v5.3.2

balena-os · Apr 29, 2024 · a806955 · a806955
1 parent a236852
commit a806955
Show file tree

Hide file tree

Showing 3 changed files with 384 additions and 1 deletion.
diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml
@@ -1,3 +1,325 @@
+- commits:
+    - subject: Update layers/meta-balena to f212a46b75701da1ad174eaca183c5b9f55075ec
+      hash: 983b52d9c3b5717c465b3d164e97db2fa0ff4bff
+      body: Update layers/meta-balena
+      footer:
+        Changelog-entry: Update layers/meta-balena to f212a46b75701da1ad174eaca183c5b9f55075ec
+        changelog-entry: Update layers/meta-balena to f212a46b75701da1ad174eaca183c5b9f55075ec
+      author: Self-hosted Renovate Bot
+      nested:
+        - commits:
+            - subject: "contributing-device-support.md: Rework repo transfer and autokit
+                requirement steps"
+              hash: d9b9d5e0f084ab9370ff69468f8a14b25148fb47
+              body: ""
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Florin Sarbu <florin@balena.io>
+                signed-off-by: Florin Sarbu <florin@balena.io>
+              author: Florin Sarbu
+              nested: []
+          version: meta-balena-5.3.2
+          title: ""
+          date: 2024-04-25T00:38:23.057Z
+        - commits:
+            - subject: "tests: os: address race in internet con. sharing tests"
+              hash: c8fccaef7c48dcccb150f46d0bedb48460ead445
+              body: >
+                For some device types it's been noted that it takes longer than
+                the time it takes do do one check of the iptables rules for the
+                intended rules to appear, leading to a failure. This aims to
+                make the check more consistent by checking 5 times before
+                failing.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Ryan Cooke <ryan@balena.io>
+                signed-off-by: Ryan Cooke <ryan@balena.io>
+              author: rcooke-warwick
+              nested: []
+          version: meta-balena-5.3.1
+          title: ""
+          date: 2024-04-24T15:34:48.717Z
+        - commits:
+            - subject: "hup: signed-update: silence tpm2-tools output"
+              hash: 877b7b39f2ac3dbab0cc806916ef2c13dbdfd885
+              body: |
+                The output of these tools doesn't need logged. Silence them.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "hup: silence mountpoint"
+              hash: d9a477b706ffc8ba4d8126e9665a2142bb705719
+              body: ""
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "hup: signed-update: print predicted PCR values after creating a
+                policy"
+              hash: a3b2b9ba45470b4ff6b35c56c13e2400c51c95c7
+              body: ""
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers-tpm2: firmware_measures_efibins: silence grep"
+              hash: cd7b142195cd7cd33126e0dfbd75ee00e6b03aa3
+              body: >
+                The firmware_measures_efibins function outputs different strings
+
+                depending on whether the TPM event log is available, and whether
+                or not
+
+                EFI binaries are measured into PCR 7 as indicated in the event
+                log.
+
+
+                We don't need to print the output of the parsed event log, so
+                redirect
+
+                it.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers-tpm2: specify TCTI backend"
+              hash: c4eb9d7f6ad412bd74d77ece0e534c8dd2dd6fac
+              body: >
+                Specify the TCTI backend [0], which also silences error messages
+                from
+
+                trying unsupported backends
+
+
+                [0]
+                https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers-sb: silence 'command -v'"
+              hash: 0cc0e51ec48fd90c7164cf458c6a2b583319999d
+              body: ""
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "hup: signed-update: update boot files as needed"
+              hash: c08e732e0a678bce9cf48774fabd9016325fcaa7
+              body: >
+                Unconditionally update the kernel and second stage bootloader
+                when the
+
+                content on disk doesn't match the binaries shipped in the
+                hostapp.
+
+
+                Previously this was only done when migrating, but the kernel,
+                and
+
+                consequently the second stage bootloader, change every build.
+                This means
+
+                firmwares which measure EFI binaries into PCR 7 won't boot
+                unless the
+
+                second stage bootloader is updated to match the digests enrolled
+                in the
+
+                security database.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "hup: signed-update: always remove policy directory"
+              hash: 7c4032d4596c72a85902c91bd48845543f3651b3
+              body: >
+                After creating a new policy, always remove any previous policy
+                directory
+
+                that was found.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers-tpm2: append event log digests before separator"
+              hash: 1c19ebb6b7c9b47ae81a3d67fc5526ea3ed55caf
+              body: >
+                Don't continue appending event log digests after the separator.
+                This
+
+                fixes creating a TPM policy on machines that measure EFI
+                binaries into
+
+                PCR 7 double appending the EFI binary hashes, which will cause
+                boot
+
+                failures.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "hostapp-update-hooks: signed-update: fix exit code conditional"
+              hash: 06ef101cf68056c348f4c6810b522f2bbdbb7e55
+              body: >
+                Shellcheck warning SC2319 indicates that the condition being
+                checked
+
+                here may be overwritten by subsequent commands.
+
+
+                Replace this conditional with a switch statement that directly
+                evaluates
+
+                the output.
+
+
+                Also bump the minor version to make it more obvious that PCR 7
+                sealing
+
+                brings a new feature, which should've happened previously.
+              footer:
+                Change-type: minor
+                change-type: minor
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers-tpm2: fix awk syntax error causing unbootable machines"
+              hash: 6c21f43c49361dac28f432083122a3ee35704a6f
+              body: >
+                A missing semi-colon caused the firmware_measures_efibins
+                function to
+
+                return an exit code of one, which the 0-signed-update
+                hostapp-update
+
+                hook interpreted as "this firmware does not measure EFI binaries
+                into
+
+                PCR 7", as opposed to zero, indicating "this firmware *does*
+                measure EFI
+
+                binaries into PCR 7", or two, indicating "the TPM event log is
+
+                unavailable and it's impossible to tell."
+
+
+                Taking the wrong branch in this conditional led to an
+                inappropriate
+
+                policy being created to seal the LUKS passphrase, which could
+                not be
+
+                unlocked on the next boot, as in QEMU with edk2, EFI binaries
+                *are*
+
+                measured into PCR 7.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+          version: meta-balena-5.3.0
+          title: ""
+          date: 2024-04-24T06:33:36.925Z
+        - commits:
+            - subject: "hostapp-update-hooks: check for logging helper"
+              hash: 8561f0f7d92702a0d374846555904d6f2e01c697
+              body: >
+                Older balenaOS version (before v2.58) do not contain the logging
+                helper
+
+                in the rootfs and the new OS hooks fail to execute.
+
+
+                This commit checks for the file existence before using it, and
+                defines
+
+                the logging functions when not detected.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Alex Gonzalez <alexg@balena.io>
+                signed-off-by: Alex Gonzalez <alexg@balena.io>
+              author: Alex Gonzalez
+              nested: []
+          version: meta-balena-5.2.10
+          title: ""
+          date: 2024-04-23T10:14:54.964Z
+        - commits:
+            - subject: Update tests/leviathan digest to 5984adc
+              hash: d620600db09f2215dbfc43748fcc493023809bf2
+              body: Update tests/leviathan
+              footer:
+                Change-type: patch
+                change-type: patch
+              author: Self-hosted Renovate Bot
+              nested:
+                - commits:
+                    - subject: Update actions/upload-artifact digest to 1746f4a
+                      hash: 4872b11fad92f5c8ea60050e21aa63a2bbb1289d
+                      body: |
+                        Update actions/upload-artifact
+                      footer:
+                        Change-type: patch
+                        change-type: patch
+                      author: Self-hosted Renovate Bot
+                      nested: []
+                  version: leviathan-2.30.11
+                  title: ""
+                  date: 2024-04-22T01:55:56.805Z
+                - commits:
+                    - subject: Update Lock file maintenance
+                      hash: c3225ffd4e4fde06ceaf3ace5778fa8633a72e28
+                      body: |
+                        Update
+                      footer:
+                        Change-type: patch
+                        change-type: patch
+                      author: Self-hosted Renovate Bot
+                      nested: []
+                  version: leviathan-2.30.10
+                  title: ""
+                  date: 2024-04-22T00:50:13.147Z
+          version: meta-balena-5.2.9
+          title: ""
+          date: 2024-04-22T05:25:28.462Z
+  version: 5.3.2
+  title: ""
+  date: 2024-04-29T12:29:44.332Z
 - commits:
     - subject: Update layers/meta-balena to 5d7a7ecfdc69c481e6e762e38e66b8b291a70e32
       hash: 96ae30310b37824ca86e93feddba2fc73c0ab319

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,67 @@
 Change log
 -----------
 
+# v5.3.2
+## (2024-04-29)
+
+
+<details>
+<summary> Update layers/meta-balena to f212a46b75701da1ad174eaca183c5b9f55075ec [Self-hosted Renovate Bot] </summary>
+
+> ## meta-balena-5.3.2
+> ### (2024-04-25)
+> 
+> * contributing-device-support.md: Rework repo transfer and autokit requirement steps [Florin Sarbu]
+> 
+> ## meta-balena-5.3.1
+> ### (2024-04-24)
+> 
+> * tests: os: address race in internet con. sharing tests [rcooke-warwick]
+> 
+> ## meta-balena-5.3.0
+> ### (2024-04-24)
+> 
+> * hup: signed-update: silence tpm2-tools output [Joseph Kogut]
+> * hup: silence mountpoint [Joseph Kogut]
+> * hup: signed-update: print predicted PCR values after creating a policy [Joseph Kogut]
+> * os-helpers-tpm2: firmware_measures_efibins: silence grep [Joseph Kogut]
+> * os-helpers-tpm2: specify TCTI backend [Joseph Kogut]
+> * os-helpers-sb: silence 'command -v' [Joseph Kogut]
+> * hup: signed-update: update boot files as needed [Joseph Kogut]
+> * hup: signed-update: always remove policy directory [Joseph Kogut]
+> * os-helpers-tpm2: append event log digests before separator [Joseph Kogut]
+> * hostapp-update-hooks: signed-update: fix exit code conditional [Joseph Kogut]
+> * os-helpers-tpm2: fix awk syntax error causing unbootable machines [Joseph Kogut]
+> 
+> ## meta-balena-5.2.10
+> ### (2024-04-23)
+> 
+> * hostapp-update-hooks: check for logging helper [Alex Gonzalez]
+> 
+> ## meta-balena-5.2.9
+> ### (2024-04-22)
+> 
+> 
+> <details>
+> <summary> Update tests/leviathan digest to 5984adc [Self-hosted Renovate Bot] </summary>
+> 
+>> ### leviathan-2.30.11
+>> #### (2024-04-22)
+>> 
+>> * Update actions/upload-artifact digest to 1746f4a [Self-hosted Renovate Bot]
+>> 
+>> ### leviathan-2.30.10
+>> #### (2024-04-22)
+>> 
+>> * Update Lock file maintenance [Self-hosted Renovate Bot]
+>> 
+> 
+> </details>
+> 
+> 
+
+</details>
+
 # v5.2.8
 ## (2024-04-19)
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.2.8
+5.3.2