
wic: implement bootloader --password

Message ID 20221115144031.89678-1-s.zhmylev@yadro.com
State New

Commit Message

Sergey Zhmylev Nov. 15, 2022, 2:40 p.m. UTC
From: Sergei Zhmylev <s.zhmylev@yadro.com>

Currently the only way to specify a password for bootloader
is to supply a complete user-defined bootloader config file
to the build process.  This patch introduces a --password
parameter in order to simplify bootloader hardening.

Signed-off-by: Sergei Zhmylev <s.zhmylev@yadro.com>
---
 scripts/lib/wic/ksparser.py                         |  1 +
 scripts/lib/wic/plugins/source/bootimg-efi.py       |  6 +++++-
 scripts/lib/wic/plugins/source/bootimg-pcbios.py    |  7 ++++++-
 .../lib/wic/plugins/source/isoimage-isohybrid.py    | 13 +++++++++++--
 4 files changed, 23 insertions(+), 4 deletions(-)

Comments

Alexander Kanavin Nov. 15, 2022, 3:45 p.m. UTC | #1
Wait, is the password provided through command line?

Alex

On Tue, 15 Nov 2022 at 15:40, Sergey Zhmylev <s.zhmylev@yadro.com> wrote:
>
> From: Sergei Zhmylev <s.zhmylev@yadro.com>
>
> Currently the only way to specify a password for bootloader
> is to supply a complete user-defined bootloader config file
> to the build process.  This patch introduces a --password
> paramenter in order to simplify bootloaders hardening.
>
> Signed-off-by: Sergei Zhmylev <s.zhmylev@yadro.com>
> ---
>  scripts/lib/wic/ksparser.py                         |  1 +
>  scripts/lib/wic/plugins/source/bootimg-efi.py       |  6 +++++-
>  scripts/lib/wic/plugins/source/bootimg-pcbios.py    |  7 ++++++-
>  .../lib/wic/plugins/source/isoimage-isohybrid.py    | 13 +++++++++++--
>  4 files changed, 23 insertions(+), 4 deletions(-)
>
> diff --git a/scripts/lib/wic/ksparser.py b/scripts/lib/wic/ksparser.py
> index d1e546b12d..89bc897a5a 100644
> --- a/scripts/lib/wic/ksparser.py
> +++ b/scripts/lib/wic/ksparser.py
> @@ -195,6 +195,7 @@ class KickStart():
>                                  default='msdos')
>          bootloader.add_argument('--timeout', type=int)
>          bootloader.add_argument('--source')
> +        bootloader.add_argument('--password')
>
>          include = subparsers.add_parser('include')
>          include.add_argument('path', type=cannedpathtype)
> diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
> index 4b00913a70..3d84252796 100644
> --- a/scripts/lib/wic/plugins/source/bootimg-efi.py
> +++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
> @@ -86,7 +86,11 @@ class BootimgEFIPlugin(SourcePlugin):
>              grubefi_conf += "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1\n"
>              grubefi_conf += "default=boot\n"
>              grubefi_conf += "timeout=%s\n" % bootloader.timeout
> -            grubefi_conf += "menuentry '%s'{\n" % (title if title else "boot")
> +            if bootloader.password:
> +                grubefi_conf += "set superusers=\"root\"\n"
> +                grubefi_conf += "export superusers\n"
> +                grubefi_conf += "password root %s\n" % (bootloader.password)
> +            grubefi_conf += "menuentry '%s' %s {\n" % (title if title else "boot", "--unrestricted" if bootloader.password else "")
>
>              kernel = get_bitbake_var("KERNEL_IMAGETYPE")
>              if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":
> diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
> index 32e47f1831..cbf4622cf9 100644
> --- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py
> +++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
> @@ -113,8 +113,13 @@ class BootimgPcbiosPlugin(SourcePlugin):
>              syslinux_conf = ""
>              syslinux_conf += "PROMPT 0\n"
>              syslinux_conf += "TIMEOUT " + str(bootloader.timeout) + "\n"
> +            if bootloader.password:
> +                syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n"
> +                syslinux_conf += "ALLOWOPTIONS 0\n"
> +                syslinux_conf += "NOESCAPE 1\n"
> +            else:
> +                syslinux_conf += "ALLOWOPTIONS 1\n"
>              syslinux_conf += "\n"
> -            syslinux_conf += "ALLOWOPTIONS 1\n"
>              syslinux_conf += "SERIAL 0 115200\n"
>              syslinux_conf += "\n"
>              if splashline:
> diff --git a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
> index 607356ad13..1d5099f954 100644
> --- a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
> +++ b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
> @@ -63,8 +63,13 @@ class IsoImagePlugin(SourcePlugin):
>          syslinux_conf = ""
>          syslinux_conf += "PROMPT 0\n"
>          syslinux_conf += "TIMEOUT %s \n" % (bootloader.timeout or 10)
> +        if bootloader.password:
> +            syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n"
> +            syslinux_conf += "ALLOWOPTIONS 0\n"
> +            syslinux_conf += "NOESCAPE 1\n"
> +        else:
> +            syslinux_conf += "ALLOWOPTIONS 1\n"
>          syslinux_conf += "\n"
> -        syslinux_conf += "ALLOWOPTIONS 1\n"
>          syslinux_conf += "SERIAL 0 115200\n"
>          syslinux_conf += "\n"
>          if splashline:
> @@ -116,10 +121,14 @@ class IsoImagePlugin(SourcePlugin):
>              grubefi_conf += "--parity=no --stop=1\n"
>              grubefi_conf += "default=boot\n"
>              grubefi_conf += "timeout=%s\n" % (bootloader.timeout or 10)
> +            if bootloader.password:
> +                grubefi_conf += "set superusers=\"root\"\n"
> +                grubefi_conf += "export superusers\n"
> +                grubefi_conf += "password root %s\n" % (bootloader.password)
>              grubefi_conf += "\n"
>              grubefi_conf += "search --set=root --label %s " % part.label
>              grubefi_conf += "\n"
> -            grubefi_conf += "menuentry 'boot'{\n"
> +            grubefi_conf += "menuentry 'boot' %s {\n" % ("--unrestricted" if bootloader.password else "")
>
>              kernel = get_bitbake_var("KERNEL_IMAGETYPE")
>              if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":
> --
> 2.37.2
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173346): https://lists.openembedded.org/g/openembedded-core/message/173346
> Mute This Topic: https://lists.openembedded.org/mt/95043934/1686489
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Sergey Zhmylev Nov. 15, 2022, 3:51 p.m. UTC | #2
No, the password is provided through wks file. 
ksparser.py is a wic subsystem which parses those kickstart files.
Richard Purdie Dec. 17, 2022, 11:24 a.m. UTC | #3
On Tue, 2022-11-15 at 17:40 +0300, Sergey Zhmylev wrote:
> From: Sergei Zhmylev <s.zhmylev@yadro.com>
> 
> Currently the only way to specify a password for bootloader
> is to supply a complete user-defined bootloader config file
> to the build process.  This patch introduces a --password
> paramenter in order to simplify bootloaders hardening.
> 
> Signed-off-by: Sergei Zhmylev <s.zhmylev@yadro.com>
> ---
>  scripts/lib/wic/ksparser.py                         |  1 +
>  scripts/lib/wic/plugins/source/bootimg-efi.py       |  6 +++++-
>  scripts/lib/wic/plugins/source/bootimg-pcbios.py    |  7 ++++++-
>  .../lib/wic/plugins/source/isoimage-isohybrid.py    | 13 +++++++++++--
>  4 files changed, 23 insertions(+), 4 deletions(-)

Sorry about the delay in reply on this one. Wic is one of the
components we have some nice tests for. Would you be able to add a test
for this new functionality to the testsuite please? You can run it with
"oe-selftest -r wic".

Also, do we need some documentation about this in the manuals?

Cheers,

Richard

Patch

diff --git a/scripts/lib/wic/ksparser.py b/scripts/lib/wic/ksparser.py
index d1e546b12d..89bc897a5a 100644
--- a/scripts/lib/wic/ksparser.py
+++ b/scripts/lib/wic/ksparser.py
@@ -195,6 +195,7 @@  class KickStart():
                                 default='msdos')
         bootloader.add_argument('--timeout', type=int)
         bootloader.add_argument('--source')
+        bootloader.add_argument('--password')
 
         include = subparsers.add_parser('include')
         include.add_argument('path', type=cannedpathtype)
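Review bot: The new `--password` argument is accepted verbatim, and every consumer in this series writes it unquoted into a generated bootloader config (`password root %s`, `MENU MASTER PASSWD ...`), so a value containing whitespace, quotes or a newline silently breaks or alters the emitted config. Unlike `--timeout` there is no `type=` or validation, so I would reject values containing whitespace or newlines here, once, rather than in each plugin, and add a `help=` string saying the value is copied into grub.cfg/syslinux.cfg as-is so .wks authors know what they are committing to. The enclosing argument-parser setup starts outside the hunk.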
diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index 4b00913a70..3d84252796 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -86,7 +86,11 @@  class BootimgEFIPlugin(SourcePlugin):
             grubefi_conf += "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1\n"
             grubefi_conf += "default=boot\n"
             grubefi_conf += "timeout=%s\n" % bootloader.timeout
-            grubefi_conf += "menuentry '%s'{\n" % (title if title else "boot")
+            if bootloader.password:
+                grubefi_conf += "set superusers=\"root\"\n"
+                grubefi_conf += "export superusers\n"
+                grubefi_conf += "password root %s\n" % (bootloader.password)
+            grubefi_conf += "menuentry '%s' %s {\n" % (title if title else "boot", "--unrestricted" if bootloader.password else "")
 
             kernel = get_bitbake_var("KERNEL_IMAGETYPE")
             if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":
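Review bot: `password root %s` on the fourth added line stores the .wks password in cleartext in grub.cfg, and that file lands on the EFI system partition of every image built from the .wks, so anyone who can read the boot media or the deploy directory recovers it; GRUB's `password_pbkdf2 root <hash>` accepts a PBKDF2 hash instead, so taking (or deriving at build time) a hashed value would keep the secret out of the artifact. The identical lines in the isoimage-isohybrid.py grub hunk have the same issue. Separately, when no password is set the format on the last added line yields `menuentry 'boot'  {` with a stray double space, which GRUB tolerates but which reads as an accident; `grubefi_conf += "menuentry '%s'%s{\n" % (title if title else "boot", " --unrestricted " if bootloader.password else "")` keeps the original output byte-for-byte in the unset case. The enclosing method continues outside the hunk.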
diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
index 32e47f1831..cbf4622cf9 100644
--- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py
+++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
@@ -113,8 +113,13 @@  class BootimgPcbiosPlugin(SourcePlugin):
             syslinux_conf = ""
             syslinux_conf += "PROMPT 0\n"
             syslinux_conf += "TIMEOUT " + str(bootloader.timeout) + "\n"
+            if bootloader.password:
+                syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n"
+                syslinux_conf += "ALLOWOPTIONS 0\n"
+                syslinux_conf += "NOESCAPE 1\n"
+            else:
+                syslinux_conf += "ALLOWOPTIONS 1\n"
             syslinux_conf += "\n"
-            syslinux_conf += "ALLOWOPTIONS 1\n"
             syslinux_conf += "SERIAL 0 115200\n"
             syslinux_conf += "\n"
             if splashline:
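Review bot: `MENU MASTER PASSWD` is interpreted only by the syslinux menu modules (menu.c32/vesamenu.c32); if the emitted config boots through the core prompt without a `UI`/menu module, which this hunk does not show either way, the directive is ignored and only `ALLOWOPTIONS 0`/`NOESCAPE 1` take effect, so a comment stating that assumption, e.g. `# MENU MASTER PASSWD needs the menu module; ALLOWOPTIONS/NOESCAPE apply regardless`, would help the next reader. As with the grub hunks, the password is embedded in cleartext in syslinux.cfg on the boot partition; the syslinux menu module also accepts a hashed value for `MENU MASTER PASSWD`, which would keep the secret out of the image. `str(bootloader.password)` is redundant, since argparse already yields a string. The isoimage-isohybrid.py syslinux hunk shares all three points.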
diff --git a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
index 607356ad13..1d5099f954 100644
--- a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
+++ b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
@@ -63,8 +63,13 @@  class IsoImagePlugin(SourcePlugin):
         syslinux_conf = ""
         syslinux_conf += "PROMPT 0\n"
         syslinux_conf += "TIMEOUT %s \n" % (bootloader.timeout or 10)
+        if bootloader.password:
+            syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n"
+            syslinux_conf += "ALLOWOPTIONS 0\n"
+            syslinux_conf += "NOESCAPE 1\n"
+        else:
+            syslinux_conf += "ALLOWOPTIONS 1\n"
         syslinux_conf += "\n"
-        syslinux_conf += "ALLOWOPTIONS 1\n"
         syslinux_conf += "SERIAL 0 115200\n"
         syslinux_conf += "\n"
         if splashline:
@@ -116,10 +121,14 @@  class IsoImagePlugin(SourcePlugin):
             grubefi_conf += "--parity=no --stop=1\n"
             grubefi_conf += "default=boot\n"
             grubefi_conf += "timeout=%s\n" % (bootloader.timeout or 10)
+            if bootloader.password:
+                grubefi_conf += "set superusers=\"root\"\n"
+                grubefi_conf += "export superusers\n"
+                grubefi_conf += "password root %s\n" % (bootloader.password)
             grubefi_conf += "\n"
             grubefi_conf += "search --set=root --label %s " % part.label
             grubefi_conf += "\n"
-            grubefi_conf += "menuentry 'boot'{\n"
+            grubefi_conf += "menuentry 'boot' %s {\n" % ("--unrestricted" if bootloader.password else "")
 
             kernel = get_bitbake_var("KERNEL_IMAGETYPE")
             if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":