coreycothrum / meta-mender-luks

mender with LUKS encrypted partitions
MIT License

Workspace example? #4

Closed Minipada closed 3 years ago

Minipada commented 3 years ago

Hi. First, thanks for providing this tool. I'm trying to set it up in my workspace and encountered some little issues here and there, but could hopefully create an image. I'm testing with Yocto dunfell on qemu-X64 at the moment with the linux-yocto kernel.

I managed to build the image, but I end up in the UEFI console. I tried starting grub from there, but I ended up with a black screen.

This is my current configuration:

MACHINE = "qemux86-64"

# MENDER-LUKS config
MENDER/KERNEL_PART_A_NAME                  = "kernela"
MENDER/KERNEL_PART_B_NAME                  = "kernelb"

require conf/include/mender-luks.inc
require conf/include/mender-kernel.inc

IMAGE_INSTALL_append = "packagegroup-mender-luks"
MENDER/KERNEL_PART_SIZE_MB = "128"
MENDER/LUKS_PASSWORD           = "password"

# MENDER Config
MENDER_FEATURES_ENABLE_append = " mender-grub mender-image-uefi"
MENDER_FEATURES_DISABLE_append = " mender-uboot mender-image-sd"

# Yocto config
RM_OLD_IMAGE = "1"

GLIBC_GENERATE_LOCALES = "en_US.UTF-8"
IMAGE_LINGUAS ?= "en-us"

NOHDD="1"
NOISO="1"

USER_CLASSES ?= "buildstats image-mklibs image-prelink"
PACKAGE_CLASSES = "package_deb"
PACKAGE_FEED_BASE_PATHS = "deb"
IMAGE_OVERHEAD_FACTOR = "1.0"
# debug-tweaks was listed twice; listed once here
EXTRA_IMAGE_FEATURES = "ssh-server-openssh package-management debug-tweaks splash tools-debug allow-empty-password post-install-logging tools-profile"

# Repeated plain assignments to DISTRO_FEATURES_remove overwrite each other,
# so only the last one ("ext2") would take effect; list them all in one assignment
DISTRO_FEATURES_remove = "bluetooth 3g nfc nfs ext2"

DISTRO_FEATURES_append = " systemd "
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

I used cryptsetup 2.3.2 on an Ubuntu server, compiled it myself to make it work. I am not sure what I am missing, but any help would be appreciated.

Edit: I tried enabling efi-secure-boot, but I have the same result.

coreycothrum commented 3 years ago

I don't have a publishable reference build, but it is on my list of things to do.

Unfortunately, I have not tested this with "qemu-X64" as the machine target. I'll use that as the target for the reference build when I'm able to. Hopefully soonish (sometime this week maybe).

Does mender need this layer for a qemu target? Is that enabled in your bblayers.conf? Have you got a standard mender image (i.e. a build without meta-mender-kernel or meta-mender-luks) to run on qemu?


You are probably the first person besides me to try and get this going. I know the README is currently a bit lacking. Feedback on anything you found confusing would be appreciated.

Minipada commented 3 years ago

Thanks for the prompt answer. With which machine did you test? Maybe I could give it a try. I have a standard working image for it with meta-mender-qemu, it only fails when adding the meta-mender-luks and dependent layers.

I had some issues with meta-mender-kernel mostly. Before doing a PR, you may want to check:

diff --git a/classes/mender-kernel-kernelimg.bbclass b/classes/mender-kernel-kernelimg.bbclass
index ec333f8..bedddea 100644
--- a/classes/mender-kernel-kernelimg.bbclass
+++ b/classes/mender-kernel-kernelimg.bbclass
@@ -68,7 +68,7 @@ do_mender_kernel_deploy_to_sysroot() {
     for ktype in ${KERNEL_IMAGETYPES}; do
       local base_name="$ktype"

-      cp "$src_dir/$base_name"{,.*} "$dst_dir/"
+      cp "$src_dir/$base_name"* "$dst_dir/"
     done

     for fstype in ${INITRAMFS_FSTYPES}; do
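Review bot: the original `"$src_dir/$base_name"{,.*}` depends on brace expansion, which the `/bin/sh` that BitBake uses for shell tasks (dash on Debian/Ubuntu) does not perform, so `cp` receives the literal `bzImage{,.*}` and the task fails; even under bash, `bzImage.*` matches none of the deployed names (they use `-`, e.g. `bzImage-<machine>.bin`), so the unmatched pattern is passed literally. The replacement `"$src_dir/$base_name"*` fixes that but is broader than the intent, since it also copies every `bzImage-*` variant in the deploy directory; if only the plain image is wanted, copy `"$src_dir/$base_name"` explicitly and guard any optional extras with a `[ -e ... ]` test, and either way add a comment saying which files are expected to match.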
diff --git a/classes/mender-kernel-part-images.bbclass b/classes/mender-kernel-part-images.bbclass
index bb50304..675626a 100644
--- a/classes/mender-kernel-part-images.bbclass
+++ b/classes/mender-kernel-part-images.bbclass
@@ -1,4 +1,5 @@
 IMAGE_TYPEDEP_sdimg   += "kernelimg"
 IMAGE_TYPEDEP_uefiimg += "kernelimg"
+IMAGE_TYPEDEP += "kernelimg"
 IMAGE_TYPEDEP_biosimg += "kernelimg"
 IMAGE_TYPEDEP_gptimg  += "kernelimg"
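Review bot: the added `IMAGE_TYPEDEP += "kernelimg"` has no suffix, and image.bbclass only reads the per-type form (`IMAGE_TYPEDEP_<fstype>`), so this line is not consulted when dependencies are resolved and will not make `kernelimg` run. Since `IMAGE_TYPEDEP_uefiimg` is already set two lines above, the missing dependency is more likely for whichever image type the qemu build actually produces; add that specific `IMAGE_TYPEDEP_<type>` line instead, and drop the unsuffixed one.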
diff --git a/classes/mender-kernel-vars.bbclass b/classes/mender-kernel-vars.bbclass
index 327d3c9..fe6944f 100644
--- a/classes/mender-kernel-vars.bbclass
+++ b/classes/mender-kernel-vars.bbclass
@@ -3,11 +3,12 @@
 ################################################################################
 MENDER/KERNEL_PART_A_NAME                  = "kernela"
 MENDER/KERNEL_PART_B_NAME                  = "kernelb"
-MENDER/KERNEL_EXTRA_PARTS                  = "${MENDER/KERNEL_PART_A_NAME} ${MENDER/KERNEL_PART_B_NAME}"
+MENDER/KERNEL_EXTRA_PARTS                  = "kernela kernelb"
+#${MENDER/KERNEL_PART_A_NAME} ${MENDER/KERNEL_PART_B_NAME}"

 MENDER_EXTRA_PARTS                        += "${MENDER/KERNEL_EXTRA_PARTS}"
-MENDER_EXTRA_PARTS[kernela]                = "--label=${MENDER/KERNEL_PART_A____NAME} --source rawcopy --sourceparams=file=${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.kernelimg --fstype=${MENDER/KERNEL_PART_FSTYPE_TO_GEN}"
-MENDER_EXTRA_PARTS[kernelb]                = "--label=${MENDER/KERNEL_PART_B____NAME} --source rawcopy --sourceparams=file=${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.kernelimg --fstype=${MENDER/KERNEL_PART_FSTYPE_TO_GEN}"
+MENDER_EXTRA_PARTS[kernela]                = "--label=kernela --source rawcopy --sourceparams=file=${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.kernelimg --fstype=${MENDER/KERNEL_PART_FSTYPE_TO_GEN}"
+MENDER_EXTRA_PARTS[kernelb]                = "--label=kernelb --source rawcopy --sourceparams=file=${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.kernelimg --fstype=${MENDER/KERNEL_PART_FSTYPE_TO_GEN}"
 MENDER_EXTRA_PARTS_SIZES_MB[kernela]       = "${MENDER/KERNEL_PART_SIZE_MB}"
 MENDER_EXTRA_PARTS_SIZES_MB[kernelb]       = "${MENDER/KERNEL_PART_SIZE_MB}"
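Review bot: hardcoding `kernela`/`kernelb` in `MENDER/KERNEL_EXTRA_PARTS` and in the `--label=` strings works around the four-underscore typo (`MENDER/KERNEL_PART_A____NAME` for `MENDER/KERNEL_PART_A_NAME`, likewise for B) but makes the name variables defined just above dead, so a user who overrides them in local.conf gets no effect; the minimal fix is to correct the references to `${MENDER/KERNEL_PART_A_NAME}` and `${MENDER/KERNEL_PART_B_NAME}` and remove the commented-out leftover line. Note also that the varflag keys `MENDER_EXTRA_PARTS[kernela]` and `MENDER_EXTRA_PARTS_SIZES_MB[kernela]` are hardcoded in both versions, so overriding the name variables would already mismatch those flags; either document that the names are fixed or derive the keys from the same variables.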

Changes I made, in the order of the patch:

  1. Without this change, the cp is not executed. I am not sure what you wanted to do, how you wanted it to expand but this change solved the issue.
  2. I don't know why, but kernelimg was not done...
  3. ${MENDER/KERNEL_PART_A____NAME} and ${MENDER/KERNEL_PART_B____NAME} don't exist. I hardcoded kernela and b, but now I just notice that it's probably a typo with the number of underscores.

I am very interested in using mender+encrypted drive in the long run, so I'd be happy to help and support in general.
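As an added illustration of the first change above (this is not code from the thread or from meta-mender-kernel), the script below reproduces why the brace form of the `cp` line fails while the plain glob works. It constructs a throwaway deploy directory with the kind of file names linux-yocto produces (`bzImage` symlink plus `bzImage-<machine>.bin`, both constructed here) and runs each `cp` variant through `sh`, as a BitBake shell task would.

```shell
#!/bin/sh
# Added example, not part of the thread. Shows the two cp forms from the
# mender-kernel-kernelimg.bbclass hunk against a constructed deploy directory.
set -u

# Constructed stand-in for tmp/deploy/images/<machine>/: a bzImage symlink
# pointing at the versioned image, as the kernel deploy step produces.
make_fake_deploy() {
  dir=$(mktemp -d)
  : > "$dir/bzImage-qemux86-64.bin"            # constructed sample image
  ln -s bzImage-qemux86-64.bin "$dir/bzImage"  # constructed symlink
  printf '%s\n' "$dir"
}

# Original line. Under dash (Debian/Ubuntu /bin/sh) there is no brace
# expansion, so cp gets the literal 'bzImage{,.*}'. Under bash the brace
# expands, but 'bzImage.*' matches no deployed name (they use '-', not '.'),
# so the pattern is passed literally and cp still exits non-zero.
# Returns cp's exit status.
copy_with_brace() {  # $1 = src dir, $2 = dst dir
  sh -c 'cp "$1/bzImage"{,.*} "$2/"' sh "$1" "$2" 2>/dev/null
}

# Patched line. A plain glob is expanded by every POSIX shell and matches
# both 'bzImage' and 'bzImage-qemux86-64.bin'.
copy_with_glob() {   # $1 = src dir, $2 = dst dir
  sh -c 'cp "$1/bzImage"* "$2/"' sh "$1" "$2"
}

# Number of entries copied into a destination directory.
count_files() { ls -A "$1" | wc -l | tr -d ' '; }

# Stand-alone run: the first copy fails, the second copies two files.
if [ "${1:-}" = "demo" ]; then
  src=$(make_fake_deploy)
  a=$(mktemp -d); b=$(mktemp -d)
  copy_with_brace "$src" "$a" && echo "brace form: ok" || echo "brace form: failed"
  copy_with_glob "$src" "$b" && echo "glob form: copied $(count_files "$b") file(s)"
fi
```

Run with `sh script.sh demo`; the output is the same whether `/bin/sh` is dash or bash, which is the point of the patched line.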

coreycothrum commented 3 years ago

I'd recommend a fresh pull. I was sort of in the middle of getting all this framework stuff ready to go, and I haven't been shy rebasing stuff.

I've significantly updated the README. Refer there for a bit of info on my build environment (i.e. my Dockerfile).

I've tested this using kas to generate the bitbake environment. QEMU machine type builds/runs for me with these commands:

cd $YOCTO_WORKDIR

# build image
kas build $YOCTO_WORKDIR/meta-mender-luks/kas/reference_builds/kas.min.x86-64.yml:$YOCTO_WORKDIR/meta-mender-luks/kas/reference_builds/kas.qemu.yml

# run w/ QEMU
source $YOCTO_WORKDIR/poky/oe-init-build-env $YOCTO_WORKDIR/build
qemu-system-x86_64 -m 1G -drive file=/yocto_workspace/kern_tmp/build/tmp/deploy/images/qemux86-64/ovmf.qcow2,if=pflash,format=qcow2,unit=0,readonly=on    \
                         -drive file=/yocto_workspace/kern_tmp/build/tmp/deploy/images/qemux86-64/ovmf.vars.qcow2,if=pflash,format=qcow2,unit=1           \
                         -drive file=/yocto_workspace/kern_tmp/build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.uefiimg,if=ide,format=raw \
                         -net user,hostfwd=tcp::8822-:22    \
                         -net nic,macaddr=52:54:00:6e:bd:37 \
                         -display vnc=:23 -nographic

qemu-system-x86_64 required memory to be increased from the default (e.g. -m 1G); otherwise grub gave an out of memory error.


Otherwise, all my functional testing has been on actual HW (x86_64).