* [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more
@ 2022-04-25 11:49 Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 1/7] wic: Align kernel command line of qemu-amd64-efibootguard* Jan Kiszka
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

Changes in v3:
 - create DEPLOY_DIR_IMAGE paths when needed in image-uuid and squashfs
   classes
 - drop no longer needed image_do_mounts from image-uuid

Changes in v2:
 - panic on /var mounting failure during overlay setup
 - panic-reboot on initramfs failures in secure mode
 - /root persistence
 - faster rootfs selection under dm-verity

This addresses the problem of current read-only rootfs + /etc overlay as
used for the SWUpdate setups.

Due to ordering issues in systemd startup between machine-id handling
vs. making /etc writable via the overlay, various things are broken down
the line, e.g. journal reporting. Reading [1], it appeared to be best to
move the overlay mounting into the initramfs. And this implementation
proves this to be right: simpler and working smoothly.

As a by-product, this also unifies the initramfs-abrootfs-hook, and
makes it simpler as well.

Furthermore, this plugs a hole in the secure boot process if the
initramfs fails (we got a shell then), makes /root persistent and
optimizes the rootfs selection via dm-verity.

Jan

[1] https://www.spinics.net/lists/systemd-devel/msg05670.html

Jan Kiszka (7):
  wic: Align kernel command line of qemu-amd64-efibootguard*
  initramfs-abrootfs-hook: Convert to an initramfs-class recipe
  squashfs-img: Make sure DEPLOY_DIR_IMAGE exists
  Convert /etc overlay from systemd mount unit to initramfs hook
  customizations: Relocate /root under /home
  initramfs-verify-hook: Optimize probing of partitions
  secureboot: Prevent getting shell on panic

 classes/image_uuid.bbclass                    | 11 +++--
 classes/secure-wic-swu-img.bbclass            |  4 --
 classes/squashfs-img.bbclass                  |  1 +
 classes/wic-swu-img.bbclass                   |  6 ++-
 kas/opt/ebg-secure-boot-snakeoil.yml          |  1 +
 kas/opt/ebg-swu.yml                           |  2 +-
 recipes-core/customizations/files/postinst    |  4 ++
 .../etc-overlay-fs/etc-overlay-fs_0.1.bb      | 32 -------------
 .../etc-overlay-fs/files/etc-hostname.service | 14 ------
 .../files/etc-sshd-regen-keys.conf            |  6 ---
 .../etc-overlay-fs/files/etc-sysusers.conf    |  4 --
 recipes-core/etc-overlay-fs/files/etc.mount   | 13 ------
 recipes-core/etc-overlay-fs/files/postinst    |  4 --
 .../cip-core-initramfs/cip-core-initramfs.bb  |  2 +-
 .../{initramfs.lsblk.hook => abrootfs.hook}   | 11 ++---
 .../files/abrootfs.script}                    | 46 +++++++++----------
 .../files/initramfs.image_uuid.hook           | 33 -------------
 .../initramfs-abrootfs-hook/files/postinst    |  6 ---
 .../initramfs-abrootfs-hook_0.1.bb            | 41 ++++++++++-------
 .../files/etc-overlay.script                  | 34 ++++++++++++++
 .../initramfs-etc-overlay-hook_0.1.bb         | 27 +++++++++++
 .../files/verity.script.tmpl                  | 18 ++++++--
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  2 +-
 23 files changed, 142 insertions(+), 180 deletions(-)
 delete mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
 delete mode 100755 recipes-core/etc-overlay-fs/files/postinst
 rename recipes-initramfs/initramfs-abrootfs-hook/files/{initramfs.lsblk.hook => abrootfs.hook} (62%)
 copy recipes-initramfs/{initramfs-verity-hook/files/verity.script.tmpl => initramfs-abrootfs-hook/files/abrootfs.script} (53%)
 delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
 delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/postinst
 create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
 create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb

-- 
2.34.1




* [isar-cip-core][PATCH v3 1/7] wic: Align kernel command line of qemu-amd64-efibootguard*
  2022-04-25 11:49 [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more Jan Kiszka
@ 2022-04-25 11:49 ` Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 2/7] initramfs-abrootfs-hook: Convert to an initramfs-class recipe Jan Kiszka
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

From: Jan Kiszka <jan.kiszka@siemens.com>

"rw" is meaningless and misleading for the read-only rootfs we have.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 54f7143..affa299 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -12,4 +12,4 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE
 part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
 part /var  --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var  --fstype=ext4 --label var  --align 1024 --size 2G
 
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
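
Review bot: An explicit "ro" in the bootloader --append string would state the intent on the command line, instead of leaving the read-only mount to the default that applies once "rw" is gone. The subject says qemu-amd64-efibootguard* while only the secureboot .wks.in is touched, so the commit message could name the file this line is being aligned with.
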
-- 
2.34.1




* [isar-cip-core][PATCH v3 2/7] initramfs-abrootfs-hook: Convert to an initramfs-class recipe
  2022-04-25 11:49 [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 1/7] wic: Align kernel command line of qemu-amd64-efibootguard* Jan Kiszka
@ 2022-04-25 11:49 ` Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 3/7] squashfs-img: Make sure DEPLOY_DIR_IMAGE exists Jan Kiszka
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

From: Jan Kiszka <jan.kiszka@siemens.com>

This unifies the pattern we generate initramfs images for non-secure and
secure SWUpdate images. Besides cleaning up the related abrootfs
selection hook, the unification is a precondition for adding another
initramfs recipe later that will be shared between both image types.

The pattern followed in the new initramfs-abrootfs-hook script is now
similar to initramfs-verity-hook: a local-top hook is used, rather than
a patch for Debian's local script. This hook looks for the matching
rootfs by read-only mounting candidates, comparing the contained UUID
against the one stored in the initramfs, unmounting again, and then
setting the ROOT variable on match.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 classes/image_uuid.bbclass                    | 11 ++--
 classes/secure-wic-swu-img.bbclass            |  4 --
 classes/wic-swu-img.bbclass                   |  6 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  1 +
 kas/opt/ebg-swu.yml                           |  2 +-
 .../cip-core-initramfs/cip-core-initramfs.bb  |  4 --
 .../{initramfs.lsblk.hook => abrootfs.hook}   | 11 +---
 .../files/abrootfs.script                     | 66 +++++++++++++++++++
 .../files/initramfs.image_uuid.hook           | 33 ----------
 .../initramfs-abrootfs-hook/files/postinst    |  6 --
 .../initramfs-abrootfs-hook_0.1.bb            | 41 +++++++-----
 11 files changed, 107 insertions(+), 78 deletions(-)
 rename recipes-initramfs/initramfs-abrootfs-hook/files/{initramfs.lsblk.hook => abrootfs.hook} (62%)
 create mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script
 delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
 delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/postinst

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
index 2813ed9..71cc3ad 100644
--- a/classes/image_uuid.bbclass
+++ b/classes/image_uuid.bbclass
@@ -1,10 +1,11 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2022
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#  Jan Kiszka <jan.kiszka@siemens.com>
 #
 # SPDX-License-Identifier: MIT
 #
@@ -21,13 +22,13 @@ IMAGE_UUID ?= "${@generate_image_uuid(d)}"
 
 do_generate_image_uuid[vardeps] += "IMAGE_UUID"
 do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+do_generate_image_uuid[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_generate_image_uuid() {
     sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
     echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
         sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
-    image_do_mounts
 
-    # update initramfs to add uuid
-    sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
+    echo "TARGET_IMAGE_UUID=\"${IMAGE_UUID}\"" \
+        > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.uuid.env"
 }
-addtask generate_image_uuid before do_copy_boot_files after do_rootfs_install
+addtask generate_image_uuid before do_image after do_rootfs
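
Review bot: The removal of "update-initramfs -u" in do_generate_image_uuid means an initramfs generated inside the rootfs no longer receives the UUID; only a recipe that reads ${IMAGE_FULLNAME}.uuid.env from DEPLOY_DIR_IMAGE does. The commit message should say that image-uuid now requires a separate initramfs recipe, since nothing in this class fails when that consumer is missing.
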
diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass
index 85342fe..5e8e48a 100644
--- a/classes/secure-wic-swu-img.bbclass
+++ b/classes/secure-wic-swu-img.bbclass
@@ -9,10 +9,6 @@
 # SPDX-License-Identifier: MIT
 #
 
-INITRAMFS_RECIPE ?= "cip-core-initramfs"
-do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
-INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
-
 inherit verity-img
 inherit wic-swu-img
 
diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
index 231b249..b93a96a 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/wic-swu-img.bbclass
@@ -16,6 +16,12 @@ inherit wic-img
 inherit swupdate-img
 
 IMAGE_INSTALL += "etc-overlay-fs"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+
 IMAGE_INSTALL += "home-fs"
 IMAGE_INSTALL += "tmp-fs"
 
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 14a5d6a..b329f41 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -25,6 +25,7 @@ local_conf_header:
   secure-boot-image: |
     IMAGE_FSTYPES = "secure-wic-swu-img"
     WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+    INITRAMFS_INSTALL_append = " initramfs-verity-hook"
 
   secure-boot: |
     # Add snakeoil binaries for qemu
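
Review bot: The INITRAMFS_INSTALL_append line makes this kas fragment the only place that adds initramfs-verity-hook, where cip-core-initramfs.bb used to install it unconditionally. A configuration that sets IMAGE_FSTYPES = "secure-wic-swu-img" by other means now gets an initramfs without the verity script and no build-time error. Please document the requirement next to the image class or add a check that fails the build when the hook is absent.
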
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index d811929..5e4e771 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -17,7 +17,7 @@ header:
 
 local_conf_header:
   initramfs: |
-    IMAGE_INSTALL += "initramfs-abrootfs-hook"
+    INITRAMFS_INSTALL_append = " initramfs-abrootfs-hook"
 
   image-option-uuid: |
     CIP_IMAGE_OPTIONS_append = " image-uuid.inc"
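
Review bot: Can this fragment and ebg-secure-boot-snakeoil.yml end up in the same build? Both now append to INITRAMFS_INSTALL, and abrootfs.script in this patch orders itself after every other local-top script and writes ROOT to /conf/param.conf unconditionally. If the two hooks can be installed together, the result should be defined (for example by making them conflict); if they cannot, a comment here saying so would help.
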
diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
index 825fb9f..649daa2 100644
--- a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -10,7 +10,3 @@
 #
 
 inherit initramfs
-
-INITRAMFS_INSTALL += " \
-    initramfs-verity-hook \
-    "
diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook
similarity index 62%
rename from recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook
rename to recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook
index cf32404..bacbc2e 100644
--- a/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook
+++ b/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.hook
@@ -1,9 +1,8 @@
-# This software is a part of ISAR.
-# Copyright (C) Siemens AG, 2020
+#!/bin/sh
+# Copyright (C) Siemens AG, 2020-2022
 #
 # SPDX-License-Identifier: MIT
 
-#!/bin/sh
 PREREQ=""
 
 prereqs()
@@ -21,9 +20,5 @@ esac
 . /usr/share/initramfs-tools/scripts/functions
 . /usr/share/initramfs-tools/hook-functions
 
-if [ ! -x /usr/bin/lsblk ]; then
-	echo "Warning: couldn't find /usr/bin/lsblk!"
-	exit 0
-fi
-
 copy_exec /usr/bin/lsblk
+copy_file library /usr/share/abrootfs/image-uuid.env /usr/share/abrootfs/image-uuid.env
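
Review bot: "copy_exec /usr/bin/lsblk" stays, now without the existence check, but the abrootfs.script added in this patch only calls blkid. If lsblk is no longer used, drop the line and rename the commit's description of the hook accordingly; if it is still needed, please say where.
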
diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script b/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script
new file mode 100644
index 0000000..b61fe30
--- /dev/null
+++ b/recipes-initramfs/initramfs-abrootfs-hook/files/abrootfs.script
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+prereqs()
+{
+    # Make sure that this script is run last in local-top
+    local req
+    for req in "${0%/*}"/*; do
+        script="${req##*/}"
+        if [ "$script" != "${0##*/}" ]; then
+            printf '%s\n' "$script"
+        fi
+    done
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /scripts/functions
+. /usr/share/abrootfs/image-uuid.env
+
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted.  As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken boot.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+    PART*)
+        # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+        # partition
+        ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+        ;;
+    "")
+        # No Root device was given. Use find the matching IMAGE_UUID
+        partitions=$(blkid -o device)
+        for part in $partitions; do
+            if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+                mount -o ro -t $(get_fstype $part) $part ${rootmnt}
+                . ${rootmnt}/etc/os-release
+                umount ${rootmnt}
+                if [ "${IMAGE_UUID}" = "${TARGET_IMAGE_UUID}" ]; then
+                    ROOT="$part"
+                    break
+                fi
+            fi
+        done
+        ;;
+esac
+
+if [ -z "${ROOT}" ]; then
+    panic "Can't find the root device with matching UUID!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
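
Review bot: ". ${rootmnt}/etc/os-release" in the probing loop executes a file from every candidate partition as shell code inside the initramfs, before it is known that the partition is the intended rootfs. Extract the single value instead, for example with the sed expression the deleted image_uuid hook used, and clear IMAGE_UUID at the top of each iteration. The mount result is also unchecked, so a candidate that fails to mount leads to sourcing a missing file and an unconditional umount; continuing with the next partition on failure would be safer. The expansions $part, ${part} and ${rootmnt} are unquoted.
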
diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
deleted file mode 100644
index 910ce84..0000000
--- a/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
+++ /dev/null
@@ -1,33 +0,0 @@
-# This software is a part of ISAR.
-# Copyright (C) Siemens AG, 2020
-#
-# SPDX-License-Identifier: MIT
-
-#!/bin/sh
-set -x
-PREREQ=""
-
-prereqs()
-{
-     echo "$PREREQ"
-}
-
-case $1 in
-prereqs)
-     prereqs
-     exit 0
-     ;;
-esac
-
-. /usr/share/initramfs-tools/scripts/functions
-. /usr/share/initramfs-tools/hook-functions
-
-if [ ! -e /etc/os-release ]; then
-	echo "Warning: couldn't find /etc/os-release!"
-	exit 0
-fi
-
-IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release)
-echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid"
-
-exit 0
\ No newline at end of file
diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/postinst b/recipes-initramfs/initramfs-abrootfs-hook/files/postinst
deleted file mode 100644
index e065524..0000000
--- a/recipes-initramfs/initramfs-abrootfs-hook/files/postinst
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-# patch local script
-patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/initramfs-abrootfs-hook/debian-local.patch
-
-update-initramfs -v -u
diff --git a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
index 9c1776a..1693e85 100644
--- a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
@@ -1,33 +1,40 @@
 #
 # CIP Core, generic profile
 #
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2022
 #
 # Authors:
 #  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#  Jan Kiszka <jan.kiszka@siemens.com>
 #
 # SPDX-License-Identifier: MIT
 
 
 inherit dpkg-raw
 
-DEBIAN_DEPENDS += ", busybox, patch"
+DEBIAN_DEPENDS = "initramfs-tools"
 
-SRC_URI += "file://postinst \
-            file://initramfs.lsblk.hook \
-            file://initramfs.image_uuid.hook \
-            file://debian-local-patch"
+SRC_URI += "file://abrootfs.hook \
+            file://abrootfs.script"
+
+ABROOTFS_IMAGE_RECIPE ?= "cip-core-image"
+
+IMAGE_UUID_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${ABROOTFS_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.uuid.env"
+
+do_install[depends] += "${ABROOTFS_IMAGE_RECIPE}:do_generate_image_uuid"
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/abrootfs \
+    ${D}/usr/share/initramfs-tools/scripts/local-top"
 
 do_install() {
-    # add patch for local to /usr/share/initramfs-abrootfs-hook
-    TARGET=${D}/usr/share/initramfs-abrootfs-hook
-    install -m 0755 -d ${TARGET}
-    install -m 0644 ${WORKDIR}/debian-local-patch ${TARGET}/debian-local.patch
-
-    # add hooks for secure boot
-    HOOKS=${D}/etc/initramfs-tools/hooks
-    install -m 0755 -d ${HOOKS}
-    install -m 0740 ${WORKDIR}/initramfs.lsblk.hook ${HOOKS}/lsblk.hook
-    install -m 0740 ${WORKDIR}/initramfs.image_uuid.hook ${HOOKS}/image_uuid.hook
+    if [ -f "${IMAGE_UUID_ENV_FILE}" ]; then
+        install -m 0600 "${IMAGE_UUID_ENV_FILE}" "${D}/usr/share/abrootfs/image-uuid.env"
+    else
+        bberror "Did not find ${IMAGE_UUID_ENV_FILE}. initramfs will not be build correctly!"
+    fi
+    install -m 0755 "${WORKDIR}/abrootfs.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-top/abrootfs"
+    install -m 0755 "${WORKDIR}/abrootfs.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/abrootfs"
 }
-addtask do_install after do_transform_template
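
Review bot: In do_install, the branch for a missing ${IMAGE_UUID_ENV_FILE} only logs through bberror and then goes on to install abrootfs.script and abrootfs.hook, so a package is produced whose hook refers to an image-uuid.env that is not there. Make that branch stop the task, for example with "exit 1" after the message, and change "build" to "built" in the message. ABROOTFS_IMAGE_RECIPE defaults to "cip-core-image", so an image recipe with another name has to override it; that deserves a comment next to the variable.
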
-- 
2.34.1




* [isar-cip-core][PATCH v3 3/7] squashfs-img: Make sure DEPLOY_DIR_IMAGE exists
  2022-04-25 11:49 [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 1/7] wic: Align kernel command line of qemu-amd64-efibootguard* Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 2/7] initramfs-abrootfs-hook: Convert to an initramfs-class recipe Jan Kiszka
@ 2022-04-25 11:49 ` Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 4/7] Convert /etc overlay from systemd mount unit to initramfs hook Jan Kiszka
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

From: Jan Kiszka <jan.kiszka@siemens.com>

We only get it implicitly so far, but that may always change.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 classes/squashfs-img.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
index 04bb67c..c22d7d6 100644
--- a/classes/squashfs-img.bbclass
+++ b/classes/squashfs-img.bbclass
@@ -29,6 +29,7 @@ python __anonymous() {
     d.appendVar('SQUASHFS_CREATION_ARGS', args)
 }
 
+do_squashfs_image[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_squashfs_image() {
     rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
 
-- 
2.34.1




* [isar-cip-core][PATCH v3 4/7] Convert /etc overlay from systemd mount unit to initramfs hook
  2022-04-25 11:49 [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more Jan Kiszka
                   ` (2 preceding siblings ...)
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 3/7] squashfs-img: Make sure DEPLOY_DIR_IMAGE exists Jan Kiszka
@ 2022-04-25 11:49 ` Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 5/7] customizations: Relocate /root under /home Jan Kiszka
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

From: Jan Kiszka <jan.kiszka@siemens.com>

As systemd is not well prepared for read-only rootfs, specifically /wrt
machine-id management and anything that depends on it, it's best to
mount the /etc overlay already in the initramfs. This implies that also
/var is mounted at that level. We still keep the fstab setup done by
wic-swu-img class so that systemd will recognize the rootfs as read-only
and not try to remount it rw which will only fail with underlying
squashfs.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 classes/wic-swu-img.bbclass                   |  2 --
 .../etc-overlay-fs/etc-overlay-fs_0.1.bb      | 32 -----------------
 .../etc-overlay-fs/files/etc-hostname.service | 14 --------
 .../files/etc-sshd-regen-keys.conf            |  6 ----
 .../etc-overlay-fs/files/etc-sysusers.conf    |  4 ---
 recipes-core/etc-overlay-fs/files/etc.mount   | 13 -------
 recipes-core/etc-overlay-fs/files/postinst    |  4 ---
 .../cip-core-initramfs/cip-core-initramfs.bb  |  4 +++
 .../files/etc-overlay.script                  | 34 +++++++++++++++++++
 .../initramfs-etc-overlay-hook_0.1.bb         | 27 +++++++++++++++
 10 files changed, 65 insertions(+), 75 deletions(-)
 delete mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
 delete mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
 delete mode 100755 recipes-core/etc-overlay-fs/files/postinst
 create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
 create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb

diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
index b93a96a..41b2164 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/wic-swu-img.bbclass
@@ -15,8 +15,6 @@ inherit squashfs-img
 inherit wic-img
 inherit swupdate-img
 
-IMAGE_INSTALL += "etc-overlay-fs"
-
 INITRAMFS_RECIPE ?= "cip-core-initramfs"
 INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
 
diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
deleted file mode 100644
index 4e2b80b..0000000
--- a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-
-inherit dpkg-raw
-
-SRC_URI = "file://postinst \
-           file://etc.mount \
-           file://etc-hostname.service \
-           file://etc-sshd-regen-keys.conf \
-           file://etc-sysusers.conf"
-
-do_install[cleandirs]+="${D}/usr/lib/systemd/system \
-                        ${D}/usr/lib/systemd/system/local-fs.target.wants \
-                        ${D}/usr/lib/systemd/system/systemd-sysusers.service.d \
-                        ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d \
-                        ${D}/var/local/etc \
-                        ${D}/var/local/.atomic \
-                        "
-do_install() {
-    TARGET=${D}/usr/lib/systemd/system
-    install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
-    install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
-    install -m 0644 ${WORKDIR}/etc-sshd-regen-keys.conf ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d/etc-sshd-regen-keys.conf
-    install -m 0644 ${WORKDIR}/etc-sysusers.conf ${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.service
-}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
deleted file mode 100644
index 2306b9f..0000000
--- a/recipes-core/etc-overlay-fs/files/etc-hostname.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=set hostname /etc overlay-aware
-Before=network-pre.target
-Wants=network-pre.target
-Requires=etc.mount
-After=etc.mount
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/hostname --boot --file /etc/hostname
-
-[Install]
-WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
deleted file mode 100644
index b386c12..0000000
--- a/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-# set hostname /etc overlay-aware
-Before=network-pre.target
-Wants=network-pre.target
-Requires=etc.mount
-After=etc.mount
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.conf b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
deleted file mode 100644
index ad45d7f..0000000
--- a/recipes-core/etc-overlay-fs/files/etc-sysusers.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[Unit]
-# make systemd-sysusers /etc overlay aware
-Requires=etc.mount
-After=etc.mount
diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
deleted file mode 100644
index f0ae3c5..0000000
--- a/recipes-core/etc-overlay-fs/files/etc.mount
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Overlay-mount /etc
-Requires=var.mount
-After=var.mount
-
-[Mount]
-What=overlay
-Where=/etc
-Type=overlay
-Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
-
-[Install]
-WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
deleted file mode 100755
index e436b53..0000000
--- a/recipes-core/etc-overlay-fs/files/postinst
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-deb-systemd-helper enable etc.mount  || true
-deb-systemd-helper enable etc-hostname.service || true
diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
index 649daa2..9e0ee26 100644
--- a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -10,3 +10,7 @@
 #
 
 inherit initramfs
+
+INITRAMFS_INSTALL += " \
+    initramfs-etc-overlay-hook \
+    "
diff --git a/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script b/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
new file mode 100644
index 0000000..a9a3663
--- /dev/null
+++ b/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+if ! mount -t $(get_fstype /dev/disk/by-label/var) /dev/disk/by-label/var ${rootmnt}/var; then
+	panic "Can't mount /var partition - overlay will not work!"
+fi
+
+mkdir -p ${rootmnt}/var/local/etc
+mkdir -p ${rootmnt}/var/local/.atomic
+mount -t overlay -o lowerdir=${rootmnt}/etc,upperdir=${rootmnt}/var/local/etc,workdir=${rootmnt}/var/local/.atomic overlay ${rootmnt}/etc
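
Review bot: The final "mount -t overlay ..." is not checked, unlike the /var mount above it. If it fails, boot continues with a read-only /etc and the machine-id problems this series addresses come back without any message; please give it the same "if ! ...; then panic ...; fi" treatment. The ${rootmnt} expansions and the $(get_fstype ...) substitution are unquoted, and the header lacks the SPDX-License-Identifier line that the other new files in this series carry.
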
diff --git a/recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb b/recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb
new file mode 100644
index 0000000..19e9261
--- /dev/null
+++ b/recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb
@@ -0,0 +1,27 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+    file://etc-overlay.script \
+    "
+
+DEBIAN_DEPENDS = "initramfs-tools"
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+    install -m 0755 "${WORKDIR}/etc-overlay.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/etc-overlay"
+}
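
Review bot: do_install[cleandirs] lists ${D}/usr/share/initramfs-tools/hooks, but do_install places nothing there. Either drop that entry or install a hook that makes sure the overlay filesystem module ends up in the initramfs, since etc-overlay.script depends on it at boot.
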
-- 
2.34.1




* [isar-cip-core][PATCH v3 5/7] customizations: Relocate /root under /home
  2022-04-25 11:49 [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more Jan Kiszka
                   ` (3 preceding siblings ...)
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 4/7] Convert /etc overlay from systemd mount unit to initramfs hook Jan Kiszka
@ 2022-04-25 11:49 ` Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 6/7] initramfs-verify-hook: Optimize probing of partitions Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 7/7] secureboot: Prevent getting shell on panic Jan Kiszka
  6 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

From: Jan Kiszka <jan.kiszka@siemens.com>

This is needed for read-only rootfs setups. We could also update the
account settings, but establishing a link comes with fewer surprises.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-core/customizations/files/postinst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/recipes-core/customizations/files/postinst b/recipes-core/customizations/files/postinst
index 9b553da..6ca309a 100644
--- a/recipes-core/customizations/files/postinst
+++ b/recipes-core/customizations/files/postinst
@@ -17,3 +17,7 @@ echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
 HOSTNAME=demo
 echo "$HOSTNAME" > /etc/hostname
 echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
+
+# needed for read-only rootfs with writable /home
+mv /root /home/
+ln -s /home/root /root
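
Review bot: The "mv /root /home/" and "ln -s /home/root /root" pair is not idempotent: a second run of this postinst finds /root already a symlink and /home/root already present. A guard that skips both lines when /root is a symlink would avoid that. With /home on its own partition in the .wks.in, /root also dangles whenever /home is not mounted; a sentence on that in the commit message would help, given that the context above enables root login over ssh.
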
-- 
2.34.1




* [isar-cip-core][PATCH v3 6/7] initramfs-verify-hook: Optimize probing of partitions
  2022-04-25 11:49 [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more Jan Kiszka
                   ` (4 preceding siblings ...)
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 5/7] customizations: Relocate /root under /home Jan Kiszka
@ 2022-04-25 11:49 ` Jan Kiszka
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 7/7] secureboot: Prevent getting shell on panic Jan Kiszka
  6 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

From: Jan Kiszka <jan.kiszka@siemens.com>

Rather than verifying the complete device, match on the UUID embedded
into the dm-verity superblock. That is much faster and, thus, saves boot
time with large partitions and/or slow devices.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../files/verity.script.tmpl                   | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
index 7c75b5b..da37711 100644
--- a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -37,12 +37,20 @@ case "$ROOT" in
     "")
         # No Root device was given. Use veritysetup verify to search matching roots
         partitions=$(blkid -o device)
-        for part in $partitions; do
+        for part in ${partitions}; do
             if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
-                if veritysetup verify \
-                   "$part" "$part" "${ROOT_HASH}" \
-                   --hash-offset "${HASH_OFFSET}";then
-                    ROOT="$part"
+                verity_uuid=$(
+                    veritysetup dump "${part}" --hash-offset "${HASH_OFFSET}" | \
+                        while IFS=":" read key value; do
+                            if [ "${key}" = "UUID" ]; then
+                                # this pattern must use a real tab
+                                echo "${value##*	}"
+                                break
+                            fi
+                        done
+                    )
+                if [ "${UUID}" = "${verity_uuid}" ]; then
+                    ROOT="${part}"
                     break
                 fi
             fi
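
Review bot: The new comparison `[ "${UUID}" = "${verity_uuid}" ]` also succeeds when both sides are empty. `verity_uuid` is empty whenever `veritysetup dump` fails or prints no UUID line for a partition, and `UUID` is not assigned anywhere in the visible lines, so if it is ever unset the first partition with USAGE=filesystem is selected as ROOT. Suggest requiring a non-empty value on both sides, for example `[ -n "${verity_uuid}" ] && [ "${UUID}" = "${verity_uuid}" ]`, and failing early if `UUID` is empty. A second point for the commit message: the removed `veritysetup verify` checked the partition against `${ROOT_HASH}`, while the replacement matches on a superblock field that is read without verification, so selection alone no longer proves anything about the content. Please state that the root hash is still enforced when the device is opened later in the script, since that step is outside this hunk. Minor: the subject says initramfs-verify-hook while the path is initramfs-verity-hook.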
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [isar-cip-core][PATCH v3 7/7] secureboot: Prevent getting shell on panic
  2022-04-25 11:49 [isar-cip-core][PATCH v3 0/7] Fix read-only rootfs setup /wrt etc overlay - and more Jan Kiszka
                   ` (5 preceding siblings ...)
  2022-04-25 11:49 ` [isar-cip-core][PATCH v3 6/7] initramfs-verify-hook: Optimize probing of partitions Jan Kiszka
@ 2022-04-25 11:49 ` Jan Kiszka
  6 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2022-04-25 11:49 UTC (permalink / raw)
  To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm

From: Jan Kiszka <jan.kiszka@siemens.com>

On panic, initramfs-tools opens up a shell unless panic=X is set on the
kernel command line. Fix that because such a shell could break the chain
of trust.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index affa299..4a0e987 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -12,4 +12,4 @@ part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE
 part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
 part /var  --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var  --fstype=ext4 --label var  --align 1024 --size 2G
 
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=5"
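
Review bot: The protection added on the `bootloader --append` line is only as strong as the integrity of the kernel command line, and the change does not say how that is guaranteed. The commit message states that initramfs-tools opens a shell unless panic=X is present, so anything able to alter or drop the command line brings the shell back. Please document, in the commit message or as a comment above the bootloader line, that the command line is covered by the signed boot artefact in this secureboot image, or alternatively enforce the no-shell behaviour inside the initramfs so it does not depend on a boot parameter. A short comment in the .wks.in explaining why `panic=5` is there would also keep it from being removed in a later command-line cleanup.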
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 8+ messages in thread
