[PATCH] rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable

[PATCH] rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable

[Peter Bergin]

When using IMAGE_FEATURE read-only-rootfs ssh host keys are moved to volatile
storage. If the feature overlayfs-etc is used in addition to read-only-rootfs
/etc is writable and the move is not wanted. But in the case also the IMAGE_FEATURE
stateless-roots is used the keys will be moved as storage of keys should not
be wanted in a stateless-rootfs.

This change only takes effect in the case IMAGE_FEATURE contains read-only-rootfs.
In adddition the following cases are handled:

  IMAGE_FEATURES = "read-only-rootfs" --> ssh keys/config handled as ro root
  IMAGE_FEATURES = "read-only-rootfs overlayfs-etc" --> ssh keys/config handled as rw root
  IMAGE_FEATURES = "read-only-rootfs stateless-rootfs" --> ssh keys/config handled as ro root
  IMAGE_FEATURES = "read-only-rootfs overlayfs-etc stateless-rootfs" --> ssh keys/config handled as ro root

Signed-off-by: Peter Bergin <peter@berginkonsult.se>
---
 .../rootfs-postcommands.bbclass               | 32 +++++++++++--------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
index 215e38e33d..367fe07c09 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -22,7 +22,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
 # Create /etc/timestamp during image construction to give a reasonably sane default time setting
 ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "
 
-# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
+# Tweak files in /etc if read-only-rootfs is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
 
 # We also need to do the same for the kernel boot parameters,
@@ -111,21 +111,25 @@ read_only_rootfs_hook () {
 	# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
 	# we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
 	# and the keys under /var/run/ssh.
-	if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
-		if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
-			echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
-			echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
-		else
-			echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
-			echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
+	# If overlayfs-etc is used this is not done as /etc is treated as writable
+	# If stateless-rootfs is enabled this is always done as we don't want to save keys then
+	if ${@ 'false;' if bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'true;'} then
+	    if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
+		    if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
+			    echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
+			    echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
+		    else
+			    echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
+			    echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
+		    fi
 		fi
-	fi
 
-	# Also tweak the key location for dropbear in the same way.
-	if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
-		if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
-			echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
-		fi
+	    # Also tweak the key location for dropbear in the same way.
+	    if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
+		    if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
+			    echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
+		    fi
+	    fi
 	fi
 
 	if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then
-- 
2.34.1

RE: [OE-core] [PATCH] rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable

[Peter Kjellerstedt]

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Peter Bergin
> Sent: den 5 september 2022 16:23
> To: openembedded-core@lists.openembedded.org
> Cc: Peter Bergin <peter@berginkonsult.se>
> Subject: [OE-core] [PATCH] rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable
> 
> When using IMAGE_FEATURE read-only-rootfs ssh host keys are moved to volatile
> storage. If the feature overlayfs-etc is used in addition to read-only-rootfs
> /etc is writable and the move is not wanted. But in the case also the IMAGE_FEATURE
> stateless-roots is used the keys will be moved as storage of keys should not

Correct "stateless-roots" to "stateless-rootfs".

> be wanted in a stateless-rootfs.
> 
> This change only takes effect in the case IMAGE_FEATURE contains read-only-rootfs.
> In adddition the following cases are handled:
> 
>   IMAGE_FEATURES = "read-only-rootfs" --> ssh keys/config handled as ro root
>   IMAGE_FEATURES = "read-only-rootfs overlayfs-etc" --> ssh keys/config handled as rw root
>   IMAGE_FEATURES = "read-only-rootfs stateless-rootfs" --> ssh keys/config handled as ro root
>   IMAGE_FEATURES = "read-only-rootfs overlayfs-etc stateless-rootfs" --> ssh keys/config handled as ro root
> 
> Signed-off-by: Peter Bergin <peter@berginkonsult.se>
> ---
>  .../rootfs-postcommands.bbclass               | 32 +++++++++++--------
>  1 file changed, 18 insertions(+), 14 deletions(-)
> 
> diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
> index 215e38e33d..367fe07c09 100644
> --- a/meta/classes-recipe/rootfs-postcommands.bbclass
> +++ b/meta/classes-recipe/rootfs-postcommands.bbclass
> @@ -22,7 +22,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
>  # Create /etc/timestamp during image construction to give a reasonably sane default time setting
>  ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "
> 
> -# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
> +# Tweak files in /etc if read-only-rootfs is enabled
>  ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
> 
>  # We also need to do the same for the kernel boot parameters,
> @@ -111,21 +111,25 @@ read_only_rootfs_hook () {
>  	# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
>  	# we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
>  	# and the keys under /var/run/ssh.
> -	if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
> -		if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
> -			echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
> -			echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
> -		else
> -			echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
> -			echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
> +	# If overlayfs-etc is used this is not done as /etc is treated as writable
> +	# If stateless-rootfs is enabled this is always done as we don't want to save keys then
> +	if ${@ 'false;' if bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'true;'} then

It is easier to understand the combined if statement if the 
conditions of the inner if statements are true when the 
conditions of the outer if statement shall be true. Also, 
the ";" belongs outside the ${@...}:

	if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'false'}; then

> +	    if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then

Correct the indentation here and below. Indentation of shell 
code in OE Core is done using tabs.

> +		    if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
> +			    echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
> +			    echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
> +		    else
> +			    echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
> +			    echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
> +		    fi
>  		fi
> -	fi
> 
> -	# Also tweak the key location for dropbear in the same way.
> -	if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> -		if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
> -			echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
> -		fi
> +	    # Also tweak the key location for dropbear in the same way.
> +	    if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> +		    if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
> +			    echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
> +		    fi
> +	    fi
>  	fi
> 
>  	if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then
> --
> 2.34.1

//Peter

Re: [OE-core] [PATCH] rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable

[Peter Bergin]

Thanks for the review. I have addressed them in v2 that is sent.

/Peter

On 2022-09-05 18:15, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Peter Bergin
>> Sent: den 5 september 2022 16:23
>> To: openembedded-core@lists.openembedded.org
>> Cc: Peter Bergin <peter@berginkonsult.se>
>> Subject: [OE-core] [PATCH] rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable
>>
>> When using IMAGE_FEATURE read-only-rootfs ssh host keys are moved to volatile
>> storage. If the feature overlayfs-etc is used in addition to read-only-rootfs
>> /etc is writable and the move is not wanted. But in the case also the IMAGE_FEATURE
>> stateless-roots is used the keys will be moved as storage of keys should not
> Correct "stateless-roots" to "stateless-rootfs".
>
>> be wanted in a stateless-rootfs.
>>
>> This change only takes effect in the case IMAGE_FEATURE contains read-only-rootfs.
>> In adddition the following cases are handled:
>>
>>    IMAGE_FEATURES = "read-only-rootfs" --> ssh keys/config handled as ro root
>>    IMAGE_FEATURES = "read-only-rootfs overlayfs-etc" --> ssh keys/config handled as rw root
>>    IMAGE_FEATURES = "read-only-rootfs stateless-rootfs" --> ssh keys/config handled as ro root
>>    IMAGE_FEATURES = "read-only-rootfs overlayfs-etc stateless-rootfs" --> ssh keys/config handled as ro root
>>
>> Signed-off-by: Peter Bergin <peter@berginkonsult.se>
>> ---
>>   .../rootfs-postcommands.bbclass               | 32 +++++++++++--------
>>   1 file changed, 18 insertions(+), 14 deletions(-)
>>
>> diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
>> index 215e38e33d..367fe07c09 100644
>> --- a/meta/classes-recipe/rootfs-postcommands.bbclass
>> +++ b/meta/classes-recipe/rootfs-postcommands.bbclass
>> @@ -22,7 +22,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
>>   # Create /etc/timestamp during image construction to give a reasonably sane default time setting
>>   ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "
>>
>> -# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
>> +# Tweak files in /etc if read-only-rootfs is enabled
>>   ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
>>
>>   # We also need to do the same for the kernel boot parameters,
>> @@ -111,21 +111,25 @@ read_only_rootfs_hook () {
>>   	# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
>>   	# we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
>>   	# and the keys under /var/run/ssh.
>> -	if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
>> -		if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
>> -			echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> -			echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> -		else
>> -			echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> -			echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> +	# If overlayfs-etc is used this is not done as /etc is treated as writable
>> +	# If stateless-rootfs is enabled this is always done as we don't want to save keys then
>> +	if ${@ 'false;' if bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'true;'} then
> It is easier to understand the combined if statement if the
> conditions of the inner if statements are true when the
> conditions of the outer if statement shall be true. Also,
> the ";" belongs outside the ${@...}:
>
> 	if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'false'}; then
>
>> +	    if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
> Correct the indentation here and below. Indentation of shell
> code in OE Core is done using tabs.
>
>> +		    if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
>> +			    echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> +			    echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> +		    else
>> +			    echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> +			    echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
>> +		    fi
>>   		fi
>> -	fi
>>
>> -	# Also tweak the key location for dropbear in the same way.
>> -	if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
>> -		if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
>> -			echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
>> -		fi
>> +	    # Also tweak the key location for dropbear in the same way.
>> +	    if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
>> +		    if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
>> +			    echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
>> +		    fi
>> +	    fi
>>   	fi
>>
>>   	if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then
>> --
>> 2.34.1
> //Peter
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#170319): https://lists.openembedded.org/g/openembedded-core/message/170319
> Mute This Topic: https://lists.openembedded.org/mt/93479678/3617552
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [peter@berginkonsult.se]
> -=-=-=-=-=-=-=-=-=-=-=-
>