LM
/
coreos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: LM:HEAD
Branches Tags
LM:HEAD
LM:feat/signed-firmware/multicert
LM:chore/meta-belden-marvell-octeon-tx2-bsp
LM:kirkstone
LM:kirkstone-next
LM:feat/eagle40-03/add-partition
LM:master
LM:chore/staging-bsp
LM:feat/nitroc
LM:update_subomdules_2024-03-07_15-15
LM:update_subomdules_2024-03-07_15-14
LM:gemini-improvements
LM:add_commit_status
LM:enable_watchdog
LM:kirkstone_kas
LM:update_subomdules_2023-12-12_18-09
LM:feat/netmodule-gemini-bsp
LM:add_uefi_qemu_and_meta_arm
LM:feat/oe-master
LM:kirkstone-tmp
LM:kirkstone-next-tmp
LM:bugfix/core-os-container-package
LM:feat/signed-swu
LM:feat/ms-hyperv
LM:add_eagle40_03_board
LM:add_variable_for_kernel_in_wks_file
LM:hackathon/codebusters/devtool-ide
LM:feature/k3s
LM:docs/secure-boot
LM:feat/bats
LM:feat/verity
LM:feat/distro-rework
LM:synchonize_kirkstone_with_master
LM:update_to
LM:fix/generate-keys
LM:fix_populate_sdk_build
LM:update_subomdules_2023-07-26_10-23
LM:test/verification_build_server
LM:feat/netmodule-bsp
LM:update_subomdules_2023-06-23_09-58
LM:update_subomdules_2023-06-23_09-56
LM:feature/cve_check
LM:update_subomdules_2023-06-23_06-09
LM:doc/quickBuildUpdate
LM:update_subomdules_2023-06-19_10-28
LM:feature/cn913x_kernel_tune
LM:feature/cn913x_defconfig_clean_ath11_enable
LM:hotfix/phy_issue
LM:feat/coreos-swupdate-helper
LM:update_subomdules_2023-05-10_10-13
LM:fix/broken-keyhash
LM:feat/openssh
LM:feat/add_support_script
LM:feat/add_ramoops
LM:feat/use_multiconfig_for_building_container
LM:cmakedemo_docs_warning
LM:demoimage_recipe_add_cmakedemo
LM:doc_demo_cmake
LM:adding_swupdate
LM:docs/docker-and-update
LM:feat/container-bundle
LM:hotfix/update_uboot_config
LM:feat/update-layers-scripts
LM:feat/oci-image
LM:feat/use_new_kernel_concept
LM:feat/beaglebone
LM:feat/sanity-checks
LM:feat/add-distro-setup
LM:coreos-1.0.0-rc.1
...
pull from: LM:feat/verity
Branches Tags
LM:feat/signed-firmware/multicert
LM:chore/meta-belden-marvell-octeon-tx2-bsp
LM:kirkstone
LM:kirkstone-next
LM:feat/eagle40-03/add-partition
LM:HEAD
LM:master
LM:chore/staging-bsp
LM:feat/nitroc
LM:update_subomdules_2024-03-07_15-15
LM:update_subomdules_2024-03-07_15-14
LM:gemini-improvements
LM:add_commit_status
LM:enable_watchdog
LM:kirkstone_kas
LM:update_subomdules_2023-12-12_18-09
LM:feat/netmodule-gemini-bsp
LM:add_uefi_qemu_and_meta_arm
LM:feat/oe-master
LM:kirkstone-tmp
LM:kirkstone-next-tmp
LM:bugfix/core-os-container-package
LM:feat/signed-swu
LM:feat/ms-hyperv
LM:add_eagle40_03_board
LM:add_variable_for_kernel_in_wks_file
LM:hackathon/codebusters/devtool-ide
LM:feature/k3s
LM:docs/secure-boot
LM:feat/bats
LM:feat/verity
LM:feat/distro-rework
LM:synchonize_kirkstone_with_master
LM:update_to
LM:fix/generate-keys
LM:fix_populate_sdk_build
LM:update_subomdules_2023-07-26_10-23
LM:test/verification_build_server
LM:feat/netmodule-bsp
LM:update_subomdules_2023-06-23_09-58
LM:update_subomdules_2023-06-23_09-56
LM:feature/cve_check
LM:update_subomdules_2023-06-23_06-09
LM:doc/quickBuildUpdate
LM:update_subomdules_2023-06-19_10-28
LM:feature/cn913x_kernel_tune
LM:feature/cn913x_defconfig_clean_ath11_enable
LM:hotfix/phy_issue
LM:feat/coreos-swupdate-helper
LM:update_subomdules_2023-05-10_10-13
LM:fix/broken-keyhash
LM:feat/openssh
LM:feat/add_support_script
LM:feat/add_ramoops
LM:feat/use_multiconfig_for_building_container
LM:cmakedemo_docs_warning
LM:demoimage_recipe_add_cmakedemo
LM:doc_demo_cmake
LM:adding_swupdate
LM:docs/docker-and-update
LM:feat/container-bundle
LM:hotfix/update_uboot_config
LM:feat/update-layers-scripts
LM:feat/oci-image
LM:feat/use_new_kernel_concept
LM:feat/beaglebone
LM:feat/sanity-checks
LM:feat/add-distro-setup
LM:coreos-1.0.0-rc.1

1 Commits
HEAD ... feat/verit

Author SHA1 Message Date
Samuel Dolt 495f7ffe84 feat(coreos-image): add support for dm-verity 
Machine that add dm-verity into MACHINE_FEATURES now get a
read only rootfs that is verified using dm-verity. In this
case the rootfs is formatted with erofs

BREAKING CHANGE: The beaglebone machine now use dm-verity and read
only rootfs by default
 2023-08-14 11:03:30 +02:00
20 changed files with 298 additions and 31 deletions
Show Stats Expand all files Collapse all files

4
.gitmodules vendored
View File

@ -22,3 +22,7 @@
path = external-layers/meta-swupdate path = external-layers/meta-swupdate
url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
branch = kirkstone branch = kirkstone
[submodule "external-layers/meta-security"]
path = external-layers/meta-security
url = ssh://git@bitbucket.gad.local:7999/ico/meta-security.git
branch = kirkstone

1
external-layers/meta-security Submodule

@ -0,0 +1 @@
Subproject commit cefe9aba508c21012969fbaf525d2c0bf68620a6

2
layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
View File

@ -35,7 +35,7 @@ UBOOT_MACHINE = "am335x_evm_defconfig"
UBOOT_ENTRYPOINT = "0x80008000" UBOOT_ENTRYPOINT = "0x80008000"
UBOOT_LOADADDRESS = "0x80008000" UBOOT_LOADADDRESS = "0x80008000"
MACHINE_FEATURES = "usbgadget usbhost vfat alsa" MACHINE_FEATURES = "usbgadget usbhost vfat alsa dm-verity"
# support runqemu # support runqemu
EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native" EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"

7
layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
View File

@ -1,11 +1,14 @@
# Variable used in WKS file # Variable used in WKS file
# Info: WKS use gdisk HEX code to assign GPT GUID : https://askubuntu.com/questions/703443/gdisk-hex-codes
# SFDISK just use the GPT GUID. This mean that 8300 in WKS is indeed 0FC63DAF-8483-4772-8E79-3D69D8477DE4
WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00' WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"' WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"' WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0' WKS_PART_ROOT_A ??= 'part / --source rawcopy --sourceparams="file=${IMGDEPLOYDIR}/${COREOS_ROOTFS_IMAGE_FILENAME}" --part-type=8300 --part-name rootfs0'
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1' WKS_PART_ROOT_B ??= 'part --part-type=8300 --part-name rootfs1'
WKS_PART_ROOT_SIZE ??= '2G' WKS_PART_ROOT_SIZE ??= '2G'
SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"' SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'

118
layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch Normal file
View File

@ -0,0 +1,118 @@
From 203a61e84712777c6163055ab226ef9255e98463 Mon Sep 17 00:00:00 2001
From: Peter Korsgaard <peter@korsgaard.com>
Date: Wed, 16 Nov 2022 07:16:56 +0100
Subject: [PATCH] dm init: add dm-mod.waitfor to wait for asynchronously probed
block devices
Just calling wait_for_device_probe() is not enough to ensure that
asynchronously probed block devices are available (E.G. mmc, usb), so
add a "dm-mod.waitfor=<device1>[,..,<deviceN>]" parameter to get
dm-init to explicitly wait for specific block devices before
initializing the tables with logic similar to the rootwait logic that
was introduced with commit cc1ed7542c8c ("init: wait for
asynchronously scanned block devices").
E.G. with dm-verity on mmc using:
dm-mod.waitfor="PARTLABEL=hash-a,PARTLABEL=root-a"
[ 0.671671] device-mapper: init: waiting for all devices to be available before creating mapped devices
[ 0.671679] device-mapper: init: waiting for device PARTLABEL=hash-a ...
[ 0.710695] mmc0: new HS200 MMC card at address 0001
[ 0.711158] mmcblk0: mmc0:0001 004GA0 3.69 GiB
[ 0.715954] mmcblk0boot0: mmc0:0001 004GA0 partition 1 2.00 MiB
[ 0.722085] mmcblk0boot1: mmc0:0001 004GA0 partition 2 2.00 MiB
[ 0.728093] mmcblk0rpmb: mmc0:0001 004GA0 partition 3 512 KiB, chardev (249:0)
[ 0.738274] mmcblk0: p1 p2 p3 p4 p5 p6 p7
[ 0.751282] device-mapper: init: waiting for device PARTLABEL=root-a ...
[ 0.751306] device-mapper: init: all devices available
[ 0.751683] device-mapper: verity: sha256 using implementation "sha256-generic"
[ 0.759344] device-mapper: ioctl: dm-0 (vroot) is ready
[ 0.766540] VFS: Mounted root (squashfs filesystem) readonly on device 254:0.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
---
.../admin-guide/device-mapper/dm-init.rst | 8 +++++++
drivers/md/dm-init.c | 22 ++++++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/device-mapper/dm-init.rst b/Documentation/admin-guide/device-mapper/dm-init.rst
index e5242ff17e9b..981d6a907699 100644
--- a/Documentation/admin-guide/device-mapper/dm-init.rst
+++ b/Documentation/admin-guide/device-mapper/dm-init.rst
@@ -123,3 +123,11 @@ Other examples (per target):
0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
fb1a5a0f00deb908d8b53cb270858975e76cf64105d412ce764225d53b8f3cfd
51934789604d1b92399c52e7cb149d1b3a1b74bbbcb103b2a0aaacbed5c08584
+
+For setups using device-mapper on top of asynchronously probed block
+devices (MMC, USB, ..), it may be necessary to tell dm-init to
+explicitly wait for them to become available before setting up the
+device-mapper tables. This can be done with the "dm-mod.waitfor="
+module parameter, which takes a list of devices to wait for::
+
+ dm-mod.waitfor=<device1>[,..,<deviceN>]
diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c
index b0c45c6ebe0b..dc4381d68313 100644
--- a/drivers/md/dm-init.c
+++ b/drivers/md/dm-init.c
@@ -8,6 +8,7 @@
*/
#include <linux/ctype.h>
+#include <linux/delay.h>
#include <linux/device.h>
#include <linux/device-mapper.h>
#include <linux/init.h>
@@ -18,12 +19,17 @@
#define DM_MAX_DEVICES 256
#define DM_MAX_TARGETS 256
#define DM_MAX_STR_SIZE 4096
+#define DM_MAX_WAITFOR 256
static char *create;
+static char *waitfor[DM_MAX_WAITFOR];
+
/*
* Format: dm-mod.create=<name>,<uuid>,<minor>,<flags>,<table>[,<table>+][;<name>,<uuid>,<minor>,<flags>,<table>[,<table>+]+]
* Table format: <start_sector> <num_sectors> <target_type> <target_args>
+ * Block devices to wait for to become available before setting up tables:
+ * dm-mod.waitfor=<device1>[,..,<deviceN>]
*
* See Documentation/admin-guide/device-mapper/dm-init.rst for dm-mod.create="..." format
* details.
@@ -266,7 +272,7 @@ static int __init dm_init_init(void)
struct dm_device *dev;
LIST_HEAD(devices);
char *str;
- int r;
+ int i, r;
if (!create)
return 0;
@@ -286,6 +292,17 @@ static int __init dm_init_init(void)
DMINFO("waiting for all devices to be available before creating mapped devices");
wait_for_device_probe();
+ for (i = 0; i < ARRAY_SIZE(waitfor); i++) {
+ if (waitfor[i]) {
+ DMINFO("waiting for device %s ...", waitfor[i]);
+ while (!dm_get_dev_t(waitfor[i]))
+ msleep(5);
+ }
+ }
+
+ if (waitfor[0])
+ DMINFO("all devices available");
+
list_for_each_entry(dev, &devices, list) {
if (dm_early_create(&dev->dmi, dev->table,
dev->target_args_array))
@@ -301,3 +318,6 @@ late_initcall(dm_init_init);
module_param(create, charp, 0);
MODULE_PARM_DESC(create, "Create a mapped device in early boot");
+
+module_param_array(waitfor, charp, NULL, 0);
+MODULE_PARM_DESC(waitfor, "Devices to wait for before setting up tables");

1
layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/dm-init.cfg Normal file
View File

@ -0,0 +1 @@
CONFIG_DM_INIT=y

8
layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/erofs.cfg Normal file
View File

@ -0,0 +1,8 @@
CONFIG_EROFS_FS=y
# CONFIG_EROFS_FS_DEBUG is not set
CONFIG_EROFS_FS_XATTR=y
CONFIG_EROFS_FS_POSIX_ACL=y
CONFIG_EROFS_FS_SECURITY=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_LZ4HC=y
CONFIG_EROFS_FS_ZIP=y

10
layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-dm-verity.inc Normal file
View File

@ -0,0 +1,10 @@
# Backport support for dm-mod.waitfor from Kernel 6.2
SRC_URI += "file://0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch"
# Enable erofs support as this is the default FS in CoreOS if dm-verity is enabled
SRC_URI += "file://erofs.cfg"
# Ensure dm-verity is enabled
KERNEL_FEATURES:append = " features/device-mapper/dm-verity.scc"
# Ensure that dm-verity can be enabled at boot time without an initramfs
SRC_URI += "file://dm-init.cfg"

3
layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
View File

@ -1,7 +1,10 @@
# EFI Support
# ==============================================================================
inherit coreos-efi-sbsign inherit coreos-efi-sbsign
require conf/image-uefi.conf require conf/image-uefi.conf
# Ensure EFI STUB is enabled # Ensure EFI STUB is enabled
KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc" KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"

6
layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos.inc Normal file
View File

@ -0,0 +1,6 @@
# Ensure that file are found event when this file is included in another layer
# ==============================================================================
FILESEXTRAPATHS:prepend := "${THISDIR}/kernel:"
require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}
require ${@bb.utils.contains('MACHINE_FEATURES', 'dm-verity', 'linux-yocto-coreos-dm-verity.inc', '', d)}

2
layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
View File

@ -10,4 +10,4 @@ SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
COMPATIBLE_MACHINE:beaglebone = "beaglebone" COMPATIBLE_MACHINE:beaglebone = "beaglebone"
LINUX_VERSION:beaglebone = "5.15.54" LINUX_VERSION:beaglebone = "5.15.54"
require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)} require linux-yocto-coreos.inc

30
layers/meta-belden-coreos/classes/coreos-image-dm-verity.bbclass Normal file
View File

@ -0,0 +1,30 @@
# Glue code to use the dm-verity-img class from meta-security with a CoreOS
# rootfs image
# Settings for the image class
# ==============================================================================
# Use the dm-verity-img.bbclass
IMAGE_CLASSES += "dm-verity-img"
# Settings for the dm-verity-img class
# ==============================================================================
# Let's place the .env file in the DEPLOY_DIR, this will be reused by
# coreos-image-uki to generate the kernel command line
STAGING_VERITY_DIR ?= "${DEPLOY_DIR_IMAGE}"
DM_VERITY_IMAGE ?= "${PN}"
# We use erofs as this FS offer at the moment the best performance for a read
# only file system.
DM_VERITY_IMAGE_TYPE ?= "erofs"
# Settings for coreos-image related classes
# ==============================================================================
COREOS_ROOTFS_IMAGE_FSTYPE ??= "${DM_VERITY_IMAGE_TYPE}.verity"

9
layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
View File

@ -7,16 +7,17 @@
# Swupdate image generation # Swupdate image generation
# ============================================================================== # ==============================================================================
IMAGE_FSTYPES:append = " ext4.zst"
python () { python () {
image = d.getVar('IMAGE_BASENAME') image = d.getVar('COREOS_ROOTFS_IMAGE_NAME')
d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", image, ".ext4.zst") image_ext = d.getVar('COREOS_ROOTFS_IMAGE_EXT')
d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", image, image_ext)
} }
inherit swupdate-image inherit swupdate-image
# Ensure than variable used in the sw-description files are watched for change # Ensure than variable used in the sw-description files are watched for change
do_swuimage[vardeps] += "COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME" do_swuimage[vardeps] += "COREOS_ROOTFS_IMAGE_FILENAME COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
do_swuimage[deptask] += "do_bundle_uki" do_swuimage[deptask] += "do_bundle_uki"
COREOS_EFIBOOTGUARD_NAME ?= "efibootguard${EFI_ARCH}" COREOS_EFIBOOTGUARD_NAME ?= "efibootguard${EFI_ARCH}"

54
layers/meta-belden-coreos/classes/coreos-image-uki.bbclass
View File

@ -31,6 +31,34 @@ COREOS_UKI_PART_INITRAMFS ??= ""
# UKI Generation # UKI Generation
# ============================================================================== # ==============================================================================
coreos_dm_verify_cmdline() {
# In all command that use bc to do some math, we use cut to remove the decimal as
# we need integer and bc automatically add .00000000
. "${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.${DM_VERITY_IMAGE_TYPE}.verity.env"
DISK_SECTOR_SIZE=512
# We need the number of sector used in the block device
# The image size is already a multiple of 512bytes, so we don't need to round it
IMAGE_FILE=$(realpath "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity")
IMAGE_SIZE=$(stat --printf="%s" "${IMAGE_FILE}")
DISK_SECTORS=$(echo "${IMAGE_SIZE}/${DISK_SECTOR_SIZE}" | bc -l | cut -d '.' -f 1 )
DATA_SECTORS=$(echo "${DATA_SIZE}/${DISK_SECTOR_SIZE}" | bc -l | cut -d '.' -f 1 )
# offset, in HASH_BLOCK_SIZE blocks, from the start of hash_device to the root block of the hash tree
# We use a single partition, so the hash is just after the data. DATA_SIZE is in bytes
HASH_OFFSET=$(echo "(${DATA_BLOCKS}*${DATA_BLOCK_SIZE}/${HASH_BLOCK_SIZE})+1" | bc -l | cut -d '.' -f 1 )
# MAPPING_TABLE Format https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMVerity
# 0 417792 verity 1 /dev/sdb /dev/sdc 4096 4096 52224 1 sha256 2aa4f7b7b6...f4952060e8 762307f4bc8...d2a6b7595d8..
# | | | | | | | | | | | | |
# start| | | data_dev | data_block | #blocks | hash_alg root_digest salt
# size | version hash_dev | hash_offset
# target hash_block
MAPPING_TABLE="0 ${DATA_SECTORS} verity ${HASH_TYPE} $1 $1 ${DATA_BLOCK_SIZE} ${HASH_BLOCK_SIZE} ${DATA_BLOCKS} ${HASH_OFFSET} ${HASH_ALGORITHM} ${ROOT_HASH} ${SALT}"
echo "dm-mod.create=\"verity,,,ro,${MAPPING_TABLE} 2 ignore_zero_blocks panic_on_corruption\" dm-mod.waitfor=${1} root=/dev/dm-0 ${APPEND} rootwait"
}
do_image_uki() { do_image_uki() {
deployDir="${DEPLOY_DIR_IMAGE}" deployDir="${DEPLOY_DIR_IMAGE}"
@ -43,9 +71,17 @@ do_image_uki() {
DTB_PARAMS="${DTB_PARAMS} --dtb=${deployDir}/${dtb}" DTB_PARAMS="${DTB_PARAMS} --dtb=${deployDir}/${dtb}"
done done
# Support for coreos-image-dm-verity
if [ "${COREOS_IMAGE_GENERATE_DM_VERITY}" -eq "1" ]; then
CMDLINE=$(coreos_dm_verify_cmdline "${COREOS_ROOTFS_ROOT}")
else
CMDLINE="${COREOS_KERNEL_CMDLINE}"
fi
echo "kernel: ${COREOS_UKI_PART_KERNEL_FILENAME}" echo "kernel: ${COREOS_UKI_PART_KERNEL_FILENAME}"
echo "dtb: ${DTB_PARAMS}" echo "dtb: ${DTB_PARAMS}"
echo "cmdline: ${COREOS_KERNEL_CMDLINE}" echo "cmdline: ${CMDLINE}"
echo "initramfs: ${COREOS_UKI_PART_INITRAMFS}" echo "initramfs: ${COREOS_UKI_PART_INITRAMFS}"
if [ ! -z "${COREOS_UKI_PART_INITRAMFS}" ]; then if [ ! -z "${COREOS_UKI_PART_INITRAMFS}" ]; then
@ -58,13 +94,13 @@ do_image_uki() {
"${COREOS_UKI_PART_STUB}" \ "${COREOS_UKI_PART_STUB}" \
"${COREOS_UKI_PART_KERNEL}" \ "${COREOS_UKI_PART_KERNEL}" \
"${COREOS_KERNEL}" \ "${COREOS_KERNEL}" \
--cmdline "${COREOS_KERNEL_CMDLINE}" \ --cmdline "${CMDLINE}" \
${DTB_PARAMS} ${DTB_PARAMS}
coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL_FILENAME}" coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL_FILENAME}"
} }
do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot" do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot bc-native:do_populate_sysroot"
addtask image_uki after do_image before do_image_complete addtask image_uki after do_image before do_image_complete
@ -75,5 +111,13 @@ do_image_wic[recrdeptask] += "do_image_uki"
# UKI image is normally embedded into a SWU image # UKI image is normally embedded into a SWU image
do_image_swu[recrdeptask] += "${@'do_image_uki' if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1' else ''}" do_image_swu[recrdeptask] += "${@'do_image_uki' if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1' else ''}"
# UKI image may embedded the rootfs as a cpio archive, in this case do_image_uki should run after do_image_cpio # UKI image may embedded the rootfs as initrd or use the rootfs signature as part of the command line
do_image_uki[recrdeptask] += "${@'do_image_cpio' if d.getVar('COREOS_UKI_PART_INITRAMFS') else ''}" # thus it should run after the do_image_${FSTYPE} task
python __anonymous() {
image_fstypes = d.getVar('IMAGE_FSTYPES')
rootfs_fstype = d.getVar('COREOS_ROOTFS_IMAGE_FSTYPE')
pn = d.getVar('PN')
dep = f' {pn}:do_image_{rootfs_fstype.split(".")[0].replace("-", "_")}'
d.appendVarFlag('do_image_uki', 'depends', dep)
}

46
layers/meta-belden-coreos/classes/coreos-image.bbclass
View File

@ -78,15 +78,47 @@ IMAGE_INSTALL ?= "${COREOS_IMAGE_BASE_INSTALL} ${COREOS_IMAGE_EXTRA_INSTALL}"
# before ihneriting the image class, as we don't need to install custom locales # before ihneriting the image class, as we don't need to install custom locales
IMAGE_LINGUAS ?= " " IMAGE_LINGUAS ?= " "
# Rootfs Settings
# ==============================================================================
# Variable for the rootfs
# This can be overriden using ??= in other coreos-image-* classes
COREOS_ROOTFS_IMAGE_NAME ??= "${IMAGE_BASENAME}-${MACHINE}"
COREOS_ROOTFS_IMAGE_FSTYPE ??= "ext4"
COREOS_ROOTFS_IMAGE_EXT ??= ".${COREOS_ROOTFS_IMAGE_FSTYPE}"
COREOS_ROOTFS_IMAGE_FILENAME ??= "${COREOS_ROOTFS_IMAGE_NAME}${COREOS_ROOTFS_IMAGE_EXT}"
IMAGE_FSTYPES:append = " ${COREOS_ROOTFS_IMAGE_FSTYPE}"
# We use the generic python in keyword instead of bb.contains so that erofs or erofs-lz4 or any
# other erofs settings is detected. Erofs is a read only filesystem by design
IMAGE_FEATURES:append = " ${@'read-only-rootfs' if 'erofs' in d.getVar('COREOS_ROOTFS_IMAGE_EXT') else ''}"
# We use the wic rawcopy plugin instead of roots, as we want to rootfs image to
# be copied as is, so we need to inform bitbake that the wic image depends
# on the erofs image
python __anonymous() {
image_fstypes = d.getVar('IMAGE_FSTYPES')
rootfs_fstype = d.getVar('COREOS_ROOTFS_IMAGE_FSTYPE')
pn = d.getVar('PN')
if 'wic' in image_fstypes:
dep = f' {pn}:do_image_{rootfs_fstype.split(".")[0].replace("-", "_")}'
d.appendVarFlag('do_image_wic', 'depends', dep)
}
# Optional coreos-image features that need to be ihnerited before image.bbclass
# ==============================================================================
# dm-verity is for now conditionnally enabled using a MACHINE_FEATURES as not all
# MACHINE support it yet
COREOS_IMAGE_GENERATE_DM_VERITY ?= "${@bb.utils.contains('MACHINE_FEATURES', 'dm-verity', '1', '0', d)}"
inherit ${@'coreos-image-dm-verity' if d.getVar('COREOS_IMAGE_GENERATE_DM_VERITY') == '1' else ''}
inherit image inherit image
# Enable some feature by default # Optional coreos-image features that need to be ihnerited after image.bbclass
IMAGE_FEATURES:append = " ${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', ' read-only-rootfs', d)}"
# Add some extra space, as done in core-image-minimal
IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' + 4096', '', d)}"
# Unified kernel image and swupdate support
# ============================================================================== # ==============================================================================
# Support for Unified Kernel Image and Swupdate are optional # Support for Unified Kernel Image and Swupdate are optional

2
layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
View File

@ -16,7 +16,7 @@ INIT_MANAGER = "systemd"
VIRTUAL-RUNTIME_syslog = "" VIRTUAL-RUNTIME_syslog = ""
VIRTUAL-RUNTIME_base-utils-syslog = "" VIRTUAL-RUNTIME_base-utils-syslog = ""
DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam" DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam security"
# CoreOS wasn't compatible with older Yocto version, so we should not have any # CoreOS wasn't compatible with older Yocto version, so we should not have any
# features backfilled. Value are from DISTRO_FEATURES_BACKFILL # features backfilled. Value are from DISTRO_FEATURES_BACKFILL

10
layers/meta-belden-coreos/files/sw-description
View File

@ -7,14 +7,13 @@ software =
copy0 = { copy0 = {
images: ( images: (
{ {
filename = "@@PN@@-@@MACHINE@@.ext4.zst"; filename = "@@COREOS_ROOTFS_IMAGE_FILENAME@@";
compressed = "zstd";
installed-directly = true; installed-directly = true;
# partlabel are stored inside the GPT partition table. # partlabel are stored inside the GPT partition table.
# The partition table is flashed only once and never updated # The partition table is flashed only once and never updated
device = "/dev/disk/by-partlabel/rootfs0"; device = "/dev/disk/by-partlabel/rootfs0";
type = "raw"; type = "raw";
sha256 = "$swupdate_get_sha256(@@PN@@-@@MACHINE@@.ext4.zst)"; sha256 = "$swupdate_get_sha256(@@COREOS_ROOTFS_IMAGE_FILENAME@@)";
} }
# Don't remove the trailing whitspace on the next line otherwise # Don't remove the trailing whitspace on the next line otherwise
# it will not work due to a regex bug in meta-swupdate # it will not work due to a regex bug in meta-swupdate
@ -64,14 +63,13 @@ software =
copy1 = { copy1 = {
images: ( images: (
{ {
filename = "@@PN@@-@@MACHINE@@.ext4.zst"; filename = "@@COREOS_ROOTFS_IMAGE_FILENAME@@";
compressed = "zstd";
installed-directly = true; installed-directly = true;
# partlabel are stored inside the GPT partition table. # partlabel are stored inside the GPT partition table.
# The partition table is flashed only once and never updated # The partition table is flashed only once and never updated
device = "/dev/disk/by-partlabel/rootfs1"; device = "/dev/disk/by-partlabel/rootfs1";
type = "raw"; type = "raw";
sha256 = "$swupdate_get_sha256(@@PN@@-@@MACHINE@@.ext4.zst)"; sha256 = "$swupdate_get_sha256(@@COREOS_ROOTFS_IMAGE_FILENAME@@)";
} }
# Don't remove the trailing whitspace on the next line otherwise # Don't remove the trailing whitspace on the next line otherwise
# it will not work due to a regex bug in meta-swupdate # it will not work due to a regex bug in meta-swupdate

12
layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb
View File

@ -1,7 +1,5 @@
DESCRIPTION = "Initramfs image with the CoreOS emmc installer" DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
# Don't reboot the device at reboot and don't do A/B switching # Don't reboot the device at reboot and don't do A/B switching
BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config" BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
@ -11,7 +9,11 @@ IMAGE_LINGUAS = ""
LICENSE = "MIT" LICENSE = "MIT"
IMAGE_FSTYPES = "cpio.gz" # Remove default FSTYPES from MACHINE or DISTRO configuration. Note that
# coreos-image-* classes used some :append so the resulting variable will
# contains at least COREOS_ROOTFS_IMAGE_FSTYPE
IMAGE_FSTYPES = ""
COREOS_ROOTFS_IMAGE_FSTYPE = "cpio.gz"
# Support for generating a SDCard installer is optional # Support for generating a SDCard installer is optional
COREOS_INSTALLER_WKS_FILE ??= "" COREOS_INSTALLER_WKS_FILE ??= ""
@ -21,6 +23,10 @@ IMAGE_BOOT_FILES = "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
COREOS_IMAGE_GENERATE_UKI = "1" COREOS_IMAGE_GENERATE_UKI = "1"
# We don't need dm-verity support for the installer as we bundle the rootfs in
# the UKI, thus the rootfs is part of a signed image
COREOS_IMAGE_GENERATE_DM_VERITY = "0"
# Avoid dependancy loop, we are already in an installer image, so we don't need # Avoid dependancy loop, we are already in an installer image, so we don't need
# to bundle another one # to bundle another one
COREOS_IMAGE_GENERATE_INSTALLER = "0" COREOS_IMAGE_GENERATE_INSTALLER = "0"

2
layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb
View File

@ -31,4 +31,4 @@ do_configure:append(){
fi fi
} }
require recipes-kernel/linux/linux-yocto-coreos-efi.inc require recipes-kernel/linux/linux-yocto-coreos.inc

2
templates/bblayers.conf.sample
View File

@ -16,6 +16,8 @@ BBLAYERS ?= " \
##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-filesystems \ ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-filesystems \
##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-python \ ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-python \
##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-webserver \ ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-webserver \
##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-perl \
##COREOS_EXTLAYERSDIR##/meta-security \
##COREOS_EXTLAYERSDIR##/meta-virtualization \ ##COREOS_EXTLAYERSDIR##/meta-virtualization \
##COREOS_EXTLAYERSDIR##/meta-efibootguard \ ##COREOS_EXTLAYERSDIR##/meta-efibootguard \
##COREOS_EXTLAYERSDIR##/meta-swupdate \ ##COREOS_EXTLAYERSDIR##/meta-swupdate \