public inbox for isar-users@googlegroups.com
From: "'Cedric Hombourger' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: srinuvasan.a@siemens.com,
	Cedric Hombourger <cedric.hombourger@siemens.com>
Subject: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems
Date: Tue, 17 Jun 2025 14:35:07 +0200
Message-ID: <20250617123507.2245-1-cedric.hombourger@siemens.com>

We need /sys while assembling the target root file-system but it exposes
more than the build really needs. Some maintainer scripts (e.g. mdadm)
check /sys/firmware/efi/efivars while configuring themselves. This would
normally be fine but for Isar builds, any information extracted from there
is for the host doing the build and not for the target we are building for.
In addition, packages seeing /sys/firmware/efi will mount efivars there
and will cause do_rootfs_umount to fail unmounting /sys (because of that
extra mount). By mounting a (small) tmpfs as /sys/firmware in the root
file-system, we hide host details from the build; that extra mount needs
to be removed before we attempt to unmount /sys (but we are in control).

Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
---
 meta/classes/rootfs.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 5f877962..7b7859b9 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -48,6 +48,12 @@ rootfs_do_mounts() {
             mount -o bind,private /sys '${ROOTFSDIR}/sys'
         mount --make-rslave '${ROOTFSDIR}/sys'
 
+        # Mount a tmpfs on /sys/firmware to avoid host contamination problems
+        # (maintainer scripts shouldn't pull host data from there)
+        if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
+            mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware'
+        fi
+
         # Mount isar-apt if the directory does not exist or if it is empty
         # This prevents overwriting something that was copied there
         if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
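Review bot: the new tmpfs mount has no idempotency guard, whereas the bind mount of /sys just above it sits inside a conditional (note its deeper indentation); if rootfs_do_mounts runs a second time, another tmpfs is stacked on '${ROOTFSDIR}/sys/firmware' and the single umount added to rootfs_do_umounts leaves one of them behind, reproducing the "/sys busy" failure this patch is meant to fix. Guard it the same way, e.g. `if [ -d '${ROOTFSDIR}/sys/firmware' ] && ! mountpoint -q '${ROOTFSDIR}/sys/firmware'; then`. Since nothing in the build needs to execute from this empty tmpfs, `noexec` can be added next to `nosuid,nodev` at no cost, and a comment saying that the empty tmpfs deliberately has no efi/ subdirectory (so efivars cannot be mounted beneath it) would record the assumption the umount side relies on.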
@@ -94,6 +100,9 @@ rootfs_do_umounts() {
         if mountpoint -q '${ROOTFSDIR}/proc'; then
             umount '${ROOTFSDIR}/proc'
         fi
+        if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then
+            umount '${ROOTFSDIR}/sys/firmware'
+        fi
         if mountpoint -q '${ROOTFSDIR}/sys'; then
             umount '${ROOTFSDIR}/sys'
         fi
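Review bot: the ordering is right (the nested mount goes before the umount of '${ROOTFSDIR}/sys'), but `mountpoint -q` only tests the top of the stack and a failing `umount '${ROOTFSDIR}/sys/firmware'` is not acted on: the function simply proceeds to `umount '${ROOTFSDIR}/sys'`, which then fails with the same unhelpful error as before. Consider failing explicitly at the inner umount (e.g. `umount '${ROOTFSDIR}/sys/firmware' || bbfatal "..."`) or using `umount -R` on the tmpfs so that anything a maintainer script managed to mount beneath it is removed in the same step.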
-- 
2.39.5



Thread overview: 5+ messages
2025-06-17 12:35 'Cedric Hombourger' via isar-users [this message]
2025-06-17 12:39 ` Srinuvasan Arjunan
2025-06-17 12:58 ` 'MOESSBAUER, Felix' via isar-users
2025-06-17 14:26   ` 'Jan Kiszka' via isar-users
2025-06-17 14:48   ` 'cedric.hombourger@siemens.com' via isar-users