* [meta-security][PATCH 2/4] dm-verity-img.bbclass: use bc-native
2023-12-21 7:57 [meta-security][PATCH 1/4] tpm2-tss: support native builds Mikko Rapeli
@ 2023-12-21 7:57 ` Mikko Rapeli
2023-12-21 8:37 ` Erik Schilling
2023-12-21 7:57 ` [meta-security][PATCH 3/4] dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIX Mikko Rapeli
` (2 subsequent siblings)
3 siblings, 1 reply; 8+ messages in thread
From: Mikko Rapeli @ 2023-12-21 7:57 UTC (permalink / raw)
To: yocto; +Cc: Erik Schilling, Mikko Rapeli
From: Erik Schilling <erik.schilling@linaro.org>
Build host may not have bc.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
classes/dm-verity-img.bbclass | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 045c860..3dd2b94 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -49,6 +49,8 @@ DM_VERITY_SEPARATE_HASH ?= "0"
DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
+DEPENDS += "bc-native"
+
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
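Review bot: the new `DEPENDS += "bc-native"` line is dropped between the partition-type GUID defaults and the comment block that describes process_verity(), with nothing saying why an image class needs bc at all; add a one-line comment above it (for example `# bc is used by process_verity() to split the root hash into the partition UUIDs`) so the dependency is not mistaken for part of the GUID configuration. The commit message should also say that the bare `bc` in the next hunk is only expected to resolve because this native dependency is present, otherwise the two hunks look independent.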
@@ -87,8 +89,8 @@ process_verity() {
# https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
ROOT_HASH=$(cat $ENV | grep ^ROOT_HASH | sed 's/ROOT_HASH=//' | tr a-f A-F)
- ROOT_HI=$(echo "obase=16;ibase=16;$ROOT_HASH/2^80" | /usr/bin/bc)
- ROOT_LO=$(echo "obase=16;ibase=16;$ROOT_HASH%2^80" | /usr/bin/bc)
+ ROOT_HI=$(echo "obase=16;ibase=16;$ROOT_HASH/2^80" | bc)
+ ROOT_LO=$(echo "obase=16;ibase=16;$ROOT_HASH%2^80" | bc)
# Hyphenate as per UUID spec and as expected by wic+sgdisk parameters.
# Prefix with leading zeros, in case hash chunks weren't using highest bits
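Review bot: the arithmetic on the two changed lines is easy to misread and deserves a comment: under `ibase=16` bc reads the literal `80` in `2^80` as hex too, so the divisor is 2^128 and the division and modulo split the 64-digit (256-bit) hash into its upper and lower 128-bit halves, which is exactly the split the discoverable partitions specification referenced above calls for. Suggest something like `# ibase=16, so 2^80 is 2^128: split the 256-bit hash into two 128-bit halves` next to the ROOT_HI line. It is also worth noting on the line above that `tr a-f A-F` is not cosmetic: bc only accepts uppercase hex digits as input (lowercase letters are variable names), so the uppercase conversion must stay in front of the bc calls whichever bc binary is used.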
--
2.34.1
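The step that process_verity() performs with bc above, taking the dm-verity root hash and using its upper 128 bits as the root partition UUID and its lower 128 bits as the hash partition UUID, is the binding between the partition table and the verity tree that the discoverable partitions specification relies on. The following Python is an added example, not code from meta-security or from this patch, that performs the same split without bc, mirrors the `grep ^ROOT_HASH | sed | tr a-f A-F` extraction, and shows why the `2^80` literal works under `ibase=16`. The `.env` text, the function names and the sample hash are constructed for illustration.

```python
import re
import uuid
from typing import Tuple

# Constructed sample of the .env text that process_verity() greps; the
# ROOT_HASH value is made up for illustration and is not a real root hash.
SAMPLE_ENV = (
    "UUID=8b5c1f3e-1f4a-4d6f-9c2e-0a1b2c3d4e5f\n"
    "ROOT_HASH=0123456789abcdef0123456789abcdef"
    "fedcba9876543210fedcba9876543210\n"
    "DATA_BLOCKS=1024\n"
)


def root_hash_from_env(env_text: str) -> str:
    """Mirror `grep ^ROOT_HASH | sed 's/ROOT_HASH=//' | tr a-f A-F`.

    The uppercase conversion matters for the bc version: bc only accepts
    A-F as hex digits, lowercase a-f are variable names.
    """
    for line in env_text.splitlines():
        if line.startswith("ROOT_HASH="):
            return line[len("ROOT_HASH="):].strip().upper()
    raise ValueError("no ROOT_HASH= line in veritysetup .env output")


def bc_literal(digits: str, ibase: int) -> int:
    """Value of a bc numeric literal when bc is running with `ibase`.

    bc parses every literal in the current ibase, so the `80` in the
    class's `2^80` is 0x80 == 128 once ibase=16 has been set.
    """
    return int(digits, ibase)


def split_root_hash(root_hash_hex: str) -> Tuple[str, str]:
    """Return (ROOT_UUID, RHASH_UUID) for a 256-bit root hash.

    ROOT_UUID is the upper 128 bits, RHASH_UUID the lower 128 bits, both
    hyphenated and zero-padded to 32 hex digits, which covers the
    "hash chunks weren't using highest bits" case the class pads for.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", root_hash_hex):
        raise ValueError("expected a 64-hex-digit (SHA-256) root hash")
    value = int(root_hash_hex, 16)
    shift = bc_literal("80", 16)          # 128, not 80
    hi = value >> shift                   # ROOT_HI in the class
    lo = value & ((1 << shift) - 1)       # ROOT_LO in the class
    return str(uuid.UUID(int=hi)), str(uuid.UUID(int=lo))


def uuids_from_env(env_text: str) -> Tuple[str, str]:
    """End-to-end: .env text in, (ROOT_UUID, RHASH_UUID) out."""
    return split_root_hash(root_hash_from_env(env_text))


if __name__ == "__main__":
    root_uuid, rhash_uuid = uuids_from_env(SAMPLE_ENV)
    print("ROOT_UUID  =", root_uuid)
    print("RHASH_UUID =", rhash_uuid)
```

Running the block on the constructed `.env` prints the two UUIDs that would go into the `--uuid=` parameters of the generated wks fragment; feeding it a hash whose top bits are zero shows the zero-padding that the shell version has to add by hand.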
* Re: [meta-security][PATCH 2/4] dm-verity-img.bbclass: use bc-native
2023-12-21 7:57 ` [meta-security][PATCH 2/4] dm-verity-img.bbclass: use bc-native Mikko Rapeli
@ 2023-12-21 8:37 ` Erik Schilling
0 siblings, 0 replies; 8+ messages in thread
From: Erik Schilling @ 2023-12-21 8:37 UTC (permalink / raw)
To: Mikko Rapeli, yocto
On Thu Dec 21, 2023 at 8:57 AM CET, Mikko Rapeli wrote:
> From: Erik Schilling <erik.schilling@linaro.org>
>
> Build host may not have bc.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Erik Schilling <erik.schilling@linaro.org>
> ---
> classes/dm-verity-img.bbclass | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
> index 045c860..3dd2b94 100644
> --- a/classes/dm-verity-img.bbclass
> +++ b/classes/dm-verity-img.bbclass
> @@ -49,6 +49,8 @@ DM_VERITY_SEPARATE_HASH ?= "0"
> DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
> DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
>
> +DEPENDS += "bc-native"
> +
> # Process the output from veritysetup and generate the corresponding .env
> # file. The output from veritysetup is not very machine-friendly so we need to
> # convert it to some better format. Let's drop the first line (doesn't contain
> @@ -87,8 +89,8 @@ process_verity() {
> # https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
>
> ROOT_HASH=$(cat $ENV | grep ^ROOT_HASH | sed 's/ROOT_HASH=//' | tr a-f A-F)
> - ROOT_HI=$(echo "obase=16;ibase=16;$ROOT_HASH/2^80" | /usr/bin/bc)
> - ROOT_LO=$(echo "obase=16;ibase=16;$ROOT_HASH%2^80" | /usr/bin/bc)
> + ROOT_HI=$(echo "obase=16;ibase=16;$ROOT_HASH/2^80" | bc)
> + ROOT_LO=$(echo "obase=16;ibase=16;$ROOT_HASH%2^80" | bc)
>
> # Hyphenate as per UUID spec and as expected by wic+sgdisk parameters.
> # Prefix with leading zeros, in case hash chunks weren't using highest bits
* [meta-security][PATCH 3/4] dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIX
2023-12-21 7:57 [meta-security][PATCH 1/4] tpm2-tss: support native builds Mikko Rapeli
2023-12-21 7:57 ` [meta-security][PATCH 2/4] dm-verity-img.bbclass: use bc-native Mikko Rapeli
@ 2023-12-21 7:57 ` Mikko Rapeli
2023-12-21 8:37 ` Erik Schilling
2023-12-21 7:57 ` [meta-security][PATCH 4/4] dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIR Mikko Rapeli
2023-12-21 8:39 ` [meta-security][PATCH 1/4] tpm2-tss: support native builds Erik Schilling
3 siblings, 1 reply; 8+ messages in thread
From: Mikko Rapeli @ 2023-12-21 7:57 UTC (permalink / raw)
To: yocto; +Cc: Erik Schilling, Mikko Rapeli
From: Erik Schilling <erik.schilling@linaro.org>
It is embedded into IMAGE_NAME since poky master branch commit
6f6c79029bc2020907295858449c725952d560a1
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
classes/dm-verity-img.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 3dd2b94..7f35df5 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -115,7 +115,7 @@ process_verity() {
verity_setup() {
local TYPE=$1
- local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE
+ local INPUT=${IMAGE_NAME}.$TYPE
local SIZE=$(stat --printf="%s" $INPUT)
local OUTPUT=$INPUT.verity
local OUTPUT_HASH=$INPUT.verity
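Review bot: `local INPUT=${IMAGE_NAME}.$TYPE` only names the file the core image code writes when IMAGE_NAME already carries the `.rootfs` suffix, which the commit message says is the case from poky commit 6f6c79029bc2 onward; on release branches before that the class will now look for a file that does not exist. State in the commit message which poky release this makes the minimum and reflect it in the layer's LAYERSERIES_COMPAT, or keep a fallback for the older naming. On the context lines, `local OUTPUT=$INPUT.verity` and `local OUTPUT_HASH=$INPUT.verity` start out identical; a short comment saying where OUTPUT_HASH is rebound for the separate-hash case would save readers a trip through the rest of the function.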
@@ -157,7 +157,7 @@ verity_setup() {
# make "dateless" symlink for the hash so the wks can find it.
verity_hash() {
cd ${IMGDEPLOYDIR}
- ln -sf ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash \
+ ln -sf ${IMAGE_NAME}.${DM_VERITY_IMAGE_TYPE}.vhash \
${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash
}
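Review bot: after this change the symlink target `${IMAGE_NAME}.${DM_VERITY_IMAGE_TYPE}.vhash` still carries the `.rootfs` suffix (now inside IMAGE_NAME) while the link name `${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash` does not, so the "dateless" name differs in shape from the dated one. That is pre-existing behaviour, but since the .wks fragment looks up the .vhash by this dateless name, say in the commit message that the link name is intentionally left as is so that existing .wks consumers do not need updating.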
--
2.34.1
* Re: [meta-security][PATCH 3/4] dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIX
2023-12-21 7:57 ` [meta-security][PATCH 3/4] dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIX Mikko Rapeli
@ 2023-12-21 8:37 ` Erik Schilling
0 siblings, 0 replies; 8+ messages in thread
From: Erik Schilling @ 2023-12-21 8:37 UTC (permalink / raw)
To: Mikko Rapeli, yocto
On Thu Dec 21, 2023 at 8:57 AM CET, Mikko Rapeli wrote:
> From: Erik Schilling <erik.schilling@linaro.org>
>
> It is embedded into IMAGE_NAME since poky master branch commit
> 6f6c79029bc2020907295858449c725952d560a1
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Erik Schilling <erik.schilling@linaro.org>
> ---
> classes/dm-verity-img.bbclass | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
> index 3dd2b94..7f35df5 100644
> --- a/classes/dm-verity-img.bbclass
> +++ b/classes/dm-verity-img.bbclass
> @@ -115,7 +115,7 @@ process_verity() {
>
> verity_setup() {
> local TYPE=$1
> - local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE
> + local INPUT=${IMAGE_NAME}.$TYPE
> local SIZE=$(stat --printf="%s" $INPUT)
> local OUTPUT=$INPUT.verity
> local OUTPUT_HASH=$INPUT.verity
> @@ -157,7 +157,7 @@ verity_setup() {
> # make "dateless" symlink for the hash so the wks can find it.
> verity_hash() {
> cd ${IMGDEPLOYDIR}
> - ln -sf ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash \
> + ln -sf ${IMAGE_NAME}.${DM_VERITY_IMAGE_TYPE}.vhash \
> ${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash
> }
>
* [meta-security][PATCH 4/4] dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIR
2023-12-21 7:57 [meta-security][PATCH 1/4] tpm2-tss: support native builds Mikko Rapeli
2023-12-21 7:57 ` [meta-security][PATCH 2/4] dm-verity-img.bbclass: use bc-native Mikko Rapeli
2023-12-21 7:57 ` [meta-security][PATCH 3/4] dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIX Mikko Rapeli
@ 2023-12-21 7:57 ` Mikko Rapeli
2023-12-21 8:39 ` Erik Schilling
2023-12-21 8:39 ` [meta-security][PATCH 1/4] tpm2-tss: support native builds Erik Schilling
3 siblings, 1 reply; 8+ messages in thread
From: Mikko Rapeli @ 2023-12-21 7:57 UTC (permalink / raw)
To: yocto; +Cc: Erik Schilling, Mikko Rapeli
If image recipe A wants to embed another image B which used
dm-verity-img.bbclass and generated the .wks file, then
recipe B must deploy everything to IMGDEPLOYDIR but recipe A
finds the output from DM_VERITY_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}".
Now both A and B images can use dm-verity-img.bbclass.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
classes/dm-verity-img.bbclass | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 7f35df5..2f212d6 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -33,6 +33,10 @@
# is stored where it can be installed into associated initramfs rootfs.
STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
+# location of images, default current image recipe. Set to DEPLOY_DIR_IMAGE
+# if non-verity images want to embed the .wks and verity image.
+DM_VERITY_DEPLOY_DIR ?= "${IMGDEPLOYDIR}"
+
# Define the data block size to use in veritysetup.
DM_VERITY_IMAGE_DATA_BLOCK_SIZE ?= "1024"
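Review bot: the comment on the new variable says to set DM_VERITY_DEPLOY_DIR to DEPLOY_DIR_IMAGE when another image wants to embed the verity image, but reading from DEPLOY_DIR_IMAGE is only safe if the embedding recipe also declares a task dependency on the image that produced the files (for example `do_image_wic[depends] += "<image-b>:do_image_complete"` with the producing image's name filled in); without it the .verity and .vhash files may be missing or stale when the .wks fragment is processed. Spell that requirement out here or in the commit message, and mention that the default `${IMGDEPLOYDIR}` is the current recipe's own deploy staging directory and so cannot be used from another recipe.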
@@ -107,10 +111,10 @@ process_verity() {
# Create wks.in fragment with build specific UUIDs for partitions.
# Unfortunately the wks.in does not support line continuations...
# First, the unappended filesystem data partition.
- echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
+ echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}.rootfs.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
# note: no default mount point for hash data partition
- echo 'part --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
+ echo 'part --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
}
verity_setup() {
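Review bot: the first echo's `.verity` path gains a hardcoded `.rootfs` segment (`${DM_VERITY_IMAGE}-${MACHINE}.rootfs.${DM_VERITY_IMAGE_TYPE}.verity`) while the second echo's `.vhash` path stays without it, and the commit message, which only talks about DM_VERITY_DEPLOY_DIR, does not mention the rename. Explain why the two differ (presumably the `.verity` link is the one created by the core image code under its new link naming, while the `.vhash` link is created by verity_hash() in this class without the suffix), and consider using `${IMAGE_NAME_SUFFIX}` instead of the literal `.rootfs` if that variable is still defined in the poky release the layer targets, so a build that changes the suffix keeps working. The `.rootfs` change would also be cleaner as its own patch, or at least its own paragraph in this one.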
--
2.34.1
* Re: [meta-security][PATCH 4/4] dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIR
2023-12-21 7:57 ` [meta-security][PATCH 4/4] dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIR Mikko Rapeli
@ 2023-12-21 8:39 ` Erik Schilling
0 siblings, 0 replies; 8+ messages in thread
From: Erik Schilling @ 2023-12-21 8:39 UTC (permalink / raw)
To: Mikko Rapeli, yocto
On Thu Dec 21, 2023 at 8:57 AM CET, Mikko Rapeli wrote:
> If image recipe A wants to embed another image B which used
> dm-verity-img.bbclass and generated the .wks file, then
> recipe B must deploy everything to IMGDEPLOYDIR but recipe A
> finds the output from DM_VERITY_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}".
>
> Now both A and B images can use dm-verity-img.bbclass.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
> classes/dm-verity-img.bbclass | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
> index 7f35df5..2f212d6 100644
> --- a/classes/dm-verity-img.bbclass
> +++ b/classes/dm-verity-img.bbclass
> @@ -33,6 +33,10 @@
> # is stored where it can be installed into associated initramfs rootfs.
> STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
>
> +# location of images, default current image recipe. Set to DEPLOY_DIR_IMAGE
> +# if non-verity images want to embed the .wks and verity image.
> +DM_VERITY_DEPLOY_DIR ?= "${IMGDEPLOYDIR}"
> +
> # Define the data block size to use in veritysetup.
> DM_VERITY_IMAGE_DATA_BLOCK_SIZE ?= "1024"
>
> @@ -107,10 +111,10 @@ process_verity() {
> # Create wks.in fragment with build specific UUIDs for partitions.
> # Unfortunately the wks.in does not support line continuations...
> # First, the unappended filesystem data partition.
> - echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
> + echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}.rootfs.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
>
> # note: no default mount point for hash data partition
> - echo 'part --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
> + echo 'part --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
> }
>
> verity_setup() {
Reviewed-by: Erik Schilling <erik.schilling@linaro.org>
* Re: [meta-security][PATCH 1/4] tpm2-tss: support native builds
2023-12-21 7:57 [meta-security][PATCH 1/4] tpm2-tss: support native builds Mikko Rapeli
` (2 preceding siblings ...)
2023-12-21 7:57 ` [meta-security][PATCH 4/4] dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIR Mikko Rapeli
@ 2023-12-21 8:39 ` Erik Schilling
3 siblings, 0 replies; 8+ messages in thread
From: Erik Schilling @ 2023-12-21 8:39 UTC (permalink / raw)
To: Mikko Rapeli, yocto
On Thu Dec 21, 2023 at 8:57 AM CET, Mikko Rapeli wrote:
> systemd tool ukify
> https://www.freedesktop.org/software/systemd/man/latest/ukify.html
> depends on systemd-measure
> https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html
> which depends on tpm2-tss. So to support creating UKI
> images containing both kernel and initramfs with systemd-native,
> tpm2-tss support is needed for native too.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
> meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
> index 6386105..dceebc2 100644
> --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
> +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
> @@ -93,3 +93,5 @@ FILES:${PN} = "\
> ${sysconfdir}/sysusers.d"
>
> RDEPENDS:libtss2 = "libgcrypt"
> +
> +BBCLASSEXTEND = "native"
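Review bot: `BBCLASSEXTEND = "native"` on its own only makes `tpm2-tss-native` a valid target; the visible context (`${sysconfdir}/sysusers.d` in `FILES:${PN}` and `RDEPENDS:libtss2 = "libgcrypt"`) shows the recipe is written around the target use case, and any sysusers, udev or systemd related configuration it carries is not needed by a build-host copy used only by systemd-measure and may pull in native dependencies that do not exist. Please state in the commit message that `tpm2-tss-native` was actually built, and if such options are present disable them for the native variant with a `:class-native` override rather than relying on them happening to build.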
Reviewed-by: Erik Schilling <erik.schilling@linaro.org>