From patchwork Tue Nov 23 14:57:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634455 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4C573C4321E for ; Tue, 23 Nov 2021 14:57:53 +0000 (UTC) Received: from lizzard.sbs.de (lizzard.sbs.de [194.138.37.39]) by mx.groups.io with SMTP id smtpd.web12.12315.1637679471127139827 for ; Tue, 23 Nov 2021 06:57:51 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.39, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ANEvmB4006889 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:49 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvlcu005894; Tue, 23 Nov 2021 15:57:48 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 1/9] Add new class to create a squashfs based root file system Date: Tue, 23 Nov 2021 15:57:39 +0100 Message-Id: <20211123145747.101549-2-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:53 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6969 
From: Quirin Gylstorff This file system is read-only and uses a reduced image size. Signed-off-by: Quirin Gylstorff --- classes/squashfs-img.bbclass | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 classes/squashfs-img.bbclass diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass new file mode 100644 index 0000000..0fcfca5 --- /dev/null +++ b/classes/squashfs-img.bbclass 
@@ -0,0 +1,41 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +SQUASHFS_IMAGE_FILE = "${IMAGE_FULLNAME}.squashfs.img" + +IMAGER_INSTALL += "squashfs-tools" + +SQUASHFS_EXCLUDE_DIRS ?= "" +SQUASHFS_CONTENT ?= "${PP_ROOTFS}" +SQUASHFS_CREATION_ARGS ?= " " +# Generate squashfs filesystem image +python __anonymous() { + exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split() + if len(exclude_directories) == 0: + return + # use wildcard to exclude only content of the the directory + # this allows to use the directory as a mount point + args = " -wildcards" + for dir in exclude_directories: + args += " -e {dir}/* ".format(dir=dir) + d.appendVar('SQUASHFS_CREATION_ARGS', args) +} + +do_squashfs_image() { + rm -f '${DEPLOY_DIR_IMAGE}/${SQUASHFS_IMAGE_FILE}' + + image_do_mounts + + sudo chroot "${BUILDCHROOT_DIR}" /bin/mksquashfs \ + "${SQUASHFS_CONTENT}" "${PP_DEPLOY}/${SQUASHFS_IMAGE_FILE}" \ + ${SQUASHFS_CREATION_ARGS} +} +addtask do_squashfs_image before do_image after do_image_tools do_excl_directories From patchwork Tue Nov 23 14:57:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634451 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1734BC4332F for ; Tue, 23 Nov 2021 14:57:53 +0000 (UTC) Received: from lizzard.sbs.de (lizzard.sbs.de [194.138.37.39]) by mx.groups.io with SMTP id smtpd.web11.12060.1637679471416274861 for ; Tue, 23 Nov 2021 06:57:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.39, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de 
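Review bot: `addtask do_squashfs_image before do_image after do_image_tools do_excl_directories` orders the task after `do_excl_directories`, which this patch does not define; if that task is not provided by another class the ordering constraint is silently meaningless, so either define it here or drop it from the `addtask` line. The anonymous Python always appends the `-wildcards -e <dir>/*` excludes to `SQUASHFS_CREATION_ARGS`, including when a user overrides that variable in local.conf; that is the sensible behaviour, but worth a comment next to `SQUASHFS_CREATION_ARGS ?= " "`. Minor: the comment reads "the the directory".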
[192.129.41.66]) by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ANEvmt4006892 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:49 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvlcv005894; Tue, 23 Nov 2021 15:57:48 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 2/9] Add verity-img.bbclass for dm-verity based rootfs Date: Tue, 23 Nov 2021 15:57:40 +0100 Message-Id: <20211123145747.101549-3-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:53 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6971 From: Quirin Gylstorff We need the output of `veritysetup` to generate the initrd. Therefore do_verity_image must be called before wic generates the final disk image. Signed-off-by: Quirin Gylstorff --- classes/verity-img.bbclass | 73 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 classes/verity-img.bbclass diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass new file mode 100644 index 0000000..3c94643 --- /dev/null +++ b/classes/verity-img.bbclass 
@@ -0,0 +1,73 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# +IMAGER_INSTALL += "cryptsetup" + +VERITY_IMAGE_TYPE ?= "squashfs" +VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img" +VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" +VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata" +VERITY_HASH_BLOCK_SIZE ?= "1024" +VERITY_DATA_BLOCK_SIZE ?= "1024" + +create_verity_env_file() { + + local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env" + rm -f $ENV + + local input="${WORKDIR}/${VERITY_IMAGE_METADATA}" + # remove header from verity meta data + sed -i '/VERITY header information for/d' $input + IFS=":" + while read KEY VAL; do + printf '%s=%s\n' \ + "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ + "$(echo "$VAL" | tr -d ' \t')" >> $ENV + done < $input +} + +verity_setup() { + rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} + rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} + + cp -a ${DEPLOY_DIR_IMAGE}/${VERITY_INPUT_IMAGE} ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} + + image_do_mounts + sudo chroot "${BUILDCHROOT_DIR}" /sbin/veritysetup format \ + --hash-block-size "${VERITY_HASH_BLOCK_SIZE}" \ + --data-block-size "${VERITY_DATA_BLOCK_SIZE}" \ + --data-blocks "${VERITY_DATA_BLOCKS}" \ + --hash-offset "${VERITY_INPUT_IMAGE_SIZE}" \ + "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \ + "${PP_DEPLOY}/${VERITY_OUTPUT_IMAGE}" \ + >"${WORKDIR}/${VERITY_IMAGE_METADATA}" + + echo "Hash offset: ${VERITY_INPUT_IMAGE_SIZE}" \ + >>"${WORKDIR}/${VERITY_IMAGE_METADATA}" +} + +do_verity_image[cleandirs] = "${WORKDIR}/verity" +python do_verity_image() { + import os + + image_file = os.path.join( + d.getVar("DEPLOY_DIR_IMAGE"), + d.getVar("VERITY_INPUT_IMAGE") + ) + data_block_size = int(d.getVar("VERITY_DATA_BLOCK_SIZE")) + size = os.stat(image_file).st_size + assert size % data_block_size == 0, f"image is not well-sized!" 
+ d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) + d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) + + bb.build.exec_func('verity_setup', d) + bb.build.exec_func('create_verity_env_file', d) +} +addtask verity_image before do_image after do_image_tools From patchwork Tue Nov 23 14:57:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634449 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40700C43219 for ; Tue, 23 Nov 2021 14:57:53 +0000 (UTC) Received: from thoth.sbs.de (thoth.sbs.de [192.35.17.2]) by mx.groups.io with SMTP id smtpd.web09.12287.1637679471205781441 for ; Tue, 23 Nov 2021 06:57:51 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.2, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by thoth.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ANEvnrs015802 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:49 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvlcw005894; Tue, 23 Nov 2021 15:57:49 +0100 
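Review bot: in `do_verity_image`, `assert size % data_block_size == 0, f"image is not well-sized!"` relies on a plain `assert` (removed under `python -O`) and the f-string interpolates nothing; use `bb.fatal()` with the actual size and block size in the message so a mis-sized squashfs stops the build with a useful diagnostic. `veritysetup format` pins the block sizes but not the hash algorithm, so the algorithm is whatever the cryptsetup in the buildchroot defaults to; pass `--hash` explicitly so a toolchain update cannot change the on-disk format or the keys that `create_verity_env_file` parses out of the metadata. In `create_verity_env_file`, `IFS=":"` stays set for the rest of the function and `sed -i` rewrites the metadata file in place; harmless in a freshly exec'd task function, but a one-line comment would save the next reader a question.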
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 3/9] linux-cip-common: Add options necessary for dm-verity Date: Tue, 23 Nov 2021 15:57:41 +0100 Message-Id: <20211123145747.101549-4-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:53 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6970 From: Quirin Gylstorff CIP Kernel Config does not contain support for dm-verity squashfs. Overlay_FS support is added for etc-overlay. Signed-off-by: Quirin Gylstorff --- recipes-kernel/linux/files/verity.cfg | 5 +++++ recipes-kernel/linux/linux-cip-common.inc | 4 ++++ 2 files changed, 9 insertions(+) create mode 100644 recipes-kernel/linux/files/verity.cfg diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg new file mode 100644 index 0000000..35d8208 --- /dev/null +++ b/recipes-kernel/linux/files/verity.cfg @@ -0,0 +1,5 @@ +CONFIG_BLK_DEV_DM=y +CONFIG_DM_VERITY=y +CONFIG_DM_CRYPT=y +CONFIG_SQUASHFS=y +CONFIG_OVERLAY_FS=y diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 1afec88..bbbf812 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc 
@@ -28,3 +28,7 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}" SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e" S = "${WORKDIR}/linux-cip-v${PV}" + +SECURE_BOOT_KERNEL ?= "0" + +SRC_URI += "${@'file://verity.cfg' if d.getVar('SECURE_BOOT_KERNEL') == '1' else ''}" From patchwork Tue Nov 23 14:57:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634443 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E45D8C433FE for ; Tue, 23 Nov 2021 14:57:52 +0000 (UTC) Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) by mx.groups.io with SMTP id smtpd.web12.12316.1637679471706702457 for ; Tue, 23 Nov 2021 06:57:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.40, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ANEvnHr032588 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:49 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvlcx005894; Tue, 23 Nov 2021 15:57:49 +0100 
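Review bot: `CONFIG_DM_CRYPT=y` in verity.cfg is not used by anything in this series (the initrd hook and script only call `veritysetup`); either drop it or state in the commit message why it is enabled. The remaining options match what the initrd needs; with `CONFIG_DM_VERITY=y` built in, the `manual_add_modules dm_mod` / `dm_verity` calls in the hook will simply find no modules, which is fine.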
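Review bot: the conditional `SRC_URI += "${@'file://verity.cfg' if d.getVar('SECURE_BOOT_KERNEL') == '1' else ''}"` ties the dm-verity, squashfs and overlayfs kernel options to `SECURE_BOOT_KERNEL`, but the read-only verity rootfs does not itself depend on secure boot; a configuration that selects `secure-swupdate-img` while leaving the flag at its default `"0"` builds a kernel without dm-verity and an initrd that cannot open the root. Either gate the fragment on the verity image configuration or name the variable after what it actually enables, and document it next to `SECURE_BOOT_KERNEL ?= "0"`.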
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 4/9] Create a initrd with support for dm-verity Date: Tue, 23 Nov 2021 15:57:42 +0100 Message-Id: <20211123145747.101549-5-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:52 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6973 From: Quirin Gylstorff Adapt the initrd to open a dm-verity partition with a fixed root hash. Signed-off-by: Quirin Gylstorff --- .../cip-core-initramfs/cip-core-initramfs.bb | 16 +++++ .../files/verity.conf-hook | 1 + .../initramfs-verity-hook/files/verity.hook | 23 +++++++ .../files/verity.script.tmpl | 68 +++++++++++++++++++ .../initramfs-verity-hook_0.1.bb | 51 ++++++++++++++ 5 files changed, 159 insertions(+) create mode 100644 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.hook create mode 100644 recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl create mode 100644 recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb new file mode 100644 index 0000000..825fb9f --- /dev/null +++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb 
@@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit initramfs + +INITRAMFS_INSTALL += " \ + initramfs-verity-hook \ + " diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook new file mode 100644 index 0000000..9b61fb8 --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.conf-hook @@ -0,0 +1 @@ +BUSYBOX=y diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.hook b/recipes-initramfs/initramfs-verity-hook/files/verity.hook new file mode 100644 index 0000000..5eada8a --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.hook @@ -0,0 +1,23 @@ +#!/bin/sh +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +# Begin real processing below this line + +manual_add_modules dm_mod +manual_add_modules dm_verity + +copy_exec /sbin/veritysetup +copy_exec /sbin/dmsetup +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions +copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl new file mode 100644 index 0000000..c4f3dc4 --- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl 
@@ -0,0 +1,68 @@ +#!/bin/sh +prereqs() +{ + # Make sure that this script is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then + printf '%s\n' "$script" + fi + done +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions +. /lib/cryptsetup/functions +. /usr/share/verity-env/verity.env +# Even if this script fails horribly, make sure there won't be a chance the +# current $ROOT will be attempted. As this device most likely contains a +# perfectly valid filesystem, it would be mounted successfully, leading to a +# broken trust chain. +echo "ROOT=/dev/null" >/conf/param.conf +wait_for_udev 10 +case "$ROOT" in + PART*) + # root was given as PARTUUID= or PARTLABEL=. Use blkid to find the matching + # partition + ROOT=$(blkid --list-one --output device --match-token "$ROOT") + ;; + "") + # No Root device was given. Use veritysetup verify to search matching roots + partitions=$(blkid -o device) + for part in $partitions; do + if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then + if veritysetup verify \ + "$part" "$part" "${ROOT_HASH}" \ + --hash-offset "${HASH_OFFSET}";then + ROOT="$part" + break + fi + fi + done + ;; +esac +set -- "$ROOT" verityroot +if ! veritysetup open \ + ${VERITY_BEHAVIOR_ON_CORRUPTION} \ + --data-block-size "${DATA_BLOCK_SIZE}" \ + --hash-block-size "${HASH_BLOCK_SIZE}" \ + --data-blocks "${DATA_BLOCKS}" \ + --hash-offset "${HASH_OFFSET}" \ + --salt "${SALT}" \ + "$1" "$2" "$1" "${ROOT_HASH}"; then + panic "Can't open verity rootfs!" +fi + +wait_for_udev 10 + +if ! ROOT="$(dm_blkdevname verityroot)"; then + panic "Can't find the verity root device!" +fi + +echo "ROOT=${ROOT}" >/conf/param.conf diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb new file mode 100644 index 0000000..a7fbf5a 
--- /dev/null +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb 
@@ -0,0 +1,51 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://verity.conf-hook \ + file://verity.hook \ + file://verity.script.tmpl \ + " + +VERITY_BEHAVIOR_ON_CORRUPTION ?= "--restart-on-corruption" + +TEMPLATE_FILES = "verity.script.tmpl" +TEMPLATE_VARS += "VERITY_BEHAVIOR_ON_CORRUPTION" + +DEBIAN_DEPENDS = "initramfs-tools, cryptsetup" + +VERITY_IMAGE_RECIPE ?= "cip-core-image-read-only" + +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env" + +do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_verity_image" +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/verity-env \ + ${D}/usr/share/initramfs-tools/scripts/local-top \ + ${D}/usr/share/initramfs-tools/conf-hooks.d" + +do_install() { + # Insert the veritysetup commandline into the script + if [ -f "${VERITY_ENV_FILE}" ]; then + install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env" + else + bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!" 
+ fi + install -m 0755 "${WORKDIR}/verity.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-top/verity" + install -m 0755 "${WORKDIR}/verity.hook" \ + "${D}/usr/share/initramfs-tools/hooks/verity" +} + +addtask do_install after do_transform_template From patchwork Tue Nov 23 14:57:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634453 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 020EBC43217 for ; Tue, 23 Nov 2021 14:57:53 +0000 (UTC) Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by mx.groups.io with SMTP id smtpd.web11.12061.1637679471428163896 for ; Tue, 23 Nov 2021 06:57:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.14, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id 1ANEvn6Y001066 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:49 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvld0005894; Tue, 23 Nov 2021 15:57:49 +0100 
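Review bot: `copy_file library /usr/share/verity-env/verity.env ...` in verity.hook bakes the root hash, salt and hash offset into the initrd, which makes the initrd the root of trust for the rootfs; that only holds when the initrd is itself covered by the boot signature (the `unified-kernel=y,signwith=...` parameters in the wks do that), and an unsigned, separately loaded initrd must not be a supported configuration. Since the hook cannot check this at build time, add a comment stating the assumption. `copy_exec /sbin/dmsetup` is needed for `dm_blkdevname` in the script, so keep it.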
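Review bot: both failure paths in verity.script.tmpl call `panic`, and the initramfs-tools `panic` drops to a rescue shell unless `panic=<seconds>` is present on the kernel command line; on a secure-boot device that shell is an unauthenticated root prompt reachable by nothing more than a corrupted root partition. Either keep `panic=0` on the command line (the deleted wks carried it, patch 5's wks.in does not) or reboot explicitly before calling `panic`. In the `""` case the loop runs `veritysetup verify` over every block device, which walks the complete hash tree of each candidate before a root is chosen, and because the A/B `rawcopy` partitions hold identical images both verify and the first device `blkid -o device` happens to list wins, so slot selection is not deterministic on that path; the bootloader should always pass `root=PARTUUID=...` and the empty-`ROOT` fallback should at least log which device was picked. Minor: `${part}` is unquoted in the `blkid -p` call. The `ROOT=/dev/null` pre-set with its explanatory comment is the right defensive default and worth keeping as is.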
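Review bot: when `${VERITY_ENV_FILE}` is missing, `bberror` only logs and `do_install` carries on, so the build succeeds with an initrd that has no `verity.env` and cannot open the rootfs; use `bbfatal` so a missing env file fails the build where the cause is visible. `VERITY_ENV_FILE` re-derives the image name as `${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}`, duplicating the image class's `IMAGE_FULLNAME` convention; if that naming ever changes the file silently goes missing, which is the same failure path, so consider exporting the env file path from the image side instead. Typo in the message: "will not be build correctly" should be "built".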
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 5/9] Create an read-only rootfs with dm-verity Date: Tue, 23 Nov 2021 15:57:43 +0100 Message-Id: <20211123145747.101549-6-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:53 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6972 From: Quirin Gylstorff This root file system supports SWUpdate and secure boot. We need a writable /tmp and /var for a boot without error messages. The mount point for /tmp is created during the systemd target local-fs according to [1]. Before `Remount Root and Kernel File Systems.` the tmp of the initrd is used. [1]: https://www.freedesktop.org/software/systemd/man/systemd.special.html 
Signed-off-by: Quirin Gylstorff --- Kconfig | 3 +- classes/secure-swupdate-img.bbclass | 32 +++++++++++++++++++ kas/opt/ebg-secure-boot-base.yml | 2 ++ kas/opt/ebg-secure-boot-snakeoil.yml | 13 +++++++- kas/opt/ebg-snakeoil-swu.yml | 16 ---------- .../images/cip-core-image-read-only.bb | 20 ++++++++++++ recipes-core/tmp-fs/files/postinst | 3 ++ recipes-core/tmp-fs/files/tmp.mount.tmpl | 11 +++++++ recipes-core/tmp-fs/tmp-fs_0.1.bb | 26 +++++++++++++++ wic/qemu-amd64-efibootguard-secureboot.wks | 11 ------- wic/qemu-amd64-efibootguard-secureboot.wks.in | 13 ++++++++ 11 files changed, 120 insertions(+), 30 deletions(-) create mode 100644 classes/secure-swupdate-img.bbclass delete mode 100644 kas/opt/ebg-snakeoil-swu.yml create mode 100644 recipes-core/images/cip-core-image-read-only.bb create mode 100755 recipes-core/tmp-fs/files/postinst create mode 100644 recipes-core/tmp-fs/files/tmp.mount.tmpl create mode 100644 recipes-core/tmp-fs/tmp-fs_0.1.bb delete mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks.in diff --git a/Kconfig b/Kconfig index 8421f1b..e97cb03 100644 --- a/Kconfig +++ b/Kconfig @@ -141,7 +141,6 @@ config IMAGE_SECURE_BOOT config KAS_INCLUDE_SWUPDATE_SECBOOT string default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT - default "kas/opt/ebg-secure-boot-snakeoil.yml" if !IMAGE_SWUPDATE && IMAGE_SECURE_BOOT - default "kas/opt/ebg-snakeoil-swu.yml" if IMAGE_SWUPDATE && IMAGE_SECURE_BOOT + default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT endif diff --git a/classes/secure-swupdate-img.bbclass b/classes/secure-swupdate-img.bbclass new file mode 100644 index 0000000..431939b --- /dev/null +++ b/classes/secure-swupdate-img.bbclass 
@@ -0,0 +1,32 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +SECURE_IMAGE_FSTYPE ?= "squashfs" + +inherit ${SECURE_IMAGE_FSTYPE}-img + +VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}" + +INITRAMFS_RECIPE ?= "cip-core-initramfs" +do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" +INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" + +inherit verity-img +inherit wic-img +inherit extract-partition +inherit swupdate-img + +SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}" + +addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image +addtask do_wic_image after do_verity_image +addtask do_extract_partition after do_wic_image +addtask do_swupdate_image after do_extract_partition diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml index 8f769b6..acb4de0 100644 --- a/kas/opt/ebg-secure-boot-base.yml +++ b/kas/opt/ebg-secure-boot-base.yml @@ -19,3 +19,5 @@ local_conf_header: IMAGE_INSTALL += "initramfs-abrootfs-secureboot" SWU_DESCRIPTION = "secureboot" SWUPDATE_ROUND_ROBIN_HANDLER_CONFIG = "secureboot/swupdate.handler.${SWUPDATE_BOOTLOADER}.ini" + kernel: | + SECURE_BOOT_KERNEL = "1" diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index 2f45bde..4a9185c 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml 
@@ -14,13 +14,24 @@ header: includes: - kas/opt/ebg-secure-boot-base.yml +target: cip-core-image-read-only local_conf_header: + swupdate: | + IMAGE_INSTALL_append = " swupdate" + IMAGE_INSTALL_append = " swupdate-handler-roundrobin" + + verity-img: | + SECURE_BOOT_KERNEL = "1" + SECURE_IMAGE_FSTYPE = "squashfs" + VERITY_IMAGE_RECIPE = "cip-core-image-read-only" + IMAGE_TYPE = "secure-swupdate-img" + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" + secure-boot: | # Add snakeoil and ovmf binaries for qemu IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries" IMAGER_INSTALL += "ebg-secure-boot-snakeoil" - WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks" ovmf: | # snakeoil certs are only part of backports diff --git a/kas/opt/ebg-snakeoil-swu.yml b/kas/opt/ebg-snakeoil-swu.yml deleted file mode 100644 index 2f15c0e..0000000 --- a/kas/opt/ebg-snakeoil-swu.yml +++ /dev/null @@ -1,16 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2021 -# -# Authors: -# Quirin Gylstorff -# -# SPDX-License-Identifier: MIT -# - -header: - version: 10 - includes: - - kas/opt/ebg-secure-boot-snakeoil.yml - - kas/opt/swupdate.yml diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb new file mode 100644 index 0000000..7ef2dc2 --- /dev/null +++ b/recipes-core/images/cip-core-image-read-only.bb @@ -0,0 +1,20 @@ +require cip-core-image.bb + +SQUASHFS_EXCLUDE_DIRS += "home var" + +IMAGE_INSTALL += "tmp-fs" +IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" + +image_configure_fstab() { + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF +# Begin /etc/fstab +/dev/root / auto defaults,ro 0 0 +LABEL=var /var auto defaults 0 0 +proc /proc proc nosuid,noexec,nodev 0 0 +sysfs /sys sysfs nosuid,noexec,nodev 0 0 +devpts /dev/pts devpts gid=5,mode=620 0 0 +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0 +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 +# End /etc/fstab +EOF +} 
diff --git a/recipes-core/tmp-fs/files/postinst b/recipes-core/tmp-fs/files/postinst new file mode 100755 index 0000000..07017fd --- /dev/null +++ b/recipes-core/tmp-fs/files/postinst @@ -0,0 +1,3 @@ +#!/bin/sh + +deb-systemd-helper enable tmp.mount || true diff --git a/recipes-core/tmp-fs/files/tmp.mount.tmpl b/recipes-core/tmp-fs/files/tmp.mount.tmpl new file mode 100644 index 0000000..fcb2f3e --- /dev/null +++ b/recipes-core/tmp-fs/files/tmp.mount.tmpl @@ -0,0 +1,11 @@ +[Unit] +Description=Create /tmp + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +Options=${TMP_OPTIONS} + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/tmp-fs/tmp-fs_0.1.bb b/recipes-core/tmp-fs/tmp-fs_0.1.bb new file mode 100644 index 0000000..3ec20c7 --- /dev/null +++ b/recipes-core/tmp-fs/tmp-fs_0.1.bb @@ -0,0 +1,26 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://tmp.mount.tmpl" + +TMP_FS_SIZE ?= "500M" +TMP_FS_MODE ?= "755" +TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_SIZE},mode=${TMP_MODE}" + +TEMPLATE_FILES = "tmp.mount.tmpl" +TEMPLATE_VARS += "TMP_FS_OPTIONS" + +do_install[cleandirs]+="${D}/lib/systemd/system" +do_install() { + install -m 0644 ${WORKDIR}/tmp.mount ${D}/lib/systemd/system/tmp.mount +} diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks deleted file mode 100644 index ff351db..0000000 --- a/wic/qemu-amd64-efibootguard-secureboot.wks +++ /dev/null 
@@ -1,11 +0,0 @@ -# short-description: Qemu-amd64 with Efibootguard and SWUpdate -# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate -include ebg-signed-bootloader.inc - -# EFI Boot Guard environment/config partitions plus Kernel files -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" - -include swupdate-partition.inc - -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=0" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in new file mode 100644 index 0000000..c4ea0c8 --- /dev/null +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in 
@@ -0,0 +1,13 @@ +# EFI partition containing efibootguard bootloader binary +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" + +# EFI Boot Guard environment/config partitions plus Kernel files +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh" + +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" + +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" From patchwork Tue Nov 23 14:57:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634445 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8580C433F5 for ; Tue, 23 Nov 2021 14:57:52 +0000 (UTC) Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) by mx.groups.io with SMTP id 
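Review bot: with the `!IMAGE_SWUPDATE && IMAGE_SECURE_BOOT` default removed from `KAS_INCLUDE_SWUPDATE_SECBOOT`, a secure-boot configuration without SWUpdate now also selects `kas/opt/ebg-secure-boot-snakeoil.yml`, whose new `swupdate:` header unconditionally appends `swupdate` and `swupdate-handler-roundrobin` to `IMAGE_INSTALL`; either that combination is no longer supported (then say so in the Kconfig help and commit message) or the appends need to stay conditional on `IMAGE_SWUPDATE`.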
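Review bot: in ebg-secure-boot-snakeoil.yml, `SECURE_BOOT_KERNEL = "1"` under the `verity-img:` header duplicates the same assignment that the included `kas/opt/ebg-secure-boot-base.yml` now makes in its `kernel:` header; drop one of them so there is a single place to change.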
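Review bot: in the fstab generated by `image_configure_fstab`, `/var` is a writable, non-verified ext4 partition mounted with `defaults`, while `/run` gets `nodev,nosuid`; `/var` is the persistent, modifiable part of an otherwise integrity-protected system (and patch 6 stacks the /etc overlay on `/var/local/etc`), so mount it at least with `nodev,nosuid`, and `noexec` unless something must execute from it, so that content there cannot trivially bypass the dm-verity root. `SQUASHFS_EXCLUDE_DIRS += "home var"` strips `/home` from the image, but nothing is mounted at `/home`, so it ends up as an empty read-only directory. Style: `_remove` is an override-style operator and is normally written `IMAGE_INSTALL_remove = "..."`; `+=` works but reads oddly.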
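Review bot: tmp.mount.tmpl uses `Options=${TMP_OPTIONS}`, but the recipe exports `TMP_FS_OPTIONS` through `TEMPLATE_VARS`, so the placeholder is never substituted and the unit ends up with the literal `${TMP_OPTIONS}` (or nothing) instead of `nodev,nosuid,size=...`; rename the placeholder to `${TMP_FS_OPTIONS}` to match.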
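Review bot: `TMP_FS_OPTIONS = "nodev,nosuid,size=${TMP_SIZE},mode=${TMP_MODE}"` in tmp-fs_0.1.bb references `TMP_SIZE` and `TMP_MODE`, but the variables defined two lines above are `TMP_FS_SIZE` and `TMP_FS_MODE`, so the options expand to `size=,mode=`; use the `_FS_` names, and check that the template consumes `TMP_FS_OPTIONS` under that exact name, since this is the only place the `nodev,nosuid` hardening for /tmp is set.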
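Review bot: the `--append` line of the new wks.in drops `panic=0`, which the deleted `qemu-amd64-efibootguard-secureboot.wks` carried, and adds `rw`; without `panic=` the initramfs `panic` in the verity script (hash mismatch, missing root) opens a rescue shell instead of rebooting, which undoes the signed boot chain, so restore `panic=0` or another fixed value. `rw` is meaningless for a dm-verity root that the initrd opens itself and that fstab mounts `ro`; drop it to avoid suggesting the root is writable. Both `rawcopy` partitions are `--fixed-size 1G`, so the verity image (squashfs plus the appended hash tree) must fit; a size check against `VERITY_OUTPUT_IMAGE` in the image class would turn an oversized image into a clear build error.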
smtpd.web11.12062.1637679471715237834 for ; Tue, 23 Nov 2021 06:57:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.40, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ANEvoA5032593 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:50 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvld1005894; Tue, 23 Nov 2021 15:57:49 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 6/9] Create systemd mount units for a etc overlay Date: Tue, 23 Nov 2021 15:57:44 +0100 Message-Id: <20211123145747.101549-7-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:52 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6975 From: Quirin Gylstorff As /etc is read-only and needs to be accessed by the initrd, move the user-defined settings to an overlay in /var/local/etc. As systemd sets the hostname directly on start, reread /etc/hostname after mounting the overlay. 
Signed-off-by: Quirin Gylstorff --- .../etc-overlay-fs/etc-overlay-fs_0.1.bb | 32 +++++++++++++++++++ .../etc-overlay-fs/files/etc-hostname.service | 14 ++++++++ .../files/etc-sshd-regen-keys.conf | 7 ++++ .../etc-overlay-fs/files/etc-sysusers.conf | 4 +++ recipes-core/etc-overlay-fs/files/etc.mount | 13 ++++++++ recipes-core/etc-overlay-fs/files/postinst | 4 +++ .../images/cip-core-image-read-only.bb | 1 + 7 files changed, 75 insertions(+) create mode 100644 recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb create mode 100644 recipes-core/etc-overlay-fs/files/etc-hostname.service create mode 100644 recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf create mode 100644 recipes-core/etc-overlay-fs/files/etc-sysusers.conf create mode 100644 recipes-core/etc-overlay-fs/files/etc.mount create mode 100755 recipes-core/etc-overlay-fs/files/postinst diff --git a/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb new file mode 100644 index 0000000..4e2b80b --- /dev/null +++ b/recipes-core/etc-overlay-fs/etc-overlay-fs_0.1.bb 
@@ -0,0 +1,32 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://etc.mount \ + file://etc-hostname.service \ + file://etc-sshd-regen-keys.conf \ + file://etc-sysusers.conf" + +do_install[cleandirs]+="${D}/usr/lib/systemd/system \ + ${D}/usr/lib/systemd/system/local-fs.target.wants \ + ${D}/usr/lib/systemd/system/systemd-sysusers.service.d \ + ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d \ + ${D}/var/local/etc \ + ${D}/var/local/.atomic \ + " +do_install() { + TARGET=${D}/usr/lib/systemd/system + install -m 0644 ${WORKDIR}/etc.mount ${TARGET}/etc.mount + install -m 0644 ${WORKDIR}/etc-hostname.service ${TARGET}/etc-hostname.service + install -m 0644 ${WORKDIR}/etc-sshd-regen-keys.conf ${D}/usr/lib/systemd/system/sshd-regen-keys.service.d/etc-sshd-regen-keys.conf + install -m 0644 ${WORKDIR}/etc-sysusers.conf ${D}/usr/lib/systemd/system/systemd-sysusers.service.d/etc-sysusers.service +} diff --git a/recipes-core/etc-overlay-fs/files/etc-hostname.service b/recipes-core/etc-overlay-fs/files/etc-hostname.service new file mode 100644 index 0000000..2306b9f --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc-hostname.service @@ -0,0 +1,14 @@ +[Unit] +Description=set hostname /etc overlay-aware +Before=network-pre.target +Wants=network-pre.target +Requires=etc.mount +After=etc.mount + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/hostname --boot --file /etc/hostname + +[Install] +WantedBy=basic.target diff --git a/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf new file mode 100644 index 0000000..014b5a6 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc-sshd-regen-keys.conf 
@@ -0,0 +1,7 @@ +[Unit] +# set hostname /etc overlay-aware +Before=network-pre.target +Wants=network-pre.target +Requires=etc.mount +After=etc.mount + diff --git a/recipes-core/etc-overlay-fs/files/etc-sysusers.conf b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf new file mode 100644 index 0000000..ad45d7f --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc-sysusers.conf @@ -0,0 +1,4 @@ +[Unit] +# make systemd-sysusers /etc overlay aware +Requires=etc.mount +After=etc.mount diff --git a/recipes-core/etc-overlay-fs/files/etc.mount b/recipes-core/etc-overlay-fs/files/etc.mount new file mode 100644 index 0000000..f0ae3c5 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/etc.mount @@ -0,0 +1,13 @@ +[Unit] +Description=Overlay-mount /etc +Requires=var.mount +After=var.mount + +[Mount] +What=overlay +Where=/etc +Type=overlay +Options=noauto,x-systemd.automount,lowerdir=/etc,upperdir=/var/local/etc,workdir=/var/local/.atomic + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/etc-overlay-fs/files/postinst b/recipes-core/etc-overlay-fs/files/postinst new file mode 100755 index 0000000..e436b53 --- /dev/null +++ b/recipes-core/etc-overlay-fs/files/postinst @@ -0,0 +1,4 @@ +#!/bin/sh + +deb-systemd-helper enable etc.mount || true +deb-systemd-helper enable etc-hostname.service || true diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb index 7ef2dc2..ceb6ac4 100644 --- a/recipes-core/images/cip-core-image-read-only.bb +++ b/recipes-core/images/cip-core-image-read-only.bb 
@@ -2,6 +2,7 @@ require cip-core-image.bb SQUASHFS_EXCLUDE_DIRS += "home var" +IMAGE_INSTALL += "etc-overlay-fs" IMAGE_INSTALL += "tmp-fs" IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" From patchwork Tue Nov 23 14:57:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634447 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8560C433EF for ; Tue, 23 Nov 2021 14:57:52 +0000 (UTC) Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) by mx.groups.io with SMTP id smtpd.web11.12063.1637679471786213510 for ; Tue, 23 Nov 2021 06:57:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.40, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ANEvod0032598 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:50 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvld2005894; Tue, 23 Nov 2021 15:57:50 +0100 
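Review bot: in `do_install()` of `etc-overlay-fs_0.1.bb` the sysusers drop-in is installed as `systemd-sysusers.service.d/etc-sysusers.service`; systemd only reads files ending in `.conf` from a `.d` directory, so this ordering override is silently ignored and `systemd-sysusers` can still run before `/etc` is overlaid. The destination should be `.../systemd-sysusers.service.d/etc-sysusers.conf`, matching the sshd drop-in on the line above. In the same hunk, `local-fs.target.wants` is created via `do_install[cleandirs]` but nothing is linked into it; `postinst` enables the units with `deb-systemd-helper`, so that directory can be dropped.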
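Review bot: the comment in `etc-sshd-regen-keys.conf` reads `# set hostname /etc overlay-aware`, copied from the hostname unit; it should describe this drop-in, e.g. `# make sshd-regen-keys /etc overlay aware` in the style of `etc-sysusers.conf`. The commit message could also state why the ordering matters: host key generation that runs before `etc.mount` would write into the read-only lower `/etc` and fail, so the keys must be created only after the writable overlay is in place.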
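Review bot: `Options=noauto,x-systemd.automount,...` in `etc.mount`: `noauto` and `x-systemd.automount` are fstab options acted on by `systemd-fstab-generator`, not by a `.mount` unit file, where `Options=` is handed to mount(8) and userspace-only options are dropped. As written the unit is mounted eagerly through `WantedBy=local-fs.target` (which is what `etc-hostname.service` and the drop-ins rely on), so the two options should simply be removed; an on-demand mount would need a separate `etc.automount` unit instead.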
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 7/9] Mount writable home partition Date: Tue, 23 Nov 2021 15:57:45 +0100 Message-Id: <20211123145747.101549-8-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:52 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6974 From: Quirin Gylstorff Add an example of how to add a writable home partition Signed-off-by: Quirin Gylstorff --- recipes-core/home-fs/files/home.mount | 12 +++++++++++ recipes-core/home-fs/files/postinst | 3 +++ recipes-core/home-fs/home-fs_0.1.bb | 20 +++++++++++++++++++ .../images/cip-core-image-read-only.bb | 1 + wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 ++ 5 files changed, 38 insertions(+) create mode 100644 recipes-core/home-fs/files/home.mount create mode 100755 recipes-core/home-fs/files/postinst create mode 100644 recipes-core/home-fs/home-fs_0.1.bb diff --git a/recipes-core/home-fs/files/home.mount b/recipes-core/home-fs/files/home.mount new file mode 100644 index 0000000..062517a --- /dev/null +++ b/recipes-core/home-fs/files/home.mount @@ -0,0 +1,12 @@ +[Unit] +Description=Mount /home partition +Before=local-fs.target + +[Mount] +What=/dev/disk/by-partlabel/home +Where=/home +Type=auto +Options=defaults + +[Install] +WantedBy=local-fs.target diff --git a/recipes-core/home-fs/files/postinst b/recipes-core/home-fs/files/postinst new file mode 100755 index 0000000..f6184d6 --- /dev/null +++ b/recipes-core/home-fs/files/postinst @@ -0,0 +1,3 @@ +#!/bin/sh + +deb-systemd-helper enable home.mount || true 
diff --git a/recipes-core/home-fs/home-fs_0.1.bb b/recipes-core/home-fs/home-fs_0.1.bb new file mode 100644 index 0000000..93e08e6 --- /dev/null +++ b/recipes-core/home-fs/home-fs_0.1.bb @@ -0,0 +1,20 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +SRC_URI = "file://postinst \ + file://home.mount" + +do_install[cleandirs]+="${D}/lib/systemd/system" +do_install() { + install -m 0644 ${WORKDIR}/home.mount ${D}/lib/systemd/system/home.mount + +} \ No newline at end of file diff --git a/recipes-core/images/cip-core-image-read-only.bb b/recipes-core/images/cip-core-image-read-only.bb index ceb6ac4..79cd6bf 100644 --- a/recipes-core/images/cip-core-image-read-only.bb +++ b/recipes-core/images/cip-core-image-read-only.bb @@ -3,6 +3,7 @@ require cip-core-image.bb SQUASHFS_EXCLUDE_DIRS += "home var" IMAGE_INSTALL += "etc-overlay-fs" +IMAGE_INSTALL += "home-fs" IMAGE_INSTALL += "tmp-fs" IMAGE_INSTALL_remove += "initramfs-abrootfs-secureboot" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index c4ea0c8..81fd4fe 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in 
@@ -8,6 +8,8 @@ part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhe part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +# home and var are extra partitions +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" From patchwork Tue Nov 23 14:57:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634459 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A1EFC41535 for ; Tue, 23 Nov 2021 14:57:54 +0000 (UTC) Received: from lizzard.sbs.de (lizzard.sbs.de [194.138.37.39]) by mx.groups.io with SMTP id smtpd.web08.12096.1637679472082515688 for ; Tue, 23 Nov 2021 06:57:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 194.138.37.39, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id 1ANEvocp006899 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:50 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 
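Review bot: `home.mount` mounts the writable `/home` partition with `Type=auto` and `Options=defaults`. On a verity-protected read-only root the writable partitions are the only place where files can be planted or modified, so consider `nosuid,nodev` (and `noexec` if nothing under `/home` needs to execute), and pin `Type=ext4` to match `--fstype=ext4` in the wks; `Type=auto` lets a reformatted partition be mounted as whatever filesystem the kernel recognises.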
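Review bot: `do_install()` in `home-fs_0.1.bb` installs into `${D}/lib/systemd/system`, whereas `etc-overlay-fs_0.1.bb` from the previous patch uses `${D}/usr/lib/systemd/system`; the two recipes should agree on one unit directory, since shipping the same directory under both aliased paths from different packages is a known source of dpkg trouble on merged-/usr Debian. Minor: there is a stray blank line before the closing brace and the file lacks a trailing newline (`\ No newline at end of file`).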
1ANEvld3005894; Tue, 23 Nov 2021 15:57:50 +0100 From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 8/9] kas: Patch isar for correct permissions in var and home Date: Tue, 23 Nov 2021 15:57:46 +0100 Message-Id: <20211123145747.101549-9-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:54 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6976 From: Quirin Gylstorff Get patch from isar mailing list[1]. [1]: https://groups.google.com/g/isar-users/c/wlanc7f7UnQ Signed-off-by: Quirin Gylstorff --- kas-cip.yml | 4 +++ ...when-splitting-rootfs-folders-across.patch | 35 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch diff --git a/kas-cip.yml b/kas-cip.yml index dc56729..8226954 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -25,6 +25,10 @@ repos: refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3 layers: meta: + patches: + fix-pseudo: + repo: cip-core + path: patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch bblayers_conf_header: standard: | diff --git a/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch new file mode 100644 index 0000000..34704f0 --- /dev/null +++ b/patches/isar/0001-Fix-permissions-when-splitting-rootfs-folders-across.patch 
@@ -0,0 +1,35 @@ +From 34b37fccd5e454d29d6d4d002d48a9619782b1bb Mon Sep 17 00:00:00 2001 +From: Felix Moessbauer +Date: Wed, 3 Nov 2021 13:53:00 +0100 +Subject: [PATCH] Fix permissions when splitting rootfs folders across + partitions. + +This patches ensures that the file database containing the file and +folder usernames and permissions is always located relative to the +source and not to the appended rootfs-dir. + +Prior to this patch, the database was not found when using +-rootfs-dir in the WIC script, leading to erronous file +permissions and ownership. + +Signed-off-by: Felix Moessbauer +--- + scripts/lib/wic/plugins/source/rootfs.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py +index 96d940a9..5ab771e5 100644 +--- a/scripts/lib/wic/plugins/source/rootfs.py ++++ b/scripts/lib/wic/plugins/source/rootfs.py +@@ -95,7 +95,7 @@ class RootfsPlugin(SourcePlugin): + + part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir) + part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab")) +- pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo") ++ pseudo_dir = os.path.join(krootfs_dir['ROOTFS_DIR'], "../pseudo") + if not os.path.lexists(pseudo_dir): + logger.warn("%s folder does not exist. 
" + "Usernames and permissions will be invalid " % pseudo_dir) +-- +2.30.2 + From patchwork Tue Nov 23 14:57:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 12634461 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40CC5C4167D for ; Tue, 23 Nov 2021 14:57:54 +0000 (UTC) Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) by mx.groups.io with SMTP id smtpd.web09.12288.1637679472868037270 for ; Tue, 23 Nov 2021 06:57:53 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: siemens.com, ip: 192.35.17.28, mailfrom: quirin.gylstorff@siemens.com) Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id 1ANEvoar018607 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 23 Nov 2021 15:57:51 +0100 Received: from md2dvrtc.fritz.box ([167.87.35.152]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1ANEvld4005894; Tue, 23 Nov 2021 15:57:50 +0100 
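Review bot: the carried isar patch corrects the pseudo database lookup for `--rootfs-dir=` partitions, but the context lines of the hunk show that a missing database still only yields `logger.warn(... Usernames and permissions will be invalid ...)` and the build carries on. For the split `/var` and `/home` partitions introduced in this series, wrong ownership and modes are a security problem rather than a cosmetic one, so it is worth asking upstream to fail the build instead of warning. Also the embedded commit message has `-rootfs-dir` (should be `--rootfs-dir`) and `erronous`; worth fixing before it lands in isar.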
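Review bot: the new `patches:` entry in `kas-cip.yml` pins the fix locally against `refspec: ceb7e21154fc4862f704bb5c7739e87a26db6eb3`; add a short comment next to `fix-pseudo:` pointing at the upstream isar thread from the commit message ([1]) so that it is obvious when the patch can be dropped after the next isar `refspec` bump.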
From: "Q. Gylstorff" To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com, christian.storm@siemens.com Subject: [cip-dev][isar-cip-core][RFC v3 9/9] swupdate: Backport patches from SWUpdate Master Date: Tue, 23 Nov 2021 15:57:47 +0100 Message-Id: <20211123145747.101549-10-Quirin.Gylstorff@siemens.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> References: <20211123145747.101549-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Nov 2021 14:57:54 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/6977 From: Quirin Gylstorff Backport the following patches to detect the correct partition to update. 388f1777 util: Add get_root source /proc/self/mountinfo 3914d2b7 util: Extend get_root to find LUKS devices Signed-off-by: Quirin Gylstorff --- ...an-patches-add-patches-for-dm-verity.patch | 191 ++++++++++++++++++ .../swupdate/swupdate_2021.04-1+debian-gbp.bb | 5 + 2 files changed, 196 insertions(+) create mode 100644 recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch diff --git a/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch new file mode 100644 index 0000000..a4c8856 --- /dev/null +++ b/recipes-core/swupdate/files/0001-debian-patches-add-patches-for-dm-verity.patch 
@@ -0,0 +1,191 @@ +From 9904222a872e1707d8e1205009962fd68c3e5c7d Mon Sep 17 00:00:00 2001 +From: Quirin Gylstorff +Date: Mon, 25 Oct 2021 14:43:07 +0200 +Subject: [PATCH] debian/patches: add patches for dm-verity + +Backport the following patches to detect the correct partition to +update. +388f1777 util: Add get_root source /proc/self/mountinfo +3914d2b7 util: Extend get_root to find LUKS devices + +Signed-off-by: Quirin Gylstorff +--- + ...d-get_root-source-proc-self-mountinfo.diff | 67 +++++++++++++++ + ...-Extend-get_root-to-find-LUKS-devices.diff | 82 +++++++++++++++++++ + debian/patches/series | 2 + + 3 files changed, 151 insertions(+) + create mode 100644 debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff + create mode 100644 debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff + +diff --git a/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff +new file mode 100644 +index 0000000..2b25a19 +--- /dev/null ++++ b/debian/patches/0001-util-Add-get_root-source-proc-self-mountinfo.diff +@@ -0,0 +1,67 @@ ++From 388f1777e3e9e7dfbe41768aa7ce86bc0ee25c37 Mon Sep 17 00:00:00 2001 ++From: Christian Storm ++Date: Thu, 10 Jun 2021 00:30:24 +0200 ++Subject: [PATCH 1/2] util: Add get_root source /proc/self/mountinfo ++ ++Filesystems such as BTRFS report synthetic device major:minor ++numbers in stat(2)'s st_dev value. Hence, such a root filesystem ++won't be found by get_root_from_partitions(). ++ ++As /proc/self/mountinfo's information is subject to mount- ++namespacing, it complements get_root_from_partitions() rather ++than replacing it. 
++ ++Signed-off-by: Christian Storm ++--- ++ core/util.c | 28 ++++++++++++++++++++++++++++ ++ 1 file changed, 28 insertions(+) ++ ++diff --git a/core/util.c b/core/util.c ++index 7d7673a..51a16b6 100644 ++--- a/core/util.c +++++ b/core/util.c ++@@ -883,6 +883,32 @@ static char *get_root_from_partitions(void) ++ return NULL; ++ } ++ +++/* +++ * Return the rootfs's device name from /proc/self/mountinfo. +++ * Needed for filesystems having synthetic stat(2) st_dev +++ * values such as BTRFS. +++ */ +++static char *get_root_from_mountinfo(void) +++{ +++ char *mnt_point, *device = NULL; +++ FILE *fp = fopen("/proc/self/mountinfo", "r"); +++ while (fp && !feof(fp)){ +++ /* format: https://www.kernel.org/doc/Documentation/filesystems/proc.txt */ +++ if (fscanf(fp, "%*s %*s %*u:%*u %*s %ms %*s %*[-] %*s %ms %*s", +++ &mnt_point, &device) == 2) { +++ if ( (!strcmp(mnt_point, "/")) && (strcmp(device, "none")) ) { +++ free(mnt_point); +++ break; +++ } +++ free(mnt_point); +++ free(device); +++ } +++ device = NULL; +++ } +++ (void)fclose(fp); +++ return device; +++} +++ ++ #define MAX_CMDLINE_LENGTH 4096 ++ static char *get_root_from_cmdline(void) ++ { ++@@ -936,6 +962,8 @@ char *get_root_device(void) ++ root = get_root_from_partitions(); ++ if (!root) ++ root = get_root_from_cmdline(); +++ if (!root) +++ root = get_root_from_mountinfo(); ++ ++ return root; ++ } ++-- ++2.30.2 ++ +diff --git a/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff +new file mode 100644 +index 0000000..039bfb8 +--- /dev/null ++++ b/debian/patches/0002-util-Extend-get_root-to-find-LUKS-devices.diff +@@ -0,0 +1,82 @@ ++From 3914d2b73bf80b24aba015d9225082c2965c7a02 Mon Sep 17 00:00:00 2001 ++From: Stefano Babic ++Date: Thu, 10 Jun 2021 16:14:44 +0200 ++Subject: [PATCH 2/2] util: Extend get_root to find LUKS devices ++ ++This helps in case of encrypted filesystem or device mapper. 
++The returned device read from partitions is usually a dm-X device and ++this does not show which is the block device that contains it. Look in ++sysfs and check if the device has "slaves" entries, indicating the ++presence of an underlying device. If found, return this instead of the ++device returned parsing /proc/partitions. ++ ++Signed-off-by: Stefano Babic ++--- ++ core/util.c | 26 ++++++++++++++++++++++++-- ++ 1 file changed, 24 insertions(+), 2 deletions(-) ++ ++diff --git a/core/util.c b/core/util.c ++index 51a16b6..3b81c09 100644 ++--- a/core/util.c +++++ b/core/util.c ++@@ -24,6 +24,7 @@ ++ #include ++ #include ++ #include +++#include ++ ++ #if defined(__linux__) ++ #include ++@@ -851,6 +852,10 @@ size_t snescape(char *dst, size_t n, const char *src) ++ /* ++ * This returns the device name where rootfs is mounted ++ */ +++ +++static int filter_slave(const struct dirent *ent) { +++ return (strcmp(ent->d_name, ".") && strcmp(ent->d_name, "..")); +++} ++ static char *get_root_from_partitions(void) ++ { ++ struct stat info; ++@@ -858,11 +863,28 @@ static char *get_root_from_partitions(void) ++ char *devname = NULL; ++ unsigned long major, minor, nblocks; ++ char buf[256]; ++- int ret; +++ int ret, dev_major, dev_minor, n; +++ struct dirent **devlist = NULL; ++ ++ if (stat("/", &info) < 0) ++ return NULL; ++ +++ dev_major = info.st_dev / 256; +++ dev_minor = info.st_dev % 256; +++ +++ /* +++ * Check if this is just a container, for example in case of LUKS +++ * Search if the device has slaves pointing to another device +++ */ +++ snprintf(buf, sizeof(buf) - 1, "/sys/dev/block/%d:%d/slaves", dev_major, dev_minor); +++ n = scandir(buf, &devlist, filter_slave, NULL); +++ if (n == 1) { +++ devname = strdup(devlist[0]->d_name); +++ free(devlist); +++ return devname; +++ } +++ free(devlist); +++ ++ fp = fopen("/proc/partitions", "r"); ++ if (!fp) ++ return NULL; ++@@ -872,7 +894,7 @@ static char *get_root_from_partitions(void) ++ &major, &minor, &nblocks, 
&devname); ++ if (ret != 4) ++ continue; ++- if ((major == info.st_dev / 256) && (minor == info.st_dev % 256)) { +++ if ((major == dev_major) && (minor == dev_minor)) { ++ fclose(fp); ++ return devname; ++ } ++-- ++2.30.2 ++ +diff --git a/debian/patches/series b/debian/patches/series +index 8c5564a..f3bd00e 100644 +--- a/debian/patches/series ++++ b/debian/patches/series +@@ -1 +1,3 @@ + use-gcc-compiler.diff ++0002-util-Extend-get_root-to-find-LUKS-devices.diff ++0001-util-Add-get_root-source-proc-self-mountinfo.diff +-- +2.30.2 + diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb index 7a0fb9b..a4d67fe 100644 --- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb +++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb @@ -25,6 +25,11 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \ file://0007-debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch \ file://0008-debian-rules-Add-Embedded-Lua-handler-option.patch" +# Patch for dm-verity based images - can be removed with next SWUpdate release +SRC_URI += "file://0001-debian-patches-add-patches-for-dm-verity.patch" + +# end patching for dm-verity based images + # deactivate signing and encryption for simple a/b rootfs update SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"
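Review bot: in the backported `get_root_from_mountinfo()` (patch 0001), `fp` is NULL when `/proc/self/mountinfo` cannot be opened; the `while (fp && !feof(fp))` guard skips the loop but `(void)fclose(fp)` is still called on NULL, which is undefined behaviour and crashes on glibc. The `fscanf` format also assumes zero optional fields before the `-` separator: on a systemd system the `/` line typically carries `shared:N` there, so the match stops after one conversion, `mnt_point` leaks, the `== 2` test fails and the parser continues from mid-line. Being an upstream SWUpdate commit the backport should stay verbatim, but both points deserve an upstream report; exposure is limited because this fallback is only reached when `/proc/partitions` and the cmdline lookups fail.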
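Review bot: in patch 0002, `dev_major = info.st_dev / 256` and `dev_minor = info.st_dev % 256` re-implement the legacy 8-bit minor split; `major()`/`minor()` from `<sys/sysmacros.h>` handle minors above 255 (the replaced comparison had the same limitation, so this is pre-existing, but the new `/sys/dev/block/%d:%d/slaves` path now depends on it too). The `scandir()` result is only consumed for `n == 1`: the `devlist[i]` entries are never freed, and a mapping with several slaves falls through to `/proc/partitions` and returns the dm device itself rather than an underlying block device.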
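Review bot: `debian/patches/series` lists `0002-util-Extend-get_root-to-find-LUKS-devices.diff` before `0001-util-Add-get_root-source-proc-self-mountinfo.diff`, the reverse of their numbering and of the blob ids in the diffs (`0001` takes `core/util.c` from `7d7673a` to `51a16b6`, `0002` from `51a16b6` to `3b81c09`). The hunks do not overlap, so they appear to apply in either order with offsets, but the series should follow the upstream order so the patches apply without fuzz and match what was tested upstream.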
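Review bot: in the `swupdate_2021.04-1+debian-gbp.bb` hunk, the comment `# Patch for dm-verity based images - can be removed with next SWUpdate release` is useful; consider adding the two upstream commit ids from the commit message (`388f1777`, `3914d2b7`) so the removal condition can be checked against a future SWUpdate version. The trailing `# end patching for dm-verity based images` marker adds nothing for a single `SRC_URI +=` line and can go.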