* [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity
@ 2021-11-16 11:27 Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 1/9] Add new class to create a squashfs based root file system Q. Gylstorff
` (8 more replies)
0 siblings, 9 replies; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This patch series adds support for a read-only squashfs based root filesystem
wit SWUpdate support and secureboot.
The build is somewhat complex as we need the output of dm-verity to generate
the initramfs. The build is split in the following steps
1. Build the root file system
2. Generate a squashfs image - this can also be replace by another image format(e.g. ext4)
3. Build from the image the dm-verity partition and add it to the end of the image
4. Add the resulting verity environment to the initrd
5. Build the signed efi tool chain.
This series needs SWUpdate 2021.11. The necessary changes are currently backported.
Changes in V2:
- rebase onto orgin/next
- adapt Kconfig to new ebg-secure-boot-snakeoil.yml by deleting unnecessary options
- Cleanup to support different file-systems for verity-img
- tested with ext4 and squashfs
- simplified kernel patching
- prepend not necessary
- added flag to enable/disable
- whitespaces for readability
- integrated into ebg-secure-boot-snakeoil
- make behavior on corruption configurable during build time.
- default is restart on corruption
- add ISAR patch for correct permissions
Quirin Gylstorff (9):
Add new class to create a squashfs based root file system
Add verity-img.bbclass for dm-verity based rootfs
linux-cip-common: Add options necessary for dm-verity
Create a initrd with support for dm-verity
Create an read-only rootfs with dm-verity
Create systemd mount units for a etc overlay
Mount writable home partition
kas: Patch isar for correct permissions in var and home
swupdate: Backport patches from SWUpdate Master
Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++
classes/squashfs-img.bbclass | 41 ++++
classes/verity-img.bbclass | 73 +++++++
kas-cip.yml | 4 +
kas/opt/ebg-secure-boot-base.yml | 2 +
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +-
...when-splitting-rootfs-folders-across.patch | 35 ++++
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++
.../etc-overlay-fs/files/etc-sysusers.service | 14 ++
recipes-core/etc-overlay-fs/files/etc.mount | 13 ++
.../files/overlay-parse-etc.service | 12 ++
recipes-core/etc-overlay-fs/files/postinst | 6 +
recipes-core/home-fs/files/home.mount | 11 +
recipes-core/home-fs/files/postinst | 3 +
recipes-core/home-fs/home-fs_0.1.bb | 10 +
.../images/cip-core-image-read-only.bb | 22 ++
.../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
recipes-core/tmp-fs/files/postinst | 3 +
recipes-core/tmp-fs/files/tmp.mount | 11 +
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 +
.../cip-core-initramfs/cip-core-initramfs.bb | 10 +-
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++
.../files/verity.script.tmpl | 68 +++++++
.../initramfs-verity-hook_0.1.bb | 51 +++++
recipes-kernel/linux/files/verity.cfg | 5 +
recipes-kernel/linux/linux-cip-common.inc | 4 +
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -
wic/qemu-amd64-efibootguard-secureboot.wks.in | 15 ++
32 files changed, 709 insertions(+), 19 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
create mode 100644 classes/squashfs-img.bbclass
create mode 100644 classes/verity-img.bbclass
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
create mode 100755 recipes-core/etc-overlay-fs/files/postinst
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
rename kas/opt/ebg-snakeoil-swu.yml => recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb (61%)
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
create mode 100644 recipes-kernel/linux/files/verity.cfg
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
--
2.30.2
^ permalink raw reply [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 1/9] Add new class to create a squashfs based root file system
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 2/9] Add verity-img.bbclass for dm-verity based rootfs Q. Gylstorff
` (7 subsequent siblings)
8 siblings, 0 replies; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This file system is read only and use a reduced image size.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/squashfs-img.bbclass | 41 ++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 classes/squashfs-img.bbclass
diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
new file mode 100644
index 0000000..0fcfca5
--- /dev/null
+++ b/classes/squashfs-img.bbclass
@@ -0,0 +1,41 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img"
+
+IMAGER_INSTALL += "squashfs-tools"
+
+SQUASHFS_EXCLUDE_DIRS ?= ""
+SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
+SQUASHFS_CREATION_ARGS ?= " "
+# Generate squashfs filesystem image
+python __anonymous() {
+ exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
+ if len(exclude_directories) == 0:
+ return
+ # use wildcard to exclude only content of the the directory
+ # this allows to use the directory as a mount point
+ args = " -wildcards"
+ for dir in exclude_directories:
+ args += " -e {dir}/* ".format(dir=dir)
+ d.appendVar('SQUASHFS_CREATION_ARGS', args)
+}
+
+do_squashfs_image() {
+ rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}'
+
+ image_do_mounts
+
+ sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \
+ "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \
+ ${SQUASHFS_CREATION_ARGS}
+}
+addtask do_squashfs_image before do_image after do_image_tools do_excl_directories
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 2/9] Add verity-img.bbclass for dm-verity based rootfs
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 1/9] Add new class to create a squashfs based root file system Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 3/9] linux-cip-common: Add options necessary for dm-verity Q. Gylstorff
` (6 subsequent siblings)
8 siblings, 0 replies; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
As we need the output of `veritysetup` to generate
the initrd. Therefore do_verity_image must be called before wic
generates the final disk image.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 classes/verity-img.bbclass
diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass
new file mode 100644
index 0000000..3c94643
--- /dev/null
+++ b/classes/verity-img.bbclass
@@ -0,0 +1,73 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+IMAGER_INSTALL += "cryptsetup"
+
+VERITY_IMAGE_TYPE ?= "squashfs"
+VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
+VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
+VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
+VERITY_HASH_BLOCK_SIZE ?= "1024"
+VERITY_DATA_BLOCK_SIZE ?= "1024"
+
+create_verity_env_file() {
+
+ local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
+ rm -f $ENV
+
+ local input="${WORKDIR}/${VERITY_IMAGE_METADATA}"
+ # remove header from verity meta data
+ sed -i '/VERITY header information for/d' $input
+ IFS=":"
+ while read KEY VAL; do
+ printf '%s=%s\n' \
+ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+ "$(echo "$VAL" | tr -d ' \t')" >> $ENV
+ done < $input
+}
+
+verity_setup() {
+ rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+ rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA}
+
+ cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE}
+
+ image_do_mounts
+ sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \
+ --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \
+ --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \
+ --data-blocks "${VERITY_DATA_BLOCKS}" \
+ --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \
+ >"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+
+ echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \
+ >>"${WORKDIR}/${VERITY_IMAGE_METADATA}"
+}
+
+do_verity_image[cleandirs] = "${WORKDIR}/verity"
+python do_verity_image() {
+ import os
+
+ image_file = os.path.join(
+ d.getVar("DEPLOY_DIR_IMAGE"),
+ d.getVar("VERITY_INPUT_IMAGE")
+ )
+ data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE"))
+ size = os.stat(image_file).st_size
+ assert size % data_block_size == 0, f"image is not well-sized!"
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size))
+ d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size))
+
+ bb.build.exec_func('verity_setup', d)
+ bb.build.exec_func('create_verity_env_file', d)
+}
+addtask verity_image before do_image after do_image_tools
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 3/9] linux-cip-common: Add options necessary for dm-verity
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 1/9] Add new class to create a squashfs based root file system Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 2/9] Add verity-img.bbclass for dm-verity based rootfs Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support " Q. Gylstorff
` (5 subsequent siblings)
8 siblings, 0 replies; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
CIP Kernel Config does not contain support for dm-verity
squashfs. Overlay_FS support is added for etc-overlay.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-kernel/linux/files/verity.cfg | 5 +++++
recipes-kernel/linux/linux-cip-common.inc | 4 ++++
2 files changed, 9 insertions(+)
create mode 100644 recipes-kernel/linux/files/verity.cfg
diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
new file mode 100644
index 0000000..35d8208
--- /dev/null
+++ b/recipes-kernel/linux/files/verity.cfg
@@ -0,0 +1,5 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
+CONFIG_OVERLAY_FS=y
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..bbbf812 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -28,3 +28,7 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"
S = "${WORKDIR}/linux-cip-v${PV}"
+
+SECURE_BOOT_KERNEL ?= "0"
+
+SRC_URI += "${@'file://verity.cfg' if d.getVar('SECURE_BOOT_KERNEL') == '1' else ''}"
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
` (2 preceding siblings ...)
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 3/9] linux-cip-common: Add options necessary for dm-verity Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-17 12:33 ` Christian Storm
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity Q. Gylstorff
` (4 subsequent siblings)
8 siblings, 1 reply; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Adapt the initrd to open a dm-verity partition with a fixed
root hash.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
.../files/verity.conf-hook | 1 +
.../initramfs-verity-hook/files/verity.hook | 23 +++++++
.../files/verity.script.tmpl | 68 +++++++++++++++++++
.../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
5 files changed, 159 insertions(+)
create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
new file mode 100644
index 0000000..825fb9f
--- /dev/null
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-verity-hook \
+ "
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
new file mode 100644
index 0000000..9b61fb8
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
@@ -0,0 +1 @@
+BUSYBOX=y
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
new file mode 100644
index 0000000..5eada8a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
@@ -0,0 +1,23 @@
+#!/bin/sh
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+# Begin real processing below this line
+
+manual_add_modules dm_mod
+manual_add_modules dm_verity
+
+copy_exec /sbin/veritysetup
+copy_exec /sbin/dmsetup
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
+copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..c4f3dc4
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
+ printf '%s\n' "$script"
+ fi
+ done
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+. /lib/cryptsetup/functions
+. /usr/share/verity-env/verity.env
+# Even if this script fails horribly, make sure there won't be a chance the
+# current $ROOT will be attempted. As this device most likely contains a
+# perfectly valid filesystem, it would be mounted successfully, leading to a
+# broken trust chain.
+echo "ROOT=/dev/null" >/conf/param.conf
+wait_for_udev 10
+case "$ROOT" in
+ PART*)
+ # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
+ # partition
+ ROOT=$(blkid --list-one --output device --match-token "$ROOT")
+ ;;
+ "")
+ # No Root device was given. Use veritysetup verify to search matching roots
+ partitions=$(blkid -o device)
+ for part in $partitions; do
+ if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
+ if veritysetup verify \
+ "$part" "$part" "${ROOT_HASH}" \
+ --hash-offset "${HASH_OFFSET}";then
+ ROOT="$part"
+ break
+ fi
+ fi
+ done
+ ;;
+esac
+set -- "$ROOT" verityroot
+if ! veritysetup open \
+ ${VERITY_BEHAVIOR_ON_CORRUPTION} \
+ --data-block-size "${DATA_BLOCK_SIZE}" \
+ --hash-block-size "${HASH_BLOCK_SIZE}" \
+ --data-blocks "${DATA_BLOCKS}" \
+ --hash-offset "${HASH_OFFSET}" \
+ --salt "${SALT}" \
+ "$1" "$2" "$1" "${ROOT_HASH}"; then
+ panic "Can't open verity rootfs!"
+fi
+
+wait_for_udev 10
+
+if ! ROOT="$(dm_blkdevname verityroot)"; then
+ panic "Can't find the verity root device!"
+fi
+
+echo "ROOT=${ROOT}" >/conf/param.conf
diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
new file mode 100644
index 0000000..a7fbf5a
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://verity.conf-hook \
+ file://verity.hook \
+ file://verity.script.tmpl \
+ "
+
+VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
+
+TEMPLATE_FILES = "verity.script.tmpl"
+TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
+
+DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
+
+VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
+
+VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
+
+do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/verity-env \
+ ${D}/usr/share/initramfs-tools/scripts/local-top \
+ ${D}/usr/share/initramfs-tools/conf-hooks.d"
+
+do_install() {
+ # Insert the veritysetup commandline into the script
+ if [ -f "${VERITY_ENV_FILE}" ]; then
+ install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
+ else
+ bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
+ fi
+ install -m 0755 "${WORKDIR}/verity.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
+ install -m 0755 "${WORKDIR}/verity.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/verity"
+}
+
+addtask do_install after do_transform_template
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
` (3 preceding siblings ...)
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support " Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-17 12:18 ` Christian Storm
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay Q. Gylstorff
` (3 subsequent siblings)
8 siblings, 1 reply; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This root file system supports SWUpdate and secure boot.
We need a writable /tmp and /var for a boot without error messages.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Kconfig | 3 +-
classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
kas/opt/ebg-secure-boot-base.yml | 2 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
kas/opt/ebg-snakeoil-swu.yml | 16 ----------
.../images/cip-core-image-read-only.bb | 20 ++++++++++++
recipes-core/tmp-fs/files/postinst | 3 ++
recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
11 files changed, 103 insertions(+), 30 deletions(-)
create mode 100644 classes/secure-swupdate-img.bbclass
delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
create mode 100644 recipes-core/images/cip-core-image-read-only.bb
create mode 100755 recipes-core/tmp-fs/files/postinst
create mode 100644 recipes-core/tmp-fs/files/tmp.mount
create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
diff --git a/Kconfig b/Kconfig
index 8421f1b..e97cb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
config KAS_INCLUDE_SWUPDATE_SECBOOT
string
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
- default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
- default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
+ default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
endif
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
new file mode 100644
index 0000000..431939b
--- /dev/null
+++ b/classes/secure-swupdate-img.bbclass
@@ -0,0 +1,32 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SECURE_IMAGE_FSTYPE ?= "squashfs"
+
+inherit ${SECURE_IMAGE_FSTYPE}-img
+
+VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
+
+INITRAMFS_RECIPE ?= "cip-core-initramfs"
+do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
+INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
+
+inherit verity-img
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
+addtask do_wic_image after do_verity_image
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..acb4de0 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -19,3 +19,5 @@ local_conf_header:
IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
SWU_DESCRIPTION = "secureboot"
SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
+ kernel: |
+ SECURE_BOOT_KERNEL = "1"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 2f45bde..4a9185c 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,13 +14,24 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml
+target: cip-core-image-read-only
local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+ IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+
+ verity-img: |
+ SECURE_BOOT_KERNEL = "1"
+ SECURE_IMAGE_FSTYPE = "squashfs"
+ VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
+ IMAGE_TYPE = "secure-swupdate-img"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+
secure-boot: |
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
deleted file mode 100644
index 2f15c0e..0000000
--- a/kas/opt/ebg-snakeoil-swu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/ebg-secure-boot-snakeoil.yml
- - kas/opt/swupdate.yml
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
new file mode 100644
index 0000000..7ef2dc2
--- /dev/null
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -0,0 +1,20 @@
+require cip-core-image.bb
+
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+IMAGE_INSTALL += "tmp-fs"
+IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
new file mode 100755
index 0000000..07017fd
--- /dev/null
+++ b/recipes-core/tmp-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable tmp.mount || true
diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
new file mode 100644
index 0000000..7a31ed6
--- /dev/null
+++ b/recipes-core/tmp-fs/files/tmp.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create /tmp
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=nodev,nosuid,size=500M,mode=755
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
new file mode 100644
index 0000000..4e0c467
--- /dev/null
+++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
@@ -0,0 +1,9 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://tmp.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
+}
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
deleted file mode 100644
index ff351db..0000000
--- a/wic/qemu-amd64-efibootguard-secureboot.wks
+++ /dev/null
@@ -1,11 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-signed-bootloader.inc
-
-# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..c4ea0c8
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -0,0 +1,13 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
` (4 preceding siblings ...)
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-17 12:11 ` Christian Storm
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 7/9] Mount writable home partition Q. Gylstorff
` (2 subsequent siblings)
8 siblings, 1 reply; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
As /etc is read-only and needs to be accessed by the initrd
move the user defined settings to a overlay in /var/local/etc.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++++++++++++++++
.../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++++++++
.../etc-overlay-fs/files/etc-sysusers.service | 14 ++++++++++++++
recipes-core/etc-overlay-fs/files/etc.mount | 13 +++++++++++++
.../files/overlay-parse-etc.service | 12 ++++++++++++
recipes-core/etc-overlay-fs/files/postinst | 6 ++++++
recipes-core/images/cip-core-image-read-only.bb | 1 +
7 files changed, 76 insertions(+)
create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
create mode 100755 recipes-core/etc-overlay-fs/files/postinst
diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
new file mode 100644
index 0000000..f1c8349
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
@@ -0,0 +1,16 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://etc.mount \
+ file://overlay-parse-etc.service \
+ file://etc-hostname.service \
+ file://etc-sysusers.service"
+
+do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic"
+do_install() {
+ TARGET=${D}/lib/systemd/system
+ install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
+ install -m 0644 ${WORKDIR}/overlay-parse-etc.service ${TARGET}/overlay-parse-etc.service
+ install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
+ install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service
+}
diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
new file mode 100644
index 0000000..2306b9f
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=set hostname /etc overlay-aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/hostname --boot --file /etc/hostname
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
new file mode 100644
index 0000000..6caf6b0
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=make systemd-sysusers /etc overlay aware
+Before=network-pre.target
+Wants=network-pre.target
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/systemd-sysusers
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
new file mode 100644
index 0000000..f0ae3c5
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/etc.mount
@@ -0,0 +1,13 @@
+[Unit]
+Description=Overlay-mount /etc
+Requires=var.mount
+After=var.mount
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
+
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
new file mode 100644
index 0000000..062bb40
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Reload Configuration from the etc overlay
+Requires=etc.mount
+After=etc.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=!/bin/systemctl daemon-reload
+ExecStart=!/bin/systemctl --no-block isolate multi-user.target
+[Install]
+WantedBy=local-fs.target
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
new file mode 100755
index 0000000..35641af
--- /dev/null
+++ b/recipes-core/etc-overlay-fs/files/postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+deb-systemd-helper enable etc.mount || true
+deb-systemd-helper enable overlay-parse-etc.service || true
+deb-systemd-helper enable etc-hostname.service || true
+deb-systemd-helper enable etc-sysusers.service || true
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index 7ef2dc2..ceb6ac4 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -2,6 +2,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"
+IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 7/9] Mount writable home partition
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
` (5 preceding siblings ...)
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master Q. Gylstorff
8 siblings, 0 replies; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add an example how to add an writable home partition
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/home-fs/files/home.mount | 11 +++++++++++
recipes-core/home-fs/files/postinst | 3 +++
recipes-core/home-fs/home-fs_0.1.bb | 10 ++++++++++
recipes-core/images/cip-core-image-read-only.bb | 1 +
wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++
5 files changed, 27 insertions(+)
create mode 100644 recipes-core/home-fs/files/home.mount
create mode 100755 recipes-core/home-fs/files/postinst
create mode 100644 recipes-core/home-fs/home-fs_0.1.bb
diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount
new file mode 100644
index 0000000..31272a0
--- /dev/null
+++ b/recipes-core/home-fs/files/home.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Mount /home partition
+
+[Mount]
+What=/dev/disk/by-partlabel/home
+Where=/home
+Type=auto
+Options=defaults
+
+[Install]
+WantedBy=local-fs.target
\ No newline at end of file
diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst
new file mode 100755
index 0000000..f6184d6
--- /dev/null
+++ b/recipes-core/home-fs/files/postinst
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+deb-systemd-helper enable home.mount || true
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb
new file mode 100644
index 0000000..c2b31c1
--- /dev/null
+++ b/recipes-core/home-fs/home-fs_0.1.bb
@@ -0,0 +1,10 @@
+inherit dpkg-raw
+
+SRC_URI = "file://postinst \
+ file://home.mount"
+
+do_install[cleandirs]+="${D}/lib/systemd/system"
+do_install() {
+ install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount
+
+}
\ No newline at end of file
diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
index ceb6ac4..79cd6bf 100644
--- a/recipes-core/images/cip-core-image-read-only.bb
+++ b/recipes-core/images/cip-core-image-read-only.bb
@@ -3,6 +3,7 @@ require cip-core-image.bb
SQUASHFS_EXCLUDE_DIRS += "home var"
IMAGE_INSTALL += "etc-overlay-fs"
+IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index c4ea0c8..81fd4fe 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G
part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
` (6 preceding siblings ...)
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 7/9] Mount writable home partition Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-17 10:27 ` Christian Storm
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master Q. Gylstorff
8 siblings, 1 reply; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas-cip.yml | 4 +++
...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
diff --git a/kas-cip.yml b/kas-cip.yml
index dc56729..8226954 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -25,6 +25,10 @@ repos:
refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
layers:
meta:
+ patches:
+ fix-pseudo:
+ repo: cip-core
+ path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
bblayers_conf_header:
standard: |
diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
new file mode 100644
index 0000000..34704f0
--- /dev/null
+++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
@@ -0,0 +1,35 @@
+From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+Date: Wed, 3 Nov 2021 13:53:00 +0100
+Subject: [PATCH] Fix permissions when splitting rootfs folders across
+ partitions.
+
+This patches ensures that the file database containing the file and
+folder usernames and permissions is always located relative to the
+source and not to the appended rootfs-dir.
+
+Prior to this patch, the database was not found when using
+-rootfs-dir in the WIC script, leading to erronous file
+permissions and ownership.
+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+---
+ scripts/lib/wic/plugins/source/rootfs.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
+index 96d940a9..5ab771e5 100644
+--- a/scripts/lib/wic/plugins/source/rootfs.py
++++ b/scripts/lib/wic/plugins/source/rootfs.py
+@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
+
+ part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+ part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
+- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
+ if not os.path.lexists(pseudo_dir):
+ logger.warn("%s folder does not exist. "
+ "Usernames and permissions will be invalid " % pseudo_dir)
+--
+2.30.2
+
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
` (7 preceding siblings ...)
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home Q. Gylstorff
@ 2021-11-16 11:27 ` Q. Gylstorff
2021-11-17 10:40 ` Christian Storm
8 siblings, 1 reply; 25+ messages in thread
From: Q. Gylstorff @ 2021-11-16 11:27 UTC (permalink / raw)
To: raphael.lisicki, jan.kiszka, cip-dev
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Backport the following patches to detect the correct partition to
update.
388f1777 util: Add get_root source /proc/self/mountinfo
3914d2b7 util: Extend get_root to find LUKS devices
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
.../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
2 files changed, 193 insertions(+)
create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
new file mode 100644
index 0000000..f143207
--- /dev/null
+++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
@@ -0,0 +1,188 @@
+From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 25 Oct 2021 14:43:07 +0200
+Subject: [PATCH] add patches for dm-verity
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
+ ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
+ debian/patches/series | 2 +
+ 3 files changed, 153 insertions(+)
+ create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+ create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+
+diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+new file mode 100644
+index 0000000..5db0e61
+--- /dev/null
++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
+@@ -0,0 +1,68 @@
++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
++From: Christian Storm <christian.storm@siemens.com>
++Date: Thu, 10 Jun 2021 00:30:24 +0200
++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
++
++Filesystems such as BTRFS report synthetic device major:minor
++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
++won't be found by get_root_from_partitions().
++
++As /proc/self/mountinfo's information is subject to mount-
++namespacing, it complements get_root_from_partitions() rather
++than replacing it.
++
++Signed-off-by: Christian Storm <christian.storm@siemens.com>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
++---
++ core/util.c | 28 ++++++++++++++++++++++++++++
++ 1 file changed, 28 insertions(+)
++
++diff --git a/core/util.c b/core/util.c
++index 7d7673a..51a16b6 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
++ return NULL;
++ }
++
+++/*
+++ * Return the rootfs's device name from /proc/self/mountinfo.
+++ * Needed for filesystems having synthetic stat(2) st_dev
+++ * values such as BTRFS.
+++ */
+++static char *get_root_from_mountinfo(void)
+++{
+++ char *mnt_point, *device = NULL;
+++ FILE *fp = fopen("/proc/self/mountinfo", "r");
+++ while (fp && !feof(fp)){
+++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
+++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
+++ &mnt_point, &device) == 2) {
+++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
+++ free(mnt_point);
+++ break;
+++ }
+++ free(mnt_point);
+++ free(device);
+++ }
+++ device = NULL;
+++ }
+++ (void)fclose(fp);
+++ return device;
+++}
+++
++ #define MAX_CMDLINE_LENGTH 4096
++ static char *get_root_from_cmdline(void)
++ {
++@@ -936,6 +962,8 @@ char *get_root_device(void)
++ root = get_root_from_partitions();
++ if (!root)
++ root = get_root_from_cmdline();
+++ if (!root)
+++ root = get_root_from_mountinfo();
++
++ return root;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+new file mode 100644
+index 0000000..a62d59c
+--- /dev/null
++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
+@@ -0,0 +1,83 @@
++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
++From: Stefano Babic <sbabic@denx.de>
++Date: Thu, 10 Jun 2021 16:14:44 +0200
++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
++
++This helps in case of encrypted filesystem or device mapper.
++The returned device read from partitions is usually a dm-X device and
++this does not show which is the block device that contains it. Look in
++sysfs and check if the device has "slaves" entries, indicating the
++presence of an underlying device. If found, return this instead of the
++device returned parsing /proc/partitions.
++
++Signed-off-by: Stefano Babic <sbabic@denx.de>
++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
++---
++ core/util.c | 26 ++++++++++++++++++++++++--
++ 1 file changed, 24 insertions(+), 2 deletions(-)
++
++diff --git a/core/util.c b/core/util.c
++index 51a16b6..3b81c09 100644
++--- a/core/util.c
+++++ b/core/util.c
++@@ -24,6 +24,7 @@
++ #include <libgen.h>
++ #include <regex.h>
++ #include <string.h>
+++#include <dirent.h>
++
++ #if defined(__linux__)
++ #include <sys/statvfs.h>
++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
++ /*
++ * This returns the device name where rootfs is mounted
++ */
+++
+++static int filter_slave(const struct dirent *ent) {
+++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
+++}
++ static char *get_root_from_partitions(void)
++ {
++ struct stat info;
++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
++ char *devname = NULL;
++ unsigned long major, minor, nblocks;
++ char buf[256];
++- int ret;
+++ int ret, dev_major, dev_minor, n;
+++ struct dirent **devlist = NULL;
++
++ if (stat("/", &info) < 0)
++ return NULL;
++
+++ dev_major = info.st_dev / 256;
+++ dev_minor = info.st_dev % 256;
+++
+++ /*
+++ * Check if this is just a container, for example in case of LUKS
+++ * Search if the device has slaves pointing to another device
+++ */
+++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
+++ n = scandir(buf, &devlist, filter_slave, NULL);
+++ if (n == 1) {
+++ devname = strdup(devlist[0]->d_name);
+++ free(devlist);
+++ return devname;
+++ }
+++ free(devlist);
+++
++ fp = fopen("/proc/partitions", "r");
++ if (!fp)
++ return NULL;
++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
++ &major, &minor, &nblocks, &devname);
++ if (ret != 4)
++ continue;
++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
+++ if ((major == dev_major) && (minor == dev_minor)) {
++ fclose(fp);
++ return devname;
++ }
++--
++2.30.2
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..f3bd00e 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,3 @@
+ use-gcc-compiler.diff
++0002-util-Extend-get_root-to-find-LUKS-devices.diff
++0001-util-Add-get_root-source-proc-self-mountinfo.diff
+--
+2.30.2
+
diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index 7a0fb9b..90854a4 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"
+# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
+SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
+
+# end patching for dm-verity based images
+
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
--
2.30.2
^ permalink raw reply related [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home Q. Gylstorff
@ 2021-11-17 10:27 ` Christian Storm
2021-11-17 11:41 ` Gylstorff Quirin
0 siblings, 1 reply; 25+ messages in thread
From: Christian Storm @ 2021-11-17 10:27 UTC (permalink / raw)
To: cip-dev
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
A note where this comes from, where it's supposed to go in oder to get
rid of this patch here eventually would be helpful.
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> kas-cip.yml | 4 +++
> ...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
> 2 files changed, 39 insertions(+)
> create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
>
> diff --git a/kas-cip.yml b/kas-cip.yml
> index dc56729..8226954 100644
> --- a/kas-cip.yml
> +++ b/kas-cip.yml
> @@ -25,6 +25,10 @@ repos:
> refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
> layers:
> meta:
> + patches:
> + fix-pseudo:
> + repo: cip-core
> + path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
>
> bblayers_conf_header:
> standard: |
> diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
> new file mode 100644
> index 0000000..34704f0
> --- /dev/null
> +++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
> @@ -0,0 +1,35 @@
> +From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
> +From: Felix Moessbauer <felix.moessbauer@siemens.com>
> +Date: Wed, 3 Nov 2021 13:53:00 +0100
> +Subject: [PATCH] Fix permissions when splitting rootfs folders across
> + partitions.
> +
> +This patches ensures that the file database containing the file and
> +folder usernames and permissions is always located relative to the
> +source and not to the appended rootfs-dir.
> +
> +Prior to this patch, the database was not found when using
> +-rootfs-dir in the WIC script, leading to erronous file
> +permissions and ownership.
> +
> +Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> +---
> + scripts/lib/wic/plugins/source/rootfs.py | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
> +index 96d940a9..5ab771e5 100644
> +--- a/scripts/lib/wic/plugins/source/rootfs.py
> ++++ b/scripts/lib/wic/plugins/source/rootfs.py
> +@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
> +
> + part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
> + part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
> +- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
> ++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
> + if not os.path.lexists(pseudo_dir):
> + logger.warn("%s folder does not exist. "
> + "Usernames and permissions will be invalid " % pseudo_dir)
> +--
> +2.30.2
> +
> --
> 2.30.2
>
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master Q. Gylstorff
@ 2021-11-17 10:40 ` Christian Storm
2021-11-17 11:36 ` Gylstorff Quirin
0 siblings, 1 reply; 25+ messages in thread
From: Christian Storm @ 2021-11-17 10:40 UTC (permalink / raw)
To: cip-dev
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Backport the following patches to detect the correct partition to
> update.
> 388f1777 util: Add get_root source /proc/self/mountinfo
> 3914d2b7 util: Extend get_root to find LUKS devices
Why not upgrade to a newer version of SWUpdate instead of backporting
stuff? There's no real advantage to stay on a "release" as SWUpdate
follows rolling releases -- granted, you have to do the qualification
but that applies to "releases" as well...
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
> .../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
> 2 files changed, 193 insertions(+)
> create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
>
> diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
> new file mode 100644
> index 0000000..f143207
> --- /dev/null
> +++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
> @@ -0,0 +1,188 @@
> +From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
> +From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +Date: Mon, 25 Oct 2021 14:43:07 +0200
> +Subject: [PATCH] add patches for dm-verity
> +
> +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +---
> + ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
> + ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
> + debian/patches/series | 2 +
> + 3 files changed, 153 insertions(+)
> + create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
> + create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
> +
> +diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
> +new file mode 100644
> +index 0000000..5db0e61
> +--- /dev/null
> ++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
> +@@ -0,0 +1,68 @@
> ++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
> ++From: Christian Storm <christian.storm@siemens.com>
> ++Date: Thu, 10 Jun 2021 00:30:24 +0200
> ++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
> ++
> ++Filesystems such as BTRFS report synthetic device major:minor
> ++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
> ++won't be found by get_root_from_partitions().
> ++
> ++As /proc/self/mountinfo's information is subject to mount-
> ++namespacing, it complements get_root_from_partitions() rather
> ++than replacing it.
> ++
> ++Signed-off-by: Christian Storm <christian.storm@siemens.com>
> ++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Hm, why is your sign-off needed here as you've grabbed that directly
from SWUpdate's repo?
> ++---
> ++ core/util.c | 28 ++++++++++++++++++++++++++++
> ++ 1 file changed, 28 insertions(+)
> ++
> ++diff --git a/core/util.c b/core/util.c
> ++index 7d7673a..51a16b6 100644
> ++--- a/core/util.c
> +++++ b/core/util.c
> ++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
> ++ return NULL;
> ++ }
> ++
> +++/*
> +++ * Return the rootfs's device name from /proc/self/mountinfo.
> +++ * Needed for filesystems having synthetic stat(2) st_dev
> +++ * values such as BTRFS.
> +++ */
> +++static char *get_root_from_mountinfo(void)
> +++{
> +++ char *mnt_point, *device = NULL;
> +++ FILE *fp = fopen("/proc/self/mountinfo", "r");
> +++ while (fp && !feof(fp)){
> +++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
> +++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
> +++ &mnt_point, &device) == 2) {
> +++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
> +++ free(mnt_point);
> +++ break;
> +++ }
> +++ free(mnt_point);
> +++ free(device);
> +++ }
> +++ device = NULL;
> +++ }
> +++ (void)fclose(fp);
> +++ return device;
> +++}
> +++
> ++ #define MAX_CMDLINE_LENGTH 4096
> ++ static char *get_root_from_cmdline(void)
> ++ {
> ++@@ -936,6 +962,8 @@ char *get_root_device(void)
> ++ root = get_root_from_partitions();
> ++ if (!root)
> ++ root = get_root_from_cmdline();
> +++ if (!root)
> +++ root = get_root_from_mountinfo();
> ++
> ++ return root;
> ++ }
> ++--
> ++2.30.2
> ++
> +diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
> +new file mode 100644
> +index 0000000..a62d59c
> +--- /dev/null
> ++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
> +@@ -0,0 +1,83 @@
> ++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
> ++From: Stefano Babic <sbabic@denx.de>
> ++Date: Thu, 10 Jun 2021 16:14:44 +0200
> ++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
> ++
> ++This helps in case of encrypted filesystem or device mapper.
> ++The returned device read from partitions is usually a dm-X device and
> ++this does not show which is the block device that contains it. Look in
> ++sysfs and check if the device has "slaves" entries, indicating the
> ++presence of an underlying device. If found, return this instead of the
> ++device returned parsing /proc/partitions.
> ++
> ++Signed-off-by: Stefano Babic <sbabic@denx.de>
> ++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Same question as above applies here.
> ++---
> ++ core/util.c | 26 ++++++++++++++++++++++++--
> ++ 1 file changed, 24 insertions(+), 2 deletions(-)
> ++
> ++diff --git a/core/util.c b/core/util.c
> ++index 51a16b6..3b81c09 100644
> ++--- a/core/util.c
> +++++ b/core/util.c
> ++@@ -24,6 +24,7 @@
> ++ #include <libgen.h>
> ++ #include <regex.h>
> ++ #include <string.h>
> +++#include <dirent.h>
> ++
> ++ #if defined(__linux__)
> ++ #include <sys/statvfs.h>
> ++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
> ++ /*
> ++ * This returns the device name where rootfs is mounted
> ++ */
> +++
> +++static int filter_slave(const struct dirent *ent) {
> +++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
> +++}
> ++ static char *get_root_from_partitions(void)
> ++ {
> ++ struct stat info;
> ++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
> ++ char *devname = NULL;
> ++ unsigned long major, minor, nblocks;
> ++ char buf[256];
> ++- int ret;
> +++ int ret, dev_major, dev_minor, n;
> +++ struct dirent **devlist = NULL;
> ++
> ++ if (stat("/", &info) < 0)
> ++ return NULL;
> ++
> +++ dev_major = info.st_dev / 256;
> +++ dev_minor = info.st_dev % 256;
> +++
> +++ /*
> +++ * Check if this is just a container, for example in case of LUKS
> +++ * Search if the device has slaves pointing to another device
> +++ */
> +++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
> +++ n = scandir(buf, &devlist, filter_slave, NULL);
> +++ if (n == 1) {
> +++ devname = strdup(devlist[0]->d_name);
> +++ free(devlist);
> +++ return devname;
> +++ }
> +++ free(devlist);
> +++
> ++ fp = fopen("/proc/partitions", "r");
> ++ if (!fp)
> ++ return NULL;
> ++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
> ++ &major, &minor, &nblocks, &devname);
> ++ if (ret != 4)
> ++ continue;
> ++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
> +++ if ((major == dev_major) && (minor == dev_minor)) {
> ++ fclose(fp);
> ++ return devname;
> ++ }
> ++--
> ++2.30.2
> ++
> +diff --git a/debian/patches/series b/debian/patches/series
> +index 8c5564a..f3bd00e 100644
> +--- a/debian/patches/series
> ++++ b/debian/patches/series
> +@@ -1 +1,3 @@
> + use-gcc-compiler.diff
> ++0002-util-Extend-get_root-to-find-LUKS-devices.diff
> ++0001-util-Add-get_root-source-proc-self-mountinfo.diff
> +--
> +2.30.2
> +
> diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
> index 7a0fb9b..90854a4 100644
> --- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
> +++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
> @@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
> file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
> file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"
>
> +# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
> +SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
> +
> +# end patching for dm-verity based images
> +
> # deactivate signing and encryption for simple a/b rootfs update
> SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
>
> --
> 2.30.2
>
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master
2021-11-17 10:40 ` Christian Storm
@ 2021-11-17 11:36 ` Gylstorff Quirin
2021-11-19 6:42 ` Jan Kiszka
0 siblings, 1 reply; 25+ messages in thread
From: Gylstorff Quirin @ 2021-11-17 11:36 UTC (permalink / raw)
To: cip-dev
On 11/17/21 11:40 AM, Christian Storm via lists.cip-project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Backport the following patches to detect the correct partition to
>> update.
>> 388f1777 util: Add get_root source /proc/self/mountinfo
>> 3914d2b7 util: Extend get_root to find LUKS devices
>
> Why not upgrade to a newer version of SWUpdate instead of backporting
> stuff? There's no real advantage to stay on a "release" as SWUpdate
> follows rolling releases -- granted, you have to do the qualification
> but that applies to "releases" as well...
>
The build of SWUpdate uses dpkg-gbp to follow the Debian build of
SWUpdate with sources from [1].
As Debian only follows fixed release , currently 2021.04, I patched the
version.
This patchset is no longer necessary after Debian uses the next Release
SWUpdate version.
[1]: https://salsa.debian.org/debian/swupdate.
>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> .../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++
>> .../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 +
>> 2 files changed, 193 insertions(+)
>> create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
>>
>> diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
>> new file mode 100644
>> index 0000000..f143207
>> --- /dev/null
>> +++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch
>> @@ -0,0 +1,188 @@
>> +From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001
>> +From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +Date: Mon, 25 Oct 2021 14:43:07 +0200
>> +Subject: [PATCH] add patches for dm-verity
>> +
>> +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +---
>> + ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++
>> + ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++
>> + debian/patches/series | 2 +
>> + 3 files changed, 153 insertions(+)
>> + create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
>> + create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
>> +
>> +diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
>> +new file mode 100644
>> +index 0000000..5db0e61
>> +--- /dev/null
>> ++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff
>> +@@ -0,0 +1,68 @@
>> ++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001
>> ++From: Christian Storm <christian.storm@siemens.com>
>> ++Date: Thu, 10 Jun 2021 00:30:24 +0200
>> ++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo
>> ++
>> ++Filesystems such as BTRFS report synthetic device major:minor
>> ++numbers in stat(2)'s st_dev value. Hence, such a root filesystem
>> ++won't be found by get_root_from_partitions().
>> ++
>> ++As /proc/self/mountinfo's information is subject to mount-
>> ++namespacing, it complements get_root_from_partitions() rather
>> ++than replacing it.
>> ++
>> ++Signed-off-by: Christian Storm <christian.storm@siemens.com>
>> ++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Hm, why is your sign-off needed here as you've grabbed that directly
> from SWUpdate's repo?
I will fix it in a new version.
>
>> ++---
>> ++ core/util.c | 28 ++++++++++++++++++++++++++++
>> ++ 1 file changed, 28 insertions(+)
>> ++
>> ++diff --git a/core/util.c b/core/util.c
>> ++index 7d7673a..51a16b6 100644
>> ++--- a/core/util.c
>> +++++ b/core/util.c
>> ++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void)
>> ++ return NULL;
>> ++ }
>> ++
>> +++/*
>> +++ * Return the rootfs's device name from /proc/self/mountinfo.
>> +++ * Needed for filesystems having synthetic stat(2) st_dev
>> +++ * values such as BTRFS.
>> +++ */
>> +++static char *get_root_from_mountinfo(void)
>> +++{
>> +++ char *mnt_point, *device = NULL;
>> +++ FILE *fp = fopen("/proc/self/mountinfo", "r");
>> +++ while (fp && !feof(fp)){
>> +++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */
>> +++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s",
>> +++ &mnt_point, &device) == 2) {
>> +++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) {
>> +++ free(mnt_point);
>> +++ break;
>> +++ }
>> +++ free(mnt_point);
>> +++ free(device);
>> +++ }
>> +++ device = NULL;
>> +++ }
>> +++ (void)fclose(fp);
>> +++ return device;
>> +++}
>> +++
>> ++ #define MAX_CMDLINE_LENGTH 4096
>> ++ static char *get_root_from_cmdline(void)
>> ++ {
>> ++@@ -936,6 +962,8 @@ char *get_root_device(void)
>> ++ root = get_root_from_partitions();
>> ++ if (!root)
>> ++ root = get_root_from_cmdline();
>> +++ if (!root)
>> +++ root = get_root_from_mountinfo();
>> ++
>> ++ return root;
>> ++ }
>> ++--
>> ++2.30.2
>> ++
>> +diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
>> +new file mode 100644
>> +index 0000000..a62d59c
>> +--- /dev/null
>> ++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff
>> +@@ -0,0 +1,83 @@
>> ++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001
>> ++From: Stefano Babic <sbabic@denx.de>
>> ++Date: Thu, 10 Jun 2021 16:14:44 +0200
>> ++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices
>> ++
>> ++This helps in case of encrypted filesystem or device mapper.
>> ++The returned device read from partitions is usually a dm-X device and
>> ++this does not show which is the block device that contains it. Look in
>> ++sysfs and check if the device has "slaves" entries, indicating the
>> ++presence of an underlying device. If found, return this instead of the
>> ++device returned parsing /proc/partitions.
>> ++
>> ++Signed-off-by: Stefano Babic <sbabic@denx.de>
>> ++Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Same question as above applies here.
>
New version is in work
>> ++---
>> ++ core/util.c | 26 ++++++++++++++++++++++++--
>> ++ 1 file changed, 24 insertions(+), 2 deletions(-)
>> ++
>> ++diff --git a/core/util.c b/core/util.c
>> ++index 51a16b6..3b81c09 100644
>> ++--- a/core/util.c
>> +++++ b/core/util.c
>> ++@@ -24,6 +24,7 @@
>> ++ #include <libgen.h>
>> ++ #include <regex.h>
>> ++ #include <string.h>
>> +++#include <dirent.h>
>> ++
>> ++ #if defined(__linux__)
>> ++ #include <sys/statvfs.h>
>> ++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src)
>> ++ /*
>> ++ * This returns the device name where rootfs is mounted
>> ++ */
>> +++
>> +++static int filter_slave(const struct dirent *ent) {
>> +++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."));
>> +++}
>> ++ static char *get_root_from_partitions(void)
>> ++ {
>> ++ struct stat info;
>> ++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void)
>> ++ char *devname = NULL;
>> ++ unsigned long major, minor, nblocks;
>> ++ char buf[256];
>> ++- int ret;
>> +++ int ret, dev_major, dev_minor, n;
>> +++ struct dirent **devlist = NULL;
>> ++
>> ++ if (stat("/", &info) < 0)
>> ++ return NULL;
>> ++
>> +++ dev_major = info.st_dev / 256;
>> +++ dev_minor = info.st_dev % 256;
>> +++
>> +++ /*
>> +++ * Check if this is just a container, for example in case of LUKS
>> +++ * Search if the device has slaves pointing to another device
>> +++ */
>> +++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor);
>> +++ n = scandir(buf, &devlist, filter_slave, NULL);
>> +++ if (n == 1) {
>> +++ devname = strdup(devlist[0]->d_name);
>> +++ free(devlist);
>> +++ return devname;
>> +++ }
>> +++ free(devlist);
>> +++
>> ++ fp = fopen("/proc/partitions", "r");
>> ++ if (!fp)
>> ++ return NULL;
>> ++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void)
>> ++ &major, &minor, &nblocks, &devname);
>> ++ if (ret != 4)
>> ++ continue;
>> ++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) {
>> +++ if ((major == dev_major) && (minor == dev_minor)) {
>> ++ fclose(fp);
>> ++ return devname;
>> ++ }
>> ++--
>> ++2.30.2
>> ++
>> +diff --git a/debian/patches/series b/debian/patches/series
>> +index 8c5564a..f3bd00e 100644
>> +--- a/debian/patches/series
>> ++++ b/debian/patches/series
>> +@@ -1 +1,3 @@
>> + use-gcc-compiler.diff
>> ++0002-util-Extend-get_root-to-find-LUKS-devices.diff
>> ++0001-util-Add-get_root-source-proc-self-mountinfo.diff
>> +--
>> +2.30.2
>> +
>> diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
>> index 7a0fb9b..90854a4 100644
>> --- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
>> +++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
>> @@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
>> file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
>> file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch"
>>
>> +# Patch for dm-verity based images - can be removed with SWUpdate 2021.10
>> +SRC_URI += "file://0001-add-patches-for-dm-verity.patch"
>> +
>> +# end patching for dm-verity based images
>> +
>> # deactivate signing and encryption for simple a/b rootfs update
>> SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
>>
>> --
>> 2.30.2
>>
>
>
> Kind regards,
> Christian
>
Quirin
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home
2021-11-17 10:27 ` Christian Storm
@ 2021-11-17 11:41 ` Gylstorff Quirin
0 siblings, 0 replies; 25+ messages in thread
From: Gylstorff Quirin @ 2021-11-17 11:41 UTC (permalink / raw)
To: cip-dev
On 11/17/21 11:27 AM, Christian Storm via lists.cip-project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
>
> A note where this comes from, where it's supposed to go in oder to get
> rid of this patch here eventually would be helpful.
>
I will add a link to the discussion of the Patch on the ISAR mailing
list[1] in the next version.
[1]: https://groups.google.com/g/isar-users/c/wlanc7f7UnQ
Kind regards
Quirin
>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> kas-cip.yml | 4 +++
>> ...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++
>> 2 files changed, 39 insertions(+)
>> create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
>>
>> diff --git a/kas-cip.yml b/kas-cip.yml
>> index dc56729..8226954 100644
>> --- a/kas-cip.yml
>> +++ b/kas-cip.yml
>> @@ -25,6 +25,10 @@ repos:
>> refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3
>> layers:
>> meta:
>> + patches:
>> + fix-pseudo:
>> + repo: cip-core
>> + path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
>>
>> bblayers_conf_header:
>> standard: |
>> diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
>> new file mode 100644
>> index 0000000..34704f0
>> --- /dev/null
>> +++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch
>> @@ -0,0 +1,35 @@
>> +From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001
>> +From: Felix Moessbauer <felix.moessbauer@siemens.com>
>> +Date: Wed, 3 Nov 2021 13:53:00 +0100
>> +Subject: [PATCH] Fix permissions when splitting rootfs folders across
>> + partitions.
>> +
>> +This patches ensures that the file database containing the file and
>> +folder usernames and permissions is always located relative to the
>> +source and not to the appended rootfs-dir.
>> +
>> +Prior to this patch, the database was not found when using
>> +-rootfs-dir in the WIC script, leading to erronous file
>> +permissions and ownership.
>> +
>> +Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
>> +---
>> + scripts/lib/wic/plugins/source/rootfs.py | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
>> +index 96d940a9..5ab771e5 100644
>> +--- a/scripts/lib/wic/plugins/source/rootfs.py
>> ++++ b/scripts/lib/wic/plugins/source/rootfs.py
>> +@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin):
>> +
>> + part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
>> + part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
>> +- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
>> ++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo")
>> + if not os.path.lexists(pseudo_dir):
>> + logger.warn("%s folder does not exist. "
>> + "Usernames and permissions will be invalid " % pseudo_dir)
>> +--
>> +2.30.2
>> +
>> --
>> 2.30.2
>>
>
>
>
> Kind regards,
> Christian
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6936): https://lists.cip-project.org/g/cip-dev/message/6936
> Mute This Topic: https://lists.cip-project.org/mt/87092663/1753640
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129121/1753640/1405269326/xyzzy [quirin.gylstorff@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay Q. Gylstorff
@ 2021-11-17 12:11 ` Christian Storm
2021-11-18 18:12 ` Gylstorff Quirin
0 siblings, 1 reply; 25+ messages in thread
From: Christian Storm @ 2021-11-17 12:11 UTC (permalink / raw)
To: cip-dev
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> As /etc is read-only and needs to be accessed by the initrd
> move the user defined settings to a overlay in /var/local/etc.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++++++++++++++++
> .../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++++++++
> .../etc-overlay-fs/files/etc-sysusers.service | 14 ++++++++++++++
> recipes-core/etc-overlay-fs/files/etc.mount | 13 +++++++++++++
> .../files/overlay-parse-etc.service | 12 ++++++++++++
> recipes-core/etc-overlay-fs/files/postinst | 6 ++++++
> recipes-core/images/cip-core-image-read-only.bb | 1 +
> 7 files changed, 76 insertions(+)
> create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
> create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
> create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
> create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
> create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
> create mode 100755 recipes-core/etc-overlay-fs/files/postinst
>
> diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
> new file mode 100644
> index 0000000..f1c8349
> --- /dev/null
> +++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
> @@ -0,0 +1,16 @@
> +inherit dpkg-raw
> +
> +SRC_URI = "file://postinst \
> + file://etc.mount \
> + file://overlay-parse-etc.service \
> + file://etc-hostname.service \
> + file://etc-sysusers.service"
> +
> +do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic"
> +do_install() {
> + TARGET=${D}/lib/systemd/system
> + install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
> + install -m 0644 ${WORKDIR}/overlay-parse-etc.service ${TARGET}/overlay-parse-etc.service
> + install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
> + install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service
> +}
> diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
> new file mode 100644
> index 0000000..2306b9f
> --- /dev/null
> +++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=set hostname /etc overlay-aware
> +Before=network-pre.target
> +Wants=network-pre.target
> +Requires=etc.mount
> +After=etc.mount
> +
> +[Service]
> +Type=oneshot
> +RemainAfterExit=yes
> +ExecStart=/bin/hostname --boot --file /etc/hostname
> +
> +[Install]
> +WantedBy=basic.target
> diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
> new file mode 100644
> index 0000000..6caf6b0
> --- /dev/null
> +++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
> @@ -0,0 +1,14 @@
> +[Unit]
> +Description=make systemd-sysusers /etc overlay aware
> +Before=network-pre.target
> +Wants=network-pre.target
> +Requires=etc.mount
> +After=etc.mount
> +
> +[Service]
> +Type=oneshot
> +RemainAfterExit=yes
> +ExecStart=/usr/bin/systemd-sysusers
> +
> +[Install]
> +WantedBy=basic.target
Hm, why do you replace/create those services instead of augmenting the
current default ones via conf.d'lets?
Why is this one here dependent on network?
Why does this differ that much from upstream service files, see, e.g.,
https://github.com/systemd/systemd/blob/main/units/systemd-sysusers.service
> diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
> new file mode 100644
> index 0000000..f0ae3c5
> --- /dev/null
> +++ b/recipes-core/etc-overlay-fs/files/etc.mount
> @@ -0,0 +1,13 @@
> +[Unit]
> +Description=Overlay-mount /etc
> +Requires=var.mount
> +After=var.mount
> +
> +[Mount]
> +What=overlay
> +Where=/etc
> +Type=overlay
> +Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
> +
> +[Install]
> +WantedBy=local-fs.target
> diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
> new file mode 100644
> index 0000000..062bb40
> --- /dev/null
> +++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
> @@ -0,0 +1,12 @@
> +[Unit]
> +Description=Reload Configuration from the etc overlay
> +Requires=etc.mount
> +After=etc.mount
> +
> +[Service]
> +Type=oneshot
> +RemainAfterExit=yes
> +ExecStartPre=!/bin/systemctl daemon-reload
> +ExecStart=!/bin/systemctl --no-block isolate multi-user.target
Wow, this is a big cannon, why do you need this? Isn't there another way?
> +[Install]
> +WantedBy=local-fs.target
> diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
> new file mode 100755
> index 0000000..35641af
> --- /dev/null
> +++ b/recipes-core/etc-overlay-fs/files/postinst
> @@ -0,0 +1,6 @@
> +#!/bin/sh
> +
> +deb-systemd-helper enable etc.mount || true
> +deb-systemd-helper enable overlay-parse-etc.service || true
> +deb-systemd-helper enable etc-hostname.service || true
> +deb-systemd-helper enable etc-sysusers.service || true
> diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
> index 7ef2dc2..ceb6ac4 100644
> --- a/recipes-core/images/cip-core-image-read-only.bb
> +++ b/recipes-core/images/cip-core-image-read-only.bb
> @@ -2,6 +2,7 @@ require cip-core-image.bb
>
> SQUASHFS_EXCLUDE_DIRS += "home var"
>
> +IMAGE_INSTALL += "etc-overlay-fs"
> IMAGE_INSTALL += "tmp-fs"
> IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
>
> --
> 2.30.2
>
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity Q. Gylstorff
@ 2021-11-17 12:18 ` Christian Storm
2021-11-18 18:10 ` Gylstorff Quirin
0 siblings, 1 reply; 25+ messages in thread
From: Christian Storm @ 2021-11-17 12:18 UTC (permalink / raw)
To: cip-dev
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This root file system supports SWUpdate and secure boot.
> We need a writable /tmp and /var for a boot without error messages.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Kconfig | 3 +-
> classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
> kas/opt/ebg-secure-boot-base.yml | 2 ++
> kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
> kas/opt/ebg-snakeoil-swu.yml | 16 ----------
> .../images/cip-core-image-read-only.bb | 20 ++++++++++++
> recipes-core/tmp-fs/files/postinst | 3 ++
> recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
> recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
> wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
> 11 files changed, 103 insertions(+), 30 deletions(-)
> create mode 100644 classes/secure-swupdate-img.bbclass
> delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
> create mode 100644 recipes-core/images/cip-core-image-read-only.bb
> create mode 100755 recipes-core/tmp-fs/files/postinst
> create mode 100644 recipes-core/tmp-fs/files/tmp.mount
> create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
> delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
> create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
>
> diff --git a/Kconfig b/Kconfig
> index 8421f1b..e97cb03 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
> config KAS_INCLUDE_SWUPDATE_SECBOOT
> string
> default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
> - default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
> - default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
> + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>
> endif
> diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
> new file mode 100644
> index 0000000..431939b
> --- /dev/null
> +++ b/classes/secure-swupdate-img.bbclass
> @@ -0,0 +1,32 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2021
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +SECURE_IMAGE_FSTYPE ?= "squashfs"
> +
> +inherit ${SECURE_IMAGE_FSTYPE}-img
> +
> +VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
> +
> +INITRAMFS_RECIPE ?= "cip-core-initramfs"
> +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
> +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
> +
> +inherit verity-img
> +inherit wic-img
> +inherit extract-partition
> +inherit swupdate-img
> +
> +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
> +
> +addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
> +addtask do_wic_image after do_verity_image
> +addtask do_extract_partition after do_wic_image
> +addtask do_swupdate_image after do_extract_partition
> diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
> index 8f769b6..acb4de0 100644
> --- a/kas/opt/ebg-secure-boot-base.yml
> +++ b/kas/opt/ebg-secure-boot-base.yml
> @@ -19,3 +19,5 @@ local_conf_header:
> IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
> SWU_DESCRIPTION = "secureboot"
> SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
> + kernel: |
> + SECURE_BOOT_KERNEL = "1"
> diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
> index 2f45bde..4a9185c 100644
> --- a/kas/opt/ebg-secure-boot-snakeoil.yml
> +++ b/kas/opt/ebg-secure-boot-snakeoil.yml
> @@ -14,13 +14,24 @@ header:
> includes:
> - kas/opt/ebg-secure-boot-base.yml
>
> +target: cip-core-image-read-only
>
> local_conf_header:
> + swupdate: |
> + IMAGE_INSTALL_append = " swupdate"
> + IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
> +
> + verity-img: |
> + SECURE_BOOT_KERNEL = "1"
> + SECURE_IMAGE_FSTYPE = "squashfs"
> + VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
> + IMAGE_TYPE = "secure-swupdate-img"
> + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
> +
> secure-boot: |
> # Add snakeoil and ovmf binaries for qemu
> IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
> IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
> - WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
>
> ovmf: |
> # snakeoil certs are only part of backports
> diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
> deleted file mode 100644
> index 2f15c0e..0000000
> --- a/kas/opt/ebg-snakeoil-swu.yml
> +++ /dev/null
> @@ -1,16 +0,0 @@
> -#
> -# CIP Core, generic profile
> -#
> -# Copyright (c) Siemens AG, 2021
> -#
> -# Authors:
> -# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> -#
> -# SPDX-License-Identifier: MIT
> -#
> -
> -header:
> - version: 10
> - includes:
> - - kas/opt/ebg-secure-boot-snakeoil.yml
> - - kas/opt/swupdate.yml
> diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
> new file mode 100644
> index 0000000..7ef2dc2
> --- /dev/null
> +++ b/recipes-core/images/cip-core-image-read-only.bb
> @@ -0,0 +1,20 @@
> +require cip-core-image.bb
> +
> +SQUASHFS_EXCLUDE_DIRS += "home var"
> +
> +IMAGE_INSTALL += "tmp-fs"
> +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
> +
> +image_configure_fstab() {
> + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
> +# Begin /etc/fstab
> +/dev/root / auto defaults,ro 0 0
> +LABEL=var /var auto defaults 0 0
> +proc /proc proc nosuid,noexec,nodev 0 0
> +sysfs /sys sysfs nosuid,noexec,nodev 0 0
> +devpts /dev/pts devpts gid=5,mode=620 0 0
> +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
> +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
> +# End /etc/fstab
> +EOF
> +}
> diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
> new file mode 100755
> index 0000000..07017fd
> --- /dev/null
> +++ b/recipes-core/tmp-fs/files/postinst
> @@ -0,0 +1,3 @@
> +#!/bin/sh
> +
> +deb-systemd-helper enable tmp.mount || true
> diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
> new file mode 100644
> index 0000000..7a31ed6
> --- /dev/null
> +++ b/recipes-core/tmp-fs/files/tmp.mount
> @@ -0,0 +1,11 @@
> +[Unit]
> +Description=Create /tmp
> +
> +[Mount]
> +What=tmpfs
> +Where=/tmp
> +Type=tmpfs
> +Options=nodev,nosuid,size=500M,mode=755
Hm, shouldn't size be configurable?
> +
> +[Install]
> +WantedBy=local-fs.target
Is this the right point in time? Isn't /tmp needed before this?
> diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
> new file mode 100644
> index 0000000..4e0c467
> --- /dev/null
> +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
> @@ -0,0 +1,9 @@
> +inherit dpkg-raw
> +
> +SRC_URI = "file://postinst \
> + file://tmp.mount"
> +
> +do_install[cleandirs]+="${D}/lib/systemd/system"
> +do_install() {
> + install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
> +}
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
> deleted file mode 100644
> index ff351db..0000000
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks
> +++ /dev/null
> @@ -1,11 +0,0 @@
> -# short-description: Qemu-amd64 with Efibootguard and SWUpdate
> -# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
> -include ebg-signed-bootloader.inc
> -
> -# EFI Boot Guard environment/config partitions plus Kernel files
> -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> -
> -include swupdate-partition.inc
> -
> -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> new file mode 100644
> index 0000000..c4ea0c8
> --- /dev/null
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> @@ -0,0 +1,13 @@
> +# EFI partition containing efibootguard bootloader binary
> +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
> +
> +# EFI Boot Guard environment/config partitions plus Kernel files
> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> +
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
> +
> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
> +
> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
> --
> 2.30.2
>
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support " Q. Gylstorff
@ 2021-11-17 12:33 ` Christian Storm
2021-11-18 18:19 ` Gylstorff Quirin
0 siblings, 1 reply; 25+ messages in thread
From: Christian Storm @ 2021-11-17 12:33 UTC (permalink / raw)
To: cip-dev
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> Adapt the initrd to open a dm-verity partition with a fixed
> root hash.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> .../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
> .../files/verity.conf-hook | 1 +
> .../initramfs-verity-hook/files/verity.hook | 23 +++++++
> .../files/verity.script.tmpl | 68 +++++++++++++++++++
> .../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
> 5 files changed, 159 insertions(+)
> create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
> create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
>
> diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
> new file mode 100644
> index 0000000..825fb9f
> --- /dev/null
> +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
> @@ -0,0 +1,16 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2021
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit initramfs
> +
> +INITRAMFS_INSTALL += " \
> + initramfs-verity-hook \
> + "
> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
> new file mode 100644
> index 0000000..9b61fb8
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
> @@ -0,0 +1 @@
> +BUSYBOX=y
> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
> new file mode 100644
> index 0000000..5eada8a
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
> @@ -0,0 +1,23 @@
> +#!/bin/sh
> +PREREQ=""
> +prereqs()
> +{
> + echo "$PREREQ"
> +}
> +case $1 in
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +. /usr/share/initramfs-tools/hook-functions
> +# Begin real processing below this line
> +
> +manual_add_modules dm_mod
> +manual_add_modules dm_verity
> +
> +copy_exec /sbin/veritysetup
> +copy_exec /sbin/dmsetup
> +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
> +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
> new file mode 100644
> index 0000000..c4f3dc4
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
> @@ -0,0 +1,68 @@
> +#!/bin/sh
> +prereqs()
> +{
> + # Make sure that this script is run last in local-top
> + local req
> + for req in "${0%/*}"/*; do
> + script="${req##*/}"
> + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
Hm, so you explicitly enumerate all scripts except for cryptroot so that
you run (hopefully right?) thereafter.
Isn't it sufficient to make cryptroot dependent on this?
Looks too verbose and complicated...
> + printf '%s\n' "$script"
> + fi
> + done
> +}
> +case $1 in
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +. /scripts/functions
> +. /lib/cryptsetup/functions
> +. /usr/share/verity-env/verity.env
> +# Even if this script fails horribly, make sure there won't be a chance the
> +# current $ROOT will be attempted. As this device most likely contains a
> +# perfectly valid filesystem, it would be mounted successfully, leading to a
> +# broken trust chain.
> +echo "ROOT=/dev/null" >/conf/param.conf
> +wait_for_udev 10
Why this hard timeout? Shouldn't this be configurable so to match to
different setups of hardware?
> +case "$ROOT" in
> + PART*)
> + # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
> + # partition
> + ROOT=$(blkid --list-one --output device --match-token "$ROOT")
> + ;;
> + "")
> + # No Root device was given. Use veritysetup verify to search matching roots
> + partitions=$(blkid -o device)
> + for part in $partitions; do
> + if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
> + if veritysetup verify \
> + "$part" "$part" "${ROOT_HASH}" \
> + --hash-offset "${HASH_OFFSET}";then
> + ROOT="$part"
> + break
> + fi
> + fi
> + done
> + ;;
> +esac
> +set -- "$ROOT" verityroot
> +if ! veritysetup open \
> + ${VERITY_BEHAVIOR_ON_CORRUPTION} \
> + --data-block-size "${DATA_BLOCK_SIZE}" \
> + --hash-block-size "${HASH_BLOCK_SIZE}" \
> + --data-blocks "${DATA_BLOCKS}" \
> + --hash-offset "${HASH_OFFSET}" \
> + --salt "${SALT}" \
> + "$1" "$2" "$1" "${ROOT_HASH}"; then
> + panic "Can't open verity rootfs!"
The above comment's gist may also help here in case you run into this
output on a machine.
> +fi
> +
> +wait_for_udev 10
Same as above.
> +
> +if ! ROOT="$(dm_blkdevname verityroot)"; then
> + panic "Can't find the verity root device!"
> +fi
> +
> +echo "ROOT=${ROOT}" >/conf/param.conf
> diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
> new file mode 100644
> index 0000000..a7fbf5a
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
> @@ -0,0 +1,51 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2021
> +#
> +# Authors:
> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg-raw
> +
> +SRC_URI += " \
> + file://verity.conf-hook \
> + file://verity.hook \
> + file://verity.script.tmpl \
> + "
> +
> +VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
> +
> +TEMPLATE_FILES = "verity.script.tmpl"
> +TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
> +
> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
> +
> +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
> +
> +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
> +
> +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
> +do_install[cleandirs] += " \
> + ${D}/usr/share/initramfs-tools/hooks \
> + ${D}/usr/share/verity-env \
> + ${D}/usr/share/initramfs-tools/scripts/local-top \
> + ${D}/usr/share/initramfs-tools/conf-hooks.d"
> +
> +do_install() {
> + # Insert the veritysetup commandline into the script
> + if [ -f "${VERITY_ENV_FILE}" ]; then
> + install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
> + else
> + bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
> + fi
> + install -m 0755 "${WORKDIR}/verity.script" \
> + "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
> + install -m 0755 "${WORKDIR}/verity.hook" \
> + "${D}/usr/share/initramfs-tools/hooks/verity"
> +}
> +
> +addtask do_install after do_transform_template
> --
> 2.30.2
>
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity
2021-11-17 12:18 ` Christian Storm
@ 2021-11-18 18:10 ` Gylstorff Quirin
2021-11-19 6:41 ` Jan Kiszka
0 siblings, 1 reply; 25+ messages in thread
From: Gylstorff Quirin @ 2021-11-18 18:10 UTC (permalink / raw)
To: cip-dev
On 11/17/21 1:18 PM, Christian Storm via lists.cip-project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This root file system supports SWUpdate and secure boot.
>> We need a writable /tmp and /var for a boot without error messages.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> Kconfig | 3 +-
>> classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
>> kas/opt/ebg-secure-boot-base.yml | 2 ++
>> kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
>> kas/opt/ebg-snakeoil-swu.yml | 16 ----------
>> .../images/cip-core-image-read-only.bb | 20 ++++++++++++
>> recipes-core/tmp-fs/files/postinst | 3 ++
>> recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
>> recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
>> wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
>> wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
>> 11 files changed, 103 insertions(+), 30 deletions(-)
>> create mode 100644 classes/secure-swupdate-img.bbclass
>> delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
>> create mode 100644 recipes-core/images/cip-core-image-read-only.bb
>> create mode 100755 recipes-core/tmp-fs/files/postinst
>> create mode 100644 recipes-core/tmp-fs/files/tmp.mount
>> create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
>> delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
>> create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
>>
>> diff --git a/Kconfig b/Kconfig
>> index 8421f1b..e97cb03 100644
>> --- a/Kconfig
>> +++ b/Kconfig
>> @@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
>> config KAS_INCLUDE_SWUPDATE_SECBOOT
>> string
>> default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
>> - default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
>> - default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
>> + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>>
>> endif
>> diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
>> new file mode 100644
>> index 0000000..431939b
>> --- /dev/null
>> +++ b/classes/secure-swupdate-img.bbclass
>> @@ -0,0 +1,32 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2021
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +SECURE_IMAGE_FSTYPE ?= "squashfs"
>> +
>> +inherit ${SECURE_IMAGE_FSTYPE}-img
>> +
>> +VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
>> +
>> +INITRAMFS_RECIPE ?= "cip-core-initramfs"
>> +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
>> +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
>> +
>> +inherit verity-img
>> +inherit wic-img
>> +inherit extract-partition
>> +inherit swupdate-img
>> +
>> +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
>> +
>> +addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
>> +addtask do_wic_image after do_verity_image
>> +addtask do_extract_partition after do_wic_image
>> +addtask do_swupdate_image after do_extract_partition
>> diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
>> index 8f769b6..acb4de0 100644
>> --- a/kas/opt/ebg-secure-boot-base.yml
>> +++ b/kas/opt/ebg-secure-boot-base.yml
>> @@ -19,3 +19,5 @@ local_conf_header:
>> IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
>> SWU_DESCRIPTION = "secureboot"
>> SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
>> + kernel: |
>> + SECURE_BOOT_KERNEL = "1"
>> diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
>> index 2f45bde..4a9185c 100644
>> --- a/kas/opt/ebg-secure-boot-snakeoil.yml
>> +++ b/kas/opt/ebg-secure-boot-snakeoil.yml
>> @@ -14,13 +14,24 @@ header:
>> includes:
>> - kas/opt/ebg-secure-boot-base.yml
>>
>> +target: cip-core-image-read-only
>>
>> local_conf_header:
>> + swupdate: |
>> + IMAGE_INSTALL_append = " swupdate"
>> + IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
>> +
>> + verity-img: |
>> + SECURE_BOOT_KERNEL = "1"
>> + SECURE_IMAGE_FSTYPE = "squashfs"
>> + VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
>> + IMAGE_TYPE = "secure-swupdate-img"
>> + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
>> +
>> secure-boot: |
>> # Add snakeoil and ovmf binaries for qemu
>> IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
>> IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
>> - WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
>>
>> ovmf: |
>> # snakeoil certs are only part of backports
>> diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
>> deleted file mode 100644
>> index 2f15c0e..0000000
>> --- a/kas/opt/ebg-snakeoil-swu.yml
>> +++ /dev/null
>> @@ -1,16 +0,0 @@
>> -#
>> -# CIP Core, generic profile
>> -#
>> -# Copyright (c) Siemens AG, 2021
>> -#
>> -# Authors:
>> -# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> -#
>> -# SPDX-License-Identifier: MIT
>> -#
>> -
>> -header:
>> - version: 10
>> - includes:
>> - - kas/opt/ebg-secure-boot-snakeoil.yml
>> - - kas/opt/swupdate.yml
>> diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
>> new file mode 100644
>> index 0000000..7ef2dc2
>> --- /dev/null
>> +++ b/recipes-core/images/cip-core-image-read-only.bb
>> @@ -0,0 +1,20 @@
>> +require cip-core-image.bb
>> +
>> +SQUASHFS_EXCLUDE_DIRS += "home var"
>> +
>> +IMAGE_INSTALL += "tmp-fs"
>> +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
>> +
>> +image_configure_fstab() {
>> + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
>> +# Begin /etc/fstab
>> +/dev/root / auto defaults,ro 0 0
>> +LABEL=var /var auto defaults 0 0
>> +proc /proc proc nosuid,noexec,nodev 0 0
>> +sysfs /sys sysfs nosuid,noexec,nodev 0 0
>> +devpts /dev/pts devpts gid=5,mode=620 0 0
>> +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
>> +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
>> +# End /etc/fstab
>> +EOF
>> +}
>> diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst
>> new file mode 100755
>> index 0000000..07017fd
>> --- /dev/null
>> +++ b/recipes-core/tmp-fs/files/postinst
>> @@ -0,0 +1,3 @@
>> +#!/bin/sh
>> +
>> +deb-systemd-helper enable tmp.mount || true
>> diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount
>> new file mode 100644
>> index 0000000..7a31ed6
>> --- /dev/null
>> +++ b/recipes-core/tmp-fs/files/tmp.mount
>> @@ -0,0 +1,11 @@
>> +[Unit]
>> +Description=Create /tmp
>> +
>> +[Mount]
>> +What=tmpfs
>> +Where=/tmp
>> +Type=tmpfs
>> +Options=nodev,nosuid,size=500M,mode=755
>
> Hm, shouldn't size be configurable?
I will make it configurable in the next version.
>
>
>> +
>> +[Install]
>> +WantedBy=local-fs.target
>
> Is this the right point in time? Isn't /tmp needed before this?
According my testing and [1] if /tmp is mount a in /etc/fstab. systemd
mounts before the local-fs.target.
In the cip-core-image /tmp is not need before this as the /tmp of the
initrd is used.
The systemd log looks like this
```
[ OK ] Started Remount Root and Kernel File Systems.
Starting Create Static Device Nodes in /dev...
[ OK ] Started Create Static Device Nodes in /dev.
Starting udev Kernel Device Manager...
[ OK ] Reached target Local File Systems (Pre).
Mounting Create /tmp...
[ OK ] Mounted Create /tmp.
[ OK ] Started Journal Service.
```
[1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html
>
>
>> diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb
>> new file mode 100644
>> index 0000000..4e0c467
>> --- /dev/null
>> +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb
>> @@ -0,0 +1,9 @@
>> +inherit dpkg-raw
>> +
>> +SRC_URI = "file://postinst \
>> + file://tmp.mount"
>> +
>> +do_install[cleandirs]+="${D}/lib/systemd/system"
>> +do_install() {
>> + install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount
>> +}
>> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
>> deleted file mode 100644
>> index ff351db..0000000
>> --- a/wic/qemu-amd64-efibootguard-secureboot.wks
>> +++ /dev/null
>> @@ -1,11 +0,0 @@
>> -# short-description: Qemu-amd64 with Efibootguard and SWUpdate
>> -# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
>> -include ebg-signed-bootloader.inc
>> -
>> -# EFI Boot Guard environment/config partitions plus Kernel files
>> -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> -
>> -include swupdate-partition.inc
>> -
>> -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0"
>> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
>> new file mode 100644
>> index 0000000..c4ea0c8
>> --- /dev/null
>> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
>> @@ -0,0 +1,13 @@
>> +# EFI partition containing efibootguard bootloader binary
>> +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
>> +
>> +# EFI Boot Guard environment/config partitions plus Kernel files
>> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
>> +
>> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
>> +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
>> +
>> +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
>> +
>> +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
>> --
>> 2.30.2
>>
>
>
>
> Kind regards,
> Christian
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6945): https://lists.cip-project.org/g/cip-dev/message/6945
> Mute This Topic: https://lists.cip-project.org/mt/87092664/1753640
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129121/1753640/1405269326/xyzzy [quirin.gylstorff@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay
2021-11-17 12:11 ` Christian Storm
@ 2021-11-18 18:12 ` Gylstorff Quirin
0 siblings, 0 replies; 25+ messages in thread
From: Gylstorff Quirin @ 2021-11-18 18:12 UTC (permalink / raw)
To: cip-dev
On 11/17/21 1:11 PM, Christian Storm via lists.cip-project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> As /etc is read-only and needs to be accessed by the initrd
>> move the user defined settings to a overlay in /var/local/etc.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> .../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++++++++++++++++
>> .../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++++++++
>> .../etc-overlay-fs/files/etc-sysusers.service | 14 ++++++++++++++
>> recipes-core/etc-overlay-fs/files/etc.mount | 13 +++++++++++++
>> .../files/overlay-parse-etc.service | 12 ++++++++++++
>> recipes-core/etc-overlay-fs/files/postinst | 6 ++++++
>> recipes-core/images/cip-core-image-read-only.bb | 1 +
>> 7 files changed, 76 insertions(+)
>> create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
>> create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
>> create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service
>> create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
>> create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
>> create mode 100755 recipes-core/etc-overlay-fs/files/postinst
>>
>> diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
>> new file mode 100644
>> index 0000000..f1c8349
>> --- /dev/null
>> +++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
>> @@ -0,0 +1,16 @@
>> +inherit dpkg-raw
>> +
>> +SRC_URI = "file://postinst \
>> + file://etc.mount \
>> + file://overlay-parse-etc.service \
>> + file://etc-hostname.service \
>> + file://etc-sysusers.service"
>> +
>> +do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic"
>> +do_install() {
>> + TARGET=${D}/lib/systemd/system
>> + install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount
>> + install -m 0644 ${WORKDIR}/overlay-parse-etc.service ${TARGET}/overlay-parse-etc.service
>> + install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service
>> + install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service
>> +}
>> diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service
>> new file mode 100644
>> index 0000000..2306b9f
>> --- /dev/null
>> +++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service
>> @@ -0,0 +1,14 @@
>> +[Unit]
>> +Description=set hostname /etc overlay-aware
>> +Before=network-pre.target
>> +Wants=network-pre.target
>> +Requires=etc.mount
>> +After=etc.mount
>> +
>> +[Service]
>> +Type=oneshot
>> +RemainAfterExit=yes
>> +ExecStart=/bin/hostname --boot --file /etc/hostname
>> +
>> +[Install]
>> +WantedBy=basic.target
>> diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
>> new file mode 100644
>> index 0000000..6caf6b0
>> --- /dev/null
>> +++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service
>> @@ -0,0 +1,14 @@
>> +[Unit]
>> +Description=make systemd-sysusers /etc overlay aware
>> +Before=network-pre.target
>> +Wants=network-pre.target
>> +Requires=etc.mount
>> +After=etc.mount
>> +
>> +[Service]
>> +Type=oneshot
>> +RemainAfterExit=yes
>> +ExecStart=/usr/bin/systemd-sysusers
>> +
>> +[Install]
>> +WantedBy=basic.target
>
> Hm, why do you replace/create those services instead of augmenting the
> current default ones via conf.d'lets?
> Why is this one here dependent on network?
> Why does this differ that much from upstream service files, see, e.g.,
> https://github.com/systemd/systemd/blob/main/units/systemd-sysusers.service
>
You right thats the better solution. Will test it and add it in a v3.
>
>> diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount
>> new file mode 100644
>> index 0000000..f0ae3c5
>> --- /dev/null
>> +++ b/recipes-core/etc-overlay-fs/files/etc.mount
>> @@ -0,0 +1,13 @@
>> +[Unit]
>> +Description=Overlay-mount /etc
>> +Requires=var.mount
>> +After=var.mount
>> +
>> +[Mount]
>> +What=overlay
>> +Where=/etc
>> +Type=overlay
>> +Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic
>> +
>> +[Install]
>> +WantedBy=local-fs.target
>> diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
>> new file mode 100644
>> index 0000000..062bb40
>> --- /dev/null
>> +++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service
>> @@ -0,0 +1,12 @@
>> +[Unit]
>> +Description=Reload Configuration from the etc overlay
>> +Requires=etc.mount
>> +After=etc.mount
>> +
>> +[Service]
>> +Type=oneshot
>> +RemainAfterExit=yes
>> +ExecStartPre=!/bin/systemctl daemon-reload
>> +ExecStart=!/bin/systemctl --no-block isolate multi-user.target
>
> Wow, this is a big cannon, why do you need this? Isn't there another way?
After testing in the current cip-core-image i don't need it.
Quirin
>
>
>> +[Install]
>> +WantedBy=local-fs.target
>> diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst
>> new file mode 100755
>> index 0000000..35641af
>> --- /dev/null
>> +++ b/recipes-core/etc-overlay-fs/files/postinst
>> @@ -0,0 +1,6 @@
>> +#!/bin/sh
>> +
>> +deb-systemd-helper enable etc.mount || true
>> +deb-systemd-helper enable overlay-parse-etc.service || true
>> +deb-systemd-helper enable etc-hostname.service || true
>> +deb-systemd-helper enable etc-sysusers.service || true
>> diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb
>> index 7ef2dc2..ceb6ac4 100644
>> --- a/recipes-core/images/cip-core-image-read-only.bb
>> +++ b/recipes-core/images/cip-core-image-read-only.bb
>> @@ -2,6 +2,7 @@ require cip-core-image.bb
>>
>> SQUASHFS_EXCLUDE_DIRS += "home var"
>>
>> +IMAGE_INSTALL += "etc-overlay-fs"
>> IMAGE_INSTALL += "tmp-fs"
>> IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
>>
>> --
>> 2.30.2
>>
>
>
>
> Kind regards,
> Christian
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6944): https://lists.cip-project.org/g/cip-dev/message/6944
> Mute This Topic: https://lists.cip-project.org/mt/87092661/1753640
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129121/1753640/1405269326/xyzzy [quirin.gylstorff@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity
2021-11-17 12:33 ` Christian Storm
@ 2021-11-18 18:19 ` Gylstorff Quirin
2021-11-19 13:29 ` Christian Storm
0 siblings, 1 reply; 25+ messages in thread
From: Gylstorff Quirin @ 2021-11-18 18:19 UTC (permalink / raw)
To: cip-dev
On 11/17/21 1:33 PM, Christian Storm via lists.cip-project.org wrote:
>
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Adapt the initrd to open a dm-verity partition with a fixed
>> root hash.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> .../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++
>> .../files/verity.conf-hook | 1 +
>> .../initramfs-verity-hook/files/verity.hook | 23 +++++++
>> .../files/verity.script.tmpl | 68 +++++++++++++++++++
>> .../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++
>> 5 files changed, 159 insertions(+)
>> create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
>> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
>> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook
>> create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
>> create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
>>
>> diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
>> new file mode 100644
>> index 0000000..825fb9f
>> --- /dev/null
>> +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
>> @@ -0,0 +1,16 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2021
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit initramfs
>> +
>> +INITRAMFS_INSTALL += " \
>> + initramfs-verity-hook \
>> + "
>> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
>> new file mode 100644
>> index 0000000..9b61fb8
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook
>> @@ -0,0 +1 @@
>> +BUSYBOX=y
>> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
>> new file mode 100644
>> index 0000000..5eada8a
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook
>> @@ -0,0 +1,23 @@
>> +#!/bin/sh
>> +PREREQ=""
>> +prereqs()
>> +{
>> + echo "$PREREQ"
>> +}
>> +case $1 in
>> +prereqs)
>> + prereqs
>> + exit 0
>> + ;;
>> +esac
>> +
>> +. /usr/share/initramfs-tools/hook-functions
>> +# Begin real processing below this line
>> +
>> +manual_add_modules dm_mod
>> +manual_add_modules dm_verity
>> +
>> +copy_exec /sbin/veritysetup
>> +copy_exec /sbin/dmsetup
>> +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
>> +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
>> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
>> new file mode 100644
>> index 0000000..c4f3dc4
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
>> @@ -0,0 +1,68 @@
>> +#!/bin/sh
>> +prereqs()
>> +{
>> + # Make sure that this script is run last in local-top
>> + local req
>> + for req in "${0%/*}"/*; do
>> + script="${req##*/}"
>> + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
>
> Hm, so you explicitly enumerate all scripts except for cryptroot so that
> you run (hopefully right?) thereafter.
> Isn't it sufficient to make cryptroot dependent on this?
> Looks too verbose and complicated...
It is the same scripting as cryptroot uses in Debian 11 which inspired
this script. See [1].
[1]:
https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot
>
>
>> + printf '%s\n' "$script"
>> + fi
>> + done
>> +}
>> +case $1 in
>> +prereqs)
>> + prereqs
>> + exit 0
>> + ;;
>> +esac
>> +
>> +. /scripts/functions
>> +. /lib/cryptsetup/functions
>> +. /usr/share/verity-env/verity.env
>> +# Even if this script fails horribly, make sure there won't be a chance the
>> +# current $ROOT will be attempted. As this device most likely contains a
>> +# perfectly valid filesystem, it would be mounted successfully, leading to a
>> +# broken trust chain.
>> +echo "ROOT=/dev/null" >/conf/param.conf
>> +wait_for_udev 10
>
> Why this hard timeout? Shouldn't this be configurable so to match to
> different setups of hardware?
>
I will add currently the default is from [1] and used in the Debian
provided initrd scripts.
>
>> +case "$ROOT" in
>> + PART*)
>> + # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching
>> + # partition
>> + ROOT=$(blkid --list-one --output device --match-token "$ROOT")
>> + ;;
>> + "")
>> + # No Root device was given. Use veritysetup verify to search matching roots
>> + partitions=$(blkid -o device)
>> + for part in $partitions; do
>> + if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
>> + if veritysetup verify \
>> + "$part" "$part" "${ROOT_HASH}" \
>> + --hash-offset "${HASH_OFFSET}";then
>> + ROOT="$part"
>> + break
>> + fi
>> + fi
>> + done
>> + ;;
>> +esac
>> +set -- "$ROOT" verityroot
>> +if ! veritysetup open \
>> + ${VERITY_BEHAVIOR_ON_CORRUPTION} \
>> + --data-block-size "${DATA_BLOCK_SIZE}" \
>> + --hash-block-size "${HASH_BLOCK_SIZE}" \
>> + --data-blocks "${DATA_BLOCKS}" \
>> + --hash-offset "${HASH_OFFSET}" \
>> + --salt "${SALT}" \
>> + "$1" "$2" "$1" "${ROOT_HASH}"; then
>> + panic "Can't open verity rootfs!"
>
> The above comment's gist may also help here in case you run into this
> output on a machine.
>
>
>> +fi
>> +
>> +wait_for_udev 10
>
> Same as above.
Quirin
>
>
>> +
>> +if ! ROOT="$(dm_blkdevname verityroot)"; then
>> + panic "Can't find the verity root device!"
>> +fi
>> +
>> +echo "ROOT=${ROOT}" >/conf/param.conf
>> diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
>> new file mode 100644
>> index 0000000..a7fbf5a
>> --- /dev/null
>> +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb
>> @@ -0,0 +1,51 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2021
>> +#
>> +# Authors:
>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit dpkg-raw
>> +
>> +SRC_URI += " \
>> + file://verity.conf-hook \
>> + file://verity.hook \
>> + file://verity.script.tmpl \
>> + "
>> +
>> +VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption"
>> +
>> +TEMPLATE_FILES = "verity.script.tmpl"
>> +TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION"
>> +
>> +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup"
>> +
>> +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only"
>> +
>> +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env"
>> +
>> +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"
>> +do_install[cleandirs] += " \
>> + ${D}/usr/share/initramfs-tools/hooks \
>> + ${D}/usr/share/verity-env \
>> + ${D}/usr/share/initramfs-tools/scripts/local-top \
>> + ${D}/usr/share/initramfs-tools/conf-hooks.d"
>> +
>> +do_install() {
>> + # Insert the veritysetup commandline into the script
>> + if [ -f "${VERITY_ENV_FILE}" ]; then
>> + install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
>> + else
>> + bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
>> + fi
>> + install -m 0755 "${WORKDIR}/verity.script" \
>> + "${D}/usr/share/initramfs-tools/scripts/local-top/verity"
>> + install -m 0755 "${WORKDIR}/verity.hook" \
>> + "${D}/usr/share/initramfs-tools/hooks/verity"
>> +}
>> +
>> +addtask do_install after do_transform_template
>> --
>> 2.30.2
>>
>
>
>
> Kind regards,
> Christian
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6946): https://lists.cip-project.org/g/cip-dev/message/6946
> Mute This Topic: https://lists.cip-project.org/mt/87092657/1753640
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129121/1753640/1405269326/xyzzy [quirin.gylstorff@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity
2021-11-18 18:10 ` Gylstorff Quirin
@ 2021-11-19 6:41 ` Jan Kiszka
0 siblings, 0 replies; 25+ messages in thread
From: Jan Kiszka @ 2021-11-19 6:41 UTC (permalink / raw)
To: Gylstorff Quirin, cip-dev
On 18.11.21 19:10, Gylstorff Quirin wrote:
>
>
> On 11/17/21 1:18 PM, Christian Storm via lists.cip-project.org wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> This root file system supports SWUpdate and secure boot.
>>> We need a writable /tmp and /var for a boot without error messages.
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>> Kconfig | 3 +-
>>> classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++
>>> kas/opt/ebg-secure-boot-base.yml | 2 ++
>>> kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++-
>>> kas/opt/ebg-snakeoil-swu.yml | 16 ----------
>>> .../images/cip-core-image-read-only.bb | 20 ++++++++++++
>>> recipes-core/tmp-fs/files/postinst | 3 ++
>>> recipes-core/tmp-fs/files/tmp.mount | 11 +++++++
>>> recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 ++++++
>>> wic/qemu-amd64-efibootguard-secureboot.wks | 11 -------
>>> wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++
>>> 11 files changed, 103 insertions(+), 30 deletions(-)
>>> create mode 100644 classes/secure-swupdate-img.bbclass
>>> delete mode 100644 kas/opt/ebg-snakeoil-swu.yml
>>> create mode 100644 recipes-core/images/cip-core-image-read-only.bb
>>> create mode 100755 recipes-core/tmp-fs/files/postinst
>>> create mode 100644 recipes-core/tmp-fs/files/tmp.mount
>>> create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb
>>> delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
>>> create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in
>>>
>>> diff --git a/Kconfig b/Kconfig
>>> index 8421f1b..e97cb03 100644
>>> --- a/Kconfig
>>> +++ b/Kconfig
>>> @@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT
>>> config KAS_INCLUDE_SWUPDATE_SECBOOT
>>> string
>>> default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE &&
>>> !IMAGE_SECURE_BOOT
>>> - default "kas/opt/ebg-secure-boot-snakeoil.yml" if
>>> !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT
>>> - default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE &&
>>> IMAGE_SECURE_BOOT
>>> + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
>>> endif
>>> diff --git a/classes/secure-swupdate-img.bbclass
>>> b/classes/secure-swupdate-img.bbclass
>>> new file mode 100644
>>> index 0000000..431939b
>>> --- /dev/null
>>> +++ b/classes/secure-swupdate-img.bbclass
>>> @@ -0,0 +1,32 @@
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2021
>>> +#
>>> +# Authors:
>>> +# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +SECURE_IMAGE_FSTYPE ?= "squashfs"
>>> +
>>> +inherit ${SECURE_IMAGE_FSTYPE}-img
>>> +
>>> +VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
>>> +
>>> +INITRAMFS_RECIPE ?= "cip-core-initramfs"
>>> +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
>>> +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
>>> +
>>> +inherit verity-img
>>> +inherit wic-img
>>> +inherit extract-partition
>>> +inherit swupdate-img
>>> +
>>> +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
>>> +
>>> +addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
>>> +addtask do_wic_image after do_verity_image
>>> +addtask do_extract_partition after do_wic_image
>>> +addtask do_swupdate_image after do_extract_partition
>>> diff --git a/kas/opt/ebg-secure-boot-base.yml
>>> b/kas/opt/ebg-secure-boot-base.yml
>>> index 8f769b6..acb4de0 100644
>>> --- a/kas/opt/ebg-secure-boot-base.yml
>>> +++ b/kas/opt/ebg-secure-boot-base.yml
>>> @@ -19,3 +19,5 @@ local_conf_header:
>>> IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
>>> SWU_DESCRIPTION = "secureboot"
>>> SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG =
>>> "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
>>> + kernel: |
>>> + SECURE_BOOT_KERNEL = "1"
>>> diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml
>>> b/kas/opt/ebg-secure-boot-snakeoil.yml
>>> index 2f45bde..4a9185c 100644
>>> --- a/kas/opt/ebg-secure-boot-snakeoil.yml
>>> +++ b/kas/opt/ebg-secure-boot-snakeoil.yml
>>> @@ -14,13 +14,24 @@ header:
>>> includes:
>>> - kas/opt/ebg-secure-boot-base.yml
>>> +target: cip-core-image-read-only
>>> local_conf_header:
>>> + swupdate: |
>>> + IMAGE_INSTALL_append = " swupdate"
>>> + IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
>>> +
>>> + verity-img: |
>>> + SECURE_BOOT_KERNEL = "1"
>>> + SECURE_IMAGE_FSTYPE = "squashfs"
>>> + VERITY_IMAGE_RECIPE = "cip-core-image-read-only"
>>> + IMAGE_TYPE = "secure-swupdate-img"
>>> + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
>>> +
>>> secure-boot: |
>>> # Add snakeoil and ovmf binaries for qemu
>>> IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
>>> IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
>>> - WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"
>>> ovmf: |
>>> # snakeoil certs are only part of backports
>>> diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml
>>> deleted file mode 100644
>>> index 2f15c0e..0000000
>>> --- a/kas/opt/ebg-snakeoil-swu.yml
>>> +++ /dev/null
>>> @@ -1,16 +0,0 @@
>>> -#
>>> -# CIP Core, generic profile
>>> -#
>>> -# Copyright (c) Siemens AG, 2021
>>> -#
>>> -# Authors:
>>> -# Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> -#
>>> -# SPDX-License-Identifier: MIT
>>> -#
>>> -
>>> -header:
>>> - version: 10
>>> - includes:
>>> - - kas/opt/ebg-secure-boot-snakeoil.yml
>>> - - kas/opt/swupdate.yml
>>> diff --git a/recipes-core/images/cip-core-image-read-only.bb
>>> b/recipes-core/images/cip-core-image-read-only.bb
>>> new file mode 100644
>>> index 0000000..7ef2dc2
>>> --- /dev/null
>>> +++ b/recipes-core/images/cip-core-image-read-only.bb
>>> @@ -0,0 +1,20 @@
>>> +require cip-core-image.bb
>>> +
>>> +SQUASHFS_EXCLUDE_DIRS += "home var"
>>> +
>>> +IMAGE_INSTALL += "tmp-fs"
>>> +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
>>> +
>>> +image_configure_fstab() {
>>> + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
>>> +# Begin /etc/fstab
>>> +/dev/root / auto defaults,ro 0 0
>>> +LABEL=var /var auto defaults 0 0
>>> +proc /proc proc nosuid,noexec,nodev 0 0
>>> +sysfs /sys sysfs nosuid,noexec,nodev 0 0
>>> +devpts /dev/pts devpts gid=5,mode=620
>>> 0 0
>>> +tmpfs /run tmpfs
>>> nodev,nosuid,size=500M,mode=755 0 0
>>> +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
>>> +# End /etc/fstab
>>> +EOF
>>> +}
>>> diff --git a/recipes-core/tmp-fs/files/postinst
>>> b/recipes-core/tmp-fs/files/postinst
>>> new file mode 100755
>>> index 0000000..07017fd
>>> --- /dev/null
>>> +++ b/recipes-core/tmp-fs/files/postinst
>>> @@ -0,0 +1,3 @@
>>> +#!/bin/sh
>>> +
>>> +deb-systemd-helper enable tmp.mount || true
>>> diff --git a/recipes-core/tmp-fs/files/tmp.mount
>>> b/recipes-core/tmp-fs/files/tmp.mount
>>> new file mode 100644
>>> index 0000000..7a31ed6
>>> --- /dev/null
>>> +++ b/recipes-core/tmp-fs/files/tmp.mount
>>> @@ -0,0 +1,11 @@
>>> +[Unit]
>>> +Description=Create /tmp
>>> +
>>> +[Mount]
>>> +What=tmpfs
>>> +Where=/tmp
>>> +Type=tmpfs
>>> +Options=nodev,nosuid,size=500M,mode=755
>>
>> Hm, shouldn't size be configurable?
>
> I will make it configurable in the next version.
>>
>>
>>> +
>>> +[Install]
>>> +WantedBy=local-fs.target
>>
>> Is this the right point in time? Isn't /tmp needed before this?
>
>
> According my testing and [1] if /tmp is mount a in /etc/fstab. systemd
> mounts before the local-fs.target.
>
> In the cip-core-image /tmp is not need before this as the /tmp of the
> initrd is used.
>
> The systemd log looks like this
> ```
> [ OK ] Started Remount Root and Kernel File Systems.
> Starting Create Static Device Nodes in /dev...
> [ OK ] Started Create Static Device Nodes in /dev.
> Starting udev Kernel Device Manager...
> [ OK ] Reached target Local File Systems (Pre).
> Mounting Create /tmp...
> [ OK ] Mounted Create /tmp.
> [ OK ] Started Journal Service.
>
> ```
>
> [1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html
Reason should also be recorded then, e.g. in the commit message.
Jan
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master
2021-11-17 11:36 ` Gylstorff Quirin
@ 2021-11-19 6:42 ` Jan Kiszka
2021-11-19 13:34 ` Christian Storm
0 siblings, 1 reply; 25+ messages in thread
From: Jan Kiszka @ 2021-11-19 6:42 UTC (permalink / raw)
To: Gylstorff Quirin, cip-dev
On 17.11.21 12:36, Gylstorff Quirin wrote:
>
>
> On 11/17/21 11:40 AM, Christian Storm via lists.cip-project.org wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> Backport the following patches to detect the correct partition to
>>> update.
>>> 388f1777 util: Add get_root source /proc/self/mountinfo
>>> 3914d2b7 util: Extend get_root to find LUKS devices
>>
>> Why not upgrade to a newer version of SWUpdate instead of backporting
>> stuff? There's no real advantage to stay on a "release" as SWUpdate
>> follows rolling releases -- granted, you have to do the qualification
>> but that applies to "releases" as well...
>>
>
> The build of SWUpdate uses dpkg-gbp to follow the Debian build of
> SWUpdate with sources from [1].
>
> As Debian only follows fixed release , currently 2021.04, I patched the
> version.
> This patchset is no longer necessary after Debian uses the next Release
> SWUpdate version.
>
I agree that a single backport is better in this case. But as 2021.11 is
to appear soon, it may resolve this automatically for v3 already.
Jan
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity
2021-11-18 18:19 ` Gylstorff Quirin
@ 2021-11-19 13:29 ` Christian Storm
2021-11-23 13:31 ` Gylstorff Quirin
0 siblings, 1 reply; 25+ messages in thread
From: Christian Storm @ 2021-11-19 13:29 UTC (permalink / raw)
To: cip-dev
> > > diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
> > > new file mode 100644
> > > index 0000000..c4f3dc4
> > > --- /dev/null
> > > +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
> > > @@ -0,0 +1,68 @@
> > > +#!/bin/sh
> > > +prereqs()
> > > +{
> > > + # Make sure that this script is run last in local-top
> > > + local req
> > > + for req in "${0%/*}"/*; do
> > > + script="${req##*/}"
> > > + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
> >
> > Hm, so you explicitly enumerate all scripts except for cryptroot so that
> > you run (hopefully right?) thereafter.
> > Isn't it sufficient to make cryptroot dependent on this?
> > Looks too verbose and complicated...
>
> It is the same scripting as cryptroot uses in Debian 11 which inspired this
> script. See [1].
> [1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot
Anyway, this doesn't answer the questions?
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master
2021-11-19 6:42 ` Jan Kiszka
@ 2021-11-19 13:34 ` Christian Storm
0 siblings, 0 replies; 25+ messages in thread
From: Christian Storm @ 2021-11-19 13:34 UTC (permalink / raw)
To: cip-dev
> >>> Backport the following patches to detect the correct partition to
> >>> update.
> >>> 388f1777 util: Add get_root source /proc/self/mountinfo
> >>> 3914d2b7 util: Extend get_root to find LUKS devices
> >>
> >> Why not upgrade to a newer version of SWUpdate instead of backporting
> >> stuff? There's no real advantage to stay on a "release" as SWUpdate
> >> follows rolling releases -- granted, you have to do the qualification
> >> but that applies to "releases" as well...
> >>
> >
> > The build of SWUpdate uses dpkg-gbp to follow the Debian build of
> > SWUpdate with sources from [1].
> >
> > As Debian only follows fixed release , currently 2021.04, I patched the
> > version.
> > This patchset is no longer necessary after Debian uses the next Release
> > SWUpdate version.
> >
>
> I agree that a single backport is better in this case. But as 2021.11 is
> to appear soon, it may resolve this automatically for v3 already.
The old version doesn't give you any advantage as there's nothing that
qualifies a "release" that other shas don't give you, except that it's
tagged at some point in time as "release". But sticking to Debian's
recipes is of course beneficial from a maintenance perspective as long
as the patch queue to be put on top is not too large....
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support for dm-verity
2021-11-19 13:29 ` Christian Storm
@ 2021-11-23 13:31 ` Gylstorff Quirin
0 siblings, 0 replies; 25+ messages in thread
From: Gylstorff Quirin @ 2021-11-23 13:31 UTC (permalink / raw)
To: cip-dev
On 11/19/21 2:29 PM, Christian Storm via lists.cip-project.org wrote:
>>>> diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
>>>> new file mode 100644
>>>> index 0000000..c4f3dc4
>>>> --- /dev/null
>>>> +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
>>>> @@ -0,0 +1,68 @@
>>>> +#!/bin/sh
>>>> +prereqs()
>>>> +{
>>>> + # Make sure that this script is run last in local-top
>>>> + local req
>>>> + for req in "${0%/*}"/*; do
>>>> + script="${req##*/}"
>>>> + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
>>>
>>> Hm, so you explicitly enumerate all scripts except for cryptroot so that
>>> you run (hopefully right?) thereafter.
>>> Isn't it sufficient to make cryptroot dependent on this?
>>> Looks too verbose and complicated...
>>
>> It is the same scripting as cryptroot uses in Debian 11 which inspired this
>> script. See [1].
>> [1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot
>
> Anyway, this doesn't answer the questions?
>
>
>
> Kind regards,
> Christian
The `verity.script` should executed as last script in the local-top init
phase. if the cryptroot script exists `verity.script` is the second last
script.
If the package `cryptsetup-initramfs` is always installed an entry in
the cryptroot script would be enough. We have currently no dependency to
`cryptsetup-initramfs`.
If we want to change the cryptroot dependency we need to patch the
necessary scripts/packages. Patching other packages is something I like
to avoid for this feature.
Quirin
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6960): https://lists.cip-project.org/g/cip-dev/message/6960
> Mute This Topic: https://lists.cip-project.org/mt/87092657/1753640
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129121/1753640/1405269326/xyzzy [quirin.gylstorff@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
^ permalink raw reply [flat|nested] 25+ messages in thread
end of thread, other threads:[~2021-11-23 13:31 UTC | newest]
Thread overview: 25+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-16 11:27 [cip-dev][isar-cip-core]RFC v2 0/9] Read-only root file system with dm-verity Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 1/9] Add new class to create a squashfs based root file system Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 2/9] Add verity-img.bbclass for dm-verity based rootfs Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 3/9] linux-cip-common: Add options necessary for dm-verity Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 4/9] Create a initrd with support " Q. Gylstorff
2021-11-17 12:33 ` Christian Storm
2021-11-18 18:19 ` Gylstorff Quirin
2021-11-19 13:29 ` Christian Storm
2021-11-23 13:31 ` Gylstorff Quirin
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 5/9] Create an read-only rootfs with dm-verity Q. Gylstorff
2021-11-17 12:18 ` Christian Storm
2021-11-18 18:10 ` Gylstorff Quirin
2021-11-19 6:41 ` Jan Kiszka
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 6/9] Create systemd mount units for a etc overlay Q. Gylstorff
2021-11-17 12:11 ` Christian Storm
2021-11-18 18:12 ` Gylstorff Quirin
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 7/9] Mount writable home partition Q. Gylstorff
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 8/9] kas: Patch isar for correct permissions in var and home Q. Gylstorff
2021-11-17 10:27 ` Christian Storm
2021-11-17 11:41 ` Gylstorff Quirin
2021-11-16 11:27 ` [cip-dev][isar-cip-core]RFC v2 9/9] swupdate: Backport patches from SWUpdate Master Q. Gylstorff
2021-11-17 10:40 ` Christian Storm
2021-11-17 11:36 ` Gylstorff Quirin
2021-11-19 6:42 ` Jan Kiszka
2021-11-19 13:34 ` Christian Storm
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).