Initial commit

2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,5 @@
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.all.rp_filter = 2
+
@@ -0,0 +1,9 @@
+# openbmc fstab
+
+/dev/root            /                    auto       defaults              1  1
+proc                 /proc                proc       defaults              0  0
+devpts               /dev/pts             devpts     mode=0620,gid=5       0  0
+tmpfs                /run                 tmpfs      mode=0755,nodev,nosuid,strictatime 0  0
+tmpfs                /var/volatile        tmpfs      defaults              0  0
+tmpfs                /media               tmpfs      defaults              0  0
+/var/persist/home    /home                none       bind                  0  0
@@ -0,0 +1,9 @@
+# openbmc fstab
+
+/dev/root            /                    auto       defaults              1  1
+proc                 /proc                proc       defaults              0  0
+devpts               /dev/pts             devpts     mode=0620,gid=5       0  0
+tmpfs                /run                 tmpfs      mode=0755,nodev,nosuid,strictatime 0  0
+tmpfs                /var/volatile        tmpfs      defaults              0  0
+tmpfs                /media               tmpfs      defaults              0  0
+/var/persist/home    /home                none       bind                  0  0
@@ -0,0 +1,18 @@
+FILESEXTRAPATHS:prepend:df-obmc-ubi-fs := "${THISDIR}/${PN}/df-ubi:"
+FILESEXTRAPATHS:prepend:df-phosphor-mmc := "${THISDIR}/${PN}/df-mmc:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+    file://50-rp_filter.conf \
+"
+
+do_install:append() {
+    sed -i 's/\(\(passwd\|group\):\s*\).*/\1files systemd/' \
+        "${D}${sysconfdir}/nsswitch.conf"
+    install -d ${D}/srv
+    install -d ${D}/${libdir}/sysctl.d
+    install -D -m 644 ${WORKDIR}/50-rp_filter.conf ${D}/${libdir}/sysctl.d/50-rp_filter.conf
+}
+
+RDEPENDS:${PN}:append:df-obmc-ubi-fs = " preinit-mounts"
+RDEPENDS:${PN}:append:df-obmc-static-norootfs = " phosphor-static-norootfs-init"
@@ -0,0 +1,8 @@
+CONFIG_DEVMEM=y
+CONFIG_EXPAND=y
+CONFIG_FEATURE_LESS_REGEXP=y
+CONFIG_FEATURE_LESS_TRUNCATE=y
+CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y
+CONFIG_TRUNCATE=y
+CONFIG_WATCHDOG=y
+CONFIG_WGET=n
@@ -0,0 +1,4 @@
+CONFIG_FLASHCP=y
+CONFIG_FLASH_LOCK=y
+CONFIG_FLASH_UNLOCK=y
+CONFIG_FLASH_ERASEALL=y
@@ -0,0 +1,10 @@
+## In orer to make systemd-pager work well there are a number of busybox less
+## features we need to enable.
+CONFIG_FEATURE_LESS_DASHCMD=y
+CONFIG_FEATURE_LESS_RAW=y
+CONFIG_FEATURE_LESS_ENV=y
+
+## These are nice features for users.
+CONFIG_FEATURE_LESS_WINCH=y
+CONFIG_FEATURE_LESS_ASK_TERMINAL=y
+CONFIG_FEATURE_LESS_REGEXP=y
@@ -0,0 +1 @@
+CONFIG_MOUNTPOINT=y
@@ -0,0 +1 @@
+CONFIG_REBOOT=y
@@ -0,0 +1,10 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+    file://busybox.cfg \
+    file://flash.cfg \
+    file://less.cfg \
+    file://mountpoint.cfg \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'obmc-ubi-fs', \
+                         '', 'file://reboot.cfg', d)} \
+"
@@ -0,0 +1,12 @@
+[Unit]
+Description=Migrate dropbear keys from /var/lib to /etc
+Before=dropbearkey.service
+ConditionPathExists=/var/lib/dropbear/dropbear_rsa_host_key
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+ExecStart=/usr/libexec/dropbear/migrate-key-location
+
+[Install]
+WantedBy=dropbearkey.service
@@ -0,0 +1 @@
+DROPBEAR_EXTRA_ARGS="-G priv-admin"
@@ -0,0 +1,18 @@
+[Unit]
+Description=SSH Key Generation
+
+[Service]
+# Set the default RSA key path then load environment variables from the
+# environment file, which might override the default RSA key path.
+Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
+EnvironmentFile=-/etc/default/dropbear
+Type=oneshot
+ExecStart=@BASE_BINDIR@/sh -c \
+    "if [[ ! -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key ]]; then \
+        @BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}; \
+        @SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key; \
+     fi"
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,6 @@
+// Disable CBC ciphers for modern security.
+#define DROPBEAR_ENABLE_CBC_MODE 0
+
+#define DROPBEAR_SHA1_96_HMAC 0
+#define DROPBEAR_SHA2_256_HMAC 1
+#define DROPBEAR_SHA2_512_HMAC 1
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
+    if [ -e /var/lib/dropbear/dropbear_rsa_host_key ]; then
+        echo "Migrating Dropbear key from /var/lib to /etc."
+        mkdir -p /etc/dropbear
+        mv /var/lib/dropbear/dropbear_rsa_host_key /etc/dropbear
+    else
+        echo "No Dropbear key found in /var/lib."
+    fi
+fi
@@ -0,0 +1,33 @@
+diff --git a/options.h b/options.h
+index 0c51bb1..3df2d67 100644
+--- a/options.h
+++ b/options.h
+@@ -95,12 +95,12 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
+/*#define DROPBEAR_TWOFISH256*/
+/*#define DROPBEAR_TWOFISH128*/
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE
+/*#define DROPBEAR_ENABLE_CBC_MODE*/
+ 
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+  * CBC mode against certain attacks. It is recommended for security
+@@ -131,10 +131,10 @@ If you test it please contact the Dropbear author */
+  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
+  * which are not the standard form. */
+ #define DROPBEAR_SHA1_HMAC
+-#define DROPBEAR_SHA1_96_HMAC
+/*#define DROPBEAR_SHA1_96_HMAC*/
+ #define DROPBEAR_SHA2_256_HMAC
+ #define DROPBEAR_SHA2_512_HMAC
+-#define DROPBEAR_MD5_HMAC
+/*#define DROPBEAR_MD5_HMAC*/
+ 
+ /* You can also disable integrity. Don't bother disabling this if you're
+  * still using a cipher, it's relatively cheap. If you disable this it's dead
@@ -0,0 +1,26 @@
+# 0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
+# has been upstreamed.  This patch can be removed once we upgrade
+# to yocto 2.5 or later which will pull in the latest dropbear code.
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://dropbearkey.service \
+            file://localoptions.h \
+            file://dropbear.default \
+            file://dropbear-migrate-key-location.service \
+            file://migrate-key-location \
+           "
+
+# pull in OpenSSH's /usr/libexec/sftp-server so we don't have to rely
+# on the crufty old scp protocol for file transfer
+RDEPENDS:${PN} += "openssh-sftp-server"
+
+# Add service to migrate the dropbear keys from /var/lib to /etc.
+do_install:append() {
+    install -d ${D}${base_libdir}/systemd/system
+    install -m 0644 ${WORKDIR}/dropbear-migrate-key-location.service \
+        ${D}${base_libdir}/systemd/system
+
+    install -d ${D}${libexecdir}/${BPN}
+    install -m 0755 ${WORKDIR}/migrate-key-location ${D}${libexecdir}/${BPN}
+}
+SYSTEMD_SERVICE:${PN}:append = " dropbear-migrate-key-location.service"
@@ -0,0 +1,4 @@
+## We do not currently use any gio-modules, set clear this variable to prevent
+## the postinstall hook from being done.  The postinstall hook prevents
+## the read-only-rootfs IMAGE_FEATURE.
+GIO_MODULE_PACKAGES = ""
@@ -0,0 +1,2 @@
+# OpenBMC doesn't use python anymore, so no need for libxml python bindings
+PACKAGECONFIG:openbmc-phosphor:class-target = ""
@@ -0,0 +1,33 @@
+# WARNING!
+#
+# These modifications to os-release disable the bitbake parse
+# cache (for the os-release recipe only).  Before copying
+# and pasting into another recipe ensure it is understood
+# what that means!
+
+OS_RELEASE_ROOTPATH ?= "${COREBASE}"
+def run_git(d, cmd):
+    try:
+        oeroot = d.getVar('OS_RELEASE_ROOTPATH', True)
+        return bb.process.run(("export PSEUDO_DISABLED=1; " +
+                               "git --work-tree %s --git-dir %s/.git %s")
+            % (oeroot, oeroot, cmd))[0].strip('\n')
+    except Exception as e:
+        bb.warn("Unexpected exception from 'git' call: %s" % e)
+        pass
+# DISTRO_VERSION can be overridden by a bbappend or config, so it must be a
+# weak override.  But, when a variable is weakly overridden the definition
+# and not the contents are used in the task-hash (for sstate reuse).  We need
+# a strong variable in the vardeps chain for do_compile so that we get the
+# contents of the 'git describe --dirty' call.  Create a strong/immediate
+# indirection via PHOSPHOR_OS_RELEASE_DISTRO_VERSION.
+PHOSPHOR_OS_RELEASE_DISTRO_VERSION := "${@run_git(d, 'describe --dirty')}"
+DISTRO_VERSION ??= "${PHOSPHOR_OS_RELEASE_DISTRO_VERSION}"
+EXTENDED_VERSION ??= "${PHOSPHOR_OS_RELEASE_DISTRO_VERSION}"
+VERSION = "${@'-'.join(d.getVar('VERSION_ID').split('-')[0:2])}"
+OPENBMC_TARGET_MACHINE = "${MACHINE}"
+OS_RELEASE_FIELDS:append = " BUILD_ID OPENBMC_TARGET_MACHINE EXTENDED_VERSION"
+# Ensure the git commands run every time bitbake is invoked.
+BB_DONT_CACHE = "1"
+# Make os-release available to other recipes.
+SYSROOT_DIRS:append = " ${sysconfdir}"
@@ -0,0 +1,5 @@
+RDEPENDS:${PN}:append = " \
+        nativesdk-autoconf-archive \
+        nativesdk-meson \
+        nativesdk-python3-sdbus++ \
+        "
@@ -0,0 +1,12 @@
+RRECOMMENDS:${PN}:append = " \
+    cli11-dev \
+    function2-dev \
+    googletest \
+    libcereal-dev \
+    libstdc++-staticdev \
+    nlohmann-json-dev \
+    phosphor-dbus-interfaces-yaml \
+    phosphor-logging \
+    sdbusplus \
+    "
+RRECOMMENDS:${PN}:append:df-etcd = " etc-cpp-apiv3 protobuf"
@@ -0,0 +1,7 @@
+RDEPENDS:${PN}:remove = " \
+              lttng-tools \
+              lttng-ust \
+              lttng-modules \
+              powertop \
+              latencytop \
+              "
@@ -0,0 +1,17 @@
+SUMMARY = "Phosphor systemd configuration overrides"
+DESCRIPTION = "Overrides for systemd and its applications"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+DEPENDS += "systemd"
+PR = "r1"
+
+SRC_URI += "file://service-restart-policy.conf"
+SRC_URI += "file://journald-maxlevel-policy.conf"
+
+do_install() {
+        install -m 644 -D ${WORKDIR}/service-restart-policy.conf ${D}${systemd_unitdir}/system.conf.d/service-restart-policy.conf
+        install -m 644 -D ${WORKDIR}/journald-maxlevel-policy.conf ${D}${systemd_unitdir}/journald.conf.d/journald-maxlevel-policy.conf
+}
+
+FILES:${PN} += "${systemd_unitdir}/system.conf.d/service-restart-policy.conf"
+FILES:${PN} += "${systemd_unitdir}/journald.conf.d/journald-maxlevel-policy.conf"
@@ -0,0 +1,6 @@
+# Don't store "debug" messages, only "info" and below.
+# Reference: journald.conf(5)
+
+[Journal]
+MaxLevelStore=info
+MaxLevelSyslog=info
@@ -0,0 +1,31 @@
+# This file overrides some defaults for systemd
+#
+# - Change the RestartSec from 100ms to 1s.
+# When a service hits a failure, our new debug collection service kicks
+# in.  When a core file is involved, it's been found that generating 5 core
+# files within ~500ms puts a huge strain on the BMC.  Also, if the bmc is
+# going to get a fix on a restart of a service, the more time the better
+# (think retries on device driver scenarios).
+#
+# - Change the StartLimitBurst to 2
+# Five just seems excessive for our services in openbmc.  In all fail
+# scenarios seen so far (other then with phosphor-hwmon), either
+# restarting once does the job or restarting all 5 times does not help
+# and we just end up hitting the 5 limit anyway.
+#
+# - Change the StartLimitIntervalSec to 30s
+# The BMC CPU performance is already challenged. When a service is
+# failing and a core dump is being generated and collected into a dump,
+# it's even more challenged. Recent failures have shown situations where
+# the service does not fail again until 15-20 seconds after the initial
+# failure which means the default of 10s for this results in the service
+# being restarted indefinitely. Change this to 30s to only allow a service
+# to be restarted StartLimitBurst times within a 30s interval before
+# being put in a permanent fail state.
+#
+# See systemd-system.conf(5) for details on the conf files
+
+[Manager]
+DefaultRestartSec=1s
+DefaultStartLimitBurst=2
+DefaultStartLimitIntervalSec=30s
@@ -0,0 +1,5 @@
+[Manager]
+RuntimeWatchdogSec=120s
+RuntimeWatchdogPreSec=90s
+RuntimeWatchdogPreGovernor=panic
+WatchdogDevice=/dev/watchdog
@@ -0,0 +1,54 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+PACKAGECONFIG = "\
+        cgroupv2 \
+        coredump \
+        hostnamed \
+        networkd \
+        nss \
+        pam \
+        pstore \
+        randomseed \
+        resolved \
+        seccomp \
+        sysusers \
+        timedated \
+        timesyncd \
+        zstd \
+        "
+
+EXTRA_OEMESON:append = " -Ddns-servers=''"
+
+PACKAGES =+ "${PN}-catalog-extralocales"
+
+RRECOMMENDS:${PN}:append:openbmc-phosphor = " phosphor-systemd-policy"
+
+FILES:${PN}-catalog-extralocales = "\
+    ${exec_prefix}/lib/systemd/catalog/*.*.catalog \
+"
+
+SRC_URI:append = " \
+  file://40-hardware-watchdog.conf \
+  "
+
+FILES:${PN}:append = " \
+  ${systemd_unitdir}/system.conf.d/40-hardware-watchdog.conf \
+  "
+
+do_install:append() {
+    install -d -m 0755 ${D}${systemd_unitdir}/system.conf.d/
+    install -m 0644 ${WORKDIR}/40-hardware-watchdog.conf ${D}${systemd_unitdir}/system.conf.d/
+}
+
+# udev is added to the USERADD_PACKAGES due to some 'render' group
+# being necessary to create for /dev/dri handling, which we don't
+# have to worry about.  A side-effect of this is udev would RDEPEND on
+# 'shadow' which prevents us from putting it into the initramfs.  We
+# have plenty of other stuff that RDEPENDS on 'shadow' so, remove udev
+# from USERADD_PACKAGES to get around that.
+USERADD_PACKAGES:remove = "udev"
+
+ALTERNATIVE_LINK_NAME[init] = "${base_sbindir}/init"
+ALTERNATIVE_PRIORITY[init] ?= "300"
+
+ALTERNATIVE:${PN} += "init"
+ALTERNATIVE_TARGET[init] = "${rootlibexecdir}/systemd/systemd"