Kirkstone: backport main changes #1543
Merged
Conversation
Simplify the Secure Boot key provisioning process by adding a systemd-boot entry which uses the efitools EFI program "LockDown.efi".
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit c23ebb7)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Automount[1] the boot partition to minimize vfat partition corruption risks. This mounts the partition on demand and unmounts after use.
[1] https://www.freedesktop.org/software/systemd/man/latest/systemd.automount.html#
Signed-off-by: Vanessa Maegima <vanessa.maegima@foundries.io>
(cherry picked from commit 52eadde)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Drop unneeded variable assignments as they don't make sense (the variable is assigned to its value).
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
(cherry picked from commit 14b1840)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Store stable boot firmware version in "fiovb.bootfirmware_version", and use "bootfirmware_version" only as a temporary storage for a target boot firmware version.
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
(cherry picked from commit 47083a3)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
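The on-demand mounting described in the commit above, as an added example that is not part of this pull request or of the meta-lmp project: a systemd mount/automount unit pair for the boot partition. The partition label, the umask and the idle timeout are assumptions; the unit names must match the `Where=` path (here `/boot`), which is why both files are called `boot.*`.

```ini
# /etc/systemd/system/boot.mount  (example, not project code)
# The mount unit itself stays disabled; the automount unit below
# triggers it on first access to /boot.
[Unit]
Description=Boot partition (vfat), mounted on demand

[Mount]
# Assumed partition label; adjust to the image's actual ESP/boot label.
What=/dev/disk/by-partlabel/boot
Where=/boot
Type=vfat
# Assumed: keep the FAT filesystem unreadable to unprivileged users.
Options=umask=0077

# /etc/systemd/system/boot.automount  (example, not project code)
[Unit]
Description=Automount for /boot

[Automount]
Where=/boot
# Assumed idle timeout: unmount 60 s after the last access, so the vfat
# filesystem is not left mounted (and exposed to corruption on power loss).
TimeoutIdleSec=60

[Install]
WantedBy=multi-user.target
```

Enable only the automount unit (`systemctl enable --now boot.automount`); `/boot` must not also be listed as a plain entry in `/etc/fstab`, or the static mount will defeat the on-demand behaviour. The fstab equivalent is the `x-systemd.automount,x-systemd.idle-timeout=60` option pair. `systemctl status boot.automount` shows whether the path is currently mounted or waiting.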
angolini reviewed on Nov 21, 2024 (comments, now outdated and resolved, on):
- meta-lmp-base/recipes-bsp/u-boot/u-boot-ostree-scr-fit/boot-header.cmd.in
- meta-lmp-base/recipes-sota/custom-sota-client/custom-sota-client_git.bb
- meta-lmp-bsp/conf/machine/include/lmp-mfgtool-machine-custom.inc
angolini requested review from a team, Tim-Anderson, vanmaegima and caiotpereira on November 21, 2024 18:21
vanmaegima reviewed on Nov 21, 2024:
From CS perspective:
- removing jailhouse should be fine as it's already removed from Factory creation and active customers are not using it (we should just document as an Attention Point for the Migration)
- changes in BRANCH/SRCREV need to be double checked as Daiane pointed out
- UEFI provision changes look good
- SOTA client changes look good
quaresmajose force-pushed the kirkstone branch from da05a7e to 2b7f5b8 on November 22, 2024 10:02
Report errors during secure boot sign and verify.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 2e5e792)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
(cherry picked from commit fbcf51d)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
(cherry picked from commit eb7b3a2)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
(cherry picked from commit f92130d)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

This allows us to reduce maintenance and testing effort. If necessary, it can be added at the customer's factory.
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
(cherry picked from commit 73ab71f)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Generate a specular file (unlock) to the provisioning one.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 026661d)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Use efivar to access uefi variables in a standard way.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 352caf1)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Add support for a CI encrypted rootfs USB installer.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 2445ef2)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Using efivar --print-decimal returns an integer.
Fixes: 352caf1 ("base: initramfs-framework: refactor access to UEFI variables")
Fixes: 2445ef2 ("base: init-install-efi: installer: support encrypted rootfs")
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 604223e)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Fix the current implementation where the passphrase is not being propagated. Users can now request their own passphrases for CI luks encryption.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 1c4ae75)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Systemd-boot will display its menu by alphabetically iterating the different configuration files. This commit makes sure that the secure boot menus (provision/revocation) are displayed next to each other for a more structured screen.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 3d03807)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

The UEFI key revocation tool requires the user to provide the keys that need to be revoked. If the keys are not provided, the userspace tools built by this recipe will still be deployed.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit fcd7286)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

Instead of raising a Python exception, we can verify that all required keys are present and provide a helpful error message if any are missing.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
(cherry picked from commit a135ad2)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

On the first boot, systemd-boot 250.4 defaults to the last element on the display list. Make the OSTree deployment the last (alphabetically sorted).
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
(cherry picked from commit 129b261)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
quaresmajose force-pushed the kirkstone branch from 2b7f5b8 to 2d532d0 on November 22, 2024 10:03
I dropped these changes

right, so I also drop it
ricardosalveti approved these changes on Nov 22, 2024:
LGTM
angolini approved these changes on Nov 22, 2024
backport some changes from main tip add24ec