diff --git a/.gitmodules b/.gitmodules
index 6b44124..d7c1d2a 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -22,3 +22,7 @@ path = external-layers/meta-swupdate
 url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
 branch = kirkstone
+[submodule "external-layers/meta-security"]
+ path = external-layers/meta-security
+ url = ssh://git@bitbucket.gad.local:7999/ico/meta-security.git
+ branch = kirkstone
diff --git a/external-layers/meta-security b/external-layers/meta-security
new file mode 160000
index 0000000..cefe9ab
--- /dev/null
+++ b/external-layers/meta-security
@@ -0,0 +1 @@
+Subproject commit cefe9aba508c21012969fbaf525d2c0bf68620a6
diff --git a/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf b/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
index d5dc4b4..a375486 100644
--- a/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
+++ b/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
@@ -35,7 +35,7 @@ UBOOT_MACHINE = "am335x_evm_defconfig"
 UBOOT_ENTRYPOINT = "0x80008000"
 UBOOT_LOADADDRESS = "0x80008000"
-MACHINE_FEATURES = "usbgadget usbhost vfat alsa"
+MACHINE_FEATURES = "usbgadget usbhost vfat alsa dm-verity"
 # support runqemu
 EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"
diff --git a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
index d2aa1a4..7674324 100644
--- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
+++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
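Review bot: The new `[submodule "external-layers/meta-security"]` entry records only the internal host `bitbucket.gad.local` and the `kirkstone` branch; the pin is the gitlink `cefe9ab` in the sibling hunk, and nothing states which upstream meta-security revision that corresponds to. If this repository is a mirror of the public layer, record the upstream tag or commit it was taken from — in the commit message or as a git-config comment above the entry such as `# mirrors upstream meta-security <UPSTREAM_TAG_OR_COMMIT — TODO fill in>` — so the fork can be diffed against upstream when fixes land there.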
@@ -1,11 +1,14 @@
 # Variable used in WKS file
+# Info: WKS use gdisk HEX code to assign GPT GUID : https://askubuntu.com/questions/703443/gdisk-hex-codes
+# SFDISK just use the GPT GUID. This mean that 8300 in WKS is indeed 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+
 WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
 WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
 WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
-WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
-WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
+WKS_PART_ROOT_A ??= 'part / --source rawcopy --sourceparams="file=${IMGDEPLOYDIR}/${COREOS_ROOTFS_IMAGE_FILENAME}" --part-type=8300 --part-name rootfs0'
+WKS_PART_ROOT_B ??= 'part --part-type=8300 --part-name rootfs1'
 WKS_PART_ROOT_SIZE ??= '2G'
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch
new file mode 100644
index 0000000..9aa898c
--- /dev/null
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch
@@ -0,0 +1,118 @@ +From 203a61e84712777c6163055ab226ef9255e98463 Mon Sep 17 00:00:00 2001 +From: Peter Korsgaard +Date: Wed, 16 Nov 2022 07:16:56 +0100 +Subject: [PATCH] dm init: add dm-mod.waitfor to wait for asynchronously probed + block devices + +Just calling wait_for_device_probe() is not enough to ensure that +asynchronously probed block devices are available (E.G. mmc, usb), so +add a "dm-mod.waitfor=[,..,]" parameter to get +dm-init to explicitly wait for specific block devices before +initializing the tables with logic similar to the rootwait logic that +was introduced with commit cc1ed7542c8c ("init: wait for +asynchronously scanned block devices"). + +E.G. with dm-verity on mmc using: +dm-mod.waitfor="PARTLABEL=hash-a,PARTLABEL=root-a" + +[ 0.671671] device-mapper: init: waiting for all devices to be available before creating mapped devices +[ 0.671679] device-mapper: init: waiting for device PARTLABEL=hash-a ... +[ 0.710695] mmc0: new HS200 MMC card at address 0001 +[ 0.711158] mmcblk0: mmc0:0001 004GA0 3.69 GiB +[ 0.715954] mmcblk0boot0: mmc0:0001 004GA0 partition 1 2.00 MiB +[ 0.722085] mmcblk0boot1: mmc0:0001 004GA0 partition 2 2.00 MiB +[ 0.728093] mmcblk0rpmb: mmc0:0001 004GA0 partition 3 512 KiB, chardev (249:0) +[ 0.738274] mmcblk0: p1 p2 p3 p4 p5 p6 p7 +[ 0.751282] device-mapper: init: waiting for device PARTLABEL=root-a ... +[ 0.751306] device-mapper: init: all devices available +[ 0.751683] device-mapper: verity: sha256 using implementation "sha256-generic" +[ 0.759344] device-mapper: ioctl: dm-0 (vroot) is ready +[ 0.766540] VFS: Mounted root (squashfs filesystem) readonly on device 254:0. 
+ +Signed-off-by: Peter Korsgaard +Signed-off-by: Mike Snitzer +--- + .../admin-guide/device-mapper/dm-init.rst | 8 +++++++ + drivers/md/dm-init.c | 22 ++++++++++++++++++- + 2 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/Documentation/admin-guide/device-mapper/dm-init.rst b/Documentation/admin-guide/device-mapper/dm-init.rst +index e5242ff17e9b..981d6a907699 100644 +--- a/Documentation/admin-guide/device-mapper/dm-init.rst ++++ b/Documentation/admin-guide/device-mapper/dm-init.rst +@@ -123,3 +123,11 @@ Other examples (per target): + 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256 + fb1a5a0f00deb908d8b53cb270858975e76cf64105d412ce764225d53b8f3cfd + 51934789604d1b92399c52e7cb149d1b3a1b74bbbcb103b2a0aaacbed5c08584 ++ ++For setups using device-mapper on top of asynchronously probed block ++devices (MMC, USB, ..), it may be necessary to tell dm-init to ++explicitly wait for them to become available before setting up the ++device-mapper tables. This can be done with the "dm-mod.waitfor=" ++module parameter, which takes a list of devices to wait for:: ++ ++ dm-mod.waitfor=[,..,] +diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c +index b0c45c6ebe0b..dc4381d68313 100644 +--- a/drivers/md/dm-init.c ++++ b/drivers/md/dm-init.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -18,12 +19,17 @@ + #define DM_MAX_DEVICES 256 + #define DM_MAX_TARGETS 256 + #define DM_MAX_STR_SIZE 4096 ++#define DM_MAX_WAITFOR 256 + + static char *create; + ++static char *waitfor[DM_MAX_WAITFOR]; ++ + /* + * Format: dm-mod.create=,,,,[,
+][;,,,,
[,
+]+] + * Table format: ++ * Block devices to wait for to become available before setting up tables: ++ * dm-mod.waitfor=[,..,] + * + * See Documentation/admin-guide/device-mapper/dm-init.rst for dm-mod.create="..." format + * details. +@@ -266,7 +272,7 @@ static int __init dm_init_init(void) + struct dm_device *dev; + LIST_HEAD(devices); + char *str; +- int r; ++ int i, r; + + if (!create) + return 0; +@@ -286,6 +292,17 @@ static int __init dm_init_init(void) + DMINFO("waiting for all devices to be available before creating mapped devices"); + wait_for_device_probe(); + ++ for (i = 0; i < ARRAY_SIZE(waitfor); i++) { ++ if (waitfor[i]) { ++ DMINFO("waiting for device %s ...", waitfor[i]); ++ while (!dm_get_dev_t(waitfor[i])) ++ msleep(5); ++ } ++ } ++ ++ if (waitfor[0]) ++ DMINFO("all devices available"); ++ + list_for_each_entry(dev, &devices, list) { + if (dm_early_create(&dev->dmi, dev->table, + dev->target_args_array)) +@@ -301,3 +318,6 @@ late_initcall(dm_init_init); + + module_param(create, charp, 0); + MODULE_PARM_DESC(create, "Create a mapped device in early boot"); ++ ++module_param_array(waitfor, charp, NULL, 0); ++MODULE_PARM_DESC(waitfor, "Devices to wait for before setting up tables"); diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/dm-init.cfg b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/dm-init.cfg new file mode 100644 index 0000000..e8ce416 --- /dev/null +++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/dm-init.cfg @@ -0,0 +1 @@ +CONFIG_DM_INIT=y diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/erofs.cfg b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/erofs.cfg new file mode 100644 index 0000000..62c2d36 --- /dev/null +++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/erofs.cfg 
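Review bot: The patch header as rendered carries `From`, `Date`, `Subject`, the description and the two `Signed-off-by` trailers, but no `Upstream-Status:` line, which the Yocto patch conventions expect on every patch a layer carries. The id in the first `From` line (presumably the upstream commit) is all that is needed: add `Upstream-Status: Backport [203a61e84712777c6163055ab226ef9255e98463]` plus a `Signed-off-by:` for whoever is carrying the backport, above the body. The `dm-mod.create=` format comment and the `waitfor` parameter description appear garbled in this rendering, so I can't judge that part of the text here.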
@@ -0,0 +1,8 @@
+CONFIG_EROFS_FS=y
+# CONFIG_EROFS_FS_DEBUG is not set
+CONFIG_EROFS_FS_XATTR=y
+CONFIG_EROFS_FS_POSIX_ACL=y
+CONFIG_EROFS_FS_SECURITY=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+CONFIG_EROFS_FS_ZIP=y
diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-dm-verity.inc b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-dm-verity.inc
new file mode 100644
index 0000000..56e22e3
--- /dev/null
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-dm-verity.inc
@@ -0,0 +1,10 @@
+# Backport support for dm-mod.waitfor from Kernel 6.2
+SRC_URI += "file://0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch"
+
+# Enable erofs support as this is the default FS in CoreOS if dm-verity is enabled
+SRC_URI += "file://erofs.cfg"
+
+# Ensure dm-verity is enabled
+KERNEL_FEATURES:append = " features/device-mapper/dm-verity.scc"
+# Ensure that dm-verity can be enabled at boot time without an initramfs
+SRC_URI += "file://dm-init.cfg"
diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
index 686d3c6..b4767c7 100644
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
@@ -1,7 +1,10 @@
+# EFI Support
+# ==============================================================================
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
+
 # Ensure EFI STUB is enabled
 KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos.inc b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos.inc
new file mode 100644
index 0000000..4d7786a
--- /dev/null
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos.inc
@@ -0,0 +1,6 @@
+# Ensure that file are found event when this file is included in another layer
+# ==============================================================================
+FILESEXTRAPATHS:prepend := "${THISDIR}/kernel:"
+
+require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}
+require ${@bb.utils.contains('MACHINE_FEATURES', 'dm-verity', 'linux-yocto-coreos-dm-verity.inc', '', d)}
diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
index 913e80a..642ea9a 100644
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
@@ -10,4 +10,4 @@ SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
-require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}
+require linux-yocto-coreos.inc
diff --git a/layers/meta-belden-coreos/classes/coreos-image-dm-verity.bbclass b/layers/meta-belden-coreos/classes/coreos-image-dm-verity.bbclass
new file mode 100644
index 0000000..8487dd4
--- /dev/null
+++ b/layers/meta-belden-coreos/classes/coreos-image-dm-verity.bbclass
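Review bot: The header comment of linux-yocto-coreos.inc reads `# Ensure that file are found event when this file is included in another layer`; it should read `# Ensure that files are found even when this file is required from another layer`, the point being that `FILESEXTRAPATHS:prepend` anchors the `file://` lookups to this layer's `kernel/` directory rather than to the requiring recipe's. The two `require` lines also mix double quotes and single quotes inside `bb.utils.contains(...)`; pick one style for both.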
@@ -0,0 +1,30 @@
+# Glue code to use the dm-verity-img class from meta-security with a CoreOS
+rootfs image
+
+
+# Settings for the image class
+# ==============================================================================
+
+# Use the dm-verity-img.bbclass
+IMAGE_CLASSES += "dm-verity-img"
+
+# Settings for the dm-verity-img class
+# ==============================================================================
+
+# Let's place the .env file in the DEPLOY_DIR, this will be reused by
+coreos-image-uki to generate the kernel command line
+STAGING_VERITY_DIR ?= "${DEPLOY_DIR_IMAGE}"
+
+DM_VERITY_IMAGE ?= "${PN}"
+
+# We use erofs as this FS offer at the moment the best performance for a read
+# only file system.
+DM_VERITY_IMAGE_TYPE ?= "erofs"
+
+
+# Settings for coreos-image related classes
+# ==============================================================================
+
+COREOS_ROOTFS_IMAGE_FSTYPE ??= "${DM_VERITY_IMAGE_TYPE}.verity"
+
+
diff --git a/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass b/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
index 11dd9c6..f14c2e4 100644
--- a/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
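Review bot: `COREOS_ROOTFS_IMAGE_FSTYPE ??= "${DM_VERITY_IMAGE_TYPE}.verity"` only wins because this class is inherited after coreos-image.bbclass has already parsed its own `COREOS_ROOTFS_IMAGE_FSTYPE ??= "ext4"` — with two weak defaults the last one parsed takes effect, so the result depends on inherit order. Writing `COREOS_ROOTFS_IMAGE_FSTYPE ?= "${DM_VERITY_IMAGE_TYPE}.verity"` here states the intent directly, still lets the installer's plain `=` override it, and survives a reordering of the settings in coreos-image.bbclass. Separately, the comment continuations `rootfs image` and `coreos-image-uki to generate the kernel command line` show no leading `#` in this rendering; if that is the actual file content BitBake rejects the class with an unparsed-line error, so please confirm it is a display artifact.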
@@ -7,16 +7,17 @@ # Swupdate image generation
 # ==============================================================================
-IMAGE_FSTYPES:append = " ext4.zst"
+
 python () {
- image = d.getVar('IMAGE_BASENAME')
- d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", image, ".ext4.zst")
+ image = d.getVar('COREOS_ROOTFS_IMAGE_NAME')
+ image_ext = d.getVar('COREOS_ROOTFS_IMAGE_EXT')
+ d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", image, image_ext)
 }
 inherit swupdate-image
 # Ensure than variable used in the sw-description files are watched for change
-do_swuimage[vardeps] += "COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
+do_swuimage[vardeps] += "COREOS_ROOTFS_IMAGE_FILENAME COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
 do_swuimage[deptask] += "do_bundle_uki"
 COREOS_EFIBOOTGUARD_NAME ?= "efibootguard${EFI_ARCH}"
diff --git a/layers/meta-belden-coreos/classes/coreos-image-uki.bbclass b/layers/meta-belden-coreos/classes/coreos-image-uki.bbclass
index 4867fd2..1e39ba7 100644
--- a/layers/meta-belden-coreos/classes/coreos-image-uki.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-uki.bbclass
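Review bot: The `SWUPDATE_IMAGES_FSTYPES` flag is now keyed on `COREOS_ROOTFS_IMAGE_NAME`, which coreos-image.bbclass defaults to `${IMAGE_BASENAME}-${MACHINE}`, whereas the removed code keyed it on `IMAGE_BASENAME`. If I read meta-swupdate correctly it looks the flag up by the entries of `SWUPDATE_IMAGES` and, unless `SWUPDATE_IMAGES_NOAPPEND_MACHINE` is set for the entry, appends `-${MACHINE}` itself; neither variable appears in this diff, so please confirm they were adjusted, otherwise the lookup misses the flag or doubles the machine suffix in the expected filename. A one-line comment above `image = d.getVar('COREOS_ROOTFS_IMAGE_NAME')` naming the `SWUPDATE_IMAGES` entry this flag must match would make the coupling explicit.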
@@ -31,6 +31,34 @@ COREOS_UKI_PART_INITRAMFS ??= "" # UKI Generation # ============================================================================== +coreos_dm_verify_cmdline() { + # In all command that use bc to do some math, we use cut to remove the decimal as + # we need integer and bc automatically add .00000000 + + . "${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.${DM_VERITY_IMAGE_TYPE}.verity.env" + DISK_SECTOR_SIZE=512 + + # We need the number of sector used in the block device + # The image size is already a multiple of 512bytes, so we don't need to round it + IMAGE_FILE=$(realpath "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity") + IMAGE_SIZE=$(stat --printf="%s" "${IMAGE_FILE}") + DISK_SECTORS=$(echo "${IMAGE_SIZE}/${DISK_SECTOR_SIZE}" | bc -l | cut -d '.' -f 1 ) + DATA_SECTORS=$(echo "${DATA_SIZE}/${DISK_SECTOR_SIZE}" | bc -l | cut -d '.' -f 1 ) + + # offset, in HASH_BLOCK_SIZE blocks, from the start of hash_device to the root block of the hash tree + # We use a single partition, so the hash is just after the data. DATA_SIZE is in bytes + HASH_OFFSET=$(echo "(${DATA_BLOCKS}*${DATA_BLOCK_SIZE}/${HASH_BLOCK_SIZE})+1" | bc -l | cut -d '.' -f 1 ) + + # MAPPING_TABLE Format https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMVerity + # 0 417792 verity 1 /dev/sdb /dev/sdc 4096 4096 52224 1 sha256 2aa4f7b7b6...f4952060e8 762307f4bc8...d2a6b7595d8.. + # | | | | | | | | | | | | | + # start| | | data_dev | data_block | #blocks | hash_alg root_digest salt + # size | version hash_dev | hash_offset + # target hash_block + MAPPING_TABLE="0 ${DATA_SECTORS} verity ${HASH_TYPE} $1 $1 ${DATA_BLOCK_SIZE} ${HASH_BLOCK_SIZE} ${DATA_BLOCKS} ${HASH_OFFSET} ${HASH_ALGORITHM} ${ROOT_HASH} ${SALT}" + echo "dm-mod.create=\"verity,,,ro,${MAPPING_TABLE} 2 ignore_zero_blocks panic_on_corruption\" dm-mod.waitfor=${1} root=/dev/dm-0 ${APPEND} rootwait" +} + do_image_uki() { deployDir="${DEPLOY_DIR_IMAGE}" 
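Review bot: `IMAGE_FILE`, `IMAGE_SIZE` and `DISK_SECTORS` in `coreos_dm_verify_cmdline` are computed but never used — the mapping table takes `DATA_SECTORS`, which is derived from `DATA_SIZE` out of the sourced `.env`; either drop those three lines (and the `realpath`/`stat` against `${IMGDEPLOYDIR}`) or use `DISK_SECTORS` as a sanity check that the data blocks plus hash tree fit in the image before the command line is emitted. The function also hard-codes `${DEPLOY_DIR_IMAGE}/…verity.env` while coreos-image-dm-verity.bbclass sets `STAGING_VERITY_DIR ?= "${DEPLOY_DIR_IMAGE}"`; sourcing `"${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.${DM_VERITY_IMAGE_TYPE}.verity.env"` keeps the two classes in step when that variable is overridden. The name reads `verify` where the rest of the change says `verity`, and a header comment listing the inputs — `ROOT_HASH`, `SALT`, `DATA_BLOCKS`, `DATA_BLOCK_SIZE`, `HASH_BLOCK_SIZE`, `HASH_TYPE`, `HASH_ALGORITHM`, `DATA_SIZE` from the `.env`, and `$1` as the device spec used for both data and hash device — would spare the next reader the reconstruction.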
@@ -43,9 +71,17 @@ do_image_uki() { DTB_PARAMS="${DTB_PARAMS} --dtb=${deployDir}/${dtb}" done + + # Support for coreos-image-dm-verity + if [ "${COREOS_IMAGE_GENERATE_DM_VERITY}" -eq "1" ]; then + CMDLINE=$(coreos_dm_verify_cmdline "${COREOS_ROOTFS_ROOT}") + else + CMDLINE="${COREOS_KERNEL_CMDLINE}" + fi + echo "kernel: ${COREOS_UKI_PART_KERNEL_FILENAME}" echo "dtb: ${DTB_PARAMS}" - echo "cmdline: ${COREOS_KERNEL_CMDLINE}" + echo "cmdline: ${CMDLINE}" echo "initramfs: ${COREOS_UKI_PART_INITRAMFS}" if [ ! -z "${COREOS_UKI_PART_INITRAMFS}" ]; then @@ -58,13 +94,13 @@ do_image_uki() { "${COREOS_UKI_PART_STUB}" \ "${COREOS_UKI_PART_KERNEL}" \ "${COREOS_KERNEL}" \ - --cmdline "${COREOS_KERNEL_CMDLINE}" \ + --cmdline "${CMDLINE}" \ ${DTB_PARAMS} coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL_FILENAME}" } -do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot" +do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot bc-native:do_populate_sysroot" addtask image_uki after do_image before do_image_complete 
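Review bot: `if [ "${COREOS_IMAGE_GENERATE_DM_VERITY}" -eq "1" ]` in do_image_uki is an integer comparison, so an empty or non-numeric value makes `test` fail with "integer expression expected" and, under BitBake's `set -e` shell tasks, aborts the task instead of falling back to `COREOS_KERNEL_CMDLINE`. The rest of this change compares the variable as a string (`== '1'` in the Python expression that inherits coreos-image-dm-verity), so `if [ "${COREOS_IMAGE_GENERATE_DM_VERITY}" = "1" ]; then` is both the safer test and the consistent one. do_image_uki begins before this hunk.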
@@ -75,5 +111,13 @@ do_image_wic[recrdeptask] += "do_image_uki" # UKI image is normally embedded into a SWU image do_image_swu[recrdeptask] += "${@'do_image_uki' if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1' else ''}" -# UKI image may embedded the rootfs as a cpio archive, in this case do_image_uki should run after do_image_cpio -do_image_uki[recrdeptask] += "${@'do_image_cpio' if d.getVar('COREOS_UKI_PART_INITRAMFS') else ''}" +# UKI image may embedded the rootfs as initrd or use the rootfs signature as part of the command line +# thus it should run after the do_image_${FSTYPE} task +python __anonymous() { + image_fstypes = d.getVar('IMAGE_FSTYPES') + rootfs_fstype = d.getVar('COREOS_ROOTFS_IMAGE_FSTYPE') + pn = d.getVar('PN') + + dep = f' {pn}:do_image_{rootfs_fstype.split(".")[0].replace("-", "_")}' + d.appendVarFlag('do_image_uki', 'depends', dep) +} diff --git a/layers/meta-belden-coreos/classes/coreos-image.bbclass b/layers/meta-belden-coreos/classes/coreos-image.bbclass index f2e7f59..7ad8849 100644 --- a/layers/meta-belden-coreos/classes/coreos-image.bbclass +++ b/layers/meta-belden-coreos/classes/coreos-image.bbclass 
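Review bot: In the new `python __anonymous()` block, `image_fstypes` is read but never used — the twin block in coreos-image.bbclass needs it for its `'wic'` guard, this one does not — and the derivation `f' {pn}:do_image_{rootfs_fstype.split(".")[0].replace("-", "_")}'` is now duplicated verbatim between the two classes. Drop the unused `image_fstypes = d.getVar('IMAGE_FSTYPES')` line here, and consider computing the producing task once (for example in a shared variable along the lines of `COREOS_ROOTFS_IMAGE_TASK`, name to be chosen) that both the `do_image_wic` and `do_image_uki` dependency hooks consume. A comment such as `# .verity appears to be a conversion type, so the producing task is do_image_<base fstype>; the suffix is cut off on purpose` would explain the `split(".")[0]`, which otherwise reads like an accident.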
@@ -78,15 +78,47 @@ IMAGE_INSTALL ?= "${COREOS_IMAGE_BASE_INSTALL} ${COREOS_IMAGE_EXTRA_INSTALL}" # before ihneriting the image class, as we don't need to install custom locales IMAGE_LINGUAS ?= " " +# Rootfs Settings +# ============================================================================== + +# Variable for the rootfs +# This can be overriden using ??= in other coreos-image-* classes + +COREOS_ROOTFS_IMAGE_NAME ??= "${IMAGE_BASENAME}-${MACHINE}" +COREOS_ROOTFS_IMAGE_FSTYPE ??= "ext4" +COREOS_ROOTFS_IMAGE_EXT ??= ".${COREOS_ROOTFS_IMAGE_FSTYPE}" +COREOS_ROOTFS_IMAGE_FILENAME ??= "${COREOS_ROOTFS_IMAGE_NAME}${COREOS_ROOTFS_IMAGE_EXT}" + +IMAGE_FSTYPES:append = " ${COREOS_ROOTFS_IMAGE_FSTYPE}" + +# We use the generic python in keyword instead of bb.contains so that erofs or erofs-lz4 or any +# other erofs settings is detected. Erofs is a read only filesystem by design +IMAGE_FEATURES:append = " ${@'read-only-rootfs' if 'erofs' in d.getVar('COREOS_ROOTFS_IMAGE_EXT') else ''}" + +# We use the wic rawcopy plugin instead of roots, as we want to rootfs image to +# be copied as is, so we need to inform bitbake that the wic image depends +# on the erofs image +python __anonymous() { + image_fstypes = d.getVar('IMAGE_FSTYPES') + rootfs_fstype = d.getVar('COREOS_ROOTFS_IMAGE_FSTYPE') + pn = d.getVar('PN') + + if 'wic' in image_fstypes: + dep = f' {pn}:do_image_{rootfs_fstype.split(".")[0].replace("-", "_")}' + d.appendVarFlag('do_image_wic', 'depends', dep) +} + +# Optional coreos-image features that need to be ihnerited before image.bbclass +# ============================================================================== + +# dm-verity is for now conditionnally enabled using a MACHINE_FEATURES as not all +# MACHINE support it yet +COREOS_IMAGE_GENERATE_DM_VERITY ?= "${@bb.utils.contains('MACHINE_FEATURES', 'dm-verity', '1', '0', d)}" +inherit ${@'coreos-image-dm-verity' if d.getVar('COREOS_IMAGE_GENERATE_DM_VERITY') == '1' else ''} + inherit image -# Enable some 
feature by default -IMAGE_FEATURES:append = " ${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', ' read-only-rootfs', d)}" - -# Add some extra space, as done in core-image-minimal -IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' + 4096', '', d)}" - -# Unified kernel image and swupdate support +# Optional coreos-image features that need to be ihnerited after image.bbclass # ============================================================================== # Support for Unified Kernel Image and Swupdate are optional diff --git a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc index 1d6ca82..2646519 100644 --- a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc +++ b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc @@ -16,7 +16,7 @@ INIT_MANAGER = "systemd" VIRTUAL-RUNTIME_syslog = "" VIRTUAL-RUNTIME_base-utils-syslog = "" -DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam" +DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam security" # CoreOS wasn't compatible with older Yocto version, so we should not have any # features backfilled. Value are from DISTRO_FEATURES_BACKFILL diff --git a/layers/meta-belden-coreos/files/sw-description b/layers/meta-belden-coreos/files/sw-description index cbe8f14..478fc1e 100644 --- a/layers/meta-belden-coreos/files/sw-description +++ b/layers/meta-belden-coreos/files/sw-description 
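Review bot: The new side adds `read-only-rootfs` to `IMAGE_FEATURES` only when `COREOS_ROOTFS_IMAGE_EXT` contains `erofs`, while the removed line added it for every image unless `debug-tweaks` was in `EXTRA_IMAGE_FEATURES`; a machine without the `dm-verity` feature therefore now gets an ext4 rootfs that is writable where it was read-only before, a hardening regression nothing in this diff calls out. If that is intended, state it in the comment above `IMAGE_FEATURES:append`; otherwise keep the previous `bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', ' read-only-rootfs', d)` term alongside the erofs one. The `IMAGE_ROOTFS_EXTRA_SPACE` append for systemd is likewise dropped without a replacement, and the new comments carry the typos `ihneriting`/`ihnerited`, `overriden` and `conditionnally`.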
@@ -7,14 +7,13 @@ software = copy0 = { images: ( { - filename = "@@PN@@-@@MACHINE@@.ext4.zst"; - compressed = "zstd"; + filename = "@@COREOS_ROOTFS_IMAGE_FILENAME@@"; installed-directly = true; # partlabel are stored inside the GPT partition table. # The partition table is flashed only once and never updated device = "/dev/disk/by-partlabel/rootfs0"; type = "raw"; - sha256 = "$swupdate_get_sha256(@@PN@@-@@MACHINE@@.ext4.zst)"; + sha256 = "$swupdate_get_sha256(@@COREOS_ROOTFS_IMAGE_FILENAME@@)"; } # Don't remove the trailing whitspace on the next line otherwise # it will not work due to a regex bug in meta-swupdate @@ -64,14 +63,13 @@ software = copy1 = { images: ( { - filename = "@@PN@@-@@MACHINE@@.ext4.zst"; - compressed = "zstd"; + filename = "@@COREOS_ROOTFS_IMAGE_FILENAME@@"; installed-directly = true; # partlabel are stored inside the GPT partition table. # The partition table is flashed only once and never updated device = "/dev/disk/by-partlabel/rootfs1"; type = "raw"; - sha256 = "$swupdate_get_sha256(@@PN@@-@@MACHINE@@.ext4.zst)"; + sha256 = "$swupdate_get_sha256(@@COREOS_ROOTFS_IMAGE_FILENAME@@)"; } # Don't remove the trailing whitspace on the next line otherwise # it will not work due to a regex bug in meta-swupdate diff --git a/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb b/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb index 9db6cc3..53d333f 100644 --- a/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb +++ b/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb @@ -1,7 +1,5 @@ DESCRIPTION = "Initramfs image with the CoreOS emmc installer" - - # Don't reboot the device at reboot and don't do A/B switching BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config" 
@@ -11,7 +9,11 @@ IMAGE_LINGUAS = "" LICENSE = "MIT" -IMAGE_FSTYPES = "cpio.gz" +# Remove default FSTYPES from MACHINE or DISTRO configuration. Note that +# coreos-image-* classes used some :append so the resulting variable will +# contains at least COREOS_ROOTFS_IMAGE_FSTYPE +IMAGE_FSTYPES = "" +COREOS_ROOTFS_IMAGE_FSTYPE = "cpio.gz" # Support for generating a SDCard installer is optional COREOS_INSTALLER_WKS_FILE ??= "" @@ -21,6 +23,10 @@ IMAGE_BOOT_FILES = "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}" COREOS_IMAGE_GENERATE_UKI = "1" +# We don't need dm-verity support for the installer as we bundle the rootfs in +# the UKI, thus the rootfs is part of a signed image +COREOS_IMAGE_GENERATE_DM_VERITY = "0" + # Avoid dependancy loop, we are already in an installer image, so we don't need # to bundle another one COREOS_IMAGE_GENERATE_INSTALLER = "0" diff --git a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb index 246922a..3339c5e 100644 --- a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb +++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb @@ -31,4 +31,4 @@ do_configure:append(){ fi } -require recipes-kernel/linux/linux-yocto-coreos-efi.inc +require recipes-kernel/linux/linux-yocto-coreos.inc diff --git a/templates/bblayers.conf.sample b/templates/bblayers.conf.sample index 3f03f07..a5fff6b 100644 --- a/templates/bblayers.conf.sample +++ b/templates/bblayers.conf.sample 
@@ -16,6 +16,8 @@ BBLAYERS ?= " \
 ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-filesystems \
 ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-python \
 ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-webserver \
+ ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-perl \
+ ##COREOS_EXTLAYERSDIR##/meta-security \
 ##COREOS_EXTLAYERSDIR##/meta-virtualization \
 ##COREOS_EXTLAYERSDIR##/meta-efibootguard \
 ##COREOS_EXTLAYERSDIR##/meta-swupdate \