Commit Graph

800 Commits

Author SHA1 Message Date
Armin Kuster
6466c6fb02 tpm-tools: fix build issue
This error occurs randomly.
/bin/bash: pod2man: command not found

[Yocto #14304]

minor space/tab cleanup

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Cc: Ben <koncept1@gmail.com>
2021-07-10 05:25:40 -07:00
Ming Liu
93232ae6d5 initramfs-framework-ima: introduce IMA_FORCE
Introduce IMA_FORCE to allow the IMA policy to be applied forcibly even if the
'no_ima' boot parameter is available.

This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel arguments, it will easily bypass rootfs
authenticity checks.

Signed-off-by: Sergio Prado <sergio.prado@toradex.com>
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-27 07:16:53 -07:00
Ming Liu
633239852a meta: drop IMA_POLICY from policy recipes
IMA_POLICY is being referred to as a policy recipe name in some places and it
is also being referred to as a policy file in other places; they are
conflicting with each other, which makes it impossible to set an IMA_POLICY
global variable in a config file.

Fix it by dropping IMA_POLICY definitions from policy recipes

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-27 07:16:49 -07:00
Ming Liu
13db06b36c ima-evm-keys: add file-checksums to IMA_EVM_X509
This ensures when an end user changes the IMA_EVM_X509 key file,
ima-evm-keys recipe will be rebuilt.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-27 07:16:46 -07:00
Omer Akram
831f2d6451 tests: correctly escape # in Makefile
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-14 05:14:28 +00:00
Omer Akram
ec54b4bb64 Use C preprocessor from the yocto build environment
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-14 05:14:01 +00:00
Omer Akram
ec2ed1df6e backport cross-compile python binding fix
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-14 05:13:26 +00:00
Omer Akram
29dbe5eb6b Update apparmor to 2.13.6
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-04-14 05:12:48 +00:00
Ming Liu
653474bdc5 ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
This fixes following systemd boot issues:
[    7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
[    7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
[    7.459270] systemd[1]: Freezing execution.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
0cf9f630c3 ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
Or else wic will fail without "--no-fstab-update" option.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
f697c05f2a initramfs-framework-ima: let ima_enabled return 0
Otherwise, ima script would not run as intended.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
114b662c41 README.md: update according to the refactoring in ima-evm-rootfs.bbclass
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
ec5ce3fe61 meta: refactor IMA/EVM sign rootfs
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/image.bbclass:

| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "

and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT
since that would impact all recipes but not only image recipes.

To fix the above issues, we introduce an ima_evm_sign_handler setting
IMA/EVM rootfs signing requirements/dependencies in event
bb.event.RecipePreFinalise, it checks 'ima' distro feature to decide if
IMA/EVM rootfs signing logic should be applied or not.

Also add ima-evm-keys to IMAGE_INSTALL.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
126e1509c2 initramfs-framework-ima: RDEPENDS on ima-evm-keys
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
8de3937af1 ima-evm-keys: add recipe
Create a recipe to package IMA/EVM public keys.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
0cee6f3c50 initramfs-framework-ima: fix a wrong path
/etc/ima-policy > /etc/ima/ima-policy.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:30 -08:00
Ming Liu
623c939035 ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid
sanity check for ima-evm-utils-native.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:10:23 -08:00
Armin Kuster
c2edc0616b kas-security-base: drop DL_DIR
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-24 21:17:13 -08:00
Armin Kuster
c74cc97641 apparmor: fix QA warning with systemd enabled
ERROR: apparmor-2.13.4-r0 do_package: QA Issue: apparmor: Files/directories were installed but not shipped in any package:
  /usr/lib/systemd
  /usr/lib/systemd/system
  /usr/lib/systemd/system/apparmor.service

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-17 08:54:49 -07:00
Armin Kuster
71fb4e16b3 apparmor: fix issue with older use of shell in make
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-17 08:24:04 -07:00
Armin Kuster
a8340f10ea README: updated branch for Dunfell
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-17 07:16:48 -07:00
Armin Kuster
16b5bdec29 ibmswtpm2: fix QA warning
ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-16 18:47:51 -07:00
Sajjad Ahmed
4963043a05 layer.conf: use += instead of := to update BBFILES
Updating BBFILES with := isn't the standard way and can break
parsing under certain conditions, instead use += which is widely used.

Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 63e1cf3ffa)
2020-10-16 07:25:01 -07:00
Mingli Yu
717a38a8e4 scap-security-guide: add expat-native to DEPENDS
Add expat-native to DEPENDS to fix the below do_configure error:
| CMake Error at CMakeLists.txt:165 (message):
|  xmlwf is required!

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4c2f7ffd49)
2020-10-16 07:24:41 -07:00
Armin Kuster
d2b9de25cb packagegroup-core-security: remove clamav from musl image
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 496a734c14)
2020-10-16 07:24:06 -07:00
Armin Kuster
f01129b22e apparmor: fix build issue with ptest enabled.
minor spacing cleanup

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 2a7963df18)
2020-10-16 07:23:21 -07:00
Naveen Saini
29fd9f98b3 linux-%/5.x: Add dm-verity fragment as needed
Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit d9feafe991)
2020-10-16 07:22:41 -07:00
Naveen Saini
8cf792d3aa wic: add wks.in for intel dm-verity
Based on systemd-bootdisk-microcode.wks.in, this adds
the dm-verity image similar to the beaglebone wks
already in meta-security.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 0de4f3bfb7)
2020-10-16 07:21:47 -07:00
Naveen Saini
4aab56bbca initramfs-framework/dmverity: add retry loop for slow boot devices
Detection of USB devices by the kernel is slow enough. We need to
keep trying for a while (default: 5s seconds, controlled by roottimeout=<seconds>)
and sleep between each attempt (default: one second, rootdelay=<seconds>).

Fix is based on https://git.yoctoproject.org/cgit.cgi/poky/commit/meta/recipes-core/initrdscripts/initramfs-framework/rootfs?id=ee6a6c3461694ce09789bf4d852cea2e22fc95e4

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e23767fc72)
2020-10-16 07:19:30 -07:00
Armin Kuster
aa5a6f7d12 apparmor: exclude mips64, not supported
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit f176756890)
2020-10-16 07:17:55 -07:00
Armin Kuster
59e5512023 packagegroup-core-security: don't include suricata on riscv or ppc
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit caf76696e8)
2020-10-16 07:16:29 -07:00
niko.mauno@vaisala.com
6cd5fc4921 beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR
Since dm-verity-image.bbclass effectively injects

  <DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE>

dependency for do_image_wic task, we can change verity rootfs artifact
reference here from DEPLOY_DIR_IMAGE to IMGDEPLOYDIR in order to
mitigate following breakage which was observed when bitbaking
<DM_VERITY_IMAGE> target from scratch (using sstate-cache provided
artifacts):

  | wic.filemap.Error: cannot open image file '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity': [Errno 2] No such file or directory: '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity'
  | WARNING: exit code 1 from a shell command.
  |
  ERROR: Task (.../meta/recipes-core/images/core-image-minimal.bb:do_image_wic) failed with exit code '1'

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4602d64208)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
08f791321b dm-verity-image-initramfs: Drop locales from image
Since IMAGE_LINGUAS defaults to 'en-us en-gb' and since localization is
not needed on this type of purpose-specific initramfs image, reset the
variable which helps by shaving off almost 700kB from resulting bundled
zImage-initramfs artifact.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5f196cf59d)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
5f26a25883 dm-verity-image-initramfs: Add base-passwd package
This removes following boot-time complaints from udevd regarding
missing group declarations:

  [    6.624454] udevd[163]: specified group 'tty' unknown
  [    6.625340] udevd[163]: specified group 'dialout' unknown
  [    6.625692] udevd[163]: specified group 'kmem' unknown
  [    6.626022] udevd[163]: specified group 'input' unknown
  [    6.626541] udevd[163]: specified group 'video' unknown
  [    6.626977] udevd[163]: specified group 'audio' unknown
  [    6.627532] udevd[163]: specified group 'lp' unknown
  [    6.628187] udevd[163]: specified group 'disk' unknown
  [    6.628558] udevd[163]: specified group 'cdrom' unknown

Size impact of this change on resulting bundled zImage-initramfs
artifact is less than +1kB which is negligible.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e88895e109)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
5f2c8e8e25 dm-verity-initramfs-image: Cosmetic improvements
- revise declaration ordering as suggested by oe-stylize.py
- sort PACKAGE_INSTALL entries in alphabetic order
- split long command line in deploy_verity_hash()

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 1d21cec5fd)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
1e1944d13c dm-verity-image-initramfs: Use initramfs-framework
Switch from this layer's initramfs-dm-verity recipe to poky-provided
initramfs-framework suite to manage veritysetup et al.

This commit also removes initramfs-dm-verity recipe which is not
referred from elsewhere in this meta layer.

Also update the install path of dm-verity.env from /usr/share to
/usr/share/misc in order to better comply with FHS3.0, see
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html#usrsharemiscMiscellaneousArchitecture

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 45e8b20cd0)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
e63669a811 initramfs-framework: Add dmverity module
Add 'initramfs-module-dmverity' as an extension to poky upstream
provided initramfs-framework suite via matchingly named bbappend file.

Together with pre-existing 'initramfs-module-udev' this module can be
used to facilitate dm-verity rootfs mounting from initramfs context
that is bundled with Linux kernel.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 489f7c900c)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
fa8c5e1d1a dm-verity-img.bbclass: Stage verity.env file
Introduce new STAGING_VERITY_DIR variable specific to this bbclass which
defines the directory where the verity.env file is stored during
<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> task and can
consecutively be picked up into associated initramfs rootfs (which
facilitates executing 'veritysetup' and related actions).

By doing this we mitigate failures that were thus far associated to this
facility, such as

  install: cannot stat '.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4.verity.env': No such file or directory

and

  install: cannot stat '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity.env': No such file or directory

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 170945ff9f)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
c8d3edb3c4 linux-yocto(-dev): Add dm-verity fragment as needed
Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 6f40921308)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
9e8522aeb5 dm-verity-image-initramfs: Bind at do_image instead
Bind custom actions in this image recipe in do_image() rather than
do_rootfs(), which can help shaving even dozens of seconds from duration
of 'bitbake <DM_VERITY_IMAGE>' command re-execution.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 03fdaf2f04)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
6b600629c6 dm-verity-image-initramfs: Ensure verity hash sync
In order to ensure that the bundled initramfs always contains the most
recently generated DM_VERITY_IMAGE specific root filesystems' root hash,
we disable the timestamp for do_rootfs() task here, meaning that the
task will be re-executed whenever some task that depends on it executes.

Without this change, executing e.g. the following sequence

  $ bitbake <DM_VERITY_IMAGE>
  $ bitbake -c clean <DM_VERITY_IMAGE>
  $ bitbake <DM_VERITY_IMAGE>

results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like

  Mounting /dev/vda over dm-verity as the root filesystem
  [    8.729974] device-mapper: verity: sha256 using implementation sha256-generic
  [    8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read
  Verity device detected corruption after activation.
  [    8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read
  ...
  [    9.135707] EXT4-fs (dm-0): unable to read superblock
  [    9.142897] EXT4-fs (dm-0): unable to read superblock
  [    9.145393] EXT4-fs (dm-0): unable to read superblock
  [    9.147905] FAT-fs (dm-0): unable to read boot sector
  mount: /new_root: can't read superblock on /dev/mapper/rootfs.
  BusyBox v1.32.0 () multi-call binary.

  Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS]
  [    9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
  [    9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1
  [    9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
  ...
  [    9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4cf81a5847)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
061308362f dm-verity-img.bbclass: Reorder parse-time check
Relocate checking if DM_VERITY_IMAGE and DM_VERITY_IMAGE_TYPE are
defined as non-empty strings before DM_VERITY_IMAGE vs. PN
comparison is performed. By doing so we start seeing following kind
of bitbake parse-time console warnings in case either DM_VERITY_IMAGE
or DM_VERITY_IMAGE_TYPE is not set, when 'dm-verity-img' is defined
in IMAGE_CLASSES:

  WARNING: .../meta/recipes-core/images/core-image-minimal.bb: dm-verity-img class inherited but not used
  WARNING: .../meta-openembedded/meta-oe/recipes-core/images/meta-oe-ptest-image.bb: dm-verity-img class inherited but not used

whereas before this change this warning was printed only once, when
image pointed by <DM_VERITY_IMAGE> was parsed (and recipe with that
name could be found in BBFILES mask scope), and DM_VERITY_IMAGE_TYPE
was not set.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit fd23d52565)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com
c85640cf54 dm-verity-img.bbclass: Fix bashisms
Resort to printf in order to avoid usage of non-POSIX compliant echo
flags. This mitigates following errors visible in console during
boot-up with image that has been built on a host that symlinks
'/bin/sh' to 'dash':

  /init: /usr/share/dm-verity.env: line 1: -NE_UUID: not found
  /init: /usr/share/dm-verity.env: line 2: -ne: not found
  /init: /usr/share/dm-verity.env: line 3: 642864e8-6a17-46b9-ba1e-9386a3909c8d: not found
  /init: /usr/share/dm-verity.env: line 4: -NE_HASH_TYPE: not found
  /init: /usr/share/dm-verity.env: line 5: -ne: not found
  /init: /usr/share/dm-verity.env: line 6: 1: not found
  /init: /usr/share/dm-verity.env: line 7: -NE_DATA_BLOCKS: not found
  /init: /usr/share/dm-verity.env: line 8: -ne: not found
  /init: /usr/share/dm-verity.env: line 9: 12064: not found
  /init: /usr/share/dm-verity.env: line 10: -NE_DATA_BLOCK_SIZE: not found
  /init: /usr/share/dm-verity.env: line 11: -ne: not found
  /init: /usr/share/dm-verity.env: line 12: 1024: not found
  /init: /usr/share/dm-verity.env: line 13: -NE_HASH_BLOCK_SIZE: not found
  /init: /usr/share/dm-verity.env: line 14: -ne: not found
  /init: /usr/share/dm-verity.env: line 15: 4096: not found
  /init: /usr/share/dm-verity.env: line 16: -NE_HASH_ALGORITHM: not found
  /init: /usr/share/dm-verity.env: line 17: -ne: not found
  /init: /usr/share/dm-verity.env: line 18: sha256: not found
  /init: /usr/share/dm-verity.env: line 19: -NE_SALT: not found
  /init: /usr/share/dm-verity.env: line 20: -ne: not found
  /init: /usr/share/dm-verity.env: line 21: 19d98185b42a897a37db6c56c7470ab2d455f0de46daa0df735eee6263816439: not found
  /init: /usr/share/dm-verity.env: line 22: -NE_ROOT_HASH: not found
  /init: /usr/share/dm-verity.env: line 23: -ne: not found
  /init: /usr/share/dm-verity.env: line 24: 298d75fc2ea27fe594b6a37158a6ae7538e77d918bab98c475934f625de0e4ab: not found

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit ad55aaca1b)
2020-10-16 07:15:34 -07:00
Jonatan Pålsson
369a7bd129 sssd: Make manpages buildable
Some XML related fixes are needed to make the sssd manpages buildable

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5efa53b2b2)
2020-10-16 07:14:24 -07:00
Kai Kang
9fdaf248f5 sssd: disable build secrets
It requires http_parser.h to build secrets:

| configure: error:
| You must have the header file http_parser.h installed to build sssd
| with secrets responder. If you want to build sssd without secret responder
| then specify --without-secrets when running configure.

The header file is from package http-parser[1] rather than apache2. But
there is no recipe http-parser in openembedded. So disable build secrets
for sssd and remove related systemd service and socket files.

Reference:
1. https://github.com/nodejs/http-parser

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 7831969f8c)
2020-10-16 07:14:05 -07:00
Armin Kuster
36d732f97c packagegroup-core-security: remove libseccomp for riscv*
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 29f47b4485)
2020-10-16 07:06:46 -07:00
Armin Kuster
bb321aa1d7 libseccomp: rv32/rv64 target builds are not supported yet
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b5a5cbe1f5)
2020-10-16 07:06:23 -07:00
Armin Kuster
a1d933f457 packagegroup-core-security: remove clamav for riscv*
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 98ff502d40)
2020-10-16 07:05:47 -07:00
Armin Kuster
3f6a0ff540 packagegroup-core-security-ptest: update fail2ban ptest pkg name
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a2a102b2de)
2020-10-16 06:46:49 -07:00
Armin Kuster
6d6f7151f2 gitlab-ci: add support for dunfell
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 09:20:11 -07:00