From patchwork Thu Jul 6 08:04:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13303317 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 065F5EB64DC for ; Thu, 6 Jul 2023 08:04:39 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.16609.1688630673055613251 for ; Thu, 06 Jul 2023 01:04:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=Cg6SStj2; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-294854-20230706080429eb9cd6c46ba30f2db8-y8b3_r@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20230706080429eb9cd6c46ba30f2db8 for ; Thu, 06 Jul 2023 10:04:29 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=rhozErsQWXw3+H65Y09Qxhdsa6ZZVaTe2LBLbgiyftU=; b=Cg6SStj2hr0x7ooCkiF+6GmKCp7m0Y3enwsLpKwIwcCRrw1TwXwzQJxTBGP7MIrShLD8Sq A/3354lfBUbUgv9b/ahfXBWBN8TSyZLqt/yAoji970xSWkXzmJA/HxqibLw24qb68JQaAx6q eIIoIbMvUk91lD21RhJ5DX0LXr7Cs=; 
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff Subject: [isar-cip-core][PATCH 1/3] initramfs-crypt-hook: Remove needless differences between clevis and systemd scripts Date: Thu, 6 Jul 2023 10:04:26 +0200 Message-Id: <1365151926687b7dfadcf7bb13b2600772cb6a55.1688630668.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 06 Jul 2023 08:04:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12254 From: Jan Kiszka Just quoting and comment styles. Signed-off-by: Jan Kiszka --- .../files/encrypt_partition.clevis.script | 5 ++--- .../files/encrypt_partition.systemd.script | 22 +++++++++---------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index bcb5a048..9a1c37ba 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -41,7 +41,7 @@ tpm_device=/dev/tpmrm0 partition_sets="$PARTITIONS" create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" -if [ -z "${create_file_system_cmd}" ];then +if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi @@ -73,7 +73,6 @@ reencrypt_existing_partition() { else /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" fi - } if [ ! -e "$tpm_device" ]; then 
@@ -89,7 +88,7 @@ for partition_set in $partition_sets; do partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" - partition=/dev/disk/by-partlabel/$partition_label + partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" # clevis does not work with links in /dev/disk* diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index 927184c0..eefac4bd 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -8,6 +8,7 @@ # Quirin Gylstorff # # SPDX-License-Identifier: MIT + prereqs() { # Make sure that this script is run last in local-top @@ -52,11 +53,11 @@ open_tpm2_partition() { } enroll_tpm2_token() { - #check systemd version and export password if necessary + # check systemd version and export password if necessary if [ -x /usr/bin/systemd-cryptenroll ]; then systemd_version=$(systemd-cryptenroll --version | \ awk -F " " 'NR==1{print $2 }') - #check systemd version and export password if necessary + # check systemd version and export password if necessary if [ "$systemd_version" -ge "251" ]; then PASSWORD=$(cat "$2" ) export PASSWORD 
@@ -72,20 +73,19 @@ enroll_tpm2_token() { } reencrypt_existing_partition() { - part_device=$(readlink -f "$partition") - part_size_blocks=$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size) + part_device="$(readlink -f "$partition")" + part_size_blocks="$(cat /sys/class/block/"$(awk -v dev="$part_device" 'BEGIN{split(dev,a,"/"); print a[3]}' )"/size)" # reduce the filesystem and partition by 32M to fit the LUKS header reduce_device_size=32768 - reduced_size=$(expr "$part_size_blocks" - 65536 ) - reduced_size_in_byte=$(expr "$reduced_size" \* 512) - reduced_size_in_kb=$(expr "$reduced_size_in_byte" / 1024)K + reduced_size="$(expr "$part_size_blocks" - 65536 )" + reduced_size_in_byte="$(expr "$reduced_size" \* 512)" + reduced_size_in_kb="$(expr "$reduced_size_in_byte" / 1024)K" resize2fs "$1" "${reduced_size_in_kb}" if [ -x /usr/sbin/cryptsetup-reencrypt ]; then /usr/sbin/cryptsetup-reencrypt --new --reduce-device-size "$reduce_device_size"k "$1" < "$2" else /usr/sbin/cryptsetup reencrypt --encrypt --reduce-device-size "$reduce_device_size"k "$1" < "$2" fi - } if [ ! -e "$tpm_device" ]; then 
@@ -93,9 +93,9 @@ if [ ! -e "$tpm_device" ]; then fi for partition_set in $partition_sets; do - partition_label=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}') - partition_mountpoint=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}') - partition_format=$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}') + partition_label="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[1]}')" + partition_mountpoint="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[2]}')" + partition_format="$(awk -v var="$partition_set" 'BEGIN{split(var,a,":"); print a[3]}')" partition=/dev/disk/by-partlabel/"$partition_label" crypt_mount_name="encrypted_$partition_label" decrypted_part=/dev/mapper/"$crypt_mount_name" From patchwork Thu Jul 6 08:04:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13303318 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 082B2EB64D9 for ; Thu, 6 Jul 2023 08:04:39 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web10.16607.1688630672358813969 for ; Thu, 06 Jul 2023 01:04:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=bqhG/Q75; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-294854-20230706080429097dfe430862c58012-ehutco@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20230706080429097dfe430862c58012 for ; Thu, 06 Jul 2023 10:04:29 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; 
i=jan.kiszka@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=m0Li02p90h+ohYbi7BjOuykt1nPiC8kH4XDxNerK7Ec=; b=bqhG/Q75mt+vcStjQH1eVp5vQbD88Hs4zdQYngZfQWqw9kUtX/6O45jwio43ITN6GrJkwc VNsthdNRJmcM75h2wg1I3XxecqmuH/Iaiu0aj9LTiXUkvdD+cUCVh7QLDIjo7Sdar/CGmKj5 WMK2tNLGnq45h+osNcL5MdDJjaxN4=; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff Subject: [isar-cip-core][PATCH 2/3] initramfs-crypt-hook: Service watchdog while setting up the crypto partitions Date: Thu, 6 Jul 2023 10:04:27 +0200 Message-Id: <3e0c558a5b9b0643012484839a1dbf671c4708fb.1688630668.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 06 Jul 2023 08:04:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12256 From: Jan Kiszka These operations can take longer than the watchdog timeout normally needed for booting Linux up to systemd. Add a background loop to both scripts that triggers the watchdog every 10 s, but only up to a configurable limit. Also the watchdog device can be configured, though the default /dev/watchdog should be fine in almost all cases. Signed-off-by: Jan Kiszka --- .../files/encrypt_partition.clevis.script | 17 +++++++++++++++++ .../files/encrypt_partition.env.tmpl | 2 ++ .../files/encrypt_partition.systemd.hook | 2 ++ .../files/encrypt_partition.systemd.script | 17 +++++++++++++++++ .../initramfs-crypt-hook_0.1.bb | 7 ++++++- 5 files changed, 44 insertions(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index 9a1c37ba..c38c0e94 100644 
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi +service_watchdog() { + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do + printf '\0' + sleep 10 + done > "$WATCHDOG_DEV" +} + open_tpm2_partition() { if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ -d "$1"; then @@ -104,6 +111,12 @@ for partition_set in $partition_sets; do continue fi + # service watchdog in the background during lengthy re-encryption + if [ -z "$watchdog_pid" ]; then + service_watchdog & + watchdog_pid=$! + fi + # create random password for initial encryption # this will be dropped after reboot tmp_key=/tmp/"$partition_label-lukskey" @@ -136,3 +149,7 @@ for partition_set in $partition_sets; do # afterwards no new keys can be enrolled cryptsetup -v luksKillSlot -q "$part_device" 0 done + +if [ -n "$watchdog_pid" ]; then + kill "$watchdog_pid" +fi diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl index d04be56c..382fe45f 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl @@ -1,2 +1,4 @@ PARTITIONS="${CRYPT_PARTITIONS}" CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" +SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" +WATCHDOG_DEV="${WATCHDOG_DEVICE}" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook index fa37b57a..08ea631a 100755 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.hook 
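Review bot: `service_watchdog` in the first hunk neither validates its inputs nor documents what happens when the loop ends: `$(($SETUP_TIMEOUT / 10))` is a syntax error if `SETUP_TIMEOUT` is empty, `seq 0` pings nothing for values below 10, and `> "$WATCHDOG_DEV"` fails without any message in the background if the variable is empty or the node is missing. Consider `: "${WATCHDOG_DEV:=/dev/watchdog}"` and `: "${SETUP_TIMEOUT:=600}"` ahead of the loop, plus a header comment such as `# Ping the watchdog every 10 s for at most SETUP_TIMEOUT s; when the loop ends the device is closed without the magic close character, so Linux keeps it armed and an unfinished setup ends in a watchdog reset.` The loop variable `n` is unused; `for _ in ...`, or a `while` loop on a shell-arithmetic counter (which would also spare copying `seq` into the initramfs), reads clearer. The identical function in the systemd script on the next line has the same issues.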
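Review bot: The final `kill "$watchdog_pid"` in the third hunk only reaches the loop's shell; an in-flight `sleep 10` child inherits the open fd to `$WATCHDOG_DEV` and holds it for up to 10 s, and because the device is never closed with the magic close character the watchdog stays armed afterwards, so the hand-over to systemd's servicing has to happen within the hardware timeout — that constraint deserves a comment at the kill site. Nothing stops the pinger if an error path leaves the script before this line (the loop body's exit paths are outside the hunk, so I cannot confirm there are any); a `trap 'kill "$watchdog_pid" 2>/dev/null' EXIT` set right after `watchdog_pid=$!` in the second hunk would cover both the normal and any early exit, so a failed setup is not kept alive by a stray pinger for up to SETUP_TIMEOUT seconds. The same end-of-script block is repeated in the systemd script on the next line.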
@@ -36,6 +36,8 @@ copy_exec /usr/sbin/mke2fs || hook_error "/usr/sbin/mke2fs not found" copy_exec /usr/bin/grep || hook_error "/usr/bin/grep not found" copy_exec /usr/bin/awk || hook_error "/usr/bin/awk not found" copy_exec /usr/bin/expr || hook_error "/usr/bin/expr not found" +copy_exec /usr/bin/seq || hook_error "/usr/bin/seq not found" +copy_exec /usr/bin/sleep || hook_error "/usr/bin/sleep not found" copy_exec /usr/sbin/e2fsck || hook_error "/usr/sbin/e2fsck not found" copy_exec /usr/sbin/resize2fs || hook_error "/usr/sbin/resize2fs not found" copy_exec /usr/sbin/cryptsetup || hook_error "/usr/sbin/cryptsetup not found" diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script index eefac4bd..cf513dfe 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script @@ -45,6 +45,13 @@ if [ -z "${create_file_system_cmd}" ]; then create_file_system_cmd="mke2fs -t ext4" fi +service_watchdog() { + for n in $(seq $(($SETUP_TIMEOUT / 10)) ); do + printf '\0' + sleep 10 + done > "$WATCHDOG_DEV" +} + open_tpm2_partition() { if ! /usr/lib/systemd/systemd-cryptsetup attach "$crypt_mount_name" \ "$1" - tpm2-device="$tpm_device"; then @@ -111,6 +118,12 @@ for partition_set in $partition_sets; do continue fi + # pet watchdog in the background during lengthy re-encryption + if [ -z "$watchdog_pid" ]; then + service_watchdog & + watchdog_pid=$! + fi + # create random password for initial encryption # this will be dropped after reboot tmp_key=/tmp/"$partition_label-lukskey" @@ -143,3 +156,7 @@ for partition_set in $partition_sets; do # afterwards no new keys can be enrolled /usr/bin/systemd-cryptenroll "$partition" --wipe-slot=0 done + +if [ -n "$watchdog_pid" ]; then + kill "$watchdog_pid" +fi 
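Review bot: The hook now copies `seq` and `sleep` into the initramfs, but nothing ensures the watchdog driver itself is present there; if it is built as a module (e.g. `iTCO_wdt`, which patch 3 configures on the x86 targets), `$WATCHDOG_DEV` does not exist when `service_watchdog` opens it, the background loop fails without a message and the re-encryption runs without watchdog servicing. If the initramfs is built with `MODULES=most` this is presumably covered already, but an explicit `manual_add_modules` call for the watchdog driver, or at least a comment stating that assumption next to the new `copy_exec` lines, would make the dependency visible. Replacing `seq` with a shell-arithmetic `while` loop in `service_watchdog` would also drop one of the two new copies.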
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 997f469d..db65ea40 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
@@ -33,8 +33,13 @@ CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt" # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem # in a newly formatted LUKS Partition CRYPT_CREATE_FILE_SYSTEM_CMD ??= "mke2fs -t ext4" +# Timeout for creating / re-encrypting partitions on first boot +CRYPT_SETUP_TIMEOUT ??= "600" +# Watchdog to service during the initial setup of the crypto partitions +WATCHDOG_DEVICE ??= "/dev/watchdog" -TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD" +TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ + CRYPT_SETUP_TIMEOUT WATCHDOG_DEVICE" TEMPLATE_FILES = "encrypt_partition.env.tmpl" do_install[cleandirs] += " \ From patchwork Thu Jul 6 08:04:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13303320 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0736FEB64DD for ; Thu, 6 Jul 2023 08:04:39 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.16608.1688630672827081983 for ; Thu, 06 Jul 2023 01:04:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=Znuk5Bcc; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-294854-20230706080429c5a0647cef89d92681-_teyvd@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20230706080429c5a0647cef89d92681 for ; Thu, 06 Jul 2023 10:04:30 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=jan.kiszka@siemens.com; 
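Review bot: The comment above the new `CRYPT_SETUP_TIMEOUT ??= "600"` gives no unit and does not say how the value is consumed; the scripts divide it by 10 and stop servicing the watchdog once it elapses, so a user setting it needs to know both. Suggest `# Timeout in seconds for creating / re-encrypting partitions on first boot; the watchdog is serviced in 10 s steps and no longer once this expires` and, for the second variable, `# Watchdog device node to service during the initial setup of the crypto partitions`. Both values are exported verbatim through encrypt_partition.env.tmpl, so an empty override propagates unchecked into the scripts, which is worth a sentence here as well.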
h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=mFOnYt+ByGBhyHEOIsSF9pJseMh3qBxUzEKY4lP8Br4=; b=Znuk5BcclZ0HA7CVrPgr0UtUYqsT7hKlLKWgtGKn+GlxudNcN2WFEYQn6iZB2Qx+SmctZB cjQ/8knKzZXxUv+EsDwPrVcUccRR9tXd9CRfz+6WiFP9eFp8sx0tO+sLkHfVqgzyVpzLSWJy 5IMPSvZLHAU+RgGTnU1Q3Qw7GLeUg=; From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff Subject: [isar-cip-core][PATCH 3/3] x86: Harden watchdog settings Date: Thu, 6 Jul 2023 10:04:28 +0200 Message-Id: <47f5c4c4904d2759cee134f4cd150c1c38fa8cf2.1688630668.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 06 Jul 2023 08:04:39 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/12257 From: Jan Kiszka These ensure that the watchdog is only starting to be serviced by systemd, not yet by the kernel itself right after probing. This is needed in order to catch lock-ups in the initramfs userspace. While at it, turn the iTCO - where used - into no-way-out mode, making things even more robust. Signed-off-by: Jan Kiszka --- wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +- wic/x86-efibootguard.wks.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in index 5c411161..12fa45f0 100644 --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in 
@@ -7,4 +7,4 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}
 part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
 part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk panic=5"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog.handle_boot_enabled=0 iTCO_wdt.nowayout=1 panic=5"
diff --git a/wic/x86-efibootguard.wks.in b/wic/x86-efibootguard.wks.in
index 24b43873..38ad4117 100644
--- a/wic/x86-efibootguard.wks.in
+++ b/wic/x86-efibootguard.wks.in
@@ -11,4 +11,4 @@ part --source empty --align 1024 --fixed-size 1G --uuid "${ABROOTFS_PART_UUID_B}
 part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G --extra-space=100M
 part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024 --size 2G --extra-space=100M
-bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk watchdog.handle_boot_enabled=0 iTCO_wdt.nowayout=1 "
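Review bot: `watchdog.handle_boot_enabled=0` in both `--append` lines means a watchdog that firmware left running is no longer pinged by the kernel between driver probe and the first userspace open, so a successful boot now depends on initramfs userspace (the crypt hook's pinger from patch 2, or systemd after switch-root) opening the device within the hardware timeout; that dependency lives only in the commit message and deserves a comment in each .wks.in above the bootloader line, e.g. `# leave the watchdog armed but unserviced by the kernel until userspace takes over (see initramfs-crypt-hook)`. `iTCO_wdt.nowayout=1` is the right hardening direction, as userspace can no longer disarm the watchdog once it is opened, but on targets without an iTCO the parameter is presumably inert, which the same comment should state. The x86-efibootguard.wks.in hunk also leaves a stray space inside the quotes; `... iTCO_wdt.nowayout=1"` keeps the kernel command line clean.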