Add channel and per-channel signing

.gitignore

@@ -1,3 +1,5 @@
 build/
 bitbake-cookerdaemon.log
 *~
+*.priv
+*.pub

meta-citadel/classes/citadel-image.bbclass

@@ -1,35 +1,77 @@
 
 DEPENDS:append = " citadel-tools-native mtools-native cryptsetup-native coreutils-native"
 
+inherit image
+require conf/distro/citadel-distro.conf
+
 # Block size must be 4096 or dm-verity won't work
 EXTRA_IMAGECMD:ext4 = "-i 4096 -b 4096"
 IMAGE_FSTYPES = "ext4"
 IMAGE_OVERHEAD_FACTOR = "1.2"
 
-inherit image
 
-CITADEL_IMAGE_CHANNEL ??= "dev"
+python () {
+    import os
+    import re
+    import bb
+
+    recipe_file = d.getVar('FILE')
+    if recipe_file is None:
+        bb.fatal("FILE variable is not set. This indicates a problem with the build environment.")
+
+    # Derive layerdir from recipe_file
+    # recipe_file is something like /home/builder/citadel/poky/../meta-citadel/recipes-citadel/images/base-realmfs-image.bb
+    # We need to get /home/builder/citadel/meta-citadel
+    meta_citadel_index = recipe_file.find('meta-citadel')
+    if meta_citadel_index == -1:
+        bb.fatal("Could not find 'meta-citadel' in recipe file path.")
+    layerdir = os.path.abspath(recipe_file[:meta_citadel_index + len('meta-citadel')])
+
+    # Manually parse citadel-distro.conf to get CITADEL_CHANNEL
+    citadel_distro_conf_path = os.path.join(layerdir, 'conf', 'distro', 'citadel-distro.conf')
+    citadel_channel = None
+    try:
+        with open(citadel_distro_conf_path, 'r') as f:
+            for line in f:
+                match = re.match(r'CITADEL_CHANNEL\s*=\s*"(.*)"', line)
+                if match:
+                    citadel_channel = match.group(1)
+                    break
+    except FileNotFoundError:
+        bb.fatal(f"citadel-distro.conf not found at {citadel_distro_conf_path}")
+
+    if citadel_channel is None:
+        bb.fatal(f"CITADEL_CHANNEL not found in {citadel_distro_conf_path}. Please ensure it is set.")
+
+    private_key_path = os.path.join(layerdir, 'recipes-citadel', 'citadel-keys', 'files', citadel_channel + '.priv')
+    d.setVar('PRIVATE_KEY_PATH_ABS', private_key_path)
+}
+
+CITADEL_CHANNEL ??= "dev"
 CITADEL_IMAGE_COMPRESS ??= "true"
 
 do_citadel_mkimage() {
+    set -x
     cat > ${B}/mkimage.conf << EOF
 image-type = "${CITADEL_IMAGE_TYPE}"
-channel = "${CITADEL_IMAGE_CHANNEL}"
-version = ${CITADEL_IMAGE_VERSION}
+channel = "${CITADEL_CHANNEL}"
+version = "${CITADEL_IMAGE_VERSION}"
 timestamp = "${DATETIME}"
 source = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.ext4"
 compress = ${CITADEL_IMAGE_COMPRESS}
 EOF
-
-    ver=$(printf "%03d" ${CITADEL_IMAGE_VERSION})
+    if [ "${CITADEL_CHANNEL}" != "dev" ]; then
+        echo 'private-key-path = "${PRIVATE_KEY_PATH_ABS}"' >> ${B}/mkimage.conf
+    fi
+    ver=${CITADEL_IMAGE_VERSION}
 
     if [ "${CITADEL_IMAGE_TYPE}" = "kernel" ]; then
         KERNEL_ID=$(generate_kernel_id)
         echo "kernel-version = \"${CITADEL_KERNEL_VERSION}\"" >> ${B}/mkimage.conf
         echo "kernel-id = \"${KERNEL_ID}\"" >> ${B}/mkimage.conf
-        fname="citadel-kernel-${CITADEL_KERNEL_VERSION}-${CITADEL_IMAGE_CHANNEL}-${ver}.img"
+        fname="citadel-kernel-${CITADEL_KERNEL_VERSION}-${CITADEL_CHANNEL}-${ver}.img"
     else
-        fname="citadel-${CITADEL_IMAGE_TYPE}-${CITADEL_IMAGE_CHANNEL}-${ver}.img"
+        fname="citadel-${CITADEL_IMAGE_TYPE}-${CITADEL_CHANNEL}-${ver}.img"
     fi
     citadel-mkimage ${B}
     mv ${B}/${fname} ${IMGDEPLOYDIR}
@@ -38,6 +80,7 @@ EOF
 addtask do_citadel_mkimage after do_image_ext4 before do_image_complete
 do_citadel_mkimage[cleandirs] = "${B}"
 do_citadel_mkimage[vardepsexclude] = "DATETIME"
+do_citadel_mkimage[vardeps] += "CITADEL_CHANNEL"
 
 IMAGE_POSTPROCESS_COMMAND += " generate_shasum_buildhistory ;"
 

meta-citadel/conf/distro/citadel-distro.conf

@@ -46,3 +46,14 @@ INHERIT += "buildhistory"
 PREFERRED_RPROVIDER_libdevmapper-native = "libdevmapper-native"
 
 require conf/distro/include/security_flags.inc
+
+# --- Citadel Update Configuration ---
+# Single source of truth for update client, channel, and component versions.
+CITADEL_CLIENT = "public"
+CITADEL_CHANNEL = "dev"
+CITADEL_PUBLISHER = "Subgraph"
+
+CITADEL_ROOTFS_VERSION = "0.1.0"
+CITADEL_KERNEL_VERSION = "6.14.0"
+CITADEL_EXTRA_VERSION = "0.1.0"
+CITADEL_REALMFS_VERSION = "0.1.0"

meta-citadel/conf/templates/default/local.conf.sample

@@ -290,9 +290,3 @@ CONF_VERSION = "2"
 #
 # CITADEL_GNOME_SHELL_PATH = "/home/user/citadel-gnome/gnome-shell"
 # CITADEL_MUTTER_PATH = "/home/user/citadel-gnome/mutter"
-#
-
-#
-# Uncomment to include tpm2-tools package in Citadel rootfs image
-#
-#INCLUDE_TPM2_TOOLS = "1"

meta-citadel/recipes-citadel/bbappends/iptables/iptables.rules

@@ -6,4 +6,5 @@
 -A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
 -A OUTPUT -p udp -m owner --uid-owner systemd-timesync -j ACCEPT
 -A OUTPUT -j LOG --log-uid --log-prefix 'iptables'
+-A OUTPUT -p tcp -m owner --uid-owner citadel-tool --dports 443 -j ACCEPT
 COMMIT

meta-citadel/recipes-citadel/bbappends/systemd_%.bbappend

@@ -10,7 +10,6 @@ GROUPADD_PARAM:${PN} += "-r wheel; -r kvm; -r render"
 PACKAGECONFIG = "\
     efi acl ldconfig pam rfkill backlight binfmt hostnamed localed logind machined myhostname \
     nss polkit randomseed seccomp timedated utmp timesyncd kmod sysusers gshadow cryptsetup \
-    tpm2 repart openssl \
 "
 
 # This is to avoid deletion of tmp.mount

meta-citadel/recipes-citadel/bbappends/tpm2-tools_%.bbappend

@@ -1,2 +0,0 @@
-
-DEPENDS = "tpm2-tss openssl curl efivar"

meta-citadel/recipes-citadel/citadel-config/citadel-config.bb

@@ -27,6 +27,8 @@ UDEV_RULES = "\
     file://udev/udisks2-hide.rules \
 "
 DEFAULT_PASSWORD = "\
+    file://citadel-create-config.sh \
+    file://systemd/citadel-create-config.service \
     file://citadel-setpassword.sh \
     file://systemd/citadel-setpassword.service \
 "
@@ -60,7 +62,9 @@ SRC_URI = "\
     file://apt-cacher-ng/acng.conf \
     file://apt-cacher-ng/security.conf \
     file://iwd/main.conf \
+    file://citadel-fetch/update_server_key.pub \
     file://pulse/cookie \
+    file://citadel.conf.in \
     ${DEFAULT_REALM_UNITS} \
     ${MODPROBE_CONFIG} \
     ${SYSCTL_CONFIG} \
@@ -77,7 +81,7 @@ RDEPENDS:${PN} = "bash"
 
 inherit allarch systemd useradd
 
-SYSTEMD_SERVICE:${PN} = "zram-swap.service citadel-launch-default-realm.path x11-session-switcher.service citadel-installer-backend.service installer-session-switcher.service citadel-setpassword.service watch-resolvconf.service watch-resolvconf.path"
+SYSTEMD_SERVICE:${PN} = "zram-swap.service citadel-launch-default-realm.path x11-session-switcher.service citadel-installer-backend.service installer-session-switcher.service citadel-setpassword.service watch-resolvconf.service watch-resolvconf.path citadel-create-config.service"
 
 do_install() {
     install -m 0755 -d ${D}/storage
@@ -124,6 +128,9 @@ do_install() {
     install -m 644 ${UNPACKDIR}/systemd/watch-resolvconf.service ${D}${systemd_system_unitdir}
     install -m 644 ${UNPACKDIR}/systemd/watch-resolvconf.path ${D}${systemd_system_unitdir}
 
+    install -m 644 ${UNPACKDIR}/systemd/citadel-create-config.service ${D}${systemd_system_unitdir}
+    install -m 0754 ${UNPACKDIR}/citadel-create-config.sh ${D}${libexecdir}
+
     install -m 644 ${UNPACKDIR}/systemd/citadel-setpassword.service ${D}${systemd_system_unitdir}
     install -m 0754 ${UNPACKDIR}/citadel-setpassword.sh ${D}${libexecdir}
     install -d ${D}${systemd_user_unitdir}/gnome-session@citadel-installer.target.d
@@ -174,6 +181,9 @@ do_install() {
 
     install -m 0644 ${UNPACKDIR}/iwd/main.conf ${D}${sysconfdir}/iwd/
 
+    install -d ${D}${sysconfdir}/citadel
+    install -m 0644 ${UNPACKDIR}/citadel-fetch/update_server_key.pub ${D}${sysconfdir}/citadel/
+
     install -d ${D}${datadir}/apt-cacher-ng/conf
     install -m 0644 ${UNPACKDIR}/apt-cacher-ng/acng.conf ${D}${datadir}/apt-cacher-ng/conf/
     install -m 0644 ${UNPACKDIR}/apt-cacher-ng/security.conf ${D}${datadir}/apt-cacher-ng/conf/
@@ -186,6 +196,13 @@ do_install() {
     ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/etc.conf
     ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/home.conf
 
+    # Process citadel.conf.in template
+    install -d ${D}${datadir}/factory/storage/citadel-state
+    sed -e 's/@CITADEL_CLIENT@/${CITADEL_CLIENT}/g' \
+        -e 's/@CITADEL_CHANNEL@/${CITADEL_CHANNEL}/g' \
+        -e 's/@CITADEL_PUBLISHER@/${CITADEL_PUBLISHER}/g' \
+        < ${UNPACKDIR}/citadel.conf.in > ${D}${datadir}/factory/storage/citadel-state/citadel.conf
+
     install -d ${D}${datadir}/themes
     install -d ${D}${datadir}/icons
     install -d ${D}${libdir}/modules

meta-citadel/recipes-citadel/citadel-config/citadel-config/citadel-create-config.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+CONFIG_FILE="/storage/citadel-state/citadel.conf"
+FACTORY_CONFIG_FILE="/usr/share/factory/storage/citadel-state/citadel.conf"
+
+if [ ! -f "${CONFIG_FILE}" ]; then
+    if [ -f "${FACTORY_CONFIG_FILE}" ]; then
+        cp "${FACTORY_CONFIG_FILE}" "${CONFIG_FILE}"
+        chmod 0644 "${CONFIG_FILE}"
+    fi
+fi

meta-citadel/recipes-citadel/citadel-config/citadel-config/citadel.conf.in

@@ -0,0 +1,7 @@
+# Citadel OS Configuration
+# This file contains persistent settings for the OS.
+# It is generated from a template during the Yocto build.
+
+CITADEL_CLIENT="@CITADEL_CLIENT@"
+CITADEL_CHANNEL="@CITADEL_CHANNEL@"
+CITADEL_PUBLISHER="@CITADEL_PUBLISHER@"

meta-citadel/recipes-citadel/citadel-config/citadel-config/systemd/citadel-create-config.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Create Citadel config file from factory default
+ConditionPathExists=!/storage/citadel-state/citadel.conf
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/citadel-create-config.sh
+
+[Install]
+WantedBy=multi-user.target

meta-citadel/recipes-citadel/citadel-config/files/citadel-fetch/update_server_key.pub

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+BLABLABLABLABLABLABLABLABLABLA
+-----END PUBLIC KEY-----

meta-citadel/recipes-citadel/citadel-keys/citadel-keys.bb

@@ -0,0 +1,26 @@
+SUMMARY = "Installs the single public key for Citadel image verification"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+PV = "1.0"
+
+NO_STAGING_AREA = "1"
+
+# S = "${WORKDIR}"
+
+# SRC_URI is still needed for dependency tracking
+
+FILES:${PN} += "/usr/share/citadel/keys/"
+
+do_install() {
+    if [ -f "${THISDIR}/files/dev.pub" ] || [ -f "${THISDIR}/files/dev.priv" ]; then
+        bbfatal "dev.pub or dev.priv should not exist. The dev channel must not have a pre-set key."
+    fi
+    install -d ${D}/usr/share/citadel/keys/
+    if [ "${CITADEL_CHANNEL}" != "dev" ]; then
+        KEY_FILE="${THISDIR}/files/${CITADEL_CHANNEL}.pub"
+        if [ ! -f "${KEY_FILE}" ]; then
+            bbfatal "Public key for channel '${CITADEL_CHANNEL}' not found at ${KEY_FILE}"
+        fi
+        install -m 0644 "${KEY_FILE}" ${D}/usr/share/citadel/keys/${CITADEL_CHANNEL}.pub
+    fi
+}

meta-citadel/recipes-citadel/citadel-realms/citadel-realms.bb

@@ -3,7 +3,7 @@ LICENSE="CLOSED"
 SRC_URI = "gitsm://git.subgraph.com/brl/citadel-realms.git;protocol=https;branch=master"
 
 PV = "1.0"
-SRCREV = "2270a3e7b35add1d9155017525251a72228a84ad"
+SRCREV = "ab78839ae43bf0d225e05d736b03bc2a08330d1f"
 
 S = "${WORKDIR}/git"
 

meta-citadel/recipes-citadel/images/base-realmfs-image.bb

@@ -7,32 +7,75 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit deploy
 require citadel-image.inc
+require conf/distro/citadel-distro.conf
 
 REALMFS_DIR = "${TOPDIR}/realmfs"
-CITADEL_IMAGE_VERSION = "1"
+CITADEL_IMAGE_VERSION = "${CITADEL_REALMFS_VERSION}"
+python () {
+    import os
+    import re
+    import bb
+
+    recipe_file = d.getVar('FILE')
+    if recipe_file is None:
+        bb.fatal("FILE variable is not set. This indicates a problem with the build environment.")
+
+    # Derive layerdir from recipe_file
+    # recipe_file is something like /home/builder/citadel/poky/../meta-citadel/recipes-citadel/images/base-realmfs-image.bb
+    # We need to get /home/builder/citadel/meta-citadel
+    meta_citadel_index = recipe_file.find('meta-citadel')
+    if meta_citadel_index == -1:
+        bb.fatal("Could not find 'meta-citadel' in recipe file path.")
+    layerdir = os.path.abspath(recipe_file[:meta_citadel_index + len('meta-citadel')])
+
+    # Manually parse citadel-distro.conf to get CITADEL_CHANNEL
+    citadel_distro_conf_path = os.path.join(layerdir, 'conf', 'distro', 'citadel-distro.conf')
+    citadel_channel = None
+    try:
+        with open(citadel_distro_conf_path, 'r') as f:
+            for line in f:
+                match = re.match(r'CITADEL_CHANNEL\s*=\s*"(.*)"', line)
+                if match:
+                    citadel_channel = match.group(1)
+                    break
+    except FileNotFoundError:
+        bb.fatal(f"citadel-distro.conf not found at {citadel_distro_conf_path}")
+
+    if citadel_channel is None:
+        bb.fatal(f"CITADEL_CHANNEL not found in {citadel_distro_conf_path}. Please ensure it is set.")
+
+    private_key_path = os.path.join(layerdir, 'recipes-citadel', 'citadel-keys', 'files', citadel_channel + '.priv')
+    d.setVar('PRIVATE_KEY_PATH_ABS', private_key_path)
+}
+
+
 do_realmfs_mkimage() {
     cat > ${B}/mkimage.conf << EOF
 image-type = "realmfs"
-channel = "${CITADEL_IMAGE_CHANNEL}"
-version = 1
+channel = "${CITADEL_CHANNEL}"
+version = "${CITADEL_IMAGE_VERSION}"
 timestamp = "${DATETIME}"
 source = "${REALMFS_DIR}/citadel-realmfs.ext4"
 realmfs-name = "base"
 compress = true
+private-key-path = "${PRIVATE_KEY_PATH_ABS}"
 EOF
     citadel-mkimage ${B}
 }
 
+
 addtask do_realmfs_mkimage after do_configure before do_build
 do_realmfs_mkimage[vardepsexclude] = "DATETIME"
+do_realmfs_mkimage[vardeps] += "CITADEL_CHANNEL"
 do_realmfs_mkimage[cleandirs] = "${B}"
 
 do_deploy() {
-    ver=$(printf "%03d" ${CITADEL_IMAGE_VERSION})
-    fname="citadel-realmfs-${CITADEL_IMAGE_CHANNEL}-${ver}.img"
+    ver=${CITADEL_IMAGE_VERSION}
+    fname="citadel-realmfs-${CITADEL_CHANNEL}-${ver}.img"
     install -m 644 -T ${B}/${fname} ${DEPLOYDIR}/base-realmfs.img
 }
 addtask do_deploy after do_realmfs_mkimage before do_build
+do_deploy[vardeps] += "CITADEL_CHANNEL"
 
 do_fetch[noexec] = "1"
 do_unpack[noexec] = "1"

meta-citadel/recipes-citadel/images/citadel-extra-image.bb

@@ -14,7 +14,7 @@ PACKAGE_INSTALL = "\
     adwaita-icon-theme-symbolic \
 "
 
-CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_extra}"
+CITADEL_IMAGE_VERSION = "${CITADEL_EXTRA_VERSION}"
 CITADEL_IMAGE_TYPE = "extra"
 
 require citadel-image.inc

meta-citadel/recipes-citadel/images/citadel-image.inc

@@ -1,10 +1,3 @@
-
-CITADEL_IMAGE_CHANNEL = "dev"
-
-CITADEL_IMAGE_VERSION_rootfs = "1"
-CITADEL_IMAGE_VERSION_extra = "1"
-CITADEL_IMAGE_VERSION_kernel = "1"
-
 CITADEL_KERNEL_VERSION = "6.14.0"
 
 CITADEL_KERNEL_CONFIG = "${COREBASE}/../meta-citadel/recipes-kernel/citadel-kernel/files/defconfig"

meta-citadel/recipes-citadel/images/citadel-installer-image.bb

@@ -53,9 +53,9 @@ install_syslinux_files() {
 
 install_image_files() {
     install -d ${IMAGE_ROOTFS}/images
-    install_resource_image "rootfs" ${CITADEL_IMAGE_VERSION_rootfs}
-    install_resource_image "extra" ${CITADEL_IMAGE_VERSION_extra}
-    install_resource_image "kernel" ${CITADEL_IMAGE_VERSION_kernel}
+    install_resource_image "rootfs" ${CITADEL_ROOTFS_VERSION}
+    install_resource_image "extra" ${CITADEL_EXTRA_VERSION}
+    install_resource_image "kernel" ${CITADEL_KERNEL_VERSION}
     install ${DEPLOY_DIR_IMAGE}/base-realmfs.img ${IMAGE_ROOTFS}/images/
 }
 
@@ -95,13 +95,13 @@ EOF
 }
 
 install_resource_image() {
-    version=$(printf "%03d" ${2})
+    version=${2}
 
     if [ "${1}" = "kernel" ]; then
-        src_fname="citadel-kernel-${CITADEL_KERNEL_VERSION}-${CITADEL_IMAGE_CHANNEL}-${version}.img"
+        src_fname="citadel-kernel-${CITADEL_KERNEL_VERSION}-${CITADEL_CHANNEL}-${version}.img"
         dst_fname="citadel-kernel-${CITADEL_KERNEL_VERSION}.img"
     else
-        src_fname="citadel-${1}-${CITADEL_IMAGE_CHANNEL}-${version}.img"
+        src_fname="citadel-${1}-${CITADEL_CHANNEL}-${version}.img"
         dst_fname="citadel-${1}.img"
     fi
 

meta-citadel/recipes-citadel/images/citadel-kernel-image.bb

@@ -3,7 +3,7 @@ LICENSE = "MIT"
 
 PACKAGE_INSTALL = "kernel-modules"
 
-CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_kernel}"
+CITADEL_IMAGE_VERSION = "${CITADEL_KERNEL_VERSION}"
 CITADEL_IMAGE_TYPE = "kernel"
 
 require citadel-image.inc

meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb

@@ -2,6 +2,7 @@
 SUMMARY = "Subgraph OS Citadel image builder"
 LICENSE = "MIT"
 
+
 SYSTEMD_DEFAULT_TARGET = "graphical.target"
 
 ROOTFS_POSTPROCESS_COMMAND += "set_disable_root_password; symlink_lib64; setup_var; append_os_release;"
@@ -11,7 +12,7 @@ IMAGE_INSTALL += "\
     packagegroup-citadel \
 "
 
-CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_rootfs}"
+CITADEL_IMAGE_VERSION = "${CITADEL_ROOTFS_VERSION}"
 CITADEL_IMAGE_TYPE = "rootfs"
 
 require citadel-image.inc
@@ -54,8 +55,9 @@ setup_var() {
 }
 
 append_os_release() {
-    echo "CITADEL_CHANNEL=\"${CITADEL_IMAGE_CHANNEL}\"" >> ${IMAGE_ROOTFS}/etc/os-release
-    echo "CITADEL_ROOTFS_VERSION=\"${CITADEL_IMAGE_VERSION_rootfs}\"" >> ${IMAGE_ROOTFS}/etc/os-release
+    echo "CITADEL_CHANNEL=\"${CITADEL_CHANNEL}\"" >> ${IMAGE_ROOTFS}/etc/os-release
+    echo "CITADEL_ROOTFS_VERSION=${CITADEL_ROOTFS_VERSION}" >> ${IMAGE_ROOTFS}/etc/os-release
+    echo "PRETTY_NAME=\"Citadel ${DISTRO_VERSION}\"" >> ${IMAGE_ROOTFS}/etc/os-release
 }
 
 do_rm_var_link() {

meta-citadel/recipes-citadel/packagegroups/packagegroup-citadel-base.bb

@@ -16,6 +16,7 @@ BASH_COMPLETION = "\
 RDEPENDS:${PN} = "\
     keyutils \
     citadel-config \
+    citadel-keys \
     base-files \
     base-passwd \
     systemd \

meta-citadel/recipes-citadel/packagegroups/packagegroup-citadel.bb

@@ -12,5 +12,4 @@ RDEPENDS:${PN} = "\
     citadel-tools-boot \
     citadel-installer-ui \
     citadel-documentation \
-    ${@'tpm2-tools' if d.getVar('INCLUDE_TPM2_TOOLS') == "1" else "" } \
 "

meta-citadel/recipes-core/citadel-tools/citadel-tools_0.1.0.bb

@@ -3,7 +3,7 @@ HOMEPAGE = "http://github.com/subgraph/citadel"
 LICENSE = "CLOSED"
 LIC_FILES_CHKSUM=""
 
-inherit cargo cargo-update-recipe-crates systemd gsettings pkgconfig
+inherit cargo cargo-update-recipe-crates systemd gsettings pkgconfig useradd
 
 # DONUT USE CARGO BITBAKE ANYMORE!
 #
@@ -14,7 +14,7 @@ require citadel-tools-crates.inc
 #
 # Update this when changes are pushed to github
 #
-SRCREV = "3a3d5c3b9b02728753d4f659073168c5d3f3664e"
+SRCREV = "43f0e3ff98ac7b40838c00615f0445c4a7ed7ce7"
 
 # get git repo owner from citadel to find the correct citadel-tools repo path
 python () {
@@ -54,11 +54,15 @@ FILES:${PN} = "\
     ${bindir}/citadel-image \
     ${bindir}/citadel-realmfs \
     ${bindir}/citadel-update \
+    ${bindir}/citadel-fetch \
     ${systemd_system_unitdir} \
     ${sysconfdir}/dbus-1/system.d \
     ${datadir}/applications \
 "
 
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "-m -u 700 -s /bin/nologin citadel-tool"
+
 SYSTEMD_SERVICE:${PN} = "citadel-current-watcher.path citadel-realmsd.service citadel-boot-automount.service"
 
 TARGET_BIN = "${B}/target/${CARGO_TARGET_SUBDIR}"
@@ -89,6 +93,8 @@ do_install() {
 
     # /usr/libexec/citadel-tool
     install -m 755 ${TARGET_BIN}/citadel-tool ${D}${libexecdir}
+    # Change ownership of the main tool executable for citadel-fetch
+    chown 700 ${D}${libexecdir}/citadel-tool
 
     # citadel-realms as /usr/bin/realms
     install -m 755 -T ${TARGET_BIN}/citadel-realms ${D}${bindir}/realms
@@ -108,6 +114,7 @@ do_install() {
     ln ${D}${libexecdir}/citadel-tool ${D}${bindir}/citadel-mkimage
     ln ${D}${libexecdir}/citadel-tool ${D}${bindir}/citadel-realmfs
     ln ${D}${libexecdir}/citadel-tool ${D}${bindir}/citadel-update
+    ln ${D}${libexecdir}/citadel-tool ${D}${bindir}/citadel-fetch
 }
 
 #

meta-citadel/recipes-initrd/images/citadel-initramfs-image.bb

@@ -4,6 +4,7 @@ NO_RECOMMENDATIONS = "1"
 
 PACKAGE_INSTALL = "\
     citadel-initramfs \
+    citadel-keys \
     citadel-tools-boot \
     cryptsetup \
     lvm2 \
@@ -182,7 +183,6 @@ SYSTEMD_UNITS = "\
     umount.target \
 "
 
-
 remove_systemd_wants() {
     for path in ${IMAGE_ROOTFS}${systemd_system_unitdir}/*; do
         if [ -d ${path} ]; then
@@ -229,5 +229,6 @@ append_initrd_release() {
     cat >> ${IMAGE_ROOTFS}/etc/initrd-release << EOF
 CITADEL_KERNEL_VERSION="${CITADEL_KERNEL_VERSION}"
 CITADEL_KERNEL_ID="${KERNEL_ID}"
+CITADEL_CHANNEL="${CITADEL_CHANNEL}"
 EOF
 }

meta-citadel/recipes-support/tpm2-tools/files/0001-tests-switch-to-python3.patch

@@ -1,106 +0,0 @@
-From c3eb378f7f81179d830e9c7d585e53a20c385dee Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Wed, 22 Jul 2020 13:45:44 +0800
-Subject: [PATCH] tests: switch to python3
-
-The python2 is EOL and in some distributions (e.g. CentOS 8/RHEL 8),
-there is no python symbolic link by default.
-See: https://developers.redhat.com/blog/2018/11/14/python-in-rhel-8/
-
-Update the scripts to switch to python3.
-
-Upstream-Status: Pending
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- test/integration/helpers.sh                | 12 +++---------
- test/integration/tests/activecredential.sh |  4 +---
- test/integration/tests/getcap.sh           |  4 +---
- test/integration/tests/print.sh            |  4 +---
- 4 files changed, 6 insertions(+), 18 deletions(-)
-
-diff --git a/test/integration/helpers.sh b/test/integration/helpers.sh
-index b986662..d370a2a 100644
---- a/test/integration/helpers.sh
-+++ b/test/integration/helpers.sh
-@@ -51,9 +51,7 @@ is_cmd_supported() {
- 
- function filter_algs_by() {
- 
--python << pyscript
--from __future__ import print_function
--
-+python3 << pyscript
- import sys
- import yaml
- 
-@@ -176,9 +174,7 @@ populate_alg_modes() {
- # as the first argument loads as a YAML file.
- #
- function yaml_verify() {
--python << pyscript
--from __future__ import print_function
--
-+python3 << pyscript
- import sys
- import yaml
- 
-@@ -202,9 +198,7 @@ function yaml_get_kv() {
-         third_arg=$3
-     fi
- 
--python << pyscript
--from __future__ import print_function
--
-+python3 << pyscript
- import sys
- import yaml
- 
-diff --git a/test/integration/tests/activecredential.sh b/test/integration/tests/activecredential.sh
-index 703823d..95019bf 100644
---- a/test/integration/tests/activecredential.sh
-+++ b/test/integration/tests/activecredential.sh
-@@ -45,9 +45,7 @@ tpm2 flushcontext session.ctx
- diff actcred.out secret.data
- 
- # Capture the yaml output and verify that its the same as the name output
--loaded_key_name_yaml=`python << pyscript
--from __future__ import print_function
--
-+loaded_key_name_yaml=`python3 << pyscript
- import yaml
- 
- with open('ak.out', 'r') as f:
-diff --git a/test/integration/tests/getcap.sh b/test/integration/tests/getcap.sh
-index ebd16fd..9ecb31e 100644
---- a/test/integration/tests/getcap.sh
-+++ b/test/integration/tests/getcap.sh
-@@ -15,9 +15,7 @@ trap cleanup EXIT
- 
- function yaml_to_list() {
- 
--python << pyscript
--from __future__ import print_function
--
-+python3 << pyscript
- import sys
- import yaml
- 
-diff --git a/test/integration/tests/print.sh b/test/integration/tests/print.sh
-index 977543b..1465c7d 100644
---- a/test/integration/tests/print.sh
-+++ b/test/integration/tests/print.sh
-@@ -56,9 +56,7 @@ tpm2 quote -Q -c $ak_ctx -l "sha256:0,2,4,9,10,11,12,17" -q "0f8beb45ac" \
- tpm2 print -t TPMS_ATTEST $quote_file > $print_file
- 
- # Check printed yaml
--python << pyscript
--from __future__ import print_function
--
-+python3 << pyscript
- import sys
- import re
- import yaml
--- 
-2.25.1
-

meta-citadel/recipes-support/tpm2-tools/tpm2-tools_5.7.bb

@@ -1,19 +0,0 @@
-SUMMARY = "Trusted Platform Module 2.0 tools"
-DESCRIPTION = "Trusted Platform Module (TPM2.0) tools based on tpm2-tss."
-SECTION = "tpm"
-
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
-
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
-           file://0001-tests-switch-to-python3.patch \
-          "
-
-SRC_URI[sha256sum] = "3810d36b5079256f4f2f7ce552e22213d43b1031c131538df8a2dbc3c570983a"
-
-UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
-UPSTREAM_CHECK_REGEX = "releases/tag/v?(?P<pver>\d+(\.\d+)+)"
-
-DEPENDS = "tpm2-abrmd tpm2-tss openssl curl"
-
-inherit autotools pkgconfig bash-completion

meta-citadel/recipes-support/tpm2-tss/tpm2-tss/0001-Do-not-create-user-and-group.patch

@@ -1,53 +0,0 @@
-From 3a1d6cd2f41ecd73c7d867b22546857286db8f95 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Wed, 26 Apr 2023 17:01:31 +0800
-Subject: [PATCH] Do not create user and group
-
-Do not create user/group since we are in cross build env.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- Makefile.am  |  2 +-
- configure.ac | 11 -----------
- 2 files changed, 1 insertion(+), 12 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index f03d15c..30fad17 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -994,7 +994,7 @@ endif
- 	@test -n "$(DESTDIR)" || $(call check_fapi_dirs)
- endif
- 
--install-data-hook: install-dirs
-+install-data-hook:
- 	-if [ ! -z "$(udevrulesprefix)" ]; then \
- 		mv $(DESTDIR)$(udevrulesdir)/tpm-udev.rules $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)tpm-udev.rules; \
- 	fi
-diff --git a/configure.ac b/configure.ac
-index eb6051e..a52c472 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -663,17 +663,6 @@ AM_CONDITIONAL([SYSD_SYSUSERS], [test "x$systemd_sysusers" = "xyes" && test "x$s
- AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes)
- AM_CONDITIONAL([SYSD_TMPFILES], [test "x$systemd_tmpfiles" = "xyes" && test "x$tmpfilesdir" != "xno"])
- 
--# Check all tools used by make install
--AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
--    [ AC_CHECK_PROG(useradd, useradd, yes)
--      AC_CHECK_PROG(groupadd, groupadd, yes)
--      AC_CHECK_PROG(adduser, adduser, yes)
--      AC_CHECK_PROG(addgroup, addgroup, yes)
--      AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
--         [AC_MSG_ERROR([addgroup or groupadd are needed.])])
--      AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
--         [AC_MSG_ERROR([adduser or useradd are needed.])])])
--
- AC_SUBST([PATH])
- 
- dnl --------- Doxy Gen -----------------------
--- 
-2.25.1
-

meta-citadel/recipes-support/tpm2-tss/tpm2-tss_4.1.3.bb

@@ -1,85 +0,0 @@
-SUMMARY = "Software stack for TPM2."
-DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
-SECTION = "tpm"
-
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
-
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
-           file://0001-Do-not-create-user-and-group.patch \
-          "
-
-SRC_URI[sha256sum] = "37f1580200ab78305d1fc872d89241aaee0c93cbe85bc559bf332737a60d3be8"
-
-UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
-UPSTREAM_CHECK_REGEX = "releases/tag/v?(?P<pver>\d+(\.\d+)+)"
-
-DEPENDS = "openssl"
-
-inherit autotools pkgconfig systemd useradd
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
-PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c util-linux-libuuid"
-PACKAGECONFIG[policy] = "--enable-policy,--disable-policy,curl json-c util-linux-libuuid"
-
-EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
-EXTRA_OECONF:remove = " --disable-static"
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system tss"
-USERADD_PARAM:${PN} = "--system -M -d / -s /bin/false -g tss tss"
-
-PROVIDES = "${PACKAGES}"
-PACKAGES = " \
-    ${PN} \
-    ${PN}-dbg \
-    ${PN}-doc \
-    libtss2-mu \
-    libtss2-mu-dev \
-    libtss2-mu-staticdev \
-    libtss2-tcti-device \
-    libtss2-tcti-device-dev \
-    libtss2-tcti-device-staticdev \
-    libtss2-tcti-mssim \
-    libtss2-tcti-mssim-dev \
-    libtss2-tcti-mssim-staticdev \
-    libtss2 \
-    libtss2-dev \
-    libtss2-staticdev \
-"
-
-FILES:libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*"
-FILES:libtss2-tcti-device-dev = " \
-    ${includedir}/tss2/tss2_tcti_device.h \
-    ${libdir}/pkgconfig/tss2-tcti-device.pc \
-    ${libdir}/libtss2-tcti-device.so"
-FILES:libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a"
-
-FILES:libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*"
-FILES:libtss2-tcti-mssim-dev = " \
-    ${includedir}/tss2/tss2_tcti_mssim.h \
-    ${libdir}/pkgconfig/tss2-tcti-mssim.pc \
-    ${libdir}/libtss2-tcti-mssim.so"
-FILES:libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a"
-
-FILES:libtss2-mu = "${libdir}/libtss2-mu.so.*"
-FILES:libtss2-mu-dev = " \
-    ${includedir}/tss2/tss2_mu.h \
-    ${libdir}/pkgconfig/tss2-mu.pc \
-    ${libdir}/libtss2-mu.so"
-FILES:libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
-
-FILES:libtss2 = "${libdir}/libtss2*so.*"
-FILES:libtss2-dev = " \
-    ${includedir} \
-    ${libdir}/pkgconfig \
-    ${libdir}/libtss2*so"
-FILES:libtss2-staticdev = "${libdir}/libtss*a"
-
-FILES:${PN} = " \
-    ${libdir}/udev \
-    ${nonarch_base_libdir}/udev \
-    ${sysconfdir}/tmpfiles.d \
-    ${sysconfdir}/tpm2-tss \
-    ${sysconfdir}/sysusers.d"