Build scripts?

[westurner]

Are there build scripts for this?

[westurner]

selinux modules, logging commands run (as root)

In reading /root/.bash_history (and /var/log/dnf.log*) in fedora-pinebookpro-gnome-0.8.img.xz, I noticed the SELinux policy modules /root/modules/disk1.pp and /root/modules/*.te. What are these for / [why] are they necessary [after relabeling]?

With fedora-arm-image-installer, you can specify fedora-arm-image-installer --selinux=on --relabel; which enables selinux by setting SELINUX=enforcing in /etc/selinux/config and touches /.autorelabel (which causes the next boot to take quite awhile due to running restorecon on everything in /): https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer

Inlined copy of `/root/modules/*.te`

```bash [root@mb2 modules]# (for f in *.te; do echo "#### $f ####"; cat "$f"; echo -e "\n"; done) #### disk1.te #### module disk1 1.0; require { type unlabeled_t; type local_login_t; class file read; } #============= local_login_t ============== allow local_login_t unlabeled_t:file read; #### mod1.te #### module mod1 1.0; require { type iptables_t; type kernel_t; class fifo_file read; } #============= iptables_t ============== allow iptables_t kernel_t:fifo_file read; #### mod2.te #### module mod2 1.0; require { type systemd_logind_t; type unlabeled_t; type system_dbusd_t; type systemd_hostnamed_t; type systemd_localed_t; type xdm_t; class file { getattr open read }; } #============= system_dbusd_t ============== allow system_dbusd_t unlabeled_t:file { getattr open }; #============= systemd_hostnamed_t ============== allow systemd_hostnamed_t unlabeled_t:file { getattr open read }; #============= systemd_localed_t ============== allow systemd_localed_t unlabeled_t:file { getattr open read }; #============= systemd_logind_t ============== allow systemd_logind_t unlabeled_t:file { getattr open read }; #============= xdm_t ============== allow xdm_t unlabeled_t:file { getattr open read }; #### mod4.te #### module mod4 1.0; require { type initrc_t; type policykit_auth_t; type init_t; type chkpwd_t; type unconfined_service_t; type policykit_t; type user_devpts_t; class process { noatsecure rlimitinh siginh }; class chr_file { read write }; } #============= chkpwd_t ============== allow chkpwd_t user_devpts_t:chr_file { read write }; #============= init_t ============== allow init_t initrc_t:process siginh; allow init_t unconfined_service_t:process siginh; #============= policykit_t ============== allow policykit_t policykit_auth_t:process { noatsecure rlimitinh siginh }; #### mod5.te #### module mod5 1.0; require { type chkpwd_t; type unconfined_t; type unlabeled_t; type xdm_t; class file { getattr open read }; class process noatsecure; } #============= xdm_t ============== allow xdm_t chkpwd_t:process noatsecure; allow xdm_t unconfined_t:process noatsecure; #!!!! This avc is allowed in the current policy allow xdm_t unlabeled_t:file { getattr open read }; #### mod6.te #### module mod6 1.0; require { type rpm_var_lib_t; type xdm_t; type unlabeled_t; type init_t; type chkpwd_t; type unconfined_t; type abrt_t; class dir mounton; class process { noatsecure rlimitinh siginh }; class file write; } #============= abrt_t ============== allow abrt_t rpm_var_lib_t:file write; #============= init_t ============== allow init_t chkpwd_t:process siginh; allow init_t unconfined_t:process siginh; allow init_t unlabeled_t:dir mounton; #============= xdm_t ============== #!!!! This avc is allowed in the current policy allow xdm_t chkpwd_t:process noatsecure; allow xdm_t chkpwd_t:process { rlimitinh siginh }; #!!!! This avc is allowed in the current policy allow xdm_t unconfined_t:process noatsecure; allow xdm_t unconfined_t:process siginh; #### mod8.te #### module mod8 1.0; require { type unlabeled_t; type groupadd_t; type useradd_t; class file read; } #============= groupadd_t ============== allow groupadd_t unlabeled_t:file read; #============= useradd_t ============== allow useradd_t unlabeled_t:file read; #### mod9.te #### module mod9 1.0; require { type session_dbusd_tmp_t; type systemd_logind_t; class sock_file unlink; } #============= systemd_logind_t ============== allow systemd_logind_t session_dbusd_tmp_t:sock_file unlink; ```

/root/.bash_history is not at all a complete log of the image build. FWIW, you can log all commands run as any user with auditd:

$ cat >> /etc/audit/audit.rules <<EOF

# Log all commands
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
EOF

$ cat >> /etc/audit/audit.rules <<EOF

# Log all commands run as root (effective UID=0)
-a exit,always -F arch=b32 -F euid=0 -S execve 
-a exit,always -F arch=b64 -F euid=0 -S execve 
EOF

I think -F b64 just works on aarch64, but haven't tested it yet: https://github.com/linux-audit/audit-userspace/blob/4e03eb0c5c/lib/libaudit.c#L1316

$ man audit.rules
# [...]

 When you specify a syscall name, auditctl will look up the name and get
 its syscall number. This leads to some problems on bi-arch  machines.
 The  32  and  64  bit syscall  numbers sometimes, but not always, line
 up. So, to solve this problem, you would generally need to break the
 rule into 2 with one specify‐ing -F arch=b32 and the other specifying
 -F arch=b64. This needs to go in front of the -S option so that
 auditctl looks at the right  lookup  table when returning the number.

Boot config

Search terms:

• "Pinebook Pro"
• "pinebookpro"
• "rk3399"
• "evb-rk3399"
• "pbpro"
• "pbp"

Rockchip docs:

• http://opensource.rock-chips.com/wiki_Boot_option
• http://rockchip.wikidot.com/linux-user-guide > "Booting from SD card"
  • [ ] Is the Pinebook Pro an rk3399-excavator ?

fedora-arm-image-installer

https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer

• https://pagure.io/arm-image-installer/blob/master/f/socs.d/Rockchips-ARMv8

  # write uboot
  echo "= Writing idbloader.img for $TARGET .... on media $MEDIA"
  dd if=$PREFIX/usr/share/uboot/$TARGET/idbloader.img of=$MEDIA seek=64; sync; sleep 5
  echo "= Writing u-boot FIT image for $TARGET .... on media $MEDIA"
  dd if=$PREFIX/usr/share/uboot/$TARGET/u-boot.itb of=$MEDIA seek=16384; sync; sleep 5
  # set console for Rockchips
  SYSCON=ttyS2,1500000n8

• https://pagure.io/arm-image-installer/issue/52 "Missing rock64 file in board.d directory."
• https://pagure.io/arm-image-installer/issue/42

  We don't currently support setting up any of the rk3399 devices via this tool. It's quite complex to do those devices. The process will likely be supported by a different tool. Patches or ideas as always are welcome.

how to dd u-boot for rk3399 devices

• [ ] Is there an already-built trust.img somewhere?
  • [ ] Is this necessary for pinebook pro? manjaro-arm-tools doesn't write a trust.img for pbpro
• http://opensource.rock-chips.com/wiki_Boot_option#Boot_from_SD.2FTF_Card

  For with SPL:

  dd if=idbloader.img of=sdb seek=64
  dd if=u-boot.itb of=sdb seek=16384
  dd if=boot.img of=sdb seek=32768
  dd if=rootfs.img of=sdb seek=262144

  For with miniloader:

  dd if=idbloader.img of=sdb seek=64
  dd if=uboot.img of=sdb seek=16384
  dd if=trust.img of=sdb seek=24576
  dd if=boot.img of=sdb seek=32768
  dd if=rootfs.img of=sdb seek=262144

manjaro-arm-tools

• "pbpro"
  • https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-tools/-/blob/90b49c55884a2c2945d32c86d80b599ca85cbd18/lib/functions.sh#L438
  • create_emmc_install()
  • create_img()
  • create partitions w/ parted
  • flash bootloader

pbp-uboot: U-Boot with Pinebook Pro support patches

"U-Boot with pinebook pro support patches" https://git.eno.space/pbp-uboot.git

• (This is apparently what guix uses)

  • "[PATCH 0/2] Add initial Pinebook Pro support" https://issues.guix.gnu.org/issue/39617 https://gitlab.com/janneke/guix/-/blob/wip-pinebook-pro/gnu/system/examples/pinebook-pro.tmpl

  Kernel args:

  ethaddr=${ethaddr} eth1addr=${eth1addr} serial=${serial#}
  video=HDMI-A-1:1920x1080@60 video=eDP-1:1920x1080@60 vga=current

  • http://opensource.rock-chips.com/wiki_Rockchip_Kernel
    • kernel args: earlycon=uart8250,mmio32,0xff1a0000
• [ ] Merge these into u-boot if appropriate? (4/29 sent an email to @anarsoul ) #
  • https://git.eno.space/pbp-uboot.git/tree/arch/arm/mach-rockchip/rk3399/Kconfig
  • https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399
  • https://git.eno.space/pbp-uboot.git/tree/configs/pinebook_pro-rk3399_defconfig
  • https://github.com/u-boot/u-boot/blob/master/configs/pinebook_pro-rk3399_defconfig
  • https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399/pinebook-pro-rk3399.c
  • https://github.com/u-boot/u-boot/blob/master/board/pine64/rockpro64_rk3399/rockpro64-rk3399.c
  • https://github.com/u-boot/u-boot/blob/master/board/rockchip/evb_rk3399/evb-rk3399.c
  • https://github.com/rockchip-linux/u-boot/blob/next-dev/board/rockchip/evb_rk3399/evb-rk3399.c

debian u-boot package

The debian u-boot changelog mentions "pinebookpro" and "rk3399": https://launchpad.net/debian/+source/u-boot/2020.04+dfsg-2 :

  u-boot (2020.04+dfsg-2) unstable; urgency=medium

  * debian/patches:
    - Remove dreamplug cache patch, fixed upstream.
    - Add patches submitted upstream to support pinebook pro.
  * u-boot-rockchip:
    - Add support for rockpro64-rk3399.
    - Add support for pinebook-pro-rk3399.
    - Add u-boot-install-rockchip helper script.

-- Vagrant Cascadian <vagrant@debian.org>  Mon, 20 Apr 2020 19:34:37 -0700

• https://salsa.debian.org/debian/u-boot/-/tree/debian/master/debian/patches/pinebook-pro :

  0001-video-simple_panel-add-boe-nv140fhmn49-display.patch
  0002-dt-bindings-input-adopt-Linux-gpio-keys-binding-cons.patch
  0003-dt-bindings-leds-adopt-Linux-leds-common-binding-con.patch
  0004-arm-dts-rockchip-Add-initial-DT-for-Pinebook-Pro.patch
  0005-Add-initial-support-for-the-Pinebook-Pro-laptop-from.patch
  0006-drivers-video-rockchip-fix-building-eDP-and-LVDS-dri.patch

• https://salsa.debian.org/debian/u-boot/-/blob/master/debian/patches/pinebook-pro/0005-Add-initial-support-for-the-Pinebook-Pro-laptop-from.patch
• https://salsa.debian.org/debian/u-boot/-/blob/master/debian/bin/u-boot-install-rockchip
• https://salsa.debian.org/debian/u-boot/-/tree/master/arch/arm/mach-rockchip/rk3399
• https://salsa.debian.org/debian/u-boot/-/tree/master/board/rockchip/evb_rk3399
• https://salsa.debian.org/debian/u-boot/-/blob/master/board/pine64/rockpro64_rk3399/rockpro64-rk3399.c
  • [ ] Merge from the longer https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399/pinebook-pro-rk3399.c ?

fedora uboot-images-armv8

Source: https://apps.fedoraproject.org/packages/uboot-tools Source: https://apps.fedoraproject.org/packages/uboot-images-armv8

Changelog: https://apps.fedoraproject.org/packages/uboot-images-armv8/changelog/ :

2020-04-20 - Peter Robinson <pbrobinson@fedoraproject.org> - 2020.04-2
- Fix ATF for new aarch64 devices
- Fix Wandboard board detection (rhbz 1825247)
- Fix mSD card on RockPro64
- Enable (inital) Pinebook Pro

Package Build Spec: https://apps.fedoraproject.org/packages/uboot-images-armv8/sources/spec/

pinebook-pro files in https://fedora.pkgs.org/32/fedora-aarch64/uboot-images-armv8-2020.04-2.fc32.noarch.rpm.html :

/usr/share/uboot/pinebook-pro-rk3399/idbloader.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot-dtb.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.bin
/usr/share/uboot/pinebook-pro-rk3399/u-boot.dtb
/usr/share/uboot/pinebook-pro-rk3399/u-boot.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.itb

rockchip U-Boot Custodian Tree

• https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip
• https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/blob/master/board/pine64/rockpro64_rk3399/rockpro64-rk3399.c
  • [ ] Merge from the apparently longer https://git.eno.space/pbp-uboot.git/tree/board/pine64/pinebook_pro_rk3399/pinebook-pro-rk3399.c ?

rockchip-linux

https://github.com/rockchip-linux/u-boot/tree/next-dev/board/rockchip

• https://github.com/rockchip-linux/u-boot/blob/next-dev/board/rockchip/evb_rk3399/evb-rk3399.c

kernel args

ethaddr=${ethaddr} eth1addr=${eth1addr} serial=${serial#} 
video=HDMI-A-1:1920x1080@60 video=eDP-1:1920x1080@60 vga=current
earlycon=uart8250,mmio32,0xff1a0000
#maxcpus=4
#maxcpus=6

[westurner]

https://pagure.io/arm-image-installer/issue/52#comment-658679 suggests:

Had success installing F32 with the arm-image-installer using sudo arm-image-installer --addconsole --addkey ~/.ssh/id_rsa.pub --relabel --resizefs --image=/opt/downloads/Pine64/Fedora-Minimal-32-1.6.aarch64.raw.xz --media=/dev/sdb --target=rock64-rk3328

However, I had to rename or create the board file /usr/share/arm-image-installer/boards.d/rock64-rk3328

# write uboot
echo "= Writing idbloader.img for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/idbloader.img of=$MEDIA seek=64; sync; sleep 5
echo "= Writing u-boot FIT image for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/u-boot.itb of=$MEDIA seek=16384; sync; sleep 5
# set console for Rockchips
SYSCON=ttyS2,1500000n8

[westurner]

Wondering how much of these setup scripts can be used for the Pinebook Pro? https://github.com/nikhiljha/pp-fedora-sdsetup

Is this script all that's specific to the PinePhone? https://github.com/nikhiljha/pp-fedora-sdsetup/blob/master/phone-scripts/02-install-packages.sh

[bengtfredh]

I copy/paste together a script that is working. It is nice if somone can help testing. https://github.com/bengtfredh/pinebook-pro-fedora-installer.git

[westurner]

Hey are those selinux modules (from fedora-pinebookpro-gnome-0.8.img.xz) that I inlined in https://github.com/smithmcgriff/Fedora-on-pinebookpro/issues/5#issuecomment-621065372 from audit2allow? Who could advise on these .pp policies for Fedora 33+?

[westurner]

https://github.com/major/stopdisablingselinux.com