v5.3.4
parent 095903e29e
commit 39a569c004
3 changed files with 421 additions and 1 deletions
|
@ -1,3 +1,385 @@
|
|||
- commits:
|
||||
- subject: Update layers/meta-balena to b09a185be7b866374d1c4d0ed37e9407289293a6
|
||||
hash: 47a5887379912906aa0e775a0e4609a3ec9540d6
|
||||
body: Update layers/meta-balena
|
||||
footer:
|
||||
Changelog-entry: Update layers/meta-balena to b09a185be7b866374d1c4d0ed37e9407289293a6
|
||||
changelog-entry: Update layers/meta-balena to b09a185be7b866374d1c4d0ed37e9407289293a6
|
||||
author: Self-hosted Renovate Bot
|
||||
nested:
|
||||
- commits:
|
||||
- subject: "hostapp-update-hooks: 99-balena-bootloader: Adapt to secure boot"
|
||||
hash: 241caa3243c23363841e7aa6f89cc116cf24d200
|
||||
body: ""
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "hostapp-update-hooks: fix linter warnings"
|
||||
hash: a35ae938fd981e4e2bd84031352f1417f07b1a01
|
||||
body: |
|
||||
Remove some of the low-risk linter warnings.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: image-balena: use relative path to generate boot fingerprint"
|
||||
hash: b30ce236a9e8f6229d5af527d853e6e3fc090d72
|
||||
body: >
|
||||
Ideally we would re-use the function is the target os-helpers-fs
|
||||
file,
|
||||
|
||||
but Yocto's recipe bash support is not completely compatible
|
||||
with POSIX syntax.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "os-helpers: add a helper function to generate fingerprint files"
|
||||
hash: 487b4f4dbc62de77f6b76f27f80bab69a192bee1
|
||||
body: >
|
||||
This function will be re-used as it's called from the HUP hooks
|
||||
and
|
||||
|
||||
from the flasher image for secure boot devices that split boot
|
||||
|
||||
partitions.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: sign-rsa: add dependencies"
|
||||
hash: eafbc411e99430ade0d4e141e4c3e7f59ae0feb9
|
||||
body: ""
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "initrdscripts: migrate: allow command line argument configuration"
|
||||
hash: c8de15a999aec50915c7cf829e7ec3886aaa3182
|
||||
body: >
|
||||
The migrate module is currently only enabled if specified in
|
||||
config.json.
|
||||
|
||||
This commit introduces a command line argument override for
|
||||
board
|
||||
|
||||
integration layers to use. This allows for example for
|
||||
non-flasher device
|
||||
|
||||
types to force the migration.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: image-balena: provide board configuration hook"
|
||||
hash: cda7d24207d736bc8fe4f58ed47489ecc2db2db3
|
||||
body: >
|
||||
Add a hook for boards to initialize boot partition configuration.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "initrdscripts: abroot: add missing dependency"
|
||||
hash: 593ce8db2c2de1b6b92e3e57af932a4d3eefe14f
|
||||
body: >
|
||||
The abroot script sources balena-config-defaults so let's make
|
||||
sure
|
||||
|
||||
it's included in the build.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: kernel-balena: selectively include dmcrypt for signed images"
|
||||
hash: 1bdb0d2be57c2f7697c5af6d3bdc76cf873ddd06
|
||||
body: ""
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "hostapp-update-hooks: only include os-helpers-sb for signed builds"
|
||||
hash: bfe9204622793b6afb0879c0fce0aad2d0cb7de6
|
||||
body: ""
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "hostapp-update-hooks: 1-bootfiles: Check for os-helpers-sb before
|
||||
including"
|
||||
hash: 55ea286a40181f0e809280f4e8f2c9ed743d4bb7
|
||||
body: |
|
||||
The `os-helpers-sb` file is only included for signed builds.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "docs: add secure boot abstractions details"
|
||||
hash: 91dad6cdb1b4e9e10a9ac4017d4b975256d9186c
|
||||
body: ""
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "initrdscripts: fsuuidinit: use file based mutex to avoid race
|
||||
condition"
|
||||
hash: 3f6a302bf53c6c0a609015c92ff927c7575412d9
|
||||
body: >
|
||||
As soon as the UUID is regenerated udev runs the correspondign
|
||||
rules.
|
||||
|
||||
|
||||
However, the rules expect the new UUID to be cached in a file,
|
||||
so there
|
||||
|
||||
is a race condition between the creation of the file and the
|
||||
udev rule.
|
||||
|
||||
|
||||
This commit avoid the race condition by using a file mutex that
|
||||
the
|
||||
|
||||
udev rule can wait on.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "systemd: update_state_probe: Use a file mutex to avoid race condition"
|
||||
hash: ef51b29b330e77b2111644fa4dbae156ca753e6c
|
||||
body: >
|
||||
As soon as the UUID is modified udev re-runs the rules for the
|
||||
partition.
|
||||
|
||||
However, the rule expects the new root UUID to be cached in a
|
||||
file, and
|
||||
|
||||
if the udev rule gets there before the file is created it fails.
|
||||
|
||||
|
||||
This commit waits on a lock file mutex before accessing said
|
||||
file.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "os-helpers: extend filesystem helper with wait4rm"
|
||||
hash: bb77f62506329bb4f09a480b5ef1239742e71294
|
||||
body: >
|
||||
This function waits until a file is removed or times out -
|
||||
useful to
|
||||
|
||||
implement basic file based mutexes.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "os-helpers-fs: regenerate_uuid: skip remounting"
|
||||
hash: 7674716ffd7472f7a487c027ba756803e1d446fb
|
||||
body: >
|
||||
Remounting filesystems is done on systems with a broken clock in
|
||||
order
|
||||
|
||||
to prevent tune2fs from bailing out when the last mounted time
|
||||
is in the
|
||||
|
||||
future. This resets the last mounted time to now.
|
||||
|
||||
|
||||
However, the filesystem is immediately unmounted again without
|
||||
being
|
||||
|
||||
utilized, and the mount and unmount process is time consuming.
|
||||
Instead,
|
||||
|
||||
use `-e continue` to tell tune2fs to continue after an error,
|
||||
which
|
||||
|
||||
achieves the same result with less time and complexity.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Joseph Kogut <joseph@balena.io>
|
||||
signed-off-by: Joseph Kogut <joseph@balena.io>
|
||||
author: Joseph Kogut
|
||||
nested: []
|
||||
- subject: "resin-init-flasher: replace fatal with fail"
|
||||
hash: 53e995bfc70dcea70b476cb26a5e68df0e2a53a8
|
||||
body: >
|
||||
The fatal() function is only defined while running in the
|
||||
initramfs
|
||||
|
||||
while fail() is provided by the OS helper logging which is
|
||||
available
|
||||
|
||||
in both the OS and flasher image.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "balena-image-bootloader-initramfs: add modules needed for secure boot"
|
||||
hash: dfa88cfb6cf195c9748a41fe5bdad4954a72f27d
|
||||
body: >
|
||||
The balena bootloader needs to mount encrypted disks to kexec
|
||||
the final
|
||||
|
||||
kernel which is stored in the encrypted root partitions.
|
||||
|
||||
|
||||
It also needs to run the data partition expander twice on boot,
|
||||
once in the
|
||||
|
||||
balena bootloader that expands the disk, and later on the final
|
||||
|
||||
initramfs to expand the file system.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: balena-bootloader: add support for encrypted disks mount and
|
||||
kexec"
|
||||
hash: dccf18856d3198ed2bb3394792b859de12aad407
|
||||
body: >
|
||||
The kernel needs crypto support to mount encrypted disks at boot
|
||||
and
|
||||
|
||||
kexec image authentication.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: balena-bootloader: specify a deployment subfolder"
|
||||
hash: 1e1c465dc899377dd10350038f20a653eea95325
|
||||
body: >
|
||||
This prevents overwritting deployment files that are also
|
||||
deployed
|
||||
|
||||
by the standard linux recipe.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: kernel-balena: add secureboot configuration dependencies"
|
||||
hash: f8eca19e9180b7d4f2d80ae87ef4074be7a81ff5
|
||||
body: ""
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: kernel-balena: non-efi device types also use EFI signing for
|
||||
kexec"
|
||||
hash: 8b4f5dd0f5e806954897f3dbac3da00f0487ba88
|
||||
body: >
|
||||
Remove the conditional to signing the kernel initramfs on EFI
|
||||
machine
|
||||
|
||||
features as kexec also requires this.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: sign-efi: allow to configure deployment directory"
|
||||
hash: fc36626aeedfe681e5198083112c4f17e8688596
|
||||
body: >
|
||||
This is needed for systems that build and deploy two different
|
||||
linux
|
||||
|
||||
kernels like is the case when using the balena bootloader so
|
||||
that
|
||||
|
||||
different recipes do not try to deploy the same files.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
- subject: "classes: sign-efi: support compressed payloads"
|
||||
hash: ac9955350690d0f044a9e15469a93819c3591f27
|
||||
body: >
|
||||
The EFI class is used to sign Linux kernel binaries, and these
|
||||
can come
|
||||
|
||||
in a zImage (compressed) format that needs to be decompressed
|
||||
before
|
||||
|
||||
signing.
|
||||
footer:
|
||||
Change-type: patch
|
||||
change-type: patch
|
||||
Signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
signed-off-by: Alex Gonzalez <alexg@balena.io>
|
||||
author: Alex Gonzalez
|
||||
nested: []
|
||||
version: meta-balena-5.3.4
|
||||
title: ""
|
||||
date: 2024-05-12T17:56:11.300Z
|
||||
version: 5.3.4
|
||||
title: ""
|
||||
date: 2024-05-12T22:46:57.225Z
|
||||
- commits:
|
||||
- subject: Update balena-yocto-scripts to 466d6ec592656bb950a393fc1c7a5d5ff4cf3455
|
||||
hash: 47e5b0f60f9e1d647c2a6fe77ec2941d38f5d640
|
||||
|
|
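Review bot: all 24 nested entries in this hunk are recorded as `Change-type: patch`, including `classes: kernel-balena: non-efi device types also use EFI signing for kexec` and `classes: kernel-balena: selectively include dmcrypt for signed images`, which alter what is signed or built into signed images. Please confirm that patch is the intended level for those two and that both signed and unsigned builds were exercised for the 5.3.4 bump. Separately, each `footer:` map stores every trailer twice (`Change-type`/`change-type`, `Signed-off-by`/`signed-off-by`); if the generator does not need both casings, keep one so consumers of this file have a single key to read.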
38
CHANGELOG.md
|
@ -1,6 +1,44 @@
|
|||
Change log
|
||||
-----------
|
||||
|
||||
# v5.3.4
|
||||
## (2024-05-12)
|
||||
|
||||
|
||||
<details>
|
||||
<summary> Update layers/meta-balena to b09a185be7b866374d1c4d0ed37e9407289293a6 [Self-hosted Renovate Bot] </summary>
|
||||
|
||||
> ## meta-balena-5.3.4
|
||||
> ### (2024-05-12)
|
||||
>
|
||||
> * hostapp-update-hooks: 99-balena-bootloader: Adapt to secure boot [Alex Gonzalez]
|
||||
> * hostapp-update-hooks: fix linter warnings [Alex Gonzalez]
|
||||
> * classes: image-balena: use relative path to generate boot fingerprint [Alex Gonzalez]
|
||||
> * os-helpers: add a helper function to generate fingerprint files [Alex Gonzalez]
|
||||
> * classes: sign-rsa: add dependencies [Alex Gonzalez]
|
||||
> * initrdscripts: migrate: allow command line argument configuration [Alex Gonzalez]
|
||||
> * classes: image-balena: provide board configuration hook [Alex Gonzalez]
|
||||
> * initrdscripts: abroot: add missing dependency [Alex Gonzalez]
|
||||
> * classes: kernel-balena: selectively include dmcrypt for signed images [Alex Gonzalez]
|
||||
> * hostapp-update-hooks: only include os-helpers-sb for signed builds [Alex Gonzalez]
|
||||
> * hostapp-update-hooks: 1-bootfiles: Check for os-helpers-sb before including [Alex Gonzalez]
|
||||
> * docs: add secure boot abstractions details [Alex Gonzalez]
|
||||
> * initrdscripts: fsuuidinit: use file based mutex to avoid race condition [Alex Gonzalez]
|
||||
> * systemd: update_state_probe: Use a file mutex to avoid race condition [Alex Gonzalez]
|
||||
> * os-helpers: extend filesystem helper with wait4rm [Alex Gonzalez]
|
||||
> * os-helpers-fs: regenerate_uuid: skip remounting [Joseph Kogut]
|
||||
> * resin-init-flasher: replace fatal with fail [Alex Gonzalez]
|
||||
> * balena-image-bootloader-initramfs: add modules needed for secure boot [Alex Gonzalez]
|
||||
> * classes: balena-bootloader: add support for encrypted disks mount and kexec [Alex Gonzalez]
|
||||
> * classes: balena-bootloader: specify a deployment subfolder [Alex Gonzalez]
|
||||
> * classes: kernel-balena: add secureboot configuration dependencies [Alex Gonzalez]
|
||||
> * classes: kernel-balena: non-efi device types also use EFI signing for kexec [Alex Gonzalez]
|
||||
> * classes: sign-efi: allow to configure deployment directory [Alex Gonzalez]
|
||||
> * classes: sign-efi: support compressed payloads [Alex Gonzalez]
|
||||
>
|
||||
|
||||
</details>
|
||||
|
||||
# v5.3.3+rev1
|
||||
## (2024-05-02)
|
||||
|
||||
|
|
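Review bot: the v5.3.4 section is a single collapsed `<details>` whose `<summary>` is only the meta-balena submodule hash, so a reader scanning the release sees nothing about the secure boot, disk encryption and kexec signing changes listed inside. Consider adding one visible line above `<details>` that names the secure boot work, and carrying over the rationale for `os-helpers-fs: regenerate_uuid: skip remounting`, since the subject alone does not say that tune2fs is now told to continue after an error.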
2
VERSION
|
@ -1 +1 @@
|
|||
5.3.3+rev1
|
||||
5.3.4
|