From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 0/6] Fix read-only rootfs setup /wrt etc overlay - and more
Date: Fri, 22 Apr 2022 09:47:32 +0200
Message-ID: <cover.1650613658.git.jan.kiszka@siemens.com>
Changes in v2:
- panic on /var mounting failure during overlay setup
- panic-reboot on initramfs failures in secure mode
- /root persistence
- faster rootfs selection under dm-verity
This addresses the problem of current read-only rootfs + /etc overlay as
used for the SWUpdate setups.
Due to ordering issues in systemd startup between machine-id handling
vs. making /etc writable via the overlay, various things are broken down
the line, e.g. journal reporting. Reading [1], it appeared to be best to
move the overlay mounting into the initramfs. And this implementation
proves this to be right: simpler and working smoothly.
As a by-product, this also unifies the initramfs-abrootfs-hook, and
makes it simpler as well.
Furthermore, this plugs a hole in the secure boot process if the
initramfs fails (we got a shell then), makes /root persistent and
optimizes the rootfs selection via dm-verity.
Jan
[1] https://www.spinics.net/lists/systemd-devel/msg05670.html
Jan Kiszka (6):
wic: Align kernel command line of qemu-amd64-efibootguard*
initramfs-abrootfs-hook: Convert to an initramfs-class recipe
Convert /etc overlay from systemd mount unit to initramfs hook
customizations: Relocate /root under /home
initramfs-verify-hook: Optimize probing of partitions
secureboot: Prevent getting shell on panic
classes/image_uuid.bbclass | 6 +--
classes/secure-wic-swu-img.bbclass | 4 --
classes/wic-swu-img.bbclass | 6 ++-
kas/opt/ebg-secure-boot-snakeoil.yml | 1 +
kas/opt/ebg-swu.yml | 2 +-
recipes-core/customizations/files/postinst | 4 ++
.../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 -------------
.../etc-overlay-fs/files/etc-hostname.service | 14 ------
.../files/etc-sshd-regen-keys.conf | 6 ---
.../etc-overlay-fs/files/etc-sysusers.conf | 4 --
recipes-core/etc-overlay-fs/files/etc.mount | 13 ------
recipes-core/etc-overlay-fs/files/postinst | 4 --
.../cip-core-initramfs/cip-core-initramfs.bb | 2 +-
.../{initramfs.lsblk.hook => abrootfs.hook} | 11 ++---
.../files/abrootfs.script} | 46 +++++++++----------
.../files/initramfs.image_uuid.hook | 33 -------------
.../initramfs-abrootfs-hook/files/postinst | 6 ---
.../initramfs-abrootfs-hook_0.1.bb | 41 ++++++++++-------
.../files/etc-overlay.script | 34 ++++++++++++++
.../initramfs-etc-overlay-hook_0.1.bb | 27 +++++++++++
.../files/verity.script.tmpl | 18 ++++++--
wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
22 files changed, 138 insertions(+), 178 deletions(-)
delete mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb
delete mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service
delete mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf
delete mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf
delete mode 100644 recipes-core/etc-overlay-fs/files/etc.mount
delete mode 100755 recipes-core/etc-overlay-fs/files/postinst
rename recipes-initramfs/initramfs-abrootfs-hook/files/{initramfs.lsblk.hook => abrootfs.hook} (62%)
copy recipes-initramfs/{initramfs-verity-hook/files/verity.script.tmpl => initramfs-abrootfs-hook/files/abrootfs.script} (53%)
delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/initramfs.image_uuid.hook
delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/postinst
create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb
--
2.34.1
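One way to realise the initramfs-side /etc overlay and the fail-hard behaviour the cover letter describes, written here as an added example and not isar-cip-core's own etc-overlay.script: an initramfs-tools style script that mounts a persistent /var partition (assumed to carry the filesystem label `var`, with the overlay state kept under `/var/local`; both are my assumptions, as is the ext4 type) and layers an overlayfs over the read-only `/etc`, calling `panic` rather than continuing with a half-configured system when any step fails.

```shell
#!/bin/sh
# Added example, not the isar-cip-core hook: mount persistent /var and make
# /etc writable through an overlayfs before control is handed to systemd, so
# machine-id handling and the journal never see a read-only /etc.
# Assumptions (constructed): rootfs is already mounted read-only at $rootmnt,
# the persistent partition is labelled "var" and is ext4, and overlay
# upper/work directories live below /var/local on that partition.

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "${1:-}" in
    prereqs) prereqs; exit 0 ;;
esac

# initramfs-tools supplies panic and log_* in /scripts/functions; provide a
# minimal panic so the functions above can also be exercised outside an initramfs.
if [ -r /scripts/functions ]; then
    . /scripts/functions
else
    panic() { echo "panic: $*" >&2; exit 1; }
fi

# Option string for an overlay over $1/etc whose state lives under $2.
overlay_opts() {
    printf 'lowerdir=%s/etc,upperdir=%s/etc/upper,workdir=%s/etc/work\n' "$1" "$2" "$2"
}

# Mount /var, create the overlay state, and mount the overlay; every failure is
# deliberately fatal so the system never boots with a broken /etc.
setup_etc_overlay() {
    root="$1"
    state="${root}/var/local"
    var_dev="$(blkid -L var 2>/dev/null)" || var_dev=""
    [ -n "$var_dev" ] || panic "no partition labelled 'var' found"
    mount -t ext4 -o noatime "$var_dev" "${root}/var" \
        || panic "mounting persistent /var failed"
    mkdir -p "${state}/etc/upper" "${state}/etc/work" \
        || panic "creating overlay state directories on /var failed"
    mount -t overlay overlay -o "$(overlay_opts "$root" "$state")" "${root}/etc" \
        || panic "mounting /etc overlay failed"
}

# /init in initramfs-tools exports rootmnt (normally /root); only act when
# running there, so sourcing the file elsewhere just defines the functions.
if [ -n "${rootmnt:-}" ]; then
    setup_etc_overlay "$rootmnt"
fi
```

With initramfs-tools, `panic` drops to a shell only when the kernel command line carries no `panic=<seconds>` argument; with it set, the initramfs waits that long and reboots instead, which is the behaviour wanted for a secure-boot chain.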