From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH 07/19] swupdate: Switch to unified kernel image by default
Date: Wed, 13 Apr 2022 09:16:24 +0200
Message-ID: <ec84e655e1d0a6f0909969f351de6e4ed0abc0d1.1649834193.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1649834193.git.jan.kiszka@siemens.com>

From: Jan Kiszka <jan.kiszka@siemens.com>

This will help to move non-secure and secure boot closer. It will also
be required when booting non-x86 kernels with device trees that shall be
replaceable via updates, thus shall be embedded into the unified kernel
image.

The change obsoletes the need to specify "unified-kernel=y" as
efibootguard-boot plugin parameter. Users can still select the classic
boot method by providing "unified-kernel=n".

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 kas/opt/ebg-swu.yml                           |  4 ++++
 recipes-core/images/files/sw-description.tmpl | 20 +++++--------------
 recipes-core/images/swupdate.inc              |  4 ++--
 .../files/swupdate.handler.efibootguard.ini   | 16 +++------------
 .../wic/plugins/source/efibootguard-boot.py   | 10 ++++------
 wic/ebg-sysparts.inc                          |  4 ++--
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 ++--
 7 files changed, 22 insertions(+), 40 deletions(-)

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index e708d0a..a58f0ed 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -14,3 +14,7 @@ header:
   includes:
    - kas/opt/efibootguard.yml
    - kas/opt/swupdate.yml
+
+local_conf_header:
+  initramfs: |
+    IMAGE_INSTALL += "initramfs-abrootfs-hook"
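Review bot: The commit message does not mention that initramfs-abrootfs-hook is now installed through this kas option, so the reason for the new local_conf_header block has to be guessed from the rest of the series. A sentence in the message saying what the hook provides for the non-secure SWUpdate image would make this hunk reviewable on its own.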
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index c44c2a8..7dd67f9 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -11,10 +11,10 @@
 software =
 {
     version = "0.2";
-    name = "cip software update"
+    name = "cip software update";
     images: ({
             filename = "${ROOTFS_PARTITION_NAME}";
-            device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
+            device = "sda4,sda5";
             type = "roundrobin";
             compressed = "zlib";
             filesystem = "ext4";
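Review bot: device = "sda4,sda5" replaces the partition UUIDs with kernel device names, which ties the update description to the disk enumerating as sda and to this exact partition numbering. On a target where the disk shows up under another name, the roundrobin handler would be pointed at a wrong or missing device. Consider filling the device list from a template variable, or explain in the commit message why device names are required here. The semicolon added after the name line is a separate syntax fix and deserves its own mention.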
@@ -23,23 +23,13 @@ software =
             };
     });
     files: ({
-            filename = "${KERNEL_IMAGE}";
-            path = "vmlinuz";
+            filename = "linux.efi";
+            path = "linux.efi";
             type = "roundrobin";
-            device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
+            device = "sda4->BOOT0,sda5->BOOT1";
             filesystem = "vfat";
             properties: {
                         subtype = "kernel";
             };
-    },
-    {
-            filename = "${INITRD_IMAGE}";
-            path = "${INITRD_IMAGE}";
-            type = "roundrobin";
-            device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
-            filesystem = "vfat";
-            properties: {
-                        subtype = "initrd";
-            };
     });
 }
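Review bot: The files section now ships only linux.efi and drops the vmlinuz and initrd entries, while the commit message says the classic boot method stays selectable with "unified-kernel=n". An image built that way produces no linux.efi, so it would no longer match this template. Either make the section conditional on the boot method or state in the message that SWUpdate support now requires the unified kernel image.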
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index c23c103..2c3ad65 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
 SRC_URI += "file://sw-description.tmpl"
 TEMPLATE_FILES += "sw-description.tmpl"
 
-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE"
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
 
-SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}"
+SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
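Review bot: The literal linux.efi in SWU_ADDITIONAL_FILES is the third copy of that name in this patch, next to filename/path in sw-description.tmpl and kernelfile in swupdate.handler.efibootguard.ini. A single variable passed through TEMPLATE_VARS would keep the three in sync if the image name ever changes, and would replace the KERNEL_IMAGE/INITRD_IMAGE indirection removed here with something equally explicit.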
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
index 3aee76c..b5e8070 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
@@ -2,25 +2,15 @@
 chainhandler=raw
 
 [image.selector]
-method=cmdline_rr
+method=getroot_rr
 key=root
 
-[image.bootenv]
-kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
-
 [kernel]
 chainhandler=rawfile
 
 [kernel.selector]
-method=cmdline_rrmap
+method=getroot_rrmap
 key=root
 
 [kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:vmlinuz
-
-[initrd]
-chainhandler=rawfile
-
-[initrd.selector]
-method=cmdline_rrmap
-key=root
+kernelfile=C:BOOT${rrindex}:linux.efi
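Review bot: key=root is kept under both [image.selector] and [kernel.selector] although the method changes from cmdline_rr/cmdline_rrmap to getroot_rr/getroot_rrmap. If the getroot methods do not read a key, drop the two lines; if they do, the commit message should say what the key means now that the root device is no longer taken from the command line. The switch of selector method and the removal of [image.bootenv] kernelparams are also not mentioned in the message.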
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 98a327c..4291dc2 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -78,15 +78,13 @@ class EfibootguardBootPlugin(SourcePlugin):
             efibootguard in local.conf with WDOG_TIMEOUT=")
             exit(1)
 
-
         boot_files = source_params.get("files", "").split(' ')
-        uefi_kernel = source_params.get("unified-kernel")
+        unified_kernel = source_params.get("unified-kernel") or 'y'
         cmdline = bootloader.append
-        if uefi_kernel:
+        if unified_kernel == 'y':
             boot_image = cls._create_unified_kernel_image(rootfs_dir,
                                                           cr_workdir,
                                                           cmdline,
-                                                          uefi_kernel,
                                                           deploy_dir,
                                                           kernel_image,
                                                           initrd_image,
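Review bot: The check unified_kernel == 'y' makes every value other than the exact string 'y' select the classic boot path, so a typo such as "unified-kernel=yes" or "Y" silently builds a non-unified image, where the old truthiness test would have built a unified one. Validate the parameter against 'y' and 'n' and fail the build on anything else, in the same way the watchdog check above exits with an error.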
@@ -174,8 +172,8 @@ class EfibootguardBootPlugin(SourcePlugin):
 
     @classmethod
     def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
-                                     uefi_kernel, deploy_dir, kernel_image,
-                                     initrd_image, source_params):
+                                     deploy_dir, kernel_image, initrd_image,
+                                     source_params):
         # we need to map the distro_arch to uefi values
         distro_to_efi_arch = {
             "amd64": "x64",
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
index dea99e8..18c879a 100644
--- a/wic/ebg-sysparts.inc
+++ b/wic/ebg-sysparts.inc
@@ -4,5 +4,5 @@
 part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active
 
 # EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1"
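Review bot: Both BOOT partitions lose their root=PARTUUID:... source parameter here, and the only replacement visible in this patch is the initramfs-abrootfs-hook added in kas/opt/ebg-swu.yml. If this include is used by an image that is not built with that kas option, nothing in these lines selects the root file system any more. A comment above the two part lines naming the mechanism that now determines the root would document the dependency.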
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 72a6f8c..c47257b 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -2,8 +2,8 @@
 include ebg-signed-bootloader.inc
 
 # EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"
 
 part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
 part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
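Review bot: Dropping unified-kernel=y from the secure boot layout makes the signed image depend on the plugin default staying 'y'. Since signwith= only makes sense for the unified image here, keeping the parameter explicit on these two lines costs nothing and protects the secure boot configuration against a later change of the default.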
-- 
2.34.1


