[OE-core] Fail to upgrade RPMs when IMA enabled
Muhlenkamp, Lewis
lewis.muhlenkamp at stryker.com
Sun Feb 16 21:21:20 UTC 2020
Hello,
I've been trying to get the security stuff in meta-secure-core working so I can upgrade from one version of the OS I'm creating, right now called LewisOS, to a new version, just by being able to run "rpm -U" or "dnf upgrade" commands. I can run "dnf upgrade" successfully against non-kernel-related packages, but the kernel, initramfs and systemd-boot RPMs always fail with the same error, no matter what I try.
I am using Zeus for my builds. I am using an older commit for LewisOS version X, 8a518a2054bdd349d7661ee4872590fc8750313f, dated 2019 Dec 30, of the meta-secure-core GIT repo. I am using 8302e3c479154157667e22e9d7c5461c966b4586, dated 2020 Jan 19, of the meta-secure-core GIT repo for LewisOS version Y.
My machine is intel-corei7-64.
I'll just stick with the systemd-boot RPM for this email. LewisOS version X installs systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common. LewisOS version Y contains systemd-boot-243.2-r0.corei7_64_intel_common. When I try to upgrade systemd-boot, I get the following error message:
=== Start upgrade messages ===
root at intel-corei7-64:/var/opt/repos/os# rpm -q systemd-boot
systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common
root at intel-corei7-64:/var/opt/repos/os# rpm -qp systemd-boot-243.2-r0.corei7_64_intel_common.rpm
systemd-boot-243.2-r0.corei7_64_intel_common
root at intel-corei7-64:/var/opt/repos/os# rpm -Uhv systemd-boot-243.2-r0.corei7_64_intel_common.rpm
Verifying... ######################################## [100%]
Preparing... ######################################## [100%]
Updating / installing...
1:systemd-boot-243.2-r0 ######################################## [ 50%]
error: ima: could not apply signature on '/boot/EFI/BOOT/bootx64.efi;5e49ad05': Operation not supported
error: Plugin ima: hook fsm_file_prepare failed
error: unpacking of archive failed on file /boot/EFI/BOOT/bootx64.efi;5e49ad05: cpio: (error 0x2)
error: systemd-boot-243.2-r0.corei7_64_intel_common: install failed
error: systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common: erase skipped
=== End upgrade messages ===
The above error messages also appear when I try updating kernel-image-bzimage, kernel-initramfs and systemd-bootconf.
I have the following in my bblayers.conf file:
=== Start bblayers.conf ===
# LAYER_CONF_VERSION is increased each time build/conf/bblayers.conf
# changes incompatibly
LCONF_VERSION = "7"
BBPATH = "${TOPDIR}"
BBFILES ?= ""
BBLAYERS ?= " \
${HOME}/meta-stryker/meta-lewisos-distro \
${HOME}/meta-stryker/meta-lewisos-common \
${HOME}/meta-stryker/meta-lewisos-edge \
${HOME}/oe-core/meta \
${HOME}/meta-openembedded/meta-python \
${HOME}/meta-openembedded/meta-perl \
${HOME}/meta-openembedded/meta-filesystems \
${HOME}/meta-openembedded/meta-oe \
${HOME}/meta-openembedded/meta-networking \
${HOME}/meta-openembedded/meta-webserver \
${HOME}/meta-intel \
${HOME}/meta-virtualization \
${HOME}/meta-cloud-services \
${HOME}/meta-cloud-services/meta-openstack \
${HOME}/meta-secure-core/meta \
${HOME}/meta-secure-core/meta-signing-key \
${HOME}/meta-secure-core/meta-tpm \
${HOME}/meta-secure-core/meta-tpm2 \
${HOME}/meta-secure-core/meta-efi-secure-boot \
${HOME}/meta-secure-core/meta-integrity \
${HOME}/meta-secure-core/meta-encrypted-storage \
${HOME}/meta-secure-core/meta-ids \
${HOME}/meta-secure-core/meta-intel-sgx \
"
=== End bblayers.conf ===
Here is my local.conf file
=== Start local.conf ===
MACHINE ?= "intel-corei7-64"
DL_DIR ?= "/var/opt/openembedded-linux/downloads"
SSTATE_DIR ?= "/var/opt/openembedded-linux/sstate-cache"
PACKAGE_CLASSES ?= "package_rpm"
# Extra image configuration defaults
#
# The EXTRA_IMAGE_FEATURES variable allows extra packages to be added to the generated
# images.
# There are other application targets that can be used here too, see
# meta/classes/image.bbclass and meta/classes/core-image.bbclass for more details.
# We default to enabling the debugging tweaks.
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
USER_CLASSES ?= "buildstats image-mklibs image-prelink"
PATCHRESOLVE = "noop"
BB_DISKMON_DIRS ??= "\
STOPTASKS,${TMPDIR},1G,100K \
STOPTASKS,${DL_DIR},1G,100K \
STOPTASKS,${SSTATE_DIR},1G,100K \
STOPTASKS,/tmp,100M,100K \
ABORT,${TMPDIR},100M,1K \
ABORT,${DL_DIR},100M,1K \
ABORT,${SSTATE_DIR},100M,1K \
ABORT,/tmp,10M,1K"
PACKAGECONFIG_append_pn-qemu-native = " sdl"
PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
CONF_VERSION = "1"
DISTRO = "lewisos"
# The following 2 lines are to generate an ISO.
IMAGE_FSTYPES += "live"
NOISO = "0"
# The following line is needed to help address issues with updating the OS.
# It prevents a lot of messages regarding file/directory ownership issues.
DIRFILES = "1"
# The BBMASK directive below is to prevent the kernel-initramfs.bbappend
# from meta-secure-core from being used. We have customized the bb file.
# So, don't want any changes to it.
BBMASK += "meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend"
# INITRAMFS_IMAGE must be defined here. It cannot be defined in an image
# recipe. If it is only defined in an image recipe, the build fails to
# sign packages.
INITRAMFS_IMAGE = "secure-core-image-initramfs"
# Similarly, the kernel-image-bzimage must be defined here. When it was
# set in the image recipe, got complaints about no buildable providers.
# Weird.
IMAGE_INSTALL += "kernel-image-bzimage"
# These DISTRO_FEATURES must remain here. When I tried to put them into
# the lewisos.conf distro configuration file, the build of the stryker-edge
# image failed. Got old errors. Apparently some of the bbappends were
# not picked up properly when these were defined in the distro config
# file. Not sure why.
DISTRO_FEATURES_NATIVE_append += "systemd ima tpm tpm2 efi-secure-boot luks"
DISTRO_FEATURES_append += "systemd ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"
MACHINE_FEATURES_NATIVE_append += "efi"
MACHINE_FEATURES_append += "efi"
DEBUG_FLAGS_forcevariable = ""
USER_CLASSES_remove = "image-prelink"
=== End local.conf ===
Here is my lewisos.conf distro configuration file.
=== Start lewisos.conf ===
# Lewisos distribution configuration file
DISTRO = "lewisos"
DISTRO_NAME = "Lewis test distribution"
DISTRO_VERSION = "0.1.3-ou"
MAINTAINER = "mako.device at stryker.com"
IMAGE_VERSION_SUFFIX = "-${DISTRO_VERSION}"
# Want to use systemd as the init manager
DISTRO_FEATURES_append = " systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
# Need virtualization
DISTRO_FEATURES_append = " virtualization"
# Add support for wireless
DISTRO_FEATURES_append = " wifi"
# Add support for disk encryption, secure boot and access to TPM
# Needed for both the product build, and for native
# From the meta-secure-core layer
# DISTRO_FEATURES_append = " ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"
# DISTRO_FEATURES_NATIVE_append = " ima tpm tpm2 efi-secure-boot luks"
# Remove undesirable features
DISTRO_FEATURES_BACKFILL_CONSIDERED += "nfs"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "zeroconf"
# Set up for signing RPMs
# Inherit the sign_rpm_ext and user-key-store classes from the meta-secure-core
# layer. They provide some additional functionality.
# If not using the meta-secure-core layer, uncomment the sign_rpm line and
# comment out the sign_rpm_ext and user-key-store lines.
# INHERIT += "sign_rpm"
INHERIT += "sign_rpm_ext"
INHERIT += "user-key-store"
# NOTE: The two RPM_GPG lines cannot have spaces in their values. It causes
# the build to fail since the scripts cannot handle the space.
RPM_GPG_NAME = "xxxxxxxx"
RPM_GPG_PASSPHRASE = "yyyyyyyy"
=== End lewisos.conf ===
And here is my bbappend for linux-intel
=== Start linux-intel_%.bbappend ===
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://kernel_baseline.scc"
KERNEL_IMAGEDEST = "boot/${DISTRO}-${DISTRO_VERSION}"
FILES_kernel-image-bzimage = "/boot/${PV}/bzImage-${KERNEL_VERSION_NAME}"
python do_package_prepend () {
    os.remove(d.getVar('D') + '/' + d.getVar('KERNEL_IMAGEDEST') + '/bzImage')
}
require recipes-kernel/linux/linux-yocto-integrity.inc
=== End linux-intel_%.bbappend ===
I'm removing symbolic links and putting the kernel and initramfs in version specific directories because the /boot partition is vfat, which doesn't support symbolic links, and if I kept the names as something like bzImage, then "dnf upgrade" would complain about multiple RPMs trying to own the same file.
What am I missing? Where did I make a mistake? Does the meta-secure-core, or Openembedded/Yocto in general support upgrading from version X to version Y of an OS using just some command like "dnf upgrade"?
If you need more information, please let me know.
As one last piece of info, if I remove "ima" from DISTRO_FEATURES, the build hangs when trying to sign the RPMs.
Thank you
Lewis Muhlenkamp
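The "Operation not supported" in the rpm output above is what the rpm IMA plugin reports when the setxattr() call that stores the signature in the security.ima extended attribute fails with EOPNOTSUPP, and a vfat /boot partition (as described in the post) has no extended attribute support at all. The following script is an added diagnostic, not code from the post or from meta-secure-core: it pulls the destination path out of an rpm IMA error line, looks up which mount holds it in a /proc/self/mounts-style table, and optionally probes a directory for xattr support. The rpm error line is copied from the post; the mounts table is a constructed sample, not captured from the poster's machine.

```python
"""Diagnose an rpm IMA plugin failure: which mount holds the file, and does it take xattrs?"""
import errno
import os
import re
import tempfile

# Copied from the rpm output in the post above.
RPM_ERROR_LINE = (
    "error: ima: could not apply signature on "
    "'/boot/EFI/BOOT/bootx64.efi;5e49ad05': Operation not supported"
)

# Constructed /proc/self/mounts excerpt (assumption, not the poster's real table):
# an ext4 root and a vfat EFI system partition mounted at /boot.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

# Filesystems that have no xattr handlers in Linux, so setxattr() returns EOPNOTSUPP.
NO_XATTR_FS = {"vfat", "msdos"}

_ERR_RE = re.compile(r"could not apply signature on '([^']+)': (.+)$")


def parse_ima_error(line):
    """Return (destination path, reason) from an 'ima: could not apply signature' line.
    rpm unpacks into a temporary name with a ';<hex>' suffix, so strip it."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    path = m.group(1).split(";", 1)[0]
    return path, m.group(2).strip()


def mount_for(path, mounts_text):
    """Longest-prefix match of path against a /proc/self/mounts table.
    Returns (mountpoint, fstype) or None."""
    best = None
    for entry in mounts_text.splitlines():
        fields = entry.split()
        if len(fields) < 3:
            continue
        mnt, fstype = fields[1], fields[2]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype)
    return best


def diagnose(line, mounts_text):
    """Combine the two lookups into one verdict for an rpm IMA error line."""
    parsed = parse_ima_error(line)
    if parsed is None:
        return None
    path, reason = parsed
    mnt = mount_for(path, mounts_text)
    if mnt is None:
        return {"path": path, "reason": reason, "mountpoint": None, "fstype": None}
    return {
        "path": path,
        "reason": reason,
        "mountpoint": mnt[0],
        "fstype": mnt[1],
        "xattr_capable_fs": mnt[1] not in NO_XATTR_FS,
    }


def probe_xattr_support(directory):
    """Live check: try to set a user.* xattr on a scratch file in `directory`.
    Returns 'supported', 'unsupported' (EOPNOTSUPP, e.g. on vfat) or 'error:<ERRNO>'.
    user.* is used instead of security.ima so the probe needs no privilege."""
    if not hasattr(os, "setxattr"):
        return "error:no-setxattr-on-this-platform"
    try:
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".xattr-probe-")
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    try:
        os.close(fd)
        try:
            os.setxattr(tmp, "user.xattr_probe", b"1")
            return "supported"
        except OSError as e:
            if e.errno in (errno.EOPNOTSUPP, errno.ENOTSUP):
                return "unsupported"
            return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    print(diagnose(RPM_ERROR_LINE, SAMPLE_MOUNTS))
    with open("/proc/self/mounts") as f:
        live = mount_for("/boot", f.read())
    print("live /boot mount:", live, "xattr probe on /boot:", probe_xattr_support("/boot"))
```

On a real target, run it as root so the probe can write under /boot; a result of "unsupported" on the mount that holds bootx64.efi and bzImage means no build-side signing change can make rpm store security.ima there, because the filesystem cannot hold the attribute.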