From patchwork Thu Mar 2 20:30:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13157836
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [isar-cip-core][PATCH 1/5] swupdate: Avoid open-coding IMAGE_FULLNAME Date: Thu, 2 Mar 2023 21:30:50 +0100 Message-Id: <4b6435e74e0d9d396ff75e9a834715f4a3011f7f.1677789054.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Mar 2023 20:31:01 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10890 From: Jan Kiszka This will break if IMAGE_FULLNAME is not PN-DISTRO-MACHINE, e.g. when enabling kas/ops/test.yml. Signed-off-by: Jan Kiszka --- classes/swupdate.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 9fcaf3c2..064d0ad5 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass 
@@ -15,7 +15,7 @@ SWU_ROOTFS_NAME ?= "${IMAGE_FULLNAME}" SWU_COMPRESSION_TYPE ?= "zlib" SWU_ROOTFS_PARTITION_NAME ?= "${SWU_ROOTFS_NAME}.${SWU_ROOTFS_TYPE}.${@get_swu_compression_type(d)}" -SWU_IMAGE_FILE ?= "${DEPLOY_DIR_IMAGE}/${PN}-${DISTRO}-${MACHINE}.swu" +SWU_IMAGE_FILE ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.swu" SWU_DESCRIPTION_FILE ?= "sw-description" SWU_ADDITIONAL_FILES ?= "linux.efi ${SWU_ROOTFS_PARTITION_NAME}" SWU_SIGNED ?= "" From patchwork Thu Mar 2 20:30:51 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13157832 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8BA3C7EE37 for ; Thu, 2 Mar 2023 20:31:01 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.5530.1677789059756469286 for ; Thu, 02 Mar 2023 12:31:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=pHAo9F2M; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-294854-20230302203056905a8b7e9a0b14adc6-2a7oaf@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20230302203056905a8b7e9a0b14adc6 for ; Thu, 02 Mar 2023 21:30:56 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=FFFrx1w5YHb1KmUEfb7HFMHi5w/cuGfEF2G52gdiCJg=; b=pHAo9F2MX6XKfQK1xY73Xs+PoBqihE7PJRLXs5qd4t6J9H5ybqrGOmbDxgXCeR9W6/832B JysyAILvM3Sjn/MSfs8zCDFoh2ojH7ESVRBm71s+BHyyuPbHzm5GYSYfMSnFnUm4BqOdvD8+ 
0cnzO4WLoXQQpTZDgh/RqYqBotVs0=; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [isar-cip-core][PATCH 2/5] initramfs-*-hook: Avoid open-coding IMAGE_FULLNAME Date: Thu, 2 Mar 2023 21:30:51 +0100 Message-Id: <4c5c5cddd691665c3ad06ea0740a7a98371fff2c.1677789054.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Mar 2023 20:31:01 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10889 From: Jan Kiszka We can't pull IMAGE_FULLNAME from the image class as this is a dpkg class, but we should account for potential global changes to this variable like done by kas/opt/test.yml. This will ensure that we stay in sync with the generator in image_uuid.bbclass. Signed-off-by: Jan Kiszka --- .../initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb | 6 +++++- .../initramfs-verity-hook/initramfs-verity-hook_0.1.bb | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb index 8b1536f3..17c60da4 100644 --- a/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb +++ b/recipes-initramfs/initramfs-abrootfs-hook/initramfs-abrootfs-hook_0.1.bb 
@@ -20,7 +20,11 @@ SRC_URI += "file://abrootfs.hook \ ABROOTFS_IMAGE_RECIPE ?= "cip-core-image" -IMAGE_UUID_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${ABROOTFS_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.uuid.env" +# This is defined in image.bbclass which cannot be used in a package recipe. +# However, we need to use IMAGE_FULLNAME to pick up any extensions of it. +IMAGE_FULLNAME ??= "${ABROOTFS_IMAGE_RECIPE}-${DISTRO}-${MACHINE}" + +IMAGE_UUID_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.uuid.env" do_install[depends] += "${ABROOTFS_IMAGE_RECIPE}:do_generate_image_uuid" do_install[cleandirs] += " \ diff --git a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb index 59989081..3fc63ed2 100644 --- a/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb +++ b/recipes-initramfs/initramfs-verity-hook/initramfs-verity-hook_0.1.bb 
@@ -27,7 +27,11 @@ DEBIAN_CONFLICTS = "initramfs-abrootfs-hook" VERITY_IMAGE_RECIPE ?= "cip-core-image" -VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}.verity.env" +# This is defined in image.bbclass which cannot be used in a package recipe. +# However, we need to use IMAGE_FULLNAME to pick up any extensions of it. +IMAGE_FULLNAME ??= "${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}" + +VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env" do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity" do_install[cleandirs] += " \ From patchwork Thu Mar 2 20:30:52 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13157834 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A53E9C7EE33 for ; Thu, 2 Mar 2023 20:31:01 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.5501.1677789060160844684 for ; Thu, 02 Mar 2023 12:31:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=KVrx/QmJ; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-294854-202303022030567e2353c5745692055a-vzrsi8@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202303022030567e2353c5745692055a for ; Thu, 02 Mar 2023 21:30:56 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=6TZPU5gwTATXqObKFt7RMSjAfHfjFQQePhnJnDB8Sk0=; 
b=KVrx/QmJy78hN6wszu6+oF9QbCKS43YFROFo200pV4NrA5NfbLNzlY0BQhSlNR7cUIJ786 uefzHFkAMucEK9LI0wt+fvJQcTtZ/1aaI3HCWhiEItxwHqvL72zhGRnajExZbyo8Luuckkdf V920ia+xpVTSYwwXslWPI43cGrDDM=; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [isar-cip-core][PATCH 3/5] start-qemu: Add support for booting test-extended images Date: Thu, 2 Mar 2023 21:30:52 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Mar 2023 20:31:01 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10885 From: Jan Kiszka Signed-off-by: Jan Kiszka --- start-qemu.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/start-qemu.sh b/start-qemu.sh index dd16aed9..cccc51ef 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -50,6 +50,10 @@ if [ -z "${TARGET_IMAGE}" ];then fi fi +if grep -s -q "IMAGE_TESTING: true" .config.yaml; then + TEST_IMAGE="-test" +fi + arch="$1" shift 1 
@@ -125,7 +129,7 @@ case "${arch}" in ;; esac -IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${QEMU_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${QEMU_ARCH}" +IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${QEMU_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${QEMU_ARCH}${TEST_IMAGE}" if [ -z "${DISPLAY}" ]; then QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic" From patchwork Thu Mar 2 20:30:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13157835 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BAEB3C6FA8E for ; Thu, 2 Mar 2023 20:31:01 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.5500.1677789059648389585 for ; Thu, 02 Mar 2023 12:31:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=liw7kjgt; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-294854-20230302203056bf9cf580eec6e3cb09-ijbzv1@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20230302203056bf9cf580eec6e3cb09 for ; Thu, 02 Mar 2023 21:30:57 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=mc3M9bDlAnSxapUV9shCKDUxWNekgKWzSa2bjggDDUI=; b=liw7kjgtiruAeBRubPr5zKIWH3J1yexqRMxPfyYAf9ZaOMKPGZOVIn8vZWU2KicLTyN4UC AB68lmbTtBHzY8RHgEJ0PmCDcQm0NWc6yoaa7iPGVTpd/Jd0Z6z9GDNjs/+nXPKy5Zl0kz1f RFXPmeGdS22bku3Nmec9RDDAEyi4w=; 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [isar-cip-core][PATCH 4/5] cip-core-image-security: Add support for SWUpdate Date: Thu, 2 Mar 2023 21:30:53 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Mar 2023 20:31:01 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10888 From: Jan Kiszka This allows to enable both SWUpdate and the security-extended image at the same time. Signed-off-by: Jan Kiszka --- kas/opt/security.yml | 3 +++ recipes-core/images/cip-core-image-security.bb | 3 +++ 2 files changed, 6 insertions(+) diff --git a/kas/opt/security.yml b/kas/opt/security.yml index c385a627..4d119056 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml @@ -18,3 +18,6 @@ local_conf_header: USERS += "root" USER_root[password] = "Cipsecurity@123" USER_root[flags] = "clear-text-password" + adjust-swupdate: | + ABROOTFS_IMAGE_RECIPE = "cip-core-image-security" + VERITY_IMAGE_RECIPE = "cip-core-image-security" diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb index bfd91bd3..563de897 100644 --- a/recipes-core/images/cip-core-image-security.bb +++ b/recipes-core/images/cip-core-image-security.bb 
@@ -43,3 +43,6 @@ IMAGE_PREINSTALL += " \ # Package names based on the distro version IMAGE_PREINSTALL:append:buster = " libtss2-esys0" IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0" + +CIP_IMAGE_OPTIONS ?= "" +require ${CIP_IMAGE_OPTIONS} From patchwork Thu Mar 2 20:30:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13157831 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A15C7C678D4 for ; Thu, 2 Mar 2023 20:31:01 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.5529.1677789059735470594 for ; Thu, 02 Mar 2023 12:31:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=N8lc/qwA; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-294854-2023030220305725027de5d9cc088d98-oqgdze@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 2023030220305725027de5d9cc088d98 for ; Thu, 02 Mar 2023 21:30:57 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=f2Rx+RN2NGB1p7rbxxWFTbuY6aRml6rxHuIfKZkIyj8=; b=N8lc/qwAj94k99/f629f46fYC2PtjDqBnwL1TyPl6JMHdWOsRLAstvU9r9f8MVQjtq/hzy htWYOfk7kU6FxHyIY93KA1iET9if9wlnHzj2wJewWFGLHCg6inpdtPX6O6L4MeEEeG/3UCA0 BHE4US+bSgrRQEy3fAeihqgcjslDg=; 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [isar-cip-core][PATCH 5/5] security-customizations: Fix password hint Date: Thu, 2 Mar 2023 21:30:54 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Mar 2023 20:31:01 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10886 From: Jan Kiszka Signed-off-by: Jan Kiszka --- recipes-core/security-customizations/files/postinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 4ff8ecf6..167bab1c 100644 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -4,7 +4,7 @@ # Security Package configurations # -echo "CIP Core Security Image (login: root/root)" > /etc/issue +echo "CIP Core Security Image (login: root/Cipsecurity@123)" > /etc/issue HOSTNAME=demo echo "$HOSTNAME" > /etc/hostname
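Review bot: In PATCH 1/5 the commit message names `kas/ops/test.yml`, while PATCH 2/5 refers to `kas/opt/test.yml` and PATCH 4/5 touches `kas/opt/security.yml`, so `ops` looks like a typo for `opt`. The message also opens with "This will break", which reads as if the new line were the problem; say that the old `${PN}-${DISTRO}-${MACHINE}.swu` value is what breaks. The replacement at the `SWU_IMAGE_FILE` line is consistent with `SWU_ROOTFS_NAME ?= "${IMAGE_FULLNAME}"` in the context above it.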
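Review bot: In PATCH 2/5, the `IMAGE_FULLNAME ??=` fallback added to initramfs-abrootfs-hook_0.1.bb (and repeated in initramfs-verity-hook_0.1.bb) only substitutes the image recipe name when nothing global sets the variable. PATCH 1/5 describes the default as PN-DISTRO-MACHINE; if a global override is written in terms of `${PN}`, it will expand to the hook recipe's own name here, and `IMAGE_UUID_ENV_FILE` and `VERITY_ENV_FILE` will point at files the image recipe never wrote. Please confirm how kas/opt/test.yml extends the variable and state it in the new comment, and consider keeping the fallback in one shared include instead of two copies that can drift apart.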
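Review bot: In PATCH 3/5 (start-qemu.sh, hunk at -50,6), `grep -s -q "IMAGE_TESTING: true" .config.yaml` reads `.config.yaml` from the current directory, while `IMAGE_PREFIX` in the second hunk is built from `$(dirname $0)`; started from another directory, the script silently falls back to the non-test image name. `TEST_IMAGE` is also never initialised in the visible lines, so a value inherited from the environment ends up in `IMAGE_PREFIX`; set `TEST_IMAGE=""` before the `if` and look for the file under `$(dirname "$0")`. The commit message is empty apart from the sign-off; one line on where the `-test` suffix comes from would help.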
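Review bot: In PATCH 4/5, the `require ${CIP_IMAGE_OPTIONS}` line added at the end of cip-core-image-security.bb has no comment, and the commit message speaks of SWUpdate while nothing in the hunk names it; add a comment saying which option file is expected there and what happens with the empty default. In kas/opt/security.yml, `adjust-swupdate` assigns `ABROOTFS_IMAGE_RECIPE` and `VERITY_IMAGE_RECIPE` with `=` whenever the security option is selected, which overrides the `?=` defaults in the two hook recipes from PATCH 2/5 even when SWUpdate is not enabled; a short note that this is intended would be enough.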
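Review bot: In PATCH 5/5, the `echo ... > /etc/issue` line now carries a second copy of the password literal that kas/opt/security.yml sets via `USER_root[password]` (visible in the PATCH 4/5 context), which is how the hint went stale in the first place. Add a comment on both sides pointing at the other, or generate the banner from the same variable so the two cannot diverge again. Since `/etc/issue` is displayed before login, the commit message should also state that this banner is meant for the demo image only (`HOSTNAME=demo` suggests so); the message is currently empty apart from the sign-off.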