From patchwork Fri Jan 24 08:06:25 2025
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 13949059
From: Quirin Gylstorff
To: Sai.Sathujoda@toshiba-tsip.com, jan.kiszka@siemens.com, cip-dev@lists.cip-project.org
Subject: [cip-dev][isar-cip-core][PATCH 1/3] build x86-uefi with secure boot
Date: Fri, 24 Jan 2025 09:06:25 +0100
Message-ID: <20250124080659.469424-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20250124080659.469424-1-Quirin.Gylstorff@siemens.com>
References: <20250124080659.469424-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17618

Signed-off-by: Quirin Gylstorff --- .gitlab-ci.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d4bd283..42e247d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml
@@ -241,6 +241,16 @@ build:qemu-amd64-secure-boot-encrypt: deploy: disable encrypt: enable +build:x86-uefi-secure-boot: + extends: + - .build_base + variables: + target: x86-uefi + extension: security + use_rt: disable + targz: disable + encrypt: disable + build:qemu-amd64-swupdate: extends: - .build_base From patchwork Fri Jan 24 08:06:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13949057 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CCA24C0218B for ; Fri, 24 Jan 2025 08:07:10 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.6954.1737706022631775362 for ; Fri, 24 Jan 2025 00:07:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm2 header.b=JVKkxvo9; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-51332-20250124080700fca1d7833a0521ebc9-ggkxxd@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20250124080700fca1d7833a0521ebc9 for ; Fri, 24 Jan 2025 09:07:00 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=9+nPxDoi/CJE4WX2zcwWT48EokYnKMKJwAKISLG9KDY=; b=JVKkxvo9d4+Sqky0yOntmatFp2uFAMNucT8foXmMsrxdN31WxeRL9S6qHDWQB9YBPK+wbh ymfXGzmbl5k2GNmB9GczlSmt2vCXL/BwVQEY3JzCG9PxTh/orEGmft6moXALOs56up2xZLYJ pcWhQ2oOzZJ0+HB4YfzCeatKzj1oZ9YVyeffZcr43J67mkWS/EKU7j85vIi9W34tszHr1Her 
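Review bot: The commit message has no body, and nothing in the hunk shows what actually enables secure boot for the new `build:x86-uefi-secure-boot` job: it only sets `target: x86-uefi` and `extension: security` and disables `use_rt`, `targz` and `encrypt`, while the neighbouring `build:qemu-amd64-secure-boot-encrypt` job visibly carries `deploy: disable` and `encrypt: enable`. Please add a commit body stating which setting (presumably `extension: security`, if that is what selects the secure boot configuration for x86-uefi) turns secure boot on, and say explicitly whether this job is meant to deploy its artifacts, since no `deploy` key is set.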
From: Quirin Gylstorff
To: Sai.Sathujoda@toshiba-tsip.com, jan.kiszka@siemens.com, cip-dev@lists.cip-project.org
Subject: [cip-dev][isar-cip-core][PATCH 2/3] x86-uefi: disable watchdog for testing on mcom
Date: Fri, 24 Jan 2025 09:06:26 +0100
Message-ID: <20250124080659.469424-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20250124080659.469424-1-Quirin.Gylstorff@siemens.com>
References: <20250124080659.469424-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17616

Due to the multiple watchdogs available on the mcom device, efibootguard selects the iTCO watchdog and the Linux kernel selects the WDAT watchdog, which leads to a system reboot during booting as the Linux kernel no longer drives the iTCO watchdog.

Signed-off-by: Quirin Gylstorff --- .gitlab-ci.yml | 2 ++ kas/opt/disable-watchdog.yml | 15 +++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 kas/opt/disable-watchdog.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 42e247d..97ef031 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml
@@ -64,6 +64,7 @@ default: - if [ "${release}" = "bookworm" ]; then base_yaml="${base_yaml}:kas/opt/bookworm.yml"; fi - if [ "${release}" = "trixie" ]; then base_yaml="${base_yaml}:kas/opt/trixie.yml"; fi - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-data.yml"; fi + - if [ "${disable_watchdog}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/disable-watchdog.yml"; fi - if [ "${swupdate_version}" = "2022.12" ]; then base_yaml="${base_yaml}:kas/opt/swupdate-2022.12.yaml"; fi - echo "Building ${base_yaml}" - kas build ${base_yaml} @@ -250,6 +251,7 @@ build:x86-uefi-secure-boot: use_rt: disable targz: disable encrypt: disable + disable_watchdog: enable build:qemu-amd64-swupdate: extends: diff --git a/kas/opt/disable-watchdog.yml b/kas/opt/disable-watchdog.yml new file mode 100644 index 0000000..88ece6b --- /dev/null +++ b/kas/opt/disable-watchdog.yml 
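Review bot: Setting `disable_watchdog: enable` on `build:x86-uefi-secure-boot` means the only x86-uefi secure boot artifact CI builds is one with the watchdog switched off, so the job no longer exercises the configuration a device would ship with; the commit title says this is for testing on mcom, so either add a comment beside the variable that it is a test-only workaround, or keep a second x86-uefi secure boot job with the watchdog enabled so the production configuration stays covered. Two smaller points on the `default:` hunk: the check `[ "${disable_watchdog}" = "enable" ]` mirrors the `encrypt` line above it and safely falls through when the variable is unset, but no default for `disable_watchdog` is declared anywhere in the hunk, and `disable_watchdog: enable` reads as a double negative next to `use_rt: disable` and `encrypt: disable`; `watchdog: disable` would match the existing naming.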
@@ -0,0 +1,15 @@ +# +# Copyright (c) Siemens AG, 2025 +# +# Authors: +# Quirin Gylstorff +# +# SPDX-License-Identifier: MIT +# + +header: + version: 14 + +local_conf_header: + no-watchdog: | + WDOG_TIMEOUT = "0" From patchwork Fri Jan 24 08:06:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13949056 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFE73C0218D for ; Fri, 24 Jan 2025 08:07:10 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.6956.1737706022675200984 for ; Fri, 24 Jan 2025 00:07:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm2 header.b=RHOOn0if; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-51332-20250124080700085cb0ffd3be50822e-qu82sw@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250124080700085cb0ffd3be50822e for ; Fri, 24 Jan 2025 09:07:00 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=8EE8GkAjrs7dRjk7QPm23JwUuXsPA9/kJ9eSVTAAp7c=; b=RHOOn0ifTzx7+pIbYsz2PX4Xiew3XEemquioR6eeEVR2qhmWt4eLEnLNwjD3XNidJtRUIz LmwsWjm+pexMEgNWp+vg3qcCw3Uwgl115v+Q7mN3n5Vc6OUS1sk6XLTS5fYXicO5rzL86EnE oHBmnhS79djuY9ySUs77wsF19x6XMxf/TOlzXE1kE96DhKKvj7nAmGyEuAElhm09WerhYX7x r/JobV2MKYxhM2gf0LpF3RM1JriIwukocEtUOEN/7BJod1ZcfzM4gejLxpxYlqsnyvjW9A6W KN5GwCKIX6E7r/vRke5gIbgax75S9kbKGR5o3fRYmWnKHVYKYC8tYjiw==; 
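Review bot: The new `kas/opt/disable-watchdog.yml` sets `WDOG_TIMEOUT = "0"` with no comment on what it does or why it exists; the reason lives only in the commit message (on mcom, efibootguard arms the iTCO watchdog while the kernel drives the WDAT one, so the system reboots during boot). Please put that explanation, and the fact that this is a test workaround rather than a fix, into the file header beside the license block, so that someone reusing the kas option does not silently disable the boot watchdog on other targets. A more targeted follow-up would be to make efibootguard and the kernel agree on one watchdog on mcom instead of turning the timeout off, since that watchdog is what recovers a device whose kernel never comes up.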
From: Quirin Gylstorff
To: Sai.Sathujoda@toshiba-tsip.com, jan.kiszka@siemens.com, cip-dev@lists.cip-project.org
Subject: [cip-dev][isar-cip-core][PATCH 3/3] customizations-security: add curl to download LAVA overlay
Date: Fri, 24 Jan 2025 09:06:27 +0100
Message-ID: <20250124080659.469424-4-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20250124080659.469424-1-Quirin.Gylstorff@siemens.com>
References: <20250124080659.469424-1-Quirin.Gylstorff@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17619

LAVA generates a directory, called overlay in LAVA, which contains all scripts and tests of the test stage. The device under test needs to be instrumented with this overlay. LAVA provides the possibility to download the overlay via HTTP or NFS. We use curl to download the overlay from an HTTP server.

Signed-off-by: Quirin Gylstorff --- recipes-core/security-customizations/security-customizations.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb index 75a6a99..9fbc2a5 100644 --- a/recipes-core/security-customizations/security-customizations.bb +++ b/recipes-core/security-customizations/security-customizations.bb
@@ -18,7 +18,7 @@ SRC_URI = "file://postinst \ file://ssh-pam-remote.conf" DEPENDS = "customizations sshd-regen-keys" -DEBIAN_DEPENDS = "customizations, sshd-regen-keys, libpam-google-authenticator, libpam-modules, libpam-runtime, auditd" +DEBIAN_DEPENDS = "customizations, sshd-regen-keys, libpam-google-authenticator, libpam-modules, libpam-runtime, auditd, curl" # Package names based on the distro version DEBIAN_DEPENDS:append:buster = ", libpam-cracklib"
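Review bot: Adding `curl` to `DEBIAN_DEPENDS` of `security-customizations` installs it into every image that pulls in the security customizations, not only the LAVA test images, while the commit message describes a test-time need (fetching the LAVA overlay over HTTP). Consider carrying curl in a test-only kas option, like `kas/opt/disable-watchdog.yml` earlier in this series, or in the LAVA job's own configuration, so the hardened image does not permanently gain a general-purpose download tool; if it is meant to stay in the product image, say so in the commit message. Also worth a sentence there: the overlay holds the scripts that run on the device under test, so the HTTP source it is fetched from should be one the test infrastructure controls.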