diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml index c4444ea..14a3ae8 100644 --- a/.versionbot/CHANGELOG.yml +++ b/.versionbot/CHANGELOG.yml @@ -1,3 +1,233 @@ +- commits: + - subject: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 + hash: 1337ef2c3d505b9164e371c580e04c82a6fbb315 + body: Update layers/meta-balena + footer: + Changelog-entry: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 + changelog-entry: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 + author: Self-hosted Renovate Bot + nested: + - commits: + - subject: "os-helpers-tpm2: fix empty efivar reads" + hash: 3f9d048f964f922c9bfaeee4939197cb31c8eef6 + body: > + When reading from efi variables in hostapp-update hooks during + rollback, + + tcgtool will improperly read zero bytes from efivar files. This + results + + in an improper calculation of the PCR 7 digest, and an + unbootable + + system. + + + Read the file contents, skipping the first four bytes that are + + attributes, and pipe the data directly to tcgtool to work around + this. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "rollback-health: bind mount EFI partition in old_rootfs" + hash: 8761c1d6536d86249757f37925ae40d905716cc3 + body: > + Some hooks, such as 0-signed-update, will attempt to read files + from the + + EFI system partition, such as combined policy binaries. + + + Bind mount the EFI partition into old_rootfs before running + hooks to + + ensure this is available. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "rollback-health: mount securityfs in old_rootfs" + hash: e87838103af3c5ee05c60b7105353f987af47e61 + body: > + When rollback-health runs, a failing healthcheck causes the + + hostapp-update hooks to be run from the inactive partition, to + make the + + inactive system bootable again. + + + The 0-signed-update hook, which updates the sealing policy for + secure + + boot enabled systems, reads from the securityfs mounted at + + /sys/kernel/security in order to parse the TPM event log. + + + If this filesystem isn't mounted, the hook will improperly + detect that + + the TPM event log isn't available, and unneccessarily create a + combined + + policy when a single PCR policy would suffice. + + + Mount this filesystem in old_rootfs before chrooting to fix + this. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "os-helpers-tpm2: compute_pcr7 w/ events post separator" + hash: e4f8f6f9c79f994f873bc930bfa028f2161a29d9 + body: > + In commit 1c19ebb, we append digests from the TPM event log + + corresponding to events that are logged before EV_SEPARATOR. For + + instance, parsing the event log on a typical system for event + types, the + + output looks like this: + + + EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) + + EV_EFI_VARIABLE_DRIVER_CONFIG (PK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (db) + + EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) + + EV_SEPARATOR + + + This system requires no merging of event log digests. + + + On systems that measure EFI binaries (mostly only QEMU w/ edk2), + we also + + get this: + + + EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) + + EV_EFI_VARIABLE_DRIVER_CONFIG (PK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (db) + + EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) + + EV_SEPARATOR + + EV_EFI_VARIABLE_AUTHORITY (bootx64.efi) + + EV_EFI_VARIABLE_AUTHORITY (bzImage) + + + Again, this requires no merging. We compute the signature of the + + relevant EFI binaries ourselves, as they're subject to change + during + + hostapp-update. + + + However, we've also seen event logs like this: + + + EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) + + EV_EFI_VARIABLE_DRIVER_CONFIG (PK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (db) + + EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) + + EV_EFI_ACTION (DMA Protection Disabled) + + EV_SEPARATOR + + + This case is the one we've handled previously, by reading from + the event + + log and appending event digests before EV_SEPARATOR. We stopped + at + + EV_SEPARATOR because we weren't parsing event types previously, + and this + + digest is a constant that's easily recognized. 
However, we've + since + + encountered systems that have unexpected events *after* + EV_SEPARATOR, as + + shown below. + + + EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) + + EV_EFI_VARIABLE_DRIVER_CONFIG (PK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) + + EV_EFI_VARIABLE_DRIVER_CONFIG (db) + + EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) + + EV_SEPARATOR + + Unknown event type (?!) + + + In order to handle this, parse digests and event types into + temporary + + files and iterate through them together. We only stop appending + digests + + from the event log when the next event type is + EV_EFI_VARIABLE_AUTHORITY + + (EFI binary signature) or we hit the end of the list. This + should + + account for all possible variations. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + version: meta-balena-5.3.15 + title: "" + date: 2024-06-05T00:15:59.506Z + version: 5.3.15 + title: "" + date: 2024-06-05T06:19:04.804Z - commits: - subject: Update layers/meta-balena to 9e95be489587395fec796dc6969fc7d78cf81f77 hash: b7742b1ea89f9c2f37e730fadf2b39af91121ef9 diff --git a/CHANGELOG.md b/CHANGELOG.md index 1263dc3..71eadc1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,24 @@ Change log ----------- +# v5.3.15 +## (2024-06-05) + + +
+ Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 [Self-hosted Renovate Bot] + +> ## meta-balena-5.3.15 +> ### (2024-06-05) +> +> * os-helpers-tpm2: fix empty efivar reads [Joseph Kogut] +> * rollback-health: bind mount EFI partition in old_rootfs [Joseph Kogut] +> * rollback-health: mount securityfs in old_rootfs [Joseph Kogut] +> * os-helpers-tpm2: compute_pcr7 w/ events post separator [Joseph Kogut] +> + +
+ # v5.3.14 ## (2024-06-02) diff --git a/VERSION b/VERSION index 1cb2aaa..03017c9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -5.3.14 \ No newline at end of file +5.3.15 \ No newline at end of file
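Review bot: In the .versionbot/CHANGELOG.yml hunk, the body of "os-helpers-tpm2: compute_pcr7 w/ events post separator" gives the stop rule as the first EV_EFI_VARIABLE_AUTHORITY or the end of the list and closes with "This should account for all possible variations", which leaves one ordering undocumented: a non-authority event logged after the first EV_EFI_VARIABLE_AUTHORITY. The message should say whether that ordering is assumed never to occur or is ignored on purpose. It would also help to state that digests for entries such as "Unknown event type (?!)" are copied from the current boot's event log, so the computed PCR 7 value only matches if the firmware logs the same digest on the next boot. Two smaller points in the same hunk: "commit 1c19ebb" is an abbreviated hash with no repository named, so a full hash or link would be unambiguous here, and "unneccessarily" in the securityfs entry should read "unnecessarily".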
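Review bot: The v5.3.15 entry in the CHANGELOG.md hunk lists only commit subjects, so "os-helpers-tpm2: fix empty efivar reads" gives no sign of the impact described in the commit body (a wrong PCR 7 digest and an unbootable system after rollback). In the YAML above, the four meta-balena commits carry Change-type and Signed-off-by footers but no Changelog-entry, unlike the Renovate commit; adding a Changelog-entry footer that names the affected configuration (secure boot enabled, rollback path) would let operators judge from the changelog whether they need this release.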
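Review bot: VERSION still ends without a trailing newline, as the "\ No newline at end of file" marker follows both the removed 5.3.14 and the added 5.3.15 line. If any consumer of this file compares the value line by line or concatenates it into another string, either terminate the file with a newline or confirm that readers strip whitespace. The bump from 5.3.14 to 5.3.15 itself is consistent with the "Change-type: patch" footers in the changelog hunk.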