[next] Add measured boot support to NILRT x64 #1018
Add TPM utilities to all NILRT images via the ni-base packagegroup, and re-add the security-tpm2 packagegroup from OE upstream to the ni-tpm packagegroup. We cannot use the whole ni-tpm packagegroup in -base because pkggrp-security-tpm2 depends upon python3, which is only installed in the runmode image. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The new runmode initramfs needs an init system (PID 1). Build it into the core feed so that it is represented in our SBOMs and packaging infrastructure. But do not add it to a packagegroup so that it doesn't get accidentally installed by a user with something else. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
* Add section headers to script for clarity. * Re-order some constants for clarity. No functional changes intended. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Rename the 'arch' variable 'ARCH' to be more consistent with other variables that are not populated by the user. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Udev will populate the /dev/disks/* directories with symlinks to devices based on their properties - including label. Using this tree to find the `nirootfs` partition is more straightforward than using `lsblk` comprehension and also works when `nirootfs` is a device-mapped partition via LUKS or LVM. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
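The by-label lookup this commit describes, as an added POSIX sh example that is not the PR's own code: `find_dev_by_label` resolves a filesystem label through udev's `/dev/disk/by-label` symlink tree and prints the canonical device behind it, `device_kind` reports whether that device is a plain partition or a device-mapper target (which is what a LUKS- or LVM-backed `nirootfs` resolves to), and `build_fixture` constructs a fake `/dev` tree so the lookup can be exercised offline. The tree root being a parameter, and all three function names, are assumptions of this example, not names from the page.

```shell
#!/bin/sh
# Added example (not part of the PR): locate a partition by filesystem label
# through udev's /dev/disk/by-label symlink tree instead of parsing lsblk.
# The tree root is a parameter (assumption) so the lookup can be exercised
# against a constructed directory; on a real target it defaults to /dev.

# find_dev_by_label LABEL [DEV_TREE]
# Prints the canonical device path behind DEV_TREE/disk/by-label/LABEL, or
# returns 1 when udev has not created a symlink for that label.
find_dev_by_label() {
    label="$1"
    tree="${2:-/dev}"
    link="$tree/disk/by-label/$label"
    [ -L "$link" ] || return 1
    readlink -f "$link"
}

# device_kind DEVPATH
# Reports whether a resolved device is a plain partition or a device-mapper
# target (a LUKS- or LVM-backed rootfs resolves to /dev/dm-N).
device_kind() {
    case "$1" in
        */dm-[0-9]*|*/mapper/*) echo device-mapper ;;
        *) echo plain ;;
    esac
}

# build_fixture
# Creates a constructed /dev-like tree and prints its root: 'niconfig' on a
# plain partition and 'nirootfs' on a device-mapper device, linked the way
# udev links them (relative symlinks pointing back into the dev directory).
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/dev/disk/by-label"
    : > "$root/dev/sda3"
    : > "$root/dev/dm-0"
    ln -s ../../sda3 "$root/dev/disk/by-label/niconfig"
    ln -s ../../dm-0 "$root/dev/disk/by-label/nirootfs"
    echo "$root"
}

# Stand-alone demo on the constructed tree: one plain partition, one
# device-mapper device, and a label udev never tagged.
fx=$(build_fixture)
for lbl in niconfig nirootfs missing; do
    if dev=$(find_dev_by_label "$lbl" "$fx/dev"); then
        echo "$lbl -> $dev ($(device_kind "$dev"))"
    else
        echo "$lbl: no by-label symlink (udev has not tagged it)"
    fi
done
rm -rf "$fx"
```

udev escapes characters that are not path-safe when it creates these links (a space in a label becomes `\x20`), so a label taken from user input needs the same escaping before lookup; `nirootfs` and `niconfig` need none. The lookup also only succeeds once udev has processed the device, so a caller running early in boot should be prepared to wait (for example with `udevadm settle`) before treating a missing link as a missing partition.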
* Move the source files into a named directory, to prepare for expanding their structure. * Reorder the recipe file to comply with the layer styleguide. * Add recipe headers for clarity. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The recipe RDEPENDS are split between assignments for no apparent reason, combine them for clarity. The main package FILES variable assigns standard file paths for no apparent reason, remove the duplicate entries for clarity. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Add a minimal Makefile implementation to nisystemformat, so that it is easier to build and test changes on real targets. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Some of the nisystemformat usage text contains options which are not actually parsed or used. Remove them for correctness and clarity. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The ``nisystemformat`` main script is very large and difficult to follow. Break out its functionality into supporting shell libraries, which are sourced by the main file. Also revitalize the main (safemode) usage information in preparation for future extension. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The nisystemformat usage and command validation code has accumulated technical cruft from the aborted RAUC implementation. And it presents three different usage documentations, depending on which mode you are booted into - even though the actual code is the same behind the docs. * For clarity, collapse the three usage texts into one, more manageable document. * Move the ``set_mode`` function to usage.sh, where it is primarily used. * Fix some incorrect validation text about a non-existent "-v" option. * Move the non-RAUC filesystem type validation out into the main nisystemformat script for now - since that is where the ``supported_fstypes`` information is. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The aborted RAUC content is cluttering up the nisystemformat script. Remove it for clarity. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Move the netconfig-related content into its own library, for clarity. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The EXITCODES variable is declared read-only, which means that bash will throw a warning if a script tries to import it twice, including through another import. We could defend against that case by checking if it has already been declared and then skipping redefinition. But it might be reasonable to change/overwrite the EXITCODES during script execution (if the script changes personality). So instead, just make it mutable. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Break out the nisystemformat 'format' command functions into their own library, for clarity. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Adjust the format.sh functions to make them a little more readable. Use a trap to handle service restarts to ensure that we always attempt it in case of a failure. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
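The trap-based restart this commit describes, as an added POSIX sh example rather than the PR's format.sh: `with_services_stopped` stops the named services, runs one formatting step, and arms an EXIT trap inside a subshell so the restart runs whether the step succeeds, the step fails, or a stop itself fails. Services are simulated with marker files under `SVC_STATE_DIR` (a constructed stand-in for `/etc/init.d/<service> stop|start`); every function name here is an assumption of the example, not a name from the PR.

```shell
#!/bin/sh
# Added example (not the PR's format.sh): stop services around a formatting
# step and guarantee the restart is attempted even when the step fails, by
# arming an EXIT trap inside a subshell. Services are simulated with marker
# files under SVC_STATE_DIR (constructed); a real script would invoke
# /etc/init.d/<service> stop|start where svc_stop/svc_start are called.

: "${SVC_STATE_DIR:=$(mktemp -d)}"
trap 'rm -rf "$SVC_STATE_DIR"' EXIT

svc_stop()  { echo stopped > "$SVC_STATE_DIR/$1"; }
svc_start() { echo running > "$SVC_STATE_DIR/$1"; }
svc_state() { cat "$SVC_STATE_DIR/$1" 2>/dev/null || echo unknown; }

# restart_services SVC...
# Restarts every listed service and reports any that fail; one failure does
# not stop the others from being attempted.
restart_services() {
    rc=0
    for s in "$@"; do
        if svc_start "$s"; then
            echo "restarted $s" >&2
        else
            echo "WARN: failed to restart $s" >&2
            rc=1
        fi
    done
    return $rc
}

# with_services_stopped WORK SVC...
# Runs WORK with SVC... stopped. The EXIT trap in the subshell fires on
# normal completion, when WORK fails, and on the 'exit 2' from the stop
# loop, so the restart is never skipped. The subshell's status (WORK's
# status, or 2 if a stop failed) is passed through unchanged to the caller,
# because the trap body does not call exit itself.
with_services_stopped() {
    work="$1"; shift
    (
        trap 'restart_services "$@"' EXIT
        for s in "$@"; do
            svc_stop "$s" || exit 2
        done
        "$work"
    )
}

# Two sample steps: one that succeeds only if its services are really down,
# and one that simulates a failing mkfs.
work_requires_stopped() {
    [ "$(svc_state sshd)" = stopped ] && [ "$(svc_state nisvc)" = stopped ]
}
work_fails() {
    echo "simulated formatting failure" >&2
    return 1
}

# Demo: both services are back to 'running' after the good step and after
# the failing one, and the failing step's status is still visible.
svc_start sshd; svc_start nisvc
rc=0; with_services_stopped work_requires_stopped sshd nisvc || rc=$?
echo "good step: rc=$rc sshd=$(svc_state sshd) nisvc=$(svc_state nisvc)"
rc=0; with_services_stopped work_fails sshd nisvc || rc=$?
echo "failed step: rc=$rc sshd=$(svc_state sshd) nisvc=$(svc_state nisvc)"
```

Running the step in a subshell keeps the trap scoped to that step: it cannot clobber an EXIT handler the calling script already uses for its own temp-file cleanup, and the caller still sees the step's real exit status, so a `die` on failure keeps working after the services have been brought back.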
Add a `-e` option to the `nisystemformat` script. When expressed, it will attempt to encrypt the rootfs partition with LUKS and seal an unlocking key to the current TPM state using the `ni-reseal-luks` tool.
Update the bb recipe file to accommodate the changes that have gone into the source layout. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The anonymous python function which set the INITRAMFS_FSTYPES was removed. Set it explicitly to ensure that we get a cpio initramfs archive which can be included in the runmode BSI. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Some ARM targets use ext4 instead of ubifs. So port ext4 changes from nilrt_os_common. Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@emerson.com> (cherry picked from commit bf67c4b) Rebased to nilrt/master/next by moving Artemis logic into the format.sh library file. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> (cherry picked from commit 0b8e89b) Rebased to nilrt/master/next by moving code into the various lib/ files where it belongs. Since the master/next version of ni-systemformat already uses EXIT codes 8 and 9, bumped the INSUFFICIENT_PRIVILEGES code to 10. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
There have been several substantial changes to the ni-systemformat scripting. Some of them, like the new EUID==0 check, could break backwards compatibility in the public API. So bump the version to 2.0.0 to signal those changes. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Pull request overview
This PR introduces measured-boot-related plumbing for NILRT x64 by adding TPM/LUKS tooling to base images and refactoring nisystemformat into a modular implementation that can optionally LUKS-encrypt the rootfs and bind unlock to the TPM (PCR 7). It also adds/adjusts initramfs packaging to support unlocking and switching into an encrypted root filesystem at boot.
Changes:
- Refactor `nisystemformat` into a main CLI plus library modules (usage, formatting, netconfig, encryption, exit codes).
- Add `-e` encryption option to `nisystemformat -f` and wire in TPM/LUKS tooling.
- Update Yocto packaging/packagegroups and init scripts to include TPM tools and generate `targetinfo.ini`.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| recipes-ni/ni-systemformat/ni-systemformat/src/nisystemformat | New modular top-level nisystemformat entrypoint wiring together library modules. |
| recipes-ni/ni-systemformat/ni-systemformat/src/lib/util.sh | Common utilities (logging, retry, tempfiles, error handling). |
| recipes-ni/ni-systemformat/ni-systemformat/src/lib/usage.sh | CLI parsing + usage/help text and argument validation. |
| recipes-ni/ni-systemformat/ni-systemformat/src/lib/netconfig.sh | Network config save/restore around formatting. |
| recipes-ni/ni-systemformat/ni-systemformat/src/lib/format.sh | Core formatting logic, service stop/start, and LUKS conversion hooks. |
| recipes-ni/ni-systemformat/ni-systemformat/src/lib/exit_codes.sh | Centralized exit code mapping. |
| recipes-ni/ni-systemformat/ni-systemformat/src/lib/encryption.sh | TPM presence checks for encryption mode. |
| recipes-ni/ni-systemformat/ni-systemformat/Makefile | Build/install logic for the new modular layout. |
| recipes-ni/ni-systemformat/ni-systemformat/init/nitargetinfo | Init script to cache targetinfo.ini from nisystemformat. |
| recipes-ni/ni-systemformat/ni-systemformat.bb | Recipe refactor: new sources, version bump, deps, init script install. |
| recipes-ni/ni-systemformat/files/nisystemformat | Removes legacy monolithic script (replaced by modular implementation). |
| recipes-core/packagegroups/packagegroup-ni-tpm.bb | Adds additional TPM2 packagegroup dependency. |
| recipes-core/packagegroups/packagegroup-ni-base.bb | Adjust x64 base image TPM/LUKS tooling dependencies. |
| recipes-core/packagegroups/packagefeed-ni-core.bb | Adds initramfs dependency for x64 feed (currently duplicated). |
| recipes-core/images/nilrt-runmode-initramfs.bb | Adjust initramfs output types configuration. |
```sh
            mountfs=ext4
        fi

        if [ "$ARCH" = "x86_64" ] || [ "$mountfs" = "ext4" ]; then
```
```sh
function supported_fstypes()
{
    if [ "$ARCH" = "armv7l" ]; then
        if [ "$mountfs" = "ext4" ]; then # Adding $mountfs condition to properly report fstype for Artemis
```
```sh
        log INFO "Encrypting $configfs_dev with LUKS..."
        _convert_to_luks "$configfs_dev" "$NICONFIG_PARTLABEL" \
            || die UNKNOWN_ERROR "Failed to convert configfs partition to LUKS."
        log INFO "DONE"
        configfs_dev="$CONFIGFS_DEV" # update configfs_dev to point to the new mapper device
    else
        if cryptsetup isLuks "$configfs_dev" 2>/dev/null; then
            log INFO "Converting $configfs_dev back to non-LUKS."
            cryptsetup erase -q "${configfs_dev}"
        fi
    fi

    # fstype is validated before calling format_config
    case "$1" in
        ubifs)
            local partition_label="boot-config"
            local volume_number="3"
            local volume_label="config"
            format_ubi_volume "$partition_label" "$volume_number" "$volume_label"
            ;;
        ext4)
            local volume_label="niconfig"
            local options=""
            mkfs.ext4 -q -F -I 256 -L $volume_label $options ${2:-$CONFIGFS_DEV}
            ;;
```
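Review bot: the `cryptsetup erase -q "${configfs_dev}"` call in the non-encrypting branch ignores its return value, so a failed erase falls through to the mkfs below with the old keyslots still on disk; suggest `cryptsetup erase -q "$configfs_dev" || die UNKNOWN_ERROR "Failed to remove LUKS from configfs partition."`, mirroring the `_convert_to_luks` branch above it. Note also that `erase` only destroys keyslots and leaves the LUKS header in place, so `cryptsetup isLuks` would still report the partition as LUKS afterwards; running `wipefs -a "$configfs_dev"` before the non-LUKS mkfs removes the signature explicitly. Separately, the `mkfs.ext4 ... -L $volume_label $options ${2:-$CONFIGFS_DEV}` line leaves its expansions unquoted; `"$volume_label"` and `"${2:-$CONFIGFS_DEV}"` should be quoted, leaving only `$options` bare if it is meant to word-split.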
```sh
    if ! /etc/init.d/sshd stop; then
        /etc/init.d/sshd status && [ $? -eq 3 ]
    fi
```
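Review bot: the fallback `/etc/init.d/sshd status && [ $? -eq 3 ]` cannot express the intent of accepting "already stopped" (LSB status 3): when `status` returns 3 the `&&` short-circuits and the test never runs, and when it returns 0 the test compares 0 with 3 and fails; in both cases the compound's result is discarded, so a failed stop is silently ignored and formatting proceeds with sshd possibly still running. Suggest capturing the status explicitly, e.g. `/etc/init.d/sshd status; rc=$?; [ "$rc" -eq 3 ] || die UNKNOWN_ERROR "Failed to stop sshd (status $rc)."`.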
```sh
        die_with_usage INVALID_ARGUMENT "No command-line arguments specified."
    fi

    while getopts "4cefhln:orst:" option
```
-4 and -o were never really implemented. I had left them in because I didn't want to break backwards compatibility, but any code calling them will error in this version anyway. And we're bumping the ni-systemformat version to 2.0.0 anyway. So I'll just remove them.
```sh
function with_retry() {
    local cmd="$@" # command to execute (with args)
    for attemptItr in `seq 1 "$COMMAND_RETRY_COUNT"`; do
        if eval "$cmd"; then
            return 0
        fi

        echo "$* failed with $? (attempt $attemptItr)" >&2
        sleep "$COMMAND_RETRY_SLEEP"
    done

    echo "ERROR: $* failed ($COMMAND_RETRY_COUNT attempts)" >&2
    return 1
}
```
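Review bot: in `with_retry`, `echo "$* failed with $? (attempt $attemptItr)"` always prints 0, because `$?` after an `if ... fi` whose condition was false is the status of the `if` compound itself, not of the failed command; capture it in an else branch instead (`else rc=$?; echo "$* failed with $rc (attempt $attemptItr)" >&2`). Also, `local cmd="$@"` followed by `eval "$cmd"` flattens the arguments into one string and re-parses it, so any argument containing spaces or shell metacharacters is split or interpreted; running `"$@"` directly (`if "$@"; then`) preserves the caller's quoting, and `$(seq ...)` would replace the backtick form.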
```sh
# Print the supported filesystem types for this system.
# The output is a comma-separated list of filesystem types,
# with no trailing comma.
```
```bitbake
# Image-specific packages kept separately so they are not accidentally
# installed via a packagegroup dependency into the wrong image.
RDEPENDS:${PN}:append:x64 = "\
    init-nilrt-runmode-initramfs \
"
```
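Review bot: the per-file summary above lists this `init-nilrt-runmode-initramfs` addition to packagefeed-ni-core.bb as currently duplicated; keep a single `RDEPENDS:${PN}:append:x64` block for it. The comment also reads as though it belonged in an image or packagegroup recipe; rewording it to say the package is deliberately carried only by the feed and by no packagegroup would match the commit message's reasoning.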
```bitbake
RDEPENDS:${PN} += "\
    bash \
    niacctbase \
"
# nisystemformat rdeps
RDEPENDS:${PN} += "\
    coreutils \
    e2fsprogs-mke2fs \
    pkgconfig \
    ni-netcfgutil \
    niacctbase \
    util-linux-lsblk \
    util-linux-logger \
"
```
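Review bot: `niacctbase` appears in both `RDEPENDS:${PN}` assignments (the general one and the "nisystemformat rdeps" one); drop one occurrence so the list stays deduplicated, in keeping with the commit that combined the split RDEPENDS for clarity.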
```bitbake
    # legacy symlink location
    install -d ${D}/usr/local/natinst/bin
    ln -sf ${bindir}/nisystemformat ${D}/usr/local/natinst/bin/nisystemformat
    # The nisystemformat binary can ban executed by anyone in the 'ni' group.
```
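Review bot: typo in the comment: "can ban executed" should read "can be executed". Since this comment documents the privilege boundary for a tool that can reformat and LUKS-encrypt the rootfs, it is worth also stating in the same comment which owner, group and mode bits the install step applies, so the intended 'ni' group boundary is explicit next to the code that sets it.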
Summary of Changes
- `ni-systemformat` recipe implementation to be more modular and (I hope) comprehensible in the long-term.
- `-e` option to the `nisystemformat -f` (format) operation. When expressed, it will encrypt the rootfs with LUKS and bind the decryption key to the TPM PCR 7.
- `nisystemformat`. Squashes the usage information down to a single concept - rather than keeping separate workflows for safemode and runmode.
- `nisystemformat` to version 2.0.0, since there have been many changes.

Limitations
Justification
AB#3737965
AB#3752796
AB#3752799
Testing
TODO: Detail what testing has been done to ensure this submission meets requirements.
- (`bitbake packagefeed-ni-core`)
- `nisystemformat -e` option and validated that the runmode initramfs unlocks and boots into the encrypted rootfs (when it is encrypted).

Runmode bootlog
Runmode partition layout
Procedure