From patchwork Thu Nov 7 10:57:49 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866195
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 1/9] Provide recipe to rebuild gnu-efi 3.0.18 for fixing armhf bug Date: Thu, 7 Nov 2024 11:57:49 +0100 Message-ID: <49baabb6f460de97658e4d51c9d7006134f2581f.1730977077.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Nov 2024 10:58:14 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17207 From: Jan Kiszka This allows to rebuild gnu-efi from testing/unstable in order to address https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086705. With this version, the kernel stub of EFI Boot Guard is built correctly again, and the system boots. Signed-off-by: Jan Kiszka --- .../efibootguard/efibootguard_0.18-1+cip.bb | 4 + .../0001-ARM32-Split-headers-and-code.patch | 93 +++++++++++++++++++ recipes-devtools/gnu-efi/gnu-efi_latest.bb | 25 +++++ 3 files changed, 122 insertions(+) create mode 100644 recipes-devtools/gnu-efi/files/0001-ARM32-Split-headers-and-code.patch create mode 100644 recipes-devtools/gnu-efi/gnu-efi_latest.bb diff --git a/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb b/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb index 931bc8ea..63373119 100644 --- a/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb +++ b/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb @@ -35,6 +35,10 @@ PATCHTOOL = "git" inherit dpkg DEPENDS = "python-shtab" + +DEPENDS:trixie = "gnu-efi" +DEPENDS:sid = "gnu-efi" + # needed for buster, bullseye could use compat >= 13 python() { arch = d.getVar('DISTRO_ARCH') 
diff --git a/recipes-devtools/gnu-efi/files/0001-ARM32-Split-headers-and-code.patch b/recipes-devtools/gnu-efi/files/0001-ARM32-Split-headers-and-code.patch new file mode 100644 index 00000000..2f15d246 --- /dev/null +++ b/recipes-devtools/gnu-efi/files/0001-ARM32-Split-headers-and-code.patch 
@@ -0,0 +1,93 @@ +From 24a4cd0e5653fd84b004c00c808c45cc3fb7a7e2 Mon Sep 17 00:00:00 2001 +From: Callum Farmer +Date: Mon, 23 Sep 2024 16:51:49 +0100 +Subject: [PATCH] ARM32: Split headers and code + +* Force code to be at known dest of 4096 +* Move _start into .text +* Load the _start symbol address and then minus 4096 to get the load + address + +Signed-off-by: Callum Farmer +--- + gnuefi/crt0-efi-arm.S | 21 +++++++++++---------- + gnuefi/elf_arm_efi.lds | 1 + + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/gnuefi/crt0-efi-arm.S b/gnuefi/crt0-efi-arm.S +index 9c2c467..ad02ca1 100644 +--- a/gnuefi/crt0-efi-arm.S ++++ b/gnuefi/crt0-efi-arm.S +@@ -45,11 +45,11 @@ optional_header: + .2byte 0x10b // PE32+ format + .byte 0x02 // MajorLinkerVersion + .byte 0x14 // MinorLinkerVersion +- .4byte _etext - _start // SizeOfCode ++ .4byte _text_size - ImageBase // SizeOfCode + .4byte _alldata_size - ImageBase // SizeOfInitializedData + .4byte 0 // SizeOfUninitializedData +- .4byte _start - ImageBase // AddressOfEntryPoint +- .4byte _start - ImageBase // BaseOfCode ++ .4byte _text - ImageBase // AddressOfEntryPoint ++ .4byte _text - ImageBase // BaseOfCode + .4byte _reloc - ImageBase // BaseOfData + + extra_header_fields: +@@ -67,7 +67,7 @@ extra_header_fields: + .4byte _image_end - ImageBase // SizeOfImage + + // Everything before the kernel image is considered part of the header +- .4byte _start - ImageBase // SizeOfHeaders ++ .4byte _text - ImageBase // SizeOfHeaders + .4byte 0 // CheckSum + .2byte EFI_SUBSYSTEM // Subsystem + .2byte 0 // DllCharacteristics +@@ -100,10 +100,10 @@ extra_header_fields: + section_table: + + .ascii ".text\0\0\0" +- .4byte _evtext - _start // VirtualSize +- .4byte _start - ImageBase // VirtualAddress +- .4byte _etext - _start // SizeOfRawData +- .4byte _start - ImageBase // PointerToRawData ++ .4byte _text_vsize - ImageBase // VirtualSize ++ .4byte _text - ImageBase // VirtualAddress ++ .4byte _text_size - ImageBase // 
SizeOfRawData ++ .4byte _text - ImageBase // PointerToRawData + .4byte 0 // PointerToRelocations (0 for executables) + .4byte 0 // PointerToLineNumbers (0 for executables) + .2byte 0 // NumberOfRelocations (0 for executables) +@@ -148,7 +148,7 @@ section_table: + .2byte 0 // NumberOfLineNumbers + .4byte 0x40000040 // Characteristics (section flags) + +-.balign 256 ++.text + .globl _start + .type _start,%function + _start: +@@ -159,7 +159,8 @@ _start: + adr r1, .L_DYNAMIC + ldr r0, [r1] + add r1, r0, r1 +- adr r0, ImageBase ++ adr r0, _start ++ sub r0, r0, #0x1000 + bl _relocate + teq r0, #0 + bne 0f +diff --git a/gnuefi/elf_arm_efi.lds b/gnuefi/elf_arm_efi.lds +index afe17af..b7e3fb1 100644 +--- a/gnuefi/elf_arm_efi.lds ++++ b/gnuefi/elf_arm_efi.lds +@@ -5,6 +5,7 @@ SECTIONS + { + .text 0 : { + *(.text.head) ++ . = 0x1000; + _text = .; + *(.text) + *(.text.*) +-- +2.43.0 + diff --git a/recipes-devtools/gnu-efi/gnu-efi_latest.bb b/recipes-devtools/gnu-efi/gnu-efi_latest.bb new file mode 100644 index 00000000..2272a2b9 --- /dev/null +++ b/recipes-devtools/gnu-efi/gnu-efi_latest.bb 
@@ -0,0 +1,25 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Jan Kiszka +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg + +CHANGELOG_V="+cip" + +SRC_URI = "apt://${BPN}" +SRC_URI += "file://0001-ARM32-Split-headers-and-code.patch;apply=no" + +do_prepare_build() { + deb_add_changelog + + cd ${S} + quilt import -f ${WORKDIR}/*.patch + quilt push -a +}
From patchwork Thu Nov 7 10:57:50 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866197
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 2/9] swupdate: Control self-building via boolean var Date: Thu, 7 Nov 2024 11:57:50 +0100 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Nov 2024 10:58:14 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17208 From: Jan Kiszka Under the assumption that future versions of Debian will deliver us the needed versions of SWUpdate, this eases to opt-in for self-building. Signed-off-by: Jan Kiszka --- recipes-core/images/swupdate.inc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 96994b5c..b1cad439 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc
@@ -17,9 +17,13 @@ SWU_HW_COMPAT ?= "cip-core-1.0" IMAGER_BUILD_DEPS:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" IMAGER_INSTALL:swu += "${@'swupdate-signer' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" IMAGE_INSTALL += "${@'swupdate-certificates' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}" -IMAGE_INSTALL += " swupdate" -IMAGE_INSTALL:remove:sid = "swupdate" -IMAGE_PREINSTALL:append:sid = " swupdate" +SWUPDATE_SELFBUILT ?= "0" +SWUPDATE_SELFBUILT:buster = "1" +SWUPDATE_SELFBUILT:bullseye = "1" +SWUPDATE_SELFBUILT:bookworm = "1" + +IMAGE_INSTALL:append = "${@' swupdate' if bb.utils.to_boolean(d.getVar('SWUPDATE_SELFBUILT')) else ''}" +IMAGE_PREINSTALL:append = "${@'' if bb.utils.to_boolean(d.getVar('SWUPDATE_SELFBUILT')) else ' swupdate'}" IMAGE_INSTALL += " swupdate-handler-roundrobin"
From patchwork Thu Nov 7 10:57:51 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866198
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 3/9] swupdate-signer: Ensure compatibility also with latest openssl 3.3 Date: Thu, 7 Nov 2024 11:57:51 +0100 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Nov 2024 10:58:14 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17205 From: Jan Kiszka That -check option was probably never official and is now definitely gone with openssl 3.3 from trixie. In fact, we do not even need it, the return code is set as expected also without it. Signed-off-by: Jan Kiszka --- recipes-devtools/swupdate-signer/files/sign-swu-cms | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/recipes-devtools/swupdate-signer/files/sign-swu-cms b/recipes-devtools/swupdate-signer/files/sign-swu-cms index d844e011..cb0cd4af 100644 --- a/recipes-devtools/swupdate-signer/files/sign-swu-cms +++ b/recipes-devtools/swupdate-signer/files/sign-swu-cms
@@ -10,14 +10,11 @@ error_msg() { } if ! openssl rsa -check -noout -in "$inkey"; then - error_msg "key '$inkey' is not a rsa key " + error_msg "key '$inkey' is not a rsa key" fi -# if openssl > 3.0 we have the x509 check option -if openssl version | grep -q "3.[0-9].[0-9]"; then - if ! openssl x509 -check -noout -in "$cert"; then - error_msg "certificate '$cert' is not a certificate" - fi +if ! openssl x509 -noout -in "$cert"; then + error_msg "certificate '$cert' is not a certificate" fi key_md5=$(openssl rsa -modulus -noout -in "$inkey" | openssl md5)
From patchwork Thu Nov 7 10:57:52 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866189
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 4/9] u-boot: Use efisebdb with trixie for generating the UEFI key database Date: Thu, 7 Nov 2024 11:57:52 +0100 Message-ID: <6d99a378b11f36b48bb236e45b6582d064eb1199.1730977077.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Nov 2024 10:58:14 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17206 From: Jan Kiszka Latest peboot dropped efisiglist and points to efisebdb from the efivar package instead. That requires us to specify a key owner GUID, and we use a random one here for our demo purposes. Signed-off-by: Jan Kiszka --- recipes-bsp/u-boot/files/rules.tmpl | 8 ++++++-- recipes-bsp/u-boot/u-boot-common-2024.01.inc | 5 ++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/recipes-bsp/u-boot/files/rules.tmpl b/recipes-bsp/u-boot/files/rules.tmpl index c697cdb7..593919c3 100755 --- a/recipes-bsp/u-boot/files/rules.tmpl +++ b/recipes-bsp/u-boot/files/rules.tmpl @@ -1,6 +1,6 @@ #!/usr/bin/make -f # -# Copyright (c) Siemens AG, 2018-2022 +# Copyright (c) Siemens AG, 2018-2024 # # SPDX-License-Identifier: MIT
@@ -13,7 +13,11 @@ override_dh_auto_build: if [ -e /usr/share/secure-boot-secrets/secure-boot.pem ]; then \ openssl x509 -in /usr/share/secure-boot-secrets/secure-boot.pem -out secure-boot.der -outform der; \ rm -f secure-boot.esl; \ - efisiglist -a -c secure-boot.der -o secure-boot.esl; \ + if [ -x /usr/bin/efisecdb ]; then \ + efisecdb -g 32db313c-f7d4-42a6-9a49-e32870001c63 -a -c secure-boot.der -o secure-boot.esl; \ + else \ + efisiglist -a -c secure-boot.der -o secure-boot.esl; \ + fi; \ rm -f ubootefi.var; \ tools/efivar.py set -i ubootefi.var -n PK -d secure-boot.esl -t file; \ tools/efivar.py set -i ubootefi.var -n KEK -d secure-boot.esl -t file; \ diff --git a/recipes-bsp/u-boot/u-boot-common-2024.01.inc b/recipes-bsp/u-boot/u-boot-common-2024.01.inc index 69427322..5a020da2 100644 --- a/recipes-bsp/u-boot/u-boot-common-2024.01.inc +++ b/recipes-bsp/u-boot/u-boot-common-2024.01.inc 
@@ -24,7 +24,10 @@ S = "${WORKDIR}/u-boot-${PV}" DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}" DEBIAN_BUILD_DEPENDS:append:secureboot = ", \ - openssl, pesign, secure-boot-secrets, python3-openssl:native" + openssl, efivar, secure-boot-secrets, python3-openssl:native" +DEBIAN_BUILD_DEPENDS:append:secureboot:buster = ", pesign" +DEBIAN_BUILD_DEPENDS:append:secureboot:bullseye = ", pesign" +DEBIAN_BUILD_DEPENDS:append:secureboot:bookworm = ", pesign" DEPENDS:append:secureboot = " secure-boot-secrets" do_prepare_build:append:secureboot() {
From patchwork Thu Nov 7 10:57:53 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866192
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 5/9] initramfs-crypt-hook: Make dependencies release-specific and add trixie support Date: Thu, 7 Nov 2024 11:57:53 +0100 Message-ID: <3e27ea182df73993bf5bc4d6a0521601ae818b15.1730977077.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Nov 2024 10:58:14 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17209 From: Jan Kiszka Rather than making the list of alternatives longer and longer, append dependencies depending on the selected Debian release. Will also make it easier to clean up when we once drop support for a release. Along with this refactoring comes the list of dependencies needed with trixie. Signed-off-by: Jan Kiszka --- ...s-crypt-hook_0.3.bb => initramfs-crypt-hook_0.4.bb} | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.3.bb => initramfs-crypt-hook_0.4.bb} (89%) diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.3.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb similarity index 89% rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.3.bb rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb index 72de5b6c..03a2bf44 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.3.bb +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.4.bb 
@@ -10,14 +10,14 @@ inherit dpkg-raw DEBIAN_DEPENDS = "initramfs-tools, cryptsetup, \ - awk, openssl, libtss2-esys-3.0.2-0 | libtss2-esys0, \ - libtss2-rc0 | libtss2-esys0, libtss2-mu0 | libtss2-esys0, \ - e2fsprogs, tpm2-tools, coreutils, uuid-runtime" + awk, openssl, e2fsprogs, tpm2-tools, coreutils, uuid-runtime" CLEVIS_DEPEND = ", clevis-luks, jose, bash, luksmeta, file, libpwquality-tools" -DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev" -DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}" +DEBIAN_DEPENDS:append:buster = "${CLEVIS_DEPEND}, libgcc-7-dev, libtss2-esys0" +DEBIAN_DEPENDS:append:bullseye = "${CLEVIS_DEPEND}, libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0" +DEBIAN_DEPENDS:append:bookworm = ", libtss2-esys-3.0.2-0, libtss2-rc0, libtss2-mu0" +DEBIAN_DEPENDS:append:trixie = ", systemd-cryptsetup, libtss2-esys-3.0.2-0t64, libtss2-rc0t64, libtss2-mu-4.0.1-0t64" DEBIAN_DEPENDS:append = "${@encryption_dependency(d)}" def encryption_dependency(d):
From patchwork Thu Nov 7 10:57:54 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866194
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 6/9] read-only-rootfs: Do not install tmp-fs with trixie anymore Date: Thu, 7 Nov 2024 11:57:54 +0100 Message-ID: <2a89d970944b690200e71386ebacab882543c8a9.1730977077.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Nov 2024 10:58:14 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17211 From: Jan Kiszka Debian trixie gained tmpfs-based tmp by default, thus no longer needs our manual activation via the tmp-fs recipe. Signed-off-by: Jan Kiszka --- classes/read-only-rootfs.bbclass | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass index fa56b2eb..9ebcadc2 100644 --- a/classes/read-only-rootfs.bbclass +++ b/classes/read-only-rootfs.bbclass
@@ -15,7 +15,10 @@ INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img" do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build" IMAGE_INSTALL += "home-fs" -IMAGE_INSTALL += "tmp-fs" + +IMAGE_INSTALL:append:buster = " tmp-fs" +IMAGE_INSTALL:append:bullseye = " tmp-fs" +IMAGE_INSTALL:append:bookworm = " tmp-fs" # For pre bookworm images, empty /var is not usable IMAGE_INSTALL:append = " immutable-rootfs"
From patchwork Thu Nov 7 10:57:55 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866191
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 7/9] efibootguard: Use prebuilt python-shtab from trixie onward Date: Thu, 7 Nov 2024 11:57:55 +0100 Message-ID: <6946d79d99ac67744e9e9c59829a03ffb5809547.1730977077.git.jan.kiszka@siemens.com> In-Reply-To: References: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-294854:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Nov 2024 10:58:14 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17213 From: Jan Kiszka With trixie, we even get 1.7.1, so we no longer need to use the self-built version. Signed-off-by: Jan Kiszka --- recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb b/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb index 63373119..5f1a47e8 100644 --- a/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb +++ b/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb
@@ -34,7 +34,9 @@ PATCHTOOL = "git" inherit dpkg -DEPENDS = "python-shtab" +DEPENDS:buster = "python-shtab" +DEPENDS:bullseye = "python-shtab" +DEPENDS:bookworm = "python-shtab" DEPENDS:trixie = "gnu-efi" DEPENDS:sid = "gnu-efi"
From patchwork Thu Nov 7 10:57:56 2024
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 13866196
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 8/9] Add Debian trixie Date: Thu, 7 Nov 2024 11:57:56 +0100 Message-ID: <9f7d4bfb8372fd290187302c94c455ddf5aafa4c.1730977077.git.jan.kiszka@siemens.com> X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17210 From: Jan Kiszka Comes with an isar revision bump to stop using a self-built crossbuild-essential-riscv64 package. Based on similar changes by Cedric Hombourger and Quirin Gylstorff. Signed-off-by: Jan Kiszka --- Kconfig | 4 ++++ conf/distro/cip-core-trixie.conf | 16 ++++++++++++++++ kas-cip.yml | 2 +- kas/opt/trixie.yml | 15 +++++++++++++++ recipes-devtools/secure-boot-secrets/files/sid | 1 + .../files/{sid => trixie}/PkKek-1-snakeoil.key | 0 .../files/{sid => trixie}/PkKek-1-snakeoil.pem | 0 .../swupdate-certificates/files/trixie | 1 + start-qemu.sh | 2 ++ 9 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 conf/distro/cip-core-trixie.conf create mode 100644 kas/opt/trixie.yml create mode 120000 recipes-devtools/secure-boot-secrets/files/sid rename recipes-devtools/secure-boot-secrets/files/{sid => trixie}/PkKek-1-snakeoil.key (100%) rename recipes-devtools/secure-boot-secrets/files/{sid => trixie}/PkKek-1-snakeoil.pem (100%) create mode 120000 recipes-devtools/swupdate-certificates/files/trixie diff --git a/Kconfig b/Kconfig index d10ae917..09bb7699 100644 --- a/Kconfig +++ b/Kconfig @@ -136,6 +136,9 @@ config DEBIAN_BOOKWORM bool "bookworm (12)" depends on !ARCH_RISCV64 +config DEBIAN_TRIXIE + bool "trixie (testing)" + config DEBIAN_SID bool "sid (unstable)" depends on ARCH_RISCV64 
@@ -147,6 +150,7 @@ config KAS_INCLUDE_DEBIAN default "kas/opt/buster.yml" if DEBIAN_BUSTER default "kas/opt/bullseye.yml" if DEBIAN_BULLSEYE default "kas/opt/bookworm.yml" if DEBIAN_BOOKWORM + default "kas/opt/trixie.yml" if DEBIAN_TRIXIE default "kas/opt/sid.yml" if DEBIAN_SID comment "Image features" diff --git a/conf/distro/cip-core-trixie.conf b/conf/distro/cip-core-trixie.conf new file mode 100644 index 00000000..58999d1b --- /dev/null +++ b/conf/distro/cip-core-trixie.conf @@ -0,0 +1,16 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Cedric Hombourger +# +# SPDX-License-Identifier: MIT +# + +require conf/distro/debian-trixie.conf +require cip-core-common.inc + +PREFERRED_VERSION_linux-cip ?= "6.1.%" +PREFERRED_VERSION_linux-cip-rt ?= "6.1.%" diff --git a/kas-cip.yml b/kas-cip.yml index 73c467ed..fcdb10c4 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -22,7 +22,7 @@ repos: isar: url: https://github.com/ilbers/isar.git - commit: 8c9bdd3cb0ac93aa46552d4554bafaea5d1d7d13 + commit: 57f6b70d91711075fbeb07dd2bdf5c9e5b3c6ee6 layers: meta: diff --git a/kas/opt/trixie.yml b/kas/opt/trixie.yml new file mode 100644 index 00000000..e9a76ef5 --- /dev/null +++ b/kas/opt/trixie.yml @@ -0,0 +1,15 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2024 +# +# Authors: +# Cedric Hombourger +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + +distro: cip-core-trixie diff --git a/recipes-devtools/secure-boot-secrets/files/sid b/recipes-devtools/secure-boot-secrets/files/sid new file mode 120000 index 00000000..f0b7e328 --- /dev/null +++ b/recipes-devtools/secure-boot-secrets/files/sid @@ -0,0 +1 @@ +trixie \ No newline at end of file 
diff --git a/recipes-devtools/secure-boot-secrets/files/sid/PkKek-1-snakeoil.key b/recipes-devtools/secure-boot-secrets/files/trixie/PkKek-1-snakeoil.key similarity index 100% rename from recipes-devtools/secure-boot-secrets/files/sid/PkKek-1-snakeoil.key rename to recipes-devtools/secure-boot-secrets/files/trixie/PkKek-1-snakeoil.key diff --git a/recipes-devtools/secure-boot-secrets/files/sid/PkKek-1-snakeoil.pem b/recipes-devtools/secure-boot-secrets/files/trixie/PkKek-1-snakeoil.pem similarity index 100% rename from recipes-devtools/secure-boot-secrets/files/sid/PkKek-1-snakeoil.pem rename to recipes-devtools/secure-boot-secrets/files/trixie/PkKek-1-snakeoil.pem diff --git a/recipes-devtools/swupdate-certificates/files/trixie b/recipes-devtools/swupdate-certificates/files/trixie new file mode 120000 index 00000000..3d633aef --- /dev/null +++ b/recipes-devtools/swupdate-certificates/files/trixie @@ -0,0 +1 @@ +../../secure-boot-secrets/files/trixie \ No newline at end of file diff --git a/start-qemu.sh b/start-qemu.sh index 9ec0f1c2..0e425ea7 100755 --- a/start-qemu.sh +++ b/start-qemu.sh 
@@ -46,6 +46,8 @@ if [ -z "${DISTRO_RELEASE}" ]; then DISTRO_RELEASE="buster" elif grep -s -q "DEBIAN_BOOKWORM: true" .config.yaml; then DISTRO_RELEASE="bookworm" + elif grep -s -q "DEBIAN_TRIXIE: true" .config.yaml; then + DISTRO_RELEASE="trixie" else DISTRO_RELEASE="bullseye" fi From patchwork Thu Nov 7 10:57:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13866193
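Review bot: The new conf/distro/cip-core-trixie.conf in patch 8/9 sets only the two PREFERRED_VERSION lines and no ISAR_USE_APT_SNAPSHOT or ISAR_APT_SNAPSHOT_TIMESTAMP, although the sid profile that 9/9 removes in favour of trixie pinned both. The Kconfig hunk labels trixie as "testing", so without a pin the package set moves between builds and the same commit can produce different images over time. If leaving it unpinned is deliberate, say so in the commit message; otherwise carry the snapshot settings over.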
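Review bot: The rename and symlink hunks of patch 8/9 move the PkKek-1-snakeoil.key and PkKek-1-snakeoil.pem pair under files/trixie and point swupdate-certificates/files/trixie at that same directory, but neither the commit message nor the hunks document that the new release starts out on the snakeoil test pair. Suggest one sentence in the commit message stating that these are the test keys and that builds meant for deployment have to supply their own, since trixie is now selectable for every architecture in Kconfig.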
From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi Subject: [isar-cip-core][PATCH 9/9] Replace sid with trixie Date: Thu, 7 Nov 2024 11:57:57 +0100 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17212 From: Jan Kiszka The only reasons to have sid support in isar-cip-core so far was riscv64 and also testing of zchunk-based delta-updates. Both can now be addressed in a more stable way via upcoming Debian 13 / trixie. Signed-off-by: Jan Kiszka --- .gitlab-ci.yml | 6 +++--- Kconfig | 5 ----- classes/delta-update.bbclass | 4 ++-- conf/distro/cip-core-sid.conf | 20 ------------------- doc/README.swupdate.md | 16 +++++++-------- kas/opt/sid.yml | 15 -------------- .../efibootguard/efibootguard_0.18-1+cip.bb | 1 - start-qemu.sh | 4 +--- 8 files changed, 14 insertions(+), 57 deletions(-) delete mode 100644 conf/distro/cip-core-sid.conf delete mode 100644 kas/opt/sid.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2c6a688b..6f824102 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -62,7 +62,7 @@ default: - if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi - if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi - if [ "${release}" = "bookworm" ]; then base_yaml="${base_yaml}:kas/opt/bookworm.yml"; fi - - if [ "${release}" = "sid" ]; then base_yaml="${base_yaml}:kas/opt/sid.yml"; fi + - if [ "${release}" = "trixie" ]; then base_yaml="${base_yaml}:kas/opt/trixie.yml"; fi - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-data.yml"; fi - if [ "${swupdate_version}" = "2022.12" ]; then base_yaml="${base_yaml}:kas/opt/swupdate-2022.12.yaml"; fi - echo "Building ${base_yaml}" @@ -333,13 +333,13 @@ build:qemu-amd64-secure-boot-buster: deploy: disable encrypt: enable -# riscv64 (sid) +# trixie images build:qemu-riscv64: extends: - .build_base variables: target: qemu-riscv64 - release: sid + release: trixie use_rt: disable targz: disable deploy: disable diff --git a/Kconfig b/Kconfig index 09bb7699..3c246fa5 100644 --- a/Kconfig +++ b/Kconfig @@ -139,10 +139,6 @@ config DEBIAN_BOOKWORM config DEBIAN_TRIXIE bool "trixie (testing)" -config DEBIAN_SID - bool "sid (unstable)" - depends on ARCH_RISCV64 - endchoice config KAS_INCLUDE_DEBIAN @@ -151,7 +147,6 @@ config KAS_INCLUDE_DEBIAN default "kas/opt/bullseye.yml" if DEBIAN_BULLSEYE default "kas/opt/bookworm.yml" if DEBIAN_BOOKWORM default "kas/opt/trixie.yml" if DEBIAN_TRIXIE - default "kas/opt/sid.yml" if DEBIAN_SID comment "Image features" diff --git a/classes/delta-update.bbclass b/classes/delta-update.bbclass index ae2453d7..ab11be59 100644 --- a/classes/delta-update.bbclass +++ b/classes/delta-update.bbclass 
@@ -27,8 +27,8 @@ python () { if d.getVar("DELTA_RDIFF_REF_IMAGE") == "": bb.fatal("You must set DELTA_RDIFF_REF_IMAGE and provide the required files as artifacts to this recipe") elif d.getVar("DELTA_UPDATE_TYPE") == "zchunk": - if d.getVar("BASE_DISTRO_CODENAME") != "sid": - bb.fatal("Zchunk based delta update is only supported from sid") + if d.getVar("BASE_DISTRO_CODENAME") != "trixie": + bb.fatal("Zchunk based delta update is only supported from trixie onward") else: disable_delta_update_tasks(d) } diff --git a/conf/distro/cip-core-sid.conf b/conf/distro/cip-core-sid.conf deleted file mode 100644 index eefcbb59..00000000 --- a/conf/distro/cip-core-sid.conf +++ /dev/null @@ -1,20 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2022-2024 -# -# Authors: -# Jan Kiszka -# -# SPDX-License-Identifier: MIT -# - -require conf/distro/debian-sid.conf -require cip-core-common.inc - -# corresponds to 20240211T000000Z -ISAR_APT_SNAPSHOT_TIMESTAMP ?= "1707606000" -ISAR_USE_APT_SNAPSHOT ?= "1" - -PREFERRED_VERSION_linux-cip ?= "6.1.%" -PREFERRED_VERSION_linux-cip-rt ?= "6.1.%" diff --git a/doc/README.swupdate.md b/doc/README.swupdate.md index 027a8fd7..5308a50f 100644 --- a/doc/README.swupdate.md +++ b/doc/README.swupdate.md 
@@ -435,27 +435,27 @@ host$ scp -P 22222 ./cip-core-image-cip-core-bookworm-qemu-amd64.swu root@localh ## Delta Software Update using zchunk handler -Currently zchunk based delta updates are supported only in Sid images. Make sure to build the first image with Sid as the distribution with the following command: +Currently zchunk based delta updates are supported only in trixie images. Make sure to build the first image with trixie as the distribution with the following command: ``` -host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/sid.yml +host$ ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/trixie.yml ``` For Delta update with zchunk, set the variable `DELTA_ZCK_URL` with the URL of the zck file that is hosted in a http server and set the `DELTA_UPDATE_TYPE` to `zchunk` in `delta-update.yml` file. Build the second image with the modification as shown above with the following command: ``` -KAS_BUILD_DIR=build-v2 ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/sid.yml:kas/opt/delta-update.yml +KAS_BUILD_DIR=build-v2 ./kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/trixie.yml:kas/opt/delta-update.yml ``` Now start the first image. 
Run the following commands: ``` -host$ DISTRO_RELEASE=sid SWUPDATE_BOOT=y ./start-qemu.sh amd64 +host$ DISTRO_RELEASE=trixie SWUPDATE_BOOT=y ./start-qemu.sh amd64 ``` -Copy `cip-core-image-cip-core-sid-qemu-amd64.swu` file from `build-v2/tmp/deploy/images/qemu-amd64/` folder into the running system: +Copy `cip-core-image-cip-core-trixie-qemu-amd64.swu` file from `build-v2/tmp/deploy/images/qemu-amd64/` folder into the running system: ``` host$ cd build-v2/tmp/deploy/images/qemu-amd64/ -host$ scp -P 22222 ./cip-core-image-cip-core-sid-qemu-amd64.swu root@localhost: +host$ scp -P 22222 ./cip-core-image-cip-core-trixie-qemu-amd64.swu root@localhost: ``` -The `cip-core-image-cip-core-sid-qemu-amd64.zck` file must be hosted in a http server. -Any http server (service) can be used to host the .zck file as long as the http server supports http range requests. Copy the `build-v2/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-sid-qemu-amd64.zck` to the server directory. For more information on the integration of zchunk handler in swupdate, refer the [documentation](https://sbabic.github.io/swupdate/delta-update.html#integration-in-swupdate-the-delta-handler) +The `cip-core-image-cip-core-trixie-qemu-amd64.zck` file must be hosted in a http server. +Any http server (service) can be used to host the .zck file as long as the http server supports http range requests. Copy the `build-v2/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-trixie-qemu-amd64.zck` to the server directory. For more information on the integration of zchunk handler in swupdate, refer the [documentation](https://sbabic.github.io/swupdate/delta-update.html#integration-in-swupdate-the-delta-handler) ## Delta Software Update Verification diff --git a/kas/opt/sid.yml b/kas/opt/sid.yml deleted file mode 100644 index be2eeb47..00000000 --- a/kas/opt/sid.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -# -# CIP Core, generic profile -# -# Copyright (c) Siemens AG, 2022-2024 -# -# Authors: -# Jan Kiszka -# -# SPDX-License-Identifier: MIT -# - -header: - version: 14 - -distro: cip-core-sid diff --git a/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb b/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb index 5f1a47e8..6d32833a 100644 --- a/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb +++ b/recipes-bsp/efibootguard/efibootguard_0.18-1+cip.bb @@ -39,7 +39,6 @@ DEPENDS:bullseye = "python-shtab" DEPENDS:bookworm = "python-shtab" DEPENDS:trixie = "gnu-efi" -DEPENDS:sid = "gnu-efi" # needed for buster, bullseye could use compat >= 13 python() { diff --git a/start-qemu.sh b/start-qemu.sh index 0e425ea7..e8f1cfc3 100755 --- a/start-qemu.sh +++ b/start-qemu.sh 
@@ -40,9 +40,7 @@ if [ -n "${QEMU_PATH}" ]; then fi if [ -z "${DISTRO_RELEASE}" ]; then - if grep -s -q "DEBIAN_SID: true" .config.yaml; then - DISTRO_RELEASE="sid" - elif grep -s -q "DEBIAN_BUSTER: true" .config.yaml; then + if grep -s -q "DEBIAN_BUSTER: true" .config.yaml; then DISTRO_RELEASE="buster" elif grep -s -q "DEBIAN_BOOKWORM: true" .config.yaml; then DISTRO_RELEASE="bookworm" From patchwork Thu Nov 7 17:31:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13866820
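Review bot: In the classes/delta-update.bbclass hunk of patch 9/9 the new message promises zchunk delta updates "from trixie onward", but the condition is still an exact match, BASE_DISTRO_CODENAME != "trixie", so any later codename hits bb.fatal as well. Either word the message as "only supported on trixie" or turn the test into a list of the older releases that lack support (buster, bullseye, bookworm), which is what "onward" says.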
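Review bot: The diffstat of patch 9/9 does not touch recipes-devtools/secure-boot-secrets/files/sid, the symlink to trixie that 8/9 created, so once this patch removes cip-core-sid.conf, kas/opt/sid.yml, DEBIAN_SID and DEPENDS:sid the symlink appears to be left without a user. Suggest deleting it here, or not adding it in 8/9 in the first place.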
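Review bot: The second .gitlab-ci.yml hunk of patch 9/9 retitles the section "# trixie images", yet the only job shown under it is build:qemu-riscv64, while doc/README.swupdate.md in the same patch documents the zchunk delta-update flow for a trixie qemu-amd64 image. If no amd64 trixie job exists elsewhere in the file, the documented path is not exercised by CI; consider adding one or keeping the comment specific to riscv64.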
Date: Thu, 7 Nov 2024 18:31:09 +0100 Subject: [isar-cip-core][PATCH 10/9] swupdate: Perform checks for supported configurations From: Jan Kiszka To: cip-dev@lists.cip-project.org Cc: Quirin Gylstorff , Cedric Hombourger , Kazuhiro Hayashi X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17222 From: Jan Kiszka The upcoming trixie release is currently containing everything we need from SWUpdate, so we are retiring the self-building option from that release on - until someone comes up with a valid use case to restore it. This happens to avoid exposing a configuration that is technically selectable but became silently broken due to being effectively unused. The Debian package enforces SWU signing. Therefore warn if a user configures this out while using the upstream package. Signed-off-by: Jan Kiszka --- recipes-core/images/swupdate.inc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index b1cad439..81c33658 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc 
@@ -23,6 +23,17 @@ SWUPDATE_SELFBUILT:buster = "1" SWUPDATE_SELFBUILT:bullseye = "1" SWUPDATE_SELFBUILT:bookworm = "1" +python() { + base_distro = d.getVar('BASE_DISTRO_CODENAME') + if base_distro not in ['buster', 'bullseye', 'bookworm'] and \ + bb.utils.to_boolean(d.getVar('SWUPDATE_SELFBUILT')): + bb.fatal(f'Self-built SWUpdate not supported for {base_distro}') + + if not bb.utils.to_boolean(d.getVar('SWUPDATE_SELFBUILT')) and \ + not bb.utils.to_boolean(d.getVar('SWU_SIGNED')): + bb.fatal('SWUpdate from Debian requires signed SWUs') +} + IMAGE_INSTALL:append = "${@' swupdate' if bb.utils.to_boolean(d.getVar('SWUPDATE_SELFBUILT')) else ''}" IMAGE_PREINSTALL:append = "${@'' if bb.utils.to_boolean(d.getVar('SWUPDATE_SELFBUILT')) else ' swupdate'}"
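Review bot: The commit message of patch 10/9 says the check should "warn" when signing is configured out with the Debian package, but the second condition of the new python() block calls bb.fatal('SWUpdate from Debian requires signed SWUs'), which aborts the build. Failing hard is the safer behaviour for an unsigned-update configuration, so align the commit message with the code rather than the other way round. Separately, the ['buster', 'bullseye', 'bookworm'] list in the first condition repeats the three SWUPDATE_SELFBUILT:<release> assignments directly above it; a comment tying the two together would keep them in sync when a release is added or dropped.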