From patchwork Tue Apr 19 16:06:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12819265 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D50BDC3527C for ; Tue, 19 Apr 2022 17:48:47 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.1359.1650384422681603508 for ; Tue, 19 Apr 2022 09:07:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=JbdbyHOM; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-294854-202204191606594a4761e40c4cd589eb-exsw5j@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202204191606594a4761e40c4cd589eb for ; Tue, 19 Apr 2022 18:06:59 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=yqBq9e6JOX38D37d2PaWqVpW+iF6pD87DmcgfoLvJjI=; b=JbdbyHOM4fjzMnHJl7NEwvz2AAZaHfpd5MVhuVGRPVsbhiLAwvIP/FoaYDpPfVYNRfUs00 5VO+nFTjW6bFPWpDJUqH/RqwiqvdY38M+iF7D8UNVawF+taIrhAhPmfG8arzwDlMb0kOiGX0 mSyvAG0/a82vjIkn6ATHXrkOi/BoE=; 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 1/5] squashfs-img: Cosmetic cleanups Date: Tue, 19 Apr 2022 18:06:54 +0200 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Apr 2022 17:48:47 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8107 From: Jan Kiszka SQUASHFS_EXCLUDE_DIRS is given a default value in this class, so the 'or ""' is redundant. Furthermore, remove the unneeded space from the SQUASHFS_CREATION_ARGS default assignment as well as misleading comment in front of its anonymous constructor function. Signed-off-by: Jan Kiszka --- classes/squashfs-img.bbclass | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/classes/squashfs-img.bbclass b/classes/squashfs-img.bbclass index 0fcfca5..04bb67c 100644 --- a/classes/squashfs-img.bbclass +++ b/classes/squashfs-img.bbclass @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2021 +# Copyright (c) Siemens AG, 2021-2022 # # Authors: # Quirin Gylstorff 
@@ -15,14 +15,14 @@ IMAGER_INSTALL += "squashfs-tools" SQUASHFS_EXCLUDE_DIRS ?= "" SQUASHFS_CONTENT ?= "${PP_ROOTFS}" -SQUASHFS_CREATION_ARGS ?= " " -# Generate squashfs filesystem image +SQUASHFS_CREATION_ARGS ?= "" + python __anonymous() { - exclude_directories = (d.getVar('SQUASHFS_EXCLUDE_DIRS') or "").split() + exclude_directories = d.getVar('SQUASHFS_EXCLUDE_DIRS').split() if len(exclude_directories) == 0: return - # use wildcard to exclude only content of the the directory - # this allows to use the directory as a mount point + # Use wildcard to exclude only content of the directory. + # This allows to use the directory as a mount point. args = " -wildcards" for dir in exclude_directories: args += " -e {dir}/* ".format(dir=dir) From patchwork Tue Apr 19 16:06:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12819264 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC02EC4167D for ; Tue, 19 Apr 2022 17:48:47 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.1288.1650384422679254422 for ; Tue, 19 Apr 2022 09:07:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=kexM0+ea; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-294854-202204191606594516229fbcb960f25a-ljk7yu@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202204191606594516229fbcb960f25a for ; Tue, 19 Apr 2022 18:06:59 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; 
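Review bot: the `args += " -e {dir}/* ".format(dir=dir)` line in the `@@ -15,14 +15,14 @@` hunk of squashfs-img.bbclass still carries a trailing space inside the format string, which a cosmetic cleanup of this kind could drop too; suggest `args += " -e {dir}/*".format(dir=dir)`, since every entry is already prefixed with a space. The rewritten comment would also read better as "This allows using the directory as a mount point." Dropping the `or ""` is safe here because `SQUASHFS_EXCLUDE_DIRS ?= ""` sits in the same class a few lines above the anonymous function, so `d.getVar()` cannot return None for it.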
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=DVa28e3revwltqWwVqd9NCgHW3AJxtMPoEIE6vlQpS0=; b=kexM0+eaVcpuz4jvMvRTYFwwZ6kmqri/de8Mm4mYccjibQLHTW4qLaJWICHN5/lD3UIQrI q8v8Y16QfYISFE9iLJp7g5hWn6G6dGkIM31hw6v2sukbscy65C97/rA+BYII8OT6uljLwzsX WMeH/0fk8kPuXVvJ30uTaeoAN7SNA=; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 2/5] verity-img: Inherit the source image type class directly Date: Tue, 19 Apr 2022 18:06:55 +0200 Message-Id: <6659ac3c63809a0adc2065dbd9593cedc79b1d04.1650384418.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Apr 2022 17:48:47 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8106 From: Jan Kiszka VERITY_IMAGE_TYPE defines where the verity-img class takes its input from. Ensure that this class is present and hook it up directly in verity-img. Makes the usage of this class more convenient. Consequently, code can be dropped from the secure-wic-swu-img class. Signed-off-by: Jan Kiszka --- classes/secure-wic-swu-img.bbclass | 9 +-------- classes/verity-img.bbclass | 10 +++++++--- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/classes/secure-wic-swu-img.bbclass b/classes/secure-wic-swu-img.bbclass index c2b2402..85342fe 100644 --- a/classes/secure-wic-swu-img.bbclass +++ b/classes/secure-wic-swu-img.bbclass @@ -1,7 +1,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2021 +# Copyright (c) Siemens AG, 2021-2022 # # Authors: # Quirin Gylstorff 
@@ -9,12 +9,6 @@ # SPDX-License-Identifier: MIT # -SECURE_IMAGE_FSTYPE ?= "squashfs" - -inherit ${SECURE_IMAGE_FSTYPE}-img - -VERITY_IMAGE_TYPE = "${SECURE_IMAGE_FSTYPE}" - INITRAMFS_RECIPE ?= "cip-core-initramfs" do_wic_image[depends] += "${INITRAMFS_RECIPE}:do_build" INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" @@ -22,5 +16,4 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" inherit verity-img inherit wic-swu-img -addtask do_verity_image after do_${SECURE_IMAGE_FSTYPE}_image addtask do_wic_image after do_verity_image diff --git a/classes/verity-img.bbclass b/classes/verity-img.bbclass index 3c94643..b7d7f08 100644 --- a/classes/verity-img.bbclass +++ b/classes/verity-img.bbclass @@ -1,22 +1,26 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2021 +# Copyright (c) Siemens AG, 2021-2022 # # Authors: # Quirin Gylstorff # # SPDX-License-Identifier: MIT # -IMAGER_INSTALL += "cryptsetup" VERITY_IMAGE_TYPE ?= "squashfs" + +inherit ${VERITY_IMAGE_TYPE}-img + VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.img" VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" VERITY_IMAGE_METADATA = "${VERITY_OUTPUT_IMAGE}.metadata" VERITY_HASH_BLOCK_SIZE ?= "1024" VERITY_DATA_BLOCK_SIZE ?= "1024" +IMAGER_INSTALL += "cryptsetup" + create_verity_env_file() { local ENV="${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env" 
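Review bot: removing `SECURE_IMAGE_FSTYPE` from secure-wic-swu-img.bbclass in the `@@ -9,12 +9,6 @@` hunk silently orphans any `SECURE_IMAGE_FSTYPE = "..."` that users still carry in local.conf or kas files: the knob is effectively renamed to `VERITY_IMAGE_TYPE` without a compatibility assignment or a mention in the commit message. Suggest either a one-line bridge such as `VERITY_IMAGE_TYPE ?= "${SECURE_IMAGE_FSTYPE}"` for one release, or at least documenting the rename. The `SECURE_IMAGE_FSTYPE = "squashfs"` line that patch 3 drops from kas/opt/ebg-secure-boot-snakeoil.yml belongs with this patch for bisectability. In the verity-img.bbclass hunk, `inherit ${VERITY_IMAGE_TYPE}-img` is expanded when the class is parsed, so `VERITY_IMAGE_TYPE` must already be set before the `inherit verity-img` line in the including class or recipe; a comment next to the `?=` default saying so would save users from a puzzling "class not found" later.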
@@ -70,4 +74,4 @@ python do_verity_image() { bb.build.exec_func('verity_setup', d) bb.build.exec_func('create_verity_env_file', d) } -addtask verity_image before do_image after do_image_tools +addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image From patchwork Tue Apr 19 16:06:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12819269 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E4F07C4707A for ; Tue, 19 Apr 2022 17:48:47 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web08.1387.1650384423096486753 for ; Tue, 19 Apr 2022 09:07:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=jlpOH+Ra; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-294854-202204191606594111a61313db6640ec-usukku@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202204191606594111a61313db6640ec for ; Tue, 19 Apr 2022 18:07:00 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=MEQHPFoVUTyR9c3RGz46MbfJnoGDZWiBQLofLmUz97M=; b=jlpOH+Rag3I/WIZl0OjceTGroOjIRuyL0UYgMYx+1rOH5fS8gG+tINWNXPERcTCn4LuHZm M8Lf2SamKqZgIF5zb0Cy293nlxPQ5jCQbr3PqtVBM3T7Bt/iPW7cwyHvfEBcZoq4U85GijxW NXE3OEHwm86Ka8muLRPqUXwzCwSp4=; 
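Review bot: `addtask verity_image before do_image after do_${VERITY_IMAGE_TYPE}_image` drops the explicit `after do_image_tools` ordering while the class still adds `IMAGER_INSTALL += "cryptsetup"`, so `verity_setup` now depends on do_squashfs_image (or whichever image task is substituted) itself being ordered after do_image_tools. That is presumably the case for squashfs-img, which uses IMAGER_INSTALL as well, but keeping `after do_image_tools do_${VERITY_IMAGE_TYPE}_image` would make the requirement explicit instead of relying on the transitive ordering of a class selected at parse time.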
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 3/5] swupdate: Make rootfs read-only also in non-secure setup Date: Tue, 19 Apr 2022 18:06:56 +0200 Message-Id: <35eb6427e61911e9b209169271a043c9ebafa76a.1650384418.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8111 From: Jan Kiszka This is more logical because the rootfs is going to be overwritten completely on updates. Everything that is supposed to stay should go into the overlays. Along with this, wic-swu-img.bbclass is aligned to its big brother secure-wic-swu-img.bbclass by pulling in the image include read-only.inc. To reduce the (already existing) duplication between qemu-amd64-efibootguard.wks.in and simatic-ipc227e-efibootguard.wks.in, replace both by a link to a common wks file.
Signed-off-by: Jan Kiszka --- classes/wic-swu-img.bbclass | 23 +++++++++++++++++++ kas/opt/ebg-secure-boot-snakeoil.yml | 7 +++--- kas/opt/efibootguard.yml | 2 +- kas/opt/swupdate.yml | 2 +- recipes-core/images/read-only.inc | 30 ------------------------- wic/qemu-amd64-efibootguard.wks | 6 ----- wic/qemu-amd64-efibootguard.wks.in | 1 + wic/simatic-ipc227e-efibootguard.wks | 7 ------ wic/simatic-ipc227e-efibootguard.wks.in | 1 + wic/swupdate-partition.inc | 2 -- wic/x86-efibootguard.wks.in | 13 +++++++++++ 11 files changed, 43 insertions(+), 51 deletions(-) delete mode 100644 recipes-core/images/read-only.inc delete mode 100644 wic/qemu-amd64-efibootguard.wks create mode 120000 wic/qemu-amd64-efibootguard.wks.in delete mode 100644 wic/simatic-ipc227e-efibootguard.wks create mode 120000 wic/simatic-ipc227e-efibootguard.wks.in delete mode 100644 wic/swupdate-partition.inc create mode 100644 wic/x86-efibootguard.wks.in diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass index f03befa..231b249 100644 --- a/classes/wic-swu-img.bbclass +++ b/classes/wic-swu-img.bbclass @@ -9,7 +9,30 @@ # SPDX-License-Identifier: MIT # +SQUASHFS_EXCLUDE_DIRS += "home var" + +inherit squashfs-img inherit wic-img inherit swupdate-img +IMAGE_INSTALL += "etc-overlay-fs" +IMAGE_INSTALL += "home-fs" +IMAGE_INSTALL += "tmp-fs" + +image_configure_fstab() { + sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF +# Begin /etc/fstab +/dev/root / auto defaults,ro 0 0 +LABEL=var /var auto defaults 0 0 +proc /proc proc nosuid,noexec,nodev 0 0 +sysfs /sys sysfs nosuid,noexec,nodev 0 0 +devpts /dev/pts devpts gid=5,mode=620 0 0 +tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0 +devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 +# End /etc/fstab +EOF +} + +addtask do_wic_image after do_squashfs_image + addtask do_swupdate_image after do_wic_image diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index be58b15..14a5d6a 100644 
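Review bot: the `image_configure_fstab()` function added to wic-swu-img.bbclass is not wired into any command list in this hunk; like the deleted read-only.inc it relies on isar's rootfs configure step calling a function of exactly this name, which deserves a one-line comment above the function so the next reader does not hunt for a missing `ROOTFS_CONFIGURE_COMMAND` entry. The fstab heredoc mounts `/var` via `LABEL=var` but has no entry for `/home`, although the new x86-efibootguard.wks.in creates a partition labelled `home`; if `home-fs` is what mounts it, a comment in the heredoc saying so would avoid the question. Note also that secure-wic-swu-img.bbclass inherits wic-swu-img, so it now picks up `inherit squashfs-img` and `addtask do_wic_image after do_squashfs_image` on top of its own `addtask do_wic_image after do_verity_image`; harmless, but worth a sentence in the commit message.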
--- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -15,15 +15,14 @@ header: - kas/opt/efibootguard.yml local_conf_header: - image-options-swupdate-ro: | - CIP_IMAGE_OPTIONS_append = " swupdate.inc read-only.inc" + image-options-swupdate: | + CIP_IMAGE_OPTIONS_append = " swupdate.inc" swupdate: | IMAGE_INSTALL_append = " swupdate" IMAGE_INSTALL_append = " swupdate-handler-roundrobin" - verity-img: | - SECURE_IMAGE_FSTYPE = "squashfs" + secure-boot-image: | IMAGE_FSTYPES = "secure-wic-swu-img" WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml index 0502b9c..ce89756 100644 --- a/kas/opt/efibootguard.yml +++ b/kas/opt/efibootguard.yml @@ -25,7 +25,7 @@ local_conf_header: WDOG_TIMEOUT ?= "60" WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE" IMAGE_FSTYPES ?= "wic-img" - WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks" + WKS_FILE ?= "${MACHINE}-efibootguard.wks.in" ovmf-binaries: | # Add ovmf binaries for qemu diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index 1b2aff4..31cd0d1 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml @@ -24,4 +24,4 @@ local_conf_header: wic-swu: | IMAGE_FSTYPES = "wic-swu-img" - WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks" + WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in" diff --git a/recipes-core/images/read-only.inc b/recipes-core/images/read-only.inc deleted file mode 100644 index c031e39..0000000 --- a/recipes-core/images/read-only.inc +++ /dev/null 
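Review bot: in the kas/opt/efibootguard.yml hunk, `WKS_FILE ?= "${MACHINE}-efibootguard.wks.in"` now resolves (through the new symlinks) to x86-efibootguard.wks.in, whose rawcopy partitions need `${IMAGE_FULLNAME}.squashfs.img`, yet the same file keeps `IMAGE_FSTYPES ?= "wic-img"`, and in this series squashfs-img is only inherited by wic-swu-img.bbclass. A build with efibootguard.yml but without swupdate.yml would therefore reference a squashfs image that nothing produces; either inherit squashfs-img for the plain wic-img case as well, or make this WKS_FILE default depend on SWUpdate being enabled. Separately, efibootguard.yml now hard-codes `efibootguard` while the swupdate.yml hunk keeps `${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in`; one convention for both would be clearer.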
@@ -1,30 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2021 -# -# Authors: -# Quirin Gylstorff -# -# SPDX-License-Identifier: MIT -# - -SQUASHFS_EXCLUDE_DIRS += "home var" - -IMAGE_INSTALL += "etc-overlay-fs" -IMAGE_INSTALL += "home-fs" -IMAGE_INSTALL += "tmp-fs" - -image_configure_fstab() { - sudo tee '${IMAGE_ROOTFS}/etc/fstab' << EOF -# Begin /etc/fstab -/dev/root / auto defaults,ro 0 0 -LABEL=var /var auto defaults 0 0 -proc /proc proc nosuid,noexec,nodev 0 0 -sysfs /sys sysfs nosuid,noexec,nodev 0 0 -devpts /dev/pts devpts gid=5,mode=620 0 0 -tmpfs /run tmpfs nodev,nosuid,size=500M,mode=755 0 0 -devtmpfs /dev devtmpfs mode=0755,nosuid 0 0 -# End /etc/fstab -EOF -} diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks deleted file mode 100644 index 6653068..0000000 --- a/wic/qemu-amd64-efibootguard.wks +++ /dev/null @@ -1,6 +0,0 @@ -# short-description: Qemu-amd64 with Efibootguard and SWUpdate -# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate -include ebg-sysparts.inc -include swupdate-partition.inc - -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" diff --git a/wic/qemu-amd64-efibootguard.wks.in b/wic/qemu-amd64-efibootguard.wks.in new file mode 120000 index 0000000..b3a73fa --- /dev/null +++ b/wic/qemu-amd64-efibootguard.wks.in @@ -0,0 +1 @@ +x86-efibootguard.wks.in \ No newline at end of file diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks deleted file mode 100644 index f6191bc..0000000 --- a/wic/simatic-ipc227e-efibootguard.wks +++ /dev/null @@ -1,7 +0,0 @@ -# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate -# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate - -include ebg-sysparts.inc -include swupdate-partition.inc - -bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" 
diff --git a/wic/simatic-ipc227e-efibootguard.wks.in b/wic/simatic-ipc227e-efibootguard.wks.in new file mode 120000 index 0000000..b3a73fa --- /dev/null +++ b/wic/simatic-ipc227e-efibootguard.wks.in @@ -0,0 +1 @@ +x86-efibootguard.wks.in \ No newline at end of file diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc deleted file mode 100644 index 6912542..0000000 --- a/wic/swupdate-partition.inc +++ /dev/null @@ -1,2 +0,0 @@ -part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4 --mkfs-extraopts "-T default" -part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4 --mkfs-extraopts "-T default" diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in new file mode 100644 index 0000000..f60ebcf --- /dev/null +++ b/wic/x86-efibootguard.wks.in 
@@ -0,0 +1,13 @@ +# short-description: x86 with EFI Boot Guard and SWUpdate +# long-description: Disk image for x86 machines with EFI Boot Guard and SWUpdate + +include ebg-sysparts.inc + +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" + +# home and var are extra partitions +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G + +bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk" From patchwork Tue Apr 19 16:06:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12819267 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DDD4EC3526F for ; Tue, 19 Apr 2022 17:48:47 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web09.1328.1650384423099893397 for ; Tue, 19 Apr 2022 09:07:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=Vn3QLbcO; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-294854-202204191607008708b398e96c1ffbd3-4mas9o@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202204191607008708b398e96c1ffbd3 for ; Tue, 19 Apr 2022 18:07:00 +0200 DKIM-Signature: v=1; a=rsa-sha256; 
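Review bot: the two rawcopy partitions in the new wic/x86-efibootguard.wks.in keep the partition UUIDs from the deleted swupdate-partition.inc but drop its `--label systema` / `--label systemb`. If SWUpdate's sw-description or the EFI Boot Guard configuration selects the slots by UUID only, that is fine, but the commit message should say so, because anything that still resolves `/dev/disk/by-label/systema` or `systemb` will stop working with this patch. The `--fixed-size 1G` slots also replace the old `--size 1000M --extra-space 128M` ext4 layout; a note that the squashfs image must now fit in 1G (wic fails otherwise) would help people sizing their images.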
q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=F04np6A3YIsU85PLtds4woYFdB864iC9yfTB8VZyVDw=; b=Vn3QLbcOXdzHNadwog3PO65aGPFaWcgulF/a3r08T5QlerVESCnGcnp7T+BvDBdNW7M3hB UCmYosSszaMZ9jzdQPJ7wYSsM/bgd/cR0zBD7wWr/kSyF980ud7zUnRiJ9YsNMt6uNQuHPgR AbaEIPJCQLuei7TSeEnLQSH+GsoVk=; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 4/5] Restrict OVMF to qemu-amd64 machine Date: Tue, 19 Apr 2022 18:06:57 +0200 Message-Id: <32d37669f36a38fbdfb5e19ffcc1f16047aa9af8.1650384418.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Apr 2022 17:48:47 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8109 From: Jan Kiszka No need to run this for non-qemu and non-x86. And, yes, overrides can stack. Signed-off-by: Jan Kiszka --- kas/opt/efibootguard.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml index ce89756..2d84427 100644 --- a/kas/opt/efibootguard.yml +++ b/kas/opt/efibootguard.yml 
@@ -29,8 +29,8 @@ local_conf_header: ovmf-binaries: | # Add ovmf binaries for qemu - IMAGER_BUILD_DEPS += "ovmf-binaries" - # not needed Debian 11 and later - OVERRIDES_append = ":${BASE_DISTRO_CODENAME}" - DISTRO_APT_SOURCES_append_buster = " conf/distro/debian-buster-backports.list" - DISTRO_APT_PREFERENCES_append_buster = " conf/distro/preferences.ovmf-snakeoil.conf" + IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries" + # not needed for Debian 11 and later + OVERRIDES_append_qemu-amd64 = ":${BASE_DISTRO_CODENAME}" + DISTRO_APT_SOURCES_append_qemu-amd64_buster = " conf/distro/debian-buster-backports.list" + DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf" From patchwork Tue Apr 19 16:06:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 12819266 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D554BC41535 for ; Tue, 19 Apr 2022 17:48:47 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web08.1386.1650384423096306932 for ; Tue, 19 Apr 2022 09:07:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=YTp5mAxz; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-294854-202204191607000454c1885a44a1b843-_nae1q@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202204191607000454c1885a44a1b843 for ; Tue, 19 Apr 2022 18:07:00 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; 
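Review bot: `IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries"` mixes the `_append` override with `+=`: the `+=` acts on the variable literally named `IMAGER_BUILD_DEPS_append_qemu-amd64`, giving it a leading space, and that value is then appended verbatim. It works, but the idiomatic form matching the lines right below it is `IMAGER_BUILD_DEPS_append_qemu-amd64 = " ovmf-binaries"`. For the stacked overrides `_qemu-amd64_buster` on the DISTRO_APT_* lines, the `buster` part only takes effect once `OVERRIDES_append_qemu-amd64 = ":${BASE_DISTRO_CODENAME}"` has added the codename, so the ordering of these lines matters; since the commit message already anticipates the "can overrides stack?" question, a short comment in the yml saying exactly this would close it.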
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=y9bXgGbX7OOtVx4/jJlQhNL49cgsnyBtrqxmMwkr1/g=; b=YTp5mAxzdzYaEeuN8/XZS9sQYxF4XmRW/j4u6eeQ6pVOIiTVfPKpdRyCC18nqDNY0kgG/T nRruN5mFe/R3CQcWTIhRUJ2fvU0EEJ+6GpHDWmU7T45bpj4aNfDuEyuwpPw9RrIRVks7oOVk fAkxvY/yS4RJOoQGZLVyxVeG9PXJs=; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Christian Storm Subject: [isar-cip-core][PATCH 5/5] wic: Drop redundant / misleading --ondisk sda parameters Date: Tue, 19 Apr 2022 18:06:58 +0200 Message-Id: <550de78f33624ba99dfc9eaf32e3f419faae39e0.1650384418.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 19 Apr 2022 17:48:47 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8108 From: Jan Kiszka First, sda is the default anyway. But, more importantly, we do not need this parameter in these cases as we either mount by label/uuid or do not mount at all (EBG partitions). Signed-off-by: Jan Kiszka --- wic/ebg-signed-bootloader.inc | 2 +- wic/ebg-sysparts.inc | 6 +++--- wic/qemu-amd64-efibootguard-secureboot.wks.in | 12 ++++++------ wic/simatic-ipc227e.wks | 4 ++-- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc index 667e014..62ebca9 100644 --- a/wic/ebg-signed-bootloader.inc +++ b/wic/ebg-signed-bootloader.inc 
@@ -1,2 +1,2 @@ # EFI partition containing efibootguard bootloader binary -part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-efi --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc index 18c879a..9b2c879 100644 --- a/wic/ebg-sysparts.inc +++ b/wic/ebg-sysparts.inc @@ -1,8 +1,8 @@ # default partition layout EFI Boot Guard usage # EFI partition containing efibootguard bootloader binary -part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active +part --source efibootguard-efi --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active # EFI Boot Guard environment/config partitions plus Kernel files -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2" -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1" +part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2" +part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1" diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index c47257b..54f7143 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in 
@@ -2,14 +2,14 @@ include ebg-signed-bootloader.inc # EFI Boot Guard environment/config partitions plus Kernel files -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh" -part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh" +part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh" -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" -part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --ondisk sda --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001" +part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002" # home and var are extra partitions -part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --ondisk sda --fstype=ext4 --label home --align 1024 --size 1G -part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --ondisk sda --fstype=ext4 --label var --align 1024 --size 2G +part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 
--size 1G +part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait rw earlyprintk" diff --git a/wic/simatic-ipc227e.wks b/wic/simatic-ipc227e.wks index d0081f7..9044e0f 100644 --- a/wic/simatic-ipc227e.wks +++ b/wic/simatic-ipc227e.wks @@ -6,8 +6,8 @@ # SPDX-License-Identifier: MIT # -part /boot --source bootimg-efi-isar --sourceparams "loader=grub-efi" --ondisk sda --label efi --part-type EF00 --align 1024 +part /boot --source bootimg-efi-isar --sourceparams "loader=grub-efi" --label efi --part-type EF00 --align 1024 -part / --source rootfs --ondisk sda --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid +part / --source rootfs --fstype ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid bootloader --ptable gpt --timeout 2 --append "console=ttyS0,115200"
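Review bot: the commit message's rationale ("we either mount by label/uuid or do not mount at all") does not quite cover the `part /boot` line in wic/simatic-ipc227e.wks: it has a mount point and `--label efi` but neither `--use-label` nor `--use-uuid`, so if wic updates the image fstab for it, the `/boot` entry falls back to the `--ondisk` device, which is now the implicit default sda instead of the explicit one. Behaviour is unchanged, but if the intent is to stop depending on the device name, add `--use-label` (or `--use-uuid`, as the `/` line already does) to this entry. The other hunks (ebg-signed-bootloader.inc, ebg-sysparts.inc, qemu-amd64-efibootguard-secureboot.wks.in) only touch partitions without a mount point or rawcopy partitions, so the rationale holds there.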