| Message ID | 20210201162425.31726-3-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | Secureboot fixes | expand |
On 01.02.21 17:24, Q. Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > /etc/os-release is controlled by the Debian Package base-files > and will be silently overwritten if the package updates the file. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > classes/image_uuid.bbclass | 4 +--- > .../initramfs-config/files/initramfs.image_uuid.hook | 6 +++--- > .../initramfs-config/files/secure-boot-debian-local-patch | 4 ++-- > 3 files changed, 6 insertions(+), 8 deletions(-) > > diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass > index 2813ed9..a0ab202 100644 > --- a/classes/image_uuid.bbclass > +++ b/classes/image_uuid.bbclass > @@ -22,9 +22,7 @@ IMAGE_UUID ?= "${@generate_image_uuid(d)}" > do_generate_image_uuid[vardeps] += "IMAGE_UUID" > do_generate_image_uuid[depends] = "buildchroot-target:do_build" > do_generate_image_uuid() { > - sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' > - echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ > - sudo tee -a '${IMAGE_ROOTFS}/etc/os-release' > + sudo sh -c 'echo "IMAGE_UUID=\"${IMAGE_UUID}\"" > "${IMAGE_ROOTFS}/etc/secureboot-image-uuid"' > image_do_mounts > > # update initramfs to add uuid > diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook > index 910ce84..bf39abb 100644 > --- a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook > +++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook > @@ -22,12 +22,12 @@ esac > . /usr/share/initramfs-tools/scripts/functions > . /usr/share/initramfs-tools/hook-functions > > -if [ ! -e /etc/os-release ]; then > - echo "Warning: couldn't find /etc/os-release!" > +if [ ! -e /etc/secureboot-image-uuid ]; then > + echo "Warning: couldn't find /etc/secureboot-image-uuid!" > exit 0 > fi > > -IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release) > +IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/secureboot-image-uuid) > echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid" > > exit 0 > \ No newline at end of file > diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch > index cd2d271..82d325a 100644 > --- a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch > +++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch > @@ -58,8 +58,8 @@ > + # Mount root > + # shellcheck disable=SC2086 > + if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then > -+ if [ -e "${rootmnt?}"/etc/os-release ]; then > -+ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' ) > ++ if [ -e "${rootmnt?}"/etc/secureboot-image-uuid ]; then > ++ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/secureboot-image-uuid | tr -d '"' ) > + if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then > + return 0 > + fi > This one would work, though, if we fixed https://groups.google.com/d/msgid/isar-users/67e1fac9-5af5-29aa-de57-9a0de0cdd165%40siemens.com in Isar, right? Should we rather wait for that? Applied patch 1 for now. Jan
On 2/1/21 5:47 PM, Jan Kiszka wrote: > On 01.02.21 17:24, Q. Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> /etc/os-release is controlled by the Debian Package base-files >> and will be silently overwritten if the package updates the file. >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> classes/image_uuid.bbclass | 4 +--- >> .../initramfs-config/files/initramfs.image_uuid.hook | 6 +++--- >> .../initramfs-config/files/secure-boot-debian-local-patch | 4 ++-- >> 3 files changed, 6 insertions(+), 8 deletions(-) >> >> diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass >> index 2813ed9..a0ab202 100644 >> --- a/classes/image_uuid.bbclass >> +++ b/classes/image_uuid.bbclass >> @@ -22,9 +22,7 @@ IMAGE_UUID ?= "${@generate_image_uuid(d)}" >> do_generate_image_uuid[vardeps] += "IMAGE_UUID" >> do_generate_image_uuid[depends] = "buildchroot-target:do_build" >> do_generate_image_uuid() { >> - sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' >> - echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ >> - sudo tee -a '${IMAGE_ROOTFS}/etc/os-release' >> + sudo sh -c 'echo "IMAGE_UUID=\"${IMAGE_UUID}\"" > "${IMAGE_ROOTFS}/etc/secureboot-image-uuid"' >> image_do_mounts >> >> # update initramfs to add uuid >> diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook >> index 910ce84..bf39abb 100644 >> --- a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook >> +++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook >> @@ -22,12 +22,12 @@ esac >> . /usr/share/initramfs-tools/scripts/functions >> . /usr/share/initramfs-tools/hook-functions >> >> -if [ ! -e /etc/os-release ]; then >> - echo "Warning: couldn't find /etc/os-release!" >> +if [ ! -e /etc/secureboot-image-uuid ]; then >> + echo "Warning: couldn't find /etc/secureboot-image-uuid!" >> exit 0 >> fi >> >> -IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release) >> +IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/secureboot-image-uuid) >> echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid" >> >> exit 0 >> \ No newline at end of file >> diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch >> index cd2d271..82d325a 100644 >> --- a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch >> +++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch >> @@ -58,8 +58,8 @@ >> + # Mount root >> + # shellcheck disable=SC2086 >> + if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then >> -+ if [ -e "${rootmnt?}"/etc/os-release ]; then >> -+ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' ) >> ++ if [ -e "${rootmnt?}"/etc/secureboot-image-uuid ]; then >> ++ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/secureboot-image-uuid | tr -d '"' ) >> + if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then >> + return 0 >> + fi >> > > This one would work, though, if we fixed > https://groups.google.com/d/msgid/isar-users/67e1fac9-5af5-29aa-de57-9a0de0cdd165%40siemens.com > in Isar, right? Should we rather wait for that? At the moment I would say yes, wait for it. Quirin > > Applied patch 1 for now. > > Jan > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6160): https://lists.cip-project.org/g/cip-dev/message/6160 Mute This Topic: https://lists.cip-project.org/mt/80289768/4520388 Group Owner: cip-dev+owner@lists.cip-project.org Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org] -=-=-=-=-=-=-=-=-=-=-=-
diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass index 2813ed9..a0ab202 100644 --- a/classes/image_uuid.bbclass +++ b/classes/image_uuid.bbclass @@ -22,9 +22,7 @@ IMAGE_UUID ?= "${@generate_image_uuid(d)}" do_generate_image_uuid[vardeps] += "IMAGE_UUID" do_generate_image_uuid[depends] = "buildchroot-target:do_build" do_generate_image_uuid() { - sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' - echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ - sudo tee -a '${IMAGE_ROOTFS}/etc/os-release' + sudo sh -c 'echo "IMAGE_UUID=\"${IMAGE_UUID}\"" > "${IMAGE_ROOTFS}/etc/secureboot-image-uuid"' image_do_mounts # update initramfs to add uuid diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook index 910ce84..bf39abb 100644 --- a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook +++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook @@ -22,12 +22,12 @@ esac . /usr/share/initramfs-tools/scripts/functions . /usr/share/initramfs-tools/hook-functions -if [ ! -e /etc/os-release ]; then - echo "Warning: couldn't find /etc/os-release!" +if [ ! -e /etc/secureboot-image-uuid ]; then + echo "Warning: couldn't find /etc/secureboot-image-uuid!" exit 0 fi -IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release) +IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/secureboot-image-uuid) echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid" exit 0 \ No newline at end of file diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch index cd2d271..82d325a 100644 --- a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch +++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch @@ -58,8 +58,8 @@ + # Mount root + # shellcheck disable=SC2086 + if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then -+ if [ -e "${rootmnt?}"/etc/os-release ]; then -+ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' ) ++ if [ -e "${rootmnt?}"/etc/secureboot-image-uuid ]; then ++ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/secureboot-image-uuid | tr -d '"' ) + if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then + return 0 + fi