From patchwork Mon Oct 23 14:59:59 2023
X-Patchwork-Submitter: Gylstorff Quirin
X-Patchwork-Id: 13433005
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [cip-dev][isar-cip-core][RFC 1/9] scripts/deploy-kernelci: Format python code and remove unused import
Date: Mon, 23 Oct 2023 16:59:59 +0200
Message-ID: <20231023150243.3990309-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13434

From: Quirin Gylstorff

Signed-off-by: Quirin Gylstorff
---
 scripts/deploy-kernelci.py | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/scripts/deploy-kernelci.py b/scripts/deploy-kernelci.py
index 5a8adca..62f3f01 100755
--- a/scripts/deploy-kernelci.py
+++ b/scripts/deploy-kernelci.py
@@ -1,30 +1,30 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -import subprocess import requests import os import sys import time from urllib.parse import urljoin -cdate=time.strftime("%Y%m%d") -api="https://api.kernelci.org/upload" -token=os.getenv("KERNELCI_TOKEN") +cdate = time.strftime("%Y%m%d") +api = "https://api.kernelci.org/upload" +token = os.getenv("KERNELCI_TOKEN") -release=sys.argv[1] -target=sys.argv[2] -extension=sys.argv[3] +release = sys.argv[1] +target = sys.argv[2] +extension = sys.argv[3] -rootfs_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz" -initrd_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img" -initrd_gz_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz" +rootfs_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz" +initrd_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img" +initrd_gz_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz" + +input_dir = "build/tmp/deploy/images/"+target +upload_path = "/images/rootfs/cip/"+cdate+"/"+target+"/" +upload_path_latest = "/images/rootfs/cip/latest/"+target+"/" +rootfs = input_dir+"/"+rootfs_filename +initrd = input_dir+"/"+initrd_filename -input_dir="build/tmp/deploy/images/"+target -upload_path="/images/rootfs/cip/"+cdate+"/"+target+"/" -upload_path_latest="/images/rootfs/cip/latest/"+target+"/" -rootfs=input_dir+"/"+rootfs_filename -initrd=input_dir+"/"+initrd_filename def upload_file(api, token, path, input_file, input_filename): headers = { 
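Review bot: the positional reads `release = sys.argv[1]`, `target = sys.argv[2]`, `extension = sys.argv[3]` stay unguarded in this reformat, so invoking the script with fewer arguments dies with an IndexError instead of a usage message, and `token = os.getenv("KERNELCI_TOKEN")` silently becomes None when the variable is unset and is still handed to `upload_file()` further down. Since these lines are being touched anyway, something like `if len(sys.argv) != 4 or not token: sys.exit("usage: deploy-kernelci.py RELEASE TARGET EXTENSION (KERNELCI_TOKEN must be set)")` before the first use would make both failures explicit. Minor style point: the `rootfs_filename`, `initrd_filename` and `initrd_gz_filename` concatenations keep `+` without surrounding spaces while the rest of the hunk was PEP 8-spaced; f-strings would make them consistent and easier to read.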
@@ -40,6 +40,7 @@ def upload_file(api, token, path, input_file, input_filename): resp = requests.post(url, headers=headers, data=data, files=files) resp.raise_for_status() + if os.path.exists(rootfs) and os.path.exists(initrd): print("uploading rootfs to KernelCI") upload_file(api, token, upload_path, rootfs, rootfs_filename)

From patchwork Mon Oct 23 15:00:00 2023
X-Patchwork-Submitter: Gylstorff Quirin
X-Patchwork-Id: 13432998
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [cip-dev][isar-cip-core][RFC 2/9] customizations: Add variable to set the HOSTNAME
Date: Mon, 23 Oct 2023 17:00:00 +0200
Message-ID: <20231023150243.3990309-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13433

From: Quirin Gylstorff

Add the variable CUSTOM_HOSTNAME to modify the hostname of the image. The default value of CUSTOM_HOSTNAME is "demo".

Signed-off-by: Quirin Gylstorff
---
 recipes-core/customizations/common.inc | 6 +++++-
 .../customizations/files/{postinst => postinst.tmpl} | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
 rename recipes-core/customizations/files/{postinst => postinst.tmpl} (85%)

diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc
index 680a4d6..79bf80d 100644
--- a/recipes-core/customizations/common.inc
+++ b/recipes-core/customizations/common.inc
@@ -14,16 +14,20 @@ inherit dpkg-raw FILESPATH:append := ":${FILE_DIRNAME}/files" SRC_URI = " \ - file://postinst \ + file://postinst.tmpl \ file://ethernet \ file://99-silent-printk.conf \ file://99-watchdog.conf" SRC_URI:append:swupdate = " file://swupdate.cfg" +CUSTOM_HOSTNAME ??= "demo" WIRELESS_FIRMWARE_PACKAGE ?= "" INSTALL_WIRELESS_TOOLS ??= "0" +TEMPLATE_FILES += "postinst.tmpl" +TEMPLATE_VARS += "CUSTOM_HOSTNAME" + DEPENDS += "sshd-regen-keys change-root-homedir" DEBIAN_DEPENDS = " \
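Review bot: `CUSTOM_HOSTNAME ??= "demo"` is added to `TEMPLATE_VARS` and substituted verbatim into a shell script (the `HOSTNAME="${CUSTOM_HOSTNAME}"` line of postinst.tmpl in the next hunk), so a value containing a double quote, `$`, backtick or newline changes the meaning of the generated postinst rather than just the hostname, and values that are not valid hostnames (RFC 1123 labels: letters, digits and hyphens, at most 63 characters) still end up in /etc/hostname and /etc/hosts. Consider rejecting anything outside `[A-Za-z0-9-]{1,63}` at parse time, for instance in an anonymous python function that calls `bb.fatal()` with the offending value, or at least document the constraint next to the `??=` default.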
diff --git a/recipes-core/customizations/files/postinst b/recipes-core/customizations/files/postinst.tmpl similarity index 85% rename from recipes-core/customizations/files/postinst rename to recipes-core/customizations/files/postinst.tmpl index 7e7ea36..2668a93 100644 --- a/recipes-core/customizations/files/postinst +++ b/recipes-core/customizations/files/postinst.tmpl @@ -2,7 +2,7 @@ # # CIP Core, generic profile # -# Copyright (c) Siemens AG, 2019 +# Copyright (c) Siemens AG, 2019-2023 # # Authors: # Jan Kiszka 
@@ -18,6 +18,6 @@ if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then echo "PermitRootLogin yes" >> /etc/ssh/sshd_config fi -HOSTNAME=demo +HOSTNAME="${CUSTOM_HOSTNAME}" echo "$HOSTNAME" > /etc/hostname echo "127.0.0.1 $HOSTNAME" >> /etc/hosts

From patchwork Mon Oct 23 15:00:01 2023
X-Patchwork-Submitter: Gylstorff Quirin
X-Patchwork-Id: 13433006
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [cip-dev][isar-cip-core][RFC 3/9] customizations: Move ssh configuration from postinst to sshd_config.d
Date: Mon, 23 Oct 2023 17:00:01 +0200
Message-ID: <20231023150243.3990309-4-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13435

From: Quirin Gylstorff

Make the ssh configuration in line with Debian guidelines by adding an additional file to /etc/ssh/sshd_config.d/. This also allows disabling these changes with a customization.bbappend instead of overwriting the postinst script.

Signed-off-by: Quirin Gylstorff
---
 recipes-core/customizations/customizations.bb | 8 ++++++++
 recipes-core/customizations/files/postinst.tmpl | 4 ----
 recipes-core/customizations/files/ssh-permit-root.conf | 1 +
 3 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf

diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index ad16a90..3dbeb3f 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -11,6 +11,7 @@ require common.inc +SRC_URI += "file://ssh-permit-root.conf" DESCRIPTION = "CIP Core image demo & customizations" do_prepare_build:prepend:qemu-riscv64() {
@@ -20,3 +21,10 @@ do_prepare_build:prepend:qemu-riscv64() { echo "systemctl mask serial-getty@hvc0.service" >> ${WORKDIR}/postinst fi } + +do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/" +do_install:append () { + if [ -f "${WORKDIR}/ssh-permit-root.conf" ]; then + install -v -m 644 ${WORKDIR}/ssh-permit-root.conf ${D}/etc/ssh/sshd_config.d/ + fi +} diff --git a/recipes-core/customizations/files/postinst.tmpl b/recipes-core/customizations/files/postinst.tmpl index 2668a93..62e9a1a 100644 --- a/recipes-core/customizations/files/postinst.tmpl +++ b/recipes-core/customizations/files/postinst.tmpl @@ -14,10 +14,6 @@ set -e echo "CIP Core Demo & Test Image (login: root/root)" > /etc/issue -if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then - echo "PermitRootLogin yes" >> /etc/ssh/sshd_config -fi - HOSTNAME="${CUSTOM_HOSTNAME}" echo "$HOSTNAME" > /etc/hostname echo "127.0.0.1 $HOSTNAME" >> /etc/hosts diff --git a/recipes-core/customizations/files/ssh-permit-root.conf b/recipes-core/customizations/files/ssh-permit-root.conf new file mode 100644 index 0000000..1073982 --- /dev/null +++ b/recipes-core/customizations/files/ssh-permit-root.conf 
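Review bot: the new `do_install:append` relies on sshd honouring `/etc/ssh/sshd_config.d/`, which only works where the stock `/etc/ssh/sshd_config` carries an `Include /etc/ssh/sshd_config.d/*.conf` directive; OpenSSH gained `Include` in 8.2, so Debian bullseye and bookworm pick the drop-in up, but buster (OpenSSH 7.9) ignores the directory, and the `PermitRootLogin yes` handling removed from postinst.tmpl in this patch is silently lost there (buster is still a target in this layer, see the `:buster` appends in cip-core-image-security.bb in 7/9). Either keep a buster fallback or state in the commit message that this setting no longer applies on buster. Smaller point: the `if [ -f "${WORKDIR}/ssh-permit-root.conf" ]` guard is always true at this point in the series, since the file is unconditionally in SRC_URI and only becomes optional in 4/9, so a comment explaining why the guard exists would help the next reader.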
@@ -0,0 +1 @@ +PermitRootLogin yes

From patchwork Mon Oct 23 15:00:02 2023
X-Patchwork-Submitter: Gylstorff Quirin
X-Patchwork-Id: 13433007
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [cip-dev][isar-cip-core][RFC 4/9] security-customizations: Add dependency to customizations
Date: Mon, 23 Oct 2023 17:00:02 +0200
Message-ID: <20231023150243.3990309-5-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13437

From: Quirin Gylstorff

To simplify the package structure, security customizations no longer set the hostname and use a dependency instead of an include. Add the OVERRIDE `security` to enable or disable security related configuration settings.

Signed-off-by: Quirin Gylstorff
---
 kas/opt/security.yml | 2 ++
 recipes-core/customizations/customizations.bb | 2 ++
 recipes-core/security-customizations/files/postinst | 4 ----
 .../security-customizations/security-customizations.bb | 8 ++++----
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/kas/opt/security.yml b/kas/opt/security.yml
index d87235a..000c522 100644
--- a/kas/opt/security.yml
+++ b/kas/opt/security.yml
@@ -24,3 +24,5 @@ local_conf_header: adjust-swupdate: | ABROOTFS_IMAGE_RECIPE = "cip-core-image-security" VERITY_IMAGE_RECIPE = "cip-core-image-security" + security-override: | + OVERRIDES .= ":security"
diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 3dbeb3f..3f6b5de 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -12,6 +12,8 @@ require common.inc SRC_URI += "file://ssh-permit-root.conf" +SRC_URI:remove:security = "file://ssh-permit-root.conf" + DESCRIPTION = "CIP Core image demo & customizations" do_prepare_build:prepend:qemu-riscv64() { diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 620c863..bbd21bd 100755 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -8,10 +8,6 @@ set -e echo "CIP Core Security Image (login: root/CIPsecurity@123)" > /etc/issue -HOSTNAME=demo -echo "$HOSTNAME" > /etc/hostname -echo "127.0.0.1 $HOSTNAME" >> /etc/hosts - # CR1.7: Strength of password-based authentication # Pam configuration to enforce password strength PAM_PWD_FILE="/etc/pam.d/common-password" diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb index 240a577..d5249a2 100644 --- a/recipes-core/security-customizations/security-customizations.bb +++ b/recipes-core/security-customizations/security-customizations.bb 
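Review bot: `SRC_URI:remove:security = "file://ssh-permit-root.conf"` makes the absence of `PermitRootLogin yes` in the security image depend on `OVERRIDES .= ":security"` coming from kas/opt/security.yml rather than on the image recipe, so a build of cip-core-image-security that does not include that kas fragment (or a downstream layer assembling its own kas file) gets the demo drop-in, and root login over SSH stays enabled in the hardened image with no error or warning. Setting the override from the image recipe itself, or failing the build when security-customizations is in the image without it, would stop the hardening from depending on a command-line option. In the postinst hunk, with the hostname lines gone, the security postinst now assumes customizations' postinst has already run; that holds because customizations is in `Depends`, but a one-line comment there would save the next reader the search.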
@@ -9,12 +9,12 @@ # SPDX-License-Identifier: MIT # -require recipes-core/customizations/common.inc +inherit dpkg-raw DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" -SRC_URI += "file://postinst" +SRC_URI = "file://postinst" -DEPENDS += "sshd-regen-keys" -DEBIAN_DEPENDS += ", sshd-regen-keys, libpam-google-authenticator" +DEPENDS = "customizations, sshd-regen-keys" +DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"

From patchwork Mon Oct 23 15:00:03 2023
X-Patchwork-Submitter: Gylstorff Quirin
X-Patchwork-Id: 13433000
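Review bot: `DEPENDS = "customizations, sshd-regen-keys"` is a space-separated bitbake list, so the comma becomes part of the dependency name `customizations,` and the build-time dependency on customizations is not actually expressed; 7/9 later rewrites the line to `DEPENDS = "customizations sshd-regen-keys"`, which confirms it, and the fix belongs here so that every point in the series builds. The same hunk has a stray space in `DEBIAN_DEPENDS = "customizations , sshd-regen-keys, ..."`, also corrected only in 7/9. Replacing `require recipes-core/customizations/common.inc` with a bare `inherit dpkg-raw` also drops the `FILESPATH:append := ":${FILE_DIRNAME}/files"` that common.inc provided, so please double-check that `file://postinst` is still found from this recipe's own files/ directory and say so in the commit message.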
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [cip-dev][isar-cip-core][RFC 5/9] security-customizations: Fix shell error
Date: Mon, 23 Oct 2023 17:00:03 +0200
Message-ID: <20231023150243.3990309-6-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13440

From: Quirin Gylstorff

if [ -f ... ] does not work with globbing.

Signed-off-by: Quirin Gylstorff
---
 recipes-core/security-customizations/files/postinst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index bbd21bd..717b7ac 100755
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -32,11 +32,11 @@ fi # Lock user account after unsuccessful login attempts PAM_AUTH_FILE="/etc/pam.d/common-auth" # pam_tally2 is deprecated from pam version 1.4.0-7 -if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then +if readlink -f /lib/*-linux-gnu*/security/pam_tally2.so; then PAM_MODULE="pam_tally2.so" PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \naccount required pam_tally2.so" -elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then +elif readlink -f /lib/*-linux-gnu*/security/pam_faillock.so; then PAM_MODULE="pam_faillock.so" PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \

From patchwork Mon Oct 23 15:00:04 2023
X-Patchwork-Submitter: Gylstorff Quirin
X-Patchwork-Id: 13433001
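Review bot: `readlink -f` with a glob works here only by accident: GNU `readlink -f` succeeds whenever every path component but the last exists, so when the pattern expands (module present) it returns 0, and when it does not expand the literal `*-linux-gnu*` directory is missing and it returns 1; the intent is "does this module exist", which `readlink -e` (all components must exist) states directly, and either form prints the resolved path to stdout during package configuration, so redirect it: `if readlink -e /lib/*-linux-gnu*/security/pam_tally2.so >/dev/null; then`. A plain-shell alternative that also copes with more than one match (multiarch) is `set -- /lib/*-linux-gnu*/security/pam_tally2.so; if [ -f "$1" ]; then`. Unrelated to this change but visible in the context: the faillock line `auth required pam_faillock.so .so authfail ...` carries a stray `.so` token that is passed to pam_faillock as an option; worth a follow-up patch.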
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [cip-dev][isar-cip-core][RFC 6/9] security-customizations: Extract sshd config from postinst to files
Date: Mon, 23 Oct 2023 17:00:04 +0200
Message-ID: <20231023150243.3990309-7-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13439

From: Quirin Gylstorff

For easier maintenance, extract the ssh configuration to /etc/sshd_config.d/. Configuration entries in sshd_config.d will overwrite elements in sshd_config.

Signed-off-by: Quirin Gylstorff
---
 .../security-customizations/files/postinst | 16 ----------------
 .../files/ssh-pam-remote.conf | 4 ++++
 .../files/ssh-remote-session-term.conf | 5 +++++
 .../security-customizations.bb | 9 ++++++++-
 4 files changed, 17 insertions(+), 17 deletions(-)
 create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
 create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 717b7ac..daade83 100755 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -51,14 +51,6 @@ if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then fi sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}" -# CR2.6: Remote session termination -# Terminate remote session after inactive time period -SSHD_CONFIG="/etc/ssh/sshd_config" -alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") -alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") -sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" -sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" - # CR2.7: Concurrent session control # Limit the concurrent login sessions LIMITS_CONFIG="/etc/security/limits.conf" @@ -80,12 +72,4 @@ if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" fi echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" -# Enable PAM configuration for Remote Session -if grep -s -q "ChallengeResponseAuthentication" "${SSHD_CONFIG}";then - sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" -fi -if grep -s -q "KbdInteractiveAuthentication" "${SSHD_CONFIG}";then - sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/g' "${SSHD_CONFIG}" -fi -echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" diff --git a/recipes-core/security-customizations/files/ssh-pam-remote.conf b/recipes-core/security-customizations/files/ssh-pam-remote.conf new file mode 100644 index 0000000..d460b0c --- /dev/null +++ b/recipes-core/security-customizations/files/ssh-pam-remote.conf 
@@ -0,0 +1,4 @@ +# Enable PAM configuration for Remote Session +ChallengeResponseAuthentication yes +KbdInteractiveAuthentication yes +AuthenticationMethods keyboard-interactive diff --git a/recipes-core/security-customizations/files/ssh-remote-session-term.conf b/recipes-core/security-customizations/files/ssh-remote-session-term.conf new file mode 100644 index 0000000..d11b92e --- /dev/null +++ b/recipes-core/security-customizations/files/ssh-remote-session-term.conf @@ -0,0 +1,5 @@ +# CR2.6: Remote session termination +# Terminate remote session after inactive time period + +ClientAliveInterval 120 +ClientAliveCountMax 0 diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb index d5249a2..d3cede8 100644 --- a/recipes-core/security-customizations/security-customizations.bb +++ b/recipes-core/security-customizations/security-customizations.bb 
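Review bot: `ClientAliveCountMax 0` in ssh-remote-session-term.conf does the opposite of what the CR2.6 comment above it says on the OpenSSH versions in bullseye and bookworm: since OpenSSH 8.2 a count of 0 disables the client-alive disconnect entirely (before 8.2 it dropped the session after the first missed probe), so no remote session is ever terminated by this setting. `ClientAliveCountMax 1` with `ClientAliveInterval 120` gives the intended roughly two-minute cut-off for an unresponsive client; note also that these keywords detect a dead connection, not an idle user, because a live ssh client answers the probes even when nobody is typing, so a shell TMOUT or a PAM/systemd session limit is needed if CR2.6 means user inactivity. In ssh-pam-remote.conf, `AuthenticationMethods keyboard-interactive` makes keyboard-interactive the only accepted method and thereby disables public-key authentication for every user; if that is intended it deserves a comment, otherwise `publickey keyboard-interactive` (either method) or `publickey,keyboard-interactive` (both required) keeps keys usable. Finally, the commit message says entries in sshd_config.d overwrite sshd_config, but sshd uses the first value it reads for each keyword; the drop-ins win only because Debian's sshd_config has the `Include` at the top, and any keyword set above that line would silently take precedence.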
@@ -13,8 +13,15 @@ inherit dpkg-raw DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" -SRC_URI = "file://postinst" +SRC_URI = "file://postinst \ + file://ssh-remote-session-term.conf \ + file://ssh-pam-remote.conf" DEPENDS = "customizations, sshd-regen-keys" DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator" +do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/" +do_install () { + install -m 600 ${WORKDIR}/ssh-remote-session-term.conf ${D}/etc/ssh/sshd_config.d/ + install -m 600 ${WORKDIR}/ssh-pam-remote.conf ${D}/etc/ssh/sshd_config.d/ +}

From patchwork Mon Oct 23 15:00:05 2023
X-Patchwork-Submitter: Gylstorff Quirin
X-Patchwork-Id: 13433004
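Review bot: the two `install -m 600` calls put the sshd drop-ins in place root-only, while 3/9 installs ssh-permit-root.conf into the same directory with `-m 644` and Debian ships sshd_config itself as 0644; pick one mode for the layer. 600 is harmless for sshd, which reads its configuration as root, but the inconsistency between two sibling recipes invites questions at audit time. A comment on the `do_install[cleandirs]` line saying that the directory is emptied only inside this package's staging tree, not on the target, would also avoid a common misreading.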
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [cip-dev][isar-cip-core][RFC 7/9] cip-core-image-security: Move packages to security-customization
Date: Mon, 23 Oct 2023 17:00:05 +0200
Message-ID: <20231023150243.3990309-8-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13441

From: Quirin Gylstorff

To ensure that the package security-customizations is installable, move packages from cip-core-image-security as dependencies to security-packages.

Signed-off-by: Quirin Gylstorff
---
 recipes-core/images/cip-core-image-security.bb | 12 +----------
 .../security-customizations.bb | 14 +++++++++++---
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 3421ce5..525a346 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -28,24 +28,14 @@ IMAGE_PREINSTALL += " \ tpm2-tools \ tpm2-abrmd \ acl \ - audispd-plugins auditd \ + audispd-plugins \ uuid-runtime \ sudo \ aide-common \ - libpam-google-authenticator \ passwd \ login \ - libpam-runtime \ util-linux \ " -# Package names based on the distro version -IMAGE_PREINSTALL:append:buster = " libtss2-esys0 \ - libpam-cracklib" -IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0 \ - libpam-cracklib" -IMAGE_PREINSTALL:append:bookworm = " libtss2-esys-3.0.2-0 \ - libpam-passwdqc" - CIP_IMAGE_OPTIONS ?= "" require ${CIP_IMAGE_OPTIONS} diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb index d3cede8..162d2f6 100644 --- a/recipes-core/security-customizations/security-customizations.bb +++ b/recipes-core/security-customizations/security-customizations.bb 
@@ -11,14 +11,22 @@ inherit dpkg-raw -DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" +DESCRIPTION = "CIP Security configuration for IEC62443-4-2 evaluation" SRC_URI = "file://postinst \ file://ssh-remote-session-term.conf \ file://ssh-pam-remote.conf" -DEPENDS = "customizations, sshd-regen-keys" -DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator" +DEPENDS = "customizations sshd-regen-keys" +DEBIAN_DEPENDS = "customizations, sshd-regen-keys, libpam-google-authenticator, libpam-modules, libpam-runtime, auditd" + +# Package names based on the distro version +DEBIAN_DEPENDS:append:buster = ", libtss2-esys0, \ + libpam-cracklib" +DEBIAN_DEPENDS:append:bullseye = ", libtss2-esys-3.0.2-0, \ + libpam-cracklib" +DEBIAN_DEPENDS:append:bookworm = ", libtss2-esys-3.0.2-0, \ +libpam-passwdqc" do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/" do_install () { From patchwork Mon Oct 23 15:00:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13432999 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2DCAC004C0 for ; Mon, 23 Oct 2023 15:02:51 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.122858.1698073370816960200 for ; Mon, 23 Oct 2023 08:02:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=bEUhdAEo; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-20231023150248055d7a0e12863fe180-1vfzt3@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20231023150248055d7a0e12863fe180 
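Review bot: In the cip-core-image-security.bb hunk, auditd, libpam-runtime, libpam-google-authenticator and the per-distro libtss2-esys/libpam-cracklib/libpam-passwdqc packages leave IMAGE_PREINSTALL, but nothing in this patch shows security-customizations being pulled into the image; the visible context of the image recipe does not list it. If the image does not install security-customizations, the audit daemon and the PAM hardening modules silently disappear from the security image with no build error. Please point to where the package is added to the image, or add it here. Also, `audispd-plugins` stays in IMAGE_PREINSTALL while `auditd` moves into the package; audispd-plugins is only useful alongside auditd (it depends on it in Debian), so keep the pair in one place.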
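Review bot: In the security-customizations.bb hunk, the bookworm continuation line `+libpam-passwdqc"` is flush left while the buster and bullseye variants indent their continuation (` libpam-cracklib"`); align it. The separator change in `DEPENDS = "customizations sshd-regen-keys"` (whitespace, as bitbake expects) versus the comma-separated `DEBIAN_DEPENDS` is correct, but since the `:append` lines start with `, ` they rely on the base `DEBIAN_DEPENDS` never being empty; a one-line comment above the per-distro block saying so would save the next person from "Depends: , libtss2-..." when they trim the base list.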
for ; Mon, 23 Oct 2023 17:02:48 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=4yMJjJ/SF4ixxHUG4EcI/irLionAYK3VquIQ/8Nx4yk=; b=bEUhdAEovWQxBpU3LNOjS9AJdSZKJZNEGoKXLJrxl9DXwV96rYHZbFtL4FM2o0e03oi6ya yXEDwH9GIaMB/lc9BW99I9u1UBBIcBwXgzy2pIFiKv6ICLLTh/t6wEz2ibxV8B4cRK/B2mLO m4020VuwQAQwTzfvSPNfy/bPXE7gs=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC 8/9] customization-kernelci: Add dependency to customizations Date: Mon, 23 Oct 2023 17:00:06 +0200 Message-ID: <20231023150243.3990309-9-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com> References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Oct 2023 15:02:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13442 From: Quirin Gylstorff This is to simplify maintenance. Also extract serial getty override and sshd_config changes from postinstall to separate files. 
Signed-off-by: Quirin Gylstorff --- .../kernelci-customizations/files/postinst | 11 ----------- .../files/serial-getty-kernelci-override.conf | 3 +++ .../files/ssh-permit-empty-passwords.conf | 2 ++ .../kernelci-customizations.bb | 18 ++++++++++++++---- 4 files changed, 19 insertions(+), 15 deletions(-) create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf diff --git a/recipes-core/kernelci-customizations/files/postinst b/recipes-core/kernelci-customizations/files/postinst index 7ae30e8..08544a4 100644 --- a/recipes-core/kernelci-customizations/files/postinst +++ b/recipes-core/kernelci-customizations/files/postinst @@ -15,20 +15,9 @@ echo "CIP Core Demo & Test Image" > /etc/issue # permit root login without password -echo "PermitRootLogin yes" >> /etc/ssh/sshd_config -echo "PermitEmptyPasswords yes" >> /etc/ssh/sshd_config passwd root -d -# serial getty service for autologin -mkdir -p /etc/systemd/system/serial-getty@.service.d/ -echo "[Service]" > /etc/systemd/system/serial-getty@.service.d/override.conf -echo "ExecStart=" >> /etc/systemd/system/serial-getty@.service.d/override.conf -echo "ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM" >> /etc/systemd/system/serial-getty@.service.d/override.conf - # set the profile for KernelCI echo "PS1='\$(pwd) # '" > /root/.profile echo "cd /" >> /root/.profile -HOSTNAME=demo -echo "$HOSTNAME" > /etc/hostname -echo "127.0.0.1 $HOSTNAME" >> /etc/hosts diff --git a/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf new file mode 100644 index 0000000..a1472c5 --- /dev/null +++ b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf 
@@ -0,0 +1,3 @@ +[Service] +ExecStart= +ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM diff --git a/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf new file mode 100644 index 0000000..b958fec --- /dev/null +++ b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf @@ -0,0 +1,2 @@ +PermitEmptyPasswords yes + diff --git a/recipes-core/kernelci-customizations/kernelci-customizations.bb b/recipes-core/kernelci-customizations/kernelci-customizations.bb index f972be5..3a99884 100644 --- a/recipes-core/kernelci-customizations/kernelci-customizations.bb +++ b/recipes-core/kernelci-customizations/kernelci-customizations.bb 
@@ -11,13 +11,23 @@ # SPDX-License-Identifier: MIT # -require recipes-core/customizations/common.inc +inherit dpkg-raw DESCRIPTION = "CIP Core KernelCI image customizations" -SRC_URI += "file://dmesg.sh" +DEPENDS += "customizations" +DEBIAN_DEPENDS += "customizations" -do_install:append() { - install -v -d ${D}/opt/kernelci +SRC_URI = "file://postinst \ + file://dmesg.sh \ + file://serial-getty-kernelci-override.conf \ + file://ssh-permit-empty-passwords.conf" + +do_install[cleandirs] = "${D}/opt/kernelci/ \ + ${D}/etc/systemd/system/serial-getty@.service.d/ \ + ${D}/etc/ssh/sshd_config.d/" +do_install() { install -v -m 744 ${WORKDIR}/dmesg.sh ${D}/opt/kernelci/ + install -v -m 644 ${WORKDIR}/serial-getty-kernelci-override.conf ${D}/etc/systemd/system/serial-getty@.service.d/serial-getty-kernelci-override.conf + install -v -m 600 ${WORKDIR}/ssh-permit-empty-passwords.conf ${D}/etc/ssh/sshd_config.d/ssh-permit-empty-passwords.conf } From patchwork Mon Oct 23 15:00:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gylstorff Quirin X-Patchwork-Id: 13433003 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F33DDC25B45 for ; Mon, 23 Oct 2023 15:02:51 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.123302.1698073368080723669 for ; Mon, 23 Oct 2023 08:02:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm1 header.b=kCc2AZ0n; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-51332-20231023150249cbb911ddbbb73d7a76-oiepex@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA 
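Review bot: The postinst hunk also removes the hostname setup (`HOSTNAME=demo`, the write to /etc/hostname and the `127.0.0.1 $HOSTNAME` entry in /etc/hosts), which the commit message does not mention and which none of the new files in this patch re-adds. If the hostname now comes from the customizations package this recipe newly depends on, say so in the commit message; otherwise restore those three lines, since a test image without a hosts entry for its own name is a behaviour change that a "move to separate files" description does not cover.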
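Review bot: In the serial-getty-kernelci-override.conf hunk, `$TERM` on the `ExecStart=` line is now a literal that systemd expands from the unit's environment at boot, whereas the old `echo "... %I $TERM" >> .../override.conf` in postinst had the shell expand it at package-install time inside the build chroot, where TERM is typically unset. The new form is the right one and matches how the stock serial-getty@.service passes TERM, but it is a functional change for the running image, so state it in the commit message rather than presenting the patch as a pure extraction.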
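Review bot: The new ssh-permit-empty-passwords.conf carries only `PermitEmptyPasswords yes`; the `echo "PermitRootLogin yes"` that the postinst hunk removes has no replacement anywhere in this patch. With OpenSSH's default `PermitRootLogin prohibit-password`, the root account that `passwd root -d` leaves without a password cannot log in over SSH at all, unless PermitRootLogin is set by something not visible here. Either add `PermitRootLogin yes` to this drop-in (it belongs next to PermitEmptyPasswords, since both exist only for the KernelCI test image and must never reach the security image), or say in the commit message that dropping it is intended. Also remove the trailing empty line the hunk adds (`+` with nothing after it).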
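Review bot: In the kernelci-customizations.bb hunk, `do_install[cleandirs] = "..."` uses plain assignment, whereas security-customizations.bb in this same series uses `do_install[cleandirs] += "..."`. With `=`, any cleandirs the inherited class sets for the task are overwritten (Isar's dpkg-raw sets `${D}` itself), so files from an earlier build of this recipe can survive in ${D} and end up in the package; use `+=` here as well. Separately, replacing `require recipes-core/customizations/common.inc` with `inherit dpkg-raw` drops whatever else common.inc provided; the hunk shows only the SPDX header, so confirm the recipe still sets the metadata (LICENSE, maintainer, any shared SRC_URI) that common.inc used to supply, and mention it in the commit message.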
id 20231023150249cbb911ddbbb73d7a76 for ; Mon, 23 Oct 2023 17:02:49 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=nMbM3+ayTDWkq3ePJRp1e1khVw270YqiABTsAvFuPM0=; b=kCc2AZ0nZhvsn+7tur44nH+ZcWs/zKrOXz0R6RZdT6XtuhrziD5FDoU2z1q+XvLoCFAsZz Rr2vvaOoQrVc+a80HFc6Au7Eu9Ph2NK2LgzE6pMq+aPytCgD1E6s4gckdPqb6ODA07MPJtqa 2DNsKyqKflsQDQHjyukg3Yt+djOM0=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org, venkata.pyla@toshiba-tsip.com, dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [cip-dev][isar-cip-core][RFC 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf Date: Mon, 23 Oct 2023 17:00:07 +0200 Message-ID: <20231023150243.3990309-10-Quirin.Gylstorff@siemens.com> In-Reply-To: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com> References: <20231023150243.3990309-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Oct 2023 15:02:51 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/13438 From: Quirin Gylstorff This ensures that all images are built reproducibly. Signed-off-by: Quirin Gylstorff --- conf/layer.conf | 2 ++ kas/opt/reproducible.yml | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/conf/layer.conf b/conf/layer.conf index 2c888b2..82b4084 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -24,3 +24,5 @@ LAYERDIR_cip-core = "${LAYERDIR}" LAYERDIR_cip-core[vardepvalue] = "isar-cip-core" IMAGE_CLASSES += "squashfs verity swupdate" + +SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}" 
diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml index 5d6a896..bc71f28 100644 --- a/kas/opt/reproducible.yml +++ b/kas/opt/reproducible.yml @@ -13,5 +13,4 @@ header: local_conf_header: reproducible-builds: | - SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}" WIC_DEPLOY_PARTITIONS = "1"
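Review bot: In the layer.conf hunk, the immediately expanded `SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"` now runs git on every parse of the layer, not only when kas/opt/reproducible.yml is selected. On a checkout without git metadata (a release tarball or an export) or in a build container without the git binary, bb.process.run raises and layer parsing aborts for every build, where previously only the reproducible configuration was affected. Guard it, for example by moving the call into a small Python function that catches the bb.process errors and falls back to a fixed epoch or leaves the variable unset, and note the new hard requirement on a git checkout in the commit message. The placement itself is fine: `${LAYERDIR_cip-core}` is assigned two lines earlier in the context, so it is defined when the expression is evaluated.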
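Review bot: In the reproducible.yml hunk, after the SOURCE_DATE_EPOCH line is removed the `reproducible-builds` local_conf_header carries only `WIC_DEPLOY_PARTITIONS = "1"`, which is not a reproducibility setting on its own. Either move that line to wherever it logically belongs and drop the now-misnamed header, or keep it and say in the commit message what kas/opt/reproducible.yml still opts into, so the file's name and content agree again.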