Wednesday, October 16, 2024

TP-Link TL-WN821N v2 on Raspbian Bullseye

Having updated to bullseye, my Wifi dongle stopped working with the error 

[ 2270.938923] usb 1-1.4: New USB device strings: Mfr=16, Product=32, SerialNumber=48
[ 2270.938940] usb 1-1.4: Product: USB2.0 WLAN
[ 2270.938959] usb 1-1.4: Manufacturer: ATHER
[ 2270.938997] usb 1-1.4: SerialNumber: 12345
[ 2271.050454] usb 1-1.4: reset high-speed USB device number 8 using dwc_otg
[ 2271.218098] usb 1-1.4: Direct firmware load for carl9170-1.fw failed with error -2
[ 2271.218139] usb 1-1.4: firmware not found.

Solution

sudo apt install firmware-linux-free
sudo apt install firmware-linux-nonfree

Unplug/plug the dongle
Use iwlist scan to find the SSID for my wifi network
Use raspi-config to set the SSID and password
Connection is established in a few seconds

Note - ensure you have a decent USB power supply and cable to the RPi as the dongle draws some extra current.

Friday, May 17, 2024

Integrity Measurement Architecture (IMA) on Raspian

What is IMA?

Linux Integrity Measurement Architecture (IMA) is a subsystem in the Linux kernel that provides mechanisms for ensuring the integrity of files, directories, and critical system components. IMA is part of the Linux kernel's security infrastructure and is used to detect and prevent unauthorized changes to the system.

What is EVM?

Linux Extended Verification Module (EVM) is a security feature in the Linux kernel designed to enhance the integrity of the system by protecting extended attributes (xattrs) of files. These attributes often include security-related metadata, such as those used by the Integrity Measurement Architecture (IMA), Linux Security Modules (LSMs) like SELinux or Smack, and other extended attributes.

Exploring some use cases

Enable IMA, EVM and build kernel

$ diff defconfig ./arch/arm/configs/bcm2709_defconfig
672a673
> CONFIG_TCG_TPM=m
1499,1500d1499
< CONFIG_IMA=y
< CONFIG_EVM=y

Boot with the kernel and check that IMA, EVM are present

root@raspberrypi:~# find /sys/kernel/security/
/sys/kernel/security/
/sys/kernel/security/evm
/sys/kernel/security/ima
/sys/kernel/security/integrity
/sys/kernel/security/integrity/evm
/sys/kernel/security/integrity/evm/evm
/sys/kernel/security/integrity/ima
/sys/kernel/security/integrity/ima/policy
/sys/kernel/security/integrity/ima/violations
/sys/kernel/security/integrity/ima/runtime_measurements_count
/sys/kernel/security/integrity/ima/ascii_runtime_measurements
/sys/kernel/security/integrity/ima/binary_runtime_measurements
/sys/kernel/security/lsm

Test digital signature validation of immutable files

The package ima-evm-utils was not available for my version of Raspian

$ apt-cache search ima-evm-utils
$

Download, configure, build, install

$ git clone https://github.com/stefanberger/ima-evm-utils.git
$ cd ima-evm-utils/
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig

Generate a key pair

pi@raspberrypi:~ $ openssl genrsa -out rsa_private.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
.....................+++++
e is 65537 (0x010001)
pi@raspberrypi:~ $ openssl rsa -pubout -in rsa_private.pem -out rsa_public.pem
writing RSA key

Import public key into keyring

pi@raspberrypi:~ $ sudo evmctl import --rsa rsa_public.pem $(keyctl newring _ima @u)
Importing public key F0D70A9FC543B7FD from file rsa_public.pem into keyring 348838330
keyid: 975180608
975180608

Test on hello world executable

pi@raspberrypi:~ $ cat hello.c
#include <stdio.h>

int main()
{
        printf("Hello world\n");
        return 0;
}
pi@raspberrypi:~ $ gcc hello.c -o hello
pi@raspberrypi:~ $ sudo evmctl ima_sign --key rsa_private.pem hello
hash(sha1): c7a17949155c2e35f0065551f4cc04adaf466eb3
evm/ima signature: 264 bytes
0302029bd7cf87010025f8f15ce309bb25dc27409dce375f01545d7ed7c7096e382ffe7bc1c92faa86056f6d145895a4372bdbe9fd2167475b0be45562d7ffdb3e7d4197263b384087fbb4be62074bff604b8404144de692011ea18d0e8109526500bd07d9e47a9a3192f1c6ffde86d317fd8bebb0d67360785520490b6fa80b358762afce1d11398ddd32a0ae7385921342174110447ccecea0ad1eea663f4acc98fbcfb31db1e7d56fa476ef118021341437511753e1530acd33c0b04875598983aea04cf4c74f5a7cf94419dc3fba0ca60850b3df8fc731c2bf399b7efbf5ccea4bb4d5a6cda0828a688837a709678d41eeeca8d47a3b3808279aae36b489dd0582199b5393b5ce

pi@raspberrypi:~ $ getfattr -m . -d ./hello
# file: hello
security.ima=0sAwICm9fPhwEAJfjxXOMJuyXcJ0CdzjdfAVRdftfHCW44L/57wckvqoYFb20UWJWkNyvb6f0hZ0dbC+RVYtf/2z59QZcmOzhAh/u0vmIHS/9gS4QEFE3mkgEeoY0OgQlSZQC9B9nkepoxkvHG/96G0xf9i+uw1nNgeFUgSQtvqAs1h2Kvzh0ROY3dMqCuc4WSE0IXQRBEfM7OoK0e6mY/SsyY+8+zHbHn1W+kdu8RgCE0FDdRF1PhUwrNM8CwSHVZiYOuoEz0x09afPlEGdw/ugymCFCz34/HMcK/OZt++/XM6ku01abNoIKKaIg3pwlnjUHu7KjUejs4CCearja0id0FghmbU5O1zg==



Sunday, December 3, 2023

dm-integrity, dm-crypt, luks

Build dm-integrity for RPI

dm-integrity was not included in my Raspian kernel, built as per -

https://www.raspberrypi.com/documentation/computers/linux_kernel.html

and load (as a module)

dm-integrity (no encryption)

Create an image file as backing for a loop device

$ dd if=/dev/zero of=./file.img bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 2.28869 s, 45.8 MB/s

Create the loop device

$ sudo losetup --find --show ./file.img
/dev/loop0

Create key, format, open using integrity setup

$ dd if=/dev/urandom bs=32 count=1 of=./keyfile

$ sudo integritysetup format /dev/loop0 --tag-size 32 --integrity hmac-sha256 --integrity-key-file ./keyfile --integrity-key-size 32 --batch-mode

$ sudo integritysetup open /dev/loop0 testinteg --integrity hmac-sha256 --integrity-key-file ./keyfile --integrity-key-size 32 --batch-mode

$ sudo integritysetup status testinteg
/dev/mapper/testinteg is active.
  type:    INTEGRITY
  tag size: 32
  integrity: hmac(sha256)
  device:  /dev/loop0
  loop:    /home/pi/dm-integrity/file.img
  sector size:  512 bytes
  interleave sectors: 32768
  size:    190920 sectors
  mode:    read/write
  failures: 0
  journal size: 811008 bytes
  journal watermark: 50%
  journal commit time: 10000 ms

$ lsblk /dev/loop0
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0         7:0    0  100M  0 loop
└─testinteg 254:0    0 93.2M  0 crypt

Format with ext4, mount, test

$ sudo mkfs.ext4 /dev/mapper/testinteg 
$ sudo mkdir /mnt/testinteg 
$ sudo mount /dev/mapper/testinteg /mnt/testinteg 

Create a test file

$ sudo dd if=/dev/zero of=/mnt/testinteg/zero bs=1M count=50
$ sudo hexdump /mnt/testinteg/zero
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
3200000

Tamper

$ dd if=/dev/random of=./file.img bs=1 seek=40M count=512
$ sudo umount /mnt/testinteg
$ sudo integritysetup close testinteg

Remount and check

$ sudo integritysetup open /dev/loop0 testinteg --integrity hmac-sha256 --integrity-key-file ./keyfile --integrity-key-size 32 --batch-mode

$ dmesg |tail
[  514.542274] device-mapper: integrity: dm-0: Checksum failed at sector 0x2e900
[  514.542773] device-mapper: integrity: dm-0: Checksum failed at sector 0x2e900
[  514.542802] Buffer I/O error on dev dm-0, logical block 23840, async page read

$ sudo integritysetup status testinteg
/dev/mapper/testinteg is active.
  type:    INTEGRITY
  tag size: 32
  integrity: hmac(sha256)
  device:  /dev/loop0
  loop:    /home/pi/dm-integrity/file.img
  sector size:  512 bytes
  interleave sectors: 32768
  size:    190920 sectors
  mode:    read/write
  failures: 2
  journal size: 811008 bytes
  journal watermark: 50%
  journal commit time: 10000 ms

dm-integrity finds the 'corrupt' data when mapping

$ sudo fsck.ext4 -a /dev/mapper/testinteg 
$ sudo mount /dev/mapper/testinteg /mnt/testinteg 
$ sudo hexdump /mnt/testinteg/zero
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
hexdump: /mnt/testinteg/zero: Input/output error
01bf800

dm-crypt (no integrity)

Create key and format, open using cryptsetup

$ dd if=/dev/urandom bs=32 count=1 of=./keyfile

$ sudo cryptsetup luksFormat --type luks2 /dev/loop1 --cipher aes-xts-plain64 --key-file ./keyfile --batch-mode
$ sudo cryptsetup open /dev/loop1 testcrypt --key-file ./keyfile

$ sudo cryptsetup status testcrypt
/dev/mapper/testcrypt is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/loop1
  loop:    /home/pi/luks2wip/file.img
  sector size:  512
  offset:  32768 sectors
  size:    172032 sectors
  mode:    read/write

$ lsblk /dev/loop1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop1         7:1    0  100M  0 loop
└─testcrypt 254:0    0   84M  0 crypt

Format with ext4, mount, test

$ sudo mkfs.ext4 /dev/mapper/testcrypt
$ sudo mkdir /mnt/testcrypt
$ sudo mount /dev/mapper/testcrypt /mnt/testcrypt
$ sudo umount /mnt/testcrypt

Unmount

$ sudo cryptsetup close testcrypt
$ file file.img
file.img: LUKS encrypted file, ver 2 [, , sha256] UUID: 3f01b422-6a29-4d58-a9f4-ffbe992790b6

Tamper and check

$ dd if=/dev/zero of=./file.img bs=1 seek=40M count=1
$ sudo cryptsetup open /dev/loop1 testcrypt --key-file ./keyfile
$ sudo fsck.ext4 -a /dev/mapper/testcrypt
$ sudo mount /dev/mapper/testcrypt /mnt/testcrypt

dm-integrity + dm-crypt


Create key and format, open using cryptsetup

$ dd if=/dev/urandom bs=32 count=1 of=./keyfile

$ sudo cryptsetup luksFormat --type luks2 /dev/loop2 --cipher aes-xts-plain64 --integrity hmac-sha256 --key-file ./keyfile --batch-mode

$ sudo cryptsetup open /dev/loop2 testintegcrypt --key-file ./keyfile

$ sudo cryptsetup status testintegcrypt
/dev/mapper/testintegcrypt is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 768 bits
  key location: keyring
  integrity: hmac(sha256)
  integrity keysize: 256 bits
  device:  /dev/loop2
  loop:    /home/pi/dm-integ-crypt/file.img
  sector size:  512
  offset:  0 sectors
  size:    160200 sectors
  mode:    read/write

$ lsblk /dev/loop2
NAME                 MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop2                  7:2    0  100M  0 loop
└─testintegcrypt_dif 254:1    0 78.2M  0 crypt
  └─testintegcrypt   254:2    0 78.2M  0 crypt

Format with ext4, mount, test

$ sudo mkfs.ext4 /dev/mapper/testintegcrypt
$ sudo mkdir /mnt/testintegcrypt
$ sudo mount /dev/mapper/testintegcrypt /mnt/testintegcrypt

Create a test file

$ sudo dd if=/dev/zero of=/mnt/testintegcrypt/zero bs=1M count=50
$ sudo hexdump /mnt/testintegcrypt/zero
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
3200000

Unmount

$ sudo umount /mnt/testintegcrypt
$ sudo cryptsetup close testintegcrypt

Tamper and check

$ dd if=/dev/random of=./file.img bs=1 seek=40M count=512

$ sudo cryptsetup open /dev/loop2 testintegcrypt --key-file ./keyfile

The 'corrupt' data isn't found until it is accessed

$ sudo fsck.ext4 -a /dev/mapper/testintegcrypt
Error reading block 32769 (Input/output error).

/dev/mapper/testintegcrypt: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.
        (i.e., without -a or -p options)

$ sudo mount /dev/mapper/testintegcrypt /mnt/testintegcrypt
$ sudo hexdump /mnt/testintegcrypt/zero
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
hexdump: /mnt/testintegcrypt/zero: Input/output error
0b38000


Monday, April 10, 2023

Yocto - building a dmverity/squashfs ro-rootfs

Configure the kernel with dm-verity support

$ bitbake linux-yocto -c kernel_configme -f
$ bitbake linux-yocto -c menuconfig

Using menuconfig select -

Device Drivers / Multiple device drivers support / Device Mapper Support / DM "dm-mod.create=" parameter support = [*]
Verity target support = [*]
Verity data device root hash signature verification support = [*]
Cryptographic API / Certificates for signature checking / Additional X.509 keys for default system keyring = ("${HOME}/keys/verity_cert.pem")

Generate a config fragment and check the content

$ bitbake linux-yocto -c diffconfig

$ cat tmp/work/qemux86_64-poky-linux/linux-yocto/*/fragment.cfg
CONFIG_DM_INIT=y
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_FEC is not set
CONFIG_SYSTEM_TRUSTED_KEYS="${HOME}/keys/verity_cert.pem"

$ mv 
tmp/work/qemux86_64-poky-linux/linux-yocto/*/fragment.cfg ../meta-mylayer/recipes-kernel/linux/linux-yocto/dmverity.cfg

Add a reference to the fragment in your kernel recipe - meta-mylayer/recipes-kernel/linux/linux-yocto_%.bbappend

SRC_URI += "file://dmverity.cfg"

Create the certificate

Parameter explanation
-nodes
No DES (i.e. don't encrypt the private key with Data Encryption Standard) 
-days
Specifies the number of days to make a certificate valid for. 
-set_serial
Specifies the serial number to use. 
In a certificate, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA.  
-subject
https://en.wikipedia.org/wiki/X.509#Sample_X.509_certificates

Command -
$ openssl req -x509 -newkey rsa:1024 -keyout verity_key.pem \
    -out verity_cert.pem -nodes -days 7300 -set_serial 01 -subject /CN=bugwhine.blogspot.com

Move them somewhere safe
$ mv verity_cert.pem ${HOME}/keys
$ mv verity_key.pem ${HOME}/keys

Build the kernel
$ bitbake linux-yocto -c clean
$ bitbake linux-yocto 

Confirm that it was configured correctly -
$ grep -i verity tmp/work/qemux86_64-poky-linux/linux-yocto/*/*/.config
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_FEC is not set
# CONFIG_FS_VERITY is not set
CONFIG_SYSTEM_TRUSTED_KEYS="${HOME}/keys/verity_cert.pem"

Setup yocto to generate verity metadata for the rootfs image

$ git clone git://git.yoctoproject.org/meta-security
$ cd meta-security
$ git checkout --track remotes/origin/dunfell
$ cd ..
$ git clone https://github.com/openembedded/meta-openembedded.git
$ git checkout --track remotes/origin/dunfell

Add these layers to conf/bblayers.conf -

  meta-security \
  meta-openembedded/meta-oe \
  meta-openembedded/meta-python \
  meta-openembedded/meta-networking \
  meta-openembedded/meta-perl \

Create a wic kickstart file (recipes-core/images/my-image-verity-wic.wks) containing -

part / --source rootfs --ondisk sda --fstype=squashfs
part /media/rfs/rw --ondisk sda --fstype=ext4 --label rwoverlay --size 100M
part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"

Create a new image recipe (recipes-core/images/my-image-verity-wic.bb) containing -

DESCRIPTION = "A console-only image with more full-featured Linux system \
functionality installed."

SRC_URI = "file://${FILE_DIRNAME}/${BPN}.wks"

IMAGE_FEATURES += "splash ssh-server-openssh"

IMAGE_INSTALL = "\
    packagegroup-core-boot \
    packagegroup-core-full-cmdline \
    ${CORE_IMAGE_EXTRA_INSTALL} \
    initscripts-readonly-rootfs-overlay \
    cryptsetup \
    "

DM_VERITY_IMAGE = "my-image-verity-wic"
DM_VERITY_IMAGE_TYPE = "squashfs"
IMAGE_CLASSES += "dm-verity-img"
IMAGE_FSTYPES = "squashfs squashfs.verity wic"

WICVARS_append = " DM_VERITY_IMAGE DM_VERITY_IMAGE_TYPE"

inherit core-image

WKS_FILE = "my-image.wks"

WKS_FILE_DEPENDS = "dosfstools-native mtools-native gptfdisk-native squashfs-tools-native"
WKS_FILE_DEPENDS_append_x86 = " syslinux-native syslinux"
WKS_FILE_DEPENDS_append_x86-64 = " syslinux-native syslinux"
WKS_FILE_DEPENDS_append_x86-x32 = " syslinux-native syslinux"

QB_KERNEL_CMDLINE_APPEND += "root=/dev/vda1 rootrw=/dev/vda2 rootrwoptions=rw,noatime init=/init"
QB_DEFAULT_FSTYPE = "wic"
QB_FSINFO = "wic:no-kernel-in-fs"
#QB_KERNEL_ROOT = "/dev/vda1"

Patch meta-security/classes/dm-verity-img.bbclass adding squashfs support -

VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity squashfs.verity"

Build and note the verity parameters needed to map it

$ bitbake my-image-verity-wic

$ cat tmp/work-shared/qemux86-64/dm-verity/my-image-verity-wic.squashfs.verity.env
UUID=abcab4c0-3187-4b91-bcb5-d804229456e2
HASH_TYPE=1
DATA_BLOCKS=26760
DATA_BLOCK_SIZE=1024
HASH_BLOCK_SIZE=4096
HASH_ALGORITHM=sha256
SALT=5ac714319ab03dfad686c5563dc78b3be03c802c0f62477a423a56148a32c417
ROOT_HASH=6b4478922104f14b6ca6f463dab26b9a4c653e6b2507e493cf2c95f687b19fc8
DATA_SIZE=27402240

Boot in qemu

At this stage we have both the original squashfs image, and squashfs image with verity metadata appended in partitions 1 and 3 of the wic image.

We boot the squashfs image first -

$ runqemu my-image-verity-wic nographic kvm

Poky (Yocto Project Reference Distro) 3.1.24 qemux86-64 ttyS0

qemux86-64 login: root
root@qemux86-64:~#
root@qemux86-64:~# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
hdc     22:0    1     4G  0 disk
vda    253:0    0 153.1M  0 disk
|-vda1 253:1    0  26.1M  0 part /media/rfs/ro
|-vda2 253:2    0   100M  0 part /media/rfs/rw
`-vda3 253:3    0    27M  0 part

Then map and mount it -

root@qemux86-64:~# veritysetup --data-block-size=1024 --hash-offset=27402240 open /dev/vda3 root /dev/vda3 \
>  6b4478922104f14b6ca6f463dab26b9a4c653e6b2507e493cf2c95f687b19fc8
root@qemux86-64:~# ls /dev/mapper/root
/dev/mapper/root
root@qemux86-64:~# mkdir /tmp/dmroot
root@qemux86-64:~# mount /dev/mapper/root /tmp/dmroot/
mount: /var/volatile/tmp/dmroot: WARNING: device write-protected, mounted read-only.
root@qemux86-64:~#

and confirm that it is readable

root@qemux86-64:~# file /tmp/dmroot/usr/sbin/veritysetup
/tmp/dmroot/usr/sbin/veritysetup: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-x86-64.so.2, BuildID[sha1]=8035280d420b22091cf8319d4ceda8e6d

Now we'll tamper with the image, reboot -

root@qemux86-64:~# dd if=/dev/zero of=/dev/vda3 bs=1024 skip=10 count=1
1+0 records in
1+0 records out
1024 bytes (1.0 kB, 1.0 KiB) copied, 0.00516249 s, 198 kB/s
root@qemux86-64:~# reboot

And check if we can remap/mount it -

root@qemux86-64:~#
root@qemux86-64:~# veritysetup --data-block-size=1024 --hash-offset=27402240 open /dev/vda3 root /dev/vda3 \
>  6b4478922104f14b6ca6f463dab26b9a4c653e6b2507e493cf2c95f687b19fc8
Verity device detected corruption after activation.
root@qemux86-64:~#
root@qemux86-64:~# dmesg |tail
[   46.457801] Buffer I/O error on dev dm-0, logical block 0, async page read
[   46.459131] device-mapper: verity: 253:3: data block 0 is corrupted
[   46.459468] device-mapper: verity: 253:3: data block 0 is corrupted
[   46.459475] Buffer I/O error on dev dm-0, logical block 0, async page read
[   46.461389] Buffer I/O error on dev dm-0, logical block 0, async page read
[   46.462957] Buffer I/O error on dev dm-0, logical block 0, async page read
[   46.465372] Buffer I/O error on dev dm-0, logical block 0, async page read
[   46.466989] Buffer I/O error on dev dm-0, logical block 0, async page read
[   46.468663] Buffer I/O error on dev dm-0, logical block 0, async page read
[   46.544350] device-mapper: verity: 253:3: reached maximum errors
root@qemux86-64:~#
root@qemux86-64:~# mkdir /tmp/dmroot
root@qemux86-64:~# mount /dev/mapper/root /tmp/dmroot/
mount: /var/volatile/tmp/dmroot: can't read superblock on /dev/mapper/root.
root@qemux86-64:~#

Note it complains about logical block 0 as I used 'skip=10' rather than 'seek=10' in my dd command.

As previously, the files are available at -


Next steps will be 
- signing and authenticating the root hash
- boot with authentication

Sunday, April 9, 2023

Yocto - read-only rootfs (squashfs) + ext4 overlay (qemu)

Experimenting with a qemu yocto build that models an Embedded system with a read-only rootfs, and writeable overlay.

Basic yocto setup

Clone git://git.yoctoproject.org/poky

Checkout dunfell branch

Clone https://github.com/marcusfolkesson/meta-readonly-rootfs-overlay.git

Update the compatibility in meta-readonly-rootfs-overlay/conf/layer.conf to match your poky branch

LAYERSERIES_COMPAT_readonly-rootfs-overlay = "honister kirkstone dunfell"

source oe-init-build-env

Add meta-readonly-rootfs-overlay to build/conf/bblayers.conf

Create own layer meta-mylayer (git@github.com:bugwhine/meta-mylayer.git)

and add to build/conf/bblayers.conf

Setup meta-mylayer/conf/layer.conf containing the boilerplate -

# We have a conf and classes directory, add to BBPATH
BBPATH .= ":${LAYERDIR}"

# We have recipes-* directories, add to BBFILES
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
            ${LAYERDIR}/recipes-*/*/*.bbappend"

BBFILE_COLLECTIONS += "mylayer"
BBFILE_PATTERN_mylayer = "^${LAYERDIR}/"
BBFILE_PRIORITY_mylayer = "5"
LAYERVERSION_mylayer = "4"
LAYERSERIES_COMPAT_mylayer = "dunfell"

Add squashfs support to the yocto kernel

$ bitbake linux-yocto -c kernel_configme -f
$ bitbake linux-yocto -c menuconfig

Use menuconfig to add squashfs support, and customize options as desired

$ bitbake linux-yocto -c diffconfig
$ mkdir -p meta-mylayer/recipes-kernel/linux
$ mv fragment.cfg ../meta-mylayer/recipes-kernel/linux/linux-yocto/squashfs.cfg

Create a bbappend file meta-mylayer/recipes-kernel/linux/linux-yocto_%.bbappend referencing the fragment

FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://squashfs.cfg"

Build the kernel 

$ bitbake linux-yocto

And confirm that the configuration is present

$ grep SQUASHFS `find tmp/work/qemux86_64-poky-linux/linux-yocto/ -name '.config'`
CONFIG_SQUASHFS=y
...
CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3

Setup an image (wic)

Create an image recipe meta-mylayer/recipes-core/images/my-image-wic.bb with content (based on core-image-full-cmdline)

DESCRIPTION = "A console-only image with more full-featured Linux system \
functionality installed."

SRC_URI = "file://${FILE_DIRNAME}/${BPN}.wks"

IMAGE_FEATURES += "splash ssh-server-openssh"

IMAGE_INSTALL = "\
    packagegroup-core-boot \
    packagegroup-core-full-cmdline \
    ${CORE_IMAGE_EXTRA_INSTALL} \
    initscripts-readonly-rootfs-overlay \
    "

IMAGE_FSTYPES = "wic"

inherit core-image

WKS_FILE = "my-image-wic.wks"

WKS_FILE_DEPENDS = "dosfstools-native mtools-native gptfdisk-native squashfs-tools-native"
WKS_FILE_DEPENDS_append_x86 = " syslinux-native syslinux"
WKS_FILE_DEPENDS_append_x86-64 = " syslinux-native syslinux"
WKS_FILE_DEPENDS_append_x86-x32 = " syslinux-native syslinux"

QB_KERNEL_CMDLINE_APPEND += "root=/dev/vda1 rootrw=/dev/vda2 rootrwoptions=rw,noatime init=/init"
QB_DEFAULT_FSTYPE = "wic"
QB_FSINFO = "wic:no-kernel-in-fs"
#QB_KERNEL_ROOT = "/dev/vda1"

Create the wks (wick kickstart script) meta-mylayer/recipes-core/images/my-image-wic.wks with content - 

part / --source rootfs --ondisk sda --fstype=squashfs --align 1024
part /media/rfs/rw --ondisk sda --fstype=ext4 --label rwoverlay --size 100M

Build and run

$ bitbake my-image-wic
...
$ runqemu my-image-wic nographic kvm
...
Booting from ROM...
[    0.000000] Linux version 5.4.230-yocto-standard (oe-user@oe-host) (gcc version 9.5.0 (GCC)) #1 SMP PREEMPT Wed Feb 1 15:40:31 UTC 2023
[    0.000000] Command line: root=/dev/vda rw  console=ttyS0 mem=256M ip=192.168.7.2::192.168.7.1:255.255.255.0 oprofile.timer=1 root=/dev/vda1 rootrw=/dev/vda2 rootrwoptions=rw,noatime init=/ini
...
Poky (Yocto Project Reference Distro) 3.1.24 qemux86-64 ttyS0

qemux86-64 login: root

Check the rootfs mounts  

root@qemux86-64:~# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
hdc     22:0    1     4G  0 disk
vda    253:0    0 126.3M  0 disk
|-vda1 253:1    0  25.3M  0 part /media/rfs/ro
`-vda2 253:2    0   100M  0 part /media/rfs/rw

root@qemux86-64:~# cat /proc/mounts
...
/dev/root /media/rfs/ro squashfs ro,relatime 0 0
/dev/vda2 /media/rfs/rw ext4 rw,noatime 0 0
overlay / overlay rw,relatime,lowerdir=/media/rfs/ro,upperdir=/media/rfs/rw/upperdir,workdir=/media/rfs/rw/work 0 0
...

Confirm that the overlay is working

root@qemux86-64:~# touch /etc/aaa
root@qemux86-64:~# ls /media/rfs/rw/upperdir/etc/aaa
/media/rfs/rw/upperdir/etc/aaa
root@qemux86-64:~# ls /media/rfs/ro/etc/aaa
ls: cannot access '/media/rfs/ro/etc/aaa': No such file or directory


Wednesday, April 1, 2020

TP-Link TL WN823N on Raspberry Pi 2B

Although this page  -
https://elinux.org/RPi_USB_Wi-Fi_Adapters
states -
TL-WN823N Works out of box on Raspian using powered USB Hub

For me, although it was identified on USB, wlan0 did not exist.

The procedure from -
https://www.raspberrypi.org/forums/viewtopic.php?p=462982#p462982

resolved it, such that
pi@raspberrypi:~ $ dmesg |grep -E "8192eu|wlan"
[    6.130806] 8192eu: loading out-of-tree module taints kernel.
[    6.282145] RTL871X: rtl8192eu v4.4.1_17696.20160509_BTCOEX20160412-0042
[    6.282164] RTL871X: rtl8192eu BT-Coex version = BTCOEX20160412-0042
[    6.417300] RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=50:3e:aa:86:9d:85
[    6.419838] usbcore: registered new interface driver rtl8192eu
[   11.433648] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   20.945234] RTL871X: rtw_set_802_11_connect(wlan0)  fw_state=0x00000008
[   22.527221] RTL871X: rtw_cfg80211_indicate_connect(wlan0) BSS not found !!
[   23.053309] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready

pi@raspberrypi:~ $ lsusb
Bus 001 Device 004: ID 2357:0109 TP-Link TL WN823N RTL8192EU

pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.19.113-v7+ #1300 SMP Thu Mar 26 16:53:09 GMT 2020 armv7l GNU/Linux
pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Sunday, September 8, 2019

Docker Toolbox (on Windows) cheatsheet

Start with an empty ubuntu container

$ docker run -t -i ubuntu /bin/bash
$ exit

Commit it to a new image
$ docker commit d1dbe5528e65 commitrunning

Open VirtualBox, to configure shared drives

Setup a shared folder named 'd' with path 'd:\"
In the (Linux) shell (docker@default) give the commands
docker@default:~$ sudo mkdir /d
docker@default:~$ sudo mount -t vboxsf d /d

Add the volume to the image

$ docker run -ti -v //d/repo/:/repo commitrunning /bin/bash

Display containers

$ docker ps -a

Display images

$ docker image ls

Display dockerfile for container

$ docker container inspect unruffled_shtern

About dockerfiles, containers, images

https://blog.octo.com/en/docker-registry-first-steps/

Connect to running container

$ docker exec -it unruffled_shtern /bin/bash