-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Qubes fwupd upstream #834
base: master
Are you sure you want to change the base?
Qubes fwupd upstream #834
Conversation
@macpijan Heads is versioned per commit ID (as of now) which is inserted at build time under /etc/config Let me know if we should change something |
@macpijan I see that the script searches for a ROM inside a known path. Normal boot codepath entry point for /boot integrity validation verify_global_hashes() local fonction check_config imported global fonction So that if a new firmware is dropped in path, verify_global_hashes could see that the past ROM that was user signed changed, and then check ROM signature against heads imported distinguished distro key (oem_distro_keys instead)? |
@tlaurion Currently we are parsing the Heads version from the Currently, the qubes-fwupd is looking for the line:
The version number is set in the LOCALVERSION variable. If there is no version tag, it assumes that bios is older than the one that exists in the lvfs.
In our case, the easiest to handle would be some release cycle with the version numbers. Every release should be uploaded to the lvfs. |
@Asiderr can you pinpoint to experts, documentation so that we can move this forward? My understanding here is that we have to change heads rolling release to a commited time based release, where CircleCI would need to push artifacts back into github, where measured matching (reproducible hashes for different hosts/OS builds) builds would be pushed. I have no idea right now how to push that change forward, and do not have the rights over Heads repo to do such changes where @osresearch didn't replied to messages sent over slack on the matter after the opening of that PR. Intuition says that changing manually the version under coreboot config for each board is not the way to go.
Opened an issue a long time ago on that matter. Will edit when found again. |
@Asiderr I also understand that (actions needed, in short)
|
The latest documentation about the heads update can be found here: Here is the class that handles the heads update process:
You're right, it should be automated somehow.
The source code of the wrapper should be placed in the fwupd/fwupd repo.
That's right. |
You do the PRs? |
@tlaurion We're discussing the way of the upstream now: |
@Asiderr important question on FWUPD #859 (comment) |
So following merge of https://github.com/osresearch/heads/pull/859/files#diff-18936189b28399cf48703d0c1ec1df33e57c559de2a12f4438be00e6813bdb68R40-R41 We now have, injected in coreboot config automatically for each built board: And the filenames for final produced rom images can be seen, and downloaded for testing of FWUPD usage of CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME here in ~2 hours from now (since heads modules changes, triggering a new CicrlceCI build only on musl-cross-make CircleCi cache) Any comment?
|
@tlaurion Naming and versioning look fine and I'll include the changes in the wrapper.
For testing purposes, I'll put manually the cabinet archives on the LVFS. But it's temporary and we have to ask @hughsie if there is any possibility to automate the upload process (I don't see any information in the documentation on this topic). |
We have robot users that are able to upload automatically; Dell uses this to automate firmware being uploaded to the LVFS as it's built in their pipeline. https://gitlab.com/fwupd/lvfs-website/-/blob/master/contrib/example.py has an example upload if that helps. |
@macpijan Any news? |
@tlaurion Sorry for the delay. Our plan is to go back to it next week and finish by the end of the year. |
@macpijan any updates and links would be greatly appreciated! |
@Asiderr Please provide links |
@tlaurion @macpijan The qubes-wrapper has been merged recently in the fwupd tree: |
@Asiderr @macpijan There is QubesOS/qubes-issues#6792 blocking while a test rom seem to resolve all sandy/ivy bridge issues. I now have a testing platform to test QubesOS 4.1 deployment on. Contacted @osresearch to have current Heads repo on a release, with binaries coming from CircleCI uploaded to that github release following https://circleci.com/blog/publishing-to-github-releases-via-circleci/ |
Ping @osresearch |
8f4051c
to
a7d216b
Compare
Signed-off-by: Norbert Kamiński <[email protected]>
a7d216b
to
97851b9
Compare
@tlaurion I updated I created a Qubes OS CI in fwupd that generates binary packages, and we are currently discussing the possibility of upstreaming to YUM and APT (fwupd/fwupd#4744). The last thing we need to think about is the release process of the Heads. The Heads binaries must be uploaded to the LFVS. |
Can you use the API? https://lvfs.readthedocs.io/en/latest/upload.html#automatic-uploads |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Asiderr: some concerns about content of updates dir and lack of verification of that content prior of proposing end-user for firmware upgrades
# check if fwupd updates exist | ||
if ls /boot/updates/*/*.rom > /dev/null 2>&1; then | ||
if (whiptail --title 'Flash the BIOS with a new ROM' \ | ||
--yesno "A ROM detected in the /boot/updates directory.\n\nDo you want to proceed?" 16 90) then | ||
find /boot/updates ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question from what will be dropped under /boot/updates//
- Do we have a hashes.txt coming from the builds?
- Is that hashes.txt detached signed with OEM key and provided as well?
- Should we think of adding a OEM directory to add public keys under OEM directory?
- Should we add validation prior of proposing the ROM to the user and only propose if valid?
- The same logic then booting from ISO could easily be borrowed here, where ISO is validated against a seperate
gpg --home=
instance relative to known distro keys
Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Otherwise, any rom being dropped under /boot/updates would be considered a valid firmware update.
@MrChromebox
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Otherwise, any rom being dropped under /boot/updates would be considered a valid firmware update.
@MrChromebox
that's really no different from what we do now from USB
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MrChromebox well, right now upgrading from USB considered intentional. Now anything pushing updates to that directory would leave user thinking that firmware is authentic and valid and would prompt the user to flash without further validation from Heads.
Implementation on the Heads side isn't completed yet, so stable release can't be updated yet. There is a work in progress version at linuxboot/heads#834. So, add a note that it isn't fully supported yet. Signed-off-by: Marek Marczykowski-Górecki <[email protected]>
Implementation on the Heads side isn't completed yet, so stable release can't be updated yet. There is a work in progress version at linuxboot/heads#834. So, add a note that it isn't fully supported yet. Signed-off-by: Marek Marczykowski-Górecki <[email protected]>
Implementation on the Heads side isn't completed yet, so stable release can't be updated yet. There is a work in progress version at linuxboot/heads#834. So, add a note that it isn't fully supported yet. Signed-off-by: Marek Marczykowski-Górecki <[email protected]>
Implementation on the Heads side isn't completed yet, so stable release can't be updated yet. There is a work in progress version at linuxboot/heads#834. So, add a note that it isn't fully supported yet. Signed-off-by: Marek Marczykowski-Górecki <[email protected]>
Implementation on the Heads side isn't completed yet, so stable release can't be updated yet. There is a work in progress version at linuxboot/heads#834. So, add a note that it isn't fully supported yet. Signed-off-by: Marek Marczykowski-Górecki <[email protected]>
Implementation on the Heads side isn't completed yet, so stable release can't be updated yet. There is a work in progress version at linuxboot/heads#834. So, add a note that it isn't fully supported yet. Signed-off-by: Marek Marczykowski-Górecki <[email protected]>
Implementation on the Heads side isn't completed yet, so stable release can't be updated yet. There is a work in progress version at linuxboot/heads#834. So, add a note that it isn't fully supported yet. Signed-off-by: Marek Marczykowski-Górecki <[email protected]>
@tlaurion
How is heads currently versioned? In the QubesOS script https://github.com/3mdeb/qubes-fwupd/blob/master/src/qubes_fwupd_heads.py#L91 we check for the current version and want to download an update from LVFS only if the version is more recent. We can see that the latest tag is from 2017 though. We have used the LOCALVERSION field to inert the version information for testing purposes.
The Python script drops the update file to the boot partition. Then, the flash-gui.sh script was extended to look for updates there in the first place.
The update process is described here: https://github.com/3mdeb/qubes-fwupd/blob/master/doc/heads_udpate.md