-debian-patches-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
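Review bot: The backport is wired in right above trailing context that still builds SWUpdate with `pkg.swupdate.nosigning pkg.swupdate.noencryption` (L1285); with this series adding secure boot and a dm-verity root, an unsigned `.swu` remains the one path that can write an attacker-chosen verity image into the inactive slot, so verity protects the image at rest but not the update channel. A comment beside the new `SRC_URI` line, `# NOTE: nosigning undermines the dm-verity/secure-boot chain; enable signing for production`, would make that gap explicit. The `# end patching for dm-verity based images` marker on L1282 adds nothing and can go.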
--
2.30.2
* Re: [cip-dev][isar-cip-core][RESEND PATCH 0/9] Read-only root file system with dm-verity
From: Jan Kiszka @ 2021-12-01 11:54 UTC (permalink / raw)
To: Q. Gylstorff, cip-dev
On 30.11.21 12:47, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> *This patch series adds support for a read-only squashfs based root filesystem
> with SWUpdate support and secure boot.
>
> The build is somewhat complex as we need the output of dm-verity to generate
> the initramfs. The build is split in the following steps
> 1. Build the root file system
> 2. Generate a squashfs image - this can also be replace by another image format(e.g. ext4)
> 3. Build from the image the dm-verity partition and add it to the end of the image
> 4. Add the resulting verity environment to the initrd
> 5. Build the signed efi tool chain.
>
> This series needs SWUpdate 2021.11. The necessary changes are currently backported.
>
> Changes in RFC V2:
> - rebase onto orgin/next
> - adapt Kconfig to new ebg-secure-boot-snakeoil.yml by deleting unnecessary options
> - Cleanup to support different file-systems for verity-img
> - tested with ext4 and squashfs
> - simplified kernel patching
> - prepend not necessary
> - added flag to enable/disable
> - whitespaces for readability
> - integrated into ebg-secure-boot-snakeoil
> - make behavior on corruption configurable during build time.
> - default is restart on corruption
> - add ISAR patch for correct permissions
>
> Changes in RFC V3:
> - Configurable size of /tmp
> - remove unnecessary overlay-parse-etc.service
> - convert etc-sysusers to drop in configuration of systemd-sysusers.service
> - extend commit messages
>
> Changes in Patch:
> - rebased onto origin/next 2550c34a03ae3c035a1593585f2d8e545c83140d
> - initrd verity warning message
> - Kconfig: secure-boot element selects also swupdate
> as the secureboot kas option contains swupdate
> - fixed ci build
>
> Quirin Gylstorff (9):
> Add new class to create a squashfs based root file system
> Add verity-img.bbclass for dm-verity based rootfs
> linux-cip-common: Increase revision kernel config
> Create a initrd with support for dm-verity
> Create an read-only rootfs with dm-verity
> Create systemd mount units for a etc overlay
> Mount writable home partition
> kas: Patch isar for correct permissions in var and home
> swupdate: Backport patches from SWUpdate Master
>
> .gitlab-ci.yml | 11 -
> Kconfig | 4 +-
> classes/secure-swupdate-img.bbclass | 32 +++
> classes/squashfs-img.bbclass | 41 ++++
> classes/verity-img.bbclass | 73 +++++++
> kas-cip.yml | 4 +
> kas/opt/ebg-secure-boot-snakeoil.yml | 12 +-
> ...when-splitting-rootfs-folders-across.patch | 35 ++++
> .../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++
> .../etc-overlay-fs/files/etc-hostname.service | 14 ++
> .../files/etc-sshd-regen-keys.conf | 7 +
> .../etc-overlay-fs/files/etc-sysusers.conf | 4 +
> recipes-core/etc-overlay-fs/files/etc.mount | 13 ++
> recipes-core/etc-overlay-fs/files/postinst | 4 +
> recipes-core/home-fs/files/home.mount | 12 ++
> recipes-core/home-fs/files/postinst | 3 +
> recipes-core/home-fs/home-fs_0.1.bb | 20 ++
> .../images/cip-core-image-read-only.bb | 22 ++
> ...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++
> .../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
> recipes-core/tmp-fs/files/postinst | 3 +
> recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +
> recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++
> .../cip-core-initramfs/cip-core-initramfs.bb | 10 +-
> .../files/verity.conf-hook | 1 +
> .../initramfs-verity-hook/files/verity.hook | 23 +++
> .../files/verity.script.tmpl | 70 +++++++
> .../initramfs-verity-hook_0.1.bb | 51 +++++
> recipes-kernel/linux/linux-cip-common.inc | 2 +-
> start-qemu.sh | 4 +
> wic/qemu-amd64-efibootguard-secureboot.wks | 11 -
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 15 ++
> 32 files changed, 735 insertions(+), 31 deletions(-)
> create mode 100644 classes/secure-swupdate-img.bbclass
> create mode 100644 classes/squashfs-img.bbclass
> create mode 100644 classes/verity-img.bbclass
> create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
> create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
> create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
> create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
> create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
> create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
> create mode 100755 recipes-core/etc-overlay-fs/files/postinst
> create mode 100644 recipes-core/home-fs/files/home.mount
> create mode 100755 recipes-core/home-fs/files/postinst
> create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
> create mode 100644 recipes-core/images/cip-core-image-read-only.bb
> create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch
> create mode 100755 recipes-core/tmp-fs/files/postinst
> create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl
> create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
> rename kas/opt/ebg-snakeoil-swu.yml => recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb (61%)
> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
> create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
> delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
> create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
>
Thanks, applied to next.
Jan
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux