19 Commits

Author SHA1 Message Date
Louis Rannou
a043f0b8ed oeqa: openscap test
Add a basic openscap test. This looks for an existing profile and runs a basic scan.

Openscap scans return 1 in case of failure, 0 in case of success and 2 when a
vulnerability has been found. As this does not aim to check openscap reports, 2 is
considered a successful test.

Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
(added to test image)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2025-11-21 09:10:00 -05:00
Yi Zhao
c9585ebfe8 dm-verity-image-initramfs: drop lvm2-udevrules
Drop lvm2-udevrules as it has been removed in meta-openembedded
commit[1].

[1] https://git.openembedded.org/meta-openembedded/commit/?h=master&id=c37c867e1adddd6fa39cf3f3d4c6688ea6dc825a

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-11-24 20:19:50 -05:00
Kevin Hao
40ddb9e5ed dm-verity-image-initramfs: Set IMAGE_NAME_SUFFIX to empty
According to the Yocto reference manual [1], IMAGE_NAME_SUFFIX should
be set to empty for the initramfs image. Otherwise, we may incur a build
error like the following due to the initrd check in live-vm-common.bbclass:
  ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed.
  ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None)
  ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965
  ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1'

[1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-03-27 12:36:58 -04:00
Wurm, Stephan
a94674c5bc dm-verity-image-initramfs: Allow compressed image types
Using <DM_VERITY_IMAGE_TYPE> in the depends variable does not work for
compressed image types like squashfs-zst, as the resulting task
dependency still contains the incompatible dash. Replacing the dash by
an underscore resolves this issue.

Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Armin Kuster
cfe7335568 qemu: move qemu setting to image and out of layer.conf
I suspect it's better form to have these in the image definition.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
f453866cf6 security-build-image: add lkrg-module to build image
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-06-23 18:47:59 -07:00
Armin Kuster
123c59c313 security-test-image: add firejail and aide test suites
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-06-23 18:47:59 -07:00
Armin Kuster
6c77d06b84 security-test-image: auto include layers if present.
This is to simplify testing: build one image and include pkgs depending on the
layers included in BBLAYERS.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-06-18 06:48:22 -07:00
Armin Kuster
21489a2942 security-test-image: tweak to get more tests to run
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Armin Kuster
b03d65ffe4 security-test-image: simplify
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-01 06:22:07 -07:00
niko.mauno@vaisala.com
5f196cf59d dm-verity-image-initramfs: Drop locales from image
Since IMAGE_LINGUAS defaults to 'en-us en-gb' and since localization is
not needed on this type of purpose-specific initramfs image, reset the
variable which helps by shaving off almost 700kB from resulting bundled
zImage-initramfs artifact.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00
niko.mauno@vaisala.com
e88895e109 dm-verity-image-initramfs: Add base-passwd package
This removes the following boot-time complaints from udevd regarding
missing group declarations:

  [    6.624454] udevd[163]: specified group 'tty' unknown
  [    6.625340] udevd[163]: specified group 'dialout' unknown
  [    6.625692] udevd[163]: specified group 'kmem' unknown
  [    6.626022] udevd[163]: specified group 'input' unknown
  [    6.626541] udevd[163]: specified group 'video' unknown
  [    6.626977] udevd[163]: specified group 'audio' unknown
  [    6.627532] udevd[163]: specified group 'lp' unknown
  [    6.628187] udevd[163]: specified group 'disk' unknown
  [    6.628558] udevd[163]: specified group 'cdrom' unknown

Size impact of this change on the resulting bundled zImage-initramfs
artifact is less than +1kB, which is negligible.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00
niko.mauno@vaisala.com
1d21cec5fd dm-verity-initramfs-image: Cosmetic improvements
- revise declaration ordering as suggested by oe-stylize.py
- sort PACKAGE_INSTALL entries in alphabetic order
- split long command line in deploy_verity_hash()

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00
niko.mauno@vaisala.com
45e8b20cd0 dm-verity-image-initramfs: Use initramfs-framework
Switch from this layer's initramfs-dm-verity recipe to poky-provided
initramfs-framework suite to manage veritysetup et al.

This commit also removes initramfs-dm-verity recipe which is not
referred from elsewhere in this meta layer.

Also update the install path of dm-verity.env from /usr/share to
/usr/share/misc in order to better comply with FHS3.0, see
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html#usrsharemiscMiscellaneousArchitecture

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00
niko.mauno@vaisala.com
170945ff9f dm-verity-img.bbclass: Stage verity.env file
Introduce a new STAGING_VERITY_DIR variable specific to this bbclass which
defines the directory where the verity.env file is stored during the
<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> task and can
subsequently be picked up into the associated initramfs rootfs (which
facilitates executing 'veritysetup' and related actions).

By doing this we mitigate failures that were thus far associated with this
facility, such as

  install: cannot stat '.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4.verity.env': No such file or directory

and

  install: cannot stat '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity.env': No such file or directory

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00
niko.mauno@vaisala.com
03fdaf2f04 dm-verity-image-initramfs: Bind at do_image instead
Bind custom actions in this image recipe in do_image() rather than
do_rootfs(), which can help shave even dozens of seconds from the duration
of 'bitbake <DM_VERITY_IMAGE>' command re-execution.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00
niko.mauno@vaisala.com
4cf81a5847 dm-verity-image-initramfs: Ensure verity hash sync
In order to ensure that the bundled initramfs always contains the most
recently generated DM_VERITY_IMAGE specific root filesystem's root hash,
we disable the timestamp for the do_rootfs() task here, meaning that the
task will be re-executed whenever some task that depends on it executes.

Without this change, executing e.g. the following sequence

  $ bitbake <DM_VERITY_IMAGE>
  $ bitbake -c clean <DM_VERITY_IMAGE>
  $ bitbake <DM_VERITY_IMAGE>

results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like

  Mounting /dev/vda over dm-verity as the root filesystem
  [    8.729974] device-mapper: verity: sha256 using implementation sha256-generic
  [    8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read
  Verity device detected corruption after activation.
  [    8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read
  ...
  [    9.135707] EXT4-fs (dm-0): unable to read superblock
  [    9.142897] EXT4-fs (dm-0): unable to read superblock
  [    9.145393] EXT4-fs (dm-0): unable to read superblock
  [    9.147905] FAT-fs (dm-0): unable to read boot sector
  mount: /new_root: can't read superblock on /dev/mapper/rootfs.
  BusyBox v1.32.0 () multi-call binary.

  Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS]
  [    9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
  [    9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1
  [    9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
  ...
  [    9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00
Armin Kuster
5392cb9baa security images: Move to recipe-core
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-25 09:00:39 -07:00
Bartosz Golaszewski
d6369c9aaf dm-verity: add a working example for BeagleBone Black
This adds various bits and pieces to enable generating a working example
of a full chain of trust up to the dm-verity-protected rootfs level on
BeagleBone Black.

The new initramfs is quite generic and should work for other SoCs as well
when using fitImage.

The following config can be used with current master poky,
meta-openembedded & meta-security to generate a BBB image using verified
boot and dm-verity.

  UBOOT_SIGN_KEYDIR = "/tmp/test-keys/"
  UBOOT_SIGN_KEYNAME = "dev"
  UBOOT_SIGN_ENABLE = "1"
  UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
  UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config"

  IMAGE_CLASSES += "dm-verity-img"
  IMAGE_FSTYPES += "wic.xz ext4"

  DM_VERITY_IMAGE = "core-image-full-cmdline"
  DM_VERITY_IMAGE_TYPE = "ext4"

  KERNEL_CLASSES += "kernel-fitimage"
  KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage"

  IMAGE_INSTALL_remove = " kernel-image-zimage"
  IMAGE_BOOT_FILES_remove = " zImage"
  IMAGE_BOOT_FILES_append = " fitImage-${INITRAMFS_IMAGE}-${MACHINE}-${MACHINE};fitImage"

  # Using systemd is not strictly needed but deals nicely with read-only
  # filesystem by default.
  DISTRO_FEATURES_append = " systemd"
  DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
  VIRTUAL-RUNTIME_init_manager = "systemd"
  VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

  INITRAMFS_IMAGE = "dm-verity-image-initramfs"
  INITRAMFS_FSTYPES = "cpio.gz"
  INITRAMFS_IMAGE_BUNDLE = "1"

  WKS_FILE = "beaglebone-yocto-verity.wks.in"

  KERNEL_FEATURES_append = " features/device-mapper/dm-verity.scc"

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:28:21 -07:00