diff --git a/.circleci/config.yml b/.circleci/config.yml index 5e733e8..833e7b8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ exec: &exec name: build-tools/nerves-system-br - version: 1.23.2 - elixir: 1.15.2-otp-26 + version: 1.24.1 + elixir: 1.15.6-otp-26 version: 2.1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 051f9ff..9ef5aae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,37 @@ follows: releases, and Linux kernel updates. They're also made to fix bugs and add features to the build infrastructure. +## v1.24.1 + +This is a security/bug fix update. + +* Package updates + * [nerves_system_br v1.24.1](https://github.com/nerves-project/nerves_system_br/releases/tag/v1.24.1) + * [Erlang/OTP 26.1.1](https://erlang.org/download/OTP-26.1.1.README) + * [Buildroot 2023.05.3](https://lore.kernel.org/buildroot/87h6ngup34.fsf@48ers.dk/T/) + +## v1.24.0 + +This is a Buildroot version update that appears to mostly contain bug and +security fixes. It should be a low risk upgrade from v1.23.2. + +* New features + * Support factory reset, preventing firmware reverts. See [Nerves.Runtime.FwupOps](https://hexdocs.pm/nerves_runtime/Nerves.Runtime.FwupOps.html) + +* Updated dependencies + * [nerves_system_br v1.24.0](https://github.com/nerves-project/nerves_system_br/releases/tag/v1.24.0) + * [Buildroot 2023.05.2](https://lore.kernel.org/buildroot/87ledrkrpp.fsf@48ers.dk/T/), [2023.05.1](https://lore.kernel.org/buildroot/87351m8qm4.fsf@48ers.dk/T/), [2023.05](https://lore.kernel.org/buildroot/87r0qn2c77.fsf@48ers.dk/T/) + * [Erlang/OTP 26.1](https://erlang.org/download/OTP-26.1.README) + +## v1.23.2 + +* Fixes + * This fixes a rare aarch64 Erlang JIT bug that affects NervesKey users. See + `nerves_system_br` notes. + +* Updated dependencies + * [nerves_system_br v1.23.3](https://github.com/nerves-project/nerves_system_br/releases/tag/v1.23.3) + ## v1.23.1 This is a bug and security fix update. It should be a low risk upgrade. 
diff --git a/VERSION b/VERSION index 49e0a31..f9e8384 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.23.1 +1.24.1 diff --git a/fwup-revert.conf b/fwup-ops.conf similarity index 68% rename from fwup-revert.conf rename to fwup-ops.conf index 788dc6b..012432c 100644 --- a/fwup-revert.conf +++ b/fwup-ops.conf @@ -1,17 +1,25 @@ -# Revert firmware for the Raspberry Pi 4 +# # Post-installation firmware operations for the Raspberry Pi 4 +# +# Tasks include: +# +# * `factory-reset` - Clear out the writable filesystem and any other writable +# areas so that they can be re-initialized on the next boot. +# * `prevent-revert` - Prevent `revert` from working until the next firmware +# * `revert` - Revert to the previous firmware if it's still available +# * `validate` - Mark this firmware as a good update. +# * `status` - Print out which partition is active (`a` or `b`) # # To use: -# 1. Run `fwup -c -f fwup-revert.conf -o revert.fw` and copy revert.fw to -# the device. This is done automatically as part of the Nerves system -# build process. The file is stored in `/usr/share/fwup/revert.fw`. -# 2. On the device, run `fwup -t revert revert.fw -d $NERVES_FW_DEVPATH`. If -# it succeeds, reboot. If not, then it's possible that there isn't a previous -# firmware or the metadata about what's stored where is corrupt or out of -# sync. +# +# 1. Run `fwup -c -f fwup-ops.conf -o ops.fw` and copy ops.fw to +# the device. This is done automatically as part of the Nerves system +# build process. The file is stored in `/usr/share/fwup/ops.fw`. +# 2. On the device, run `fwup -t -d /dev/rootdisk0 --enable-trim /usr/share/fwup/ops.fw`. +# 3. Reboot after running `revert` or `factory-reset`. # # It is critical that this is kept in sync with the main fwup.conf. -require-fwup-version="0.19.0" +require-fwup-version="1.0.0" # # Firmware metadata 
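Review bot: Step 2 of the new usage comment reads `fwup -t -d /dev/rootdisk0 --enable-trim /usr/share/fwup/ops.fw`, with no task name after `-t`, so the documented command does not say which of the listed tasks runs. Since one of those tasks is the destructive `factory-reset`, I would write it as `fwup -t <task> -d /dev/rootdisk0 --enable-trim /usr/share/fwup/ops.fw` and say that `<task>` is one of the names in the list above. The `prevent-revert` bullet also stops mid-sentence at "until the next firmware"; `until the next firmware update is installed` would complete it, if that is the intended meaning.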
@@ -30,16 +38,8 @@ define(NERVES_FW_PLATFORM, "rpi4") define(NERVES_FW_ARCHITECTURE, "arm") define(NERVES_FW_AUTHOR, "The Nerves Team") -define(NERVES_FW_DEVPATH, "/dev/mmcblk0") -define(NERVES_FW_APPLICATION_PART0_DEVPATH, "/dev/mmcblk0p3") # Linux part number is 1-based -define(NERVES_FW_APPLICATION_PART0_FSTYPE, "f2fs") -define(NERVES_FW_APPLICATION_PART0_TARGET, "/root") - -# Default paths if not specified via the commandline -define(ROOTFS, "${NERVES_SYSTEM}/images/rootfs.squashfs") - -# This configuration file will create an image that has an MBR and the -# following 3 partitions: +# This configuration file will create an image that +# has an MBR and the following layout: # # +----------------------------+ # | MBR | 
@@ -150,6 +150,65 @@ uboot-environment uboot-env { block-count = ${UBOOT_ENV_COUNT} } +## +# factory-reset +## +task factory-reset { + on-init { + info("Erasing all writable data") + # This requires --enable-trim + # Trim may not work on MicroSD card, so don't rely on it + trim(${APP_PART_OFFSET}, ${APP_PART_COUNT}) + raw_memset(${APP_PART_OFFSET}, 256, 0xff) + } +} + +## +# prevent-revert +# +# Pass `--enable-trim` to also clear out the partition that no longer should be used. +## +task prevent-revert.a { + # Check that we're running on B + require-partition-offset(0, ${BOOT_B_PART_OFFSET}) + require-partition-offset(1, ${ROOTFS_B_PART_OFFSET}) + require-uboot-variable(uboot-env, "nerves_fw_active", "b") + + on-init { + info("Preventing reverts to partition A") + # Remove U-Boot variables that fwup uses to allow reverting images + uboot_unsetenv(uboot-env, "a.nerves_fw_platform") + uboot_unsetenv(uboot-env, "a.nerves_fw_architecture") + # Clear out the old image using TRIM. This requires --enable-trim + trim(${ROOTFS_A_PART_OFFSET}, ${ROOTFS_A_PART_COUNT}) + trim(${BOOT_A_PART_OFFSET}, ${BOOT_A_PART_COUNT}) + } +} +task prevent-revert.b { + # Check that we're running on A + require-partition-offset(0, ${BOOT_A_PART_OFFSET}) + require-partition-offset(1, ${ROOTFS_A_PART_OFFSET}) + require-uboot-variable(uboot-env, "nerves_fw_active", "a") + + on-init { + info("Preventing reverts to partition B") + # Remove U-Boot variables that fwup uses to allow reverting images + uboot_unsetenv(uboot-env, "b.nerves_fw_platform") + uboot_unsetenv(uboot-env, "b.nerves_fw_architecture") + # Clear out the image using TRIM. 
This requires --enable-trim + trim(${ROOTFS_B_PART_OFFSET}, ${ROOTFS_B_PART_COUNT}) + trim(${BOOT_B_PART_OFFSET}, ${BOOT_B_PART_COUNT}) + } +} +task prevent-revert.fail { + on-init { + error("Error detecting active partition") + } +} + +## +# revert +## task revert.a { # This task reverts to the A partition, so check that we're running on B require-partition-offset(0, ${BOOT_B_PART_OFFSET}) @@ -211,7 +270,11 @@ task revert.wrongplatform { } } -# Run "fwup /usr/share/fwup/revert.fw -t status -d /dev/mmcblk0 -q -U" to check the status. +## +# status +# +# Run "fwup /usr/share/fwup/ops.fw -t status -d /dev/rootdisk0 -q -U" to check the status. +## task status.aa { require-path-at-offset("/", ${ROOTFS_A_PART_OFFSET}) require-uboot-variable(uboot-env, "nerves_fw_active", "a") @@ -235,3 +298,15 @@ task status.ba { task status.fail { on-init { error("fail") } } + +## +# validate +# +# The fwup configuration for this device always validates, so this doesn't do anything. +## +task validate { + on-init { + info("Validate") + uboot_setenv(uboot-env, "nerves_fw_validated", "1") + } +} diff --git a/mix.exs b/mix.exs index ee84c7f..e6d6524 100644 --- a/mix.exs +++ b/mix.exs @@ -69,7 +69,7 @@ defmodule NervesSystemRpi4.MixProject do defp deps do [ {:nerves, "~> 1.5.4 or ~> 1.6.0 or ~> 1.7.15 or ~> 1.8", runtime: false}, - {:nerves_system_br, "1.23.2", runtime: false}, + {:nerves_system_br, "1.24.1", runtime: false}, {:nerves_toolchain_aarch64_nerves_linux_gnu, "~> 1.8.0", runtime: false}, {:nerves_system_linter, "~> 0.4", only: [:dev, :test], runtime: false}, {:ex_doc, "~> 0.22", only: :docs, runtime: false} @@ -106,7 +106,7 @@ defmodule NervesSystemRpi4.MixProject do "CHANGELOG.md", "cmdline.txt", "config.txt", - "fwup-revert.conf", + "fwup-ops.conf", "fwup.conf", "LICENSE", "linux-6.1.defconfig", diff --git a/mix.lock b/mix.lock index de62041..0d76efc 100644 --- a/mix.lock +++ b/mix.lock 
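Review bot: Both new tasks depend on `trim()` to discard old data, yet the comment inside `factory-reset` itself says TRIM may not work on MicroSD cards. In that case `factory-reset` overwrites only the 256 blocks covered by `raw_memset(${APP_PART_OFFSET}, 256, 0xff)` and leaves the rest of the application partition on the media. Likewise `prevent-revert.a` and `prevent-revert.b` only unset the two U-Boot variables, so the old boot and rootfs images stay in place. I would say so in the task comments, e.g. `# NOTE: not a secure erase - without working TRIM only the first 256 blocks are overwritten` above the `raw_memset` line and `# Without --enable-trim, or on media that ignores TRIM, the old image stays on disk; only the revert metadata is removed` in the `prevent-revert` header. The hunk ends inside `revert.a`, whose body continues outside it.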
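Review bot: The comment above `task validate` says the task "doesn't do anything", but its `on-init` calls `uboot_setenv(uboot-env, "nerves_fw_validated", "1")`, which writes the U-Boot environment. The comment should describe that, for example `# fwup.conf for this device already marks firmware as validated, so this only re-asserts nerves_fw_validated=1.` Whether fwup.conf really always validates cannot be confirmed from this diff. Unlike the `prevent-revert` tasks, `validate` has no `require-*` guard, so a short comment stating that running it unconditionally is intended would help.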
@@ -1,14 +1,14 @@ %{ - "castore": {:hex, :castore, "1.0.3", "7130ba6d24c8424014194676d608cb989f62ef8039efd50ff4b3f33286d06db8", [:mix], [], "hexpm", "680ab01ef5d15b161ed6a95449fac5c6b8f60055677a8e79acf01b27baa4390b"}, - "earmark_parser": {:hex, :earmark_parser, "1.4.33", "3c3fd9673bb5dcc9edc28dd90f50c87ce506d1f71b70e3de69aa8154bc695d44", [:mix], [], "hexpm", "2d526833729b59b9fdb85785078697c72ac5e5066350663e5be6a1182da61b8f"}, + "castore": {:hex, :castore, "1.0.4", "ff4d0fb2e6411c0479b1d965a814ea6d00e51eb2f58697446e9c41a97d940b28", [:mix], [], "hexpm", "9418c1b8144e11656f0be99943db4caf04612e3eaecefb5dae9a2a87565584f8"}, + "earmark_parser": {:hex, :earmark_parser, "1.4.37", "2ad73550e27c8946648b06905a57e4d454e4d7229c2dafa72a0348c99d8be5f7", [:mix], [], "hexpm", "6b19783f2802f039806f375610faa22da130b8edc21209d0bff47918bb48360e"}, "elixir_make": {:hex, :elixir_make, "0.7.7", "7128c60c2476019ed978210c245badf08b03dbec4f24d05790ef791da11aa17c", [:mix], [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}], "hexpm", "5bc19fff950fad52bbe5f211b12db9ec82c6b34a9647da0c2224b8b8464c7e6c"}, - "ex_doc": {:hex, :ex_doc, "0.30.3", "bfca4d340e3b95f2eb26e72e4890da83e2b3a5c5b0e52607333bf5017284b063", [:mix], [{:earmark_parser, "~> 1.4.31", [hex: :earmark_parser, repo: "hexpm", optional: false]}, {:makeup_elixir, "~> 0.14", [hex: :makeup_elixir, repo: "hexpm", optional: false]}, {:makeup_erlang, "~> 0.1", [hex: :makeup_erlang, repo: "hexpm", optional: false]}], "hexpm", "fbc8702046c1d25edf79de376297e608ac78cdc3a29f075484773ad1718918b6"}, + "ex_doc": {:hex, :ex_doc, "0.30.6", "5f8b54854b240a2b55c9734c4b1d0dd7bdd41f71a095d42a70445c03cf05a281", [:mix], [{:earmark_parser, "~> 1.4.31", [hex: :earmark_parser, repo: "hexpm", optional: false]}, {:makeup_elixir, "~> 0.14", [hex: :makeup_elixir, repo: "hexpm", optional: false]}, {:makeup_erlang, "~> 0.1", [hex: :makeup_erlang, repo: "hexpm", optional: false]}], "hexpm", 
"bd48f2ddacf4e482c727f9293d9498e0881597eae6ddc3d9562bd7923375109f"}, "jason": {:hex, :jason, "1.4.1", "af1504e35f629ddcdd6addb3513c3853991f694921b1b9368b0bd32beb9f1b63", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "fbb01ecdfd565b56261302f7e1fcc27c4fb8f32d56eab74db621fc154604a7a1"}, "makeup": {:hex, :makeup, "1.1.0", "6b67c8bc2882a6b6a445859952a602afc1a41c2e08379ca057c0f525366fc3ca", [:mix], [{:nimble_parsec, "~> 1.2.2 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "0a45ed501f4a8897f580eabf99a2e5234ea3e75a4373c8a52824f6e873be57a6"}, "makeup_elixir": {:hex, :makeup_elixir, "0.16.1", "cc9e3ca312f1cfeccc572b37a09980287e243648108384b97ff2b76e505c3555", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}, {:nimble_parsec, "~> 1.2.3 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "e127a341ad1b209bd80f7bd1620a15693a9908ed780c3b763bccf7d200c767c6"}, "makeup_erlang": {:hex, :makeup_erlang, "0.1.2", "ad87296a092a46e03b7e9b0be7631ddcf64c790fa68a9ef5323b6cbb36affc72", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "f3f5a1ca93ce6e092d92b6d9c049bcda58a3b617a8d888f8e7231c85630e8108"}, - "nerves": {:hex, :nerves, "1.10.3", "31e29aaee9d9a4e7aa396a926d646c251cacf7c9e5f96b312dc23486dcd2231e", [:make, :mix], [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}, {:jason, "~> 1.2", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "84ff7f82bd9fb313af90bf5c6230825fa90f2e159d0355584a9d0ff1d29f4e56"}, - "nerves_system_br": {:hex, :nerves_system_br, "1.23.2", "1e9ef3b384e3b325ab5cc4a0767c6cbfdc8dcac1040b7a8c9b762e73db0cbfde", [:mix], [], "hexpm", "da32bde1c0746055ce12618798967dc2449c3af2e1f10d04d288b511a0ce12dd"}, + "nerves": {:hex, :nerves, "1.10.4", 
"9c7e1f3e0e2896216c1b623dc05e05ec434d5f3f1d8291d4688b61b1a4f5540d", [:make, :mix], [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}, {:jason, "~> 1.2", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "2e9c728f1d95e6ce998a4836d2f96f27777663953339d0f85fb68dc11ab48f1d"}, + "nerves_system_br": {:hex, :nerves_system_br, "1.24.1", "2c9df0bee3bc01a971e1d72a5b137fe9448a74ba1fdd0da02c52e291b468f8a7", [:mix], [], "hexpm", "d13ce0501f4db51869628d138edf5bffbb4fe38f3afa9f9f1e5371f7501535ff"}, "nerves_system_linter": {:hex, :nerves_system_linter, "0.4.0", "81e9a6f5018fe5fb67d7b43a04dca36156f62b55b5554eb2fa3964d3889d09cd", [:mix], [], "hexpm", "b5bd8480ce7a6317f4601ff41fd2f594bdf76aff0bdf6dcfac571c3fa1ec5f82"}, "nerves_toolchain_aarch64_nerves_linux_gnu": {:hex, :nerves_toolchain_aarch64_nerves_linux_gnu, "1.8.0", "40f7fe58737aaa9c6beee0e3599cca2265d1b4e40d7ab2713d7ad872349f21c2", [:mix], [{:nerves, "~> 1.4", [hex: :nerves, repo: "hexpm", optional: false]}, {:nerves_toolchain_ctng, "~> 1.9.3", [hex: :nerves_toolchain_ctng, repo: "hexpm", optional: false]}], "hexpm", "c06a16b54634bbab7348ee7686e3b02574e0af742144c406b0f196b5b374349c"}, "nerves_toolchain_ctng": {:hex, :nerves_toolchain_ctng, "1.9.3", "60e87fde05988c4264babc8d68a9221c7b8fe5dc195b7d1526f29b8e626c735c", [:mix], [{:nerves, "~> 1.0", [hex: :nerves, repo: "hexpm", optional: false]}], "hexpm", "2b6edb0687b7f78d3fa49958d759f647e351b23c1f59f637c617a6dc179994ae"}, diff --git a/post-build.sh b/post-build.sh index 894f099..8da89ba 100755 --- a/post-build.sh +++ b/post-build.sh 
@@ -19,10 +19,12 @@ function slim_down_dri_libs() { slim_down_dri_libs -# Create the revert script for manually switching back to the previously -# active firmware. +# Create the fwup ops script to handling MicroSD/eMMC operations at runtime +# NOTE: revert.fw is the previous, more limited version of this. ops.fw is +# backwards compatible. mkdir -p $TARGET_DIR/usr/share/fwup -$HOST_DIR/usr/bin/fwup -c -f $NERVES_DEFCONFIG_DIR/fwup-revert.conf -o $TARGET_DIR/usr/share/fwup/revert.fw +$HOST_DIR/usr/bin/fwup -c -f $NERVES_DEFCONFIG_DIR/fwup-ops.conf -o $TARGET_DIR/usr/share/fwup/ops.fw +ln -sf ops.fw $TARGET_DIR/usr/share/fwup/revert.fw # Copy the fwup includes to the images dir cp -rf $NERVES_DEFCONFIG_DIR/fwup_include $BINARIES_DIR
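Review bot: The `ln -sf ops.fw $TARGET_DIR/usr/share/fwup/revert.fw` line runs whether or not the preceding `fwup -c` succeeded, unless the script enables `set -e` somewhere outside this hunk. A failed build of ops.fw would then leave a dangling `revert.fw` symlink and an image without the revert and factory-reset tasks. I would append `|| exit 1` to the `fwup -c` line and quote the expansions on both new lines, e.g. `ln -sf ops.fw "$TARGET_DIR/usr/share/fwup/revert.fw"`. The new comment also reads "to handling"; "to handle" is meant.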