[TEST BUILD] Installer image #19
Conversation

Question: should refkit-installer-image be created by default?

I suppose we want the installer image, so I've enabled it also by default.

Building multipath-tools fails - a known issue, the patch fixing it just isn't in refkit yet.
ebee9eb to 83afdac
test this please. I've added the updated meta-openembedded with the multipath-tools fix.
83afdac to d304d88
meta-refkit/conf/distro/refkit.conf (Outdated)

    KERNEL_FEATURES_append = "${@ bb.utils.contains('DISTRO_FEATURES', 'dm-verity', ' dm-verity.scc', '', d) }"
    SRC_URI_append_pn-linux-yocto = " file://dm-verity.scc"
    FILESEXTRAPATHS_prepend_pn-linux-yocto = "${META_REFKIT_BASE}/files/linux-yocto:"
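Review bot: the three lines are scoped inconsistently: KERNEL_FEATURES_append applies to every kernel recipe once the dm-verity distro feature is set, while the SRC_URI_append and FILESEXTRAPATHS_prepend on the following two lines are limited to pn-linux-yocto. Any other kernel recipe (linux-intel is the one named in this thread) would then be asked to include dm-verity.scc without the file being in its SRC_URI. Either scope all three to the same recipe, or add the matching pn-linux-intel lines for as long as the .scc is not yet available from yocto-kernel-cache.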
@pohly linux-intel is what we get from meta-intel nowadays. Have you submitted these in yocto-kernel-cache already? We've aimed at not having BSP bbappends here; everything comes from meta-intel.
Yes, I have submitted it, but it's not yet available. The entire commit can be reverted once it is.
Similar modifications for the new linux-intel need to be added.
It uses the same kernel cache. Once the scc is merged there let's submit a meta-intel patch ourselves to speed up things.
Please do not merge quite yet. While re-testing the dm-verity change without the local.conf changes that I was using earlier I am running into some problem with the verity.scc that I need to investigate first.
d304d88 to a6f782b
a6f782b to 7f9f52b
7f9f52b to 6090b8e
Setting DEPENDS_${PN} has no effect. DEPENDS must be set instead,
to ensure that attr-native really is available. The name also
was wrong.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
The VFAT partition size specified in the DSK_IMAGE_LAYOUT no longer matched the actual size used for images, and 15MB indeed is barely large enough. Adding tools like cryptsetup to the initramfs causes it to exceed that limit.

Instead of hard-coding a fixed size in the .wks.in file, a per-image variable is now inserted. The size of the rootfs can also be controlled, including not limiting it at all and thus adapting the image size to the size of the rootfs. This will be needed for the installer image which is larger than normal images.

The default is the same as before (30MB for the VFAT partitions, 4GB total image size).

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
The Ostro OS OX approach of embedding the installer into the initramfs had several limitations:
- accidentally booting the image tainted the image and made it impossible to install from it
- installer image and installed image had to have exactly the same content
- not very user friendly, in particular no easy way to configure the installation

This new approach takes an arbitrary base image (in our case, the same content as in refkit-image-common) and adds to it:
- the "image-installer" installer script
- several other image files

The content of the script is highly configurable. The generic part is in image-installer.bbclass, the refkit specific part in refkit-installer-image.bb.

One possible usage is to add a systemd unit which can be started directly after booting and that will do a fully automated installation, for use in a factory.

The manual installation can be tested in runqemu with:

    $ mkdir -p my-machine
    $ truncate -s 4G my-machine/hard-disk
    $ runqemu serial nographic refkit-installer-image wic intel-corei7-64 'qemuparams=-drive if=virtio,file=my-machine/hard-disk,format=raw' ovmf
    Pick an image file [(RETURN) = (0) = refkit-image-common-intel-corei7-64.wic, (1) = refkit-image-computervision-intel-corei7-64.wic]:
    Boot device is /dev/vda3.
    Found the following additional disk(s): vdb
    Pick a target device [(RETURN) = (0) = vdb]:
    Installing from /usr/lib/image-installer/refkit-image-common-intel-corei7-64.wic to /dev/vdb.
    Proceed? Type yes to confirm and no to abort: yes
    Running: kpartx -sav /usr/lib/image-installer/refkit-image-common-intel-corei7-64.wic
    Running: mount /dev/mapper/loop0p3 /tmp/tmp.PnK7AL
    Running: sgdisk -o /dev/vdb
    The operation has completed successfully.
    Running: sgdisk -n 1:+0:+15M -c 1:primary_uefi -t 1:EF00 -u 1:c63df54b-122c-4515-9e30-db041407809a -- /dev/vdb
    Setting name!
    partNum is 0
    REALLY setting name!
    The operation has completed successfully.
    Running: sgdisk -A 1:set:2 -- /dev/vdb
    The operation has completed successfully.
    Running: mkfs.fat /dev/vdb1
    mkfs.fat 4.0 (2016-05-06)
    Running: mount -t vfat /dev/vdb1 /tmp/tmp.IViBan
    Running: cp -r /tmp/tmp.PnK7AL/boot/EFI_internal_storage /tmp/tmp.IViBan/EFI
    Running: sgdisk -n 2:+0:+15M -c 2:secondary_uefi -t 2:2700 -u 2:c4e695f4-b184-41a3-9f4f-2c2f4a48aacd -- /dev/vdb
    Setting name!
    partNum is 1
    REALLY setting name!
    The operation has completed successfully.
    Running: mkfs.fat /dev/vdb2
    mkfs.fat 4.0 (2016-05-06)
    Running: mount -t vfat /dev/vdb2 /tmp/tmp.qhjKVX
    Running: cp -r /tmp/tmp.PnK7AL/boot/EFI_internal_storage /tmp/tmp.qhjKVX/EFI
    Running: sgdisk -n 3:+0:-1s -c 3:rootfs -t 3:8300 -u 3:12345678-9abc-def0-0fed-cba987654320 -- /dev/vdb
    Setting name!
    partNum is 2
    REALLY setting name!
    The operation has completed successfully.
    Running: mkfs.ext4 -q -v -F -U 12345678-9abc-def0-0fed-cba987654320 /dev/vdb3
    /dev/vdb3 contains a ext4 file system
        last mounted on / on Fri Jan 27 07:31:59 2017
    fs_types for mke2fs.conf resolution: 'ext4'
    Running: mount -t ext4 /dev/vdb3 /tmp/tmp.awaVqF
    Running: rsync -aAX /tmp/tmp.PnK7AL/ /tmp/tmp.awaVqF/
    done
    $ ln my-machine/hard-disk tmp-glibc/deploy/images/intel-corei7-64/my-installed-image-intel-corei7-64.wic
    $ cp tmp-glibc/deploy/images/intel-corei7-64/refkit-installer-image-intel-corei7-64.qemuboot.conf tmp-glibc/deploy/images/intel-corei7-64/my-installed-image-intel-corei7-64.qemuboot.conf
    $ runqemu my-installed-image wic intel-corei7-64 ovmf

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
When the "luks" distro feature is set, the refkit-installer-image sets up LUKS for the rootfs and the refkit-initramfs opens that before mounting the rootfs. Currently a proof-of-concept because a well-known password is needed. Depends on cryptsetup from meta-openembedded.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

The per-machine key is stored in TPM NVRAM, where it is only available to valid, authorized software once Secure Boot is enabled. This is a proof-of-concept. It relies heavily on working Secure Boot, which requires further work and solving some usability questions, like distinguishing between a device fresh from the factory and a locked down device. Bringing up TPM inside the initramfs depends on IPv4. init-ifupdown is used to provide the necessary config files.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

The .scc files are merged upstream, but not all SRCREVs updates have found their way into OE-core (sent), meta-intel (not even sent) or refkit.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
The fixes for multipath-tools compilation are needed for the installer image. multipath-tools was blacklisted because of a compile problem on ARM. We can override that in the distro, a patch fixing that upstream was sent.

* meta-openembedded 5ecbf9b...044e518 (105):

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Adding additional lines to REFKIT_EXTRA_PARTITION makes it possible to create additional partitions.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
dm-verity is useful as an integrity protection mechanism for read-only partitions. In contrast to whole-disk encryption, it also works for removable media like USB sticks. Accidental (media errors) or intentional (offline attacks) modifications are detected at runtime directly when accessing blocks.

This would be useful for the installer image (more reliable flashing), even when not worrying about offline attacks. However, the distro feature is currently disabled by default because it depends on pending patches in meta-oe which enable building the necessary tools also natively.

A default signing key is provided as part of this change, but only used when the build is configured to be for development. When building a production image, the developer needs to create and configure his own secret key.

OpenSSL is used for signing and verification. GnuPG was considered. It would make passphrase handling for the private key a bit more flexible, but adds a huge chain of dependencies to the initramfs and thus was ruled out. It also would introduce GPLv3 into the initramfs.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
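As an added illustration of the per-block integrity check described in this commit message (example code, not refkit's scripts or the kernel's dm-verity implementation), the following Python model builds a dm-verity style hash tree over a constructed image and shows that a single flipped bit in one block makes that block fail verification while untouched blocks still pass; the block size, salt and sample image are constructed values.

```python
"""Model of the dm-verity hash tree (added example, not refkit or kernel code).

Follows the dm-verity v1 layout: each data block is hashed as SHA-256(salt || block),
the digests are packed into hash blocks (zero-padded), and the packing repeats until a
single block is left; the root hash is the digest of that block. Only the root hash has
to be trusted (refkit signs it with OpenSSL). The block size is shrunk so the example
stays small; real dm-verity uses 4096-byte blocks.
"""
import hashlib

BLOCK = 256                       # constructed: real dm-verity uses 4096
DIGEST = 32                       # SHA-256 digest length
SALT = bytes(range(16))           # constructed salt; a real deployment uses a random one
SAMPLE = bytes(range(256)) * 20   # constructed 20-block "partition image"


def _h(salt, data):
    return hashlib.sha256(salt + data).digest()


def _blocks(data):
    """Zero-pad data to a multiple of BLOCK and split it into blocks."""
    data += b"\0" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def build_tree(image, salt=SALT):
    """Return (root_hash, levels); levels[0] holds the leaf digests."""
    blocks, levels = _blocks(image), []
    while True:
        blocks = _blocks(b"".join(_h(salt, b) for b in blocks))
        levels.append(blocks)
        if len(blocks) == 1:
            return _h(salt, blocks[0]), levels


def verify_block(image, idx, root_hash, levels, salt=SALT):
    """Check data block idx against the trusted root, as the kernel does on each read."""
    per = BLOCK // DIGEST
    digest, node = _h(salt, _blocks(image)[idx]), idx
    for hash_blocks in levels:
        blk = hash_blocks[node // per]
        off = (node % per) * DIGEST
        if blk[off:off + DIGEST] != digest:
            return False          # mismatch: media error or tampering in this block
        digest, node = _h(salt, blk), node // per
    return digest == root_hash


def flip_detected(image, idx, bit=0):
    """Flip one bit in block idx; return (clean block verifies, tampered block verifies)."""
    root, levels = build_tree(image)
    tampered = bytearray(b"".join(_blocks(image)))
    tampered[idx * BLOCK] ^= 1 << bit
    return verify_block(image, idx, root, levels), verify_block(bytes(tampered), idx, root, levels)
```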
Enabling the build of the installer image also indirectly triggers building of the images included in it.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

The swtpm and trousers fixes are staged upstream, but not in master yet. In the meantime this submodule pulls from a fork based on the current master with those pending patches added.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

30MB are not enough when enabling dm-verity support and thus including cryptsetup and openssl in the initramfs. The size increase could be made conditional, but that seems overly complex.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

The result is that the installer image will be read-only with dm-verity as integrity protection. The main practical advantage is that bit flips on low-quality USB sticks will be detected reliably. Whole disk-encryption with LUKS is enabled for normal images, but not enforced and thus does not really protect against offline attacks. It gets activated for images installed by the installer image.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

Patches pending upstream, but not merged yet. Enables "bitbake ovmf".

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

The removal of ttyS0 from APPEND is annoying when running under qemu, because there's no output on the serial console.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

tcsd is not started automatically, but we need that for the installer script.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

Recipe specific sysroots revealed the missing glib-2.0 dependency.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Patch sent to OE-core ("[PATCH] libarchive: fix bzip2 dependency for
native build").
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
This corresponds to the demo described in "Surviving in the Wilderness: Integrity Protection and System Update" https://openiotelcna2017.sched.com/event/9J5i

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
6090b8e to 9c86bdd
jlaako
left a comment
I recommend adjusting sizes according to the PR #36
    # By default, the full image is going to use roughly 4GB, independent
    # of the actual roofs size.
    WKS_FILE = "refkit-directdisk.wks.in"
    REFKIT_VFAT_MB ??= "30"
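Review bot: the second comment line reads "roofs size" and should read "rootfs size"; since REFKIT_VFAT_MB and the image size are the knobs people will tune, a typo in the explanatory comment right above them is worth fixing in this change.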
I recommend using 32
    # of the actual roofs size.
    WKS_FILE = "refkit-directdisk.wks.in"
    REFKIT_VFAT_MB ??= "30"
    REFKIT_IMAGE_SIZE ??= "--fixed-size 3700M"
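Review bot: the comment above REFKIT_IMAGE_SIZE says the full image uses "roughly 4GB", but the default on the last line is "--fixed-size 3700M"; either align the comment with the actual value or document why the default stays below 4GB, so that anyone overriding REFKIT_IMAGE_SIZE (as suggested in this review) knows which constraint they are changing.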
And 3968 here
Also includes support for whole-disk encryption and dm-verity (currently limited to the installer image).

Whole-disk encryption depends on TPM 1.2 and recipes from meta-security with patches that are currently pending in meta-security master-next (for example, "trousers: tcsd.conf must be owned tss:tss"). The PR can be merged, but the feature can't be enabled.

There are some TODOs that depend on extending the product vs. development image concept. There was a discussion around that also in OE-core (triggered by the proposal to set a root password by default); we should reach some conclusion for OE-core and use that for our refkit-production.inc and refkit-development.inc files and also these TODO items. For now I propose to merge as-is.

Documentation only exists in the form of source code comments.