[TEST BUILD] Installer image

.gitmodules

@@ -1,6 +1,6 @@
 [submodule "openembedded-core"]
 	path = openembedded-core
-	url = http://git.openembedded.org/openembedded-core
+	url = https://github.com/pohly/openembedded-core.git
 	branch = master
 [submodule "bitbake"]
 	path = bitbake
@@ -28,3 +28,7 @@
 [submodule "meta-intel-realsense"]
 	path = meta-intel-realsense
 	url = https://github.com/IntelRealSense/meta-intel-realsense.git
+[submodule "meta-security"]
+	path = meta-security
+	url = https://github.com/pohly/meta-security.git
+	branch = swtpm

doc/howtos/image-installer.rst

@@ -0,0 +1,70 @@
+Building with swupd enabled
+===========================
+
+* git clone --recursive --branch installer-image https://github.com/pohly/intel-iot-refkit.git
+* git clone https://git.yoctoproject.org/git/meta-swupd
+* cd intel-iot-refkit
+* . refkit-init-build-env
+* bitbake-layers add-layer `pwd`/../../meta-swupd
+* Add to local.conf:
+
+      require conf/distro/include/refkit-development.inc
+
+      REFKIT_IMAGE_COMMON_EXTRA_FEATURES_append = " swupd"
+      OS_VERSION = "1000"
+      SWUPD_VERSION_URL = ""
+      SWUPD_CONTENT_URL = ""
+
+* bitbake ovmf refkit-installer-image refkit-image-common swtpm-wrappers
+* meta-swupd/scripts/swupd-http-server &
+* Edit local.conf to build an incremental update:
+
+      OS_VERSION = "1010"
+      SWUPD_VERSION_URL = "http://localhost:8000"
+      SWUPD_CONTENT_URL = "http://localhost:8000"
+
+* bitbake refkit-image-common # Do not rebuild the refkit-installer-image!
+
+Installing, rebooting, updating
+===============================
+
+Precondition: user must be able to run commands as root with sudo.
+
+* cd intel-iot-refkit
+* . refkit-init-build-env
+* export PATH=../doc/howtos/image-installer:$PATH
+* meta-swupd/scripts/swupd-http-server &
+* init-tpm # initializes content of a virtual TPM
+* run-swtpm # run software TPM in background as root, creates /dev/vtpm0 (must be repeated after each runqemu run!)
+* runqemu-install
+* Once booting has finished:
+  * lsblk # dm-verity is active, shown twice and size is a bit odd (hash partition /dev/vda4 should be smaller)
+  * mount # rootfs is ro
+  * image-installer
+  * select refkit-image-common (swupd enabled!), confirm vdb, yes
+  * reboot
+* run-swtpm
+* cp tmp-glibc/deploy/images/intel-corei7-64/my-installed-image-intel-corei7-64.wic tmp-glibc/deploy/images/intel-corei7-64/my-installed-image-intel-corei7-64.wic.1000 # can be copied back to repeat the following steps without starting at the top
+* runqemu-internal-disk
+* Once booted:
+  * cat /etc/os-release
+  * lsblk # LUKS crypt active
+  * mount # rootfs is rw
+  * connmanctl services
+  * connmanctl config ethernet_525400123402_cable --ipv4 manual 192.168.7.2 # must match tap0 on host
+  * swupd verify --url http://192.168.7.1:8000
+  * cryptsetup # command not available
+  * swupd update --url http://192.168.7.1:8000 # fast, incremental update
+  * cryptsetup status rootfs
+  * cat /etc/os-release
+
+Troubleshooting
+===============
+
+bitbake do_fetch_swupd_inputs fails: SWUPD_VERSION_URL and
+SWUPD_CONTENT_URL must be empty for the first build, and non-empty in the
+second build. meta-swupd/scripts/swupd-http-server must be running
+during the second build.
+
+qemu can't open /dev/vtpm0: run-swtpm. Must be done after each runqemu invocation
+because swtpm shuts down after use.

doc/howtos/image-installer/init-tpm

@@ -0,0 +1,6 @@
+#!/bin/sh -ex
+
+IMAGE_DIR=tmp-glibc/deploy/images/intel-corei7-64
+rm -rf $IMAGE_DIR/my-tpm
+mkdir $IMAGE_DIR/my-tpm
+tmp-glibc/work/*/swtpm-wrappers/1.0-r0/swtpm_setup_oe.sh --tpm-state $IMAGE_DIR/my-tpm --createek

doc/howtos/image-installer/run-swtpm

@@ -0,0 +1,10 @@
+#!/bin/sh -ex
+
+IMAGE_DIR=tmp-glibc/deploy/images/intel-corei7-64
+# LOGFILE=tmp-glibc/log/swtpm_cuse.log
+# rm -f $LOGFILE
+# touch $LOGFILE
+# Beware, need absolute paths!
+# --log file=$(realpath $LOGFILE),level=20
+sudo tmp-glibc/work/*/swtpm-wrappers/1.0-r0/swtpm_cuse_oe.sh -n vtpm0 --tpmstate dir=$(realpath $IMAGE_DIR/my-tpm)
+sudo chown $(id -u) /dev/vtpm0

doc/howtos/image-installer/runqemu-install

@@ -0,0 +1,6 @@
+#!/bin/sh -ex
+
+IMAGE_DIR=tmp-glibc/deploy/images/intel-corei7-64
+truncate -s 4G $IMAGE_DIR/my-installed-image-intel-corei7-64.wic
+cp $IMAGE_DIR/refkit-installer-image-intel-corei7-64.qemuboot.conf $IMAGE_DIR/my-installed-image-intel-corei7-64.qemuboot.conf
+runqemu serial nographic refkit-installer-image wic intel-corei7-64 "qemuparams=-drive if=virtio,file=$IMAGE_DIR/my-installed-image-intel-corei7-64.wic,format=raw -tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0" ovmf

doc/howtos/image-installer/runqemu-internal-disk

@@ -0,0 +1,4 @@
+#!/bin/sh -ex
+
+IMAGE_DIR=tmp-glibc/deploy/images/intel-corei7-64
+runqemu serial nographic my-installed-image wic intel-corei7-64 "qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0" ovmf

meta-refkit/classes/image-dsk.bbclass

@@ -75,15 +75,15 @@ DSK_IMAGE_LAYOUT ??= ' \
     "partition_01_primary_uefi_boot": { \
         "name": "primary_uefi", \
         "uuid": 0, \
-        "size_mb": 15, \
+        "size_mb": ${REFKIT_VFAT_MB}, \
         "source": "${IMAGE_ROOTFS}/boot/", \
         "filesystem": "vfat", \
         "type": "${PARTITION_TYPE_EFI}" \
     }, \
     "partition_02_secondary_uefi_boot": { \
         "name": "secondary_uefi", \
         "uuid": 0, \
-        "size_mb": 15, \
+        "size_mb": ${REFKIT_VFAT_MB}, \
         "source": "${IMAGE_ROOTFS}/boot/", \
         "filesystem": "vfat", \
         "type": "${PARTITION_TYPE_EFI_BACKUP}" \