From 116506d9b2eb13fcb80912ab6091f7861959abdb Mon Sep 17 00:00:00 2001
From: Jason Andryuk
Date: Mon, 13 Dec 2021 09:26:28 -0500
Subject: [PATCH 1/6] bootloaders: load the CML SINIT ACM
We need to load the CML SINIT ACM for tboot to use it.
---
 .../xenclient-dom0-tweaks/xenclient-dom0-tweaks/grub.cfg | 7 +++++++
 .../xenclient-dom0-tweaks/xenclient-dom0-tweaks/openxt.cfg | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/grub.cfg b/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/grub.cfg
index a603d8f7e..39fe9756d 100644
--- a/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/grub.cfg
+++ b/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/grub.cfg
@@ -53,6 +53,7 @@ menuentry "XenClient: Normal" {
 module /boot/6th_gen_i5_i7_SINIT_71.BIN
 module /boot/7th_gen_i5_i7-SINIT_74.bin
 module /boot/8th_gen_i5_i7-SINIT_76.bin
+ module /boot/7th_8th_gen_i5_i7-SINIT_81.bin
 # This module should remain here or Xen's command line has to be updated with ucode= (currently ucode=-2)
 module /boot/microcode_intel.bin # not ELF - causes module alignment problems
@@ -79,6 +80,7 @@ menuentry "XenClient Technical Support Option: Safe graphics" {
 module /boot/6th_gen_i5_i7_SINIT_71.BIN
 module /boot/7th_gen_i5_i7-SINIT_74.bin
 module /boot/8th_gen_i5_i7-SINIT_76.bin
+ module /boot/7th_8th_gen_i5_i7-SINIT_81.bin
 module /boot/microcode_intel.bin
 module /etc/xen/xenrefpolicy/policy/policy.24
 }
@@ -102,6 +104,7 @@ menuentry "XenClient Technical Support Option: Safe Mode (no autostart of VMs)"
 module /boot/6th_gen_i5_i7_SINIT_71.BIN
 module /boot/7th_gen_i5_i7-SINIT_74.bin
 module /boot/8th_gen_i5_i7-SINIT_76.bin
+ module /boot/7th_8th_gen_i5_i7-SINIT_81.bin
 module /boot/microcode_intel.bin
 module /etc/xen/xenrefpolicy/policy/policy.24
 }
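Review bot: Each new `module /boot/7th_8th_gen_i5_i7-SINIT_81.bin` line assumes the ACM file is already shipped in /boot, but nothing in this series installs it; GRUB's `module` command fails on a missing file and the menu entry will not boot, so confirm the recipe that stages the other SINIT binaries (not shown here) also ships the 81 ACM before this lands. Placing it ahead of microcode_intel.bin is the right spot: the comment in this hunk ties the microcode module to `ucode=-2`, so the number of modules after it must not change, and this hunk keeps that. The same applies to the other six menu entries patched in this file.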
@@ -126,6 +129,7 @@ menuentry "XenClient Technical Support Option: Safe Mode with AMT serial" {
 module /boot/6th_gen_i5_i7_SINIT_71.BIN
 module /boot/7th_gen_i5_i7-SINIT_74.bin
 module /boot/8th_gen_i5_i7-SINIT_76.bin
+ module /boot/7th_8th_gen_i5_i7-SINIT_81.bin
 module /boot/microcode_intel.bin
 module /etc/xen/xenrefpolicy/policy/policy.24
 }
@@ -150,6 +154,7 @@ menuentry "XenClient Technical Support Option: Normal Mode with synchronised con
 module /boot/6th_gen_i5_i7_SINIT_71.BIN
 module /boot/7th_gen_i5_i7-SINIT_74.bin
 module /boot/8th_gen_i5_i7-SINIT_76.bin
+ module /boot/7th_8th_gen_i5_i7-SINIT_81.bin
 module /boot/microcode_intel.bin
 module /etc/xen/xenrefpolicy/policy/policy.24
 }
@@ -174,6 +179,7 @@ menuentry "XenClient Technical Support Option: console access" {
 module /boot/6th_gen_i5_i7_SINIT_71.BIN
 module /boot/7th_gen_i5_i7-SINIT_74.bin
 module /boot/8th_gen_i5_i7-SINIT_76.bin
+ module /boot/7th_8th_gen_i5_i7-SINIT_81.bin
 module /boot/microcode_intel.bin
 module /etc/xen/xenrefpolicy/policy/policy.24
 }
@@ -198,6 +204,7 @@ menuentry "XenClient Technical Support Option: console access with AMT serial" {
 module /boot/6th_gen_i5_i7_SINIT_71.BIN
 module /boot/7th_gen_i5_i7-SINIT_74.bin
 module /boot/8th_gen_i5_i7-SINIT_76.bin
+ module /boot/7th_8th_gen_i5_i7-SINIT_81.bin
 module /boot/microcode_intel.bin
 module /etc/xen/xenrefpolicy/policy/policy.24
 }
diff --git a/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/openxt.cfg b/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/openxt.cfg
index 6fb50841f..93077093c 100644
--- a/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/openxt.cfg
+++ b/recipes-openxt/xenclient-dom0-tweaks/xenclient-dom0-tweaks/openxt.cfg
@@ -1,7 +1,7 @@
 [global]
 default=openxt-normal
 tboot=tboot min_ram=0x2000000 loglvl=all serial=115200,8n1,0x3f8 logging=serial,memory
-sinit=GM45_GS45_PM45_SINIT_51.BIN Q35_SINIT_51.BIN Q45_Q43_SINIT_51.BIN i5_i7_DUAL_SINIT_51.BIN i7_QUAD_SINIT_51.BIN 3rd_gen_i5_i7_SINIT_67.BIN Xeon-5600-3500-SINIT-v1.1.bin Xeon-E7-8800-4800-2800-SINIT-v1.1.bin 4th_gen_i5_i7_SINIT_75.BIN 5th_gen_i5_i7_SINIT_79.BIN 6th_gen_i5_i7_SINIT_71.BIN 7th_gen_i5_i7-SINIT_74.bin 8th_gen_i5_i7-SINIT_76.bin
+sinit=GM45_GS45_PM45_SINIT_51.BIN Q35_SINIT_51.BIN Q45_Q43_SINIT_51.BIN i5_i7_DUAL_SINIT_51.BIN i7_QUAD_SINIT_51.BIN 3rd_gen_i5_i7_SINIT_67.BIN Xeon-5600-3500-SINIT-v1.1.bin Xeon-E7-8800-4800-2800-SINIT-v1.1.bin 4th_gen_i5_i7_SINIT_75.BIN 5th_gen_i5_i7_SINIT_79.BIN 6th_gen_i5_i7_SINIT_71.BIN 7th_gen_i5_i7-SINIT_74.bin 8th_gen_i5_i7-SINIT_76.bin 7th_8th_gen_i5_i7-SINIT_81.bin
 ucode=microcode_intel.bin
 [openxt-normal]
From 0e52d09b8e5ce841c518238c03660f265c3d6a72 Mon Sep 17 00:00:00 2001
From: Jason Andryuk
Date: Mon, 28 Feb 2022 14:53:46 -0500
Subject: [PATCH 2/6] openssh: Only use ed25519 sshd host key for argo sshd argo is purely internal to the host. We don't need to use multiple ssh host keys since a single one will be compatible with out provided client ssh. Select ed25519 since it is fast and generally preferred. This means we can drop generating ecdsa, dsa & rsa. Change the bbappend seddery to just modify the single entry.
Signed-off-by: Jason Andryuk
---
 recipes-connectivity/openssh/files/sshd_config_argo | 3 +--
 recipes-connectivity/openssh/openssh_8.%.bbappend | 7 ++-----
 2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/recipes-connectivity/openssh/files/sshd_config_argo b/recipes-connectivity/openssh/files/sshd_config_argo
index 836ad5e42..a12829e24 100644
--- a/recipes-connectivity/openssh/files/sshd_config_argo
+++ b/recipes-connectivity/openssh/files/sshd_config_argo
@@ -23,8 +23,7 @@ Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key_argo
-HostKey /etc/ssh/ssh_host_dsa_key_argo
+HostKey /etc/ssh/ssh_host_ed25519_key_argo
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
diff --git a/recipes-connectivity/openssh/openssh_8.%.bbappend b/recipes-connectivity/openssh/openssh_8.%.bbappend
index 9b9140719..91eff5e21 100644
--- a/recipes-connectivity/openssh/openssh_8.%.bbappend
+++ b/recipes-connectivity/openssh/openssh_8.%.bbappend
@@ -23,11 +23,8 @@ do_install_append() {
 install -m 0644 ${WORKDIR}/sshd_config_argo ${D}${sysconfdir}/ssh/sshd_config_argo
 install -m 0644 ${WORKDIR}/sshd_config_argo ${D}${sysconfdir}/ssh/sshd_config_readonly_argo
- sed -i -e '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly_argo
- echo "HostKey /var/run/ssh/ssh_host_rsa_key_argo" >> ${D}${sysconfdir}/ssh/sshd_config_readonly_argo
- echo "HostKey /var/run/ssh/ssh_host_dsa_key_argo" >> ${D}${sysconfdir}/ssh/sshd_config_readonly_argo
- echo "HostKey /var/run/ssh/ssh_host_ecdsa_key_argo" >> ${D}${sysconfdir}/ssh/sshd_config_readonly_argo
- echo "HostKey /var/run/ssh/ssh_host_ed25519_key_argo" >> ${D}${sysconfdir}/ssh/sshd_config_readonly_argo
+ sed -i -e 's|^HostKey /etc/ssh/|HostKey /var/run/ssh/|' \
+ ${D}${sysconfdir}/ssh/sshd_config_readonly_argo
 install -m 0644 ${WORKDIR}/volatiles.99_ssh-keygen ${D}${sysconfdir}/default/volatiles/99_ssh-keygen
From 1d65bb87ea067ac935883c29fedf382a59a726f5 Mon Sep 17 00:00:00 2001
From: Jason Andryuk
Date: Fri, 22 Oct 2021 13:50:31 -0400
Subject: [PATCH 3/6] monit: dom0 listen to 127.0.0.1
Only listed on localhost since it doesn't need to be on the network. Monit has trouble with "localhost" so use 127.0.0.1.
---
 recipes-extended/monit/monit/dom0-cfg | 4 ++++
 1 file changed, 4 insertions(+)
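Review bot: The single `HostKey /etc/ssh/ssh_host_ed25519_key_argo` line is now the whole host-key set, but the other half of the commit message — dropping generation of the rsa/dsa/ecdsa argo keys — is not in this diff; volatiles.99_ssh-keygen, which the bbappend in this same patch installs, is untouched, so presumably the generator still creates key files that nothing references. Either trim the generator in the same commit or say in the message that it follows separately. Removing the dsa line is a no-op for sshd 8.x, which has not offered ssh-dss host keys by default since 7.0, so the effective change is rsa to ed25519 only, which is fine for the in-tree client the message describes.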
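Review bot: The new sed hard-codes `/etc/ssh/` in its match while both `install` lines above it use `${D}${sysconfdir}/ssh/`, so the rewrite silently becomes a no-op if sysconfdir or the HostKey path in sshd_config_argo ever changes, whereas the delete-and-append sequence it replaces at least guaranteed a volatile HostKey line. Use `'s|^HostKey ${sysconfdir}/ssh/|HostKey /var/run/ssh/|'` and assert the result, e.g. `grep -q '^HostKey /var/run/ssh/' ${D}${sysconfdir}/ssh/sshd_config_readonly_argo || bbfatal "readonly argo sshd_config has no volatile HostKey"`, so the failure shows up at build time rather than as an sshd that cannot find its key on a read-only root. The rest of do_install_append lies outside this hunk.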
diff --git a/recipes-extended/monit/monit/dom0-cfg b/recipes-extended/monit/monit/dom0-cfg
index f9d943ea4..19a66c76b 100644
--- a/recipes-extended/monit/monit/dom0-cfg
+++ b/recipes-extended/monit/monit/dom0-cfg
@@ -8,3 +8,7 @@ set statefile /var/lib/monit/state
 set eventqueue basedir /var/lib/monit/events slots 100
+
+set httpd port 2812 and
+ use address 127.0.0.1
+ allow 127.0.0.1
From 038cc3d59a2046c26b074eef3ae7b1a1d28eb3e1 Mon Sep 17 00:00:00 2001
From: Jason Andryuk
Date: Mon, 30 Aug 2021 15:04:45 -0400
Subject: [PATCH 4/6] argo-module: Add argo-module-udev subpackage
This adds udev rules to apply the argo group ownership to /dev/argo*. This helps with deprivileging processes so they don't have to run as root. It's subpackage and will be added as an RRECOMMENDS in most cases.
---
 recipes-openxt/argo/argo-module_git.bb | 18 ++++++++++++++++++
 recipes-openxt/argo/files/60-argo.rules | 2 ++
 2 files changed, 20 insertions(+)
 create mode 100644 recipes-openxt/argo/files/60-argo.rules
diff --git a/recipes-openxt/argo/argo-module_git.bb b/recipes-openxt/argo/argo-module_git.bb
index 4d207b31d..4da2fbecb 100644
--- a/recipes-openxt/argo/argo-module_git.bb
+++ b/recipes-openxt/argo/argo-module_git.bb
@@ -8,13 +8,31 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4641e94ec96f98fabc56ff9cc48be14b"
 require argo.inc
+SRC_URI += " \
+ file://60-argo.rules \
+"
 S = "${WORKDIR}/git/argo-linux"
 inherit module
 inherit module-signing
+inherit useradd
 EXTRA_OEMAKE += "INSTALL_HDR_PATH=${D}${prefix}"
 MODULES_INSTALL_TARGET += "headers_install"
 KERNEL_MODULE_AUTOLOAD += "xen-argo"
+
+RRECOMMENDS_${PN} = "${PN}-udev"
+PACKAGE_BEFORE_PN += "${PN}-udev"
+FILES_${PN}-udev = " \
+ ${sysconfdir}/udev/rules.d/ \
+"
+
+USERADD_PACKAGES = "${PN}-udev"
+GROUPADD_PARAM_${PN}-udev = "-r argo"
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/udev/rules.d
+ install -m 0644 ${WORKDIR}/60-argo.rules ${D}${sysconfdir}/udev/rules.d/
+}
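Review bot: `allow 127.0.0.1` restricts the httpd listener to loopback but not to a user: any local process, including the deprivileged ones the rest of this series is creating, can reach port 2812 and start, stop or unmonitor services through it. Add a credential so only root and the monit CLI (which reads it from this file) can act, e.g. `allow monit:<PLACEHOLDER_PASSWORD>` after the `allow 127.0.0.1` line, and keep the file 0600 as monit already requires for its control file; newer monit releases also offer a unix socket instead of a TCP port, if the version in this tree has it. A one-line comment above `set httpd` saying why the listener is needed at all — presumably for the monit CLI, which talks to it — would also help, since neither this file nor the commit message says so.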
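Review bot: `FILES_${PN}-udev` claims the whole `${sysconfdir}/udev/rules.d/` directory rather than the one file do_install_append places there; name it, `${sysconfdir}/udev/rules.d/60-argo.rules`, so a rule added to this recipe later is not silently swept into the udev subpackage and an overlap with another package is reported instead. `RRECOMMENDS_${PN} = "${PN}-udev"` is a plain assignment and would discard anything argo.inc (not visible here) may already put in RRECOMMENDS_${PN}; `+=` is the safer form. A short comment above the USERADD lines, noting that the -udev subpackage creates the group because the rules file references `GROUP="argo"`, would tie the two halves together for the next reader.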
diff --git a/recipes-openxt/argo/files/60-argo.rules b/recipes-openxt/argo/files/60-argo.rules
new file mode 100644
index 000000000..d92c12396
--- /dev/null
+++ b/recipes-openxt/argo/files/60-argo.rules
@@ -0,0 +1,2 @@
+KERNEL=="argo_stream", MODE="0660", GROUP="argo"
+KERNEL=="argo_dgram", MODE="0660", GROUP="argo"
From c09bc0e29da0b324b9e252fdda6a2fa615651f02 Mon Sep 17 00:00:00 2001
From: Jason Andryuk
Date: Mon, 30 Aug 2021 15:10:15 -0400
Subject: [PATCH 5/6] libargo: RDEPENDS on argo-module
libargo is useless without argo-module. Add that RDEPENDS and remove all the manual IMAGE_INSTALLs of argo-module from image recipes. Proper dependency tracking takes care of that for us. Since KERNEL_MODULE_AUTOLOAD is set properly for argo-module/xen-argo, this is all much nicer.
---
 recipes-core/images/usbvm-image.bb | 1 -
 recipes-core/images/xenclient-dom0-image.bb | 1 -
 recipes-core/images/xenclient-ndvm-image.bb | 1 -
 recipes-core/images/xenclient-stubdomain-initramfs-image.bb | 1 -
 recipes-core/images/xenclient-syncvm-image.bb | 1 -
 recipes-core/images/xenclient-uivm-image.bb | 1 -
 recipes-openxt/argo/libargo_git.bb | 2 ++
 7 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/recipes-core/images/usbvm-image.bb b/recipes-core/images/usbvm-image.bb
index 0162c4926..8d1cd8310 100644
--- a/recipes-core/images/usbvm-image.bb
+++ b/recipes-core/images/usbvm-image.bb
@@ -24,7 +24,6 @@ IMAGE_INSTALL += " \
 openssh \
 rsyslog \
 usbutils \
- argo-module \
 grub-xen-conf \
 kernel-modules \
 vusb-daemon-stub \
diff --git a/recipes-core/images/xenclient-dom0-image.bb b/recipes-core/images/xenclient-dom0-image.bb
index 05faa7030..5651998b1 100644
--- a/recipes-core/images/xenclient-dom0-image.bb
+++ b/recipes-core/images/xenclient-dom0-image.bb
@@ -41,7 +41,6 @@ IMAGE_INSTALL += "\
 packagegroup-xenclient-common \
 packagegroup-xenclient-dom0 \
 packagegroup-openxt-test \
- argo-module \
 txt-info-module \
 xenclient-preload-hs-libs \
 linux-firmware-i915 \
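Review bot: The new rules file carries no header comment, and udev rule files are usually read on their own, so add `# Argo device nodes: rw for group "argo" (created by argo-module-udev) so clients need not run as root` above the first `KERNEL==` line. 0660 with a dedicated system group is the right least-privilege shape for these nodes.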
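Review bot: Dropping `argo-module` from this IMAGE_INSTALL relies on something else in the usbvm image pulling in libargo, and nothing visible in the hunk does — openssh, rsyslog, usbutils, grub-xen-conf, kernel-modules and vusb-daemon-stub are the only neighbours shown, and kernel-modules covers in-tree modules only; if none of them RDEPENDS on libargo, the xen-argo module simply leaves this image. The same question applies to the xenclient-ndvm-image.bb and xenclient-stubdomain-initramfs-image.bb hunks later in this patch, whose visible lists also show no libargo consumer (the syncvm and uivm hunks do list libargo). Worth confirming against the image manifests or `bitbake -g`, or stating in the commit message which package carries the dependency for each image.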
diff --git a/recipes-core/images/xenclient-ndvm-image.bb b/recipes-core/images/xenclient-ndvm-image.bb
index 50d92a505..3e9bdc134 100644
--- a/recipes-core/images/xenclient-ndvm-image.bb
+++ b/recipes-core/images/xenclient-ndvm-image.bb
@@ -56,7 +56,6 @@ IMAGE_INSTALL = " \
 linux-firmware-bnx2 \
 xenclient-ndvm-tweaks \
 rsyslog \
- argo-module \
 xen-tools-libxenstore \
 xen-tools-xenstore \
 wget \
diff --git a/recipes-core/images/xenclient-stubdomain-initramfs-image.bb b/recipes-core/images/xenclient-stubdomain-initramfs-image.bb
index e96fb4fea..25d79d12c 100644
--- a/recipes-core/images/xenclient-stubdomain-initramfs-image.bb
+++ b/recipes-core/images/xenclient-stubdomain-initramfs-image.bb
@@ -20,7 +20,6 @@ IMAGE_INSTALL = " \
 initramfs-stubdomain \
 xen-tools-xenstore \
 qemu-dm-stubdom \
- argo-module \
 "
 IMAGE_LINGUAS = ""
diff --git a/recipes-core/images/xenclient-syncvm-image.bb b/recipes-core/images/xenclient-syncvm-image.bb
index 9f9d20903..f3d6b0019 100644
--- a/recipes-core/images/xenclient-syncvm-image.bb
+++ b/recipes-core/images/xenclient-syncvm-image.bb
@@ -32,7 +32,6 @@ IMAGE_INSTALL = "\
 packagegroup-base \
 packagegroup-xenclient-common \
 kernel-modules \
- argo-module \
 libargo \
 libargo-bin \
 rsyslog \
diff --git a/recipes-core/images/xenclient-uivm-image.bb b/recipes-core/images/xenclient-uivm-image.bb
index 00c4bd022..4819a2d99 100644
--- a/recipes-core/images/xenclient-uivm-image.bb
+++ b/recipes-core/images/xenclient-uivm-image.bb
@@ -57,7 +57,6 @@ IMAGE_INSTALL += "\
 openssh \
 packagegroup-base \
 kernel-modules \
- argo-module \
 libargo \
 libargo-bin \
 xinit \
diff --git a/recipes-openxt/argo/libargo_git.bb b/recipes-openxt/argo/libargo_git.bb
index 6d1e67515..bad182eb4 100644
--- a/recipes-openxt/argo/libargo_git.bb
+++ b/recipes-openxt/argo/libargo_git.bb
@@ -10,3 +10,5 @@ S = "${WORKDIR}/git/libargo"
 inherit autotools-brokensep pkgconfig lib_package
 EXTRA_OECONF += "--with-pic"
+
+RDEPENDS_${PN} += "argo-module"
From 99b265398d588bfc2c790493ffd015028c55f8b5 Mon Sep 17 00:00:00 2001
From: Jason Andryuk
Date: Tue, 20 Jul 2021 11:20:14 -0400
Subject: [PATCH 6/6] syncvm-tweaks: Switch to using dbd-tools-guest
domstore_read is a open-coding of db-read-dom0 from dbd-tools-guest, so just replace the use.
---
 .../network-config.initscript | 18 +++++-------------
 .../xenclient-syncvm-tweaks_1.0.bb | 2 +-
 2 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks-1.0/network-config.initscript b/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks-1.0/network-config.initscript
index 762b9f10a..f9792fea8 100644
--- a/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks-1.0/network-config.initscript
+++ b/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks-1.0/network-config.initscript
@@ -17,15 +17,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
-domstore_read()
-{
- LD_PRELOAD=/usr/lib/libargo-1.0.so.0 \
- DBUS_SYSTEM_BUS_ADDRESS=tcp:host=1.0.0.0,port=5556 \
- INET_IS_ARGO=1 \
- db-read "$@"
-}
-
-if [ "$(domstore_read network/mode)" = "static" ] ; then
+if [ "$(db-read-dom0 network/mode)" = "static" ] ; then
 cat < /var/volatile/etc/network/interfaces
 auto lo
@@ -33,13 +25,13 @@ iface lo inet loopback
 auto eth0
 iface eth0 inet static
-address $(domstore_read network/address)
-netmask $(domstore_read network/netmask)
-gateway $(domstore_read network/gateway)
+address $(db-read-dom0 network/address)
+netmask $(db-read-dom0 network/netmask)
+gateway $(db-read-dom0 network/gateway)
 EOF
 cat < /etc/resolv.conf
-nameserver $(domstore_read network/dns)
+nameserver $(db-read-dom0 network/dns)
 EOF
 else
diff --git a/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks_1.0.bb b/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks_1.0.bb
index 48ce72952..4bfd1b2f1 100644
--- a/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks_1.0.bb
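Review bot: The four `db-read-dom0` substitutions in this hunk write whatever the tool returns straight into the interfaces file and resolv.conf; a missing key or a failed read produces a bare `address `/`nameserver ` line that breaks ifup, and the script carries on regardless because the exit status of a command substitution inside a heredoc is lost. Read the values into variables first, reject empty or malformed ones, and only then write the files; the `if` this belongs to opens in the previous hunk and its `else` branch continues past this one. The domstore is populated by dom0, so this is a robustness check rather than a trust boundary, but the init script is the only place it can fail loudly. The digit/dot pattern below admits IPv4 only; widen it if the syncvm is expected to take IPv6 addresses, and falling through to the existing `else` branch may be preferable to `exit 1` if that branch is the DHCP fallback.
```shell
if [ "$(db-read-dom0 network/mode)" = "static" ] ; then
    addr=$(db-read-dom0 network/address)
    mask=$(db-read-dom0 network/netmask)
    gw=$(db-read-dom0 network/gateway)
    dns=$(db-read-dom0 network/dns)
    for v in "$addr" "$mask" "$gw" "$dns"; do
        case "$v" in
            ''|*[!0-9.]*) echo "network-config: bad static network value from domstore" >&2; exit 1 ;;
        esac
    done
    # … unchanged: heredoc writing /var/volatile/etc/network/interfaces, now using $addr, $mask and $gw …
    # … unchanged: heredoc writing /etc/resolv.conf, now using $dns …
```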
+++ b/recipes-openxt/xenclient-syncvm-tweaks/xenclient-syncvm-tweaks_1.0.bb
@@ -9,7 +9,7 @@ SRC_URI = "file://argo.modutils \
 PACKAGES = "${PN}"
-RDEPENDS_${PN} += "dbd-tools"
+RDEPENDS_${PN} += "dbd-tools-guest"
 FILES_${PN} = "/"