
[isar-cip-core,07/19] swupdate: Switch to unified kernel image by default

Message ID ec84e655e1d0a6f0909969f351de6e4ed0abc0d1.1649834193.git.jan.kiszka@siemens.com (mailing list archive)
State Handled Elsewhere
Series SWUpdate & EFI Boot Guard refactorings | expand

Commit Message

Jan Kiszka April 13, 2022, 7:16 a.m. UTC
From: Jan Kiszka <jan.kiszka@siemens.com>

This will help to move non-secure and secure boot closer. It will also
be required when booting non-x86 kernels with device trees that shall be
replaceable via updates, thus shall be embedded into the unified kernel
image.

The change obsoletes the need to specify "unified-kernel=y" as
efibootguard-boot plugin parameter. Users can still select the classic
boot method by providing "unified-kernel=n".

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 kas/opt/ebg-swu.yml                           |  4 ++++
 recipes-core/images/files/sw-description.tmpl | 20 +++++--------------
 recipes-core/images/swupdate.inc              |  4 ++--
 .../files/swupdate.handler.efibootguard.ini   | 16 +++------------
 .../wic/plugins/source/efibootguard-boot.py   | 10 ++++------
 wic/ebg-sysparts.inc                          |  4 ++--
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  4 ++--
 7 files changed, 22 insertions(+), 40 deletions(-)

Patch

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index e708d0a..a58f0ed 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -14,3 +14,7 @@  header:
   includes:
    - kas/opt/efibootguard.yml
    - kas/opt/swupdate.yml
+
+local_conf_header:
+  initramfs: |
+    IMAGE_INSTALL += "initramfs-abrootfs-hook"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index c44c2a8..7dd67f9 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -11,10 +11,10 @@ 
 software =
 {
     version = "0.2";
-    name = "cip software update"
+    name = "cip software update";
     images: ({
             filename = "${ROOTFS_PARTITION_NAME}";
-            device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
+            device = "sda4,sda5";
             type = "roundrobin";
             compressed = "zlib";
             filesystem = "ext4";
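Review bot: The new `device = "sda4,sda5"` value ties the update target to kernel device names where the old value used partition UUIDs, and the same applies to `device = "sda4->BOOT0,sda5->BOOT1"` in the files section of the next hunk. Kernel names such as sda depend on the storage type and probe order, so on a target that boots from NVMe or eMMC, or has an additional disk attached, these names may not exist or may refer to a different partition than the inactive root slot. If the getroot-based selector needs device names, consider making the pair a template variable (added to TEMPLATE_VARS) instead of a literal. A comment stating that the names must match the wks partition layout would also help.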
@@ -23,23 +23,13 @@  software =
             };
     });
     files: ({
-            filename = "${KERNEL_IMAGE}";
-            path = "vmlinuz";
+            filename = "linux.efi";
+            path = "linux.efi";
             type = "roundrobin";
-            device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
+            device = "sda4->BOOT0,sda5->BOOT1";
             filesystem = "vfat";
             properties: {
                         subtype = "kernel";
             };
-    },
-    {
-            filename = "${INITRD_IMAGE}";
-            path = "${INITRD_IMAGE}";
-            type = "roundrobin";
-            device = "fedcba98-7654-3210-cafe-5e0710000001->BOOT0,fedcba98-7654-3210-cafe-5e0710000002->BOOT1";
-            filesystem = "vfat";
-            properties: {
-                        subtype = "initrd";
-            };
     });
 }
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
index c23c103..2c3ad65 100644
--- a/recipes-core/images/swupdate.inc
+++ b/recipes-core/images/swupdate.inc
@@ -16,6 +16,6 @@  ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.img.p4.gz"
 SRC_URI += "file://sw-description.tmpl"
 TEMPLATE_FILES += "sw-description.tmpl"
 
-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE"
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
 
-SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}"
+SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
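Review bot: `linux.efi` is now listed unconditionally in SWU_ADDITIONAL_FILES, although the commit message says `unified-kernel=n` remains selectable in the wic plugin. With the classic boot method presumably no `linux.efi` is deployed, so the .swu build would fail or the package would no longer match the layout on the target. The same literal is also repeated in sw-description.tmpl and swupdate.handler.efibootguard.ini. Consider a single variable for the name (suggested name only: `SWU_KERNEL_IMAGE ?= "linux.efi"`) and a comment that swupdate.inc requires the unified kernel image.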
diff --git a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
index 3aee76c..b5e8070 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/swupdate.handler.efibootguard.ini
@@ -2,25 +2,15 @@ 
 chainhandler=raw
 
 [image.selector]
-method=cmdline_rr
+method=getroot_rr
 key=root
 
-[image.bootenv]
-kernelparams=root=PARTUUID=${rrtarget} ${cmdline_root}
-
 [kernel]
 chainhandler=rawfile
 
 [kernel.selector]
-method=cmdline_rrmap
+method=getroot_rrmap
 key=root
 
 [kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:vmlinuz
-
-[initrd]
-chainhandler=rawfile
-
-[initrd.selector]
-method=cmdline_rrmap
-key=root
+kernelfile=C:BOOT${rrindex}:linux.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 98a327c..4291dc2 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -78,15 +78,13 @@  class EfibootguardBootPlugin(SourcePlugin):
             efibootguard in local.conf with WDOG_TIMEOUT=")
             exit(1)
 
-
         boot_files = source_params.get("files", "").split(' ')
-        uefi_kernel = source_params.get("unified-kernel")
+        unified_kernel = source_params.get("unified-kernel") or 'y'
         cmdline = bootloader.append
-        if uefi_kernel:
+        if unified_kernel == 'y':
             boot_image = cls._create_unified_kernel_image(rootfs_dir,
                                                           cr_workdir,
                                                           cmdline,
-                                                          uefi_kernel,
                                                           deploy_dir,
                                                           kernel_image,
                                                           initrd_image,
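Review bot: `if unified_kernel == 'y':` sends every value other than the exact string `y` to the classic boot path, so a typo such as `unified-kernel=yes` or `Y` silently builds a different boot layout. That matters for the secure-boot wks, which now relies on this default together with `signwith=`; whether the classic branch signs anything is not visible here, since it lies outside the hunk. Reject unknown values before branching, e.g. `if unified_kernel not in ('y', 'n'):` followed by the same error-and-`exit(1)` pattern used just above. A comment that an absent parameter means `y` would also help.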
@@ -174,8 +172,8 @@  class EfibootguardBootPlugin(SourcePlugin):
 
     @classmethod
     def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
-                                     uefi_kernel, deploy_dir, kernel_image,
-                                     initrd_image, source_params):
+                                     deploy_dir, kernel_image, initrd_image,
+                                     source_params):
         # we need to map the distro_arch to uefi values
         distro_to_efi_arch = {
             "amd64": "x64",
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
index dea99e8..18c879a 100644
--- a/wic/ebg-sysparts.inc
+++ b/wic/ebg-sysparts.inc
@@ -4,5 +4,5 @@ 
 part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active
 
 # EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1"
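Review bot: With `root=PARTUUID:...` dropped from both `--sourceparams`, nothing in this include tells the kernel which root partition to mount. That now appears to depend on `initramfs-abrootfs-hook`, which this patch adds only through kas/opt/ebg-swu.yml. An image that includes ebg-sysparts.inc without that kas option would presumably boot without a usable root. Document the dependency above the two lines, e.g. `# No root= here: the initramfs (initramfs-abrootfs-hook) selects the root partition`.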
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 72a6f8c..c47257b 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -2,8 +2,8 @@ 
 include ebg-signed-bootloader.inc
 
 # EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
-part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"
 
 part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
 part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"