From 05599a13543b4de4ee3977a98f543f03713335bb Mon Sep 17 00:00:00 2001 From: Balena CI Date: Thu, 20 Apr 2023 06:16:13 +0000 Subject: [PATCH] v2.114.6 --- .versionbot/CHANGELOG.yml | 76 +++++++++++++++++++++++++++++++++++++++ CHANGELOG.md | 17 +++++++++ VERSION | 2 +- 3 files changed, 94 insertions(+), 1 deletion(-) diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml index aebd520..2a091d1 100644 --- a/.versionbot/CHANGELOG.yml +++ b/.versionbot/CHANGELOG.yml @@ -1,3 +1,79 @@ +- commits: + - subject: Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75 + hash: de97c0b480efb3fc2d1146c1e80e22504339e7d1 + body: Update layers/meta-balena + footer: + Changelog-entry: Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75 + changelog-entry: Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75 + author: Renovate Bot + nested: + - commits: + - subject: Update db and dbx hashes during HUP when secure boot is enabled + hash: 775dc7dba7afe2674dc0ef84e00bb773495d4c98 + body: > + After moving to hashes for authenticating the allowed OS list, we need + + to update the db variable on each HUP to make sure the new OS + + will be bootable. After confirming that the update went through, + + we need to update the dbx variable to make sure the old OS is + + no longer bootable. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Michal Toman + signed-off-by: Michal Toman + author: Michal Toman + nested: [] + - subject: "balena-db-hashes: ship both db and dbx updates" + hash: c428010c83fd3a3ca1f4cdc72fc94a90f6be6ee4 + body: > + In order to use hashes we can not use UEFI time-based authentication + + for updates as this would prevent rollbacks. Instead we ship appendable + + updates for both db and dbx that HUP can use. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Michal Toman + signed-off-by: Michal Toman + author: Michal Toman + nested: [] + - subject: Use hashes instead of certificates for secure boot image validation + hash: c205b247c14cbdd132cb1bb335da2d17fa40caf5 + body: > + This patch changes the validation of bootable images from certificate + + signatures to a list of allowed hashes of binaries. This only applies + + on db level, PK and KEK are still certificates. + + + The motivation is that certificates expire and we need to be sure + + that even devices that have been lying on a shelf for several years + + or whose CMOS battery has died and reset date to 1970-01-01 are still + + bootable. Using hashes is more aligned with this use-case and also + + more similar to the approach that embedded SoCs use. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Michal Toman + signed-off-by: Michal Toman + author: Michal Toman + nested: [] + version: meta-balena-2.114.6 + title: "" + date: 2023-04-20T04:15:18.461Z + version: 2.114.6 + title: "" + date: 2023-04-20T06:16:08.581Z - commits: - subject: Update layers/meta-balena to cca4a5e7e9523bbe5892af3846ff8b3f03d6c749 hash: 2c5fdcba6e76535c912915a8331b7443db0857e4 diff --git a/CHANGELOG.md b/CHANGELOG.md index e4e5dde..a4f4c2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,23 @@ Change log ----------- +# v2.114.6 +## (2023-04-20) + + +
+ Update layers/meta-balena to ac3e9193544d0bc3188473f725e3d88495caed75 [Renovate Bot] + +> ## meta-balena-2.114.6 +> ### (2023-04-20) +> +> * Update db and dbx hashes during HUP when secure boot is enabled [Michal Toman] +> * balena-db-hashes: ship both db and dbx updates [Michal Toman] +> * Use hashes instead of certificates for secure boot image validation [Michal Toman] +> + +
+ # v2.114.5 ## (2023-04-19) diff --git a/VERSION b/VERSION index 76c8c24..f1a120e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.114.5 \ No newline at end of file +2.114.6 \ No newline at end of file
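Review bot: In the .versionbot/CHANGELOG.yml hunk, the nested entries 775dc7d and c428010 leave the rollback window undocumented. 775dc7d says dbx is updated after the update is confirmed so that "the old OS is no longer bootable", while c428010 gives preventing rollbacks as the reason for not using UEFI time-based authentication. Suggest stating in the body at which step of HUP a rollback to the previous OS stops being possible, and what state the device is left in if the db append goes through but the dbx update does not. Separately, all three nested entries carry "Change-type: patch" although c205b24 changes db-level validation from certificate signatures to a list of allowed hashes; worth confirming that patch is the intended level for a change in what secure boot accepts.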
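Review bot: In the CHANGELOG.md hunk, the v2.114.6 entry carries only the three commit subjects, so the human-readable changelog omits the scope that the YAML body of c205b24 states: the switch to hashes applies at db level only, and PK and KEK are still certificates. Suggest adding one line under "Use hashes instead of certificates for secure boot image validation" that records this scope, together with the note from 775dc7d that db is updated on each HUP and dbx only after the update is confirmed, so that someone auditing a secure-boot fleet can see the behaviour change without opening the YAML.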