- 13 Jun, 2022 8 commits
-
-
Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
The identifier img was deleted from the image name. Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
The image types wic-swu-img and secure-wic-swu-img were removed. Rename `squashfs-img` to squashfs according to the new naming scheme. To use squashfs include: IMAGE_CLASSES += "squashfs" IMAGE_TYPEDEP_wic += "squashfs" The modifications for a read-only root file system are now part of a bbclass which can be included directly into the image recipe. The modifications to generate a SWUpdate update package are also no longer part of the image build process and in a separate bbclass. This class needs to be included in the image recipe. To create a verity based image the following line needs to be added to the local.conf or similar configuration: IMAGE_CLASSES += "verity" Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
The variables U_BOOT_CONFIG and U_BOOT_BIN are added by template variables[1]. [1]: https://github.com/ilbers/isar/commit/48dd7969e3c977e7e39b235be71c1f06d912b336 Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
This update introduces the new IMAGE_CMD_*. Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 09 Jun, 2022 1 commit
-
-
Jan Kiszka authored
Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 07 Jun, 2022 2 commits
-
-
Add ltp.inc file so that downstream users can build their own ltp version using bits from isar-cip-core. Signed-off-by:
Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Update to the latest ltp version. The latest ltp version depends on pkg-config. To avoid problems during cross-build, namely Makefile:207: *** running tests on cross-compile build not supported. Stop. we need to disable autotest. Signed-off-by:
Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com> [Jan: fold-in autotest disabling] Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 02 Jun, 2022 2 commits
-
-
Jan Kiszka authored
Same story as for abrootfs-hook, same solution pattern, just different implementation of find_root_via_image_uuid. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Add a retry loop to account for storage devices that do not show up immediately. Specifically USB can fall under this. The logic is split along the classic PARTUUID/PARTLABEL case and the more complex image UUID matching. To avoid continuously mounting/checking/unmounting the same partitions, we keep track of the already checked ones and only test those that are newly discovered. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 25 May, 2022 1 commit
-
-
Jan Kiszka authored
For new projects, this is clearly the better choice. So, move our defaults forward. A separate kas option is introduced to allow explicit selections without relying on defaults. CI is kept with its existing focus on buster images. This can be updated separately later on. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 16 May, 2022 2 commits
-
-
Jan Kiszka authored
Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Model ebg-signed-sysparts.inc analogously to ebg-sysparts.inc because both in-tree users share already the configuration and kernel partition entries, and that is also generally expected from downstream users. Reported-by:
Bao Cheng Su <baocheng.su@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 10 May, 2022 1 commit
-
-
Jan Kiszka authored
There is no "qemu-armhf", we called it qemu-arm. Therefore, finding its images failed. Rename DISTRO_ARCH to QEMU_ARCH and set it to "arm" for the related target. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 09 May, 2022 1 commit
-
-
Update SWUpdate to commit https://salsa.debian.org/debian/swupdate/ 344548c816b555c58ec199f31e45703897d23fb5. This contains the upstream version of the patches: -debian-Make-CONFIG_HW_COMPATIBILTY-optional.patch -debian-rules-Add-Embedded-Lua-handler-option.patch -debian-Remove-SWUpdate-USB-service-and-Udev-rules.patch -Add-Profile-option-to-disable-CONFIG_HASH_VERIFY.patch The available build options are now documented in ${S}/debian/README.Debian. Signed-off-by:
Quirin Gylstorff <quirin.gylstorff@siemens.com> Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 05 May, 2022 6 commits
-
-
Jan Kiszka authored
We just need to pick up the newly deployed firmware.bin as -bios, analogously to the x86's OVMF, and switch to a disk image. A separate key storage is not yet used, thus there is no difference between normal and secure mode for arm64 so far. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Hook up the new U-Boot recipe, provide new wks files and disable the watchdog for EFI Boot Guard - that's all that's needed to allow offering SWUpdate and secure boot for the QEMU arm64 target. QEMU currently does not provide a watchdog for the virt machine which we plan to use. A patch to change this has been sent, but for now we will have to live without one. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
This will be used for booting via UEFI, both in open and locked-down secure mode. The secure mode variations can be selected by adding "secureboot" to OVERRIDES. One extra patch is needed to add support for long-living certificates. It is pending upstream. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Pick up the DTBs specified via DTB_FILES and embed them into the unified kernel image that the wic plugin can generate. This does not work for normal kernels, so bail out if DTB_FILES is set in that mode. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Switch to the unified kernel image and its generator script that EFI Boot Guard now provides. So far this only simplifies the generation process. But it will also allow to use the more advanced device tree embedding of the EBG linux-stub later on. As the linux-stub uses LINUX_EFI_INITRD_MEDIA_GUID for loading the initrd, we need to restrict support to CIP kernel 5.10 as this feature was only introduced with 5.8. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
We crash in case of an empty command line with non-unified kernel images right now. Just avoid cmdline==None, will also make upcoming changes simpler. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 04 May, 2022 7 commits
-
-
Jan Kiszka authored
This version brings the new unified kernel stub and script to generate unified kernel images from that. That script requires python3, so we need to expand the package dependencies. As we package all tools into a single deb, and the target usually requires bg_{print,set}env, python3 is now also pulled onto the target. If that should be avoided, we will have to split packaging in future. One extra patch is needed that missed the release. It fixes building under buster for arm64. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Needed for iTCO under -rt kernels, swupdate support on arm64 and xattr for squashfs in swupdate scenarios. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Simplify the signing recipe to a single, generic one. Instead, provide secure-boot-secrets packages that contain the used image key and certificate at a well-defined location. This allows for easy reuse in other recipes than ebg-secure-boot-signer. U-Boot will be one. Rather than using the OVMF package as build-time source for the snakeoil keys, we import the two artifacts here. This allows to run the required key removal upfront and simplifies the usage for buster. The certificate has such a long lifetime that also future Debian should use the same one, thus the snakeoil artifacts of OVMF should stay in sync with our copy of key and cert. We may revisit this when discontinuing support for buster, though. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Forgotten to remove in f1e55949. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Needed in case overlay support is built as kernel module. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Fail loudly in case the overlay cannot be mounted. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 22 Apr, 2022 6 commits
-
-
Jan Kiszka authored
On panic, initramfs-tools opens up a shell unless panic=X is set on the kernel command line. Fix that because such a shell could break the chain of trust. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
Rather than verifying the complete device, match on the UUID embedded into the dm-verity superblock. That is much faster and, thus, saves boot time with large partitions and/or slow devices. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
This is needed for read-only rootfs setups. We could also update the account settings, but establishing a link comes with less surprises. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
As systemd is not well prepared for read-only rootfs, specifically /wrt machine-id management and anything that depends on it, it's best to mount the /etc overlay already in the initramfs. This implies that also /var is mounted at that level. We still keep the fstab setup done by wic-swu-img class so that systemd will recognize the rootfs as read-only and not try to remount it rw which will only fail with underlying squashfs. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
We only get it implicitly so far, but that may always change. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
Jan Kiszka authored
This unifies the pattern we generate initramfs images for non-secure and secure SWUpdate images. Besides cleaning up the related abrootfs selection hook, the unification is a precondition for adding another initramfs recipe later that will be shared between both image types. The pattern followed in the new initramfs-abrootfs-hook script is now similar to initramfs-verity-hook: a local-top hook is used, rather than a patch for Debian's local script. This hook looks for the matching rootfs by read-only mounting candidates, comparing the contained UUID against the one stored in the initramfs, unmounting again, and then setting the ROOT variable on match. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 21 Apr, 2022 1 commit
-
-
Jan Kiszka authored
"rw" is meaningless and misleading for the read-only rootfs we have. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 19 Apr, 2022 1 commit
-
-
Jan Kiszka authored
First, sda is the default anyway. But, more importantly, we do not need this parameter in these cases as we either mount by label/uuid or do not mount at all (EBG partitions). Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-
- 18 Apr, 2022 1 commit
-
-
Jan Kiszka authored
No need to run this for non-qemu and non-x86. And, yes, overrides can stack. Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com>
-