Balena CI 2023-04-20 06:16:13 +00:00
parent 3182377df3
commit 05599a1354
No known key found for this signature in database
GPG key ID: E2ADEC9754128402
3 changed files with 94 additions and 1 deletions

@ -1,3 +1,79 @@
- commits:
- subject: Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75
hash: de97c0b480efb3fc2d1146c1e80e22504339e7d1
body: Update layers/meta-balena
footer:
Changelog-entry: Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75
changelog-entry: Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75
author: Renovate Bot
nested:
- commits:
- subject: Update db and dbx hashes during HUP when secure boot is enabled
hash: 775dc7dba7afe2674dc0ef84e00bb773495d4c98
body: >
After moving to hashes for authenticating the allowed OS list, we need
to update the db variable on each HUP to make sure the new OS
will be bootable. After confirming that the update went through,
we need to update the dbx variable to make sure the old OS is
no longer bootable.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
signed-off-by: Michal Toman <michalt@balena.io>
author: Michal Toman
nested: []
- subject: "balena-db-hashes: ship both db and dbx updates"
hash: c428010c83fd3a3ca1f4cdc72fc94a90f6be6ee4
body: >
In order to use hashes we can not use UEFI time-based authentication
for updates as this would prevent rollbacks. Instead we ship appendable
updates for both db and dbx that HUP can use.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
signed-off-by: Michal Toman <michalt@balena.io>
author: Michal Toman
nested: []
- subject: Use hashes instead of certificates for secure boot image validation
hash: c205b247c14cbdd132cb1bb335da2d17fa40caf5
body: >
This patch changes the validation of bootable images from certificate
signatures to a list of allowed hashes of binaries. This only applies
on db level, PK and KEK are still certificates.
The motivation is that certificates expire and we need to be sure
that even devices that have been lying on a shelf for several years
or whose CMOS battery has died and reset date to 1970-01-01 are still
bootable. Using hashes is more aligned with this use-case and also
more similar to the approach that embedded SoCs use.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
signed-off-by: Michal Toman <michalt@balena.io>
author: Michal Toman
nested: []
version: meta-balena-2.114.6
title: ""
date: 2023-04-20T04:15:18.461Z
version: 2.114.6
title: ""
date: 2023-04-20T06:16:08.581Z
- commits:
- subject: Update layers/meta-balena to cca4a5e7e9523bbe5892af3846ff8b3f03d6c749
hash: 2c5fdcba6e76535c912915a8331b7443db0857e4
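Review bot: The body of "Update db and dbx hashes during HUP when secure boot is enabled" does not say what the device can boot if the new OS fails after dbx has already been updated, even though the "balena-db-hashes" entry gives rollbacks as the reason for not using time-based authentication. The body should state at which point in HUP a rollback stops being possible. It should also say how the appendable db and dbx updates are authenticated, since the third entry only says "PK and KEK are still certificates".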

@ -1,6 +1,23 @@
Change log
-----------
# v2.114.6
## (2023-04-20)
<details>
<summary> Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75 [Renovate Bot] </summary>
> ## meta-balena-2.114.6
> ### (2023-04-20)
>
> * Update db and dbx hashes during HUP when secure boot is enabled [Michal Toman]
> * balena-db-hashes: ship both db and dbx updates [Michal Toman]
> * Use hashes instead of certificates for secure boot image validation [Michal Toman]
>
</details>
# v2.114.5
## (2023-04-19)
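Review bot: The three bullets under "meta-balena-2.114.6" omit the scope that the YAML changelog carries for the same commits: that the change applies only at db level with PK and KEK still certificates, and that db and dbx are written on each HUP. This changes what a secure-boot device accepts as bootable, so consider adding one line of that context under the "Use hashes instead of certificates for secure boot image validation" bullet, so that readers of this file do not have to open the nested commit bodies.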

@ -1 +1 @@
2.114.5
2.114.6
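Review bot: Going from 2.114.5 to 2.114.6 is a patch-level bump, yet the changelog in this same commit records a switch of db validation from certificate signatures to a list of allowed hashes plus new db and dbx writes during HUP, each tagged "Change-type: patch". If the change type drives this number, consider marking the nested commits as minor so that operators of secure-boot devices can see the change in trust model from the version alone.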