TP-Link TL-WN821N v2 on Raspbian Bullseye

Having updated to bullseye, my Wifi dongle stopped working with the error 

[ 2270.938923] usb 1-1.4: New USB device strings: Mfr=16, Product=32, SerialNumber=48
[ 2270.938940] usb 1-1.4: Product: USB2.0 WLAN
[ 2270.938959] usb 1-1.4: Manufacturer: ATHER
[ 2270.938997] usb 1-1.4: SerialNumber: 12345
[ 2271.050454] usb 1-1.4: reset high-speed USB device number 8 using dwc_otg
[ 2271.218098] usb 1-1.4: Direct firmware load for carl9170-1.fw failed with error -2
[ 2271.218139] usb 1-1.4: firmware not found.

Solution

sudo apt install firmware-linux-free

sudo apt install firmware-linux-nonfree

Unplug/plug the dongle

Use iwlist scan to find the SSID for my wifi network

Use raspi-config to set the SSID and password

Connection is established in a few seconds

Note - ensure you have a decent USB power supply and cable to the RPi as the dongle draws some extra current.

Integrity Measurement Architecture (IMA) on Raspian

What is IMA?

Linux Integrity Measurement Architecture (IMA) is a subsystem in the Linux kernel that provides mechanisms for ensuring the integrity of files, directories, and critical system components. IMA is part of the Linux kernel's security infrastructure and is used to detect and prevent unauthorized changes to the system.

What is EVM?

Linux Extended Verification Module (EVM) is a security feature in the Linux kernel designed to enhance the integrity of the system by protecting extended attributes (xattrs) of files. These attributes often include security-related metadata, such as those used by the Integrity Measurement Architecture (IMA), Linux Security Modules (LSMs) like SELinux or Smack, and other extended attributes.

Exploring some use cases

Enable IMA, EVM and build kernel

$ diff defconfig ./arch/arm/configs/bcm2709_defconfig

672a673

> CONFIG_TCG_TPM=m

1499,1500d1499

< CONFIG_IMA=y

< CONFIG_EVM=y

Boot with the kernel and check that IMA, EVM are present

root@raspberrypi:~# find /sys/kernel/security/

/sys/kernel/security/

/sys/kernel/security/evm

/sys/kernel/security/ima

/sys/kernel/security/integrity

/sys/kernel/security/integrity/evm

/sys/kernel/security/integrity/evm/evm

/sys/kernel/security/integrity/ima

/sys/kernel/security/integrity/ima/policy

/sys/kernel/security/integrity/ima/violations

/sys/kernel/security/integrity/ima/runtime_measurements_count

/sys/kernel/security/integrity/ima/ascii_runtime_measurements

/sys/kernel/security/integrity/ima/binary_runtime_measurements

/sys/kernel/security/lsm

Test digital signature validation of immutable files

The package ima-evm-utils was not available for my version of Raspian

$ apt-cache search ima-evm-utils

$

Download, configure, build, install

$ git clone https://github.com/stefanberger/ima-evm-utils.git

$ cd ima-evm-utils/

$ ./autogen.sh

$ ./configure

$ make

$ sudo make install

$ sudo ldconfig

Generate a key pair

pi@raspberrypi:~ $ openssl genrsa -out rsa_private.pem 2048

Generating RSA private key, 2048 bit long modulus (2 primes)

.............................................+++++

.....................+++++

e is 65537 (0x010001)

pi@raspberrypi:~ $ openssl rsa -pubout -in rsa_private.pem -out rsa_public.pem

writing RSA key

Import public key into keyring

pi@raspberrypi:~ $ sudo evmctl import --rsa rsa_public.pem $(keyctl newring _ima @u)

Importing public key F0D70A9FC543B7FD from file rsa_public.pem into keyring 348838330

keyid: 975180608

975180608

Test on hello world executable

pi@raspberrypi:~ $ cat hello.c

#include <stdio.h>

int main()

{

        printf("Hello world\n");

        return 0;

}

pi@raspberrypi:~ $ gcc hello.c -o hello

pi@raspberrypi:~ $ sudo evmctl ima_sign --key rsa_private.pem hello

hash(sha1): c7a17949155c2e35f0065551f4cc04adaf466eb3

evm/ima signature: 264 bytes

0302029bd7cf87010025f8f15ce309bb25dc27409dce375f01545d7ed7c7096e382ffe7bc1c92faa86056f6d145895a4372bdbe9fd2167475b0be45562d7ffdb3e7d4197263b384087fbb4be62074bff604b8404144de692011ea18d0e8109526500bd07d9e47a9a3192f1c6ffde86d317fd8bebb0d67360785520490b6fa80b358762afce1d11398ddd32a0ae7385921342174110447ccecea0ad1eea663f4acc98fbcfb31db1e7d56fa476ef118021341437511753e1530acd33c0b04875598983aea04cf4c74f5a7cf94419dc3fba0ca60850b3df8fc731c2bf399b7efbf5ccea4bb4d5a6cda0828a688837a709678d41eeeca8d47a3b3808279aae36b489dd0582199b5393b5ce

pi@raspberrypi:~ $ getfattr -m . -d ./hello

# file: hello

security.ima=0sAwICm9fPhwEAJfjxXOMJuyXcJ0CdzjdfAVRdftfHCW44L/57wckvqoYFb20UWJWkNyvb6f0hZ0dbC+RVYtf/2z59QZcmOzhAh/u0vmIHS/9gS4QEFE3mkgEeoY0OgQlSZQC9B9nkepoxkvHG/96G0xf9i+uw1nNgeFUgSQtvqAs1h2Kvzh0ROY3dMqCuc4WSE0IXQRBEfM7OoK0e6mY/SsyY+8+zHbHn1W+kdu8RgCE0FDdRF1PhUwrNM8CwSHVZiYOuoEz0x09afPlEGdw/ugymCFCz34/HMcK/OZt++/XM6ku01abNoIKKaIg3pwlnjUHu7KjUejs4CCearja0id0FghmbU5O1zg==

dm-integrity, dm-crypt, luks

Build dm-integrity for RPI

dm-integrity was not included in my Raspian kernel, built as per -

https://www.raspberrypi.com/documentation/computers/linux_kernel.html

and load (as a module)

dm-integrity (no encryption)

Create an image file as backing for a loop device

$ dd if=/dev/zero of=./file.img bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 2.28869 s, 45.8 MB/s

Create the loop device

$ sudo losetup --find --show ./file.img

/dev/loop0

Create key, format, open using integrity setup

$ dd if=/dev/urandom bs=32 count=1 of=./keyfile

$ sudo integritysetup format /dev/loop0 --tag-size 32 --integrity hmac-sha256 --integrity-key-file ./keyfile --integrity-key-size 32 --batch-mode

$ sudo integritysetup open /dev/loop0 testinteg --integrity hmac-sha256 --integrity-key-file ./keyfile --integrity-key-size 32 --batch-mode

$ sudo integritysetup status testinteg

/dev/mapper/testinteg is active.

  type:    INTEGRITY

  tag size: 32

  integrity: hmac(sha256)

  device:  /dev/loop0

  loop:    /home/pi/dm-integrity/file.img

  sector size:  512 bytes

  interleave sectors: 32768

  size:    190920 sectors

  mode:    read/write

  failures: 0

  journal size: 811008 bytes

  journal watermark: 50%

  journal commit time: 10000 ms

$ lsblk /dev/loop0

NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT

loop0         7:0    0  100M  0 loop

└─testinteg 254:0    0 93.2M  0 crypt

Format with ext4, mount, test

$ sudo mkfs.ext4 /dev/mapper/testinteg 

$ sudo mkdir /mnt/testinteg 

$ sudo mount /dev/mapper/testinteg /mnt/testinteg 

Create a test file

$ sudo dd if=/dev/zero of=/mnt/testinteg/zero bs=1M count=50

$ sudo hexdump /mnt/testinteg/zero

0000000 0000 0000 0000 0000 0000 0000 0000 0000

*

3200000

Tamper

$ dd if=/dev/random of=./file.img bs=1 seek=40M count=512

$ sudo umount /mnt/testinteg

$ sudo integritysetup close testinteg

Remount and check

$ sudo integritysetup open /dev/loop0 testinteg --integrity hmac-sha256 --integrity-key-file ./keyfile --integrity-key-size 32 --batch-mode

$ dmesg |tail

[  514.542274] device-mapper: integrity: dm-0: Checksum failed at sector 0x2e900

[  514.542773] device-mapper: integrity: dm-0: Checksum failed at sector 0x2e900

[  514.542802] Buffer I/O error on dev dm-0, logical block 23840, async page read

$ sudo integritysetup status testinteg

/dev/mapper/testinteg is active.

  type:    INTEGRITY

  tag size: 32

  integrity: hmac(sha256)

  device:  /dev/loop0

  loop:    /home/pi/dm-integrity/file.img

  sector size:  512 bytes

  interleave sectors: 32768

  size:    190920 sectors

  mode:    read/write

  failures: 2

  journal size: 811008 bytes

  journal watermark: 50%

  journal commit time: 10000 ms

dm-integrity finds the 'corrupt' data when mapping

$ sudo fsck.ext4 -a /dev/mapper/testinteg 

$ sudo mount /dev/mapper/testinteg /mnt/testinteg 

$ sudo hexdump /mnt/testinteg/zero

0000000 0000 0000 0000 0000 0000 0000 0000 0000

*

hexdump: /mnt/testinteg/zero: Input/output error

01bf800

dm-crypt (no integrity)

Create key and format, open using cryptsetup

$ dd if=/dev/urandom bs=32 count=1 of=./keyfile

$ sudo cryptsetup luksFormat --type luks2 /dev/loop1 --cipher aes-xts-plain64 --key-file ./keyfile --batch-mode

$ sudo cryptsetup open /dev/loop1 testcrypt --key-file ./keyfile

$ sudo cryptsetup status testcrypt

/dev/mapper/testcrypt is active and is in use.

  type:    LUKS2

  cipher:  aes-xts-plain64

  keysize: 512 bits

  key location: keyring

  device:  /dev/loop1

  loop:    /home/pi/luks2wip/file.img

  sector size:  512

  offset:  32768 sectors

  size:    172032 sectors

  mode:    read/write

$ lsblk /dev/loop1

NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT

loop1         7:1    0  100M  0 loop

└─testcrypt 254:0    0   84M  0 crypt

Format with ext4, mount, test

$ sudo mkfs.ext4 /dev/mapper/testcrypt

$ sudo mkdir /mnt/testcrypt

$ sudo mount /dev/mapper/testcrypt /mnt/testcrypt

$ sudo umount /mnt/testcrypt

Unmount

$ sudo cryptsetup close testcrypt

$ file file.img

file.img: LUKS encrypted file, ver 2 [, , sha256] UUID: 3f01b422-6a29-4d58-a9f4-ffbe992790b6

Tamper and check

$ dd if=/dev/zero of=./file.img bs=1 seek=40M count=1

$ sudo cryptsetup open /dev/loop1 testcrypt --key-file ./keyfile

$ sudo fsck.ext4 -a /dev/mapper/testcrypt

$ sudo mount /dev/mapper/testcrypt /mnt/testcrypt

dm-integrity + dm-crypt

https://archive.fosdem.org/2018/schedule/event/cryptsetup/

Create key and format, open using cryptsetup

$ dd if=/dev/urandom bs=32 count=1 of=./keyfile

$ sudo cryptsetup luksFormat --type luks2 /dev/loop2 --cipher aes-xts-plain64 --integrity hmac-sha256 --key-file ./keyfile --batch-mode

$ sudo cryptsetup open /dev/loop2 testintegcrypt --key-file ./keyfile

$ sudo cryptsetup status testintegcrypt

/dev/mapper/testintegcrypt is active.

  type:    LUKS2

  cipher:  aes-xts-plain64

  keysize: 768 bits

  key location: keyring

  integrity: hmac(sha256)

  integrity keysize: 256 bits

  device:  /dev/loop2

  loop:    /home/pi/dm-integ-crypt/file.img

  sector size:  512

  offset:  0 sectors

  size:    160200 sectors

  mode:    read/write

$ lsblk /dev/loop2

NAME                 MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT

loop2                  7:2    0  100M  0 loop

└─testintegcrypt_dif 254:1    0 78.2M  0 crypt

  └─testintegcrypt   254:2    0 78.2M  0 crypt

Format with ext4, mount, test

$ sudo mkfs.ext4 /dev/mapper/testintegcrypt

$ sudo mkdir /mnt/testintegcrypt

$ sudo mount /dev/mapper/testintegcrypt /mnt/testintegcrypt

Create a test file

$ sudo dd if=/dev/zero of=/mnt/testintegcrypt/zero bs=1M count=50

$ sudo hexdump /mnt/testintegcrypt/zero

0000000 0000 0000 0000 0000 0000 0000 0000 0000

*

3200000

Unmount

$ sudo umount /mnt/testintegcrypt

$ sudo cryptsetup close testintegcrypt

Tamper and check

$ dd if=/dev/random of=./file.img bs=1 seek=40M count=512

$ sudo cryptsetup open /dev/loop2 testintegcrypt --key-file ./keyfile

The 'corrupt' data isn't found until it is accessed

$ sudo fsck.ext4 -a /dev/mapper/testintegcrypt

Error reading block 32769 (Input/output error).

/dev/mapper/testintegcrypt: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.

        (i.e., without -a or -p options)

$ sudo mount /dev/mapper/testintegcrypt /mnt/testintegcrypt

$ sudo hexdump /mnt/testintegcrypt/zero

0000000 0000 0000 0000 0000 0000 0000 0000 0000

*

hexdump: /mnt/testintegcrypt/zero: Input/output error

0b38000

Yocto - building a dmverity/squashfs ro-rootfs

Configure the kernel with dm-verity support

$ bitbake linux-yocto -c kernel_configme -f

$ bitbake linux-yocto -c menuconfig

Using menuconfig select -

Device Drivers / Multiple device drivers support / Device Mapper Support / DM "dm-mod.create=" parameter support = [*]

Verity target support = [*]

Verity data device root hash signature verification support = [*]

Cryptographic API / Certificates for signature checking / Additional X.509 keys for default system keyring = ("${HOME}/keys/verity_cert.pem")

Generate a config fragment and check the content

$ bitbake linux-yocto -c diffconfig

$ cat tmp/work/qemux86_64-poky-linux/linux-yocto/*/fragment.cfg

CONFIG_DM_INIT=y

CONFIG_DM_VERITY=y

CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y

# CONFIG_DM_VERITY_FEC is not set

CONFIG_SYSTEM_TRUSTED_KEYS="${HOME}/keys/verity_cert.pem"

$ mv tmp/work/qemux86_64-poky-linux/linux-yocto/*/fragment.cfg ../meta-mylayer/recipes-kernel/linux/linux-yocto/dmverity.cfg

Add a reference to the fragment in your kernel recipe - meta-mylayer/recipes-kernel/linux/linux-yocto_%.bbappend

SRC_URI += "file://dmverity.cfg"

Create the certificate

Parameter explanation

-nodes

No DES (i.e. don't encrypt the private key with Data Encryption Standard) 

-days

Specifies the number of days to make a certificate valid for. 

-set_serial

Specifies the serial number to use. 

In a certificate, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA.  

-subject

https://en.wikipedia.org/wiki/X.509#Sample_X.509_certificates

Command -

$ openssl req -x509 -newkey rsa:1024 -keyout verity_key.pem \

    -out verity_cert.pem -nodes -days 7300 -set_serial 01 -subject /CN=bugwhine.blogspot.com

Move them somewhere safe

$ mv verity_cert.pem ${HOME}/keys

$ mv verity_key.pem ${HOME}/keys

Build the kernel

$ bitbake linux-yocto -c clean

$ bitbake linux-yocto 

Confirm that it was configured correctly -

$ grep -i verity tmp/work/qemux86_64-poky-linux/linux-yocto/*/*/.config

CONFIG_DM_VERITY=y

CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y

# CONFIG_DM_VERITY_FEC is not set

# CONFIG_FS_VERITY is not set

CONFIG_SYSTEM_TRUSTED_KEYS="${HOME}/keys/verity_cert.pem"

Setup yocto to generate verity metadata for the rootfs image

$ git clone git://git.yoctoproject.org/meta-security

$ cd meta-security

$ git checkout --track remotes/origin/dunfell

$ cd ..

$ git clone https://github.com/openembedded/meta-openembedded.git

$ git checkout --track remotes/origin/dunfell

Add these layers to conf/bblayers.conf -

  meta-security \

  meta-openembedded/meta-oe \

  meta-openembedded/meta-python \

  meta-openembedded/meta-networking \

  meta-openembedded/meta-perl \

Create a wic kickstart file (recipes-core/images/my-image-verity-wic.wks) containing -

part / --source rootfs --ondisk sda --fstype=squashfs

part /media/rfs/rw --ondisk sda --fstype=ext4 --label rwoverlay --size 100M

part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"

Create a new image recipe (recipes-core/images/my-image-verity-wic.bb) containing -

DESCRIPTION = "A console-only image with more full-featured Linux system \

functionality installed."

SRC_URI = "file://${FILE_DIRNAME}/${BPN}.wks"

IMAGE_FEATURES += "splash ssh-server-openssh"

IMAGE_INSTALL = "\

    packagegroup-core-boot \

    packagegroup-core-full-cmdline \

    ${CORE_IMAGE_EXTRA_INSTALL} \

    initscripts-readonly-rootfs-overlay \

    cryptsetup \

    "

DM_VERITY_IMAGE = "my-image-verity-wic"

DM_VERITY_IMAGE_TYPE = "squashfs"

IMAGE_CLASSES += "dm-verity-img"

IMAGE_FSTYPES = "squashfs squashfs.verity wic"

WICVARS_append = " DM_VERITY_IMAGE DM_VERITY_IMAGE_TYPE"

inherit core-image

WKS_FILE = "my-image.wks"

WKS_FILE_DEPENDS = "dosfstools-native mtools-native gptfdisk-native squashfs-tools-native"

WKS_FILE_DEPENDS_append_x86 = " syslinux-native syslinux"

WKS_FILE_DEPENDS_append_x86-64 = " syslinux-native syslinux"

WKS_FILE_DEPENDS_append_x86-x32 = " syslinux-native syslinux"

QB_KERNEL_CMDLINE_APPEND += "root=/dev/vda1 rootrw=/dev/vda2 rootrwoptions=rw,noatime init=/init"

QB_DEFAULT_FSTYPE = "wic"

QB_FSINFO = "wic:no-kernel-in-fs"

#QB_KERNEL_ROOT = "/dev/vda1"

Patch meta-security/classes/dm-verity-img.bbclass adding squashfs support -

VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity squashfs.verity"

Build and note the verity parameters needed to map it

$ bitbake my-image-verity-wic

$ cat tmp/work-shared/qemux86-64/dm-verity/my-image-verity-wic.squashfs.verity.env

UUID=abcab4c0-3187-4b91-bcb5-d804229456e2

HASH_TYPE=1

DATA_BLOCKS=26760

DATA_BLOCK_SIZE=1024

HASH_BLOCK_SIZE=4096

HASH_ALGORITHM=sha256

SALT=5ac714319ab03dfad686c5563dc78b3be03c802c0f62477a423a56148a32c417

ROOT_HASH=6b4478922104f14b6ca6f463dab26b9a4c653e6b2507e493cf2c95f687b19fc8

DATA_SIZE=27402240

Boot in qemu

At this stage we have both the original squashfs image, and squashfs image with verity metadata appended in partitions 1 and 3 of the wic image.

We boot the squashfs image first -

$ runqemu my-image-verity-wic nographic kvm

Poky (Yocto Project Reference Distro) 3.1.24 qemux86-64 ttyS0

qemux86-64 login: root

root@qemux86-64:~#

root@qemux86-64:~# lsblk

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT

hdc     22:0    1     4G  0 disk

vda    253:0    0 153.1M  0 disk

|-vda1 253:1    0  26.1M  0 part /media/rfs/ro

|-vda2 253:2    0   100M  0 part /media/rfs/rw

`-vda3 253:3    0    27M  0 part

Then map and mount it -

root@qemux86-64:~# veritysetup --data-block-size=1024 --hash-offset=27402240 open /dev/vda3 root /dev/vda3 \

>  6b4478922104f14b6ca6f463dab26b9a4c653e6b2507e493cf2c95f687b19fc8

root@qemux86-64:~# ls /dev/mapper/root

/dev/mapper/root

root@qemux86-64:~# mkdir /tmp/dmroot

root@qemux86-64:~# mount /dev/mapper/root /tmp/dmroot/

mount: /var/volatile/tmp/dmroot: WARNING: device write-protected, mounted read-only.

root@qemux86-64:~#

and confirm that it is readable

root@qemux86-64:~# file /tmp/dmroot/usr/sbin/veritysetup

/tmp/dmroot/usr/sbin/veritysetup: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-x86-64.so.2, BuildID[sha1]=8035280d420b22091cf8319d4ceda8e6d

Now we'll tamper with the image, reboot -

root@qemux86-64:~# dd if=/dev/zero of=/dev/vda3 bs=1024 skip=10 count=1

1+0 records in

1+0 records out

1024 bytes (1.0 kB, 1.0 KiB) copied, 0.00516249 s, 198 kB/s

root@qemux86-64:~# reboot

And check if we can remap/mount it -

root@qemux86-64:~#

root@qemux86-64:~# veritysetup --data-block-size=1024 --hash-offset=27402240 open /dev/vda3 root /dev/vda3 \

>  6b4478922104f14b6ca6f463dab26b9a4c653e6b2507e493cf2c95f687b19fc8

Verity device detected corruption after activation.

root@qemux86-64:~#

root@qemux86-64:~# dmesg |tail

[   46.457801] Buffer I/O error on dev dm-0, logical block 0, async page read

[   46.459131] device-mapper: verity: 253:3: data block 0 is corrupted

[   46.459468] device-mapper: verity: 253:3: data block 0 is corrupted

[   46.459475] Buffer I/O error on dev dm-0, logical block 0, async page read

[   46.461389] Buffer I/O error on dev dm-0, logical block 0, async page read

[   46.462957] Buffer I/O error on dev dm-0, logical block 0, async page read

[   46.465372] Buffer I/O error on dev dm-0, logical block 0, async page read

[   46.466989] Buffer I/O error on dev dm-0, logical block 0, async page read

[   46.468663] Buffer I/O error on dev dm-0, logical block 0, async page read

[   46.544350] device-mapper: verity: 253:3: reached maximum errors

root@qemux86-64:~#

root@qemux86-64:~# mkdir /tmp/dmroot

root@qemux86-64:~# mount /dev/mapper/root /tmp/dmroot/

mount: /var/volatile/tmp/dmroot: can't read superblock on /dev/mapper/root.

root@qemux86-64:~#

Note it complains about logical block 0 as I used 'skip=10' rather than 'seek=10' in my dd command.

As previously, the files are available at -

https://github.com/bugwhine/meta-mylayer

Kudos to https://www.timesys.com/security/dm-verity-without-an-initramfs/

Next steps will be 

- signing and authenticating the root hash

- boot with authentication

Yocto - read-only rootfs (squashfs) + ext4 overlay (qemu)

Experimenting with a qemu yocto build that models an Embedded system with a read-only rootfs, and writeable overlay.

Basic yocto setup

Clone git://git.yoctoproject.org/poky

Checkout dunfell branch

Clone https://github.com/marcusfolkesson/meta-readonly-rootfs-overlay.git

Update the compatibility in meta-readonly-rootfs-overlay/conf/layer.conf to match your poky branch

LAYERSERIES_COMPAT_readonly-rootfs-overlay = "honister kirkstone dunfell"

source oe-init-build-env

Add meta-readonly-rootfs-overlay to build/conf/bblayers.conf

Create own layer meta-mylayer (git@github.com:bugwhine/meta-mylayer.git)

and add to build/conf/bblayers.conf

Setup meta-mylayer/conf/layer.conf containing the boilerplate -

# We have a conf and classes directory, add to BBPATH

BBPATH .= ":${LAYERDIR}"

# We have recipes-* directories, add to BBFILES

BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \

            ${LAYERDIR}/recipes-*/*/*.bbappend"

BBFILE_COLLECTIONS += "mylayer"

BBFILE_PATTERN_mylayer = "^${LAYERDIR}/"

BBFILE_PRIORITY_mylayer = "5"

LAYERVERSION_mylayer = "4"

LAYERSERIES_COMPAT_mylayer = "dunfell"

Add squashfs support to the yocto kernel

$ bitbake linux-yocto -c kernel_configme -f

$ bitbake linux-yocto -c menuconfig

Use menuconfig to add squashfs support, and customize options as desired

$ bitbake linux-yocto -c diffconfig
$ mkdir -p meta-mylayer/recipes-kernel/linux
$ mv fragment.cfg ../meta-mylayer/recipes-kernel/linux/linux-yocto/squashfs.cfg

Create a bbappend file meta-mylayer/recipes-kernel/linux/linux-yocto_%.bbappend referencing the fragment

FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"

SRC_URI += "file://squashfs.cfg"

Build the kernel 

$ bitbake linux-yocto

And confirm that the configuration is present

$ grep SQUASHFS `find tmp/work/qemux86_64-poky-linux/linux-yocto/ -name '.config'`

CONFIG_SQUASHFS=y

...

CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3

Setup an image (wic)

Create an image recipe meta-mylayer/recipes-core/images/my-image-wic.bb with content (based on core-image-full-cmdline)

DESCRIPTION = "A console-only image with more full-featured Linux system \

functionality installed."

SRC_URI = "file://${FILE_DIRNAME}/${BPN}.wks"

IMAGE_FEATURES += "splash ssh-server-openssh"

IMAGE_INSTALL = "\

    packagegroup-core-boot \

    packagegroup-core-full-cmdline \

    ${CORE_IMAGE_EXTRA_INSTALL} \

    initscripts-readonly-rootfs-overlay \

    "

IMAGE_FSTYPES = "wic"

inherit core-image

WKS_FILE = "my-image-wic.wks"

WKS_FILE_DEPENDS = "dosfstools-native mtools-native gptfdisk-native squashfs-tools-native"

WKS_FILE_DEPENDS_append_x86 = " syslinux-native syslinux"

WKS_FILE_DEPENDS_append_x86-64 = " syslinux-native syslinux"

WKS_FILE_DEPENDS_append_x86-x32 = " syslinux-native syslinux"

QB_KERNEL_CMDLINE_APPEND += "root=/dev/vda1 rootrw=/dev/vda2 rootrwoptions=rw,noatime init=/init"

QB_DEFAULT_FSTYPE = "wic"

QB_FSINFO = "wic:no-kernel-in-fs"

#QB_KERNEL_ROOT = "/dev/vda1"

Create the wks (wick kickstart script) meta-mylayer/recipes-core/images/my-image-wic.wks with content - 

part / --source rootfs --ondisk sda --fstype=squashfs --align 1024

part /media/rfs/rw --ondisk sda --fstype=ext4 --label rwoverlay --size 100M

Build and run

$ bitbake my-image-wic
...

$ runqemu my-image-wic nographic kvm

...

Booting from ROM...

[    0.000000] Linux version 5.4.230-yocto-standard (oe-user@oe-host) (gcc version 9.5.0 (GCC)) #1 SMP PREEMPT Wed Feb 1 15:40:31 UTC 2023

[    0.000000] Command line: root=/dev/vda rw  console=ttyS0 mem=256M ip=192.168.7.2::192.168.7.1:255.255.255.0 oprofile.timer=1 root=/dev/vda1 rootrw=/dev/vda2 rootrwoptions=rw,noatime init=/ini

...

Poky (Yocto Project Reference Distro) 3.1.24 qemux86-64 ttyS0

qemux86-64 login: root

Check the rootfs mounts  

root@qemux86-64:~# lsblk

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT

hdc     22:0    1     4G  0 disk

vda    253:0    0 126.3M  0 disk

|-vda1 253:1    0  25.3M  0 part /media/rfs/ro

`-vda2 253:2    0   100M  0 part /media/rfs/rw

root@qemux86-64:~# cat /proc/mounts

...

/dev/root /media/rfs/ro squashfs ro,relatime 0 0

/dev/vda2 /media/rfs/rw ext4 rw,noatime 0 0

overlay / overlay rw,relatime,lowerdir=/media/rfs/ro,upperdir=/media/rfs/rw/upperdir,workdir=/media/rfs/rw/work 0 0

...

Confirm that the overlay is working

root@qemux86-64:~# touch /etc/aaa

root@qemux86-64:~# ls /media/rfs/rw/upperdir/etc/aaa

/media/rfs/rw/upperdir/etc/aaa

root@qemux86-64:~# ls /media/rfs/ro/etc/aaa

ls: cannot access '/media/rfs/ro/etc/aaa': No such file or directory

TP-Link TL WN823N on Raspberry Pi 2B

Although this page  -
https://elinux.org/RPi_USB_Wi-Fi_Adapters
states -
TL-WN823N Works out of box on Raspian using powered USB Hub

For me, although it was identified on USB, wlan0 did not exist.

The procedure from -
https://www.raspberrypi.org/forums/viewtopic.php?p=462982#p462982

resolved it, such that
pi@raspberrypi:~ $ dmesg |grep -E "8192eu|wlan"
[    6.130806] 8192eu: loading out-of-tree module taints kernel.
[    6.282145] RTL871X: rtl8192eu v4.4.1_17696.20160509_BTCOEX20160412-0042
[    6.282164] RTL871X: rtl8192eu BT-Coex version = BTCOEX20160412-0042
[    6.417300] RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=50:3e:aa:86:9d:85
[    6.419838] usbcore: registered new interface driver rtl8192eu
[   11.433648] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   20.945234] RTL871X: rtw_set_802_11_connect(wlan0)  fw_state=0x00000008
[   22.527221] RTL871X: rtw_cfg80211_indicate_connect(wlan0) BSS not found !!
[   23.053309] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready

pi@raspberrypi:~ $ lsusb
Bus 001 Device 004: ID 2357:0109 TP-Link TL WN823N RTL8192EU

pi@raspberrypi:~ $ uname -a

Linux raspberrypi 4.19.113-v7+ #1300 SMP Thu Mar 26 16:53:09 GMT 2020 armv7l GNU/Linux

pi@raspberrypi:~ $ cat /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

NAME="Raspbian GNU/Linux"

VERSION_ID="10"

VERSION="10 (buster)"

VERSION_CODENAME=buster

ID=raspbian

ID_LIKE=debian

HOME_URL="http://www.raspbian.org/"

SUPPORT_URL="http://www.raspbian.org/RaspbianForums"

BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Docker Toolbox (on Windows) cheatsheet

Start with an empty ubuntu container

$ docker run -t -i ubuntu /bin/bash
$ exit

Commit it to a new image
$ docker commit d1dbe5528e65 commitrunning

Open VirtualBox, to configure shared drives

Setup a shared folder named 'd' with path 'd:\"
In the (Linux) shell (docker@default) give the commands
docker@default:~$ sudo mkdir /d
docker@default:~$ sudo mount -t vboxsf d /d

Add the volume to the image

$ docker run -ti -v //d/repo/:/repo commitrunning /bin/bash

Display containers

$ docker ps -a

Display images

$ docker image ls

Display dockerfile for container

$ docker container inspect unruffled_shtern

About dockerfiles, containers, images

https://blog.octo.com/en/docker-registry-first-steps/

Connect to running container

$ docker exec -it unruffled_shtern /bin/bash