* [isar-cip-core][PATCH 0/5] Read-only rootfs for non-secure swupdate / cleanups / fixes
@ 2022-04-19 16:06 Jan Kiszka
From: Jan Kiszka @ 2022-04-19 16:06 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
Unifies secure and non-secure swupdate variants further by using a
read-only rootfs in both cases. See patches for more details.
Applies on top of "SWUpdate & EFI Boot Guard refactorings".
Jan
Jan Kiszka (5):
squashfs-img: Cosmetic cleanups
verity-img: Inherit the source image type class directly
swupdate: Make rootfs read-only also in non-secure setup
Restrict OVMF to qemu-amd64 machine
wic: Drop redundant / misleading --ondisk sda parameters
classes/secure-wic-swu-img.bbclass | 9 +-----
classes/squashfs-img.bbclass | 12 ++++----
classes/verity-img.bbclass | 10 +++++--
classes/wic-swu-img.bbclass | 23 ++++++++++++++
kas/opt/ebg-secure-boot-snakeoil.yml | 7 ++---
kas/opt/efibootguard.yml | 12 ++++----
kas/opt/swupdate.yml | 2 +-
recipes-core/images/read-only.inc | 30 -------------------
wic/ebg-signed-bootloader.inc | 2 +-
wic/ebg-sysparts.inc | 6 ++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 12 ++++----
wic/qemu-amd64-efibootguard.wks | 6 ----
wic/qemu-amd64-efibootguard.wks.in | 1 +
wic/simatic-ipc227e-efibootguard.wks | 7 -----
wic/simatic-ipc227e-efibootguard.wks.in | 1 +
wic/simatic-ipc227e.wks | 4 +--
wic/swupdate-partition.inc | 2 --
wic/x86-efibootguard.wks.in | 13 ++++++++
18 files changed, 74 insertions(+), 85 deletions(-)
delete mode 100644 recipes-core/images/read-only.inc
delete mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 120000 wic/qemu-amd64-efibootguard.wks.in
delete mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 120000 wic/simatic-ipc227e-efibootguard.wks.in
delete mode 100644 wic/swupdate-partition.inc
create mode 100644 wic/x86-efibootguard.wks.in
--
2.34.1
* [isar-cip-core][PATCH 1/5] squashfs-img: Cosmetic cleanups
From: Jan Kiszka @ 2022-04-19 16:06 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
SQUASHFS_EXCLUDE_DIRS is given a default value in this class, so the
'or ""' is redundant. Furthermore, remove the unneeded space from the
SQUASHFS_CREATION_ARGS default assignment as well as the misleading comment
in front of its anonymous constructor function.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
classes/squashfs-img.bbclass | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass
index 0fcfca5..04bb67c 100644
--- a/classes/squashfs-img.bbclass
+++ b/classes/squashfs-img.bbclass
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2021
+# Copyright (c) Siemens AG, 2021-2022
#
# Authors:
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -15,14 +15,14 @@ IMAGER_INSTALL += "squashfs-tools"
SQUASHFS_EXCLUDE_DIRS ?= ""
SQUASHFS_CONTENT ?= "${PP_ROOTFS}"
-SQUASHFS_CREATION_ARGS ?= " "
-# Generate squashfs filesystem image
+SQUASHFS_CREATION_ARGS ?= ""
+
python __anonymous() {
- exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split()
+ exclude_directories = d.getVar('SQUASHFS_EXCLUDE_DIRS').split()
if len(exclude_directories) == 0:
return
- # use wildcard to exclude only content of the the directory
- # this allows to use the directory as a mount point
+ # Use wildcard to exclude only content of the directory.
+ # This allows to use the directory as a mount point.
args = " -wildcards"
for dir in exclude_directories:
args += " -e {dir}/* ".format(dir=dir)
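Review bot: Two further cosmetic points in this hunk, since it is a cleanup patch anyway: the format string `" -e {dir}/* "` carries a trailing space, so every iteration leaves a double space in the resulting mksquashfs argument list, and the loop variable `dir` shadows the Python builtin of the same name. Dropping the trailing space (`" -e {dir}/*"`) and renaming the loop variable (e.g. `excl`) would tidy both without changing behaviour.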
--
2.34.1
* [isar-cip-core][PATCH 2/5] verity-img: Inherit the source image type class directly
From: Jan Kiszka @ 2022-04-19 16:06 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
VERITY_IMAGE_TYPE defines where the verity-img class takes its input
from. Ensure that this class is present and hook it up directly in
verity-img. Makes the usage of this class more convenient.
Consequently, code can be dropped from the secure-wic-swu-img class.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
classes/secure-wic-swu-img.bbclass | 9 +--------
classes/verity-img.bbclass | 10 +++++++---
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass
index c2b2402..85342fe 100644
--- a/classes/secure-wic-swu-img.bbclass
+++ b/classes/secure-wic-swu-img.bbclass
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2021
+# Copyright (c) Siemens AG, 2021-2022
#
# Authors:
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
@@ -9,12 +9,6 @@
# SPDX-License-Identifier: MIT
#
-SECURE_IMAGE_FSTYPE ?= "squashfs"
-
-inherit ${SECURE_IMAGE_FSTYPE}-img
-
-VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}"
-
INITRAMFS_RECIPE ?= "cip-core-initramfs"
do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build"
INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
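Review bot: This hunk removes SECURE_IMAGE_FSTYPE without any note that VERITY_IMAGE_TYPE is now the knob to use instead; any configuration that still sets `SECURE_IMAGE_FSTYPE` (kas/opt/ebg-secure-boot-snakeoil.yml does so until patch 3 of this series) keeps assigning a dead variable without a parse error. Please state the replacement variable in the commit message so downstream layers know what to rename, and consider squashing the snakeoil.yml change into this patch so the series has no intermediate state with a stale setting.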
@@ -22,5 +16,4 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
inherit verity-img
inherit wic-swu-img
-addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image
addtask do_wic_image after do_verity_image
diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass
index 3c94643..b7d7f08 100644
--- a/classes/verity-img.bbclass
+++ b/classes/verity-img.bbclass
@@ -1,22 +1,26 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2021
+# Copyright (c) Siemens AG, 2021-2022
#
# Authors:
# Quirin Gylstorff <quirin.gylstorff@siemens.com>
#
# SPDX-License-Identifier: MIT
#
-IMAGER_INSTALL += "cryptsetup"
VERITY_IMAGE_TYPE ?= "squashfs"
+
+inherit ${VERITY_IMAGE_TYPE}-img
+
VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img"
VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img"
VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata"
VERITY_HASH_BLOCK_SIZE ?= "1024"
VERITY_DATA_BLOCK_SIZE ?= "1024"
+IMAGER_INSTALL += "cryptsetup"
+
create_verity_env_file() {
local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
@@ -70,4 +74,4 @@ python do_verity_image() {
bb.build.exec_func('verity_setup', d)
bb.build.exec_func('create_verity_env_file', d)
}
-addtask verity_image before do_image after do_image_tools
+addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image
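Review bot: `inherit ${VERITY_IMAGE_TYPE}-img` in the earlier hunk of this file is expanded at parse time, so VERITY_IMAGE_TYPE only takes effect if it is assigned before the image recipe inherits verity-img (a later assignment still changes VERITY_INPUT_IMAGE and this `addtask ... after do_${VERITY_IMAGE_TYPE}_image` line, but not the inherited class, leaving the two out of sync). A one-line comment above the `inherit` stating that ordering constraint would save users a confusing failure. The relocation of `IMAGER_INSTALL += "cryptsetup"` is a pure move and could be mentioned in the message for completeness.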
--
2.34.1
* [isar-cip-core][PATCH 3/5] swupdate: Make rootfs read-only also in non-secure setup
From: Jan Kiszka @ 2022-04-19 16:06 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
This is more logical because the rootfs is going to be overwritten
completely on updates. Everything that is supposed to stay should go
into the overlays.
Along with this, wic-swu-img.bbclass is aligned to its big brother
secure-wic-swu-img.bbclass pulling the image include read-only.inc in.
To reduce the (already existing) duplication between
qemu-amd64-efibootguard.wks.in and simatic-ipc227e-efibootguard.wks.in,
replace both by a link to a common wks file.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
classes/wic-swu-img.bbclass | 23 +++++++++++++++++++
kas/opt/ebg-secure-boot-snakeoil.yml | 7 +++---
kas/opt/efibootguard.yml | 2 +-
kas/opt/swupdate.yml | 2 +-
recipes-core/images/read-only.inc | 30 -------------------------
wic/qemu-amd64-efibootguard.wks | 6 -----
wic/qemu-amd64-efibootguard.wks.in | 1 +
wic/simatic-ipc227e-efibootguard.wks | 7 ------
wic/simatic-ipc227e-efibootguard.wks.in | 1 +
wic/swupdate-partition.inc | 2 --
wic/x86-efibootguard.wks.in | 13 +++++++++++
11 files changed, 43 insertions(+), 51 deletions(-)
delete mode 100644 recipes-core/images/read-only.inc
delete mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 120000 wic/qemu-amd64-efibootguard.wks.in
delete mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 120000 wic/simatic-ipc227e-efibootguard.wks.in
delete mode 100644 wic/swupdate-partition.inc
create mode 100644 wic/x86-efibootguard.wks.in
diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
index f03befa..231b249 100644
--- a/classes/wic-swu-img.bbclass
+++ b/classes/wic-swu-img.bbclass
@@ -9,7 +9,30 @@
# SPDX-License-Identifier: MIT
#
+SQUASHFS_EXCLUDE_DIRS += "home var"
+
+inherit squashfs-img
inherit wic-img
inherit swupdate-img
+IMAGE_INSTALL += "etc-overlay-fs"
+IMAGE_INSTALL += "home-fs"
+IMAGE_INSTALL += "tmp-fs"
+
+image_configure_fstab() {
+ sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
+# Begin /etc/fstab
+/dev/root / auto defaults,ro 0 0
+LABEL=var /var auto defaults 0 0
+proc /proc proc nosuid,noexec,nodev 0 0
+sysfs /sys sysfs nosuid,noexec,nodev 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
+devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
+# End /etc/fstab
+EOF
+}
+
+addtask do_wic_image after do_squashfs_image
+
addtask do_swupdate_image after do_wic_image
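Review bot: In the fstab written by `image_configure_fstab`, `/var` is mounted with plain `defaults` while the other writable mounts (`/run`, `/dev`, `/proc`, `/sys`) carry `nosuid` and `nodev`. On a read-only rootfs, `/var` becomes the main persistent writable area that survives an A/B update, so consider `defaults,nosuid,nodev` for the `LABEL=var` line (not `noexec`, which would interfere with package tooling under /var/lib). The content is otherwise a verbatim move from the deleted read-only.inc. Also note that secure-wic-swu-img now reaches squashfs-img twice (via verity-img and via this class); BitBake tolerates a repeated inherit, so this is informational only.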
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index be58b15..14a5d6a 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -15,15 +15,14 @@ header:
- kas/opt/efibootguard.yml
local_conf_header:
- image-options-swupdate-ro: |
- CIP_IMAGE_OPTIONS_append = " swupdate.inc read-only.inc"
+ image-options-swupdate: |
+ CIP_IMAGE_OPTIONS_append = " swupdate.inc"
swupdate: |
IMAGE_INSTALL_append = " swupdate"
IMAGE_INSTALL_append = " swupdate-handler-roundrobin"
- verity-img: |
- SECURE_IMAGE_FSTYPE = "squashfs"
+ secure-boot-image: |
IMAGE_FSTYPES = "secure-wic-swu-img"
WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index 0502b9c..ce89756 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -25,7 +25,7 @@ local_conf_header:
WDOG_TIMEOUT ?= "60"
WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
IMAGE_FSTYPES ?= "wic-img"
- WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-efibootguard.wks.in"
ovmf-binaries: |
# Add ovmf binaries for qemu
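Review bot: With `WKS_FILE ?= "${MACHINE}-efibootguard.wks.in"` now resolving to the new x86-efibootguard.wks.in, the image requires `${IMAGE_FULLNAME}.squashfs.img`, which only exists when squashfs-img is inherited (i.e. with wic-swu-img or secure-wic-swu-img). The `IMAGE_FSTYPES ?= "wic-img"` default two lines above therefore no longer works on its own with this WKS_FILE; please state in the commit message that kas/opt/efibootguard.yml is only meaningful together with kas/opt/swupdate.yml, or move the WKS_FILE default into swupdate.yml where the `.wks.in` default is set as well.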
diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml
index 1b2aff4..31cd0d1 100644
--- a/kas/opt/swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -24,4 +24,4 @@ local_conf_header:
wic-swu: |
IMAGE_FSTYPES = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in"
diff --git a/recipes-core/images/read-only.inc b/recipes-core/images/read-only.inc
deleted file mode 100644
index c031e39..0000000
--- a/recipes-core/images/read-only.inc
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2021
-#
-# Authors:
-# Quirin Gylstorff <Quriin.Gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-SQUASHFS_EXCLUDE_DIRS += "home var"
-
-IMAGE_INSTALL += "etc-overlay-fs"
-IMAGE_INSTALL += "home-fs"
-IMAGE_INSTALL += "tmp-fs"
-
-image_configure_fstab() {
- sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF
-# Begin /etc/fstab
-/dev/root / auto defaults,ro 0 0
-LABEL=var /var auto defaults 0 0
-proc /proc proc nosuid,noexec,nodev 0 0
-sysfs /sys sysfs nosuid,noexec,nodev 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0
-devtmpfs /dev devtmpfs mode=0755,nosuid 0 0
-# End /etc/fstab
-EOF
-}
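Review bot: Deleting recipes-core/images/read-only.inc removes an include that downstream layers may still list in CIP_IMAGE_OPTIONS (as kas/opt/ebg-secure-boot-snakeoil.yml did before this patch), and a missing include file is a parse error, not a silent no-op. The commit message should mention that the read-only configuration is now provided implicitly by wic-swu-img and that `read-only.inc` must be dropped from existing configurations.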
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
deleted file mode 100644
index 6653068..0000000
--- a/wic/qemu-amd64-efibootguard.wks
+++ /dev/null
@@ -1,6 +0,0 @@
-# short-description: Qemu-amd64 with Efibootguard and SWUpdate
-# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
-include ebg-sysparts.inc
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
diff --git a/wic/qemu-amd64-efibootguard.wks.in b/wic/qemu-amd64-efibootguard.wks.in
new file mode 120000
index 0000000..b3a73fa
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard.wks.in
@@ -0,0 +1 @@
+x86-efibootguard.wks.in
\ No newline at end of file
diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks
deleted file mode 100644
index f6191bc..0000000
--- a/wic/simatic-ipc227e-efibootguard.wks
+++ /dev/null
@@ -1,7 +0,0 @@
-# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate
-# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate
-
-include ebg-sysparts.inc
-include swupdate-partition.inc
-
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
diff --git a/wic/simatic-ipc227e-efibootguard.wks.in b/wic/simatic-ipc227e-efibootguard.wks.in
new file mode 120000
index 0000000..b3a73fa
--- /dev/null
+++ b/wic/simatic-ipc227e-efibootguard.wks.in
@@ -0,0 +1 @@
+x86-efibootguard.wks.in
\ No newline at end of file
diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc
deleted file mode 100644
index 6912542..0000000
--- a/wic/swupdate-partition.inc
+++ /dev/null
@@ -1,2 +0,0 @@
-part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4 --mkfs-extraopts "-T default"
-part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4 --mkfs-extraopts "-T default"
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
new file mode 100644
index 0000000..f60ebcf
--- /dev/null
+++ b/wic/x86-efibootguard.wks.in
@@ -0,0 +1,13 @@
+# short-description: x86 with EFI Boot Guard and SWUpdate
+# long-description: Disk image for x86 machines with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
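Review bot: The two rawcopy slots hardcode `file=${IMAGE_FULLNAME}.squashfs.img`, whereas the secure-boot variant (qemu-amd64-efibootguard-secureboot.wks.in) derives the file name from `${VERITY_IMAGE_TYPE}`. Since wic-swu-img now also inherits squashfs-img unconditionally this is consistent today, but a single variable for the rootfs image type would keep the two templates from drifting apart. The `--append` line here omits `rw`, which is correct for a squashfs root; see the note on the secure-boot template in patch 5, which still passes `rw`.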
--
2.34.1
* [isar-cip-core][PATCH 4/5] Restrict OVMF to qemu-amd64 machine
From: Jan Kiszka @ 2022-04-19 16:06 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
No need to run this for non-qemu and non-x86. And, yes, overrides can
stack.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/efibootguard.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index ce89756..2d84427 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -29,8 +29,8 @@ local_conf_header:
ovmf-binaries: |
# Add ovmf binaries for qemu
- IMAGER_BUILD_DEPS += "ovmf-binaries"
- # not needed Debian 11 and later
- OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
- DISTRO_APT_SOURCES_append_buster = " conf/distro/debian-buster-backports.list"
- DISTRO_APT_PREFERENCES_append_buster = " conf/distro/preferences.ovmf-snakeoil.conf"
+ IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries"
+ # not needed for Debian 11 and later
+ OVERRIDES_append_qemu-amd64 = ":${BASE_DISTRO_CODENAME}"
+ DISTRO_APT_SOURCES_append_qemu-amd64_buster = " conf/distro/debian-buster-backports.list"
+ DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf"
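Review bot: `IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries"` mixes the `_append` override with `+=`; it works (the `+=` adds a leading space to the value of the `_append` variable), but the conventional and clearer form is `IMAGER_BUILD_DEPS_append_qemu-amd64 = " ovmf-binaries"`, matching the explicit leading space used in the other `_append` lines of this hunk. The stacked `_qemu-amd64_buster` overrides rely on `:${BASE_DISTRO_CODENAME}` being added to OVERRIDES, which the line above now only does for qemu-amd64, so the two are consistent.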
--
2.34.1
* [isar-cip-core][PATCH 5/5] wic: Drop redundant / misleading --ondisk sda parameters
From: Jan Kiszka @ 2022-04-19 16:06 UTC
To: cip-dev; +Cc: Quirin Gylstorff, Christian Storm
From: Jan Kiszka <jan.kiszka@siemens.com>
First, sda is the default anyway. But, more importantly, we do not need
this parameter in these cases as we either mount by label/uuid or do not
mount at all (EBG partitions).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
wic/ebg-signed-bootloader.inc | 2 +-
wic/ebg-sysparts.inc | 6 +++---
wic/qemu-amd64-efibootguard-secureboot.wks.in | 12 ++++++------
wic/simatic-ipc227e.wks | 4 ++--
4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc
index 667e014..62ebca9 100644
--- a/wic/ebg-signed-bootloader.inc
+++ b/wic/ebg-signed-bootloader.inc
@@ -1,2 +1,2 @@
# EFI partition containing efibootguard bootloader binary
-part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-efi --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
index 18c879a..9b2c879 100644
--- a/wic/ebg-sysparts.inc
+++ b/wic/ebg-sysparts.inc
@@ -1,8 +1,8 @@
# default partition layout EFI Boot Guard usage
# EFI partition containing efibootguard bootloader binary
-part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
+part --source efibootguard-efi --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1"
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2"
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index c47257b..54f7143 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -2,14 +2,14 @@
include ebg-signed-bootloader.inc
# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
-part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
# home and var are extra partitions
-part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G
-part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G
bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk"
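Review bot: The unchanged `--append` line at the end of this hunk still passes `rw` for a rootfs that is a dm-verity-protected squashfs image and is mounted `ro` via fstab, while the non-secure x86-efibootguard.wks.in introduced in patch 3 passes no `rw`. Dropping `rw` here would make the two templates consistent and avoid suggesting that the verity rootfs is writable; it is a separate cleanup, so a follow-up patch is fine.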
diff --git a/wic/simatic-ipc227e.wks b/wic/simatic-ipc227e.wks
index d0081f7..9044e0f 100644
--- a/wic/simatic-ipc227e.wks
+++ b/wic/simatic-ipc227e.wks
@@ -6,8 +6,8 @@
# SPDX-License-Identifier: MIT
#
-part /boot --source bootimg-efi-isar --sourceparams "loader=grub-efi" --ondisk sda --label efi --part-type EF00 --align 1024
+part /boot --source bootimg-efi-isar --sourceparams "loader=grub-efi" --label efi --part-type EF00 --align 1024
-part / --source rootfs --ondisk sda --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
+part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"
--
2.34.1