From: Quirin.Gylstorff@siemens.com
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Subject: [cip-dev][isar-cip-core][PATCH v2] swupdate: Add option to disable CONFIG_HASH_VERIFY
Date: Mon, 14 Feb 2022 13:28:05 +0100 [thread overview]
Message-ID: <20220214122805.262651-1-Quirin.Gylstorff@siemens.com> (raw)
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This patch activate CONFIG_HASH_VERITY to ensure the integrity of the
swu binary. To ensure simple example builds the option can be disabled
by with the debian build profile `pkg.swupdate.nohashverify`.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes V2:
- add missing patch description
...onfig-Make-image-encryption-optional.patch | 2 +-
.../0002-debian-rules-Add-CONFIG_MTD.patch | 2 +-
...es-Add-option-to-disable-fs-creation.patch | 2 +-
...ules-Add-option-to-disable-webserver.patch | 2 +-
...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 2 +-
...ules-Add-Embedded-Lua-handler-option.patch | 2 +-
...SWUpdate-USB-service-and-Udev-rules.patch} | 8 ++---
...option-to-disable-CONFIG_HASH_VERIFY.patch | 29 +++++++++++++++++++
...repare-build-for-isar-debian-buster.patch} | 6 ++--
.../swupdate/swupdate_2021.11-1+debian-gbp.bb | 5 ++--
10 files changed, 45 insertions(+), 15 deletions(-)
rename recipes-core/swupdate/files/{0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch => 0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch} (89%)
create mode 100644 recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
rename recipes-core/swupdate/files/{0007-debian-prepare-build-for-isar-debian-buster.patch => 0009-debian-prepare-build-for-isar-debian-buster.patch} (94%)
diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
index 8b186e0..c501e42 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
+++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
@@ -1,7 +1,7 @@
From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 15:28:21 +0200
-Subject: [PATCH 1/8] debian/config: Make image encryption optional
+Subject: [PATCH 1/9] debian/config: Make image encryption optional
This can be use to ease the setup with SWUpdate.
diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
index eb5067d..50cf805 100644
--- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
+++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
@@ -1,7 +1,7 @@
From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 11:29:57 +0200
-Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD
+Subject: [PATCH 2/9] debian/rules: Add CONFIG_MTD
if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.
diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
index 3671709..c5815cb 100644
--- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
+++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
@@ -1,7 +1,7 @@
From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Mon, 4 Oct 2021 17:15:56 +0200
-Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation
+Subject: [PATCH 3/9] debian/rules: Add option to disable fs creation
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
index 8fbb722..4a9076d 100644
--- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
+++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
@@ -1,7 +1,7 @@
From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Mon, 4 Oct 2021 17:27:11 +0200
-Subject: [PATCH 4/8] debian/rules: Add option to disable webserver
+Subject: [PATCH 4/9] debian/rules: Add option to disable webserver
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
index 96443f2..87eba2c 100644
--- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
+++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
@@ -1,7 +1,7 @@
From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Tue, 5 Oct 2021 10:56:25 +0200
-Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional
+Subject: [PATCH 5/9] debian: Make CONFIG_HW_COMPATIBILTY optional
Add option for qemu.
diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
index 324f079..5d7543b 100644
--- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
@@ -1,7 +1,7 @@
From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option
+Subject: [PATCH 6/9] debian/rules: Add Embedded Lua handler option
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
similarity index 89%
rename from recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
rename to recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
index 3cce24b..2779d8b 100644
--- a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
+++ b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
@@ -1,7 +1,7 @@
-From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001
+From 625db939a1dec7d1aa6fbcb01c2c4cbd699bfe7b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Mon, 7 Feb 2022 09:28:39 +0100
-Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules
+Subject: [PATCH 7/9] debian: Remove SWUpdate USB service and Udev rules
The current implementation will install an abitrary SWUpdate binary
from a plug-in USB stick. This is a major security risk for devices
@@ -19,10 +19,10 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
delete mode 100644 debian/swupdate.udev
diff --git a/debian/rules b/debian/rules
-index e1c4a921..84ed55d4 100755
+index 12eb0ba5..76fce010 100755
--- a/debian/rules
+++ b/debian/rules
-@@ -103,7 +103,6 @@ override_dh_auto_install:
+@@ -101,7 +101,6 @@ override_dh_auto_install:
override_dh_installsystemd:
dh_installsystemd --no-start
dh_installsystemd --name=swupdate-progress
diff --git a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
new file mode 100644
index 0000000..a7c5ee7
--- /dev/null
+++ b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
@@ -0,0 +1,29 @@
+From cddd3472aad2d8e48d557705b82ffcc0c7d14a02 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 14 Feb 2022 12:27:43 +0100
+Subject: [PATCH 8/9] Add Profile option to disable CONFIG_HASH_VERIFY
+
+This change also enables CONFIG_HASH_VERIFY by default.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ debian/rules | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/debian/rules b/debian/rules
+index 76fce010..4dc9e170 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -42,6 +42,9 @@ endif
+ ifneq (,$(filter pkg.swupdate.hwcompatibility,$(DEB_BUILD_PROFILES)))
+ echo CONFIG_HW_COMPATIBILITY=y >> configs/debian_defconfig
+ endif
++ifeq (,$(filter pkg.swupdate.nohashverify,$(DEB_BUILD_PROFILES)))
++ echo CONFIG_HASH_VERIFY=y >> configs/debian_defconfig
++endif
+ ifeq (,$(filter pkg.swupdate.nowebserver,$(DEB_BUILD_PROFILES)))
+ echo CONFIG_WEBSERVER=y >> configs/debian_defconfig
+ echo CONFIG_MONGOOSESSL=y >> configs/debian_defconfig
+--
+2.34.1
+
diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
similarity index 94%
rename from recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
rename to recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
index 0b08f25..8afef74 100644
--- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
+++ b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
@@ -1,7 +1,7 @@
-From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001
+From 5dda7f815dafdfbd1b187ccc912eca38e9aee7bb Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 16:17:03 +0200
-Subject: [PATCH 7/8] debian: prepare build for isar debian buster
+Subject: [PATCH 9/9] debian: prepare build for isar debian buster
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
@@ -47,7 +47,7 @@ index 192c4a2a..9318fa12 100644
libebgenv-dev <pkg.swupdate.efibootguard> | efibootguard-dev <pkg.swupdate.efibootguard>,
libcmocka-dev,
diff --git a/debian/rules b/debian/rules
-index 12eb0ba5..e1c4a921 100755
+index 4dc9e170..370ca3d8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -19,13 +19,15 @@ endif
diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
index 2995d71..699dad3 100644
--- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
@@ -22,7 +22,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
file://0004-debian-rules-Add-option-to-disable-webserver.patch \
file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
- file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch"
+ file://0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch \
+ file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch"
# end patching for dm-verity based images
@@ -38,7 +39,7 @@ SWUPDATE_BUILD_PROFILES += "cross nocheck"
# SWUPDATE_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
# modify for debian buster build
-SRC_URI_append_buster = " file://0007-debian-prepare-build-for-isar-debian-buster.patch"
+SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
# disable documentation due to missing packages
SWUPDATE_BUILD_PROFILES_append = " nodoc "
--
2.34.1
next reply other threads:[~2022-02-14 12:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-14 12:28 Quirin.Gylstorff [this message]
2022-02-15 9:37 ` [cip-dev][isar-cip-core][PATCH v2] swupdate: Add option to disable CONFIG_HASH_VERIFY Jan Kiszka
2022-02-15 9:47 ` quirin.gylstorff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220214122805.262651-1-Quirin.Gylstorff@siemens.com \
--to=quirin.gylstorff@siemens.com \
--cc=cip-dev@lists.cip-project.org \
--cc=jan.kiszka@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.