* [isar-cip-core][PATCH 01/19] start-qemu.sh: Add ssh access to guest from localhost
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 02/19] swupdate: Simplify secure-swupdate-img class Jan Kiszka
` (18 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Permit ssh logins to the guest from the host using port 22222
forwarding, but only from the local machine. This is useful, e.g., to
send an swu file into the VM for testing swupdate.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
start-qemu.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index e986791..c5cd9fa 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -117,7 +117,7 @@ shift 1
QEMU_COMMON_OPTIONS=" \
-m 1G \
-serial mon:stdio \
- -netdev user,id=net \
+ -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
${QEMU_EXTRA_ARGS}"
if [ -n "${SECURE_BOOT}" ]; then
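Review bot: the new `hostfwd=tcp:127.0.0.1:22222-:22` sits in QEMU_COMMON_OPTIONS, so the forward is set up on every invocation and the host port is fixed. A second guest started on the same host will fail to bind 22222, and on a shared build host every local user can reach the guest's sshd through loopback. Consider making the port overridable and the forward opt-in, e.g. `hostfwd=tcp:127.0.0.1:${SSH_PORT:-22222}-:22` (SSH_PORT being a new, hypothetical variable name), and document the port next to the option.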
--
2.34.1
* [isar-cip-core][PATCH 02/19] swupdate: Simplify secure-swupdate-img class
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Directly include wic-swu-img, avoiding code duplication this way.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
classes/secure-swupdate-img.bbclass | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass
index 330f619..c2b2402 100644
--- a/classes/secure-swupdate-img.bbclass
+++ b/classes/secure-swupdate-img.bbclass
@@ -20,11 +20,7 @@ do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
inherit verity-img
-inherit wic-img
-inherit swupdate-img
-
-SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+inherit wic-swu-img
addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
addtask do_wic_image after do_verity_image
-addtask do_swupdate_image after do_wic_image
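Review bot: with `inherit wic-swu-img` replacing the two inherits, this class no longer states the `do_swupdate_image after do_wic_image` ordering itself, while it still spells out `do_verity_image` before `do_wic_image` right above. A one-line comment saying that the swupdate task ordering and `SOURCE_IMAGE_FILE` now come from wic-swu-img would keep the full task chain readable from this file.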
--
2.34.1
* [isar-cip-core][PATCH 03/19] swupdate: Drop no longer used SOURCE_IMAGE_FILE
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Obsoleted by aed961de08e1.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
classes/wic-swu-img.bbclass | 2 --
1 file changed, 2 deletions(-)
diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
index 5e6de40..f03befa 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/wic-swu-img.bbclass
@@ -12,6 +12,4 @@
inherit wic-img
inherit swupdate-img
-SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
-
addtask do_swupdate_image after do_wic_image
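Review bot: the removal of `SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"` is justified only by the bare hash aed961de08e1 in the commit message. Please quote that commit's subject line next to the hash so a reader of this patch can tell, without the repository at hand, why no consumer of the variable is left.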
--
2.34.1
* [isar-cip-core][PATCH 04/19] swupdate: Rename secure-swupdate-img class
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Align the name to the non-secure counterpart wic-swu-img.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} | 0
kas/opt/ebg-secure-boot-snakeoil.yml | 3 +--
2 files changed, 1 insertion(+), 2 deletions(-)
rename classes/{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} (100%)
diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-wic-swu-img.bbclass
similarity index 100%
rename from classes/secure-swupdate-img.bbclass
rename to classes/secure-wic-swu-img.bbclass
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index a7d644b..10414fb 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -14,7 +14,6 @@ header:
includes:
- kas/opt/ebg-secure-boot-base.yml
-
local_conf_header:
image-options: |
CIP_IMAGE_OPTIONS_append = " read-only.inc"
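Review bot: the blank line removed between `includes:` and `local_conf_header:` is an unrelated whitespace change in a patch described as a pure rename. Drop it here or move it to a separate cleanup so the rename stays mechanical.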
@@ -24,7 +23,7 @@ local_conf_header:
verity-img: |
SECURE_IMAGE_FSTYPE = "squashfs"
- IMAGE_FSTYPES = "secure-swupdate-img"
+ IMAGE_FSTYPES = "secure-wic-swu-img"
WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
secure-boot: |
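Review bot: `IMAGE_FSTYPES = "secure-wic-swu-img"` is the only user updated here, and the class is renamed at 100% similarity with no alias left behind, so any downstream layer or kas file that still sets `secure-swupdate-img` will no longer find the class. State the rename as an incompatible change in the commit message, or keep a stub `secure-swupdate-img.bbclass` that inherits the new class for a transition period.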
--
2.34.1
* [isar-cip-core][PATCH 05/19] Drop initramfs-abrootfs-secureboot references
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
As secure boot implies for isar-cip-core dm-verity with read-only
rootfs, we only added initramfs-abrootfs-secureboot to remove it again.
So don't reference it at all. It will be used differently soon,
therefore keep the recipe.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/ebg-secure-boot-base.yml | 3 +--
recipes-core/images/read-only.inc | 1 -
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 8f769b6..299b663 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -15,7 +15,6 @@ header:
- kas/opt/efibootguard.yml
local_conf_header:
- initramfs: |
- IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
+ secure_swu: |
SWU_DESCRIPTION = "secureboot"
SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
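Review bot: the `local_conf_header` key changes from `initramfs` to `secure_swu`, which the commit message does not mention, and the new key uses an underscore where the sibling keys visible in this series use hyphens (`image-options`, `verity-img`, `secure-boot`). Suggest `secure-swu` for consistency and a sentence in the commit message about the key rename.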
diff --git a/recipes-core/images/read-only.inc b/recipes-core/images/read-only.inc
index 604caa0..c031e39 100644
--- a/recipes-core/images/read-only.inc
+++ b/recipes-core/images/read-only.inc
@@ -14,7 +14,6 @@ SQUASHFS_EXCLUDE_DIRS += "home var"
IMAGE_INSTALL += "etc-overlay-fs"
IMAGE_INSTALL += "home-fs"
IMAGE_INSTALL += "tmp-fs"
-IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot"
image_configure_fstab() {
sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
--
2.34.1
* [isar-cip-core][PATCH 06/19] Rename initramfs-abrootfs-secureboot to initramfs-abrootfs-hook
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
It had nothing to do with secure boot at all, only with selecting the
rootfs from the initramfs via a uuid match.
Relocate to recipes-initramfs as well at this chance as this is more
logical, even if initramfs-abrootfs-hook is not using the initramfs
image class yet.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../initramfs-abrootfs-hook/files/debian-local-patch | 0
.../files/initramfs.image_uuid.hook | 0
.../initramfs-abrootfs-hook}/files/initramfs.lsblk.hook | 0
.../initramfs-abrootfs-hook}/files/postinst | 2 +-
.../initramfs-abrootfs-hook_0.1.bb | 8 ++++----
5 files changed, 5 insertions(+), 5 deletions(-)
rename recipes-support/initramfs-config/files/secure-boot-debian-local-patch => recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch (100%)
rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.image_uuid.hook (100%)
rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.lsblk.hook (100%)
rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/postinst (73%)
rename recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb => recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb (74%)
diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
similarity index 100%
rename from recipes-support/initramfs-config/files/secure-boot-debian-local-patch
rename to recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
similarity index 100%
rename from recipes-support/initramfs-config/files/initramfs.image_uuid.hook
rename to recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook
similarity index 100%
rename from recipes-support/initramfs-config/files/initramfs.lsblk.hook
rename to recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.lsblk.hook
diff --git a/recipes-support/initramfs-config/files/postinst b/recipes-initramfs/initramfs-abrootfs-hook/files/postinst
similarity index 73%
rename from recipes-support/initramfs-config/files/postinst
rename to recipes-initramfs/initramfs-abrootfs-hook/files/postinst
index 2d4256d..e065524 100644
--- a/recipes-support/initramfs-config/files/postinst
+++ b/recipes-initramfs/initramfs-abrootfs-hook/files/postinst
@@ -1,6 +1,6 @@
#!/bin/sh
# patch local script
-patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/initramfs-abrootfs-hook/debian-local.patch
update-initramfs -v -u
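Review bot: the postinst never checks the result of `patch`: the script has no `set -e`, so when the patch does not apply cleanly to `/usr/share/initramfs-tools/scripts/local` (the upstream script changed, or the postinst runs again on an already patched file), `update-initramfs -v -u` still runs and builds an initramfs from whatever state the script is in. Since the line is being touched anyway, add `set -e` at the top, or test with `patch --dry-run` first and exit non-zero on failure.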
diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
similarity index 74%
rename from recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
rename to recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
index 4b257fa..9c1776a 100644
--- a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
+++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb
@@ -16,13 +16,13 @@ DEBIAN_DEPENDS += ", busybox, patch"
SRC_URI += "file://postinst \
file://initramfs.lsblk.hook \
file://initramfs.image_uuid.hook \
- file://secure-boot-debian-local-patch"
+ file://debian-local-patch"
do_install() {
- # add patch for local to /usr/share/secure boot
- TARGET=${D}/usr/share/secureboot
+ # add patch for local to /usr/share/initramfs-abrootfs-hook
+ TARGET=${D}/usr/share/initramfs-abrootfs-hook
install -m 0755 -d ${TARGET}
- install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch
+ install -m 0644 ${WORKDIR}/debian-local-patch ${TARGET}/debian-local.patch
# add hooks for secure boot
HOOKS=${D}/etc/initramfs-tools/hooks
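Review bot: the context line `# add hooks for secure boot` just below the renamed install lines still ties the hooks to secure boot, which is exactly what this patch says they are not about. Update that comment together with the `TARGET` comment, e.g. `# add hooks for rootfs selection`.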
--
2.34.1
* [isar-cip-core][PATCH 07/19] swupdate: Switch to unified kernel image by default
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
This will help to move non-secure and secure boot closer. It will also
be required when booting non-x86 kernels with device trees that shall be
replaceable via updates, thus shall be embedded into the unified kernel
image.
The change obsoletes the need to specify "unified-kernel=y" as
efibootguard-boot plugin parameter. Users can still select the classic
boot method by providing "unified-kernel=n".
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/ebg-swu.yml | 4 ++++
recipes-core/images/files/sw-description.tmpl | 20 +++++--------------
recipes-core/images/swupdate.inc | 4 ++--
.../files/swupdate.handler.efibootguard.ini | 16 +++------------
.../wic/plugins/source/efibootguard-boot.py | 10 ++++------
wic/ebg-sysparts.inc | 4 ++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 ++--
7 files changed, 22 insertions(+), 40 deletions(-)
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index e708d0a..a58f0ed 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -14,3 +14,7 @@ header:
includes:
- kas/opt/efibootguard.yml
- kas/opt/swupdate.yml
+
+local_conf_header:
+ initramfs: |
+ IMAGE_INSTALL += "initramfs-abrootfs-hook"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index c44c2a8..7dd67f9 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -11,10 +11,10 @@
software =
{
version = "0.2";
- name = "cip software update"
+ name = "cip software update";
images: ({
filename = "${ROOTFS_PARTITION_NAME}";
- device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
+ device = "sda4,sda5";
type = "roundrobin";
compressed = "zlib";
filesystem = "ext4";
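Review bot: `device = "sda4,sda5"` replaces the partition UUIDs with kernel device names, and the commit message does not say why. Device names depend on the bus and on probe order, so on a target whose disk is not `sda`, or that has a second disk, the roundrobin handler may not find the partitions or may address the wrong ones. Either keep a stable identifier here or document the constraint. The added `;` after `name` is a separate fix and deserves its own line in the commit message.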
@@ -23,23 +23,13 @@ software =
};
});
files: ({
- filename = "${KERNEL_IMAGE}";
- path = "vmlinuz";
+ filename = "linux.efi";
+ path = "linux.efi";
type = "roundrobin";
- device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
+ device = "sda4->BOOT0,sda5->BOOT1";
filesystem = "vfat";
properties: {
subtype = "kernel";
};
- },
- {
- filename = "${INITRD_IMAGE}";
- path = "${INITRD_IMAGE}";
- type = "roundrobin";
- device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
- filesystem = "vfat";
- properties: {
- subtype = "initrd";
- };
});
}
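Review bot: the `files` section now ships only `linux.efi`, yet the commit message says the classic boot method stays available via `unified-kernel=n`. An image built that way still boots from a separate kernel and initrd, which this sw-description no longer updates. Either state that SWUpdate support now requires the unified kernel image, or keep a variant of the kernel/initrd entries for the classic case.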
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index c23c103..2c3ad65 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"
-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE"
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
-SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}"
+SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
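Review bot: `linux.efi` is hard-coded in `SWU_ADDITIONAL_FILES`, and the same literal appears in sw-description.tmpl and in `kernelfile=` of the handler ini in this patch, while the file itself is produced by efibootguard-boot.py. A single variable passed through `TEMPLATE_VARS`, as `KERNEL_IMAGE` was before, would keep at least the recipe and the template in sync if the file name ever changes.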
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
index 3aee76c..b5e8070 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
@@ -2,25 +2,15 @@
chainhandler=raw
[image.selector]
-method=cmdline_rr
+method=getroot_rr
key=root
-[image.bootenv]
-kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
-
[kernel]
chainhandler=rawfile
[kernel.selector]
-method=cmdline_rrmap
+method=getroot_rrmap
key=root
[kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:vmlinuz
-
-[initrd]
-chainhandler=rawfile
-
-[initrd.selector]
-method=cmdline_rrmap
-key=root
+kernelfile=C:BOOT${rrindex}:linux.efi
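Review bot: dropping `[image.bootenv]` with `kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}` means the handler no longer writes the root device of the updated slot into the boot environment, and the selectors move from `cmdline_*` to `getroot_*`. Neither change is explained in the commit message. Please describe how the new slot's rootfs is found after an update (presumably through the initramfs-abrootfs-hook added to ebg-swu.yml above) so the dependency is on record.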
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 98a327c..4291dc2 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -78,15 +78,13 @@ class EfibootguardBootPlugin(SourcePlugin):
efibootguard in local.conf with WDOG_TIMEOUT=")
exit(1)
-
boot_files = source_params.get("files", "").split(' ')
- uefi_kernel = source_params.get("unified-kernel")
+ unified_kernel = source_params.get("unified-kernel") or 'y'
cmdline = bootloader.append
- if uefi_kernel:
+ if unified_kernel == 'y':
boot_image = cls._create_unified_kernel_image(rootfs_dir,
cr_workdir,
cmdline,
- uefi_kernel,
deploy_dir,
kernel_image,
initrd_image,
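Review bot: `if unified_kernel == 'y':` treats every value other than the exact string `y` as a request for classic boot, so `unified-kernel=yes`, `Y` or a typo silently skips `_create_unified_kernel_image`. Validate the parameter instead: accept `y` and `n` only, and on anything else report an error and `exit(1)`, as the context lines above do for the watchdog setting.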
@@ -174,8 +172,8 @@ class EfibootguardBootPlugin(SourcePlugin):
@classmethod
def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
- uefi_kernel, deploy_dir, kernel_image,
- initrd_image, source_params):
+ deploy_dir, kernel_image, initrd_image,
+ source_params):
# we need to map the distro_arch to uefi values
distro_to_efi_arch = {
"amd64": "x64",
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
index dea99e8..18c879a 100644
--- a/wic/ebg-sysparts.inc
+++ b/wic/ebg-sysparts.inc
@@ -4,5 +4,5 @@
part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 72a6f8c..c47257b 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -2,8 +2,8 @@
include ebg-signed-bootloader.inc
# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
--
2.34.1
* [isar-cip-core][PATCH 08/19] swupdate: Drop PN from TEMPLATE_VARS
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Was never used in any of the template files.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-core/images/secureboot.inc | 2 +-
recipes-core/images/swupdate.inc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
index 3e6eef8..e01c834 100644
--- a/recipes-core/images/secureboot.inc
+++ b/recipes-core/images/secureboot.inc
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"
-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
+TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"
SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index 2c3ad65..64887df 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -16,6 +16,6 @@ ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
SRC_URI += "file://sw-description.tmpl"
TEMPLATE_FILES += "sw-description.tmpl"
-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
+TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"
SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
--
2.34.1
* [isar-cip-core][PATCH 09/19] efibootguard: Avoid rename linux.efi when signing it
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
This will simplify handling of secure vs. non-secure configurations.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../files/secure-boot/sw-description.tmpl | 4 ++--
recipes-core/images/secureboot.inc | 2 +-
.../swupdate.handler.efibootguard.ini | 2 +-
.../wic/plugins/source/efibootguard-boot.py | 20 +++++++++----------
4 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
index f8e5375..7dc070a 100644
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -23,8 +23,8 @@ software =
};
});
files: ({
- filename = "linux.signed.efi";
- path = "linux.signed.efi";
+ filename = "linux.efi";
+ path = "linux.efi";
type = "roundrobin";
device = "sda4->BOOT0,sda5->BOOT1";
filesystem = "vfat";
diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
index e01c834..6182080 100644
--- a/recipes-core/images/secureboot.inc
+++ b/recipes-core/images/secureboot.inc
@@ -18,4 +18,4 @@ TEMPLATE_FILES += "sw-description.tmpl"
TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"
-SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}"
+SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
index 4a109b7..b5e8070 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
@@ -13,4 +13,4 @@ method=getroot_rrmap
key=root
[kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:linux.signed.efi
+kernelfile=C:BOOT${rrindex}:linux.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 4291dc2..909e629 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -215,23 +215,21 @@ class EfibootguardBootPlugin(SourcePlugin):
uefi_kernel_file=uefi_kernel_file)
exec_cmd(objcopy_cmd)
- return cls._sign_file(name=uefi_kernel_name,
- signee=uefi_kernel_file,
- deploy_dir=deploy_dir,
- source_params=source_params)
+ cls._sign_file(signee=uefi_kernel_file, source_params=source_params)
+
+ return uefi_kernel_name
@classmethod
- def _sign_file(cls, name, signee, deploy_dir, source_params):
+ def _sign_file(cls, signee, source_params):
sign_script = source_params.get("signwith")
if sign_script and os.path.exists(sign_script):
msger.info("sign with script %s", sign_script)
- name = name.replace(".efi", ".signed.efi")
- sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\
- .format(sign_script=sign_script, signee=signee,
- deploy_dir=deploy_dir, name=name)
+ orig_signee = signee + ".unsigned"
+ os.rename(signee, orig_signee)
+ sign_cmd = "{sign_script} {orig_signee} {signee}"\
+ .format(sign_script=sign_script, orig_signee=orig_signee,
+ signee=signee)
exec_cmd(sign_cmd)
elif sign_script and not os.path.exists(sign_script):
msger.error("Could not find script %s", sign_script)
exit(1)
-
- return name
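Review bot: with the output now always called `linux.efi`, the case where `_sign_file` does nothing because `signwith` is absent from `source_params` no longer shows up anywhere. Before this patch the secure-boot sw-description and `SWU_ADDITIONAL_FILES` named `linux.signed.efi`, so an unsigned build would have lacked the file they ask for. Please make the missing-signature case fail loudly for secure-boot images, for example by erroring out when signing was expected but `sign_script` is empty, or by checking the result after `exec_cmd(sign_cmd)`. Separately, `sign_cmd` interpolates both paths unquoted, so a work directory containing spaces breaks the call.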
--
2.34.1
* [isar-cip-core][PATCH 10/19] Unify configuration of secure vs. non-secure SWUpdate
From: Jan Kiszka @ 2022-04-13 7:16 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
The sw-descriptions are practically identical, the roundrobin-handler
ini files are absolutely the same. So drop them and use unified configs.
That allows dropping kas/opt/ebg-secure-boot-base.yml as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/ebg-secure-boot-base.yml | 20 -----------
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
.../files/secure-boot/sw-description.tmpl | 35 -------------------
recipes-core/images/secureboot.inc | 21 -----------
.../swupdate.handler.efibootguard.ini | 16 ---------
5 files changed, 1 insertion(+), 93 deletions(-)
delete mode 100644 kas/opt/ebg-secure-boot-base.yml
delete mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
delete mode 100644 recipes-core/images/secureboot.inc
delete mode 100644 recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
deleted file mode 100644
index 299b663..0000000
--- a/kas/opt/ebg-secure-boot-base.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-header:
- version: 10
- includes:
- - kas/opt/efibootguard.yml
-
-local_conf_header:
- secure_swu: |
- SWU_DESCRIPTION = "secureboot"
- SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 10414fb..28b3545 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -12,7 +12,7 @@
header:
version: 10
includes:
- - kas/opt/ebg-secure-boot-base.yml
+ - kas/opt/efibootguard.yml
local_conf_header:
image-options: |
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
deleted file mode 100644
index 7dc070a..0000000
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-software =
-{
- version = "0.2";
- name = "secure boot update"
- images: ({
- filename = "${ROOTFS_PARTITION_NAME}";
- device = "sda4,sda5";
- type = "roundrobin";
- compressed = "zlib";
- filesystem = "ext4";
- properties: {
- subtype = "image";
- };
- });
- files: ({
- filename = "linux.efi";
- path = "linux.efi";
- type = "roundrobin";
- device = "sda4->BOOT0,sda5->BOOT1";
- filesystem = "vfat";
- properties: {
- subtype = "kernel";
- };
- })
-}
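Review bot: the deleted template is not quite identical to the unified one: it carries `name = "secure boot update"`, whereas recipes-core/images/files/sw-description.tmpl as changed in patch 07 has `name = "cip software update";`. After this patch, SWUs built for secure-boot images change their `name`; the commit message should say so, so that anyone keying on that field is warned.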
diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
deleted file mode 100644
index 6182080..0000000
--- a/recipes-core/images/secureboot.inc
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files/secure-boot:"
-
-ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
-
-SRC_URI += "file://sw-description.tmpl"
-TEMPLATE_FILES += "sw-description.tmpl"
-
-TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"
-
-SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
deleted file mode 100644
index b5e8070..0000000
--- a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
+++ /dev/null
@@ -1,16 +0,0 @@
-[image]
-chainhandler=raw
-
-[image.selector]
-method=getroot_rr
-key=root
-
-[kernel]
-chainhandler=rawfile
-
-[kernel.selector]
-method=getroot_rrmap
-key=root
-
-[kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:linux.efi
--
2.34.1
* [isar-cip-core][PATCH 11/19] cip-core-image: Do not include swupdate.inc unless it is used
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (9 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 10/19] Unify configuration of secure vs. non-secure SWUpdate Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 12/19] cip-core-image: Make image-uuid an image option Jan Kiszka
` (8 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Was harmless to do so for non-swupdate images, but also unneeded.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/ebg-secure-boot-snakeoil.yml | 5 +++--
kas/opt/swupdate.yml | 3 +++
recipes-core/images/cip-core-image.bb | 5 ++---
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 28b3545..be58b15 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -15,8 +15,9 @@ header:
- kas/opt/efibootguard.yml
local_conf_header:
- image-options: |
- CIP_IMAGE_OPTIONS_append = " read-only.inc"
+ image-options-swupdate-ro: |
+ CIP_IMAGE_OPTIONS_append = " swupdate.inc read-only.inc"
+
swupdate: |
IMAGE_INSTALL_append = " swupdate"
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
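Review bot: The `+` line appends `swupdate.inc` to CIP_IMAGE_OPTIONS here under the key `image-options-swupdate-ro`, and the kas/opt/swupdate.yml hunk of this same patch appends it again under `image-option-swupdate`. If a build ever combines both option files, the include list carries swupdate.inc twice. Consider appending only `read-only.inc` here and taking swupdate.inc from one place, or state in the commit message that the two files are never used together.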
diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index a8b903f..1b2aff4 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -19,6 +19,9 @@ local_conf_header:
IMAGE_INSTALL_append = " swupdate"
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
+ image-option-swupdate: |
+ CIP_IMAGE_OPTIONS_append = " swupdate.inc"
+
wic-swu: |
IMAGE_FSTYPES = "wic-swu-img"
WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
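Review bot: The new key `image-option-swupdate` uses a singular `image-option-` prefix, while the sibling hunk in kas/opt/ebg-secure-boot-snakeoil.yml introduces `image-options-swupdate-ro`. kas merges local_conf_header entries by key, so the key names decide which entries coexist and which override each other; one consistent prefix would make that intent readable.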
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 9bf21ff..ecba06d 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -11,12 +11,11 @@
inherit image
inherit image_uuid
+
ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
DESCRIPTION = "CIP Core image"
IMAGE_INSTALL += "customizations"
-# for swupdate
-SWU_DESCRIPTION ??= "swupdate"
-CIP_IMAGE_OPTIONS ?= "${SWU_DESCRIPTION}.inc"
+CIP_IMAGE_OPTIONS ?= ""
include ${CIP_IMAGE_OPTIONS}
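Review bot: The removed lines `SWU_DESCRIPTION ??= "swupdate"` and `CIP_IMAGE_OPTIONS ?= "${SWU_DESCRIPTION}.inc"` also drop the SWU_DESCRIPTION indirection, which the commit message does not mention. A configuration that selected its include file by setting SWU_DESCRIPTION silently loses it after this change, so the message should say so. The `+` blank line after `inherit image_uuid` is an unrelated whitespace change and can be dropped.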
--
2.34.1
* [isar-cip-core][PATCH 12/19] cip-core-image: Make image-uuid an image option
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (10 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 11/19] cip-core-image: Do not include swupdate.inc unless it is used Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 13/19] swupdate: Add patch to fix EBG bootloader_env_get Jan Kiszka
` (7 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
This allows to avoid running this needless task for the secure image
where we use the dm-verity hash as image identification.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/ebg-swu.yml | 3 +++
recipes-core/images/cip-core-image.bb | 1 -
recipes-core/images/image-uuid.inc | 12 ++++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 recipes-core/images/image-uuid.inc
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index a58f0ed..d811929 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -18,3 +18,6 @@ header:
local_conf_header:
initramfs: |
IMAGE_INSTALL += "initramfs-abrootfs-hook"
+
+ image-option-uuid: |
+ CIP_IMAGE_OPTIONS_append = " image-uuid.inc"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index ecba06d..3f8c320 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -10,7 +10,6 @@
#
inherit image
-inherit image_uuid
ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
DESCRIPTION = "CIP Core image"
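Review bot: With `-inherit image_uuid` removed here, the class is inherited only where `image-uuid.inc` is appended, and in this patch that is kas/opt/ebg-swu.yml alone. The commit message names the secure image as the case that does not need the task; it should also say that any other configuration relying on the image UUID now has to append `image-uuid.inc` itself, or the option should be added to those kas files in this patch.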
diff --git a/recipes-core/images/image-uuid.inc b/recipes-core/images/image-uuid.inc
new file mode 100644
index 0000000..5e5a727
--- /dev/null
+++ b/recipes-core/images/image-uuid.inc
@@ -0,0 +1,12 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image_uuid
--
2.34.1
* [isar-cip-core][PATCH 13/19] swupdate: Add patch to fix EBG bootloader_env_get
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (11 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 12/19] cip-core-image: Make image-uuid an image option Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 14/19] swupdate: Switch to bootenv_rrmap+kernelfile for device selection Jan Kiszka
` (6 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Will be required for using bootenv_rrmap with the roundrobin handler.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...onfig-Make-image-encryption-optional.patch | 8 +--
.../0002-debian-rules-Add-CONFIG_MTD.patch | 6 +-
...es-Add-option-to-disable-fs-creation.patch | 8 +--
...ules-Add-option-to-disable-webserver.patch | 8 +--
...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 8 +--
...ules-Add-Embedded-Lua-handler-option.patch | 6 +-
...-SWUpdate-USB-service-and-Udev-rules.patch | 10 +--
...option-to-disable-CONFIG_HASH_VERIFY.patch | 6 +-
...ch-to-fix-bootloader_env_get-for-EBG.patch | 66 +++++++++++++++++++
...repare-build-for-isar-debian-buster.patch} | 10 +--
.../swupdate/swupdate_2021.11-1+debian-gbp.bb | 5 +-
11 files changed, 104 insertions(+), 37 deletions(-)
create mode 100644 recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
rename recipes-core/swupdate/files/{0009-debian-prepare-build-for-isar-debian-buster.patch => 0010-debian-prepare-build-for-isar-debian-buster.patch} (92%)
diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
index c501e42..aa20ab6 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
+++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
@@ -1,7 +1,7 @@
-From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
+From 5d78de76eab1218494c714e9816152e4d821fa86 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 15:28:21 +0200
-Subject: [PATCH 1/9] debian/config: Make image encryption optional
+Subject: [PATCH 01/10] debian/config: Make image encryption optional
This can be use to ease the setup with SWUpdate.
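Review bot: This hunk changes only the `From <hash>` line and the `Subject: [PATCH 1/9]` numbering, and the hunks that follow for 0001 to 0008 additionally shorten the index abbreviations from 8 to 7 hex digits. None of that changes what the carried patches do, but it buries the one new patch (0009) in metadata noise. Regenerating the carried series with `git format-patch --zero-commit -N` and a fixed abbreviation length would keep later updates reviewable.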
@@ -12,7 +12,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index 02681e53..b34168e3 100644
+index 02681e5..b34168e 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -3,7 +3,6 @@ CONFIG_HW_COMPATIBILITY=y
@@ -24,7 +24,7 @@ index 02681e53..b34168e3 100644
CONFIG_SURICATTA_SSL=y
CONFIG_UPDATE_STATE_CHOICE_BOOTLOADER=y
diff --git a/debian/rules b/debian/rules
-index 864add23..08b74a1d 100755
+index 864add2..08b74a1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -41,6 +41,9 @@ endif
diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
index 50cf805..e62a4fc 100644
--- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
+++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
@@ -1,7 +1,7 @@
-From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
+From c3adc5d2be41e151c811c96f2bed245778fec82c Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 11:29:57 +0200
-Subject: [PATCH 2/9] debian/rules: Add CONFIG_MTD
+Subject: [PATCH 02/10] debian/rules: Add CONFIG_MTD
if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.
@@ -11,7 +11,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
1 file changed, 1 insertion(+)
diff --git a/debian/rules b/debian/rules
-index 08b74a1d..6705140b 100755
+index 08b74a1..6705140 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,6 +20,7 @@ endif
diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
index c5815cb..08ba9b9 100644
--- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
+++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
@@ -1,7 +1,7 @@
-From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
+From 17d962a9b43f5debaed85affc6dccb2c471bffe9 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Mon, 4 Oct 2021 17:15:56 +0200
-Subject: [PATCH 3/9] debian/rules: Add option to disable fs creation
+Subject: [PATCH 03/10] debian/rules: Add option to disable fs creation
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
@@ -10,7 +10,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index b34168e3..d011deb1 100644
+index b34168e..d011deb 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -9,12 +9,6 @@ CONFIG_UPDATE_STATE_CHOICE_BOOTLOADER=y
@@ -27,7 +27,7 @@ index b34168e3..d011deb1 100644
CONFIG_RAW=y
CONFIG_RDIFFHANDLER=y
diff --git a/debian/rules b/debian/rules
-index 6705140b..983e122f 100755
+index 6705140..983e122 100755
--- a/debian/rules
+++ b/debian/rules
@@ -45,6 +45,15 @@ endif
diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
index 4a9076d..eaa6fcf 100644
--- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
+++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
@@ -1,7 +1,7 @@
-From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
+From a02a6d4385f314601ef5c7094ecb26f5b5c3f134 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Mon, 4 Oct 2021 17:27:11 +0200
-Subject: [PATCH 4/9] debian/rules: Add option to disable webserver
+Subject: [PATCH 04/10] debian/rules: Add option to disable webserver
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
@@ -10,7 +10,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index d011deb1..337fcce0 100644
+index d011deb..337fcce 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -6,8 +6,6 @@ CONFIG_SIGALG_CMS=y
@@ -23,7 +23,7 @@ index d011deb1..337fcce0 100644
CONFIG_UNIQUEUUID=y
CONFIG_RAW=y
diff --git a/debian/rules b/debian/rules
-index 983e122f..6078ed89 100755
+index 983e122..6078ed8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -39,6 +39,10 @@ else ifneq (,$(filter pkg.swupdate.efibootguard,$(DEB_BUILD_PROFILES)))
diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
index 87eba2c..eb19e5f 100644
--- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
+++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
@@ -1,7 +1,7 @@
-From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
+From 8315d5ff8168fca1bd3752764e71f98e8b55f2ad Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Tue, 5 Oct 2021 10:56:25 +0200
-Subject: [PATCH 5/9] debian: Make CONFIG_HW_COMPATIBILTY optional
+Subject: [PATCH 05/10] debian: Make CONFIG_HW_COMPATIBILTY optional
Add option for qemu.
@@ -12,7 +12,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/configs/defconfig b/debian/configs/defconfig
-index 337fcce0..6fc1137f 100644
+index 337fcce..6fc1137 100644
--- a/debian/configs/defconfig
+++ b/debian/configs/defconfig
@@ -1,5 +1,4 @@
@@ -22,7 +22,7 @@ index 337fcce0..6fc1137f 100644
CONFIG_DOWNLOAD_SSL=y
CONFIG_SIGALG_CMS=y
diff --git a/debian/rules b/debian/rules
-index 6078ed89..19870e98 100755
+index 6078ed8..19870e9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -39,6 +39,9 @@ else ifneq (,$(filter pkg.swupdate.efibootguard,$(DEB_BUILD_PROFILES)))
diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
index 5d7543b..1d6a247 100644
--- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
@@ -1,7 +1,7 @@
-From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
+From 19969a388e414db84e54a706e9227c301b0408a2 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 6/9] debian/rules: Add Embedded Lua handler option
+Subject: [PATCH 06/10] debian/rules: Add Embedded Lua handler option
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
@@ -9,7 +9,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
1 file changed, 5 insertions(+)
diff --git a/debian/rules b/debian/rules
-index 19870e98..12eb0ba5 100755
+index 19870e9..12eb0ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -68,7 +68,12 @@ ifneq (,$(LUA_VERSION))
diff --git a/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
index 2779d8b..90c8d98 100644
--- a/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
+++ b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
@@ -1,7 +1,7 @@
-From 625db939a1dec7d1aa6fbcb01c2c4cbd699bfe7b Mon Sep 17 00:00:00 2001
+From db391d1dd34806ae6694205b08b4661318bef37b Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Mon, 7 Feb 2022 09:28:39 +0100
-Subject: [PATCH 7/9] debian: Remove SWUpdate USB service and Udev rules
+Subject: [PATCH 07/10] debian: Remove SWUpdate USB service and Udev rules
The current implementation will install an abitrary SWUpdate binary
from a plug-in USB stick. This is a major security risk for devices
@@ -19,7 +19,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
delete mode 100644 debian/swupdate.udev
diff --git a/debian/rules b/debian/rules
-index 12eb0ba5..76fce010 100755
+index 12eb0ba..76fce01 100755
--- a/debian/rules
+++ b/debian/rules
@@ -101,7 +101,6 @@ override_dh_auto_install:
@@ -32,7 +32,7 @@ index 12eb0ba5..76fce010 100755
override_dh_gencontrol:
diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service
deleted file mode 100644
-index eda9d153..00000000
+index eda9d15..0000000
--- a/debian/swupdate.swupdate-usb@.service
+++ /dev/null
@@ -1,8 +0,0 @@
@@ -46,7 +46,7 @@ index eda9d153..00000000
-ExecStopPost=/bin/umount /mnt
diff --git a/debian/swupdate.udev b/debian/swupdate.udev
deleted file mode 100644
-index b4efd0b7..00000000
+index b4efd0b..0000000
--- a/debian/swupdate.udev
+++ /dev/null
@@ -1,2 +0,0 @@
diff --git a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
index a7c5ee7..a5207ee 100644
--- a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
+++ b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
@@ -1,7 +1,7 @@
-From cddd3472aad2d8e48d557705b82ffcc0c7d14a02 Mon Sep 17 00:00:00 2001
+From 2776a4817eb91be3df001e04d548a702e9f5291a Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Mon, 14 Feb 2022 12:27:43 +0100
-Subject: [PATCH 8/9] Add Profile option to disable CONFIG_HASH_VERIFY
+Subject: [PATCH 08/10] Add Profile option to disable CONFIG_HASH_VERIFY
This change also enables CONFIG_HASH_VERIFY by default.
@@ -11,7 +11,7 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
1 file changed, 3 insertions(+)
diff --git a/debian/rules b/debian/rules
-index 76fce010..4dc9e170 100755
+index 76fce01..4dc9e17 100755
--- a/debian/rules
+++ b/debian/rules
@@ -42,6 +42,9 @@ endif
diff --git a/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch b/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
new file mode 100644
index 0000000..fd263ee
--- /dev/null
+++ b/recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
@@ -0,0 +1,66 @@
+From 09a736a651ae05378d9ef8018589c9f834b729a6 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Tue, 12 Apr 2022 08:01:21 +0200
+Subject: [PATCH 09/10] debian: Add patch to fix bootloader_env_get for EBG
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ ...ix-do_env_get-for-anything-but-globa.patch | 38 +++++++++++++++++++
+ debian/patches/series | 1 +
+ 2 files changed, 39 insertions(+)
+ create mode 100644 debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+
+diff --git a/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch b/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+new file mode 100644
+index 0000000..f99f7ee
+--- /dev/null
++++ b/debian/patches/0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+@@ -0,0 +1,38 @@
++From 62cd7c93dc31e5ad8dccdd1db791892864fbbccf Mon Sep 17 00:00:00 2001
++From: Jan Kiszka <jan.kiszka@siemens.com>
++Date: Tue, 12 Apr 2022 07:49:14 +0200
++Subject: [PATCH] bootloader: EBG: fix do_env_get for anything but global state
++
++The return value conversion must only be applied on STATE_KEY. This
++fixes strangely broken strings for all other keys.
++
++Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
++---
++ bootloader/ebg.c | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/bootloader/ebg.c b/bootloader/ebg.c
++index 2aa9010..a0b45dc 100644
++--- a/bootloader/ebg.c
+++++ b/bootloader/ebg.c
++@@ -115,6 +115,8 @@ char *bootloader_env_get(const char *name)
++ if (strncmp(name, (char *)STATE_KEY, strlen((char *)STATE_KEY) + 1) == 0) {
++ value = (char *)malloc(sizeof(char));
++ *value = ebg_env_getglobalstate(&ebgenv);
+++ /* Map EFI Boot Guard's int return to update_state_t's char value */
+++ *value = *value + '0';
++ } else {
++ if ((size = ebg_env_get(&ebgenv, (char *)name, NULL)) != 0) {
++ value = malloc(size);
++@@ -133,8 +135,6 @@ char *bootloader_env_get(const char *name)
++ name, strerror(errno));
++ }
++
++- /* Map EFI Boot Guard's int return to update_state_t's char value */
++- *value = *value + '0';
++ return value;
++ }
++
++--
++2.34.1
++
+diff --git a/debian/patches/series b/debian/patches/series
+index 8c5564a..98628a7 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -1 +1,2 @@
+ use-gcc-compiler.diff
++0001-bootloader-EBG-fix-do_env_get-for-anything-but-globa.patch
+--
+2.34.1
+
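Review bot: In the embedded bootloader/ebg.c change, the STATE_KEY branch does `value = (char *)malloc(sizeof(char));` and the next statements, including the moved `*value = *value + '0';`, dereference it without a NULL check. The buffer is also a single byte with no terminator although the function returns `char *`. Both predate this patch, but since the conversion is being moved into that branch anyway, a NULL check would fit here. Separately, the carried Debian patch has no note on its upstream status; a line saying whether it was submitted to SWUpdate would tell maintainers when 0009 can be dropped.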
diff --git a/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch
similarity index 92%
rename from recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
rename to recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch
index 8afef74..1d476e9 100644
--- a/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
+++ b/recipes-core/swupdate/files/0010-debian-prepare-build-for-isar-debian-buster.patch
@@ -1,7 +1,7 @@
-From 5dda7f815dafdfbd1b187ccc912eca38e9aee7bb Mon Sep 17 00:00:00 2001
+From c9661853aea11f090b5936363b0bae10fe6ebed6 Mon Sep 17 00:00:00 2001
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Date: Wed, 29 Sep 2021 16:17:03 +0200
-Subject: [PATCH 9/9] debian: prepare build for isar debian buster
+Subject: [PATCH 10/10] debian: prepare build for isar debian buster
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
@@ -13,13 +13,13 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
diff --git a/debian/compat b/debian/compat
new file mode 100644
-index 00000000..f599e28b
+index 0000000..f599e28
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/debian/control b/debian/control
-index 192c4a2a..9318fa12 100644
+index 192c4a2..9318fa1 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
@@ -47,7 +47,7 @@ index 192c4a2a..9318fa12 100644
libebgenv-dev <pkg.swupdate.efibootguard> | efibootguard-dev <pkg.swupdate.efibootguard>,
libcmocka-dev,
diff --git a/debian/rules b/debian/rules
-index 4dc9e170..370ca3d8 100755
+index 4dc9e17..370ca3d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -19,13 +19,15 @@ endif
diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
index bf060b4..7edefe7 100644
--- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
@@ -23,7 +23,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
file://0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch \
- file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch"
+ file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch \
+ file://0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch"
# end patching for dm-verity based images
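Review bot: The new `file://0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch` entry joins the list that the context line `# end patching for dm-verity based images` closes, but the patch fixes bootloader_env_get for EFI Boot Guard and is not specific to dm-verity. Either move it out of that block or widen the comment so the grouping does not mislead.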
@@ -39,7 +40,7 @@ DEB_BUILD_PROFILES += "cross nocheck"
# DEB_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
# modify for debian buster build
-SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
+SRC_URI_append_buster = " file://0010-debian-prepare-build-for-isar-debian-buster.patch"
# disable create filesystem due to missing symbols in debian buster
# disable webserver due to missing symbols in debian buster
--
2.34.1
* [isar-cip-core][PATCH 14/19] swupdate: Switch to bootenv_rrmap+kernelfile for device selection
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (12 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 13/19] swupdate: Add patch to fix EBG bootloader_env_get Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 15/19] customizations: Enable systemd watchdog Jan Kiszka
` (5 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
This allows for a medium-independent sw-description. Not required so far
for QEMU, but it may become useful in the future or for downstream
layers, at least as reference.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-core/images/files/sw-description.tmpl | 4 ++--
.../files/swupdate.handler.efibootguard.ini | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index 7dd67f9..f5cafeb 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -14,7 +14,7 @@ software =
name = "cip software update";
images: ({
filename = "${ROOTFS_PARTITION_NAME}";
- device = "sda4,sda5";
+ device = "C:BOOT0:linux.efi->fedcba98-7654-3210-cafe-5e0710000001,C:BOOT1:linux.efi->fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
compressed = "zlib";
filesystem = "ext4";
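Review bot: The new `device =` line hard-codes the two partition UUIDs `fedcba98-7654-3210-cafe-5e0710000001` and `...0002` as literals in the template. They have to match the partition layout the image is built with, and nothing in this hunk ties the two together. The template already substitutes `${ROOTFS_PARTITION_NAME}`; passing the UUIDs in the same way, or at least adding a comment naming the file that defines them, would keep a layout change from silently sending the update to a non-existent target.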
@@ -26,7 +26,7 @@ software =
filename = "linux.efi";
path = "linux.efi";
type = "roundrobin";
- device = "sda4->BOOT0,sda5->BOOT1";
+ device = "C:BOOT0:linux.efi->BOOT0,C:BOOT1:linux.efi->BOOT1";
filesystem = "vfat";
properties: {
subtype = "kernel";
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
index b5e8070..58271da 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
@@ -2,15 +2,15 @@
chainhandler=raw
[image.selector]
-method=getroot_rr
-key=root
+method=bootenv_rrmap
+key=kernelfile
[kernel]
chainhandler=rawfile
[kernel.selector]
-method=getroot_rrmap
-key=root
+method=bootenv_rrmap
+key=kernelfile
[kernel.bootenv]
kernelfile=C:BOOT${rrindex}:linux.efi
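Review bot: With `method=bootenv_rrmap` and `key=kernelfile`, the selectors now match on the string that `[kernel.bootenv]` writes as `kernelfile=C:BOOT${rrindex}:linux.efi`, and the same strings appear as the left-hand sides of the device maps in sw-description.tmpl. That coupling is undocumented: a change to the format here breaks selection there without any build error. A comment in this file pointing at the template, and a sentence in the commit message that this depends on the bootloader_env_get fix from patch 13, would help.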
--
2.34.1
* [isar-cip-core][PATCH 15/19] customizations: Enable systemd watchdog
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (13 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 14/19] swupdate: Switch to bootenv_rrmap+kernelfile for device selection Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 16/19] linux-cip: Update cip-kernel-config Jan Kiszka
` (4 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
This is needed for proper SWUpdate processing and does not harm in other
cases, even if the platform has no watchdog.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-core/customizations/common.inc | 6 +++++-
recipes-core/customizations/files/99-watchdog.conf | 3 +++
2 files changed, 8 insertions(+), 1 deletion(-)
create mode 100644 recipes-core/customizations/files/99-watchdog.conf
diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc
index d3eb7b8..1124ff2 100644
--- a/recipes-core/customizations/common.inc
+++ b/recipes-core/customizations/common.inc
@@ -16,7 +16,8 @@ FILESPATH_append := ":${FILE_DIRNAME}/files"
SRC_URI = " \
file://postinst \
file://ethernet \
- file://99-silent-printk.conf"
+ file://99-silent-printk.conf \
+ file://99-watchdog.conf"
WIRELESS_FIRMWARE_PACKAGE ?= ""
INSTALL_WIRELESS_TOOLS ??= "0"
@@ -34,4 +35,7 @@ do_install() {
install -v -d ${D}/etc/sysctl.d
install -v -m 644 ${WORKDIR}/99-silent-printk.conf ${D}/etc/sysctl.d/
+
+ install -v -d ${D}/etc/systemd/system.conf.d
+ install -v -m 644 ${WORKDIR}/99-watchdog.conf ${D}/etc/systemd/system.conf.d/
}
diff --git a/recipes-core/customizations/files/99-watchdog.conf b/recipes-core/customizations/files/99-watchdog.conf
new file mode 100644
index 0000000..c02756d
--- /dev/null
+++ b/recipes-core/customizations/files/99-watchdog.conf
@@ -0,0 +1,3 @@
+[Manager]
+RuntimeWatchdogSec=60s
+ShutdownWatchdogSec=60s
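Review bot: `RuntimeWatchdogSec=60s` and `ShutdownWatchdogSec=60s` are given without a rationale for the value. ShutdownWatchdogSec covers the reboot phase, so on a platform with a hardware watchdog a shutdown that takes longer than 60s ends in a forced reset, which is much tighter than systemd's 10min default. A comment in the file stating why 60s was chosen, and that it is required for SWUpdate's rollback handling, would let downstream layers judge whether to override it for slower targets.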
--
2.34.1
* [isar-cip-core][PATCH 16/19] linux-cip: Update cip-kernel-config
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (14 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 15/19] customizations: Enable systemd watchdog Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 17/19] start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset Jan Kiszka
` (3 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
This specifically brings iTCO support for QEMU which will be needed to
run SWUpdate full-featured.
---
recipes-kernel/linux/linux-cip-common.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 84515c2..238e5b0 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi
SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
-SRCREV_cip-kernel-config ?= "3f527304fdadd163e20b7a5a9cfabaca7506c716"
+SRCREV_cip-kernel-config ?= "0150b63d0e74d64cc0d5baa9b9440cc148abad8b"
S = "${WORKDIR}/linux-cip-v${PV}"
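Review bot: The new `SRCREV_cip-kernel-config` value `0150b63d0e74d64cc0d5baa9b9440cc148abad8b` is an opaque hash, and the commit message says only that it brings iTCO support without naming the cip-kernel-config change that does. Please reference that commit so the bump can be audited. The message of this patch also has no Signed-off-by line, unlike the rest of the series.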
--
2.34.1
* [isar-cip-core][PATCH 17/19] start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (15 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 16/19] linux-cip: Update cip-kernel-config Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 18/19] doc: Update README.swupdate Jan Kiszka
` (2 subsequent siblings)
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Allows full testing of the SWUpdate feature.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
start-qemu.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/start-qemu.sh b/start-qemu.sh
index c5cd9fa..fe08ebd 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -53,6 +53,7 @@ case "$1" in
-cpu qemu64 \
-smp 4 \
-machine q35,accel=kvm:tcg \
+ -global ICH9-LPC.noreboot=off \
-device virtio-net-pci,netdev=net"
if [ -n "${SECURE_BOOT}" ]; then
# set bootindex=0 to boot disk instead of EFI-shell
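Review bot: The added `-global ICH9-LPC.noreboot=off` carries no explanation in the script; its purpose, letting an iTCO watchdog timeout reset the guest, is stated only in the patch subject. A short comment next to the q35 option string would keep a later cleanup from removing it as a leftover.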
--
2.34.1
* [isar-cip-core][PATCH 18/19] doc: Update README.swupdate
2022-04-13 7:16 [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Jan Kiszka
` (16 preceding siblings ...)
2022-04-13 7:16 ` [isar-cip-core][PATCH 17/19] start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset Jan Kiszka
@ 2022-04-13 7:16 ` Jan Kiszka
2022-04-13 7:16 ` [isar-cip-core][PATCH 19/19] doc: README.secureboot polishing Jan Kiszka
2022-04-13 13:54 ` [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings Gylstorff Quirin
19 siblings, 0 replies; 21+ messages in thread
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
Reflect the changes on the non-secure SWUpdate procedure in the
documentation and streamline it a bit. Also switch to host-originated
scp to transfer the swu image to avoid the need for sshd on the host.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
doc/README.swupdate.md | 166 ++++++++++++++++++++++-------------------
1 file changed, 90 insertions(+), 76 deletions(-)
diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md
index 05768da..e28db24 100644
--- a/doc/README.swupdate.md
+++ b/doc/README.swupdate.md
@@ -1,31 +1,38 @@
+# SWUpdate support for the CIP core image
-Clone the isar-cip-core repository
+This document describes how to build and test the SWUpdate pre-integration for
+isar-cip-core, targeting a QEMU x86 virtual machine.
+
+Start with cloning the isar-cip-core repository:
```
host$ git clone https://gitlab.com/cip-project/cip-core/isar-cip-core.git
```
-Build the CIP Core image
+# Building and testing the CIP Core image
Set up `kas-container` as described in the [top-level README](../README.md).
-Then build the image:
+Then build the image which will later serve as update package:
```
host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
```
-- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
-- modify the image for example add a new version to the image by adding PV=2.0.0 to cip-core-image.bb
-- rebuild the image using above command and start the new target
+Save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` into a separate folder (ex: /tmp).
+
+Next, rebuild the image, switching to the RT kernel as modification:
```
-host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/rt.yml
```
-Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
+Now start the image which will contain the RT kernel:
+```
+host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
+```
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder into the running system:
```
-root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+host$ scp -P 22222 /tmp/cip-core-image-cip-core-buster-qemu-amd64.swu root@localhost:
```
Check which partition is booted, e.g. with lsblk:
-
```
root@demo:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
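Review bot: The added heading `# Building and testing the CIP Core image` sits at the same level as the new document title `# SWUpdate support for the CIP core image`, while the rollback section later in this patch is demoted to `##`; this one should be `##` as well. The text also tells the reader to save the file to `/tmp` but then to copy it "from `tmp` folder", so pick one spelling. Finally, `scp -P 22222 ... root@localhost:` silently depends on the 127.0.0.1:22222 forwarding that patch 01/19 adds to start-qemu.sh; one sentence saying so would spare readers who start QEMU differently.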
@@ -37,11 +44,22 @@ sda 8:0 0 2G 0 disk
└─sda5 8:5 0 1000M 0 part
```
-Apply swupdate and reboot
+Also check that you are running the RT kernel:
+```
+root@demo:~# uname -a
+Linux demo 4.19.233-cip69-rt24 #1 SMP PREEMPT RT Tue Apr 12 09:23:51 UTC 2022 x86_64 GNU/Linux
+root@demo:~# ls /lib/modules
+4.19.233-cip69-rt24
+root@demo:~# cat /sys/kernel/realtime
+1
+```
+
+Now apply swupdate and reboot
```
root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
root@demo:~# reboot
```
+
Check which partition is booted, e.g. with lsblk and the rootfs should have changed
```
root@demo:~# lsblk
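Review bot: The added lead-in `Now apply swupdate and reboot` has no trailing colon, unlike the other lead-ins this patch adds (for example `Also check that you are running the RT kernel:`). The sample output also pins `4.19.233-cip69-rt24`, which will go stale with the next kernel update; consider saying that the exact version is only an example and that the `-rt` suffix and `/sys/kernel/realtime` reading `1` are what to look for.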
@@ -54,150 +72,146 @@ sda 8:0 0 2G 0 disk
└─sda5 8:5 0 1000M 0 part /
```
+Check the active kernel:
+```
+root@demo:~# uname -a
+Linux demo 4.19.235-cip70 #1 SMP Tue Apr 12 09:08:39 UTC 2022 x86_64 GNU/Linux
+root@demo:~# ls /lib/modules
+4.19.235-cip70
+```
+
Check bootloader ustate after swupdate
```
root@demo:~# bg_printenv
+
----------------------------
-Config Partition #0 Values:
+ Config Partition #0 Values:
in_progress: no
revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT0:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 0 (OK)
user variables:
+
+
----------------------------
Config Partition #1 Values:
in_progress: no
revision: 3
-kernel: C:BOOT1:vmlinuz
-kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT1:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 2 (TESTING)
+
+user variables:
+
+
```
-if Partition #1 usate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK"
+If Partition #1 ustate is 2 (TESTING) then execute below command to confirm swupdate and the command will set ustate to "OK".
```
root@demo:~# bg_setenv -c
```
-# swupdate rollback example
+## SWUpdate rollback example
-Build the image for swupdate with service which causes kernel panic during system boot using below command.
+Build the image for swupdate with a service which causes kernel panic during system boot using below command:
```
host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/kernel-panic.yml
```
-- save the generated swu build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu in a separate folder (ex: tmp)
-- build the image again without `kernel-panic.yml` recipe using below command
+Save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` in a separate folder.
+Then build the image without `kernel-panic.yml` recipe using below command:
```
host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml
```
-Start the target on QEMU
+Start the target on QEMU:
```
host$ SWUPDATE_BOOT=y ./start-qemu.sh amd64
```
-Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder to the running system
-
+Copy `cip-core-image-cip-core-buster-qemu-amd64.swu` file from `tmp` folder into the running system:
```
-root@demo:~# scp <host-user>@10.0.2.2:<path-to-swu-file>/tmp/cip-core-image-cip-core-buster-qemu-amd64.swu .
+host$ scp -P 22222 /tmp/cip-core-image-cip-core-buster-qemu-amd64.swu root@localhost:
```
-Check which partition is booted, e.g. with lsblk:
-
+Apply swupdate as below:
```
-root@demo:~# lsblk
-NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
-sda 8:0 0 2G 0 disk
-├─sda1 8:1 0 16.4M 0 part
-├─sda2 8:2 0 32M 0 part
-├─sda3 8:3 0 32M 0 part
-├─sda4 8:4 0 1000M 0 part /
-└─sda5 8:5 0 1000M 0 part
+root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
```
-Check bootloader ustate before swupdate and should be as below
+Check bootloader ustate after swupdate. If the swupdate is successful then **revision number** should be **3** and status should be changed to **INSTALLED** for Partition #1.
```
root@demo:~# bg_printenv
+
----------------------------
-Config Partition #0 Values:
+ Config Partition #0 Values:
in_progress: no
revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT0:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 0 (OK)
user variables:
-----------------------------
-Config Partition #1 Values:
-in_progress: no
-revision: 1
-kernel: C:BOOT1:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
-watchdog timeout: 60 seconds
-ustate: 0 (OK)
-```
-Apply swupdate as below
-```
-root@demo:~# swupdate -i cip-core-image-cip-core-buster-qemu-amd64.swu
-```
-check bootloader ustate after swupdate. if the swupdate is successful then **revision number** should increase to **3** and status should be changed to **INSTALLED** for Partition #1.
-```
-root@demo:~# bg_printenv
-----------------------------
-Config Partition #0 Values:
-in_progress: no
-revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
-watchdog timeout: 60 seconds
-ustate: 0 (OK)
-user variables:
----------------------------
-Config Partition #1 Values:
+ Config Partition #1 Values:
in_progress: no
revision: 3
-kernel: C:BOOT1:vmlinuz
-kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-core-buster-qemu-amd64-initrd.img
+kernel: C:BOOT1:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 1 (INSTALLED)
+
+user variables:
+
+
```
-Execute reboot command
-- reboot command should cause kernel panic error.
-- watchdog timer should expire and restart the qemu. bootloader should select previous partition to boot.
+Execute the reboot command.
```
root@demo:~# reboot
```
-Once the system is restarted, check the bootloader ustate
-- if update is failed then **revision number** should reduce to **0** and status should change to **FAILED** for Partition #1.
+The new kernel should cause a kernel panic error.
+The watchdog timer should expire and restart the VM (it will take 2 minutes due to an issue in.
+The bootloader will then select the previous, working partition and boot from it.
+
+Once the system is restarted, check the bootloader ustate.
+If update is failed then **revision number** should be reduced to **0** and status should have changed to **FAILED** for Partition #1.
```
root@demo:~# bg_printenv
+
----------------------------
Config Partition #0 Values:
in_progress: no
revision: 2
-kernel: C:BOOT0:cip-core-image-cip-core-buster-qemu-amd64-vmlinuz
-kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000001 rw initrd=cip-core-image-cip-corg
+kernel: C:BOOT0:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 0 (OK)
user variables:
+
+
+
----------------------------
Config Partition #1 Values:
in_progress: no
revision: 0
-kernel: C:BOOT1:vmlinuz
-kernelargs: root=PARTUUID=fedcba98-7654-3210-cafe-5e0710000002 console=tty0 console=ttyS0,115200 rootwait earlyprintk rw initrd=cip-core-image-cip-corg
+kernel: C:BOOT1:linux.efi
+kernelargs: console=tty0 console=ttyS0,115200 rootwait earlyprintk
watchdog timeout: 60 seconds
ustate: 3 (FAILED)
+
+user variables:
+
+
```
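Review bot: The added line `The watchdog timer should expire and restart the VM (it will take 2 minutes due to an issue in.` is cut off: the parenthesis is never closed and the issue it refers to is not named. Please complete the sentence or drop the parenthetical, and say how the 2 minutes relate to the `watchdog timeout: 60 seconds` shown in the `bg_printenv` output. Smaller points in the same hunk: `If update is failed` should read `If the update failed`, and the new sample output appears to indent `Config Partition #0 Values:` with a leading space in some blocks but not in others.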
--
2.34.1
* [isar-cip-core][PATCH 19/19] doc: README.secureboot polishing
From: Jan Kiszka @ 2022-04-13 7:16 UTC (permalink / raw)
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
There has never been a uefikernel parameter for efibootguard-boot, so
drop this.
Furthermore, spell-out "EFI Boot Guard" and adjust some section levels
and titles.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
doc/README.secureboot.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 3c2d524..b2d7be9 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -1,11 +1,11 @@
-# Efibootguard Secure boot
+# EFI Boot Guard secure boot
This document describes how to generate a secure boot capable image with
[efibootguard](https://github.com/siemens/efibootguard).
## Description
-The image build signs the efibootguard bootloader (bootx64.efi) and generates
+The image build signs the EFI Boot Guard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
@@ -19,12 +19,12 @@ If a match is found the rootfs is used for the boot.
## Adaptation for Images
-### WIC
+### WIC
The following elements must be present in a wks file to create a secure boot capable image.
```
part --source efibootguard-efi --sourceparams "signwith=<script or executable to sign the image>"
-part --source efibootguard-boot --sourceparams "uefikernel=<name of the unified kernel>,signwith=<script or executable to sign the image>"
+part --source efibootguard-boot --sourceparams "signwith=<script or executable to sign the image>"
```
#### Script or executable to sign the image
@@ -43,7 +43,6 @@ executable or script with the following interface:
Supply the script name and path to wic by adding
`signwith=<path and name of the script to sign>"` to sourceparams of the partition.
-
### Existing packages to sign an image
#### ebg-secure-boot-snakeoil
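Review bot: The context line just above the removed blank line still has an unbalanced double quote inside the inline code: `signwith=<path and name of the script to sign>"`. Since this is a polishing patch, drop the trailing `"` so the parameter matches the `signwith=<script or executable to sign the image>` form used in the wks example.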
@@ -63,7 +62,7 @@ The following variable and steps are necessary to build a secure boot capable im
The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in `recipes-devtools/ebg-secure-boot-secrets/files/`
-## QEMU
+## Running in QEMU
Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
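Review bot: The context line above the renamed heading reads `must be store in`, which should be `must be stored in`, and "The files referred by" would read better as "The files referred to by". Worth folding into this patch, since it already touches the neighbouring lines for wording.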
@@ -138,7 +137,7 @@ scripts/start-efishell.sh secureboot-tools
### Build image
-Build the image with a signed efibootguard and unified kernel image
+Build the image with a signed EFI Boot Guard and unified kernel image
with the snakeoil keys by executing:
```
@@ -202,7 +201,8 @@ OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd \
OVMF_VARS=<path to the modified OVMF_VARS.fd> \
./start-qemu.sh amd64
```
-# Example: Update the image
+
+## Example: Update the image
For updating the image, the following steps are necessary:
- [Build the image with snakeoil keys](### Build image)
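Review bot: The list item directly below the re-levelled heading, `- [Build the image with snakeoil keys](### Build image)`, uses the heading text as its link target, which does not resolve as a Markdown anchor. It should point at the generated anchor instead, e.g. `(#build-image)` as rendered on GitLab, and this patch is a natural place to fix it.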
--
2.34.1
* Re: [isar-cip-core][PATCH 00/19] SWUpdate & EFI Boot Guard refactorings
From: Gylstorff Quirin @ 2022-04-13 13:54 UTC (permalink / raw)
To: Jan Kiszka, cip-dev; +Cc: Christian Storm
On 4/13/22 09:16, Jan Kiszka wrote:
> Several refactorings, simplifications and fixes of the SWUpdate and EFI
> Boot Guard integration. This primarily aims at the unification of both
> variants.
>
> For that, this switches to unified kernel images also in the non-secure
> mode. This allows to share configuration files between both as well.
>
> Furthermore, the device selection in sw-description is abstracted from
> the concrete medium, making it easier for downstream to place images on
> either internal or external media without adjusting device paths.
>
> Finally, the watchdog support in QEMU is fixed and enabled so that we
> can run update and failure sequences completely.
>
> Jan
I tested it once and it looks good to me.
Quirin
>
> Jan Kiszka (19):
> start-qemu.sh: Add ssh access to guest from localhost
> swupdate: Simplify secure-swupdate-img class
> swupdate: Drop no longer used SOURCE_IMAGE_FILE
> swupdate: Rename secure-swupdate-img class
> Drop initramfs-abrootfs-secureboot references
> Rename initramfs-abrootfs-secureboot to initramfs-abrootfs-hook
> swupdate: Switch to unified kernel image by default
> swupdate: Drop PN from TEMPLATE_VARS
> efibootguard: Avoid rename linux.efi when signing it
> Unify configuration of secure vs. non-secure SWUpdate
> cip-core-image: Do not include swupdate.inc unless it is used
> cip-core-image: Make image-uuid an image option
> swupdate: Add patch to fix EBG bootloader_env_get
> swupdate: Switch to bootenv_rrmap+kernelfile for device selection
> customizations: Enable systemd watchdog
> linux-cip: Update cip-kernel-config
> start-qemu.sh: Ensure that iTCO watchdog timeout triggers reset
> doc: Update README.swupdate
> doc: README.secureboot polishing
>
> ...img.bbclass => secure-wic-swu-img.bbclass} | 6 +-
> classes/wic-swu-img.bbclass | 2 -
> doc/README.secureboot.md | 16 +-
> doc/README.swupdate.md | 166 ++++++++++--------
> kas/opt/ebg-secure-boot-base.yml | 21 ---
> kas/opt/ebg-secure-boot-snakeoil.yml | 10 +-
> kas/opt/ebg-swu.yml | 7 +
> kas/opt/swupdate.yml | 3 +
> recipes-core/customizations/common.inc | 6 +-
> .../customizations/files/99-watchdog.conf | 3 +
> recipes-core/images/cip-core-image.bb | 6 +-
> .../files/secure-boot/sw-description.tmpl | 35 ----
> recipes-core/images/files/sw-description.tmpl | 20 +--
> recipes-core/images/image-uuid.inc | 12 ++
> recipes-core/images/read-only.inc | 1 -
> recipes-core/images/secureboot.inc | 21 ---
> recipes-core/images/swupdate.inc | 4 +-
> .../swupdate.handler.efibootguard.ini | 16 --
> .../files/swupdate.handler.efibootguard.ini | 20 +--
> ...onfig-Make-image-encryption-optional.patch | 8 +-
> .../0002-debian-rules-Add-CONFIG_MTD.patch | 6 +-
> ...es-Add-option-to-disable-fs-creation.patch | 8 +-
> ...ules-Add-option-to-disable-webserver.patch | 8 +-
> ...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 8 +-
> ...ules-Add-Embedded-Lua-handler-option.patch | 6 +-
> ...-SWUpdate-USB-service-and-Udev-rules.patch | 10 +-
> ...option-to-disable-CONFIG_HASH_VERIFY.patch | 6 +-
> ...ch-to-fix-bootloader_env_get-for-EBG.patch | 66 +++++++
> ...repare-build-for-isar-debian-buster.patch} | 10 +-
> .../swupdate/swupdate_2021.11-1+debian-gbp.bb | 5 +-
> .../files/debian-local-patch | 0
> .../files/initramfs.image_uuid.hook | 0
> .../files/initramfs.lsblk.hook | 0
> .../initramfs-abrootfs-hook}/files/postinst | 2 +-
> .../initramfs-abrootfs-hook_0.1.bb | 8 +-
> recipes-kernel/linux/linux-cip-common.inc | 2 +-
> .../wic/plugins/source/efibootguard-boot.py | 30 ++--
> start-qemu.sh | 3 +-
> wic/ebg-sysparts.inc | 4 +-
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 4 +-
> 40 files changed, 277 insertions(+), 292 deletions(-)
> rename classes/{secure-swupdate-img.bbclass => secure-wic-swu-img.bbclass} (82%)
> delete mode 100644 kas/opt/ebg-secure-boot-base.yml
> create mode 100644 recipes-core/customizations/files/99-watchdog.conf
> delete mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
> create mode 100644 recipes-core/images/image-uuid.inc
> delete mode 100644 recipes-core/images/secureboot.inc
> delete mode 100644 recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
> create mode 100644 recipes-core/swupdate/files/0009-debian-Add-patch-to-fix-bootloader_env_get-for-EBG.patch
> rename recipes-core/swupdate/files/{0009-debian-prepare-build-for-isar-debian-buster.patch => 0010-debian-prepare-build-for-isar-debian-buster.patch} (92%)
> rename recipes-support/initramfs-config/files/secure-boot-debian-local-patch => recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch (100%)
> rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.image_uuid.hook (100%)
> rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/initramfs.lsblk.hook (100%)
> rename {recipes-support/initramfs-config => recipes-initramfs/initramfs-abrootfs-hook}/files/postinst (73%)
> rename recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb => recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb (74%)
>