| Message ID | 20220207091752.190490-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | [isar-cip-core] swupdate: Remove usb.service | expand |
On 07.02.22 10:17, Q. Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > Upstream adds an udev-rules and systemd service to install a swu from > a plug-in USB stick. > > If the signing of the SWUpdate binary is deactivated > (current default in isar-cip-core) this service allows the installation > of a abitrary SWUpdate binary from a plug-in USB stick. > > Remove the installation and the files from the debian folder to > deactivate the possibility to install from USB. > > Reported-by: Lisicki, Raphael <raphael.lisicki@siemens.com> > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > ...onfig-Make-image-encryption-optional.patch | 2 +- > .../0002-debian-rules-Add-CONFIG_MTD.patch | 2 +- > ...es-Add-option-to-disable-fs-creation.patch | 2 +- > ...ules-Add-option-to-disable-webserver.patch | 2 +- > ...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 2 +- > ...ules-Add-Embedded-Lua-handler-option.patch | 2 +- > ...prepare-build-for-isar-debian-buster.patch | 2 +- > ...-SWUpdate-USB-service-and-Udev-rules.patch | 57 +++++++++++++++++++ > .../swupdate/swupdate_2021.11-1+debian-gbp.bb | 3 +- > 9 files changed, 66 insertions(+), 8 deletions(-) > create mode 100644 recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch > > diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch > index c07b103..8b186e0 100644 > --- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch > +++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch > @@ -1,7 +1,7 @@ > From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001 > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > Date: Wed, 29 Sep 2021 15:28:21 +0200 > -Subject: [PATCH 1/7] debian/config: Make image encryption optional > +Subject: [PATCH 1/8] debian/config: Make image encryption optional > > This can be use to ease the setup with SWUpdate. > > diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch > index 8ebd09e..eb5067d 100644 > --- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch > +++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch > @@ -1,7 +1,7 @@ > From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001 > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > Date: Wed, 29 Sep 2021 11:29:57 +0200 > -Subject: [PATCH 2/7] debian/rules: Add CONFIG_MTD > +Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD > > if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled. > > diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch > index 876e164..3671709 100644 > --- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch > +++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch > @@ -1,7 +1,7 @@ > From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001 > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > Date: Mon, 4 Oct 2021 17:15:56 +0200 > -Subject: [PATCH 3/7] debian/rules: Add option to disable fs creation > +Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch > index 66e48e6..8fbb722 100644 > --- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch > +++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch > @@ -1,7 +1,7 @@ > From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001 > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > Date: Mon, 4 Oct 2021 17:27:11 +0200 > -Subject: [PATCH 4/7] debian/rules: Add option to disable webserver > +Subject: [PATCH 4/8] debian/rules: Add option to disable webserver > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch > index 4cca3bf..96443f2 100644 > --- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch > +++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch > @@ -1,7 +1,7 @@ > From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001 > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > Date: Tue, 5 Oct 2021 10:56:25 +0200 > -Subject: [PATCH 5/7] debian: Make CONFIG_HW_COMPATIBILTY optional > +Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional > > Add option for qemu. > > diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch > index 447f6ad..324f079 100644 > --- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch > +++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch > @@ -1,7 +1,7 @@ > From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001 > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > Date: Wed, 29 Sep 2021 11:32:41 +0200 > -Subject: [PATCH 6/7] debian/rules: Add Embedded Lua handler option > +Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch > index 3ff4ca9..0b08f25 100644 > --- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch > +++ b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch > @@ -1,7 +1,7 @@ > From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001 > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > Date: Wed, 29 Sep 2021 16:17:03 +0200 > -Subject: [PATCH 7/7] debian: prepare build for isar debian buster > +Subject: [PATCH 7/8] debian: prepare build for isar debian buster > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch > new file mode 100644 > index 0000000..3cce24b > --- /dev/null > +++ b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch > @@ -0,0 +1,57 @@ > +From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001 > +From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > +Date: Mon, 7 Feb 2022 09:28:39 +0100 > +Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules > + > +The current implementation will install an abitrary SWUpdate binary > +from a plug-in USB stick. This is a major security risk for devices > +using the SWUpdate package from Debian. > + > +Remove the installation and the files from the debian folder. > + > +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > +--- > + debian/rules | 1 - > + debian/swupdate.swupdate-usb@.service | 8 -------- > + debian/swupdate.udev | 2 -- > + 3 files changed, 11 deletions(-) > + delete mode 100644 debian/swupdate.swupdate-usb@.service > + delete mode 100644 debian/swupdate.udev > + > +diff --git a/debian/rules b/debian/rules > +index e1c4a921..84ed55d4 100755 > +--- a/debian/rules > ++++ b/debian/rules > +@@ -103,7 +103,6 @@ override_dh_auto_install: > + override_dh_installsystemd: > + dh_installsystemd --no-start > + dh_installsystemd --name=swupdate-progress > +- dh_installsystemd --no-start --name=swupdate-usb@ > + > + ifeq (,$(filter pkg.swupdate.bpo,$(DEB_BUILD_PROFILES))) > + override_dh_gencontrol: > +diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service > +deleted file mode 100644 > +index eda9d153..00000000 > +--- a/debian/swupdate.swupdate-usb@.service > ++++ /dev/null > +@@ -1,8 +0,0 @@ > +-[Unit] > +-Description=usb media swupdate service > +-Requires=swupdate-progress.service > +- > +-[Service] > +-ExecStartPre=/bin/mount /dev/%I /mnt > +-ExecStart=/bin/sh -c "swupdate-client -v /mnt/*.swu" > +-ExecStopPost=/bin/umount /mnt > +diff --git a/debian/swupdate.udev b/debian/swupdate.udev > +deleted file mode 100644 > +index b4efd0b7..00000000 > +--- a/debian/swupdate.udev > ++++ /dev/null > +@@ -1,2 +0,0 @@ > +-ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service" > +- > +-- > +2.34.1 > + > diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb > index 48a6cc1..2995d71 100644 > --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb > +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb > @@ -21,7 +21,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \ > file://0003-debian-rules-Add-option-to-disable-fs-creation.patch \ > file://0004-debian-rules-Add-option-to-disable-webserver.patch \ > file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \ > - file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch" > + file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \ > + file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch" > > # end patching for dm-verity based images > Thanks, applied to next as quick-fix. Wouldn't it be more useful to make this configurable (opt-in via /etc/something on the device), possibly also in Debian? Jan
On 2/7/22 10:22, Jan Kiszka wrote: > On 07.02.22 10:17, Q. Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> Upstream adds an udev-rules and systemd service to install a swu from >> a plug-in USB stick. >> >> If the signing of the SWUpdate binary is deactivated >> (current default in isar-cip-core) this service allows the installation >> of a abitrary SWUpdate binary from a plug-in USB stick. >> >> Remove the installation and the files from the debian folder to >> deactivate the possibility to install from USB. >> >> Reported-by: Lisicki, Raphael <raphael.lisicki@siemens.com> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> ...onfig-Make-image-encryption-optional.patch | 2 +- >> .../0002-debian-rules-Add-CONFIG_MTD.patch | 2 +- >> ...es-Add-option-to-disable-fs-creation.patch | 2 +- >> ...ules-Add-option-to-disable-webserver.patch | 2 +- >> ...Make-CONFIG_HW_COMPATIBILTY-optional.patch | 2 +- >> ...ules-Add-Embedded-Lua-handler-option.patch | 2 +- >> ...prepare-build-for-isar-debian-buster.patch | 2 +- >> ...-SWUpdate-USB-service-and-Udev-rules.patch | 57 +++++++++++++++++++ >> .../swupdate/swupdate_2021.11-1+debian-gbp.bb | 3 +- >> 9 files changed, 66 insertions(+), 8 deletions(-) >> create mode 100644 recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch >> >> diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch >> index c07b103..8b186e0 100644 >> --- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch >> +++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch >> @@ -1,7 +1,7 @@ >> From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001 >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> Date: Wed, 29 Sep 2021 15:28:21 +0200 >> -Subject: [PATCH 1/7] debian/config: Make image encryption optional >> +Subject: [PATCH 1/8] debian/config: Make image encryption optional >> >> This can be use to ease the setup with SWUpdate. >> >> diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch >> index 8ebd09e..eb5067d 100644 >> --- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch >> +++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch >> @@ -1,7 +1,7 @@ >> From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001 >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> Date: Wed, 29 Sep 2021 11:29:57 +0200 >> -Subject: [PATCH 2/7] debian/rules: Add CONFIG_MTD >> +Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD >> >> if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled. >> >> diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch >> index 876e164..3671709 100644 >> --- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch >> +++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch >> @@ -1,7 +1,7 @@ >> From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001 >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> Date: Mon, 4 Oct 2021 17:15:56 +0200 >> -Subject: [PATCH 3/7] debian/rules: Add option to disable fs creation >> +Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch >> index 66e48e6..8fbb722 100644 >> --- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch >> +++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch >> @@ -1,7 +1,7 @@ >> From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001 >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> Date: Mon, 4 Oct 2021 17:27:11 +0200 >> -Subject: [PATCH 4/7] debian/rules: Add option to disable webserver >> +Subject: [PATCH 4/8] debian/rules: Add option to disable webserver >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch >> index 4cca3bf..96443f2 100644 >> --- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch >> +++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch >> @@ -1,7 +1,7 @@ >> From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001 >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> Date: Tue, 5 Oct 2021 10:56:25 +0200 >> -Subject: [PATCH 5/7] debian: Make CONFIG_HW_COMPATIBILTY optional >> +Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional >> >> Add option for qemu. >> >> diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch >> index 447f6ad..324f079 100644 >> --- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch >> +++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch >> @@ -1,7 +1,7 @@ >> From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001 >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> Date: Wed, 29 Sep 2021 11:32:41 +0200 >> -Subject: [PATCH 6/7] debian/rules: Add Embedded Lua handler option >> +Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch >> index 3ff4ca9..0b08f25 100644 >> --- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch >> +++ b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch >> @@ -1,7 +1,7 @@ >> From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001 >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> Date: Wed, 29 Sep 2021 16:17:03 +0200 >> -Subject: [PATCH 7/7] debian: prepare build for isar debian buster >> +Subject: [PATCH 7/8] debian: prepare build for isar debian buster >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch >> new file mode 100644 >> index 0000000..3cce24b >> --- /dev/null >> +++ b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch >> @@ -0,0 +1,57 @@ >> +From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001 >> +From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> +Date: Mon, 7 Feb 2022 09:28:39 +0100 >> +Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules >> + >> +The current implementation will install an abitrary SWUpdate binary >> +from a plug-in USB stick. This is a major security risk for devices >> +using the SWUpdate package from Debian. >> + >> +Remove the installation and the files from the debian folder. >> + >> +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> +--- >> + debian/rules | 1 - >> + debian/swupdate.swupdate-usb@.service | 8 -------- >> + debian/swupdate.udev | 2 -- >> + 3 files changed, 11 deletions(-) >> + delete mode 100644 debian/swupdate.swupdate-usb@.service >> + delete mode 100644 debian/swupdate.udev >> + >> +diff --git a/debian/rules b/debian/rules >> +index e1c4a921..84ed55d4 100755 >> +--- a/debian/rules >> ++++ b/debian/rules >> +@@ -103,7 +103,6 @@ override_dh_auto_install: >> + override_dh_installsystemd: >> + dh_installsystemd --no-start >> + dh_installsystemd --name=swupdate-progress >> +- dh_installsystemd --no-start --name=swupdate-usb@ >> + >> + ifeq (,$(filter pkg.swupdate.bpo,$(DEB_BUILD_PROFILES))) >> + override_dh_gencontrol: >> +diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service >> +deleted file mode 100644 >> +index eda9d153..00000000 >> +--- a/debian/swupdate.swupdate-usb@.service >> ++++ /dev/null >> +@@ -1,8 +0,0 @@ >> +-[Unit] >> +-Description=usb media swupdate service >> +-Requires=swupdate-progress.service >> +- >> +-[Service] >> +-ExecStartPre=/bin/mount /dev/%I /mnt >> +-ExecStart=/bin/sh -c "swupdate-client -v /mnt/*.swu" >> +-ExecStopPost=/bin/umount /mnt >> +diff --git a/debian/swupdate.udev b/debian/swupdate.udev >> +deleted file mode 100644 >> +index b4efd0b7..00000000 >> +--- a/debian/swupdate.udev >> ++++ /dev/null >> +@@ -1,2 +0,0 @@ >> +-ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service" >> +- >> +-- >> +2.34.1 >> + >> diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb >> index 48a6cc1..2995d71 100644 >> --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb >> +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb >> @@ -21,7 +21,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \ >> file://0003-debian-rules-Add-option-to-disable-fs-creation.patch \ >> file://0004-debian-rules-Add-option-to-disable-webserver.patch \ >> file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \ >> - file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch" >> + file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \ >> + file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch" >> >> # end patching for dm-verity based images >> > > Thanks, applied to next as quick-fix. > > Wouldn't it be more useful to make this configurable (opt-in via > /etc/something on the device), possibly also in Debian? > > Jan > I currently looking into it to make it configurable in upstream. I will also try to add a warning to the upstream build. Quirin
diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch index c07b103..8b186e0 100644 --- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch +++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch @@ -1,7 +1,7 @@ From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff <quirin.gylstorff@siemens.com> Date: Wed, 29 Sep 2021 15:28:21 +0200 -Subject: [PATCH 1/7] debian/config: Make image encryption optional +Subject: [PATCH 1/8] debian/config: Make image encryption optional This can be use to ease the setup with SWUpdate. diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch index 8ebd09e..eb5067d 100644 --- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch +++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch @@ -1,7 +1,7 @@ From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff <quirin.gylstorff@siemens.com> Date: Wed, 29 Sep 2021 11:29:57 +0200 -Subject: [PATCH 2/7] debian/rules: Add CONFIG_MTD +Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled. diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch index 876e164..3671709 100644 --- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch +++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch @@ -1,7 +1,7 @@ From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff <quirin.gylstorff@siemens.com> Date: Mon, 4 Oct 2021 17:15:56 +0200 -Subject: [PATCH 3/7] debian/rules: Add option to disable fs creation +Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch index 66e48e6..8fbb722 100644 --- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch +++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch @@ -1,7 +1,7 @@ From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff <quirin.gylstorff@siemens.com> Date: Mon, 4 Oct 2021 17:27:11 +0200 -Subject: [PATCH 4/7] debian/rules: Add option to disable webserver +Subject: [PATCH 4/8] debian/rules: Add option to disable webserver Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch index 4cca3bf..96443f2 100644 --- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch +++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch @@ -1,7 +1,7 @@ From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff <quirin.gylstorff@siemens.com> Date: Tue, 5 Oct 2021 10:56:25 +0200 -Subject: [PATCH 5/7] debian: Make CONFIG_HW_COMPATIBILTY optional +Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional Add option for qemu. diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch index 447f6ad..324f079 100644 --- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch +++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch @@ -1,7 +1,7 @@ From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff <quirin.gylstorff@siemens.com> Date: Wed, 29 Sep 2021 11:32:41 +0200 -Subject: [PATCH 6/7] debian/rules: Add Embedded Lua handler option +Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch index 3ff4ca9..0b08f25 100644 --- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch +++ b/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch @@ -1,7 +1,7 @@ From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001 From: Quirin Gylstorff <quirin.gylstorff@siemens.com> Date: Wed, 29 Sep 2021 16:17:03 +0200 -Subject: [PATCH 7/7] debian: prepare build for isar debian buster +Subject: [PATCH 7/8] debian: prepare build for isar debian buster Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch new file mode 100644 index 0000000..3cce24b --- /dev/null +++ b/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch @@ -0,0 +1,57 @@ +From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff <quirin.gylstorff@siemens.com> +Date: Mon, 7 Feb 2022 09:28:39 +0100 +Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules + +The current implementation will install an abitrary SWUpdate binary +from a plug-in USB stick. This is a major security risk for devices +using the SWUpdate package from Debian. + +Remove the installation and the files from the debian folder. + +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> +--- + debian/rules | 1 - + debian/swupdate.swupdate-usb@.service | 8 -------- + debian/swupdate.udev | 2 -- + 3 files changed, 11 deletions(-) + delete mode 100644 debian/swupdate.swupdate-usb@.service + delete mode 100644 debian/swupdate.udev + +diff --git a/debian/rules b/debian/rules +index e1c4a921..84ed55d4 100755 +--- a/debian/rules ++++ b/debian/rules +@@ -103,7 +103,6 @@ override_dh_auto_install: + override_dh_installsystemd: + dh_installsystemd --no-start + dh_installsystemd --name=swupdate-progress +- dh_installsystemd --no-start --name=swupdate-usb@ + + ifeq (,$(filter pkg.swupdate.bpo,$(DEB_BUILD_PROFILES))) + override_dh_gencontrol: +diff --git a/debian/swupdate.swupdate-usb@.service b/debian/swupdate.swupdate-usb@.service +deleted file mode 100644 +index eda9d153..00000000 +--- a/debian/swupdate.swupdate-usb@.service ++++ /dev/null +@@ -1,8 +0,0 @@ +-[Unit] +-Description=usb media swupdate service +-Requires=swupdate-progress.service +- +-[Service] +-ExecStartPre=/bin/mount /dev/%I /mnt +-ExecStart=/bin/sh -c "swupdate-client -v /mnt/*.swu" +-ExecStopPost=/bin/umount /mnt +diff --git a/debian/swupdate.udev b/debian/swupdate.udev +deleted file mode 100644 +index b4efd0b7..00000000 +--- a/debian/swupdate.udev ++++ /dev/null +@@ -1,2 +0,0 @@ +-ACTION=="add", KERNEL=="sd*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{ID_FS_USAGE}=="filesystem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="swupdate-usb@%k.service" +- +-- +2.34.1 + diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb index 48a6cc1..2995d71 100644 --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb @@ -21,7 +21,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \ file://0003-debian-rules-Add-option-to-disable-fs-creation.patch \ file://0004-debian-rules-Add-option-to-disable-webserver.patch \ file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \ - file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch" + file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \ + file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch" # end patching for dm-verity based images