Export the dynamic build data for consumption in wic image generation.
It can either be included directly or manually parsed for useful chunks
in custom configurations people end up making.
For convenience, it is placed alongside the work-shared/dm-verity dir
where we already store the plain environment file and the veritysetup
formatting argument that was used.
There is a subtle thing going on here with respect to using an include,
which warrants a mention. The wic (wks.in) stuff only has access to
normal Yocto/OE/bitbake variables.
So, instead of a fragment, say if you had:
DM_VERITY_ROOT_HASH = "__not_set__"
and then later, did a:
d.setVar("DM_VERITY_ROOT_HASH", value)
after the image was built, and the hash was known - that seems sane.
But the problem is that once you do that, your variables are tracked
by default, and bitbake/lib/bb/siggen.py will be angry with you for
changing metadata during a build. In theory one should be able to avoid
this with BB_BASEHASH_IGNORE_VARS and "vardepsexclude" but it means more
exposed variables, and as much as I tried, I couldn't get this to work.
Creating a fragment with the dynamic data for inclusion avoids all that.
The wks template itself remains static, and hence doesn't trigger warns.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There are essentially two ways for dealing with where to put the hash
data for dm-verity block integrity checks.
You can store both in a single partition, by using ~95% of the storage
space for the filesystem and the remaining 5% tail for the hash, or you
can use a completely separate partition (or even device) for storing the
hash data elsewhere.
Method A relies on using a hash offset argument during creation, which
is generally OK from a scripted use case but is error prone when run
from the command line and the offset calculated manually.
Method B has the advantage of using the basic partition/device
compartmentalization of the kernel to ensure the fs data doesn't
overwrite the hash or vice versa. It takes any possible errors due to
math miscalculations completely off the table.
At the moment, our current support is hard coded to only support the
offset method A. Here we add support for separate hash as per B.
As multiple partitions are now in play, we use the UUID creation
standard adopted by the systemd/verity community which implicitly links
the root and hash partitions by splitting the top roothash in two for
the UUIDs of the components.
This change optionally creates the separate hash file but no examples
use it yet. Further commits will implement an example.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
We already have this directory to save the environment variable settings
so they can be copied into the initramfs for runtime setup.
There are quite a few veritysetup args, and the nature of storing the
hash data after the filesystem data in an "oversized" partition can be
error prone due to rounding, fencepost errors, etc.
Save a copy of what we used for ease of debug inspection, and for basic
cut and paste use in experimentation and tweaking.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In making changes to the existing veritysetup arg list, it is harder to
see what the proposed change is since they are are glued together on one
long line. Break them up so reviewing future unified diffs will be more
easy to visually parse.
This also makes it easier to temp. dump the args to a file for debugging.
In theory this should have no functional change.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Without these one line descriptors and their associated marker prefix,
the output from "wic list images" only shows they are available as a
choice but w/o any description
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
0 (0%) meta-parsec
N/A (0%) meta-hardening
1 (100%) meta-integrity
15 (68%) meta-tpm
27 (61%) meta-security
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
These two layers do not have oeqa lib modules. Remove these two
lines. Otherwise, `bitbake-layers add-layer <any_layer>' would fail
if either of these two layers are in BBLAYERS.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Dependencies to perl modules Cwd and Encode were missing.
Complete error on buck-security launch :
Can't locate Encode/Encoding.pm in @INC (you may need to install the Encode::Encoding module) (@INC contains: /usr/lib/perl5/site_perl/5.36.0/arm-linux /usr/lib/perl5/site_perl/5.36.0 /usr/lib/perl5/vendor_perl/5.36.0/arm-linux /usr/lib/perl5/vendor_perl/5.36.0 /usr/lib/perl5/5.36.0/arm-linux /usr/lib/perl5/5.36.0) at /usr/lib/perl5/5.36.0/parent.pm line 16.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.36.0/arm-linux/Encode.pm line 178.
Compilation failed in require at /usr/lib/perl5/5.36.0/Pod/Text.pm line 24.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.36.0/Pod/Text.pm line 24.
Compilation failed in require at (eval 6) line 1.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.36.0/Pod/Usage.pm line 30.
Compilation failed in require at /usr/bin/buck-security line 12.
BEGIN failed--compilation aborted at /usr/bin/buck-security line 12.
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If we use a non PARTUUID root parameter, we would always get a error
like below:
realpath: /dev/disk/by-partuuid//dev/mmcblk0p2: No such file or directory
This seems pretty confusion and it also seems no need to emit this kind
of error when we are waiting for the root device. So suppress all the
realpath errors.
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This version supports openssl 3.1
The maintainer changed his tag versions hence the different looking
version.
The maintainer also has stopped releasing tar files and asked we
directly grab from git.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Currently build fails with:
| error: manifest path `/home/builder/build/tmp_qemuarm64/work/cortexa57-linux/parsec-tool/0.6.0-r0/cargo_home/bitbake/parsec-tool-0.6.0//Cargo.toml` does not exist
Normal source directory has Cargo.toml so only set ${B} to the
new path.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
After latest changes to ${S}, parsec-service fails to apply systemd.patch:
ERROR: parsec-service-1.2.0-r0 do_patch: Applying patch 'systemd.patch' on target directory '/home/builder/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/parsec-service/1.2.0-r0/cargo_home/bitbake/parsec-service-1.2.0'
CmdError('quilt --quiltrc /home/builder/build/tmp_qemuarm64/work/cortexa57-linux/parsec-service/1.2.0-r0/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch systemd.patch
can't find file to patch at input line 11
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|
|Run the Parsec service as parsec user in /var/lib/parsec/ working directory.
|
|Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
|Upstream-Status: Inappropriate [deployment configuration]
|
|diff --git a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service
|index c07c3b9..a6fe6a3 100644
|--- a/systemd-daemon/parsec.service
|+++ b/systemd-daemon/parsec.service
--------------------------
No file to patch. Skipping patch.
1 out of 1 hunk ignored
Patch systemd.patch does not apply (enforce with -f)
stderr: ")
ERROR: Logfile of failure stored in: /home/builder/build/tmp_qemuarm64/work/cortexa57-linux/parsec-service/1.2.0-r0/temp/log.do_patch.218884
Instead of changing S, it seems to be sufficient to switch build directory B
to ${CARGO_VENDORING_DIRECTORY}/${BP}.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
arm, arm64 and other machines can also have tpm and tpm2 devices
and the config snippets tpm.scc and tpm2.scc work there too.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Updating libhoth to match version in openbmc
https://gerrit.openbmc.org/c/openbmc/openbmc/+/63424
libhoth detailed changes:
Willy Tu
Expose header files expose USB APIs
aranikam
Add flash_spi_info command
Add address mode flag for spi update/read
Chris Evans
Rename ec_ commands; permit old command names as an alias.
Apply clang-format, and enable it as a check action. (#24)
Sui Chen
Add payload status
Add console snapshot
Daimeng Wang
libhoth: automated mtd mailbox discovery
libhoth: implement MTD transport
libhoth: add MTD backend boilerplate API
Yoan Andreev
Dont check for non-snapshot console params
Extern c wrap (#22)
Build improvements (#18)
Add basic abstraction to libhoth and SPIDEV support (#17)
Vidya Satyamsetti
Add extern
Kor Nielsen
htool console: Don't leave O_NONBLOCK set on stdin
[fix] In legacy mailbox protocol, look at response size.
[fix] Support legacy response buffers larger than 62 bytes.
[feat] htool: Support Hoth-B devices.
Add --baud_rate flag to "htool console".
Setup github workflow to build project.
Rename "htool console -l" to "htool console -n".
Add --onlcr flag to "htool console".
Make example visibility public.
Fix BUILD file formatting.
Remove out-of-date :enumerate and :ec_hello.
Add libusb to bazel WORKSPACE.
Fix undefined behavior in htool command handling.
Signed-off-by: John Edward Broadbent <jebr@google.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yocto mickledore introduced the addpylib directive for explicitly adding
layer paths to the PYTHONPATH.
Standalone OEQA test suite discovery does not require this directive but
it is required to import test cases from other layers, e.g. to extend
and modify the test cases.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
We have systemd-bootdisk-dmverity.wks.in as an example template but
no mention of it in docs or config files. Similar to the beaglebone
black insructions added earlier, we do the same for (qemu)x86-64.
This hopefully walks through getting things configured for building
a systemd based dm-verity image and booting it on qemux86-64 --filling
in a lot of blanks and assumptions so that someone relatively new to
the feature can get off the ground more quickly by using qemu as a
stepping stone towards their final physical implementation.
Finally, the full image is deployed and booted on real hardware.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Adding to your local.conf right out of the gate:
EXTRA_IMAGE_FEATURES = "read-only-rootfs"
while you are trying to sort out other things can be just another
complication to an already steep learning curve.
For example, I found simply enabling this with systemd caused:
systemd[1]: Failed to fork off sandboxing environment for executing generators: Protocol error
[!!!!!!] Failed to start up manager.
systemd[1]: Freezing execution.
While I'd like to get to the root cause of that, it doesn't change that
things boot fine w/o adding to EXTRA_IMAGE_FEATURES, even though the
rootfs is still read-only courtesy of dm-verity.
Reword things so as to make it clear it isn't strictly a hard requirement
and hence can be delayed as people work through their implementation.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Some platform creators tend to list a whole bunch of layers by
default in conf/bblayers.conf. Without getting into the debate of
whether that is a good idea, it can tend to have the effect of
people seeing the meta-security DISTRO_FEATURES warning time and
time again and becoming essentially numb to it.
After having fallen into this trap myself, I figured it was worth
the extra mention in the dm-verity doc so there is a better chance
of users realizing "hey - this applies to me!".
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To avoid having linux-%.bbappend included in targets unrelated to the
linux kernel, rename linux-%.bbappend to linux-yocto%.bbappend.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Append ':append' to do_configure so it does not replace all existing
do_configure's.
Only run 'sed' when DISTRO_FEATURES contains 'ima' and the .config file
exists.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Drop the kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg.
Instead, require projects that use squashfs to set this option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
commit: 0594aee packagegroup-security-tpm2.bb: remove dynamic pkgs
is causing an issue with some users. Restore the packages and opted
to fix via PACKAGE_ARCH = "${TUNE_PKGARCH}"
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yocto mickledore introduced the addpylib directive for explicitly adding
layer paths to the PYTHONPATH.
Standalone OEQA test suite discovery does not require this directive but
it is required to import test cases from other layers, e.g. to extend
and modify the test cases.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
