Kirkstone: backport main changes#1543
Merged
quaresmajose merged 19 commits intofoundriesio:kirkstonefrom Nov 25, 2024
Merged
Conversation
Simplify the Secure Boot key provisioning process by adding a systemd-boot entry wich uses the efitools EFI program "LockDown.efi". Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit c23ebb7) Signed-off-by: Jose Quaresma <[email protected]>
Automount[1] the boot partition to minimize vfat partition corruption risks. This mounts the partition on demand and unmounts after use. [1] https://www.freedesktop.org/software/systemd/man/latest/systemd.automount.html# Signed-off-by: Vanessa Maegima <[email protected]> (cherry picked from commit 52eadde) Signed-off-by: Jose Quaresma <[email protected]>
Drop unneeded variable assigments as they don't make sense (the variable is assigned to its value). Signed-off-by: Igor Opaniuk <[email protected]> (cherry picked from commit 14b1840) Signed-off-by: Jose Quaresma <[email protected]>
Store stable boot firmware version in "fiovb.bootfirmware_version", and use "bootfirmware_version" only as a temporary storage for a target boot firmware version Signed-off-by: Igor Opaniuk <[email protected]> (cherry picked from commit 47083a3) Signed-off-by: Jose Quaresma <[email protected]>
angolini
reviewed
Nov 21, 2024
angolini
requested review from
a team,
Tim-Anderson,
caiotpereira and
vanmaegima
vanmaegima
reviewed
Nov 21, 2024
Member
vanmaegima
left a comment
vanmaegima
left a comment
There was a problem hiding this comment.
From CS perspective:
- removing jailhouse should be fine as it's already removed from Factory creation and active customers are not using it (we should just document as an Attention Point for the Migration)
- changes in BRANCH/SRCREV need to be double checked as Daiane pointed out
- UEFI provision changes look good
- SOTA client changes look good
Member
quaresmajose
force-pushed
the
kirkstone
branch
from
da05a7e to
2b7f5b8
Compare
Report errors during secure boot sign and verify. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 2e5e792) Signed-off-by: Jose Quaresma <[email protected]>
Signed-off-by: Jose Quaresma <[email protected]> (cherry picked from commit fbcf51d) Signed-off-by: Jose Quaresma <[email protected]>
Signed-off-by: Jose Quaresma <[email protected]> (cherry picked from commit eb7b3a2) Signed-off-by: Jose Quaresma <[email protected]>
Signed-off-by: Jose Quaresma <[email protected]> (cherry picked from commit f92130d) Signed-off-by: Jose Quaresma <[email protected]>
This allows us to reduce maintenance and testing effort. If necessary, it can be added at the customer's factory. Signed-off-by: Jose Quaresma <[email protected]> (cherry picked from commit 73ab71f) Signed-off-by: Jose Quaresma <[email protected]>
Generate a specular file (unlock) to the provisioning one. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 026661d) Signed-off-by: Jose Quaresma <[email protected]>
Use efivar to access uefi variables in a standard way. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 352caf1) Signed-off-by: Jose Quaresma <[email protected]>
Add support for a CI encrypted rootfs USB installer. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 2445ef2) Signed-off-by: Jose Quaresma <[email protected]>
Using efivar --print-decimal returns an integer. Fixes: 352caf1 ("base: initramfs-framework: refactor access to UEFI variables") Fixes: 2445ef2 ("base: init-install-efi: installer: support encrypted rootfs") Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 604223e) Signed-off-by: Jose Quaresma <[email protected]>
Fix the current implementation where the passphrase is not being propagated. Users can now request their own passphrases for CI luks encryption. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 1c4ae75) Signed-off-by: Jose Quaresma <[email protected]>
Systemd-boot will display its menu by alphabetically iterating the different configuration files. This commit makes sure that the secure boot menus (provision/revocation) are displayed next to each other for a more structured screen. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 3d03807) Signed-off-by: Jose Quaresma <[email protected]>
The UEFI key revocation tool requires the user to provide the keys that need to be revoked. If the keys are not provided, the userspace tools built by this recipe will still be deployed. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit fcd7286) Signed-off-by: Jose Quaresma <[email protected]>
Instead of raising a Python exception, we can verify that all required keys are present and provide a helpful error message if any are missing. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Jose Quaresma <[email protected]> (cherry picked from commit a135ad2) Signed-off-by: Jose Quaresma <[email protected]>
On the first boot, systemd-boot 250.4 defaults to the last element on the display list. Make the OSTree deployment the last (alphabetically sorted) Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> (cherry picked from commit 129b261) Signed-off-by: Jose Quaresma <[email protected]>
Fix the path to the combo (tfa+fip) image ('s/arm-trusted-firmware/fip/g').
Fixes: 5413f74 ("bsp: tf-a-fio-st: create combo images for eval board")
Signed-off-by: Igor Opaniuk <[email protected]>
(cherry picked from commit d6b9d3f)
Signed-off-by: Jose Quaresma <[email protected]>
quaresmajose
force-pushed
the
kirkstone
branch
from
2b7f5b8 to
2d532d0
Compare
Member
Author
I dropped these changes
|
Member
Author
I dropped these changes
right, so I also drop it |
angolini
approved these changes
Nov 22, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
backport some changes from main tip add24ec