* [isar-cip-core][PATCH 0/5] Enable feature combinations of test and security extensions
@ 2023-03-02 20:30 Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 1/5] swupdate: Avoid open-coding IMAGE_FULLNAME Jan Kiszka
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Jan Kiszka @ 2023-03-02 20:30 UTC (permalink / raw)
  To: cip-dev
  Cc: Sai, dinesh.kumar, kazuhiro3.hayashi, quirin.gylstorff, Felix Moessbauer

This allows building SWupdate/secure boot images with test extensions as
well as security extensions.

Jan

Jan Kiszka (5):
  swupdate: Avoid open-coding IMAGE_FULLNAME
  initramfs-*-hook: Avoid open-coding IMAGE_FULLNAME
  start-qemu: Add support for booting test-extended images
  cip-core-image-security: Add support for SWUpdate
  security-customizations: Fix password hint

 classes/swupdate.bbclass                                    | 2 +-
 kas/opt/security.yml                                        | 3 +++
 recipes-core/images/cip-core-image-security.bb              | 3 +++
 recipes-core/security-customizations/files/postinst         | 2 +-
 .../initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb  | 6 +++++-
 .../initramfs-verity-hook/initramfs-verity-hook_0.1.bb      | 6 +++++-
 start-qemu.sh                                               | 6 +++++-
 7 files changed, 23 insertions(+), 5 deletions(-)

-- 
2.35.3




* [isar-cip-core][PATCH 1/5] swupdate: Avoid open-coding IMAGE_FULLNAME
  2023-03-02 20:30 [isar-cip-core][PATCH 0/5] Enable feature combinations of test and security extensions Jan Kiszka
@ 2023-03-02 20:30 ` Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 2/5] initramfs-*-hook: " Jan Kiszka
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Jan Kiszka @ 2023-03-02 20:30 UTC (permalink / raw)
  To: cip-dev
  Cc: Sai, dinesh.kumar, kazuhiro3.hayashi, quirin.gylstorff, Felix Moessbauer

From: Jan Kiszka <jan.kiszka@siemens.com>

This will break if IMAGE_FULLNAME is not PN-DISTRO-MACHINE, e.g. when
enabling kas/ops/test.yml.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 classes/swupdate.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 9fcaf3c2..064d0ad5 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -15,7 +15,7 @@ SWU_ROOTFS_NAME ?= "${IMAGE_FULLNAME}"
 SWU_COMPRESSION_TYPE ?= "zlib"
 SWU_ROOTFS_PARTITION_NAME ?= "${SWU_ROOTFS_NAME}.${SWU_ROOTFS_TYPE}.${@get_swu_compression_type(d)}"
 
-SWU_IMAGE_FILE ?= "${DEPLOY_DIR_IMAGE}/${PN}-${DISTRO}-${MACHINE}.swu"
+SWU_IMAGE_FILE ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.swu"
 SWU_DESCRIPTION_FILE ?= "sw-description"
 SWU_ADDITIONAL_FILES ?= "linux.efi ${SWU_ROOTFS_PARTITION_NAME}"
 SWU_SIGNED ?= ""
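Review bot: the commit message names kas/ops/test.yml, while patch 2 of this series refers to kas/opt/test.yml; please correct the path so the rationale can be traced. On the changed SWU_IMAGE_FILE line, the default now follows IMAGE_FULLNAME in the same way as SWU_ROOTFS_NAME in the hunk header, so the .swu file name changes whenever IMAGE_FULLNAME is extended. Anything outside this class that still looks for ${PN}-${DISTRO}-${MACHINE}.swu (CI artifact rules, update scripts) needs the same treatment and deserves a line in the message.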
-- 
2.35.3




* [isar-cip-core][PATCH 2/5] initramfs-*-hook: Avoid open-coding IMAGE_FULLNAME
  2023-03-02 20:30 [isar-cip-core][PATCH 0/5] Enable feature combinations of test and security extensions Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 1/5] swupdate: Avoid open-coding IMAGE_FULLNAME Jan Kiszka
@ 2023-03-02 20:30 ` Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 3/5] start-qemu: Add support for booting test-extended images Jan Kiszka
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Jan Kiszka @ 2023-03-02 20:30 UTC (permalink / raw)
  To: cip-dev
  Cc: Sai, dinesh.kumar, kazuhiro3.hayashi, quirin.gylstorff, Felix Moessbauer

From: Jan Kiszka <jan.kiszka@siemens.com>

We can't pull IMAGE_FULLNAME from the image class as this is a dpkg
class, but we should account for potential global changes to this
variable like done by kas/opt/test.yml. This will ensure that we stay
in sync with the generator in image_uuid.bbclass.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb  | 6 +++++-
 .../initramfs-verity-hook/initramfs-verity-hook_0.1.bb      | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
index 8b1536f3..17c60da4 100644
--- a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
@@ -20,7 +20,11 @@ SRC_URI += "file://abrootfs.hook \
 
 ABROOTFS_IMAGE_RECIPE ?= "cip-core-image"
 
-IMAGE_UUID_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${ABROOTFS_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.uuid.env"
+# This is defined in image.bbclass which cannot be used in a package recipe.
+# However, we need to use IMAGE_FULLNAME to pick up any extensions of it.
+IMAGE_FULLNAME ??= "${ABROOTFS_IMAGE_RECIPE}-${DISTRO}-${MACHINE}"
+
+IMAGE_UUID_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.uuid.env"
 
 do_install[depends] += "${ABROOTFS_IMAGE_RECIPE}:do_generate_image_uuid"
 do_install[cleandirs] += " \
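Review bot: the IMAGE_FULLNAME ??= fallback only resolves to the image's name if the global override is not written in terms of ${PN}. This is a package recipe, so ${PN} expands to the hook package here rather than to ABROOTFS_IMAGE_RECIPE, and IMAGE_UUID_ENV_FILE would then name a file that do_generate_image_uuid never wrote. Please state that constraint in the new comment (the override must be a suffix or otherwise PN-free), or have do_install fail with a clear message when ${IMAGE_UUID_ENV_FILE} is missing, so a mismatch shows up at build time instead of as a hook that carries the wrong UUID.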
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
index 59989081..3fc63ed2 100644
--- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -27,7 +27,11 @@ DEBIAN_CONFLICTS = "initramfs-abrootfs-hook"
 
 VERITY_IMAGE_RECIPE ?= "cip-core-image"
 
-VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+# This is defined in image.bbclass which cannot be used in a package recipe.
+# However, we need to use IMAGE_FULLNAME to pick up any extensions of it.
+IMAGE_FULLNAME ??= "${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
 
 do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity"
 do_install[cleandirs] += " \
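Review bot: this is the same three-line fallback and comment as in initramfs-abrootfs-hook, differing only in VERITY_IMAGE_RECIPE, so the naming rule now lives in image.bbclass plus two copies. Consider moving the fallback into a shared include that takes the image recipe variable, so the verity hook and the abrootfs hook cannot drift apart the next time IMAGE_FULLNAME changes. The comment would also be more useful if it named where the extension comes from (kas/opt/test.yml per the commit message).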
-- 
2.35.3




* [isar-cip-core][PATCH 3/5] start-qemu: Add support for booting test-extended images
  2023-03-02 20:30 [isar-cip-core][PATCH 0/5] Enable feature combinations of test and security extensions Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 1/5] swupdate: Avoid open-coding IMAGE_FULLNAME Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 2/5] initramfs-*-hook: " Jan Kiszka
@ 2023-03-02 20:30 ` Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 4/5] cip-core-image-security: Add support for SWUpdate Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 5/5] security-customizations: Fix password hint Jan Kiszka
  4 siblings, 0 replies; 6+ messages in thread
From: Jan Kiszka @ 2023-03-02 20:30 UTC (permalink / raw)
  To: cip-dev
  Cc: Sai, dinesh.kumar, kazuhiro3.hayashi, quirin.gylstorff, Felix Moessbauer

From: Jan Kiszka <jan.kiszka@siemens.com>

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 start-qemu.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index dd16aed9..cccc51ef 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -50,6 +50,10 @@ if [ -z "${TARGET_IMAGE}" ];then
 	fi
 fi
 
+if grep -s -q "IMAGE_TESTING: true" .config.yaml; then
+	TEST_IMAGE="-test"
+fi
+
 arch="$1"
 shift 1
 
@@ -125,7 +129,7 @@ case "${arch}" in
 		;;
 esac
 
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${QEMU_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${QEMU_ARCH}"
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${QEMU_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${QEMU_ARCH}${TEST_IMAGE}"
 
 if [ -z "${DISPLAY}" ]; then
 	QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
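Review bot: appending ${TEST_IMAGE} at the end of IMAGE_PREFIX rebuilds IMAGE_FULLNAME by hand, including the assumption that the test extension is a "-test" suffix after the machine name, which is the kind of open-coding patches 1 and 2 remove. If the script cannot read the name from the build, add a comment next to the assignment pointing at the place that defines the suffix so the two stay in sync. Since the line is being touched anyway, $(dirname $0) should be quoted as "$(dirname "$0")" so a checkout path with spaces does not split.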
-- 
2.35.3




* [isar-cip-core][PATCH 4/5] cip-core-image-security: Add support for SWUpdate
  2023-03-02 20:30 [isar-cip-core][PATCH 0/5] Enable feature combinations of test and security extensions Jan Kiszka
                   ` (2 preceding siblings ...)
  2023-03-02 20:30 ` [isar-cip-core][PATCH 3/5] start-qemu: Add support for booting test-extended images Jan Kiszka
@ 2023-03-02 20:30 ` Jan Kiszka
  2023-03-02 20:30 ` [isar-cip-core][PATCH 5/5] security-customizations: Fix password hint Jan Kiszka
  4 siblings, 0 replies; 6+ messages in thread
From: Jan Kiszka @ 2023-03-02 20:30 UTC (permalink / raw)
  To: cip-dev
  Cc: Sai, dinesh.kumar, kazuhiro3.hayashi, quirin.gylstorff, Felix Moessbauer

From: Jan Kiszka <jan.kiszka@siemens.com>

This allows enabling both SWUpdate and the security-extended image at
the same time.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 kas/opt/security.yml                           | 3 +++
 recipes-core/images/cip-core-image-security.bb | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/kas/opt/security.yml b/kas/opt/security.yml
index c385a627..4d119056 100644
--- a/kas/opt/security.yml
+++ b/kas/opt/security.yml
@@ -18,3 +18,6 @@ local_conf_header:
     USERS += "root"
     USER_root[password] = "Cipsecurity@123"
     USER_root[flags] = "clear-text-password"
+  adjust-swupdate: |
+    ABROOTFS_IMAGE_RECIPE = "cip-core-image-security"
+    VERITY_IMAGE_RECIPE = "cip-core-image-security"
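Review bot: the adjust-swupdate header assigns ABROOTFS_IMAGE_RECIPE and VERITY_IMAGE_RECIPE with a hard "=" whenever security.yml is included, whether or not SWUpdate is part of the configuration. Both hook recipes add ${..._IMAGE_RECIPE}:do_generate_image_uuid or :do_image_verity to do_install[depends], so cip-core-image-security must provide those tasks for this to resolve, which appears to depend on what CIP_IMAGE_OPTIONS pulls in. Please say in the commit message which kas option combinations were built, and consider a header name that reflects that it selects the image recipe for the initramfs hooks rather than adjusting SWUpdate itself.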
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index bfd91bd3..563de897 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -43,3 +43,6 @@ IMAGE_PREINSTALL += " \
 # Package names based on the distro version
 IMAGE_PREINSTALL:append:buster = " libtss2-esys0"
 IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0"
+
+CIP_IMAGE_OPTIONS ?= ""
+require ${CIP_IMAGE_OPTIONS}
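Review bot: the new CIP_IMAGE_OPTIONS lines at the end of the recipe have no comment saying what the variable is expected to hold or who sets it, and the default is an empty string passed straight to require. Please confirm that require with an empty expansion is a no-op in the supported setups and add a one-line comment describing the expected value. Because the require comes last, the included file can also override IMAGE_PREINSTALL and the other settings above it; if that ordering is intended, say so in the comment.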
-- 
2.35.3




* [isar-cip-core][PATCH 5/5] security-customizations: Fix password hint
  2023-03-02 20:30 [isar-cip-core][PATCH 0/5] Enable feature combinations of test and security extensions Jan Kiszka
                   ` (3 preceding siblings ...)
  2023-03-02 20:30 ` [isar-cip-core][PATCH 4/5] cip-core-image-security: Add support for SWUpdate Jan Kiszka
@ 2023-03-02 20:30 ` Jan Kiszka
  4 siblings, 0 replies; 6+ messages in thread
From: Jan Kiszka @ 2023-03-02 20:30 UTC (permalink / raw)
  To: cip-dev
  Cc: Sai, dinesh.kumar, kazuhiro3.hayashi, quirin.gylstorff, Felix Moessbauer

From: Jan Kiszka <jan.kiszka@siemens.com>

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-core/security-customizations/files/postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 4ff8ecf6..167bab1c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -4,7 +4,7 @@
 # Security Package configurations
 #
 
-echo "CIP Core Security Image (login: root/root)" > /etc/issue
+echo "CIP Core Security Image (login: root/Cipsecurity@123)" > /etc/issue
 
 HOSTNAME=demo
 echo "$HOSTNAME" > /etc/hostname
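Review bot: the echo into /etc/issue now hard-codes the same password literal that kas/opt/security.yml sets in USER_root[password] (visible in the context of patch 4), so the hint goes stale again as soon as one of the two is changed, which is how it came to say root/root. Either derive the banner from a single definition or drop the password from the banner and document it in the README. If the hint stays, a comment in postinst that this is a demo-only credential shown before login, and that it must match security.yml, would prevent it from being copied into a product image unnoticed. The commit message has no body; please note what the hint was out of sync with.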
-- 
2.35.3


