- Aug 05, 2021
-
-
Andrei Gherzan authored
x-boot - boot
x-sys-a - sys-a
x-sys-b - sys-b
x-dev-data - devdata
x-sys-data - sysdata
x-app-data - appdata

Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
Our initial implementation defines the partition labels as follows:

x-boot
x-dev-data
x-sys-data
x-app-data

This was proven to be problematic in many ways. First of all, this needs to be treated with care as the associated systemd mount unit would need to escape the dashes. For example, "x-dev-data" would need to have a mount unit associated escaping this to "x\x2ddev\x2ddata". Secondly, the yocto version we are using (dunfell) has a bug where backslashes are not supported in SRC_URI[1]. This would require a workaround when using mount points with an escaped filename.

The easiest way forward would be to just not use dashes for the labels. In this way, we maintain consistency for the mountpoints (/mnt/<label>) without having to deal with all the above.

[1] https://bugzilla.yoctoproject.org/show_bug.cgi?id=8161

Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
The root b partition was initially set up using the assumption that a wic part configuration without fstype would leave the partition empty (no filesystem). Checking a bit deeper the wic implementation, that never worked as expected as the tool defaults to a vfat partition[1] (when no fstype is provided). Also, squashfs doesn't support an empty filesystem.

Given the above, we switch the second rootfs (B) to using the same content as the default one (A). This has an added advantage that we can test switching the root filesystem A-B without any additional operations.

[1] https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/scripts/lib/wic/ksparser.py?h=dunfell#n158

Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
This makes things cleaner and more consistent when the other partitions use variables like: SYSDATA_PARTITION_SIZE APPDATA_PARTITION_SIZE etc. Keep this change consistent on the wic files too. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Amit Kucheria authored
Cleanup description and let PROVIDES default to PN Signed-off-by:
Amit Kucheria <amit.kucheria.ext@huawei.com>
-
- Aug 04, 2021
-
-
Andrei Gherzan authored
The build `make` metadata tracks sysroot dependencies as files suitable for `make` to get the dependencies of the main source file. This is done with a combination of preprocessor options: -MD and -MF. These files are suffixed `.d`.

When these files are generated with paths that include the version of the dependency, later dependency version bumps will invalidate these paths as the sysroot gets regenerated. For example, gcc headers file stdbool.h is defined as the dependency to:

[BUILD]/tmp/work/stm32mp1_av96-poky-linux-musleabi/optee-os-stm32mp/3.12.0.r1-r0/recipe-sysroot-native/usr/lib/arm-poky-linux-musleabi/gcc/arm-poky-linux-musleabi/11.1.1/include/stdbool.h

This includes the gcc version 11.1.1 in its path. When gcc is upgraded, sysroot is regenerated, configure and compile retriggered but compile will reuse the generated `.d` file from the old gcc version, hence failing to find the header mentioned above (as the gcc version changed).

This recipe uses an out-of-tree build so the easiest and most effective fix is to just clean B once configure is triggered (retriggered). This will force make to regenerate the dependency files as per the new paths in the sysroot (assuming a sysroot update).

Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
- Aug 02, 2021
-
-
Bernhard Rosenkränzer authored
Document how to wire the breadboards for the door lock blueprint Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
- Jul 30, 2021
-
-
This is a backport of openembedded-core commit b4bc29cf19d811c0ec948dbe69c0bc79fe31e0e8:

Source: https://sourceware.org/git/glibc.git
Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=27896

Backported upstream commit 42d359350510506b87101cf77202fefcbfc790cb to glibc-2.33 source with dependent commit id 217b6dc298156bdb0d6aea9ea93e7e394a5ff091.

Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]

Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
- Jul 29, 2021
-
-
Bernhard Rosenkränzer authored
Update to gcc 11.2. This is a bugfix release and shouldn't cause any problems. Drop patches that have been merged upstream. Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
- Jul 27, 2021
-
-
Stefan Schmidt authored
Clarify the image name we use for the blueprint as well as the used distro config. Signed-off-by:
Stefan Schmidt <stefan.schmidt@huawei.com>
-
Stefan Schmidt authored
This is a first stab at documenting the network properties used in the gateway blueprint. It reflects the current status and needs to be kept in sync with changes. Fixes: https://git.ostc-eu.org/OSTC/planning/core-os/-/issues/201 Signed-off-by:
Stefan Schmidt <stefan.schmidt@huawei.com>
-
Stefan Schmidt authored
Without the extra empty line the formatting for the numbered would not kick in. Signed-off-by:
Stefan Schmidt <stefan.schmidt@huawei.com>
-
- Jul 26, 2021
-
-
Marta Rybczynska authored
Update the Linux kernel recipe to the 5.10.52 version from OE [1], log available from [2].

[1] 9cec9a92c3e8451d1b9875e97e63c24543a6f787
[2] https://git.openembedded.org/openembedded-core/commit/meta/recipes-kernel/linux/linux-yocto_5.10.bb?id=9cec9a92c3e8451d1b9875e97e63c24543a6f787

Signed-off-by:
Marta Rybczynska <marta.rybczynska@huawei.com>
-
- Jul 23, 2021
-
-
Compilers and related utils are better restricted on production platforms. Change permissions of all installed binutils tools to remove access from users outside of the root group. Signed-off-by:
Marta Rybczynska <marta.rybczynska@huawei.com>
-
- Jul 22, 2021
-
-
Bernhard Rosenkränzer authored
Add meta-riscv to bblayers.conf.sample to enable RISC-V support in all ASOS builds Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
- Jul 21, 2021
-
-
Bernhard Rosenkränzer authored
Use binutils 2.37 by default in allscenarios-linux Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
Bernhard Rosenkränzer authored
Update binutils to 2.37 -- it brings many improvements, including some needed to get a working RISC-V 32 toolchain. Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
- Jul 20, 2021
-
-
Marta Rybczynska authored
It is a good practice to timeout the shell if no activity. Add a timeout to the /etc/profile* settings in a separate script. Signed-off-by:
Marta Rybczynska <marta.rybczynska@huawei.com>
-
Marta Rybczynska authored
Remove the hardening distro requirement from the recipe, we do not want to rename our distro and this feature is useful in all cases. One thing that needs to be added is setting up the password min/max age, and the minimum password length. Signed-off-by:
Marta Rybczynska <marta.rybczynska@huawei.com>
-
- Jul 19, 2021
-
-
The append in the meta-security layer works for a "harden" distro only. We remove this limit as we do want it by default and we do not want to rename our distro. A discussion on the mailing list [1] mentions that we might get DISTRO_FEATURE in the future.

[1] https://patchwork.openembedded.org/patch/174773/

Signed-off-by:
Marta Rybczynska <marta.rybczynska@huawei.com>
-
Backports the recipes of the meta-hardening layer from meta-security in hardknott, synced up to 5050d1267ad41288c903086030594f8702bfa039

It includes recipes for hardening base-files (/etc/profile) and shadow (/etc/login.defs).

Signed-off-by:
Marta Rybczynska <marta.rybczynska@huawei.com>
-
Marta Rybczynska authored
We do not use NFS in the image, nor in any of the blueprints. An unused service is a potential security issue, so we remove it.

In addition to expected DISTRO_FEATURES/IMAGE_FEATURES, we need to remove a dependency to the packagegroup-core-device-devel that includes nfs. This package is included in poky.conf for all qemu builds, but is not needed and has been removed from Poky [1] in August 2020.

[1] https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=d707fa30f8a24d1e50831846330757254f245791

Signed-off-by:
Marta Rybczynska <marta.rybczynska@huawei.com>
-
- Jul 16, 2021
-
-
Andrei Gherzan authored
The default configuration for the rootfs is now read-only. The ro argument is injected through APPEND in read-only-rootfs hooks so all we need to do is to drop `rw`. We also let rootfstype be defined dynamically so we can support multiple configuration in the future. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
Default configuration uses `rw`. We default now to read-only root filesystems so we switch the argument accordingly. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
This can help in development to play with deltas on squashfs images. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
The change also maintains support for ext4 so that in the future we can expose a development mode where rootfs is ro but on ext4. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
The root filesystem defaults to squashfs. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
The root filesystem defaults to squashfs. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
The root filesystem defaults to squashfs. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
The root filesystem defaults to squashfs. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
Andrei Gherzan authored
The root filesystem defaults to squashfs. Signed-off-by:
Andrei Gherzan <andrei.gherzan@huawei.com>
-
- Jul 14, 2021
-
-
Bernhard Rosenkränzer authored
On x86-64, tm.h (needed to build gcc plugins) tries to include config/i386/linux64.h, which isn't installed. Fortunately it also isn't used, so simply removing the include statement is an ok fix. Sample failure see https://git.ostc-eu.org/OSTC/OHOS/meta-ohos/-/jobs/43762 Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
Bernhard Rosenkränzer authored
Document and add gcc plugin based hardening options Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
Bernhard Rosenkränzer authored
Fix building the kernel's gcc plugins with gcc 11.x - gcc 11.x needs constexpr (hence -std=gnu++11 or higher), and the check for gcc plugin support needs modifications (or simple disabling, given in our context, we know gcc has plugin support). Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
- Jul 13, 2021
-
-
Bernhard Rosenkränzer authored
Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
Bernhard Rosenkränzer authored
Backport musl 1.2.2 from poky master. This is in sync with commit 4da1e8091ea0a57209519f0a4755d06aa108f439

musl 1.2.2 brings, among other things, a number of important bugfixes and a much better malloc implementation.

Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-
Use glibc 2.33 from meta-ohos instead of 2.31 from dunfell Signed-off-by:
Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
-