Initial commit

This commit is contained in:
Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,5 @@
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
@@ -0,0 +1,9 @@
# openbmc fstab
/dev/root / auto defaults 1 1
proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid,strictatime 0 0
tmpfs /var/volatile tmpfs defaults 0 0
tmpfs /media tmpfs defaults 0 0
/var/persist/home /home none bind 0 0
@@ -0,0 +1,9 @@
# openbmc fstab
/dev/root / auto defaults 1 1
proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid,strictatime 0 0
tmpfs /var/volatile tmpfs defaults 0 0
tmpfs /media tmpfs defaults 0 0
/var/persist/home /home none bind 0 0
@@ -0,0 +1,18 @@
FILESEXTRAPATHS:prepend:df-obmc-ubi-fs := "${THISDIR}/${PN}/df-ubi:"
FILESEXTRAPATHS:prepend:df-phosphor-mmc := "${THISDIR}/${PN}/df-mmc:"
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " \
file://50-rp_filter.conf \
"
do_install:append() {
sed -i 's/\(\(passwd\|group\):\s*\).*/\1files systemd/' \
"${D}${sysconfdir}/nsswitch.conf"
install -d ${D}/srv
install -d ${D}/${libdir}/sysctl.d
install -D -m 644 ${WORKDIR}/50-rp_filter.conf ${D}/${libdir}/sysctl.d/50-rp_filter.conf
}
RDEPENDS:${PN}:append:df-obmc-ubi-fs = " preinit-mounts"
RDEPENDS:${PN}:append:df-obmc-static-norootfs = " phosphor-static-norootfs-init"
@@ -0,0 +1,8 @@
CONFIG_DEVMEM=y
CONFIG_EXPAND=y
CONFIG_FEATURE_LESS_REGEXP=y
CONFIG_FEATURE_LESS_TRUNCATE=y
CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y
CONFIG_TRUNCATE=y
CONFIG_WATCHDOG=y
CONFIG_WGET=n
@@ -0,0 +1,4 @@
CONFIG_FLASHCP=y
CONFIG_FLASH_LOCK=y
CONFIG_FLASH_UNLOCK=y
CONFIG_FLASH_ERASEALL=y
@@ -0,0 +1,10 @@
## In orer to make systemd-pager work well there are a number of busybox less
## features we need to enable.
CONFIG_FEATURE_LESS_DASHCMD=y
CONFIG_FEATURE_LESS_RAW=y
CONFIG_FEATURE_LESS_ENV=y
## These are nice features for users.
CONFIG_FEATURE_LESS_WINCH=y
CONFIG_FEATURE_LESS_ASK_TERMINAL=y
CONFIG_FEATURE_LESS_REGEXP=y
@@ -0,0 +1 @@
CONFIG_MOUNTPOINT=y
@@ -0,0 +1 @@
CONFIG_REBOOT=y
@@ -0,0 +1,10 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " \
file://busybox.cfg \
file://flash.cfg \
file://less.cfg \
file://mountpoint.cfg \
${@bb.utils.contains('DISTRO_FEATURES', 'obmc-ubi-fs', \
'', 'file://reboot.cfg', d)} \
"
@@ -0,0 +1,12 @@
[Unit]
Description=Migrate dropbear keys from /var/lib to /etc
Before=dropbearkey.service
ConditionPathExists=/var/lib/dropbear/dropbear_rsa_host_key
[Service]
RemainAfterExit=yes
Type=oneshot
ExecStart=/usr/libexec/dropbear/migrate-key-location
[Install]
WantedBy=dropbearkey.service
@@ -0,0 +1 @@
DROPBEAR_EXTRA_ARGS="-G priv-admin"
@@ -0,0 +1,18 @@
[Unit]
Description=SSH Key Generation
[Service]
# Set the default RSA key path then load environment variables from the
# environment file, which might override the default RSA key path.
Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
EnvironmentFile=-/etc/default/dropbear
Type=oneshot
ExecStart=@BASE_BINDIR@/sh -c \
"if [[ ! -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key ]]; then \
@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}; \
@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key; \
fi"
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,6 @@
// Disable CBC ciphers for modern security.
#define DROPBEAR_ENABLE_CBC_MODE 0
#define DROPBEAR_SHA1_96_HMAC 0
#define DROPBEAR_SHA2_256_HMAC 1
#define DROPBEAR_SHA2_512_HMAC 1
@@ -0,0 +1,11 @@
#!/bin/sh
if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
if [ -e /var/lib/dropbear/dropbear_rsa_host_key ]; then
echo "Migrating Dropbear key from /var/lib to /etc."
mkdir -p /etc/dropbear
mv /var/lib/dropbear/dropbear_rsa_host_key /etc/dropbear
else
echo "No Dropbear key found in /var/lib."
fi
fi
@@ -0,0 +1,33 @@
diff --git a/options.h b/options.h
index 0c51bb1..3df2d67 100644
--- a/options.h
+++ b/options.h
@@ -95,12 +95,12 @@ much traffic. */
#define DROPBEAR_AES256
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
/*#define DROPBEAR_BLOWFISH*/
-#define DROPBEAR_TWOFISH256
-#define DROPBEAR_TWOFISH128
+/*#define DROPBEAR_TWOFISH256*/
+/*#define DROPBEAR_TWOFISH128*/
/* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */
-#define DROPBEAR_ENABLE_CBC_MODE
+/*#define DROPBEAR_ENABLE_CBC_MODE*/
/* Enable "Counter Mode" for ciphers. This is more secure than normal
* CBC mode against certain attacks. It is recommended for security
@@ -131,10 +131,10 @@ If you test it please contact the Dropbear author */
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
#define DROPBEAR_SHA1_HMAC
-#define DROPBEAR_SHA1_96_HMAC
+/*#define DROPBEAR_SHA1_96_HMAC*/
#define DROPBEAR_SHA2_256_HMAC
#define DROPBEAR_SHA2_512_HMAC
-#define DROPBEAR_MD5_HMAC
+/*#define DROPBEAR_MD5_HMAC*/
/* You can also disable integrity. Don't bother disabling this if you're
* still using a cipher, it's relatively cheap. If you disable this it's dead
@@ -0,0 +1,26 @@
# 0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
# has been upstreamed. This patch can be removed once we upgrade
# to yocto 2.5 or later which will pull in the latest dropbear code.
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://dropbearkey.service \
file://localoptions.h \
file://dropbear.default \
file://dropbear-migrate-key-location.service \
file://migrate-key-location \
"
# pull in OpenSSH's /usr/libexec/sftp-server so we don't have to rely
# on the crufty old scp protocol for file transfer
RDEPENDS:${PN} += "openssh-sftp-server"
# Add service to migrate the dropbear keys from /var/lib to /etc.
do_install:append() {
install -d ${D}${base_libdir}/systemd/system
install -m 0644 ${WORKDIR}/dropbear-migrate-key-location.service \
${D}${base_libdir}/systemd/system
install -d ${D}${libexecdir}/${BPN}
install -m 0755 ${WORKDIR}/migrate-key-location ${D}${libexecdir}/${BPN}
}
SYSTEMD_SERVICE:${PN}:append = " dropbear-migrate-key-location.service"
@@ -0,0 +1,4 @@
## We do not currently use any gio-modules, set clear this variable to prevent
## the postinstall hook from being done. The postinstall hook prevents
## the read-only-rootfs IMAGE_FEATURE.
GIO_MODULE_PACKAGES = ""
@@ -0,0 +1,2 @@
# OpenBMC doesn't use python anymore, so no need for libxml python bindings
PACKAGECONFIG:openbmc-phosphor:class-target = ""
@@ -0,0 +1,33 @@
# WARNING!
#
# These modifications to os-release disable the bitbake parse
# cache (for the os-release recipe only). Before copying
# and pasting into another recipe ensure it is understood
# what that means!
OS_RELEASE_ROOTPATH ?= "${COREBASE}"
def run_git(d, cmd):
try:
oeroot = d.getVar('OS_RELEASE_ROOTPATH', True)
return bb.process.run(("export PSEUDO_DISABLED=1; " +
"git --work-tree %s --git-dir %s/.git %s")
% (oeroot, oeroot, cmd))[0].strip('\n')
except Exception as e:
bb.warn("Unexpected exception from 'git' call: %s" % e)
pass
# DISTRO_VERSION can be overridden by a bbappend or config, so it must be a
# weak override. But, when a variable is weakly overridden the definition
# and not the contents are used in the task-hash (for sstate reuse). We need
# a strong variable in the vardeps chain for do_compile so that we get the
# contents of the 'git describe --dirty' call. Create a strong/immediate
# indirection via PHOSPHOR_OS_RELEASE_DISTRO_VERSION.
PHOSPHOR_OS_RELEASE_DISTRO_VERSION := "${@run_git(d, 'describe --dirty')}"
DISTRO_VERSION ??= "${PHOSPHOR_OS_RELEASE_DISTRO_VERSION}"
EXTENDED_VERSION ??= "${PHOSPHOR_OS_RELEASE_DISTRO_VERSION}"
VERSION = "${@'-'.join(d.getVar('VERSION_ID').split('-')[0:2])}"
OPENBMC_TARGET_MACHINE = "${MACHINE}"
OS_RELEASE_FIELDS:append = " BUILD_ID OPENBMC_TARGET_MACHINE EXTENDED_VERSION"
# Ensure the git commands run every time bitbake is invoked.
BB_DONT_CACHE = "1"
# Make os-release available to other recipes.
SYSROOT_DIRS:append = " ${sysconfdir}"
@@ -0,0 +1,5 @@
RDEPENDS:${PN}:append = " \
nativesdk-autoconf-archive \
nativesdk-meson \
nativesdk-python3-sdbus++ \
"
@@ -0,0 +1,12 @@
RRECOMMENDS:${PN}:append = " \
cli11-dev \
function2-dev \
googletest \
libcereal-dev \
libstdc++-staticdev \
nlohmann-json-dev \
phosphor-dbus-interfaces-yaml \
phosphor-logging \
sdbusplus \
"
RRECOMMENDS:${PN}:append:df-etcd = " etc-cpp-apiv3 protobuf"
@@ -0,0 +1,7 @@
RDEPENDS:${PN}:remove = " \
lttng-tools \
lttng-ust \
lttng-modules \
powertop \
latencytop \
"
@@ -0,0 +1,17 @@
SUMMARY = "Phosphor systemd configuration overrides"
DESCRIPTION = "Overrides for systemd and its applications"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
DEPENDS += "systemd"
PR = "r1"
SRC_URI += "file://service-restart-policy.conf"
SRC_URI += "file://journald-maxlevel-policy.conf"
do_install() {
install -m 644 -D ${WORKDIR}/service-restart-policy.conf ${D}${systemd_unitdir}/system.conf.d/service-restart-policy.conf
install -m 644 -D ${WORKDIR}/journald-maxlevel-policy.conf ${D}${systemd_unitdir}/journald.conf.d/journald-maxlevel-policy.conf
}
FILES:${PN} += "${systemd_unitdir}/system.conf.d/service-restart-policy.conf"
FILES:${PN} += "${systemd_unitdir}/journald.conf.d/journald-maxlevel-policy.conf"
@@ -0,0 +1,6 @@
# Don't store "debug" messages, only "info" and below.
# Reference: journald.conf(5)
[Journal]
MaxLevelStore=info
MaxLevelSyslog=info
@@ -0,0 +1,31 @@
# This file overrides some defaults for systemd
#
# - Change the RestartSec from 100ms to 1s.
# When a service hits a failure, our new debug collection service kicks
# in. When a core file is involved, it's been found that generating 5 core
# files within ~500ms puts a huge strain on the BMC. Also, if the bmc is
# going to get a fix on a restart of a service, the more time the better
# (think retries on device driver scenarios).
#
# - Change the StartLimitBurst to 2
# Five just seems excessive for our services in openbmc. In all fail
# scenarios seen so far (other then with phosphor-hwmon), either
# restarting once does the job or restarting all 5 times does not help
# and we just end up hitting the 5 limit anyway.
#
# - Change the StartLimitIntervalSec to 30s
# The BMC CPU performance is already challenged. When a service is
# failing and a core dump is being generated and collected into a dump,
# it's even more challenged. Recent failures have shown situations where
# the service does not fail again until 15-20 seconds after the initial
# failure which means the default of 10s for this results in the service
# being restarted indefinitely. Change this to 30s to only allow a service
# to be restarted StartLimitBurst times within a 30s interval before
# being put in a permanent fail state.
#
# See systemd-system.conf(5) for details on the conf files
[Manager]
DefaultRestartSec=1s
DefaultStartLimitBurst=2
DefaultStartLimitIntervalSec=30s
@@ -0,0 +1,5 @@
[Manager]
RuntimeWatchdogSec=120s
RuntimeWatchdogPreSec=90s
RuntimeWatchdogPreGovernor=panic
WatchdogDevice=/dev/watchdog
@@ -0,0 +1,54 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
PACKAGECONFIG = "\
cgroupv2 \
coredump \
hostnamed \
networkd \
nss \
pam \
pstore \
randomseed \
resolved \
seccomp \
sysusers \
timedated \
timesyncd \
zstd \
"
EXTRA_OEMESON:append = " -Ddns-servers=''"
PACKAGES =+ "${PN}-catalog-extralocales"
RRECOMMENDS:${PN}:append:openbmc-phosphor = " phosphor-systemd-policy"
FILES:${PN}-catalog-extralocales = "\
${exec_prefix}/lib/systemd/catalog/*.*.catalog \
"
SRC_URI:append = " \
file://40-hardware-watchdog.conf \
"
FILES:${PN}:append = " \
${systemd_unitdir}/system.conf.d/40-hardware-watchdog.conf \
"
do_install:append() {
install -d -m 0755 ${D}${systemd_unitdir}/system.conf.d/
install -m 0644 ${WORKDIR}/40-hardware-watchdog.conf ${D}${systemd_unitdir}/system.conf.d/
}
# udev is added to the USERADD_PACKAGES due to some 'render' group
# being necessary to create for /dev/dri handling, which we don't
# have to worry about. A side-effect of this is udev would RDEPEND on
# 'shadow' which prevents us from putting it into the initramfs. We
# have plenty of other stuff that RDEPENDS on 'shadow' so, remove udev
# from USERADD_PACKAGES to get around that.
USERADD_PACKAGES:remove = "udev"
ALTERNATIVE_LINK_NAME[init] = "${base_sbindir}/init"
ALTERNATIVE_PRIORITY[init] ?= "300"
ALTERNATIVE:${PN} += "init"
ALTERNATIVE_TARGET[init] = "${rootlibexecdir}/systemd/systemd"