New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UEFI-based SWUpdate and Secure Boot integration #314
Conversation
This brings a resolution of build conflicts between tensorflow and swupdate packages. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
@@ -13,7 +13,7 @@ Before=swupdate.service shutdown.target | |||
|
|||
[Service] | |||
Type=oneshot | |||
ExecStart=/usr/share/u-boot-env/patch-u-boot-env.sh sysselect /usr/share/u-boot-env/patch-u-boot-env.config | |||
ExecStart=sh -c '/usr/share/u-boot-env/patch-u-boot-env.sh watchdog_timeout_ms /usr/share/u-boot-env/patch-u-boot-env.config; fw_setenv watchdog_timeout_ms 60000' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the reason for setting the variable watchdog_timeout_ms
in the u-boot config script and the patch service?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The patch service can also handle current firmware 1.2.1 (for non-secure swupdate) by not only setting a non-zero timeout but also adding the related scripts that is missing in that version.
52b5059
to
c204548
Compare
@jan-kiszka , Sorry but I could not recall the exact |
-> validated firewall settings |
Brings internal simplifications and allows to update to kas 3.x, thus Debian bullseye as build environment. It also permits to build EFI Boot Guard for arm64 which will be used soon. Temporarily, we pick up an older version of wic-swu-img.bbclass in order to preserve the r/w property of the rootfs that isar-cip-core already dropped. Alignment to isar-cip-core will happen in succeeding steps. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
…ecipe No need to carry this in the kas file. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Those are not compatible / not needed (we use PARTLABEL so far) with SWUpdate images. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Those are dropped into the soon persistent [/home]/root folder, thus cannot be part of the update image anymore. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This will be needed when making the rootfs read-only and /home persistent. We keep a link, though, so that everything feels the same. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed for read-only rootfs imaging. This patch is likely not the final solution as upstream OE gave some push-back. But the use-case is valid, and there will be an official pattern or patch eventually. We will adopt that once available. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Keeping this off prevents the kernel from being bootable via a UEFI bootloader. However, the latest firmware release is already capable of booting via UEFI. So there is no reason to deny this default option. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed for a read-only rootfs. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Adopting the UEFI-based boot that isar-cip-core pre-integrates allows sharing of much more recipes and patterns. It also enables the switch to the more appropriate read-only rootfs setup which avoids mixing up local installation with full-image updating. Finally, this lays the ground for secure boot and rootfs image integrity checking in later steps. We boot the kernel now via EFI Boot Guard and a unified kernel image generated by it. That means, watchdog handling will remain with U-Boot but rootfs selection is moved to EFI Boot Guard. The unified kernel image contains all device trees of the IOT2050 variants and selects the fitting one based on what U-Boot passed down as firmware DTB. So we preserve the ability to update kernel and DTB in lock-step. An initramfs is now generate with pairs the booted kernel with the associated rootfs and mounts the /etc overlay early. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The current expired already 2 years ago, and that will make some validators unhappy. Refresh, giving it a decade now. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed for secure boot. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Will be needed when we use dm-verity for the rootfs. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This provides our custMpk key/cert for signing and validating artifacts in the upcoming secure boot setup. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Adopt the secure boot pattern of isar-cip-core by enabling dm-verity for the rootfs and activating signatures for the boot loader as well as the unified kernel image. Note that the persistent /var and /home partitions are not yet protected. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Many are backported from mainline, some still need upstreaming. None of them should have negative impact on the default non-secure configuration of the firmware. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This requires to build in the corresponding image certificate as static EFI vars into U-Boot, at least as long as we have no secure storage as alternative. Hardening is done via a config fragment that adjusts BOOTCOMMAND to only run bootefi while still respecting boot_targets. Note that not all U-Boot env variables can be protected. Specifically Ethernet MAC addresses remain in the unprotect env section and could be manipulated offline. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Let's better test the full-featured build here. Also, the secure image boots fine on a non-secured firmware. The non-secure option could be added as separate target if we see too many regressions for it. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
c204548
to
1ec3d8b
Compare
Not completely secure yet due to
Still requires addition work on the documentation front, both to update it and to describe in more details how to adopt and customize these patterns for product images.
@gylstorffq @stormc