From patchwork Fri Nov 12 11:50:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616671 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 675DFC433FE for ; Fri, 12 Nov 2021 11:50:22 +0000 (UTC) Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) by mx.groups.io with SMTP id smtpd.web10.14759.1636717821214977162 for ; Fri, 12 Nov 2021 03:50:21 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.28, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id 1ACBoIbW008769 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:18 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ACBoHAg023845; Fri, 12 Nov 2021 12:50:18 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 1/8] Add new class to create a squashfs based root file system Date: Fri, 12 Nov 2021 12:50:09 +0100 Message-Id: <20211112115017.401779-2-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:22 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6881 
From: Quirin Gylstorff This file system is read only and use a reduced image size. Signed-off-by: Quirin Gylstorff --- classes/squashfs-img.bbclass | 42 ++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 classes/squashfs-img.bbclass diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass new file mode 100644 index 0000000..f827e8c --- /dev/null +++ b/classes/squashfs-img.bbclass 
@@ -0,0 +1,42 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img" + +IMAGER_INSTALL += "squashfs-tools" + +SQUASHFS_EXCLUDE_DIRS ?= "" +SQUASHFS_CONTENT ?= "${PP_ROOTFS}" +SQUASHFS_CREATION_ARGS ?= " " +# Generate squashfs filesystem image +python __anonymous() { + exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split() + if len(exclude_directories) == 0: + return + args=d.getVar('SQUASHFS_CREATION_ARGS') + args+=" -wildcards" + # use wildcard to exclude only content of the the directory + # this allows to use the directory as a mount point + for dir in exclude_directories: + args+=" -e {dir}/* ".format(dir=dir) + d.setVar('SQUASHFS_CREATION_ARGS', args) +} + +do_squashfs_image() { + rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}' + + image_do_mounts + + sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \ + "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \ + ${SQUASHFS_CREATION_ARGS} +} +addtask do_squashfs_image before do_image after do_image_tools do_excl_directories From patchwork Fri Nov 12 11:50:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616685 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6FE3CC4167B for ; Fri, 12 Nov 2021 11:50:25 +0000 (UTC) Received: from thoth.sbs.de (thoth.sbs.de [192.35.17.2]) by mx.groups.io with SMTP id smtpd.web12.14460.1636717821616974626 for ; Fri, 12 Nov 2021 03:50:22 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.2, mailfrom: quirin.gylstorff@siemens.com) Received: from 
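Review bot: the `-e {dir}/*` patterns assembled in `__anonymous` reach the shell unquoted through `${SQUASHFS_CREATION_ARGS}` at the end of the mksquashfs line in `do_squashfs_image`, so `home/*` undergoes pathname expansion in the task's working directory before mksquashfs ever applies `-wildcards` to it; it happens to survive only when nothing in that directory matches. Escape the pattern (build the value as `-e 'home/*'` and `eval` it, or write the patterns to a file and pass `-ef`) so the exclusion is deterministic, because a silently un-excluded `var` or `home` means persistent state gets frozen into the read-only image. Also, `addtask do_squashfs_image before do_image after do_image_tools do_excl_directories` names a `do_excl_directories` task that no patch in this series adds; drop it or add the task. Minor: "the the directory" in the comment.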
mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by thoth.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ACBoIbF004111 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:19 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ACBoHAi023845; Fri, 12 Nov 2021 12:50:18 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 2/8] Add classes for dm-verity based rootfs Date: Fri, 12 Nov 2021 12:50:11 +0100 Message-Id: <20211112115017.401779-4-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:25 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6884 From: Quirin Gylstorff Add a bbclass to add dm-verity to a existing root file system partition. As we need the output of `veritysetup` to generate the initrd. Therefore do_verity_image must be called before wic generates the final disk image. Signed-off-by: Quirin Gylstorff --- classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++ classes/wic-verity-img.bbclass | 17 ++++++++ 2 files changed, 90 insertions(+) create mode 100644 classes/verity-img.bbclass create mode 100644 classes/wic-verity-img.bbclass diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass new file mode 100644 index 0000000..82159b3 --- /dev/null +++ b/classes/verity-img.bbclass 
@@ -0,0 +1,73 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# +IMAGER_INSTALL += "cryptsetup" + +VERITY_IMAGE_TYPE ?= "squashfs" +VERITY_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img" +VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" +VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata" +VERITY_HASH_BLOCK_SIZE ?= "1024" +VERITY_DATA_BLOCK_SIZE ?= "1024" + +create_verity_env_file() { + + local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.${VERITY_IMAGE_TYPE}.env" + rm -f $ENV + + local input="${WORKDIR}/${VERITY_IMAGE_METADATA}" + # remove header from verity meta data + sed -i '/VERITY header information for/d' $input + IFS=":" + while read KEY VAL; do + printf '%s=%s\n' \ + "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ + "$(echo "$VAL" | tr -d ' \t')" >> $ENV + done < $input +} + +verity_setup() { + rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} + rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} + + cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} + + image_do_mounts + sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \ + --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \ + --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \ + --data-blocks "${VERITY_DATA_BLOCKS}" \ + --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \ + "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \ + "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \ + >"${WORKDIR}/${VERITY_IMAGE_METADATA}" + + echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \ + >>"${WORKDIR}/${VERITY_IMAGE_METADATA}" +} + +do_verity_image[cleandirs] = "${WORKDIR}/verity" +python do_verity_image() { + import os + + image_file = os.path.join( + d.getVar("DEPLOY_DIR_IMAGE"), + d.getVar("VERITY_IMAGE") + ) + data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) + size = os.stat(image_file).st_size + assert size % data_block_size == 0, f"image is not well-sized!" 
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) + d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) + + bb.build.exec_func('verity_setup', d) + bb.build.exec_func('create_verity_env_file', d) +} +addtask verity_image before do_image after do_image_tools diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass new file mode 100644 index 0000000..e185cf8 --- /dev/null +++ b/classes/wic-verity-img.bbclass @@ -0,0 +1,17 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit squashfs-img +inherit verity-img +inherit wic-img + +addtask verity_image after do_squashfs_image +addtask do_wic_image after do_verity_image From patchwork Fri Nov 12 11:50:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616677 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 692CAC433EF for ; Fri, 12 Nov 2021 11:50:23 +0000 (UTC) Received: from thoth.sbs.de (thoth.sbs.de [192.35.17.2]) by mx.groups.io with SMTP id smtpd.web09.14720.1636717821491513940 for ; Fri, 12 Nov 2021 03:50:22 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.2, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by thoth.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ACBoJO6004116 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:19 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ACBoHAj023845; Fri, 12 Nov 2021 12:50:18 +0100 
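Review bot: `do_verity_image` only checks `size % data_block_size == 0`, but the same size is then passed as `--hash-offset`, which veritysetup requires to be aligned to the hash block size; with both defaults at 1024 the check covers it, but as soon as someone raises `VERITY_HASH_BLOCK_SIZE` (4096 is the common choice) the format step can fail without the earlier check noticing, so check `size % hash_block_size == 0` too, or pad the image to the larger of the two. Replace the `assert ..., f"image is not well-sized!"` with `bb.fatal()`: `assert` disappears under `python -O` and the f-string has no placeholders. In `create_verity_env_file`, `IFS=":"` is changed for the remainder of the function instead of scoped to the loop (`while IFS=: read KEY VAL; do`), and `do_verity_image[cleandirs] = "${WORKDIR}/verity"` names a directory nothing in the task uses.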
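Review bot: `addtask verity_image after do_squashfs_image` here and `addtask verity_image before do_image after do_image_tools` in verity-img.bbclass drop the `do_` prefix that `addtask do_squashfs_image` in patch 1/8 uses; BitBake tolerates both, but patch 5/8 of this same series already rewrites this line to `addtask do_verity_image after do_squashfs_image`, so fold that correction into this patch and use one spelling throughout. A one-line comment explaining the required order squashfs -> verity -> wic (the initrd needs the root hash from `do_verity_image` before wic can embed it, as the cover text says) would also help the next reader of this class.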
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 3/8] linux-cip-common: Add options necessary for dm-verity Date: Fri, 12 Nov 2021 12:50:12 +0100 Message-Id: <20211112115017.401779-5-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:23 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6883 From: Quirin Gylstorff CIP Kernel Config does not contain support for dm-verity squashfs. Overlay_FS support is added for etc-overlay. Signed-off-by: Quirin Gylstorff --- recipes-kernel/linux/files/verity.cfg | 5 +++++ recipes-kernel/linux/linux-cip-common.inc | 6 ++++++ 2 files changed, 11 insertions(+) create mode 100644 recipes-kernel/linux/files/verity.cfg diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg new file mode 100644 index 0000000..35d8208 --- /dev/null +++ b/recipes-kernel/linux/files/verity.cfg @@ -0,0 +1,5 @@ +CONFIG_BLK_DEV_DM=y +CONFIG_DM_VERITY=y +CONFIG_DM_CRYPT=y +CONFIG_SQUASHFS=y +CONFIG_OVERLAY_FS=y diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 1afec88..0792371 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc 
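Review bot: `CONFIG_DM_CRYPT=y` in verity.cfg is not mentioned in the commit message (dm-verity, squashfs, overlayfs) and nothing else in this series uses dm-crypt; either state why it is needed or drop it, since each option added here ends up in every kernel built from linux-cip-common.inc and widens its attack surface. Worth a comment as well: `CONFIG_BLK_DEV_DM=y` and `CONFIG_DM_VERITY=y` make these built-ins, so the `manual_add_modules dm_mod` / `dm_verity` calls in the initramfs hook of patch 4/8 will find nothing to copy; that is harmless, but someone reading the hook alone will assume the modules are loadable.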
@@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}" SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e" S = "${WORKDIR}/linux-cip-v${PV}" + +SRC_URI += "file://verity.cfg" + +do_prepare_build_prepend() { + cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG} +} From patchwork Fri Nov 12 11:50:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616673 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60326C433F5 for ; Fri, 12 Nov 2021 11:50:22 +0000 (UTC) Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by mx.groups.io with SMTP id smtpd.web12.14459.1636717821269380139 for ; Fri, 12 Nov 2021 03:50:21 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.14, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id 1ACBoJ7F006147 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:19 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ACBoHAk023845; Fri, 12 Nov 2021 12:50:19 +0100 
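Review bot: `do_prepare_build_prepend` appends verity.cfg to the defconfig with `cat >>` on every execution, so a re-run of `do_prepare_build` without a fresh unpack of `${WORKDIR}/${KERNEL_DEFCONFIG}` duplicates the five lines; make it idempotent, for example guard with `grep -q CONFIG_DM_VERITY ${WORKDIR}/${KERNEL_DEFCONFIG} ||` or regenerate the defconfig from its pristine copy each time. The addition is also unconditional: every image built against linux-cip-common.inc gets these options, not only `cip-core-image-read-only`; if that is the intent, say so in the commit message.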
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 4/8] Create a initrd with support for dm-verity Date: Fri, 12 Nov 2021 12:50:13 +0100 Message-Id: <20211112115017.401779-6-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:22 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6882 From: Quirin Gylstorff Adapt the initrd to open a dm-verity partition with a fixed root hash. Signed-off-by: Quirin Gylstorff --- .../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++ .../files/verity.conf-hook | 1 + .../initramfs-verity-hook/files/verity.hook | 23 +++++++ .../initramfs-verity-hook/files/verity.script | 68 +++++++++++++++++++ .../initramfs-verity-hook_0.1.bb | 39 +++++++++++ 5 files changed, 147 insertions(+) create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb new file mode 100644 index 0000000..825fb9f --- /dev/null +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb 
@@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit initramfs + +INITRAMFS_INSTALL += " \ + initramfs-verity-hook \ + " diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook new file mode 100644 index 0000000..9b61fb8 --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook @@ -0,0 +1 @@ +BUSYBOX=y diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook new file mode 100644 index 0000000..5eada8a --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook @@ -0,0 +1,23 @@ +#!/bin/sh +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +# Begin real processing below this line + +manual_add_modules dm_mod +manual_add_modules dm_verity + +copy_exec /sbin/veritysetup +copy_exec /sbin/dmsetup +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script b/recipes-initramfs/initramfs-verity-hook/files/verity.script new file mode 100644 index 0000000..a66b557 --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script 
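Review bot: verity.script (added later in this patch) depends on util-linux `blkid` options (`--list-one --output device --match-token`, `-p ... -s USAGE -o value`) that the busybox applet selected by `BUSYBOX=y` in verity.conf-hook does not implement, yet this hook copies only `veritysetup`, `dmsetup`, the cryptsetup functions library and `verity.env`; please verify that the util-linux blkid lands in the generated initrd and add a `copy_exec /sbin/blkid` here if it does not, otherwise the root-search path fails before any verification happens. Since `verity.env` carries the root hash the whole boot chain is pinned to, a comment that this initrd is only trustworthy when embedded in the signed unified kernel image (which the wks file in patch 5/8 arranges with `unified-kernel=y,signwith=...`) would document the assumption where it matters.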
@@ -0,0 +1,68 @@ +#!/bin/sh +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions +. /lib/cryptsetup/functions +. /usr/share/verity-env/verity.env +# Even if this script fails horribly, make sure there won't be a chance the +# current $ROOT will be attempted. As this device most likely contains a +# perfectly valid filesystem, it would be mounted successfully, leading to a +# broken trust chain. +echo "ROOT=/dev/null" >/conf/param.conf +wait_for_udev 10 +case "$ROOT" in + PART*) + # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching + # partition + ROOT=$(blkid --list-one --output device --match-token "$ROOT") + ;; + "") + # No Root device was given. Use veritysetup verify to search matching roots + partitions=$(blkid -o device) + for part in $partitions; do + if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then + if veritysetup verify \ + "$part" "$part" "${ROOT_HASH}" \ + --hash-offset "${HASH_OFFSET}";then + ROOT="$part" + break + fi + fi + done + ;; +esac +set -- "$ROOT" verityroot +if ! veritysetup open \ + --restart-on-corruption \ + --data-block-size "${DATA_BLOCK_SIZE}" \ + --hash-block-size "${HASH_BLOCK_SIZE}" \ + --data-blocks "${DATA_BLOCKS}" \ + --hash-offset "${HASH_OFFSET}" \ + --salt "${SALT}" \ + "$1" "$2" "$1" "${ROOT_HASH}"; then + panic "Can't open verity rootfs!" +fi + +wait_for_udev 10 + +if ! ROOT="$(dm_blkdevname verityroot)"; then + panic "Can't find the verity root device!" +fi + +echo "ROOT=${ROOT}" >/conf/param.conf diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb new file mode 100644 index 0000000..e067a22 
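Review bot: in the `""` case the script probes every filesystem partition and takes the first one for which `veritysetup verify` against `${ROOT_HASH}` succeeds; with two identical rootfs slots (patch 5/8 copies the same image to both) that is simply the first slot, and after an A/B update the slot is chosen purely by which one matches the hash baked into this initrd. That is sound, because a wrong or tampered slot cannot pass the fixed hash, but it deserves a comment, and when the loop finds nothing the script should `panic` right there instead of falling through `set -- "$ROOT" verityroot` into `veritysetup open "" verityroot "" ...`, whose error message will not say what actually went wrong. Two smaller points: `script=` in `prereqs()` is not declared `local` like `req`, and since the mapping is opened with `--restart-on-corruption`, the commit message should state that a corrupted block reboots the device rather than returning an I/O error, which is the intended fail-closed behaviour but surprises people debugging a bad flash.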
--- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb 
@@ -0,0 +1,39 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://verity.conf-hook \ + file://verity.hook \ + file://verity.script \ + " + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup" + +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only" +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.${VERITY_IMAGE_TYPE}.env" +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image" +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/verity-env \ + ${D}/usr/share/initramfs-tools/scripts/local-top \ + ${D}/usr/share/initramfs-tools/conf-hooks.d" +do_install() { + # Insert the veritysetup commandline into the script + if [ -f "${VERITY_ENV_FILE}" ]; then + install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env" + install -m 0755 "${WORKDIR}/verity.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-top/verity" + fi + install -m 0755 "${WORKDIR}/verity.hook" \ + "${D}/usr/share/initramfs-tools/hooks/verity" +} From patchwork Fri Nov 12 11:50:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616679 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 409EBC4332F for ; Fri, 12 Nov 2021 11:50:23 +0000 (UTC) Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) by mx.groups.io with SMTP id smtpd.web10.14761.1636717821913071647 for ; Fri, 12 Nov 2021 03:50:22 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.28, mailfrom: quirin.gylstorff@siemens.com) Received: 
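Review bot: `do_install` silently skips `verity.script` and `verity.env` when `${VERITY_ENV_FILE}` is absent, which yields a hook-only initrd that boots the root filesystem with no verity check at all; since `do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image"` already guarantees the file should exist, turn the missing file into a hard error (`bbfatal`) rather than a quiet downgrade. `VERITY_ENV_FILE` also expands `${VERITY_IMAGE_TYPE}`, which this recipe neither defines nor inherits from verity-img.bbclass; it only resolves because kas/opt/verity.yml in patch 5/8 sets it in local.conf, so add `VERITY_IMAGE_TYPE ?= "squashfs"` here. Finally, `verity.conf-hook` is fetched and `${D}/usr/share/initramfs-tools/conf-hooks.d` is listed in `cleandirs`, but the file is never installed, so `BUSYBOX=y` currently has no effect.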
from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id 1ACBoJOH008795 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:19 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ACBoHAl023845; Fri, 12 Nov 2021 12:50:19 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 5/8] Create an read-only rootfs with dm-verity Date: Fri, 12 Nov 2021 12:50:14 +0100 Message-Id: <20211112115017.401779-7-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:23 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6886 From: Quirin Gylstorff This root file system supports SWUpdate and secure boot. We need a writable /tmp and /var for a boot without error messages. Signed-off-by: Quirin Gylstorff --- classes/wic-verity-img.bbclass | 8 ++++- kas/opt/verity.yml | 34 +++++++++++++++++++ .../images/cip-core-image-read-only.bb | 24 +++++++++++++ recipes-core/tmp-fs/files/postinst | 3 ++ recipes-core/tmp-fs/files/tmp.mount | 11 ++++++ recipes-core/tmp-fs/tmp-fs_0.1.bb | 9 +++++ wic/qemu-amd64-read-only.wks.in | 13 +++++++ 7 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 kas/opt/verity.yml create mode 100644 recipes-core/images/cip-core-image-read-only.bb create mode 100755 recipes-core/tmp-fs/files/postinst create mode 100644 recipes-core/tmp-fs/files/tmp.mount create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb create mode 100644 wic/qemu-amd64-read-only.wks.in 
diff --git a/classes/wic-verity-img.bbclass b/classes/wic-verity-img.bbclass index e185cf8..9b8a79e 100644 --- a/classes/wic-verity-img.bbclass +++ b/classes/wic-verity-img.bbclass @@ -12,6 +12,12 @@ inherit squashfs-img inherit verity-img inherit wic-img +inherit extract-partition +inherit swupdate-img -addtask verity_image after do_squashfs_image +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}" + +addtask do_verity_image after do_squashfs_image addtask do_wic_image after do_verity_image +addtask do_extract_partition after do_wic_image +addtask do_swupdate_image after do_extract_partition diff --git a/kas/opt/verity.yml b/kas/opt/verity.yml new file mode 100644 index 0000000..088f44a --- /dev/null +++ b/kas/opt/verity.yml @@ -0,0 +1,34 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2020 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# +# This kas file creates a image with a read-only rootfs +# and secure-boot + +header: + version: 10 + includes: + - efibootguard.yml + +target: cip-core-image-read-only + +local_conf_header: + verity-img: | + IMAGE_TYPE = "wic-verity-img" + WKS_FILE = "${MACHINE}-read-only.wks.in" + VERITY_IMAGE_TYPE = "squashfs" + swupdate: | + IMAGE_INSTALL_append = " swupdate" + IMAGE_INSTALL_append = " swupdate-handler-roundrobin" + SWU_DESCRIPTION = "secureboot" + SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini" + secure-boot: | + # Add snakeoil and ovmf binaries for qemu + IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries" + IMAGER_INSTALL += "ebg-secure-boot-snakeoil" diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb new file mode 100644 index 0000000..24ace3c --- /dev/null +++ b/recipes-core/images/cip-core-image-read-only.bb 
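Review bot: the `-addtask verity_image after do_squashfs_image` / `+addtask do_verity_image after do_squashfs_image` lines fix the task spelling introduced by patch 2/8; squash that into patch 2/8 so the series bisects cleanly and this patch contains only the extract-partition/swupdate wiring. `SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"` uses `=` where `?=` would let a recipe or local.conf override it, and with `do_swupdate_image` now chained after `do_extract_partition` the commit message should say which partition of the wic image is extracted into the .swu, since that is the artefact an updater will later write over one of the verity slots.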
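Review bot: the `secure-boot` section adds `ebg-secure-boot-snakeoil` unconditionally although its own comment scopes it to qemu; snakeoil keys are by definition not secret, so an image built from this kas file with a real `MACHINE` would be signed with keys anyone can reproduce. Move those two lines into a qemu-only include (or name this file so its test-only nature is obvious) and state in the header comment that production builds must supply their own signing keys. Minor: the copyright line says 2020 while the rest of the series says 2021, and "creates a image" should read "creates an image".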
@@ -0,0 +1,24 @@ +require cip-core-image.bb + +INITRAMFS_RECIPE = "cip-core-initramfs" +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" + +SQUASHFS_EXCLUDE_DIRS += "home var" + +IMAGE_INSTALL += "tmp-fs" +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" + +image_configure_fstab() { + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF +# Begin /etc/fstab +/dev/root / auto defaults,ro 0 0 +LABEL=var /var auto defaults 0 0 +proc /proc proc nosuid,noexec,nodev 0 0 +sysfs /sys sysfs nosuid,noexec,nodev 0 0 +devpts /dev/pts devpts gid=5,mode=620 0 0 +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0 +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 +# End /etc/fstab +EOF +} diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst new file mode 100755 index 0000000..07017fd --- /dev/null +++ b/recipes-core/tmp-fs/files/postinst @@ -0,0 +1,3 @@ +#!/bin/sh + +deb-systemd-helper enable tmp.mount || true diff --git a/recipes-core/tmp-fs/files/tmp.mount b/recipes-core/tmp-fs/files/tmp.mount new file mode 100644 index 0000000..7a31ed6 --- /dev/null +++ b/recipes-core/tmp-fs/files/tmp.mount @@ -0,0 +1,11 @@ +[Unit] +Description=Create /tmp + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +Options=nodev,nosuid,size=500M,mode=755 + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb new file mode 100644 index 0000000..4e0c467 --- /dev/null +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb @@ -0,0 +1,9 @@ +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://tmp.mount" + +do_install[cleandirs]+="${D}/lib/systemd/system" +do_install() { + install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount +} diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in new file mode 100644 index 0000000..c4ea0c8 --- /dev/null +++ b/wic/qemu-amd64-read-only.wks.in 
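Review bot: in `image_configure_fstab`, `LABEL=var /var auto defaults 0 0` mounts the only persistent writable filesystem left after `/` moves onto dm-verity with plain `defaults`, while the other writable mounts in the same fstab carry `nodev,nosuid`; give `/var` at least `nodev,nosuid` too (add `noexec` only if nothing under /var needs to execute), because an unverified writable partition is exactly where local persistence would be attempted. `SQUASHFS_EXCLUDE_DIRS += "home var"` drops /home from the squashfs, yet neither this fstab nor the wks file provides a /home mount, so it becomes an empty directory on the read-only root; remove it from the list or mount something there. Also `IMAGE_INSTALL_remove += "..."` mixes the `_remove` operator with `+=`; the usual form is `IMAGE_INSTALL_remove = "initramfs-abrootfs-secureboot"`.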
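Review bot: `Options=nodev,nosuid,size=500M,mode=755` in tmp.mount makes /tmp writable by root only; /tmp needs the sticky world-writable mode (`mode=1777`), otherwise every unprivileged service and user that relies on it fails, which works against the commit message's goal of a boot without error messages. `mode=755` is correct for `/run` in the fstab of this same patch, but not for /tmp.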
@@ -0,0 +1,13 @@ +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" + +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" + +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" From patchwork Fri Nov 12 11:50:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616687 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C24BC433F5 for ; Fri, 12 Nov 2021 11:50:25 +0000 (UTC) Received: from lizzard.sbs.de (lizzard.sbs.de [194.138.37.39]) by mx.groups.io with SMTP id 
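Review bot: the `bootloader --append` line ends in `rootwait rw earlyprintk`, but the verity root is a squashfs that the initrd maps read-only, so `rw` is misleading and should be `ro` to match `/dev/root / auto defaults,ro` in the fstab; `earlyprintk` is a debugging aid that should not ship in a secure-boot image profile. There is no `root=` argument either, which means the empty-`$ROOT` branch of verity.script (scan all partitions for a matching root hash) is the one actually exercised and is what selects between the two `rawcopy` slots; a comment here should say so, since nothing else ties the wks to that behaviour. Both slots are `--fixed-size 1G` while nothing before the wic step checks that the squashfs plus its hash tree fits, so a size check in `do_verity_image` would give a much earlier and clearer error.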
smtpd.web09.14721.1636717823604269922 for ; Fri, 12 Nov 2021 03:50:24 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.39, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ACBoJeS028340 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:19 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ACBoHAm023845; Fri, 12 Nov 2021 12:50:19 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 6/8] Create systemd mount units for a etc overlay Date: Fri, 12 Nov 2021 12:50:15 +0100 Message-Id: <20211112115017.401779-8-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:25 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6887 From: Quirin Gylstorff As /etc is read-only and needs to be accessed by the initrd move the user defined settings to a overlay in /var/local/etc. 
Signed-off-by: Quirin Gylstorff --- .../etc-overlay-fs/etc-overlay-fs_0.1.bb | 16 ++++++++++++++++ .../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++++++++ .../etc-overlay-fs/files/etc-sysusers.service | 14 ++++++++++++++ recipes-core/etc-overlay-fs/files/etc.mount | 13 +++++++++++++ .../files/overlay-parse-etc.service | 12 ++++++++++++ recipes-core/etc-overlay-fs/files/postinst | 6 ++++++ recipes-core/images/cip-core-image-read-only.bb | 1 + 7 files changed, 76 insertions(+) create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.service create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount create mode 100644 recipes-core/etc-overlay-fs/files/overlay-parse-etc.service create mode 100755 recipes-core/etc-overlay-fs/files/postinst diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb new file mode 100644 index 0000000..f1c8349 --- /dev/null +++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb @@ -0,0 +1,16 @@ +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://etc.mount \ + file://overlay-parse-etc.service \ + file://etc-hostname.service \ + file://etc-sysusers.service" + +do_install[cleandirs]+="${D}/lib/systemd/system ${D}/var/local/etc ${D}/var/local/.atomic" +do_install() { + TARGET=${D}/lib/systemd/system + install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount + install -m 0644 ${WORKDIR}/overlay-parse-etc.service ${TARGET}/overlay-parse-etc.service + install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service + install -m 0644 ${WORKDIR}/etc-sysusers.service ${TARGET}/etc-sysusers.service +} diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service new file mode 100644 index 0000000..2306b9f --- /dev/null 
+++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service @@ -0,0 +1,14 @@ +[Unit] +Description=set hostname /etc overlay-aware +Before=network-pre.target +Wants=network-pre.target +Requires=etc.mount +After=etc.mount + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/hostname --boot --file /etc/hostname + +[Install] +WantedBy=basic.target diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.service b/recipes-core/etc-overlay-fs/files/etc-sysusers.service new file mode 100644 index 0000000..6caf6b0 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.service @@ -0,0 +1,14 @@ +[Unit] +Description=make systemd-sysusers /etc overlay aware +Before=network-pre.target +Wants=network-pre.target +Requires=etc.mount +After=etc.mount + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/systemd-sysusers + +[Install] +WantedBy=basic.target diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount new file mode 100644 index 0000000..f0ae3c5 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc.mount @@ -0,0 +1,13 @@ +[Unit] +Description=Overlay-mount /etc +Requires=var.mount +After=var.mount + +[Mount] +What=overlay +Where=/etc +Type=overlay +Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service new file mode 100644 index 0000000..062bb40 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/overlay-parse-etc.service @@ -0,0 +1,12 @@ +[Unit] +Description=Reload Configuration from the etc overlay +Requires=etc.mount +After=etc.mount + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStartPre=!/bin/systemctl daemon-reload +ExecStart=!/bin/systemctl --no-block isolate multi-user.target +[Install] +WantedBy=local-fs.target 
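Review bot: `noauto,x-systemd.automount` in the `Options=` line of etc.mount has no effect in a native mount unit: both are fstab-only directives (automount behaviour needs a separate `etc.automount` unit) and the unit is enabled through `WantedBy=local-fs.target` by postinst anyway, so either drop them or add the automount unit they hint at. More important for the trust model: the overlay places a writable, unverified upperdir from `/var/local/etc` over the dm-verity protected `/etc`, so any file under /etc (passwd, sudoers, unit files) can be shadowed from the unverified partition; that is inherent to what the commit message asks for, but it should be stated explicitly there so that what dm-verity does and does not guarantee on this image is clear.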
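Review bot: `ExecStart=!/bin/systemctl --no-block isolate multi-user.target` in overlay-parse-etc.service re-targets the whole boot from a unit pulled in by `local-fs.target`; `isolate` stops every unit outside the dependency tree of multi-user.target and overrides whatever default target the image was configured with. If the aim is only to pick up unit files and settings from the overlay, `daemon-reload` followed by explicitly starting the affected units is safer; at minimum the commit message should explain why isolate is needed. The `!` prefix only matters when `User=` is set, and a blank line is missing before `[Install]`.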
diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst new file mode 100755 index 0000000..35641af --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/postinst @@ -0,0 +1,6 @@ +#!/bin/sh + +deb-systemd-helper enable etc.mount || true +deb-systemd-helper enable overlay-parse-etc.service || true +deb-systemd-helper enable etc-hostname.service || true +deb-systemd-helper enable etc-sysusers.service || true diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb index 24ace3c..6e2a40a 100644 --- a/recipes-core/images/cip-core-image-read-only.bb +++ b/recipes-core/images/cip-core-image-read-only.bb 
@@ -6,6 +6,7 @@ do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" SQUASHFS_EXCLUDE_DIRS += "home var" +IMAGE_INSTALL += "etc-overlay-fs" IMAGE_INSTALL += "tmp-fs" IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" From patchwork Fri Nov 12 11:50:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616675 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5D73BC43217 for ; Fri, 12 Nov 2021 11:50:23 +0000 (UTC) Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) by mx.groups.io with SMTP id smtpd.web10.14760.1636717821645501312 for ; Fri, 12 Nov 2021 03:50:22 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.40, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ACBoKGj016852 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:20 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ACBoHAn023845; Fri, 12 Nov 2021 12:50:19 +0100 
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 7/8] Mount writable home partition Date: Fri, 12 Nov 2021 12:50:16 +0100 Message-Id: <20211112115017.401779-9-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:23 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6885 From: Quirin Gylstorff Add an example of how to add a writable home partition Signed-off-by: Quirin Gylstorff --- recipes-core/home-fs/files/home.mount | 11 +++++++++++ recipes-core/home-fs/files/postinst | 3 +++ recipes-core/home-fs/home-fs_0.1.bb | 10 ++++++++++ recipes-core/images/cip-core-image-read-only.bb | 1 + wic/qemu-amd64-read-only.wks.in | 2 ++ 5 files changed, 27 insertions(+) create mode 100644 recipes-core/home-fs/files/home.mount create mode 100755 recipes-core/home-fs/files/postinst create mode 100644 recipes-core/home-fs/home-fs_0.1.bb diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount new file mode 100644 index 0000000..31272a0 --- /dev/null +++ b/recipes-core/home-fs/files/home.mount @@ -0,0 +1,11 @@ +[Unit] +Description=Mount /home partition + +[Mount] +What=/dev/disk/by-partlabel/home +Where=/home +Type=auto +Options=defaults + +[Install] +WantedBy=local-fs.target \ No newline at end of file diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst new file mode 100755 index 0000000..f6184d6 --- /dev/null +++ b/recipes-core/home-fs/files/postinst @@ -0,0 +1,3 @@ +#!/bin/sh + +deb-systemd-helper enable home.mount || true 
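Review bot: home.mount mounts the only persistent, user-writable partition of a read-only image with Options=defaults; on a dm-verity protected root, `nosuid,nodev` (and `noexec` if nothing in /home has to be executed) keeps that partition from becoming a place for setuid binaries or device nodes, so consider `Options=defaults,nosuid,nodev`. Also, What=/dev/disk/by-partlabel/home depends on the GPT partition name, while the wks change in this patch passes `--label home`, which in wic sets the filesystem label; verify that the partition name is set as well, otherwise mount via /dev/disk/by-label/home or pin the partition with `--uuid` (and What=/dev/disk/by-partuuid/...) as the two rootfs partitions in the same wks file do.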
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb new file mode 100644 index 0000000..c2b31c1 --- /dev/null +++ b/recipes-core/home-fs/home-fs_0.1.bb @@ -0,0 +1,10 @@ +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://home.mount" + +do_install[cleandirs]+="${D}/lib/systemd/system" +do_install() { + install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount + +} \ No newline at end of file diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb index 6e2a40a..4853571 100644 --- a/recipes-core/images/cip-core-image-read-only.bb +++ b/recipes-core/images/cip-core-image-read-only.bb @@ -7,6 +7,7 @@ do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" SQUASHFS_EXCLUDE_DIRS += "home var" IMAGE_INSTALL += "etc-overlay-fs" +IMAGE_INSTALL += "home-fs" IMAGE_INSTALL += "tmp-fs" IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" diff --git a/wic/qemu-amd64-read-only.wks.in b/wic/qemu-amd64-read-only.wks.in index c4ea0c8..81fd4fe 100644 --- a/wic/qemu-amd64-read-only.wks.in +++ b/wic/qemu-amd64-read-only.wks.in 
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +# home and var are extra partitions +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" From patchwork Fri Nov 12 11:50:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 12616683 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40A57C43219 for ; Fri, 12 Nov 2021 11:50:25 +0000 (UTC) Received: from lizzard.sbs.de (lizzard.sbs.de [194.138.37.39]) by mx.groups.io with SMTP id smtpd.web11.14653.1636717823604257984 for ; Fri, 12 Nov 2021 03:50:24 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.39, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ACBoK1A028348 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 12 Nov 2021 12:50:20 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.150]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 
1ACBoHAo023845; Fri, 12 Nov 2021 12:50:20 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Subject: [cip-dev][isar-cip-core][RFC 8/8] swupdate: Backport patches from SWUpdate Master Date: Fri, 12 Nov 2021 12:50:17 +0100 Message-Id: <20211112115017.401779-10-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> References: <20211112115017.401779-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Nov 2021 11:50:25 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6889 From: Quirin Gylstorff Backport the following patches to detect the correct partition to update. 388f1777 util: Add get_root source /proc/self/mountinfo 3914d2b7 util: Extend get_root to find LUKS devices Signed-off-by: Quirin Gylstorff --- .../0001-add-patches-for-dm-verity.patch | 188 ++++++++++++++++++ .../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 + 2 files changed, 193 insertions(+) create mode 100644 recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch diff --git a/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch new file mode 100644 index 0000000..f143207 --- /dev/null +++ b/recipes-core/swupdate/files/0001-add-patches-for-dm-verity.patch 
@@ -0,0 +1,188 @@ +From 4650883c2ffc4ed9e479e1eefdce044067c7de0b Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff +Date: Mon, 25 Oct 2021 14:43:07 +0200 +Subject: [PATCH] add patches for dm-verity + +Signed-off-by: Quirin Gylstorff +--- + ...d-get_root-source-proc-self-mountinfo.diff | 68 +++++++++++++++ + ...-Extend-get_root-to-find-LUKS-devices.diff | 83 +++++++++++++++++++ + debian/patches/series | 2 + + 3 files changed, 153 insertions(+) + create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff + create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff + +diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff +new file mode 100644 +index 0000000..5db0e61 +--- /dev/null ++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff +@@ -0,0 +1,68 @@ ++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001 ++From: Christian Storm ++Date: Thu, 10 Jun 2021 00:30:24 +0200 ++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo ++ ++Filesystems such as BTRFS report synthetic device major:minor ++numbers in stat(2)'s st_dev value. Hence, such a root filesystem ++won't be found by get_root_from_partitions(). ++ ++As /proc/self/mountinfo's information is subject to mount- ++namespacing, it complements get_root_from_partitions() rather ++than replacing it. ++ ++Signed-off-by: Christian Storm ++Signed-off-by: Quirin Gylstorff ++--- ++ core/util.c | 28 ++++++++++++++++++++++++++++ ++ 1 file changed, 28 insertions(+) ++ ++diff --git a/core/util.c b/core/util.c ++index 7d7673a..51a16b6 100644 ++--- a/core/util.c +++++ b/core/util.c ++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void) ++ return NULL; ++ } ++ +++/* +++ * Return the rootfs's device name from /proc/self/mountinfo. 
+++ * Needed for filesystems having synthetic stat(2) st_dev +++ * values such as BTRFS. +++ */ +++static char *get_root_from_mountinfo(void) +++{ +++ char *mnt_point, *device = NULL; +++ FILE *fp = fopen("/proc/self/mountinfo", "r"); +++ while (fp && !feof(fp)){ +++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */ +++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s", +++ &mnt_point, &device) == 2) { +++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) { +++ free(mnt_point); +++ break; +++ } +++ free(mnt_point); +++ free(device); +++ } +++ device = NULL; +++ } +++ (void)fclose(fp); +++ return device; +++} +++ ++ #define MAX_CMDLINE_LENGTH 4096 ++ static char *get_root_from_cmdline(void) ++ { ++@@ -936,6 +962,8 @@ char *get_root_device(void) ++ root = get_root_from_partitions(); ++ if (!root) ++ root = get_root_from_cmdline(); +++ if (!root) +++ root = get_root_from_mountinfo(); ++ ++ return root; ++ } ++-- ++2.30.2 ++ +diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff +new file mode 100644 +index 0000000..a62d59c +--- /dev/null ++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff +@@ -0,0 +1,83 @@ ++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001 ++From: Stefano Babic ++Date: Thu, 10 Jun 2021 16:14:44 +0200 ++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices ++ ++This helps in case of encrypted filesystem or device mapper. ++The returned device read from partitions is usually a dm-X device and ++this does not show which is the block device that contains it. Look in ++sysfs and check if the device has "slaves" entries, indicating the ++presence of an underlying device. If found, return this instead of the ++device returned parsing /proc/partitions. 
++ ++Signed-off-by: Stefano Babic ++Signed-off-by: Quirin Gylstorff ++--- ++ core/util.c | 26 ++++++++++++++++++++++++-- ++ 1 file changed, 24 insertions(+), 2 deletions(-) ++ ++diff --git a/core/util.c b/core/util.c ++index 51a16b6..3b81c09 100644 ++--- a/core/util.c +++++ b/core/util.c ++@@ -24,6 +24,7 @@ ++ #include ++ #include ++ #include +++#include ++ ++ #if defined(__linux__) ++ #include ++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src) ++ /* ++ * This returns the device name where rootfs is mounted ++ */ +++ +++static int filter_slave(const struct dirent *ent) { +++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, "..")); +++} ++ static char *get_root_from_partitions(void) ++ { ++ struct stat info; ++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void) ++ char *devname = NULL; ++ unsigned long major, minor, nblocks; ++ char buf[256]; ++- int ret; +++ int ret, dev_major, dev_minor, n; +++ struct dirent **devlist = NULL; ++ ++ if (stat("/", &info) < 0) ++ return NULL; ++ +++ dev_major = info.st_dev / 256; +++ dev_minor = info.st_dev % 256; +++ +++ /* +++ * Check if this is just a container, for example in case of LUKS +++ * Search if the device has slaves pointing to another device +++ */ +++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor); +++ n = scandir(buf, &devlist, filter_slave, NULL); +++ if (n == 1) { +++ devname = strdup(devlist[0]->d_name); +++ free(devlist); +++ return devname; +++ } +++ free(devlist); +++ ++ fp = fopen("/proc/partitions", "r"); ++ if (!fp) ++ return NULL; ++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void) ++ &major, &minor, &nblocks, &devname); ++ if (ret != 4) ++ continue; ++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) { +++ if ((major == dev_major) && (minor == dev_minor)) { ++ fclose(fp); ++ return devname; ++ } ++-- ++2.30.2 ++ +diff --git a/debian/patches/series b/debian/patches/series +index 
8c5564a..f3bd00e 100644 +--- a/debian/patches/series ++++ b/debian/patches/series +@@ -1 +1,3 @@ + use-gcc-compiler.diff ++0002-util-Extend-get_root-to-find-LUKS-devices.diff ++0001-util-Add-get_root-source-proc-self-mountinfo.diff +-- +2.30.2 + diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb index 7a0fb9b..90854a4 100644 --- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb +++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb @@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \ file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \ file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch" +# Patch for dm-verity based images - can be removed with SWUpdate 2021.10 +SRC_URI += "file://0001-add-patches-for-dm-verity.patch" + +# end patching for dm-verity based images + # deactivate signing and encryption for simple a/b rootfs update SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
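Review bot: debian/patches/series lists 0002-util-Extend-get_root-to-find-LUKS-devices.diff before 0001-util-Add-get_root-source-proc-self-mountinfo.diff, but the LUKS patch's index line (`51a16b6..3b81c09`) is against the tree produced by the mountinfo patch (`7d7673a..51a16b6`), and the upstream commits named in the commit message (388f1777, then 3914d2b7) were applied in that order as well. Swap the two lines so the patches apply at their recorded offsets rather than relying on patch's offset/fuzz handling.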
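Review bot: in the backported get_root_from_mountinfo() (0001-util-Add-get_root-source-proc-self-mountinfo.diff), the fscanf format `%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s` assumes there are no optional fields between the mount options and the `-` separator, but /proc/self/mountinfo carries them on most systemd systems (for example `shared:1` on the root mount). On such a line `%*[-]` fails, fscanf returns 1, the already-allocated mnt_point leaks, and the stream is left in the middle of the line, so the following iterations parse from a wrong position and the root device is not found on exactly the systems this fallback is meant to serve. In addition, `(void)fclose(fp)` is reached with fp == NULL when fopen fails. Since this is an upstream backport, either carry a fix for both (read lines with getline(3), split at " - ", and guard the fclose) or note in the commit message that the mountinfo fallback does not handle optional fields yet.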
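Review bot: in the backported get_root_from_partitions() change (0002-util-Extend-get_root-to-find-LUKS-devices.diff), the slaves lookup only returns a result for exactly one entry (`if (n == 1)`); a dm-verity root whose hash tree lives in a separate partition has two slaves and silently falls back to the dm-X name from /proc/partitions, which is the dm-verity case this backport targets, so the commit message should state that the hash tree must be appended to the data partition (as the single `.verity.img` rawcopy in the wks suggests) for the lookup to work. scandir(3) also allocates every entry: `free(devlist)` releases the array but not `devlist[0..n-1]`, which leak on each call. Finally, `info.st_dev / 256` and `% 256` are only correct for minor numbers below 256; major(3)/minor(3) from <sys/sysmacros.h> handle the full dev_t encoding.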