summaryrefslogtreecommitdiffstats
path: root/recipes-core
Commit message (Collapse)AuthorAgeFilesLines
* dm-verity-image-initramfs: Bind at do_image insteadniko.mauno@vaisala.com2020-09-121-3/+3
| | | | | | | | | Bind custom actions in this image recipe in do_image() rather than do_rootfs(), which can help shaving even dozens of seconds from duration of 'bitbake <DM_VERITY_IMAGE>' command re-execution. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Ensure verity hash syncniko.mauno@vaisala.com2020-09-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In order to ensure that the bundled initramfs always contains the most recently generated DM_VERITY_IMAGE specific root filesystems' root hash, we disable the timestamp for do_rootfs() task here, meaning that the task will be re-executed whenever some task that depends on it executes. Without this change, executing e.g. the following sequence $ bitbake <DM_VERITY_IMAGE> $ bitbake -c clean <DM_VERITY_IMAGE> $ bitbake <DM_VERITY_IMAGE> results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like Mounting /dev/vda over dm-verity as the root filesystem [ 8.729974] device-mapper: verity: sha256 using implementation sha256-generic [ 8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read Verity device detected corruption after activation. [ 8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read ... [ 9.135707] EXT4-fs (dm-0): unable to read superblock [ 9.142897] EXT4-fs (dm-0): unable to read superblock [ 9.145393] EXT4-fs (dm-0): unable to read superblock [ 9.147905] FAT-fs (dm-0): unable to read boot sector mount: /new_root: can't read superblock on /dev/mapper/rootfs. BusyBox v1.32.0 () multi-call binary. Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS] [ 9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 [ 9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1 [ 9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 ... [ 9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]--- Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: restore riscv64 for libssecompArmin Kuster2020-07-271-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: remove libseccomp for riscv*Armin Kuster2020-07-271-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: remove clamav for riscv*Armin Kuster2020-07-251-3/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security packagegroups: move to recipes-coreArmin Kuster2020-07-252-0/+96
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security images: Move to recipe-coreArmin Kuster2020-07-254-0/+87
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity: add a working example for BeagleBone BlackBartosz Golaszewski2020-05-153-0/+85
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds various bits and pieces to enable generating a working example of a full chain of trust up to dm-verity-protected rootfs level on Beagle Bone Black. The new initramfs is quite generic and should work for other SoCs as well when using fitImage. The following config can be used with current master poky, meta-openembedded & meta-security to generate a BBB image using verified boot and dm-verity. UBOOT_SIGN_KEYDIR = "/tmp/test-keys/" UBOOT_SIGN_KEYNAME = "dev" UBOOT_SIGN_ENABLE = "1" UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config" IMAGE_CLASSES += "dm-verity-img" IMAGE_FSTYPES += "wic.xz ext4" DM_VERITY_IMAGE = "core-image-full-cmdline" DM_VERITY_IMAGE_TYPE = "ext4" KERNEL_CLASSES += "kernel-fitimage" KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage" IMAGE_INSTALL_remove = " kernel-image-zimage" IMAGE_BOOT_FILES_remove = " zImage" IMAGE_BOOT_FILES_append = " fitImage-${INITRAMFS_IMAGE}-${MACHINE}-${MACHINE};fitImage" # Using systemd is not strictly needed but deals nicely with read-only # filesystem by default. DISTRO_FEATURES_append = " systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit" VIRTUAL-RUNTIME_init_manager = "systemd" VIRTUAL-RUNTIME_initscripts = "systemd-compat-units" INITRAMFS_IMAGE = "dm-verity-image-initramfs" INITRAMFS_FSTYPES = "cpio.gz" INITRAMFS_IMAGE_BUNDLE = "1" WKS_FILE = "beaglebone-yocto-verity.wks.in" KERNEL_FEATURES_append = " features/device-mapper/dm-verity.scc" Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* busybox: fix sig changes when layer addedArmin Kuster2019-09-072-3/+4
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libseccomp: add testsArmin Kuster2015-04-152-0/+4
update busybox for extend head option for test suite remove seq -f option as it is not supported buy busybox Signed-off-by: Armin Kuster <akuster808@gmail.com>