This should be addressed to the maintainers of meta-secure-core, that is, Jia.

Openembedded/Yocto in general does not define or test OS upgrades.

You can also start looking into the failure you're getting from here:
https://github.com/rpm-software-management/rpm/blob/master/plugins/ima.c

Alex

On Sun, 16 Feb 2020 at 22:21, Muhlenkamp, Lewis <[email protected]> wrote:

> Hello,
>
> I’ve been trying to get the security stuff in meta-secure-core working so
> I can upgrade from one version of the OS I’m creating, right now called
> LewisOS, to a new version, just by being able to run “rpm -U” or “dnf
> upgrade” commands. I can run “dnf upgrade” successfully against non-kernel
> related packages, but the kernel, initramfs and systemd-boot RPMs always
> fail with the same error, no matter what I try.
>
> I am using Zeus for my builds. I am using an older commit for LewisOS
> version X, 8a518a2054bdd349d7661ee4872590fc8750313f, dated 2019 Dec 30, of
> the meta-secure-core GIT repo. I am using
> 8302e3c479154157667e22e9d7c5461c966b4586, dated 2020 Jan 19, of the
> meta-secure-core GIT repo for LewisOS version Y.
>
> My machine is intel-corei7-64.
>
> I’ll just stick with the systemd-boot RPM for this email. LewisOS version X
> installs systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common. LewisOS
> version Y contains systemd-boot-243.2-r0.corei7_64_intel_common. When I
> try to upgrade systemd-boot, I get the following error message:
>
> === Start upgrade messages ===
> root@intel-corei7-64:/var/opt/repos/os# rpm -q systemd-boot
> systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common
> root@intel-corei7-64:/var/opt/repos/os# rpm -qp systemd-boot-243.2-r0.corei7_64_intel_common.rpm
> systemd-boot-243.2-r0.corei7_64_intel_common
> root@intel-corei7-64:/var/opt/repos/os# rpm -Uhv systemd-boot-243.2-r0.corei7_64_intel_common.rpm
> Verifying…                          ######################################## [100%]
> Preparing…                          ######################################## [100%]
> Updating / installing…
>    1:systemd-boot-243.2-r0           ######################################## [ 50%]
> error: ima: could not apply signature on ‘/boot/EFI/BOOT/bootx64.efi;5e49ad05’: Operation not supported
> error: Plugin ima: hook fsm_file_prepare failed
> error: unpacking of archive failed on file /boot/EFI/BOOT/bootx64.efi;5e49ad05: cpio: (error 0x2)
> error: systemd-boot-243.2-r0.corei7_64_intel_common: install failed
> error: systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common: erase skipped
> === End upgrade messages ===
>
> The above error messages also appear when I try updating
> kernel-image-bzimage, kernel-initramfs and systemd-bootconf.
>
> I have the following in my bblayers.conf file:
>
> === Start bblayers.conf ===
> # LAYER_CONF_VERSION is increased each time build/conf/bblayers.conf
> # changes incompatibly
> LCONF_VERSION = "7"
>
> BBPATH = "${TOPDIR}"
> BBFILES ?= ""
>
> BBLAYERS ?= " \
>   ${HOME}/meta-stryker/meta-lewisos-distro \
>   ${HOME}/meta-stryker/meta-lewisos-common \
>   ${HOME}/meta-stryker/meta-lewisos-edge \
>   ${HOME}/oe-core/meta \
>   ${HOME}/meta-openembedded/meta-python \
>   ${HOME}/meta-openembedded/meta-perl \
>   ${HOME}/meta-openembedded/meta-filesystems \
>   ${HOME}/meta-openembedded/meta-oe \
>   ${HOME}/meta-openembedded/meta-networking \
>   ${HOME}/meta-openembedded/meta-webserver \
>   ${HOME}/meta-intel \
>   ${HOME}/meta-virtualization \
>   ${HOME}/meta-cloud-services \
>   ${HOME}/meta-cloud-services/meta-openstack \
>   ${HOME}/meta-secure-core/meta \
>   ${HOME}/meta-secure-core/meta-signing-key \
>   ${HOME}/meta-secure-core/meta-tpm \
>   ${HOME}/meta-secure-core/meta-tpm2 \
>   ${HOME}/meta-secure-core/meta-efi-secure-boot \
>   ${HOME}/meta-secure-core/meta-integrity \
>   ${HOME}/meta-secure-core/meta-encrypted-storage \
>   ${HOME}/meta-secure-core/meta-ids \
>   ${HOME}/meta-secure-core/meta-intel-sgx \
>   "
> === End bblayers.conf ===
>
> Here is my local.conf file
>
> === Start local.conf ===
> MACHINE ?= "intel-corei7-64"
> DL_DIR ?= "/var/opt/openembedded-linux/downloads"
> SSTATE_DIR ?= "/var/opt/openembedded-linux/sstate-cache"
> PACKAGE_CLASSES ?= "package_rpm"
>
> # Extra image configuration defaults
> #
> # The EXTRA_IMAGE_FEATURES variable allows extra packages to be added to the generated
> # images.
> # There are other application targets that can be used here too, see
> # meta/classes/image.bbclass and meta/classes/core-image.bbclass for more details.
> # We default to enabling the debugging tweaks.
> EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
>
> USER_CLASSES ?= "buildstats image-mklibs image-prelink"
> PATCHRESOLVE = "noop"
> BB_DISKMON_DIRS ??= "\
>     STOPTASKS,${TMPDIR},1G,100K \
>     STOPTASKS,${DL_DIR},1G,100K \
>     STOPTASKS,${SSTATE_DIR},1G,100K \
>     STOPTASKS,/tmp,100M,100K \
>     ABORT,${TMPDIR},100M,1K \
>     ABORT,${DL_DIR},100M,1K \
>     ABORT,${SSTATE_DIR},100M,1K \
>     ABORT,/tmp,10M,1K"
>
> PACKAGECONFIG_append_pn-qemu-native = " sdl"
> PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
> CONF_VERSION = "1"
>
> DISTRO = "lewisos"
>
> # The following 2 lines are to generate an ISO.
> IMAGE_FSTYPES += "live"
> NOISO = "0"
>
> # The following line is needed to help address issues with updating the OS.
> # It prevents a lot of messages regarding file/directory ownership issues.
> DIRFILES = "1"
>
> # The BBMASK directive below is to prevent the kernel-initramfs.bbappend
> # from meta-secure-core from being used. We have customized the bb file.
> # So, don't want any changes to it.
> BBMASK += "meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend"
>
> # INITRAMFS_IMAGE must be defined here. It cannot be defined in an image
> # recipe. If it is only defined in an image recipe, the build fails to
> # sign packages.
> INITRAMFS_IMAGE = "secure-core-image-initramfs"
>
> # Similarly, the kernel-image-bzimage must be defined here. When it was
> # set in the image recipe, got complaints about no buildable providers.
> # Weird.
> IMAGE_INSTALL += "kernel-image-bzimage"
>
> # These DISTRO_FEATURES must remain here. When I tried to put them into
> # the lewisos.conf distro configuration file, the build of the stryker-edge
> # image failed. Got old errors. Apparently some of the bbappends were
> # not picked up properly when these were defined in the distro config
> # file. Not sure why.
> DISTRO_FEATURES_NATIVE_append += "systemd ima tpm tpm2 efi-secure-boot luks"
> DISTRO_FEATURES_append += "systemd ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"
>
> MACHINE_FEATURES_NATIVE_append += "efi"
> MACHINE_FEATURES_append += "efi"
> DEBUG_FLAGS_forcevariable = ""
> USER_CLASSES_remove = "image-prelink"
> === End local.conf ===
>
> Here is my lewisos.conf distro configuration file.
>
> === Start lewisos.conf ===
> # Lewisos distribution configuration file
> DISTRO = "lewisos"
> DISTRO_NAME = "Lewis test distribution"
> DISTRO_VERSION = "0.1.3-ou"
> MAINTAINER = "[email protected]"
>
> IMAGE_VERSION_SUFFIX = "-${DISTRO_VERSION}"
>
> # Want to use systemd as the init manager
> DISTRO_FEATURES_append = " systemd"
> VIRTUAL-RUNTIME_init_manager = "systemd"
> VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
>
> # Need virtualization
> DISTRO_FEATURES_append = " virtualization"
>
> # Add support for wireless
> DISTRO_FEATURES_append = " wifi"
>
> # Add support for disk encryption, secure boot and access to TPM
> # Needed for both the product build, and for native
> # From the meta-secure-core layer
> # DISTRO_FEATURES_append = " ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"
> # DISTRO_FEATURES_NATIVE_append = " ima tpm tpm2 efi-secure-boot luks"
>
> # Remove undesirable features
> DISTRO_FEATURES_BACKFILL_CONSIDERED += "nfs"
> DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
> DISTRO_FEATURES_BACKFILL_CONSIDERED += "zeroconf"
>
> # Set up for signing RPMs
> # Inherit the sign_rpm_ext and user-key-store classes from the meta-secure-core
> # layer. They provide some additional functionality.
> # If not using the meta-secure-core layer, uncomment the sign_rpm line and
> # comment out the sign_rpm_ext and user-key-store lines.
> # INHERIT += "sign_rpm"
> INHERIT += "sign_rpm_ext"
> INHERIT += "user-key-store"
>
> # NOTE: The two RPM_GPG lines cannot have spaces in their values. It causes
> # the build to fail since the scripts cannot handle the space.
> RPM_GPG_NAME = "xxxxxxxx"
> RPM_GPG_PASSPHRASE = "yyyyyyyy"
> === End lewisos.conf ===
>
> And here is my bbappend for linux-intel
>
> === Start linux-intel_%.bbappend ===
> FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> SRC_URI += "file://kernel_baseline.scc"
> KERNEL_IMAGEDEST = "boot/${DISTRO}-${DISTRO_VERSION}"
>
> FILES_kernel-image-bzimage = "/boot/${PV}/bzImage-${KERNEL_VERSION_NAME}"
>
> python do_package_prepend () {
>     os.remove(d.getVar('D') + '/' + d.getVar('KERNEL_IMAGEDEST') + '/bzImage')
> }
>
> require recipes-kernel/linux/linux-yocto-integrity.inc
> === End linux-intel_%.bbappend ===
>
> I’m removing symbolic links and putting the kernel and initramfs in
> version-specific directories because the /boot partition is vfat, which
> doesn’t support symbolic links, and if I kept the names as something like
> bzImage, then “dnf upgrade” would complain about multiple RPMs trying to
> own the same file.
>
> What am I missing? Where did I make a mistake? Does the
> meta-secure-core, or Openembedded/Yocto in general, support upgrading from
> version X to version Y of an OS using just some command like “dnf upgrade”?
>
> If you need more information, please let me know.
>
> As one last piece of info, if I remove “ima” from DISTRO_FEATURES, the
> build hangs when trying to sign the RPMs.
>
> Thank you
>
> Lewis Muhlenkamp
>
> Follow this link to read our Privacy Statement
> <https://www.stryker.com/content/stryker/gb/en/legal/global-policy-statement.html/>
> --
> _______________________________________________
> Openembedded-core mailing list
> [email protected]
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#6380): https://lists.yoctoproject.org/g/meta-intel/message/6380
Mute This Topic: https://lists.yoctoproject.org/mt/71344392/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/meta-intel/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
