From: Gylstorff Quirin <quirin.gylstorff@siemens.com>
To: Jan Kiszka <jan.kiszka@siemens.com>, cip-dev@lists.cip-project.org
Cc: Christian Storm <christian.storm@siemens.com>
Subject: Re: [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings
Date: Wed, 13 Apr 2022 15:54:16 +0200
Message-ID: <f7b6752a-521e-b1dc-a366-acdde99862b9@siemens.com>
In-Reply-To: <cover.1649834193.git.jan.kiszka@siemens.com>



On 4/13/22 09:16, Jan Kiszka wrote:
> Several refactorings, simplifications and fixes of the SWUpdate and EFI
> Boot Guard integration. This primarily aims at the unification of both
> variants.
> 
> For that, this switches to unified kernel images also in the non-secure
> mode. This allows sharing configuration files between both as well.
> 
> Furthermore, the device selection in sw-description is abstracted from
> the concrete medium, making it easier for downstream to place images on
> either internal or external media without adjusting device paths.
> 
> Finally, the watchdog support in QEMU is fixed and enabled so that we
> can run update and failure sequences completely.
> 
> Jan

I tested it once and it looks good to me.

Quirin

> 
> Jan Kiszka (19):
>    start-qemu.sh: Add ssh access to guest from localhost
>    swupdate: Simplify secure-swupdate-img class
>    swupdate: Drop no longer used SOURCE_IMAGE_FILE
>    swupdate: Rename secure-swupdate-img class
>    Drop initramfs-abrootfs-secureboot references
>    Rename initramfs-abrootfs-secureboot to initramfs-abrootfs-hook
>    swupdate: Switch to unified kernel image by default
>    swupdate: Drop PN from TEMPLATE_VARS
>    efibootguard: Avoid rename linux.efi when signing it
>    Unify configuration of secure vs. non-secure SWUpdate
>    cip-core-image: Do not include swupdate.inc unless it is used
>    cip-core-image: Make image-uuid an image option
>    swupdate: Add patch to fix EBG bootloader_env_get
>    swupdate: Switch to bootenv_rrmap+kernelfile for device selection
>    customizations: Enable systemd watchdog
>    linux-cip: Update cip-kernel-config
>    start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset
>    doc: Update README.swupdate
>    doc: README.secureboot polishing
> 
>   ...img.bbclass => secure-wic-swu-img.bbclass} |   6 +-
>   classes/wic-swu-img.bbclass                   |   2 -
>   doc/README.secureboot.md                      |  16 +-
>   doc/README.swupdate.md                        | 166 ++++++++++--------
>   kas/opt/ebg-secure-boot-base.yml              |  21 ---
>   kas/opt/ebg-secure-boot-snakeoil.yml          |  10 +-
>   kas/opt/ebg-swu.yml                           |   7 +
>   kas/opt/swupdate.yml                          |   3 +
>   recipes-core/customizations/common.inc        |   6 +-
>   .../customizations/files/99-watchdog.conf     |   3 +
>   recipes-core/images/cip-core-image.bb         |   6 +-
>   .../files/secure-boot/sw-description.tmpl     |  35 ----
>   recipes-core/images/files/sw-description.tmpl |  20 +--
>   recipes-core/images/image-uuid.inc            |  12 ++
>   recipes-core/images/read-only.inc             |   1 -
>   recipes-core/images/secureboot.inc            |  21 ---
>   recipes-core/images/swupdate.inc              |   4 +-
>   .../swupdate.handler.efibootguard.ini         |  16 --
>   .../files/swupdate.handler.efibootguard.ini   |  20 +--
>   ...onfig-Make-image-encryption-optional.patch |   8 +-
>   .../0002-debian-rules-Add-CONFIG_MTD.patch    |   6 +-
>   ...es-Add-option-to-disable-fs-creation.patch |   8 +-
>   ...ules-Add-option-to-disable-webserver.patch |   8 +-
>   ...Make-CONFIG_HW_COMPATIBILTY-optional.patch |   8 +-
>   ...ules-Add-Embedded-Lua-handler-option.patch |   6 +-
>   ...-SWUpdate-USB-service-and-Udev-rules.patch |  10 +-
>   ...option-to-disable-CONFIG_HASH_VERIFY.patch |   6 +-
>   ...ch-to-fix-bootloader_env_get-for-EBG.patch |  66 +++++++
>   ...repare-build-for-isar-debian-buster.patch} |  10 +-
>   .../swupdate/swupdate_2021.11-1+debian-gbp.bb |   5 +-
>   .../files/debian-local-patch                  |   0
>   .../files/initramfs.image_uuid.hook           |   0
>   .../files/initramfs.lsblk.hook                |   0
>   .../initramfs-abrootfs-hook}/files/postinst   |   2 +-
>   .../initramfs-abrootfs-hook_0.1.bb            |   8 +-
>   recipes-kernel/linux/linux-cip-common.inc     |   2 +-
>   .../wic/plugins/source/efibootguard-boot.py   |  30 ++--
>   start-qemu.sh                                 |   3 +-
>   wic/ebg-sysparts.inc                          |   4 +-
>   wic/qemu-amd64-efibootguard-secureboot.wks.in |   4 +-
>   40 files changed, 277 insertions(+), 292 deletions(-)
>   rename classes/{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} (82%)
>   delete mode 100644 kas/opt/ebg-secure-boot-base.yml
>   create mode 100644 recipes-core/customizations/files/99-watchdog.conf
>   delete mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
>   create mode 100644 recipes-core/images/image-uuid.inc
>   delete mode 100644 recipes-core/images/secureboot.inc
>   delete mode 100644 recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
>   create mode 100644 recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
>   rename recipes-core/swupdate/files/{0009-debian-prepare-build-for-isar-debian-buster.patch => 0010-debian-prepare-build-for-isar-debian-buster.patch} (92%)
>   rename recipes-support/initramfs-config/files/secure-boot-debian-local-patch => recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch (100%)
>   rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.image_uuid.hook (100%)
>   rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.lsblk.hook (100%)
>   rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/postinst (73%)
>   rename recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb => recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb (74%)
> 





