v2.114.24

Balena CI 2023-05-11 23:19:21 +00:00
parent dd52e25dc7
commit 11edc2f001
No known key found for this signature in database
GPG key ID: E2ADEC9754128402
3 changed files with 101 additions and 1 deletions

@ -1,3 +1,86 @@
- commits:
- subject: Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619
hash: 07c73fd8c48891af0600b13457da3ab1390dc37c
body: Update layers/meta-balena
footer:
Changelog-entry: Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619
changelog-entry: Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619
author: Renovate Bot
nested:
- commits:
- subject: "resin-init-flasher: add more comments around efi/boot partition split"
hash: 63663b30f8962be8b6d8070340fe89e435f8915b
body: |
This is hard to follow when reading the code without context.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
signed-off-by: Michal Toman <michalt@balena.io>
author: Michal Toman
nested: []
- subject: "resin-init-flasher: reboot into signed flasher when provisioning
secure boot"
hash: ceedc55646898e4eacb840f89710f39c58674323
body: >
When programming keys for secure boot, some devices do not clear
the setup mode flag after a new PK is installed. In this case
flasher will reboot in order to ensure the keys are actually saved
and the device comes back with secure boot enabled. Since we changed
flasher to be unsigned by default, this reboot causes a security
violation.
With this patch flasher will add a new boot entry before issuing
the reboot so that signed flasher comes up and the installation process
can continue.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
signed-off-by: Michal Toman <michalt@balena.io>
author: Michal Toman
nested: []
- subject: "resin-init-flasher: Fill db EFI variable from esl file instead of
auth"
hash: d1e045b826c48168d75163cf9bb9fb1a387ed4f2
body: >
Currently the db.auth file is signed as "append" in order to
make HUP work.
Most UEFI firmwares will accept such file even for "replace", which we do
during the initial provisioning, however we have seen devices that will
only allow appending, which makes flasher fail.
With this patch flasher will use the esl file for initial programming
of the db variable.
PK and KEK are unaffected.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
signed-off-by: Michal Toman <michalt@balena.io>
author: Michal Toman
nested: []
version: meta-balena-2.114.24
title: ""
date: 2023-05-11T20:31:43.765Z
version: 2.114.24
title: ""
date: 2023-05-11T23:19:17.360Z
- commits:
- subject: Update layers/meta-balena to 3f2f215e39c39fc3ef227db665c99fb8ad77ee08
hash: 7155621e3e419840628ab4c0e9ad972037cf2f4b
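
Review bot: The body for d1e045b826c48168d75163cf9bb9fb1a387ed4f2 ("Fill db EFI variable from esl file instead of auth") does not say what happens to db.auth after this change. It describes db.auth as signed as "append" in order to make HUP work, then says flasher will use the esl file for initial programming of db, but never states whether HUP still goes through the append-signed db.auth. Suggest adding one sentence that scopes the esl path to the first write of db during provisioning and confirms how later db updates are delivered, so someone auditing the secure boot key flow can follow it from this entry alone. "PK and KEK are unaffected" would also read better if it said which files they are programmed from.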

@ -1,6 +1,23 @@
Change log
-----------
# v2.114.24
## (2023-05-11)
<details>
<summary> Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619 [Renovate Bot] </summary>
> ## meta-balena-2.114.24
> ### (2023-05-11)
>
> * resin-init-flasher: add more comments around efi/boot partition split [Michal Toman]
> * resin-init-flasher: reboot into signed flasher when provisioning secure boot [Michal Toman]
> * resin-init-flasher: Fill db EFI variable from esl file instead of auth [Michal Toman]
>
</details>
# v2.114.23
## (2023-05-06)
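
Review bot: In the v2.114.24 section the `<summary>` line names only the layer bump and its commit hash, so the two entries that change secure boot provisioning ("reboot into signed flasher when provisioning secure boot" and "Fill db EFI variable from esl file instead of auth") stay hidden until the block is expanded. Suggest putting the meta-balena version (2.114.24) in the summary next to the hash, or a short mention of the secure boot flasher changes, so the release section shows at a glance that provisioning behaviour changed.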

@ -1 +1 @@
2.114.23
2.114.24