pomfi/balena-allwinner
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

v5.3.0

Browse source
This commit is contained in:
flowzone-app[bot] 2024-04-24 09:41:47 +00:00 committed by GitHub
parent ada2a0c2df
commit 8f4e47dcd9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 281 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

250
.versionbot/CHANGELOG.yml
View file

@ -1,3 +1,253 @@
- commits:
- subject: Update layers/meta-balena to 02acc2b2f2337154e79825e21fc5a517a1f97315
hash: 9a0617ba3a62ced79a63c22dac7d8537ec595067
body: Update layers/meta-balena
footer:
Changelog-entry: Update layers/meta-balena to 02acc2b2f2337154e79825e21fc5a517a1f97315
changelog-entry: Update layers/meta-balena to 02acc2b2f2337154e79825e21fc5a517a1f97315
author: Self-hosted Renovate Bot
nested:
- commits:
- subject: "hup: signed-update: silence tpm2-tools output"
hash: 877b7b39f2ac3dbab0cc806916ef2c13dbdfd885
body: |
The output of these tools doesn't need logged. Silence them.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "hup: silence mountpoint"
hash: d9a477b706ffc8ba4d8126e9665a2142bb705719
body: ""
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "hup: signed-update: print predicted PCR values after creating a
policy"
hash: a3b2b9ba45470b4ff6b35c56c13e2400c51c95c7
body: ""
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-tpm2: firmware_measures_efibins: silence grep"
hash: cd7b142195cd7cd33126e0dfbd75ee00e6b03aa3
body: >
The firmware_measures_efibins function outputs different strings
depending on whether the TPM event log is available, and whether
or not
EFI binaries are measured into PCR 7 as indicated in the event
log.
We don't need to print the output of the parsed event log, so
redirect
it.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-tpm2: specify TCTI backend"
hash: c4eb9d7f6ad412bd74d77ece0e534c8dd2dd6fac
body: >
Specify the TCTI backend [0], which also silences error messages
from
trying unsupported backends
[0]
https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-sb: silence 'command -v'"
hash: 0cc0e51ec48fd90c7164cf458c6a2b583319999d
body: ""
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "hup: signed-update: update boot files as needed"
hash: c08e732e0a678bce9cf48774fabd9016325fcaa7
body: >
Unconditionally update the kernel and second stage bootloader
when the
content on disk doesn't match the binaries shipped in the
hostapp.
Previously this was only done when migrating, but the kernel,
and
consequently the second stage bootloader, change every build.
This means
firmwares which measure EFI binaries into PCR 7 won't boot
unless the
second stage bootloader is updated to match the digests enrolled
in the
security database.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "hup: signed-update: always remove policy directory"
hash: 7c4032d4596c72a85902c91bd48845543f3651b3
body: >
After creating a new policy, always remove any previous policy
directory
that was found.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-tpm2: append event log digests before separator"
hash: 1c19ebb6b7c9b47ae81a3d67fc5526ea3ed55caf
body: >
Don't continue appending event log digests after the separator.
This
fixes creating a TPM policy on machines that measure EFI
binaries into
PCR 7 double appending the EFI binary hashes, which will cause
boot
failures.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "hostapp-update-hooks: signed-update: fix exit code conditional"
hash: 06ef101cf68056c348f4c6810b522f2bbdbb7e55
body: >
Shellcheck warning SC2319 indicates that the condition being
checked
here may be overwritten by subsequent commands.
Replace this conditional with a switch statement that directly
evaluates
the output.
Also bump the minor version to make it more obvious that PCR 7
sealing
brings a new feature, which should've happened previously.
footer:
Change-type: minor
change-type: minor
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-tpm2: fix awk syntax error causing unbootable machines"
hash: 6c21f43c49361dac28f432083122a3ee35704a6f
body: >
A missing semi-colon caused the firmware_measures_efibins
function to
return an exit code of one, which the 0-signed-update
hostapp-update
hook interpreted as "this firmware does not measure EFI binaries
into
PCR 7", as opposed to zero, indicating "this firmware *does*
measure EFI
binaries into PCR 7", or two, indicating "the TPM event log is
unavailable and it's impossible to tell."
Taking the wrong branch in this conditional led to an
inappropriate
policy being created to seal the LUKS passphrase, which could
not be
unlocked on the next boot, as in QEMU with edk2, EFI binaries
*are*
measured into PCR 7.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
version: meta-balena-5.3.0
title: ""
date: 2024-04-24T06:33:36.925Z
- commits:
- subject: "hostapp-update-hooks: check for logging helper"
hash: 8561f0f7d92702a0d374846555904d6f2e01c697
body: >
Older balenaOS version (before v2.58) do not contain the logging
helper
in the rootfs and the new OS hooks fail to execute.
This commit checks for the file existence before using it, and
defines
the logging functions when not detected.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Alex Gonzalez <alexg@balena.io>
signed-off-by: Alex Gonzalez <alexg@balena.io>
author: Alex Gonzalez
nested: []
version: meta-balena-5.2.10
title: ""
date: 2024-04-23T10:14:54.964Z
version: 5.3.0
title: ""
date: 2024-04-24T09:41:39.388Z
- commits: - commits:
- subject: Update layers/meta-balena to 09f97ae4e491700fc458672c94fd7170b37551e1 - subject: Update layers/meta-balena to 09f97ae4e491700fc458672c94fd7170b37551e1
hash: a7f7e8a8b2873a7e08153f725662d538957e33b4 hash: a7f7e8a8b2873a7e08153f725662d538957e33b4

30
CHANGELOG.md
View file

@ -1,6 +1,36 @@
Change log Change log
----------- -----------
# v5.3.0
## (2024-04-24)
<details>
<summary> Update layers/meta-balena to 02acc2b2f2337154e79825e21fc5a517a1f97315 [Self-hosted Renovate Bot] </summary>
> ## meta-balena-5.3.0
> ### (2024-04-24)
>
> * hup: signed-update: silence tpm2-tools output [Joseph Kogut]
> * hup: silence mountpoint [Joseph Kogut]
> * hup: signed-update: print predicted PCR values after creating a policy [Joseph Kogut]
> * os-helpers-tpm2: firmware_measures_efibins: silence grep [Joseph Kogut]
> * os-helpers-tpm2: specify TCTI backend [Joseph Kogut]
> * os-helpers-sb: silence 'command -v' [Joseph Kogut]
> * hup: signed-update: update boot files as needed [Joseph Kogut]
> * hup: signed-update: always remove policy directory [Joseph Kogut]
> * os-helpers-tpm2: append event log digests before separator [Joseph Kogut]
> * hostapp-update-hooks: signed-update: fix exit code conditional [Joseph Kogut]
> * os-helpers-tpm2: fix awk syntax error causing unbootable machines [Joseph Kogut]
>
> ## meta-balena-5.2.10
> ### (2024-04-23)
>
> * hostapp-update-hooks: check for logging helper [Alex Gonzalez]
>
</details>
# v5.2.9 # v5.2.9
## (2024-04-22) ## (2024-04-22)

2
VERSION
View file

@ -1 +1 @@
5.2.9 5.3.0