The public-key repo is different in opendev and other projects.
The integ is just referencing the sha from the opendev public-key.
Story: 2010550
Task: 47537
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Iafdb523bc06eb79740f7c2e6ca5066674b95f792
The Debian packaging has been changed to reflect all the
latest git commits under the directory, pointed as usable, and to
improve pkg-versioning addressing the first commit as start point to
debian build packages.
This commit add GITREVCOUNT and remove PKG_GITREVCOUNT of the packages
to calculate git revisions relative to package's source git repository,
instead of count git revisions relative only to package's debian
folder. This ensures that any new code submissions under those
directories will increment the versions.
The commit SHA 9b545c5e19 was chosen to be the BASE_SRCREV of the
base-passwd's metadata because is the commit that creates the
debian directory with build files structure for this package.
(maintained base-passwd version .stx.8)
The commit SHA 698c14ccef was chosen to be the BASE_SRCREV of the
puppet-ldap's metadata because is the commit that creates the
debian directory with build files structure for this package.
(maintained puppet-ldap version .stx.2)
The commit SHA 39bc6c35f1 was chosen to be the BASE_SRCREV of the
ldapscripts's metadata because is the commit that creates the
debian directory with build files structure for this package.
(maintained ldapscripts version .stx.4)
The commit SHA 2821680c8b was chosen to be the BASE_SRCREV of the
openldap's metadata because is the commit that creates the debian
directory with build files structure for this package.
(maintained openldap version .stx.9)
The commit SHA f043585c65 was chosen to be the BASE_SRCREV of the
openscap's metadata because is the commit that creates the debian
directory with build files structure for this package.
(maintained openscap version .stx.3)
The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
keyrings.alt's metadata because is the commit that creates the
debian directory with build files structure for this package.
(maintained keyring.alt version .stx.4)
The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
python-keyring's metadata because is the commit that creates the
debian directory with build files structure for this package.
(maintained python-keyring version .stx.4)
Test Plan:
PASS: Verify package versions are updated as expected.
PASS: build-pkgs -c -p base-passwd
PASS: build-pkgs -c -p puppet-ldap
PASS: build-pkgs -c -p ldapscripts
PASS: build-pkgs -c -p openldap
PASS: build-pkgs -c -p openscap
PASS: build-pkgs -c -p keyrings.alt
PASS: build-pkgs -c -p python-keyrings
Story: 2010550
Task: 47496
Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
Change-Id: I32b47348ece39ea88b3c5aeb0d1e64c6d3e7a6b5
This commit fixes lint errors identified by Zuul after stx-integ-pylint
job is executed.
Test Plan:
PASS: stx-integ-pylint job is executed successfully.
PASS: Run "yamllint ." command on integ repo base directory. Observe
that no lint errors of line-length, truthy, indentation,
new-line-at-end-of-file and document-start are listed.
PASS: build-pkgs -a -c
Closes-Bug: 2011632
Change-Id: I4d8229b5de8c9d88ff2aab6169521ab377b5866c
Signed-off-by: Manoel Benedito Neto <manoel.beneditoneto@windriver.com>
Add SRC_GITREVCOUNT to calculate the relevant git commits of
"src_path" or "src_files" to package's revision.
Test Plan:
Pass: build-pkgs -c -p systemd-presets,shim
Pass: Observe relevant git commits of 'src_path' or 'src_files'
are added to package's revision
Story: 2010550
Task: 47537
Depends-On: https://review.opendev.org/c/starlingx/root/+/875584
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I9852f534c53664e89e8b0082d2e68b3d9333d6f9
Upgrade Openscap tool to release 1.3.6, using the debianized version
1.3.6+dsfg-6 for the packaging files available at
https://salsa.debian.org/debian/openscap/-/blob/debian/1.3.6+dfsg-6/debian/changelog
Didn't change any files or patches.
Segmentation faults during Openscap usage seen in Starlingx were
fixed in this release of Openscap, and are the reason of this upgrade.
Test Plan:
PASS: Build iso.
PASS: Deploy AIO-SX.
PASS: Check version (oscap --version). Result should be 1.3.6.
PASS: Run openscap using one of default manifests. There should be no
segmentation fault issues. Command i.e.:
"oscap xccdf eval --profile \
xccdf_org.ssgproject.content_profile_anssi_np_nt28_high \
--report controller-0-report.html \
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml".
Closes-Bug: 2006782
Signed-off-by: Marcelo de Castro Loebens <Marcelo.DeCastroLoebens@windriver.com>
Change-Id: I34ff193227ae51ec709b7d69b6a97abc074721f3
New git repo cgcs-root/public-keys is available now for public
keys used in secure boot process.
This commit moves the keys from integ to the git repo.
Keys involved:
boot_pub_key
tis-boot.crt
tis-shim.der
For grub-efi, the "src_files" in meta_data.yaml can't cause
the files copied to source code dir when "dl_hook" exists.
So remove the useless "src_files" settings here.
Test plan:
The tests are done with all the changes which involve
public-keys/integ/root repos for this enhancement about pub keys.
- PASS: rebuild gurb-efi/efitools/shim packages;
- PASS: follow the process to build iso image for secure boot;
- PASS: installation test on AIO-DX lab with secure boot enabled.
Story: 2009221
Task: 47358
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I8cde2acfbe90872151f871c3e01a0e45ad8c4c6c
The debian version did not match the downloaded
tarball.
The build break issue was introduced when this merged
https://review.opendev.org/c/starlingx/integ/+/860297
Test Plan:
downloader -b -s -B std,rt
build-pkgs -c python-keyring
Story: 2010353
Task: 46503
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I4a19bacf11fc45e3c9be5c4666554f17e93057e2
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use shim version: 15+1533136590.3beb971.
Although there was a debian package for shim here, it wasn't
effective because LAT didn't use it (the shim version in use is
12+gitAUTOINC+5202f80c32). So I abandon it and choose a proper
version for this porting.
I choose this version because it should be matched with the grub image.
shim 15.3 introduced and now mandates SBAT.
This means that shim 15.3+ will not launch any EFI binaries
without a .sbat section.
Use tis-shim.der (another format for tis-shim.crt) to verify grub
image's signature.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46401
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I2449ac9bbad7635b095a66309f77765a8a01cd1b
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Add efitools 1.9.2-1 for debian.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46400
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I672f0c0182bf894d10c508b83b959eec47971ceb
Before Bullseye got released openscap was removed
from the repository because it had some installability
issues according to the bug reports. Most notably it
hard codes to a specific version of Perl.
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993328)
This has been fixed in newer versions of openscap,
so in order to make life easier just use the newer
release tarball from Github, along with the Debian
packaging from Debian Experimental. This approach was
taken because the source package was not in versioned
control yet in the Debian's git repository yet. Once
it has been included then the current strategy can
be revisitied. No changes were made to the original
Debian packaging.
Test Plan
Build openscap package.
Install ISO
Run openscap binary
Story: 2009964
Task: 45395
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I7f646cd940aaa6871f3f184498b3e3f3689724fd
Distro layer package 'python-keyring' has a dependency on flock layer
package 'tsconfig'. This is s violation of the layering policy,
preventing successful layerd builds.
Get the SW_VERSION via parsing the /etc/build.info file instead of the
tsconfig.tsconfig python module at run time. We do this so that
python-keyring no longer has a runtime dependency on tsconfig.
Test Plan:
Pass: build python-keyring
Pass: put the codes in a test.py. get the SW_VERSION variable by run the
test.py in an environment in which build-info is installed.
Pass: trigger exception if removing /etc/build.info, or no SW_VERSION
in the file.
Closes-Bug: https://bugs.launchpad.net/starlingx/+bug/1968611
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I7f0c4eaae7aacf5bcbef082817dc99a62600a162
This work is part of Debian integration effort.
This work only affects Debian.
Cannot obtain password from keyring when doing 'source
/etc/platform/openrc' from sysadmin user.
Due to a comparison with a wrong octal permissions string, code that
requires elevation is run. The code shouldn't run in the first place
using sysadmin user.
Fix the comparison string.
Debian Bullseye tests:
- PASS: build-pkgs and build-image
- PASS: bootstrap
- PASS: after bootstrap can source /etc/platform/openrc from sysadmin
Story: 2009221
Task: 43438
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: I0c1f53c216f1a126280e0e27748fd50b2759f3c3
Port 0001-Use-Titanium-certificate.patch from Centos
Test Plan:
Pass: successfully build test
Pass: successfully intall test
Story: 2009221
Task: 44124
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Ic73ccf6825e033bef70b36b6e7b44491b9b1b865
The upstream commit 1e422ed of python-keyring moved non-preferred
keyring backends to separated package "keyrings.alt", so adding the
keyrings.alt and porting the patches related to non-preferred
keyring backends to keyrings.alt.
Patches are not up to our standard. Bringing them up to standard
is future work, tracked by:
https://bugs.launchpad.net/starlingx/+bug/1950506.
Related-Bug: 1950506
Building successfully.
Installing python3-keyrings.alt, python3-keyring and the dependence
package tsconfig successfully.
Booting up ISO successfully on qemu.
Story: 2009221
Task: 43438
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I4b70927709f0cc968e32af1d0e2a9402f47b2fe9
Package a copy of the shim.efi file to /pxeboot to support UEFI secure
boot. The recent grub2 update for CVE-2020-15705 requires the use of
shim.efi in order to support kernel signature validation.
Change-Id: If87925e1697b34d7ff1a7a770d9f13619dd9dd52
Partial-Bug: 1927730
Signed-off-by: Don Penney <don.penney@windriver.com>
Updated user ownership to "root" for "swtpm_setup.sh"
to fix openscap security violation.
Verified that installation is successful for AIO-SX
and Standard 2+2 system configurations.
Executed certificate installation in a TPM system and
verified is successful..
Story: 2008037
Task: 40694
Change-Id: I7aa8e48d60f189627a4d57441aa1c342c4cb5c20
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
This update makes use of the PKG_GITREVCOUNT variable
to auto-version the packages in this repo.
Story: 2007750
Task: 39951
Change-Id: I854419c922b9db4edbbf6f1e987a982ec2ec7b59
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
Secure Boot's hasn't been tested since July 2018
The principle players in the Secure Boot chain of trust are Shim,
Grub, and the Linux kernel. All three components have seen multiple
upgrades since the last test.
A new build option has been added to shim, (ENABLE_SHIM_CERT) that
enables/disables the support for an embedded shim key. It defaults
to disabled. It also controls the generation of a random shim key,
and the build time signing of fallback and MokManager components.
Since we don't want a random shim key (reproducable builds), and we do
signing as a post build step, leaving it disabled seemed like the correct
setting initially... until it's function to disable shim keys entirely
was discovered.
This update reworks the shim patch so that we can embed a prebuilt
shim key, and still have shim key functionality active.
Closes-Bug: 1864245
Change-Id: Ibcb6bcfe3060ce0b3e2c2f3c23908bb7127b0ccd
Signed-off-by: Scott Little <scott.little@windriver.com>
The self-signed certificate is currently generated with Wind River
specific info. This commit is to set the common name to StarlingX.
Closes-Bug: 1827229
Change-Id: I01f73091e815a0e171b2228cafe5851f4ef49049
Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.
Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea
Story: 2004716
Task: 28748
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Refactor low latency compute per-cpu power management
out of stx-nova into libvirt qemu hook
Story: 2004610
Task: 28508
Change-Id: I80432b36c4e71d957db51f1742ef87fb519acce2
Signed-off-by: Daniel Chavolla <daniel.chavolla@windriver.com>
Test:
Install bootimage.iso on bare mental, enable
Intel TXT setting in BIOS. During installation
make with such selection
"Standard Controller" or "All-in-One Controller" ->
"Graphical console" -> "EXTENDED Security Profile" ->
"Trusted Boot Profile"
After system bootup, check tboot with such command
"sudo txt-stat"
Depends-On: https://review.openstack.org/627745
Story: 2004522
Task: 28436
Change-Id: I7599f1648acfa71757cd5dfdb54f00c9499c8d61
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
It is introduced by CentOS 7.6 upgrade.
Story: 2004660
Task: 28705
Change-Id: I6184b8ab9213eb995eb409cfeef6153f4fb4233a
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
fixed handling of security certificates in tpm mode
The code that handles the installation of tpm security
certificates stopped working after recent updates to
other packages
This commit updates the code to properly work with the
current system configuration
Closes-Bug: #1808163
Change-Id: I76e10cf1ed68cfeb0ce3ee560df0c34711f57af2
Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
Package audit-config is created to config customized config
file of audit. Since there is no other change for audit,
we could replace srpm with rpm directly.
audit-config is set to depends on audit, so audit rpm will be
installed automatically.
Test:
Pass build and multi node deploy test. Confirm syslog.conf is
the same as before in the deploy.
Story: 2003768
Task: 27602
Depends-On: https://review.openstack.org/617174
Change-Id: I6101142642dd21c35e7db1352cc8c9aa05fba923
Signed-off-by: slin14 <shuicheng.lin@intel.com>
This commit modifies the vtpm instance path to reflect
openstack-help default
The vtpm data will now be located under
/var/lib/nova/instances
Story: 2003909
Task: 27081
Change-Id: Ibb54558e2d84afae23c9094e631b904a68400e7e
Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
With rpm version < 4.13, patch cmd will create .orig file for fuzzy
patch in default. And this .orig file may lead to rpmbuild failure
"error: Installed (but unpackaged) file(s) found:"
Please visit below link to get more detail info:
https://bugs.launchpad.net/starlingx/+bug/1794611
Story: 2003917
Task: 26817
Change-Id: I455087544161e38160608b1fba27e00584c61feb
Signed-off-by: slin14 <shuicheng.lin@intel.com>
Problem:
- Centos 7.5 upgraded tpm2-toolss.
- Porting of tpm2-toolss patches did not resolve and 'fuzz' in the line
numbers of the patches.
- If tpm2-tools is built by rpm 4.11, or default version of rpm
until 4.14 is compiled, a fuzzy patch results in the creating
of an .orig file.
- Packaging of tpm2-toolss failes due to the unexpected, and
unpackaged .orig file
Solution:
Safest solution is to de-fuzz our tpm2-toolss patches.
Story: 2003389
Task: 26755
Change-Id: I8dd8d71e2bdcd75ec6786af6bf162f3deae046a2
Signed-off-by: Sun Austin <austin.sun@intel.com>
Move content from stx-gplv3 into stx-integ
Packages will be relocated to
stx-integ:
base/
anaconda
crontabs
dnsmasq
rsync
database/
python-psycopg2
filesystem/
parted
grub/
grub2
security/
python-keyring
Change-Id: I17163dbff41222985a29228a8b42c919a86d1e67
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
Yue Tao