path: root/meta-google/recipes-phosphor/images
Age | Commit message | Author | Files | Lines
2023-08-25 | meta-google: glome: remove from layer | Luke Granger-Brown | 1 | -1/+1
glome is now in the meta-security layer and shouldn't(*) be included here. glome-config is also removed; downstreams should bbappend glome to overwrite /etc/glome/config.

(*) https://lore.kernel.org/all/Ys6zBXR+8AP3wjYG@heinlein.stwcx.org.github.beta.tailscale.net/

Tested: Added meta-security layer to a build and tested downstream BMC build.

Link: https://gerrit.openbmc.org/id/I8e96a5c15a277c343ca38c32ad5b987944642008
Change-Id: I8e96a5c15a277c343ca38c32ad5b987944642008
Signed-off-by: Luke Granger-Brown <lukegb@google.com>
2023-05-05 | meta-google: gbmc-bridge: add udev and bridging mapping | Yuxiao Zhang | 1 | -0/+2
This CL adds support for bridging ethernet devices to gbmcbr and interface renaming based on the dev address. Change-Id: Ibc5fc8e0426e117191574553b36ea59a6735b91c Signed-off-by: Yuxiao Zhang <yuxiaozhang@google.com>
2023-05-04 | Update to libpam 1.5.2 | Joseph Reynolds | 1 | -2/+2
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.

Since parameters of pam_cracklib and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration.

The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.

pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.

Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.

This patchset causes a BMC operational change:
- The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset

Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually install the changed files. The convert-pam-configs service is intended to handle this problem.

Tested: as follows, for local users only (not tested with LDAP)

Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use:
curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'

Tested update scenarios:
1. Install from scratch. Success.
2. Install over firmware which had old PAM configs. Success.

Tested update scenarios for the convert-pam-configs service.

Tested changing the password via various interfaces:
- the passwd command
- the PATCH Redfish AccountService {Password: NEW}
- SSH (accessible only when the password is expired)
- IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords
Tested unlock via Redfish.

Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
2022-11-01 | meta-google: Set default timezone as PDT | William A. Kennington III | 1 | -0/+1
This is the prod configuration. Change-Id: I04c33362cf874637caa528779c57bcacfca50201 Signed-off-by: William A. Kennington III <wak@google.com>
2022-09-10 | meta-google: Remove cracklib from image and libpam dependency | kasunath | 1 | -0/+4
The package "cracklib" is not needed. Ideally in the future we will start using Google GLOME.

The "libpam" library depends on cracklib, so override the libpam recipe also, so that it no longer depends on cracklib.

Tested: This has been tested locally on our local product, which uses OpenBMC, and it appeared to work just fine for us.

Signed-off-by: Kasun Athukorala <kasunath@google.com>
Change-Id: I0d7714766a2e14151f00f6582abee78dee43614d
Signed-off-by: Josh Lehan <krellan@google.com>
2022-09-10 | meta-google: remove glome-config from glome's RDEPENDS | Leo Tu | 1 | -0/+3
glome-config only provides the config file for glome. It is more appropriate to decouple them by adding glome-config to OBMC_IMAGE_EXTRA_INSTALL in the meta-google layer. Then when glome is migrated to another meta layer, it won't need this RDEPENDS. (This is a follow-up of https://gerrit.openbmc.org/c/openbmc/openbmc/+/56618/)

Also add glome-login to OBMC_IMAGE_EXTRA_INSTALL since it is also needed.

Tested: Built an image and ran it on a real machine. Verified that glome is enabled and the generated link gave a valid password.

Signed-off-by: Leo Tu <leotu@google.com>
Change-Id: I985670454f4749c5297261ec81466fed9cdc5c40
2022-05-09 | meta-google: Fix tcpdump append | Joel Stanley | 1 | -1/+1
When searching the tree for 'gmbc', I was surprised to find we had no machines that use the Google layer. That's because it's a typo, and the layer is called gbmc. Change-Id: I75f31456f5e48246fe387322c72301d8552ca2d2 Signed-off-by: Joel Stanley <joel@jms.id.au>
2022-02-04 | meta-google: obmc-phosphor-image: Add tcpdump for dev builds | William A. Kennington III | 1 | -0/+1
A number of machines need network debugging and it's useful to have this available in our dev builds. Change-Id: I37c0a7317295fb6d75c2fcf2cc913b63dd9b20a7 Signed-off-by: William A. Kennington III <wak@google.com>
2021-12-20 | meta-google: Remove mostly unused iotools | William A. Kennington III | 1 | -1/+0
There are generally other ways to poke at the IO space of the BMC and there isn't any evidence these are being used anymore. Change-Id: I9d0e7187f2be8bbbf349e8cdf63c32013876260c Signed-off-by: William A. Kennington III <wak@google.com>
2021-08-07 | meta-google: Cleanup for Yocto override syntax change | Willy Tu | 1 | -17/+17
```
convert-overrides.py meta-google
git grep "_[a-z0-9_/-]*[ :]" -- meta-google | grep ".bb"
git grep -l _gbmc -- meta-google | grep ".bb" \
  | xargs sed -i 's/_gbmc/:gbmc/'
git grep -l _prod -- meta-google | grep ".bb" \
  | xargs sed -i 's/_prod/:prod/'
git grep -l _dev -- meta-google | grep ".bb" \
  | xargs sed -i 's/_dev/:dev/'
git grep -l _hoth -- meta-google | grep ".bb" \
  | xargs sed -i 's/_hoth/:hoth/'
git grep -l _bandaid -- meta-google | grep ".bb" \
  | xargs sed -i 's/_bandaid/:bandaid/'
```

Some small fixes include
```
platforms_gbmc_bringup
platforms_gbmc_secure
```

Tested:
```
$ git grep "_[a-z0-9_/-]*[ :]" -- meta-google | grep ".bb"
meta-google/recipes-connectivity/avahi/avahi_%.bbappend:do_install:append:gbmc() {
meta-google/recipes-core/dropbear/dropbear_%.bbappend:do_install:append:gbmc:dev() {
meta-google/recipes-core/dropbear/dropbear_%.bbappend: echo ' chain gbmc_br_pub_input {' >>"$rules"
meta-google/recipes-extended/libconfig/conf2struct-native_git.bb: oe_runmake checker
meta-google/recipes-extended/libconfig/conf2struct-native_git.bb: oe_runmake install
meta-google/recipes-extended/networking/mstpd_git.bb:do_install:append() {
meta-google/recipes-extended/networking/sslh_git.bb: oe_runmake distclean
meta-google/recipes-extended/networking/sslh_git.bb: oe_runmake sslh-conf.h
meta-google/recipes-extended/networking/sslh_git.bb: oe_runmake install
meta-google/recipes-google/ipmi/ipmi-fru-sh.bb:do_install:append() {
meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb:do_install:append() {
meta-google/recipes-google/networking/gbmc-bridge.bb:do_rm_work:prepend() {
meta-google/recipes-google/networking/gbmc-bridge.bb: # HACK: Work around broken do_rm_work not properly calling rm with `--`
meta-google/recipes-google/networking/gbmc-ip-monitor.bb:do_install:append() {
meta-google/recipes-google/networking/gbmc-iperf3.bb:do_install:append:dev() {
meta-google/recipes-google/networking/gbmc-iperf3.bb: echo ' chain gbmc_br_pub_input {' >>"$rules"
meta-google/recipes-google/networking/gbmc-mac-config.bb:do_install:append() {
meta-google/recipes-google/networking/network-sh.bb:do_install:append() {
meta-google/recipes-google/ssh/authorized-keys-comp.bb:SUMMARY = "Compiles a set of authorized_keys files into a single file"
meta-google/recipes-google/ssh/authorized-keys-comp.bb:do_install:append() {
meta-google/recipes-google/systemd/gbmc-systemd-config.bb:do_install:append:dev() {
meta-google/recipes-google/test/test-sh.bb:do_install:append() {
meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb:do_install:prepend:dev() {
meta-google/recipes-phosphor/host/phosphor-host-postd_%.bbappend:do_install:append:gbmc:dev() {
meta-google/recipes-phosphor/initrdscripts/obmc-phosphor-initfs.bbappend:do_install:append:gbmc:dev() {
meta-google/recipes-phosphor/initrdscripts/obmc-phosphor-initfs.bbappend:do_install:append:gbmc:prod() {
meta-google/recipes-phosphor/ipmi/phosphor-ipmi-config.bbappend:do_install:append:gbmc() {
meta-google/recipes-phosphor/ipmi/phosphor-ipmi-config.bbappend: overlapping="$(jq '."${GBMCBR_IPMI_CHANNEL}" | .is_valid and .name != "gbmcbr"' $chjson)"
```

Change-Id: I9d610c664bd44e8bd81fb8f7e76249a0b43b9ffd
Signed-off-by: Willy Tu <wltu@google.com>
2021-08-02 | meta-google: images: Add inplace-gbmc-update | Brandon Kim | 1 | -0/+1
For gbmc override, add inplace-gbmc-update and set it as the PREFERRED_PROVIDER for virtual/bmc-update. Google-Bug-Id: 179618452 Google-Bug-Id: 179618500 Signed-off-by: Brandon Kim <brandonkim@google.com> Change-Id: If8b7a3640b66fd323ee5c1a98619a09463933898
2021-08-02 | meta-google: images: Add dummy-gbmc-update | Brandon Kim | 1 | -0/+3
For gbmc override, add dummy-gbmc-update Google-Bug-Id: 179618452 Google-Bug-Id: 179618500 Signed-off-by: Brandon Kim <brandonkim@google.com> Change-Id: I09925bb262f7a535ff569689a37640a028a09137
2021-08-02 | meta-google: images: Add utilities to gbmc override | Brandon Kim | 1 | -0/+6
Utilities such as ipmitool, iotools, lrzsz should be added to gbmc. Google-Bug-Id: 179618452 Signed-off-by: Brandon Kim <brandonkim@google.com> Change-Id: Id092157e8868648d1a97ef90928dac2cfa1307ae
2021-07-07 | Revert "meta-google: gbmc-kcs-config: Add package" | William A. Kennington III | 1 | -2/+0
This reverts commit f93003dd8cf24bd689a7cf24407273b54b9994d4. Change-Id: Ia5ccc39e09d56b0ea083666eb8df3d858f1ac2f5 Signed-off-by: William A. Kennington III <wak@google.com>
2021-04-17 | meta-google: gbmc-dev-ssh-key: Add package | William A. Kennington III | 1 | -0/+1
We want a key we can freely distribute to anyone who is building gBMC for use with SSH on development images. Change-Id: Iafedbbc6ebe2e62bce966bb368dd53831e29bd00 Signed-off-by: William A. Kennington III <wak@google.com>
2021-04-17 | meta-google: authorized-keys-comp: Add package | William A. Kennington III | 1 | -0/+1
This adds a startup routine that compiles an authorized_keys file from multiple locations in the filesystem, allowing for multiple providers without clashing. Change-Id: Ib26e04af42f29d42410154fdd809aa3a525fc9d5 Signed-off-by: William A. Kennington III <wak@google.com>
2021-03-25 | meta-google: gbmc-kcs-config: Add package | William A. Kennington III | 1 | -0/+2
Change-Id: I0e68a7520191554680c94d8e3b8bc98f368ac71b Signed-off-by: William A. Kennington III <wak@google.com>
2021-03-09 | meta-google: Use iproute2 instead of busybox | William A. Kennington III | 1 | -0/+1
iproute2 provides a more complete set of utilities that are better behaved than the busybox variants with more complex network configurations. Change-Id: Ic638fac3deda68e2e509d733994b7b24cd2d38f1 Signed-off-by: William A. Kennington III <wak@google.com>
2021-03-09 | meta-google: gbmc-mac-config: Add package | William A. Kennington III | 1 | -0/+2
This package allows a system to specify an IPMI FRU that contains MAC Address information used to populate MAC addresses for specified interfaces. Change-Id: I457d41509da0e63db4410937b84140d4ba410b41 Signed-off-by: William A. Kennington III <wak@google.com>
2021-02-18 | meta-google: obmc-phosphor-image: Add NCSI when specified | William A. Kennington III | 1 | -0/+2
Change-Id: Id15f7bb08f08da3cfdef24c0c38a42caffdb70c0 Signed-off-by: William A. Kennington III <wak@google.com>
2021-02-17 | meta-google: obmc-phosphor-image: Add iperf3 | William A. Kennington III | 1 | -0/+1
Change-Id: I56abfee5270d63e8077314f548effa86596a148d Signed-off-by: William A. Kennington III <wak@google.com>
2021-02-17 | meta-google: obmc-phosphor-image: Add systemd-config | William A. Kennington III | 1 | -0/+2
Change-Id: I37c82c2e7d494e7ae5581ee93ea34ac2908bedfb Signed-off-by: William A. Kennington III <wak@google.com>
2019-01-08 | meta-google: add phosphor-ipmi-flash package to image | Patrick Venture | 1 | -0/+1
Add the phosphor-ipmi-flash package to any image that includes the meta-google layer. (From meta-google rev: 2dcc5ffe9c59962b1404871639e60c30c1c113a1) Change-Id: Ib36f98cbf4f53f20aff41604bcef5486c22c8e2c Signed-off-by: Patrick Venture <venture@google.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-10-25 | meta-google: add google-ipmi-i2c to obmc-phosphor-image | Patrick Venture | 1 | -0/+1
Add the google-ipmi-i2c package to the obmc-phosphor-image so that it is installed when this layer is included. Tested: Built by adding meta-google to quanta-q71l and verified library installed. (From meta-google rev: c97e1e7ceb25dd9d79da3fcd8849243b212867d5) Change-Id: I2c37dd69749e0bc3cfc2076ef10cd9392d053429 Signed-off-by: Patrick Venture <venture@google.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-28 | meta-google: enable ipmi-ethstats and ipmi-blobs | Patrick Venture | 1 | -0/+2
Any Google supported image will require these handlers included. Beyond this, the Google OEM Number is set to be used in phosphor-ipmi-ethstats due to current infrastructure. Tested: Added to build and these packages were installed. (From meta-google rev: 474a6b1a09cab26f71d2573b7c6272d41d2bab0e) Change-Id: I084ff4310cc184f1db5271c67200cf9cc5c7055b Signed-off-by: Patrick Venture <venture@google.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-24 | meta-google: add google-ipmi-sys to obmc-phosphor-image | Patrick Venture | 1 | -0/+1
Add the google-ipmi-sys package to the obmc-phosphor-image so that it is installed when this layer is included. (From meta-google rev: eb12226c53cf875ba8a760d255076e65ac7c1ba5) Change-Id: I3350fb615e1ad054b09775def7df7572674e5c2d Signed-off-by: Patrick Venture <venture@google.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>