diff options
| author | William A. Kennington III <wak@google.com> | 2020-06-02 01:29:29 +0300 |
|---|---|---|
| committer | Andrew Geissler <geissonator@yahoo.com> | 2020-07-15 00:28:03 +0300 |
| commit | 82de478fac4e7c581f3cd439c98b9e367e09b6c4 (patch) | |
| tree | b3aa1c7eee7eb435dff8cf04fbb98ed1064e0080 | |
| parent | 45a5795e7304029424e771f8f62b2614ab35c02d (diff) | |
| download | openbmc-82de478fac4e7c581f3cd439c98b9e367e09b6c4.tar.xz | |
noverify-bmc-update: Only commit payload on update
We don't want to allow indirect updates via users issuing `mc reboot
cold` commands after verifying but without peforming the update step.
(From meta-phosphor rev: 892e90b3ea1eb39994af943a8686bb96c1473ad9)
Change-Id: Ia846efafef6bdf64f102d6e0511d5e8ed874e966
Signed-off-by: William A. Kennington III <wak@google.com>
Fixed misspelling of command
Signed-off-by: Brad Bishop<bradleyb@fuzziesquirrel.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
4 files changed, 14 insertions, 2 deletions
diff --git a/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update.bb b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update.bb index fb1480fb1..503e836a8 100644 --- a/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update.bb +++ b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update.bb @@ -4,9 +4,11 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda inherit systemd +SRC_URI += "file://noverify-bmc-update.service" SRC_URI += "file://noverify-bmc-verify.service" SRC_URI += "file://config-bmc.json" +SYSTEMD_SERVICE_${PN} += "noverify-bmc-update.service" SYSTEMD_SERVICE_${PN} += "noverify-bmc-verify.service" FILES_${PN} += "${datadir}/phosphor-ipmi-flash/config-bmc.json" @@ -15,5 +17,6 @@ do_install() { install -m 0644 ${WORKDIR}/config-bmc.json ${D}${datadir}/phosphor-ipmi-flash install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/noverify-bmc-update.service ${D}${systemd_system_unitdir} install -m 0644 ${WORKDIR}/noverify-bmc-verify.service ${D}${systemd_system_unitdir} } diff --git a/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/config-bmc.json b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/config-bmc.json index 86afb3ba3..31df4a1ef 100644 --- a/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/config-bmc.json +++ b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/config-bmc.json @@ -14,7 +14,7 @@ }, "update": { "type": "systemd", - "unit": "reboot.target" + "unit": "noverify-bmc-update.service" } } }] diff --git a/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/noverify-bmc-update.service b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/noverify-bmc-update.service new file mode 100644 index 000000000..e30d64723 --- /dev/null +++ b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/noverify-bmc-update.service @@ -0,0 +1,9 @@ +[Unit] +Description=Commit image for update and reboot + +[Service] +Type=oneshot +ExecStart=/bin/mv /run/initramfs/bmc-image-verified /run/initramfs/image-bmc +# This command is intentionally blocking to ensure this unit doesn't complete +# before the BMC reboots. +ExecStart=/usr/bin/systemctl start --job-mode=replace-irreversibly reboot.target diff --git a/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/noverify-bmc-verify.service b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/noverify-bmc-verify.service index 50855b6b2..a535329fb 100644 --- a/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/noverify-bmc-verify.service +++ b/meta-phosphor/recipes-phosphor/flash/noverify-bmc-update/noverify-bmc-verify.service @@ -3,4 +3,4 @@ Description=Don't verify the image, just stage it for update [Service] Type=oneshot -ExecStart=/bin/mv /run/initramfs/bmc-image /run/initramfs/image-bmc +ExecStart=/bin/mv /run/initramfs/bmc-image /run/initramfs/bmc-image-verified |