gulp>> meta-mender-kernel>> 返回
项目作者: coreycothrum

项目描述 :
mender with separate A/B kernel partitions
高级语言: NASL
项目地址: git://github.com/coreycothrum/meta-mender-kernel.git
创建时间: 2020-06-10T16:08:24Z
项目社区:https://github.com/coreycothrum/meta-mender-kernel
开源协议:MIT License
下载


meta-mender-kernel

Separate A/B kernel partitions for meta-mender.

Probably not very useful by itself, but is a prerequisite for things like encrypting the rootfs.

Overview

  • Two additional A/B kernel partitions are created after the /data partition via the mender-core variable MENDER_EXTRA_PARTS.
  • On boot, GRUB selects the corresponding kernel partition based on mender_boot_part. The kernel and/or initramfs are loaded from this partition.
  • An ArtifactInstall state-script updates the kernel partition.
  • Optional UEFI Secure Boot.

UEFI Secure Boot Integration

Requires meta-secure-core. See this kas file for more setup details.

There were a few gotchas integrating secure boot

SELoader is not setup to verify anything outside the /efi partition. To workaround this:

  1. use SELoader to verify everything on /efi (config, env, EFI binaries, etc). This is noop and standard meta-efi-secure-boot operation.
  2. use shim to verify the INITRAMFS_IMAGE_BUNDLE
    1. enforce INITRAMFS_IMAGE_BUNDLE
    2. sign INITRAMFS_IMAGE_BUNDLE with sb_sign to use MOK key(s)
    3. use chainloader instead of linux grub command to launch INITRAMFS_IMAGE_BUNDLE

Installation

  • Add this layer to bblayers.conf
  • local.conf should include: require conf/include/mender-kernel.inc and any configuration variables
  • Image recipe should include: require conf/include/mender-kernel-image.inc

Configuration

Variables

Variable Default Description
MENDER/KERNEL_PART_SIZE_MB 256 size (MB) of each kernel partition

Release Schedule and Roadmap

This layer will remain compatible with the latest YOCTO LTS. This mirrors what meta-mender does.