diff mbox series

[isar-cip-core,v2] swupdate: Add option to disable CONFIG_HASH_VERIFY

Message ID 20220214122805.262651-1-Quirin.Gylstorff@siemens.com (mailing list archive)
State New
Headers show
Series [isar-cip-core,v2] swupdate: Add option to disable CONFIG_HASH_VERIFY | expand

Commit Message

Quirin Gylstorff Feb. 14, 2022, 12:28 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patch activate CONFIG_HASH_VERITY to ensure the integrity of the
swu binary. To ensure simple example builds the option can be disabled
by with the debian build profile `pkg.swupdate.nohashverify`.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---

Changes V2:
 - add missing patch description

 ...onfig-Make-image-encryption-optional.patch |  2 +-
 .../0002-debian-rules-Add-CONFIG_MTD.patch    |  2 +-
 ...es-Add-option-to-disable-fs-creation.patch |  2 +-
 ...ules-Add-option-to-disable-webserver.patch |  2 +-
 ...Make-CONFIG_HW_COMPATIBILTY-optional.patch |  2 +-
 ...ules-Add-Embedded-Lua-handler-option.patch |  2 +-
 ...SWUpdate-USB-service-and-Udev-rules.patch} |  8 ++---
 ...option-to-disable-CONFIG_HASH_VERIFY.patch | 29 +++++++++++++++++++
 ...repare-build-for-isar-debian-buster.patch} |  6 ++--
 .../swupdate/swupdate_2021.11-1+debian-gbp.bb |  5 ++--
 10 files changed, 45 insertions(+), 15 deletions(-)
 rename recipes-core/swupdate/files/{0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch => 0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch} (89%)
 create mode 100644 recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
 rename recipes-core/swupdate/files/{0007-debian-prepare-build-for-isar-debian-buster.patch => 0009-debian-prepare-build-for-isar-debian-buster.patch} (94%)

Comments

Jan Kiszka Feb. 15, 2022, 9:37 a.m. UTC | #1
On 14.02.22 13:28, Quirin.Gylstorff@siemens.com wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This patch activate CONFIG_HASH_VERITY to ensure the integrity of the
> swu binary. To ensure simple example builds the option can be disabled
> by with the debian build profile `pkg.swupdate.nohashverify`.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> 
> Changes V2:
>  - add missing patch description
> 
>  ...onfig-Make-image-encryption-optional.patch |  2 +-
>  .../0002-debian-rules-Add-CONFIG_MTD.patch    |  2 +-
>  ...es-Add-option-to-disable-fs-creation.patch |  2 +-
>  ...ules-Add-option-to-disable-webserver.patch |  2 +-
>  ...Make-CONFIG_HW_COMPATIBILTY-optional.patch |  2 +-
>  ...ules-Add-Embedded-Lua-handler-option.patch |  2 +-
>  ...SWUpdate-USB-service-and-Udev-rules.patch} |  8 ++---
>  ...option-to-disable-CONFIG_HASH_VERIFY.patch | 29 +++++++++++++++++++
>  ...repare-build-for-isar-debian-buster.patch} |  6 ++--
>  .../swupdate/swupdate_2021.11-1+debian-gbp.bb |  5 ++--
>  10 files changed, 45 insertions(+), 15 deletions(-)
>  rename recipes-core/swupdate/files/{0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch => 0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch} (89%)
>  create mode 100644 recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
>  rename recipes-core/swupdate/files/{0007-debian-prepare-build-for-isar-debian-buster.patch => 0009-debian-prepare-build-for-isar-debian-buster.patch} (94%)
> 
> diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
> index 8b186e0..c501e42 100644
> --- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
> +++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
> @@ -1,7 +1,7 @@
>  From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Wed, 29 Sep 2021 15:28:21 +0200
> -Subject: [PATCH 1/8] debian/config: Make image encryption optional
> +Subject: [PATCH 1/9] debian/config: Make image encryption optional
>  
>  This can be use to ease the setup with SWUpdate.
>  
> diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
> index eb5067d..50cf805 100644
> --- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
> +++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
> @@ -1,7 +1,7 @@
>  From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Wed, 29 Sep 2021 11:29:57 +0200
> -Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD
> +Subject: [PATCH 2/9] debian/rules: Add CONFIG_MTD
>  
>  if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.
>  
> diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
> index 3671709..c5815cb 100644
> --- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
> +++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
> @@ -1,7 +1,7 @@
>  From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Mon, 4 Oct 2021 17:15:56 +0200
> -Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation
> +Subject: [PATCH 3/9] debian/rules: Add option to disable fs creation
>  
>  Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  ---
> diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
> index 8fbb722..4a9076d 100644
> --- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
> +++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
> @@ -1,7 +1,7 @@
>  From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Mon, 4 Oct 2021 17:27:11 +0200
> -Subject: [PATCH 4/8] debian/rules: Add option to disable webserver
> +Subject: [PATCH 4/9] debian/rules: Add option to disable webserver
>  
>  Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  ---
> diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
> index 96443f2..87eba2c 100644
> --- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
> +++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
> @@ -1,7 +1,7 @@
>  From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Tue, 5 Oct 2021 10:56:25 +0200
> -Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional
> +Subject: [PATCH 5/9] debian: Make CONFIG_HW_COMPATIBILTY optional
>  
>  Add option for qemu.
>  
> diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
> index 324f079..5d7543b 100644
> --- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
> +++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
> @@ -1,7 +1,7 @@
>  From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Wed, 29 Sep 2021 11:32:41 +0200
> -Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option
> +Subject: [PATCH 6/9] debian/rules: Add Embedded Lua handler option
>  
>  Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  ---
> diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
> similarity index 89%
> rename from recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
> rename to recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
> index 3cce24b..2779d8b 100644
> --- a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
> +++ b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
> @@ -1,7 +1,7 @@
> -From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001
> +From 625db939a1dec7d1aa6fbcb01c2c4cbd699bfe7b Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Mon, 7 Feb 2022 09:28:39 +0100
> -Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules
> +Subject: [PATCH 7/9] debian: Remove SWUpdate USB service and Udev rules
>  
>  The current implementation will install an abitrary SWUpdate binary
>  from a plug-in USB stick. This is a major security risk for devices
> @@ -19,10 +19,10 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>   delete mode 100644 debian/swupdate.udev
>  
>  diff --git a/debian/rules b/debian/rules
> -index e1c4a921..84ed55d4 100755
> +index 12eb0ba5..76fce010 100755
>  --- a/debian/rules
>  +++ b/debian/rules
> -@@ -103,7 +103,6 @@ override_dh_auto_install:
> +@@ -101,7 +101,6 @@ override_dh_auto_install:
>   override_dh_installsystemd:
>   	dh_installsystemd --no-start
>   	dh_installsystemd --name=swupdate-progress
> diff --git a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
> new file mode 100644
> index 0000000..a7c5ee7
> --- /dev/null
> +++ b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
> @@ -0,0 +1,29 @@
> +From cddd3472aad2d8e48d557705b82ffcc0c7d14a02 Mon Sep 17 00:00:00 2001
> +From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +Date: Mon, 14 Feb 2022 12:27:43 +0100
> +Subject: [PATCH 8/9] Add Profile option to disable CONFIG_HASH_VERIFY
> +
> +This change also enables CONFIG_HASH_VERIFY by default.
> +
> +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +---
> + debian/rules | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/debian/rules b/debian/rules
> +index 76fce010..4dc9e170 100755
> +--- a/debian/rules
> ++++ b/debian/rules
> +@@ -42,6 +42,9 @@ endif
> + ifneq (,$(filter pkg.swupdate.hwcompatibility,$(DEB_BUILD_PROFILES)))
> + 	echo CONFIG_HW_COMPATIBILITY=y                   >> configs/debian_defconfig
> + endif
> ++ifeq (,$(filter pkg.swupdate.nohashverify,$(DEB_BUILD_PROFILES)))
> ++	echo CONFIG_HASH_VERIFY=y                   >> configs/debian_defconfig
> ++endif
> + ifeq (,$(filter pkg.swupdate.nowebserver,$(DEB_BUILD_PROFILES)))
> + 	echo CONFIG_WEBSERVER=y   >> configs/debian_defconfig
> + 	echo CONFIG_MONGOOSESSL=y >> configs/debian_defconfig
> +-- 
> +2.34.1
> +
> diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
> similarity index 94%
> rename from recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
> rename to recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
> index 0b08f25..8afef74 100644
> --- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
> +++ b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
> @@ -1,7 +1,7 @@
> -From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001
> +From 5dda7f815dafdfbd1b187ccc912eca38e9aee7bb Mon Sep 17 00:00:00 2001
>  From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  Date: Wed, 29 Sep 2021 16:17:03 +0200
> -Subject: [PATCH 7/8] debian: prepare build for isar debian buster
> +Subject: [PATCH 9/9] debian: prepare build for isar debian buster
>  
>  Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>  ---
> @@ -47,7 +47,7 @@ index 192c4a2a..9318fa12 100644
>                  libebgenv-dev <pkg.swupdate.efibootguard> | efibootguard-dev <pkg.swupdate.efibootguard>,
>                  libcmocka-dev,
>  diff --git a/debian/rules b/debian/rules
> -index 12eb0ba5..e1c4a921 100755
> +index 4dc9e170..370ca3d8 100755
>  --- a/debian/rules
>  +++ b/debian/rules
>  @@ -19,13 +19,15 @@ endif
> diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
> index 2995d71..699dad3 100644
> --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
> +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
> @@ -22,7 +22,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
>              file://0004-debian-rules-Add-option-to-disable-webserver.patch \
>              file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
>              file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
> -            file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch"
> +            file://0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch \
> +            file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch"
>  
>  # end patching for dm-verity based images
>  
> @@ -38,7 +39,7 @@ SWUPDATE_BUILD_PROFILES += "cross nocheck"
>  # SWUPDATE_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
>  
>  # modify for debian buster build
> -SRC_URI_append_buster = " file://0007-debian-prepare-build-for-isar-debian-buster.patch"
> +SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
>  
>  # disable documentation due to missing packages
>  SWUPDATE_BUILD_PROFILES_append = " nodoc "

Thanks, applied. I suspect you already sent the embedded patch to Debian
as well, right?

Jan
Quirin Gylstorff Feb. 15, 2022, 9:47 a.m. UTC | #2
On 2/15/22 10:37, Jan Kiszka wrote:
> On 14.02.22 13:28, Quirin.Gylstorff@siemens.com wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This patch activate CONFIG_HASH_VERITY to ensure the integrity of the
>> swu binary. To ensure simple example builds the option can be disabled
>> by with the debian build profile `pkg.swupdate.nohashverify`.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>
>> Changes V2:
>>   - add missing patch description
>>
>>   ...onfig-Make-image-encryption-optional.patch |  2 +-
>>   .../0002-debian-rules-Add-CONFIG_MTD.patch    |  2 +-
>>   ...es-Add-option-to-disable-fs-creation.patch |  2 +-
>>   ...ules-Add-option-to-disable-webserver.patch |  2 +-
>>   ...Make-CONFIG_HW_COMPATIBILTY-optional.patch |  2 +-
>>   ...ules-Add-Embedded-Lua-handler-option.patch |  2 +-
>>   ...SWUpdate-USB-service-and-Udev-rules.patch} |  8 ++---
>>   ...option-to-disable-CONFIG_HASH_VERIFY.patch | 29 +++++++++++++++++++
>>   ...repare-build-for-isar-debian-buster.patch} |  6 ++--
>>   .../swupdate/swupdate_2021.11-1+debian-gbp.bb |  5 ++--
>>   10 files changed, 45 insertions(+), 15 deletions(-)
>>   rename recipes-core/swupdate/files/{0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch => 0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch} (89%)
>>   create mode 100644 recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
>>   rename recipes-core/swupdate/files/{0007-debian-prepare-build-for-isar-debian-buster.patch => 0009-debian-prepare-build-for-isar-debian-buster.patch} (94%)
>>
>> diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
>> index 8b186e0..c501e42 100644
>> --- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
>> +++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
>> @@ -1,7 +1,7 @@
>>   From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Wed, 29 Sep 2021 15:28:21 +0200
>> -Subject: [PATCH 1/8] debian/config: Make image encryption optional
>> +Subject: [PATCH 1/9] debian/config: Make image encryption optional
>>   
>>   This can be use to ease the setup with SWUpdate.
>>   
>> diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
>> index eb5067d..50cf805 100644
>> --- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
>> +++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
>> @@ -1,7 +1,7 @@
>>   From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Wed, 29 Sep 2021 11:29:57 +0200
>> -Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD
>> +Subject: [PATCH 2/9] debian/rules: Add CONFIG_MTD
>>   
>>   if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.
>>   
>> diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
>> index 3671709..c5815cb 100644
>> --- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
>> +++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
>> @@ -1,7 +1,7 @@
>>   From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Mon, 4 Oct 2021 17:15:56 +0200
>> -Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation
>> +Subject: [PATCH 3/9] debian/rules: Add option to disable fs creation
>>   
>>   Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   ---
>> diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
>> index 8fbb722..4a9076d 100644
>> --- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
>> +++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
>> @@ -1,7 +1,7 @@
>>   From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Mon, 4 Oct 2021 17:27:11 +0200
>> -Subject: [PATCH 4/8] debian/rules: Add option to disable webserver
>> +Subject: [PATCH 4/9] debian/rules: Add option to disable webserver
>>   
>>   Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   ---
>> diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
>> index 96443f2..87eba2c 100644
>> --- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
>> +++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
>> @@ -1,7 +1,7 @@
>>   From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Tue, 5 Oct 2021 10:56:25 +0200
>> -Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional
>> +Subject: [PATCH 5/9] debian: Make CONFIG_HW_COMPATIBILTY optional
>>   
>>   Add option for qemu.
>>   
>> diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
>> index 324f079..5d7543b 100644
>> --- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
>> +++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
>> @@ -1,7 +1,7 @@
>>   From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Wed, 29 Sep 2021 11:32:41 +0200
>> -Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option
>> +Subject: [PATCH 6/9] debian/rules: Add Embedded Lua handler option
>>   
>>   Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   ---
>> diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
>> similarity index 89%
>> rename from recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
>> rename to recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
>> index 3cce24b..2779d8b 100644
>> --- a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
>> +++ b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
>> @@ -1,7 +1,7 @@
>> -From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001
>> +From 625db939a1dec7d1aa6fbcb01c2c4cbd699bfe7b Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Mon, 7 Feb 2022 09:28:39 +0100
>> -Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules
>> +Subject: [PATCH 7/9] debian: Remove SWUpdate USB service and Udev rules
>>   
>>   The current implementation will install an abitrary SWUpdate binary
>>   from a plug-in USB stick. This is a major security risk for devices
>> @@ -19,10 +19,10 @@ Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>    delete mode 100644 debian/swupdate.udev
>>   
>>   diff --git a/debian/rules b/debian/rules
>> -index e1c4a921..84ed55d4 100755
>> +index 12eb0ba5..76fce010 100755
>>   --- a/debian/rules
>>   +++ b/debian/rules
>> -@@ -103,7 +103,6 @@ override_dh_auto_install:
>> +@@ -101,7 +101,6 @@ override_dh_auto_install:
>>    override_dh_installsystemd:
>>    	dh_installsystemd --no-start
>>    	dh_installsystemd --name=swupdate-progress
>> diff --git a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
>> new file mode 100644
>> index 0000000..a7c5ee7
>> --- /dev/null
>> +++ b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
>> @@ -0,0 +1,29 @@
>> +From cddd3472aad2d8e48d557705b82ffcc0c7d14a02 Mon Sep 17 00:00:00 2001
>> +From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +Date: Mon, 14 Feb 2022 12:27:43 +0100
>> +Subject: [PATCH 8/9] Add Profile option to disable CONFIG_HASH_VERIFY
>> +
>> +This change also enables CONFIG_HASH_VERIFY by default.
>> +
>> +Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +---
>> + debian/rules | 3 +++
>> + 1 file changed, 3 insertions(+)
>> +
>> +diff --git a/debian/rules b/debian/rules
>> +index 76fce010..4dc9e170 100755
>> +--- a/debian/rules
>> ++++ b/debian/rules
>> +@@ -42,6 +42,9 @@ endif
>> + ifneq (,$(filter pkg.swupdate.hwcompatibility,$(DEB_BUILD_PROFILES)))
>> + 	echo CONFIG_HW_COMPATIBILITY=y                   >> configs/debian_defconfig
>> + endif
>> ++ifeq (,$(filter pkg.swupdate.nohashverify,$(DEB_BUILD_PROFILES)))
>> ++	echo CONFIG_HASH_VERIFY=y                   >> configs/debian_defconfig
>> ++endif
>> + ifeq (,$(filter pkg.swupdate.nowebserver,$(DEB_BUILD_PROFILES)))
>> + 	echo CONFIG_WEBSERVER=y   >> configs/debian_defconfig
>> + 	echo CONFIG_MONGOOSESSL=y >> configs/debian_defconfig
>> +--
>> +2.34.1
>> +
>> diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
>> similarity index 94%
>> rename from recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
>> rename to recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
>> index 0b08f25..8afef74 100644
>> --- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
>> +++ b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
>> @@ -1,7 +1,7 @@
>> -From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001
>> +From 5dda7f815dafdfbd1b187ccc912eca38e9aee7bb Mon Sep 17 00:00:00 2001
>>   From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   Date: Wed, 29 Sep 2021 16:17:03 +0200
>> -Subject: [PATCH 7/8] debian: prepare build for isar debian buster
>> +Subject: [PATCH 9/9] debian: prepare build for isar debian buster
>>   
>>   Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>   ---
>> @@ -47,7 +47,7 @@ index 192c4a2a..9318fa12 100644
>>                   libebgenv-dev <pkg.swupdate.efibootguard> | efibootguard-dev <pkg.swupdate.efibootguard>,
>>                   libcmocka-dev,
>>   diff --git a/debian/rules b/debian/rules
>> -index 12eb0ba5..e1c4a921 100755
>> +index 4dc9e170..370ca3d8 100755
>>   --- a/debian/rules
>>   +++ b/debian/rules
>>   @@ -19,13 +19,15 @@ endif
>> diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
>> index 2995d71..699dad3 100644
>> --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
>> +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
>> @@ -22,7 +22,8 @@ SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
>>               file://0004-debian-rules-Add-option-to-disable-webserver.patch \
>>               file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
>>               file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
>> -            file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch"
>> +            file://0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch \
>> +            file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch"
>>   
>>   # end patching for dm-verity based images
>>   
>> @@ -38,7 +39,7 @@ SWUPDATE_BUILD_PROFILES += "cross nocheck"
>>   # SWUPDATE_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
>>   
>>   # modify for debian buster build
>> -SRC_URI_append_buster = " file://0007-debian-prepare-build-for-isar-debian-buster.patch"
>> +SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
>>   
>>   # disable documentation due to missing packages
>>   SWUPDATE_BUILD_PROFILES_append = " nodoc "
> 
> Thanks, applied. I suspect you already sent the embedded patch to Debian
> as well, right?

Most of them - we still have the Embedded lua handler which will stay as 
it make no sense for upstream.

And as long as we support Buster - these patches will also stay.

> 
> Jan
> 
Quirin
diff mbox series

Patch

diff --git a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
index 8b186e0..c501e42 100644
--- a/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
+++ b/recipes-core/swupdate/files/0001-debian-config-Make-image-encryption-optional.patch
@@ -1,7 +1,7 @@ 
 From 20bb45563fe8f3ec95ef22d715d1add014156543 Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Wed, 29 Sep 2021 15:28:21 +0200
-Subject: [PATCH 1/8] debian/config: Make image encryption optional
+Subject: [PATCH 1/9] debian/config: Make image encryption optional
 
 This can be use to ease the setup with SWUpdate.
 
diff --git a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
index eb5067d..50cf805 100644
--- a/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
+++ b/recipes-core/swupdate/files/0002-debian-rules-Add-CONFIG_MTD.patch
@@ -1,7 +1,7 @@ 
 From 1d52fe25e72f9e33525bca7efa5efe901cb32c65 Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Wed, 29 Sep 2021 11:29:57 +0200
-Subject: [PATCH 2/8] debian/rules: Add CONFIG_MTD
+Subject: [PATCH 2/9] debian/rules: Add CONFIG_MTD
 
 if pkg.swupdate.bpo is set CONFIG_MTD is disable but not enabled.
 
diff --git a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
index 3671709..c5815cb 100644
--- a/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
+++ b/recipes-core/swupdate/files/0003-debian-rules-Add-option-to-disable-fs-creation.patch
@@ -1,7 +1,7 @@ 
 From 8b6f01b6126933723963497d0db0c256e5251c5b Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Mon, 4 Oct 2021 17:15:56 +0200
-Subject: [PATCH 3/8] debian/rules: Add option to disable fs creation
+Subject: [PATCH 3/9] debian/rules: Add option to disable fs creation
 
 Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 ---
diff --git a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
index 8fbb722..4a9076d 100644
--- a/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
+++ b/recipes-core/swupdate/files/0004-debian-rules-Add-option-to-disable-webserver.patch
@@ -1,7 +1,7 @@ 
 From c1f46ecb2ac3aed3a711dec767321afa92b600d8 Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Mon, 4 Oct 2021 17:27:11 +0200
-Subject: [PATCH 4/8] debian/rules: Add option to disable webserver
+Subject: [PATCH 4/9] debian/rules: Add option to disable webserver
 
 Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 ---
diff --git a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
index 96443f2..87eba2c 100644
--- a/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
+++ b/recipes-core/swupdate/files/0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch
@@ -1,7 +1,7 @@ 
 From ccc6f5d04aba0f1270f7d6b6de298b2084ad3bfd Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Tue, 5 Oct 2021 10:56:25 +0200
-Subject: [PATCH 5/8] debian: Make CONFIG_HW_COMPATIBILTY optional
+Subject: [PATCH 5/9] debian: Make CONFIG_HW_COMPATIBILTY optional
 
 Add option for qemu.
 
diff --git a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
index 324f079..5d7543b 100644
--- a/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ b/recipes-core/swupdate/files/0006-debian-rules-Add-Embedded-Lua-handler-option.patch
@@ -1,7 +1,7 @@ 
 From 7107052e6aa1a35a2900070797ac013d49814f0b Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 6/8] debian/rules: Add Embedded Lua handler option
+Subject: [PATCH 6/9] debian/rules: Add Embedded Lua handler option
 
 Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 ---
diff --git a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
similarity index 89%
rename from recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
rename to recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
index 3cce24b..2779d8b 100644
--- a/recipes-core/swupdate/files/0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
+++ b/recipes-core/swupdate/files/0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch
@@ -1,7 +1,7 @@ 
-From 93b9a179119394395c72e62e59a73d29e9bba735 Mon Sep 17 00:00:00 2001
+From 625db939a1dec7d1aa6fbcb01c2c4cbd699bfe7b Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Mon, 7 Feb 2022 09:28:39 +0100
-Subject: [PATCH 8/8] debian: Remove SWUpdate USB service and Udev rules
+Subject: [PATCH 7/9] debian: Remove SWUpdate USB service and Udev rules
 
 The current implementation will install an abitrary SWUpdate binary
 from a plug-in USB stick. This is a major security risk for devices
@@ -19,10 +19,10 @@  Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
  delete mode 100644 debian/swupdate.udev
 
 diff --git a/debian/rules b/debian/rules
-index e1c4a921..84ed55d4 100755
+index 12eb0ba5..76fce010 100755
 --- a/debian/rules
 +++ b/debian/rules
-@@ -103,7 +103,6 @@ override_dh_auto_install:
+@@ -101,7 +101,6 @@ override_dh_auto_install:
  override_dh_installsystemd:
  	dh_installsystemd --no-start
  	dh_installsystemd --name=swupdate-progress
diff --git a/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
new file mode 100644
index 0000000..a7c5ee7
--- /dev/null
+++ b/recipes-core/swupdate/files/0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch
@@ -0,0 +1,29 @@ 
+From cddd3472aad2d8e48d557705b82ffcc0c7d14a02 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Mon, 14 Feb 2022 12:27:43 +0100
+Subject: [PATCH 8/9] Add Profile option to disable CONFIG_HASH_VERIFY
+
+This change also enables CONFIG_HASH_VERIFY by default.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ debian/rules | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/debian/rules b/debian/rules
+index 76fce010..4dc9e170 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -42,6 +42,9 @@ endif
+ ifneq (,$(filter pkg.swupdate.hwcompatibility,$(DEB_BUILD_PROFILES)))
+ 	echo CONFIG_HW_COMPATIBILITY=y                   >> configs/debian_defconfig
+ endif
++ifeq (,$(filter pkg.swupdate.nohashverify,$(DEB_BUILD_PROFILES)))
++	echo CONFIG_HASH_VERIFY=y                   >> configs/debian_defconfig
++endif
+ ifeq (,$(filter pkg.swupdate.nowebserver,$(DEB_BUILD_PROFILES)))
+ 	echo CONFIG_WEBSERVER=y   >> configs/debian_defconfig
+ 	echo CONFIG_MONGOOSESSL=y >> configs/debian_defconfig
+-- 
+2.34.1
+
diff --git a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
similarity index 94%
rename from recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
rename to recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
index 0b08f25..8afef74 100644
--- a/recipes-core/swupdate/files/0007-debian-prepare-build-for-isar-debian-buster.patch
+++ b/recipes-core/swupdate/files/0009-debian-prepare-build-for-isar-debian-buster.patch
@@ -1,7 +1,7 @@ 
-From 123190b2aa72818186ba12a04d793ff7d4244828 Mon Sep 17 00:00:00 2001
+From 5dda7f815dafdfbd1b187ccc912eca38e9aee7bb Mon Sep 17 00:00:00 2001
 From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 Date: Wed, 29 Sep 2021 16:17:03 +0200
-Subject: [PATCH 7/8] debian: prepare build for isar debian buster
+Subject: [PATCH 9/9] debian: prepare build for isar debian buster
 
 Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
 ---
@@ -47,7 +47,7 @@  index 192c4a2a..9318fa12 100644
                 libebgenv-dev <pkg.swupdate.efibootguard> | efibootguard-dev <pkg.swupdate.efibootguard>,
                 libcmocka-dev,
 diff --git a/debian/rules b/debian/rules
-index 12eb0ba5..e1c4a921 100755
+index 4dc9e170..370ca3d8 100755
 --- a/debian/rules
 +++ b/debian/rules
 @@ -19,13 +19,15 @@ endif
diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
index 2995d71..699dad3 100644
--- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb
@@ -22,7 +22,8 @@  SRC_URI += "file://0001-debian-config-Make-image-encryption-optional.patch \
             file://0004-debian-rules-Add-option-to-disable-webserver.patch \
             file://0005-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \
             file://0006-debian-rules-Add-Embedded-Lua-handler-option.patch \
-            file://0008-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch"
+            file://0007-debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch \
+            file://0008-Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch"
 
 # end patching for dm-verity based images
 
@@ -38,7 +39,7 @@  SWUPDATE_BUILD_PROFILES += "cross nocheck"
 # SWUPDATE_BUILD_PROFILES += "pkg.swupdate.embeddedlua"
 
 # modify for debian buster build
-SRC_URI_append_buster = " file://0007-debian-prepare-build-for-isar-debian-buster.patch"
+SRC_URI_append_buster = " file://0009-debian-prepare-build-for-isar-debian-buster.patch"
 
 # disable documentation due to missing packages
 SWUPDATE_BUILD_PROFILES_append = " nodoc "