[OE-core] Fail to upgrade RPMs when IMA enabled

Alexander Kanavin alex.kanavin at gmail.com
Sun Feb 16 21:42:10 UTC 2020


This should be addressed to the maintainers of meta-secure-core, that is,
Jia.

Openembedded/Yocto in general does not define or test OS upgrades.

You can also start looking into the failure you're getting from here:
https://github.com/rpm-software-management/rpm/blob/master/plugins/ima.c

Alex

On Sun, 16 Feb 2020 at 22:21, Muhlenkamp, Lewis <
lewis.muhlenkamp at stryker.com> wrote:

> Hello,
>
> I’ve been trying to get the security stuff in meta-secure-core working so
> I can upgrade from one version of the OS I’m creating, right now called
> LewisOS, to a new version, just by being able to run “rpm -U” or “dnf
> upgrade” commands. I can run “dnf upgrade” successfully against non-kernel
> related packages, but the kernel, initramfs and systemd-boot RPMs always
> fail with the same error, no matter what I try.
>
> I am using Zeus for my builds. I am using an older commit for LewisOS
> version X, 8a518a2054bdd349d7661ee4872590fc8750313f, dated 2019 Dec 30, of
> the meta-secure-core GIT repo. I am using
> 8302e3c479154157667e22e9d7c5461c966b4586, dated 2020 Jan 19, of the
> meta-secure-core GIT repo for LewisOS version Y.
>
> My machine is intel-corei7-64.
>
> I’ll just stick with the systemd-boot RPM for this email. LewisOS version X
> installs systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common. LewisOS
> version Y contains systemd-boot-243.2-r0.corei7_64_intel_common. When I
> try to upgrade systemd-boot, I get the following error message:
>
> === Start upgrade messages ===
>
> root at intel-corei7-64:/var/opt/repos/os# rpm -q systemd-boot
> systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common
> root at intel-corei7-64:/var/opt/repos/os# rpm -qp systemd-boot-243.2-r0.corei7_64_intel_common.rpm
> systemd-boot-243.2-r0.corei7_64_intel_common
> root at intel-corei7-64:/var/opt/repos/os# rpm -Uhv systemd-boot-243.2-r0.corei7_64_intel_common.rpm
> Verifying…                          ######################################## [100%]
> Preparing…                          ######################################## [100%]
> Updating / installing…
>    1:systemd-boot-243.2-r0           ######################################## [ 50%]
> error: ima: could not apply signature on ‘/boot/EFI/BOOT/bootx64.efi;5e49ad05’: Operation not supported
> error: Plugin ima: hook fsm_file_prepare failed
> error: unpacking of archive failed on file /boot/EFI/BOOT/bootx64.efi;5e49ad05: cpio: (error 0x2)
> error: systemd-boot-243.2-r0.corei7_64_intel_common: install failed
> error: systemd-boot-243+0+efb536d0cb-r0.corei7_64_intel_common: erase skipped
>
> === End upgrade messages ===
>
> The above error messages also appear when I try updating
> kernel-image-bzimage, kernel-initramfs and systemd-bootconf.
>
> I have the following in my bblayers.conf file:
>
> === Start bblayers.conf ===
>
> # LAYER_CONF_VERSION is increased each time build/conf/bblayers.conf
> # changes incompatibly
> LCONF_VERSION = "7"
>
> BBPATH = "${TOPDIR}"
> BBFILES ?= ""
>
> BBLAYERS ?= " \
>   ${HOME}/meta-stryker/meta-lewisos-distro \
>   ${HOME}/meta-stryker/meta-lewisos-common \
>   ${HOME}/meta-stryker/meta-lewisos-edge \
>   ${HOME}/oe-core/meta \
>   ${HOME}/meta-openembedded/meta-python \
>   ${HOME}/meta-openembedded/meta-perl \
>   ${HOME}/meta-openembedded/meta-filesystems \
>   ${HOME}/meta-openembedded/meta-oe \
>   ${HOME}/meta-openembedded/meta-networking \
>   ${HOME}/meta-openembedded/meta-webserver \
>   ${HOME}/meta-intel \
>   ${HOME}/meta-virtualization \
>   ${HOME}/meta-cloud-services \
>   ${HOME}/meta-cloud-services/meta-openstack \
>   ${HOME}/meta-secure-core/meta \
>   ${HOME}/meta-secure-core/meta-signing-key \
>   ${HOME}/meta-secure-core/meta-tpm \
>   ${HOME}/meta-secure-core/meta-tpm2 \
>   ${HOME}/meta-secure-core/meta-efi-secure-boot \
>   ${HOME}/meta-secure-core/meta-integrity \
>   ${HOME}/meta-secure-core/meta-encrypted-storage \
>   ${HOME}/meta-secure-core/meta-ids \
>   ${HOME}/meta-secure-core/meta-intel-sgx \
>   "
>
> === End bblayers.conf ===
>
>
> Here is my local.conf file:
>
> === Start local.conf ===
>
> MACHINE ?= "intel-corei7-64"
> DL_DIR ?= "/var/opt/openembedded-linux/downloads"
> SSTATE_DIR ?= "/var/opt/openembedded-linux/sstate-cache"
> PACKAGE_CLASSES ?= "package_rpm"
>
> # Extra image configuration defaults
> #
> # The EXTRA_IMAGE_FEATURES variable allows extra packages to be added to the generated
> # images.
> # There are other application targets that can be used here too, see
> # meta/classes/image.bbclass and meta/classes/core-image.bbclass for more details.
> # We default to enabling the debugging tweaks.
> EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
>
> USER_CLASSES ?= "buildstats image-mklibs image-prelink"
> PATCHRESOLVE = "noop"
> BB_DISKMON_DIRS ??= "\
>     STOPTASKS,${TMPDIR},1G,100K \
>     STOPTASKS,${DL_DIR},1G,100K \
>     STOPTASKS,${SSTATE_DIR},1G,100K \
>     STOPTASKS,/tmp,100M,100K \
>     ABORT,${TMPDIR},100M,1K \
>     ABORT,${DL_DIR},100M,1K \
>     ABORT,${SSTATE_DIR},100M,1K \
>     ABORT,/tmp,10M,1K"
>
> PACKAGECONFIG_append_pn-qemu-native = " sdl"
> PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
> CONF_VERSION = "1"
>
> DISTRO = "lewisos"
>
> # The following 2 lines are to generate an ISO.
> IMAGE_FSTYPES += "live"
> NOISO = "0"
>
> # The following line is needed to help address issues with updating the OS.
> # It prevents a lot of messages regarding file/directory ownership issues.
> DIRFILES = "1"
>
> # The BBMASK directive below is to prevent the kernel-initramfs.bbappend
> # from meta-secure-core from being used.  We have customized the bb file.
> # So, don't want any changes to it.
> BBMASK += "meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend"
>
> # INITRAMFS_IMAGE must be defined here.  It cannot be defined in an image
> # recipe.  If it is only defined in an image recipe, the build fails to
> # sign packages.
> INITRAMFS_IMAGE = "secure-core-image-initramfs"
>
> # Similarly, the kernel-image-bzimage must be defined here.  When it was
> # set in the image recipe, got complaints about no buildable providers.
> # Weird.
> IMAGE_INSTALL += "kernel-image-bzimage"
>
> # These DISTRO_FEATURES must remain here.  When I tried to put them into
> # the lewisos.conf distro configuration file, the build of the stryker-edge
> # image failed.  Got old errors.  Apparently some of the bbappends were
> # not picked up properly when these were defined in the distro config
> # file.  Not sure why.
> DISTRO_FEATURES_NATIVE_append += "systemd ima tpm tpm2 efi-secure-boot luks"
> DISTRO_FEATURES_append += "systemd ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"
>
> MACHINE_FEATURES_NATIVE_append += "efi"
> MACHINE_FEATURES_append += "efi"
> DEBUG_FLAGS_forcevariable = ""
> USER_CLASSES_remove = "image-prelink"
>
> === End local.conf ===
>
>
> Here is my lewisos.conf distro configuration file:
>
> === Start lewisos.conf ===
>
> # Lewisos distribution configuration file
> DISTRO = "lewisos"
> DISTRO_NAME = "Lewis test distribution"
> DISTRO_VERSION = "0.1.3-ou"
> MAINTAINER = "mako.device at stryker.com"
>
> IMAGE_VERSION_SUFFIX = "-${DISTRO_VERSION}"
>
> # Want to use systemd as the init manager
> DISTRO_FEATURES_append = " systemd"
> VIRTUAL-RUNTIME_init_manager = "systemd"
> VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
>
> # Need virtualization
> DISTRO_FEATURES_append = " virtualization"
>
> # Add support for wireless
> DISTRO_FEATURES_append = " wifi"
>
> # Add support for disk encryption, secure boot and access to TPM
> # Needed for both the product build, and for native
> # From the meta-secure-core layer
> # DISTRO_FEATURES_append = " ima tpm tpm2 efi-secure-boot luks modsign pam intel-sgx"
> # DISTRO_FEATURES_NATIVE_append = " ima tpm tpm2 efi-secure-boot luks"
>
> # Remove undesirable features
> DISTRO_FEATURES_BACKFILL_CONSIDERED += "nfs"
> DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
> DISTRO_FEATURES_BACKFILL_CONSIDERED += "zeroconf"
>
> # Set up for signing RPMs
> # Inherit the sign_rpm_ext and user-key-store classes from the meta-secure-core
> # layer.  They provide some additional functionality.
> # If not using the meta-secure-core layer, uncomment the sign_rpm line and
> # comment out the sign_rpm_ext and user-key-store lines.
> # INHERIT += "sign_rpm"
> INHERIT += "sign_rpm_ext"
> INHERIT += "user-key-store"
>
> # NOTE: The two RPM_GPG lines cannot have spaces in their values.  It causes
> # the build to fail since the scripts cannot handle the space.
> RPM_GPG_NAME = "xxxxxxxx"
> RPM_GPG_PASSPHRASE = "yyyyyyyy"
>
> === End lewisos.conf ===
>
>
> And here is my bbappend for linux-intel:
>
> === Start linux-intel_%.bbappend ===
>
> FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> SRC_URI += "file://kernel_baseline.scc"
> KERNEL_IMAGEDEST = "boot/${DISTRO}-${DISTRO_VERSION}"
>
> FILES_kernel-image-bzimage = "/boot/${PV}/bzImage-${KERNEL_VERSION_NAME}"
>
> python do_package_prepend () {
>     os.remove(d.getVar('D') + '/' + d.getVar('KERNEL_IMAGEDEST') + '/bzImage')
> }
>
> require recipes-kernel/linux/linux-yocto-integrity.inc
>
> === End linux-intel_%.bbappend ===
>
>
> I’m removing symbolic links and putting the kernel and initramfs in
> version-specific directories because the /boot partition is vfat, which
> doesn’t support symbolic links, and if I kept the names as something like
> bzImage, then “dnf upgrade” would complain about multiple RPMs trying to
> own the same file.
>
> What am I missing? Where did I make a mistake? Does
> meta-secure-core, or Openembedded/Yocto in general, support upgrading from
> version X to version Y of an OS using just some command like “dnf upgrade”?
>
> If you need more information, please let me know.
>
> As one last piece of info, if I remove “ima” from DISTRO_FEATURES, the
> build hangs when trying to sign the RPMs.
>
> Thank you
>
> Lewis Muhlenkamp
>
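The "Operation not supported" in the upgrade log above is EOPNOTSUPP from setxattr: rpm's IMA plugin (the ima.c Alex points to) stores each file's signature in that file's security.ima extended attribute, and vfat, which the /boot partition is here, has no xattr support at all. The probe below is an added example, not code from this thread, from rpm or from meta-secure-core; it classifies destination paths by whether their filesystem can hold that attribute so the failure can be found before an upgrade is attempted, and the path list it is run on is constructed.

```python
"""Preflight probe for IMA-signed RPM installs (added example, not from the thread).

rpm's IMA plugin (plugins/ima.c) writes each file's signature into the file's
security.ima extended attribute while unpacking.  A filesystem with no xattr
support, such as the vfat EFI system partition mounted under /boot, rejects
that with EOPNOTSUPP, which strerror() renders as "Operation not supported".
"""
import errno
import os

IMA_XATTR = "security.ima"


def ima_xattr_state(path: str) -> str:
    """Classify a path by whether it can carry an IMA signature xattr.

    "signed":      security.ima is already present
    "unsigned":    xattrs work on this filesystem, no signature stored yet
    "unsupported": filesystem cannot store security.ima (rpm would fail here)
    "missing":     path does not exist
    Reading security.* needs no privilege, so this runs as any user.
    """
    try:
        os.getxattr(path, IMA_XATTR, follow_symlinks=False)
        return "signed"
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return "unsigned"
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported"
        if exc.errno == errno.ENOENT:
            return "missing"
        raise


def preflight(dest_paths):
    """Map each destination rpm could not sign to the path that was probed.

    A file installed for the first time does not exist yet, so the nearest
    existing ancestor directory is probed instead; it sits on the same
    filesystem and therefore has the same xattr support.
    """
    problems = {}
    for dest in dest_paths:
        probe = dest
        while not os.path.lexists(probe) and os.path.dirname(probe) != probe:
            probe = os.path.dirname(probe)
        if ima_xattr_state(probe) == "unsupported":
            problems[dest] = probe
    return problems
```

Run on the target with the ESP mounted, `preflight(["/boot/EFI/BOOT/bootx64.efi"])` reports the /boot entry, while the same call on an ext4 rootfs path returns an empty dict.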