Build scripts?

[westurner]

Are there build scripts for this?

[westurner]

selinux modules, logging commands run (as root)

In reading /root/.bash_history (and /var/log/dnf.log*) in fedora-pinebookpro-gnome-0.8.img.xz, I noticed the SELinux policy modules /root/modules/disk1.pp and /root/modules/*.te. What are these for / [why] are they necessary [after relabeling]?

With fedora-arm-image-installer, you can specify fedora-arm-image-installer --selinux=on --relabel; which enables selinux by setting SELINUX=enforcing in /etc/selinux/config and touches /.autorelabel (which causes the next boot to take quite awhile due to running restorecon on everything in /):
https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer

Inlined copy of `/root/modules/*.te`

[root@mb2 modules]# (for f in *.te; do echo "#### $f ####"; cat "$f"; echo -e "\n"; done)
#### disk1.te ####

module disk1 1.0;

require {
	type unlabeled_t;
	type local_login_t;
	class file read;
}

#============= local_login_t ==============
allow local_login_t unlabeled_t:file read;


#### mod1.te ####

module mod1 1.0;

require {
	type iptables_t;
	type kernel_t;
	class fifo_file read;
}

#============= iptables_t ==============
allow iptables_t kernel_t:fifo_file read;


#### mod2.te ####

module mod2 1.0;

require {
	type systemd_logind_t;
	type unlabeled_t;
	type system_dbusd_t;
	type systemd_hostnamed_t;
	type systemd_localed_t;
	type xdm_t;
	class file { getattr open read };
}

#============= system_dbusd_t ==============
allow system_dbusd_t unlabeled_t:file { getattr open };

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t unlabeled_t:file { getattr open read };

#============= systemd_localed_t ==============
allow systemd_localed_t unlabeled_t:file { getattr open read };

#============= systemd_logind_t ==============
allow systemd_logind_t unlabeled_t:file { getattr open read };

#============= xdm_t ==============
allow xdm_t unlabeled_t:file { getattr open read };


#### mod4.te ####

module mod4 1.0;

require {
	type initrc_t;
	type policykit_auth_t;
	type init_t;
	type chkpwd_t;
	type unconfined_service_t;
	type policykit_t;
	type user_devpts_t;
	class process { noatsecure rlimitinh siginh };
	class chr_file { read write };
}

#============= chkpwd_t ==============
allow chkpwd_t user_devpts_t:chr_file { read write };

#============= init_t ==============
allow init_t initrc_t:process siginh;
allow init_t unconfined_service_t:process siginh;

#============= policykit_t ==============
allow policykit_t policykit_auth_t:process { noatsecure rlimitinh siginh };


#### mod5.te ####

module mod5 1.0;

require {
	type chkpwd_t;
	type unconfined_t;
	type unlabeled_t;
	type xdm_t;
	class file { getattr open read };
	class process noatsecure;
}

#============= xdm_t ==============
allow xdm_t chkpwd_t:process noatsecure;
allow xdm_t unconfined_t:process noatsecure;

#!!!! This avc is allowed in the current policy
allow xdm_t unlabeled_t:file { getattr open read };


#### mod6.te ####

module mod6 1.0;

require {
	type rpm_var_lib_t;
	type xdm_t;
	type unlabeled_t;
	type init_t;
	type chkpwd_t;
	type unconfined_t;
	type abrt_t;
	class dir mounton;
	class process { noatsecure rlimitinh siginh };
	class file write;
}

#============= abrt_t ==============
allow abrt_t rpm_var_lib_t:file write;

#============= init_t ==============
allow init_t chkpwd_t:process siginh;
allow init_t unconfined_t:process siginh;
allow init_t unlabeled_t:dir mounton;

#============= xdm_t ==============

#!!!! This avc is allowed in the current policy
allow xdm_t chkpwd_t:process noatsecure;
allow xdm_t chkpwd_t:process { rlimitinh siginh };

#!!!! This avc is allowed in the current policy
allow xdm_t unconfined_t:process noatsecure;
allow xdm_t unconfined_t:process siginh;


#### mod8.te ####

module mod8 1.0;

require {
	type unlabeled_t;
	type groupadd_t;
	type useradd_t;
	class file read;
}

#============= groupadd_t ==============
allow groupadd_t unlabeled_t:file read;

#============= useradd_t ==============
allow useradd_t unlabeled_t:file read;


#### mod9.te ####

module mod9 1.0;

require {
	type session_dbusd_tmp_t;
	type systemd_logind_t;
	class sock_file unlink;
}

#============= systemd_logind_t ==============
allow systemd_logind_t session_dbusd_tmp_t:sock_file unlink;

/root/.bash_history is not at all a complete log of the image build.
FWIW, you can log all commands run as any user with auditd:

$ cat >> /etc/audit/audit.rules <<EOF

# Log all commands
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
EOF

$ cat >> /etc/audit/audit.rules <<EOF

# Log all commands run as root (effective UID=0)
-a exit,always -F arch=b32 -F euid=0 -S execve 
-a exit,always -F arch=b64 -F euid=0 -S execve 
EOF

I think -F b64 just works on aarch64, but haven't tested it yet:
https://github.com/linux-audit/audit-userspace/blob/4e03eb0c5c/lib/libaudit.c#L1316

$ man audit.rules
# [...]

 When you specify a syscall name, auditctl will look up the name and get
 its syscall number. This leads to some problems on bi-arch  machines.
 The  32  and  64  bit syscall  numbers sometimes, but not always, line
 up. So, to solve this problem, you would generally need to break the
 rule into 2 with one specify‐ing -F arch=b32 and the other specifying
 -F arch=b64. This needs to go in front of the -S option so that
 auditctl looks at the right  lookup  table when returning the number.

Boot config

Search terms:

• "Pinebook Pro"
• "pinebookpro"
• "rk3399"
• "evb-rk3399"
• "pbpro"
• "pbp"

Rockchip docs:

• http://opensource.rock-chips.com/wiki_Boot_option
• http://rockchip.wikidot.com/linux-user-guide > "Booting from SD card"
  • Is the Pinebook Pro an rk3399-excavator ?

fedora-arm-image-installer

https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer

• https://pagure.io/arm-image-installer/blob/master/f/socs.d/Rockchips-ARMv8

  # write uboot
  echo "= Writing idbloader.img for $TARGET .... on media $MEDIA"
  dd if=$PREFIX/usr/share/uboot/$TARGET/idbloader.img of=$MEDIA seek=64; sync; sleep 5
  echo "= Writing u-boot FIT image for $TARGET .... on media $MEDIA"
  dd if=$PREFIX/usr/share/uboot/$TARGET/u-boot.itb of=$MEDIA seek=16384; sync; sleep 5
  # set console for Rockchips
  SYSCON=ttyS2,1500000n8
  

• https://pagure.io/arm-image-installer/issue/52
  "Missing rock64 file in board.d directory."
• https://pagure.io/arm-image-installer/issue/42

  We don't currently support setting up any of the rk3399 devices via this tool. It's quite complex to do those devices. The process will likely be supported by a different tool. Patches or ideas as always are welcome.

how to dd u-boot for rk3399 devices

• Is there an already-built trust.img somewhere?
  • Is this necessary for pinebook pro? manjaro-arm-tools doesn't write a trust.img for pbpro
• http://opensource.rock-chips.com/wiki_Boot_option#Boot_from_SD.2FTF_Card

  For with SPL:

  dd if=idbloader.img of=sdb seek=64
  dd if=u-boot.itb of=sdb seek=16384
  dd if=boot.img of=sdb seek=32768
  dd if=rootfs.img of=sdb seek=262144
  

  For with miniloader:

  dd if=idbloader.img of=sdb seek=64
  dd if=uboot.img of=sdb seek=16384
  dd if=trust.img of=sdb seek=24576
  dd if=boot.img of=sdb seek=32768
  dd if=rootfs.img of=sdb seek=262144
  

manjaro-arm-tools

• "pbpro"
  • https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-tools/-/blob/90b49c55884a2c2945d32c86d80b599ca85cbd18/lib/functions.sh#L438
  • create_emmc_install()
  • create_img()
    • create partitions w/ parted
    • flash bootloader

pbp-uboot: U-Boot with Pinebook Pro support patches

"U-Boot with pinebook pro support patches"
https://git.eno.space/pbp-uboot.git

• (This is apparently what guix uses)

  • "[PATCH 0/2] Add initial Pinebook Pro support"
    https://issues.guix.gnu.org/issue/39617
    https://gitlab.com/janneke/guix/-/blob/wip-pinebook-pro/gnu/system/examples/pinebook-pro.tmpl

    Kernel args:

    ethaddr=${ethaddr} eth1addr=${eth1addr} serial=${serial#}
    video=HDMI-A-1:1920x1080@60 video=eDP-1:1920x1080@60 vga=current
    

    • http://opensource.rock-chips.com/wiki_Rockchip_Kernel
      • kernel args: earlycon=uart8250,mmio32,0xff1a0000
• Merge these into u-boot if appropriate? (4/29 sent an email to @anarsoul ) #
  • https://git.eno.space/pbp-uboot.git/tree/arch/arm/mach-rockchip/rk3399/Kconfig
  • https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399
  • https://git.eno.space/pbp-uboot.git/tree/configs/pinebook_pro-rk3399_defconfig
    • https://github.com/u-boot/u-boot/blob/master/configs/pinebook_pro-rk3399_defconfig
  • https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399/pinebook-pro-rk3399.c
    • https://github.com/u-boot/u-boot/blob/master/board/pine64/rockpro64_rk3399/rockpro64-rk3399.c
    • https://github.com/u-boot/u-boot/blob/master/board/rockchip/evb_rk3399/evb-rk3399.c
    • https://github.com/rockchip-linux/u-boot/blob/next-dev/board/rockchip/evb_rk3399/evb-rk3399.c

debian u-boot package

The debian u-boot changelog mentions "pinebookpro" and "rk3399":
https://launchpad.net/debian/+source/u-boot/2020.04+dfsg-2 :

  u-boot (2020.04+dfsg-2) unstable; urgency=medium

  * debian/patches:
    - Remove dreamplug cache patch, fixed upstream.
    - Add patches submitted upstream to support pinebook pro.
  * u-boot-rockchip:
    - Add support for rockpro64-rk3399.
    - Add support for pinebook-pro-rk3399.
    - Add u-boot-install-rockchip helper script.

-- Vagrant Cascadian <vagrant@debian.org>  Mon, 20 Apr 2020 19:34:37 -0700

• https://salsa.debian.org/debian/u-boot/-/tree/debian/master/debian/patches/pinebook-pro :

  0001-video-simple_panel-add-boe-nv140fhmn49-display.patch
  0002-dt-bindings-input-adopt-Linux-gpio-keys-binding-cons.patch
  0003-dt-bindings-leds-adopt-Linux-leds-common-binding-con.patch
  0004-arm-dts-rockchip-Add-initial-DT-for-Pinebook-Pro.patch
  0005-Add-initial-support-for-the-Pinebook-Pro-laptop-from.patch
  0006-drivers-video-rockchip-fix-building-eDP-and-LVDS-dri.patch
  

• https://salsa.debian.org/debian/u-boot/-/blob/master/debian/patches/pinebook-pro/0005-Add-initial-support-for-the-Pinebook-Pro-laptop-from.patch
• https://salsa.debian.org/debian/u-boot/-/blob/master/debian/bin/u-boot-install-rockchip
• https://salsa.debian.org/debian/u-boot/-/tree/master/arch/arm/mach-rockchip/rk3399
• https://salsa.debian.org/debian/u-boot/-/tree/master/board/rockchip/evb_rk3399
• https://salsa.debian.org/debian/u-boot/-/blob/master/board/pine64/rockpro64_rk3399/rockpro64-rk3399.c
  • Merge from the longer
    https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399/pinebook-pro-rk3399.c ?

fedora uboot-images-armv8

Source: https://apps.fedoraproject.org/packages/uboot-tools
Source: https://apps.fedoraproject.org/packages/uboot-images-armv8

Changelog: https://apps.fedoraproject.org/packages/uboot-images-armv8/changelog/ :

2020-04-20 - Peter Robinson <pbrobinson@fedoraproject.org> - 2020.04-2
- Fix ATF for new aarch64 devices
- Fix Wandboard board detection (rhbz 1825247)
- Fix mSD card on RockPro64
- Enable (inital) Pinebook Pro

Package Build Spec: https://apps.fedoraproject.org/packages/uboot-images-armv8/sources/spec/

pinebook-pro files in https://fedora.pkgs.org/32/fedora-aarch64/uboot-images-armv8-2020.04-2.fc32.noarch.rpm.html :

/usr/share/uboot/pinebook-pro-rk3399/idbloader.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot-dtb.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.bin
/usr/share/uboot/pinebook-pro-rk3399/u-boot.dtb
/usr/share/uboot/pinebook-pro-rk3399/u-boot.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.itb

rockchip U-Boot Custodian Tree

• https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip
• https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/blob/master/board/pine64/rockpro64_rk3399/rockpro64-rk3399.c
  • Merge from the apparently longer
    https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399/pinebook-pro-rk3399.c ?

rockchip-linux

https://github.com/rockchip-linux/u-boot/tree/next-dev/board/rockchip

• https://github.com/rockchip-linux/u-boot/blob/next-dev/board/rockchip/evb_rk3399/evb-rk3399.c

kernel args

ethaddr=${ethaddr} eth1addr=${eth1addr} serial=${serial#} 
video=HDMI-A-1:1920x1080@60 video=eDP-1:1920x1080@60 vga=current
earlycon=uart8250,mmio32,0xff1a0000
#maxcpus=4
#maxcpus=6

[westurner]

https://pagure.io/arm-image-installer/issue/52#comment-658679 suggests:

Had success installing F32 with the arm-image-installer using
sudo arm-image-installer --addconsole --addkey ~/.ssh/id_rsa.pub --relabel --resizefs --image=/opt/downloads/Pine64/Fedora-Minimal-32-1.6.aarch64.raw.xz --media=/dev/sdb --target=rock64-rk3328

However, I had to rename or create the board file
/usr/share/arm-image-installer/boards.d/rock64-rk3328

# write uboot
echo "= Writing idbloader.img for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/idbloader.img of=$MEDIA seek=64; sync; sleep 5
echo "= Writing u-boot FIT image for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/u-boot.itb of=$MEDIA seek=16384; sync; sleep 5
# set console for Rockchips
SYSCON=ttyS2,1500000n8

[westurner]

Wondering how much of these setup scripts can be used for the Pinebook Pro?
https://github.com/nikhiljha/pp-fedora-sdsetup

Is this script all that's specific to the PinePhone?
https://github.com/nikhiljha/pp-fedora-sdsetup/blob/master/phone-scripts/02-install-packages.sh

[bengtfredh]

I copy/paste together a script that is working. It is nice if somone can help testing.
https://github.com/bengtfredh/pinebook-pro-fedora-installer.git

[westurner]

Hey are those selinux modules (from fedora-pinebookpro-gnome-0.8.img.xz) that I inlined in
#5 (comment) from audit2allow?
Who could advise on these .pp policies for Fedora 33+?

[westurner]

https://github.com/major/stopdisablingselinux.com