[OE-core] Fail to upgrade RPMs when IMA enabled

Muhlenkamp, Lewis lewis.muhlenkamp at stryker.com
Sun Feb 16 21:21:20 UTC 2020


Hello,

I've been trying to get the security stuff in meta-secure-core working so I can upgrade from one version of the OS I'm creating, right now called LewisOS, to a new version, just by being able to run "rpm -U" or "dnf upgrade" commands.  I can run "dnf upgrade" successfully against non-kernel-related packages, but the kernel, initramfs and systemd-boot RPMs always fail with the same error, no matter what I try.

I am using Zeus for my builds.  I am using an older commit for LewisOS version X, 8a518a2054bdd349d7661ee4872590fc8750313f, dated 2019 Dec 30, of the meta-secure-core GIT repo.  I am using 8302e3c479154157667e22e9d7c5461c966b4586, dated 2020 Jan 19, of the meta-secure-core GIT repo for LewisOS version Y.

My machine is intel-corei7-64.

I'll just stick with the systemd-boot RPM for this email.  LewisOS version X installs systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common.  LewisOS version Y contains systemd-boot-243.2-r0.corei7_64_intel_common.  When I try to upgrade systemd-boot, I get the following error message:

=== Start upgrade messages ===
root at intel-corei7-64:/var/opt/repos/os# rpm -q systemd-boot
systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common
root at intel-corei7-64:/var/opt/repos/os# rpm -qp systemd-boot-243.2-r0.corei7_64_intel_common.rpm
systemd-boot-243.2-r0.corei7_64_intel_common
root at intel-corei7-64:/var/opt/repos/os# rpm -Uhv systemd-boot-243.2-r0.corei7_64_intel_common.rpm
Verifying...                          ######################################## [100%]
Preparing...                          ######################################## [100%]
Updating / installing...
   1:systemd-boot-243.2-r0          ######################################## [ 50%]
error: ima: could not apply signature on '/boot/EFI/BOOT/bootx64.efi;5e49ad05': Operation not supported
error: Plugin ima: hook fsm_file_prepare failed
error: unpacking of archive failed on file /boot/EFI/BOOT/bootx64.efi;5e49ad05: cpio: (error 0x2)
error: systemd-boot-243.2-r0.corei7_64_intel_common: install failed
error: systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common: erase skipped
=== End upgrade messages ===


The above error messages also appear when I try updating kernel-image-bzimage, kernel-initramfs and systemd-bootconf.

I have the following in my bblayers.conf file:

=== Start bblayers.conf ===
# LAYER_CONF_VERSION is increased each time build/conf/bblayers.conf
# changes incompatibly
LCONF_VERSION = "7"

BBPATH = "${TOPDIR}"
BBFILES ?= ""

BBLAYERS ?= " \
  ${HOME}/meta-stryker/meta-lewisos-distro \
  ${HOME}/meta-stryker/meta-lewisos-common \
  ${HOME}/meta-stryker/meta-lewisos-edge \
  ${HOME}/oe-core/meta \
  ${HOME}/meta-openembedded/meta-python \
  ${HOME}/meta-openembedded/meta-perl \
  ${HOME}/meta-openembedded/meta-filesystems \
  ${HOME}/meta-openembedded/meta-oe \
  ${HOME}/meta-openembedded/meta-networking \
  ${HOME}/meta-openembedded/meta-webserver \
  ${HOME}/meta-intel \
  ${HOME}/meta-virtualization \
  ${HOME}/meta-cloud-services \
  ${HOME}/meta-cloud-services/meta-openstack \
  ${HOME}/meta-secure-core/meta \
  ${HOME}/meta-secure-core/meta-signing-key \
  ${HOME}/meta-secure-core/meta-tpm \
  ${HOME}/meta-secure-core/meta-tpm2 \
  ${HOME}/meta-secure-core/meta-efi-secure-boot \
  ${HOME}/meta-secure-core/meta-integrity \
  ${HOME}/meta-secure-core/meta-encrypted-storage \
  ${HOME}/meta-secure-core/meta-ids \
  ${HOME}/meta-secure-core/meta-intel-sgx \
  "
=== End bblayers.conf ===


Here is my local.conf file

=== Start local.conf ===
MACHINE ?= "intel-corei7-64"
DL_DIR ?= "/var/opt/openembedded-linux/downloads"
SSTATE_DIR ?= "/var/opt/openembedded-linux/sstate-cache"
PACKAGE_CLASSES ?= "package_rpm"

# Extra image configuration defaults
#
# The EXTRA_IMAGE_FEATURES variable allows extra packages to be added to the generated
# images.
# There are other application targets that can be used here too, see
# meta/classes/image.bbclass and meta/classes/core-image.bbclass for more details.
# We default to enabling the debugging tweaks.
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"

USER_CLASSES ?= "buildstats image-mklibs image-prelink"
PATCHRESOLVE = "noop"
BB_DISKMON_DIRS ??= "\
    STOPTASKS,${TMPDIR},1G,100K \
    STOPTASKS,${DL_DIR},1G,100K \
    STOPTASKS,${SSTATE_DIR},1G,100K \
    STOPTASKS,/tmp,100M,100K \
    ABORT,${TMPDIR},100M,1K \
    ABORT,${DL_DIR},100M,1K \
    ABORT,${SSTATE_DIR},100M,1K \
    ABORT,/tmp,10M,1K"

PACKAGECONFIG_append_pn-qemu-native = " sdl"
PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
CONF_VERSION = "1"

DISTRO = "lewisos"

# The following 2 lines are to generate an ISO.
IMAGE_FSTYPES += "live"
NOISO = "0"

# The following line is needed to help address issues with updating the OS.
# It prevents a lot of messages regarding file/directory ownership issues.
DIRFILES = "1"

# The BBMASK directive below is to prevent the kernel-initramfs.bbappend
# from meta-secure-core from being used.  We have customized the bb file.
# So, don't want any changes to it.
BBMASK += "meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend"

# INITRAMFS_IMAGE must be defined here.  It cannot be defined in an image
# recipe.  If it is only defined in an image recipe, the build fails to
# sign packages.
INITRAMFS_IMAGE = "secure-core-image-initramfs"

# Similarly, the kernel-image-bzimage must be defined here.  When it was
# set in the image recipe, got complaints about no buildable providers.
# Weird.
IMAGE_INSTALL += "kernel-image-bzimage"

# These DISTRO_FEATURES must remain here.  When I tried to put them into
# the lewisos.conf distro configuration file, the build of the stryker-edge
# image failed.  Got old errors.  Apparently some of the bbappends were
# not picked up properly when these were defined in the distro config
# file.  Not sure why.
DISTRO_FEATURES_NATIVE_append += "systemd ima tpm tpm2 efi-secure-boot luks"
DISTRO_FEATURES_append += "systemd ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"

MACHINE_FEATURES_NATIVE_append += "efi"
MACHINE_FEATURES_append += "efi"
DEBUG_FLAGS_forcevariable = ""
USER_CLASSES_remove = "image-prelink"
=== End local.conf ===


Here is my lewisos.conf distro configuration file.

=== Start lewisos.conf ===
# Lewisos distribution configuration file
DISTRO = "lewisos"
DISTRO_NAME = "Lewis test distribution"
DISTRO_VERSION = "0.1.3-ou"
MAINTAINER = "mako.device at stryker.com"

IMAGE_VERSION_SUFFIX = "-${DISTRO_VERSION}"

# Want to use systemd as the init manager
DISTRO_FEATURES_append = " systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

# Need virtualization
DISTRO_FEATURES_append = " virtualization"

# Add support for wireless
DISTRO_FEATURES_append = " wifi"

# Add support for disk encryption, secure boot and access to TPM
# Needed for both the product build, and for native
# From the meta-secure-core layer
# DISTRO_FEATURES_append = " ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"
# DISTRO_FEATURES_NATIVE_append = " ima tpm tpm2 efi-secure-boot luks"

# Remove undesirable features
DISTRO_FEATURES_BACKFILL_CONSIDERED += "nfs"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "zeroconf"

# Set up for signing RPMs
# Inherit the sign_rpm_ext and user-key-store classes from the meta-secure-core
# layer.  They provide some additional functionality.
# If not using the meta-secure-core layer, uncomment the sign_rpm line and
# comment out the sign_rpm_ext and user-key-store lines.
# INHERIT += "sign_rpm"
INHERIT += "sign_rpm_ext"
INHERIT += "user-key-store"

# NOTE: The two RPM_GPG lines cannot have spaces in their values.  It causes
# the build to fail since the scripts cannot handle the space.
RPM_GPG_NAME = "xxxxxxxx"
RPM_GPG_PASSPHRASE = "yyyyyyyy"
=== End lewisos.conf ===


And here is my bbappend for linux-intel

=== Start linux-intel_%.bbappend ===
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://kernel_baseline.scc"
KERNEL_IMAGEDEST = "boot/${DISTRO}-${DISTRO_VERSION}"

FILES_kernel-image-bzimage = "/boot/${PV}/bzImage-${KERNEL_VERSION_NAME}"

python do_package_prepend () {
    os.remove(d.getVar('D') + '/' + d.getVar('KERNEL_IMAGEDEST') + '/bzImage')
}

require recipes-kernel/linux/linux-yocto-integrity.inc
=== End linux-intel_%.bbappend ===


I'm removing symbolic links and putting the kernel and initramfs in version specific directories because the /boot partition is vfat, which doesn't support symbolic links, and if I kept the names as something like bzImage, then "dnf upgrade" would complain about multiple RPMs trying to own the same file.

What am I missing?  Where did I make a mistake?  Does meta-secure-core, or OpenEmbedded/Yocto in general, support upgrading from version X to version Y of an OS using just some command like "dnf upgrade"?

If you need more information, please let me know.

As one last piece of info, if I remove "ima" from DISTRO_FEATURES, the build hangs when trying to sign the RPMs.

Thank you

Lewis Muhlenkamp
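Added illustration for the failure quoted in this message (not code from the original post, from rpm, or from meta-secure-core): rpm's IMA plugin stores each file's signature in the security.ima extended attribute at unpack time, and a filesystem with no xattr support answers ENOTSUP, which rpm prints as "Operation not supported".  The script below parses rpm output of the shape shown above, strips the ";<hex>" suffix rpm gives files while they are still being unpacked, matches each failing path against a /proc/mounts-style table to find its filesystem type, and flags the FAT family as unable to hold the attribute.  It also includes an unprivileged probe that tries a user.* attribute on a scratch file, which is enough to tell whether a mount accepts xattrs at all.  The mount table, device names and the set of FAT filesystem types are constructed assumptions; the rpm lines are the ones quoted in the message.

```python
"""Locate rpm IMA-plugin failures on filesystems that cannot hold security xattrs.

Added example for the mailing-list thread; not part of rpm or meta-secure-core.
The sample rpm output and the /proc/mounts table below are constructed inputs.
"""
import errno
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Filesystem types assumed to lack extended-attribute support on Linux
# (assumption: the FAT family; extend the set for your own platform).
NO_XATTR_FSTYPES = {"vfat", "msdos", "fat"}

# rpm reports the file under its temporary unpack name '<path>;<hex>'; the
# suffix is stripped to recover the final installed path.
IMA_ERROR_RE = re.compile(
    r"^error: ima: could not apply signature on '(?P<path>[^']+)': (?P<reason>.+)$"
)
TEMP_SUFFIX_RE = re.compile(r";[0-9a-f]+$")

# Constructed sample: the lines quoted in the message, plus a mount table
# where /boot is the vfat EFI system partition.
SAMPLE_RPM_OUTPUT = """\
Updating / installing...
   1:systemd-boot-243.2-r0          ######################################## [ 50%]
error: ima: could not apply signature on '/boot/EFI/BOOT/bootx64.efi;5e49ad05': Operation not supported
error: Plugin ima: hook fsm_file_prepare failed
"""
SAMPLE_PROC_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro 0 0
"""


def parse_mounts(proc_mounts: str) -> List[Tuple[str, str]]:
    """Return (mountpoint, fstype) pairs from /proc/mounts-formatted text."""
    table = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            table.append((fields[1], fields[2]))
    return table


def fstype_for(path: str, mounts: List[Tuple[str, str]]) -> Optional[str]:
    """Filesystem type of the longest mountpoint that is a prefix of path."""
    best = None
    for mountpoint, fstype in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fstype)
    return best[1] if best else None


def ima_failures(rpm_output: str) -> List[Dict[str, str]]:
    """Extract (final path, reason) from rpm's IMA plugin error lines."""
    found = []
    for line in rpm_output.splitlines():
        m = IMA_ERROR_RE.match(line.strip())
        if m:
            found.append({"path": TEMP_SUFFIX_RE.sub("", m.group("path")),
                          "reason": m.group("reason")})
    return found


def diagnose(rpm_output: str, proc_mounts: str) -> List[Dict[str, object]]:
    """Annotate each IMA failure with the filesystem type of its mount."""
    mounts = parse_mounts(proc_mounts)
    results: List[Dict[str, object]] = []
    for failure in ima_failures(rpm_output):
        fstype = fstype_for(failure["path"], mounts)
        results.append({
            **failure,
            "fstype": fstype or "unknown",
            "xattr_unsupported": fstype in NO_XATTR_FSTYPES,
        })
    return results


def fs_supports_xattr(directory: str) -> Optional[bool]:
    """Probe whether the filesystem holding `directory` accepts any xattr.

    security.ima itself needs privilege to set, so an unprivileged user.*
    attribute on a scratch file is used; ENOTSUP comes from the filesystem
    either way.  Returns None where the platform has no xattr API.
    """
    if not hasattr(os, "setxattr"):
        return None
    fd, name = tempfile.mkstemp(dir=directory, prefix=".xattr-probe-")
    try:
        os.setxattr(name, "user.xattr_probe", b"1")
        return True
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:
            return False
        raise
    finally:
        os.close(fd)
        os.unlink(name)


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_RPM_OUTPUT, SAMPLE_PROC_MOUNTS):
        print(entry)
    print("xattr supported in temp dir:", fs_supports_xattr(tempfile.gettempdir()))
```

On a target, feed it the real transaction log and `open("/proc/mounts").read()`, and run `fs_supports_xattr("/boot")` as root to confirm the probe result for the EFI partition.  Keeping IMA-signed files on a filesystem that stores security.ima, or excluding the EFI partition's payload from the IMA policy, are the two directions this check points to; which one fits depends on the image layout.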
