pomfi/balena-allwinner
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

v5.3.15

Browse source
This commit is contained in:
flowzone-app[bot] 2024-06-05 06:19:12 +00:00 committed by GitHub
parent 3ee64839a6
commit 29d60d76f3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 249 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

230
.versionbot/CHANGELOG.yml
View file

@ -1,3 +1,233 @@
- commits:
- subject: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3
hash: 1337ef2c3d505b9164e371c580e04c82a6fbb315
body: Update layers/meta-balena
footer:
Changelog-entry: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3
changelog-entry: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3
author: Self-hosted Renovate Bot
nested:
- commits:
- subject: "os-helpers-tpm2: fix empty efivar reads"
hash: 3f9d048f964f922c9bfaeee4939197cb31c8eef6
body: >
When reading from efi variables in hostapp-update hooks during
rollback,
tcgtool will improperly read zero bytes from efivar files. This
results
in an improper calculation of the PCR 7 digest, and an
unbootable
system.
Read the file contents, skipping the first four bytes that are
attributes, and pipe the data directly to tcgtool to work around
this.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "rollback-health: bind mount EFI partition in old_rootfs"
hash: 8761c1d6536d86249757f37925ae40d905716cc3
body: >
Some hooks, such as 0-signed-update, will attempt to read files
from the
EFI system partition, such as combined policy binaries.
Bind mount the EFI partition into old_rootfs before running
hooks to
ensure this is available.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "rollback-health: mount securityfs in old_rootfs"
hash: e87838103af3c5ee05c60b7105353f987af47e61
body: >
When rollback-health runs, a failing healthcheck causes the
hostapp-update hooks to be run from the inactive partition, to
make the
inactive system bootable again.
The 0-signed-update hook, which updates the sealing policy for
secure
boot enabled systems, reads from the securityfs mounted at
/sys/kernel/security in order to parse the TPM event log.
If this filesystem isn't mounted, the hook will improperly
detect that
the TPM event log isn't available, and unneccessarily create a
combined
policy when a single PCR policy would suffice.
Mount this filesystem in old_rootfs before chrooting to fix
this.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-tpm2: compute_pcr7 w/ events post separator"
hash: e4f8f6f9c79f994f873bc930bfa028f2161a29d9
body: >
In commit 1c19ebb, we append digests from the TPM event log
corresponding to events that are logged before EV_SEPARATOR. For
instance, parsing the event log on a typical system for event
types, the
output looks like this:
EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot)
EV_EFI_VARIABLE_DRIVER_CONFIG (PK)
EV_EFI_VARIABLE_DRIVER_CONFIG (KEK)
EV_EFI_VARIABLE_DRIVER_CONFIG (db)
EV_EFI_VARIABLE_DRIVER_CONFIG (dbx)
EV_SEPARATOR
This system requires no merging of event log digests.
On systems that measure EFI binaries (mostly only QEMU w/ edk2),
we also
get this:
EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot)
EV_EFI_VARIABLE_DRIVER_CONFIG (PK)
EV_EFI_VARIABLE_DRIVER_CONFIG (KEK)
EV_EFI_VARIABLE_DRIVER_CONFIG (db)
EV_EFI_VARIABLE_DRIVER_CONFIG (dbx)
EV_SEPARATOR
EV_EFI_VARIABLE_AUTHORITY (bootx64.efi)
EV_EFI_VARIABLE_AUTHORITY (bzImage)
Again, this requires no merging. We compute the signature of the
relevant EFI binaries ourselves, as they're subject to change
during
hostapp-update.
However, we've also seen event logs like this:
EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot)
EV_EFI_VARIABLE_DRIVER_CONFIG (PK)
EV_EFI_VARIABLE_DRIVER_CONFIG (KEK)
EV_EFI_VARIABLE_DRIVER_CONFIG (db)
EV_EFI_VARIABLE_DRIVER_CONFIG (dbx)
EV_EFI_ACTION (DMA Protection Disabled)
EV_SEPARATOR
This case is the one we've handled previously, by reading from
the event
log and appending event digests before EV_SEPARATOR. We stopped
at
EV_SEPARATOR because we weren't parsing event types previously,
and this
digest is a constant that's easily recognized. However, we've
since
encountered systems that have unexpected events *after*
EV_SEPARATOR, as
shown below.
EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot)
EV_EFI_VARIABLE_DRIVER_CONFIG (PK)
EV_EFI_VARIABLE_DRIVER_CONFIG (KEK)
EV_EFI_VARIABLE_DRIVER_CONFIG (db)
EV_EFI_VARIABLE_DRIVER_CONFIG (dbx)
EV_SEPARATOR
Unknown event type (?!)
In order to handle this, parse digests and event types into
temporary
files and iterate through them together. We only stop appending
digests
from the event log when the next event type is
EV_EFI_VARIABLE_AUTHORITY
(EFI binary signature) or we hit the end of the list. This
should
account for all possible variations.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
version: meta-balena-5.3.15
title: ""
date: 2024-06-05T00:15:59.506Z
version: 5.3.15
title: ""
date: 2024-06-05T06:19:04.804Z
- commits: - commits:
- subject: Update layers/meta-balena to 9e95be489587395fec796dc6969fc7d78cf81f77 - subject: Update layers/meta-balena to 9e95be489587395fec796dc6969fc7d78cf81f77
hash: b7742b1ea89f9c2f37e730fadf2b39af91121ef9 hash: b7742b1ea89f9c2f37e730fadf2b39af91121ef9

18
CHANGELOG.md
View file

@ -1,6 +1,24 @@
Change log Change log
----------- -----------
# v5.3.15
## (2024-06-05)
<details>
<summary> Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 [Self-hosted Renovate Bot] </summary>
> ## meta-balena-5.3.15
> ### (2024-06-05)
>
> * os-helpers-tpm2: fix empty efivar reads [Joseph Kogut]
> * rollback-health: bind mount EFI partition in old_rootfs [Joseph Kogut]
> * rollback-health: mount securityfs in old_rootfs [Joseph Kogut]
> * os-helpers-tpm2: compute_pcr7 w/ events post separator [Joseph Kogut]
>
</details>
# v5.3.14 # v5.3.14
## (2024-06-02) ## (2024-06-02)

2
VERSION
View file

@ -1 +1 @@
5.3.14 5.3.15