From: Srinuvasan Arjunan <srinuvasanasv@gmail.com>
To: isar-users@googlegroups.com
Date: Tue, 17 Jun 2025 05:39:13 -0700 (PDT)
Subject: Re: [PATCH] rootfs: do not expose /sys/firmware while building root file-systems
In-Reply-To: <20250617123507.2245-1-cedric.hombourger@siemens.com>
References: <20250617123507.2245-1-cedric.hombourger@siemens.com>

On Tuesday, June 17, 2025 at 6:05:26 PM UTC+5:30 Cedric Hombourger wrote:

We need /sys while assembling the target root file-system but it exposes
more than the build really needs. Some maintainer scripts (e.g. mdadm)
check /sys/firmware/efi/efivars while configuring themselves. This would
normally be fine but for Isar builds, any information extracted from there
is for the host doing the build and not for the target we are building for.
In addition, packages seeing /sys/firmware/efi will mount efivars there
and will cause do_rootfs_umount to fail unmounting /sys (because of that
extra mount). By mounting a (small) tmpfs as /sys/firmware in the root
file-system, we hide host details from the build; that extra mount needs
to be removed before we attempt to unmount /sys (but we are in control).

Signed-off-by: Cedric Hombourger
---
 meta/classes/rootfs.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 5f877962..7b7859b9 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -48,6 +48,12 @@ rootfs_do_mounts() {
     mount -o bind,private /sys '${ROOTFSDIR}/sys'
     mount --make-rslave '${ROOTFSDIR}/sys'
 
+    # Mount a tmpfs on /sys/firmware to avoid host contamination problems
+    # (maintainer scripts shouldn't pull host data from there)
+    if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
+        mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware'
+    fi
+
     # Mount isar-apt if the directory does not exist or if it is empty
     # This prevents overwriting something that was copied there
     if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
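Review bot: the new tmpfs mount in rootfs_do_mounts() has no `mountpoint -q` guard, so if the function is ever run a second time against a tree that is still mounted, a second tmpfs is stacked on '${ROOTFSDIR}/sys/firmware' and the single umount added in rootfs_do_umounts() leaves one of them behind, which brings back the busy /sys failure this patch is meant to remove. Suggest `mountpoint -q '${ROOTFSDIR}/sys/firmware' || mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware'` (or folding the guard into the existing `if [ -d ... ]`). Also, tmpfs defaults to mode 1777, so the fake /sys/firmware is world-writable and a maintainer script can mkdir /sys/firmware/efi/efivars in it and mount there; consider `-o size=1m,mode=0755,nosuid,nodev,noexec` or `ro` so the hiding mount cannot itself become a new nesting point.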
@@ -94,6 +100,9 @@ rootfs_do_umounts() {
     if mountpoint -q '${ROOTFSDIR}/proc'; then
         umount '${ROOTFSDIR}/proc'
     fi
+    if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then
+        umount '${ROOTFSDIR}/sys/firmware'
+    fi
     if mountpoint -q '${ROOTFSDIR}/sys'; then
         umount '${ROOTFSDIR}/sys'
     fi
--
2.39.5

Looks Good To Me.

Many thanks,
Srinu

--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/a823da0e-da6b-48d7-9b97-78180a508117n%40googlegroups.com.
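Review bot: `umount '${ROOTFSDIR}/sys/firmware'` in the rootfs_do_umounts() hunk is a non-recursive unmount, so if anything was mounted below the tmpfs during the build (the efivars case the commit message describes, should a script create the directory inside the writable tmpfs and mount there), this umount fails with the device busy and the following `umount '${ROOTFSDIR}/sys'` fails in exactly the way the patch is trying to avoid. Suggest `umount -R '${ROOTFSDIR}/sys/firmware'` (util-linux recursive unmount) so the tmpfs and whatever sits under it are removed together, or mount the tmpfs read-only in rootfs_do_mounts() so nothing can be mounted beneath it in the first place.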
