Open westurner opened 4 years ago
In reading /root/.bash_history (and /var/log/dnf.log*) in fedora-pinebookpro-gnome-0.8.img.xz, I noticed the SELinux policy modules /root/modules/disk1.pp and /root/modules/*.te. What are these for / [why] are they necessary [after relabeling]?
With fedora-arm-image-installer, you can specify fedora-arm-image-installer --selinux=on --relabel; which enables selinux by setting SELINUX=enforcing in /etc/selinux/config and touches /.autorelabel (which causes the next boot to take quite a while due to running restorecon on everything in /):
https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer
/root/.bash_history is not at all a complete log of the image build.
FWIW, you can log all commands run as any user with auditd:
$ cat >> /etc/audit/audit.rules <<EOF
# Log all commands
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
EOF
$ cat >> /etc/audit/audit.rules <<EOF
# Log all commands run as root (effective UID=0)
-a exit,always -F arch=b32 -F euid=0 -S execve
-a exit,always -F arch=b64 -F euid=0 -S execve
EOF
I think -F b64 just works on aarch64, but haven't tested it yet:
https://github.com/linux-audit/audit-userspace/blob/4e03eb0c5c/lib/libaudit.c#L1316
$ man audit.rules
# [...]
When you specify a syscall name, auditctl will look up the name and get
its syscall number. This leads to some problems on bi-arch machines.
The 32 and 64 bit syscall numbers sometimes, but not always, line
up. So, to solve this problem, you would generally need to break the
rule into 2 with one specifying -F arch=b32 and the other specifying
-F arch=b64. This needs to go in front of the -S option so that
auditctl looks at the right lookup table when returning the number.
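With execve rules like the ones above loaded, each command is logged (by default in /var/log/audit/audit.log) as a SYSCALL record plus an EXECVE record that share one event ID. The following Python sketch is an added example, not part of the original thread: it rebuilds command lines from such records, including hex-encoded arguments. The sample records are constructed, the function names are hypothetical, and arguments split across several fields (a0[0]=...) are not handled.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample records (not taken from a real image build).
# arch=c00000b7 is AUDIT_ARCH_AARCH64, where execve is syscall 221.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1588012345.123:420): arch=c00000b7 syscall=221 success=yes exit=0 ppid=811 pid=902 auid=1000 uid=0 euid=0 comm="semodule" exe="/usr/sbin/semodule" key=(null)
type=EXECVE msg=audit(1588012345.123:420): argc=3 a0="semodule" a1="-i" a2="/root/modules/disk1.pp"
type=SYSCALL msg=audit(1588012350.456:421): arch=c00000b7 syscall=221 success=yes exit=0 ppid=811 pid=903 auid=1000 uid=1000 euid=1000 comm="touch" exe="/usr/bin/touch" key=(null)
type=EXECVE msg=audit(1588012350.456:421): argc=2 a0="touch" a1=2F746D702F6D792066696C65
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; unquoted ones are hex (arg had spaces or specials)."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex, e.g. (null)

def commands(log_text, only_root=False):
    """Return (timestamp, euid, command line) per execve event, in log order."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events[(float(ts), int(serial))]  # records of one event share this ID
        if rtype == "SYSCALL":
            ev["euid"] = int(fields.get("euid", -1))
        elif rtype == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [decode(fields.get(f"a{i}", '""')) for i in range(argc)]
    out = []
    for (ts, _serial), ev in sorted(events.items()):
        if "argv" not in ev or (only_root and ev.get("euid") != 0):
            continue
        out.append((ts, ev.get("euid"), shlex.join(ev["argv"])))
    return out
```

Passing only_root=True keeps just the events whose SYSCALL record has euid=0, which mirrors the second pair of rules above.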
Search terms:
rk3399-excavator? https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer
# write uboot
echo "= Writing idbloader.img for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/idbloader.img of=$MEDIA seek=64; sync; sleep 5
echo "= Writing u-boot FIT image for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/u-boot.itb of=$MEDIA seek=16384; sync; sleep 5
# set console for Rockchips
SYSCON=ttyS2,1500000n8
We don't currently support setting up any of the rk3399 devices via this tool. It's quite complex to do those devices. The process will likely be supported by a different tool. Patches or ideas as always are welcome.
trust.img somewhere?
For with SPL:
dd if=idbloader.img of=sdb seek=64
dd if=u-boot.itb of=sdb seek=16384
dd if=boot.img of=sdb seek=32768
dd if=rootfs.img of=sdb seek=262144
For with miniloader:
dd if=idbloader.img of=sdb seek=64
dd if=uboot.img of=sdb seek=16384
dd if=trust.img of=sdb seek=24576
dd if=boot.img of=sdb seek=32768
dd if=rootfs.img of=sdb seek=262144
create_emmc_install()
create_img()
"U-Boot with pinebook pro support patches" https://git.eno.space/pbp-uboot.git
(This is apparently what guix uses)
Kernel args:
ethaddr=${ethaddr} eth1addr=${eth1addr} serial=${serial#}
video=HDMI-A-1:1920x1080@60 video=eDP-1:1920x1080@60 vga=current
earlycon=uart8250,mmio32,0xff1a0000
The debian u-boot changelog mentions "pinebookpro" and "rk3399": https://launchpad.net/debian/+source/u-boot/2020.04+dfsg-2 :
u-boot (2020.04+dfsg-2) unstable; urgency=medium
  * debian/patches:
    - Remove dreamplug cache patch, fixed upstream.
    - Add patches submitted upstream to support pinebook pro.
  * u-boot-rockchip:
    - Add support for rockpro64-rk3399.
    - Add support for pinebook-pro-rk3399.
    - Add u-boot-install-rockchip helper script.
 -- Vagrant Cascadian <vagrant@debian.org> Mon, 20 Apr 2020 19:34:37 -0700
0001-video-simple_panel-add-boe-nv140fhmn49-display.patch
0002-dt-bindings-input-adopt-Linux-gpio-keys-binding-cons.patch
0003-dt-bindings-leds-adopt-Linux-leds-common-binding-con.patch
0004-arm-dts-rockchip-Add-initial-DT-for-Pinebook-Pro.patch
0005-Add-initial-support-for-the-Pinebook-Pro-laptop-from.patch
0006-drivers-video-rockchip-fix-building-eDP-and-LVDS-dri.patch
Source: https://apps.fedoraproject.org/packages/uboot-tools
Source: https://apps.fedoraproject.org/packages/uboot-images-armv8
Changelog: https://apps.fedoraproject.org/packages/uboot-images-armv8/changelog/ :
2020-04-20 - Peter Robinson <pbrobinson@fedoraproject.org> - 2020.04-2
- Fix ATF for new aarch64 devices
- Fix Wandboard board detection (rhbz 1825247)
- Fix mSD card on RockPro64
- Enable (inital) Pinebook Pro
Package Build Spec: https://apps.fedoraproject.org/packages/uboot-images-armv8/sources/spec/
pinebook-pro files in https://fedora.pkgs.org/32/fedora-aarch64/uboot-images-armv8-2020.04-2.fc32.noarch.rpm.html :
/usr/share/uboot/pinebook-pro-rk3399/idbloader.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot-dtb.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.bin
/usr/share/uboot/pinebook-pro-rk3399/u-boot.dtb
/usr/share/uboot/pinebook-pro-rk3399/u-boot.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.itb
https://github.com/rockchip-linux/u-boot/tree/next-dev/board/rockchip
ethaddr=${ethaddr} eth1addr=${eth1addr} serial=${serial#}
video=HDMI-A-1:1920x1080@60 video=eDP-1:1920x1080@60 vga=current
earlycon=uart8250,mmio32,0xff1a0000
#maxcpus=4
#maxcpus=6
https://pagure.io/arm-image-installer/issue/52#comment-658679 suggests:
Had success installing F32 with the arm-image-installer using
sudo arm-image-installer --addconsole --addkey ~/.ssh/id_rsa.pub --relabel --resizefs --image=/opt/downloads/Pine64/Fedora-Minimal-32-1.6.aarch64.raw.xz --media=/dev/sdb --target=rock64-rk3328
However, I had to rename or create the board file /usr/share/arm-image-installer/boards.d/rock64-rk3328
# write uboot
echo "= Writing idbloader.img for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/idbloader.img of=$MEDIA seek=64; sync; sleep 5
echo "= Writing u-boot FIT image for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/u-boot.itb of=$MEDIA seek=16384; sync; sleep 5
# set console for Rockchips
SYSCON=ttyS2,1500000n8
Wondering how much of these setup scripts can be used for the Pinebook Pro? https://github.com/nikhiljha/pp-fedora-sdsetup
Is this script all that's specific to the PinePhone? https://github.com/nikhiljha/pp-fedora-sdsetup/blob/master/phone-scripts/02-install-packages.sh
I copied/pasted together a script that is working. It would be nice if someone could help with testing. https://github.com/bengtfredh/pinebook-pro-fedora-installer.git
Hey are those selinux modules (from fedora-pinebookpro-gnome-0.8.img.xz) that I inlined in https://github.com/smithmcgriff/Fedora-on-pinebookpro/issues/5#issuecomment-621065372 from audit2allow?
Who could advise on these .pp policies for Fedora 33+?
Are there build scripts for this?